From 4b2246e47e421dda60661ec978505e8f04efd4f2 Mon Sep 17 00:00:00 2001 
From: Lucas Holt
Date: Sun, 16 Aug 2020 13:46:50 -0400
Subject: [PATCH] Update apache to 2.4.46
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Changes with Apache 2.4.46

  *) SECURITY: CVE-2020-11984 (cve.mitre.org)
     mod_proxy_uwsgi: Malicious request may result in information disclosure
     or RCE of existing file on the server running under a malicious process
     environment. [Yann Ylavic]

  *) SECURITY: CVE-2020-11993 (cve.mitre.org)
     mod_http2: when throttling connection requests, log statements were
     possibly made that result in concurrent, unsafe use of a memory pool.
     [Stefan Eissing]

  *) SECURITY: mod_http2: a specially crafted value for the 'Cache-Digest'
     header request would result in a crash when the server actually tries to
     HTTP/2 PUSH a resource afterwards.
     [Stefan Eissing, Eric Covener, Christophe Jaillet]

  *) mod_proxy_fcgi: Fix build warnings for Windows platform

Changes with Apache 2.4.45

  *) mod_http2: remove support for abandoned http-wg draft .
     [Stefan Eissing]

Changes with Apache 2.4.44

  *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard protocol
     limit). [Yann Ylavic]

  *) mod_http2: Fixes : "LimitRequestFields 0" now disables the limit, as
     documented. Fixes : Do not count repeated headers with same name against
     the field count limit. They are merged internally, as if sent in a single
     HTTP/1 line. [Stefan Eissing]

  *) mod_http2: Avoid segfaults in case of handling certain responses for
     already aborted connections. [Stefan Eissing, Ruediger Pluem]

  *) mod_http2: The module now handles master/secondary connections and has
     marked methods according to use. [Stefan Eissing]

  *) core: Drop an invalid Last-Modified header value coming from a FCGI/CGI
     script instead of replacing it with Unix epoch.
     [Yann Ylavic, Luca Toscano]

  *) Add support for strict content-length parsing through addition of
     ap_parse_strict_length() [Yann Ylavic]

  *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
     evaluates to false. PR64365. [Michael König]

  *) mod_proxy_http: flush spooled request body in one go to avoid leaking
     (or long lived) temporary file. PR 64452. [Yann Ylavic]

  *) mod_ssl: Fix a race condition and possible crash when using a proxy
     client certificate (SSLProxyMachineCertificateFile). [Armin Abfalterer]

  *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]

  *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and
     H2_STREAM_TAG. PR64330 [Stefan Eissing]

  *) mod_http2: Fixed regression that caused connections to close when
     mod_reqtimeout was configured with a handshake timeout.
     Fixes github issue #196. [Stefan Eissing]

  *) mod_proxy_http2: the "ping" proxy parameter (see ) is now used when
     checking the liveliness of a new or reused h2 connection to the backend.
     With short durations, this makes load-balancing more responsive. The
     module will hold back requests until ping conditions are met, using
     features of the HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]

  *) core: httpd is no longer linked against -lsystemd if mod_systemd is
     enabled (and built as a DSO). [Rainer Jung]

  *) mod_proxy_http2: respect ProxyTimeout settings on backend connections
     while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
---
 www/apache24/Makefile              | 4 ++--
 www/apache24/Makefile.options      | 5 +++--
 www/apache24/Makefile.options.desc | 1 +
 www/apache24/distinfo              | 6 +++---
 www/apache24/pkg-plist             | 2 +-
 5 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/www/apache24/Makefile b/www/apache24/Makefile
index e329b3425c..03ceec0515 100644
--- a/www/apache24/Makefile
+++ b/www/apache24/Makefile
@@ -1,6 +1,5 @@ PORTNAME= apache24 -PORTVERSION= 2.4.43 -PORTREVISION= 1 +PORTVERSION= 2.4.46 CATEGORIES= www MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} @@ -89,6 +88,7 @@ SOCACHE_DC_LIB_DEPENDS= libdistcache.so:security/distcache # apu-1-config --(includes|ldflags) and apr_rules.mk SSL_CONFIGURE_ON= --with-ssl=${OPENSSLBASE} SSL_USES= ssl +SUEXEC_SYSLOG_CONFIGURE_ON= --without-suexec-logfile --with-suexec-syslog XML2ENC_USE= GNOME=libxml2 XML2ENC_USES= gnome diff --git a/www/apache24/Makefile.options b/www/apache24/Makefile.options index 504aca28be..c0e6a60b8c 100644 --- a/www/apache24/Makefile.options +++ b/www/apache24/Makefile.options @@ -42,7 +42,7 @@ MOST_ENABLED_MODULES= \ IMAGEMAP INCLUDE INFO \ LBMETHOD_BYBUSYNESS LBMETHOD_BYREQUESTS LBMETHOD_BYTRAFFIC \ LBMETHOD_HEARTBEAT LOGIO LOG_DEBUG LOG_FORENSIC \ - MACRO MIME MIME_MAGIC \ + MACRO MD MIME MIME_MAGIC \ NEGOTIATION \ RATELIMIT REFLECTOR REMOTEIP REQTIMEOUT REQUEST REWRITE \ SED SETENVIF \ @@ -53,7 +53,8 @@ MOST_ENABLED_MODULES= \ WATCHDOG XML2ENC MOST_DISABLED_MODULES= \ - AUTHNZ_LDAP BROTLI IDENT LDAP LUA MD SOCACHE_DC SOCACHE_REDIS SUEXEC + AUTHNZ_LDAP BROTLI IDENT LDAP LUA SOCACHE_DC SOCACHE_REDIS SUEXEC \ + SUEXEC_SYSLOG # enable/disable additional PROXY/SESSION modules META_MODULES= PROXY SESSION diff --git a/www/apache24/Makefile.options.desc b/www/apache24/Makefile.options.desc index 0600683d3b..353658c36b 100644 --- a/www/apache24/Makefile.options.desc +++ b/www/apache24/Makefile.options.desc @@ -154,6 +154,7 @@ SSL_DESC= SSL/TLS support (mod_ssl) STATUS_DESC= Process/thread monitoring SUBSTITUTE_DESC= Response content rewrite-like filtering SUEXEC_DESC= Set uid and gid for spawned processes +SUEXEC_SYSLOG_DESC= Enable syslog for suexec UNIQUE_ID_DESC= Per-request unique ids UNIXD_DESC= (required) security for Unix-family platforms diff --git a/www/apache24/distinfo b/www/apache24/distinfo index efe26d45e0..e2cdb4c4ef 100644 --- a/www/apache24/distinfo +++ b/www/apache24/distinfo 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1587061858 -SHA256 (apache24/httpd-2.4.43.tar.bz2) = a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43 -SIZE (apache24/httpd-2.4.43.tar.bz2) = 7155865 +TIMESTAMP = 1597599810 +SHA256 (apache24/httpd-2.4.46.tar.bz2) = 740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea +SIZE (apache24/httpd-2.4.46.tar.bz2) = 7187805 diff --git a/www/apache24/pkg-plist b/www/apache24/pkg-plist index 0b6bea2117..25962ee54f 100644 --- a/www/apache24/pkg-plist +++ b/www/apache24/pkg-plist @@ -228,7 +228,7 @@ man/man8/fcgistarter.8.gz man/man8/htcacheclean.8.gz man/man8/httpd.8.gz man/man8/rotatelogs.8.gz -man/man8/suexec.8.gz +%%SUEXEC%%man/man8/suexec.8.gz sbin/apachectl sbin/apxs %%LOG_FORENSIC%%sbin/check_forensic
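Review bot: In the first Makefile hunk (PORTVERSION 2.4.43 -> 2.4.46), dropping PORTREVISION= 1 is correct because a new upstream version resets the revision, but the commit message that justifies this bump names only two of the three security fixes by CVE; the third entry ("SECURITY: mod_http2: a specially crafted value for the 'Cache-Digest' header ...") carries no identifier. Suggest adding its CVE id from the upstream CHANGES file so this update can be matched against the port's vulnerability records by id rather than by description.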
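Review bot: The second Makefile hunk adds SUEXEC_SYSLOG_CONFIGURE_ON= --without-suexec-logfile --with-suexec-syslog but nothing visible ties the new option to SUEXEC, so selecting SUEXEC_SYSLOG with SUEXEC off passes suexec configure flags to a build that does not install suexec. Suggest `SUEXEC_SYSLOG_IMPLIES= SUEXEC` (or a .if guard that errors out when SUEXEC_SYSLOG is set without SUEXEC), plus a comment that this moves the suexec audit trail out of the dedicated root-owned log file and into whatever facility syslogd routes it to, which operators relying on that file for forensics need to know.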
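Review bot: The first Makefile.options hunk moves MD into MOST_ENABLED_MODULES, which changes the default module set (mod_md is now built and installed unless deselected) and is unrelated to the 2.4.46 bump, yet the commit message says nothing about it. Default-enabling an ACME client that contacts a CA and manages private keys deserves a sentence in the commit message and, if the port tree keeps one, an UPDATING entry; the MD_*_DEPENDS lines it relies on are outside this hunk and should be confirmed present so a default build does not fail on a missing library.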
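Review bot: In the second Makefile.options hunk SUEXEC_SYSLOG is appended to MOST_DISABLED_MODULES, but it is a configure knob for suexec rather than an httpd module; default-off is the right choice since it relocates suexec's log, but listing it among modules invites users to expect a mod_*.so from it. Suggest placing it in an option group alongside SUEXEC (or at least a comment on that line) so the relationship between the two options is visible where they are declared.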
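Review bot: The Makefile.options.desc hunk's SUEXEC_SYSLOG_DESC= Enable syslog for suexec understates what the option does: the Makefile hunk passes --without-suexec-logfile together with --with-suexec-syslog, so the dedicated suexec log file is removed, not merely supplemented. Suggest "Log suexec to syslog instead of a logfile" so the option dialog tells operators where the suexec records will actually end up.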
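Review bot: The distinfo hunk refreshes TIMESTAMP, SHA256 and SIZE for httpd-2.4.46.tar.bz2, consistent with a `make makesum` run against a downloaded tarball; before committing, confirm the SHA256 (740eddf6...) against the digest and PGP signature the ASF publishes alongside the release rather than against the mirror download alone, since distinfo is the only integrity check users of this port get and it is only as trustworthy as the copy it was generated from.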
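Review bot: The pkg-plist hunk conditionalises man/man8/suexec.8.gz on %%SUEXEC%%, a plist fix for builds with SUEXEC off that is independent of the version bump and should be named in the commit message. The surrounding context (sbin/apachectl, sbin/apxs, %%LOG_FORENSIC%%sbin/check_forensic) does not show the suexec binary entry itself; double-check that it is guarded with the same %%SUEXEC%% marker elsewhere in the plist, otherwise `make check-plist` will still fail when SUEXEC is disabled.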