Solved

Redhat EL 5 Patching

Posted on 2011-09-02
Last Modified: 2012-05-12
I need to patch Apache 2.2.3 on Redhat EL 5 without having a subscription to RHN. The patch I require is attached, and I have tried running it in several ways....

patch -s < <patch.name>
patch -p1 <patch.name>
patch -p0 <patch.name>

Most times it is run, I get a prompt for "File to patch:"

I do not know what it is asking of me.
Index: CHANGES
===================================================================
--- CHANGES	(revision 548701)
+++ CHANGES	(working copy)
@@ -1,6 +1,10 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.5
 
+  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
+     mod_cache: Prevent segmentation fault if a Cache-Control header has
+     no value [Niklas Edmundsson]
+
   *) mod_cache: Let Cache-Control max-age set the expiration of the cached
      representation if Expires is not set.  [Justin Erenkrantz]
 
Index: modules/cache/cache_util.c
===================================================================
--- modules/cache/cache_util.c	(revision 548701)
+++ modules/cache/cache_util.c	(working copy)
@@ -243,7 +243,8 @@
     age = ap_cache_current_age(info, age_c, r->request_time);
 
     /* extract s-maxage */
-    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
+    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
+        && val != NULL) {
         smaxage = apr_atoi64(val);
     }
     else {
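Review bot: The `&& val != NULL` guard added to the s-maxage condition only covers the missing-value case; `apr_atoi64(val)` on the following line still takes whatever string the header carried, with no check that it is numeric or non-negative. If that is intended, a short comment stating that a valueless directive is treated as if the directive were absent (it now falls into the `else` branch) would help, since the same guard is repeated for max-age and min-fresh in the later hunks.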
@@ -252,7 +253,8 @@
 
     /* extract max-age from request */
     if (!conf->ignorecachecontrol
-        && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
+        && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
+        && val != NULL) {
         maxage_req = apr_atoi64(val);
     }
     else {
@@ -260,7 +262,8 @@
     }
 
     /* extract max-age from response */
-    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
+    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
+        && val != NULL) {
         maxage_cresp = apr_atoi64(val);
     }
     else {
@@ -282,7 +285,20 @@
 
     /* extract max-stale */
     if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
-        maxstale = apr_atoi64(val);
+        if(val != NULL) {
+            maxstale = apr_atoi64(val);
+        }
+        else {
+            /*
+             * If no value is assigned to max-stale, then the client is willing
+             * to accept a stale response of any age (RFC2616 14.9.3). We will
+             * set it to one year in this case as this situation is somewhat
+             * similar to a "never expires" Expires header (RFC2616 14.21)
+             * which is set to a date one year from the time the response is
+             * sent in this case.
+             */
+            maxstale = APR_INT64_C(86400*365);
+        }
     }
     else {
         maxstale = 0;
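Review bot: The valueless max-stale case at `maxstale = APR_INT64_C(86400*365)` is not gated on `!conf->ignorecachecontrol`, unlike the request max-age and min-fresh conditions elsewhere in this patch, so a bare `max-stale` sent by a client gets a one-year staleness allowance regardless of that setting. Please confirm this is intended, and mention the new behaviour in the CHANGES entry, which only describes the segmentation fault fix. Style points: `if(val != NULL)` lacks the space after `if` used in the surrounding lines, and the one-year figure would read better as a named constant.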
@@ -290,7 +306,8 @@
 
     /* extract min-fresh */
     if (!conf->ignorecachecontrol
-        && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
+        && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
+        && val != NULL) {
         minfresh = apr_atoi64(val);
     }
     else {
@@ -419,6 +436,9 @@
                                                   next - val_start);
                         }
                     }
+                    else {
+                        *val = NULL;
+                    }
                 }
                 return 1;
             }
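Review bot: The added `else { *val = NULL; }` covers only this one branch, yet every caller in the earlier hunks now relies on `val` being NULL whenever a directive has no value, and they all pass the same `&val` across consecutive lookups. Please confirm that no other path reaching `return 1` leaves `*val` untouched, otherwise a pointer left over from the previous lookup would pass the `val != NULL` test; setting `*val = NULL` once near the top of the function would make this unconditional. The write also assumes `val` itself is non-NULL here, which the visible context does not show.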

Question by:the-miz
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 36472836
Take care to cd into the directory just above "modules/cache/..." and run patch using the "-p 0" flag.

wmp
0
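The directory and strip-level advice in the accepted answer, as an added example that is not part of the original thread: the script builds a constructed miniature tree and a patch whose header path is modules/cache/cache_util.c, then dry-runs it from different directories and -p levels. The temporary tree, the file contents and the helper names run_patch and report are assumptions made for the demonstration; it relies on the patch utility's -f and --dry-run options.

```shell
#!/bin/sh
# Added example: reproduce the "File to patch:" failure and the -p0 fix on a
# constructed miniature tree (file contents and temp paths are made up).
work=$(mktemp -d)
mkdir -p "$work/src/modules/cache"
printf '%s\n' 'line one' 'old line' 'line three' \
    > "$work/src/modules/cache/cache_util.c"

# Patch with the same header layout as the one in the question: the file name
# is relative to the top of the source tree.
printf '%s\n' \
    'Index: modules/cache/cache_util.c' \
    '--- modules/cache/cache_util.c' \
    '+++ modules/cache/cache_util.c' \
    '@@ -1,3 +1,3 @@' \
    ' line one' \
    '-old line' \
    '+new line' \
    ' line three' > "$work/fix.patch"

# run_patch DIR LEVEL [extra patch options]
# -f makes patch skip an unresolvable file instead of prompting "File to patch:",
# so a wrong directory or strip level shows up as a non-zero exit status.
run_patch() {
    rp_dir=$1; rp_level=$2; shift 2
    ( cd "$rp_dir" && patch -p"$rp_level" -f "$@" < "$work/fix.patch" ) >/dev/null 2>&1
}

# report DIR LEVEL: dry run only, prints whether patch could resolve the path.
report() {
    if run_patch "$1" "$2" --dry-run; then
        echo "ok     cwd=${1#"$work"/} -p$2"
    else
        echo "FAILED cwd=${1#"$work"/} -p$2 (patch would ask 'File to patch:')"
    fi
}

report "$work/src" 0                 # tree root, full path kept: resolves
report "$work/src" 1                 # strips "modules/": cache/cache_util.c missing
report "$work/src/modules/cache" 0   # wrong directory for -p0
report "$work/src/modules/cache" 2   # both directories stripped: resolves

# Apply for real only after the dry run from the tree root succeeded.
run_patch "$work/src" 0 --dry-run && run_patch "$work/src" 0
```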
 

Author Comment

by:the-miz
ID: 36473725
Where is the modules/cache directory?
0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 500 total points
ID: 36473809
Issue "httpd -V" and look for "HTTPD_ROOT".

cd to the directory shown and issue

find . -type d -name modules

cd to the found directory, then issue

cd ..

and you'll be there.

wmp
0
 

Author Comment

by:the-miz
ID: 36473919
Running find does not find modules :(
0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 500 total points
ID: 36475050
The file to be patched is "cache_util.c"

Search this file from top level with

find / -type f -name "cache_util.c" 2>/dev/null

If it's found, cd to the directory it's in and run patch without any "-p" parameter, like:

patch < /path/to/patchfile

"patchfile" is the file whose content you posted in your Q!

If "cache_util.c" is not found on your machine there is nothing you could patch!

wmp
0
 

Author Comment

by:the-miz
ID: 36475112
Not found, guess it's not installed.  I guess what this comes down to is we need to become PCI Compliant with Security Metrics and they sent me the following issue:

Description: vulnerable Apache version: 2.2.3
rrcs-24-103-167-154.nys.biz.rr.com 24.103.167.154 Red Hat Sep 01 16:33:11 2011 new
Severity: Area of Concern
CVE: CVE-2006-4110 CVE-2006-5752 CVE-2007-1863 CVE-2007-3303 CVE-2007-3304 CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2007-6420 CVE-2007-6421 CVE-2007-6422 CVE-2008-0005 CVE-2008-0455 CVE-2008-0456 CVE-2009-1195 CVE-2009-1891 CVE-2009-2412 CVE-2010-0425 CVE-2010-0434 CVE-2010-1452 CVE-2010-1623 CVE-2011-0419 CVE-2011-1928
10.010new11
Impact: A remote attacker could crash the web server or execute arbitrary commands.
Background: Apache is a web server which runs on Unix, Linux, Mac OS and Windows systems. Apache web servers support chunked encoding, which is part of the HTTP protocol specification. Chunked encoding is used by a web client to send data to the server in parts, or chunks. After a chunk is received, the server indicates that it is ready to receive the next chunk, until all of the data has been received.
Resolution [http://httpd.apache.org/download.cgi] Upgrade Apache 1.x to version 1.3.41-dev or higher, 2.0.x to version 2.0.64-dev or higher when available, or a version higher than 2.2.18. Patches for the mod_cache DoS can be applied for [http://people.apache.org/~mjc/cve-2007-1863-2.0.patch] 2.0 or [http://people.apache.org/~mjc/cve-2007-1863-2.2.patch] 2.2. Alternatively, apply a fix from your operating system vendor.
Vulnerability Details: Service: http Received: Server: Apache/2.2.3 (Red Hat)

Not sure you can help me.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 36475242
No, sorry.

What I can tell you is that you can't patch a file which is not there.

On the other hand - when the stated vulnerability is in mod_cache, and you don't have mod_cache on your system there's also no vulnerability.

Are you aware that you would have had to recompile Apache if you had been able to apply the patch?

I'd really suggest upgrading Apache to the newest 2.2.x version anyway.

wmp
0
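One way to check the two questions this exchange leaves open on a packaged httpd, as an added example that is not part of the original thread: whether mod_cache is loaded at all, and which of the scanner's CVE ids the installed package's changelog names (the report matched on the Server banner and allows "a fix from your operating system vendor"). The function names and both sample texts are constructed, and the changelog check assumes the packager records CVE ids there.

```shell
#!/bin/sh
# Added example: triage the scanner's CVE list against a packaged httpd.
# On a live RHEL host, feed the functions with:
#   httpd -M 2>&1              (loaded modules)
#   rpm -q --changelog httpd   (changelog of the installed package)
# Both samples below are constructed so the script runs anywhere.

SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 log_config_module (shared)
 cache_module (shared)
 disk_cache_module (shared)
Syntax OK'

SAMPLE_CHANGELOG='* (constructed entry) packager <packager@example.com> 2.2.3-NN
- add security fix for CVE-2007-1863
- add security fixes for CVE-2006-5752, CVE-2007-3304
* (constructed entry) packager <packager@example.com> 2.2.3-MM
- rebuild'

# module_loaded TEXT NAME: is NAME (e.g. cache_module) listed in `httpd -M` output?
# Anchored at line start so disk_cache_module does not count as cache_module.
module_loaded() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]+\((static|shared)\)"
}

# cve_status CHANGELOG CVE...: one line per CVE id, "named-in-changelog" when the
# changelog text mentions it, otherwise "not-in-changelog" (needs manual review).
cve_status() {
    cs_log=$1; shift
    for cs_cve in "$@"; do
        if printf '%s\n' "$cs_log" | grep -Fqw -- "$cs_cve"; then
            echo "$cs_cve named-in-changelog"
        else
            echo "$cs_cve not-in-changelog"
        fi
    done
}

if module_loaded "$SAMPLE_MODULES" cache_module; then
    echo "mod_cache is loaded: the mod_cache finding applies to this build"
else
    echo "mod_cache is not loaded"
fi
cve_status "$SAMPLE_CHANGELOG" CVE-2006-5752 CVE-2007-1863 CVE-2011-0419
```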
 

Author Comment

by:the-miz
ID: 36475268
I checked out apache.org and they only have version 2.2.0 with a bunch of patches up to 2.2.9, which is a bit confusing to me. I'm running RHEL 5.6 as well.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 36475324
Meanwhile I assume that you didn't compile Apache on your own but that you're running a precompiled version.

You can't patch such a thing with a source patch like the one shown.

Of course you could go with compiling Apache on your own - do you have the required GCC compiler installed?

If you don't you'll have to procure the newest RedHat RPM version of Apache - which is a bit difficult without a subscription, that's true.

I fear I will not be able to help you further here.


wmp
0
