Index: head/www/apache24/Makefile
===================================================================
--- head/www/apache24/Makefile (revision 429062)
+++ head/www/apache24/Makefile (revision 429063)
@@ -1,214 +1,213 @@ # $FreeBSD$ PORTNAME= apache24 -PORTVERSION= 2.4.23 -PORTREVISION= 3 +PORTVERSION= 2.4.25 CATEGORIES= www ipv6 MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} DIST_SUBDIR= apache24 MAINTAINER= apache@FreeBSD.org COMMENT= Version 2.4.x of Apache web server LICENSE= APACHE20 LICENSE_FILE= ${WRKSRC}/LICENSE LIB_DEPENDS= libexpat.so:textproc/expat2 \ libapr-1.so:devel/apr1 \ libpcre.so:devel/pcre CONFLICTS_INSTALL= caudium14-1.* \ apache-*-2.2.* apache22-* USE_APACHE= common24 USES= autoreconf cpe iconv libtool perl5 tar:bzip2 USE_PERL5= run USE_RC_SUBR= apache24 htcacheclean GNU_CONFIGURE= yes CPE_VENDOR= apache CPE_PRODUCT= http_server PORTDOCS= * SUB_FILES= pkg-install pkg-deinstall # XXX: before running makepatch please run the command # `$SED -e 's/PATCH_PATH_SEPARATOR=/PATCH_PATH_SEPARATOR?=/' Mk/bsd.port.mk PATCH_PATH_SEPARATOR= __ # Fallback MPM after switching from static to modular MPM SUB_LIST+= MPMF="000_mpm_prefork_fallback.conf" USERS= www GROUPS= www # for slave ports .if !defined(MASTERDIR) APACHEDIR= ${.CURDIR} .else APACHEDIR= ${MASTERDIR} .endif WITH_HTTP_PORT?= 80 WITH_SSL_PORT?= 443 .if !defined(WITH_DEBUG) EXTRA_PATCHES+= ${FILESDIR}/extra-patch-server_buildmark.c .endif .include "${APACHEDIR}/Makefile.options" .include "${APACHEDIR}/Makefile.options.desc" # IMPLIES AUTHN_DBD_IMPLIES= DBD HEARTBEAT_IMPLIES= WATCHDOG STATUS HEARTMONITOR_IMPLIES= WATCHDOG STATUS LBMETHOD_HEARTBEAT_IMPLIES= WATCHDOG STATUS HEARTMONITOR PROXY_HCHECK_IMPLIES= WATCHDOG # MPM MPM_PREFORK_CONFIGURE_ON= --with-mpm=prefork MPM_WORKER_CONFIGURE_ON= --with-mpm=worker MPM_EVENT_CONFIGURE_ON= --with-mpm=event AUTHNZ_LDAP_CONFIGURE_ON= --enable-authnz-ldap # http://httpd.apache.org/docs/2.4/bind.html IPV4_MAPPED_CONFIGURE_ENABLE= v4-mapped LDAP_CONFIGURE_ON= --enable-ldap=shared HTTP2_CONFIGURE_ON= --with-nghttp2=${LOCALBASE} HTTP2_LIB_DEPENDS= libnghttp2.so:www/libnghttp2 LUAJIT_LIB_DEPENDS= libluajit-5.1.so:lang/luajit LUA_CONFIGURE_WITH= lua 
LUA_USES= lua PROXY_HTTP2_CONFIGURE_ON= --with-nghttp2=${LOCALBASE} PROXY_HTTP2_LIB_DEPENDS= libnghttp2.so:www/libnghttp2 SOCACHE_DC_CONFIGURE_ON= --with-distcache=${LOCALBASE} SOCACHE_DC_LIB_DEPENDS= libdistcache.so:security/distcache # Note: # OpenSSL version (base/ports) depends how devel/apr1 was build # apu-1-config --(includes|ldflags) and apr_rules.mk SSL_CFLAGS= -I${OPENSSLINC} SSL_CONFIGURE_ON= --with-ssl=${OPENSSLBASE} SSL_LDFLAGS= -L${OPENSSLLIB} SSL_USES= ssl .include ETC_SUBDIRS= Includes envvars.d extra modules.d APR_CONFIG?= ${LOCALBASE}/bin/apr-1-config APU_CONFIG?= ${LOCALBASE}/bin/apu-1-config # APU modules used by AUTHN_DBD DBD APU_DBD_MYSQL?= ${LOCALBASE}/lib/apr-util-1/apr_dbd_mysql.so APU_DBD_PGSQL?= ${LOCALBASE}/lib/apr-util-1/apr_dbd_pgsql.so APU_DBD_SQLITE3?= ${LOCALBASE}/lib/apr-util-1/apr_dbd_sqlite3.so # APU module used by AUTHNZ_LDAP LDAP APU_LDAP?= ${LOCALBASE}/lib/apr-util-1/apr_ldap.so # APU module used by SESSION_CRYPTO APU_CRYPTO_OPENSSL?= ${LOCALBASE}/lib/apr-util-1/apr_crypto_openssl.so APU_CRYPTO_NSS?