CVS commit: pkgsrc/www/apache24

["Thomas Klausner" <wiz%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   wiz
Date:           Mon Sep 18 13:24:05 UTC 2017

Modified Files:
        pkgsrc/www/apache24: Makefile distinfo
Added Files:
        pkgsrc/www/apache24/patches: patch-server_core.c

Log Message:
apache24: fix "Optionsbleed" security bug

See https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.30 -r1.31 pkgsrc/www/apache24/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/www/apache24/patches/patch-server_core.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.60 pkgsrc/www/apache24/Makefile:1.61
--- pkgsrc/www/apache24/Makefile:1.60   Thu Aug 24 20:03:41 2017
+++ pkgsrc/www/apache24/Makefile        Mon Sep 18 13:24:05 2017
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.60 2017/08/24 20:03:41 adam Exp $
+# $NetBSD: Makefile,v 1.61 2017/09/18 13:24:05 wiz Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
@@ -7,7 +7,7 @@
 
 DISTNAME=      httpd-2.4.27
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}
 MASTER_SITES+= http://archive.apache.org/dist/httpd/

Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.30 pkgsrc/www/apache24/distinfo:1.31
--- pkgsrc/www/apache24/distinfo:1.30   Wed Jul 12 07:01:34 2017
+++ pkgsrc/www/apache24/distinfo        Mon Sep 18 13:24:05 2017
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.30 2017/07/12 07:01:34 adam Exp $
+$NetBSD: distinfo,v 1.31 2017/09/18 13:24:05 wiz Exp $
 
 SHA1 (httpd-2.4.27.tar.bz2) = 699e4e917e8fb5fd7d0ce7e009f8256ed02ec6fc
 RMD160 (httpd-2.4.27.tar.bz2) = 46f601f58de77eb11fa4c7ea35fa0858d2f4d289
@@ -15,3 +15,4 @@ SHA1 (patch-al) = 02d9ade5aac4270182063d
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
+SHA1 (patch-server_core.c) = 9f32577f350553b40848bef6af5e9db1d40af3d8

Added files:

Index: pkgsrc/www/apache24/patches/patch-server_core.c
diff -u /dev/null pkgsrc/www/apache24/patches/patch-server_core.c:1.1
--- /dev/null   Mon Sep 18 13:24:05 2017
+++ pkgsrc/www/apache24/patches/patch-server_core.c     Mon Sep 18 13:24:05 2017
@@ -0,0 +1,20 @@
+$NetBSD: patch-server_core.c,v 1.1 2017/09/18 13:24:05 wiz Exp $
+
+Fix security problem using upstream patch.
+://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
+
+--- server/core.c.orig 2016-12-05 14:34:29.000000000 +0000
++++ server/core.c
+@@ -2262,6 +2262,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_
+             /* method has not been registered yet, but resource restriction
+              * is always checked before method handling, so register it.
+              */
++            if (cmd->pool == cmd->temp_pool) {
++                /* In .htaccess, we can't globally register new methods. */
++                return apr_psprintf(cmd->pool, "Could not register method '%s' "
++                                   "for %s from .htaccess configuration",
++                                    method, cmd->cmd->name);
++            }
+             methnum = ap_method_register(cmd->pool,
+                                          apr_pstrdup(cmd->pool, method));
+         }