Subject: CVS commit: pkgsrc/www/apache24
From: Takahiro Kambe
Date: 2016-12-20 22:06:35
Message id: 20161220210635.1D84EFBA6@cvs.NetBSD.org

Log Message:
Update apache24 to 2.4.25 (Apache HTTPD 2.4.25).  2.4.24 was not released.

This release fixes several security problems; some of them are already
handled in pkgsrc.  Please refer to the CHANGES file for details.

  *) SECURITY: CVE-2016-8740 (cve.mitre.org)
     mod_http2: Mitigate DoS memory exhaustion via endless
     CONTINUATION frames.
     [Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State
     University, Stefan Eissing]

  *) SECURITY: CVE-2016-5387 (cve.mitre.org)
     core: Mitigate [f]cgi "httpoxy" issues.
     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]

  *) SECURITY: CVE-2016-2161 (cve.mitre.org)
     mod_auth_digest: Prevent segfaults during client entry allocation when
     the shared memory space is exhausted.
     [Maksim Malyutin <m.malyutin dsec.ru>, Eric Covener, Jacob Champion]

  *) SECURITY: CVE-2016-0736 (cve.mitre.org)
     mod_session_crypto: Authenticate the session data/cookie with a
     MAC (SipHash) to prevent deciphering or tampering with a padding
     oracle attack.  [Yann Ylavic, Colm MacCarthaigh]

  *) SECURITY: CVE-2016-8743 (cve.mitre.org)
     Enforce HTTP request grammar corresponding to RFC7230 for request lines
     and request headers, to prevent response splitting and cache pollution by
     malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]

Files:
Revision  Action  File
1.51      modify  pkgsrc/www/apache24/Makefile
1.28      modify  pkgsrc/www/apache24/distinfo
1.1       remove  pkgsrc/www/apache24/patches/patch-CVE-2016-8740-2.4.23
1.1       remove  pkgsrc/www/apache24/patches/patch-server_util__script.c