diff options
author | Efraim Flashner <efraim@flashner.co.il> | 2017-10-01 19:59:55 +0300 |
---|---|---|
committer | Efraim Flashner <efraim@flashner.co.il> | 2017-10-01 22:16:22 +0300 |
commit | 64df08f0cfac8f7a329002afa3461fd62a4b229c (patch) | |
tree | 019909423138ceb49cdd86f1af48d366503db68f /gnu/packages/patches/httpd-CVE-2017-9798.patch | |
parent | b83ad3ace56c65a367e8f58c7b78323cf251b94b (diff) | |
parent | 0ef1c223071869488c35b72b7407234c11425589 (diff) | |
download | guix-patches-64df08f0cfac8f7a329002afa3461fd62a4b229c.tar guix-patches-64df08f0cfac8f7a329002afa3461fd62a4b229c.tar.gz |
Merge remote-tracking branch 'origin/master' into core-updates
Diffstat (limited to 'gnu/packages/patches/httpd-CVE-2017-9798.patch')
-rw-r--r-- | gnu/packages/patches/httpd-CVE-2017-9798.patch | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/gnu/packages/patches/httpd-CVE-2017-9798.patch b/gnu/packages/patches/httpd-CVE-2017-9798.patch new file mode 100644 index 0000000000..8391a3db4a --- /dev/null +++ b/gnu/packages/patches/httpd-CVE-2017-9798.patch @@ -0,0 +1,22 @@ +Fixes "options bleed", aka. CVE-2017-9798: + + https://nvd.nist.gov/vuln/detail/CVE-2017-9798 + https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html + +From <https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch>. + +--- a/server/core.c 2017/08/16 16:50:29 1805223 ++++ b/server/core.c 2017/09/08 13:13:11 1807754 +@@ -2266,6 +2266,12 @@ + /* method has not been registered yet, but resource restriction + * is always checked before method handling, so register it. + */ ++ if (cmd->pool == cmd->temp_pool) { ++ /* In .htaccess, we can't globally register new methods. */ ++ return apr_psprintf(cmd->pool, "Could not register method '%s' " ++ "for %s from .htaccess configuration", ++ method, cmd->cmd->name); ++ } + methnum = ap_method_register(cmd->pool, + apr_pstrdup(cmd->pool, method)); + } |