- use full path setfib
PR: ports/153264
Submitted by: Jeremy Chadwick <freebsd@jdc.parodius.com>
With Hat: apache@
Sponsored by: Apache Software Foundation (ASF)
- Resync proxy connect patch [2]
- Bump PORTREVISION since the proxy patch is unconditionally applied
which means we can remove that OPTION too
PR: ports/164698 [1], ports/164711 [2]
Submitted by: jgh@ [1], freebsd@nagilum.org [2]
With Hat: apache@
Sponsored by: RideCharge Inc. / TaxiMagic
Addresses:
* SECURITY: CVE-2011-3607 (cve.mitre.org)
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP
Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif
module is enabled, allows local users to gain privileges via a .htaccess file
with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request
header, leading to a heap-based buffer overflow.
* SECURITY: CVE-2012-0021 (cve.mitre.org)
The log_cookie function in mod_log_config.c in the mod_log_config module in the
Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not
properly handle a %{}C format string, which allows remote attackers to cause a
denial of service (daemon crash) via a cookie that lacks both a name and a
value.
* SECURITY: CVE-2012-0031 (cve.mitre.org)
scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local
users to cause a denial of service (daemon crash during shutdown) or possibly
have unspecified other impact by modifying a certain type field within a
scoreboard shared memory segment, leading to an invalid call to the free
function.
* SECURITY: CVE-2011-4317 (cve.mitre.org)
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in
place, does not properly interact with use of (1) RewriteRule and (2)
ProxyPassMatch pattern matches for configuration of a reverse proxy, which
allows remote attackers to send requests to intranet servers via a malformed URI
containing an @ (at sign) character and a : (colon) character in invalid
positions. NOTE: this vulnerability exists because of an incomplete fix for
CVE-2011-3368.
* SECURITY: CVE-2012-0053 (cve.mitre.org)
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly
restrict header information during construction of Bad Request (aka 400) error
documents, which allows remote attackers to obtain the values of HTTPOnly
cookies via vectors involving a (1) long or (2) malformed header in conjunction
with crafted web script.
* SECURITY: CVE-2011-3368 (cve.mitre.org)
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of
(1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a
reverse proxy, which allows remote attackers to send requests to intranet
servers via a malformed URI containing an initial @ (at sign) character.
PR: ports/164675
Reviewed by: pgollucci
Approved by: pgollucci, crees, rene (mentors, implicit)
With Hat: apache@
Note, you have to actually uncomment the include for this to take affect
- No PORTREVISION bump since nothing changes by default
PR: ports/156987
Reported by: Adrian Dimcev <adimcev@carbonwind.net>
With Hat: apache@
literal name_enable wherever possible, and ${name}_enable
when it's not, to prepare for the demise of set_rcvar().
In cases where I had to hand-edit unusual instances also
modify formatting slightly to be more uniform (and in
some cases, correct). This includes adding some $FreeBSD$
tags, and most importantly moving rcvar= to right after
name= so it's clear that one is derived from the other.
Addresses:
* SECURITY: CVE-2011-3348 (cve.mitre.org)
mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
unrecognized HTTP methods from marking ajp: balancer members
in an error state, avoiding denial of service.
* SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Further fixes to the handling of byte-range requests to use
less memory, to avoid denial of service. This patch includes fixes
to the patch introduced in release 2.2.20 for protocol compliance,
as well as the MaxRanges directive.
PR: ports/160743
Submitted by: Jason Helfman <jhelfman@experts-exchange.com>
Changes with Apache 2.2.19
*) Revert ABI breakage in 2.2.18 caused by the function signature change
of ap_unescape_url_keep2f(). This release restores the signature from
2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
[Eric Covener]
commit with hat apache@
Changes:
http://www.apache.org/dist/httpd/CHANGES_2.2.18
Changes with Apache 2.2.18
*) Log an error for failures to read a chunk-size, and return 408 instead
413 when this is due to a read timeout. This change also fixes some cases
of two error documents being sent in the response for the same scenario.
[Eric Covener] PR49167
*) core: Only log a 408 if it is no keepalive timeout. PR 39785
[Ruediger Pluem, Mark Montague <markmont umich.edu>]
*) core: Treat timeout reading request as 408 error, not 400.
Log 408 errors in access log as was done in Apache 1.3.x.
PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, Stefan Fritsch,
Dan Poirier]
*) Core HTTP: disable keepalive when the Client has sent
Expect: 100-continue
but we respond directly with a non-100 response. Keepalive here led
to data from clients continuing being treated as a new request.
PR 47087. [Nick Kew]
*) htpasswd: Change the default algorithm for htpasswd to MD5 on all
platforms. Crypt with its 8 character limit is not useful anymore;
improve out of disk space handling (PR 30877); print a warning if
a password is truncated by crypt. [Stefan Fritsch]
*) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
Win32's cscript interpreter can only use a single quote as comment char.
[Guenter Knauf]
*) configure: Fix htpasswd/htdbm libcrypt link errors with some newer
linkers. [Stefan Fritsch]
*) MinGW build improvements. PR 49535. [John Vandenberg
<jayvdb gmail.com>, Jeff Trawick]
*) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
[Stefan Fritsch]
*) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
in request URL path info but not decode them. PR 35256,
PR 46830. [Dan Poirier]
*) mod_rewrite: Allow to unset environment variables. PR 50746.
[Rainer Jung]
*) suEXEC: Add Suexec directive to disable suEXEC without renaming the
binary (Suexec Off), or force startup failure if suEXEC is required
but not supported (Suexec On). [Jeff Trawick]
*) mod_proxy: Put the worker in error state if the SSL handshake with the
backend fails. PR 50332.
[Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
*) prefork: Update MPM state in children during a graceful restart.
Allow the HTTP connection handling loop to terminate early
during a graceful restart. PR 41743.
[Andrew Punch <andrew.punch 247realmedia.com>]
*) mod_ssl: Correctly read full lines in input filter when the line is
incomplete during first read. PR 50481. [Ruediger Pluem]
*) mod_autoindex: Merge IndexOptions from server to directory context when
the directory has no mod_autoindex directives. PR 47766. [Eric Covener]
*) mod_cache: Make sure that we never allow a 304 Not Modified response
that we asked for to leak to the client should the 304 response be
uncacheable. PR45341 [Graham Leggett]
*) mod_dav: Send 400 error if malformed Content-Range header is received for
a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]
*) mod_userdir: Add merging of enable, disable, and filename arguments
to UserDir directive, leaving enable/disable of userlists unmerged.
PR 44076 [Eric Covener]
*) core: Honor 'AcceptPathInfo OFF' during internal redirects,
such as per-directory mod_rewrite substitutions. PR 50349.
[Eric Covener]
*) mod_cache: Check the request to determine whether we are allowed
to return cached content at all, and respect a "Cache-Control:
no-cache" header from a client. Previously, "no-cache" would
behave like "max-age=0". [Graham Leggett]
*) mod_mem_cache: Add a debug msg when a streaming response exceeds
MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary
'memory allocation failed' debug message. PR 49604. [Eric Covener]
*) proxy_connect: Don't give up in the middle of a CONNECT tunnel
when the child process is starting to exit. PR50220. [Eric Covener]
PR: 156997
Submitted by: Tsurutani Naoki <turutani _at_ scphys.kyoto-u.ac.jp>
- add additional patch for mpm-itk [2]
- add mod_substitute to apache22 [3]
- add some documentation into the mpm-itk* patches
- bump portrevision
Changes:
[1] apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:
* Fixed CVE-2011-1176: If NiceValue was set, the default with no
AssignUserID was to run as root:root instead of the default Apache user
and group, due to the configuration merger having an incorrect default
configuration.
* Rebase against Apache 2.2.17.
* Fix an issue where users can sometimes get spurious 403s on persistent
connections, if the .htaccess files are not world readable.
* In the config merger, don't reallocate the username, since it's already
in the correct pool. (This is not a memory leak, only a small inefficiency.)
[2] http://httpd.apache.org/docs/2.2/mod/mod_substitute.html
Source:
http://mpm-itk.sesse.net/ [1]
http://www.pvv.ntnu.no/~knuta/mpm-itk/ [2]
http://lists.freebsd.org/pipermail/freebsd-apache/2011-March/002184.html [3]
With Hat: apache@
PR: ports/156024 [1][2]
Submitted by: Lukasz Wasikowski <lukasz _at_ wasikowski.net> [1][2]
Nick Gieczewski <sorongo _at_ gmail.com> [3]
correctly. This fixes the pid file name
PR: ports/151623
Submitted by: Vivek Khera <vivek@khera.org>
With Hat: apache@
Point hat to: myself (pgollucci)
**
* Note, no CVE affects the FREEBSD port. devel/apr1 was updated to
* apr-util 1.3.10 on 2010/10/06 05:32:24.
