CVS commit: pkgsrc/www/apache24

["Adam Ciarcinski" <adam%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   adam
Date:           Tue Mar 15 05:46:54 UTC 2022

Modified Files:
        pkgsrc/www/apache24: Makefile distinfo
        pkgsrc/www/apache24/patches: patch-configure

Log Message:
apache24: updated to 2.4.53

Changes with Apache 2.4.53

*) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
   (cve.mitre.org)
   Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
   Server allows an attacker to overwrite heap memory with possibly
   attacker provided data.
   This issue affects Apache HTTP Server 2.4 version 2.4.52 and
   prior versions.

*) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
   very large or unlimited LimitXMLRequestBody (cve.mitre.org)
   If LimitXMLRequestBody is set to allow request bodies larger
   than 350MB (defaults to 1M) on 32 bit systems an integer
   overflow happens which later causes out of bounds writes.
   This issue affects Apache HTTP Server 2.4.52 and earlier.
   Credits: Anonymous working with Trend Micro Zero Day Initiative

*) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
   in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
   Apache HTTP Server 2.4.52 and earlier fails to close inbound
   connection when errors are encountered discarding the request
   body, exposing the server to HTTP Request Smuggling

*) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of
   in r:parsebody (cve.mitre.org)
   A carefully crafted request body can cause a read to a random
   memory area which could cause the process to crash.
   This issue affects Apache HTTP Server 2.4.52 and earlier.

*) core: Make sure and check that LimitXMLRequestBody fits in system memory.

*) core: Simpler connection close logic if discarding the request body fails.

*) mod_http2: preserve the port number given in a HTTP/1.1
   request that was Upgraded to HTTP/2.

*) mod_proxy: Allow for larger worker name.

*) dbm: Split the loading of a dbm driver from the opening of a dbm file. When
   an attempt to load a dbm driver fails, log clearly which driver triggered
   the error (not "default"), and what the error was.

*) mod_proxy: Use the maxium of front end and backend timeouts instead of the
   minimum when tunneling requests (websockets, CONNECT requests).
   Backend timeouts can be configured more selectively (per worker if needed)
   as front end timeouts and typically the backend timeouts reflect the
   application requirements better.

*) ap_regex: Use Thread Local Storage (TLS) to recycle ap_regexec() buffers
   when an efficient TLS implementation is available.

*) core, mod_info: Add compiled and loaded PCRE versions to version
   number display.

*) mod_md: do not interfere with requests to /.well-known/acme-challenge/
   resources if challenge type 'http-01' is not configured for a domain.
   Fixes <https://github.com/icing/mod_md/issues/279>.

*) mod_dav: Fix regression when gathering properties which could lead to huge
   memory consumption proportional to the number of resources.

*) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x)
   for regular expression evaluation. This depends on locating pcre2-config.

*) Add the ldap function to the expression API, allowing LDAP filters and
   distinguished names based on expressions to be escaped correctly to
   guard against LDAP injection.

*) mod_md: the status description in MDomain's JSON, exposed in the
   md-status handler (if configured) did sometimes not carry the correct
   message when certificates needed renew.

*) mpm_event: Fix a possible listener deadlock on heavy load when restarting
   and/or reaching MaxConnectionsPerChild.


To generate a diff of this commit:
cvs rdiff -u -r1.108 -r1.109 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.51 -r1.52 pkgsrc/www/apache24/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/www/apache24/patches/patch-configure

