pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: [pkgsrc-2024Q2] pkgsrc/www/apache24



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Tue Jul  2 18:11:40 UTC 2024

Modified Files:
        pkgsrc/www/apache24 [pkgsrc-2024Q2]: Makefile distinfo

Log Message:
Pullup ticket #6875 - requested by taca
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.127
- www/apache24/distinfo                                         1.63

---
   Module Name: pkgsrc
   Committed By:        adam
   Date:                Tue Jul  2 10:31:58 UTC 2024

   Modified Files:
        pkgsrc/www/apache24: Makefile distinfo

   Log Message:
   apache24: updated to 2.4.60

   Changes with Apache 2.4.60

   *) SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy
      handler substitution (cve.mitre.org)
      Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and
      earlier allows an attacker to cause unsafe RewriteRules to
      unexpectedly setup URL's to be handled by mod_proxy.
      Credits: Orange Tsai (@orange_8361) from DEVCORE

   *) SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in
      Denial of Service in mod_proxy via a malicious request
      (cve.mitre.org)
      null pointer dereference in mod_proxy in Apache HTTP Server
      2.4.59 and earlier allows an attacker to crash the server via a
      malicious request.
      Credits: Orange Tsai (@orange_8361) from DEVCORE

   *) SECURITY: CVE-2024-38476: Apache HTTP Server may use
      exploitable/malicious backend application output to run local
      handlers via internal redirect (cve.mitre.org)
      Vulnerability in core of Apache HTTP Server 2.4.59 and earlier
      are vulnerably to information disclosure, SSRF or local script
      execution via backend applications whose response headers are
      malicious or exploitable.

      Note: Some legacy uses of the 'AddType' directive to connect a
      request to a handler must be ported to 'SetHandler' after this fix.

      Credits: Orange Tsai (@orange_8361) from DEVCORE

   *) SECURITY: CVE-2024-38475: Apache HTTP Server weakness in
      mod_rewrite when first segment of substitution matches
      filesystem path. (cve.mitre.org)
      Improper escaping of output in mod_rewrite in Apache HTTP Server
      2.4.59 and earlier allows an attacker to map URLs to filesystem
      locations that are permitted to be served by the server but are
      not intentionally/directly reachable by any URL, resulting in
      code execution or source code disclosure.
      Substitutions in server context that use a backreferences or
      variables as the first segment of the substitution are affected.
      Some unsafe RewiteRules will be broken by this change and the
      rewrite flag "UnsafePrefixStat" can be used to opt back in once
      ensuring the substitution is appropriately constrained.
      Credits: Orange Tsai (@orange_8361) from DEVCORE

   *) SECURITY: CVE-2024-38474: Apache HTTP Server weakness with
      encoded question marks in backreferences (cve.mitre.org)
      Substitution encoding issue in mod_rewrite in Apache HTTP Server
      2.4.59 and earlier allows attacker to execute scripts in
      directories permitted by the configuration but not directly
      reachable by any URL or source disclosure of scripts meant to
      only to be executed as CGI.

      Note: Some RewriteRules that capture and substitute unsafely will now
      fail unless rewrite flag "UnsafeAllow3F" is specified.

      Credits: Orange Tsai (@orange_8361) from DEVCORE

   *) SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding
      problem (cve.mitre.org)
      Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and
      earlier allows request URLs with incorrect encoding to be sent
      to backend services, potentially bypassing authentication via
      crafted requests.
      Credits: Orange Tsai (@orange_8361) from DEVCORE

   *) SECURITY: CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF
      (cve.mitre.org)
      SSRF in Apache HTTP Server on Windows allows to potentially leak
      NTML hashes to a malicious server via SSRF and malicious
      requests or content

      Note: Existing configurations that access UNC paths
      will have to configure new directive "UNCList" to allow access
      during request processing.

      Credits: Orange Tsai (@orange_8361) from DEVCORE

   *) SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null
      pointer in websocket over HTTP/2 (cve.mitre.org)
      Serving WebSocket protocol upgrades over a HTTP/2 connection
      could result in a Null Pointer dereference, leading to a crash
      of the server process, degrading performance.
      Credits: Marc Stern (<marc.stern approach.be>)

   *) mod_proxy: Fix DNS requests and connections closed before the
      configured addressTTL.

