pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: [pkgsrc-2022Q4] pkgsrc/www/apache24



Module Name:    pkgsrc
Committed By:   spz
Date:           Sat Mar  4 13:04:06 UTC 2023

Modified Files:
        pkgsrc/www/apache24 [pkgsrc-2022Q4]: Makefile PLIST distinfo
        pkgsrc/www/apache24/patches [pkgsrc-2022Q4]: patch-configure

Log Message:
Pullup ticket #6739 - requested by taca
www/apache24: security update

Revisions pulled up:
- www/apache24/Makefile                                         1.115
- www/apache24/PLIST                                            1.36
- www/apache24/distinfo                                         1.54
- www/apache24/patches/patch-configure                          1.3

-------------------------------------------------------------------
   Module Name: pkgsrc
   Committed By:        adam
   Date:                Fri Jan 20 14:03:16 UTC 2023

   Modified Files:
        pkgsrc/www/apache24: Makefile PLIST distinfo
        pkgsrc/www/apache24/patches: patch-configure

   Log Message:
   apache24: updated to 2.4.55

   Changes with Apache 2.4.55

     *) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
        2.4.55 allows a backend to trigger HTTP response splitting
        (cve.mitre.org)
        Prior to Apache HTTP Server 2.4.55, a malicious backend can
        cause the response headers to be truncated early, resulting in
        some headers being incorporated into the response body. If the
        later headers have any security purpose, they will not be
        interpreted by the client.
        Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)

     *) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
        Possible request smuggling (cve.mitre.org)
        Inconsistent Interpretation of HTTP Requests ('HTTP Request
        Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
        allows an attacker to smuggle requests to the AJP server it
        forwards requests to.  This issue affects Apache HTTP Server
        Apache HTTP Server 2.4 version 2.4.54 and prior versions.
        Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
        at Qi'anxin Group

     *) SECURITY: CVE-2006-20001: mod_dav out of  bounds read, or write
        of zero byte (cve.mitre.org)
        A carefully crafted If: request header can cause a memory read,
        or write of a single zero byte, in a pool (heap) memory location
        beyond the header value sent. This could cause the process to
        crash.
        This issue affects Apache HTTP Server 2.4.54 and earlier.

     *) mod_dav: Open the lock database read-only when possible.

     *) mod_proxy_http2: apply the standard httpd content type handling
        to responses from the backend, as other proxy modules do.

     *) mod_dav: mod_dav overrides dav_fs response on PUT failure.

     *) mod_proxy_hcheck: Honor worker timeout settings.  [Yann Ylavic]

     *) mod_http2: version 2.0.10 of the module, synchronizing changes
        with the gitgub version. This is a partial rewrite of how connections
        and streams are handled.
        - an APR pollset and pipes (where supported) are used to monitor
          the main connection and react to IO for request/response handling.
          This replaces the stuttered timed waits of earlier versions.
        - H2SerializeHeaders directive still exists, but has no longer an effect.
        - Clients that seemingly misbehave still get less resources allocated,
          but ongoing requests are no longer disrupted.
        - Fixed an issue since 1.15.24 that "Server" headers in proxied requests
          were overwritten instead of preserved.
        - A regression in v1.15.24 was fixed that could lead to httpd child
          processes not being terminated on a graceful reload or when reaching
          MaxConnectionsPerChild. When unprocessed h2 requests were queued at
          the time, these could stall.
        - Improved information displayed in 'server-status' for H2 connections when
          Extended Status is enabled. Now one can see the last request that IO
          operations happened on and transferred IO stats are updated as well.
        - When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
          send a GOAWAY frame much too early on new connections, leading to invalid
          protocol state and a client failing the request.
          The module now initializes the HTTP/2 protocol correctly and allows the
          client to submit one request before the shutdown via a GOAWAY frame
          is being announced.
        - :scheme pseudo-header values, not matching the
          connection scheme, are forwarded via absolute uris to the
          http protocol processing to preserve semantics of the request.
          Checks on combinations of pseudo-headers values/absence
          have been added as described in RFC 7540. Fixes #230.
        - A bug that prevented trailers (e.g. HEADER frame at the end) to be
          generated in certain cases was fixed. See #233 where it prevented
          gRPC responses to be properly generated.
        - Request and response header values are automatically stripped of leading
          and trialing space/tab characters. This is equivalent behaviour to what
          Apache httpd's http/1.1 parser does.
          The checks for this in nghttp2 v1.50.0+ are disabled.
        - Extensive testing in production done by Alessandro Bianchi (@alexskynet)
          on the v2.0.x versions for stability. Many thanks!
     *) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
        request ':authority' is known. Improved test case that did not catch that
        the previous 'fix' was incorrect.

