| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
*) SECURITY: CVE-2014-0117 (cve.mitre.org)
mod_proxy: Fix crash in Connection header handling which
allowed a denial of service attack against a reverse proxy
with a threaded MPM.
*) SECURITY: CVE-2014-3523 (cve.mitre.org)
Fix a memory consumption denial of service in the WinNT MPM (used in all Windows
installations). Workaround: AcceptFilter <protocol> {none|connect}
*) SECURITY: CVE-2014-0226 (cve.mitre.org)
Fix a race condition in scoreboard handling, which could lead to
a heap buffer overflow.
*) SECURITY: CVE-2014-0118 (cve.mitre.org)
mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to avoid
denial of sevice via highly compressed bodies. See directives
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
and DeflateInflateRatioBurst.
*) SECURITY: CVE-2014-0231 (cve.mitre.org)
mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child processes
filling up the scoreboard and eventually hanging the server. By
default, the client I/O timeout (Timeout directive) now applies to
communication with scripts. The CGIDScriptTimeout directive can be
used to set a different timeout for communication with scripts.
*) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
resumed by TLS session resumption (RFC 5077).
*) mod_deflate: Don't fail when flushing inflated data to the user-agent
and that coincides with the end of stream ("Zlib error flushing inflate
buffer").
*) mod_proxy_ajp: Forward local IP address as a custom request attribute
like we already do for the remote port.
*) core: Include any error notes set by modules in the canned error
response for 403 errors.
*) mod_ssl: Set an error note for requests rejected due to
SSLStrictSNIVHostCheck.
*) mod_ssl: Fix issue with redirects to error documents when handling
SNI errors.
*) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
larger keys and support up to 8192-bit keys.
*) mod_dav: Fix improper encoding in PROPFIND responses.
*) WinNT MPM: Improve error handling for termination events in child.
*) mod_proxy: When ping/pong is configured for a worker, don't send or
forward "100 Continue" (interim) response to the client if it does
not expect one.
*) mod_ldap: Be more conservative with the last-used time for
LDAPConnectionPoolTTL.
*) mod_ldap: LDAP connections used for authn were not respecting
LDAPConnectionPoolTTL.
*) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.
*) event MPM: Fix possible crashes (third-party modules accessing c->sbh)
or occasional missed mod_status updates under load.
*) mod_authnz_ldap: Support primitive LDAP servers do not accept
filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
filter "none" to be specified in AuthLDAPURL.
*) mod_deflate: Fix inflation of files larger than 4GB.
*) mod_deflate: Handle Zlib header and validation bytes received in multiple
chunks.
*) mod_proxy: Allow reverse-proxy to be set via explicit handler.
*) ab: support custom HTTP method with -m argument.
*) mod_proxy_balancer: Correctly encode user provided data in management
interface.
*) mod_proxy_fcgi: Support iobuffersize parameter.
*) mod_auth_form: Add a debug message when the fields on a form are not
recognised.
*) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
response.
*) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
scheme.
*) mod_socache_shmcb: Correct counting of expirations for status display.
Expirations happening during retrieval were not counted.
*) mod_cache: Retry unconditional request with the full URL (including the
query-string) when the origin server's 304 response does not match the
conditions used to revalidate the stale entry.
*) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
variables as a result of AliasMatch.
*) mod_cache: Don't add cached/revalidated entity headers to a 304 response.
*) mod_proxy_scgi: Support Unix sockets. ap_proxy_port_of_scheme():
Support default SCGI port (4000).
*) mod_cache: Fix AH00784 errors on Windows when the the CacheLock directive
is enabled.
*) mod_expires: don't add Expires header to error responses (4xx/5xx),
be they generated or forwarded.
*) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
(regression in 2.4.9 release)
*) mod_authn_socache: Fix crash at startup in certain configurations.
*) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
programs to the form used in releases up to 2.4.7, and emulate
a backwards-compatible behavior for existing setups.
*) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
OCSP requests should use a nonce to be checked against the responder's
one.
*) mod_ssl: "SSLEngine off" will now override a Listen-based default
and does disable mod_ssl for the vhost.
*) mod_lua: Enforce the max post size allowed via r:parsebody()
*) mod_lua: Use binary comparison to find boundaries for multipart
objects, as to not terminate our search prematurely when hitting
a NULL byte.
*) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
versions before 0.9.8h and not specifying an SSLCertificateChainFile
(regression introduced with 2.4.8).
*) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
no longer send warning-level unrecognized_name(112) alerts,
and limit startup warnings to cases where an OpenSSL version
without TLS extension support is used.
*) mod_proxy_html: Avoid some possible memory access violation in case of
specially crafted files, when the ProxyHTMLMeta directive is turned on.
*) mod_auth_form: Make sure the optional functions are loaded even when
the AuthFormProvider isn't specified.
*) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
(and logging garbled file names).
*) mod_ssl: fix merging of global and vhost-level settings with the
SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
directives.
*) mod_headers: Allow the "value" parameter of Header and RequestHeader to
contain an ap_expr expression if prefixed with "expr=".
*) rotatelogs: Avoid creation of zombie processes when -p is used on
Unix platforms.
*) mod_authnz_fcgi: New module to enable FastCGI authorizer
applications to authenticate and/or authorize clients.
*) mod_proxy: Do not try to parse the regular expressions passed by
ProxyPassMatch as URL as they do not follow their syntax.
*) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
under the Event MPM.
*) mod_proxy_fcgi: Fix sending of response without some HTTP headers
that might be set by filters.
*) mod_proxy_html: Do not delete the wrong data from HTML code when a
"http-equiv" meta tag specifies a Content-Type behind any other
"http-equiv" meta tag.
*) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
differs.
*) Add suspend_connection and resume_connection hooks to notify modules
when the thread/connection relationship changes. (Should be implemented
for any third-party async MPMs.)
*) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine
hangups from websockets origin servers.
*) mod_proxy_wstunnel: Don't pool backend websockets connections,
because we need to handshake every time.
*) mod_lua: Redesign how request record table access behaves,
in order to utilize the request record from within these tables.
*) mod_lua: Add r:wspeek for peeking at WebSocket frames.
*) mod_lua: Log an error when the initial parsing of a Lua file fails.
*) mod_lua: Reformat and escape script error output.
*) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
from causing response splitting.
*) mod_lua: Disallow newlines in table values inside the request_rec,
to prevent HTTP Response Splitting via tainted headers.
*) mod_lua: Remove the non-working early/late arguments for
LuaHookCheckUserID.
*) mod_lua: Change IVM storage to use shm
*) mod_lua: More verbose error logging when a handler function cannot be
found.
|
|
|
|
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
|
|
*) SECURITY: CVE-2014-0098 (cve.mitre.org)
Clean up cookie logging with fewer redundant string parsing passes.
Log only cookies with a value assignment. Prevents segfaults when
logging truncated cookies.
*) SECURITY: CVE-2013-6438 (cve.mitre.org)
mod_dav: Keep track of length of cdata properly when removing
leading spaces. Eliminates a potential denial of service from
specifically crafted DAV WRITE requests
*) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
TE/CL conflicts.
*) mod_proxy_http: Core dumped under high load. PR 50335.
*) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
*) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
is equivalent to <ProxyMatch wildcard-url>.
*) mod_ldap: Fix a potential memory leak or corruption.
*) mod_ssl: Do not perform SNI / Host header comparison in case of a
forward proxy request.
*) mod_rewrite: Add mod_rewrite.h to the headers installed on Windows.
|
|
|
|
These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or
ignored otherwise.
|
|
*) mod_dav: dav_resource->uri treated as unencoded. This was an
unnecessary ABI changed introduced in 2.2.25.
*) mod_dav: Do not validate locks against parent collection of COPY
source URI.
*) mod_ssl: Check SNI hostname against Host header case-insensitively.
*) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against
OpenSSL 1.0.0b3.
*) mod_ssl: Change default for SSLCompression to off, as compression
causes security issues in most setups. (The so called "CRIME" attack).
*) mod_ssl: Fix compilation error when OpenSSL does not contain
support for SSLv2. Problem was introduced in 2.2.25.
*) mod_dav: Fix double encoding of URIs in XML and Location header (caused
by unintential ABI change in 2.2.25).
|
|
|
|
the fastest and most widely support way to get Perfect Forward Secrecy
with modern web browsers if your server uses an RSA key.
Bump package revision because of this change.
|
|
on BSD but not on strict POSIX implementations, leading to failures when
building as an unprivileged user in the presence of symlinks.
