Merge ~paelzer/ubuntu/+source/apache2:lp-1930430-ocsp-in-proxy-mode-FOCAL into ubuntu/+source/apache2:ubuntu/focal-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 8bfbd1c13b5a2e56b2ce3963904c3c496784343a
Merge reported by: Christian Ehrhardt 
Merged at revision: 8bfbd1c13b5a2e56b2ce3963904c3c496784343a
Proposed branch: ~paelzer/ubuntu/+source/apache2:lp-1930430-ocsp-in-proxy-mode-FOCAL
Merge into: ubuntu/+source/apache2:ubuntu/focal-devel
Diff against target: 62 lines (+40/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/lp-1930430-Backport-r1865740.patch (+32/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Utkarsh Gupta (community) Approve
Canonical Server packageset reviewers Pending
Canonical Server Pending
Review via email: mp+405164@code.launchpad.net
Utkarsh Gupta (utkarsh) wrote :

Hey,

This looks good, matches the upstream patch (of course!), changes seem relevant, the bug reported verified that this works already. +1. \o/

Just one minor diff comment which is up to you to consider.

review: Approve
Christian Ehrhardt  (paelzer) :
Christian Ehrhardt  (paelzer) wrote :

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/apache2
 * [new tag] upload/2.4.41-4ubuntu3.4 -> upload/2.4.41-4ubuntu3.

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.41-4ubuntu3.4.dsc: done.
  Uploading apache2_2.4.41-4ubuntu3.4.debian.tar.xz: done.
  Uploading apache2_2.4.41-4ubuntu3.4_source.buildinfo: done.
  Uploading apache2_2.4.41-4ubuntu3.4_source.changes: done.
Successfully uploaded packages.

Christian Ehrhardt  (paelzer) wrote :

merged

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 5c08dd7..e76652c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
1apache2 (2.4.41-4ubuntu3.4) focal; urgency=medium
2
3 * d/p/lp-1930430-Backport-r1865740.patch: fix OCSP in proxy mode
4 (LP: #1930430)
5
6 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 05 Jul 2021 09:16:56 +0200
7
1apache2 (2.4.41-4ubuntu3.3) focal-security; urgency=medium8apache2 (2.4.41-4ubuntu3.3) focal-security; urgency=medium
29
3 * SECURITY UPDATE: mod_proxy_http denial of service.10 * SECURITY UPDATE: mod_proxy_http denial of service.
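Review bot: The description on the new `* d/p/lp-1930430-Backport-r1865740.patch:` line, "fix OCSP in proxy mode", can be read as making OCSP checking work for proxied connections, while the patch subject it refers to says "mod_ssl: OCSP does not apply to proxy mode". Consider stating the behaviour change directly, for example that the OCSP check in ssl_callback_SSLVerify now tests `mctx->ocsp_mask` instead of `sc->server->ocsp_mask`, so a reader of the changelog does not have to open the patch to learn which way the fix goes.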
diff --git a/debian/patches/lp-1930430-Backport-r1865740.patch b/debian/patches/lp-1930430-Backport-r1865740.patch
4new file mode 10064411new file mode 100644
index 0000000..4f5d7fc
--- /dev/null
+++ b/debian/patches/lp-1930430-Backport-r1865740.patch
@@ -0,0 +1,32 @@
1From c11b1cd3b11f073ab1b5d1d670cec9db21144683 Mon Sep 17 00:00:00 2001
2From: Graham Leggett <minfrin@apache.org>
3Date: Wed, 1 Jan 2020 23:05:42 +0000
4Subject: [PATCH] Backport r1865740. mod_ssl: OCSP does not apply to proxy
5 mode.
6
7git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1872226 13f79535-47bb-0310-9956-ffa450edef68
8
9Origin: backport, https://github.com/apache/httpd/commit/c11b1cd3b11f
10Bug-Ubuntu: https://bugs.launchpad.net/bugs/1930430
11Last-Update: 2021-07-05
12X-Backport-Note: skipped non functional changes to status (doesn't exist) and changes (does't match)
13
14---
15 CHANGES | 2 ++
16 STATUS | 5 -----
17 modules/ssl/ssl_engine_kernel.c | 4 ++--
18 3 files changed, 4 insertions(+), 7 deletions(-)
19
20--- a/modules/ssl/ssl_engine_kernel.c
21+++ b/modules/ssl/ssl_engine_kernel.c
22@@ -1836,8 +1836,8 @@ int ssl_callback_SSLVerify(int ok, X509_
23 /*
24 * Perform OCSP-based revocation checks
25 */
26- if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
27- (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
28+ if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
29+ (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
30 /* If there was an optional verification error, it's not
31 * possible to perform OCSP validation since the issuer may be
32 * missing/untrusted. Fail in that case. */
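Review bot: The replacement condition in ssl_callback_SSLVerify reads `mctx->ocsp_mask`, but none of the context lines in this hunk show where `mctx` is declared or assigned. Please confirm that in the 2.4.41 source it is already in scope at this point and refers to the proxy context for outgoing connections, since otherwise the backport either fails to build or tests the wrong mask. Separately, the embedded diffstat still lists CHANGES and STATUS with "3 files changed, 4 insertions(+), 7 deletions(-)" although only the modules/ssl/ssl_engine_kernel.c hunk is carried. The X-Backport-Note explains the omission, but it contains a typo ("does't"), and the stale diffstat could be trimmed to match what the patch actually applies.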
diff --git a/debian/patches/series b/debian/patches/series
index 80ebe01..a065dd6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,3 +27,4 @@ CVE-2020-35452.patch
27CVE-2021-26690.patch27CVE-2021-26690.patch
28CVE-2021-26691.patch28CVE-2021-26691.patch
29CVE-2021-30641.patch29CVE-2021-30641.patch
30lp-1930430-Backport-r1865740.patch
