1 |
commit: 692a27baa1b889755b928d2766f9efee17462291 |
2 |
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
3 |
AuthorDate: Wed Nov 2 14:38:57 2016 +0000 |
4 |
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
5 |
CommitDate: Wed Nov 2 14:39:15 2016 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=692a27ba |
7 |
|
8 |
www-servers/apache: Security revbumps for CVE-2016-5387 (bug #589226). |
9 |
|
10 |
Also fixes fcgi bug in apache-2.4.23 (bug #591288). |
11 |
|
12 |
Package-Manager: portage-2.3.2 |
13 |
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org> |
14 |
|
15 |
www-servers/apache/Manifest | 1 + |
16 |
www-servers/apache/apache-2.2.31-r1.ebuild | 119 +++++++++++ |
17 |
www-servers/apache/apache-2.4.23-r2.ebuild | 245 ++++++++++++++++++++++ |
18 |
www-servers/apache/files/apache-asf-httpoxy.patch | 20 ++ |
19 |
4 files changed, 385 insertions(+) |
20 |
|
21 |
diff --git a/www-servers/apache/Manifest b/www-servers/apache/Manifest |
22 |
index 5482f14..a266c24 100644 |
23 |
--- a/www-servers/apache/Manifest |
24 |
+++ b/www-servers/apache/Manifest |
25 |
@@ -1,3 +1,4 @@ |
26 |
+DIST apache-2.4.23-fcgi_fix.patch 1186 SHA256 2943092f4d16f998bed1839d762be6b12254bb59b54e027ae17a2f8042c0eac7 SHA512 5dd1d2eee99322d7af398e7e9c46da4275b83d47bbdac663c022fab734715aabaf5cf0e7abe9bf7b90b69a7b6456f4df55ec33519844124906ad9021f0331e01 WHIRLPOOL 80b03d44e861b08ade36fb317a7aa8cb13a7b79b80b6d59d90d404c9ce99590d8466cb098812b4e2fbb85e69fc7a69ce973269b1ec6ce516e2ad835566534f8e |
27 |
DIST gentoo-apache-2.2.29-20140922.tar.bz2 64135 SHA256 8c69c36c2f40fb81ee905b4dd72ab74aab4563c75149d302f372a451498e2678 SHA512 1d9aa12aa3ab79b5f80ee3fda020b33ff6798e5b1abbcbc138acea06a1ab9968ad240d2bdf9c5dbb9640fa9fb6718eec7175df7cc0fb8574cc4d7d5cdfb5bcc4 WHIRLPOOL f655300f0dcd2f4503cbdb25983fed902e4b717ff57e06f66486bebd0ed7cb8df56387be74b4259bfffad949bb446c5ec28f89065b6d5239585324b610be7b88 |
28 |
DIST gentoo-apache-2.4.18-r1-20160303.tar.bz2 24505 SHA256 d81e32d876594b48a7ff6d9123bf776c5bea5453eddd2fe40f4a9b79c11537aa SHA512 68f0c4de38ae05c45839fe692cbb7de641e331ca133b8aaaf69f3659dec15833cda95e6e074edb3a5b6b6d59b3fc5a4ee3589fff810707fe27417a25cd8a4c4d WHIRLPOOL fb61224b2104e611237e1d09eb4dfb3d2b8f023348c9622f7f19434b6b77d63786c41af17a300d994c14d983676f3753ab6fa52f7a7fcd07b9cea3d7eeacc9b9 |
29 |
DIST httpd-2.2.31.tar.bz2 5610489 SHA256 f32f9d19f535dac63b06cb55dfc023b40dcd28196b785f79f9346779e22f26ac SHA512 5aa47d4b76f692bbd8b309135ff99152df98cf69b505b9daf3f13f7f2a31443eaf4995161adfbc47a133b4d0e091fda2d95fc6b87a956f0ada18d7466ee28e74 WHIRLPOOL a2e3e53c51719cb6f7e641b41788cd89ce7b4d2ea105b403bfa3b3d4479b69c5604228269062f66722594e105e91121d05b1c9f27ca7dc4ecfcf339da8b8375c |
30 |
|
31 |
diff --git a/www-servers/apache/apache-2.2.31-r1.ebuild b/www-servers/apache/apache-2.2.31-r1.ebuild |
32 |
new file mode 100644 |
33 |
index 00000000..5e2b8c7 |
34 |
--- /dev/null |
35 |
+++ b/www-servers/apache/apache-2.2.31-r1.ebuild |
36 |
@@ -0,0 +1,119 @@ |
37 |
+# Copyright 1999-2016 Gentoo Foundation |
