Index: branches/2016Q3/www/apache22/Makefile =================================================================== --- branches/2016Q3/www/apache22/Makefile (revision 418803) +++ branches/2016Q3/www/apache22/Makefile (revision 418804) @@ -1,204 +1,204 @@ # $FreeBSD$ PORTNAME= apache22 PORTVERSION= 2.2.31 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES= www ipv6 MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} DIST_SUBDIR= apache22 MAINTAINER?= apache@FreeBSD.org COMMENT?= Version 2.2.x of Apache web server with ${WITH_MPM} MPM. LIB_DEPENDS= libexpat.so:textproc/expat2 \ libapr-1.so:devel/apr1 \ libpcre.so:devel/pcre CONFLICTS_INSTALL= caudium14-1.* \ apache-*-2.2.* apache22-*-2.2.* \ apache-*-2.4.* apache24-*-2.4.* USE_APACHE= common22 USES= autoreconf cpe iconv libtool perl5 tar:bzip2 USE_PERL5= run USE_RC_SUBR= apache22 htcacheclean GNU_CONFIGURE= yes CPE_VENDOR= apache CPE_PRODUCT= http_server PORTDOCS= * USERS= www GROUPS= www # XXX: before running makepatch please run the command # `$SED -e 's/PATCH_PATH_SEPARATOR=/PATCH_PATH_SEPARATOR?=/' Mk/bsd.port.mk PATCH_PATH_SEPARATOR= __ # for slave ports .if !defined(MASTERDIR) APACHEDIR= ${.CURDIR} .else APACHEDIR= ${MASTERDIR} .endif WITH_MPM?= prefork # or worker, event, itk, peruser WITH_HTTP_PORT?= 80 WITH_SSL_PORT?= 443 .include "${APACHEDIR}/Makefile.options" AUTHNZ_LDAP_CONFIGURE_ON= --enable-authnz-ldap # http://httpd.apache.org/docs/2.2/bind.html IPV4_MAPPED_CONFIGURE_ENABLE= v4-mapped LDAP_CONFIGURE_ON= --enable-ldap=shared SSL_CFLAGS= -I${OPENSSLINC} SSL_CONFIGURE_ON= --with-ssl=${OPENSSLBASE} SSL_LDFLAGS= -L${OPENSSLLIB} SSL_USE= OPENSSL=yes SUEXEC_RSRCLIMIT_EXTRA_PATCHES= ${FILESDIR}/extra-patch-suexec_rsrclimit SUEXEC_USERDIR_EXTRA_PATCHES= ${FILESDIR}/extra-patch-suexec_userdir .include ETC_SUBDIRS= Includes envvars.d extra modules.d # PR: 182947 .if ${WITH_MPM} != "peruser" SUB_LIST+= RELOAD_CMD=graceful .else SUB_LIST+= RELOAD_CMD=hrestart .endif APR_CONFIG?= ${LOCALBASE}/bin/apr-1-config APU_CONFIG?= ${LOCALBASE}/bin/apu-1-config # APU modules used by AUTHN_DBD DBD APU_DBD_MYSQL?= ${LOCALBASE}/lib/apr-util-1/apr_dbd_mysql.so APU_DBD_PGSQL?= ${LOCALBASE}/lib/apr-util-1/apr_dbd_pgsql.so APU_DBD_SQLITE3?= ${LOCALBASE}/lib/apr-util-1/apr_dbd_sqlite3.so # APU module used by AUTHNZ_LDAP LDAP APU_LDAP?= ${LOCALBASE}/lib/apr-util-1/apr_ldap.so # APU module used by SESSION_CRYPTO APU_CRYPTO_OPENSSL?= ${LOCALBASE}/lib/apr-util-1/apr_crypto_openssl.so APU_CRYPTO_NSS?= ${LOCALBASE}/lib/apr-util-1/apr_crypto_nss.so CONFIGURE_ARGS+=--prefix=${PREFIX} \ --enable-layout=FreeBSD \ --with-port=${WITH_HTTP_PORT} \ --with-sslport=${WITH_SSL_PORT} \ --with-expat=${LOCALBASE} \ --with-iconv=${ICONV_PREFIX} \ --enable-http \ --with-pcre=${LOCALBASE} \ --with-apr=${APR_CONFIG} \ --with-apr-util=${APU_CONFIG} CONFIGURE_ENV= CONFIG_SHELL="${SH}" \ LOCALBASE="${LOCALBASE}" MAKE_ENV+= EXPR_COMPAT=yes \ INSTALL_MAN="${INSTALL_MAN}" \ DATADIR=${DATADIR} #===================================================== # CONFIGURE_ARGS will be handled in Makefile.modules, # here we do only OPTIONS fixups .if ${PORT_OPTIONS:MSUEXEC_RSRCLIMIT} && !${PORT_OPTIONS:MSUEXEC} IGNORE= suEXEC resource limit patch requires mod_suexec.