authorbsiegert <bsiegert@pkgsrc.org>2017-02-03 11:26:04 +0000
committerbsiegert <bsiegert@pkgsrc.org>2017-02-03 11:26:04 +0000
commitcd2a69dd419827c7fa9536c137a574e23a0be51d (patch)
treec4444131728dafd0f4132492d02e1e7d04823132
parent0f1c7df447d63e501db1f484c845a674e0cf7452 (diff)
downloadpkgsrc-cd2a69dd419827c7fa9536c137a574e23a0be51d.tar.gz
Pullup ticket #5204 - requested by sevan
www/apache2: security fix Revisions pulled up: - www/apache22/Makefile 1.111 - www/apache22/distinfo 1.66 - www/apache22/patches/patch-include_ap_mmn.h deleted - www/apache22/patches/patch-modules_proxy_mod_proxy.c deleted - www/apache22/patches/patch-modules_proxy_mod_proxy.h deleted - www/apache22/patches/patch-modules_proxy_proxy_util.c deleted - www/apache22/patches/patch-server_util__script.c deleted --- Module Name: pkgsrc Committed By: adam Date: Mon Jan 16 14:34:42 UTC 2017 Modified Files: pkgsrc/www/apache22: Makefile distinfo Removed Files: pkgsrc/www/apache22/patches: patch-include_ap_mmn.h patch-modules_proxy_mod_proxy.c patch-modules_proxy_mod_proxy.h patch-modules_proxy_proxy_util.c patch-server_util__script.c Log Message: Changes with Apache 2.2.32 *) SECURITY: CVE-2016-8743 (cve.mitre.org) Enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies. *) Validate HTTP response header grammar defined by RFC7230, resulting in a 500 error in the event that invalid response header contents are detected when serving the response, to avoid response splitting and cache pollution by malicious clients, upstream servers or faulty modules. *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues. *) core: Avoid a possible truncation of the faulty header included in the HTML response when LimitRequestFieldSize is reached. *) core: Enforce LimitRequestFieldSize after multiple headers with the same name have been merged. *) core: Drop Content-Length header and message-body from HTTP 204 responses. *) core: Permit unencoded ';' characters to appear in proxy requests and Location: response headers. Corresponds to modern browser behavior. *) core: ap_rgetline_core now pulls from r->proto_input_filters. *) core: Correctly parse an IPv6 literal host specification in an absolute URL in the request line. 
*) core: New directive RegisterHttpMethod for registering non-standard HTTP methods. *) core: Limit to ten the number of tolerated empty lines between requests. *) core: reject NULLs in request line or request headers. *) mod_proxy: Use the correct server name for SNI in case the backend SSL connection itself is established via a proxy server. *) Fix potential rejection of valid MaxMemFree and ThreadStackSize directives. *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3. *) mod_proxy: Correctly consider error response codes by the backend when processing failonstatus. *) mod_proxy: Play/restore the TLS-SNI on new backend connections which had to be issued because the remote closed the previous/reusable one during idle (keep-alive) time. *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params. *) mod_proxy: Fix a regression with 2.2.31 that caused inherited workers to use a different scoreboard slot than the original one. *) mod_proxy: Fix a race condition that caused a failed worker to be retried before the retry period is over. *) mod_proxy: don't recycle backend announced "Connection: close" connections to avoid reusing it should the close be effective after some new request is ready to be sent. *) mod_mem_cache: Fix concurrent removal of stale entries which could lead to a crash. *) mime.types: add common extension "m4a" for MPEG 4 Audio. *) mod_substitute: Allow to configure the patterns merge order with the new SubstituteInheritBefore on|off directive. *) mod_mem_cache: Don't cache incomplete responses when the client connection is aborted before the body is fully read. *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve failures under Visual Studio 2015 and other mismatched MSVCRT flavors. *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
