Addresses:
* SECURITY: CVE-2011-3348 (cve.mitre.org)
mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
unrecognized HTTP methods from marking ajp: balancer members
in an error state, avoiding denial of service.
* SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Further fixes to the handling of byte-range requests to use
less memory, to avoid denial of service. This patch includes fixes
to the patch introduced in release 2.2.20 for protocol compliance,
as well as the MaxRanges directive.
PR: ports/160743
Submitted by: Jason Helfman <jhelfman@experts-exchange.com>
Changes with Apache 2.2.19
*) Revert ABI breakage in 2.2.18 caused by the function signature change
of ap_unescape_url_keep2f(). This release restores the signature from
2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
[Eric Covener]
commit with hat apache@
Changes:
http://www.apache.org/dist/httpd/CHANGES_2.2.18
Changes with Apache 2.2.18
*) Log an error for failures to read a chunk-size, and return 408 instead
413 when this is due to a read timeout. This change also fixes some cases
of two error documents being sent in the response for the same scenario.
[Eric Covener] PR49167
*) core: Only log a 408 if it is no keepalive timeout. PR 39785
[Ruediger Pluem, Mark Montague <markmont umich.edu>]
*) core: Treat timeout reading request as 408 error, not 400.
Log 408 errors in access log as was done in Apache 1.3.x.
PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, Stefan Fritsch,
Dan Poirier]
*) Core HTTP: disable keepalive when the Client has sent
Expect: 100-continue
but we respond directly with a non-100 response. Keepalive here led
to data from clients continuing being treated as a new request.
PR 47087. [Nick Kew]
*) htpasswd: Change the default algorithm for htpasswd to MD5 on all
platforms. Crypt with its 8 character limit is not useful anymore;
improve out of disk space handling (PR 30877); print a warning if
a password is truncated by crypt. [Stefan Fritsch]
*) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
Win32's cscript interpreter can only use a single quote as comment char.
[Guenter Knauf]
*) configure: Fix htpasswd/htdbm libcrypt link errors with some newer
linkers. [Stefan Fritsch]
*) MinGW build improvements. PR 49535. [John Vandenberg
<jayvdb gmail.com>, Jeff Trawick]
*) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
[Stefan Fritsch]
*) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
in request URL path info but not decode them. PR 35256,
PR 46830. [Dan Poirier]
*) mod_rewrite: Allow to unset environment variables. PR 50746.
[Rainer Jung]
*) suEXEC: Add Suexec directive to disable suEXEC without renaming the
binary (Suexec Off), or force startup failure if suEXEC is required
but not supported (Suexec On). [Jeff Trawick]
*) mod_proxy: Put the worker in error state if the SSL handshake with the
backend fails. PR 50332.
[Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
*) prefork: Update MPM state in children during a graceful restart.
Allow the HTTP connection handling loop to terminate early
during a graceful restart. PR 41743.
[Andrew Punch <andrew.punch 247realmedia.com>]
*) mod_ssl: Correctly read full lines in input filter when the line is
incomplete during first read. PR 50481. [Ruediger Pluem]
*) mod_autoindex: Merge IndexOptions from server to directory context when
the directory has no mod_autoindex directives. PR 47766. [Eric Covener]
*) mod_cache: Make sure that we never allow a 304 Not Modified response
that we asked for to leak to the client should the 304 response be
uncacheable. PR45341 [Graham Leggett]
*) mod_dav: Send 400 error if malformed Content-Range header is received for
a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]
*) mod_userdir: Add merging of enable, disable, and filename arguments
to UserDir directive, leaving enable/disable of userlists unmerged.
PR 44076 [Eric Covener]
*) core: Honor 'AcceptPathInfo OFF' during internal redirects,
such as per-directory mod_rewrite substitutions. PR 50349.
[Eric Covener]
*) mod_cache: Check the request to determine whether we are allowed
to return cached content at all, and respect a "Cache-Control:
no-cache" header from a client. Previously, "no-cache" would
behave like "max-age=0". [Graham Leggett]
*) mod_mem_cache: Add a debug msg when a streaming response exceeds
MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary
'memory allocation failed' debug message. PR 49604. [Eric Covener]
*) proxy_connect: Don't give up in the middle of a CONNECT tunnel
when the child process is starting to exit. PR50220. [Eric Covener]
PR: 156997
Submitted by: Tsurutani Naoki <turutani _at_ scphys.kyoto-u.ac.jp>
- add additional patch for mpm-itk [2]
- add mod_substitute to apache22 [3]
- add some documentation into the mpm-itk* patches
- bump portrevision
Changes:
[1] apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:
* Fixed CVE-2011-1176: If NiceValue was set, the default with no
AssignUserID was to run as root:root instead of the default Apache user
and group, due to the configuration merger having an incorrect default
configuration.
* Rebase against Apache 2.2.17.
* Fix an issue where users can sometimes get spurious 403s on persistent
connections, if the .htaccess files are not world readable.
* In the config merger, don't reallocate the username, since it's already
in the correct pool. (This is not a memory leak, only a small inefficiency.)