= ${LOCALBASE}/lib/apr-util-1/apr_crypto_nss.so PREFIX_RELDEST= ${PREFIX:S,^${DESTDIR},,} CONFIGURE_ARGS+=--prefix=${PREFIX_RELDEST} \ --enable-layout=FreeBSD \ --with-port=${WITH_HTTP_PORT} \ --with-sslport=${WITH_SSL_PORT} \ --with-expat=${LOCALBASE} \ --with-iconv=${ICONV_PREFIX} \ --enable-http \ --with-pcre=${LOCALBASE} \ --with-apr=${APR_CONFIG} \ --with-apr-util=${APU_CONFIG} CONFIGURE_ENV= LOCALBASE="${LOCALBASE}" \ CONFIG_SHELL="${SH}" MAKE_ENV+= EXPR_COMPAT=yes \ INSTALL_MAN="${INSTALL_MAN}" \ DATADIR=${DATADIR} #===================================================== # CONFIGURE_ARGS will be handled in Makefile.modules, # here we do only OPTIONS fixups .if ${PORT_OPTIONS:MLUA} CONFIGURE_ENV+= LUA_CFLAGS="-I${LUA_INCDIR}" \ LUA_LIBS="-L${LUA_LIBDIR} -llua-${LUA_VER}" .endif .if ${PORT_OPTIONS:MPROXY_HTML} || ${PORT_OPTIONS:MXML2ENC} USE_GNOME= libxml2 .endif .include .include "${APACHEDIR}/Makefile.modules" post-extract: # 
remove possible leftover .svn directories in the sources @${FIND} ${WRKSRC} -type d -name .svn -print | ${XARGS} ${RM} -r # limit grep results ... @${FIND} ${WRKSRC} -type f \( -name 'NWGNU*' -o -name '*.ds?' -o -name '*.dep' -o -name '*.mak' -o -name '*.win' -o -name '*.vbs' -o -name '*.wsf' \) -delete # make sure the configure script contains our patches, preserve the original script for comparsion -${MV} -v ${WRKSRC}/configure ${WRKSRC}/configure.upstream # make stage-qa script happy, it complains on empty dirs even 'PORTDOCS=*' is set # use RMDIR in case upstream ever place some files into this directories .for d in xsl/util xsl lang -${RMDIR} ${WRKSRC}/docs/manual/style/${d} .endfor post-patch: ${REINPLACE_CMD} -e 's," PLATFORM ",FreeBSD,' ${WRKSRC}/server/core.c ${REINPLACE_CMD} -e 's|logs/error_log|/var/log/httpd-error.log|' \ ${WRKSRC}/include/httpd.h ${REINPLACE_CMD} -e 's|perlbin=.*|perlbin=${PERL}|' \ ${WRKSRC}/configure.in ${RM} ${WRKSRC}/docs/docroot/*.bak ${INSTALL_DATA} ${WRKSRC}/NOTICE ${WRKSRC}/docs/manual pre-configure:: @${ECHO_MSG} "" @${ECHO_MSG} " You can check your modules configuration by using make show-modules" @${ECHO_MSG} "" # silence autotools -${MV} -v ${WRKSRC}/configure.in ${WRKSRC}/configure.ac post-configure: @FTPUSERS=`${EGREP} -v '^#' /etc/ftpusers| ${TR} -s "\n" " "` ;\ ${REINPLACE_CMD} -e "s,%%FTPUSERS%%,$${FTPUSERS}," \ ${WRKSRC}/docs/conf/extra/httpd-userdir.conf ${REINPLACE_CMD} -e "s,%%WWWOWN%%,${WWWOWN}," -e "s,%%WWWGRP%%,${WWWGRP}," \ ${WRKSRC}/docs/conf/httpd.conf ${REINPLACE_CMD} -e "s,%%PREFIX%%,${PREFIX}," ${WRKSRC}/support/envvars-std post-install: @${MKDIR} ${ETC_SUBDIRS:S|^|${STAGEDIR}${ETCDIR}/|} ${INSTALL_DATA} ${FILESDIR}/no-accf.conf ${STAGEDIR}${ETCDIR}/Includes/ # place for 3rd party module configuration ${INSTALL_DATA} ${FILESDIR}/README_modules.d ${STAGEDIR}${ETCDIR}/modules.d/ # strip returns an error for non binary files, but we have a big mix -${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/* 2>/dev/null 
-${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/* -${STRIP_CMD} ${STAGEDIR}${PREFIX}/libexec/apache24/mod_*.so post-install-LOG_FORENSIC-on: ${INSTALL_SCRIPT} ${WRKSRC}/support/check_forensic ${STAGEDIR}${PREFIX}/sbin # maintainer only, check for new modules modlist: extract @${AWK} '/: checking whether to enable mod_/ \ {printf "%%%%%s%%%%libexec/apache24/%s.so\n", \ toupper($$8), $$8}' ${WRKSRC}/configure.upstream \ | ${TR} -d '"' \ | ${SORT} -u \ | ${GREP} -E -v '^%%MOD_(HTTP|ISAPI|LOG_CONFIG|PRIVILEGES|SO|UNIXD)%%' .include
Index: head/www/apache24/distinfo
===================================================================
--- head/www/apache24/distinfo (revision 429062)
