Commit graph

110 commits

Author SHA1 Message Date
wiz
d2ca14a3f1 Bump all packages for perl-5.18, that
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package

Like last time, where this caused no complaints.
2013-05-31 12:39:57 +00:00
tron
377f57c1f6 Add Apache developer fix for security vulnerability reported
in CVE-2013-1862.
2013-05-30 22:58:14 +00:00
tron
4d1b7be5d4 Update "apache" package to version 2.2.24. Changes since 2.2.23:
- SECURITY: CVE-2012-3499 (cve.mitre.org)
  Various XSS flaws due to unescaped hostnames and URIs HTML output in
  mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
  [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
- SECURITY: CVE-2012-4558 (cve.mitre.org)
  XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
  Niels Heinen <heinenn google com>]
- mod_rewrite: Stop merging RewriteBase down to subdirectories
  unless new option 'RewriteOptions MergeBase' is configured.
  Merging RewriteBase was unconditionally turned on in 2.2.23.
  Bug Report 53963. [Eric Covener]
- mod_ssl: Send the error message for speaking http to an https port using
  HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
  using SNI. Bug Report 50823. [Stefan Fritsch]
- mod_ssl: log revoked certificates at level INFO
  instead of DEBUG. Bug Report 52162. [Stefan Fritsch]
- mod_proxy_ajp: Support unknown HTTP methods. Bug Report 54416.
  [Rainer Jung]
- mod_dir: Add support for the value 'disabled' in FallbackResource.
  [Vincent Deffontaines]
- mod_ldap: Fix regression in handling "server unavailable" errors on
  Windows.  Bug Report 54140.  [Eric Covener]
- mod_ssl: fix a regression with the string rendering of the "UID" RDN
  introduced in 2.2.15. Bug Report 54510. [Kaspar Brand]
- ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
  to more accurately report the negotiated protocol. Bug Report 53916.
  [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
- mod_cache: Explicitly allow cache implementations to cache a 206 Partial
  Response if they so choose to do so. Previously an attempt to cache a 206
  was arbitrarily allowed if the response contained an Expires or
  Cache-Control header, and arbitrarily denied if both headers were missing.
  Currently the disk and memory cache providers do not cache 206 Partial
  Responses. [Graham Leggett]
- core: Remove unintentional APR dependency introduced with
  Apache 2.2.22. [Eric Covener]
- core: Use a TLS 1.0 close_notify alert for internal dummy connection if
  the chosen listener is configured for https. [Joe Orton]
- mod_ssl: Add new directive SSLCompression to disable TLS-level
  compression. Bug Report 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
2013-03-03 20:05:03 +00:00
fhajny
4aac2db879 Add apxs to buildlink3, so that packages that use apxs will build properly
under restricted pbulk.
2013-02-20 12:14:42 +00:00
jperkin
becd113253 PKGREVISION bumps for the security/openssl 1.0.1d update. 2013-02-06 23:20:50 +00:00
spz
dd6d7ffa7f Apply patch https://issues.apache.org/bugzilla/show_bug.cgi?id=49491
from upstream for a bug that lets the devel/rt3 mailgate fail rather
dismally when present. Reviewed by tron.
2012-12-23 21:32:41 +00:00
obache
64deda1dc9 recursive bump from cyrus-sasl libsasl2 shlib major bump. 2012-12-16 01:51:57 +00:00
asau
5eae6a18a3 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-28 06:30:00 +00:00
wiz
8b5d49eb78 Bump all packages that use perl, or depend on a p5-* package, or
are called p5-*.

I hope that's all of them.
2012-10-03 21:53:53 +00:00
taca
85e048f325 Update apache22 to 2.2.23.
Changes with Apache 2.2.23

  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
     current working directory to be searched for DSOs. [Stefan Fritsch]

  *) SECURITY: CVE-2012-2687 (cve.mitre.org)
     mod_negotiation: Escape filenames in variant list to prevent a
     possible XSS for a site where untrusted users can upload files to
     a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]

  *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
     [Paul Wouters <pwouters redhat.com>, Joe Orton]

  *) mod_ldap: Treat the "server unavailable" condition as a transient
     error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]

  *) core: Add filesystem paths to access denied / access failed messages.
     [Eric Covener]

