![[BACK]](/icons/back.gif){kind=icon}
Up to [NetBSD + pkgsrc-wip] / pkgsrc / www / apache
Request diff between arbitrary revisions - Display revisions graphically
Keyword substitution: kv
Default branch: MAIN
Convert @exec/@unexec to @pkgdir or drop it.
Update apache to 1.3.41.
Changes with Apache 1.3.41
*) SECURITY: CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
Reported by SecurityReason. [Mark Cox]
Changes with Apache 1.3.40 (not released)
*) SECURITY: CVE-2007-5000 (cve.mitre.org)
mod_imap: Fix cross-site scripting issue. Reported by JPCERT.
[Joe Orton]
*) SECURITY: CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing
date-related headers. PR 41144.
With Apache 1.3, the denial of service vulnerability applies only
to the Windows and NetWare platforms.
[Jeff Trawick]
*) More efficient implementation of the CVE-2007-3304 PID table
patch. This fixes issues with excessive memory usage by the
parent process if long-running and with a high number of child
process forks during that timeframe. Also fixes bogus "Bad pid"
errors. [Jim Jagielski, Jeff Trawick]
Changes with Apache 1.3.39
*) SECURITY: CVE-2006-5752 (cve.mitre.org)
mod_status: Fix a possible XSS attack against a site with a public
server-status page and ExtendedStatus enabled, for browsers which
perform charset "detection". Reported by Stefan Esser. [Joe Orton]
*) SECURITY: CVE-2007-3304 (cve.mitre.org)
Ensure that the parent process cannot be forced to kill non-child
processes by checking scoreboard PID data with parent process
privately stored PID data. [Jim Jagielski]
*) mime.types: Many updates to sync with IANA registry and common
unregistered types that the owners refuse to register. Admins
are encouraged to update their installed mime.types file.
pr: 35550, 37798, 39317, 31483 [Roy T. Fielding]
There was no Apache 1.3.38
Pullup ticket 842 - requested by Manuel Bouyer
security update for apache
Revisions pulled up:
- pkgsrc/www/apache/Makefile 1.173
- pkgsrc/www/apache/distinfo 1.47
- pkgsrc/www/apache/PLIST 1.14
- pkgsrc/www/ap-ssl/Makefile 1.92
- pkgsrc/www/ap-ssl/distinfo 1.30
Module Name: pkgsrc
Committed By: bouyer
Date: Wed Oct 19 20:30:21 UTC 2005
Modified Files:
pkgsrc/www/apache: Makefile distinfo
Log Message:
Update to 1.3.34. This is a security fix release, fix pkg/31868 by
Zafer Aydogan. Changes from 1.3.33:
*) hsregex: fix potential core dumping on 64 bit machines, such as
AMD64. bug 31858. [Glenn Strauss < gs-apache-dev gluelogic.com>]
*) SECURITY: core: If a request contains both Transfer-Encoding and
Content-Length headers, remove the Content-Length, mitigating some
HTTP Request Splitting/Spoofing attacks. This has no impact on
mod_proxy_http, yet affects any module which supports chunked
encoding yet fails to prefer T-E: chunked over the Content-Length
purported value. [Paul Querna, Joe Orton]
*) Added TraceEnable [on|off|extended] per-server directive to alter
the behavior of the TRACE method. This addresses a flaw in proxy
conformance to RFC 2616 - previously the proxy server would accept
a TRACE request body although the RFC prohibited it. The default
remains 'TraceEnable on'.
[William Rowe]
*) mod_digest: Fix another nonce string calculation issue.
[Eric Covener]
---
Module Name: pkgsrc
Committed By: bouyer
Date: Wed Oct 19 20:33:44 UTC 2005
Modified Files:
pkgsrc/www/ap-ssl: Makefile distinfo
Log Message:
Update to mod_ssl 2.8.25. The only change is support for apache 1.3.34.