+++ head/www/apache24/distinfo (revision 429063)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1467307196
-SHA256 (apache24/httpd-2.4.23.tar.bz2) = 0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58
-SIZE (apache24/httpd-2.4.23.tar.bz2) = 6351875
+TIMESTAMP = 1482168542
+SHA256 (apache24/httpd-2.4.25.tar.bz2) = f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2
+SIZE (apache24/httpd-2.4.25.tar.bz2) = 6398218
Index: head/www/apache24/files/patch-httpoxy
===================================================================
--- head/www/apache24/files/patch-httpoxy (revision 429062)
+++ head/www/apache24/files/patch-httpoxy (nonexistent)
@@ -1,63 +0,0 @@
-https://www.apache.org/security/asf-httpoxy-response.txt
-
-Apache HTTP Server may be configured to proxy HTTP requests as a forward
-or reverse (gateway) proxy server, can proxy requests to a FastCGI service
-using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi
-or mod_cgid or the related mod_isapi service. The project's mod_fcgid
-subproject (available as a separate add-in module) directly manages CGI
-scripts using the FastCGI protocol.
-
-It may also be configured to directly host a number of external modules
-which run CGI-style applications in-process. The server itself does not
-modify the CGI environment in this case, however, these external modules
-may perform such modifications of their environment variables in-process.
-Such examples include mod_php, mod_perl and mod_wsgi.
-
-To mitigate "httpoxy" issues across all of the above mechanisms, the most
-direct solution is to drop any "Proxy:" header arriving from an upstream
-proxy server or the origin user-agent. this will mitigate the issue for any
-vulnerable back-end server or CGI across all traffic through this server.
-
-The two lines below enabled in the httpd.conf file will remove the "Proxy:"
-header from all incoming requests, before further processing;
-
- LoadModule headers_module {path-to}/mod_headers.so
-
- RequestHeader unset Proxy early
-
-(Users who have mod_headers compiled-in to the httpd binary must omit
-the LoadModule directive above, others must adjust the {path-to} to point
-to the mod_headers.so file.)
-
-If the administrator wishes to preserve the value of the "Proxy:" header
-for most traffic, and only eliminate it from the CGI environment variable
-HTTP_PROXY, a second mitigation is offered. This patch will address this
-behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid,
-along with all other consumers of httpd's built-in environment handling.
-
-The bundled httpd modules all rely on ap_add_common_vars() to set up the
-target CGI environment. The project will include the recommended patch
-below in all subsequent releases of httpd, including 2.4.24 and 2.2.32.
-Users who build httpd 2.2.x or 2.4.x from source may apply the patch below,
-recompile and re-install httpd to obtain this mitigation. This migitation
-has been assigned the identifier CVE-2016-5387 .
-
-======= Patch to httpd sources 2.4.x and 2.2.x =======
-
---- server/util_script.c (revision 1752426)
-+++ server/util_script.c (working copy)
-@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
- else if (!strcasecmp(hdrs[i].key, "Content-length")) {
- apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
- }
-+ /* HTTP_PROXY collides with a popular envvar used to configure
-+ * proxies, don't let clients set/override it. But, if you must...
