Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 19 Jul 2016 15:30:44 +0000 (UTC)
From:      Bernard Spil <brnrd@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r418804 - in branches/2016Q3/www: apache22 apache22/files apache24 apache24/files
Message-ID:  <201607191530.u6JFUibk039803@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: brnrd
Date: Tue Jul 19 15:30:44 2016
New Revision: 418804
URL: https://svnweb.freebsd.org/changeset/ports/418804

Log:
  MFH: r418743
  
  www/apache24: Fix httpoxy vulnerability (+2.2)
  
    - Add upstream patch to www/apache24
    - Add upstream patch to www/apache22
    - Bump PORTREVISION
  
  Approved by:    feld (ports-secteam)
  Security:       cf0b5668-4d1b-11e6-b2ec-b499baebfeaf
  Security:       CVE-2016-5387
  
  Approved by:	ports-secteam (feld)

Added:
  branches/2016Q3/www/apache22/files/patch-httpoxy
     - copied unchanged from r418743, head/www/apache22/files/patch-httpoxy
  branches/2016Q3/www/apache24/files/patch-httpoxy
     - copied unchanged from r418743, head/www/apache24/files/patch-httpoxy
Modified:
  branches/2016Q3/www/apache22/Makefile
  branches/2016Q3/www/apache24/Makefile
Directory Properties:
  branches/2016Q3/   (props changed)

Modified: branches/2016Q3/www/apache22/Makefile
==============================================================================
--- branches/2016Q3/www/apache22/Makefile	Tue Jul 19 15:26:54 2016	(r418803)
+++ branches/2016Q3/www/apache22/Makefile	Tue Jul 19 15:30:44 2016	(r418804)
@@ -2,7 +2,7 @@
 
 PORTNAME=	apache22
 PORTVERSION=	2.2.31
-PORTREVISION?=	0
+PORTREVISION?=	1
 CATEGORIES=	www ipv6
 MASTER_SITES=	APACHE_HTTPD
 DISTNAME=	httpd-${PORTVERSION}

Copied: branches/2016Q3/www/apache22/files/patch-httpoxy (from r418743, head/www/apache22/files/patch-httpoxy)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2016Q3/www/apache22/files/patch-httpoxy	Tue Jul 19 15:30:44 2016	(r418804, copy of r418743, head/www/apache22/files/patch-httpoxy)
@@ -0,0 +1,63 @@
+https://www.apache.org/security/asf-httpoxy-response.txt
+
+Apache HTTP Server may be configured to proxy HTTP requests as a forward
+or reverse (gateway) proxy server, can proxy requests to a FastCGI service
+using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi
+or mod_cgid or the related mod_isapi service. The project's mod_fcgid
+subproject (available as a separate add-in module) directly manages CGI
+scripts using the FastCGI protocol.
+
+It may also be configured to directly host a number of external modules
+which run CGI-style applications in-process. The server itself does not 
+modify the CGI environment in this case, however, these external modules
+may perform such modifications of their environment variables in-process.
+Such examples include mod_php, mod_perl and mod_wsgi.
+
+To mitigate "httpoxy" issues across all of the above mechanisms, the most
+direct solution is to drop any "Proxy:" header arriving from an upstream
+proxy server or the origin user-agent. this will mitigate the issue for any
+vulnerable back-end server or CGI across all traffic through this server. 
+
+The two lines below enabled in the httpd.conf file will remove the "Proxy:"
+header from all incoming requests, before further processing;
+
+    LoadModule headers_module {path-to}/mod_headers.so
+
+    RequestHeader unset Proxy early
+
+(Users who have mod_headers compiled-in to the httpd binary must omit
+the LoadModule directive above, others must adjust the {path-to} to point
+to the mod_headers.so file.)
+
+If the administrator wishes to preserve the value of the "Proxy:" header
+for most traffic, and only eliminate it from the CGI environment variable
+HTTP_PROXY, a second mitigation is offered. This patch will address this
+behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid,
+along with all other consumers of httpd's built-in environment handling.
+
+The bundled httpd modules all rely on ap_add_common_vars() to set up the
+target CGI environment. The project will include the recommended patch
+below in all subsequent releases of httpd, including 2.4.24 and 2.2.32.
+Users who build httpd 2.2.x or 2.4.x from source may apply the patch below,
+recompile and re-install httpd to obtain this mitigation. This migitation
+has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>.
+
+======= Patch to httpd sources 2.4.x and 2.2.x =======
+
+--- server/util_script.c	(revision 1752426)
++++ server/util_script.c	(working copy)
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them