-rw-r--r--www/apache22/Makefile5
-rw-r--r--www/apache22/distinfo15
-rw-r--r--www/apache22/patches/patch-include_ap_mmn.h27
-rw-r--r--www/apache22/patches/patch-modules_proxy_mod_proxy.c25
-rw-r--r--www/apache22/patches/patch-modules_proxy_mod_proxy.h25
-rw-r--r--www/apache22/patches/patch-modules_proxy_proxy_util.c63
-rw-r--r--www/apache22/patches/patch-server_util__script.c22
7 files changed, 7 insertions, 175 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 98e81df562c..14ba35874cd 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.110 2016/07/29 11:10:24 wiz Exp $
+# $NetBSD: Makefile,v 1.110.4.1 2017/02/03 11:26:04 bsiegert Exp $
-DISTNAME= httpd-2.2.31
+DISTNAME= httpd-2.2.32
PKGNAME= ${DISTNAME:S/httpd/apache/}
-PKGREVISION= 4
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
http://archive.apache.org/dist/httpd/ \
diff --git a/www/apache22/distinfo b/www/apache22/distinfo
index 89a427c27d7..b7ac5f007f0 100644
--- a/www/apache22/distinfo
+++ b/www/apache22/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.65 2016/07/29 11:10:24 wiz Exp $
+$NetBSD: distinfo,v 1.65.4.1 2017/02/03 11:26:04 bsiegert Exp $
-SHA1 (httpd-2.2.31.tar.bz2) = e3b55387112206307ba76526820a2627472f3787
-RMD160 (httpd-2.2.31.tar.bz2) = 5b073f5f556c74e19eba8e40faa5c5fa308e018a
-SHA512 (httpd-2.2.31.tar.bz2) = 5aa47d4b76f692bbd8b309135ff99152df98cf69b505b9daf3f13f7f2a31443eaf4995161adfbc47a133b4d0e091fda2d95fc6b87a956f0ada18d7466ee28e74
-Size (httpd-2.2.31.tar.bz2) = 5610489 bytes
+SHA1 (httpd-2.2.32.tar.bz2) = 36dc7f2ac97627192dcff0a121408b897f91b121
+RMD160 (httpd-2.2.32.tar.bz2) = 88789518915babeaa8dbf0e8130b6d630bebb6c3
+SHA512 (httpd-2.2.32.tar.bz2) = b1802579f4fc950705ddcf0a24f502ffadbd91d5693fdd3b290ac7ca40122f8fa48132ad1055afae9b841dd55e8bb343239be07ca431b0f60ea081f5c2fad2c3
+Size (httpd-2.2.32.tar.bz2) = 5777509 bytes
SHA1 (patch-aa) = e0bfdf6bc9cb034bea46a390a12a5508e363c9a7
SHA1 (patch-ab) = 365cc3b0ac2d9d68ccb94f5699fe168a1c9b0150
SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
@@ -15,11 +15,6 @@ SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1
SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4
SHA1 (patch-docs_man_apxs.8) = 70797ea73ae6379492971bec1106a8427ae7fdaa
-SHA1 (patch-include_ap_mmn.h) = 2fec04379f38ecc90debc69faafe38932099e5e1
SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1
-SHA1 (patch-modules_proxy_mod_proxy.c) = 67d8d441c546a46aa729ed82673da4883f73dec8
-SHA1 (patch-modules_proxy_mod_proxy.h) = a4453d85f6a3cf43df44f4e491aee07aaff44905
SHA1 (patch-modules_proxy_mod_proxy_connect.c) = b2b5d0242a92c7bf20b14c16d8cd3abae42f3746
-SHA1 (patch-modules_proxy_proxy_util.c) = 1368694ef3141c3a1e9a1ddd73664bbb33465271
SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1
-SHA1 (patch-server_util__script.c) = 770f773ba278ec774f1f5a812fa9956fad9cc3f8
diff --git a/www/apache22/patches/patch-include_ap_mmn.h b/www/apache22/patches/patch-include_ap_mmn.h
deleted file mode 100644
index e72493a2223..00000000000
--- a/www/apache22/patches/patch-include_ap_mmn.h
+++ /dev/null
@@ -1,27 +0,0 @@
-$NetBSD: patch-include_ap_mmn.h,v 1.1 2015/11/12 15:21:51 prlw1 Exp $
-
-Fix a regression with 2.2.31 that caused inherited workers to
-use a different scoreboard slot then the original one.
