Solved

Redhat EL 5 Patching

Posted on 2011-09-02
694 Views
Last Modified: 2012-05-12
I need to patch Apache 2.2.3 on Redhat EL 5 without having a subscription to RHN. The patch I require is attached, and I have tried running it in several ways...

patch -s < <patch.name>
patch -p1 <patch.name>
patch -p0 <patch.name>

Most times it is run, I get a prompt for "File to patch:"

I do not know what it is asking of me.
Index: CHANGES
===================================================================
--- CHANGES	(revision 548701)
+++ CHANGES	(working copy)
@@ -1,6 +1,10 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.5
 
+  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
+     mod_cache: Prevent segmentation fault if a Cache-Control header has
+     no value [Niklas Edmundsson]
+
   *) mod_cache: Let Cache-Control max-age set the expiration of the cached
      representation if Expires is not set.  [Justin Erenkrantz]
 
Index: modules/cache/cache_util.c
===================================================================
--- modules/cache/cache_util.c	(revision 548701)
+++ modules/cache/cache_util.c	(working copy)
@@ -243,7 +243,8 @@
     age = ap_cache_current_age(info, age_c, r->request_time);
 
     /* extract s-maxage */
-    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
+    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
+        && val != NULL) {
         smaxage = apr_atoi64(val);
     }
     else {
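Review bot: the new `&& val != NULL` guard in this hunk only has a defined meaning if ap_cache_liststr() assigns *val on every successful return: `val` is a single variable reused for each directive extracted in the hunks below, so for a directive given without `=value` the guard would otherwise test a pointer left over from the previous lookup. The final cache_util.c hunk adds that `*val = NULL` store, so the two changes must ship together; with it, a bare `s-maxage` falls through to the else branch and is handled as if the directive were absent instead of reaching apr_atoi64(NULL).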
@@ -252,7 +253,8 @@
 
     /* extract max-age from request */
     if (!conf->ignorecachecontrol
-        && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
+        && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
+        && val != NULL) {
         maxage_req = apr_atoi64(val);
     }
     else {
@@ -260,7 +262,8 @@
     }
 
     /* extract max-age from response */
-    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
+    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
+        && val != NULL) {
         maxage_cresp = apr_atoi64(val);
     }
     else {
@@ -282,7 +285,20 @@
 
     /* extract max-stale */
     if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
-        maxstale = apr_atoi64(val);
+        if(val != NULL) {
+            maxstale = apr_atoi64(val);
+        }
+        else {
+            /*
+             * If no value is assigned to max-stale, then the client is willing
+             * to accept a stale response of any age (RFC2616 14.9.3). We will
+             * set it to one year in this case as this situation is somewhat
+             * similar to a "never expires" Expires header (RFC2616 14.21)
+             * which is set to a date one year from the time the response is
+             * sent in this case.
+             */
+            maxstale = APR_INT64_C(86400*365);
+        }
     }
     else {
         maxstale = 0;
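Review bot: `if(val != NULL)` is missing the space after `if` that every other condition in this file uses; make it `if (val != NULL)`. Note also that this hunk deliberately differs from the other directives: a bare `max-stale` is not dropped but mapped to `APR_INT64_C(86400*365)`, i.e. one year, citing RFC 2616 14.9.3, so a value-less directive here maximally relaxes freshness checking. That asymmetry is worth a sentence in the CHANGES entry next to the segfault note.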
@@ -290,7 +306,8 @@
 
     /* extract min-fresh */
     if (!conf->ignorecachecontrol
-        && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
+        && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
+        && val != NULL) {
         minfresh = apr_atoi64(val);
     }
     else {
@@ -419,6 +436,9 @@
                                                   next - val_start);
                         }
                     }
+                    else {
+                        *val = NULL;
+                    }
                 }
                 return 1;
             }
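Review bot: this is the change the `val != NULL` checks in the earlier hunks rely on: when a directive is present without `=value`, *val is now explicitly set to NULL rather than left untouched. Any other caller of ap_cache_liststr() that passes a non-NULL `val` and is not covered by the hunks above now has to cope with a NULL *val, so the remaining callers should be audited in the same change.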

Question by:the-miz
9 Comments
 
LVL 68

Accepted Solution

by: woolmilkporc (earned 2000 total points)
ID: 36472836
Take care to cd into the directory just above "modules/cache/..." and run patch using the "-p 0" flag.

wmp
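The -p question in this thread, as an added example that is not from the original post or from Apache: a small POSIX sh helper that reads the "+++" headers of a unified diff and reports the smallest -pN at which every target file exists under a given directory; when no level works, patch cannot locate the file and falls back to asking "File to patch:", which is what the asker was seeing. The fixture directory and patch headers it builds are constructed for illustration.

```shell
# Added example (not from the thread): find the -p level at which every
# "+++" path in a unified diff resolves under a directory. When no level
# works, patch cannot locate the file and prompts "File to patch:".

# List the target paths named on the patch's "+++" lines.
patch_targets() {
    sed -n 's/^+++ \([^[:space:]]*\).*/\1/p' "$1"
}

# Drop N leading directory components from PATH, as "patch -pN" does.
strip_components() {  # usage: strip_components PATH N
    _p=$1; _n=$2
    while [ "$_n" -gt 0 ] && [ "${_p#*/}" != "$_p" ]; do
        _p=${_p#*/}; _n=$((_n - 1))
    done
    printf '%s\n' "$_p"
}

# Print the smallest -p level (0 up to basename-only) at which every target
# exists under ROOT (default: current directory); print "none" and return 1
# when no level works.
find_strip_level() {  # usage: find_strip_level PATCHFILE [ROOT]
    patchfile=$1; root=${2:-.}
    max=$(patch_targets "$patchfile" | awk -F/ '{ if (NF > m) m = NF } END { print m + 0 }')
    n=0
    while [ "$n" -lt "$max" ]; do
        ok=1
        for t in $(patch_targets "$patchfile"); do
            [ -f "$root/$(strip_components "$t" "$n")" ] || { ok=0; break; }
        done
        if [ "$ok" -eq 1 ]; then echo "$n"; return 0; fi
        n=$((n + 1))
    done
    echo none; return 1
}

# Constructed fixture mirroring the thread: CHANGES at the source root,
# cache_util.c under modules/cache, and a patch with those two "+++" headers.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/src/modules/cache"
    : > "$d/src/CHANGES"
    : > "$d/src/modules/cache/cache_util.c"
    printf '%s\t%s\n' '--- CHANGES' '(revision 548701)' '+++ CHANGES' '(working copy)' \
        '--- modules/cache/cache_util.c' '(revision 548701)' \
        '+++ modules/cache/cache_util.c' '(working copy)' > "$d/fix.patch"
    echo "$d"
}
# From the source root this prints 0; from modules/cache it prints "none",
# because CHANGES is not there at any level. Dry-run before applying:
#   cd /path/to/httpd-source && patch --dry-run -p0 < cve-2007-1863-2.2.patch
```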
 

Author Comment

by:the-miz
ID: 36473725
Where is the modules/cache directory?
 
LVL 68

Assisted Solution

by: woolmilkporc (earned 2000 total points)
ID: 36473809
Issue "httpd -V" and look for "HTTPD_ROOT".

cd to the directory shown and issue

find . -type d -name modules

cd to the found directory, then issue

cd ..

and you'll be there.

wmp

 

Author Comment

by:the-miz
ID: 36473919
Running find does not find modules :(
 
LVL 68

Assisted Solution

by: woolmilkporc (earned 2000 total points)
ID: 36475050
The file to be patched is "cache_util.c"

Search this file from top level with

find / -type f -name "cache_util.c" 2>/dev/null

If it's found, cd to the directory it's in and run patch without any "-p" parameter, like:

patch < /path/to/patchfile

"patchfile" is the file whose content you posted in your Q!

If "cache_util.c" is not found on your machine there is nothing you could patch!

wmp
 

Author Comment

by:the-miz
ID: 36475112
Not found, guess it's not installed.  I guess what this comes down to is we need to become PCI Compliant with Security Metrics and they sent me the following issue:

Description: vulnerable Apache version: 2.2.3
Host: rrcs-24-103-167-154.nys.biz.rr.com (24.103.167.154), Red Hat, Sep 01 16:33:11 2011, new
Severity: Area of Concern
CVE: CVE-2006-4110 CVE-2006-5752 CVE-2007-1863 CVE-2007-3303 CVE-2007-3304 CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2007-6420 CVE-2007-6421 CVE-2007-6422 CVE-2008-0005 CVE-2008-0455 CVE-2008-0456 CVE-2009-1195 CVE-2009-1891 CVE-2009-2412 CVE-2010-0425 CVE-2010-0434 CVE-2010-1452 CVE-2010-1623 CVE-2011-0419 CVE-2011-1928
Impact: A remote attacker could crash the web server or execute arbitrary commands.
Background: Apache is a web server which runs on Unix, Linux, Mac OS and Windows systems. Apache web servers support chunked encoding, which is part of the HTTP protocol specification. Chunked encoding is used by a web client to send data to the server in parts, or chunks. After a chunk is received, the server indicates that it is ready to receive the next chunk, until all of the data has been received.
Resolution [http://httpd.apache.org/download.cgi]: Upgrade Apache 1.x to version 1.3.41-dev or higher, 2.0.x to version 2.0.64-dev or higher when available, or a version higher than 2.2.18. Patches for the mod_cache DoS can be applied for 2.0 [http://people.apache.org/~mjc/cve-2007-1863-2.0.patch] or 2.2 [http://people.apache.org/~mjc/cve-2007-1863-2.2.patch]. Alternatively, apply a fix from your operating system vendor.
Vulnerability Details: Service: http; Received: Server: Apache/2.2.3 (Red Hat)

Not sure you can help me.
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 36475242
No, sorry.

What I can tell you is that you can't patch a file which is not there.

On the other hand, if the stated vulnerability is in mod_cache and you don't have mod_cache on your system, there's also no vulnerability.

Are you aware that you would have had to recompile Apache if you had been able to apply the patch?

I'd really suggest upgrading Apache to the newest 2.2.x version anyway.

wmp
 

Author Comment

by:the-miz
ID: 36475268
I checked out apache.org and they only have version 2.2.0 with a bunch of patches up to 2.2.9, which is a bit confusing to me. I'm running RHEL 5.6 as well.
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 36475324
Meanwhile I assume that you didn't compile Apache on your own but that you're running a precompiled version.

You can't patch such a thing with a source patch like the one shown.

Of course you could go with compiling Apache on your own - do you have the required GCC compiler installed?

If you don't you'll have to procure the newest RedHat RPM version of Apache - which is a bit difficult without a subscription, that's true.

I fear I will not be able to help you further here.


wmp