---
Module Name: pkgsrc
Committed By: bouyer
Date: Wed Oct 19 21:42:59 UTC 2005
Modified Files:
pkgsrc/www/apache: PLIST
Log Message:
Add missing entry for a new file. Pointed out by Lubomir Sedlacik.
Close enouth to the package update to not bump pkgrevision.
Add missing entry for a new file. Pointed out by Lubomir Sedlacik. Close enouth to the package update to not bump pkgrevision.
RCD_SCRIPTS_EXAMPLEDIR is no longer customizable. And always is defined as share/examples/rc.d which was the default before. This rc.d scripts are not automatically added to PLISTs now also. So add to each corresponding PLIST as required. This was discussed on tech-pkg in late January and late April. Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
Pullup ticket 141 - requested by David Brownlee
security fix for apache
Module Name: pkgsrc
Committed By: tron
Date: Mon Oct 25 08:44:16 UTC 2004
Modified Files:
pkgsrc/www/apache: Makefile PLIST distinfo
Removed Files:
pkgsrc/www/apache/patches: patch-ap
Log Message:
Update "apache" package to version 1.3.32. Changes since version 1.3.31:
- mod_rewrite: Fix query string handling for proxied URLs. PR 14518.
[michael teitler <michael.teitler cetelem.fr>,
Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]
- mod_rewrite: Fix 0 bytes write into random memory position.
PR 31036. [André Malo]
- mod_digest: Fix nonce string calculation since 1.3.31 which
would force re-authentication for every connection if
AuthDigestRealmSeed was not configured. PR 30920. [Joe Orton]
- Trigger an error when a LoadModule directive attempts to
load a module which is built-in. This is a common error when
switching from a DSO build to a static build.
[Jeff Trawick, Geoffrey Young]
- Fix trivial bug in mod_log_forensic that caused the child
to seg fault when certain invalid requests were fired at it with
forensic logging is enabled. PR 29313.
[Will Slater <Will Slater orbisuk.com>]
- Fix memory leak in the cache handling of mod_rewrite. PR 27862.
[chunyan sheng <shengperson yahoo.com>, André Malo]
- mod_rewrite no longer confuses the RewriteMap caches if
different maps defined in different virtual hosts use the
same map name. PR 26462. [André Malo]
- mod_setenvif: Remove "support" for Remote_User variable which
never worked at all. PR 25725. [André Malo]
- mod_usertrack: Escape the cookie name before pasting into the
regexp. [André Malo]
- Win32: Improve error reporting after a failed attempt to spawn a
piped log process or rewrite map process. [Jeff Trawick]
- SECURITY: CAN-2004-0492 (cve.mitre.org)
Reject responses from a remote server if sent an invalid (negative)
Content-Length. [Mark Cox]
- Fix a bunch of cases where the return code of the regex compiler
was not checked properly. This affects mod_usertrack and
core. PR 28218. [André Malo]
- No longer breaks mod_dav, frontpage and others. Repair a patch
in 1.3.31 which prevented discarding the request body for requests
that will be keptalive but are not currently keptalive. PR 29237.
[Jim Jagielski, Rasmus Lerdorf]
- COMPATIBILITY: Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT.
It controls how UseCanonicalName Off determines the port value if
the client doesn't provide one in the Host header. If defined during
compilation, UseCanonicalName Off will use the physical port number to
generate the canonical name. If not defined, it tries the current Port
value followed by the default port for the current scheme.
[Jim Jagielski]
---
Module Name: pkgsrc
Committed By: abs
Date: Fri Oct 29 13:48:31 UTC 2004
Modified Files:
pkgsrc/www/apache: Makefile distinfo
pkgsrc/www/apache/patches: patch-aa patch-ab patch-ac patch-ad
patch-ae patch-af patch-ag patch-ah patch-ai patch-aj
patch-ak patch-am patch-ao
Removed Files:
pkgsrc/www/apache/patches: patch-al
Log Message:
Update apache to 1.3.33
The main security vulnerabilities addressed in 1.3.33 are:
* CAN-2004-0940 (cve.mitre.org)
Fix potential buffer overflow with escaped characters in SSI
tag string.
