./www/apache24, Apache HTTP (Web) server, version 2.4

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.4.62nb3, Package name: apache-2.4.62nb3, Maintainer: ryoon

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for various modern desktop and server operating
systems, such as UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server which provides HTTP
services in sync with the current HTTP standards.

This package tracks 2.4.x release.


Required to run:
[textproc/libxml2] [security/openssl] [devel/apr] [devel/apr-util] [devel/pcre] [devel/readline] [www/nghttp2] [archivers/brotli]

Required to build:
[pkgtools/cwrappers]

Package options: apache-mpm-event, apache-mpm-prefork, apache-mpm-worker, brotli, http2, xml

Master sites:

Filesize: 7345.372 KB

Version history: (Expand)


CVS history: (Expand)


   2024-04-05 11:31:38 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
apache24: updated to 2.4.59

Changes with Apache 2.4.59

*) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
   memory exhaustion on endless continuation frames (cve.mitre.org)
   HTTP/2 incoming headers exceeding the limit are temporarily
   buffered in nghttp2 in order to generate an informative HTTP 413
   response. If a client does not stop sending headers, this leads
   to memory exhaustion.
   Credits: Bartek Nowotarski (https://nowotarski.info/)

*) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
   Splitting in multiple modules (cve.mitre.org)
   HTTP Response splitting in multiple modules in Apache HTTP
   Server allows an attacker that can inject malicious response
   headers into backend applications to cause an HTTP
   desynchronization attack.
   Users are recommended to upgrade to version 2.4.59, which fixes
   this issue.
   Credits: Keran Mu, Tsinghua University and Zhongguancun
   Laboratory.

*) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
   splitting (cve.mitre.org)
   Faulty input validation in the core of Apache allows malicious
   or exploitable backend/content generators to split HTTP
   responses.
   This issue affects Apache HTTP Server: through 2.4.58.
   Credits: Orange Tsai (@orange_8361) from DEVCORE

*) mod_deflate: Fixes and better logging for handling various
   error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton,
   Eric Norris <enorris etsy.com>]

*) Add CGIScriptTimeout to mod_cgi. [Eric Covener]

*) mod_xml2enc: Tolerate libxml2 2.12.0 and later.
   [ttachi <tachihara AT hotmail.com>]

*) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable.
   [Jean-Frederic Clere]

*) mod_ssl: Use OpenSSL-standard functions to assemble CA
   name lists for SSLCACertificatePath/SSLCADNRequestPath.
   Names will now be consistently sorted.
   [Joe Orton]

*) mod_xml2enc: Update check to accept any text/ media type
   or any XML media type per RFC 7303, avoiding
   corruption of Microsoft OOXML formats.
   [Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton]

*) mod_http2: v2.0.26 with the following fixes:
   - Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes
     <https://github.com/icing/mod_h2/issues/272>.
   - Fixed small memory leak in h2 header bucket free. Thanks to
     Michael Kaufmann for finding this and providing the fix.

*) htcacheclean: In -a/-A mode, list all files per subdirectory
   rather than only one.
   [Artem Egorenkov <aegorenkov.91 gmail.com>]

*) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files
   which include CA certificates; those CA certs are treated as if
   configured with SSLProxyMachineCertificateChainFile.  [Joe Orton]

*) htpasswd, htdbm, dbmmanage: Update help&docs to refer to
   "hashing", rather than "encrypting" passwords.
   [Michele Preziuso <mpreziuso kaosdynamics.com>]

*) mod_ssl: Fix build with LibreSSL 2.0.7+.
   [Giovanni Bechis, Yann Ylavic]

*) htpasswd: Add support for passwords using SHA-2.  [Joe Orton,
   Yann Ylavic]

*) core: Allow mod_env to override system environment vars. [Joe Orton]

*) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an
   operation which removes a directory/file between apr_dir_read() and
   apr_stat(). Current behaviour is to abort the connection which seems
   inferior to tolerating (and logging) the error. [Joe Orton]

*) mod_ldap: HTML-escape data in the ldap-status handler.
   [Eric Covener, Chamal De Silva]

*) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
   Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
   notably with OpenSSL >= 3.  [Yann Ylavic, Joe Orton]

*) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about
   deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting
   to compatibitily with version 1.1.1 (including ENGINEs / SSLCryptoDevice).
   [Yann Ylavic]

*) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]

*) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when
   some dollar substitution (backreference) happens in the hostname or port
   part of the URL.  [Yann Ylavic]

*) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend
   systems are cached. [Yann Ylavic]

*) mod_proxy: Add optional third argument for ProxyRemote, which
   configures Basic authentication credentials to pass to the remote
   proxy.
   2024-03-20 02:45:52 by Nia Alarie | Files touched by this commit (1)
Log message:
apache24: Fix building with Xcode 7 and earlier
   2024-01-31 10:38:13 by Takahiro Kambe | Files touched by this commit (2)
Log message:
www/apache24: use upstream fix

Use upstream fix for fixing build problem with libxml2-2.12.4.

