File: [cvs.NetBSD.org] / pkgsrc / www / apache24 / Makefile

Revision 1.111, Thu Jun 9 18:15:50 2022 UTC (21 months, 2 weeks ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q2-base, pkgsrc-2022Q2
Changes since 1.110: +2 -3 lines

apache24: updated to 2.4.54

Changes with Apache 2.4.54

*) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by
   hop-by-hop mechanism (cve.mitre.org)
   Apache HTTP Server 2.4.53 and earlier may not send the
   X-Forwarded-* headers to the origin server based on client side
   Connection header hop-by-hop mechanism.
   This may be used to bypass IP based authentication on the origin
   server/application.
   Credits: The Apache HTTP Server project would like to thank
   Gaetan Ferry (Synacktiv) for reporting this issue

*) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with
   websockets (cve.mitre.org)
   Apache HTTP Server 2.4.53 and earlier may return lengths to
   applications calling r:wsread() that point past the end of the
   storage allocated for the buffer.
   Credits: The Apache HTTP Server project would like to thank
   Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-30522: mod_sed denial of service
   (cve.mitre.org)
   If Apache HTTP Server 2.4.53 is configured to do transformations
   with mod_sed in contexts where the input to mod_sed may be very
   large, mod_sed may make excessively large memory allocations and
   trigger an abort.
   Credits: This issue was found by Brian Moussalli from the JFrog
   Security Research team

*) SECURITY: CVE-2022-29404: Denial of service in mod_lua
   r:parsebody (cve.mitre.org)
   In Apache HTTP Server 2.4.53 and earlier, a malicious request to
   a lua script that calls r:parsebody(0) may cause a denial of
   service due to no default limit on possible input size.
   Credits: The Apache HTTP Server project would like to thank
   Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-28615: Read beyond bounds in
   ap_strcmp_match() (cve.mitre.org)
   Apache HTTP Server 2.4.53 and earlier may crash or disclose
   information due to a read beyond bounds in ap_strcmp_match()
   when provided with an extremely large input buffer.  While no
   code distributed with the server can be coerced into such a
   call, third-party modules or lua scripts that use
   ap_strcmp_match() may hypothetically be affected.
   Credits: The Apache HTTP Server project would like to thank
   Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite()
   (cve.mitre.org)
   The ap_rwrite() function in Apache HTTP Server 2.4.53 and
   earlier may read unintended memory if an attacker can cause the
   server to reflect very large input using ap_rwrite() or
   ap_rputs(), such as with mod_lua's r:puts() function.
   Credits: The Apache HTTP Server project would like to thank
   Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi
   (cve.mitre.org)
   Apache HTTP Server 2.4.53 and earlier on Windows may read beyond
   bounds when configured to process requests with the mod_isapi
   module.
   Credits: The Apache HTTP Server project would like to thank
   Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request
   smuggling (cve.mitre.org)
   Inconsistent Interpretation of HTTP Requests ('HTTP Request
   Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
   allows an attacker to smuggle requests to the AJP server it
   forwards requests to.  This issue affects Apache HTTP Server
   2.4 version 2.4.53 and prior versions.
   Credits: Ricter Z @ 360 Noah Lab

*) mod_ssl: SSLFIPS compatible with OpenSSL 3.0.

*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.

*) mod_md:  a bug was fixed that caused very large MDomains
   with the combined DNS names exceeding ~7k to fail, as
   request bodies would contain partially wrong data from
   uninitialized memory. This would have appeared as failure
   in signing-up/renewing such configurations.

*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.

*) MPM event: Restart children processes killed before idle maintenance.

*) ab: Allow for TLSv1.3 when the SSL library supports it.

*) core: Disable TCP_NOPUSH optimization on OSX since it might introduce
   transmission delays.

*) MPM event: Fix accounting of active/total processes on ungraceful restart,

*) core: make ap_escape_quotes() work correctly on strings
   with more than MAX_INT/2 characters, counting quotes double.
   Credit to <generalbugs@zippenhop.com> for finding this.

*) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
   an ACME CA. This gives a failover for renewals when several consecutive attempts
   to get a certificate failed.
   A new directive was added: `MDRetryDelay` sets the delay of retries.
   A new directive was added: `MDRetryFailover` sets the number of errored
   attempts before an alternate CA is selected for certificate renewals.

*) mod_http2: remove unused and insecure code.

*) mod_proxy: Add backend port to log messages to
   ease identification of involved service.

*) mod_http2: removing unscheduling of ongoing tasks when
   connection shows potential abuse by a client. This proved
   counter-productive and the abuse detection can false flag
   requests using server-side-events.
   Fixes <https://github.com/icing/mod_h2/issues/231>.

*) mod_md: Implement full auto status ("key: value" type status output).
   Especially not only status summary counts for certificates and
   OCSP stapling but also lists. Auto status format is similar to
   what was used for mod_proxy_balancer.

*) mod_md: fixed a bug leading to failed transfers for OCSP
   stapling information when more than 6 certificates needed
   updates in the same run.

*) mod_proxy: Set a status code of 502 in case the backend just closed the
   connection in reply to our forwarded request.

*) mod_md: a possible NULL pointer deref was fixed in
   the JSON code for persisting time periods (start+end).
   Fixes #282 on mod_md's github.
   Thanks to @marcstern for finding this.

*) mod_heartmonitor: Set the documented default value
   "10" for HeartbeatMaxServers instead of "0". With "0"
   no shared memory slotmem was initialized.

*) mod_md: added support for managing certificates via a
   local tailscale daemon for users of that secure networking.
   This gives trusted certificates for tailscale assigned
   domain names in the *.ts.net space.
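
Added example, not part of the commit message and not Apache or pkgsrc code: two defensive checks for the CVE-2022-31813 entry above, one that flags requests whose Connection header nominates an X-Forwarded-* header as hop-by-hop, and one origin-side resolver that fails closed when a request from the proxy carries no X-Forwarded-For. All function names, the trusted subnet and the sample requests are constructed; it assumes the origin trusts the rightmost X-Forwarded-For value appended by its own proxy.

```python
import ipaddress

# Constructed sample data; every name in this block is hypothetical.
TRUSTED = [ipaddress.ip_network("10.0.0.0/24")]  # assumed reverse-proxy subnet
REQ_NORMAL = [("Host", "app.example"), ("Connection", "keep-alive"),
              ("X-Forwarded-For", "203.0.113.7")]
REQ_FLAGGED = [("Host", "app.example"),
               ("Connection", "close, X-Forwarded-For")]
REQ_STRIPPED = [("Host", "app.example")]  # origin view: no X-Forwarded-For


def connection_tokens(headers):
    """Return the lower-cased header names listed in all Connection headers."""
    tokens = []
    for name, value in headers:
        if name.lower() == "connection":
            tokens += [t.strip().lower() for t in value.split(",") if t.strip()]
    return tokens


def suspicious_connection(headers):
    """Edge-side check: Connection tokens that name an X-Forwarded-* header."""
    return [t for t in connection_tokens(headers) if t.startswith("x-forwarded-")]


def origin_client_ip(headers, peer_ip, trusted_proxies):
    """Origin-side check: resolve the client address, failing closed.

    Returns None when the peer is a trusted proxy but no valid
    X-Forwarded-For is present, instead of falling back to the proxy's
    own address (which an IP allow-list would typically accept).
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        return str(peer)  # direct connection: the socket peer is the client
    xff = [v for n, v in headers if n.lower() == "x-forwarded-for"]
    if not xff:
        return None  # header missing on a proxied request: deny
    last = xff[-1].split(",")[-1].strip()  # value appended by the nearest proxy
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None  # malformed value: deny
```

A caller should treat a `None` result as an authentication failure rather than substituting the peer address.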

# $NetBSD: Makefile,v 1.111 2022/06/09 18:15:50 adam Exp $
#
# When updating this package, make sure that no strings like
# "PR 12345" are in the commit message. Upstream likes
# to reference their own PRs this way, but this ends up
# in NetBSD GNATS.

DISTNAME=	httpd-2.4.54
PKGNAME=	${DISTNAME:S/httpd/apache/}
CATEGORIES=	www
MASTER_SITES=	${MASTER_SITE_APACHE:=httpd/}
MASTER_SITES+=	https://archive.apache.org/dist/httpd/
EXTRACT_SUFX=	.tar.bz2

MAINTAINER=	ryoon@NetBSD.org
HOMEPAGE=	https://httpd.apache.org/
COMMENT=	Apache HTTP (Web) server, version 2.4
LICENSE=	apache-2.0

BUILD_DEFS+=	IPV6_READY
BUILD_DEFS+=	VARBASE

USE_LIBTOOL=		yes
USE_TOOLS+=		pax perl pkg-config
GNU_CONFIGURE=		yes
CONFIGURE_ARGS+=	--enable-layout=NetBSD
CONFIGURE_ARGS+=	--enable-mods-shared=all
CONFIGURE_ARGS+=	--enable-so
CONFIGURE_ARGS+=	--with-apr=${BUILDLINK_PREFIX.apr}
CONFIGURE_ARGS+=	--with-apr-util=${BUILDLINK_PREFIX.apr-util}
CONFIGURE_ARGS+=	--with-port=80
CONFIGURE_ENV+=		perlbin=${PERL5:Q}
CONFIGURE_ENV+=		ac_cv_path_RSYNC=/nonexistent

.include "../../mk/compiler.mk"

CFLAGS.SunOS+=	-D__EXTENSIONS__
.if !empty(CC_VERSION:Mgcc-[5-9]*) || !empty(CC_VERSION:Mgcc-1[0-9].*) || !empty(PKGSRC_COMPILER:Mclang)
CFLAGS.SunOS+=	-D_XOPEN_SOURCE=600
.else
CFLAGS.SunOS+=	-D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1
.endif

BUILDLINK_API_DEPENDS.apr+=	apr>=1.5.0
.include "../../devel/apr/buildlink3.mk"
BUILDLINK_API_DEPENDS.apr-util+=	apr-util>=1.5.3
.include "../../devel/apr-util/buildlink3.mk"
.include "../../devel/pcre2/buildlink3.mk"
.include "../../security/openssl/buildlink3.mk"
.include "../../textproc/expat/buildlink3.mk"
.include "../../mk/dlopen.buildlink3.mk"
.include "../../mk/pthread.buildlink3.mk"

CONFIGURE_ARGS+=	--enable-proxy-fdpass

DFLT_APACHE_MODULES+=	all
APACHE_MODULES?=	${DFLT_APACHE_MODULES}

.include "options.mk"

# LDAP support
PLIST_VARS+=		ldap
.if ${PKG_BUILD_OPTIONS.apr-util:Mldap}
DFLT_APACHE_MODULES+=	ldap authnz_ldap
PLIST.ldap=		yes
.endif

PLIST_VARS+=		ssl
.if ${PKG_BUILD_OPTIONS.apr-util:Mssl}
PLIST.ssl=		yes
.endif

APACHE_USER?=		www
APACHE_GROUP?=		www
PKG_GROUPS=		${APACHE_GROUP}
PKG_USERS=		${APACHE_USER}:${APACHE_GROUP}
PKG_GROUPS_VARS=	APACHE_GROUP
PKG_USERS_VARS=		APACHE_USER

PKG_SYSCONFVAR=		apache
PKG_SYSCONFSUBDIR=	httpd
EGDIR=			${PREFIX}/share/examples/httpd
SBINDIR=		${PREFIX}/sbin
CONF_FILES+=		${EGDIR}/httpd.conf ${PKG_SYSCONFDIR}/httpd.conf
.for f in autoindex dav default info languages manual mpm \
	multilang-errordoc ssl userdir vhosts
CONF_FILES+=		${EGDIR}/extra/httpd-${f}.conf \
				${PKG_SYSCONFDIR}/httpd-${f}.conf
.endfor
CONF_FILES+=		${EGDIR}/magic ${PKG_SYSCONFDIR}/magic
CONF_FILES+=		${EGDIR}/mime.types ${PKG_SYSCONFDIR}/mime.types
RCD_SCRIPTS=		apache

REQD_DIRS=		${PREFIX}/share/httpd
REQD_DIRS+=		${PREFIX}/share/httpd/htdocs
OWN_DIRS=		${VARBASE}/log/httpd
OWN_DIRS+=		${VARBASE}/db/httpd
OWN_DIRS_PERMS+=	${VARBASE}/db/httpd/proxy ${APACHE_USER} ${APACHE_GROUP} 0755
FIX_PERMS_SBIN=		apachectl envvars-std
FIX_PERMS_BIN=		apxs dbmmanage mkcert
FIX_MAN_PERMS=		man1/htdbm.1 man1/htpasswd.1 man1/htdigest.1
FIX_MAN_PERMS+=		man1/dbmmanage.1 man8/httpd.8 man8/suexec.8
FIX_MAN_PERMS+=		man8/rotatelogs.8 man1/logresolve.1 man1/apxs.1
FIX_MAN_PERMS+=		man8/apachectl.8 man1/ab.1 man1/httxt2dbm.1

# Fix paths in the apache manpages.
SUBST_CLASSES+=		man
SUBST_STAGE.man=	pre-configure
SUBST_MESSAGE.man=	Fixing paths in man pages.
SUBST_FILES.man=	docs/man/apxs.1 docs/man/htdbm.1 \
			docs/man/htpasswd.1 docs/man/httpd.8
SUBST_SED.man=		-e 's,/usr/local/etc/apache,${PKG_SYSCONFDIR},'
SUBST_SED.man+=		-e 's,/path/to/apache/etc,${PKG_SYSCONFDIR},'
SUBST_SED.man+=		-e 's,/usr/local/apache2,${PREFIX}/share/httpd/htdocs,'
SUBST_SED.man+=		-e 's,/usr/web,${PREFIX}/share/httpd/htdocs,'

SUBST_CLASSES+=		paths
SUBST_STAGE.paths=	pre-configure
SUBST_MESSAGE.paths=	Fixing paths.
SUBST_FILES.paths=	config.layout Makefile.in support/apxs.in
SUBST_VARS.paths=	PREFIX
SUBST_VARS.paths+=	VARBASE
SUBST_SED.paths+=	-e "s|@SYSCONFDIR@|${PKG_SYSCONFDIR}|g"
SUBST_VARS.paths+=	PAX PREFIX

SUBST_CLASSES+=		apr-lt
SUBST_STAGE.apr-lt=	post-configure
SUBST_MESSAGE.apr-lt=	Fixing libtool references.
SUBST_FILES.apr-lt=	build/config_vars.mk
SUBST_SED.apr-lt=	-e 's|^\(LIBTOOL =\) [^ ]*|\1 $$(SHELL) $$(top_builddir)/build/libtool|g'

SUBST_CLASSES+=		confs
SUBST_STAGE.confs=	post-configure
SUBST_MESSAGE.confs=	Fixing configuration files.
SUBST_FILES.confs=	docs/conf/httpd.conf
SUBST_FILES.confs+=	docs/conf/extra/httpd-ssl.conf
SUBST_SED.confs=	-e "s|${EGDIR}|${PKG_SYSCONFDIR}|g"
SUBST_SED.confs+=	-e "s|${PREFIX}/htdocs|${PREFIX}/share/httpd/htdocs|g"
SUBST_SED.confs+=	-e "s|${PREFIX}/conf|${PKG_SYSCONFDIR}|g"
SUBST_SED.confs+=	-e 's|^\(User[	 ]\).*|\1${APACHE_USER}|g'
SUBST_SED.confs+=	-e 's|^\(Group[	 ]\).*|\1${APACHE_GROUP}|g'
SUBST_SED.confs+=	-e 's|^Listen \(.*\)|Listen 0.0.0.0:\1|g'

# abs_srcdir in config_vars.mk is used during install so needs to reference
# the work dir path, and by other packages such as ap2-fastcgi after install,
# so we fix after install to reference the installed path
SUBST_CLASSES+=			abs_srcdir
SUBST_STAGE.abs_srcdir=		post-install
SUBST_MESSAGE.abs_srcdir=	Fixing abs_srcdir
SUBST_FILES.abs_srcdir=		${DESTDIR}${PREFIX}/share/httpd/build/config_vars.mk
SUBST_SED.abs_srcdir=		-e 's|^\(abs_srcdir =\) .*|\1 ${PREFIX}/share/httpd|'

#REPLACE_PERL=		docs/cgi-examples/printenv

.include "../../devel/zlib/buildlink3.mk"
CONFIGURE_ARGS+=	--with-ssl=${BUILDLINK_PREFIX.openssl}
CONFIGURE_ARGS+=	--with-z=${BUILDLINK_PREFIX.zlib}

post-extract:
	${TOUCH} ${WRKSRC}/build/libtool
	${ECHO} "" >> ${WRKSRC}/docs/conf/extra/httpd-languages.conf.in

post-build:
	${SED} "s#@PKG_SYSCONFDIR@#${PKG_SYSCONFDIR}#g"			\
		< ${FILESDIR}/mkcert.sh > ${WRKDIR}/mkcert

INSTALL_TARGET=		install-conf install
INSTALL_MAKE_FLAGS+=	sysconfdir="${EGDIR}"

post-install:
	${LN} -sf ${PREFIX}/libexec/apr/libtool ${DESTDIR}${PREFIX}/share/httpd/build
	${LN} -sf ${SBINDIR}/envvars-std ${DESTDIR}${SBINDIR}/envvars

	${INSTALL_SCRIPT} ${WRKDIR}/mkcert ${DESTDIR}${PREFIX}/bin

.for file in ${FIX_PERMS_SBIN}
	${CHOWN} ${BINOWN}:${BINGRP} ${DESTDIR}${PREFIX}/sbin/${file}
	${CHMOD} ${BINMODE} ${DESTDIR}${PREFIX}/sbin/${file}
.endfor

.for file in ${FIX_PERMS_BIN}
	${CHOWN} ${BINOWN}:${BINGRP} ${DESTDIR}${PREFIX}/bin/${file}
	${CHMOD} ${BINMODE} ${DESTDIR}${PREFIX}/bin/${file}
.endfor

	${CHOWN} -RP ${BINOWN}:${BINGRP} ${DESTDIR}${PREFIX}/share/httpd
	${CHOWN} -RP ${BINOWN}:${BINGRP} ${DESTDIR}${PREFIX}/include/httpd
	${CHOWN} -RP ${BINOWN}:${BINGRP} ${DESTDIR}${PREFIX}/lib/httpd
	${CHOWN} ${BINOWN}:${BINGRP} ${DESTDIR}${PREFIX}/libexec/cgi-bin/test-cgi
	${CHOWN} ${BINOWN}:${BINGRP} ${DESTDIR}${PREFIX}/libexec/cgi-bin/printenv

.for file in ${FIX_MAN_PERMS}
	${CHOWN} ${MANOWN}:${MANGRP} ${DESTDIR}${PREFIX}/${PKGMANDIR}/${file}
.endfor

	${CHMOD} a-x ${DESTDIR}${PREFIX}/sbin/envvars-std
.if exists(${DESTDIR}${PREFIX}/sbin/suexec)
	${CHMOD} a-w ${DESTDIR}${PREFIX}/sbin/suexec
.endif

.include "../../mk/pthread.buildlink3.mk"
.include "../../devel/readline/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"