Merge ~paelzer/ubuntu/+source/apache2:lp-1930430-ocsp-in-proxy-mode-FOCAL into ubuntu/+source/apache2:ubuntu/focal-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 8bfbd1c13b5a2e56b2ce3963904c3c496784343a
Merge reported by: Christian Ehrhardt 
Merged at revision: 8bfbd1c13b5a2e56b2ce3963904c3c496784343a
Proposed branch: ~paelzer/ubuntu/+source/apache2:lp-1930430-ocsp-in-proxy-mode-FOCAL
Merge into: ubuntu/+source/apache2:ubuntu/focal-devel
Diff against target: 62 lines (+40/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/lp-1930430-Backport-r1865740.patch (+32/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Utkarsh Gupta (community) Approve
Canonical Server packageset reviewers Pending
Canonical Server Pending
Review via email: mp+405164@code.launchpad.net
Utkarsh Gupta (utkarsh) wrote :

Hey,

This looks good, matches the upstream patch (of course!), changes seem relevant, the bug reporter verified that this works already. +1. \o/

Just one minor diff comment which is up to you to consider.

review: Approve
Christian Ehrhardt (paelzer) wrote :

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/apache2
 * [new tag] upload/2.4.41-4ubuntu3.4 -> upload/2.4.41-4ubuntu3.

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.41-4ubuntu3.4.dsc: done.
  Uploading apache2_2.4.41-4ubuntu3.4.debian.tar.xz: done.
  Uploading apache2_2.4.41-4ubuntu3.4_source.buildinfo: done.
  Uploading apache2_2.4.41-4ubuntu3.4_source.changes: done.
Successfully uploaded packages.

Christian Ehrhardt (paelzer) wrote :

merged

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 5c08dd7..e76652c 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+apache2 (2.4.41-4ubuntu3.4) focal; urgency=medium
7+
8+ * d/p/lp-1930430-Backport-r1865740.patch: fix OCSP in proxy mode
9+ (LP: #1930430)
10+
11+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 05 Jul 2021 09:16:56 +0200
12+
13 apache2 (2.4.41-4ubuntu3.3) focal-security; urgency=medium
14
15 * SECURITY UPDATE: mod_proxy_http denial of service.
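Review bot: The changelog line "fix OCSP in proxy mode" in this hunk says only where the fix lands, not what was wrong; for an SRU entry it would help reviewers to state the cause, which the patch subject and the code change make clear: the OCSP revocation check in ssl_callback_SSLVerify read ocsp_mask from the server context (sc->server) rather than the context actually being verified (mctx), so OCSP settings made for the proxy context were ignored. Something like " * d/p/lp-1930430-Backport-r1865740.patch: fix OCSP in proxy mode by honouring the per-context ocsp_mask instead of the server one (LP: #1930430)" keeps it to one entry. The version 2.4.41-4ubuntu3.4 correctly sorts above the 4ubuntu3.3 focal-security upload it follows.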
16diff --git a/debian/patches/lp-1930430-Backport-r1865740.patch b/debian/patches/lp-1930430-Backport-r1865740.patch
17new file mode 100644
18index 0000000..4f5d7fc
19--- /dev/null
20+++ b/debian/patches/lp-1930430-Backport-r1865740.patch
21@@ -0,0 +1,32 @@
22+From c11b1cd3b11f073ab1b5d1d670cec9db21144683 Mon Sep 17 00:00:00 2001
23+From: Graham Leggett <minfrin@apache.org>
24+Date: Wed, 1 Jan 2020 23:05:42 +0000
25+Subject: [PATCH] Backport r1865740. mod_ssl: OCSP does not apply to proxy
26+ mode.
27+
28+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1872226 13f79535-47bb-0310-9956-ffa450edef68
29+
30+Origin: backport, https://github.com/apache/httpd/commit/c11b1cd3b11f
31+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1930430
32+Last-Update: 2021-07-05
33+X-Backport-Note: skipped non functional changes to status (doesn't exist) and changes (does't match)
34+
35+---
36+ CHANGES | 2 ++
37+ STATUS | 5 -----
38+ modules/ssl/ssl_engine_kernel.c | 4 ++--
39+ 3 files changed, 4 insertions(+), 7 deletions(-)
40+
41+--- a/modules/ssl/ssl_engine_kernel.c
42++++ b/modules/ssl/ssl_engine_kernel.c
43+@@ -1836,8 +1836,8 @@ int ssl_callback_SSLVerify(int ok, X509_
44+ /*
45+ * Perform OCSP-based revocation checks
46+ */
47+- if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
48+- (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
49++ if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
50++ (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
51+ /* If there was an optional verification error, it's not
52+ * possible to perform OCSP validation since the issuer may be
53+ * missing/untrusted. Fail in that case. */
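Review bot: The DEP-3 header and the embedded diffstat in this hunk do not match the patch body: X-Backport-Note says CHANGES and STATUS changes were skipped, yet the diffstat still lists "CHANGES | 2 ++", "STATUS | 5 -----" and "3 files changed, 4 insertions(+), 7 deletions(-)" while only modules/ssl/ssl_engine_kernel.c is actually touched. quilt ignores the stat, but a reader checking the backport against upstream c11b1cd3b11f will trip over it; either drop the three stat lines or reduce them to the one file. Also "does't" in X-Backport-Note should be "doesn't". The code change itself is the minimal upstream fix: switching the OCSP_CHECK_CHAIN/OCSP_CHECK_LEAF test from sc->server->ocsp_mask to mctx->ocsp_mask means the revocation check consults the OCSP configuration of the context whose certificate is being verified, so proxy (backend) connections get their own OCSP settings instead of silently inheriting the server's, which is the behaviour the bug reporter confirmed in LP: #1930430.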
54diff --git a/debian/patches/series b/debian/patches/series
55index 80ebe01..a065dd6 100644
56--- a/debian/patches/series
57+++ b/debian/patches/series
58@@ -27,3 +27,4 @@ CVE-2020-35452.patch
59 CVE-2021-26690.patch
60 CVE-2021-26691.patch
61 CVE-2021-30641.patch
62+lp-1930430-Backport-r1865740.patch
