path: root/www/apache22
author: Jason Helfman <jgh@FreeBSD.org> 2012-02-01 18:56:08 +0000
committer: Jason Helfman <jgh@FreeBSD.org> 2012-02-01 18:56:08 +0000
commit: 09c57f862ba57cc4857066a686924f29033b96e4 (patch)
tree: 2c4c0af9cb7f8943aa28eb1afcb97fb987d1503a /www/apache22
parent: be769004eb8073f8b073a9639cdc39e1777ef02b (diff)
download: ports-09c57f862ba57cc4857066a686924f29033b96e4.tar.gz
ports-09c57f862ba57cc4857066a686924f29033b96e4.zip
- Update to 2.2.22

Addresses:

* SECURITY: CVE-2011-3607 (cve.mitre.org) Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.

* SECURITY: CVE-2012-0021 (cve.mitre.org) The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value.

* SECURITY: CVE-2012-0031 (cve.mitre.org) scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function.

* SECURITY: CVE-2011-4317 (cve.mitre.org) The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign) character and a : (colon) character in invalid positions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368.

* SECURITY: CVE-2012-0053 (cve.mitre.org) protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.

* SECURITY: CVE-2011-3368 (cve.mitre.org) The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

PR: ports/164675
Reviewed by: pgollucci
Approved by: pgollucci, crees, rene (mentors, implicit)
With Hat: apache@
Notes: svn path=/head/; revision=290249
Diffstat (limited to 'www/apache22')
-rw-r--r-- www/apache22/Makefile 2
-rw-r--r-- www/apache22/Makefile.doc 4
-rw-r--r-- www/apache22/distinfo 4
-rw-r--r-- www/apache22/files/patch-Makefile.in 4
-rw-r--r-- www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in 44
5 files changed, 11 insertions, 47 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 6fdea35a220b..157457d28ee0 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -8,7 +8,7 @@
#
PORTNAME= apache
-PORTVERSION= 2.2.21
+PORTVERSION= 2.2.22
#PORTREVISION= 1
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD}
diff --git a/www/apache22/Makefile.doc b/www/apache22/Makefile.doc
index 0c57cdc51e5c..7e3c9c083325 100644
--- a/www/apache22/Makefile.doc
+++ b/www/apache22/Makefile.doc
@@ -102,7 +102,7 @@ MAKE_ENV+= EXAMPLESDIR=${EXAMPLESDIR}
MAKE_ENV+= NOPORTDOCS=yes
.endif
-MAN1= dbmmanage.1 htdigest.1 htpasswd.1 htdbm.1
-MAN8= ab.8 apachectl.8 apxs.8 httpd.8 logresolve.8 rotatelogs.8 suexec.8 htcacheclean.8
+MAN1= ab.1 apxs.1 dbmmanage.1 htdbm.1 htdigest.1 htpasswd.1 httxt2dbm.1 logresolve.1
+MAN8= apachectl.8 htcacheclean.8 httpd.8 rotatelogs.8 suexec.8
PORTDOCS= * #don't blame me ;-)
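Review bot: ab, apxs and logresolve move from MAN8 to MAN1 and httxt2dbm.1 appears for the first time; since MAN1/MAN8 feed the packing list, the old ab.8, apxs.8 and logresolve.8 entries disappear on upgrade, so a plist check of the built package should confirm that no section-8 copies of those pages are left behind and that httxt2dbm.1 is actually shipped in the 2.2.22 tarball.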
diff --git a/www/apache22/distinfo b/www/apache22/distinfo
index 8051dad22485..83575cc46e94 100644
--- a/www/apache22/distinfo
+++ b/www/apache22/distinfo
@@ -1,2 +1,2 @@
-SHA256 (apache22/httpd-2.2.21.tar.bz2) = 18d5591fe48cfbac44fc20316036ffe17456df60bc3a2aaad238d56c6445577f
-SIZE (apache22/httpd-2.2.21.tar.bz2) = 5324905
+SHA256 (apache22/httpd-2.2.22.tar.bz2) = dcdc9f1dc722f84798caf69d69dca78daa5e09a4269060045aeca7e4f44cb231
+SIZE (apache22/httpd-2.2.22.tar.bz2) = 5378934
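Review bot: The new SHA256 and SIZE lines are the only thing standing between the build and a substituted distfile, so they should be checked against the hash and PGP signature published with the httpd 2.2.22 release rather than only regenerated from whatever tarball was fetched; a regenerated sum faithfully records a tampered mirror copy just as well as a genuine one.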
diff --git a/www/apache22/files/patch-Makefile.in b/www/apache22/files/patch-Makefile.in
index 8f7b23d7c4e0..1e375390a0fd 100644
--- a/www/apache22/files/patch-Makefile.in
+++ b/www/apache22/files/patch-Makefile.in
@@ -96,10 +96,10 @@
@test -d $(DESTDIR)$(manualdir) || $(MKINSTALLDIRS) $(DESTDIR)$(manualdir)
- @cp -p $(top_srcdir)/docs/man/*.1 $(DESTDIR)$(mandir)/man1
- @cp -p $(top_srcdir)/docs/man/*.8 $(DESTDIR)$(mandir)/man8
-+ for i in dbmmanage htdbm htdigest htpasswd; do \
++ for i in ab apxs dbmmanage htdbm htdigest htpasswd httxt2dbm logresolve; do \
+ ${INSTALL_MAN} $(top_srcdir)/docs/man/$$i.1 $(DESTDIR)$(mandir)/man1; \
+ done
-+ for i in ab apachectl apxs htcacheclean httpd logresolve rotatelogs suexec; do \
++ for i in apachectl htcacheclean httpd rotatelogs suexec; do \
+ ${INSTALL_MAN} $(top_srcdir)/docs/man/$$i.8 $(DESTDIR)$(mandir)/man8; \
+ done
+.if !defined(NOPORTDOCS)
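Review bot: The two `for i in ...` lists are a hand-maintained second copy of MAN1 and MAN8 from Makefile.doc; they agree in this commit, but any future drift would install a page that is not in the plist or list one that is never installed. Deriving the loop from ${MAN1}/${MAN8} (or generating the loop lists from them) would leave one source of truth. Replacing the old `cp -p` wildcards with ${INSTALL_MAN} is otherwise the right direction, since it gives the installed pages deterministic ownership and mode.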
diff --git a/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in b/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in
index 3adaedb412e7..ef6184629ad4 100644
--- a/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in
+++ b/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in
@@ -1,6 +1,6 @@
---- ./docs/conf/extra/httpd-ssl.conf.in.orig 2008-02-04 23:00:07.000000000 +0000
-+++ ./docs/conf/extra/httpd-ssl.conf.in 2012-01-23 23:20:06.446390870 +0000
-@@ -77,17 +77,35 @@
+--- ./docs/conf/extra/httpd-ssl.conf.in.orig 2012-02-01 08:25:55.000000000 -0800
++++ ./docs/conf/extra/httpd-ssl.conf.in 2012-02-01 08:27:23.000000000 -0800
+@@ -77,8 +77,8 @@
DocumentRoot "@exp_htdocsdir@"
ServerName www.example.com:@@SSLPort@@
ServerAdmin you@example.com
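Review bot: This hunk only refreshes the `---`/`+++` timestamps and the inner hunk range of the port's patch header; the timestamps carry no information and will churn on every update, so stripping them from the stored patch would keep future diffs of this file limited to the substantive lines.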
@@ -11,43 +11,7 @@
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
- SSLEngine on
-
-+# SSL Protocol support:
-+# List the protocol versions which clients are allowed to
-+# connect with. Disable SSLv2 by default (cf. RFC 6176).
-+SSLProtocol all -SSLv2
-+
- # SSL Cipher Suite:
- # List the ciphers that the client is permitted to negotiate.
- # See the mod_ssl documentation for a complete list.
--SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
-+
-+# Speed-optimized SSL Cipher configuration:
-+# If speed is your main concern (on busy HTTPS servers e.g.),
-+# you might want to force clients to specific, performance
-+# optimized ciphers. In this case, prepend those ciphers
-+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
-+# Caveat: by giving precedence to RC4-SHA and AES128-SHA
-+# (as in the example below), most connections will no longer
-+# have perfect forward secrecy - if the server's key is
-+# compromised, captures of past or future traffic must be
-+# considered compromised, too.
-+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-+#SSLHonorCipherOrder on
-
- # Server Certificate:
- # Point SSLCertificateFile at a PEM encoded certificate. If
-@@ -218,14 +236,14 @@
- # Similarly, one has to force some clients to use HTTP/1.0 to workaround
- # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
- # "force-response-1.0" for this.
--BrowserMatch ".*MSIE.*" \
-+BrowserMatch "MSIE [2-5]" \
- nokeepalive ssl-unclean-shutdown \
- downgrade-1.0 force-response-1.0
-
+@@ -243,7 +243,7 @@
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
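Review bot: This hunk removes the port-local hardening from the patch: `SSLProtocol all -SSLv2`, the `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` replacement for the old `ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` suite, the forward-secrecy caveat comment block, and the narrowed `BrowserMatch "MSIE [2-5]"`. That is only safe if the unpatched 2.2.22 httpd-ssl.conf.in already carries equivalent settings, which the commit message does not state; the inner header moving from `-218,14 +236,14` to `-243,7 +243,7` shows the logging section sitting 25 lines further down in the upstream file, which is consistent with upstream having absorbed these blocks, but the installed sample config should be diffed against the old patched output to confirm that SSLv2 and the eNULL/EXP ciphers do not come back on a fresh install.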