mirror of https://git.FreeBSD.org/ports.git synced 2024-12-06 01:57:40 +00:00
Commit Graph

369 Commits

Author SHA1 Message Date
Martin Matuska
205f1ac23d Bump pcre library dependency due to 8.30 update
Add (vendor) patch for deprecated pcre_info()
2012-02-14 12:44:23 +00:00
Philip M. Gollucci
3ca1d8b46d - use $SYSCTL
- use full path setfib

PR:             ports/153264
Submitted by:   Jeremy Chadwick <freebsd@jdc.parodius.com>
With Hat:       apache@
Sponsored by:   Apache Software Foundation (ASF)
2012-02-09 02:49:55 +00:00
Philip M. Gollucci
bc1033f57f - Remove 0 length file breaking pkg
Reported by:    glarkin
2012-02-08 22:49:54 +00:00
Philip M. Gollucci
8f547039c4 - Convert to USERS/GROUPS [1]
- Resync proxy connect patch [2]
- Bump PORTREVISION since the proxy patch is unconditionally applied
  which means we can remove that OPTION too

PR:             ports/164698 [1], ports/164711 [2]
Submitted by:   jgh@ [1], freebsd@nagilum.org [2]
With Hat:       apache@
Sponsored by:   RideCharge Inc. / TaxiMagic
2012-02-08 04:35:31 +00:00
Jason Helfman
09c57f862b - Update to 2.2.22
Addresses:
* SECURITY: CVE-2011-3607 (cve.mitre.org)
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP
Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif
module is enabled, allows local users to gain privileges via a .htaccess file
with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request
header, leading to a heap-based buffer overflow.

* SECURITY: CVE-2012-0021 (cve.mitre.org)
The log_cookie function in mod_log_config.c in the mod_log_config module in the
Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not
properly handle a %{}C format string, which allows remote attackers to cause a
denial of service (daemon crash) via a cookie that lacks both a name and a
value.

* SECURITY: CVE-2012-0031 (cve.mitre.org)
scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local
users to cause a denial of service (daemon crash during shutdown) or possibly
have unspecified other impact by modifying a certain type field within a
scoreboard shared memory segment, leading to an invalid call to the free
function.

* SECURITY: CVE-2011-4317 (cve.mitre.org)
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in
place, does not properly interact with use of (1) RewriteRule and (2)
ProxyPassMatch pattern matches for configuration of a reverse proxy, which
allows remote attackers to send requests to intranet servers via a malformed URI
containing an @ (at sign) character and a : (colon) character in invalid
positions. NOTE: this vulnerability exists because of an incomplete fix for
CVE-2011-3368.

* SECURITY: CVE-2012-0053 (cve.mitre.org)
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly
restrict header information during construction of Bad Request (aka 400) error
documents, which allows remote attackers to obtain the values of HTTPOnly
cookies via vectors involving a (1) long or (2) malformed header in conjunction
with crafted web script.

* SECURITY: CVE-2011-3368 (cve.mitre.org)
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of
(1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a
reverse proxy, which allows remote attackers to send requests to intranet
servers via a malformed URI containing an initial @ (at sign) character.

PR: ports/164675
Reviewed by: pgollucci
Approved by: pgollucci, crees, rene (mentors, implicit)
With Hat: apache@
2012-02-01 18:56:08 +00:00
Philip M. Gollucci
bccdbf2387 - Restore inadvertently removed log renames from previous commit
Noticed by:	sunpoet@
Pointy Hat:	pgollucci@
2012-01-23 23:24:38 +00:00
Philip M. Gollucci
91fae18456 - Pull r1227293 from httpd svn
Note, you have to actually uncomment the include for this to take effect
- No PORTREVISION bump since nothing changes by default

PR:		ports/156987
Reported by:	Adrian Dimcev <adimcev@carbonwind.net>
With Hat:	apache@
2012-01-18 03:44:39 +00:00
Doug Barton
83eb2c3700 In the rc.d scripts, change assignments to rcvar to use the
literal name_enable wherever possible, and ${name}_enable
when it's not, to prepare for the demise of set_rcvar().

In cases where I had to hand-edit unusual instances also
modify formatting slightly to be more uniform (and in
some cases, correct). This includes adding some $FreeBSD$
tags, and most importantly moving rcvar= to right after
name= so it's clear that one is derived from the other.
2012-01-14 08:57:23 +00:00
Dmitry Marakasov
6f6fbe4bdf - Add LDFLAGS to CONFIGURE_ENV and MAKE_ENV (as it was done with LDFLAGS)
- Fix all ports that add {CPP,LD}FLAGS to *_ENV to modify flags instead

PR:		157936
Submitted by:	myself
Exp-runs by:	pav
Approved by:	pav
2011-09-23 22:26:39 +00:00
Olli Hauer
7f37b18a66 - update to version 2.2.21
Addresses:
* SECURITY: CVE-2011-3348 (cve.mitre.org)
 mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
 unrecognized HTTP methods from marking ajp: balancer members
 in an error state, avoiding denial of service.

