Fix httpoxy vulnerability.
Bump PKGREVISION.
This commit is contained in:
parent
fc8e415dac
commit
71d4389b6f
3 changed files with 26 additions and 3 deletions
|
@ -1,8 +1,8 @@
|
|||
# $NetBSD: Makefile,v 1.109 2016/07/09 06:39:10 wiz Exp $
|
||||
# $NetBSD: Makefile,v 1.110 2016/07/29 11:10:24 wiz Exp $
|
||||
|
||||
DISTNAME= httpd-2.2.31
|
||||
PKGNAME= ${DISTNAME:S/httpd/apache/}
|
||||
PKGREVISION= 3
|
||||
PKGREVISION= 4
|
||||
CATEGORIES= www
|
||||
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
|
||||
http://archive.apache.org/dist/httpd/ \
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
$NetBSD: distinfo,v 1.64 2015/11/12 15:21:51 prlw1 Exp $
|
||||
$NetBSD: distinfo,v 1.65 2016/07/29 11:10:24 wiz Exp $
|
||||
|
||||
SHA1 (httpd-2.2.31.tar.bz2) = e3b55387112206307ba76526820a2627472f3787
|
||||
RMD160 (httpd-2.2.31.tar.bz2) = 5b073f5f556c74e19eba8e40faa5c5fa308e018a
|
||||
|
@ -22,3 +22,4 @@ SHA1 (patch-modules_proxy_mod_proxy.h) = a4453d85f6a3cf43df44f4e491aee07aaff4490
|
|||
SHA1 (patch-modules_proxy_mod_proxy_connect.c) = b2b5d0242a92c7bf20b14c16d8cd3abae42f3746
|
||||
SHA1 (patch-modules_proxy_proxy_util.c) = 1368694ef3141c3a1e9a1ddd73664bbb33465271
|
||||
SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1
|
||||
SHA1 (patch-server_util__script.c) = 770f773ba278ec774f1f5a812fa9956fad9cc3f8
|
||||
|
|
22
www/apache22/patches/patch-server_util__script.c
Normal file
22
www/apache22/patches/patch-server_util__script.c
Normal file
|
@ -0,0 +1,22 @@
|
|||
$NetBSD: patch-server_util__script.c,v 1.1 2016/07/29 11:10:24 wiz Exp $
|
||||
|
||||
Fix httpoxy vulnerability.
|
||||
https://www.apache.org/security/asf-httpoxy-response.txt
|
||||
|
||||
--- server/util_script.c.orig 2012-08-21 17:42:49.000000000 +0000
|
||||
+++ server/util_script.c
|
||||
@@ -165,6 +165,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
|
||||
else if (!strcasecmp(hdrs[i].key, "Content-length")) {
|
||||
apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
|
||||
}
|
||||
+ /* HTTP_PROXY collides with a popular envvar used to configure
|
||||
+ * proxies, don't let clients set/override it. But, if you must...
|
||||
+ */
|
||||
+#ifndef SECURITY_HOLE_PASS_PROXY
|
||||
+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
|
||||
+ ;
|
||||
+ }
|
||||
+#endif
|
||||
/*
|
||||
* You really don't want to disable this check, since it leaves you
|
||||
* wide open to CGIs stealing passwords and people viewing them
|
Loading…
Reference in a new issue