| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
- s/USE_APACHE= 20+/USE_APACHE= 22+/
- unify s/YES/yes/
- cleanup APACHE_VERSION <= 22 usage
- add entry to MOVED
with hat apache@
|
| |
|
|
| |
Add (vendor) patch for deprecated pcre_info()
|
| |
|
|
|
|
|
|
|
|
|
| |
literal name_enable wherever possible, and ${name}_enable
when it's not, to prepare for the demise of set_rcvar().
In cases where I had to hand-edit unusual instances also
modify formatting slightly to be more uniform (and in
some cases, correct). This includes adding some $FreeBSD$
tags, and most importantly moving rcvar= to right after
name= so it's clear that one is derived from the other.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- normalize patch-pcre.diff into makepatch format
- All 4 CVE patches are included upstream and part of 2.0.64
- part of the local apxs.in changes are upstream now too
- some patches were regenerated for offset updates
** There is NO security update here. **
Changes: http://www.apache.org/dist/httpd/CHANGES_2.0
With Hat: apache@
<ChangeLog>
*) SECURITY: CVE-2010-1452 (cve.mitre.org)
mod_dav: Fix Handling of requests without a path segment.
PR: 49246 [Mark Drayton, Jeff Trawick]
*) SECURITY: CVE-2009-1891 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects. PR 39605.
[Joe Orton, Ruediger Pluem]
*) SECURITY: CVE-2009-3095 (cve.mitre.org)
mod_proxy_ftp: sanity check authn credentials.
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
*) SECURITY: CVE-2009-3094 (cve.mitre.org)
mod_proxy_ftp: NULL pointer dereference on error paths.
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
attack when compiled against OpenSSL version 0.9.8m or later. Introduces
the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
and offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol, RFC 5746.
[Joe Orton, and with thanks to the OpenSSL Team]
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
for OpenSSL versions prior to 0.9.8l; reject any client-initiated
renegotiations. Forcibly disable keepalive for the connection if there
is any buffered data readable. Any configuration which requires
renegotiation for per-directory/location access control is still
vulnerable, unless using openssl 0.9.8l or later.
[Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>,
Rainer Jung]
*) SECURITY: CVE-2010-0434 (cve.mitre.org)
Ensure each subrequest has a shallow copy of headers_in so that the
parent request headers are not corrupted. Elimiates a problematic
optimization in the case of no request body. PR 48359
[Jake Scott, William Rowe, Ruediger Pluem]
*) SECURITY: CVE-2008-2364 (cve.mitre.org)
mod_proxy_http: Better handling of excessive interim responses
from origin server to prevent potential denial of service and high
memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
Joe Orton, Jim Jagielski]
*) SECURITY: CVE-2010-0425 (cve.mitre.org)
mod_isapi: Do not unload an isapi .dll module until the request
processing is completed, avoiding orphaned callback pointers.
[Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
*) SECURITY: CVE-2008-2939 (cve.mitre.org)
mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
*) Fix recursive ErrorDocument handling. PR 36090 [Chris Darroch]
*) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton]
*) Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass
through on a 304 response. [Nick Kew]
*) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
[Philip M. Gollucci]
</ChangeLog>
|
| |
|
|
|
|
|
| |
- This is a non default option in the compile so no PORTREVISION bump
Reported by: henrik@iaeste.dk
With Hat: apache@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[http://svn.apache.org/viewvc?view=revision&revision=153384]
Essentially this internalizes the pcre POSIX API in the ap_ namespace.
Thus fixing the use of an external pcre library and hence mod_redirect
and other consumers.
- This includes an MMN bump which means you will need to recompile all your
modules. With ports this will happen when you upgrade via portmaster or
portupgrade. If you have any modules outside of ports they will need to
be recompiled too.
- There is a small chance you will need to change some of your custom modules
to adapt to the ap_regex_t and ap_regmatch_t api changes.
- For security, speed, maintenance, and simplification in the ports/ framework
this route was chosen instead of reverting the devel/pcre change in 2.0.63_4.
PR: ports/146604
Reported by: Stefan Bethke <stb@lassitu.de>, serveral on ports@, apache@
With Hat: apache@
|
| |
|
|
|
|
|
| |
to ports apr.
Reported by: pav via pointyhat
With Hat: apache@
|
| |
|
|
| |
With Hat: apache@
|
| |
|
|
|
|
| |
Patches to devel/apr0 are welcome, send-pr.
With Hat: apache@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
login.conf(5). This is probably because resource limitations are handled
differently on various different platforms.
