Return to Makefile CVS log | Up to [cvs.NetBSD.org] / pkgsrc / www / apache22 |
File: [cvs.NetBSD.org] / pkgsrc / www / apache22 / Attic / Makefile (download)
Revision 1.101.2.1, Fri Sep 19 11:35:30 2014 UTC (9 years, 6 months ago) by tron
Pullup ticket #4501 - requested by he www/apache22: security update Revisions pulled up: - www/apache22/Makefile 1.102 - www/apache22/distinfo 1.60 --- Module Name: pkgsrc Committed By: adam Date: Tue Sep 9 08:11:48 UTC 2014 Modified Files: pkgsrc/www/apache22: Makefile distinfo Log Message: Changes 2.4.10 *) SECURITY: CVE-2014-0117 (cve.mitre.org) mod_proxy: Fix crash in Connection header handling which allowed a denial of service attack against a reverse proxy with a threaded MPM. *) SECURITY: CVE-2014-3523 (cve.mitre.org) Fix a memory consumption denial of service in the WinNT MPM (used in all Windows installations). Workaround: AcceptFilter <protocol> {none|connect} *) SECURITY: CVE-2014-0226 (cve.mitre.org) Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow. *) SECURITY: CVE-2014-0118 (cve.mitre.org) mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of sevice via highly compressed bodies. See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst. *) SECURITY: CVE-2014-0231 (cve.mitre.org) mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. By default, the client I/O timeout (Timeout directive) now applies to communication with scripts. The CGIDScriptTimeout directive can be used to set a different timeout for communication with scripts. *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions resumed by TLS session resumption (RFC 5077). *) mod_deflate: Don't fail when flushing inflated data to the user-agent and that coincides with the end of stream ("Zlib error flushing inflate buffer"). *) mod_proxy_ajp: Forward local IP address as a custom request attribute like we already do for the remote port. *) core: Include any error notes set by modules in the canned error response for 403 errors. *) mod_ssl: Set an error note for requests rejected due to SSLStrictSNIVHostCheck. *) mod_ssl: Fix issue with redirects to error documents when handling SNI errors. *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer larger keys and support up to 8192-bit keys. *) mod_dav: Fix improper encoding in PROPFIND responses. *) WinNT MPM: Improve error handling for termination events in child. *) mod_proxy: When ping/pong is configured for a worker, don't send or forward "100 Continue" (interim) response to the client if it does not expect one. *) mod_ldap: Be more conservative with the last-used time for LDAPConnectionPoolTTL. *) mod_ldap: LDAP connections used for authn were not respecting LDAPConnectionPoolTTL. *) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies. *) event MPM: Fix possible crashes (third-party modules accessing c->sbh) or occasional missed mod_status updates under load. *) mod_authnz_ldap: Support primitive LDAP servers do not accept filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special filter "none" to be specified in AuthLDAPURL. *) mod_deflate: Fix inflation of files larger than 4GB. *) mod_deflate: Handle Zlib header and validation bytes received in multiple chunks. *) mod_proxy: Allow reverse-proxy to be set via explicit handler. *) ab: support custom HTTP method with -m argument. *) mod_proxy_balancer: Correctly encode user