./www/apache24, Apache HTTP (Web) server, version 2.4

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.4.16, Package name: apache-2.4.16, Maintainer: ryoon

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for various modern desktop and server operating
systems, such as UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server which provides HTTP
services in sync with the current HTTP standards.

This package tracks 2.4.x release.


Required to run:
[devel/apr] [devel/apr-util] [devel/pcre] [devel/readline]


Package options: apache-mpm-event, apache-mpm-prefork, apache-mpm-worker

Master sites: (Expand)

SHA1: 9963e7482700dd50c53e47abfe2d1c5068875a9c
RMD160: ff29b1885d39e4ee96efdd6678c0881c921dedd8
Filesize: 4981.45 KB

Version history: (Expand)


CVS history: (Expand)


   2015-09-01 10:26:05 by Jonathan Perkin | Files touched by this commit (2)
Log message:
Add mod_session_crypto if apr-util is built with ssl.
   2015-07-20 02:08:35 by Takahiro Kambe | Files touched by this commit (5) | Package removed
Log message:
Update apache24 to 2.4.16 (Apache HTTP Server 2.4.16).

        Apache HTTP Server 2.4.16 Released

The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.16 of the Apache
HTTP Server ("Apache").  This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
principally a security, feature and bug fix release. NOTE: versions
2.4.13, 2.4.14 and 2.4.15 were not released.

CVE-2015-3183 (cve.mitre.org)
core: Fix chunk header parsing defect.
Remove apr_brigade_flatten(), buffering and duplicated code from
the HTTP_IN filter, parse chunks in a single pass with zero copy.
Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters.

CVE-2015-3185 (cve.mitre.org)
Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
with new ap_some_authn_required and ap_force_authn hook.

CVE-2015-0253 (cve.mitre.org)
core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
with the INCLUDES filter active, introduced in 2.4.11. PR 57531.

CVE-2015-0228 (cve.mitre.org)
mod_lua: A maliciously crafted websockets PING after a script
calls r:wsupgrade() can cause a child process crash.

Also in this release are some exciting new features including:

*) Better default recommended SSLCipherSuite and SSLProxyCipherSuite
*) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
response header to be used by the application
*) Event MPM improvements
*) Various mod_proxy_* improvements
*) mod_log_config: Add "%{UNIT}T" format to output request duration in
seconds, milliseconds or microseconds depending on UNIT ("s", \ 
"ms",
"us")
   2015-06-26 21:25:12 by Ryo ONODERA | Files touched by this commit (2)
Log message:
Fix configure stage error when both of -apache-mpm-event and
-apache-mpm-worker is set.
And fix PLIST mismatch error.
   2015-06-12 12:52:19 by Thomas Klausner | Files touched by this commit (3152)
Log message:
Recursive PKGREVISION bump for all packages mentioning 'perl',
having a PKGNAME of p5-*, or depending such a package,
for perl-5.22.0.
   2015-06-11 17:38:48 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
Add fix for CVE-2015-0253.

Bump PKGREVISION.
   2015-03-28 07:28:04 by Ryo ONODERA | Files touched by this commit (2)
Log message:
Fix CVE-2015-0228 (lua module) with upstream patch.
lua module is not enabled by default.
   2015-02-02 15:45:51 by Adam Ciarcinski | Files touched by this commit (5)
Log message:
Changes 2.4.12:

* CVE-2014-3583 mod_proxy_fcgi: Fix a potential crash due to buffer over-read, \ 
with response headers' size above 8K.
* CVE-2014-3581 mod_cache: Avoid a crash when Content-Type has an empty value. \ 
PR 56924.
* CVE-2014-8109 mod_lua: Fix handling of the Require line when a \ 
LuaAuthzProvider is used in multiple Require directives with different \ 
arguments.
* CVE-2013-5704 core: HTTP trailers could be used to replace HTTP headers late \ 
during request processing, potentially undoing or otherwise confusing modules \ 
that examined or modified request headers earlier. Adds \ 
"MergeTrailers" directive to restore legacy behavior.

* Proxy FGI and websockets improvements
* Proxy capability via handler
* Finer control over scoping of RewriteRules
* Unix Domain Socket (UDS) support for mod_proxy backends.
* Support for larger shared memory sizes for mod_socache_shmcb
* mod_lua and mod_ssl enhancements
* Support named groups and backreferences within the LocationMatch, \ 
DirectoryMatch, FilesMatch and ProxyMatch directives.
   2015-01-22 21:02:37 by Matthias Scheler | Files touched by this commit (3)
Log message:
Add fix for CVE-2014-8109 taken for Apache SVN repository.