path: root/www/apache22
Columns: Age, Author, Files changed, Lines (-/+); the commit message follows each header.

2010-03-09  taca  3 files, -9/+9
    Update apache22 package to 2.2.15.
    For full changes information please refer to
    http://www.apache.org/dist/httpd/Announcement2.2.html.
    Here are the security related changes from the ChangeLog
    (http://www.apache.org/dist/httpd/CHANGES_2.2.15).

    Changes with Apache 2.2.15

    *) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: A partial fix for the TLS renegotiation prefix injection attack by rejecting any client-initiated renegotiations. Forcibly disable keepalive for the connection if there is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using OpenSSL >= 0.9.8l. [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
    *) SECURITY: CVE-2010-0408 (cve.mitre.org) mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent when request headers indicate a request body is incoming; not a case of HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]
    *) SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]

2010-03-05  taca  4 files, -56/+1
    Remove CVE-2007-3304 related patches. CVE-2007-3304 was fixed
    in Apache 2.2.6 and these patches are noop.

2010-01-17  wiz  2 files, -3/+4
    Recursive PKGREVISION bump for jpeg update to 8.

2009-12-26  obache  2 files, -1/+17
    Re-add patch-ab, fixes runtime error on Interix.
    It originally came from PR#27567 for www/apache2. The CVE-2007-3304 parts were added in rev 1.2, then the whole patch file was removed in rev 1.3 with the update to apache-2.2.6, because the update contains the fix for CVE-2007-3304 and the comments of patch-ab only mentioned the CVE. To prevent a recurrence of such an accident, added PR#27567 as a comment for patch-ab.

2009-11-11  tron  1 file, -2/+3
    Provide working URLs for fetching old Apache releases.

2009-10-30  christos  1 file, -2/+1
    remove blank line

2009-10-30  christos  4 files, -125/+12
    update to 2.2.14; 2.2.13 is gone.

2009-10-04  tron  3 files, -14/+27
    Add patch from the Apache SVN repository for the vulnerability reported
    in CVE-2009-3095.

2009-09-14  tron  3 files, -15/+99
    Use official fix for CVE-2009-3094 taken from the Apache SVN repository.

2009-09-13  tron  3 files, -2/+23
    Add a fix for the remote Denial of Service vulnerability reported
    in CVE-2009-3094.

2009-08-10  tron  5 files, -70/+6
    Update "apache22" package to version 2.2.13. Changes since 2.2.12:
    - mod_ssl, ab: improve compatibility with OpenSSL 1.0.0 betas. Report warnings compiling mod_ssl against OpenSSL to the httpd developers. [Guenter Knauf]
    - mod_cgid: Do not add an empty argument when calling the CGI script. Bug 46380 [Ruediger Pluem]
    - Fix potential segfaults with use of the legacy ap_rputs() etc interfaces, in cases where an output filter fails. Bug 36780. [Joe Orton]

2009-08-06  tron  3 files, -1/+51
    Add patches provided by Adam Ciarcinski to fix build with recent versions
    of OpenSSL (e.g. the version in NetBSD-current).

