![[BACK]](/icons/back.gif){kind=icon}
Up to [NetBSD + pkgsrc-wip] / pkgsrc / www / apache2
Request diff between arbitrary revisions - Display revisions graphically
Keyword substitution: kv
Default branch: MAIN
Remove www.NetBSD.org from MASTER_SITES, not using sitedrivenby.gif logo
Changes 2.0.64: * SECURITY: CVE-2010-1452 (cve.mitre.org) mod_dav: Fix Handling of requests without a path segment. * SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. * SECURITY: CVE-2009-3095 (cve.mitre.org) mod_proxy_ftp: sanity check authn credentials. * SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths. * SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol, RFC 5746. * SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: A partial fix for the TLS renegotiation prefix injection attack for OpenSSL versions prior to 0.9.8l; reject any client-initiated renegotiations. Forcibly disable keepalive for the connection if there is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using openssl 0.9.8l or later. * SECURITY: CVE-2010-0434 (cve.mitre.org) Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Elimiates a problematic optimization in the case of no request body. * SECURITY: CVE-2008-2364 (cve.mitre.org) mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage. * SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. * SECURITY: CVE-2008-2939 (cve.mitre.org) mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. * Fix recursive ErrorDocument handling. * mod_ssl: Do not do overlapping memcpy. * Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass through on a 304 response. * apxs: Fix -A and -a options to ignore whitespace in httpd.conf
Pullup ticket #2434 - requested by he
Security patch for apache2
Revisions pulled up:
- devel/apr0/Makefile 1.5
- www/apache2/Makefile 1.124
- www/apache2/Makefile.common 1.26
---
Module Name: pkgsrc
Committed By: he
Date: Sun Jun 22 23:01:19 UTC 2008
Modified Files:
pkgsrc/devel/apr0: Makefile
pkgsrc/www/apache2: Makefile Makefile.common
Log Message:
As indicated by comments on pkgsrc-c, move PKGREVISION setting to
individual Makefile files and out of Makefile.common.
Pullup ticket #2434 - requested by he
Security patch for apache2
Revisions pulled up:
- www/apache2/Makefile.common 1.25
- www/apache2/distinfo 1.53
- www/apache2/patches/patch-ap 1.5
---
Module Name: pkgsrc
Committed By: he
Date: Fri Jun 20 13:28:08 UTC 2008
Modified Files:
pkgsrc/www/apache2: Makefile.common distinfo
Added Files:
pkgsrc/www/apache2/patches: patch-ap
Log Message:
Apply the patch for CVE-2008-2364 from apache.
Bump pkg revision.
As indicated by comments on pkgsrc-c, move PKGREVISION setting to individual Makefile files and out of Makefile.common.
Apply the patch for CVE-2008-2364 from apache. Bump pkg revision.
Pullup ticket 2278 - requested by taca
security update for apache2
- pkgsrc/devel/arp0/distinfo 1.3
- pkgsrc/www/apache2/Makefile.common 1.23, 1.24
- pkgsrc/www/apache2/distinfo 1.52
Module Name: pkgsrc
Committed By: taca
Date: Mon Jan 21 14:30:01 UTC 2008
Modified Files:
pkgsrc/www/apache2: Makefile.common
Log Message:
Start update of apr0 pacakge to 0.9.17 and apache2 package to 2.0.63.
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jan 21 14:33:46 UTC 2008
Modified Files:
pkgsrc/devel/apr0: distinfo
Log Message:
Update apr0 package to 0.9.17.2.0.63.
Changes with APR 0.9.17
*) Fix DSO-related crash on z/OS caused by incorrect memory
allocation. [David Jones <oscaremma gmail.com>]
*) Define apr_ino_t in such a way that it doesn't change definition
based on the library consumer's -D'efines to the filesystem.
[Lucian Adrian Grijincu <lucian.grijincu gmail.com>]
*) Cause apr_file_dup2() on Win32 to update the MSVCRT psuedo-stdio
handles for fd-based and FILE * based I/O. [William Rowe]
*) Revert Win32 to the 0.9.14 behavior of apr_proc_create() for any
of the three stdio streams which are not initialized, through either
apr_procattr_io_set() or apr_procattr_child_XXX_set(), when given a
procattr_t with one or two streams which were initialized through
apr_procattr_child_XXX_set(). Once again, these do not inherit the
parent process stdio stream to WIN32 child processes (passing
INVALID_HANDLE_VALUE instead) as on Unix. Note APR 1.3.0 adopts
the Unix behavior of inheriting any uninitialized streams as the
parent's corresponding stdio stream, in such cases. [William Rowe]
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jan 21 14:37:22 UTC 2008
Modified Files:
pkgsrc/www/apache2: Makefile distinfo
Log Message:
Update apache package to 2.0.63.
Changes with Apache 2.0.63
*) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
to /Device/Nul as the server is starting up, mirroring unix MPM's.
PR: 43534 [Tom Donovan <Tom.Donovan acm.org>, William Rowe]
*) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
by recreating the bucket allocator each time the trans pool is cleared.
PR: 11427 #16 (follow-on) [Tom Donovan <Tom.Donovan acm.org>]
Changes with Apache 2.0.62 (not released)
*) SECURITY: CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
Reported by SecurityReason. [Mark Cox, Joe Orton]
*) SECURITY: CVE-2007-5000 (cve.mitre.org)
mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
[Joe Orton]
*) Introduce the ProxyFtpDirCharset directive, allowing the administrator
to identify a default, or specific servers or paths which list their
contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]
*) log.c: Ensure Win32 resurrects its lost robust logger processes.
[William Rowe]
*) mpm_winnt: Eliminate wait_for_many_objects. Allows the clean
shutdown of the server when the MaxClients is higher then 257,
in a more responsive manner [Mladen Turk, William Rowe]
*) Add explicit charset to the output of various modules to work around
possible cross-site scripting flaws affecting web browsers that do not
derive the response character set as required by RFC2616. One of these
reported by SecurityReason [Joe Orton]
*) http_protocol: Escape request method in 405 error reporting.
This has no security impact since the browser cannot be tricked
into sending arbitrary method strings. [Jeff Trawick]
*) http_protocol: Escape request method in 413 error reporting.
Determined to be not generally exploitable, but a flaw in any case.
PR 44014 [Victor Stinner <victor.stinner inl.fr>]
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jan 21 14:38:29 UTC 2008
Modified Files:
pkgsrc/www/apache2: Makefile.common
Log Message:
Add comment that this file is used by devel/apr0/Makefile detected
by pkglint.
Add comment that this file is used by devel/apr0/Makefile detected by pkglint.
Start update of apr0 pacakge to 0.9.17 and apache2 package to 2.0.63.
