Update of /cvsroot/fink/dists/10.7/stable/main/finkinfo/web
In directory vz-cvs-3.sog:/tmp/cvs-serv9738
Modified Files:
apache2.info apache2.patch
Log Message:
* Fix typo in conf.d/security comment. Closes: #678740
* CVE-2012-2687: mod_negotiation: Escape filenames in variant list to prevent
a possible XSS for a site where untrusted users can upload files to a
location with MultiViews enabled.
* Add example for X-XSS-Protection to conf.d/security.
* Fix "contradictory comment in %p/etc/apache2/apache2.conf about the
.load suffix" (Closes: #676975).
Index: apache2.info
===================================================================
RCS file: /cvsroot/fink/dists/10.7/stable/main/finkinfo/web/apache2.info,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- apache2.info 28 Jun 2012 16:47:58 -0000 1.4
+++ apache2.info 3 Jul 2012 16:20:41 -0000 1.5
@@ -1,6 +1,6 @@
Package: apache2
Version: 2.2.22
-Revision: 7
+Revision: 9
###
Provides: httpd
BuildDepends: fink (>= 0.32), libaprutil.0-dev, libapr.0-dev, libpcap1,
libpcre1, pkgconfig, openssl, openssl100-dev, openldap24-dev
@@ -10,7 +10,7 @@
Source-MD5: d77fa5af23df96a8af68ea8114fa6ce1
###
PatchFile: %n.patch
-PatchFile-MD5: af412c7525b5cf433b53a71d6a3b5689
+PatchFile-MD5: f0b208f8d048cc31382fca13f92d54a2
PatchScript: <<
sed -e 's,@FINKPREFIX@,%p,g' %{PatchFile} | patch -p1
@@ -38,6 +38,7 @@
patch -p1 < fink/patches/customize_apxs.patch
patch -p1 < fink/patches/mod_cache_partial_content-2.2.x.patch
patch -p1 < fink/patches/upstream_trunk_bugfixes.patch
+ patch -p1 < fink/patches/mod_negotiation_CVE-2012-2687.patch
## decode new icons
for i in %b/fink/icons/*.txt; do cd %b/fink/icons; uudecode < $i; done
Index: apache2.patch
===================================================================
RCS file: /cvsroot/fink/dists/10.7/stable/main/finkinfo/web/apache2.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- apache2.patch 28 Jun 2012 16:47:58 -0000 1.4
+++ apache2.patch 3 Jul 2012 16:20:41 -0000 1.5
@@ -2399,7 +2399,7 @@
+This is a place holder package that makes depending on apache2 easier, this
file is just so the package will install.
diff -ruN httpd-2.2.22.orig/fink/config-dir/apache2.conf
httpd-2.2.22/fink/config-dir/apache2.conf
--- httpd-2.2.22.orig/fink/config-dir/apache2.conf 1969-12-31
17:00:00.000000000 -0700
-+++ httpd-2.2.22/fink/config-dir/apache2.conf 2012-06-21 08:42:40.000000000
-0600
++++ httpd-2.2.22/fink/config-dir/apache2.conf 2012-07-03 09:48:51.000000000
-0600
@@ -0,0 +1,266 @@
+# This is the main Apache server configuration file. It contains the
+# configuration directives that give the server its instructions.
@@ -2441,7 +2441,7 @@
+#
+# Yet we strongly suggest that all configuration files either end with a
+# .conf or .load suffix in the file name. The next Fink release will
-+# ignore files not ending with .conf.
++# ignore files not ending with .conf (or .load for mods-enabled).
+#
+# * ports.conf is always included from the main configuration file. It is
+# supposed to determine listening ports for incoming connections, and which
@@ -2458,9 +2458,9 @@
+#
+# * Configuration files in the conf.d directory are either provided by other
+# packages or may be added by the local administrator. Local additions
-+# should start with local- or end with .local or .local.conf to avoid name
-+# clashes. All files in conf.d are considered (excluding the exceptions
noted
-+# above) by the Apache 2 web server.
++# should start with local- or end with .local.conf to avoid name clashes.
All
++# files in conf.d are considered (excluding the exceptions noted above) by
++# the Apache 2 web server.
+#
+# * The binary is called apache2. Due to the use of environment variables, in
+# the default configuration, apache2 needs to be started/stopped with
@@ -2768,8 +2768,8 @@
+CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined
diff -ruN httpd-2.2.22.orig/fink/config-dir/conf.d/security
httpd-2.2.22/fink/config-dir/conf.d/security
--- httpd-2.2.22.orig/fink/config-dir/conf.d/security 1969-12-31
17:00:00.000000000 -0700
-+++ httpd-2.2.22/fink/config-dir/conf.d/security 2012-06-21
08:43:52.000000000 -0600
-@@ -0,0 +1,75 @@
++++ httpd-2.2.22/fink/config-dir/conf.d/security 2012-07-03
09:49:42.000000000 -0600
+@@ -0,0 +1,85 @@
+#
+# Disable access to the entire file system except for the directories that
+# are explicitly allowed later.
@@ -2840,6 +2840,16 @@
+#Header set X-Content-Type-Options: "nosniff"
+
+#
++# Some browsers have a built-in XSS filter that will detect some cross site
++# scripting attacks. By default, these browsers modify the suspicious part of
++# the page and display the result. This behavior can create various problems
++# including new security issues. This header will tell the XSS filter to
++# completely block access to the page instead.
++# Requires mod_headers to be enabled.
++#
++#Header set X-XSS-Protection: "1; mode=block"
++
++#
+# Setting this header will prevent other sites from embedding pages from this
+# site as frames. This defends against clickjacking attacks.
+# Requires mod_headers to be enabled.
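Review bot: The new example uses `Header set`, which in mod_headers defaults to the onsuccess table, so the header would not be sent on 4xx/5xx responses — the error pages that most often reflect the request URI — and `#Header always set X-XSS-Protection: "1; mode=block"` would cover them too (the neighbouring X-Content-Type-Options and X-Frame-Options examples share the same limitation, so this may belong in a follow-up). The comment would also benefit from a caveat that this only engages a browser-side heuristic filter and is not a substitute for escaping output server-side, e.g. `# This is defence in depth only; it does not replace proper output escaping.` Note that CVE-2012-2687, fixed elsewhere in this commit, is exactly the kind of server-side bug such a header does not reliably mitigate.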
@@ -5791,43 +5801,6 @@
+ fi; \
+ endscript
+}
-diff -ruN httpd-2.2.22.orig/fink/make-ssl-cert.8
httpd-2.2.22/fink/make-ssl-cert.8
---- httpd-2.2.22.orig/fink/make-ssl-cert.8 1969-12-31 17:00:00.000000000
-0700
-+++ httpd-2.2.22/fink/make-ssl-cert.8 2012-06-12 08:46:21.000000000 -0600
-@@ -0,0 +1,33 @@
-+.TH make-ssl-cert 8
-+.SH NAME
-+make-ssl-cert - Wrapper for openssl
-+.SH SYNOPSIS
-+.B make-ssl-cert
-+\fItemplate\fR \fIoutput-certificate\fR [\fB\-\-force\-overwrite\fR]
-+.br
-+.B make-ssl-cert generate-default-snakeoil
-+[\fB\-\-force\-overwrite\fR]
-+.br
-+.SH "DESCRIPTION"
-+make-ssl-cert is a simple wrapper to openssl wrapper to create self-signed
-+certificates.
-+It requires a source template (Ex: @FINKPREFIX@/share/ssl-cert/ssleay.cnf)
-+and it will place the new generated certificate in the specified
-+output file.
-+.br
-+Invoked with "generate-default-snakeoil", it will generate
-+@FINKPREFIX@/etc/ssl/certs/ssl-cert-snakeoil.pem and
@FINKPREFIX@/etc/ssl/private/ssl-cert-snakeoil.key.
-+.SH OPTIONS
-+A summary of options are included below.
-+.TP
-+.B \-\-force\-overwrite
-+Use this option
-+.B ONLY
-+when strictly required since it will overwrite the output certificate.
-+.SH "SEE ALSO"
-+.IR "openssl" (1)
-+.SH AUTHOR
-+The program author is Thom May <[email protected]>, manual
-+page was written for completness by Fabio M. Di Nitto
-+<[email protected]>, for the Debian GNU/Linux system
-+(but may be used by others).
diff -ruN
httpd-2.2.22.orig/fink/patches/CacheIgnoreURLSessionIdentifiers.patch
httpd-2.2.22/fink/patches/CacheIgnoreURLSessionIdentifiers.patch
--- httpd-2.2.22.orig/fink/patches/CacheIgnoreURLSessionIdentifiers.patch
1969-12-31 17:00:00.000000000 -0700
+++ httpd-2.2.22/fink/patches/CacheIgnoreURLSessionIdentifiers.patch
2012-06-12 08:46:21.000000000 -0600
@@ -7401,6 +7374,43 @@
+ /*
+ * Open writable. Unless an error occurs, we'll be
+ * writing into the database.
+diff -ruN httpd-2.2.22.orig/fink/patches/mod_negotiation_CVE-2012-2687.patch
httpd-2.2.22/fink/patches/mod_negotiation_CVE-2012-2687.patch
+--- httpd-2.2.22.orig/fink/patches/mod_negotiation_CVE-2012-2687.patch
1969-12-31 17:00:00.000000000 -0700
++++ httpd-2.2.22/fink/patches/mod_negotiation_CVE-2012-2687.patch
2012-07-03 09:50:33.000000000 -0600
+@@ -0,0 +1,33 @@
++commit 706691e6fd5445f6d60456f55c5647e788e7b3ad
++Author: Joe Orton <[email protected]>
++Date: Wed Jun 13 15:33:48 2012 +0000
++
++ SECURITY: CVE-2012-2687 (cve.mitre.org):
++
++ mod_negotiation: Escape filenames in variant list to prevent an
++ possible XSS for a site where untrusted users can upload files to a
++ location with MultiViews enabled.
++
++ * modules/mappers/mod_negotiation.c (make_variant_list): Escape
++ filenames in variant list.
++
++ Submitted by: Niels Heinen <heinenn google.com>
++
++
++ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1349905
13f79535-47bb-0310-9956-ffa450edef68
++Index: apache2/modules/mappers/mod_negotiation.c
++===================================================================
++--- apache2.orig/modules/mappers/mod_negotiation.c 2012-06-22
23:17:12.000000000 +0200
+++++ apache2/modules/mappers/mod_negotiation.c 2012-06-22 23:22:12.775905499
+0200
++@@ -2658,9 +2658,9 @@
++ * need to change the calculation of max_vlist_array above.
++ */
++ *((const char **) apr_array_push(arr)) = "<li><a href=\"";
++- *((const char **) apr_array_push(arr)) = filename;
+++ *((const char **) apr_array_push(arr)) =
ap_escape_path_segment(r->pool, filename);
++ *((const char **) apr_array_push(arr)) = "\">";
++- *((const char **) apr_array_push(arr)) = filename;
+++ *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool,
filename);
++ *((const char **) apr_array_push(arr)) = "</a> ";
++ *((const char **) apr_array_push(arr)) = description;
++
diff -ruN
httpd-2.2.22.orig/fink/patches/mod_rewrite_literal_ipv6_redirect.patch
httpd-2.2.22/fink/patches/mod_rewrite_literal_ipv6_redirect.patch
--- httpd-2.2.22.orig/fink/patches/mod_rewrite_literal_ipv6_redirect.patch
1969-12-31 17:00:00.000000000 -0700
+++ httpd-2.2.22/fink/patches/mod_rewrite_literal_ipv6_redirect.patch
2012-06-12 08:46:21.000000000 -0600
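Review bot: The rewritten list item still pushes `description` unescaped after the two escaped `filename` pushes; if it is only ever populated from administrator-controlled sources (type-map files, AddDescription) that is acceptable, but the Fink patch header should record that assumption so a later backporter does not treat it as an oversight, e.g. `# description is admin-supplied (type-map/AddDescription), not user-uploadable`. The number of `apr_array_push` calls is unchanged, so the preceding remark about `max_vlist_array` remains valid. The nested patch is the trunk commit (r1349905) with an `apache2/` path prefix applied via `patch -p1` in apache2.info, so a refresh to the 2.2.x backport when upgrading to 2.2.23 should be straightforward; the enclosing `make_variant_list` function begins and ends outside this hunk.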
@@ -7739,79 +7749,6 @@
+
+.SH "EXAMPLES"
+split-logfile < @FINKPREFIX@/var/log/apache2/other_vhosts_access.log
-diff -ruN httpd-2.2.22.orig/fink/ssl-certificate
httpd-2.2.22/fink/ssl-certificate
---- httpd-2.2.22.orig/fink/ssl-certificate 1969-12-31 17:00:00.000000000
-0700
-+++ httpd-2.2.22/fink/ssl-certificate 2012-06-12 08:46:21.000000000 -0600
-@@ -0,0 +1,31 @@
-+#!/bin/sh -e
-+
-+if [ "$1" != "--force" -a -f @FINKPREFIX@/etc/apache2/ssl/apache.pem ]; then
-+ echo "@FINKPREFIX@/etc/apache2/ssl/apache.pem exists! Use \"$0 --force.\""
-+ exit 0
-+fi
-+
-+if [ "$1" = "--force" ]; then
-+ shift
-+fi
-+
-+echo
-+echo creating selfsigned certificate
-+echo "replace it with one signed by a certification authority (CA)"
-+echo
-+echo enter your ServerName at the Common Name prompt
-+echo
-+echo If you want your certificate to expire after x days call this programm
-+echo with "-days x"
-+
-+# use special .cnf, because with normal one no valid selfsigned
-+# certificate is created
-+
-+export RANDFILE=/dev/random
-+openssl req $@ -config @FINKPREFIX@/share/apache2/ssleay.cnf \
-+ -new -x509 -nodes -out @FINKPREFIX@/etc/apache2/ssl/apache.pem \
-+ -keyout @FINKPREFIX@/etc/apache2/ssl/apache.pem
-+chmod 600 @FINKPREFIX@/etc/apache2/ssl/apache.pem
-+ln -sf @FINKPREFIX@/etc/apache2/ssl/apache.pem \
-+ @FINKPREFIX@/etc/apache2/ssl/`/usr/bin/openssl \
-+ x509 -noout -hash < @FINKPREFIX@/etc/apache2/ssl/apache.pem`.0
-diff -ruN httpd-2.2.22.orig/fink/ssleay.cnf httpd-2.2.22/fink/ssleay.cnf
---- httpd-2.2.22.orig/fink/ssleay.cnf 1969-12-31 17:00:00.000000000 -0700
-+++ httpd-2.2.22/fink/ssleay.cnf 2012-06-12 08:46:21.000000000 -0600
-@@ -0,0 +1,34 @@
-+#
-+# SSLeay example configuration file.
-+#
-+
-+RANDFILE = $ENV::HOME/.rnd
-+
-+[ req ]
-+default_bits = 1024
-+default_keyfile = privkey.pem
-+distinguished_name = req_distinguished_name
-+
-+[ req_distinguished_name ]
-+countryName = Country Name (2 letter code)
-+countryName_default = GB
-+countryName_min = 2
-+countryName_max = 2
-+
-+stateOrProvinceName = State or Province Name (full name)
-+stateOrProvinceName_default = Some-State
-+
-+localityName = Locality Name (eg, city)
-+
-+organizationName = Organization Name (eg, company; recommended)
-+organizationName_max = 64
-+
-+organizationalUnitName = Organizational Unit Name (eg, section)
-+organizationalUnitName_max = 64
-+
-+commonName = server name (eg. ssl.domain.tld;
required!!!)
-+commonName_max = 64
-+
-+emailAddress = Email Address
-+emailAddress_max = 40
-+
diff -ruN httpd-2.2.22.orig/fink/suexec.8 httpd-2.2.22/fink/suexec.8
--- httpd-2.2.22.orig/fink/suexec.8 1969-12-31 17:00:00.000000000 -0700
+++ httpd-2.2.22/fink/suexec.8 2012-06-12 08:46:21.000000000 -0600