  *) core: Fix error handling in ap_scan_script_header_err_brigade() if there
     is no EOS bucket in the brigade. PR 48272. [Stefan Fritsch]

  *) core: Prevent "httpd -k restart" from killing server in presence of
     config error. [Joe Orton]

  *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
     control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive,
     adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'.
     [Kaspar Brand, William Rowe]

  *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
     PR 53104. [Greg Ames]

  *) Unix MPMs: Fix small memory leak in parent process if connect()
     failed when waking up children.  [Joe Orton]

  *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
     [Peter Pramberger <peter pramberger.at>, Jim Jagielski]

  *) Added SSLProxyMachineCertificateChainFile directive so the proxy client
     can select the proper client certificate when using a chain and the
     remote server only lists the root CA as allowed.

  *) mpm_event, mpm_worker: Remain active amidst prevalent child process
     resource shortages.  [Jeff Trawick]

  *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]

  *) mod_rewrite: Fix the RewriteEngine directive to work within a
     location. Previously, once RewriteEngine was switched on globally,
     it was impossible to switch off. [Graham Leggett]

  *) mod_proxy_balancer: Restore balancing after a failed worker has
     recovered when using lbmethod_bybusyness.  PR 48735.  [Jeff Trawick]

  *) mod_dumpio: Properly handle errors from subsequent input filters.
     PR 52914. [Stefan Fritsch]

  *) mpm_worker: Fix cases where the spawn rate wasn't reduced after child
     process resource shortages.  [Jeff Trawick]

  *) mpm_prefork: Reduce spawn rate after a child process exits due to
     unexpected poll or accept failure.  [Jeff Trawick]

  *) core: Adjust ap_scan_script_header_err*() to prevent mod_cgi and mod_cgid
     from logging bogus data in case of errors. [Stefan Fritsch]

  *) mod_disk_cache, mod_mem_cache: Decline the opportunity to cache if the
     response is a 206 Partial Content. This stops a reverse proxied partial
     response from becoming cached, and then being served in subsequent
     responses. PR 49113. [Graham Leggett]

  *) configure: Fix usage with external apr and apu in non-default paths
     and recent gcc versions >= 4.6. [Jean-Frederic Clere]

  *) core: Fix building against PCRE 8.30 by switching from the obsolete
     pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]

  *) mod_proxy: Add the forcerecovery balancer parameter that determines if
     recovery for balancer workers is enforced. [Ruediger Pluem]
2012-09-16 03:33:10 +00:00
dholland
7e751949e4 Set BUILDLINK_ABI_DEPENDS correctly (with +=, not ?=)
It turns out there were a lot of these.
2012-05-07 01:53:12 +00:00
spz
060a83e8f3 patch for CVE-2012-0883 taken from the Apache SVN
bump pkgrev
2012-04-22 19:08:03 +00:00
joerg
a4983d4e0e Limit upper version to get correct Apache as dependency.
XXX It would be nice if lessons were learned and no new cases of
XXX multiple versions with the same base name were introduced...
2012-04-19 21:07:03 +00:00
tron
a48ceea4c1 Update "apache" package to version 2.2.22. Changes since 2.2.21:
- SECURITY: CVE-2011-3368 (cve.mitre.org)
  Reject requests where the request-URI does not match the HTTP
  specification, preventing unexpected expansion of target URLs in
  some reverse proxy configurations.  [Joe Orton]
- SECURITY: CVE-2011-3607 (cve.mitre.org)
  Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
  is enabled, could allow local users to gain privileges via a .htaccess
  file. [Stefan Fritsch, Greg Ames]
- SECURITY: CVE-2011-4317 (cve.mitre.org)
  Resolve additional cases of URL rewriting with ProxyPassMatch or
  RewriteRule, where particular request-URIs could result in undesired
  backend network exposure in some configurations.
  [Joe Orton]
- SECURITY: CVE-2012-0021 (cve.mitre.org)
  mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
  string is in use and a client sends a nameless, valueless cookie, causing
  a denial of service. The issue existed since version 2.2.17. Bug#52256.
  [Rainer Canavan <rainer-apache 7val com>]
- SECURITY: CVE-2012-0031 (cve.mitre.org)
  Fix scoreboard issue which could allow an unprivileged child process
  to cause the parent to crash at shutdown rather than terminate
  cleanly.  [Joe Orton]
- SECURITY: CVE-2012-0053 (cve.mitre.org)
  Fix an issue in error responses that could expose "httpOnly" cookies
  when no custom ErrorDocument is specified for status code 400.
  [Eric Covener]
- mod_proxy_ajp: Try to prevent a single long request from marking a worker
  in error. [Jean-Frederic Clere]
- config: Update the default mod_ssl configuration: Disable SSLv2, only
  allow >= 128bit ciphers, add commented example for speed optimized cipher
  list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]
- core: Fix segfault in ap_send_interim_response(). Bug#52315.
  [Stefan Fritsch]
- mod_log_config: Prevent segfault. Bug#50861. [Torsten Foertsch
  <torsten.foertsch gmx.net>]
- mod_win32: Invert logic for env var UTF-8 fixing.
  Now we exclude a list of vars which we know for sure don't hold UTF-8
  chars; all other vars will be fixed. This has the benefit that now also
  all vars from 3rd-party modules will be fixed. Bug#13029 / 34985.
  [Guenter Knauf]
- core: Fix hook sorting for Perl modules, a regression introduced in
  2.2.21. Bug#45076. [Torsten Foertsch <torsten foertsch gmx net>]
- Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
  A range of '0-' will now return 206 instead of 200. Bug#51878.
  [Jim Jagielski]
- Example configuration: Fix entry for MaxRanges (use "unlimited" instead
  of "0").  [Rainer Jung]
- mod_substitute: Fix buffer overrun.  [Ruediger Pluem, Rainer Jung]

