debian/patches/CVE-2021-26691.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

Description: mod_session: account for the '&' in identity_concat().
Author: Apache authors
Origin: upstream, https://github.com/apache/httpd/commit/7e09dd71
Forwarded: not-needed
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2021-06-10

--- a/modules/session/mod_session.c
+++ b/modules/session/mod_session.c
@@ -305,7 +305,7 @@
 static int identity_count(void *v, const char *key, const char *val)
 {
     int *count = v;
-    *count += strlen(key) * 3 + strlen(val) * 3 + 1;
+    *count += strlen(key) * 3 + strlen(val) * 3 + 2;
     return 1;
 }