38 |
+# Distributed under the terms of the GNU General Public License v2 |
39 |
+# $Id$ |
40 |
+ |
41 |
+EAPI=5 |
42 |
+ |
43 |
+# latest gentoo apache files |
44 |
+GENTOO_PATCHSTAMP="20140922" |
45 |
+GENTOO_DEVELOPER="polynomial-c" |
46 |
+GENTOO_PATCHNAME="gentoo-apache-2.2.29" |
47 |
+ |
48 |
+# IUSE/USE_EXPAND magic |
49 |
+IUSE_MPMS_FORK="itk peruser prefork" |
50 |
+IUSE_MPMS_THREAD="event worker" |
51 |
+ |
52 |
+IUSE_MODULES="actions alias asis auth_basic auth_digest authn_alias authn_anon |
53 |
+authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default |
54 |
+authz_groupfile authz_host authz_owner authz_user autoindex cache cern_meta |
55 |
+charset_lite cgi cgid dav dav_fs dav_lock dbd deflate dir disk_cache dumpio |
56 |
+env expires ext_filter file_cache filter headers ident imagemap include info |
57 |
+log_config log_forensic logio mem_cache mime mime_magic negotiation proxy |
58 |
+proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi rewrite |
59 |
+reqtimeout setenvif speling status substitute unique_id userdir usertrack |
60 |
+version vhost_alias" |
61 |
+# The following are also in the source as of this version, but are not available |
62 |
+# for user selection: |
63 |
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export |
64 |
+# optional_fn_import optional_hook_export optional_hook_import |
65 |
+ |
66 |
+# inter-module dependencies |
67 |
+# TODO: this may still be incomplete |
68 |
+MODULE_DEPENDS=" |
69 |
+ dav_fs:dav |
70 |
+ dav_lock:dav |
71 |
+ deflate:filter |
72 |
+ disk_cache:cache |
73 |
+ ext_filter:filter |
74 |
+ file_cache:cache |
75 |
+ log_forensic:log_config |
76 |
+ logio:log_config |
77 |
+ mem_cache:cache |
78 |
+ mime_magic:mime |
79 |
+ proxy_ajp:proxy |
80 |
+ proxy_balancer:proxy |
81 |
+ proxy_connect:proxy |
82 |
+ proxy_ftp:proxy |
83 |
+ proxy_http:proxy |
84 |
+ proxy_scgi:proxy |
85 |
+ substitute:filter |
86 |
+" |
87 |
+ |
88 |
+# module<->define mappings |
89 |
+MODULE_DEFINES=" |
90 |
+ auth_digest:AUTH_DIGEST |
91 |
+ authnz_ldap:AUTHNZ_LDAP |
92 |
+ cache:CACHE |
93 |
+ dav:DAV |
94 |
+ dav_fs:DAV |
95 |
+ dav_lock:DAV |
96 |
+ disk_cache:CACHE |
97 |
+ file_cache:CACHE |
98 |
+ info:INFO |
99 |
+ ldap:LDAP |
100 |
+ mem_cache:CACHE |
101 |
+ proxy:PROXY |
102 |
+ proxy_ajp:PROXY |
103 |
+ proxy_balancer:PROXY |
104 |
+ proxy_connect:PROXY |
105 |
+ proxy_ftp:PROXY |
106 |
+ proxy_http:PROXY |
107 |
+ ssl:SSL |
108 |
+ status:STATUS |
109 |
+ suexec:SUEXEC |
110 |
+ userdir:USERDIR |
111 |
+" |
112 |
+ |
113 |
+# critical modules for the default config |
114 |
+MODULE_CRITICAL=" |
115 |
+ authz_host |
116 |
+ dir |
117 |
+ mime |
118 |
+" |
119 |
+ |
120 |
+inherit apache-2 systemd toolchain-funcs |
121 |
+ |
122 |
+DESCRIPTION="The Apache Web Server" |
123 |
+HOMEPAGE="https://httpd.apache.org/" |
124 |
+ |
125 |
+# some helper scripts are Apache-1.1, thus both are here |
126 |
+LICENSE="Apache-2.0 Apache-1.1" |
127 |
+SLOT="2" |
128 |
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd" |