   *) core: On Linux, log the real thread ID in error logs.  [Joe Orton]

   *) core: Support zone/scope in IPv6 link-local addresses in Listen and
      VirtualHost directives (requires APR 1.7.x or later).
      [Joe Orton]

   *) mod_ssl: Reject client-initiated renegotiation with a TLS alert
      (rather than connection closure).  [Joe Orton, Yann Ylavic]

   *) Updated mime.types.  [Mohamed Akram <mohd.akram outlook.com>,
      Adam Silverstein <adamsilverstein earthboundhosting.com>]

   *) mod_ssl: Fix a regression that causes the default DH parameters for a key
      no longer set and thus effectively disabling DH ciphers when no explicit
      DH parameters are set.

   *) mod_cgid: Optional support for file descriptor passing, fixing
      error log handling (configure --enable-cgid-fdpassing) on Unix
      platforms.

   *) mod_cgid/mod_cgi: Distinguish script stderr output clearly in
      error logs.

   *) mod_tls: update version of rustls-ffi to v0.13.0.
      [Daniel McCarney (@cpu}]

   *) mod_md:
      - Using OCSP stapling information to trigger certificate renewals. Proposed
        by @frasertweedale.
      - Added directive `MDCheckInterval` to control how often the server checks
        for detected revocations. Added proposals for configurations in the
        README.md chapter "Revocations".
      - OCSP stapling: accept OCSP responses without a `nextUpdate` entry which is
        allowed in RFC 6960. Treat those as having an update interval of 12 hours.
        Added by @frasertweedale.
      - Adapt OpenSSL usage to changes in their API. By Yann Ylavic.


To generate a diff of this commit:
cvs rdiff -u -r1.126 -r1.126.2.1 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.62 -r1.62.2.1 pkgsrc/www/apache24/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.126 pkgsrc/www/apache24/Makefile:1.126.2.1
--- pkgsrc/www/apache24/Makefile:1.126  Wed May 29 16:34:47 2024
+++ pkgsrc/www/apache24/Makefile        Tue Jul  2 18:11:40 2024
@@ -1,13 +1,12 @@
-# $NetBSD: Makefile,v 1.126 2024/05/29 16:34:47 adam Exp $
+# $NetBSD: Makefile,v 1.126.2.1 2024/07/02 18:11:40 bsiegert Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=      httpd-2.4.59
+DISTNAME=      httpd-2.4.60
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}
 EXTRACT_SUFX=  .tar.bz2

Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.62 pkgsrc/www/apache24/distinfo:1.62.2.1
--- pkgsrc/www/apache24/distinfo:1.62   Fri Apr  5 09:31:38 2024
+++ pkgsrc/www/apache24/distinfo        Tue Jul  2 18:11:40 2024
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.62 2024/04/05 09:31:38 adam Exp $
+$NetBSD: distinfo,v 1.62.2.1 2024/07/02 18:11:40 bsiegert Exp $
 
-BLAKE2s (httpd-2.4.59.tar.bz2) = be909991d69d0fad5bfccd3cea49e4ce0190e5450426fefd2a3db6cfbbf358a2
-SHA512 (httpd-2.4.59.tar.bz2) = 209da0bbac5e2564d4590302515b35495be6402273ff4024aa93e85e44554c95e053201d606383936425a41e1b5b97e6b40055dcbb385eb691a5029a6f3158c2
-Size (httpd-2.4.59.tar.bz2) = 7503198 bytes
+BLAKE2s (httpd-2.4.60.tar.bz2) = 9a3693c6068cf9cade40d896a18c885787b4e2a149e34e9ff71b05d653925fc3
+SHA512 (httpd-2.4.60.tar.bz2) = c1591389f76699beaa5d32b019729e25f1ed5b828311c82b52f1a4edd5d28b73e697958df384d7628b314521a831dbb0af418bc37cdf031cfe133e53c195d8ad
+Size (httpd-2.4.60.tar.bz2) = 7508704 bytes
 SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157



Home | Main Index | Thread Index | Old Index