author    Olli Hauer <ohauer@FreeBSD.org>  2016-12-22 06:27:09 +0000
committer Olli Hauer <ohauer@FreeBSD.org>  2016-12-22 06:27:09 +0000
commit    7403a572c9762c3c2e45763ebab9b010c291f7b6 (patch)
tree      b24146abd9206afd1661f41dac7d83ad93a1d1e5
parent    8035f5a56fc57a6b57fb1631f484a9766ef9abc4 (diff)
download  ports-7403a572c9762c3c2e45763ebab9b010c291f7b6.tar.gz
          ports-7403a572c9762c3c2e45763ebab9b010c291f7b6.zip
MFH: r425421 r429063

- Add LICENSE
- update to 2.4.25

PR:           215457
Reported by:  Apache Software Foundation
Security:     vid 862d6ab3-c75e-11e6-9f98-20cf30e32f6d
              CVE-2016-8743 CVE-2016-2161 CVE-2016-0736 CVE-2016-8740 CVE-2016-5387
Approved by:  ports-secteam (junovitch)

Notes:
svn path=/branches/2016Q4/; revision=429144
-rw-r--r--  www/apache24/Makefile                  |  10
-rw-r--r--  www/apache24/distinfo                  |   6
-rw-r--r--  www/apache24/files/patch-CVE-2016-8740 | 116
-rw-r--r--  www/apache24/files/patch-httpoxy       |  63
4 files changed, 9 insertions, 186 deletions
diff --git a/www/apache24/Makefile b/www/apache24/Makefile
index 755a17c69879..9fa4bc9837c3 100644
--- a/www/apache24/Makefile
+++ b/www/apache24/Makefile
@@ -1,8 +1,7 @@
# $FreeBSD$
PORTNAME= apache24
-PORTVERSION= 2.4.23
-PORTREVISION= 2
+PORTVERSION= 2.4.25
CATEGORIES= www ipv6
MASTER_SITES= APACHE_HTTPD
DISTNAME= httpd-${PORTVERSION}
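Review bot: The PORTVERSION bump from 2.4.23 to 2.4.25 is the entire security content of this commit, because the two local patch files are deleted in the same change; before merging, confirm against the upstream 2.4.25 CHANGES that each of the five CVEs named in the commit message (CVE-2016-8743, CVE-2016-2161, CVE-2016-0736, CVE-2016-8740, CVE-2016-5387) is listed as fixed there, since once the backport files are gone there is no fallback if one of them landed only in a later release. Dropping PORTREVISION together with the version bump is correct, as the new PORTVERSION already forces a rebuild.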
@@ -11,6 +10,9 @@ DIST_SUBDIR= apache24
MAINTAINER= apache@FreeBSD.org
COMMENT= Version 2.4.x of Apache web server
+LICENSE= APACHE20
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
LIB_DEPENDS= libexpat.so:textproc/expat2 \
libapr-1.so:devel/apr1 \
libpcre.so:devel/pcre
@@ -150,7 +152,7 @@ USE_GNOME= libxml2
post-extract:
# remove possible leftover .svn directories in the sources
- @${FIND} ${WRKSRC} -type d -name .svn -print | ${XARGS} ${RM} -rf
+ @${FIND} ${WRKSRC} -type d -name .svn -print | ${XARGS} ${RM} -r
# limit grep results ...
@${FIND} ${WRKSRC} -type f \( -name 'NWGNU*' -o -name '*.ds?' -o -name '*.dep' -o -name '*.mak' -o -name '*.win' -o -name '*.vbs' -o -name '*.wsf' \) -delete
# make sure the configure script contains our patches, preserve the original script for comparsion
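Review bot: Dropping `-f` from `${RM} -rf` in the post-extract .svn cleanup is only behaviour-preserving because the ports framework defines `${RM}` as `rm -f`; with a plain `rm` the `xargs` step would prompt or fail on unwritable entries, so the change is fine as long as `${RM}` keeps that definition. A style point in the unchanged context line: the comment reads "comparsion" and should be "comparison" the next time this block is touched.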
@@ -168,7 +170,7 @@ post-patch:
${WRKSRC}/include/httpd.h
${REINPLACE_CMD} -e 's|perlbin=.*|perlbin=${PERL}|' \
${WRKSRC}/configure.in
- ${RM} -f ${WRKSRC}/docs/docroot/*.bak
+ ${RM} ${WRKSRC}/docs/docroot/*.bak
${INSTALL_DATA} ${WRKSRC}/NOTICE ${WRKSRC}/docs/manual
pre-configure::
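Review bot: The new `${RM} ${WRKSRC}/docs/docroot/*.bak` line depends on the glob matching at least one file; when nothing matches, the shell hands the literal pattern to rm, and it is only the `-f` folded into the framework's `${RM}` definition that keeps the post-patch target from failing at that point. This is consistent with the post-extract hunk above, so no change is needed, but it is worth remembering if `${RM}` is ever redefined for this port.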
diff --git a/www/apache24/distinfo b/www/apache24/distinfo
index 1022f66cfbb7..499d85b248c8 100644
--- a/www/apache24/distinfo
+++ b/www/apache24/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1467307196
-SHA256 (apache24/httpd-2.4.23.tar.bz2) = 0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58
-SIZE (apache24/httpd-2.4.23.tar.bz2) = 6351875
+TIMESTAMP = 1482168542
+SHA256 (apache24/httpd-2.4.25.tar.bz2) = f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2
+SIZE (apache24/httpd-2.4.25.tar.bz2) = 6398218
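Review bot: The new SHA256 and SIZE for httpd-2.4.25.tar.bz2 are the only integrity anchor the build has for the new distfile, so they should be compared with the checksums and PGP signature published by the httpd project rather than taken from a `make makesum` run alone; makesum records whatever the mirror served, including a tampered copy. Updating TIMESTAMP alongside the hash, as done here, is required by the framework.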
diff --git a/www/apache24/files/patch-CVE-2016-8740 b/www/apache24/files/patch-CVE-2016-8740
deleted file mode 100644
index 04b00be52062..000000000000
--- a/www/apache24/files/patch-CVE-2016-8740
+++ /dev/null
@@ -1,116 +0,0 @@
- Security Advisory - Apache Software Foundation
- Apache HTTPD WebServer / httpd.apache.org
-
- Server memory can be exhausted and service denied when HTTP/2 is used
-
- CVE-2016-8740
-
-The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply limitations
-on request headers correctly when experimental module for the HTTP/2
-protocol is used to access a resource.
-
-The net result is that a the server allocates too much memory instead of denying
-the request. This can lead to memory exhaustion of the server by a properly
-crafted request.
-
-Background:
-- -----------
-
-Apache has limits on the number and length of request header fields. which
-limits the amount of memory a client can allocate on the server for a request.
-
-Version 2.4.17 of the Apache HTTP Server introduced an experimental feature:
-mod_http2 for the HTTP/2 protocol (RFC7540, previous versions were known as
-Google SPDY).
-
-This module is NOT compiled in by default -and- is not enabled by default,
-although some distribution may have chosen to do so.
-
-It is generally needs to be enabled in the 'Protocols' line in httpd by
-adding 'h2' and/or 'h2c' to the 'http/1.1' only default.
-
-The default distributions of the Apache Software Foundation do not include
-this experimental feature.
-
-Details:
-- --------
-
-- From version 2.4.17, upto and including version 2.4.23 the server failed
-to take the limitations on request memory use into account when providing
-access to a resource over HTTP/2. This issue has been fixed
-in version 2.4.23 (r1772576).
-
-As a result - with a request using the HTTP/2 protocol a specially crafted
-request can allocate memory on the server until it reaches its limit. This can
-lead to denial of service for all requests against the server.
-
-Impact:
-- -------
-
-This can lead to denial of service for all server resources.
-Versions affected:
-- ------------------
-All versions from 2.4.17 to 2.4.23.
-
-Resolution:
-- -----------
-
-For a 2.4.23 version a patch is supplied. This will be included in the
-next release.
-
-Mitigations and work arounds:
-- -----------------------------
-
-As a temporary workaround - HTTP/2 can be disabled by changing
-the configuration by removing h2 and h2c from the Protocols
-line(s) in the configuration file.
-
-The resulting line should read:
-
- Protocols http/1.1
-
-Credits and timeline
-- --------------------
-
-The flaw was found and reported by Naveen Tiwari <naveen.tiwari@asu.edu>
-and CDF/SEFCOM at Arizona State University on 2016-11-22. The issue was
-resolved by Stefan Eissing and incorporated in the Apache repository,
-ready for inclusion in the next release.
-
-Apache would like to thank all involved for their help with this.
-
-Index: modules/http2/h2_stream.c
-===================================================================
---- modules/http2/h2_stream.c (revision 1771866)
-+++ modules/http2/h2_stream.c (working copy)
-@@ -322,18 +322,18 @@
- HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE);
- }
- }
-- }
--
-- if (h2_stream_is_scheduled(stream)) {
-- return h2_request_add_trailer(stream->request, stream->pool,
-- name, nlen, value, vlen);
-- }
-- else {
-- if (!input_open(stream)) {
-- return APR_ECONNRESET;
-+
-+ if (h2_stream_is_scheduled(stream)) {
-+ return h2_request_add_trailer(stream->request, stream->pool,
-+ name, nlen, value, vlen);
- }
-- return h2_request_add_header(stream->request, stream->pool,
-- name, nlen, value, vlen);
-+ else {
-+ if (!input_open(stream)) {
-+ return APR_ECONNRESET;
-+ }
-+ return h2_request_add_header(stream->request, stream->pool,
-+ name, nlen, value, vlen);
-+ }
- }
- }
-
-
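Review bot: Deleting files/patch-CVE-2016-8740 is correct only because 2.4.25 carries the upstream fix (r1772576) that this file backported, so the deletion and the PORTVERSION bump must land in the same commit, as they do here. Two details in the removed text are worth recording for whoever reads this later: the advisory body says the issue "has been fixed in version 2.4.23" while also listing 2.4.23 as affected, which is internally inconsistent; and the code change itself only moves the closing brace of the enclosing block below the h2_request_add_trailer / h2_request_add_header calls, so those calls now execute inside the block that contains the HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE handling rather than unconditionally after it, which is how the header-size limits come to apply to HTTP/2 requests.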
diff --git a/www/apache24/files/patch-httpoxy b/www/apache24/files/patch-httpoxy
deleted file mode 100644
index 9331f3c053ae..000000000000
--- a/www/apache24/files/patch-httpoxy
+++ /dev/null
@@ -1,63 +0,0 @@
-https://www.apache.org/security/asf-httpoxy-response.txt
-
-Apache HTTP Server may be configured to proxy HTTP requests as a forward
-or reverse (gateway) proxy server, can proxy requests to a FastCGI service
-using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi
-or mod_cgid or the related mod_isapi service. The project's mod_fcgid
-subproject (available as a separate add-in module) directly manages CGI
-scripts using the FastCGI protocol.
-
-It may also be configured to directly host a number of external modules
-which run CGI-style applications in-process. The server itself does not
-modify the CGI environment in this case, however, these external modules
-may perform such modifications of their environment variables in-process.
-Such examples include mod_php, mod_perl and mod_wsgi.
-
-To mitigate "httpoxy" issues across all of the above mechanisms, the most
-direct solution is to drop any "Proxy:" header arriving from an upstream
-proxy server or the origin user-agent. this will mitigate the issue for any
-vulnerable back-end server or CGI across all traffic through this server.
-
-The two lines below enabled in the httpd.conf file will remove the "Proxy:"
-header from all incoming requests, before further processing;
-
- LoadModule headers_module {path-to}/mod_headers.so
-
- RequestHeader unset Proxy early
-
-(Users who have mod_headers compiled-in to the httpd binary must omit
-the LoadModule directive above, others must adjust the {path-to} to point
-to the mod_headers.so file.)
-
-If the administrator wishes to preserve the value of the "Proxy:" header
-for most traffic, and only eliminate it from the CGI environment variable
-HTTP_PROXY, a second mitigation is offered. This patch will address this
-behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid,
-along with all other consumers of httpd's built-in environment handling.
-
-The bundled httpd modules all rely on ap_add_common_vars() to set up the
-target CGI environment. The project will include the recommended patch
-below in all subsequent releases of httpd, including 2.4.24 and 2.2.32.
-Users who build httpd 2.2.x or 2.4.x from source may apply the patch below,
-recompile and re-install httpd to obtain this mitigation. This migitation
-has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>.
-
-======= Patch to httpd sources 2.4.x and 2.2.x =======
-
---- server/util_script.c (revision 1752426)
-+++ server/util_script.c (working copy)
-@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
- else if (!strcasecmp(hdrs[i].key, "Content-length")) {
- apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
- }
-+ /* HTTP_PROXY collides with a popular envvar used to configure
-+ * proxies, don't let clients set/override it. But, if you must...
-+ */
-+#ifndef SECURITY_HOLE_PASS_PROXY
-+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
-+ ;
-+ }
-+#endif
- /*
- * You really don't want to disable this check, since it leaves you
- * wide open to CGIs stealing passwords and people viewing them
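Review bot: Removing files/patch-httpoxy matches the deleted text's own statement that the ap_add_common_vars() change ships in 2.4.24 and later, so 2.4.25 no longer needs the local copy. Note that the protection in the removed hunk is compile-time: the `#ifndef SECURITY_HOLE_PASS_PROXY` guard means the port's CFLAGS must never define that macro, and since the same patch is what the project folded into its releases, that condition still applies after the update. Operators who want defence in depth independent of the server build can keep the `RequestHeader unset Proxy early` configuration that the removed text recommends.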