Zafer Aydogan. Changes from 1.3.33:
*) hsregex: fix potential core dumping on 64 bit machines, such as
AMD64. PR 31858. [Glenn Strauss < gs-apache-dev gluelogic.com>]
*) SECURITY: core: If a request contains both Transfer-Encoding and
Content-Length headers, remove the Content-Length, mitigating some
HTTP Request Splitting/Spoofing attacks. This has no impact on
mod_proxy_http, yet affects any module which supports chunked
encoding yet fails to prefer T-E: chunked over the Content-Length
purported value. [Paul Querna, Joe Orton]
*) Added TraceEnable [on|off|extended] per-server directive to alter
the behavior of the TRACE method. This addresses a flaw in proxy
conformance to RFC 2616 - previously the proxy server would accept
a TRACE request body although the RFC prohibited it. The default
remains 'TraceEnable on'.
[William Rowe]
*) mod_digest: Fix another nonce string calculation issue.
[Eric Covener]
- Fix a security issue (CAN-2005-2700) where "SSLVerifyClient require"
was not enforced in per-location context if "SSLVerifyClient optional"
was configured in the global virtual host configuration.
Sync apache with the latest ap-ssl.
backslashes anymore. A single backslash is enough. Changed the
definition in all affected packages. For those that are not caught, an
additional check is placed into bsd.pkginstall.mk.
that these directories will be conditionally removed (based on reference
counts), regardless of the value of PKG_CONFIG. Bump the PKGREVISION
for packages that were modified as a result.
as the INSTALL and DEINSTALL scripts no longer distinguish between
the two types of files. Drop SUPPORT_FILES{,_PERMS} and modify the
packages in pkgsrc accordingly.
around at either build-time or at run-time is:
USE_TOOLS+= perl # build-time
USE_TOOLS+= perl:run # run-time
Also remove some places where perl5/buildlink3.mk was being included
by a package Makefile, but all that the package wanted was the Perl
executable.
Remove an instance of ${TYPE} from pkgsrc. The use of the private
variable _INSTALL_CMD is only temporary until we switch over to the
new tools framework.
The committed version has an additional | (pipe) character in it,
breaking the sed and causing an empty apxs file.
Replacing the pipes with commas does not help either, because then
the backquoted command gets embedded into apxs instead of the
correct pathname.
Bump PKGREVISION because this broke at least ap-php and ap-ssl.
And always is defined as share/examples/rc.d
which was the default before.
This rc.d scripts are not automatically added to PLISTs now also.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
gets restarted when "/etc/rc.d/apache restart" is used. This fixes
PR pkg/24179 for the "apache" package.
Based on a similar change for the apache2 package.
Bump PKGREVISION.
by other package Makefiles, and with the deprecation of USE_BUILDLINK3
support in the infrastructure files, these had the potential to break
existing packages.
Previously rc.d/apache was updated to run stop & start for restart.
'/etc/rc.d/apache restart' then picked up startssl if apache was not
running, but if apache was running it has a large chance of the
start running before the stop completes, leaving no httpd running.
Instead, add a restartssl option to apachectl, and use it.
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.
This is from ideas from Greg Woods and others.
Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
header file #includes <dlfcn.h>, so we need to include
dlopen.buildlink3.mk so that dlfcn.h can be found by packages which
use httpd/os.h.
XXX this is not entirely correct, but works around the problem
XXX sufficiently. the problem is that Darwin (7.7.x) has dlopen() and
XXX friends but does not provide prototypes in dlfcn.h (or anywhere else).
The main security vulnerabilities addressed in 1.3.33 are:
* CAN-2004-0940 (cve.mitre.org)
Fix potential buffer overflow with escaped characters in SSI tag string.
* CAN-2004-0492 (cve.mitre.org)
Reject responses from a remote server if sent an invalid
(negative) Content-Length.
New features
* Win32: Improve error reporting after a failed attempt to
spawn a piped log process or rewrite map process.
* Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT. It
controls how UseCanonicalName Off determines the port value if
the client doesn't provide one in the Host header. If defined
during compilation, UseCanonicalName Off will use the physical
port number to generate the canonical name. If not defined, it
tries the current Port value followed by the default port for
the current scheme.
The following bugs were found in Apache 1.3.31 (or earlier) and
have been fixed in Apache 1.3.33:
* mod_rewrite: Fix query string handling for proxied URLs. PR 14518.
* mod_rewrite: Fix 0 bytes write into random memory position. PR 31036.
* mod_digest: Fix nonce string calculation since 1.3.31 which
would force re-authentication for every connection if
AuthDigestRealmSeed was not configured. PR 30920.
* Fix trivial bug in mod_log_forensic that caused the child to
seg fault when certain invalid requests were fired at it with
forensic logging is enabled. PR 29313.
* No longer breaks mod_dav, frontpage and others. Repair a
patch in 1.3.31 which prevented discarding the request body
for requests that will be keptalive but are not currently
keptalive. PR 29237.
- mod_rewrite: Fix query string handling for proxied URLs. PR 14518.
[michael teitler <michael.teitler cetelem.fr>,
Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]
- mod_rewrite: Fix 0 bytes write into random memory position.
PR 31036. [André Malo]
- mod_digest: Fix nonce string calculation since 1.3.31 which
would force re-authentication for every connection if
AuthDigestRealmSeed was not configured. PR 30920. [Joe Orton]
- Trigger an error when a LoadModule directive attempts to
load a module which is built-in. This is a common error when
switching from a DSO build to a static build.