Pullup ticket 2184 - requested by tron
security update for apache2
- pkgsrc/devel/apr0/Makefile 1.3
- pkgsrc/devel/apr0/distinfo 1.2
- pkgsrc/www/apache2/Makefile 1.118
- pkgsrc/www/apache2/Makefile.commom 1.22
- pkgsrc/www/apache2/PLIST 1.35
- pkgsrc/www/apache2/distinfo 1.51
- pkgsrc/www/apache2/patches/patch-ap removed
- pkgsrc/www/apache2/patches/patch-aq removed
Module Name: pkgsrc
Committed By: tron
Date: Fri Sep 7 23:11:41 UTC 2007
Modified Files:
pkgsrc/devel/apr0: Makefile distinfo
pkgsrc/www/apache2: Makefile Makefile.common PLIST distinfo
Log Message:
Update "apr" package to version 0.9.16.2.0.61 and "apache2" package
to version 2.0.61.
This update is a bug and security fix release. The following security
problem hasn't been fixed in "pkgsrc" before:
- CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when
parsing date-related headers.
---
Module Name: pkgsrc
Committed By: tron
Date: Fri Sep 7 23:28:23 UTC 2007
Removed Files:
pkgsrc/www/apache2/patches: patch-ap patch-aq
Log Message:
Remove obsolete patch files.
Update "apr" package to version 0.9.16.2.0.61 and "apache2" package to version 2.0.61. This update is a bug and security fix release. The following security problem hasn't been fixed in "pkgsrc" before: - CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers.
Pullup ticket 1757 - requested by tron
security update for apache2
Revisions pulled up:
- pkgsrc/devel/apr/distinfo 1.18
Updated via patch provided by the submitter.
Module Name: pkgsrc
Committed By: tron
Date: Fri Jul 28 10:38:36 UTC 2006
Modified Files:
pkgsrc/devel/apr: distinfo
pkgsrc/www/apache2: Makefile Makefile.common distinfo options.mk
Log Message:
Update "apr" package to version 0.9.12.2.0.59 and "apache2" package
to version 2.0.59. Changes since *2.0.58:
- SECURITY: CVE-2006-3747 (cve.mitre.org)
mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling. For some RewriteRules this could lead to a pointer being
written out of bounds. Reported by Mark Dowd of McAfee.
Update "apr" package to version 0.9.12.2.0.59 and "apache2" package to version 2.0.59. Changes since *2.0.58: - SECURITY: CVE-2006-3747 (cve.mitre.org) mod_rewrite: Fix an off-by-one security problem in the ldap scheme handling. For some RewriteRules this could lead to a pointer being written out of bounds. Reported by Mark Dowd of McAfee.
Update "apr" package to version 0.9.12.2.0.58 and "apache" package
to version 2.0.58. Change since Apache relase 2.0.55:
- Legal: Restored original years in copyright notices.
- mod_cgid: run the get_suexec_identity hook within the request-handler
instead of within cgid. Apache#36410.
- core: Prevent read of unitialized memory in ap_rgetline_core.
Apache#39282.
- mod_proxy: Report the proxy server name correctly in the "Via:" header,
when UseCanonicalName is Off. Apache#11971.
- mod_isapi: Various trivial code-fixes to permit mod_isapi to load and
run on Unix.
- HTML-escape the Expect error message. Not classed as security as
an attacker has no way to influence the Expect header a victim will
send to a target site. Reported by Thiago Zaninotti
<thiango nstalker.com>.
- SECURITY: CVE-2005-3357 (cve.mitre.org)
mod_ssl: Fix a possible crash during access control checks if a
non-SSL request is processed for an SSL vhost (such as the
"HTTP request received on SSL port" error message when an 400
ErrorDocument is configured, or if using "SSLEngine optional").
Apache#37791.
- SECURITY: CVE-2005-3352 (cve.mitre.org)
mod_imap: Escape untrusted referer header before outputting in HTML
to avoid potential cross-site scripting. Change also made to
ap_escape_html so we escape quotes. Reported by JPCERT.
- Add APR/APR-Util Compiled and Runtime Version numbers to the
output of 'httpd -V'.
- Ensure that the proper status line is written to the client, fixing
incorrect status lines caused by filters which modify r->status without
resetting r->status_line, such as the built-in byterange filter.
- Default handler: Don't return output filter apr_status_t values.
Apache#31759.
- mod_speling: Stop crashing with certain non-file requests.
- keep the Content-Length header for a HEAD with no response body.
Apache#18757
- Modify apr[util] .h detection to avoid breakage on VPATH builds
using Solaris make (amoung others) and avoid breakage in ./buildconf
when srclib/apr[-util] are symlinks rather than directories proper.
- Avoid server-driven negotiation when a CGI script has emitted an
explicit "Status:" header. Apache#38070.
- mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
format is used. Apache#27787.
- mod_cache: Correctly handle responses with a 301 status. Apache#37347.
- mod_proxy_http: Prevent data corruption of POST request bodies when
client accesses proxied resources with SSL. Apache#37145.
- Elimiated the NET_TIME filter, restructuring the timeout logic.
This provides a working mod_echo on all platforms, and ensures any
custom protocol module is at least given an initial timeout value
based on the <VirtualHost > context's Timeout directive.
- mod_ssl: Correct issue where mod_ssl does not pick up the
ssl-unclean-shutdown setting when configured. Apache#34452.
- Document the ReceiveBufferSize change done in r157583.
- mod_deflate: Merge the Vary header, instead of Setting it. Fixes
applications that send the Vary Header themselves. Apache#37559.
- mod_dav: Fix a null pointer dereference in an error code path during the
handling of MKCOL.
- mod_mime_magic: Handle CRLF-format magic files so that it works with
the default installation on Windows.
- Write message to error log if AuthGroupFile cannot be opened.
Apache#37566.
- Add ReceiveBufferSize directive to control the TCP receive buffer.
- mod_cache: Fix 'Vary: *' behavior to be RFC compliant. Apache#16125.
- Remove the base href tag from proxy_ftp, as it breaks relative
links for clients not using an Authorization header.
- http_request.c: Add missing va_end call.
- Add httxt2dbm to support/ for creating RewriteMap DBM Files.
- support/check_forensic: Fix temp file usage
- Chunk filter: Fix chunk filter to create correct chunks in the case that
a flush bucket is surrounded by data buckets.
- mod_cgi(d): Remove block on OPTIONS method so that scripts can
respond to OPTIONS directly rather than via server default.
Apache#15242
- Added new module mod_version, which provides version dependent
configuration containers.
- Add core version query function (ap_get_server_revision) and
accompanying ap_version_t structure (minor MMN bump).
