head	1.6;
access;
symbols
	pkgsrc-2026Q1:1.5.0.16
	pkgsrc-2026Q1-base:1.5
	pkgsrc-2025Q4:1.5.0.14
	pkgsrc-2025Q4-base:1.5
	pkgsrc-2025Q3:1.5.0.12
	pkgsrc-2025Q3-base:1.5
	pkgsrc-2025Q2:1.5.0.10
	pkgsrc-2025Q2-base:1.5
	pkgsrc-2025Q1:1.5.0.8
	pkgsrc-2025Q1-base:1.5
	pkgsrc-2024Q4:1.5.0.6
	pkgsrc-2024Q4-base:1.5
	pkgsrc-2024Q3:1.5.0.4
	pkgsrc-2024Q3-base:1.5
	pkgsrc-2024Q2:1.5.0.2
	pkgsrc-2024Q2-base:1.5
	pkgsrc-2024Q1:1.4.0.4
	pkgsrc-2024Q1-base:1.4
	pkgsrc-2023Q4:1.4.0.2
	pkgsrc-2023Q4-base:1.4
	pkgsrc-2023Q3:1.3.0.6
	pkgsrc-2023Q3-base:1.3
	pkgsrc-2023Q2:1.3.0.4
	pkgsrc-2023Q2-base:1.3
	pkgsrc-2023Q1:1.3.0.2
	pkgsrc-2023Q1-base:1.3
	pkgsrc-2022Q4:1.2.0.8
	pkgsrc-2022Q4-base:1.2
	pkgsrc-2022Q3:1.2.0.6
	pkgsrc-2022Q3-base:1.2
	pkgsrc-2022Q2:1.2.0.4
	pkgsrc-2022Q2-base:1.2
	pkgsrc-2022Q1:1.2.0.2
	pkgsrc-2022Q1-base:1.2
	pkgsrc-2021Q4:1.1.0.2
	pkgsrc-2021Q4-base:1.1;
locks; strict;
comment	@# @;


1.6
date	2026.05.05.00.12.30;	author taca;	state Exp;
branches;
next	1.5;
commitid	i3rrmntLFwYhCyEG;

1.5
date	2024.04.05.09.31.38;	author adam;	state Exp;
branches
	1.5.16.1;
next	1.4;
commitid	gmOE3D4Aifrz8W4F;

1.4
date	2023.10.19.14.22.02;	author wiz;	state Exp;
branches
	1.4.4.1;
next	1.3;
commitid	Kxb0Szx0Mi9cbfJE;

1.3
date	2023.01.20.14.03.16;	author adam;	state Exp;
branches;
next	1.2;
commitid	oGZKQnf9Uj8tOhaE;

1.2
date	2022.03.15.05.46.54;	author adam;	state Exp;
branches
	1.2.8.1;
next	1.1;
commitid	ownaU2qkoLqW3hwD;

1.1
date	2021.12.21.09.18.38;	author adam;	state Exp;
branches;
next	;
commitid	nrJIRyKikLLTVulD;

1.5.16.1
date	2026.05.07.22.47.02;	author maya;	state Exp;
branches;
next	;
commitid	CgtBgf0iCpq63WEG;

1.4.4.1
date	2024.04.08.18.03.27;	author bsiegert;	state Exp;
branches;
next	;
commitid	53sPPUA3TRcqSm5F;

1.2.8.1
date	2023.03.04.13.04.06;	author spz;	state Exp;
branches;
next	;
commitid	XflaxS4IJOkS6OfE;


desc
@@


1.6
log
@www/apache24: update to 2.4.67

Changes with Apache 2.4.67 (2026-05-04)

  * SECURITY: CVE-2026-34059: Apache HTTP Server: mod_proxy_ajp: Heap
    Over-Read and memory disclosure in
    ajp_parse_data() (cve.mitre.org)

    Buffer Over-read vulnerability in Apache HTTP Server.
    This issue affects Apache HTTP Server: through 2.4.66.
    Users are recommended to upgrade to version 2.4.67, which fixes the issue.

    Credits: Elhanan Haenel

  * SECURITY: CVE-2026-34032: Apache HTTP Server: mod_proxy_ajp: Heap
    Buffer Over-Read Due to Missing Null-Termination Check
    (ajp_msg_get_string) (cve.mitre.org)

    Improper Null Termination, Out-of-bounds Read vulnerability in Apache
    HTTP Server.
    This issue affects Apache HTTP Server: through 2.4.66.
    Users are recommended to upgrade to version 2.4.67, which fixes the issue.

    Credits: Tianshuo Han ()

  * SECURITY: CVE-2026-33857: Apache HTTP Server: Off-by-one OOB reads in
    AJP getter functions (cve.mitre.org)

    Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server.
    This issue affects Apache HTTP Server: through 2.4.66.
    Users are recommended to upgrade to version 2.4.67, which fixes the issue.

    Credits: Elhanan Haenel

  * SECURITY: CVE-2026-33523: Apache HTTP Server: multiple modules: HTTP
    response splitting forwarding malicious status line (cve.mitre.org)

    HTTP response splitting vulnerability in multiple Apache HTTP Server
    modules with untrusted or compromised backend servers.
    This issue affects Apache HTTP Server: from through 2.4.66.
    Users are recommended to upgrade to version 2.4.67, which fixes the issue.

    Credits: Haruki Oyama (Waseda University)

  * SECURITY: CVE-2026-33007: Apache HTTP Server: mod_authn_socache crash
    (cve.mitre.org)

    A NULL pointer dereference in the mod_authn_socache in Apache HTTP
    Server 2.4.66 and earlier allows an unauthenticated remote user to crash
    a child process in a caching forward proxy configuration.
    Users are recommended to upgrade to version 2.4.67, which fixes this
    issue.
    Credits: Pavel Kohout, Aisle Research, Aisle.com

  * SECURITY: CVE-2026-33006: Apache HTTP Server: mod_auth_digest timing
    attack (cve.mitre.org)

    A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66
    allows a bypass of Digest authentication by a remote attacker.
    Users are recommended to upgrade to version 2.4.67, which fixes this
    issue.

    Credits: Nitescu Lucian

  * SECURITY: CVE-2026-29169: Apache HTTP Server: mod_dav_lock indirect
    lock crash (cve.mitre.org)

    A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66
    and earlier may allow an attacker to crash the server with a malicious
    request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs.
    The only known use-case for mod_dav_lock was mod_dav_svn from Apache
    Subversion earlier than version 1.2.0.
    Users are recommended to upgrade to version 2.4.66, which fixes this
    issue, or remove mod_dav_lock.

