Now
MAIN commitmail json YAML
pkgsrc/www/apache24/Makefile@1.124
/
diff
pkgsrc/www/apache24/distinfo@1.62 / diff
pkgsrc/www/apache24/patches/patch-configure@1.5 / diff
pkgsrc/www/apache24/patches/patch-modules_filters_mod__xml2enc.c deleted
pkgsrc/www/apache24/distinfo@1.62 / diff
pkgsrc/www/apache24/patches/patch-configure@1.5 / diff
pkgsrc/www/apache24/patches/patch-modules_filters_mod__xml2enc.c deleted
apache24: updated to 2.4.59
Changes with Apache 2.4.59
*) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
memory exhaustion on endless continuation frames (cve.mitre.org)
HTTP/2 incoming headers exceeding the limit are temporarily
buffered in nghttp2 in order to generate an informative HTTP 413
response. If a client does not stop sending headers, this leads
to memory exhaustion.
Credits: Bartek Nowotarski (https://nowotarski.info/)
*) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
Splitting in multiple modules (cve.mitre.org)
HTTP Response splitting in multiple modules in Apache HTTP
Server allows an attacker that can inject malicious response
headers into backend applications to cause an HTTP
desynchronization attack.
Users are recommended to upgrade to version 2.4.59, which fixes
this issue.
Credits: Keran Mu, Tsinghua University and Zhongguancun
Laboratory.
*) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
splitting (cve.mitre.org)
Faulty input validation in the core of Apache allows malicious
or exploitable backend/content generators to split HTTP
responses.
This issue affects Apache HTTP Server: through 2.4.58.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) mod_deflate: Fixes and better logging for handling various
error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton,
Eric Norris <enorris etsy.com>]
*) Add CGIScriptTimeout to mod_cgi. [Eric Covener]
*) mod_xml2enc: Tolerate libxml2 2.12.0 and later.
[ttachi <tachihara AT hotmail.com>]
*) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable.
[Jean-Frederic Clere]
*) mod_ssl: Use OpenSSL-standard functions to assemble CA
name lists for SSLCACertificatePath/SSLCADNRequestPath.
Names will now be consistently sorted.
[Joe Orton]
*) mod_xml2enc: Update check to accept any text/ media type
or any XML media type per RFC 7303, avoiding
corruption of Microsoft OOXML formats.
[Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton]
*) mod_http2: v2.0.26 with the following fixes:
- Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes
<https://github.com/icing/mod_h2/issues/272>.
- Fixed small memory leak in h2 header bucket free. Thanks to
Michael Kaufmann for finding this and providing the fix.
*) htcacheclean: In -a/-A mode, list all files per subdirectory
rather than only one.
[Artem Egorenkov <aegorenkov.91 gmail.com>]
*) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files
which include CA certificates; those CA certs are treated as if
configured with SSLProxyMachineCertificateChainFile. [Joe Orton]
*) htpasswd, htdbm, dbmmanage: Update help&docs to refer to
"hashing", rather than "encrypting" passwords.
[Michele Preziuso <mpreziuso kaosdynamics.com>]
*) mod_ssl: Fix build with LibreSSL 2.0.7+.
[Giovanni Bechis, Yann Ylavic]
*) htpasswd: Add support for passwords using SHA-2. [Joe Orton,
Yann Ylavic]
*) core: Allow mod_env to override system environment vars. [Joe Orton]
*) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an
operation which removes a directory/file between apr_dir_read() and
apr_stat(). Current behaviour is to abort the connection which seems
inferior to tolerating (and logging) the error. [Joe Orton]
*) mod_ldap: HTML-escape data in the ldap-status handler.
[Eric Covener, Chamal De Silva]
*) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
notably with OpenSSL >= 3. [Yann Ylavic, Joe Orton]
*) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about
deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting
to compatibitily with version 1.1.1 (including ENGINEs / SSLCryptoDevice).
