./www/apache24, Apache HTTP (Web) server, version 2.4

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 2.4.57nb2, Package name: apache-2.4.57nb2, Maintainer: ryoon

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for various modern desktop and server operating
systems, such as UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server which provides HTTP
services in sync with the current HTTP standards.

This package tracks 2.4.x release.

Required to run:
[textproc/libxml2] [security/openssl] [devel/apr] [devel/apr-util] [devel/pcre] [devel/readline] [www/nghttp2] [archivers/brotli]

Required to build:

Package options: apache-mpm-event, apache-mpm-prefork, apache-mpm-worker, brotli, http2, xml

Master sites: (Expand)

Filesize: 7282.248 KB

Version history: (Expand)

CVS history: (Expand)

   2023-04-21 15:52:33 by Emmanuel Dreyfus | Files touched by this commit (14)
Log message:
One patch file per partched file, as requested by sketch@
   2023-04-21 02:34:01 by Emmanuel Dreyfus | Files touched by this commit (3)
Log message:
RFC4331 quotas from upstream trunk

   2023-04-19 10:12:01 by Adam Ciarcinski | Files touched by this commit (2359) | Package updated
Log message:
revbump after textproc/icu update
   2023-04-07 11:38:53 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
apache24: updated to 2.4.57

Changes with Apache 2.4.57

*) mod_proxy: Check before forwarding that a nocanon path has not been
   rewritten with spaces during processing.

*) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
   double encode encoded slashes in the URL sent by the reverse proxy to the

*) mod_http2: fixed a crash during connection termination.

*) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
   in a question mark.

*) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. \ 
Re-allow encoded
   characters on redirections without the "NE" flag.

*) mod_proxy: Fix double encoding of the uri-path of the request forwarded
   to the origin server, when using mapping=encoded|servlet.

*) mod_mime: Do not match the extention against possible query string
   parameters in case ProxyPass was used with the nocanon option.
   2023-03-08 09:52:02 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
apache24: updated to 2.4.56

Changes with Apache 2.4.56

*) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
   HTTP response splitting (cve.mitre.org)
   HTTP Response Smuggling vulnerability in Apache HTTP Server via
   mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
   2.4.30 through 2.4.55.
   Special characters in the origin response header can
   truncate/split the response forwarded to the client.
   Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)

*) SECURITY: CVE-2023-25690: HTTP request splitting with
   mod_rewrite and mod_proxy (cve.mitre.org)
   Some mod_proxy configurations on Apache HTTP Server versions
   2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
   Configurations are affected when mod_proxy is enabled along with
   some form of RewriteRule
   or ProxyPassMatch in which a non-specific pattern matches
   some portion of the user-supplied request-target (URL) data and
   is then
   re-inserted into the proxied request-target using variable
   substitution. For example, something like:
   RewriteEngine on
   RewriteRule "^/here/(.*)" "
   http://example.com:8080/elsewhere ; [P]
   ProxyPassReverse /here/  http://example.com:8080/
   Request splitting/smuggling could result in bypass of access
   controls in the proxy server, proxying unintended URLs to
   existing origin servers, and cache poisoning.
   Credits: Lars Krapf of Adobe

*) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
   truncated without the initial logfile being truncated.  [Eric Covener]

*) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
   allow connections of any age to be reused. Up to now, a negative value
   was handled as an error when parsing the configuration file.
   [nailyk <bzapache nailyk.fr>, Christophe Jaillet]

*) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
   of headers. [Ruediger Pluem]

*) mod_md:
   - Enabling ED25519 support and certificate transparency information when
     building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
   - MDChallengeDns01 can now be configured for individual domains.
     Thanks to JĂŠrĂ´me Billiras (@bilhackmac) for the initial PR.
   - Fixed a bug found by JĂŠrĂ´me Billiras (@bilhackmac) that caused the \ 
     teardown not being invoked as it should.
   [Stefan Eissing]

*) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
   reported in access logs and error documents. The processing of the
   reset was correct, only unneccesary reporting was caused.
   [Stefan Eissing]

*) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
   [Yann Ylavic]
   2023-01-20 15:03:16 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
apache24: updated to 2.4.55

Changes with Apache 2.4.55

  *) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
     2.4.55 allows a backend to trigger HTTP response splitting
     Prior to Apache HTTP Server 2.4.55, a malicious backend can
     cause the response headers to be truncated early, resulting in
     some headers being incorporated into the response body. If the
     later headers have any security purpose, they will not be
     interpreted by the client.
     Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)

  *) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
     Possible request smuggling (cve.mitre.org)
     Inconsistent Interpretation of HTTP Requests ('HTTP Request
     Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
     allows an attacker to smuggle requests to the AJP server it
     forwards requests to.  This issue affects Apache HTTP Server
     Apache HTTP Server 2.4 version 2.4.54 and prior versions.
     Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
     at Qi'anxin Group

  *) SECURITY: CVE-2006-20001: mod_dav out of  bounds read, or write
     of zero byte (cve.mitre.org)
     A carefully crafted If: request header can cause a memory read,
     or write of a single zero byte, in a pool (heap) memory location
     beyond the header value sent. This could cause the process to
     This issue affects Apache HTTP Server 2.4.54 and earlier.

