Pullup ticket #6645 - requested by taca

www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.111
- www/apache24/distinfo                                         1.53

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Thu Jun  9 18:15:51 UTC 2022

   Modified Files:
   	pkgsrc/www/apache24: Makefile distinfo

   Log Message:
   apache24: updated to 2.4.54

   Changes with Apache 2.4.54

   *) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by
      hop-by-hop mechanism (cve.mitre.org)
      Apache HTTP Server 2.4.53 and earlier may not send the
      X-Forwarded-* headers to the origin server based on client side
      Connection header hop-by-hop mechanism.
      This may be used to bypass IP based authentication on the origin
      server/application.
      Credits: The Apache HTTP Server project would like to thank
      Gaetan Ferry (Synacktiv) for reporting this issue

   *) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with
      websockets (cve.mitre.org)
      Apache HTTP Server 2.4.53 and earlier may return lengths to
      applications calling r:wsread() that point past the end of the
      storage allocated for the buffer.
      Credits: The Apache HTTP Server project would like to thank
      Ronald Crane (Zippenhop LLC) for reporting this issue

   *) SECURITY: CVE-2022-30522: mod_sed denial of service
      (cve.mitre.org)
      If Apache HTTP Server 2.4.53 is configured to do transformations
      with mod_sed in contexts where the input to mod_sed may be very
      large, mod_sed may make excessively large memory allocations and
      trigger an abort.
      Credits: This issue was found by Brian Moussalli from the JFrog
      Security Research team

   *) SECURITY: CVE-2022-29404: Denial of service in mod_lua
      r:parsebody (cve.mitre.org)
      In Apache HTTP Server 2.4.53 and earlier, a malicious request to
      a lua script that calls r:parsebody(0) may cause a denial of
      service due to no default limit on possible input size.
      Credits: The Apache HTTP Server project would like to thank
      Ronald Crane (Zippenhop LLC) for reporting this issue

   *) SECURITY: CVE-2022-28615: Read beyond bounds in
      ap_strcmp_match() (cve.mitre.org)
      Apache HTTP Server 2.4.53 and earlier may crash or disclose
      information due to a read beyond bounds in ap_strcmp_match()
      when provided with an extremely large input buffer.  While no
      code distributed with the server can be coerced into such a
      call, third-party modules or lua scripts that use
      ap_strcmp_match() may hypothetically be affected.
      Credits: The Apache HTTP Server project would like to thank
      Ronald Crane (Zippenhop LLC) for reporting this issue

   *) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite()
      (cve.mitre.org)
      The ap_rwrite() function in Apache HTTP Server 2.4.53 and
      earlier may read unintended memory if an attacker can cause the
      server to reflect very large input using ap_rwrite() or
      ap_rputs(), such as with mod_luas r:puts() function.
      Credits: The Apache HTTP Server project would like to thank
      Ronald Crane (Zippenhop LLC) for reporting this issue

   *) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi
      (cve.mitre.org)
      Apache HTTP Server 2.4.53 and earlier on Windows may read beyond
      bounds when configured to process requests with the mod_isapi
      module.
      Credits: The Apache HTTP Server project would like to thank
      Ronald Crane (Zippenhop LLC) for reporting this issue

   *) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request
      smuggling (cve.mitre.org)
      Inconsistent Interpretation of HTTP Requests ('HTTP Request
      Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
      allows an attacker to smuggle requests to the AJP server it
      forwards requests to.  This issue affects Apache HTTP Server
      Apache HTTP Server 2.4 version 2.4.53 and prior versions.
      Credits: Ricter Z @ 360 Noah Lab

   *) mod_ssl: SSLFIPS compatible with OpenSSL 3.0.

   *) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.

   *) mod_md:  a bug was fixed that caused very large MDomains
      with the combined DNS names exceeding ~7k to fail, as
      request bodies would contain partially wrong data from
      uninitialized memory. This would have appeared as failure
      in signing-up/renewing such configurations.

   *) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.

   *) MPM event: Restart children processes killed before idle maintenance.

   *) ab: Allow for TLSv1.3 when the SSL library supports it.

