Hi, update to apache-httpd 2.4.59 which fixes CVE-2024-27316, CVE-2024-24795 and CVE-2023-38709 Comments ? ok ? Cheers Giovanni
Index: Makefile =================================================================== RCS file: /cvs/ports/www/apache-httpd/Makefile,v retrieving revision 1.129 diff -u -p -r1.129 Makefile --- Makefile 30 Jan 2024 10:01:48 -0000 1.129 +++ Makefile 9 Apr 2024 20:32:44 -0000 @@ -1,9 +1,8 @@ COMMENT= apache HTTP server -V= 2.4.58 +V= 2.4.59 DISTNAME= httpd-${V} PKGNAME= apache-httpd-${V} -REVISION= 1 CATEGORIES= www net Index: distinfo =================================================================== RCS file: /cvs/ports/www/apache-httpd/distinfo,v retrieving revision 1.46 diff -u -p -r1.46 distinfo --- distinfo 19 Oct 2023 10:35:27 -0000 1.46 +++ distinfo 9 Apr 2024 20:32:44 -0000 @@ -1,2 +1,2 @@ -SHA256 (httpd-2.4.58.tar.gz) = UDp9pKSif9SWA3mYsXB43J/gBNsyxlfJbM6DVriqLrY= -SIZE (httpd-2.4.58.tar.gz) = 9825177 +SHA256 (httpd-2.4.59.tar.gz) = 5OxM4Sxsj1p5TcImPRJssdbvZn8DTEZ47JRdYShuiw8= +SIZE (httpd-2.4.59.tar.gz) = 9843252 Index: patches/patch-docs_man_htpasswd_1 =================================================================== RCS file: /cvs/ports/www/apache-httpd/patches/patch-docs_man_htpasswd_1,v retrieving revision 1.9 diff -u -p -r1.9 patch-docs_man_htpasswd_1 --- patches/patch-docs_man_htpasswd_1 11 Mar 2022 20:09:38 -0000 1.9 +++ patches/patch-docs_man_htpasswd_1 9 Apr 2024 20:32:44 -0000 @@ -5,8 +5,8 @@ Index: docs/man/htpasswd.1 .el .ne 3 .IP "\\$1" \\$2 .. --.TH "HTPASSWD" 1 "2019-08-09" "Apache HTTP Server" "htpasswd" -+.TH "HTPASSWD2" 1 "2019-08-09" "Apache HTTP Server" "htpasswd2" +-.TH "HTPASSWD" 1 "2024-04-02" "Apache HTTP Server" "htpasswd" ++.TH "HTPASSWD2" 1 "2024-04-02" "Apache HTTP Server" "htpasswd2" .SH NAME -htpasswd \- Manage user files for basic authentication @@ -15,20 +15,20 @@ Index: docs/man/htpasswd.1 .SH "SYNOPSIS" .PP --\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR -+\fB\fBhtpasswd2\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR +-\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR ++\fB\fBhtpasswd2\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR .PP --\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR -+\fB\fBhtpasswd2\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR +-\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR ++\fB\fBhtpasswd2\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR .PP --\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR -+\fB\fBhtpasswd2\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR +-\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR ++\fB\fBhtpasswd2\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR .PP --\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR -+\fB\fBhtpasswd2\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR +-\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR ++\fB\fBhtpasswd2\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR .SH "SUMMARY" @@ -38,17 +38,17 @@ Index: docs/man/htpasswd.1 +\fBhtpasswd2\fR is used to create and update the flat-files used to store usernames and password for basic authentication of HTTP users\&. If \fBhtpasswd2\fR cannot access a file, such as not being able to write to the output file or not being able to read the file in order to update it, it returns an error status and makes no changes\&. .PP --Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by \fBhtpasswd\fR\&. This program can only manage usernames and passwords stored in a flat-file\&. It can encrypt and display password information for use in other types of data stores, though\&. To use a DBM database see dbmmanage or htdbm\&. -+Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by \fBhtpasswd2\fR\&. This program can only manage usernames and passwords stored in a flat-file\&. It can encrypt and display password information for use in other types of data stores, though\&. To use a DBM database see dbmmanage or htdbm\&. +-Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by \fBhtpasswd\fR\&. This program can only manage usernames and passwords stored in a flat-file\&. It can hash and display password information for use in other types of data stores, though\&. To use a DBM database see dbmmanage or htdbm\&. ++Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by \fBhtpasswd2\fR\&. This program can only manage usernames and passwords stored in a flat-file\&. It can hash and display password information for use in other types of data stores, though\&. To use a DBM database see dbmmanage or htdbm\&. .PP --\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's \fBcrypt()\fR routine\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&. -+\fBhtpasswd2\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's \fBcrypt()\fR routine\&. Files managed by \fBhtpasswd2\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&. +-\fBhtpasswd\fR