* CAN-2004-0492 (cve.mitre.org)
Reject responses from a remote server if sent an invalid
(negative) Content-Length.
New features
* Win32: Improve error reporting after a failed attempt to
spawn a piped log process or rewrite map process.
* Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT. It
controls how UseCanonicalName Off determines the port value if
the client doesn't provide one in the Host header. If defined
during compilation, UseCanonicalName Off will use the physical
port number to generate the canonical name. If not defined, it
tries the current Port value followed by the default port for
the current scheme.
The following bugs were found in Apache 1.3.31 (or earlier) and
have been fixed in Apache 1.3.33:
* mod_rewrite: Fix query string handling for proxied URLs.
PR 14518.
* mod_rewrite: Fix 0 bytes write into random memory position.
PR 31036.
* mod_digest: Fix nonce string calculation since 1.3.31 which
would force re-authentication for every connection if
AuthDigestRealmSeed was not configured. PR 30920.
* Fix trivial bug in mod_log_forensic that caused the child to
seg fault when certain invalid requests were fired at it with
forensic logging is enabled. PR 29313.
* No longer breaks mod_dav, frontpage and others. Repair a
patch in 1.3.31 which prevented discarding the request body
for requests that will be keptalive but are not currently
keptalive. PR 29237.
---
Module Name: pkgsrc
Committed By: salo
Date: Mon Nov 15 19:13:41 UTC 2004
Modified Files:
pkgsrc/www/apache/patches: patch-ai
Log Message:
Revert rev 1.9, do not expand @INSTALL@, it's done in post-patch.
(hi abs!)
---
Module Name: pkgsrc
Committed By: tron
Date: Tue Nov 16 08:23:45 UTC 2004
Modified Files:
pkgsrc/www/apache: distinfo
Log Message:
Regen after "patch-ai" was changed. (hi salo!)
Update "apache" package to version 1.3.32. Changes since version 1.3.31: - mod_rewrite: Fix query string handling for proxied URLs. PR 14518. [michael teitler <michael.teitler cetelem.fr>, Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>] - mod_rewrite: Fix 0 bytes write into random memory position. PR 31036. [André Malo] - mod_digest: Fix nonce string calculation since 1.3.31 which would force re-authentication for every connection if AuthDigestRealmSeed was not configured. PR 30920. [Joe Orton] - Trigger an error when a LoadModule directive attempts to load a module which is built-in. This is a common error when switching from a DSO build to a static build. [Jeff Trawick, Geoffrey Young] - Fix trivial bug in mod_log_forensic that caused the child to seg fault when certain invalid requests were fired at it with forensic logging is enabled. PR 29313. [Will Slater <Will Slater orbisuk.com>] - Fix memory leak in the cache handling of mod_rewrite. PR 27862. [chunyan sheng <shengperson yahoo.com>, André Malo] - mod_rewrite no longer confuses the RewriteMap caches if different maps defined in different virtual hosts use the same map name. PR 26462. [André Malo] - mod_setenvif: Remove "support" for Remote_User variable which never worked at all. PR 25725. [André Malo] - mod_usertrack: Escape the cookie name before pasting into the regexp. [André Malo] - Win32: Improve error reporting after a failed attempt to spawn a piped log process or rewrite map process. [Jeff Trawick] - SECURITY: CAN-2004-0492 (cve.mitre.org) Reject responses from a remote server if sent an invalid (negative) Content-Length. [Mark Cox] - Fix a bunch of cases where the return code of the regex compiler was not checked properly. This affects mod_usertrack and core. PR 28218. [André Malo] - No longer breaks mod_dav, frontpage and others. Repair a patch in 1.3.31 which prevented discarding the request body for requests that will be keptalive but are not currently keptalive. PR 29237. [Jim Jagielski, Rasmus Lerdorf] - COMPATIBILITY: Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT. It controls how UseCanonicalName Off determines the port value if the client doesn't provide one in the Host header. If defined during compilation, UseCanonicalName Off will use the physical port number to generate the canonical name. If not defined, it tries the current Port value followed by the default port for the current scheme. [Jim Jagielski]
Apply patch (requested by taca in ticket #31):
Update apache package to 1.3.31.
