Fwd: Patches for CVE-2016-8743 (apache 2.4.18)


Rashmi Srinivasan
Hi,
  We are trying to port the fix for CVE (CVE-2016-8743) to 2.4.18. Tried checking the revision on git for the list of files fixed for this CVE.
There are lots of changes related to RFC7320 and it was difficult to figure out the files changed for this CVE as we couldn't find the CVE-2016-8743 in the log either.

 We are planning to port all the files from below:

Is this correct? Please help.

Thanks


Re: Fwd: Patches for CVE-2016-8743 (apache 2.4.18)

Yann Ylavic
Hi,

On Wed, Jan 25, 2017 at 9:17 AM, Rashmi Srinivasan
<[hidden email]> wrote:

>   We are trying to port the fix for CVE (CVE-2016-8743) to 2.4.18. Tried
> checking the revision on git for the list of files fixed for this CVE.
> There are lots of changes related to RFC7320 and it was difficult to figure out
> the files changed for this CVE as we couldn't find the CVE-2016-8743 in the
> log either.

The branch [1] collects all the related changes between versions
2.4.25 (latest) and 2.4.23 (previous).

Attached is the output of:
$ svn diff -x-p \
    https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@r1767912 \
    https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict \
    >httpd-2.4.23-CVE-2016-8743.patch

It should apply cleanly to 2.4.23, though it may not to 2.4.18
(possibly more work needed...).

Hope this helps.

Regards,
Yann.

[1] https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

httpd-2.4.23-CVE-2016-8743.patch (122K) Download Attachment
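
One way to see, before porting, which hunks of an `svn diff` patch like the one attached above still match an older tree such as 2.4.18. This is an added example, not part of the thread or of httpd; the names `parse_svn_diff`, `locate` and `check_patch` are made up here. It compares each hunk's old-side lines exactly, without the fuzz that patch(1) allows, so "reject" marks a hunk that needs a closer look or manual porting.

```python
import os
import re

HUNK = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def parse_svn_diff(text):
    """Map each 'Index:' path to its hunks as (old_start, old_lines)."""
    files, path, old_left, new_left = {}, None, 0, 0
    for line in text.splitlines():
        if old_left > 0 or new_left > 0:           # inside a hunk body
            tag, body = line[:1] or " ", line[1:]  # mailers may strip a lone " "
            if tag in " -":                        # line expected in the old file
                files[path][-1][1].append(body)
                old_left -= 1
            if tag in " +":                        # line present in the new file
                new_left -= 1
        elif line.startswith("Index: "):
            path = line[len("Index: "):].strip()
            files[path] = []
        elif path is not None and (m := HUNK.match(line)):
            old_left, new_left = int(m[2] or 1), int(m[4] or 1)
            files[path].append((int(m[1]), []))
    return files

def locate(lines, start, old):
    """'clean' at the stated line, 'offset' if found elsewhere, else 'reject'."""
    n, at = len(old), max(start - 1, 0)
    if lines[at:at + n] == old:
        return "clean"
    if any(lines[i:i + n] == old for i in range(len(lines) - n + 1)):
        return "offset"
    return "reject"

def check_patch(patch_text, root):
    """Report, per file in the patch, how each hunk matches the tree at root."""
    report = {}
    for path, hunks in parse_svn_diff(patch_text).items():
        full = os.path.join(root, path)
        if not os.path.isfile(full):
            added = all(not old for _, old in hunks)  # hunks with no old side
            report[path] = ["new-file" if added else "missing"]
            continue
        with open(full, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
        report[path] = [locate(lines, start, old) for start, old in hunks]
    return report

if __name__ == "__main__":  # usage: script.py <patch file> <source tree root>
    import sys, pprint
    pprint.pprint(check_patch(open(sys.argv[1]).read(), sys.argv[2]))
```

Files reported as "missing" are ones the patch modifies but the older tree does not have, which usually means an earlier change must be ported first.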

Re: Fwd: Patches for CVE-2016-8743 (apache 2.4.18)

Rashmi Srinivasan
Thanks a lot for the patch, Yann,
I will check if this fits in.

regards,
Rashmi


Re: Fwd: Patches for CVE-2016-8743 (apache 2.4.18)

Rashmi Srinivasan
Hi Yann,
To port the fix for CVE-2016-8743 to 2.2.29, is it ok to port the changes from http://svn.apache.org/viewvc?view=revision&revision=1777405 ?
Would that suffice?
Please advise.

regards,
Rashmi



Re: Fwd: Patches for CVE-2016-8743 (apache 2.4.18)

Rashmi Srinivasan
Hi Yann,
       Any update on this will be very helpful.

regards,
Rashmi



Re: Fwd: Patches for CVE-2016-8743 (apache 2.4.18)

Yann Ylavic
Hi Rashmi,

On Thu, Jun 1, 2017 at 11:19 AM, Rashmi Srinivasan
<[hidden email]> wrote:
>          To port the fix for CVE-2016-8743 to 2.2.29, is it ok to port the
> changes from http://svn.apache.org/viewvc?view=revision&revision=1777405
>          Would that suffice?
>           Please advise.

That's indeed the patch related to CVE-2016-8743 for 2.2.32.
I didn't check if it applies cleanly to 2.2.29, though.


Regards,
Yann.


Re: Fwd: Patches for CVE-2016-8743 (apache 2.4.18)

Rashmi Srinivasan
Thanks a lot Yann for confirming.

regards,
Rashmi
