summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2020-35452.patch
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/CVE-2020-35452.patch27
1 files changed, 0 insertions, 27 deletions
diff --git a/debian/patches/CVE-2020-35452.patch b/debian/patches/CVE-2020-35452.patch
deleted file mode 100644
index 5204210..0000000
--- a/debian/patches/CVE-2020-35452.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Description: <short summary of the patch>
-Author: Apache authors
-Origin: upstream, https://github.com/apache/httpd/commit/3b6431e
-Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-35452
-Forwarded: not-needed
-Reviewed-By: Yadd <yadd@debian.org>
-Last-Update: 2021-06-10
-
---- a/modules/aaa/mod_auth_digest.c
-+++ b/modules/aaa/mod_auth_digest.c
-@@ -1422,9 +1422,14 @@
- time_rec nonce_time;
- char tmp, hash[NONCE_HASH_LEN+1];
-
-- if (strlen(resp->nonce) != NONCE_LEN) {
-+ /* Since the time part of the nonce is a base64 encoding of an
-+ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
-+ */
-+ if (strlen(resp->nonce) != NONCE_LEN
-+ || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
-- "invalid nonce %s received - length is not %d",
-+ "invalid nonce '%s' received - length is not %d "
-+ "or time encoding is incorrect",
- resp->nonce, NONCE_LEN);
- note_digest_auth_failure(r, conf, resp, 1);
- return HTTP_UNAUTHORIZED;