-*- coding: utf-8 -*-
Changes with Apache 2.2.7
+ *) SECURITY: CVE-2007-6422 (cve.mitre.org)
+ Prevent crash in balancer manager if invalid balancer name is passed
+ as parameter. Reported by SecurityReason. [Ruediger Pluem]
+
*) SECURITY: CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
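Review bot: The added CHANGES entry for CVE-2007-6422 does not name the affected module, whereas the STATUS text it was promoted from reads "mod_proxy_balancer: Prevent crash in balancer manager ..." and the neighbouring CVE-2007-6388 entry leads with "mod_status:"; suggest "mod_proxy_balancer: Prevent crash in balancer manager if invalid balancer name is passed as parameter." so the component is identifiable from the entry alone.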
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_proxy_balancer: Prevent crash in balancer manager if invalid balancer
- name is passed as parameter.
- Trunk version of patch:
- http://svn.apache.org/viewvc?rev=607273&view=rev
- http://svn.apache.org/viewvc?rev=607402&view=rev (CVE number added
- to CHANGES entry)
- Backport version for 2.2.x of patch:
- Trunk version of patch works
- +1: rpluem, jorton
- niq: +1 to the fix, but wouldn't it be a good idea to log a debug
- message rather than silently ignore it if the test fails?
- rpluem: I do not see this need right now as this cannot happen if you
- use the link contructed by the balancer manager. It can only
- happen if you construct the URL by yourself. But I may change my
- mind once I have to do bug hunting in this area :-).
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
* mod_dav: Fix evaluation of If-Match * and If-None-Match * conditionals.
PR 38034
http://svn.apache.org/viewvc?view=rev&revision=607466
+ http://svn.apache.org/viewvc?view=rev&revision=607472
+ http://svn.apache.org/viewvc?view=rev&revision=607838
+1: niq
- rpluem says: Please add r607472 to fix some style nits.
- -1: rpluem: This causes a segfault on trunk. Also it changes the behaviour
- by sending headers in cases where we did not before. It needs
- to be evaluated first if this is the correct thing to do.
* mod_proxy_ftp: Introduce the ProxyFtpDirCharset directive, allowing
the administrator to identify a default, or specific servers or paths
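Review bot: Two open points disappear with the removed STATUS text and should be recorded somewhere before this lands. First, niq's question about logging a debug message rather than silently ignoring an invalid balancer name was only deferred by rpluem, and deleting the accepted-proposal block drops that discussion; a short note (in the CHANGES entry or a follow-up PR) that silent rejection is the intended behaviour would keep it auditable. Second, for the mod_dav item rpluem's -1 (segfault on trunk, headers sent in cases where they were not before) is removed in the same change that adds r607472 and r607838, yet the vote line still reads only "+1: niq"; please have rpluem add his vote, or add a line stating that the new revisions address the segfault and the header-sending concern, so the veto is not dropped without a recorded resolution.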