FreeBSD Bugzilla – Attachment 177716 Details for Bug 215096: www/apache24: Fix HTTP/2 DoS vulnerability
[patch] svn diff for www/apache24
patch-www_apache24-2.4.23_2 (text/plain), 4.89 KB, created by Bernard Spil on 2016-12-06 11:23:54 UTC
>Index: www/apache24/Makefile >=================================================================== >--- www/apache24/Makefile (revision 427946) >+++ www/apache24/Makefile (working copy) >@@ -2,7 +2,7 @@ > > PORTNAME= apache24 > PORTVERSION= 2.4.23 >-PORTREVISION= 1 >+PORTREVISION= 2 > CATEGORIES= www ipv6 > MASTER_SITES= APACHE_HTTPD > DISTNAME= httpd-${PORTVERSION} >Index: www/apache24/files/patch-CVE-2016-8740 >=================================================================== >--- www/apache24/files/patch-CVE-2016-8740 (nonexistent) >+++ www/apache24/files/patch-CVE-2016-8740 (working copy) 
>@@ -0,0 +1,116 @@ >+ Security Advisory - Apache Software Foundation >+ Apache HTTPD WebServer / httpd.apache.org >+ >+ Server memory can be exhausted and service denied when HTTP/2 is used >+ >+ CVE-2016-8740 >+ >+The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply limitations >+on request headers correctly when experimental module for the HTTP/2 >+protocol is used to access a resource. >+ >+The net result is that a the server allocates too much memory instead of denying >+the request. This can lead to memory exhaustion of the server by a properly >+crafted request. >+ >+Background: >+- ----------- >+ >+Apache has limits on the number and length of request header fields. which >+limits the amount of memory a client can allocate on the server for a request. >+ >+Version 2.4.17 of the Apache HTTP Server introduced an experimental feature: >+mod_http2 for the HTTP/2 protocol (RFC7540, previous versions were known as >+Google SPDY). >+ >+This module is NOT compiled in by default -and- is not enabled by default, >+although some distribution may have chosen to do so. >+ >+It is generally needs to be enabled in the 'Protocols' line in httpd by >+adding 'h2' and/or 'h2c' to the 'http/1.1' only default. >+ >+The default distributions of the Apache Software Foundation do not include >+this experimental feature. >+ >+Details: >+- -------- >+ >+- From version 2.4.17, upto and including version 2.4.23 the server failed >+to take the limitations on request memory use into account when providing >+access to a resource over HTTP/2. This issue has been fixed >+in version 2.4.23 (r1772576). >+ >+As a result - with a request using the HTTP/2 protocol a specially crafted >+request can allocate memory on the server until it reaches its limit. This can >+lead to denial of service for all requests against the server. >+ >+Impact: >+- ------- >+ >+This can lead to denial of service for all server resources. 
>+Versions affected: >+- ------------------ >+All versions from 2.4.17 to 2.4.23. >+ >+Resolution: >+- ----------- >+ >+For a 2.4.23 version a patch is supplied. This will be included in the >+next release. >+ >+Mitigations and work arounds: >+- ----------------------------- >+ >+As a temporary workaround - HTTP/2 can be disabled by changing >+the configuration by removing h2 and h2c from the Protocols >+line(s) in the configuration file. >+ >+The resulting line should read: >+ >+ Protocols http/1.1 >+ >+Credits and timeline >+- -------------------- >+ >+The flaw was found and reported by Naveen Tiwari <naveen.tiwari@asu.edu> >+and CDF/SEFCOM at Arizona State University on 2016-11-22. The issue was >+resolved by Stefan Eissing and incorporated in the Apache repository, >+ready for inclusion in the next release. >+ >+Apache would like to thank all involved for their help with this. >+ >+Index: modules/http2/h2_stream.c >+=================================================================== >+--- modules/http2/h2_stream.c (revision 1771866) >++++ modules/http2/h2_stream.c (working copy) >+@@ -322,18 +322,18 @@ >+ HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE); >+ } >+ } >+- } >+- >+- if (h2_stream_is_scheduled(stream)) { >+- return h2_request_add_trailer(stream->request, stream->pool, >+- name, nlen, value, vlen); >+- } >+- else { >+- if (!input_open(stream)) { >+- return APR_ECONNRESET; >++ >++ if (h2_stream_is_scheduled(stream)) { >++ return h2_request_add_trailer(stream->request, stream->pool, >++ name, nlen, value, vlen); >+ } >+- return h2_request_add_header(stream->request, stream->pool, >+- name, nlen, value, vlen); >++ else { >++ if (!input_open(stream)) { >++ return APR_ECONNRESET; >++ } >++ return h2_request_add_header(stream->request, stream->pool, >++ name, nlen, value, vlen); >++ } >+ } >+ } >+ >+ > >Property changes on: www/apache24/files/patch-CVE-2016-8740 >___________________________________________________________________ >Added: fbsd:nokeywords >## -0,0 +1 ## 
>+yes >\ No newline at end of property >Added: svn:eol-style >## -0,0 +1 ## >+native >\ No newline at end of property >Added: svn:mime-type >## -0,0 +1 ## >+text/plain >\ No newline at end of property
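Review bot: The PORTREVISION bump from 1 to 2 in www/apache24/Makefile is the only change outside files/patch-CVE-2016-8740, so nothing in this diff records the vulnerability for users still on 2.4.23_1. If it is not being committed separately, add a matching CVE-2016-8740 entry to security/vuxml so that pkg audit reports the older package revisions.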
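Review bot: In the modules/http2/h2_stream.c change embedded in files/patch-CVE-2016-8740, the h2_request_add_trailer and h2_request_add_header returns now both sit inside the enclosing block, and the only lines left after it in the hunk are two closing braces, so no return is visible for the path where that block is skipped. The moved code returns status values such as APR_ECONNRESET, so please confirm against the full function that this path ends in an explicit return (for example APR_SUCCESS) rather than falling off the end. Separately, the advisory text copied ahead of the diff says the issue "has been fixed in version 2.4.23 (r1772576)" while also listing 2.4.23 as affected; a short header giving the CVE id and the upstream revision would be clearer than carrying the whole advisory in the patch file.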