CVS commit: pkgsrc/www/apache24

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/www/apache24
From: "Thomas Klausner" <wiz%netbsd.org@localhost>
Date: Fri, 29 Jul 2016 11:11:25 +0000

Module Name:    pkgsrc
Committed By:   wiz
Date:           Fri Jul 29 11:11:25 UTC 2016

Modified Files:
        pkgsrc/www/apache24: Makefile distinfo
Added Files:
        pkgsrc/www/apache24/patches: patch-server_util__script.c

Log Message:
Fix httpoxy vulnerability.

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.25 -r1.26 pkgsrc/www/apache24/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/www/apache24/patches/patch-server_util__script.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.47 pkgsrc/www/apache24/Makefile:1.48
--- pkgsrc/www/apache24/Makefile:1.47   Sat Jul  9 06:39:10 2016
+++ pkgsrc/www/apache24/Makefile        Fri Jul 29 11:11:24 2016
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.47 2016/07/09 06:39:10 wiz Exp $
+# $NetBSD: Makefile,v 1.48 2016/07/29 11:11:24 wiz Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
@@ -7,7 +7,7 @@
 
 DISTNAME=      httpd-2.4.23
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/} \
                http://archive.apache.org/dist/httpd/ \

Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.25 pkgsrc/www/apache24/distinfo:1.26
--- pkgsrc/www/apache24/distinfo:1.25   Tue Jul  5 16:13:53 2016
+++ pkgsrc/www/apache24/distinfo        Fri Jul 29 11:11:24 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.25 2016/07/05 16:13:53 taca Exp $
+$NetBSD: distinfo,v 1.26 2016/07/29 11:11:24 wiz Exp $
 
 SHA1 (httpd-2.4.23.tar.bz2) = 5101be34ac4a509b245adb70a56690a84fcc4e7f
 RMD160 (httpd-2.4.23.tar.bz2) = 01a485281ededaaf932c9478ad078879a63254bc
@@ -15,3 +15,4 @@ SHA1 (patch-al) = 02d9ade5aac4270182063d
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
+SHA1 (patch-server_util__script.c) = e106f9d7157a5eaf34ef9b1fb445d517c7712aa2

Added files:

Index: pkgsrc/www/apache24/patches/patch-server_util__script.c
diff -u /dev/null pkgsrc/www/apache24/patches/patch-server_util__script.c:1.1
--- /dev/null   Fri Jul 29 11:11:25 2016
+++ pkgsrc/www/apache24/patches/patch-server_util__script.c     Fri Jul 29 11:11:25 2016
@@ -0,0 +1,22 @@
+$NetBSD: patch-server_util__script.c,v 1.1 2016/07/29 11:11:25 wiz Exp $
+
+Fix httpoxy vulnerability.
+https://www.apache.org/security/asf-httpoxy-response.txt
+
+--- server/util_script.c.orig  2016-04-27 13:03:00.000000000 +0000
++++ server/util_script.c
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index