[pkgsrc/pkgsrc-2016Q2]: pkgsrc/www/apache24 Pullup ticket #5093 - requested b...

[bsiegert <bsiegert%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/92ae946372de
branches:  pkgsrc-2016Q2
changeset: 408882:92ae946372de
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Wed Sep 07 18:08:36 2016 +0000

description:
Pullup ticket #5093 - requested by taca
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.48
- www/apache24/distinfo                                         1.26
- www/apache24/patches/patch-server_util__script.c              1.1

---
   Module Name:    pkgsrc
   Committed By:   wiz
   Date:           Fri Jul 29 11:11:25 UTC 2016

   Modified Files:
           pkgsrc/www/apache24: Makefile distinfo
   Added Files:
           pkgsrc/www/apache24/patches: patch-server_util__script.c

   Log Message:
   Fix httpoxy vulnerability.

   Bump PKGREVISION.

diffstat:

 www/apache24/Makefile                            |   3 ++-
 www/apache24/distinfo                            |   3 ++-
 www/apache24/patches/patch-server_util__script.c |  22 ++++++++++++++++++++++
 3 files changed, 26 insertions(+), 2 deletions(-)

diffs (57 lines):

diff -r f0908aef9dfc -r 92ae946372de www/apache24/Makefile
--- a/www/apache24/Makefile     Tue Sep 06 19:13:20 2016 +0000
+++ b/www/apache24/Makefile     Wed Sep 07 18:08:36 2016 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.45.2.1 2016/07/20 04:59:21 spz Exp $
+# $NetBSD: Makefile,v 1.45.2.2 2016/09/07 18:08:36 bsiegert Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
@@ -7,6 +7,7 @@
 
 DISTNAME=      httpd-2.4.23
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
+PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/} \
                http://archive.apache.org/dist/httpd/ \
diff -r f0908aef9dfc -r 92ae946372de www/apache24/distinfo
--- a/www/apache24/distinfo     Tue Sep 06 19:13:20 2016 +0000
+++ b/www/apache24/distinfo     Wed Sep 07 18:08:36 2016 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.24.2.1 2016/07/20 04:59:21 spz Exp $
+$NetBSD: distinfo,v 1.24.2.2 2016/09/07 18:08:36 bsiegert Exp $
 
 SHA1 (httpd-2.4.23.tar.bz2) = 5101be34ac4a509b245adb70a56690a84fcc4e7f
 RMD160 (httpd-2.4.23.tar.bz2) = 01a485281ededaaf932c9478ad078879a63254bc
@@ -15,3 +15,4 @@
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
+SHA1 (patch-server_util__script.c) = e106f9d7157a5eaf34ef9b1fb445d517c7712aa2
diff -r f0908aef9dfc -r 92ae946372de www/apache24/patches/patch-server_util__script.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/apache24/patches/patch-server_util__script.c  Wed Sep 07 18:08:36 2016 +0000
@@ -0,0 +1,22 @@
+$NetBSD: patch-server_util__script.c,v 1.1.2.2 2016/09/07 18:08:36 bsiegert Exp $
+
+Fix httpoxy vulnerability.
+https://www.apache.org/security/asf-httpoxy-response.txt
+
+--- server/util_script.c.orig  2016-04-27 13:03:00.000000000 +0000
++++ server/util_script.c
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them