129 |
+IUSE="" |
130 |
+ |
131 |
+PATCHES=( |
132 |
+ "${FILESDIR}/${PN}-asf-httpoxy.patch" |
133 |
+) |
134 |
+ |
135 |
+src_configure() { |
136 |
+ # Brain dead check. |
137 |
+ tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no" |
138 |
+ |
139 |
+ apache-2_src_configure |
140 |
+} |
141 |
+ |
142 |
+src_install() { |
143 |
+ apache-2_src_install |
144 |
+ |
145 |
+ # install apxs in /usr/bin (bug #502384) and put a symlink into the |
146 |
+ # old location until all ebuilds and eclasses have been modified to |
147 |
+ # use the new location. |
148 |
+ local apxs_dir="/usr/bin" |
149 |
+ dodir ${apxs_dir} |
150 |
+ mv "${D}"/usr/sbin/apxs "${D}"${apxs_dir} || die |
151 |
+ ln -s ../bin/apxs "${D}"/usr/sbin/apxs || die |
152 |
+ |
153 |
+ systemd_newunit "${FILESDIR}/apache2.2.service" "apache2.service" |
154 |
+ systemd_dotmpfilesd "${FILESDIR}/apache.conf" |
155 |
+} |
156 |
|
157 |
diff --git a/www-servers/apache/apache-2.4.23-r2.ebuild b/www-servers/apache/apache-2.4.23-r2.ebuild |
158 |
new file mode 100644 |
159 |
index 00000000..80874b3 |
160 |
--- /dev/null |
161 |
+++ b/www-servers/apache/apache-2.4.23-r2.ebuild |
162 |
@@ -0,0 +1,245 @@ |
163 |
+# Copyright 1999-2016 Gentoo Foundation |
164 |
+# Distributed under the terms of the GNU General Public License v2 |
165 |
+# $Id$ |
166 |
+ |
167 |
+EAPI=5 |
168 |
+ |
169 |
+# latest gentoo apache files |
170 |
+GENTOO_PATCHSTAMP="20160303" |
171 |
+GENTOO_DEVELOPER="polynomial-c" |
172 |
+GENTOO_PATCHNAME="gentoo-apache-2.4.18-r1" |
173 |
+ |
174 |
+# IUSE/USE_EXPAND magic |
175 |
+IUSE_MPMS_FORK="prefork" |
176 |
+IUSE_MPMS_THREAD="event worker" |
177 |
+ |
178 |
+# << obsolete modules: |
179 |
+# authn_default authz_default mem_cache |
180 |
+# mem_cache is replaced by cache_disk |
181 |
+# ?? buggy modules |
182 |
+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found |
183 |
+# >> added modules for reason: |
184 |
+# compat: compatibility with 2.2 access control |
185 |
+# authz_host: new module for access control |
186 |
+# authn_core: functionality provided by authn_alias in previous versions |
187 |
+# authz_core: new module, provides core authorization capabilities |
188 |
+# cache_disk: replacement for mem_cache |
189 |
+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3 |
190 |
+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3 |
191 |
+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3 |
192 |
+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3 |
193 |
+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests). |
194 |
+# socache_shmcb: shared object cache provider. Default config with ssl needs it |
195 |
+# unixd: fixes startup error: Invalid command 'User' |
196 |
+IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest |
197 |
+authn_alias authn_anon authn_core authn_dbd authn_dbm authn_file authz_core |
198 |
+authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex |
199 |
+cache cache_disk cern_meta charset_lite cgi cgid dav dav_fs dav_lock dbd deflate |
