[pkgsrc/pkgsrc-2021Q3]: pkgsrc/www/apache24 Pullup ticket #6506 - requested b...

[bsiegert <bsiegert%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/357e31c4ffa4
branches:  pkgsrc-2021Q3
changeset: 459505:357e31c4ffa4
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Fri Oct 08 13:37:27 2021 +0000

description:
Pullup ticket #6506 - requested by taca
apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.105
- www/apache24/distinfo                                         1.49

---
   Module Name: pkgsrc
   Committed By:        adam
   Date:                Thu Oct  7 19:05:25 UTC 2021

   Modified Files:
        pkgsrc/www/apache24: Makefile distinfo

   Log Message:
   apache24: updated to 2.4.51

   Changes with Apache 2.4.51

   *) SECURITY: CVE-2021-42013: Path Traversal and Remote Code
      Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
      fix of CVE-2021-41773) (cve.mitre.org)
      It was found that the fix for CVE-2021-41773 in Apache HTTP
      Server 2.4.50 was insufficient.  An attacker could use a path
      traversal attack to map URLs to files outside the directories
      configured by Alias-like directives.
      If files outside of these directories are not protected by the
      usual default configuration "require all denied", these requests
      can succeed. If CGI scripts are also enabled for these aliased
      pathes, this could allow for remote code execution.
      This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
      earlier versions.

   *) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
      unused AP_NORMALIZE_DROP_PARAMETERS flag.

diffstat:

 www/apache24/Makefile |  4 ++--
 www/apache24/distinfo |  9 ++++-----
 2 files changed, 6 insertions(+), 7 deletions(-)

diffs (34 lines):

diff -r f6d4d1b02bc3 -r 357e31c4ffa4 www/apache24/Makefile
--- a/www/apache24/Makefile     Fri Oct 08 13:15:53 2021 +0000
+++ b/www/apache24/Makefile     Fri Oct 08 13:37:27 2021 +0000
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.101.2.1 2021/10/06 21:59:03 tm Exp $
+# $NetBSD: Makefile,v 1.101.2.2 2021/10/08 13:37:27 bsiegert Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=      httpd-2.4.50
+DISTNAME=      httpd-2.4.51
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}
diff -r f6d4d1b02bc3 -r 357e31c4ffa4 www/apache24/distinfo
--- a/www/apache24/distinfo     Fri Oct 08 13:15:53 2021 +0000
+++ b/www/apache24/distinfo     Fri Oct 08 13:37:27 2021 +0000
@@ -1,9 +1,8 @@
-$NetBSD: distinfo,v 1.46.2.1 2021/10/06 21:59:03 tm Exp $
+$NetBSD: distinfo,v 1.46.2.2 2021/10/08 13:37:27 bsiegert Exp $
 
-SHA1 (httpd-2.4.50.tar.bz2) = 560cea1589d107aa06ae7eabf144316b00338141
-RMD160 (httpd-2.4.50.tar.bz2) = 5f93e67fccb703318115b921d670d12ec81ad3c8
-SHA512 (httpd-2.4.50.tar.bz2) = b1afbaf44e503b822ff2b443881dcb44a93aa55d496f88ae399a2e7def05f78590f266a16da1f2c0aac88e463b76fba20843b1e20a102e76c8269de6fae3e158
-Size (httpd-2.4.50.tar.bz2) = 7653174 bytes
+RMD160 (httpd-2.4.51.tar.bz2) = 339cf2df89613855dc44affe6296ba1b1652db14
+SHA512 (httpd-2.4.51.tar.bz2) = 9fb07c4b176f5c0485a143e2b1bb1085345ca9120b959974f68c37a8911a57894d2cb488b1b42fdf3102860b99e890204f5e9fa7ae3828b481119c563812cc66
+Size (httpd-2.4.51.tar.bz2) = 7653609 bytes
 SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d