provided data in management interface. *) mod_proxy_fcgi: Support iobuffersize parameter. *) mod_auth_form: Add a debug message when the fields on a form are not recognised. *) mod_cache: Preserve non-cacheable headers forwarded from an origin 304 response. *) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:" scheme. *) mod_socache_shmcb: Correct counting of expirations for status display. Expirations happening during retrieval were not counted. *) mod_cache: Retry unconditional request with the full URL (including the query-string) when the origin server's 304 response does not match the conditions used to revalidate the stale entry. *) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment variables as a result of AliasMatch. *) mod_cache: Don't add cached/revalidated entity headers to a 304 response. *) mod_proxy_scgi: Support Unix sockets. ap_proxy_port_of_scheme(): Support default SCGI port (4000). *) mod_cache: Fix AH00784 errors on Windows when the the CacheLock directive is enabled. *) mod_expires: don't add Expires header to error responses (4xx/5xx), be they generated or forwarded. *) mod_proxy_fcgi: Don't segfault when failing to connect to the backend. (regression in 2.4.9 release) *) mod_authn_socache: Fix crash at startup in certain configurations. *) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog programs to the form used in releases up to 2.4.7, and emulate a backwards-compatible behavior for existing setups. *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not OCSP requests should use a nonce to be checked against the responder's one. *) mod_ssl: "SSLEngine off" will now override a Listen-based default and does disable mod_ssl for the vhost. *) mod_lua: Enforce the max post size allowed via r:parsebody() *) mod_lua: Use binary comparison to find boundaries for multipart objects, as to not terminate our search prematurely when hitting a NULL byte. *) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL versions before 0.9.8h and not specifying an SSLCertificateChainFile (regression introduced with 2.4.8). *) mod_ssl: bring SNI behavior into better conformance with RFC 6066: no longer send warning-level unrecognized_name(112) alerts, and limit startup warnings to cases where an OpenSSL version without TLS extension support is used. *) mod_proxy_html: Avoid some possible memory access violation in case of specially crafted files, when the ProxyHTMLMeta directive is turned on. *) mod_auth_form: Make sure the optional functions are loaded even when the AuthFormProvider isn't specified. *) mod_ssl: avoid processing bogus SSLCertificateKeyFile values (and logging garbled file names). *) mod_ssl: fix merging of global and vhost-level settings with the SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd directives. *) mod_headers: Allow the "value" parameter of Header and RequestHeader to contain an ap_expr expression if prefixed with "expr=". *) rotatelogs: Avoid creation of zombie processes when -p is used on Unix platforms. *) mod_authnz_fcgi: New module to enable FastCGI authorizer applications to authenticate and/or authorize clients. *) mod_proxy: Do not try to parse the regular expressions passed by ProxyPassMatch as URL as they do not follow their syntax. *) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests under the Event MPM. *) mod_proxy_fcgi: Fix sending of