[Yann Ylavic]
*) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]
*) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when
some dollar substitution (backreference) happens in the hostname or port
part of the URL. [Yann Ylavic]
*) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend
systems are cached. [Yann Ylavic]
*) mod_proxy: Add optional third argument for ProxyRemote, which
configures Basic authentication credentials to pass to the remote
proxy.
Changes with Apache 2.4.59
*) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
memory exhaustion on endless continuation frames (cve.mitre.org)
HTTP/2 incoming headers exceeding the limit are temporarily
buffered in nghttp2 in order to generate an informative HTTP 413
response. If a client does not stop sending headers, this leads
to memory exhaustion.
Credits: Bartek Nowotarski (https://nowotarski.info/)
*) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
Splitting in multiple modules (cve.mitre.org)
HTTP Response splitting in multiple modules in Apache HTTP
Server allows an attacker that can inject malicious response
headers into backend applications to cause an HTTP
desynchronization attack.
Users are recommended to upgrade to version 2.4.59, which fixes
this issue.
Credits: Keran Mu, Tsinghua University and Zhongguancun
Laboratory.
*) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
splitting (cve.mitre.org)
Faulty input validation in the core of Apache allows malicious
or exploitable backend/content generators to split HTTP
responses.
This issue affects Apache HTTP Server: through 2.4.58.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) mod_deflate: Fixes and better logging for handling various
error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton,
Eric Norris <enorris etsy.com>]
*) Add CGIScriptTimeout to mod_cgi. [Eric Covener]
*) mod_xml2enc: Tolerate libxml2 2.12.0 and later.
[ttachi <tachihara AT hotmail.com>]
*) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable.
[Jean-Frederic Clere]
*) mod_ssl: Use OpenSSL-standard functions to assemble CA
name lists for SSLCACertificatePath/SSLCADNRequestPath.
Names will now be consistently sorted.
[Joe Orton]
*) mod_xml2enc: Update check to accept any text/ media type
or any XML media type per RFC 7303, avoiding
corruption of Microsoft OOXML formats.
[Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton]
*) mod_http2: v2.0.26 with the following fixes:
- Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes
<https://github.com/icing/mod_h2/issues/272>.
- Fixed small memory leak in h2 header bucket free. Thanks to
Michael Kaufmann for finding this and providing the fix.
*) htcacheclean: In -a/-A mode, list all files per subdirectory
rather than only one.
[Artem Egorenkov <aegorenkov.91 gmail.com>]
*) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files
which include CA certificates; those CA certs are treated as if
configured with SSLProxyMachineCertificateChainFile. [Joe Orton]
*) htpasswd, htdbm, dbmmanage: Update help&docs to refer to
"hashing", rather than "encrypting" passwords.
[Michele Preziuso <mpreziuso kaosdynamics.com>]
*) mod_ssl: Fix build with LibreSSL 2.0.7+.
[Giovanni Bechis, Yann Ylavic]
*) htpasswd: Add support for passwords using SHA-2. [Joe Orton,
Yann Ylavic]
*) core: Allow mod_env to override system environment vars. [Joe Orton]
*) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an
operation which removes a directory/file between apr_dir_read() and
apr_stat(). Current behaviour is to abort the connection which seems
inferior to tolerating (and logging) the error. [Joe Orton]
*) mod_ldap: HTML-escape data in the ldap-status handler.
[Eric Covener, Chamal De Silva]
*) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
notably with OpenSSL >= 3. [Yann Ylavic, Joe Orton]
*) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about
deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting
to compatibitily with version 1.1.1 (including ENGINEs / SSLCryptoDevice).
[Yann Ylavic]
*) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]
*) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when
some dollar substitution (backreference) happens in the hostname or port
part of the URL. [Yann Ylavic]
*) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend
systems are cached. [Yann Ylavic]
*) mod_proxy: Add optional third argument for ProxyRemote, which
configures Basic authentication credentials to pass to the remote
proxy.