httpd-users mailing list archives

From "TSAO,YU-KANG (HP-USA,ex1)" <yu-kang_t...@hp.com>
Subject RE: apache 1.3.3 patch
Date Thu, 27 Jun 2002 19:33:54 GMT

Hi Rasmus:

Thank you very much for your help. I got this code from that patch web
site

http://www.apache.org/dist/httpd/patches/apply_to_1.3.3/SECURITY_chunk_size_patch.txt

How should I apply it? Thanks a lot.

===============================================================
===============================================================

--- apache_1.3.22/src/main/http_protocol_orig.c	Fri Jun 22 05:43:54 2001
+++ apache_1.3.22/src/main/http_protocol.c	Sun Jun 23 15:56:34 2002
@@ -1913,6 +1913,9 @@
         }
 
         r->remaining = atol(lenp);
+        if (r->remaining < 0) {
+            return HTTP_BAD_REQUEST;
+        }
     }
 
     if ((r->read_body == REQUEST_NO_BODY) &&
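Review bot: The new `r->remaining < 0` test sits after `r->remaining = atol(lenp);`, and atol() reports no error, so this only rejects Content-Length values that happen to parse as negative. A value too large for a long is not guaranteed to come back negative (the C standard leaves the result of atol() undefined when it is out of range), and nothing in the lines shown rejects it. Consider parsing with strtol(), checking errno for ERANGE and the end pointer, and returning HTTP_BAD_REQUEST on any failure. Also note that the file headers name apache_1.3.22 while the patch is published under apply_to_1.3.3, so the `@@ -1913,6 +1913,9 @@` offsets may not match a 1.3.3 tree and the hunk should be confirmed to land directly after the atol() call.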
@@ -2049,6 +2052,10 @@
         }
 
         len_to_read = get_chunk_size(buffer);
+        if (len_to_read < 0) {
+            r->connection->keepalive = -1;
+            return -1;
+        }
 
         if (len_to_read == 0) { /* Last chunk indicated, get footers */
             if (r->read_body == REQUEST_CHUNKED_DECHUNK) {
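Review bot: The `len_to_read < 0` check after `len_to_read = get_chunk_size(buffer);` only works if len_to_read is a signed type and get_chunk_size() yields a negative value for an oversized chunk size; neither the declaration nor get_chunk_size() is visible or changed in this patch, so both should be confirmed in the target tree. If len_to_read is unsigned there, the test is never true and the hunk has no effect. The block also needs a short comment saying why `r->connection->keepalive = -1;` is set before `return -1;`, since the reason for dropping the connection is not clear from the code alone.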


===============================================================
===============================================================

Sincerely,

Yu-Kang


-----Original Message-----
From: Rasmus Lerdorf [mailto:rasmus@apache.org]
Sent: Thursday, June 27, 2002 12:27 PM
To: TSAO,YU-KANG (HP-USA,ex1)
Cc: users@httpd.apache.org
Subject: Re: apache 1.3.3 patch 


> Hi Everyone:
>
> I have a Windows NT 4 server and apache 1.3.3 on it which will fall on to
> this latest apache vulnerability as posted in
>
> http://httpd.apache.org/info/security_bulletin_20020617.txt
>
> It's the bug that is included in the routines that deal with invalid processing
> requests using "chunked encoding" techniques.
>
> Is there any patch for apache 1.3.3 for this security hole instead of
> upgrading it to apache 2.0.39? Thanks a lot.

Just upgrade to 1.3.26

Or, if you want to just fix 1.3.3 look here:

http://www.apache.org/dist/httpd/patches/apply_to_1.3.3/

The patch itself is:

http://www.apache.org/dist/httpd/patches/apply_to_1.3.3/SECURITY_chunk_size_patch.txt

-Rasmus
