pkgsrc-Changes archive


CVS commit: [pkgsrc-2024Q1] pkgsrc/www/apache24



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Mon Apr  8 18:03:27 UTC 2024

Modified Files:
        pkgsrc/www/apache24 [pkgsrc-2024Q1]: Makefile distinfo
        pkgsrc/www/apache24/patches [pkgsrc-2024Q1]: patch-configure
Removed Files:
        pkgsrc/www/apache24/patches [pkgsrc-2024Q1]:
            patch-modules_filters_mod__xml2enc.c

Log Message:
Pullup ticket #6843 - requested by taca
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.124
- www/apache24/distinfo                                         1.62
- www/apache24/patches/patch-configure                          1.5
- www/apache24/patches/patch-modules_filters_mod__xml2enc.c     deleted

---
   Module Name: pkgsrc
   Committed By:        adam
   Date:                Fri Apr  5 09:31:38 UTC 2024

   Modified Files:
        pkgsrc/www/apache24: Makefile distinfo
        pkgsrc/www/apache24/patches: patch-configure
   Removed Files:
        pkgsrc/www/apache24/patches: patch-modules_filters_mod__xml2enc.c

   Log Message:
   apache24: updated to 2.4.59

   Changes with Apache 2.4.59

   *) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
      memory exhaustion on endless continuation frames (cve.mitre.org)
      HTTP/2 incoming headers exceeding the limit are temporarily
      buffered in nghttp2 in order to generate an informative HTTP 413
      response. If a client does not stop sending headers, this leads
      to memory exhaustion.
      Credits: Bartek Nowotarski (https://nowotarski.info/)

   *) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
      Splitting in multiple modules (cve.mitre.org)
      HTTP Response splitting in multiple modules in Apache HTTP
      Server allows an attacker that can inject malicious response
      headers into backend applications to cause an HTTP
      desynchronization attack.
      Users are recommended to upgrade to version 2.4.59, which fixes
      this issue.
      Credits: Keran Mu, Tsinghua University and Zhongguancun
      Laboratory.

   *) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
      splitting (cve.mitre.org)
      Faulty input validation in the core of Apache allows malicious
      or exploitable backend/content generators to split HTTP
      responses.
      This issue affects Apache HTTP Server: through 2.4.58.
      Credits: Orange Tsai (@orange_8361) from DEVCORE

   *) mod_deflate: Fixes and better logging for handling various
      error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton,
      Eric Norris <enorris etsy.com>]

   *) Add CGIScriptTimeout to mod_cgi. [Eric Covener]

   *) mod_xml2enc: Tolerate libxml2 2.12.0 and later.
      [ttachi <tachihara AT hotmail.com>]

   *) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable.
      [Jean-Frederic Clere]

   *) mod_ssl: Use OpenSSL-standard functions to assemble CA
      name lists for SSLCACertificatePath/SSLCADNRequestPath.
      Names will now be consistently sorted.
      [Joe Orton]

   *) mod_xml2enc: Update check to accept any text/ media type
      or any XML media type per RFC 7303, avoiding
      corruption of Microsoft OOXML formats.
      [Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton]

   *) mod_http2: v2.0.26 with the following fixes:
      - Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes
        <https://github.com/icing/mod_h2/issues/272>.
      - Fixed small memory leak in h2 header bucket free. Thanks to
        Michael Kaufmann for finding this and providing the fix.

   *) htcacheclean: In -a/-A mode, list all files per subdirectory
      rather than only one.
      [Artem Egorenkov <aegorenkov.91 gmail.com>]

   *) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files
      which include CA certificates; those CA certs are treated as if
      configured with SSLProxyMachineCertificateChainFile.  [Joe Orton]

   *) htpasswd, htdbm, dbmmanage: Update help&docs to refer to
      "hashing", rather than "encrypting" passwords.
      [Michele Preziuso <mpreziuso kaosdynamics.com>]

   *) mod_ssl: Fix build with LibreSSL 2.0.7+.
      [Giovanni Bechis, Yann Ylavic]

   *) htpasswd: Add support for passwords using SHA-2.  [Joe Orton,
      Yann Ylavic]

   *) core: Allow mod_env to override system environment vars. [Joe Orton]

   *) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an
      operation which removes a directory/file between apr_dir_read() and
      apr_stat(). Current behaviour is to abort the connection which seems
      inferior to tolerating (and logging) the error. [Joe Orton]

   *) mod_ldap: HTML-escape data in the ldap-status handler.
      [Eric Covener, Chamal De Silva]

   *) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
      Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
      notably with OpenSSL >= 3.  [Yann Ylavic, Joe Orton]

   *) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about
      deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting
      to compatibility with version 1.1.1 (including ENGINEs / SSLCryptoDevice).
      [Yann Ylavic]

   *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]

   *) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when
      some dollar substitution (backreference) happens in the hostname or port
      part of the URL.  [Yann Ylavic]

   *) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend
      systems are cached. [Yann Ylavic]

   *) mod_proxy: Add optional third argument for ProxyRemote, which
      configures Basic authentication credentials to pass to the remote
      proxy.


To generate a diff of this commit:
cvs rdiff -u -r1.123 -r1.123.2.1 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.61 -r1.61.2.1 pkgsrc/www/apache24/distinfo
cvs rdiff -u -r1.4 -r1.4.4.1 pkgsrc/www/apache24/patches/patch-configure
cvs rdiff -u -r1.2 -r0 \
    pkgsrc/www/apache24/patches/patch-modules_filters_mod__xml2enc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.123 pkgsrc/www/apache24/Makefile:1.123.2.1
--- pkgsrc/www/apache24/Makefile:1.123  Wed Mar 20 01:45:52 2024
+++ pkgsrc/www/apache24/Makefile        Mon Apr  8 18:03:27 2024
@@ -1,13 +1,12 @@
-# $NetBSD: Makefile,v 1.123 2024/03/20 01:45:52 nia Exp $
+# $NetBSD: Makefile,v 1.123.2.1 2024/04/08 18:03:27 bsiegert Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=      httpd-2.4.58
+DISTNAME=      httpd-2.4.59
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}
 EXTRACT_SUFX=  .tar.bz2
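Review bot: dropping `PKGREVISION=   2` together with the `DISTNAME=      httpd-2.4.58` to `httpd-2.4.59` bump is the expected reset (PKGREVISION counts pkgsrc-local rebuilds of one upstream release), and the resulting PKGNAME apache-2.4.59 compares newer than apache-2.4.58nb2, so users on the 2024Q1 branch will see the update; apart from the RCS Id line, nothing else in this hunk changes, which is what a security pullup should look like.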

Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.61 pkgsrc/www/apache24/distinfo:1.61.2.1
--- pkgsrc/www/apache24/distinfo:1.61   Wed Jan 31 09:38:13 2024
+++ pkgsrc/www/apache24/distinfo        Mon Apr  8 18:03:27 2024
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.61 2024/01/31 09:38:13 taca Exp $
+$NetBSD: distinfo,v 1.61.2.1 2024/04/08 18:03:27 bsiegert Exp $
 
-BLAKE2s (httpd-2.4.58.tar.bz2) = 4f2e5e35244b2fe55ddda508b3c2c8bde95de56c60a7c2e53a0972c3362f1b30
-SHA512 (httpd-2.4.58.tar.bz2) = d6e73bf413a507ec16b621ff635e178206207a9e9810ce3944b3dc98d39cde8f225307110167fc9da5822175796c8cb66f98be5b9f0d8b76dcd83a401d39b2c1
-Size (httpd-2.4.58.tar.bz2) = 7485817 bytes
+BLAKE2s (httpd-2.4.59.tar.bz2) = be909991d69d0fad5bfccd3cea49e4ce0190e5450426fefd2a3db6cfbbf358a2
+SHA512 (httpd-2.4.59.tar.bz2) = 209da0bbac5e2564d4590302515b35495be6402273ff4024aa93e85e44554c95e053201d606383936425a41e1b5b97e6b40055dcbb385eb691a5029a6f3158c2
+Size (httpd-2.4.59.tar.bz2) = 7503198 bytes
 SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157
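Review bot: the new BLAKE2s/SHA512/Size triple for httpd-2.4.59.tar.bz2 cannot be checked from the diff itself; before merging, confirm that the SHA512 here matches the value published with the upstream release (and that the tarball verifies against the upstream signature), because distinfo is the only integrity check the fetch and checksum steps apply to the distfile. The Size going from 7485817 to 7503198 bytes is consistent with a point release, but size alone is not evidence of a correct fetch.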
@@ -12,7 +12,6 @@ SHA1 (patch-ai) = d3870e46e41adc97c3fce8
 SHA1 (patch-al) = 02d9ade5aac4270182063d5ad413970c832ee911
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
-SHA1 (patch-configure) = 6a54f65b4ea0ca92ed707d53921ca1d3cd454031
+SHA1 (patch-configure) = d529df410f564571a8cc7c2a31c3b446479a71df
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
-SHA1 (patch-modules_filters_mod__xml2enc.c) = a191e1e6515d5cccd17606f94e15dbfacd92bb7a
 SHA1 (patch-modules_filters_mod_substitute.c) = d47ee06e70942ab522acf119eb2c4b313aed9bbd
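Review bot: removing the `SHA1 (patch-modules_filters_mod__xml2enc.c)` line matches the Removed Files entry and the upstream changelog item "mod_xml2enc: Tolerate libxml2 2.12.0 and later", which is what made the local patch redundant; the updated `SHA1 (patch-configure)` line has to correspond to the rebased patch committed alongside it, otherwise the build fails at the patch checksum check. The pullup log says only "security fix"; a sentence noting that the xml2enc patch was dropped because it went upstream would make the branch history easier to audit.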

Index: pkgsrc/www/apache24/patches/patch-configure
diff -u pkgsrc/www/apache24/patches/patch-configure:1.4 pkgsrc/www/apache24/patches/patch-configure:1.4.4.1
--- pkgsrc/www/apache24/patches/patch-configure:1.4     Thu Oct 19 14:22:02 2023
+++ pkgsrc/www/apache24/patches/patch-configure Mon Apr  8 18:03:27 2024
@@ -1,9 +1,9 @@
-$NetBSD: patch-configure,v 1.4 2023/10/19 14:22:02 wiz Exp $
+$NetBSD: patch-configure,v 1.4.4.1 2024/04/08 18:03:27 bsiegert Exp $
 
---- configure.orig     2023-10-16 15:06:18.000000000 +0000
+--- configure.orig     2024-04-03 12:22:44.000000000 +0000
 +++ configure
-@@ -41305,7 +41305,6 @@ cat >>confdefs.h <<_ACEOF
- _ACEOF
+@@ -42821,7 +42821,6 @@ printf "%s\n" "#define SERVER_CONFIG_FIL
+ printf "%s\n" "#define AP_TYPES_CONFIG_FILE \"${rel_sysconfdir}/mime.types\"" >>confdefs.h
  
  
 -perlbin=`$ac_aux_dir/PrintPath perl`
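Review bot: the rebased patch-configure only moves the context from `@@ -41305,7 +41305,6 @@` to `@@ -42821,7 +42821,6 @@` and swaps the `cat >>confdefs.h <<_ACEOF` heredoc context for the `printf "%s\n" ... >>confdefs.h` form that the regenerated upstream configure uses; the removed `perlbin=` line is unchanged, so the patch still does what it did before. The patch header carries no comment after the `$NetBSD$` line describing why perl detection is removed; pkgsrc convention expects one, and it would save the next person rebasing this against a new configure from having to rediscover the reason.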