   *) core: Disable TCP_NOPUSH optimization on OSX since it might introduce
      transmission delays.

   *) MPM event: Fix accounting of active/total processes on ungraceful restart,

   *) core: make ap_escape_quotes() work correctly on strings
      with more than MAX_INT/2 characters, counting quotes double.
      Credit to <generalbugs@zippenhop.com> for finding this.

   *) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
      an ACME CA. This gives a failover for renewals when several consecutive attempts
      to get a certificate failed.
      A new directive was added: `MDRetryDelay` sets the delay of retries.
      A new directive was added: `MDRetryFailover` sets the number of errored
      attempts before an alternate CA is selected for certificate renewals.

   *) mod_http2: remove unused and insecure code.

   *) mod_proxy: Add backend port to log messages to
      ease identification of involved service.

   *) mod_http2: removing unscheduling of ongoing tasks when
      connection shows potential abuse by a client. This proved
      counter-productive and the abuse detection can false flag
      requests using server-side-events.
      Fixes <https://github.com/icing/mod_h2/issues/231>.

   *) mod_md: Implement full auto status ("key: value" type status output).
      Especially not only status summary counts for certificates and
      OCSP stapling but also lists. Auto status format is similar to
      what was used for mod_proxy_balancer.

   *) mod_md: fixed a bug leading to failed transfers for OCSP
      stapling information when more than 6 certificates needed
      updates in the same run.

   *) mod_proxy: Set a status code of 502 in case the backend just closed the
      connection in reply to our forwarded request.

   *) mod_md: a possible NULL pointer deref was fixed in
      the JSON code for persisting time periods (start+end).
      Fixes #282 on mod_md's github.
      Thanks to @marcstern for finding this.

   *) mod_heartmonitor: Set the documented default value
      "10" for HeartbeatMaxServers instead of "0". With "0"
      no shared memory slotmem was initialized.

   *) mod_md: added support for managing certificates via a
      local tailscale daemon for users of that secure networking.
      This gives trusted certificates for tailscale assigned
      domain names in the *.ts.net space.

2 files changed, 6 insertions, 6 deletions

diff --git a/www/apache24/Makefile b/www/apache24/Makefile
index c312a6232dc..34b499a03f9 100644
--- a/www/apache24/Makefile
+++ b/www/apache24/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.109 2022/03/15 05:46:54 adam Exp $
+# $NetBSD: Makefile,v 1.109.2.1 2022/06/11 10:42:04 bsiegert Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=	httpd-2.4.53
+DISTNAME=	httpd-2.4.54
 PKGNAME=	${DISTNAME:S/httpd/apache/}
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE:=httpd/}
diff --git a/www/apache24/distinfo b/www/apache24/distinfo
index 631e7a42443..7ef1bbe48d2 100644
--- a/www/apache24/distinfo
+++ b/www/apache24/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.52 2022/03/15 05:46:54 adam Exp $
+$NetBSD: distinfo,v 1.52.2.1 2022/06/11 10:42:04 bsiegert Exp $
 
-BLAKE2s (httpd-2.4.53.tar.bz2) = 9e94c81d1fdf55e3f0d708a4665a7276f635c2862cd47816c97a24ba9b9cbe75
-SHA512 (httpd-2.4.53.tar.bz2) = 07ef59594251a30a864cc9cc9a58ab788c2d006cef85b728f29533243927c63cb063e0867f2a306f37324c3adb9cf7dcb2402f3516b05c2c6f32469d475dd756
-Size (httpd-2.4.53.tar.bz2) = 7431942 bytes
+BLAKE2s (httpd-2.4.54.tar.bz2) = 421718830ac12956e4d25911309314eefa3be169462008243d93b5106f226ab1
+SHA512 (httpd-2.4.54.tar.bz2) = 228493b2ff32c4142c6e484d304f2ea12e467498605fe12adce2b61388d8efe7b2e96ae2fd0abd1dc88a5f12d625e007d8da0ae5628cff2a5272806754f41e18
+Size (httpd-2.4.54.tar.bz2) = 7434530 bytes
 SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157