  6. May 12, 2009
      move SECURITY to top · ee37c95f
      Eric Covener authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773882 13f79535-47bb-0310-9956-ffa450edef68
      backport 772997, 773322, 773342 from trunk. · bd3a7c90
      Eric Covener authored
      Reviewed By: jorton, rpluem, covener
      
      Security fix for CVE-2009-1195: fix Options handling such that
      'AllowOverride Options=IncludesNoExec' does not permit Includes with
      exec= enabled to be configured in an .htaccess file:
      
      * include/http_core.h: Change semantics of Includes/IncludeNoExec
       options bits to be additive; OPT_INCLUDES now means SSI is enabled
       without exec=.  OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled
       with exec=.
      
      * server/core.c (create_core_dir_config): Remove defunct OPT_INCNOEXEC
       from default override_opts; no functional change.
       (merge_core_dir_configs): Update logic to ensure that exec= is
       disabled in a context where IncludesNoexec is configured, even if
       Includes-with-exec is permitted in the inherited options set.
       (set_allow_opts, set_options): Update to reflect new semantics
       of OPT_INCLUDES, OPT_INC_WITH_EXEC.
      
      * server/config.c: Update to remove OPT_INCNOEXEC from default
       override_opts; no functional change.
      
      * modules/filters/mod_include.c (includes_filter): Update to reflect
       new options semantics - disable exec= support if the
       OPT_INC_WITH_EXEC bit is not set.
      
      Submitted by: Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>,
               jorton
      Thanks to: Vincent Danon <vdanon redhat.com>
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773881 13f79535-47bb-0310-9956-ffa450edef68
      vote & promote CVE-2009-1195 · 444b2b97
      Eric Covener authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773880 13f79535-47bb-0310-9956-ffa450edef68
  15. Apr 25, 2009
      Merge r768535 from trunk: · 4753b241
      Ruediger Pluem authored
      * Fix an error in the documentation.
      
      Submitted by: rpluem
      Reviewed by: pluem
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@768536 13f79535-47bb-0310-9956-ffa450edef68
      Merge r764239 from trunk: · b5b5e5a0
      Ruediger Pluem authored
      * Check more strictly that the backend follows the AJP protocol.
      
      Submitted by: mturk
      Reviewed by: rpluem, jim, jfclere
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@768507 13f79535-47bb-0310-9956-ffa450edef68
      Merge r763394 from trunk: · eac933c8
      Ruediger Pluem authored
      * Avoid delivering content from a previous request which failed to send a request
        body by closing the connection to the backend in this case instead of reusing it.
      
      CVE: CVE-2009-1191 (cve.mitre.org)
      PR: 46949
      Submitted by: rpluem
      Reviewed by: rpluem, wrowe, jfclere
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@768506 13f79535-47bb-0310-9956-ffa450edef68
      Backport of r760866: · 6f5e5a93
      Ruediger Pluem authored
      * Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable
        stricter checking of remote server certificates.
      
        (docs/manual/mod/mod_ssl.xml)
          Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
      
        (modules/proxy/mod_proxy_http.c)
          Set the hostname of the request URL as note on the connection.
      
        (modules/ssl/ssl_private.h)
          Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
          the SSLSrvConfigRec.
      
        (modules/ssl/ssl_engine_config.c)
          Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
      
        (modules/ssl/ssl_engine_io.c)
          Check whether the remote server's certificate is expired / if there is a
          mismatch between the requested hostname and the remote server certificate's
          CN field.
          Be able to parse ASN1 times.
      
        (modules/ssl/mod_ssl.c)
          Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
      
      Submitted by: rpluem
      Reviewed by: rpluem, jim, jfclere
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@768504 13f79535-47bb-0310-9956-ffa450edef68