    Credits: Pavel Kohout, Aisle Research, Aisle.com

  * SECURITY: CVE-2026-29168: Apache HTTP Server: mod_md unrestricted OCSP
    response (cve.mitre.org)

    Allocation of Resources Without Limits or Throttling vulnerability in
    Apache HTTP Server's mod_md via OCSP response data.
    This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66.
    Users are recommended to upgrade to version 2.4.67, which fixes the issue.

    Credits: Pavel Kohout, Aisle Research, Aisle.com

  * SECURITY: CVE-2026-28780: Apache HTTP Server: buffer overflow in
    mod_proxy_ajp via ajp_msg_check_header() (cve.mitre.org)

    Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP
    Server. If mod_proxy_ajp connects to a malicious AJP server this AJP
    server can send a malicious AJP message back to mod_proxy_ajp and cause
    it to write 4 attacker controlled bytes after the end of a heap based
    buffer.
    This issue affects Apache HTTP Server: through 2.4.66.
    Users are recommended to upgrade to version 2.4.67, which fixes the issue.
    Credits: Andrew Lacambra

  * SECURITY: CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of
    privileges via ap_expr (cve.mitre.org)

    An escalation of privilege bug in various modules in Apache HTTP 2.4.66
    and earlier allows local .htaccess authors to read files with the
    privileges of the httpd user.
    Users are recommended to upgrade to version 2.4.67, which fixes this
    issue.

    Credits: y7syeu

  * SECURITY: CVE-2026-23918: Apache HTTP Server: http2: double free and
    possible RCE on early reset (cve.mitre.org)

    Double Free and possible RCE vulnerability in Apache HTTP Server with
    the HTTP/2 protocol.
    This issue affects Apache HTTP Server: 2.4.66.
    Users are recommended to upgrade to version 2.4.67, which fixes the issue.

    Credits: Bartlomiej Dmitruk, striga.ai

  * mod_md: update to version 2.6.10
    - Fix issue #420 by ignoring job.json files that claim to have
      completely finished a certificate renewal, but have not produced the
      necessary result files.

  * mod_http2: update to version 2.0.39
    Remove streams own memory allocator after reports of memory problems
    with third party modules. [Stefan Eissing]

  * mod_http2: update to version 2.0.38
    Source sync with mod_h2 github repository. No functional change.
    [Stefan Eissing]

  * Updated conf/mime.types: added vnd.sqlite3, HEIC, HEIF
    [Alexandru Mărășteanu ]

  * mod_md: update to version 2.6.7
    - Fix a regression in `MDStapleOthers` which broke in v2.6.0 and no
      longer applied, no matter the configuration.

  * mod_md: update to version 2.6.9
    - Pebble 2.9+ reports another error when terms of service agreement is
      not set. Treating all "userActionRequired" errors as permanent now.

  * mod_md: update to version 2.6.8
    - Fix the ARI related `replaces` property in ACME order creation to
      only be used when the CA supports ARI and it is enabled in the menu
      config.
    - Fix compatibility with APR versions before 1.6.0 which do not have
      `apr_cstr_casecmp` and should use `apr_strnatcasecmp` instead.
  * mod_http2: update to version 2.0.37
    Prevent double purge of a stream, resulting in a double free.
    Fixes PR 69899. [Stefan Eissing]

  * mod_md: Use correct function name when compiling against APR < 1.6.0.
    PR 69954 [Tần Quảng ]
@
text
@$NetBSD: patch-configure,v 1.5 2024/04/05 09:31:38 adam Exp $

--- configure.orig	2026-04-28 18:15:03.000000000 +0000
+++ configure
@@@@ -42456,7 +42456,6 @@@@ cat >>confdefs.h <<_ACEOF
 _ACEOF
-perlbin=`$ac_aux_dir/PrintPath perl`
 if test "x$perlbin" = "x"; then
   perlbin="/replace/with/path/to/perl/interpreter"
 fi
@


1.5
log
@apache24: updated to 2.4.59

Changes with Apache 2.4.59

  *) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory
     exhaustion on endless continuation frames (cve.mitre.org)
     HTTP/2 incoming headers exceeding the limit are temporarily buffered
     in nghttp2 in order to generate an informative HTTP 413 response. If
     a client does not stop sending headers, this leads to memory
     exhaustion.
     Credits: Bartek Nowotarski (https://nowotarski.info/)

  *) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting
     in multiple modules (cve.mitre.org)
     HTTP Response splitting in multiple modules in Apache HTTP Server
     allows an attacker that can inject malicious response headers into
     backend applications to cause an HTTP desynchronization attack.
     Users are recommended to upgrade to version 2.4.59, which fixes this
     issue.
     Credits: Keran Mu, Tsinghua University and Zhongguancun Laboratory.

  *) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response splitting
     (cve.mitre.org)
     Faulty input validation in the core of Apache allows malicious or
     exploitable backend/content generators to split HTTP responses.
     This issue affects Apache HTTP Server: through 2.4.58.
     Credits: Orange Tsai (@@orange_8361) from DEVCORE

  *) mod_deflate: Fixes and better logging for handling various error and
     edge cases.  [Eric Covener, Yann Ylavic, Joe Orton, Eric Norris ]

  *) Add CGIScriptTimeout to mod_cgi.
     [Eric Covener]

  *) mod_xml2enc: Tolerate libxml2 2.12.0 and later.  [ttachi ]

  *) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable.
     [Jean-Frederic Clere]

  *) mod_ssl: Use OpenSSL-standard functions to assemble CA name lists for
     SSLCACertificatePath/SSLCADNRequestPath. Names will now be
     consistently sorted.  [Joe Orton]

  *) mod_xml2enc: Update check to accept any text/ media type or any XML
     media type per RFC 7303, avoiding corruption of Microsoft OOXML
     formats.  [Joseph Heenan , Joe Orton]

  *) mod_http2: v2.0.26 with the following fixes:
     - Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c).
       Fixes .
     - Fixed small memory leak in h2 header bucket free. Thanks to Michael
       Kaufmann for finding this and providing the fix.

