Subject: CVS commit: [pkgsrc-2007Q1] pkgsrc/www/ap-jk
To: None <pkgsrc-changes@NetBSD.org>
From: Lubomir Sedlacik <salo@netbsd.org>
List: pkgsrc-changes
Date: 05/31/2007 11:10:45
Module Name: pkgsrc
Committed By: salo
Date: Thu May 31 11:10:45 UTC 2007
Modified Files:
pkgsrc/www/ap-jk [pkgsrc-2007Q1]: Makefile.common distinfo
pkgsrc/www/ap-jk/patches [pkgsrc-2007Q1]: patch-aa
Log Message:
Pullup ticket 2100 - requested by obache
security update for ap-jk
Revisions pulled up:
- pkgsrc/www/ap-jk/Makefile.common 1.5, 1.6
- pkgsrc/www/ap-jk/distinfo 1.8, 1.9
- pkgsrc/www/ap-jk/patches/patch-aa 1.5
Module Name: pkgsrc
Committed By: obache
Date: Wed Apr 25 06:24:02 UTC 2007
Modified Files:
pkgsrc/www/ap-jk: Makefile.common distinfo
pkgsrc/www/ap-jk/patches: patch-aa
Log Message:
Update ap-jk to 1.2.22.
Changes between 1.2.21 and 1.2.22
Native
Refactor line endings logging to make it correct for all platforms and
webservers. (mturk)
Added command line windows make files. (mturk)
Allow fail_on_status directive to be multi line. (mturk)
42076: Fix name of new option from ForwardCertChain to
ForwardSSLCertChain as documented. (rjung)
Docs: Fix a couple of typos, change format of a few tables, fix links to
news pages. (rjung)
Fix correct URL for TC 6 examples in new IIS rewrite.properties
configuration example file. (rjung)
Add svn properties to several files. (rjung)
Add TC 6 examples to uriworkermap.properties in config examples. (rjung)
Allow multiple status codes for fail_on_status directive. The status
codes can be delimited by space or comma characters. (mturk)
IIS. Added pcre like regular expressions for url rewrite rules. (mturk)
41922: Apache 1.3. Enable JkEnvVar. (mturk)
Apache. Add --enable-flock configure parameter for explicit compilation
of the faster flock() system call on operating systems that support it. By
default the fcntl system call is used for locking; it is a little slower
but also works on NFS mounted volumes. (mturk)
41562: Add Debug logging for read from client in ISAPI Redirector.
Contributed by Tim Whittington. (mturk)
Apache. Add ForwardSSLCertChain JkOption. Contributed by Patrik
Schnellmann. (mturk)
IIS. Do not forbid access to web-inf or meta-inf if there is no mapped
worker. This allows having resources with those names that are outside
mapped contexts. (mturk)
Apache. Use process id for creating shared memory name and delete shared
memory and shared memory lock files on exit. (mturk)
IIS. Fix Keep-Alive regression introduced in 1.2.21. (mturk)
Delete unused check for empty init_map during startup. (rjung)
41770: Fix startup error if no JkWorkersFile is used. (rjung)
Use JK_TRUE/JK_FALSE instead of OK/!OK as return values in init_jk().
(rjung)
Minor adjustments to apache startup log messages (when to use STDERR,
remove deprecated NOERRNO flag, shm warning and warnings for usage of
default files). (rjung)
Replace APR precompiler directive by httpd mpm_query to detect MPM
threading. Add a debug log message about auto-detected pool size. (rjung)
Make MMN check easier to understand and a little more precise (for new
ap_get_server_banner()/ap_get_server_description()). We use the new API
only for Apache httpd 2.3. This way our binaries are not tightly coupled
to a minor 2.0 version, and we don't use ap_get_server_banner() any way.
(rjung)
Use the full description string ap_get_server_description() instead of
the truncated info from ap_get_server_banner(), because this info gets
used internally (status worker display and ajp14 backend communication)
and is not sent back to the normal user. (rjung)
41757: Document the "--enable-prefork" flag of configure. (rjung)
Enhance log messages for failures when parsing attribute maps. (rjung)
Correct log message during worker initialization, in case remote host
could not be resolved. We logged the default host name "localhost" instead
of the configured one. (rjung)
41770: Fix the second part of the bug: local_worker and local_worker_only
is missing from the list of deprecated attributes (and not supported
either), so prevents the web server from startup. (rjung)
Changes between 1.2.20 and 1.2.21
Native
CVE-2007-0774: A denial of service and critical remote code execution
vulnerability. Caused by a buffer overflow in map_uri_to_worker() when URLs
were longer than 4095 bytes. Reported by ZDI (www.zerodayintiative.com).
Please note this issue only affected versions 1.2.19 and 1.2.20 of the
Apache Tomcat JK Web Server Connector and not previous versions. Tomcat
5.5.20 and Tomcat 4.1.34 included a vulnerable version in their source
packages. Other versions of Tomcat were not affected.
Check the worker. parameters and don't start if the parameter is not a
valid one. (jfclere)
41439: Allow session IDs to get stripped off URLs of static content in
Apache by adding JkStripSession directive (configurable per vhost). (mturk)
Change semantics of empty defaults for JkEnvVar variables. Until 1.2.19:
not allowed. In 1.2.20: send variables as empty strings, if neither set to
non empty in config, nor during runtime. Starting with 1.2.21: If config
has no second argument only send variable if set (even when set to empty
string) during runtime. Allows good combination with condition attribute
in tomcat access log. (rjung)
41610: Fix incorrect detection of missing Content-Length header leading
to duplicate headers. Contributed by Boris Maras. (rjung)
Better build support for SunONE (Netscape/iPlanet) webservers. (jim)
Add warning if duplicate map keys are read and are not allowed, e.g. when
parsing uriworkermap.properties. (rjung)
Don't concat worker names, if uriworkermap.properties has a duplicate
pattern, instead overwrite the worker. (rjung)
Log deprecation message even in duplication case. (rjung)
uriworkermap.properties: Fix off-by-one problem when deleting URL mapping
during reloading of uriworkermap.properties. (rjung)
41439: Allow session IDs to get stripped off URLs of static content in
IIS (configurable). (rjung)
41333: Re New attribute user (list) denies access, if the request
user in the sense of remote_user is not in this list. Empty list = no deny.
(rjung)
Status Worker: New attribute read_only di (rjung)
36121: Don't change main uri when mod_jk serves included uri. (markt)
Apache VHosts: Merge JkOptions +base - -base + +vhost - -vhost. (rjung)
Apache Docs: Adding requirements, context information, default values and
inheritance rules tpe to status worker, remove the redundant
"context" column in the map listing (context=uri). (rjung)
uriworkermap: On reload of the file, all old entries from the previous
file versions and exclusion maps internally separate. Don't treat them
as the same when adding a rule. (rjung)
Status Worker: Display mapping rules also for non-lb workers and in
global view. (r the main log. (rjung)
Apache VHosts: Allow individual timestamp formats by refactoring the
formatting method. (rjung)
Apache VHosts: Adding all missing config items to the virtual host level.
Don't overwrite the settings from the global server, but inherit them in
case they are not set in the virtual host. (rjung)
Apache: remove unnecessary function names from log messages. (rjung)
Apache: add a default log file location and a message, if the default
gets used. (rjung)
Apache: add missing JK_IS_DEBUG_LEVEL() (rjung)
Apache VHosts: Allow JkWorkersFile, JKWorkerProperty, JkShmFile and
JkShmFileSize only in global virtual server. (rjung)
Add some more jk_close_socket() and reduce log level for some info
messages. (rjung)
Load Balancer: Added the Sessions strategy. Contributed by Takayuki
Kaneko. (rjung)
Docs: Minor enhancements and syncing with more recent versions. (rjung)
40997: Separate uri mappings from their '!' counterpart when checking for
duplicates in(rjung)
40877: Make sure the shared memory is reset on attach for multiple web
server child processes. (mturk)
IIS: Added shm_size property to be able to deal with over 64 workers
case default thread count to 250, so its the same as Apache
Httpd default configuration. (mturk)
40966: Fix socket descriptor checks on windows. (mturk)
40965: Initialize missing servi(mturk)
40938: Fix releasing of rewrite map. Thanks to Chris Adams for spotting
that. (mturk)
Apache: Added +FlushHeader JkOptions. (mturk)
Added explicit flush when AJP body packet sensitivity bug in URL mapping. (rjung)
40793: Documentation: Improvements to Apache HowTo provided by Paul
Charles Leddy. (markt)
40774: Fixing wrong recursion termination. This one restricted the
"reference" feature unintentionally to 20 wor 40716: Adding "reference" feature to IIS and Netscape. (rjung)
Documentation: Corrected SetEnvIf syntax in JK_WORKER_NAME example.
(rjung)
Documentation: Added forgotten STATE and A Apache. (rjung)
Apache: Use instdso.sh instead libtool: libtool does not work on HP-UX
for example. (jfclere)
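The CVE-2007-0774 entry in the 1.2.21 changes above describes a stack buffer overflow in map_uri_to_worker() for URLs longer than 4095 bytes. The following C program is an added example written for this page, not mod_jk's own source: it shows the shape of that bug class beside the bounded form that rejects an overlong URI before copying it. The 4095-byte limit comes from the entry; the worker prefix table, the ';' stripping step and the function names are illustrative assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Added example, not mod_jk source. It mirrors the bug class named in
 * the CVE-2007-0774 entry: the request URI is copied into a fixed-size
 * buffer for processing, and 1.2.19/1.2.20 did not check its length.
 * JK_MAX_URI_LEN is the 4095-byte figure from the entry; the worker
 * table and the ';' stripping step are assumptions for illustration. */
#define JK_MAX_URI_LEN 4095

static const char *const WORKER_PREFIXES[] = { "/examples/", "/status/", NULL };

/* Shared mapping step: strip a ';jsessionid=...' style suffix, then
 * match the cleaned path against the prefix table. Returns the 1-based
 * index of the matching worker, or 0 when nothing matches. */
static int match_clean_uri(char *clean)
{
    char *sc = strchr(clean, ';');
    int i;
    if (sc != NULL)
        *sc = '\0';
    for (i = 0; WORKER_PREFIXES[i] != NULL; i++)
        if (strncmp(clean, WORKER_PREFIXES[i], strlen(WORKER_PREFIXES[i])) == 0)
            return i + 1;
    return 0;
}

/* Vulnerable shape: strcpy into a 4096-byte stack buffer with no length
 * check. Any URI longer than JK_MAX_URI_LEN overruns 'clean' and
 * smashes the stack. Shown for comparison only; never feed it
 * attacker-controlled input. */
static int map_uri_vulnerable(const char *uri)
{
    char clean[JK_MAX_URI_LEN + 1];
    strcpy(clean, uri);
    return match_clean_uri(clean);
}

/* Hardened shape: reject overlong URIs before any copy and use a
 * bounded copy. Returns -1 for a rejected URI so the caller can answer
 * with an error status instead of crashing the web server child. */
static int map_uri_hardened(const char *uri)
{
    char clean[JK_MAX_URI_LEN + 1];
    size_t len = strlen(uri);
    if (len > JK_MAX_URI_LEN)
        return -1;
    memcpy(clean, uri, len + 1);   /* len <= JK_MAX_URI_LEN, fits with NUL */
    return match_clean_uri(clean);
}

/* Builds a URI of exactly 'len' bytes under /examples/ and runs it
 * through the hardened mapper, so the boundary can be probed. */
static int probe_hardened(size_t len)
{
    char *uri = malloc(len + 1);
    int rc;
    if (uri == NULL)
        return -2;
    memset(uri, 'A', len);
    if (len >= 10)
        memcpy(uri, "/examples/", 10);
    uri[len] = '\0';
    rc = map_uri_hardened(uri);
    free(uri);
    return rc;
}

int main(void)
{
    printf("short URI with session id -> worker %d\n",
           map_uri_hardened("/examples/servlet/Hello;jsessionid=abc"));
    printf("same input through the unchecked variant -> worker %d\n",
           map_uri_vulnerable("/examples/servlet/Hello;jsessionid=abc"));
    printf("4095 bytes -> %d, 4096 bytes -> %d\n",
           probe_hardened(4095), probe_hardened(4096));
    return 0;
}
```

Compile with cc -Wall and run: the 4095-byte probe maps to worker 1 while the 4096-byte probe is rejected with -1. The vulnerable variant is only ever called with a short constant here; the hardened one turns what would be a stack overwrite into a rejected request, which is the behaviour a front-end connector needs for any input it copies into a fixed buffer.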
---
Module Name: pkgsrc
Committed By: obache
Date: Tue May 29 02:22:22 UTC 2007
Modified Files:
pkgsrc/www/ap-jk: Makefile.common distinfo
Log Message:
Update ap-jk to 1.2.23.
It fixes an Important vulnerability.
Changes between 1.2.22 and 1.2.23
Native
Change the default value of JkOptions to ForwardURICompatUnparsed. The
old default value was ForwardURICompat. This should make URL
interpretation between Apache httpd and Tomcat consistent (prevent
double decoding problems). (rjung)
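The 1.2.23 entry above changes the default JkOptions from ForwardURICompat to ForwardURICompatUnparsed to prevent double-decoding problems. As an added illustration written for this page (not mod_jk code), the following C program models the two forwarding modes: with ForwardURICompat, httpd forwards the URI it has already decoded and Tomcat decodes it again; with ForwardURICompatUnparsed, httpd forwards the raw request URI, so Tomcat decodes exactly once and sees the same path httpd checked. The WEB-INF deny rule, the buffer sizes and the sample request are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not mod_jk source. It shows why 1.2.23 made
 * ForwardURICompatUnparsed the default: with ForwardURICompat, httpd
 * forwards its already-decoded URI and Tomcat decodes it a second time,
 * so a doubly-encoded path can slip past a check applied on the httpd
 * side. The deny rule and the sample request are constructed here. */

static int hexval(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/* One round of percent-decoding. Invalid escapes are left untouched.
 * Returns 0 on success, -1 if the output buffer is too small. */
static int url_decode_once(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        int c = (unsigned char)*in;
        if (c == '%' && in[1] != '\0' && in[2] != '\0') {
            int h = hexval((unsigned char)in[1]);
            int l = hexval((unsigned char)in[2]);
            if (h >= 0 && l >= 0) {
                c = (h << 4) | l;
                in += 2;
            }
        }
        if (o + 1 >= outlen)
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Convenience for checks: does one decoding round of 'in' equal 'expected'? */
static int decodes_once_to(const char *in, const char *expected)
{
    char buf[256];
    return url_decode_once(in, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

/* A front-end access rule of the kind an httpd admin writes to keep
 * WEB-INF out of reach; it looks at the path httpd decoded once. */
static int httpd_denies(const char *decoded_path)
{
    return strstr(decoded_path, "/WEB-INF/") != NULL;
}

/* ForwardURICompat: httpd decodes, checks, forwards the DECODED path;
 * Tomcat decodes again. Returns 1 if Tomcat ends up under WEB-INF,
 * 0 otherwise, -1 on a buffer problem. */
static int reaches_web_inf_compat(const char *raw_request_uri)
{
    char once[256], twice[256];
    if (url_decode_once(raw_request_uri, once, sizeof once) != 0)
        return -1;
    if (httpd_denies(once))
        return 0;
    if (url_decode_once(once, twice, sizeof twice) != 0)
        return -1;
    return strstr(twice, "/WEB-INF/") != NULL;
}

/* ForwardURICompatUnparsed: httpd still checks its decoded view but
 * forwards the RAW request URI, so Tomcat decodes exactly once and
 * sees the same path httpd checked. */
static int reaches_web_inf_unparsed(const char *raw_request_uri)
{
    char httpd_view[256], tomcat_view[256];
    if (url_decode_once(raw_request_uri, httpd_view, sizeof httpd_view) != 0)
        return -1;
    if (httpd_denies(httpd_view))
        return 0;
    if (url_decode_once(raw_request_uri, tomcat_view, sizeof tomcat_view) != 0)
        return -1;
    return strstr(tomcat_view, "/WEB-INF/") != NULL;
}

int main(void)
{
    /* %25 decodes to '%', so one round yields /app/%57EB-INF/web.xml and
     * a second round yields /app/WEB-INF/web.xml. */
    const char *probe = "/app/%2557EB-INF/web.xml";
    printf("one decode of %s gives %%57EB-INF: %d\n", probe,
           decodes_once_to(probe, "/app/%57EB-INF/web.xml"));
    printf("compat=%d unparsed=%d\n",
           reaches_web_inf_compat(probe), reaches_web_inf_unparsed(probe));
    return 0;
}
```

On the doubly-encoded probe the compat path reports that Tomcat ends up at /app/WEB-INF/web.xml even though httpd's check passed, while the unparsed path does not, because both sides decoded the same raw bytes once. Installations that cannot move to 1.2.23 can select the same behaviour explicitly with JkOptions +ForwardURICompatUnparsed in httpd.conf, since the option itself predates the change of default.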
To generate a diff of this commit:
cvs rdiff -r1.4 -r1.4.2.1 pkgsrc/www/ap-jk/Makefile.common
cvs rdiff -r1.7 -r1.7.4.1 pkgsrc/www/ap-jk/distinfo
cvs rdiff -r1.4 -r1.4.10.1 pkgsrc/www/ap-jk/patches/patch-aa
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.