200 |
+dir dumpio env expires ext_filter file_cache filter headers http2 ident imagemap |
201 |
+include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness |
202 |
+lbmethod_heartbeat log_config log_forensic logio macro mime mime_magic negotiation |
203 |
+proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_html proxy_http proxy_scgi |
204 |
+proxy_fcgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout setenvif |
205 |
+slotmem_shm speling socache_shmcb status substitute unique_id userdir usertrack |
206 |
+unixd version vhost_alias" |
207 |
+# The following are also in the source as of this version, but are not available |
208 |
+# for user selection: |
209 |
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export |
210 |
+# optional_fn_import optional_hook_export optional_hook_import |
211 |
+ |
212 |
+# inter-module dependencies |
213 |
+# TODO: this may still be incomplete |
214 |
+MODULE_DEPENDS=" |
215 |
+ dav_fs:dav |
216 |
+ dav_lock:dav |
217 |
+ deflate:filter |
218 |
+ cache_disk:cache |
219 |
+ ext_filter:filter |
220 |
+ file_cache:cache |
221 |
+ lbmethod_byrequests:proxy_balancer |
222 |
+ lbmethod_byrequests:slotmem_shm |
223 |
+ lbmethod_bytraffic:proxy_balancer |
224 |
+ lbmethod_bybusyness:proxy_balancer |
225 |
+ lbmethod_heartbeat:proxy_balancer |
226 |
+ log_forensic:log_config |
227 |
+ logio:log_config |
228 |
+ cache_disk:cache |
229 |
+ mime_magic:mime |
230 |
+ proxy_ajp:proxy |
231 |
+ proxy_balancer:proxy |
232 |
+ proxy_balancer:slotmem_shm |
233 |
+ proxy_connect:proxy |
234 |
+ proxy_ftp:proxy |
235 |
+ proxy_html:proxy |
236 |
+ proxy_http:proxy |
237 |
+ proxy_scgi:proxy |
238 |
+ proxy_fcgi:proxy |
239 |
+ proxy_wstunnel:proxy |
240 |
+ substitute:filter |
241 |
+" |
242 |
+ |
243 |
+# module<->define mappings |
244 |
+MODULE_DEFINES=" |
245 |
+ auth_digest:AUTH_DIGEST |
246 |
+ authnz_ldap:AUTHNZ_LDAP |
247 |
+ cache:CACHE |
248 |
+ cache_disk:CACHE |
249 |
+ dav:DAV |
250 |
+ dav_fs:DAV |
251 |
+ dav_lock:DAV |
252 |
+ file_cache:CACHE |
253 |
+ http2:HTTP2 |
254 |
+ info:INFO |
255 |
+ ldap:LDAP |
256 |
+ proxy:PROXY |
257 |
+ proxy_ajp:PROXY |
258 |
+ proxy_balancer:PROXY |
259 |
+ proxy_connect:PROXY |
260 |
+ proxy_ftp:PROXY |
261 |
+ proxy_html:PROXY |
262 |
+ proxy_http:PROXY |
263 |
+ proxy_fcgi:PROXY |
264 |
+ proxy_scgi:PROXY |
265 |
+ proxy_wstunnel:PROXY |
266 |
+ socache_shmcb:SSL |
267 |
+ ssl:SSL |
268 |
+ status:STATUS |
269 |
+ suexec:SUEXEC |
270 |
+ userdir:USERDIR |
271 |
+" |
272 |
+ |
273 |
+# critical modules for the default config |
274 |
+MODULE_CRITICAL=" |
275 |
+ authn_core |
276 |
+ authz_core |
277 |
+ authz_host |
278 |
+ dir |
279 |
+ mime |
280 |
+ unixd |
281 |
+" |
282 |
+inherit eutils apache-2 systemd toolchain-funcs |
283 |
+ |
284 |
+DESCRIPTION="The Apache Web Server" |
285 |
+HOMEPAGE="https://httpd.apache.org/" |
286 |
+ |
287 |
+# some helper scripts are Apache-1.1, thus both are here |
288 |
+LICENSE="Apache-2.0 Apache-1.1" |
289 |
+SLOT="2" |
290 |