Please note that all the security fixes had been integrated into
"pkgsrc" as patches previously.
2012-02-01 19:53:21 +00:00
tron
832201531f Add patch for security vulnerabilities reported in CVE-2012-0021
and CVE-2012-0053 taken from Apache SVN repository.
2012-01-29 12:29:07 +00:00
spz
fbf503d025 add patch for CVE-2012-0031 taken from Revision 1231058 of http://svn.apache.org/
update patch for http://secunia.com/advisories/45793/
2012-01-17 20:48:28 +00:00
spz
3f5bde5e4d add revision 1209432 from http://svn.apache.org/ as patches:
fix for CVE-2011-4317
2011-12-13 15:37:56 +00:00
tron
0e73e5ce73 Remove duplicate error check from security patch. No revision bump as
there is no functional change.

Problem pointed out by S.P. Zeidler.
2011-12-12 18:43:14 +00:00
tron
d1e5343c2c Add improved fix for proxy vulnerability reported in CVE-2011-3368.
This should also fix CVE-2011-3639 and possibly CVE-2011-4317, both
part of SA46987.
2011-12-07 22:58:12 +00:00
sbd
da993c0c08 Recursive bump for devel/apr buildlink addition. 2011-12-02 07:13:48 +00:00
spz
8e8dddcbe0 fix for http://secunia.com/advisories/45793/
snarfed (with adjustment regarding location) from
http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util.c?r1=1198940&r2=1198939&pathrev=1198940
2011-11-11 07:58:03 +00:00
taca
bc44e3ec7d Add patch for CVE-2011-3368 from Apache's repository.
Bump PKGREVISION.
2011-10-10 10:13:42 +00:00
hans
9f72da0003 Use chown -h to explicitly not dereference any symlinks. Fixes build on SunOS. 2011-09-14 17:51:51 +00:00
taca
5f02855d07 Update apache22 package to 2.2.21.
Quote from release announce:

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.21 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a security
   and bug fix release:

     * SECURITY: CVE-2011-3348 (cve.mitre.org)
       mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
       unrecognized HTTP methods from marking ajp: balancer members
       in an error state, avoiding denial of service.

     * SECURITY: CVE-2011-3192 (cve.mitre.org)
       core: Further fixes to the handling of byte-range requests to use
       less memory, to avoid denial of service. This patch includes fixes
       to the patch introduced in release 2.2.20 for protocol compliance,
       as well as the MaxRanges directive.

