path: root/www/apache24/files/patch-CVE-2016-8740
Diffstat (limited to 'www/apache24/files/patch-CVE-2016-8740')
-rw-r--r--  www/apache24/files/patch-CVE-2016-8740  116
1 files changed, 0 insertions, 116 deletions
diff --git a/www/apache24/files/patch-CVE-2016-8740 b/www/apache24/files/patch-CVE-2016-8740
deleted file mode 100644
index 04b00be52062..000000000000
--- a/www/apache24/files/patch-CVE-2016-8740
+++ /dev/null
@@ -1,116 +0,0 @@
- Security Advisory - Apache Software Foundation
- Apache HTTPD WebServer / httpd.apache.org
-
- Server memory can be exhausted and service denied when HTTP/2 is used
-
- CVE-2016-8740
-
-The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply limitations
-on request headers correctly when experimental module for the HTTP/2
-protocol is used to access a resource.
-
-The net result is that a the server allocates too much memory instead of denying
-the request. This can lead to memory exhaustion of the server by a properly
-crafted request.
-
-Background:
-- -----------
-
-Apache has limits on the number and length of request header fields. which
-limits the amount of memory a client can allocate on the server for a request.
-
-Version 2.4.17 of the Apache HTTP Server introduced an experimental feature:
-mod_http2 for the HTTP/2 protocol (RFC7540, previous versions were known as
-Google SPDY).
-
-This module is NOT compiled in by default -and- is not enabled by default,
-although some distribution may have chosen to do so.
-
-It is generally needs to be enabled in the 'Protocols' line in httpd by
-adding 'h2' and/or 'h2c' to the 'http/1.1' only default.
-
-The default distributions of the Apache Software Foundation do not include
-this experimental feature.
-
-Details:
-- --------
-
-- From version 2.4.17, upto and including version 2.4.23 the server failed
-to take the limitations on request memory use into account when providing
-access to a resource over HTTP/2. This issue has been fixed
-in version 2.4.23 (r1772576).
-
-As a result - with a request using the HTTP/2 protocol a specially crafted
-request can allocate memory on the server until it reaches its limit. This can
-lead to denial of service for all requests against the server.
-
-Impact:
-- -------
-
-This can lead to denial of service for all server resources.
-Versions affected:
-- ------------------
-All versions from 2.4.17 to 2.4.23.
-
-Resolution:
-- -----------
-
-For a 2.4.23 version a patch is supplied. This will be included in the
-next release.
-
-Mitigations and work arounds:
-- -----------------------------
-
-As a temporary workaround - HTTP/2 can be disabled by changing
-the configuration by removing h2 and h2c from the Protocols
-line(s) in the configuration file.
-
-The resulting line should read:
-
- Protocols http/1.1
-
-Credits and timeline
-- --------------------
-
-The flaw was found and reported by Naveen Tiwari <naveen.tiwari@asu.edu>
-and CDF/SEFCOM at Arizona State University on 2016-11-22. The issue was
-resolved by Stefan Eissing and incorporated in the Apache repository,
-ready for inclusion in the next release.
-
-Apache would like to thank all involved for their help with this.
-
-Index: modules/http2/h2_stream.c
-===================================================================
---- modules/http2/h2_stream.c (revision 1771866)
-+++ modules/http2/h2_stream.c (working copy)
-@@ -322,18 +322,18 @@
- HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE);
- }
- }
-- }
--
-- if (h2_stream_is_scheduled(stream)) {
-- return h2_request_add_trailer(stream->request, stream->pool,
-- name, nlen, value, vlen);
-- }
-- else {
-- if (!input_open(stream)) {
-- return APR_ECONNRESET;
-+
-+ if (h2_stream_is_scheduled(stream)) {
-+ return h2_request_add_trailer(stream->request, stream->pool,
-+ name, nlen, value, vlen);
- }
-- return h2_request_add_header(stream->request, stream->pool,
-- name, nlen, value, vlen);
-+ else {
-+ if (!input_open(stream)) {
-+ return APR_ECONNRESET;
-+ }
-+ return h2_request_add_header(stream->request, stream->pool,
-+ name, nlen, value, vlen);
-+ }
- }
- }
-
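Review bot: the fall-through path of h2_stream_add_header has no return value after this hunk. The `}` that used to close the enclosing block before `if (h2_stream_is_scheduled(stream))` now moves to after the `else` branch, so the trailer/add_header calls only run inside that block; when its condition (not shown in the hunk) is false, control reaches the two trailing `}` context lines with nothing returned, in a function that otherwise returns `APR_ECONNRESET` and the result of h2_request_add_header. Unless those closing braces belong to something other than the enclosing block and the function itself, add an explicit `return APR_SUCCESS;` (or whichever status the caller should see for a header that is deliberately dropped) before the final brace, and widen the hunk context to include the enclosing `if (...)` line: the context `HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE` shows the limit checks live in that block, and the reader needs to see which state gates them to judge that storing headers only inside it is the right fix.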
-
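Review bot: deleting this patch is only correct if the port now builds an httpd release that already carries the fix, and nothing in this diff shows that. The advisory being removed lists every release from 2.4.17 through 2.4.23 as affected and says the fix (r1772576) is "ready for inclusion in the next release", while its Details section contradicts itself by claiming the issue "has been fixed in version 2.4.23". The diffstat covers only this file, so the version bump in the port's Makefile/distinfo is not visible here; confirm it lands in the same commit, otherwise a port built from the intermediate state would lose the mod_http2 fix while still able to enable h2/h2c through Protocols.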
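The advisory's workaround (removing h2 and h2c from the Protocols line so it reads `Protocols http/1.1`) is easy to apply incompletely, because a Protocols directive inside a `<VirtualHost>` overrides the server-level one, so fixing httpd.conf alone can leave a virtual host still speaking HTTP/2. The script below is an added example, not code from the Apache advisory or the FreeBSD port: it scans httpd configuration text, reports every Protocols directive that enables h2 or h2c together with the section it sits in, notes whether the LoadModule line for mod_http2 is present, and produces the http/1.1-only replacement. The sample configuration embedded in it is constructed. It assumes one directive per line, `#` only at the start of a line as a comment, case-insensitive directive names, and it does not follow `Include` files or backslash line continuations; use `httpd -M` (equivalently `httpd -t -D DUMP_MODULES`) to confirm what the running binary actually loaded.

```python
"""Audit httpd configuration text for the CVE-2016-8740 workaround.

Added example, not code from the Apache advisory or the FreeBSD port.
Assumptions: one directive per line, '#' starts a comment only at the
beginning of a line, directive names are case-insensitive, <Section ...>
blocks scope a directive, and Include files / line continuations are
not followed.
"""
import re
from dataclasses import dataclass, field

HTTP2_PROTOCOLS = {"h2", "h2c"}

DIRECTIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s*(.*?)$")
SECTION_OPEN_RE = re.compile(r"^<([A-Za-z]+)\b([^>]*)>$")
SECTION_CLOSE_RE = re.compile(r"^</([A-Za-z]+)>$")


@dataclass
class Finding:
    line_no: int
    scope: str        # "server" or the enclosing section, e.g. "VirtualHost *:443"
    protocols: list   # arguments as written on the offending line
    fixed_line: str   # the same line with h2/h2c removed


@dataclass
class Audit:
    http2_module_loaded: bool = False
    findings: list = field(default_factory=list)


def audit_config(text: str) -> Audit:
    """Walk the configuration once, tracking section nesting so each
    finding can say which virtual host (or the main server) it applies to."""
    audit = Audit()
    scope_stack = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_OPEN_RE.match(line)
        if m:
            scope_stack.append(f"{m.group(1)} {m.group(2).strip()}".strip())
            continue
        if SECTION_CLOSE_RE.match(line):
            if scope_stack:
                scope_stack.pop()
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, args = m.group(1).lower(), m.group(2).split()
        if name == "loadmodule" and args[:1] == ["http2_module"]:
            audit.http2_module_loaded = True
        elif name == "protocols" and any(p.lower() in HTTP2_PROTOCOLS for p in args):
            # Keep whatever else was listed; if only h2/h2c were given,
            # fall back to the line the advisory recommends.
            kept = [p for p in args if p.lower() not in HTTP2_PROTOCOLS] or ["http/1.1"]
            indent = raw[: len(raw) - len(raw.lstrip())]
            audit.findings.append(Finding(
                line_no=line_no,
                scope=" > ".join(scope_stack) or "server",
                protocols=args,
                fixed_line=f"{indent}Protocols {' '.join(kept)}",
            ))
    return audit


def rewrite_config(text: str) -> str:
    """Return the configuration with every offending Protocols line replaced."""
    fixes = {f.line_no: f.fixed_line for f in audit_config(text).findings}
    lines = (fixes.get(n, line) for n, line in enumerate(text.splitlines(), 1))
    return "\n".join(lines) + "\n"


# Constructed sample configuration (not from any real server).  The
# server-level line and the :443 virtual host both enable HTTP/2; the
# :8080 host is already HTTP/1.1 only and must be left alone.
SAMPLE_CONFIG = """\
# constructed sample
ServerRoot "/usr/local"
LoadModule http2_module libexec/apache24/mod_http2.so
Protocols h2 h2c http/1.1

<VirtualHost *:443>
    ServerName www.example.com
    Protocols h2 http/1.1
</VirtualHost>

<VirtualHost *:8080>
    ServerName legacy.example.com
    Protocols http/1.1
</VirtualHost>
"""

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    print("mod_http2 loaded:", report.http2_module_loaded)
    for f in report.findings:
        print(f"line {f.line_no} [{f.scope}]: Protocols {' '.join(f.protocols)}"
              f"  ->  {f.fixed_line.strip()}")
    print(rewrite_config(SAMPLE_CONFIG))
```

The module-loaded flag is reported separately on purpose: the advisory notes that mod_http2 being compiled in or loaded is not by itself the exposure, the h2/h2c entries in Protocols are, so a clean audit is "no findings", not "module absent".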