./www/apache24, Apache HTTP (Web) server, version 2.4

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 2.4.10nb3, Package name: apache-2.4.10nb3, Maintainer: ryoon

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for various modern desktop and server operating
systems, such as UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server which provides HTTP
services in sync with the current HTTP standards.

This package tracks 2.4.x release.

Required to run:
[devel/apr] [devel/apr-util] [devel/pcre] [devel/readline]

Package options: apache-mpm-event, apache-mpm-prefork, apache-mpm-worker

Master sites: (Expand)

SHA1: 00f5c3f8274139bd6160eda2cf514fa9b74549e5
RMD160: 254f4b9b8cc4e151aa46973311077baa0a3daad3
Filesize: 4913.9 KB

Version history: (Expand)

CVS history: (Expand)

   2015-01-22 21:02:37 by Matthias Scheler | Files touched by this commit (3)
Log message:
Add fix for CVE-2014-8109 taken for Apache SVN repository.
   2014-10-20 00:27:48 by Alexander Nasonov | Files touched by this commit (59) | Package updated
Log message:
Revbump after lang/lua51 update.
   2014-10-08 06:27:18 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
Add patch for CVE-2014-3581.

   2014-07-23 12:34:02 by Matthias Scheler | Files touched by this commit (3) | Package updated
Log message:
Update "apache24" package to version 2.4.10. Changes since 2.4.9:
- SECURITY: CVE-2014-0117 (cve.mitre.org)
  mod_proxy: Fix crash in Connection header handling which
  allowed a denial of service attack against a reverse proxy
  with a threaded MPM.  [Ben Reser]
- SECURITY: CVE-2014-0226 (cve.mitre.org)
  Fix a race condition in scoreboard handling, which could lead to
  a heap buffer overflow.  [Joe Orton, Eric Covener]
- SECURITY: CVE-2014-0118 (cve.mitre.org)
  mod_deflate: The DEFLATE input filter (inflates request bodies) now
  limits the length and compression ratio of inflated request bodies to avoid
  denial of sevice via highly compressed bodies.  See directives
  DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
  and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
- SECURITY: CVE-2014-0231 (cve.mitre.org)
  mod_cgid: Fix a denial of service against CGI scripts that do
  not consume stdin that could lead to lingering HTTPD child processes
  filling up the scoreboard and eventually hanging the server.  By
  default, the client I/O timeout (Timeout directive) now applies to
  communication with scripts.  The CGIDScriptTimeout directive can be
  used to set a different timeout for communication with scripts.
  [Rainer Jung, Eric Covener, Yann Ylavic]
- mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
  resumed by TLS session resumption (RFC 5077). [Rainer Jung]
- mod_deflate: Don't fail when flushing inflated data to the user-agent
  and that coincides with the end of stream ("Zlib error flushing inflate
  buffer"). Bug 56196. [Christoph Fausak <christoph fausak \ 
- mod_proxy_ajp: Forward local IP address as a custom request attribute
  like we already do for the remote port. [Rainer Jung]
- core: Include any error notes set by modules in the canned error
  response for 403 errors.  [Jeff Trawick]
- mod_ssl: Set an error note for requests rejected due to
  SSLStrictSNIVHostCheck.  [Jeff Trawick]
- mod_ssl: Fix issue with redirects to error documents when handling
  SNI errors.  [Jeff Trawick]
- mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
  larger keys and support up to 8192-bit keys.  [Ruediger Pluem,
  Joe Orton]
- mod_dav: Fix improper encoding in PROPFIND responses.  Bug 56480.
  [Ben Reser]
- WinNT MPM: Improve error handling for termination events in child.
  [Jeff Trawick]
- mod_proxy: When ping/pong is configured for a worker, don't send or
  forward "100 Continue" (interim) response to the client if it does
  not expect one. [Yann Ylavic]
- mod_ldap: Be more conservative with the last-used time for
  LDAPConnectionPoolTTL. Bug 54587 [Eric Covener]
- mod_ldap: LDAP connections used for authn were not respecting
  LDAPConnectionPoolTTL. Bug 54587 [Eric Covener]
- mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.
  [Jeff Trawick]
- event MPM: Fix possible crashes (third-party modules accessing c->sbh)
  or occasional missed mod_status updates under load. Bug 56639.
  [Edward Lu <Chaosed0 gmail com>]
- mod_authnz_ldap: Support primitive LDAP servers do not accept
  filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
  filter "none" to be specified in AuthLDAPURL. [Eric Covener]
- mod_deflate: Fix inflation of files larger than 4GB. Bug 56062.
  [Lukas Bezdicka <social v3.sk>]
- mod_deflate: Handle Zlib header and validation bytes received in multiple
  chunks. Bug 46146. [Yann Ylavic]
- mod_proxy: Allow reverse-proxy to be set via explicit handler.
  [ryo takatsuki <ryotakatsuki gmail com>]
- ab: support custom HTTP method with -m argument. Bug 56604.
  [Roman Jurkov <winfinit gmail.com>]
- mod_proxy_balancer: Correctly encode user provided data in management
  interface. Bug 56532 [Maksymilian, <max cert.cx>]