     *) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
        using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]

     *) mod_proxy: The AH03408 warning for a forcibly closed backend
        connection is now logged at INFO level.  [Yann Ylavic]

     *) mod_ssl: When dumping the configuration, the existence of
        certificate/key files is no longer tested.  [Joe Orton]

     *) mod_authn_core: Add expression support to AuthName and AuthType.
        [Graham Leggett]

     *) mod_ssl: when a proxy connection had handled a request using SSL, an
        error was logged when "SSLProxyEngine" was only configured in the
        location/proxy section and not the overall server. The connection
        continued to work, the error log was in error.

     *) mod_proxy_hcheck: Re-enable workers in standard ERROR state.

     *) mod_proxy_hcheck: Detect AJP/CPING support correctly.

     *) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]

     *) mod_md: a new directive `MDStoreLocks` can be used on cluster
        setups with a shared file system for `MDStoreDir` to order
        activation of renewed certificates when several cluster nodes are
        restarted at the same time. Store locks are not enabled by default.
        Restored curl_easy cleanup behaviour from v2.4.14 and refactored
        the use of curl_multi for OCSP requests to work with that.
        Fixes <https://github.com/icing/mod_md/issues/293>.

     *) core: Avoid an overflow on large inputs in ap_is_matchexp.

     *) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
        storage instead of slotmem. Needed after setting
        HeartbeatMaxServers default to the documented value 10 in 2.4.54.

     *) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
        This is a game changer for performances if client use PROPFIND a lot.

   To generate a diff of this commit:
   cvs rdiff -u -r1.114 -r1.115 pkgsrc/www/apache24/Makefile
   cvs rdiff -u -r1.35 -r1.36 pkgsrc/www/apache24/PLIST
   cvs rdiff -u -r1.53 -r1.54 pkgsrc/www/apache24/distinfo
   cvs rdiff -u -r1.2 -r1.3 pkgsrc/www/apache24/patches/patch-configure


To generate a diff of this commit:
cvs rdiff -u -r1.114 -r1.114.2.1 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.35 -r1.35.10.1 pkgsrc/www/apache24/PLIST
cvs rdiff -u -r1.53 -r1.53.6.1 pkgsrc/www/apache24/distinfo
cvs rdiff -u -r1.2 -r1.2.8.1 pkgsrc/www/apache24/patches/patch-configure

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.114 pkgsrc/www/apache24/Makefile:1.114.2.1
--- pkgsrc/www/apache24/Makefile:1.114  Wed Nov 23 16:21:18 2022
+++ pkgsrc/www/apache24/Makefile        Sat Mar  4 13:04:06 2023
@@ -1,13 +1,12 @@
-# $NetBSD: Makefile,v 1.114 2022/11/23 16:21:18 adam Exp $
+# $NetBSD: Makefile,v 1.114.2.1 2023/03/04 13:04:06 spz Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=      httpd-2.4.54
+DISTNAME=      httpd-2.4.55
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   3
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}
 MASTER_SITES+= https://archive.apache.org/dist/httpd/