response without some HTTP headers that might be set by filters. *) mod_proxy_html: Do not delete the wrong data from HTML code when a "http-equiv" meta tag specifies a Content-Type behind any other "http-equiv" meta tag. *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI differs. *) Add suspend_connection and resume_connection hooks to notify modules when the thread/connection relationship changes. (Should be implemented for any third-party async MPMs.) *) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine hangups from websockets origin servers. *) mod_proxy_wstunnel: Don't pool backend websockets connections, because we need to handshake every time. *) mod_lua: Redesign how request record table access behaves, in order to utilize the request record from within these tables. *) mod_lua: Add r:wspeek for peeking at WebSocket frames. *) mod_lua: Log an error when the initial parsing of a Lua file fails. *) mod_lua: Reformat and escape script error output. *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data from causing response splitting. *) mod_lua: Disallow newlines in table values inside the request_rec, to prevent HTTP Response Splitting via tainted headers. *) mod_lua: Remove the non-working early/late arguments for LuaHookCheckUserID. *) mod_lua: Change IVM storage to use shm *) mod_lua: More verbose error logging when a handler function cannot be found. |
# $NetBSD: Makefile,v 1.101.2.1 2014/09/19 11:35:30 tron Exp $ DISTNAME= httpd-2.2.29 PKGNAME= ${DISTNAME:S/httpd/apache/} CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \ http://archive.apache.org/dist/httpd/ \ http://archive.eu.apache.org/dist/httpd/ EXTRACT_SUFX= .tar.bz2 MAINTAINER= pkgsrc-users@NetBSD.org HOMEPAGE= http://httpd.apache.org/ COMMENT= Apache HTTP (Web) server, version 2.2 LICENSE= apache-2.0 BUILD_DEFS+= IPV6_READY BUILD_DEFS+= VARBASE USE_TOOLS+= pax perl perl:run pkg-config USE_LIBTOOL= yes GNU_CONFIGURE= yes CONFIGURE_ARGS+= --enable-layout=NetBSD CONFIGURE_ARGS+= --with-port=80 CONFIGURE_ARGS+= --enable-so CONFIGURE_ENV+= perlbin=${PERL5:Q} CONFIGURE_ENV+= ac_cv_path_RSYNC=/nonexistent CONFIGURE_ARGS+= CFLAGS=${APACHE_CUSTOM_CFLAGS:M*:Q} BUILD_DEFS+= APACHE_CUSTOM_CFLAGS # Apache Portable Runtime library configure options CONFIGURE_ARGS+= --with-apr=${BUILDLINK_PREFIX.apr} CONFIGURE_ARGS+= --with-apr-util=${BUILDLINK_PREFIX.apr-util} CHECK_INTERPRETER_SKIP+= lib/httpd/httpd.exp CHECK_PORTABILITY_SKIP+= srclib/pcre/* \ srclib/apr-util/* \ srclib/apr/* # the following must be set before bsd.prefs.mk in order to make += work # in mk.conf; however, it isn't expanded until referenced, so we can # define DFLT_APACHE_MODULES later # APACHE_MODULES?= ${DFLT_APACHE_MODULES} .include "../../mk/bsd.prefs.mk" .include "../../devel/apr/buildlink3.mk" .include "../../devel/apr-util/buildlink3.mk" .include "../../textproc/expat/buildlink3.mk" .include "../../mk/dlopen.buildlink3.mk" .include "../../mk/pthread.buildlink3.mk" CONFIGURE_ARGS+= --disable-include CONFIGURE_ARGS+= --disable-log-config CONFIGURE_ARGS+= --disable-env CONFIGURE_ARGS+= --disable-mime CONFIGURE_ARGS+= --disable-setenvif CONFIGURE_ARGS+= --disable-status CONFIGURE_ARGS+= --disable-autoindex CONFIGURE_ARGS+= --disable-asis CONFIGURE_ARGS+= --disable-cgi CONFIGURE_ARGS+= --disable-negotiation CONFIGURE_ARGS+= --disable-dir CONFIGURE_ARGS+= --disable-actions