---
- branch: MAIN
date: Sun Aug 9 15:01:55 UTC 2020
files:
- new: '1.94'
old: '1.93'
path: pkgsrc/www/apache24/Makefile
pathrev: pkgsrc/www/apache24/Makefile@1.94
type: modified
- new: '1.44'
old: '1.43'
path: pkgsrc/www/apache24/distinfo
pathrev: pkgsrc/www/apache24/distinfo@1.44
type: modified
id: 20200809T150155Z.074ab977d0c5819f033e0de9761c1d0cdef4e20d
log: "www/apache24: update to 2.4.46\n\nUpdate apache24 to 2.4.46 (Apache HTTPD
2.4.46). It fixes several\nsecurity problems:\n\nCVE-2020-9490: Push Diary Crash
on Specifically Crafted HTTP/2 Header\nCVE-2020-11984: mod_uwsgi buffer overflow\nCVE-2020-11985:
CWE-345: Insufficient verification of data authenticity\nCVE-2020-11993: Push
Diary Crash on Specifically Crafted HTTP/2 Header\n\npkgsrc changes: reduce warnings
by SUBST_* processing.\n\nChanges with Apache 2.4.46\n *) mod_proxy_fcgi: Fix
build warnings for Windows platform\n [Eric Covener, Christophe Jaillet]\n\nChanges
with Apache 2.4.45\n\n *) mod_http2: remove support for abandoned http-wg draft\n
\ .\n [Stefan
Eissing]\n\nChanges with Apache 2.4.44\n\n *) mod_proxy_uwsgi: Error out on HTTP
header larger than 16K (hard\n protocol limit). [Yann Ylavic]\n\n *) mod_http2:\n
\ Fixes :\n \"LimitRequestFields
0\" now disables the limit, as documented.\n Fixes :\n
\ Do not count repeated headers with same name against the field\n count
limit. They are merged internally, as if sent in a single HTTP/1 line.\n [Stefan
Eissing]\n\n *) mod_http2: Avoid segfaults in case of handling certain responses
for\n already aborted connections. [Stefan Eissing, Ruediger Pluem]\n\n *)
mod_http2: The module now handles master/secondary connections and has marked\n
\ methods according to use. [Stefan Eissing]\n\n *) core: Drop an invalid
Last-Modified header value coming\n from a FCGI/CGI script instead of replacing
it with Unix epoch.\n [Yann Ylavic, Luca Toscano]\n\n *) Add support for
strict content-length parsing through addition of\n ap_parse_strict_length()
[Yann Ylavic]\n\n *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when
expression\n evaluates to false. PR64365. [Michael König ]\n\n
\ *) mod_proxy_http: flush spooled request body in one go to avoid\n leaking
(or long lived) temporary file. PR 64452. [Yann Ylavic]\n\n *) mod_ssl: Fix a
race condition and possible crash when using a proxy client\n certificate
(SSLProxyMachineCertificateFile).\n [Armin Abfalterer ]\n\n
\ *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]\n\n
\ *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.\n
\ PR64330 [Stefan Eissing]\n\n *) mod_http2: Fixed regression that caused
connections to close when mod_reqtimeout\n was configured with a handshake
timeout. Fixes github issue #196.\n [Stefan Eissing]\n\n *) mod_proxy_http2:
the \"ping\" proxy parameter\n (see )
is now used\n when checking the liveliness of a new or reused h2 connection
to the backend.\n With short durations, this makes load-balancing more responsive.
The module\n will hold back requests until ping conditions are met, using
features of the\n HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]\n\n
\ *) core: httpd is no longer linked against -lsystemd if mod_systemd\n is
enabled (and built as a DSO). [Rainer Jung]\n\n *) mod_proxy_http2: respect
ProxyTimeout settings on backend connections\n while waiting on incoming data.
[Ruediger Pluem, Stefan Eissing]\n"
module: pkgsrc
subject: 'CVS commit: pkgsrc/www/apache24'
unixtime: '1596985315'
user: taca