Commits · a208378727540ff84f5f4d7390e5cca8c50d249d · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP Apache Httpd

Jul 18, 2014

Propose. · a2083787

Rainer Jung authored Jul 18, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1611603 13f79535-47bb-0310-9956-ffa450edef68

a2083787

Fix typo. · a6b2d483

Rainer Jung authored Jul 18, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1611595 13f79535-47bb-0310-9956-ffa450edef68

a6b2d483

Backport r1513461 to fix some Doxygen warnings/comments, except for the... · 6aa9db6f

Christophe Jaillet authored Jul 18, 2014

Backport r1513461 to fix some Doxygen warnings/comments, except for the following files which rely on other patches which have not been backported yet:
   - ap_mpm.h: r1493741 
   - http_log.h: r1512819
   - httpd.h: r1426877
   - mpm_common.h: which is already in synch with 2.4
So only mpm_var_buf.h remains. This is however needed in order to backport other doxygen clean-up.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1611541 13f79535-47bb-0310-9956-ffa450edef68

6aa9db6f

Jul 16, 2014

Improve doxygen comment. · e49c7520

Christophe Jaillet authored Jul 16, 2014

Improve layout, add trailing '.' in function description, remove unneeded @fn.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1611203 13f79535-47bb-0310-9956-ffa450edef68

e49c7520

Repaginate some short/long entries · 01701db6

William A. Rowe Jr authored Jul 16, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1611194 13f79535-47bb-0310-9956-ffa450edef68

01701db6

Propose utf-8 service names for winnt · 2bba4d44

William A. Rowe Jr authored Jul 16, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1611178 13f79535-47bb-0310-9956-ffa450edef68

2bba4d44

Add compatibility note. · 0f4e534f

Rainer Jung authored Jul 16, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610915 13f79535-47bb-0310-9956-ffa450edef68

0f4e534f

Jul 15, 2014

Propose · 235f3ef4

Christophe Jaillet authored Jul 15, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610834 13f79535-47bb-0310-9956-ffa450edef68

235f3ef4

propose trailers fix, didn't make the cut for 2.4.10 because I had backpor troubles. · dd11501f
Eric Covener authored Jul 15, 2014
```
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610816 13f79535-47bb-0310-9956-ffa450edef68
```
dd11501f

And we are at 2.4.11-dev · 64daaa40

Jim Jagielski authored Jul 15, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610760 13f79535-47bb-0310-9956-ffa450edef68

64daaa40

Get ready to tag 2.4.10 · 2f6aab82

Jim Jagielski authored Jul 15, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610757 13f79535-47bb-0310-9956-ffa450edef68

2f6aab82

xforms · 582b0005

Jim Jagielski authored Jul 15, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610749 13f79535-47bb-0310-9956-ffa450edef68

582b0005

We know this will happen today :) · 59185b92

Jim Jagielski authored Jul 15, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610748 13f79535-47bb-0310-9956-ffa450edef68

59185b92

change attribution to Ben · b0020ccc

Eric Covener authored Jul 15, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610745 13f79535-47bb-0310-9956-ffa450edef68

b0020ccc

CVE-2014-0117 done, the simple/dumb way. · 95e0c589

Joe Orton authored Jul 15, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610741 13f79535-47bb-0310-9956-ffa450edef68

95e0c589

Expand -0117 text a bit and credit Eric who wrote the · 9197b0e3

Joe Orton authored Jul 15, 2014

one-liner down first ;)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610738 13f79535-47bb-0310-9956-ffa450edef68

9197b0e3

mod_proxy Connection handling crasher, CVE-2014-0117 · 0ad9ec32

Jim Jagielski authored Jul 15, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610737 13f79535-47bb-0310-9956-ffa450edef68

0ad9ec32

promote · 7b260556

Jim Jagielski authored Jul 15, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610736 13f79535-47bb-0310-9956-ffa450edef68

7b260556

+1, Joe · f1aeba98

Jeff Trawick authored Jul 15, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610733 13f79535-47bb-0310-9956-ffa450edef68

f1aeba98

Really really think "rushing" this is not wise... · 7af62516

Jim Jagielski authored Jul 15, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610704 13f79535-47bb-0310-9956-ffa450edef68

7af62516

Vote for Connection header's RFC compliance. · 1d1fe877

Yann Ylavic authored Jul 15, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610701 13f79535-47bb-0310-9956-ffa450edef68

1d1fe877

Collect -0117 patches... can I make conditional votes? · f2a7a98f

Joe Orton authored Jul 15, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610691 13f79535-47bb-0310-9956-ffa450edef68

f2a7a98f

Fix CHANGES entry from r1587201. · f6897cea

Yann Ylavic authored Jul 15, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610670 13f79535-47bb-0310-9956-ffa450edef68

f6897cea

Fix CVE number for WinNT MPM issue (Thanks Joe) · 3dc81f82

Jeff Trawick authored Jul 15, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610661 13f79535-47bb-0310-9956-ffa450edef68

3dc81f82

Merge r1610652 from trunk: · c17f0b89

Jeff Trawick authored Jul 15, 2014

SECURITY (CVE-2014-3523): Fix a memory consumption denial of
service in the WinNT MPM used in all Windows installations.
Workaround: AcceptFilter <protocol> {none|connect}

Submitted by: trawick
Reviewed by: jorton, covener, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610653 13f79535-47bb-0310-9956-ffa450edef68

c17f0b89

clarify new use of Timeout for scripts · 8dea09a1

Jeff Trawick authored Jul 15, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610641 13f79535-47bb-0310-9956-ffa450edef68

