author    salo <salo@pkgsrc.org>  2007-05-31 11:10:45 +0000
committer salo <salo@pkgsrc.org>  2007-05-31 11:10:45 +0000
commit    86cd86aee88d8a39c66cc4c71311b23f86890f9a (patch)
tree      e0ffb9e145ff8ef7eeecb08d1d4b777851530c61
parent    849dbd47f8e1693e69da6d70a8a34a3ef7984c07 (diff)
download  pkgsrc-86cd86aee88d8a39c66cc4c71311b23f86890f9a.tar.gz
Pullup ticket 2100 - requested by obache
security update for ap-jk

Revisions pulled up:
- pkgsrc/www/ap-jk/Makefile.common 1.5, 1.6
- pkgsrc/www/ap-jk/distinfo 1.8, 1.9
- pkgsrc/www/ap-jk/patches/patch-aa 1.5

Module Name: pkgsrc
Committed By: obache
Date: Wed Apr 25 06:24:02 UTC 2007

Modified Files:
pkgsrc/www/ap-jk: Makefile.common distinfo
pkgsrc/www/ap-jk/patches: patch-aa

Log Message:
Update ap-jk to 1.2.22.

Changes between 1.2.21 and 1.2.22

Native
Refactor line endings logging to make it correct for all platforms and webservers. (mturk)
Added command line windows make files. (mturk)
Allow fail_on_status directive to be multi line. (mturk)
42076: Fix name of new option from ForwardCertChain to ForwardSSLCertChain as documented. (rjung)
Docs: Fix a couple of typos, change format of a few tables, fix links to news pages. (rjung)
Fix correct URL for TC 6 examples in new IIS rewrite.properties configuration example file. (rjung)
Add svn properties to several files. (rjung)
Add TC 6 examples to uriworkermap.properties in config examples. (rjung)
Allow multiple status codes for fail_on_status directive. The status codes can be delimited by space or comma characters. (mturk)
IIS. Added pcre like regular expressions for url rewrite rules. (mturk)
41922: Apache 1.3. Enable JkEnvVar. (mturk)
Apache. Add --enable-flock configure parameter for explicit compilation of faster flock() system calls for OS supporting those calls. By default the fcntl system call for locking will be used, which is a little bit slower but can work on NFS mounted volumes as well. (mturk)
41562: Add Debug logging for read from client in ISAPI Redirector. Contributed by Tim Whittington. (mturk)
Apache. Add ForwardSSLCertChain JkOption. Contributed by Patrik Schnellmann. (mturk)
IIS. Do not forbid access to web-inf or meta-inf if there is no mapped worker. This allows having resources with those names that are outside mapped contexts. (mturk)
Apache. Use process id for creating shared memory name and delete shared memory and shared memory lock files on exit. (mturk)
IIS. Fix Keep-Alive regression introduced in 1.2.21. (mturk)
Delete unused check for empty init_map during startup. (rjung)
41770: Fix startup error if no JkWorkersFile is used. (rjung)
Use JK_TRUE/JK_FALSE instead of OK/!OK as return values in init_jk(). (rjung)
Minor adjustments to apache startup log messages (when to use STDERR, remove deprecated NOERRNO flag, shm warning and warnings for usage of default files). (rjung)
Replace APR precompiler directive by httpd mpm_query to detect MPM threading. Add a debug log message about auto-detected pool size. (rjung)
Make MMN check easier to understand and a little more precise (for new ap_get_server_banner()/ap_get_server_description()). We use the new API only for Apache httpd 2.3. This way our binaries are not tightly coupled to a minor 2.0 version, and we don't use ap_get_server_banner() anyway. (rjung)
Use the full description string ap_get_server_description() instead of the truncated info from ap_get_server_banner(), because this info gets used internally (status worker display and ajp14 backend communication) and is not sent back to the normal user. (rjung)
41757: Document the "--enable-prefork" flag of configure. (rjung)
Enhance log messages for failures when parsing attribute maps. (rjung)
Correct log message during worker initialization, in case remote host could not be resolved. We logged the default host name "localhost" instead of the configured one. (rjung)
41770: Fix the second part of the bug: local_worker and local_worker_only are missing from the list of deprecated attributes (and not supported either), which prevents the web server from starting up. (rjung)

Changes between 1.2.20 and 1.2.21

Native
CVE-2007-0774: A denial of service and critical remote code execution vulnerability. Caused by buffer overflow in map_uri_to_worker() when URLs were longer than 4095 bytes. Reported by ZDI (www.zerodayintiative.com). Please note this issue only affected versions 1.2.19 and 1.2.20 of the Apache Tomcat JK Web Server Connector and not previous versions. Tomcat 5.5.20 and Tomcat 4.1.34 included a vulnerable version in their source packages. Other versions of Tomcat were not affected.
Check the worker. parameters and don't start if the parameter is not a valid one. (jfclere)
41439: Allow session IDs to get stripped off URLs of static content in Apache by adding JkStripSession directive (configurable per vhost). (mturk)
Change semantics of empty defaults for JkEnvVar variables. Until 1.2.19: not allowed. In 1.2.20: send variables as empty strings, if neither set to non empty in config, nor during runtime. Starting with 1.2.21: If config has no second argument only send variable if set (even when set to empty string) during runtime. Allows good combination with condition attribute in tomcat access log. (rjung)
41610: Fix incorrect detection of missing Content-Length header leading to duplicate headers. Contributed by Boris Maras. (rjung)
Better build support for SunONE (Netscape/iPlanet) webservers. (jim)
Add warning if duplicate map keys are read and are not allowed, e.g. when parsing uriworkermap.properties. (rjung)
Don't concat worker names, if uriworkermap.properties has a duplicate pattern, instead overwrite the worker. (rjung)
Log deprecation message even in duplication case. (rjung)
uriworkermap.properties: Fix off-by-one problem when deleting URL mapping during reloading of uriworkermap.properties. (rjung)
41439: Allow session IDs to get stripped off URLs of static content in IIS (configurable). (rjung)
41333: Re New attribute user (list) denies access, if the request user in the sense of remote_user is not in this list. Empty list = no deny (rjung)
Status Worker: New attribute read_only di (rjung)
36121: Don't change main uri when mod_jk serves included uri. (markt)
Apache VHosts: Merge JkOptions +base - -base + +vhost - -vhost. (rjung)
Apache Docs: Adding requirements, context information, default values and inheritance rules tpe to status worker, remove the redundant "context" column in the map listing (context=uri). (rjung)
uriworkermap: On reload of the file, all old entries from the previous file versiops and exclusion maps internally separate. Don't treat them as the same when adding a rule. (rjung)
Status Worker: Display mapping rules also for non-lb workers and in global view. (r the main log. (rjung)
Apache VHosts: Allow individual timestamp formats by refactoring the formatting method. (rjung)
Apache VHosts: Adding all missing config items to the virtual host level. Don't overwrite the settings from the global server, but inherit them in case they are not set in the virtual host. (rjung)
Apache: remove unnecessary function names from log messages. (rjung)
Apache: add a default log file location and a message, if the default gets used. (rjung)
Apache: add missing JK_IS_DEBUG_LEVEL() (rjung)
Apache VHosts: Allow JkWorkersFile, JKWorkerProperty, JkShmFile and JkShmFileSize only in global virtual server. (rjung)
Add some more jk_close_socket() and reduce log level for some info messages. (rjung)
Load Balancer: Added the Sessions strategy. Contributed by Takayuki Kaneko. (rjung)
Docs: Minor enhancements and syncing with more recent versions. (rjung)
40997: Separate uri mappings from their '!' counterpart when checking for duplicates in(rjung)
40877: Make sure the shared memory is reset on attach for multiple web server child processes. (mturk)
IIS: Added shm_size property to be able to deal with over 64 workers case default thread count to 250, so it's the same as Apache Httpd default configuration. (mturk)
40966: Fix socket descriptor checks on windows. (mturk)
40965: Initialize missing servi(mturk)
40938: Fix releasing of rewrite map. Thanks to Chris Adams for spotting that. (mturk)
Apache: Added +FlushHeader JkOptions. (mturk)
Added explicit flush when AJP body packet sensitivity bug in URL mapping. (rjung)
40793: Documentation: Improvements to Apache HowTo provided by Paul Charles Leddy. (markt)
40774: Fixing wrong recursion termination. This one restricted the "reference" feature unintentionally to 20 wor
40716: Adding "reference" feature to IIS and Netscape. (rjung)
Documentation: Corrected SetEnvIf syntax in JK_WORKER_NAME example. (rjung)
Documentation: Added forgotten STATE and A Apache. (rjung)
Apache: Use instdso.sh instead of libtool: libtool does not work on HP-UX for example. (jfclere)
---
Module Name: pkgsrc
Committed By: obache
Date: Tue May 29 02:22:22 UTC 2007

Modified Files:
pkgsrc/www/ap-jk: Makefile.common distinfo

Log Message:
Update ap-jk to 1.2.23. It fixes an Important vulnerability.

Changes between 1.2.22 and 1.2.23

Native
Change the default value of JkOptions to ForwardURICompatUnparsed. The old default value was ForwardURICompat. This should make URL interpretation between Apache httpd and Tomcat consistent (prevent double decoding problems). (rjung)
-rw-r--r--  www/ap-jk/Makefile.common    4
-rw-r--r--  www/ap-jk/distinfo          10
-rw-r--r--  www/ap-jk/patches/patch-aa   6
3 files changed, 10 insertions, 10 deletions
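The distinfo hunk in this commit records SHA1, RMD160 and Size entries that pkgsrc checks a fetched distfile against before it is unpacked. The following is an added example, written for this page rather than taken from pkgsrc's own make machinery: it parses that entry format and verifies a file against it, treating a digest algorithm that the local hashlib build cannot provide (ripemd160 is missing from some OpenSSL 3 builds) as skipped rather than as a pass. The distfile name `example-src.tar.gz`, the RCS id line and the patch-aa value are constructed for the example; the distfile content is the three bytes `abc`, whose SHA1 and RIPEMD-160 digests are published test vectors.

```python
import hashlib
import os
import re
import tempfile

# Constructed distinfo text in the format shown in the commit's distinfo hunk.
# The file name and the patch-aa value are made up; the SHA1/RMD160/Size
# values are those of the three-byte "distfile" b"abc".
SAMPLE_DISTINFO = """\
$NetBSD: distinfo,v 0.0 2007/05/31 00:00:00 example Exp $

SHA1 (example-src.tar.gz) = a9993e364706816aba3e25717850c26c9cd0d89d
RMD160 (example-src.tar.gz) = 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc
Size (example-src.tar.gz) = 3 bytes
SHA1 (patch-aa) = 0000000000000000000000000000000000000000
"""

# One distinfo entry: "<ALGO> (<file>) = <value>[ bytes]"
ENTRY_RE = re.compile(r"^(SHA1|RMD160|SHA512|Size) \(([^)]+)\) = (\S+)(?: bytes)?$")

# distinfo algorithm names -> hashlib constructor names
HASHLIB_NAMES = {"SHA1": "sha1", "RMD160": "ripemd160", "SHA512": "sha512"}


def parse_distinfo(text):
    """Return {file: {algorithm: expected_value}}; non-entry lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            algo, name, value = m.groups()
            entries.setdefault(name, {})[algo] = value
    return entries


def _digest(path, hashlib_name):
    """Hex digest of a file, streamed so large tarballs are not read at once."""
    h = hashlib.new(hashlib_name)  # raises ValueError if the algorithm is unavailable
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_distfile(path, expected):
    """Check one file against its distinfo entry.

    Returns (ok, report). report maps each algorithm to 'ok', 'mismatch' or
    'skipped'. ok is True only if no value mismatched AND at least one real
    digest (not just Size) was actually compared, so an environment that
    cannot compute any of the listed hashes does not vacuously pass.
    """
    report = {}
    for algo, want in expected.items():
        if algo == "Size":
            got = str(os.path.getsize(path))
        else:
            try:
                got = _digest(path, HASHLIB_NAMES[algo])
            except ValueError:
                report[algo] = "skipped"  # algorithm not provided by this hashlib build
                continue
        report[algo] = "ok" if got.lower() == want.lower() else "mismatch"
    digest_checked = any(a != "Size" and r == "ok" for a, r in report.items())
    ok = digest_checked and "mismatch" not in report.values()
    return ok, report


def demo():
    """Verify the constructed distfile, then show a same-size tampered copy is caught."""
    entries = parse_distinfo(SAMPLE_DISTINFO)
    expected = entries["example-src.tar.gz"]
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "example-src.tar.gz")
        with open(good, "wb") as f:
            f.write(b"abc")
        ok_good, report_good = verify_distfile(good, expected)

        bad = os.path.join(d, "tampered.tar.gz")
        with open(bad, "wb") as f:
            f.write(b"abd")  # same Size, different content: only the digests catch it
        ok_bad, report_bad = verify_distfile(bad, expected)
    return ok_good, ok_bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The size check alone is not a defence (the tampered copy has the right Size); the digests are what carry the integrity guarantee, which is why `verify_distfile` refuses to report success when every digest had to be skipped.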
diff --git a/www/ap-jk/Makefile.common b/www/ap-jk/Makefile.common
index dc7f7210f47..3bb787385a8 100644
--- a/www/ap-jk/Makefile.common
+++ b/www/ap-jk/Makefile.common
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile.common,v 1.4 2007/02/22 19:27:18 wiz Exp $
+# $NetBSD: Makefile.common,v 1.4.2.1 2007/05/31 11:10:45 salo Exp $
-JK_VERSION= 1.2.19
+JK_VERSION= 1.2.23
CATEGORIES= www java
MASTER_SITES= http://www.apache.org/dist/tomcat/tomcat-connectors/jk/source/jk-${JK_VERSION}/
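Review bot: the bump from JK_VERSION 1.2.19 to 1.2.23 crosses two security-relevant upstream changes named in the log message, the CVE-2007-0774 map_uri_to_worker() overflow fixed in 1.2.21 and the JkOptions default moving from ForwardURICompat to ForwardURICompatUnparsed in 1.2.23; the second is a behaviour change for existing configurations that relied on the old default, so it deserves an explicit line in the pullup message rather than being implied by the version number. Since MASTER_SITES fetches over plain http://, integrity of the new tarball rests entirely on the distinfo checksums, so this hunk should only be pulled up together with the distinfo update.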
diff --git a/www/ap-jk/distinfo b/www/ap-jk/distinfo
index fe9ade001c4..dbb7f7ba6bd 100644
--- a/www/ap-jk/distinfo
+++ b/www/ap-jk/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.7 2006/11/15 11:04:04 abs Exp $
+$NetBSD: distinfo,v 1.7.4.1 2007/05/31 11:10:45 salo Exp $
-SHA1 (tomcat-connectors-1.2.19-src.tar.gz) = 7e49c98000455ea226b16c45cf63fd565c2221eb
-RMD160 (tomcat-connectors-1.2.19-src.tar.gz) = f48895b847b84a77f95ec87faa47115b023f686f
-Size (tomcat-connectors-1.2.19-src.tar.gz) = 1246419 bytes
-SHA1 (patch-aa) = 27774432ecc82209e47beca24a54ef5139d4e2eb
+SHA1 (tomcat-connectors-1.2.23-src.tar.gz) = 9ab3c108a9e6b20dc7dd172917f8941eee0ec32c
+RMD160 (tomcat-connectors-1.2.23-src.tar.gz) = d7892ff73f22e83feb49b4746d769f518e3f4c6a
+Size (tomcat-connectors-1.2.23-src.tar.gz) = 1368060 bytes
+SHA1 (patch-aa) = c7a68265883fd7494356543a17dcec0be7744fe9
SHA1 (patch-ab) = 57e4ead1a73d9a47fb634d5c7fb18d49d0393a08
SHA1 (patch-ac) = 14fdec1c921f369ee51a5d73a3bee3ec9056f07a
SHA1 (patch-ad) = 2c2548e0c5b5909c7fab369c97f747c4e4c47df2
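Review bot: SHA1, RMD160 and Size are updated consistently for the 1.2.23 tarball and patch-aa is re-checksummed, but patch-ab, patch-ac and patch-ad keep their old checksums, which means they were not regenerated against the new source tree; worth confirming that they still apply to tomcat-connectors-1.2.23 without fuzz, since a patch that lands at a shifted offset can silently modify the wrong code.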
diff --git a/www/ap-jk/patches/patch-aa b/www/ap-jk/patches/patch-aa
index ca877265397..c32c47b7832 100644
--- a/www/ap-jk/patches/patch-aa
+++ b/www/ap-jk/patches/patch-aa
@@ -1,8 +1,8 @@
-$NetBSD: patch-aa,v 1.4 2006/01/31 16:26:22 abs Exp $
+$NetBSD: patch-aa,v 1.4.10.1 2007/05/31 11:10:45 salo Exp $
---- common/jk_util.c.orig 2005-07-01 16:41:08.000000000 +0100
+--- common/jk_util.c.orig 2007-04-10 14:29:48.000000000 +0000
+++ common/jk_util.c
-@@ -1242,7 +1242,7 @@ int jk_gettid()
+@@ -1720,7 +1720,7 @@ int jk_gettid()
pthread_getunique_np(&t, &tid);
return ((int)(tid.intId.lo & 0xFFFFFFFF));
#else
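Review bot: only the RCS id, the .orig timestamp and the hunk offset (@@ -1242,7 to @@ -1720,7) change here while the jk_gettid() lines themselves stay identical; an offset-only regeneration is fine provided the new offset came from re-running the patch against the 1.2.23 jk_util.c rather than from a hand edit, which the updated patch-aa checksum in distinfo should correspond to.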