Fixes recent breakage on SunOS when the '-h' flag was removed for MirBSD.
|
|
MirBSD) says: "The -R and -h options are mutually exclusive."
|
|
|
|
https://issues.apache.org/bugzilla/show_bug.cgi?id=40132
|
|
to Apache 2.4.6.
|
|
- SECURITY: CVE-2013-1862 (cve.mitre.org)
mod_rewrite: Ensure that client data written to the RewriteLog is
escaped to prevent terminal escape sequences from entering the
log file. [Eric Covener, Jeff Trawick, Joe Orton]
- core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
strings. The default limit for ap_pregsub() can be adjusted at compile
time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick]
- core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
on Linux kernel versions 3.x and above. Bug#55121. [Bradley Heilbrun
<apache heilbrun.org>]
- mod_setenvif: Log error on substitution overflow.
[Stefan Fritsch]
- mod_ssl/proxy: enable the SNI extension for backend TLS connections
[Kaspar Brand]
- mod_proxy: Use the the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. Bug#53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
- mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
in the error log to debug level. [William Rowe]
- mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
with SSLProxyMachineCertificateFile/Path directives. Bug#52212, Bug#54698.
[Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
- mod_proxy_balancer: Added balancer parameter failontimeout to allow server
admin to configure an IO timeout as an error in the balancer.
[Daniel Ruggeri]
- mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
password. [Daniel Ruggeri]
- htdigest: Fix buffer overflow when reading digest password file
with very long lines. Bug#54893. [Rainer Jung]
- mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
the source href (sent as part of the request body as XML) pointing to a
URI that is not configured for DAV will trigger a segfault. [Ben Reser
<ben reser.org>]
- mod_dav: Ensure URI is correctly uriencoded on return. Bug#54611
[Timothy Wood <tjw omnigroup.com>]
- mod_dav: Make sure that when we prepare an If URL for Etag comparison,
we compare unencoded paths. Bug#53910 [Timothy Wood <tjw omnigroup.com>]
- mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
result in a 412 Precondition Failed for a COPY operation. PR54610
[Timothy Wood <tjw omnigroup.com>]
- mod_dav: When a PROPPATCH attempts to remove a non-existent dead
property on a resource for which there is no dead property in the same
namespace httpd segfaults. Bug#52559 [Diego Santa Cruz
<diego.santaCruz spinetix.com>]
- mod_dav: Do not fail PROPPATCH when prop namespace is not known.
Bug#52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
- mod_dav: Do not segfault on PROPFIND with a zero length DBM.
Bug#52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
|
|
sysutils/user_* packages.
|
|
https://issues.apache.org/bugzilla/show_bug.cgi?id=29744
When using CONNECT inside a SSL connexion, fix a bug that caused
apache to reply in plain text.
|
|
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
|
|
in CVE-2013-1862.
|
|
- SECURITY: CVE-2012-3499 (cve.mitre.org)
Various XSS flaws due to unescaped hostnames and URIs HTML output in
mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
[Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
- SECURITY: CVE-2012-4558 (cve.mitre.org)
XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
Niels Heinen <heinenn google com>]
- mod_rewrite: Stop merging RewriteBase down to subdirectories
unless new option 'RewriteOptions MergeBase' is configured.
Merging RewriteBase was unconditionally turned on in 2.2.23.
Bug Report 53963. [Eric Covener]
- mod_ssl: Send the error message for speaking http to an https port using
HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
using SNI. Bug Report 50823. [Stefan Fritsch]
- mod_ssl: log revoked certificates at level INFO
instead of DEBUG. Bug Report 52162. [Stefan Fritsch]
- mod_proxy_ajp: Support unknown HTTP methods. Bug Report 54416.
[Rainer Jung]
- mod_dir: Add support for the value 'disabled' in FallbackResource.
[Vincent Deffontaines]
- mod_ldap: Fix regression in handling "server unavailable" errors on
Windows. Bug Report 54140. [Eric Covener]
- mod_ssl: fix a regression with the string rendering of the "UID" RDN
introduced in 2.2.15. Bug Report 54510. [Kaspar Brand]
- ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
to more accurately report the negotiated protocol. Bug Report 53916.
[Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
- mod_cache: Explicitly allow cache implementations to cache a 206 Partial
Response if they so choose to do so. Previously an attempt to cache a 206
was arbitrarily allowed if the response contained an Expires or
Cache-Control header, and arbitrarily denied if both headers were missing.
Currently the disk and memory cache providers do not cache 206 Partial
Responses. [Graham Leggett]
- core: Remove unintentional APR dependency introduced with
Apache 2.2.22. [Eric Covener]
- core: Use a TLS 1.0 close_notify alert for internal dummy connection if
the chosen listener is configured for https. [Joe Orton]
- mod_ssl: Add new directive SSLCompression to disable TLS-level
compression. Bug Report 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
|
|
under restricted pbulk.
|
|
|
|
from upstream for a bug that lets the devel/rt3 mailgate fail rather
dismally when present. Reviewed by tron.
|
|
|
|
|
|
are called p5-*.
I hope that's all of them.
|
|
Changes with Apache 2.2.23
*) SECURITY: CVE-2012-0883 (cve.mitre.org)
envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
current working directory to be searched for DSOs. [Stefan Fritsch]
*) SECURITY: CVE-2012-2687 (cve.mitre.org)
mod_negotiation: Escape filenames in variant list to prevent a
possible XSS for a site where untrusted users can upload files to
a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
*) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
[Paul Wouters <pwouters redhat.com>, Joe Orton]
*) mod_ldap: Treat the "server unavailable" condition as a transient
error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]
*) core: Add filesystem paths to access denied / access failed messages.
[Eric Covener]
*) core: Fix error handling in ap_scan_script_header_err_brigade() if there
is no EOS bucket in the brigade. PR 48272. [Stefan Fritsch]
*) core: Prevent "httpd -k restart" from killing server in presence of
config error. [Joe Orton]
*) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive,
adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'.
[Kaspar Brand, William Rowe]
*) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
PR 53104. [Greg Ames]
*) Unix MPMs: Fix small memory leak in parent process if connect()
failed when waking up children. [Joe Orton]
*) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
[Peter Pramberger <peter pramberger.at>, Jim Jagielski]
*) Added SSLProxyMachineCertificateChainFile directive so the proxy client
can select the proper client certificate when using a chain and the
remote server only lists the root CA as allowed.
*) mpm_event, mpm_worker: Remain active amidst prevalent child process
resource shortages. [Jeff Trawick]
*) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
*) mod_rewrite: Fix the RewriteEngine directive to work within a
location. Previously, once RewriteEngine was switched on globally,
it was impossible to switch off. [Graham Leggett]
*) mod_proxy_balancer: Restore balancing after a failed worker has
recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick]
*) mod_dumpio: Properly handle errors from subsequent input filters.
PR 52914. [Stefan Fritsch]
*) mpm_worker: Fix cases where the spawn rate wasn't reduced after child
process resource shortages. [Jeff Trawick]
*) mpm_prefork: Reduce spawn rate after a child process exits due to
unexpected poll or accept failure. [Jeff Trawick]
*) core: Adjust ap_scan_script_header_err*() to prevent mod_cgi and mod_cgid
from logging bogus data in case of errors. [Stefan Fritsch]
*) mod_disk_cache, mod_mem_cache: Decline the opportunity to cache if the
response is a 206 Partial Content. This stops a reverse proxied partial
response from becoming cached, and then being served in subsequent
responses. PR 49113. [Graham Leggett]
*) configure: Fix usage with external apr and apu in non-default paths
and recent gcc versions >= 4.6. [Jean-Frederic Clere]
*) core: Fix building against PCRE 8.30 by switching from the obsolete
pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]
*) mod_proxy: Add the forcerecovery balancer parameter that determines if
recovery for balancer workers is enforced. [Ruediger Pluem]
|
|
It turns out there were a lot of these.
|
|
bump pkgrev
|
|
XXX It would be nice if lessons were learned and no new cases of
XXX multiple versions with the same base name were introduced...
|
|
- SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations. [Joe Orton]
- SECURITY: CVE-2011-3607 (cve.mitre.org)
Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
is enabled, could allow local users to gain privileges via a .htaccess
file. [Stefan Fritsch, Greg Ames]
- SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.
[Joe Orton]
- SECURITY: CVE-2012-0021 (cve.mitre.org)
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17. Bug#52256.
