[BACK]Return to distinfo CVS log [TXT][DIR] Up to [cvs.NetBSD.org] / pkgsrc / www / apache22

File: [cvs.NetBSD.org] / pkgsrc / www / apache22 / Attic / distinfo (download)

Revision 1.59.4.1, Fri Sep 19 11:35:30 2014 UTC (8 years, 4 months ago) by tron
Branch: pkgsrc-2014Q2
Changes since 1.59: +4 -4 lines

Pullup ticket #4501 - requested by he
www/apache22: security update

Revisions pulled up:
- www/apache22/Makefile                                         1.102
- www/apache22/distinfo                                         1.60

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Tue Sep  9 08:11:48 UTC 2014

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo

   Log Message:
   Changes  2.4.10

     *) SECURITY: CVE-2014-0117 (cve.mitre.org)
        mod_proxy: Fix crash in Connection header handling which
        allowed a denial of service attack against a reverse proxy
        with a threaded MPM.

     *) SECURITY: CVE-2014-3523 (cve.mitre.org)
        Fix a memory consumption denial of service in the WinNT MPM (used in all Windows
        installations). Workaround: AcceptFilter <protocol> {none|connect}

     *) SECURITY: CVE-2014-0226 (cve.mitre.org)
        Fix a race condition in scoreboard handling, which could lead to
        a heap buffer overflow.

     *) SECURITY: CVE-2014-0118 (cve.mitre.org)
        mod_deflate: The DEFLATE input filter (inflates request bodies) now
        limits the length and compression ratio of inflated request bodies to avoid
        denial of sevice via highly compressed bodies.  See directives
        DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
        and DeflateInflateRatioBurst.

     *) SECURITY: CVE-2014-0231 (cve.mitre.org)
        mod_cgid: Fix a denial of service against CGI scripts that do
        not consume stdin that could lead to lingering HTTPD child processes
        filling up the scoreboard and eventually hanging the server.  By
        default, the client I/O timeout (Timeout directive) now applies to
        communication with scripts.  The CGIDScriptTimeout directive can be
        used to set a different timeout for communication with scripts.

     *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
        resumed by TLS session resumption (RFC 5077).

     *) mod_deflate: Don't fail when flushing inflated data to the user-agent
        and that coincides with the end of stream ("Zlib error flushing inflate
        buffer").

     *) mod_proxy_ajp: Forward local IP address as a custom request attribute
        like we already do for the remote port.

     *) core: Include any error notes set by modules in the canned error
        response for 403 errors.

     *) mod_ssl: Set an error note for requests rejected due to
        SSLStrictSNIVHostCheck.

     *) mod_ssl: Fix issue with redirects to error documents when handling
        SNI errors.

     *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
        larger keys and support up to 8192-bit keys.

     *) mod_dav: Fix improper encoding in PROPFIND responses.

     *) WinNT MPM: Improve error handling for termination events in child.

     *) mod_proxy: When ping/pong is configured for a worker, don't send or
        forward "100 Continue" (interim) response to the client if it does
        not expect one.

     *) mod_ldap: Be more conservative with the last-used time for
        LDAPConnectionPoolTTL.

     *) mod_ldap: LDAP connections used for authn were not respecting
        LDAPConnectionPoolTTL.

     *) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.

     *) event MPM: Fix possible crashes (third-party modules accessing c->sbh)
        or occasional missed mod_status updates under load.

     *) mod_authnz_ldap: Support primitive LDAP servers do not accept
        filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
        filter "none" to be specified in AuthLDAPURL.

     *) mod_deflate: Fix inflation of files larger than 4GB.

     *) mod_deflate: Handle Zlib header and validation bytes received in multiple
        chunks.

     *) mod_proxy: Allow reverse-proxy to be set via explicit handler.

     *) ab: support custom HTTP method with -m argument.

     *) mod_proxy_balancer: Correctly encode user provided data in management
        interface.

     *) mod_proxy_fcgi: Support iobuffersize parameter.

     *) mod_auth_form: Add a debug message when the fields on a form are not
        recognised.

     *) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
        response.

     *) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
        scheme.

     *) mod_socache_shmcb: Correct counting of expirations for status display.
        Expirations happening during retrieval were not counted.

     *) mod_cache: Retry unconditional request with the full URL (including the
        query-string) when the origin server's 304 response does not match the
        conditions used to revalidate the stale entry.

     *) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
        variables as a result of AliasMatch.

     *) mod_cache: Don't add cached/revalidated entity headers to a 304 response.