NFCI.
   2024-01-30 15:41:30 by Takahiro Kambe | Files touched by this commit (2)
Log message:
www/apache24: fix build with libxml2-2.12.4
   2023-11-22 09:05:43 by Thomas Klausner | Files touched by this commit (1)
Log message:
apache24: let apache default to a full dependency

If this is too much for some packages, they can set the depmethod to build.
   2023-11-08 14:21:43 by Thomas Klausner | Files touched by this commit (2377)
Log message:
*: recursive bump for icu 74.1
   2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298)
Log message:
*: bump for openssl 3
   2023-10-19 16:22:02 by Thomas Klausner | Files touched by this commit (16) | Package removed
Log message:
apache: update to 2.4.58.

Changes with Apache 2.4.58

  *) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
     SSL routines::unexpected eof while reading" when using
     OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
     available. [Rainer Jung]

  *) mod_http2: improved early cleanup of streams.
     [Stefan Eissing]

  *) mod_proxy_http2: improved error handling on connection errors while
     response is already underway.
     [Stefan Eissing]

  *) mod_http2: fixed a bug that could lead to a crash in main connection
     output handling. This occured only when the last request on a HTTP/2
     connection had been processed and the session decided to shut down.
     This could lead to an attempt to send a final GOAWAY while the previous
     write was still in progress. See PR 66646.
     [Stefan Eissing]

  *) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value.
     Fixes PR66752.
     [Stefan Eissing]

  *) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as
     described in RFC 8441. A new directive 'H2WebSockets on|off' has been
     added. The feature is by default not enabled.
     As also discussed in the manual, this feature should work for setups
     using "ProxyPass backend-url upgrade=websocket" without further \ 
changes.
     Special server modules for WebSockets will have to be adapted,
     most likely, as the handling if IO events is different with HTTP/2.
     HTTP/2 WebSockets are supported on platforms with native pipes. This
     excludes Windows.
     [Stefan Eissing]

  *) mod_rewrite: Fix a regression with both a trailing ? and [QSA].
     in OCSP stapling. PR 66672. [Frank Meier <frank.meier ergon.ch>, covener]

  *) mod_http2: fixed a bug in flushing pending data on an already closed
     connection that could lead to a busy loop, preventing the HTTP/2 session
     to close down successfully. Fixed PR 66624.
     [Stefan Eissing]

  *) mod_http2: v2.0.15 with the following fixes and improvements
     - New directive 'H2EarlyHint name value' to add headers to a response,
       picked up already when a "103 Early Hints" response is sent. \ 
'name' and
       'value' must comply to the HTTP field restrictions.
       This directive can be repeated several times and header fields of the
       same names add. Sending a 'Link' header with 'preload' relation will
       also cause a HTTP/2 PUSH if enabled and supported by the client.
     - Fixed an issue where requests were not logged and accounted in a timely
       fashion when the connection returns to "keepalive" handling, \ 
e.g. when
       the request served was the last outstanding one.
       This led to late appearance in access logs with wrong duration times
       reported.
     - Accurately report the bytes sent for a request in the '%O' Log format.
       This addresses #203, a long outstanding issue where mod_h2 has reported
       numbers over-eagerly from internal buffering and not what has actually
       been placed on the connection.
       The numbers are now the same with and without H2CopyFiles enabled.
     [Stefan Eissing]

  *) mod_proxy_http2: fix retry handling to not leak temporary errors.
     On detecting that that an existing connection was shutdown by the other
     side, a 503 response leaked even though the request was retried on a
     fresh connection.
     [Stefan Eissing]

  *) mod_rewrite: Add server directory to include path as mod_rewrite requires
     test_char.h. PR 66571 [Valeria Petrov <valeria.petrov@spinetix.com>]

  *) mod_http2: new directive `H2ProxyRequests on|off` to enable handling
     of HTTP/2 requests in a forward proxy configuration.
     General forward proxying is enabled via `ProxyRequests`. If the
     HTTP/2 protocol is also enabled for such a server/host, this new
     directive is needed in addition.
     [Stefan Eissing]

