Received: by mail.netbsd.org (Postfix, from userid 605)
	id ECC3384DED; Mon, 18 Sep 2017 13:24:06 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by mail.netbsd.org (Postfix) with ESMTP id 7FA8884D9C
	for <pkgsrc-changes@NetBSD.org>; Mon, 18 Sep 2017 13:24:06 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([127.0.0.1])
	by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025)
	with ESMTP id KfgyEfV-ZXj5 for <pkgsrc-changes@netbsd.org>;
	Mon, 18 Sep 2017 13:24:06 +0000 (UTC)
Received: from cvs.NetBSD.org (ivanova.netbsd.org [199.233.217.197])
	by mail.netbsd.org (Postfix) with ESMTP id F32A084CE4
	for <pkgsrc-changes@NetBSD.org>; Mon, 18 Sep 2017 13:24:05 +0000 (UTC)
Received: by cvs.NetBSD.org (Postfix, from userid 500)
	id F1150FA9A; Mon, 18 Sep 2017 13:24:05 +0000 (UTC)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_1505741045125180"
MIME-Version: 1.0
Date: Mon, 18 Sep 2017 13:24:05 +0000
From: "Thomas Klausner" <wiz@netbsd.org>
Subject: CVS commit: pkgsrc/www/apache24
To: pkgsrc-changes@NetBSD.org
Reply-To: wiz@netbsd.org
X-Mailer: log_accum
Message-Id: <20170918132405.F1150FA9A@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: pkgsrc-changes.NetBSD.org
Precedence: bulk
List-Unsubscribe: <mailto:majordomo@NetBSD.org?subject=Unsubscribe%20pkgsrc-changes&body=unsubscribe%20pkgsrc-changes>

This is a multi-part message in MIME format.

--_----------=_1505741045125180
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"

Module Name:	pkgsrc
Committed By:	wiz
Date:		Mon Sep 18 13:24:05 UTC 2017

Modified Files:
	pkgsrc/www/apache24: Makefile distinfo
Added Files:
	pkgsrc/www/apache24/patches: patch-server_core.c

Log Message:
apache24: fix "Optionsbleed" security bug

See https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.30 -r1.31 pkgsrc/www/apache24/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/www/apache24/patches/patch-server_core.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


--_----------=_1505741045125180
Content-Disposition: inline
Content-Length: 2897
Content-Transfer-Encoding: binary
Content-Type: text/x-diff; charset=us-ascii

Modified files:

Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.60 pkgsrc/www/apache24/Makefile:1.61
--- pkgsrc/www/apache24/Makefile:1.60	Thu Aug 24 20:03:41 2017
+++ pkgsrc/www/apache24/Makefile	Mon Sep 18 13:24:05 2017
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.60 2017/08/24 20:03:41 adam Exp $
+# $NetBSD: Makefile,v 1.61 2017/09/18 13:24:05 wiz Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
@@ -7,7 +7,7 @@
 
 DISTNAME=	httpd-2.4.27
 PKGNAME=	${DISTNAME:S/httpd/apache/}
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE:=httpd/}
 MASTER_SITES+=	http://archive.apache.org/dist/httpd/

Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.30 pkgsrc/www/apache24/distinfo:1.31
--- pkgsrc/www/apache24/distinfo:1.30	Wed Jul 12 07:01:34 2017
+++ pkgsrc/www/apache24/distinfo	Mon Sep 18 13:24:05 2017
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.30 2017/07/12 07:01:34 adam Exp $
+$NetBSD: distinfo,v 1.31 2017/09/18 13:24:05 wiz Exp $
 
 SHA1 (httpd-2.4.27.tar.bz2) = 699e4e917e8fb5fd7d0ce7e009f8256ed02ec6fc
 RMD160 (httpd-2.4.27.tar.bz2) = 46f601f58de77eb11fa4c7ea35fa0858d2f4d289
@@ -15,3 +15,4 @@ SHA1 (patch-al) = 02d9ade5aac4270182063d
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
+SHA1 (patch-server_core.c) = 9f32577f350553b40848bef6af5e9db1d40af3d8

Added files:

Index: pkgsrc/www/apache24/patches/patch-server_core.c
diff -u /dev/null pkgsrc/www/apache24/patches/patch-server_core.c:1.1
--- /dev/null	Mon Sep 18 13:24:05 2017
+++ pkgsrc/www/apache24/patches/patch-server_core.c	Mon Sep 18 13:24:05 2017
@@ -0,0 +1,20 @@
+$NetBSD: patch-server_core.c,v 1.1 2017/09/18 13:24:05 wiz Exp $
+
+Fix security problem using upstream patch.
+://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
+
+--- server/core.c.orig	2016-12-05 14:34:29.000000000 +0000
++++ server/core.c
+@@ -2262,6 +2262,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_
+             /* method has not been registered yet, but resource restriction
+              * is always checked before method handling, so register it.
+              */
++            if (cmd->pool == cmd->temp_pool) {
++                /* In .htaccess, we can't globally register new methods. */
++                return apr_psprintf(cmd->pool, "Could not register method '%s' "
++                                   "for %s from .htaccess configuration",
++                                    method, cmd->cmd->name);
++            }
+             methnum = ap_method_register(cmd->pool,
+                                          apr_pstrdup(cmd->pool, method));
+         }


--_----------=_1505741045125180--