  *) htcacheclean: In -a/-A mode, list all files per subdirectory rather
     than only one.  [Artem Egorenkov ]

  *) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files
     which include CA certificates; those CA certs are treated as if
     configured with SSLProxyMachineCertificateChainFile.  [Joe Orton]

  *) htpasswd, htdbm, dbmmanage: Update help&docs to refer to "hashing",
     rather than "encrypting" passwords.  [Michele Preziuso ]

  *) mod_ssl: Fix build with LibreSSL 2.0.7+.  [Giovanni Bechis, Yann Ylavic]

  *) htpasswd: Add support for passwords using SHA-2.  [Joe Orton, Yann Ylavic]

  *) core: Allow mod_env to override system environment vars.  [Joe Orton]

  *) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an
     operation which removes a directory/file between apr_dir_read() and
     apr_stat(). Current behaviour is to abort the connection which seems
     inferior to tolerating (and logging) the error.  [Joe Orton]

  *) mod_ldap: HTML-escape data in the ldap-status handler.
     [Eric Covener, Chamal De Silva]

  *) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is
     set. Allow for "SSLCryptoDevice builtin" if the ENGINE API is not
     available, notably with OpenSSL >= 3.
     [Yann Ylavic, Joe Orton]

  *) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings
     about deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while
     defaulting to compatibility with version 1.1.1 (including ENGINEs /
     SSLCryptoDevice).  [Yann Ylavic]

  *) mod_ssl: release memory to the OS when needed.  [Giovanni Bechis]

  *) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch
     when some dollar substitution (backreference) happens in the hostname
     or port part of the URL.  [Yann Ylavic]

  *) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend
     systems are cached.  [Yann Ylavic]

  *) mod_proxy: Add optional third argument for ProxyRemote, which
     configures Basic authentication credentials to pass to the remote
     proxy.
@
text
@d1 1
a1 1
$NetBSD: patch-configure,v 1.4 2023/10/19 14:22:02 wiz Exp $
d3 1
a3 1
--- configure.orig	2024-04-03 12:22:44.000000000 +0000
d5 2
a6 2
@@@@ -42821,7 +42821,6 @@@@ printf "%s\n" "#define SERVER_CONFIG_FIL
 printf "%s\n" "#define AP_TYPES_CONFIG_FILE \"${rel_sysconfdir}/mime.types\"" >>confdefs.h
@


1.5.16.1
log
@Pullup ticket #7099 - requested by taca
www/apache24: Security fix

Revisions pulled up:
- www/apache24/Makefile 1.143
- www/apache24/PLIST 1.39
- www/apache24/distinfo 1.71
- www/apache24/patches/patch-ad 1.3
- www/apache24/patches/patch-ae 1.2
- www/apache24/patches/patch-configure 1.6

---
Module Name:	pkgsrc
Committed By:	taca
Date:		Tue May 5 00:12:30 UTC 2026

Modified Files:
	pkgsrc/www/apache24: Makefile PLIST distinfo
	pkgsrc/www/apache24/patches: patch-ad patch-ae patch-configure

Log Message:
www/apache24: update to 2.4.67

Changes with Apache 2.4.67 (2026-05-04)

  * SECURITY: CVE-2026-34059: Apache HTTP Server: mod_proxy_ajp: Heap
    Over-Read and memory disclosure in ajp_parse_data() (cve.mitre.org)

    Buffer Over-read vulnerability in Apache HTTP Server.
    This issue affects Apache HTTP Server: through 2.4.66.
    Users are recommended to upgrade to version 2.4.67, which fixes the issue.
    Credits: Elhanan Haenel

  * SECURITY: CVE-2026-34032: Apache HTTP Server: mod_proxy_ajp: Heap
    Buffer Over-Read Due to Missing Null-Termination Check
    (ajp_msg_get_string) (cve.mitre.org)

    Improper Null Termination, Out-of-bounds Read vulnerability in Apache
    HTTP Server.
    This issue affects Apache HTTP Server: through 2.4.66.
    Users are recommended to upgrade to version 2.4.67, which fixes the issue.

    Credits: Tianshuo Han ()

  * SECURITY: CVE-2026-33857: Apache HTTP Server: Off-by-one OOB reads in
    AJP getter functions (cve.mitre.org)

    Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server.
    This issue affects Apache HTTP Server: through 2.4.66.
    Users are recommended to upgrade to version 2.4.67, which fixes the issue.

    Credits: Elhanan Haenel

  * SECURITY: CVE-2026-33523: Apache HTTP Server: multiple modules: HTTP
    response splitting forwarding malicious status line (cve.mitre.org)

    HTTP response splitting vulnerability in multiple Apache HTTP Server
    modules with untrusted or compromised backend servers.
    This issue affects Apache HTTP Server: from through 2.4.66.
    Users are recommended to upgrade to version 2.4.67, which fixes the issue.

    Credits: Haruki Oyama (Waseda University)

  * SECURITY: CVE-2026-33007: Apache HTTP Server: mod_authn_socache crash
    (cve.mitre.org)

    A NULL pointer dereference in the mod_authn_socache in Apache HTTP
    Server 2.4.66 and earlier allows an unauthenticated remote user to crash
    a child process in a caching forward proxy configuration.
    Users are recommended to upgrade to version 2.4.67, which fixes this
    issue.

    Credits: Pavel Kohout, Aisle Research, Aisle.com

  * SECURITY: CVE-2026-33006: Apache HTTP Server: mod_auth_digest timing
    attack (cve.mitre.org)

    A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66
    allows a bypass of Digest authentication by a remote attacker.
    Users are recommended to upgrade to version 2.4.67, which fixes this
    issue.
    Credits: Nitescu Lucian

  * SECURITY: CVE-2026-29169: Apache HTTP Server: mod_dav_lock indirect
    lock crash (cve.mitre.org)

    A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66
    and earlier may allow an attacker to crash the server with a malicious
    request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs.
    The only known use-case for mod_dav_lock was mod_dav_svn from Apache
    Subversion earlier than version 1.2.0.
    Users are recommended to upgrade to version 2.4.66, which fixes this
    issue, or remove mod_dav_lock.

    Credits: Pavel Kohout, Aisle Research, Aisle.com

  * SECURITY: CVE-2026-29168: Apache HTTP Server: mod_md unrestricted OCSP
    response (cve.mitre.org)

    Allocation of Resources Without Limits or Throttling vulnerability in
    Apache HTTP Server's mod_md via OCSP response data.
    This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66.
    Users are recommended to upgrade to version 2.4.67, which fixes the issue.

    Credits: Pavel Kohout, Aisle Research, Aisle.com

  * SECURITY: CVE-2026-28780: Apache HTTP Server: buffer overflow in
    mod_proxy_ajp via ajp_msg_check_header() (cve.mitre.org)

    Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP
    Server. If mod_proxy_ajp connects to a malicious AJP server this AJP
    server can send a malicious AJP message back to mod_proxy_ajp and cause
    it to write 4 attacker controlled bytes after the end of a heap based
    buffer.
    This issue affects Apache HTTP Server: through 2.4.66.
    Users are recommended to upgrade to version 2.4.67, which fixes the issue.