* CAN-2003-0987 (cve.mitre.org)
* CAN-2003-0020 (cve.mitre.org)
* CAN-2004-0174 (cve.mitre.org)
* CAN-2003-0993 (cve.mitre.org)
Update apache package to 1.3.31.
Apache 1.3.31 Major changes
Security vulnerabilities
* CAN-2003-0987 (cve.mitre.org)
In mod_digest, verify whether the nonce returned in the client
response is one we issued ourselves. This problem does not affect
mod_auth_digest.
* CAN-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog.
* CAN-2004-0174 (cve.mitre.org)
Fix starvation issue on listening sockets where a short-lived
connection on a rarely-accessed listening socket will cause a
child to hold the accept mutex and block out new connections until
another connection arrives on that rarely-accessed listening socket.
* CAN-2003-0993 (cve.mitre.org)
Fix parsing of Allow/Deny rules using IP addresses without a
netmask; issue is only known to affect big-endian 64-bit
platforms
New features
New features that relate to specific platforms:
* Linux 2.4+: If Apache is started as root and you code
CoreDumpDirectory, core dumps are enabled via the prctl() syscall.
New features that relate to all platforms:
* Add mod_whatkilledus and mod_backtrace (experimental) for
reporting diagnostic information after a child process crash.
* Add fatal exception hook for running diagnostic code after a
crash.
* Forensic logging module added (mod_log_forensic)
* '%X' is now accepted as an alias for '%c' in the
LogFormat directive. This allows you to configure logging
to still log the connection status even with mod_ssl
Bugs fixed
The following noteworthy bugs were found in Apache 1.3.29 (or earlier)
and have been fixed in Apache 1.3.31:
* Fix memory corruption problem with ap_custom_response() function.
The core per-dir config would later point to request pool data
that would be reused for different purposes on different requests.
* mod_usertrack no longer inspects the Cookie2 header for
the cookie name. It also no longer overwrites other cookies.
* Fix bug causing core dump when using CookieTracking without
specifying a CookieName directly.
* UseCanonicalName off was ignoring the client provided
port information.
mk/bsd.pkg.install.mk now automatically registers
the RCD_SCRIPTS rc.d script(s) to the PLIST.
This GENERATE_PLIST idea is part of Greg A. Woods'
PR #22954.
This helps when the RC_SCRIPTS are installed to
a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later,
the default RCD_SCRIPTS_EXAMPLEDIR will be changed
to be more clear that they are the examples.)
These patches also remove the etc/rc.d/ scripts from PLISTs
(of packages that use RCD_SCRIPTS). (This also removes
now unused references from openssh* makefiles. Note that
qmail package has not been changed yet.)
I have been doing automatic PLIST registration for RC_SCRIPTS
for over a year. Not all of these packages have been tested,
but many have been tested and used.
Somethings maybe to do:
- a few packages still manually install the rc.d scripts to
hard-coded etc/rc.d. These need to be fixed.
- maybe remove from mk/${OPSYS}.pkg.dist mtree specifications too.
Updated apache to 1.3.29.
Major changes since 1.3.28:
Security vulnerabilities
* CAN-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures.
Bugs fixed
The following noteworthy bugs were found in Apache 1.3.28 (or earlier)
and have been fixed in Apache 1.3.29:
* Within ap_bclose(), ap_pclosesocket() is now called
* consistently
for sockets and ap_pclosef() for files. Also, closesocket()
is used consistenly to close socket fd's. The previous
confusion between socket and file fd's would cause problems
with some applications now that we proactively close fd's to
prevent leakage.
* Fixed mod_usertrack to not get false positive matches on the
user-tracking cookie's name.
* Prevent creation of subprocess Zombies when using CGI wrappers
such as suEXEC and cgiwrap.
