Give Apache a user and group by default, not only with suexec.
The variables for this have changed from APACHE_SUEXEC_USER and
APACHE_SUEXEC_GROUP to APACHE_USER and APACHE_GROUP.
Mention 'Apache' in COMMENT.
Use variables for the version number instead of copying it around.
Bump PKGREVISION.
For apache{,6}:
Change paths to /var/httpd instead of /var/spool/httpd.
Honour STRIPFLAG.
Add --without-confadjust as configure argument.
Enable the 'define' module.
For apache:
Enable proxy module on NOPIC platforms.
Some of these changes are based on pkg/17469 by Greg A. Woods, some on
comments by Johnny Lam.
Reviewed by Johnny Lam.
bump PKGREVISION.
Changes with mod_ssl 2.8.10 (19-Jun-2002 to 24-Jun-2002)
*) Fixed off-by-one buffer overflow bug in the compatibility
functionality (mapping of old directives to new ones).
*) Fixed memory leak in processing of CA certificates.
*) In case there is actually a certificate chain in the session cache,
we now use the value of SSL_get_peer_certificate(ssl) to verify as
it will have been removed from the chain before it was put in the
cache.
*) Seed the PRNG with a maximum of 1K from the internal scoreboard.
Custom mod_ssl eapi patch used for now, since update of mod_ssl for 1.3.26
isn't available yet.
This fixes the CAN-2002-0392 (mitre.org) [CERT VU#944335] security
issue. For full list of changes, see
http://www.apache.org/dist/httpd/CHANGES_1.3
Relevant changes from version 1.3.23 include:
* Prevent invalid client hostnames from appearing in the log file.
* Various mod_proxy improvements, such as the new ProxyIOBufferSize
directive.
* The new ''IgnoreCase' keyword to the IndexOptions directive.
* mod_rewrite's 'rnd' was broken and has been fixed.
* The '-S' option of 'apxs' was not able to handle quotes; also 'apxs'
is now rebuilt when options are changed.
* proxy now correctly handles Cookies and X-Cache headers.
* Fixed a problem in TPF when we were using the wrong subpool when
opening the error log.
* pthread accept() mutexes on Solaris were broken (since we were
not linking against pthread)
the EAPI patches from modssl-2.8.7-1.3.23. Also, link against the MM
Shared Memory library (devel/libmm) to provide shared memory support in
Apache/EAPI. For example, this allows mod_ssl to use a high-performance
RAM-based session cache instead of a disk-based one.
The main new features in 1.3.23 (compared to 1.3.22) are:
* HTTP/1.1 support for mod_proxy.
* Other mod_proxy improvements.
* The new 'FileETag' directive to allow one to build the
format of the ETag via runtime directives.
* Addition of a 'filter callback' function to enable modules to
intercept the output byte stream for dynamic page caching.
The following bugs were found in Apache 1.3.22 and have been fixed in
Apache 1.3.23:
* Fix incorrect "Content-Length" header in the 416 response.
* Revert mod_negotation's handling of path_info and query_args
to the 1.3.20 behavior (PRs: 8628, 8582, 8538).
* Prevent an Apache module from being loaded or added twice due
to duplicate LoadModule or AddModule directives.
from source instead of installing from a binary package (problem noted in
private email by George Coulouris <george@coulouris.org>. Also move the
ownership of SSL-related config directories to the www/ap-ssl package.
--suexec-* configure options that are passed directly to the Apache
configure script. This may be used to tune the suEXEC configuration
in more restrictive ways, e.g. --suexec-uidmin=1000. This solution
is more open-ended than the fix proposed in pkg/14973. Also, we
don't duplicate all of the options from the Apache configure script
in pkgsrc bsd.pkg.defaults.mk. This closes pkg/14973 by Eric
Schnoebelen <eric@cirr.com>
(2) For namespace consistency, deprecate APACHE_USER in favor of
APACHE_SUEXEC_USER. Move APACHE_USER into bsd.pkg.obsolete.mk.