    Credits: Andrew Lacambra

  * SECURITY: CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of
    privileges via ap_expr (cve.mitre.org)

    An escalation of privilege bug in various modules in Apache HTTP 2.4.66
    and earlier allows local .htaccess authors to read files with the
    privileges of the httpd user.
    Users are recommended to upgrade to version 2.4.67, which fixes this
    issue.
    Credits: y7syeu

  * SECURITY: CVE-2026-23918: Apache HTTP Server: http2: double free and
    possible RCE on early reset (cve.mitre.org)

    Double Free and possible RCE vulnerability in Apache HTTP Server with
    the HTTP/2 protocol.
    This issue affects Apache HTTP Server: 2.4.66.
    Users are recommended to upgrade to version 2.4.67, which fixes the issue.

    Credits: Bartlomiej Dmitruk, striga.ai

  * mod_md: update to version 2.6.10
    - Fix issue #420 by ignoring job.json files that claim to have
      completely finished a certificate renewal, but have not produced the
      necessary result files.

  * mod_http2: update to version 2.0.39
    Remove streams own memory allocator after reports of memory problems
    with third party modules. [Stefan Eissing]

  * mod_http2: update to version 2.0.38
    Source sync with mod_h2 github repository. No functional change.
    [Stefan Eissing]

  * Updated conf/mime.types: added vnd.sqlite3, HEIC, HEIF
    [Alexandru Mărășteanu ]

  * mod_md: update to version 2.6.7
    - Fix a regression in `MDStapleOthers` which broke in v2.6.0 and no
      longer applied, no matter the configuration.

  * mod_md: update to version 2.6.9
    - Pebble 2.9+ reports another error when terms of service agreement is
      not set. Treating all "userActionRequired" errors as permanent now.

  * mod_md: update to version 2.6.8
    - Fix the ARI related `replaces` property in ACME order creation to
      only be used when the CA supports ARI and it is enabled in the menu
      config.
    - Fix compatibility with APR versions before 1.6.0 which do not have
      `apr_cstr_casecmp` and should use `apr_strnatcasecmp` instead.

  * mod_http2: update to version 2.0.37
    Prevent double purge of a stream, resulting in a double free.
    Fixes PR 69899. [Stefan Eissing]

  * mod_md: Use correct function name when compiling against APR < 1.6.0.
    PR 69954 [Tần Quảng ]
@
text
@d1 1
a1 1
$NetBSD$
d3 1
a3 1
--- configure.orig	2026-04-28 18:15:03.000000000 +0000
d5 2
a6 2
@@@@ -42456,7 +42456,6 @@@@ cat >>confdefs.h <<_ACEOF
 _ACEOF
@


1.4
log
@apache: update to 2.4.58.
Changes with Apache 2.4.58

  *) mod_ssl: Silence info log message "SSL Library Error:
     error:0A000126: SSL routines::unexpected eof while reading" when
     using OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if available.
     [Rainer Jung]

  *) mod_http2: improved early cleanup of streams.  [Stefan Eissing]

  *) mod_proxy_http2: improved error handling on connection errors while
     response is already underway.  [Stefan Eissing]

  *) mod_http2: fixed a bug that could lead to a crash in main connection
     output handling. This occurred only when the last request on a HTTP/2
     connection had been processed and the session decided to shut down.
     This could lead to an attempt to send a final GOAWAY while the
     previous write was still in progress. See PR 66646.  [Stefan Eissing]

  *) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct
     value. Fixes PR66752.  [Stefan Eissing]

  *) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as
     described in RFC 8441. A new directive 'H2WebSockets on|off' has been
     added. The feature is by default not enabled. As also discussed in the
     manual, this feature should work for setups using "ProxyPass
     backend-url upgrade=websocket" without further changes. Special server
     modules for WebSockets will have to be adapted, most likely, as the
     handling of IO events is different with HTTP/2. HTTP/2 WebSockets are
     supported on platforms with native pipes. This excludes Windows.
     [Stefan Eissing]

  *) mod_rewrite: Fix a regression with both a trailing ? and [QSA]. in
     OCSP stapling. PR 66672.  [Frank Meier , covener]

  *) mod_http2: fixed a bug in flushing pending data on an already closed
     connection that could lead to a busy loop, preventing the HTTP/2
     session to close down successfully. Fixed PR 66624.  [Stefan Eissing]

  *) mod_http2: v2.0.15 with the following fixes and improvements
     - New directive 'H2EarlyHint name value' to add headers to a response,
       picked up already when a "103 Early Hints" response is sent.
       'name' and 'value' must comply to the HTTP field restrictions.
       This directive can be repeated several times and header fields of
       the same names add. Sending a 'Link' header with 'preload' relation
       will also cause a HTTP/2 PUSH if enabled and supported by the client.
     - Fixed an issue where requests were not logged and accounted in a
       timely fashion when the connection returns to "keepalive" handling,
       e.g. when the request served was the last outstanding one. This led
       to late appearance in access logs with wrong duration times
       reported.
     - Accurately report the bytes sent for a request in the '%O' Log
       format. This addresses #203, a long outstanding issue where mod_h2
       has reported numbers over-eagerly from internal buffering and not
       what has actually been placed on the connection. The numbers are now
       the same with and without H2CopyFiles enabled.
     [Stefan Eissing]

  *) mod_proxy_http2: fix retry handling to not leak temporary errors. On
     detecting that an existing connection was shutdown by the other side,
     a 503 response leaked even though the request was retried on a fresh
     connection.  [Stefan Eissing]

  *) mod_rewrite: Add server directory to include path as mod_rewrite
     requires test_char.h. PR 66571  [Valeria Petrov ]

  *) mod_http2: new directive `H2ProxyRequests on|off` to enable handling
     of HTTP/2 requests in a forward proxy configuration. General forward
     proxying is enabled via `ProxyRequests`. If the HTTP/2 protocol is
     also enabled for such a server/host, this new directive is needed in
     addition.  [Stefan Eissing]

  *) core: Updated conf/mime.types:
     - .js moved from 'application/javascript' to 'text/javascript'
     - .mjs was added as 'text/javascript'
     - add .opus ('audio/ogg')
     - add 'application/vnd.geogebra.slides'
     - add WebAssembly MIME types and extension
     [Mathias Bynens <@@mathiasbynens> via PR 318, Richard de Boer ,
     Dave Hodder , Zbynek Konecny ]

  *) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the
     backend connection when sending data on the frontend one.
     This caused crashes or infinite loops in rare situations.

