--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache2/patches/CVE-2014-0118.patch Fri Aug 15 11:18:48 2014 -0700
@@ -0,0 +1,278 @@
+Patch origin: upstream
+Patch status: will be part of next version
+
+http://svn.apache.org/viewvc?view=revision&revision=1611426
+
+--- modules/filters/mod_deflate.c 2014/07/17 18:19:00 1611425
++++ modules/filters/mod_deflate.c 2014/07/17 18:20:46 1611426
+@@ -37,6 +37,7 @@
+ #include "httpd.h"
+ #include "http_config.h"
+ #include "http_log.h"
++#include "http_core.h"
+ #include "apr_lib.h"
+ #include "apr_strings.h"
+ #include "apr_general.h"
+@@ -51,6 +52,9 @@
+ static const char deflateFilterName[] = "DEFLATE";
+ module AP_MODULE_DECLARE_DATA deflate_module;
+
++#define AP_INFLATE_RATIO_LIMIT 200
++#define AP_INFLATE_RATIO_BURST 3
++
+ typedef struct deflate_filter_config_t
+ {
+ int windowSize;
+@@ -62,6 +66,12 @@
+ char *note_output_name;
+ } deflate_filter_config;
+
++typedef struct deflate_dirconf_t {
++ apr_off_t inflate_limit;
++ int ratio_limit,
++ ratio_burst;
++} deflate_dirconf_t;
++
+ /* RFC 1952 Section 2.3 defines the gzip header:
+ *
+ * +---+---+---+---+---+---+---+---+---+---+
+@@ -193,6 +203,14 @@
+ return c;
+ }
+
++static void *create_deflate_dirconf(apr_pool_t *p, char *dummy)
++{
++ deflate_dirconf_t *dc = apr_pcalloc(p, sizeof(*dc));
++ dc->ratio_limit = AP_INFLATE_RATIO_LIMIT;
++ dc->ratio_burst = AP_INFLATE_RATIO_BURST;
++ return dc;
++}
++
+ static const char *deflate_set_window_size(cmd_parms *cmd, void *dummy,
+ const char *arg)
+ {
+@@ -284,6 +302,55 @@
+ return NULL;
+ }
+
++
++static const char *deflate_set_inflate_limit(cmd_parms *cmd, void *dirconf,
++ const char *arg)
++{
++ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
++ char *errp;
++
++ if (APR_SUCCESS != apr_strtoff(&dc->inflate_limit, arg, &errp, 10)) {
++ return "DeflateInflateLimitRequestBody is not parsable.";
++ }
++ if (*errp || dc->inflate_limit < 0) {
++ return "DeflateInflateLimitRequestBody requires a non-negative integer.";
++ }
++
++ return NULL;
++}
++
++static const char *deflate_set_inflate_ratio_limit(cmd_parms *cmd,
++ void *dirconf,
++ const char *arg)
++{
++ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
++ int i;
++
++ i = atoi(arg);
++ if (i <= 0)
++ return "DeflateInflateRatioLimit must be positive";
++
++ dc->ratio_limit = i;
++
++ return NULL;
++}
++
++static const char *deflate_set_inflate_ratio_burst(cmd_parms *cmd,
++ void *dirconf,
++ const char *arg)
++{
++ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
++ int i;
++
++ i = atoi(arg);
++ if (i <= 0)
++ return "DeflateInflateRatioBurst must be positive";
++
++ dc->ratio_burst = i;
++
++ return NULL;
++}
++
+ typedef struct deflate_ctx_t
+ {
+ z_stream stream;
+@@ -294,8 +361,26 @@
+ unsigned char *validation_buffer;
+ apr_size_t validation_buffer_length;
+ int inflate_init;
++ int ratio_hits;
++ apr_off_t inflate_total;
+ } deflate_ctx;
+
++/* Check whether the (inflate) ratio exceeds the configured limit/burst. */
++static int check_ratio(request_rec *r, deflate_ctx *ctx,
++ const deflate_dirconf_t *dc)
++{
++ if (ctx->stream.total_in) {
