diff -Nru apache2-2.4.18/debian/changelog apache2-2.4.18/debian/changelog --- apache2-2.4.18/debian/changelog 2017-09-18 15:09:02.000000000 +0000 +++ apache2-2.4.18/debian/changelog 2018-04-18 15:03:17.000000000 +0000 @@ -1,3 +1,44 @@ +apache2 (2.4.18-2ubuntu3.8) xenial-security; urgency=medium + + * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig + - debian/patches/CVE-2017-15710.patch: fix language long names + detection as short name in modules/aaa/mod_authnz_ldap.c. + - CVE-2017-15710 + * SECURITY UPDATE: incorrect matching + - debian/patches/CVE-2017-15715-pre.patch: add ap_cstr_casecmp[n]() to + include/httpd.h, server/util.c. + - debian/patches/CVE-2017-15715.patch: allow to configure + global/default options for regexes, like caseless matching or + extended format in include/ap_regex.h, server/core.c, + server/util_pcre.c. + - CVE-2017-15715 + * SECURITY UPDATE: mod_session header manipulation + - debian/patches/CVE-2018-1283.patch: strip Session header when + SessionEnv is on in modules/session/mod_session.c. + - CVE-2018-1283 + * SECURITY UPDATE: DoS via specially-crafted request + - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL + terminated on any error, not only on buffer full in + server/protocol.c. + - CVE-2018-1301 + * SECURITY UPDATE: mod_cache_socache DoS + - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up + to carriage return in modules/cache/mod_cache_socache.c. + - CVE-2018-1303 + * SECURITY UPDATE: insecure nonce generation + - debian/patches/CVE-2018-1312.patch: actually use the secret when + generating nonces in modules/aaa/mod_auth_digest.c. + - CVE-2018-1312 + + -- Marc Deslauriers Wed, 18 Apr 2018 10:53:04 -0400 + +apache2 (2.4.18-2ubuntu3.7) xenial; urgency=medium + + * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683) + - added debian/patches/util_ldap_cache_lock_fix.patch + + -- Rafael David Tinoco Thu, 01 Mar 2018 18:29:12 +0000 + apache2 (2.4.18-2ubuntu3.5) xenial-security; urgency=medium * SECURITY UPDATE: optionsbleed information leak diff -Nru apache2-2.4.18/debian/patches/CVE-2017-15710.patch apache2-2.4.18/debian/patches/CVE-2017-15710.patch --- apache2-2.4.18/debian/patches/CVE-2017-15710.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.18/debian/patches/CVE-2017-15710.patch 2018-04-18 14:51:04.000000000 +0000 @@ -0,0 +1,24 @@ +Description: fix DoS via missing header with AuthLDAPCharsetConfig +Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1824456 + +Index: apache2-2.4.29/modules/aaa/mod_authnz_ldap.c +=================================================================== +--- apache2-2.4.29.orig/modules/aaa/mod_authnz_ldap.c 2017-06-29 07:31:20.000000000 -0400 ++++ apache2-2.4.29/modules/aaa/mod_authnz_ldap.c 2018-04-18 09:14:38.995193064 -0400 +@@ -126,9 +126,13 @@ static char* derive_codepage_from_lang ( + + charset = (char*) apr_hash_get(charset_conversions, language, APR_HASH_KEY_STRING); + +- if (!charset) { +- language[2] = '\0'; +- charset = (char*) apr_hash_get(charset_conversions, language, APR_HASH_KEY_STRING); ++ /* ++ * Test if language values like 'en-US' return a match from the charset ++ * conversion map when shortened to 'en'. ++ */ ++ if (!charset && strlen(language) > 3 && language[2] == '-') { ++ char *language_short = apr_pstrndup(p, language, 2); ++ charset = (char*) apr_hash_get(charset_conversions, language_short, APR_HASH_KEY_STRING); + } + + if (charset) { diff -Nru apache2-2.4.18/debian/patches/CVE-2017-15715.patch apache2-2.4.18/debian/patches/CVE-2017-15715.patch --- apache2-2.4.18/debian/patches/CVE-2017-15715.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.18/debian/patches/CVE-2017-15715.patch 2018-04-18 14:51:12.000000000 +0000 @@ -0,0 +1,192 @@ +Description: fix incorrect matching +Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1824472 + +Index: apache2-2.4.18/include/ap_regex.h +=================================================================== +--- apache2-2.4.18.orig/include/ap_regex.h 2018-04-18 10:51:09.727938688 -0400 ++++ apache2-2.4.18/include/ap_regex.h 2018-04-18 10:51:09.723938680 -0400 +@@ -77,6 +77,8 @@ extern "C" { + #define AP_REG_NOMEM 0x20 /* nomem in our code */ + #define AP_REG_DOTALL 0x40 /* perl's /s flag */ + ++#define AP_REG_DOLLAR_ENDONLY 0x200 /* '$' matches at end of subject string only */ ++ + #define AP_REG_MATCH "MATCH_" /** suggested prefix for ap_regname */ + + /* Error values: */ +@@ -103,6 +105,26 @@ typedef struct { + /* The functions */ + + /** ++ * Get default compile flags ++ * @return Bitwise OR of AP_REG_* flags ++ */ ++AP_DECLARE(int) ap_regcomp_get_default_cflags(void); ++ ++/** ++ * Set default compile flags ++ * @param cflags Bitwise OR of AP_REG_* flags ++ */ ++AP_DECLARE(void) ap_regcomp_set_default_cflags(int cflags); ++ ++/** ++ * Get the AP_REG_* corresponding to the string. ++ * @param name The name (i.e. AP_REG_) ++ * @return The AP_REG_*, or zero if the string is unknown ++ * ++ */ ++AP_DECLARE(int) ap_regcomp_default_cflag_by_name(const char *name); ++ ++/** + * Compile a regular expression. + * @param preg Returned compiled regex + * @param regex The regular expression string +Index: apache2-2.4.18/server/core.c +=================================================================== +--- apache2-2.4.18.orig/server/core.c 