* SECURITY: CVE-2011-3192 (cve.mitre.org)
 core: Further fixes to the handling of byte-range requests to use
 less memory, to avoid denial of service. This patch includes fixes
 to the patch introduced in release 2.2.20 for protocol compliance,
 as well as the MaxRanges directive.

PR:		ports/160743
Submitted by:	Jason Helfman <jhelfman@experts-exchange.com>
2011-09-15 05:00:28 +00:00
Gabor Kovesdan
d6753a0164 - Track dependencies after databases/gdbm update 2011-09-12 23:17:32 +00:00
Gabor Kovesdan
2fc6a06a9b - Track dependencies after databases/gdbm update 2011-09-12 13:46:58 +00:00
Ade Lovett
b61f0076de Emergency upgrade to 2.2.20 - CVE-2011-3192. Any complaints, talk to me.
PR:		160381
2011-09-02 06:18:02 +00:00
Olli Hauer
3381c15ff3 - Close a race condition that sometimes resulted in configure.in
patches being ignored
2011-06-29 17:28:44 +00:00
Olli Hauer
42c28c2891 - update to httpd-2.2.19
Changes with Apache 2.2.19

  *) Revert ABI breakage in 2.2.18 caused by the function signature change
     of ap_unescape_url_keep2f().  This release restores the signature from
     2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
     [Eric Covener]

commit with hat apache@
2011-05-22 21:33:31 +00:00
Olli Hauer
26894a3437 - unbreak mpm-itk-20110321-01 patch
PR:		ports/157041
Submitted by:	zlopi.ru <zlopi.ru _at gmail.com>
2011-05-14 21:53:21 +00:00
Olli Hauer
92dcc59c86 - update to version 2.2.18
Changes:
http://www.apache.org/dist/httpd/CHANGES_2.2.18

Changes with Apache 2.2.18

  *) Log an error for failures to read a chunk-size, and return 408 instead
     of 413 when this is due to a read timeout.  This change also fixes some cases
     of two error documents being sent in the response for the same scenario.
     [Eric Covener] PR49167

  *) core: Only log a 408 if it is not a keepalive timeout. PR 39785
     [Ruediger Pluem,  Mark Montague <markmont umich.edu>]

  *) core: Treat timeout reading request as 408 error, not 400.
     Log 408 errors in access log as was done in Apache 1.3.x.
     PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, Stefan Fritsch,
     Dan Poirier]

  *) Core HTTP: disable keepalive when the Client has sent
     Expect: 100-continue
     but we respond directly with a non-100 response.  Keepalive here led
     to data from clients continuing being treated as a new request.
     PR 47087.  [Nick Kew]

  *) htpasswd: Change the default algorithm for htpasswd to MD5 on all
     platforms. Crypt with its 8 character limit is not useful anymore;
     improve out of disk space handling (PR 30877); print a warning if
     a password is truncated by crypt. [Stefan Fritsch]

  *) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
     Win32's cscript interpreter can only use a single quote as comment char.
     [Guenter Knauf]

  *) configure: Fix htpasswd/htdbm libcrypt link errors with some newer
     linkers. [Stefan Fritsch]

  *) MinGW build improvements.  PR 49535.  [John Vandenberg
     <jayvdb gmail.com>, Jeff Trawick]

  *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
     [Stefan Fritsch]

  *) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
     in request URL path info but not decode them. PR 35256,
     PR 46830.  [Dan Poirier]

  *) mod_rewrite: Allow to unset environment variables. PR 50746.
     [Rainer Jung]

  *) suEXEC: Add Suexec directive to disable suEXEC without renaming the
     binary (Suexec Off), or force startup failure if suEXEC is required
     but not supported (Suexec On).  [Jeff Trawick]

  *) mod_proxy: Put the worker in error state if the SSL handshake with the
     backend fails. PR 50332.
     [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]

  *) prefork: Update MPM state in children during a graceful restart.
     Allow the HTTP connection handling loop to terminate early
     during a graceful restart.  PR 41743.
     [Andrew Punch <andrew.punch 247realmedia.com>]

  *) mod_ssl: Correctly read full lines in input filter when the line is
     incomplete during first read. PR 50481. [Ruediger Pluem]

