summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLars Wendler <polynomial-c@gentoo.org>2014-05-28 09:41:36 +0200
committerLars Wendler <polynomial-c@gentoo.org>2014-05-28 09:41:36 +0200
commit68bf261f5deea91855076a07330793f455475242 (patch)
tree6ca48e08e5f770dc45b389081897c6503a583c29
parentRemoved comment about deprecated AddDirectoryIndex option as per request in b... (diff)
downloadapache-68bf261f5deea91855076a07330793f455475242.tar.gz
apache-68bf261f5deea91855076a07330793f455475242.tar.bz2
apache-68bf261f5deea91855076a07330793f455475242.zip
Removed obsolete patch for CVE-2011-3368 (bug #511656).
-rw-r--r--2.2/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch34
-rw-r--r--2.4/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch34
2 files changed, 0 insertions, 68 deletions
diff --git a/2.2/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch b/2.2/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch
deleted file mode 100644
index e8125d9..0000000
--- a/2.2/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-
-SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
-reverse proxy configurations by strictly validating the request-URI.
-
-http://svn.apache.org/viewvc?rev=1179239&view=rev
-
---- httpd-2.2.21/server/protocol.c
-+++ httpd-2.2.21/server/protocol.c
-@@ -640,6 +640,25 @@
-
- ap_parse_uri(r, uri);
-
-+ /* RFC 2616:
-+ * Request-URI = "*" | absoluteURI | abs_path | authority
-+ *
-+ * authority is a special case for CONNECT. If the request is not
-+ * using CONNECT, and the parsed URI does not have scheme, and
-+ * it does not begin with '/', and it is not '*', then, fail
-+ * and give a 400 response. */
-+ if (r->method_number != M_CONNECT
-+ && !r->parsed_uri.scheme
-+ && uri[0] != '/'
-+ && !(uri[0] == '*' && uri[1] == '\0')) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "invalid request-URI %s", uri);
-+ r->args = NULL;
-+ r->hostname = NULL;
-+ r->status = HTTP_BAD_REQUEST;
-+ r->uri = apr_pstrdup(r->pool, uri);
-+ }
-+
- if (ll[0]) {
- r->assbackwards = 0;
- pro = ll;
diff --git a/2.4/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch b/2.4/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch
deleted file mode 100644
index e8125d9..0000000
--- a/2.4/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-
-SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
-reverse proxy configurations by strictly validating the request-URI.
-
-http://svn.apache.org/viewvc?rev=1179239&view=rev
-
---- httpd-2.2.21/server/protocol.c
-+++ httpd-2.2.21/server/protocol.c
-@@ -640,6 +640,25 @@
-
- ap_parse_uri(r, uri);
-
-+ /* RFC 2616:
-+ * Request-URI = "*" | absoluteURI | abs_path | authority
-+ *
-+ * authority is a special case for CONNECT. If the request is not
-+ * using CONNECT, and the parsed URI does not have scheme, and
-+ * it does not begin with '/', and it is not '*', then, fail
-+ * and give a 400 response. */
-+ if (r->method_number != M_CONNECT
-+ && !r->parsed_uri.scheme
-+ && uri[0] != '/'
-+ && !(uri[0] == '*' && uri[1] == '\0')) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "invalid request-URI %s", uri);
-+ r->args = NULL;
-+ r->hostname = NULL;
-+ r->status = HTTP_BAD_REQUEST;
-+ r->uri = apr_pstrdup(r->pool, uri);
-+ }
-+
- if (ll[0]) {
- r->assbackwards = 0;
- pro = ll;