++ int ratio = ctx->stream.total_out / ctx->stream.total_in;
++ if (ratio < dc->ratio_limit) {
++ ctx->ratio_hits = 0;
++ }
++ else if (++ctx->ratio_hits > dc->ratio_burst) {
++ return 0;
++ }
++ }
++ return 1;
++}
++
+ /* Number of validation bytes (CRC and length) after the compressed data */
+ #define VALIDATION_SIZE 8
+ /* Do not update ctx->crc, see comment in flush_libz_buffer */
+@@ -744,6 +829,8 @@
+ int zRC;
+ apr_status_t rv;
+ deflate_filter_config *c;
++ deflate_dirconf_t *dc;
++ apr_off_t inflate_limit;
+
+ /* just get out of the way of things we don't want. */
+ if (mode != AP_MODE_READBYTES) {
+@@ -751,6 +838,7 @@
+ }
+
+ c = ap_get_module_config(r->server->module_config, &deflate_module);
++ dc = ap_get_module_config(r->per_dir_config, &deflate_module);
+
+ if (!ctx) {
+ char deflate_hdr[10];
+@@ -803,11 +891,13 @@
+ if (len != 10 ||
+ deflate_hdr[0] != deflate_magic[0] ||
+ deflate_hdr[1] != deflate_magic[1]) {
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: wrong/partial magic bytes");
+ return APR_EGENERAL;
+ }
+
+ /* We can't handle flags for now. */
+ if (deflate_hdr[3] != 0) {
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: cannot handle deflate flags");
+ return APR_EGENERAL;
+ }
+
+@@ -831,6 +921,12 @@
+ apr_brigade_cleanup(ctx->bb);
+ }
+
++ inflate_limit = dc->inflate_limit;
++ if (inflate_limit == 0) {
++ /* The core is checking the deflated body, we'll check the inflated */
++ inflate_limit = ap_get_limit_req_body(f->r);
++ }
++
+ if (APR_BRIGADE_EMPTY(ctx->proc_bb)) {
+ rv = ap_get_brigade(f->next, ctx->bb, mode, block, readbytes);
+
+@@ -863,6 +959,17 @@
+
+ ctx->stream.next_out = ctx->buffer;
+ len = c->bufferSize - ctx->stream.avail_out;
++
++ ctx->inflate_total += len;
++ if (inflate_limit && ctx->inflate_total > inflate_limit) {
++ inflateEnd(&ctx->stream);
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
++ "Inflated content length of %" APR_OFF_T_FMT
++ " is larger than the configured limit"
++ " of %" APR_OFF_T_FMT,
++ ctx->inflate_total, inflate_limit);
++ return APR_ENOSPC;
++ }
+
+ ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len);
+ tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len,
+@@ -891,6 +998,26 @@
+ ctx->stream.next_out = ctx->buffer;
+ len = c->bufferSize - ctx->stream.avail_out;
+
++ ctx->inflate_total += len;
++ if (inflate_limit && ctx->inflate_total > inflate_limit) {
++ inflateEnd(&ctx->stream);
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
++ "Inflated content length of %" APR_OFF_T_FMT
++ " is larger than the configured limit"
++ " of %" APR_OFF_T_FMT,
++ ctx->inflate_total, inflate_limit);
++ return APR_ENOSPC;
++ }
++
++ if (!check_ratio(r, ctx, dc)) {
++ inflateEnd(&ctx->stream);
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
++ "Inflated content ratio is larger than the "
++ "configured limit %i by %i time(s)",
++ dc->ratio_limit, dc->ratio_burst);
++ return APR_EINVAL;
++ }
++
+ ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len);
+ tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len,
+ NULL, f->c->bucket_alloc);
+@@ -1003,6 +1130,7 @@
+ int zRC;
