Pullup ticket 277 - requested by Matthias Scheler

2005-02-10T15:22:24Z

security fix for apache2 Revisions pulled up: - pkgsrc/devel/apr/Makefile 1.31 - pkgsrc/devel/apr/distinfo 1.11 - pkgsrc/www/apache2/Makefile 1.66 (merged by hand) - pkgsrc/www/apache2/Makefile.common 1.13 - pkgsrc/www/apache2/PLIST 1.27 - pkgsrc/www/apache2/distinfo 1.36 (merged by hand) - pkgsrc/www/apache2/patches/patch-aa 1.14 - pkgsrc/www/apache2/patches/patch-as removed - pkgsrc/www/apache2/patches/patch-at removed Module Name: pkgsrc Committed By: tron Date: Wed Feb 9 14:52:12 UTC 2005 Modified Files: pkgsrc/devel/apr: Makefile distinfo Log Message: Update "apr" package to version 0.9.6.2.0.53. Changes since version 0.9.5.2.0.52: - Add apr_threadattr_stacksize_set() for overriding the default stack size for threads created by apr_thread_create(). - Add an RPM spec file. - Add a build script to create a solaris package. --- Module Name: pkgsrc Committed By: tron Date: Wed Feb 9 14:57:52 UTC 2005 Modified Files: pkgsrc/www/apache2: Makefile Makefile.common PLIST distinfo pkgsrc/www/apache2/patches: patch-aa Removed Files: pkgsrc/www/apache2/patches: patch-as patch-at Log Message: Update "apache2" package to version 2.0.53. Changes since version 2.0.52: - Fix --with-apr=/usr and/or --with-apr-util=/usr. Bug report 29740. [Max Bowsher ] - mod_proxy: Fix ProxyRemoteMatch directive. Bug report 33170. [Rici Lake ] - mod_proxy: Respect errors reported by pre_connection hooks. [Jeff Trawick] - --with-module can now take more than one module to be statically linked: --with-module=:,:,... If the -subdirectory doesn't exist it will be created and populated with a standard Makefile.in. [Erik Abele] - Fix the RPM spec file so that an RPM build now works. An RPM build now requires system installations of APR and APR-util. Remove some arbitrary moving around of binaries - the RPM now maps to the ASF build of httpd. [Graham Leggett] - mod_dumpio, an I/O logging/dumping module, added to the modules/expermimental subdirectory. [Jim Jagielski] - mod_auth_ldap: Handle the inconsistent way in which the MS LDAP library handles special characters. Bug report 24437. [Jess Holle] - Win32 MPM: Correct typo in debugging output. [William Rowe] - conf: Remove AddDefaultCharset from the default configuration because setting a site-wide default does more harm than good. Bug report 23421. [Roy Fielding] - Add charset to example CGI scripts. [Roy Fielding] - mod_ssl: fail quickly if SSL connection is aborted rather than making many doomed ap_pass_brigade calls. Bug report 32699. [Joe Orton] - Remove compiled-in upper limit on LimitRequestFieldSize. [Bill Stoddard] - Start keeping track of time-taken-to-process-request again for mod_status if ExtendedStatus is enabled. [Jim Jagielski] - mod_proxy: Handle client-aborted connections correctly. Bug report 32443. [Janne Hietamäki, Joe Orton] - Fix handling of files >2Gb on all platforms (or builds) where apr_off_t is larger than apr_size_t. Bug report 28898. [Joe Orton] - mod_include: Fix bug which could truncate variable expansions of N*64 characters by one byte. Bug report 32985. [Joe Orton] - Correct handling of certain bucket types in ap_save_brigade, fixing possible segfaults in mod_cgi with #include virtual. Bug report 31247. [Joe Orton] - Allow for the use of --with-module=foo:bar where the ./modules/foo directory is local only. Assumes, of course, that the required files are in ./modules/foo, but makes it easier to statically build/log "external" modules. [Jim Jagielski] - Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that ldap authorization only modules have access to the util_ldap user cache without having to require ldap authentication as well. Bug report 31898. [Jari Ahonen jah progress.com, Brad Nicholes] - mod_auth_ldap: Added the directive "Requires ldap-attribute" that allows the module to only authorize a user if the attribute value specified matches the value of the user object. Bug report 31913 [Ryan Morgan ] - SECURITY: CAN-2004-0942 (cve.mitre.org) Fix for memory consumption DoS in handling of MIME folded request headers. [Joe Orton] - SECURITY: CAN-2004-0885 (cve.mitre.org) mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be bypassed during an SSL renegotiation. Bug report 31505. [Hartmut Keil , Joe Orton] - mod_ssl: Fail at startup rather than segfault at runtime if a client cert is configured with an encrypted private key. Bug report 24030. [Joe Orton] - apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". Bug report 31448 [Joe Orton] - mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d. [Jeff Trawick] - mod_cache: CacheDisable will only disable the URLs it was meant to disable, not all caching. Bug report 31128. [Edward Rudd , Paul Querna] - mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale cache responses. [Justin Erenkrantz] - mod_rewrite: Handle per-location rules when r->filename is unset. Previously this would segfault or simply not match as expected, depending on the platform. [Jeff Trawick] - mod_rewrite: Fix 0 bytes write into random memory position. Bug report 31036. [André Malo] - mod_disk_cache: Do not store aborted content. Bug report 21492. [Rüdiger Plüm ] - mod_disk_cache: Correctly store cached content type. Bug report 30278. [Rüdiger Plüm ] - mod_ldap: prevent the possiblity of an infinite loop in the LDAP statistics display. Bug report 29216. [Graham Leggett] - mod_ldap: fix a bogus error message to tell the user which file is causing a potential problem with the LDAP shared memory cache. Bug report 31431 [Graham Leggett] - mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz] - Fix the re-linking issue when purging elements from the LDAP cache Bug report 24801. [Jess Holle ] - mod_disk_cache: Fix races in saving responses. [Justin Erenkrantz] - Fix Expires handling in mod_cache. [Justin Erenkrantz] - Alter mod_expires to run at a different filter priority to allow proper Expires storage by mod_cache. [Justin Erenkrantz]

