pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/www/apache22 Update "apache" package to version 2.2.22...
details: https://anonhg.NetBSD.org/pkgsrc/rev/dc8d4c0692a4
branches: trunk
changeset: 598911:dc8d4c0692a4
user: tron <tron%pkgsrc.org@localhost>
date: Wed Feb 01 19:53:21 2012 +0000
description:
Update "apache" package to version 2.2.22. Changes since 2.2.21:
- SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations. [Joe Orton]
- SECURITY: CVE-2011-3607 (cve.mitre.org)
Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
is enabled, could allow local users to gain privileges via a .htaccess
file. [Stefan Fritsch, Greg Ames]
- SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.
[Joe Orton]
- SECURITY: CVE-2012-0021 (cve.mitre.org)
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17. Bug#52256.
[Rainer Canavan <rainer-apache 7val com>]
- SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which could allow an unprivileged child process
could cause the parent to crash at shutdown rather than terminate
cleanly. [Joe Orton]
- SECURITY: CVE-2012-0053 (cve.mitre.org)
Fix an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]
- mod_proxy_ajp: Try to prevent a single long request from marking a worker
in error. [Jean-Frederic Clere]
- config: Update the default mod_ssl configuration: Disable SSLv2, only
allow >= 128bit ciphers, add commented example for speed optimized cipher
list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]
- core: Fix segfault in ap_send_interim_response(). Bug#52315.
[Stefan Fritsch]
- mod_log_config: Prevent segfault. Bug#50861. [Torsten Foertsch
<torsten.foertsch gmx.net>]
- mod_win32: Invert logic for env var UTF-8 fixing.
Now we exclude a list of vars which we know for sure they dont hold UTF-8
chars; all other vars will be fixed. This has the benefit that now also
all vars from 3rd-party modules will be fixed. Bug#13029 / 34985.
[Guenter Knauf]
- core: Fix hook sorting for Perl modules, a regression introduced in
2.2.21. Bug#45076. [Torsten Foertsch <torsten foertsch gmx net>]
- Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
A range of '0-' will now return 206 instead of 200. Bug#51878.
[Jim Jagielski]
- Example configuration: Fix entry for MaxRanges (use "unlimited" instead
of "0"). [Rainer Jung]
- mod_substitute: Fix buffer overrun. [Ruediger Pluem, Rainer Jung]
Please note that all the security fixes had been integrated into
"pkgsrc" as patches previously.
diffstat:
www/apache22/Makefile | 9 +-
www/apache22/PLIST | 16 +-
www/apache22/distinfo | 16 +-
www/apache22/patches/patch-CVE-2012-0021 | 42 ----
www/apache22/patches/patch-af | 8 +-
www/apache22/patches/patch-modules_mappers_mod_rewrite.c | 35 ----
www/apache22/patches/patch-modules_proxy_mod_proxy.c | 35 ----
www/apache22/patches/patch-server_protocol.c | 129 ---------------
www/apache22/patches/patch-server_scoreboard.c | 33 ---
www/apache22/patches/patch-server_util.c | 26 ---
10 files changed, 25 insertions(+), 324 deletions(-)
diffs (truncated from 478 to 300 lines):
diff -r 6deb1e5114b4 -r dc8d4c0692a4 www/apache22/Makefile
--- a/www/apache22/Makefile Wed Feb 01 19:31:51 2012 +0000
+++ b/www/apache22/Makefile Wed Feb 01 19:53:21 2012 +0000
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.78 2012/01/29 12:29:07 tron Exp $