(3) Create the suEXEC user when the functionality is enabled in the server
so that CGI scripts will work properly. This closes pkg/14903 by
Wojciech Puchar <wojtek@3miasto.net>
This value may be customized in various ways:
PKG_SYSCONFBASE is the main config directory under which all package
configuration files are to be found.
PKG_SYSCONFSUBDIR is the subdirectory of PKG_SYSCONFBASE under which the
configuration files for a particular package may be found.
PKG_SYSCONFDIR.${PKGBASE} overrides the value of ${PKG_SYSCONFDIR} for a
particular package.
Users will typically want to set PKG_SYSCONFBASE to /etc, or accept the
default location of ${PREFIX}/etc.
This obsoletes the use of CONFDIR, which was active for only 6 days, so no
need to have a workaround to still accept old CONFDIR settings.
bsd.pkg.install.mk:
* Remove old DEINSTALL/INSTALL scripts.
* Move some text printed at POST-INSTALL time into the MESSAGE file.
* Adjust rc.d scripts to respect rc.conf settings, so that the
script may be directly copied into /etc/rc.d.
apxs are now installed with "${INSTALL} -c -o ${LIBOWN} -g ${LIBGRP}",
which should do the right thing regardless of the platform. ${INSTALL} is
replaced with the full path to the install program used by pkgsrc, which
should be /usr/bin/install on NetBSD, and /usr/ucb/install on Solaris.
This should fix pkg/14232 by Pierre Bourgin.
using the pkgsrc expat library instead of the builtin one (this is to
avoid conflicts between expat libraries when an expat XML parser is loaded
by either mod_perl or mod_php), and:
Security vulnerabilities
* A vulnerability was found in the split-logfile support program. A
request with a specially crafted Host: header could allow any file
with a .log extension on the system to be written to.
* A vulnerability was found when Multiviews are used to negotiate
the directory index. In some configurations, requesting a URI with
a QUERY_STRING of M=D could return a directory listing rather than
the expected index page.
General bug fixes and improvements
* Bug fixes
* The supplied icons are now also distributed in PNG format
* New directives have been added to the mod_usertrack module, The
first, CookieDomain, can be used to customise the Domain
attribute.
* A new directive, AcceptMutex, allows run-time configuration of the
mutex type used for accept serialization.
* mod_auth has been enhanced to allow access to a document to be
controlled based on the owner of the file being served.
* A new directive, AcceptFilter, has been added to control BSD
accept filters at run-time. The functionality can postpone the
requirement for a child process to handle a new connection until
an HTTP request has arrived, therefore increasing the number of
connections that a given number of child processes can handle
On NetBSD, we need to link libgcc.a whole-archive so that certain symbols
from the C++ implementation (__get_eh_context, etc.) referenced by DSOs
written in C++ will resolve correctly. This makes php4-sablot work with
mod_php4.so (from ap-php4) on ELF platforms when loaded by Apache's httpd.
foo-* to foo-[0-9]*. This is to cause the dependencies to match only the
packages whose base package name is "foo", and not those named "foo-bar".
A concrete example is p5-Net-* matching p5-Net-DNS as well as p5-Net. Also
change dependency examples in Packages.txt to reflect this.
NetBSD Packages Collection (pkgsrc) changes:
* Modify French page in same way as the English page. Translation
provided by Remi Zara <remi_zara@mac.com> in private e-mail.
* Use EAPI patches from mod_ssl-2.8.4-1.3.20.
* Unify repeated SED replacement info for config.layout, apache.sh,
DEINSTALL, and INSTALL into one location, FILES_SUBST.
* Modify patch to apxs to use 0:0 instead of root:wheel, as some
non-NetBSD systems don't have a wheel group.
The general bug fixes:
* Eliminate a potential segfault if an invalid floating point value
is passed to the ap_snprintf() function, on platforms supporting
isnan() and isinf().
