, André Malo]
- mod_rewrite no longer confuses the RewriteMap caches if
different maps defined in different virtual hosts use the
same map name. PR 26462. [André Malo]
- mod_setenvif: Remove "support" for Remote_User variable which
never worked at all. PR 25725. [André Malo]
- mod_usertrack: Escape the cookie name before pasting into the
regexp. [André Malo]
- Win32: Improve error reporting after a failed attempt to spawn a
piped log process or rewrite map process. [Jeff Trawick]
- SECURITY: CAN-2004-0492 (cve.mitre.org)
Reject responses from a remote server if sent an invalid (negative)
Content-Length. [Mark Cox]
- Fix a bunch of cases where the return code of the regex compiler
was not checked properly. This affects mod_usertrack and
core. PR 28218. [André Malo]
- No longer breaks mod_dav, frontpage and others. Repair a patch
in 1.3.31 which prevented discarding the request body for requests
that will be keptalive but are not currently keptalive. PR 29237.
[Jim Jagielski, Rasmus Lerdorf]
- COMPATIBILITY: Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT.
It controls how UseCanonicalName Off determines the port value if
the client doesn't provide one in the Host header. If defined during
compilation, UseCanonicalName Off will use the physical port number to
generate the canonical name. If not defined, it tries the current Port
value followed by the default port for the current scheme.
[Jim Jagielski]
---
Module Name: pkgsrc
Committed By: abs
Date: Fri Oct 29 13:48:31 UTC 2004
Modified Files:
pkgsrc/www/apache: Makefile distinfo
pkgsrc/www/apache/patches: patch-aa patch-ab patch-ac patch-ad
patch-ae patch-af patch-ag patch-ah patch-ai patch-aj
patch-ak patch-am patch-ao
Removed Files:
pkgsrc/www/apache/patches: patch-al
Log Message:
Update apache to 1.3.33
The main security vulnerabilities addressed in 1.3.33 are:
* CAN-2004-0940 (cve.mitre.org)
Fix potential buffer overflow with escaped characters in SSI
tag string.
* CAN-2004-0492 (cve.mitre.org)
Reject responses from a remote server if sent an invalid
(negative) Content-Length.
New features
* Win32: Improve error reporting after a failed attempt to
spawn a piped log process or rewrite map process.
* Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT. It
controls how UseCanonicalName Off determines the port value if
the client doesn't provide one in the Host header. If defined
during compilation, UseCanonicalName Off will use the physical
port number to generate the canonical name. If not defined, it
tries the current Port value followed by the default port for
the current scheme.
The following bugs were found in Apache 1.3.31 (or earlier) and
have been fixed in Apache 1.3.33:
* mod_rewrite: Fix query string handling for proxied URLs.
PR 14518.
* mod_rewrite: Fix 0 bytes write into random memory position.
PR 31036.
* mod_digest: Fix nonce string calculation since 1.3.31 which
would force re-authentication for every connection if
AuthDigestRealmSeed was not configured. PR 30920.
* Fix trivial bug in mod_log_forensic that caused the child to
seg fault when certain invalid requests were fired at it with
forensic logging is enabled. PR 29313.
* No longer breaks mod_dav, frontpage and others. Repair a
patch in 1.3.31 which prevented discarding the request body
for requests that will be keptalive but are not currently
keptalive. PR 29237.
---
Module Name: pkgsrc
Committed By: salo
Date: Mon Nov 15 19:13:41 UTC 2004
Modified Files:
pkgsrc/www/apache/patches: patch-ai
Log Message:
Revert rev 1.9, do not expand @@INSTALL@@, it's done in post-patch.
(hi abs!)
---
Module Name: pkgsrc
Committed By: tron
Date: Tue Nov 16 08:23:45 UTC 2004
Modified Files:
pkgsrc/www/apache: distinfo
Log Message:
Regen after "patch-ai" was changed. (hi salo!)
@
text
@d1 1
a1 1
$NetBSD: patch-ab,v 1.11 2004/10/29 13:48:31 abs Exp $
d3 1
a3 1
--- conf/httpd.conf-dist.orig 2004-10-29 14:44:35.000000000 +0100
d5 1
a5 1
@@@@ -197,7 +197,12 @@@@ MaxRequestsPerChild 0
@
1.9
log
@Update apache to 1.3.19. The pkgsrc-related changes include adding a
config.layout file instead of specifying every directory as on option to
the Apache configure script. This layout file might be useful later when
we package Apache 2.x. I also reordered a few lines so that it's easier
to diff apache/Makefile and apache6/Makefile (hi itojun!). Also build
the mod_define shared module from the mod_ssl sources.