- mod_proxy_fcgi: Support iobuffersize parameter.  [Jeff Trawick]
- mod_auth_form: Add a debug message when the fields on a form are not
  recognised. [Graham Leggett]
- mod_cache: Preserve non-cacheable headers forwarded from an origin 304
  response. Bug 55547.  [Yann Ylavic]
- mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
  scheme. Bug 55320. [Alex Liu <alex.leo.ca gmail.com>]
- mod_socache_shmcb: Correct counting of expirations for status display.
  Expirations happening during retrieval were not counted. [Rainer Jung]
- mod_cache: Retry unconditional request with the full URL (including the
  query-string) when the origin server's 304 response does not match the
  conditions used to revalidate the stale entry.  [Yann Ylavic].
- mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
  variables as a result of AliasMatch. [Eric Covener]
- mod_cache: Don't add cached/revalidated entity headers to a 304 response.
  Bug 55547.  [Yann Ylavic]
- mod_proxy_scgi: Support Unix sockets.  ap_proxy_port_of_scheme():
  Support default SCGI port (4000).  [Jeff Trawick]
- mod_expires: don't add Expires header to error responses (4xx/5xx),
  be they generated or forwarded. Bug 55669.  [Yann Ylavic]
- mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
  (regression in 2.4.9 release) [Jeff Trawick]
- mod_authn_socache: Fix crash at startup in certain configurations.
  Bug 56371. (regression in 2.4.7) [Jan Kaluza]
- mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
  programs to the form used in releases up to 2.4.7, and emulate
  a backwards-compatible behavior for existing setups. [Kaspar Brand]
- mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
  OCSP requests should use a nonce to be checked against the responder's
  one. Bug 56233. [Yann Ylavic, Kaspar Brand]
- mod_ssl: "SSLEngine off" will now override a Listen-based default
  and does disable mod_ssl for the vhost.  [Joe Orton]
- mod_lua: Enforce the max post size allowed via r:parsebody()
  [Daniel Gruno]
- mod_lua: Use binary comparison to find boundaries for multipart
  objects, as to not terminate our search prematurely when hitting
  a NULL byte. [Daniel Gruno]
- mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
  versions before 0.9.8h and not specifying an SSLCertificateChainFile
  (regression introduced with 2.4.8). Bug 56410. [Kaspar Brand]
- mod_ssl: bring SNI behavior into better conformance with RFC 6066:
  no longer send warning-level unrecognized_name(112) alerts,
  and limit startup warnings to cases where an OpenSSL version
  without TLS extension support is used. Bug 56241. [Kaspar Brand]
- mod_proxy_html: Avoid some possible memory access violation in case of
  specially crafted files, when the ProxyHTMLMeta directive is turned on.
  Follow up of Bug 56287 [Christophe Jaillet]
- mod_auth_form: Make sure the optional functions are loaded even when
  the AuthFormProvider isn't specified. [Graham Leggett]
- mod_ssl: avoid processing bogus SSLCertificateKeyFile values
  (and logging garbled file names). Bug 56306. [Kaspar Brand]
- mod_ssl: fix merging of global and vhost-level settings with the
  SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
  directives. Bug 56353. [Kaspar Brand]
- mod_headers: Allow the "value" parameter of Header and RequestHeader to
  contain an ap_expr expression if prefixed with "expr=". [Eric Covener]
- rotatelogs: Avoid creation of zombie processes when -p is used on
  Unix platforms.  [Joe Orton]
- mod_authnz_fcgi: New module to enable FastCGI authorizer
  applications to authenticate and/or authorize clients.
  [Jeff Trawick]
- mod_proxy: Do not try to parse the regular expressions passed by
  ProxyPassMatch as URL as they do not follow their syntax.
  Bug 56074. [Ruediger Pluem]
- mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
  under the Event MPM. Bug 56216.  [Frank Meier <frank meier ergon ch>]
- mod_proxy_fcgi: Fix sending of response without some HTTP headers
  that might be set by filters.  [Jim Riggs <jim riggs.me>]
- mod_proxy_html: Do not delete the wrong data from HTML code when a
  "http-equiv" meta tag specifies a Content-Type behind any other
  "http-equiv" meta tag. Bug 56287 [Micha Lenk <micha lenk info>]
- mod_proxy: Don't reuse a SSL backend connection whose requested SNI
  differs. Bug 55782.  [Yann Ylavic]
- Add suspend_connection and resume_connection hooks to notify modules
  when the thread/connection relationship changes.  (Should be implemented
  for any third-party async MPMs.)  [Jeff Trawick]
- mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine
  hangups from websockets origin servers. Bug 56299
  [Yann Ylavic, Edward Lu <Chaosed0 gmail com>, Eric Covener]
- mod_proxy_wstunnel: Don't pool backend websockets connections,
  because we need to handshake every time. Bug 55890.
  [Eric Covener]
- mod_lua: Redesign how request record table access behaves,
  in order to utilize the request record from within these tables.
  [Daniel Gruno]
- mod_lua: Add r:wspeek for peeking at WebSocket frames. [Daniel Gruno]

