Fri Oct 8 13:37:27 2021 UTC
Pullup ticket #6506 - requested by taca
apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.105
- www/apache24/distinfo                                         1.49

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Thu Oct  7 19:05:25 UTC 2021

   Modified Files:
   	pkgsrc/www/apache24: Makefile distinfo

   Log Message:
   apache24: updated to 2.4.51

   Changes with Apache 2.4.51

   *) SECURITY: CVE-2021-42013: Path Traversal and Remote Code
      Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
      fix of CVE-2021-41773) (cve.mitre.org)
      It was found that the fix for CVE-2021-41773 in Apache HTTP
      Server 2.4.50 was insufficient.  An attacker could use a path
      traversal attack to map URLs to files outside the directories
      configured by Alias-like directives.
      If files outside of these directories are not protected by the
      usual default configuration "require all denied", these requests
      can succeed. If CGI scripts are also enabled for these aliased
      paths, this could allow for remote code execution.
      This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
      earlier versions.

   *) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
      unused AP_NORMALIZE_DROP_PARAMETERS flag.


(bsiegert)
diff -r1.101.2.1 -r1.101.2.2 pkgsrc/www/apache24/Makefile
diff -r1.46.2.1 -r1.46.2.2 pkgsrc/www/apache24/distinfo
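
The exposure conditions in the changelog entry above (affected version, no "Require all denied" on the filesystem root, CGI enabled) can be checked on a host with a small audit. This is an added example, not part of the commit or of Apache; the function names and both sample configurations are constructed, and it assumes a single config file with no Include following and no legacy Order/Deny syntax.

```python
import re

AFFECTED = {"2.4.49", "2.4.50"}  # versions named in the changelog entry

# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """
<Directory />
    AllowOverride none
    Require all granted
</Directory>
ScriptAlias /cgi-bin/ "/usr/pkg/libexec/cgi-bin/"
"""
HARDENED_CONF = """
<Directory "/">
    AllowOverride none
    # Require all granted
    Require all denied
</Directory>
"""

# <Directory /> or <Directory "/"> only, not deeper paths.
ROOT_BLOCK = re.compile(r'<Directory\s+"?/"?\s*>(.*?)</Directory>', re.I | re.S)
DENY_ALL = re.compile(r'^\s*Require\s+all\s+denied\s*$', re.I | re.M)
# CGI turned on by ScriptAlias[Match], Options ExecCGI (not -ExecCGI), or a handler.
CGI = re.compile(
    r'^\s*(ScriptAlias\w*\s|Options\b.*(?<!-)\bExecCGI\b|(Add|Set)Handler\s+cgi-script)',
    re.I | re.M)

def strip_comments(conf):
    """Drop whole-line '#' comments so disabled directives are ignored."""
    return "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))

def audit(version, conf):
    """Return findings for one httpd version string and its config text."""
    conf = strip_comments(conf)
    findings = []
    if version in AFFECTED:
        findings.append("version affected: upgrade to 2.4.51")
    root_blocks = ROOT_BLOCK.findall(conf)
    if not any(DENY_ALL.search(b) for b in root_blocks):
        findings.append('no "Require all denied" on <Directory />')
        if CGI.search(conf):
            findings.append("CGI enabled: traversal could reach code execution")
    return findings
```

A hardened configuration on 2.4.49 or 2.4.50 still reports the version finding, since the default deny limits the impact but does not remove the flaw.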

cvs diff -r1.101.2.1 -r1.101.2.2 pkgsrc/www/apache24/Makefile

--- pkgsrc/www/apache24/Makefile 2021/10/06 21:59:03 1.101.2.1
+++ pkgsrc/www/apache24/Makefile 2021/10/08 13:37:27 1.101.2.2
@@ -1,21 +1,21 @@ @@ -1,21 +1,21 @@
1# $NetBSD: Makefile,v 1.101.2.1 2021/10/06 21:59:03 tm Exp $ 1# $NetBSD: Makefile,v 1.101.2.2 2021/10/08 13:37:27 bsiegert Exp $
2# 2#
3# When updating this package, make sure that no strings like 3# When updating this package, make sure that no strings like
4# "PR 12345" are in the commit message. Upstream likes 4# "PR 12345" are in the commit message. Upstream likes
5# to reference their own PRs this way, but this ends up 5# to reference their own PRs this way, but this ends up
6# in NetBSD GNATS. 6# in NetBSD GNATS.
7 7
8DISTNAME= httpd-2.4.50 8DISTNAME= httpd-2.4.51
9PKGNAME= ${DISTNAME:S/httpd/apache/} 9PKGNAME= ${DISTNAME:S/httpd/apache/}
10CATEGORIES= www 10CATEGORIES= www
11MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} 11MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/}
12MASTER_SITES+= https://archive.apache.org/dist/httpd/ 12MASTER_SITES+= https://archive.apache.org/dist/httpd/
13EXTRACT_SUFX= .tar.bz2 13EXTRACT_SUFX= .tar.bz2
14 14
15MAINTAINER= ryoon@NetBSD.org 15MAINTAINER= ryoon@NetBSD.org
16HOMEPAGE= https://httpd.apache.org/ 16HOMEPAGE= https://httpd.apache.org/
17COMMENT= Apache HTTP (Web) server, version 2.4 17COMMENT= Apache HTTP (Web) server, version 2.4
18LICENSE= apache-2.0 18LICENSE= apache-2.0
19 19
20BUILD_DEFS+= IPV6_READY 20BUILD_DEFS+= IPV6_READY
21BUILD_DEFS+= VARBASE 21BUILD_DEFS+= VARBASE
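Review bot: the pullup summary says only "apache24: security fix" while line 8 moves DISTNAME off httpd-2.4.50, a version the quoted changelog lists as affected by CVE-2021-42013; naming the CVE in the ticket summary would let branch users match this revision to the advisory. The change is limited to DISTNAME, and PKGNAME on line 9 follows it through ${DISTNAME:S/httpd/apache/}, so nothing else in the visible 21 lines needs touching.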

cvs diff -r1.46.2.1 -r1.46.2.2 pkgsrc/www/apache24/distinfo

--- pkgsrc/www/apache24/distinfo 2021/10/06 21:59:03 1.46.2.1
+++ pkgsrc/www/apache24/distinfo 2021/10/08 13:37:27 1.46.2.2
@@ -1,18 +1,17 @@ @@ -1,18 +1,17 @@
1$NetBSD: distinfo,v 1.46.2.1 2021/10/06 21:59:03 tm Exp $ 1$NetBSD: distinfo,v 1.46.2.2 2021/10/08 13:37:27 bsiegert Exp $
2 2
3SHA1 (httpd-2.4.50.tar.bz2) = 560cea1589d107aa06ae7eabf144316b00338141 3RMD160 (httpd-2.4.51.tar.bz2) = 339cf2df89613855dc44affe6296ba1b1652db14
4RMD160 (httpd-2.4.50.tar.bz2) = 5f93e67fccb703318115b921d670d12ec81ad3c8 4SHA512 (httpd-2.4.51.tar.bz2) = 9fb07c4b176f5c0485a143e2b1bb1085345ca9120b959974f68c37a8911a57894d2cb488b1b42fdf3102860b99e890204f5e9fa7ae3828b481119c563812cc66
5SHA512 (httpd-2.4.50.tar.bz2) = b1afbaf44e503b822ff2b443881dcb44a93aa55d496f88ae399a2e7def05f78590f266a16da1f2c0aac88e463b76fba20843b1e20a102e76c8269de6fae3e158 5Size (httpd-2.4.51.tar.bz2) = 7653609 bytes
6Size (httpd-2.4.50.tar.bz2) = 7653174 bytes 
7SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9 6SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
8SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324 7SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
9SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d 8SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d
10SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157 9SHA1 (patch-ad) = 4ba4a9c812951f533fa316e5dbf17eaab5494157
11SHA1 (patch-ae) = 5bd3bf54e792bf8a2916d7e1b49b1702b02c6903 10SHA1 (patch-ae) = 5bd3bf54e792bf8a2916d7e1b49b1702b02c6903
12SHA1 (patch-ag) = 50c7f0fab1cb90ac573f1c47f2d37f9c2a6247e1 11SHA1 (patch-ag) = 50c7f0fab1cb90ac573f1c47f2d37f9c2a6247e1
13SHA1 (patch-ai) = d3870e46e41adc97c3fce86f9ffd224502ad6b0c 12SHA1 (patch-ai) = d3870e46e41adc97c3fce86f9ffd224502ad6b0c
14SHA1 (patch-al) = 02d9ade5aac4270182063d5ad413970c832ee911 13SHA1 (patch-al) = 02d9ade5aac4270182063d5ad413970c832ee911
15SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777 14SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
16SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df 15SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
17SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96 16SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
18SHA1 (patch-modules_filters_mod_substitute.c) = 730af0342b78de04fe51b7dcc3ed057b2b0c3a54 17SHA1 (patch-modules_filters_mod_substitute.c) = 730af0342b78de04fe51b7dcc3ed057b2b0c3a54
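Review bot: on the distfile lines (old 3-6, new 3-5) the SHA1 entry for the tarball is dropped rather than replaced, leaving only RMD160 and SHA512 for httpd-2.4.51.tar.bz2; please confirm that is intended for this branch and that "make checksum" there accepts a distinfo without it. The SHA1 values of all twelve patch entries are unchanged, so the patch files were not touched; a line in the log saying they were checked to still apply to 2.4.51 would help.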