hashes passwords using either bcrypt, a version of MD5 modified for Apache, SHA-1, or the system's \fBcrypt()\fR routine\&. SHA-2-based hashes (SHA-256 and SHA-512) are supported for \fBcrypt()\fR\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-hashed passwords while others in the same file may have passwords hashed with \fBcrypt()\fR\&. ++\fBhtpasswd2\fR hashes passwords using either bcrypt, a version of MD5 modified for Apache, SHA-1, or the system's \fBcrypt()\fR routine\&. SHA-2-based hashes (SHA-256 and SHA-512) are supported for \fBcrypt()\fR\&. Files managed by \fBhtpasswd2\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-hashed passwords while others in the same file may have passwords hashed with \fBcrypt()\fR\&. .PP This manual page only lists the command line arguments\&. For details of the directives necessary to configure user authentication in httpd see the Apache manual, which is part of the Apache distribution or can be found at http://httpd\&.apache\&.org/\&. -@@ -86,13 +86,13 @@ Use \fBcrypt()\fR encryption for passwords\&. This is - Use SHA encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&. +@@ -95,13 +95,13 @@ Use \fBcrypt()\fR hashing for passwords\&. This is not + Use SHA-1 (160-bit) hashing for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&. .TP \fB-p\fR -Use plaintext passwords\&. Though \fBhtpasswd\fR will support creation on all platforms, the httpd daemon will only accept plain text passwords on Windows and Netware\&. @@ -64,7 +64,7 @@ Index: docs/man/htpasswd.1 .TP \fB\fIpasswdfile\fR\fR Name of the file to contain the user name and password\&. If \fB-c\fR is given, this file is created if it does not already exist, or rewritten and truncated if it does exist\&. -@@ -106,31 +106,31 @@ The plaintext password to be encrypted and stored in t +@@ -115,31 +115,31 @@ The plaintext password to be hashed and stored in the .SH "EXIT STATUS" .PP @@ -81,8 +81,8 @@ Index: docs/man/htpasswd.1 .fi .PP --Adds or modifies the password for user \fBjsmith\fR\&. The user is prompted for the password\&. The password will be encrypted using the modified Apache MD5 algorithm\&. If the file does not exist, \fBhtpasswd\fR will do nothing except return an error\&. -+Adds or modifies the password for user \fBjsmith\fR\&. The user is prompted for the password\&. The password will be encrypted using the modified Apache MD5 algorithm\&. If the file does not exist, \fBhtpasswd2\fR will do nothing except return an error\&. +-Adds or modifies the password for user \fBjsmith\fR\&. The user is prompted for the password\&. The password will be hashed using the modified Apache MD5 algorithm\&. If the file does not exist, \fBhtpasswd\fR will do nothing except return an error\&. ++Adds or modifies the password for user \fBjsmith\fR\&. The user is prompted for the password\&. The password will be hashed using the modified Apache MD5 algorithm\&. If the file does not exist, \fBhtpasswd2\fR will do nothing except return an error\&. .nf @@ -102,7 +102,7 @@ Index: docs/man/htpasswd.1 .fi -@@ -140,7 +140,7 @@ Encrypts the password from the command line (\fBPwd4St +@@ -149,7 +149,7 @@ Encrypts the password from the command line (\fBPwd4St .SH "SECURITY CONSIDERATIONS" .PP @@ -111,16 +111,16 @@ Index: docs/man/htpasswd.1 .PP This program is not safe as a setuid executable\&. Do \fInot\fR make it setuid\&. -@@ -160,10 +160,10 @@ The SHA and \fBcrypt()\fR formats are insecure by toda +@@ -172,10 +172,10 @@ The SHA-2-based \fBcrypt()\fR formats (SHA-256 and SHA .SH "RESTRICTIONS" .PP --On the Windows platform, passwords encrypted with \fBhtpasswd\fR are limited to no more than \fB255\fR characters in length\&. Longer passwords will be truncated to 255 characters\&. -+On the Windows platform, passwords encrypted with \fBhtpasswd2\fR are limited to no more than \fB255\fR characters in length\&. Longer passwords will be truncated to 255 characters\&. +-On the Windows platform, passwords hashed with \fBhtpasswd\fR are limited to no more than \fB255\fR characters in length\&. Longer passwords will be truncated to 255 characters\&. ++On the Windows platform, passwords hashed with \fBhtpasswd2\fR are limited to no more than \fB255\fR characters in length\&. Longer passwords will be truncated to 255 characters\&. .PP --The MD5 algorithm used by \fBhtpasswd\fR is specific to the Apache software; passwords encrypted using it will not be usable with other Web servers\&. -+The MD5 algorithm used by \fBhtpasswd2\fR is specific to the Apache software; passwords encrypted using it will not be usable with other Web servers\&. +-The MD5 algorithm used by \fBhtpasswd\fR is specific to the Apache software; passwords hashed using it will not be usable with other Web servers\&. ++The MD5 algorithm used by \fBhtpasswd2\fR is specific to the Apache software; passwords hashed using it will not be usable with other Web servers\&. .PP Usernames are limited to \fB255\fR bytes and may not include the character \fB:\fR\&. Index: patches/patch-modules_filters_mod_xml2enc_c =================================================================== RCS file: patches/patch-modules_filters_mod_xml2enc_c diff -N patches/patch-modules_filters_mod_xml2enc_c --- patches/patch-modules_filters_mod_xml2enc_c 24 Dec 2023 10:53:02 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,23 +0,0 @@ -From 27a68e54b7c6d2ae80dca396fd2727852897dab1 Mon Sep 17 00:00:00 2001 -From: Eric Covener <cove...