Pullup ticket 838 - requested by Matthias Scheler
sync devel/apr and www/apache2 with HEAD as precautionary/preventive step
Revisions pulled up:
- devel/apr/Makefile 1.37
- devel/apr/distinfo 1.16
- devel/apr/patches/patch-ao 1.3
- www/apache2/Makefile 1.84
- www/apache2/Makefile.common 1.19
- www/apache2/PLIST 1.31
- www/apache2/distinfo 1.43,1.44
- www/apache2/patches/patch-ac 1.6
- www/apache2/patches/patch-ae removed
- www/apache2/patches/patch-af removed
- www/apache2/patches/patch-ah removed
- www/apache2/patches/patch-aj removed
- www/apache2/patches/patch-ao 1.7
Module Name: pkgsrc
Committed By: joerg
Date: Tue Oct 11 20:10:35 UTC 2005
Modified Files:
pkgsrc/www/apache2: distinfo
Added Files:
pkgsrc/www/apache2/patches: patch-ao
Log Message:
Allow mod_ssl to build with OpenSSL 0.9.8. The patch is from
Georg v. Zezschwitz on dev@httpd.apache.org.
---
Module Name: pkgsrc
Committed By: tron
Date: Mon Oct 17 10:28:46 UTC 2005
Modified Files:
pkgsrc/devel/apr: Makefile distinfo
pkgsrc/devel/apr/patches: patch-ao
pkgsrc/www/apache2: Makefile
Log Message:
Update "apr" package to version 0.9.7. Changes since version 0.9.6:
- Fix crash in apr_dir_make_recursive() for relative path
when the working directory has been deleted. [Joe Orton]
- Win32: fix apr_proc_mutex_trylock() to handle WAIT_TIMEOUT,
returning APR_EBUSY. [Ronen Mizrahi <ronen@tversity.com>]
- Fix apr_file_read() to catch write failures when flushing pending
writes for a buffered file. [Joe Orton]
- Fix apr_file_write() infinite loop on write failure for buffered
files. [Erik Huelsmann <ehuels gmail.com>]
- Fix error handling where apr_uid_* and apr_gid_* could segfault
or return APR_SUCCESS in failure cases. Bug 34053. [Joe Orton,
Paul Querna]
- Refactor Win32 condition variables code to address bugs 27654, 34336.
[Henry Jen <henryjen ztune.net>, E Holyat <eholyat yahoo.com>]
- Support APR_SO_SNDBUF and APR_SO_RCVBUF on Windows. Bug 32177.
[Sim <sgobbi datamanagement.it>, Jeff Trawick]
- Fix detection of rwlocks on Mac OS X. [Aaron Bannert]
- Fix issue with poll() followed by net I/O yielding EAGAIN on
Mac OS 10.4 (Darwin 8). [Wilfredo Sanchez]
Update based on patches supplied by Ben Collver. Addresses first part
of PR pkg/31817 by Zafer Aydogan.
---
Module Name: pkgsrc
Committed By: tron
Date: Mon Oct 17 10:37:11 UTC 2005
Modified Files:
pkgsrc/www/apache2: Makefile.common PLIST distinfo
pkgsrc/www/apache2/patches: patch-ac
Removed Files:
pkgsrc/www/apache2/patches: patch-ae patch-af patch-ah patch-aj
Log Message:
Update "apache2" package to version 2.0.55. Changes since version 2.0.54:
- worker MPM: Fix a memory leak which can occur after an aborted
connection in some limited circumstances. [Greg Ames]
- mod_ldap: Fix Bug 36563. Keep track of the number of attributes
retrieved from LDAP so that all of the values can be properly
cached even if the value is NULL.
[Brad Nicholes, Ondrej Sury <ondrej sury.org>]
- Added TraceEnable [on|off|extended] per-server directive to alter
the behavior of the TRACE method. This addresses a flaw in proxy
conformance to RFC 2616 - previously the proxy server would accept
a TRACE request body although the RFC prohibited it. The default
remains 'TraceEnable on'. [William Rowe]
- Add ap_log_cerror() for logging messages associated with particular
client connections. [Jeff Trawick]
- Correct mod_cgid's argv[0] so that the full path can be delved by the
invoked cgi application, to conform to the behavior of mod_cgi.
[Pradeep Kumar S <pradeep.smani gmail.com>]
- mod_include: Fix possible environment variable corruption when
using nested includes. Bug 12655. [Joe Orton]
- Support the suppress-error-charset setting, as with Apache 1.3.x.
Bug 31274. [Jeff Trawick]
- EBCDIC: Handle chunked input from client or, with proxy, origin
server. [Jeff Trawick]
- Fix bad globbing comparison which could result in getting
a directory listing when a file was requested. Bug 34512.
[sean <infamous41md hotmail.com>]
- Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker()
was called even if mod_auth_ldap_check_user_id() was not
(or if it didn't succeed) for non-authoritative cases.
[Jim Jagielski]
- mod_proxy: Fix over-eager handling of '%' for reverse proxies.
Bug 15207. [Jim Jagielski]
- mod_ldap: Fix various shared memory cache handling bugs.
Bug 34209. [Joe Orton]
- Fix a file descriptor leak when starting piped loggers. Bug 33748.
[Joe Orton]
- mod_ldap: Avoid segfaults when opening connections if using a version
of OpenLDAP older than 2.2.21. Bug 34618. [Brad Nicholes]
- mod_ssl: Fix build with OpenSSL 0.9.8. Bug 35757. [William Rowe]
- proxy HTTP: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection, mitigating some HTTP Response Splitting attacks.
[Jeff Trawick]
- Prevent hangs of child processes when writing to piped loggers at
the time of graceful restart. Bug 26467. [Jeff Trawick]
- SECURITY: CAN-2005-1268 (cve.mitre.org)
mod_ssl: Fix off-by-one overflow whilst printing CRL information
at "LogLevel debug" which could be triggered if configured
to use a "malicious" CRL. Bug 35081. [Marc Stern <mstern csc.com>]
- mod_userdir: Fix possible memory corruption issue. Bug 34588.
[David Leonard <dleonard vintela.com>]
- worker mpm: don't take down the whole server for a transient
thread creation failure. Bug 34514 [Greg Ames]
- mod_rewrite: use buffered I/O to improve performance with large
RewriteMap txt: files. [Greg Ames]
- proxy HTTP: Rework the handling of request bodies to handle
chunked input and input filters which modify content length, and
avoid spooling arbitrary-sized request bodies in memory.
Bug 15859. [Jeff Trawick]
Patches supplied by Ben Collver. Addresses PR pkg/31817 by Zafer Aydogan.
Update "apache2" package to version 2.0.55. Patches supplied by Ben Collver. Addresses PR pkg/31817 by Zafer Aydogan.
Move the PKGREVISION from the Makefile.common. It should be used for revisions for a single package. I don't think this "suexec" PKGREVISION was meant for the apr package, but since it was used it is now there. I noticed this problem when building wip/apachebench2 which has nothing to do with suexec. Although, I did not make this change for pkgsrc-wip's wip/apachebench2 since this is a work in progress.
- Add an option ${APACHE_SUEXEC_LOGFILE} so the user can specify
where they would like the suexec logfile to go. Ok'ed tron@
- Bump pkgrevision
Changes 2.0.54:
*) mod_cache: Add CacheIgnoreHeaders directive.