2009-08-06  tron  9 files, -232/+20
    Update "apache22" package to version 2.2.12. Changes since version 2.2.11:
    - SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. Bug 39605. [Joe Orton, Ruediger Pluem]
    - SECURITY: CVE-2009-1195 (cve.mitre.org) Prevent the "Includes" Option from being enabled in an .htaccess file if the AllowOverride restrictions do not permit it. [Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton, Ruediger Pluem, Jeff Trawick]
    - SECURITY: CVE-2009-1890 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_proxy in a reverse proxy configuration, where a remote attacker can force a proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
    - SECURITY: CVE-2009-1191 (cve.mitre.org) mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body. Bug 46949 [Ruediger Pluem]
    - SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org) The bundled copy of the APR-util library has been updated, fixing three different security issues which may affect particular configurations and third-party modules.
    - mod_include: fix potential segfault when handling back references on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
    - mod_alias: check sanity in Redirect arguments. Bug 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
    - mod_proxy_http: fix Host: header for literal IPv6 addresses. Bug 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
    - mod_rewrite: Remove locking for writing to the rewritelog. Bug 46942
    - mod_alias: Ensure Redirect emits HTTP-compliant URLs. Bug 44020
    - mod_proxy_http: fix case sensitivity checking transfer encoding Bug 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
    - mod_rewrite: Fix the error string returned by RewriteRule. RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd argument of RewriteRule was not started with "[" or not ended with "]". Bug 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
    - mod_proxy: Complete ProxyPassReverse to handle balancer URL's. Given;
          BalancerMember balancer://alias http://example.com/foo
          ProxyPassReverse /bash balancer://alias/bar
      backend url http://example.com/foo/bar/that is now translated /bash/that [William Rowe]
    - New piped log syntax: Use "||process args" to launch the given process without invoking the shell/command interpreter. Use "|$command line" (the default behavior of "|command line" in 2.2) to invoke using shell, consuming an additional shell process for the lifetime of the logging pipe program but granting additional process invocation flexibility. [William Rowe]
    - mod_ssl: Add server name indication support (RFC 4366) and better support for name based virtual hosts with SSL. Bug 34607 [Peter Sylvester <peter.sylvester edelweb.fr>, Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton, Ruediger Pluem]
    - mod_negotiation: Escape paths of filenames in 406 responses to avoid HTML injections and HTTP response splitting. Bug 46837. [Geoff Keating <geoffk apple.com>]
    - mod_include: Prevent a case of SSI timefmt-smashing with filter chains including multiple INCLUDES filters. Bug 39369 [Joe Orton]
    - mod_rewrite: When evaluating a proxy rule in directory context, do escape the filename by default. Bug 46428 [Joe Orton]
    - mod_proxy_ajp: Check more strictly that the backend follows the AJP protocol. [Mladen Turk]
    - mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable stricter checking of remote server certificates. [Ruediger Pluem]
    - mod_substitute: Fix a memory leak. Bug 44948 [Dan Poirier <poirier pobox.com>]
    - mod_proxy_ajp: Forward remote port information by default. [Rainer Jung]
    - mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders directive to correctly remove headers before storing them. [Lars Eilebrecht]
    - mod_deflate: revert changes in 2.2.8 that caused an invalid etag to be emitted for on-the-fly gzip content-encoding. Bug 39727 will require larger fixes and this fix was far more harmful than the original code. Bug 45023. [Roy T. Fielding]
    - mod_disk_cache: The module now turns off sendfile support if 'EnableSendfile off' is defined globally. Bug 41218. [Lars Eilebrecht, Issac Goldstand]
    - prefork: Fix child process hang during graceful restart/stop in configurations with multiple listening sockets. Bug 42829. [Joe Orton, Jeff Trawick]
    - mod_ssl: Add SSLRenegBufferSize directive to allow changing the size of the buffer used for the request-body where necessary during a per-dir renegotiation. Bug 39243. [Joe Orton]
    - mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome way that per-directory rewrites append the previous notion of PATH_INFO to each substitution before evaluating subsequent rules. Bug 38642 [Eric Covener]
    - mod_authnz_ldap: Reduce number of initialization debug messages and make information more clear. Bug 46342 [Dan Poirier]
    - mod_cache: Introduce 'no-cache' per-request environment variable to prevent the saving of an otherwise cacheable response. [Eric Covener]
    - core: Translate the status line to ASCII on EBCDIC platforms in ap_send_interim_response() and for locally generated "100 Continue" responses. [Eric Covener]
    - CGI: return 504 (Gateway timeout) rather than 500 when a script times out before returning status line/headers. Bug 42190 [Nick Kew]
    - prefork: Log an error instead of segfaulting when child startup fails due to pollset creation failures. Bug 46467. [Jeff Trawick]
    - mod_ext_filter: fix error handling when the filter prog fails to start, and introduce an onfail configuration option to abort

    All the security problems mentioned above had already been fixed in "pkgsrc" via patches. Thanks a lot to Adam Ciarcinski for letting me know that the new version had finally been released.

2009-07-14  tron  4 files, -3/+84
    Add patches from the Apache SVN repository to fix the security
    vulnerabilities reported in CVE-2009-1890 and CVE-2009-1891.

2009-06-14  joerg  1 file, -34/+4
    Convert @exec/@unexec to @pkgdir or drop it.

2009-06-11  tron  6 files, -97/+46
    Import improved version of the fix for CVE-2009-1195 to restore
    backwards compatibility with e.g. "mod_perl".

2009-06-04  tron  6 files, -3/+156
    Add patches from the Apache SVN repository to fix the security bypass
    vulnerability reported in CVE-2009-1195.

2009-05-22  tron  1 file, -2/+3
    Set the license type to "apache-2.0".

2009-05-22  tron  3 files, -3/+44
    Add patch from the Apache SVN repository to fix the information leak
    in the "mod_proxy_ajp" module reported in CVE-2009-1191.

2009-04-24  seb  1 file, -3/+5
    Fix PLIST when LDAP support is activated, because apr-util package
    has it, and shared modules option is not activated: LDAP related modules are, like other modules, not installed as shared objects so they should not be added to the PLIST.
    Approved by MAINTAINER.

