diff options
| -rw-r--r-- | debian/apache2-utils.ufw.profile | 14 | ||||
| -rw-r--r-- | debian/apache2.dirs | 1 | ||||
| -rw-r--r-- | debian/apache2.install | 1 | ||||
| -rw-r--r-- | debian/apache2.postrm | 1 | ||||
| -rw-r--r-- | debian/changelog | 25 | ||||
| -rw-r--r-- | debian/control | 5 | ||||
| -rw-r--r-- | debian/index.html | 4 | ||||
| -rw-r--r-- | debian/patches/fhs_compliance.patch | 4 | ||||
| -rw-r--r-- | debian/tests/CVE-2023-25690 | 110 | ||||
| -rw-r--r-- | debian/tests/control | 8 | ||||
| -rw-r--r-- | debian/tests/uwsgi | 145 |
11 files changed, 312 insertions, 6 deletions
diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile new file mode 100644 index 0000000..974a655 --- /dev/null +++ b/debian/apache2-utils.ufw.profile @@ -0,0 +1,14 @@ +[Apache] +title=Web Server +description=Apache v2 is the next generation of the omnipresent Apache web server. +ports=80/tcp + +[Apache Secure] +title=Web Server (HTTPS) +description=Apache v2 is the next generation of the omnipresent Apache web server. +ports=443/tcp + +[Apache Full] +title=Web Server (HTTP,HTTPS) +description=Apache v2 is the next generation of the omnipresent Apache web server. +ports=80,443/tcp diff --git a/debian/apache2.dirs b/debian/apache2.dirs index 6089013..1aa6d3c 100644 --- a/debian/apache2.dirs +++ b/debian/apache2.dirs @@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk var/lib/apache2 var/log/apache2 var/www/html +/etc/ufw/applications.d/apache2 diff --git a/debian/apache2.install b/debian/apache2.install index b6ad789..92865fc 100644 --- a/debian/apache2.install +++ b/debian/apache2.install @@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2 debian/config-dir/envvars /etc/apache2 debian/config-dir/magic /etc/apache2 debian/debhelper/apache2-maintscript-helper /usr/share/apache2/ +debian/apache2-utils.ufw.profile /etc/ufw/applications.d/ diff --git a/debian/apache2.postrm b/debian/apache2.postrm index a68583c..21d748e 100644 --- a/debian/apache2.postrm +++ b/debian/apache2.postrm @@ -33,6 +33,7 @@ is_default_index_html () { 776221a94e5a174dc2396c0f3f6b6a74 c481228d439cbb54bdcedbaec5bbb11a e2620d4a5a0f8d80dd4b16de59af981f + 58d03fa9125ca62b1019ce77c8accaa6 EOF } diff --git a/debian/changelog b/debian/changelog index cd9a501..5960e4a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,28 @@ +apache2 (2.4.60-1) unstable; urgency=medium + + [ Bastien Roucariès ] + * Forward port CVE-2023-25690 uwsgi tests + * Fix depends of uwsgi test + * Use python3 uwsgi plugin + * Encode bytes for uwsgi test + + [ Bryce Harrington ] + * Add UFW profile integration (Closes: #1071705) + + [Chris Murray] + * Use https instead of http in doc (LP: #2045055) + + [ Yadd ] + * Bump liblua from liblua5.3-dev to liblua5.4-dev (Closes: #1071701) + * Update test framework + * releasing package apache2 version 2.4.59-1~deb12u1 + * New upstream version (CLoses: CVE-2024-36387, CVE-2024-38472, + CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, + CVE-2024-38477, CVE-2024-39573) + * Unfuzz patches + + -- Yadd <yadd@debian.org> Mon, 01 Jul 2024 18:04:08 +0400 + apache2 (2.4.59-2~progress7.99u1) graograman-backports; urgency=medium * Uploading to graograman-backports, remaining changes: diff --git a/debian/control b/debian/control index e577fb2..52cc370 100644 --- a/debian/control +++ b/debian/control @@ -17,7 +17,7 @@ Build-Depends: debhelper-compat (= 13), libapr1-dev, libaprutil1-dev, libbrotli-dev, - liblua5.3-dev, + liblua5.4-dev, libnghttp2-dev, libpcre2-dev, libssl-dev, @@ -48,7 +48,8 @@ Depends: apache2-bin (= ${binary:Version}), ssl-cert | dehydrated Suggests: apache2-doc, apache2-suexec-pristine | apache2-suexec-custom, - www-browser + www-browser, + ufw Pre-Depends: ${misc:Pre-Depends} Provides: httpd, httpd-cgi diff --git a/debian/index.html b/debian/index.html index 766401d..d1415e2 100644 --- a/debian/index.html +++ b/debian/index.html @@ -326,7 +326,7 @@ <p> By default, Debian does not allow access through the web browser to <em>any</em> file apart of those located in <tt>/var/www</tt>, - <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a> + <a href="https://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a> directories (when enabled) and <tt>/usr/share</tt> (for web applications). If your site is using a web document root located elsewhere (such as in <tt>/srv</tt>) you may need to whitelist your @@ -347,7 +347,7 @@ <p> Please use the <tt>reportbug</tt> tool to report bugs in the Apache2 package with Debian. However, check <a - href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0" + href="https://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0" rel="nofollow">existing bug reports</a> before reporting a new bug. </p> <p> diff --git a/debian/patches/fhs_compliance.patch b/debian/patches/fhs_compliance.patch index 986d8bc..50755a8 100644 --- a/debian/patches/fhs_compliance.patch +++ b/debian/patches/fhs_compliance.patch @@ -6,7 +6,7 @@ Last-Update: 2023-10-19 --- a/configure +++ b/configure -@@ -42812,13 +42812,13 @@ +@@ -42844,13 +42844,13 @@ ap_prefix="${ap_cur}" @@ -25,7 +25,7 @@ Last-Update: 2023-10-19 perlbin=`$ac_aux_dir/PrintPath perl` --- a/configure.in +++ b/configure.in -@@ -928,11 +928,11 @@ +@@ -934,11 +934,11 @@ echo $MODLIST | $AWK -f $srcdir/build/build-modules-c.awk > modules.c APR_EXPAND_VAR(ap_prefix, $prefix) diff --git a/debian/tests/CVE-2023-25690 b/debian/tests/CVE-2023-25690 new file mode 100644 index 0000000..2aa916f --- /dev/null +++ b/debian/tests/CVE-2023-25690 @@ -0,0 +1,110 @@ +#!/bin/bash + +# test CVE-2023-25690 +set -eux + +RC=0 +fail () { + echo "FAIL: $@" >&2 + RC=1 +} + + +function exit_handler() +{ + # fix cp: cannot access '/tmp/autopkgtest-lxc.x06nhp9r/downtmp/CVE-2023-25690-artifacts/apache2': Permission denied + chmod -R a+rwX "$AUTOPKGTEST_ARTIFACTS/apache2" || true + systemctl status apache2.service || true + systemctl stop apache2 || true + cat $AUTOPKGTEST_ARTIFACTS/apache2/error.log || true + cat $AUTOPKGTEST_ARTIFACTS/apache2/access.log || true + cat $AUTOPKGTEST_ARTIFACTS/apache2/error.8080.log || true + cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log || true +} +trap exit_handler EXIT + + +a2enmod proxy +a2enmod proxy_http +a2enmod rewrite + +rsync -a /var/log/apache2 "$AUTOPKGTEST_ARTIFACTS" +rm /var/log/apache2/* +mount -o bind "$AUTOPKGTEST_ARTIFACTS/apache2" /var/log/apache2 + +tee /etc/apache2/ports.conf <<'EOF' +Listen 80 +Listen 8080 +EOF + + +tee /etc/apache2/sites-available/000-default.conf <<'EOF' +<VirtualHost *:8080> + # The ServerName directive sets the request scheme, hostname and port that + # the server uses to identify itself. This is used when creating + # redirection URLs. In the context of virtual hosts, the ServerName + # specifies what hostname must appear in the request's Host: header to + # match this virtual host. For the default virtual host (this file) this + # value is not decisive as it is used as a last resort host regardless. + # However, you must set it for any further virtual host explicitly. + #ServerName www.example.com + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog ${APACHE_LOG_DIR}/error.8080.log + CustomLog ${APACHE_LOG_DIR}/access.8080.log combined + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf +</VirtualHost> +<VirtualHost *:80> + # The ServerName directive sets the request scheme, hostname and port that + # the server uses to identify itself. This is used when creating + # redirection URLs. In the context of virtual hosts, the ServerName + # specifies what hostname must appear in the request's Host: header to + # match this virtual host. For the default virtual host (this file) this + # value is not decisive as it is used as a last resort host regardless. + # However, you must set it for any further virtual host explicitly. + #ServerName www.example.com + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + LogLevel alert rewrite:trace6 + LogLevel error proxy:trace6 + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + RewriteEngine on + RewriteRule "^/here/(.*)" "http://localhost:8080/index.html?