Fix CAN-2004-0885:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.
Credits: Hartmut Keil, Joe Orton
- Use "PORTDOCS= #" and get rid of docs entry in plist.
- Support for FreeBSD 6 in apr
- Move of cache modules from THREADS to EXPERIMENTAL category and make
sure we enable THREADS modules (cgid only) when a threaded MPM is
selected.
- Resurrect WITH_EXTRA_MODULES knob
- powerlogo.gif is now hosted by FreeBSD mirrors
- WITH_<category> is definitively no longer supported.
- Add Includes dir when installed via a package [1]
PR: ports/72309 [1]
Submitted by: Christian Kratzer <ck at cksoft dot de> [1]
*) SECURITY: CAN-2004-0786 (cve.mitre.org)
Fix an input validation issue in apr-util which could be
triggered by malformed IPv6 literal addresses. [Joe Orton]
*) SECURITY: CAN-2004-0747 (cve.mitre.org)
Fix buffer overflow in expansion of environment variables in
configuration file parsing. [André Malo]
*) SECURITY: CAN-2004-0809 (cve.mitre.org)
mod_dav_fs: Fix a segfault in the handling of an indirect lock
refresh. PR 31183. [Joe Orton]
- Update documentation (finally!) and fix WITH_<CATEGORY>_MODULES
for special modules like LDAP or SSL [2]
Noticed by: nectar [1]
Requested by: Emile Heitor <imil at home dot imil dot net> [2]
Approved by: portmgr (marcus)
o Changes in httpd.conf
- mod_userdir:
. set Userdir if mod_userdir is loaded [1]
. Userdir is denied for users from /etc/ftpusers
- set more "secure" permissions.
By default, policy is to deny access to filesystem.
You HAVE to _ENABLE_ access to your filesystem in httpd.conf.
- Add an "Includes" directory to ${PREFIX}/etc/apache2/
to make configuration more flexible
${PREFIX}/etc/apache2/*.conf files are now automatically loaded.
o apache.sh
- be closer to apachectl, apache.sh needs envvars [2]
It should restore subversion behavior.
Partially submitted by:
kuriyama [1],
Gregory (Grisha) Trubetskoy <grisha at apache dot org> [2]
Future changes are mostly written, they should be committed during the
week-end.
If you're interested in changes, feel free to contact me.
- Add WITHOUT_V4MAPPED knob and explicitly set --disable-v4-mapped
if WITHOUT_V4MAPPED or WITH_IPV6_V6ONLY
Also submitted by: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp> [1]
Important changes:
*) SECURITY: CAN-2004-0493 (cve.mitre.org)
Close a denial of service vulnerability identified by Georgi
Guninski which could lead to memory exhaustion with certain
input data. [Jeff Trawick]
*) SECURITY: CAN-2004-0488 (cve.mitre.org)
mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
(trusted) client certificate subject DN which exceeds 6K in length.
[Joe Orton]
Details can be found here:
http://www.apache.org/dist/httpd/CHANGES_2.0
- Use autoconf 2.59
- Add SUEXEC_LOGFILE tunable to set suexec logfile [1]
- Silently ignore removal of libexec/apache2 directory
- Import latest version of apr_reslist.c from apr CVS which
adds timeout feature to apr_reslist_acquire().
This is required for future mod_logio-st.
- Add explicit dependency on libiconv (so now we support libiconv)
- Move Windows Update fix from MASTER_SITE_LOCAL to ports tree
- add WITH_EXPERIMENTAL_PATCHES knobs:
These patches are backports from apache CVS HEAD or apr CVS HEAD.
They have positive impacts on apache responsiveness but can be
unstable and are NOT currently supported by apache/apr teams.
* exp-http-ready.patch: add "httpready" support for ACCEPT_FILTER
(currently apache 2 only supports "dataready")
* exp-apr-kqueue.patch: add support for kqueue in apr_poll().
This patch greatly improves apache network performance (up to
18% according to the author, on my test box, between 13% and 21%)
Test and feedback on -STABLE are welcome ;)
For more details, please see:
http://marc.theaimsgroup.com/?t=108650227500001&r=1&w=2
Submitted by: knu [1]
NOTE:
Please set MASTER_SITE_APACHE_HTTPD to closest mirrors.
you can easily find them from:
http://www.apache.org/dyn/closer.cgi/httpd/
Thanks :
on > 4.8-STABLE (from september 2003) system because apache2 used
libc_r instead of libc.
Compiling with -lkse (on -CURRENT) was broken too.