  *) mod_autoindex: Merge IndexOptions from server to directory context when
     the directory has no mod_autoindex directives. PR 47766. [Eric Covener]

  *) mod_cache: Make sure that we never allow a 304 Not Modified response
     that we asked for to leak to the client should the 304 response be
     uncacheable. PR45341 [Graham Leggett]

  *) mod_dav: Send 400 error if malformed Content-Range header is received for
     a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]

  *) mod_userdir: Add merging of enable, disable, and filename arguments
     to UserDir directive, leaving enable/disable of userlists unmerged.
     PR 44076 [Eric Covener]

  *) core: Honor 'AcceptPathInfo OFF' during internal redirects,
     such as per-directory mod_rewrite substitutions.  PR 50349.
     [Eric Covener]

  *) mod_cache: Check the request to determine whether we are allowed
     to return cached content at all, and respect a "Cache-Control:
     no-cache" header from a client. Previously, "no-cache" would
     behave like "max-age=0". [Graham Leggett]

  *) mod_mem_cache: Add a debug msg when a streaming response exceeds
     MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary
     'memory allocation failed' debug message. PR 49604. [Eric Covener]

  *) proxy_connect: Don't give up in the middle of a CONNECT tunnel
     when the child process is starting to exit.  PR50220. [Eric Covener]

PR:		156997
Submitted by:	Tsurutani Naoki <turutani _at_ scphys.kyoto-u.ac.jp>
2011-05-13 23:02:38 +00:00
Olli Hauer
83546441a9 - fix Ports with version numbers going backwards for www/apache22-peruser-mpm
- by changing PORTREVISION= to ?=

   Issue reported by erwin@
2011-04-18 20:32:33 +00:00
Olli Hauer
611bdd4c01 - update Apache 2 ITK MPM patch to version 20110321-01 [1]
- add additional patch for mpm-itk [2]
 - add mod_substitute to apache22 [3]
 - add some documentation into the mpm-itk* patches
 - bump portrevision

 Changes:
 [1] apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:
  * Fixed CVE-2011-1176: If NiceValue was set, the default with no
    AssignUserID was to run as root:root instead of the default Apache user
    and group, due to the configuration merger having an incorrect default
    configuration.
  * Rebase against Apache 2.2.17.
  * Fix an issue where users can sometimes get spurious 403s on persistent
    connections, if the .htaccess files are not world readable.
  * In the config merger, don't reallocate the username, since it's already
    in the correct pool. (This is not a memory leak, only a small inefficiency.)

 [2] http://httpd.apache.org/docs/2.2/mod/mod_substitute.html

 Source:
  http://mpm-itk.sesse.net/ [1]
  http://www.pvv.ntnu.no/~knuta/mpm-itk/ [2]
  http://lists.freebsd.org/pipermail/freebsd-apache/2011-March/002184.html [3]

 With Hat:  apache@

PR:		ports/156024 [1][2]
Submitted by:	Lukasz Wasikowski <lukasz _at_ wasikowski.net> [1][2]
		Nick Gieczewski <sorongo _at_ gmail.com> [3]
2011-03-31 17:00:37 +00:00
Martin Wilke
a9481afc8a - Get rid of MD5 support 2011-03-19 12:38:54 +00:00
Philip M. Gollucci
811824fc15 - update conflicts 2010-12-07 20:38:17 +00:00
Ade Lovett
4a8684e352 Sync to new bsd.autotools.mk 2010-12-04 07:34:27 +00:00
Philip M. Gollucci
96fa3156a8 - The previous update to the rc.d script didn't quite maintain the old behavior
correctly.  This fixes the pid file name

PR:				ports/151623
Submitted by:	Vivek Khera <vivek@khera.org>
With Hat:		apache@
Point hat to:	myself (pgollucci)
2010-10-21 18:00:15 +00:00
Philip M. Gollucci
12bfc2c01b - Update to 2.2.17
**
* Note, no CVE affects the FREEBSD port.  devel/apr1 was updated to
* apr-util 1.3.10 on 2010/10/06 05:32:24.
**

Changes:        http://www.apache.org/dist/httpd/CHANGES_2.2
PR:             ports/151594
Submitted by:   Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
With Hat:       apache@

<ChangeLog>
  *) prefork MPM: Run cleanups for final request when process exits gracefully
     to work around a flaw in apr-util.  PR 43857.  [Tom Donovan]

  *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
     connections and other protocol handlers (like mod_ftp). Enforce the
     timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering
     close time from 30 to 2 seconds. [Stefan Fritsch]

