| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- use PTHREAD_LIBS/CFLAGS instead -pthread
Changes with Apache 2.2.29
http://www.apache.org/dist/httpd/CHANGES_2.2.29
*) Corrected docs/manual pages for new MergeTrailers directive and other
out of date documentation. [William Rowe]
Changes with Apache 2.2.28
*) SECURITY: CVE-2014-0118 (cve.mitre.org) [1]
mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to avoid
denial of service via highly compressed bodies. See directives
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
*) SECURITY: CVE-2014-0231 (cve.mitre.org) [1]
mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child processes
filling up the scoreboard and eventually hanging the server. By
default, the client I/O timeout (Timeout directive) now applies to
communication with scripts. The CGIDScriptTimeout directive can be
used to set a different timeout for communication with scripts.
[Rainer Jung, Eric Covener, Yann Ylavic]
*) SECURITY: CVE-2014-0226 (cve.mitre.org) [1]
Fix a race condition in scoreboard handling, which could lead to
a heap buffer overflow. [Joe Orton, Eric Covener, Jeff Trawick]
*) SECURITY: CVE-2013-5704 (cve.mitre.org) [2]
core: HTTP trailers could be used to replace HTTP headers
late during request processing, potentially undoing or
otherwise confusing modules that examined or modified
request headers earlier. Adds "MergeTrailers" directive to restore
legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
*) core: Detect incomplete request and response bodies, log an error and
forward it to the underlying filters. PR 55475. [Yann Ylavic]
*) mod_deflate: Handle Zlib header and validation bytes received in multiple
chunks. PR 46146. [Yann Ylavic]
*) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
differs. PR 55782. [Yann Ylavic]
*) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
[Lukas Bezdicka <social v3.sk>]
*) mod_dav: Fix improper encoding in PROPFIND responses. PR 56480.
[Ben Reser]
*) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
resumed by TLS session resumption (RFC 5077). [Rainer Jung]
*) mod_proxy_ajp: Forward local IP address as a custom request attribute
like we already do for the remote port. [Rainer Jung]
*) mod_deflate: Don't fail when flushing inflated data to the user-agent
and that coincides with the end of stream ("Zlib error flushing inflate
buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]
*) mod_cache, mod_disk_cache: With CacheLock enabled, responses with a Vary
header might not get the benefit of the thundering herd protection due to
an incorrect internal cache key. PR 50317.
[Ruediger Pluem, Jan Kaluza, Yann Ylavic]
*) mod_rewrite: Support session cookies with the CO= flag when later
parameters are used. The doc for this implied the feature had been
backported for quite some time. PR56014 [Eric Covener]
*) mod_cache: Don't remove stale cache entries that cannot be conditionally
revalidated. This prevents the thundering herd protection from serving
stale responses during a revalidation. PR 50317.
[Eric Covener, Jan Kaluza, Ruediger Pluem]
*) core: Increase TCP_DEFER_ACCEPT socket option to from 1 to 30 seconds.
PR 41270. [Dean Gaudet <dean arctic org>]
[1] CVE issues already fixed since FreeBSD-ports r362845
[2] new CVE-2013-5704 issue fixed in 2.2.29
MFH: 2014Q3
Security: f927e06c-1109-11e4-b090-20cf30e32f6d
Security: CVE-2013-5704
Notes:
svn path=/head/; revision=367227
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- fix build with SSL from ports [1]
SECURITY: CVE-2014-0118 (cve.mitre.org)
mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to
avoid denial of sevice via highly compressed bodies. See directives
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and
DeflateInflateRatioBurst.
http://svn.apache.org/viewvc?view=revision&revision=1611426
SECURITY: CVE-2014-0226 (cve.mitre.org)
Fix a race condition in scoreboard handling,
which could lead to a heap buffer overflow. Thanks to Marek Kroemeke
working with HP's Zero Day Initiative for reporting this.
* include/scoreboard.h: Add ap_copy_scoreboard_worker.
* server/scoreboard.c (ap_copy_scoreboard_worker): New function.