CONFIGURE_ARGS+= --disable-userdir CONFIGURE_ARGS+= --disable-alias DFLT_APACHE_MODULES= all DFLT_APACHE_MODULES+= proxy proxy_connect proxy_ftp proxy_http DFLT_APACHE_MODULES+= ssl deflate access auth authn_alias DFLT_APACHE_MODULES+= include log_config env mime setenvif DFLT_APACHE_MODULES+= status autoindex asis cgi negotiation dir imap DFLT_APACHE_MODULES+= actions userdir alias isapi file_cache DFLT_APACHE_MODULES+= cache disk_cache mem_cache bucketeer echo DFLT_APACHE_MODULES+= example case_filter case_filter_in DFLT_APACHE_MODULES+= charset_lite DFLT_APACHE_MODULES+= cgid dav_lock proxy_ajp proxy_balancer PLIST_SRC+= ${PKGDIR}/PLIST .include "options.mk" # LDAP support PLIST_VARS+= ldap .if !empty(PKG_BUILD_OPTIONS.apr-util:Mldap) DFLT_APACHE_MODULES+= ldap authnz_ldap . if !empty(PKG_OPTIONS:Mapache-shared-modules) PLIST.ldap= yes . endif .endif APACHE_USER?= www APACHE_GROUP?= www PKG_GROUPS= ${APACHE_GROUP} PKG_USERS= ${APACHE_USER}:${APACHE_GROUP} PKG_GROUPS_VARS+= APACHE_GROUP PKG_USERS_VARS+= APACHE_USER PKG_SYSCONFVAR= apache PKG_SYSCONFSUBDIR?= httpd EGDIR= ${PREFIX}/share/examples/httpd SBINDIR= ${PREFIX}/sbin CONF_FILES+= ${EGDIR}/httpd.conf ${PKG_SYSCONFDIR}/httpd.conf .for f in autoindex dav default info languages manual mpm \ multilang-errordoc ssl userdir vhosts CONF_FILES+= ${EGDIR}/extra/httpd-${f}.conf \ ${PKG_SYSCONFDIR}/httpd-${f}.conf .endfor CONF_FILES+= ${EGDIR}/magic ${PKG_SYSCONFDIR}/magic CONF_FILES+= ${EGDIR}/mime.types ${PKG_SYSCONFDIR}/mime.types RCD_SCRIPTS= apache REQD_DIRS= ${PREFIX}/share/httpd REQD_DIRS+= ${PREFIX}/share/httpd/htdocs OWN_DIRS= ${VARBASE}/log/httpd OWN_DIRS+= ${VARBASE}/db/httpd OWN_DIRS_PERMS+= ${VARBASE}/db/httpd/proxy ${APACHE_USER} ${APACHE_GROUP} 0755 FIX_PERMS= apachectl apxs dbmmanage envvars-std mkcert FIX_MAN_PERMS= man1/htdbm.1 man1/htpasswd.1 man1/htdigest.1 FIX_MAN_PERMS+= man1/dbmmanage.1 man8/httpd.8 man8/suexec.8 FIX_MAN_PERMS+= man8/rotatelogs.8 man1/logresolve.1 man1/apxs.1 FIX_MAN_PERMS+= man8/apachectl.8 man1/ab.1 man1/httxt2dbm.1 # Fix paths in the apache manpages. SUBST_CLASSES+= man SUBST_STAGE.man= post-patch SUBST_FILES.man= docs/man/*.1 docs/man/*.8 SUBST_SED.man= -e 's,/usr/local/etc/apache,${PKG_SYSCONFDIR},' SUBST_SED.man+= -e 's,/path/to/apache/etc,${PKG_SYSCONFDIR},' SUBST_SED.man+= -e 's,/usr/local/apache2,${PREFIX}/share/httpd/htdocs,' SUBST_SED.man+= -e 's,/usr/web,${PREFIX}/share/httpd/htdocs,' SUBST_CLASSES+= paths SUBST_STAGE.paths= pre-configure SUBST_FILES.paths= config.layout Makefile.in support/apxs.in SUBST_SED.paths= -e "s|@PREFIX@|${PREFIX}|g" SUBST_SED.paths+= -e "s|@VARBASE@|${VARBASE}|g" SUBST_SED.paths+= -e "s|@SYSCONFDIR@|${PKG_SYSCONFDIR}|g" SUBST_SED.paths+= -e "s|@PAX@|${PAX}|g" SUBST_SED.paths+= -e "s|@LOCALBASE@|${LOCALBASE}|g" SUBST_MESSAGE.paths= Fixing paths. SUBST_CLASSES+= apr-lt SUBST_STAGE.apr-lt= post-configure SUBST_FILES.apr-lt= build/config_vars.mk SUBST_SED.apr-lt= -e 's|^\(LIBTOOL =\) [^ ]*|\1 $$(SHELL) $$(top_builddir)/build/libtool|g' SUBST_MESSAGE.apr-lt= Fixing libtool references. SUBST_CLASSES+= confs SUBST_STAGE.confs= post-configure SUBST_MESSAGE.confs= Fixing configuration files. SUBST_FILES.confs= docs/conf/httpd.conf SUBST_FILES.confs+= docs/conf/extra/httpd-ssl.conf SUBST_SED.confs= -e "s|${EGDIR}|${PKG_SYSCONFDIR}|g" SUBST_SED.confs+= -e "s|${PREFIX}/htdocs|${PREFIX}/share/httpd/htdocs|g" SUBST_SED.confs+= -e "s|${PREFIX}/conf|${PKG_SYSCONFDIR}|g" SUBST_SED.confs+= -e "s|logs/|${VARBASE}/log/httpd/|g" SUBST_SED.confs+= -e 's|/var/log/httpd/foo\.log|logs/foo.log/|g' SUBST_SED.confs+= -e 's|^\(User[ ]\).