From 2eef66714b46a42c2b2a802d43694cb404202147 Mon Sep 17 00:00:00 2001
From: reed
Date: Thu, 23 Sep 2004 21:07:25 +0000
Subject: Add patch for Apache security issue. 2.0.51 had a regression where the Satisfy directive could take effect for different directories (and could bypass some access control). This patch is direct from Apache. Also bumped the package revision.
---
 www/apache2/Makefile | 3 ++-
 www/apache2/patches/patch-ab | 29 +++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 www/apache2/patches/patch-ab
(limited to 'www')
diff --git a/www/apache2/Makefile b/www/apache2/Makefile
index 545d0b24c37..9052cc375eb 100644
--- a/www/apache2/Makefile
+++ b/www/apache2/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.44 2004/09/20 17:19:33 adrianp Exp $
+# $NetBSD: Makefile,v 1.45 2004/09/23 21:07:25 reed Exp $
 PKGNAME= apache-${APACHE_VERSION}
+PKGREVISION= 1
 CATEGORIES= www
 HOMEPAGE= http://httpd.apache.org/
diff --git a/www/apache2/patches/patch-ab b/www/apache2/patches/patch-ab
new file mode 100644
index 00000000000..19aaeada36c
--- /dev/null
+++ b/www/apache2/patches/patch-ab
@@ -0,0 +1,29 @@
+$NetBSD: patch-ab,v 1.3 2004/09/23 21:07:25 reed Exp $
+
+http://www.apache.org/dist/httpd/patches/apply_to_2.0.51/CAN-2004-0811.patch
+
+SECURITY: CAN-2004-0811 (cve.mitre.org)
+
+Fix merging of the Satisfy directive, which was applied to
+the surrounding context and could allow access despite configured
+authentication. (a regression in 2.0.51)
+
+Apache PR: 31315
+Submitted by: Rici Lake
+
+--- server/core.c 2004/08/31 08:16:56 1.225.2.27
++++ server/core.c 2004/09/21 13:21:16 1.225.2.28
+@@ -351,9 +351,13 @@
+ /* Otherwise we simply use the base->sec_file array
+ */
+
++ /* use a separate ->satisfy[] array either way */
++ conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS);
+ for (i = 0; i < METHODS; ++i) {
+ if (new->satisfy[i] != SATISFY_NOSPEC) {
+ conf->satisfy[i] = new->satisfy[i];
++ } else {
++ conf->satisfy[i] = base->satisfy[i];
+ }
+ }
+
--
cgit v1.2.3
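Review bot: The new patches/patch-ab arrives without a matching distinfo change — the diffstat lists only the Makefile and the patch — so if this tree records patch checksums in www/apache2/distinfo, as pkgsrc does, the build will reject the unregistered patch until the `make makepatchsum` result is committed alongside it. In the core.c hunk itself, the added comment `/* use a separate ->satisfy[] array either way */` states what is done but not why; I would extend it to `/* always allocate our own satisfy[] so merged values never alias base's or new's array (CAN-2004-0811) */` so a later cleanup does not reintroduce the shared-array path that, per the patch header, let a Satisfy setting leak into the surrounding context. The merge function containing this loop starts and ends outside the hunk, so whether base->satisfy can be NULL here cannot be confirmed from the diff; the fallback branch assumes it is always populated.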