pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2004Q3]: pkgsrc Security Pullup - requested by Havard Eidnes



details:   https://anonhg.NetBSD.org/pkgsrc/rev/316aedfabab8
branches:  pkgsrc-2004Q3
changeset: 480729:316aedfabab8
user:      agc <agc%pkgsrc.org@localhost>
date:      Tue Nov 02 10:47:01 2004 +0000

description:
Security Pullup - requested by Havard Eidnes
security fix for apache2

        Module Name:    pkgsrc
        Committed By:   reed
        Date:           Thu Sep 23 21:07:25 UTC 2004

        Modified Files:
                pkgsrc/www/apache2: Makefile
        Added Files:
                pkgsrc/www/apache2/patches: patch-ab

        Log Message:
        Add patch for Apache security issue.

        2.0.51 had a regression where the Satisfy directive could take
        effect for different directories (and could bypass some access
        control).

        This patch is direct from Apache.

        Also bumped the package revision.
---
        Module Name:    pkgsrc
        Committed By:   grant
        Date:           Thu Sep 23 22:51:52 UTC 2004

        Modified Files:
                pkgsrc/www/apache2: distinfo

        Log Message:
        update checksum for patch-ab (hi, reed!)

diffstat:

 doc/CHANGES-pkgsrc-2004Q3    |   4 +++-
 www/apache2/Makefile         |   3 ++-
 www/apache2/distinfo         |   3 ++-
 www/apache2/patches/patch-ab |  29 +++++++++++++++++++++++++++++
 4 files changed, 36 insertions(+), 3 deletions(-)

diffs (75 lines):

diff -r d1e92050a975 -r 316aedfabab8 doc/CHANGES-pkgsrc-2004Q3
--- a/doc/CHANGES-pkgsrc-2004Q3 Tue Nov 02 10:39:07 2004 +0000
+++ b/doc/CHANGES-pkgsrc-2004Q3 Tue Nov 02 10:47:01 2004 +0000
@@ -1,4 +1,4 @@
-$NetBSD: CHANGES-pkgsrc-2004Q3,v 1.1.2.15 2004/11/02 10:39:07 agc Exp $
+$NetBSD: CHANGES-pkgsrc-2004Q3,v 1.1.2.16 2004/11/02 10:47:01 agc Exp $
 
 Changes to the packages collection and infrastructure on the
 pkgsrc-2004Q3 branch:
@@ -33,4 +33,6 @@
 security fix for cabextract
 Security Pullup - requested by Grant Beattie and Havard Eidnes
 security fix for wv
+Security Pullup - requested by Havard Eidnes
+security fix for apache2
 
diff -r d1e92050a975 -r 316aedfabab8 www/apache2/Makefile
--- a/www/apache2/Makefile      Tue Nov 02 10:39:07 2004 +0000
+++ b/www/apache2/Makefile      Tue Nov 02 10:47:01 2004 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.44 2004/09/20 17:19:33 adrianp Exp $
+# $NetBSD: Makefile,v 1.44.2.1 2004/11/02 10:47:01 agc Exp $
 
 PKGNAME=               apache-${APACHE_VERSION}
+PKGREVISION=           1
 CATEGORIES=            www
 
 HOMEPAGE=              http://httpd.apache.org/
diff -r d1e92050a975 -r 316aedfabab8 www/apache2/distinfo
--- a/www/apache2/distinfo      Tue Nov 02 10:39:07 2004 +0000
+++ b/www/apache2/distinfo      Tue Nov 02 10:47:01 2004 +0000
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.28 2004/09/20 17:19:33 adrianp Exp $
+$NetBSD: distinfo,v 1.28.2.1 2004/11/02 10:47:01 agc Exp $
 
 SHA1 (httpd-2.0.51.tar.gz) = 68ce1da942226c0a6276c9c313d21fe794a95222
 Size (httpd-2.0.51.tar.gz) = 6735558 bytes
 SHA1 (patch-aa) = 341d546fa758ae65023ff13422a3a002a7f1686b
+SHA1 (patch-ab) = aee81f0adc8c23bfd7fd3cacbcf9a4aed67d6ec2
 SHA1 (patch-ad) = 27fa3655d6ba4840296e79fa6fd96cd9de79a33a
 SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01
 SHA1 (patch-ak) = f11a86b1235d5c595fa381bbb474db4fe8448215
diff -r d1e92050a975 -r 316aedfabab8 www/apache2/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/apache2/patches/patch-ab      Tue Nov 02 10:47:01 2004 +0000
@@ -0,0 +1,29 @@
+$NetBSD: patch-ab,v 1.2.8.1 2004/11/02 10:47:01 agc Exp $
+
+http://www.apache.org/dist/httpd/patches/apply_to_2.0.51/CAN-2004-0811.patch
+
+SECURITY: CAN-2004-0811 (cve.mitre.org)
+
+Fix merging of the Satisfy directive, which was applied to
+the surrounding context and could allow access despite configured
+authentication.  (a regression in 2.0.51)
+
+Apache PR: 31315
+Submitted by:  Rici Lake <rici ricilake.net>
+
+--- server/core.c      2004/08/31 08:16:56     1.225.2.27
++++ server/core.c      2004/09/21 13:21:16     1.225.2.28
+@@ -351,9 +351,13 @@
+     /* Otherwise we simply use the base->sec_file array
+      */
+ 
++    /* use a separate ->satisfy[] array either way */
++    conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS);
+     for (i = 0; i < METHODS; ++i) {
+         if (new->satisfy[i] != SATISFY_NOSPEC) {
+             conf->satisfy[i] = new->satisfy[i];
++        } else {
++            conf->satisfy[i] = base->satisfy[i];
+         }
+     }
+ 
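Review bot: In the server/core.c hunk, conf->satisfy now comes from apr_palloc, which returns uninitialized memory, so the fix is only correct because the loop writes every one of the METHODS slots. The new else branch copying base->satisfy[i] is therefore load-bearing, and a short comment on it saying so would keep a later edit from dropping it and leaving unset entries. The added comment "use a separate ->satisfy[] array either way" could also say why: going by the description above, writing new->satisfy[i] into an array that was not private to conf is what let a nested Satisfy take effect in the surrounding context. Because this is an access-control regression, it is worth verifying the rebuilt package against a configuration where a directory requiring authentication contains a subdirectory with its own Satisfy setting, and confirming the parent still demands credentials.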