-+ */
-+#ifndef SECURITY_HOLE_PASS_PROXY
-+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
-+ ;
-+ }
-+#endif
- /*
- * You really don't want to disable this check, since it leaves you
- * wide open to CGIs stealing passwords and people viewing them
Property changes on: head/www/apache24/files/patch-httpoxy
___________________________________________________________________
Deleted: fbsd:nokeywords
## -1 +0,0 ##
-yes
\ No newline at end of property
Deleted: svn:eol-style
## -1 +0,0 ##
-native
\ No newline at end of property
Deleted: svn:mime-type
## -1 +0,0 ##
-text/plain
\ No newline at end of property
Index: head/www/apache24/files/patch-CVE-2016-8740
===================================================================
--- head/www/apache24/files/patch-CVE-2016-8740 (revision 429062)
+++ head/www/apache24/files/patch-CVE-2016-8740 (nonexistent)
@@ -1,116 +0,0 @@
- Security Advisory
- Apache Software Foundation
- Apache HTTPD WebServer / httpd.apache.org
-
- Server memory can be exhausted and service denied when HTTP/2 is used
-
- CVE-2016-8740
-
-The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply limitations
-on request headers correctly when experimental module for the HTTP/2
-protocol is used to access a resource.
-
-The net result is that a the server allocates too much memory instead of denying
-the request. This can lead to memory exhaustion of the server by a properly
-crafted request.
-
-Background:
-- -----------
-
-Apache has limits on the number and length of request header fields. which
-limits the amount of memory a client can allocate on the server for a request.
-
-Version 2.4.17 of the Apache HTTP Server introduced an experimental feature:
-mod_http2 for the HTTP/2 protocol (RFC7540, previous versions were known as
-Google SPDY).
-
-This module is NOT compiled in by default -and- is not enabled by default,
-although some distribution may have chosen to do so.
-
-It is generally needs to be enabled in the 'Protocols' line in httpd by
-adding 'h2' and/or 'h2c' to the 'http/1.1' only default.
-
-The default distributions of the Apache Software Foundation do not include
-this experimental feature.
-
-Details:
-- --------
-
-- From version 2.4.17, upto and including version 2.4.23 the server failed
-to take the limitations on request memory use into account when providing
-access to a resource over HTTP/2. This issue has been fixed
-in version 2.4.23 (r1772576).
-
-As a result - with a request using the HTTP/2 protocol a specially crafted
-request can allocate memory on the server until it reaches its limit. This can
-lead to denial of service for all requests against the server.
-
-Impact:
-- -------
-
-This can lead to denial of service for all server resources.
-Versions affected:
-- ------------------
-All versions from 2.4.17 to 2.4.23.
-
-Resolution:
-- -----------
-
-For a 2.4.23 version a patch is supplied. This will be included in the
-next release.
-
-Mitigations and work arounds:
-- -----------------------------
-
-As a temporary workaround - HTTP/2 can be disabled by changing
-the configuration by removing h2 and h2c from the Protocols
-line(s) in the configuration file.
-
-The resulting line should read:
-
- Protocols http/1.1
-
-Credits and timeline
-- --------------------
-
-The flaw was found and reported by Naveen Tiwari
-and CDF/SEFCOM at Arizona State University on 2016-11-22. The issue was
-resolved by Stefan Eissing and incorporated in the Apache repository,
-ready for inclusion in the next release.
-
-Apache would like to thank all involved for their help with this.
-
-Index: modules/http2/h2_stream.c
-===================================================================
---- modules/http2/h2_stream.c (revision 1771866)
-+++ modules/http2/h2_stream.c (working copy)
-@@ -322,18 +322,18 @@
- HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE);
- }
- }
-- }
--
-- if (h2_stream_is_scheduled(stream)) {
-- return h2_request_add_trailer(stream->request, stream->pool,
-- name, nlen, value, vlen);
-- }
-- else {
-- if (!input_open(stream)) {
-- return APR_ECONNRESET;
-+
-+ if (h2_stream_is_scheduled(stream)) {
-+ return h2_request_add_trailer(stream->request, stream->pool,
-+ name, nlen, value, vlen);
- }
-- return h2_request_add_header(stream->request, stream->pool,
-- name, nlen, value, vlen);
-+ else {
-+ if (!input_open(stream)) {
-+ return APR_ECONNRESET;
-+ }
-+ return h2_request_add_header(stream->request, stream->pool,
-+ name, nlen, value, vlen);
-+ }
- }
- }
-
Property changes on: head/www/apache24/files/patch-CVE-2016-8740
___________________________________________________________________
Deleted: fbsd:nokeywords
## -1 +0,0 ##
-yes
\ No newline at end of property
Deleted: svn:eol-style
## -1 +0,0 ##
-native
\ No newline at end of property
Deleted: svn:mime-type
## -1 +0,0 ##
-text/plain
\ No newline at end of property