Number of commits found: 23

- Update to 2.2.22

Addresses:
* SECURITY: CVE-2011-3607 (cve.mitre.org)
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP
Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif
module is enabled, allows local users to gain privileges via a .htaccess file
with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request
header, leading to a heap-based buffer overflow.

* SECURITY: CVE-2012-0021 (cve.mitre.org)
The log_cookie function in mod_log_config.c in the mod_log_config module in the
Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not
properly handle a %{}C format string, which allows remote attackers to cause a
denial of service (daemon crash) via a cookie that lacks both a name and a

(Only the first 15 lines of the commit message are shown above )

- update to version 2.2.21

Addresses:
* SECURITY: CVE-2011-3348 (cve.mitre.org)
 mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
 unrecognized HTTP methods from marking ajp: balancer members
 in an error state, avoiding denial of service.

* SECURITY: CVE-2011-3192 (cve.mitre.org)
 core: Further fixes to the handling of byte-range requests to use
 less memory, to avoid denial of service. This patch includes fixes
 to the patch introduced in release 2.2.20 for protocol compliance,
 as well as the MaxRanges directive.

PR:             ports/160743
Submitted by:   Jason Helfman <jhelfman@experts-exchange.com>

Emergency upgrade to 2.2.20 - CVE-2011-3192.  Any complaints, talk to me.

PR:             160381

- update to httpd-2.2.19

Changes with Apache 2.2.19

  *) Revert ABI breakage in 2.2.18 caused by the function signature change
     of ap_unescape_url_keep2f().  This release restores the signature from
     2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
     [Eric Covener]

commit with hat apache@

- update to version 2.2.18

Changes:
http://www.apache.org/dist/httpd/CHANGES_2.2.18

Changes with Apache 2.2.18

  *) Log an error for failures to read a chunk-size, and return 408 instead
     413 when this is due to a read timeout.  This change also fixes some cases
     of two error documents being sent in the response for the same scenario.
     [Eric Covener] PR49167

  *) core: Only log a 408 if it is no keepalive timeout. PR 39785
     [Ruediger Pluem,  Mark Montague <markmont umich.edu>]

(Only the first 15 lines of the commit message are shown above )

- Get Rid MD5 support

- Update to 2.2.17

**
* Note, no CVE affects the FREEBSD port.  devel/apr1 was updated to
* apr-util 1.3.10 on 2010/10/06 05:32:24.
**

Changes:        http://www.apache.org/dist/httpd/CHANGES_2.2
PR:             ports/151594
Submitted by:   Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
With Hat:       apache@

<ChangeLog>
  *) prefork MPM: Run cleanups for final request when process exits gracefully
     to work around a flaw in apr-util.  PR 43857.  [Tom Donovan]

(Only the first 15 lines of the commit message are shown above )

- Upgrade to 2.2.16.

Security:       CVE-2010-1452 (mod_{cache,dev} remote DoS),
                CVE-2010-2068 (mod_{proxy_{ajp,http},reqtimeout} related on some
platforms)

2/5: Update to httpd 2.2.15, default to using devel/apr instead of bundled apr

PR:             ports/146130
Approved by:    portmgr (pav)
Tested by:      -exp run (pav)
With Hat:       apache@

- Update to 2.2.14
- With hat apache@

Note: The 3 CVE's are a no-op for the FreeBSD port --

date: 2009/08/25 05:33:03;  author: kuriyama;  state: Exp;  lines: +0 -0
(Forced commit)

- 2.2.13 (acutally 2.2.12) includes fixes for several CVEs. [1]
  but in our ports tree, APR related ones (CVE-2009-0023,
  CVE-2009-1955, CVE-2009-1956) were already backported in 2.2.11_5.

References:     http://www.apache.org/dist/httpd/CHANGES_2.2.12 [1]

Changes:

(Only the first 15 lines of the commit message are shown above )

- Upgrade to 2.2.13.

PR:             ports/137651
Submitted by:   Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>

- Update to 2.2.11
- Always depend on pcre from ports [1]
- Fix plist with LDAP/without apr-util DSO
- source envvars as late as possible [2]

Requested by:           ale
                        Eygene Ryabinkin <rea-fbsd at codelabs dot ru> [2]
PR:                     ports/127418 [2]

 - Update to 2.2.9
 - Add a note to UPDATING about the forced build of subversion
   because of apr/apu bumped version.

- Update to 2.2.8
- Update documentation
- Use BDB from bsd.databases.mk instead of homebrew [1]

PR:             ports/119711 [1]
Submitted by:   mm [1]

- Update to 2.2.6
- Fix restart when profiles are used [1]

Submitted by:   Jarrod Sayers <jarrod at netleader dot com dot au>

- Update to 2.2.4
- Add dumpio module
- Fix rcorder [1]

PR:             ports/106429 [1]
Submitted by:   Dmitry Pryanishnikov <dmitry@atlantis.dp.ua> [1]

- Update MySQL apr_dbd to rev 57
- Add support for itk mpm
- Update doc [1]

Reported by:    Volodymyr Kostyrko <arcade@synergetica.dn.ua> [1]

- Fix apr_dbd_mysql stuff.

Pointyhat to:   clement
Spotted by:     Sean McNeil <sean@mcneil.com>

- Update to 2.2.3
- Update apr_dbd to latest version [1]
- Add forgotten mod_authn_alias [2]

Spotted by:     Jim Riggs <freebsd-lists@jimandlissa.com> [1]
                Alexander Wittig <alexander@wittig.name> [2

- Update to 2.2.2
- Enable mod_version by default

- remove useless powerlogo.gif

- Fix envvars.d [1]
- Add apache22_http_accept_enable to load accf_http kernel module [2]
  Additionnally, if it's not defined, we drop accept filter support
- Drop obsolete apache22ssl_enable rc.conf option
- Sync apache22.sh behavior with apachectl
  Add graceful and graceful-stop targets
- Rework categories (add CACHE_MODULES)
- Add support for apr_dbd: MySQL, PostgrSQL and SQLite3 backends are supported
  It adds mod_auth_dbd and mod_dbd automatically

more fixes to come soon...

PR:             ports/90309 [1],
                ports/90103 [2]
Submitted by:   Simun Mikecin <sime@data.home.hr> [1],
                Melvyn Sopacua <melvyn@melvyn.homeunix.net> [2]

- Add apache 2.2.0
  It's a temporary layout, I need more time to find the best.
  note that ${PREFIX}/www/(data|errors|cgi)(-dist) disappeared in favor of
  ${PREFIX}/www/apache22

Number of commits found: 23

12 vulnerabilities affecting 17 ports have been reported in the past 14 days

^* - modified, not new

All vulnerabilities