[Rainer Canavan <rainer-apache 7val com>]
- SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which could allow an unprivileged child process
could cause the parent to crash at shutdown rather than terminate
cleanly. [Joe Orton]
- SECURITY: CVE-2012-0053 (cve.mitre.org)
Fix an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]
- mod_proxy_ajp: Try to prevent a single long request from marking a worker
in error. [Jean-Frederic Clere]
- config: Update the default mod_ssl configuration: Disable SSLv2, only
allow >= 128bit ciphers, add commented example for speed optimized cipher
list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]
- core: Fix segfault in ap_send_interim_response(). Bug#52315.
[Stefan Fritsch]
- mod_log_config: Prevent segfault. Bug#50861. [Torsten Foertsch
<torsten.foertsch gmx.net>]
- mod_win32: Invert logic for env var UTF-8 fixing.
Now we exclude a list of vars which we know for sure they dont hold UTF-8
chars; all other vars will be fixed. This has the benefit that now also
all vars from 3rd-party modules will be fixed. Bug#13029 / 34985.
[Guenter Knauf]
- core: Fix hook sorting for Perl modules, a regression introduced in
2.2.21. Bug#45076. [Torsten Foertsch <torsten foertsch gmx net>]
- Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
A range of '0-' will now return 206 instead of 200. Bug#51878.
[Jim Jagielski]
- Example configuration: Fix entry for MaxRanges (use "unlimited" instead
of "0"). [Rainer Jung]
- mod_substitute: Fix buffer overrun. [Ruediger Pluem, Rainer Jung]
Please note that all the security fixes had been integrated into
"pkgsrc" as patches previously.
|
|
and CVE-2012-0053 taken from Apache SVN repository.
|
|
http://svn.apache.org/
update patch for http://secunia.com/advisories/45793/
|
|
fix for CVE-2011-4317
|
|
there is no functional change.
Problem pointed out by S.P. Zeidler.
|
|
This should also fix CVE-2011-3639 and possibly CVE-2011-4317, both
part of SA46987.
|
|
|
|
snarfed (with adjustment regarding location) from
http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util.c?r1=1198940&r2=1198939&pathrev=1198940
|
|
Bump PKGREVISION.
|
|
|
|
Quote from release announce:
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.21 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a security
and bug fix release:
* SECURITY: CVE-2011-3348 (cve.mitre.org)
mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
unrecognized HTTP methods from marking ajp: balancer members
in an error state, avoiding denial of service.
* SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Further fixes to the handling of byte-range requests to use
less memory, to avoid denial of service. This patch includes fixes
to the patch introduced in release 2.2.20 for protocol compliance,
as well as the MaxRanges directive.
Note the further advisories on the state of CVE-2011-3192 will no longer
be broadcast, but will be kept up to date at;
http://httpd.apache.org/security/CVE-2011-3192.txt
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
|
|
From:
https://issues.apache.org/bugzilla/show_bug.cgi?id=39815
Bump PKGREVISION.
OK tron@
|
|
- mod_authnz_ldap: If the LDAP server returns constraint violation,
don't treat this as an error but as "auth denied". [Stefan Fritsch]
- mod_filter: Fix FilterProvider conditions of type "resp=" (response
headers) for CGI. [Joe Orton, Rainer Jung]
- mod_reqtimeout: Fix a timed out connection going into the keep-alive
state after a timeout when discarding a request body. Bug 51103.
[Stefan Fritsch]
- core: Do the hook sorting earlier so that the hooks are properly sorted
for the pre_config hook and during parsing the config. [Stefan Fritsch]
|
|
from Apache SVN repository.
|
|
- Revert ABI breakage in 2.2.18 caused by the function signature change
of ap_unescape_url_keep2f(). This release restores the signature from
2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
[Eric Covener]
|
|
|
|
- Log an error for failures to read a chunk-size, and return 408 instead
413 when this is due to a read timeout. This change also fixes some cases
of two error documents being sent in the response for the same scenario.
[Eric Covener] Bug 49167
- core: Only log a 408 if it is no keepalive timeout. Bug 39785
[Ruediger Pluem, Mark Montague <markmont umich.edu>]
- core: Treat timeout reading request as 408 error, not 400.
Log 408 errors in access log as was done in Apache 1.3.x.
