Merge https://svn.apache.org/r1796343 from trunk: (3fdeae4d) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP Apache Httpd

CHANGES

+5 −0

Original line number	Diff line number	Diff line
		@@ -8,6 +8,11 @@ Changes with Apache 2.2.33
		request headers, an attacker may be able to cause a segmentation fault,
		or to force ap_find_token() to return an incorrect value.

		*) SECURITY: CVE-2017-3169 (cve.mitre.org)
		mod_ssl may dereference a NULL pointer when third-party modules call
		ap_hook_process_connection() during an HTTP request to an HTTPS port.
		[Yann Ylavic]

		*) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
		[Joe Orton]

STATUS

+0 −7

Original line number	Diff line number	Diff line
		@@ -104,13 +104,6 @@ RELEASE SHOWSTOPPERS:
		PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
		[ start all new proposals below, under PATCHES PROPOSED. ]

		*) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
		to ssl_io_filter_error(). [Yann Ylavic]
		trunk patch: https://svn.apache.org/r1796343
		2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-ssl_error_page_ctx.diff
		(function names and parameters changed a bit)
		+1 covener, ylavic, wrowe

		*) core: ap_get_basic_auth_pw deprecation
		trunk patch: https://svn.apache.org/r1796348
		2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-ap_get_basic_auth_pw.diff

modules/ssl/ssl_engine_io.c

+8 −7

Original line number	Diff line number	Diff line
		@@ -865,19 +865,20 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
		sizeof(HTTP_ON_HTTPS_PORT) - 1, \
		alloc)

		static void ssl_io_filter_disable(SSLConnRec sslconn, ap_filter_t f)
		static void ssl_io_filter_disable(SSLConnRec *sslconn,
		bio_filter_in_ctx_t *inctx)
		{
		bio_filter_in_ctx_t *inctx = f->ctx;
		SSL_free(inctx->ssl);
		sslconn->ssl = NULL;
		inctx->ssl = NULL;
		inctx->filter_ctx->pssl = NULL;
		}

		static apr_status_t ssl_io_filter_error(ap_filter_t *f,
		static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx,
		apr_bucket_brigade *bb,
		apr_status_t status)
		{
		ap_filter_t *f = inctx->f;
		SSLConnRec *sslconn = myConnConfig(f->c);
		apr_bucket *bucket;
		int send_eos = 1;
		@@ -891,7 +892,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
		ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, sslconn->server);

		sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP;
		ssl_io_filter_disable(sslconn, f);
		ssl_io_filter_disable(sslconn, inctx);

		/* fake the request line */
		bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
		@@ -1407,7 +1408,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
		* rather than have SSLEngine On configured.
		*/
		if ((status = ssl_io_filter_connect(inctx->filter_ctx)) != APR_SUCCESS) {
		return ssl_io_filter_error(f, bb, status);
		return ssl_io_filter_error(inctx, bb, status);
		}

		if (is_init) {
		@@ -1443,7 +1444,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,

		/* Handle custom errors. */
		if (status != APR_SUCCESS) {
		return ssl_io_filter_error(f, bb, status);
		return ssl_io_filter_error(inctx, bb, status);
		}

		/* Create a transient bucket out of the decrypted data. */
		@@ -1486,7 +1487,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
		inctx->block = APR_BLOCK_READ;

		if ((status = ssl_io_filter_connect(filter_ctx)) != APR_SUCCESS) {
		return ssl_io_filter_error(f, bb, status);
		return ssl_io_filter_error(inctx, bb, status);
		}

		while (!APR_BRIGADE_EMPTY(bb)) {