+ apr_status_t rv;
+ deflate_filter_config *c;
++ deflate_dirconf_t *dc;
+
+ /* Do nothing if asked to filter nothing. */
+ if (APR_BRIGADE_EMPTY(bb)) {
+@@ -1010,6 +1138,7 @@
+ }
+
+ c = ap_get_module_config(r->server->module_config, &deflate_module);
++ dc = ap_get_module_config(r->per_dir_config, &deflate_module);
+
+ if (!ctx) {
+
+@@ -1272,6 +1401,14 @@
+ while (ctx->stream.avail_in != 0) {
+ if (ctx->stream.avail_out == 0) {
+
++ if (!check_ratio(r, ctx, dc)) {
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
++ "Inflated content ratio is larger than the "
++ "configured limit %i by %i time(s)",
++ dc->ratio_limit, dc->ratio_burst);
++ return APR_EINVAL;
++ }
++
+ ctx->stream.next_out = ctx->buffer;
+ len = c->bufferSize - ctx->stream.avail_out;
+
+@@ -1346,12 +1483,20 @@
+ "Set the Deflate Memory Level (1-9)"),
+ AP_INIT_TAKE1("DeflateCompressionLevel", deflate_set_compressionlevel, NULL, RSRC_CONF,
+ "Set the Deflate Compression Level (1-9)"),
++ AP_INIT_TAKE1("DeflateInflateLimitRequestBody", deflate_set_inflate_limit, NULL, OR_ALL,
++ "Set a limit on size of inflated input"),
++ AP_INIT_TAKE1("DeflateInflateRatioLimit", deflate_set_inflate_ratio_limit, NULL, OR_ALL,
++ "Set the inflate ratio limit above which inflation is "
++ "aborted (default: " APR_STRINGIFY(AP_INFLATE_RATIO_LIMIT) ")"),
++ AP_INIT_TAKE1("DeflateInflateRatioBurst", deflate_set_inflate_ratio_burst, NULL, OR_ALL,
++ "Set the maximum number of following inflate ratios above limit "
++ "(default: " APR_STRINGIFY(AP_INFLATE_RATIO_BURST) ")"),
+ {NULL}
+ };
+
+ module AP_MODULE_DECLARE_DATA deflate_module = {
+ STANDARD20_MODULE_STUFF,
+- NULL, /* dir config creater */
++ create_deflate_dirconf, /* dir config creater */
+ NULL, /* dir merger --- default is to override */
+ create_deflate_server_config, /* server config */
+ NULL, /* merge server config */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache2/patches/CVE-2014-0226.patch Fri Aug 15 11:18:48 2014 -0700
@@ -0,0 +1,95 @@
+Patch origin: upstream
+Patch status: will be part of next version
+
+http://svn.apache.org/viewvc?view=revision&revision=1610515
+
+--- include/ap_mmn.h 2014/07/14 20:23:27 1610514
++++ include/ap_mmn.h 2014/07/14 20:34:32 1610515
+@@ -151,6 +151,7 @@
+ * 20051115.31 (2.2.23) Add forcerecovery to proxy_balancer_shared struct
+ * 20051115.32 (2.2.24) Add ap_get_exec_line
+ * 20051115.33 (2.2.24) Add ap_pregsub_ex()
++ * 20051115.34 (2.2.28) Add ap_copy_scoreboard_worker()
+ */
+
+ #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */
+@@ -158,7 +159,7 @@
+ #ifndef MODULE_MAGIC_NUMBER_MAJOR
+ #define MODULE_MAGIC_NUMBER_MAJOR 20051115
+ #endif
+-#define MODULE_MAGIC_NUMBER_MINOR 33 /* 0...n */
++#define MODULE_MAGIC_NUMBER_MINOR 34 /* 0...n */
+
+ /**
+ * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
+--- include/scoreboard.h 2014/07/14 20:23:27 1610514
++++ include/scoreboard.h 2014/07/14 20:34:32 1610515
+@@ -189,7 +189,24 @@
+ int status, request_rec *r);
+ void ap_time_process_request(ap_sb_handle_t *sbh, int status);
+
++/** Return a pointer to the worker_score for a given child, thread pair.
