<feed xmlns='http://www.w3.org/2005/Atom'>
<title>pkgsrc/www/apache22/PLIST, branch pkgsrc-2011Q3</title>
<subtitle>[no description]</subtitle>
<id>https://git.osdyson.ru/mirror/pkgsrc/atom?h=pkgsrc-2011Q3</id>
<link rel='self' href='https://git.osdyson.ru/mirror/pkgsrc/atom?h=pkgsrc-2011Q3'/>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/'/>
<updated>2011-05-12T06:50:44Z</updated>
<entry>
<title>Update "apache22" package to version 2.2.18. Changes since version 2.2.17:</title>
<updated>2011-05-12T06:50:44Z</updated>
<author>
<name>tron</name>
<email>tron@pkgsrc.org</email>
</author>
<published>2011-05-12T06:50:44Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=df2fe3b15bbcde3433ab032ff507763a9ad98b92'/>
<id>urn:sha1:df2fe3b15bbcde3433ab032ff507763a9ad98b92</id>
<content type='text'>
- Log an error for failures to read a chunk-size, and return 408 instead of
  413 when this is due to a read timeout.  This change also fixes some cases
  of two error documents being sent in the response for the same scenario.
  [Eric Covener] Bug 49167
- core: Only log a 408 if it is no keepalive timeout. Bug 39785
  [Ruediger Pluem,  Mark Montague &lt;markmont umich.edu&gt;]
- core: Treat timeout reading request as 408 error, not 400.
  Log 408 errors in access log as was done in Apache 1.3.x.
  Bug 39785 [Nobutaka Mantani &lt;nobutaka nobutaka.org&gt;, Stefan Fritsch,
  Dan Poirier]
- Core HTTP: disable keepalive when the Client has sent
  Expect: 100-continue
  but we respond directly with a non-100 response.  Keepalive here led
  to data from clients continuing being treated as a new request.
  Bug 47087.  [Nick Kew]
- htpasswd: Change the default algorithm for htpasswd to MD5 on all
  platforms. Crypt with its 8 character limit is not useful anymore;
  improve out of disk space handling (Bug 30877); print a warning if
  a password is truncated by crypt. [Stefan Fritsch]
- mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
  Win32's cscript interpreter can only use a single quote as comment char.
  [Guenter Knauf]
- configure: Fix htpasswd/htdbm libcrypt link errors with some newer
  linkers. [Stefan Fritsch]
- MinGW build improvements.  Bug 49535.  [John Vandenberg
  &lt;jayvdb gmail.com&gt;, Jeff Trawick]
- mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
  [Stefan Fritsch]
- core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
  in request URL path info but not decode them. Bug 35256,
  Bug 46830.  [Dan Poirier]
- mod_rewrite: Allow to unset environment variables. Bug 50746.
  [Rainer Jung]
- suEXEC: Add Suexec directive to disable suEXEC without renaming the
  binary (Suexec Off), or force startup failure if suEXEC is required
  but not supported (Suexec On).  [Jeff Trawick]
- mod_proxy: Put the worker in error state if the SSL handshake with the
  backend fails. Bug 50332.
  [Daniel Ruggeri &lt;DRuggeri primary.net&gt;, Ruediger Pluem]
- prefork: Update MPM state in children during a graceful restart.
  Allow the HTTP connection handling loop to terminate early
  during a graceful restart.  Bug 41743.
  [Andrew Punch &lt;andrew.punch 247realmedia.com&gt;]
- mod_ssl: Correctly read full lines in input filter when the line is
  incomplete during first read. Bug 50481. [Ruediger Pluem]
- mod_autoindex: Merge IndexOptions from server to directory context when
  the directory has no mod_autoindex directives. Bug 47766. [Eric Covener]
- mod_cache: Make sure that we never allow a 304 Not Modified response
  that we asked for to leak to the client should the 304 response be
  uncacheable. Bug 45341 [Graham Leggett]
- mod_dav: Send 400 error if malformed Content-Range header is received for
  a put request (RFC 2616 14.16). Bug 49825. [Stefan Fritsch]
- mod_userdir: Add merging of enable, disable, and filename arguments
  to UserDir directive, leaving enable/disable of userlists unmerged.
  Bug 44076 [Eric Covener]
- core: Honor 'AcceptPathInfo OFF' during internal redirects,
  such as per-directory mod_rewrite substitutions.  Bug 50349.
  [Eric Covener]
- mod_cache: Check the request to determine whether we are allowed
  to return cached content at all, and respect a "Cache-Control:
  no-cache" header from a client. Previously, "no-cache" would
  behave like "max-age=0". [Graham Leggett]
- mod_mem_cache: Add a debug msg when a streaming response exceeds
  MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary
  'memory allocation failed' debug message. Bug 49604. [Eric Covener]
- proxy_connect: Don't give up in the middle of a CONNECT tunnel
  when the child process is starting to exit. Bug 50220. [Eric Covener]</content>
</entry>
<entry>
<title>Make sure that the "suexec" module actually gets built and installed if the</title>
<updated>2010-05-03T20:10:33Z</updated>
<author>
<name>tron</name>
<email>tron@pkgsrc.org</email>
</author>
<published>2010-05-03T20:10:33Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=9e89c5f98c5b2b827b39181e7c9745e22f42a54a'/>
<id>urn:sha1:9e89c5f98c5b2b827b39181e7c9745e22f42a54a</id>
<content type='text'>
package gets built with "apache-shared-modules suexec ..." as the options.
Bump package revision for the benefit of users who previously compiled
the package with these options and don't have the "suexec" module available.