@apache.org> -Date: Tue, 21 Nov 2023 12:58:47 +0000 -Subject: [PATCH] mod_xml2enc: remove dependency on xmlstring header - -Index: modules/filters/mod_xml2enc.c ---- modules/filters/mod_xml2enc.c.orig -+++ modules/filters/mod_xml2enc.c -@@ -206,11 +206,11 @@ static void sniff_encoding(request_rec* r, xml2ctx* ct - } - } - } -- -+ - /* to sniff, first we look for BOM */ - if (ctx->xml2enc == XML_CHAR_ENCODING_NONE) { -- ctx->xml2enc = xmlDetectCharEncoding((const xmlChar*)ctx->buf, -- ctx->bytes); -+ ctx->xml2enc = xmlDetectCharEncoding((const unsigned char*)ctx->buf, -+ ctx->bytes); - if (HAVE_ENCODING(ctx->xml2enc)) { - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01432) - "Got charset from XML rules.") ; Index: patches/patch-modules_ssl_ssl_engine_init_c =================================================================== RCS file: /cvs/ports/www/apache-httpd/patches/Attic/patch-modules_ssl_ssl_engine_init_c,v retrieving revision 1.22 diff -u -p -r1.22 patch-modules_ssl_ssl_engine_init_c --- patches/patch-modules_ssl_ssl_engine_init_c 30 Jan 2024 10:01:48 -0000 1.22 +++ patches/patch-modules_ssl_ssl_engine_init_c 9 Apr 2024 20:32:44 -0000 @@ -1,12 +1,54 @@ +Fix a regression that causes the default DH parameters for a key +no longer set and thus effectively disabling DH ciphers when no explicit +DH parameters are set. + Index: modules/ssl/ssl_engine_init.c --- modules/ssl/ssl_engine_init.c.orig +++ modules/ssl/ssl_engine_init.c -@@ -1689,7 +1689,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s - X509_STORE_CTX *sctx; - X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx); - --#if OPENSSL_VERSION_NUMBER >= 0x1010100fL -+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) - /* For OpenSSL >=1.1.1, turn on client cert support which is - * otherwise turned off by default (by design). - * https://github.com/openssl/openssl/issues/6933 */ +@@ -1346,6 +1346,7 @@ static apr_status_t ssl_init_server_certs(server_rec * + const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile; + int i; + EVP_PKEY *pkey; ++ int custom_dh_done = 0; + #ifdef HAVE_ECC + EC_GROUP *ecgroup = NULL; + int curve_nid = 0; +@@ -1518,14 +1519,14 @@ static apr_status_t ssl_init_server_certs(server_rec * + */ + certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *); + if (certfile && !modssl_is_engine_id(certfile)) { +- int done = 0, num_bits = 0; ++ int num_bits = 0; + #if OPENSSL_VERSION_NUMBER < 0x30000000L + DH *dh = modssl_dh_from_file(certfile); + if (dh) { + num_bits = DH_bits(dh); + SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh); + DH_free(dh); +- done = 1; ++ custom_dh_done = 1; + } + #else + pkey = modssl_dh_pkey_from_file(certfile); +@@ -1535,18 +1536,18 @@ static apr_status_t ssl_init_server_certs(server_rec * + EVP_PKEY_free(pkey); + } + else { +- done = 1; ++ custom_dh_done = 1; + } + } + #endif +- if (done) { ++ if (custom_dh_done) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) + "Custom DH parameters (%d bits) for %s loaded from %s", + num_bits, vhost_id, certfile); + } + } + #if !MODSSL_USE_OPENSSL_PRE_1_1_API +- else { ++ if (!custom_dh_done) { + /* If no parameter is manually configured, enable auto + * selection. */ + SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1); Index: patches/patch-modules_ssl_ssl_private_h =================================================================== RCS file: patches/patch-modules_ssl_ssl_private_h diff -N patches/patch-modules_ssl_ssl_private_h --- patches/patch-modules_ssl_ssl_private_h 15 Nov 2022 23:14:12 -0000 1.11 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,15 +0,0 @@ -Index: modules/ssl/ssl_private.h ---- modules/ssl/ssl_private.h.orig -+++ modules/ssl/ssl_private.h -@@ -232,9 +232,11 @@ - #define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096 - #define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144 - #define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192 -+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL - #define BIO_set_init(x,v) (x->init=v) - #define BIO_get_data(x) (x->ptr) - #define BIO_set_data(x,v) (x->ptr=v) -+#endif - #define BIO_get_shutdown(x) (x->shutdown) - #define BIO_set_shutdown(x,v) (x->shutdown=v) - #define DH_bits(x) (BN_num_bits(x->p))
signature.asc
Description: PGP signature