-
-https://svn.apache.org/viewvc?view=revision&revision=1700408
-
---- include/ap_mmn.h.orig 2015-06-05 16:50:47.000000000 +0000
-+++ include/ap_mmn.h
-@@ -158,6 +158,8 @@
- * 20051115.38 (2.2.30) Add ap_proxy_set_scoreboard_lb() in mod_proxy.h
- * 20051115.39 (2.2.30) Add ap_proxy_connection_reusable()
- * 20051115.40 (2.2.30) Add ap_map_http_request_error()
-+ * 20051115.41 (2.2.32) Add s member to proxy_server_conf struct and server
-+ * member to proxy_worker struct.
- */
-
- #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */
-@@ -165,7 +167,7 @@
- #ifndef MODULE_MAGIC_NUMBER_MAJOR
- #define MODULE_MAGIC_NUMBER_MAJOR 20051115
- #endif
--#define MODULE_MAGIC_NUMBER_MINOR 40 /* 0...n */
-+#define MODULE_MAGIC_NUMBER_MINOR 41 /* 0...n */
-
- /**
- * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
diff --git a/www/apache22/patches/patch-modules_proxy_mod_proxy.c b/www/apache22/patches/patch-modules_proxy_mod_proxy.c
deleted file mode 100644
index 8922b90454a..00000000000
--- a/www/apache22/patches/patch-modules_proxy_mod_proxy.c
+++ /dev/null
@@ -1,25 +0,0 @@
-$NetBSD: patch-modules_proxy_mod_proxy.c,v 1.3 2015/11/12 15:21:51 prlw1 Exp $
-
-Fix a regression with 2.2.31 that caused inherited workers to
-use a different scoreboard slot then the original one.
-
-https://svn.apache.org/viewvc?view=revision&revision=1700408
-
---- modules/proxy/mod_proxy.c.orig 2015-06-05 16:50:47.000000000 +0000
-+++ modules/proxy/mod_proxy.c
-@@ -1129,6 +1129,7 @@ static void * create_proxy_config(apr_po
- ps->badopt = bad_error;
- ps->badopt_set = 0;
- ps->pool = p;
-+ ps->s = s;
-
- return ps;
- }
-@@ -1172,6 +1173,7 @@ static void * merge_proxy_config(apr_poo
- ps->proxy_status = (overrides->proxy_status_set == 0) ? base->proxy_status : overrides->proxy_status;
- ps->proxy_status_set = overrides->proxy_status_set || base->proxy_status_set;
- ps->pool = p;
-+ ps->s = overrides->s;
- return ps;
- }
-
diff --git a/www/apache22/patches/patch-modules_proxy_mod_proxy.h b/www/apache22/patches/patch-modules_proxy_mod_proxy.h
deleted file mode 100644
index 7779283e6ba..00000000000
--- a/www/apache22/patches/patch-modules_proxy_mod_proxy.h
+++ /dev/null
@@ -1,25 +0,0 @@
-$NetBSD: patch-modules_proxy_mod_proxy.h,v 1.1 2015/11/12 15:21:51 prlw1 Exp $
-
-Fix a regression with 2.2.31 that caused inherited workers to
-use a different scoreboard slot then the original one.
-
-https://svn.apache.org/viewvc?view=revision&revision=1700408
-
---- modules/proxy/mod_proxy.h.orig 2015-07-15 16:10:27.000000000 +0000
-+++ modules/proxy/mod_proxy.h
-@@ -193,6 +193,7 @@ typedef struct {
- } proxy_status; /* Status display options */
- char proxy_status_set;
- apr_pool_t *pool; /* Pool used for allocating this struct */
-+ server_rec *s; /* The server_rec where this configuration was created in */
- } proxy_server_conf;
-
-
-@@ -369,6 +370,7 @@ struct proxy_worker {
- char disablereuse_set;
- apr_interval_time_t conn_timeout;
- char conn_timeout_set;
-+ server_rec *server; /* The server_rec where this configuration was created in */
- };
-
- /*
diff --git a/www/apache22/patches/patch-modules_proxy_proxy_util.c b/www/apache22/patches/patch-modules_proxy_proxy_util.c
deleted file mode 100644
index 3d34ea0d1b9..00000000000
--- a/www/apache22/patches/patch-modules_proxy_proxy_util.c
+++ /dev/null
@@ -1,63 +0,0 @@
-$NetBSD: patch-modules_proxy_proxy_util.c,v 1.1 2015/11/12 15:21:51 prlw1 Exp $
-
-Fix a regression with 2.2.31 that caused inherited workers to
-use a different scoreboard slot then the original one.
