Date: Tue, 6 Dec 2016 12:52:27 +0000 (UTC)
From: Bernard Spil <brnrd@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r427954 - in branches/2016Q4/www/apache24: . files
Message-ID: <201612061252.uB6CqRpj073716@repo.freebsd.org>
Author: brnrd
Date: Tue Dec 6 12:52:27 2016
New Revision: 427954
URL: https://svnweb.freebsd.org/changeset/ports/427954

Log:
  MFH: r427953

  www/apache24: Fix HTTP/2 DoS vulnerability

  - Add patch from upstream security advisory
  - Bump PORTREVISION

  PR:		215096
  Security:	cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf
  Security:	CVE-2016-8740
  Approved by:	ports-secteam (implicit, "Backport of security and reliability fixes")

Added:
  branches/2016Q4/www/apache24/files/patch-CVE-2016-8740
     - copied unchanged from r427953, head/www/apache24/files/patch-CVE-2016-8740
Modified:
  branches/2016Q4/www/apache24/Makefile
Directory Properties:
  branches/2016Q4/   (props changed)

Modified: branches/2016Q4/www/apache24/Makefile ============================================================================== --- branches/2016Q4/www/apache24/Makefile Tue Dec 6 12:43:36 2016 (r427953) +++ branches/2016Q4/www/apache24/Makefile Tue Dec 6 12:52:27 2016 (r427954) @@ -2,7 +2,7 @@ PORTNAME= apache24 PORTVERSION= 2.4.23 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= www ipv6 MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} Copied: branches/2016Q4/www/apache24/files/patch-CVE-2016-8740 (from r427953, head/www/apache24/files/patch-CVE-2016-8740) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2016Q4/www/apache24/files/patch-CVE-2016-8740 Tue Dec 6 12:52:27 2016 (r427954, copy of r427953, head/www/apache24/files/patch-CVE-2016-8740) 
@@ -0,0 +1,116 @@ + Security Advisory - Apache Software Foundation + Apache HTTPD WebServer / httpd.apache.org + + Server memory can be exhausted and service denied when HTTP/2 is used + + CVE-2016-8740 + +The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply limitations +on request headers correctly when experimental module for the HTTP/2 +protocol is used to access a resource. + +The net result is that a the server allocates too much memory instead of denying +the request. This can lead to memory exhaustion of the server by a properly +crafted request. + +Background: +- ----------- + +Apache has limits on the number and length of request header fields. which +limits the amount of memory a client can allocate on the server for a request. + +Version 2.4.17 of the Apache HTTP Server introduced an experimental feature: +mod_http2 for the HTTP/2 protocol (RFC7540, previous versions were known as +Google SPDY). + +This module is NOT compiled in by default -and- is not enabled by default, +although some distribution may have chosen to do so. + +It is generally needs to be enabled in the 'Protocols' line in httpd by +adding 'h2' and/or 'h2c' to the 'http/1.1' only default. + +The default distributions of the Apache Software Foundation do not include +this experimental feature. + +Details: +- -------- + +- From version 2.4.17, upto and including version 2.4.23 the server failed +to take the limitations on request memory use into account when providing +access to a resource over HTTP/2. This issue has been fixed +in version 2.4.23 (r1772576). + +As a result - with a request using the HTTP/2 protocol a specially crafted +request can allocate memory on the server until it reaches its limit. This can +lead to denial of service for all requests against the server. + +Impact: +- ------- + +This can lead to denial of service for all server resources. +Versions affected: +- ------------------ +All versions from 2.4.17 to 2.4.23. 
+ +Resolution: +- ----------- + +For a 2.4.23 version a patch is supplied. This will be included in the +next release. + +Mitigations and work arounds: +- ----------------------------- + +As a temporary workaround - HTTP/2 can be disabled by changing +the configuration by removing h2 and h2c from the Protocols +line(s) in the configuration file. + +The resulting line should read: + + Protocols http/1.1 + +Credits and timeline +- -------------------- + +The flaw was found and reported by Naveen Tiwari <naveen.tiwari@asu.edu> +and CDF/SEFCOM at Arizona State University on 2016-11-22. The issue was +resolved by Stefan Eissing and incorporated in the Apache repository, +ready for inclusion in the next release. + +Apache would like to thank all involved for their help with this. + +Index: modules/http2/h2_stream.c +=================================================================== +--- modules/http2/h2_stream.c (revision 1771866) ++++ modules/http2/h2_stream.c (working copy) +@@ -322,18 +322,18 @@ + HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE); + } + } +- } +- +- if (h2_stream_is_scheduled(stream)) { +- return h2_request_add_trailer(stream->request, stream->pool, +- name, nlen, value, vlen); +- } +- else { +- if (!input_open(stream)) { +- return APR_ECONNRESET; ++ ++ if (h2_stream_is_scheduled(stream)) { ++ return h2_request_add_trailer(stream->request, stream->pool, ++ name, nlen, value, vlen); + } +- return h2_request_add_header(stream->request, stream->pool, +- name, nlen, value, vlen); ++ else { ++ if (!input_open(stream)) { ++ return APR_ECONNRESET; ++ } ++ return h2_request_add_header(stream->request, stream->pool, ++ name, nlen, value, vlen); ++ } + } + } + +
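Review bot: the Makefile hunk changes only `PORTREVISION= 1` to `PORTREVISION= 2`, which is exactly what the log's "Bump PORTREVISION" promises; the surrounding context leaves PORTVERSION= 2.4.23 and DISTNAME= httpd-${PORTVERSION} untouched, so the distfile and distinfo are unaffected by this backport, and the new files/patch-CVE-2016-8740 shows up only under "Added:" with no Makefile reference, which is the normal files/ convention for a port patch. Nothing else to raise on this hunk.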
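Review bot: the new patch file carries the whole advisory (roughly 100 lines of prose) ahead of the `Index: modules/http2/h2_stream.c` header; patch(1) skips leading non-diff text, so the file applies, but two details in that prose deserve a look before it is committed verbatim. The lines `- -----------` and `- From version 2.4.17` still carry PGP clearsign dash-escaping from the signed advisory, and the Details section says the issue "has been fixed in version 2.4.23 (r1772576)" while the same text lists 2.4.23 as affected and the Resolution section supplies this patch for 2.4.23 "to be included in the next release", so the fixed version named there is the next release, not 2.4.23. Neither point changes how the patch applies; both are cosmetic defects inherited from upstream.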
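Review bot: in the h2_stream.c hunk the relocated `if (h2_stream_is_scheduled(stream)) ... else ...` block now sits inside the enclosing conditional (whose `if` is above the hunk and not visible), and the trailing context after the block's closing brace shows only closing braces, so on the path where that condition is false the function now runs off its end with no visible `return`, while every other path returns a status (`return APR_ECONNRESET;` and the two `return h2_request_add_trailer`/`return h2_request_add_header` calls). Either confirm that a `return` exists just past the trailing context or add an explicit `return APR_SUCCESS;` after the outer block's closing brace so the dropped-header case has a defined result. The relocation itself is the fix: the removed `-    }` closed the enclosing block before the add calls, so a header field was appended to the request unconditionally, even when the enclosing block (which holds the header-size limit handling visible at the top of the hunk) was no longer accepting fields; with the calls moved inside it, a field arriving after that condition stops holding is discarded rather than stored, which is what bounds the allocation the advisory describes.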