pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2008Q2]: pkgsrc/www/apache22 Pullup ticket 2476 - requested by...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/77b63a24507f
branches:  pkgsrc-2008Q2
changeset: 544243:77b63a24507f
user:      spz <spz%pkgsrc.org@localhost>
date:      Tue Aug 12 18:16:33 2008 +0000

description:
Pullup ticket 2476 - requested by tron
Security fix

Revisions pulled up:
- pkgsrc/www/apache22/Makefile                  1.28
- pkgsrc/www/apache22/distinfo                  1.12
- pkgsrc/www/apache22/patches/patch-ab          1.8

   Module Name: pkgsrc
   Committed By:        tron
   Date:                Sat Aug  9 22:16:44 UTC 2008

   Modified Files:
        pkgsrc/www/apache22: Makefile distinfo
   Added Files:
        pkgsrc/www/apache22/patches: patch-ab

   Log Message:
   Add patch from Apache SVN repository to avoid cross-site scripting attacks
   in the FTP proxy module. This fixes the security vulnerability reported
   in CVE-2008-2939.


   To generate a diff of this commit:
   cvs rdiff -r1.27 -r1.28 pkgsrc/www/apache22/Makefile
   cvs rdiff -r1.11 -r1.12 pkgsrc/www/apache22/distinfo
   cvs rdiff -r0 -r1.8 pkgsrc/www/apache22/patches/patch-ab

diffstat:

 www/apache22/Makefile         |   3 ++-
 www/apache22/distinfo         |   3 ++-
 www/apache22/patches/patch-ab |  15 +++++++++++++++
 3 files changed, 19 insertions(+), 2 deletions(-)

diffs (48 lines):

diff -r ad74e468c004 -r 77b63a24507f www/apache22/Makefile
--- a/www/apache22/Makefile     Tue Aug 12 11:47:16 2008 +0000
+++ b/www/apache22/Makefile     Tue Aug 12 18:16:33 2008 +0000
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.27 2008/06/18 21:38:00 tron Exp $
+# $NetBSD: Makefile,v 1.27.4.1 2008/08/12 18:16:33 spz Exp $
 
 .include "Makefile.common"
 
 PKGNAME=       apache-${APACHE_VERSION}
+PKGREVISION=   1
 CATEGORIES=    www
 
 HOMEPAGE=      http://httpd.apache.org/
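Review bot: the new PKGREVISION= 1 line after PKGNAME gives no hint of why the revision was bumped; the reason (patch-ab for CVE-2008-2939) is recorded only in the commit log. Since this is a pullup of Makefile 1.28, confirm that the branch ends up with the same PKGREVISION as that revision, so both name the patched package identically.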
diff -r ad74e468c004 -r 77b63a24507f www/apache22/distinfo
--- a/www/apache22/distinfo     Tue Aug 12 11:47:16 2008 +0000
+++ b/www/apache22/distinfo     Tue Aug 12 18:16:33 2008 +0000
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.11 2008/06/18 21:38:01 tron Exp $
+$NetBSD: distinfo,v 1.11.4.1 2008/08/12 18:16:33 spz Exp $
 
 SHA1 (httpd-2.2.9.tar.bz2) = 71715d81e7a5ace4499803df7369c78b85251083
 RMD160 (httpd-2.2.9.tar.bz2) = 8fd62ae78271aa0ded6ba2f5bfeea8c63b79060a
 Size (httpd-2.2.9.tar.bz2) = 4943462 bytes
 SHA1 (patch-aa) = 40f5f687a1217b8d6684dc610d3d4c430f635cbf
+SHA1 (patch-ab) = f88048318569424b9f215debc71fec0f32295358
 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
 SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
 SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
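Review bot: the added SHA1 (patch-ab) line is the only integrity record for the new patch, and nothing in this hunk lets a reader confirm that it matches the patch-ab file added below. The $NetBSD$ line in patch-ab expands differently on the branch (1.7.2.1), so run make makepatchsum on the branch and check that the result still equals f88048318569424b9f215debc71fec0f32295358.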
diff -r ad74e468c004 -r 77b63a24507f www/apache22/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/apache22/patches/patch-ab     Tue Aug 12 18:16:33 2008 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-ab,v 1.7.2.1 2008/08/12 18:16:33 spz Exp $
+
+Patch for CVE-2008-2939, taken from the Apache SVN repository:
+http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_ftp.c?r1=681190&r2=682868&pathrev=682868
+
+--- modules/proxy/mod_proxy_ftp.c.orig 2008-05-17 20:42:03.000000000 +0100
++++ modules/proxy/mod_proxy_ftp.c      2008-08-09 23:07:09.000000000 +0100
+@@ -383,6 +383,7 @@
+                                                            c->bucket_alloc));
+         }
+         if (wildcard != NULL) {
++            wildcard = ap_escape_html(p, wildcard);
+             APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(wildcard,
+                                                            strlen(wildcard), p,
+                                                            c->bucket_alloc));
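Review bot: the added ap_escape_html(p, wildcard) call covers only the wildcard string inside the if (wildcard != NULL) block. The brigade insert whose tail is visible just above it lies outside the hunk, so these lines cannot show whether other request-derived text written into the same output is escaped as well. Check the neighbouring APR_BRIGADE_INSERT_TAIL calls in mod_proxy_ftp.c before relying on this one line to close CVE-2008-2939. The placement itself is sound: the reassignment comes before strlen(wildcard), so the bucket length matches the escaped string. The patch header cites a trunk revision range while distinfo shows the package building httpd-2.2.9; a sentence in the header saying the change applies unmodified to 2.2.9 would help later maintainers.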


