1. 19 May, 2009 1 commit
  2. 17 May, 2009 1 commit
  3. 15 May, 2009 2 commits
  4. 14 May, 2009 5 commits
  5. 13 May, 2009 4 commits
  6. 12 May, 2009 3 commits
    • move SECURITY to top · ee37c95f
      Eric Covener authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773882 13f79535-47bb-0310-9956-ffa450edef68
    • backport 772997, 773322, 773342 from trunk. · bd3a7c90
      Eric Covener authored
      Reviewed By: jorton, rpluem, covener
      
      Security fix for CVE-2009-1195: fix Options handling such that
      'AllowOverride Options=IncludesNoExec' does not permit Includes with
      exec= enabled to be configured in an .htaccess file:
      
      * include/http_core.h: Change semantics of Includes/IncludesNoExec
       options bits to be additive; OPT_INCLUDES now means SSI is enabled
       without exec=.  OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled
       with exec=.
      
      * server/core.c (create_core_dir_config): Remove defunct OPT_INCNOEXEC
       from default override_opts; no functional change.
       (merge_core_dir_configs): Update logic to ensure that exec= is
       disabled in a context where IncludesNoexec is configured, even if
       Includes-with-exec is permitted in the inherited options set.
       (set_allow_opts, set_options): Update to reflect new semantics
       of OPT_INCLUDES, OPT_INC_WITH_EXEC.
      
      * server/config.c: Update to remove OPT_INCNOEXEC from default
       override_opts; no functional change.
      
      * modules/filters/mod_include.c (includes_filter): Update to reflect
       new options semantics - disable exec= support if the
       OPT_INC_WITH_EXEC bit is not set.
      
      Submitted by: Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>,
               jorton
      Thanks to: Vincent Danon <vdanon redhat.com>

      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773881 13f79535-47bb-0310-9956-ffa450edef68
    • vote & promote CVE-2009-1195 · 444b2b97
      Eric Covener authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773880 13f79535-47bb-0310-9956-ffa450edef68
  7. 10 May, 2009 5 commits
  8. 08 May, 2009 2 commits
  9. 06 May, 2009 2 commits
  10. 05 May, 2009 1 commit
  11. 04 May, 2009 7 commits
  12. 03 May, 2009 1 commit
  13. 30 Apr, 2009 1 commit
  14. 27 Apr, 2009 1 commit
  15. 25 Apr, 2009 4 commits
    • Merge r768535 from trunk: · 4753b241
      Ruediger Pluem authored
      * Fix an error in the documentation.
      
      Submitted by: rpluem
      Reviewed by: pluem

      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@768536 13f79535-47bb-0310-9956-ffa450edef68
    • Merge r764239 from trunk: · b5b5e5a0
      Ruediger Pluem authored
      * Check more strictly that the backend follows the AJP protocol.
      
      Submitted by: mturk
      Reviewed by: rpluem, jim, jfclere

      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@768507 13f79535-47bb-0310-9956-ffa450edef68
    • Merge r763394 from trunk: · eac933c8
      Ruediger Pluem authored
      * Avoid delivering content from a previous request which failed to send a request
        body by closing the connection to the backend in this case instead of reusing it.
      
      CVE: CVE-2009-1191 (cve.mitre.org)
      PR: 46949
      Submitted by: rpluem
      Reviewed by: rpluem, wrowe, jfclere

      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@768506 13f79535-47bb-0310-9956-ffa450edef68
    • Backport of r760866: · 6f5e5a93
      Ruediger Pluem authored
      * Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable
        stricter checking of remote server certificates.
      
        (docs/manual/mod/mod_ssl.xml)
          Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
      
        (modules/proxy/mod_proxy_http.c)
          Set the hostname of the request URL as note on the connection.
      
        (modules/ssl/ssl_private.h)
          Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
          the SSLSrvConfigRec.
      
        (modules/ssl/ssl_engine_config.c)
          Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
      
        (modules/ssl/ssl_engine_io.c)
          Check whether the remote server's certificate is expired / if there is a
          mismatch between the requested hostname and the remote server certificate's
          CN field.
          Be able to parse ASN1 times.
      
        (modules/ssl/mod_ssl.c)
          Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
      
      Submitted by: rpluem
      Reviewed by: rpluem, jim, jfclere

      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@768504 13f79535-47bb-0310-9956-ffa450edef68