Source-Changes-HG archive


[pkgsrc/pkgsrc-2020Q2]: pkgsrc/www/apache24 Pullup ticket #6301 - requested b...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/f158d3fa6212
branches:  pkgsrc-2020Q2
changeset: 437406:f158d3fa6212
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Sun Aug 23 18:52:33 2020 +0000

description:
Pullup ticket #6301 - requested by taca
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.94
- www/apache24/distinfo                                         1.44

---
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Sun Aug  9 15:01:55 UTC 2020

   Modified Files:
           pkgsrc/www/apache24: Makefile distinfo

   Log Message:
   www/apache24: update to 2.4.46

   Update apache24 to 2.4.46 (Apache HTTPD 2.4.46).  It fixes several
   security problems:

   CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header
   CVE-2020-11984: mod_uwsgi buffer overflow
   CVE-2020-11985: CWE-345: Insufficient verification of data authenticity
   CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header

   pkgsrc changes: reduce warnings by SUBST_* processing.

   Changes with Apache 2.4.46
     *) mod_proxy_fcgi: Fix build warnings for Windows platform
        [Eric Covener, Christophe Jaillet]

   Changes with Apache 2.4.45

     *) mod_http2: remove support for abandoned http-wg draft
        <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
        [Stefan Eissing]

   Changes with Apache 2.4.44

     *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
        protocol limit).  [Yann Ylavic]

     *) mod_http2:
        Fixes <https://github.com/icing/mod_h2/issues/200>:
        "LimitRequestFields 0" now disables the limit, as documented.
        Fixes <https://github.com/icing/mod_h2/issues/201>:
        Do not count repeated headers with same name against the field
        count limit. They are merged internally, as if sent in a single HTTP/1 line.
        [Stefan Eissing]

     *) mod_http2: Avoid segfaults in case of handling certain responses for
        already aborted connections.  [Stefan Eissing, Ruediger Pluem]

     *) mod_http2: The module now handles master/secondary connections and has marked
        methods according to use. [Stefan Eissing]

     *) core: Drop an invalid Last-Modified header value coming
        from a FCGI/CGI script instead of replacing it with Unix epoch.
        [Yann Ylavic, Luca Toscano]

     *) Add support for strict content-length parsing through addition of
        ap_parse_strict_length() [Yann Ylavic]

     *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
        evaluates to false.  PR64365. [Michael König <mail ikoenig.net>]

     *) mod_proxy_http: flush spooled request body in one go to avoid
        leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]

     *) mod_ssl: Fix a race condition and possible crash when using a proxy client
        certificate (SSLProxyMachineCertificateFile).
        [Armin Abfalterer <a.abfalterer gmail.com>]

     *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]

     *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
        PR64330 [Stefan Eissing]

     *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
        was configured with a handshake timeout. Fixes github issue #196.
        [Stefan Eissing]

     *) mod_proxy_http2: the "ping" proxy parameter
        (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
        when checking the liveliness of a new or reused h2 connection to the backend.
        With short durations, this makes load-balancing more responsive. The module
        will hold back requests until ping conditions are met, using features of the
        HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]

     *) core: httpd is no longer linked against -lsystemd if mod_systemd
        is enabled (and built as a DSO).  [Rainer Jung]

     *) mod_proxy_http2: respect ProxyTimeout settings on backend connections
        while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]

diffstat:

 www/apache24/Makefile |  10 +++++-----
 www/apache24/distinfo |  10 +++++-----
 2 files changed, 10 insertions(+), 10 deletions(-)

diffs (56 lines):

diff -r f2a3d18af176 -r f158d3fa6212 www/apache24/Makefile
--- a/www/apache24/Makefile     Sun Aug 23 18:52:28 2020 +0000
+++ b/www/apache24/Makefile     Sun Aug 23 18:52:33 2020 +0000
@@ -1,13 +1,12 @@
-# $NetBSD: Makefile,v 1.93 2020/06/23 14:33:22 bacon Exp $
+# $NetBSD: Makefile,v 1.93.2.1 2020/08/23 18:52:33 bsiegert Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=      httpd-2.4.43
+DISTNAME=      httpd-2.4.46
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   4
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}
 MASTER_SITES+= http://archive.apache.org/dist/httpd/
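Review bot: The header comment kept as context at the top of this hunk asks that no strings like "PR 12345" appear in the commit message, yet the log message for this update carries the upstream changelog entry ending in "PR 64452." verbatim. Reword or drop that reference in the log message so it does not end up in NetBSD GNATS. Dropping PKGREVISION together with the DISTNAME bump to httpd-2.4.46 looks right.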
@@ -109,7 +108,8 @@
 SUBST_CLASSES+=                man
 SUBST_STAGE.man=       pre-configure
 SUBST_MESSAGE.man=     Fixing paths in man pages.
-SUBST_FILES.man=       docs/man/*.1 docs/man/*.8
+SUBST_FILES.man=       docs/man/apxs.1 docs/man/htdbm.1 \
+                       docs/man/htpasswd.1 docs/man/httpd.8
 SUBST_SED.man=         -e 's,/usr/local/etc/apache,${PKG_SYSCONFDIR},'
 SUBST_SED.man+=                -e 's,/path/to/apache/etc,${PKG_SYSCONFDIR},'
 SUBST_SED.man+=                -e 's,/usr/local/apache2,${PREFIX}/share/httpd/htdocs,'
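Review bot: In SUBST_FILES.man, replacing the docs/man/*.1 and docs/man/*.8 globs with four named files means a man page added or renamed in a later httpd release will skip the path substitution without any warning and keep paths such as /usr/local/apache2. Add a one-line comment above the list saying why only apxs.1, htdbm.1, htpasswd.1 and httpd.8 are listed, so the list gets rechecked on the next version update.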
@@ -151,7 +151,7 @@
 SUBST_FILES.abs_srcdir=                ${DESTDIR}${PREFIX}/share/httpd/build/config_vars.mk
 SUBST_SED.abs_srcdir=          -e 's|^\(abs_srcdir =\) .*|\1 ${PREFIX}/share/httpd|'
 
-REPLACE_PERL=          docs/cgi-examples/printenv
+#REPLACE_PERL=         docs/cgi-examples/printenv
 
 .include "../../devel/zlib/buildlink3.mk"
 CONFIGURE_ARGS+=       --with-ssl=${BUILDLINK_PREFIX.openssl}
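Review bot: REPLACE_PERL for docs/cgi-examples/printenv is commented out rather than removed, and neither the Makefile nor the log message (which only says "reduce warnings by SUBST_* processing") gives the reason. Either delete the line or add a comment stating why the interpreter fix-up is no longer needed, and confirm that printenv is not installed with an unadjusted interpreter line.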
diff -r f2a3d18af176 -r f158d3fa6212 www/apache24/distinfo
--- a/www/apache24/distinfo     Sun Aug 23 18:52:28 2020 +0000
+++ b/www/apache24/distinfo     Sun Aug 23 18:52:33 2020 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.43 2020/05/04 12:26:37 manu Exp $
+$NetBSD: distinfo,v 1.43.2.1 2020/08/23 18:52:33 bsiegert Exp $
 
-SHA1 (httpd-2.4.43.tar.bz2) = fc078df062503ffcf19319c4bf4e8cf27fe30cb4
-RMD160 (httpd-2.4.43.tar.bz2) = 8ccc599b50478330e5505bf75780145d80f4f4ce
-SHA512 (httpd-2.4.43.tar.bz2) = 16cfeecc8f6fab6eca478065a384bdf1872f7ac42206b0bc2bcac6c0d9c576f392c07107201f39e0601dec1bbafcb33d66153544de4d87d79b9a52094d334b64
-Size (httpd-2.4.43.tar.bz2) = 7155865 bytes
+SHA1 (httpd-2.4.46.tar.bz2) = 1b7cd10ff3a2a07a576d77e34f0204d95fa4aceb
+RMD160 (httpd-2.4.46.tar.bz2) = 8e5365222be2b53bed955f6f658fc4b6cc6c60a2
+SHA512 (httpd-2.4.46.tar.bz2) = 5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13
+Size (httpd-2.4.46.tar.bz2) = 7187805 bytes
 SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d
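Review bot: The new httpd-2.4.46.tar.bz2 values in distinfo cannot be checked from the diff itself, and one of the MASTER_SITES entries in the Makefile is a plain http URL, so these checksums are the only integrity control on the fetched distfile. For a security pullup, note in the ticket that the SHA512 and Size lines were verified against upstream's published release checksum or signature, not just regenerated from whatever was downloaded.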