Modified: branches/2016Q3/www/apache24/Makefile
==============================================================================
--- branches/2016Q3/www/apache24/Makefile	Tue Jul 19 15:26:54 2016	(r418803)
+++ branches/2016Q3/www/apache24/Makefile	Tue Jul 19 15:30:44 2016	(r418804)
@@ -2,6 +2,7 @@
 
 PORTNAME=	apache24
 PORTVERSION=	2.4.23
+PORTREVISION=	1
 CATEGORIES=	www ipv6
 MASTER_SITES=	APACHE_HTTPD
 DISTNAME=	httpd-${PORTVERSION}

Copied: branches/2016Q3/www/apache24/files/patch-httpoxy (from r418743, head/www/apache24/files/patch-httpoxy)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2016Q3/www/apache24/files/patch-httpoxy	Tue Jul 19 15:30:44 2016	(r418804, copy of r418743, head/www/apache24/files/patch-httpoxy)
@@ -0,0 +1,63 @@
+https://www.apache.org/security/asf-httpoxy-response.txt
+
+Apache HTTP Server may be configured to proxy HTTP requests as a forward
+or reverse (gateway) proxy server, can proxy requests to a FastCGI service
+using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi
+or mod_cgid or the related mod_isapi service. The project's mod_fcgid
+subproject (available as a separate add-in module) directly manages CGI
+scripts using the FastCGI protocol.
+
+It may also be configured to directly host a number of external modules
+which run CGI-style applications in-process. The server itself does not 
+modify the CGI environment in this case, however, these external modules
+may perform such modifications of their environment variables in-process.
+Such examples include mod_php, mod_perl and mod_wsgi.
+
+To mitigate "httpoxy" issues across all of the above mechanisms, the most
+direct solution is to drop any "Proxy:" header arriving from an upstream
+proxy server or the origin user-agent. this will mitigate the issue for any
+vulnerable back-end server or CGI across all traffic through this server. 
+
+The two lines below enabled in the httpd.conf file will remove the "Proxy:"
+header from all incoming requests, before further processing;
+
+    LoadModule headers_module {path-to}/mod_headers.so
+
+    RequestHeader unset Proxy early
+
+(Users who have mod_headers compiled-in to the httpd binary must omit
+the LoadModule directive above, others must adjust the {path-to} to point
+to the mod_headers.so file.)
+
+If the administrator wishes to preserve the value of the "Proxy:" header
+for most traffic, and only eliminate it from the CGI environment variable
+HTTP_PROXY, a second mitigation is offered. This patch will address this
+behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid,
+along with all other consumers of httpd's built-in environment handling.
+
+The bundled httpd modules all rely on ap_add_common_vars() to set up the
+target CGI environment. The project will include the recommended patch
+below in all subsequent releases of httpd, including 2.4.24 and 2.2.32.
+Users who build httpd 2.2.x or 2.4.x from source may apply the patch below,
+recompile and re-install httpd to obtain this mitigation. This migitation
+has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>.
+
+======= Patch to httpd sources 2.4.x and 2.2.x =======
+
+--- server/util_script.c	(revision 1752426)
++++ server/util_script.c	(working copy)
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201607191530.u6JFUibk039803>