* modules/generators/mod_status.c (status_handler): Use it.
http://svn.apache.org/viewvc?view=revision&revision=1610515
SECURITY: CVE-2014-0231 (cve.mitre.org)
mod_cgid: Fix a denial of service against CGI scripts that do not consume
stdin that could lead to lingering HTTPD child processes filling up the
scoreboard and eventually hanging the server.
http://svn.apache.org/viewvc?view=revision&revision=1611185
[1] noted and testd by mat@
MFH: 2014Q3
Security: f927e06c-1109-11e4-b090-20cf30e32f6d
CVE-2014-0118
CVE-2014-0231
CVE-2014-0226
Notes:
svn path=/head/; revision=362845
|
| |
|
|
| |
Notes:
svn path=/head/; revision=361691
|
| |
|
|
| |
Notes:
svn path=/head/; revision=361317
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- sort pkg-plist
- always install DOCS (remove Makefile hack)
- reflect modules.d in EXAMPLESDIR, next target
will be a new keyword for pkg-plist to handle
module installation.
- bump PORTREVISION
- add warning about default version change (2014-07-11)
(pkg-message, files/HEADS_UP)
Notes:
svn path=/head/; revision=361294
|
| |
|
|
|
|
|
|
|
| |
library version change.
Approved by: portmgr (implicit)
Notes:
svn path=/head/; revision=357574
|
| |
|
|
|
|
|
| |
With hat: ports-secteam
Notes:
svn path=/head/; revision=356512
|
| |
|
|
|
|
|
| |
with hat apache@
Notes:
svn path=/head/; revision=355919
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
in case port is build with tinderbox or poudriere.
openssl is registered as BUILD/RUN dependency not
as LIB dependency, therefore the check for openssl
fails since it will be installed in a later stage
by tinderbox / poudriere.
Thanks to Katsuya Higuchi who noted this issue on
the apache@ mailing list.
http://lists.freebsd.org/pipermail/freebsd-apache/2014-April/003490.html
MFH: 2014Q2
Submitted by: Katsuya Higuchi <higuchi@jt-sys.co.jp>
Notes:
svn path=/head/; revision=350852
|
| |
|
|
|
|
|
|
|
|
|
|
| |
- bump PORTVERSION because of CVE-2014-0076 / CVE-2014-0160
Special Thanks to Philip Jocks for reporting and testing!
http://lists.freebsd.org/pipermail/freebsd-apache/2014-April/003483.html
with hat apache@
Notes:
svn path=/head/; revision=350649
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- fix apache-mpm-peruser graceful reload [1]
Changes with Apache 2.2.27
*) SECURITY: CVE-2014-0098 (cve.mitre.org)
Clean up cookie logging with fewer redundant string parsing passes.
Log only cookies with a value assignment. Prevents segfaults when
logging truncated cookies.
[William Rowe, Ruediger Pluem, Jim Jagielski]
*) SECURITY: CVE-2013-6438 (cve.mitre.org)
mod_dav: Keep track of length of cdata properly when removing
leading spaces. Eliminates a potential denial of service from
specifically crafted DAV WRITE requests
[Amin Tora <Amin.Tora neustar.biz>]
*) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
TE/CL conflicts. [Yann Ylavic <ylavic.dev gmail com>, Jim Jagielski]
*) mod_proxy_http: Core dumped under high load. PR 50335.
[Jan Kaluza <jkaluza redhat.com>]
*) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
[Christophe Jaillet]
*) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
is equivalent to <ProxyMatch wildcard-url>. [Christophe Jaillet]
*) mod_ldap: Fix a potential memory leak or corruption. PR 54936.
[Zhenbo Xu <zhenbo1987 gmail com>]
*) mod_ssl: Do not perform SNI / Host header comparison in case of a
forward proxy request. [Ruediger Pluem]
*) mod_rewrite: Add mod_rewrite.h to the headers installed on Windows.
