ports@,

Here is an update for devel/apr to 1.7.5, which was released August 26, 2024 and which contains a fix for CVE-2023-49582.
Tested on -current/amd64 by rebuilding:
 - devel/apr-util
 - devel/subversion
 - net/serf
 - www/ap2-mod_dnssd
 - www/ap2-mod_perl
 - www/apache-httpd
 - www/p5-libapreq2

/usr/src/lib/check_sym confirms that only one symbol was added.

Ok for -current and 7.6?

Changelog:

Changes for APR 1.7.5

  *) SECURITY: CVE-2023-49582: Apache Portable Runtime (APR):
     Unexpected lax shared memory permissions (cve.mitre.org)
     Lax permissions set by the Apache Portable Runtime library on
     Unix platforms would allow local users read access to named
     shared memory segments, potentially revealing sensitive
     application data.
     This issue does not affect non-Unix platforms, or builds with
     APR_USE_SHMEM_SHMGET=1 (apr.h)
     Users are recommended to upgrade to APR version 1.7.5, which
     fixes this issue.
     Credits: Thomas Stangner

  *) Unix: Implement apr_shm_perms_set() for the "POSIX shm_open()" and
     "classic mmap" shared memory implementations. [Joe Orton, Ruediger Pluem]

  *) Fix missing ';' for XML/HTML hex entities from apr_escape_entity().
     [Yann Ylavic]

  *) Fix crash in apr_pool_create() with --enable-pool-debug=all|owner.
     [Yann Ylavic]

  *) Improve platform detection by updating config.guess and config.sub.
     [Rainer Jung]

  *) CMake: Add support for CMAKE_WARNING_AS_ERROR. [Ivan Zhakov]

  *) CMake: Enable support for MSVC runtime library selection by abstraction.
     [Ivan Zhakov]

  *) CMake: Export installed targets (libapr-1, apr-1, libaprapp-1, aprapp-1)
     to apr:: namespace. [Ivan Zhakov]

Changes for APR 1.7.4

  *) Fix a regression where writing to a file opened with both APR_FOPEN_APPEND
     and APR_FOPEN_BUFFERED did not properly append the data on Windows.
     (This regression was introduced in APR 1.7.3) [Evgeny Kotkov]

Changes for APR 1.7.3

  *) apr-1-config: Fix crosscompiling detection in apr-1-config. PR 66510
     [Ruediger Pluem]

  *) configure: Add --enable-sysv-shm to use SysV shared memory (shmget)
     if available. [Ruediger Pluem]

  *) apr_socket_sendfile: Use WSAIoctl() to get TransmitFile function
     pointer on Windows. [Ivan Zhakov]

  *) apr_dir_read: Do not request short file names on Windows 7
     and later. [Ivan Zhakov]

  *) apr_file_gets: Optimize for buffered files on Windows.
     [Evgeny Kotkov]

  *) Fix a deadlock when writing to locked files opened with APR_FOPEN_APPEND
     on Windows. PR 50058. [Evgeny Kotkov]

  *) Don't seek to the end when opening files with APR_FOPEN_APPEND on Windows.
     [Evgeny Kotkov]

  *) apr_file_write: Optimize large writes to buffered files on Windows.
     [Evgeny Kotkov]

  *) apr_file_read: Optimize large reads from buffered files on Windows.
     [Evgeny Kotkov]

The diff:

Index: Makefile =================================================================== RCS file: /home/cvs/ports/devel/apr/Makefile,v diff -u -p -r1.51 Makefile --- Makefile 21 Sep 2023 09:49:47 -0000 1.51 +++ Makefile 7 Nov 2024 00:42:21 -0000 @@ -1,8 +1,8 @@ COMMENT= Apache Portable Runtime -V= 1.7.2 +V= 1.7.5 DISTNAME= apr-$V -SHARED_LIBS += apr-1 7.1 # .6.2 +SHARED_LIBS += apr-1 7.2 # .6.2 CATEGORIES= devel Index: distinfo =================================================================== RCS file: /home/cvs/ports/devel/apr/distinfo,v diff -u -p -r1.17 distinfo --- distinfo 2 Feb 2023 21:03:32 -0000 1.17 +++ distinfo 7 Nov 2024 00:27:19 -0000 @@ -1,2 +1,2 @@ -SHA256 (apr-1.7.2.tar.gz) = PYmZshb3tiNTQ6Tj1FbOk3mqmjgP+zCFEvEz8MXrLbk= -SIZE (apr-1.7.2.tar.gz) = 1115676 +SHA256 (apr-1.7.5.tar.gz) = M3X6Nl1nvPlF5StSy6B6vqV+9TD0Cygf++l3qSUTYds= +SIZE (apr-1.7.5.tar.gz) = 1131871 Index: patches/patch-apr-config_in =================================================================== RCS file: /home/cvs/ports/devel/apr/patches/patch-apr-config_in,v diff -u -p -r1.5 patch-apr-config_in --- patches/patch-apr-config_in 1 Feb 2023 14:09:56 -0000 1.5 +++ patches/patch-apr-config_in 7 Nov 2024 00:24:02 -0000 
@@ -1,7 +1,7 @@ Index: apr-config.in --- apr-config.in.orig +++ apr-config.in -@@ -243,13 +243,7 @@ while test $# -gt 0; do +@@ -258,13 +258,7 @@ while test $# -gt 0; do exit 0 ;; --apr-libtool) Index: patches/patch-configure_in =================================================================== RCS file: /home/cvs/ports/devel/apr/patches/patch-configure_in,v diff -u -p -r1.5 patch-configure_in --- patches/patch-configure_in 1 Feb 2023 14:09:56 -0000 1.5 +++ patches/patch-configure_in 7 Nov 2024 00:24:00 -0000 @@ -1,7 +1,7 @@ Index: configure.in --- configure.in.orig +++ configure.in -@@ -1585,6 +1585,10 @@ case $host in +@@ -1622,6 +1622,10 @@ case $host in *) AC_CHECK_FUNCS(mkstemp) ;; @@ -12,7 +12,7 @@ Index: configure.in esac AC_SUBST(fork) -@@ -2098,6 +2102,14 @@ elif test "$ac_cv_type_off_t" = "yes"; then +@@ -2135,6 +2139,14 @@ elif test "$ac_cv_type_off_t" = "yes"; then *) AC_ERROR([could not determine the size of off_t]) ;; @@ -27,7 +27,7 @@ Index: configure.in esac ])])])]) else -@@ -2466,7 +2478,7 @@ APR_IFALLYES(header:semaphore.h func:sem_open func:sem +@@ -2503,7 +2515,7 @@ APR_IFALLYES(header:semaphore.h func:sem_open func:sem func:sem_unlink func:sem_post func:sem_wait, hasposixser="1", hasposixser="0") APR_IFALLYES(func:semget func:semctl func:semop define:SEM_UNDO, -- wbr, Kirill
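
Review bot: In the Makefile hunk, the SHARED_LIBS line moves apr-1 from 7.1 to 7.2 but keeps the trailing comment "# .6.2" unchanged; if that comment is meant to record the upstream library version, it is stale against V= 1.7.5 and should be refreshed or dropped. The minor bump itself is consistent with the check_sym result quoted in the message (one symbol added).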
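
Review bot: In the distinfo hunk, the new SHA256 and SIZE for apr-1.7.5.tar.gz are the only record of which tarball was packaged, and the message does not say how the distfile was authenticated. Since this is a security update that is also proposed for 7.6, state that the tarball was checked against the checksum or signature published by the APR project before the hash was recorded.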
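
Review bot: In patch-configure_in, all three hunks change only their @@ offsets (1585 to 1622, 2098 to 2135, 2466 to 2503), so the port's local changes to configure.in are carried over as they were; the message should say which shared memory implementation configure selects on OpenBSD after this update. The quoted changelog says builds with APR_USE_SHMEM_SHMGET=1 are not affected by CVE-2023-49582 and that 1.7.3 added --enable-sysv-shm, so that answer determines how urgent the 7.6 backport is.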
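
The CVE-2023-49582 changelog entry quoted in the message describes permissions that let other local users read a named shared memory segment. As an added illustration (not APR's code and not part of the posted patch), this C program audits the group/other bits on a file-backed "classic mmap" segment and then tightens them; the path template, the 0644 starting mode and the helper names `shm_lax_bits` and `demo` are constructed for the example.

```c
/* Added example: constructed path and modes; not APR source code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Group/other permission bits on the segment's backing file; -1 on error. */
static int shm_lax_bits(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (int)(st.st_mode & (S_IRWXG | S_IRWXO));
}

/* Build a 4 KiB file-backed segment, make it lax, audit, tighten, audit. */
static int demo(int *before, int *after)
{
    char path[] = "/tmp/shm-audit-XXXXXX";      /* constructed name */
    const size_t size = 4096;
    int rc = -1;
    int fd = mkstemp(path);                      /* created with mode 0600 */
    if (fd < 0)
        return -1;
    if (ftruncate(fd, (off_t)size) == 0 && fchmod(fd, 0644) == 0) {
        char *base = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        if (base != MAP_FAILED) {
            strcpy(base, "application-data");    /* stands in for real contents */
            *before = shm_lax_bits(fd);          /* 0644 leaves group/other read */
            if (fchmod(fd, S_IRUSR | S_IWUSR) == 0) {  /* owner-only, 0600 */
                *after = shm_lax_bits(fd);
                rc = 0;
            }
            munmap(base, size);
        }
    }
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    int before = 0, after = 0;
    if (demo(&before, &after) != 0)
        return 1;
    printf("lax bits before: %04o, after: %04o\n", (unsigned)before, (unsigned)after);
    return 0;
}
```

The same `fstat()` mask works as a spot check on any descriptor an application holds for a named segment, whatever created it.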