pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: [pkgsrc-2016Q2] pkgsrc/www/apache24
Module Name: pkgsrc
Committed By: bsiegert
Date: Wed Sep 7 18:08:36 UTC 2016
Modified Files:
pkgsrc/www/apache24 [pkgsrc-2016Q2]: Makefile distinfo
Added Files:
pkgsrc/www/apache24/patches [pkgsrc-2016Q2]:
patch-server_util__script.c
Log Message:
Pullup ticket #5093 - requested by taca
www/apache24: security fix
Revisions pulled up:
- www/apache24/Makefile 1.48
- www/apache24/distinfo 1.26
- www/apache24/patches/patch-server_util__script.c 1.1
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Jul 29 11:11:25 UTC 2016
Modified Files:
pkgsrc/www/apache24: Makefile distinfo
Added Files:
pkgsrc/www/apache24/patches: patch-server_util__script.c
Log Message:
Fix httpoxy vulnerability.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.45.2.1 -r1.45.2.2 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.24.2.1 -r1.24.2.2 pkgsrc/www/apache24/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
pkgsrc/www/apache24/patches/patch-server_util__script.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.45.2.1 pkgsrc/www/apache24/Makefile:1.45.2.2
--- pkgsrc/www/apache24/Makefile:1.45.2.1 Wed Jul 20 04:59:21 2016
+++ pkgsrc/www/apache24/Makefile Wed Sep 7 18:08:36 2016
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.45.2.1 2016/07/20 04:59:21 spz Exp $
+# $NetBSD: Makefile,v 1.45.2.2 2016/09/07 18:08:36 bsiegert Exp $
#
# When updating this package, make sure that no strings like
# "PR 12345" are in the commit message. Upstream likes
@@ -7,6 +7,7 @@
DISTNAME= httpd-2.4.23
PKGNAME= ${DISTNAME:S/httpd/apache/}
+PKGREVISION= 2
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
http://archive.apache.org/dist/httpd/ \
Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.24.2.1 pkgsrc/www/apache24/distinfo:1.24.2.2
--- pkgsrc/www/apache24/distinfo:1.24.2.1 Wed Jul 20 04:59:21 2016
+++ pkgsrc/www/apache24/distinfo Wed Sep 7 18:08:36 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.24.2.1 2016/07/20 04:59:21 spz Exp $
+$NetBSD: distinfo,v 1.24.2.2 2016/09/07 18:08:36 bsiegert Exp $
SHA1 (httpd-2.4.23.tar.bz2) = 5101be34ac4a509b245adb70a56690a84fcc4e7f
RMD160 (httpd-2.4.23.tar.bz2) = 01a485281ededaaf932c9478ad078879a63254bc
@@ -15,3 +15,4 @@ SHA1 (patch-al) = 02d9ade5aac4270182063d
SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
+SHA1 (patch-server_util__script.c) = e106f9d7157a5eaf34ef9b1fb445d517c7712aa2
Added files:
Index: pkgsrc/www/apache24/patches/patch-server_util__script.c
diff -u /dev/null pkgsrc/www/apache24/patches/patch-server_util__script.c:1.1.2.2
--- /dev/null Wed Sep 7 18:08:36 2016
+++ pkgsrc/www/apache24/patches/patch-server_util__script.c Wed Sep 7 18:08:36 2016
@@ -0,0 +1,22 @@
+$NetBSD: patch-server_util__script.c,v 1.1.2.2 2016/09/07 18:08:36 bsiegert Exp $
+
+Fix httpoxy vulnerability.
+https://www.apache.org/security/asf-httpoxy-response.txt
+
+--- server/util_script.c.orig 2016-04-27 13:03:00.000000000 +0000
++++ server/util_script.c
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+ }
++ /* HTTP_PROXY collides with a popular envvar used to configure
++ * proxies, don't let clients set/override it. But, if you must...
++ */
++#ifndef SECURITY_HOLE_PASS_PROXY
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++ ;
++ }
++#endif
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them
Home |
Main Index |
Thread Index |
Old Index