pkgsrc-Changes archive


CVS commit: [pkgsrc-2026Q1] pkgsrc/www/apache24



Module Name:    pkgsrc
Committed By:   maya
Date:           Thu May  7 22:47:02 UTC 2026

Modified Files:
        pkgsrc/www/apache24 [pkgsrc-2026Q1]: Makefile PLIST distinfo
        pkgsrc/www/apache24/patches [pkgsrc-2026Q1]: patch-ad patch-ae
            patch-configure

Log Message:
Pullup ticket #7099 - requested by taca
www/apache24: Security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.143
- www/apache24/PLIST                                            1.39
- www/apache24/distinfo                                         1.71
- www/apache24/patches/patch-ad                                 1.3
- www/apache24/patches/patch-ae                                 1.2
- www/apache24/patches/patch-configure                          1.6

---
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Tue May  5 00:12:30 UTC 2026

   Modified Files:
        pkgsrc/www/apache24: Makefile PLIST distinfo
        pkgsrc/www/apache24/patches: patch-ad patch-ae patch-configure

   Log Message:
   www/apache24: update to 2.4.67

   Changes with Apache 2.4.67 (2026-05-04)

   * SECURITY: CVE-2026-34059: Apache HTTP Server: mod_proxy_ajp: Heap
     Over-Read and memory disclosure in ajp_parse_data() (cve.mitre.org)
     Buffer Over-read vulnerability in Apache HTTP Server.  This issue affects
     Apache HTTP Server: through 2.4.66.  Users are recommended to upgrade to
     version 2.4.67, which fixes the issue.  Credits: Elhanan Haenel

   * SECURITY: CVE-2026-34032: Apache HTTP Server: mod_proxy_ajp: Heap Buffer
     Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)
     (cve.mitre.org) Improper Null Termination, Out-of-bounds Read
     vulnerability in Apache HTTP Server.  This issue affects Apache HTTP
     Server: through 2.4.66.  Users are recommended to upgrade to version
     2.4.67, which fixes the issue.  Credits: Tianshuo Han
     (<hantianshuo233%gmail.com@localhost>)

   * SECURITY: CVE-2026-33857: Apache HTTP Server: Off-by-one OOB reads in AJP
     getter functions (cve.mitre.org) Out-of-bounds Read vulnerability in
     mod_proxy_ajp of Apache HTTP Server.  This issue affects Apache HTTP
     Server: through 2.4.66.  Users are recommended to upgrade to version
     2.4.67, which fixes the issue.  Credits: Elhanan Haenel

   * SECURITY: CVE-2026-33523: Apache HTTP Server: multiple modules: HTTP
     response splitting forwarding malicious status line (cve.mitre.org) HTTP
     response splitting vulnerability in multiple Apache HTTP Server modules
     with untrusted or compromised backend servers.  This issue affects Apache
     HTTP Server: from through 2.4.66.  Users are recommended to upgrade to
     version 2.4.67, which fixes the issue.  Credits: Haruki Oyama (Waseda
     University)

   * SECURITY: CVE-2026-33007: Apache HTTP Server: mod_authn_socache crash
     (cve.mitre.org) A NULL pointer dereference in the mod_authn_socache in
     Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote
     user to crash a child process in a caching forward proxy configuration.
     Users are recommended to upgrade to version 2.4.67, which fixes this
     issue.  Credits: Pavel Kohout, Aisle Research, Aisle.com

   * SECURITY: CVE-2026-33006: Apache HTTP Server: mod_auth_digest timing
     attack (cve.mitre.org) A timing attack against mod_auth_digest in Apache
     HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote
     attacker.  Users are recommended to upgrade to version 2.4.67, which fixes
     this issue.  Credits: Nitescu Lucian

   * SECURITY: CVE-2026-29169: Apache HTTP Server: mod_dav_lock indirect lock
     crash (cve.mitre.org) A NULL pointer dereference in mod_dav_lock in Apache
     HTTP Server 2.4.66 and earlier may allow an attacker to crash the server
     with a malicious request. mod_dav_lock is not used internally by mod_dav or
     mod_dav_fs.  The only known use-case for mod_dav_lock was mod_dav_svn from
     Apache Subversion earlier than version 1.2.0.  Users are recommended to
     upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.
     Credits: Pavel Kohout, Aisle Research, Aisle.com

   * SECURITY: CVE-2026-29168: Apache HTTP Server: mod_md unrestricted OCSP
     response (cve.mitre.org) Allocation of Resources Without Limits or
     Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response
     data.  This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66.
     Users are recommended to upgrade to version 2.4.67, which fixes the issue.
     Credits: Pavel Kohout, Aisle Research, Aisle.com

   * SECURITY: CVE-2026-28780: Apache HTTP Server: buffer overflow in
     mod_proxy_ajp via ajp_msg_check_header() (cve.mitre.org) Heap-based Buffer
     Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server.  If
     mod_proxy_ajp connects to a malicious AJP server this AJP server can send
     a malicious AJP message back to mod_proxy_ajp and cause it to write 4
     attacker controlled bytes after the end of a heap based buffer.  This
     issue affects Apache HTTP Server: through 2.4.66.  Users are recommended
     to upgrade to version 2.4.67, which fixes the issue.  Credits: Andrew
     Lacambra

   * SECURITY: CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of
     privileges via ap_expr (cve.mitre.org) An escalation of privilege bug in
     various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess
     authors to read files with the privileges of the httpd user.  Users are
     recommended to upgrade to version 2.4.67, which fixes this issue.
     Credits: y7syeu

   * SECURITY: CVE-2026-23918: Apache HTTP Server: http2: double free and
     possible RCE on early reset (cve.mitre.org) Double Free and possible RCE
     vulnerability in Apache HTTP Server with the HTTP/2 protocol.  This issue
     affects Apache HTTP Server: 2.4.66.  Users are recommended to upgrade to
     version 2.4.67, which fixes the issue.  Credits: Bartlomiej Dmitruk,
     striga.ai

   * mod_md: update to version 2.6.10
     - Fix issue #420 <https://github.com/icing/mod_md/issues/420> by ignoring
       job.json files that claim to have completely finished a certificate
       renewal, but have not produced the necessary result files.

   * mod_http2: update to version 2.0.39
     Remove streams own memory allocator after reports of memory problems with
     third party modules.  [Stefan Eissing]

   * mod_http2: update to version 2.0.38
     Source sync with mod_h2 github repository. No functional change.  [Stefan
     Eissing]

   * Updated conf/mime.types: added vnd.sqlite3, HEIC, HEIF
     [Alexandru Mărășteanu <hello alexei.ro>]

   * mod_md: update to version 2.6.7
     - Fix a regression in `MDStapleOthers` which broke in v2.6.0 and no longer
       applied, no matter the configuration.

   * mod_md: update to version 2.6.9
     - Pebble 2.9+ reports another error when terms of service agreement is not
       set. Treating all "userActionRequired" errors as permanent now.

   * mod_md: update to version 2.6.8
     - Fix the ARI related `replaces` property in ACME order creation to only
       be used when the CA supports ARI and it is enabled in the menu config.
     - Fix compatibility with APR versions before 1.6.0 which do not have
       `apr_cstr_casecmp` and should use `apr_strnatcasecmp` instead.

   * mod_http2: update to version 2.0.37
     Prevent double purge of a stream, resulting in a double free.  Fixes PR
     69899.  [Stefan Eissing]

   * mod_md: Use correct function name when compiling against APR < 1.6.0.
     PR 69954 [Tần Quảng <baobaoxich%gmail.com@localhost>]


To generate a diff of this commit:
cvs rdiff -u -r1.142 -r1.142.2.1 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.38 -r1.38.4.1 pkgsrc/www/apache24/PLIST
cvs rdiff -u -r1.70 -r1.70.4.1 pkgsrc/www/apache24/distinfo
cvs rdiff -u -r1.2 -r1.2.106.1 pkgsrc/www/apache24/patches/patch-ad
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.112.1 pkgsrc/www/apache24/patches/patch-ae
cvs rdiff -u -r1.5 -r1.5.16.1 pkgsrc/www/apache24/patches/patch-configure

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.142 pkgsrc/www/apache24/Makefile:1.142.2.1
--- pkgsrc/www/apache24/Makefile:1.142  Fri Feb  6 10:06:06 2026
+++ pkgsrc/www/apache24/Makefile        Thu May  7 22:47:02 2026
@@ -1,13 +1,12 @@
-# $NetBSD: Makefile,v 1.142 2026/02/06 10:06:06 wiz Exp $
+# $NetBSD: Makefile,v 1.142.2.1 2026/05/07 22:47:02 maya Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=      httpd-2.4.66
+DISTNAME=      httpd-2.4.67
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}
 EXTRACT_SUFX=  .tar.bz2
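
Review bot: the header comment retained in this hunk asks that no "PR 12345" strings appear in the commit message, yet the pullup log at the top of this mail quotes "Fixes PR 69899" and "PR 69954" verbatim from the upstream changelog, so those upstream bug numbers will be picked up as NetBSD GNATS references; rewording them (for instance "upstream bug 69899") before committing would have avoided that. Dropping "PKGREVISION= 2" together with the DISTNAME bump to httpd-2.4.67 is the correct pkgsrc practice, since the new upstream version already forces a package rebuild.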

Index: pkgsrc/www/apache24/PLIST
diff -u pkgsrc/www/apache24/PLIST:1.38 pkgsrc/www/apache24/PLIST:1.38.4.1
--- pkgsrc/www/apache24/PLIST:1.38      Sun Dec  7 15:55:55 2025
+++ pkgsrc/www/apache24/PLIST   Thu May  7 22:47:02 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.38 2025/12/07 15:55:55 taca Exp $
+@comment $NetBSD: PLIST,v 1.38.4.1 2026/05/07 22:47:02 maya Exp $
 bin/ab
 bin/apxs
 bin/dbmmanage
@@ -553,6 +553,8 @@ share/httpd/manual/developer/hooks.html.
 share/httpd/manual/developer/index.html
 share/httpd/manual/developer/index.html.en
 share/httpd/manual/developer/index.html.zh-cn.utf8
+share/httpd/manual/developer/mod_example_1.c
+share/httpd/manual/developer/mod_example_2.c
 share/httpd/manual/developer/modguide.html
 share/httpd/manual/developer/modguide.html.en
 share/httpd/manual/developer/modules.html
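
Review bot: the two new entries "share/httpd/manual/developer/mod_example_1.c" and "share/httpd/manual/developer/mod_example_2.c" are sample sources installed under the documentation tree, not compiled modules, so no new object code enters the package; as they are listed unconditionally, confirm with "make print-PLIST" that the 2.4.67 install target really places both files there, otherwise the PLIST check fails at install time.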
@@ -1377,10 +1379,6 @@ share/httpd/manual/platform/netware.html
 share/httpd/manual/platform/netware.html.en
 share/httpd/manual/platform/netware.html.fr.utf8
 share/httpd/manual/platform/netware.html.ko.euc-kr
-share/httpd/manual/platform/perf-hp.html
-share/httpd/manual/platform/perf-hp.html.en
-share/httpd/manual/platform/perf-hp.html.fr.utf8
-share/httpd/manual/platform/perf-hp.html.ko.euc-kr
 share/httpd/manual/platform/rpm.html
 share/httpd/manual/platform/rpm.html.en
 share/httpd/manual/platform/rpm.html.fr.utf8

Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.70 pkgsrc/www/apache24/distinfo:1.70.4.1
--- pkgsrc/www/apache24/distinfo:1.70   Sun Dec  7 15:55:55 2025
+++ pkgsrc/www/apache24/distinfo        Thu May  7 22:47:02 2026
@@ -1,16 +1,16 @@
-$NetBSD: distinfo,v 1.70 2025/12/07 15:55:55 taca Exp $
+$NetBSD: distinfo,v 1.70.4.1 2026/05/07 22:47:02 maya Exp $
 
-BLAKE2s (httpd-2.4.66.tar.bz2) = dd4c444d80320c65ec0d154e5f15468b2d10c2e5c87285ef6de4204689cf3564
-SHA512 (httpd-2.4.66.tar.bz2) = 49031a3465d956ee3b755e65810b6c35561ddd5fac2c624a273b733c238e115b914cd7b246837e5a3090ccfded6e0b8b3059bfd1f8ce4419081c805a38d05a4b
-Size (httpd-2.4.66.tar.bz2) = 7504564 bytes
+BLAKE2s (httpd-2.4.67.tar.bz2) = f7ba66aa40f0c8b494cf526293041219a048ee43be6c8ba42e31fbce2eefd93f
+SHA512 (httpd-2.4.67.tar.bz2) = 5ae29fc8edb253453271613cb18754de0d943d1f82361059c81f8ebe1f057b894675506550bd1341bfa9416226b569a7bac08f497c53e8bb6dede87f4f41eae4
+Size (httpd-2.4.67.tar.bz2) = 7493067 bytes
 SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
-SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157
-SHA1 (patch-ae) = 5bd3bf54e792bf8a2916d7e1b49b1702b02c6903
+SHA1 (patch-ad) = dd4dbffaa8d784bbbf37b85e17977ff0c73e9074
+SHA1 (patch-ae) = 0a54d96ca77394b1ca725df76819caa95c381f39
 SHA1 (patch-ag) = 50c7f0fab1cb90ac573f1c47f2d37f9c2a6247e1
 SHA1 (patch-ai) = d3870e46e41adc97c3fce86f9ffd224502ad6b0c
 SHA1 (patch-al) = 02d9ade5aac4270182063d5ad413970c832ee911
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
-SHA1 (patch-configure) = d529df410f564571a8cc7c2a31c3b446479a71df
+SHA1 (patch-configure) = 4fc4083c601f67205a10c6d887b69026268c8575
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
 SHA1 (patch-modules_filters_mod_substitute.c) = d47ee06e70942ab522acf119eb2c4b313aed9bbd
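
Review bot: the replaced BLAKE2s and SHA512 values for httpd-2.4.67.tar.bz2 should be cross-checked against the checksum and PGP signature files that the Apache project publishes alongside the tarball before the pullup is accepted, since distinfo is the only integrity anchor pkgsrc users have for this download; the Size line dropping from 7504564 to 7493067 bytes is consistent with the documentation pages removed in the PLIST hunk. The three refreshed SHA1 lines (patch-ad, patch-ae, patch-configure) match exactly the three patch files touched by this commit, so no stale patch checksum is left behind.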

Index: pkgsrc/www/apache24/patches/patch-ad
diff -u pkgsrc/www/apache24/patches/patch-ad:1.2 pkgsrc/www/apache24/patches/patch-ad:1.2.106.1
--- pkgsrc/www/apache24/patches/patch-ad:1.2    Mon Feb 25 21:16:38 2013
+++ pkgsrc/www/apache24/patches/patch-ad        Thu May  7 22:47:02 2026
@@ -1,4 +1,6 @@
-$NetBSD: patch-ad,v 1.2 2013/02/25 21:16:38 ryoon Exp $
+$NetBSD: patch-ad,v 1.2.106.1 2026/05/07 22:47:02 maya Exp $
+
+Add layout for NetBSD.
 
 --- config.layout.orig 2012-04-17 14:01:41.000000000 +0000
 +++ config.layout
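
Review bot: adding the "Add layout for NetBSD." description line above the "--- config.layout.orig" header fixes a long-standing pkglint complaint, as pkgsrc expects every patch file to carry a comment explaining why it exists; a second sentence stating whether this layout was ever proposed upstream would make the patch easier to drop or resubmit on future updates.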

Index: pkgsrc/www/apache24/patches/patch-ae
diff -u pkgsrc/www/apache24/patches/patch-ae:1.1.1.1 pkgsrc/www/apache24/patches/patch-ae:1.1.1.1.112.1
--- pkgsrc/www/apache24/patches/patch-ae:1.1.1.1        Fri Apr 13 18:50:49 2012
+++ pkgsrc/www/apache24/patches/patch-ae        Thu May  7 22:47:02 2026
@@ -1,8 +1,10 @@
-$NetBSD: patch-ae,v 1.1.1.1 2012/04/13 18:50:49 ryoon Exp $
+$NetBSD: patch-ae,v 1.1.1.1.112.1 2026/05/07 22:47:02 maya Exp $
 
---- docs/conf/httpd.conf.in.orig       2012-02-06 16:55:22.000000000 +0000
+Directory structure for pkgsrc.
+
+--- docs/conf/httpd.conf.in.orig       2026-03-16 06:19:31.000000000 +0000
 +++ docs/conf/httpd.conf.in
-@@ -361,42 +361,42 @@ LogLevel warn
+@@ -370,42 +370,42 @@ LogLevel warn
  # necessary.
  
  # Server-pool management (MPM specific)
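
Review bot: the hunk header moving from "@@ -361,42 +361,42 @@" to "@@ -370,42 +370,42 @@" is an offset-only refresh against the 2026-03-16 docs/conf/httpd.conf.in, and the new "Directory structure for pkgsrc." line supplies the description pkglint requires; since only the offsets changed, the remaining 42 lines of context should still apply cleanly with the default PATCH_FUZZ_FACTOR of -F0.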
@@ -55,5 +57,5 @@ $NetBSD: patch-ae,v 1.1.1.1 2012/04/13 1
 -#Include @rel_sysconfdir@/extra/httpd-ssl.conf
 +#Include @rel_sysconfdir@/httpd-ssl.conf
  #
- # Note: The following must must be present to support
+ # Note: The following must be present to support
  #       starting without SSL on platforms with no /dev/random equivalent
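
Review bot: the context line changing from "# Note: The following must must be present to support" to "# Note: The following must be present to support" tracks upstream's correction of the duplicated word in httpd.conf.in; regenerating the patch against the new text, rather than relying on fuzzy matching, is the right call because stale context is the usual way a patch silently lands on the wrong lines after an update.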

Index: pkgsrc/www/apache24/patches/patch-configure
diff -u pkgsrc/www/apache24/patches/patch-configure:1.5 pkgsrc/www/apache24/patches/patch-configure:1.5.16.1
--- pkgsrc/www/apache24/patches/patch-configure:1.5     Fri Apr  5 09:31:38 2024
+++ pkgsrc/www/apache24/patches/patch-configure Thu May  7 22:47:02 2026
@@ -1,9 +1,9 @@
-$NetBSD: patch-configure,v 1.5 2024/04/05 09:31:38 adam Exp $
+$NetBSD: patch-configure,v 1.5.16.1 2026/05/07 22:47:02 maya Exp $
 
---- configure.orig     2024-04-03 12:22:44.000000000 +0000
+--- configure.orig     2026-04-28 18:15:03.000000000 +0000
 +++ configure
-@@ -42821,7 +42821,6 @@ printf "%s\n" "#define SERVER_CONFIG_FIL
- printf "%s\n" "#define AP_TYPES_CONFIG_FILE \"${rel_sysconfdir}/mime.types\"" >>confdefs.h
+@@ -42456,7 +42456,6 @@ cat >>confdefs.h <<_ACEOF
+ _ACEOF
  
  
 -perlbin=`$ac_aux_dir/PrintPath perl`
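
Review bot: the replaced hunk header and context (the "printf "%s\n" "#define AP_TYPES_CONFIG_FILE ..."" line giving way to "cat >>confdefs.h <<_ACEOF" and "_ACEOF") show that the 2.4.67 configure script was generated by a different autoconf release than the 2.4.66 one, not merely shifted, so the hunk had to be regenerated; the removed "perlbin=`$ac_aux_dir/PrintPath perl`" line is still the distinctive anchor, but worth re-verifying that the patch applies at the intended location without fuzz, as "_ACEOF" by itself occurs many times in configure.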


