author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-07 02:04:07 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-07 02:04:07 +0000 |
commit | 1221c736f9a90756d47ea6d28320b6b83602dd2a (patch) | |
tree | b453ba7b1393205258c9b098a773b4330984672f /debian/patches/CVE-2021-36160-2.patch | |
parent | Adding upstream version 2.4.38. (diff) | |
download | apache2-1221c736f9a90756d47ea6d28320b6b83602dd2a.tar.xz apache2-1221c736f9a90756d47ea6d28320b6b83602dd2a.zip |
Adding debian version 2.4.38-3+deb10u8.debian/2.4.38-3+deb10u8
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/CVE-2021-36160-2.patch')
-rw-r--r-- | debian/patches/CVE-2021-36160-2.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/debian/patches/CVE-2021-36160-2.patch b/debian/patches/CVE-2021-36160-2.patch
new file mode 100644
index 0000000..cad5774
--- /dev/null
+++ b/debian/patches/CVE-2021-36160-2.patch
@@ -0,0 +1,32 @@
+Description: mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
+ Relaxes the behaviour introduced by the CVE-2021-36160 fix
+Author: Stefan Eissing <icing@apache.org>
+Origin: upstream, https://github.com/apache/httpd/commit/8966e290a
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-12-21
+
+--- a/modules/proxy/mod_proxy_uwsgi.c
++++ b/modules/proxy/mod_proxy_uwsgi.c
+@@ -467,11 +467,20 @@
+
+ /* ADD PATH_INFO (unescaped) */
+ u_path_info = ap_strchr(url + sizeof(UWSGI_SCHEME) + 2, '/');
+- if (!u_path_info || ap_unescape_url(u_path_info) != OK) {
++ if (!u_path_info) {
++ u_path_info = apr_pstrdup(r->pool, "/");
++ }
++ else if (ap_unescape_url(u_path_info) != OK) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10100)
+ "unable to decode uwsgi uri: %s", url);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
++ else {
++ /* Remove duplicate slashes at the beginning of PATH_INFO */
++ while (u_path_info[1] == '/') {
++ u_path_info++;
++ }
++ }
+ apr_table_add(r->subprocess_env, "PATH_INFO", u_path_info);
+
+
|
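Review bot: The `while (u_path_info[1] == '/')` loop in the new `else` branch is memory-safe only because of an invariant the patch never states, which is worth writing down in a function that was just fixed for an out-of-bounds read (CVE-2021-36160). I would add above the loop: `/* u_path_info[0] is always '/' here (ap_strchr() result, preserved by each step), so [1] is at worst the terminating NUL */`. The same hunk still maps every `ap_unescape_url()` failure to `HTTP_INTERNAL_SERVER_ERROR` logged at `APLOG_ERR`; if the path part of `url` is request-derived, as it appears to be, a malformed escape is a client error, and a 4xx status with a lower log level would keep it from showing up as a server fault in monitoring. The enclosing function begins and ends outside the hunk, so the scheme-prefix check that makes `url + sizeof(UWSGI_SCHEME) + 2` a valid pointer is not visible here and is assumed.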