freebsd-ports/www/apache20/files/patch-support__apxs.in

--- ./support/apxs.in.orig	2010-05-07 20:43:34.000000000 +0000
+++ ./support/apxs.in	2010-10-21 05:40:35.682625070 +0000
@@ -83,7 +83,6 @@
     my ($argumentative, @ARGV) = @_;
     my $errs = 0;
     local $_;
-    local $[ = 0;
 
     my @args = split / */, $argumentative;
     while (@ARGV && ($_ = $ARGV[0]) =~ /^-(.)(.*)/) {
@@ -614,7 +613,13 @@
                 }
             } else {
                 # replace already existing LoadModule line
-                $content =~ s|^(.*\n)#?\s*$lmd_re[^\n]*\n|$1$c$lmd\n|s;
+                # Custom FreeBSD mod
+                if ($opt_A) {
+                    $content =~ s|^(.*\n)#?\s*$lmd_re[^\n]*\n|$1|s;
+                }
+                else {
+                    $content =~ s|^(.*\n)#?\s*$lmd_re[^\n]*\n|$1$c$lmd\n|s;
+                }
             }
             $lmd =~ m|LoadModule\s+(.+?)_module.*|;
             notice("[$what module `$1' in $CFG_SYSCONFDIR/$CFG_TARGET.conf]");
@@ -631,8 +636,7 @@
             if (open(FP, ">$CFG_SYSCONFDIR/$CFG_TARGET.conf.new")) {
                 print FP $content;
                 close(FP);
-                system("cp $CFG_SYSCONFDIR/$CFG_TARGET.conf $CFG_SYSCONFDIR/$CFG_TARGET.conf.bak && " .
-                       "cp $CFG_SYSCONFDIR/$CFG_TARGET.conf.new $CFG_SYSCONFDIR/$CFG_TARGET.conf && " .
+                system("cp $CFG_SYSCONFDIR/$CFG_TARGET.conf.new $CFG_SYSCONFDIR/$CFG_TARGET.conf && " .
                        "rm $CFG_SYSCONFDIR/$CFG_TARGET.conf.new");
             } else {
                 notice("unable to open configuration file");
- Update to 2.0.64 - normalize patch-pcre.diff into makepatch format - All 4 CVE patches are included upstream and part of 2.0.64 - part of the local apxs.in changes are upstream now too - some patches were regenerated for offset updates There is NO security update here. Changes: http://www.apache.org/dist/httpd/CHANGES_2.0 With Hat: apache@ <ChangeLog> ) SECURITY: CVE-2010-1452 (cve.mitre.org) mod_dav: Fix Handling of requests without a path segment. PR: 49246 [Mark Drayton, Jeff Trawick] ) SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. PR 39605. [Joe Orton, Ruediger Pluem] ) SECURITY: CVE-2009-3095 (cve.mitre.org) mod_proxy_ftp: sanity check authn credentials. [Stefan Fritsch <sf fritsch.de>, Joe Orton] ) SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths. [Stefan Fritsch <sf fritsch.de>, Joe Orton] ) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol, RFC 5746. [Joe Orton, and with thanks to the OpenSSL Team] ) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: A partial fix for the TLS renegotiation prefix injection attack for OpenSSL versions prior to 0.9.8l; reject any client-initiated renegotiations. Forcibly disable keepalive for the connection if there is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using openssl 0.9.8l or later. [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>, Rainer Jung] ) SECURITY: CVE-2010-0434 (cve.mitre.org) Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Elimiates a problematic optimization in the case of no request body. PR 48359 [Jake Scott, William Rowe, Ruediger Pluem] ) SECURITY: CVE-2008-2364 (cve.mitre.org) mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem, Joe Orton, Jim Jagielski] ) SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick] ) SECURITY: CVE-2008-2939 (cve.mitre.org) mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem] ) Fix recursive ErrorDocument handling. PR 36090 [Chris Darroch] ) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton] ) Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass through on a 304 response. [Nick Kew] ) apxs: Fix -A and -a options to ignore whitespace in httpd.conf [Philip M. Gollucci] </ChangeLog> 2010-10-21 07:55:24 +02:00			`--- ./support/apxs.in.orig 2010-05-07 20:43:34.000000000 +0000`
			`+++ ./support/apxs.in 2010-10-21 05:40:35.682625070 +0000`
- Dupliate $] fix in apxs in www/apache22 - Rename rc.d script apache2.sh -> apache2 - Bump PORTREVISION With Hat: apache@ 2010-05-13 03:13:19 +02:00			`@@ -83,7 +83,6 @@`
			`my ($argumentative, @ARGV) = @_;`
			`my $errs = 0;`
			`local $_;`
			`- local $[ = 0;`

			`my @args = split / */, $argumentative;`
			`while (@ARGV && ($_ = $ARGV[0]) =~ /^-(.)(.*)/) {`
