Subject: CVS commit: [pkgsrc-2013Q4] pkgsrc/www/apache24
From: S.P.Zeidler
Date: 2014-03-21 09:02:35
Message id: 20140321080235.5DBA596@cvs.netbsd.org

Log Message:
Pullup ticket #4349 - requested by tron
www/apache24: security update

Revisions pulled up:
- www/apache24/Makefile                                         1.26
- www/apache24/PLIST                                            1.15
- www/apache24/distinfo                                         1.13

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Tue Mar 18 20:09:08 UTC 2014

   Modified Files:
   	pkgsrc/www/apache24: Makefile PLIST distinfo

   Log Message:
   Changes 2.4.9:
   *) mod_ssl: Work around a bug in some older versions of OpenSSL that
      would cause a crash in SSL_get_certificate for servers where the
      certificate hadn't been sent.
   *) mod_lua: Add a fixups hook that checks if the original request is intend=
   ed
      for LuaMapHandler. This fixes a bug where FallbackResource invalidates t=
   he
      LuaMapHandler directive in certain cases by changing the URI before the =
   map
      handler code executes

   Changes 2.4.8:
   *) SECURITY: CVE-2014-0098 (cve.mitre.org)
      Clean up cookie logging with fewer redundant string parsing passes.
      Log only cookies with a value assignment. Prevents segfaults when
      logging truncated cookies.
   *) SECURITY: CVE-2013-6438 (cve.mitre.org)
      mod_dav: Keep track of length of cdata properly when removing
      leading spaces. Eliminates a potential denial of service from
      specifically crafted DAV WRITE requests
   *) core: Support named groups and backreferences within the LocationMatch,
      DirectoryMatch, FilesMatch and ProxyMatch directives. (Requires
      non-ancient PCRE library)
   *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
      TE/CL conflicts.
   *) mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping
      execution when a handler is already set.
   *) mod_ssl: Do not perform SNI / Host header comparison in case of a
      forward proxy request.
   *) mod_ssl: Remove the hardcoded algorithm-type dependency for the
      SSLCertificateFile and SSLCertificateKeyFile directives, to enable
      future algorithm agility, and deprecate the SSLCertificateChainFile
      directive (obsoleted by SSLCertificateFile).
   *) mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
      and IgnoreInherit to allow RewriteRules to be pushed from parent scopes
      to child scopes without explicitly configuring each child scope.
   *) prefork: Fix long delays when doing a graceful restart.
   *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
      5+ instead of just for FreeBSD 5.
   *) mod_proxy_wstunnel: Avoid busy loop on client errors, drop message
      IDs 02445, 02446, and 02448 to TRACE1 from DEBUG.
   *) mod_remoteip: Correct the trusted proxy match test.
   *) mod_proxy_fcgi: Fix error message when an unexpected protocol version
      number is received from the application.
   *) mod_remoteip: Use the correct IP addresses to populate the proxy_ips fie=
   ld.
   *) mod_lua: Update r:setcookie() to accept a table of options and add domai=
   n,
      path and httponly to the list of options available to set.
   *) mod_lua: Fix r:setcookie() to add, rather than replace,
      the Set-Cookie header.
   *) mod_lua: Allow for database results to be returned as a hash with
      row-name/value pairs instead of just row-number/value.
   *) mod_rewrite: Add %{CONN_REMOTE_ADDR} as the non-useragent counterpart to
      %{REMOTE_ADDR}.
   *) WinNT MPM: If ap_run_pre_connection() fails or sets c->aborted, don't
      save the socket for reuse by the next worker as if it were an
      APR_SO_DISCONNECTED socket. Restores 2.2 behavior.
   *) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a URL
      that was just rewritten by mod_rewrite.
   *) mod_session: When we have a session we were unable to decode,
      behave as if there was no session at all.
   *) mod_session: Fix problems interpreting the SessionInclude and
      SessionExclude configuration.
   *) mod_authn_core: Allow <AuthnProviderAlias>'es to be seen from auth
      stanzas under virtual hosts.
   *) mod_proxy_fcgi: Use apr_socket_timeout_get instead of hard-coded
      30 seconds timeout.
   *) mod_proxy: Added support for unix domain sockets as the
      backend server endpoint
   *) build: only search for modules (config*.m4) in known subdirectories, see
      build/config-stubs.
   *) mod_cache_disk: Fix potential hangs on Windows when using mod_cache_disk.
   *) mod_ssl: Add support for OpenSSL configuration commands by introducing
      the SSLOpenSSLConfCmd directive.
   *) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
      is equivalent to <ProxyMatch wildcard-url>.
   *) mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
      mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
      require directives.
   *) mod_proxy_http: Core dumped under high load.
   *) mod_socache_shmcb.c: Remove arbitrary restriction on shared memory size
      previously limited to 64MB.
   *) mod_lua: Use binary copy when dealing with uploads through r:parsebody()
      to prevent truncating files.

   To generate a diff of this commit:
   cvs rdiff -u -r1.25 -r1.26 pkgsrc/www/apache24/Makefile
   cvs rdiff -u -r1.14 -r1.15 pkgsrc/www/apache24/PLIST
   cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/apache24/distinfo

Files:
RevisionActionfile
1.24.2.1modifypkgsrc/www/apache24/Makefile
1.12.2.1modifypkgsrc/www/apache24/PLIST
1.11.2.1modifypkgsrc/www/apache24/distinfo