Author: colm
Date: Mon Jan 23 11:57:18 2006
New Revision: 371643
URL: http://svn.apache.org/viewcvs?rev=371643&view=rev
Log:
Merge r354394 from trunk:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Omit further
access control checks if SSL is not in use regardless of vhost
settings.
Submitted by: rpluem, jorton
Modified:
httpd/httpd/branches/2.0.x/CHANGES
httpd/httpd/branches/2.0.x/STATUS
httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/CHANGES?rev=371643&r1=371642&r2=371643&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Mon Jan 23 11:57:18 2006
@@ -1,6 +1,13 @@
-*- coding: utf-8 -*-
Changes with Apache 2.0.56
+ *) SECURITY: CVE-2005-3357 (cve.mitre.org)
+ mod_ssl: Fix a possible crash during access control checks if a
+ non-SSL request is processed for an SSL vhost (such as the
+ "HTTP request received on SSL port" error message when an 400
+ ErrorDocument is configured, or if using "SSLEngine optional").
+ PR 37791. [Rüdiger Plüm, Joe Orton]
+
*) Add ReceiveBufferSize directive to control the TCP receive buffer.
[Eric Covener <covener gmail.com>]
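Review bot: typo in the new CHANGES entry, line "ErrorDocument is configured": "when an 400 ErrorDocument" should read "when a 400 ErrorDocument". The entry otherwise matches the code change in ssl_engine_kernel.c and carries the PR and CVE references.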
Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/STATUS?rev=371643&r1=371642&r2=371643&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Mon Jan 23 11:57:18 2006
@@ -165,14 +165,6 @@
http://issues.apache.org/bugzilla/attachment.cgi?id=16995
+1: rpluem, colm, trawick
- *) mod_ssl: Fix PR37791 (CVEID: CAN-2005-3357) (SEGV if the client is
- connection plain to a SSL enabled port)
- Trunk version of patch:
- http://svn.apache.org/viewcvs.cgi?rev=354394&view=rev
- Backport version for 2.0.x of patch:
- http://issues.apache.org/bugzilla/attachment.cgi?id=17393
- +1: rpluem, colm, trawick
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ please place SVN revisions from trunk here, so it is easy to
identify exactly what the proposed changes are! Add all new
Modified: httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c?rev=371643&r1=371642&r2=371643&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c Mon Jan 23 11:57:18 2006
@@ -202,11 +202,14 @@
}
/*
- * Check to see if SSL protocol is on
+ * Check to see whether SSL is in use; if it's not, then no
+ * further access control checks are relevant. (the test for
+ * sc->enabled is probably strictly unnecessary)
*/
- if (!(sc->enabled || ssl)) {
+ if (!sc->enabled || !ssl) {
return DECLINED;
}
+
/*
* Support for per-directory reconfigured SSL connection parameters.
*
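Review bot: the rewritten condition `if (!sc->enabled || !ssl)` is the substantive fix and is correct: the old `!(sc->enabled || ssl)` declined only when the vhost had SSL disabled AND there was no SSL state, so a non-SSL request to an SSL-enabled vhost continued past this point with `ssl` NULL, which is the crash described in CHANGES. The new form declines whenever `ssl` is NULL. Since the new comment itself says the `sc->enabled` test is "probably strictly unnecessary", consider either dropping that operand or stating why it is kept, so a later reader does not reinstate the original grouping; the parenthetical should also begin with a capital letter.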