[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [users@httpd] Patch request for Apache 2.4.x for the CVE-2016-4975

On Mon, Nov 5, 2018 at 1:25 AM Andrew Joshwa <4andrewjoshwa4@xxxxxxxxx> wrote:

Can anyone please help me to get the patch for the CVE-2016-4975.

Yes,, obtain and build the latest version of 2.4.
Or if you want to avoid the TLS 1.3 enhancement, you may want to obtain 2.4.35
from (at minimum, 2.4.27, which corrects
shortcomings of the patch you note below.)
I have found the below link for patch from internet.
However this contains many changes.

There were further changes. The branch of all changes you are asking for is;

Please let me know if we need to port all changes mentioned in above patch OR please let me know if specific revision can be ported to fix CVE-2016-4975

This particular CVE is easily addressed by a patch to encode the mod_userdir
inputs. Not using mod_userdir external redirects is equally simple and similarly
solves the issue . Avoiding mod_alias as well as mod_rewrite is quite challenging..

Unfortunately this class of vulnerabilities could not be addressed in a simple fix.

The entire patch is needed to protect the client / proxy / backend from malicious
input. We refactored the way request and response text was handled to guard
against this entire class of exploits.