summaryrefslogtreecommitdiff
path: root/www/apache2/distinfo
AgeCommit message (Collapse)AuthorFilesLines
2007-09-07Update "apr" package to version 0.9.16.2.0.61 and "apache2" packagetron1-6/+4
to version 2.0.61. This update is a bug and security fix release. The following security problem hasn't been fixed in "pkgsrc" before: - CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers.
2007-06-28Fixes for security issues and PKGREVISION bump;lkundrak1-1/+3
CVE-2006-5752 XSS in mod_status with ExtendedStatus on CVE-2007-1863 remote crash when mod_cache enabled
2006-08-30The directories for configuration files and log files are now set in therillig1-2/+2
config.layout file instead of CONFIGURE_ARGS, to avoid defining things twice. No actual change, since the paths are still the same. Added all necessary variables to BUILD_DEFS, as reported by pkglint.
2006-07-28Update "apr" package to version 0.9.12.2.0.59 and "apache2" packagetron1-4/+4
to version 2.0.59. Changes since *2.0.58: - SECURITY: CVE-2006-3747 (cve.mitre.org) mod_rewrite: Fix an off-by-one security problem in the ldap scheme handling. For some RewriteRules this could lead to a pointer being written out of bounds. Reported by Mark Dowd of McAfee.
2006-05-07Update "apr" package to version 0.9.12.2.0.58 and "apache" packagetron1-6/+4
to version 2.0.58. Change since Apache relase 2.0.55: - Legal: Restored original years in copyright notices. - mod_cgid: run the get_suexec_identity hook within the request-handler instead of within cgid. Apache#36410. - core: Prevent read of unitialized memory in ap_rgetline_core. Apache#39282. - mod_proxy: Report the proxy server name correctly in the "Via:" header, when UseCanonicalName is Off. Apache#11971. - mod_isapi: Various trivial code-fixes to permit mod_isapi to load and run on Unix. - HTML-escape the Expect error message. Not classed as security as an attacker has no way to influence the Expect header a victim will send to a target site. Reported by Thiago Zaninotti <thiango nstalker.com>. - SECURITY: CVE-2005-3357 (cve.mitre.org) mod_ssl: Fix a possible crash during access control checks if a non-SSL request is processed for an SSL vhost (such as the "HTTP request received on SSL port" error message when an 400 ErrorDocument is configured, or if using "SSLEngine optional"). Apache#37791. - SECURITY: CVE-2005-3352 (cve.mitre.org) mod_imap: Escape untrusted referer header before outputting in HTML to avoid potential cross-site scripting. Change also made to ap_escape_html so we escape quotes. Reported by JPCERT. - Add APR/APR-Util Compiled and Runtime Version numbers to the output of 'httpd -V'. - Ensure that the proper status line is written to the client, fixing incorrect status lines caused by filters which modify r->status without resetting r->status_line, such as the built-in byterange filter. - Default handler: Don't return output filter apr_status_t values. Apache#31759. - mod_speling: Stop crashing with certain non-file requests. - keep the Content-Length header for a HEAD with no response body. Apache#18757 - Modify apr[util] .h detection to avoid breakage on VPATH builds using Solaris make (amoung others) and avoid breakage in ./buildconf when srclib/apr[-util] are symlinks rather than directories proper. - Avoid server-driven negotiation when a CGI script has emitted an explicit "Status:" header. Apache#38070. - mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o format is used. Apache#27787. - mod_cache: Correctly handle responses with a 301 status. Apache#37347. - mod_proxy_http: Prevent data corruption of POST request bodies when client accesses proxied resources with SSL. Apache#37145. - Elimiated the NET_TIME filter, restructuring the timeout logic. This provides a working mod_echo on all platforms, and ensures any custom protocol module is at least given an initial timeout value based on the <VirtualHost > context's Timeout directive. - mod_ssl: Correct issue where mod_ssl does not pick up the ssl-unclean-shutdown setting when configured. Apache#34452. - Document the ReceiveBufferSize change done in r157583. - mod_deflate: Merge the Vary header, instead of Setting it. Fixes applications that send the Vary Header themselves. Apache#37559. - mod_dav: Fix a null pointer dereference in an error code path during the handling of MKCOL. - mod_mime_magic: Handle CRLF-format magic files so that it works with the default installation on Windows. - Write message to error log if AuthGroupFile cannot be opened. Apache#37566. - Add ReceiveBufferSize directive to control the TCP receive buffer. - mod_cache: Fix 'Vary: *' behavior to be RFC compliant. Apache#16125. - Remove the base href tag from proxy_ftp, as it breaks relative links for clients not using an Authorization header. - http_request.c: Add missing va_end call. - Add httxt2dbm to support/ for creating RewriteMap DBM Files. - support/check_forensic: Fix temp file usage - Chunk filter: Fix chunk filter to create correct chunks in the case that a flush bucket is surrounded by data buckets. - mod_cgi(d): Remove block on OPTIONS method so that scripts can respond to OPTIONS directly rather than via server default. Apache#15242 - Added new module mod_version, which provides version dependent configuration containers. - Add core version query function (ap_get_server_revision) and accompanying ap_version_t structure (minor MMN bump).
2006-01-21Add fix for CVE-2005-3357 from Apache bug report 37791.tron1-1/+2
Bump package revision because of this fix.
2005-12-15Add fix for security vulnerability reported in CVE-2005-3352 taken fromtron1-1/+2
Apache SVN repository. Bump package revision because of that.
2005-10-17Update "apache2" package to version 2.0.55.tron1-9/+5
Patches supplied by Ben Collver. Addresses PR pkg/31817 by Zafer Aydogan.
2005-10-11Allow mod_ssl to build with OpenSSL 0.9.8. The patch is fromjoerg1-1/+2
Georg v. Zezschwitz on dev@httpd.apache.org.
2005-09-26Remove old 2003 patch that is actually no longer used. apr is its owntv1-2/+1
package now, and this header file is only directly used by apr itself, hidden from httpd. (Clarifies bug 36750 that I have on file with Apache Bugzilla.)
2005-09-02Add patch from Apache SVN repository to fix weak client certificatetron1-2/+2
validation reported in CAN-2005-2700. Bump package revision.
2005-08-28- Add security patch for CAN-2005-2491 from Apache SVN repository.tron1-1/+3
- Add patch for high memory usage caused by "Byterange" support from Apache SVN repository. Bump package revision because of the above changes.
2005-08-08Add fixes for CAN-2005-1268 (not really a security problem) andtron1-1/+3
CAN-2005-2088 from the Apache SVN repository.
2005-04-25Changes 2.0.54:adam1-10/+10
*) mod_cache: Add CacheIgnoreHeaders directive. *) mod_ldap: Added the directive LDAPConnectionTimeout to configure the ldap socket connection timeout value. *) Correctly export all mod_dav public functions. *) Add a build script to create a solaris package. *) worker MPM: Fix a problem which could cause httpd processes to remain active after shutdown. *) Unix MPMs: Shut down the server more quickly when child processes are slow to exit. *) Remove formatting characters from ap_log_error() calls. These were escaped as fallout from CAN-2003-0020. *) mod_ssl: If SSLUsername is used, set r->user earlier. *) htdigest: Fix permissions of created files. *) core_input_filter: Move buckets to a persistent brigade instead of creating a new brigade. This stop a memory leak when proxying a Streaming Media Server. *) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid hiccups from additional path information passed in non-utf-8 format.
