author | bsiegert <bsiegert@pkgsrc.org> | 2020-08-23 18:52:33 +0000 |
---|---|---|
committer | bsiegert <bsiegert@pkgsrc.org> | 2020-08-23 18:52:33 +0000 |
commit | 30c9215103f1a9cd71e61e5c5b2d97df0f1534d1 (patch) | |
tree | 6b2cc897d0d0f5d981ad6b46ad9649b5573da057 | |
parent | 7eb48e64a83f3c89f98fc4f06c3b33c17c185f92 (diff) | |
download | pkgsrc-30c9215103f1a9cd71e61e5c5b2d97df0f1534d1.tar.gz |
Pullup ticket #6301 - requested by taca
www/apache24: security fix
Revisions pulled up:
- www/apache24/Makefile 1.94
- www/apache24/distinfo 1.44
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Aug 9 15:01:55 UTC 2020
Modified Files:
pkgsrc/www/apache24: Makefile distinfo
Log Message:
www/apache24: update to 2.4.46
Update apache24 to 2.4.46 (Apache HTTPD 2.4.46). It fixes several
security problems:
CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header
CVE-2020-11984: mod_uwsgi buffer overflow
CVE-2020-11985: CWE-345: Insufficient verification of data authenticity
CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header
pkgsrc changes: reduce warnings by SUBST_* processing.
Changes with Apache 2.4.46
*) mod_proxy_fcgi: Fix build warnings for Windows platform
[Eric Covener, Christophe Jaillet]
Changes with Apache 2.4.45
*) mod_http2: remove support for abandoned http-wg draft
<https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
[Stefan Eissing]
Changes with Apache 2.4.44
*) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
protocol limit). [Yann Ylavic]
*) mod_http2:
Fixes <https://github.com/icing/mod_h2/issues/200>:
"LimitRequestFields 0" now disables the limit, as documented.
Fixes <https://github.com/icing/mod_h2/issues/201>:
Do not count repeated headers with same name against the field
count limit. They are merged internally, as if sent in a single HTTP/1 line.
[Stefan Eissing]
*) mod_http2: Avoid segfaults in case of handling certain responses for
already aborted connections. [Stefan Eissing, Ruediger Pluem]
*) mod_http2: The module now handles master/secondary connections and has marked
methods according to use. [Stefan Eissing]
*) core: Drop an invalid Last-Modified header value coming
from a FCGI/CGI script instead of replacing it with Unix epoch.
[Yann Ylavic, Luca Toscano]
*) Add support for strict content-length parsing through addition of
ap_parse_strict_length() [Yann Ylavic]
*) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
evaluates to false. PR64365. [Michael König <mail ikoenig.net>]
*) mod_proxy_http: flush spooled request body in one go to avoid
leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]
*) mod_ssl: Fix a race condition and possible crash when using a proxy client
certificate (SSLProxyMachineCertificateFile).
[Armin Abfalterer <a.abfalterer gmail.com>]
*) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]
*) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
PR64330 [Stefan Eissing]
*) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
was configured with a handshake timeout. Fixes github issue #196.
[Stefan Eissing]
*) mod_proxy_http2: the "ping" proxy parameter
(see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
when checking the liveliness of a new or reused h2 connection to the backend.
With short durations, this makes load-balancing more responsive. The module
will hold back requests until ping conditions are met, using features of the
HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
*) core: httpd is no longer linked against -lsystemd if mod_systemd
is enabled (and built as a DSO). [Rainer Jung]
*) mod_proxy_http2: respect ProxyTimeout settings on backend connections
while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
-rw-r--r-- | www/apache24/Makefile | 10 | ||||
-rw-r--r-- | www/apache24/distinfo | 10 |
2 files changed, 10 insertions, 10 deletions
diff --git a/www/apache24/Makefile b/www/apache24/Makefile index 6484b739312..289cffa7775 100644 --- a/www/apache24/Makefile +++ b/www/apache24/Makefile @@ -1,13 +1,12 @@ -# $NetBSD: Makefile,v 1.93 2020/06/23 14:33:22 bacon Exp $ +# $NetBSD: Makefile,v 1.93.2.1 2020/08/23 18:52:33 bsiegert Exp $ # # When updating this package, make sure that no strings like # "PR 12345" are in the commit message. Upstream likes # to reference their own PRs this way, but this ends up # in NetBSD GNATS. -DISTNAME= httpd-2.4.43 +DISTNAME= httpd-2.4.46 PKGNAME= ${DISTNAME:S/httpd/apache/} -PKGREVISION= 4 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} MASTER_SITES+= http://archive.apache.org/dist/httpd/ @@ -109,7 +108,8 @@ FIX_MAN_PERMS+= man8/apachectl.8 man1/ab.1 man1/httxt2dbm.1 SUBST_CLASSES+= man SUBST_STAGE.man= pre-configure SUBST_MESSAGE.man= Fixing paths in man pages. -SUBST_FILES.man= docs/man/*.1 docs/man/*.8 +SUBST_FILES.man= docs/man/apxs.1 docs/man/htdbm.1 \ + docs/man/htpasswd.1 docs/man/httpd.8 SUBST_SED.man= -e 's,/usr/local/etc/apache,${PKG_SYSCONFDIR},' SUBST_SED.man+= -e 's,/path/to/apache/etc,${PKG_SYSCONFDIR},' SUBST_SED.man+= -e 's,/usr/local/apache2,${PREFIX}/share/httpd/htdocs,' @@ -151,7 +151,7 @@ SUBST_MESSAGE.abs_srcdir= Fixing abs_srcdir SUBST_FILES.abs_srcdir= ${DESTDIR}${PREFIX}/share/httpd/build/config_vars.mk SUBST_SED.abs_srcdir= -e 's|^\(abs_srcdir =\) .*|\1 ${PREFIX}/share/httpd|' -REPLACE_PERL= docs/cgi-examples/printenv +#REPLACE_PERL= docs/cgi-examples/printenv .include "../../devel/zlib/buildlink3.mk" CONFIGURE_ARGS+= --with-ssl=${BUILDLINK_PREFIX.openssl} diff --git a/www/apache24/distinfo b/www/apache24/distinfo index b297054e9d5..46f68daa0e6 100644 --- a/www/apache24/distinfo +++ b/www/apache24/distinfo 
@@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.43 2020/05/04 12:26:37 manu Exp $ +$NetBSD: distinfo,v 1.43.2.1 2020/08/23 18:52:33 bsiegert Exp $ -SHA1 (httpd-2.4.43.tar.bz2) = fc078df062503ffcf19319c4bf4e8cf27fe30cb4 -RMD160 (httpd-2.4.43.tar.bz2) = 8ccc599b50478330e5505bf75780145d80f4f4ce -SHA512 (httpd-2.4.43.tar.bz2) = 16cfeecc8f6fab6eca478065a384bdf1872f7ac42206b0bc2bcac6c0d9c576f392c07107201f39e0601dec1bbafcb33d66153544de4d87d79b9a52094d334b64 -Size (httpd-2.4.43.tar.bz2) = 7155865 bytes +SHA1 (httpd-2.4.46.tar.bz2) = 1b7cd10ff3a2a07a576d77e34f0204d95fa4aceb +RMD160 (httpd-2.4.46.tar.bz2) = 8e5365222be2b53bed955f6f658fc4b6cc6c60a2 +SHA512 (httpd-2.4.46.tar.bz2) = 5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13 +Size (httpd-2.4.46.tar.bz2) = 7187805 bytes SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324 SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d |
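Review bot: in the Makefile hunk at -109,7, SUBST_FILES.man changes from the globs docs/man/*.1 docs/man/*.8 to four named files, so a man page that gains one of the substituted paths (/usr/local/etc/apache, /path/to/apache/etc, /usr/local/apache2) in a later release will be installed with the wrong path and nothing will flag it. Add a comment above the list saying it must be rechecked against docs/man on each update, for example by searching the extracted sources for those three strings.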
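Review bot: in the Makefile hunk at -151,7, REPLACE_PERL is commented out (#REPLACE_PERL= docs/cgi-examples/printenv) with no reason given in the hunk or in the log message. Delete the line if the interpreter rewrite is no longer wanted, or add a one-line comment saying why it is disabled; as written, a reader cannot tell whether the example CGI script is now installed with an unadjusted interpreter path.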
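Review bot: in the distinfo hunk, the new SHA1, RMD160, SHA512 and Size values for httpd-2.4.46.tar.bz2 are the only integrity check on the fetched tarball, and the Makefile context lines show MASTER_SITES including the plain-HTTP http://archive.apache.org/dist/httpd/. The log message should state that the digests were checked against the upstream release signature or published checksum rather than computed from whatever was downloaded; nothing on this page records that verification.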