- mod_lua: Log an error when the initial parsing of a Lua file fails.
  [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
- mod_lua: Reformat and escape script error output.
  [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
- mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
  from causing response splitting.
  [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
- mod_lua: Disallow newlines in table values inside the request_rec,
  to prevent HTTP Response Splitting via tainted headers.
  [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
- mod_lua: Remove the non-working early/late arguments for
  LuaHookCheckUserID. [Daniel Gruno]
- mod_lua: Change IVM storage to use shm [Daniel Gruno]
- mod_lua: More verbose error logging when a handler function cannot be
  found. [Daniel Gruno]
   2014-06-23 13:49:36 by Thomas Klausner | Files touched by this commit (3) | Package updated
Log message:
Fix path to apache_runtime_status file.
From ISIHARA Takanori in PR 48939.
   2014-05-30 01:38:20 by Thomas Klausner | Files touched by this commit (3049)
Log message:
Bump for perl-5.20.0.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
   2014-05-03 15:01:25 by Alexander Nasonov | Files touched by this commit (33)
Log message:
Adapt to Lua multiversion support.
   2014-03-18 21:09:08 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
Changes 2.4.9:
*) mod_ssl: Work around a bug in some older versions of OpenSSL that
   would cause a crash in SSL_get_certificate for servers where the
   certificate hadn't been sent.
*) mod_lua: Add a fixups hook that checks if the original request is intended
   for LuaMapHandler. This fixes a bug where FallbackResource invalidates the
   LuaMapHandler directive in certain cases by changing the URI before the map
   handler code executes

Changes 2.4.8:
*) SECURITY: CVE-2014-0098 (cve.mitre.org)
   Clean up cookie logging with fewer redundant string parsing passes.
   Log only cookies with a value assignment. Prevents segfaults when
   logging truncated cookies.
*) SECURITY: CVE-2013-6438 (cve.mitre.org)
   mod_dav: Keep track of length of cdata properly when removing
   leading spaces. Eliminates a potential denial of service from
   specifically crafted DAV WRITE requests
*) core: Support named groups and backreferences within the LocationMatch,
   DirectoryMatch, FilesMatch and ProxyMatch directives. (Requires
   non-ancient PCRE library)
*) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
   TE/CL conflicts.
*) mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping
   execution when a handler is already set.
*) mod_ssl: Do not perform SNI / Host header comparison in case of a
   forward proxy request.
*) mod_ssl: Remove the hardcoded algorithm-type dependency for the
   SSLCertificateFile and SSLCertificateKeyFile directives, to enable
   future algorithm agility, and deprecate the SSLCertificateChainFile
   directive (obsoleted by SSLCertificateFile).
*) mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
   and IgnoreInherit to allow RewriteRules to be pushed from parent scopes
   to child scopes without explicitly configuring each child scope.
*) prefork: Fix long delays when doing a graceful restart.
*) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
   5+ instead of just for FreeBSD 5.
*) mod_proxy_wstunnel: Avoid busy loop on client errors, drop message
   IDs 02445, 02446, and 02448 to TRACE1 from DEBUG.
*) mod_remoteip: Correct the trusted proxy match test.
*) mod_proxy_fcgi: Fix error message when an unexpected protocol version
   number is received from the application.
*) mod_remoteip: Use the correct IP addresses to populate the proxy_ips field.
*) mod_lua: Update r:setcookie() to accept a table of options and add domain,
   path and httponly to the list of options available to set.
*) mod_lua: Fix r:setcookie() to add, rather than replace,
   the Set-Cookie header.
*) mod_lua: Allow for database results to be returned as a hash with
   row-name/value pairs instead of just row-number/value.
*) mod_rewrite: Add %{CONN_REMOTE_ADDR} as the non-useragent counterpart to
*) WinNT MPM: If ap_run_pre_connection() fails or sets c->aborted, don't
   save the socket for reuse by the next worker as if it were an
   APR_SO_DISCONNECTED socket. Restores 2.2 behavior.
*) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a URL
   that was just rewritten by mod_rewrite.
*) mod_session: When we have a session we were unable to decode,
   behave as if there was no session at all.
*) mod_session: Fix problems interpreting the SessionInclude and
   SessionExclude configuration.
*) mod_authn_core: Allow <AuthnProviderAlias>'es to be seen from auth
   stanzas under virtual hosts.
*) mod_proxy_fcgi: Use apr_socket_timeout_get instead of hard-coded
   30 seconds timeout.
*) mod_proxy: Added support for unix domain sockets as the
   backend server endpoint
*) build: only search for modules (config*.m4) in known subdirectories, see
*) mod_cache_disk: Fix potential hangs on Windows when using mod_cache_disk.
*) mod_ssl: Add support for OpenSSL configuration commands by introducing
   the SSLOpenSSLConfCmd directive.
*) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
   is equivalent to <ProxyMatch wildcard-url>.
*) mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
   mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
   require directives.
*) mod_proxy_http: Core dumped under high load.
*) mod_socache_shmcb.c: Remove arbitrary restriction on shared memory size
   previously limited to 64MB.
*) mod_lua: Use binary copy when dealing with uploads through r:parsebody()
   to prevent truncating files.