2005-02-24Add RMD160 checksums.wiz1-1/+2
2005-02-09Update "apache2" package to version 2.0.53. Changes since version 2.0.52:tron1-6/+4
- Fix --with-apr=/usr and/or --with-apr-util=/usr. Problem report 29740. [Max Bowsher <maxb ukf.net>] - mod_proxy: Fix ProxyRemoteMatch directive. Problem report 33170. [Rici Lake <rici ricilake.net>] - mod_proxy: Respect errors reported by pre_connection hooks. [Jeff Trawick] - --with-module can now take more than one module to be statically linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,... If the <modtype>-subdirectory doesn't exist it will be created and populated with a standard Makefile.in. [Erik Abele] - Fix the RPM spec file so that an RPM build now works. An RPM build now requires system installations of APR and APR-util. Remove some arbitrary moving around of binaries - the RPM now maps to the ASF build of httpd. [Graham Leggett] - mod_dumpio, an I/O logging/dumping module, added to the modules/expermimental subdirectory. [Jim Jagielski] - mod_auth_ldap: Handle the inconsistent way in which the MS LDAP library handles special characters. Problem report 24437. [Jess Holle] - Win32 MPM: Correct typo in debugging output. [William Rowe] - conf: Remove AddDefaultCharset from the default configuration because setting a site-wide default does more harm than good. Problem report 23421. [Roy Fielding] - Add charset to example CGI scripts. [Roy Fielding] - mod_ssl: fail quickly if SSL connection is aborted rather than making many doomed ap_pass_brigade calls. Problem report 32699. [Joe Orton] - Remove compiled-in upper limit on LimitRequestFieldSize. [Bill Stoddard] - Start keeping track of time-taken-to-process-request again for mod_status if ExtendedStatus is enabled. [Jim Jagielski] - mod_proxy: Handle client-aborted connections correctly. Problem report 32443. [Janne Hietamäki, Joe Orton] - Fix handling of files >2Gb on all platforms (or builds) where apr_off_t is larger than apr_size_t. Problem report 28898. [Joe Orton] - mod_include: Fix bug which could truncate variable expansions of N*64 characters by one byte. Problem report 32985. [Joe Orton] - Correct handling of certain bucket types in ap_save_brigade, fixing possible segfaults in mod_cgi with #include virtual. Problem report 31247. [Joe Orton] - Allow for the use of --with-module=foo:bar where the ./modules/foo directory is local only. Assumes, of course, that the required files are in ./modules/foo, but makes it easier to statically build/log "external" modules. [Jim Jagielski] - Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that ldap authorization only modules have access to the util_ldap user cache without having to require ldap authentication as well. Problem report 31898. [Jari Ahonen jah progress.com, Brad Nicholes] - mod_auth_ldap: Added the directive "Requires ldap-attribute" that allows the module to only authorize a user if the attribute value specified matches the value of the user object. Problem report 31913 [Ryan Morgan <rmorgan pobox.com>] - SECURITY: CAN-2004-0942 (cve.mitre.org) Fix for memory consumption DoS in handling of MIME folded request headers. [Joe Orton] - SECURITY: CAN-2004-0885 (cve.mitre.org) mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be bypassed during an SSL renegotiation. Problem report 31505. [Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton] - mod_ssl: Fail at startup rather than segfault at runtime if a client cert is configured with an encrypted private key. Problem report 24030. [Joe Orton] - apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". Problem report 31448 [Joe Orton] - mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d. [Jeff Trawick] - mod_cache: CacheDisable will only disable the URLs it was meant to disable, not all caching. Problem report 31128. [Edward Rudd <eddie omegaware.com>, Paul Querna] - mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale cache responses. [Justin Erenkrantz] - mod_rewrite: Handle per-location rules when r->filename is unset. Previously this would segfault or simply not match as expected, depending on the platform. [Jeff Trawick] - mod_rewrite: Fix 0 bytes write into random memory position. Problem report 31036. [André Malo] - mod_disk_cache: Do not store aborted content. Problem report 21492. [Rüdiger Plüm <r.pluem t-online.de>] - mod_disk_cache: Correctly store cached content type. Problem report 30278. [Rüdiger Plüm <r.pluem t-online.de>] - mod_ldap: prevent the possiblity of an infinite loop in the LDAP statistics display. Problem report 29216. [Graham Leggett] - mod_ldap: fix a bogus error message to tell the user which file is causing a potential problem with the LDAP shared memory cache. Problem report 31431 [Graham Leggett] - mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz] - Fix the re-linking issue when purging elements from the LDAP cache Problem report 24801. [Jess Holle <jessh ptc.com>] - mod_disk_cache: Fix races in saving responses. [Justin Erenkrantz] - Fix Expires handling in mod_cache. [Justin Erenkrantz] - Alter mod_expires to run at a different filter priority to allow proper Expires storage by mod_cache. [Justin Erenkrantz]
2005-01-03Do not use supplementary groups on Interix, which doesn't have setgroups.minskim1-1/+2
Patch provided by HIRAMATSU Yoshifumi in PR pkg/27567.
2005-01-01Always use ${PERL5} as a perl path, instead of depending on PrintPath.minskim1-1/+2
Bump PKGREVISION.
2004-12-18- Bump to nb5 to specifically address a new apache vuln:adrianp1-1/+3
http://issues.apache.org/bugzilla/show_bug.cgi?id=31505 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885 - Changes backported from apache CVS HEAD: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.110&r2=1.111 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_init.c?r1=1.128&r2=1.129
2004-11-30Modify the apxs(8) script to use ${APR_LIBTOOL} as the libtool tojlam1-1/+2
build modules if APR_LIBTOOL is defined in the environment. Force the use of the libtool wrapper by module packages by setting APR_LIBTOOL in apache2/buildlink3.mk. Bump the PKGREVISION.
2004-11-26Pass DL_* flags to the compiler when linking httpd since it dlopensjlam1-2/+2
shared modules. Bump the PKGREVISION.
2004-10-02Update apache to apache-2.0.52.reed1-4/+3
Also added comment to www/apache2/Makefile.common to remind to update checksum in devel/apr also. No actual devel/apr changes seen. Also removed www/apache2/patches/patch-ab because it is identical to fix for security in new version. Changes with Apache 2.0.52 *) Use HTML 2.0 <hr> for error pages. PR 30732 [André Malo] *) Fix the global mutex crash when the global mutex is never allocated due to disabled/empty caches. [Jess Holle <jessh ptc.com>] *) Fix a segfault in the LDAP cache when it is configured switched off. [Jess Holle <jessh ptc.com>] *) SECURITY: CAN-2004-0811 (cve.mitre.org) Fix merging of the Satisfy directive, which was applied to the surrounding context and could allow access despite configured authentication. PR 31315. [Rici Lake <rici ricilake.net>] *) Fix the handling of URIs containing %2F when AllowEncodedSlashes is enabled. Previously, such urls would still be rejected. [Jeff Trawick, Bill Stoddard] *) mod_mem_cache: Fixed race condition causing segfault because of memory being freed twice, or reused after being freed. [J. Clar, W. Stoddard, G. Ames] *) Add -l option to rotatelogs to let it use local time rather than UTC. PR 24417. [Ken Coar, Uli Zappe <uli ritual.org>] *) mod_log_config: Fix a bug which prevented request completion time from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE processing. PR 29696. [Alois Treindl <alois astro.ch>]
2004-09-23update checksum for patch-ab (hi, reed!)grant1-1/+2
2004-09-20- Update apache to 2.0.51adrianp1-6/+4
- Remove patch-as and patch-ah as they are now outdated and included in the src - ok'ed snj@, wiz@ - Thanks to epg@ for final check This version of Apache is principally a bug fix release. Of particular note is that 2.0.51 addresses five security vulnerabilities: An input validation issue in IPv6 literal address parsing which can result in a negative length parameter being passed to memcpy. [CAN-2004-0786] A buffer overflow in configuration file parsing could allow a local user to gain the privileges of a httpd child if the server can be forced to parse a carefully crafted .htaccess file. [CAN-2004-0747] A segfault in mod_ssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured. [CAN-2004-0751] A potential infinite loop in mod_ssl which could be triggered given particular timing of a connection abort. [CAN-2004-0748] A segfault in mod_dav_fs which can be remotely triggered by an indirect lock refresh request. [CAN-2004-0809] For further details, see http://www.apache.org/dist/httpd/Announcement2.html and http://apache.rmplc.co.uk/httpd/CHANGES_2.0.