* Fix a possible segfault at startup in the detection of a default
ServerName or IP string when no ServerName was specified.
* Fixed mod_proxy to retain empty headers, as allowed by RFC2068.
* Properly resolve the location of ndbm on Linux and some glibc2
builds, where ndbm.h is in the nonstandard db1/ subdir.
The main new features include:
* Enhanced rotatelogs to allow a UTC offset to be specified, and
the format logfile names with human-readable date/time stamps.
* Added the NOESCAPE (NS) flag to RewriteRule, to disable *all*
normal URI escaping. Note incautious use can give unexpected
results or introduce security risks.
* Added the '\' character to RewriteRule to allow escaping of
special characters. Allows embedding of both the '$' and '%'
characters in the results, so 'foo\$1' translates to 'foo$1'
rather than 'foo\<value of $1>'.
* Added the -V flag to suexec, to display the compile-time settings
with which it was built. (Only valid for root or the HTTPD_USER
username.)
* Introduced EBCDIC conversion configuration options, controlling the
conversion based on MIME type or file suffix.
the updated EAPI patches from mod_ssl-2.8.3-1.3.19 which includes the
following fix:
*) Fixed EAPI context usage in http_request.c: a context pointer
potentially can be NULL requests and can cause a segfault if
dereferenced.
config.layout file instead of specifying every directory as on option to
the Apache configure script. This layout file might be useful later when
we package Apache 2.x. I also reordered a few lines so that it's easier
to diff apache/Makefile and apache6/Makefile (hi itojun!). Also build
the mod_define shared module from the mod_ssl sources.
Relevant changes from version 1.3.17.1 include:
*) Rewrite ap_unparse_uri_components() to make it safer and more readable
*) Under certain circumstances, Apache did not supply the
right response headers when requiring authentication.
*) Clean up some end-of-loop not reached warnings
*) Add the correct language tag for interoperation with the Taiwanese
versions of MSIE and Netscape.
*) Workaround enabled for a core dump which appeared in broken
NameVirtualHost configurations.
*) Sporadic core dump in ap_default_port_for_scheme() with
internal requests
*) SECURITY: The default installation could lead to mod_negotiation
and mod_dir/mod_autoindex displaying a directory listing instead of
the index.html.* files, if a very long path was created artificially
by using many slashes. Now a 403 FORBIDDEN is returned.
*) Trailing slashes (if they exist) are now removed from ServerRoot,
because there were known problems with them.
*) TPF startup/shutdown fixes.
*) Correct a typo in httpd.conf.
*) Get the correct IP address if ServerName isn't set and we can't
find a fully-qualified domain name at startup.
*) Fix pointer arithmetic in mod_rewrite map expansion.
*) Fixed a problem with file extensions being truncated during
the call to ap_os_canonical_filename().
(hope it is the right way).
>There's another bug in RewriteMap handling in Apache 1.3.17, which
>causes ${} expansions to be completely ignored. This patch fixes it.
-) Remove patch to avoid dlclose()ing on NetBSD. The mod_perl vs. perl CGI
mis-interaction seems to be gone and I wasn't able to reproduce it on my
system.
*) Fix the declaration of the module structure in mod_example.
*) Fix the handling of variable expansion look-ahead in mod_rewrite,
i.e. syntax like %{LA-U:REMOTE_USER}, and also fix the parsing of
more complicated nested RewriteMap lookups.
*) mod_status now respects ?refresh=n of 1 or greater. If the given
refresh value is not a number, ?refresh is set to 1 second.
*) Accomodate an out-of-space condition in the piped logs and the
rotatelogs.c code, and no longer churn log processes for this condition.
*) Make cgi-bin work as a regular directory when using mod_vhost_alias
with no VirtualScriptAlias directives.
*) Move the check of the Expect request header field after the hook
for ap_post_read_request, since that is the only opportunity for
modules to handle Expect extensions.