Index: pkgsrc/www/apache24/PLIST
diff -u pkgsrc/www/apache24/PLIST:1.35 pkgsrc/www/apache24/PLIST:1.35.10.1
--- pkgsrc/www/apache24/PLIST:1.35      Tue Dec 21 09:18:37 2021
+++ pkgsrc/www/apache24/PLIST   Sat Mar  4 13:04:06 2023
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.35 2021/12/21 09:18:37 adam Exp $
+@comment $NetBSD: PLIST,v 1.35.10.1 2023/03/04 13:04:06 spz Exp $
 bin/ab
 bin/apxs
 bin/dbmmanage
@@ -42,6 +42,7 @@ include/httpd/mod_cgi.h
 include/httpd/mod_core.h
 include/httpd/mod_dav.h
 include/httpd/mod_dbd.h
+include/httpd/mod_http2.h
 include/httpd/mod_include.h
 include/httpd/mod_log_config.h
 include/httpd/mod_proxy.h

Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.53 pkgsrc/www/apache24/distinfo:1.53.6.1
--- pkgsrc/www/apache24/distinfo:1.53   Thu Jun  9 18:15:50 2022
+++ pkgsrc/www/apache24/distinfo        Sat Mar  4 13:04:06 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.53 2022/06/09 18:15:50 adam Exp $
+$NetBSD: distinfo,v 1.53.6.1 2023/03/04 13:04:06 spz Exp $
 
-BLAKE2s (httpd-2.4.54.tar.bz2) = 421718830ac12956e4d25911309314eefa3be169462008243d93b5106f226ab1
-SHA512 (httpd-2.4.54.tar.bz2) = 228493b2ff32c4142c6e484d304f2ea12e467498605fe12adce2b61388d8efe7b2e96ae2fd0abd1dc88a5f12d625e007d8da0ae5628cff2a5272806754f41e18
-Size (httpd-2.4.54.tar.bz2) = 7434530 bytes
+BLAKE2s (httpd-2.4.55.tar.bz2) = e822cdaece492e04d2b4bd5761ae64ab2d26def4a7f534e2977991ec8cfb995f
+SHA512 (httpd-2.4.55.tar.bz2) = 94982f7a1fedac8961fc17b5a22cf763ac28cb27ee6facab2e6a15b249b927773667493fd3f7354fb13fcb34a6f1afc1bdd5cf4b7be030cba1dfb523e40d43fb
+Size (httpd-2.4.55.tar.bz2) = 7456187 bytes
 SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157
@@ -12,6 +12,6 @@ SHA1 (patch-ai) = d3870e46e41adc97c3fce8
 SHA1 (patch-al) = 02d9ade5aac4270182063d5ad413970c832ee911
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
-SHA1 (patch-configure) = 7426d8b053cfe89c5e37b0a4591f2eba2a8ca17f
+SHA1 (patch-configure) = 050119b817b53d72909be1906181434bf18fe3d7
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
 SHA1 (patch-modules_filters_mod_substitute.c) = 730af0342b78de04fe51b7dcc3ed057b2b0c3a54

Index: pkgsrc/www/apache24/patches/patch-configure
diff -u pkgsrc/www/apache24/patches/patch-configure:1.2 pkgsrc/www/apache24/patches/patch-configure:1.2.8.1
--- pkgsrc/www/apache24/patches/patch-configure:1.2     Tue Mar 15 05:46:54 2022
+++ pkgsrc/www/apache24/patches/patch-configure Sat Mar  4 13:04:06 2023
@@ -1,9 +1,9 @@
-$NetBSD: patch-configure,v 1.2 2022/03/15 05:46:54 adam Exp $
+$NetBSD: patch-configure,v 1.2.8.1 2023/03/04 13:04:06 spz Exp $
 
---- configure.orig     2022-03-09 14:17:37.000000000 +0000
+--- configure.orig     2023-01-10 13:38:25.000000000 +0000
 +++ configure
-@@ -41155,7 +41155,6 @@ cat >>confdefs.h <<_ACEOF
- _ACEOF
+@@ -42087,7 +42087,6 @@ printf "%s\n" "#define SERVER_CONFIG_FIL
+ printf "%s\n" "#define AP_TYPES_CONFIG_FILE \"${rel_sysconfdir}/mime.types\"" >>confdefs.h
  
  
 -perlbin=`$ac_aux_dir/PrintPath perl`



Home | Main Index | Thread Index | Old Index