+# $NetBSD: Makefile,v 1.79 2012/02/01 19:53:21 tron Exp $
-DISTNAME= httpd-2.2.21
+DISTNAME= httpd-2.2.22
PKGNAME= ${DISTNAME:S/httpd/apache/}
-PKGREVISION= 7
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
http://archive.apache.org/dist/httpd/ \
@@ -122,8 +121,8 @@
FIX_PERMS= apachectl apxs dbmmanage envvars-std mkcert
FIX_MAN_PERMS= man1/htdbm.1 man1/htpasswd.1 man1/htdigest.1
FIX_MAN_PERMS+= man1/dbmmanage.1 man8/httpd.8 man8/suexec.8
-FIX_MAN_PERMS+= man8/rotatelogs.8 man8/logresolve.8 man8/apxs.8
-FIX_MAN_PERMS+= man8/apachectl.8 man8/ab.8
+FIX_MAN_PERMS+= man8/rotatelogs.8 man1/logresolve.1 man1/apxs.1
+FIX_MAN_PERMS+= man8/apachectl.8 man1/ab.1 man1/httxt2dbm.1
# Fix paths in the apache manpages.
SUBST_CLASSES+= man
diff -r 6deb1e5114b4 -r dc8d4c0692a4 www/apache22/PLIST
--- a/www/apache22/PLIST Wed Feb 01 19:31:51 2012 +0000
+++ b/www/apache22/PLIST Wed Feb 01 19:53:21 2012 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.19 2011/05/12 06:50:44 tron Exp $
+@comment $NetBSD: PLIST,v 1.20 2012/02/01 19:53:21 tron Exp $
${PLIST.suexec}sbin/suexec
include/httpd/ap_compat.h
include/httpd/ap_config.h
@@ -127,16 +127,17 @@
${PLIST.all-shared}lib/httpd/mod_vhost_alias.so
libexec/cgi-bin/printenv
libexec/cgi-bin/test-cgi
+man/man1/ab.1
+man/man1/apxs.1
man/man1/dbmmanage.1
man/man1/htdbm.1
man/man1/htdigest.1
man/man1/htpasswd.1
-man/man8/ab.8
+man/man1/httxt2dbm.1
+man/man1/logresolve.1
man/man8/apachectl.8
-man/man8/apxs.8
man/man8/htcacheclean.8
man/man8/httpd.8
-man/man8/logresolve.8
man/man8/rotatelogs.8
man/man8/suexec.8
sbin/ab
@@ -618,6 +619,7 @@
share/httpd/manual/license.html.en
share/httpd/manual/logs.html
share/httpd/manual/logs.html.en
+share/httpd/manual/logs.html.fr
share/httpd/manual/logs.html.ja.utf8
share/httpd/manual/logs.html.ko.euc-kr
share/httpd/manual/logs.html.tr.utf8
@@ -892,11 +894,14 @@
share/httpd/manual/mod/mod_proxy_connect.html.ja.utf8
share/httpd/manual/mod/mod_proxy_ftp.html
share/httpd/manual/mod/mod_proxy_ftp.html.en
+share/httpd/manual/mod/mod_proxy_ftp.html.ja.utf8
share/httpd/manual/mod/mod_proxy_http.html
share/httpd/manual/mod/mod_proxy_http.html.en
share/httpd/manual/mod/mod_proxy_http.html.fr
+share/httpd/manual/mod/mod_proxy_http.html.ja.utf8
share/httpd/manual/mod/mod_proxy_scgi.html
share/httpd/manual/mod/mod_proxy_scgi.html.en
+share/httpd/manual/mod/mod_proxy_scgi.html.ja.utf8
share/httpd/manual/mod/mod_reqtimeout.html
share/httpd/manual/mod/mod_reqtimeout.html.en
share/httpd/manual/mod/mod_rewrite.html
@@ -1007,6 +1012,7 @@
share/httpd/manual/new_features_2_2.html
share/httpd/manual/new_features_2_2.html.en
share/httpd/manual/new_features_2_2.html.fr
+share/httpd/manual/new_features_2_2.html.ja.utf8
share/httpd/manual/new_features_2_2.html.ko.euc-kr
share/httpd/manual/new_features_2_2.html.pt-br
share/httpd/manual/new_features_2_2.html.tr.utf8
@@ -1074,6 +1080,7 @@
share/httpd/manual/programs/index.html
share/httpd/manual/programs/index.html.en
share/httpd/manual/programs/index.html.es
+share/httpd/manual/programs/index.html.ja.utf8
share/httpd/manual/programs/index.html.ko.euc-kr
share/httpd/manual/programs/index.html.ru.koi8-r
share/httpd/manual/programs/index.html.tr.utf8
@@ -1190,6 +1197,7 @@
share/httpd/manual/upgrading.html.de
share/httpd/manual/upgrading.html.en
share/httpd/manual/upgrading.html.fr
+share/httpd/manual/upgrading.html.ja.utf8
share/httpd/manual/urlmapping.html
share/httpd/manual/urlmapping.html.en
share/httpd/manual/urlmapping.html.ja.utf8
diff -r 6deb1e5114b4 -r dc8d4c0692a4 www/apache22/distinfo
