Makefiles simply need to use this value often, for better or for
worse.
(2) Create a new variable FIX_RPATH that lists variables that should
be cleansed of -R or -rpath values if ${_USE_RPATH} is "no". By
default, FIX_RPATH contains LIBS, X11_LDFLAGS, and LDFLAGS, and
additional variables may be appended from package Makefiles.
have it be automatically included by bsd.pkg.mk if USE_PKGINSTALL is set
to "YES". This enforces the requirement that bsd.pkg.install.mk be
included at the end of a package Makefile. Idea suggested by Julio M.
Merino Vidal <jmmv at menta.net>.
the precedence of the contents of this file changes depending on whether
it's started at boot time or started manually, and it's not really
necessary to add the extra complexity since it's valid (and easier) to just
set apache_start in /etc/rc.conf.
Use "${NONBINMODE}" instead of mode "0" so that "pkg_admin check" still
works for a normal user. Also invoke "chmod" only once because fork()
and exec() is expensive on certain platforms.
Previously, if apache_start was set in /etc/rc.conf and /etc/rc.d/apache was
loaded as part of the /etc/rc start sequence, apache_start's value would
be overridden by "apache_start=start" in this script, because /etc/rc.conf
would have already been loaded and load_rc_config() would not reload it again.
This problem would not have been seen if /etc/rc.d/apache was started
manually, or /etc/rc.conf.d/apache or @PKG_SYSCONFDIR@/apache_start.conf
was used to set apache_start.
(I am using /etc/rc.conf, and was wondering why apache wasn't starting
with ssl support at boot, but worked after a manual restart...)
discovered in version 1.3.26 including these security fixes:
- SECURITY: CAN-2002-0840 (cve.mitre.org)
Prevent a cross-site scripting vulnerability in the default
error page. The issue could only be exploited if the directive
UseCanonicalName is set to Off and a server is being run at
a domain that allows wildcard DNS. [Matthew Murphy]
- SECURITY CAN-2002-0843 (cve.mitre.org)
Fix some possible overflows in ab.c that could be exploited by
a malicious server. Reported by David Wagner. [Jim Jagielski]
- SECURITY CAN-2002-0839 (cve.mitre.org)
Add the new directive 'ShmemUIDisUser'. By default, Apache
will no longer set the uid/gid of SysV shared memory scoreboard
to User/Group, and it will therefore stay the uid/gid of
the parent Apache process. This is actually the way it should
be, however, some implementations may still require this, which
can be enabled by 'ShmemUIDisUser On'. Reported by iDefense.
[Jim Jagielski]
Give Apache a user and group by default, not only with suexec.
The variables for this have changed from APACHE_SUEXEC_USER and
APACHE_SUEXEC_GROUP to APACHE_USER and APACHE_GROUP.
Mention 'Apache' in COMMENT.
Use variables for the version number instead of copying it around.
Bump PKGREVISION.
For apache{,6}:
Change paths to /var/httpd instead of /var/spool/httpd.
Honour STRIPFLAG.
Add --without-confadjust as configure argument.
Enable the 'define' module.
For apache:
Enable proxy module on NOPIC platforms.
Some of these changes are based on pkg/17469 by Greg A. Woods, some on
comments by Johnny Lam.
Reviewed by Johnny Lam.
that was lost in the previous commit.
"${apache_start}" is the subcommand sent to apachectl to control how
httpd is started. It's value may be overridden in:
@PKG_SYSCONFDIR@/apache_start.conf
/etc/rc.conf
/etc/rc.conf.d/apache,
in order of increasing precedence. Its possible values are "start"
and "startssl", and defaults to "start".
--suexec-* configure options that are passed directly to the Apache
configure script. This may be used to tune the suEXEC configuration
in more restrictive ways, e.g. --suexec-uidmin=1000. This solution
is more open-ended than the fix proposed in pkg/14973. Also, we
don't duplicate all of the options from the Apache configure script
in pkgsrc bsd.pkg.defaults.mk. This closes pkg/14973 by Eric
Schnoebelen <eric@cirr.com>
(2) For namespace consistency, deprecate APACHE_USER in favor of
APACHE_SUEXEC_USER. Move APACHE_USER into bsd.pkg.obsolete.mk.
