./www/apache22, Apache HTTP (Web) server, version 2.2

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.2.31, Package name: apache-2.2.31, Maintainer: pkgsrc-users

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for various modern desktop and server operating
systems, such as UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server which provides HTTP
services in sync with the current HTTP standards.


Required to run:
[lang/perl5] [devel/apr] [devel/apr-util]


Package options: apache-mpm-prefork, apache-shared-modules

Master sites: (Expand)

SHA1: e3b55387112206307ba76526820a2627472f3787
RMD160: 5b073f5f556c74e19eba8e40faa5c5fa308e018a
Filesize: 5478.993 KB

Version history: (Expand)


CVS history: (Expand)


   2015-07-20 20:28:59 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
Changes with Apache 2.2.31
  *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers.

Changes with Apache 2.2.30 (not released)
  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
     core: Fix chunk header parsing defect.
     Remove apr_brigade_flatten(), buffering and duplicated code from
     the HTTP_IN filter, parse chunks in a single pass with zero copy.
     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
     authorized characters.

  *) http: Fix LimitRequestBody checks when there is no more bytes to read.

  *) core: Allow spaces after chunk-size for compatibility with implementations
     using a pre-filled buffer.

  *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
     no longer send warning-level unrecognized_name(112) alerts.

  *) http: Make ap_die() robust against any HTTP error code and not modify
     response status (finally logged) when nothing is to be done.

  *) core, modules: Avoid error response/document handling by the core if some
     handler or input filter already did it while reading the request (causing
     a double response body).

  *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
     5+ instead of just for FreeBSD 5.

  *) mod_proxy: use the original (non absolute) form of the request-line's URI
     for requests embedded in CONNECT payloads used to connect SSL backends via
     a ProxyRemote forward-proxy.

  *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
     internationalization.

  *) mod_log_config: Implement logging for sub second timestamps and
     request end time.

  *) mod_log_config: Ensure that time data is consistent if multiple
     duration patterns are used in combination, e.g. %D and %{ms}T.

  *) mod_log_config: Add "%{UNIT}T" format to output request duration in
     seconds, milliseconds or microseconds depending on UNIT ("s", \ 
"ms", "us").

  *) In alignment with RFC 7525, the default recommended SSLCipherSuite
     and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
     default recommended SSLProtocol and SSLProxyProtocol directives now
     exclude SSLv3. Existing configurations must be adjusted by the
     administrator.

  *) core: Avoid potential use of uninitialized (NULL) request data in
     request line error path.

  *) mod_proxy_http: Use the "Connection: close" header for requests to
     backends not recycling connections (disablereuse), including the default
     reverse and forward proxies.

  *) mod_proxy: Add ap_connection_reusable() for checking if a connection
     is reusable as of this point in processing.

  *) mod_proxy: Reuse proxy/balancer workers' parameters and scores across
     graceful restarts, even if new workers are added, old ones removed, or
     the order changes.

  *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.

  *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
     allowing custom parameters to be configured via SSLCertificateFile,
     and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
     Unless custom parameters are configured, the standardized parameters
     are applied based on the certificate's RSA/DSA key size.

  *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
     keys, and unconditionally disable aNULL, eNULL and EXP ciphers
     (not overridable via SSLCipherSuite).

  *) mod_ssl: Add support for configuring persistent TLS session ticket
     encryption/decryption keys (useful for clustered environments).

  *) SSLProtocol and SSLCipherSuite recommendations in the example/default
     conf/extra/httpd-ssl.conf file are now global in scope, affecting all
     VirtualHosts (matching 2.4 default configuration).

  *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the
     selected DB engine.

  *) Turn static function get_server_name_for_url() into public
     ap_get_server_name_for_url() and use it where appropriate. This
     fixes mod_rewrite generating invalid URLs for redirects to IPv6
     literal addresses.

  *) dav_validate_request: avoid validating locks and ETags when there are
     no If headers providing them on a resource we aren't modifying.

  *) mod_ssl: New directive SSLSessionTickets (On|Off).
     The directive controls the use of TLS session tickets (RFC 5077),
     default value is "On" (unchanged behavior).
     Session ticket creation uses a random key created during web
     server startup and recreated during restarts. No other key
     recreation mechanism is available currently. Therefore using session
     tickets without restarting the web server with an appropriate frequency
     (e.g. daily) compromises perfect forward secrecy.

  *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to
     compile against APR-1.2.x (minimum required version).