  *) Proxy balancer: support setting error status according to HTTP response
     code from a backend.  PR 48939.  [Daniel Ruggeri <DRuggeri primary.net>]

  *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
     password to UTF-8. PR 45318.
     [Johannes Müller <joh_m gmx.de>, Stefan Fritsch]

  *) core: check symlink ownership if both FollowSymlinks and
     SymlinksIfOwnerMatch are set [Nick Kew]

  *) core: fix origin checking in SymlinksIfOwnerMatch
     PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>]

  *) mod_headers: Enable multi-match-and-replace edit option
     PR 46594 [Nick Kew]

  *) mod_log_config: Make ${cookie}C correctly match whole cookie names
     instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
     Stefan Fritsch]

  *) mod_dir, mod_negotiation: Pass the output filter information
     to newly created sub requests; as these are later on used
     as true requests with an internal redirect. This allows for
     mod_cache et.al. to trap the results of the redirect.
     PR 17629, 43939
     [Dirk-Willem van Gulik, Jim Jagielski, Joe Orton, Ruediger Pluem]

  *) rotatelogs: Fix possible buffer overflow if admin configures a
     mongo log file path. [Jeff Trawick]

  *) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton]

  *) vhost: A purely-numeric Host: header should not be treated as a port.
     PR 44979 [Nick Kew]

  *) core: (re)-introduce -T commandline option to suppress documentroot
     check at startup.
     PR 41887 [Jan van den Berg <janvdberg gmail.com>]
</ChangeLog>
2010-10-20 21:04:58 +00:00
Ade Lovett
6abd00a86b Punt autoconf267->autoconf268 2010-10-16 11:52:47 +00:00
Philip M. Gollucci
a47922410b - s,/usr/local,%%PREFIX%%,'
Reported by:	stas
2010-10-14 20:20:06 +00:00
Philip M. Gollucci
e5d53ce9b2 - Allow overriding of the following on a profile basis.
pidfile
    command
    envvars

Without profiles, the old defaults remain unchanged.  With profiles the old defaults
remain unchanged.

Sponsored by:		RideCharge Inc. / TaxiMagic
Tested by:			RideCharge Inc. / TaxiMagic (> 1 yr in production)
With Hat:			apache@
2010-10-14 19:53:25 +00:00
Ade Lovett
8262a7b51d Autotools update. Read ports/UPDATING 20100915 for details.
Approved by:	portmgr (for Mk/bsd.port.mk part)
Tested by:	Multiple -exp runs
2010-09-15 18:35:24 +00:00
Jun Kuriyama
4766daabfe - Upgrade to 2.2.16.
Security:	CVE-2010-1452 (mod_{cache,dev} remote DoS),
		CVE-2010-2068 (mod_{proxy_{ajp,http},reqtimeout} related on some platforms)
2010-07-26 01:28:40 +00:00
Philip M. Gollucci
e5cd151434 Bump PORTREVISION forgotten in last commit, by /home/ncvs lied to me.
- Fix misnamed patch that was unconditionally applied.

PR:             ports/146789
Submitted by:   Sunpoet Po-Chuan Hsieh <sunpoet@sunpoet.net>
With Hat:       apache@
2010-05-21 16:28:25 +00:00
Philip M. Gollucci
4ec4974de3 - Fix misnamed patch that was unconditionally applied.
PR:             ports/146789
Submitted by:   Sunpoet Po-Chuan Hsieh <sunpoet@sunpoet.net>
With Hat:       apache@
2010-05-21 16:27:10 +00:00
Philip M. Gollucci
99d3f4c2b0 - Enable,build, and install mod_reqtimeout.so which mitigates solaris attacks.
- Default on, so bump PORTREVISION

Requested by:       Jonas Eckerman <jonas@fsdb.org> (via apache@)
With Hat:           apache@
2010-05-20 21:43:47 +00:00
Philip M. Gollucci
291d2c2963 - Bump PORTREVISION
With Hat:   apache@
2010-05-18 04:58:08 +00:00
Philip M. Gollucci
b7a56df6ee - Whitespace only
With Hat:   apache@
2010-05-18 04:57:46 +00:00
Philip M. Gollucci
5afcb1b1e9 - only need to set grandfather deps
the dbm maze is a bit harder so is left alone for now

With Hat:   apache@
2010-05-18 04:57:10 +00:00
Philip M. Gollucci
ce9159739d - file is only in devel/apr[01] now.
With Hat:   apache@
2010-05-18 04:55:44 +00:00
Philip M. Gollucci
61a0dda84e - remove apr/apr-util vestiges
- fullbuild not needed anymore
- buildconf not needed anymore
- scripts_env not needed anymore

With Hat:   apache@
2010-05-18 04:55:15 +00:00
Philip M. Gollucci
9d17de2112 - Remove WITH_APR_FROM_PORTS option. Always use devel/apr1 port now.
Bundled srclib/apr is never used now.