*) mod_ldap: Added the directive LDAPConnectionTimeout to configure
the ldap socket connection timeout value.
*) Correctly export all mod_dav public functions.
*) Add a build script to create a solaris package.
*) worker MPM: Fix a problem which could cause httpd processes to
remain active after shutdown.
*) Unix MPMs: Shut down the server more quickly when child processes are
slow to exit.
*) Remove formatting characters from ap_log_error() calls. These
were escaped as fallout from CAN-2003-0020.
*) mod_ssl: If SSLUsername is used, set r->user earlier.
*) htdigest: Fix permissions of created files.
*) core_input_filter: Move buckets to a persistent brigade instead of
creating a new brigade. This stop a memory leak when proxying a
Streaming Media Server.
*) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid
hiccups from additional path information passed in non-utf-8 format.
tron volunteered to maintain this package.
Pullup ticket 277 - requested by Matthias Scheler
security fix for apache2
Revisions pulled up:
- pkgsrc/devel/apr/Makefile 1.31
- pkgsrc/devel/apr/distinfo 1.11
- pkgsrc/www/apache2/Makefile 1.66 (merged by hand)
- pkgsrc/www/apache2/Makefile.common 1.13
- pkgsrc/www/apache2/PLIST 1.27
- pkgsrc/www/apache2/distinfo 1.36 (merged by hand)
- pkgsrc/www/apache2/patches/patch-aa 1.14
- pkgsrc/www/apache2/patches/patch-as removed
- pkgsrc/www/apache2/patches/patch-at removed
Module Name: pkgsrc
Committed By: tron
Date: Wed Feb 9 14:52:12 UTC 2005
Modified Files:
pkgsrc/devel/apr: Makefile distinfo
Log Message:
Update "apr" package to version 0.9.6.2.0.53. Changes since
version 0.9.5.2.0.52:
- Add apr_threadattr_stacksize_set() for overriding the default
stack size for threads created by apr_thread_create().
- Add an RPM spec file.
- Add a build script to create a solaris package.
---
Module Name: pkgsrc
Committed By: tron
Date: Wed Feb 9 14:57:52 UTC 2005
Modified Files:
pkgsrc/www/apache2: Makefile Makefile.common PLIST distinfo
pkgsrc/www/apache2/patches: patch-aa
Removed Files:
pkgsrc/www/apache2/patches: patch-as patch-at
Log Message:
Update "apache2" package to version 2.0.53. Changes since version 2.0.52:
- Fix --with-apr=/usr and/or --with-apr-util=/usr. Bug report 29740.
[Max Bowsher <maxb ukf.net>]
- mod_proxy: Fix ProxyRemoteMatch directive. Bug report 33170.
[Rici Lake <rici ricilake.net>]
- mod_proxy: Respect errors reported by pre_connection hooks.
[Jeff Trawick]
- --with-module can now take more than one module to be statically
linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
If the <modtype>-subdirectory doesn't exist it will be created and
populated with a standard Makefile.in. [Erik Abele]
- Fix the RPM spec file so that an RPM build now works. An RPM
build now requires system installations of APR and APR-util.
Remove some arbitrary moving around of binaries - the RPM now
maps to the ASF build of httpd.
[Graham Leggett]
- mod_dumpio, an I/O logging/dumping module, added to the
modules/expermimental subdirectory. [Jim Jagielski]
- mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
library handles special characters. Bug report 24437.
[Jess Holle]
- Win32 MPM: Correct typo in debugging output. [William Rowe]
- conf: Remove AddDefaultCharset from the default configuration because
setting a site-wide default does more harm than good.
Bug report 23421. [Roy Fielding]
- Add charset to example CGI scripts. [Roy Fielding]
- mod_ssl: fail quickly if SSL connection is aborted rather than
making many doomed ap_pass_brigade calls.
Bug report 32699. [Joe Orton]
- Remove compiled-in upper limit on LimitRequestFieldSize.
[Bill Stoddard]
- Start keeping track of time-taken-to-process-request again for
mod_status if ExtendedStatus is enabled. [Jim Jagielski]
- mod_proxy: Handle client-aborted connections correctly.
Bug report 32443. [Janne Hietamäki, Joe Orton]
- Fix handling of files >2Gb on all platforms (or builds) where
apr_off_t is larger than apr_size_t.
Bug report 28898. [Joe Orton]
- mod_include: Fix bug which could truncate variable expansions
of N*64 characters by one byte. Bug report 32985. [Joe Orton]
- Correct handling of certain bucket types in ap_save_brigade, fixing
possible segfaults in mod_cgi with #include virtual.
Bug report 31247. [Joe Orton]
- Allow for the use of --with-module=foo:bar where the ./modules/foo
directory is local only. Assumes, of course, that the required
files are in ./modules/foo, but makes it easier to statically
build/log "external" modules. [Jim Jagielski]
- Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that
ldap authorization only modules have access to the util_ldap
user cache without having to require ldap authentication as well.
Bug report 31898. [Jari Ahonen jah progress.com, Brad Nicholes]
- mod_auth_ldap: Added the directive "Requires ldap-attribute" that
allows the module to only authorize a user if the attribute value
specified matches the value of the user object. Bug report 31913
[Ryan Morgan <rmorgan pobox.com>]
- SECURITY: CAN-2004-0942 (cve.mitre.org)
Fix for memory consumption DoS in handling of MIME folded request
headers. [Joe Orton]
- SECURITY: CAN-2004-0885 (cve.mitre.org)
mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
bypassed during an SSL renegotiation. Bug report 31505.
[Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]
- mod_ssl: Fail at startup rather than segfault at runtime if a
client cert is configured with an encrypted private key.
Bug report 24030. [Joe Orton]
- apxs: fix handling of -Wc/-Wl and "-o mod_foo.so".
Bug report 31448 [Joe Orton]
- mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d.
[Jeff Trawick]
- mod_cache: CacheDisable will only disable the URLs it was meant to
disable, not all caching. Bug report 31128.
[Edward Rudd <eddie omegaware.com>, Paul Querna]
- mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale
cache responses. [Justin Erenkrantz]
- mod_rewrite: Handle per-location rules when r->filename is unset.
Previously this would segfault or simply not match as expected,
depending on the platform. [Jeff Trawick]
- mod_rewrite: Fix 0 bytes write into random memory position.
Bug report 31036. [André Malo]
- mod_disk_cache: Do not store aborted content. Bug report 21492.
[Rüdiger Plüm <r.pluem t-online.de>]
- mod_disk_cache: Correctly store cached content type.
Bug report 30278.
[Rüdiger Plüm <r.pluem t-online.de>]
- mod_ldap: prevent the possiblity of an infinite loop in the LDAP
statistics display. Bug report 29216. [Graham Leggett]
- mod_ldap: fix a bogus error message to tell the user which file
is causing a potential problem with the LDAP shared memory cache.
