Date: Mon, 18 Jul 2016 20:14:19 +0000 (UTC) From: Bernard Spil <brnrd@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r418743 - in head/www: apache22 apache22/files apache24 apache24/files Message-ID: <201607182014.u6IKEJEC008603@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: brnrd Date: Mon Jul 18 20:14:19 2016 New Revision: 418743 URL: https://svnweb.freebsd.org/changeset/ports/418743 Log: www/apache24: Fix httpoxy vulnerability (+2.2) - Add upstream patch to www/apache24 - Add upstream patch to www/apache22 - Bump PORTREVISION Approved by: feld (ports-secteam) MFH: 2016Q3 Security: cf0b5668-4d1b-11e6-b2ec-b499baebfeaf Security: CVE-2016-5387 Added: head/www/apache22/files/patch-httpoxy (contents, props changed) head/www/apache24/files/patch-httpoxy (contents, props changed) Modified: head/www/apache22/Makefile head/www/apache24/Makefile Modified: head/www/apache22/Makefile ============================================================================== --- head/www/apache22/Makefile Mon Jul 18 20:05:42 2016 (r418742) +++ head/www/apache22/Makefile Mon Jul 18 20:14:19 2016 (r418743) @@ -2,7 +2,7 @@ PORTNAME= apache22 PORTVERSION= 2.2.31 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES= www ipv6 MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} Added: head/www/apache22/files/patch-httpoxy ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/apache22/files/patch-httpoxy Mon Jul 18 20:14:19 2016 (r418743) @@ -0,0 +1,63 @@ +https://www.apache.org/security/asf-httpoxy-response.txt + +Apache HTTP Server may be configured to proxy HTTP requests as a forward +or reverse (gateway) proxy server, can proxy requests to a FastCGI service +using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi +or mod_cgid or the related mod_isapi service. The project's mod_fcgid +subproject (available as a separate add-in module) directly manages CGI +scripts using the FastCGI protocol. + +It may also be configured to directly host a number of external modules +which run CGI-style applications in-process. The server itself does not +modify the CGI environment in this case, however, these external modules +may perform such modifications of their environment variables in-process. +Such examples include mod_php, mod_perl and mod_wsgi. + +To mitigate "httpoxy" issues across all of the above mechanisms, the most +direct solution is to drop any "Proxy:" header arriving from an upstream +proxy server or the origin user-agent. this will mitigate the issue for any +vulnerable back-end server or CGI across all traffic through this server. + +The two lines below enabled in the httpd.conf file will remove the "Proxy:" +header from all incoming requests, before further processing; + + LoadModule headers_module {path-to}/mod_headers.so + + RequestHeader unset Proxy early + +(Users who have mod_headers compiled-in to the httpd binary must omit +the LoadModule directive above, others must adjust the {path-to} to point +to the mod_headers.so file.) + +If the administrator wishes to preserve the value of the "Proxy:" header +for most traffic, and only eliminate it from the CGI environment variable +HTTP_PROXY, a second mitigation is offered. This patch will address this +behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid, +along with all other consumers of httpd's built-in environment handling. + +The bundled httpd modules all rely on ap_add_common_vars() to set up the +target CGI environment. The project will include the recommended patch +below in all subsequent releases of httpd, including 2.4.24 and 2.2.32. +Users who build httpd 2.2.x or 2.4.x from source may apply the patch below, +recompile and re-install httpd to obtain this mitigation. This migitation +has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>. + +======= Patch to httpd sources 2.4.x and 2.2.x ======= + +--- server/util_script.c (revision 1752426) ++++ server/util_script.c (working copy) +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them Modified: head/www/apache24/Makefile ============================================================================== --- head/www/apache24/Makefile Mon Jul 18 20:05:42 2016 (r418742) +++ head/www/apache24/Makefile Mon Jul 18 20:14:19 2016 (r418743) @@ -2,6 +2,7 @@ PORTNAME= apache24 PORTVERSION= 2.4.23 +PORTREVISION= 1 CATEGORIES= www ipv6 MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} Added: head/www/apache24/files/patch-httpoxy ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/apache24/files/patch-httpoxy Mon Jul 18 20:14:19 2016 (r418743) @@ -0,0 +1,63 @@ +https://www.apache.org/security/asf-httpoxy-response.txt + +Apache HTTP Server may be configured to proxy HTTP requests as a forward +or reverse (gateway) proxy server, can proxy requests to a FastCGI service +using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi +or mod_cgid or the related mod_isapi service. The project's mod_fcgid +subproject (available as a separate add-in module) directly manages CGI +scripts using the FastCGI protocol. + +It may also be configured to directly host a number of external modules +which run CGI-style applications in-process. The server itself does not +modify the CGI environment in this case, however, these external modules +may perform such modifications of their environment variables in-process. +Such examples include mod_php, mod_perl and mod_wsgi. + +To mitigate "httpoxy" issues across all of the above mechanisms, the most +direct solution is to drop any "Proxy:" header arriving from an upstream +proxy server or the origin user-agent. this will mitigate the issue for any +vulnerable back-end server or CGI across all traffic through this server. + +The two lines below enabled in the httpd.conf file will remove the "Proxy:" +header from all incoming requests, before further processing; + + LoadModule headers_module {path-to}/mod_headers.so + + RequestHeader unset Proxy early + +(Users who have mod_headers compiled-in to the httpd binary must omit +the LoadModule directive above, others must adjust the {path-to} to point +to the mod_headers.so file.) + +If the administrator wishes to preserve the value of the "Proxy:" header +for most traffic, and only eliminate it from the CGI environment variable +HTTP_PROXY, a second mitigation is offered. This patch will address this +behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid, +along with all other consumers of httpd's built-in environment handling. + +The bundled httpd modules all rely on ap_add_common_vars() to set up the +target CGI environment. The project will include the recommended patch +below in all subsequent releases of httpd, including 2.4.24 and 2.2.32. +Users who build httpd 2.2.x or 2.4.x from source may apply the patch below, +recompile and re-install httpd to obtain this mitigation. This migitation +has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>. + +======= Patch to httpd sources 2.4.x and 2.2.x ======= + +--- server/util_script.c (revision 1752426) ++++ server/util_script.c (working copy) +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201607182014.u6IKEJEC008603>