Sun Sep 13 13:32:50 2009 UTC ()
Add a fix for the remote Denial of Service vulnerability reported
in CVE-2009-3094.


(tron)
diff -r1.49 -r1.50 pkgsrc/www/apache22/Makefile
diff -r1.24 -r1.25 pkgsrc/www/apache22/distinfo
diff -r0 -r1.12 pkgsrc/www/apache22/patches/patch-ab

cvs diff -r1.49 -r1.50 pkgsrc/www/apache22/Attic/Makefile (expand / switch to unified diff)

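--- a/pkgsrc/www/apache22/Makefile
+++ b/pkgsrc/www/apache22/Makefile
@@ -1,17 +1,18 @@
-# $NetBSD: Makefile,v 1.49 2009/08/10 11:45:08 tron Exp $
+# $NetBSD: Makefile,v 1.50 2009/09/13 13:32:50 tron Exp $
 
 DISTNAME= httpd-2.2.13
 PKGNAME= ${DISTNAME:S/httpd/apache/}
+PKGREVISION= 1
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
  ${MASTER_SITE_APACHE:=httpd/old/}
 EXTRACT_SUFX= .tar.bz2
 
 MAINTAINER= tron@NetBSD.org
 HOMEPAGE= http://httpd.apache.org/
 COMMENT= Apache HTTP (Web) server, version 2.2
 LICENSE= apache-2.0
 
 PKG_DESTDIR_SUPPORT= user-destdir
 
 CONFLICTS= apache-{,*ssl}-[0-9]* apache6-[0-9]*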

cvs diff -r1.24 -r1.25 pkgsrc/www/apache22/Attic/distinfo (expand / switch to unified diff)

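--- a/pkgsrc/www/apache22/distinfo
+++ b/pkgsrc/www/apache22/distinfo
@@ -1,17 +1,18 @@
-$NetBSD: distinfo,v 1.24 2009/08/10 11:45:08 tron Exp $
+$NetBSD: distinfo,v 1.25 2009/09/13 13:32:50 tron Exp $
 
 SHA1 (httpd-2.2.13.tar.bz2) = 44d85da1b8e6c579d4514cfefbea00b284717b69
 RMD160 (httpd-2.2.13.tar.bz2) = 4a6a2247cc118175a9a36f1e14344ee71da24627
 Size (httpd-2.2.13.tar.bz2) = 5300199 bytes
 SHA1 (patch-aa) = 40f5f687a1217b8d6684dc610d3d4c430f635cbf
+SHA1 (patch-ab) = 76e50e1603c37e982a6ae9179009457aa9589e87
 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
 SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
 SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
 SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01
 SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312
 SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1
 SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
 SHA1 (patch-aq) = 27a0093fc75dcafc673abc25e9ebe80167f52ac1
 SHA1 (patch-as) = 7880eae75b702563bff8bca833ca81fb3dc4444c
 SHA1 (patch-au) = d4c623bb953ac45cb4c8d95fc1d3c2788452d9a1
 SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4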

File Added: pkgsrc/www/apache22/patches/Attic/patch-ab
$NetBSD: patch-ab,v 1.12 2009/09/13 13:32:50 tron Exp $

Fix for CVE-2009-3094 based on the description of the problem:

http://www.intevydis.com/blog/?p=59

--- modules/proxy/mod_proxy_ftp.c.orig	2008-11-11 20:04:34.000000000 +0000
+++ modules/proxy/mod_proxy_ftp.c	2009-09-13 14:23:13.000000000 +0100
@@ -1274,7 +1274,9 @@
             }
             else {
                 /* and try the regular way */
-                apr_socket_close(data_sock);
+                if (data_sock != NULL) {
+                    apr_socket_close(data_sock);
+                }
             }
         }
     }
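Review bot: The added guard around apr_socket_close() in the else-branch stops a NULL data_sock from being closed, but nothing in the hunk says why data_sock can be NULL at this point, and the patch header states the fix was written from a blog description rather than taken from an upstream commit; a why-comment above the guard would help the next maintainer, e.g. `/* data_sock may still be NULL if the EPSV data socket was never created; closing a NULL socket here is the CVE-2009-3094 DoS */`. Because the patch guards only this one close site, it is worth confirming against the upstream fix, once available, that no other error path in the same EPSV/PASV handling reaches a close or use of data_sock while it is NULL. After the close, data_sock still holds the closed socket; if the "regular way" that follows can fail before it creates a new one, a later close on the stale pointer would be a double close, so a `data_sock = NULL;` after the close is advisable if such a path exists. The enclosing function starts and ends outside the hunk.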