  *) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts
     computed for subsequent requests.
   2015-06-12 12:52:19 by Thomas Klausner | Files touched by this commit (3152)
Log message:
Recursive PKGREVISION bump for all packages mentioning 'perl',
having a PKGNAME of p5-*, or depending such a package,
for perl-5.22.0.
   2015-05-22 11:20:20 by Stephen Borrill | Files touched by this commit (3)
Log message:
Add patch to mitigate Logjam TLS vulnerabilities (CVE-2015-4000).
Based on FreeBSD ports.
   2014-09-09 10:11:48 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
Changes  2.4.10

  *) SECURITY: CVE-2014-0117 (cve.mitre.org)
     mod_proxy: Fix crash in Connection header handling which
     allowed a denial of service attack against a reverse proxy
     with a threaded MPM.

  *) SECURITY: CVE-2014-3523 (cve.mitre.org)
     Fix a memory consumption denial of service in the WinNT MPM (used in all Windows
     installations). Workaround: AcceptFilter <protocol> {none|connect}

  *) SECURITY: CVE-2014-0226 (cve.mitre.org)
     Fix a race condition in scoreboard handling, which could lead to
     a heap buffer overflow.

  *) SECURITY: CVE-2014-0118 (cve.mitre.org)
     mod_deflate: The DEFLATE input filter (inflates request bodies) now
     limits the length and compression ratio of inflated request bodies to avoid
     denial of sevice via highly compressed bodies.  See directives
     DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
     and DeflateInflateRatioBurst.

  *) SECURITY: CVE-2014-0231 (cve.mitre.org)
     mod_cgid: Fix a denial of service against CGI scripts that do
     not consume stdin that could lead to lingering HTTPD child processes
     filling up the scoreboard and eventually hanging the server.  By
     default, the client I/O timeout (Timeout directive) now applies to
     communication with scripts.  The CGIDScriptTimeout directive can be
     used to set a different timeout for communication with scripts.

  *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
     resumed by TLS session resumption (RFC 5077).

  *) mod_deflate: Don't fail when flushing inflated data to the user-agent
     and that coincides with the end of stream ("Zlib error flushing inflate
     buffer").

  *) mod_proxy_ajp: Forward local IP address as a custom request attribute
     like we already do for the remote port.

  *) core: Include any error notes set by modules in the canned error
     response for 403 errors.

  *) mod_ssl: Set an error note for requests rejected due to
     SSLStrictSNIVHostCheck.

  *) mod_ssl: Fix issue with redirects to error documents when handling
     SNI errors.

  *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
     larger keys and support up to 8192-bit keys.

  *) mod_dav: Fix improper encoding in PROPFIND responses.

  *) WinNT MPM: Improve error handling for termination events in child.

  *) mod_proxy: When ping/pong is configured for a worker, don't send or
     forward "100 Continue" (interim) response to the client if it does
     not expect one.

  *) mod_ldap: Be more conservative with the last-used time for
     LDAPConnectionPoolTTL.

  *) mod_ldap: LDAP connections used for authn were not respecting
     LDAPConnectionPoolTTL.

  *) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.

  *) event MPM: Fix possible crashes (third-party modules accessing c->sbh)
     or occasional missed mod_status updates under load.

  *) mod_authnz_ldap: Support primitive LDAP servers do not accept
     filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
     filter "none" to be specified in AuthLDAPURL.

  *) mod_deflate: Fix inflation of files larger than 4GB.

  *) mod_deflate: Handle Zlib header and validation bytes received in multiple
     chunks.

  *) mod_proxy: Allow reverse-proxy to be set via explicit handler.

  *) ab: support custom HTTP method with -m argument.

  *) mod_proxy_balancer: Correctly encode user provided data in management
     interface.

  *) mod_proxy_fcgi: Support iobuffersize parameter.

  *) mod_auth_form: Add a debug message when the fields on a form are not
     recognised.

  *) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
     response.

  *) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
     scheme.

  *) mod_socache_shmcb: Correct counting of expirations for status display.
     Expirations happening during retrieval were not counted.

  *) mod_cache: Retry unconditional request with the full URL (including the
     query-string) when the origin server's 304 response does not match the
     conditions used to revalidate the stale entry.

  *) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
     variables as a result of AliasMatch.

  *) mod_cache: Don't add cached/revalidated entity headers to a 304 response.

  *) mod_proxy_scgi: Support Unix sockets.  ap_proxy_port_of_scheme():
     Support default SCGI port (4000).

  *) mod_cache: Fix AH00784 errors on Windows when the the CacheLock directive
     is enabled.

  *) mod_expires: don't add Expires header to error responses (4xx/5xx),
     be they generated or forwarded.

  *) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
     (regression in 2.4.9 release)

  *) mod_authn_socache: Fix crash at startup in certain configurations.

