Github messages for voidlinux
* [PR PATCH] apache: update to 2.4.53.
@ 2022-04-30  8:43 ologantr
  2022-04-30 12:21 ` [PR PATCH] [Updated] " ologantr
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: ologantr @ 2022-04-30  8:43 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 561 bytes --]

There is a new pull request by ologantr against master on the void-packages repository

https://github.com/ologantr/void-packages apache-update
https://github.com/void-linux/void-packages/pull/36919

apache: update to 2.4.53.
Fixes CVE-2022-23943, CVE-2022-22721, CVE-2022-22720,
CVE-2022-22719.

#### Testing the changes
- I tested the changes in this PR: **briefly**

#### Local build testing
- I built this PR locally for my native architecture (x86_64-glibc)

A patch file from https://github.com/void-linux/void-packages/pull/36919.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-apache-update-36919.patch --]
[-- Type: text/x-diff, Size: 1094 bytes --]

From 2b364ec61ea3a36f030d0e9a7f5cdd97f7e9f5bc Mon Sep 17 00:00:00 2001
From: ologantr <mrphyber@protonmail.com>
Date: Sat, 30 Apr 2022 10:38:10 +0200
Subject: [PATCH] apache: update to 2.4.53.

Fixes CVE-2022-23943, CVE-2022-22721, CVE-2022-22720,
CVE-2022-22719.
---
 srcpkgs/apache/template | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/srcpkgs/apache/template b/srcpkgs/apache/template
index 2cdb6ca2f449..4cdb90a6ab04 100644
--- a/srcpkgs/apache/template
+++ b/srcpkgs/apache/template
@@ -1,6 +1,6 @@
 # Template file for 'apache'
 pkgname=apache
-version=2.4.52
+version=2.4.53
 revision=1
 wrksrc="httpd-${version}"
 build_style=gnu-configure
@@ -36,7 +36,7 @@ license="Apache-2.0"
 homepage="http://httpd.apache.org/"
 changelog="http://www.apache.org/dist/httpd/CHANGES_2.4"
 distfiles="https://dlcdn.apache.org/httpd/httpd-${version}.tar.bz2"
-checksum=0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9
+checksum=d0bbd1121a57b5f2a6ff92d7b96f8050c5a45d3f14db118f64979d525858db63
 
 system_accounts="_apache"
 _apache_homedir="/srv/www/$pkgname"
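
Review bot: The new `checksum=` value is the only integrity pin for the tarball that `distfiles` pulls from dlcdn.apache.org, and nothing in the PR text says where the value came from. Please confirm it matches the SHA256 digest and signature that upstream publishes for httpd-2.4.53.tar.bz2, rather than only the hash of whatever was downloaded locally, and say so in the PR description.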


* Re: [PR PATCH] [Updated] apache: update to 2.4.53.
  2022-04-30  8:43 [PR PATCH] apache: update to 2.4.53 ologantr
@ 2022-04-30 12:21 ` ologantr
  2022-04-30 18:28 ` [PR REVIEW] " paper42
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: ologantr @ 2022-04-30 12:21 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 566 bytes --]

There is an updated pull request by ologantr against master on the void-packages repository

https://github.com/ologantr/void-packages apache-update
https://github.com/void-linux/void-packages/pull/36919

apache: update to 2.4.53.
Fixes CVE-2022-23943, CVE-2022-22721, CVE-2022-22720,
CVE-2022-22719.

#### Testing the changes
- I tested the changes in this PR: **briefly**

#### Local build testing
- I built this PR locally for my native architecture (x86_64-glibc)

A patch file from https://github.com/void-linux/void-packages/pull/36919.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-apache-update-36919.patch --]
[-- Type: text/x-diff, Size: 3397 bytes --]

From 444551f222b58e3f5dee327d17c8f403465acda0 Mon Sep 17 00:00:00 2001
From: ologantr <mrphyber@protonmail.com>
Date: Sat, 30 Apr 2022 10:38:10 +0200
Subject: [PATCH] apache: update to 2.4.53.

Fixes CVE-2022-23943, CVE-2022-22721, CVE-2022-22720,
CVE-2022-22719.
---
 srcpkgs/apache/patches/libressl.patch | 11 -----------
 srcpkgs/apache/template               | 13 ++++++++-----
 2 files changed, 8 insertions(+), 16 deletions(-)
 delete mode 100644 srcpkgs/apache/patches/libressl.patch

diff --git a/srcpkgs/apache/patches/libressl.patch b/srcpkgs/apache/patches/libressl.patch
deleted file mode 100644
index 300bd7ee1fa6..000000000000
--- a/srcpkgs/apache/patches/libressl.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/modules/ssl/ssl_engine_init.c.orig  2018-10-30 16:25:09.084840429 +0100
-+++ b/modules/ssl/ssl_engine_init.c       2018-10-30 16:25:55.019411636 +0100
-@@ -1492,7 +1492,7 @@
-     X509_STORE_CTX *sctx;
-     X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
-
--#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
-+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER)
-     /* For OpenSSL >=1.1.1, turn on client cert support which is
-      * otherwise turned off by default (by design).
-      * https://github.com/openssl/openssl/issues/6933 */
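
Review bot: Deleting libressl.patch is not explained in the commit message, which lists only the CVEs. The patch added `&& !defined(LIBRESSL_VERSION_NUMBER)` to the client-cert guard in ssl_engine_init.c; with `openssl-devel` in makedepends it looks like dead weight, but please state in the message whether it was dropped because it no longer applies to 2.4.53 or because it is simply no longer needed.
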
diff --git a/srcpkgs/apache/template b/srcpkgs/apache/template
index 2cdb6ca2f449..d64f307ccdf1 100644
--- a/srcpkgs/apache/template
+++ b/srcpkgs/apache/template
@@ -1,6 +1,6 @@
 # Template file for 'apache'
 pkgname=apache
-version=2.4.52
+version=2.4.53
 revision=1
 wrksrc="httpd-${version}"
 build_style=gnu-configure
@@ -19,15 +19,14 @@ configure_args="--prefix= --sbindir=/usr/bin --enable-pie --enable-modules=all
  --enable-dav --enable-info --enable-cgi --enable-cgid --enable-dav-fs
  --enable-dav-lock --enable-vhost-alias --enable-imagemap --enable-so
  --enable-rewrite --enable-layout=XBPS --sysconfdir=/etc/${pkgname}
- --enable-mpms-shared=all --with-pcre=${XBPS_CROSS_BASE}/usr
- --with-z=${XBPS_CROSS_BASE}/usr"
+ --enable-mpms-shared=all --with-z=${XBPS_CROSS_BASE}/usr"
 conf_files="
 	/etc/${pkgname}/extra/*.conf
 	/etc/${pkgname}/httpd.conf
 	/etc/${pkgname}/magic
 	/etc/${pkgname}/mime.types"
 hostmakedepends="pkg-config perl apr-util-devel"
-makedepends="zlib-devel libuuid-devel pcre-devel nghttp2-devel
+makedepends="zlib-devel libuuid-devel pcre2-devel nghttp2-devel
  openssl-devel db-devel gdbm-devel expat-devel libldap-devel apr-util-devel"
 depends="apache-htpasswd"
 short_desc="Apache http server"
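
Review bot: Dropping `--with-pcre=${XBPS_CROSS_BASE}/usr` and moving makedepends from `pcre-devel` to `pcre2-devel` changes the regex library the server links against, yet the commit message does not mention it. Native builds now rely entirely on configure finding pcre2-config on its own, so please note the switch in the message and check in the build log that PCRE2 was the library picked up; regex-driven features such as the module enabled by `--enable-rewrite` deserve more than a brief test after this change.
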
@@ -36,7 +35,7 @@ license="Apache-2.0"
 homepage="http://httpd.apache.org/"
 changelog="http://www.apache.org/dist/httpd/CHANGES_2.4"
 distfiles="https://dlcdn.apache.org/httpd/httpd-${version}.tar.bz2"
-checksum=0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9
+checksum=d0bbd1121a57b5f2a6ff92d7b96f8050c5a45d3f14db118f64979d525858db63
 
 system_accounts="_apache"
 _apache_homedir="/srv/www/$pkgname"
@@ -63,6 +62,10 @@ pre_configure() {
 
 	cat ${FILESDIR}/xbps.layout >> config.layout
 	if [ "$CROSS_BUILD" ]; then
+		# pcre{,2}-config detection doesn't work on cross
+		# since httpd-2.4.53, manually export PCRE_CONFIG
+		# to let configure know where it is
+		export PCRE_CONFIG="${XBPS_CROSS_BASE}/usr/bin/pcre2-config"
 		configure_args+=" --with-apr=$XBPS_WRAPPERDIR/apr-1-config
 		 --with-apr-util=$XBPS_WRAPPERDIR/apu-1-config"
 	else


* Re: [PR REVIEW] apache: update to 2.4.53.
  2022-04-30  8:43 [PR PATCH] apache: update to 2.4.53 ologantr
  2022-04-30 12:21 ` [PR PATCH] [Updated] " ologantr
@ 2022-04-30 18:28 ` paper42
  2022-04-30 19:15 ` ologantr
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: paper42 @ 2022-04-30 18:28 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 241 bytes --]

New review comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/36919#discussion_r862384476

Comment:
Could you report this issue upstream and watch it so we know when we can drop this workaround?


* Re: [PR REVIEW] apache: update to 2.4.53.
  2022-04-30  8:43 [PR PATCH] apache: update to 2.4.53 ologantr
  2022-04-30 12:21 ` [PR PATCH] [Updated] " ologantr
  2022-04-30 18:28 ` [PR REVIEW] " paper42
@ 2022-04-30 19:15 ` ologantr
  2022-05-01  8:49 ` paper42
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: ologantr @ 2022-04-30 19:15 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 295 bytes --]

New review comment by ologantr on void-packages repository

https://github.com/void-linux/void-packages/pull/36919#discussion_r862387905

Comment:
Turns out it has already been reported: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=66000
I'll follow this issue and wait for it to be fixed.


* Re: [PR REVIEW] apache: update to 2.4.53.
  2022-04-30  8:43 [PR PATCH] apache: update to 2.4.53 ologantr
                   ` (2 preceding siblings ...)
  2022-04-30 19:15 ` ologantr
@ 2022-05-01  8:49 ` paper42
  2022-05-01  9:03 ` paper42
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: paper42 @ 2022-05-01  8:49 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 209 bytes --]

New review comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/36919#discussion_r862444060

Comment:
in that case, --with-pcre with the full path might be prettier


* Re: [PR REVIEW] apache: update to 2.4.53.
  2022-04-30  8:43 [PR PATCH] apache: update to 2.4.53 ologantr
                   ` (3 preceding siblings ...)
  2022-05-01  8:49 ` paper42
@ 2022-05-01  9:03 ` paper42
  2022-05-01  9:28 ` [PR PATCH] [Updated] " ologantr
  2022-05-01  9:57 ` [PR PATCH] [Merged]: " paper42
  6 siblings, 0 replies; 8+ messages in thread
From: paper42 @ 2022-05-01  9:03 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 241 bytes --]

New review comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/36919#discussion_r862445478

Comment:
@ologantr mentioned on IRC that that wouldn't work on cross, so let's use $PCRE_CONFIG for now


* Re: [PR PATCH] [Updated] apache: update to 2.4.53.
  2022-04-30  8:43 [PR PATCH] apache: update to 2.4.53 ologantr
                   ` (4 preceding siblings ...)
  2022-05-01  9:03 ` paper42
@ 2022-05-01  9:28 ` ologantr
  2022-05-01  9:57 ` [PR PATCH] [Merged]: " paper42
  6 siblings, 0 replies; 8+ messages in thread
From: ologantr @ 2022-05-01  9:28 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 589 bytes --]

There is an updated pull request by ologantr against master on the void-packages repository

https://github.com/ologantr/void-packages apache-update
https://github.com/void-linux/void-packages/pull/36919

apache: update to 2.4.53.
Fixes CVE-2022-23943, CVE-2022-22721, CVE-2022-22720,
CVE-2022-22719.

#### Testing the changes
- I tested the changes in this PR: **briefly**

#### Local build testing
- I built this PR locally for my native architecture (x86_64-glibc)

Edit: ping @paper42

A patch file from https://github.com/void-linux/void-packages/pull/36919.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-apache-update-36919.patch --]
[-- Type: text/x-diff, Size: 3484 bytes --]

From 7258797bfd1a15d5e3321c16bef4a4e0e6df5278 Mon Sep 17 00:00:00 2001
From: ologantr <mrphyber@protonmail.com>
Date: Sat, 30 Apr 2022 10:38:10 +0200
Subject: [PATCH] apache: update to 2.4.53, adopt.

Fixes CVE-2022-23943, CVE-2022-22721, CVE-2022-22720,
CVE-2022-22719.
---
 srcpkgs/apache/patches/libressl.patch | 11 -----------
 srcpkgs/apache/template               | 15 +++++++++------
 2 files changed, 9 insertions(+), 17 deletions(-)
 delete mode 100644 srcpkgs/apache/patches/libressl.patch

diff --git a/srcpkgs/apache/patches/libressl.patch b/srcpkgs/apache/patches/libressl.patch
deleted file mode 100644
index 300bd7ee1fa6..000000000000
--- a/srcpkgs/apache/patches/libressl.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/modules/ssl/ssl_engine_init.c.orig  2018-10-30 16:25:09.084840429 +0100
-+++ b/modules/ssl/ssl_engine_init.c       2018-10-30 16:25:55.019411636 +0100
-@@ -1492,7 +1492,7 @@
-     X509_STORE_CTX *sctx;
-     X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
-
--#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
-+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER)
-     /* For OpenSSL >=1.1.1, turn on client cert support which is
-      * otherwise turned off by default (by design).
-      * https://github.com/openssl/openssl/issues/6933 */
diff --git a/srcpkgs/apache/template b/srcpkgs/apache/template
index 2cdb6ca2f449..812286b52f20 100644
--- a/srcpkgs/apache/template
+++ b/srcpkgs/apache/template
@@ -1,6 +1,6 @@
 # Template file for 'apache'
 pkgname=apache
-version=2.4.52
+version=2.4.53
 revision=1
 wrksrc="httpd-${version}"
 build_style=gnu-configure
@@ -19,24 +19,23 @@ configure_args="--prefix= --sbindir=/usr/bin --enable-pie --enable-modules=all
  --enable-dav --enable-info --enable-cgi --enable-cgid --enable-dav-fs
  --enable-dav-lock --enable-vhost-alias --enable-imagemap --enable-so
  --enable-rewrite --enable-layout=XBPS --sysconfdir=/etc/${pkgname}
- --enable-mpms-shared=all --with-pcre=${XBPS_CROSS_BASE}/usr
- --with-z=${XBPS_CROSS_BASE}/usr"
+ --enable-mpms-shared=all --with-z=${XBPS_CROSS_BASE}/usr"
 conf_files="
 	/etc/${pkgname}/extra/*.conf
 	/etc/${pkgname}/httpd.conf
 	/etc/${pkgname}/magic
 	/etc/${pkgname}/mime.types"
 hostmakedepends="pkg-config perl apr-util-devel"
-makedepends="zlib-devel libuuid-devel pcre-devel nghttp2-devel
+makedepends="zlib-devel libuuid-devel pcre2-devel nghttp2-devel
  openssl-devel db-devel gdbm-devel expat-devel libldap-devel apr-util-devel"
 depends="apache-htpasswd"
 short_desc="Apache http server"
-maintainer="Orphaned <orphan@voidlinux.org>"
+maintainer="ologantr <mrphyber@protonmail.com>"
 license="Apache-2.0"
 homepage="http://httpd.apache.org/"
 changelog="http://www.apache.org/dist/httpd/CHANGES_2.4"
 distfiles="https://dlcdn.apache.org/httpd/httpd-${version}.tar.bz2"
-checksum=0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9
+checksum=d0bbd1121a57b5f2a6ff92d7b96f8050c5a45d3f14db118f64979d525858db63
 
 system_accounts="_apache"
 _apache_homedir="/srv/www/$pkgname"
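
Review bot: The `maintainer=` change from `Orphaned <orphan@voidlinux.org>` to `ologantr` is bundled into the same commit as the CVE-fixing version bump and the pcre2 switch. Consider a separate commit for the adoption so the security update can be reverted or cherry-picked without touching package metadata.
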
@@ -63,6 +62,10 @@ pre_configure() {
 
 	cat ${FILESDIR}/xbps.layout >> config.layout
 	if [ "$CROSS_BUILD" ]; then
+		# pcre{,2}-config detection doesn't work on cross
+		# since httpd-2.4.53, manually export PCRE_CONFIG
+		# to let configure know where it is
+		export PCRE_CONFIG="${XBPS_CROSS_BASE}/usr/bin/pcre2-config"
 		configure_args+=" --with-apr=$XBPS_WRAPPERDIR/apr-1-config
 		 --with-apr-util=$XBPS_WRAPPERDIR/apu-1-config"
 	else
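
Review bot: The comment above `export PCRE_CONFIG=...` describes the workaround but gives no pointer for when it can be removed. Add the upstream report mentioned in this thread (https://bz.apache.org/bugzilla/show_bug.cgi?id=66000) to the comment so the export can be dropped once configure's cross detection is fixed.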


* Re: [PR PATCH] [Merged]: apache: update to 2.4.53.
  2022-04-30  8:43 [PR PATCH] apache: update to 2.4.53 ologantr
                   ` (5 preceding siblings ...)
  2022-05-01  9:28 ` [PR PATCH] [Updated] " ologantr
@ 2022-05-01  9:57 ` paper42
  6 siblings, 0 replies; 8+ messages in thread
From: paper42 @ 2022-05-01  9:57 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 425 bytes --]

There's a merged pull request on the void-packages repository

apache: update to 2.4.53.
https://github.com/void-linux/void-packages/pull/36919

Description:
Fixes CVE-2022-23943, CVE-2022-22721, CVE-2022-22720,
CVE-2022-22719.

#### Testing the changes
- I tested the changes in this PR: **briefly**

#### Local build testing
- I built this PR locally for my native architecture (x86_64-glibc)

Edit: ping @paper42