Relevant changes from version 1.3.17.1 include:
*) Rewrite ap_unparse_uri_components() to make it safer and more readable
*) Under certain circumstances, Apache did not supply the
right response headers when requiring authentication.
*) Clean up some end-of-loop not reached warnings
*) Add the correct language tag for interoperation with the Taiwanese
versions of MSIE and Netscape.
*) Workaround enabled for a core dump which appeared in broken
NameVirtualHost configurations.
*) Sporadic core dump in ap_default_port_for_scheme() with
internal requests
*) SECURITY: The default installation could lead to mod_negotiation
and mod_dir/mod_autoindex displaying a directory listing instead of
the index.html.* files, if a very long path was created artificially
by using many slashes. Now a 403 FORBIDDEN is returned.
*) Trailing slashes (if they exist) are now removed from ServerRoot,
because there were known problems with them.
*) TPF startup/shutdown fixes.
*) Correct a typo in httpd.conf.
*) Get the correct IP address if ServerName isn't set and we can't
find a fully-qualified domain name at startup.
*) Fix pointer arithmetic in mod_rewrite map expansion.
*) Fixed a problem with file extensions being truncated during
the call to ap_os_canonical_filename().
@
text
@d1 1
a1 1
$NetBSD$
d5 1
a5 1
@@@@ -197,7 +197,14 @@@@
a12 2
+LoadFile !libcrypto.so
+LoadFile !libssl.so
@
1.8
log
@Update apache to 1.3.14. Changes from version 1.3.12 are listed below.
The security fixes are:
* A problem with the Rewrite module, mod_rewrite, allowed access to
any file on the web server under certain circumstances
* The handling of Host: headers in mass virtual hosting
configurations, mod_vhost_alias, could allow access to any file on
the server
* If a cgi-bin directory is under the document root, the source to
the scripts inside it could be sent if using mass virtual hosting
The main new features include:
* Support for a directory-based configuration system. If any of the
configuration directives point to directories instead of files,
all files in that directory (and in subdirectories) will be also
parsed as configuration files
* Support name-based virtual hosting without needing to specify an
IP address in the Apache configuration file. This enables sites
that use dynamic IP addresses to support name-based virtual
hosting as well as allowing identical machines to share a
configuration file, say in a load-balanced cluster
* The SetEnvIf and BrowserMatch range of directives are now able to
be used in .htaccess files.
* Administrators who are nervous about their full server version
details being public can use the new keyword 'ProductOnly' in the
ServerTokens directive. This keyword forces the server to only
return the string "Apache" as the server version.
* The new digest authentication module, mod_auth_digest has had a
number of fixes and upgrades applied
@
text
@d3 1
a3 1
--- conf/httpd.conf-dist.orig Fri Oct 13 15:58:57 2000
d5 1
a5 1
@@@@ -199,7 +199,14 @@@@
@
1.7
log
@Update build to work with mod_ssl-2.6.6-1.3.12 to keep in sync with ap-ssl.
EAPI didn't change so no need to change Apache's version number.
Also standardize package builds to have Apache listen on ports 80/443
regardless of UID of user that builds the package, and make MAINTAINER
point to me.
@
text
@d3 1
a3 1
--- conf/httpd.conf-dist.orig Thu Sep 7 01:19:50 2000
d5 1
a5 1
@@@@ -199,7 +199,16 @@@@
a12 2
+### Uncomment the following if you wish to use SSL and you need RSAREF: ###
+#LoadFile !librsaref.so
@
1.6
log
@update for 1.3.11
@
text
@d1 1
a1 1
$NetBSD: patch-ab,v 1.5 1998/12/03 17:23:52 tv Exp $
d3 17
a19 3
--- htdocs/index.html.en.orig Sat Nov 20 16:29:40 1999
+++ htdocs/index.html.en Sun Jan 30 17:00:58 2000
@@@@ -28,11 +28,29 @@@@
d21 2
a22 32
-The Apache documentation has been included with this distribution.
-
+The Apache documentation
+has been included with this distribution.
+If the mod_ssl SSL extension has been installed, read the
+SSL documentation
+carefully.
+
+
+Information on the NetBSD multiplatform operating system can be found
+at NetBSD's homepage on the net.
+
-You are free to use the image below on an Apache-powered web server. Thanks for using Apache!
+The Webmaster of this site is free to use the images below on
+an Apache/NetBSD-powered Web server. Thanks for using
+Apache on
+NetBSD!
+
-
+
+
+
+