Fix httpoxy vulnerability. Bump PKGREVISION.diff -r1.47 -r1.48 pkgsrc/www/apache24/Makefile
(wiz)
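--- a/pkgsrc/www/apache24/Makefile
+++ b/pkgsrc/www/apache24/Makefile
@@ -1,23 +1,23 @@
-# $NetBSD: Makefile,v 1.47 2016/07/09 06:39:10 wiz Exp $
+# $NetBSD: Makefile,v 1.48 2016/07/29 11:11:24 wiz Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
 DISTNAME= httpd-2.4.23
 PKGNAME= ${DISTNAME:S/httpd/apache/}
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
 http://archive.apache.org/dist/httpd/ \
 http://archive.eu.apache.org/dist/httpd/
 EXTRACT_SUFX= .tar.bz2
 
 MAINTAINER= ryoon@NetBSD.org
 HOMEPAGE= http://httpd.apache.org/
 COMMENT= Apache HTTP (Web) server, version 2.4
 LICENSE= apache-2.0
 
 BUILD_DEFS+= IPV6_READY
 BUILD_DEFS+= VARBASE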
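--- a/pkgsrc/www/apache24/distinfo
+++ b/pkgsrc/www/apache24/distinfo
@@ -1,17 +1,18 @@
-$NetBSD: distinfo,v 1.25 2016/07/05 16:13:53 taca Exp $
+$NetBSD: distinfo,v 1.26 2016/07/29 11:11:24 wiz Exp $
 
 SHA1 (httpd-2.4.23.tar.bz2) = 5101be34ac4a509b245adb70a56690a84fcc4e7f
 RMD160 (httpd-2.4.23.tar.bz2) = 01a485281ededaaf932c9478ad078879a63254bc
 SHA512 (httpd-2.4.23.tar.bz2) = c520de5be748c0a785ef0dc77102749eb4f47e224968b8d4bed2ae644faa0964623a0e960b64486a0888446790d050b52a6ae34fe61717fab95b37384b4825b1
 Size (httpd-2.4.23.tar.bz2) = 6351875 bytes
 SHA1 (patch-aa) = 2d92b1340aaae40289421f164346348c6d7fe839
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d
 SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157
 SHA1 (patch-ae) = 5bd3bf54e792bf8a2916d7e1b49b1702b02c6903
 SHA1 (patch-ag) = 50c7f0fab1cb90ac573f1c47f2d37f9c2a6247e1
 SHA1 (patch-ai) = 867ac81fd14b1bd6af048ec57390d915956e9568
 SHA1 (patch-al) = 02d9ade5aac4270182063d5ad413970c832ee911
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
+SHA1 (patch-server_util__script.c) = e106f9d7157a5eaf34ef9b1fb445d517c7712aa2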
$NetBSD: patch-server_util__script.c,v 1.1 2016/07/29 11:11:25 wiz Exp $
Fix httpoxy vulnerability.
https://www.apache.org/security/asf-httpoxy-response.txt
--- server/util_script.c.orig 2016-04-27 13:03:00.000000000 +0000
+++ server/util_script.c
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
else if (!strcasecmp(hdrs[i].key, "Content-length")) {
apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
}
+ /* HTTP_PROXY collides with a popular envvar used to configure
+ * proxies, don't let clients set/override it. But, if you must...
+ */
+#ifndef SECURITY_HOLE_PASS_PROXY
+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+ ;
+ }
+#endif
/*
* You really don't want to disable this check, since it leaves you
* wide open to CGIs stealing passwords and people viewing them
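Review bot: The whole mitigation rests on the empty `else if` body (the lone `;`), whose only job is to capture the `Proxy` request header before the generic branch that presumably, further down and outside this hunk, exports every remaining header as `HTTP_<NAME>` — yet nothing inside the braces says so, and the explanatory comment is placed above the `#ifndef` rather than inside it. A one-line comment in the body, `/* intentionally dropped: would otherwise be exported as HTTP_PROXY (httpoxy) */`, ties the intent to the statement that enforces it, and moving the existing comment between `#ifndef SECURITY_HOLE_PASS_PROXY` and `#endif` keeps it from being orphaned next to the following check when the opt-out macro is defined. Since defining SECURITY_HOLE_PASS_PROXY silently restores the leak, the comment should also state that the macro must not be set in any build that runs CGI or proxy-capable scripts. The enclosing if/else chain and ap_add_common_vars continue outside the hunk.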