pkgsrc-Changes archive


CVS commit: [pkgsrc-2025Q2] pkgsrc/www/apache24



Module Name:    pkgsrc
Committed By:   maya
Date:           Thu Jul 17 02:51:20 UTC 2025

Modified Files:
        pkgsrc/www/apache24 [pkgsrc-2025Q2]: Makefile distinfo

Log Message:
Pullup ticket #6989 - requested by taca
www/apache24: Security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.136
- www/apache24/distinfo                                         1.68

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Sun Jul 13 16:33:04 UTC 2025

   Modified Files:
           pkgsrc/www/apache24: Makefile distinfo

   Log Message:
   apache24: updated to 2.4.64

   Changes with Apache 2.4.64

     *) SECURITY: CVE-2025-53020: Apache HTTP Server: HTTP/2 DoS by
        Memory Increase (cve.mitre.org)
        Late Release of Memory after Effective Lifetime vulnerability in
        Apache HTTP Server.
        This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.
        Users are recommended to upgrade to version 2.4.64, which fixes
        the issue.
        Credits: Gal Bar Nahum

     *) SECURITY: CVE-2025-49812: Apache HTTP Server: mod_ssl TLS
        upgrade attack (cve.mitre.org)
        In some mod_ssl configurations on Apache HTTP Server versions
        through to 2.4.63, an HTTP desynchronisation attack allows a
        man-in-the-middle attacker to hijack an HTTP session via a TLS
        upgrade.
        Only configurations using "SSLEngine optional" to enable TLS
        upgrades are affected. Users are recommended to upgrade to
        version 2.4.64, which removes support for TLS upgrade.
        Credits: Robert Merget (Technology Innovation Institute)

     *) SECURITY: CVE-2025-49630: Apache HTTP Server: mod_proxy_http2
        denial of service (cve.mitre.org)
        In certain proxy configurations, a denial of service attack
        against Apache HTTP Server versions 2.4.26 through to 2.4.63
        can be triggered by untrusted clients causing an assertion in
        mod_proxy_http2.
        Configurations affected are those where a reverse proxy is
        configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
        Credits: Anthony CORSIEZ

     *) SECURITY: CVE-2025-23048: Apache HTTP Server: mod_ssl access
        control bypass with session resumption (cve.mitre.org)
        In some mod_ssl configurations on Apache HTTP Server 2.4.35
        through to 2.4.62, an access control bypass by trusted clients
        is possible using TLS 1.3 session resumption.
        Configurations are affected when mod_ssl is configured for
        multiple virtual hosts, with each restricted to a different set
        of trusted client certificates (for example with a different
        SSLCACertificateFile/Path setting). In such a case, a client
        trusted to access one virtual host may be able to access another
        virtual host, if SSLStrictSNIVHostCheck is not enabled in either
        virtual host.
        Credits: Sven Hebrok, Felix Cramer, Tim Storm, Maximilian Radoy,
        and Juraj Somorovsky at Paderborn University

     *) SECURITY: CVE-2024-47252: Apache HTTP Server: mod_ssl error log
        variable escaping (cve.mitre.org)
        Insufficient escaping of user-supplied data in mod_ssl in Apache
        HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS
        client to insert escape characters into log files in some
        configurations.
        In a logging configuration where CustomLog is used with
        "%{varname}x" or "%{varname}c" to log variables provided by
        mod_ssl such as SSL_TLS_SNI, no escaping is performed by either
        mod_log_config or mod_ssl and unsanitized data provided by the
        client may appear in log files.
        Credits: John Runyon

     *) SECURITY: CVE-2024-43394: Apache HTTP Server: SSRF on Windows
        due to UNC paths (cve.mitre.org)
        Server-Side Request Forgery (SSRF) in Apache HTTP Server on
        Windows potentially allows NTLM hashes to be leaked to a malicious
        server via mod_rewrite or Apache expressions that pass
        unvalidated request input.
        This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63.
        Note:  The Apache HTTP Server Project will be setting a higher
        bar for accepting vulnerability reports regarding SSRF via UNC
        paths.
        The server offers limited protection against administrators
        directing the server to open UNC paths.
        Windows servers should limit the hosts they will connect over
        via SMB based on the nature of NTLM authentication.
        Credits: Kainan Zhang (@4xpl0r3r) from Fortinet

     *) SECURITY: CVE-2024-43204: Apache HTTP Server: SSRF with
        mod_headers setting Content-Type header (cve.mitre.org)
        SSRF in Apache HTTP Server with mod_proxy loaded allows an
        attacker to send outbound proxy requests to a URL controlled by
        the attacker.  Requires an unlikely configuration where
        mod_headers is configured to modify the Content-Type request or
        response header with a value provided in the HTTP request.
        Users are recommended to upgrade to version 2.4.64 which fixes
        this issue.
        Credits: xiaojunjie@安恒信息杭州市滨江区技能大师工作室

     *) SECURITY: CVE-2024-42516: Apache HTTP Server: HTTP response
        splitting (cve.mitre.org)
        HTTP response splitting in the core of Apache HTTP Server allows
        an attacker who can manipulate the Content-Type response headers
        of applications hosted or proxied by the server to split the
        HTTP response.
        This vulnerability was described as CVE-2023-38709 but the patch
        included in Apache HTTP Server 2.4.59 did not address the issue.
        Users are recommended to upgrade to version 2.4.64, which fixes
        this issue.

     *) mod_proxy_ajp: Use iobuffersize set on worker level for the IO buffer
        size.

     *) mod_ssl: Drop $SSLKEYLOGFILE handling internally for OpenSSL 3.5
        builds which enable it in libssl natively.  [Joe Orton]

     *) mod_asis: Fix the log level of the message AH01236.

     *) mod_session_dbd: ensure the formats used with SessionDBDCookieName and
        SessionDBDCookieName2 are correct.

     *) mod_headers: 'RequestHeader set|edit|edit_r Content-Type X' could
        inadvertently modify the Content-Type _response_ header. Applies to
        Content-Type only and likely to only affect static file responses.
        [Eric Covener]

     *) mod_ssl: Remove warning over potential uninitialised value
        for ssl protocol prior to protocol selection.
        [Graham Leggett]

     *) mod_proxy: Reuse ProxyRemote connections when possible, like prior
        to 2.4.59.  [Jean-Frederic Clere, Yann Ylavic]

     *) mod_systemd: Add systemd socket activation support.  [Paul Querna,
        Jan Kaluza, Lubos Uhliarik <luhliari redhat.com>, Joe Orton]

     *) mod_systemd: Log the SELinux context at startup if available and
        enabled.  [Joe Orton]

     *) mod_http2: update to version 2.0.32
        The code setting the connection window size was wrong,
        preventing `H2WindowSize` from working.
        Fixed <https://github.com/icing/mod_h2/issues/300>.
        [Stefan Eissing, Michael Kaufmann]

     *) mod_http2: update to version 2.0.30
        - Fixed bug in handling overly long response headers. When the 64 KB limit
          of nghttp2 was exceeded, the request was not reset and the client was
          left hanging, waiting for it. Now the stream is reset.
        - Added new directive `H2MaxHeaderBlockLen` to set the limit on response
          header sizes.
        - Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
          connection was reset.

     *) mod_lua: Fix memory handling in LuaOutputFilter.

     *) mod_proxy_http2: revert r1912193 for detecting broken backend connections
        as this interferes with backend selection when a node is unresponsive.

     *) mod_proxy_balancer: Fix a regression that caused stickysession keys to no
        longer be recognized if they are provided as a query parameter in the URL.

     *) mod_md: update to version 2.5.2
        - Fixed TLS-ALPN-01 challenges when multiple `MDPrivateKeys` are specified
          with EC keys before RSA ones.
        - Fixed missing newlines in the status page output. [Andreas Groth]

     *) mod_dav: Add API to expose DavBasePath setting.  [Joe Orton]

     *) mod_md: update to version 2.5.1
        - Added support for ACME profiles with new directives MDProfile and
          MDProfileMandatory.
        - When installing a custom CA file via `MDCACertificateFile`, also set the
          libcurl option CURLSSLOPT_NO_REVOKE that suppresses complaints by Schannel
          (when curl is linked with it) about missing CRL/OCSP in certificates.
        - Fixed handling of corrupted httpd.json and added test 300_30 for it.
          File is removed on error and written again.
        - Added explanation in log for how to proceed when md_store.json could not be
          parsed and prevented the server start.
        - restored fixes to 336 and 337 which got lost in a sync with Apache svn
        - Add Issue Name/Uris to certificate information in md-status handler
        - MDomains with static certificate files have MDRenewMode "manual", unless
          "always" is configured.

     *) core: Report invalid Options= argument when parsing AllowOverride
        directives.

     *) scoreboard/mod_http2: record durations of HTTP/2 requests.
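Four of the security entries above describe configuration-dependent conditions: "SSLEngine optional" (CVE-2025-49812), ProxyPreserveHost "on" in front of an HTTP/2 backend (CVE-2025-49630), several TLS virtual hosts trusting different client CAs without SSLStrictSNIVHostCheck (CVE-2025-23048), and CustomLog formats that write mod_ssl variables through %{...}x or %{...}c (CVE-2024-47252). Those conditions can be checked mechanically on a host before and after the update. The script below is an added example written for this archive page; it is not code from the pkgsrc commit or from the Apache project. It is a heuristic, flat, line-based reader of a single httpd.conf (no Include, no <If>/<Location> scoping, no line continuations), treats the last occurrence of a directive in a scope as effective, assumes the h2:// and h2c:// schemes identify mod_proxy_http2 backends, and runs against a constructed sample configuration. The remaining entries (CVE-2025-53020 and the core, mod_headers and Windows UNC issues) have no configuration signature to look for; upgrading to 2.4.64 is the fix in every case.

```python
"""Heuristic audit of an httpd configuration for the configuration-dependent
conditions in the Apache 2.4.64 security entries above (added example)."""
import re
import shlex

SSL_VAR = re.compile(r"%\{SSL_[A-Z0-9_]+\}[xc]")  # mod_ssl variable in a log format
H2_BACKEND = re.compile(r"h2c?://", re.I)          # schemes served by mod_proxy_http2


def parse(conf):
    """Flat, line-based reader (no Include, no <If>/<Location> scoping).
    Returns {scope: [(directive, [args]), ...]}; the global scope is "_global_"."""
    scopes, cur = {"_global_": []}, "_global_"
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>$", line, re.I)
        if m:
            cur = f"{m.group(1).strip()} #{len(scopes)}"  # keeps same-address vhosts apart
            scopes[cur] = []
        elif line.lower() == "</virtualhost>":
            cur = "_global_"
        elif not line.startswith("<"):  # other containers fold into the enclosing scope
            parts = shlex.split(line)
            scopes[cur].append((parts[0], parts[1:]))
    return scopes


def every(directives, name):
    return [a for d, a in directives if d.lower() == name.lower()]


def last(directives, name):
    """Args of the last occurrence of a directive in a scope (httpd: last one wins)."""
    hits = every(directives, name)
    return hits[-1] if hits else None


def audit(conf):
    """Return [(cve, where, detail)] for every matched condition."""
    scopes = parse(conf)
    glob, findings, ca_sets = scopes["_global_"], [], {}
    for name, d in scopes.items():
        who = f"{name} ({sn[0]})" if (sn := last(d, "ServerName")) else name
        # CVE-2025-49812: the TLS upgrade path only exists with "SSLEngine optional".
        eng = last(d, "SSLEngine")
        if eng and eng[0].lower() == "optional":
            findings.append(("CVE-2025-49812", who, "SSLEngine optional enables TLS upgrade"))
        # CVE-2025-49630: ProxyPreserveHost on together with an h2:// or h2c:// backend.
        pph = last(d, "ProxyPreserveHost") or last(glob, "ProxyPreserveHost")
        h2 = [t for a in every(d, "ProxyPass") + every(d, "BalancerMember") for t in a
              if H2_BACKEND.match(t)]
        if pph and pph[0].lower() == "on" and h2:
            findings.append(("CVE-2025-49630", who, f"ProxyPreserveHost on, HTTP/2 backend {h2[0]}"))
        # CVE-2024-47252: mod_ssl variables logged via %{...}x / %{...}c bypassed escaping.
        nick = {a[1]: a[0] for a in every(glob, "LogFormat") + every(d, "LogFormat") if len(a) == 2}
        for a in every(d, "CustomLog"):
            hit = SSL_VAR.search(nick.get(a[1], a[1])) if len(a) > 1 else None
            if hit:
                findings.append(("CVE-2024-47252", who, f"CustomLog {a[0]} writes {hit.group(0)} unescaped"))
        # CVE-2025-23048: collect vhosts whose client-CA set is not pinned to SNI by
        # SSLStrictSNIVHostCheck (set in the vhost or inherited from the global scope).
        ca = last(d, "SSLCACertificateFile") or last(d, "SSLCACertificatePath")
        strict = last(d, "SSLStrictSNIVHostCheck") or last(glob, "SSLStrictSNIVHostCheck")
        if name != "_global_" and ca and not (strict and strict[0].lower() == "on"):
            ca_sets[who] = ca[0]
    if len(set(ca_sets.values())) > 1:  # two vhosts trusting different CAs
        findings.append(("CVE-2025-23048", ", ".join(sorted(ca_sets)),
                         "different trusted client CAs without SSLStrictSNIVHostCheck on"))
    return findings


# Constructed sample configuration that contains each condition once.
SAMPLE_CONF = r"""
LogFormat "%h %{SSL_TLS_SNI}x %{SSL_PROTOCOL}x %r %>s" sslvars
SSLStrictSNIVHostCheck off
<VirtualHost *:443>
    ServerName a.example.test
    SSLCACertificateFile /etc/ssl/partners-a.pem
    CustomLog /var/log/httpd/a_ssl.log sslvars
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example.test
    SSLCACertificateFile /etc/ssl/partners-b.pem
    CustomLog /var/log/httpd/b.log "%h %l %u %t %r %>s %b"
</VirtualHost>
<VirtualHost *:80>
    ServerName up.example.test
    SSLEngine optional
    ProxyPreserveHost On
    ProxyPass / h2://backend.internal:8443/
</VirtualHost>
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

Running it prints one finding per condition in the sample. Setting `SSLStrictSNIVHostCheck on` globally makes the CVE-2025-23048 finding disappear, which matches the advisory text: the bypass needs the check to be off in both virtual hosts. The CustomLog check resolves LogFormat nicknames as well as inline formats, since the unescaped variable can hide behind a nickname defined far from the CustomLog line.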

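The CVE-2024-47252 entry concerns client-controlled mod_ssl values (such as the SNI name) reaching the access log without the escaping mod_log_config normally applies to non-printable bytes. A detection-side complement, added here as an example and not taken from the commit or from httpd: a scanner over access-log lines that reports raw control bytes, ANSI escape sequences and orphan fragments, that is, lines that do not begin with a client host, which is the trace a smuggled line break leaves behind. It assumes the log format starts with the client host as in the common log format, and the sample lines are constructed. A forged fragment that mimics a complete log line cannot be told apart by this check, which is why the fix belongs at the source: upgrade, or stop logging mod_ssl variables through %{...}x / %{...}c on affected versions.

```python
"""Scan access-log lines for raw control bytes, ANSI escapes and orphan fragments
(added example for the CVE-2024-47252 entry above; sample lines are constructed)."""
import re

# C0 controls except TAB and LF (LF is the line separator here), plus DEL.
RAW_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")
# CSI sequences such as ESC[2K (erase line) or ESC[1A (cursor up), which can hide
# or overwrite earlier output when a log is viewed in a terminal.
ANSI_CSI = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")
# A line is expected to start with the client host: IPv4, IPv6 or a dotted hostname.
LEADING_HOST = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|[0-9A-Fa-f:]+:[0-9A-Fa-f:]*|[A-Za-z0-9.-]+\.[A-Za-z]{2,}) ")


def scan(log_text):
    """Return [(line_no, kind, detail)] for each suspicious line."""
    findings = []
    for no, line in enumerate(log_text.split("\n"), start=1):
        if not line:
            continue
        csi = ANSI_CSI.search(line)
        ctrl = RAW_CONTROL.search(line)
        if csi:
            findings.append((no, "ansi-escape", f"{csi.group(0)!r} at offset {csi.start()}"))
        elif ctrl:
            findings.append((no, "control-char", f"\\x{ord(ctrl.group(0)):02x} at offset {ctrl.start()}"))
        if not LEADING_HOST.match(line):
            findings.append((no, "fragment", "no leading client host; possible injected line break"))
    return findings


# Constructed sample: line 2 carries CSI sequences in the SNI field, line 3 ends in a
# smuggled CR LF so that line 4 is attacker-supplied yet looks complete (and is therefore
# not flagged), and line 5 is a fragment without a host field.
SAMPLE_LOG = (
    "203.0.113.7 a.example.test TLSv1.3 GET / 200\n"
    "203.0.113.8 evil\x1b[2K\x1b[1A.example.test TLSv1.3 GET / 200\n"
    "203.0.113.9 x.example.test\r\n"
    "198.51.100.1 admin.example.test TLSv1.3 POST /login 200\n"
    "GET /secret HTTP/1.1 200\n"
)

if __name__ == "__main__":
    for no, kind, detail in scan(SAMPLE_LOG):
        print(f"line {no}: {kind}: {detail}")
```

The three findings on the sample (the escape sequence, the stray CR, the host-less fragment) are the kind of signal worth alerting on from a log pipeline; line 4 passing silently is the limitation the lead-in describes.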

To generate a diff of this commit:
cvs rdiff -u -r1.135 -r1.135.2.1 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.67 -r1.67.2.1 pkgsrc/www/apache24/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.135 pkgsrc/www/apache24/Makefile:1.135.2.1
--- pkgsrc/www/apache24/Makefile:1.135  Sat Apr 19 07:58:31 2025
+++ pkgsrc/www/apache24/Makefile        Thu Jul 17 02:51:20 2025
@@ -1,13 +1,12 @@
-# $NetBSD: Makefile,v 1.135 2025/04/19 07:58:31 wiz Exp $
+# $NetBSD: Makefile,v 1.135.2.1 2025/07/17 02:51:20 maya Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=      httpd-2.4.63
+DISTNAME=      httpd-2.4.64
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}
 EXTRACT_SUFX=  .tar.bz2
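Review bot: removing `PKGREVISION=   2` together with the `DISTNAME` bump to `httpd-2.4.64` is the right call (the revision restarts with each new upstream version), and no other Makefile change is needed for a plain version bump. The header comment asks that no "PR 12345" strings reach the commit message; the pasted upstream changelog references an svn revision (r1912193) and a GitHub issue URL rather than GNATS-style PR numbers, so that convention is respected here.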

Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.67 pkgsrc/www/apache24/distinfo:1.67.2.1
--- pkgsrc/www/apache24/distinfo:1.67   Mon Apr 21 21:30:02 2025
+++ pkgsrc/www/apache24/distinfo        Thu Jul 17 02:51:20 2025
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.67 2025/04/21 21:30:02 wiz Exp $
+$NetBSD: distinfo,v 1.67.2.1 2025/07/17 02:51:20 maya Exp $
 
-BLAKE2s (httpd-2.4.63.tar.bz2) = 8a0d09d2a0b8f32aaac1927fd519e843e826a69a6b4bbeff91c88e73bb7f4a95
-SHA512 (httpd-2.4.63.tar.bz2) = a804ca564dfee5907fe4ce4f36884815bace0621bc7b8c9aa7c99472a954aa19cb13733f90678ff3d58ab3c76cc0e33a27e1035dc1d8cb597a9622154c59ef48
-Size (httpd-2.4.63.tar.bz2) = 7517972 bytes
+BLAKE2s (httpd-2.4.64.tar.bz2) = 04480017e5f76ee609ee3c10b19cb08f8d25129395a1272f6341315b9ea2e06d
+SHA512 (httpd-2.4.64.tar.bz2) = 299cb0d87a7e0e0a99d22bba7349b6b07c69222897410f9670af29896288d1f4e1da81d22ac9e1d8d6ea096e88044ab1dd34555b40a4b1b1cb3fd4b1d1897a7a
+Size (httpd-2.4.64.tar.bz2) = 7293281 bytes
 SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
 SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157
 SHA1 (patch-ae) = 5bd3bf54e792bf8a2916d7e1b49b1702b02c6903
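Review bot: the BLAKE2s, SHA512 and Size lines for httpd-2.4.64.tar.bz2 replace the 2.4.63 ones while the SHA1 lines for patch-aa, patch-ad and patch-ae are untouched, so the local patches were not regenerated; that is fine only if they still apply cleanly to 2.4.64, which a pullup of a security fix should confirm before commit. Since these distinfo hashes are what `make checksum` enforces, the SHA512 should be cross-checked against the upstream release's published, signature-verified hash rather than taken from a locally fetched tarball alone; nothing in the commit records that this was done.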


