Commits · ce30e64d12ce19b2e9bc6fa1236cf965376c53a6 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP Apache Httpd

Aug 21, 2014

mention quirk of the trailers CVE · ce30e64d

Eric Covener authored Aug 21, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1619385 13f79535-47bb-0310-9956-ffa450edef68

ce30e64d

fix comment · 31880154

Eric Covener authored Aug 21, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1619384 13f79535-47bb-0310-9956-ffa450edef68

31880154

Aug 14, 2014

* Vote and promote · 26ad2093

Ruediger Pluem authored Aug 14, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1617949 13f79535-47bb-0310-9956-ffa450edef68

26ad2093

Aug 09, 2014

drop showstopper, lone report and no followup or recreate · fb57d962

Eric Covener authored Aug 09, 2014



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1617000 13f79535-47bb-0310-9956-ffa450edef68

fb57d962

Jul 26, 2014

Rebuild · 48bd5f56

Lucien Gentis authored Jul 26, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1613704 13f79535-47bb-0310-9956-ffa450edef68

48bd5f56

XML update. · 77e85774

Lucien Gentis authored Jul 26, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1613703 13f79535-47bb-0310-9956-ffa450edef68

77e85774

add a showstopper Jeff might have found on users@ · 66033c17

Eric Covener authored Jul 26, 2014



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1613655 13f79535-47bb-0310-9956-ffa450edef68

66033c17

Jul 24, 2014

Merge r1613318 from trunk: · ee207b10

Eric Covener authored Jul 24, 2014

two commenters were confused authnprovideralias
providing special config to authz providers

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1613320 13f79535-47bb-0310-9956-ffa450edef68

ee207b10

Jul 18, 2014

Backported. · 5caaecaa

Yann Ylavic authored Jul 18, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611818 13f79535-47bb-0310-9956-ffa450edef68

5caaecaa

fix latex build · c6ea7c42

Andre Malo authored Jul 18, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611817 13f79535-47bb-0310-9956-ffa450edef68

c6ea7c42

Follow up to r1611813: add missing CHANGE · 72c773a6

Yann Ylavic authored Jul 18, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611816 13f79535-47bb-0310-9956-ffa450edef68

72c773a6

Merge r1572630, r1572611, r1572967, r1573229 from trunk: · 13978f5c

Yann Ylavic authored Jul 18, 2014

Redo what was reverted in r1572627.
Don't reuse a SSL backend connection whose SNI differs. PR 55782.
This may happen when ProxyPreserveHost is on and the proxy-worker
handles connections to different Hosts.


Follows up r1572606.
MMN minor bump required by proxy_conn_rec change.


mod_proxy: follows up r1572630.
Don't reuse a SSL backend connection with no SNI for a request requiring SNI.


mod_proxy: Add comment and avoid ternary operator as condition (no functional change).


Submitted by: ylavic
Reviewed by: ylavic, rpluem, wrowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611813 13f79535-47bb-0310-9956-ffa450edef68

13978f5c

v4 for PR 46146. · 01b9a3cd

Yann Ylavic authored Jul 18, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611809 13f79535-47bb-0310-9956-ffa450edef68

01b9a3cd

Merge r1572092 from trunk: · 2fd9e170

Yann Ylavic authored Jul 18, 2014

mod_deflate: fix decompression of files larger than 4GB. According to RFC1952,
Input SIZE (compLen) contains the size of the original input data modulo 2^32.

PR: 56062
Submitted by: Lukas Bezdicka
Reviewed by: ylavic, breser, wrowe



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611806 13f79535-47bb-0310-9956-ffa450edef68

2fd9e170

update transformation · 409529b5

Andre Malo authored Jul 18, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611796 13f79535-47bb-0310-9956-ffa450edef68

409529b5

mod_deflate proposal v3. · ed57c906

Yann Ylavic authored Jul 18, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611771 13f79535-47bb-0310-9956-ffa450edef68

ed57c906

That's the ticket · 070d8977

William A. Rowe Jr authored Jul 18, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611768 13f79535-47bb-0310-9956-ffa450edef68

070d8977

Fix mod_deflate proposal. · 678b007a

Yann Ylavic authored Jul 18, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611766 13f79535-47bb-0310-9956-ffa450edef68

678b007a

Vote up, two are promoted as accepted, defect identified in ylavic's patch · d2ca29e3
William A. Rowe Jr authored Jul 18, 2014
```
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611672 13f79535-47bb-0310-9956-ffa450edef68
```
d2ca29e3

Update porposal -- Ruediger spotted the hand-merge error: · 728f7393

Eric Covener authored Jul 18, 2014

+                    if (!apr_is_empty_table(rp->trailers_in)) {
+                        apr_table_do(add_trailers, rp->trailers_out,
                                                    ^
+                                rp->trailers_in, NULL);
+                        apr_table_clear(rp->trailers_in);
+                    }



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611597 13f79535-47bb-0310-9956-ffa450edef68

728f7393

Fix typo. · b63348ec

Rainer Jung authored Jul 18, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611596 13f79535-47bb-0310-9956-ffa450edef68

b63348ec

· ffb371ad

Eric Covener authored Jul 18, 2014

add patch/proposal for CVE-2013-5704 trailers thing



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611522 13f79535-47bb-0310-9956-ffa450edef68

ffb371ad

Jul 17, 2014

drop CVE-2014-0117 proposal, 2.2 not affected · ef722a09

Eric Covener authored Jul 17, 2014



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611499 13f79535-47bb-0310-9956-ffa450edef68

ef722a09

And... vote some · c4f4385f

William A. Rowe Jr authored Jul 17, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611497 13f79535-47bb-0310-9956-ffa450edef68

c4f4385f

Delete BOM, wrap before 80 col · 524561f8

William A. Rowe Jr authored Jul 17, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611468 13f79535-47bb-0310-9956-ffa450edef68

524561f8

Merge r1572896, r1572911, r1603156 from trunk: · f582f975

Jim Jagielski authored Jul 17, 2014

mod_deflate:
Don't fail when asked to flush inflated data to the user-agent and that
coincides with the end of stream ("Zlib error flushing inflate buffer").
PR 56196.

