| Commit message | Author | Age | Files | Lines |
| |
Because htcacheclean has no dependencies set, it runs before the
file system is ready, even though it makes changes to the file system.
Define FILESYSTEMS as requirement to fix this race condition.
PR: 268216
Approved by: portmgr (maintainer timeout, 5+ months)
| |
With hat: apache
| |
Changes with Apache 2.4.56
*) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
HTTP response splitting (cve.mitre.org)
HTTP Response Smuggling vulnerability in Apache HTTP Server via
mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
2.4.30 through 2.4.55.
Special characters in the origin response header can
truncate/split the response forwarded to the client.
Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)
*) SECURITY: CVE-2023-25690: HTTP request splitting with
mod_rewrite and mod_proxy (cve.mitre.org)
Some mod_proxy configurations on Apache HTTP Server versions
2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with
some form of RewriteRule or ProxyPassMatch in which a non-specific
pattern matches some portion of the user-supplied request-target (URL)
data and is then re-inserted into the proxied request-target using
variable substitution. For example, something like:
  RewriteEngine on
  RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
  ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access
controls in the proxy server, proxying unintended URLs to
existing origin servers, and cache poisoning.
Credits: Lars Krapf of Adobe
*) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
truncated without the initial logfile being truncated. [Eric Covener]
*) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
allow connections of any age to be reused. Up to now, a negative value
was handled as an error when parsing the configuration file. PR 66421.
[nailyk <bzapache nailyk.fr>, Christophe Jaillet]
*) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
of headers. [Ruediger Pluem]
*) mod_md:
- Enabling ED25519 support and certificate transparency information when
building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
- MDChallengeDns01 can now be configured for individual domains.
Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
- Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
teardown not being invoked as it should.
[Stefan Eissing]
*) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
reported in access logs and error documents. The processing of the
reset was correct, only unnecessary reporting was caused.
[Stefan Eissing]
*) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
[Yann Ylavic]
PR: 270037
Reported by: Fabian Wenk <fabian@wenks.ch>
Sponsored by: Netzkommune GmbH
| |
Fixes multiple vulnerabilities.
PR: 269015
MFH: 2023Q1
Security: 00919005-96a3-11ed-86e9-d4c9ef517024
CVE-2022-37436, CVE-2022-36760, CVE-2006-20001
| |
Commit b7f05445c00f has added WWW entries to port Makefiles based on
WWW: lines in pkg-descr files.
This commit removes the WWW: lines of moved-over URLs from these
pkg-descr files.
Approved by: portmgr (tcberner)
| |
It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.
Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was transferred into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.
There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.
This commit implements such a proposal and moves one of the WWW: entries
of each pkg-descr file into the respective port's Makefile. A heuristic
attempts to identify the most relevant URL in case there is more than
one WWW: entry in some pkg-descr file. URLs that are not moved into the
Makefile are prefixed with "See also:" instead of "WWW:" in the pkg-descr
files in order to preserve them.
There are 1256 ports that had no WWW: entries in pkg-descr files. These
ports will not be touched in this commit.
The portlint port has been adjusted to expect a WWW entry in each port
Makefile, and to flag any remaining "WWW:" lines in pkg-descr files as
deprecated.
Approved by: portmgr (tcberner)
| |
With hat: apache
Security: 49adfbe5-e7d1-11ec-8fbd-d4c9ef517024
MFH: 2022Q2
| |
PR: 262603
Sponsored by: Netzkommune GmbH
| |
This is a separate commit to facilitate easier cherry-picking for
quarterly.
PR: 262853, 262940, 262877, 263126
Approved by: fluffy (mentor)
| |
Security: 6601c08d-a46c-11ec-8be6-d4c9ef517024
MFH: 2022Q1
| |
There have been lots of missing CONFLICTS_INSTALL entries, either
because conflicting ports were added without updating existing ports,
due to name changes of generated packages, due to misunderstanding
the format and semantics of the conflicts entries, or just due to
typos in package names.
This patch is the result of a comparison of all files contained in
the official packages with each other. This comparison was based on
packages built with default options and may therefore have missed
further conflicts with optionally installed files.