++ * @param child_num The child number.
++ * @param thread_num The thread number.
++ * @return A pointer to the worker_score structure.
++ * @deprecated This function is deprecated, use ap_copy_scoreboard_worker instead.
++ */
+ AP_DECLARE(worker_score *) ap_get_scoreboard_worker(int x, int y);
++
++/** Copy the contents of a worker's scoreboard entry. The contents of
++ * the worker_score structure are copied verbatim into the dest
++ * structure.
++ * @param dest Output parameter.
++ * @param child_num The child number.
++ * @param thread_num The thread number.
++ */
++AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest,
++ int child_num, int thread_num);
++
+ AP_DECLARE(process_score *) ap_get_scoreboard_process(int x);
+ AP_DECLARE(global_score *) ap_get_scoreboard_global(void);
+ AP_DECLARE(lb_score *) ap_get_scoreboard_lb(int lb_num);
+--- modules/generators/mod_status.c 2014/07/14 20:23:27 1610514
++++ modules/generators/mod_status.c 2014/07/14 20:34:32 1610515
+@@ -241,7 +241,7 @@
+ #endif
+ int short_report;
+ int no_table_report;
+- worker_score *ws_record;
++ worker_score *ws_record = apr_palloc(r->pool, sizeof *ws_record);
+ process_score *ps_record;
+ char *stat_buffer;
+ pid_t *pid_buffer, worker_pid;
+@@ -333,7 +333,7 @@
+ for (j = 0; j < thread_limit; ++j) {
+ int indx = (i * thread_limit) + j;
+
+- ws_record = ap_get_scoreboard_worker(i, j);
++ ap_copy_scoreboard_worker(ws_record, i, j);
+ res = ws_record->status;
+ stat_buffer[indx] = status_flags[res];
+
+--- server/scoreboard.c 2014/07/14 20:23:27 1610514
++++ server/scoreboard.c 2014/07/14 20:34:32 1610515
+@@ -510,6 +510,21 @@
+ return &ap_scoreboard_image->servers[x][y];
+ }
+
++AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest,
++ int child_num,
++ int thread_num)
++{
++ worker_score *ws = ap_get_scoreboard_worker(child_num, thread_num);
++
++ memcpy(dest, ws, sizeof *ws);
++
++ /* For extra safety, NUL-terminate the strings returned, though it
++ * should be true those last bytes are always zero anyway. */
++ dest->client[sizeof(dest->client) - 1] = '\0';
++ dest->request[sizeof(dest->request) - 1] = '\0';
++ dest->vhost[sizeof(dest->vhost) - 1] = '\0';
++}
++
+ AP_DECLARE(process_score *) ap_get_scoreboard_process(int x)
+ {
+ if ((x < 0) || (server_limit < x)) {
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache2/patches/CVE-2014-0231.patch Fri Aug 15 11:18:48 2014 -0700
@@ -0,0 +1,148 @@
+Patch origin: upstream
+Patch status: will be part of next version
+
+http://svn.apache.org/viewvc?view=revision&revision=1611185
+
+--- modules/generators/mod_cgid.c 2014/07/16 20:53:11 1611184
++++ modules/generators/mod_cgid.c 2014/07/16 20:56:51 1611185
+@@ -93,6 +93,10 @@
+ static pid_t parent_pid;
+ static ap_unix_identity_t empty_ugid = { (uid_t)-1, (gid_t)-1, -1 };
+
++typedef struct {
++ apr_interval_time_t timeout;
++} cgid_dirconf;
++
+ /* The APR other-child API doesn't tell us how the daemon exited
+ * (SIGSEGV vs. exit(1)). The other-child maintenance function
+ * needs to decide whether to restart the daemon after a failure
+@@ -934,7 +938,14 @@
+ return overrides->logname ? overrides : base;
+ }
+
++static void *create_cgid_dirconf(apr_pool_t *p, char *dummy)
++{
++ cgid_dirconf *c = (cgid_dirconf *) apr_pcalloc(p, sizeof(cgid_dirconf));
++ return c;
++}
++
+ static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg)
++
+ {
+ server_rec *s = cmd->server;
