pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/www/apache24



Module Name:    pkgsrc
Committed By:   adam
Date:           Tue Dec 21 09:18:38 UTC 2021

Modified Files:
        pkgsrc/www/apache24: Makefile PLIST distinfo
Added Files:
        pkgsrc/www/apache24/patches: patch-configure
Removed Files:
        pkgsrc/www/apache24/patches: patch-ac

Log Message:
apache24: updated to 2.4.52

Changes with Apache 2.4.52

*) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
   multipart content in mod_lua of Apache HTTP Server 2.4.51 and
   earlier (cve.mitre.org)
   A carefully crafted request body can cause a buffer overflow in
   the mod_lua multipart parser (r:parsebody() called from Lua
   scripts).
   The Apache httpd team is not aware of an exploit for the
   vulnerabilty though it might be possible to craft one.
   This issue affects Apache HTTP Server 2.4.51 and earlier.
   Credits: Chamal

*) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
   forward proxy configurations in Apache HTTP Server 2.4.51 and
   earlier (cve.mitre.org)
   A crafted URI sent to httpd configured as a forward proxy
   (ProxyRequests on) can cause a crash (NULL pointer dereference)
   or, for configurations mixing forward and reverse proxy
   declarations, can allow for requests to be directed to a
   declared Unix Domain Socket endpoint (Server Side Request
   Forgery).
   This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
   (included).
   Credits: 柂于éź
   TengMA(@Te3t123)

*) http: Enforce that fully qualified uri-paths not to be forward-proxied
   have an http(s) scheme, and that the ones to be forward proxied have a
   hostname, per HTTP specifications.

*) OpenSSL autoconf detection improvement: pick up openssl.pc in the
   specified openssl path.

*) mod_proxy_connect, mod_proxy: Do not change the status code after we
   already sent it to the client.

*) mod_http: Correctly sent a 100 Continue status code when sending an interim
   response as result of an Expect: 100-Continue in the request and not the
   current status code of the request.

*) mod_dav: Some DAV extensions, like CalDAV, specify both document
   elements and property elements that need to be taken into account
   when generating a property. The document element and property element
   are made available in the dav_liveprop_elem structure by calling
   dav_get_liveprop_element().

*) mod_dav: Add utility functions dav_validate_root_ns(),
   dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
   dav_find_attr() so that other modules get to play too.

*) mpm_event: Restart stopping of idle children after a load peak.

*) mod_http2: fixes 2 regressions in server limit handling.
   1. When reaching server limits, such as MaxRequestsPerChild, the
      HTTP/2 connection send a GOAWAY frame much too early on new
      connections, leading to invalid protocol state and a client
      failing the request.
      The module now initializes the HTTP/2 protocol correctly and
      allows the client to submit one request before the shutdown
      via a GOAWAY frame is being announced.
   2. A regression in v1.15.24 was fixed that could lead to httpd
      child processes not being terminated on a graceful reload or
      when reaching MaxConnectionsPerChild. When unprocessed h2
      requests were queued at the time, these could stall.
      See <https://github.com/icing/mod_h2/issues/212>.

*) mod_ssl: Add build support for OpenSSL v3.

*) mod_proxy_connect: Honor the smallest of the backend or client timeout
   while tunneling.

*) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
   half-close forwarding when tunneling protocols.

*) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
   a third-party module.

*) mod_md: Fix memory leak in case of failures to load the private key.

*) mod_md: adding v2.4.8 with the following changes
  - Added support for ACME External Account Binding (EAB).
    Use the new directive `MDExternalAccountBinding` to provide the
    server with the value for key identifier and hmac as provided by
    your CA.
    While working on some servers, EAB handling is not uniform
    across CAs. First tests with a Sectigo Certificate Manager in
    demo mode are successful. But ZeroSSL, for example, seems to
    regard EAB values as a one-time-use-only thing, which makes them
    fail if you create a seconde account or retry the creation of the
    first account with the same EAB.
  - The directive 'MDCertificateAuthority' now checks if its parameter
    is a http/https url or one of a set of known names. Those are
    'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
    for now and they are not case-sensitive.
    The default of LetsEncrypt is unchanged.
  - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
    section.
  - Treating 401 HTTP status codes for orders like 403, since some ACME
    servers seem to prefer that for accessing oders from other accounts.
  - When retrieving certificate chains, try to read the repsonse even
    if the HTTP Content-Type is unrecognized.
  - Fixed a bug that reset the error counter of a certificate renewal
    and prevented the increasing delays in further attempts.
  - Fixed the renewal process giving up every time on an already existing
    order with some invalid domains. Now, if such are seen in a previous
    order, a new order is created for a clean start over again.
    See <https://github.com/icing/mod_md/issues/268>
  - Fixed a mixup in md-status handler when static certificate files
    and renewal was configured at the same time.

*) mod_md: values for External Account Binding (EAB) can
   now also be configured to be read from a separate JSON
   file. This allows to keep server configuration permissions
   world readable without exposing secrets.

*) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.


