From: Nick Kew Date: Tue, 1 Jan 2008 14:12:33 +0000 (+0000) Subject: * Backport CVE-2007-6422 fix (r607273, r607402). X-Git-Tag: 2.2.7~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=84cb0035c259161663b0064491854fd9899c78de;p=thirdparty%2Fapache%2Fhttpd.git * Backport CVE-2007-6422 fix (r607273, r607402). * Update proposal for PR 38034 fix (mod_dav negotiation bug) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@607850 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index ac525dcbaba..b9a54e75fa4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@  -*- coding: utf-8 -*- Changes with Apache 2.2.7 + *) SECURITY: CVE-2007-6422 (cve.mitre.org) + Prevent crash in balancer manager if invalid balancer name is passed + as parameter. Reported by SecurityReason. [Ruediger Pluem] + *) SECURITY: CVE-2007-6388 (cve.mitre.org) mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. diff --git a/STATUS b/STATUS index fc4ab20e77d..f5d56c10127 100644 --- a/STATUS +++ b/STATUS 
@@ -127,22 +127,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_proxy_balancer: Prevent crash in balancer manager if invalid balancer - name is passed as parameter. - Trunk version of patch: - http://svn.apache.org/viewvc?rev=607273&view=rev - http://svn.apache.org/viewvc?rev=607402&view=rev (CVE number added - to CHANGES entry) - Backport version for 2.2.x of patch: - Trunk version of patch works - +1: rpluem, jorton - niq: +1 to the fix, but wouldn't it be a good idea to log a debug - message rather than silently ignore it if the test fails? - rpluem: I do not see this need right now as this cannot happen if you - use the link contructed by the balancer manager. It can only - happen if you construct the URL by yourself. But I may change my - mind once I have to do bug hunting in this area :-). - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] @@ -192,11 +176,9 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: * mod_dav: Fix evaluation of If-Match * and If-None-Match * conditionals. PR 38034 http://svn.apache.org/viewvc?view=rev&revision=607466 + http://svn.apache.org/viewvc?view=rev&revision=607472 + http://svn.apache.org/viewvc?view=rev&revision=607838 +1: niq - rpluem says: Please add r607472 to fix some style nits. - -1: rpluem: This causes a segfault on trunk. Also it changes the behaviour - by sending headers in cases where we did not before. It needs - to be evaluated first if this is the correct thing to do. * mod_proxy_ftp: Introduce the ProxyFtpDirCharset directive, allowing the administrator to identify a default, or specific servers or paths diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c index 8a28b6ffa28..fe841797eaf 100644 --- a/modules/proxy/mod_proxy_balancer.c +++ b/modules/proxy/mod_proxy_balancer.c 
@@ -638,7 +638,7 @@ static int balancer_handler(request_rec *r) proxy_worker *ws; ws = ap_proxy_get_worker(r->pool, conf, name); - if (ws) { + if (bsel && ws) { worker = (proxy_worker *)bsel->workers->elts; for (n = 0; n < bsel->workers->nelts; n++) { if (strcasecmp(worker->name, ws->name) == 0) {
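Review bot: In the CHANGES hunk, the new CVE-2007-6422 entry does not name the affected module, while the CVE-2007-6388 entry directly below it starts with "mod_status:". Prefix the text with "mod_proxy_balancer:", as the STATUS entry for the same fix does, so that readers scanning CHANGES by module can find it.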
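Review bot: In the STATUS hunk for the mod_dav PR 38034 proposal, rpluem's -1 (segfault on trunk, and headers now sent in cases where they were not before) is deleted with no record of how it was resolved. State in the entry which of the added revisions (r607472, r607838) addresses the segfault and whether the header behaviour change was evaluated, so that voters can see the objection was answered and not just dropped.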
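Review bot: At the "if (bsel && ws)" check in balancer_handler, a request that names a worker but no valid balancer is now ignored silently, and ap_proxy_get_worker() is still called before bsel is tested. As niq raised in the STATUS discussion, a debug-level log message for the case where bsel is NULL would make hand-constructed manager URLs visible during troubleshooting. Please also confirm that no other dereference of bsel later in this handler can be reached with bsel NULL, since only the bsel->workers use is covered by the lines shown here.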