author | taca <taca@pkgsrc.org> | 2011-10-10 10:13:42 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2011-10-10 10:13:42 +0000 |
commit | fbff0f485afd7983bf8a63febe3f53b947aabe25 (patch) | |
tree | 7159dbe4701fa3b89e6c1f24cadc860dbcd11a61 | |
parent | 95267f4ff32e310336aa9cc16f935c2149b74631 (diff) | |
download | pkgsrc-fbff0f485afd7983bf8a63febe3f53b947aabe25.tar.gz |
Add patch for CVE-2011-3368 from Apache's repository.
Bump PKGREVISION.
-rw-r--r-- | www/apache22/Makefile | 3 | ||||
-rw-r--r-- | www/apache22/distinfo | 3 | ||||
-rw-r--r-- | www/apache22/patches/patch-server_protocol.c | 35 |
3 files changed, 39 insertions, 2 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 25c5d7782a3..40dd7159503 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.71 2011/09/14 17:52:15 hans Exp $
+# $NetBSD: Makefile,v 1.72 2011/10/10 10:13:42 taca Exp $
 
 DISTNAME= httpd-2.2.21
 PKGNAME= ${DISTNAME:S/httpd/apache/}
+PKGREVISION= 1
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
 http://archive.apache.org/dist/httpd/ \
diff --git a/www/apache22/distinfo b/www/apache22/distinfo
index c09155c563e..650d9031030 100644
--- a/www/apache22/distinfo
+++ b/www/apache22/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.42 2011/09/14 07:10:21 taca Exp $
+$NetBSD: distinfo,v 1.43 2011/10/10 10:13:42 taca Exp $
 
 SHA1 (httpd-2.2.21.tar.bz2) = c02f9b05da9a7e316ff37d9053dc76a57ba51cb4
 RMD160 (httpd-2.2.21.tar.bz2) = 6464a03d78ab858b1288ea9eef4cd5f73b60a9f1
@@ -16,3 +16,4 @@ SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
 SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4
 SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1
 SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1
+SHA1 (patch-server_protocol.c) = 5361b5218d4f2aa22ea79e4ba6534ca0252c6e4e
diff --git a/www/apache22/patches/patch-server_protocol.c b/www/apache22/patches/patch-server_protocol.c
new file mode 100644
index 00000000000..e5b4a7d44c9
--- /dev/null
+++ b/www/apache22/patches/patch-server_protocol.c
@@ -0,0 +1,35 @@
+$NetBSD: patch-server_protocol.c,v 1.1 2011/10/10 10:13:42 taca Exp $
+
+revision 1179239 from http://svn.apache.org/:
+ SECURITY (CVE-2011-3368): Prevent unintended pattern expansion
+ in some reverse proxy configurations by strictly validating
+ the request-URI.
+
+--- server/protocol.c.orig 2011-10-10 09:11:16.000000000 +0000
++++ server/protocol.c
+@@ -640,6 +640,25 @@ static int read_request_line(request_rec
+
+ ap_parse_uri(r, uri);
+
++ /* RFC 2616:
++ * Request-URI = "*" | absoluteURI | abs_path | authority
++ *
++ * authority is a special case for CONNECT. If the request is not
++ * using CONNECT, and the parsed URI does not have scheme, and
++ * it does not begin with '/', and it is not '*', then, fail
++ * and give a 400 response. */
++ if (r->method_number != M_CONNECT
++ && !r->parsed_uri.scheme
++ && uri[0] != '/'
++ && !(uri[0] == '*' && uri[1] == '\0')) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "invalid request-URI %s", uri);
++ r->args = NULL;
++ r->hostname = NULL;
++ r->status = HTTP_BAD_REQUEST;
++ r->uri = apr_pstrdup(r->pool, uri);
++ }
++
+ if (ll[0]) {
+ r->assbackwards = 0;
+ pro = ll; |
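Review bot: The added validation block records the rejection (`r->status = HTTP_BAD_REQUEST`, args/hostname cleared) but does not return, so read_request_line — which continues past the end of the inner hunk with `if (ll[0])` — keeps parsing a request line it has just declared invalid, and the 400 only materialises if a caller outside this hunk inspects r->status. A closing comment such as `/* no early return: caller checks r->status and sends the 400 */` would make that contract explicit for whoever next rebases this patch. The patch header describes the effect ("strictly validating the request-URI") but not the input shape being refused; adding a sentence that the check rejects authority-form (`host:port`) request targets for non-CONNECT methods, which the RFC 2616 comment in the hunk only implies, would help a reader relate the code to the CVE summary. Since the code is the upstream change carried verbatim (revision 1179239 per the header), any behavioural adjustment belongs upstream, and note that editing this patch file at all requires regenerating its SHA1 line in distinfo.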