Most or all of the changes were already included in patches. I'm not
sure whether the minor PLIST changes make sense - couldn't find anything
in the cvs logs.


Index: Makefile
===================================================================
RCS file: /cvs/ports/www/sthttpd/Makefile,v
retrieving revision 1.5
diff -u -p -r1.5 Makefile
--- Makefile    22 Jan 2016 17:07:41 -0000      1.5
+++ Makefile    7 Apr 2016 17:35:03 -0000
@@ -2,8 +2,7 @@
 
 COMMENT=       tiny/turbo/throttling HTTP server
 
-DISTNAME=      sthttpd-2.26.4
-REVISION=      2
+DISTNAME=      sthttpd-2.27.0
 CATEGORIES=    www
 MASTER_SITES=  http://opensource.dyc.edu/pub/sthttpd/
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/sthttpd/distinfo,v
retrieving revision 1.2
diff -u -p -r1.2 distinfo
--- distinfo    6 May 2014 09:00:37 -0000       1.2
+++ distinfo    7 Apr 2016 17:35:03 -0000
@@ -1,2 +1,2 @@
-SHA256 (sthttpd-2.26.4.tar.gz) = eOh5eRQMvaEjyBtAUVUiQtu/+13sGhfl+V7Egmserds=
-SIZE (sthttpd-2.26.4.tar.gz) = 194544
+SHA256 (sthttpd-2.27.0.tar.gz) = l9ZgqIEzHpOBjocs4RU29GEQXXChjfxd5YlYUcSyr9s=
+SIZE (sthttpd-2.27.0.tar.gz) = 206781
Index: patches/patch-extras_th_htpasswd_c
===================================================================
RCS file: patches/patch-extras_th_htpasswd_c
diff -N patches/patch-extras_th_htpasswd_c
--- patches/patch-extras_th_htpasswd_c  6 May 2014 09:00:37 -0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,20 +0,0 @@
-$OpenBSD: patch-extras_th_htpasswd_c,v 1.1 2014/05/06 09:00:37 jasper Exp $
-
-A local attacker with the ability to alter .htpasswd files could
-cause a Denial of Service in thttpd by specially-crafting them.
-CVE-2012-5640
-
---- extras/th_htpasswd.c.orig  Thu May  1 10:49:44 2014
-+++ extras/th_htpasswd.c       Thu May  1 10:50:16 2014
-@@ -140,7 +140,10 @@ add_password( char* user, FILE* f )
-     (void) srandom( (int) time( (time_t*) 0 ) );
-     to64( &salt[0], random(), 2 );
-     cpw = crypt( pw, salt );
--    (void) fprintf( f, "%s:%s\n", user, cpw );
-+    if (cpw)
-+       (void) fprintf( f, "%s:%s\n", user, cpw );
-+     else
-+       (void) fprintf( stderr, "crypt() returned NULL, sorry\n" );
-     }
- 
- static void usage(void) {
Index: patches/patch-src_libhttpd_c
===================================================================
RCS file: patches/patch-src_libhttpd_c
diff -N patches/patch-src_libhttpd_c
--- patches/patch-src_libhttpd_c        10 Aug 2013 02:48:26 -0000      1.1.1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,40 +0,0 @@
-$OpenBSD: patch-src_libhttpd_c,v 1.1.1.1 2013/08/10 02:48:26 brad Exp $
-
-A local attacker with the ability to alter .htpasswd files could
-cause a Denial of Service in thttpd by specially-crafting them.
-CVE-2012-5640
-
---- src/libhttpd.c.orig        Thu Mar 14 04:11:40 2013
-+++ src/libhttpd.c     Thu Mar 14 04:13:02 2013
-@@ -1017,6 +1017,7 @@ auth_check2( httpd_conn* hc, char* dirname  )
-     static size_t maxprevuser = 0;
-     static char* prevcryp;
-     static size_t maxprevcryp = 0;
-+    char *crypt_result;
- 
-     /* Construct auth filename. */
-     httpd_realloc_str(
-@@ -1063,7 +1064,10 @@ auth_check2( httpd_conn* hc, char* dirname  )
-        strcmp( authinfo, prevuser ) == 0 )
-       {
-       /* Yes.  Check against the cached encrypted password. */
--      if ( strcmp( crypt( authpass, prevcryp ), prevcryp ) == 0 )
-+        crypt_result = crypt( authpass, prevcryp );
-+        if ( ! crypt_result )
-+            return -1;
-+      if ( strcmp( crypt_result, prevcryp ) == 0 )
-           {
-           /* Ok! */
-           httpd_realloc_str(
-@@ -1112,7 +1116,10 @@ auth_check2( httpd_conn* hc, char* dirname  )
-           /* Yes. */
-           (void) fclose( fp );
-           /* So is the password right? */
--          if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 )
-+            crypt_result = crypt( authpass, cryp );
-+            if ( ! crypt_result )
-+                return -1;
-+          if ( strcmp( crypt_result, cryp ) == 0 )
-               {
-               /* Ok! */
-               httpd_realloc_str(
Index: patches/patch-src_thttpd_c
===================================================================
RCS file: patches/patch-src_thttpd_c
diff -N patches/patch-src_thttpd_c
--- patches/patch-src_thttpd_c  10 Aug 2013 02:48:26 -0000      1.1.1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,43 +0,0 @@
-$OpenBSD: patch-src_thttpd_c,v 1.1.1.1 2013/08/10 02:48:26 brad Exp $
-
-Make sure that the logfile is created or reopened as read/write
-by thttpd user only. CVE-2013-0348
-
---- src/thttpd.c.orig  Thu Mar 14 04:08:35 2013
-+++ src/thttpd.c       Thu Mar 14 04:10:23 2013
-@@ -326,6 +326,7 @@ static void
- re_open_logfile( void )
-     {
-     FILE* logfp;
-+    int retchmod;
- 
-     if ( no_log || hs == (httpd_server*) 0 )
-       return;
-@@ -335,7 +336,8 @@ re_open_logfile( void )
-       {
-       syslog( LOG_NOTICE, "re-opening logfile" );
-       logfp = fopen( logfile, "a" );
--      if ( logfp == (FILE*) 0 )
-+      retchmod = chmod( logfile, S_IRUSR|S_IWUSR );
-+      if ( logfp == (FILE*) 0 || retchmod != 0 )
-           {
-           syslog( LOG_CRIT, "re-opening %.80s - %m", logfile );
-           return;
-@@ -355,6 +357,7 @@ main( int argc, char** argv )
-     gid_t gid = 32767;
-     char cwd[MAXPATHLEN+1];
-     FILE* logfp;
-+    int retchmod;
-     int num_ready;
-     int cnum;
-     connecttab* c;
-@@ -424,7 +427,8 @@ main( int argc, char** argv )
-       else
-           {
-           logfp = fopen( logfile, "a" );
--          if ( logfp == (FILE*) 0 )
-+          retchmod = chmod( logfile, S_IRUSR|S_IWUSR );
-+          if ( logfp == (FILE*) 0 || retchmod != 0 )
-               {
-               syslog( LOG_CRIT, "%.80s - %m", logfile );
-               perror( logfile );
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/www/sthttpd/pkg/PLIST,v
retrieving revision 1.3
diff -u -p -r1.3 PLIST
--- pkg/PLIST   22 Jan 2016 17:07:41 -0000      1.3
+++ pkg/PLIST   7 Apr 2016 17:35:03 -0000
@@ -2,14 +2,14 @@
 @conflict thttpd-*
 @pkgpath www/thttpd
 libexec/sthttpd/
+@bin libexec/sthttpd/phf
+libexec/sthttpd/printenv
 @bin libexec/sthttpd/redirect
 @bin libexec/sthttpd/ssi
-@man man/man1/th_htpasswd.1
 @man man/man8/redirect.8
 @man man/man8/ssi.8
 @man man/man8/syslogtocern.8
 @man man/man8/thttpd.8
 sbin/syslogtocern
-@bin sbin/th_htpasswd
 @bin sbin/thttpd
 @rcscript ${RCDIR}/thttpd
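Review bot: The new entries `@bin libexec/sthttpd/phf` and `libexec/sthttpd/printenv` add what appear to be upstream's sample CGI programs to the package, and nothing in this diff says why they are now installed. Judging by its name, printenv returns the server's environment to whoever requests it, so it would leak information if libexec/sthttpd is ever mapped as a CGI directory. Confirm that 2.27.0 installs both on purpose, and if they stay, consider a line in the package's README or DESCR saying they are samples that should not be exposed. The hunk also drops `@bin sbin/th_htpasswd` and `@man man/man1/th_htpasswd.1`, which presumably leaves no packaged tool for creating .htpasswd files; check this against the 2.27.0 fake-install output before committing.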
