- use full path setfib
PR: ports/153264
Submitted by: Jeremy Chadwick <freebsd@jdc.parodius.com>
With Hat: apache@
Sponsored by: Apache Software Foundation (ASF)
- Resync proxy connect patch [2]
- Bump PORTREVISION since the proxy patch is unconditionally applied
which means we can remove that OPTION too
PR: ports/164698 [1], ports/164711 [2]
Submitted by: jgh@ [1], freebsd@nagilum.org [2]
With Hat: apache@
Sponsored by: RideCharge Inc. / TaxiMagic
Addresses:
* SECURITY: CVE-2011-3607 (cve.mitre.org)
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP
Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif
module is enabled, allows local users to gain privileges via a .htaccess file
with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request
header, leading to a heap-based buffer overflow.
* SECURITY: CVE-2012-0021 (cve.mitre.org)
The log_cookie function in mod_log_config.c in the mod_log_config module in the
Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not
properly handle a %{}C format string, which allows remote attackers to cause a
denial of service (daemon crash) via a cookie that lacks both a name and a
value.
* SECURITY: CVE-2012-0031 (cve.mitre.org)
scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local
users to cause a denial of service (daemon crash during shutdown) or possibly
have unspecified other impact by modifying a certain type field within a
scoreboard shared memory segment, leading to an invalid call to the free
function.
* SECURITY: CVE-2011-4317 (cve.mitre.org)
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in
place, does not properly interact with use of (1) RewriteRule and (2)
ProxyPassMatch pattern matches for configuration of a reverse proxy, which
allows remote attackers to send requests to intranet servers via a malformed URI
containing an @ (at sign) character and a : (colon) character in invalid
positions. NOTE: this vulnerability exists because of an incomplete fix for
CVE-2011-3368.
* SECURITY: CVE-2012-0053 (cve.mitre.org)
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly
restrict header information during construction of Bad Request (aka 400) error
documents, which allows remote attackers to obtain the values of HTTPOnly
cookies via vectors involving a (1) long or (2) malformed header in conjunction
with crafted web script.
* SECURITY: CVE-2011-3368 (cve.mitre.org)
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of
(1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a
reverse proxy, which allows remote attackers to send requests to intranet
servers via a malformed URI containing an initial @ (at sign) character.
PR: ports/164675
Reviewed by: pgollucci
Approved by: pgollucci, crees, rene (mentors, implicit)
With Hat: apache@
Note, you have to actually uncomment the include for this to take effect
- No PORTREVISION bump since nothing changes by default
PR: ports/156987
Reported by: Adrian Dimcev <adimcev@carbonwind.net>
With Hat: apache@
literal name_enable wherever possible, and ${name}_enable
when it's not, to prepare for the demise of set_rcvar().
In cases where I had to hand-edit unusual instances also
modify formatting slightly to be more uniform (and in
some cases, correct). This includes adding some $FreeBSD$
tags, and most importantly moving rcvar= to right after
name= so it's clear that one is derived from the other.
- add additional patch for mpm-itk [2]
- add mod_substitute to apache22 [3]
- add some documentation into the mpm-itk* patches
- bump portrevision
Changes:
[1] apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:
* Fixed CVE-2011-1176: If NiceValue was set, the default with no
AssignUserID was to run as root:root instead of the default Apache user
and group, due to the configuration merger having an incorrect default
configuration.
* Rebase against Apache 2.2.17.
* Fix an issue where users can sometimes get spurious 403s on persistent
connections, if the .htaccess files are not world readable.
* In the config merger, don't reallocate the username, since it's already
in the correct pool. (This is not a memory leak, only a small inefficiency.)