PR46679 [Bob Ionescu]
PR: ports/182947 [1]
Submitted by: Andrew Azarov <andrew@azar-a.net> [1]
Notes:
svn path=/head/; revision=349319
|
| |
|
|
|
|
|
|
| |
- USE_BZIP2 -> USES= tar:bzip2
- LICENSE=BSD -> BSD[n]CLAUSE
Notes:
svn path=/head/; revision=348417
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- add new directory for modules (APACHEETCDIR/modules.d)
New modules can be registered here with a simple
file that contains the LoadModule directives.
Additonal Maintaines can write instructions to the
conf file and keep pkg-message short.
As bonus the config file can be installed like every
other config file with a .sample extention so modules
are not disabled during pkg upgrades.
Module config files should begin with three digits
followed by '_' e.g. 100_php5.conf.
The load order can be controlled via the three digits.
Please wait some time before adopting the new directory
so users have time to update and adjust axisting configs
Changes with Apache 2.2.26
*) mod_dav: dav_resource->uri treated as unencoded. This was an
unnecessary ABI changed introduced in 2.2.25 PR 55397. [Ben Reser]
*) mod_dav: Do not validate locks against parent collection of COPY
source URI. PR 55304. [Ben Reser]
*) mod_ssl: Check SNI hostname against Host header case-insensitively.
PR 49491. [Mayank Agrawal <magrawal.08 gmail.com>]
*) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against
OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme,
Stefan Fritsch]
*) mod_ssl: Change default for SSLCompression to off, as compression
causes security issues in most setups. (The so called "CRIME" attack).
[Stefan Fritsch]
*) mod_ssl: Fix compilation error when OpenSSL does not contain
support for SSLv2. Problem was introduced in 2.2.25. PR 55194.
[Rainer Jung, Kaspar Brand]
*) mod_dav: Fix double encoding of URIs in XML and Location header (caused
by unintential ABI change in 2.2.25). PR 55397. [Ben Reser]
Notes:
svn path=/head/; revision=334783
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is needed because of a bug [2] due to an incorrect
implementation of RFC 4918.
The symptoms are a failure to copy a svn tree via DAV:
- fix package installation with old pkg tools (create empty
folders in pkg-plist even staging is enabled)
[1] http://svn.apache.org/viewvc?view=revision&revision=1528718
[2] https://issues.apache.org/bugzilla/show_bug.cgi?id=55306
PR: ports/183685
Submitted by: Pietro Cerutti <gahr@FreeBSD.org>
Notes:
svn path=/head/; revision=332914
|
| |
|
|
|
|
|
| |
- partitial adopt new ${opt}_ notation
Notes:
svn path=/head/; revision=331788
|
| |
|
|
|
|
|
| |
www)
Notes:
svn path=/head/; revision=327776
|
| |
|
|
|
|
|
|
|
| |
- convert USE_GMAKE to Uses
Approved by: portmgr (bapt@, blanket)
Notes:
svn path=/head/; revision=327283
|
| |
|
|
|
|
|
|
|
|
| |
pre 100043 is ${LOCALBASE} and /usr otherwise. Convert all ports to
new variable usage.
Approved by: portmgr (bapt, implicit)
Notes:
svn path=/head/; revision=326683
|
| |
|
|
|
|
|
| |
Approved by: portmgr (bdrewery)
Notes:
svn path=/head/; revision=324744
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- update vuxml with additional CVE-2013-1896 entry
Changes with Apache 2.2.25
http://www.apache.org/dist/httpd/CHANGES_2.2.25
*) SECURITY: CVE-2013-1896 (cve.mitre.org)
mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
the source href (sent as part of the request body as XML) pointing to a
URI that is not configured for DAV will trigger a segfault. [Ben Reser
<ben reser.org>]
*) SECURITY: CVE-2013-1862 (cve.mitre.org)
mod_rewrite: Ensure that client data written to the RewriteLog is
escaped to prevent terminal escape sequences from entering the
log file. [Eric Covener, Jeff Trawick, Joe Orton]
*) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
strings. The default limit for ap_pregsub() can be adjusted at compile
time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick]
*) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun
<apache heilbrun.org>]
*) mod_setenvif: Log error on substitution overflow.