This modifies suexec behaviour to set resource limits for CGI's
from /etc/login.conf before execing the customers CGI script.
Doesn't affect default package, so no PORTREVISION bumps.
I will follow up at dev@httpd.apache.org to see about adding this
with #ifdefs.
PR: ports/136928
Submitted by: Alexey V.Degtyarev <alexey@renatasystems.org>
With Hat: apache@
|
| |
|
|
|
|
|
| |
- Rename rc.d script apache2.sh -> apache2
- Bump PORTREVISION
With Hat: apache@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Fix the openssl from ports flag
- Bump PORTREVISION
- Also patch 2 more CVEs
*) SECURITY: CVE-2010-0434 (cve.mitre.org)
Ensure each subrequest has a shallow copy of headers_in so that the
parent request headers are not corrupted. Elimiates a problematic
optimization in the case of no request body. PR 48359
[Jake Scott, William Rowe, Ruediger Pluem]
*) SECURITY: CVE-2008-2364 (cve.mitre.org)
mod_proxy_http: Better handling of excessive interim responses
from origin server to prevent potential denial of service and high
memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
Joe Orton, Jim Jagielski]
PR: ports/146389 [1]
Submitted by: several [1]
With Hat: apache@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This will fix about 100 pkg-plist left overs for httpd.conf
apxs -A comments out the LoadModule line
This adds custom FreeBSD mod to 'DELETE' the line so that it works with
our pkg-plists in packages.
- Remove -s form the cmp httpd.conf in pkg-plist to be blatant about why
it didn't get removed
- Bump PORTREVISION
- This will be in 2.0.64
PR: ports/133704
Obtained from: http://svn.apache.org/viewvc?rev=942211&view=rev
Reported by: olli hauer <ohauer@gmx.de> (and very good pr!)
With Hat: apache@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
--with-ldap switches on LDAP library linking in apr-util
--enable-ldap option switches on the LDAP caching module
--enable-auth-ldap option switches on the LDAP authentication module
also apply a custom patch to fix the linking
- add a missing quote to OPTIONS desc
- ldap is not in the default package, so no PORTREVISION bump
PR: ports/128079
Reported by: koitsu, skreuzer
With Hat: apache@
|
| |
|
|
|
|
|
|
| |
to www/apache20 as well.
PR: ports/140357
Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
With Hat: apache@
|
| |
|
|
|
|
|
|
|
|
| |
0) its like 7yrs old
0) the new version have speed,bug,&security fixes
0) www/apache22 already does this
0) www/apache23+ no longer bundle pcre [or apr* for that matter]
- Bump PORTREVISION
With Hat: apache@
|
| |
|
|
|
|
| |
apply this patch. [Note, they are different revisions]
With Hat: apache@
|
| |
|
|
|
|
|
| |
piled up and additional patches conflict.
This also will help when we try to syncronize www/apache20&www/apache22
With Hat: apache@
|
| |
|
|
|
|
|
|
|
| |
duplicated from www/apache22 and devel/apr
Originally:
PR: ports/13876 [based on]
Submitted by: Mel Flynn <mel@rachie.is-a-geek.net>
With Hat: apache@
|
| |
|
|
|
|
|
|
|
|
|
| |
- No PORTREVISION bump [security/openssl is not the default]
PR: ports/146218
Submitted by: Kazuo Dohzono <dohzono@axion-software.com>
Obtained from: http://mail-index.netbsd.org/pkgsrc-users/2009/08/25/msg010537.html
With Hat: apache@
[I will contemplate sending this back to dev@httpd for branches/2.0.x for 2.0.64]
|
| |
|
|
| |
With Hat: apache@
|
| |
|
|
| |
Approved by: pgolluci
|
| |
|
|
| |
s#. %%RC_SUBR%%#. /etc/rc.subr#
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-Update libtool and libltdl to 2.2.6a.
-Remove devel/libtool15 and devel/libltdl15.
-Fix ports build with libtool22/libltdl22.
-Bump ports that depend on libltdl22 due to shared library version change.
-Explain what to do update in the UPDATING.
It has been tested with GNOME2, XFCE4, KDE3, KDE4 and other many wm/desktop
and applications in the runtime.
With help: marcus and kwm
Pointyhat-exp: a few times by pav
Tested by: pgollucci, "Romain Tartière" <romain@blogreen.org>, and
a few MarcusCom CVS users. Also, I might have missed a few.
Repocopy by: marcus
Approved by: portmgr
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
propogated by copy and paste.
