pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/www/apache24 apache24: updated to 2.4.50



details:   https://anonhg.NetBSD.org/pkgsrc/rev/64ee45b01815
branches:  trunk
changeset: 459384:64ee45b01815
user:      adam <adam%pkgsrc.org@localhost>
date:      Tue Oct 05 19:22:08 2021 +0000

description:
apache24: updated to 2.4.50

Changes with Apache 2.4.50

*) SECURITY: CVE-2021-41773: Path traversal and file disclosure
   vulnerability in Apache HTTP Server 2.4.49 (cve.mitre.org)
   A flaw was found in a change made to path normalization in
   Apache HTTP Server 2.4.49. An attacker could use a path
   traversal attack to map URLs to files outside the expected
   document root.
   If files outside of the document root are not protected by
   "require all denied" these requests can succeed. Additionally
   this flaw could leak the source of interpreted files like CGI
   scripts.
   This issue is known to be exploited in the wild.
   This issue only affects Apache 2.4.49 and not earlier versions.
   Credits: This issue was reported by Ash Daulton along with the
   cPanel Security Team

*) SECURITY: CVE-2021-41524: null pointer dereference in h2 fuzzing
   (cve.mitre.org)
   While fuzzing the 2.4.49 httpd, a new null pointer dereference
   was detected during HTTP/2 request processing,
   allowing an external source to DoS the server. This requires a
   specially crafted request.
   The vulnerability was recently introduced in version 2.4.49. No
   exploit is known to the project.
   Credits: Apache httpd team would like to thank LI ZHI XIN from
   NSFocus Security Team for reporting this issue.

*) core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second dot in
   the uri-path when it's preceded by a dot.

*) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
   fails (!= 0 exit), the renewal process is aborted and an error is
   reported for the MDomain. This provides scripts that distribute
   information in a cluster to abort early with bothering an ACME
   server to validate a dns name that will not work. The common
   retry logic will make another attempt in the future, as with
   other failures.
   Fixed a bug when adding private key specs to an already working
   MDomain, see <https://github.com/icing/mod_md/issues/260>.

*) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as if they
   had no hostname ("unix:/...").

*) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
   run into an assertion which terminated (and restarted) the child process where
   the task was running. Eventually, all OCSP responses were collected, but not
   in the way that things are supposed to work.
   See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
   The bug was possibly triggered when more than one OCSP status needed updating
   at the same time. For example for several renewed certificates after a server
   reload.

*) mod_rewrite: Fix UDS ("unix:") scheme for

*) event mpm: Correctly count active child processes in parent process if
   child process dies due to MaxConnectionsPerChild.

*) mod_http2: when a server is restarted gracefully, any idle h2 worker
   threads are shut down immediately.
   Also, change OpenSSL API use for deprecations in OpenSSL 3.0.
   Adds all other, never proposed code changes to make a clean
   sync of http2 sources.

*) mod_dav: Correctly handle errors returned by dav providers on REPORT
   requests.

*) core: do not install core input/output filters on secondary
   connections.

*) core: Add ap_pre_connection() as a wrapper to ap_run_pre_connection()
   and use it to prevent that failures in running the pre_connection
   hook cause crashes afterwards.

*) mod_speling: Add CheckBasenameMatch.

diffstat:

 www/apache24/Makefile |   5 ++---
 www/apache24/distinfo |  10 +++++-----
 2 files changed, 7 insertions(+), 8 deletions(-)

diffs (37 lines):

diff -r 6ae2f8f207ca -r 64ee45b01815 www/apache24/Makefile
--- a/www/apache24/Makefile     Tue Oct 05 19:08:57 2021 +0000
+++ b/www/apache24/Makefile     Tue Oct 05 19:22:08 2021 +0000
@@ -1,13 +1,12 @@
-# $NetBSD: Makefile,v 1.103 2021/09/29 19:01:26 adam Exp $
+# $NetBSD: Makefile,v 1.104 2021/10/05 19:22:08 adam Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=      httpd-2.4.49
+DISTNAME=      httpd-2.4.50
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   1
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}
 MASTER_SITES+= https://archive.apache.org/dist/httpd/
diff -r 6ae2f8f207ca -r 64ee45b01815 www/apache24/distinfo
--- a/www/apache24/distinfo     Tue Oct 05 19:08:57 2021 +0000
+++ b/www/apache24/distinfo     Tue Oct 05 19:22:08 2021 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.46 2021/09/17 12:49:57 adam Exp $
+$NetBSD: distinfo,v 1.47 2021/10/05 19:22:08 adam Exp $
 
-SHA1 (httpd-2.4.49.tar.bz2) = 17e8efc1b178ce677202d71678e380459594f697
-RMD160 (httpd-2.4.49.tar.bz2) = 73c3e94bdb0da77c833590334a4ac288d782424c
-SHA512 (httpd-2.4.49.tar.bz2) = 418e277232cf30a81d02b8554e31aaae6433bbea842bdb81e47a609469395cc4891183fb6ee02bd669edb2392c2007869b19da29f5998b8fd5c7d3142db310dd
-Size (httpd-2.4.49.tar.bz2) = 7199599 bytes
+SHA1 (httpd-2.4.50.tar.bz2) = 560cea1589d107aa06ae7eabf144316b00338141
+RMD160 (httpd-2.4.50.tar.bz2) = 5f93e67fccb703318115b921d670d12ec81ad3c8
+SHA512 (httpd-2.4.50.tar.bz2) = b1afbaf44e503b822ff2b443881dcb44a93aa55d496f88ae399a2e7def05f78590f266a16da1f2c0aac88e463b76fba20843b1e20a102e76c8269de6fae3e158
+Size (httpd-2.4.50.tar.bz2) = 7653174 bytes
 SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d



Home | Main Index | Thread Index | Old Index