With Hat:   apache@
2010-05-18 04:53:40 +00:00
Philip M. Gollucci
61bcae45bc - Chase devel/apr -> devel/apr1 shuffling
PR:             ports/146553
Submitted by:   myself (pgollucci@)
With Hat:       apache@
2010-05-18 04:08:05 +00:00
Philip M. Gollucci
55544fc2be - Convert ports/ to devel/apr1
PR:             ports/146553
Submitted by:   myself (pgollucci@)
With Hat:       apache@
2010-05-18 04:05:05 +00:00
Philip M. Gollucci
7e4300807c - blasted whitespace 2010-05-14 05:05:13 +00:00
Philip M. Gollucci
dac9992061 By default suexec doesn't enforce different resource limitations configured in
login.conf(5). This is probably because resource limitations are handled
differently on various different platforms.

This modifies suexec behaviour to set resource limits for CGI's
from /etc/login.conf before execing the customer's CGI script.

Doesn't affect default package, so no PORTREVISION bumps.

I will follow up at dev@httpd.apache.org to see about adding this
with #ifdefs.

PR:             ports/136091
Submitted by:   Alexey V.Degtyarev <alexey@renatasystems.org>
With Hat:       apache@
2010-05-14 05:03:30 +00:00
Philip M. Gollucci
6aee801e30 - Remove use of $] which is deprecated in perl and gone in perl 5.12
This is already being discussed at dev@httpd and will be committed upstream

Reported by:    brad clawsie <clawsie@fastmail.fm> (on apache@ list)
With Hat:       apache@
2010-05-13 00:59:32 +00:00
Philip M. Gollucci
3f811ff308 - Continuation of ports/133704
apxs -A comments out the LoadModule line
  This adds custom FreeBSD mod to 'DELETE' the line so that it works with
  our pkg-plists in packages.
- Remove -s from the cmp httpd.conf in pkg-plist to be blatant about why
  it didn't get removed
- Tested with lang/php5
- Bump PORTREVISION

PR:             ports/133704
With Hat:       apache@
2010-05-07 21:46:21 +00:00
Philip M. Gollucci
3366a8de36 - Fix -A and -a options for apxs to correctly ignore whitespace.
This will fix about 100 pkg-plist left overs for httpd.conf
- Bump PORTREVISION
-  This will be in 2.2.16.

PR:             ports/133704
Obtained from:  http://svn.apache.org/viewvc?rev=942210&view=rev
Reported by:    olli hauer <ohauer@gmx.de> (and very good pr!)
With Hat:       apache@
2010-05-07 20:53:45 +00:00
Philip M. Gollucci
e8d8b59a91 - FreeBSD doesn't use EGD sockets. Also the option handling doesn't honor
without-egd.
  Carry the devel/apr fix through

PR:             ports/146376
Submitted by:   Guido Fals
2010-05-07 18:33:45 +00:00
Philip M. Gollucci
feb214d3d7 2/2: fix mod_auth_digest builds which need EGD and DEVRANDOM.
This fixes both bundled apr using the port (devel/apr for WITH_APR_FROM_PORTS)

PR: ports/134577
Requested by: Pascal Vizeli <pvizeli@yahoo.de>
With Hat: apache@
2010-05-07 05:56:58 +00:00
Philip M. Gollucci
591d019abc - silence this warning -- libtool: ignoring unknown tag CXX
With Hat:   apache@
2010-05-07 05:16:39 +00:00
Philip M. Gollucci
02a2b9d8f0 - fix ldap support (duplicate www/apache20 fix)
--with-ldap switches on LDAP library linking in apr-util
    --enable-ldap option switches on the LDAP caching module
    --enable-authnz-ldap option switches on the LDAP authentication module
   [AAA was rewritten in 3 pieces in 2.4.x, hence the option change]
  - no custom patch, the linking was fixed in 2.2.x
  - ldap is not in the default package, so no PORTREVISION bump

PR:             ports/128079
Reported by:    koitsu, skreuzer
With Hat:       apache@
2010-05-07 05:14:38 +00:00
Philip M. Gollucci
f3fd2dc043 - Fix the owner to be root:wheel on files* when running sudo make ...
This doesn't affect the package b/c pointyhat/tb run as root

PR:             ports/134456
With Hat:       apache@
2010-05-07 03:15:44 +00:00