**
Changes: http://www.apache.org/dist/httpd/CHANGES_2.2
PR: ports/151594
Submitted by: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
With Hat: apache@
<ChangeLog>
*) prefork MPM: Run cleanups for final request when process exits gracefully
to work around a flaw in apr-util. PR 43857. [Tom Donovan]
*) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
connections and other protocol handlers (like mod_ftp). Enforce the
timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering
close time from 30 to 2 seconds. [Stefan Fritsch]
*) Proxy balancer: support setting error status according to HTTP response
code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]
*) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
password to UTF-8. PR 45318.
[Johannes Müller <joh_m gmx.de>, Stefan Fritsch]
*) core: check symlink ownership if both FollowSymlinks and
SymlinksIfOwnerMatch are set [Nick Kew]
*) core: fix origin checking in SymlinksIfOwnerMatch
PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>]
*) mod_headers: Enable multi-match-and-replace edit option
PR 46594 [Nick Kew]
*) mod_log_config: Make ${cookie}C correctly match whole cookie names
instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
Stefan Fritsch]
*) mod_dir, mod_negotiation: Pass the output filter information
to newly created sub requests; as these are later on used
as true requests with an internal redirect. This allows for
mod_cache et.al. to trap the results of the redirect.
PR 17629, 43939
[Dirk-Willem van Gulik, Jim Jagielski, Joe Orton, Ruediger Pluem]
*) rotatelogs: Fix possible buffer overflow if admin configures a
mongo log file path. [Jeff Trawick]
*) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton]
*) vhost: A purely-numeric Host: header should not be treated as a port.
PR 44979 [Nick Kew]
*) core: (re)-introduce -T commandline option to suppress documentroot
check at startup.
PR 41887 [Jan van den Berg <janvdberg gmail.com>]
</ChangeLog>
pidfile
command
envvars
Without profiles, the old defaults remain unchanged. With profiles the old defaults
remain unchanged.
Sponsored by: RideCharge Inc. / TaxiMagic
Tested by: RideCharge Inc. / TaxiMagic (> 1 yr in production)
With Hat: apache@
login.conf(5). This is probably because resource limitations are handled
differently on various different platforms.
This modifies suexec behaviour to set resource limits for CGI's
from /etc/login.conf before execing the customers CGI script.
Doesn't affect default package, so no PORTREVISION bumps.
I will follow up at dev@httpd.apache.org to see about adding this
with #ifdefs.
PR: ports/136091
Submitted by: Alexey V.Degtyarev <alexey@renatasystems.org>
With Hat: apache@
This is already being discussed at dev@httpd and will be committed upstream
Reported by: brad clawsie <clawsie@fastmail.fm> (on apache@ list)
With Hat: apache@
apxs -A comments out the LoadModule line
This adds custom FreeBSD mod to 'DELETE' the line so that it works with
our pkg-plists in packages.
- Remove -s form the cmp httpd.conf in pkg-plist to be blatant about why
it didn't get removed
- Tested with lang/php5
- Bump PORTREVISION
PR: ports/133704
With Hat: apache@
This will fix about 100 pkg-plist left overs for httpd.conf
- Bump PORTREVISION
- This will be in 2.2.16.
PR: ports/133704
Obtained from: http://svn.apache.org/viewvc?rev=942210&view=rev
Reported by: olli hauer <ohauer@gmx.de> (and very good pr!)
With Hat: apache@
This fixes both bundled apr using the port (devel/apr for WITH_APR_FROM_PORTS)
PR: ports/134577
Requested by: Pascal Vizeli <pvizeli@yahoo.de>
With Hat: apache@
--with-ldap switches on LDAP library linking in apr-util
--enable-ldap option switches on the LDAP caching module
--enable-authnz-ldap option switches on the LDAP authentication module
[AAA was rewritten in 3 peices in 2.4.x, hence the option change]
- no custom patch, the linking was fixed in 2.2.x
- ldap is not in the default package, so no PORTREVISION bump
PR: ports/128079
Reported by: koitsu, skreuzer
With Hat: apache@