Subject: CVS commit: [pkgsrc-2019Q2] pkgsrc/www/apache24
From: Benny Siegert
Date: 2019-09-05 12:21:28
Message id: 20190905102128.CDB29FBF4@cvs.NetBSD.org

Log Message:
Pullup ticket #6037 - requested by taca
www/apache24: SunOS build fix, security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.82,1.84
- www/apache24/PLIST                                            1.31
- www/apache24/distinfo                                         1.41
- www/apache24/patches/patch-ai                                 1.2

---
   Module Name:	pkgsrc
   Committed By:	ryoon
   Date:		Mon Jul  1 04:08:55 UTC 2019

   Modified Files:

   	pkgsrc/www/apache24: Makefile

   Log Message:
   Recursive revbump from boost-1.70.0

---
   Module Name:	pkgsrc
   Committed By:	jperkin
   Date:		Mon Jul 22 10:34:22 UTC 2019

   Modified Files:
   	pkgsrc/www/apache24: Makefile

   Log Message:
   apache24: Extend SunOS C99 compilers list to gcc-5.

   Should fix PR#54385 from Hiroshi Hakoyama.

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Sun Aug 11 13:25:21 UTC 2019

   Modified Files:

   	pkgsrc/www/apache24: Makefile buildlink3.mk

   Log Message:
   Bump PKGREVISIONs for perl 5.30.0

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Thu Aug 15 08:03:39 UTC 2019

   Modified Files:
   	pkgsrc/www/apache24: Makefile PLIST distinfo
   	pkgsrc/www/apache24/patches: patch-ai

   Log Message:
   apache24: updated to 2.4.41

   Changes with Apache 2.4.41

     *) SECURITY: CVE-2019-10081 (cve.mitre.org)
        mod_http2: HTTP/2 very early pushes, for example configured with
        "H2PushResource",
        could lead to an overwrite of memory in the pushing request's pool,
        leading to crashes. The memory copied is that of the configured push
        link header values, not data supplied by the client.

     *) SECURITY: CVE-2019-9517 (cve.mitre.org)
        mod_http2: a malicious client could perform a DoS attack by flooding
        a connection with requests and basically never reading responses
        on the TCP connection. Depending on h2 worker dimensioning, it was
        possible to block those with relatively few connections.

     *) SECURITY: CVE-2019-10098 (cve.mitre.org)
        rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
        matches and substitutions with encoded line break characters.

     *) SECURITY: CVE-2019-10092 (cve.mitre.org)
        Remove HTML-escaped URLs from canned error responses to prevent misleading
        text/links being displayed via crafted links.

     *) SECURITY: CVE-2019-10097 (cve.mitre.org)
        mod_remoteip: Fix stack buffer overflow and NULL pointer dereference
        when reading the PROXY protocol header.

     *) SECURITY: CVE-2019-10082 (cve.mitre.org)
        mod_http2: Using fuzzed network input, the http/2 session
        handling could be made to read memory after being freed,
        during connection shutdown.

     *) mod_proxy_balancer: Improve balancer-manager protection against
        XSS/XSRF attacks from trusted users.

     *) mod_session: Introduce SessionExpiryUpdateInterval, which allows the
        session/cookie expiry's update interval to be configured.

     *) modules/filters: Fix broken compilation when using old GCC (<4.2.x).

     *) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
        configured for a domain managed by mod_md.

Files:
Revision      Action  File
1.80.2.1      modify  pkgsrc/www/apache24/Makefile
1.30.2.1      modify  pkgsrc/www/apache24/PLIST
1.40.2.1      modify  pkgsrc/www/apache24/distinfo
1.1.1.1.60.1  modify  pkgsrc/www/apache24/patches/patch-ai
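The CVE-2019-10098 entry above says only that `.` now matches encoded line breaks by default. The following is an added example, not part of this commit, the pkgsrc package, or httpd's own code. It uses Python's re module as a stand-in for PCRE, whose default `.` and `$` semantics it shares (`.` excludes a newline; `$` matches at the end of the string and also just before a trailing newline), and shows what a `(.*)$` capture does to a percent-decoded path containing %0A with and without DOTALL. mod_rewrite matches its pattern against the decoded URL path; the rule pattern, redirect prefix, host and request paths here are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed rule: capture everything after /app/ up to end of path and
# substitute it into a fixed redirect prefix. It stands in for a rule such as
# `RewriteRule /app/(.*)$ https://example.com/app/$1 [R]`; the prefix and host
# are assumptions made for this example, not from the page.
RULE_PATTERN = r"/app/(.*)$"
REDIRECT_PREFIX = "https://example.com/app/"


def capture(decoded_path: str, dotall: bool) -> Optional[str]:
    """Run the rule's regex the way the engine does: an unanchored search."""
    flags = re.DOTALL if dotall else 0
    m = re.search(RULE_PATTERN, decoded_path, flags)
    return m.group(1) if m else None


def rewrite(request_uri: str, dotall: bool) -> Optional[str]:
    """Percent-decode (so %0A becomes a newline), match, then substitute $1."""
    group = capture(unquote(request_uri), dotall)
    return None if group is None else REDIRECT_PREFIX + group


if __name__ == "__main__":
    # Constructed request URIs: a plain one, one with a trailing encoded
    # newline, and one that smuggles a second /app/ segment after the newline.
    for uri in ("/app/profile",
                "/app/profile%0A",
                "/app/profile%0A/app/http://evil.example"):
        print(repr(uri),
              "no DOTALL:", repr(rewrite(uri, False)),
              "| DOTALL:", repr(rewrite(uri, True)))
```

Without DOTALL the trailing-newline case silently drops the newline from $1, and the smuggled case cannot match at the start of the path at all, so the search skips past the newline and the capture becomes whatever the client placed after it. With DOTALL the capture is the whole remainder in both cases, which is the predictable behaviour the changelog entry refers to.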
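The CVE-2019-10097 entry describes a stack buffer overflow and NULL pointer dereference while reading a PROXY protocol header. As an added example, which is neither mod_remoteip's code nor the fix itself, here is a bounds-checked parser for the PROXY protocol v1 text header. It caps how far it reads at the specification's 107-byte maximum line, requires the terminating CRLF inside that window, and checks that every field exists and is well formed before using it, which is the class of check that prevents both an over-long copy and a dereference of a missing token. The sample headers in the usage note and test are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

# PROXY protocol v1: the longest legal line, CRLF included, is 107 bytes
# ("PROXY TCP6 " + two 39-char IPv6 literals + two 5-digit ports + separators).
MAX_V1_HEADER = 107


class ProxyInfo(NamedTuple):
    family: str
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int


def parse_proxy_v1(buf: bytes) -> Optional[ProxyInfo]:
    """Parse a PROXY v1 header at the start of buf.

    Returns a ProxyInfo, or None for the legal "PROXY UNKNOWN" form.
    Raises ValueError for anything malformed. Never reads beyond
    MAX_V1_HEADER bytes and never uses a field before checking it exists.
    """
    window = buf[:MAX_V1_HEADER]            # hard cap: no unbounded scan or copy
    if not window.startswith(b"PROXY "):
        raise ValueError("not a PROXY v1 header")
    end = window.find(b"\r\n")
    if end < 0:
        raise ValueError("no CRLF within %d bytes" % MAX_V1_HEADER)
    try:
        fields = window[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII byte in header")
    # fields[0] is "PROXY"; fields[1] exists because the prefix ends in a space
    if fields[1] == "UNKNOWN":
        return None
    if len(fields) != 6 or "" in fields:
        raise ValueError("expected 6 fields, got %d" % len(fields))
    _, family, src, dst, sport, dport = fields
    if family == "TCP4":
        addr_cls = ipaddress.IPv4Address
    elif family == "TCP6":
        addr_cls = ipaddress.IPv6Address
    else:
        raise ValueError("unsupported family %r" % family)
    try:
        src_ip, dst_ip = addr_cls(src), addr_cls(dst)   # literal must match family
    except ipaddress.AddressValueError as exc:
        raise ValueError("bad address: %s" % exc)
    ports = []
    for text in (sport, dport):
        if not (text.isdigit() and len(text) <= 5 and int(text) <= 65535):
            raise ValueError("bad port %r" % text)
        ports.append(int(text))
    return ProxyInfo(family, str(src_ip), str(dst_ip), ports[0], ports[1])


def rejects(buf: bytes) -> bool:
    """True if parse_proxy_v1 refuses buf; exercises the failure paths."""
    try:
        parse_proxy_v1(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a header followed by the start of the real request.
    sample = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 443\r\nGET / HTTP/1.1\r\n"
    print(parse_proxy_v1(sample))
    print("truncated header rejected:", rejects(b"PROXY TCP4 192.0.2.10\r\n"))
    print("oversized header rejected:", rejects(b"PROXY TCP4 " + b"9" * 200 + b"\r\n"))
```

The point of the example is the order of operations: length cap first, terminator inside the cap second, field count third, and only then any use of a field value. A parser that copies the line into a fixed buffer before finding the CRLF, or that indexes the fourth token without having counted tokens, is exposed to exactly the two failure modes the changelog names.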