Problem pointed out by Filip Hajny in private e-mail.</content>
</entry>
<entry>
<title>Overhaul option and package list handling:</title>
<updated>2010-04-30T16:30:09Z</updated>
<author>
<name>tron</name>
<email>tron@pkgsrc.org</email>
</author>
<published>2010-04-30T16:30:09Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=9871f93dc65943f8ef2a21d3cff0dcae27f14958'/>
<id>urn:sha1:9871f93dc65943f8ef2a21d3cff0dcae27f14958</id>
<content type='text'>
1.) Add missing modules "mod_proxy_scgi.so" and "mod_reqtimeout.so"
    if the package is built with shared modules enabled.
    This fixes PR pkg/43229 by Ryo HAYASAKA.
2.) Get rid of "PLIST.worker" and use "PLIST_VARS" instead.
3.) Use an option group instead of the "APACHE_MPM" configuration variable
    to configure the worker model.
4.) Enable the "apache-shared-modules" options by default. This provides
    more flexibility and matches the behaviour of a lot of other
    platforms e.g. Solaris or Linux distributions like Ubuntu.

Bump the package revision as the binary package will change by default.</content>
</entry>
<entry>
<title>Update apache22 package to 2.2.15.</title>
<updated>2010-03-09T02:30:15Z</updated>
<author>
<name>taca</name>
<email>taca@pkgsrc.org</email>
</author>
<published>2010-03-09T02:30:15Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=f83cc1fb1b7f7ea95e90b4e90ab69dfd1dcf986e'/>
<id>urn:sha1:f83cc1fb1b7f7ea95e90b4e90ab69dfd1dcf986e</id>
<content type='text'>
For full change information please refer to:
http://www.apache.org/dist/httpd/Announcement2.2.html.

Here are the security-related changes from the ChangeLog
(http://www.apache.org/dist/httpd/CHANGES_2.2.15).