Bug report 31431 [Graham Leggett]
- mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz]
- Fix the re-linking issue when purging elements from the LDAP cache
Bug report 24801. [Jess Holle <jessh ptc.com>]
- mod_disk_cache: Fix races in saving responses. [Justin Erenkrantz]
- Fix Expires handling in mod_cache. [Justin Erenkrantz]
- Alter mod_expires to run at a different filter priority to allow
proper Expires storage by mod_cache. [Justin Erenkrantz]
add rcsid.
Update "apache2" package to version 2.0.53. Changes since version 2.0.52: - Fix --with-apr=/usr and/or --with-apr-util=/usr. Problem report 29740. [Max Bowsher <maxb ukf.net>] - mod_proxy: Fix ProxyRemoteMatch directive. Problem report 33170. [Rici Lake <rici ricilake.net>] - mod_proxy: Respect errors reported by pre_connection hooks. [Jeff Trawick] - --with-module can now take more than one module to be statically linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,... If the <modtype>-subdirectory doesn't exist it will be created and populated with a standard Makefile.in. [Erik Abele] - Fix the RPM spec file so that an RPM build now works. An RPM build now requires system installations of APR and APR-util. Remove some arbitrary moving around of binaries - the RPM now maps to the ASF build of httpd. [Graham Leggett] - mod_dumpio, an I/O logging/dumping module, added to the modules/expermimental subdirectory. [Jim Jagielski] - mod_auth_ldap: Handle the inconsistent way in which the MS LDAP library handles special characters. Problem report 24437. [Jess Holle] - Win32 MPM: Correct typo in debugging output. [William Rowe] - conf: Remove AddDefaultCharset from the default configuration because setting a site-wide default does more harm than good. Problem report 23421. [Roy Fielding] - Add charset to example CGI scripts. [Roy Fielding] - mod_ssl: fail quickly if SSL connection is aborted rather than making many doomed ap_pass_brigade calls. Problem report 32699. [Joe Orton] - Remove compiled-in upper limit on LimitRequestFieldSize. [Bill Stoddard] - Start keeping track of time-taken-to-process-request again for mod_status if ExtendedStatus is enabled. [Jim Jagielski] - mod_proxy: Handle client-aborted connections correctly. Problem report 32443. [Janne Hietamäki, Joe Orton] - Fix handling of files >2Gb on all platforms (or builds) where apr_off_t is larger than apr_size_t. Problem report 28898. [Joe Orton] - mod_include: Fix bug which could truncate variable expansions of N*64 characters by one byte. Problem report 32985. [Joe Orton] - Correct handling of certain bucket types in ap_save_brigade, fixing possible segfaults in mod_cgi with #include virtual. Problem report 31247. [Joe Orton] - Allow for the use of --with-module=foo:bar where the ./modules/foo directory is local only. Assumes, of course, that the required files are in ./modules/foo, but makes it easier to statically build/log "external" modules. [Jim Jagielski] - Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that ldap authorization only modules have access to the util_ldap user cache without having to require ldap authentication as well. Problem report 31898. [Jari Ahonen jah progress.com, Brad Nicholes] - mod_auth_ldap: Added the directive "Requires ldap-attribute" that allows the module to only authorize a user if the attribute value specified matches the value of the user object. Problem report 31913 [Ryan Morgan <rmorgan pobox.com>] - SECURITY: CAN-2004-0942 (cve.mitre.org) Fix for memory consumption DoS in handling of MIME folded request headers. [Joe Orton] - SECURITY: CAN-2004-0885 (cve.mitre.org) mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be bypassed during an SSL renegotiation. Problem report 31505. [Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton] - mod_ssl: Fail at startup rather than segfault at runtime if a client cert is configured with an encrypted private key. Problem report 24030. [Joe Orton] - apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". Problem report 31448 [Joe Orton] - mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d. [Jeff Trawick] - mod_cache: CacheDisable will only disable the URLs it was meant to disable, not all caching. Problem report 31128. [Edward Rudd <eddie omegaware.com>, Paul Querna] - mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale cache responses. [Justin Erenkrantz] - mod_rewrite: Handle per-location rules when r->filename is unset. Previously this would segfault or simply not match as expected, depending on the platform. [Jeff Trawick] - mod_rewrite: Fix 0 bytes write into random memory position. Problem report 31036. [André Malo] - mod_disk_cache: Do not store aborted content. Problem report 21492. [Rüdiger Plüm <r.pluem t-online.de>] - mod_disk_cache: Correctly store cached content type. Problem report 30278. [Rüdiger Plüm <r.pluem t-online.de>] - mod_ldap: prevent the possiblity of an infinite loop in the LDAP statistics display. Problem report 29216. [Graham Leggett] - mod_ldap: fix a bogus error message to tell the user which file is causing a potential problem with the LDAP shared memory cache. Problem report 31431 [Graham Leggett] - mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz] - Fix the re-linking issue when purging elements from the LDAP cache Problem report 24801. [Jess Holle <jessh ptc.com>] - mod_disk_cache: Fix races in saving responses. [Justin Erenkrantz] - Fix Expires handling in mod_cache. [Justin Erenkrantz] - Alter mod_expires to run at a different filter priority to allow proper Expires storage by mod_cache. [Justin Erenkrantz]
Pullup ticket 119 - requested by Jeremy C. Reed
security fix for apache2
Module Name: pkgsrc
Committed By: reed
Date: Sat Oct 2 15:47:03 UTC 2004
Modified Files:
pkgsrc/devel/apr: distinfo
pkgsrc/www/apache2: Makefile Makefile.common distinfo
Removed Files:
pkgsrc/www/apache2/patches: patch-ab
Log Message:
Update apache to apache-2.0.52.
Also added comment to www/apache2/Makefile.common to remind to
update checksum in devel/apr also.
No actual devel/apr changes seen.
Also removed www/apache2/patches/patch-ab because it is identical to
fix for security in new version.
Changes with Apache 2.0.52
*) Use HTML 2.0 <hr> for error pages. PR 30732 [André Malo]
*) Fix the global mutex crash when the global mutex is never allocated
due to disabled/empty caches. [Jess Holle <jessh ptc.com>]
*) Fix a segfault in the LDAP cache when it is configured switched
off. [Jess Holle <jessh ptc.com>]
*) SECURITY: CAN-2004-0811 (cve.mitre.org)
Fix merging of the Satisfy directive, which was applied to
the surrounding context and could allow access despite configured
authentication. PR 31315. [Rici Lake <rici ricilake.net>]
*) Fix the handling of URIs containing %2F when AllowEncodedSlashes
is enabled. Previously, such urls would still be rejected.
[Jeff Trawick, Bill Stoddard]
*) mod_mem_cache: Fixed race condition causing segfault because of memory being
freed twice, or reused after being freed.
