- use PTHREAD_LIBS/CFLAGS instead -pthread
Changes with Apache 2.2.29
http://www.apache.org/dist/httpd/CHANGES_2.2.29
*) Corrected docs/manual pages for new MergeTrailers directive and other
out of date documentation. [William Rowe]
Changes with Apache 2.2.28
*) SECURITY: CVE-2014-0118 (cve.mitre.org) [1]
mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to avoid
denial of service via highly compressed bodies. See directives
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
*) SECURITY: CVE-2014-0231 (cve.mitre.org) [1]
mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child processes
filling up the scoreboard and eventually hanging the server. By
default, the client I/O timeout (Timeout directive) now applies to
communication with scripts. The CGIDScriptTimeout directive can be
used to set a different timeout for communication with scripts.
[Rainer Jung, Eric Covener, Yann Ylavic]
*) SECURITY: CVE-2014-0226 (cve.mitre.org) [1]
Fix a race condition in scoreboard handling, which could lead to
a heap buffer overflow. [Joe Orton, Eric Covener, Jeff Trawick]
*) SECURITY: CVE-2013-5704 (cve.mitre.org) [2]
core: HTTP trailers could be used to replace HTTP headers
late during request processing, potentially undoing or
otherwise confusing modules that examined or modified
request headers earlier. Adds "MergeTrailers" directive to restore
legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
*) core: Detect incomplete request and response bodies, log an error and
forward it to the underlying filters. PR 55475. [Yann Ylavic]
*) mod_deflate: Handle Zlib header and validation bytes received in multiple
chunks. PR 46146. [Yann Ylavic]
*) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
differs. PR 55782. [Yann Ylavic]
*) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
[Lukas Bezdicka <social v3.sk>]
*) mod_dav: Fix improper encoding in PROPFIND responses. PR 56480.
[Ben Reser]
*) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
resumed by TLS session resumption (RFC 5077). [Rainer Jung]
*) mod_proxy_ajp: Forward local IP address as a custom request attribute
like we already do for the remote port. [Rainer Jung]
*) mod_deflate: Don't fail when flushing inflated data to the user-agent
and that coincides with the end of stream ("Zlib error flushing inflate
buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]
*) mod_cache, mod_disk_cache: With CacheLock enabled, responses with a Vary
header might not get the benefit of the thundering herd protection due to
an incorrect internal cache key. PR 50317.
[Ruediger Pluem, Jan Kaluza, Yann Ylavic]
*) mod_rewrite: Support session cookies with the CO= flag when later
parameters are used. The doc for this implied the feature had been
backported for quite some time. PR56014 [Eric Covener]
*) mod_cache: Don't remove stale cache entries that cannot be conditionally
revalidated. This prevents the thundering herd protection from serving
stale responses during a revalidation. PR 50317.
[Eric Covener, Jan Kaluza, Ruediger Pluem]
*) core: Increase TCP_DEFER_ACCEPT socket option to from 1 to 30 seconds.
PR 41270. [Dean Gaudet <dean arctic org>]
[1] CVE issues already fixed since FreeBSD-ports r362845
[2] new CVE-2013-5704 issue fixed in 2.2.29
MFH: 2014Q3
Security: f927e06c-1109-11e4-b090-20cf30e32f6d
Security: CVE-2013-5704
- fix build with SSL from ports [1]
SECURITY: CVE-2014-0118 (cve.mitre.org)
mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to
avoid denial of sevice via highly compressed bodies. See directives
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and
DeflateInflateRatioBurst.
http://svn.apache.org/viewvc?view=revision&revision=1611426
SECURITY: CVE-2014-0226 (cve.mitre.org)
Fix a race condition in scoreboard handling,
which could lead to a heap buffer overflow. Thanks to Marek Kroemeke
working with HP's Zero Day Initiative for reporting this.
* include/scoreboard.h: Add ap_copy_scoreboard_worker.
* server/scoreboard.c (ap_copy_scoreboard_worker): New function.
* modules/generators/mod_status.c (status_handler): Use it.
http://svn.apache.org/viewvc?view=revision&revision=1610515
SECURITY: CVE-2014-0231 (cve.mitre.org)
mod_cgid: Fix a denial of service against CGI scripts that do not consume
stdin that could lead to lingering HTTPD child processes filling up the
scoreboard and eventually hanging the server.
http://svn.apache.org/viewvc?view=revision&revision=1611185
[1] noted and testd by mat@
MFH: 2014Q3
Security: f927e06c-1109-11e4-b090-20cf30e32f6d
CVE-2014-0118
CVE-2014-0231
CVE-2014-0226
- sort pkg-plist
- always install DOCS (remove Makefile hack)
- reflect modules.d in EXAMPLESDIR, next target
will be a new keyword for pkg-plist to handle
module installation.
- bump PORTREVISION
- add warning about default version change (2014-07-11)
(pkg-message, files/HEADS_UP)
in case port is build with tinderbox or poudriere.
openssl is registered as BUILD/RUN dependency not
as LIB dependency, therefore the check for openssl
fails since it will be installed in a later stage
by tinderbox / poudriere.
