www/apache24
Apache HTTP (Web) server, version 2.4
Branch: CURRENT
Version: 2.4.57nb2
Package name: apache-2.4.57nb2
Maintainer: ryoon

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for various modern desktop and server operating
systems, such as UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server which provides HTTP
services in sync with the current HTTP standards.
This package tracks the 2.4.x release branch.

Required to run:
textproc/libxml2, security/openssl, devel/apr, devel/apr-util, devel/pcre, devel/readline, www/nghttp2, archivers/brotli

Required to build:
pkgtools/cwrappers
Package options: apache-mpm-event, apache-mpm-prefork, apache-mpm-worker, brotli, http2, xml
Filesize: 7282.248 KB
Version history:
- (2023-04-21) Updated to version: apache-2.4.57nb2
- (2023-04-19) Updated to version: apache-2.4.57nb1
- (2023-04-07) Updated to version: apache-2.4.57
- (2023-03-08) Updated to version: apache-2.4.56
- (2023-01-20) Updated to version: apache-2.4.55
- (2022-11-23) Updated to version: apache-2.4.54nb3
CVS history:
2023-04-21 15:52:33 by Emmanuel Dreyfus | Files touched by this commit (14)
Log message:
One patch file per patched file, as requested by sketch@

2023-04-21 02:34:01 by Emmanuel Dreyfus | Files touched by this commit (3)
Log message:
RFC4331 quotas from upstream trunk
http://svn.apache.org/viewvc?view=revision&revision=1907974
http://svn.apache.org/viewvc?view=revision&revision=1907984
http://svn.apache.org/viewvc?view=revision&revision=1907989
http://svn.apache.org/viewvc?view=revision&revision=1908143
http://svn.apache.org/viewvc?view=revision&revision=1908144
2023-04-19 10:12:01 by Adam Ciarcinski | Files touched by this commit (2359)
Log message:
revbump after textproc/icu update
2023-04-07 11:38:53 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
apache24: updated to 2.4.57
Changes with Apache 2.4.57
*) mod_proxy: Check before forwarding that a nocanon path has not been
rewritten with spaces during processing.
*) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
double encode encoded slashes in the URL sent by the reverse proxy to the
backend.
*) mod_http2: fixed a crash during connection termination.
*) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
in a question mark.
*) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
characters on redirections without the "NE" flag.
*) mod_proxy: Fix double encoding of the uri-path of the request forwarded
to the origin server, when using mapping=encoded|servlet.
*) mod_mime: Do not match the extension against possible query string
parameters in case ProxyPass was used with the nocanon option.

2023-03-08 09:52:02 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
apache24: updated to 2.4.56
Changes with Apache 2.4.56
*) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
HTTP response splitting (cve.mitre.org)
HTTP Response Smuggling vulnerability in Apache HTTP Server via
mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
2.4.30 through 2.4.55.
Special characters in the origin response header can
truncate/split the response forwarded to the client.
Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)
*) SECURITY: CVE-2023-25690: HTTP request splitting with
mod_rewrite and mod_proxy (cve.mitre.org)
Some mod_proxy configurations on Apache HTTP Server versions
2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with
some form of RewriteRule
or ProxyPassMatch in which a non-specific pattern matches
some portion of the user-supplied request-target (URL) data and
is then
re-inserted into the proxied request-target using variable
substitution. For example, something like:
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access
controls in the proxy server, proxying unintended URLs to
existing origin servers, and cache poisoning.
Credits: Lars Krapf of Adobe
*) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
truncated without the initial logfile being truncated. [Eric Covener]
*) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
allow connections of any age to be reused. Up to now, a negative value
was handled as an error when parsing the configuration file.
[nailyk <bzapache nailyk.fr>, Christophe Jaillet]
*) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
of headers. [Ruediger Pluem]
*) mod_md:
- Enabling ED25519 support and certificate transparency information when
building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
- MDChallengeDns01 can now be configured for individual domains.
Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
- Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
teardown not being invoked as it should.
[Stefan Eissing]
*) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
reported in access logs and error documents. The processing of the
reset was correct, only unnecessary reporting was caused.
[Stefan Eissing]
*) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
[Yann Ylavic]
2023-01-20 15:03:16 by Adam Ciarcinski | Files touched by this commit (4)
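The configuration pattern quoted in the CVE-2023-25690 entry above, worked through as an added example (this is not code from the page, from pkgsrc or from the Apache project). It models three things a reviewer of such a config wants to see: how a percent-encoded CRLF in the request path is decoded before the RewriteRule matches and so reaches $1 verbatim, how that turns the proxied request into two requests on the wire, and what a guard that refuses control characters in the substituted target (the behaviour 2.4.56 introduced) or BCTLS-style escaping of the backreference (the flag 2.4.57 added) does to it. The pattern and substitution are the ones from the advisory text; the sample request paths, the helper names and the simplifications of mod_rewrite/mod_proxy behaviour (decode-before-match, DOTALL matching, the exact shape of the guard and of the escaping) are assumptions made for this model.

```python
import re
from urllib.parse import unquote

# Rule from the advisory text; everything below it is constructed for this example.
PATTERN = re.compile(r"^/here/(.*)", re.DOTALL)  # DOTALL is an assumption, see lead-in
SUBSTITUTION = "http://example.com:8080/elsewhere?$1"

# Constructed request-targets (not from the page). The second one carries an
# encoded CRLF, a bogus Host header and a second request line.
BENIGN_PATH = "/here/report.pdf"
CRAFTED_PATH = "/here/x%20HTTP/1.1%0d%0aHost:%20attacker.example%0d%0a%0d%0aGET%20/admin"


def is_ctl(ch):
    """CTL octets (0x00-0x1F, 0x7F) and SP: the characters that delimit or end
    a request-line token and therefore must never appear raw in a target."""
    return ord(ch) < 0x20 or ord(ch) == 0x7F or ch == " "


def escape_ctls(backref):
    """Percent-encode control characters and spaces in a backreference.
    Approximates the effect of the BCTLS RewriteRule flag (assumption)."""
    return "".join(f"%{ord(c):02X}" if is_ctl(c) else c for c in backref)


def rewrite(request_path, escape_backrefs=False):
    """Model of the vulnerable substitution step. mod_rewrite matches the rule
    against the already percent-decoded URL path, so %0d%0a in the request
    reaches $1 as a literal CRLF and is pasted into the proxied target."""
    decoded = unquote(request_path)
    m = PATTERN.match(decoded)
    if m is None:
        return None
    backref = m.group(1)
    if escape_backrefs:
        backref = escape_ctls(backref)
    return SUBSTITUTION.replace("$1", backref)


def proxied_target_is_clean(target):
    """Model of the post-2.4.56 guard (assumption about its exact shape):
    refuse to forward a request-target containing CTL or SP after substitution."""
    return not any(is_ctl(c) for c in target)


def split_target(target):
    """Split 'scheme://authority/path?query' by hand. urllib.parse.urlsplit is
    deliberately not used: recent Python versions strip CR/LF from URLs, which
    would hide exactly the bytes this model is about."""
    m = re.match(r"^https?://([^/]+)(.*)$", target, re.DOTALL)
    return m.group(1), m.group(2)


def serialize_proxy_request(target):
    """Request line plus Host header as an unguarded proxy would send them."""
    authority, path_and_query = split_target(target)
    return f"GET {path_and_query} HTTP/1.1\r\nHost: {authority}\r\n\r\n"


def request_lines_on_wire(target):
    """Count lines that parse as HTTP request lines in the serialized bytes.
    Two means the backend will see a smuggled second request."""
    raw = serialize_proxy_request(target)
    return sum(1 for line in raw.split("\r\n") if re.match(r"^(GET|POST|HEAD) ", line))


if __name__ == "__main__":
    for path in (BENIGN_PATH, CRAFTED_PATH):
        for escape in (False, True):
            target = rewrite(path, escape_backrefs=escape)
            print(f"path={path!r} escape_backrefs={escape}")
            print(f"  target={target!r}")
            print(f"  clean={proxied_target_is_clean(target)}"
                  f" request_lines={request_lines_on_wire(target)}")
```

The config-level lesson is the one the advisory states: a capture taken from the user-supplied request-target should not be pasted raw into a proxied target. On a real server that means preferring ProxyPass with a fixed destination, or, on 2.4.57 and later, adding the BCTLS (or B) flag, e.g. `[P,BCTLS]`, so that the escaping this model's escape_ctls() performs happens inside mod_rewrite before mod_proxy ever sees the target.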
Log message:
apache24: updated to 2.4.55
Changes with Apache 2.4.55
*) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
2.4.55 allows a backend to trigger HTTP response splitting
(cve.mitre.org)
Prior to Apache HTTP Server 2.4.55, a malicious backend can
cause the response headers to be truncated early, resulting in
some headers being incorporated into the response body. If the
later headers have any security purpose, they will not be
interpreted by the client.
Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
*) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
Possible request smuggling (cve.mitre.org)
Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it
forwards requests to. This issue affects Apache HTTP Server 2.4
version 2.4.54 and prior versions.
Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
at Qi'anxin Group
*) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write
of zero byte (cve.mitre.org)
A carefully crafted If: request header can cause a memory read,
or write of a single zero byte, in a pool (heap) memory location
beyond the header value sent. This could cause the process to
crash.
This issue affects Apache HTTP Server 2.4.54 and earlier.
*) mod_dav: Open the lock database read-only when possible.
*) mod_proxy_http2: apply the standard httpd content type handling
to responses from the backend, as other proxy modules do.
*) mod_dav: mod_dav overrides dav_fs response on PUT failure.
*) mod_proxy_hcheck: Honor worker timeout settings. [Yann Ylavic]
*) mod_http2: version 2.0.10 of the module, synchronizing changes
with the github version. This is a partial rewrite of how connections
and streams are handled.
- an APR pollset and pipes (where supported) are used to monitor
the main connection and react to IO for request/response handling.
This replaces the stuttered timed waits of earlier versions.
- H2SerializeHeaders directive still exists, but has no longer an effect.
- Clients that seemingly misbehave still get less resources allocated,
but ongoing requests are no longer disrupted.
- Fixed an issue since 1.15.24 that "Server" headers in proxied requests
were overwritten instead of preserved.
- A regression in v1.15.24 was fixed that could lead to httpd child
processes not being terminated on a graceful reload or when reaching
MaxConnectionsPerChild. When unprocessed h2 requests were queued at
the time, these could stall.
- Improved information displayed in 'server-status' for H2 connections when
Extended Status is enabled. Now one can see the last request that IO
operations happened on and transferred IO stats are updated as well.
- When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
sent a GOAWAY frame much too early on new connections, leading to invalid
protocol state and a client failing the request.
The module now initializes the HTTP/2 protocol correctly and allows the
client to submit one request before the shutdown via a GOAWAY frame
is being announced.
- :scheme pseudo-header values, not matching the
connection scheme, are forwarded via absolute uris to the
http protocol processing to preserve semantics of the request.
Checks on combinations of pseudo-headers values/absence
have been added as described in RFC 7540. Fixes #230.
- A bug that prevented trailers (e.g. HEADER frame at the end) to be
generated in certain cases was fixed. See #233 where it prevented
gRPC responses to be properly generated.
- Request and response header values are automatically stripped of leading
and trailing space/tab characters. This is equivalent behaviour to what
Apache httpd's http/1.1 parser does.
The checks for this in nghttp2 v1.50.0+ are disabled.
- Extensive testing in production done by Alessandro Bianchi (@alexskynet)
on the v2.0.x versions for stability. Many thanks!
*) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
request ':authority' is known. Improved test case that did not catch that
the previous 'fix' was incorrect.
*) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
*) mod_proxy: The AH03408 warning for a forcibly closed backend
connection is now logged at INFO level. [Yann Ylavic]
*) mod_ssl: When dumping the configuration, the existence of
certificate/key files is no longer tested. [Joe Orton]
*) mod_authn_core: Add expression support to AuthName and AuthType.
[Graham Leggett]
*) mod_ssl: when a proxy connection had handled a request using SSL, an
error was logged when "SSLProxyEngine" was only configured in the
location/proxy section and not the overall server. The connection
continued to work, the error log was in error.
*) mod_proxy_hcheck: Re-enable workers in standard ERROR state.
*) mod_proxy_hcheck: Detect AJP/CPING support correctly.
*) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]
*) mod_md: a new directive `MDStoreLocks` can be used on cluster
setups with a shared file system for `MDStoreDir` to order
activation of renewed certificates when several cluster nodes are
restarted at the same time. Store locks are not enabled by default.
Restored curl_easy cleanup behaviour from v2.4.14 and refactored
the use of curl_multi for OCSP requests to work with that.
Fixes <https://github.com/icing/mod_md/issues/293>.
*) core: Avoid an overflow on large inputs in ap_is_matchexp.
*) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
storage instead of slotmem. Needed after setting
HeartbeatMaxServers default to the documented value 10 in 2.4.54.
*) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
This is a game changer for performance if clients use PROPFIND a lot.

2022-11-23 17:21:30 by Adam Ciarcinski | Files touched by this commit (1878)
Log message:
massive revision bump after textproc/icu update
2022-10-26 12:32:08 by Thomas Klausner | Files touched by this commit (687)
Log message:
*: bump PKGREVISION for libunistring shlib major bump