  *) mod_proxy_http2: fixed a bug in retry/response handling that could
     lead to wrong status codes or HTTP messages sent at the end of
     response bodies exceeding the announced content-length.

  *) mod_proxy_http2: fix retry handling to not leak temporary errors. On
     detecting that an existing connection was shutdown by the other side,
     a 503 response leaked even though the request was retried on a fresh
     connection.

  *) mod_http2: fixed a bug that did cleanup of consumed and pending
     buckets in the wrong order when a bucket_beam was destroyed.
     [Stefan Eissing]

  *) mod_http2: avoid double chunked-encoding on internal redirects.
     PR 66597  [Yann Ylavic, Stefan Eissing]

  *) mod_http2: Fix reporting of `Total Accesses` in server-status to not
     count HTTP/2 requests twice. Fixes PR 66801.  [Stefan Eissing]

  *) mod_ssl: Fix handling of Certificate Revoked messages in OCSP
     stapling. PR 66626.  []

  *) mod_http2: fixed a bug in handling of stream timeouts.
     [Stefan Eissing]

  *) mod_tls: updating to rustls-ffi version 0.9.2 or higher. Checking in
     configure for proper version installed. Code fixes for changed
     clienthello member name.  [Stefan Eissing]

  *) mod_md:
     - New directive `MDMatchNames all|servernames` to allow more control
       over how MDomains are matched to VirtualHosts.
     - New directive `MDChallengeDns01Version`. Setting this to `2` will
       provide the command also with the challenge value on `teardown`
       invocation. In version 1, the default, only the `setup` invocation
       gets this parameter. Refs #312. Thanks to @@domrim for the idea.
     - For Managed Domain in "manual" mode, the checks if all used
       ServerName and ServerAlias are part of the MDomain now reports a
       warning instead of an error (AH10040) when not all names are
       present.
     - MDChallengeDns01 can now be configured for individual domains.
       Using PR from Jérôme Billiras (@@bilhackmac) and adding test case
       and fixing proper working
     - Fixed a bug found by Jérôme Billiras (@@bilhackmac) that caused the
       challenge teardown not being invoked as it should.

  *) mod_ldap: Avoid performance overhead of APR-util rebind cache for
     OpenLDAP 2.2+.  PR 64414.  [Joe Orton]

  *) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum
     amount of response body bytes put into a single HTTP/2 DATA frame.
     Setting this to 0 places no limit (but the max size allowed by the
     protocol is observed). The module, by default, tries to use the
     maximum size possible, which is somewhat around 16KB. This sets the
     maximum. When less response data is available, smaller frames will be
     sent.

  *) mod_md: fixed passing of the server environment variables to programs
     started via MDMessageCmd and MDChallengeDns01 on *nix system. See .
     [Stefan Eissing]

  *) mod_dav: Add DavBasePath directive to configure the repository root
     path.  PR 35077.  [Joe Orton]

  *) mod_alias: Add AliasPreservePath directive to map the full path after
     the alias in a location.  [Graham Leggett]

  *) mod_alias: Add RedirectRelative to allow relative redirect targets to
     be issued as-is.  [Eric Covener, Graham Leggett]

  *) core: Add formats %{z} and %{strftime-format} to ErrorLogFormat, and
     make sure that if the format is configured early enough it applies to
     every log line.  PR 62161.  [Yann Ylavic]

  *) mod_deflate: Add DeflateAlterETag to control how the ETag is
     modified. The 'NoChange' parameter mimics 2.2.x behavior.
     PR 45023, PR 39727.  [Eric Covener]

  *) core: Optimize send_brigade_nonblocking().
     [Yann Ylavic, Christophe Jaillet]

  *) mod_status: Remove duplicate keys "BusyWorkers" and "IdleWorkers".
     Resolve inconsistency between the previous two occurrences by counting
     workers in state SERVER_GRACEFUL no longer as busy, but instead in a
     new counter "GracefulWorkers" (or on HTML view as "workers gracefully
     restarting").
     Also add the graceful counter as a new column to the existing HTML per
     process table for async MPMs.  PR 63300.  [Rainer Jung]
@
text
@d1 1
a1 1
$NetBSD: patch-configure,v 1.3 2023/01/20 14:03:16 adam Exp $
d3 1
a3 1
--- configure.orig	2023-10-16 15:06:18.000000000 +0000
d5 2
a6 2
@@@@ -41305,7 +41305,6 @@@@ cat >>confdefs.h <<_ACEOF
 _ACEOF
@


1.4.4.1
log
@Pullup ticket #6843 - requested by taca
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile 1.124
- www/apache24/distinfo 1.62
- www/apache24/patches/patch-configure 1.5
- www/apache24/patches/patch-modules_filters_mod__xml2enc.c deleted

---
Module Name:	pkgsrc
Committed By:	adam
Date:		Fri Apr 5 09:31:38 UTC 2024

Modified Files:
	pkgsrc/www/apache24: Makefile distinfo
	pkgsrc/www/apache24/patches: patch-configure
Removed Files:
	pkgsrc/www/apache24/patches: patch-modules_filters_mod__xml2enc.c

Log Message:
apache24: updated to 2.4.59

Changes with Apache 2.4.59

  *) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory
     exhaustion on endless continuation frames (cve.mitre.org)
     HTTP/2 incoming headers exceeding the limit are temporarily buffered
     in nghttp2 in order to generate an informative HTTP 413 response. If
     a client does not stop sending headers, this leads to memory
     exhaustion.
     Credits: Bartek Nowotarski (https://nowotarski.info/)

  *) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting
     in multiple modules (cve.mitre.org)
     HTTP Response splitting in multiple modules in Apache HTTP Server
     allows an attacker that can inject malicious response headers into
     backend applications to cause an HTTP desynchronization attack.
     Users are recommended to upgrade to version 2.4.59, which fixes this
     issue.
     Credits: Keran Mu, Tsinghua University and Zhongguancun Laboratory.
  *) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response splitting
     (cve.mitre.org)
     Faulty input validation in the core of Apache allows malicious or
     exploitable backend/content generators to split HTTP responses.
     This issue affects Apache HTTP Server: through 2.4.58.
     Credits: Orange Tsai (@@orange_8361) from DEVCORE

  *) mod_deflate: Fixes and better logging for handling various error and
     edge cases.  [Eric Covener, Yann Ylavic, Joe Orton, Eric Norris ]

  *) Add CGIScriptTimeout to mod_cgi.  [Eric Covener]

  *) mod_xml2enc: Tolerate libxml2 2.12.0 and later.  [ttachi ]

  *) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable.
     [Jean-Frederic Clere]

  *) mod_ssl: Use OpenSSL-standard functions to assemble CA name lists for
     SSLCACertificatePath/SSLCADNRequestPath. Names will now be
     consistently sorted.  [Joe Orton]

  *) mod_xml2enc: Update check to accept any text/ media type or any XML
     media type per RFC 7303, avoiding corruption of Microsoft OOXML
     formats.  [Joseph Heenan , Joe Orton]

  *) mod_http2: v2.0.26 with the following fixes:
     - Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c).
       Fixes .
     - Fixed small memory leak in h2 header bucket free. Thanks to Michael
       Kaufmann for finding this and providing the fix.