Thanks to Katsuya Higuchi who noted this issue on
the apache@ mailing list.
http://lists.freebsd.org/pipermail/freebsd-apache/2014-April/003490.html
MFH: 2014Q2
Submitted by: Katsuya Higuchi <higuchi@jt-sys.co.jp>
- fix apache-mpm-peruser graceful reload [1]
Changes with Apache 2.2.27
*) SECURITY: CVE-2014-0098 (cve.mitre.org)
Clean up cookie logging with fewer redundant string parsing passes.
Log only cookies with a value assignment. Prevents segfaults when
logging truncated cookies.
[William Rowe, Ruediger Pluem, Jim Jagielski]
*) SECURITY: CVE-2013-6438 (cve.mitre.org)
mod_dav: Keep track of length of cdata properly when removing
leading spaces. Eliminates a potential denial of service from
specifically crafted DAV WRITE requests
[Amin Tora <Amin.Tora neustar.biz>]
*) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
TE/CL conflicts. [Yann Ylavic <ylavic.dev gmail com>, Jim Jagielski]
*) mod_proxy_http: Core dumped under high load. PR 50335.
[Jan Kaluza <jkaluza redhat.com>]
*) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
[Christophe Jaillet]
*) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
is equivalent to <ProxyMatch wildcard-url>. [Christophe Jaillet]
*) mod_ldap: Fix a potential memory leak or corruption. PR 54936.
[Zhenbo Xu <zhenbo1987 gmail com>]
*) mod_ssl: Do not perform SNI / Host header comparison in case of a
forward proxy request. [Ruediger Pluem]
*) mod_rewrite: Add mod_rewrite.h to the headers installed on Windows.
PR46679 [Bob Ionescu]
PR: ports/182947 [1]
Submitted by: Andrew Azarov <andrew@azar-a.net> [1]
- add new directory for modules (APACHEETCDIR/modules.d)
New modules can be registered here with a simple
file that contains the LoadModule directives.
Additonal Maintaines can write instructions to the
conf file and keep pkg-message short.
As bonus the config file can be installed like every
other config file with a .sample extention so modules
are not disabled during pkg upgrades.
Module config files should begin with three digits
followed by '_' e.g. 100_php5.conf.
The load order can be controlled via the three digits.
Please wait some time before adopting the new directory
so users have time to update and adjust axisting configs
Changes with Apache 2.2.26
*) mod_dav: dav_resource->uri treated as unencoded. This was an
unnecessary ABI changed introduced in 2.2.25 PR 55397. [Ben Reser]
*) mod_dav: Do not validate locks against parent collection of COPY
source URI. PR 55304. [Ben Reser]
*) mod_ssl: Check SNI hostname against Host header case-insensitively.
PR 49491. [Mayank Agrawal <magrawal.08 gmail.com>]
*) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against
OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme,
Stefan Fritsch]
*) mod_ssl: Change default for SSLCompression to off, as compression
causes security issues in most setups. (The so called "CRIME" attack).
[Stefan Fritsch]
*) mod_ssl: Fix compilation error when OpenSSL does not contain
support for SSLv2. Problem was introduced in 2.2.25. PR 55194.
[Rainer Jung, Kaspar Brand]
*) mod_dav: Fix double encoding of URIs in XML and Location header (caused
by unintential ABI change in 2.2.25). PR 55397. [Ben Reser]
- update vuxml with additional CVE-2013-1896 entry
Changes with Apache 2.2.25
http://www.apache.org/dist/httpd/CHANGES_2.2.25
*) SECURITY: CVE-2013-1896 (cve.mitre.org)
mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
the source href (sent as part of the request body as XML) pointing to a
URI that is not configured for DAV will trigger a segfault. [Ben Reser
<ben reser.org>]
*) SECURITY: CVE-2013-1862 (cve.mitre.org)
mod_rewrite: Ensure that client data written to the RewriteLog is
escaped to prevent terminal escape sequences from entering the
log file. [Eric Covener, Jeff Trawick, Joe Orton]
*) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
strings. The default limit for ap_pregsub() can be adjusted at compile
time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick]
*) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun
<apache heilbrun.org>]
*) mod_setenvif: Log error on substitution overflow.
[Stefan Fritsch]
*) mod_ssl/proxy: enable the SNI extension for backend TLS connections
[Kaspar Brand]
*) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. PR 53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
*) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
in the error log to debug level. [William Rowe]
*) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
[Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
*) mod_proxy_balancer: Added balancer parameter failontimeout to allow server
admin to configure an IO timeout as an error in the balancer.
[Daniel Ruggeri]
*) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
password. [Daniel Ruggeri]
*) htdigest: Fix buffer overflow when reading digest password file
with very long lines. PR 54893. [Rainer Jung]
*) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
[Timothy Wood <tjw omnigroup.com>]
*) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]
*) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
result in a 412 Precondition Failed for a COPY operation. PR54610
[Timothy Wood <tjw omnigroup.com>]
*) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
property on a resource for which there is no dead property in the same
namespace httpd segfaults. PR 52559 [Diego Santa Cruz
<diego.santaCruz spinetix.com>]
*) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
*) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
PR: ports/180248
Submitted by: Jason Helfman jgh@
only builds with OpenSSL from ports are affected which is
not default, so no version bump.
