pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: [pkgsrc-2016Q2] pkgsrc/www/apache24



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Wed Sep  7 18:08:36 UTC 2016

Modified Files:
        pkgsrc/www/apache24 [pkgsrc-2016Q2]: Makefile distinfo
Added Files:
        pkgsrc/www/apache24/patches [pkgsrc-2016Q2]:
            patch-server_util__script.c

Log Message:
Pullup ticket #5093 - requested by taca
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.48
- www/apache24/distinfo                                         1.26
- www/apache24/patches/patch-server_util__script.c              1.1

---
   Module Name:    pkgsrc
   Committed By:   wiz
   Date:           Fri Jul 29 11:11:25 UTC 2016

   Modified Files:
           pkgsrc/www/apache24: Makefile distinfo
   Added Files:
           pkgsrc/www/apache24/patches: patch-server_util__script.c

   Log Message:
   Fix httpoxy vulnerability.

   Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.45.2.1 -r1.45.2.2 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.24.2.1 -r1.24.2.2 pkgsrc/www/apache24/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/www/apache24/patches/patch-server_util__script.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.45.2.1 pkgsrc/www/apache24/Makefile:1.45.2.2
--- pkgsrc/www/apache24/Makefile:1.45.2.1       Wed Jul 20 04:59:21 2016
+++ pkgsrc/www/apache24/Makefile        Wed Sep  7 18:08:36 2016
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.45.2.1 2016/07/20 04:59:21 spz Exp $
+# $NetBSD: Makefile,v 1.45.2.2 2016/09/07 18:08:36 bsiegert Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
@@ -7,6 +7,7 @@
 
 DISTNAME=      httpd-2.4.23
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
+PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/} \
                http://archive.apache.org/dist/httpd/ \

Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.24.2.1 pkgsrc/www/apache24/distinfo:1.24.2.2
--- pkgsrc/www/apache24/distinfo:1.24.2.1       Wed Jul 20 04:59:21 2016
+++ pkgsrc/www/apache24/distinfo        Wed Sep  7 18:08:36 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.24.2.1 2016/07/20 04:59:21 spz Exp $
+$NetBSD: distinfo,v 1.24.2.2 2016/09/07 18:08:36 bsiegert Exp $
 
 SHA1 (httpd-2.4.23.tar.bz2) = 5101be34ac4a509b245adb70a56690a84fcc4e7f
 RMD160 (httpd-2.4.23.tar.bz2) = 01a485281ededaaf932c9478ad078879a63254bc
@@ -15,3 +15,4 @@ SHA1 (patch-al) = 02d9ade5aac4270182063d
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
+SHA1 (patch-server_util__script.c) = e106f9d7157a5eaf34ef9b1fb445d517c7712aa2

Added files:

Index: pkgsrc/www/apache24/patches/patch-server_util__script.c
diff -u /dev/null pkgsrc/www/apache24/patches/patch-server_util__script.c:1.1.2.2
--- /dev/null   Wed Sep  7 18:08:36 2016
+++ pkgsrc/www/apache24/patches/patch-server_util__script.c     Wed Sep  7 18:08:36 2016
@@ -0,0 +1,22 @@
+$NetBSD: patch-server_util__script.c,v 1.1.2.2 2016/09/07 18:08:36 bsiegert Exp $
+
+Fix httpoxy vulnerability.
+https://www.apache.org/security/asf-httpoxy-response.txt
+
+--- server/util_script.c.orig  2016-04-27 13:03:00.000000000 +0000
++++ server/util_script.c
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them



Home | Main Index | Thread Index | Old Index