2018-04-18 10:51:09.727938688 -0400 ++++ apache2-2.4.18/server/core.c 2018-04-18 10:51:09.723938680 -0400 +@@ -48,6 +48,7 @@ + #include "mod_core.h" + #include "mod_proxy.h" + #include "ap_listen.h" ++#include "ap_regex.h" + + #include "mod_so.h" /* for ap_find_loaded_module_symbol */ + +@@ -2725,6 +2726,58 @@ static const char *virtualhost_section(c + return errmsg; + } + ++static const char *set_regex_default_options(cmd_parms *cmd, ++ void *dummy, ++ const char *arg) ++{ ++ const command_rec *thiscmd = cmd->cmd; ++ int cflags, cflag; ++ ++ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); ++ if (err != NULL) { ++ return err; ++ } ++ ++ cflags = ap_regcomp_get_default_cflags(); ++ while (*arg) { ++ const char *name = ap_getword_conf(cmd->pool, &arg); ++ int how = 0; ++ ++ if (strcasecmp(name, "none") == 0) { ++ cflags = 0; ++ continue; ++ } ++ ++ if (*name == '+') { ++ name++; ++ how = +1; ++ } ++ else if (*name == '-') { ++ name++; ++ how = -1; ++ } ++ ++ cflag = ap_regcomp_default_cflag_by_name(name); ++ if (!cflag) { ++ return apr_psprintf(cmd->pool, "%s: option '%s' unknown", ++ thiscmd->name, name); ++ } ++ ++ if (how > 0) { ++ cflags |= cflag; ++ } ++ else if (how < 0) { ++ cflags &= ~cflag; ++ } ++ else { ++ cflags = cflag; ++ } ++ } ++ ap_regcomp_set_default_cflags(cflags); ++ ++ return NULL; ++} ++ + static const char *set_server_alias(cmd_parms *cmd, void *dummy, + const char *arg) + { +@@ -4278,6 +4331,9 @@ AP_INIT_TAKE12("RLimitNPROC", no_set_lim + OR_ALL, "soft/hard limits for max number of processes per uid"), + #endif + ++AP_INIT_RAW_ARGS("RegexDefaultOptions", set_regex_default_options, NULL, RSRC_CONF, ++ "default options for regexes (prefixed by '+' to add, '-' to del)"), ++ + /* internal recursion stopper */ + AP_INIT_TAKE12("LimitInternalRecursion", set_recursion_limit, NULL, RSRC_CONF, + "maximum recursion depth of internal redirects and subrequests"), +@@ -4689,6 +4745,8 @@ static int core_pre_config(apr_pool_t *p + apr_pool_cleanup_register(pconf, NULL, reset_config_defines, + apr_pool_cleanup_null); + ++ ap_regcomp_set_default_cflags(AP_REG_DOLLAR_ENDONLY); ++ + mpm_common_pre_config(pconf); + + return OK; +Index: apache2-2.4.18/server/util_pcre.c +=================================================================== +--- apache2-2.4.18.orig/server/util_pcre.c 2018-04-18 10:51:09.727938688 -0400 ++++ apache2-2.4.18/server/util_pcre.c 2018-04-18 10:51:09.723938680 -0400 +@@ -111,6 +111,38 @@ AP_DECLARE(void) ap_regfree(ap_regex_t * + * Compile a regular expression * + *************************************************/ + ++static int default_cflags = AP_REG_DOLLAR_ENDONLY; ++ ++AP_DECLARE(int) ap_regcomp_get_default_cflags(void) ++{ ++ return default_cflags; ++} ++ ++AP_DECLARE(void) ap_regcomp_set_default_cflags(int cflags) ++{ ++ default_cflags = cflags; ++} ++ ++AP_DECLARE(int) ap_regcomp_default_cflag_by_name(const char *name) ++{ ++ int cflag = 0; ++ ++ if (ap_cstr_casecmp(name, "ICASE") == 0) { ++ cflag = AP_REG_ICASE; ++ } ++ else if (ap_cstr_casecmp(name, "DOTALL") == 0) { ++ cflag = AP_REG_DOTALL; ++ } ++ else if (ap_cstr_casecmp(name, "DOLLAR_ENDONLY") == 0) { ++ cflag = AP_REG_DOLLAR_ENDONLY; ++ } ++ else if (ap_cstr_casecmp(name, "EXTENDED") == 0) { ++ cflag = AP_REG_EXTENDED; ++ } ++ ++ return cflag; ++} ++ + /* + * Arguments: + * preg points to a structure for recording the compiled expression +@@ -127,12 +159,15 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t * + int errcode = 0; + int options = PCRE_DUPNAMES; + ++ cflags |= default_cflags; + if ((cflags & AP_REG_ICASE) != 0) + options |= PCRE_CASELESS; + if ((cflags & AP_REG_NEWLINE) != 0) + options |= PCRE_MULTILINE; + if ((cflags & AP_REG_DOTALL) != 0) + options |= PCRE_DOTALL; ++ if ((cflags & AP_REG_DOLLAR_ENDONLY) != 0) ++ options |= PCRE_DOLLAR_ENDONLY; + + preg->re_pcre = + pcre_compile2(pattern, options, &errcode, &errorptr, &erroffset, NULL); diff -Nru apache2-2.4.18/debian/patches/CVE-2017-15715-pre.patch apache2-2.4.18/debian/patches/CVE-2017-15715-pre.patch --- apache2-2.4.18/debian/patches/CVE-2017-15715-pre.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.18/debian/patches/CVE-2017-15715-pre.patch 2018-04-18 15:03:43.000000000 +0000 @@ -0,0 +1,183 @@ +Description: add ap_cstr_casecmp[n]() +Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1748334 + +Index: apache2-2.4.18/include/httpd.h +=================================================================== +--- apache2-2.4.18.orig/include/httpd.h 2018-04-18 11:01:22.805124317 -0400 ++++ apache2-2.4.18/include/httpd.h 2018-04-18 11:02:15.609229465 -0400 +@@ -2334,6 +2334,34 @@ AP_DECLARE(int) ap_array_str_index(const + AP_DECLARE(int) ap_array_str_contains(const apr_array_header_t *array, + const char *s); + ++/** ++ * Perform a case-insensitive comparison of two strings @a atr1 and @a atr2, ++ * treating upper and lower case values of the 26 standard C/POSIX alphabetic ++ * characters as equivalent. Extended latin characters outside of this set ++ * are treated as unique octets, irrespective of the current locale. ++ * ++ * Returns in integer greater than, equal to, or less than 0, ++ * according to whether @a str1 is considered greater than, equal to, ++ * or less than @a str2. ++ * ++ * @note Same code as