Adding debian version 2.4.38-3+deb10u8.debian/2.4.38-3+deb10u8debian

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 92 insertions, 0 deletions

diff --git a/debian/patches/CVE-2020-1927.patch b/debian/patches/CVE-2020-1927.patch
new file mode 100644
index 0000000..cbdd84f
--- /dev/null
+++ b/debian/patches/CVE-2020-1927.patch
@@ -0,0 +1,92 @@
+Description: fix for CVE-2020-1927
+Author: covener
+Origin: upstream, https://svn.apache.org/r1873905
+ https://svn.apache.org/r1874191
+Bug: https://security-tracker.debian.org/tracker/CVE-2020-1927
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-08-25
+
+--- a/include/ap_regex.h
++++ b/include/ap_regex.h
+@@ -84,7 +84,11 @@
+ 
+ #define AP_REG_DOLLAR_ENDONLY 0x200 /* '$' matches at end of subject string only */
+ 
+-#define AP_REG_MATCH "MATCH_" /** suggested prefix for ap_regname */
++#define AP_REG_NO_DEFAULT 0x400 /**< Don't implicitely add AP_REG_DEFAULT options */
++
++#define AP_REG_MATCH "MATCH_" /**< suggested prefix for ap_regname */
++
++#define AP_REG_DEFAULT (AP_REG_DOTALL|AP_REG_DOLLAR_ENDONLY)
+ 
+ /* Error values: */
+ enum {
+--- a/modules/filters/mod_substitute.c
++++ b/modules/filters/mod_substitute.c
+@@ -667,8 +667,10 @@
+ 
+     /* first see if we can compile the regex */
+     if (!is_pattern) {
+-        r = ap_pregcomp(cmd->pool, from, AP_REG_EXTENDED |
+-                        (ignore_case ? AP_REG_ICASE : 0));
++         int flags = AP_REG_NO_DEFAULT
++                    | (ap_regcomp_get_default_cflags() & AP_REG_DOLLAR_ENDONLY)
++                    | (ignore_case ? AP_REG_ICASE : 0);
++        r = ap_pregcomp(cmd->pool, from, flags);
+         if (!r)
+             return "Substitute could not compile regex";
+     }
+--- a/server/core.c
++++ b/server/core.c
+@@ -4937,7 +4937,7 @@
+     apr_pool_cleanup_register(pconf, NULL, reset_config_defines,
+                               apr_pool_cleanup_null);
+ 
+-    ap_regcomp_set_default_cflags(AP_REG_DOLLAR_ENDONLY);
++    ap_regcomp_set_default_cflags(AP_REG_DEFAULT);
+ 
+     mpm_common_pre_config(pconf);
+ 
+--- a/server/util_pcre.c
++++ b/server/util_pcre.c
+@@ -120,8 +120,7 @@
+  *            Compile a regular expression       *
+  *************************************************/
+ 
+-static int default_cflags = AP_REG_DOTALL |
+-                            AP_REG_DOLLAR_ENDONLY;
++static int default_cflags = AP_REG_DEFAULT;
+ 
+ AP_DECLARE(int) ap_regcomp_get_default_cflags(void)
+ {
+@@ -169,7 +168,9 @@
+     int errcode = 0;
+     int options = PCRE_DUPNAMES;
+ 
+-    cflags |= default_cflags;
++    if ((cflags & AP_REG_NO_DEFAULT) == 0)
++        cflags |= default_cflags;
++
+     if ((cflags & AP_REG_ICASE) != 0)
+         options |= PCRE_CASELESS;
+     if ((cflags & AP_REG_NEWLINE) != 0)
+--- a/server/util_regex.c
++++ b/server/util_regex.c
+@@ -94,6 +94,7 @@
+     }
+ 
+     /* anything after the current delimiter is flags */
++    ret->flags = ap_regcomp_get_default_cflags() & AP_REG_DOLLAR_ENDONLY;
+     while (*++endp) {
+         switch (*endp) {
+         case 'i': ret->flags |= AP_REG_ICASE; break;
+@@ -106,7 +107,7 @@
+         default: break; /* we should probably be stricter here */
+         }
+     }
+-    if (ap_regcomp(&ret->rx, rxstr, ret->flags) == 0) {
++    if (ap_regcomp(&ret->rx, rxstr, AP_REG_NO_DEFAULT | ret->flags) == 0) {
+         apr_pool_cleanup_register(pool, &ret->rx, rxplus_cleanup,
+                                   apr_pool_cleanup_null);
+     }