Fri Jul 29 11:10:24 2016 UTC ()

Fix httpoxy vulnerability.
Bump PKGREVISION.


(wiz)

diff -r1.109 -r1.110 pkgsrc/www/apache22/Makefile
diff -r1.64 -r1.65 pkgsrc/www/apache22/distinfo
diff -r0 -r1.1 pkgsrc/www/apache22/patches/patch-server_util__script.c

--- pkgsrc/www/apache22/Attic/Makefile 2016/07/09 06:39:10 1.109
+++ pkgsrc/www/apache22/Attic/Makefile 2016/07/29 11:10:24 1.110

 @@ -1,18 +1,18 @@
-# $NetBSD: Makefile,v 1.109 2016/07/09 06:39:10 wiz Exp $
+# $NetBSD: Makefile,v 1.110 2016/07/29 11:10:24 wiz Exp $
 DISTNAME=	httpd-2.2.31
 PKGNAME=	${DISTNAME:S/httpd/apache/}
-PKGREVISION=	3
+PKGREVISION=	4
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE:=httpd/} \
 		http://archive.apache.org/dist/httpd/ \
 		http://archive.eu.apache.org/dist/httpd/
 EXTRACT_SUFX=	.tar.bz2
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://httpd.apache.org/
 COMMENT=	Apache HTTP (Web) server, version 2.2
 LICENSE=	apache-2.0
 BUILD_DEFS+=	IPV6_READY
 BUILD_DEFS+=	VARBASE

--- pkgsrc/www/apache22/Attic/distinfo 2015/11/12 15:21:51 1.64
+++ pkgsrc/www/apache22/Attic/distinfo 2016/07/29 11:10:24 1.65

 @@ -1,24 +1,25 @@
-$NetBSD: distinfo,v 1.64 2015/11/12 15:21:51 prlw1 Exp $
+$NetBSD: distinfo,v 1.65 2016/07/29 11:10:24 wiz Exp $
 SHA1 (httpd-2.2.31.tar.bz2) = e3b55387112206307ba76526820a2627472f3787
 RMD160 (httpd-2.2.31.tar.bz2) = 5b073f5f556c74e19eba8e40faa5c5fa308e018a
 SHA512 (httpd-2.2.31.tar.bz2) = 5aa47d4b76f692bbd8b309135ff99152df98cf69b505b9daf3f13f7f2a31443eaf4995161adfbc47a133b4d0e091fda2d95fc6b87a956f0ada18d7466ee28e74
 Size (httpd-2.2.31.tar.bz2) = 5610489 bytes
 SHA1 (patch-aa) = e0bfdf6bc9cb034bea46a390a12a5508e363c9a7
 SHA1 (patch-ab) = 365cc3b0ac2d9d68ccb94f5699fe168a1c9b0150
 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
 SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
 SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
 SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01
 SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312
 SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1
 SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
 SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4
 SHA1 (patch-docs_man_apxs.8) = 70797ea73ae6379492971bec1106a8427ae7fdaa
 SHA1 (patch-include_ap_mmn.h) = 2fec04379f38ecc90debc69faafe38932099e5e1
 SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1
 SHA1 (patch-modules_proxy_mod_proxy.c) = 67d8d441c546a46aa729ed82673da4883f73dec8
 SHA1 (patch-modules_proxy_mod_proxy.h) = a4453d85f6a3cf43df44f4e491aee07aaff44905
 SHA1 (patch-modules_proxy_mod_proxy_connect.c) = b2b5d0242a92c7bf20b14c16d8cd3abae42f3746
 SHA1 (patch-modules_proxy_proxy_util.c) = 1368694ef3141c3a1e9a1ddd73664bbb33465271
 SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1
 SHA1 (patch-server_util__script.c) = 770f773ba278ec774f1f5a812fa9956fad9cc3f8

$NetBSD: patch-server_util__script.c,v 1.1 2016/07/29 11:10:24 wiz Exp $

Fix httpoxy vulnerability.
https://www.apache.org/security/asf-httpoxy-response.txt

--- server/util_script.c.orig	2012-08-21 17:42:49.000000000 +0000
+++ server/util_script.c
@@ -165,6 +165,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
         }
+        /* HTTP_PROXY collides with a popular envvar used to configure
+         * proxies, don't let clients set/override it.  But, if you must...
+         */
+#ifndef SECURITY_HOLE_PASS_PROXY
+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+            ;
+        }
+#endif
         /*
          * You really don't want to disable this check, since it leaves you
          * wide open to CGIs stealing passwords and people viewing them