commit: 68bf261f5deea91855076a07330793f455475242 |
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
AuthorDate: Wed May 28 07:41:36 2014 +0000 |
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
CommitDate: Wed May 28 07:41:36 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/apache.git;a=commit;h=68bf261f |
|
Removed obsolete patch for CVE-2011-3368 (bug #511656). |
|
--- |
.../25_all-apply_to_2.2.21-CVE-2011-3368.patch | 34 ---------------------- |
.../25_all-apply_to_2.2.21-CVE-2011-3368.patch | 34 ---------------------- |
2 files changed, 68 deletions(-) |
|
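diff --git a/2.2/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch b/2.2/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch
deleted file mode 100644
index e8125d9..0000000
--- a/2.2/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-
-SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
-reverse proxy configurations by strictly validating the request-URI.
-
-http://svn.apache.org/viewvc?rev=1179239&view=rev
-
---- httpd-2.2.21/server/protocol.c
-+++ httpd-2.2.21/server/protocol.c
-@@ -640,6 +640,25 @@
-
- ap_parse_uri(r, uri);
-
-+ /* RFC 2616:
-+ * Request-URI = "*" | absoluteURI | abs_path | authority
-+ *
-+ * authority is a special case for CONNECT. If the request is not
-+ * using CONNECT, and the parsed URI does not have scheme, and
-+ * it does not begin with '/', and it is not '*', then, fail
-+ * and give a 400 response. */
-+ if (r->method_number != M_CONNECT
-+ && !r->parsed_uri.scheme
-+ && uri[0] != '/'
-+ && !(uri[0] == '*' && uri[1] == '\0')) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "invalid request-URI %s", uri);
-+ r->args = NULL;
-+ r->hostname = NULL;
-+ r->status = HTTP_BAD_REQUEST;
-+ r->uri = apr_pstrdup(r->pool, uri);
-+ }
-+
- if (ll[0]) {
- r->assbackwards = 0;
- pro = ll;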
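diff --git a/2.4/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch b/2.4/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch
deleted file mode 100644
index e8125d9..0000000
--- a/2.4/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-
-SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
-reverse proxy configurations by strictly validating the request-URI.
-
-http://svn.apache.org/viewvc?rev=1179239&view=rev
-
---- httpd-2.2.21/server/protocol.c
-+++ httpd-2.2.21/server/protocol.c
-@@ -640,6 +640,25 @@
-
- ap_parse_uri(r, uri);
-
-+ /* RFC 2616:
-+ * Request-URI = "*" | absoluteURI | abs_path | authority
-+ *
-+ * authority is a special case for CONNECT. If the request is not
-+ * using CONNECT, and the parsed URI does not have scheme, and
-+ * it does not begin with '/', and it is not '*', then, fail
-+ * and give a 400 response. */
-+ if (r->method_number != M_CONNECT
-+ && !r->parsed_uri.scheme
-+ && uri[0] != '/'
-+ && !(uri[0] == '*' && uri[1] == '\0')) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "invalid request-URI %s", uri);
-+ r->args = NULL;
-+ r->hostname = NULL;
-+ r->status = HTTP_BAD_REQUEST;
-+ r->uri = apr_pstrdup(r->pool, uri);
-+ }
-+
- if (ll[0]) {
- r->assbackwards = 0;
- pro = ll;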