1. Primarily the "empty variable" default assignment, which is mostly
${name}_flags="", but fix a few others as well.
2. Where they are not already documented, add the existence of the _flags
(or other deleted empties) option to the comments, and in some cases add
comments from scratch.
3. Replace things that look like:
prefix=%%PREFIX%%
command=${prefix}/sbin/foo
to just use %%PREFIX%%. In many cases the $prefix variable is only used
once, and in some cases it is not used at all.
4. In a few cases remove ${name}_flags from command_args
5. Remove a long-stale comment about putting the port's rc.d script in
/etc/rc.d (which is no longer necessary).
No PORTREVISION bumps because all of these changes are noops.
|
| |
|
|
|
|
|
| |
Security: http://www.vuxml.org/freebsd/eb9212f7-526b-11de-bbf2-001b77d09812
PR: ports/135310
Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
With Hat: apache
|
| |
|
|
|
|
|
| |
actually breaks profiles.
- Fix CVE-2008-2939 for mod_proxy_ftp
(XSS attacks when using wildcards in the path of the FTP URL)
- Bump PORTREVISION
|
| |
|
|
|
|
|
|
|
|
| |
- move envvars support to the beginning of apache2_checkconfig() to be
sure we're using envvars during configtest [2]
PR: ports/116401 [1],
ports/116329 [2]
Submitted by: kevin brintnall <kbrint@rufus.net> [1],
Ruud Althuizen <ruud@il.fontys.nl>
|
| |
|
|
| |
Noticed by: Oliver Brandmueller <ob at e-Gitt dot NET>
|
| |
|
|
| |
- sync' startup script with www/apache22
|
| |
|
|
|
|
| |
mpm-itk allows you to run each of your vhost under a separate UID and GID
WWW: http://home.samfundet.no/~sesse/mpm-itk/
- use LD_CONFIG
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All people using mod_rewrite are strongly encouraged to update.
An off-by-one flaw exists in the Rewrite module, mod_rewrite.
Depending on the manner in which Apache httpd was compiled, this
software defect may result in a vulnerability which, in combination
with certain types of Rewrite rules in the web server configuration
files, could be triggered remotely. For vulnerable builds, the nature
of the vulnerability can be denial of service (crashing of web server
processes) or potentially allow arbitrary code execution.
This issue has been rated as having important security impact
by the Apache HTTP Server Security Team
Updates to latest versions will follow soon.
Notified by: so@ (simon)
Obtained from: Apache Security Team
Security: CVE-2006-3747
|
| |
|
|
|
|
| |
apache acts as a proxy.
Reported by: Bjoern Voigt <bjoern@cs.tu-berlin.de>
|
| |
|
|
| |
Pointed out by: Marian Cerny <cerny@icomvision.com>
|
| |
|
|
| |
Spotted by: krion
|
| | |
|
| |
|
|
|
|
|
| |
We have not checked for this KEYWORD for a long time now, so this
is a complete noop, and thus no PORTREVISION bump. Removing it at
this point is mostly for pedantic reasons, and partly to avoid
perpetuating this anachronism by copy and paste to future scripts.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
- remove useless options (and fix thread stuff) [1]
- move print-closest-mirror to bsd.apache.mk
- move threads configure options out of Makefile.modules
- Fix stupid logic to disable v4mapped address [2]
- and more...
Submitted/spotted by: many, Hirohisa Yamaguchi <umq@ueo.co.jp> [1]
ume[2]
PR: ports/91813 [1]
|
| |
|
|
|
|
|
|
|
| |
mod_imap: Escape untrusted referer header before outputting in HTML
to avoid potential cross-site scripting. Change also made to
ap_escape_html so we escape quotes. Reported by JPCERT.
[Mark Cox]
Reported by: simon
|
| | |
|
| |
|
|
|
|
|
| |
normally
PR: ports/86402
Submitted by: Jarrod Sayers <jarrod@netleader.com.au>
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
From Changelog:
*) SECURITY: CAN-2005-2088
core: If a request contains both Transfer-Encoding and Content-Length
headers, remove the Content-Length, mitigating some HTTP Request
Splitting/Spoofing attacks. [Paul Querna, Joe Orton]
- Rename previous patch to CVE ID
- bump PORTREVISION
Security: CAN-2005-2088
Obtained From: Apache repository
|
| |
|
|
| |
Reported by: thierry
|
| | |
|
| |
|
|
| |
It's a little bit experimental, but it works.
|