Changes with Apache 2.2.15

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL &gt;= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil &lt;Hartmut.Keil adnovum.ch&gt;]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola &lt;niku.toivola sulake.com&gt;]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni &lt;brettg senseofsecurity.com&gt;, Jeff Trawick]</content>
</entry>
<entry>
<title>remove blank line</title>
<updated>2009-10-30T21:10:57Z</updated>
<author>
<name>christos</name>
<email>christos@pkgsrc.org</email>
</author>
<published>2009-10-30T21:10:57Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=8e8f1339253c4d2cd916b16137084c8698b1276d'/>
<id>urn:sha1:8e8f1339253c4d2cd916b16137084c8698b1276d</id>
<content type='text'>
</content>
</entry>
<entry>
<title>update to 2.2.14; 2.2.13 is gone.</title>
<updated>2009-10-30T21:08:55Z</updated>
<author>
<name>christos</name>
<email>christos@pkgsrc.org</email>
</author>
<published>2009-10-30T21:08:55Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=e8da956d74ff70d0dc532c756640ef8239fb95ea'/>
<id>urn:sha1:e8da956d74ff70d0dc532c756640ef8239fb95ea</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Update "apache22" package to version 2.2.12. Changes since version 2.2.11:</title>
<updated>2009-08-06T07:07:23Z</updated>
<author>
<name>tron</name>
<email>tron@pkgsrc.org</email>
</author>
<published>2009-08-06T07:07:23Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=394ce01d6f854ed0ab44a35bacbabda375b0ac9f'/>
<id>urn:sha1:394ce01d6f854ed0ab44a35bacbabda375b0ac9f</id>
<content type='text'>
- SECURITY: CVE-2009-1891 (cve.mitre.org)
  Fix a potential Denial-of-Service attack against mod_deflate or other
  modules, by forcing the server to consume CPU time in compressing a
  large file after a client disconnects. Bug 39605.
  [Joe Orton, Ruediger Pluem]
- SECURITY: CVE-2009-1195 (cve.mitre.org)
  Prevent the "Includes" Option from being enabled in an .htaccess
  file if the AllowOverride restrictions do not permit it.
  [Jonathan Peatfield &lt;j.s.peatfield damtp.cam.ac.uk&gt;, Joe Orton,
   Ruediger Pluem, Jeff Trawick]
- SECURITY: CVE-2009-1890 (cve.mitre.org)
  Fix a potential Denial-of-Service attack against mod_proxy in a
  reverse proxy configuration, where a remote attacker can force a
  proxy process to consume CPU time indefinitely.  [Nick Kew, Joe Orton]
- SECURITY: CVE-2009-1191 (cve.mitre.org)
  mod_proxy_ajp: Avoid delivering content from a previous request which
  failed to send a request body. Bug 46949 [Ruediger Pluem]
- SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
  The bundled copy of the APR-util library has been updated, fixing three
  different security issues which may affect particular configurations
  and third-party modules.
- mod_include: fix potential segfault when handling back references
  on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
- mod_alias: check sanity in Redirect arguments.
  Bug 44729 [Sönke Tesch &lt;st kino-fahrplan.de&gt;, Jim Jagielski]
- mod_proxy_http: fix Host: header for literal IPv6 addresses.
  Bug 47177 [Carlos Garcia Braschi &lt;cgbraschi gmail.com&gt;]
- mod_rewrite: Remove locking for writing to the rewritelog.
  Bug 46942
- mod_alias: Ensure Redirect emits HTTP-compliant URLs.
  Bug 44020
- mod_proxy_http: fix case sensitivity checking transfer encoding
  Bug 47383 [Ryuzo Yamamoto &lt;ryuzo.yamamoto gmail.com&gt;]
- mod_rewrite: Fix the error string returned by RewriteRule.
  RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
  argument of RewriteRule was not started with "[" or not ended with "]".
  Bug 45082 [Vitaly Polonetsky &lt;m_vitaly topixoft.com&gt;]
- mod_proxy: Complete ProxyPassReverse to handle balancer URL's.  Given;
    BalancerMember balancer://alias http://example.com/foo
    ProxyPassReverse /bash balancer://alias/bar
  backend url http://example.com/foo/bar/that is now translated /bash/that
  [William Rowe]
- New piped log syntax: Use "||process args" to launch the given process
  without invoking the shell/command interpreter.  Use "|$command line"
  (the default behavior of "|command line" in 2.2) to invoke using shell,
  consuming an additional shell process for the lifetime of the logging
  pipe program but granting additional process invocation flexibility.
  [William Rowe]
- mod_ssl: Add server name indication support (RFC 4366) and better
  support for name based virtual hosts with SSL. Bug 34607
  [Peter Sylvester &lt;peter.sylvester edelweb.fr&gt;,
   Kaspar Brand &lt;asfbugz velox.ch&gt;, Guenter Knauf, Joe Orton,
   Ruediger Pluem]
- mod_negotiation: Escape paths of filenames in 406 responses to avoid
  HTML injections and HTTP response splitting.  Bug 46837.
  [Geoff Keating &lt;geoffk apple.com&gt;]
- mod_include: Prevent a case of SSI timefmt-smashing with filter chains
  including multiple INCLUDES filters. Bug 39369 [Joe Orton]
- mod_rewrite: When evaluating a proxy rule in directory context, do
  escape the filename by default. Bug 46428 [Joe Orton]
- mod_proxy_ajp: Check more strictly that the backend follows the AJP
  protocol. [Mladen Turk]
- mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
  to enable stricter checking of remote server certificates.
  [Ruediger Pluem]
- mod_substitute: Fix a memory leak. Bug 44948
  [Dan Poirier &lt;poirier pobox.com&gt;]
- mod_proxy_ajp: Forward remote port information by default.
  [Rainer Jung]
- mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
  directive to correctly remove headers before storing them.
  [Lars Eilebrecht]
- mod_deflate: revert changes in 2.2.8 that caused an invalid
  etag to be emitted for on-the-fly gzip content-encoding.
  Bug 39727 will require larger fixes and this fix was far more
  harmful than the original code. Bug 45023. [Roy T. Fielding]
- mod_disk_cache: The module now turns off sendfile support if
  'EnableSendfile off' is defined globally. Bug 41218.
  [Lars Eilebrecht, Issac Goldstand]
- prefork: Fix child process hang during graceful restart/stop in
  configurations with multiple listening sockets.  Bug 42829.  [Joe Orton,
  Jeff Trawick]
- mod_ssl: Add SSLRenegBufferSize directive to allow changing the
  size of the buffer used for the request-body where necessary
  during a per-dir renegotiation.  Bug 39243.  [Joe Orton]
- mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
  way that per-directory rewrites append the previous notion of PATH_INFO
  to each substitution before evaluating subsequent rules.
  Bug 38642 [Eric Covener]
- mod_authnz_ldap: Reduce number of initialization debug messages and make
  information more clear. Bug 46342 [Dan Poirier]
- mod_cache: Introduce 'no-cache' per-request environment variable
  to prevent the saving of an otherwise cacheable response.
  [Eric Covener]
- core: Translate the status line to ASCII on EBCDIC platforms in
  ap_send_interim_response() and for locally generated "100 Continue"
  responses.  [Eric Covener]
- CGI: return 504 (Gateway timeout) rather than 500 when a script
  times out before returning status line/headers.
  Bug 42190 [Nick Kew]
- prefork: Log an error instead of segfaulting when child startup fails
  due to pollset creation failures.  Bug 46467.  [Jeff Trawick]
- mod_ext_filter: fix error handling when the filter prog fails to start,
  and introduce an onfail configuration option to abort

