Posted to users@httpd.apache.org by Andrew Joshwa <4a...@gmail.com> on 2018/11/05 07:25:33 UTC

[users@httpd] Patch request for Apache 2.4.x for the CVE-2016-4975

Hi,

Can anyone please help me to get the patch for CVE-2016-4975?

I have found the below link for the patch on the internet.
https://svn.apache.org/viewvc?view=revision&revision=1772678
However, this contains many changes.

Please let me know if we need to port all changes mentioned in the above
patch, OR please let me know if a specific revision can be ported to fix
CVE-2016-4975.


Regards,
Andrew

Re: [users@httpd] Patch request for Apache 2.4.x for the CVE-2016-4975

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Mon, Nov 5, 2018 at 1:25 AM Andrew Joshwa <4a...@gmail.com>
wrote:

> Hi,
>
> Can anyone please help me to get the patch for the CVE-2016-4975.
>

Yes, http://www.apache.org/dist/httpd/, obtain and build the latest version
of 2.4. Or if you want to avoid the TLS 1.3 enhancement, you may want to
obtain 2.4.35 from http://archive.apache.org/dist/httpd/ (at minimum,
2.4.27, which corrects shortcomings of the patch you note below.)


> I have found the below link for patch from internet.
> https://svn.apache.org/viewvc?view=revision&revision=1772678
> However this contains many changes.
>

There were further changes. The branch of all changes you are asking for is:

https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict/

> Please let me know if we need to port all changes mentioned in above patch
> OR please let me know if specific revision can be ported to fix
> CVE-2016-4975
>

This particular CVE is easily addressed by a patch to encode the mod_userdir
inputs. Not using mod_userdir external redirects is equally simple and
similarly solves the issue. Avoiding mod_alias as well as mod_rewrite is
quite challenging.

Unfortunately this class of vulnerabilities could not be addressed in a
simple fix.

The entire patch is needed to protect the client / proxy / backend from
malicious input. We refactored the way request and response text was handled
to guard against this entire class of exploits.
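
The reply above says this CVE can be addressed by encoding the mod_userdir inputs. As an added illustration (not httpd's code and not the actual patch), this sketch percent-encodes a user name before it goes into a redirect Location value and rejects any value still containing CR or LF, the characters the Apache advisory for CVE-2016-4975 names. The function names, base URL and sample input are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Percent-encode every byte that is not an RFC 3986 unreserved character.
 * Returns 0 on success, -1 if the output buffer is too small. */
int encode_path_segment(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        } else {                       /* includes CR, LF, space, ':' */
            if (o + 3 >= outlen) return -1;
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        }
    }
    out[o] = '\0';
    return 0;
}

/* Second line of defence: refuse a header value containing CR or LF. */
int header_value_is_safe(const char *v)
{
    return strpbrk(v, "\r\n") == NULL;
}

/* Build the Location value for a UserDir-style external redirect
 * (hypothetical helper; base is trusted configuration, user is not). */
int build_userdir_location(const char *base, const char *user,
                           char *out, size_t outlen)
{
    char enc[256];
    int n;
    if (encode_path_segment(user, enc, sizeof enc) != 0) return -1;
    n = snprintf(out, outlen, "%s%s/", base, enc);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return header_value_is_safe(out) ? 0 : -1;
}

int main(void)
{
    char loc[512];
    const char *user = "alice\r\nX-Injected: 1";   /* constructed sample */
    if (build_userdir_location("http://users.example.org/~", user,
                               loc, sizeof loc) == 0)
        printf("Location: %s\n", loc);
    return 0;
}
```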