2004-09-07Security update for apache2 with the changes backported from theadrianp1-1/+2
Apache CVS tree. CAN-2004-0748 http://issues.apache.org/bugzilla/show_bug.cgi?id=29964 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.124&r2=1.125 CAN-2004-0751 http://issues.apache.org/bugzilla/show_bug.cgi?id=30134 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126
2004-07-14- Update to apache 2.0.50adrianp1-5/+4
- Add new build def APACHE_DEFAULT_FILES Changes with Apache 2.0.50 *) SECURITY: CAN-2004-0493 (cve.mitre.org) Close a denial of service vulnerability identified by Georgi Guninski which could lead to memory exhaustion with certain input data. [Jeff Trawick] *) mod_cgi: Handle output on stderr during script execution on Unix platforms; preventing deadlock when stderr output fills pipe buffer. Also fixes case where stderr from nph- scripts could be lost. PR 22030, 18348. [Joe Orton, Jeff Trawick] *) mod_alias now emits a warning if it detects overlapping *Alias* directives. [André Malo] *) mod_rewrite no longer turns forward proxy requests into reverse proxy requests. PR 28125 [ast domdv.de, André Malo] *) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now exported on Win32 and Netware as well (minor MMN bump). PR 28523. [Edward Rudd <eddie omegaware.com>, André Malo] *) Restore the ability to disable the use of AcceptEx on Win9x systems automatically (broken in 2.0.49). PR 28529. [André Malo] *) <VirtualHost myhost> now applies to all IP addresses for myhost instead of just the first one reported by the resolver. This corrects a regression since 1.3. [Jeff Trawick] *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved against ServerRoot PR#26602 [Brad Nicholes] *) SECURITY: CAN-2004-0488 (cve.mitre.org) mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a (trusted) client certificate subject DN which exceeds 6K in length. [Joe Orton] *) mod_dav_fs: Fix MKCOL response for missing parent collections, which caused issues for the Eclipse WebDAV extension. PR 29034. [Joe Orton] *) mod_deflate: Fix memory consumption (which was proportional to the response size). PR 29318. [Joe Orton] *) mod_ssl: Log the errors returned on failure to load or initialize a crypto accelerator engine. [Joe Orton] *) Allow RequestHeader directives to be conditional. PR 27951. [Vincent Deffontaines <vincent gryzor.com>, André Malo] *) Allow LimitRequestBody to be reset to unlimited. PR 29106 [André Malo] *) Fix a bunch of cases where the return code of the regex compiler was not checked properly. This affects: mod_setenvif, mod_usertrack, mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo] *) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for small cache sizes. PR 27751. [Geoff Thorpe <geoff geoffthorpe.net>] *) Remove 2Gb log file size restriction on some 32-bit platforms. PR 13511. [Joe Orton] *) mod_logio no longer removes the EOS bucket. PR 27928. [Bojan Smojver <bojan rexursive.com>] *) htpasswd no longer refuses to process files that contain empty lines. [André Malo] *) Regression from 1.3: At startup, suexec now will be checked for availability, the setuid bit and user root. The works only if httpd is compiled with the shipped APR version (0.9.5). PR 28287. [André Malo] *) Unix MPMs: Stop dropping connections when the file descriptor is at least FD_SETSIZE. [Jeff Trawick] *) Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick] *) mod_isapi: send_response_header() failed to copy status string's last character. PR 20619. [Jesse Pelton <jsp pkc.com>] *) Fix a segfault when requests for shared memory fails and returns NULL. Fix a segfault caused by a lack of bounds checking on the cache. PR 24801. [Graham Leggett] *) Throw an error message if an attempt is made to use the LDAPTrustedCA or LDAPTrustedCAType directives in a VirtualHost. PR 26390 [Brad Nicholes] *) Fix a potential segfault if the bind password in the LDAP cache is NULL. PR 28250. [Jari Ahonen <jah progress.com>] *) Quotes cannot be used around require group and require dn directives, update the documentation to reflect this. Also add quotes around the dn and group within debug messages, to make it more obvious why authentication is failing if quotes are used in error. PR 19304. [Graham Leggett] *) The Microsoft LDAP SDK escapes filters for us, stop util_ldap from escaping filters twice when the backslash character is used. PR 24437. [Jess Holle <jessh ptc.com>] *) Overhaul handling of LDAP error conditions, so that the util_ldap_* functions leave the connections in a sane state after errors have occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134, 27271 [Graham Leggett] *) mod_ldap calls ldap_simple_bind_s() to validate the user credentials. If the bind fails, the connection is left in an unbound state. Make sure that the ldap connection record is updated to show that the connection is no longer bound. [Brad Nicholes] *) Ensure that lines in the request which are too long are properly terminated before logging. [Tsurutani Naoki <turutani scphys.kyoto-u.ac.jp>] *) Update the bind credentials for the cached LDAP connection to reflect the last bind. This prevents util_ldap from creating unnecessary connections rather than reusing cached connections. [Brad Nicholes] *) mod_isapi: GetServerVariable returned improperly terminated header fields given "ALL_HTTP" or "ALL_RAW". PR 20656. [Jesse Pelton <jsp pkc.com>] *) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer size. PR 20617. [Jesse Pelton <jsp pkc.com>] *) mod_dav: Fix a problem that could cause crashes when manipulating locks on some platforms. [Jeff Trawick] *) mod_headers no longer crashes if an empty header value should be added. [André Malo] *) Fix segfault in mod_expires, which occured under certain circumstances. PR 28047. [André Malo] *) htpasswd: use apr_temp_dir_get() and general cleanup [Guenter Knauf <eflash gmx.net>, Thom May] *) mod_ssl: Fix memory leak in session cache handling. PR 26562 [Madhusudan Mathihalli] *) mod_ssl: Fix potential segfaults when performing SSL shutdown from a pool cleanup. PR 27945. [Joe Orton] *) Add forensic logging module (mod_log_forensic). [Ben Laurie] *) logresolve: Allow size of log line buffer to be overridden at build time (MAXLINE). PR 27793. [Jeff Trawick] *) Fix the comment delimiter in htdbm so that it correctly parses the username comment. Also add a terminate function to allow NetWare to pause the output before the screen is destroyed. [Guenter Knauf <eflash gmx.net>, Brad Nicholes] *) Fix crash when Apache was started with no Listen directives. [Michael Corcoran <mcorcoran warpsolutions.com>] *) core_output_filter: Fix bug that could result in sending garbage over the network when module handlers construct bucket brigades containing multiple file buckets all referencing the same open file descriptor. [Bojan Smojver] *) Fix memory corruption problem with ap_custom_response() function. The core per-dir config would later point to request pool data that would be reused for different purposes on different requests. [Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe] *) Win32: Tweak worker thread accounting routines to eliminate server hang when number of Listen directives in httpd.conf is greater than or equal to the setting of ThreadsPerChild. [Bill Stoddard]
2004-06-05Add patch from apache's CVS to fix SSL_Util_UUEncode_Binaty stack buffertaca1-1/+2
overflow vulnerability. http://www.securityfocus.com/bid/10355 Bump package revision.
2004-03-22Update apache2 to 2.0.49. This includes various changes since last releasereed1-3/+3
including: *) SECURITY: CAN-2004-0174 (cve.mitre.org) Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket. With Apache 2.x there is no performance concern about enabling the logic for platforms which don't need it, so it is enabled everywhere except for Win32. [Jeff Trawick] *) SECURITY: CAN-2004-0113 (cve.mitre.org) mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling. PR 27106. [Joe Orton] *) SECURITY: CAN-2003-0020 (cve.mitre.org) Escape arbitrary data before writing into the errorlog. Unescaped errorlogs are still possible using the compile time switch "-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, Andr<E9> Malo] Complete changelog is at http://www.apache.org/dist/httpd/CHANGES_2.0 Package changes include: buildlink depends increased for apache2 (but not for apr). apr package version changes, but APR_VERSION stays same. more files installed and added to PLIST. share/httpd/manual/search/manual-index.cgi removed from PLIST. Also removing share/httpd/htdocs and share/httpd directories removed from PLIST because already handled by MAKE_DIRS. (I think this should use OWN_DIRS.) (jlam@ said he would like this update done during freeze.)
