

[pkgsrc/trunk]: pkgsrc/www/apache2 Apply the patch for CVE-2008-2364 from apa...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/77d5564e4376
branches:  trunk
changeset: 543562:77d5564e4376
user:      he <he%pkgsrc.org@localhost>
date:      Fri Jun 20 13:28:08 2008 +0000

description:
Apply the patch for CVE-2008-2364 from Apache.
Bump pkg revision.

diffstat:

 www/apache2/Makefile.common  |   3 +-
 www/apache2/distinfo         |   3 +-
 www/apache2/patches/patch-ap |  70 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 74 insertions(+), 2 deletions(-)

diffs (105 lines):

diff -r 5bf449ef5106 -r 77d5564e4376 www/apache2/Makefile.common
--- a/www/apache2/Makefile.common       Fri Jun 20 12:07:58 2008 +0000
+++ b/www/apache2/Makefile.common       Fri Jun 20 13:28:08 2008 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.24 2008/01/21 14:38:29 taca Exp $
+# $NetBSD: Makefile.common,v 1.25 2008/06/20 13:28:08 he Exp $
 
 # used by devel/apr0/Makefile
 
@@ -7,6 +7,7 @@
 # When updating this version be sure to update the checksum and remove
 # any PKGREVISION for devel/apr also.
 APACHE_VERSION=                2.0.63
+PKGREVISION=           1
 APR_VERSION=           0.9.17
 MASTER_SITES=          ${MASTER_SITE_APACHE:=httpd/} \
                        ${MASTER_SITE_APACHE:=httpd/old/} \
diff -r 5bf449ef5106 -r 77d5564e4376 www/apache2/distinfo
--- a/www/apache2/distinfo      Fri Jun 20 12:07:58 2008 +0000
+++ b/www/apache2/distinfo      Fri Jun 20 13:28:08 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.52 2008/01/21 14:37:22 taca Exp $
+$NetBSD: distinfo,v 1.53 2008/06/20 13:28:08 he Exp $
 
 SHA1 (httpd-2.0.63.tar.bz2) = 20e2b64944e38e96491af788a37cb709d2c5b755
 RMD160 (httpd-2.0.63.tar.bz2) = f6a7de59860f627ac40b245fcf742fb07e1b4870
@@ -13,3 +13,4 @@
 SHA1 (patch-al) = 9af7b6c56177d971e135f0a00b3ab9ded5d1b6dd
 SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
 SHA1 (patch-ao) = c629a7563d0e555922526e26b266251144a14ff6
+SHA1 (patch-ap) = 260b9c88bbcb238a81319ff5bef523ec6d765a27
diff -r 5bf449ef5106 -r 77d5564e4376 www/apache2/patches/patch-ap
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/apache2/patches/patch-ap      Fri Jun 20 13:28:08 2008 +0000
@@ -0,0 +1,70 @@
+$NetBSD: patch-ap,v 1.5 2008/06/20 13:28:08 he Exp $
+
+This is directly from
+http://www.apache.org/dist/httpd/patches/apply_to_2.0.63/CVE-2008-2364-patch-2.0.txt
+and as the name indicates a security-related patch.
+
+Index: modules/proxy/proxy_http.c
+===================================================================
+--- modules/proxy/proxy_http.c (revision 666240)
++++ modules/proxy/proxy_http.c (working copy)
+@@ -1290,6 +1290,16 @@
+     return 1;
+ }
+ 
++/*
++ * Limit the number of interim respones we sent back to the client. Otherwise
++ * we suffer from a memory build up. Besides there is NO sense in sending back
++ * an unlimited number of interim responses to the client. Thus if we cross
++ * this limit send back a 502 (Bad Gateway).
++ */
++#ifndef AP_MAX_INTERIM_RESPONSES
++#define AP_MAX_INTERIM_RESPONSES 10
++#endif
++
+ static
+ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
+                                             proxy_http_conn_t *p_conn,
+@@ -1322,7 +1332,7 @@
+      */
+     rp->proxyreq = PROXYREQ_RESPONSE;
+ 
+-    while (received_continue) {
++    while (received_continue && (received_continue <= AP_MAX_INTERIM_RESPONSES)) {
+         apr_brigade_cleanup(bb);
+ 
+         len = ap_getline(buffer, sizeof(buffer), rp, 0);
+@@ -1440,7 +1450,9 @@
+             if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
+                 ap_set_content_type(r, apr_pstrdup(p, buf));
+             }            
+-            ap_proxy_pre_http_request(origin,rp);
++            if (!ap_is_HTTP_INFO(r->status)) {
++                ap_proxy_pre_http_request(origin, rp);
++            }
+ 
+             /* handle Via header in response */
+             if (conf->viaopt != via_off && conf->viaopt != via_block) {
+@@ -1486,6 +1498,7 @@
+         if ( r->status != HTTP_CONTINUE ) {
+             received_continue = 0;
+         } else {
++            received_continue++;
+             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
+                          "proxy: HTTP: received 100 CONTINUE");
+         }
+@@ -1622,6 +1635,14 @@
+         }
+     }
+ 
++    /* See define of AP_MAX_INTERIM_RESPONSES for why */
++    if (received_continue > AP_MAX_INTERIM_RESPONSES) {
++        return ap_proxyerror(r, HTTP_BAD_GATEWAY,
++                             apr_psprintf(p, 
++                             "Too many (%d) interim responses from origin server",
++                             received_continue));
++    }
++
+     if ( conf->error_override ) {
+         /* the code above this checks for 'OK' which is what the hook expects */
+         if ( r->status == HTTP_OK )
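Review bot: The explanatory header of patch-ap (the lines between the $NetBSD tag and the nested `Index:` line) says only that this is "a security-related patch", so a pkgsrc reader cannot tell what CVE-2008-2364 actually fixes without fetching the upstream URL; the comment block the patch itself adds above `AP_MAX_INTERIM_RESPONSES` already gives the answer. I would extend the header with `Fixes CVE-2008-2364: bounds the number of 1xx interim responses mod_proxy relays from an origin server, which previously could grow memory without limit.` The bounds in the nested patch are consistent with each other — the loop runs while `received_continue <= AP_MAX_INTERIM_RESPONSES` and the post-loop check returns 502 on `>` — but the initialisation of `received_continue` and the start of `ap_proxy_http_process_response` lie outside the hunk, so that the counter really starts at a small positive value is inferred, not visible here. Minor: the added comment has the typo `respones`, but since the file is taken verbatim from upstream it is better left as-is than locally edited.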


