From owner-svn-ports-all@freebsd.org Tue Dec 6 12:52:29 2016
Message-Id: <201612061252.uB6CqRpj073716@repo.freebsd.org>
From: Bernard Spil
Date: Tue, 6 Dec 2016 12:52:27 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r427954 - in branches/2016Q4/www/apache24: . files

Author: brnrd
Date: Tue Dec 6 12:52:27 2016
New Revision: 427954

URL: https://svnweb.freebsd.org/changeset/ports/427954

Log:
  MFH: r427953

  www/apache24: Fix HTTP/2 DoS vulnerability

  - Add patch from upstream security advisory
  - Bump PORTREVISION

  PR:		215096
  Security:	cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf
  Security:	CVE-2016-8740

  Approved by:	ports-secteam (implicit, "Backport of security and reliability fixes")

Added:
  branches/2016Q4/www/apache24/files/patch-CVE-2016-8740
     - copied unchanged from r427953, head/www/apache24/files/patch-CVE-2016-8740
Modified:
  branches/2016Q4/www/apache24/Makefile
Directory Properties:
  branches/2016Q4/   (props changed)

Modified: branches/2016Q4/www/apache24/Makefile
==============================================================================
--- branches/2016Q4/www/apache24/Makefile	Tue Dec 6 12:43:36 2016	(r427953)
+++ branches/2016Q4/www/apache24/Makefile	Tue Dec 6 12:52:27 2016	(r427954)
@@ -2,7 +2,7 @@
 PORTNAME=	apache24
 PORTVERSION=	2.4.23
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	www ipv6
 MASTER_SITES=	APACHE_HTTPD
 DISTNAME=	httpd-${PORTVERSION}

Copied: branches/2016Q4/www/apache24/files/patch-CVE-2016-8740 (from r427953, head/www/apache24/files/patch-CVE-2016-8740)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2016Q4/www/apache24/files/patch-CVE-2016-8740	Tue Dec 6 12:52:27 2016	(r427954, copy of r427953, head/www/apache24/files/patch-CVE-2016-8740)
@@ -0,0 +1,116 @@ + Security Advisory - Apache Software Foundation + Apache HTTPD WebServer / httpd.apache.org + + Server memory can be exhausted and service denied when HTTP/2 is used + + CVE-2016-8740 + +The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply limitations +on request headers correctly when experimental module for the HTTP/2 +protocol is used to access a resource. + +The net result is that a the server allocates too much memory instead of denying +the request. This can lead to memory exhaustion of the server by a properly +crafted request. + +Background: +- ----------- + +Apache has limits on the number and length of request header fields. which +limits the amount of memory a client can allocate on the server for a request. + +Version 2.4.17 of the Apache HTTP Server introduced an experimental feature: +mod_http2 for the HTTP/2 protocol (RFC7540, previous versions were known as +Google SPDY). + +This module is NOT compiled in by default -and- is not enabled by default, +although some distribution may have chosen to do so. + +It is generally needs to be enabled in the 'Protocols' line in httpd by +adding 'h2' and/or 'h2c' to the 'http/1.1' only default. + +The default distributions of the Apache Software Foundation do not include +this experimental feature. + +Details: +- -------- + +- From version 2.4.17, upto and including version 2.4.23 the server failed +to take the limitations on request memory use into account when providing +access to a resource over HTTP/2. This issue has been fixed +in version 2.4.23 (r1772576). + +As a result - with a request using the HTTP/2 protocol a specially crafted +request can allocate memory on the server until it reaches its limit. This can +lead to denial of service for all requests against the server. + +Impact: +- ------- + +This can lead to denial of service for all server resources. +Versions affected: +- ------------------ +All versions from 2.4.17 to 2.4.23. 
+ +Resolution: +- ----------- + +For a 2.4.23 version a patch is supplied. This will be included in the +next release. + +Mitigations and work arounds: +- ----------------------------- + +As a temporary workaround - HTTP/2 can be disabled by changing +the configuration by removing h2 and h2c from the Protocols +line(s) in the configuration file. + +The resulting line should read: + + Protocols http/1.1 + +Credits and timeline +- -------------------- + +The flaw was found and reported by Naveen Tiwari +and CDF/SEFCOM at Arizona State University on 2016-11-22. The issue was +resolved by Stefan Eissing and incorporated in the Apache repository, +ready for inclusion in the next release. + +Apache would like to thank all involved for their help with this. + +Index: modules/http2/h2_stream.c +=================================================================== +--- modules/http2/h2_stream.c (revision 1771866) ++++ modules/http2/h2_stream.c (working copy) +@@ -322,18 +322,18 @@ + HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE); + } + } +- } +- +- if (h2_stream_is_scheduled(stream)) { +- return h2_request_add_trailer(stream->request, stream->pool, +- name, nlen, value, vlen); +- } +- else { +- if (!input_open(stream)) { +- return APR_ECONNRESET; ++ ++ if (h2_stream_is_scheduled(stream)) { ++ return h2_request_add_trailer(stream->request, stream->pool, ++ name, nlen, value, vlen); + } +- return h2_request_add_header(stream->request, stream->pool, +- name, nlen, value, vlen); ++ else { ++ if (!input_open(stream)) { ++ return APR_ECONNRESET; ++ } ++ return h2_request_add_header(stream->request, stream->pool, ++ name, nlen, value, vlen); ++ } + } + } + +
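Review bot: the advisory text that makes up the first hundred-odd lines of patch-CVE-2016-8740 is internally inconsistent and will confuse anyone reading the port's files/ directory: the Details section says the issue "has been fixed in version 2.4.23 (r1772576)", while Versions affected lists "2.4.17 to 2.4.23" and Resolution says a patch is supplied "For a 2.4.23 version" that "will be included in the next release". The fix is therefore in the release after 2.4.23, not in 2.4.23 itself; either correct that one sentence or trim the file to the `Index: modules/http2/h2_stream.c` line onward so that only the hunk ships, which also removes the PGP-escaped `- ------` rule lines that patch(1) otherwise has to skip as leading garbage before it finds the `---`/`+++` header.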
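Review bot: in the h2_stream.c hunk (`@@ -322,18 +322,18 @@`) the enclosing condition that the relocated `h2_stream_is_scheduled()` / `h2_request_add_header()` block now sits under begins before line 322 and is not in the context, and neither is the statement reached when that condition is false: the hunk ends at `++ }` / `+ }` / `+ }` with no visible `return`. As excerpted, a reviewer cannot see what `h2_stream_add_header` now returns to its caller for a header that arrives after the size/count check above has already set `HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE` on the stream, which is exactly the path the CVE is about. Regenerate the diff with a few more context lines (`-U5` or so) or quote the enclosing `if` and the fall-through return in the commit message. The `-` lines and the `++`-prefixed replacements are otherwise the same statements re-nested one level deeper (`h2_request_add_trailer`, `input_open`, `APR_ECONNRESET`, `h2_request_add_header` all unchanged), so nothing changes on the accepted-header path.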