From 692a27baa1b889755b928d2766f9efee17462291 Mon Sep 17 00:00:00 2001
From: Lars Wendler <polynomial-c@gentoo.org>
Date: Wed, 2 Nov 2016 15:38:57 +0100
Subject: www-servers/apache: Security revbumps for CVE-2016-5387 (bug
 #589226).

Also fixes fcgi bug in apache-2.4.23 (bug #591288).

Package-Manager: portage-2.3.2
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
---
 www-servers/apache/files/apache-asf-httpoxy.patch | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 www-servers/apache/files/apache-asf-httpoxy.patch

(limited to 'www-servers/apache/files')

diff --git a/www-servers/apache/files/apache-asf-httpoxy.patch b/www-servers/apache/files/apache-asf-httpoxy.patch
new file mode 100644
index 000000000000..68e3d869a77e
--- /dev/null
+++ b/www-servers/apache/files/apache-asf-httpoxy.patch
@@ -0,0 +1,20 @@
+https://bugs.gentoo.org/589226
+https://www.apache.org/security/asf-httpoxy-response.txt
+
+--- server/util_script.c	(revision 1752426)
++++ server/util_script.c	(working copy)
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them
-- 
cgit v1.2.3-65-gdbad