author | tron <tron@pkgsrc.org> | 2008-06-25 10:35:40 +0000 |
committer | tron <tron@pkgsrc.org> | 2008-06-25 10:35:40 +0000 |
commit | 18af6ec3aeb922f9737be32dc74e17f081a35c1e (patch) | |
tree | 45c83b6fe407af851e1359267f584c1237637b98 | |
parent | c7e44796a51cb26660c67eb70d6992f54dda0195 (diff) | |
download | pkgsrc-18af6ec3aeb922f9737be32dc74e17f081a35c1e.tar.gz |
Pullup ticket #2434 - requested by he
Security patch for apache2
Revisions pulled up:
- www/apache2/Makefile.common 1.25
- www/apache2/distinfo 1.53
- www/apache2/patches/patch-ap 1.5
---
Module Name: pkgsrc
Committed By: he
Date: Fri Jun 20 13:28:08 UTC 2008
Modified Files:
pkgsrc/www/apache2: Makefile.common distinfo
Added Files:
pkgsrc/www/apache2/patches: patch-ap
Log Message:
Apply the patch for CVE-2008-2364 from apache.
Bump pkg revision.
-rw-r--r-- | www/apache2/Makefile.common | 3 | ||||
-rw-r--r-- | www/apache2/distinfo | 3 | ||||
-rw-r--r-- | www/apache2/patches/patch-ap | 70 |
3 files changed, 74 insertions, 2 deletions
diff --git a/www/apache2/Makefile.common b/www/apache2/Makefile.common
index f58f064a53b..2f7e32080b3 100644
--- a/www/apache2/Makefile.common
+++ b/www/apache2/Makefile.common
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.24 2008/01/21 14:38:29 taca Exp $
+# $NetBSD: Makefile.common,v 1.24.2.1 2008/06/25 10:35:40 tron Exp $
 
 # used by devel/apr0/Makefile
@@ -7,6 +7,7 @@ EXTRACT_SUFX= .tar.bz2
 # When updating this version be sure to update the checksum and remove
 # any PKGREVISION for devel/apr also.
 APACHE_VERSION= 2.0.63
+PKGREVISION= 1
 APR_VERSION= 0.9.17
 MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
 ${MASTER_SITE_APACHE:=httpd/old/} \
diff --git a/www/apache2/distinfo b/www/apache2/distinfo
index 7a74aab02db..c95dda89546 100644
--- a/www/apache2/distinfo
+++ b/www/apache2/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.52 2008/01/21 14:37:22 taca Exp $
+$NetBSD: distinfo,v 1.52.2.1 2008/06/25 10:35:41 tron Exp $
 
 SHA1 (httpd-2.0.63.tar.bz2) = 20e2b64944e38e96491af788a37cb709d2c5b755
 RMD160 (httpd-2.0.63.tar.bz2) = f6a7de59860f627ac40b245fcf742fb07e1b4870
@@ -13,3 +13,4 @@ SHA1 (patch-ak) = f11a86b1235d5c595fa381bbb474db4fe8448215
 SHA1 (patch-al) = 9af7b6c56177d971e135f0a00b3ab9ded5d1b6dd
 SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
 SHA1 (patch-ao) = c629a7563d0e555922526e26b266251144a14ff6
+SHA1 (patch-ap) = 260b9c88bbcb238a81319ff5bef523ec6d765a27
diff --git a/www/apache2/patches/patch-ap b/www/apache2/patches/patch-ap
new file mode 100644
index 00000000000..e0da5595212
--- /dev/null
+++ b/www/apache2/patches/patch-ap
@@ -0,0 +1,70 @@
+$NetBSD: patch-ap,v 1.4.6.1 2008/06/25 10:35:41 tron Exp $
+
+This is directly from
+http://www.apache.org/dist/httpd/patches/apply_to_2.0.63/CVE-2008-2364-patch-2.0.txt
+and as the name indicates a security-related patch.
+
+Index: modules/proxy/proxy_http.c
+===================================================================
+--- modules/proxy/proxy_http.c (revision 666240)
++++ modules/proxy/proxy_http.c (working copy)
+@@ -1290,6 +1290,16 @@
+ return 1;
+ }
+
++/*
++ * Limit the number of interim respones we sent back to the client. Otherwise
++ * we suffer from a memory build up. Besides there is NO sense in sending back
++ * an unlimited number of interim responses to the client. Thus if we cross
++ * this limit send back a 502 (Bad Gateway).
++ */
++#ifndef AP_MAX_INTERIM_RESPONSES
++#define AP_MAX_INTERIM_RESPONSES 10
++#endif
++
+ static
+ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
+ proxy_http_conn_t *p_conn,
+@@ -1322,7 +1332,7 @@
+ */
+ rp->proxyreq = PROXYREQ_RESPONSE;
+
+- while (received_continue) {
++ while (received_continue && (received_continue <= AP_MAX_INTERIM_RESPONSES)) {
+ apr_brigade_cleanup(bb);
+
+ len = ap_getline(buffer, sizeof(buffer), rp, 0);
+@@ -1440,7 +1450,9 @@
+ if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
+ ap_set_content_type(r, apr_pstrdup(p, buf));
+ }
+- ap_proxy_pre_http_request(origin,rp);
++ if (!ap_is_HTTP_INFO(r->status)) {
++ ap_proxy_pre_http_request(origin, rp);
++ }
+
+ /* handle Via header in response */
+ if (conf->viaopt != via_off && conf->viaopt != via_block) {
+@@ -1486,6 +1498,7 @@
+ if ( r->status != HTTP_CONTINUE ) {
+ received_continue = 0;
+ } else {
++ received_continue++;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
+ "proxy: HTTP: received 100 CONTINUE");
+ }
+@@ -1622,6 +1635,14 @@
+ }
+ }
+
++ /* See define of AP_MAX_INTERIM_RESPONSES for why */
++ if (received_continue > AP_MAX_INTERIM_RESPONSES) {
++ return ap_proxyerror(r, HTTP_BAD_GATEWAY,
++ apr_psprintf(p,
++ "Too many (%d) interim responses from origin server",
++ received_continue));
++ }
++
+ if ( conf->error_override ) {
+ /* the code above this checks for 'OK' which is what the hook expects */
+ if ( r->status == HTTP_OK ) |
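Review bot: The counting added by patch-ap only covers `HTTP_CONTINUE`: `received_continue++` sits in the `else` branch, while any other status sets `received_continue = 0` and so ends the `while (received_continue && (received_continue <= AP_MAX_INTERIM_RESPONSES))` loop, so other 1xx codes are not counted toward the limit and are presumably what the separate `ap_is_HTTP_INFO(r->status)` guard around `ap_proxy_pre_http_request` is for. The initial value of `received_continue` and the rest of `ap_proxy_http_process_response` lie outside the hunk, so the exact number of interim responses accepted before the post-loop `HTTP_BAD_GATEWAY` return cannot be confirmed from here. Because the default comes from an `#ifndef AP_MAX_INTERIM_RESPONSES` block, a different limit can be set at build time with a `-DAP_MAX_INTERIM_RESPONSES=...` in CPPFLAGS rather than by editing patch-ap; editing the patch (even to fix the upstream typo `respones`) would also require regenerating its SHA1 in distinfo.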