$1" [P] + ProxyPassReverse "/here/" "http://localhost:8080/" +</VirtualHost> +EOF + +systemctl restart apache2 + +CHOKEURL="http://localhost/here/index.html%20HTTP/1.1%0d%0aHost:%20localhost%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/BAD.html%20HTTP/1.1%0d%0aFoo:%20bar HTTP/1.1" +wget -S -q --output-document - "$CHOKEURL" || true +(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true) +(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true) | grep -e '^[[:space:]]*HTTP/1.1 4[[:digit:]][[:digit:]] ' + +cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log | grep '] "GET /BAD.html HTTP/1.1"' && exit 1 + +exit 0 + diff --git a/debian/tests/control b/debian/tests/control index 2453137..1298110 100644 --- a/debian/tests/control +++ b/debian/tests/control @@ -27,3 +27,11 @@ Tests: chroot Features: no-build-needed Restrictions: needs-root allow-stderr breaks-testbed Depends: apache2, wget, dpkg-dev, gcc + +Tests: uwsgi +Restrictions: allow-stderr, needs-root +Depends: apache2, uwsgi, wget, uwsgi-plugin-python3, rsync, netcat-openbsd | netcat-traditional + +Tests: CVE-2023-25690 +Restrictions: allow-stderr, needs-root, isolation-container +Depends: apache2, rsync, curl, wget diff --git a/debian/tests/uwsgi b/debian/tests/uwsgi new file mode 100644 index 0000000..3350144 --- /dev/null +++ b/debian/tests/uwsgi @@ -0,0 +1,145 @@ +#!/bin/bash +set -eux + +RC=0 +fail () { + echo "FAIL: $@" >&2 + RC=1 +} + + +function exit_handler() +{ + systemctl stop apache2 || true + if test -f /run/uwsgi/uwsgi.pid; then + kill -TERM $(cat /run/uwsgi/uwsgi.pid) + fi + cat $AUTOPKGTEST_ARTIFACTS/apache2/error.log || true + cat $AUTOPKGTEST_ARTIFACTS/apache2/access.log || true + cat $AUTOPKGTEST_ARTIFACTS/apache2/uwsgi.log || true + cat $AUTOPKGTEST_ARTIFACTS/apache2/uwsgi.error.log || true +} +trap exit_handler EXIT + + +a2enmod proxy +a2enmod proxy_uwsgi + +rsync -a /var/log/apache2 "$AUTOPKGTEST_ARTIFACTS" +rm /var/log/apache2/* +mount -o bind "$AUTOPKGTEST_ARTIFACTS/apache2" /var/log/apache2 + +tee /etc/apache2/sites-available/000-default.conf <<'EOF' +<VirtualHost *:80> + # The ServerName directive sets the request scheme, hostname and port that + # the server uses to identify itself. This is used when creating + # redirection URLs. In the context of virtual hosts, the ServerName + # specifies what hostname must appear in the request's Host: header to + # match this virtual host. For the default virtual host (this file) this + # value is not decisive as it is used as a last resort host regardless. + # However, you must set it for any further virtual host explicitly. + #ServerName www.example.com + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf + ProxyPass "/uwsgi" "unix:/run/uwsgi/test.socket|uwsgi://localhost" +</VirtualHost> +EOF + +systemctl restart apache2 + +test -d /etc/uwsgi/ || mkdir /etc/uwsgi + + + +tee /etc/systemd/system/uwsgi-app@.socket <<EOF +[Unit] +Description=Socket for uWSGI app %i + +[Socket] +ListenStream=/run/uwsgi/%i.socket +SocketUser=www-%i +SocketGroup=www-data +SocketMode=0660 + +[Install] +WantedBy=sockets.target +EOF + +tee /etc/systemd/system/uwsgi-app@.service <<EOF +[Unit] +Description=%i uWSGI app +After=syslog.target + +[Service] +ExecStart=/usr/bin/uwsgi \ + --ini /etc/uwsgi/apps-available/%i.ini \ + --socket /run/uwsgi/%i.socket +User=www-%i +Group=www-data +Restart=on-failure +KillSignal=SIGQUIT +Type=notify +StandardError=file:/var/log/apache2/uwsgi.error.log +StandardOutput=file:/var/log/apache2/uwsgi.log +NotifyAccess=all + +[Install] +WantedBy=multi-user.target +EOF + +systemctl daemon-reload + +useradd uwsgi_test +useradd www-test + +tee /etc/uwsgi/apps-available/test.ini <<EOF +[uwsgi] +chdir=/tmp +master=True +cheap=True +die-on-idle=True +manage-script-name=True +plugin=python3 +wsgi-file=/tmp/uwsgi.py +EOF + + +tee /tmp/uwsgi.py <<'EOF' +import wsgiref.headers as h +def application(env, start_response): + buggy_header=('buggy','buggy#\r\nbuggy2:buggy2') + start_response('200 OK', [('Content-Type','text/html'),buggy_header]) + ret = "Hello World Headers {}".format(env).encode() + return [ret] +EOF +chown 'www-test:www-test' /tmp/uwsgi.py +chmod +x /tmp/uwsgi.py + +systemctl enable uwsgi-app@test.socket +systemctl enable uwsgi-app@test.service +systemctl start uwsgi-app@test.socket +systemctl restart apache2 + + +wget -S -q --output-document - http://localhost/uwsgi +wget -q --output-document - http://localhost/uwsgi | grep "^Hello World" + +exit $RC +- |