- update APR to 1.4.6
- update APR-util to 1.4.1
- remove PKGNAMESUFFIX'es
www/apache-(event|itk|peruser|worker)-mpm
- adopt new Makefile header, adjust
PKGNAMESUFFIX in apache22 masterport
PKGNAME match now LATEST_LINK
www/apache22 [2]-[6]
- rewrite for options NG
- PORTNAME s|apache|apache22|
- remove APR APR-util specific otions,
will be checked now with help of apr/u-1-config
Mk/bsd.apache.mk
- rewrite for options NG
- remove no longer needet make targets
(show-categories, make-options-list)
[1]
PR: 165143
[2]-[6]
PR: 130479
PR: 153406
PR: 158565
PR: 168769
PR: 167965
with hat apache@
- remove all apr/apu related parts (leftovers from bundled apr)
- remove invalid parts from Makefile.doc
- move MODULES to Makefile.options
- remove apache20 parts
- remove category handling
with hat apache@
keep full backward support until apache20 is removed from the tree
comment code to remove with MFC TODO:
- adjust apache20 and apache22 ports
changes are transparent for users (no PORTREVISION bump)
Users who are using special build instructions in make.conf, such as
- WITH_STATIC_MODULES= alias dir log_config mime rewrite setenvif vhost_alias
should convert the values to UPPERCASE
- WITH_STATIC_MODULES= ALIAS DIR LOG_CONFIG MIME REWRITE SETENVIF VHOST_ALIAS
At the moment code to support old lowercase style is in place, but
target to remove in favor for options NG.
with hat apache@
- centralise OPTIONS in Makefile.options
- s/Enable// in OPTIONS
- rewrite Makefile.modules (last defined SLAVE_PORT_MPM port use now WITH_MPM var)
- no REVISION bump, nothing changed in the logic / functionality
apache22-peruser-mpm
- use WITH_MPM instead SLAVE_PORT_MPM
- use full path setfib
PR: ports/153264
Submitted by: Jeremy Chadwick <freebsd@jdc.parodius.com>
With Hat: apache@
Sponsored by: Apache Software Foundation (ASF)
- Resync proxy connect patch [2]
- Bump PORTREVISION since the proxy patch is unconditionally applied
which means we can remove that OPTION too
PR: ports/164698 [1], ports/164711 [2]
Submitted by: jgh@ [1], freebsd@nagilum.org [2]
With Hat: apache@
Sponsored by: RideCharge Inc. / TaxiMagic
Addresses:
* SECURITY: CVE-2011-3607 (cve.mitre.org)
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP
Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif
module is enabled, allows local users to gain privileges via a .htaccess file
with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request
header, leading to a heap-based buffer overflow.
* SECURITY: CVE-2012-0021 (cve.mitre.org)
The log_cookie function in mod_log_config.c in the mod_log_config module in the
Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not
properly handle a %{}C format string, which allows remote attackers to cause a
denial of service (daemon crash) via a cookie that lacks both a name and a
value.
* SECURITY: CVE-2012-0031 (cve.mitre.org)
scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local
users to cause a denial of service (daemon crash during shutdown) or possibly
have unspecified other impact by modifying a certain type field within a
scoreboard shared memory segment, leading to an invalid call to the free
function.
* SECURITY: CVE-2011-4317 (cve.mitre.org)
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in
place, does not properly interact with use of (1) RewriteRule and (2)
ProxyPassMatch pattern matches for configuration of a reverse proxy, which
allows remote attackers to send requests to intranet servers via a malformed URI
containing an @ (at sign) character and a : (colon) character in invalid
positions. NOTE: this vulnerability exists because of an incomplete fix for
CVE-2011-3368.
* SECURITY: CVE-2012-0053 (cve.mitre.org)
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly
restrict header information during construction of Bad Request (aka 400) error
documents, which allows remote attackers to obtain the values of HTTPOnly
cookies via vectors involving a (1) long or (2) malformed header in conjunction
with crafted web script.
* SECURITY: CVE-2011-3368 (cve.mitre.org)
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of
(1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a
reverse proxy, which allows remote attackers to send requests to intranet
servers via a malformed URI containing an initial @ (at sign) character.
