- security update to release 2.4.10

- add OPTION for new mod_authnz_fcgi module

- s/libluajit.so/libluajit-5.1.so/ (there is no libluajit.so)

- backport for mod_lua: Don't quote values in cookies
   Make IE happy again [#56734]
   http://svn.apache.org/viewvc?view=revision&revision=1611744

- disable sanity check on demand [1]

Release Notes:
 http://www.apache.org/dist/httpd/CHANGES_2.4.10

PR:		191398 [1]
Submitted by:	Robert Schulze <rs@bytecamp.net>
MFH:		2014Q3
Security:	4364e1f1-0f44-11e4-b090-20cf30e32f6d
		CVE-2014-0117
		CVE-2014-3523
		CVE-2014-0226
		CVE-2014-0118
		CVE-2014-0231

8 files changed, 53 insertions, 51 deletions

diff --git a/www/apache24/Makefile b/www/apache24/Makefile
index 4ed47fdfc7a3..75df28cef55b 100644
--- a/www/apache24/Makefile
+++ b/www/apache24/Makefile
@@ -1,8 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	apache24
-PORTVERSION=	2.4.9
-PORTREVISION=	4
+PORTVERSION=	2.4.10
 CATEGORIES=	www ipv6
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD}
 DISTNAME=	httpd-${PORTVERSION}
@@ -53,7 +52,7 @@ IPV4_MAPPED_CONFIGURE_ENABLE=	v4-mapped
 
 LDAP_CONFIGURE_ON=		--enable-ldap=shared
 
-LUAJIT_LIB_DEPENDS=		libluajit.so:${PORTSDIR}/lang/luajit
+LUAJIT_LIB_DEPENDS=		libluajit-5.1.so:${PORTSDIR}/lang/luajit
 LUA_CONFIGURE_WITH=		lua
 LUA_USES=			lua
 
@@ -156,7 +155,7 @@ post-install:
 	@${MKDIR} ${STAGEDIR}/${EXAMPLESDIR}/modules.d
 	${INSTALL_DATA} ${FILESDIR}/README_modules.d ${STAGEDIR}/${EXAMPLESDIR}/modules.d
 
-# supress warnings about all the non binary files
+# suppress warning for non binary files
 	-@${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/* \
 		${STAGEDIR}${PREFIX}/bin/* \
 		${STAGEDIR}${PREFIX}/libexec/apache24/*.so 2>/dev/null
diff --git a/www/apache24/Makefile.options b/www/apache24/Makefile.options
index 10a85c14759c..dac2995e6959 100644
--- a/www/apache24/Makefile.options
+++ b/www/apache24/Makefile.options
@@ -57,7 +57,7 @@ MOST_ENABLED_MODULES= \
 	VERSION VHOST_ALIAS
 
 MOST_DISABLED_MODULES:= \
-	AUTHNZ_LDAP LDAP CHARSET_LITE DATA DAV_LOCK DIALUP IDENT LOG_FORENSIC \
+	AUTHNZ_LDAP AUTHNZ_FCGI LDAP CHARSET_LITE DATA DAV_LOCK DIALUP IDENT LOG_FORENSIC \
 	LUA REFLECTOR SLOTMEM_PLAIN SLOTMEM_SHM SOCACHE_DC SUEXEC USERTRACK \
 	XML2ENC WATCHDOG ${HEARTBEAT_MODULES} ${EXAMPLE_MODULES} ${DEV_MODULES}
 
