./www/apache24, Apache HTTP (Web) server, version 2.4

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.4.38, Package name: apache-2.4.38, Maintainer: ryoon

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for various modern desktop and server operating
systems, such as UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server which provides HTTP
services in sync with the current HTTP standards.

This package tracks 2.4.x release.


Required to run:
[devel/apr] [devel/apr-util] [devel/pcre] [devel/readline] [www/nghttp2]

Required to build:
[pkgtools/cwrappers]

Package options: apache-mpm-event, apache-mpm-prefork, apache-mpm-worker, http2

Master sites: (Expand)

SHA1: 810de74ea3ee59ff3205f2a46436fc1dcce4e4ab
RMD160: 192484b6c8714246a562dd187ea1bfce01e17014
Filesize: 6870.146 KB

Version history: (Expand)


CVS history: (Expand)


   2019-01-23 13:04:18 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
apache24: updated to 2.4.38

Changes with Apache 2.4.38
*) SECURITY: CVE-2018-17199 (cve.mitre.org)
   mod_session: mod_session_cookie does not respect expiry time allowing
   sessions to be reused.
*) SECURITY: CVE-2018-17189 (cve.mitre.org)
   mod_http2: fixes a DoS attack vector. By sending slow request bodies
   to resources not consuming them, httpd cleanup code occupies a server
   thread unnecessarily. This was changed to an immediate stream reset
   which discards all stream state and incoming data.
*) SECURITY: CVE-2019-0190 (cve.mitre.org)
   mod_ssl: Fix infinite loop triggered by a client-initiated
   renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
   later.
*) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
*) mod_negotiation: Treat LanguagePriority as case-insensitive to match
   AddLanguage behavior and HTTP specification.
*) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
   have been fixed.
*) mod_setenvif: We can have expressions that become true if a regex pattern
   in the expression does NOT match. In this case val is NULL
   and we should just set the value for the environment variable
   like in the pattern case.
*) mod_session: Always decode session attributes early.
*) core: Incorrect values for environment variables are substituted when
   multiple environment variables are specified in a directive.
*) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
   this type of map is present in the configuration.
*) mod_dav: Fix invalid Location header when a resource is created by
   passing an absolute URI on the request line
*) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
*) mod_ssl: clear *SSL errors before loading certificates and checking
   afterwards. Otherwise errors are reported when other SSL using modules
   are in play.
*) mod_ssl: Fix the error code returned in an error path of
   'ssl_io_filter_handshake()'. This messes-up error handling performed
   in 'ssl_io_filter_error()'
*) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
   authz provider so "Require ssl" works correctly in HTTP/2.
*) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
   redirects, subsequent ProxyPassReverse statements, whether they are
   relative or absolute, may fail.
*) mod_lua: Now marked as a stable module
   2018-12-13 20:52:27 by Adam Ciarcinski | Files touched by this commit (668)
Log message:
revbump for boost 1.69.0
   2018-10-24 12:08:00 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
apache24: updated to 2.4.37

Changes with Apache 2.4.37

  *) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1.

  *) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
     when client certificates are available from the original handshake
     but were originally not verified and should get verified now.
     This is a regression in 2.4.36 (unreleased).

  *) mod_ssl: Correctly merge configurations that have client certificates set
     by SSLProxyMachineCertificate{File|Path}.

Changes with Apache 2.4.36

  *) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
     responses. Regression introduced in 2.4.35.

  *) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
     body of the response.

  *) mod_http2: adding defensive code for stream EOS handling, in case the \ 
request handler
     missed to signal it the normal way (eos buckets).

  *) ab: Add client certificate support.

  *) ab: Disable printing temp key for OpenSSL before
     version 1.0.2. SSL_get_server_tmp_key is not available
     there.

  *) mod_ssl: Fix a regression that the configuration settings for verify mode
     and verify depth were taken from the frontend connection in case of
     connections by the proxy to the backend.

  *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
     before signals handling to avoid lifetime issues on restart or shutdown.

  *) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3.  TLSv1.3 has
     behavioural changes compared to v1.2 and earlier; client and
     configuration changes should be expected.  SSLCipherSuite is
     enhanced for TLSv1.3 ciphers, but applies at vhost level only.

  *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
     should be accepted after the authorization scheme. \t are also tolerated.

  *) mod_proxy_hcheck: Fix issues with interval determination.

  *) mod_proxy_hcheck: Fix issues with TCP health checks.

  *) mod_proxy_hcheck: take balancer's SSLProxy* directives into account.

  *) mod_status, mod_echo: Fix the display of client addresses.
    They were truncated to 31 characters which is not enough for IPv6 addresses.
    This is done by deprecating the use of the 'client' field and using
    the new 'client64' field in worker_score.
   2018-09-24 09:37:47 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
apache24: updated to 2.4.35

Changes with Apache 2.4.35

*) http: Enforce consistently no response body with both 204 and 304
   statuses.

*) mod_status: Cumulate CPU time of exited child processes in the
   "cu" and "cs" values. Add CPU time of the parent process \ 
to the
   "c" and "s" values.

*) mod_proxy: Improve the balancer member data shown in mod_status when
   "ProxyStatus" is "On": add "busy" count and \ 
show byte counts in
   auto mode always in units of kilobytes.

*) mod_status: Add cumulated response duration time in milliseconds.

*) mod_status: Complete the data shown for async MPMs in "auto" mode.
   Added number of processes, number of stopping processes and number
   of busy and idle workers.

*) mod_ratelimit: Don't interfere with "chunked" encoding, fixing \ 
regression
   introduced in 2.4.34.

*) mod_proxy: Remove load order and link dependency between mod_lbmethod_*
   modules and mod_proxy.