apr_cstr_casecmp, which arrives in APR 1.6 ++ */ ++AP_DECLARE(int) ap_cstr_casecmp(const char *s1, const char *s2); ++ ++/** ++ * Perform a case-insensitive comparison of two strings @a atr1 and @a atr2, ++ * treating upper and lower case values of the 26 standard C/POSIX alphabetic ++ * characters as equivalent. Extended latin characters outside of this set ++ * are treated as unique octets, irrespective of the current locale. ++ * ++ * Returns in integer greater than, equal to, or less than 0, ++ * according to whether @a str1 is considered greater than, equal to, ++ * or less than @a str2. ++ * ++ * @note Same code as apr_cstr_casecmpn, which arrives in APR 1.6 ++ */ ++AP_DECLARE(int) ap_cstr_casecmpn(const char *s1, const char *s2, apr_size_t n); ++ + #ifdef __cplusplus + } + #endif +Index: apache2-2.4.18/server/util.c +=================================================================== +--- apache2-2.4.18.orig/server/util.c 2018-04-18 11:01:22.853124413 -0400 ++++ apache2-2.4.18/server/util.c 2018-04-18 11:02:15.605229457 -0400 +@@ -96,7 +96,6 @@ + #undef APLOG_MODULE_INDEX + #define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX + +- + /* + * Examine a field value (such as a media-/content-type) string and return + * it sans any parameters; e.g., strip off any ';charset=foo' and the like. +@@ -3148,3 +3147,128 @@ AP_DECLARE(int) ap_array_str_contains(co + return (ap_array_str_index(array, s, 0) >= 0); + } + ++#if !APR_CHARSET_EBCDIC ++/* ++ * Our own known-fast translation table for casecmp by character. ++ * Only ASCII alpha characters 41-5A are folded to 61-7A, other ++ * octets (such as extended latin alphabetics) are never case-folded. ++ * NOTE: Other than Alpha A-Z/a-z, each code point is unique! ++ */ ++static const short ucharmap[] = { ++ 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, ++ 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf, ++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, ++ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, ++ 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, ++ 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, ++ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, ++ 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, ++ 0x40, 'a', 'b', 'c', 'd', 'e', 'f', 'g', ++ 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', ++ 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', ++ 'x', 'y', 'z', 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, ++ 0x60, 'a', 'b', 'c', 'd', 'e', 'f', 'g', ++ 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', ++ 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', ++ 'x', 'y', 'z', 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, ++ 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, ++ 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, ++ 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, ++ 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, ++ 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, ++ 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, ++ 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, ++ 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, ++ 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, ++ 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, ++ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, ++ 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff ++}; ++#else /* APR_CHARSET_EBCDIC */ ++/* ++ * Derived from apr-iconv/ccs/cp037.c for EBCDIC case comparison, ++ * provides unique identity of every char value (strict ISO-646 ++ * conformance, arbitrary election of an ISO-8859-1 ordering, and ++ * very arbitrary control code assignments into C1 to achieve ++ * identity and a reversible mapping of code points), ++ * then folding the equivalences of ASCII 41-5A into 61-7A, ++ * presenting comparison results in a somewhat ISO/IEC 10646 ++ * (ASCII-like) order, depending on the EBCDIC code page in use. ++ * ++ * NOTE: Other than Alpha A-Z/a-z, each code point is unique! ++ */ ++static const short ucharmap[] = { ++ 0x00, 0x01, 0x02, 0x03, 0x9C, 0x09, 0x86, 0x7F, ++ 0x97, 0x8D, 0x8E, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, ++ 0x10, 0x11, 0x12, 0x13, 0x9D, 0x85, 0x08, 0x87, ++ 0x18, 0x19, 0x92, 0x8F, 0x1C, 0x1D, 0x1E, 0x1F, ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x0A, 0x17, 0x1B, ++ 0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x05, 0x06, 0x07, ++ 0x90, 0x91, 0x16, 0x93, 0x94, 0x95, 0x96, 0x04, ++ 0x98, 0x99, 0x9A, 0x9B, 0x14, 0x15, 0x9E, 0x1A, ++ 0x20, 0xA0, 0xE2, 0xE4, 0xE0, 0xE1, 0xE3, 0xE5, ++ 0xE7, 0xF1, 0xA2, 0x2E, 0x3C, 0x28, 0x2B, 0x7C, ++ 0x26, 0xE9, 0xEA, 0xEB, 0xE8, 0xED, 0xEE, 0xEF, ++ 0xEC, 0xDF, 0x21, 0x24, 0x2A, 0x29, 0x3B, 0xAC, ++ 0x2D, 0x2F, 0xC2, 0xC4, 0xC0, 0xC1, 0xC3, 0xC5, ++ 0xC7, 0xD1, 0xA6, 0x2C, 0x25, 0x5F, 0x3E, 0x3F, ++ 0xF8, 0xC9, 0xCA, 0xCB, 0xC8, 0xCD, 0xCE, 0xCF, ++ 0xCC, 0x60, 0x3A, 0x23, 0x40, 0x27, 0x3D, 0x22, ++ 0xD8, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, ++ 0x68, 0x69, 0xAB, 0xBB, 0xF0, 0xFD, 0xFE, 0xB1, ++ 0xB0, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, ++ 0x71, 0x72, 0xAA, 0xBA, 0xE6, 0xB8, 0xC6, 0xA4, ++ 0xB5, 0x7E, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, ++ 0x79, 0x7A, 0xA1, 