Where possible, version numbers in conflicts entries have been
generalized, sometimes taking advantage of the fact that a port
cannot conflict with itself (due to logic in bsd.port.mk that
suppresses the pattern match result in that case).
A few ports that set the conflicts variables depending on complex
conditions (e.g. port options), have been left unmodified, despite
probably containing outdated package names.
These changes should only affect the installation of locally built
ports, not the package building with poudriere. They should give an
early indication of the install conflict in cases where currently
the pkg command aborts an installation when it detects that an
existing file would be overwritten.
Approved by: portmgr (implicit)
| |
Security: ca982e2d-61a9-11ec-8be6-d4c9ef517024
MFH: 2021Q4
| |
Fixes: critical: Path Traversal and Remote Code Execution in Apache
HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
(CVE-2021-42013)
PR: 258988
MFH: 2021Q4
Security: CVE-2021-41773, CVE-2021-42013
| |
* Fixes hang with event MPM
PR: 258767
| |
Security: 38f9-17dd-11ec-b335-d4c9ef517024
MFH: 2021Q3
| |
Approved by: apache (with hat)
| |
Reported by: lwhsu
| |
PR: 253394
Reported by: many
Approved by: apache (with hat)
MFH: 2021Q1
Sponsored by: Netzkommune GmbH
Differential Revision: https://reviews.freebsd.org/D28932
Notes:
svn path=/head/; revision=568256
| |
* Use the dists build/rules.mk method
* cleanup of left-over files from strip
PR: 252792
Submitted by: meta
Approved by: joneum (apache)
Differential Revision: https://reviews.freebsd.org/D28217
Notes:
svn path=/head/; revision=566051
| |
PR: 248052
Submitted by: Michael Osipov <michael osipov siemens com>
Approved by: apache (brnrd)
Notes:
svn path=/head/; revision=544279
| |
Notes:
svn path=/head/; revision=544237
| |
PR: 237726
Submitted by: Igor Galic <me@igalic.co>
Sponsored by: Netzkommune GmbH
Notes:
svn path=/head/; revision=542789
| |
This adds another knob to configure apache with syslog-enabled suexec
PR: 239264
Submitted by: Robert Schulze <rs@bytecamp.net>
Approved by: apache (with hat)
Sponsored by: Netzkommune GmbH
Notes:
svn path=/head/; revision=542072
| |
Changelog: https://downloads.apache.org/httpd/CHANGES_2.4.43
MFH: 2020Q2
Security: b360b120-74b1-11ea-a84a-4c72b94353b5
Sponsored by: Netzkommune GmbH
Notes:
svn path=/head/; revision=530372
| |
Notes:
svn path=/head/; revision=514145
| |
Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.41
Sponsored by: Netzkommune GmbH
Notes:
svn path=/head/; revision=508964
| |
Notes:
svn path=/head/; revision=508913
| |
as defined in Mk/bsd.default-versions.mk which has moved from GCC 8.3
to GCC 9.1 under most circumstances now after revision 507371.
This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn features USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c11, c++0x, c++11-lang,
c++11-lib, c++14-lang, c++17-lang, or gcc-c++11-lib
plus, everything INDEX-11 shows with a dependency on lang/gcc9 now.
PR: 238330
Notes:
svn path=/head/; revision=507372
| |
PR: 238488
Reported by: girgen
Sponsored by: Netzkommune GmbH
Notes:
svn path=/head/; revision=503960
| |
This is needed to fix build of www/mod_maxminddb.
