svn commit: r427953 - in head/www/apache24: . files
Bernard Spil
brnrd at FreeBSD.org
Tue Dec 6 12:43:38 UTC 2016
Author: brnrd
Date: Tue Dec 6 12:43:36 2016
New Revision: 427953
URL: https://svnweb.freebsd.org/changeset/ports/427953
Log:
www/apache24: Fix HTTP/2 DoS vulnerability
- Add patch from upstream security advisory
- Bump PORTREVISION
PR: 215096
MFH: 2016Q4
Security: cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf
Security: CVE-2016-8740
Added:
head/www/apache24/files/patch-CVE-2016-8740 (contents, props changed)
Modified:
head/www/apache24/Makefile
Modified: head/www/apache24/Makefile
==============================================================================
--- head/www/apache24/Makefile Tue Dec 6 12:32:35 2016 (r427952)
+++ head/www/apache24/Makefile Tue Dec 6 12:43:36 2016 (r427953)
@@ -2,7 +2,7 @@
PORTNAME= apache24
PORTVERSION= 2.4.23
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= www ipv6
MASTER_SITES= APACHE_HTTPD
DISTNAME= httpd-${PORTVERSION}
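Review bot: The PORTREVISION bump from 1 to 2 is the right change for this hunk, since PORTVERSION stays at 2.4.23 and the package contents change only through the newly added files/patch-CVE-2016-8740; nothing further to raise here.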
Added: head/www/apache24/files/patch-CVE-2016-8740
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/www/apache24/files/patch-CVE-2016-8740 Tue Dec 6 12:43:36 2016 (r427953)
@@ -0,0 +1,116 @@
+ Security Advisory - Apache Software Foundation
+ Apache HTTPD WebServer / httpd.apache.org
+
+ Server memory can be exhausted and service denied when HTTP/2 is used
+
+ CVE-2016-8740
+
+The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply limitations
+on request headers correctly when experimental module for the HTTP/2
+protocol is used to access a resource.
+
+The net result is that a the server allocates too much memory instead of denying
+the request. This can lead to memory exhaustion of the server by a properly
+crafted request.
+
+Background:
+- -----------
+
+Apache has limits on the number and length of request header fields. which
+limits the amount of memory a client can allocate on the server for a request.
+
+Version 2.4.17 of the Apache HTTP Server introduced an experimental feature:
+mod_http2 for the HTTP/2 protocol (RFC7540, previous versions were known as
+Google SPDY).
+
+This module is NOT compiled in by default -and- is not enabled by default,
+although some distribution may have chosen to do so.
+
+It is generally needs to be enabled in the 'Protocols' line in httpd by
+adding 'h2' and/or 'h2c' to the 'http/1.1' only default.
+
+The default distributions of the Apache Software Foundation do not include
+this experimental feature.
+
+Details:
+- --------
+
+- From version 2.4.17, upto and including version 2.4.23 the server failed
+to take the limitations on request memory use into account when providing
+access to a resource over HTTP/2. This issue has been fixed
+in version 2.4.23 (r1772576).
+
+As a result - with a request using the HTTP/2 protocol a specially crafted
+request can allocate memory on the server until it reaches its limit. This can
+lead to denial of service for all requests against the server.
+
+Impact:
+- -------
+
+This can lead to denial of service for all server resources.
+Versions affected:
+- ------------------
+All versions from 2.4.17 to 2.4.23.
+
+Resolution:
+- -----------
+
+For a 2.4.23 version a patch is supplied. This will be included in the
+next release.
+
+Mitigations and work arounds:
+- -----------------------------
+
+As a temporary workaround - HTTP/2 can be disabled by changing
+the configuration by removing h2 and h2c from the Protocols
+line(s) in the configuration file.
+
+The resulting line should read:
+
+ Protocols http/1.1
+
+Credits and timeline
+- --------------------
+
+The flaw was found and reported by Naveen Tiwari <naveen.tiwari at asu.edu>
+and CDF/SEFCOM at Arizona State University on 2016-11-22. The issue was
+resolved by Stefan Eissing and incorporated in the Apache repository,
+ready for inclusion in the next release.
+
+Apache would like to thank all involved for their help with this.
+
+Index: modules/http2/h2_stream.c
+===================================================================
+--- modules/http2/h2_stream.c (revision 1771866)
++++ modules/http2/h2_stream.c (working copy)
+@@ -322,18 +322,18 @@
+ HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE);
+ }
+ }
+- }
+-
+- if (h2_stream_is_scheduled(stream)) {
+- return h2_request_add_trailer(stream->request, stream->pool,
+- name, nlen, value, vlen);
+- }
+- else {
+- if (!input_open(stream)) {
+- return APR_ECONNRESET;
++
++ if (h2_stream_is_scheduled(stream)) {
++ return h2_request_add_trailer(stream->request, stream->pool,
++ name, nlen, value, vlen);
+ }
+- return h2_request_add_header(stream->request, stream->pool,
+- name, nlen, value, vlen);
++ else {
++ if (!input_open(stream)) {
++ return APR_ECONNRESET;
++ }
++ return h2_request_add_header(stream->request, stream->pool,
++ name, nlen, value, vlen);
++ }
+ }
+ }
+
+
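Review bot: The advisory text carried in this patch file contradicts itself about the fixed version, which matters for the port's vuxml entry: the Details section says the issue "has been fixed in version 2.4.23 (r1772576)", while Versions affected lists "All versions from 2.4.17 to 2.4.23" and Resolution says the patch "will be included in the next release". Since this is the upstream advisory quoted verbatim it is reasonable to leave the hunk as-is, but the vuxml entry cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf should give the fixed package as 2.4.23_2 (this PORTREVISION), not 2.4.23. On the code itself, the nested h2_stream.c hunk moves the h2_request_add_trailer / h2_request_add_header calls inside the block that ends with the HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE check, so a header is only stored after the size limit has been applied; the "Index: modules/http2/h2_stream.c" path is relative to the httpd source root, so the patch applies from WRKSRC at the framework's default -p0 strip level.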
More information about the svn-ports-head mailing list