Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
|
|
|
|
on BSD but not on strict POSIX implementations, leading to failures when
building as an unprivileged user in the presence of symlinks.
Fixes recent breakage on SunOS when the '-h' flag was removed for MirBSD.
|
|
MirBSD) says: "The -R and -h options are mutually exclusive."
|
|
|
|
Changes with Apache 2.0.65
*) SECURITY: CVE-2013-1862 (cve.mitre.org)
mod_rewrite: Ensure that client data written to the RewriteLog is
escaped to prevent terminal escape sequences from entering the
log file. [Eric Covener, Jeff Trawick, Joe Orton]
*) SECURITY: CVE-2012-0053 (cve.mitre.org)
Fix an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]
*) SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which could allow an unprivileged child process
to cause the parent to crash at shutdown rather than terminate
cleanly. [Joe Orton]
*) SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations. [Joe Orton]
*) SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Fix handling of byte-range requests to use less memory, to avoid
denial of service. If the sum of all ranges in a request is larger than
the original file, ignore the ranges and send the complete file.
bug#51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem,
Eric Covener, <lowprio20 gmail.com>]
*) SECURITY: CVE-2011-3607 (cve.mitre.org)
Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
is enabled, could allow local users to gain privileges via a .htaccess
file. [Stefan Fritsch, Greg Ames]
NOTE: it remains possible to exhaust all memory using a carefully
crafted .htaccess rule, which will not be addressed in 2.0; enabling
processing of .htaccess files authored by untrusted users is the root
of such security risks. Upgrade to httpd 2.2.25 or later to limit
this specific risk.
*) core: Add MaxRanges directive to control the number of ranges permitted
before returning the entire resource, with a default limit of 200.
[Eric Covener, Rainer Jung]
*) Set 'Accept-Ranges: none' in the case Ranges are being ignored with
MaxRanges none. [Eric Covener, Rainer Jung]
*) mod_rewrite: Allow merging RewriteBase down to subdirectories
if new option 'RewriteOptions MergeBase' is configured.
[Eric Covener]
*) mod_rewrite: Fix the RewriteEngine directive to work within a
location. Previously, once RewriteEngine was switched on globally,
it was impossible to switch off. [Graham Leggett]
*) mod_rewrite: Add "AllowAnyURI" option. bug#52774. [Joe Orton]
*) htdigest: Fix buffer overflow when reading digest password file
with very long lines. bug#54893. [Rainer Jung]
*) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
OpenSSL 0.9.7 flag which uses the server's cipher order rather
than the client's. bug#28665.
[Jim Schneider <jschneid netilla.com>]
*) mod_include: Prevent a case of SSI timefmt-smashing with filter chains
including multiple INCLUDES filters. bug#39369 [Joe Orton]
*) mod_rewrite: When evaluating a proxy rule in directory context, do
escape the filename by default. bug#46428 [Joe Orton]
*) Improve platform detection for bundled PCRE by updating config.guess
and config.sub. [Rainer Jung]
*) ssl-std.conf: Disable AECDH ciphers in example config. bug#51363.
[Rob Stradling <rob comodo com>]
*) ssl-std.conf: Change the SSLCipherSuite default to a shorter,
whitelist oriented definition. [Rainer Jung, Kaspar Brand]
*) ssl-std.conf: Only select old MSIE browsers for the downgrade
in http/https behavior. [Greg Stein, Stefan Fritsch]
|
|
sysutils/user_* packages.
|
|
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
|
|
|
|
|
|
|
|
are called p5-*.
I hope that's all of them.
|
|
Bump PKGREVISION.
|
|
|
|
* SECURITY: CVE-2010-1452 (cve.mitre.org)
mod_dav: Fix Handling of requests without a path segment.
* SECURITY: CVE-2009-1891 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects.
* SECURITY: CVE-2009-3095 (cve.mitre.org)
mod_proxy_ftp: sanity check authn credentials.
* SECURITY: CVE-2009-3094 (cve.mitre.org)
mod_proxy_ftp: NULL pointer dereference on error paths.
* SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
attack when compiled against OpenSSL version 0.9.8m or later. Introduces
the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
and offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol, RFC 5746.
* SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
for OpenSSL versions prior to 0.9.8l; reject any client-initiated
renegotiations. Forcibly disable keepalive for the connection if there
is any buffered data readable. Any configuration which requires
renegotiation for per-directory/location access control is still
vulnerable, unless using openssl 0.9.8l or later.
* SECURITY: CVE-2010-0434 (cve.mitre.org)
Ensure each subrequest has a shallow copy of headers_in so that the
parent request headers are not corrupted. Elimiates a problematic
optimization in the case of no request body.