Submitted By: [Christoph Fausak <christoph.fausak glueckkanja com>]
Committed By: ylavic


mod_deflate: follows up r1572896.
Be safe from successive or post end-of-stream flush buckets.


Add missing CHANGES entries for r1572655,1572663,1572668-1572671,1573224,1586745,1587594,1587639,1590509, r1572092, and r1572896,1572911.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611428 13f79535-47bb-0310-9956-ffa450edef68

f582f975

Merge r1610501 from trunk: · c4fc1cc6

Jim Jagielski authored Jul 17, 2014

  *) SECURITY: CVE-2014-0118 (cve.mitre.org)
     mod_deflate: The DEFLATE input filter (inflates request bodies) now
     limits the length and compression ratio of inflated request bodies to avoid
     denial of sevice via highly compressed bodies.  See directives 
     DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
     and DeflateInflateRatioBurst.

Thanks to Giancarlo Pellegrino and Davide Balzarotti for reporting the issue.

Submitted By: ylavic, covener
Reviewed By: jorton, covener, jim



Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611426 13f79535-47bb-0310-9956-ffa450edef68

c4fc1cc6

promote · d87b1719

Jim Jagielski authored Jul 17, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611425 13f79535-47bb-0310-9956-ffa450edef68

d87b1719

vote · f621a332

Jim Jagielski authored Jul 17, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611424 13f79535-47bb-0310-9956-ffa450edef68

f621a332

Withdrawal. · 2c9de73f

Yann Ylavic authored Jul 17, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611414 13f79535-47bb-0310-9956-ffa450edef68

2c9de73f

checks out for me · 6cd85809

Eric Covener authored Jul 17, 2014


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611331 13f79535-47bb-0310-9956-ffa450edef68

6cd85809

CVE-2014-0117 does not seem to apply to 2.2.x, second set of eyeballs welcome. · baf3f433
Joe Orton authored Jul 17, 2014
```
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611326 13f79535-47bb-0310-9956-ffa450edef68
```
baf3f433
Fooled by weird "svn merge" failing to fail... no this patch doesn't apply. · 82553fdb
Joe Orton authored Jul 17, 2014
```
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611319 13f79535-47bb-0310-9956-ffa450edef68
```
82553fdb

Vote, promote. · bef3960f

Joe Orton authored Jul 17, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611318 13f79535-47bb-0310-9956-ffa450edef68

bef3960f

Jul 16, 2014

Correct CHANGES entry with attribution · cf46e459

William A. Rowe Jr authored Jul 16, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611195 13f79535-47bb-0310-9956-ffa450edef68

cf46e459

Fix PR 56480: PROPFIND walker doesn't encode hrefs properly · 21f14aba

William A. Rowe Jr authored Jul 16, 2014

Reverts r1529559 partially (specifically the dav_xml_escape_uri) bit.
Reverts r1531505 entirely.

* modules/dav/main/mod_dav.c
  (dav_xml_escape_uri): Revert the piece of r1529559 that removes the URI
    escaping from this function.

* modules/dav/main/props.c
  (dav_do_prop_subreq): Escape the URI before doing a sub request with it.
    This resolves some properties like getcontenttype from failing to be
    returned for files that contain characters that require encoding in their
    path.

* modules/dav/main/mod_dav.h
  (dav_resource): Note the inconsistency in the documentation.

* modules/dav/fs/repos.c
  (dav_fs_get_resource): Don't use the unparsed_uri to set the uri field of
    the resource.  This is the correct fix for the double encoding in mod_dav_fs
    that led to the dav_xml_escape_uri() change and r1531505.
  (dav_fs_walker, dav_fs_append_uri): Revert r1531505 changes.

Submitted by: breser
PR: 56480
Backports: r1602338
Reviewed by: breser, rpluem, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611189 13f79535-47bb-0310-9956-ffa450edef68

21f14aba

SECURITY: CVE-2014-0231 · ca0b7d78

William A. Rowe Jr authored Jul 16, 2014

mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child processes
filling up the scoreboard and eventually hanging the server.

Submitted by: Rainer Jung, Eric Covener, Yann Ylavic
Backports: r1610509, r1535125
Reviewed by: covener, trawick, ylavic

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611185 13f79535-47bb-0310-9956-ffa450edef68

ca0b7d78

Propose utf-8 service names for winnt · ced3540d

William A. Rowe Jr authored Jul 16, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611179 13f79535-47bb-0310-9956-ffa450edef68

ced3540d

Vote. · 3ecbbe2b

Yann Ylavic authored Jul 16, 2014

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1610995 13f79535-47bb-0310-9956-ffa450edef68

3ecbbe2b

Extend the scope of SSLSessionCacheTimeout to sessions · ed4490f0

Rainer Jung authored Jul 16, 2014

resumed by TLS session resumption (RFC 5077).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1610914 13f79535-47bb-0310-9956-ffa450edef68

ed4490f0