[J. Clar, W. Stoddard, G. Ames]
*) Add -l option to rotatelogs to let it use local time rather than
UTC. PR 24417. [Ken Coar, Uli Zappe <uli ritual.org>]
*) mod_log_config: Fix a bug which prevented request completion time
from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE
processing. PR 29696. [Alois Treindl <alois astro.ch>]
---
Module Name: pkgsrc
Committed By: reed
Date: Sat Oct 2 16:38:38 UTC 2004
Modified Files:
pkgsrc/www/apache2: Makefile PLIST
Log Message:
Sort the share/httpd/manual entries in the PLIST.
Added 35 share/httpd/manual entries to PLIST. Most are .ko.euc-kr,
.ko, ja.euc-jp, and .ja files.
I don't know when these were added.
Bump PKGREVISION because now package has several more files.
Just added a comment to remember to look at removing PKGREVISION for devel/apr when updating the apache2 version.
Update apache to apache-2.0.52.
Also added comment to www/apache2/Makefile.common to remind to
update checksum in devel/apr also.
No actual devel/apr changes seen.
Also removed www/apache2/patches/patch-ab because it is identical to
fix for security in new version.
Changes with Apache 2.0.52
*) Use HTML 2.0 <hr> for error pages. PR 30732 [André Malo]
*) Fix the global mutex crash when the global mutex is never allocated
due to disabled/empty caches. [Jess Holle <jessh ptc.com>]
*) Fix a segfault in the LDAP cache when it is configured switched
off. [Jess Holle <jessh ptc.com>]
*) SECURITY: CAN-2004-0811 (cve.mitre.org)
Fix merging of the Satisfy directive, which was applied to
the surrounding context and could allow access despite configured
authentication. PR 31315. [Rici Lake <rici ricilake.net>]
*) Fix the handling of URIs containing %2F when AllowEncodedSlashes
is enabled. Previously, such urls would still be rejected.
[Jeff Trawick, Bill Stoddard]
*) mod_mem_cache: Fixed race condition causing segfault because of memory being
freed twice, or reused after being freed.
[J. Clar, W. Stoddard, G. Ames]
*) Add -l option to rotatelogs to let it use local time rather than
UTC. PR 24417. [Ken Coar, Uli Zappe <uli ritual.org>]
*) mod_log_config: Fix a bug which prevented request completion time
from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE
processing. PR 29696. [Alois Treindl <alois astro.ch>]
- Update apache to 2.0.51 - Remove patch-as and patch-ah as they are now outdated and included in the src - ok'ed snj@, wiz@ - Thanks to epg@ for final check This version of Apache is principally a bug fix release. Of particular note is that 2.0.51 addresses five security vulnerabilities: An input validation issue in IPv6 literal address parsing which can result in a negative length parameter being passed to memcpy. [CAN-2004-0786] A buffer overflow in configuration file parsing could allow a local user to gain the privileges of a httpd child if the server can be forced to parse a carefully crafted .htaccess file. [CAN-2004-0747] A segfault in mod_ssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured. [CAN-2004-0751] A potential infinite loop in mod_ssl which could be triggered given particular timing of a connection abort. [CAN-2004-0748] A segfault in mod_dav_fs which can be remotely triggered by an indirect lock refresh request. [CAN-2004-0809] For further details, see http://www.apache.org/dist/httpd/Announcement2.html and http://apache.rmplc.co.uk/httpd/CHANGES_2.0.
Pullup ticket 57 to the pkgsrc-2004Q2 branch, requested by Grant Beattie. Security and other bug fixes for apache2. Module Name: pkgsrc Committed By: adrianp Date: Wed Jul 14 08:28:51 UTC 2004 Modified Files: pkgsrc/www/apache2: Makefile Makefile.common PLIST buildlink3.mk distinfo pkgsrc/www/apache2/patches: patch-aa Added Files: pkgsrc/www/apache2: PLIST.deffiles Removed Files: pkgsrc/www/apache2/patches: patch-as Log Message: - Update to apache 2.0.50 - Add new build def APACHE_DEFAULT_FILES and Module Name: pkgsrc Committed By: adrianp Date: Wed Jul 14 08:31:12 UTC 2004 Modified Files: pkgsrc/devel/apr: buildlink3.mk distinfo Log Message: - Update to apache 2.0.50 - Add new build def APACHE_DEFAULT_FILES
- Update to apache 2.0.50
- Add new build def APACHE_DEFAULT_FILES
Changes with Apache 2.0.50
*) SECURITY: CAN-2004-0493 (cve.mitre.org)
Close a denial of service vulnerability identified by Georgi
Guninski which could lead to memory exhaustion with certain
input data. [Jeff Trawick]
*) mod_cgi: Handle output on stderr during script execution on Unix
platforms; preventing deadlock when stderr output fills pipe buffer.
Also fixes case where stderr from nph- scripts could be lost.
PR 22030, 18348. [Joe Orton, Jeff Trawick]
*) mod_alias now emits a warning if it detects overlapping *Alias*
directives. [André Malo]
*) mod_rewrite no longer turns forward proxy requests into reverse proxy
requests. PR 28125 [ast domdv.de, André Malo]
*) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now
exported on Win32 and Netware as well (minor MMN bump). PR 28523.
[Edward Rudd <eddie omegaware.com>, André Malo]
*) Restore the ability to disable the use of AcceptEx on Win9x systems
automatically (broken in 2.0.49). PR 28529. [André Malo]
*) <VirtualHost myhost> now applies to all IP addresses for myhost
instead of just the first one reported by the resolver. This
corrects a regression since 1.3. [Jeff Trawick]
*) util_ldap: allow relative paths for LDAPTrustedCA to be resolved
against ServerRoot PR#26602 [Brad Nicholes]
*) SECURITY: CAN-2004-0488 (cve.mitre.org)
mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
(trusted) client certificate subject DN which exceeds 6K in length.
[Joe Orton]
*) mod_dav_fs: Fix MKCOL response for missing parent collections, which
caused issues for the Eclipse WebDAV extension.
PR 29034. [Joe Orton]
*) mod_deflate: Fix memory consumption (which was proportional to the
response size). PR 29318. [Joe Orton]
*) mod_ssl: Log the errors returned on failure to load or initialize
a crypto accelerator engine. [Joe Orton]
*) Allow RequestHeader directives to be conditional. PR 27951.
[Vincent Deffontaines <vincent gryzor.com>, André Malo]
*) Allow LimitRequestBody to be reset to unlimited. PR 29106
[André Malo]
*) Fix a bunch of cases where the return code of the regex compiler
was not checked properly. This affects: mod_setenvif, mod_usertrack,
mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo]
*) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for
small cache sizes. PR 27751. [Geoff Thorpe <geoff geoffthorpe.net>]
*) Remove 2Gb log file size restriction on some 32-bit platforms.