  *) mod_ssl: restore argument structure for "exec"-type \ 
SSLPassPhraseDialog
     programs to the form used in releases up to 2.4.7, and emulate
     a backwards-compatible behavior for existing setups.

  *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
     OCSP requests should use a nonce to be checked against the responder's
     one.

  *) mod_ssl: "SSLEngine off" will now override a Listen-based default
     and does disable mod_ssl for the vhost.

  *) mod_lua: Enforce the max post size allowed via r:parsebody()

  *) mod_lua: Use binary comparison to find boundaries for multipart
     objects, as to not terminate our search prematurely when hitting
     a NULL byte.

  *) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
     versions before 0.9.8h and not specifying an SSLCertificateChainFile
     (regression introduced with 2.4.8).

  *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
     no longer send warning-level unrecognized_name(112) alerts,
     and limit startup warnings to cases where an OpenSSL version
     without TLS extension support is used.

  *) mod_proxy_html: Avoid some possible memory access violation in case of
     specially crafted files, when the ProxyHTMLMeta directive is turned on.

  *) mod_auth_form: Make sure the optional functions are loaded even when
     the AuthFormProvider isn't specified.

  *) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
     (and logging garbled file names).

  *) mod_ssl: fix merging of global and vhost-level settings with the
     SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
     directives.

  *) mod_headers: Allow the "value" parameter of Header and \ 
RequestHeader to
     contain an ap_expr expression if prefixed with "expr=".

  *) rotatelogs: Avoid creation of zombie processes when -p is used on
     Unix platforms.

  *) mod_authnz_fcgi: New module to enable FastCGI authorizer
     applications to authenticate and/or authorize clients.

  *) mod_proxy: Do not try to parse the regular expressions passed by
     ProxyPassMatch as URL as they do not follow their syntax.

  *) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
     under the Event MPM.

  *) mod_proxy_fcgi: Fix sending of response without some HTTP headers
     that might be set by filters.

  *) mod_proxy_html: Do not delete the wrong data from HTML code when a
     "http-equiv" meta tag specifies a Content-Type behind any other
     "http-equiv" meta tag.

  *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
     differs.

  *) Add suspend_connection and resume_connection hooks to notify modules
     when the thread/connection relationship changes.  (Should be implemented
     for any third-party async MPMs.)

  *) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine
     hangups from websockets origin servers.

  *) mod_proxy_wstunnel: Don't pool backend websockets connections,
     because we need to handshake every time.

  *) mod_lua: Redesign how request record table access behaves,
     in order to utilize the request record from within these tables.

  *) mod_lua: Add r:wspeek for peeking at WebSocket frames.

  *) mod_lua: Log an error when the initial parsing of a Lua file fails.

  *) mod_lua: Reformat and escape script error output.

  *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
     from causing response splitting.

  *) mod_lua: Disallow newlines in table values inside the request_rec,
     to prevent HTTP Response Splitting via tainted headers.

  *) mod_lua: Remove the non-working early/late arguments for
     LuaHookCheckUserID.

  *) mod_lua: Change IVM storage to use shm

  *) mod_lua: More verbose error logging when a handler function cannot be
     found.
   2014-08-20 11:09:32 by OBATA Akio | Files touched by this commit (1) | Package updated
Log message:
After four years of the update, such migration is not required anymore.
   2014-05-30 01:38:20 by Thomas Klausner | Files touched by this commit (3049)
Log message:
Bump for perl-5.20.0.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
   2014-03-28 12:25:43 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
Changes 2.2.27:

  *) SECURITY: CVE-2014-0098 (cve.mitre.org)
     Clean up cookie logging with fewer redundant string parsing passes.
     Log only cookies with a value assignment. Prevents segfaults when
     logging truncated cookies.

  *) SECURITY: CVE-2013-6438 (cve.mitre.org)
     mod_dav: Keep track of length of cdata properly when removing
     leading spaces. Eliminates a potential denial of service from
     specifically crafted DAV WRITE requests

  *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
     TE/CL conflicts.

  *) mod_proxy_http: Core dumped under high load. PR 50335.

  *) proxy_util: NULL terminate the right buffer in 'send_http_connect'.

  *) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
     is equivalent to <ProxyMatch wildcard-url>.

  *) mod_ldap: Fix a potential memory leak or corruption.

  *) mod_ssl: Do not perform SNI / Host header comparison in case of a
     forward proxy request.

  *) mod_rewrite: Add mod_rewrite.h to the headers installed on Windows.
   2014-03-11 15:34:41 by Jonathan Perkin | Files touched by this commit (99)
Log message:
Import initial SMF support for individual packages.