From Changelog:
*) SECURITY: CAN-2005-2088
core: If a request contains both Transfer-Encoding and Content-Length
headers, remove the Content-Length, mitigating some HTTP Request
Splitting/Spoofing attacks. [Paul Querna, Joe Orton]
- Rename previous patch to CVE ID
- bump PORTREVISION
Security: CAN-2005-2088
Obtained From: Apache repository
I blindly committed a change from my dev tree. Since USE_APACHE design
is flacky, it had a very annoying impact.
PR: ports/77391 [1]
Also reported by: pointyhat via kris,
Scot Hetzel <swhetzel@gmail.com> [1]
Pointy hat to: clement
- Download bz2'd tarball [1]
- Add print-closest-mirrors target.
It allows you to find the 6 (3 http/3 ftp) closest mirror,
base on http://www.apache.org/dyn/closer.cgi/httpd/
make print-closest-mirrors >> /etc/make.conf automatically add
the six closest mirror to the head of ${MASTER_SITE_APACHE_HTTPD}.
Requested by: delphij
o Major change(s)
- in some cases, modules are still built as static modules, making
modules selection useless and generate a non-desired httpd
o Minor change(s)
- apxs detection is done only if port isn't a server one.
- Mark modules ports as IGNORED if apaxhe is built statically
- fix make show-modules when when WITH_ALL_STATIC_MODULES is defined
Most issues discovered by: Jason Mealins <jason_mealins@bigfix.com>
- Use apache{2,21}flags variable in apache{2,21}_checkconfig().
It fixes restart when apache2ssl_enable is set to YES in rc.conf
and httpd.conf is "old" (i.e. non -DSSL safe) [1]
o Makefile
- split post-install target to add install-startup-script:
User can now upgrade startup script without reinstalling apache2.
NOTE: this is NOT package-safe and NOT supported, even if in most of
cases they're no risk.
Noticed by: many [1]
- Add support for modular sbin/envvars
You can now put your own scripts you want to execute at envvars
stage in ${PREFIX}/etc/apache2/envvars.d
Only script ending by *.env are run.
Example:
/usr/local/etc/apache2/envvars.d/mod_python3.env
Discussed with: perky on -apache@
- Add a note to UPDATING, to warn users they won't be able to build apache2
if they keep apr 0.9.x
Discussed with: Craig Rodrigues (apr maintainer), kuriyama
WARNING: apache2 + apr 1.0 is BROKEN
I'm working on a small compat hack. But don't dream too much.
apache 2.0.x is not designed to work with apr 1.x.
Forgotten by: kuriyama
Fix CAN-2004-0885:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.
Credits: Hartmut Keil, Joe Orton
- Use "PORTDOCS= #" and get rid of docs entry in plist.
- Support for FreeBSD 6 in apr
- Move of cache modules from THREADS to EXPERIMENTAL category and make
sure we enable THREADS modules (cgid only) when a threaded MPM is
selected.
- Resurect WITH_EXTRA_MODULES knob
- powerlogo.gif is now hosted by FreeBSD mirrors
- WITH_<category> is definitively no longer supported.
- Add Includes dir when installed via a package [1]
PR: ports/72309 [1]
Submitted by: Christian Kratzer <ck at cksoft dot de> [1]
*) SECURITY: CAN-2004-0786 (cve.mitre.org)
Fix an input validation issue in apr-util which could be
triggered by malformed IPv6 literal addresses. [Joe Orton]
*) SECURITY: CAN-2004-0747 (cve.mitre.org)
Fix buffer overflow in expansion of environment variables in
configuration file parsing. [Andr<E9> Malo]
*) SECURITY: CAN-2004-0809 (cve.mitre.org)
mod_dav_fs: Fix a segfault in the handling of an indirect lock
refresh. PR 31183. [Joe Orton]
- Update documentation (finally!) and fix WITH_<CATEGORY>_MODULES
for special modules like LDAP or SSL [2]
Noticed by: nectar [1]
Requested by: Emile Heitor <imil at home dot imil dot net> [2]
Approved by: portmgr (marcus)
* WITH_EXCEPTION_HOOK now exists
* Automatically add if WITH_DEBUG is set
* Update still-outdated-documentation
- Remove automatic debuf mode if DEBUG_FLAGS is set
Exception hook is very useful for debugging (upcoming www/mod_backtrace
and www/mod_whatkilledus modules)
Makefile.modules.3rd:
- Fix CONFIGURE_ARGS for dynamic module selection.
It's now fully usuable for apache13 ports
- Remove an useless WANT_APACHE check
- Move apxs detection at the beginning of the file, to use APXS_PREFIX
for apache major version detection [1]
The main advantage of this patch is to provide a nice way to
have multiple apache versions, without altering ${LOCALBASE}.
Submitted by: "ports/c0decafe.net" <ports at c0decafe dot net> [1]