0xBF, 0xD0, 0xDD, 0xDE, 0xAE, ++ 0x5E, 0xA3, 0xA5, 0xB7, 0xA9, 0xA7, 0xB6, 0xBC, ++ 0xBD, 0xBE, 0x5B, 0x5D, 0xAF, 0xA8, 0xB4, 0xD7, ++ 0x7B, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, ++ 0x68, 0x69, 0xAD, 0xF4, 0xF6, 0xF2, 0xF3, 0xF5, ++ 0x7D, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, ++ 0x71, 0x72, 0xB9, 0xFB, 0xFC, 0xF9, 0xFA, 0xFF, ++ 0x5C, 0xF7, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, ++ 0x79, 0x7A, 0xB2, 0xD4, 0xD6, 0xD2, 0xD3, 0xD5, ++ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, ++ 0x38, 0x39, 0xB3, 0xDB, 0xDC, 0xD9, 0xDA, 0x9F ++}; ++#endif ++ ++AP_DECLARE(int) ap_cstr_casecmp(const char *s1, const char *s2) ++{ ++ const unsigned char *str1 = (const unsigned char *)s1; ++ const unsigned char *str2 = (const unsigned char *)s2; ++ for (;;) ++ { ++ const int c1 = (int)(*str1); ++ const int c2 = (int)(*str2); ++ const int cmp = ucharmap[c1] - ucharmap[c2]; ++ /* Not necessary to test for !c2, this is caught by cmp */ ++ if (cmp || !c1) ++ return cmp; ++ str1++; ++ str2++; ++ } ++} ++ ++AP_DECLARE(int) ap_cstr_casecmpn(const char *s1, const char *s2, apr_size_t n) ++{ ++ const unsigned char *str1 = (const unsigned char *)s1; ++ const unsigned char *str2 = (const unsigned char *)s2; ++ while (n--) ++ { ++ const int c1 = (int)(*str1); ++ const int c2 = (int)(*str2); ++ const int cmp = ucharmap[c1] - ucharmap[c2]; ++ /* Not necessary to test for !c2, this is caught by cmp */ ++ if (cmp || !c1) ++ return cmp; ++ str1++; ++ str2++; ++ } ++ return 0; ++} ++ diff -Nru apache2-2.4.18/debian/patches/CVE-2018-1283.patch apache2-2.4.18/debian/patches/CVE-2018-1283.patch --- apache2-2.4.18/debian/patches/CVE-2018-1283.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.18/debian/patches/CVE-2018-1283.patch 2018-04-18 14:51:20.000000000 +0000 @@ -0,0 +1,28 @@ +Description: fix mod_session header manipulation +Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1824477 + +Index: apache2-2.4.18/modules/session/mod_session.c +=================================================================== +--- apache2-2.4.18.orig/modules/session/mod_session.c 2018-04-18 10:51:17.951953940 -0400 ++++ apache2-2.4.18/modules/session/mod_session.c 2018-04-18 10:51:17.951953940 -0400 +@@ -511,12 +511,15 @@ static int session_fixups(request_rec * + */ + ap_session_load(r, &z); + +- if (z && conf->env) { +- session_identity_encode(r, z); +- if (z->encoded) { +- apr_table_set(r->subprocess_env, HTTP_SESSION, z->encoded); +- z->encoded = NULL; ++ if (conf->env) { ++ if (z) { ++ session_identity_encode(r, z); ++ if (z->encoded) { ++ apr_table_set(r->subprocess_env, HTTP_SESSION, z->encoded); ++ z->encoded = NULL; ++ } + } ++ apr_table_unset(r->headers_in, "Session"); + } + + return OK; diff -Nru apache2-2.4.18/debian/patches/CVE-2018-1301.patch apache2-2.4.18/debian/patches/CVE-2018-1301.patch --- apache2-2.4.18/debian/patches/CVE-2018-1301.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.18/debian/patches/CVE-2018-1301.patch 2018-04-18 14:51:24.000000000 +0000 @@ -0,0 +1,200 @@ +Description: fix DoS via specially-crafted request +Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1824469 + +Index: apache2-2.4.29/server/protocol.c +=================================================================== +--- apache2-2.4.29.orig/server/protocol.c 2017-10-10 13:51:13.000000000 -0400 ++++ apache2-2.4.29/server/protocol.c 2018-04-18 09:15:27.027283380 -0400 +@@ -225,6 +225,11 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor + int fold = flags & AP_GETLINE_FOLD; + int crlf = flags & AP_GETLINE_CRLF; + ++ if (!n) { ++ /* Needs room for NUL byte at least */ ++ return APR_BADARG; ++ } ++ + /* + * Initialize last_char as otherwise a random value will be compared + * against APR_ASCII_LF at the end of the loop if bb only contains +@@ -238,14 +243,15 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor + rv = ap_get_brigade(r->proto_input_filters, bb, AP_MODE_GETLINE, + APR_BLOCK_READ, 0); + if (rv != APR_SUCCESS) { +- return rv; ++ goto cleanup; + } + + /* Something horribly wrong happened. Someone didn't block! + * (this also happens at the end of each keepalive connection) + */ + if (APR_BRIGADE_EMPTY(bb)) { +- return APR_EGENERAL; ++ rv = APR_EGENERAL; ++ goto cleanup; + } + + for (e = APR_BRIGADE_FIRST(bb); +@@ -263,7 +269,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor + + rv = apr_bucket_read(e, &str, &len, APR_BLOCK_READ); + if (rv != APR_SUCCESS) { +- return rv; ++ goto cleanup; + } + + if (len == 0) { +@@ -276,17 +282,8 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor + + /* Would this overrun our buffer? If so, we'll die. */ + if (n < bytes_handled + len) { +- *read = bytes_handled; +- if (*s) { +- /* ensure this string is NUL terminated */ +- if (bytes_handled > 0) { +- (*s)[bytes_handled-1] = '\0'; +- } +- else { +- (*s)[0] = '\0'; +- } +- } +- return APR_ENOSPC; ++ rv = APR_ENOSPC; ++ goto cleanup; + } + + /* Do we have to handle the allocation ourselves? */ +@@ -294,7 +291,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor + /* We'll assume the common case where one bucket is enough. */ + if (!