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.108 pkgsrc/www/apache24/Makefile:1.109
--- pkgsrc/www/apache24/Makefile:1.108  Tue Dec 21 09:18:37 2021
+++ pkgsrc/www/apache24/Makefile        Tue Mar 15 05:46:54 2022
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.108 2021/12/21 09:18:37 adam Exp $
+# $NetBSD: Makefile,v 1.109 2022/03/15 05:46:54 adam Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=      httpd-2.4.52
+DISTNAME=      httpd-2.4.53
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}
@@ -45,7 +45,7 @@ BUILDLINK_API_DEPENDS.apr+=   apr>=1.5.0
 .include "../../devel/apr/buildlink3.mk"
 BUILDLINK_API_DEPENDS.apr-util+=       apr-util>=1.5.3
 .include "../../devel/apr-util/buildlink3.mk"
-.include "../../devel/pcre/buildlink3.mk"
+.include "../../devel/pcre2/buildlink3.mk"
 .include "../../security/openssl/buildlink3.mk"
 .include "../../textproc/expat/buildlink3.mk"
 .include "../../mk/dlopen.buildlink3.mk"

Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.51 pkgsrc/www/apache24/distinfo:1.52
--- pkgsrc/www/apache24/distinfo:1.51   Tue Dec 21 09:18:37 2021
+++ pkgsrc/www/apache24/distinfo        Tue Mar 15 05:46:54 2022
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.51 2021/12/21 09:18:37 adam Exp $
+$NetBSD: distinfo,v 1.52 2022/03/15 05:46:54 adam Exp $
 
-BLAKE2s (httpd-2.4.52.tar.bz2) = 3548e78a90ea83cf0c18c5203e04ff443932ec1a692ff1522412db892b0c9a35
-SHA512 (httpd-2.4.52.tar.bz2) = 97c021c576022a9d32f4a390f62e07b5f550973aef2f299fd52defce1a9fa5d27bd4a676e7bf214373ba46063d34aecce42de62fdd93678a4e925cfcbb2afdf6
-Size (httpd-2.4.52.tar.bz2) = 7439184 bytes
+BLAKE2s (httpd-2.4.53.tar.bz2) = 9e94c81d1fdf55e3f0d708a4665a7276f635c2862cd47816c97a24ba9b9cbe75
+SHA512 (httpd-2.4.53.tar.bz2) = 07ef59594251a30a864cc9cc9a58ab788c2d006cef85b728f29533243927c63cb063e0867f2a306f37324c3adb9cf7dcb2402f3516b05c2c6f32469d475dd756
+Size (httpd-2.4.53.tar.bz2) = 7431942 bytes
 SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157
@@ -12,6 +12,6 @@ SHA1 (patch-ai) = d3870e46e41adc97c3fce8
 SHA1 (patch-al) = 02d9ade5aac4270182063d5ad413970c832ee911
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
-SHA1 (patch-configure) = f264b68afe3473fbdaf2609b5b7675cca41bf356
+SHA1 (patch-configure) = 7426d8b053cfe89c5e37b0a4591f2eba2a8ca17f
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
 SHA1 (patch-modules_filters_mod_substitute.c) = 730af0342b78de04fe51b7dcc3ed057b2b0c3a54

Index: pkgsrc/www/apache24/patches/patch-configure
diff -u pkgsrc/www/apache24/patches/patch-configure:1.1 pkgsrc/www/apache24/patches/patch-configure:1.2
--- pkgsrc/www/apache24/patches/patch-configure:1.1     Tue Dec 21 09:18:38 2021
+++ pkgsrc/www/apache24/patches/patch-configure Tue Mar 15 05:46:54 2022
@@ -1,9 +1,9 @@
-$NetBSD: patch-configure,v 1.1 2021/12/21 09:18:38 adam Exp $
+$NetBSD: patch-configure,v 1.2 2022/03/15 05:46:54 adam Exp $
 
---- configure.orig     2021-12-16 13:49:07.000000000 +0000
+--- configure.orig     2022-03-09 14:17:37.000000000 +0000
 +++ configure
-@@ -41857,7 +41857,6 @@ printf "%s\n" "#define SERVER_CONFIG_FIL
- printf "%s\n" "#define AP_TYPES_CONFIG_FILE \"${rel_sysconfdir}/mime.types\"" >>confdefs.h
+@@ -41155,7 +41155,6 @@ cat >>confdefs.h <<_ACEOF
+ _ACEOF
  
  
 -perlbin=`$ac_aux_dir/PrintPath perl`