PR 13511. [Joe Orton]
*) mod_logio no longer removes the EOS bucket. PR 27928.
[Bojan Smojver <bojan rexursive.com>]
*) htpasswd no longer refuses to process files that contain empty
lines. [André Malo]
*) Regression from 1.3: At startup, suexec now will be checked for
availability, the setuid bit and user root. The works only if
httpd is compiled with the shipped APR version (0.9.5).
PR 28287. [André Malo]
*) Unix MPMs: Stop dropping connections when the file descriptor
is at least FD_SETSIZE. [Jeff Trawick]
*) Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick]
*) mod_isapi: send_response_header() failed to copy status string's
last character. PR 20619. [Jesse Pelton <jsp pkc.com>]
*) Fix a segfault when requests for shared memory fails and returns
NULL. Fix a segfault caused by a lack of bounds checking on the
cache. PR 24801. [Graham Leggett]
*) Throw an error message if an attempt is made to use the LDAPTrustedCA
or LDAPTrustedCAType directives in a VirtualHost. PR 26390
[Brad Nicholes]
*) Fix a potential segfault if the bind password in the LDAP cache
is NULL. PR 28250. [Jari Ahonen <jah progress.com>]
*) Quotes cannot be used around require group and require dn
directives, update the documentation to reflect this. Also add
quotes around the dn and group within debug messages, to make it
more obvious why authentication is failing if quotes are used in
error. PR 19304. [Graham Leggett]
*) The Microsoft LDAP SDK escapes filters for us, stop util_ldap
from escaping filters twice when the backslash character is used.
PR 24437. [Jess Holle <jessh ptc.com>]
*) Overhaul handling of LDAP error conditions, so that the util_ldap_*
functions leave the connections in a sane state after errors have
occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134,
27271 [Graham Leggett]
*) mod_ldap calls ldap_simple_bind_s() to validate the user
credentials. If the bind fails, the connection is left
in an unbound state. Make sure that the ldap connection
record is updated to show that the connection is no longer
bound. [Brad Nicholes]
*) Ensure that lines in the request which are too long are
properly terminated before logging.
[Tsurutani Naoki <turutani scphys.kyoto-u.ac.jp>]
*) Update the bind credentials for the cached LDAP connection to
reflect the last bind. This prevents util_ldap from creating
unnecessary connections rather than reusing cached connections.
[Brad Nicholes]
*) mod_isapi: GetServerVariable returned improperly terminated header
fields given "ALL_HTTP" or "ALL_RAW". PR 20656.
[Jesse Pelton <jsp pkc.com>]
*) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer
size. PR 20617. [Jesse Pelton <jsp pkc.com>]
*) mod_dav: Fix a problem that could cause crashes when manipulating
locks on some platforms. [Jeff Trawick]
*) mod_headers no longer crashes if an empty header value should
be added. [André Malo]
*) Fix segfault in mod_expires, which occured under certain
circumstances. PR 28047. [André Malo]
*) htpasswd: use apr_temp_dir_get() and general cleanup
[Guenter Knauf <eflash gmx.net>, Thom May]
*) mod_ssl: Fix memory leak in session cache handling. PR 26562
[Madhusudan Mathihalli]
*) mod_ssl: Fix potential segfaults when performing SSL shutdown from
a pool cleanup. PR 27945. [Joe Orton]
*) Add forensic logging module (mod_log_forensic).
[Ben Laurie]
*) logresolve: Allow size of log line buffer to be overridden at
build time (MAXLINE). PR 27793. [Jeff Trawick]
*) Fix the comment delimiter in htdbm so that it correctly parses the
username comment. Also add a terminate function to allow NetWare
to pause the output before the screen is destroyed.
[Guenter Knauf <eflash gmx.net>, Brad Nicholes]
*) Fix crash when Apache was started with no Listen directives.
[Michael Corcoran <mcorcoran warpsolutions.com>]
*) core_output_filter: Fix bug that could result in sending
garbage over the network when module handlers construct
bucket brigades containing multiple file buckets all referencing
the same open file descriptor. [Bojan Smojver]
*) Fix memory corruption problem with ap_custom_response() function.
The core per-dir config would later point to request pool data
that would be reused for different purposes on different requests.
[Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]
*) Win32: Tweak worker thread accounting routines to eliminate
server hang when number of Listen directives in httpd.conf
is greater than or equal to the setting of ThreadsPerChild.
[Bill Stoddard]
Relinquish maintainership of packages to tech-pkg@NetBSD.org.
Update apache2 to 2.0.49. This includes various changes since last release
including:
*) SECURITY: CAN-2004-0174 (cve.mitre.org)
Fix starvation issue on listening sockets where a short-lived
connection on a rarely-accessed listening socket will cause a
child to hold the accept mutex and block out new connections until
another connection arrives on that rarely-accessed listening socket.
With Apache 2.x there is no performance concern about enabling the
logic for platforms which don't need it, so it is enabled everywhere
except for Win32. [Jeff Trawick]
*) SECURITY: CAN-2004-0113 (cve.mitre.org)
mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
PR 27106. [Joe Orton]
*) SECURITY: CAN-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog. Unescaped
errorlogs are still possible using the compile time switch
"-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, Andr<E9> Malo]
Complete changelog is at http://www.apache.org/dist/httpd/CHANGES_2.0
Package changes include:
buildlink depends increased for apache2 (but not for apr).
apr package version changes, but APR_VERSION stays same.
more files installed and added to PLIST.
share/httpd/manual/search/manual-index.cgi removed from PLIST.
Also removing share/httpd/htdocs and share/httpd directories
removed from PLIST because already handled by MAKE_DIRS.
(I think this should use OWN_DIRS.)
(jlam@ said he would like this update done during freeze.)
apr shipped with apache-2.0.48 is 0.9.5.
upgrade to 2.0.48
Changes with Apache 2.0.48
*) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
the AF_UNIX socket used to communicate with the cgid daemon and
the CGI script. [Jeff Trawick]
*) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and
mod_rewrite which occurred if one configured a regular expression
with more than 9 captures. [André Malo]
*) mod_include: fix segfault which occured if the filename was not
set, for example, when processing some error conditions.
PR 23836. [Brian Akins <bakins@web.turner.com>, André Malo]
*) fix the config parser to support <Foo>..</Foo> containers (no
arguments in the opening tag) supported by httpd 1.3. Without
this change mod_perl 2.0's <Perl> sections are broken.
["Philippe M. Chiasson" <gozer@cpan.org>]
*) mod_cgid: fix a hash table corruption problem which could
result in the wrong script being cleaned up at the end of a
request. [Jeff Trawick]
*) Update httpd-*.conf to be clearer in describing the connection
between AddType and AddEncoding for defining the meaning of
compressed file extensions. [Roy Fielding]
*) mod_rewrite: Don't die silently when failing to open RewriteLogs.