- Update to 2.0.64 - normalize patch-pcre.diff into makepatch format - All 4 CVE patches are included upstream and part of 2.0.64 - part of the local apxs.in changes are upstream now too - some patches were regenerated for offset updates There is NO security update here. Changes: http://www.apache.org/dist/httpd/CHANGES_2.0 With Hat: apache@ <ChangeLog> ) SECURITY: CVE-2010-1452 (cve.mitre.org) mod_dav: Fix Handling of requests without a path segment. PR: 49246 [Mark Drayton, Jeff Trawick] ) SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. PR 39605. [Joe Orton, Ruediger Pluem] ) SECURITY: CVE-2009-3095 (cve.mitre.org) mod_proxy_ftp: sanity check authn credentials. [Stefan Fritsch <sf fritsch.de>, Joe Orton] ) SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths. [Stefan Fritsch <sf fritsch.de>, Joe Orton] ) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol, RFC 5746. [Joe Orton, and with thanks to the OpenSSL Team] ) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: A partial fix for the TLS renegotiation prefix injection attack for OpenSSL versions prior to 0.9.8l; reject any client-initiated renegotiations. Forcibly disable keepalive for the connection if there is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using openssl 0.9.8l or later. [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>, Rainer Jung] ) SECURITY: CVE-2010-0434 (cve.mitre.org) Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Elimiates a problematic optimization in the case of no request body. PR 48359 [Jake Scott, William Rowe, Ruediger Pluem] ) SECURITY: CVE-2008-2364 (cve.mitre.org) mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem, Joe Orton, Jim Jagielski] ) SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick] ) SECURITY: CVE-2008-2939 (cve.mitre.org) mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem] ) Fix recursive ErrorDocument handling. PR 36090 [Chris Darroch] ) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton] ) Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass through on a 304 response. [Nick Kew] ) apxs: Fix -A and -a options to ignore whitespace in httpd.conf [Philip M. Gollucci] </ChangeLog> 2010-10-21 07:55:24 +02:00			`@@ -614,7 +613,13 @@`
- Fix -A and -a options for apxs to correctly ignore whitespace. This will fix about 100 pkg-plist left overs for httpd.conf apxs -A comments out the LoadModule line This adds custom FreeBSD mod to 'DELETE' the line so that it works with our pkg-plists in packages. - Remove -s form the cmp httpd.conf in pkg-plist to be blatant about why it didn't get removed - Bump PORTREVISION - This will be in 2.0.64 PR: ports/133704 Obtained from: http://svn.apache.org/viewvc?rev=942211&view=rev Reported by: olli hauer <ohauer@gmx.de> (and very good pr!) With Hat: apache@ 2010-05-07 23:48:58 +02:00			`}`
			`} else {`
			`# replace already existing LoadModule line`
- Update to 2.0.64 - normalize patch-pcre.diff into makepatch format - All 4 CVE patches are included upstream and part of 2.0.64 - part of the local apxs.in changes are upstream now too - some patches were regenerated for offset updates There is NO security update here. Changes: http://www.apache.org/dist/httpd/CHANGES_2.0 With Hat: apache@ <ChangeLog> ) SECURITY: CVE-2010-1452 (cve.mitre.org) mod_dav: Fix Handling of requests without a path segment. PR: 49246 [Mark Drayton, Jeff Trawick] ) SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. PR 39605. [Joe Orton, Ruediger Pluem] ) SECURITY: CVE-2009-3095 (cve.mitre.org) mod_proxy_ftp: sanity check authn credentials. [Stefan Fritsch <sf fritsch.de>, Joe Orton] ) SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths. [Stefan Fritsch <sf fritsch.de>, Joe Orton] ) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol, RFC 5746. [Joe Orton, and with thanks to the OpenSSL Team] ) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: A partial fix for the TLS renegotiation prefix injection attack for OpenSSL versions prior to 0.9.8l; reject any client-initiated renegotiations. Forcibly disable keepalive for the connection if there is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using openssl 0.9.8l or later. [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>, Rainer Jung] ) SECURITY: CVE-2010-0434 (cve.mitre.org) Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Elimiates a problematic optimization in the case of no request body. PR 48359 [Jake Scott, William Rowe, Ruediger Pluem] ) SECURITY: CVE-2008-2364 (cve.mitre.org) mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem, Joe Orton, Jim Jagielski] ) SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick] ) SECURITY: CVE-2008-2939 (cve.mitre.org) mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem] ) Fix recursive ErrorDocument handling. PR 36090 [Chris Darroch] ) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton] ) Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass through on a 304 response. [Nick Kew] ) apxs: Fix -A and -a options to ignore whitespace in httpd.conf [Philip M. Gollucci] </ChangeLog> 2010-10-21 07:55:24 +02:00			`- $content =~ s\|^(.\n)#?\s$lmd_re[^\n]*\n\|$1$c$lmd\n\|s;`