2003-10-28upgrade to 2.0.48itojun1-4/+4
Changes with Apache 2.0.48 *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of the AF_UNIX socket used to communicate with the cgid daemon and the CGI script. [Jeff Trawick] *) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. [André Malo] *) mod_include: fix segfault which occured if the filename was not set, for example, when processing some error conditions. PR 23836. [Brian Akins <bakins@web.turner.com>, André Malo] *) fix the config parser to support <Foo>..</Foo> containers (no arguments in the opening tag) supported by httpd 1.3. Without this change mod_perl 2.0's <Perl> sections are broken. ["Philippe M. Chiasson" <gozer@cpan.org>] *) mod_cgid: fix a hash table corruption problem which could result in the wrong script being cleaned up at the end of a request. [Jeff Trawick] *) Update httpd-*.conf to be clearer in describing the connection between AddType and AddEncoding for defining the meaning of compressed file extensions. [Roy Fielding] *) mod_rewrite: Don't die silently when failing to open RewriteLogs. PR 23416. [André Malo] *) mod_rewrite: Fix mod_rewrite's support of the [P] option to send rewritten request using "proxy:". The code was adding multiple "proxy:" fields in the rewritten URI. PR: 13946. [Eider Oliveira <eider@bol.com.br>] *) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and expires as directed in RFC 2616. [Thomas Castelle tcastelle@generali.fr] *) Ensure that ssl-std.conf is generated at configure time, and switch to using the expanded config variables to work the same as httpd-std.conf PR: 19611 [Thom May] *) mod_ssl: Fix segfaults after renegotiation failure. PR 21370 [Hartmut Keil <Hartmut.Keil@adnovum.ch>] *) mod_autoindex: If a directory contains a file listed in the DirectoryIndex directive, the folder icon is no longer replaced by the icon of that file. PR 9587. [David Shane Holden <dpejesh@yahoo.com>] *) Fixed mod_usertrack to not get false positive matches on the user-tracking cookie's name. PR 16661. [Manni Wood <manniwood@planet-save.com>] *) mod_cache: Fix the cache code so that responses can be cached if they have an Expires header but no Etag or Last-Modified headers. PR 23130. [bjorn@exoweb.net] *) mod_log_config: Fix %b log format to write really "-" when 0 bytes were sent (e.g. with 304 or 204 response codes). [Astrid Keßler] *) Modify ap_get_client_block() to note if it has seen EOS. [Justin Erenkrantz] *) Fix a bug, where mod_deflate sometimes unconditionally compressed the content if the Accept-Encoding header contained only other tokens than "gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo] *) Avoid an infinite recursion, which occured if the name of an included config file or directory contained a wildcard character. PR 22194. [André Malo] *) mod_ssl: Fix a problem setting variables that represent the client certificate chain. PR 21371 [Jeff Trawick] *) Unix: Handle permissions settings for flock-based mutexes in unixd_set_global|proc_mutex_perms(). Allow the functions to be called for any type of mutex. PR 20312 [Jeff Trawick] *) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick] *) Fix a misleading message from the some of the threaded MPMs when MaxClients has to be lowered due to the setting of ServerLimit. [Jeff Trawick] *) Lower the severity of the "listener thread didn't exit" message to debug, as it is of interest only to developers. PR 9011 [Jeff Trawick] *) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting. [Cliff Woolley, Jean-Jacques Clar] *) Install config.nice into the build/ directory to make minor version upgrades easier. [Joshua Slive] *) Fix mod_deflate so that it does not call deflate() without checking first whether it has something to deflate. (Currently this causes deflate to generate a fatal error according to the zlib spec.) PR 22259. [Stas Bekman] *) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an identity spoof is encountered. [Sander Striker] *) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory containing the .htaccess file is requested without a trailing slash. PR 20195. [André Malo] *) ab: Overlong credentials given via command line no longer clobber the buffer. [André Malo] *) mod_deflate: Don't attempt to hold all of the response until we're done. [Justin Erenkrantz] *) Assure that we block properly when reading input bodies with SSL. PR 19242. [David Deaves <David.Deaves@dd.id.au>, William Rowe] *) Update mime.types to include latest IANA and W3C types. [Roy Fielding] *) mod_ext_filter: Set additional environment variables for use by the external filter. PR 20944. [Andrew Ho, Jeff Trawick] *) Fix buildconf errors when libtool version changes. [Jeff Trawick] *) Remember an authenticated user during internal redirects if the redirection target is not access protected and pass it to scripts using the REDIRECT_REMOTE_USER environment variable. PR 10678, 11602. [André Malo] *) mod_include: Fix a trio of bugs that would cause various unusual sequences of parsed bytes to omit portions of the output stream. PR 21095. [Ron Park <ronald.park@cnet.com>, André Malo, Cliff Woolley] *) Update the header token parsing code to allow LWS between the token word and the ':' seperator. [PR 16520] [Kris Verbeeck <kris.verbeeck@advalvas.be>, Nicel KM <mnicel@yahoo.com>] *) Eliminate creation of a temporary table in ap_get_mime_headers_core() [Joe Schaefer <joe+gmane@sunstarsys.com>] *) Added FreeBSD directory layout. PR 21100. [Sander Holthaus <info@orangexl.com>, André Malo] *) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP response. PR 21085. [Glenn Nielsen <glenn@apache.org>, André Malo] *) mod_rewrite: Perform child initialization on the rewrite log lock. This fixes a log corruption issue when flock-based serialization is used (e.g., FreeBSD). [Jeff Trawick] *) Don't respect the Server header field as set by modules and CGIs. As with 1.3, for proxy requests any such field is from the origin server; otherwise it will have our server info as controlled by the ServerTokens directive. [Jeff Trawick]
2003-07-09upgrade to apache-2.0.47/apr-0.9.4.2.0.47.itojun1-3/+3
Changes with Apache 2.0.47 *) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [Ben Laurie] *) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing temporary denial of service when accept() on a rarely accessed port returns certain errors. Reported by Saheed Akhtar <S.Akhtar@talis.com>. [Jeff Trawick] *) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial of service when target host is IPv6 but proxy server can't create IPv6 socket. Fixed by the reporter. [Yoshioka Tsuneo <tsuneo.yoshioka@f-secure.com>] *) SECURITY [VU#379828] Prevent the server from crashing when entering infinite loops. The new LimitInternalRecursion directive configures limits of subsequent internal redirects and nested subrequests, after which the request will be aborted. PR 19753 (and probably others). [William Rowe, Jeff Trawick, André Malo] *) core_output_filter: don't split the brigade after a FLUSH bucket if it's the last bucket. This prevents creating unneccessary empty brigades which may not be destroyed until the end of a keepalive connection. [Juan Rivera <Juan.Rivera@citrix.com>] *) Add support for "streamy" PROPFIND responses. [Ben Collins-Sussman <sussman@collab.net>] *) mod_cgid: Eliminate a double-close of a socket. This resolves various operational problems in a threaded MPM, since on the second attempt to close the socket, the same descriptor was often already in use by another thread for another purpose. [Jeff Trawick] *) mod_negotiation: Introduce "prefer-language" environment variable, which allows to influence the negotiation process on request basis to prefer a certain language. [André Malo] *) Make mod_expires' ExpiresByType work properly, including for dynamically-generated documents. [Ken Coar, Bill Stoddard]
2003-07-02Avoid hardcoding /usr/pkg in patch files.jmmv1-2/+2
2003-05-29upgrade to apache 2.0.46. fixes two vulnerabilities:itojun1-5/+5
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189
2003-05-25Restore checksum of patch-ar, accidentally removed in last.epg1-1/+2
2003-05-25Split some stuff out into a new Makefile.common so that the newepg1-7/+2
deve/apr package can use it. Depend on the new apr package. Approved by jlam@netbsd.org.
2003-04-15Not all machines that define __sparc__ run ${SOMEOTHEROS} - fix bogusmartin1-1/+2
#ifdef and make it work on NetBSD/sparc{,64} again.
2003-04-03forgot to additojun1-3/+3
2003-04-03upgrade to 2.0.45. security bug fixesitojun1-3/+5
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132 - file descriptor leak to child process (i.e. cgi)
2003-02-02Always install apache htdocs, instead of checking to preserve any existingjlam1-2/+2
htdocs. Fixes PR 20153.
