The NetBSD Project

CVS log for pkgsrc/www/apache24/distinfo

[BACK] Up to [cvs.NetBSD.org] / pkgsrc / www / apache24

Request diff between arbitrary revisions


Default branch: MAIN
Current tag: pkgsrc-2018Q4


Revision 1.38.2.1 / (download) - annotate - [select for diffs], Tue Jan 29 13:58:59 2019 UTC (8 months, 2 weeks ago) by bsiegert
Branch: pkgsrc-2018Q4
Changes since 1.38: +5 -5 lines
Diff to previous 1.38 (colored) next main 1.39 (colored)

Pullup ticket #5903 - requested by taca
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.76
- www/apache24/distinfo                                         1.39

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Wed Jan 23 12:04:18 UTC 2019

   Modified Files:
   	pkgsrc/www/apache24: Makefile distinfo

   Log Message:
   apache24: updated to 2.4.38

   Changes with Apache 2.4.38
   *) SECURITY: CVE-2018-17199 (cve.mitre.org)
      mod_session: mod_session_cookie does not respect expiry time allowing
      sessions to be reused.
   *) SECURITY: CVE-2018-17189 (cve.mitre.org)
      mod_http2: fixes a DoS attack vector. By sending slow request bodies
      to resources not consuming them, httpd cleanup code occupies a server
      thread unnecessarily. This was changed to an immediate stream reset
      which discards all stream state and incoming data.
   *) SECURITY: CVE-2019-0190 (cve.mitre.org)
      mod_ssl: Fix infinite loop triggered by a client-initiated
      renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
      later.
   *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
   *) mod_negotiation: Treat LanguagePriority as case-insensitive to match
      AddLanguage behavior and HTTP specification.
   *) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
      have been fixed.
   *) mod_setenvif: We can have expressions that become true if a regex pattern
      in the expression does NOT match. In this case val is NULL
      and we should just set the value for the environment variable
      like in the pattern case.
   *) mod_session: Always decode session attributes early.
   *) core: Incorrect values for environment variables are substituted when
      multiple environment variables are specified in a directive.
   *) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
      this type of map is present in the configuration.
   *) mod_dav: Fix invalid Location header when a resource is created by
      passing an absolute URI on the request line
   *) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
   *) mod_ssl: clear *SSL errors before loading certificates and checking
      afterwards. Otherwise errors are reported when other SSL using modules
      are in play.
   *) mod_ssl: Fix the error code returned in an error path of
      'ssl_io_filter_handshake()'. This messes-up error handling performed
      in 'ssl_io_filter_error()'
   *) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
      authz provider so "Require ssl" works correctly in HTTP/2.
   *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
      redirects, subsequent ProxyPassReverse statements, whether they are
      relative or absolute, may fail.
   *) mod_lua: Now marked as a stable module

Revision 1.38 / (download) - annotate - [select for diffs], Wed Oct 24 10:08:00 2018 UTC (11 months, 3 weeks ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base
Branch point for: pkgsrc-2018Q4
Changes since 1.37: +5 -5 lines
Diff to previous 1.37 (colored)

apache24: updated to 2.4.37

Changes with Apache 2.4.37

  *) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1.

  *) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
     when client certificates are available from the original handshake
     but were originally not verified and should get verified now.
     This is a regression in 2.4.36 (unreleased).

  *) mod_ssl: Correctly merge configurations that have client certificates set
     by SSLProxyMachineCertificate{File|Path}.

Changes with Apache 2.4.36

  *) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
     responses. Regression introduced in 2.4.35.

  *) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
     body of the response.

  *) mod_http2: adding defensive code for stream EOS handling, in case the request handler
     missed to signal it the normal way (eos buckets).

  *) ab: Add client certificate support.

  *) ab: Disable printing temp key for OpenSSL before
     version 1.0.2. SSL_get_server_tmp_key is not available
     there.

  *) mod_ssl: Fix a regression that the configuration settings for verify mode
     and verify depth were taken from the frontend connection in case of
     connections by the proxy to the backend.

  *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
     before signals handling to avoid lifetime issues on restart or shutdown.

  *) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3.  TLSv1.3 has
     behavioural changes compared to v1.2 and earlier; client and
     configuration changes should be expected.  SSLCipherSuite is
     enhanced for TLSv1.3 ciphers, but applies at vhost level only.

  *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
     should be accepted after the authorization scheme. \t are also tolerated.

  *) mod_proxy_hcheck: Fix issues with interval determination.

  *) mod_proxy_hcheck: Fix issues with TCP health checks.

  *) mod_proxy_hcheck: take balancer's SSLProxy* directives into account.

  *) mod_status, mod_echo: Fix the display of client addresses.
    They were truncated to 31 characters which is not enough for IPv6 addresses.
    This is done by deprecating the use of the 'client' field and using
    the new 'client64' field in worker_score.

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>