
Re: [users@httpd] Patch request for Apache 2.4.x for the CVE-2016-4975

On Mon, Nov 5, 2018 at 1:25 AM Andrew Joshwa <4andrewjoshwa4@xxxxxxxxx> wrote:

Can anyone please help me to get the patch for the CVE-2016-4975?

Yes, http://www.apache.org/dist/httpd/, obtain and build the latest version of 2.4.
Or if you want to avoid the TLS 1.3 enhancement, you may want to obtain 2.4.35
from http://archive.apache.org/dist/httpd/ (at minimum, 2.4.27, which corrects
shortcomings of the patch you note below.)

I have found the below link for patch from internet.
However this contains many changes.

There were further changes. The branch of all changes you are asking for is;

Please let me know if we need to port all changes mentioned in the above patch OR please let me know if a specific revision can be ported to fix CVE-2016-4975.

This particular CVE is easily addressed by a patch to encode the mod_userdir
inputs. Not using mod_userdir external redirects is equally simple and similarly
solves the issue. Avoiding mod_alias as well as mod_rewrite is quite challenging.

Unfortunately this class of vulnerabilities could not be addressed in a simple fix.

The entire patch is needed to protect the client / proxy / backend from malicious
input. We refactored the way request and response text was handled to guard
against this entire class of exploits.
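
Added example, not part of the original message or of the httpd project: a small shell check that compares an installation's reported version against the 2.4.27 minimum named in the reply and notes whether mod_userdir is loaded. The function names and the sample `apachectl -v` / `apachectl -M` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an httpd install against the advice in this thread.
MIN_FIXED="2.4.27"   # minimum version named in the reply above

# Extract "2.4.35" from a line like "Server version: Apache/2.4.35 (Unix)".
parse_httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Return 0 if dotted version $1 >= $2, comparing each component numerically.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Return 0 if the module listing ("apachectl -M" output) includes mod_userdir.
userdir_loaded() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*userdir_module[[:space:]]'
}

# Print a one-line finding for the given version text and module listing.
assess() {
    ver=$(parse_httpd_version "$1")
    if [ -z "$ver" ]; then echo "unknown version"; return 0; fi
    if version_ge "$ver" "$MIN_FIXED"; then
        echo "$ver: at or above $MIN_FIXED"
    elif userdir_loaded "$2"; then
        echo "$ver: below $MIN_FIXED, mod_userdir loaded"
    else
        echo "$ver: below $MIN_FIXED, mod_userdir not loaded"
    fi
}

# Constructed sample output; on a live host use:
#   assess "$(apachectl -v)" "$(apachectl -M 2>/dev/null)"
SAMPLE_V='Server version: Apache/2.4.25 (Unix)
Server built:   Jan  1 2017 00:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 userdir_module (shared)'
assess "$SAMPLE_V" "$SAMPLE_M"
```

Distribution packages may backport fixes without changing the upstream version string, so a "below" result is a prompt to check the vendor's advisory rather than a final verdict.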