\ Please (re)run 'make config' and choose SUEXEC option also .endif .if ${PORT_OPTIONS:MSUEXEC_USERDIR} && !${PORT_OPTIONS:MSUEXEC} IGNORE= suEXEC UserDir patch requires mod_suexec.\ Please (re)run 'make config' and choose SUEXEC option also .endif .include .include "${APACHEDIR}/Makefile.modules" show-options: @${SED} -ne 's/^##//p' ${APACHEDIR}/Makefile.doc pre-everything:: @${CAT} ${FILESDIR}/HEADS_UP .if !defined(BATCH) || !defined(PORT_BUILDING) @/bin/sleep 5 .endif post-extract: # remove possible leftover .svn directories in the sources @${FIND} ${WRKSRC} -type d -name .svn -print | ${XARGS} ${RM} -r # limit grep results ... ${FIND} ${WRKSRC} -type f \( -name 'NWGNU*' -o -name '*.ds?' -o -name '*.dep' -o -name '*.mak' -o -name '*.win' -o -name '*.vbs' -o -name '*.wsf' \) -delete # make sure the configure script contains our patches, # preserve the original script for comparsion -${MV} ${WRKSRC}/configure ${WRKSRC}/configure.upstream # make stage-qa script happy, it complains on empty dirs even 'PORTDOCS=*' is set # use RMDIR in case upstream ever place some files into this directories .for d in xsl/util xsl lang -${RMDIR} ${WRKSRC}/docs/manual/style/${d} .endfor post-patch: ${REINPLACE_CMD} -e 's," PLATFORM ",FreeBSD,' ${WRKSRC}/server/core.c ${REINPLACE_CMD} -e 's|logs/error_log|/var/log/httpd-error.log|' \ ${WRKSRC}/include/httpd.h ${REINPLACE_CMD} -e 's|perlbin=.*|perlbin=${PERL}|' \ ${WRKSRC}/configure.in ${RM} ${WRKSRC}/docs/docroot/*.bak ${INSTALL_DATA} ${WRKSRC}/NOTICE ${WRKSRC}/docs/manual # we use devel/apr and devel/pcre ${RM} -r ${WRKSRC}/srclib ${REINPLACE_CMD} -e 's/srclib//' ${WRKSRC}/Makefile.in pre-configure:: @${ECHO_MSG} "" @${ECHO_MSG} " You can check your modules configuration by using make show-modules" @${ECHO_MSG} "" pre-configure-SSL-on:: # Fix build with OpenSSL from ports .if ${OPSYS} == FreeBSD . if (defined(OPENSSL_INSTALLED) && ${OPENSSL_INSTALLED} != "") || ${MAKE_ENV:M*${LOCALBASE}/openssl*} @${ECHO_MSG} "===> apply fix for FreeBSD-${OSREL} (${OSVERSION}) for usage with ${OPENSSL_INSTALLED}" @${ECHO_MSG} "" ${REINPLACE_CMD} -e "s|(ALL_CFLAGS)|(ALL_CFLAGS) -L${OPENSSLLIB}|" ${WRKSRC}/build/rules.mk.in . endif .endif post-configure: @FTPUSERS=`${EGREP} -v '^#' /etc/ftpusers| ${TR} -s "\n" " "` ;\ ${REINPLACE_CMD} -e "s,%%FTPUSERS%%,$${FTPUSERS}," ${WRKSRC}/docs/conf/extra/httpd-userdir.conf ${REINPLACE_CMD} -e "s,%%WWWOWN%%,${WWWOWN}," -e "s,%%WWWGRP%%,${WWWGRP}," ${WRKSRC}/docs/conf/httpd.conf ${REINPLACE_CMD} -e "s,%%PREFIX%%,${PREFIX}," ${WRKSRC}/support/envvars-std post-install: @${MKDIR} ${ETC_SUBDIRS:S|^|${STAGEDIR}${ETCDIR}/|} ${INSTALL_DATA} ${FILESDIR}/no-accf.conf ${STAGEDIR}${ETCDIR}/Includes/ # place for 3rd party module configuration ${INSTALL_DATA} ${FILESDIR}/README_modules.d ${STAGEDIR}${ETCDIR}/modules.d/ # strip returns an error for non binary files, but we have a big mix -${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/* 2>/dev/null -${STRIP_CMD} ${STAGEDIR}${PREFIX}/libexec/apache22/mod_*.so post-install-LOG_FORENSIC-on: ${INSTALL_SCRIPT} ${WRKSRC}/support/check_forensic ${STAGEDIR}${PREFIX}/sbin # maintainer only, check for new modules modlist: extract @${AWK} '/: checking whether to enable mod_/ \ {printf "%%%%%s%%%%libexec/apache22/%s.so\n", \ toupper($$8), $$8}' ${WRKSRC}/configure \ | ${TR} -d '"' \ | ${SORT} -u \ | ${GREP} -E -v '^%%MOD_(ECHO|EXAMPLE|HTTP|IDENT|ISAPI|SO)%%' .include Index: branches/2016Q3/www/apache22/files/patch-httpoxy =================================================================== --- branches/2016Q3/www/apache22/files/patch-httpoxy (nonexistent) +++ branches/2016Q3/www/apache22/files/patch-httpoxy (revision 418804) @@ -0,0 +1,63 @@ +https://www.apache.org/security/asf-httpoxy-response.txt + +Apache HTTP Server may be configured to proxy HTTP requests as a forward +or reverse (gateway) proxy server, can proxy requests to a FastCGI service +using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi +or mod_cgid or the related mod_isapi service. The project's mod_fcgid +subproject (available as a separate add-in module) directly manages CGI +scripts using the FastCGI protocol. + +It may also be configured to directly host a number of external modules +which run CGI-style applications in-process. The server itself does not +modify the CGI environment in this case, however, these external modules +may perform such modifications of their environment variables in-process. +Such examples include mod_php, mod_perl and mod_wsgi. + +To mitigate "httpoxy" issues across all of the above mechanisms, the most +direct solution is to drop any "Proxy:" header arriving from an upstream +proxy server or the origin user-agent. this will mitigate the issue for any +vulnerable back-end server or CGI across all traffic through this server. + +The two lines below enabled in the httpd.conf file will remove the "Proxy:" +header from all incoming requests, before further processing; + + LoadModule headers_module {path-to}/mod_headers.so + + RequestHeader unset Proxy early + +(Users who have mod_headers compiled-in to the httpd binary must omit +the LoadModule directive above, others must adjust the {path-to} to point +to the mod_headers.so file.) + +If the administrator wishes to preserve the value of the "Proxy:" header +for most traffic, and only eliminate it from the CGI environment variable +HTTP_PROXY, a second mitigation is offered. This patch will address this +behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid, +along with all other consumers of httpd's built-in environment handling. + +The bundled httpd modules all rely on ap_add_common_vars() to set up the +target CGI environment. The project will include the recommended patch +below in all subsequent releases of httpd, including 2.4.24 and 2.2.32. +Users who build httpd 2.2.x or 2.4.x from source may apply the patch below, +recompile and re-install httpd to obtain this mitigation. This migitation +has been assigned the identifier CVE-2016-5387 . + +======= Patch to httpd sources 2.4.x and 2.2.x ======= + +--- server/util_script.c (revision 1752426) ++++ server/util_script.c (working copy) +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them Property changes on: branches/2016Q3/www/apache22/files/patch-httpoxy ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2016Q3/www/apache24/Makefile =================================================================== --- branches/2016Q3/www/apache24/Makefile (revision 418803) +++ branches/2016Q3/www/apache24/Makefile (revision 418804) @@ -1,210 +1,211 @@ # $FreeBSD$ PORTNAME= apache24 PORTVERSION= 2.4.23 +PORTREVISION= 1 CATEGORIES= www ipv6 MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} DIST_SUBDIR= apache24 MAINTAINER= apache@FreeBSD.org COMMENT= Version 2.4.x of Apache web server LIB_DEPENDS= libexpat.so:textproc/expat2 \ libapr-1.so:devel/apr1 \ libpcre.so:devel/pcre CONFLICTS_INSTALL= caudium14-1.