The NetBSD Project

CVS log for pkgsrc/www/apache22/Attic/distinfo

Default branch: MAIN
Revision 1.69, Mon Jan 1 10:28:50 2018 UTC (21 months, 2 weeks ago) by wiz
Branch: MAIN
CVS Tags: HEAD
Changes since 1.68: +1 -1 lines
FILE REMOVED

apache22: remove package itself

Revision 1.67.4.1, Mon Nov 13 17:05:50 2017 UTC (23 months ago) by spz
Branch: pkgsrc-2017Q3
Changes since 1.67: +5 -1 lines
Diff to previous 1.67; next main 1.68

Pullup ticket #5643 - requested by he
www/apache22: security patch

Revisions pulled up:
- www/apache22/Makefile                                         1.114
- www/apache22/distinfo                                         1.68

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Thu Sep 28 04:58:29 UTC 2017

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo

   Log Message:
   apache: update to 2.2.34nb1.

   Apply upstream patch to fix CVE-2017-9798.


   To generate a diff of this commit:
   cvs rdiff -u -r1.113 -r1.114 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.67 -r1.68 pkgsrc/www/apache22/distinfo

Revision 1.68, Thu Sep 28 04:58:29 2017 UTC (2 years ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2017Q4-base, pkgsrc-2017Q4
Changes since 1.67: +5 -1 lines
Diff to previous 1.67

apache: update to 2.2.34nb1.

Apply upstream patch to fix CVE-2017-9798.

Revision 1.66.4.1, Sun Jul 23 16:35:18 2017 UTC (2 years, 2 months ago) by spz
Branch: pkgsrc-2017Q2
Changes since 1.66: +5 -5 lines
Diff to previous 1.66; next main 1.67

Pullup ticket #5520 - requested by taca
www/apache22: security update

Revisions pulled up:
- www/apache22/Makefile                                         1.113
- www/apache22/distinfo                                         1.67

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Wed Jul 12 07:00:40 UTC 2017

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo

   Log Message:
   Changes with Apache 2.2.34

     *) Allow single-char field names inadvertently disallowed in 2.2.32.

   Changes with Apache 2.2.33 (not released)

     *) SECURITY: CVE-2017-7668 (cve.mitre.org)
        The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
        bug in token list parsing, which allows ap_find_token() to search past
        the end of its input string. By maliciously crafting a sequence of
        request headers, an attacker may be able to cause a segmentation fault,
        or to force ap_find_token() to return an incorrect value.

     *) SECURITY: CVE-2017-3169 (cve.mitre.org)
        mod_ssl may dereference a NULL pointer when third-party modules call
        ap_hook_process_connection() during an HTTP request to an HTTPS port.

     *) SECURITY: CVE-2017-3167 (cve.mitre.org)
        Use of the ap_get_basic_auth_pw() by third-party modules outside of the
        authentication phase may lead to authentication requirements being
        bypassed.

     *) SECURITY: CVE-2017-7679 (cve.mitre.org)
        mod_mime can read one byte past the end of a buffer when sending a
        malicious Content-Type response header.

     *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.


   To generate a diff of this commit:
   cvs rdiff -u -r1.112 -r1.113 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.66 -r1.67 pkgsrc/www/apache22/distinfo

Revision 1.67, Wed Jul 12 07:00:40 2017 UTC (2 years, 3 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base, pkgsrc-
Branch point for: pkgsrc-2017Q3
Changes since 1.66: +5 -5 lines
Diff to previous 1.66

Changes with Apache 2.2.34

  *) Allow single-char field names inadvertently disallowed in 2.2.32.

Changes with Apache 2.2.33 (not released)

  *) SECURITY: CVE-2017-7668 (cve.mitre.org)
     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
     bug in token list parsing, which allows ap_find_token() to search past
     the end of its input string. By maliciously crafting a sequence of
     request headers, an attacker may be able to cause a segmentation fault,
     or to force ap_find_token() to return an incorrect value.

  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
     mod_ssl may dereference a NULL pointer when third-party modules call
     ap_hook_process_connection() during an HTTP request to an HTTPS port.

  *) SECURITY: CVE-2017-3167 (cve.mitre.org)
     Use of the ap_get_basic_auth_pw() by third-party modules outside of the
     authentication phase may lead to authentication requirements being
     bypassed.

  *) SECURITY: CVE-2017-7679 (cve.mitre.org)
     mod_mime can read one byte past the end of a buffer when sending a
     malicious Content-Type response header.

  *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.

Revision 1.65.4.1, Fri Feb 3 11:26:04 2017 UTC (2 years, 8 months ago) by bsiegert
Branch: pkgsrc-2016Q4
Changes since 1.65: +5 -10 lines
Diff to previous 1.65; next main 1.66

Pullup ticket #5204 - requested by sevan
www/apache2: security fix

Revisions pulled up:
- www/apache22/Makefile                                         1.111
- www/apache22/distinfo                                         1.66
- www/apache22/patches/patch-include_ap_mmn.h                   deleted
- www/apache22/patches/patch-modules_proxy_mod_proxy.c          deleted
- www/apache22/patches/patch-modules_proxy_mod_proxy.h          deleted
- www/apache22/patches/patch-modules_proxy_proxy_util.c         deleted
- www/apache22/patches/patch-server_util__script.c              deleted

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Mon Jan 16 14:34:42 UTC 2017

   Modified Files:
           pkgsrc/www/apache22: Makefile distinfo
   Removed Files:
           pkgsrc/www/apache22/patches: patch-include_ap_mmn.h
               patch-modules_proxy_mod_proxy.c patch-modules_proxy_mod_proxy.h
               patch-modules_proxy_proxy_util.c patch-server_util__script.c

   Log Message:
   Changes with Apache 2.2.32

     *) SECURITY: CVE-2016-8743 (cve.mitre.org)
        Enforce HTTP request grammar corresponding to RFC7230 for request lines
        and request headers, to prevent response splitting and cache pollution by
        malicious clients or downstream proxies.

     *) Validate HTTP response header grammar defined by RFC7230, resulting
        in a 500 error in the event that invalid response header contents are
        detected when serving the response, to avoid response splitting and cache
        pollution by malicious clients, upstream servers or faulty modules.

     *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.

     *) core: Avoid a possible truncation of the faulty header included in the
        HTML response when LimitRequestFieldSize is reached.

     *) core: Enforce LimitRequestFieldSize after multiple headers with the same
        name have been merged.

     *) core: Drop Content-Length header and message-body from HTTP 204 responses.

     *) core: Permit unencoded ';' characters to appear in proxy requests and
        Location: response headers. Corresponds to modern browser behavior.

     *) core: ap_rgetline_core now pulls from r->proto_input_filters.

     *) core: Correctly parse an IPv6 literal host specification in an absolute
        URL in the request line.

     *) core: New directive RegisterHttpMethod for registering non-standard
        HTTP methods.

     *) core: Limit to ten the number of tolerated empty lines between requests.

     *) core: reject NULLs in request line or request headers.

     *) mod_proxy: Use the correct server name for SNI in case the backend
        SSL connection itself is established via a proxy server.

     *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
        directives.

     *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3.

     *) mod_proxy: Correctly consider error response codes by the backend when
        processing failonstatus.

     *) mod_proxy: Play/restore the TLS-SNI on new backend connections which
        had to be issued because the remote closed the previous/reusable one
        during idle (keep-alive) time.

     *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.

     *) mod_proxy: Fix a regression with 2.2.31 that caused inherited workers to
        use a different scoreboard slot than the original one.

     *) mod_proxy: Fix a race condition that caused a failed worker to be retried
        before the retry period is over.

     *) mod_proxy: don't recycle backend announced "Connection: close" connections
        to avoid reusing it should the close be effective after some new request
        is ready to be sent.

     *) mod_mem_cache: Fix concurrent removal of stale entries which could lead
        to a crash.

     *) mime.types: add common extension "m4a" for MPEG 4 Audio.

     *) mod_substitute: Allow to configure the patterns merge order with the new
        SubstituteInheritBefore on|off directive.

     *) mod_mem_cache: Don't cache incomplete responses when the client
        connection is aborted before the body is fully read.

     *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
        failures under Visual Studio 2015 and other mismatched MSVCRT flavors.

     *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.

Revision 1.66, Mon Jan 16 14:34:42 2017 UTC (2 years, 9 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base, pkgsrc-2017Q1-base, pkgsrc-2017Q1
Branch point for: pkgsrc-2017Q2
Changes since 1.65: +5 -10 lines
Diff to previous 1.65

Changes with Apache 2.2.32

  *) SECURITY: CVE-2016-8743 (cve.mitre.org)
     Enforce HTTP request grammar corresponding to RFC7230 for request lines
     and request headers, to prevent response splitting and cache pollution by
     malicious clients or downstream proxies.

  *) Validate HTTP response header grammar defined by RFC7230, resulting
     in a 500 error in the event that invalid response header contents are
     detected when serving the response, to avoid response splitting and cache
     pollution by malicious clients, upstream servers or faulty modules.

  *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.

  *) core: Avoid a possible truncation of the faulty header included in the
     HTML response when LimitRequestFieldSize is reached.

  *) core: Enforce LimitRequestFieldSize after multiple headers with the same
     name have been merged.

  *) core: Drop Content-Length header and message-body from HTTP 204 responses.

  *) core: Permit unencoded ';' characters to appear in proxy requests and
     Location: response headers. Corresponds to modern browser behavior.

  *) core: ap_rgetline_core now pulls from r->proto_input_filters.

  *) core: Correctly parse an IPv6 literal host specification in an absolute
     URL in the request line.

  *) core: New directive RegisterHttpMethod for registering non-standard
     HTTP methods.

  *) core: Limit to ten the number of tolerated empty lines between requests.

  *) core: reject NULLs in request line or request headers.

  *) mod_proxy: Use the correct server name for SNI in case the backend
     SSL connection itself is established via a proxy server.

  *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
     directives.

  *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3.

  *) mod_proxy: Correctly consider error response codes by the backend when
     processing failonstatus.

  *) mod_proxy: Play/restore the TLS-SNI on new backend connections which
     had to be issued because the remote closed the previous/reusable one
     during idle (keep-alive) time.

  *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.

  *) mod_proxy: Fix a regression with 2.2.31 that caused inherited workers to
     use a different scoreboard slot than the original one.

  *) mod_proxy: Fix a race condition that caused a failed worker to be retried
     before the retry period is over.

  *) mod_proxy: don't recycle backend announced "Connection: close" connections
     to avoid reusing it should the close be effective after some new request
     is ready to be sent.

  *) mod_mem_cache: Fix concurrent removal of stale entries which could lead
     to a crash.

  *) mime.types: add common extension "m4a" for MPEG 4 Audio.

  *) mod_substitute: Allow to configure the patterns merge order with the new
     SubstituteInheritBefore on|off directive.

  *) mod_mem_cache: Don't cache incomplete responses when the client
     connection is aborted before the body is fully read.

  *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
     failures under Visual Studio 2015 and other mismatched MSVCRT flavors.

  *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.

Revision 1.65, Fri Jul 29 11:10:24 2016 UTC (3 years, 2 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base, pkgsrc-2016Q3-base, pkgsrc-2016Q3
Branch point for: pkgsrc-2016Q4
Changes since 1.64: +2 -1 lines
Diff to previous 1.64

Fix httpoxy vulnerability.
Bump PKGREVISION.

Revision 1.64, Thu Nov 12 15:21:51 2015 UTC (3 years, 11 months ago) by prlw1
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base, pkgsrc-2016Q2, pkgsrc-2016Q1-base, pkgsrc-2016Q1, pkgsrc-2015Q4-base, pkgsrc-2015Q4
Changes since 1.63: +5 -1 lines
Diff to previous 1.63

Fix a regression with Apache 2.2.31 that caused inherited workers to
use a different scoreboard slot than the original one.

https://svn.apache.org/viewvc?view=revision&revision=1700408

Revision 1.63, Wed Nov 4 02:46:49 2015 UTC (3 years, 11 months ago) by agc
Branch: MAIN
Changes since 1.62: +2 -1 lines
Diff to previous 1.62

Add SHA512 digests for distfiles for www category

Problems found locating distfiles:
	Package haskell-cgi: missing distfile haskell-cgi-20001206.tar.gz
	Package nginx: missing distfile array-var-nginx-module-0.04.tar.gz
	Package nginx: missing distfile encrypted-session-nginx-module-0.04.tar.gz
	Package nginx: missing distfile headers-more-nginx-module-0.261.tar.gz
	Package nginx: missing distfile nginx_http_push_module-0.692.tar.gz
	Package nginx: missing distfile set-misc-nginx-module-0.29.tar.gz
	Package nginx-devel: missing distfile echo-nginx-module-0.58.tar.gz
	Package nginx-devel: missing distfile form-input-nginx-module-0.11.tar.gz
	Package nginx-devel: missing distfile lua-nginx-module-0.9.16.tar.gz
	Package nginx-devel: missing distfile nginx_http_push_module-0.692.tar.gz
	Package nginx-devel: missing distfile set-misc-nginx-module-0.29.tar.gz
	Package php-owncloud: missing distfile owncloud-8.2.0.tar.bz2

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.

Revision 1.61.2.1, Wed Sep 9 20:38:53 2015 UTC (4 years, 1 month ago) by tron
Branch: pkgsrc-2015Q2
Changes since 1.61: +4 -5 lines
Diff to previous 1.61; next main 1.62

Pullup ticket #4813 - requested by he
www/apache22: security update

Revisions pulled up:
- www/apache22/Makefile                                         1.105
- www/apache22/distinfo                                         1.62
- www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c      deleted

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Mon Jul 20 18:28:59 UTC 2015

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Removed Files:
   	pkgsrc/www/apache22/patches: patch-modules_ssl_ssl__engine__dh.c

   Log Message:
   Changes with Apache 2.2.31
     *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers.

   Changes with Apache 2.2.30 (not released)
     *) SECURITY: CVE-2015-3183 (cve.mitre.org)
        core: Fix chunk header parsing defect.
        Remove apr_brigade_flatten(), buffering and duplicated code from
        the HTTP_IN filter, parse chunks in a single pass with zero copy.
        Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
        authorized characters.

     *) http: Fix LimitRequestBody checks when there are no more bytes to read.

     *) core: Allow spaces after chunk-size for compatibility with implementations
        using a pre-filled buffer.

     *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
        no longer send warning-level unrecognized_name(112) alerts.

     *) http: Make ap_die() robust against any HTTP error code and not modify
        response status (finally logged) when nothing is to be done.

     *) core, modules: Avoid error response/document handling by the core if some
        handler or input filter already did it while reading the request (causing
        a double response body).

     *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
        5+ instead of just for FreeBSD 5.

     *) mod_proxy: use the original (non absolute) form of the request-line's URI
        for requests embedded in CONNECT payloads used to connect SSL backends via
        a ProxyRemote forward-proxy.

     *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
        internationalization.

     *) mod_log_config: Implement logging for sub second timestamps and
        request end time.

     *) mod_log_config: Ensure that time data is consistent if multiple
        duration patterns are used in combination, e.g. %D and %{ms}T.

     *) mod_log_config: Add "%{UNIT}T" format to output request duration in
        seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").

     *) In alignment with RFC 7525, the default recommended SSLCipherSuite
        and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
        default recommended SSLProtocol and SSLProxyProtocol directives now
        exclude SSLv3. Existing configurations must be adjusted by the
        administrator.

     *) core: Avoid potential use of uninitialized (NULL) request data in
        request line error path.

     *) mod_proxy_http: Use the "Connection: close" header for requests to
        backends not recycling connections (disablereuse), including the default
        reverse and forward proxies.

     *) mod_proxy: Add ap_connection_reusable() for checking if a connection
        is reusable as of this point in processing.

     *) mod_proxy: Reuse proxy/balancer workers' parameters and scores across
        graceful restarts, even if new workers are added, old ones removed, or
        the order changes.

     *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.

     *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
        allowing custom parameters to be configured via SSLCertificateFile,
        and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
        Unless custom parameters are configured, the standardized parameters
        are applied based on the certificate's RSA/DSA key size.

     *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
        keys, and unconditionally disable aNULL, eNULL and EXP ciphers
        (not overridable via SSLCipherSuite).

     *) mod_ssl: Add support for configuring persistent TLS session ticket
        encryption/decryption keys (useful for clustered environments).

     *) SSLProtocol and SSLCipherSuite recommendations in the example/default
        conf/extra/httpd-ssl.conf file are now global in scope, affecting all
        VirtualHosts (matching 2.4 default configuration).

     *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the
        selected DB engine.

     *) Turn static function get_server_name_for_url() into public
        ap_get_server_name_for_url() and use it where appropriate. This
        fixes mod_rewrite generating invalid URLs for redirects to IPv6
        literal addresses.

     *) dav_validate_request: avoid validating locks and ETags when there are
        no If headers providing them on a resource we aren't modifying.

     *) mod_ssl: New directive SSLSessionTickets (On|Off).
        The directive controls the use of TLS session tickets (RFC 5077),
        default value is "On" (unchanged behavior).
        Session ticket creation uses a random key created during web
        server startup and recreated during restarts. No other key
        recreation mechanism is available currently. Therefore using session
        tickets without restarting the web server with an appropriate frequency
        (e.g. daily) compromises perfect forward secrecy.

     *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to
        compile against APR-1.2.x (minimum required version).

     *) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts
        computed for subsequent requests.

Revision 1.62, Mon Jul 20 18:28:59 2015 UTC (4 years, 2 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2015Q3-base, pkgsrc-2015Q3
Changes since 1.61: +4 -5 lines
Diff to previous 1.61

Changes with Apache 2.2.31
  *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers.

Changes with Apache 2.2.30 (not released)
  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
     core: Fix chunk header parsing defect.
     Remove apr_brigade_flatten(), buffering and duplicated code from
     the HTTP_IN filter, parse chunks in a single pass with zero copy.
     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
     authorized characters.

  *) http: Fix LimitRequestBody checks when there are no more bytes to read.

  *) core: Allow spaces after chunk-size for compatibility with implementations
     using a pre-filled buffer.

  *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
     no longer send warning-level unrecognized_name(112) alerts.

  *) http: Make ap_die() robust against any HTTP error code and not modify
     response status (finally logged) when nothing is to be done.

  *) core, modules: Avoid error response/document handling by the core if some
     handler or input filter already did it while reading the request (causing
     a double response body).

  *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
     5+ instead of just for FreeBSD 5.

  *) mod_proxy: use the original (non absolute) form of the request-line's URI
     for requests embedded in CONNECT payloads used to connect SSL backends via
     a ProxyRemote forward-proxy.

  *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
     internationalization.

  *) mod_log_config: Implement logging for sub second timestamps and
     request end time.

  *) mod_log_config: Ensure that time data is consistent if multiple
     duration patterns are used in combination, e.g. %D and %{ms}T.

  *) mod_log_config: Add "%{UNIT}T" format to output request duration in
     seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").

  *) In alignment with RFC 7525, the default recommended SSLCipherSuite
     and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
     default recommended SSLProtocol and SSLProxyProtocol directives now
     exclude SSLv3. Existing configurations must be adjusted by the
     administrator.

  *) core: Avoid potential use of uninitialized (NULL) request data in
     request line error path.

  *) mod_proxy_http: Use the "Connection: close" header for requests to
     backends not recycling connections (disablereuse), including the default
     reverse and forward proxies.

  *) mod_proxy: Add ap_connection_reusable() for checking if a connection
     is reusable as of this point in processing.

  *) mod_proxy: Reuse proxy/balancer workers' parameters and scores across
     graceful restarts, even if new workers are added, old ones removed, or
     the order changes.

  *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.

  *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
     allowing custom parameters to be configured via SSLCertificateFile,
     and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
     Unless custom parameters are configured, the standardized parameters
     are applied based on the certificate's RSA/DSA key size.

  *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
     keys, and unconditionally disable aNULL, eNULL and EXP ciphers
     (not overridable via SSLCipherSuite).

  *) mod_ssl: Add support for configuring persistent TLS session ticket
     encryption/decryption keys (useful for clustered environments).

  *) SSLProtocol and SSLCipherSuite recommendations in the example/default
     conf/extra/httpd-ssl.conf file are now global in scope, affecting all
     VirtualHosts (matching 2.4 default configuration).

  *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the
     selected DB engine.

  *) Turn static function get_server_name_for_url() into public
     ap_get_server_name_for_url() and use it where appropriate. This
     fixes mod_rewrite generating invalid URLs for redirects to IPv6
     literal addresses.

  *) dav_validate_request: avoid validating locks and ETags when there are
     no If headers providing them on a resource we aren't modifying.

  *) mod_ssl: New directive SSLSessionTickets (On|Off).
     The directive controls the use of TLS session tickets (RFC 5077),
     default value is "On" (unchanged behavior).
     Session ticket creation uses a random key created during web
     server startup and recreated during restarts. No other key
     recreation mechanism is available currently. Therefore using session
     tickets without restarting the web server with an appropriate frequency
     (e.g. daily) compromises perfect forward secrecy.

  *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to
     compile against APR-1.2.x (minimum required version).

  *) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts
     computed for subsequent requests.

Revision 1.60.6.1, Sun May 24 11:41:00 2015 UTC (4 years, 4 months ago) by tron
Branch: pkgsrc-2015Q1
Changes since 1.60: +2 -1 lines
Diff to previous 1.60; next main 1.61

Pullup ticket #4733 - requested by sborrill
www/apache22: security patch

Revisions pulled up:
- www/apache22/Makefile                                         1.103
- www/apache22/distinfo                                         1.61
- www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c      1.1

---
   Module Name:	pkgsrc
   Committed By:	sborrill
   Date:		Fri May 22 09:20:20 UTC 2015

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-modules_ssl_ssl__engine__dh.c

   Log Message:
   Add patch to mitigate Logjam TLS vulnerabilities (CVE-2015-4000).
   Based on FreeBSD ports.

Revision 1.61, Fri May 22 09:20:20 2015 UTC (4 years, 4 months ago) by sborrill
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base
Branch point for: pkgsrc-2015Q2
Changes since 1.60: +2 -1 lines
Diff to previous 1.60

Add patch to mitigate Logjam TLS vulnerabilities (CVE-2015-4000).
Based on FreeBSD ports.

Revision 1.59.4.1, Fri Sep 19 11:35:30 2014 UTC (5 years ago) by tron
Branch: pkgsrc-2014Q2
Changes since 1.59: +4 -4 lines
Diff to previous 1.59; next main 1.60

Pullup ticket #4501 - requested by he
www/apache22: security update

Revisions pulled up:
- www/apache22/Makefile                                         1.102
- www/apache22/distinfo                                         1.60

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Tue Sep  9 08:11:48 UTC 2014

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo

   Log Message:
   Changes 2.4.10

     *) SECURITY: CVE-2014-0117 (cve.mitre.org)
        mod_proxy: Fix crash in Connection header handling which
        allowed a denial of service attack against a reverse proxy
        with a threaded MPM.

     *) SECURITY: CVE-2014-3523 (cve.mitre.org)
        Fix a memory consumption denial of service in the WinNT MPM (used in all Windows
        installations). Workaround: AcceptFilter <protocol> {none|connect}

     *) SECURITY: CVE-2014-0226 (cve.mitre.org)
        Fix a race condition in scoreboard handling, which could lead to
        a heap buffer overflow.

     *) SECURITY: CVE-2014-0118 (cve.mitre.org)
        mod_deflate: The DEFLATE input filter (inflates request bodies) now
        limits the length and compression ratio of inflated request bodies to avoid
        denial of service via highly compressed bodies.  See directives
        DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
        and DeflateInflateRatioBurst.

     *) SECURITY: CVE-2014-0231 (cve.mitre.org)
        mod_cgid: Fix a denial of service against CGI scripts that do
        not consume stdin that could lead to lingering HTTPD child processes
        filling up the scoreboard and eventually hanging the server.  By
        default, the client I/O timeout (Timeout directive) now applies to
        communication with scripts.  The CGIDScriptTimeout directive can be
        used to set a different timeout for communication with scripts.

     *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
        resumed by TLS session resumption (RFC 5077).

     *) mod_deflate: Don't fail when flushing inflated data to the user-agent
        and that coincides with the end of stream ("Zlib error flushing inflate
        buffer").

     *) mod_proxy_ajp: Forward local IP address as a custom request attribute
        like we already do for the remote port.

     *) core: Include any error notes set by modules in the canned error
        response for 403 errors.

     *) mod_ssl: Set an error note for requests rejected due to
        SSLStrictSNIVHostCheck.

     *) mod_ssl: Fix issue with redirects to error documents when handling
        SNI errors.

     *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
        larger keys and support up to 8192-bit keys.

     *) mod_dav: Fix improper encoding in PROPFIND responses.

     *) WinNT MPM: Improve error handling for termination events in child.

     *) mod_proxy: When ping/pong is configured for a worker, don't send or
        forward "100 Continue" (interim) response to the client if it does
        not expect one.

     *) mod_ldap: Be more conservative with the last-used time for
        LDAPConnectionPoolTTL.

     *) mod_ldap: LDAP connections used for authn were not respecting
        LDAPConnectionPoolTTL.

     *) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.

     *) event MPM: Fix possible crashes (third-party modules accessing c->sbh)
        or occasional missed mod_status updates under load.

     *) mod_authnz_ldap: Support primitive LDAP servers that do not accept
        filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
        filter "none" to be specified in AuthLDAPURL.

     *) mod_deflate: Fix inflation of files larger than 4GB.

     *) mod_deflate: Handle Zlib header and validation bytes received in multiple
        chunks.

     *) mod_proxy: Allow reverse-proxy to be set via explicit handler.

     *) ab: support custom HTTP method with -m argument.

     *) mod_proxy_balancer: Correctly encode user provided data in management
        interface.

     *) mod_proxy_fcgi: Support iobuffersize parameter.

     *) mod_auth_form: Add a debug message when the fields on a form are not
        recognised.

     *) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
        response.

     *) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
        scheme.

     *) mod_socache_shmcb: Correct counting of expirations for status display.
        Expirations happening during retrieval were not counted.

     *) mod_cache: Retry unconditional request with the full URL (including the
        query-string) when the origin server's 304 response does not match the
        conditions used to revalidate the stale entry.

     *) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
        variables as a result of AliasMatch.

     *) mod_cache: Don't add cached/revalidated entity headers to a 304 response.

     *) mod_proxy_scgi: Support Unix sockets.  ap_proxy_port_of_scheme():
        Support default SCGI port (4000).

     *) mod_cache: Fix AH00784 errors on Windows when the CacheLock directive
        is enabled.

     *) mod_expires: don't add Expires header to error responses (4xx/5xx),
        be they generated or forwarded.

     *) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
        (regression in 2.4.9 release)

     *) mod_authn_socache: Fix crash at startup in certain configurations.

     *) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
        programs to the form used in releases up to 2.4.7, and emulate
        a backwards-compatible behavior for existing setups.

     *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
        OCSP requests should use a nonce to be checked against the responder's
        one.

     *) mod_ssl: "SSLEngine off" will now override a Listen-based default
        and does disable mod_ssl for the vhost.

     *) mod_lua: Enforce the max post size allowed via r:parsebody()

     *) mod_lua: Use binary comparison to find boundaries for multipart
        objects, as to not terminate our search prematurely when hitting
        a NULL byte.

     *) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
        versions before 0.9.8h and not specifying an SSLCertificateChainFile
        (regression introduced with 2.4.8).

     *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
        no longer send warning-level unrecognized_name(112) alerts,
        and limit startup warnings to cases where an OpenSSL version
        without TLS extension support is used.

     *) mod_proxy_html: Avoid some possible memory access violation in case of
        specially crafted files, when the ProxyHTMLMeta directive is turned on.

     *) mod_auth_form: Make sure the optional functions are loaded even when
        the AuthFormProvider isn't specified.

     *) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
        (and logging garbled file names).

     *) mod_ssl: fix merging of global and vhost-level settings with the
        SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
        directives.

     *) mod_headers: Allow the "value" parameter of Header and RequestHeader to
        contain an ap_expr expression if prefixed with "expr=".

     *) rotatelogs: Avoid creation of zombie processes when -p is used on
        Unix platforms.

     *) mod_authnz_fcgi: New module to enable FastCGI authorizer
        applications to authenticate and/or authorize clients.

     *) mod_proxy: Do not try to parse the regular expressions passed by
        ProxyPassMatch as URL as they do not follow their syntax.

     *) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
        under the Event MPM.

     *) mod_proxy_fcgi: Fix sending of response without some HTTP headers
        that might be set by filters.

     *) mod_proxy_html: Do not delete the wrong data from HTML code when a
        "http-equiv" meta tag specifies a Content-Type behind any other
        "http-equiv" meta tag.

     *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
        differs.

     *) Add suspend_connection and resume_connection hooks to notify modules
        when the thread/connection relationship changes.  (Should be implemented
        for any third-party async MPMs.)

     *) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine
        hangups from websockets origin servers.

     *) mod_proxy_wstunnel: Don't pool backend websockets connections,
        because we need to handshake every time.

     *) mod_lua: Redesign how request record table access behaves,
        in order to utilize the request record from within these tables.

     *) mod_lua: Add r:wspeek for peeking at WebSocket frames.

     *) mod_lua: Log an error when the initial parsing of a Lua file fails.

     *) mod_lua: Reformat and escape script error output.

     *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
        from causing response splitting.

     *) mod_lua: Disallow newlines in table values inside the request_rec,
        to prevent HTTP Response Splitting via tainted headers.

     *) mod_lua: Remove the non-working early/late arguments for
        LuaHookCheckUserID.

     *) mod_lua: Change IVM storage to use shm

     *) mod_lua: More verbose error logging when a handler function cannot be
        found.

Revision 1.60 / (download) - annotate - [select for diffs], Tue Sep 9 08:11:48 2014 UTC (5 years, 1 month ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2015Q1-base, pkgsrc-2014Q4-base, pkgsrc-2014Q4, pkgsrc-2014Q3-base, pkgsrc-2014Q3
Branch point for: pkgsrc-2015Q1
Changes since 1.59: +4 -4 lines
Diff to previous 1.59 (colored)

Changes  2.4.10

  *) SECURITY: CVE-2014-0117 (cve.mitre.org)
     mod_proxy: Fix crash in Connection header handling which
     allowed a denial of service attack against a reverse proxy
     with a threaded MPM.

  *) SECURITY: CVE-2014-3523 (cve.mitre.org)
     Fix a memory consumption denial of service in the WinNT MPM (used in all Windows
     installations). Workaround: AcceptFilter <protocol> {none|connect}

  *) SECURITY: CVE-2014-0226 (cve.mitre.org)
     Fix a race condition in scoreboard handling, which could lead to
     a heap buffer overflow.

  *) SECURITY: CVE-2014-0118 (cve.mitre.org)
     mod_deflate: The DEFLATE input filter (inflates request bodies) now
     limits the length and compression ratio of inflated request bodies to avoid
     denial of service via highly compressed bodies.  See directives
     DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
     and DeflateInflateRatioBurst.

  *) SECURITY: CVE-2014-0231 (cve.mitre.org)
     mod_cgid: Fix a denial of service against CGI scripts that do
     not consume stdin that could lead to lingering HTTPD child processes
     filling up the scoreboard and eventually hanging the server.  By
     default, the client I/O timeout (Timeout directive) now applies to
     communication with scripts.  The CGIDScriptTimeout directive can be
     used to set a different timeout for communication with scripts.

  *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
     resumed by TLS session resumption (RFC 5077).

  *) mod_deflate: Don't fail when flushing inflated data to the user-agent
     and that coincides with the end of stream ("Zlib error flushing inflate
     buffer").

  *) mod_proxy_ajp: Forward local IP address as a custom request attribute
     like we already do for the remote port.

  *) core: Include any error notes set by modules in the canned error
     response for 403 errors.

  *) mod_ssl: Set an error note for requests rejected due to
     SSLStrictSNIVHostCheck.

  *) mod_ssl: Fix issue with redirects to error documents when handling
     SNI errors.

  *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
     larger keys and support up to 8192-bit keys.

  *) mod_dav: Fix improper encoding in PROPFIND responses.

  *) WinNT MPM: Improve error handling for termination events in child.

  *) mod_proxy: When ping/pong is configured for a worker, don't send or
     forward "100 Continue" (interim) response to the client if it does
     not expect one.

  *) mod_ldap: Be more conservative with the last-used time for
     LDAPConnectionPoolTTL.

  *) mod_ldap: LDAP connections used for authn were not respecting
     LDAPConnectionPoolTTL.

  *) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.

  *) event MPM: Fix possible crashes (third-party modules accessing c->sbh)
     or occasional missed mod_status updates under load.

  *) mod_authnz_ldap: Support primitive LDAP servers that do not accept
     filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
     filter "none" to be specified in AuthLDAPURL.

  *) mod_deflate: Fix inflation of files larger than 4GB.

  *) mod_deflate: Handle Zlib header and validation bytes received in multiple
     chunks.

  *) mod_proxy: Allow reverse-proxy to be set via explicit handler.

  *) ab: support custom HTTP method with -m argument.

  *) mod_proxy_balancer: Correctly encode user provided data in management
     interface.

  *) mod_proxy_fcgi: Support iobuffersize parameter.

  *) mod_auth_form: Add a debug message when the fields on a form are not
     recognised.

  *) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
     response.

  *) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
     scheme.

  *) mod_socache_shmcb: Correct counting of expirations for status display.
     Expirations happening during retrieval were not counted.

  *) mod_cache: Retry unconditional request with the full URL (including the
     query-string) when the origin server's 304 response does not match the
     conditions used to revalidate the stale entry.

  *) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
     variables as a result of AliasMatch.

  *) mod_cache: Don't add cached/revalidated entity headers to a 304 response.

  *) mod_proxy_scgi: Support Unix sockets.  ap_proxy_port_of_scheme():
     Support default SCGI port (4000).

  *) mod_cache: Fix AH00784 errors on Windows when the CacheLock directive
     is enabled.

  *) mod_expires: don't add Expires header to error responses (4xx/5xx),
     be they generated or forwarded.

  *) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
     (regression in 2.4.9 release)

  *) mod_authn_socache: Fix crash at startup in certain configurations.

  *) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
     programs to the form used in releases up to 2.4.7, and emulate
     a backwards-compatible behavior for existing setups.

  *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
     OCSP requests should use a nonce to be checked against the responder's
     one.

  *) mod_ssl: "SSLEngine off" will now override a Listen-based default
     and does disable mod_ssl for the vhost.

  *) mod_lua: Enforce the max post size allowed via r:parsebody()

  *) mod_lua: Use binary comparison to find boundaries for multipart
     objects, as to not terminate our search prematurely when hitting
     a NULL byte.

  *) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
     versions before 0.9.8h and not specifying an SSLCertificateChainFile
     (regression introduced with 2.4.8).

  *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
     no longer send warning-level unrecognized_name(112) alerts,
     and limit startup warnings to cases where an OpenSSL version
     without TLS extension support is used.

  *) mod_proxy_html: Avoid some possible memory access violation in case of
     specially crafted files, when the ProxyHTMLMeta directive is turned on.

  *) mod_auth_form: Make sure the optional functions are loaded even when
     the AuthFormProvider isn't specified.

  *) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
     (and logging garbled file names).

  *) mod_ssl: fix merging of global and vhost-level settings with the
     SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
     directives.

  *) mod_headers: Allow the "value" parameter of Header and RequestHeader to
     contain an ap_expr expression if prefixed with "expr=".

  *) rotatelogs: Avoid creation of zombie processes when -p is used on
     Unix platforms.

  *) mod_authnz_fcgi: New module to enable FastCGI authorizer
     applications to authenticate and/or authorize clients.

  *) mod_proxy: Do not try to parse the regular expressions passed by
     ProxyPassMatch as URL as they do not follow their syntax.

  *) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
     under the Event MPM.

  *) mod_proxy_fcgi: Fix sending of response without some HTTP headers
     that might be set by filters.

  *) mod_proxy_html: Do not delete the wrong data from HTML code when a
     "http-equiv" meta tag specifies a Content-Type behind any other
     "http-equiv" meta tag.

  *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
     differs.

  *) Add suspend_connection and resume_connection hooks to notify modules
     when the thread/connection relationship changes.  (Should be implemented
     for any third-party async MPMs.)

  *) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine
     hangups from websockets origin servers.

  *) mod_proxy_wstunnel: Don't pool backend websockets connections,
     because we need to handshake every time.

  *) mod_lua: Redesign how request record table access behaves,
     in order to utilize the request record from within these tables.

  *) mod_lua: Add r:wspeek for peeking at WebSocket frames.

  *) mod_lua: Log an error when the initial parsing of a Lua file fails.

  *) mod_lua: Reformat and escape script error output.

  *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
     from causing response splitting.

  *) mod_lua: Disallow newlines in table values inside the request_rec,
     to prevent HTTP Response Splitting via tainted headers.

  *) mod_lua: Remove the non-working early/late arguments for
     LuaHookCheckUserID.

  *) mod_lua: Change IVM storage to use shm

  *) mod_lua: More verbose error logging when a handler function cannot be
     found.

Revision 1.59 / (download) - annotate - [select for diffs], Fri Mar 28 11:25:43 2014 UTC (5 years, 6 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2014Q2-base, pkgsrc-2014Q1-base, pkgsrc-2014Q1
Branch point for: pkgsrc-2014Q2
Changes since 1.58: +4 -4 lines
Diff to previous 1.58 (colored)

Changes 2.2.27:

  *) SECURITY: CVE-2014-0098 (cve.mitre.org)
     Clean up cookie logging with fewer redundant string parsing passes.
     Log only cookies with a value assignment. Prevents segfaults when
     logging truncated cookies.

  *) SECURITY: CVE-2013-6438 (cve.mitre.org)
     mod_dav: Keep track of length of cdata properly when removing
     leading spaces. Eliminates a potential denial of service from
     specifically crafted DAV WRITE requests.

  *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
     TE/CL conflicts.

  *) mod_proxy_http: Core dumped under high load. PR 50335.

  *) proxy_util: NULL terminate the right buffer in 'send_http_connect'.

  *) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
     is equivalent to <ProxyMatch wildcard-url>.

  *) mod_ldap: Fix a potential memory leak or corruption.

  *) mod_ssl: Do not perform SNI / Host header comparison in case of a
     forward proxy request.

  *) mod_rewrite: Add mod_rewrite.h to the headers installed on Windows.

Revision 1.58 / (download) - annotate - [select for diffs], Mon Feb 17 17:32:55 2014 UTC (5 years, 8 months ago) by adam
Branch: MAIN
Changes since 1.57: +5 -6 lines
Diff to previous 1.57 (colored)

Changes with Apache 2.2.26

  *) mod_dav: dav_resource->uri treated as unencoded. This was an
     unnecessary ABI change introduced in 2.2.25.

  *) mod_dav: Do not validate locks against parent collection of COPY
     source URI.

  *) mod_ssl: Check SNI hostname against Host header case-insensitively.

  *) mod_ssl: enable support for ECC keys and ECDH ciphers.  Tested against
     OpenSSL 1.0.0b3.

  *) mod_ssl: Change default for SSLCompression to off, as compression
     causes security issues in most setups. (The so called "CRIME" attack).

  *) mod_ssl: Fix compilation error when OpenSSL does not contain
     support for SSLv2. Problem was introduced in 2.2.25.

  *) mod_dav: Fix double encoding of URIs in XML and Location header (caused
     by unintentional ABI change in 2.2.25).

Revision 1.55.2.1 / (download) - annotate - [select for diffs], Mon Jul 15 20:19:16 2013 UTC (6 years, 3 months ago) by spz
Branch: pkgsrc-2013Q2
Changes since 1.55: +4 -5 lines
Diff to previous 1.55 (colored) next main 1.56 (colored)

Pullup ticket #4184 - requested by tron
www/apache22: security update

Revisions pulled up:
- www/apache22/Makefile                                         1.92
- www/apache22/distinfo                                         1.57
- www/apache22/patches/patch-modules_mappers_mod_rewrite.c      deleted

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Mon Jul 15 18:15:49 UTC 2013

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Removed Files:
   	pkgsrc/www/apache22/patches: patch-modules_mappers_mod_rewrite.c

   Log Message:
   Update "apache22" package to version 2.2.25. Changes since 2.2.24:
   - SECURITY: CVE-2013-1862 (cve.mitre.org)
     mod_rewrite: Ensure that client data written to the RewriteLog is
     escaped to prevent terminal escape sequences from entering the
     log file.  [Eric Covener, Jeff Trawick, Joe Orton]
   - core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
     strings.  The default limit for ap_pregsub() can be adjusted at compile
      time by defining AP_PREGSUB_MAXLEN.  [Stefan Fritsch, Jeff Trawick]
   - core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
     on Linux kernel versions 3.x and above.  Bug#55121.  [Bradley Heilbrun
     <apache heilbrun.org>]
   - mod_setenvif: Log error on substitution overflow.
     [Stefan Fritsch]
   - mod_ssl/proxy: enable the SNI extension for backend TLS connections
     [Kaspar Brand]
   - mod_proxy: Use the same hostname for SNI as for the HTTP request when
     forwarding to SSL backends. Bug#53134.
     [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
   - mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
     in the error log to debug level.  [William Rowe]
   - mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
     with SSLProxyMachineCertificateFile/Path directives. Bug#52212, Bug#54698.
     [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
   - mod_proxy_balancer: Added balancer parameter failontimeout to allow server
     admin to configure an IO timeout as an error in the balancer.
     [Daniel Ruggeri]
   - mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
     password.  [Daniel Ruggeri]
   - htdigest: Fix buffer overflow when reading digest password file
     with very long lines. Bug#54893. [Rainer Jung]
   - mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
     the source href (sent as part of the request body as XML) pointing to a
     URI that is not configured for DAV will trigger a segfault. [Ben Reser
     <ben reser.org>]
   - mod_dav: Ensure URI is correctly uriencoded on return. Bug#54611
     [Timothy Wood <tjw omnigroup.com>]
   - mod_dav: Make sure that when we prepare an If URL for Etag comparison,
     we compare unencoded paths. Bug#53910 [Timothy Wood <tjw omnigroup.com>]
   - mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
     result in a 412 Precondition Failed for a COPY operation. PR54610
     [Timothy Wood <tjw omnigroup.com>]
   - mod_dav: When a PROPPATCH attempts to remove a non-existent dead
     property on a resource for which there is no dead property in the same
     namespace httpd segfaults. Bug#52559 [Diego Santa Cruz
     <diego.santaCruz spinetix.com>]
   - mod_dav: Do not fail PROPPATCH when prop namespace is not known.
     Bug#52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
   - mod_dav: Do not segfault on PROPFIND with a zero length DBM.
     Bug#52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]


   To generate a diff of this commit:
   cvs rdiff -u -r1.91 -r1.92 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.56 -r1.57 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r1.3 -r0 \
       pkgsrc/www/apache22/patches/patch-modules_mappers_mod_rewrite.c

Revision 1.57 / (download) - annotate - [select for diffs], Mon Jul 15 18:15:49 2013 UTC (6 years, 3 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2013Q4-base, pkgsrc-2013Q4, pkgsrc-2013Q3-base, pkgsrc-2013Q3
Changes since 1.56: +4 -5 lines
Diff to previous 1.56 (colored)

Update "apache22" package to version 2.2.25. Changes since 2.2.24:
- SECURITY: CVE-2013-1862 (cve.mitre.org)
  mod_rewrite: Ensure that client data written to the RewriteLog is
  escaped to prevent terminal escape sequences from entering the
  log file.  [Eric Covener, Jeff Trawick, Joe Orton]
- core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
  strings.  The default limit for ap_pregsub() can be adjusted at compile
   time by defining AP_PREGSUB_MAXLEN.  [Stefan Fritsch, Jeff Trawick]
- core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
  on Linux kernel versions 3.x and above.  Bug#55121.  [Bradley Heilbrun
  <apache heilbrun.org>]
- mod_setenvif: Log error on substitution overflow.
  [Stefan Fritsch]
- mod_ssl/proxy: enable the SNI extension for backend TLS connections
  [Kaspar Brand]
- mod_proxy: Use the same hostname for SNI as for the HTTP request when
  forwarding to SSL backends. Bug#53134.
  [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
- mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
  in the error log to debug level.  [William Rowe]
- mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
  with SSLProxyMachineCertificateFile/Path directives. Bug#52212, Bug#54698.
  [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
- mod_proxy_balancer: Added balancer parameter failontimeout to allow server
  admin to configure an IO timeout as an error in the balancer.
  [Daniel Ruggeri]
- mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
  password.  [Daniel Ruggeri]
- htdigest: Fix buffer overflow when reading digest password file
  with very long lines. Bug#54893. [Rainer Jung]
- mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
  the source href (sent as part of the request body as XML) pointing to a
  URI that is not configured for DAV will trigger a segfault. [Ben Reser
  <ben reser.org>]
- mod_dav: Ensure URI is correctly uriencoded on return. Bug#54611
  [Timothy Wood <tjw omnigroup.com>]
- mod_dav: Make sure that when we prepare an If URL for Etag comparison,
  we compare unencoded paths. Bug#53910 [Timothy Wood <tjw omnigroup.com>]
- mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
  result in a 412 Precondition Failed for a COPY operation. PR54610
  [Timothy Wood <tjw omnigroup.com>]
- mod_dav: When a PROPPATCH attempts to remove a non-existent dead
  property on a resource for which there is no dead property in the same
  namespace httpd segfaults. Bug#52559 [Diego Santa Cruz
  <diego.santaCruz spinetix.com>]
- mod_dav: Do not fail PROPPATCH when prop namespace is not known.
  Bug#52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
- mod_dav: Do not segfault on PROPFIND with a zero length DBM.
  Bug#52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

Revision 1.56 / (download) - annotate - [select for diffs], Fri Jul 5 15:36:25 2013 UTC (6 years, 3 months ago) by manu
Branch: MAIN
Changes since 1.55: +2 -1 lines
Diff to previous 1.55 (colored)

Patch from upstream (fixed in trunk and 2.4 branch):
https://issues.apache.org/bugzilla/show_bug.cgi?id=29744

When using CONNECT inside an SSL connection, fix a bug that caused
apache to reply in plain text.

Revision 1.54.2.1 / (download) - annotate - [select for diffs], Sun Jun 2 11:07:36 2013 UTC (6 years, 4 months ago) by spz
Branch: pkgsrc-2013Q1
Changes since 1.54: +2 -1 lines
Diff to previous 1.54 (colored) next main 1.55 (colored)

Pullup ticket #4148 - requested by tron
www/apache22: security patch

Revisions pulled up:
- www/apache22/Makefile                                         1.88
- www/apache22/distinfo                                         1.55
- www/apache22/patches/patch-modules_mappers_mod_rewrite.c      1.3

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Thu May 30 22:58:15 UTC 2013

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-modules_mappers_mod_rewrite.c

   Log Message:
   Add Apache developer fix for security vulnerability reported
   in CVE-2013-1862.


   To generate a diff of this commit:
   cvs rdiff -u -r1.87 -r1.88 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.54 -r1.55 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r0 -r1.3 \
       pkgsrc/www/apache22/patches/patch-modules_mappers_mod_rewrite.c

Revision 1.55 / (download) - annotate - [select for diffs], Thu May 30 22:58:14 2013 UTC (6 years, 4 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2013Q2-base
Branch point for: pkgsrc-2013Q2
Changes since 1.54: +2 -1 lines
Diff to previous 1.54 (colored)

Add Apache developer fix for security vulnerability reported
in CVE-2013-1862.

Revision 1.53.2.1 / (download) - annotate - [select for diffs], Fri Mar 8 18:36:42 2013 UTC (6 years, 7 months ago) by spz
Branch: pkgsrc-2012Q4
Changes since 1.53: +4 -4 lines
Diff to previous 1.53 (colored) next main 1.54 (colored)

Pullup ticket #4088 - requested by tron
www/apache22: security update

Revisions pulled up:
- www/apache22/Makefile                                         1.87
- www/apache22/PLIST                                            1.22
- www/apache22/distinfo                                         1.54

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Sun Mar  3 20:05:04 UTC 2013

   Modified Files:
   	pkgsrc/www/apache22: Makefile PLIST distinfo

   Log Message:
   Update "apache" package to version 2.2.24. Changes since 2.2.23:
   - SECURITY: CVE-2012-3499 (cve.mitre.org)
     Various XSS flaws due to unescaped hostnames and URIs HTML output in
     mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
     [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
   - SECURITY: CVE-2012-4558 (cve.mitre.org)
     XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
     Niels Heinen <heinenn google com>]
   - mod_rewrite: Stop merging RewriteBase down to subdirectories
     unless new option 'RewriteOptions MergeBase' is configured.
     Merging RewriteBase was unconditionally turned on in 2.2.23.
     Bug Report 53963. [Eric Covener]
   - mod_ssl: Send the error message for speaking http to an https port using
     HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
     using SNI. Bug Report 50823. [Stefan Fritsch]
   - mod_ssl: log revoked certificates at level INFO
     instead of DEBUG. Bug Report 52162. [Stefan Fritsch]
   - mod_proxy_ajp: Support unknown HTTP methods. Bug Report 54416.
     [Rainer Jung]
   - mod_dir: Add support for the value 'disabled' in FallbackResource.
     [Vincent Deffontaines]
   - mod_ldap: Fix regression in handling "server unavailable" errors on
     Windows.  Bug Report 54140.  [Eric Covener]
   - mod_ssl: fix a regression with the string rendering of the "UID" RDN
     introduced in 2.2.15. Bug Report 54510. [Kaspar Brand]
   - ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
     to more accurately report the negotiated protocol. Bug Report 53916.
     [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
   - mod_cache: Explicitly allow cache implementations to cache a 206 Partial
     Response if they so choose to do so. Previously an attempt to cache a 206
     was arbitrarily allowed if the response contained an Expires or
     Cache-Control header, and arbitrarily denied if both headers were missing.
     Currently the disk and memory cache providers do not cache 206 Partial
     Responses. [Graham Leggett]
   - core: Remove unintentional APR dependency introduced with
     Apache 2.2.22. [Eric Covener]
   - core: Use a TLS 1.0 close_notify alert for internal dummy connection if
     the chosen listener is configured for https. [Joe Orton]
   - mod_ssl: Add new directive SSLCompression to disable TLS-level
     compression. Bug Report 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]


   To generate a diff of this commit:
   cvs rdiff -u -r1.86 -r1.87 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.21 -r1.22 pkgsrc/www/apache22/PLIST
   cvs rdiff -u -r1.53 -r1.54 pkgsrc/www/apache22/distinfo

Revision 1.54 / (download) - annotate - [select for diffs], Sun Mar 3 20:05:03 2013 UTC (6 years, 7 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2013Q1-base
Branch point for: pkgsrc-2013Q1
Changes since 1.53: +4 -4 lines
Diff to previous 1.53 (colored)

Update "apache" package to version 2.2.24. Changes since 2.2.23:
- SECURITY: CVE-2012-3499 (cve.mitre.org)
  Various XSS flaws due to unescaped hostnames and URIs HTML output in
  mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
  [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
- SECURITY: CVE-2012-4558 (cve.mitre.org)
  XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
  Niels Heinen <heinenn google com>]
- mod_rewrite: Stop merging RewriteBase down to subdirectories
  unless new option 'RewriteOptions MergeBase' is configured.
  Merging RewriteBase was unconditionally turned on in 2.2.23.
  Bug Report 53963. [Eric Covener]
- mod_ssl: Send the error message for speaking http to an https port using
  HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
  using SNI. Bug Report 50823. [Stefan Fritsch]
- mod_ssl: log revoked certificates at level INFO
  instead of DEBUG. Bug Report 52162. [Stefan Fritsch]
- mod_proxy_ajp: Support unknown HTTP methods. Bug Report 54416.
  [Rainer Jung]
- mod_dir: Add support for the value 'disabled' in FallbackResource.
  [Vincent Deffontaines]
- mod_ldap: Fix regression in handling "server unavailable" errors on
  Windows.  Bug Report 54140.  [Eric Covener]
- mod_ssl: fix a regression with the string rendering of the "UID" RDN
  introduced in 2.2.15. Bug Report 54510. [Kaspar Brand]
- ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
  to more accurately report the negotiated protocol. Bug Report 53916.
  [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
- mod_cache: Explicitly allow cache implementations to cache a 206 Partial
  Response if they so choose to do so. Previously an attempt to cache a 206
  was arbitrarily allowed if the response contained an Expires or
  Cache-Control header, and arbitrarily denied if both headers were missing.
  Currently the disk and memory cache providers do not cache 206 Partial
  Responses. [Graham Leggett]
- core: Remove unintentional APR dependency introduced with
  Apache 2.2.22. [Eric Covener]
- core: Use a TLS 1.0 close_notify alert for internal dummy connection if
  the chosen listener is configured for https. [Joe Orton]
- mod_ssl: Add new directive SSLCompression to disable TLS-level
  compression. Bug Report 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]

Revision 1.53, Sun Dec 23 21:32:42 2012 UTC (6 years, 9 months ago) by spz
Branch: MAIN
CVS Tags: pkgsrc-2012Q4-base
Branch point for: pkgsrc-2012Q4
Changes since 1.52: +2 -1 lines

Apply patch https://issues.apache.org/bugzilla/show_bug.cgi?id=49491
from upstream for a bug that lets the devel/rt3 mailgate fail rather
dismally when present. Reviewed by tron.

Revision 1.51.2.1, Thu Sep 27 11:06:01 2012 UTC (7 years ago) by tron
Branch: pkgsrc-2012Q2
Changes since 1.51: +5 -6 lines

Pullup ticket #3922 - requested by taca
www/apache22: security update

Revisions pulled up:
- www/apache22/Makefile                                         1.81
- www/apache22/PLIST                                            1.21
- www/apache22/distinfo                                         1.52
- www/apache22/patches/patch-af                                 deleted
- www/apache22/patches/patch-docs_man_apxs.8                    1.1
- www/apache22/patches/patch-support_envvars-std.in             deleted

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Sep 16 03:33:10 UTC 2012

   Modified Files:
   	pkgsrc/www/apache22: Makefile PLIST distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-docs_man_apxs.8
   Removed Files:
   	pkgsrc/www/apache22/patches: patch-af patch-support_envvars-std.in

   Log Message:
   Update apache22 to 2.2.23.

   Changes with Apache 2.2.23

     *) SECURITY: CVE-2012-0883 (cve.mitre.org)
        envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
        current working directory being searched for DSOs. [Stefan Fritsch]

     *) SECURITY: CVE-2012-2687 (cve.mitre.org)
        mod_negotiation: Escape filenames in variant list to prevent a
        possible XSS for a site where untrusted users can upload files to
        a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]

     *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
        [Paul Wouters <pwouters redhat.com>, Joe Orton]

     *) mod_ldap: Treat the "server unavailable" condition as a transient
        error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]

     *) core: Add filesystem paths to access denied / access failed messages.
        [Eric Covener]

     *) core: Fix error handling in ap_scan_script_header_err_brigade() if there
        is no EOS bucket in the brigade. PR 48272. [Stefan Fritsch]

     *) core: Prevent "httpd -k restart" from killing server in presence of
        config error. [Joe Orton]

     *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
        control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive,
        adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'.
        [Kaspar Brand, William Rowe]

     *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
        PR 53104. [Greg Ames]

     *) Unix MPMs: Fix small memory leak in parent process if connect()
        failed when waking up children.  [Joe Orton]

     *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
        [Peter Pramberger <peter pramberger.at>, Jim Jagielski]

     *) Added SSLProxyMachineCertificateChainFile directive so the proxy client
        can select the proper client certificate when using a chain and the
        remote server only lists the root CA as allowed.

     *) mpm_event, mpm_worker: Remain active amidst prevalent child process
        resource shortages.  [Jeff Trawick]

     *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]

     *) mod_rewrite: Fix the RewriteEngine directive to work within a
        location. Previously, once RewriteEngine was switched on globally,
        it was impossible to switch off. [Graham Leggett]

     *) mod_proxy_balancer: Restore balancing after a failed worker has
        recovered when using lbmethod_bybusyness.  PR 48735.  [Jeff Trawick]

     *) mod_dumpio: Properly handle errors from subsequent input filters.
        PR 52914. [Stefan Fritsch]

     *) mpm_worker: Fix cases where the spawn rate wasn't reduced after child
        process resource shortages.  [Jeff Trawick]

     *) mpm_prefork: Reduce spawn rate after a child process exits due to
        unexpected poll or accept failure.  [Jeff Trawick]

     *) core: Adjust ap_scan_script_header_err*() to prevent mod_cgi and mod_cgid
        from logging bogus data in case of errors. [Stefan Fritsch]

     *) mod_disk_cache, mod_mem_cache: Decline the opportunity to cache if the
        response is a 206 Partial Content. This stops a reverse proxied partial
        response from becoming cached, and then being served in subsequent
        responses. PR 49113. [Graham Leggett]

     *) configure: Fix usage with external apr and apu in non-default paths
        and recent gcc versions >= 4.6. [Jean-Frederic Clere]

     *) core: Fix building against PCRE 8.30 by switching from the obsolete
        pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]

     *) mod_proxy: Add the forcerecovery balancer parameter that determines if
        recovery for balancer workers is enforced. [Ruediger Pluem]

Revision 1.52, Sun Sep 16 03:33:10 2012 UTC (7 years, 1 month ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base, pkgsrc-2012Q3
Changes since 1.51: +5 -6 lines

Update apache22 to 2.2.23.

Changes with Apache 2.2.23

  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
     current working directory being searched for DSOs. [Stefan Fritsch]

  *) SECURITY: CVE-2012-2687 (cve.mitre.org)
     mod_negotiation: Escape filenames in variant list to prevent a
     possible XSS for a site where untrusted users can upload files to
     a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]

  *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
     [Paul Wouters <pwouters redhat.com>, Joe Orton]

  *) mod_ldap: Treat the "server unavailable" condition as a transient
     error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]

  *) core: Add filesystem paths to access denied / access failed messages.
     [Eric Covener]

  *) core: Fix error handling in ap_scan_script_header_err_brigade() if there
     is no EOS bucket in the brigade. PR 48272. [Stefan Fritsch]

  *) core: Prevent "httpd -k restart" from killing server in presence of
     config error. [Joe Orton]

  *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
     control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive,
     adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'.
     [Kaspar Brand, William Rowe]

  *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
     PR 53104. [Greg Ames]

  *) Unix MPMs: Fix small memory leak in parent process if connect()
     failed when waking up children.  [Joe Orton]

  *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
     [Peter Pramberger <peter pramberger.at>, Jim Jagielski]

  *) Added SSLProxyMachineCertificateChainFile directive so the proxy client
     can select the proper client certificate when using a chain and the
     remote server only lists the root CA as allowed.

  *) mpm_event, mpm_worker: Remain active amidst prevalent child process
     resource shortages.  [Jeff Trawick]

  *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]

  *) mod_rewrite: Fix the RewriteEngine directive to work within a
     location. Previously, once RewriteEngine was switched on globally,
     it was impossible to switch off. [Graham Leggett]

  *) mod_proxy_balancer: Restore balancing after a failed worker has
     recovered when using lbmethod_bybusyness.  PR 48735.  [Jeff Trawick]

  *) mod_dumpio: Properly handle errors from subsequent input filters.
     PR 52914. [Stefan Fritsch]

  *) mpm_worker: Fix cases where the spawn rate wasn't reduced after child
     process resource shortages.  [Jeff Trawick]

  *) mpm_prefork: Reduce spawn rate after a child process exits due to
     unexpected poll or accept failure.  [Jeff Trawick]

  *) core: Adjust ap_scan_script_header_err*() to prevent mod_cgi and mod_cgid
     from logging bogus data in case of errors. [Stefan Fritsch]

  *) mod_disk_cache, mod_mem_cache: Decline the opportunity to cache if the
     response is a 206 Partial Content. This stops a reverse proxied partial
     response from becoming cached, and then being served in subsequent
     responses. PR 49113. [Graham Leggett]

  *) configure: Fix usage with external apr and apu in non-default paths
     and recent gcc versions >= 4.6. [Jean-Frederic Clere]

  *) core: Fix building against PCRE 8.30 by switching from the obsolete
     pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]

  *) mod_proxy: Add the forcerecovery balancer parameter that determines if
     recovery for balancer workers is enforced. [Ruediger Pluem]

Revision 1.50.2.1, Sun Apr 22 22:05:25 2012 UTC (7 years, 5 months ago) by tron
Branch: pkgsrc-2012Q1
Changes since 1.50: +2 -1 lines

Pullup ticket #3753 - requested by spz
www/apache22: security patch

Revisions pulled up:
- www/apache22/Makefile                                         1.80
- www/apache22/distinfo                                         1.51
- www/apache22/patches/patch-support_envvars-std.in             1.1

---
   Module Name:	pkgsrc
   Committed By:	spz
   Date:		Sun Apr 22 19:08:03 UTC 2012

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-support_envvars-std.in

   Log Message:
   patch for CVE-2012-0883 taken from the Apache SVN
   bump pkgrev

Revision 1.51, Sun Apr 22 19:08:03 2012 UTC (7 years, 5 months ago) by spz
Branch: MAIN
CVS Tags: pkgsrc-2012Q2-base
Branch point for: pkgsrc-2012Q2
Changes since 1.50: +2 -1 lines

patch for CVE-2012-0883 taken from the Apache SVN
bump pkgrev
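
The CVE-2012-0883 entries above (the standalone patch in revision 1.51 and the 2.2.23 changelog in revision 1.52, where it is described as insecure handling of LD_LIBRARY_PATH) do not spell out the mechanism. The script below is an added example, not code from httpd or pkgsrc. It shows why an unconditional "$LIBDIR:$LD_LIBRARY_PATH" expansion (assumed here to be the shape of the pre-2.2.23 envvars-std line) is dangerous: with the variable unset it leaves a trailing ':', and an empty element in a loader search path means the current working directory. It also shows how to audit an environment for such elements and how the envvars script should build the value instead. The library directory /usr/pkg/lib/httpd is an illustrative value, not taken from the package.

```python
"""Audit loader search paths for the CVE-2012-0883 class of bug.

An empty element in LD_LIBRARY_PATH (a leading or trailing ':' or a
'::' in the middle) makes the dynamic loader search the current working
directory, so a script that does LD_LIBRARY_PATH="$LIBDIR:$LD_LIBRARY_PATH"
with the variable unset hands anyone who can write to the directory
apachectl is run from a DSO-loading primitive.
Added example; not httpd or pkgsrc code.
"""
import os

# Illustrative location for the httpd shared libraries (assumption, not
# taken from the pkgsrc package).
LIBDIR = "/usr/pkg/lib/httpd"

# Variables in which an empty element means "current directory".
SEARCH_PATH_VARS = ("LD_LIBRARY_PATH", "LD_LIBRARY_PATH_64", "PATH")


def cwd_elements(path_value):
    """Positions of elements the loader (or a shell, for PATH) treats
    as the current working directory: empty strings and '.'."""
    if path_value is None:
        return []
    return [i for i, elem in enumerate(path_value.split(":"))
            if elem in ("", ".")]


def unsafe_prepend(libdir, current=None):
    """The vulnerable pattern: emulate shell expansion of
    "$libdir:$LD_LIBRARY_PATH" where an unset variable expands to ""."""
    return libdir + ":" + (current or "")


def safe_prepend(libdir, current=None):
    """What the envvars script should export: only add the separator
    when there is something to separate."""
    if not current:
        return libdir
    return libdir + ":" + current


def audit_environ(environ):
    """Map each search-path variable in `environ` that contains a CWD
    element to the offending element positions. Pass os.environ for a
    live check, or any dict for testing."""
    findings = {}
    for var in SEARCH_PATH_VARS:
        bad = cwd_elements(environ.get(var))
        if bad:
            findings[var] = bad
    return findings


if __name__ == "__main__":
    # Constructed environments: one as left by the vulnerable script
    # run with LD_LIBRARY_PATH unset, one as the fixed script leaves it.
    vulnerable = {"LD_LIBRARY_PATH": unsafe_prepend(LIBDIR)}
    fixed = {"LD_LIBRARY_PATH": safe_prepend(LIBDIR)}
    print("vulnerable:", vulnerable["LD_LIBRARY_PATH"], audit_environ(vulnerable))
    print("fixed:     ", fixed["LD_LIBRARY_PATH"], audit_environ(fixed))
    print("this process:", audit_environ(os.environ) or "clean")
```

Running it against a real process environment is the useful check: anything that reports LD_LIBRARY_PATH with position 0 or the last position is the trailing-colon shape of this bug, and a '.' entry is the same risk spelled out.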

Revision 1.50, Wed Feb 1 19:53:21 2012 UTC (7 years, 8 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2012Q1-base
Branch point for: pkgsrc-2012Q1
Changes since 1.49: +5 -11 lines

Update "apache" package to version 2.2.22. Changes since 2.2.21:
- SECURITY: CVE-2011-3368 (cve.mitre.org)
  Reject requests where the request-URI does not match the HTTP
  specification, preventing unexpected expansion of target URLs in
  some reverse proxy configurations.  [Joe Orton]
- SECURITY: CVE-2011-3607 (cve.mitre.org)
  Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
  is enabled, could allow local users to gain privileges via a .htaccess
  file. [Stefan Fritsch, Greg Ames]
- SECURITY: CVE-2011-4317 (cve.mitre.org)
  Resolve additional cases of URL rewriting with ProxyPassMatch or
  RewriteRule, where particular request-URIs could result in undesired
  backend network exposure in some configurations.
  [Joe Orton]
- SECURITY: CVE-2012-0021 (cve.mitre.org)
  mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
  string is in use and a client sends a nameless, valueless cookie, causing
  a denial of service. The issue existed since version 2.2.17. Bug#52256.
  [Rainer Canavan <rainer-apache 7val com>]
- SECURITY: CVE-2012-0031 (cve.mitre.org)
  Fix scoreboard issue which could allow an unprivileged child process
  to cause the parent to crash at shutdown rather than terminate
  cleanly.  [Joe Orton]
- SECURITY: CVE-2012-0053 (cve.mitre.org)
  Fix an issue in error responses that could expose "httpOnly" cookies
  when no custom ErrorDocument is specified for status code 400.
  [Eric Covener]
- mod_proxy_ajp: Try to prevent a single long request from marking a worker
  in error. [Jean-Frederic Clere]
- config: Update the default mod_ssl configuration: Disable SSLv2, only
  allow >= 128bit ciphers, add commented example for speed optimized cipher
  list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]
- core: Fix segfault in ap_send_interim_response(). Bug#52315.
  [Stefan Fritsch]
- mod_log_config: Prevent segfault. Bug#50861. [Torsten Foertsch
  <torsten.foertsch gmx.net>]
- mod_win32: Invert logic for env var UTF-8 fixing.
  Now we exclude a list of vars which we know for sure don't hold UTF-8
  chars; all other vars will be fixed. This has the benefit that now also
  all vars from 3rd-party modules will be fixed. Bug#13029 / 34985.
  [Guenter Knauf]
- core: Fix hook sorting for Perl modules, a regression introduced in
  2.2.21. Bug#45076. [Torsten Foertsch <torsten foertsch gmx net>]
- Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
  A range of '0-' will now return 206 instead of 200. Bug#51878.
  [Jim Jagielski]
- Example configuration: Fix entry for MaxRanges (use "unlimited" instead
  of "0").  [Rainer Jung]
- mod_substitute: Fix buffer overrun.  [Ruediger Pluem, Rainer Jung]

Please note that all the security fixes had been integrated into
"pkgsrc" as patches previously.

Revision 1.47.2.2, Mon Jan 30 03:30:53 2012 UTC (7 years, 8 months ago) by sbd
Branch: pkgsrc-2011Q4
Changes since 1.47.2.1: +3 -2 lines

Pullup ticket #3664 - requested by tron
www/apache22 security update

Revisions pulled up:
- www/apache22/Makefile                                         1.78
- www/apache22/distinfo                                         1.49
- www/apache22/patches/patch-CVE-2012-0021                      1.1
- www/apache22/patches/patch-server_protocol.c                  1.4

---
   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Sun Jan 29 12:29:08 UTC 2012

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   	pkgsrc/www/apache22/patches: patch-server_protocol.c
   Added Files:
   	pkgsrc/www/apache22/patches: patch-CVE-2012-0021

   Log Message:
   Add patch for security vulnerabilities reported in CVE-2012-0021
   and CVE-2012-0053 taken from Apache SVN repository.

Revision 1.49, Sun Jan 29 12:29:07 2012 UTC (7 years, 8 months ago) by tron
Branch: MAIN
Changes since 1.48: +3 -2 lines

Add patch for security vulnerabilities reported in CVE-2012-0021
and CVE-2012-0053 taken from Apache SVN repository.
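
Two entries on this page concern the same small piece of code, the cookie lookup behind a '%{name}C' LogFormat field: CVE-2012-0021 in revision 1.49 and the 2.2.22 changelog (a nameless, valueless cookie crashed mod_log_config), and the 2.2.23 changelog's fix for values being truncated at their first '='. The parser below is an added example modelling that behaviour in Python; it is not httpd's C code. The Cookie headers in it are constructed samples, and treating a bare "=" as the nameless, valueless shape is an assumption.

```python
"""Cookie lookup for a %{name}C-style access-log field.

Handles the two failure modes recorded on this page: a token with no
name and no value must not crash the logger (CVE-2012-0021), and a value
containing '=' must not be cut at that '=' (2.2.23 fix).
Added example; a model of the behaviour, not httpd code.
"""


def cookie_value(cookie_header, wanted):
    """Return the value of cookie `wanted` from a Cookie header, or None.
    Splits on ';' and then on the FIRST '=' only, so values containing
    '=' (base64 padding, key=value blobs) survive, and tolerates empty
    tokens, tokens without '=' and tokens without a name."""
    if cookie_header is None:
        return None
    for token in cookie_header.split(";"):
        name, sep, value = token.partition("=")
        name = name.strip()
        if not sep or not name:
            continue                 # bare or nameless cookie: skip, never crash
        if name == wanted:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # unwrap a quoted-string value
            return value
    return None


def cookie_value_truncating(cookie_header, wanted):
    """Model of the pre-2.2.23 behaviour: tokenising on '=' as well as
    ';' stops the value at its first '='. Kept only to show the
    difference; do not use."""
    if cookie_header is None:
        return None
    for token in cookie_header.split(";"):
        parts = token.strip().split("=")
        if len(parts) >= 2 and parts[0].strip() == wanted:
            return parts[1]
    return None


def log_field(request_headers, wanted):
    """What the access-log column should contain: the value, or '-'
    when the cookie is absent or empty (httpd's convention for empty
    fields)."""
    value = cookie_value(request_headers.get("Cookie"), wanted)
    return value if value not in (None, "") else "-"


if __name__ == "__main__":
    # Constructed Cookie headers, including the shapes from the CVEs.
    samples = [
        ("session=abc==; theme=dark", "session"),
        ("=", "session"),              # nameless, valueless (assumed CVE-2012-0021 shape)
        ("; =; session=1", "session"),
        ('user="a=b"', "user"),
    ]
    for header, name in samples:
        print("%-28r %-8s -> %r (truncating model: %r)" % (
            header, name, log_field({"Cookie": header}, name),
            cookie_value_truncating(header, name)))
```

The design point is that both bugs come from tokenising the header with one pass over separators instead of splitting on ';' first and then on a single '='; partition() gives the second behaviour for free, and the explicit skip of nameless tokens is what a C implementation has to remember to do by hand.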

Revision 1.47.2.1, Wed Jan 18 19:54:36 2012 UTC (7 years, 9 months ago) by tron
Branch: pkgsrc-2011Q4
Changes since 1.47: +3 -2 lines

Pullup ticket #3653 - requested by spz
www/apache22: security patch

Revisions pulled up:
- www/apache22/Makefile                                         1.77
- www/apache22/distinfo                                         1.48
- www/apache22/patches/patch-server_scoreboard.c                1.1
- www/apache22/patches/patch-server_util.c                      1.2

---
   Module Name:	pkgsrc
   Committed By:	spz
   Date:		Tue Jan 17 20:48:29 UTC 2012

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   	pkgsrc/www/apache22/patches: patch-server_util.c
   Added Files:
   	pkgsrc/www/apache22/patches: patch-server_scoreboard.c

   Log Message:
   add patch for CVE-2012-0031 taken from Revision 1231058 of http://svn.apache.org/
   update patch for http://secunia.com/advisories/45793/

Revision 1.48, Tue Jan 17 20:48:28 2012 UTC (7 years, 9 months ago) by spz
Branch: MAIN
Changes since 1.47: +3 -2 lines

add patch for CVE-2012-0031 taken from Revision 1231058 of http://svn.apache.org/
update patch for http://secunia.com/advisories/45793/

Revision 1.42.2.4, Wed Dec 14 02:43:13 2011 UTC (7 years, 10 months ago) by sbd
Branch: pkgsrc-2011Q3
Changes since 1.42.2.3: +3 -1 lines

Pullup ticket #3631 - requested by spz
www/apache22 security patch

Revisions pulled up:
- www/apache22/Makefile                                         1.76
- www/apache22/distinfo                                         1.47
- www/apache22/patches/patch-modules_mappers_mod_rewrite.c      1.1
- www/apache22/patches/patch-modules_proxy_mod_proxy.c          1.1

---
   Module Name:	pkgsrc
   Committed By:	spz
   Date:		Tue Dec 13 15:37:57 UTC 2011

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-modules_mappers_mod_rewrite.c
   	    patch-modules_proxy_mod_proxy.c

   Log Message:
   add revision 1209432 from http://svn.apache.org/ as patches:
   fix for CVE-2011-4317

Revision 1.47, Tue Dec 13 15:37:56 2011 UTC (7 years, 10 months ago) by spz
Branch: MAIN
CVS Tags: pkgsrc-2011Q4-base
Branch point for: pkgsrc-2011Q4
Changes since 1.46: +3 -1 lines

add revision 1209432 from http://svn.apache.org/ as patches:
fix for CVE-2011-4317

Revision 1.46, Mon Dec 12 18:43:14 2011 UTC (7 years, 10 months ago) by tron
Branch: MAIN
Changes since 1.45: +2 -2 lines

Remove duplicate error check from security patch. No revision bump as
there is no functional change.

Problem pointed out by S.P. Zeidler.

Revision 1.42.2.3, Thu Dec 8 04:01:36 2011 UTC (7 years, 10 months ago) by sbd
Branch: pkgsrc-2011Q3
Changes since 1.42.2.2: +2 -2 lines

Pullup ticket #3626 - requested by tron
www/apache22 security update

Revisions pulled up:
- www/apache22/Makefile                                         1.75
- www/apache22/distinfo                                         1.45
- www/apache22/patches/patch-server_protocol.c                  1.2

---
   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Wed Dec  7 22:58:12 UTC 2011

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   	pkgsrc/www/apache22/patches: patch-server_protocol.c

   Log Message:
   Add improved fix for proxy vulnerability reported in CVE-2011-3368.
   This should also fix CVE-2011-3639 and possibly CVE-2011-4317, both
   part of SA46987.

Revision 1.45, Wed Dec 7 22:58:12 2011 UTC (7 years, 10 months ago) by tron
Branch: MAIN
Changes since 1.44: +2 -2 lines

Add improved fix for proxy vulnerability reported in CVE-2011-3368.
This should also fix CVE-2011-3639 and possibly CVE-2011-4317, both
part of SA46987.

Revision 1.42.2.2, Sat Nov 12 04:25:37 2011 UTC (7 years, 11 months ago) by sbd
Branch: pkgsrc-2011Q3
Changes since 1.42.2.1: +2 -1 lines

Pullup ticket #3596 - requested by spz
www/apache22 security update

Revisions pulled up:
- www/apache22/Makefile                                         1.73
- www/apache22/distinfo                                         1.44
- www/apache22/patches/patch-server_util.c                      1.1

---
   Module Name:	pkgsrc
   Committed By:	spz
   Date:		Fri Nov 11 07:58:03 UTC 2011

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-server_util.c

   Log Message:
   fix for http://secunia.com/advisories/45793/
   snarfed (with adjustment regarding location) from
   http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util.c?r1=1198940&r2=1198939&pathrev=1198940

Revision 1.44, Fri Nov 11 07:58:03 2011 UTC (7 years, 11 months ago) by spz
Branch: MAIN
Changes since 1.43: +2 -1 lines

fix for http://secunia.com/advisories/45793/
snarfed (with adjustment regarding location) from
http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util.c?r1=1198940&r2=1198939&pathrev=1198940

Revision 1.42.2.1, Mon Oct 10 18:00:06 2011 UTC (8 years ago) by tron
Branch: pkgsrc-2011Q3
Changes since 1.42: +2 -1 lines

Pullup ticket #3550 - requested by taca
www/apache22: security patch

Revisions pulled up:
- www/apache22/Makefile                                         1.72
- www/apache22/distinfo                                         1.43
- www/apache22/patches/patch-server_protocol.c                  1.1

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Mon Oct 10 10:13:42 UTC 2011

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-server_protocol.c

   Log Message:
   Add patch for CVE-2011-3368 from Apache's repository.

   Bump PKGREVISION.

Revision 1.43, Mon Oct 10 10:13:42 2011 UTC (8 years ago) by taca
Branch: MAIN
Changes since 1.42: +2 -1 lines

Add patch for CVE-2011-3368 from Apache's repository.

Bump PKGREVISION.
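
The proxy issue patched here (CVE-2011-3368 in revisions 1.43 and 1.45, CVE-2011-4317 in revision 1.47, and the 2.2.22 changelog in revision 1.50, which describes the fix as rejecting request-URIs that do not match the HTTP specification) comes from pasting the raw request-URI onto a fixed backend URL. The script below is an added example, a Python model of the request-line check and not httpd's code: it shows how a request line of the form "GET @evil.example:8080/ HTTP/1.0" turns "RewriteRule ^(.*) http://backend.internal$1 [P]" into a connection to a host of the client's choosing, and how rejecting malformed request-URIs before the rewrite stage closes that. The hosts backend.internal and evil.example are placeholders, and the rewrite is emulated as plain string concatenation.

```python
"""Request-URI sanity check of the kind added for CVE-2011-3368/-4317.

A reverse proxy configured like
    RewriteRule ^(.*) http://backend.internal$1 [P]
pastes the raw request-URI onto a fixed backend URL. If the server
accepts request-URIs that neither start with '/' nor are absolute URIs,
the request line
    GET @evil.example:8080/ HTTP/1.0
yields the target http://backend.internal@evil.example:8080/, whose host
is evil.example: the proxy connects wherever the client named.
Added example; a model of the check, not httpd code. backend.internal
and evil.example are placeholders.
"""
import re
from urllib.parse import urlsplit

_ABSOLUTE_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")
_AUTHORITY = re.compile(r"^[A-Za-z0-9.\-]+:\d+$")


def request_uri_is_well_formed(method, uri):
    """Accept only the request-target forms RFC 2616 defines: '*' for
    OPTIONS, host:port for CONNECT, an absolute URI with a scheme, or an
    absolute path starting with '/'. Anything else ('@host/', 'host/',
    '?x', '') is rejected, so it never reaches RewriteRule/ProxyPassMatch."""
    if uri == "*":
        return method == "OPTIONS"
    if method == "CONNECT":
        return _AUTHORITY.match(uri) is not None
    if uri.startswith("/"):
        return True
    return _ABSOLUTE_URI.match(uri) is not None


def rewrite_target(backend, uri):
    """Emulate 'RewriteRule ^(.*) <backend>$1' or an equivalent
    ProxyPassMatch: the captured request-URI is appended verbatim."""
    return backend + uri


def proxied_host(target):
    """The host the proxy would actually connect to. urlsplit applies the
    same userinfo@host rule an HTTP client does, which is what makes the
    '@' payload work against the naive concatenation."""
    return urlsplit(target).hostname


def route(method, uri, backend="http://backend.internal"):
    """Return (status, backend host). 400 means the request line was
    rejected before any rewriting; None as host means the rule does
    not apply (CONNECT, OPTIONS *, or a forward-proxy absolute URI)."""
    if not request_uri_is_well_formed(method, uri):
        return 400, None
    if not uri.startswith("/"):
        return 200, None
    return 200, proxied_host(rewrite_target(backend, uri))


if __name__ == "__main__":
    # Constructed request lines: a normal one and the CVE-2011-3368 shape.
    for method, uri in (("GET", "/index.html"), ("GET", "@evil.example:8080/")):
        print("%s %s -> unchecked target host %r, with check %r" % (
            method, uri,
            proxied_host(rewrite_target("http://backend.internal", uri)),
            route(method, uri)))
```

The check is deliberately placed at request-line parsing rather than in the rewrite rule: every pattern of the form ^(.*) or ^/(.*) in a ProxyPassMatch or RewriteRule is exposed in the same way, so the only place that fixes all of them at once is before the URI is handed to any of them.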

Revision 1.38.2.2, Wed Sep 14 18:03:18 2011 UTC (8 years, 1 month ago) by tron
Branch: pkgsrc-2011Q2
Changes since 1.38.2.1: +5 -4 lines

Pullup ticket #3526 - requested by taca
www/apache22: security update

Revisions pulled up:
- www/apache22/Makefile                                         1.68-1.70
- www/apache22/distinfo                                         1.40-1.42
- www/apache22/patches/patch-CVE-2011-3192                      deleted
- www/apache22/patches/patch-lock.c                             1.1
- www/apache22/patches/patch-repos.c                            1.1

---
   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Wed Aug 31 12:52:45 UTC 2011

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Removed Files:
   	pkgsrc/www/apache22/patches: patch-CVE-2011-3192

   Log Message:
   Update "apache22" package to version 2.2.20. Changes since version 2.2.19:
   - mod_authnz_ldap: If the LDAP server returns constraint violation,
     don't treat this as an error but as "auth denied". [Stefan Fritsch]
   - mod_filter: Fix FilterProvider conditions of type "resp=" (response
     headers) for CGI. [Joe Orton, Rainer Jung]
   - mod_reqtimeout: Fix a timed out connection going into the keep-alive
     state after a timeout when discarding a request body. Bug 51103.
     [Stefan Fritsch]
   - core: Do the hook sorting earlier so that the hooks are properly sorted
     for the pre_config hook and during parsing the config. [Stefan Fritsch]

---
   Module Name:	pkgsrc
   Committed By:	sborrill
   Date:		Mon Sep 12 17:18:46 UTC 2011

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-lock.c patch-repos.c

   Log Message:
   Atomically create files when using DAV to stop files being deleted on error

   From:
   https://issues.apache.org/bugzilla/show_bug.cgi?id=39815

   Bump PKGREVISION.

   OK tron@

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Wed Sep 14 07:10:21 UTC 2011

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo

   Log Message:
   Update apache22 package to 2.2.21.

   Quote from release announce:

      The Apache Software Foundation and the Apache HTTP Server Project are
      pleased to announce the release of version 2.2.21 of the Apache HTTP
      Server ("Apache").  This version of Apache is principally a security
      and bug fix release:

        * SECURITY: CVE-2011-3348 (cve.mitre.org)
          mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
          unrecognized HTTP methods from marking ajp: balancer members
          in an error state, avoiding denial of service.

        * SECURITY: CVE-2011-3192 (cve.mitre.org)
          core: Further fixes to the handling of byte-range requests to use
          less memory, to avoid denial of service. This patch includes fixes
          to the patch introduced in release 2.2.20 for protocol compliance,
          as well as the MaxRanges directive.

      Note the further advisories on the state of CVE-2011-3192 will no longer
      be broadcast, but will be kept up to date at:

        http://httpd.apache.org/security/CVE-2011-3192.txt

      We consider this release to be the best version of Apache available, and
      encourage users of all prior versions to upgrade.

Revision 1.42, Wed Sep 14 07:10:21 2011 UTC (8 years, 1 month ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2011Q3-base
Branch point for: pkgsrc-2011Q3
Changes since 1.41: +4 -4 lines

Update apache22 package to 2.2.21.

Quote from release announce:

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.21 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a security
   and bug fix release:

     * SECURITY: CVE-2011-3348 (cve.mitre.org)
       mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
       unrecognized HTTP methods from marking ajp: balancer members
       in an error state, avoiding denial of service.

     * SECURITY: CVE-2011-3192 (cve.mitre.org)
       core: Further fixes to the handling of byte-range requests to use
       less memory, to avoid denial of service. This patch includes fixes
       to the patch introduced in release 2.2.20 for protocol compliance,
       as well as the MaxRanges directive.

   Note the further advisories on the state of CVE-2011-3192 will no longer
   be broadcast, but will be kept up to date at:

     http://httpd.apache.org/security/CVE-2011-3192.txt

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

Revision 1.41, Mon Sep 12 17:18:46 2011 UTC (8 years, 1 month ago) by sborrill
Branch: MAIN
Changes since 1.40: +3 -1 lines

Atomically create files when using DAV to stop files being deleted on error

From:
https://issues.apache.org/bugzilla/show_bug.cgi?id=39815

Bump PKGREVISION.

OK tron@

Revision 1.40, Wed Aug 31 12:52:45 2011 UTC (8 years, 1 month ago) by tron
Branch: MAIN
Changes since 1.39: +4 -5 lines

Update "apache22" package to version 2.2.20. Changes since version 2.2.19:
- mod_authnz_ldap: If the LDAP server returns constraint violation,
  don't treat this as an error but as "auth denied". [Stefan Fritsch]
- mod_filter: Fix FilterProvider conditions of type "resp=" (response
  headers) for CGI. [Joe Orton, Rainer Jung]
- mod_reqtimeout: Fix a timed out connection going into the keep-alive
  state after a timeout when discarding a request body. Bug 51103.
  [Stefan Fritsch]
- core: Do the hook sorting earlier so that the hooks are properly sorted
  for the pre_config hook and during parsing the config. [Stefan Fritsch]

Revision 1.38.2.1, Tue Aug 30 08:10:22 2011 UTC (8 years, 1 month ago) by sbd
Branch: pkgsrc-2011Q2
Changes since 1.38: +2 -1 lines

Pullup ticket #3514 - requested by tron
www/apache22 security update

Revisions pulled up:
- www/apache22/Makefile                                         1.67
- www/apache22/distinfo                                         1.39
- www/apache22/patches/patch-CVE-2011-3192                      1.1

---
   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Mon Aug 29 22:07:05 UTC 2011

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-CVE-2011-3192

   Log Message:
   Add patch for security vulnerability reported in CVE-2011-3192 taken
   from Apache SVN repository.

Revision 1.39, Mon Aug 29 22:07:05 2011 UTC (8 years, 1 month ago) by tron
Branch: MAIN
Changes since 1.38: +2 -1 lines

Add patch for security vulnerability reported in CVE-2011-3192 taken
from Apache SVN repository.
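
CVE-2011-3192 runs through several entries on this page: the first patch in revision 1.39, the 2.2.21 announcement in revision 1.42 (further byte-range fixes and the MaxRanges directive), and the 2.2.22 changelog in revision 1.50 (a range of '0-' again returning 206, and "MaxRanges unlimited" rather than "0" in the example configuration). The script below is an added example, a simplified Python model and not httpd's byterange filter: it parses a Range header, counts the ranges on the raw header before resolving any of them, ignores the header (serving the whole body with 200) when a MaxRanges limit is exceeded, and shows the amplification an unlimited server would have to absorb. The default of 200 is httpd's documented default for MaxRanges, not a value from this page; the attack header is constructed inline.

```python
"""Range-header evaluation hardened against CVE-2011-3192.

The attack sent one request with hundreds of overlapping byte ranges
("bytes=0-,1-,2-,...") and httpd processed and buffered each range
separately, so a small request consumed memory out of all proportion
to the resource. 2.2.21 added a MaxRanges directive (default 200;
"unlimited" to disable) and ignores the Range header, answering 200
with the whole body, when the count is exceeded.
Added example; a simplified model, not httpd's byterange filter.
"""
import re

UNLIMITED = None            # models "MaxRanges unlimited"
DEFAULT_MAX_RANGES = 200    # httpd's documented default

_RANGE_HDR = re.compile(r"\s*bytes\s*=\s*(.*)", re.IGNORECASE | re.DOTALL)
_SPEC = re.compile(r"^(\d*)-(\d*)$")


def count_ranges(header):
    """Number of range specs in the header, counted on the raw text
    before anything is allocated; that ordering is the whole point."""
    m = _RANGE_HDR.fullmatch(header)
    if not m:
        return 0
    return sum(1 for spec in m.group(1).split(",") if spec.strip())


def parse_byte_ranges(header, content_length):
    """Resolve 'bytes=a-b,c-,-d' against content_length into inclusive
    (start, end) pairs. Returns None if the header is not a valid bytes
    range spec (caller ignores it); unsatisfiable specs are dropped."""
    m = _RANGE_HDR.fullmatch(header)
    if not m:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if not spec:
            continue
        sm = _SPEC.match(spec)
        if not sm or sm.group(1) == sm.group(2) == "":
            return None
        first, last = sm.group(1), sm.group(2)
        if first == "":                         # suffix range: last N bytes
            n = int(last)
            if n == 0:
                continue
            start, end = max(content_length - n, 0), content_length - 1
        else:
            start = int(first)
            end = content_length - 1 if last == "" else int(last)
            if last != "" and end < start:
                return None                     # syntactically invalid
            end = min(end, content_length - 1)
        if start < content_length:
            ranges.append((start, end))
    return ranges


def decide(header, content_length, max_ranges=DEFAULT_MAX_RANGES):
    """Return (status, ranges): 200 = serve whole body, header ignored;
    206 = serve the listed ranges; 416 = nothing satisfiable."""
    if header is None:
        return 200, []
    if max_ranges is not UNLIMITED and count_ranges(header) > max_ranges:
        return 200, []
    ranges = parse_byte_ranges(header, content_length)
    if ranges is None:
        return 200, []
    if not ranges:
        return 416, []
    return 206, ranges


def bytes_served(ranges):
    """Payload size a 206 would carry: the amplification the attack
    relied on (overlapping ranges are not merged here)."""
    return sum(end - start + 1 for start, end in ranges)


# Constructed attack header in the style of the 2011 tool: 1300
# overlapping open-ended ranges aimed at a 1000-byte resource.
ATTACK_HEADER = "bytes=" + ",".join("%d-" % i for i in range(1300))

if __name__ == "__main__":
    for hdr in ("bytes=0-99", "bytes=0-", "bytes=-100", "bytes=2000-3000", ATTACK_HEADER):
        status, ranges = decide(hdr, 1000)
        label = hdr if len(hdr) < 40 else "%d-range attack" % count_ranges(hdr)
        print("%-20s -> %d, %d ranges, %d bytes" % (label, status, len(ranges), bytes_served(ranges)))
    status, ranges = decide(ATTACK_HEADER, 1000, max_ranges=UNLIMITED)
    print("attack with MaxRanges unlimited -> %d, %d ranges, %d bytes" % (status, len(ranges), bytes_served(ranges)))
```

With the default limit the attack header is simply ignored and costs the server one full copy of a 1000-byte resource; with MaxRanges unlimited the same request is answered with 206 and 500500 bytes of body, which is the proportion the original advisory was about.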

Revision 1.38, Sun May 22 22:54:50 2011 UTC (8 years, 4 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2011Q2-base
Branch point for: pkgsrc-2011Q2
Changes since 1.37: +4 -4 lines

Update "apache22" package to version 2.2.19. Changes since version 2.2.18:
- Revert ABI breakage in 2.2.18 caused by the function signature change
  of ap_unescape_url_keep2f().  This release restores the signature from
  2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
  [Eric Covener]

Revision 1.37, Thu May 12 06:50:44 2011 UTC (8 years, 5 months ago) by tron
Branch: MAIN
Changes since 1.36: +4 -4 lines

Update "apache22" package to version 2.2.18. Changes since version 2.2.17:
- Log an error for failures to read a chunk-size, and return 408 instead
  of 413 when this is due to a read timeout.  This change also fixes some cases
  of two error documents being sent in the response for the same scenario.
  [Eric Covener] Bug 49167
- core: Only log a 408 if it is not a keepalive timeout. Bug 39785
  [Ruediger Pluem,  Mark Montague <markmont umich.edu>]
- core: Treat timeout reading request as 408 error, not 400.
  Log 408 errors in access log as was done in Apache 1.3.x.
  Bug 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, Stefan Fritsch,
  Dan Poirier]
- Core HTTP: disable keepalive when the Client has sent
  Expect: 100-continue
  but we respond directly with a non-100 response.  Keepalive here led
  to data from clients continuing being treated as a new request.
  Bug 47087.  [Nick Kew]
- htpasswd: Change the default algorithm for htpasswd to MD5 on all
  platforms. Crypt with its 8 character limit is not useful anymore;
  improve out of disk space handling (Bug 30877); print a warning if
  a password is truncated by crypt. [Stefan Fritsch]
- mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
  Win32's cscript interpreter can only use a single quote as comment char.
  [Guenter Knauf]
- configure: Fix htpasswd/htdbm libcrypt link errors with some newer
  linkers. [Stefan Fritsch]
- MinGW build improvements.  Bug 49535.  [John Vandenberg
  <jayvdb gmail.com>, Jeff Trawick]
- mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
  [Stefan Fritsch]
- core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
  in request URL path info but not decode them. Bug 35256,
  Bug 46830.  [Dan Poirier]
- mod_rewrite: Allow environment variables to be unset. Bug 50746.
  [Rainer Jung]
- suEXEC: Add Suexec directive to disable suEXEC without renaming the
  binary (Suexec Off), or force startup failure if suEXEC is required
  but not supported (Suexec On).  [Jeff Trawick]
- mod_proxy: Put the worker in error state if the SSL handshake with the
  backend fails. Bug 50332.
  [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
- prefork: Update MPM state in children during a graceful restart.
  Allow the HTTP connection handling loop to terminate early
  during a graceful restart.  Bug 41743.
  [Andrew Punch <andrew.punch 247realmedia.com>]
- mod_ssl: Correctly read full lines in input filter when the line is
  incomplete during first read. Bug 50481. [Ruediger Pluem]
- mod_autoindex: Merge IndexOptions from server to directory context when
  the directory has no mod_autoindex directives. Bug 47766. [Eric Covener]
- mod_cache: Make sure that we never allow a 304 Not Modified response
  that we asked for to leak to the client should the 304 response be
  uncacheable. Bug 45341 [Graham Leggett]
- mod_dav: Send 400 error if malformed Content-Range header is received for
  a put request (RFC 2616 14.16). Bug 49825. [Stefan Fritsch]
- mod_userdir: Add merging of enable, disable, and filename arguments
  to UserDir directive, leaving enable/disable of userlists unmerged.
  Bug 44076 [Eric Covener]
- core: Honor 'AcceptPathInfo OFF' during internal redirects,
  such as per-directory mod_rewrite substitutions.  Bug 50349.
  [Eric Covener]
- mod_cache: Check the request to determine whether we are allowed
  to return cached content at all, and respect a "Cache-Control:
  no-cache" header from a client. Previously, "no-cache" would
  behave like "max-age=0". [Graham Leggett]
- mod_mem_cache: Add a debug msg when a streaming response exceeds
  MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary
  'memory allocation failed' debug message. Bug 49604. [Eric Covener]
- proxy_connect: Don't give up in the middle of a CONNECT tunnel
  when the child process is starting to exit. Bug 50220. [Eric Covener]
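
The AllowEncodedSlashes NoDecode item above is easiest to understand on a concrete request path. The following Python model is an added example written for this page, not httpd's own code (the real implementation is ap_unescape_url() and ap_unescape_url_keep2f() in server/util.c): it decodes a request path under each of the three settings so the difference in what the handler sees is visible. The sample path, the function names and the 400/404 mapping for malformed and NUL escapes are assumptions modelled on the documented behaviour.

```python
"""Model of httpd's AllowEncodedSlashes handling of %2F in the request path.

Constructed example written for this page; it is not httpd's code but follows
the documented behaviour of the three settings:

  Off       (default) a %2F anywhere in the path is answered with 404
  On        %2F is decoded to '/', so it becomes a path separator
  NoDecode  (new in 2.2.18) the request is accepted but %2F stays literal,
            so it reaches the handler inside one segment / in PATH_INFO
"""
from string import hexdigits
from typing import List, Optional, Tuple

HTTP_OK, HTTP_BAD_REQUEST, HTTP_NOT_FOUND = 200, 400, 404


def unescape_path(path: str, allow_encoded_slashes: str = "Off") -> Tuple[int, Optional[str]]:
    """Percent-decode a request path the way httpd does before URL-to-file mapping.

    Returns (status, decoded_path); decoded_path is None when the request is
    refused. Malformed escapes give 400 and an encoded NUL gives 404 (assumed
    here to mirror httpd) regardless of the AllowEncodedSlashes setting.
    """
    mode = allow_encoded_slashes.lower()
    if mode not in ("off", "on", "nodecode"):
        raise ValueError(f"AllowEncodedSlashes must be Off, On or NoDecode, not {allow_encoded_slashes!r}")

    out: List[str] = []
    i = 0
    while i < len(path):
        ch = path[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        escape = path[i + 1:i + 3]
        if len(escape) != 2 or not all(c in hexdigits for c in escape):
            return HTTP_BAD_REQUEST, None            # e.g. "%zz" or a trailing "%2"
        code = int(escape, 16)
        if code == 0:
            return HTTP_NOT_FOUND, None              # "%00" never maps to a file
        if code == ord("/"):
            if mode == "off":
                return HTTP_NOT_FOUND, None          # encoded slash refused outright
            if mode == "nodecode":
                out.append(path[i:i + 3])            # keep the literal "%2F"
                i += 3
                continue
        out.append(chr(code))                        # "On": %2F becomes a real '/'
        i += 3
    return HTTP_OK, "".join(out)


def path_segments(decoded_path: str) -> List[str]:
    """Split a decoded path into the segments the URL-to-file mapper walks."""
    return [seg for seg in decoded_path.split("/") if seg]


def main() -> None:
    # Constructed request path: an application that embeds a slash-containing
    # identifier in one URL segment, as a REST-style route might.
    request = "/api/item/a%2Fb/%7Ename"
    for mode in ("Off", "On", "NoDecode"):
        status, decoded = unescape_path(request, mode)
        segs = path_segments(decoded) if decoded else None
        print(f"{mode:9} -> {status} {decoded!r} segments={segs}")


if __name__ == "__main__":
    main()
```

With On, the identifier "a%2Fb" turns into two segments and the mapper walks into a directory the application never intended to expose; with NoDecode the request is accepted but the segment stays "a%2Fb", so the handler has to decode it itself and no extra path level is introduced.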

Revision 1.36, Sun Mar 20 03:18:21 2011 UTC (8 years, 7 months ago) by dholland
Branch: MAIN
CVS Tags: pkgsrc-2011Q1-base, pkgsrc-2011Q1
Changes since 1.35: +2 -1 lines

Patch a minor markup glitch in the apxs(8) man page: .PP needs to be at
the beginning of a line.

(Properly this should bump the PKGREVISION, but I'm not going to bother.)

Revision 1.35, Mon Nov 1 17:28:49 2010 UTC (8 years, 11 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2010Q4-base, pkgsrc-2010Q4
Changes since 1.34: +4 -4 lines

Changes 2.2.17:
* prefork MPM: Run cleanups for final request when process exits gracefully
  to work around a flaw in apr-util.
* mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
  connections and other protocol handlers (like mod_ftp). Enforce the
  timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering
  close time from 30 to 2 seconds.
* Proxy balancer: support setting error status according to HTTP response
  code from a backend.
* mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
  password to UTF-8.
* core: check symlink ownership if both FollowSymlinks and
  SymlinksIfOwnerMatch are set
* core: fix origin checking in SymlinksIfOwnerMatch
* mod_headers: Enable multi-match-and-replace edit option
* mod_log_config: Make ${cookie}C correctly match whole cookie names
  instead of substrings.
* mod_dir, mod_negotiation: Pass the output filter information
  to newly created sub requests; as these are later on used
  as true requests with an internal redirect. This allows for
  mod_cache et.al. to trap the results of the redirect.
* rotatelogs: Fix possible buffer overflow if admin configures a
  mongo log file path.
* mod_ssl: Do not do overlapping memcpy.
* vhost: A purely-numeric Host: header should not be treated as a port.
* core: (re)-introduce -T commandline option to suppress documentroot
  check at startup.
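
Two items on this page concern the Host header: the 2.2.17 vhost fix above (a purely-numeric Host value is a host name, not a port) and the 2.2.12 mod_proxy_http fix for literal IPv6 addresses further down. The parser below is an added example written for this page, not httpd's fix_hostname() code; the HOSTNAME_CHARS set, the BadHost error type, the helper names and the sample values are assumptions. It rejects malformed values the way httpd answers them, with 400 Bad Request.

```python
"""Parse and rebuild HTTP/1.1 Host header values.

Constructed example for this page, not httpd's own code. Covers the two cases
the changelog entries name: "Host: 8080" names a host called 8080 (not a
port), and an IPv6 literal must be bracketed so its colons are not taken for
the port separator.
"""
import ipaddress
from typing import Optional, Tuple

# assumed conservative host-name alphabet (after lower-casing)
HOSTNAME_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-.")


class BadHost(ValueError):
    """A Host header httpd would answer with 400 Bad Request."""


def _parse_port(text: str) -> int:
    if not text.isdigit():
        raise BadHost(f"port {text!r} is not numeric")
    port = int(text)
    if not 0 < port <= 65535:
        raise BadHost(f"port {port} out of range")
    return port


def parse_host_header(value: str) -> Tuple[str, Optional[int]]:
    """Return (hostname, port); hostname is lower-cased, port is None if absent."""
    value = value.strip()
    if not value:
        raise BadHost("empty Host header")

    if value.startswith("["):                       # bracketed IPv6 literal
        end = value.find("]")
        if end < 0:
            raise BadHost("unterminated IPv6 literal")
        literal = value[1:end]
        try:
            host = str(ipaddress.IPv6Address(literal))   # canonical, lower-case form
        except ipaddress.AddressValueError:
            raise BadHost(f"{literal!r} is not an IPv6 address") from None
        rest = value[end + 1:]
        if not rest:
            return host, None
        if not rest.startswith(":"):
            raise BadHost("junk after IPv6 literal")
        return host, _parse_port(rest[1:])

    if value.count(":") > 1:                        # "2001:db8::1:443" is ambiguous
        raise BadHost("unbracketed IPv6 literal")
    host, sep, port = value.partition(":")
    host = host.lower()
    # "Host: 8080" is a host called "8080": digits alone never mean a port.
    if not host or any(c not in HOSTNAME_CHARS for c in host):
        raise BadHost(f"invalid host name {host!r}")
    return host, (_parse_port(port) if sep else None)


def build_host_header(host: str, port: Optional[int]) -> str:
    """Build the Host value a proxy sends upstream, bracketing IPv6 literals."""
    try:
        is_v6 = ipaddress.ip_address(host).version == 6
    except ValueError:
        is_v6 = False                               # a name, not an address
    text = f"[{host}]" if is_v6 else host
    return text if port is None else f"{text}:{port}"


def is_bad_host(value: str) -> bool:
    """True if parse_host_header() rejects the value."""
    try:
        parse_host_header(value)
    except BadHost:
        return True
    return False
```

build_host_header() is the proxy-side half: a reverse proxy that forwards "2001:db8::1:8080" without brackets produces a value no compliant parser can split, which is the bug the 2.2.12 mod_proxy_http item describes.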

Revision 1.33.2.1, Tue Jul 27 17:25:35 2010 UTC (9 years, 2 months ago) by spz
Branch: pkgsrc-2010Q2
Changes since 1.33: +4 -5 lines

Pullup ticket 3187 - requested by tron
security update

Revisions pulled up:
- pkgsrc/www/apache22/Makefile		1.61
- pkgsrc/www/apache22/distinfo		1.34

Files deleted:
pkgsrc/www/apache22/patches/patch-af

-------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   tron
   Date:           Mon Jul 26 21:38:52 UTC 2010

   Modified Files:
           pkgsrc/www/apache22: Makefile distinfo
   Removed Files:
           pkgsrc/www/apache22/patches: patch-af

   Log Message:
   Update "apache22" package to version 2.2.16. Changes since version 2.2.15:
   - SECURITY: CVE-2010-1452 (cve.mitre.org)
     mod_dav, mod_cache: Fix Handling of requests without a path segment.
     PR: 49246 [Mark Drayton, Jeff Trawick]
   - SECURITY: CVE-2010-2068 (cve.mitre.org)
     mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
     for platforms Windows, Netware and OS2.  PR: 49417. [Rainer Jung]
   - core: Filter init functions are now run strictly once per request
     before handler invocation.  The init functions are no longer run
     for connection filters.  PR 49328.  [Joe Orton]
   - mod_filter: enable it to act on non-200 responses.
     PR 48377 [Nick Kew]
   - mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
     title page only) when any mod_ldap directives were used in VirtualHost
     context.  [Eric Covener]
   - mod_ssl: Fix segfault at startup if proxy client certs are shared
     across multiple vhosts.  PR 39915.  [Joe Orton]
   - mod_proxy_http: Log the port of the remote server in various messages.
     PR 48812. [Igor Galić <i galic brainsware org>]
   - apxs: Fix -A and -a options to ignore whitespace in httpd.conf
     [Philip M. Gollucci]
   - mod_dir: add FallbackResource directive, to enable admin to specify
     an action to happen when a URL maps to no file, without resorting
     to ErrorDocument or mod_rewrite.  PR 47184 [Nick Kew]
   - mod_rewrite: Allow setting environment variables without explicitly
     giving a value. [Rainer Jung]


   To generate a diff of this commit:
   cvs rdiff -u -r1.60 -r1.61 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.33 -r1.34 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r1.3 -r0 pkgsrc/www/apache22/patches/patch-af

Revision 1.34, Mon Jul 26 21:38:51 2010 UTC (9 years, 2 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2010Q3-base, pkgsrc-2010Q3
Changes since 1.33: +4 -5 lines

Update "apache22" package to version 2.2.16. Changes since version 2.2.15:
- SECURITY: CVE-2010-1452 (cve.mitre.org)
  mod_dav, mod_cache: Fix Handling of requests without a path segment.
  PR: 49246 [Mark Drayton, Jeff Trawick]
- SECURITY: CVE-2010-2068 (cve.mitre.org)
  mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
  for platforms Windows, Netware and OS2.  PR: 49417. [Rainer Jung]
- core: Filter init functions are now run strictly once per request
  before handler invocation.  The init functions are no longer run
  for connection filters.  PR 49328.  [Joe Orton]
- mod_filter: enable it to act on non-200 responses.
  PR 48377 [Nick Kew]
- mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
  title page only) when any mod_ldap directives were used in VirtualHost
  context.  [Eric Covener]
- mod_ssl: Fix segfault at startup if proxy client certs are shared
  across multiple vhosts.  PR 39915.  [Joe Orton]
- mod_proxy_http: Log the port of the remote server in various messages.
  PR 48812. [Igor Galić <i galic brainsware org>]
- apxs: Fix -A and -a options to ignore whitespace in httpd.conf
  [Philip M. Gollucci]
- mod_dir: add FallbackResource directive, to enable admin to specify
  an action to happen when a URL maps to no file, without resorting
  to ErrorDocument or mod_rewrite.  PR 47184 [Nick Kew]
- mod_rewrite: Allow setting environment variables without explicitly
  giving a value. [Rainer Jung]

Revision 1.31.2.1, Sat Jun 12 20:57:46 2010 UTC (9 years, 4 months ago) by spz
Branch: pkgsrc-2010Q1
Changes since 1.31: +2 -1 lines

Pullup ticket 3145 - requested by tron
security fix

Revisions pulled up:
- pkgsrc/www/apache22/Makefile		1.59
- pkgsrc/www/apache22/distinfo		1.33
- pkgsrc/www/apache22/patches/patch-af	1.3

   -------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   tron
   Date:           Sat Jun 12 10:40:27 UTC 2010

   Modified Files:
           pkgsrc/www/apache22: Makefile distinfo
   Added Files:
           pkgsrc/www/apache22/patches: patch-af

   Log Message:
   Add patch provided by the Apache foundation to close the privacy leak
   reported in CVE-2010-2068.


   To generate a diff of this commit:
   cvs rdiff -u -r1.58 -r1.59 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.32 -r1.33 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r0 -r1.3 pkgsrc/www/apache22/patches/patch-af

Revision 1.33, Sat Jun 12 10:40:26 2010 UTC (9 years, 4 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2010Q2-base
Branch point for: pkgsrc-2010Q2
Changes since 1.32: +2 -1 lines

Add patch provided by the Apache foundation to close the privacy leak
reported in CVE-2010-2068.

Revision 1.32, Wed Apr 28 07:43:56 2010 UTC (9 years, 5 months ago) by obache
Branch: MAIN
Changes since 1.31: +2 -2 lines

Fixes omission of pre-creating the directory for pax in patch-aa.
It broke installation on SUA 6.0 with native pax.

Revision 1.29.2.1, Sun Mar 28 13:02:33 2010 UTC (9 years, 6 months ago) by tron
Branch: pkgsrc-2009Q4
Changes since 1.29: +4 -7 lines

Pullup ticket #3068 - requested by taca
apache22: security update

Revisions pulled up:
- www/apache22/Makefile				1.56
- www/apache22/PLIST				1.16
- www/apache22/distinfo				1.30-1.31
- www/apache22/patches/patch-aq			delete
- www/apache22/patches/patch-as			delete
- www/apache22/patches/patch-au			delete
---
Module Name:	pkgsrc
Committed By:	taca
Date:		Fri Mar  5 00:22:59 UTC 2010

Modified Files:
	pkgsrc/www/apache22: distinfo
Removed Files:
	pkgsrc/www/apache22/patches: patch-aq patch-as patch-au

Log Message:
Remove CVE-2007-3304 related patches.  CVE-2007-3304 was fixed
in Apache 2.2.6 and these patches are no-ops.
---
Module Name:	pkgsrc
Committed By:	taca
Date:		Tue Mar  9 02:30:15 UTC 2010

Modified Files:
	pkgsrc/www/apache22: Makefile PLIST distinfo

Log Message:
Update apache22 package to 2.2.15.

For full change information please refer to:
http://www.apache.org/dist/httpd/Announcement2.2.html.

Here are the security-related changes from the ChangeLog
(http://www.apache.org/dist/httpd/CHANGES_2.2.15).

Changes with Apache 2.2.15

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola <niku.toivola sulake.com>]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]

Revision 1.31, Tue Mar 9 02:30:15 2010 UTC (9 years, 7 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2010Q1-base
Branch point for: pkgsrc-2010Q1
Changes since 1.30: +4 -4 lines

Update apache22 package to 2.2.15.

For full change information please refer to:
http://www.apache.org/dist/httpd/Announcement2.2.html.

Here are the security-related changes from the ChangeLog
(http://www.apache.org/dist/httpd/CHANGES_2.2.15).


Changes with Apache 2.2.15

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola <niku.toivola sulake.com>]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]

Revision 1.30, Fri Mar 5 00:22:59 2010 UTC (9 years, 7 months ago) by taca
Branch: MAIN
Changes since 1.29: +1 -4 lines

Remove CVE-2007-3304 related patches.  CVE-2007-3304 was fixed
in Apache 2.2.6 and these patches are no-ops.

Revision 1.29, Sat Dec 26 04:51:01 2009 UTC (9 years, 9 months ago) by obache
Branch: MAIN
CVS Tags: pkgsrc-2009Q4-base
Branch point for: pkgsrc-2009Q4
Changes since 1.28: +2 -1 lines

Re-add patch-ab, fixes runtime error on Interix.

It originally came from PR#27567 for www/apache2.
The CVE-2007-3304 parts were added in rev 1.2, then the whole patch file was
removed in rev 1.3 in the update to apache-2.2.6, because the update contains
the fix for CVE-2007-3304 and the comments of patch-ab only mentioned the CVE.

To prevent a recurrence of such an accident, PR#27567 was added as a comment
for patch-ab.

Revision 1.28, Fri Oct 30 21:08:55 2009 UTC (9 years, 11 months ago) by christos
Branch: MAIN
Changes since 1.27: +4 -5 lines

update to 2.2.14; 2.2.13 is gone.

Revision 1.20.2.4, Sun Oct 4 13:26:13 2009 UTC (10 years ago) by spz
Branch: pkgsrc-2009Q2
Changes since 1.20.2.3: +5 -8 lines

Pullup ticket 2908 - requested by tron
security update

Revisions pulled up:
- pkgsrc/www/apache22/Makefile			by patch to 1.52
- pkgsrc/www/apache22/distinfo			by patch to 1.27
- pkgsrc/www/apache22/patches/patch-ab		by patch to 1.14

Files removed:
pkgsrc/www/apache22/patches/patch-av
pkgsrc/www/apache22/patches/patch-ba
pkgsrc/www/apache22/patches/patch-bb

The patches update the package to the state in HEAD.

   -------------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Sun Oct  4 12:21:35 UTC 2009

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   	pkgsrc/www/apache22/patches: patch-ab

   Log Message:
   Add patch from the Apache SVN repository for the vulnerability reported
   in CVE-2009-3095.


   To generate a diff of this commit:
   cvs rdiff -u -r1.51 -r1.52 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.26 -r1.27 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r1.13 -r1.14 pkgsrc/www/apache22/patches/patch-ab

Revision 1.27, Sun Oct 4 12:21:34 2009 UTC (10 years ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2009Q3-base, pkgsrc-2009Q3
Changes since 1.26: +2 -2 lines

Add patch from the Apache SVN repository for the vulnerability reported
in CVE-2009-3095.

Revision 1.26, Mon Sep 14 22:09:33 2009 UTC (10 years, 1 month ago) by tron
Branch: MAIN
Changes since 1.25: +2 -2 lines

Use official fix for CVE-2009-3094 taken from the Apache SVN repository.

Revision 1.20.2.3, Sun Sep 13 15:03:35 2009 UTC (10 years, 1 month ago) by spz
Branch: pkgsrc-2009Q2
Changes since 1.20.2.2: +2 -1 lines

Pullup ticket 2892 - requested by tron
security fix

Revisions pulled up:
- pkgsrc/www/apache22/Makefile		by patch
- pkgsrc/www/apache22/distinfo		by patch

Files added:
pkgsrc/www/apache22/patches/patch-ab	1.12

   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Sun Sep 13 13:32:50 UTC 2009

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-ab

   Log Message:
   Add a fix for the remote Denial of Service vulnerability reported
   in CVE-2009-3094.


   To generate a diff of this commit:
   cvs rdiff -u -r1.49 -r1.50 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.24 -r1.25 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r0 -r1.12 pkgsrc/www/apache22/patches/patch-ab

Revision 1.25, Sun Sep 13 13:32:50 2009 UTC (10 years, 1 month ago) by tron
Branch: MAIN
Changes since 1.24: +2 -1 lines

Add a fix for the remote Denial of Service vulnerability reported
in CVE-2009-3094.

Revision 1.24, Mon Aug 10 11:45:08 2009 UTC (10 years, 2 months ago) by tron
Branch: MAIN
Changes since 1.23: +4 -7 lines

Update "apache22" package to version 2.2.13. Changes since 2.2.12:
- mod_ssl, ab: improve compatibility with OpenSSL 1.0.0 betas.  Report
  warnings compiling mod_ssl against OpenSSL to the httpd developers.
  [Guenter Knauf]
- mod_cgid: Do not add an empty argument when calling the CGI script.
  Bug 46380 [Ruediger Pluem]
- Fix potential segfaults with use of the legacy ap_rputs() etc
  interfaces, in cases where an output filter fails.  Bug 36780.
  [Joe Orton]

Revision 1.20.2.2, Fri Aug 7 21:08:15 2009 UTC (10 years, 2 months ago) by spz
Branch: pkgsrc-2009Q2
Changes since 1.20.2.1: +6 -10 lines

Pullup ticket 2852 - requested by tron
bug fix update

Revisions pulled up:
- pkgsrc/www/apache22/Makefile		1.48
- pkgsrc/www/apache22/PLIST		1.13
- pkgsrc/www/apache22/distinfo		1.23
- pkgsrc/www/apache22/patches/patch-ba	1.4
- pkgsrc/www/apache22/patches/patch-bb	1.3

Files added:
pkgsrc/www/apache22/patches/patch-bb

Files deleted:
pkgsrc/www/apache22/patches/patch-ab
pkgsrc/www/apache22/patches/patch-af
pkgsrc/www/apache22/patches/patch-ah
pkgsrc/www/apache22/patches/patch-bc
pkgsrc/www/apache22/patches/patch-bd

   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Thu Aug  6 07:07:23 UTC 2009

   Modified Files:
   	pkgsrc/www/apache22: Makefile PLIST distinfo
   Removed Files:
   	pkgsrc/www/apache22/patches: patch-ab patch-af patch-ah patch-ba
   	    patch-bc patch-bd

   Log Message:
   Update "apache22" package to version 2.2.12. Changes since version 2.2.11:
   - SECURITY: CVE-2009-1891 (cve.mitre.org)
     Fix a potential Denial-of-Service attack against mod_deflate or other
     modules, by forcing the server to consume CPU time in compressing a
     large file after a client disconnects. Bug 39605.
     [Joe Orton, Ruediger Pluem]
   - SECURITY: CVE-2009-1195 (cve.mitre.org)
     Prevent the "Includes" Option from being enabled in an .htaccess
     file if the AllowOverride restrictions do not permit it.
     [Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
      Ruediger Pluem, Jeff Trawick]
   - SECURITY: CVE-2009-1890 (cve.mitre.org)
     Fix a potential Denial-of-Service attack against mod_proxy in a
     reverse proxy configuration, where a remote attacker can force a
     proxy process to consume CPU time indefinitely.  [Nick Kew, Joe Orton]
   - SECURITY: CVE-2009-1191 (cve.mitre.org)
     mod_proxy_ajp: Avoid delivering content from a previous request which
     failed to send a request body. Bug 46949 [Ruediger Pluem]
   - SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
     The bundled copy of the APR-util library has been updated, fixing three
     different security issues which may affect particular configurations
     and third-party modules.
   - mod_include: fix potential segfault when handling back references
     on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
   - mod_alias: check sanity in Redirect arguments.
     Bug 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
   - mod_proxy_http: fix Host: header for literal IPv6 addresses.
     Bug 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
   - mod_rewrite: Remove locking for writing to the rewritelog.
     Bug 46942
   - mod_alias: Ensure Redirect emits HTTP-compliant URLs.
     Bug 44020
   - mod_proxy_http: fix case sensitivity checking transfer encoding
     Bug 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
   - mod_rewrite: Fix the error string returned by RewriteRule.
     RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
     argument of RewriteRule did not start with "[" or did not end with "]".
     Bug 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
   - mod_proxy: Complete ProxyPassReverse to handle balancer URLs.  Given:
       BalancerMember balancer://alias http://example.com/foo
       ProxyPassReverse /bash balancer://alias/bar
     backend url http://example.com/foo/bar/that is now translated /bash/that
     [William Rowe]
   - New piped log syntax: Use "||process args" to launch the given process
     without invoking the shell/command interpreter.  Use "|$command line"
     (the default behavior of "|command line" in 2.2) to invoke using shell,
     consuming an additional shell process for the lifetime of the logging
     pipe program but granting additional process invocation flexibility.
     [William Rowe]
   - mod_ssl: Add server name indication support (RFC 4366) and better
     support for name based virtual hosts with SSL. Bug 34607
     [Peter Sylvester <peter.sylvester edelweb.fr>,
      Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton,
      Ruediger Pluem]
   - mod_negotiation: Escape paths of filenames in 406 responses to avoid
     HTML injections and HTTP response splitting.  Bug 46837.
     [Geoff Keating <geoffk apple.com>]
   - mod_include: Prevent a case of SSI timefmt-smashing with filter chains
     including multiple INCLUDES filters. Bug 39369 [Joe Orton]
   - mod_rewrite: When evaluating a proxy rule in directory context, do
     escape the filename by default. Bug 46428 [Joe Orton]
   - mod_proxy_ajp: Check more strictly that the backend follows the AJP
     protocol. [Mladen Turk]
   - mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
     to enable stricter checking of remote server certificates.
     [Ruediger Pluem]
   - mod_substitute: Fix a memory leak. Bug 44948
     [Dan Poirier <poirier pobox.com>]
   - mod_proxy_ajp: Forward remote port information by default.
     [Rainer Jung]
   - mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
     directive to correctly remove headers before storing them.
     [Lars Eilebrecht]
   - mod_deflate: revert changes in 2.2.8 that caused an invalid
     etag to be emitted for on-the-fly gzip content-encoding.
     Bug 39727 will require larger fixes and this fix was far more
     harmful than the original code. Bug 45023. [Roy T. Fielding]
   - mod_disk_cache: The module now turns off sendfile support if
     'EnableSendfile off' is defined globally. Bug 41218.
     [Lars Eilebrecht, Issac Goldstand]
   - prefork: Fix child process hang during graceful restart/stop in
     configurations with multiple listening sockets.  Bug 42829.  [Joe Orton,
     Jeff Trawick]
   - mod_ssl: Add SSLRenegBufferSize directive to allow changing the
     size of the buffer used for the request-body where necessary
     during a per-dir renegotiation.  Bug 39243.  [Joe Orton]
   - mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
     way that per-directory rewrites append the previous notion of PATH_INFO
     to each substitution before evaluating subsequent rules.
     Bug 38642 [Eric Covener]
   - mod_authnz_ldap: Reduce number of initialization debug messages and make
     information more clear. Bug 46342 [Dan Poirier]
   - mod_cache: Introduce 'no-cache' per-request environment variable
     to prevent the saving of an otherwise cacheable response.
     [Eric Covener]
   - core: Translate the status line to ASCII on EBCDIC platforms in
     ap_send_interim_response() and for locally generated "100 Continue"
     responses.  [Eric Covener]
   - CGI: return 504 (Gateway timeout) rather than 500 when a script
     times out before returning status line/headers.
     Bug 42190 [Nick Kew]
   - prefork: Log an error instead of segfaulting when child startup fails
     due to pollset creation failures.  Bug 46467.  [Jeff Trawick]
   - mod_ext_filter: fix error handling when the filter prog fails to start,
     and introduce an onfail configuration option to abort

   All the security problems mentioned above had already been fixed in
   "pkgsrc" via patches. Thanks a lot to Adam Ciarcinski for letting me
   know that the new version had finally been released.


   To generate a diff of this commit:
   cvs rdiff -u -r1.47 -r1.48 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/apache22/PLIST
   cvs rdiff -u -r1.21 -r1.22 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r1.10 -r0 pkgsrc/www/apache22/patches/patch-ab
   cvs rdiff -u -r1.1 -r0 pkgsrc/www/apache22/patches/patch-af \
       pkgsrc/www/apache22/patches/patch-ah
   cvs rdiff -u -r1.2 -r0 pkgsrc/www/apache22/patches/patch-ba \
       pkgsrc/www/apache22/patches/patch-bc pkgsrc/www/apache22/patches/patch-bd

   -----

   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Thu Aug  6 08:21:44 UTC 2009

   Modified Files:
   	pkgsrc/www/apache22: distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-ba patch-bb

   Log Message:
   Add patches provided by Adam Ciarcinski to fix build with recent versions
   of OpenSSL (e.g. the version in NetBSD-current).


   To generate a diff of this commit:
   cvs rdiff -u -r1.22 -r1.23 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r0 -r1.4 pkgsrc/www/apache22/patches/patch-ba
   cvs rdiff -u -r0 -r1.3 pkgsrc/www/apache22/patches/patch-bb
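
CVE-2009-1195 in the 2.2.12 entry above is about AllowOverride: an .htaccess file must not be able to turn on Includes where the server only permits it to set IncludesNOEXEC (or nothing at all). The Python model below is an added example written for this page, not httpd's core.c logic; the ConfigError type, the helper names, the treatment of "All" and the rule that permission for Includes also covers IncludesNOEXEC but never the reverse are assumptions based on the documented AllowOverride and Options semantics.

```python
"""Model of how AllowOverride limits the Options an .htaccess file may enable.

Constructed example written for this page; it is not httpd's code but follows
the documented semantics:

  AllowOverride All | Options          .htaccess may set any Option
  AllowOverride None                   .htaccess may set nothing
  AllowOverride Options=Opt1,Opt2,...  only the listed Options may be set

Permission for Includes also covers the weaker IncludesNOEXEC, but not the
other way round; refusing to upgrade IncludesNOEXEC to Includes from
.htaccess is the behaviour the CVE-2009-1195 fix enforces.
"""
from typing import Iterable, Set

# canonical spellings; httpd matches Option names case-insensitively
KNOWN_OPTIONS = {
    "indexes": "Indexes",
    "includes": "Includes",
    "includesnoexec": "IncludesNOEXEC",
    "followsymlinks": "FollowSymLinks",
    "symlinksifownermatch": "SymLinksIfOwnerMatch",
    "execcgi": "ExecCGI",
    "multiviews": "MultiViews",
}


class ConfigError(Exception):
    """Raised where httpd refuses the .htaccess ("... not allowed here", answered with 500)."""


def canonical(name: str) -> str:
    try:
        return KNOWN_OPTIONS[name.lower()]
    except KeyError:
        raise ConfigError(f"Illegal option {name}") from None


def parse_allow_override(value: str) -> Set[str]:
    """Return the Option names an .htaccess may set under this AllowOverride line."""
    allowed: Set[str] = set()
    for token in value.split():
        low = token.lower()
        if low in ("all", "options"):
            return set(KNOWN_OPTIONS.values())
        if low == "none":
            return set()
        if low.startswith("options="):
            allowed.update(canonical(o) for o in token[len("options="):].split(",") if o)
        # AuthConfig, FileInfo, Indexes, Limit do not affect the Options directive
    return allowed


def permitted(option: str, allowed: Set[str]) -> bool:
    if option in allowed:
        return True
    # Includes permission implies IncludesNOEXEC; never the reverse.
    return option == "IncludesNOEXEC" and "Includes" in allowed


def apply_htaccess_options(inherited: Iterable[str], arguments: str, allowed: Set[str]) -> Set[str]:
    """Merge the arguments of an .htaccess 'Options' line into the inherited set.

    With +/- prefixes the line is relative to the inherited Options, without
    them it replaces them. Every Option the line names must be permitted by
    AllowOverride, so a non-permitted Includes can never be switched on here.
    """
    tokens = arguments.split()
    if not tokens:
        raise ConfigError("Options requires at least one argument")
    signed = [t[0] in "+-" for t in tokens]
    if any(signed) and not all(signed):
        raise ConfigError("Either all Options must start with + or -, or no Option may")
    result = set(inherited) if all(signed) else set()

    for token in tokens:
        sign = token[0] if token[0] in "+-" else "+"
        raw = token.lstrip("+-")
        if raw.lower() == "none":
            result.clear()
            continue
        if raw.lower() == "all":          # All = everything except MultiViews
            names = [o for o in KNOWN_OPTIONS.values() if o not in ("MultiViews", "IncludesNOEXEC")]
        else:
            names = [canonical(raw)]
        for name in names:
            if not permitted(name, allowed):
                raise ConfigError(f"Option {name} not allowed here")
            if sign == "-":
                result.discard(name)
                continue
            if name in ("Includes", "IncludesNOEXEC"):   # the two are alternatives
                result.discard("Includes")
                result.discard("IncludesNOEXEC")
            result.add(name)
    return result


def htaccess_rejected(inherited: Iterable[str], arguments: str, allowed: Set[str]) -> bool:
    """True if httpd (per this model) would refuse the .htaccess Options line."""
    try:
        apply_htaccess_options(inherited, arguments, allowed)
    except ConfigError:
        return True
    return False
```

The check that matters for the CVE is the one in permitted(): with "AllowOverride Options=IncludesNOEXEC" a user-writable .htaccess containing "Options +Includes" is refused, so SSI "exec" stays unavailable to users who are only trusted with the no-exec variant.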

Revision 1.23, Thu Aug 6 08:21:44 2009 UTC (10 years, 2 months ago) by tron
Branch: MAIN
Changes since 1.22: +3 -1 lines

Add patches provided by Adam Ciarcinski to fix build with recent versions
of OpenSSL (e.g. the version in NetBSD-current).

Revision 1.22, Thu Aug 6 07:07:23 2009 UTC (10 years, 2 months ago) by tron
Branch: MAIN
Changes since 1.21: +4 -10 lines

Update "apache22" package to version 2.2.12. Changes since version 2.2.11:
- SECURITY: CVE-2009-1891 (cve.mitre.org)
  Fix a potential Denial-of-Service attack against mod_deflate or other
  modules, by forcing the server to consume CPU time in compressing a
  large file after a client disconnects. Bug 39605.
  [Joe Orton, Ruediger Pluem]
- SECURITY: CVE-2009-1195 (cve.mitre.org)
  Prevent the "Includes" Option from being enabled in an .htaccess
  file if the AllowOverride restrictions do not permit it.
  [Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
   Ruediger Pluem, Jeff Trawick]
- SECURITY: CVE-2009-1890 (cve.mitre.org)
  Fix a potential Denial-of-Service attack against mod_proxy in a
  reverse proxy configuration, where a remote attacker can force a
  proxy process to consume CPU time indefinitely.  [Nick Kew, Joe Orton]
- SECURITY: CVE-2009-1191 (cve.mitre.org)
  mod_proxy_ajp: Avoid delivering content from a previous request which
  failed to send a request body. Bug 46949 [Ruediger Pluem]
- SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
  The bundled copy of the APR-util library has been updated, fixing three
  different security issues which may affect particular configurations
  and third-party modules.
- mod_include: fix potential segfault when handling back references
  on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
- mod_alias: check sanity in Redirect arguments.
  Bug 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
- mod_proxy_http: fix Host: header for literal IPv6 addresses.
  Bug 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
- mod_rewrite: Remove locking for writing to the rewritelog.
  Bug 46942
- mod_alias: Ensure Redirect emits HTTP-compliant URLs.
  Bug 44020
- mod_proxy_http: fix case sensitivity checking transfer encoding
  Bug 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
- mod_rewrite: Fix the error string returned by RewriteRule.
  RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
  argument of RewriteRule did not start with "[" or did not end with "]".
  Bug 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
- mod_proxy: Complete ProxyPassReverse to handle balancer URLs.  Given:
    BalancerMember balancer://alias http://example.com/foo
    ProxyPassReverse /bash balancer://alias/bar
  backend url http://example.com/foo/bar/that is now translated /bash/that
  [William Rowe]
- New piped log syntax: Use "||process args" to launch the given process
  without invoking the shell/command interpreter.  Use "|$command line"
  (the default behavior of "|command line" in 2.2) to invoke using shell,
  consuming an additional shell process for the lifetime of the logging
  pipe program but granting additional process invocation flexibility.
  [William Rowe]
- mod_ssl: Add server name indication support (RFC 4366) and better
  support for name based virtual hosts with SSL. Bug 34607
  [Peter Sylvester <peter.sylvester edelweb.fr>,
   Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton,
   Ruediger Pluem]
- mod_negotiation: Escape paths of filenames in 406 responses to avoid
  HTML injections and HTTP response splitting.  Bug 46837.
  [Geoff Keating <geoffk apple.com>]
- mod_include: Prevent a case of SSI timefmt-smashing with filter chains
  including multiple INCLUDES filters. Bug 39369 [Joe Orton]
- mod_rewrite: When evaluating a proxy rule in directory context, do
  escape the filename by default. Bug 46428 [Joe Orton]
- mod_proxy_ajp: Check more strictly that the backend follows the AJP
  protocol. [Mladen Turk]
- mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
  to enable stricter checking of remote server certificates.
  [Ruediger Pluem]
- mod_substitute: Fix a memory leak. Bug 44948
  [Dan Poirier <poirier pobox.com>]
- mod_proxy_ajp: Forward remote port information by default.
  [Rainer Jung]
- mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
  directive to correctly remove headers before storing them.
  [Lars Eilebrecht]
- mod_deflate: revert changes in 2.2.8 that caused an invalid
  etag to be emitted for on-the-fly gzip content-encoding.
  Bug 39727 will require larger fixes and this fix was far more
  harmful than the original code. Bug 45023. [Roy T. Fielding]
- mod_disk_cache: The module now turns off sendfile support if
  'EnableSendfile off' is defined globally. Bug 41218.
  [Lars Eilebrecht, Issac Goldstand]
- prefork: Fix child process hang during graceful restart/stop in
  configurations with multiple listening sockets.  Bug 42829.  [Joe Orton,
  Jeff Trawick]
- mod_ssl: Add SSLRenegBufferSize directive to allow changing the
  size of the buffer used for the request-body where necessary
  during a per-dir renegotiation.  Bug 39243.  [Joe Orton]
- mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
  way that per-directory rewrites append the previous notion of PATH_INFO
  to each substitution before evaluating subsequent rules.
  Bug 38642 [Eric Covener]
- mod_authnz_ldap: Reduce number of initialization debug messages and make
  information more clear. Bug 46342 [Dan Poirier]
- mod_cache: Introduce 'no-cache' per-request environment variable
  to prevent the saving of an otherwise cacheable response.
  [Eric Covener]
- core: Translate the status line to ASCII on EBCDIC platforms in
  ap_send_interim_response() and for locally generated "100 Continue"
  responses.  [Eric Covener]
- CGI: return 504 (Gateway timeout) rather than 500 when a script
  times out before returning status line/headers.
  Bug 42190 [Nick Kew]
- prefork: Log an error instead of segfaulting when child startup fails
  due to pollset creation failures.  Bug 46467.  [Jeff Trawick]
- mod_ext_filter: fix error handling when the filter prog fails to start,
  and introduce an onfail configuration option to abort

All the security problems mentioned above had already been fixed in
"pkgsrc" via patches. Thanks a lot to Adam Ciarcinski for letting me
know that the new version had finally been released.
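
The piped-log syntax, the SSLProxyCheckPeerCN/SSLProxyCheckPeerExpire
directives, SNI and the balancer-aware ProxyPassReverse from the 2.2.12
list above, put together in one httpd.conf fragment. This is an added
example, not part of the pkgsrc log or of Apache's CHANGES file; the
hostnames, certificate and CA paths, backend URLs and the /usr/pkg
prefix are assumed for illustration.

```apache
# Added example, not from the pkgsrc log or the Apache CHANGES file.
# Hostnames, file paths and backend URLs are assumed; /usr/pkg is the
# pkgsrc PREFIX.

Listen 443
NameVirtualHost *:443

# --- Piped logging ------------------------------------------------------
# "||" execs rotatelogs directly: no /bin/sh in the chain, so nothing in
# the command line is subject to shell interpretation, and one process
# fewer per log pipe.
CustomLog "||/usr/pkg/sbin/rotatelogs /var/log/httpd/access_log 86400" combined
ErrorLog  "||/usr/pkg/sbin/rotatelogs /var/log/httpd/error_log 86400"
# "|$" is the old "|" behaviour: the program is started through the shell.
# Only reach for it when the command line really needs shell features:
# CustomLog "|$/usr/pkg/sbin/rotatelogs /var/log/httpd/access_log 86400 2>/dev/null" combined

# --- Name-based TLS virtual hosts (SNI, new in 2.2.12) ------------------
# The first vhost for an address:port is the default and is also what a
# client that sends no server name gets. SSLStrictSNIVHostCheck in that
# vhost refuses such clients instead of silently serving them the
# default site's content under the default site's certificate.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /usr/pkg/etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /usr/pkg/etc/httpd/ssl/www.example.com.key
    SSLStrictSNIVHostCheck on
    DocumentRoot /usr/pkg/share/httpd/htdocs
</VirtualHost>

<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /usr/pkg/etc/httpd/ssl/app.example.com.crt
    SSLCertificateKeyFile /usr/pkg/etc/httpd/ssl/app.example.com.key

    # --- Outbound TLS to the backends: verify the peer, not just encrypt --
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /usr/pkg/etc/httpd/ssl/backend-ca.crt
    # New in 2.2.12: reject a backend certificate whose CN does not match
    # the host in the backend URL, and reject one that has expired.
    # Without these two, a valid-chain certificate for any name and any
    # validity period would be accepted.
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on

    <Proxy balancer://appcluster>
        BalancerMember https://app1.internal.example.com/foo
        BalancerMember https://app2.internal.example.com/foo
    </Proxy>
    ProxyPass        /bash balancer://appcluster/bar
    # 2.2.12 resolves the balancer alias in ProxyPassReverse, so a backend
    # Location of https://app1.internal.example.com/foo/bar/that is
    # rewritten to /bash/that in the response sent to the client.
    ProxyPassReverse /bash balancer://appcluster/bar
</VirtualHost>
```

The SNI name chooses the vhost, and therefore the certificate, during
the handshake, so each ServerName has to match the certificate the
client expects for that name. Clients of the period that sent no SNI
were routed to the first vhost, which is why the strict check belongs
there rather than in the later ones.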

Revision 1.20.2.1 / (download) - annotate - [select for diffs], Thu Jul 16 05:37:24 2009 UTC (10 years, 3 months ago) by spz
Branch: pkgsrc-2009Q2
Changes since 1.20: +3 -1 lines
Diff to previous 1.20 (colored)

Pullup ticket 2812 - requested by tron
Security update

Revisions pulled up:
- pkgsrc/www/apache22/Makefile		1.47
- pkgsrc/www/apache22/distinfo		1.21

Files added:
pkgsrc/www/apache22/patches/patch-af
pkgsrc/www/apache22/patches/patch-ah

   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Tue Jul 14 12:23:40 UTC 2009

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-af patch-ah

   Log Message:
   Add patches from the Apache SVN repository to fix the security
   vulnerabilities reported in CVE-2009-1890 and CVE-2009-1891.


   To generate a diff of this commit:
   cvs rdiff -u -r1.46 -r1.47 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.20 -r1.21 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r0 -r1.1 pkgsrc/www/apache22/patches/patch-af \
       pkgsrc/www/apache22/patches/patch-ah

Revision 1.21 / (download) - annotate - [select for diffs], Tue Jul 14 12:23:39 2009 UTC (10 years, 3 months ago) by tron
Branch: MAIN
Changes since 1.20: +3 -1 lines
Diff to previous 1.20 (colored)

Add patches from the Apache SVN repository to fix the security
vulnerabilities reported in CVE-2009-1890 and CVE-2009-1891.

Revision 1.17.2.3 / (download) - annotate - [select for diffs], Fri Jun 12 21:38:06 2009 UTC (10 years, 4 months ago) by spz
Branch: pkgsrc-2009Q1
Changes since 1.17.2.2: +4 -5 lines
Diff to previous 1.17.2.2 (colored) to branchpoint 1.17 (colored) next main 1.18 (colored)

Pullup ticket 2795 - requested by tron
Compatibility update
Fixes PR 41550

Revisions pulled up:
- pkgsrc/www/apache22/Makefile			1.46
- pkgsrc/www/apache22/distinfo			1.20
- pkgsrc/www/apache22/patches/patch-ba		1.2
- pkgsrc/www/apache22/patches/patch-bc		1.2
- pkgsrc/www/apache22/patches/patch-bd		1.2

Files deleted:
pkgsrc/www/apache22/patches/patch-bb

   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Thu Jun 11 20:30:59 UTC 2009

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   	pkgsrc/www/apache22/patches: patch-ba patch-bc patch-bd
   Removed Files:
   	pkgsrc/www/apache22/patches: patch-bb

   Log Message:
   Import improved version of the fix for CVE-2009-1195 to restore
   backwards compatibility with e.g. "mod_perl".


   To generate a diff of this commit:
   cvs rdiff -u -r1.45 -r1.46 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.19 -r1.20 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r1.1 -r1.2 pkgsrc/www/apache22/patches/patch-ba \
       pkgsrc/www/apache22/patches/patch-bc pkgsrc/www/apache22/patches/patch-bd
   cvs rdiff -u -r1.1 -r0 pkgsrc/www/apache22/patches/patch-bb

Revision 1.20 / (download) - annotate - [select for diffs], Thu Jun 11 20:30:58 2009 UTC (10 years, 4 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2009Q2-base
Branch point for: pkgsrc-2009Q2
Changes since 1.19: +4 -5 lines
Diff to previous 1.19 (colored)

Import improved version of the fix for CVE-2009-1195 to restore
backwards compatibility with e.g. "mod_perl".

Revision 1.17.2.2 / (download) - annotate - [select for diffs], Thu Jun 4 20:41:20 2009 UTC (10 years, 4 months ago) by spz
Branch: pkgsrc-2009Q1
Changes since 1.17.2.1: +5 -1 lines
Diff to previous 1.17.2.1 (colored) to branchpoint 1.17 (colored)

Pullup ticket 2786 - requested by tron
Security update

Revisions pulled up:
- pkgsrc/www/apache22/Makefile			1.45
- pkgsrc/www/apache22/distinfo			1.19

Files added:
- pkgsrc/www/apache22/patches/patch-ba		1.1
- pkgsrc/www/apache22/patches/patch-bb		1.1
- pkgsrc/www/apache22/patches/patch-bc		1.1
- pkgsrc/www/apache22/patches/patch-bd		1.1

   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Thu Jun  4 08:51:52 UTC 2009

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-ba patch-bb patch-bc patch-bd

   Log Message:
   Add patches from the Apache SVN repository to fix the security bypass
   vulnerability reported in CVE-2009-1195.


   To generate a diff of this commit:
   cvs rdiff -u -r1.44 -r1.45 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.18 -r1.19 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r0 -r1.1 pkgsrc/www/apache22/patches/patch-ba \
       pkgsrc/www/apache22/patches/patch-bb pkgsrc/www/apache22/patches/patch-bc \
       pkgsrc/www/apache22/patches/patch-bd

Revision 1.19 / (download) - annotate - [select for diffs], Thu Jun 4 08:51:52 2009 UTC (10 years, 4 months ago) by tron
Branch: MAIN
Changes since 1.18: +5 -1 lines
Diff to previous 1.18 (colored)

Add patches from the Apache SVN repository to fix the security bypass
vulnerability reported in CVE-2009-1195.

Revision 1.17.2.1 / (download) - annotate - [select for diffs], Sat May 23 07:15:36 2009 UTC (10 years, 4 months ago) by spz
Branch: pkgsrc-2009Q1
Changes since 1.17: +2 -1 lines
Diff to previous 1.17 (colored)

Pullup ticket 2778 - requested by tron
Security fix

Revisions pulled up:
- pkgsrc/www/apache22/Makefile			1.43
- pkgsrc/www/apache22/distinfo			1.18
- pkgsrc/www/apache22/patches/patch-ab		1.10

   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Fri May 22 09:46:06 UTC 2009

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-ab

   Log Message:
   Add patch from the Apache SVN repository to fix the information leak
   in the "mod_proxy_ajp" module reported in CVE-2009-1191.


   To generate a diff of this commit:
   cvs rdiff -u -r1.42 -r1.43 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.17 -r1.18 pkgsrc/www/apache22/distinfo
   cvs rdiff -u -r0 -r1.10 pkgsrc/www/apache22/patches/patch-ab

Revision 1.18 / (download) - annotate - [select for diffs], Fri May 22 09:46:06 2009 UTC (10 years, 4 months ago) by tron
Branch: MAIN
Changes since 1.17: +2 -1 lines
Diff to previous 1.17 (colored)

Add patch from the Apache SVN repository to fix the information leak
in the "mod_proxy_ajp" module reported in CVE-2009-1191.

Revision 1.17 / (download) - annotate - [select for diffs], Sun Feb 15 23:14:40 2009 UTC (10 years, 8 months ago) by rillig
Branch: MAIN
CVS Tags: pkgsrc-2009Q1-base
Branch point for: pkgsrc-2009Q1
Changes since 1.16: +2 -1 lines
Diff to previous 1.16 (colored)

QNX needs a little compatibility patch.

Revision 1.16 / (download) - annotate - [select for diffs], Sun Jan 25 09:59:51 2009 UTC (10 years, 8 months ago) by tron
Branch: MAIN
Changes since 1.15: +2 -2 lines
Diff to previous 1.15 (colored)

Fix broken patch.

Revision 1.15 / (download) - annotate - [select for diffs], Sat Jan 24 21:55:31 2009 UTC (10 years, 8 months ago) by darcy
Branch: MAIN
Changes since 1.14: +2 -1 lines
Diff to previous 1.14 (colored)

Patch mod_cgid to fix a known bug.  Without this patch a CGI script will be
populated with an extra, empty argument.  Full details can be found at
https://issues.apache.org/bugzilla/show_bug.cgi?id=46380

Note, this fix has already been committed to the Apache trunk and will be
in the next version so this patch can be removed then.

Revision 1.14 / (download) - annotate - [select for diffs], Sun Dec 28 14:00:59 2008 UTC (10 years, 9 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2008Q4-base, pkgsrc-2008Q4
Changes since 1.13: +4 -4 lines
Diff to previous 1.13 (colored)

Update "apache22" package to version 2.2.11. This update is a bug-fix
only release.

Approved by Thomas Klausner.

Revision 1.13 / (download) - annotate - [select for diffs], Sat Nov 1 19:49:38 2008 UTC (10 years, 11 months ago) by tron
Branch: MAIN
Changes since 1.12: +4 -5 lines
Diff to previous 1.12 (colored)

Update "apache22" package to version 2.2.10. Changes since 2.2.9:
- SECURITY: CVE-2008-2939 (cve.mitre.org)
  mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
  the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
- Allow for smax to be 0 for balancer members so that all idle
  connections are able to be dropped should they exceed ttl.
  Apache Bug #43371 [Phil Endecott <spam_from_apache_bugzilla chezphil.org>,
  Jim Jagielski]
- mod_proxy_http: Don't trigger a retry by the client if a failure to
  read the response line was the result of a timeout.
  [Adam Woodworth <mirkperl gmail.com>]
- Support chroot on Unix-family platforms
  Apache Bug #43596 [Dimitar Pashev <mitko banksoft-bg.com>]
- mod_ssl: implement dynamic mutex callbacks for the benefit of
  OpenSSL.  [Sander Temme]
- mod_proxy_balancer: Add 'bybusyness' load balance method.
  [Joel Gluth <joelgluth yahoo.com.au>, Jim Jagielski]
- mod_authn_alias: Detect during startup when AuthDigestProvider
  is configured to use an incompatible provider via AuthnProviderAlias.
  Apache Bug #45196 [Eric Covener]
- mod_proxy: Add 'scolonpathdelim' parameter to allow for ';' to also be
  used as a session path separator/delim  Apache Bug #45158. [Jim Jagielski]
- mod_charset_lite: Avoid dropping error responses by handling meta buckets
  correctly. Apache Bug #45687 [Dan Poirier <poirier pobox.com>]
- mod_proxy_http: Introduce environment variable proxy-initial-not-pooled to
  avoid reusing pooled connections if the client connection is an initial
  connection. Apache Bug #37770. [Ruediger Pluem]
- mod_rewrite: Allow Cookie option to set secure and HttpOnly flags.
  Apache Bug #44799 [Christian Wenz <christian wenz.org>]
- mod_ssl: Rewrite shmcb to avoid memory alignment issues.
  Apache Bug #42101. [Geoff Thorpe]
- mod_proxy: Add connectiontimeout parameter for proxy workers in order to
  be able to set the timeout for connecting to the backend separately.
  Apache Bug #45445. [Ruediger Pluem, rahul <rahul sun.com>]
- mod_dav_fs: Retrieve minimal system information about directory
  entries when walking a DAV fs, resolving a performance degradation on
  Windows.  Apache Bug #45464.  [Joe Orton, Jeff Trawick]
- mod_cgid: Pass along empty command line arguments from an ISINDEX
  query that has consecutive '+' characters in the QUERY_STRING,
  matching the behavior of mod_cgi.
  [Eric Covener]
- mod_headers: Prevent Header edit from processing only the first header
  of possibly multiple headers with the same name and deleting the
  remaining ones. Apache Bug #45333.  [Ruediger Pluem]
- mod_proxy_balancer: Move nonce field in the balancer manager page inside
  the html form where it belongs. Apache Bug #45578. [Ruediger Pluem]
- mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to
  known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.
  [Ruediger Pluem]
- mod_rewrite: Preserve the query string when [proxy,noescape].
  Apache Bug #45247. [Tom Donovan]

pkgsrc related note:
The security fix for CVE-2008-2939 has already been integrated as patch
before this update.
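
The mod_rewrite cookie flags and the mod_proxy worker parameters from
the 2.2.10 list above, as an added httpd.conf fragment that is not part
of the pkgsrc log or of Apache's CHANGES file. The cookie name and
domain, the fixed route value, the backend addresses and the timeouts
are assumed for illustration.

```apache
# Added example, not from the pkgsrc log or the Apache CHANGES file.
# Cookie name, domain, route value, backend addresses and timeouts are
# assumed.

RewriteEngine On

# 2.2.10: the CO= flag takes two extra fields. "secure" stops the browser
# from sending the cookie over plain HTTP; "httponly" keeps it out of
# document.cookie. Lifetime 0 makes it a session cookie, "/" is the path.
# The cookie is only set on TLS connections: on a plain-HTTP request a
# "secure" cookie would be set but never sent back.
RewriteCond %{HTTPS} on
RewriteRule ^/app/ - [CO=AFFINITY:s.node1:.example.com:0:/:secure:httponly]

# Before 2.2.10 the most a RewriteRule could emit was a cookie without
# either flag, i.e. readable by script and sent in the clear:
# RewriteRule ^/app/ - [CO=AFFINITY:s.node1:.example.com:0:/]

# mod_proxy_balancer takes the route from the part of the sticky cookie
# after the '.', so "s.node1" pins the client to the route=node1 member.
# scolonpathdelim (2.2.10) also accepts ';' as the session path delimiter.
ProxyPass /app/ balancer://appcluster/ stickysession=AFFINITY scolonpathdelim=On
<Proxy balancer://appcluster>
    # connectiontimeout (2.2.10) bounds the TCP connect separately from
    # the read timeout, so a backend that never answers SYN is skipped
    # after 2 seconds instead of holding the worker for 30.
    BalancerMember http://10.0.0.11:8080 route=node1 connectiontimeout=2 timeout=30
    BalancerMember http://10.0.0.12:8080 route=node2 connectiontimeout=2 timeout=30
    # bybusyness (2.2.10) sends the request to the member with the fewest
    # in-flight requests rather than by request or byte count.
    ProxySet lbmethod=bybusyness
</Proxy>
```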

Revision 1.11.4.1 / (download) - annotate - [select for diffs], Tue Aug 12 18:16:33 2008 UTC (11 years, 2 months ago) by spz
Branch: pkgsrc-2008Q2
Changes since 1.11: +2 -1 lines
Diff to previous 1.11 (colored) next main 1.12 (colored)

Pullup ticket 2476 - requested by tron
Security fix

Revisions pulled up:
- pkgsrc/www/apache22/Makefile			1.28
- pkgsrc/www/apache22/distinfo			1.12
- pkgsrc/www/apache22/patches/patch-ab		1.8

   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Sat Aug  9 22:16:44 UTC 2008

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-ab

   Log Message:
   Add patch from Apache SVN repository to avoid cross-site scripting attacks
   in the FTP proxy module. This fixes the security vulnerability reported
   in CVE-2008-2939.


   To generate a diff of this commit:
   cvs rdiff -r1.27 -r1.28 pkgsrc/www/apache22/Makefile
   cvs rdiff -r1.11 -r1.12 pkgsrc/www/apache22/distinfo
   cvs rdiff -r0 -r1.8 pkgsrc/www/apache22/patches/patch-ab

Revision 1.12 / (download) - annotate - [select for diffs], Sat Aug 9 22:16:44 2008 UTC (11 years, 2 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2008Q3-base, pkgsrc-2008Q3, cube-native-xorg-base, cube-native-xorg
Changes since 1.11: +2 -1 lines
Diff to previous 1.11 (colored)

Add patch from Apache SVN repository to avoid cross-site scripting attacks
in the FTP proxy module. This fixes the security vulnerability reported
in CVE-2008-2939.

Revision 1.11 / (download) - annotate - [select for diffs], Wed Jun 18 21:38:01 2008 UTC (11 years, 4 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2008Q2-base, cwrapper
Branch point for: pkgsrc-2008Q2
Changes since 1.10: +5 -6 lines
Diff to previous 1.10 (colored)

Update "apache22" package to version 2.2.9.
This version of Apache is principally a bug and security fix release.
The following potential security flaws are addressed:
- CVE-2008-2364: mod_proxy_http: Better handling of excessive interim
  responses from origin server to prevent potential denial of service and
  high memory usage. Reported by Ryujiro Shibuya.
- CVE-2007-6420: mod_proxy_balancer: Prevent CSRF attacks against the
  balancer-manager interface.

pkgsrc related notes:
- CVE-2008-2364 was already fixed in "pkgsrc"
- CVE-2007-6420 doesn't affect the package in the default configuration
  because the "proxy_balancer" isn't enabled.

Revision 1.9.2.1 / (download) - annotate - [select for diffs], Mon Jun 16 09:00:02 2008 UTC (11 years, 4 months ago) by ghen
Branch: pkgsrc-2008Q1
Changes since 1.9: +2 -1 lines
Diff to previous 1.9 (colored) next main 1.10 (colored)

Pullup ticket 2425 - requested by tron
security patch for apache22

- pkgsrc/www/apache22/Makefile				1.26
- pkgsrc/www/apache22/distinfo				1.10
- pkgsrc/www/apache22/patches/patch-ab			1.6

   Module Name:		pkgsrc
   Committed By:	tron
   Date:		Thu Jun 12 14:12:19 UTC 2008

   Modified Files:
	   pkgsrc/www/apache22: Makefile distinfo
   Added Files:
	   pkgsrc/www/apache22/patches: patch-ab

   Log Message:
   Add patch for CVE-2008-2364 from the Apache SVN repository.

Revision 1.10 / (download) - annotate - [select for diffs], Thu Jun 12 14:12:19 2008 UTC (11 years, 4 months ago) by tron
Branch: MAIN
Changes since 1.9: +2 -1 lines
Diff to previous 1.9 (colored)

Add patch for CVE-2008-2364 from the Apache SVN repository.

Revision 1.8.2.1 / (download) - annotate - [select for diffs], Tue Jan 29 14:24:36 2008 UTC (11 years, 8 months ago) by ghen
Branch: pkgsrc-2007Q4
Changes since 1.8: +4 -5 lines
Diff to previous 1.8 (colored) next main 1.9 (colored)

Pullup ticket 2282 - requested by tron
security update for apache22

- pkgsrc/www/apache22/Makefile				1.24 via patch
- pkgsrc/www/apache22/Makefile.common			1.7
- pkgsrc/www/apache22/PLIST				1.4
- pkgsrc/www/apache22/distinfo				1.9
- pkgsrc/www/apache22/patches/patch-ab			removed

   Module Name:		pkgsrc
   Committed By:	xtraeme
   Date:		Mon Jan 21 15:07:11 UTC 2008

   Modified Files:
	   pkgsrc/www/apache22: Makefile Makefile.common PLIST distinfo
   Removed Files:
	   pkgsrc/www/apache22/patches: patch-ab

   Log Message:
   Update to 2.2.8, please check http://www.apache.org/dist/httpd/CHANGES_2.2.8
   for the list of changes.

Revision 1.9 / (download) - annotate - [select for diffs], Mon Jan 21 15:07:11 2008 UTC (11 years, 8 months ago) by xtraeme
Branch: MAIN
CVS Tags: pkgsrc-2008Q1-base
Branch point for: pkgsrc-2008Q1
Changes since 1.8: +4 -5 lines
Diff to previous 1.8 (colored)

Update to 2.2.8, please check http://www.apache.org/dist/httpd/CHANGES_2.2.8
for the list of changes.

Revision 1.8 / (download) - annotate - [select for diffs], Tue Dec 4 12:08:45 2007 UTC (11 years, 10 months ago) by abs
Branch: MAIN
CVS Tags: pkgsrc-2007Q4-base
Branch point for: pkgsrc-2007Q4
Changes since 1.7: +2 -1 lines
Diff to previous 1.7 (colored)

Update www/apache to 2.2.6nb1

Add apache SVN revision 574884 to fix garbage characters in Server header
http://issues.apache.org/bugzilla/show_bug.cgi?id=43334

When it hits, this issue can completely screw up returned pages if the
Server header gets embedded newlines

Revision 1.6.2.1 / (download) - annotate - [select for diffs], Mon Sep 10 20:57:50 2007 UTC (12 years, 1 month ago) by ghen
Branch: pkgsrc-2007Q2
Changes since 1.6: +5 -11 lines
Diff to previous 1.6 (colored) next main 1.7 (colored)

Pullup ticket 2185 - requested by tron
security update for apache22

- pkgsrc/www/apache22/Makefile				1.18, 1.20
- pkgsrc/www/apache22/Makefile.common			1.6
- pkgsrc/www/apache22/PLIST				1.2, 1.3
- pkgsrc/www/apache22/distinfo				1.7
- pkgsrc/www/apache22/patches/patch-aa			1.2
- pkgsrc/www/apache22/patches/patch-ab			removed
- pkgsrc/www/apache22/patches/patch-an			removed
- pkgsrc/www/apache22/patches/patch-ao			removed
- pkgsrc/www/apache22/patches/patch-ap			removed
- pkgsrc/www/apache22/patches/patch-ar			removed
- pkgsrc/www/apache22/patches/patch-at			removed

   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Sat Sep  8 11:02:11 UTC 2007

   Modified Files:
	   pkgsrc/www/apache22: Makefile Makefile.common PLIST distinfo
	   pkgsrc/www/apache22/patches: patch-aa
   Removed Files:
	   pkgsrc/www/apache22/patches: patch-ab patch-an patch-ao patch-ap
	       patch-ar patch-at

   Log Message:
   Update "apache22" package to version 2.2.6.

   This update is a bug and security fix release. The following security
   problem hasn't been fixed in "pkgsrc" before:
   - CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when
     parsing date-related headers.
---
   Module Name:    pkgsrc
   Committed By:   rillig
   Date:           Sun Sep  9 08:12:58 UTC 2007

   Modified Files:
           pkgsrc/www/apache22: Makefile

   Log Message:
   Only fix the suexec permissions if the file exists.
---
   Module Name:    pkgsrc
   Committed By:   tron
   Date:           Mon Sep 10 20:36:41 UTC 2007

   Modified Files:
           pkgsrc/www/apache22: PLIST

   Log Message:
   Remove duplicate entry for "share/httpd/icons/README.html".
   Pointed out by Geert Hendrickx in private e-mail.

Revision 1.7 / (download) - annotate - [select for diffs], Sat Sep 8 11:02:07 2007 UTC (12 years, 1 month ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2007Q3-base, pkgsrc-2007Q3
Changes since 1.6: +5 -11 lines
Diff to previous 1.6 (colored)

Update "apache22" package to version 2.2.6.

This update is a bug and security fix release. The following security
problem hasn't been fixed in "pkgsrc" before:
- CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when
  parsing date-related headers.

Revision 1.6 / (download) - annotate - [select for diffs], Thu Jun 28 01:20:52 2007 UTC (12 years, 3 months ago) by lkundrak
Branch: MAIN
CVS Tags: pkgsrc-2007Q2-base
Branch point for: pkgsrc-2007Q2
Changes since 1.5: +9 -2 lines
Diff to previous 1.5 (colored)

Fixes for security issues, PKGREVISION bump.
CVE-2007-3304 Denial of Service.
CVE-2006-5752 XSS in mod_status with ExtendedStatus on.
CVE-2007-1863 remote crash when mod_cache enabled.

Revision 1.4.2.1 / (download) - annotate - [select for diffs], Wed Jun 13 14:16:32 2007 UTC (12 years, 4 months ago) by salo
Branch: pkgsrc-2007Q1
Changes since 1.4: +2 -1 lines
Diff to previous 1.4 (colored) next main 1.5 (colored)

Pullup ticket 2105 - requested by lkundrak
security fix for apache22

Revisions pulled up:
- pkgsrc/www/apache22/Makefile				1.12
- pkgsrc/www/apache22/distinfo				1.5
- pkgsrc/www/apache22/patches/patch-an			1.1

   Module Name:		pkgsrc
   Committed By:	lkundrak
   Date:		Tue Jun  5 01:43:45 UTC 2007

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-an

   Log Message:
   Bump apache22 to 2.2.4nb4 due to:
   Security fix for CVE-2007-1862 sensitive information disclosure
   http://issues.apache.org/bugzilla/show_bug.cgi?id=41551
   http://issues.apache.org/bugzilla/attachment.cgi?id=20065

Revision 1.5 / (download) - annotate - [select for diffs], Tue Jun 5 01:43:44 2007 UTC (12 years, 4 months ago) by lkundrak
Branch: MAIN
Changes since 1.4: +2 -1 lines
Diff to previous 1.4 (colored)

Bump apache22 to 2.2.4nb4 due to:
Security fix for CVE-2007-1862 sensitive information disclosure
http://issues.apache.org/bugzilla/show_bug.cgi?id=41551
http://issues.apache.org/bugzilla/attachment.cgi?id=20065

Revision 1.4 / (download) - annotate - [select for diffs], Sun Feb 25 00:02:35 2007 UTC (12 years, 7 months ago) by sborrill
Branch: MAIN
CVS Tags: pkgsrc-2007Q1-base
Branch point for: pkgsrc-2007Q1
Changes since 1.3: +2 -2 lines
Diff to previous 1.3 (colored)

apr-config is called apr-1-config now.

Revision 1.3 / (download) - annotate - [select for diffs], Fri Feb 2 18:06:27 2007 UTC (12 years, 8 months ago) by sborrill
Branch: MAIN
Changes since 1.2: +2 -2 lines
Diff to previous 1.2 (colored)

Correct path to apr-config in apxs.
Bump PKGREVISION

Revision 1.2 / (download) - annotate - [select for diffs], Sun Jan 21 17:11:53 2007 UTC (12 years, 8 months ago) by xtraeme
Branch: MAIN
Changes since 1.1: +4 -4 lines
Diff to previous 1.1 (colored)

Update www/apache22 to 2.2.4:

* Bugfixes, please see http://www.apache.org/dist/httpd/CHANGES_2.2

pkgsrc changes:

* Do not use the included pcre source in apache22.
* devel/apr1 now uses the apache22 version (increased to 1.2.8.2.2.4) to
  sync the source with the httpd distfile.
* Remove patches in devel/apr1 which were applied upstream.

Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Fri Dec 8 23:31:52 2006 UTC (12 years, 10 months ago) by xtraeme
Branch: TNF
CVS Tags: pkgsrc-base, pkgsrc-2006Q4-base, pkgsrc-2006Q4
Changes since 1.1: +0 -0 lines
Diff to previous 1.1 (colored)

Apache 2.2.3 - latest stable version.

Please see http://httpd.apache.org/docs/2.2/new_features_2_2.html
for the list of changes.

Revision 1.1 / (download) - annotate - [select for diffs], Fri Dec 8 23:31:52 2006 UTC (12 years, 10 months ago) by xtraeme
Branch: MAIN

Initial revision
