author | adam <adam@pkgsrc.org> | 2022-03-15 05:46:54 +0000 |
---|---|---|
committer | adam <adam@pkgsrc.org> | 2022-03-15 05:46:54 +0000 |
commit | 9fc1838fe4a250be4c3c38a4cfcfaad5aa2e26b7 (patch) | |
tree | 875a01f2f14e3b19ded60a2480969c6bac1b23a2 /www/apache24/Makefile | |
parent | 5e8a290f18b2a943ddad988c43f81b93ec067099 (diff) | |
download | pkgsrc-9fc1838fe4a250be4c3c38a4cfcfaad5aa2e26b7.tar.gz |
apache24: updated to 2.4.53

Changes with Apache 2.4.53
*) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
(cve.mitre.org)
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
Server allows an attacker to overwrite heap memory with possibly
attacker provided data.
This issue affects Apache HTTP Server 2.4 version 2.4.52 and
prior versions.
*) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
very large or unlimited LimitXMLRequestBody (cve.mitre.org)
If LimitXMLRequestBody is set to allow request bodies larger
than 350MB (defaults to 1M) on 32 bit systems an integer
overflow happens which later causes out of bounds writes.
This issue affects Apache HTTP Server 2.4.52 and earlier.
Credits: Anonymous working with Trend Micro Zero Day Initiative
*) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
Apache HTTP Server 2.4.52 and earlier fails to close inbound
connection when errors are encountered discarding the request
body, exposing the server to HTTP Request Smuggling.
*) SECURITY: CVE-2022-22719: mod_lua: Use of uninitialized value
in r:parsebody (cve.mitre.org)
A carefully crafted request body can cause a read to a random
memory area which could cause the process to crash.
This issue affects Apache HTTP Server 2.4.52 and earlier.
*) core: Make sure and check that LimitXMLRequestBody fits in system memory.
*) core: Simpler connection close logic if discarding the request body fails.
*) mod_http2: preserve the port number given in a HTTP/1.1
request that was Upgraded to HTTP/2.
*) mod_proxy: Allow for larger worker name.
*) dbm: Split the loading of a dbm driver from the opening of a dbm file. When
an attempt to load a dbm driver fails, log clearly which driver triggered
the error (not "default"), and what the error was.
*) mod_proxy: Use the maximum of front end and backend timeouts instead of the
minimum when tunneling requests (websockets, CONNECT requests).
Backend timeouts can be configured more selectively (per worker if needed)
as front end timeouts and typically the backend timeouts reflect the
application requirements better.
*) ap_regex: Use Thread Local Storage (TLS) to recycle ap_regexec() buffers
when an efficient TLS implementation is available.
*) core, mod_info: Add compiled and loaded PCRE versions to version
number display.
*) mod_md: do not interfere with requests to /.well-known/acme-challenge/
resources if challenge type 'http-01' is not configured for a domain.
Fixes <https://github.com/icing/mod_md/issues/279>.
*) mod_dav: Fix regression when gathering properties which could lead to huge
memory consumption proportional to the number of resources.
*) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x)
for regular expression evaluation. This depends on locating pcre2-config.
*) Add the ldap function to the expression API, allowing LDAP filters and
distinguished names based on expressions to be escaped correctly to
guard against LDAP injection.
*) mod_md: the status description in MDomain's JSON, exposed in the
md-status handler (if configured) did sometimes not carry the correct
message when certificates needed renew.
*) mpm_event: Fix a possible listener deadlock on heavy load when restarting
and/or reaching MaxConnectionsPerChild.
Diffstat (limited to 'www/apache24/Makefile')
-rw-r--r-- | www/apache24/Makefile | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/www/apache24/Makefile b/www/apache24/Makefile index af6117e7158..c312a6232dc 100644 --- a/www/apache24/Makefile +++ b/www/apache24/Makefile @@ -1,11 +1,11 @@ -# $NetBSD: Makefile,v 1.108 2021/12/21 09:18:37 adam Exp $ +# $NetBSD: Makefile,v 1.109 2022/03/15 05:46:54 adam Exp $ # # When updating this package, make sure that no strings like # "PR 12345" are in the commit message. Upstream likes # to reference their own PRs this way, but this ends up # in NetBSD GNATS. -DISTNAME= httpd-2.4.52 +DISTNAME= httpd-2.4.53 PKGNAME= ${DISTNAME:S/httpd/apache/} CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} @@ -45,7 +45,7 @@ BUILDLINK_API_DEPENDS.apr+= apr>=1.5.0 .include "../../devel/apr/buildlink3.mk" BUILDLINK_API_DEPENDS.apr-util+= apr-util>=1.5.3 .include "../../devel/apr-util/buildlink3.mk" -.include "../../devel/pcre/buildlink3.mk" +.include "../../devel/pcre2/buildlink3.mk" .include "../../security/openssl/buildlink3.mk" .include "../../textproc/expat/buildlink3.mk" .include "../../mk/dlopen.buildlink3.mk" |
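Review bot: The DISTNAME bump from httpd-2.4.52 to httpd-2.4.53 in the first hunk changes the distfile that is fetched, so the distinfo checksums must be regenerated in the same commit; this view is limited to www/apache24/Makefile, so that cannot be confirmed from the lines shown. Please check that the distinfo change is part of this commit, since a stale checksum would stop the build of a release that carries four CVE fixes.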
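Review bot: The switch from ../../devel/pcre/buildlink3.mk to ../../devel/pcre2/buildlink3.mk in the second hunk changes a build and runtime dependency, but the commit subject only says "updated to 2.4.53"; call out the pcre to pcre2 move explicitly so users tracking dependencies see it. The upstream entry states that pcre2 support depends on locating pcre2-config, and no configure setting is touched in the visible lines, so confirm that the configure step finds pcre2-config through buildlink and that the built httpd reports PCRE2 in its version display.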