From bc53791ae4e0ff5beef5c3d06fff7eb886738940 Mon Sep 17 00:00:00 2001
From: jorton
Date: Mon, 6 Feb 2006 14:58:12 +0000
Subject: [PATCH] - mod_auth_basic/mod_authn_file: if no provider is configured, and AuthUserFile is not configured, decline to handle authn silently rather than failing noisily.
---
 httpd-2.2.0-authnoprov.patch | 30 ++++++++++++++++++++++++++++++
 httpd.spec | 9 ++++++++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 httpd-2.2.0-authnoprov.patch
diff --git a/httpd-2.2.0-authnoprov.patch b/httpd-2.2.0-authnoprov.patch
new file mode 100644
index 0000000..c9cfe8b
--- /dev/null
+++ b/httpd-2.2.0-authnoprov.patch
@@ -0,0 +1,30 @@
+--- httpd-2.2.0/modules/aaa/mod_authn_file.c.authnoprov
++++ httpd-2.2.0/modules/aaa/mod_authn_file.c
+@@ -70,6 +70,10 @@
+ apr_status_t status;
+ char *file_password = NULL;
+
++ if (!conf->pwfile) {
++ return AUTH_GENERAL_ERROR;
++ }
++
+ status = ap_pcfg_openfile(&f, r->pool, conf->pwfile);
+
+ if (status != APR_SUCCESS) {
+--- httpd-2.2.0/modules/aaa/mod_auth_basic.c.authnoprov
++++ httpd-2.2.0/modules/aaa/mod_auth_basic.c
+@@ -252,6 +252,14 @@
+ return DECLINED;
+ }
+
++ /* If no providers were configured, and the default file
++ * provider gave a general error (which will happen only if
++ * has not been configured), presume that a non-provider-based
++ * authn module is configured, and get out of the way. */
++ if (!conf->providers && auth_result == AUTH_GENERAL_ERROR) {
++ return DECLINED;
++ }
++
+ switch (auth_result) {
+ case AUTH_DENIED:
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
diff --git a/httpd.spec b/httpd.spec
index c1622cb..8cd7a71 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -7,7 +7,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.2.0
-Release: 5
+Release: 5.1
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
 Source1: index.html
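Review bot: The early return added to mod_auth_basic.c inside httpd-2.2.0-authnoprov.patch keys on `AUTH_GENERAL_ERROR` alone, so it declines on any general error from the default file provider, not only in the unset-AuthUserFile case its comment describes. In mod_authn_file.c the `if (status != APR_SUCCESS)` branch right after the new `!conf->pwfile` check has its body outside the hunk; if that branch also returns `AUTH_GENERAL_ERROR`, a missing or unreadable password file would be declined silently as well, and whether the request is then rejected depends on how the core handles a request that every authn hook declined, so it is worth confirming this still fails closed. I would reword the comment to name the directive (it currently reads "only if has not been configured") and to say the condition can be broader, and leave a trace before declining, e.g. `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "no authn provider or AuthUserFile configured, declining");`. Both enclosing functions start and end outside the hunks shown.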
@@ -43,6 +43,7 @@ Patch50: httpd-2.0.45-encode.patch Patch51: httpd-2.2.0-headclength.patch Patch52: httpd-2.2.0-ajpcookie.patch Patch53: httpd-2.2.0-cppheader.patch +Patch54: httpd-2.2.0-authnoprov.patch # Security fixes Patch200: httpd-2.2.0-CVE-2005-3352.patch Patch201: httpd-2.2.0-CVE-2005-3357.patch @@ -126,6 +127,7 @@ Security (TLS) protocols. %patch51 -p1 -b .headclength %patch52 -p1 -b .ajpcookie %patch53 -p1 -b .cppheader +%patch54 -p1 -b .authnoprov %patch200 -p1 -b .cve3352 %patch201 -p1 -b .cve3352 @@ -489,6 +491,11 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/httpd/build/*.sh %changelog +* Mon Feb 6 2006 Joe Orton 2.2.0-5.1 +- mod_auth_basic/mod_authn_file: if no provider is configured, + and AuthUserFile is not configured, decline to handle authn + silently rather than failing noisily. + * Fri Feb 3 2006 Joe Orton 2.2.0-5 - mod_ssl: add security fix for CVE-2005-3357 (#177914) - mod_imagemap: add security fix for CVE-2005-3352 (#177913)