  *) htcacheclean: In -a/-A mode, list all files per subdirectory rather
     than only one.  [Artem Egorenkov ]

  *) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files
     which include CA certificates; those CA certs are treated as if
     configured with SSLProxyMachineCertificateChainFile.  [Joe Orton]

  *) htpasswd, htdbm, dbmmanage: Update help&docs to refer to "hashing",
     rather than "encrypting" passwords.  [Michele Preziuso ]

  *) mod_ssl: Fix build with LibreSSL 2.0.7+.  [Giovanni Bechis, Yann Ylavic]

  *) htpasswd: Add support for passwords using SHA-2.  [Joe Orton, Yann Ylavic]

  *) core: Allow mod_env to override system environment vars.
     [Joe Orton]

  *) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an
     operation which removes a directory/file between apr_dir_read() and
     apr_stat(). Current behaviour is to abort the connection which seems
     inferior to tolerating (and logging) the error.  [Joe Orton]

  *) mod_ldap: HTML-escape data in the ldap-status handler.
     [Eric Covener, Chamal De Silva]

  *) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is
     set. Allow for "SSLCryptoDevice builtin" if the ENGINE API is not
     available, notably with OpenSSL >= 3.  [Yann Ylavic, Joe Orton]

  *) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings
     about deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while
     defaulting to compatibility with version 1.1.1 (including ENGINEs /
     SSLCryptoDevice).  [Yann Ylavic]

  *) mod_ssl: release memory to the OS when needed.  [Giovanni Bechis]

  *) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch
     when some dollar substitution (backreference) happens in the hostname
     or port part of the URL.  [Yann Ylavic]

  *) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend
     systems are cached.  [Yann Ylavic]

  *) mod_proxy: Add optional third argument for ProxyRemote, which
     configures Basic authentication credentials to pass to the remote
     proxy.
@
text
@d1 1
a1 1
$NetBSD$
d3 1
a3 1
--- configure.orig	2024-04-03 12:22:44.000000000 +0000
d5 2
a6 2
@@@@ -42821,7 +42821,6 @@@@ printf "%s\n" "#define SERVER_CONFIG_FIL
 printf "%s\n" "#define AP_TYPES_CONFIG_FILE \"${rel_sysconfdir}/mime.types\"" >>confdefs.h
@


1.3
log
@apache24: updated to 2.4.55

Changes with Apache 2.4.55

  *) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
     2.4.55 allows a backend to trigger HTTP response splitting
     (cve.mitre.org)
     Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the
     response headers to be truncated early, resulting in some headers
     being incorporated into the response body.
   If the later headers have any security purpose, they will not be interpreted by the client.
   Credits: Dimas Fariski Setyawan Putra (@@nyxsorcerer)
*) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp Possible request smuggling (cve.mitre.org)
   Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to.
   This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.
   Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group
*) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org)
   A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.
   This issue affects Apache HTTP Server 2.4.54 and earlier.
*) mod_dav: Open the lock database read-only when possible.
*) mod_proxy_http2: apply the standard httpd content type handling to responses from the backend, as other proxy modules do.
*) mod_dav: mod_dav overrides dav_fs response on PUT failure.
*) mod_proxy_hcheck: Honor worker timeout settings. [Yann Ylavic]
*) mod_http2: version 2.0.10 of the module, synchronizing changes with the github version. This is a partial rewrite of how connections and streams are handled.
   - an APR pollset and pipes (where supported) are used to monitor the main connection and react to IO for request/response handling. This replaces the stuttered timed waits of earlier versions.
   - H2SerializeHeaders directive still exists, but no longer has an effect.
   - Clients that seemingly misbehave still get fewer resources allocated, but ongoing requests are no longer disrupted.
   - Fixed an issue since 1.15.24 that "Server" headers in proxied requests were overwritten instead of preserved.
   - A regression in v1.15.24 was fixed that could lead to httpd child processes not being terminated on a graceful reload or when reaching MaxConnectionsPerChild. When unprocessed h2 requests were queued at the time, these could stall.
   - Improved information displayed in 'server-status' for H2 connections when Extended Status is enabled. Now one can see the last request that IO operations happened on and transferred IO stats are updated as well.
   - When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection sent a GOAWAY frame much too early on new connections, leading to invalid protocol state and a client failing the request. The module now initializes the HTTP/2 protocol correctly and allows the client to submit one request before the shutdown via a GOAWAY frame is being announced.
   - :scheme pseudo-header values, not matching the connection scheme, are forwarded via absolute uris to the http protocol processing to preserve semantics of the request. Checks on combinations of pseudo-headers values/absence have been added as described in RFC 7540. Fixes #230.
   - A bug that prevented trailers (e.g. HEADER frame at the end) from being generated in certain cases was fixed. See #233 where it prevented gRPC responses from being properly generated.
   - Request and response header values are automatically stripped of leading and trailing space/tab characters. This is equivalent behaviour to what Apache httpd's http/1.1 parser does. The checks for this in nghttp2 v1.50.0+ are disabled.
   - Extensive testing in production done by Alessandro Bianchi (@@alexskynet) on the v2.0.x versions for stability. Many thanks!
*) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when request ':authority' is known. Improved test case that did not catch that the previous 'fix' was incorrect.
*) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests using GET11, HEAD11 and/or OPTIONS11.
   [Jim Jagielski]
*) mod_proxy: The AH03408 warning for a forcibly closed backend connection is now logged at INFO level. [Yann Ylavic]
*) mod_ssl: When dumping the configuration, the existence of certificate/key files is no longer tested. [Joe Orton]
*) mod_authn_core: Add expression support to AuthName and AuthType. [Graham Leggett]
*) mod_ssl: when a proxy connection had handled a request using SSL, an error was logged when "SSLProxyEngine" was only configured in the location/proxy section and not the overall server. The connection continued to work, the error log was in error.
*) mod_proxy_hcheck: Re-enable workers in standard ERROR state.
*) mod_proxy_hcheck: Detect AJP/CPING support correctly.
*) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]
*) mod_md: a new directive `MDStoreLocks` can be used on cluster setups with a shared file system for `MDStoreDir` to order activation of renewed certificates when several cluster nodes are restarted at the same time. Store locks are not enabled by default. Restored curl_easy cleanup behaviour from v2.4.14 and refactored the use of curl_multi for OCSP requests to work with that. Fixes .
*) core: Avoid an overflow on large inputs in ap_is_matchexp.
*) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based storage instead of slotmem. Needed after setting HeartbeatMaxServers default to the documented value 10 in 2.4.54.
*) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery. This is a game changer for performance if clients use PROPFIND a lot.
@
text
@d1 1
a1 1
$NetBSD$
d3 1
a3 1
--- configure.orig 2023-01-10 13:38:25.000000000 +0000
d5 2
a6 2
@@@@ -42087,7 +42087,6 @@@@ printf "%s\n" "#define SERVER_CONFIG_FIL
printf "%s\n" "#define AP_TYPES_CONFIG_FILE \"${rel_sysconfdir}/mime.types\"" >>confdefs.h
@


