All people using mod_rewrite are strongly encouraged to update.
An off-by-one flaw exists in the Rewrite module, mod_rewrite.
Depending on the manner in which Apache httpd was compiled, this
software defect may result in a vulnerability which, in combination
with certain types of Rewrite rules in the web server configuration
files, could be triggered remotely. For vulnerable builds, the nature
of the vulnerability can be denial of service (crashing of web server
processes) or potentially allow arbitrary code execution.
This issue has been rated as having important security impact
by the Apache HTTP Server Security Team.
Updates to latest versions will follow soon.
Notified by: so@ (simon)
Obtained from: Apache Security Team
Security: CVE-2006-3747
We have not checked for this KEYWORD for a long time now, so this
is a complete noop, and thus no PORTREVISION bump. Removing it at
this point is mostly for pedantic reasons, and partly to avoid
perpetuating this anachronism by copy and paste to future scripts.
mod_imap: Escape untrusted referer header before outputting in HTML
to avoid potential cross-site scripting. Change also made to
ap_escape_html so we escape quotes. Reported by JPCERT.
[Mark Cox]
Reported by: simon
- Work around apr detection. Now apache22 builds its own apr, even if apr
is installed, unless you define WITH_APR_FROM_PORTS.
Reported by: pointyhat via kris [1]
- Use apache{2,21}flags variable in apache{2,21}_checkconfig().
It fixes restart when apache2ssl_enable is set to YES in rc.conf
and httpd.conf is "old" (i.e. non -DSSL safe) [1]
o Makefile
- split post-install target to add install-startup-script:
User can now upgrade startup script without reinstalling apache2.
NOTE: this is NOT package-safe and NOT supported, even if in most
cases there's no risk.
Noticed by: many [1]
dist config files installed in ${PREFIX}/etc/apache21
- Add support for Event MPM and add backport from apr to support
APR_POLLSET_THREADSAFE (needed by Event MPM and forgotten @ release
time) [1]
- misc cleanups
- Bump PORTREVISION to reflect all cool changes which occurred today ;)
Obtained from: apr svn repository
3rd party modules easy. [1]
o Include <limits.h> before <sys/syslimits.h> to reduce warnings on -CURRENT
PR: 44104 [1]
Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> [1]
Mark apache13-ssl FORBIDDEN because the new version does not yet exist.
Partially based on patches submitted by below authors.
Submitted by: "Sergey A. Osokin" <osa@freebsd.org.ru>,
Udo Schweigert <udo.schweigert@siemens.com>,
Lev A. Serebryakov <lev@serebryakov.spb.ru>
PR: ports/43682, ports/43688, ports/43666, ports/43681
(worker MPM with this hack seems to work without visible problems,
and still requires -DFORCE_THREADING_MPM to build for worker MPM.)
- Fix plist for worker MPM
- Comment out fancy modules from default httpd.conf
Tested on: ref5.freebsd.org, several 4-stable machines [1]
2. Port printed message to "pw userdel www" if port removed permanently.
However master.passwd 1.25.2.5 has user www by default, so this is no
longer correct advice. Removed pkg-deinstall to correct this.
PR: 37849 and 36907
Approved by: MAINTAINER: Hye-Shik Chang <perky@fallin.lv>