   Note the further advisories on the state of CVE-2011-3192 will no longer
   be broadcast, but will be kept up to date at;

     http://httpd.apache.org/security/CVE-2011-3192.txt

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.
2011-09-14 07:10:21 +00:00
sborrill
d62c833ad9 Atomically create files when using DAV to stop files being deleted on error
From:
https://issues.apache.org/bugzilla/show_bug.cgi?id=39815

Bump PKGREVISION.

OK tron@
2011-09-12 17:18:46 +00:00
tron
713670b453 Update "apache22" package to version 2.2.20. Changes since version 2.2.19:
- mod_authnz_ldap: If the LDAP server returns constraint violation,
  don't treat this as an error but as "auth denied". [Stefan Fritsch]
- mod_filter: Fix FilterProvider conditions of type "resp=" (response
  headers) for CGI. [Joe Orton, Rainer Jung]
- mod_reqtimeout: Fix a timed out connection going into the keep-alive
  state after a timeout when discarding a request body. Bug 51103.
  [Stefan Fritsch]
- core: Do the hook sorting earlier so that the hooks are properly sorted
  for the pre_config hook and during parsing the config. [Stefan Fritsch]
2011-08-31 12:52:45 +00:00
tron
28bcd8235f Add patch for security vulnerability reported in CVE-2011-3192 taken
from Apache SVN repository.
2011-08-29 22:07:05 +00:00
tron
35f4b56baf Update "apache22" package to version 2.2.19. Changes since version 2.2.18:
- Revert ABI breakage in 2.2.18 caused by the function signature change
  of ap_unescape_url_keep2f().  This release restores the signature from
  2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
  [Eric Covener]
2011-05-22 22:54:50 +00:00
adam
a955e390e2 Replaced ugly AWK with single SUBST_SED 2011-05-12 07:04:02 +00:00
tron
6a85fa4e6c Update "apache22" package to version 2.2.18. Changes since version 2.2.17:
- Log an error for failures to read a chunk-size, and return 408 instead
  of 413 when this is due to a read timeout.  This change also fixes some cases
  of two error documents being sent in the response for the same scenario.
  [Eric Covener] Bug 49167
- core: Only log a 408 if it is no keepalive timeout. Bug 39785
  [Ruediger Pluem,  Mark Montague <markmont umich.edu>]
- core: Treat timeout reading request as 408 error, not 400.
  Log 408 errors in access log as was done in Apache 1.3.x.
  Bug 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, Stefan Fritsch,
  Dan Poirier]
- Core HTTP: disable keepalive when the Client has sent
  Expect: 100-continue
  but we respond directly with a non-100 response.  Keepalive here led
  to data from clients continuing being treated as a new request.
  Bug 47087.  [Nick Kew]
- htpasswd: Change the default algorithm for htpasswd to MD5 on all
  platforms. Crypt with its 8 character limit is not useful anymore;
  improve out of disk space handling (Bug 30877); print a warning if
  a password is truncated by crypt. [Stefan Fritsch]
- mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
  Win32's cscript interpreter can only use a single quote as comment char.
  [Guenter Knauf]
- configure: Fix htpasswd/htdbm libcrypt link errors with some newer
  linkers. [Stefan Fritsch]
- MinGW build improvements.  Bug 49535.  [John Vandenberg
  <jayvdb gmail.com>, Jeff Trawick]
- mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
  [Stefan Fritsch]
- core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
  in request URL path info but not decode them. Bug 35256,
  Bug 46830.  [Dan Poirier]
- mod_rewrite: Allow to unset environment variables. Bug 50746.
  [Rainer Jung]
- suEXEC: Add Suexec directive to disable suEXEC without renaming the
  binary (Suexec Off), or force startup failure if suEXEC is required
  but not supported (Suexec On).  [Jeff Trawick]
- mod_proxy: Put the worker in error state if the SSL handshake with the
  backend fails. Bug 50332.
  [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
- prefork: Update MPM state in children during a graceful restart.
  Allow the HTTP connection handling loop to terminate early
  during a graceful restart.  Bug 41743.
  [Andrew Punch <andrew.punch 247realmedia.com>]
- mod_ssl: Correctly read full lines in input filter when the line is
  incomplete during first read. Bug 50481. [Ruediger Pluem]
- mod_autoindex: Merge IndexOptions from server to directory context when
  the directory has no mod_autoindex directives. Bug 47766. [Eric Covener]
- mod_cache: Make sure that we never allow a 304 Not Modified response
  that we asked for to leak to the client should the 304 response be
  uncacheable. Bug 45341 [Graham Leggett]
- mod_dav: Send 400 error if malformed Content-Range header is received for
  a put request (RFC 2616 14.16). Bug 49825. [Stefan Fritsch]
- mod_userdir: Add merging of enable, disable, and filename arguments
  to UserDir directive, leaving enable/disable of userlists unmerged.
  Bug 44076 [Eric Covener]
- core: Honor 'AcceptPathInfo OFF' during internal redirects,
  such as per-directory mod_rewrite substitutions.  Bug 50349.
  [Eric Covener]
- mod_cache: Check the request to determine whether we are allowed
  to return cached content at all, and respect a "Cache-Control:
  no-cache" header from a client. Previously, "no-cache" would
  behave like "max-age=0". [Graham Leggett]
- mod_mem_cache: Add a debug msg when a streaming response exceeds
  MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary
  'memory allocation failed' debug message. Bug 49604. [Eric Covener]
- proxy_connect: Don't give up in the middle of a CONNECT tunnel
  when the child process is starting to exit. Bug 50220. [Eric Covener]
2011-05-12 06:50:44 +00:00
dholland
56017a8df3 Patch a minor markup glitch in the apxs(8) man page: .PP needs to be at
the beginning of a line.