All the security problems mentioned above had already been fixed in
"pkgsrc" via patches. Thanks a lot to Adam Ciarcinski for letting me
know that the new version had finally been released.</content>
</entry>
<entry>
<title>Convert @exec/@unexec to @pkgdir or drop it.</title>
<updated>2009-06-14T22:00:14Z</updated>
<author>
<name>joerg</name>
<email>joerg@pkgsrc.org</email>
</author>
<published>2009-06-14T22:00:14Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=30e9948198969737329321ae598bb5b6baad3e05'/>
<id>urn:sha1:30e9948198969737329321ae598bb5b6baad3e05</id>
<content type='text'>
</content>
</entry>
<entry>
<title>PkgSrc changes:</title>
<updated>2009-04-14T18:26:34Z</updated>
<author>
<name>sno</name>
<email>sno@pkgsrc.org</email>
</author>
<published>2009-04-14T18:26:34Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=52cd6293c57b1896adabd869a315f63664da4e3c'/>
<id>urn:sha1:52cd6293c57b1896adabd869a315f63664da4e3c</id>
<content type='text'>
  - add entries for ldap related shared modules to PLIST in case
    apr-util is built with ldap
  - PKGREVISION is not bumped, because ldap is not a default option for
    apr-util so it won't change anything in the default case

Reviewed by tron@</content>
</entry>
<entry>
<title>Fix support for non-default options:</title>
<updated>2009-04-08T17:03:25Z</updated>
<author>
<name>tron</name>
<email>tron@pkgsrc.org</email>
</author>
<published>2009-04-08T17:03:25Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=def2e43c4b1dbe2088be83e440d6457daf345ec0'/>
<id>urn:sha1:def2e43c4b1dbe2088be83e440d6457daf345ec0</id>
<content type='text'>
- If option "suexec" is used we must manually build the binary because
  the top level makefile doesn't do that. This fixes PR pkg/41141
  by Anton Blajev.
- Move the handling of the "all-shared" option into "options.mk" and
  don't use a separate package list that will cause failure to remove
  the "lib/httpd" directory on deinstallation.</content>
</entry>
</feed>