Approved by: mentors (implicit approval)
Notes:
svn path=/head/; revision=500652
| |
- Adds mod_socache_redis feature
Changes: https://www.apache.org/dist/httpd/CHANGES_2.4.39
MFH: 2019Q2
Security: cf2105c6-551b-11e9-b95c-b499baebfeaf
Notes:
svn path=/head/; revision=497554
| |
Changelog:
*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time allowing
sessions to be reused. [Hank Ibell]
*) SECURITY: CVE-2018-17189 (cve.mitre.org)
mod_http2: fixes a DoS attack vector. By sending slow request bodies
to resources not consuming them, httpd cleanup code occupies a server
thread unnecessarily. This was changed to an immediate stream reset
which discards all stream state and incoming data. [Stefan Eissing]
*) SECURITY: CVE-2019-0190 (cve.mitre.org)
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later. PR 63052. [Joe Orton]
*) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
PR 63052 [Joe Orton]
*) mod_negotiation: Treat LanguagePriority as case-insensitive to match
AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet]
*) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
have been fixed. [Michael Kaufmann, Stefan Eissing]
*) mod_setenvif: We can have expressions that become true if a regex pattern
in the expression does NOT match. In this case val is NULL
and we should just set the value for the environment variable
like in the pattern case. [Ruediger Pluem]
*) mod_session: Always decode session attributes early. [Hank Ibell]
*) core: Incorrect values for environment variables are substituted when
multiple environment variables are specified in a directive. [Hank Ibell]
*) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
this type of map is present in the configuration. PR62311.
[Hank Ibell <hwibell gmail.com>]
*) mod_dav: Fix invalid Location header when a resource is created by
passing an absolute URI on the request line [Jim Jagielski]
*) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
[Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]
*) mod_ssl: clear *SSL errors before loading certificates and checking
afterwards. Otherwise errors are reported when other SSL using modules
are in play. Fixes PR 62880. [Michael Kaufmann]
*) mod_ssl: Fix the error code returned in an error path of
'ssl_io_filter_handshake()'. This messes-up error handling performed
in 'ssl_io_filter_error()' [Yann Ylavic]
*) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
authz provider so "Require ssl" works correctly in HTTP/2.
PR 61519, 62654. [Joe Orton, Stefan Eissing]
*) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
redirects, subsequent ProxyPassReverse statements, whether they are
relative or absolute, may fail. PR 60408. [Peter Haworth <pmh1wheel gmail.com>]
*) mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1]
MFH: 2019Q1
Security: eb888ce5-1f19-11e9-be05-4c72b94353b5
Sponsored by: Netzkommune GmbH
Notes:
svn path=/head/; revision=491041
| |
Simplify some ports where DragonFlyBSD no longer needs to be special-cased.
Submitted by: rene
Reviewed by: bapt, jbeich
Differential Revision: https://reviews.freebsd.org/D17724
Notes:
svn path=/head/; revision=483807
| |
- Adds TLSv1.3 support with security/openssl111
PR: 232687
Submitted by: Pascal Christen <pascal christen hostpoint.ch>
Reported by: Markus Kohlmeyer <rootservice gmail com>
Reviewed by: ohauer
Approved by: joneum
Differential Revision: https://reviews.freebsd.org/D17668
Notes:
svn path=/head/; revision=483139
| |
Changelog:
*) http: Enforce consistently no response body with both 204 and 304
statuses. [Yann Ylavic]
*) mod_status: Cumulate CPU time of exited child processes in the
"cu" and "cs" values. Add CPU time of the parent process to the
"c" and "s" values.
[Rainer Jung]
*) mod_proxy: Improve the balancer member data shown in mod_status when
"ProxyStatus" is "On": add "busy" count and show byte counts in
auto mode always in units of kilobytes. [Rainer Jung]
*) mod_status: Add cumulated response duration time in milliseconds.
[Rainer Jung]
*) mod_status: Complete the data shown for async MPMs in "auto" mode.
Added number of processes, number of stopping processes and number
of busy and idle workers. [Rainer Jung]
*) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression
introduced in 2.4.34. PR 62568. [Yann Ylavic]
*) mod_proxy: Remove load order and link dependency between mod_lbmethod_*
modules and mod_proxy. PR 62557. [Ruediger Pluem, William Rowe]
*) Allow the argument to <IfFile>, <IfDefine>, <IfSection>, <IfDirective>,
and <IfModule> to be quoted. This is primarily for the benefit of
<IfFile>. [Eric Covener]
*) mod_watchdog: Correct some log messages. [Rainer Jung]
*) mod_md: When the last domain name from an MD is moved to another one,
that now empty MD gets moved to the store archive. PR 62572.