*) Allow the argument to <IfFile>, <IfDefine>, <IfSection>, \ 
<IfDirective>,
   and <IfModule> to be quoted.  This is primarily for the benefit of
   <IfFile>.

*) mod_watchdog: Correct some log messages.

*) mod_md: When the last domain name from an MD is moved to another one,
   that now empty MD gets moved to the store archive.

*) mod_ssl: Fix merging of SSLOCSPOverrideResponder.

*) mod_proxy_balancer: Restore compatibility with APR 1.4.
   2018-08-22 11:48:07 by Thomas Klausner | Files touched by this commit (3558)
Log message:
Recursive bump for perl5-5.28.0
   2018-08-16 20:55:17 by Adam Ciarcinski | Files touched by this commit (653) | Package updated
Log message:
revbump after boost-libs update
   2018-07-19 10:53:58 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
apache24: updated to 2.4.34

Apache 2.4.34
*) SECURITY: CVE-2018-8011 (cve.mitre.org)
   mod_md: DoS via Coredumps on specially crafted requests
*) SECURITY: CVE-2018-1333 (cve.mitre.org)
   mod_http2: DoS for HTTP/2 connections by specially crafted requests
*) Introduce zh-cn and zh-tw (simplified and traditional Chinese) error
   document translations.
*) event: avoid possible race conditions with modules on the child pool.
*) mod_proxy: Fix a corner case where the ProxyPassReverseCookieDomain or
   ProxyPassReverseCookiePath directive could fail to update correctly
   'domain=' or 'path=' in the 'Set-Cookie' header.
*) mod_ratelimit: fix behavior when proxing content.
*) core: Re-allow '_' (underscore) in hostnames.
*) mod_authz_core: If several parameters are used in a AuthzProviderAlias
   directive, if these parameters are not enclosed in quotation mark, only
   the first one is handled. The other ones are silently ignored.
   Add a message to warn about such a spurious configuration.
*) mod_md: improvements and bugfixes
   - MDNotifyCmd now takes additional parameter that are passed on to the called \ 
command.
   - ACME challenges have better checks for interference with other modules
   - ACME challenges are only handled for domains managed by the module, allowing
     other ACME clients to operate for other domains in the server.
   - better libressl integration
*) mod_proxy_wstunnel: Add default schema ports for 'ws' and 'wss'.
*) logging: Some early logging-related startup messages could be lost
   when using syslog for the global ErrorLog.
*) mod_cache: Handle case of an invalid Expires header value RFC compliant
   like the case of an Expires time in the past: allow to overwrite the
   non-caching decision using CacheStoreExpired and respect Cache-Control
   "max-age" and "s-maxage".
*) mod_xml2enc: Fix forwarding of error metadata/responses.
*) mod_proxy_http: Fix response header thrown away after the previous one
   was considered too large and truncated.
*) core: Add and handle AP_GETLINE_NOSPC_EOL flag for ap_getline() family
   of functions to consume the end of line when the buffer is exhausted.
*) mod_proxy_http: Add new worker parameter 'responsefieldsize' to
   allow maximum HTTP response header size to be increased past 8192
   bytes.
*) mod_ssl: Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf
   of a certificate chain.
*) http: Fix small memory leak per request when handling persistent
   connections.
*) mod_proxy_html: Fix variable interpolation and memory allocation failure
   in ProxyHTMLURLMap.
*) mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30.
*) mod_remoteip: When overriding the useragent address from X-Forwarded-For,
   zero out what had been initialized as the connection-level port.
*) core: In ONE_PROCESS/debug mode, cleanup everything when exiting.
*) mod_proxy_balancer: Add hot spare member type and corresponding flag (R).
   Hot spare members are used as drop-in replacements for unusable workers
   in the same load balancer set. This differs from hot standbys which are
   only used when all workers in a set are unusable.
*) suexec: Add --enable-suexec-capabilites support on Linux, to use
   setuid/setgid capability bits rather than a setuid root binary.
*) suexec: Add support for logging to syslog as an alternative to
   logging to a file; use --without-suexec-logfile --with-suexec-syslog.
*) mod_ssl: Restore 2.4.29 behaviour in SSL vhost merging/enabling
   which broke some rare but previously-working configs.
*) core, log: improve sanity checks for the ErrorLog's syslog config, and
   explicitly allow only lowercase 'syslog' settings.
*) mod_http2: accurate reporting of h2 data input/output per request via
   mod_logio. Fixes an issue where output sizes where counted n-times on
   reused slave connections.
*) mod_http2: Fix unnecessary timeout waits in case streams are aborted.
*) mod_http2: restoring the v1.10.16 keepalive timeout behaviour of mod_http2.
*) mod_proxy: Do not restrict the maximum pool size for backend connections
   any longer by the maximum number of threads per process and use a better
   default if mod_http2 is loaded.
*) mod_slotmem_shm: Add generation number to shm filename to fix races
   with graceful restarts.
*) core: Preserve the original HTTP request method in the '%<m' LogFormat
   when an path-based ErrorDocument is used.
*) mod_remoteip: make proxy-protocol work on slave connections, e.g. in
   HTTP/2 requests.
*) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections,
   regression introduced in 2.4.30.
*) mod_md: Fix compilation with OpenSSL before version 1.0.2.
*) mod_dumpio: do nothing below log level TRACE7.
*) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
*) core: On ECBDIC platforms, some errors related to oversized headers
   may be misreported or be logged as ASCII escapes.
*) mod_ssl: Fix cmake-based build.
*) core: Add <IfFile>, <IfDirective> and <IfSection> conditional
   section containers.
   2018-07-04 15:40:45 by Jonathan Perkin | Files touched by this commit (423)
Log message:
*: Move SUBST_STAGE from post-patch to pre-configure

Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.