2003-01-28Updated apache2 to 2.0.44 (patch provided by Eric Gillespie in pkg/20086)martti1-6/+6
* lots of bug fixes
2002-10-04upgrade to 2.0.43.itojun1-3/+3
Changes with Apache 2.0.43 *) SECURITY: [CAN-2002-0840] HTML-escape the address produced by ap_server_signature() against this cross-site scripting vulnerability exposed by the directive 'UseCanonicalName Off'. Also HTML-escape the SERVER_NAME environment variable for CGI and SSI requests. It's safe to escape as only the '<', '>', and '&' characters are affected, which won't appear in a valid hostname. Reported by Matthew Murphy <mattmurphy@kc.rr.com>. [Brian Pane] *) Fix a core dump in mod_cache when it attemtped to store uncopyable buckets. This happened, for instance, when a file to be cached contained SSI tags to execute a CGI script (passed as a pipe bucket). [Paul J. Reder] *) Ensure that output already available is flushed to the network when the content-length filter realizes that no new output will be available for a while. This helps some streaming CGIs as well as some other dynamically-generated content. [Jeff Trawick] *) Fix a mutex problem in mod_ssl session cache support which could lead to an infinite loop. PR 12705 [amund.elstad@ergo.no (Amund Elstad), Jeff Trawick] *) SECURITY: Allow POST requests and CGI scripts to work when DAV is enabled on the location. [Ryan Bloom] *) Allow the UserDir directive to accept a list of directories. This matches what Apache 1.3 does. Also add documentation for this feature. [Jay Ball <jay@veggiespam.com>] *) New Module: mod_logio. adds the ability to log bytes sent and received. [Bojan Smojver <bojan@rexursive.com>] *) SuExec needs to use the same default directory as the rest of server, namely /usr/local/apache2. [SangBeom han <sbhan@os.korea.ac.kr>] *) Get mod_auth_ldap to retry connections on LDAP_SERVER_DOWN. [Thomas Bennett <thomas.bennett@eds.com>, Graham Leggett] *) Make sure the contents of the WWW-Authenticate header is passed on a 4xx error by proxy. Previously all headers were dropped, resulting in the browser being unable to authenticate. [Dr Richard Reiner <rreiner@fscinternet.com>, Richard Danielli <rdanielli@fscinternet.com>, Graham Wiseman <gwiseman@fscinternet.com>, David Henderson <dhenderson@fscinternet.com>] *) Make mod_cache's CacheMaxStreamingBuffer directive work properly for virtual hosts that override server-wide mod_cache setttings. [Matthieu Estrade <estrade-m@ifrance.com>] *) Add -p option to apxs to allow programs to be compiled with apxs. [Justin Erenkrantz]
2002-10-02upgrade to 2.0.42.itojun1-3/+3
--- Changes with Apache 2.0.42 *) mod_dav: Check for versioning hooks before using them. [Greg Stein] Changes with Apache 2.0.41 *) The protocol version (eg: HTTP/1.1) in the request line parsing is now case insensitive. [Jim Jagielski] *) Allow AddOutputFilterByType to add multiple filters per directive. [Justin Erenkrantz] *) Remove warnings with Sun's Forte compiler. [Justin Erenkrantz] *) Fixed mod_disk_cache's generation of 304s [Kris Verbeeck <Kris.Verbeeck@ubizen.com>] *) Add support for using fnmatch patterns in the final path segment of an Include statement (eg.. include /foo/bar/*.conf). and remove the noise on stderr during config dir processing. [Joe Orton <jorton@redhat.com>] *) mod_cache: cache_storage.c. Add the hostname and any request args to the key generated for caching. This provides a unique key for each virtual host and for each request with unique args. [Paul J. Reder, args code provided by Kris Verbeeck] *) mod_cache: Do not cache responses to GET requests with query URLs if the origin server does not explicitly provide an Expires header on the response (RFC 2616 Section 13.9) [Kris Verbeeck krisv@be.ubizen.com] *) Fix memory leak in core_output_filter. [Justin Erenkrantz] *) Update OpenSSL detection to work on Darwin. [Sander Temme <sctemme@covalent.net>] *) Update the xslt and css to give the documentation a more modern style. [André Malo <nd@perlig.de>, Gernot Winkler <greh@o3media.de>] *) Fix some bucket memory leaks in the chunking code [Joe Schaefer <joe+apache@sunstarsys.com>] *) Add ModMimeUsePathInfo directive. [Justin Erenkrantz] *) mod_cache: added support for caching streamed responses (proxy, CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane] *) Add image/x-icon to httpd.conf PR 10993. [Ian Holsman, Peter Bieringer <pb@bieringer.de>] *) Fix FileETags none operation. PR 12207. [Justin Erenkrantz, Andrew Ho <andrew@tellme.com>] *) Restored the experimental leader/followers MPM to working condition and converted its thread synchronization from mutexes to atomic CAS. [Brian Pane] *) Fix Logic on non-html file removal in mod_deflate [Kris Verbeeck <Kris.Verbeeck@ubizen.com>] *) Fix "ab -g"'s truncated year: the last digit was cut off. [Leon Brocard <acme@astray.com>] *) mod_rewrite can now sets cookies in err_headers, uses the correct expiry date, and can now set the path as well PR 12132,12181,12172. [Ian Holsman / Rob Cromwell <apachechangelog@robcromwell.com>] *) The content-length filter no longer tries to buffer up the entire output of a long-running request before sending anything to the client. [Brian Pane] *) Win32: Lower the default stack size from 1MB to 256K. This will allow around 8000 threads to be started per child process. 'EDITBIN /STACK:size apache.exe' can be used to change this value directly in the apache.exe executable. [Bill Stoddard] *) Win32: Implement ThreadLimit directive in the Windows MPM. [Bill Stoddard] *) Remove CacheOn config directive since it is set but never checked. No sense wasting cycles on unused code. Besides, the only truly bug free code is deleted code. :) [Paul J. Reder] *) BufferLogs are now run-time enabled, and the log_config now has 2 new callbacks to allow a 3rd party module to actually do the writing of the log file [Ian Holsman] *) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs. [André Malo, Astrid Keßler <kess@kess-net.de>] *) Fix Segfault in mod_cache. [Kris Verbeeck <Kris.Verbeeck@ubizen.com>] *) Fix a null pointer dereference in the merge_env_dir_configs function of the mod_env module. PR 11791 [Paul J. Reder] *) New option to ServerTokens 'maj[or]'. Only show the major version Also Surfaced this directive in the standard config (default FULL) [Ian Holsman] *) Change mod_rewrite to use apr-util's dbm support for dbm rewrite maps. The dbm type (e.g., ndbm, gdbm) can be specified on the RewriteMap directive. PR 10644 [Jeff Trawick] *) Fixed mod_rewrite's RewriteMap prg: support so that request/response pairs will no longer get out of sync with each other. PR 9534 [Cliff Woolley] *) Fixes required to get quoted and escaped command args working in mod_ext_filter. PR 11793 [Paul J. Reder] *) mod-proxy: handle proxied responses with no status lines [JD Silvester <jsilves@uwo.ca>, Brett Huttley <brett@huttley.net>] *) Fix bug where environment or command line arguments containing non-ASCII-7 characters would cause the Win32 child process creation to fail. PR 11854 [William Rowe] *) Bug #11213.. make module loading error messages more informative [Ian Darwin <Ian779@darwinsys.com>] *) thread safety & proxy-ftp [Alexey Panchenko alexey@liwest.ru, Ian Holsman] *) mod_disk_cache works much better. This module should still be considered experimental. [Eric Prud'hommeaux] *) Performance improvement for keepalive requests: when setting aside a small file for potential concatenation with the next response on the connection, set aside the file descriptor rather than copying the file into the heap. [Brian Pane]
2002-08-29Updated apache to 2.0.40martti1-7/+7
* SECURITY: [CAN-2002-0661] Close a very significant security hole that applies only to the Win32, OS2 and Netware platforms. Unix was not affected, Cygwin may be affected. Certain URIs will bypass security and allow users to invoke or access any file depending on the system configuration. Without upgrading, a single .conf change will close the vulnerability. Add the following directive in the global server httpd.conf context before any other Alias or Redirect directives; RedirectMatch 400 "\\\.\." Reported by Auriemma Luigi <bugtest@sitoverde.com>. [Brad Nicholes] * SECURITY: Close a path-revealing exposure in multiview type map negotiation (such as the default error documents) where the module would report the full path of the typemapped .var file when multiple documents or no documents could be served based on the mime negotiation. Reported by Auriemma Luigi <bugtest@sitoverde.com>. [CAN-2002-0654] [William Rowe] * SECURITY: Close a path-revealing exposure in cgi/cgid when we fail to invoke a script. The modules would report "couldn't create child process /path-to-script/script.pl" revealing the full path of the script. Reported by Jim Race <jrace@qualys.com>. [CAN-2002-0654] [Bill Stoddard] * More bug fixes (see the CHANGES file)
2002-08-25Merge packages from the buildlink2 branch back into the main trunk thatjlam1-1/+1
have been converted to USE_BUILDLINK2.
