From owner-freebsd-apache@FreeBSD.ORG Mon May 17 03:57:33 2010 Return-Path: Delivered-To: apache@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 87B661065675 for ; Mon, 17 May 2010 03:57:33 +0000 (UTC) (envelope-from pgollucci@p6m7g8.com) Received: from exhub015-1.exch015.msoutlookonline.net (exhub015-1.exch015.msoutlookonline.net [207.5.72.93]) by mx1.freebsd.org (Postfix) with ESMTP id 6E1D58FC14 for ; Mon, 17 May 2010 03:57:33 +0000 (UTC) Received: from [192.168.1.2] (71.246.240.70) by smtpx15.msoutlookonline.net (207.5.72.103) with Microsoft SMTP Server (TLS) id 8.2.234.1; Sun, 16 May 2010 20:57:33 -0700 Message-ID: <4BF0BEB7.5010209@p6m7g8.com> Date: Sun, 16 May 2010 23:57:43 -0400 From: "Philip M. Gollucci" Organization: P6M7G8 Inc. User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4 MIME-Version: 1.0 To: apache@freebsd.org X-Enigmail-Version: 1.0.1 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig7CB4534CD123FEA7F2696CDB" Cc: Subject: Fwd: svn commit: r943980 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS modules/proxy/proxy_ftp.c X-BeenThere: freebsd-apache@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Support of apache-related ports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 May 2010 03:57:33 -0000 --------------enig7CB4534CD123FEA7F2696CDB Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable -------- Original Message -------- Subject: svn commit: r943980 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS modules/proxy/proxy_ftp.c Date: Thu, 13 May 2010 19:18:50 -0000 From: trawick@apache.org Reply-To: dev@httpd.apache.org To: cvs@httpd.apache.org Author: trawick Date: Thu May 13 19:18:50 2010 New Revision: 943980 URL: http://svn.apache.org/viewvc?rev=3D943980&view=3Drev Log: merge r814045 from trunk (2.2.x rev 814847): CVE-2009-3095: mod_proxy_ftp sanity check authn credentials. Submitted by: Stefan Fritsch , Joe Orton Reviewed by: pgollucci, poirier, rjung, trawick Modified: httpd/httpd/branches/2.0.x/CHANGES httpd/httpd/branches/2.0.x/STATUS httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c Modified: httpd/httpd/branches/2.0.x/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=3D943= 980&r1=3D943979&r2=3D943980&view=3Ddiff =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original) +++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Thu May 13 19:18:50 2010 @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.0.64 + *) SECURITY: CVE-2009-3095 (cve.mitre.org) + mod_proxy_ftp: sanity check authn credentials. + [Stefan Fritsch , Joe Orton] + *) SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths. [Stefan Fritsch , Joe Orton] Modified: httpd/httpd/branches/2.0.x/STATUS URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=3D9439= 80&r1=3D943979&r2=3D943980&view=3Ddiff =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- httpd/httpd/branches/2.0.x/STATUS (original) +++ httpd/httpd/branches/2.0.x/STATUS Thu May 13 19:18:50 2010 @@ -125,13 +125,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: http://people.apache.org/~fuankg/diffs/httpd-2.0.x-ap_vhost_iterate_given= _conn.diff +1: fuankg, wrowe, pgollucci - * mod_proxy_ftp, CVE-2009-3095, sanity check authn credentials - Patch in 2.2.x branch: - http://svn.apache.org/viewvc?view=3Drevision&revision=3D814847 - Backport: - http://people.apache.org/~trawick/CVE-2009-3095-2.0.txt - +1: pgollucci, poirier, rjung, trawick - * core output filter, CVE-2009-1891, consuming CPU after client disconnects Patch in 2.2.x branch: http://svn.apache.org/viewvc?view=3Drevision&revision=3D791454 Modified: httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/proxy/pro= xy_ftp.c?rev=3D943980&r1=3D943979&r2=3D943980&view=3Ddiff =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c (original) +++ httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c Thu May 13 19:18:50 2010 @@ -890,6 +890,11 @@ int ap_proxy_ftp_handler(request_rec *r, if ((password =3D apr_table_get(r->headers_in, "Authorization")) !=3D= NULL && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") =3D=3D= 0 && (password =3D ap_pbase64decode(r->pool, password))[0] !=3D ':= ') { + /* Check the decoded string for special characters. */ + if (!ftp_check_string(password)) { + return ap_proxyerror(r, HTTP_BAD_REQUEST, + "user credentials contained invalid character"); + } /* * Note that this allocation has to be made from r->connection->pool * because it has the lifetime of the connection. The other --------------enig7CB4534CD123FEA7F2696CDB Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) iEYEARECAAYFAkvwvrcACgkQdbiP+9ubjBy9oACfRxWsu3hOkfCLvxUmwgFw5OZI FacAn2TQYKp0nVpsEDk9H3aVunAdNAob =rGi0 -----END PGP SIGNATURE----- --------------enig7CB4534CD123FEA7F2696CDB--