[pkgsrc/trunk]: pkgsrc/www/apache24 apache24: update to 2.4.28

[adam <adam%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/53e067994642
branches:  trunk
changeset: 369825:53e067994642
user:      adam <adam%pkgsrc.org@localhost>
date:      Fri Oct 06 06:22:05 2017 +0000

description:
apache24: update to 2.4.28

Changes with Apache 2.4.28

*) SECURITY: CVE-2017-9798 (cve.mitre.org)
   Corrupted or freed memory access. <Limit[Except]> must now be used in the
   main configuration file (httpd.conf) to register HTTP methods before the
   .htaccess files.

*) event: Avoid possible blocking in the listener thread when shutting down
   connections.

*) mod_speling: Don't embed referer data in a link in error page.

*) htdigest: prevent a buffer overflow when a string exceeds the allowed max
   length in a password file.

*) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).

*) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.

*) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
   down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
   's' (second) and 'hr' (hour!) time suffixes.

*) mod_http2: Fix for stalling when more than 32KB are written to a
   suspended stream.

*) build: allow configuration without APR sources.

*) mod_ssl, ab: Fix compatibility with LibreSSL.

*) core/log: Support use of optional "tag" in syslog entries.

*) mod_proxy: Fix ProxyAddHeaders merging.

*) core: Disallow multiple Listen on the same IP:port when listener buckets
   are configured (ListenCoresBucketsRatio > 0), consistently with the single
   bucket case (default), thus avoiding the leak of the corresponding socket
   descriptors on graceful restart.

*) event: Avoid listener periodic wake ups by using the pollset wake-ability
   when available.

*) mod_proxy_wstunnel: Fix detection of unresponded request which could have
   led to spurious HTTP 502 error messages sent on upgrade connections.

diffstat:

 www/apache24/Makefile                    |   5 ++---
 www/apache24/distinfo                    |  11 +++++------
 www/apache24/patches/patch-server_core.c |  20 --------------------
 3 files changed, 7 insertions(+), 29 deletions(-)

diffs (66 lines):

diff -r cc8ffb129777 -r 53e067994642 www/apache24/Makefile
--- a/www/apache24/Makefile     Fri Oct 06 06:15:00 2017 +0000
+++ b/www/apache24/Makefile     Fri Oct 06 06:22:05 2017 +0000
@@ -1,13 +1,12 @@
-# $NetBSD: Makefile,v 1.61 2017/09/18 13:24:05 wiz Exp $
+# $NetBSD: Makefile,v 1.62 2017/10/06 06:22:05 adam Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=      httpd-2.4.27
+DISTNAME=      httpd-2.4.28
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}
 MASTER_SITES+= http://archive.apache.org/dist/httpd/
diff -r cc8ffb129777 -r 53e067994642 www/apache24/distinfo
--- a/www/apache24/distinfo     Fri Oct 06 06:15:00 2017 +0000
+++ b/www/apache24/distinfo     Fri Oct 06 06:22:05 2017 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.32 2017/09/18 13:34:51 wiz Exp $
+$NetBSD: distinfo,v 1.33 2017/10/06 06:22:05 adam Exp $
 
-SHA1 (httpd-2.4.27.tar.bz2) = 699e4e917e8fb5fd7d0ce7e009f8256ed02ec6fc
-RMD160 (httpd-2.4.27.tar.bz2) = 46f601f58de77eb11fa4c7ea35fa0858d2f4d289
-SHA512 (httpd-2.4.27.tar.bz2) = 7e7e8070715b74cb6890096a74e194f4c6a49c14bda685b1ad832e84312f1ac4316ea03a430e679502bfd8e1853aefa544ee002a20d0f7e994b9a590c74bc42c
-Size (httpd-2.4.27.tar.bz2) = 6527394 bytes
+SHA1 (httpd-2.4.28.tar.bz2) = 0b37522b808dcee72e1d56d656b0def530b820a2
+RMD160 (httpd-2.4.28.tar.bz2) = b242f9b671a5b1cc58e3897d3bb6c278d4125e47
+SHA512 (httpd-2.4.28.tar.bz2) = 8de8e32b87e6de220e492e74db9df0882fae11c3b9732f3d3316da048c04767ac4429c0433c36f87d8705263e3376f97a7e1f66a9d7a518632a67b6fe617590a
+Size (httpd-2.4.28.tar.bz2) = 6553163 bytes
 SHA1 (patch-aa) = 2d92b1340aaae40289421f164346348c6d7fe839
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d
@@ -15,4 +15,3 @@
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
-SHA1 (patch-server_core.c) = 52dbf840b22c4ad48ede200c3fe5ae889d2fe509
diff -r cc8ffb129777 -r 53e067994642 www/apache24/patches/patch-server_core.c
--- a/www/apache24/patches/patch-server_core.c  Fri Oct 06 06:15:00 2017 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,20 +0,0 @@
-$NetBSD: patch-server_core.c,v 1.2 2017/09/18 13:34:51 wiz Exp $
-
-Fix security problem using upstream patch.
-http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
-
---- server/core.c.orig 2016-12-05 14:34:29.000000000 +0000
-+++ server/core.c
-@@ -2262,6 +2262,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_
-             /* method has not been registered yet, but resource restriction
-              * is always checked before method handling, so register it.
-              */
-+            if (cmd->pool == cmd->temp_pool) {
-+                /* In .htaccess, we can't globally register new methods. */
-+                return apr_psprintf(cmd->pool, "Could not register method '%s' "
-+                                   "for %s from .htaccess configuration",
-+                                    method, cmd->cmd->name);
-+            }
-             methnum = ap_method_register(cmd->pool,
-                                          apr_pstrdup(cmd->pool, method));
-         }