Pull up revision 1.8 (requested by x in ticket #1380): Update "apache" package to version 1.3.28.
Update "apache" package to version 1.3.28. Changes since version 1.3.27: - SECURITY: CAN-2003-0460 (cve.mitre.org) Fix the rotatelogs support program on Win32 and OS/2 to ignore special control characters received over the pipe. Previously such characters could cause it to quit logging and exit. [André Malo] - Prevent the server from crashing when entering infinite loops. The new LimitInternalRecursion directive configures limits of subsequent internal redirects and nested subrequests, after which the request will be aborted. PR 19753 (and probably others). [William Rowe, Jeff Trawick, Jim Jagielski, André Malo] - Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP response. PR 21085. [Glenn Nielsen <glenn@apache.org>, André Malo] - Removed BIND_NOSTART from HP/UX shl_load() logic for loadable Apache modules, so that statics are initialized when the module is loaded (especially critical for c++ modules on HPUX.) [William Rowe, Noah Arliss <narliss@netegrity.com>] - Win32 build system changes; always recompile buildmark.c (used for Apache -v 'server built' messages) even when Apache is built from within the IDE; build test_char.h and uri_delims.h from within the ApacheCore.dsp project. PR 12706. [William Rowe] - Introduce Win32 .pdb diagnostic symbols into the Apache 1.3 build (as created in Apache 2.0.45 and later.) Makes debugging and analysis of crash dumps and Dr. Watson logs trivial. Requires the Win32 binary builder to set aside the exact .pdb files that match the released binaries (.exe/.so files) for reference by users and developers. [William Rowe] - Make sure the accept mutex is released before calling child exit hooks and cleanups. Otherwise, modules can segfault in such code and, with pthread mutexes, leave the server deadlocked. Even if the module doesn't segfault, if it performs extensive processing it can temporarily prevent the server from accepting new connections. [Jeff Trawick] - Fix mod_rewrite's handling of absolute URIs. The escaping routines now work scheme dependent and the query string will only be appended if supported by the particular scheme. [André Malo] - Use appropriate language codes for Czech (cs) and Traditional Chinese (zh-tw) in default config files. PR 9427. [André Malo] - Don't block synchronous signals (e.g., SIGSEGV) while waiting for and holding a pthread accept mutex. [Jeff Trawick] - AIX: Change the default accept mechanism from pthread back to fcntl. Idle child cleanup doesn't work when the child selected for termination by the parent is waiting on a pthread mutex, and because the AIX kernel's notion of hot process is apparently the same as Apache's, it is common for the Apache parent to continually select a child for termination that the kernel will leave waiting on the mutex for extended periods of time. There are other concerns with pthread mutexes as well, such as the ability to deadlock the server if a child process segfaults while holding the mutex. [Jeff Trawick] - Fix a pair of potential buffer overflows in htdigest [Martin Schulze <joey@infodrom.org>, Thom May] - A newly created child now has a start_time of 0, to prevent mod_status from displaying a bogus value for the "time to process most recent request" column for freshly-started children in a previously-used scoreboard slot. [Martin Kraemer] - When using Redirect in directory context, append requested query string if there's no one supplied by configuration. PR 10961. [André Malo] - Fix path handling of mod_rewrite, especially on non-unix systems. There was some confusion between local paths and URL paths. PR 12902. [André Malo] - backport from 2.x series: Prevent endless loops of internal redirects in mod_rewrite by aborting after exceeding a limit of internal redirects. The limit defaults to 10 and can be changed using the RewriteOptions directive. PR 17462. [André Malo] - Use the correct locations of srm.conf and access.conf when tailoring the httpd.conf during the install process. PR 9446. [Stanislav Brabec <utx@penguin.cz>] - suexec: Be more pedantic when cleaning environment. Clean it immediately after startup. PR 2790, 10449. [Jeff Stewart <jws@purdue.edu>, André Malo] - Fix apxs to insert LoadModule/AddModule directives only outside of sections. PR 8712, 9012. [André Malo] - Fix suexec compile error under SUNOS4, where strerror() doesn't exist. PR 5913, 9977. [Jonathan W Miner <Jonathan.W.Miner@lmco.com>] - Unix build: Add support for environment variable EXTRA_LDFLAGS_SHLIB, which allows the user to add to the hard-coded ld flags specified for DSOs. Compare with the existing LDFLAGS_SHLIB environment variable, which allows the user to completely replace the hard-coded ld flags specified for DSOs. [Jeff Trawick] - mod_auth_digest no longer tries to guess AuthDigestDomain, if it's not specified. Now it assumes "/" as already documented. PR 16937. [André Malo] - In configure always assume suexec-umask to be an octal value by prepending a "0". PR 16984. [André Malo] - Fix typo in suexec -V output. PR 9034. [Youichirou Koga <y-koga@apache.or.jp>] - Fix bug where 'Satisfy Any' without an AuthType resulted in an "Internal Server Error" response. PR 9076. [André Malo] - mod_rewrite: Allow "RewriteEngine Off" even if no "Options FollowSymlinks" (or SymlinksIfOwnermatch) is set. PR 12395. [André Malo] - Change the log messages for setsockopt(TCP_NODELAY) and getsockname() failures to log the client IP address and to change the log level to debug. [Jeff Trawick] - Correction to mod_negotation for Win32, OS2, Netware etc, where case insensitive requests such as the HEADER or README search from autoindex would fail to match HEADER.html (because the system internally looked for the case-sensitive header.* pattern.) PR 7300 [William Rowe] - Correction to mod_autoindex so that only text/* files (prefering /html, then /plain, then some other flavor) can be recovered from a multiview-based HEADER or README subrequest. [William Rowe] - Improvements to mod_usertrack that allows for a regular (verbose) as well as "compact" version of the tracking cookie (the new 'CookieFormat' directive), and the ability to prepend a string to the cookie via the 'CookiePrefix' directive. [Pål Løberg <pallo@initio.no>, with cleanup by Jim Jagielski] - Certain 3rd party modules would bypass the Apache API and not invoke ap_cleanup_for_exec() before creating sub-processes. To such a child process, Apache's file descriptors (lock fd's, log files, sockets) were accessible, allowing them direct access to Apache log file etc. Where the OS allows, we now add proactive close functions to prevent these file descriptors from leaking to the child processes. [Jim Jagielski, Martin Kraemer] - Prevent obscenely large values of precision in ap_vformatter from clobbering a buffer. [Sander Striker, Jim Jagielski] - NetWare: implemented ap_os_default_port() to resolve the correct default port based on the request method. This fixes a URL reconstruction problem on a redirect. [Pavel Novy (novy@feld.cvut.cz)] - Added new ap_register_cleanup_ex() API function which allows for a "magic" cleanup function to be run at register time rather than at cleanup time. Also added the ap_note_cleanups_for_(socket|fd|file)_ex() API functions which allows for control over whether that magic cleanup should be called or not. This does not change the default behavior of the non-"ex" function (eg: ap_register_cleanup). [Jim Jagielski, concept by Ben Laurie] - PORT: Take advantage of OpenBSD's arc4random() function for the initial secret [Henning Brauer <hb-apache-dev at bsws.de>] - If Listen directive is not a port, but just an IP, emit an error condition as this case is ambiguous. [Rich Bowen, Justin Erenkrantz, Cliff Woolley] - Update timeout algorithm in free_proc_chain. If a subprocess did not exit immediately, the thread would sleep for 3 seconds before checking the subprocess exit status again. In a very common case when the subprocess was an HTTP server CGI script, the CGI script actually exited a fraction of a second into the 3 second sleep, which effectively limited the server to serving one CGI request every 3 seconds across a persistent connection. PRs 6961, 8664 [Bill Stoddard] - mod_setenvif: Add SERVER_ADDR special keyword to allow envariable setting according to the server IP address which received the request. [Ken Coar] - PORT: Enable SINGLE_LISTEN_UNSERIALIZED_ACCEPT for AIX 4.3.2 and above. Update AIX configure logic to allow higher AIX release numbers without having to change Apache. [Jeff Trawick]
Pullup the following versions: ap-ssl/Makefile 1.61 ap-ssl/distinfo 1.14 apache/Makefile 1.108 apache/PLIST 1.7 apache/distinfo 1.23 to the netbsd-1-6 branch of pkgsrc. Requested by Manuel Bouyer. These patches update apache and ap-ssl for securities issues. Tested on one 1.6 and 2 1.5.3 servers with a few other modules (ap-php, ap-roaming) without problems.
