author | bsiegert <bsiegert> | 2016-09-07 18:08:36 +0000 |
---|---|---|
committer | bsiegert <bsiegert> | 2016-09-07 18:08:36 +0000 |
commit | 915916d953ded15bbff86ccfb2f2b8cb067a4503 (patch) | |
tree | d47f2bce2d1ae591a4b26f9e68ce588f212f3fa7 | |
parent | 62ffdcf2ca9deeccb01c4d1634095ee1fcb0badc (diff) | |
download | pkgsrc-915916d953ded15bbff86ccfb2f2b8cb067a4503.tar.gz |
Pullup ticket #5093 - requested by taca
www/apache24: security fix
Revisions pulled up:
- www/apache24/Makefile 1.48
- www/apache24/distinfo 1.26
- www/apache24/patches/patch-server_util__script.c 1.1
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Jul 29 11:11:25 UTC 2016
Modified Files:
pkgsrc/www/apache24: Makefile distinfo
Added Files:
pkgsrc/www/apache24/patches: patch-server_util__script.c
Log Message:
Fix httpoxy vulnerability.
Bump PKGREVISION.
-rw-r--r-- | www/apache24/Makefile | 3 | ||||
-rw-r--r-- | www/apache24/distinfo | 3 | ||||
-rw-r--r-- | www/apache24/patches/patch-server_util__script.c | 22 |
3 files changed, 26 insertions, 2 deletions
diff --git a/www/apache24/Makefile b/www/apache24/Makefile
index fc0bfe51bb3..b29dca272dc 100644
--- a/www/apache24/Makefile
+++ b/www/apache24/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.45.2.1 2016/07/20 04:59:21 spz Exp $
+# $NetBSD: Makefile,v 1.45.2.2 2016/09/07 18:08:36 bsiegert Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
@@ -7,6 +7,7 @@ DISTNAME= httpd-2.4.23
 PKGNAME= ${DISTNAME:S/httpd/apache/}
+PKGREVISION= 2
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
 http://archive.apache.org/dist/httpd/ \
diff --git a/www/apache24/distinfo b/www/apache24/distinfo
index 71a9d68ddde..b237397aad6 100644
--- a/www/apache24/distinfo
+++ b/www/apache24/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.24.2.1 2016/07/20 04:59:21 spz Exp $
+$NetBSD: distinfo,v 1.24.2.2 2016/09/07 18:08:36 bsiegert Exp $
 SHA1 (httpd-2.4.23.tar.bz2) = 5101be34ac4a509b245adb70a56690a84fcc4e7f
 RMD160 (httpd-2.4.23.tar.bz2) = 01a485281ededaaf932c9478ad078879a63254bc
@@ -15,3 +15,4 @@ SHA1 (patch-al) = 02d9ade5aac4270182063d5ad413970c832ee911
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
+SHA1 (patch-server_util__script.c) = e106f9d7157a5eaf34ef9b1fb445d517c7712aa2
diff --git a/www/apache24/patches/patch-server_util__script.c b/www/apache24/patches/patch-server_util__script.c
new file mode 100644
index 00000000000..f8b1888dce4
--- /dev/null
+++ b/www/apache24/patches/patch-server_util__script.c
@@ -0,0 +1,22 @@
+$NetBSD: patch-server_util__script.c,v 1.1.2.2 2016/09/07 18:08:36 bsiegert Exp $
+
+Fix httpoxy vulnerability.
+https://www.apache.org/security/asf-httpoxy-response.txt
+
+--- server/util_script.c.orig 2016-04-27 13:03:00.000000000 +0000
++++ server/util_script.c
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+ }
++ /* HTTP_PROXY collides with a popular envvar used to configure
++ * proxies, don't let clients set/override it. But, if you must...
++ */
++#ifndef SECURITY_HOLE_PASS_PROXY
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++ ;
++ }
++#endif
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them |
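Review bot: The new `else if (!strcasecmp(hdrs[i].key, "Proxy")) { ; }` branch added to ap_add_common_vars swallows the header with an empty body and a bare `;`, and nothing inside the braces says why; a one-line comment such as `/* intentionally dropped: a client-supplied Proxy header must never be exported as HTTP_PROXY */` would stop a future cleanup from treating it as dead code. The `#ifndef SECURITY_HOLE_PASS_PROXY` opt-out appears to mirror the existing Authorization escape that the following comment introduces, but the package should record that this macro is never set in its build flags, since defining it would compile the mitigation out without any trace in the binary. The patch header cites the advisory; also noting the upstream release that carries the same change would let the local patch be retired on the next package update. The enclosing function ap_add_common_vars starts and ends outside the hunk.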