--- a/www/apache22/distinfo Wed Feb 01 19:31:51 2012 +0000
+++ b/www/apache22/distinfo Wed Feb 01 19:53:21 2012 +0000
@@ -1,24 +1,18 @@
-$NetBSD: distinfo,v 1.49 2012/01/29 12:29:07 tron Exp $
+$NetBSD: distinfo,v 1.50 2012/02/01 19:53:21 tron Exp $
-SHA1 (httpd-2.2.21.tar.bz2) = c02f9b05da9a7e316ff37d9053dc76a57ba51cb4
-RMD160 (httpd-2.2.21.tar.bz2) = 6464a03d78ab858b1288ea9eef4cd5f73b60a9f1
-Size (httpd-2.2.21.tar.bz2) = 5324905 bytes
-SHA1 (patch-CVE-2012-0021) = 8c44c591ffa3a4ca32de47c71d1aa8470de81f1e
+SHA1 (httpd-2.2.22.tar.bz2) = 766cd0843050a8dfb781e48b976f3ba6ebcf8696
+RMD160 (httpd-2.2.22.tar.bz2) = 237a26a7759e7e1af175900d598e25fb082a4eb9
+Size (httpd-2.2.22.tar.bz2) = 5378934 bytes
SHA1 (patch-aa) = e0bfdf6bc9cb034bea46a390a12a5508e363c9a7
SHA1 (patch-ab) = 365cc3b0ac2d9d68ccb94f5699fe168a1c9b0150
SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
-SHA1 (patch-af) = 312d3bce5e1bf6e747b5f0f313d89bf5b4636392
+SHA1 (patch-af) = 580950dbf0154ba1c93f5c58eae766c7d6c0c00c
SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01
SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312
SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1
SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4
SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1
-SHA1 (patch-modules_mappers_mod_rewrite.c) = de7bbdf02dda38e2542e4967ee6f22745ec0f118
-SHA1 (patch-modules_proxy_mod_proxy.c) = bab58b70eee22d7c08be9a4a9ada3fad886fa796
SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1
-SHA1 (patch-server_protocol.c) = dc99717704f53837dfd7b9c1018487a787dcbfd9
-SHA1 (patch-server_scoreboard.c) = 8d1e007f8d1d6a6db827a41d82369749e603a2b3
-SHA1 (patch-server_util.c) = 37e9c357618a9645222cd981f0ccb04c7987fe15
diff -r 6deb1e5114b4 -r dc8d4c0692a4 www/apache22/patches/patch-CVE-2012-0021
--- a/www/apache22/patches/patch-CVE-2012-0021 Wed Feb 01 19:31:51 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,42 +0,0 @@
-$NetBSD: patch-CVE-2012-0021,v 1.1 2012/01/29 12:29:08 tron Exp $
-
-Fix security vulnerability reported in CVE-2012-0021. Patch taken from
-Apache SVN repository:
-
-http://svn.apache.org/viewvc?view=revision&revision=1227292
-
---- modules/loggers/mod_log_config.c.orig 2010-08-24 07:41:38.000000000 +0100
-+++ modules/loggers/mod_log_config.c 2012-01-29 12:08:13.000000000 +0000
-@@ -524,19 +524,21 @@
-
- while ((cookie = apr_strtok(cookies, ";", &last1))) {
- char *name = apr_strtok(cookie, "=", &last2);
-- char *value;
-- apr_collapse_spaces(name, name);
-+ if (name) {
-+ char *value;
-+ apr_collapse_spaces(name, name);
-+
-+ if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) {
-+ char *last;
-+ value += strspn(value, " \t"); /* Move past leading WS */
-+ last = value + strlen(value) - 1;
-+ while (last >= value && apr_isspace(*last)) {
-+ *last = '\0';
-+ --last;
-+ }
-
-- if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) {
-- char *last;
-- value += strspn(value, " \t"); /* Move past leading WS */
-- last = value + strlen(value) - 1;
-- while (last >= value && apr_isspace(*last)) {
-- *last = '\0';
-- --last;
-+ return ap_escape_logitem(r->pool, value);
- }
--
-- return ap_escape_logitem(r->pool, value);
- }
- cookies = NULL;
- }
diff -r 6deb1e5114b4 -r dc8d4c0692a4 www/apache22/patches/patch-af
--- a/www/apache22/patches/patch-af Wed Feb 01 19:31:51 2012 +0000
+++ b/www/apache22/patches/patch-af Wed Feb 01 19:53:21 2012 +0000
@@ -1,10 +1,10 @@
-$NetBSD: patch-af,v 1.5 2011/03/20 03:18:21 dholland Exp $
+$NetBSD: patch-af,v 1.6 2012/02/01 19:53:21 tron Exp $
Fix markup glitch.
