66dbe664de
Requested by Moritz Wilhelmy on IRC. Vulnerabilities fixed: * CVE-2011-2191 Cross-site request forgery (CSRF) vulnerability in Cherokee-admin in Cherokee before 1.2.99 allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences, as demonstrated by a crafted nickname field to vserver/apply. * CVE-2011-2190 The generate_admin_password function in Cherokee before 1.2.99 uses time and PID values for seeding of a random number generator, which makes it easier for local users to determine admin passwords via a brute-force attack. New features (excerpt): * Caching policies support * Custom header can be defined inside rules * Improved Index Page * Kqueue is now used by default on MacOS X and *BSD * New option to disable the use of SSLv2 * Wild cards are now supported in dirlist fields * Redirection entries can be reordered * ${vserver_name_req} in logger 'Custom' * Cherokee-admin can be shut down from within * TLS/SSL supports the 'IP per VServer' workaround now * Virtual Server complex match support (OR rules) * Redirection error handler has a 'default' option now * New ${root_domain} macro in Advanced Virtual Hosting * Failover load balancing plug-in * cherokee-admin-launcher tool * Information Source name resolution pre-caching * Gzip and Default is configurable now (#1054) * ${http_host}, ${http_referrer}, and ${http_user_agent} (#896) * Much better OPTIONS support * Documentation improvements * Information Sources can be reordered now (*CGI handlers) * X-Sendfile and X-Accel-Redirect support in the proxy * Shared memory implementation (no longer SysV) (#537) * Logger custom. New macro: ${http_cookie} * Virtual Host regex group replacement (^ parameters) * --with-cgiroot in configure * -i / --disable-iocache param in cherokee-admin * 'Server Info' extended to support accepts and timeouts * cherokee-admin-launcher accepts SIGHUP now * CTK_COOKIE security enhancement * Enhanced pre-saving validations * Interpreter env. vars can embedded $VARs evaluation * QA bench can be run without installing Cherokee first * OS tuning documentation * Regex against full header match * Nick name match is optional on VServers (#1075) * Front-Line Cache (beta) * Cherokee Distribution (beta) * CHEROKEE_TRACE special "from=<ip>" support * SSL/TLS Wizard * SSI recursive includes * "UNIX socket in a abstract namespace" support * Adds SHA512 support to the MySQL validator * HSTS (HTTP Strict Transport Security) support |
||
---|---|---|
.. | ||
files | ||
patches | ||
DESCR | ||
distinfo | ||
Makefile | ||
MESSAGE | ||
options.mk | ||
PLIST |