mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2025-01-29 10:18:30 +00:00
Code Issues Releases Activity

- update to apache-2.2.25

Browse Source 
- update vuxml with additional CVE-2013-1896 entry

Changes with Apache 2.2.25
  http://www.apache.org/dist/httpd/CHANGES_2.2.25

  *) SECURITY: CVE-2013-1896 (cve.mitre.org)
     mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
     the source href (sent as part of the request body as XML) pointing to a
     URI that is not configured for DAV will trigger a segfault. [Ben Reser
     <ben reser.org>]

  *) SECURITY: CVE-2013-1862 (cve.mitre.org)
     mod_rewrite: Ensure that client data written to the RewriteLog is
     escaped to prevent terminal escape sequences from entering the
     log file.  [Eric Covener, Jeff Trawick, Joe Orton]

  *) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
     strings.  The default limit for ap_pregsub() can be adjusted at compile
      time by defining AP_PREGSUB_MAXLEN.  [Stefan Fritsch, Jeff Trawick]

  *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
     on Linux kernel versions 3.x and above.  PR 55121.  [Bradley Heilbrun
     <apache heilbrun.org>]

  *) mod_setenvif: Log error on substitution overflow.
     [Stefan Fritsch]

  *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
     [Kaspar Brand]

  *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
     forwarding to SSL backends. PR 53134.
     [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]

  *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
     in the error log to debug level.  [William Rowe]

  *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
     with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
     [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]

  *) mod_proxy_balancer: Added balancer parameter failontimeout to allow server
     admin to configure an IO timeout as an error in the balancer.
     [Daniel Ruggeri]

  *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
     password.  [Daniel Ruggeri]

  *) htdigest: Fix buffer overflow when reading digest password file
     with very long lines. PR 54893. [Rainer Jung]

  *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
     [Timothy Wood <tjw omnigroup.com>]

  *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
     we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]

  *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
     result in a 412 Precondition Failed for a COPY operation. PR54610
     [Timothy Wood <tjw omnigroup.com>]

  *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
     property on a resource for which there is no dead property in the same
     namespace httpd segfaults. PR 52559 [Diego Santa Cruz
     <diego.santaCruz spinetix.com>]

  *) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

  *) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

PR:		ports/180248
Submitted by:	Jason Helfman jgh@
This commit is contained in:
Olli Hauer 2013-07-10 19:01:44 +00:00
parent 38c98059bc
commit 5183b40651
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=322728
5 changed files with 18 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
security/vuxml/vuln.xml
View File

@ -121,27 +121,27 @@ Note: Please add new entries to the beginning of this file.
</vuln>
<vuln vid="f3d24aee-e5ad-11e2-b183-20cf30e32f6d">
<topic>apache22 -- mod_rewrite vulnerability</topic>
<topic>apache22 -- several vulnerabilities</topic>
<affects>
<package>
<name>apache22</name>
<range><gt>2.2.0</gt><lt>2.2.24_1</lt></range>
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
<package>
<name>apache22-event-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.24_1</lt></range>
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
<package>
<name>apache22-itk-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.24_1</lt></range>
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
<package>
<name>apache22-peruser-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.24_1</lt></range>
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
<package>
<name>apache22-worker-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.24_1</lt></range>
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
</affects>
<description>
@ -153,16 +153,21 @@ Note: Please add new entries to the beginning of this file.
non-printable characters, which might allow remote attackers to
execute arbitrary commands via an HTTP request containing an
escape sequence for a terminal emulator.</p>
<p>mod_dav: Sending a MERGE request against a URI handled by
mod_dav_svn with the source href (sent as part of the request
body as XML) pointing to a URI that is not configured for DAV
will trigger a segfault.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1862</cvename>
<cvename>CVE-2013-1896</cvename>
</references>
<dates>
<discovery>2013-06-21</discovery>
<entry>2013-07-05</entry>
<modified>2013-07-06</modified>
<modified>2013-07-10</modified>
</dates>
</vuln>

6
www/apache22/Makefile
View File

@ -1,8 +1,8 @@
# $FreeBSD$
PORTNAME= apache22
PORTVERSION= 2.2.24
PORTREVISION?= 1
PORTVERSION= 2.2.25
#PORTREVISION?= 1
CATEGORIES= www ipv6
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD}
DISTNAME= httpd-${PORTVERSION}
@ -98,7 +98,7 @@ IGNORE= suEXEC resource limit patch requires mod_suexec.\
.endif
.if ${PORT_OPTIONS:MSUEXEC_USERDIR}
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-suexec_userdir
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-suexec_userdir
. if empty(PORT_OPTIONS:MSUEXEC)
IGNORE= suEXEC UserDir patch requires mod_suexec.\
Please (re)run 'make config' and choose SUEXEC option also

2
www/apache22/Makefile.modules
View File

@ -72,7 +72,7 @@ LATEST_LINK= apache22-${WITH_MPM}-mpm
.if ${WITH_MPM} == "worker" || ${WITH_MPM} == "event"
PORT_OPTIONS+= CGID
.if ${PORT_OPTIONS:MCGI}
IGNORE= When using a multi-threaded MPM, the module CGID should be used in place CGI. \
IGNORE= When using a multi-threaded MPM, the module CGID should be used in place CGI. \
Please de-select CGI and select CGID instead. \
See http://httpd.apache.org/docs/2.2/mod/mod_cgi.html
.endif

4
www/apache22/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (apache22/httpd-2.2.24.tar.bz2) = 0453f5d2d7e3b1975a1c6a8a22b6d6ff768715a3b0a89b51e5f7b5851628fad7
SIZE (apache22/httpd-2.2.24.tar.bz2) = 5490439
SHA256 (apache22/httpd-2.2.25.tar.bz2) = 4bcaf3524796a514b31aa5c64ce80b0cdb484bab5735416de29d00f6d50fa65a
SIZE (apache22/httpd-2.2.25.tar.bz2) = 5524905

27
www/apache22/files/patch-modules__mappers__mod_rewrite.c
View File

@ -1,27 +0,0 @@
--- ./modules/mappers/mod_rewrite.c.orig 2013-02-18 22:31:42.000000000 +0100
+++ ./modules/mappers/mod_rewrite.c 2013-05-14 16:41:30.000000000 +0200
@@ -500,11 +500,11 @@
logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
"(%d) %s%s%s%s" APR_EOL_STR,
- rhost ? rhost : "UNKNOWN-HOST",
- rname ? rname : "-",
- r->user ? (*r->user ? r->user : "\"\"") : "-",
+ rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST",
+ rname ? ap_escape_logitem(r->pool, rname) : "-",
+ r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-",
current_logtime(r),
- ap_get_server_name(r),
+ ap_escape_logitem(r->pool, ap_get_server_name(r)),
(void *)(r->server),
(void *)r,
r->main ? "subreq" : "initial",
@@ -514,7 +514,7 @@
perdir ? "[perdir " : "",
perdir ? perdir : "",
perdir ? "] ": "",
- text);
+ ap_escape_logitem(r->pool, text));
nbytes = strlen(logline);
apr_file_write(conf->rewritelogfp, logline, &nbytes);