[Stefan Fritsch]
*) mod_ssl/proxy: enable the SNI extension for backend TLS connections
[Kaspar Brand]
*) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. PR 53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
*) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
in the error log to debug level. [William Rowe]
*) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
[Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
*) mod_proxy_balancer: Added balancer parameter failontimeout to allow server
admin to configure an IO timeout as an error in the balancer.
[Daniel Ruggeri]
*) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
password. [Daniel Ruggeri]
*) htdigest: Fix buffer overflow when reading digest password file
with very long lines. PR 54893. [Rainer Jung]
*) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
[Timothy Wood <tjw omnigroup.com>]
*) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]
*) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
result in a 412 Precondition Failed for a COPY operation. PR54610
[Timothy Wood <tjw omnigroup.com>]
*) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
property on a resource for which there is no dead property in the same
namespace httpd segfaults. PR 52559 [Diego Santa Cruz
<diego.santaCruz spinetix.com>]
*) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
*) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
PR: ports/180248
Submitted by: Jason Helfman jgh@
Notes:
svn path=/head/; revision=322728
|
| |
|
|
|
|
|
| |
- adjust vuxml
Notes:
svn path=/head/; revision=322368
|
| |
|
|
|
|
|
|
| |
- Change USE_GNOME=pkgconfig|gnomehack to USES=pathfix|pkgconfig and
USE_GETTEXT=yes to USES=gettext while here
Notes:
svn path=/head/; revision=316683
|
| |
|
|
| |
Notes:
svn path=/head/; revision=315333
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- move mpm itk patches to itk-mpm/files dir
- add sshd to REQUIRE line in the rc script to prevent boot
issues in case a SSL cert is password protected [1]
Changes with Apache 2.2.24
SECURITY: CVE-2012-3499 (cve.mitre.org) Various XSS flaws due to
unescaped hostnames and URIs HTML output in mod_info, mod_status,
mod_imagemap, mod_ldap, and mod_proxy_ftp. [Jim Jagielski, Stefan
Fritsch, Niels Heinen <heinenn google com>]
SECURITY: CVE-2012-4558 (cve.mitre.org)
XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
Niels Heinen <heinenn google com>]
mod_rewrite: Stop merging RewriteBase down to subdirectories
unless new option 'RewriteOptions MergeBase' is configured.
Merging RewriteBase was unconditionally turned on in 2.2.23.
PR 53963. [Eric Covener]
mod_ssl: Send the error message for speaking http to an https port using
HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
using SNI. PR 50823. [Stefan Fritsch]
mod_ssl: log revoked certificates at level INFO
instead of DEBUG. PR 52162. [Stefan Fritsch]
mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
[Rainer Jung]
mod_dir: Add support for the value 'disabled' in FallbackResource.
[Vincent Deffontaines]
mod_ldap: Fix regression in handling "server unavailable" errors on
Windows. PR 54140. [Eric Covener]
mod_ssl: fix a regression with the string rendering of the "UID" RDN
introduced in 2.2.15. PR 54510. [Kaspar Brand]
ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
to more accurately report the negotiated protocol. PR 53916.
[Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
mod_cache: Explicitly allow cache implementations to cache a 206 Partial
Response if they so choose to do so. Previously an attempt to cache a 206
was arbitrarily allowed if the response contained an Expires or
Cache-Control header, and arbitrarily denied if both headers were missing
Currently the disk and memory cache providers do not cache 206 Partial
Responses. [Graham Leggett]
core: Remove unintentional APR 1.3 dependency introduced with
Apache 2.2.22. [Eric Covener]
core: Use a TLS 1.0 close_notify alert for internal dummy connection if
the chosen listener is configured for https. [Joe Orton]
mod_ssl: Add new directive SSLCompression to disable TLS-level
compression. PR 53219.
[1] requested by Andrew Filonov
(freebsd-apache/2012-September/002962.html)
with head apache@
Notes:
svn path=/head/; revision=313287
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
LockFile "/var/run/accept.lock"
instead of previous
LockFile "/var/log/accept.lock"
If system is crashed and rebooted, Apache refuses to start in case
/var/log/accept.lock.<pid> is found. That <pid> is almost always the same
due to minimum pid variance right after boot.
