# HG changeset patch # User Petr Sumbera # Date 1482334690 28800 # Node ID 3db1c2ef2aa915979cc002acc85b40dae99bd72a # Parent 65eec8af934cd0fa9d50b7353e026ccbe5191ef8 25305111 Upgrade Apache Web Server to version 2.4.25 25260686 problem in UTILITY/APACHE 25305144 problem in UTILITY/APACHE diff -r 65eec8af934c -r 3db1c2ef2aa9 components/apache24/Makefile --- a/components/apache24/Makefile Wed Jan 18 08:23:14 2017 -0800 +++ b/components/apache24/Makefile Wed Dec 21 07:38:10 2016 -0800 @@ -26,15 +26,15 @@ include ../../make-rules/shared-macros.mk COMPONENT_NAME= apache2 -COMPONENT_VERSION= 2.4.23 +COMPONENT_VERSION= 2.4.25 COMPONENT_PROJECT_URL= http://httpd.apache.org/ COMPONENT_SRC_NAME= httpd COMPONENT_ARCHIVE_HASH= \ - sha256:b71a13f56b8061c6b4086fdcc9ffdddd904449735eadec0f0e2947e33eec91d7 + sha256:be6c5eb805216ec205453bb02b1990c82609cb1b145bcb69dc6e99fff45493a9 COMPONENT_ARCHIVE_URL= http://archive.apache.org/dist/httpd/$(COMPONENT_ARCHIVE) COMPONENT_BUGDB= utility/apache -TPNO= 30187 +TPNO= 33113 CONFIGURE_DEFAULT_DIRS=no TEST_TARGET= $(NO_TESTS) diff -r 65eec8af934c -r 3db1c2ef2aa9 components/apache24/patches/bug60577.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/apache24/patches/bug60577.patch Wed Dec 21 07:38:10 2016 -0800 
@@ -0,0 +1,80 @@ +https://bz.apache.org/bugzilla/show_bug.cgi?id=60577 + +Index: modules/cache/cache_util.c +=================================================================== +--- modules/cache/cache_util.c (revision 1778044) ++++ modules/cache/cache_util.c (working copy) +@@ -31,10 +31,8 @@ extern module AP_MODULE_DECLARE_DATA cache_module; + * in "filter". All but the path comparisons are case-insensitive. + */ + static int uri_meets_conditions(const apr_uri_t *filter, const int pathlen, +- request_rec *r) ++ const apr_uri_t *url) + { +- const apr_uri_t *url = &r->parsed_uri; +- + /* Scheme, hostname port and local part. The filter URI and the + * URI we test may have the following shapes: + * / +@@ -114,7 +112,7 @@ static int uri_meets_conditions(const apr_uri_t *f + /* For HTTP caching purposes, an empty (NULL) path is equivalent to + * a single "/" path. RFCs 3986/2396 + */ +- if (!r->uri) { ++ if (!url->path) { + if (*filter->path == '/' && pathlen == 1) { + return 1; + } +@@ -126,7 +124,7 @@ static int uri_meets_conditions(const apr_uri_t *f + /* Url has met all of the filter conditions so far, determine + * if the paths match. 
+ */ +- return !strncmp(filter->path, r->uri, pathlen); ++ return !strncmp(filter->path, url->path, pathlen); + } + + static cache_provider_list *get_provider(request_rec *r, struct cache_enable *ent, +@@ -172,6 +170,7 @@ cache_provider_list *cache_get_providers(request_r + { + cache_dir_conf *dconf = ap_get_module_config(r->per_dir_config, &cache_module); + cache_provider_list *providers = NULL; ++ const apr_uri_t *url; + int i; + + /* per directory cache disable */ +@@ -179,11 +178,25 @@ cache_provider_list *cache_get_providers(request_r + return NULL; + } + ++ url = &r->parsed_uri; ++ if (url->path != r->uri || (r->uri && strcmp(url->path, r->uri))) { ++ apr_uri_t *uri = apr_pcalloc(r->pool, sizeof *uri); ++ if (r->uri && apr_uri_parse(r->pool, r->uri, uri)) { ++ return NULL; ++ } ++ if (!uri->scheme) { ++ char *path = uri->path; ++ memcpy(uri, url, sizeof *uri); ++ uri->path = path; ++ } ++ url = uri; ++ } ++ + /* global cache disable */ + for (i = 0; i < conf->cachedisable->nelts; i++) { + struct cache_disable *ent = + (struct cache_disable *)conf->cachedisable->elts; +- if (uri_meets_conditions(&ent[i].url, ent[i].pathlen, r)) { ++ if (uri_meets_conditions(&ent[i].url, ent[i].pathlen, url)) { + /* Stop searching now. */ + return NULL; + } +@@ -200,7 +213,7 @@ cache_provider_list *cache_get_providers(request_r + for (i = 0; i < conf->cacheenable->nelts; i++) { + struct cache_enable *ent = + (struct cache_enable *)conf->cacheenable->elts; +- if (uri_meets_conditions(&ent[i].url, ent[i].pathlen, r)) { ++ if (uri_meets_conditions(&ent[i].url, ent[i].pathlen, url)) { + providers = get_provider(r, &ent[i], providers); + } + } diff -r 65eec8af934c -r 3db1c2ef2aa9 components/apache24/patches/httpoxy.patch --- a/components/apache24/patches/httpoxy.patch Wed Jan 18 08:23:14 2017 -0800 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,39 +0,0 @@ -https://www.apache.org/security/asf-httpoxy-response.txt -http://svn.apache.org/viewvc?view=revision&revision=1753228 -http://svn.apache.org/viewvc?view=revision&revision=1753229 - ---- docs/conf/httpd.conf.in 2016/07/18 14:00:30 1753227 -+++ docs/conf/httpd.conf.in 2016/07/18 14:07:00 1753228 -@@ -283,6 +283,15 @@ - Require all granted - - -+ -+ # -+ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied -+ # backend servers which have lingering "httpoxy" defects. -+ # 'Proxy' request header is undefined by the IETF, not listed by IANA -+ # -+ RequestHeader unset Proxy early -+ -+ - - # - # TypesConfig points to the file containing the list of mappings from ---- server/util_script.c 2016/07/18 14:00:30 1753227 -+++ server/util_script.c 2016/07/18 14:07:00 1753228 -@@ -186,6 +186,14 @@ - else if (!strcasecmp(hdrs[i].key, "Content-length")) { - apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); - } -+ /* HTTP_PROXY collides with a popular envvar used to configure -+ * proxies, don't let clients set/override it. But, if you must... -+ */ -+#ifndef SECURITY_HOLE_PASS_PROXY -+ else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) { -+ ; -+ } -+#endif - /* - * You really don't want to disable this check, since it leaves you - * wide open to CGIs stealing passwords and people viewing them
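Review bot: in the components/apache24/Makefile hunk, the unchanged context line `COMPONENT_ARCHIVE_URL= http://archive.apache.org/dist/httpd/$(COMPONENT_ARCHIVE)` still fetches the tarball over plain HTTP, so the updated `COMPONENT_ARCHIVE_HASH` is the only integrity control on the download. Since this change replaces that hash, the commit message should say how the new value was verified (for example against the upstream release signature), and the URL could move to https while the line is being reviewed. The three bug IDs in the description also say only "problem in UTILITY/APACHE", which gives a reader no way to tell which fixes the upgrade is meant to deliver.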
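Review bot: in components/apache24/patches/bug60577.patch, the guard added to cache_get_providers(), `if (url->path != r->uri || (r->uri && strcmp(url->path, r->uri)))`, has a dead second clause: the `strcmp` is evaluated only when the two pointers are equal, and then it always returns 0. As written, the block allocates and re-parses whenever the pointers differ, even if the strings are identical. If a content comparison was intended, it needs to be restructured with an explicit NULL check on `url->path` before the `strcmp`; if pointer inequality is the intent, drop the `strcmp` clause. Separately, the `return NULL` taken when `apr_uri_parse` fails disables caching for the request with no log line, which will be hard to diagnose. The patch header carries only the Bugzilla URL; a line on upstream status would help, since the diff is against "(working copy)".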
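Review bot: the deletion of components/apache24/patches/httpoxy.patch is not explained anywhere in the commit message, and this patch carried two separate mitigations: the `RequestHeader unset Proxy early` default in docs/conf/httpd.conf.in and the `ap_cstr_casecmp(hdrs[i].key, "Proxy")` filter in server/util_script.c. Please state in the description that 2.4.25 contains the upstream revisions referenced in the removed file (1753228 and 1753229) and confirm that both the config default and the util_script.c check are present in the new source, so the removal is visibly a no-op rather than a dropped fix.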