notbugAs an Amazon Associate I earn from qualifying purchases.
Want a good read? Try FreeBSD Mastery: Jails (IT Mastery Book 15)
Want a good monitor light? See my photosAll times are UTC
Ukraine
This referral link gives you 10% off a Fastmail.com account and gives me a discount on my Fastmail account.
New feature planned: get notified when the package is available. Now is the time to contribute ideas/suggestions.
non port: www/apache22/files/patch-CVE-2015-3183

Number of commits found: 2

Sunday, 2 Aug 2015
19:39 ohauer search for other commits by this committer
- update to 2.2.31
- remove backports
- minor cleanups
- always rebuild configure script
- add patch for acinclude.m4 [1]

Changes with Apache 2.2.31 [2]

  *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers.
     [Yann Ylavic, Gregg Smith]

Changes with Apache 2.2.30 (not released)

  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
     core: Fix chunk header parsing defect.
     Remove apr_brigade_flatten(), buffering and duplicated code from
     the HTTP_IN filter, parse chunks in a single pass with zero copy.
     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
     authorized characters.  [Graham Leggett, Yann Ylavic]

  *) http: Fix LimitRequestBody checks when there is no more bytes to read.
     [Michael Kaufmann <mail michael-kaufmann.ch>]

  *) core: Allow spaces after chunk-size for compatibility with implementations
     using a pre-filled buffer.  [Yann Ylavic, Jeff Trawick]

  *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
     no longer send warning-level unrecognized_name(112) alerts. PR 56241.
     [Kaspar Brand]

  *) http: Make ap_die() robust against any HTTP error code and not modify
     response status (finally logged) when nothing is to be done. PR 56035.
     [Yann Ylavic]

  *) core, modules: Avoid error response/document handling by the core if some
     handler or input filter already did it while reading the request (causing
     a double response body).  [Yann Ylavic]

  *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
     5+ instead of just for FreeBSD 5. PR 53824.  [Jeff Trawick,
     Olli Hauer <ohauer gmx de>]

  *) mod_proxy: use the original (non absolute) form of the request-line's URI
     for requests embedded in CONNECT payloads used to connect SSL backends via
     a ProxyRemote forward-proxy.  PR 55892.  [Hendrik Harms <hendrik.harms
     gmail com>, William Rowe, Yann Ylavic]

  *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
     internationalization.  [William Rowe]

  *) mod_log_config: Implement logging for sub second timestamps and
     request end time.  [Rainer Jung]

  *) mod_log_config: Ensure that time data is consistent if multiple
     duration patterns are used in combination, e.g. %D and %{ms}T.
     [Rainer Jung]

  *) mod_log_config: Add "%{UNIT}T" format to output request duration in
     seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
     [Ben Reser, Rainer Jung]

  *) In alignment with RFC 7525, the default recommended SSLCipherSuite
     and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
     default recommended SSLProtocol and SSLProxyProtocol directives now
     exclude SSLv3. Existing configurations must be adjusted by the
     administrator. [William Rowe]

  *) core: Avoid potential use of uninitialized (NULL) request data in
     request line error path. [Yann Ylavic]

  *) mod_proxy_http: Use the "Connection: close" header for requests to
     backends not recycling connections (disablereuse), including the default
     reverse and forward proxies.  [Yann Ylavic]

  *) mod_proxy: Add ap_connection_reusable() for checking if a connection
     is reusable as of this point in processing.  [Jeff Trawick]

  *) mod_proxy: Reuse proxy/balancer workers' parameters and scores across
     graceful restarts, even if new workers are added, old ones removed, or
     the order changes.  [Jan Kaluza, Yann Ylavic]

  *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
     PR 57100.  [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
     Yann Ylavic]

  *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
     allowing custom parameters to be configured via SSLCertificateFile,
     and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
     Unless custom parameters are configured, the standardized parameters
     are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]

  *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
     keys, and unconditionally disable aNULL, eNULL and EXP ciphers
     (not overridable via SSLCipherSuite). [Kaspar Brand]

  *) mod_ssl: Add support for configuring persistent TLS session ticket
     encryption/decryption keys (useful for clustered environments).
     [Paul Querna, Kaspar Brand]

  *) SSLProtocol and SSLCipherSuite recommendations in the example/default
     conf/extra/httpd-ssl.conf file are now global in scope, affecting all
     VirtualHosts (matching 2.4 default configuration). [William Rowe]

  *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the
     selected DB engine.  PR 46421.  [Jan Kaluza].

  *) Turn static function get_server_name_for_url() into public
     ap_get_server_name_for_url() and use it where appropriate. This
     fixes mod_rewrite generating invalid URLs for redirects to IPv6
     literal addresses. PR 52831 [Stefan Fritsch]

  *) dav_validate_request: avoid validating locks and ETags when there are
     no If headers providing them on a resource we aren't modifying.
     [Ben Reser]

  *) mod_ssl: New directive SSLSessionTickets (On|Off).
     The directive controls the use of TLS session tickets (RFC 5077),
     default value is "On" (unchanged behavior).
     Session ticket creation uses a random key created during web
     server startup and recreated during restarts. No other key
     recreation mechanism is available currently. Therefore using session
     tickets without restarting the web server with an appropriate frequency
     (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]

  *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to
     compile against APR-1.2.x (minimum required version). [Yann Ylavic]

  *) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts
     computed for subsequent requests.  PR 56729.  [Eric Covener]

[1]	https://issues.apache.org/bugzilla/show_bug.cgi?id=58126
[2]	http://www.apache.org/dist/httpd/CHANGES_2.2.31

With Head apache@

MFH:		2015Q3 ( in case no new issues are reported during the next 7 days )
Original commitRevision:393440 
Monday, 20 Jul 2015
16:37 feld search for other commits by this committer
Backport patch for CVE and bump PORTREVISION

Approved by:	pgollucci
MFH:		2015Q3
Security:	CVE-2015-3183
Security:	29083f8e-2ca8-11e5-86ff-14dae9d210b8
Original commitRevision:392591 

Number of commits found: 2