  *) core: Updated conf/mime.types:
     - .js moved from 'application/javascript' to 'text/javascript'
     - .mjs was added as 'text/javascript'
     - add .opus ('audio/ogg')
     - add 'application/vnd.geogebra.slides'
     - add WebAssembly MIME types and extension
     [Mathias Bynens <@mathiasbynens> via PR 318,
      Richard de Boer <richard tubul.net>, Dave Hodder <dmh dmh.org.uk>,
      Zbynek Konecny <zbynek1729 gmail.com>]

  *) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend
     connection when sending data on the frontend one. This caused crashes
     or infinite loops in rare situations.
  *) mod_proxy_http2: fixed a bug in retry/response handling that could lead
     to wrong status codes or HTTP messages send at the end of response bodies
     exceeding the announced content-length.
  *) mod_proxy_http2: fix retry handling to not leak temporary errors.
     On detecting that that an existing connection was shutdown by the other
     side, a 503 response leaked even though the request was retried on a
     fresh connection.
  *) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in
     the wrong order when a bucket_beam was destroyed.
     [Stefan Eissing]

  *) mod_http2: avoid double chunked-encoding on internal redirects.
     PR 66597 [Yann Ylavic, Stefan Eissing]

  *) mod_http2: Fix reporting of `Total Accesses` in server-status to not count
     HTTP/2 requests twice. Fixes PR 66801.
     [Stefan Eissing]

  *) mod_ssl: Fix handling of Certificate Revoked messages
     in OCSP stapling. PR 66626. [<gmoniker gmail.com>]

  *) mod_http2: fixed a bug in handling of stream timeouts.
     [Stefan Eissing]

  *) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
     Checking in configure for proper version installed. Code
     fixes for changed clienthello member name.
     [Stefan Eissing]

  *) mod_md:
     - New directive `MDMatchNames all|servernames` to allow more control over how
       MDomains are matched to VirtualHosts.
     - New directive `MDChallengeDns01Version`. Setting this to `2` will provide
       the command also with the challenge value on `teardown` invocation. In version
       1, the default, only the `setup` invocation gets this parameter.
       Refs #312. Thanks to @domrim for the idea.
     - For Managed Domain in "manual" mode, the checks if all used \ 
ServerName and
       ServerAlias are part of the MDomain now reports a warning instead of an error
       (AH10040) when not all names are present.
     - MDChallengeDns01 can now be configured for individual domains.
       Using PR from Jérôme Billiras (@bilhackmac) and adding test case and \ 
fixing proper working
     - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
       teardown not being invoked as it should.

  *) mod_ldap: Avoid performance overhead of APR-util rebind cache for
     OpenLDAP 2.2+.  PR 64414.  [Joe Orton]

  *) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum
     amount of response body bytes put into a single HTTP/2 DATA frame.
     Setting this to 0 places no limit (but the max size allowed by the
     protocol is observed).
     The module, by default, tries to use the maximum size possible, which is
     somewhat around 16KB. This sets the maximum. When less response data is
     available, smaller frames will be sent.

  *) mod_md: fixed passing of the server environment variables to programs
     started via MDMessageCmd and MDChallengeDns01 on *nix system.
     See <https://github.com/icing/mod_md/issues/319>.
     [Stefan Eissing]

  *) mod_dav: Add DavBasePath directive to configure the repository root
     path.  PR 35077.  [Joe Orton]

  *) mod_alias: Add AliasPreservePath directive to map the full
     path after the alias in a location. [Graham Leggett]

  *) mod_alias: Add RedirectRelative to allow relative redirect targets to be
     issued as-is. [Eric Covener, Graham Leggett]

  *) core: Add formats %{z} and %{strftime-format} to ErrorLogFormat, and make
     sure that if the format is configured early enough it applies to every log
     line.  PR 62161.  [Yann Ylavic]

  *) mod_deflate: Add DeflateAlterETag to control how the ETag
     is modified. The 'NoChange' parameter mimics 2.2.x behavior.
     PR 45023, PR 39727. [Eric Covener]

  *) core: Optimize send_brigade_nonblocking(). [Yann Ylavic, Christophe Jaillet]

  *) mod_status: Remove duplicate keys "BusyWorkers" and \ 
"IdleWorkers".
     Resolve inconsistency between the previous two occurrences by
     counting workers in state SERVER_GRACEFUL no longer as busy,
     but instead in a new counter "GracefulWorkers" (or on HTML
     view as "workers gracefully restarting"). Also add the graceful
     counter as a new column to the existing HTML per process table
     for async MPMs. PR 63300. [Rainer Jung]