./www/apache24, Apache HTTP (Web) server, version 2.4

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: pkgsrc-2018Q4, Version: 2.4.38, Package name: apache-2.4.38, Maintainer: ryoon

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for various modern desktop and server operating
systems, such as UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server which provides HTTP
services in sync with the current HTTP standards.

This package tracks 2.4.x release.


Required to run:
[devel/readline] [devel/apr] [devel/pcre] [devel/apr-util] [www/nghttp2]

Required to build:
[pkgtools/cwrappers]

Package options: apache-mpm-event, apache-mpm-prefork, apache-mpm-worker, http2

Master sites: (Expand)

SHA1: 810de74ea3ee59ff3205f2a46436fc1dcce4e4ab
RMD160: 192484b6c8714246a562dd187ea1bfce01e17014
Filesize: 6870.146 KB

Version history: (Expand)

CVS history: (Expand)


   2019-01-29 14:58:59 by Benny Siegert | Files touched by this commit (2) | Package updated
Log message:
Pullup ticket #5903 - requested by taca
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.76
- www/apache24/distinfo                                         1.39

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Wed Jan 23 12:04:18 UTC 2019

   Modified Files:
   	pkgsrc/www/apache24: Makefile distinfo

   Log message:
   apache24: updated to 2.4.38

   Changes with Apache 2.4.38
   *) SECURITY: CVE-2018-17199 (cve.mitre.org)
      mod_session: mod_session_cookie does not respect expiry time allowing
      sessions to be reused.
   *) SECURITY: CVE-2018-17189 (cve.mitre.org)
      mod_http2: fixes a DoS attack vector. By sending slow request bodies
      to resources not consuming them, httpd cleanup code occupies a server
      thread unnecessarily. This was changed to an immediate stream reset
      which discards all stream state and incoming data.
   *) SECURITY: CVE-2019-0190 (cve.mitre.org)
      mod_ssl: Fix infinite loop triggered by a client-initiated
      renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
      later.
   *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
   *) mod_negotiation: Treat LanguagePriority as case-insensitive to match
      AddLanguage behavior and HTTP specification.
   *) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
      have been fixed.
   *) mod_setenvif: We can have expressions that become true if a regex pattern
      in the expression does NOT match. In this case val is NULL
      and we should just set the value for the environment variable
      like in the pattern case.
   *) mod_session: Always decode session attributes early.
   *) core: Incorrect values for environment variables are substituted when
      multiple environment variables are specified in a directive.
   *) mod_rewrite: Only create the global mutex used by "RewriteMap \ 
prg:" when
      this type of map is present in the configuration.
   *) mod_dav: Fix invalid Location header when a resource is created by
      passing an absolute URI on the request line
   *) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
   *) mod_ssl: clear *SSL errors before loading certificates and checking
      afterwards. Otherwise errors are reported when other SSL using modules
      are in play.
   *) mod_ssl: Fix the error code returned in an error path of
      'ssl_io_filter_handshake()'. This messes-up error handling performed
      in 'ssl_io_filter_error()'
   *) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
      authz provider so "Require ssl" works correctly in HTTP/2.
   *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
      redirects, subsequent ProxyPassReverse statements, whether they are
      relative or absolute, may fail.
   *) mod_lua: Now marked as a stable module