  *) mod_dav: Open the lock database read-only when possible.

  *) mod_proxy_http2: apply the standard httpd content type handling
     to responses from the backend, as other proxy modules do.

  *) mod_dav: mod_dav overrides dav_fs response on PUT failure.

  *) mod_proxy_hcheck: Honor worker timeout settings.  [Yann Ylavic]

  *) mod_http2: version 2.0.10 of the module, synchronizing changes
     with the gitgub version. This is a partial rewrite of how connections
     and streams are handled.
     - an APR pollset and pipes (where supported) are used to monitor
       the main connection and react to IO for request/response handling.
       This replaces the stuttered timed waits of earlier versions.
     - H2SerializeHeaders directive still exists, but has no longer an effect.
     - Clients that seemingly misbehave still get less resources allocated,
       but ongoing requests are no longer disrupted.
     - Fixed an issue since 1.15.24 that "Server" headers in proxied \ 
       were overwritten instead of preserved.
     - A regression in v1.15.24 was fixed that could lead to httpd child
       processes not being terminated on a graceful reload or when reaching
       MaxConnectionsPerChild. When unprocessed h2 requests were queued at
       the time, these could stall.
     - Improved information displayed in 'server-status' for H2 connections when
       Extended Status is enabled. Now one can see the last request that IO
       operations happened on and transferred IO stats are updated as well.
     - When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 \ 
       send a GOAWAY frame much too early on new connections, leading to invalid
       protocol state and a client failing the request.
       The module now initializes the HTTP/2 protocol correctly and allows the
       client to submit one request before the shutdown via a GOAWAY frame
       is being announced.
     - :scheme pseudo-header values, not matching the
       connection scheme, are forwarded via absolute uris to the
       http protocol processing to preserve semantics of the request.
       Checks on combinations of pseudo-headers values/absence
       have been added as described in RFC 7540. Fixes #230.
     - A bug that prevented trailers (e.g. HEADER frame at the end) to be
       generated in certain cases was fixed. See #233 where it prevented
       gRPC responses to be properly generated.
     - Request and response header values are automatically stripped of leading
       and trialing space/tab characters. This is equivalent behaviour to what
       Apache httpd's http/1.1 parser does.
       The checks for this in nghttp2 v1.50.0+ are disabled.
     - Extensive testing in production done by Alessandro Bianchi (@alexskynet)
       on the v2.0.x versions for stability. Many thanks!
  *) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
     request ':authority' is known. Improved test case that did not catch that
     the previous 'fix' was incorrect.

  *) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
     using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]

  *) mod_proxy: The AH03408 warning for a forcibly closed backend
     connection is now logged at INFO level.  [Yann Ylavic]

  *) mod_ssl: When dumping the configuration, the existence of
     certificate/key files is no longer tested.  [Joe Orton]

  *) mod_authn_core: Add expression support to AuthName and AuthType.
     [Graham Leggett]

  *) mod_ssl: when a proxy connection had handled a request using SSL, an
     error was logged when "SSLProxyEngine" was only configured in the
     location/proxy section and not the overall server. The connection
     continued to work, the error log was in error.

  *) mod_proxy_hcheck: Re-enable workers in standard ERROR state.

  *) mod_proxy_hcheck: Detect AJP/CPING support correctly.

  *) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]

  *) mod_md: a new directive `MDStoreLocks` can be used on cluster
     setups with a shared file system for `MDStoreDir` to order
     activation of renewed certificates when several cluster nodes are
     restarted at the same time. Store locks are not enabled by default.
     Restored curl_easy cleanup behaviour from v2.4.14 and refactored
     the use of curl_multi for OCSP requests to work with that.
     Fixes <https://github.com/icing/mod_md/issues/293>.

  *) core: Avoid an overflow on large inputs in ap_is_matchexp.

  *) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
     storage instead of slotmem. Needed after setting
     HeartbeatMaxServers default to the documented value 10 in 2.4.54.

  *) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
     This is a game changer for performances if client use PROPFIND a lot.
   2022-11-23 17:21:30 by Adam Ciarcinski | Files touched by this commit (1878) | Package updated
Log message:
massive revision bump after textproc/icu update
   2022-10-26 12:32:08 by Thomas Klausner | Files touched by this commit (687)
Log message:
*: bump PKGREVISION for libunistring shlib major bump