diffstat for pound-2.6 pound-2.6 changelog | 8 control | 2 patches/anti_beast.patch | 201 +++++++++++++++++++------ patches/anti_poodle.patch | 90 +++++++++++ patches/http_https_redirect_encoding_fix.patch | 32 +++ patches/series | 3 patches/tls_compression_disable.patch | 71 ++++++++ patches/xss_redirect_fix.patch | 18 +- 8 files changed, 373 insertions(+), 52 deletions(-) diff -Nru pound-2.6/debian/changelog pound-2.6/debian/changelog --- pound-2.6/debian/changelog 2012-02-03 09:50:41.000000000 +0000 +++ pound-2.6/debian/changelog 2015-01-27 23:31:30.000000000 +0000 @@ -1,3 +1,11 @@ +pound (2.6-2.1) stable-security; urgency=low + + * anti_poodle patch + * disable tls compression patch + * don't wrongly encode = in redirect + + -- Brett Parker Thu, 15 Jan 2015 14:11:44 +0000 + pound (2.6-2) unstable; urgency=low * Update anti_beast patch diff -Nru pound-2.6/debian/control pound-2.6/debian/control --- pound-2.6/debian/control 2012-01-30 11:12:24.000000000 +0000 +++ pound-2.6/debian/control 2015-01-27 23:31:30.000000000 +0000 @@ -1,7 +1,7 @@ Source: pound Section: net Priority: extra -Maintainer: Martin Meredith +Maintainer: Brett Parker Build-Depends: debhelper (>= 7), libssl-dev (>= 0.9.7), autotools-dev, libpcre3-dev, openssl Standards-Version: 3.9.2 Homepage: http://www.apsis.ch/pound/ diff -Nru pound-2.6/debian/patches/anti_beast.patch pound-2.6/debian/patches/anti_beast.patch --- pound-2.6/debian/patches/anti_beast.patch 2012-02-03 09:40:16.000000000 +0000 +++ pound-2.6/debian/patches/anti_beast.patch 2015-01-27 23:31:30.000000000 +0000 
@@ -1,32 +1,20 @@ -From: Joe Gooch -Author: Joe Gooch -Description: SSL Renegotiation Patch - This patch adds two new config directives: - SSLHonorCipherOrder 0|1 - When set to 1, server prefers Ciphers in the order specified. When 0, Server advertises no preference. - - SSLAllowClientRenegotiation 0|1|2 - When set to 0, no client renegotiation will be honored. - When 1, secure renegotiation will be honored. - When 2, insecure renegotiation will be honored. - - It will also disable insecure renegotiation on backend HTTPS connections. - - Given these options, the most secure configuration would be: - SSLAllowClientRenegotiation 0 - SSLHonorCipherOrder 1 - Ciphers "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" - - Which mitigates BEAST attacks as outlined here: - http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html - - As well as renegotiation attacks. - - Test your server at https://www.ssllabs.com/ssldb/ -Forwarded: http://www.apsis.ch/pound/pound_list/archive/2012/2012-02/1328105174000#1328207465000 +From: Brett Parker +Date: Tue, 27 Jan 2015 22:31:52 +0000 +Subject: anti_beast + +--- + config.c | 39 +++++++++++++++++++++++++++++++++++++-- + http.c | 45 ++++++++++++++++++++++++++++++++++++++------- + pound.8 | 13 +++++++++++++ + pound.h | 9 +++++++++ + svc.c | 31 +++++++++++++++++++++++++++++++ + 5 files changed, 128 insertions(+), 9 deletions(-) + +diff --git a/config.c b/config.c +index 1294d84..b066dd8 100755 --- a/config.c +++ b/config.c -@@ -76,7 +76,7 @@ +@@ -76,7 +76,7 @@ static regex_t ListenHTTP, ListenHTTPS, End, Address, Port, Cert, xHTTP, Client static regex_t Err414, Err500, Err501, Err503, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination; static regex_t Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd, Emergency, Priority, HAport, HAportAddr; static regex_t Redirect, RedirectN, TimeOut, Session, Type, TTL, ID, DynScale; 
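Review bot: The rewritten header drops the DEP-3 `Description:` and `Forwarded:` fields, so anti_beast.patch no longer records what SSLAllowClientRenegotiation and SSLHonorCipherOrder do, which settings its author considered the most secure combination, or where it was sent upstream, and the `From:` line now names the packager instead of the original author. The xss_redirect_fix.patch header hunk later in this diff has the same loss, where `Description: Fix logic for redirect to overcome potential XSS` was the only statement of that patch's purpose. Keep the removed paragraphs as the body of the new format-patch message between the `Subject:` line and the `---` separator, and keep the original attribution and forwarding URL in `Origin:`/`Forwarded:` trailers so the metadata stays DEP-3 readable.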
@@ -35,7 +23,7 @@ static regex_t Grace, Include, ConnTO, IgnoreCase, HTTPS, HTTPSCert, Disabled, Threads, CNName; static regmatch_t matches[5]; -@@ -289,9 +289,12 @@ +@@ -289,9 +289,12 @@ parse_be(const int is_emergency) } else if(!regexec(&HTTPS, lin, 4, matches, 0)) { if((res->ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) conf_err("SSL_CTX_new failed - aborted"); @@ -48,7 +36,7 @@ sprintf(lin, "%d-Pound-%ld", getpid(), random()); SSL_CTX_set_session_id_context(res->ctx, (unsigned char *)lin, strlen(lin)); SSL_CTX_set_tmp_rsa_callback(res->ctx, RSA_tmp_callback); -@@ -299,6 +302,7 @@ +@@ -299,6 +302,7 @@ parse_be(const int is_emergency) } else if(!regexec(&HTTPSCert, lin, 4, matches, 0)) { if((res->ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) conf_err("SSL_CTX_new failed - aborted"); @@ -56,7 +44,7 @@ lin[matches[1].rm_eo] = '\0'; if(SSL_CTX_use_certificate_chain_file(res->ctx, lin + matches[1].rm_so) != 1) conf_err("SSL_CTX_use_certificate_chain_file failed - aborted"); -@@ -309,6 +313,8 @@ +@@ -309,6 +313,8 @@ parse_be(const int is_emergency) SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL); SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_options(res->ctx, SSL_OP_ALL); @@ -65,7 +53,7 @@ sprintf(lin, "%d-Pound-%ld", getpid(), random()); SSL_CTX_set_session_id_context(res->ctx, (unsigned char *)lin, strlen(lin)); SSL_CTX_set_tmp_rsa_callback(res->ctx, RSA_tmp_callback); -@@ -829,11 +835,15 @@ +@@ -829,11 +835,15 @@ parse_HTTPS(void) SERVICE *svc; MATCHER *m; int has_addr, has_port, has_other; 
@@ -81,21 +69,21 @@ if((res = (LISTENER *)malloc(sizeof(LISTENER))) == NULL) conf_err("ListenHTTPS config: out of memory - aborted"); memset(res, 0, sizeof(LISTENER)); -@@ -844,6 +854,7 @@ +@@ -844,6 +854,7 @@ parse_HTTPS(void) res->err500 = "An internal server error occurred. Please try again later."; res->err501 = "This method may not be used."; res->err503 = "The service is not available. Please try again later."; -+ res->allow_client_reneg = 0; ++ res->allow_cl_reneg = 0; res->log_level = log_level; if(regcomp(&res->verb, xhttp[0], REG_ICASE | REG_NEWLINE | REG_EXTENDED)) conf_err("xHTTP bad default pattern - aborted"); -@@ -1029,6 +1040,23 @@ +@@ -1029,6 +1040,23 @@ parse_HTTPS(void) strcat(res->add_head, "\r\n"); strcat(res->add_head, lin + matches[1].rm_so); } + } else if(!regexec(&SSLAllowClientRenegotiation, lin, 4, matches, 0)) { -+ res->allow_client_reneg = atoi(lin + matches[1].rm_so); -+ if (res->allow_client_reneg == 2) { ++ res->allow_cl_reneg = atoi(lin + matches[1].rm_so); ++ if (res->allow_cl_reneg == 2) { + ssl_op_enable |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; + ssl_op_disable &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; + } else { @@ -113,7 +101,7 @@ } else if(!regexec(&Ciphers, lin, 4, matches, 0)) { has_other = 1; if(res->ctx == NULL) -@@ -1105,12 +1133,15 @@ +@@ -1105,12 +1133,15 @@ parse_HTTPS(void) conf_err("ListenHTTPS: can't set SNI callback"); #endif for(pc = res->ctx; pc; pc = pc->next) { @@ -130,7 +118,7 @@ } return res; } else { -@@ -1305,6 +1336,8 @@ +@@ -1305,6 +1336,8 @@ config_parse(const int argc, char **const argv) || regcomp(&DynScale, "^[ \t]*DynScale[ \t]+([01])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) || regcomp(&ClientCert, "^[ \t]*ClientCert[ \t]+([0-3])[ \t]+([1-9])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) || regcomp(&AddHeader, "^[ \t]*AddHeader[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) 
@@ -139,7 +127,7 @@ || regcomp(&Ciphers, "^[ \t]*Ciphers[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) || regcomp(&CAlist, "^[ \t]*CAlist[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) || regcomp(&VerifyList, "^[ \t]*VerifyList[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) -@@ -1463,6 +1496,8 @@ +@@ -1463,6 +1496,8 @@ config_parse(const int argc, char **const argv) regfree(&DynScale); regfree(&ClientCert); regfree(&AddHeader); 
@@ -148,9 +136,128 @@ regfree(&Ciphers); regfree(&CAlist); regfree(&VerifyList); +diff --git a/http.c b/http.c +index bb2ce8b..d420b69 100755 +--- a/http.c ++++ b/http.c +@@ -246,6 +246,11 @@ copy_chunks(BIO *const cl, BIO *const be, LONG *res_bytes, const int no_write, c + + static int err_to = -1; + ++typedef struct { ++ int timeout; ++ RENEG_STATE *reneg_state; ++} BIO_ARG; ++ + /* + * Time-out for client read/gets + * the SSL manual says not to do it, but it works well enough anyway... +@@ -253,18 +258,32 @@ static int err_to = -1; + static long + bio_callback(BIO *const bio, const int cmd, const char *argp, int argi, long argl, long ret) + { ++ BIO_ARG *bio_arg; + struct pollfd p; + int to, p_res, p_err; + + if(cmd != BIO_CB_READ && cmd != BIO_CB_WRITE) + return ret; + ++ //logmsg(LOG_NOTICE, "bio callback"); + /* a time-out already occured */ +- if((to = *((int *)BIO_get_callback_arg(bio)) * 1000) < 0) { ++ if((bio_arg = (BIO_ARG*)BIO_get_callback_arg(bio))==NULL) return ret; ++ if((to = bio_arg->timeout * 1000) < 0) { + errno = ETIMEDOUT; + return -1; + } + ++ /* Renegotiations */ ++ //logmsg(LOG_NOTICE, "RENEG STATE %d", bio_arg->reneg_state==NULL?-1:*bio_arg->reneg_state); ++ if (bio_arg->reneg_state != NULL && *bio_arg->reneg_state == RENEG_ABORT) { ++ logmsg(LOG_NOTICE, "REJECTING renegotiated session"); ++ errno = ECONNABORTED; ++ return -1; ++ } ++ ++ //logmsg(LOG_NOTICE, "TO %d", to); ++ if (to == 0) return ret; ++ + for(;;) { + memset(&p, 0, sizeof(p)); + BIO_get_fd(bio, &p.fd); +@@ -299,7 +318,7 @@ bio_callback(BIO *const bio, const int cmd, const char *argp, int argi, long arg + return -1; + case 0: + /* timeout - mark the BIO as unusable for the future */ +- BIO_set_callback_arg(bio, (char *)&err_to); ++ bio_arg->timeout = err_to; + #ifdef EBUG + logmsg(LOG_WARNING, "(%lx) CALLBACK timeout poll after %d secs: %s", + pthread_self(), to / 1000, strerror(p_err)); +@@ -503,7 +522,14 @@ do_http(thr_arg *arg) + regmatch_t matches[4]; + struct linger l; 
+ double start_req, end_req; +- ++ RENEG_STATE reneg_state; ++ BIO_ARG ba1, ba2; ++ ++ reneg_state = RENEG_INIT; ++ ba1.reneg_state = &reneg_state; ++ ba2.reneg_state = &reneg_state; ++ ba1.timeout = 0; ++ ba2.timeout = 0; + from_host = ((thr_arg *)arg)->from_host; + memcpy(&from_host_addr, from_host.ai_addr, from_host.ai_addrlen); + from_host.ai_addr = (struct sockaddr *)&from_host_addr; +@@ -512,6 +538,8 @@ do_http(thr_arg *arg) + free(((thr_arg *)arg)->from_host.ai_addr); + free(arg); + ++ if(lstn->allow_cl_reneg) reneg_state = RENEG_ALLOW; ++ + n = 1; + setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&n, sizeof(n)); + l.l_onoff = 1; +@@ -535,10 +563,11 @@ do_http(thr_arg *arg) + close(sock); + return; + } +- if(lstn->to > 0) { +- BIO_set_callback_arg(cl, (char *)&lstn->to); ++ //if(lstn->to > 0) { ++ ba1.timeout = lstn->to; ++ BIO_set_callback_arg(cl, (char *)&ba1); + BIO_set_callback(cl, bio_callback); +- } ++ //} + + if(lstn->ctx != NULL) { + if((ssl = SSL_new(lstn->ctx->ctx)) == NULL) { +@@ -547,6 +576,7 @@ do_http(thr_arg *arg) + BIO_free_all(cl); + return; + } ++ SSL_set_app_data(ssl, &reneg_state); + SSL_set_bio(ssl, cl, cl); + if((bb = BIO_new(BIO_f_ssl())) == NULL) { + logmsg(LOG_WARNING, "(%lx) BIO_new(Bio_f_ssl()) failed", pthread_self()); +@@ -848,7 +878,8 @@ do_http(thr_arg *arg) + } + BIO_set_close(be, BIO_CLOSE); + if(backend->to > 0) { +- BIO_set_callback_arg(be, (char *)&backend->to); ++ ba2.timeout = backend->to; ++ BIO_set_callback_arg(be, (char *)&ba2); + BIO_set_callback(be, bio_callback); + } + if(backend->ctx != NULL) { +diff --git a/pound.8 b/pound.8 +index f878a4d..b95e794 100755 --- a/pound.8 +++ b/pound.8 -@@ -501,6 +501,19 @@ +@@ -501,6 +501,19 @@ string in the same format as in OpenSSL and .I SSL_CTX_set_cipher_list(3). .TP 
@@ -170,17 +277,19 @@ \fBCAlist\fR "CAcert_file" Set the list of "trusted" CA's for this server. The CAcert_file is a file containing a sequence of CA certificates (PEM format). The names of the defined CA certificates +diff --git a/pound.h b/pound.h +index 114db58..3feb0fd 100755 --- a/pound.h +++ b/pound.h -@@ -404,6 +404,7 @@ +@@ -404,6 +404,7 @@ typedef struct _listener { int rewr_dest; /* rewrite destination header */ int disabled; /* true if the listener is disabled */ int log_level; /* log level for this listener */ -+ int allow_client_reneg; /* Allow Client SSL Renegotiation */ ++ int allow_cl_reneg; /* Allow Client SSL Renegotiation */ SERVICE *services; struct _listener *next; } LISTENER; -@@ -419,6 +420,9 @@ +@@ -419,6 +420,9 @@ typedef struct _thr_arg { struct _thr_arg *next; } thr_arg; /* argument to processing threads: socket, origin */ @@ -190,7 +299,7 @@ /* Header types */ #define HEADER_ILLEGAL -1 #define HEADER_OTHER 0 -@@ -591,6 +595,11 @@ +@@ -591,6 +595,11 @@ extern RSA *RSA_tmp_callback(SSL *, int, int); extern DH *DH_tmp_callback(SSL *, int, int); /* @@ -202,9 +311,11 @@ * expiration stuff */ #ifndef EXPIRE_TO +diff --git a/svc.c b/svc.c +index fca3e3b..8c33a10 100755 --- a/svc.c +++ b/svc.c -@@ -1797,3 +1797,34 @@ +@@ -1797,3 +1797,34 @@ thr_control(void *arg) close(ctl); } } diff -Nru pound-2.6/debian/patches/anti_poodle.patch pound-2.6/debian/patches/anti_poodle.patch --- pound-2.6/debian/patches/anti_poodle.patch 1970-01-01 01:00:00.000000000 +0100 +++ pound-2.6/debian/patches/anti_poodle.patch 2015-01-27 23:31:30.000000000 +0000 
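Review bot: The hunk leaves commented-out code in http.c — three `//logmsg(...)` debug lines in bio_callback and the `//if(lstn->to > 0) {` / `//}` pair around the client `BIO_set_callback` — and the second one hides a real behaviour change: the callback is now installed on the client BIO unconditionally and relies on the new `if (to == 0) return ret;` early return to keep the no-timeout case working. Delete the commented lines and state the intent instead, e.g. `/* always installed: the callback also enforces reneg_state; timeout 0 skips the poll */`. `ba1`, `ba2` and `reneg_state` are automatics of do_http handed to `BIO_set_callback_arg` and `SSL_set_app_data`, so the BIOs and the SSL object must not outlive the function; the teardown and the svc.c code that writes RENEG_ABORT are outside this hunk, so I could not confirm that, and a comment on those declarations would help the next reader. The one-line `if((bio_arg = (BIO_ARG*)BIO_get_callback_arg(bio))==NULL) return ret;` also departs from the braced, multi-line style used around it. Both bio_callback and do_http continue outside the hunk.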
@@ -0,0 +1,90 @@ +From: Brett Parker +Date: Tue, 27 Jan 2015 22:38:10 +0000 +Subject: anti_poodle + +--- + config.c | 21 ++++++++++++++++++++- + pound.h | 2 ++ + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/config.c b/config.c +index dfe0ff6..55ae404 100755 +--- a/config.c ++++ b/config.c +@@ -76,7 +76,7 @@ static regex_t ListenHTTP, ListenHTTPS, End, Address, Port, Cert, xHTTP, Client + static regex_t Err414, Err500, Err501, Err503, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination; + static regex_t Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd, Emergency, Priority, HAport, HAportAddr; + static regex_t Redirect, RedirectN, TimeOut, Session, Type, TTL, ID, DynScale; +-static regex_t ClientCert, AddHeader, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11; ++static regex_t ClientCert, AddHeader, DisableSSLv2, DisableSSLv3, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11; + static regex_t Grace, Include, ConnTO, IgnoreCase, HTTPS, HTTPSCert, Disabled, Threads, CNName; + + static regmatch_t matches[5]; +@@ -864,6 +864,8 @@ parse_HTTPS(void) + res->err501 = "This method may not be used."; + res->err503 = "The service is not available. 
Please try again later."; + res->allow_cl_reneg = 0; ++ res->disable_ssl_v2 = 0; ++ res->disable_ssl_v3 = 0; + res->log_level = log_level; + if(regcomp(&res->verb, xhttp[0], REG_ICASE | REG_NEWLINE | REG_EXTENDED)) + conf_err("xHTTP bad default pattern - aborted"); +@@ -1049,6 +1051,10 @@ parse_HTTPS(void) + strcat(res->add_head, "\r\n"); + strcat(res->add_head, lin + matches[1].rm_so); + } ++ } else if(!regexec(&DisableSSLv2, lin, 4, matches, 0)) { ++ res->disable_ssl_v2 = 1; ++ } else if(!regexec(&DisableSSLv3, lin, 4, matches, 0)) { ++ res->disable_ssl_v3 = 1; + } else if(!regexec(&SSLAllowClientRenegotiation, lin, 4, matches, 0)) { + res->allow_cl_reneg = atoi(lin + matches[1].rm_so); + if (res->allow_cl_reneg == 2) { +@@ -1145,7 +1151,16 @@ parse_HTTPS(void) + SSL_CTX_set_app_data(pc->ctx, res); + SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY); + SSL_CTX_set_options(pc->ctx, ssl_op_enable); ++ SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION); + SSL_CTX_clear_options(pc->ctx, ssl_op_disable); ++ if (res->disable_ssl_v2 == 1) ++ { ++ SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv2); ++ } ++ if (res->disable_ssl_v3 == 1) ++ { ++ SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv3); ++ } + sprintf(lin, "%d-Pound-%ld", getpid(), random()); + SSL_CTX_set_session_id_context(pc->ctx, (unsigned char *)lin, strlen(lin)); + SSL_CTX_set_tmp_rsa_callback(pc->ctx, RSA_tmp_callback); +@@ -1346,6 +1361,8 @@ config_parse(const int argc, char **const argv) + || regcomp(&ClientCert, "^[ \t]*ClientCert[ \t]+([0-3])[ \t]+([1-9])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) + || regcomp(&AddHeader, "^[ \t]*AddHeader[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) + || regcomp(&SSLAllowClientRenegotiation, "^[ \t]*SSLAllowClientRenegotiation[ \t]+([012])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) ++ || regcomp(&DisableSSLv2, "^[ \t]*DisableSSLv2[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) ++ || regcomp(&DisableSSLv3, "^[ \t]*DisableSSLv3[ \t]*$", REG_ICASE | 
REG_NEWLINE | REG_EXTENDED) + || regcomp(&SSLHonorCipherOrder, "^[ \t]*SSLHonorCipherOrder[ \t]+([01])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) + || regcomp(&Ciphers, "^[ \t]*Ciphers[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) + || regcomp(&CAlist, "^[ \t]*CAlist[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) +@@ -1506,6 +1523,8 @@ config_parse(const int argc, char **const argv) + regfree(&ClientCert); + regfree(&AddHeader); + regfree(&SSLAllowClientRenegotiation); ++ regfree(&DisableSSLv2); ++ regfree(&DisableSSLv3); + regfree(&SSLHonorCipherOrder); + regfree(&Ciphers); + regfree(&CAlist); +diff --git a/pound.h b/pound.h +index 3feb0fd..21dd9b7 100755 +--- a/pound.h ++++ b/pound.h +@@ -405,6 +405,8 @@ typedef struct _listener { + int disabled; /* true if the listener is disabled */ + int log_level; /* log level for this listener */ + int allow_cl_reneg; /* Allow Client SSL Renegotiation */ ++ int disable_ssl_v2; /* Disable SSL version 2 */ ++ int disable_ssl_v3; /* Disable SSL version 3 */ + SERVICE *services; + struct _listener *next; + } LISTENER; diff -Nru pound-2.6/debian/patches/http_https_redirect_encoding_fix.patch pound-2.6/debian/patches/http_https_redirect_encoding_fix.patch --- pound-2.6/debian/patches/http_https_redirect_encoding_fix.patch 1970-01-01 01:00:00.000000000 +0100 +++ pound-2.6/debian/patches/http_https_redirect_encoding_fix.patch 2015-01-27 23:31:30.000000000 +0000 
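Review bot: In parse_HTTPS the new `SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION);` is used without the `#ifdef SSL_OP_NO_COMPRESSION` guard that tls_compression_disable.patch (applied before this one in series) puts around every other use, and that patch already ORs the flag into `ssl_op_enable`, which is applied to this same context on the line above; the new line is redundant and will not compile on the pre-1.0 OpenSSL that the pound.c fallback exists for, so drop it. Both new flags default to 0, so a listener without a `DisableSSLv3` directive still negotiates SSLv3, which is the protocol the patch name says it is mitigating; if opt-in is deliberate, say so in a comment at `res->disable_ssl_v3 = 0;`. The diffstat lists only config.c and pound.h, so pound.8 gains no entry for DisableSSLv2/DisableSSLv3 although anti_beast.patch does extend the man page for its own directives. The `if (res->disable_ssl_v2 == 1)` blocks also put the opening brace on its own line, unlike the rest of the function.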
@@ -0,0 +1,32 @@ +From: kieranjwelch +Date: Tue, 8 Oct 2013 16:17:09 +0100 +Subject: http_https_redirect_encoding_fix + +Fixed incorrect encoding of '=' when redirecting from http > https +--- + http.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/http.c b/http.c +index b937e87..32528b0 100755 +--- a/http.c ++++ b/http.c +@@ -77,12 +77,12 @@ redirect_reply(BIO *const c, const char *url, const int code) + break; + } + for(i=0,j=0; url[i] && j= 'A' && ch <='Z') || +- (ch>= 'a' && ch <='z') || +- (ch>= '0' && ch <='9') || +- ch == '-' || ch == '_' || ch == '.' || ch == ':' || ch == '/' || ch == '?' || ch == '&' || ch == ';') { ++ ch = url[i]; ++ if ( ++ (ch>= 'A' && ch <='Z') || ++ (ch>= 'a' && ch <='z') || ++ (ch>= '0' && ch <='9') || ++ ch == '-' || ch == '_' || ch == '.' || ch == ':' || ch == '/' || ch == '?' || ch == '&' || ch == ';' || ch == '=') { + + urlbuf[j++] = ch; + continue; diff -Nru pound-2.6/debian/patches/series pound-2.6/debian/patches/series --- pound-2.6/debian/patches/series 2012-02-03 09:43:39.000000000 +0000 +++ pound-2.6/debian/patches/series 2015-01-27 23:31:30.000000000 +0000 @@ -1,2 +1,5 @@ anti_beast.patch xss_redirect_fix.patch +tls_compression_disable.patch +anti_poodle.patch +http_https_redirect_encoding_fix.patch diff -Nru pound-2.6/debian/patches/tls_compression_disable.patch pound-2.6/debian/patches/tls_compression_disable.patch --- pound-2.6/debian/patches/tls_compression_disable.patch 1970-01-01 01:00:00.000000000 +0100 +++ pound-2.6/debian/patches/tls_compression_disable.patch 2015-01-27 23:31:30.000000000 +0000 
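Review bot: Adding `=` to the pass-through set in redirect_reply fixes query strings, but the loop still routes `%` to the encoding branch below the hunk, so a URL that is already percent-encoded is presumably encoded a second time (`%20` becoming `%2520`) and the redirect target changes; `~`, which RFC 3986 lists as unreserved, is treated the same way. I cannot see the encoding branch or the callers in this hunk, so confirm whether already-encoded input can reach here before changing the allow-list; if it can, passing `%` through only when followed by two hex digits keeps the XSS-motivated allow-list intact while avoiding double encoding. The `for` header is garbled in this view, so the `j` bound against `urlbuf` could not be checked; redirect_reply continues outside the hunk.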
@@ -0,0 +1,71 @@ +From: Brett Parker +Date: Tue, 27 Jan 2015 22:33:33 +0000 +Subject: tls_compression_disable + +--- + config.c | 9 +++++++++ + pound.c | 17 +++++++++++++++++ + 2 files changed, 26 insertions(+) + +diff --git a/config.c b/config.c +index b066dd8..dfe0ff6 100755 +--- a/config.c ++++ b/config.c +@@ -293,6 +293,9 @@ parse_be(const int is_emergency) + SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL); + SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY); + SSL_CTX_set_options(res->ctx, SSL_OP_ALL); ++#ifdef SSL_OP_NO_COMPRESSION ++ SSL_CTX_set_options(res->ctx, SSL_OP_NO_COMPRESSION); ++#endif + SSL_CTX_clear_options(res->ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); + SSL_CTX_clear_options(res->ctx, SSL_OP_LEGACY_SERVER_CONNECT); + sprintf(lin, "%d-Pound-%ld", getpid(), random()); +@@ -313,6 +316,9 @@ parse_be(const int is_emergency) + SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL); + SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY); + SSL_CTX_set_options(res->ctx, SSL_OP_ALL); ++#ifdef SSL_OP_NO_COMPRESSION ++ SSL_CTX_set_options(res->ctx, SSL_OP_NO_COMPRESSION); ++#endif + SSL_CTX_clear_options(res->ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); + SSL_CTX_clear_options(res->ctx, SSL_OP_LEGACY_SERVER_CONNECT); + sprintf(lin, "%d-Pound-%ld", getpid(), random()); +@@ -842,6 +848,9 @@ parse_HTTPS(void) + POUND_CTX *pc; + + ssl_op_enable = SSL_OP_ALL; ++#ifdef SSL_OP_NO_COMPRESSION ++ ssl_op_enable |= SSL_OP_NO_COMPRESSION; ++#endif + ssl_op_disable = SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION | SSL_OP_LEGACY_SERVER_CONNECT; + + if((res = (LISTENER *)malloc(sizeof(LISTENER))) == NULL) +diff --git a/pound.c b/pound.c +index 9667dcd..79007f6 100755 +--- a/pound.c ++++ b/pound.c +@@ -251,6 +251,23 @@ main(const int argc, char **argv) + CRYPTO_set_locking_callback(l_lock); + init_timer(); + ++ /* Disable SSL Compression for OpenSSL pre-1.0. 
1.0 is handled with an option in config.c */ ++#if OPENSSL_VERSION_NUMBER >= 0x00907000L ++#ifndef SSL_OP_NO_COMPRESSION ++ { ++ int i,n; ++ STACK_OF(SSL_COMP) *ssl_comp_methods; ++ ++ ssl_comp_methods = SSL_COMP_get_compression_methods(); ++ n = sk_SSL_COMP_num(ssl_comp_methods); ++ ++ for(i=n-1; i>=0; i--) { ++ sk_SSL_COMP_delete(ssl_comp_methods, i); ++ } ++ } ++#endif ++#endif ++ + /* prepare regular expressions */ + if(regcomp(&HEADER, "^([a-z0-9!#$%&'*+.^_`|~-]+):[ \t]*(.*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) + || regcomp(&CHUNK_HEAD, "^([0-9a-f]+).*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) diff -Nru pound-2.6/debian/patches/xss_redirect_fix.patch pound-2.6/debian/patches/xss_redirect_fix.patch --- pound-2.6/debian/patches/xss_redirect_fix.patch 2012-02-03 09:46:07.000000000 +0000 +++ pound-2.6/debian/patches/xss_redirect_fix.patch 2015-01-27 23:31:30.000000000 +0000 @@ -1,10 +1,16 @@ -From: Joe Gooch -Author: Joe Gooch -Description: Fix logic for redirect to overcome potential XSS -Forwarded: http://www.apsis.ch/pound/pound_list/archive/2012/2012-02/1328105174000#1328207465000 +From: Brett Parker +Date: Tue, 27 Jan 2015 22:32:48 +0000 +Subject: xss_redirect_fix + +--- + http.c | 41 ++++++++++++++++++++++++++++++++++------- + 1 file changed, 34 insertions(+), 7 deletions(-) + +diff --git a/http.c b/http.c +index d420b69..b937e87 100755 --- a/http.c +++ b/http.c -@@ -46,13 +46,24 @@ +@@ -46,13 +46,24 @@ err_reply(BIO *const c, const char *head, const char *txt) return; } @@ -30,7 +36,7 @@ switch(code) { case 301: -@@ -65,14 +76,30 @@ +@@ -65,14 +76,30 @@ redirect_reply(BIO *const c, const char *url, const int code) code_msg = "Found"; break; }
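Review bot: In the pound.c block for pre-1.0 OpenSSL, `sk_SSL_COMP_delete(ssl_comp_methods, i)` returns the removed `SSL_COMP *` and the value is discarded; as far as I can tell those entries are heap-allocated when OpenSSL builds the list, so this is a small one-time leak at startup rather than a functional bug, but either free the returned pointer or add a comment saying the leak is accepted. The two nested conditionals end in bare `#endif` lines; closing them as `#endif /* !SSL_OP_NO_COMPRESSION */` and `#endif /* OPENSSL_VERSION_NUMBER >= 0x00907000L */` would make the fallback easier to follow, and the opening comment could name the three guarded `SSL_OP_NO_COMPRESSION` uses in config.c as the 1.0 path it refers to. `int i,n;` and `for(i=n-1; i>=0; i--)` also diverge from the spacing used in the surrounding context. main continues outside the hunk.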