httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: [users@httpd] Patch request for Apache 2.4.x for the CVE-2016-4975
Date Mon, 05 Nov 2018 16:09:55 GMT
On Mon, Nov 5, 2018 at 1:25 AM Andrew Joshwa <4andrewjoshwa4@gmail.com>
wrote:

> Hi,
>
> Can anyone please help me to get the patch for the CVE-2016-4975.
>

Yes, http://www.apache.org/dist/httpd/, obtain and build the latest version
of 2.4.
Or if you want to avoid the TLS 1.3 enhancement, you may want to obtain
2.4.35
from http://archive.apache.org/dist/httpd/ (at minimum, 2.4.27, which
corrects
shortcomings of the patch you note below.)


> I have found the below link for patch from internet.
> https://svn.apache.org/viewvc?view=revision&revision=1772678
> However this contains many changes.
>

There were further changes. The branch of all changes you are asking for is;

https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict/

Please let me know if we need to port all changes mentioned in above patch
> OR please let me know if specific revision can be ported to fix
> CVE-2016-4975
>

This particular CVE is easily addressed by a patch to encode the mod_userdir
inputs. Not using mod_userdir external redirects is equally simple and
similarly
solves the issue . Avoiding mod_alias as well as mod_rewrite is quite
challenging..

Unfortunately this class of vulnerabilities could not be addressed in a
simple fix.

The entire patch is needed to protect the client / proxy / backend from
malicious
input. We refactored the way request and response text was handled to guard
against this entire class of exploits.

Mime
View raw message