From owner-svn-ports-head@freebsd.org Mon Jul 18 20:14:21 2016 Return-Path: Delivered-To: svn-ports-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3377EB9DBDA; Mon, 18 Jul 2016 20:14:21 +0000 (UTC) (envelope-from brnrd@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DB77E1840; Mon, 18 Jul 2016 20:14:20 +0000 (UTC) (envelope-from brnrd@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u6IKEJw2008607; Mon, 18 Jul 2016 20:14:19 GMT (envelope-from brnrd@FreeBSD.org) Received: (from brnrd@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u6IKEJEC008603; Mon, 18 Jul 2016 20:14:19 GMT (envelope-from brnrd@FreeBSD.org) Message-Id: <201607182014.u6IKEJEC008603@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: brnrd set sender to brnrd@FreeBSD.org using -f From: Bernard Spil Date: Mon, 18 Jul 2016 20:14:19 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r418743 - in head/www: apache22 apache22/files apache24 apache24/files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Jul 2016 20:14:21 -0000 Author: brnrd Date: Mon Jul 18 20:14:19 2016 New Revision: 418743 URL: https://svnweb.freebsd.org/changeset/ports/418743 Log: www/apache24: Fix httpoxy vulnerability (+2.2) - Add upstream patch to www/apache24 - Add upstream patch to www/apache22 - Bump PORTREVISION Approved by: feld (ports-secteam) MFH: 2016Q3 Security: cf0b5668-4d1b-11e6-b2ec-b499baebfeaf Security: CVE-2016-5387 Added: head/www/apache22/files/patch-httpoxy (contents, props changed) head/www/apache24/files/patch-httpoxy (contents, props changed) Modified: head/www/apache22/Makefile head/www/apache24/Makefile Modified: head/www/apache22/Makefile ============================================================================== --- head/www/apache22/Makefile Mon Jul 18 20:05:42 2016 (r418742) +++ head/www/apache22/Makefile Mon Jul 18 20:14:19 2016 (r418743) @@ -2,7 +2,7 @@ PORTNAME= apache22 PORTVERSION= 2.2.31 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES= www ipv6 MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} Added: head/www/apache22/files/patch-httpoxy ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/apache22/files/patch-httpoxy Mon Jul 18 20:14:19 2016 (r418743) @@ -0,0 +1,63 @@ +https://www.apache.org/security/asf-httpoxy-response.txt + +Apache HTTP Server may be configured to proxy HTTP requests as a forward +or reverse (gateway) proxy server, can proxy requests to a FastCGI service +using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi +or mod_cgid or the related mod_isapi service. The project's mod_fcgid +subproject (available as a separate add-in module) directly manages CGI +scripts using the FastCGI protocol. + +It may also be configured to directly host a number of external modules +which run CGI-style applications in-process. The server itself does not +modify the CGI environment in this case, however, these external modules +may perform such modifications of their environment variables in-process. +Such examples include mod_php, mod_perl and mod_wsgi. + +To mitigate "httpoxy" issues across all of the above mechanisms, the most +direct solution is to drop any "Proxy:" header arriving from an upstream +proxy server or the origin user-agent. this will mitigate the issue for any +vulnerable back-end server or CGI across all traffic through this server. + +The two lines below enabled in the httpd.conf file will remove the "Proxy:" +header from all incoming requests, before further processing; + + LoadModule headers_module {path-to}/mod_headers.so + + RequestHeader unset Proxy early + +(Users who have mod_headers compiled-in to the httpd binary must omit +the LoadModule directive above, others must adjust the {path-to} to point +to the mod_headers.so file.) + +If the administrator wishes to preserve the value of the "Proxy:" header +for most traffic, and only eliminate it from the CGI environment variable +HTTP_PROXY, a second mitigation is offered. This patch will address this +behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid, +along with all other consumers of httpd's built-in environment handling. + +The bundled httpd modules all rely on ap_add_common_vars() to set up the +target CGI environment. The project will include the recommended patch +below in all subsequent releases of httpd, including 2.4.24 and 2.2.32. +Users who build httpd 2.2.x or 2.4.x from source may apply the patch below, +recompile and re-install httpd to obtain this mitigation. This migitation +has been assigned the identifier CVE-2016-5387 . + +======= Patch to httpd sources 2.4.x and 2.2.x ======= + +--- server/util_script.c (revision 1752426) ++++ server/util_script.c (working copy) +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them Modified: head/www/apache24/Makefile ============================================================================== --- head/www/apache24/Makefile Mon Jul 18 20:05:42 2016 (r418742) +++ head/www/apache24/Makefile Mon Jul 18 20:14:19 2016 (r418743) @@ -2,6 +2,7 @@ PORTNAME= apache24 PORTVERSION= 2.4.23 +PORTREVISION= 1 CATEGORIES= www ipv6 MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} Added: head/www/apache24/files/patch-httpoxy ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/apache24/files/patch-httpoxy Mon Jul 18 20:14:19 2016 (r418743) @@ -0,0 +1,63 @@ +https://www.apache.org/security/asf-httpoxy-response.txt + +Apache HTTP Server may be configured to proxy HTTP requests as a forward +or reverse (gateway) proxy server, can proxy requests to a FastCGI service +using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi +or mod_cgid or the related mod_isapi service. The project's mod_fcgid +subproject (available as a separate add-in module) directly manages CGI +scripts using the FastCGI protocol. + +It may also be configured to directly host a number of external modules +which run CGI-style applications in-process. The server itself does not +modify the CGI environment in this case, however, these external modules +may perform such modifications of their environment variables in-process. +Such examples include mod_php, mod_perl and mod_wsgi. + +To mitigate "httpoxy" issues across all of the above mechanisms, the most +direct solution is to drop any "Proxy:" header arriving from an upstream +proxy server or the origin user-agent. this will mitigate the issue for any +vulnerable back-end server or CGI across all traffic through this server. + +The two lines below enabled in the httpd.conf file will remove the "Proxy:" +header from all incoming requests, before further processing; + + LoadModule headers_module {path-to}/mod_headers.so + + RequestHeader unset Proxy early + +(Users who have mod_headers compiled-in to the httpd binary must omit +the LoadModule directive above, others must adjust the {path-to} to point +to the mod_headers.so file.) + +If the administrator wishes to preserve the value of the "Proxy:" header +for most traffic, and only eliminate it from the CGI environment variable +HTTP_PROXY, a second mitigation is offered. This patch will address this +behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid, +along with all other consumers of httpd's built-in environment handling. + +The bundled httpd modules all rely on ap_add_common_vars() to set up the +target CGI environment. The project will include the recommended patch +below in all subsequent releases of httpd, including 2.4.24 and 2.2.32. +Users who build httpd 2.2.x or 2.4.x from source may apply the patch below, +recompile and re-install httpd to obtain this mitigation. This migitation +has been assigned the identifier CVE-2016-5387 . + +======= Patch to httpd sources 2.4.x and 2.2.x ======= + +--- server/util_script.c (revision 1752426) ++++ server/util_script.c (working copy) +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them