[Jeff Trawick, Geoffrey Young]
- Fix trivial bug in mod_log_forensic that caused the child
to seg fault when certain invalid requests were fired at it with
forensic logging is enabled. PR 29313.
[Will Slater <Will Slater orbisuk.com>]
- Fix memory leak in the cache handling of mod_rewrite. PR 27862.
[chunyan sheng <shengperson yahoo.com>, André Malo]
- mod_rewrite no longer confuses the RewriteMap caches if
different maps defined in different virtual hosts use the
same map name. PR 26462. [André Malo]
- mod_setenvif: Remove "support" for Remote_User variable which
never worked at all. PR 25725. [André Malo]
- mod_usertrack: Escape the cookie name before pasting into the
regexp. [André Malo]
- Win32: Improve error reporting after a failed attempt to spawn a
piped log process or rewrite map process. [Jeff Trawick]
- SECURITY: CAN-2004-0492 (cve.mitre.org)
Reject responses from a remote server if sent an invalid (negative)
Content-Length. [Mark Cox]
- Fix a bunch of cases where the return code of the regex compiler
was not checked properly. This affects mod_usertrack and
core. PR 28218. [André Malo]
- No longer breaks mod_dav, frontpage and others. Repair a patch
in 1.3.31 which prevented discarding the request body for requests
that will be keptalive but are not currently keptalive. PR 29237.
[Jim Jagielski, Rasmus Lerdorf]
- COMPATIBILITY: Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT.
It controls how UseCanonicalName Off determines the port value if
the client doesn't provide one in the Host header. If defined during
compilation, UseCanonicalName Off will use the physical port number to
generate the canonical name. If not defined, it tries the current Port
value followed by the default port for the current scheme.
[Jim Jagielski]
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
into the bsd.options.mk framework. Instead of appending to
${PKG_OPTIONS_VAR}, it appends to PKG_DEFAULT_OPTIONS. This causes
the default options to be the union of PKG_DEFAULT_OPTIONS and any
old USE_* and FOO_USE_* settings.
This fixes PR pkg/26590.
Fix rc.d/apache restart to 'apache_doit stop; apache_doit start'
Now in the case of apache_start=startssl and apache not running,
'rc.d/apache restart' will start apache with startssl.
for each package can be determined by invoking:
make show-var VARNAME=PKG_OPTIONS_VAR
The old options are still supported unless the variable named in
PKG_OPTIONS_VAR is set within make(1) (usually via /etc/mk.conf).
Apache 1.3.31 Major changes
Security vulnerabilities
* CAN-2003-0987 (cve.mitre.org)
In mod_digest, verify whether the nonce returned in the client
response is one we issued ourselves. This problem does not affect
mod_auth_digest.
* CAN-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog.
* CAN-2004-0174 (cve.mitre.org)
Fix starvation issue on listening sockets where a short-lived
connection on a rarely-accessed listening socket will cause a
child to hold the accept mutex and block out new connections until
another connection arrives on that rarely-accessed listening socket.
* CAN-2003-0993 (cve.mitre.org)
Fix parsing of Allow/Deny rules using IP addresses without a
netmask; issue is only known to affect big-endian 64-bit
platforms
New features
New features that relate to specific platforms:
* Linux 2.4+: If Apache is started as root and you code
CoreDumpDirectory, core dumps are enabled via the prctl() syscall.
New features that relate to all platforms:
* Add mod_whatkilledus and mod_backtrace (experimental) for
reporting diagnostic information after a child process crash.
* Add fatal exception hook for running diagnostic code after a
crash.
* Forensic logging module added (mod_log_forensic)
* '%X' is now accepted as an alias for '%c' in the
LogFormat directive. This allows you to configure logging
to still log the connection status even with mod_ssl
Bugs fixed
The following noteworthy bugs were found in Apache 1.3.29 (or earlier)
and have been fixed in Apache 1.3.31:
* Fix memory corruption problem with ap_custom_response() function.
The core per-dir config would later point to request pool data
that would be reused for different purposes on different requests.
* mod_usertrack no longer inspects the Cookie2 header for
the cookie name. It also no longer overwrites other cookies.
* Fix bug causing core dump when using CookieTracking without
specifying a CookieName directly.
* UseCanonicalName off was ignoring the client provided
port information.
the RCD_SCRIPTS rc.d script(s) to the PLIST.
This GENERATE_PLIST idea is part of Greg A. Woods'
PR #22954.
This helps when the RC_SCRIPTS are installed to
a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later,
the default RCD_SCRIPTS_EXAMPLEDIR will be changed
to be more clear that they are the examples.)
These patches also remove the etc/rc.d/ scripts from PLISTs
(of packages that use RCD_SCRIPTS). (This also removes
now unused references from openssh* makefiles. Note that
qmail package has not been changed yet.)
I have been doing automatic PLIST registration for RC_SCRIPTS
for over a year. Not all of these packages have been tested,
but many have been tested and used.
Somethings maybe to do:
- a few packages still manually install the rc.d scripts to
hard-coded etc/rc.d. These need to be fixed.
- maybe remove from mk/${OPSYS}.pkg.dist mtree specifications too.
SECURITY [CAN-2003-0020]: escape arbitrary data before writing into the errorlog
The three patches are from Apache cvs.
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/
Also bump PKGREVISION too.