2002-06-18upgrade to 2.0.39, which should correct chunk encoding security issue.itojun1-10/+9
Changes with Apache 2.0.39 *) Fixed a build problem in htpasswd.c on Win32. [Guenter Knauf <eflash@gmx.net>, Cliff Woolley] Changes with Apache 2.0.38 *) Rewrite htpasswd to use APR. The removes the annoying warning about tmpnam being unsafe. [Ryan Bloom] *) We must set the MIME-type for .shtml files to text/html if we want them to be parsed for SSI tags. Add the config for that to the default config file so that it is easier to enable .shtml parsing. [Dave Dyer <ddyer@real-me.net>] *) Fixed a problem with 'make install' on ReliantUnix. [Jean-frederic Clere <jfrederic.clere@fujitsu-siemens.com>] *) Make the default_handler catch all requests that aren't served by another handler. This also gets us to return a 404 if a directory is requested, there is no DirectoryIndex, and mod_autoindex isn't loaded. [Justin Erenkrantz] *) Fixed the handling of nested if-statements in shtml files. PR 9866 [Brian Pane] *) Allow 'make install DESTDIR=/path'. This allows packagers to install into a directory different from the one that was configured. This also mirrors the root= feature from 1.3. We cannot use prefix=, because both APR and APR-util resolve their installation paths at configuration time. This means that there is no variable prefix to replace. [Andreas Hasenack <andreas@netbank.com.br>] *) AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT. These levels of AIX don't have a thundering herd problem with accept(). [Jeff Trawick] *) prefork MPM: Ignore mutex errors during graceful restart. For certain types of mutexes (particularly SysV semaphores), we should expect to occasionally fail to obtain or release the mutex during restart processing. [Jeff Trawick] *) Fix install-bindist.sh so that it finds any perl instead of just early perl 5.x versions. This is consistent with a build/install from source, and it allows the perl scripts installed by a bindist to work on systems with perl 5.6. [Jeff Trawick] *) Fix apxs so that the makefile created by "apxs -g" works on AIX and Tru64 (and probably some other platforms). [Jeff Trawick] *) Allow CGI scripts to return their Content-Length. This also fixes a hang on HEAD requests seen on certain platforms (such as FreeBSD). [Justin Erenkrantz] *) Added log rotation based on file size to the RotateLog support utility. [Brad Nicholes] *) Fix some casting in mod_rewrite which broke random maps. PR 9770 [Allan Edwards, Greg Ames, Jeff Trawick] Changes with Apache 2.0.37 *) allow POST method over SSL when per-directory client cert authentication is used with 'SSLOptions +OptRenegotiate' enabled and a client cert was found in the ssl session cache. *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl session cache when there is no cert chain in the cache. prior to the fix this situation would result in a FORBIDDEN response and error message "Cannot find peer certificate chain" [Doug MacEachern] *) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if one was already sent. PR 9644 [Jeff Trawick] *) Fix the display of the default name for the mime types config file. PR 9729 [Matthew Brecknell <mbrecknell@orchestream.com>] *) Fix the working directory *for WinNT/2K/XP services only* to change to the Apache directory (one level above the location of Apache.exe, in the case that Apache.exe resides in bin/.) Solves the case of ServerRoot /foo paths where /foo was not on the same drive as /winnt/system32. [William Rowe] *) Make 2.0's "AcceptMutex" startup message now "completely" match how 1.3 does it. [Jim Jagielski] *) Implement a fixed size memory cache using a priority queue [Ian Holsman] *) Fix apxs to allow "apxs -q installbuilddir" and to allow querying certain other variables from config_vars.mk. PR 9316 [Jeff Trawick] *) Added the "detached" attribute to the cgi_exec_info_t internals so that Win32 and Netware won't create a new window or console for each CGI invoked. PR 8387 [Brad Nicholes, William Rowe] *) Consolidated the command line parameters and attributes that are manipulated by the optional function ap_cgi_build_command() in mod_cgi into a single structure. [Brad Nicholes] *) Get rid of uninitialized value errors with "apxs -q" on certain variables. [Stas Bekman <stas@stason.org>] *) Fix apxs to allow it to work when the build directory is somewhere besides server-root/build. PR 8453 [Jeff Trawick and a host of others] *) Allow ap_discard_request_body to be called multiple times in the same request. Essentially, ap_http_filter keeps track of whether it has sent an EOS bucket up the stack, if so, it will only ever send an EOS bucket for this request. [Ryan Bloom, Justin Erenkrantz, Greg Stein] *) Remove all special mod_ssl URIs. This also fixes the bug where redirecting (.*) will allow an SSL protected page to be viewed without SSL. [Ryan Bloom] *) Fix the binary build install script so that the build logic created by "apxs -g" will work when the user has a binary build. [Jeff Trawick] *) Allow instdso.sh to work with full paths to the shared module. [Justin Erenkrantz] *) NetWare: Enabled CGI functionality and added mod_cgi as a built in module for NetWare [Brad Nicholes] *) Changed cgi and piped log behavior to accept 65536 characters on Win32 (matching Linux) before deadlocking between outputing client stdin, slurping the output from stdout and then the stderr stream. PR 8179 [William Rowe] *) Fixed Win32 wintty.exe support to assure the window title is valid. Elimiates possible gpfault or garbage title without the -t option. [William Rowe] *) Rewrite mod_cgi, mod_cgid, and mod_proxy input handling to use brigades and input filters. [Justin Erenkrantz] *) Allow ap_http_filter (HTTP_IN) to return EOS when there is no request body. [Justin Erenkrantz] *) NetWare: Piping log entries through RotateLogs using the CustomLogs directive is finally supported now that we have the pipes and spawning functionality working. [Brad Nicholes] *) Detect overflow when reading the hex bytes forming a chunk line. [Aaron Bannert] *) Allow RewriteMap prg:'s to take command-line arguments. PR 8464. [James Tait <JTait@wyrddreams.demon.co.uk>] *) Correctly return 413 when an invalid chunk size is given on input. Also modify ap_discard_request_body to not do anything on sub-requests or when the connection will be dropped. [Justin Erenkrantz] *) Fix the TIME_* SSL var lookups to be threadsafe. PR 9469. [Cliff Woolley] *) Ensure that apr_brigade_write() flushes in all of the cases that it should to avoid conditions in some modules that could cause large amounts of data to be buffered. [Cliff Woolley] *) Fix problem where mod_cache/mod_disk_cache was incorrectly stripping the content_type from cached responses. [Bill Stoddard] *) apachectl passes through any httpd options. Note: apachectl should be used in preference to httpd since it ensures that any appropriate environment variables have been set up. [Jeff Trawick] *) Fix the combination of mod_cgid, mod_setuexec, and mod_userdir. PR 7810 [Colm MacCarthaigh <colmmacc@redbrick.dcu.ie>] *) Fix suexec execution of CGI scripts from mod_include. PR 7791, 8291 [Colm MacCarthaigh <colmmacc@redbrick.dcu.ie>] *) Fix segfaults at startup on some platforms when mod_auth_digest, mod_suexec, or mod_ssl were used as DSO's due to the way they were tracking the current init phase since DSO's get completely unloaded and reloaded between phases. PR 9413. [Tsuyoshi Sasamoto <nazonazo@super.win.ne.jp>, Brad Nicholes] *) Fix mod_include's handling of regular expressions in "<!