diff -Nru apache2-2.4.41/debian/apache2ctl apache2-2.4.41/debian/apache2ctl --- apache2-2.4.41/debian/apache2ctl 2020-11-13 01:29:22.000000000 +0000 +++ apache2-2.4.41/debian/apache2ctl 2021-07-05 07:11:44.000000000 +0000 @@ -143,18 +143,6 @@ fi } -need_systemd () { - # Detect if systemd is in use and should be used for managing - # the Apache2 httpd service. Returns 0 if so, 1 otherwise. - if [ -z "${APACHE_STARTED_BY_SYSTEMD}" ]; then - case "$(readlink -f /proc/1/exe)" in - *systemd*) - return 0 - ;; - esac - fi - return 1 -} [ ! -d ${APACHE_RUN_DIR:-/var/run/apache2} ] && mkdir -p ${APACHE_RUN_DIR:-/var/run/apache2} [ ! -d ${APACHE_LOCK_DIR:-/var/lock/apache2} ] && mkdir_chown ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2} @@ -165,38 +153,38 @@ # (this is bad if there are several apache2 instances running) rm -f ${APACHE_RUN_DIR:-/var/run/apache2}/*ssl_scache* - if need_systemd; then + need_systemd=false + if [ -z "$APACHE_STARTED_BY_SYSTEMD" ] ; then + case "$(readlink -f /proc/1/exe)" in + *systemd*) + need_systemd=true + ;; + *) + ;; + esac + fi + if $need_systemd ; then # If running on systemd we should not start httpd without systemd # or systemd will get confused about the status of httpd. - echo "Invoking 'systemctl start ${APACHE_SYSTEMD_SERVICE}'." - echo "Use 'systemctl status ${APACHE_SYSTEMD_SERVICE}' for more info." - systemctl start "${APACHE_SYSTEMD_SERVICE}" + echo "Invoking 'systemctl start $APACHE_SYSTEMD_SERVICE'." + echo "Use 'systemctl status $APACHE_SYSTEMD_SERVICE' for more info." + systemctl start "$APACHE_SYSTEMD_SERVICE" else unset APACHE_STARTED_BY_SYSTEMD - ${HTTPD} ${APACHE_ARGUMENTS} -k "${ARGV}" + $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV" fi ERROR=$? ;; stop|graceful-stop) - ${HTTPD} ${APACHE_ARGUMENTS} -k "$ARGV" + $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV" ERROR=$? ;; restart|graceful) if $HTTPD ${APACHE_ARGUMENTS} -t 2> /dev/null ; then - if need_systemd; then - # If running on systemd we should not directly restart httpd since - # systemd would be confused about httpd's status. - # (See LP: #1832182) - echo "Invoking 'systemctl restart ${APACHE_SYSTEMD_SERVICE}'." - echo "Use 'systemctl status ${APACHE_SYSTEMD_SERVICE}' for more info." - systemctl restart "${APACHE_SYSTEMD_SERVICE}" - else - unset APACHE_STARTED_BY_SYSTEMD - ${HTTPD} ${APACHE_ARGUMENTS} -k "${ARGV}" - fi + $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV" else - ${HTTPD} ${APACHE_ARGUMENTS} -t + $HTTPD ${APACHE_ARGUMENTS} -t fi ERROR=$? ;; diff -Nru apache2-2.4.41/debian/changelog apache2-2.4.41/debian/changelog --- apache2-2.4.41/debian/changelog 2020-11-13 01:36:32.000000000 +0000 +++ apache2-2.4.41/debian/changelog 2021-07-05 07:16:56.000000000 +0000 @@ -1,12 +1,37 @@ -apache2 (2.4.41-4ubuntu3.2) focal; urgency=medium +apache2 (2.4.41-4ubuntu3.4) focal; urgency=medium - * d/apache2ctl: Also use systemd for graceful if it is in use. - (LP: #1832182) - - This extends an earlier fix for the start command to behave - similarly for restart / graceful. Fixes service failures on - unattended upgrade. + * d/p/lp-1930430-Backport-r1865740.patch: fix OCSP in proxy mode + (LP: #1930430) - -- Bryce Harrington Fri, 13 Nov 2020 01:36:32 +0000 + -- Christian Ehrhardt Mon, 05 Jul 2021 09:16:56 +0200 + +apache2 (2.4.41-4ubuntu3.3) focal-security; urgency=medium + + * SECURITY UPDATE: mod_proxy_http denial of service. + - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy + connection in modules/proxy/mod_proxy_http.c. + - CVE-2020-13950 + * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest + - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's + base64 to fail early if the format can't match anyway in + modules/aaa/mod_auth_digest.c. + - CVE-2020-35452 + * SECURITY UPDATE: DoS via cookie