./www/apache22, Apache HTTP (Web) server, version 2.2

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.2.34, Package name: apache-2.2.34, Maintainer: pkgsrc-users

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for various modern desktop and server operating
systems, such as UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server which provides HTTP
services in sync with the current HTTP standards.


Required to run:
[lang/perl5] [devel/apr] [devel/apr-util]

Required to build:
[pkgtools/cwrappers]

Package options: apache-mpm-prefork, apache-shared-modules

Master sites: (Expand)

SHA1: 829206394e238af0b800fc78d19c74ee466ecb23
RMD160: 7e913d60ac02c815edac6ab0614f5dc40618c073
Filesize: 5644.276 KB

Version history: (Expand)


CVS history: (Expand)


   2017-07-12 09:00:40 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
Changes with Apache 2.2.34

  *) Allow single-char field names inadvertantly disallowed in 2.2.32.

Changes with Apache 2.2.33 (not released)

  *) SECURITY: CVE-2017-7668 (cve.mitre.org)
     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
     bug in token list parsing, which allows ap_find_token() to search past
     the end of its input string. By maliciously crafting a sequence of
     request headers, an attacker may be able to cause a segmentation fault,
     or to force ap_find_token() to return an incorrect value.

  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
     mod_ssl may dereference a NULL pointer when third-party modules call
     ap_hook_process_connection() during an HTTP request to an HTTPS port.

  *) SECURITY: CVE-2017-3167 (cve.mitre.org)
     Use of the ap_get_basic_auth_pw() by third-party modules outside of the
     authentication phase may lead to authentication requirements being
     bypassed.

  *) SECURITY: CVE-2017-7679 (cve.mitre.org)
     mod_mime can read one byte past the end of a buffer when sending a
     malicious Content-Type response header.

  *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
   2017-01-19 19:52:30 by Alistair G. Crooks | Files touched by this commit (352)
Log message:
Convert all occurrences (353 by my count) of

	MASTER_SITES= 	site1 \
			site2

style continuation lines to be simple repeated

	MASTER_SITES+= site1
	MASTER_SITES+= site2

lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.
   2017-01-16 15:34:42 by Adam Ciarcinski | Files touched by this commit (7) | Package removed
Log message:
Changes with Apache 2.2.32

  *) SECURITY: CVE-2016-8743 (cve.mitre.org)
     Enforce HTTP request grammar corresponding to RFC7230 for request lines
     and request headers, to prevent response splitting and cache pollution by
     malicious clients or downstream proxies.

  *) Validate HTTP response header grammar defined by RFC7230, resulting
     in a 500 error in the event that invalid response header contents are
     detected when serving the response, to avoid response splitting and cache
     pollution by malicious clients, upstream servers or faulty modules.

  *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.

  *) core: Avoid a possible truncation of the faulty header included in the
     HTML response when LimitRequestFieldSize is reached.

  *) core: Enforce LimitRequestFieldSize after multiple headers with the same
     name have been merged.

  *) core: Drop Content-Length header and message-body from HTTP 204 responses.

  *) core: Permit unencoded ';' characters to appear in proxy requests and
     Location: response headers. Corresponds to modern browser behavior.

  *) core: ap_rgetline_core now pulls from r->proto_input_filters.

  *) core: Correctly parse an IPv6 literal host specification in an absolute
     URL in the request line.

  *) core: New directive RegisterHttpMethod for registering non-standard
     HTTP methods.

  *) core: Limit to ten the number of tolerated empty lines between request.

  *) core: reject NULLs in request line or request headers.

  *) mod_proxy: Use the correct server name for SNI in case the backend
     SSL connection itself is established via a proxy server.

  *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
     directives.

  *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3.

  *) mod_proxy: Correctly consider error response codes by the backend when
     processing failonstatus.

  *) mod_proxy: Play/restore the TLS-SNI on new backend connections which
     had to be issued because the remote closed the previous/reusable one
     during idle (keep-alive) time.

  *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.

  *) mod_proxy: Fix a regression with 2.2.31 that caused inherited workers to
     use a different scoreboard slot then the original one.

  *) mod_proxy: Fix a race condition that caused a failed worker to be retried
     before the retry period is over.

  *) mod_proxy: don't recyle backend announced "Connection: close" \ 
connections
     to avoid reusing it should the close be effective after some new request
     is ready to be sent.

  *) mod_mem_cache: Fix concurrent removal of stale entries which could lead
     to a crash.

  *) mime.types: add common extension "m4a" for MPEG 4 Audio.

  *) mod_substitute: Allow to configure the patterns merge order with the new
     SubstituteInheritBefore on|off directive.

  *) mod_mem_cache: Don't cache incomplete responses when the client
     connection is aborted before the body is fully read.

  *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
     failures under Visual Studio 2015 and other mismatched MSVCRT flavors.

  *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
   2016-07-29 13:10:24 by Thomas Klausner | Files touched by this commit (3) | Package updated
Log message:
Fix httpoxy vulnerability.
Bump PKGREVISION.
   2016-07-09 08:39:18 by Thomas Klausner | Files touched by this commit (1068) | Package updated
Log message:
Bump PKGREVISION for perl-5.24.0 for everything mentioning perl.
   2016-06-08 12:16:57 by Jonathan Perkin | Files touched by this commit (89)
Log message:
Remove the stability entity, it has no meaning outside of an official context.
   2016-06-08 12:02:27 by Jonathan Perkin | Files touched by this commit (44)
Log message:
Change the service_bundle name to "export" to reduce diffs between the
original manifest.xml file and the output from "svccfg export".
   2016-03-05 12:29:49 by Jonathan Perkin | Files touched by this commit (1813) | Package updated
Log message:
Bump PKGREVISION for security/openssl ABI bump.