To generate a diff of this commit:
cvs rdiff -u -r1.107 -r1.108 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.34 -r1.35 pkgsrc/www/apache24/PLIST
cvs rdiff -u -r1.50 -r1.51 pkgsrc/www/apache24/distinfo
cvs rdiff -u -r1.1.1.1 -r0 pkgsrc/www/apache24/patches/patch-ac
cvs rdiff -u -r0 -r1.1 pkgsrc/www/apache24/patches/patch-configure

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.107 pkgsrc/www/apache24/Makefile:1.108
--- pkgsrc/www/apache24/Makefile:1.107  Wed Dec  8 16:06:54 2021
+++ pkgsrc/www/apache24/Makefile        Tue Dec 21 09:18:37 2021
@@ -1,13 +1,12 @@
-# $NetBSD: Makefile,v 1.107 2021/12/08 16:06:54 adam Exp $
+# $NetBSD: Makefile,v 1.108 2021/12/21 09:18:37 adam Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=      httpd-2.4.51
+DISTNAME=      httpd-2.4.52
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}
 MASTER_SITES+= https://archive.apache.org/dist/httpd/

Index: pkgsrc/www/apache24/PLIST
diff -u pkgsrc/www/apache24/PLIST:1.34 pkgsrc/www/apache24/PLIST:1.35
--- pkgsrc/www/apache24/PLIST:1.34      Fri Jun  4 09:47:15 2021
+++ pkgsrc/www/apache24/PLIST   Tue Dec 21 09:18:37 2021
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.34 2021/06/04 09:47:15 wiz Exp $
+@comment $NetBSD: PLIST,v 1.35 2021/12/21 09:18:37 adam Exp $
 bin/ab
 bin/apxs
 bin/dbmmanage
@@ -1256,6 +1256,8 @@ share/httpd/manual/mod/mod_suexec.html.t
 share/httpd/manual/mod/mod_systemd.html
 share/httpd/manual/mod/mod_systemd.html.en
 share/httpd/manual/mod/mod_systemd.html.fr.utf8
+share/httpd/manual/mod/mod_tls.html
+share/httpd/manual/mod/mod_tls.html.en
 share/httpd/manual/mod/mod_unique_id.html
 share/httpd/manual/mod/mod_unique_id.html.en
 share/httpd/manual/mod/mod_unique_id.html.fr.utf8

Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.50 pkgsrc/www/apache24/distinfo:1.51
--- pkgsrc/www/apache24/distinfo:1.50   Tue Oct 26 11:29:20 2021
+++ pkgsrc/www/apache24/distinfo        Tue Dec 21 09:18:37 2021
@@ -1,11 +1,10 @@
-$NetBSD: distinfo,v 1.50 2021/10/26 11:29:20 nia Exp $
+$NetBSD: distinfo,v 1.51 2021/12/21 09:18:37 adam Exp $
 
-BLAKE2s (httpd-2.4.51.tar.bz2) = f3d4b11de08672ab5759ce1951294d2b27c8c48975121c7c6e03d6ff928ae30b
-SHA512 (httpd-2.4.51.tar.bz2) = 9fb07c4b176f5c0485a143e2b1bb1085345ca9120b959974f68c37a8911a57894d2cb488b1b42fdf3102860b99e890204f5e9fa7ae3828b481119c563812cc66
-Size (httpd-2.4.51.tar.bz2) = 7653609 bytes
+BLAKE2s (httpd-2.4.52.tar.bz2) = 3548e78a90ea83cf0c18c5203e04ff443932ec1a692ff1522412db892b0c9a35
+SHA512 (httpd-2.4.52.tar.bz2) = 97c021c576022a9d32f4a390f62e07b5f550973aef2f299fd52defce1a9fa5d27bd4a676e7bf214373ba46063d34aecce42de62fdd93678a4e925cfcbb2afdf6
+Size (httpd-2.4.52.tar.bz2) = 7439184 bytes
 SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
-SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d
 SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157
 SHA1 (patch-ae) = 5bd3bf54e792bf8a2916d7e1b49b1702b02c6903
 SHA1 (patch-ag) = 50c7f0fab1cb90ac573f1c47f2d37f9c2a6247e1
@@ -13,5 +12,6 @@ SHA1 (patch-ai) = d3870e46e41adc97c3fce8
 SHA1 (patch-al) = 02d9ade5aac4270182063d5ad413970c832ee911
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
+SHA1 (patch-configure) = f264b68afe3473fbdaf2609b5b7675cca41bf356
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
 SHA1 (patch-modules_filters_mod_substitute.c) = 730af0342b78de04fe51b7dcc3ed057b2b0c3a54

Added files:

Index: pkgsrc/www/apache24/patches/patch-configure
diff -u /dev/null pkgsrc/www/apache24/patches/patch-configure:1.1
--- /dev/null   Tue Dec 21 09:18:38 2021
+++ pkgsrc/www/apache24/patches/patch-configure Tue Dec 21 09:18:38 2021
@@ -0,0 +1,12 @@
+$NetBSD: patch-configure,v 1.1 2021/12/21 09:18:38 adam Exp $
+
+--- configure.orig     2021-12-16 13:49:07.000000000 +0000
++++ configure
+@@ -41857,7 +41857,6 @@ printf "%s\n" "#define SERVER_CONFIG_FIL
+ printf "%s\n" "#define AP_TYPES_CONFIG_FILE \"${rel_sysconfdir}/mime.types\"" >>confdefs.h
+ 
+ 
+-perlbin=`$ac_aux_dir/PrintPath perl`
+ if test "x$perlbin" = "x"; then
+     perlbin="/replace/with/path/to/perl/interpreter"
+ fi



Home | Main Index | Thread Index | Old Index