main/apache2: security hotfix #844 (CVE-2011-4317)

(cherry picked from commit 9f987f8ab1533bc6cdb29f36f144101bae980efe)
2026-05-04 20:06:43 +02:00 · 2011-11-28 12:00:52 +00:00 · 2011-11-28 12:00:52 +00:00 · fc62f60822
commit fc62f60822
parent 4f91626f29
2 changed files with 41 additions and 3 deletions
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=apache2
 pkgver=2.2.21
-pkgrel=0
+pkgrel=1
 pkgdesc="A high performance Unix-based HTTP server"
 url="http://httpd.apache.org/"
 license="APACHE"
@ -31,7 +31,8 @@ source="http://archive.apache.org/dist/httpd/httpd-$pkgver.tar.bz2
 	httpd.conf
 	ssl.conf
 	ldap.conf
-	alpine.layout"
+	alpine.layout
+	CVE-2011-4317.patch"

 prepare() {
 	cd "$srcdir"
@ -191,4 +192,5 @@ e322b5211e49511cac6e40c86af1b1da  apache2.confd
 2df3891a45abcdc4083a2699ff7f26fc  httpd.conf
 5d0d024ca43571b863874ab871b2c109  ssl.conf
 b70fe826486043e3953cfe21f9e6fa16  ldap.conf
-c66ff5f70260d5266e6803a59b39bd7f  alpine.layout"
+c66ff5f70260d5266e6803a59b39bd7f  alpine.layout
+4c9b33458e4c8dea1be39f811da39be3  CVE-2011-4317.patch"
--- a/main/apache2/CVE-2011-4317.patch
+++ b/main/apache2/CVE-2011-4317.patch
@ -0,0 +1,36 @@
+Index: modules/proxy/mod_proxy.c
+===================================================================
+--- httpd-2.2.21/modules/proxy/mod_proxy.c	(revision 1179633)
+++ httpd-2.2.21/modules/proxy/mod_proxy.c	(working copy)
+@@ -566,6 +566,13 @@
+         return OK;
+     }
+ 
+    /* Check that the URI is valid. */
+    if (!r->uri  || r->uri[0] != '/') {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                     "Invalid URI in request %s", r->the_request);
+        return HTTP_BAD_REQUEST;
+    }
+
+     /* XXX: since r->uri has been manipulated already we're not really
+      * compliant with RFC1945 at this point.  But this probably isn't
+      * an issue because this is a hybrid proxy/origin server.
+Index: modules/mappers/mod_rewrite.c
+===================================================================
+--- httpd-2.2.21/modules/mappers/mod_rewrite.c	(revision 1179633)
+++ httpd-2.2.21/modules/mappers/mod_rewrite.c	(working copy)
+@@ -4266,6 +4266,13 @@
+         return DECLINED;
+     }
+ 
+    /* Check that the URI is valid. */
+    if (!r->uri || r->uri[0] != '/') {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                     "Invalid URI in request %s", r->the_request);
+        return HTTP_BAD_REQUEST;
+    }
+    
+     /*
+      *  add the SCRIPT_URL variable to the env. this is a bit complicated
+      *  due to the fact that apache uses subrequests and internal redirects