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris" |
291 |
+ |
292 |
+# Upstream fixes |
293 |
+SRC_URI+=" http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_fcgi.c?r1=1751970&r2=1751969&pathrev=1751970&view=patch -> ${PN}-2.4.23-fcgi_fix.patch" |
294 |
+ |
295 |
+DEPEND+="apache2_modules_http2? ( >=net-libs/nghttp2-1.2.1 )" |
296 |
+ |
297 |
+REQUIRED_USE="apache2_modules_http2? ( ssl )" |
298 |
+ |
299 |
+PATCHES=( |
300 |
+ "${DISTDIR}"/${P}-fcgi_fix.patch |
301 |
+ "${FILESDIR}"/apache-asf-httpoxy.patch |
302 |
+) |
303 |
+ |
304 |
+pkg_setup() { |
305 |
+ # dependend critical modules which are not allowed in global scope due |
306 |
+ # to USE flag conditionals (bug #499260) |
307 |
+ use ssl && MODULE_CRITICAL+=" socache_shmcb" |
308 |
+ use doc && MODULE_CRITICAL+=" alias negotiation setenvif" |
309 |
+ apache-2_pkg_setup |
310 |
+} |
311 |
+ |
312 |
+src_configure() { |
313 |
+ # Brain dead check. |
314 |
+ tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no" |
315 |
+ |
316 |
+ apache-2_src_configure |
317 |
+} |
318 |
+ |
319 |
+src_compile() { |
320 |
+ if tc-is-cross-compiler; then |
321 |
+ # This header is the same across targets, so use the build compiler. |
322 |
+ pushd server >/dev/null |
323 |
+ emake gen_test_char |
324 |
+ tc-export_build_env BUILD_CC |
325 |
+ ${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \ |
326 |
+ gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die |
327 |
+ popd >/dev/null |
328 |
+ fi |
329 |
+ |
330 |
+ default |
331 |
+} |
332 |
+ |
333 |
+src_install() { |
334 |
+ apache-2_src_install |
335 |
+ for i in /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}; do |
336 |
+ rm "${ED}"/$i || die "Failed to prune apache-tools bits" |
337 |
+ done |
338 |
+ for i in /usr/share/man/man8/{rotatelogs.8,htcacheclean.8}; do |
339 |
+ rm "${ED}"/$i || die "Failed to prune apache-tools bits" |
340 |
+ done |
341 |
+ for i in /usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}; do |
342 |
+ rm "${ED}"/$i || die "Failed to prune apache-tools bits" |
343 |
+ done |
344 |
+ for i in /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}; do |
345 |
+ rm "${ED}/"$i || die "Failed to prune apache-tools bits" |
346 |
+ done |
347 |
+ |
348 |
+ # install apxs in /usr/bin (bug #502384) and put a symlink into the |
349 |
+ # old location until all ebuilds and eclasses have been modified to |
350 |
+ # use the new location. |
351 |
+ local apxs="/usr/bin/apxs" |
352 |
+ cp "${S}"/support/apxs "${ED}"${apxs} || die "Failed to install apxs" |
353 |
+ ln -s ../bin/apxs "${ED}"/usr/sbin/apxs || die |
354 |
+ chmod 0755 "${ED}"${apxs} || die |
355 |
+ |
356 |
+ # Note: wait for mod_systemd to be included in the next release, |
357 |
+ # then apache2.4.service can be used and systemd support controlled |
358 |
+ # through --enable-systemd |
359 |
+ systemd_newunit "${FILESDIR}/apache2.2-hardened.service" "apache2.service" |
360 |
+ systemd_dotmpfilesd "${FILESDIR}/apache.conf" |
361 |
+ #insinto /etc/apache2/modules.d |