[2] http://httpd.apache.org/docs/2.2/mod/mod_substitute.html
Source:
http://mpm-itk.sesse.net/ [1]
http://www.pvv.ntnu.no/~knuta/mpm-itk/ [2]
http://lists.freebsd.org/pipermail/freebsd-apache/2011-March/002184.html [3]
With Hat: apache@
PR: ports/156024 [1][2]
Submitted by: Lukasz Wasikowski <lukasz _at_ wasikowski.net> [1][2]
Nick Gieczewski <sorongo _at_ gmail.com> [3]
correctly. This fixes the pid file name
PR: ports/151623
Submitted by: Vivek Khera <vivek@khera.org>
With Hat: apache@
Point hat to: myself (pgollucci)
**
* Note, no CVE affects the FREEBSD port. devel/apr1 was updated to
* apr-util 1.3.10 on 2010/10/06 05:32:24.
**
Changes: http://www.apache.org/dist/httpd/CHANGES_2.2
PR: ports/151594
Submitted by: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
With Hat: apache@
<ChangeLog>
*) prefork MPM: Run cleanups for final request when process exits gracefully
to work around a flaw in apr-util. PR 43857. [Tom Donovan]
*) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
connections and other protocol handlers (like mod_ftp). Enforce the
timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering
close time from 30 to 2 seconds. [Stefan Fritsch]
*) Proxy balancer: support setting error status according to HTTP response
code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]
*) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
password to UTF-8. PR 45318.
[Johannes Müller <joh_m gmx.de>, Stefan Fritsch]
*) core: check symlink ownership if both FollowSymlinks and
SymlinksIfOwnerMatch are set [Nick Kew]
*) core: fix origin checking in SymlinksIfOwnerMatch
PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>]
*) mod_headers: Enable multi-match-and-replace edit option
PR 46594 [Nick Kew]
*) mod_log_config: Make ${cookie}C correctly match whole cookie names
instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
Stefan Fritsch]
*) mod_dir, mod_negotiation: Pass the output filter information
to newly created sub requests; as these are later on used
as true requests with an internal redirect. This allows for
mod_cache et.al. to trap the results of the redirect.
PR 17629, 43939
[Dirk-Willem van Gulik, Jim Jagielski, Joe Orton, Ruediger Pluem]
*) rotatelogs: Fix possible buffer overflow if admin configures a
mongo log file path. [Jeff Trawick]
*) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton]
*) vhost: A purely-numeric Host: header should not be treated as a port.
PR 44979 [Nick Kew]
*) core: (re)-introduce -T commandline option to suppress documentroot
check at startup.
PR 41887 [Jan van den Berg <janvdberg gmail.com>]
</ChangeLog>
pidfile
command
envvars
Without profiles, the old defaults remain unchanged. With profiles the old defaults
remain unchanged.
Sponsored by: RideCharge Inc. / TaxiMagic
Tested by: RideCharge Inc. / TaxiMagic (> 1 yr in production)
With Hat: apache@
login.conf(5). This is probably because resource limitations are handled
differently on various different platforms.
This modifies suexec behaviour to set resource limits for CGI's
from /etc/login.conf before execing the customers CGI script.
Doesn't affect default package, so no PORTREVISION bumps.
I will follow up at dev@httpd.apache.org to see about adding this
with #ifdefs.
PR: ports/136091
Submitted by: Alexey V.Degtyarev <alexey@renatasystems.org>
With Hat: apache@
This is already being discussed at dev@httpd and will be committed upstream
Reported by: brad clawsie <clawsie@fastmail.fm> (on apache@ list)
With Hat: apache@
apxs -A comments out the LoadModule line
This adds custom FreeBSD mod to 'DELETE' the line so that it works with
our pkg-plists in packages.
- Remove -s form the cmp httpd.conf in pkg-plist to be blatant about why
it didn't get removed
- Tested with lang/php5
- Bump PORTREVISION
PR: ports/133704
With Hat: apache@
This will fix about 100 pkg-plist left overs for httpd.conf
- Bump PORTREVISION
- This will be in 2.2.16.
PR: ports/133704
Obtained from: http://svn.apache.org/viewvc?rev=942210&view=rev
Reported by: olli hauer <ohauer@gmx.de> (and very good pr!)
With Hat: apache@
This fixes both bundled apr using the port (devel/apr for WITH_APR_FROM_PORTS)
PR: ports/134577
Requested by: Pascal Vizeli <pvizeli@yahoo.de>
With Hat: apache@
--with-ldap switches on LDAP library linking in apr-util
--enable-ldap option switches on the LDAP caching module
--enable-authnz-ldap option switches on the LDAP authentication module
[AAA was rewritten in 3 peices in 2.4.x, hence the option change]
- no custom patch, the linking was fixed in 2.2.x
- ldap is not in the default package, so no PORTREVISION bump
PR: ports/128079
Reported by: koitsu, skreuzer
With Hat: apache@
piled up and additional patches conflict.
This also will help when we try to syncronize www/apache20&www/apache22
- Unconditionally apply the mod_proxy_connect patch, you just may or may
not actually compile the file to save some logic in Makefile
With Hat: apache@
Note if you already have www/apache20 or www/apache22 installed this is
not worth updating for; however, you should verify your [if you use it]
${PREFIX}/etc/apacheXX/extra/httpd-userdir.conf:
DisableUser dir setting correct lists the users you don't want
to have the ~/dir visible via http requests.
PR: ports/144422
Reported by: several
With hat: apache@
o Note, don't use required_modules you can not check the return value
to conditionalize the -DNOHTTPACCEPT flag
PR: ports/138373
Submitted by: Helmut Schneider <jumper99@gmx.de>