- That was the wrong patch file, too much git/cvs for me 2010-05-07 23:54:13 +02:00			`+ # Custom FreeBSD mod`
			`+ if ($opt_A) {`
			`+ $content =~ s\|^(.\n)#?\s$lmd_re[^\n]*\n\|$1\|s;`
			`+ }`
			`+ else {`
			`+ $content =~ s\|^(.\n)#?\s$lmd_re[^\n]*\n\|$1$c$lmd\n\|s;`
			`+ }`
- Fix -A and -a options for apxs to correctly ignore whitespace. This will fix about 100 pkg-plist left overs for httpd.conf apxs -A comments out the LoadModule line This adds custom FreeBSD mod to 'DELETE' the line so that it works with our pkg-plists in packages. - Remove -s form the cmp httpd.conf in pkg-plist to be blatant about why it didn't get removed - Bump PORTREVISION - This will be in 2.0.64 PR: ports/133704 Obtained from: http://svn.apache.org/viewvc?rev=942211&view=rev Reported by: olli hauer <ohauer@gmx.de> (and very good pr!) With Hat: apache@ 2010-05-07 23:48:58 +02:00			`}`
			`$lmd =~ m\|LoadModule\s+(.+?)_module.*\|;`
			notice("[$what module `$1' in $CFG_SYSCONFDIR/$CFG_TARGET.conf]");
- Update to 2.0.64 - normalize patch-pcre.diff into makepatch format - All 4 CVE patches are included upstream and part of 2.0.64 - part of the local apxs.in changes are upstream now too - some patches were regenerated for offset updates There is NO security update here. Changes: http://www.apache.org/dist/httpd/CHANGES_2.0 With Hat: apache@ <ChangeLog> ) SECURITY: CVE-2010-1452 (cve.mitre.org) mod_dav: Fix Handling of requests without a path segment. PR: 49246 [Mark Drayton, Jeff Trawick] ) SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. PR 39605. [Joe Orton, Ruediger Pluem] ) SECURITY: CVE-2009-3095 (cve.mitre.org) mod_proxy_ftp: sanity check authn credentials. [Stefan Fritsch <sf fritsch.de>, Joe Orton] ) SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths. [Stefan Fritsch <sf fritsch.de>, Joe Orton] ) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol, RFC 5746. [Joe Orton, and with thanks to the OpenSSL Team] ) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: A partial fix for the TLS renegotiation prefix injection attack for OpenSSL versions prior to 0.9.8l; reject any client-initiated renegotiations. Forcibly disable keepalive for the connection if there is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using openssl 0.9.8l or later. [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>, Rainer Jung] ) SECURITY: CVE-2010-0434 (cve.mitre.org) Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Elimiates a problematic optimization in the case of no request body. PR 48359 [Jake Scott, William Rowe, Ruediger Pluem] ) SECURITY: CVE-2008-2364 (cve.mitre.org) mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem, Joe Orton, Jim Jagielski] ) SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick] ) SECURITY: CVE-2008-2939 (cve.mitre.org) mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem] ) Fix recursive ErrorDocument handling. PR 36090 [Chris Darroch] ) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton] ) Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass through on a 304 response. [Nick Kew] ) apxs: Fix -A and -a options to ignore whitespace in httpd.conf [Philip M. Gollucci] </ChangeLog> 2010-10-21 07:55:24 +02:00			`@@ -631,8 +636,7 @@`
- As discussed on apache@, don't create httpd.conf.bak, and remove stalled httpd.conf.bak file at deinstall time. 2004-11-29 10:38:45 +01:00			`if (open(FP, ">$CFG_SYSCONFDIR/$CFG_TARGET.conf.new")) {`
			`print FP $content;`
			`close(FP);`
			`- system("cp $CFG_SYSCONFDIR/$CFG_TARGET.conf $CFG_SYSCONFDIR/$CFG_TARGET.conf.bak && " .`
			`- "cp $CFG_SYSCONFDIR/$CFG_TARGET.conf.new $CFG_SYSCONFDIR/$CFG_TARGET.conf && " .`
			`+ system("cp $CFG_SYSCONFDIR/$CFG_TARGET.conf.new $CFG_SYSCONFDIR/$CFG_TARGET.conf && " .`
			`"rm $CFG_SYSCONFDIR/$CFG_TARGET.conf.new");`
			`} else {`
			`notice("unable to open configuration file");`