*|\1${APACHE_USER}|g' SUBST_SED.confs+= -e 's|^\(Group[ ]\).*|\1${APACHE_GROUP}|g' SUBST_SED.confs+= -e 's|^Listen \(.*\)|Listen 0.0.0.0:\1|g' # abs_srcdir in config_vars.mk is used during install so needs to reference # the work dir path, and by other packages such as ap2-fastcgi after install, # so we fix after install to reference the installed path SUBST_CLASSES+= abs_srcdir SUBST_STAGE.abs_srcdir= post-install SUBST_FILES.abs_srcdir= ${DESTDIR}${PREFIX}/share/httpd/build/config_vars.mk SUBST_SED.abs_srcdir= -e 's|^\(abs_srcdir =\) .*|\1 ${PREFIX}/share/httpd|' SUBST_MESSAGE.abs_srcdir= Fixing abs_srcdir REPLACE_PERL= docs/cgi-examples/printenv # Add dependencies for the modules that will be built. For each module # ap_mod listed in ${APACHE_MODULES}, _AP_DEPENDS.ap_mod is a whitespace # separated list of dependencies or buildlink3.mk files needed to build # ap_mod, and _AP_CFG_ARGS.ap_mod is a whitespace separated list of # configure script options for ap_mod. # AP_DEPENDS.ssl= ../../security/openssl/buildlink3.mk AP_DEPENDS.deflate= ../../devel/zlib/buildlink3.mk AP_CFG_ARGS.ssl= --with-ssl=${BUILDLINK_PREFIX.openssl} AP_CFG_ARGS.deflate= --with-z=${BUILDLINK_PREFIX.zlib} #.if ${APACHE_MODULES} == "all-shared" .if !empty(PKG_OPTIONS:Mapache-shared-modules) . include "${AP_DEPENDS.ssl}" . include "${AP_DEPENDS.deflate}" CONFIGURE_ARGS+= ${AP_CFG_ARGS.ssl} ${AP_CFG_ARGS.deflate} .else . for ap_mod in ${APACHE_MODULES} . if defined(AP_DEPENDS.${ap_mod}) && !empty(AP_DEPENDS.${ap_mod}) . for ap_depend in ${AP_DEPENDS.${ap_mod}} . if exists(${ap_depend}) . include "${ap_depend}" . else DEPENDS+= ${ap_depend} . endif . endfor . endif . if defined(AP_CFG_ARGS.${ap_mod}) && !empty(AP_CFG_ARGS.${ap_mod}) CONFIGURE_ARGS+= ${AP_CFG_ARGS.${ap_mod}} . endif . endfor .endif post-extract: ${TOUCH} ${WRKSRC}/build/libtool ${ECHO} "" >> ${WRKSRC}/docs/conf/extra/httpd-languages.conf.in post-build: ${SED} "s#@PKG_SYSCONFDIR@#${PKG_SYSCONFDIR}#g" \ < ${FILESDIR}/mkcert.sh > ${WRKDIR}/mkcert INSTALL_TARGET= install-conf install INSTALL_MAKE_FLAGS+= sysconfdir="${EGDIR}" post-install: ${LN} -sf ${LOCALBASE}/libexec/apr/libtool ${DESTDIR}${PREFIX}/share/httpd/build ${LN} -sf ${SBINDIR}/envvars-std ${DESTDIR}${SBINDIR}/envvars ${INSTALL_SCRIPT} ${WRKDIR}/mkcert ${DESTDIR}${PREFIX}/sbin for file in ${FIX_PERMS}; do \ ${CHOWN} ${BINOWN}:${BINGRP} ${DESTDIR}${PREFIX}/sbin/$$file && \ ${CHMOD} ${BINMODE} ${DESTDIR}${PREFIX}/sbin/$$file; \ done ${CHOWN} -RP ${BINOWN}:${BINGRP} ${DESTDIR}${PREFIX}/share/httpd ${CHOWN} -RP ${BINOWN}:${BINGRP} ${DESTDIR}${PREFIX}/include/httpd ${CHOWN} -RP ${BINOWN}:${BINGRP} ${DESTDIR}${PREFIX}/lib/httpd ${CHOWN} ${BINOWN}:${BINGRP} ${DESTDIR}${PREFIX}/libexec/cgi-bin/test-cgi ${CHOWN} ${BINOWN}:${BINGRP} ${DESTDIR}${PREFIX}/libexec/cgi-bin/printenv for file in ${FIX_MAN_PERMS}; do \ ${CHOWN} ${MANOWN}:${MANGRP} ${DESTDIR}${PREFIX}/${PKGMANDIR}/$$file; \ done ${CHMOD} -x ${DESTDIR}${PREFIX}/sbin/envvars-std ${TEST} ! -f ${DESTDIR}${PREFIX}/sbin/suexec || ${CHMOD} -w ${DESTDIR}${PREFIX}/sbin/suexec .include "../../mk/pthread.buildlink3.mk" .include "../../mk/bsd.pkg.mk"