author | lkundrak <lkundrak> | 2007-06-28 01:20:52 +0000 |
---|---|---|
committer | lkundrak <lkundrak> | 2007-06-28 01:20:52 +0000 |
commit | 4632291a8e0b6a6cc5b069985f195ace9e9f552b (patch) | |
tree | db678a4eb2b548a44a1977b49d99b37ff1b81805 /www | |
parent | bd17f2d485f5ee2486b6ff7fa8ced897600ad5d8 (diff) | |
Fixes for security issues, PKGREVISION bump.
CVE-2007-3304 Denial of Service.
CVE-2006-5752 XSS in mod_status with ExtendedStatus on.
CVE-2007-1863 remote crash when mod_cache enabled.
Diffstat (limited to 'www')
-rw-r--r-- | www/apache22/Makefile | 4 | ||||
-rw-r--r-- | www/apache22/distinfo | 11 | ||||
-rw-r--r-- | www/apache22/patches/patch-ab | 36 | ||||
-rw-r--r-- | www/apache22/patches/patch-ao | 44 | ||||
-rw-r--r-- | www/apache22/patches/patch-ap | 78 | ||||
-rw-r--r-- | www/apache22/patches/patch-aq | 24 | ||||
-rw-r--r-- | www/apache22/patches/patch-ar | 33 | ||||
-rw-r--r-- | www/apache22/patches/patch-as | 14 | ||||
-rw-r--r-- | www/apache22/patches/patch-at | 15 | ||||
-rw-r--r-- | www/apache22/patches/patch-au | 14 |
10 files changed, 266 insertions, 7 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile index 7d9820da025..d3769554e69 100644 --- a/www/apache22/Makefile +++ b/www/apache22/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.13 2007/06/08 12:25:06 wiz Exp $ +# $NetBSD: Makefile,v 1.14 2007/06/28 01:20:52 lkundrak Exp $ .include "Makefile.common" PKGNAME= apache-${APACHE_VERSION} -PKGREVISION= 5 +PKGREVISION= 6 CATEGORIES= www HOMEPAGE= http://httpd.apache.org/ diff --git a/www/apache22/distinfo b/www/apache22/distinfo index 27209698491..5cd2be48d4c 100644 --- a/www/apache22/distinfo +++ b/www/apache22/distinfo @@ -1,10 +1,10 @@ -$NetBSD: distinfo,v 1.5 2007/06/05 01:43:44 lkundrak Exp $ +$NetBSD: distinfo,v 1.6 2007/06/28 01:20:52 lkundrak Exp $ SHA1 (httpd-2.2.4.tar.bz2) = 64ceae373434a986dc99b8ed953afa0d4fad85ce RMD160 (httpd-2.2.4.tar.bz2) = bb6e8a7447fa8e8f629010f30b548068de518523 Size (httpd-2.2.4.tar.bz2) = 4930375 bytes SHA1 (patch-aa) = 233dbabda2bd830c6f0664c42e192e4acd2aff4c -SHA1 (patch-ab) = 387892276efd49fd081a187c1123de26fb6486ba +SHA1 (patch-ab) = b8586dea7600febbadbbad5089300336ea695ffb SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13 SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913 @@ -13,3 +13,10 @@ SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312 SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1 SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08 SHA1 (patch-an) = 1d02b10e92ad1f613b17b6ebc812d8931b54d3da +SHA1 (patch-ao) = 85e38b6415ade9b328800b7bf15b9741758d455c +SHA1 (patch-ap) = 9a25ce74bd355d9eeb2a885f65e19a3ba473ce77 +SHA1 (patch-aq) = 27a0093fc75dcafc673abc25e9ebe80167f52ac1 +SHA1 (patch-ar) = 536fb47cf750a316c773b1d3153cba52c3fac37c +SHA1 (patch-as) = 7880eae75b702563bff8bca833ca81fb3dc4444c +SHA1 (patch-at) = 114a55493527a87bada21ee192828b5188a5cddd +SHA1 (patch-au) = d4c623bb953ac45cb4c8d95fc1d3c2788452d9a1 
diff --git a/www/apache22/patches/patch-ab b/www/apache22/patches/patch-ab index 93c91dbc77f..1c8d2a3b7ad 100644 --- a/www/apache22/patches/patch-ab +++ b/www/apache22/patches/patch-ab @@ -1,8 +1,38 @@ -$NetBSD: patch-ab,v 1.1.1.1 2006/12/08 23:31:52 xtraeme Exp $ +$NetBSD: patch-ab,v 1.2 2007/06/28 01:20:52 lkundrak Exp $ ---- server/mpm_common.c.orig 2005-03-30 09:42:15.000000000 +0000 +Part of fix for CVE-2007-3304 Denial of Service. + +--- server/mpm_common.c.orig 2007-06-28 02:53:52.000000000 +0200 +++ server/mpm_common.c -@@ -420,7 +420,7 @@ AP_DECLARE(gid_t) ap_gname2id(const char +@@ -126,6 +126,10 @@ static int reclaim_one_pid(pid_t pid, ac + apr_proc_t proc; + apr_status_t waitret; + ++ if (!MPM_VALID_PID(pid)) { ++ return 1; ++ } ++ + proc.pid = pid; + waitret = apr_proc_wait(&proc, NULL, NULL, APR_NOWAIT); + if (waitret != APR_CHILD_NOTDONE) { +@@ -305,6 +309,16 @@ void ap_relieve_child_processes(void) + cur_extra = next; + } + } ++ ++apr_status_t ap_mpm_safe_kill(pid_t pid, int sig) ++{ ++ if (MPM_VALID_PID(pid)) { ++ return kill(pid, sig) ? errno : APR_SUCCESS; ++ } ++ else { ++ return APR_EINVAL; ++ } ++} + #endif /* AP_MPM_WANT_RECLAIM_CHILD_PROCESSES */ + + #ifdef AP_MPM_WANT_WAIT_OR_TIMEOUT +@@ -468,7 +482,7 @@ AP_DECLARE(gid_t) ap_gname2id(const char #ifndef HAVE_INITGROUPS int initgroups(const char *name, gid_t basegid) { diff --git a/www/apache22/patches/patch-ao b/www/apache22/patches/patch-ao new file mode 100644 index 00000000000..bc54349ac39 --- /dev/null +++ b/www/apache22/patches/patch-ao 
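Review bot: `ap_mpm_safe_kill` and the new guard in `reclaim_one_pid` both accept a pid of 0, because `MPM_VALID_PID(0)` evaluates `getpgid(0) == getpgrp()` and `getpgid(0)` reports the caller's own process group. `kill(0, sig)` then addresses every process in that group rather than a single child. A range check ahead of the group comparison closes this: `if (pid < 1) return APR_EINVAL;` at the top of `ap_mpm_safe_kill`, and `pid < 1 ||` added to the condition in `reclaim_one_pid`. The `MPM_VALID_PID` definitions this relies on come from the prefork and worker `mpm.h` patches (patch-as, patch-au), and `reclaim_one_pid` continues outside the hunk.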
@@ -0,0 +1,44 @@ +$NetBSD: patch-ao,v 1.1 2007/06/28 01:20:52 lkundrak Exp $ + +Fix for CVE-2006-5752 XSS in mod_status with ExtendedStatus on. + +--- modules/generators/mod_status.c.orig 2007-06-28 01:54:44.000000000 +0200 ++++ modules/generators/mod_status.c +@@ -270,7 +270,7 @@ static int status_handler(request_rec *r + if (r->method_number != M_GET) + return DECLINED; + +- ap_set_content_type(r, "text/html"); ++ ap_set_content_type(r, "text/html; charset=ISO-8859-1"); + + /* + * Simple table-driven form data set parser that lets you alter the header +@@ -299,7 +299,7 @@ static int status_handler(request_rec *r + no_table_report = 1; + break; + case STAT_OPT_AUTO: +- ap_set_content_type(r, "text/plain"); ++ ap_set_content_type(r, "text/plain; charset=ISO-8859-1"); + short_report = 1; + break; + } +@@ -673,7 +673,8 @@ static int status_handler(request_rec *r + ap_escape_html(r->pool, + ws_record->client), + ap_escape_html(r->pool, +- ws_record->request), ++ ap_escape_logitem(r->pool, ++ ws_record->request)), + ap_escape_html(r->pool, + ws_record->vhost)); + } +@@ -763,7 +764,8 @@ static int status_handler(request_rec *r + ap_escape_html(r->pool, + ws_record->vhost), + ap_escape_html(r->pool, +- ws_record->request)); ++ ap_escape_logitem(r->pool, ++ ws_record->request))); + } /* no_table_report */ + } /* for (j...) */ + } /* for (i...) */ diff --git a/www/apache22/patches/patch-ap b/www/apache22/patches/patch-ap new file mode 100644 index 00000000000..c112356348c --- /dev/null +++ b/www/apache22/patches/patch-ap 
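Review bot: The two `ap_set_content_type` calls in `status_handler` now pin the charset, but nothing in the code says why, so a later cleanup could drop the parameter again. A comment above the first call would record it, e.g. `/* Declare the charset explicitly so browsers do not guess an encoding for the status output (CVE-2006-5752). */`. In both table variants only `ws_record->request` gains `ap_escape_logitem`; `ws_record->client` and `ws_record->vhost` still go through `ap_escape_html` alone, and whether they can carry bytes that need the same treatment depends on how they are filled in, which is not visible here. `status_handler` starts and ends outside these hunks.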
@@ -0,0 +1,78 @@ +$NetBSD: patch-ap,v 1.1 2007/06/28 01:20:52 lkundrak Exp $ + +Fix for CVE-2007-1863 remote crash when mod_cache enabled. + +--- modules/cache/cache_util.c.orig 2007-06-28 02:03:05.000000000 +0200 ++++ modules/cache/cache_util.c +@@ -243,7 +243,8 @@ CACHE_DECLARE(int) ap_cache_check_freshn + age = ap_cache_current_age(info, age_c, r->request_time); + + /* extract s-maxage */ +- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) { ++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val) ++ && val != NULL) { + smaxage = apr_atoi64(val); + } + else { +@@ -252,7 +253,8 @@ CACHE_DECLARE(int) ap_cache_check_freshn + + /* extract max-age from request */ + if (!conf->ignorecachecontrol +- && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) { ++ && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val) ++ && val != NULL) { + maxage_req = apr_atoi64(val); + } + else { +@@ -260,7 +262,8 @@ CACHE_DECLARE(int) ap_cache_check_freshn + } + + /* extract max-age from response */ +- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) { ++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val) ++ && val != NULL) { + maxage_cresp = apr_atoi64(val); + } + else { +@@ -282,7 +285,20 @@ CACHE_DECLARE(int) ap_cache_check_freshn + + /* extract max-stale */ + if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) { +- maxstale = apr_atoi64(val); ++ if(val != NULL) { ++ maxstale = apr_atoi64(val); ++ } ++ else { ++ /* ++ * If no value is assigned to max-stale, then the client is willing ++ * to accept a stale response of any age (RFC2616 14.9.3). We will ++ * set it to one year in this case as this situation is somewhat ++ * similar to a "never expires" Expires header (RFC2616 14.21) ++ * which is set to a date one year from the time the response is ++ * sent in this case. 
++ */ ++ maxstale = APR_INT64_C(86400*365); ++ } + } + else { + maxstale = 0; +@@ -290,7 +306,8 @@ CACHE_DECLARE(int) ap_cache_check_freshn + + /* extract min-fresh */ + if (!conf->ignorecachecontrol +- && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) { ++ && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val) ++ && val != NULL) { + minfresh = apr_atoi64(val); + } + else { +@@ -419,6 +436,9 @@ CACHE_DECLARE(int) ap_cache_liststr(apr_ + next - val_start); + } + } ++ else { ++ *val = NULL; ++ } + } + return 1; + } diff --git a/www/apache22/patches/patch-aq b/www/apache22/patches/patch-aq new file mode 100644 index 00000000000..45eccc2d043 --- /dev/null +++ b/www/apache22/patches/patch-aq @@ -0,0 +1,24 @@ +$NetBSD: patch-aq,v 1.1 2007/06/28 01:20:53 lkundrak Exp $ + +Part of fix for CVE-2007-3304 Denial of Service. + +--- include/mpm_common.h.orig 2007-06-28 02:53:26.000000000 +0200 ++++ include/mpm_common.h +@@ -145,6 +145,17 @@ int ap_unregister_extra_mpm_process(pid_ + #endif + + /** ++ * Safely signal an MPM child process, if the process is in the ++ * current process group. Otherwise fail. ++ * @param pid the process id of a child process to signal ++ * @param sig the signal number to send ++ * @return APR_SUCCESS if signal is sent, otherwise an error as per kill(3) ++ */ ++#ifdef AP_MPM_WANT_RECLAIM_CHILD_PROCESSES ++apr_status_t ap_mpm_safe_kill(pid_t pid, int sig); ++#endif ++ ++/** + * Determine if any child process has died. If no child process died, then + * this process sleeps for the amount of time specified by the MPM defined + * macro SCOREBOARD_MAINTENANCE_INTERVAL. diff --git a/www/apache22/patches/patch-ar b/www/apache22/patches/patch-ar new file mode 100644 index 00000000000..7b3e7323e6d --- /dev/null +++ b/www/apache22/patches/patch-ar 
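Review bot: The added `val != NULL` guards in `ap_cache_check_freshness` are only sound if `ap_cache_liststr` writes `*val` on every path that returns 1, because the same `val` is passed to all five lookups and no reset is visible between them. The new `else { *val = NULL; }` covers the key-without-value case shown in the last hunk; clearing the output once at the top of `ap_cache_liststr`, `if (val) *val = NULL;`, would make the guards independent of which branch is taken. The rest of that function is outside the hunk, so whether another such path exists cannot be confirmed from here. Minor style: `if(val != NULL)` in the max-stale block is missing the space after `if` that the surrounding code uses.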
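Review bot: The `@return` line for `ap_mpm_safe_kill` does not describe the refusal case: the implementation added in patch-ab returns `APR_EINVAL` without calling `kill()` when the pid is not in the caller's process group. Suggested wording: `@return APR_SUCCESS if the signal was sent, APR_EINVAL if pid is not in the caller's process group, otherwise the errno value from kill(2)`. It would also help to say that callers should use this instead of `kill()` for any pid read from the scoreboard, since that is how the prefork and worker patches use it.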
@@ -0,0 +1,33 @@ +$NetBSD: patch-ar,v 1.1 2007/06/28 01:20:53 lkundrak Exp $ + +Part of fix for CVE-2007-3304 Denial of Service. + +--- server/mpm/prefork/prefork.c.orig 2007-06-28 02:53:26.000000000 +0200 ++++ server/mpm/prefork/prefork.c +@@ -1127,7 +1127,7 @@ int ap_mpm_run(apr_pool_t *_pconf, apr_p + for (index = 0; index < ap_daemons_limit; ++index) { + if (ap_scoreboard_image->servers[index][0].status != SERVER_DEAD) { + /* Ask each child to close its listeners. */ +- kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL); ++ ap_mpm_safe_kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL); + active_children++; + } + } +@@ -1166,7 +1166,7 @@ int ap_mpm_run(apr_pool_t *_pconf, apr_p + active_children = 0; + for (index = 0; index < ap_daemons_limit; ++index) { + if (MPM_CHILD_PID(index) != 0) { +- if (kill(MPM_CHILD_PID(index), 0) == 0) { ++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == 0) { + active_children = 1; + /* Having just one child is enough to stay around */ + break; +@@ -1222,7 +1222,7 @@ int ap_mpm_run(apr_pool_t *_pconf, apr_p + * piped loggers, etc. They almost certainly won't handle + * it gracefully. + */ +- kill(ap_scoreboard_image->parent[index].pid, AP_SIG_GRACEFUL); ++ ap_mpm_safe_kill(ap_scoreboard_image->parent[index].pid, AP_SIG_GRACEFUL); + } + } + } diff --git a/www/apache22/patches/patch-as b/www/apache22/patches/patch-as new file mode 100644 index 00000000000..a849cb0a6d3 --- /dev/null +++ b/www/apache22/patches/patch-as @@ -0,0 +1,14 @@ +$NetBSD: patch-as,v 1.1 2007/06/28 01:20:53 lkundrak Exp $ + +Part of fix for CVE-2007-3304 Denial of Service. + +--- server/mpm/prefork/mpm.h.orig 2007-06-28 02:53:26.000000000 +0200 ++++ server/mpm/prefork/mpm.h +@@ -53,6 +53,7 @@ + #define AP_MPM_USES_POD 1 + #define MPM_CHILD_PID(i) (ap_scoreboard_image->parent[i].pid) + #define MPM_NOTE_CHILD_KILLED(i) (MPM_CHILD_PID(i) = 0) ++#define MPM_VALID_PID(p) (getpgid(p) == getpgrp()) + #define MPM_ACCEPT_FUNC unixd_accept + + extern int ap_threads_per_child; 
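Review bot: The two `AP_SIG_GRACEFUL` call sites discard the result of `ap_mpm_safe_kill`, so a pid that fails the process-group check is skipped without any trace, and in the first loop `active_children++` still counts it. A refusal means either the process is already gone or the scoreboard slot holds a pid outside the server's process group, and the second case deserves a log line for whoever investigates later. For example, test `if (ap_mpm_safe_kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL) != APR_SUCCESS)` and follow it with an `ap_log_error` call at warning level naming the slot index and pid. `ap_mpm_run` begins and ends outside these hunks, so how `active_children` is consumed afterwards is not visible.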
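Review bot: `MPM_VALID_PID` is added without a comment and is defined identically in `server/mpm/worker/mpm.h` (patch-au), so the two copies can drift apart. A one-line comment above it would record the intent, e.g. `/* True when p is in this process's group; pids read from the scoreboard are checked with this before being signalled. */`. If every MPM that uses it wants the same test, the definition could live once in `include/mpm_common.h` beside the `ap_mpm_safe_kill` prototype. The macro also treats a failed `getpgid()` (return of -1) the same as a foreign process group, which suits the callers shown but is worth stating in that comment.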
diff --git a/www/apache22/patches/patch-at b/www/apache22/patches/patch-at new file mode 100644 index 00000000000..1d1729cb84c --- /dev/null +++ b/www/apache22/patches/patch-at @@ -0,0 +1,15 @@ +$NetBSD: patch-at,v 1.1 2007/06/28 01:20:53 lkundrak Exp $ + +Part of fix for CVE-2007-3304 Denial of Service. + +--- server/mpm/worker/worker.c.orig 2007-06-28 02:53:26.000000000 +0200 ++++ server/mpm/worker/worker.c +@@ -1814,7 +1814,7 @@ int ap_mpm_run(apr_pool_t *_pconf, apr_p + active_children = 0; + for (index = 0; index < ap_daemons_limit; ++index) { + if (MPM_CHILD_PID(index) != 0) { +- if (kill(MPM_CHILD_PID(index), 0) == 0) { ++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == 0) { + active_children = 1; + /* Having just one child is enough to stay around */ + break; diff --git a/www/apache22/patches/patch-au b/www/apache22/patches/patch-au new file mode 100644 index 00000000000..3a86830be07 --- /dev/null +++ b/www/apache22/patches/patch-au @@ -0,0 +1,14 @@ +$NetBSD: patch-au,v 1.1 2007/06/28 01:20:54 lkundrak Exp $ + +Part of fix for CVE-2007-3304 Denial of Service. + +--- server/mpm/worker/mpm.h.orig 2007-06-28 02:53:26.000000000 +0200 ++++ server/mpm/worker/mpm.h +@@ -52,6 +52,7 @@ + #define MPM_CHILD_PID(i) (ap_scoreboard_image->parent[i].pid) + #define MPM_NOTE_CHILD_KILLED(i) (MPM_CHILD_PID(i) = 0) + #define MPM_ACCEPT_FUNC unixd_accept ++#define MPM_VALID_PID(p) (getpgid(p) == getpgrp()) + + extern int ap_threads_per_child; + extern int ap_max_daemons_limit; |
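Review bot: The liveness probe in `worker.c` compares an `apr_status_t` with the literal `0`, a leftover from the `kill()` call it replaces; `if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == APR_SUCCESS) {` says what is meant. The same line in the prefork patch (patch-ar, second hunk) reads the same way. The probe now also reports a live process outside the server's process group as not running, which changes when this loop stops waiting; a short comment at the call would show that this is intentional. `ap_mpm_run` extends beyond the hunk.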