* SECURITY: CVE-2008-2364 (cve.mitre.org)
mod_proxy_http: Better handling of excessive interim responses
from origin server to prevent potential denial of service and high
memory usage.
* SECURITY: CVE-2010-0425 (cve.mitre.org)
mod_isapi: Do not unload an isapi .dll module until the request
processing is completed, avoiding orphaned callback pointers.
* SECURITY: CVE-2008-2939 (cve.mitre.org)
mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
the FTP URL. Discovered by Marc Bevand of Rapid7.
* Fix recursive ErrorDocument handling.
* mod_ssl: Do not do overlapping memcpy.
* Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass
through on a 304 response.
* apxs: Fix -A and -a options to ignore whitespace in httpd.conf
|
|
|
|
|
|
|
|
|
|
|
|
|
|
name change).
|
|
bump PKGREVISION
|
|
mkdir.sh as expected e.g. by www/ap2-fcgid. Bump revision.
|
|
individual Makefile files and out of Makefile.common.
|
|
many packages used to use ${PAX}. Use the common way of directly calling
pax, it is created as tool after all.
|
|
through PLIST_SUBST to the plist module.
|
|
Changes with Apache 2.0.63
*) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
to /Device/Nul as the server is starting up, mirroring unix MPM's.
PR: 43534 [Tom Donovan <Tom.Donovan acm.org>, William Rowe]
*) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
by recreating the bucket allocator each time the trans pool is cleared.
PR: 11427 #16 (follow-on) [Tom Donovan <Tom.Donovan acm.org>]
Changes with Apache 2.0.62 (not released)
*) SECURITY: CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
Reported by SecurityReason. [Mark Cox, Joe Orton]
*) SECURITY: CVE-2007-5000 (cve.mitre.org)
mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
[Joe Orton]
*) Introduce the ProxyFtpDirCharset directive, allowing the administrator
to identify a default, or specific servers or paths which list their
contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]
*) log.c: Ensure Win32 resurrects its lost robust logger processes.
[William Rowe]
*) mpm_winnt: Eliminate wait_for_many_objects. Allows the clean
shutdown of the server when the MaxClients is higher then 257,
in a more responsive manner [Mladen Turk, William Rowe]
*) Add explicit charset to the output of various modules to work around
possible cross-site scripting flaws affecting web browsers that do not
derive the response character set as required by RFC2616. One of these
reported by SecurityReason [Joe Orton]
*) http_protocol: Escape request method in 405 error reporting.
This has no security impact since the browser cannot be tricked
into sending arbitrary method strings. [Jeff Trawick]
*) http_protocol: Escape request method in 413 error reporting.
Determined to be not generally exploitable, but a flaw in any case.
PR 44014 [Victor Stinner <victor.stinner inl.fr>]
|
|
on packages that are affected by the switch from the openssl 0.9.7
branch to the 0.9.8 branch. ok jlam@
|
|
|
|
to version 2.0.61.
This update is a bug and security fix release. The following security
problem hasn't been fixed in "pkgsrc" before:
- CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when
parsing date-related headers.
|
|
and to support the "inet6" option instead.
Remaining usage of USE_INET6 was solely for the benefit of the scripts
that generate the README.html files. Replace:
BUILD_DEFS+= USE_INET6
with
BUILD_DEFS+= IPV6_READY
and teach the README-generation tools to look for that instead.
This nukes USE_INET6 from pkgsrc proper. We leave a tiny bit of code
to continue to support USE_INET6 for pkgsrc-wip until it has been nuked
from there as well.
|
|
|
|
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
|
|
CVE-2006-5752 XSS in mod_status with ExtendedStatus on
CVE-2007-1863 remote crash when mod_cache enabled
|
|
dependency is added, as the wildcard pattern in apr0 is necessary
to pick the right version of APR.
|
|
|
|
Patch provided by Sergey Svishchev in private mail.
|
|
Update to 1.2.8 (formerly in devel/apr1), no longer build from the
httpd distfile.
devel/rapidsvn:
devel/subversion-base:
parallel/ganglia-monitor-core:
security/hydra:
www/apache2:
Use devel/apr0.
www/apache22:
Use devel/apr and devel/apr-util.
|
|
apache, apache2 and apache22.
|
|
cube said so.
|
|
properly.
Bump PKGREVISION.
|
|
installed config_vars.mk. Any package pulling in config_vars.mk will
now find libtool.
PKGREVISION++
ok'ed tron@
|
|
config.layout file instead of CONFIGURE_ARGS, to avoid defining things
twice. No actual change, since the paths are still the same.
