Update apache24 to 2.4.25 (Apache HTTPD 2.4.25). 2.4.24 was not released.

This release fixes several security problems, some of them are already handled in pkgsrc. Please refer CHANGES file in detail. *) SECURITY: CVE-2016-8740 (cve.mitre.org) mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames. [Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State University, Stefan Eissing] *) SECURITY: CVE-2016-5387 (cve.mitre.org) core: Mitigate [f]cgi "httpoxy" issues. [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic] *) SECURITY: CVE-2016-2161 (cve.mitre.org) mod_auth_digest: Prevent segfaults during client entry allocation when the shared memory space is exhausted. [Maksim Malyutin <m.malyutin dsec.ru>, Eric Covener, Jacob Champion] *) SECURITY: CVE-2016-0736 (cve.mitre.org) mod_session_crypto: Authenticate the session data/cookie with a MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack. [Yann Ylavic, Colm MacCarthaigh] *) SECURITY: CVE-2016-8743 (cve.mitre.org) Enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
author: taca <taca> 2016-12-20 21:06:34 +0000
committer: taca <taca> 2016-12-20 21:06:34 +0000
commit: bc903fd8a7230ff69c7b55765a9002c433d5e47f (patch)
tree: 0dedb0a362cbb236942c6e2dbb65d54790cd42e3
parent: 2d6d9fbf1563b21e82c3605fde24aaf4526ee4a8 (diff)
download: pkgsrc-bc903fd8a7230ff69c7b55765a9002c433d5e47f.tar.gz
4 files changed, 7 insertions, 68 deletions
diff --git a/www/apache24/Makefile b/www/apache24/Makefile
index 24fee1915b8..907a75efbd1 100644
--- a/www/apache24/Makefile
+++ b/www/apache24/Makefile
@@ -1,13 +1,12 @@
-# $NetBSD: Makefile,v 1.50 2016/12/11 23:52:55 taca Exp $
+# $NetBSD: Makefile,v 1.51 2016/12/20 21:06:34 taca Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=	httpd-2.4.23
+DISTNAME=	httpd-2.4.25
 PKGNAME=	${DISTNAME:S/httpd/apache/}
-PKGREVISION=	4
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE:=httpd/} \
 		http://archive.apache.org/dist/httpd/ \
diff --git a/www/apache24/distinfo b/www/apache24/distinfo
index 221fb48eb90..5bf164be457 100644
--- a/www/apache24/distinfo
+++ b/www/apache24/distinfo
@@ -1,10 +1,9 @@
-$NetBSD: distinfo,v 1.27 2016/12/11 23:52:55 taca Exp $
+$NetBSD: distinfo,v 1.28 2016/12/20 21:06:34 taca Exp $
 
-SHA1 (httpd-2.4.23.tar.bz2) = 5101be34ac4a509b245adb70a56690a84fcc4e7f
-RMD160 (httpd-2.4.23.tar.bz2) = 01a485281ededaaf932c9478ad078879a63254bc
-SHA512 (httpd-2.4.23.tar.bz2) = c520de5be748c0a785ef0dc77102749eb4f47e224968b8d4bed2ae644faa0964623a0e960b64486a0888446790d050b52a6ae34fe61717fab95b37384b4825b1
-Size (httpd-2.4.23.tar.bz2) = 6351875 bytes
-SHA1 (patch-CVE-2016-8740-2.4.23) = 286afd11a07f4bb1acb0ca9b89086c79930ca562
+SHA1 (httpd-2.4.25.tar.bz2) = bd6d138c31c109297da2346c6e7b93b9283993d2
+RMD160 (httpd-2.4.25.tar.bz2) = 6dd0e159f8ff4bb0112476bbee038bd855057c10
+SHA512 (httpd-2.4.25.tar.bz2) = 6ba4ce1dcef71416cf1c0de2468c002767b5637a75744daf5beb0edd045749a751b3826c4132f594c48e4b33ca8e1b25ebfb63ac4c8b759ca066a89d3261fb22
+Size (httpd-2.4.25.tar.bz2) = 6398218 bytes
 SHA1 (patch-aa) = 2d92b1340aaae40289421f164346348c6d7fe839
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d
@@ -16,4 +15,3 @@ SHA1 (patch-al) = 02d9ade5aac4270182063d5ad413970c832ee911
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
-SHA1 (patch-server_util__script.c) = e106f9d7157a5eaf34ef9b1fb445d517c7712aa2
diff --git a/www/apache24/patches/patch-CVE-2016-8740-2.4.23 b/www/apache24/patches/patch-CVE-2016-8740-2.4.23
deleted file mode 100644
index 4d69be605f3..00000000000
--- a/www/apache24/patches/patch-CVE-2016-8740-2.4.23
+++ /dev/null
@@ -1,36 +0,0 @@
-$NetBSD: patch-CVE-2016-8740-2.4.23,v 1.1 2016/12/11 23:52:55 taca Exp $
-
-Patch for CVE-2016-8740.
-
---- modules/http2/h2_stream.c.orig	2016-06-09 10:38:10.000000000 +0000
-+++ modules/http2/h2_stream.c
-@@ -322,18 +322,18 @@ apr_status_t h2_stream_add_header(h2_str
-                                            HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE);
-             }
-         }
--    }
--    
--    if (h2_stream_is_scheduled(stream)) {
--        return h2_request_add_trailer(stream->request, stream->pool,
--                                      name, nlen, value, vlen);
--    }
--    else {
--        if (!input_open(stream)) {
--            return APR_ECONNRESET;
-+        
-+        if (h2_stream_is_scheduled(stream)) {
-+            return h2_request_add_trailer(stream->request, stream->pool,
-+                                          name, nlen, value, vlen);
-+        }
-+        else {
-+            if (!input_open(stream)) {
-+                return APR_ECONNRESET;
-+            }
-+            return h2_request_add_header(stream->request, stream->pool,
-+                                         name, nlen, value, vlen);
-         }
--        return h2_request_add_header(stream->request, stream->pool,
--                                     name, nlen, value, vlen);
-     }
- }
- 
diff --git a/www/apache24/patches/patch-server_util__script.c b/www/apache24/patches/patch-server_util__script.c
deleted file mode 100644
index 993f392546e..00000000000
--- a/www/apache24/patches/patch-server_util__script.c
+++ /dev/null
@@ -1,22 +0,0 @@
-$NetBSD: patch-server_util__script.c,v 1.1 2016/07/29 11:11:25 wiz Exp $
-
-Fix httpoxy vulnerability.
-https://www.apache.org/security/asf-httpoxy-response.txt
-
---- server/util_script.c.orig	2016-04-27 13:03:00.000000000 +0000
-+++ server/util_script.c
-@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
-         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
-             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
-         }
-+        /* HTTP_PROXY collides with a popular envvar used to configure
-+         * proxies, don't let clients set/override it.  But, if you must...
-+         */
-+#ifndef SECURITY_HOLE_PASS_PROXY
-+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
-+            ;
-+        }
-+#endif
-         /*
-          * You really don't want to disable this check, since it leaves you
-          * wide open to CGIs stealing passwords and people viewing them
author	taca <taca>	2016-12-20 21:06:34 +0000
committer	taca <taca>	2016-12-20 21:06:34 +0000
commit	bc903fd8a7230ff69c7b55765a9002c433d5e47f (patch)
tree	0dedb0a362cbb236942c6e2dbb65d54790cd42e3
parent	2d6d9fbf1563b21e82c3605fde24aaf4526ee4a8 (diff)
download	pkgsrc-bc903fd8a7230ff69c7b55765a9002c433d5e47f.tar.gz