Re: Patch request for Apache 2.4.x for the CVE-2016-4975

On Mon, Nov 5, 2018 at 1:25 AM Andrew Joshwa <4andrewjoshwa4@xxxxxxxxx> wrote:
Hi,

Can anyone please help me to get the patch for the CVE-2016-4975.

Yes, http://www.apache.org/dist/httpd/, obtain and build the latest version of 2.4.
Or if you want to avoid the TLS 1.3 enhancement, you may want to obtain 2.4.35
from http://archive.apache.org/dist/httpd/ (at minimum, 2.4.27, which corrects
shortcomings of the patch you note below.)
 
I have found the below link for patch from internet.
However this contains many changes.

There were further changes. The branch of all changes you are asking for is:

https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict/

Please let me know if we need to port all changes mentioned in above patch OR please let me know if specific revision can be ported to fix CVE-2016-4975

This particular CVE is easily addressed by a patch to encode the mod_userdir
inputs. Not using mod_userdir external redirects is equally simple and similarly
solves the issue. Avoiding mod_alias as well as mod_rewrite is quite challenging.

Unfortunately this class of vulnerabilities could not be addressed in a simple fix.

The entire patch is needed to protect the client / proxy / backend from malicious
input. We refactored the way request and response text was handled to guard
against this entire class of exploits.
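One way to implement the "encode the mod_userdir inputs" point made in the reply above, as an added example in Python rather than httpd's own C code; the base URL template, the function names and the single-line header check are assumptions for illustration:

```python
from urllib.parse import quote


def encode_userdir_redirect(base, username, rest):
    """Build a Location value for a mod_userdir style external redirect.

    `base` is a trusted, server-configured template (constructed example:
    "http://example.com/~"); `username` and `rest` are taken from the request
    path and are untrusted, so each is percent-encoded before it is placed in
    the header. quote() leaves only unreserved characters and the listed
    `safe` set untouched, so CR, LF, NUL and other control bytes become %XX.
    """
    enc_user = quote(username, safe="")     # no '/' allowed inside a user name
    enc_rest = quote(rest, safe="/")        # keep path separators, encode the rest
    return f"{base}{enc_user}/{enc_rest}"


def header_is_single_line(value):
    """Defensive check before emitting any header value: a single line only."""
    return not any(ch in value for ch in "\r\n\x00")


if __name__ == "__main__":
    # Constructed inputs: a benign path and one carrying raw control bytes.
    for user, rest in (("alice", "index.html"), ("bob\r\nX: y", "a b")):
        loc = encode_userdir_redirect("http://example.com/~", user, rest)
        print(loc, header_is_single_line(loc))
```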
