Subject: CVS commit: [pkgsrc-2021Q3] pkgsrc/www/apache24
From: Benny Siegert
Date: 2021-10-08 15:37:27
Message id: 20211008133727.685A8FA97@cvs.NetBSD.org

Log Message:
Pullup ticket #6506 - requested by taca
apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.105
- www/apache24/distinfo                                         1.49

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Thu Oct  7 19:05:25 UTC 2021

   Modified Files:
   	pkgsrc/www/apache24: Makefile distinfo

   Log Message:
   apache24: updated to 2.4.51

   Changes with Apache 2.4.51

   *) SECURITY: CVE-2021-42013: Path Traversal and Remote Code
      Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
      fix of CVE-2021-41773) (cve.mitre.org)
      It was found that the fix for CVE-2021-41773 in Apache HTTP
      Server 2.4.50 was insufficient.  An attacker could use a path
      traversal attack to map URLs to files outside the directories
      configured by Alias-like directives.
      If files outside of these directories are not protected by the
      usual default configuration "require all denied", these requests
      can succeed. If CGI scripts are also enabled for these aliased
      pathes, this could allow for remote code execution.
      This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
      earlier versions.

   *) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
      unused AP_NORMALIZE_DROP_PARAMETERS flag.

Files:
RevisionActionfile
1.101.2.2modifypkgsrc/www/apache24/Makefile
1.46.2.2modifypkgsrc/www/apache24/distinfo