So use /var/run instead, which is cleaned on each boot.
Notes:
svn path=/head/; revision=309798
|
| |
|
|
|
|
|
|
| |
Introduces the UTF-32 library pcre32
Bump PORTREVISION in dependent ports
Notes:
svn path=/head/; revision=308630
|
| |
|
|
|
|
|
|
|
| |
Spotted by: ume
Pointy hat to: hrs
Feature safe: yes
Notes:
svn path=/head/; revision=307544
|
| |
|
|
|
|
|
|
|
| |
into rc.subr. Bump PORTREVISION.
Feature safe: yes
Notes:
svn path=/head/; revision=307542
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- trim vuxml/Makefile header
with hat apache@
Feature safe: yes
Security: CVE-2012-2687
Notes:
svn path=/head/; revision=306878
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Point them to the wiki
Thanks to crees@ for this suggestion to
implement this direct in the port
PR: 171509
Notes:
svn path=/head/; revision=303982
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- disallow IPv6 sockets to handle IPv4 requests per default. [2]
- move extra-patch-server__config.c
-> patch-server__config.c
https://issues.apache.org/bugzilla/show_bug.cgi?id=53823
- bump PORTREVISION
[1] Credits to Hajimu UMEMOTO (ume@) for finding the last APR related parameter
[2] http://httpd.apache.org/docs/2.2/bind.html
with hat apache@
Notes:
svn path=/head/; revision=303674
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- update APR to 1.4.6
- update APR-util to 1.4.1
- remove PKGNAMESUFFIX'es
www/apache-(event|itk|peruser|worker)-mpm
- adopt new Makefile header, adjust
PKGNAMESUFFIX in apache22 masterport
PKGNAME match now LATEST_LINK
www/apache22 [2]-[6]
- rewrite for options NG
- PORTNAME s|apache|apache22|
- remove APR APR-util specific otions,
will be checked now with help of apr/u-1-config
Mk/bsd.apache.mk
- rewrite for options NG
- remove no longer needet make targets
(show-categories, make-options-list)
[1]
PR: 165143
[2]-[6]
PR: 130479
PR: 153406
PR: 158565
PR: 168769
PR: 167965
with hat apache@
Notes:
svn path=/head/; revision=303550
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
- remove all apr/apu related parts (leftovers from bundled apr)
- remove invalid parts from Makefile.doc
- move MODULES to Makefile.options
- remove apache20 parts
- remove category handling
with hat apache@
Notes:
svn path=/head/; revision=302979
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
keep full backward support until apache20 is removed from the tree
comment code to remove with MFC TODO:
- adjust apache20 and apache22 ports
changes are transparent for users (no PORTREVISION bump)
Users who are using special build instructions in make.conf, such as
- WITH_STATIC_MODULES= alias dir log_config mime rewrite setenvif vhost_alias
should convert the values to UPPERCASE
- WITH_STATIC_MODULES= ALIAS DIR LOG_CONFIG MIME REWRITE SETENVIF VHOST_ALIAS
At the moment code to support old lowercase style is in place, but
target to remove in favor for options NG.
with hat apache@
Notes:
svn path=/head/; revision=302481
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add patch[1] to address problem to apache port.