+ cgid_server_conf *conf = ap_get_module_config(s->module_config,
+@@ -987,7 +998,16 @@
+
+ return NULL;
+ }
++static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg)
++{
++ cgid_dirconf *dc = dummy;
+
++ if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) {
++ return "CGIDScriptTimeout has wrong format";
++ }
++
++ return NULL;
++}
+ static const command_rec cgid_cmds[] =
+ {
+ AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF,
+@@ -999,6 +1019,10 @@
+ AP_INIT_TAKE1("ScriptSock", set_script_socket, NULL, RSRC_CONF,
+ "the name of the socket to use for communication with "
+ "the cgi daemon."),
++ AP_INIT_TAKE1("CGIDScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF,
++ "The amount of time to wait between successful reads from "
++ "the CGI script, in seconds."),
++
+ {NULL}
+ };
+
+@@ -1335,11 +1359,15 @@
+ apr_file_t *tempsock;
+ struct cleanup_script_info *info;
+ apr_status_t rv;
++ cgid_dirconf *dc;
+
+ if (strcmp(r->handler,CGI_MAGIC_TYPE) && strcmp(r->handler,"cgi-script"))
+ return DECLINED;
+
+ conf = ap_get_module_config(r->server->module_config, &cgid_module);
++ dc = ap_get_module_config(r->per_dir_config, &cgid_module);
++
++
+ is_included = !strcmp(r->protocol, "INCLUDED");
+
+ if ((argv0 = strrchr(r->filename, '/')) != NULL)
+@@ -1412,6 +1440,12 @@
+ */
+
+ apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
++ if (dc->timeout > 0) {
++ apr_file_pipe_timeout_set(tempsock, dc->timeout);
++ }
++ else {
++ apr_file_pipe_timeout_set(tempsock, r->server->timeout);
++ }
+ apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket);
+
+ if ((argv0 = strrchr(r->filename, '/')) != NULL)
+@@ -1487,6 +1521,10 @@
+ if (rv != APR_SUCCESS) {
+ /* silly script stopped reading, soak up remaining message */
+ child_stopped_reading = 1;
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
++ "Error writing request body to script %s",
++ r->filename);
++
+ }
+ }
+ apr_brigade_cleanup(bb);
+@@ -1577,7 +1615,13 @@
+ return HTTP_MOVED_TEMPORARILY;
+ }
+
+- ap_pass_brigade(r->output_filters, bb);
++ rv = ap_pass_brigade(r->output_filters, bb);
++ if (rv != APR_SUCCESS) {
++ /* APLOG_ERR because the core output filter message is at error,
++ * but doesn't know it's passing CGI output
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "Failed to flush CGI output to client");
++ }
+ }
+
+ if (nph) {
+@@ -1707,6 +1751,8 @@
+ request_rec *r = f->r;
+ cgid_server_conf *conf = ap_get_module_config(r->server->module_config,
+ &cgid_module);
++ cgid_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgid_module);
++
+ struct cleanup_script_info *info;
+
+ add_ssi_vars(r);
+@@ -1736,6 +1782,13 @@
+ * get rid of the cleanup we registered when we created the socket.
+ */
+ apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
++ if (dc->timeout > 0) {
++ apr_file_pipe_timeout_set(tempsock, dc->timeout);
++ }
++ else {
++ apr_file_pipe_timeout_set(tempsock, r->server->timeout);
++ }
++
+ apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket);
+
+ APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock,
+@@ -1841,7 +1894,7 @@
+
+ module AP_MODULE_DECLARE_DATA cgid_module = {
+ STANDARD20_MODULE_STUFF,
+- NULL, /* dir config creater */
++ create_cgid_dirconf, /* dir config creater */
+ NULL, /* dir merger --- default is to override */
+ create_cgid_config, /* server config */
+ merge_cgid_config, /* merge server config */