The NetBSD Project

CVS log for pkgsrc/www/apache24/distinfo

[BACK] Up to [cvs.NetBSD.org] / pkgsrc / www / apache24

Request diff between arbitrary revisions


Default branch: MAIN
Current tag: pkgsrc-2019Q1


Revision 1.39.2.1 / (download) - annotate - [select for diffs], Wed Apr 10 09:31:27 2019 UTC (2 months, 1 week ago) by bsiegert
Branch: pkgsrc-2019Q1
Changes since 1.39: +5 -5 lines
Diff to previous 1.39 (colored) next main 1.40 (colored)

Pullup ticket #5930 - requested by taca
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.77
- www/apache24/PLIST                                            1.28
- www/apache24/distinfo                                         1.40

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Tue Apr  2 07:25:38 UTC 2019

   Modified Files:
   	pkgsrc/www/apache24: Makefile PLIST distinfo

   Log Message:
   apache24: updated to 2.4.39

   Changes with Apache 2.4.39

   *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
      connection is recycled/reused to avoid a possible crash with some SSLProxy
      configurations in <Location> or <Proxy> context.

   *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.

   *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host

   *) mod_socache_redis: Support for Redis as socache storage provider.

   *) core: new configuration option 'MergeSlashes on|off' that controls handling of
      multiple, consecutive slash ('/') characters in the path component of the request URL.

   *) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
      in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.

   *) mod_http2: new configuration directive: `H2Padding numbits` to control
      padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
      controlling the range of padding bytes added to a frame. The actual number
      added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE
      frames equally. The default continues to be 0, e.g. no padding.

   *) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
      has no more need for it. Optional functions are still declared but no longer implemented.
      While previous mod_proxy_http2 will work with this, it is recommeneded to run the matching
      versions of both modules.

   *) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
      resolve bug 63170. The proxy module does now a single h2 request on the (reused)
      connection and returns.

   *) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status
      to trigger immediate shutdown of backend connections. This is now always signalled
      by mod_http2 when the the session is being released.
      proxy_http2 now only sends a PING frame to the backend when there is not already one
      in flight.

   *) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite
      loop when encountering certain errors on the backend connection.

   *) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per
      Location/Directory, e.g. disabling PUSH for a specific set of resources.

   *) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to
      terminate improperly and cause a HTTP/2 PROTOCOL_ERROR.

   *) http: Fix possible empty response with mod_ratelimit for HEAD requests.

   *) mod_cache_socache: Avoid reallocations and be safe with outgoing data
      lifetime.

   *) MPMs unix: bind the bucket number of each child to its slot number, for a
      more efficient per bucket maintenance.

   *) mod_auth_digest: Fix a race condition. Authentication with valid
      credentials could be refused in case of concurrent accesses from
      different users.

   *) mod_http2: enable re-use of slave connections again. Fixed slave connection
      keepalives counter.

   *) mod_reqtimeout: Allow to configure (TLS-)handshake timeouts.

   *) mod_proxy_wstunnel: Fix websocket proxy over UDS.

   *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
      configuration (SSLFIPS on) and not active by default in OpenSSL.

Revision 1.39 / (download) - annotate - [select for diffs], Wed Jan 23 12:04:18 2019 UTC (4 months, 3 weeks ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base
Branch point for: pkgsrc-2019Q1
Changes since 1.38: +5 -5 lines
Diff to previous 1.38 (colored)

apache24: updated to 2.4.38

Changes with Apache 2.4.38
*) SECURITY: CVE-2018-17199 (cve.mitre.org)
   mod_session: mod_session_cookie does not respect expiry time allowing
   sessions to be reused.
*) SECURITY: CVE-2018-17189 (cve.mitre.org)
   mod_http2: fixes a DoS attack vector. By sending slow request bodies
   to resources not consuming them, httpd cleanup code occupies a server
   thread unnecessarily. This was changed to an immediate stream reset
   which discards all stream state and incoming data.
*) SECURITY: CVE-2019-0190 (cve.mitre.org)
   mod_ssl: Fix infinite loop triggered by a client-initiated
   renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
   later.
*) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
*) mod_negotiation: Treat LanguagePriority as case-insensitive to match
   AddLanguage behavior and HTTP specification.
*) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
   have been fixed.
*) mod_setenvif: We can have expressions that become true if a regex pattern
   in the expression does NOT match. In this case val is NULL
   and we should just set the value for the environment variable
   like in the pattern case.
*) mod_session: Always decode session attributes early.
*) core: Incorrect values for environment variables are substituted when
   multiple environment variables are specified in a directive.
*) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
   this type of map is present in the configuration.
*) mod_dav: Fix invalid Location header when a resource is created by
   passing an absolute URI on the request line
*) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
*) mod_ssl: clear *SSL errors before loading certificates and checking
   afterwards. Otherwise errors are reported when other SSL using modules
   are in play.
*) mod_ssl: Fix the error code returned in an error path of
   'ssl_io_filter_handshake()'. This messes-up error handling performed
   in 'ssl_io_filter_error()'
*) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
   authz provider so "Require ssl" works correctly in HTTP/2.
*) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
   redirects, subsequent ProxyPassReverse statements, whether they are
   relative or absolute, may fail.
*) mod_lua: Now marked as a stable module

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>