pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/www/apache24
Module Name: pkgsrc
Committed By: adam
Date: Fri Sep 17 12:49:57 UTC 2021
Modified Files:
pkgsrc/www/apache24: Makefile distinfo
Log Message:
apache24: updated to 2.4.49
Changes with Apache 2.4.49
*) SECURITY: CVE-2021-40438 (cve.mitre.org)
mod_proxy: Server Side Request Forgery (SSRF) vulnerabilty [Yann Ylavic]
*) SECURITY: CVE-2021-39275 (cve.mitre.org)
core: ap_escape_quotes buffer overflow
*) SECURITY: CVE-2021-36160 (cve.mitre.org)
mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]
*) SECURITY: CVE-2021-34798 (cve.mitre.org)
core: null pointer dereference on malformed request
*) SECURITY: CVE-2021-33193 (cve.mitre.org)
mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]
*) core/mod_proxy/mod_ssl:
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding 'ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
module to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core provided optional function wrap any registered function
like it was done for `ssl_is_ssl`.
[Stefan Eissing]
*) mod_ssl: Support logging private key material for use with
wireshark via log file given by SSLKEYLOGFILE environment
variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]
*) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and
"ProxyPassInterpolateEnv On" are configured. PR 65549.
[Joel Self <joelself gmail.com>]
*) mpm_event: Fix children processes possibly not stopped on graceful
restart. PR 63169. [Joel Self <joelself gmail.com>]
*) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d)
protocols from mod_proxy_http, and a timeout triggering falsely when
using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with
upgrade= setting. PRs 65521 and 65519. [Yann Ylavic]
*) mod_unique_id: Reduce the time window where duplicates may be generated
PR 65159
[Christophe Jaillet]
*) mpm_prefork: Block signals for child_init hooks to prevent potential
threads created from there to catch MPM's signals.
[Ruediger Pluem, Yann Ylavic]
*) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load.
PR 65159" added in 2.4.47.
This causes issue on Windows.
[Christophe Jaillet]
*) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic]
*) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
as successful or a staged renewal is replacing the existing certificates.
This avoid potential mess ups in the md store file system to render the active
certificates non-working. [@mkauf]
*) mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
[Yann Ylavic]
*) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
connections. If ALPN protocols are provided and sent to the
remote server, the received protocol selected is inspected
and checked for a match. Without match, the peer handshake
fails.
An exception is the proposal of "http/1.1" where it is
accepted if the remote server did not answer ALPN with
a selected protocol. This accomodates for hosts that do
not observe/support ALPN and speak http/1.x be default.
*) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
with others when their URLs contain a '$' substitution. PR 65419 + 65429.
[Yann Ylavic]
*) mod_dav: Add method_precondition hook. WebDAV extensions define
conditions that must exist before a WebDAV method can be executed.
This hook allows a WebDAV extension to verify these preconditions.
[Graham Leggett]
*) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other
modules apart from versioning implementations to handle the REPORT method.
[Graham Leggett]
*) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and
dav_get_resource() to mod_dav.h. [Graham Leggett]
*) core: fix ap_escape_quotes substitution logic. [Eric Covener]
*) Easy patches: synch 2.4.x and trunk
- mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp.
- mod_ldap: log and abort locking errors.
- mod_ldap: style fix for r1831165
- mod_ldap: build break fix for r1831165
- mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements
- mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590)
- mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case.
- mod_rewrite: Save a few cycles.
- mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues
- core: remove extra whitespace in HTTP_NOT_IMPLEMENTED
[Christophe Jaillet]
*) core/mpm: add hook 'child_stopping` that gets called when the MPM is
stopping a child process. The additional `graceful` parameter allows
registered hooks to free resources early during a graceful shutdown.
[Yann Ylavic, Stefan Eissing]
*) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the
balancer-manager, which can lead to a crash. [Yann Ylavic]
*) mpm_event: Fix graceful stop/restart of children processes if connections
are in lingering close for too long. [Yann Ylavic]
*) mod_md: fixed a potential null pointer dereference if ACME/OCSP
server returned 2xx responses without content type. Reported by chuangwen.
[chuangwen, Stefan Eissing]
*) mod_md:
- Domain names in `<MDomain ...>` can now appear in quoted form.
- Fixed a failure in ACME challenge selection that aborted further searches
when the tls-alpn-01 method did not seem to be suitable.
- Changed the tls-alpn-01 setup to only become unsuitable when none of the
dns names showed support for a configured 'Protocols ... acme-tls/1'. This
allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
[Stefan Eissing]
*) Add CPING to health check logic. [Jean-Frederic Clere]
*) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]
*) core, h2: common ap_parse_request_line() and ap_check_request_header()
code. [Yann Ylavic]
*) core: Add StrictHostCheck to allow unconfigured hostnames to be
rejected. [Eric Covener]
*) htcacheclean: Improve help messages. [Christophe Jaillet]
To generate a diff of this commit:
cvs rdiff -u -r1.100 -r1.101 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.45 -r1.46 pkgsrc/www/apache24/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/apache24/Makefile
diff -u pkgsrc/www/apache24/Makefile:1.100 pkgsrc/www/apache24/Makefile:1.101
--- pkgsrc/www/apache24/Makefile:1.100 Fri Jun 4 09:47:15 2021
+++ pkgsrc/www/apache24/Makefile Fri Sep 17 12:49:57 2021
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.100 2021/06/04 09:47:15 wiz Exp $
+# $NetBSD: Makefile,v 1.101 2021/09/17 12:49:57 adam Exp $
#
# When updating this package, make sure that no strings like
# "PR 12345" are in the commit message. Upstream likes
# to reference their own PRs this way, but this ends up
# in NetBSD GNATS.
-DISTNAME= httpd-2.4.48
+DISTNAME= httpd-2.4.49
PKGNAME= ${DISTNAME:S/httpd/apache/}
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/}
Index: pkgsrc/www/apache24/distinfo
diff -u pkgsrc/www/apache24/distinfo:1.45 pkgsrc/www/apache24/distinfo:1.46
--- pkgsrc/www/apache24/distinfo:1.45 Fri Jun 4 09:47:15 2021
+++ pkgsrc/www/apache24/distinfo Fri Sep 17 12:49:57 2021
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.45 2021/06/04 09:47:15 wiz Exp $
+$NetBSD: distinfo,v 1.46 2021/09/17 12:49:57 adam Exp $
-SHA1 (httpd-2.4.48.tar.bz2) = 834876db80fc290e531f0e088d255434828b81b5
-RMD160 (httpd-2.4.48.tar.bz2) = ea98eeb29aacefb2a71e046bfc13dc3b6e88f2fc
-SHA512 (httpd-2.4.48.tar.bz2) = 6c250626f1e7d10428a92d984fd48ff841effcc8705f7816ab71b681bbd51d0012ad158dcd13763fe7d630311f2de258b27574603140d648be42796ab8326724
-Size (httpd-2.4.48.tar.bz2) = 7194385 bytes
+SHA1 (httpd-2.4.49.tar.bz2) = 17e8efc1b178ce677202d71678e380459594f697
+RMD160 (httpd-2.4.49.tar.bz2) = 73c3e94bdb0da77c833590334a4ac288d782424c
+SHA512 (httpd-2.4.49.tar.bz2) = 418e277232cf30a81d02b8554e31aaae6433bbea842bdb81e47a609469395cc4891183fb6ee02bd669edb2392c2007869b19da29f5998b8fd5c7d3142db310dd
+Size (httpd-2.4.49.tar.bz2) = 7199599 bytes
SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d
Home |
Main Index |
Thread Index |
Old Index