- Bump to nb5 to specifically address a new apache vuln:

2004-12-18T08:42:12Z

http://issues.apache.org/bugzilla/show_bug.cgi?id=31505 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885 - Changes backported from apache CVS HEAD: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.110&r2=1.111 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_init.c?r1=1.128&r2=1.129

Classes must be appended to SUBST_CLASSES.

2004-12-07T22:25:50Z

Modify the apxs(8) script to use ${APR_LIBTOOL} as the libtool to

2004-11-30T23:21:43Z

build modules if APR_LIBTOOL is defined in the environment. Force the use of the libtool wrapper by module packages by setting APR_LIBTOOL in apache2/buildlink3.mk. Bump the PKGREVISION.

Pass DL_* flags to the compiler when linking httpd since it dlopens

2004-11-26T23:07:58Z

shared modules. Bump the PKGREVISION.

There are additional headers installed if APACHE_MPM == "worker".

2004-11-24T07:39:50Z

Handle this with the usual PLIST_SUBST magic.

buildlink3.mk files should be included outside of the multiple inclusion

2004-11-23T20:17:55Z

protected region (see mk/buildlink3/bsd.buildlink.mk).

We don't need to check for APR_USE_* or generate our own _APR_OPTIONS

2004-11-23T00:37:04Z

variable since the apr/buildlink3.mk file does the right thing for us already; we simply need to include it and check the value of PKG_OPTIONS.apr.

* Create APACHE_MPM variable that can be either "prefork" or "worker"

2004-11-22T22:52:53Z

(defaulting to "prefork") that chooses the multi-processing model for apache to handle requests. "Prefork" is the method used by Apache-1.3, which is non-threaded. "Worker" uses threads to handle requests. * Fix libtool usage in this package. Apache uses libtool, but is hardcoded to use the libtool installed by devel/apr. Patch the generated makefile fragment to use a local libtool instead, and allow the usual libtool wrapper to take its place.

Convert to use bsd.options.mk: APACHE_SUEXEC is now the "suexec" option.

2004-11-22T20:25:26Z

pkgsrc/www/apache2, branch pkgsrc_2004Q4