the-miz
Redhat EL 5 Patching

I need to patch Apache 2.2.3 on Redhat EL 5 without having a subscription to RHN. The patch I require is attached, and I have tried running it in several ways....

patch -s < <patch.name>
patch -p1 <patch.name>
patch -p0 <patch.name>

Most times it is run, I get a prompt for "File to patch:"

I do not know what it is asking of me.
Index: CHANGES
===================================================================
--- CHANGES	(revision 548701)
+++ CHANGES	(working copy)
@@ -1,6 +1,10 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.5
 
+  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
+     mod_cache: Prevent segmentation fault if a Cache-Control header has
+     no value [Niklas Edmundsson]
+
   *) mod_cache: Let Cache-Control max-age set the expiration of the cached
      representation if Expires is not set.  [Justin Erenkrantz]
 
Index: modules/cache/cache_util.c
===================================================================
--- modules/cache/cache_util.c	(revision 548701)
+++ modules/cache/cache_util.c	(working copy)
@@ -243,7 +243,8 @@
     age = ap_cache_current_age(info, age_c, r->request_time);
 
     /* extract s-maxage */
-    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
+    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
+        && val != NULL) {
         smaxage = apr_atoi64(val);
     }
     else {
@@ -252,7 +253,8 @@
 
     /* extract max-age from request */
     if (!conf->ignorecachecontrol
-        && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
+        && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
+        && val != NULL) {
         maxage_req = apr_atoi64(val);
     }
     else {
@@ -260,7 +262,8 @@
     }
 
     /* extract max-age from response */
-    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
+    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
+        && val != NULL) {
         maxage_cresp = apr_atoi64(val);
     }
     else {
@@ -282,7 +285,20 @@
 
     /* extract max-stale */
     if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
-        maxstale = apr_atoi64(val);
+        if(val != NULL) {
+            maxstale = apr_atoi64(val);
+        }
+        else {
+            /*
+             * If no value is assigned to max-stale, then the client is willing
+             * to accept a stale response of any age (RFC2616 14.9.3). We will
+             * set it to one year in this case as this situation is somewhat
+             * similar to a "never expires" Expires header (RFC2616 14.21)
+             * which is set to a date one year from the time the response is
+             * sent in this case.
+             */
+            maxstale = APR_INT64_C(86400*365);
+        }
     }
     else {
         maxstale = 0;
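Review bot: this is the one lookup that treats a value-less directive differently from the others: s-maxage, max-age and min-fresh fall through to their else branch when `val` is NULL, while a bare `max-stale` is assigned a one-year value. The RFC 2616 14.9.3 comment justifies that, but it is a behaviour change on top of the crash fix, so the CHANGES entry (which only mentions the segmentation fault) should say so; also `if(val != NULL)` should read `if (val != NULL)` to match the surrounding style.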
@@ -290,7 +306,8 @@
 
     /* extract min-fresh */
     if (!conf->ignorecachecontrol
-        && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
+        && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
+        && val != NULL) {
         minfresh = apr_atoi64(val);
     }
     else {
@@ -419,6 +436,9 @@
                                                   next - val_start);
                         }
                     }
+                    else {
+                        *val = NULL;
+                    }
                 }
                 return 1;
             }
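Review bot: the new `else { *val = NULL; }` is what gives the `val != NULL` checks above their meaning, but it dereferences `val` unconditionally and the visible context only covers the branch that ends in `return 1;` (directive found); confirm that no caller passes a NULL `val` pointer and that `*val` is also left in a defined state on the not-found return path, which is outside this hunk.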

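As an added example that is not part of the thread, a small POSIX sh helper that mimics the lookup `patch` does before it asks "File to patch:" and so shows which -p level (if any) fits a given patch from the current directory. The sample tree and the patch it builds are constructed stand-ins, not the attached patch; the `cve-2007-1863-2.2.patch` in the question uses the same `---`/`+++` header style, so the same check applies to it from an httpd 2.2 source root.

```shell
#!/bin/sh
# Added example (not from the thread): the lookup behind "File to patch:".
# patch strips PNUM leading directory components (-pPNUM) from each "+++"
# header and opens the rest relative to the cwd; if absent, it prompts.

# check_patch_paths PATCHFILE PNUM: one line per target; 0 if all exist.
check_patch_paths() {
    patchfile=$1; pnum=$2; missing=0
    for target in $(awk '/^\+\+\+ /{print $2}' "$patchfile"); do
        stripped=$(printf '%s\n' "$target" | awk -F/ -v n="$pnum" \
            'NF > n { s = $(n+1); for (i = n+2; i <= NF; i++) s = s "/" $i; print s }')
        if [ -n "$stripped" ] && [ -f "$stripped" ]; then
            echo "ok      -p$pnum $target -> $stripped"
        else
            echo "MISSING -p$pnum $target -> '$stripped' (patch would ask: File to patch:)"
            missing=1
        fi
    done
    return $missing
}

# make_sample_tree DIR: constructed stand-in for an httpd 2.2 source root plus a
# patch in the same svn "---/+++" header style as the attached one (hunks made up).
make_sample_tree() {
    mkdir -p "$1/modules/cache"
    echo "Changes with Apache 2.2.5" > "$1/CHANGES"
    echo "/* cache_util.c */" > "$1/modules/cache/cache_util.c"
    cat > "$1/sample.patch" <<'EOF'
--- CHANGES (revision 548701)
+++ CHANGES (working copy)
@@ -1 +1 @@
-Changes with Apache 2.2.5
+Changes with Apache 2.2.5 (patched)
--- modules/cache/cache_util.c (revision 548701)
+++ modules/cache/cache_util.c (working copy)
@@ -1 +1 @@
-/* cache_util.c */
+/* cache_util.c, patched */
EOF
}

# Demo: -p0 from the source root finds every file, -p1 finds none, and a
# binary RPM install with no source tree at all finds nothing at any level.
demo() {
    tmp=$(mktemp -d); make_sample_tree "$tmp"
    (cd "$tmp" && check_patch_paths sample.patch 0) && echo "-p0 is the right level"
    (cd "$tmp" && check_patch_paths sample.patch 1) || echo "-p1 would prompt"
    rm -rf "$tmp"
}
demo
```

Once the level is known, `patch -p0 --dry-run < cve-2007-1863-2.2.patch` from the unpacked httpd-2.2.x source root confirms the hunks apply before anything is written.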
the-miz

ASKER

Where is the modules/cache directory?

ASKER

Running find does not find modules :(

ASKER

Not found, guess it's not installed. I guess what this comes down to is we need to become PCI compliant with Security Metrics and they sent me the following issue:

Description: vulnerable Apache version: 2.2.3 rrcs-24-103-167-154.nys.biz.rr.com 24.103.167.154 Red Hat Sep 01 16:33:11 2011 new
Severity: Area of Concern
CVE: CVE-2006-4110 CVE-2006-5752 CVE-2007-1863 CVE-2007-3303 CVE-2007-3304 CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2007-6420 CVE-2007-6421 CVE-2007-6422 CVE-2008-0005 CVE-2008-0455 CVE-2008-0456 CVE-2009-1195 CVE-2009-1891 CVE-2009-2412 CVE-2010-0425 CVE-2010-0434 CVE-2010-1452 CVE-2010-1623 CVE-2011-0419 CVE-2011-1928 10.010new11
Impact: A remote attacker could crash the web server or execute arbitrary commands.
Background: Apache is a web server which runs on Unix, Linux, Mac OS and Windows systems. Apache web servers support chunked encoding, which is part of the HTTP protocol specification. Chunked encoding is used by a web client to send data to the server in parts, or chunks. After a chunk is received, the server indicates that it is ready to receive the next chunk, until all of the data has been received.
Resolution: [http://httpd.apache.org/download.cgi] Upgrade Apache 1.x to version 1.3.41-dev or higher, 2.0.x to version 2.0.64-dev or higher when available, or a version higher than 2.2.18. Patches for the mod_cache DoS can be applied for [http://people.apache.org/~mjc/cve-2007-1863-2.0.patch] 2.0 or [http://people.apache.org/~mjc/cve-2007-1863-2.2.patch] 2.2. Alternatively, apply a fix from your operating system vendor.
Vulnerability Details: Service: http Received: Server: Apache/2.2.3 (Red Hat)

Not sure you can help me.

No, sorry.

What I can tell you is that you can't patch a file which is not there.

On the other hand, when the stated vulnerability is in mod_cache and you don't have mod_cache on your system, there's also no vulnerability.

Are you aware that you would have had to recompile Apache if you had been able to apply the patch?

I'd really suggest upgrading Apache to the newest 2.2.x version anyway.

wmp

ASKER

I checked out apache.org and they only have version 2.2.0 with a bunch of patches up to 2.2.9, which is a bit confusing to me. I'm running RHEL 5.6 as well.

Meanwhile I assume that you didn't compile Apache on your own but that you're running a precompiled version.

You can't patch such a thing with a source patch like the one shown.

Of course you could go with compiling Apache on your own; do you have the required GCC compiler installed?

If you don't, you'll have to procure the newest Red Hat RPM version of Apache, which is a bit difficult without a subscription, that's true.

I fear I will not be able to help you further here.
wmp