* \ apache-*-2.2.* apache22-* USE_APACHE= common24 USES= autoreconf cpe iconv libtool perl5 tar:bzip2 USE_PERL5= run USE_RC_SUBR= apache24 htcacheclean GNU_CONFIGURE= yes CPE_VENDOR= apache CPE_PRODUCT= http_server PORTDOCS= * SUB_FILES= pkg-install pkg-deinstall # XXX: before running makepatch please run the command # `$SED -e 's/PATCH_PATH_SEPARATOR=/PATCH_PATH_SEPARATOR?=/' Mk/bsd.port.mk PATCH_PATH_SEPARATOR= __ # Fallback MPM after switching from static to modular MPM SUB_LIST+= MPMF="000_mpm_prefork_fallback.conf" USERS= www GROUPS= www # for slave ports .if !defined(MASTERDIR) APACHEDIR= ${.CURDIR} .else APACHEDIR= ${MASTERDIR} .endif WITH_HTTP_PORT?= 80 WITH_SSL_PORT?= 443 .if !defined(WITH_DEBUG) EXTRA_PATCHES+= ${FILESDIR}/extra-patch-server_buildmark.c .endif .include "${APACHEDIR}/Makefile.options" .include "${APACHEDIR}/Makefile.options.desc" # IMPLIES AUTHN_DBD_IMPLIES= DBD HEARTBEAT_IMPLIES= WATCHDOG STATUS HEARTMONITOR_IMPLIES= WATCHDOG STATUS LBMETHOD_HEARTBEAT_IMPLIES= WATCHDOG STATUS HEARTMONITOR PROXY_HCHECK_IMPLIES= WATCHDOG # MPM MPM_PREFORK_CONFIGURE_ON= --with-mpm=prefork MPM_WORKER_CONFIGURE_ON= --with-mpm=worker MPM_EVENT_CONFIGURE_ON= --with-mpm=event AUTHNZ_LDAP_CONFIGURE_ON= --enable-authnz-ldap # http://httpd.apache.org/docs/2.4/bind.html IPV4_MAPPED_CONFIGURE_ENABLE= v4-mapped LDAP_CONFIGURE_ON= --enable-ldap=shared HTTP2_CONFIGURE_ON= --with-nghttp2=${LOCALBASE} HTTP2_LIB_DEPENDS= libnghttp2.so:www/nghttp2 LUAJIT_LIB_DEPENDS= libluajit-5.1.so:lang/luajit LUA_CONFIGURE_WITH= lua LUA_USES= lua PROXY_HTTP2_CONFIGURE_ON= --with-nghttp2=${LOCALBASE} PROXY_HTTP2_LIB_DEPENDS= libnghttp2.so:www/nghttp2 SOCACHE_DC_CONFIGURE_ON= --with-distcache=${LOCALBASE} SOCACHE_DC_LIB_DEPENDS= libdistcache.so:security/distcache # Note: # OpenSSL version (base/ports) depends how devel/apr1 was build # apu-1-config --(includes|ldflags) and apr_rules.mk SSL_CFLAGS= -I${OPENSSLINC} SSL_CONFIGURE_ON= --with-ssl=${OPENSSLBASE} SSL_LDFLAGS= -L${OPENSSLLIB} SSL_USES= ssl .include ETC_SUBDIRS= Includes envvars.d extra modules.d APR_CONFIG?= ${LOCALBASE}/bin/apr-1-config APU_CONFIG?= ${LOCALBASE}/bin/apu-1-config # APU modules used by AUTHN_DBD DBD APU_DBD_MYSQL?= ${LOCALBASE}/lib/apr-util-1/apr_dbd_mysql.so APU_DBD_PGSQL?= ${LOCALBASE}/lib/apr-util-1/apr_dbd_pgsql.so APU_DBD_SQLITE3?= ${LOCALBASE}/lib/apr-util-1/apr_dbd_sqlite3.so # APU module used by AUTHNZ_LDAP LDAP APU_LDAP?= ${LOCALBASE}/lib/apr-util-1/apr_ldap.so # APU module used by SESSION_CRYPTO APU_CRYPTO_OPENSSL?= ${LOCALBASE}/lib/apr-util-1/apr_crypto_openssl.so APU_CRYPTO_NSS?