From 7403a572c9762c3c2e45763ebab9b010c291f7b6 Mon Sep 17 00:00:00 2001
From: Olli Hauer
Date: Thu, 22 Dec 2016 06:27:09 +0000
Subject: MFH: r425421 r429063 - Add LICENSE - update to 2.4.25
PR: 215457
Reported by: Apache Software Foundation
Security: vid 862d6ab3-c75e-11e6-9f98-20cf30e32f6d CVE-2016-8743 CVE-2016-2161 CVE-2016-0736 CVE-2016-8740 CVE-2016-5387
Approved by: ports-secteam (junovitch)
---
 www/apache24/Makefile | 10 +--
 www/apache24/distinfo | 6 +-
 www/apache24/files/patch-CVE-2016-8740 | 116 ---------------------------------
 www/apache24/files/patch-httpoxy | 63 ------------------
 4 files changed, 9 insertions(+), 186 deletions(-)
 delete mode 100644 www/apache24/files/patch-CVE-2016-8740
 delete mode 100644 www/apache24/files/patch-httpoxy

diff --git a/www/apache24/Makefile b/www/apache24/Makefile
index 755a17c69879..9fa4bc9837c3 100644
--- a/www/apache24/Makefile
+++ b/www/apache24/Makefile
@@ -1,8 +1,7 @@
 # $FreeBSD$

 PORTNAME= apache24
-PORTVERSION= 2.4.23
-PORTREVISION= 2
+PORTVERSION= 2.4.25
 CATEGORIES= www ipv6
 MASTER_SITES= APACHE_HTTPD
 DISTNAME= httpd-${PORTVERSION}
@@ -11,6 +10,9 @@ DIST_SUBDIR= apache24
 MAINTAINER= apache@FreeBSD.org
 COMMENT= Version 2.4.x of Apache web server

+LICENSE= APACHE20
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
 LIB_DEPENDS= libexpat.so:textproc/expat2 \
 libapr-1.so:devel/apr1 \
 libpcre.so:devel/pcre
@@ -150,7 +152,7 @@ USE_GNOME= libxml2

 post-extract:
 # remove possible leftover .svn directories in the sources
- @${FIND} ${WRKSRC} -type d -name .svn -print | ${XARGS} ${RM} -rf
+ @${FIND} ${WRKSRC} -type d -name .svn -print | ${XARGS} ${RM} -r
 # limit grep results ...
 @${FIND} ${WRKSRC} -type f \( -name 'NWGNU*' -o -name '*.ds?' -o -name '*.dep' -o -name '*.mak' -o -name '*.win' -o -name '*.vbs' -o -name '*.wsf' \) -delete
 # make sure the configure script contains our patches, preserve the original script for comparsion
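Review bot: The rewritten post-extract line keeps `-print | ${XARGS} ${RM} -r`, so xargs still tokenises the find output on whitespace; a `.svn` directory below a path containing blanks would be split into several arguments and the wrong entries removed, whereas `-print0 | ${XARGS} -0 ${RM} -r` (or `-exec ${RM} -r {} +`) is independent of the path contents, matching the `-delete` already used for files on the following line. Everything involved lives under ${WRKSRC}, so the practical exposure looks low, but the robust form costs nothing. Dropping `-f` here and in the post-patch hunk below is only equivalent because the ports framework defines `${RM}` with `-f` already; with a plain `rm`, the unmatched `*.bak` glob in post-patch would make the target fail, so a short comment such as `# ${RM} already carries -f (bsd.commands.mk)` would document that dependency.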
@@ -168,7 +170,7 @@ post-patch:
 ${WRKSRC}/include/httpd.h
 ${REINPLACE_CMD} -e 's|perlbin=.*|perlbin=${PERL}|' \
 ${WRKSRC}/configure.in
- ${RM} -f ${WRKSRC}/docs/docroot/*.bak
+ ${RM} ${WRKSRC}/docs/docroot/*.bak
 ${INSTALL_DATA} ${WRKSRC}/NOTICE ${WRKSRC}/docs/manual

 pre-configure::
diff --git a/www/apache24/distinfo b/www/apache24/distinfo
index 1022f66cfbb7..499d85b248c8 100644
--- a/www/apache24/distinfo
+++ b/www/apache24/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1467307196
-SHA256 (apache24/httpd-2.4.23.tar.bz2) = 0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58
-SIZE (apache24/httpd-2.4.23.tar.bz2) = 6351875
+TIMESTAMP = 1482168542
+SHA256 (apache24/httpd-2.4.25.tar.bz2) = f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2
+SIZE (apache24/httpd-2.4.25.tar.bz2) = 6398218
diff --git a/www/apache24/files/patch-CVE-2016-8740 b/www/apache24/files/patch-CVE-2016-8740
deleted file mode 100644
index 04b00be52062..000000000000
--- a/www/apache24/files/patch-CVE-2016-8740
+++ /dev/null
@@ -1,116 +0,0 @@ - Security Advisory - Apache Software Foundation - Apache HTTPD WebServer / httpd.apache.org - - Server memory can be exhausted and service denied when HTTP/2 is used - - CVE-2016-8740 - -The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply limitations -on request headers correctly when experimental module for the HTTP/2 -protocol is used to access a resource. - -The net result is that a the server allocates too much memory instead of denying -the request. This can lead to memory exhaustion of the server by a properly -crafted request. - -Background: -- ----------- - -Apache has limits on the number and length of request header fields. which -limits the amount of memory a client can allocate on the server for a request. - -Version 2.4.17 of the Apache HTTP Server introduced an experimental feature: -mod_http2 for the HTTP/2 protocol (RFC7540, previous versions were known as -Google SPDY). - -This module is NOT compiled in by default -and- is not enabled by default, -although some distribution may have chosen to do so. - -It is generally needs to be enabled in the 'Protocols' line in httpd by -adding 'h2' and/or 'h2c' to the 'http/1.1' only default. - -The default distributions of the Apache Software Foundation do not include -this experimental feature. - -Details: -- -------- - -- From version 2.4.17, upto and including version 2.4.23 the server failed -to take the limitations on request memory use into account when providing -access to a resource over HTTP/2. This issue has been fixed -in version 2.4.23 (r1772576). - -As a result - with a request using the HTTP/2 protocol a specially crafted -request can allocate memory on the server until it reaches its limit. This can -lead to denial of service for all requests against the server. - -Impact: -- ------- - -This can lead to denial of service for all server resources. -Versions affected: -- ------------------ -All versions from 2.4.17 to 2.4.23. 
- -Resolution: -- ----------- - -For a 2.4.23 version a patch is supplied. This will be included in the -next release. - -Mitigations and work arounds: -- ----------------------------- - -As a temporary workaround - HTTP/2 can be disabled by changing -the configuration by removing h2 and h2c from the Protocols -line(s) in the configuration file. - -The resulting line should read: - - Protocols http/1.1 - -Credits and timeline -- -------------------- - -The flaw was found and reported by Naveen Tiwari -and CDF/SEFCOM at Arizona State University on 2016-11-22. The issue was -resolved by Stefan Eissing and incorporated in the Apache repository, -ready for inclusion in the next release. - -Apache would like to thank all involved for their help with this. - -Index: modules/http2/h2_stream.c -=================================================================== ---- modules/http2/h2_stream.c (revision 1771866) -+++ modules/http2/h2_stream.c (working copy) -@@ -322,18 +322,18 @@ - HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE); - } - } -- } -- -- if (h2_stream_is_scheduled(stream)) { -- return h2_request_add_trailer(stream->request, stream->pool, -- name, nlen, value, vlen); -- } -- else { -- if (!input_open(stream)) { -- return APR_ECONNRESET; -+ -+ if (h2_stream_is_scheduled(stream)) { -+ return h2_request_add_trailer(stream->request, stream->pool, -+ name, nlen, value, vlen); - } -- return h2_request_add_header(stream->request, stream->pool, -- name, nlen, value, vlen); -+ else { -+ if (!input_open(stream)) { -+ return APR_ECONNRESET; -+ } -+ return h2_request_add_header(stream->request, stream->pool, -+ name, nlen, value, vlen); -+ } - } - } - - diff --git a/www/apache24/files/patch-httpoxy b/www/apache24/files/patch-httpoxy deleted file mode 100644 index 9331f3c053ae..000000000000 --- a/www/apache24/files/patch-httpoxy +++ /dev/null 
@@ -1,63 +0,0 @@ -https://www.apache.org/security/asf-httpoxy-response.txt - -Apache HTTP Server may be configured to proxy HTTP requests as a forward -or reverse (gateway) proxy server, can proxy requests to a FastCGI service -using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi -or mod_cgid or the related mod_isapi service. The project's mod_fcgid -subproject (available as a separate add-in module) directly manages CGI -scripts using the FastCGI protocol. - -It may also be configured to directly host a number of external modules -which run CGI-style applications in-process. The server itself does not -modify the CGI environment in this case, however, these external modules -may perform such modifications of their environment variables in-process. -Such examples include mod_php, mod_perl and mod_wsgi. - -To mitigate "httpoxy" issues across all of the above mechanisms, the most -direct solution is to drop any "Proxy:" header arriving from an upstream -proxy server or the origin user-agent. this will mitigate the issue for any -vulnerable back-end server or CGI across all traffic through this server. - -The two lines below enabled in the httpd.conf file will remove the "Proxy:" -header from all incoming requests, before further processing; - - LoadModule headers_module {path-to}/mod_headers.so - - RequestHeader unset Proxy early - -(Users who have mod_headers compiled-in to the httpd binary must omit -the LoadModule directive above, others must adjust the {path-to} to point -to the mod_headers.so file.) - -If the administrator wishes to preserve the value of the "Proxy:" header -for most traffic, and only eliminate it from the CGI environment variable -HTTP_PROXY, a second mitigation is offered. This patch will address this -behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid, -along with all other consumers of httpd's built-in environment handling. 
- -The bundled httpd modules all rely on ap_add_common_vars() to set up the -target CGI environment. The project will include the recommended patch -below in all subsequent releases of httpd, including 2.4.24 and 2.2.32. -Users who build httpd 2.2.x or 2.4.x from source may apply the patch below, -recompile and re-install httpd to obtain this mitigation. This migitation -has been assigned the identifier CVE-2016-5387 . - -======= Patch to httpd sources 2.4.x and 2.2.x ======= - ---- server/util_script.c (revision 1752426) -+++ server/util_script.c (working copy) -@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r - else if (!strcasecmp(hdrs[i].key, "Content-length")) { - apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); - } -+ /* HTTP_PROXY collides with a popular envvar used to configure -+ * proxies, don't let clients set/override it. But, if you must... -+ */ -+#ifndef SECURITY_HOLE_PASS_PROXY -+ else if (!strcasecmp(hdrs[i].key, "Proxy")) { -+ ; -+ } -+#endif - /* - * You really don't want to disable this check, since it leaves you - * wide open to CGIs stealing passwords and people viewing them -- cgit v1.2.3