pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/www/apache24
Module Name: pkgsrc
Committed By: taca
Date: Sun Dec 7 15:55:55 UTC 2025
Modified Files:
pkgsrc/www/apache24: Makefile PLIST distinfo
Log Message:
www/apache24: update to 2.4.66
Apache 2.4.66 (2025-12-04)
Security changes with Apache 2.4.66:
*) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec
bypass via AllowOverride FileInfo (cve.mitre.org)
mod_userdir+suexec bypass via AllowOverride FileInfo
vulnerability in Apache HTTP Server. Users with access to use
the RequestHeader directive in htaccess can cause some CGI
scripts to run under an unexpected userid.
This issue affects Apache HTTP Server: from 2.4.7 through
2.4.65.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Mattias Åsander (Umeå University)
*) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment
variable override (cve.mitre.org)
Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability in Apache HTTP Server through environment
variables set via the Apache configuration unexpectedly
superseding variables calculated by the server for CGI programs.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
Users are recommended to upgrade to version 2.4.66 which fixes
the issue.
Credits: Mattias Åsander (Umeå University)
*) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on
Windows through UNC SSRF (cve.mitre.org)
Server-Side Request Forgery (SSRF) vulnerability
 in Apache HTTP Server on Windows
with AllowEncodedSlashes On and MergeSlashes Off allows to
potentially leak NTLM
hashes to a malicious server via SSRF and malicious requests or
content
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side
Includes adds query string to #exec cmd=... (cve.mitre.org)
Apache HTTP Server 2.4.65 and earlier with Server Side Includes
(SSI) enabled and mod_cgid (but not mod_cgi) passes the
shell-escaped query string to #exec cmd="..." directives.
This issue affects Apache HTTP Server before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Anthony Parfenov (United Rentals, Inc.)
*) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME),
unintended retry intervals (cve.mitre.org)
An integer overflow in the case of failed ACME certificate
renewal leads, after a number of failures (~30 days in default
configurations), to the backoff timer becoming 0. Attempts to
renew the certificate then are repeated without delays until it
succeeds.
This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Aisle Research
To generate a diff of this commit:
cvs rdiff -u -r1.139 -r1.140 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.37 -r1.38 pkgsrc/www/apache24/PLIST
cvs rdiff -u -r1.69 -r1.70 pkgsrc/www/apache24/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.139 pkgsrc/www/apache24/Makefile:1.140
--- pkgsrc/www/apache24/Makefile:1.139 Thu Oct 23 20:39:44 2025
+++ pkgsrc/www/apache24/Makefile Sun Dec 7 15:55:55 2025
@@ -1,13 +1,12 @@
-# $NetBSD: Makefile,v 1.139 2025/10/23 20:39:44 wiz Exp $
+# $NetBSD: Makefile,v 1.140 2025/12/07 15:55:55 taca Exp $
#
# When updating this package, make sure that no strings like
# "PR 12345" are in the commit message. Upstream likes
# to reference their own PRs this way, but this ends up
# in NetBSD GNATS.
-DISTNAME= httpd-2.4.65
+DISTNAME= httpd-2.4.66
PKGNAME= ${DISTNAME:S/httpd/apache/}
-PKGREVISION= 2
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/}
EXTRACT_SUFX= .tar.bz2
Index: pkgsrc/www/apache24/PLIST
diff -u pkgsrc/www/apache24/PLIST:1.37 pkgsrc/www/apache24/PLIST:1.38
--- pkgsrc/www/apache24/PLIST:1.37 Fri Jan 24 08:57:05 2025
+++ pkgsrc/www/apache24/PLIST Sun Dec 7 15:55:55 2025
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.37 2025/01/24 08:57:05 adam Exp $
+@comment $NetBSD: PLIST,v 1.38 2025/12/07 15:55:55 taca Exp $
bin/ab
bin/apxs
bin/dbmmanage
@@ -684,6 +684,7 @@ share/httpd/manual/images/caching_fig1.t
share/httpd/manual/images/custom_errordocs.png
share/httpd/manual/images/down.gif
share/httpd/manual/images/favicon.ico
+share/httpd/manual/images/favicon.png
share/httpd/manual/images/feather.gif
share/httpd/manual/images/feather.png
share/httpd/manual/images/filter_arch.png
Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.69 pkgsrc/www/apache24/distinfo:1.70
--- pkgsrc/www/apache24/distinfo:1.69 Thu Jul 24 13:23:23 2025
+++ pkgsrc/www/apache24/distinfo Sun Dec 7 15:55:55 2025
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.69 2025/07/24 13:23:23 adam Exp $
+$NetBSD: distinfo,v 1.70 2025/12/07 15:55:55 taca Exp $
-BLAKE2s (httpd-2.4.65.tar.bz2) = e80a265bf2b162d52c472f3522ed048008f3f0789378cf1960d47a59c071fa9e
-SHA512 (httpd-2.4.65.tar.bz2) = 202f8bfe2aafcfbcd7315191d466e9c10b9a8c0abafb7864510b6e1abe4cb660aaacc2456aa77d43e48ef7a49e591d0b54170d3daf67abc3e06c3da1c63fdffc
-Size (httpd-2.4.65.tar.bz2) = 7506711 bytes
+BLAKE2s (httpd-2.4.66.tar.bz2) = dd4c444d80320c65ec0d154e5f15468b2d10c2e5c87285ef6de4204689cf3564
+SHA512 (httpd-2.4.66.tar.bz2) = 49031a3465d956ee3b755e65810b6c35561ddd5fac2c624a273b733c238e115b914cd7b246837e5a3090ccfded6e0b8b3059bfd1f8ce4419081c805a38d05a4b
+Size (httpd-2.4.66.tar.bz2) = 7504564 bytes
SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157
SHA1 (patch-ae) = 5bd3bf54e792bf8a2916d7e1b49b1702b02c6903
Home |
Main Index |
Thread Index |
Old Index