PR 23416. [André Malo]
*) mod_rewrite: Fix mod_rewrite's support of the [P] option to send
rewritten request using "proxy:". The code was adding multiple "proxy:"
fields in the rewritten URI. PR: 13946.
[Eider Oliveira <eider@bol.com.br>]
*) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and
expires as directed in RFC 2616. [Thomas Castelle tcastelle@generali.fr]
*) Ensure that ssl-std.conf is generated at configure time, and switch
to using the expanded config variables to work the same as
httpd-std.conf PR: 19611
[Thom May]
*) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
[Hartmut Keil <Hartmut.Keil@adnovum.ch>]
*) mod_autoindex: If a directory contains a file listed in the
DirectoryIndex directive, the folder icon is no longer replaced
by the icon of that file. PR 9587.
[David Shane Holden <dpejesh@yahoo.com>]
*) Fixed mod_usertrack to not get false positive matches on the
user-tracking cookie's name. PR 16661.
[Manni Wood <manniwood@planet-save.com>]
*) mod_cache: Fix the cache code so that responses can be cached
if they have an Expires header but no Etag or Last-Modified
headers. PR 23130.
[bjorn@exoweb.net]
*) mod_log_config: Fix %b log format to write really "-" when 0 bytes
were sent (e.g. with 304 or 204 response codes). [Astrid Keßler]
*) Modify ap_get_client_block() to note if it has seen EOS.
[Justin Erenkrantz]
*) Fix a bug, where mod_deflate sometimes unconditionally compressed the
content if the Accept-Encoding header contained only other tokens than
"gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]
*) Avoid an infinite recursion, which occured if the name of an included
config file or directory contained a wildcard character. PR 22194.
[André Malo]
*) mod_ssl: Fix a problem setting variables that represent the
client certificate chain. PR 21371 [Jeff Trawick]
*) Unix: Handle permissions settings for flock-based mutexes in
unixd_set_global|proc_mutex_perms(). Allow the functions to be
called for any type of mutex. PR 20312 [Jeff Trawick]
*) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
*) Fix a misleading message from the some of the threaded MPMs when
MaxClients has to be lowered due to the setting of ServerLimit.
[Jeff Trawick]
*) Lower the severity of the "listener thread didn't exit" message
to debug, as it is of interest only to developers. PR 9011
[Jeff Trawick]
*) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.
[Cliff Woolley, Jean-Jacques Clar]
*) Install config.nice into the build/ directory to make
minor version upgrades easier. [Joshua Slive]
*) Fix mod_deflate so that it does not call deflate() without checking
first whether it has something to deflate. (Currently this causes
deflate to generate a fatal error according to the zlib spec.)
PR 22259. [Stas Bekman]
*) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an
identity spoof is encountered.
[Sander Striker]
*) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
containing the .htaccess file is requested without a trailing slash.
PR 20195. [André Malo]
*) ab: Overlong credentials given via command line no longer clobber
the buffer. [André Malo]
*) mod_deflate: Don't attempt to hold all of the response until we're
done. [Justin Erenkrantz]
*) Assure that we block properly when reading input bodies with SSL.
PR 19242. [David Deaves <David.Deaves@dd.id.au>, William Rowe]
*) Update mime.types to include latest IANA and W3C types. [Roy Fielding]
*) mod_ext_filter: Set additional environment variables for use by
the external filter. PR 20944. [Andrew Ho, Jeff Trawick]
*) Fix buildconf errors when libtool version changes. [Jeff Trawick]
*) Remember an authenticated user during internal redirects if the
redirection target is not access protected and pass it
to scripts using the REDIRECT_REMOTE_USER environment variable.
PR 10678, 11602. [André Malo]
*) mod_include: Fix a trio of bugs that would cause various unusual
sequences of parsed bytes to omit portions of the output stream.
PR 21095. [Ron Park <ronald.park@cnet.com>, André Malo, Cliff Woolley]
*) Update the header token parsing code to allow LWS between the
token word and the ':' seperator. [PR 16520]
[Kris Verbeeck <kris.verbeeck@advalvas.be>, Nicel KM <mnicel@yahoo.com>]
*) Eliminate creation of a temporary table in ap_get_mime_headers_core()
[Joe Schaefer <joe+gmane@sunstarsys.com>]
*) Added FreeBSD directory layout. PR 21100.
[Sander Holthaus <info@orangexl.com>, André Malo]
*) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
response. PR 21085. [Glenn Nielsen <glenn@apache.org>, André Malo]
*) mod_rewrite: Perform child initialization on the rewrite log lock.
This fixes a log corruption issue when flock-based serialization
is used (e.g., FreeBSD). [Jeff Trawick]
*) Don't respect the Server header field as set by modules and CGIs.
As with 1.3, for proxy requests any such field is from the origin
server; otherwise it will have our server info as controlled by
the ServerTokens directive. [Jeff Trawick]
s/netbsd.org/NetBSD.org/
upgrade to apache-2.0.47/apr-0.9.4.2.0.47.
Changes with Apache 2.0.47
*) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
of per-directory renegotiations and the SSLCipherSuite directive
being used to upgrade from a weak ciphersuite to a strong one
could result in the weak ciphersuite being used in place of the
strong one. [Ben Laurie]
*) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
temporary denial of service when accept() on a rarely accessed port
returns certain errors. Reported by Saheed Akhtar
<S.Akhtar@talis.com>. [Jeff Trawick]
*) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
of service when target host is IPv6 but proxy server can't create
IPv6 socket. Fixed by the reporter. [Yoshioka Tsuneo
<tsuneo.yoshioka@f-secure.com>]
*) SECURITY [VU#379828] Prevent the server from crashing when entering
infinite loops. The new LimitInternalRecursion directive configures
limits of subsequent internal redirects and nested subrequests, after
which the request will be aborted. PR 19753 (and probably others).
[William Rowe, Jeff Trawick, André Malo]
*) core_output_filter: don't split the brigade after a FLUSH bucket if
it's the last bucket. This prevents creating unneccessary empty
brigades which may not be destroyed until the end of a keepalive
connection.
[Juan Rivera <Juan.Rivera@citrix.com>]
*) Add support for "streamy" PROPFIND responses.
[Ben Collins-Sussman <sussman@collab.net>]
*) mod_cgid: Eliminate a double-close of a socket. This resolves
various operational problems in a threaded MPM, since on the
second attempt to close the socket, the same descriptor was
often already in use by another thread for another purpose.
[Jeff Trawick]
*) mod_negotiation: Introduce "prefer-language" environment variable,
which allows to influence the negotiation process on request basis
to prefer a certain language. [André Malo]
*) Make mod_expires' ExpiresByType work properly, including for
dynamically-generated documents. [Ken Coar, Bill Stoddard]
upgrade to apache 2.0.46. fixes two vulnerabilities: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189
Split some stuff out into a new Makefile.common so that the new deve/apr package can use it. Depend on the new apr package. Approved by jlam@netbsd.org.