diff --git a/www/apache24/Makefile.options.desc b/www/apache24/Makefile.options.desc
index 428484e7b524..aa6cd17dc941 100644
--- a/www/apache24/Makefile.options.desc
+++ b/www/apache24/Makefile.options.desc
@@ -42,6 +42,7 @@ ACTIONS_DESC=			Action triggering on requests
 ALIAS_DESC=			Mapping of requests to different filesystem parts
 ALLOWMETHODS_DESC=		Easily restrict what HTTP methods can be used on the server
 ASIS_DESC=			Sends files that contain their own HTTP headers
+AUTHNZ_FCGI_DESC=		Allows a FastCGI authorizer to handle the check_authn hook
 AUTHNZ_LDAP_DESC=		LDAP based authentication
 AUTHN_ANON_DESC=		Anonymous user authentication control
 AUTHN_CORE_DESC=		Core authentication module
diff --git a/www/apache24/distinfo b/www/apache24/distinfo
index b409cec0853a..c671eb1c9ace 100644
--- a/www/apache24/distinfo
+++ b/www/apache24/distinfo
@@ -1,2 +1,2 @@
-SHA256 (apache24/httpd-2.4.9.tar.bz2) = f78cc90dfa47caf3d83ad18fd6b4e85f237777c1733fc9088594b70ce2847603
-SIZE (apache24/httpd-2.4.9.tar.bz2) = 4994460
+SHA256 (apache24/httpd-2.4.10.tar.bz2) = 176c4dac1a745f07b7b91e7f4fd48f9c48049fa6f088efe758d61d9738669c6a
+SIZE (apache24/httpd-2.4.10.tar.bz2) = 5031834
diff --git a/www/apache24/files/apache24.in b/www/apache24/files/apache24.in
index e5fd89e8dac3..768e5cdc8218 100644
--- a/www/apache24/files/apache24.in
+++ b/www/apache24/files/apache24.in
@@ -23,6 +23,7 @@
 #                             Set to yes to check for accf_http kernel
 #                             module on start up and load if not loaded.
 # apache24_fib (str):	      Set an altered default network view for apache
+# apache24_configcheck_disable (bool): Set to "YES" to disable sanity check on startup
 
 . /etc/rc.subr
 
@@ -46,6 +47,7 @@ envvars="%%PREFIX%%/sbin/envvars"
 [ -z "$apache24limits_enable" ] && apache24limits_enable="NO"
 [ -z "$apache24limits_args" ]   && apache24limits_args="-e -C daemon"
 [ -z "$apache24_http_accept_enable" ] && apache24_http_accept_enable="NO"
+[ -z "$apache24_configcheck_disable" ] && apache24_configcheck_disable="NO"
 
 apache24_accf()
 {
@@ -75,6 +77,7 @@ if [ -n "$2" ]; then
 		eval apache24limits_enable="\${apache24limits_${profile}_enable:-${apache24limits_enable}}"
 		eval apache24limits_args="\${apache24limits_${profile}_args:-${apache24limits_args}}"
 		eval apache24_fib="\${apache24_${profile}_fib:-${apache24_fib}}"
+		eval apache24_configcheck_disable="\${apache24_${profile}_configcheck_disable:-${apache24_configcheck_disable}}"
 		eval command="\${apache24_${profile}_command:-${command}}"
 		eval pidfile="\${apache24_${profile}_pidfile:-${pidfile}}"
 		eval apache24_envvars="\${apache24_${profile}_envvars:-${envvars}}"
@@ -123,10 +126,14 @@ if [ "${1}" != "stop" ] ; then \
 	apache24_accf
 fi
 
+if checkyesno apache24_configcheck_disable
+then
+        unset restart_precmd
+        unset reload_precmd
+fi
+
 apache24_requirepidfile()
 {
-    apache24_checkconfig
-
 	if [ ! "0`check_pidfile ${pidfile} ${command}`" -gt 1 ]; then
 		echo "${name} not running? (check $pidfile)."
 		exit 1
@@ -147,6 +154,11 @@ apache24_checkconfig()
 apache24_graceful() {
 	apache24_requirepidfile
 
+	if ! checkyesno apache24_configcheck_disable
+	then
+		apache24_checkconfig
+	fi
+
 	echo "Performing a graceful restart"
 	eval ${command} ${apache24_flags} -k graceful
 }
@@ -154,13 +166,21 @@ apache24_graceful() {
 apache24_gracefulstop() {
 	apache24_requirepidfile
 
+	if ! checkyesno apache24_configcheck_disable
+	then
+		apache24_checkconfig
+	fi
+
 	echo "Performing a graceful stop"
 	eval ${command} ${apache24_flags} -k graceful-stop
 }
 
 apache24_precmd()
 {
-	apache24_checkconfig
+	if ! checkyesno apache24_configcheck_disable
+	then
+		apache24_checkconfig
+	fi
 
