diff options
| author | wiz <wiz@pkgsrc.org> | 2016-07-29 11:11:24 +0000 |
|---|---|---|
| committer | wiz <wiz@pkgsrc.org> | 2016-07-29 11:11:24 +0000 |
| commit | 25e970af76a6aef80de1c494d1cfdd07fe55abb7 (patch) | |
| tree | eebd225f4b97e4e7f9c7f282bfaa573c98efcda8 /www/apache24 | |
| parent | 1f11d47b0074ae0174a3ccc9e75e3a2eec1e932c (diff) | |
| download | pkgsrc-25e970af76a6aef80de1c494d1cfdd07fe55abb7.tar.gz | |
Fix httpoxy vulnerability.
Bump PKGREVISION.
Diffstat (limited to 'www/apache24')
| -rw-r--r-- | www/apache24/Makefile | 4 | ||||
| -rw-r--r-- | www/apache24/distinfo | 3 | ||||
| -rw-r--r-- | www/apache24/patches/patch-server_util__script.c | 22 |
3 files changed, 26 insertions, 3 deletions
diff --git a/www/apache24/Makefile b/www/apache24/Makefile index 408d77a8eec..8a58dd4c032 100644 --- a/www/apache24/Makefile +++ b/www/apache24/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.47 2016/07/09 06:39:10 wiz Exp $ +# $NetBSD: Makefile,v 1.48 2016/07/29 11:11:24 wiz Exp $ # # When updating this package, make sure that no strings like # "PR 12345" are in the commit message. Upstream likes @@ -7,7 +7,7 @@ DISTNAME= httpd-2.4.23 PKGNAME= ${DISTNAME:S/httpd/apache/} -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \ http://archive.apache.org/dist/httpd/ \ diff --git a/www/apache24/distinfo b/www/apache24/distinfo index c07ad3d3833..e8dc5ec03ab 100644 --- a/www/apache24/distinfo +++ b/www/apache24/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.25 2016/07/05 16:13:53 taca Exp $ +$NetBSD: distinfo,v 1.26 2016/07/29 11:11:24 wiz Exp $ SHA1 (httpd-2.4.23.tar.bz2) = 5101be34ac4a509b245adb70a56690a84fcc4e7f RMD160 (httpd-2.4.23.tar.bz2) = 01a485281ededaaf932c9478ad078879a63254bc @@ -15,3 +15,4 @@ SHA1 (patch-al) = 02d9ade5aac4270182063d5ad413970c832ee911 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96 +SHA1 (patch-server_util__script.c) = e106f9d7157a5eaf34ef9b1fb445d517c7712aa2 diff --git a/www/apache24/patches/patch-server_util__script.c b/www/apache24/patches/patch-server_util__script.c new file mode 100644 index 00000000000..993f392546e --- /dev/null +++ b/www/apache24/patches/patch-server_util__script.c @@ -0,0 +1,22 @@ +$NetBSD: patch-server_util__script.c,v 1.1 2016/07/29 11:11:25 wiz Exp $ + +Fix httpoxy vulnerability. +https://www.apache.org/security/asf-httpoxy-response.txt + +--- server/util_script.c.orig 2016-04-27 13:03:00.000000000 +0000 ++++ server/util_script.c +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them |