2009-04-14  sno  2 files, -2/+6
    PkgSrc changes:
    - add entries for ldap related shared modules to PLIST in case apr-util is built with ldap
    - PKGREVISION is not bumped, because ldap is no default option for apr-util so it won't change anything in the default case
    Reviewed by tron@

2009-04-08  tron  4 files, -91/+88
    Fix support for non-default options:
    - If option "suexec" is used we must manually build the binary because the top level makefile doesn't do that. This fixes PR pkg/41141 by Anton Blajev.
    - Move the handling of the "all-shared" option into "options.mk" and don't use a separate package list that will cause failure to remove the "lib/httpd" directory on deinstallation.

2009-03-20  joerg  1 file, -13/+6
    Simplify and speed up buildlink3.mk files and processing.
    This changes the buildlink3.mk files to use an include guard for the recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS, BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of enter/exit markers, which can be used to reconstruct the tree and to determine first level includes.
    Avoiding := for large variables (BUILDLINK_ORDER) speeds up parse time as += has linear complexity. The include guard reduces system time by avoiding reading files over and over again. For complex packages this reduces both %user and %sys time to half of the former time.

2009-02-25  tron  1 file, -3/+1
    Remove obsolete comment.

2009-02-25  tron  2 files, -36/+36
    Provide a new startup script based on a patch supplied by Roy Marples:
    1.) On platforms which provide "/etc/rc.subr" we use its process id check to figure out when Apache actually has been stopped.
    2.) On other platforms we just implement "restart" by "stop", a 10 second delay, followed by "start". If you want a better fix for this, please submit a bug report to the Apache project.
    This finally fixes PR pkg/39713.

2009-02-15  rillig  2 files, -1/+17
    QNX needs a little compatibility patch.

2009-02-05  sborrill  1 file, -1/+4
    Re-introduce support for APACHE_CUSTOM_CFLAGS in mk.conf

2009-01-25  tron  2 files, -4/+4
    Fix broken patch.

2009-01-24  darcy  3 files, -2/+17
    Patch mod_cgid to fix a known bug. Without this patch a CGI script will be
    populated with an extra, empty argument. Full details can be found at
    https://issues.apache.org/bugzilla/show_bug.cgi?id=46380
    Note, this fix has already been committed to the Apache trunk and will be in the next version, so this patch can be removed then.

2008-12-28  tron  3 files, -12/+18
    Update "apache22" package to version 2.2.11. This update is a bug-fix
    only release. Approved by Thomas Klausner.

2008-11-01  tron  4 files, -24/+42
    Update "apache22" package to version 2.2.10. Changes since 2.2.9:
    - SECURITY: CVE-2008-2939 (cve.mitre.org) mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
    - Allow for smax to be 0 for balancer members so that all idle connections are able to be dropped should they exceed ttl. Apache Bug #43371 [Phil Endecott <spam_from_apache_bugzilla chezphil.org>, Jim Jagielski]
    - mod_proxy_http: Don't trigger a retry by the client if a failure to read the response line was the result of a timeout. [Adam Woodworth <mirkperl gmail.com>]
    - Support chroot on Unix-family platforms Apache Bug #43596 [Dimitar Pashev <mitko banksoft-bg.com>]
    - mod_ssl: implement dynamic mutex callbacks for the benefit of OpenSSL. [Sander Temme]
    - mod_proxy_balancer: Add 'bybusyness' load balance method. [Joel Gluth <joelgluth yahoo.com.au>, Jim Jagielski]
    - mod_authn_alias: Detect during startup when AuthDigestProvider is configured to use an incompatible provider via AuthnProviderAlias. Apache Bug #45196 [Eric Covener]
    - mod_proxy: Add 'scolonpathdelim' parameter to allow for ';' to also be used as a session path separator/delim Apache Bug #45158. [Jim Jagielski]
    - mod_charset_lite: Avoid dropping error responses by handling meta buckets correctly. Apache Bug #45687 [Dan Poirier <poirier pobox.com>]
    - mod_proxy_http: Introduce environment variable proxy-initial-not-pooled to avoid reusing pooled connections if the client connection is an initial connection. Apache Bug #37770. [Ruediger Pluem]
    - mod_rewrite: Allow Cookie option to set secure and HttpOnly flags. Apache Bug #44799 [Christian Wenz <christian wenz.org>]
    - mod_ssl: Rewrite shmcb to avoid memory alignment issues. Apache Bug #42101. [Geoff Thorpe]
    - mod_proxy: Add connectiontimeout parameter for proxy workers in order to be able to set the timeout for connecting to the backend separately. Apache Bug #45445. [Ruediger Pluem, rahul <rahul sun.com>]
    - mod_dav_fs: Retrieve minimal system information about directory entries when walking a DAV fs, resolving a performance degradation on Windows. Apache Bug #45464. [Joe Orton, Jeff Trawick]
    - mod_cgid: Pass along empty command line arguments from an ISINDEX query that has consecutive '+' characters in the QUERY_STRING, matching the behavior of mod_cgi. [Eric Covener]
    - mod_headers: Prevent Header edit from processing only the first header of possibly multiple headers with the same name and deleting the remaining ones. Apache Bug #45333. [Ruediger Pluem]
    - mod_proxy_balancer: Move nonce field in the balancer manager page inside the html form where it belongs. Apache Bug #45578. [Ruediger Pluem]
    - mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to known HTTP/1.0 servers. Return 'Expectation failed' (417) instead. [Ruediger Pluem]
    - mod_rewrite: Preserve the query string when [proxy,noescape]. Apache Bug #45247. [Tom Donovan]

