From Changelog:
*) SECURITY: CAN-2005-2088
core: If a request contains both Transfer-Encoding and Content-Length
headers, remove the Content-Length, mitigating some HTTP Request
Splitting/Spoofing attacks. [Paul Querna, Joe Orton]
- Rename previous patch to CVE ID
- bump PORTREVISION
Security: CAN-2005-2088
Obtained From: Apache repository
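The CAN-2005-2088 entry above describes a framing rule: a request that carries both Transfer-Encoding and Content-Length has two conflicting body lengths, and the fix is to keep only Transfer-Encoding. The following added example (not Apache's own code) parses a constructed HTTP/1.x header block and applies that same normalization, reporting whether a conflicting Content-Length was dropped.

```python
# Added illustration of the CAN-2005-2088 mitigation: if a request has both
# Transfer-Encoding and Content-Length, drop Content-Length so that front-end
# and back-end parsers cannot disagree about where the body ends.
# This is not Apache's code; the request below is constructed for the example.

AMBIGUOUS_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 4\r\n"          # conflicting framing header
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split the header block of an HTTP/1.x request into (name, value) pairs.

    The request line is skipped; a header line without ':' is rejected.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return headers


def normalize_framing(headers: list[tuple[str, str]]) -> tuple[list[tuple[str, str]], bool]:
    """Return (headers, removed): Content-Length is removed only when a
    Transfer-Encoding header is also present.  Header names are compared
    case-insensitively, as HTTP requires."""
    names = {name.lower() for name, _ in headers}
    if "transfer-encoding" in names and "content-length" in names:
        kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
        return kept, True
    return list(headers), False


def normalize_request(raw: bytes) -> tuple[list[tuple[str, str]], bool]:
    """Parse a raw request and apply the framing normalization."""
    return normalize_framing(parse_headers(raw))


if __name__ == "__main__":
    kept, removed = normalize_request(AMBIGUOUS_REQUEST)
    print("Content-Length removed:", removed)
    for name, value in kept:
        print(f"{name}: {value}")
```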
I blindly committed a change from my dev tree. Since the USE_APACHE design
is flaky, it had a very annoying impact.
PR: ports/77391 [1]
Also reported by: pointyhat via kris,
Scot Hetzel <swhetzel@gmail.com> [1]
Pointy hat to: clement
- Download bz2'd tarball [1]
- Add print-closest-mirrors target.
It allows you to find the 6 (3 http/3 ftp) closest mirrors,
based on http://www.apache.org/dyn/closer.cgi/httpd/
make print-closest-mirrors >> /etc/make.conf automatically adds
the six closest mirrors to the head of ${MASTER_SITE_APACHE_HTTPD}.
Requested by: delphij
o Major change(s)
- in some cases, modules are still built as static modules, making
modules selection useless and generating a non-desired httpd
o Minor change(s)
- apxs detection is done only if port isn't a server one.
- Mark modules ports as IGNORED if apache is built statically
- fix make show-modules when WITH_ALL_STATIC_MODULES is defined
Most issues discovered by: Jason Mealins <jason_mealins@bigfix.com>
- Use apache{2,21}flags variable in apache{2,21}_checkconfig().
It fixes restart when apache2ssl_enable is set to YES in rc.conf
and httpd.conf is "old" (i.e. non -DSSL safe) [1]
o Makefile
- split post-install target to add install-startup-script:
User can now upgrade startup script without reinstalling apache2.
NOTE: this is NOT package-safe and NOT supported, even if in most
cases there's no risk.
Noticed by: many [1]
- Add support for modular sbin/envvars
You can now put your own scripts you want to execute at envvars
stage in ${PREFIX}/etc/apache2/envvars.d
Only scripts ending in *.env are run.
Example:
/usr/local/etc/apache2/envvars.d/mod_python3.env
Discussed with: perky on -apache@
- Add a note to UPDATING, to warn users they won't be able to build apache2
if they keep apr 0.9.x
Discussed with: Craig Rodrigues (apr maintainer), kuriyama
WARNING: apache2 + apr 1.0 is BROKEN
I'm working on a small compat hack. But don't dream too much.
apache 2.0.x is not designed to work with apr 1.x.
Forgotten by: kuriyama
Fix CAN-2004-0885:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.
Credits: Hartmut Keil, Joe Orton
- Use "PORTDOCS= #" and get rid of docs entry in plist.
- Support for FreeBSD 6 in apr
- Move of cache modules from THREADS to EXPERIMENTAL category and make
sure we enable THREADS modules (cgid only) when a threaded MPM is
selected.
- Resurrect WITH_EXTRA_MODULES knob
- powerlogo.gif is now hosted by FreeBSD mirrors
- WITH_<category> is definitively no longer supported.
- Add Includes dir when installed via a package [1]
PR: ports/72309 [1]
Submitted by: Christian Kratzer <ck at cksoft dot de> [1]
*) SECURITY: CAN-2004-0786 (cve.mitre.org)
Fix an input validation issue in apr-util which could be
triggered by malformed IPv6 literal addresses. [Joe Orton]
*) SECURITY: CAN-2004-0747 (cve.mitre.org)
Fix buffer overflow in expansion of environment variables in
configuration file parsing. [André Malo]
*) SECURITY: CAN-2004-0809 (cve.mitre.org)
mod_dav_fs: Fix a segfault in the handling of an indirect lock
refresh. PR 31183. [Joe Orton]
- Update documentation (finally!) and fix WITH_<CATEGORY>_MODULES
for special modules like LDAP or SSL [2]
Noticed by: nectar [1]
Requested by: Emile Heitor <imil at home dot imil dot net> [2]
Approved by: portmgr (marcus)
* WITH_EXCEPTION_HOOK now exists
* Automatically add if WITH_DEBUG is set
* Update still-outdated-documentation
- Remove automatic debug mode if DEBUG_FLAGS is set
Exception hook is very useful for debugging (upcoming www/mod_backtrace
and www/mod_whatkilledus modules)
Makefile.modules.3rd:
- Fix CONFIGURE_ARGS for dynamic module selection.
It's now fully usable for apache13 ports
- Remove a useless WANT_APACHE check
- Move apxs detection at the beginning of the file, to use APXS_PREFIX
for apache major version detection [1]
The main advantage of this patch is to provide a nice way to
have multiple apache versions, without altering ${LOCALBASE}.
Submitted by: "ports/c0decafe.net" <ports at c0decafe dot net> [1]
Makefile.modules:
- Export rewritten modules selection from Makefile.modules
to Makefile.modules.3rd
- Remove proxy support by default.
Makefile.modules.3rd:
- Add support for WANT_APACHE common13/common2 to share
code/functionalities between apache13 and apache2 server ports.
Rewrite of modules selection:
- WITH_MODULES and WITHOUT_MODULES are no more conflicting
WITHOUT_MODULES can be safely used internally to remove conflicting
modules
- Selection is based on modules categories to improve flexibility
- WITH_${category}[_MODULES]
- WITHOUT_${category}
- WITH_CUSTOM_${category}
- Support apache13, apache2{0,1}
This is EXPERIMENTAL. I'll test it IRL with www/apache13-ssl,
and it should be easily usable in future bsd.apache.mk
o Changes in httpd.conf
- mod_userdir:
. set Userdir if mod_userdir is loaded [1]
. Userdir is denied for users from /etc/ftpusers
- set more "secure" permissions.
By default, policy is to deny access to filesystem.
You HAVE to _ENABLE_ access to your filesystem in httpd.conf.
- Add an "Includes" directory to ${PREFIX}/etc/apache2/
to make configuration more flexible
${PREFIX}/etc/apache2/*.conf files are now automatically loaded.
o apache.sh
- be closer to apachectl, apache.sh needs envvars [2]
It should restore subversion behavior.
Partially submitted by:
kuriyama [1],
Gregory (Grisha) Trubetskoy <grisha at apache dot org> [2]
Future changes are mostly written, they should be committed during the
week-end.
If you're interested in changes, feel free to contact me.
- Add WITHOUT_V4MAPPED knob and explicitly set --disable-v4-mapped
if WITHOUT_V4MAPPED or WITH_IPV6_V6ONLY
Also submitted by: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp> [1]
when --enable-v4-mapped is used (default).
Use the WITHOUT_IPV6 knob if you have problems with "HostnameLookup On" on
IPv4-only server(s).
I hope I can provide a real fix soon.
Important changes:
*) SECURITY: CAN-2004-0493 (cve.mitre.org)
Close a denial of service vulnerability identified by Georgi
Guninski which could lead to memory exhaustion with certain
input data. [Jeff Trawick]
*) SECURITY: CAN-2004-0488 (cve.mitre.org)
mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
(trusted) client certificate subject DN which exceeds 6K in length.
[Joe Orton]
Details can be found here:
http://www.apache.org/dist/httpd/CHANGES_2.0
- Use autoconf 2.59
- Add SUEXEC_LOGFILE tunable to set suexec logfile [1]
- Silently ignore removal of libexec/apache2 directory
- Import latest version of apr_reslit.c from apr CVS which
adds timeout feature to apr_reslist_acquire().
This is required for future mod_logio-st.
- Add explicit dependency on libiconv (so now we support libiconv)
- Move Windows Update fix from MASTER_SITE_LOCAL to ports tree
- add WITH_EXPERIMENTAL_PATCHES knob:
These patches are backports from apache CVS HEAD or apr CVS HEAD.
They have positive impacts on apache responsiveness but can be unstable
and are NOT currently supported by apache/apr teams.
* exp-http-ready.patch: add "httpready" support for ACCEPT_FILTER
(currently apache 2 only supports "dataready")
* exp-apr-kqueue.patch: add support for kqueue in apr_poll().
This patch greatly improves apache network performance (up to
18% according to the author, on my test box, between 13% and 21%)
Test and feedback on -STABLE are welcome ;)
For more details, please see:
http://marc.theaimsgroup.com/?t=108650227500001&r=1&w=2
Submitted by: knu [1]
NOTE:
Please set MASTER_SITE_APACHE_HTTPD to the closest mirrors.
You can easily find them from:
http://www.apache.org/dyn/closer.cgi/httpd/
Thanks :
- Cosmetic change in autogenerated plist (run apxs before the removal
of the module file; it can make apxs fail if you change the module
name/shortname)
Forgotten by: me [1]
Reminded by: discussion with kris [1]
It can not be used with USE_APACHE knob.
Most important knobs:
WANT_APACHE= {13,2}
Apache version required. If undefined, both apache versions
are allowed.
AP_FAST_BUILD
Do ${APXS} -c ${APXS} -i for you
AP_GENPLIST
Autogenerate a _SIMPLE_ plist:
See future commits to know how to use this file.
This shouldn't have been fixed, but I don't like setting UID and GID
variables.
so ${*} -> ${WWW*}
PR: 64032
Noticed by: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
WITH_PTHREAD_LIBS and WITH_PTHREAD_CFLAGS are now working again
WARNING: This option is still NOT officially supported.
You can't flame me, but you can still send me some backtraces ;-)
Begin autotools sanitization sequence by requiring ports to explicitly
specify which version of {libtool,autoconf,automake} they need, erasing
the concept of a "system default".
For ports-in-waiting:
USE_LIBTOOL=YES -> USE_LIBTOOL_VER=13
USE_AUTOCONF=YES -> USE_AUTOCONF_VER=213
USE_AUTOMAKE=YES -> USE_AUTOMAKE_VER=14
Ports attempting to use the old style system after June 1st 2004 will be
sorely disappointed.
the USE_<x> equivalents. In the current scheme of things, the WANT_
variables in this case are synonymous with the USE_ ones, and thus need
to be exterminated.
First in a series of major autotools cleanups.
- Make ldap fix optional, since it may break LDAP auth [2]
Please use WITH_LDAPFIX if you need the fix.
- Improve pthreads support
- SIZEify distinfo
Submitted by: mharo [1]
Discussed with: Robin P. Blanchard <robin.blanchard@gactr.uga.edu> [2]
These options are for people who want to directly link
apache against libkse and libthr.
Usage:
WITH_EXPERIMENTAL_THREADS=YES
Overrides default pthread detection behaviour.
WITH_PTHREAD_LIBS={kse;thr}
Lets you choose your pthread lib.
Don't even try to use "c_r"...
*** These options are unsupported ***
But all gdb backtraces are welcome :-)
AFAIK, apache works well, but mod_php4 (worker MPM) behavior
is quite funny.
All modules which use apr mutexes may crash with KSE.
Since I'm working on it, if you have coredumps, feel free
to send me the backtrace (you must compile libkse, apache
and modules with debugging symbols).
Don't forget to set kern.sugid_coredump to 1.
(using CoreDumpDirectory in httpd.conf can help too)
This is due to a partial revert of the apr improvement.
setting LIBS=${PTHREAD_LIBS} conflicts with libtool.
All should be OK now...
If someone can explain to me why libtool imposes using
-pthread (ltshmain), I'm all ears...
Note:
You CAN NOT override -lc_r (i.e. setting -lkse) at compile time.
I must fix it...
- Move patchset to MASTER_SITE_LOCAL
Noticed by: Martin Nilsson <martin@gneto.com>
Approved by: erwin (mentor) (implicitly)
on > 4.8-STABLE (from september 2003) system because apache2 used
libc_r instead of libc.
Compiling with -lkse (on -CURRENT) was broken too.
- bump PORTREVISION to force users to upgrade.
NOTE: on -STABLE DO NOT DEFINE WITH_THREADS.
(unless you use a threaded MPM)
Thanks to Fritz Heinrichmeyer <fritz.heinrichmeyer@fernuni-hagen.de>
who helped me to track the problem.
Noticed by: Fritz Heinrichmeyer <fritz.heinrichmeyer@fernuni-hagen.de>
HAYASHI, "Lef" Tatsuya <lef@st.rim.or.jp> [1]
PR: 61317 [1]
Approved by: erwin (mentor) (implicitly)
message option in pre-everything:: target.
- Change OpenSSL fix. (specially when WITH_BERKELEYDB=FreeBSD is defined)
There are too many cases of failure (at least 3), so I can't force -STABLE
users to use SSL_EXPERIMENT_ENGINE [1]
- Add WITH_SSL_EXPERIMENTAL_ENGINE knob [2]
- Better db42 apr-util detection [3]
- Add fastest mirror to PATCH_SITES
- Add db42 to "make show-options"
Note to users:
Unless you have a *really* good request, no more features will be added.
Please send me the following with your bug reports:
- uname -a output
- all config.log files
- pkg_info output
- your make command line
Noticed by: apache2-test-ng.sh script [1]
Barry Pederson <bp@barryp.org> [3]
Requested by: jb@perso-web.com [2]