diff options
author | Li Wang <li.wang@windriver.com> | 2021-07-08 17:04:37 +0800 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2021-07-10 11:20:05 -0700 |
commit | 70b1aa0a4cd4bfd08b6c8d36a76f9b7cf20d61a6 (patch) | |
tree | edd013e65a51a36182efd1746b35efbaf67c35a3 /meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch | |
parent | 82385049035a3a4a81b18af099d2131b46802965 (diff) | |
download | meta-openembedded-70b1aa0a4cd4bfd08b6c8d36a76f9b7cf20d61a6.tar.gz |
apache2: fix CVE-2020-13950 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641
CVE-2020-13950:
Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be
made to crash (NULL pointer dereference) with specially crafted
requests using both Content-Length and Transfer-Encoding headers,
leading to a Denial of Service
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-13950
Upstream patches:
https://bugzilla.redhat.com/show_bug.cgi?id=1966738
https://github.com/apache/httpd/commit/8c162db8b65b2193e622b780e8c6516d4265f68b
CVE-2020-35452:
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially
crafted Digest nonce can cause a stack overflow in
mod_auth_digest. There is no report of this overflow
being exploitable, nor the Apache HTTP Server team could
create one, though some particular compiler and/or
compilation option might make it possible, with limited
consequences anyway due to the size (a single byte) and
the value (zero byte) of the overflow
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-35452
Upstream patches:
https://security-tracker.debian.org/tracker/CVE-2020-35452
https://github.com/apache/httpd/commit/3b6431eb9c9dba603385f70a2131ab4a01bf0d3b
CVE-2021-26690:
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially
crafted Cookie header handled by mod_session can cause
a NULL pointer dereference and crash, leading to a
possible Denial Of Service
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-26690
Upstream patches:
https://security-tracker.debian.org/tracker/CVE-2021-26690
https://github.com/apache/httpd/commit/67bd9bfe6c38831e14fe7122f1d84391472498f8
CVE-2021-26691:
In Apache HTTP Server versions 2.4.0 to 2.4.46 a
specially crafted SessionHeader sent by an origin server
could cause a heap overflow
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-26691
Upstream patches:
https://bugzilla.redhat.com/show_bug.cgi?id=1966732
https://github.com/apache/httpd/commit/7e09dd714fc62c08c5b0319ed7b9702594faf49b
CVE-2021-30641:
Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected
matching behavior with 'MergeSlashes OFF'
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-30641
Upstream patches:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-30641
https://github.com/apache/httpd/commit/6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch')
-rw-r--r-- | meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch new file mode 100644 index 0000000000..001ca9252d --- /dev/null +++ b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch @@ -0,0 +1,49 @@ +From 3b6431eb9c9dba603385f70a2131ab4a01bf0d3b Mon Sep 17 00:00:00 2001 +From: Yann Ylavic <ylavic@apache.org> +Date: Mon, 18 Jan 2021 17:39:12 +0000 +Subject: [PATCH] Merge r1885659 from trunk: + +mod_auth_digest: Fast validation of the nonce's base64 to fail early if + the format can't match anyway. + +Submitted by: ylavic +Reviewed by: ylavic, covener, jailletc36 + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1885666 13f79535-47bb-0310-9956-ffa450edef68 + +Upstream-Status: Backport +CVE: CVE-2020-35452 + +Reference to upstream patch: +https://security-tracker.debian.org/tracker/CVE-2020-35452 +https://github.com/apache/httpd/commit/3b6431eb9c9dba603385f70a2131ab4a01bf0d3b + +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + modules/aaa/mod_auth_digest.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c +index b760941..0825b1b 100644 +--- a/modules/aaa/mod_auth_digest.c ++++ b/modules/aaa/mod_auth_digest.c +@@ -1422,9 +1422,14 @@ static int check_nonce(request_rec *r, digest_header_rec *resp, + time_rec nonce_time; + char tmp, hash[NONCE_HASH_LEN+1]; + +- if (strlen(resp->nonce) != NONCE_LEN) { ++ /* Since the time part of the nonce is a base64 encoding of an ++ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise. ++ */ ++ if (strlen(resp->nonce) != NONCE_LEN ++ || resp->nonce[NONCE_TIME_LEN - 1] != '=') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775) +- "invalid nonce %s received - length is not %d", ++ "invalid nonce '%s' received - length is not %d " ++ "or time encoding is incorrect", + resp->nonce, NONCE_LEN); + note_digest_auth_failure(r, conf, resp, 1); + return HTTP_UNAUTHORIZED; +-- +2.7.4 + |