    pkgsrc related note: The security fix for CVE-2008-2939 has already been integrated as a patch before this update.

2008-10-15  martti  1 file, -1/+2
    Fix pkg/33191 (affects only SunOS 5.8 so I didn't bump revision).

2008-10-12  tron  2 files, -3/+4
    Use the pid file to determine whether "httpd" is still running. This should
    make "/etc/rc.d/apache restart" work more reliably and fix PR pkg/39713 by Martti Kuparinen. Bump package revision because of this fix.

2008-09-17  epg  2 files, -14/+7
    When I broke apr/-util out to build separately from httpd on
    2007/01/24 19:46:45, I left Makefile.common in apache22 for no reason at all. Drop it.
    approved by tron

2008-09-16  epg  3 files, -13/+49
    - drop non-existent configure args
    - add missing modules to DFLT_APACHE_MODULES
    - bump PKGREVISION for new modules
    - replace APACHE_MODULES=all-shared with apache-shared-modules option
    - '--enable-mods-shared=all' is not sufficient, that's why DFLT_APACHE_MODULES lists all those others; use DFLT_APACHE_MODULES instead of 'all'
    - add apache-shared-modules to options.description
    approved by tron

2008-09-06  wiz  2 files, -4/+4
    Recursive PKGREVISION/ABI-depends bump for db4 4.6->4.7 update (shlib
    name change).

2008-08-26  epg  2 files, -2/+50
    Build all modules shared if APACHE_MODULES=all-shared. Bump PKGREVISION.
    approved by tron

2008-08-22  obache  3 files, -21/+26
    Add DESTDIR support and fix PLIST (try to create two empty directories).

2008-08-09  tron  3 files, -2/+19
    Add patch from Apache SVN repository to avoid cross-site scripting attacks
    in the FTP proxy module. This fixes the security vulnerability reported in CVE-2008-2939.

2008-06-18  tron  6 files, -236/+141
    Update "apache22" package to version 2.2.9.
    This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed:
    - CVE-2008-2364: mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage. Reported by Ryujiro Shibuya.
    - CVE-2007-6420: mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager interface.
    pkgsrc related notes:
    - CVE-2008-2364 was already fixed in "pkgsrc"
    - CVE-2007-6420 doesn't affect the package in the default configuration because the "proxy_balancer" isn't enabled.

2008-06-12  tron  3 files, -3/+87
    Add patch for CVE-2008-2364 from the Apache SVN repository.

2008-05-26  joerg  1 file, -2/+2
    Second round of explicit pax dependencies. As reminded by tnn@,
    many packages used to use ${PAX}. Use the common way of directly calling pax, it is created as tool after all.

2008-04-12  jlam  2 files, -6/+5
    Convert to use PLIST_VARS instead of manually passing "@comment "
    through PLIST_SUBST to the plist module.

2008-01-21  xtraeme  5 files, -66/+22
    Update to 2.2.8, please check http://www.apache.org/dist/httpd/CHANGES_2.2.8
    for the list of changes.

2008-01-18  tnn  2 files, -4/+4
    Per the process outlined in revbump(1), perform a recursive revbump
    on packages that are affected by the switch from the openssl 0.9.7 branch to the 0.9.8 branch. ok jlam@

2008-01-12  adam  2 files, -4/+4
    db4 update related revision bump

2007-12-04  abs  3 files, -3/+57
    Update www/apache to 2.2.6nb1
    Add apache SVN revision 574884 to fix garbage characters in Server header
    http://issues.apache.org/bugzilla/show_bug.cgi?id=43334
    When it hits, this issue can completely screw up returned pages if the Server header gets embedded newlines

2007-09-10  tron  1 file, -2/+1
    Remove duplicate entry for "share/httpd/icons/README.html".
    Pointed out by Geert Hendrickx in private e-mail.

2007-09-09  rillig  1 file, -2/+2
    Only fix the suexec permissions if the file exists.

2007-09-08  rillig  1 file, -1/+3
    Disabled the use of rsync for faster installation. A path that will not
    exist later had been embedded in config_vars.mk. PKGREVISION++