[1]: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/envvars-std.in?view=log&pathrev=1296428
Approved by: apache@ (pgollucci@)
Obtained from: Apache SVN
Notes:
svn path=/head/; revision=301849
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- centralise OPTIONS in Makefile.options
- s/Enable// in OPTIONS
- rewrite Makefile.modules (last defined SLAVE_PORT_MPM port use now WITH_MPM var)
- no REVISION bump, nothing changed in the logic / functionality
apache22-peruser-mpm
- use WITH_MPM instead SLAVE_PORT_MPM
Notes:
svn path=/head/; revision=301353
|
| |
|
|
|
|
|
| |
- remove explicit ABI version number from LIB_DEPENDS
Notes:
svn path=/head/; revision=300636
|
| |
|
|
|
|
|
| |
Add (vendor) patch for deprecated pcre_info()
Notes:
svn path=/head/; revision=291337
|
| |
|
|
|
|
|
|
|
|
|
|
| |
- use full path setfib
PR: ports/153264
Submitted by: Jeremy Chadwick <freebsd@jdc.parodius.com>
With Hat: apache@
Sponsored by: Apache Software Foundation (ASF)
Notes:
svn path=/head/; revision=290765
|
| |
|
|
|
|
|
| |
Reported by: glarkin
Notes:
svn path=/head/; revision=290745
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Resync proxy connect patch [2]
- Bump PORTREVISION since the proxy patch is unconditionally applied
which means we can remove that OPTION too
PR: ports/164698 [1], ports/164711 [2]
Submitted by: jgh@ [1], freebsd@nagilum.org [2]
With Hat: apache@
Sponsored by: RideCharge Inc. / TaxiMagic
Notes:
svn path=/head/; revision=290685
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Addresses:
* SECURITY: CVE-2011-3607 (cve.mitre.org)
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP
Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif
module is enabled, allows local users to gain privileges via a .htaccess file
with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request
header, leading to a heap-based buffer overflow.
* SECURITY: CVE-2012-0021 (cve.mitre.org)
The log_cookie function in mod_log_config.c in the mod_log_config module in the
Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not
properly handle a %{}C format string, which allows remote attackers to cause a
denial of service (daemon crash) via a cookie that lacks both a name and a
value.
* SECURITY: CVE-2012-0031 (cve.mitre.org)
scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local
users to cause a denial of service (daemon crash during shutdown) or possibly
have unspecified other impact by modifying a certain type field within a
scoreboard shared memory segment, leading to an invalid call to the free
function.
* SECURITY: CVE-2011-4317 (cve.mitre.org)
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in
place, does not properly interact with use of (1) RewriteRule and (2)
ProxyPassMatch pattern matches for configuration of a reverse proxy, which
allows remote attackers to send requests to intranet servers via a malformed URI
containing an @ (at sign) character and a : (colon) character in invalid
positions. NOTE: this vulnerability exists because of an incomplete fix for
CVE-2011-3368.
* SECURITY: CVE-2012-0053 (cve.mitre.org)
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly
restrict header information during construction of Bad Request (aka 400) error
documents, which allows remote attackers to obtain the values of HTTPOnly
cookies via vectors involving a (1) long or (2) malformed header in conjunction
with crafted web script.
* SECURITY: CVE-2011-3368 (cve.mitre.org)
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of
(1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a
reverse proxy, which allows remote attackers to send requests to intranet
servers via a malformed URI containing an initial @ (at sign) character.
PR: ports/164675
Reviewed by: pgollucci
Approved by: pgollucci, crees, rene (mentors, implicit)
With Hat: apache@
Notes:
svn path=/head/; revision=290249
|
| |
|
|
|
|
|
|
|
|
|
|
| |
- Fix all ports that add {CPP,LD}FLAGS to *_ENV to modify flags instead
PR: 157936
Submitted by: myself
Exp-runs by: pav
Approved by: pav
Notes:
svn path=/head/; revision=282282
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Addresses:
* SECURITY: CVE-2011-3348 (cve.mitre.org)
mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
unrecognized HTTP methods from marking ajp: balancer members
in an error state, avoiding denial of service.
* SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Further fixes to the handling of byte-range requests to use
less memory, to avoid denial of service. This patch includes fixes
to the patch introduced in release 2.2.20 for protocol compliance,
as well as the MaxRanges directive.
PR: ports/160743
Submitted by: Jason Helfman <jhelfman@experts-exchange.com>
Notes:
svn path=/head/; revision=281790
|
| |
|
|
| |
Notes:
svn path=/head/; revision=281708
|
| |
|
|
|
|
|
| |
PR: 160381
Notes:
svn path=/head/; revision=281020
|
| |
|
|
|
|
|
| |
patches being ignored
Notes:
svn path=/head/; revision=276676
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes with Apache 2.2.19
*) Revert ABI breakage in 2.2.18 caused by the function signature change
of ap_unescape_url_keep2f(). This release restores the signature from
2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
[Eric Covener]
commit with hat apache@
Notes:
svn path=/head/; revision=274472
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
http://www.apache.org/dist/httpd/CHANGES_2.2.18
Changes with Apache 2.2.18
*) Log an error for failures to read a chunk-size, and return 408 instead
413 when this is due to a read timeout. This change also fixes some cases
of two error documents being sent in the response for the same scenario.