Added all necessary variables to BUILD_DEFS, as reported by pkglint.
|
|
when installing a binary package. Problem pointed out by Lubomir Sedlacik
in private e-mail.
Bump package revision because of this fix.
|
|
to version 2.0.59. Changes since *2.0.58:
- SECURITY: CVE-2006-3747 (cve.mitre.org)
mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling. For some RewriteRules this could lead to a pointer being
written out of bounds. Reported by Mark Dowd of McAfee.
|
|
|
|
to version 2.0.58. Change since Apache relase 2.0.55:
- Legal: Restored original years in copyright notices.
- mod_cgid: run the get_suexec_identity hook within the request-handler
instead of within cgid. Apache#36410.
- core: Prevent read of unitialized memory in ap_rgetline_core.
Apache#39282.
- mod_proxy: Report the proxy server name correctly in the "Via:" header,
when UseCanonicalName is Off. Apache#11971.
- mod_isapi: Various trivial code-fixes to permit mod_isapi to load and
run on Unix.
- HTML-escape the Expect error message. Not classed as security as
an attacker has no way to influence the Expect header a victim will
send to a target site. Reported by Thiago Zaninotti
<thiango nstalker.com>.
- SECURITY: CVE-2005-3357 (cve.mitre.org)
mod_ssl: Fix a possible crash during access control checks if a
non-SSL request is processed for an SSL vhost (such as the
"HTTP request received on SSL port" error message when an 400
ErrorDocument is configured, or if using "SSLEngine optional").
Apache#37791.
- SECURITY: CVE-2005-3352 (cve.mitre.org)
mod_imap: Escape untrusted referer header before outputting in HTML
to avoid potential cross-site scripting. Change also made to
ap_escape_html so we escape quotes. Reported by JPCERT.
- Add APR/APR-Util Compiled and Runtime Version numbers to the
output of 'httpd -V'.
- Ensure that the proper status line is written to the client, fixing
incorrect status lines caused by filters which modify r->status without
resetting r->status_line, such as the built-in byterange filter.
- Default handler: Don't return output filter apr_status_t values.
Apache#31759.
- mod_speling: Stop crashing with certain non-file requests.
- keep the Content-Length header for a HEAD with no response body.
Apache#18757
- Modify apr[util] .h detection to avoid breakage on VPATH builds
using Solaris make (amoung others) and avoid breakage in ./buildconf
when srclib/apr[-util] are symlinks rather than directories proper.
- Avoid server-driven negotiation when a CGI script has emitted an
explicit "Status:" header. Apache#38070.
- mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
format is used. Apache#27787.
- mod_cache: Correctly handle responses with a 301 status. Apache#37347.
- mod_proxy_http: Prevent data corruption of POST request bodies when
client accesses proxied resources with SSL. Apache#37145.
- Elimiated the NET_TIME filter, restructuring the timeout logic.
This provides a working mod_echo on all platforms, and ensures any
custom protocol module is at least given an initial timeout value
based on the <VirtualHost > context's Timeout directive.
- mod_ssl: Correct issue where mod_ssl does not pick up the
ssl-unclean-shutdown setting when configured. Apache#34452.
- Document the ReceiveBufferSize change done in r157583.
- mod_deflate: Merge the Vary header, instead of Setting it. Fixes
applications that send the Vary Header themselves. Apache#37559.
- mod_dav: Fix a null pointer dereference in an error code path during the
handling of MKCOL.
- mod_mime_magic: Handle CRLF-format magic files so that it works with
the default installation on Windows.
- Write message to error log if AuthGroupFile cannot be opened.
Apache#37566.
- Add ReceiveBufferSize directive to control the TCP receive buffer.
- mod_cache: Fix 'Vary: *' behavior to be RFC compliant. Apache#16125.
- Remove the base href tag from proxy_ftp, as it breaks relative
links for clients not using an Authorization header.
- http_request.c: Add missing va_end call.
- Add httxt2dbm to support/ for creating RewriteMap DBM Files.
- support/check_forensic: Fix temp file usage
- Chunk filter: Fix chunk filter to create correct chunks in the case that
a flush bucket is surrounded by data buckets.
- mod_cgi(d): Remove block on OPTIONS method so that scripts can
respond to OPTIONS directly rather than via server default.
Apache#15242
- Added new module mod_version, which provides version dependent
configuration containers.
- Add core version query function (ap_get_server_revision) and
accompanying ap_version_t structure (minor MMN bump).
|
|
way that using APACHE_MODULES+= (additive) in mk.conf can work correctly.
|