PR: ports/164675
Reviewed by: pgollucci
Approved by: pgollucci, crees, rene (mentors, implicit)
With Hat: apache@
Note, you have to actually uncomment the include for this to take affect
- No PORTREVISION bump since nothing changes by default
PR: ports/156987
Reported by: Adrian Dimcev <adimcev@carbonwind.net>
With Hat: apache@
literal name_enable wherever possible, and ${name}_enable
when it's not, to prepare for the demise of set_rcvar().
In cases where I had to hand-edit unusual instances also
modify formatting slightly to be more uniform (and in
some cases, correct). This includes adding some $FreeBSD$
tags, and most importantly moving rcvar= to right after
name= so it's clear that one is derived from the other.
Addresses:
* SECURITY: CVE-2011-3348 (cve.mitre.org)
mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
unrecognized HTTP methods from marking ajp: balancer members
in an error state, avoiding denial of service.
* SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Further fixes to the handling of byte-range requests to use
less memory, to avoid denial of service. This patch includes fixes
to the patch introduced in release 2.2.20 for protocol compliance,
as well as the MaxRanges directive.
PR: ports/160743
Submitted by: Jason Helfman <jhelfman@experts-exchange.com>
Changes with Apache 2.2.19
*) Revert ABI breakage in 2.2.18 caused by the function signature change
of ap_unescape_url_keep2f(). This release restores the signature from
2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
[Eric Covener]
commit with hat apache@
Changes:
http://www.apache.org/dist/httpd/CHANGES_2.2.18
Changes with Apache 2.2.18
*) Log an error for failures to read a chunk-size, and return 408 instead
413 when this is due to a read timeout. This change also fixes some cases
of two error documents being sent in the response for the same scenario.
[Eric Covener] PR49167
*) core: Only log a 408 if it is no keepalive timeout. PR 39785
[Ruediger Pluem, Mark Montague <markmont umich.edu>]
*) core: Treat timeout reading request as 408 error, not 400.
Log 408 errors in access log as was done in Apache 1.3.x.
PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, Stefan Fritsch,
Dan Poirier]
*) Core HTTP: disable keepalive when the Client has sent
Expect: 100-continue
but we respond directly with a non-100 response. Keepalive here led
to data from clients continuing being treated as a new request.
PR 47087. [Nick Kew]
*) htpasswd: Change the default algorithm for htpasswd to MD5 on all
platforms. Crypt with its 8 character limit is not useful anymore;
improve out of disk space handling (PR 30877); print a warning if
a password is truncated by crypt. [Stefan Fritsch]
*) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
Win32's cscript interpreter can only use a single quote as comment char.
[Guenter Knauf]
*) configure: Fix htpasswd/htdbm libcrypt link errors with some newer
linkers. [Stefan Fritsch]
*) MinGW build improvements. PR 49535. [John Vandenberg
<jayvdb gmail.com>, Jeff Trawick]
*) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
[Stefan Fritsch]
*) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
in request URL path info but not decode them. PR 35256,
PR 46830. [Dan Poirier]
*) mod_rewrite: Allow to unset environment variables. PR 50746.
[Rainer Jung]
*) suEXEC: Add Suexec directive to disable suEXEC without renaming the
binary (Suexec Off), or force startup failure if suEXEC is required
but not supported (Suexec On). [Jeff Trawick]
*) mod_proxy: Put the worker in error state if the SSL handshake with the
backend fails. PR 50332.
[Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
*) prefork: Update MPM state in children during a graceful restart.
Allow the HTTP connection handling loop to terminate early
during a graceful restart. PR 41743.
[Andrew Punch <andrew.punch 247realmedia.com>]
*) mod_ssl: Correctly read full lines in input filter when the line is
incomplete during first read. PR 50481. [Ruediger Pluem]
*) mod_autoindex: Merge IndexOptions from server to directory context when
the directory has no mod_autoindex directives. PR 47766. [Eric Covener]
*) mod_cache: Make sure that we never allow a 304 Not Modified response
that we asked for to leak to the client should the 304 response be
uncacheable. PR45341 [Graham Leggett]
*) mod_dav: Send 400 error if malformed Content-Range header is received for
a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]
*) mod_userdir: Add merging of enable, disable, and filename arguments
to UserDir directive, leaving enable/disable of userlists unmerged.
PR 44076 [Eric Covener]
*) core: Honor 'AcceptPathInfo OFF' during internal redirects,
such as per-directory mod_rewrite substitutions. PR 50349.
