Diffstat (limited to 'debian/patches/CVE-2019-0215.patch')
-rw-r--r--debian/patches/CVE-2019-0215.patch52
1 files changed, 52 insertions, 0 deletions
diff --git a/debian/patches/CVE-2019-0215.patch b/debian/patches/CVE-2019-0215.patch
new file mode 100644
index 0000000..6c0461e
--- /dev/null
+++ b/debian/patches/CVE-2019-0215.patch
@@ -0,0 +1,52 @@
+From 84edf5f49db23ced03259812bbf9426685f7d82a Mon Sep 17 00:00:00 2001
+From: Joe Orton <jorton@apache.org>
+Date: Wed, 20 Mar 2019 15:45:16 +0000
+Subject: [PATCH] Merge r1855849 from trunk:
+
+* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly
+ restore SSL verify state after PHA failure in TLSv1.3.
+
+Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
+Reviewed by: jorton, covener, jim
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855917 13f79535-47bb-0310-9956-ffa450edef68
+---
+ CHANGES | 3 +++
+ modules/ssl/ssl_engine_kernel.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+#diff --git a/CHANGES b/CHANGES
+#index 6b03eadfa07..6f20d688ece 100644
+#--- a/CHANGES
+#+++ b/CHANGES
+#@@ -1,6 +1,9 @@
+# -*- coding: utf-8 -*-
+# Changes with Apache 2.4.39
+#
+#+ *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
+#+ [Michael Kaufmann <mail michael-kaufmann.ch>]
+#+
+# *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
+# PR 55348
+#
+Index: apache2-2.4.38/modules/ssl/ssl_engine_kernel.c
+===================================================================
+--- apache2-2.4.38.orig/modules/ssl/ssl_engine_kernel.c 2019-04-03 14:31:14.279214679 -0400
++++ apache2-2.4.38/modules/ssl/ssl_engine_kernel.c 2019-04-03 14:31:14.279214679 -0400
+@@ -1154,6 +1154,7 @@ static int ssl_hook_Access_modern(reques
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+ apr_table_setn(r->notes, "error-notes",
+ "Reason: Cannot perform Post-Handshake Authentication.<br />");
++ SSL_set_verify(ssl, vmode_inplace, NULL);
+ return HTTP_FORBIDDEN;
+ }
+
+@@ -1175,6 +1176,7 @@ static int ssl_hook_Access_modern(reques
+ * Finally check for acceptable renegotiation results
+ */
+ if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
++ SSL_set_verify(ssl, vmode_inplace, NULL);
+ return rc;
+ }
+ }
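Review bot: Both added `SSL_set_verify(ssl, vmode_inplace, NULL);` lines in ssl_hook_Access_modern are uncommented, although restoring the verify mode on these failure paths is the entire fix that the patch name ties to CVE-2019-0215. I would put `/* PHA failed: restore the verify mode that was in place before this request changed it; a NULL callback leaves the existing verify callback untouched */` above each call. Because the restore is repeated per early return, any other exit between the point where the mode is changed and these two returns would need the same line; the function body starts and ends outside both inner hunks, so that cannot be confirmed here. This view is limited to the patch file, so whether debian/patches/series lists it should be checked on the full commit.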