Bug 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, Stefan Fritsch,
Dan Poirier]
- Core HTTP: disable keepalive when the Client has sent
Expect: 100-continue
but we respond directly with a non-100 response. Keepalive here led
to data from clients continuing being treated as a new request.
Bug 47087. [Nick Kew]
- htpasswd: Change the default algorithm for htpasswd to MD5 on all
platforms. Crypt with its 8 character limit is not useful anymore;
improve out of disk space handling (Bug 30877); print a warning if
a password is truncated by crypt. [Stefan Fritsch]
- mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
Win32's cscript interpreter can only use a single quote as comment char.
[Guenter Knauf]
- configure: Fix htpasswd/htdbm libcrypt link errors with some newer
linkers. [Stefan Fritsch]
- MinGW build improvements. Bug 49535. [John Vandenberg
<jayvdb gmail.com>, Jeff Trawick]
- mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
[Stefan Fritsch]
- core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
in request URL path info but not decode them. Bug 35256,
Bug 46830. [Dan Poirier]
- mod_rewrite: Allow to unset environment variables. Bug 50746.
[Rainer Jung]
- suEXEC: Add Suexec directive to disable suEXEC without renaming the
binary (Suexec Off), or force startup failure if suEXEC is required
but not supported (Suexec On). [Jeff Trawick]
- mod_proxy: Put the worker in error state if the SSL handshake with the
backend fails. Bug 50332.
[Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
- prefork: Update MPM state in children during a graceful restart.
Allow the HTTP connection handling loop to terminate early
during a graceful restart. Bug 41743.
[Andrew Punch <andrew.punch 247realmedia.com>]
- mod_ssl: Correctly read full lines in input filter when the line is
incomplete during first read. Bug 50481. [Ruediger Pluem]
- mod_autoindex: Merge IndexOptions from server to directory context when
the directory has no mod_autoindex directives. Bug 47766. [Eric Covener]
- mod_cache: Make sure that we never allow a 304 Not Modified response
that we asked for to leak to the client should the 304 response be
uncacheable. Bug 45341 [Graham Leggett]
- mod_dav: Send 400 error if malformed Content-Range header is received for
a put request (RFC 2616 14.16). Bug 49825. [Stefan Fritsch]
- mod_userdir: Add merging of enable, disable, and filename arguments
to UserDir directive, leaving enable/disable of userlists unmerged.
Bug 44076 [Eric Covener]
- core: Honor 'AcceptPathInfo OFF' during internal redirects,
such as per-directory mod_rewrite substitutions. Bug 50349.
[Eric Covener]
- mod_cache: Check the request to determine whether we are allowed
to return cached content at all, and respect a "Cache-Control:
no-cache" header from a client. Previously, "no-cache" would
behave like "max-age=0". [Graham Leggett]
- mod_mem_cache: Add a debug msg when a streaming response exceeds
MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary
'memory allocation failed' debug message. Bug 49604. [Eric Covener]
- proxy_connect: Don't give up in the middle of a CONNECT tunnel
when the child process is starting to exit. Bug 50220. [Eric Covener]
|
|
the beginning of a line.
(Properly this should bump the PKGREVISION, but I'm not going to bother.)
|
|
|
|
* prefork MPM: Run cleanups for final request when process exits gracefully
to work around a flaw in apr-util.
* mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
connections and other protocol handlers (like mod_ftp). Enforce the
timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering
close time from 30 to 2 seconds.
* Proxy balancer: support setting error status according to HTTP response
code from a backend.
* mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
password to UTF-8.
* core: check symlink ownership if both FollowSymlinks and
SymlinksIfOwnerMatch are set
* core: fix origin checking in SymlinksIfOwnerMatch
* mod_headers: Enable multi-match-and-replace edit option
* mod_log_config: Make ${cookie}C correctly match whole cookie names
instead of substrings.
* mod_dir, mod_negotiation: Pass the output filter information
to newly created sub requests; as these are later on used
as true requests with an internal redirect. This allows for
mod_cache et.al. to trap the results of the redirect.
* rotatelogs: Fix possible buffer overflow if admin configures a
mongo log file path.
* mod_ssl: Do not do overlapping memcpy.
* vhost: A purely-numeric Host: header should not be treated as a port.
* core: (re)-introduce -T commandline option to suppress documentroot
check at startup.
|