362 |
+ #doins "${FILESDIR}/00_systemd.conf" |
363 |
+ |
364 |
+ # Install http2 module config |
365 |
+ insinto /etc/apache2/modules.d |
366 |
+ doins "${FILESDIR}"/41_mod_http2.conf |
367 |
+} |
368 |
+ |
369 |
+pkg_postinst() |
370 |
+{ |
371 |
+ apache-2_pkg_postinst || die "apache-2_pkg_postinst failed" |
372 |
+ # warnings that default config might not work out of the box |
373 |
+ for mod in $MODULE_CRITICAL; do |
374 |
+ if ! use "apache2_modules_${mod}"; then |
375 |
+ echo |
376 |
+ ewarn "Warning: Critical module not installed!" |
377 |
+ ewarn "Modules 'authn_core', 'authz_core' and 'unixd'" |
378 |
+ ewarn "are highly recomended but might not be in the base profile yet." |
379 |
+ ewarn "Default config for ssl needs module 'socache_shmcb'." |
380 |
+ ewarn "Enabling the following flags is highly recommended:" |
381 |
+ for cmod in $MODULE_CRITICAL; do |
382 |
+ use "apache2_modules_${cmod}" || \ |
383 |
+ ewarn "+ apache2_modules_${cmod}" |
384 |
+ done |
385 |
+ echo |
386 |
+ break |
387 |
+ fi |
388 |
+ done |
389 |
+ # warning for proxy_balancer and missing load balancing scheduler |
390 |
+ if use apache2_modules_proxy_balancer; then |
391 |
+ local lbset= |
392 |
+ for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do |
393 |
+ if use "apache2_modules_${mod}"; then |
394 |
+ lbset=1 && break |
395 |
+ fi |
396 |
+ done |
397 |
+ if [ ! $lbset ]; then |
398 |
+ echo |
399 |
+ ewarn "Info: Missing load balancing scheduler algorithm module" |
400 |
+ ewarn "(They were split off from proxy_balancer in 2.3)" |
401 |
+ ewarn "In order to get the ability of load balancing, at least" |
402 |
+ ewarn "one of these modules has to be present:" |
403 |
+ ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat" |
404 |
+ echo |
405 |
+ fi |
406 |
+ fi |
407 |
+} |
408 |
|
409 |
diff --git a/www-servers/apache/files/apache-asf-httpoxy.patch b/www-servers/apache/files/apache-asf-httpoxy.patch |
410 |
new file mode 100644 |
411 |
index 00000000..68e3d86 |
412 |
--- /dev/null |
413 |
+++ b/www-servers/apache/files/apache-asf-httpoxy.patch |
414 |
@@ -0,0 +1,20 @@ |
415 |
+https://bugs.gentoo.org/589226 |
416 |
+https://www.apache.org/security/asf-httpoxy-response.txt |
417 |
+ |
418 |
+--- server/util_script.c (revision 1752426) |
419 |
++++ server/util_script.c (working copy) |
420 |
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r |
421 |
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) { |
422 |
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); |
423 |
+ } |
424 |
++ /* HTTP_PROXY collides with a popular envvar used to configure |
425 |
++ * proxies, don't let clients set/override it. But, if you must... |
426 |
++ */ |
427 |
++#ifndef SECURITY_HOLE_PASS_PROXY |
428 |
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { |
429 |
++ ; |
430 |
++ } |
431 |
++#endif |
432 |
+ /* |
433 |
+ * You really don't want to disable this check, since it leaves you |
434 |
+ * wide open to CGIs stealing passwords and people viewing them |