[Eric Covener] PR49167
*) core: Only log a 408 if it is no keepalive timeout. PR 39785
[Ruediger Pluem, Mark Montague <markmont umich.edu>]
*) core: Treat timeout reading request as 408 error, not 400.
Log 408 errors in access log as was done in Apache 1.3.x.
PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, Stefan Fritsch,
Dan Poirier]
*) Core HTTP: disable keepalive when the Client has sent
Expect: 100-continue
but we respond directly with a non-100 response. Keepalive here led
to data from clients continuing being treated as a new request.
PR 47087. [Nick Kew]
*) htpasswd: Change the default algorithm for htpasswd to MD5 on all
platforms. Crypt with its 8 character limit is not useful anymore;
improve out of disk space handling (PR 30877); print a warning if
a password is truncated by crypt. [Stefan Fritsch]
*) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
Win32's cscript interpreter can only use a single quote as comment char.
[Guenter Knauf]
*) configure: Fix htpasswd/htdbm libcrypt link errors with some newer
linkers. [Stefan Fritsch]
*) MinGW build improvements. PR 49535. [John Vandenberg
<jayvdb gmail.com>, Jeff Trawick]
*) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
[Stefan Fritsch]
*) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
in request URL path info but not decode them. PR 35256,
PR 46830. [Dan Poirier]
*) mod_rewrite: Allow to unset environment variables. PR 50746.
[Rainer Jung]
*) suEXEC: Add Suexec directive to disable suEXEC without renaming the
binary (Suexec Off), or force startup failure if suEXEC is required
but not supported (Suexec On). [Jeff Trawick]
*) mod_proxy: Put the worker in error state if the SSL handshake with the
backend fails. PR 50332.
[Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
*) prefork: Update MPM state in children during a graceful restart.
Allow the HTTP connection handling loop to terminate early
during a graceful restart. PR 41743.
[Andrew Punch <andrew.punch 247realmedia.com>]
*) mod_ssl: Correctly read full lines in input filter when the line is
incomplete during first read. PR 50481. [Ruediger Pluem]
*) mod_autoindex: Merge IndexOptions from server to directory context when
the directory has no mod_autoindex directives. PR 47766. [Eric Covener]
*) mod_cache: Make sure that we never allow a 304 Not Modified response
that we asked for to leak to the client should the 304 response be
uncacheable. PR45341 [Graham Leggett]
*) mod_dav: Send 400 error if malformed Content-Range header is received for
a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]
*) mod_userdir: Add merging of enable, disable, and filename arguments
to UserDir directive, leaving enable/disable of userlists unmerged.
PR 44076 [Eric Covener]
*) core: Honor 'AcceptPathInfo OFF' during internal redirects,
such as per-directory mod_rewrite substitutions. PR 50349.
[Eric Covener]
*) mod_cache: Check the request to determine whether we are allowed
to return cached content at all, and respect a "Cache-Control:
no-cache" header from a client. Previously, "no-cache" would
behave like "max-age=0". [Graham Leggett]
*) mod_mem_cache: Add a debug msg when a streaming response exceeds
MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary
'memory allocation failed' debug message. PR 49604. [Eric Covener]
*) proxy_connect: Don't give up in the middle of a CONNECT tunnel
when the child process is starting to exit. PR50220. [Eric Covener]
PR: 156997
Submitted by: Tsurutani Naoki <turutani _at_ scphys.kyoto-u.ac.jp>
Notes:
svn path=/head/; revision=274073
|
| |
|
|
|
|
|
|
|
| |
- by changing PORTREVISION= to ?=
Issue reported by erwin@
Notes:
svn path=/head/; revision=272893
|