*s) { + current_alloc = len; +- *s = apr_palloc(r->pool, current_alloc); ++ *s = apr_palloc(r->pool, current_alloc + 1); + } + else if (bytes_handled + len > current_alloc) { + /* Increase the buffer size */ +@@ -305,7 +302,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor + new_size = (bytes_handled + len) * 2; + } + +- new_buffer = apr_palloc(r->pool, new_size); ++ new_buffer = apr_palloc(r->pool, new_size + 1); + + /* Copy what we already had. */ + memcpy(new_buffer, *s, bytes_handled); +@@ -329,19 +326,15 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor + } + } + +- if (crlf && (last_char <= *s || last_char[-1] != APR_ASCII_CR)) { +- *last_char = '\0'; +- bytes_handled = last_char - *s; +- *read = bytes_handled; +- return APR_EINVAL; +- } +- +- /* Now NUL-terminate the string at the end of the line; ++ /* Now terminate the string at the end of the line; + * if the last-but-one character is a CR, terminate there */ + if (last_char > *s && last_char[-1] == APR_ASCII_CR) { + last_char--; + } +- *last_char = '\0'; ++ else if (crlf) { ++ rv = APR_EINVAL; ++ goto cleanup; ++ } + bytes_handled = last_char - *s; + + /* If we're folding, we have more work to do. +@@ -361,7 +354,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor + rv = ap_get_brigade(r->proto_input_filters, bb, AP_MODE_SPECULATIVE, + APR_BLOCK_READ, 1); + if (rv != APR_SUCCESS) { +- return rv; ++ goto cleanup; + } + + if (APR_BRIGADE_EMPTY(bb)) { +@@ -378,7 +371,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor + rv = apr_bucket_read(e, &str, &len, APR_BLOCK_READ); + if (rv != APR_SUCCESS) { + apr_brigade_cleanup(bb); +- return rv; ++ goto cleanup; + } + + /* Found one, so call ourselves again to get the next line. +@@ -395,10 +388,8 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor + if (c == APR_ASCII_BLANK || c == APR_ASCII_TAB) { + /* Do we have enough space? We may be full now. */ + if (bytes_handled >= n) { +- *read = n; +- /* ensure this string is terminated */ +- (*s)[n-1] = '\0'; +- return APR_ENOSPC; ++ rv = APR_ENOSPC; ++ goto cleanup; + } + else { + apr_size_t next_size, next_len; +@@ -411,7 +402,6 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor + tmp = NULL; + } + else { +- /* We're null terminated. */ + tmp = last_char; + } + +@@ -420,7 +410,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor + rv = ap_rgetline_core(&tmp, next_size, + &next_len, r, 0, bb); + if (rv != APR_SUCCESS) { +- return rv; ++ goto cleanup; + } + + if (do_alloc && next_len > 0) { +@@ -434,7 +424,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor + memcpy(new_buffer, *s, bytes_handled); + + /* copy the new line, including the trailing null */ +- memcpy(new_buffer + bytes_handled, tmp, next_len + 1); ++ memcpy(new_buffer + bytes_handled, tmp, next_len); + *s = new_buffer; + } + +@@ -447,8 +437,21 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor + } + } + } ++ ++cleanup: ++ if (bytes_handled >= n) { ++ bytes_handled = n - 1; ++ } ++ if (*s) { ++ /* ensure the string is NUL terminated */ ++ (*s)[bytes_handled] = '\0'; ++ } + *read = bytes_handled; + ++ if (rv != APR_SUCCESS) { ++ return rv; ++ } ++ + /* PR#43039: We shouldn't accept NULL bytes within the line */ + if (strlen(*s) < bytes_handled) { + return APR_EINVAL; +@@ -487,6 +490,11 @@ AP_DECLARE(int) ap_getline(char *s, int + apr_size_t len; + apr_bucket_brigade *tmp_bb; + ++ if (n < 1) { ++ /* Can't work since we always NUL terminate */ ++ return -1; ++ } ++ + tmp_bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); + rv = ap_rgetline(&tmp_s, n, &len, r, flags, tmp_bb); + apr_brigade_destroy(tmp_bb); diff -Nru apache2-2.4.18/debian/patches/CVE-2018-1303.patch apache2-2.4.18/debian/patches/CVE-2018-1303.patch --- apache2-2.4.18/debian/patches/CVE-2018-1303.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.18/debian/patches/CVE-2018-1303.patch 2018-04-18 14:51:28.000000000 +0000 @@ -0,0 +1,17 @@ +Description: fix mod_cache_socache DoS +Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1824475 + +Index: apache2-2.4.29/modules/cache/mod_cache_socache.c +=================================================================== +--- apache2-2.4.29.orig/modules/cache/mod_cache_socache.c 2017-06-29 07:31:20.000000000 -0400 ++++ apache2-2.4.29/modules/cache/mod_cache_socache.c 2018-04-18 09:15:39.675307037 -0400 +@@ -213,7 +213,8 @@ static apr_status_t read_table(cache_han + "Premature end of cache headers."); + return APR_EGENERAL; + } +- while (apr_isspace(buffer[colon])) { ++ /* Do not go past the \r from above as apr_isspace('\r') is true */ ++ while (apr_isspace(buffer[colon]) && (colon < *slider)) { + colon++; + } + apr_table_addn(table, apr_pstrndup(r->pool, (const char *) buffer diff -Nru apache2-2.4.18/debian/patches/CVE-2018-1312.patch apache2-2.4.18/debian/patches/CVE-2018-1312.patch --- apache2-2.4.18/debian/patches/CVE-2018-1312.