(Properly this should bump the PKGREVISION, but I'm not going to bother.)
2011-03-20 03:18:21 +00:00
sborrill
128b1262c9 Add pthread bl3.mk file to stop problems in partial bulk builds 2010-11-24 12:20:39 +00:00
adam
01f9ddf20b Changes 2.2.17:
* prefork MPM: Run cleanups for final request when process exits gracefully
  to work around a flaw in apr-util.
* mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
  connections and other protocol handlers (like mod_ftp). Enforce the
  timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering
  close time from 30 to 2 seconds.
* Proxy balancer: support setting error status according to HTTP response
  code from a backend.
* mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
  password to UTF-8.
* core: check symlink ownership if both FollowSymlinks and
  SymlinksIfOwnerMatch are set
* core: fix origin checking in SymlinksIfOwnerMatch
* mod_headers: Enable multi-match-and-replace edit option
* mod_log_config: Make ${cookie}C correctly match whole cookie names
  instead of substrings.
* mod_dir, mod_negotiation: Pass the output filter information
  to newly created sub requests; as these are later on used
  as true requests with an internal redirect. This allows for
  mod_cache et al. to trap the results of the redirect.
* rotatelogs: Fix possible buffer overflow if admin configures a
  mongo log file path.
* mod_ssl: Do not do overlapping memcpy.
* vhost: A purely-numeric Host: header should not be treated as a port.
* core: (re)-introduce -T commandline option to suppress documentroot
  check at startup.
2010-11-01 17:28:49 +00:00
lukem
3ffffc97e8 Add a MESSAGE reminding upgraders to add LoadModule entries since Apache 2.2.16. 2010-08-02 10:38:16 +00:00
tron
bc230cfa65 Update "apache22" package to version 2.2.16. Changes since version 2.2.15:
- SECURITY: CVE-2010-1452 (cve.mitre.org)
  mod_dav, mod_cache: Fix handling of requests without a path segment.
  PR: 49246 [Mark Drayton, Jeff Trawick]
- SECURITY: CVE-2010-2068 (cve.mitre.org)
  mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
  for platforms Windows, Netware and OS2.  PR: 49417. [Rainer Jung]
- core: Filter init functions are now run strictly once per request
  before handler invocation.  The init functions are no longer run
  for connection filters.  PR 49328.  [Joe Orton]
- mod_filter: enable it to act on non-200 responses.
  PR 48377 [Nick Kew]
- mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
  title page only) when any mod_ldap directives were used in VirtualHost
  context.  [Eric Covener]
- mod_ssl: Fix segfault at startup if proxy client certs are shared
  across multiple vhosts.  PR 39915.  [Joe Orton]
- mod_proxy_http: Log the port of the remote server in various messages.
  PR 48812. [Igor Galić <i galic brainsware org>]
- apxs: Fix -A and -a options to ignore whitespace in httpd.conf
  [Philip M. Gollucci]
- mod_dir: add FallbackResource directive, to enable admin to specify
  an action to happen when a URL maps to no file, without resorting
  to ErrorDocument or mod_rewrite.  PR 47184 [Nick Kew]
- mod_rewrite: Allow to set environment variables without explicitly
  giving a value. [Rainer Jung]
2010-07-26 21:38:51 +00:00
sborrill
1fd261f998 Add pthread bl3.mk (required when building partial bulk builds in a chroot) 2010-07-24 10:45:38 +00:00
tron
e960ac74f1 Add patch provided by the Apache foundation to close the privacy leak
reported in CVE-2010-2068.
2010-06-12 10:40:26 +00:00
tron
137d7f3d2b Make sure that the "suexec" module actually gets built and installed if the
package gets built with "apache-shared-modules suexec ..." as the options.
Bump package revision for the benefit of users who previously compiled
the package with these options and don't have the "suexec" module available.

