[Midnightbsd-cvs] mports [21481] trunk/www/apache24: apache 2.4.23
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Tue Jul 26 21:59:21 EDT 2016
Revision: 21481
http://svnweb.midnightbsd.org/mports/?rev=21481
Author: laffer1
Date: 2016-07-26 21:59:20 -0400 (Tue, 26 Jul 2016)
Log Message:
-----------
apache 2.4.23
Modified Paths:
--------------
trunk/www/apache24/Makefile
trunk/www/apache24/distinfo
Added Paths:
-----------
trunk/www/apache24/files/patch-httpoxy
Removed Paths:
-------------
trunk/www/apache24/files/patch-modules_ssl_ssl__engine__io.c
Modified: trunk/www/apache24/Makefile
===================================================================
--- trunk/www/apache24/Makefile 2016-06-23 22:59:48 UTC (rev 21480)
+++ trunk/www/apache24/Makefile 2016-07-27 01:59:20 UTC (rev 21481)
@@ -1,7 +1,7 @@
# $MidnightBSD$
PORTNAME= apache24
-PORTVERSION= 2.4.18
+PORTVERSION= 2.4.23
PORTREVISION= 0
CATEGORIES= www ipv6
MASTER_SITES= APACHE_HTTPD
Modified: trunk/www/apache24/distinfo
===================================================================
--- trunk/www/apache24/distinfo 2016-06-23 22:59:48 UTC (rev 21480)
+++ trunk/www/apache24/distinfo 2016-07-27 01:59:20 UTC (rev 21481)
@@ -1,2 +1,3 @@
-SHA256 (apache24/httpd-2.4.18.tar.bz2) = 0644b050de41f5c9f67c825285049b144690421acb709b06fe53eddfa8a9fd4c
-SIZE (apache24/httpd-2.4.18.tar.bz2) = 5181291
+TIMESTAMP = 1467307196
+SHA256 (apache24/httpd-2.4.23.tar.bz2) = 0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58
+SIZE (apache24/httpd-2.4.23.tar.bz2) = 6351875
Added: trunk/www/apache24/files/patch-httpoxy
===================================================================
--- trunk/www/apache24/files/patch-httpoxy (rev 0)
+++ trunk/www/apache24/files/patch-httpoxy 2016-07-27 01:59:20 UTC (rev 21481)
@@ -0,0 +1,63 @@
+https://www.apache.org/security/asf-httpoxy-response.txt
+
+Apache HTTP Server may be configured to proxy HTTP requests as a forward
+or reverse (gateway) proxy server, can proxy requests to a FastCGI service
+using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi
+or mod_cgid or the related mod_isapi service. The project's mod_fcgid
+subproject (available as a separate add-in module) directly manages CGI
+scripts using the FastCGI protocol.
+
+It may also be configured to directly host a number of external modules
+which run CGI-style applications in-process. The server itself does not
+modify the CGI environment in this case, however, these external modules
+may perform such modifications of their environment variables in-process.
+Such examples include mod_php, mod_perl and mod_wsgi.
+
+To mitigate "httpoxy" issues across all of the above mechanisms, the most
+direct solution is to drop any "Proxy:" header arriving from an upstream
+proxy server or the origin user-agent. this will mitigate the issue for any
+vulnerable back-end server or CGI across all traffic through this server.
+
+The two lines below enabled in the httpd.conf file will remove the "Proxy:"
+header from all incoming requests, before further processing;
+
+ LoadModule headers_module {path-to}/mod_headers.so
+
+ RequestHeader unset Proxy early
+
+(Users who have mod_headers compiled-in to the httpd binary must omit
+the LoadModule directive above, others must adjust the {path-to} to point
+to the mod_headers.so file.)
+
+If the administrator wishes to preserve the value of the "Proxy:" header
+for most traffic, and only eliminate it from the CGI environment variable
+HTTP_PROXY, a second mitigation is offered. This patch will address this
+behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid,
+along with all other consumers of httpd's built-in environment handling.
+
+The bundled httpd modules all rely on ap_add_common_vars() to set up the
+target CGI environment. The project will include the recommended patch
+below in all subsequent releases of httpd, including 2.4.24 and 2.2.32.
+Users who build httpd 2.2.x or 2.4.x from source may apply the patch below,
+recompile and re-install httpd to obtain this mitigation. This migitation
+has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>.
+
+======= Patch to httpd sources 2.4.x and 2.2.x =======
+
+--- server/util_script.c (revision 1752426)
++++ server/util_script.c (working copy)
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+ }
++ /* HTTP_PROXY collides with a popular envvar used to configure
++ * proxies, don't let clients set/override it. But, if you must...
++ */
++#ifndef SECURITY_HOLE_PASS_PROXY
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++ ;
++ }
++#endif
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them
Property changes on: trunk/www/apache24/files/patch-httpoxy
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Deleted: trunk/www/apache24/files/patch-modules_ssl_ssl__engine__io.c
===================================================================
--- trunk/www/apache24/files/patch-modules_ssl_ssl__engine__io.c 2016-06-23 22:59:48 UTC (rev 21480)
+++ trunk/www/apache24/files/patch-modules_ssl_ssl__engine__io.c 2016-07-27 01:59:20 UTC (rev 21481)
@@ -1,17 +0,0 @@
-Backport openssl 0.9.8x patch:
-http://svn.apache.org/r1719967
-
-For discussion see:
-http://marc.info/?t=145011265700003&r=1&w=2
-===============================================================
---- modules/ssl/ssl_engine_io.c.orig 2015-11-19 19:55:25 UTC
-+++ modules/ssl/ssl_engine_io.c
-@@ -217,7 +217,7 @@ static int bio_filter_out_write(BIO *bio
- * so limit the performance impact to handshake time.
- */
- #if OPENSSL_VERSION_NUMBER < 0x0009080df
-- need_flush = !SSL_is_init_finished(outctx->filter_ctx->pssl)
-+ need_flush = !SSL_is_init_finished(outctx->filter_ctx->pssl);
- #else
- need_flush = SSL_in_connect_init(outctx->filter_ctx->pssl);
- #endif
More information about the Midnightbsd-cvs
mailing list