[Eric Covener]
*) mod_cache: Check the request to determine whether we are allowed
to return cached content at all, and respect a "Cache-Control:
no-cache" header from a client. Previously, "no-cache" would
behave like "max-age=0". [Graham Leggett]
*) mod_mem_cache: Add a debug msg when a streaming response exceeds
MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary
'memory allocation failed' debug message. PR 49604. [Eric Covener]
*) proxy_connect: Don't give up in the middle of a CONNECT tunnel
when the child process is starting to exit. PR50220. [Eric Covener]
PR: 156997
Submitted by: Tsurutani Naoki <turutani _at_ scphys.kyoto-u.ac.jp>
- add additional patch for mpm-itk [2]
- add mod_substitute to apache22 [3]
- add some documentation into the mpm-itk* patches
- bump portrevision
Changes:
[1] apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:
* Fixed CVE-2011-1176: If NiceValue was set, the default with no
AssignUserID was to run as root:root instead of the default Apache user
and group, due to the configuration merger having an incorrect default
configuration.
* Rebase against Apache 2.2.17.
* Fix an issue where users can sometimes get spurious 403s on persistent
connections, if the .htaccess files are not world readable.
* In the config merger, don't reallocate the username, since it's already
in the correct pool. (This is not a memory leak, only a small inefficiency.)
[2] http://httpd.apache.org/docs/2.2/mod/mod_substitute.html
Source:
http://mpm-itk.sesse.net/ [1]
http://www.pvv.ntnu.no/~knuta/mpm-itk/ [2]
http://lists.freebsd.org/pipermail/freebsd-apache/2011-March/002184.html [3]
With Hat: apache@
PR: ports/156024 [1][2]
Submitted by: Lukasz Wasikowski <lukasz _at_ wasikowski.net> [1][2]
Nick Gieczewski <sorongo _at_ gmail.com> [3]
correctly. This fixes the pid file name
PR: ports/151623
Submitted by: Vivek Khera <vivek@khera.org>
With Hat: apache@
Point hat to: myself (pgollucci)
**
* Note, no CVE affects the FREEBSD port. devel/apr1 was updated to
* apr-util 1.3.10 on 2010/10/06 05:32:24.
**
Changes: http://www.apache.org/dist/httpd/CHANGES_2.2
PR: ports/151594
Submitted by: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
With Hat: apache@
<ChangeLog>
*) prefork MPM: Run cleanups for final request when process exits gracefully
to work around a flaw in apr-util. PR 43857. [Tom Donovan]
*) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
connections and other protocol handlers (like mod_ftp). Enforce the
timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering
close time from 30 to 2 seconds. [Stefan Fritsch]
*) Proxy balancer: support setting error status according to HTTP response
code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]
*) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
password to UTF-8. PR 45318.
[Johannes Müller <joh_m gmx.de>, Stefan Fritsch]
*) core: check symlink ownership if both FollowSymlinks and
SymlinksIfOwnerMatch are set [Nick Kew]
*) core: fix origin checking in SymlinksIfOwnerMatch
PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>]
*) mod_headers: Enable multi-match-and-replace edit option
PR 46594 [Nick Kew]
*) mod_log_config: Make ${cookie}C correctly match whole cookie names
instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
Stefan Fritsch]
*) mod_dir, mod_negotiation: Pass the output filter information
to newly created sub requests; as these are later on used
as true requests with an internal redirect. This allows for
mod_cache et.al. to trap the results of the redirect.
PR 17629, 43939
[Dirk-Willem van Gulik, Jim Jagielski, Joe Orton, Ruediger Pluem]
*) rotatelogs: Fix possible buffer overflow if admin configures a
mongo log file path. [Jeff Trawick]
*) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton]
*) vhost: A purely-numeric Host: header should not be treated as a port.
PR 44979 [Nick Kew]
*) core: (re)-introduce -T commandline option to suppress documentroot
check at startup.
PR 41887 [Jan van den Berg <janvdberg gmail.com>]
</ChangeLog>
pidfile
command
envvars
Without profiles, the old defaults remain unchanged. With profiles the old defaults
remain unchanged.
Sponsored by: RideCharge Inc. / TaxiMagic
Tested by: RideCharge Inc. / TaxiMagic (> 1 yr in production)
With Hat: apache@
