CVS commit: [pkgsrc-2021Q3] pkgsrc/www/apache24

["Benny Siegert" <bsiegert%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Fri Oct  8 13:37:27 UTC 2021

Modified Files:
        pkgsrc/www/apache24 [pkgsrc-2021Q3]: Makefile distinfo

Log Message:
Pullup ticket #6506 - requested by taca
apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.105
- www/apache24/distinfo                                         1.49

---
   Module Name: pkgsrc
   Committed By:        adam
   Date:                Thu Oct  7 19:05:25 UTC 2021

   Modified Files:
        pkgsrc/www/apache24: Makefile distinfo

   Log Message:
   apache24: updated to 2.4.51

   Changes with Apache 2.4.51

   *) SECURITY: CVE-2021-42013: Path Traversal and Remote Code
      Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
      fix of CVE-2021-41773) (cve.mitre.org)
      It was found that the fix for CVE-2021-41773 in Apache HTTP
      Server 2.4.50 was insufficient.  An attacker could use a path
      traversal attack to map URLs to files outside the directories
      configured by Alias-like directives.
      If files outside of these directories are not protected by the
      usual default configuration "require all denied", these requests
      can succeed. If CGI scripts are also enabled for these aliased
      pathes, this could allow for remote code execution.
      This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
      earlier versions.

   *) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
      unused AP_NORMALIZE_DROP_PARAMETERS flag.


To generate a diff of this commit:
cvs rdiff -u -r1.101.2.1 -r1.101.2.2 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.46.2.1 -r1.46.2.2 pkgsrc/www/apache24/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.101.2.1 pkgsrc/www/apache24/Makefile:1.101.2.2
--- pkgsrc/www/apache24/Makefile:1.101.2.1      Wed Oct  6 21:59:03 2021
+++ pkgsrc/www/apache24/Makefile        Fri Oct  8 13:37:27 2021
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.101.2.1 2021/10/06 21:59:03 tm Exp $
+# $NetBSD: Makefile,v 1.101.2.2 2021/10/08 13:37:27 bsiegert Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=      httpd-2.4.50
+DISTNAME=      httpd-2.4.51
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}

Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.46.2.1 pkgsrc/www/apache24/distinfo:1.46.2.2
--- pkgsrc/www/apache24/distinfo:1.46.2.1       Wed Oct  6 21:59:03 2021
+++ pkgsrc/www/apache24/distinfo        Fri Oct  8 13:37:27 2021
@@ -1,9 +1,8 @@
-$NetBSD: distinfo,v 1.46.2.1 2021/10/06 21:59:03 tm Exp $
+$NetBSD: distinfo,v 1.46.2.2 2021/10/08 13:37:27 bsiegert Exp $
 
-SHA1 (httpd-2.4.50.tar.bz2) = 560cea1589d107aa06ae7eabf144316b00338141
-RMD160 (httpd-2.4.50.tar.bz2) = 5f93e67fccb703318115b921d670d12ec81ad3c8
-SHA512 (httpd-2.4.50.tar.bz2) = b1afbaf44e503b822ff2b443881dcb44a93aa55d496f88ae399a2e7def05f78590f266a16da1f2c0aac88e463b76fba20843b1e20a102e76c8269de6fae3e158
-Size (httpd-2.4.50.tar.bz2) = 7653174 bytes
+RMD160 (httpd-2.4.51.tar.bz2) = 339cf2df89613855dc44affe6296ba1b1652db14
+SHA512 (httpd-2.4.51.tar.bz2) = 9fb07c4b176f5c0485a143e2b1bb1085345ca9120b959974f68c37a8911a57894d2cb488b1b42fdf3102860b99e890204f5e9fa7ae3828b481119c563812cc66
+Size (httpd-2.4.51.tar.bz2) = 7653609 bytes
 SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d