Problem pointed out by Filip Hajny in private e-mail.
2010-05-03 20:10:33 +00:00
tron
bd1d3a93e4 Overhaul option and package list handling:
1.) Add missing modules "mod_proxy_scgi.so" and "mod_reqtimeout.so"
    if the package is built with shared modules enabled.
    This fixes PR pkg/43229 by Ryo HAYASAKA.
2.) Get rid of "PLIST.worker" and use "PLIST_VARS" instead.
3.) Use an option group instead of the "APACHE_MPM" configuration variable
    to configure the worker model.
4.) Enable the "apache-shared-modules" options by default. This provides
    more flexibility and matches the behaviour of a lot of other
    platforms e.g. Solaris or Linux distributions like Ubuntu.

Bump the package revision as the binary package will change by default.
2010-04-30 16:30:09 +00:00
obache
66d7f22787 Fixes omitting of pre-creating directory for pax in patch-aa.
It breaks installation on SUA 6.0 with native pax.
2010-04-28 07:43:56 +00:00
taca
ceed3d639a Update apache22 package to 2.2.15.
For full change information, please refer to:
http://www.apache.org/dist/httpd/Announcement2.2.html.

Here are the security-related changes from the ChangeLog
(http://www.apache.org/dist/httpd/CHANGES_2.2.15).

Changes with Apache 2.2.15

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola <niku.toivola sulake.com>]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
2010-03-09 02:30:15 +00:00
taca
04be6d5a31 Remove CVE-2007-3304 related patches. CVE-2007-3304 was fixed
in Apache 2.2.6 and these patches are noop.
2010-03-05 00:22:59 +00:00
wiz
579796a3e5 Recursive PKGREVISION bump for jpeg update to 8. 2010-01-17 12:02:03 +00:00
obache
b00f094dd6 Re-add patch-ab, fixes runtime error on Interix.
It originally came from PR#27567 for www/apache2.
CVE-2007-3304 parts were added in rev 1.2, then the whole patch file was removed in
rev 1.3 as part of the update to apache-2.2.6, because the update contained the fix for
CVE-2007-3304 and the comments of patch-ab only mentioned the CVE.

To prevent a recurrence of such an accident, added PR#27567 as comments
for patch-ab.
2009-12-26 04:51:01 +00:00
tron
7e2a8f9978 Provide working URLs for fetching old Apache releases. 2009-11-11 22:28:51 +00:00
christos
950ccdc29a remove blank line 2009-10-30 21:10:57 +00:00
christos
0656dd8280 update to 2.2.14; 2.2.13 is gone. 2009-10-30 21:08:55 +00:00
tron
5729936509 Add patch from the Apache SVN repository to the vulnerability reported
in CVE-2009-3095.
2009-10-04 12:21:34 +00:00
tron
8fcbbf0610 Use official fix for CVE-2009-3094 taken from the Apache SVN repository. 2009-09-14 22:09:33 +00:00
tron
7f2dd3f45b Add a fix for the remote Denial of Service vulnerability reported
in CVE-2009-3094.
2009-09-13 13:32:50 +00:00