---- docs/man/apxs.8~ 2011-03-20 02:48:50.000000000 +0000
-+++ docs/man/apxs.8
-@@ -96,7 +96,11 @@ This explicitly sets the module name for
+--- docs/man/apxs.1.orig 2012-01-10 23:32:02.000000000 +0000
++++ docs/man/apxs.1 2012-02-01 19:18:34.000000000 +0000
+@@ -96,7 +96,11 @@
.TP
-q
diff -r 6deb1e5114b4 -r dc8d4c0692a4 www/apache22/patches/patch-modules_mappers_mod_rewrite.c
--- a/www/apache22/patches/patch-modules_mappers_mod_rewrite.c Wed Feb 01 19:31:51 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,35 +0,0 @@
-$NetBSD: patch-modules_mappers_mod_rewrite.c,v 1.1 2011/12/13 15:37:56 spz Exp $
-
-revision 1209432 from http://svn.apache.org/:
- Fix for additional cases of URL rewriting with ProxyPassMatch or
- RewriteRule, where particular request-URIs could result in undesired
- backend network exposure in some configurations. (CVE-2011-4317)
-
- Thanks to Prutha Parikh from Qualys for reporting this issue.
-
- * modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
- request-URI. Fail for cases where r->uri does not begin with a "/".
-
- * modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.
-
---- modules/mappers/mod_rewrite.c.orig 2011-09-03 22:54:25.000000000 +0000
-+++ modules/mappers/mod_rewrite.c
-@@ -4266,6 +4266,18 @@ static int hook_uri2file(request_rec *r)
- return DECLINED;
- }
-
-+ if (strcmp(r->unparsed_uri, "*") == 0) {
-+ /* Don't apply rewrite rules to "*". */
-+ return DECLINED;
-+ }
-+
-+ /* Check that the URI is valid. */
-+ if (!r->uri || r->uri[0] != '/') {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Invalid URI in request %s", r->the_request);
-+ return HTTP_BAD_REQUEST;
-+ }
-+
- /*
- * add the SCRIPT_URL variable to the env. this is a bit complicated
- * due to the fact that apache uses subrequests and internal redirects
diff -r 6deb1e5114b4 -r dc8d4c0692a4 www/apache22/patches/patch-modules_proxy_mod_proxy.c
--- a/www/apache22/patches/patch-modules_proxy_mod_proxy.c Wed Feb 01 19:31:51 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,35 +0,0 @@
-$NetBSD: patch-modules_proxy_mod_proxy.c,v 1.1 2011/12/13 15:37:57 spz Exp $
-
-revision 1209432 from http://svn.apache.org/:
- Fix for additional cases of URL rewriting with ProxyPassMatch or
- RewriteRule, where particular request-URIs could result in undesired
- backend network exposure in some configurations. (CVE-2011-4317)
-
- Thanks to Prutha Parikh from Qualys for reporting this issue.
-
- * modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
- request-URI. Fail for cases where r->uri does not begin with a "/".
-
- * modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.
-
---- modules/proxy/mod_proxy.c.orig 2010-10-07 18:51:18.000000000 +0000
-+++ modules/proxy/mod_proxy.c
-@@ -566,6 +566,18 @@ static int proxy_trans(request_rec *r)
- return OK;
- }
-
-+ if (strcmp(r->unparsed_uri, "*") == 0) {
-+ /* "*" cannot be proxied. */
-+ return DECLINED;
-+ }
-+
-+ /* Check that the URI is valid. */
-+ if (!r->uri || r->uri[0] != '/') {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Invalid URI in request %s", r->the_request);
-+ return HTTP_BAD_REQUEST;
-+ }
-+
- /* XXX: since r->uri has been manipulated already we're not really
- * compliant with RFC1945 at this point. But this probably isn't
- * an issue because this is a hybrid proxy/origin server.
diff -r 6deb1e5114b4 -r dc8d4c0692a4 www/apache22/patches/patch-server_protocol.c
--- a/www/apache22/patches/patch-server_protocol.c Wed Feb 01 19:31:51 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,129 +0,0 @@
-$NetBSD: patch-server_protocol.c,v 1.4 2012/01/29 12:29:08 tron Exp $
-
-revision 1179239 from http://svn.apache.org/:
- SECURITY (CVE-2011-3368): Prevent unintended pattern expansion
- in some reverse proxy configurations by strictly validating
- the request-URI.
-
-revision 1179525 from http://svn.apache.org/:
- SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
- reverse proxy configurations by strictly validating the request-URI:
- * server/protocol.c (read_request_line): Send a 400 response if the
- request-URI does not match the grammar from RFC 2616. This ensures
- the input string for RewriteRule et al really is an absolute path.
-
-revision 1235454 from http://svn.apache.org/:
- CVE-2012-0053: Fix an issue in error responses that could expose
- "httpOnly" cookies when no custom ErrorDocument is specified for
- status code 400.
Home |
Main Index |
Thread Index |
Old Index