apache2: Import patch for CVE-2017-9798 ("optionsbleed")

Imported from: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch For details see: https://nvd.nist.gov/vuln/detail/CVE-2017-9798 Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2017-09-20 11:08:52 +02:00
parent fdff464161
commit b76d0433be
2 changed files with 16 additions and 1 deletions
--- a/lfs/apache2
+++ b/lfs/apache2
@@ -76,7 +76,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/apache-2.4.27-PR61382-fix.patch
-
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/apache-2.4.27-CVE-2017-9798-fix.patch
 	### Add IPFire's layout, too
 	echo "# IPFire layout" >> $(DIR_APP)/config.layout
 	echo "<Layout IPFire>" >> $(DIR_APP)/config.layout
--- a/src/patches/apache-2.4.27-CVE-2017-9798-fix.patch
+++ b/src/patches/apache-2.4.27-CVE-2017-9798-fix.patch
@@ -0,0 +1,15 @@
+--- server/core.c	2017/08/16 16:50:29	1805223
+++ server/core.c	2017/09/08 13:13:11	1807754
+@@ -2262,6 +2262,12 @@
+             /* method has not been registered yet, but resource restriction
+              * is always checked before method handling, so register it.
+              */
+            if (cmd->pool == cmd->temp_pool) {
+                /* In .htaccess, we can't globally register new methods. */
+                return apr_psprintf(cmd->pool, "Could not register method '%s' "
+                                   "for %s from .htaccess configuration",
+                                    method, cmd->cmd->name);
+            }
+             methnum = ap_method_register(cmd->pool,
+                                          apr_pstrdup(cmd->pool, method));
+         }