(3) Create the suEXEC user when the functionality is enabled in the server
so that CGI scripts will work properly. This closes pkg/14903 by
Wojciech Puchar <wojtek@3miasto.net>
pkgsrc. Instead, a new variable PKGREVISION is invented that can get
bumped independent of DISTNAME and PKGNAME.
Example #1:
DISTNAME= foo-X.Y
PKGREVISION= Z
=> PKGNAME= foo-X.YnbZ
Example #2:
DISTNAME= barthing-X.Y
PKGNAME= bar-X.Y
PKGREVISION= Z
=> PKGNAME= bar=X.YnbZ (!)
On subsequent changes, only PKGREVISION needs to be bumped, no more risk
of getting DISTNAME changed accidentally.
This value may be customized in various ways:
PKG_SYSCONFBASE is the main config directory under which all package
configuration files are to be found.
PKG_SYSCONFSUBDIR is the subdirectory of PKG_SYSCONFBASE under which the
configuration files for a particular package may be found.
PKG_SYSCONFDIR.${PKGBASE} overrides the value of ${PKG_SYSCONFDIR} for a
particular package.
Users will typically want to set PKG_SYSCONFBASE to /etc, or accept the
default location of ${PREFIX}/etc.
This obsoletes the use of CONFDIR, which was active for only 6 days, so no
need to have a workaround to still accept old CONFDIR settings.
bsd.pkg.install.mk:
* Remove old DEINSTALL/INSTALL scripts.
* Move some text printed at POST-INSTALL time into the MESSAGE file.
* Adjust rc.d scripts to respect rc.conf settings, so that the
script may be directly copied into /etc/rc.d.
- Whitespace changes to Makefile
- From the commit log for apache/Makefile:
Don't do the dance with ROOT_GROUP. Apache extension modules installed by
apxs are now installed with "${INSTALL} -c -o ${LIBOWN} -g ${LIBGRP}",
which should do the right thing regardless of the platform. ${INSTALL} is
replaced with the full path to the install program used by pkgsrc, which
should be /usr/bin/install on NetBSD, and /usr/ucb/install on Solaris.
This should fix pkg/14232 by Pierre Bourgin.
- Updated the IPv6 patch
Apache 1.3.20 - 1.3.22 Major changes
Security vulnerabilities
* A vulnerability was found in the Win32 port of Apache 1.3.20. A
client submitting a very long URI could cause a directory listing
to be returned rather than the default index page. A 403 Forbidden
will now be returned. CAN-2001-0729
* A vulnerability was found in the split-logfile support program. A
request with a specially crafted Host: header could allow any file
with a .log extension on the system to be written to. PR#7848
CAN-2001-0730
* A vulnerability was found when Multiviews are used to negotiate
the directory index. In some configurations, requesting a URI with
a QUERY_STRING of M=D could return a directory listing rather than
the expected index page. CAN-2001-0731
The security issues above have been assigned standardized names, CAN-
by the Common Vulnerabilities and Exposures project (cve.mitre.org)
New features
The main new features in 1.3.22 (compared to 1.3.20) are:
* The user manual has been updated. As well as a number of small
fixes these updates include new translations into French and
Japanese, a guide to using Apache httpd on Cygwin, a lexicon of
Apache error messages, updated TPF documentation, and a
comprehensive guide to using log files
* The user manual can now be moved out of the htdocs DocumentRoot
during installation by invoking configure with the --manualdir=
switch, to allow separation of on-line docs from regular contents.
* The supplied icons are now also distributed in PNG format
* A significant overhaul to the Apache Bench program, ab has taken
place, as first reported in April. The new Apache Bench includes
fixes, additional statistics, csv and gnuplot output, and some
SSL support
* New directives have been added to the mod_usertrack module, The
first, CookieDomain, can be used to customise the Domain
attribute. The patch to add the CookieDomain directive was first
submitted over two years ago. Historically mod_usertrack has used
the obsolete Netscape cookie syntax. The new CookieStyle directive
allows use of the RFC2109 or RFC2965 syntax instead. PR#5023,
PR#5920, PR#6140.