1.2
log
@apache24: updated to 2.4.53

Changes with Apache 2.4.53
*) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds (cve.mitre.org)
   Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.
   This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.
*) SECURITY: CVE-2022-22721: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (cve.mitre.org)
   If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes.
   This issue affects Apache HTTP Server 2.4.52 and earlier.
   Credits: Anonymous working with Trend Micro Zero Day Initiative
*) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
   Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling.
*) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of in r:parsebody (cve.mitre.org)
   A carefully crafted request body can cause a read to a random memory area which could cause the process to crash.
   This issue affects Apache HTTP Server 2.4.52 and earlier.
*) core: Make sure and check that LimitXMLRequestBody fits in system memory.
*) core: Simpler connection close logic if discarding the request body fails.
*) mod_http2: preserve the port number given in a HTTP/1.1 request that was Upgraded to HTTP/2.
*) mod_proxy: Allow for larger worker name.
*) dbm: Split the loading of a dbm driver from the opening of a dbm file.
   When an attempt to load a dbm driver fails, log clearly which driver triggered the error (not "default"), and what the error was.
*) mod_proxy: Use the maximum of front end and backend timeouts instead of the minimum when tunneling requests (websockets, CONNECT requests). Backend timeouts can be configured more selectively (per worker if needed) as front end timeouts and typically the backend timeouts reflect the application requirements better.
*) ap_regex: Use Thread Local Storage (TLS) to recycle ap_regexec() buffers when an efficient TLS implementation is available.
*) core, mod_info: Add compiled and loaded PCRE versions to version number display.
*) mod_md: do not interfere with requests to /.well-known/acme-challenge/ resources if challenge type 'http-01' is not configured for a domain. Fixes .
*) mod_dav: Fix regression when gathering properties which could lead to huge memory consumption proportional to the number of resources.
*) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x) for regular expression evaluation. This depends on locating pcre2-config.
*) Add the ldap function to the expression API, allowing LDAP filters and distinguished names based on expressions to be escaped correctly to guard against LDAP injection.
*) mod_md: the status description in MDomain's JSON, exposed in the md-status handler (if configured) sometimes did not carry the correct message when certificates needed renewal.
*) mpm_event: Fix a possible listener deadlock on heavy load when restarting and/or reaching MaxConnectionsPerChild.
@
text
@d3 1
a3 1
--- configure.orig 2022-03-09 14:17:37.000000000 +0000
d5 2
a6 2
@@@@ -41155,7 +41155,6 @@@@ cat >>confdefs.h <<_ACEOF
_ACEOF
@


1.2.8.1
log
@Pullup ticket #6739 - requested by taca
www/apache24: security update

Revisions pulled up:
- www/apache24/Makefile 1.115
- www/apache24/PLIST 1.36
- www/apache24/distinfo 1.54
- www/apache24/patches/patch-configure 1.3

-------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   adam
Date:           Fri Jan 20 14:03:16 UTC 2023

Modified Files:
	pkgsrc/www/apache24: Makefile PLIST distinfo
	pkgsrc/www/apache24/patches: patch-configure

Log Message:
apache24: updated to 2.4.55

Changes with Apache 2.4.55
*) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (cve.mitre.org)
   Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
   Credits: Dimas Fariski Setyawan Putra (@@nyxsorcerer)
*) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp Possible request smuggling (cve.mitre.org)
   Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to.
   This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.
   Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group
*) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org)
   A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.
   This issue affects Apache HTTP Server 2.4.54 and earlier.
*) mod_dav: Open the lock database read-only when possible.
*) mod_proxy_http2: apply the standard httpd content type handling to responses from the backend, as other proxy modules do.
*) mod_dav: mod_dav overrides dav_fs response on PUT failure.
*) mod_proxy_hcheck: Honor worker timeout settings. [Yann Ylavic]
*) mod_http2: version 2.0.10 of the module, synchronizing changes with the github version. This is a partial rewrite of how connections and streams are handled.
   - an APR pollset and pipes (where supported) are used to monitor the main connection and react to IO for request/response handling. This replaces the stuttered timed waits of earlier versions.
   - H2SerializeHeaders directive still exists, but no longer has an effect.
   - Clients that seemingly misbehave still get fewer resources allocated, but ongoing requests are no longer disrupted.
   - Fixed an issue since 1.15.24 that "Server" headers in proxied requests were overwritten instead of preserved.
   - A regression in v1.15.24 was fixed that could lead to httpd child processes not being terminated on a graceful reload or when reaching MaxConnectionsPerChild. When unprocessed h2 requests were queued at the time, these could stall.
   - Improved information displayed in 'server-status' for H2 connections when Extended Status is enabled. Now one can see the last request that IO operations happened on and transferred IO stats are updated as well.
   - When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection sent a GOAWAY frame much too early on new connections, leading to invalid protocol state and a client failing the request. The module now initializes the HTTP/2 protocol correctly and allows the client to submit one request before the shutdown via a GOAWAY frame is being announced.
   - :scheme pseudo-header values, not matching the connection scheme, are forwarded via absolute uris to the http protocol processing to preserve semantics of the request. Checks on combinations of pseudo-headers values/absence have been added as described in RFC 7540. Fixes #230.
   - A bug that prevented trailers (e.g. HEADER frame at the end) from being generated in certain cases was fixed. See #233 where it prevented gRPC responses from being properly generated.
   - Request and response header values are automatically stripped of leading and trailing space/tab characters. This is equivalent behaviour to what Apache httpd's http/1.1 parser does. The checks for this in nghttp2 v1.50.0+ are disabled.
   - Extensive testing in production done by Alessandro Bianchi (@@alexskynet) on the v2.0.x versions for stability. Many thanks!
*) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when request ':authority' is known. Improved test case that did not catch that the previous 'fix' was incorrect.
*) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
*) mod_proxy: The AH03408 warning for a forcibly closed backend connection is now logged at INFO level. [Yann Ylavic]
*) mod_ssl: When dumping the configuration, the existence of certificate/key files is no longer tested. [Joe Orton]
*) mod_authn_core: Add expression support to AuthName and AuthType. [Graham Leggett]
*) mod_ssl: when a proxy connection had handled a request using SSL, an error was logged when "SSLProxyEngine" was only configured in the location/proxy section and not the overall server. The connection continued to work, the error log was in error.
*) mod_proxy_hcheck: Re-enable workers in standard ERROR state.
*) mod_proxy_hcheck: Detect AJP/CPING support correctly.
*) mod_http2: Export mod_http2.h as public header.
   [Stefan Eissing]
*) mod_md: a new directive `MDStoreLocks` can be used on cluster setups with a shared file system for `MDStoreDir` to order activation of renewed certificates when several cluster nodes are restarted at the same time. Store locks are not enabled by default. Restored curl_easy cleanup behaviour from v2.4.14 and refactored the use of curl_multi for OCSP requests to work with that. Fixes .
*) core: Avoid an overflow on large inputs in ap_is_matchexp.
*) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based storage instead of slotmem. Needed after setting HeartbeatMaxServers default to the documented value 10 in 2.4.54.
*) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery. This is a game changer for performance if clients use PROPFIND a lot.

