authorJ0WI <J0WI@users.noreply.github.com>2019-01-22 19:33:40 +0100
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2019-01-25 22:13:50 +0200
commit86686eac58e8b2cd03eb04fdcdab2afdd4871e0c (patch)
tree0cc1fe3d6513d92ee20de92227269c3db7c9e93c
parent67f3e45bd49581c9d21308a73dd85f972a57e24c (diff)
downloadaports-86686eac58e8b2cd03eb04fdcdab2afdd4871e0c.tar.bz2
aports-86686eac58e8b2cd03eb04fdcdab2afdd4871e0c.tar.xz
main/apache2: security upgrade to 2.4.38
fixes #9909
-rw-r--r--main/apache2/APKBUILD16
-rw-r--r--main/apache2/apache-2.4.34-libressl-compatibility.patch75
2 files changed, 9 insertions, 82 deletions
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index 7d23c4c08d..9ee2d35159 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -2,10 +2,10 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=apache2
_pkgreal=httpd
-pkgver=2.4.35
+pkgver=2.4.38
pkgrel=0
pkgdesc="A high performance Unix-based HTTP server"
-url="http://httpd.apache.org/"
+url="https://httpd.apache.org/"
arch="all"
license="ASL 2.0"
depends=""
@@ -26,12 +26,11 @@ subpackages="$pkgname-dev
$pkgname-ssl
$pkgname-utils
$pkgname-webdav"
-source="http://archive.apache.org/dist/$_pkgreal/$_pkgreal-$pkgver.tar.bz2
+source="https://archive.apache.org/dist/$_pkgreal/$_pkgreal-$pkgver.tar.bz2
apache2.confd
apache2.logrotate
apache2.initd
alpine.layout
- apache-2.4.34-libressl-compatibility.patch
libressl-compat-patch-fix.patch
conf/0001-httpd.conf-ServerRoot.patch
conf/0002-httpd.conf-ServerTokens.patch
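Review bot: Removing apache-2.4.34-libressl-compatibility.patch from source= leaves libressl-compat-patch-fix.patch in the list (and its checksum in the sha512sums hunk below), although its name suggests it was a follow-up to the patch being dropped. If it only amends hunks of the removed patch it may now fail to apply, or re-patch code that upstream 2.4.38 already carries (the removed patch's own header says its upstream commit was expected in a later release); the prepare()/patch-application step is outside these hunks, so this is inferred from the file names. Either drop it in the same commit or state why it stays with a comment above the entry such as `# still needed on top of upstream 2.4.38 LibreSSL support`.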
@@ -52,6 +51,10 @@ options="suid"
builddir="$srcdir"/$_pkgreal-$pkgver
# secfixes:
+# 2.4.38-r0:
+# - CVE-2018-17189
+# - CVE-2018-17199
+# - CVE-2019-0190
# 2.4.35-r0:
# - CVE-2018-11763
# 2.4.34-r0:
@@ -271,7 +274,7 @@ ssl() {
ldap() {
pkgdesc="LDAP authentication/authorization module for the Apache HTTP Server"
- url="http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html"
+ url="https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html"
depends="apache2 apr-util-ldap"
install -d "$subpkgdir"/usr/lib/apache2 || return 1
@@ -321,12 +324,11 @@ _lua() {
"$subpkgdir"/usr/lib/apache2/ || return 1
_load_mods
}
-sha512sums="f5d6a849850ebdf4e38b586c84cc1063d68ac4c6737895c9ac1c8796c22655681c55b4de77ed9f1f807338fdb9f7824faf911361aa31cc46f3c3a2cbabe20543 httpd-2.4.35.tar.bz2
+sha512sums="8bdc36fa2bd13fd83feee17fdce4a5316ed8f96c1ac32b636ba106572ba257815438c72068d2d0e900783a3fa25c90a5da34c3f83fc2c04a1dbdbf234f7ad448 httpd-2.4.38.tar.bz2
8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701 apache2.initd
177c58d049fc4476fd9b9b36b67725145777c84cf81948105c9314cb09312dff6c1931fe21aaa243597abaefded6c6dfd80d83839e45a23950b50de615d73b06 alpine.layout
-fb0e896666126fd2c79cf12533a09f19ff991a44ede33ab7933381fbe5ebf94008ffb4c824a9958e47d2277fd4b985f14597fa533b2964666e3d4684e8ede9d9 apache-2.4.34-libressl-compatibility.patch
470b1c472094e59a812be3e7a68889b7ef8b3c985c9c211dabf9274ec95c1f01f606df57a4aebe75f7007e0832258415b9236645f059fbe7bfdf6bd0ea73b2f5 libressl-compat-patch-fix.patch
361e0a74f6f8f5734f074dc2f2001ff64896ecc81f88ea384b6db7db33b7738eb92b4e16163b356259581a8e7dd86adeac971d36d2584abb781e8f9b8fae6356 0001-httpd.conf-ServerRoot.patch
40f3b7579c403952ba1efcb8dfd6ffd91c2695a06a2e5530ab5a583946558790fbfa16cad259d273ac1aa7a6335dd79636aa82fd844dc3a60a34c34d90db5e17 0002-httpd.conf-ServerTokens.patch
diff --git a/main/apache2/apache-2.4.34-libressl-compatibility.patch b/main/apache2/apache-2.4.34-libressl-compatibility.patch
deleted file mode 100644
index 8eb2854901..0000000000
--- a/main/apache2/apache-2.4.34-libressl-compatibility.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-# based on upstream commit from:
-# https://github.com/apache/httpd/commit/8134addfabf2685e08da6d51167775b628fda0dc
-# this should be included in the next release (2.4.34?)
-
-diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
-index 48d64cb624..2392019aed 100644
---- a/modules/ssl/mod_ssl.c
-+++ b/modules/ssl/mod_ssl.c
-@@ -398,7 +398,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
- /* We must register the library in full, to ensure our configuration
- * code can successfully test the SSL environment.
- */
--#if MODSSL_USE_OPENSSL_PRE_1_1_API
-+#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
- (void)CRYPTO_malloc_init();
- #else
- OPENSSL_malloc_init();
-diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
-index a3a74f474c..88c0939cab 100644
---- a/modules/ssl/ssl_engine_init.c
-+++ b/modules/ssl/ssl_engine_init.c
-@@ -546,7 +546,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
- char *cp;
- int protocol = mctx->protocol;
- SSLSrvConfigRec *sc = mySrvConfig(s);
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
- int prot;
- #endif
-
-@@ -616,7 +617,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
-
- SSL_CTX_set_options(ctx, SSL_OP_ALL);
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
- /* always disable SSLv2, as per RFC 6176 */
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
-
-diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
-index a39569cbf7..e0e1b37087 100644
---- a/modules/ssl/ssl_private.h
-+++ b/modules/ssl/ssl_private.h
-@@ -132,13 +132,14 @@
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
- #define SSL_CTX_set_max_proto_version(ctx, version) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
--#endif
--/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
-- * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), so
-- * we have to work around this...
-+#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
-+/* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
-+ * include most changes from OpenSSL >= 1.1 (new functions, macros,
-+ * deprecations, ...), so we have to work around this...
- */
- #define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
--#else
-+#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
-+#else /* defined(LIBRESSL_VERSION_NUMBER) */
- #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
- #endif
-
-@@ -238,7 +239,8 @@ void init_bio_methods(void);
- void free_bio_methods(void);
- #endif
-
--#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER < 0x10002000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
- #define X509_STORE_CTX_get0_store(x) (x->ctx)
- #endif
-