httpd-users mailing list archives

From "TSAO,YU-KANG (HP-USA,ex1)" <yu-kang_t...@hp.com>
Subject RE: apache 1.3.3 patch
Date Thu, 27 Jun 2002 19:57:01 GMT

Hi Rasmus:

Thanks for the reply, but I still don't get it. My first Apache patch ...

What is the <apply_to... after

patch -p1 < apply_to...  ?

Do I need to put the whole code after that, like this?

Thanks a lot,

Sincerely,

Yu-Kang

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~


c:\>cd apache_1.3.3

c:\>patch -p1 --- apache_1.3.22/src/main/http_protocol_orig.c	Fri Jun 22
05:43:54 2001
+++ apache_1.3.22/src/main/http_protocol.c	Sun Jun 23 15:56:34 2002
@@ -1913,6 +1913,9 @@
         }
 
         r->remaining = atol(lenp);
+        if (r->remaining < 0) {
+            return HTTP_BAD_REQUEST;
+        }
     }
 
     if ((r->read_body == REQUEST_NO_BODY) &&
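Review bot: the new `r->remaining < 0` test in the hunk at -1913 only sees whatever `atol(lenp)` returns, and `atol` cannot report overflow. A Content-Length too large for a long is undefined behaviour in `atol`, so it is not guaranteed to come back negative and may pass this check unless code above the hunk already bounds the value. Suggest parsing with `strtol`, checking `errno == ERANGE` and the end pointer, and returning HTTP_BAD_REQUEST in those cases as well. The file headers also name apache_1.3.22 while the patch is offered for 1.3.3, so confirm the hunk lands in the intended function after applying.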
@@ -2049,6 +2052,10 @@
         }
 
         len_to_read = get_chunk_size(buffer);
+        if (len_to_read < 0) {
+            r->connection->keepalive = -1;
+            return -1;
+        }
 
         if (len_to_read == 0) { /* Last chunk indicated, get footers */
             if (r->read_body == REQUEST_CHUNKED_DECHUNK) {
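Review bot: the `len_to_read < 0` check in the hunk at -2049 relies on `get_chunk_size(buffer)` returning a negative value for every oversized chunk size, and this patch does not touch `get_chunk_size`. If that function accumulates hex digits into a signed long without an overflow test, a long enough size field can wrap back to a non-negative value and pass; detect the overflow inside `get_chunk_size` and return -1 from there. A short comment on why `r->connection->keepalive = -1` is set (the body framing can no longer be trusted, so the connection must not be reused) and a log entry for the rejected request would also help.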

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~




-----Original Message-----
From: Rasmus Lerdorf [mailto:rasmus@apache.org]
Sent: Thursday, June 27, 2002 3:34 PM
To: TSAO,YU-KANG (HP-USA,ex1)
Cc: users@httpd.apache.org
Subject: RE: apache 1.3.3 patch 


cd apache_1.3.3
patch -p1 < apply_to...

On Thu, 27 Jun 2002, TSAO,YU-KANG (HP-USA,ex1) wrote:

>
> Hi Rasmus:
>
> Thank you very much for your help. I got this code from that patch web
> site
>
> http://www.apache.org/dist/httpd/patches/apply_to_1.3.3/SECURITY_chunk_size_patch.txt
>
> How should I apply it? Thanks a lot.
>
> ===============================================================
> ===============================================================
>
> --- apache_1.3.22/src/main/http_protocol_orig.c	Fri Jun 22 05:43:54
2001
> +++ apache_1.3.22/src/main/http_protocol.c	Sun Jun 23 15:56:34 2002
> @@ -1913,6 +1913,9 @@
>          }
>
>          r->remaining = atol(lenp);
> +        if (r->remaining < 0) {
> +            return HTTP_BAD_REQUEST;
> +        }
>      }
>
>      if ((r->read_body == REQUEST_NO_BODY) &&
> @@ -2049,6 +2052,10 @@
>          }
>
>          len_to_read = get_chunk_size(buffer);
> +        if (len_to_read < 0) {
> +            r->connection->keepalive = -1;
> +            return -1;
> +        }
>
>          if (len_to_read == 0) { /* Last chunk indicated, get footers */
>              if (r->read_body == REQUEST_CHUNKED_DECHUNK) {
>
>
> ===============================================================
> ===============================================================
>
> Sincerely,
>
> Yu-Kang
>
>
> -----Original Message-----
> From: Rasmus Lerdorf [mailto:rasmus@apache.org]
> Sent: Thursday, June 27, 2002 12:27 PM
> To: TSAO,YU-KANG (HP-USA,ex1)
> Cc: users@httpd.apache.org
> Subject: Re: apache 1.3.3 patch
>
>
> > Hi Everyone:
> >
> > I have a Windows NT 4 server and apache 1.3.3 on it which will fall on to
> > this latest apache vulnerability as posted in
> >
> > http://httpd.apache.org/info/security_bulletin_20020617.txt
> >
> > It's the bug that is included in routines that deal with invalid processing
> > requests using "chunked encoding" techniques.
> >
> > Is there any patch for apache 1.3.3 for this security hole instead of
> > upgrading it to apache 2.0.39? Thanks a lot.
>
> Just upgrade to 1.3.26
>
> Or, if you want to just fix 1.3.3 look here:
>
> http://www.apache.org/dist/httpd/patches/apply_to_1.3.3/
>
> The patch itself is:
>
>
> http://www.apache.org/dist/httpd/patches/apply_to_1.3.3/SECURITY_chunk_size_patch.txt
>
> -Rasmus
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
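
The step described in the reply above, as an added example that is not part of the original thread: the patch text is saved to a file, and `patch -p1 <` reads that file on standard input from inside the source directory. The file contents and the name `chunk_fix.txt` are constructed stand-ins, and a POSIX shell with a `patch` that supports `--dry-run` is assumed.

```shell
#!/bin/sh
# Added example: sandboxed demo of `patch -p1 < file`. All file contents are
# constructed stand-ins, not Apache source and not the real security patch.
demo_apply() (
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    mkdir -p "$work/apache_1.3.3/src/main" || exit 1
    printf 'line one\nremaining = parse(len);\nline three\n' \
        > "$work/apache_1.3.3/src/main/http_protocol.c"

    # The patch is saved as an ordinary text file beside the source tree.
    # Its header paths start with a different directory (apache_1.3.22).
    cat > "$work/chunk_fix.txt" <<'EOF'
--- apache_1.3.22/src/main/http_protocol_orig.c
+++ apache_1.3.22/src/main/http_protocol.c
@@ -1,3 +1,4 @@
 line one
 remaining = parse(len);
+if (remaining < 0) reject();
 line three
EOF

    cd "$work/apache_1.3.3" || exit 1
    # -p1 strips the first path component, leaving src/main/http_protocol.c,
    # which is resolved relative to the current directory.
    # `<` feeds the saved file to patch on standard input.
    patch -p1 --dry-run < ../chunk_fix.txt >/dev/null || exit 1  # check only
    patch -p1 < ../chunk_fix.txt >/dev/null || exit 1            # apply
    # Print how many lines of the patched file contain the added check.
    grep -c 'remaining < 0' src/main/http_protocol.c
)
```

The dry run reports rejected hunks without modifying any file, which is worth doing before patching a tree whose version differs from the one named in the patch header.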
