pkgsrc-Changes archive


CVS commit: pkgsrc/www/apache24



Module Name:    pkgsrc
Committed By:   adam
Date:           Wed Mar  8 08:52:02 UTC 2023

Modified Files:
        pkgsrc/www/apache24: Makefile distinfo

Log Message:
apache24: updated to 2.4.56

Changes with Apache 2.4.56

*) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
   HTTP response splitting (cve.mitre.org)
   HTTP Response Smuggling vulnerability in Apache HTTP Server via
   mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
   2.4.30 through 2.4.55.
   Special characters in the origin response header can
   truncate/split the response forwarded to the client.
   Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)

*) SECURITY: CVE-2023-25690: HTTP request splitting with
   mod_rewrite and mod_proxy (cve.mitre.org)
   Some mod_proxy configurations on Apache HTTP Server versions
   2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
   Configurations are affected when mod_proxy is enabled along with
   some form of RewriteRule or ProxyPassMatch in which a non-specific
   pattern matches some portion of the user-supplied request-target
   (URL) data and is then re-inserted into the proxied request-target
   using variable substitution. For example, something like:
   RewriteEngine on
   RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
   ProxyPassReverse /here/ http://example.com:8080/
   Request splitting/smuggling could result in bypass of access
   controls in the proxy server, proxying unintended URLs to
   existing origin servers, and cache poisoning.
   Credits: Lars Krapf of Adobe

*) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
   truncated without the initial logfile being truncated.  [Eric Covener]

*) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
   allow connections of any age to be reused. Up to now, a negative value
   was handled as an error when parsing the configuration file.
   [nailyk <bzapache nailyk.fr>, Christophe Jaillet]

*) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
   of headers. [Ruediger Pluem]

*) mod_md:
   - Enabling ED25519 support and certificate transparency information when
     building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
   - MDChallengeDns01 can now be configured for individual domains.
     Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
   - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
     teardown not being invoked as it should.
   [Stefan Eissing]

*) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
   reported in access logs and error documents. The processing of the
   reset was correct, only unnecessary reporting was caused.
   [Stefan Eissing]

*) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
   [Yann Ylavic]


To generate a diff of this commit:
cvs rdiff -u -r1.115 -r1.116 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.54 -r1.55 pkgsrc/www/apache24/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.115 pkgsrc/www/apache24/Makefile:1.116
--- pkgsrc/www/apache24/Makefile:1.115  Fri Jan 20 14:03:16 2023
+++ pkgsrc/www/apache24/Makefile        Wed Mar  8 08:52:02 2023
@@ -1,15 +1,14 @@
-# $NetBSD: Makefile,v 1.115 2023/01/20 14:03:16 adam Exp $
+# $NetBSD: Makefile,v 1.116 2023/03/08 08:52:02 adam Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=      httpd-2.4.55
+DISTNAME=      httpd-2.4.56
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}
-MASTER_SITES+= https://archive.apache.org/dist/httpd/
 EXTRACT_SUFX=  .tar.bz2
 
 MAINTAINER=    ryoon%NetBSD.org@localhost
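Review bot: the removal of `MASTER_SITES+= https://archive.apache.org/dist/httpd/` is not mentioned in the log message, which only says "updated to 2.4.56". The primary ${MASTER_SITE_APACHE} mirrors carry only the current release, so once 2.4.57 replaces 2.4.56 the distfile will be fetchable only from archive.apache.org or the pkgsrc distfile mirrors; either keep the fallback line or state in the commit message why it was dropped.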
@@ -70,8 +69,6 @@ PLIST_VARS+=          ssl
 PLIST.ssl=             yes
 .endif
 
-APACHE_USER?=          www
-APACHE_GROUP?=         www
 PKG_GROUPS=            ${APACHE_GROUP}
 PKG_USERS=             ${APACHE_USER}:${APACHE_GROUP}
 PKG_GROUPS_VARS=       APACHE_GROUP
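Review bot: `APACHE_USER?= www` and `APACHE_GROUP?= www` are removed while the unchanged context directly below still expands `${APACHE_GROUP}` and `${APACHE_USER}` in `PKG_GROUPS`, `PKG_USERS` and `PKG_GROUPS_VARS`. This is only safe if both variables get their default elsewhere (pkgsrc's mk/defaults/mk.conf normally supplies them); please confirm that and record this cleanup in the log message, since an empty expansion here would create the server's user and group with empty names.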

Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.54 pkgsrc/www/apache24/distinfo:1.55
--- pkgsrc/www/apache24/distinfo:1.54   Fri Jan 20 14:03:16 2023
+++ pkgsrc/www/apache24/distinfo        Wed Mar  8 08:52:02 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.54 2023/01/20 14:03:16 adam Exp $
+$NetBSD: distinfo,v 1.55 2023/03/08 08:52:02 adam Exp $
 
-BLAKE2s (httpd-2.4.55.tar.bz2) = e822cdaece492e04d2b4bd5761ae64ab2d26def4a7f534e2977991ec8cfb995f
-SHA512 (httpd-2.4.55.tar.bz2) = 94982f7a1fedac8961fc17b5a22cf763ac28cb27ee6facab2e6a15b249b927773667493fd3f7354fb13fcb34a6f1afc1bdd5cf4b7be030cba1dfb523e40d43fb
-Size (httpd-2.4.55.tar.bz2) = 7456187 bytes
+BLAKE2s (httpd-2.4.56.tar.bz2) = 01467c03e62c69f119a46332f77b866a311ee51b5c11c476041b31e082515feb
+SHA512 (httpd-2.4.56.tar.bz2) = 5f12cd9878d822384b1bb163fea4d8edee5e7a0dd8b2389264387971268145cccc6a5a27ddf0436c5f1f631acc5fdc4874da2a47911483e421ca40bf783e0e12
+Size (httpd-2.4.56.tar.bz2) = 7456418 bytes
 SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157
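Review bot: the three replaced checksum lines are the only integrity anchor for httpd-2.4.56.tar.bz2, and the log does not say how the SHA512 was obtained. Upstream publishes a .sha512 file and a PGP .asc signature next to the tarball; noting in the commit message that the hash was checked against the signed upstream value, rather than computed from whatever a mirror served, would make this security update auditable. The untouched `patch-aa`, `patch-ab` and `patch-ad` SHA1 lines show the local patches were not changed; a word that they still apply cleanly to 2.4.56 would complete the picture.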