 	if checkyesno apache24limits_enable
 	then
diff --git a/www/apache24/files/patch-mod_authn_socache.c b/www/apache24/files/patch-mod_authn_socache.c
deleted file mode 100644
index a0d6c2fbf1ec..000000000000
--- a/www/apache24/files/patch-mod_authn_socache.c
+++ /dev/null
@@ -1,41 +0,0 @@
-mod_authn_socache.c: fix creation of default socache_instance.
-
-In pre_config, default socache_provider is created, but socache_instance
-initialization is missing. This leads to crash on startup if default
-socache_provider is used (AuthnCacheSOCache is not called) and
-AuthnCacheEnable or AuthnCacheProvideFor is used.
-
-
-Optained from: http://svn.apache.org/viewvc?view=revision&revision=1576233
-======================================================================================
---- ./modules/aaa/mod_authn_socache.c	2014/03/11 08:51:11	1576232
-+++ ./modules/aaa/mod_authn_socache.c	2014/03/11 08:52:54	1576233
-@@ -86,6 +86,7 @@
- {
-     apr_status_t rv;
-     static struct ap_socache_hints authn_cache_hints = {64, 32, 60000000};
-+    const char *errmsg;
- 
-     if (!configured) {
-         return OK;    /* don't waste the overhead of creating mutex & cache */
-@@ -98,6 +99,20 @@
-         return 500; /* An HTTP status would be a misnomer! */
-     }
- 
-+    /* We have socache_provider, but do not have socache_instance. This should
-+     * happen only when using "default" socache_provider, so create default
-+     * socache_instance in this case. */
-+    if (socache_instance == NULL) {
-+        errmsg = socache_provider->create(&socache_instance, NULL,
-+                                          ptmp, pconf);
-+        if (errmsg) {
-+            ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, plog, APLOGNO(02612)
-+                        "failed to create mod_socache_shmcb socache "
-+                        "instance: %s", errmsg);
-+            return 500;
-+        }
-+    }
-+
-     rv = ap_global_mutex_create(&authn_cache_mutex, NULL,
-                                 authn_cache_id, NULL, s, pconf, 0);
-     if (rv != APR_SUCCESS) {
diff --git a/www/apache24/files/patch-r1611744-modules__lua__lua_request.c b/www/apache24/files/patch-r1611744-modules__lua__lua_request.c
new file mode 100644
index 000000000000..15b0e05cb33f
--- /dev/null
+++ b/www/apache24/files/patch-r1611744-modules__lua__lua_request.c
@@ -0,0 +1,22 @@
+backport for mod_lua: Don't quote values in cookies; Make IE happy again [#56734]
+http://svn.apache.org/viewvc?view=revision&revision=1611744
+
+
+--- ./modules/lua/lua_request.c.orig	2014-07-20 10:48:19.000000000 +0200
++++ ./modules/lua/lua_request.c	2014-07-20 10:48:46.000000000 +0200
+@@ -2086,13 +2086,13 @@
+     if (expires > 0) {
+         rv = apr_rfc822_date(cdate, apr_time_from_sec(expires));
+         if (rv == APR_SUCCESS) {
+-            strexpires = apr_psprintf(r->pool, "Expires=\"%s\";", cdate);
++            strexpires = apr_psprintf(r->pool, "Expires=%s;", cdate);
+         }
+     }
+     
+     /* Create path segment */
+     if (path != NULL && strlen(path) > 0) {
+-        strpath = apr_psprintf(r->pool, "Path=\"%s\";", path);
++        strpath = apr_psprintf(r->pool, "Path=%s;", path);
+     }
+     
+     /* Create domain segment */
diff --git a/www/apache24/pkg-plist b/www/apache24/pkg-plist
index 37cb0a832c19..906b72e155df 100644
--- a/www/apache24/pkg-plist
+++ b/www/apache24/pkg-plist
@@ -78,6 +78,7 @@ libexec/apache24/httpd.exp
 %%MOD_ALIAS%%libexec/apache24/mod_alias.so
 %%MOD_ALLOWMETHODS%%libexec/apache24/mod_allowmethods.so
 %%MOD_ASIS%%libexec/apache24/mod_asis.so
+%%MOD_AUTHNZ_FCGI%%libexec/apache24/mod_authnz_fcgi.so
 %%MOD_AUTHNZ_LDAP%%libexec/apache24/mod_authnz_ldap.so
 %%MOD_AUTHN_ANON%%libexec/apache24/mod_authn_anon.so
 %%MOD_AUTHN_CORE%%libexec/apache24/mod_authn_core.so