header in mod_session + - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in + session_identity_decode() in modules/session/mod_session.c. + - CVE-2021-26690 + * SECURITY UPDATE: heap overflow via SessionHeader + - debian/patches/CVE-2021-26691.patch: account for the '&' in + identity_concat() in modules/session/mod_session.c. + - CVE-2021-26691 + * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF' + - debian/patches/CVE-2021-30641.patch: change default behavior in + server/request.c. + - CVE-2021-30641 + * This update does _not_ include the changes from 2.4.41-4ubuntu3.2 in + focal-proposed. + + -- Marc Deslauriers Thu, 17 Jun 2021 14:27:53 -0400 apache2 (2.4.41-4ubuntu3.1) focal-security; urgency=medium diff -Nru apache2-2.4.41/debian/patches/CVE-2020-13950.patch apache2-2.4.41/debian/patches/CVE-2020-13950.patch --- apache2-2.4.41/debian/patches/CVE-2020-13950.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.41/debian/patches/CVE-2020-13950.patch 2021-07-05 07:11:44.000000000 +0000 @@ -0,0 +1,33 @@ +Backport of: + +From 8c162db8b65b2193e622b780e8c6516d4265f68b Mon Sep 17 00:00:00 2001 +From: Yann Ylavic +Date: Mon, 11 May 2015 15:48:58 +0000 +Subject: [PATCH] mod_proxy_http: follow up to r1656259. The proxy connection + may be NULL during prefetch, don't try to dereference it! Still + origin->keepalive will be set according to p_conn->close by the caller + (proxy_http_handler). + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1678771 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/proxy/mod_proxy_http.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/modules/proxy/mod_proxy_http.c ++++ b/modules/proxy/mod_proxy_http.c +@@ -570,7 +570,6 @@ static int ap_proxy_http_prefetch(proxy_ + apr_off_t bytes; + int force10, rv; + apr_read_type_e block; +- conn_rec *origin = p_conn->connection; + + if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) { + if (req->expecting_100) { +@@ -630,7 +629,6 @@ static int ap_proxy_http_prefetch(proxy_ + "chunked body with Content-Length (C-L ignored)", + c->client_ip, c->remote_host ? c->remote_host: ""); + req->old_cl_val = NULL; +- origin->keepalive = AP_CONN_CLOSE; + p_conn->close = 1; + } + diff -Nru apache2-2.4.41/debian/patches/CVE-2020-35452.patch apache2-2.4.41/debian/patches/CVE-2020-35452.patch --- apache2-2.4.41/debian/patches/CVE-2020-35452.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.41/debian/patches/CVE-2020-35452.patch 2021-07-05 07:11:44.000000000 +0000 @@ -0,0 +1,51 @@ +From 3b6431eb9c9dba603385f70a2131ab4a01bf0d3b Mon Sep 17 00:00:00 2001 +From: Yann Ylavic +Date: Mon, 18 Jan 2021 17:39:12 +0000 +Subject: [PATCH] Merge r1885659 from trunk: + +mod_auth_digest: Fast validation of the nonce's base64 to fail early if + the format can't match anyway. + +Submitted by: ylavic +Reviewed by: ylavic, covener, jailletc36 + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1885666 13f79535-47bb-0310-9956-ffa450edef68 +--- + CHANGES | 3 +++ + modules/aaa/mod_auth_digest.c | 9 +++++++-- + 2 files changed, 10 insertions(+), 2 deletions(-) + +#diff --git a/CHANGES b/CHANGES +#index e5c6afc3aa5..5af3c081b93 100644 +#--- a/CHANGES +#+++ b/CHANGES +#@@ -1,6 +1,9 @@ +# -*- coding: utf-8 -*- +# Changes with Apache 2.4.47 +# +#+ *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if +#+ the format can't match anyway. [Yann Ylavic] +#+ +# *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked +# Transfer-Encoding from the client, spooling the request body when needed +# to provide a Content-Length to the backend. PR 57087. [Yann Ylavic] +--- a/modules/aaa/mod_auth_digest.c ++++ b/modules/aaa/mod_auth_digest.c +@@ -1422,9 +1422,14 @@ static int check_nonce(request_rec *r, d + time_rec nonce_time; + char tmp, hash[NONCE_HASH_LEN+1]; + +- if (strlen(resp->nonce) != NONCE_LEN) { ++ /* Since the time part of the nonce is a base64 encoding of an ++ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise. ++ */ ++ if (strlen(resp->nonce) != NONCE_LEN ++ || resp->nonce[NONCE_TIME_LEN - 1] != '=') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775) +- "invalid nonce %s received - length is not %d", ++ "invalid nonce '%s' received - length is not %d " ++ "or time encoding is incorrect", + resp->nonce, NONCE_LEN); + note_digest_auth_failure(r, conf, resp, 1); + return HTTP_UNAUTHORIZED; diff -Nru apache2-2.4.41/debian/patches/CVE-2021-26690.patch apache2-2.4.41/debian/patches/CVE-2021-26690.patch --- apache2-2.4.41/debian/patches/CVE-2021-26690.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.41/debian/patches/CVE-2021-26690.patch 2021-07-05 07:11:44.000000000 +0000 @@ -0,0 +1,25 @@ +From 67bd9bfe6c38831e14fe7122f1d84391472498f8 Mon Sep 17 00:00:00 2001 +From: Yann Ylavic +Date: Mon, 1 Mar 2021 20:07:08 +0000 +Subject: [PATCH] mod_session: save one apr_strtok() in + session_identity_decode(). + +When the encoding is invalid (missing '='), no need to parse further. + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887050 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/session/mod_session.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/modules/session/mod_session.c ++++ b/modules/session/mod_session.c +@@ -404,8 +404,8 @@ static apr_status_t session_identity_dec + char *plast = NULL; + const char *psep = "="; + char *key = apr_strtok(pair, psep, &plast); +- char *val = apr_strtok(NULL, psep, &plast); + if (key && *key) { ++ char *val = apr_strtok(NULL, sep, &plast); + if (!val || !*val) { + apr_table_unset(z->entries, key); + } diff -Nru apache2-2.4.41/debian/patches/CVE-2021-26691.patch apache2-2.4.41/debian/patches/CVE-2021-26691.patch --- apache2-2.4.41/debian/patches/CVE-2021-26691.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.41/debian/patches/CVE-2021-26691.patch 2021-07-05 07:11:44.000000000 +0000 @@ -0,0 +1,39 @@ +From 7e09dd714fc62c08c5b0319ed7b9702594faf49b Mon Sep 17 00:00:00 2001 +From: Yann Ylavic +Date: Mon, 1 Mar 2021 20:13:54 +0000 +Subject: [PATCH] mod_session: account for the '&' in identity_concat(). + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68 +--- + changes-entries/session_parsing.txt | 2 ++ + modules/session/mod_session.c | 3 +-- + 2 files changed, 3 insertions(+), 2 deletions(-) + create mode 100644 changes-entries/session_parsing.txt + +#diff --git a/changes-entries/session_parsing.txt b/changes-entries/session_parsing.txt +#new file mode 100644 +#index 00000000000..a996e821063 +#--- /dev/null +#+++ b/changes-entries/session_parsing.txt +#@@ -0,0 +1,2 @@ +#+ *) mod_session: Improve session parsing. [Yann Yalvic] +#+ +--- a/modules/session/mod_session.c ++++ b/modules/session/mod_session.c +@@ -317,7 +317,7 @@ static apr_status_t ap_session_set(reque + static int identity_count(void *v, const char *key, const char *val) + { + int *count = v; +- *count += strlen(key) * 3 + strlen(val) * 3 + 1; ++ *count += strlen(key) * 3 + strlen(val) * 3 + 2; + return 1; + } + +@@ -353,7 +353,6 @@ static int identity_concat(void *v, cons + */ + static apr_status_t session_identity_encode(request_rec * r, session_rec * z) + { +- + char *buffer = NULL; + int length = 0; + if (z->expiry) { diff -Nru apache2-2.4.41/debian/patches/CVE-2021-30641.patch apache2-2.4.41/debian/patches/CVE-2021-30641.patch --- apache2-2.4.41/debian/patches/CVE-2021-30641.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.41/debian/patches/CVE-2021-30641.patch 2021-07-05 07:11:44.000000000 +0000 @@ -0,0 +1,60 @@ +From eb986059aa5aa0b6c1d52714ea83e3dd758afdd1 Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Wed, 21 Apr 2021 01:10:12 +0000 +Subject: [PATCH] Merge r1889036 from trunk: + +legacy default slash-matching behavior w/ 'MergeSlashes OFF' + +Submitted By: Ruediger Pluem +Reviewed By: covener, rpluem, ylavic + + + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1889038 13f79535-47bb-0310-9956-ffa450edef68 +--- + server/request.