-
-https://svn.apache.org/viewvc?view=revision&revision=1700408
-
---- modules/proxy/proxy_util.c.orig 2015-07-15 16:10:27.000000000 +0000
-+++ modules/proxy/proxy_util.c
-@@ -1460,6 +1460,7 @@ PROXY_DECLARE(const char *) ap_proxy_add
- (*worker)->flush_packets = flush_off;
- (*worker)->flush_wait = PROXY_FLUSH_WAIT;
- (*worker)->smax = -1;
-+ (*worker)->server = conf->s;
- /* Increase the total worker count */
- proxy_lb_workers++;
- init_conn_pool(p, *worker);
-@@ -1807,6 +1808,7 @@ PROXY_DECLARE(void*) ap_proxy_set_scoreb
- server_rec *server)
- {
- if (ap_scoreboard_image && !worker->s) {
-+ server_rec *id_server;
- int i = 0;
- proxy_worker_stat *free_slot = NULL;
- proxy_worker_stat *s;
-@@ -1824,14 +1826,20 @@ PROXY_DECLARE(void*) ap_proxy_set_scoreb
- apr_md5_update(&ctx, (unsigned char *)balancer->name,
- strlen(balancer->name));
- }
-- if (server) {
-+ if (worker->server) {
-+ id_server = worker->server;
-+ }
-+ else {
-+ id_server = server;
-+ }
-+ if (id_server) {
- server_addr_rec *addr;
- /* Assumes the unique identifier of a vhost is its address(es)
- * plus the ServerName:Port. Should two or more vhosts have this
- * same identifier, the first one would always be elected to
- * handle the requests, so this shouldn't be an issue...
- */
-- for (addr = server->addrs; addr; addr = addr->next) {
-+ for (addr = id_server->addrs; addr; addr = addr->next) {
- char host_ip[64]; /* for any IPv[46] string */
- apr_sockaddr_ip_getbuf(host_ip, sizeof host_ip,
- addr->host_addr);
-@@ -1840,10 +1848,10 @@ PROXY_DECLARE(void*) ap_proxy_set_scoreb
- apr_md5_update(&ctx, (unsigned char *)&addr->host_port,
- sizeof(addr->host_port));
- }
-- apr_md5_update(&ctx, (unsigned char *)server->server_hostname,
-- strlen(server->server_hostname));
-- apr_md5_update(&ctx, (unsigned char *)&server->port,
-- sizeof(server->port));
-+ apr_md5_update(&ctx, (unsigned char *)id_server->server_hostname,
-+ strlen(id_server->server_hostname));
-+ apr_md5_update(&ctx, (unsigned char *)&id_server->port,
-+ sizeof(id_server->port));
- }
- apr_md5_final(digest, &ctx);
-
diff --git a/www/apache22/patches/patch-server_util__script.c b/www/apache22/patches/patch-server_util__script.c
deleted file mode 100644
index a706d1cc909..00000000000
--- a/www/apache22/patches/patch-server_util__script.c
+++ /dev/null
@@ -1,22 +0,0 @@
-$NetBSD: patch-server_util__script.c,v 1.1 2016/07/29 11:10:24 wiz Exp $
-
-Fix httpoxy vulnerability.
-https://www.apache.org/security/asf-httpoxy-response.txt
-
---- server/util_script.c.orig 2012-08-21 17:42:49.000000000 +0000
-+++ server/util_script.c
-@@ -165,6 +165,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
- else if (!strcasecmp(hdrs[i].key, "Content-length")) {
- apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
- }
-+ /* HTTP_PROXY collides with a popular envvar used to configure
-+ * proxies, don't let clients set/override it. But, if you must...
-+ */
-+#ifndef SECURITY_HOLE_PASS_PROXY
-+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
-+ ;
-+ }
-+#endif
- /*
- * You really don't want to disable this check, since it leaves you
- * wide open to CGIs stealing passwords and people viewing them