*) Eliminate caching problems of mod_autoindex results, so the last
modified date of the directory is returned as the Last-Modified
and ETag HTTP header tags are sent if IndexOptions TrackModified
directive/option is used.
*) Correct an issue with Alias and ScriptAlias directives that
file path arguments were not normalized in canonical form.
This correction makes no attempt to normalize regular expression
forms of Alias or ScriptAlias.
*) Add a new LogFormat directive, %c, that will log connection
status at the end of the response.
*) Update the mime.types file to the registered media types as of 2000-10-19.
*) Restore functionality broken by the mod_rewrite security fix:
rewrite map lookup keys and default values are now expanded
so that the lookup can depend on the requested URI etc.
1.3.14.1, adding a superminor version number to indicate possible EAPI
update.
*) Fixed the parsing of SSLSessionCache directives. The prefixes were
incorrectly skipped and leaded to "unable to open semaphore file"
errors.
The security fixes are:
* A problem with the Rewrite module, mod_rewrite, allowed access to
any file on the web server under certain circumstances
* The handling of Host: headers in mass virtual hosting
configurations, mod_vhost_alias, could allow access to any file on
the server
* If a cgi-bin directory is under the document root, the source to
the scripts inside it could be sent if using mass virtual hosting
The main new features include:
* Support for a directory-based configuration system. If any of the
configuration directives point to directories instead of files,
all files in that directory (and in subdirectories) will be also
parsed as configuration files
* Support name-based virtual hosting without needing to specify an
IP address in the Apache configuration file. This enables sites
that use dynamic IP addresses to support name-based virtual
hosting as well as allowing identical machines to share a
configuration file, say in a load-balanced cluster
* The SetEnvIf and BrowserMatch range of directives are now able to
be used in .htaccess files.
* Administrators who are nervous about their full server version
details being public can use the new keyword 'ProductOnly' in the
ServerTokens directive. This keyword forces the server to only
return the string "Apache" as the server version.
* The new digest authentication module, mod_auth_digest has had a
number of fixes and upgrades applied
EAPI didn't change so no need to change Apache's version number.
Also standardize package builds to have Apache listen on ports 80/443
regardless of UID of user that builds the package, and make MAINTAINER
point to me.
package admin where the cruft is that may need to be manually removed.
* Factor out the making of extra directories and the copying of config files
into a separate INSTALL script.
* Rearrange the Makefile a bit to handle changes in the PLIST.
* Remove erroneous information from pkg/DESCR.
bump; EAPI is unchanged)
- Remove restriction of mod_include to disallow "../" or "/" prefixed
file names in <!--#include file=""--> if Includes (but not
IncludesNOEXEC) is set; proposed in Apache PR mod_include/3500
- Add signature for hook function used to do mod_include callbacks
(perl-embedded SSI was not working with new 4 argument call)
ap_include_extern_func's (needed for a couple upcoming XSSI-extending
modules). Also fix apxs to use `install' and fix the cgi-bin
`preservation' while we're here.
- Now that bsd.pkg.mk filters out dlopen style .so's on NOPIC systems,
re-merge the PLIST.
- Rewrite apache-modssl's Makefile and PLIST to share apache's, reducing
logic duplication.
- New, optional Makefile variable HOMEPAGE, specifies a URL for
the home page of the software if it has one.
- The value of HOMEPAGE is used to add a link from the
README.html files.
- pkglint updated to know about it. The "correct" location for
HOMEPAGE in the Makefile is after MAINTAINER, in that same
section.
the package (albeit in a rather kludgy way).
* Update order of @dirrm statements in PLIST files so that the
pkg_delete deletes the directories properly.
* Note in description that proxy support is in.
- Now uses APACI, Apache's GNU-autoconf-style (but not GNU autoconf)
configuration system to configure, build, and install
- Enables build and install of all `support' tools
- Enables use of shared modules, and compiles mod_include dynamically
- Installs the Apache user manual by default.