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/server/request.c ++++ b/server/request.c +@@ -1419,7 +1419,20 @@ AP_DECLARE(int) ap_location_walk(request + + cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r); + cached = (cache->cached != NULL); +- entry_uri = r->uri; ++ ++ /* ++ * When merge_slashes is set to AP_CORE_CONFIG_OFF the slashes in r->uri ++ * have not been merged. But for Location walks we always go with merged ++ * slashes no matter what merge_slashes is set to. ++ */ ++ if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) { ++ entry_uri = r->uri; ++ } ++ else { ++ char *uri = apr_pstrdup(r->pool, r->uri); ++ ap_no2slash(uri); ++ entry_uri = uri; ++ } + + /* If we have an cache->cached location that matches r->uri, + * and the vhost's list of locations hasn't changed, we can skip +@@ -1486,7 +1499,7 @@ AP_DECLARE(int) ap_location_walk(request + pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t)); + } + +- if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) { ++ if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) { + continue; + } + +@@ -1496,7 +1509,7 @@ AP_DECLARE(int) ap_location_walk(request + apr_table_setn(r->subprocess_env, + ((const char **)entry_core->refs->elts)[i], + apr_pstrndup(r->pool, +- entry_uri + pmatch[i].rm_so, ++ r->uri + pmatch[i].rm_so, + pmatch[i].rm_eo - pmatch[i].rm_so)); + } + } diff -Nru apache2-2.4.41/debian/patches/lp-1930430-Backport-r1865740.patch apache2-2.4.41/debian/patches/lp-1930430-Backport-r1865740.patch --- apache2-2.4.41/debian/patches/lp-1930430-Backport-r1865740.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.41/debian/patches/lp-1930430-Backport-r1865740.patch 2021-07-05 07:15:29.000000000 +0000 @@ -0,0 +1,32 @@ +From c11b1cd3b11f073ab1b5d1d670cec9db21144683 Mon Sep 17 00:00:00 2001 +From: Graham Leggett +Date: Wed, 1 Jan 2020 23:05:42 +0000 +Subject: [PATCH] Backport r1865740. mod_ssl: OCSP does not apply to proxy + mode. + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1872226 13f79535-47bb-0310-9956-ffa450edef68 + +Origin: backport, https://github.com/apache/httpd/commit/c11b1cd3b11f +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1930430 +Last-Update: 2021-07-05 +X-Backport-Note: skipped non functional changes to status (doesn't exist) and changes (does't match) + +--- + CHANGES | 2 ++ + STATUS | 5 ----- + modules/ssl/ssl_engine_kernel.c | 4 ++-- + 3 files changed, 4 insertions(+), 7 deletions(-) + +--- a/modules/ssl/ssl_engine_kernel.c ++++ b/modules/ssl/ssl_engine_kernel.c +@@ -1836,8 +1836,8 @@ int ssl_callback_SSLVerify(int ok, X509_ + /* + * Perform OCSP-based revocation checks + */ +- if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) || +- (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) { ++ if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) || ++ (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)))) { + /* If there was an optional verification error, it's not + * possible to perform OCSP validation since the issuer may be + * missing/untrusted. Fail in that case. */ diff -Nru apache2-2.4.41/debian/patches/series apache2-2.4.41/debian/patches/series --- apache2-2.4.41/debian/patches/series 2020-11-10 00:43:24.000000000 +0000 +++ apache2-2.4.41/debian/patches/series 2021-07-05 07:12:42.000000000 +0000 @@ -22,3 +22,9 @@ CVE-2020-11984.patch CVE-2020-11993-pre1.patch CVE-2020-11993.patch +CVE-2020-13950.patch +CVE-2020-35452.patch +CVE-2021-26690.patch +CVE-2021-26691.patch +CVE-2021-30641.patch +lp-1930430-Backport-r1865740.patch