diff options
| author | wiz <wiz> | 2016-07-29 11:10:24 +0000 |
|---|---|---|
| committer | wiz <wiz> | 2016-07-29 11:10:24 +0000 |
| commit | 8028b4016a960547c012756acdeb2a89133639e6 (patch) | |
| tree | 4d498266856919410c26d351624bca7cfefa0503 | |
| parent | 494ca7602083509ae21556d0f9e579a173eb7e90 (diff) | |
| download | pkgsrc-8028b4016a960547c012756acdeb2a89133639e6.tar.gz | |
Fix httpoxy vulnerability.
Bump PKGREVISION.
| -rw-r--r-- | www/apache22/Makefile | 4 | ||||
| -rw-r--r-- | www/apache22/distinfo | 3 | ||||
| -rw-r--r-- | www/apache22/patches/patch-server_util__script.c | 22 |
3 files changed, 26 insertions, 3 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile index f28fa52cb8b..98e81df562c 100644 --- a/www/apache22/Makefile +++ b/www/apache22/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.109 2016/07/09 06:39:10 wiz Exp $ +# $NetBSD: Makefile,v 1.110 2016/07/29 11:10:24 wiz Exp $ DISTNAME= httpd-2.2.31 PKGNAME= ${DISTNAME:S/httpd/apache/} -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \ http://archive.apache.org/dist/httpd/ \ diff --git a/www/apache22/distinfo b/www/apache22/distinfo index 42699ec6b41..89a427c27d7 100644 --- a/www/apache22/distinfo +++ b/www/apache22/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.64 2015/11/12 15:21:51 prlw1 Exp $ +$NetBSD: distinfo,v 1.65 2016/07/29 11:10:24 wiz Exp $ SHA1 (httpd-2.2.31.tar.bz2) = e3b55387112206307ba76526820a2627472f3787 RMD160 (httpd-2.2.31.tar.bz2) = 5b073f5f556c74e19eba8e40faa5c5fa308e018a @@ -22,3 +22,4 @@ SHA1 (patch-modules_proxy_mod_proxy.h) = a4453d85f6a3cf43df44f4e491aee07aaff4490 SHA1 (patch-modules_proxy_mod_proxy_connect.c) = b2b5d0242a92c7bf20b14c16d8cd3abae42f3746 SHA1 (patch-modules_proxy_proxy_util.c) = 1368694ef3141c3a1e9a1ddd73664bbb33465271 SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1 +SHA1 (patch-server_util__script.c) = 770f773ba278ec774f1f5a812fa9956fad9cc3f8 diff --git a/www/apache22/patches/patch-server_util__script.c b/www/apache22/patches/patch-server_util__script.c new file mode 100644 index 00000000000..a706d1cc909 --- /dev/null +++ b/www/apache22/patches/patch-server_util__script.c @@ -0,0 +1,22 @@ +$NetBSD: patch-server_util__script.c,v 1.1 2016/07/29 11:10:24 wiz Exp $ + +Fix httpoxy vulnerability. +https://www.apache.org/security/asf-httpoxy-response.txt + +--- server/util_script.c.orig 2012-08-21 17:42:49.000000000 +0000 ++++ server/util_script.c +@@ -165,6 +165,14 @@ AP_DECLARE(void) ap_add_common_vars(requ + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them |