--#if" directives [Julius Gawlas <julius_gawlas@hp.com>] *) Fix the worker MPM deadlock problem [Brian Pane] *) Modify the module documentation to allow for translations. [Yoshiki Hayashi, Joshua Slive] *) Fix a file permissions problem which prevented mod_disk_cache from working on Unix. [Jeff Trawick] *) Add "-k start|restart|graceful|stop" support to httpd for the Unix MPMs. These have semantics very similar to the old apachectl commands of the same name. [Justin Erenkrantz, Jeff Trawick] *) Make sure that the runtime dir is created by make install. PR 9233. [Jeff Trawick] *) Fix an unusual set of ./configure arguments that could cause mod_http to be built as a DSO, which it currently doesn't support. PR 9244. [Cliff Woolley, Robin Johnson <robbat2@orbis-terrarum.net>] *) Win32: Fix bug in apr_sendfile() that caused incorrect operation of the %X, %b and %B logformat options. PR 8253, 8996. [Bill Stoddard] *) If content-encoding is already present, do not run deflate (PR 9222) [Kazuhisa ASADA <kaz@asada.sytes.net>] *) The APLOG_NOERRNO flag to ap_log_[r]error() is now deprecated. It is currently ignored and it will be removed in a future release of Apache. [Jeff Trawick] *) Removed documentation references to the no-longer-supported "make certificate" feature of mod_ssl for Apache 1.3.x. Test certificates, if truly desired, can be generated using openssl commands. PR 8724. [Cliff Woolley] *) Remove SSLLog and SSLLogLevel directives in favor of having mod_ssl use the standard ErrorLog directives. [Justin Erenkrantz] *) OS/390: LIBPATH no longer has to be manually uncommented in envvars to get apachectl to set up httpd properly. [Jeff Trawick] *) mod_isapi: All mod_isapi directives, excluding ISAPICacheFile, may now be specified to the <File/Directory > container, rather than by vhost. [William Rowe] *) mod_isapi: Experimental support for faux async support for ISAPI modules. [William Rowe] *) mod_isapi: Major refactoring of the code to rely on apr internals rather than MS APIs (using our own mod_isapi.h headers for ISAPI symbol definitions.) [William Rowe] *) mod_isapi: Fixed the return string length from GetServerVariable callback, it was not including the trailing null in the consumed buffer size. This was particularly bad for Delphi 6.0 users. PR 8934 [Sebastian Hantsch <sebastian.hantsch@gmx.de>] *) Fixed Win32 builds for Microsoft VisualStudio 7.0 (.net). [William Rowe] *) Make apxs look in the correct directory for envvars. It was broken when sbindir != bindir. PR 8869 [Andreas Sundström <sunkan@zappa.cx>] *) Fix mod_deflate corruption when using multiple buckets. PR 9014. [Asada Kazuhisa <kaz@asada.sytes.net>] *) Performance enhancements for access logger when using default timestamp formatting [Brian Pane] *) Added EnableMMAP config directive to enable the server administrator to disable memory-mapping of delivered files on a per-directory basis. [Brian Pane] *) Performance enhancements for mod_setenvif [Brian Pane] *) Fix a mod_ssl build problem on OS/390. [Jeff Trawick] *) Fixed If-Modified-Since on Win32, which would give false positives because of the sub-second resolution of file timestamps on that platform. [Cliff Woolley] *) Reverse the hook ordering for mod_userdir and mod_alias so that Alias/ScriptAlias will override Userdir. PR 8841 [Joshua Slive] *) Move mod_deflate out of experimental and into filters. [Justin Erenkrantz] *) Get proxy CONNECT basically working. [Jeff Trawick] *) Fix mod_rewrite hang when APR uses SysV Semaphores and RewriteLogLevel is set to anything other than 0. PR: 8143 [Aaron Bannert, Cliff Woolley] *) Fix byterange requests from returning 416 when using dynamic data (such as filters like mod_include). [Justin Erenkrantz] *) Allow mod_rewrite's set of "int:" internal RewriteMap functions to be extended by third-party modules via an optional function. [Tahiry Ramanamampanoharana <nomentsoa@hotmail.com>, Cliff Woolley] *) Fix mod_include expression parser's handling of unquoted strings followed immediately by a closing paren. PR 8462. [Brian Pane] *) Remove autom4te.cache in 'make distclean'. [Thom May <thom@planetarytramp.net>] *) Fix generated httpd.conf to respect layout for LoadModule lines. PR 8170. [Thom May <thom@planetarytramp.net>] *) Win32: During a graceful restart, threads in the new process were accessing scoreboard slots still in use by active threads in the the old process. [Bill Stoddard]
2002-06-18use /dev/urandom, not /dev/random, for random number source.itojun1-1/+3
(if you don't have Pentium 4, httpd will need more than 1 minutes to start up)
2002-06-01upgrade to 2.0.36. (this is still a leaf package so it shouldn't affect others)itojun1-7/+7
Changes with Apache 2.0.36 *) Close sockets on worker MPM when doing a graceless restart. [Aaron Bannert] *) Reverted a minor optimization in mod_ssl.c that used the vhost ID as the session id context rather that a MD5 hash of that vhost ID, because it caused very long vhost id's to be unusable with mod_ssl. PR 8572. [Cliff Woolley] *) Fix the link to the description of the CoredumpDirectory directive in the server-wide document. PR 8643. [Jeff Trawick] *) Fixed SHMCB session caching. [Aaron Bannert, Cliff Woolley] *) Synced with remaining changes from mod_ssl 2.8.8-1.3.24: - Avoid SIGBUS on sparc machines with SHMCB session caches - Allow whitespace between the pipe and the name of the program in SSLLog "| /path/to/program". [Cliff Woolley] *) Introduce mod_ext_filter and mod_deflate experimental modules to the Win32 build (zlib sources must be in srclib\zlib.) [William Rowe] *) Changes to the worker MPM's queue management and thread synchronization code to reduce mutex contention [Brian Pane] *) Don't install *.in configuration files since we already install *-std.conf files. [Aaron Bannert] *) Many improvements to the threadpool MPM. [Aaron Bannert] *) Fix subreqs that are promoted via fast_redirect from having invalid frec->r structures. This would cause subtle errors later on in request processing such as seen in PR 7966. [Justin Erenkrantz] *) More efficient pool recycling logic for the worker MPM [Brian Pane] *) Modify the worker MPM to not accept() new connections until there is an available worker thread. This prevents queued connections from starving for processing time while long-running connections were hogging all the available threads. [Aaron Bannert] *) Convert the worker MPM's fdqueue from a LIFO back into a FIFO. [Aaron Bannert] *) Get basic HTTP proxy working on EBCDIC machines. [Jeff Trawick] *) Allow mod_unique_id to work on systems with no IPv4 address corresponding to their host name. [Jeff Trawick] *) Fix suexec behavior with user directories. PR 7810. [Colm <colmmacc@redbrick.dcu.ie>] *) Reject a blank UserDir directive since it is ambiguous. PR 8472. [Justin Erenkrantz] *) Make mod_mime use case-insensitive matching when examining extensions on all platforms. PR 8223. [Justin Erenkrantz] *) Add an intelligent error message should no proxy submodules be valid to handle a request. PR 8407 [Graham Leggett] *) Major improvements in concurrent processing for AB by enabling non-blocking connect()s and preventing APR from doing blocking read()s. Also implement fatal error checking for apr_recv(). [Aaron Bannert] *) Fix Win32 NTFS Junctions (symlinks). PR 8014 [William Rowe] *) Fix Win32 'short name' aliases in httpd.conf directives. PR 8009 [William Rowe] *) Fix generation of default httpd.conf when the layout paths are disjoint. PR 7979, 8227. [Justin Erenkrantz] *) Swap downgrade-1.0 and force-response-1.0 conditional checks so that downgraded responses can have force-response. PR 8357. [Justin Erenkrantz] *) Fix perchild MPM so that it can be configured with the move to the experimental directory. [Scott Lamb <slamb@slamb.org>] *) Fix perchild MPM so that it uses ap_gname2id for groups instead of ap_uname2id. [Scott Lamb <slamb@slamb.org>] *) Fix AcceptPathInfo. PR 8234 [Cliff Woolley] *) [Security] Added the APLOG_TOCLIENT flag to ap_log_rerror() to explicitly tell the server that warning messages should be sent to the client in addition to being recorded in the error log. Prior to this change, ap_log_rerror() always sent warning messages to the client. In one case, a faulty CGI script caused the server to send a warning message to the client that contained the full path to the CGI script. This could be considered a minor security exposure. [Bill Stoddard] *) mod_autoindex output when SuppressRules was specified would omit the first carriage return so the first item in the list would appear to the right of the column headings instead of underneath them. PR 8016 [David Shane Holden <dpejesh@yahoo.com>] *) Moved the call to apr_mmap_dup outside the error branch so that it would actually get called. This fixes a core dump at init everytime you