8dea09a1

Jul 14, 2014

Add missing APLOGNO + fix a typo in a comment · cebe3384

Christophe Jaillet authored Jul 14, 2014

r1610518 in trunk

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610522 13f79535-47bb-0310-9956-ffa450edef68

cebe3384

"CGIDScriptTimeout", not "CGIDRequestTimeout" · a09ef1be

Jeff Trawick authored Jul 14, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610517 13f79535-47bb-0310-9956-ffa450edef68

a09ef1be

Credit/blame where it's due. · 1b5a10ea

Joe Orton authored Jul 14, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610516 13f79535-47bb-0310-9956-ffa450edef68

1b5a10ea

add CGIDRequestTimeout to CHANGES · 703cc14c

Eric Covener authored Jul 14, 2014



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610514 13f79535-47bb-0310-9956-ffa450edef68

703cc14c

merge r1535125 and r1610509 from trunk: · 52ec23f6

Eric Covener authored Jul 14, 2014

    *) SECURITY: CVE-2014-0231 (cve.mitre.org)
       mod_cgid: Fix a denial of service against CGI scripts that do
       not consume stdin that could lead to lingering HTTPD child processes
       filling up the scoreboard and eventually hanging the server.
       [Rainer Jung, Eric Covener, Yann Ylavic]

Submitted By: rjung, covener, ylavic
Reviewed By: trawick, jorton, covener, jim




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610512 13f79535-47bb-0310-9956-ffa450edef68

52ec23f6

backport r1610501 from trunk: · 7cec61b1

Eric Covener authored Jul 14, 2014

      *) SECURITY: CVE-2014-0118 (cve.mitre.org)
         mod_deflate: The DEFLATE input filter (inflates request bodies) now
         limits the length and compression ratio of inflated request bodies to avoid
         denial of sevice via highly compressed bodies.  See directives
         DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
         and DeflateInflateRatioBurst.

    Thanks to Giancarlo Pellegrino and Davide Balzarotti for reporting the issue.

Submitted By: ylavic, covener
Reviewed By: jorton, covener, jim 



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610503 13f79535-47bb-0310-9956-ffa450edef68

7cec61b1

Merge 1610491 from trunk: · fb57ea42

Joe Orton authored Jul 14, 2014

SECURITY (CVE-2014-0226): Fix a race condition in scoreboard handling,
which could lead to a heap buffer overflow.  Thanks to Marek Kroemeke
working with HP's Zero Day Initiative for reporting this.

* include/scoreboard.h: Add ap_copy_scoreboard_worker.

* server/scoreboard.c (ap_copy_scoreboard_worker): New function.

* modules/generators/mod_status.c (status_handler): Use it.

* modules/lua/lua_request.c (lua_ap_scoreboard_worker): Likewise.

Reviewed by: trawick, jorton, covener, jim
Submitted by: jorton, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610499 13f79535-47bb-0310-9956-ffa450edef68

fb57ea42

Note CVE name for mod_cache crasher fixed in 2.4.7. · 2e9c8222

Joe Orton authored Jul 14, 2014

This issue affected httpd versions 2.4.5 and 2.4.6 only.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610495 13f79535-47bb-0310-9956-ffa450edef68

2e9c8222

Done. · 3e57e20d

Joe Orton authored Jul 14, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610400 13f79535-47bb-0310-9956-ffa450edef68

3e57e20d

Merge 1610311 from trunk: · 4adf21a4

Joe Orton authored Jul 14, 2014

Extend the scope of SSLSessionCacheTimeout to sessions
resumed by TLS session resumption (RFC 5077).

Submitted by: rjung
Reviewed by: rjung, ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610399 13f79535-47bb-0310-9956-ffa450edef68

4adf21a4

Vote, promote. · 6831d117

Joe Orton authored Jul 14, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610398 13f79535-47bb-0310-9956-ffa450edef68

6831d117

Merge r1572896, r1572911 from trunk: · 46334b01

Jim Jagielski authored Jul 14, 2014

mod_deflate:
Don't fail when asked to flush inflated data to the user-agent and that
coincides with the end of stream ("Zlib error flushing inflate buffer").
PR 56196.

Submitted By: [Christoph Fausak <christoph.fausak glueckkanja com>]
Committed By: ylavic


mod_deflate: follows up r1572896.
Be safe from successive or post end-of-stream flush buckets.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610397 13f79535-47bb-0310-9956-ffa450edef68

46334b01

Merge r1452551, r1607960 from trunk: · ccedbe89

Jim Jagielski authored Jul 14, 2014

PR54587: LDAP connections used for authn were not respecting 
LDAPConnectionPoolTimeout due to confusion over what "bound" means.

Added some LDAP trace at TRACE5 to track how LDAP connections are
reused and rebound.



make LDAPConnectionPoolTTL more conservative, use r->request_time rather than
end-of-request time, and only update it after a round-trip with the LDAP
server rather than every time we check back into the pool.


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610396 13f79535-47bb-0310-9956-ffa450edef68

ccedbe89

Merge r1610207 from trunk: · 8cc3cf82

Rainer Jung authored Jul 14, 2014

Forward local IP address as a custom request attribute
like we already do for the remote port.

Both were forgotten in the original AJP 13 spec
but are needed by the Servlet spec. Until now,
Tomcat simply returns for getLocalAddr() the same as
for getLocalName().

The next round of Tomcat releases will look for the
optional new request attribute.

See also Tomcat BZ 56661.

Submitted by: rjung
Reviewed by: trawick, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610340 13f79535-47bb-0310-9956-ffa450edef68

8cc3cf82