apache24: updated to 2.4.50
Changes with Apache 2.4.50
*) SECURITY: CVE-2021-41773: Path traversal and file disclosure
vulnerability in Apache HTTP Server 2.4.49 (cve.mitre.org)
A flaw was found in a change made to path normalization in
Apache HTTP Server 2.4.49. An attacker could use a path
traversal attack to map URLs to files outside the expected
document root.
If files outside of the document root are not protected by
"require all denied" these requests can succeed. Additionally
this flaw could leak the source of interpreted files like CGI
scripts.
This issue is known to be exploited in the wild.
This issue only affects Apache 2.4.49 and not earlier versions.
Credits: This issue was reported by Ash Daulton along with the
cPanel Security Team
*) SECURITY: CVE-2021-41524: null pointer dereference in h2 fuzzing
(cve.mitre.org)
While fuzzing the 2.4.49 httpd, a new null pointer dereference
was detected during HTTP/2 request processing,
allowing an external source to DoS the server. This requires a
specially crafted request.
The vulnerability was recently introduced in version 2.4.49. No
exploit is known to the project.
Credits: Apache httpd team would like to thank LI ZHI XIN from
NSFocus Security Team for reporting this issue.
*) core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second dot in
the uri-path when it's preceded by a dot.
*) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
fails (!= 0 exit), the renewal process is aborted and an error is
reported for the MDomain. This provides scripts that distribute
information in a cluster to abort early with bothering an ACME
server to validate a dns name that will not work. The common
retry logic will make another attempt in the future, as with
other failures.
Fixed a bug when adding private key specs to an already working
MDomain, see <https://github.com/icing/mod_md/issues/260>.
*) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as if they
had no hostname ("unix:/...").
*) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
run into an assertion which terminated (and restarted) the child process where
the task was running. Eventually, all OCSP responses were collected, but not
in the way that things are supposed to work.
See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
The bug was possibly triggered when more than one OCSP status needed updating
at the same time. For example for several renewed certificates after a server
reload.
*) mod_rewrite: Fix UDS ("unix:") scheme for
*) event mpm: Correctly count active child processes in parent process if
child process dies due to MaxConnectionsPerChild.
*) mod_http2: when a server is restarted gracefully, any idle h2 worker
threads are shut down immediately.
Also, change OpenSSL API use for deprecations in OpenSSL 3.0.
Adds all other, never proposed code changes to make a clean
sync of http2 sources.
*) mod_dav: Correctly handle errors returned by dav providers on REPORT
requests.
*) core: do not install core input/output filters on secondary
connections.
*) core: Add ap_pre_connection() as a wrapper to ap_run_pre_connection()
and use it to prevent that failures in running the pre_connection
hook cause crashes afterwards.
*) mod_speling: Add CheckBasenameMatch.
(adam)
diff -r1.103 -r1.104 pkgsrc/www/apache24/Makefile| @@ -1,23 +1,22 @@ | @@ -1,23 +1,22 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.103 2021/09/29 19:01:26 adam Exp $ | 1 | # $NetBSD: Makefile,v 1.104 2021/10/05 19:22:08 adam Exp $ | |
| 2 | # | 2 | # | |
| 3 | # When updating this package, make sure that no strings like | 3 | # When updating this package, make sure that no strings like | |
| 4 | # "PR 12345" are in the commit message. Upstream likes | 4 | # "PR 12345" are in the commit message. Upstream likes | |