use the MMapFile directive. PR 8314 [Paul J. Reder] *) Trigger an error when a LoadModule directive attempts to load a module which is built-in. This is a common error when switching from a DSO build to a static build. [Jeff Trawick] *) Change instdso.sh to use libtool --install everywhere and then clean up some stray files and symlinks that libtool leaves around on some platforms. This gets subversion building properly since it needed a re-link to be performed by libtool at install time, and the old instdso.sh logic to simply cp the DSO didn't handle that requirement. [Sander Striker] *) Allow VPATH builds to succeed when configured from an empty directory. [Thom May <thom@planetarytramp.net>] *) Fix 'control reaches end of non-void function' warning in server/log.c. [Ben Collins-Sussman <sussman@collab.net>] *) Perchild MPM is now correctly deemed as experimental and is now located in server/mpm/experimental. [Justin Erenkrantz] *) Fix segfault in mod_mem_cache when garabge collecting an expired cache entry. [Bill Stoddard] *) Introduced -E startup_logfile_name option to httpd to allow admins to begin logging errors immediately. This provides Win32 users an alternative to sending startup errors to the event viewer, and allows other daemon tool authors an alternative to logging to stderr. [William Rowe] *) Fix subreqs with non-defined Content-Types being served improperly. [Justin Erenkrantz] *) Merge in latest GNU config.guess and config.sub files. PR 7818. [Justin Erenkrantz] *) Move 100 - Continue support to the HTTP_IN filter so that filters are guaranteed to support 100 - Continue logic without any intervention. [Justin Erenkrantz] *) Add HTTP chunked input trailer support. [Justin Erenkrantz] *) Rename and export get_mime_headers as ap_get_mime_headers. [Justin Erenkrantz] *) Allow empty Host: header arguments. PR 7441. [Justin Erenkrantz] *) Properly substitute sbindir as httpd's location in apachectl. PR 7840. [Andreas Hasenack <andreas@netbank.com.br>] *) Allow Win32 shebang scripts to follow the path (or omit the .exe suffix from the shebang command), and allow ScriptInterpreterSource Registry or RegistryStrict to override shebang lines, as 1.3 did. PR 8004 [William Rowe] *) worker MPM: Fix a situation where a child exited without releasing the accept mutex. Depending on the OS and mutex mechanism this could result in a hang. [Jeff Trawick] *) Update the instructions for how to get started with mod_example. [Stas Bekman] *) Fix PidFile to default to rel_runtimedir instead of rel_logfiledir. PR 7841. [Andreas Hasenack <andreas@netbank.com.br>] *) Win32: Fix problem that caused rapid performance degradation when number of connecting clients exceeded ThreadsPerChild. [Bill Stoddard] *) Fixed a segfault parsing large SSIs on non-mmap systems. [Brian Havard] *) Proxy was bombing out every second keepalive request, caused by a stray CRLF before the second response's status line. Proxy now tries to read one more line if it encounters a CRLF where it expected a status. PR 10010 [Graham Leggett] *) Deprecated the apr_lock.h API. Please see the following files for the improved thread and process locking and signaling: apr_proc_mutex.h, apr_thread_mutex.h, apr_thread_rwlock.h, apr_thread_cond.h, and apr_global_mutex.h. [Aaron Bannert] *) Change mod_status to use scoreboard accessor functions so it can be used in any MPM without having to be recompiled. [Ryan Morgan <rmorgan@covalent.net>] *) Fix parsing of some AP_DECLARE_DATA declarations so that the filter handle declarations are recognized. This fixes problems loading mod_autoindex on some platforms. [Brian Havard] *) add optional fixup hook to proxy [Daniel Lopez <daniel@covalent.net>] *) Remind the admin about the User and Group directives when we are unable to set permissions on a semaphore. PR 7812 [Jeff Trawick] *) fix possible compilation problem in ssl_engine_kernel.c. PR 7802 [Doug MacEachern] *) fix possible infinite loop in mod_ssl triggered by certain netscape clients [Doug MacEachern] *) fix ProxyPass when frontend is https and backend is http [Doug MacEachern] *) Add DASL support to mod_dav [Sung Kim <hunkim@cse.ucsc.edu>]
2002-04-13--------------------------------------------------------------------------------jlam1-13/+11
Update www/apache2 to 2.0.35, the first stable release of Apache 2.x. Pkgsrc changes include: *) Compiling the included modules statically. Add-ons will be built dynamically. *) Match improvements to www/apache rc.d script. *) Automatically add "Listen 0.0.0.0:80" to the sample config files as the default install of NetBSD is IPv4/IPv6 and we want the default install of Apache to work out-of-the-box. *) Automatically reset the User and Group directives to match the ones for suEXEC in the config files to ease the use of suEXEC in Apache. Changes from version 2.0.32 beta include: *) Small bug fixes across the board. *) Bug fixes to the various MPMs. *) Performance improvements. *) Fixes for mod_include errors on boundary conditions *) Bug fixes for mod_proxy to prevent hangs and for RFC2616 compliance. *) Improvements to mod_dav for improved API and for RFC 3253 compliance *) Improvemants to mod_ssl to support SSL proxy and RSA SSLC 1.x/2.x *) Greatly improve mod_cache (disk/mem) [this is disabled in pkgsrc] *) New scoreboard file implementation that is readable by 3rd-party apps. *) Allow all Perchild directives to accept either numerical UID/GID or logical user/group names. *) Add support for macro expansion within the variable names in <!--#echo--> and <!--#set--> directives *) Implement SSLSessionCache shmht and shmcb. *) New directive ProxyIOBufferSize. Sets the size of the buffer used when reading from a remote HTTP server in proxy. *) Scrap CacheMaxExpireMin and CacheDefaultExpireMin. Change CacheMaxExpire and CacheDefaultExpire to use seconds rather than hours. *) New Directive SSIUndefinedEcho. to change the '(none)' echoed for a undefined variable. *) Introduce PassPhraseDialog "|/path/to/pipe" mechanism to mod_ssl. *) New Directive for mod_proxy: ProxyRemoteMatch. *) Fix IPv6 name-based virtual hosts. *) Introduce AddOutputFilterByType directive.
2002-03-06Find the pkgsrc-installed expat libraries.jlam1-1/+2
XXX This patch will go away once the changes to buildlink to handle libtool XXX archives properly are committed.
2002-03-06Add the scripts to the build target so that they are created and installedjlam1-2/+2
properly.
2002-03-05Update www/apache2 to 2.0.32 beta. Pkgsrc changes from the previous versionjlam1-11/+12
include: *) Move the binaries back into ${PREFIX}/sbin to match the locations for www/apache. *) Build the Apache modules (including mod_ssl) so that apache2 has the same functionality as apache. *) Support shared modules on platforms that support them. Otherwise, link the modules statically into the server. *) Support suEXEC in the same way as for www/apache. *) Honor PKG_SYSCONFDIR. *) Add a rc.d-style control script based on www/apache/files/apache.sh. *) Strongly buildlinkify again after previous changes broke it. Relevant changes from version 2.0.28 beta include: *) A ton of bug fixes in both the main server code and the module code (it _is_ a beta release following a previous beta release). *) Several performance and memory optimizations. *) The Location: response header field, used for external redirect, *must* be an absoluteURI. The Redirect directive tested for that, but RedirectMatch didn't -- it would allow almost anything through. Now it will try to turn an abs_path into an absoluteURI, but it will correctly varf like Redirect if the final redirection target isn't an absoluteURI. *) Add several new mod_proxy directives: ProxyTimeout, ProxyPreserveHost, ProxyPass. *) FTP directory listings are now always retrieved in ASCII mode. The FTP proxy properly escapes URI's and HTML in the generated listing, and escapes the path components when talking to the FTP server. *) Add FileETag directive to allow configurable control of what data are used to form ETag values for file-based URIs. *) Introduced the ForceLanguagePriority directive, to prevent returning MULTIPLE_CHOICES or NONE_ACCEPTABLE in some cases, when using Multiviews.