= ${LOCALBASE}/lib/apr-util-1/apr_crypto_nss.so PREFIX_RELDEST= ${PREFIX:S,^${DESTDIR},,} CONFIGURE_ARGS+=--prefix=${PREFIX_RELDEST} \ --enable-layout=FreeBSD \ --with-port=${WITH_HTTP_PORT} \ --with-sslport=${WITH_SSL_PORT} \ --with-expat=${LOCALBASE} \ --with-iconv=${ICONV_PREFIX} \ --enable-http \ --with-pcre=${LOCALBASE} \ --with-apr=${APR_CONFIG} \ --with-apr-util=${APU_CONFIG} CONFIGURE_ENV= LOCALBASE="${LOCALBASE}" \ CONFIG_SHELL="${SH}" MAKE_ENV+= EXPR_COMPAT=yes \ INSTALL_MAN="${INSTALL_MAN}" \ DATADIR=${DATADIR} #===================================================== # CONFIGURE_ARGS will be handled in Makefile.modules, # here we do only OPTIONS fixups .if ${PORT_OPTIONS:MLUA} CONFIGURE_ENV+= LUA_CFLAGS="-I${LUA_INCDIR}" \ LUA_LIBS="-L${LUA_LIBDIR} -llua-${LUA_VER}" .endif .if ${PORT_OPTIONS:MPROXY_HTML} || ${PORT_OPTIONS:MXML2ENC} USE_GNOME= libxml2 .endif .include .include "${APACHEDIR}/Makefile.modules" post-extract: # remove possible leftover .svn directories in the sources @${FIND} ${WRKSRC} -type d -name .svn -print | ${XARGS} ${RM} -rf # limit grep results ... @${FIND} ${WRKSRC} -type f \( -name 'NWGNU*' -o -name '*.ds?' -o -name '*.dep' -o -name '*.mak' -o -name '*.win' -o -name '*.vbs' -o -name '*.wsf' \) -delete # make sure the configure script contains our patches, preserve the original script for comparsion -${MV} -v ${WRKSRC}/configure ${WRKSRC}/configure.upstream # make stage-qa script happy, it complains on empty dirs even 'PORTDOCS=*' is set # use RMDIR in case upstream ever place some files into this directories .for d in xsl/util xsl lang -${RMDIR} ${WRKSRC}/docs/manual/style/${d} .endfor post-patch: ${REINPLACE_CMD} -e 's," PLATFORM ",FreeBSD,' ${WRKSRC}/server/core.c ${REINPLACE_CMD} -e 's|logs/error_log|/var/log/httpd-error.log|' \ ${WRKSRC}/include/httpd.h ${REINPLACE_CMD} -e 's|perlbin=.*|perlbin=${PERL}|' \ ${WRKSRC}/configure.in ${RM} -f ${WRKSRC}/docs/docroot/*.bak ${INSTALL_DATA} ${WRKSRC}/NOTICE ${WRKSRC}/docs/manual pre-configure:: @${ECHO_MSG} "" @${ECHO_MSG} " You can check your modules configuration by using make show-modules" @${ECHO_MSG} "" # silence autotools -${MV} -v ${WRKSRC}/configure.in ${WRKSRC}/configure.ac post-configure: @FTPUSERS=`${EGREP} -v '^#' /etc/ftpusers| ${TR} -s "\n" " "` ;\ ${REINPLACE_CMD} -e "s,%%FTPUSERS%%,$${FTPUSERS}," \ ${WRKSRC}/docs/conf/extra/httpd-userdir.conf ${REINPLACE_CMD} -e "s,%%WWWOWN%%,${WWWOWN}," -e "s,%%WWWGRP%%,${WWWGRP}," \ ${WRKSRC}/docs/conf/httpd.conf ${REINPLACE_CMD} -e "s,%%PREFIX%%,${PREFIX}," ${WRKSRC}/support/envvars-std post-install: @${MKDIR} ${ETC_SUBDIRS:S|^|${STAGEDIR}${ETCDIR}/|} ${INSTALL_DATA} ${FILESDIR}/no-accf.conf ${STAGEDIR}${ETCDIR}/Includes/ # place for 3rd party module configuration ${INSTALL_DATA} ${FILESDIR}/README_modules.d ${STAGEDIR}${ETCDIR}/modules.d/ # strip returns an error for non binary files, but we have a big mix -${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/* 2>/dev/null -${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/* -${STRIP_CMD} ${STAGEDIR}${PREFIX}/libexec/apache24/mod_*.so post-install-LOG_FORENSIC-on: ${INSTALL_SCRIPT} ${WRKSRC}/support/check_forensic ${STAGEDIR}${PREFIX}/sbin # maintainer only, check for new modules modlist: extract @${AWK} '/: checking whether to enable mod_/ \ {printf "%%%%%s%%%%libexec/apache24/%s.so\n", \ toupper($$8), $$8}' ${WRKSRC}/configure.upstream \ | ${TR} -d '"' \ | ${SORT} -u \ | ${GREP} -E -v '^%%MOD_(HTTP|ISAPI|LOG_CONFIG|PRIVILEGES|SO|UNIXD)%%' .include Index: branches/2016Q3/www/apache24/files/patch-httpoxy =================================================================== --- branches/2016Q3/www/apache24/files/patch-httpoxy (nonexistent) +++ branches/2016Q3/www/apache24/files/patch-httpoxy (revision 418804) @@ -0,0 +1,63 @@ +https://www.apache.org/security/asf-httpoxy-response.txt + +Apache HTTP Server may be configured to proxy HTTP requests as a forward +or reverse (gateway) proxy server, can proxy requests to a FastCGI service +using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi +or mod_cgid or the related mod_isapi service. The project's mod_fcgid +subproject (available as a separate add-in module) directly manages CGI +scripts using the FastCGI protocol. + +It may also be configured to directly host a number of external modules +which run CGI-style applications in-process. The server itself does not +modify the CGI environment in this case, however, these external modules +may perform such modifications of their environment variables in-process. +Such examples include mod_php, mod_perl and mod_wsgi. + +To mitigate "httpoxy" issues across all of the above mechanisms, the most +direct solution is to drop any "Proxy:" header arriving from an upstream +proxy server or the origin user-agent. this will mitigate the issue for any +vulnerable back-end server or CGI across all traffic through this server. + +The two lines below enabled in the httpd.conf file will remove the "Proxy:" +header from all incoming requests, before further processing; + + LoadModule headers_module {path-to}/mod_headers.so + + RequestHeader unset Proxy early + +(Users who have mod_headers compiled-in to the httpd binary must omit +the LoadModule directive above, others must adjust the {path-to} to point +to the mod_headers.so file.) + +If the administrator wishes to preserve the value of the "Proxy:" header +for most traffic, and only eliminate it from the CGI environment variable +HTTP_PROXY, a second mitigation is offered. This patch will address this +behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid, +along with all other consumers of httpd's built-in environment handling. + +The bundled httpd modules all rely on ap_add_common_vars() to set up the +target CGI environment. The project will include the recommended patch +below in all subsequent releases of httpd, including 2.4.24 and 2.2.32. +Users who build httpd 2.2.x or 2.4.x from source may apply the patch below, +recompile and re-install httpd to obtain this mitigation. This migitation +has been assigned the identifier CVE-2016-5387 . + +======= Patch to httpd sources 2.4.x and 2.2.x ======= + +--- server/util_script.c (revision 1752426) ++++ server/util_script.c (working copy) +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them Property changes on: branches/2016Q3/www/apache24/files/patch-httpoxy ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2016Q3 =================================================================== --- branches/2016Q3 (revision 418803) +++ branches/2016Q3 (revision 418804) Property changes on: branches/2016Q3 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r418743