Noted on the apache@ list by Jukka A. Ukkonen <jau@iki.fi>
and per PR by Arnis Rozentals <admin@liepajaport.lv>
PR: 176659
- move mpm itk patches to itk-mpm/files dir
- add sshd to REQUIRE line in the rc script to prevent boot
issues in case a SSL cert is password protected [1]
Changes with Apache 2.2.24
SECURITY: CVE-2012-3499 (cve.mitre.org) Various XSS flaws due to
unescaped hostnames and URIs HTML output in mod_info, mod_status,
mod_imagemap, mod_ldap, and mod_proxy_ftp. [Jim Jagielski, Stefan
Fritsch, Niels Heinen <heinenn google com>]
SECURITY: CVE-2012-4558 (cve.mitre.org)
XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
Niels Heinen <heinenn google com>]
mod_rewrite: Stop merging RewriteBase down to subdirectories
unless new option 'RewriteOptions MergeBase' is configured.
Merging RewriteBase was unconditionally turned on in 2.2.23.
PR 53963. [Eric Covener]
mod_ssl: Send the error message for speaking http to an https port using
HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
using SNI. PR 50823. [Stefan Fritsch]
mod_ssl: log revoked certificates at level INFO
instead of DEBUG. PR 52162. [Stefan Fritsch]
mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
[Rainer Jung]
mod_dir: Add support for the value 'disabled' in FallbackResource.
[Vincent Deffontaines]
mod_ldap: Fix regression in handling "server unavailable" errors on
Windows. PR 54140. [Eric Covener]
mod_ssl: fix a regression with the string rendering of the "UID" RDN
introduced in 2.2.15. PR 54510. [Kaspar Brand]
ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
to more accurately report the negotiated protocol. PR 53916.
[Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
mod_cache: Explicitly allow cache implementations to cache a 206 Partial
Response if they so choose to do so. Previously an attempt to cache a 206
was arbitrarily allowed if the response contained an Expires or
Cache-Control header, and arbitrarily denied if both headers were missing
Currently the disk and memory cache providers do not cache 206 Partial
Responses. [Graham Leggett]
core: Remove unintentional APR 1.3 dependency introduced with
Apache 2.2.22. [Eric Covener]
core: Use a TLS 1.0 close_notify alert for internal dummy connection if
the chosen listener is configured for https. [Joe Orton]
mod_ssl: Add new directive SSLCompression to disable TLS-level
compression. PR 53219.
[1] requested by Andrew Filonov
(freebsd-apache/2012-September/002962.html)
with head apache@
PR: ports/175331
Submitted by: Christoph Mallon
Approved by: No objections within three weeks from any maintainer
While here, style and duplicate phrase fixes in bsdcflow pkg-descr
Submitted by: mi
LockFile "/var/run/accept.lock"
instead of previous
LockFile "/var/log/accept.lock"
If system is crashed and rebooted, Apache refuses to start in case
/var/log/accept.lock.<pid> is found. That <pid> is almost always the same
due to minimum pid variance right after boot.
So use /var/run instead, which is cleaned on each boot.
- update APR to 1.4.6
- update APR-util to 1.4.1
- remove PKGNAMESUFFIX'es
www/apache-(event|itk|peruser|worker)-mpm
- adopt new Makefile header, adjust
PKGNAMESUFFIX in apache22 masterport
PKGNAME match now LATEST_LINK
www/apache22 [2]-[6]
- rewrite for options NG
- PORTNAME s|apache|apache22|
- remove APR APR-util specific otions,
will be checked now with help of apr/u-1-config
Mk/bsd.apache.mk
- rewrite for options NG
- remove no longer needet make targets
(show-categories, make-options-list)
[1]
PR: 165143
[2]-[6]
PR: 130479
PR: 153406
PR: 158565
PR: 168769
PR: 167965
with hat apache@
- remove all apr/apu related parts (leftovers from bundled apr)
- remove invalid parts from Makefile.doc
- move MODULES to Makefile.options
- remove apache20 parts
- remove category handling
with hat apache@
keep full backward support until apache20 is removed from the tree
comment code to remove with MFC TODO:
- adjust apache20 and apache22 ports
changes are transparent for users (no PORTREVISION bump)
Users who are using special build instructions in make.conf, such as
- WITH_STATIC_MODULES= alias dir log_config mime rewrite setenvif vhost_alias
should convert the values to UPPERCASE
- WITH_STATIC_MODULES= ALIAS DIR LOG_CONFIG MIME REWRITE SETENVIF VHOST_ALIAS
At the moment code to support old lowercase style is in place, but
target to remove in favor for options NG.
with hat apache@
- centralise OPTIONS in Makefile.options
- s/Enable// in OPTIONS
- rewrite Makefile.modules (last defined SLAVE_PORT_MPM port use now WITH_MPM var)
- no REVISION bump, nothing changed in the logic / functionality
apache22-peruser-mpm
- use WITH_MPM instead SLAVE_PORT_MPM