To generate a diff of this commit:
cvs rdiff -u -r1.114 -r1.115 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.35 -r1.36 pkgsrc/www/apache24/PLIST
cvs rdiff -u -r1.53 -r1.54 pkgsrc/www/apache24/distinfo
cvs rdiff -u -r1.2 -r1.3 pkgsrc/www/apache24/patches/patch-configure
@
text
@d3 1
a3 1
--- configure.orig 2023-01-10 13:38:25.000000000 +0000
d5 2
a6 2
@@@@ -42087,7 +42087,6 @@@@ printf "%s\n" "#define SERVER_CONFIG_FIL
printf "%s\n" "#define AP_TYPES_CONFIG_FILE \"${rel_sysconfdir}/mime.types\"" >>confdefs.h
@


1.1
log
@apache24: updated to 2.4.52

Changes with Apache 2.4.52
*) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (cve.mitre.org)
   A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one.
   This issue affects Apache HTTP Server 2.4.51 and earlier.
   Credits: Chamal
*) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier (cve.mitre.org)
   A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).
   This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
   Credits: 漂亮鼠 TengMA(@@Te3t123)
*) http: Enforce that fully qualified uri-paths not to be forward-proxied have an http(s) scheme, and that the ones to be forward proxied have a hostname, per HTTP specifications.
*) OpenSSL autoconf detection improvement: pick up openssl.pc in the specified openssl path.
*) mod_proxy_connect, mod_proxy: Do not change the status code after we already sent it to the client.
*) mod_http: Correctly send a 100 Continue status code when sending an interim response as result of an Expect: 100-Continue in the request and not the current status code of the request.
*) mod_dav: Some DAV extensions, like CalDAV, specify both document elements and property elements that need to be taken into account when generating a property. The document element and property element are made available in the dav_liveprop_elem structure by calling dav_get_liveprop_element().
*) mod_dav: Add utility functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() so that other modules get to play too.
*) mpm_event: Restart stopping of idle children after a load peak.
*) mod_http2: fixes 2 regressions in server limit handling.
   1. When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection sent a GOAWAY frame much too early on new connections, leading to invalid protocol state and a client failing the request.
      The module now initializes the HTTP/2 protocol correctly and allows the client to submit one request before the shutdown via a GOAWAY frame is being announced.
   2. A regression in v1.15.24 was fixed that could lead to httpd child processes not being terminated on a graceful reload or when reaching MaxConnectionsPerChild. When unprocessed h2 requests were queued at the time, these could stall. See .
*) mod_ssl: Add build support for OpenSSL v3.
*) mod_proxy_connect: Honor the smallest of the backend or client timeout while tunneling.
*) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows disabling TCP half-close forwarding when tunneling protocols.
*) core: Be safe with ap_lingering_close() called with a socket NULL-ed by a third-party module.
*) mod_md: Fix memory leak in case of failures to load the private key.
*) mod_md: adding v2.4.8 with the following changes
   - Added support for ACME External Account Binding (EAB). Use the new directive `MDExternalAccountBinding` to provide the server with the value for key identifier and hmac as provided by your CA. While working on some servers, EAB handling is not uniform across CAs. First tests with a Sectigo Certificate Manager in demo mode are successful. But ZeroSSL, for example, seems to regard EAB values as a one-time-use-only thing, which makes them fail if you create a second account or retry the creation of the first account with the same EAB.
   - The directive 'MDCertificateAuthority' now checks if its parameter is a http/https url or one of a set of known names. Those are 'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test' for now and they are not case-sensitive. The default of LetsEncrypt is unchanged.
   - `MDContactEmail` can now be specified inside a `` section.
   - Treating 401 HTTP status codes for orders like 403, since some ACME servers seem to prefer that for accessing orders from other accounts.
   - When retrieving certificate chains, try to read the response even if the HTTP Content-Type is unrecognized.
   - Fixed a bug that reset the error counter of a certificate renewal and prevented the increasing delays in further attempts.
   - Fixed the renewal process giving up every time on an already existing order with some invalid domains. Now, if such are seen in a previous order, a new order is created for a clean start over again. See
   - Fixed a mixup in md-status handler when static certificate files and renewal was configured at the same time.
*) mod_md: values for External Account Binding (EAB) can now also be configured to be read from a separate JSON file. This allows keeping server configuration permissions world readable without exposing secrets.
*) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
@
text
@d3 1
a3 1
--- configure.orig 2021-12-16 13:49:07.000000000 +0000
d5 2
a6 2
@@@@ -41857,7 +41857,6 @@@@ printf "%s\n" "#define SERVER_CONFIG_FIL
printf "%s\n" "#define AP_TYPES_CONFIG_FILE \"${rel_sysconfdir}/mime.types\"" >>confdefs.h
@