Date: Tue, 19 Jul 2016 15:30:44 +0000 (UTC) From: Bernard Spil <brnrd@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r418804 - in branches/2016Q3/www: apache22 apache22/files apache24 apache24/files Message-ID: <201607191530.u6JFUibk039803@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: brnrd Date: Tue Jul 19 15:30:44 2016 New Revision: 418804 URL: https://svnweb.freebsd.org/changeset/ports/418804 Log: MFH: r418743 www/apache24: Fix httpoxy vulnerability (+2.2) - Add upstream patch to www/apache24 - Add upstream patch to www/apache22 - Bump PORTREVISION Approved by: feld (ports-secteam) Security: cf0b5668-4d1b-11e6-b2ec-b499baebfeaf Security: CVE-2016-5387 Approved by: ports-secteam (feld) Added: branches/2016Q3/www/apache22/files/patch-httpoxy - copied unchanged from r418743, head/www/apache22/files/patch-httpoxy branches/2016Q3/www/apache24/files/patch-httpoxy - copied unchanged from r418743, head/www/apache24/files/patch-httpoxy Modified: branches/2016Q3/www/apache22/Makefile branches/2016Q3/www/apache24/Makefile Directory Properties: branches/2016Q3/ (props changed) Modified: branches/2016Q3/www/apache22/Makefile ============================================================================== --- branches/2016Q3/www/apache22/Makefile Tue Jul 19 15:26:54 2016 (r418803) +++ branches/2016Q3/www/apache22/Makefile Tue Jul 19 15:30:44 2016 (r418804) @@ -2,7 +2,7 @@ PORTNAME= apache22 PORTVERSION= 2.2.31 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES= www ipv6 MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} Copied: branches/2016Q3/www/apache22/files/patch-httpoxy (from r418743, head/www/apache22/files/patch-httpoxy) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2016Q3/www/apache22/files/patch-httpoxy Tue Jul 19 15:30:44 2016 (r418804, copy of r418743, head/www/apache22/files/patch-httpoxy) @@ -0,0 +1,63 @@ +https://www.apache.org/security/asf-httpoxy-response.txt + +Apache HTTP Server may be configured to proxy HTTP requests as a forward +or reverse (gateway) proxy server, can proxy requests to a FastCGI service +using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi +or mod_cgid or the related mod_isapi service. The project's mod_fcgid +subproject (available as a separate add-in module) directly manages CGI +scripts using the FastCGI protocol. + +It may also be configured to directly host a number of external modules +which run CGI-style applications in-process. The server itself does not +modify the CGI environment in this case, however, these external modules +may perform such modifications of their environment variables in-process. +Such examples include mod_php, mod_perl and mod_wsgi. + +To mitigate "httpoxy" issues across all of the above mechanisms, the most +direct solution is to drop any "Proxy:" header arriving from an upstream +proxy server or the origin user-agent. this will mitigate the issue for any +vulnerable back-end server or CGI across all traffic through this server. + +The two lines below enabled in the httpd.conf file will remove the "Proxy:" +header from all incoming requests, before further processing; + + LoadModule headers_module {path-to}/mod_headers.so + + RequestHeader unset Proxy early + +(Users who have mod_headers compiled-in to the httpd binary must omit +the LoadModule directive above, others must adjust the {path-to} to point +to the mod_headers.so file.) + +If the administrator wishes to preserve the value of the "Proxy:" header +for most traffic, and only eliminate it from the CGI environment variable +HTTP_PROXY, a second mitigation is offered. This patch will address this +behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid, +along with all other consumers of httpd's built-in environment handling. + +The bundled httpd modules all rely on ap_add_common_vars() to set up the +target CGI environment. The project will include the recommended patch +below in all subsequent releases of httpd, including 2.4.24 and 2.2.32. +Users who build httpd 2.2.x or 2.4.x from source may apply the patch below, +recompile and re-install httpd to obtain this mitigation. This migitation +has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>. + +======= Patch to httpd sources 2.4.x and 2.2.x ======= + +--- server/util_script.c (revision 1752426) ++++ server/util_script.c (working copy) +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them Modified: branches/2016Q3/www/apache24/Makefile ============================================================================== --- branches/2016Q3/www/apache24/Makefile Tue Jul 19 15:26:54 2016 (r418803) +++ branches/2016Q3/www/apache24/Makefile Tue Jul 19 15:30:44 2016 (r418804) @@ -2,6 +2,7 @@ PORTNAME= apache24 PORTVERSION= 2.4.23 +PORTREVISION= 1 CATEGORIES= www ipv6 MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} Copied: branches/2016Q3/www/apache24/files/patch-httpoxy (from r418743, head/www/apache24/files/patch-httpoxy) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2016Q3/www/apache24/files/patch-httpoxy Tue Jul 19 15:30:44 2016 (r418804, copy of r418743, head/www/apache24/files/patch-httpoxy) @@ -0,0 +1,63 @@ +https://www.apache.org/security/asf-httpoxy-response.txt + +Apache HTTP Server may be configured to proxy HTTP requests as a forward +or reverse (gateway) proxy server, can proxy requests to a FastCGI service +using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi +or mod_cgid or the related mod_isapi service. The project's mod_fcgid +subproject (available as a separate add-in module) directly manages CGI +scripts using the FastCGI protocol. + +It may also be configured to directly host a number of external modules +which run CGI-style applications in-process. The server itself does not +modify the CGI environment in this case, however, these external modules +may perform such modifications of their environment variables in-process. +Such examples include mod_php, mod_perl and mod_wsgi. + +To mitigate "httpoxy" issues across all of the above mechanisms, the most +direct solution is to drop any "Proxy:" header arriving from an upstream +proxy server or the origin user-agent. this will mitigate the issue for any +vulnerable back-end server or CGI across all traffic through this server. + +The two lines below enabled in the httpd.conf file will remove the "Proxy:" +header from all incoming requests, before further processing; + + LoadModule headers_module {path-to}/mod_headers.so + + RequestHeader unset Proxy early + +(Users who have mod_headers compiled-in to the httpd binary must omit +the LoadModule directive above, others must adjust the {path-to} to point +to the mod_headers.so file.) + +If the administrator wishes to preserve the value of the "Proxy:" header +for most traffic, and only eliminate it from the CGI environment variable +HTTP_PROXY, a second mitigation is offered. This patch will address this +behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid, +along with all other consumers of httpd's built-in environment handling. + +The bundled httpd modules all rely on ap_add_common_vars() to set up the +target CGI environment. The project will include the recommended patch +below in all subsequent releases of httpd, including 2.4.24 and 2.2.32. +Users who build httpd 2.2.x or 2.4.x from source may apply the patch below, +recompile and re-install httpd to obtain this mitigation. This migitation +has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>. + +======= Patch to httpd sources 2.4.x and 2.2.x ======= + +--- server/util_script.c (revision 1752426) ++++ server/util_script.c (working copy) +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201607191530.u6JFUibk039803>