* The server will now display a warning if line-end comments (#) are
found in the configuration file. Not all directives are able to
handle comments on the same line
* A new directive, AcceptMutex, allows run-time configuration of the
mutex type used for accept serialization, currently a compile-time
only setting in 1.3. Since different types of mutex have different
performance characteristics on different platforms, this directive
will allow administrators to tune their Apache server more easily.
The current list of possible methods is: uslock, pthread, sysvsem,
fcntl, flock, os2sem, tpfcore, none. Not all platforms support all
methods
* mod_auth has been enhanced to allow access to a document to be
controlled based on the owner of the file being served. Require
file-owner will only allow files to be served where the
authenticated username matches the user that owns the document.
Require file-group works in a similar way checking that the group
matches
New features that relate to specific platforms:
* A new directive, AcceptFilter, has been added to control BSD
accept filters at run-time. This should make it easier to move
server binaries across different BSD machines without requiring
recompilation. Support for accept filters was first added to
version 1.3.14, the functionality can postpone the requirement for
a child process to handle a new connection until an HTTP request
has arrived, therefore increasing the number of connections that a
given number of child processes can handle
* On Win32 mod_unique_id, mod_mime_magic, and the mod_vhost_alias
modules are now enabled
* The Cygwin port includes a number of fixes and updates. Cygwin
support was first introduced in version 1.3.20
* On Windows 2000, the service display names can now be modified
by the user (use the service control panel applet)
* On Win32 a new option -W can be used to set up a dependency on
another service, see win_service.html
* The server will now take advantage of recent improvements to the
TPF operating system which include an enhanced system fork and
exec, updates to allow non-blocking file descriptors, and an
update to shutdown processing
Bugs fixed
The following bugs were found in Apache 1.3.20 and have been fixed in
Apache 1.3.22:
* Under certain circumstances a child may crash due to a bug in
mod_include. If a server uses an ErrorDocument for 404 (request
not found) errors which points to a server-parsed HTML file which
uses a <!--#include virtual="file" --> section, then a request
containing %2f will result in a segfault. The segfault is harmless
and does not cause a security problem, but is being triggered by
the recent IIS worm
* The Multiviews functionality has been fixed to prevent
mod_negotiation from serving any multiview variant that contains
unknown filename extensions. PR#8130
* Apache will prefer installed version of the Expat library over the
bundled version. This fixes conflicts when multiple copies of the
Expat library get loaded (notably when using mod_perl and
XML::Parsers::Expat)
* UnsetEnv now works from the main body of a configuration file.
PR#8254
* When used as a reverse proxy any headers set by other modules
(such as mod_usertrack or mod_securid) now get passed on to the
back-end server. PR#6055
* Server response headers can now be logged via the proxy. PR#7461
* mod_proxy will now pay attention to HTTP headers that specify the
request is not to be cached. PR#5668
* When a client making a request via mod_proxy died unexpectedly,
mod_proxy did not close its connection. PR#8090
* The CacheForceCompletion directive has been fixed PR#7383,
PR#8067, PR#6585
* A memory leak has been fixed in the mod_mime_magic module
* A Satisfy All option has been added to the default container
designed to stop access to .htaccess files. Without this
directive, these files could still be fetched if they were within
the scope of a Satisfy Any directive.
The following bugs relate to specific platforms:
* A number of fixes for NetWare have been added. These include:
enabling long file names in htpasswd and htdigest, protection
against ill behaved modules, better handling of abnormal
shutdowns, dealing with the limited stack space during server side
includes, and recognising special filenames such as proxy:http://
correctly
* A shutdown hang could occur on Solaris when using lots of piped
TransferLogs and at least one piped ErrorLog
* On EBCDIC platforms a bug in the proxy module stopped SSL proxying
working
* On Win32, mod_unique_id did not guarantee a unique ID due to
threading
* The Win32 Makefiles are now 100% compatible with the Microsoft
Visual C++ compiler versions 5,6,7
