diff options
author | Derek Straka <derek@asterius.io> | 2016-12-21 18:38:58 -0500 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2016-12-26 08:24:54 +0100 |
commit | 9148d8b8243236c61c2d5a45c807fa0bd4387da6 (patch) | |
tree | fe445d9d57e43011f21a9dea81bf42828caa9744 /meta-webserver/recipes-httpd/apache2/apache2 | |
parent | e873c0e6e30029729fa18b5b7cb0af58dfbf47d3 (diff) | |
download | meta-openembedded-9148d8b8243236c61c2d5a45c807fa0bd4387da6.tar.gz |
apache2: update to version 2.4.25
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-webserver/recipes-httpd/apache2/apache2')
-rw-r--r-- | meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch | 25 |
1 files changed, 0 insertions, 25 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch b/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch deleted file mode 100644 index dbcdfc6df6..0000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch +++ /dev/null @@ -1,25 +0,0 @@ -This patch has been copied from https://www.apache.org/security/asf-httpoxy-response.txt -as a mitigation of CVE-2016-5387. - -Upstream-Status: Backport - fixed in 2.4.24 - -Signed-off-by: Joe Slater<jslater@windriver.com> - - ---- a/server/util_script.c (revision 1752426) -+++ b/server/util_script.c (working copy) -@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r - else if (!strcasecmp(hdrs[i].key, "Content-length")) { - apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); - } -+ /* HTTP_PROXY collides with a popular envvar used to configure -+ * proxies, don't let clients set/override it. But, if you must... -+ */ -+#ifndef SECURITY_HOLE_PASS_PROXY -+ else if (!strcasecmp(hdrs[i].key, "Proxy")) { -+ ; -+ } -+#endif - /* - * You really don't want to disable this check, since it leaves you - * wide open to CGIs stealing passwords and people viewing them |