[pkgsrc/trunk]: pkgsrc/www/apache22 Add patch from Apache SVN repository to a...

[tron <tron%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/dfa540b56031
branches:  trunk
changeset: 545678:dfa540b56031
user:      tron <tron%pkgsrc.org@localhost>
date:      Sat Aug 09 22:16:44 2008 +0000

description:
Add patch from Apache SVN repository to avoid cross-site scripting attacks
in the FTP proxy module. This fixes the security vulnerability reported
in CVE-2008-2939.

diffstat:

 www/apache22/Makefile         |   3 ++-
 www/apache22/distinfo         |   3 ++-
 www/apache22/patches/patch-ab |  15 +++++++++++++++
 3 files changed, 19 insertions(+), 2 deletions(-)

diffs (48 lines):

diff -r c07e7bc1726f -r dfa540b56031 www/apache22/Makefile
--- a/www/apache22/Makefile     Sat Aug 09 22:03:52 2008 +0000
+++ b/www/apache22/Makefile     Sat Aug 09 22:16:44 2008 +0000
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.27 2008/06/18 21:38:00 tron Exp $
+# $NetBSD: Makefile,v 1.28 2008/08/09 22:16:44 tron Exp $
 
 .include "Makefile.common"
 
 PKGNAME=       apache-${APACHE_VERSION}
+PKGREVISION=   1
 CATEGORIES=    www
 
 HOMEPAGE=      http://httpd.apache.org/
diff -r c07e7bc1726f -r dfa540b56031 www/apache22/distinfo
--- a/www/apache22/distinfo     Sat Aug 09 22:03:52 2008 +0000
+++ b/www/apache22/distinfo     Sat Aug 09 22:16:44 2008 +0000
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.11 2008/06/18 21:38:01 tron Exp $
+$NetBSD: distinfo,v 1.12 2008/08/09 22:16:44 tron Exp $
 
 SHA1 (httpd-2.2.9.tar.bz2) = 71715d81e7a5ace4499803df7369c78b85251083
 RMD160 (httpd-2.2.9.tar.bz2) = 8fd62ae78271aa0ded6ba2f5bfeea8c63b79060a
 Size (httpd-2.2.9.tar.bz2) = 4943462 bytes
 SHA1 (patch-aa) = 40f5f687a1217b8d6684dc610d3d4c430f635cbf
+SHA1 (patch-ab) = f88048318569424b9f215debc71fec0f32295358
 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
 SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
 SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
diff -r c07e7bc1726f -r dfa540b56031 www/apache22/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/apache22/patches/patch-ab     Sat Aug 09 22:16:44 2008 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-ab,v 1.8 2008/08/09 22:16:44 tron Exp $
+
+Patch for CVE-2008-2939, taken from the Apache SVN repository:
+http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_ftp.c?r1=681190&r2=682868&pathrev=682868
+
+--- modules/proxy/mod_proxy_ftp.c.orig 2008-05-17 20:42:03.000000000 +0100
++++ modules/proxy/mod_proxy_ftp.c      2008-08-09 23:07:09.000000000 +0100
+@@ -383,6 +383,7 @@
+                                                            c->bucket_alloc));
+         }
+         if (wildcard != NULL) {
++            wildcard = ap_escape_html(p, wildcard);
+             APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(wildcard,
+                                                            strlen(wildcard), p,
+                                                            c->bucket_alloc));