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.18/debian/patches/CVE-2018-1312.patch 2018-04-18 14:52:56.000000000 +0000 @@ -0,0 +1,403 @@ +Description: fix insecure nonce generation +Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1824481 +Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=54637 + +Index: apache2-2.4.18/modules/aaa/mod_auth_digest.c +=================================================================== +--- apache2-2.4.18.orig/modules/aaa/mod_auth_digest.c 2018-04-18 10:51:39.939994842 -0400 ++++ apache2-2.4.18/modules/aaa/mod_auth_digest.c 2018-04-18 10:52:23.624076606 -0400 +@@ -26,20 +26,13 @@ + * reports to the Apache bug-database, or send them directly to me + * at ronald@innovation.ch. + * +- * Requires either /dev/random (or equivalent) or the truerand library, +- * available for instance from +- * ftp://research.att.com/dist/mab/librand.shar +- * + * Open Issues: + * - qop=auth-int (when streams and trailer support available) + * - nonce-format configurability + * - Proxy-Authorization-Info header is set by this module, but is + * currently ignored by mod_proxy (needs patch to mod_proxy) +- * - generating the secret takes a while (~ 8 seconds) if using the +- * truerand library + * - The source of the secret should be run-time directive (with server +- * scope: RSRC_CONF). However, that could be tricky when trying to +- * choose truerand vs. file... ++ * scope: RSRC_CONF) + * - shared-mem not completely tested yet. Seems to work ok for me, + * but... (definitely won't work on Windoze) + * - Sharing a realm among multiple servers has following problems: +@@ -52,6 +45,8 @@ + * captures a packet sent to one server and sends it to another + * one. Should we add "AuthDigestNcCheck Strict"? + * - expired nonces give amaya fits. ++ * - MD5-sess and auth-int are not yet implemented. An incomplete ++ * implementation has been removed and can be retrieved from svn history. + */ + + #include "apr_sha1.h" +@@ -94,7 +89,6 @@ typedef struct digest_config_struct { + apr_array_header_t *qop_list; + apr_sha1_ctx_t nonce_ctx; + apr_time_t nonce_lifetime; +- const char *nonce_format; + int check_nc; + const char *algorithm; + char *uri_list; +@@ -112,7 +106,8 @@ typedef struct digest_config_struct { + #define NONCE_HASH_LEN (2*APR_SHA1_DIGESTSIZE) + #define NONCE_LEN (int )(NONCE_TIME_LEN + NONCE_HASH_LEN) + +-#define SECRET_LEN 20 ++#define SECRET_LEN 20 ++#define RETAINED_DATA_ID "mod_auth_digest" + + + /* client list definitions */ +@@ -121,7 +116,6 @@ typedef struct hash_entry { + unsigned long key; /* the key for this entry */ + struct hash_entry *next; /* next entry in the bucket */ + unsigned long nonce_count; /* for nonce-count checking */ +- char ha1[2*APR_MD5_DIGESTSIZE+1]; /* for algorithm=MD5-sess */ + char last_nonce[NONCE_LEN+1]; /* for one-time nonce's */ + } client_entry; + +@@ -170,7 +164,7 @@ typedef union time_union { + unsigned char arr[sizeof(apr_time_t)]; + } time_rec; + +-static unsigned char secret[SECRET_LEN]; ++static unsigned char *secret; + + /* client-list, opaque, and one-time-nonce stuff */ + +@@ -228,35 +222,11 @@ static apr_status_t cleanup_tables(void + return APR_SUCCESS; + } + +-static apr_status_t initialize_secret(server_rec *s) +-{ +- apr_status_t status; +- +- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01757) +- "generating secret for digest authentication ..."); +- +-#if APR_HAS_RANDOM +- status = apr_generate_random_bytes(secret, sizeof(secret)); +-#else +-#error APR random number support is missing; you probably need to install the truerand library. +-#endif +- +- if (status != APR_SUCCESS) { +- ap_log_error(APLOG_MARK, APLOG_CRIT, status, s, APLOGNO(01758) +- "error generating secret"); +- return status; +- } +- +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01759) "done"); +- +- return APR_SUCCESS; +-} +- + static void log_error_and_cleanup(char *msg, apr_status_t sts, server_rec *s) + { + ap_log_error(APLOG_MARK, APLOG_ERR, sts, s, APLOGNO(01760) +- "%s - all nonce-count checking, one-time nonces, and " +- "MD5-sess algorithm disabled", msg); ++ "%s - all nonce-count checking and one-time nonces" ++ "disabled", msg); + + cleanup_tables(NULL); + } +@@ -377,16 +347,32 @@ static int initialize_tables(server_rec + static int pre_init(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp) + { + apr_status_t rv; ++ void *retained; + + rv = ap_mutex_register(pconf, client_mutex_type, NULL, APR_LOCK_DEFAULT, 0); +- if (rv == APR_SUCCESS) { +- rv = ap_mutex_register(pconf, opaque_mutex_type, NULL, APR_LOCK_DEFAULT, +- 0); +- } +- if (rv != APR_SUCCESS) { +- return rv; +- } ++ if (rv != APR_SUCCESS) ++ return !OK; ++ rv = ap_mutex_register(pconf, opaque_mutex_type, NULL, APR_LOCK_DEFAULT, 0); ++ if (rv != APR_SUCCESS) ++ return !OK; + ++ retained = ap_retained_data_get(RETAINED_DATA_ID); ++ if (retained == NULL) { ++ retained = ap_retained_data_create(RETAINED_DATA_ID, SECRET_LEN); ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, APLOGNO(01757) ++ "generating secret for digest authentication"); ++#if APR_HAS_RANDOM ++ rv = apr_generate_random_bytes(retained, SECRET_LEN); ++#else ++#error APR random number support is missing ++#endif ++ if (rv != APR_SUCCESS) { ++ ap_log_error(APLOG_MARK, APLOG_CRIT, rv, NULL, APLOGNO(01758) ++ "error generating secret"); ++ return !OK; ++ } ++ } ++ secret = retained; + return OK; + } + +@@ -399,10 +385,6 @@ static int initialize_module(apr_pool_t + if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) + return OK; + +- if (initialize_secret(s) != APR_SUCCESS) { +- return !OK; +- } +- + #if APR_HAS_SHARED_MEMORY + /* Note: this stuff is currently fixed for the lifetime of the server, + * i.e. even across restarts. This means that A) any shmem-size +@@ -483,6 +465,16 @@ static void *create_digest_dir_config(ap + static const char *set_realm(cmd_parms *cmd, void *config, const char *realm) + { + digest_config_rec *conf = (digest_config_rec *) config; ++#ifdef AP_DEBUG ++ int i; ++ ++ /* check that we got random numbers */ ++ for (i = 0; i < SECRET_LEN; i++) { ++ if (secret[i] != 0) ++ break; ++ } ++ ap_assert(i < SECRET_LEN); ++#endif + + /* The core already handles the realm, but it's just too convenient to + * grab it ourselves too and cache some setups. However, we need to +@@ -496,7 +488,7 @@ static const char *set_realm(cmd_parms * + * and directives outside a virtual host section) + */ + apr_sha1_init(&conf->nonce_ctx); +- apr_sha1_update_binary(&conf->nonce_ctx, secret, sizeof(secret)); ++ apr_sha1_update_binary(&conf->nonce_ctx, secret, SECRET_LEN); + apr_sha1_update_binary(&conf->nonce_ctx, (const unsigned char *) realm, + strlen(realm)); + +@@ -590,8 +582,7 @@ static const char *set_nonce_lifetime(cm + static const char *set_nonce_format(cmd_parms *cmd, void *config, + const char *fmt) + { +- ((digest_config_rec *) config)->nonce_format = fmt; +- return "AuthDigestNonceFormat is not implemented (yet)"; ++ return "AuthDigestNonceFormat is not implemented"; + } + + static const char *set_nc_check(cmd_parms *cmd, void *config, int flag) +@@ -612,7 +603,7 @@ static const char *set_algorithm(cmd_par + { + if (!strcasecmp(alg, "MD5-sess")) { + return "AuthDigestAlgorithm: ERROR: algorithm `MD5-sess' " +- "is not fully implemented"; ++ "is not implemented"; + } + else if (strcasecmp(alg, "MD5")) { + return apr_pstrcat(cmd->pool, "Invalid algorithm in AuthDigestAlgorithm: ", alg, NULL); +@@ -1138,7 +1129,7 @@ static const char *gen_nonce(apr_pool_t + static client_entry *gen_client(const request_rec *r) + { + unsigned long op; +- client_entry new_entry = { 0, NULL, 0, "", "" }, *entry; ++ client_entry new_entry = { 0, NULL, 0, "" }, *entry; + + if (!opaque_cntr) { + return NULL; +@@ -1159,92 +1150,6 @@ static client_entry *gen_client(const re + + + /* +- * MD5-sess code. +- * +- * If you want to use algorithm=MD5-sess you must write get_userpw_hash() +- * yourself (see below). The dummy provided here just uses the hash from +- * the auth-file, i.e. it is only useful for testing client implementations +- * of MD5-sess . +- */ +- +-/* +- * get_userpw_hash() will be called each time a new session needs to be +- * generated and is expected to return the equivalent of +- * +- * h_urp = ap_md5(r->pool, +- * apr_pstrcat(r->pool, username, ":", ap_auth_name(r), ":", passwd)) +- * ap_md5(r->pool, +- * (unsigned char *) apr_pstrcat(r->pool, h_urp, ":", resp->nonce, ":", +- * resp->cnonce, NULL)); +- * +- * or put differently, it must return +- * +- * MD5(MD5(username ":" realm ":" password) ":" nonce ":" cnonce) +- * +- * If something goes wrong, the failure must be logged and NULL returned. +- * +- * You must implement this yourself, which will probably consist of code +- * contacting the password server with the necessary information (typically +- * the username, realm, nonce, and cnonce) and receiving the hash from it. +- * +- * TBD: This function should probably be in a separate source file so that +- * people need not modify mod_auth_digest.c each time they install a new +- * version of apache. +- */ +-static const char *get_userpw_hash(const request_rec *r, +- const digest_header_rec *resp, +- const digest_config_rec *conf) +-{ +- return ap_md5(r->pool, +- (unsigned char *) apr_pstrcat(r->pool, conf->ha1, ":", resp->nonce, +- ":", resp->cnonce, NULL)); +-} +- +- +-/* Retrieve current session H(A1). If there is none and "generate" is +- * true then a new session for MD5-sess is generated and stored in the +- * client struct; if generate is false, or a new session could not be +- * generated then NULL is returned (in case of failure to generate the +- * failure reason will have been logged already). +- */ +-static const char *get_session_HA1(const request_rec *r, +- digest_header_rec *resp, +- const digest_config_rec *conf, +- int generate) +-{ +- const char *ha1 = NULL; +- +- /* return the current sessions if there is one */ +- if (resp->opaque && resp->client && resp->client->ha1[0]) { +- return resp->client->ha1; +- } +- else if (!generate) { +- return NULL; +- } +- +- /* generate a new session */ +- if (!resp->client) { +- resp->client = gen_client(r); +- } +- if (resp->client) { +- ha1 = get_userpw_hash(r, resp, conf); +- if (ha1) { +- memcpy(resp->client->ha1, ha1, sizeof(resp->client->ha1)); +- } +- } +- +- return ha1; +-} +- +- +-static void clear_session(const digest_header_rec *resp) +-{ +- if (resp->client) { +- resp->client->ha1[0] = '\0'; +- } +-} +- +-/* + * Authorization challenge generation code (for WWW-Authenticate) + */ + +@@ -1282,8 +1187,7 @@ static void note_digest_auth_failure(req + + if (resp->opaque == NULL) { + /* new client */ +- if ((conf->check_nc || conf->nonce_lifetime == 0 +- || !strcasecmp(conf->algorithm, "MD5-sess")) ++ if ((conf->check_nc || conf->nonce_lifetime == 0) + && (resp->client = gen_client(r)) != NULL) { + opaque = ltox(r->pool, resp->client->key); + } +@@ -1323,15 +1227,6 @@ static void note_digest_auth_failure(req + memcpy(resp->client->last_nonce, nonce, NONCE_LEN+1); + } + +- /* Setup MD5-sess stuff. Note that we just clear out the session +- * info here, since we can't generate a new session until the request +- * from the client comes in with the cnonce. +- */ +- +- if (!strcasecmp(conf->algorithm, "MD5-sess")) { +- clear_session(resp); +- } +- + /* setup domain attribute. We want to send this attribute wherever + * possible so that the client won't send the Authorization header + * unnecessarily (it's usually > 200 bytes!). +@@ -1597,24 +1492,9 @@ static const char *new_digest(const requ + { + const char *ha1, *ha2, *a2; + +- if (resp->algorithm && !strcasecmp(resp->algorithm, "MD5-sess")) { +- ha1 = get_session_HA1(r, resp, conf, 1); +- if (!ha1) { +- return NULL; +- } +- } +- else { +- ha1 = conf->ha1; +- } ++ ha1 = conf->ha1; + +- if (resp->message_qop && !strcasecmp(resp->message_qop, "auth-int")) { +- a2 = apr_pstrcat(r->pool, resp->method, ":", resp->uri, ":", +- ap_md5(r->pool, (const unsigned char*) ""), NULL); +- /* TBD */ +- } +- else { +- a2 = apr_pstrcat(r->pool, resp->method, ":", resp->uri, NULL); +- } ++ a2 = apr_pstrcat(r->pool, resp->method, ":", resp->uri, NULL); + ha2 = ap_md5(r->pool, (const unsigned char *)a2); + + return ap_md5(r->pool, +@@ -1862,8 +1742,7 @@ static int authenticate_digest_user(requ + } + + if (resp->algorithm != NULL +- && strcasecmp(resp->algorithm, "MD5") +- && strcasecmp(resp->algorithm, "MD5-sess")) { ++ && strcasecmp(resp->algorithm, "MD5")) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01789) + "unknown algorithm `%s' received: %s", + resp->algorithm, r->uri); +@@ -2015,27 +1894,9 @@ static int add_auth_info(request_rec *r) + + /* calculate rspauth attribute + */ +- if (resp->algorithm && !strcasecmp(resp->algorithm, "MD5-sess")) { +- ha1 = get_session_HA1(r, resp, conf, 0); +- if (!ha1) { +- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01795) +- "internal error: couldn't find session " +- "info for user %s", resp->username); +- return !OK; +- } +- } +- else { +- ha1 = conf->ha1; +- } ++ ha1 = conf->ha1; + +- if (resp->message_qop && !strcasecmp(resp->message_qop, "auth-int")) { +- a2 = apr_pstrcat(r->pool, ":", resp->uri, ":", +- ap_md5(r->pool,(const unsigned char *) ""), NULL); +- /* TBD */ +- } +- else { +- a2 = apr_pstrcat(r->pool, ":", resp->uri, NULL); +- } ++ a2 = apr_pstrcat(r->pool, ":", resp->uri, NULL); + ha2 = ap_md5(r->pool, (const unsigned char *)a2); + + resp_dig = ap_md5(r->pool, diff -Nru apache2-2.4.18/debian/patches/series apache2-2.4.18/debian/patches/series --- apache2-2.4.18/debian/patches/series 2017-09-18 15:08:55.000000000 +0000 +++ apache2-2.4.18/debian/patches/series 2018-04-18 15:01:29.000000000 +0000 @@ -22,3 +22,11 @@ CVE-2017-7679.patch CVE-2017-9788.patch CVE-2017-9798.patch +util_ldap_cache_lock_fix.patch +CVE-2017-15710.patch +CVE-2017-15715-pre.patch +CVE-2017-15715.patch +CVE-2018-1283.patch +CVE-2018-1301.patch +CVE-2018-1303.patch +CVE-2018-1312.patch diff -Nru apache2-2.4.18/debian/patches/util_ldap_cache_lock_fix.patch apache2-2.4.18/debian/patches/util_ldap_cache_lock_fix.patch --- apache2-2.4.18/debian/patches/util_ldap_cache_lock_fix.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.18/debian/patches/util_ldap_cache_lock_fix.patch 2018-04-04 00:03:33.000000000 +0000 @@ -0,0 +1,55 @@ +Description: [PATCH] Merge r1824811 from trunk: + + 00:00:00 2001 From: Yann Ylavic Date: Tue, 20 Feb 2018 + 13:02:54 +0000 Subject: [PATCH] Merge r1824811 from trunk: + +10 years after r567503 , fix this properly. + +The lock is created in post_config, so we can't copy it +around in a merge_server_config() callback. + +Submitted by: covener +Reviewed by: covener, rpluem, jim +-- +Origin: https://bz.apache.org/bugzilla/show_bug.cgi?id=60296 +Origin: upstream, commit: 39ae6cd642689c20b599727ee1fb95233faabb05 +Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=58483 +Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=60296 +Bug-Debian: https://bugs.debian.org/814980 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1752683 +Reviewed-by: Rafael David Tinoco +Last-Update: 2018-03-01 +--- + modules/ldap/util_ldap.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c +index 52acafb..b671bf9 100644 +--- a/modules/ldap/util_ldap.c ++++ b/modules/ldap/util_ldap.c +@@ -2858,7 +2858,6 @@ static void *util_ldap_merge_config(apr_pool_t *p, void *basev, + st->search_cache_size = base->search_cache_size; + st->compare_cache_ttl = base->compare_cache_ttl; + st->compare_cache_size = base->compare_cache_size; +- st->util_ldap_cache_lock = base->util_ldap_cache_lock; + + st->connections = NULL; + st->ssl_supported = 0; /* not known until post-config and re-merged */ +@@ -2977,12 +2976,12 @@ static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog, + st_vhost = (util_ldap_state_t *) + ap_get_module_config(s_vhost->module_config, + &ldap_module); +- ++ st_vhost->util_ldap_cache = st->util_ldap_cache; ++ st_vhost->util_ldap_cache_lock = st->util_ldap_cache_lock; + #if APR_HAS_SHARED_MEMORY + st_vhost->cache_shm = st->cache_shm; + st_vhost->cache_rmm = st->cache_rmm; + st_vhost->cache_file = st->cache_file; +- st_vhost->util_ldap_cache = st->util_ldap_cache; + ap_log_error(APLOG_MARK, APLOG_DEBUG, result, s, APLOGNO(01316) + "LDAP merging Shared Cache conf: shm=0x%pp rmm=0x%pp " + "for VHOST: %s", st->cache_shm, st->cache_rmm, +-- +2.7.4 +