     *) mod_proxy_scgi: Support Unix sockets.  ap_proxy_port_of_scheme():
        Support default SCGI port (4000).

     *) mod_cache: Fix AH00784 errors on Windows when the the CacheLock directive
        is enabled.

     *) mod_expires: don't add Expires header to error responses (4xx/5xx),
        be they generated or forwarded.

     *) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
        (regression in 2.4.9 release)

     *) mod_authn_socache: Fix crash at startup in certain configurations.

     *) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
        programs to the form used in releases up to 2.4.7, and emulate
        a backwards-compatible behavior for existing setups.

     *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
        OCSP requests should use a nonce to be checked against the responder's
        one.

     *) mod_ssl: "SSLEngine off" will now override a Listen-based default
        and does disable mod_ssl for the vhost.

     *) mod_lua: Enforce the max post size allowed via r:parsebody()

     *) mod_lua: Use binary comparison to find boundaries for multipart
        objects, as to not terminate our search prematurely when hitting
        a NULL byte.

     *) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
        versions before 0.9.8h and not specifying an SSLCertificateChainFile
        (regression introduced with 2.4.8).

     *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
        no longer send warning-level unrecognized_name(112) alerts,
        and limit startup warnings to cases where an OpenSSL version
        without TLS extension support is used.

     *) mod_proxy_html: Avoid some possible memory access violation in case of
        specially crafted files, when the ProxyHTMLMeta directive is turned on.

     *) mod_auth_form: Make sure the optional functions are loaded even when
        the AuthFormProvider isn't specified.

     *) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
        (and logging garbled file names).

     *) mod_ssl: fix merging of global and vhost-level settings with the
        SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
        directives.

     *) mod_headers: Allow the "value" parameter of Header and RequestHeader to
        contain an ap_expr expression if prefixed with "expr=".

     *) rotatelogs: Avoid creation of zombie processes when -p is used on
        Unix platforms.

     *) mod_authnz_fcgi: New module to enable FastCGI authorizer
        applications to authenticate and/or authorize clients.

     *) mod_proxy: Do not try to parse the regular expressions passed by
        ProxyPassMatch as URL as they do not follow their syntax.

     *) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
        under the Event MPM.

     *) mod_proxy_fcgi: Fix sending of response without some HTTP headers
        that might be set by filters.

     *) mod_proxy_html: Do not delete the wrong data from HTML code when a
        "http-equiv" meta tag specifies a Content-Type behind any other
        "http-equiv" meta tag.

     *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
        differs.

     *) Add suspend_connection and resume_connection hooks to notify modules
        when the thread/connection relationship changes.  (Should be implemented
        for any third-party async MPMs.)

     *) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine
        hangups from websockets origin servers.

     *) mod_proxy_wstunnel: Don't pool backend websockets connections,
        because we need to handshake every time.

     *) mod_lua: Redesign how request record table access behaves,
        in order to utilize the request record from within these tables.

     *) mod_lua: Add r:wspeek for peeking at WebSocket frames.

     *) mod_lua: Log an error when the initial parsing of a Lua file fails.

     *) mod_lua: Reformat and escape script error output.

     *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
        from causing response splitting.

     *) mod_lua: Disallow newlines in table values inside the request_rec,
        to prevent HTTP Response Splitting via tainted headers.

     *) mod_lua: Remove the non-working early/late arguments for
        LuaHookCheckUserID.

     *) mod_lua: Change IVM storage to use shm

     *) mod_lua: More verbose error logging when a handler function cannot be
        found.

$NetBSD: distinfo,v 1.59.4.1 2014/09/19 11:35:30 tron Exp $

SHA1 (httpd-2.2.29.tar.bz2) = 1d6a8fbc1391d358cc6fe430edc16222b97258d5
RMD160 (httpd-2.2.29.tar.bz2) = c9a823f038a6a1cbfd94cd9bdd067edd26cf7a3b
Size (httpd-2.2.29.tar.bz2) = 5625498 bytes
SHA1 (patch-aa) = e0bfdf6bc9cb034bea46a390a12a5508e363c9a7
SHA1 (patch-ab) = 365cc3b0ac2d9d68ccb94f5699fe168a1c9b0150
SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01
SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312
SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1
SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4
SHA1 (patch-docs_man_apxs.8) = 70797ea73ae6379492971bec1106a8427ae7fdaa
SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1
SHA1 (patch-modules_proxy_mod_proxy_connect.c) = b2b5d0242a92c7bf20b14c16d8cd3abae42f3746
SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1