- bump PORTREVISION to force users to upgrade.
NOTE: on -STABLE DO NOT DEFINE WITH_THREADS.
(unless you use a threaded MPM)
Thanks to Fritz Heinrichmeyer <fritz.heinrichmeyer@fernuni-hagen.de>
who helped me to track the problem.
Noticed by: Fritz Heinrichmeyer <fritz.heinrichmeyer@fernuni-hagen.de>
HAYASHI, "Lef" Tatsuya <lef@st.rim.or.jp> [1]
PR: 61317 [1]
Approved by: erwin (mentor) (implicitly)
message option in pre-everything:: target.
- Change OpenSSL fix. (specially when WITH_BERKELEYDB=FreeBSD is defined)
There are too many cases of failure (at least 3), so I can't force -STABLE
users to use SSL_EXPERIMENT_ENGINE [1]
- Add WITH_SSL_EXPERIMENTAL_ENGINE knob [2]
- Better db42 apr-util detection [3]
- Add fastest mirror to PATCH_SITES
- Add db42 to "make show-options"
Note to users:
Unless you have a *really* good request, no more features will be added.
Please send me with your bug reports:
- uname -a output
- all config.log files
- pkg_info output
- your make command line
Noticed by: apache2-test-ng.sh script [1]
Barry Pederson <bp@barryp.org> [3]
Requested by: jb@perso-web.com [2]
- Move docs-related stuff to Makefile.doc
- Better MPM handling (for slave ports)
- Fix HTTP_PORT behaviour
- Make suExec more configurable [1]
- Now config scripts are regenerated by buildconfig, to improve slave
ports support and minimize apr/apache2 ports conflict [2]
- Fix typo in AUTH_MODULES routine [3] [4]
- apr threaded support [5]
- Fix Segmentation fault with LDAP [6]
- Add db42 support. [7] (just uncomment related lines
if you installed it from shar)
- add SLAVE_DESIGNED_FOR variable for slave ports to
automatically mark them as BROKEN, if they are out of sync with
apache2
PRs: 60444 [1], 61030 [4]
Requested by: Matthias Andree <matthias.andree@gmx.de> [7]
Suggested by: kuriyama [2] [5]
Submitted by: Daniel Tasov <danielt@pilgerer.org> [1],
kuriyama [5],
motoyuki [3],
Scott Michel <scottm@cs.ucla.edu> [4]
Obtained from: Apache CVS [6]
Reviewed by: erwin, linimon
Approved by: erwin (mentor)
- fix nasty typo in DBM code (missing + in LIB_DEPENDS=)
- remove NO_{ERROR;WWWDATE;CGI;ICONS;WWW} and utilize WITHOUT_WWW and
WITH_CUSTOM_WWW [2]
- HTTP_PORT => WITH_HTTP_PORT and IPV6_ONLY => WITH_IPV6_ONLY [3]
- add support for FreeBSD libc db [4]
- add db41 support [5]
- more typos and a few things...
Notified by: Oliver Eikemeier <eikemeier@fillmore-labs.com> [1]
Discussed with: Oliver Eikemeier <eikemeier@fillmore-labs.com> [2] [3]
Requested by: Fritz Heinrichmeyer <fritz.heinrichmeyer@fernuni-hagen.de> [4]
Submitted by: <swp@uni-altai.ru> [5]
PR: 58739
Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org>
3rd party modules easy. [1]
o Include <limits.h> before <sys/syslimits.h> to reduce warnings on -CURRENT
PR: 44104 [1]
Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> [1]
Mark apache13-ssl FORBIDDEN because the new version does not yet exist.
Partially based on patches submitted by below authors.
Submitted by: "Sergey A. Osokin" <osa@freebsd.org.ru>,
Udo Schweigert <udo.schweigert@siemens.com>,
Lev A. Serebryakov <lev@serebryakov.spb.ru>
PR: ports/43682, ports/43688, ports/43666, ports/43681
(worker MPM with this hack seems to work without visible problems.
and still requires -DFORCE_THREADING_MPM to build for worker MPM.)
- Fix plist for worker MPM
- Comment out fancy modules from default httpd.conf
Tested on: ref5.freebsd.org, several 4-stable machines [1]
2. Port printed message to "pw userdel www" if port removed permanently.
However master.passwd 1.25.2.5 has user www by default, so this is no
longer correct advice. Removed pkg-deinstall to correct this.
PR: 37849 and 36907
Approved by: MAINTAINER: Hye-Shik Chang <perky@fallin.lv>