Sun Dec 11 23:52:56 2016 UTC ()
Add patch for CVE-2016-8740.

Bump PKGREVISION.


(taca)
diff -r1.49 -r1.50 pkgsrc/www/apache24/Makefile
diff -r1.26 -r1.27 pkgsrc/www/apache24/distinfo
diff -r0 -r1.1 pkgsrc/www/apache24/patches/patch-CVE-2016-8740-2.4.23

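--- a/pkgsrc/www/apache24/Makefile
+++ b/pkgsrc/www/apache24/Makefile
@@ -1,23 +1,23 @@
-# $NetBSD: Makefile,v 1.49 2016/10/07 18:26:12 adam Exp $
+# $NetBSD: Makefile,v 1.50 2016/12/11 23:52:55 taca Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
 DISTNAME= httpd-2.4.23
 PKGNAME= ${DISTNAME:S/httpd/apache/}
-PKGREVISION= 3
+PKGREVISION= 4
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
   http://archive.apache.org/dist/httpd/ \
   http://archive.eu.apache.org/dist/httpd/
 EXTRACT_SUFX= .tar.bz2
 
 MAINTAINER= ryoon@NetBSD.org
 HOMEPAGE= http://httpd.apache.org/
 COMMENT= Apache HTTP (Web) server, version 2.4
 LICENSE= apache-2.0
 
 BUILD_DEFS+= IPV6_READY
 BUILD_DEFS+= VARBASE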

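--- a/pkgsrc/www/apache24/distinfo
+++ b/pkgsrc/www/apache24/distinfo
@@ -1,18 +1,19 @@
-$NetBSD: distinfo,v 1.26 2016/07/29 11:11:24 wiz Exp $
+$NetBSD: distinfo,v 1.27 2016/12/11 23:52:55 taca Exp $
 
 SHA1 (httpd-2.4.23.tar.bz2) = 5101be34ac4a509b245adb70a56690a84fcc4e7f
 RMD160 (httpd-2.4.23.tar.bz2) = 01a485281ededaaf932c9478ad078879a63254bc
 SHA512 (httpd-2.4.23.tar.bz2) = c520de5be748c0a785ef0dc77102749eb4f47e224968b8d4bed2ae644faa0964623a0e960b64486a0888446790d050b52a6ae34fe61717fab95b37384b4825b1
 Size (httpd-2.4.23.tar.bz2) = 6351875 bytes
+SHA1 (patch-CVE-2016-8740-2.4.23) = 286afd11a07f4bb1acb0ca9b89086c79930ca562
 SHA1 (patch-aa) = 2d92b1340aaae40289421f164346348c6d7fe839
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d
 SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157
 SHA1 (patch-ae) = 5bd3bf54e792bf8a2916d7e1b49b1702b02c6903
 SHA1 (patch-ag) = 50c7f0fab1cb90ac573f1c47f2d37f9c2a6247e1
 SHA1 (patch-ai) = 867ac81fd14b1bd6af048ec57390d915956e9568
 SHA1 (patch-al) = 02d9ade5aac4270182063d5ad413970c832ee911
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
 SHA1 (patch-server_util__script.c) = e106f9d7157a5eaf34ef9b1fb445d517c7712aa2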

File Added: pkgsrc/www/apache24/patches/Attic/patch-CVE-2016-8740-2.4.23
$NetBSD: patch-CVE-2016-8740-2.4.23,v 1.1 2016/12/11 23:52:55 taca Exp $

Patch for CVE-2016-8740.

--- modules/http2/h2_stream.c.orig	2016-06-09 10:38:10.000000000 +0000
+++ modules/http2/h2_stream.c
@@ -322,18 +322,18 @@ apr_status_t h2_stream_add_header(h2_str
                                            HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE);
             }
         }
-    }
-    
-    if (h2_stream_is_scheduled(stream)) {
-        return h2_request_add_trailer(stream->request, stream->pool,
-                                      name, nlen, value, vlen);
-    }
-    else {
-        if (!input_open(stream)) {
-            return APR_ECONNRESET;
+        
+        if (h2_stream_is_scheduled(stream)) {
+            return h2_request_add_trailer(stream->request, stream->pool,
+                                          name, nlen, value, vlen);
+        }
+        else {
+            if (!input_open(stream)) {
+                return APR_ECONNRESET;
+            }
+            return h2_request_add_header(stream->request, stream->pool,
+                                         name, nlen, value, vlen);
         }
-        return h2_request_add_header(stream->request, stream->pool,
-                                     name, nlen, value, vlen);
     }
 }
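Review bot: On the new side every `return` at the tail of h2_stream_add_header sits inside the block that closes on the second-to-last line, so when that block is skipped control reaches the function's closing brace without returning a value, although the hunk header shows the function returns `apr_status_t`. The block's opening line is outside the hunk, so this is read from the brace structure only; if it is the conditional it appears to be, callers would receive an indeterminate status for each header the patch now declines to add. An explicit `return APR_SUCCESS;` between the two closing braces (or whichever status callers should see for a header that is deliberately dropped) makes the result defined. A one-line comment above it saying that headers are intentionally not added once the enclosing condition no longer holds would also record why the add calls moved inside the block.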