[2] http://httpd.apache.org/docs/2.2/mod/mod_substitute.html
Source:
http://mpm-itk.sesse.net/ [1]
http://www.pvv.ntnu.no/~knuta/mpm-itk/ [2]
http://lists.freebsd.org/pipermail/freebsd-apache/2011-March/002184.html [3]
With Hat: apache@
PR: ports/156024 [1][2]
Submitted by: Lukasz Wasikowski <lukasz _at_ wasikowski.net> [1][2]
Nick Gieczewski <sorongo _at_ gmail.com> [3]
correctly. This fixes the pid file name
PR: ports/151623
Submitted by: Vivek Khera <vivek@khera.org>
With Hat: apache@
Point hat to: myself (pgollucci)
pidfile
command
envvars
Without profiles, the old defaults remain unchanged. With profiles the old defaults
remain unchanged.
Sponsored by: RideCharge Inc. / TaxiMagic
Tested by: RideCharge Inc. / TaxiMagic (> 1 yr in production)
With Hat: apache@
login.conf(5). This is probably because resource limitations are handled
differently on various different platforms.
This modifies suexec behaviour to set resource limits for CGIs
from /etc/login.conf before execing the customer's CGI script.
Doesn't affect default package, so no PORTREVISION bumps.
I will follow up at dev@httpd.apache.org to see about adding this
with #ifdefs.
PR: ports/136091
Submitted by: Alexey V.Degtyarev <alexey@renatasystems.org>
With Hat: apache@
This is already being discussed at dev@httpd and will be committed upstream
Reported by: brad clawsie <clawsie@fastmail.fm> (on apache@ list)
With Hat: apache@
apxs -A comments out the LoadModule line
This adds custom FreeBSD mod to 'DELETE' the line so that it works with
our pkg-plists in packages.
- Remove -s from the cmp httpd.conf in pkg-plist to be blatant about why
it didn't get removed
- Tested with lang/php5
- Bump PORTREVISION
PR: ports/133704
With Hat: apache@
This will fix about 100 pkg-plist left overs for httpd.conf
- Bump PORTREVISION
- This will be in 2.2.16.
PR: ports/133704
Obtained from: http://svn.apache.org/viewvc?rev=942210&view=rev
Reported by: olli hauer <ohauer@gmx.de> (and very good pr!)
With Hat: apache@
piled up and additional patches conflict.
This also will help when we try to synchronize www/apache20 & www/apache22
- Unconditionally apply the mod_proxy_connect patch, you just may or may
not actually compile the file to save some logic in Makefile
With Hat: apache@
updating patch to dbm.m4. Old patch for dbm.m4 is for db47. But
recent apache dist already includes a code block for db47, so update the
patch by replacing it with db48.
- No $PORTREVISION bump (no effect to packages with default options).
Submitted by: ume
o Note: don't use required_modules, since you cannot check the return value
to conditionalize the -DNOHTTPACCEPT flag
PR: ports/138373
Submitted by: Helmut Schneider <jumper99@gmx.de>
-Update libtool and libltdl to 2.2.6a.
-Remove devel/libtool15 and devel/libltdl15.
-Fix ports build with libtool22/libltdl22.
-Bump ports that depend on libltdl22 due to shared library version change.
-Explain what to do update in the UPDATING.
It has been tested with GNOME2, XFCE4, KDE3, KDE4 and many other wm/desktop
environments and applications at runtime.
With help: marcus and kwm
Pointyhat-exp: a few times by pav
Tested by: pgollucci, "Romain Tartière" <romain@blogreen.org>, and
a few MarcusCom CVS users. Also, I might have missed a few.
Repocopy by: marcus
Approved by: portmgr
propagated by copy and paste.
1. Primarily the "empty variable" default assignment, which is mostly
${name}_flags="", but fix a few others as well.
2. Where they are not already documented, add the existence of the _flags
(or other deleted empties) option to the comments, and in some cases add
comments from scratch.
3. Replace things that look like:
prefix=%%PREFIX%%
command=${prefix}/sbin/foo
to just use %%PREFIX%%. In many cases the $prefix variable is only used
once, and in some cases it is not used at all.