[Stefan Eissing]
*) mod_ssl: Fix merging of SSLOCSPOverrideResponder. [Jeff Trawick,
[Frank Meier <frank meier ergon.ch>]
*) mod_proxy_balancer: Restore compatibility with APR 1.4. [Joe Orton]
With hat: apache
Notes:
svn path=/head/; revision=480688
| |
Also various fixes related to said option.
PR: 230864
Submitted by: mat
exp-runs by: antoine
Notes:
svn path=/head/; revision=479406
| |
- fixes vulns in mod_http2 and mod_md
- include SSL_* options in alphabetic ordering
- Remove unneeded SSL_CFLAGS and _LDFLAGS
- Remove WITH_HTTP_PORT and WITH_SSL_PORT
- Remove trailing whitespace
- Fix build with HTTP2 but without SSL [1]
PR: 229802, 227944 [1]
With hat: apache
Approved by: brnrd (apache)
MFH: 2018Q3
Security: 8b1a50ab-8a8e-11e8-add2-b499baebfeaf
Differential Revision: https://reviews.freebsd.org/D16294
Notes:
svn path=/head/; revision=475018
| |
Notes:
svn path=/head/; revision=474734
| |
- Fix LOG_FORENSIC in plist while here
PR: 227868
Reported by: Jens K. Loewe <mozilla tuxproject de>
Approved by: hat (apache@)
Notes:
svn path=/head/; revision=468867
| |
Notes:
svn path=/head/; revision=465983
| |
- While here, fix a regression with mod_session
Notes:
svn path=/head/; revision=465982
| |
- Remove -L/usr/lib from LDFLAGS [1]
- Remove non-working show-modules target
- Use new style patch filenames
PR: 227108 [1]
With hat: apache
Submitted by: mat [1]
Reported by: eugen [1]
MFH: 2018Q1
Notes:
svn path=/head/; revision=465978
| |
- Add new uwsgi and md modules
- Fix LibreSSL 2.7.x builds
- Remove conflicts for non-existent ports
- There are no slave-ports
- Coalesce .if WITH_DEBUG blocks
- Use OPTIONS where possible
- Remove dead code
- Actually enable/disable modules in ALL_MODULES loop
- Add suexec warning
- Move Makefile.options to Makefile (too small)
PR: 226647
With hat: apache
Approved by: brnrd (apache)
MFH: MFH2018Q1
Security: f38187e7-2f6e-11e8-8f07-b499baebfeaf
Notes:
svn path=/head/; revision=465461
| |
- Repair my rookie mistake of earlier today
- Bump revision of dependent ports (again)
Reported by: antoine
Notes:
svn path=/head/; revision=465240
| |
- iconv is in base in all supported FreeBSD versions
- Fix build with MariaDB 10.2 [2]
- Bump portrevision in dependencies
PR: 226705 [1], 226026 [2]
With hat: apache
Approved by: joneum (apache)
Notes:
svn path=/head/; revision=465232
| |
- Chase required changes in framework (bsd.sanity.mk, bsd.port.mk)
- Chase required changes in ports (version checks)
- Chase required changes in PHP ports (include bsd.apache.mk)
- exp-run by antoine, brnrd, joneum
PR: 223691 (exp-run)
Reviewed by: joneum (hat apache), mat (portmgr), antoine (portmgr)
Approved by: joneum (hat apache)
Approved by: portmgr
With hat: apache
Notes:
svn path=/head/; revision=464175
| |
- Remove patch for CVE-2017-9798 (included upstream)
- Remove mod_ssl LibreSSL patches (included upstream)
- Fix SSL stapling patch for LibreSSL
- mod_http2 no longer experimental
PR: 222814
With hat: apache
Notes:
svn path=/head/; revision=452732
| |
- Bump PORTREVISION
Security: 76b085e2-9d33-11e7-9260-000c292ee6b8
Notes:
svn path=/head/; revision=450116