Friday, October 07, 2011

Just patched Apache HTTP Server 2.2.21

Nothing special. I had reviewed the Apache HTTP Server mod_proxy reverse proxy issue [Reverse proxy feature (mod_proxy) has a new vulnerability] and seen that "Patch is available for 2.2.21". I was simply curious to patch my Apache HTTP Server built from source, and then...
# /usr/local/apache/bin/httpd -v
Server version: Apache/2.2.21 (Unix)
Server built: Sep 30 2011 22:54:45
*** Go to Source ***
# cd httpd-2.2.21
# cat config.nice
#! /bin/sh
#
# Created by configure

"./configure" \
"--prefix=/usr/local/apache" \
"--enable-unique-id" \
"--with-included-apr" \
"$@"
*** Download patch for 2.2.21 at http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/ ***
# wget http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch
--2011-10-07 02:33:18-- http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch
Resolving www.apache.org... 140.211.11.131
Connecting to www.apache.org|140.211.11.131|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1123 (1.1K)
Saving to: CVE-2011-3368.patch

100%[======================================>] 1,123 --.-K/s in 0s
2011-10-07 02:33:19 (34.7 MB/s) - CVE-2011-3368.patch

# ls -l CVE-2011-3368.patch
-rw-r--r--. 1 root root 1123 Oct 5 21:27 CVE-2011-3368.patch

# cat CVE-2011-3368.patch
SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
reverse proxy configurations by strictly validating the request-URI.

http://svn.apache.org/viewvc?rev=1179239&view=rev

--- httpd-2.2.21/server/protocol.c
+++ httpd-2.2.21/server/protocol.c
@@ -640,6 +640,25 @@

ap_parse_uri(r, uri);

+ /* RFC 2616:
+ * Request-URI = "*" | absoluteURI | abs_path | authority
+ *
+ * authority is a special case for CONNECT. If the request is not
+ * using CONNECT, and the parsed URI does not have scheme, and
+ * it does not begin with '/', and it is not '*', then, fail
+ * and give a 400 response. */
+ if (r->method_number != M_CONNECT
+ && !r->parsed_uri.scheme
+ && uri[0] != '/'
+ && !(uri[0] == '*' && uri[1] == '\0')) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "invalid request-URI %s", uri);
+ r->args = NULL;
+ r->hostname = NULL;
+ r->status = HTTP_BAD_REQUEST;
+ r->uri = apr_pstrdup(r->pool, uri);
+ }
+
if (ll[0]) {
r->assbackwards = 0;
pro = ll;
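Review bot: the new block records the failure by assigning `r->status = HTTP_BAD_REQUEST;` and then falls through to the `if (ll[0])` protocol-version parsing, so actually rejecting the request relies on the caller checking r->status once this function returns; a comment at that assignment (or an early return, if nothing downstream needs to run for a rejected request) would make the intent explicit and harder to lose when the surrounding code changes. Minor: the `ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "invalid request-URI %s", uri);` call writes the client-supplied URI into the error log for every rejected request line, so a burst of malformed request lines fills the log at ERR level; APLOG_WARNING, or relying on the 400 recorded in the access log, may be the better severity. The condition itself reads safely as written: `uri[1]` is only evaluated when `uri[0] == '*'`, so an empty or one-character URI cannot be read past its terminator.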
*** Patch Apache HTTP Server source and recompile + reinstall it ***
# patch -p1 < CVE-2011-3368.patch
patching file server/protocol.c

# ls -la server/protocol.c
-rw-r--r--. 1 root cgred 57874 Oct 7 02:35 server/protocol.c

# make clean
# make
# /usr/local/apache/bin/apachectl stop
# make install
# /usr/local/apache/bin/httpd -v
Server version: Apache/2.2.21 (Unix)
Server built: Oct 7 2011 02:59:09

# /usr/local/apache/bin/apachectl start
*** Checked log files to make sure there were no errors ***
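As an added example, not code from the original post, here is the same patch-and-rebuild procedure wrapped in a POSIX shell script with the checks I would want around each step: a dry run of the patch before it touches the tree, a grep to confirm the new check really landed in server/protocol.c, a comparison of the "Server built:" stamp before and after `make install`, and a scan of only the error-log lines written since the restart. The prefix, source directory and patch file name are the post's own; the error log path /usr/local/apache/logs/error_log is an assumption (httpd's default ErrorLog of logs/error_log under the prefix), and any log lines mentioned in the comments are constructed.

```shell
#!/bin/sh
# Added example (not code from the original post): the post's patch-and-rebuild
# steps with a check after each one. Paths are the post's own; the error log
# location is an assumption (httpd's default "logs/error_log" under the prefix).
set -eu

APACHE_PREFIX=${APACHE_PREFIX:-/usr/local/apache}
SRC_DIR=${SRC_DIR:-httpd-2.2.21}
PATCH_FILE=${PATCH_FILE:-CVE-2011-3368.patch}
ERROR_LOG=${ERROR_LOG:-$APACHE_PREFIX/logs/error_log}

# Read `httpd -v` output on stdin and print only the "Server built:" stamp,
# e.g. "Oct  7 2011 02:59:09".
build_stamp() {
    sed -n 's/^Server built:[[:space:]]*//p'
}

# Succeed only if the two build stamps differ, i.e. `make install` really
# replaced the binary and we are not still running the Sep 30 build.
rebuilt() {
    [ "$1" != "$2" ]
}

# Succeed only if the given protocol.c contains the log message the patch
# adds; this catches a patch that was downloaded but never applied.
source_is_patched() {
    grep -q 'invalid request-URI' "$1"
}

# Count httpd-2.2 style "[error]" lines on stdin (prints 0 when none).
error_count() {
    grep -c '\[error\]' || true
}

main() {
    cd "$SRC_DIR"
    before=$("$APACHE_PREFIX/bin/httpd" -v | build_stamp)

    # Dry run first: patch reports a hunk that would not apply without
    # modifying anything, so a mismatched source version is caught early.
    patch -p1 --dry-run < "$PATCH_FILE"
    patch -p1 < "$PATCH_FILE"
    source_is_patched server/protocol.c

    make clean
    make
    "$APACHE_PREFIX/bin/apachectl" stop
    make install

    after=$("$APACHE_PREFIX/bin/httpd" -v | build_stamp)
    rebuilt "$before" "$after" || {
        echo "Server built stamp unchanged ($after); install did not replace httpd" >&2
        exit 1
    }

    # Remember where the error log ends, start httpd, then inspect only the
    # lines written after the restart (e.g. a module that failed to load).
    lines_before=$(wc -l < "$ERROR_LOG")
    "$APACHE_PREFIX/bin/apachectl" start
    sleep 2
    errors=$(tail -n +"$((lines_before + 1))" "$ERROR_LOG" | error_count)
    if [ "$errors" -ne 0 ]; then
        echo "$errors [error] line(s) after restart; check $ERROR_LOG" >&2
        exit 1
    fi
    echo "patched, rebuilt ($after) and restarted cleanly"
}

# Only run the procedure when explicitly asked, so the functions above can be
# sourced and checked on their own.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it from the directory containing httpd-2.2.21 as `sh patch-httpd.sh --run` (the file name is arbitrary). The script stops at the first failing step because of `set -e`, which is the point: a hunk that does not apply, a binary that was not replaced, or a module error on startup each leaves a clear message instead of a server that looks patched but is not.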
Remark:
patch is a shell command: it takes a patch file (patchfile) containing a difference listing produced by the diff program and applies those differences to one or more original files, producing patched versions.

1 comment:

Anonymous said...

Thanks for the in-depth Apache-patching instructions. I was looking for an example to compare to my patch procedure.

I am glad to see that the latest patch applied without difficulty.

One postscript: If you are using yum to automagically grab OS and software patches, make sure that yum does not update Apache or httpd. This burned me until someone told me to check the yum.conf.