head	1.7;
access;
symbols
	pkgsrc-2013Q2:1.7.0.4
	pkgsrc-2013Q2-base:1.7
	pkgsrc-2012Q4:1.7.0.2
	pkgsrc-2012Q4-base:1.7
	pkgsrc-2012Q2:1.6.0.4
	pkgsrc-2012Q2-base:1.6
	pkgsrc-2012Q1:1.6.0.2
	pkgsrc-2012Q1-base:1.6
	pkgsrc-2011Q4:1.5.0.8
	pkgsrc-2011Q4-base:1.5
	pkgsrc-2011Q3:1.5.0.6
	pkgsrc-2011Q3-base:1.5
	pkgsrc-2011Q2:1.5.0.4
	pkgsrc-2011Q2-base:1.5
	pkgsrc-2011Q1:1.5.0.2
	pkgsrc-2011Q1-base:1.5
	pkgsrc-2010Q2:1.3.0.4
	pkgsrc-2010Q2-base:1.3
	pkgsrc-2010Q1:1.3.0.2
	pkgsrc-2009Q4:1.2.0.2
	pkgsrc-2009Q4-base:1.2
	pkgsrc-2009Q2:1.1.0.2;
locks; strict;
comment	@# @;


1.7
date	2012.09.16.03.33.10;	author taca;	state dead;
branches;
next	1.6;

1.6
date	2012.02.01.19.53.21;	author tron;	state Exp;
branches
	1.6.4.1;
next	1.5;

1.5
date	2011.03.20.03.18.21;	author dholland;	state Exp;
branches;
next	1.4;

1.4
date	2010.07.26.21.38.51;	author tron;	state dead;
branches;
next	1.3;

1.3
date	2010.06.12.10.40.26;	author tron;	state Exp;
branches
	1.3.2.1
	1.3.4.1;
next	1.2;

1.2
date	2009.08.06.07.07.23;	author tron;	state dead;
branches;
next	1.1;

1.1
date	2009.07.14.12.23.40;	author tron;	state Exp;
branches
	1.1.2.1;
next	;

1.6.4.1
date	2012.09.27.11.06.02;	author tron;	state dead;
branches;
next	;

1.3.2.1
date	2010.06.12.10.40.26;	author spz;	state dead;
branches;
next	1.3.2.2;

1.3.2.2
date	2010.06.12.20.57.46;	author spz;	state Exp;
branches;
next	;

1.3.4.1
date	2010.07.27.17.25.35;	author spz;	state dead;
branches;
next	;

1.1.2.1
date	2009.07.14.12.23.40;	author spz;	state dead;
branches;
next	1.1.2.2;

1.1.2.2
date	2009.07.16.05.37.25;	author spz;	state Exp;
branches;
next	1.1.2.3;

1.1.2.3
date	2009.08.07.21.08.15;	author spz;	state dead;
branches;
next	;


desc
@@


1.7
log
@Update apache22 to 2.2.23.

Changes with Apache 2.2.23

  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
     current working directory being searched for DSOs. [Stefan Fritsch]

  *) SECURITY: CVE-2012-2687 (cve.mitre.org)
     mod_negotiation: Escape filenames in variant list to prevent a
     possible XSS for a site where untrusted users can upload files to
     a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]

  *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
     [Paul Wouters <pwouters redhat.com>, Joe Orton]

  *) mod_ldap: Treat the "server unavailable" condition as a transient
     error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]

  *) core: Add filesystem paths to access denied / access failed messages.
     [Eric Covener]

  *) core: Fix error handling in ap_scan_script_header_err_brigade() if there
     is no EOS bucket in the brigade. PR 48272. [Stefan Fritsch]

  *) core: Prevent "httpd -k restart" from killing server in presence of
     config error. [Joe Orton]

  *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
     control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive,
     adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'.
     [Kaspar Brand, William Rowe]

  *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
     PR 53104. [Greg Ames]

  *) Unix MPMs: Fix small memory leak in parent process if connect()
     failed when waking up children.  [Joe Orton]

  *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
     [Peter Pramberger <peter pramberger.at>, Jim Jagielski]

  *) Added SSLProxyMachineCertificateChainFile directive so the proxy client
     can select the proper client certificate when using a chain and the
     remote server only lists the root CA as allowed.

  *) mpm_event, mpm_worker: Remain active amidst prevalent child process
     resource shortages.  [Jeff Trawick]

  *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]

  *) mod_rewrite: Fix the RewriteEngine directive to work within a
     location. Previously, once RewriteEngine was switched on globally,
     it was impossible to switch off. [Graham Leggett]

  *) mod_proxy_balancer: Restore balancing after a failed worker has
     recovered when using lbmethod_bybusyness.  PR 48735.  [Jeff Trawick]

  *) mod_dumpio: Properly handle errors from subsequent input filters.
     PR 52914. [Stefan Fritsch]

  *) mpm_worker: Fix cases where the spawn rate wasn't reduced after child
     process resource shortages.  [Jeff Trawick]

  *) mpm_prefork: Reduce spawn rate after a child process exits due to
     unexpected poll or accept failure.  [Jeff Trawick]

  *) core: Adjust ap_scan_script_header_err*() to prevent mod_cgi and mod_cgid
     from logging bogus data in case of errors. [Stefan Fritsch]

  *) mod_disk_cache, mod_mem_cache: Decline the opportunity to cache if the
     response is a 206 Partial Content. This stops a reverse proxied partial
     response from becoming cached, and then being served in subsequent
     responses. PR 49113. [Graham Leggett]

  *) configure: Fix usage with external apr and apu in non-default paths
     and recent gcc versions >= 4.6. [Jean-Frederic Clere]

  *) core: Fix building against PCRE 8.30 by switching from the obsolete
     pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]

  *) mod_proxy: Add the forcerecovery balancer parameter that determines if
     recovery for balancer workers is enforced. [Ruediger Pluem]
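
The change lists quoted in these commit logs are the input a pkgsrc maintainer works from when deciding which local patches (such as this patch-af) can be retired once the upstream release carries the fix. The following is an added example, not pkgsrc or httpd code: a small parser that pulls the SECURITY entries (CVE ids, affected component, summary) out of a CHANGES excerpt in either of the two bullet styles used in this file (upstream "  *) " as above, and the "- " form of the older entries below), and diffs the upstream CVE set against a locally maintained mapping of patch files to CVEs. The sample text is constructed from the lists quoted here, and the patch-name-to-CVE mapping is an assumed bookkeeping structure rather than anything pkgsrc keeps itself.

```python
"""Pull the SECURITY entries (CVE ids, affected component, summary) out of an
Apache httpd CHANGES excerpt such as the ones quoted in this commit log, so a
package maintainer can check each upstream CVE against the local patches being
retired. Added example for this page; not pkgsrc or httpd code. Both bullet
styles used in this file are handled: upstream "  *) " and the "- " form of the
older log entries. The sample text is constructed from the lists quoted here.
"""
import re
from collections import namedtuple

SecurityFix = namedtuple("SecurityFix", "cves component summary")

_BULLET = re.compile(r"^\s*(?:\*\)|-)\s+(.*)$")
_SECURITY = re.compile(r"^SECURITY:\s*(?P<cves>(?:CVE-\d{4}-\d{4,},?\s*)+)")
_CVE = re.compile(r"CVE-\d{4}-\d{4,}")
# "envvars: ...", "mod_dav, mod_cache: ..." - the component prefix, if any
_COMPONENT = re.compile(r"^([A-Za-z0-9_,. ]+?):\s")

def split_entries(changes):
    """Group a CHANGES excerpt into entries: one list of stripped lines each."""
    entries, current = [], None
    for line in changes.splitlines():
        m = _BULLET.match(line)
        if m:
            current = [m.group(1).strip()]
            entries.append(current)
        elif current is not None and line.strip():
            current.append(line.strip())
    return entries

def parse_security_fixes(changes):
    """Return one SecurityFix per SECURITY: entry, in document order."""
    fixes = []
    for lines in split_entries(changes):
        m = _SECURITY.match(lines[0])
        if not m:
            continue
        body = " ".join(lines[1:])
        comp = _COMPONENT.match(body)
        component = comp.group(1).strip() if comp else ""
        summary = body[comp.end():].strip() if comp else body
        fixes.append(SecurityFix(_CVE.findall(m.group("cves")), component, summary))
    return fixes

def cves_without_local_patch(changes, local_patches):
    """CVEs the upstream list fixes that no local patch file claims to cover.
    local_patches maps a pkgsrc patch name to the CVE id it carries (assumed
    bookkeeping; pkgsrc itself records that only in the patch header)."""
    upstream = {c for fix in parse_security_fixes(changes) for c in fix.cves}
    return upstream - set(local_patches.values())

# Constructed sample in the upstream "*)" style (from the 2.2.23 list above).
SAMPLE_UPSTREAM = """\
Changes with Apache 2.2.23

  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
     current working directory being searched for DSOs. [Stefan Fritsch]

  *) SECURITY: CVE-2012-2687 (cve.mitre.org)
     mod_negotiation: Escape filenames in variant list to prevent a
     possible XSS for a site where untrusted users can upload files to
     a location with MultiViews enabled. [Niels Heinen]

  *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
     [Paul Wouters, Joe Orton]
"""

# Constructed sample in the pkgsrc "-" style (from the 2.2.22 and 2.2.12 lists).
SAMPLE_PKGSRC = """\
- SECURITY: CVE-2011-3368 (cve.mitre.org)
  Reject requests where the request-URI does not match the HTTP
  specification, preventing unexpected expansion of target URLs in
  some reverse proxy configurations.  [Joe Orton]
- SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
  The bundled copy of the APR-util library has been updated, fixing three
  different security issues which may affect particular configurations
  and third-party modules.
- mod_substitute: Fix buffer overrun.  [Ruediger Pluem, Rainer Jung]
"""

if __name__ == "__main__":
    for fix in parse_security_fixes(SAMPLE_UPSTREAM + SAMPLE_PKGSRC):
        print(", ".join(fix.cves), "->", fix.component or "(core)", ":", fix.summary)
    # constructed: pretend patch-af carries the CVE-2011-3368 fix
    print("unpatched:", sorted(cves_without_local_patch(
        SAMPLE_PKGSRC, {"patch-af": "CVE-2011-3368"})))
```

The component prefix is only recognised when the body starts with a "name:" token made of identifier characters, so entries like the APR-util one (no module named) come back with an empty component rather than a mis-parsed one.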
@
text
@$NetBSD: patch-af,v 1.6 2012/02/01 19:53:21 tron Exp $

Fix markup glitch.

--- docs/man/apxs.1.orig	2012-01-10 23:32:02.000000000 +0000
+++ docs/man/apxs.1	2012-02-01 19:18:34.000000000 +0000
@@@@ -96,7 +96,11 @@@@
  
 .TP
 -q
-Performs a query for apxs's knowledge about certain settings\&. The \fIquery\fR parameters can be one or more of the following strings: CC, CFLAGS, CFLAGS_SHLIB, INCLUDEDIR, LD_SHLIB, LDFLAGS_SHLIB, LIBEXECDIR, LIBS_SHLIB, SBINDIR, SYSCONFDIR, TARGET\&. .PP Use this for manually determining settings\&. For instance use INC=-I`apxs -q INCLUDEDIR` .PP inside your own Makefiles if you need manual access to Apache's C header files\&.  
+Performs a query for apxs's knowledge about certain settings\&. The \fIquery\fR parameters can be one or more of the following strings: CC, CFLAGS, CFLAGS_SHLIB, INCLUDEDIR, LD_SHLIB, LDFLAGS_SHLIB, LIBEXECDIR, LIBS_SHLIB, SBINDIR, SYSCONFDIR, TARGET\&.
+.PP
+Use this for manually determining settings\&. For instance use INC=-I`apxs -q INCLUDEDIR`
+.PP
+inside your own Makefiles if you need manual access to Apache's C header files\&.  
   
 .SS "Configuration Options"
  
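Review bot: the split itself is right, since roff only honours a request such as .PP at the start of a line, but two details for whoever carries this forward: the target here is docs/man/apxs.1, while revision 1.5 patched docs/man/apxs.8 and the 2.2.23 replacement named in the 1.7 log is patch-docs_man_apxs.8 again, so confirm the man section in the tarball before applying; and the last added line ("+inside your own Makefiles ...") keeps the two trailing spaces of the original, which patch tooling tends to flag as whitespace damage and which could be dropped while the line is being rewritten anyway.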
@


1.6
log
@Update "apache" package to version 2.2.22. Changes since 2.2.21:
- SECURITY: CVE-2011-3368 (cve.mitre.org)
  Reject requests where the request-URI does not match the HTTP
  specification, preventing unexpected expansion of target URLs in
  some reverse proxy configurations.  [Joe Orton]
- SECURITY: CVE-2011-3607 (cve.mitre.org)
  Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
  is enabled, could allow local users to gain privileges via a .htaccess
  file. [Stefan Fritsch, Greg Ames]
- SECURITY: CVE-2011-4317 (cve.mitre.org)
  Resolve additional cases of URL rewriting with ProxyPassMatch or
  RewriteRule, where particular request-URIs could result in undesired
  backend network exposure in some configurations.
  [Joe Orton]
- SECURITY: CVE-2012-0021 (cve.mitre.org)
  mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
  string is in use and a client sends a nameless, valueless cookie, causing
  a denial of service. The issue existed since version 2.2.17. Bug#52256.
  [Rainer Canavan <rainer-apache 7val com>]
- SECURITY: CVE-2012-0031 (cve.mitre.org)
  Fix scoreboard issue which could allow an unprivileged child process
  to cause the parent to crash at shutdown rather than terminate
  cleanly.  [Joe Orton]
- SECURITY: CVE-2012-0053 (cve.mitre.org)
  Fix an issue in error responses that could expose "httpOnly" cookies
  when no custom ErrorDocument is specified for status code 400.
  [Eric Covener]
- mod_proxy_ajp: Try to prevent a single long request from marking a worker
  in error. [Jean-Frederic Clere]
- config: Update the default mod_ssl configuration: Disable SSLv2, only
  allow >= 128bit ciphers, add commented example for speed optimized cipher
  list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]
- core: Fix segfault in ap_send_interim_response(). Bug#52315.
  [Stefan Fritsch]
- mod_log_config: Prevent segfault. Bug#50861. [Torsten Foertsch
  <torsten.foertsch gmx.net>]
- mod_win32: Invert logic for env var UTF-8 fixing.
  Now we exclude a list of vars which we know for sure don't hold UTF-8
  chars; all other vars will be fixed. This has the benefit that now also
  all vars from 3rd-party modules will be fixed. Bug#13029 / 34985.
  [Guenter Knauf]
- core: Fix hook sorting for Perl modules, a regression introduced in
  2.2.21. Bug#45076. [Torsten Foertsch <torsten foertsch gmx net>]
- Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
  A range of '0-' will now return 206 instead of 200. Bug#51878.
  [Jim Jagielski]
- Example configuration: Fix entry for MaxRanges (use "unlimited" instead
  of "0").  [Rainer Jung]
- mod_substitute: Fix buffer overrun.  [Ruediger Pluem, Rainer Jung]

Please note that all the security fixes had been integrated into
"pkgsrc" as patches previously.
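
Several of the 2.2.22 items above are conditions in the server configuration rather than in the code: SSLv2 left enabled, sub-128-bit ciphers still in SSLCipherSuite, no custom ErrorDocument for status 400 (the condition under which CVE-2012-0053 could expose httpOnly cookies), and reverse-proxy rewrite targets of the kind CVE-2011-3368 / CVE-2011-4317 concern. The following is an added example, not pkgsrc or httpd code: a linter that runs those checks over an httpd.conf text, with a weak and a corrected sample side by side. The directive names are real Apache 2.2 directives; the "proxy-no-slash" rule (a RewriteRule [P] or ProxyPassMatch target with no "/" between host and back-reference) is my assumption about the risky shape, since the change list only says "particular request-URIs"; the sample configs and all function names are constructed.

```python
"""Lint an httpd 2.2 config for the settings the 2.2.22 change list above
touches: SSLv2 left enabled, sub-128-bit ciphers left in SSLCipherSuite, no
custom ErrorDocument for status 400 (the condition under which the
CVE-2012-0053 fix matters), and RewriteRule [P] / ProxyPassMatch targets with
no "/" between host and back-reference (assumed to be the shape behind the
CVE-2011-3368 / CVE-2011-4317 backend exposure; the page does not spell it
out). Added example; not pkgsrc or httpd code. Sample configs are constructed.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line rule text")

_SSLPROTO = re.compile(r"^\s*SSLProtocol\s+(.*)$", re.I)
_SSLCIPHER = re.compile(r"^\s*SSLCipherSuite\s+(\S+)", re.I)
_ERRDOC400 = re.compile(r"^\s*ErrorDocument\s+400\b", re.I)
_PROXYRULE = re.compile(
    r"^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
# scheme://host[:port] immediately followed by $N, e.g. http://backend$1
_NO_SLASH = re.compile(r"^[a-z]+://[^/\s]+\$\d", re.I)
# OpenSSL cipher-list tokens for null or <128-bit suites (explicit tokens only;
# aggregate names such as ALL or DEFAULT are not expanded here).
_WEAK_TOKENS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "NULL", "ENULL"}

def _config_lines(cfg):
    """Yield (line_no, text) with comments and blank lines removed."""
    for n, raw in enumerate(cfg.splitlines(), 1):
        text = raw.split("#", 1)[0].strip()
        if text:
            yield n, text

def sslv2_allowed(args):
    """True if an SSLProtocol argument list leaves SSLv2 enabled.
    'all' expands to the 2.2 set; '+'/'-' add or remove a protocol."""
    enabled = set()
    for tok in args.split():
        name = tok.lstrip("+-").lower()
        names = {"sslv2", "sslv3", "tlsv1"} if name == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return "sslv2" in enabled

def weak_ciphers_enabled(spec):
    """True if SSLCipherSuite names a weak token without '!' or '-' in front.
    '+' only reorders, so '+LOW' still enables LOW."""
    for tok in spec.split(":"):
        if tok[:1] in ("!", "-"):
            continue
        if tok.lstrip("+").upper() in _WEAK_TOKENS:
            return True
    return False

def lint(cfg):
    """Return Findings for one httpd.conf text; an empty list means clean."""
    findings, has_errdoc400 = [], False
    for n, line in _config_lines(cfg):
        m = _SSLPROTO.match(line)
        if m and sslv2_allowed(m.group(1)):
            findings.append(Finding(n, "sslv2", line))
        m = _SSLCIPHER.match(line)
        if m and weak_ciphers_enabled(m.group(1)):
            findings.append(Finding(n, "weak-ciphers", line))
        if _ERRDOC400.match(line):
            has_errdoc400 = True
        m = _PROXYRULE.match(line)
        if m and _NO_SLASH.match(m.group(3)):
            flags = [f.strip().upper() for f in (m.group(4) or "").split(",")]
            # RewriteRule only proxies with the P flag; ProxyPassMatch always does
            if m.group(1).lower() == "proxypassmatch" or "P" in flags:
                findings.append(Finding(n, "proxy-no-slash", line))
    if not has_errdoc400:
        findings.append(Finding(0, "no-errordocument-400", ""))
    return findings

WEAK_CONF = """\
# constructed sample: the shape the 2.2.22 notes move away from
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
RewriteEngine on
RewriteRule ^(.*) http://backend.internal$1 [P]
ProxyPassMatch ^/app(.*) http://app.internal$1
"""

HARDENED_CONF = """\
# constructed sample: the corrected shape
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
ErrorDocument 400 /errors/400.html
RewriteEngine on
RewriteRule ^/(.*) http://backend.internal/$1 [P]
ProxyPassMatch ^/app/(.*) http://app.internal/$1
"""

if __name__ == "__main__":
    for f in lint(WEAK_CONF):
        print("line %d: %s  %s" % (f.line, f.rule, f.text))
```

The cipher check deliberately looks only at explicit tokens; a string that starts with ALL and never adds "!LOW" still admits low-grade suites in OpenSSL, so treat a clean result on that rule as necessary rather than sufficient.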
@
text
@d1 1
a1 1
$NetBSD: patch-af,v 1.5 2011/03/20 03:18:21 dholland Exp $
@


1.6.4.1
log
@Pullup ticket #3922 - requested by taca
www/apache22: security update

Revisions pulled up:
- www/apache22/Makefile                                         1.81
- www/apache22/PLIST                                            1.21
- www/apache22/distinfo                                         1.52
- www/apache22/patches/patch-af                                 deleted
- www/apache22/patches/patch-docs_man_apxs.8                    1.1
- www/apache22/patches/patch-support_envvars-std.in             deleted

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Sep 16 03:33:10 UTC 2012

   Modified Files:
   	pkgsrc/www/apache22: Makefile PLIST distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-docs_man_apxs.8
   Removed Files:
   	pkgsrc/www/apache22/patches: patch-af patch-support_envvars-std.in

   Log Message:
   Update apache22 to 2.2.23.

   Changes with Apache 2.2.23

     *) SECURITY: CVE-2012-0883 (cve.mitre.org)
        envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
        current working directory being searched for DSOs. [Stefan Fritsch]

     *) SECURITY: CVE-2012-2687 (cve.mitre.org)
        mod_negotiation: Escape filenames in variant list to prevent a
        possible XSS for a site where untrusted users can upload files to
        a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]

     *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
        [Paul Wouters <pwouters redhat.com>, Joe Orton]

     *) mod_ldap: Treat the "server unavailable" condition as a transient
        error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]

     *) core: Add filesystem paths to access denied / access failed messages.
        [Eric Covener]

     *) core: Fix error handling in ap_scan_script_header_err_brigade() if there
        is no EOS bucket in the brigade. PR 48272. [Stefan Fritsch]

     *) core: Prevent "httpd -k restart" from killing server in presence of
        config error. [Joe Orton]

     *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
        control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive,
        adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'.
        [Kaspar Brand, William Rowe]

     *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
        PR 53104. [Greg Ames]

     *) Unix MPMs: Fix small memory leak in parent process if connect()
        failed when waking up children.  [Joe Orton]

     *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
        [Peter Pramberger <peter pramberger.at>, Jim Jagielski]

     *) Added SSLProxyMachineCertificateChainFile directive so the proxy client
        can select the proper client certificate when using a chain and the
        remote server only lists the root CA as allowed.

     *) mpm_event, mpm_worker: Remain active amidst prevalent child process
        resource shortages.  [Jeff Trawick]

     *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]

     *) mod_rewrite: Fix the RewriteEngine directive to work within a
        location. Previously, once RewriteEngine was switched on globally,
        it was impossible to switch off. [Graham Leggett]

     *) mod_proxy_balancer: Restore balancing after a failed worker has
        recovered when using lbmethod_bybusyness.  PR 48735.  [Jeff Trawick]

     *) mod_dumpio: Properly handle errors from subsequent input filters.
        PR 52914. [Stefan Fritsch]

     *) mpm_worker: Fix cases where the spawn rate wasn't reduced after child
        process resource shortages.  [Jeff Trawick]

     *) mpm_prefork: Reduce spawn rate after a child process exits due to
        unexpected poll or accept failure.  [Jeff Trawick]

     *) core: Adjust ap_scan_script_header_err*() to prevent mod_cgi and mod_cgid
        from logging bogus data in case of errors. [Stefan Fritsch]

     *) mod_disk_cache, mod_mem_cache: Decline the opportunity to cache if the
        response is a 206 Partial Content. This stops a reverse proxied partial
        response from becoming cached, and then being served in subsequent
        responses. PR 49113. [Graham Leggett]

     *) configure: Fix usage with external apr and apu in non-default paths
        and recent gcc versions >= 4.6. [Jean-Frederic Clere]

     *) core: Fix building against PCRE 8.30 by switching from the obsolete
        pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]

     *) mod_proxy: Add the forcerecovery balancer parameter that determines if
        recovery for balancer workers is enforced. [Ruediger Pluem]
@
text
@d1 1
a1 1
$NetBSD: patch-af,v 1.6 2012/02/01 19:53:21 tron Exp $
@


1.5
log
@Patch a minor markup glitch in the apxs(8) man page: .PP needs to be at
the beginning of a line.

(Properly this should bump the PKGREVISION, but I'm not going to bother.)
@
text
@d1 1
a1 1
$NetBSD$
d5 3
a7 3
--- docs/man/apxs.8~	2011-03-20 02:48:50.000000000 +0000
+++ docs/man/apxs.8
@@@@ -96,7 +96,11 @@@@ This explicitly sets the module name for
@


1.4
log
@Update "apache22" package to version 2.2.16. Changes since version 2.2.15:
- SECURITY: CVE-2010-1452 (cve.mitre.org)
  mod_dav, mod_cache: Fix Handling of requests without a path segment.
  PR: 49246 [Mark Drayton, Jeff Trawick]
- SECURITY: CVE-2010-2068 (cve.mitre.org)
  mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
  for platforms Windows, Netware and OS2.  PR: 49417. [Rainer Jung]
- core: Filter init functions are now run strictly once per request
  before handler invocation.  The init functions are no longer run
  for connection filters.  PR 49328.  [Joe Orton]
- mod_filter: enable it to act on non-200 responses.
  PR 48377 [Nick Kew]
- mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
  title page only) when any mod_ldap directives were used in VirtualHost
  context.  [Eric Covener]
- mod_ssl: Fix segfault at startup if proxy client certs are shared
  across multiple vhosts.  PR 39915.  [Joe Orton]
- mod_proxy_http: Log the port of the remote server in various messages.
  PR 48812. [Igor Galić <i galic brainsware org>]
- apxs: Fix -A and -a options to ignore whitespace in httpd.conf
  [Philip M. Gollucci]
- mod_dir: add FallbackResource directive, to enable admin to specify
  an action to happen when a URL maps to no file, without resorting
  to ErrorDocument or mod_rewrite.  PR 47184 [Nick Kew]
- mod_rewrite: Allow to set environment variables without explicitly
  giving a value. [Rainer Jung]
@
text
@d1 1
a1 1
$NetBSD: patch-af,v 1.3 2010/06/12 10:40:26 tron Exp $
d3 1
a3 1
Patch to fix CVE-2010-2068, taken from here:
d5 15
a19 31
http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch

--- modules/proxy/mod_proxy_http.c.orig	2010-02-27 18:49:36.000000000 +0000
+++ modules/proxy/mod_proxy_http.c	2010-06-12 11:33:45.000000000 +0100
@@@@ -1401,7 +1401,7 @@@@
             ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r,
                           "proxy: error reading status line from remote "
                           "server %s", backend->hostname);
-            if (rc == APR_TIMEUP) {
+            if (APR_STATUS_IS_TIMEUP(rc)) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "proxy: read timeout");
             }
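Review bot: the comparison rc == APR_TIMEUP is the timeout-detection bug the CHANGES entry pins on Windows, Netware and OS/2: on those platforms a read timeout can come back as a platform-specific status that APR_STATUS_IS_TIMEUP() recognises but a direct equality test does not. This hunk only decides whether the "proxy: read timeout" debug line is written, so it is harmless on its own; the behavioural fix is the same substitution in the keepalive condition at line 1417, and the two hunks should travel together rather than be cherry-picked separately.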
@@@@ -1417,7 +1417,7 @@@@
              * we normally would handle timeouts
              */
             if (r->proxyreq == PROXYREQ_REVERSE && c->keepalives &&
-                rc != APR_TIMEUP) {
+                !APR_STATUS_IS_TIMEUP(rc)) {
                 apr_bucket *eos;
 
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
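Review bot: this condition is where the leak described in the commit log lives. A timeout status that was not literally APR_TIMEUP satisfied rc != APR_TIMEUP, so on the affected platforms a backend that had simply not answered yet was handled like a kept-alive connection the backend had closed: the request was finished with an EOS and OK was returned, while the backend connection, still owed a response, was not marked for closing and could be handed to a later request, which is how another client could receive that response. Switching to !APR_STATUS_IS_TIMEUP(rc) keeps real timeouts out of this branch on every platform. Since the CHANGES entry also names mod_proxy_ajp and mod_reqtimeout, a search for other == APR_TIMEUP / != APR_TIMEUP comparisons in those modules is worth doing before treating the pkgsrc patch as complete; this patch only touches mod_proxy_http.c.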
@@@@ -1449,6 +1449,8 @@@@
                     APR_BUCKET_INSERT_BEFORE(eos, e);
                 }
                 ap_pass_brigade(r->output_filters, bb);
+                /* Mark the backend connection for closing */
+                backend->close = 1;
                 /* Need to return OK to avoid sending an error message */
                 return OK;
             }
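Review bot: backend->close = 1 sits after ap_pass_brigade() and before the return OK, which is the right spot, since returning OK here used to hand a connection with an unread (or never-arriving) response back to the pool. Two things to confirm in code the hunk does not show: that the other exits from this error block also leave the backend connection closed rather than recycled, and that the release path for this worker actually checks backend->close, because the flag on its own is inert if nothing downstream honours it.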
@


1.3
log
@Add patch provided by the Apache foundation to close the privacy leak
reported in CVE-2010-2068.
@
text
@d1 1
a1 1
$NetBSD$
@


1.3.4.1
log
@Pullup ticket 3187 - requested by tron
security update

Revisions pulled up:
- pkgsrc/www/apache22/Makefile		1.61
- pkgsrc/www/apache22/distinfo		1.34

Files deleted:
pkgsrc/www/apache22/patches/patch-af

-------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   tron
   Date:           Mon Jul 26 21:38:52 UTC 2010

   Modified Files:
           pkgsrc/www/apache22: Makefile distinfo
   Removed Files:
           pkgsrc/www/apache22/patches: patch-af

   Log Message:
   Update "apache22" package to version 2.2.16. Changes since version 2.2.15:
   - SECURITY: CVE-2010-1452 (cve.mitre.org)
     mod_dav, mod_cache: Fix Handling of requests without a path segment.
     PR: 49246 [Mark Drayton, Jeff Trawick]
   - SECURITY: CVE-2010-2068 (cve.mitre.org)
     mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
     for platforms Windows, Netware and OS2.  PR: 49417. [Rainer Jung]
   - core: Filter init functions are now run strictly once per request
     before handler invocation.  The init functions are no longer run
     for connection filters.  PR 49328.  [Joe Orton]
   - mod_filter: enable it to act on non-200 responses.
     PR 48377 [Nick Kew]
   - mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
     title page only) when any mod_ldap directives were used in VirtualHost
     context.  [Eric Covener]
   - mod_ssl: Fix segfault at startup if proxy client certs are shared
     across multiple vhosts.  PR 39915.  [Joe Orton]
   - mod_proxy_http: Log the port of the remote server in various messages.
     PR 48812. [Igor Galić <i galic brainsware org>]
   - apxs: Fix -A and -a options to ignore whitespace in httpd.conf
     [Philip M. Gollucci]
   - mod_dir: add FallbackResource directive, to enable admin to specify
     an action to happen when a URL maps to no file, without resorting
     to ErrorDocument or mod_rewrite.  PR 47184 [Nick Kew]
   - mod_rewrite: Allow to set environment variables without explicitly
     giving a value. [Rainer Jung]


   To generate a diff of this commit:
   cvs rdiff -u -r1.60 -r1.61 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.33 -r1.34 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r1.3 -r0 pkgsrc/www/apache22/patches/patch-af
@
text
@d1 1
a1 1
$NetBSD: patch-af,v 1.3 2010/06/12 10:40:26 tron Exp $
@


1.3.2.1
log
@file patch-af was added on branch pkgsrc-2010Q1 on 2010-06-12 20:57:46 +0000
@
text
@d1 35
@


1.3.2.2
log
@Pullup ticket 3145 - requested by tron
security fix

Revisions pulled up:
- pkgsrc/www/apache22/Makefile		1.59
- pkgsrc/www/apache22/distinfo		1.33
- pkgsrc/www/apache22/patches/patch-af	1.3

   -------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   tron
   Date:           Sat Jun 12 10:40:27 UTC 2010

   Modified Files:
           pkgsrc/www/apache22: Makefile distinfo
   Added Files:
           pkgsrc/www/apache22/patches: patch-af

   Log Message:
   Add patch provided by the Apache foundation to close the privacy leak
   reported in CVE-2010-2068.


   To generate a diff of this commit:
   cvs rdiff -u -r1.58 -r1.59 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.32 -r1.33 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r0 -r1.3 pkgsrc/www/apache22/patches/patch-af
@
text
@a0 35
$NetBSD: patch-af,v 1.3 2010/06/12 10:40:26 tron Exp $

Patch to fix CVE-2010-2068, taken from here:

http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch

--- modules/proxy/mod_proxy_http.c.orig	2010-02-27 18:49:36.000000000 +0000
+++ modules/proxy/mod_proxy_http.c	2010-06-12 11:33:45.000000000 +0100
@@@@ -1401,7 +1401,7 @@@@
             ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r,
                           "proxy: error reading status line from remote "
                           "server %s", backend->hostname);
-            if (rc == APR_TIMEUP) {
+            if (APR_STATUS_IS_TIMEUP(rc)) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "proxy: read timeout");
             }
@@@@ -1417,7 +1417,7 @@@@
              * we normally would handle timeouts
              */
             if (r->proxyreq == PROXYREQ_REVERSE && c->keepalives &&
-                rc != APR_TIMEUP) {
+                !APR_STATUS_IS_TIMEUP(rc)) {
                 apr_bucket *eos;
 
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
@@@@ -1449,6 +1449,8 @@@@
                     APR_BUCKET_INSERT_BEFORE(eos, e);
                 }
                 ap_pass_brigade(r->output_filters, bb);
+                /* Mark the backend connection for closing */
+                backend->close = 1;
                 /* Need to return OK to avoid sending an error message */
                 return OK;
             }
@


1.2
log
@Update "apache22" package to version 2.2.12. Changes since version 2.2.11:
- SECURITY: CVE-2009-1891 (cve.mitre.org)
  Fix a potential Denial-of-Service attack against mod_deflate or other
  modules, by forcing the server to consume CPU time in compressing a
  large file after a client disconnects. Bug 39605.
  [Joe Orton, Ruediger Pluem]
- SECURITY: CVE-2009-1195 (cve.mitre.org)
  Prevent the "Includes" Option from being enabled in an .htaccess
  file if the AllowOverride restrictions do not permit it.
  [Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
   Ruediger Pluem, Jeff Trawick]
- SECURITY: CVE-2009-1890 (cve.mitre.org)
  Fix a potential Denial-of-Service attack against mod_proxy in a
  reverse proxy configuration, where a remote attacker can force a
  proxy process to consume CPU time indefinitely.  [Nick Kew, Joe Orton]
- SECURITY: CVE-2009-1191 (cve.mitre.org)
  mod_proxy_ajp: Avoid delivering content from a previous request which
  failed to send a request body. Bug 46949 [Ruediger Pluem]
- SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
  The bundled copy of the APR-util library has been updated, fixing three
  different security issues which may affect particular configurations
  and third-party modules.
- mod_include: fix potential segfault when handling back references
  on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
- mod_alias: check sanity in Redirect arguments.
  Bug 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
- mod_proxy_http: fix Host: header for literal IPv6 addresses.
  Bug 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
- mod_rewrite: Remove locking for writing to the rewritelog.
  Bug 46942
- mod_alias: Ensure Redirect emits HTTP-compliant URLs.
  Bug 44020
- mod_proxy_http: fix case sensitivity checking transfer encoding
  Bug 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
- mod_rewrite: Fix the error string returned by RewriteRule.
  RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
  argument of RewriteRule was not started with "[" or not ended with "]".
  Bug 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
- mod_proxy: Complete ProxyPassReverse to handle balancer URLs.  Given:
    BalancerMember balancer://alias http://example.com/foo
    ProxyPassReverse /bash balancer://alias/bar
  backend url http://example.com/foo/bar/that is now translated /bash/that
  [William Rowe]
- New piped log syntax: Use "||process args" to launch the given process
  without invoking the shell/command interpreter.  Use "|$command line"
  (the default behavior of "|command line" in 2.2) to invoke using shell,
  consuming an additional shell process for the lifetime of the logging
  pipe program but granting additional process invocation flexibility.
  [William Rowe]
- mod_ssl: Add server name indication support (RFC 4366) and better
  support for name based virtual hosts with SSL. Bug 34607
  [Peter Sylvester <peter.sylvester edelweb.fr>,
   Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton,
   Ruediger Pluem]
- mod_negotiation: Escape paths of filenames in 406 responses to avoid
  HTML injections and HTTP response splitting.  Bug 46837.
  [Geoff Keating <geoffk apple.com>]
- mod_include: Prevent a case of SSI timefmt-smashing with filter chains
  including multiple INCLUDES filters. Bug 39369 [Joe Orton]
- mod_rewrite: When evaluating a proxy rule in directory context, do
  escape the filename by default. Bug 46428 [Joe Orton]
- mod_proxy_ajp: Check more strictly that the backend follows the AJP
  protocol. [Mladen Turk]
- mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
  to enable stricter checking of remote server certificates.
  [Ruediger Pluem]
- mod_substitute: Fix a memory leak. Bug 44948
  [Dan Poirier <poirier pobox.com>]
- mod_proxy_ajp: Forward remote port information by default.
  [Rainer Jung]
- mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
  directive to correctly remove headers before storing them.
  [Lars Eilebrecht]
- mod_deflate: revert changes in 2.2.8 that caused an invalid
  etag to be emitted for on-the-fly gzip content-encoding.
  Bug 39727 will require larger fixes and this fix was far more
  harmful than the original code. Bug 45023. [Roy T. Fielding]
- mod_disk_cache: The module now turns off sendfile support if
  'EnableSendfile off' is defined globally. Bug 41218.
  [Lars Eilebrecht, Issac Goldstand]
- prefork: Fix child process hang during graceful restart/stop in
  configurations with multiple listening sockets.  Bug 42829.  [Joe Orton,
  Jeff Trawick]
- mod_ssl: Add SSLRenegBufferSize directive to allow changing the
  size of the buffer used for the request-body where necessary
  during a per-dir renegotiation.  Bug 39243.  [Joe Orton]
- mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
  way that per-directory rewrites append the previous notion of PATH_INFO
  to each substitution before evaluating subsequent rules.
  Bug 38642 [Eric Covener]
- mod_authnz_ldap: Reduce number of initialization debug messages and make
  information more clear. Bug 46342 [Dan Poirier]
- mod_cache: Introduce 'no-cache' per-request environment variable
  to prevent the saving of an otherwise cacheable response.
  [Eric Covener]
- core: Translate the status line to ASCII on EBCDIC platforms in
  ap_send_interim_response() and for locally generated "100 Continue"
  responses.  [Eric Covener]
- CGI: return 504 (Gateway timeout) rather than 500 when a script
  times out before returning status line/headers.
  Bug 42190 [Nick Kew]
- prefork: Log an error instead of segfaulting when child startup fails
  due to pollset creation failures.  Bug 46467.  [Jeff Trawick]
- mod_ext_filter: fix error handling when the filter prog fails to start,
  and introduce an onfail configuration option to abort

All the security problems mentioned above had already been fixed in
"pkgsrc" via patches. Thanks a lot to Adam Ciarcinski for letting me
know that new version had finally been released.
@
text
@d1 1
a1 1
$NetBSD: patch-af,v 1.1 2009/07/14 12:23:40 tron Exp $
d3 1
a3 1
Fix for CVE-2009-1891 taken from here:
d5 1
a5 1
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/core_filters.c?r1=421103&r2=791454&pathrev=791454
d7 18
a24 5
--- server/core_filters.c.orig	2006-07-12 04:38:44.000000000 +0100
+++ server/core_filters.c	2009-07-14 13:01:09.000000000 +0100
@@@@ -542,6 +542,12 @@@@
     apr_read_type_e eblock = APR_NONBLOCK_READ;
     apr_pool_t *input_pool = b->p;
d26 9
a34 14
+    /* Fail quickly if the connection has already been aborted. */
+    if (c->aborted) {
+        apr_brigade_cleanup(b);
+        return APR_ECONNABORTED;
+    }
+
     if (ctx == NULL) {
         ctx = apr_pcalloc(c->pool, sizeof(*ctx));
         net->out_ctx = ctx;
@@@@ -909,12 +915,9 @@@@
             /* No need to check for SUCCESS, we did that above. */
             if (!APR_STATUS_IS_EAGAIN(rv)) {
                 c->aborted = 1;
+                return APR_ECONNABORTED;
a35 8
 
-            /* The client has aborted, but the request was successful. We
-             * will report success, and leave it to the access and error
-             * logs to note that the connection was aborted.
-             */
             return APR_SUCCESS;
         }
 
@


1.1
log
@Add patches from the Apache SVN repository to fix the security
vulnerabilities reported in CVE-2009-1890 and CVE-2009-1891.
@
text
@d1 1
a1 1
$NetBSD$
@


1.1.2.1
log
@file patch-af was added on branch pkgsrc-2009Q2 on 2009-07-16 05:37:25 +0000
@
text
@d1 35
@


1.1.2.2
log
@Pullup ticket 2812 - requested by tron
Security update

Revisions pulled up:
- pkgsrc/www/apache22/Makefile		1.47
- pkgsrc/www/apache22/distinfo		1.21

Files added:
pkgsrc/www/apache22/patches/patch-af
pkgsrc/www/apache22/patches/patch-ah

   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Tue Jul 14 12:23:40 UTC 2009

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-af patch-ah

   Log Message:
   Add patches from the Apache SVN repository to fix the security
   vulnerabilities reported in CVE-2009-1890 and CVE-2009-1891.


   To generate a diff of this commit:
   cvs rdiff -u -r1.46 -r1.47 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.20 -r1.21 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r0 -r1.1 pkgsrc/www/apache22/patches/patch-af \
       pkgsrc/www/apache22/patches/patch-ah
@
text
@a0 35
$NetBSD: patch-af,v 1.1 2009/07/14 12:23:40 tron Exp $

Fix for CVE-2009-1891 taken from here:

http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/core_filters.c?r1=421103&r2=791454&pathrev=791454

--- server/core_filters.c.orig	2006-07-12 04:38:44.000000000 +0100
+++ server/core_filters.c	2009-07-14 13:01:09.000000000 +0100
@@@@ -542,6 +542,12 @@@@
     apr_read_type_e eblock = APR_NONBLOCK_READ;
     apr_pool_t *input_pool = b->p;
 
+    /* Fail quickly if the connection has already been aborted. */
+    if (c->aborted) {
+        apr_brigade_cleanup(b);
+        return APR_ECONNABORTED;
+    }
+
     if (ctx == NULL) {
         ctx = apr_pcalloc(c->pool, sizeof(*ctx));
         net->out_ctx = ctx;
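Review bot: the new early return is what actually stops the wasted CPU time: once c->aborted is set, every brigade that later reaches the core output filter is emptied with apr_brigade_cleanup() (the caller still owns the brigade, so destroying it would be wrong) and rejected with APR_ECONNABORTED, so an upstream filter such as mod_deflate no longer sees success and keeps compressing the rest of a large file for a client that has gone away. One check for the hunk: c is not declared in the visible context lines, so confirm this block is placed after the filter's conn_rec *c assignment rather than before it.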
@@@@ -909,12 +915,9 @@@@
             /* No need to check for SUCCESS, we did that above. */
             if (!APR_STATUS_IS_EAGAIN(rv)) {
                 c->aborted = 1;
+                return APR_ECONNABORTED;
             }
 
-            /* The client has aborted, but the request was successful. We
-             * will report success, and leave it to the access and error
-             * logs to note that the connection was aborted.
-             */
             return APR_SUCCESS;
         }
 
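Review bot: after this change the remaining "return APR_SUCCESS;" is reached only when rv is an EAGAIN status (the non-EAGAIN branch now sets c->aborted and returns APR_ECONNABORTED), but the comment that explained the success return was deleted without a replacement, so a bare success return inside an error path now reads like an oversight; add a one-line comment stating that EAGAIN is a retryable condition rather than an abort. The removed behaviour, reporting success after the client had aborted, is exactly what let filters keep consuming CPU for a disconnected client, so returning APR_ECONNABORTED here is the substantive fix.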
@


1.1.2.3
log
@Pullup ticket 2852 - requested by tron
bug fix update

Revisions pulled up:
- pkgsrc/www/apache22/Makefile		1.48
- pkgsrc/www/apache22/PLIST		1.13
- pkgsrc/www/apache22/distinfo		1.23
- pkgsrc/www/apache22/patches/patch-ba	1.4
- pkgsrc/www/apache22/patches/patch-bb	1.3

Files added:
pkgsrc/www/apache22/patches/patch-bb

Files deleted:
pkgsrc/www/apache22/patches/patch-ab
pkgsrc/www/apache22/patches/patch-af
pkgsrc/www/apache22/patches/patch-ah
pkgsrc/www/apache22/patches/patch-bc
pkgsrc/www/apache22/patches/patch-bd

   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Thu Aug  6 07:07:23 UTC 2009

   Modified Files:
   	pkgsrc/www/apache22: Makefile PLIST distinfo
   Removed Files:
   	pkgsrc/www/apache22/patches: patch-ab patch-af patch-ah patch-ba
   	    patch-bc patch-bd

   Log Message:
   Update "apache22" package to version 2.2.12. Changes since version 2.2.11:
   - SECURITY: CVE-2009-1891 (cve.mitre.org)
     Fix a potential Denial-of-Service attack against mod_deflate or other
     modules, by forcing the server to consume CPU time in compressing a
     large file after a client disconnects. Bug 39605.
     [Joe Orton, Ruediger Pluem]
   - SECURITY: CVE-2009-1195 (cve.mitre.org)
     Prevent the "Includes" Option from being enabled in an .htaccess
     file if the AllowOverride restrictions do not permit it.
     [Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
      Ruediger Pluem, Jeff Trawick]
   - SECURITY: CVE-2009-1890 (cve.mitre.org)
     Fix a potential Denial-of-Service attack against mod_proxy in a
     reverse proxy configuration, where a remote attacker can force a
     proxy process to consume CPU time indefinitely.  [Nick Kew, Joe Orton]
   - SECURITY: CVE-2009-1191 (cve.mitre.org)
     mod_proxy_ajp: Avoid delivering content from a previous request which
     failed to send a request body. Bug 46949 [Ruediger Pluem]
   - SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
     The bundled copy of the APR-util library has been updated, fixing three
     different security issues which may affect particular configurations
     and third-party modules.
   - mod_include: fix potential segfault when handling back references
     on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
   - mod_alias: check sanity in Redirect arguments.
     Bug 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
   - mod_proxy_http: fix Host: header for literal IPv6 addresses.
     Bug 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
   - mod_rewrite: Remove locking for writing to the rewritelog.
     Bug 46942
   - mod_alias: Ensure Redirect emits HTTP-compliant URLs.
     Bug 44020
   - mod_proxy_http: fix case sensitivity checking transfer encoding
     Bug 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
   - mod_rewrite: Fix the error string returned by RewriteRule.
     RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
     argument of RewriteRule was not started with "[" or not ended with "]".
     Bug 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
   - mod_proxy: Complete ProxyPassReverse to handle balancer URLs.  Given;
       BalancerMember balancer://alias http://example.com/foo
       ProxyPassReverse /bash balancer://alias/bar
     backend url http://example.com/foo/bar/that is now translated /bash/that
     [William Rowe]
   - New piped log syntax: Use "||process args" to launch the given process
     without invoking the shell/command interpreter.  Use "|$command line"
     (the default behavior of "|command line" in 2.2) to invoke using shell,
     consuming an additional shell process for the lifetime of the logging
     pipe program but granting additional process invocation flexibility.
     [William Rowe]
   - mod_ssl: Add server name indication support (RFC 4366) and better
     support for name based virtual hosts with SSL. Bug 34607
     [Peter Sylvester <peter.sylvester edelweb.fr>,
      Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton,
      Ruediger Pluem]
   - mod_negotiation: Escape paths of filenames in 406 responses to avoid
     HTML injections and HTTP response splitting.  Bug 46837.
     [Geoff Keating <geoffk apple.com>]
   - mod_include: Prevent a case of SSI timefmt-smashing with filter chains
     including multiple INCLUDES filters. Bug 39369 [Joe Orton]
   - mod_rewrite: When evaluating a proxy rule in directory context, do
     escape the filename by default. Bug 46428 [Joe Orton]
   - mod_proxy_ajp: Check more strictly that the backend follows the AJP
     protocol. [Mladen Turk]
   - mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
     to enable stricter checking of remote server certificates.
     [Ruediger Pluem]
   - mod_substitute: Fix a memory leak. Bug 44948
     [Dan Poirier <poirier pobox.com>]
   - mod_proxy_ajp: Forward remote port information by default.
     [Rainer Jung]
   - mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
     directive to correctly remove headers before storing them.
     [Lars Eilebrecht]
   - mod_deflate: revert changes in 2.2.8 that caused an invalid
     etag to be emitted for on-the-fly gzip content-encoding.
     Bug 39727 will require larger fixes and this fix was far more
     harmful than the original code. Bug 45023. [Roy T. Fielding]
   - mod_disk_cache: The module now turns off sendfile support if
     'EnableSendfile off' is defined globally. Bug 41218.
     [Lars Eilebrecht, Issac Goldstand]
   - prefork: Fix child process hang during graceful restart/stop in
     configurations with multiple listening sockets.  Bug 42829.  [Joe Orton,
     Jeff Trawick]
   - mod_ssl: Add SSLRenegBufferSize directive to allow changing the
     size of the buffer used for the request-body where necessary
     during a per-dir renegotiation.  Bug 39243.  [Joe Orton]
   - mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
     way that per-directory rewrites append the previous notion of PATH_INFO
     to each substitution before evaluating subsequent rules.
     Bug 38642 [Eric Covener]
   - mod_authnz_ldap: Reduce number of initialization debug messages and make
     information more clear. Bug 46342 [Dan Poirier]
   - mod_cache: Introduce 'no-cache' per-request environment variable
     to prevent the saving of an otherwise cacheable response.
     [Eric Covener]
   - core: Translate the status line to ASCII on EBCDIC platforms in
     ap_send_interim_response() and for locally generated "100 Continue"
     responses.  [Eric Covener]
   - CGI: return 504 (Gateway timeout) rather than 500 when a script
     times out before returning status line/headers.
     Bug 42190 [Nick Kew]
   - prefork: Log an error instead of segfaulting when child startup fails
     due to pollset creation failures.  Bug 46467.  [Jeff Trawick]
   - mod_ext_filter: fix error handling when the filter prog fails to start,
     and introduce an onfail configuration option to abort

   All the security problems mentioned above had already been fixed in
   "pkgsrc" via patches. Thanks a lot to Adam Ciarcinski for letting me
   know that new version had finally been released.


   To generate a diff of this commit:
   cvs rdiff -u -r1.47 -r1.48 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/apache22/PLIST
   cvs rdiff -u -r1.21 -r1.22 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r1.10 -r0 pkgsrc/www/apache22/patches/patch-ab
   cvs rdiff -u -r1.1 -r0 pkgsrc/www/apache22/patches/patch-af \
       pkgsrc/www/apache22/patches/patch-ah
   cvs rdiff -u -r1.2 -r0 pkgsrc/www/apache22/patches/patch-ba \
       pkgsrc/www/apache22/patches/patch-bc pkgsrc/www/apache22/patches/patch-bd

   -----

   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Thu Aug  6 08:21:44 UTC 2009

   Modified Files:
   	pkgsrc/www/apache22: distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-ba patch-bb

   Log Message:
   Add patches provided by Adam Ciarcinski to fix build with recent versions
   of OpenSSL (e.g. the version in NetBSD-current).


   To generate a diff of this commit:
   cvs rdiff -u -r1.22 -r1.23 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r0 -r1.4 pkgsrc/www/apache22/patches/patch-ba
   cvs rdiff -u -r0 -r1.3 pkgsrc/www/apache22/patches/patch-bb
@
text
@d1 1
a1 1
$NetBSD: patch-af,v 1.1.2.2 2009/07/16 05:37:25 spz Exp $
@