4. In a few cases remove ${name}_flags from command_args
5. Remove a long-stale comment about putting the port's rc.d script in
/etc/rc.d (which is no longer necessary).
No PORTREVISION bumps because all of these changes are no-ops.
- Commit the final part of the bdb patch improving the value passed
to --with-berkeley-db [1]
- Silence the blasted warnings about accf [2]
(Will send this upstream)
- Address httpd issue 42829* - graceful restart with multiple listeners
using prefork MPM can result in hung processes [3]
- Address httpd issue 29744+ - CONNECT does not work over existing
SSL connection [4]
- Drop .sh suffixes on rc.d scripts, add note to UPDATING [5]
- Bump PORTREVISION
PRs: ports/110651 [1], ports/132528 [2], ports/134457 [3]
ports/135478
Submitted by: "Timur I. Bakeyev" <timur@gnu.org> [1]
bz@ [2]
Alexander <freebsd@nagilum.org> [4]
myself (pgollucci@) [5]
Requested by: apache@ (several) [3]
Tested by: P6 TB (running live > 5 days)
RideCharge TB (running live > 3 days)
Apache Software Foundation (ASF) TB (running live > 1 day)
Sponsored by: RideCharge Inc.
on FreeBSD)
- Move mpm-itk patch to EXTRA_PATCHES to avoid conflicts with
alternative mpm patches [1]
- update PLIST_SUBS when SLAVE_PORT_MPM is defined
Requested by: Jille Timmermans [1]
- Completely shut up rc.d script when no profiles are enabled
(also add support to disable profiles) [2]
- Fix CVE-2008-2939 for mod_proxy_ftp
(XSS attacks when using wildcards in the path of the FTP URL)
- Add "apache22_fib" to start apache22 prefixed by
"setfib -F ${apache22_fib}", so apache can use an alternate
network view (not carefully tested yet)
- Revert previous patch to "fix" missing rc.d scripts. It
actually breaks profiles.
- Bump PORTREVISION
PR: ports/126670 [1],
ports/116627 [2]
Submitted by: Joseph S. Atkinson [1],
Eygene Ryabinkin [2]
Security: CVE-2008-2939
Special thanks to: pgollucci@
- Add WITH_SVN knob. It enables BDB for apache22 port and
force dependency on dev/apr-svn when WITH_APR_FROM_PORTS is
defined. (should help fixing [2]).
Introduce APR_PORT.
- Add support for db-4.7 [3]
- Add mod_ldap OPTIONS fixup [4]
- Sometimes, rc scripts aren't included in package
Try to fix this. [5]
PR: ports/126053 [2], ports/125520 [3]
ports/124651 [4], ports/126670 [5] (partially)
Reported by: QA Tindy [1],
Craig Leres [2],
Larry Rosenman [4]
Kirk Strauser [3],
Joseph S. Atkinson [5]
- Preserve index.html
- We no longer install images in default DocumentRoot (they're still in icons/)
- Various plist cleanup
- bump PORTREVISION since we are now safe with index.html
Reminded by: bland@
- add PCRE_FROM_PORTS to OPTIONS
- use @dirrmtry for include/apache22
- workaround plist issues when upgrading, but it's not as safe as I
would expect, it requires more work.
Spotted by: bland@ [1]
From UPDATING:
By popular request, OPTIONS support has been added. When activated
(default), these knobs are ignored:
* WITH_<CATEGORY>_MODULES
* WITHOUT_<CATEGORY>_MODULES
* WITH_CUSTOM_<CATEGORY>
* WITH_MODULES
* WITHOUT_MODULES
* WITH_STATIC_MODULES
However, you can disable OPTIONS by defining WITHOUT_APACHE_OPTIONS.
- move envvars support to the beginning of apache22_checkconfig() to be
sure we're using envvars during configtest [1]
PR: ports/116329 [1]
Submitted by: Ruud Althuizen <ruud@il.fontys.nl> [1]