| 5 | # to reference their own PRs this way, but this ends up | 5 | # to reference their own PRs this way, but this ends up | |
| 6 | # in NetBSD GNATS. | 6 | # in NetBSD GNATS. | |
| 7 | 7 | |||
| 8 | DISTNAME= httpd-2.4.49 | 8 | DISTNAME= httpd-2.4.50 | |
| 9 | PKGNAME= ${DISTNAME:S/httpd/apache/} | 9 | PKGNAME= ${DISTNAME:S/httpd/apache/} | |
| 10 | PKGREVISION= 1 | |||
| 11 | CATEGORIES= www | 10 | CATEGORIES= www | |
| 12 | MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} | 11 | MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} | |
| 13 | MASTER_SITES+= https://archive.apache.org/dist/httpd/ | 12 | MASTER_SITES+= https://archive.apache.org/dist/httpd/ | |
| 14 | EXTRACT_SUFX= .tar.bz2 | 13 | EXTRACT_SUFX= .tar.bz2 | |
| 15 | 14 | |||
| 16 | MAINTAINER= ryoon@NetBSD.org | 15 | MAINTAINER= ryoon@NetBSD.org | |
| 17 | HOMEPAGE= https://httpd.apache.org/ | 16 | HOMEPAGE= https://httpd.apache.org/ | |
| 18 | COMMENT= Apache HTTP (Web) server, version 2.4 | 17 | COMMENT= Apache HTTP (Web) server, version 2.4 | |
| 19 | LICENSE= apache-2.0 | 18 | LICENSE= apache-2.0 | |
| 20 | 19 | |||
| 21 | BUILD_DEFS+= IPV6_READY | 20 | BUILD_DEFS+= IPV6_READY | |
| 22 | BUILD_DEFS+= VARBASE | 21 | BUILD_DEFS+= VARBASE | |
| 23 | 22 |
| @@ -1,18 +1,18 @@ | @@ -1,18 +1,18 @@ | |||
| 1 | $NetBSD: distinfo,v 1.46 2021/09/17 12:49:57 adam Exp $ | 1 | $NetBSD: distinfo,v 1.47 2021/10/05 19:22:08 adam Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (httpd-2.4.49.tar.bz2) = 17e8efc1b178ce677202d71678e380459594f697 | 3 | SHA1 (httpd-2.4.50.tar.bz2) = 560cea1589d107aa06ae7eabf144316b00338141 | |
| 4 | RMD160 (httpd-2.4.49.tar.bz2) = 73c3e94bdb0da77c833590334a4ac288d782424c | 4 | RMD160 (httpd-2.4.50.tar.bz2) = 5f93e67fccb703318115b921d670d12ec81ad3c8 | |
| 5 | SHA512 (httpd-2.4.49.tar.bz2) = 418e277232cf30a81d02b8554e31aaae6433bbea842bdb81e47a609469395cc4891183fb6ee02bd669edb2392c2007869b19da29f5998b8fd5c7d3142db310dd | 5 | SHA512 (httpd-2.4.50.tar.bz2) = b1afbaf44e503b822ff2b443881dcb44a93aa55d496f88ae399a2e7def05f78590f266a16da1f2c0aac88e463b76fba20843b1e20a102e76c8269de6fae3e158 | |
| 6 | Size (httpd-2.4.49.tar.bz2) = 7199599 bytes | 6 | Size (httpd-2.4.50.tar.bz2) = 7653174 bytes | |
| 7 | SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9 | 7 | SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9 | |
| 8 | SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324 | 8 | SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324 | |
| 9 | SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d | 9 | SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d | |
| 10 | SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157 | 10 | SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157 | |
| 11 | SHA1 (patch-ae) = 5bd3bf54e792bf8a2916d7e1b49b1702b02c6903 | 11 | SHA1 (patch-ae) = 5bd3bf54e792bf8a2916d7e1b49b1702b02c6903 | |
| 12 | SHA1 (patch-ag) = 50c7f0fab1cb90ac573f1c47f2d37f9c2a6247e1 | 12 | SHA1 (patch-ag) = 50c7f0fab1cb90ac573f1c47f2d37f9c2a6247e1 | |
| 13 | SHA1 (patch-ai) = d3870e46e41adc97c3fce86f9ffd224502ad6b0c | 13 | SHA1 (patch-ai) = d3870e46e41adc97c3fce86f9ffd224502ad6b0c | |
| 14 | SHA1 (patch-al) = 02d9ade5aac4270182063d5ad413970c832ee911 | 14 | SHA1 (patch-al) = 02d9ade5aac4270182063d5ad413970c832ee911 | |
| 15 | SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777 | 15 | SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777 | |
| 16 | SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df | 16 | SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df | |
| 17 | SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96 | 17 | SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96 | |
| 18 | SHA1 (patch-modules_filters_mod_substitute.c) = 730af0342b78de04fe51b7dcc3ed057b2b0c3a54 | 18 | SHA1 (patch-modules_filters_mod_substitute.c) = 730af0342b78de04fe51b7dcc3ed057b2b0c3a54 |