Update "apache" package to version 1.3.27. This version fixes many bugs discovered in version 1.3.26 including these security fixes: - SECURITY: CAN-2002-0840 (cve.mitre.org) Prevent a cross-site scripting vulnerability in the default error page. The issue could only be exploited if the directive UseCanonicalName is set to Off and a server is being run at a domain that allows wildcard DNS. [Matthew Murphy] - SECURITY CAN-2002-0843 (cve.mitre.org) Fix some possible overflows in ab.c that could be exploited by a malicious server. Reported by David Wagner. [Jim Jagielski] - SECURITY CAN-2002-0839 (cve.mitre.org) Add the new directive 'ShmemUIDisUser'. By default, Apache will no longer set the uid/gid of SysV shared memory scoreboard to User/Group, and it will therefore stay the uid/gid of the parent Apache process. This is actually the way it should be, however, some implementations may still require this, which can be enabled by 'ShmemUIDisUser On'. Reported by iDefense. [Jim Jagielski]
Merge changes in packages from the buildlink2 branch that have buildlink2.mk files back into the main trunk. This provides sufficient buildlink2 infrastructure to start merging other packages from the buildlink2 branch that have already been converted to use the buildlink2 framework.
Merge from pkgsrc-current to buildlink2 branch.
- Add share/httpd/htdocs/index.html.lb.utf8 to PLIST.
- Prevent chown whole files under ${PREFIX}/share/httpd.
Update apache to 1.3.26. Custom mod_ssl eapi patch used for now, since update of mod_ssl for 1.3.26 isn't available yet. This fixes the CAN-2002-0392 (mitre.org) [CERT VU#944335] security issue. For full list of changes, see http://www.apache.org/dist/httpd/CHANGES_1.3
Update www/apache to 1.3.24 with EAPI patch from mod_ssl-2.8.8-1.3.24.
Relevant changes from version 1.3.23 include:
* Prevent invalid client hostnames from appearing in the log file.
* Various mod_proxy improvements, such as the new ProxyIOBufferSize
directive.
* The new ''IgnoreCase' keyword to the IndexOptions directive.
* mod_rewrite's 'rnd' was broken and has been fixed.
* The '-S' option of 'apxs' was not able to handle quotes; also 'apxs'
is now rebuilt when options are changed.
* proxy now correctly handles Cookies and X-Cache headers.
* Fixed a problem in TPF when we were using the wrong subpool when
opening the error log.
* pthread accept() mutexes on Solaris were broken (since we were
not linking against pthread)
Update apache to 1.3.23 with the EAPI patch from mod_ssl-2.8.6-1.3.23.
The main new features in 1.3.23 (compared to 1.3.22) are:
* HTTP/1.1 support for mod_proxy.
* Other mod_proxy improvements.
* The new 'FileETag' directive to allow one to build the
format of the ETag via runtime directives.
* Addition of a 'filter callback' function to enable modules to
intercept the output byte stream for dynamic page caching.
The following bugs were found in Apache 1.3.22 and have been fixed in
Apache 1.3.23:
* Fix incorrect "Content-Length" header in the 416 response.
* Revert mod_negotation's handling of path_info and query_args
to the 1.3.20 behavior (PRs: 8628, 8582, 8538).
* Prevent an Apache module from being loaded or added twice due
to duplicate LoadModule or AddModule directives.
Move pkg/ files into package's toplevel directory