head 1.6; access; symbols pkgsrc-2013Q2:1.6.0.8 pkgsrc-2013Q2-base:1.6 pkgsrc-2012Q4:1.6.0.6 pkgsrc-2012Q4-base:1.6 pkgsrc-2011Q4:1.6.0.4 pkgsrc-2011Q4-base:1.6 pkgsrc-2011Q2:1.6.0.2 pkgsrc-2011Q2-base:1.6 pkgsrc-2010Q3:1.5.0.24 pkgsrc-2010Q3-base:1.5 pkgsrc-2010Q2:1.5.0.22 pkgsrc-2010Q2-base:1.5 pkgsrc-2010Q1:1.5.0.20 pkgsrc-2010Q1-base:1.5 pkgsrc-2009Q4:1.5.0.18 pkgsrc-2009Q4-base:1.5 pkgsrc-2009Q3:1.5.0.16 pkgsrc-2009Q3-base:1.5 pkgsrc-2009Q2:1.5.0.14 pkgsrc-2009Q2-base:1.5 pkgsrc-2009Q1:1.5.0.12 pkgsrc-2009Q1-base:1.5 pkgsrc-2008Q4:1.5.0.10 pkgsrc-2008Q4-base:1.5 pkgsrc-2008Q3:1.5.0.8 pkgsrc-2008Q3-base:1.5 cube-native-xorg:1.5.0.6 cube-native-xorg-base:1.5 pkgsrc-2008Q2:1.5.0.4 pkgsrc-2008Q2-base:1.5 cwrapper:1.5.0.2 pkgsrc-2008Q1:1.4.0.6 pkgsrc-2008Q1-base:1.4 pkgsrc-2007Q4:1.4.0.4 pkgsrc-2007Q4-base:1.4 pkgsrc-2007Q3:1.4.0.2 pkgsrc-2007Q3-base:1.4 pkgsrc-2007Q2:1.3.0.2 pkgsrc-2007Q2-base:1.3 pkgsrc-2007Q1:1.2.0.28 pkgsrc-2007Q1-base:1.2 pkgsrc-2006Q4:1.2.0.26 pkgsrc-2006Q4-base:1.2 pkgsrc-2006Q3:1.2.0.24 pkgsrc-2006Q3-base:1.2 pkgsrc-2006Q2:1.2.0.22 pkgsrc-2006Q2-base:1.2 pkgsrc-2006Q1:1.2.0.20 pkgsrc-2006Q1-base:1.2 pkgsrc-2005Q4:1.2.0.18 pkgsrc-2005Q4-base:1.2 pkgsrc-2005Q3:1.2.0.16 pkgsrc-2005Q3-base:1.2 pkgsrc-2005Q2:1.2.0.14 pkgsrc-2005Q2-base:1.2 pkgsrc-2005Q1:1.2.0.12 pkgsrc-2005Q1-base:1.2 pkgsrc-2004Q4:1.2.0.10 pkgsrc-2004Q4-base:1.2 pkgsrc-2004Q3:1.2.0.8 pkgsrc-2004Q3-base:1.2 pkgsrc-2004Q2:1.2.0.6 pkgsrc-2004Q2-base:1.2 pkgsrc-2004Q1:1.2.0.4 pkgsrc-2004Q1-base:1.2 pkgsrc-2003Q4:1.2.0.2 pkgsrc-2003Q4-base:1.2; locks; strict; comment @# @; 1.6 date 2010.11.01.18.03.04; author adam; state dead; branches; next 1.5; 1.5 date 2008.06.20.13.28.08; author he; state Exp; branches; next 1.4; 1.4 date 2007.09.07.23.28.23; author tron; state dead; branches 1.4.6.1; next 1.3; 1.3 date 2007.06.28.01.49.04; author lkundrak; state Exp; branches 1.3.2.1; next 1.2; 1.2 date 2003.05.25.08.58.11; author epg; state dead; branches; next 1.1; 1.1 date 
2003.04.03.08.29.00; author itojun; state Exp; branches; next ;

1.4.6.1 date 2008.06.25.10.35.41; author tron; state Exp; branches; next ;

1.3.2.1 date 2007.09.08.09.54.46; author ghen; state dead; branches; next ;

desc @@

1.6 log
@Changes 2.0.64:
* SECURITY: CVE-2010-1452 (cve.mitre.org) mod_dav: Fix Handling of requests without a path segment.
* SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects.
* SECURITY: CVE-2009-3095 (cve.mitre.org) mod_proxy_ftp: sanity check authn credentials.
* SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths.
* SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol, RFC 5746.
* SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: A partial fix for the TLS renegotiation prefix injection attack for OpenSSL versions prior to 0.9.8l; reject any client-initiated renegotiations. Forcibly disable keepalive for the connection if there is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using openssl 0.9.8l or later.
* SECURITY: CVE-2010-0434 (cve.mitre.org) Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Eliminates a problematic optimization in the case of no request body.
* SECURITY: CVE-2008-2364 (cve.mitre.org) mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage.
* SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. * SECURITY: CVE-2008-2939 (cve.mitre.org) mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. * Fix recursive ErrorDocument handling. * mod_ssl: Do not do overlapping memcpy. * Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass through on a 304 response. * apxs: Fix -A and -a options to ignore whitespace in httpd.conf @ text @$NetBSD: patch-ap,v 1.5 2008/06/20 13:28:08 he Exp $ This is directly from http://www.apache.org/dist/httpd/patches/apply_to_2.0.63/CVE-2008-2364-patch-2.0.txt and as the name indicates a security-related patch. Index: modules/proxy/proxy_http.c =================================================================== --- modules/proxy/proxy_http.c (revision 666240) +++ modules/proxy/proxy_http.c (working copy) @@@@ -1290,6 +1290,16 @@@@ return 1; } +/* + * Limit the number of interim respones we sent back to the client. Otherwise + * we suffer from a memory build up. Besides there is NO sense in sending back + * an unlimited number of interim responses to the client. Thus if we cross + * this limit send back a 502 (Bad Gateway). 
+ */ +#ifndef AP_MAX_INTERIM_RESPONSES +#define AP_MAX_INTERIM_RESPONSES 10 +#endif + static apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, proxy_http_conn_t *p_conn, @@@@ -1322,7 +1332,7 @@@@ */ rp->proxyreq = PROXYREQ_RESPONSE; - while (received_continue) { + while (received_continue && (received_continue <= AP_MAX_INTERIM_RESPONSES)) { apr_brigade_cleanup(bb); len = ap_getline(buffer, sizeof(buffer), rp, 0); @@@@ -1440,7 +1450,9 @@@@ if ((buf = apr_table_get(r->headers_out, "Content-Type"))) { ap_set_content_type(r, apr_pstrdup(p, buf)); } - ap_proxy_pre_http_request(origin,rp); + if (!ap_is_HTTP_INFO(r->status)) { + ap_proxy_pre_http_request(origin, rp); + } /* handle Via header in response */ if (conf->viaopt != via_off && conf->viaopt != via_block) { @@@@ -1486,6 +1498,7 @@@@ if ( r->status != HTTP_CONTINUE ) { received_continue = 0; } else { + received_continue++; ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "proxy: HTTP: received 100 CONTINUE"); } @@@@ -1622,6 +1635,14 @@@@ } } + /* See define of AP_MAX_INTERIM_RESPONSES for why */ + if (received_continue > AP_MAX_INTERIM_RESPONSES) { + return ap_proxyerror(r, HTTP_BAD_GATEWAY, + apr_psprintf(p, + "Too many (%d) interim responses from origin server", + received_continue)); + } + if ( conf->error_override ) { /* the code above this checks for 'OK' which is what the hook expects */ if ( r->status == HTTP_OK ) @ 1.5 log @Apply the patch for CVE-2008-2364 from apache. Bump pkg revision. @ text @d1 1 a1 1 $NetBSD$ @ 1.4 log @Remove obsolete patch files. @ text @d1 1 a1 1 $NetBSD: patch-ap,v 1.3 2007/06/28 01:49:04 lkundrak Exp $ d3 3 a5 1 Fix for CVE-2006-5752 XSS in mod_status with ExtendedStatus on. 
d7 7 a13 5 --- modules/generators/mod_status.c.orig 2006-07-12 09:40:55.000000000 +0200 +++ modules/generators/mod_status.c @@@@ -269,7 +269,7 @@@@ static int status_handler(request_rec *r if (r->method_number != M_GET) return DECLINED; d15 16 a30 2 - ap_set_content_type(r, "text/html"); + ap_set_content_type(r, "text/html; charset=ISO-8859-1"); d32 39 a70 31 /* * Simple table-driven form data set parser that lets you alter the header @@@@ -298,7 +298,7 @@@@ static int status_handler(request_rec *r no_table_report = 1; break; case STAT_OPT_AUTO: - ap_set_content_type(r, "text/plain"); + ap_set_content_type(r, "text/plain; charset=ISO-8859-1"); short_report = 1; break; } @@@@ -664,7 +664,8 @@@@ static int status_handler(request_rec *r ap_escape_html(r->pool, ws_record->client), ap_escape_html(r->pool, - ws_record->request), + ap_escape_logitem(r->pool, + ws_record->request)), ap_escape_html(r->pool, ws_record->vhost)); } @@@@ -753,7 +754,8 @@@@ static int status_handler(request_rec *r ap_escape_html(r->pool, ws_record->vhost), ap_escape_html(r->pool, - ws_record->request)); + ap_escape_logitem(r->pool, + ws_record->request))); } /* no_table_report */ } /* for (j...) */ } /* for (i...) */ @ 1.4.6.1 log @Pullup ticket #2434 - requested by he Security patch for apache2 Revisions pulled up: - www/apache2/Makefile.common 1.25 - www/apache2/distinfo 1.53 - www/apache2/patches/patch-ap 1.5 --- Module Name: pkgsrc Committed By: he Date: Fri Jun 20 13:28:08 UTC 2008 Modified Files: pkgsrc/www/apache2: Makefile.common distinfo Added Files: pkgsrc/www/apache2/patches: patch-ap Log Message: Apply the patch for CVE-2008-2364 from apache. Bump pkg revision. @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 3 This is directly from http://www.apache.org/dist/httpd/patches/apply_to_2.0.63/CVE-2008-2364-patch-2.0.txt and as the name indicates a security-related patch. 
d5 5 a9 7 Index: modules/proxy/proxy_http.c =================================================================== --- modules/proxy/proxy_http.c (revision 666240) +++ modules/proxy/proxy_http.c (working copy) @@@@ -1290,6 +1290,16 @@@@ return 1; } d11 2 a12 16 +/* + * Limit the number of interim respones we sent back to the client. Otherwise + * we suffer from a memory build up. Besides there is NO sense in sending back + * an unlimited number of interim responses to the client. Thus if we cross + * this limit send back a 502 (Bad Gateway). + */ +#ifndef AP_MAX_INTERIM_RESPONSES +#define AP_MAX_INTERIM_RESPONSES 10 +#endif + static apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, proxy_http_conn_t *p_conn, @@@@ -1322,7 +1332,7 @@@@ */ rp->proxyreq = PROXYREQ_RESPONSE; d14 31 a44 39 - while (received_continue) { + while (received_continue && (received_continue <= AP_MAX_INTERIM_RESPONSES)) { apr_brigade_cleanup(bb); len = ap_getline(buffer, sizeof(buffer), rp, 0); @@@@ -1440,7 +1450,9 @@@@ if ((buf = apr_table_get(r->headers_out, "Content-Type"))) { ap_set_content_type(r, apr_pstrdup(p, buf)); } - ap_proxy_pre_http_request(origin,rp); + if (!ap_is_HTTP_INFO(r->status)) { + ap_proxy_pre_http_request(origin, rp); + } /* handle Via header in response */ if (conf->viaopt != via_off && conf->viaopt != via_block) { @@@@ -1486,6 +1498,7 @@@@ if ( r->status != HTTP_CONTINUE ) { received_continue = 0; } else { + received_continue++; ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "proxy: HTTP: received 100 CONTINUE"); } @@@@ -1622,6 +1635,14 @@@@ } } + /* See define of AP_MAX_INTERIM_RESPONSES for why */ + if (received_continue > AP_MAX_INTERIM_RESPONSES) { + return ap_proxyerror(r, HTTP_BAD_GATEWAY, + apr_psprintf(p, + "Too many (%d) interim responses from origin server", + received_continue)); + } + if ( conf->error_override ) { /* the code above this checks for 'OK' which is what the hook expects */ if ( r->status == HTTP_OK ) @ 1.3 log @Fixes for 
security issues and PKGREVISION bump;
CVE-2006-5752 XSS in mod_status with ExtendedStatus on
CVE-2007-1863 remote crash when mod_cache enabled
@
text @d1 1 a1 1 $NetBSD$ @

1.3.2.1 log
@Pullup ticket 2184 - requested by tron
security update for apache2
- pkgsrc/devel/apr0/Makefile 1.3
- pkgsrc/devel/apr0/distinfo 1.2
- pkgsrc/www/apache2/Makefile 1.118
- pkgsrc/www/apache2/Makefile.common 1.22
- pkgsrc/www/apache2/PLIST 1.35
- pkgsrc/www/apache2/distinfo 1.51
- pkgsrc/www/apache2/patches/patch-ap removed
- pkgsrc/www/apache2/patches/patch-aq removed

Module Name: pkgsrc
Committed By: tron
Date: Fri Sep 7 23:11:41 UTC 2007
Modified Files:
pkgsrc/devel/apr0: Makefile distinfo
pkgsrc/www/apache2: Makefile Makefile.common PLIST distinfo
Log Message:
Update "apr" package to version 0.9.16.2.0.61 and "apache2" package to version 2.0.61. This update is a bug and security fix release. The following security problem hasn't been fixed in "pkgsrc" before:
- CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers.
---
Module Name: pkgsrc
Committed By: tron
Date: Fri Sep 7 23:28:23 UTC 2007
Removed Files:
pkgsrc/www/apache2/patches: patch-ap patch-aq
Log Message:
Remove obsolete patch files.
@
text @d1 1 a1 1 $NetBSD: patch-ap,v 1.3 2007/06/28 01:49:04 lkundrak Exp $ @

1.2 log
@Split some stuff out into a new Makefile.common so that the new devel/apr package can use it. Depend on the new apr package. Approved by jlam@@netbsd.org.
@ text @d1 1 a1 1 $NetBSD: patch-ap,v 1.1 2003/04/03 08:29:00 itojun Exp $ d3 42 a44 20 --- srclib/apr-util/config.layout.orig Thu Apr 3 17:15:08 2003 +++ srclib/apr-util/config.layout Thu Apr 3 17:14:15 2003 @@@@ -229,3 +229,17 @@@@ infodir: ${exec_prefix}/share/info libsuffix -${APRUTIL_MAJOR_VERSION} + +# NetBSD (pkgsrc) layout + + prefix: /usr/pkg + exec_prefix: ${prefix} + bindir: ${exec_prefix}/bin + sbindir: ${exec_prefix}/sbin + libexecdir: ${exec_prefix}/lib/httpd + mandir: ${prefix}/man + datadir: ${prefix}/share/httpd + includedir: ${prefix}/include/apr + localstatedir: /var + runtimedir: ${localstatedir}/run + @ 1.1 log @forgot to add @ text @d1 1 a1 1 $NetBSD$ @
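
Review bot: AP_MAX_INTERIM_RESPONSES, added by the hunk at -1290,6 of modules/proxy/proxy_http.c, is a compile-time constant only. The #ifndef guard lets a builder override the default of 10, but the comment does not say so and nothing here makes it a runtime setting, so changing the limit means rebuilding. State that in the comment, and fix its wording while there: "respones" should be "responses" and "we sent back" should be "we send back".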
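
Review bot: the loop condition in the hunk at -1322,7 of modules/proxy/proxy_http.c uses received_continue both as the keep-looping flag and as the count compared against AP_MAX_INTERIM_RESPONSES. The effective bound then depends on the variable's initial value, which this patch does not show. A separate counter, with received_continue left as a plain flag, would make the limit readable from the condition alone and would not shift by one if the initialisation ever changes.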
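
Review bot: received_continue++ in the hunk at -1486,6 of modules/proxy/proxy_http.c sits in the else branch of "if ( r->status != HTTP_CONTINUE )", so only 100 Continue responses are counted. The constant's comment and the 502 message both speak of interim responses in general, and the hunk at -1440,7 tests ap_is_HTTP_INFO(r->status). Any other 1xx status sets received_continue to 0 and ends the loop without being counted. Either count on ap_is_HTTP_INFO here as well, or name and document the limit as applying to 100 Continue only.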
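
Review bot: the charset is written as a string literal in the hunk at -269,7 of modules/generators/mod_status.c ("text/html; charset=ISO-8859-1") and again in the hunk at -298,7 for text/plain. A single macro for the charset suffix, with a one-line comment tying it to the CVE-2006-5752 fix, would keep the two content types from drifting apart and tell a later reader why the charset must stay explicit.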
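
Review bot: in the hunk at -664,7 of modules/generators/mod_status.c, ws_record->request now goes through ap_escape_logitem and then ap_escape_html, while ws_record->client and ws_record->vhost beside it still get ap_escape_html only. Add a comment saying why the request field needs the extra pass and whether the other two fields were considered. The hunk at -753,7 repeats the same nested call, so a small helper would keep both call sites in step.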