Current status

Number of commits found XX: 21

www/apache24: Don't install suexec manpage when option is off

PR:		248052
Submitted by:	Michael Osipov <michael osipov siemens com>
Approved by:	apache (brnrd)

www/apache24: Security update to 2.4.39

 - Adds mod_socache_redis feature

Changes: https://www.apache.org/dist/httpd/CHANGES_2.4.39

MFH:		2019Q2
Security:	cf2105c6-551b-11e9-b95c-b499baebfeaf

www/apache24: Update to 2.4.34

 - fixes vulns in mod_http2 and mod_md
 - include SSL_* options in alphabetic ordering
 - Remove unneeded SSL_CFLAGS and _LDFLAGS
 - Remove WITH_HTTP_PORT and WITH_SSL_PORT
 - Remove trailing whitespace
 - Fix build with HTTP2 but without SSL [1]

PR:		229802, 227944 [1]
With hat:	apache
Approved by:	brnrd (apache)
MFH:		2018Q3
Security:	8b1a50ab-8a8e-11e8-add2-b499baebfeaf
Differential Revision:	https://reviews.freebsd.org/D16294

www/apache24: Fix runtime failure with LibreSSL 2.7

 - Fix LOG_FORENSIC in plist while here

PR:		227868
Reported by:	Jens K. Loewe <mozilla tuxproject de>
Approved by:	hat (apache@)

www/apache24: Update to 2.4.33

 - Add new uwsgi and md modules
 - Fix LibreSSL 2.7.x builds
 - Remove conflicts for non-existent ports
 - There are no slave-ports
 - Coalesce .if WITH_DEBUG blocks
 - Use OPTIONS where possible
 - Remove dead code
 - Actually enable/disable modules in ALL_MODULES loop
 - Add suexec warning
 - Move Makefile.options to Makefile (too small)

PR:		226647
With hat:	apache
Approved by:	brnrd (apache)
MFH:		MFH2018Q1
Security:	f38187e7-2f6e-11e8-8f07-b499baebfeaf

www/apache24: Update to 2.4.27

 - Bugfix update to 2.4.27
 - Fix build with LibreSSL [1]
 - Add brotli compression option
 - Add pkg-message for 10.3 base-ssl users
 - HTTP/2 is production ready, default enable
   - warn users of 10.3 for mod_http2/OpenSSL 1.0.1

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

PR:             220160 [1]
Reported by:    Markus Kohlmeyer <rootservice@gmail.com>
Reviewed by:    ohauer (hat)
Approved by:    ohauer (hat)
Differential Revision:  https://reviews.freebsd.org/D11285

o update to 2.4.23
o disable build time stamp in favor of reproducible build
o remove obsolate scoreboard/status patch
o s/USE_OPENSSL=yes/USES=ssl/
o add OPTION for two new modules:
   mod_proxy_hcheck (default=on)
   mod_http2_proxy (experimental => default=off)

Changelog:
 http://www.apache.org/dist/httpd/CHANGES_2.4.23

MFH:		2016Q3

- update to 2.4.20
- use ${OPTION}_IMPLIES and remove some IGNORES
- turn on proxy_html and xml2enc as default [1]

[1] Often requested by users. The modules are not enabled in
    the default configuration.

Full changelog for apache version 2.4.19/2.4.20:
 http://www.apache.org/dist/httpd/CHANGES_2.4.20

Note: Apache httpd 2.4.19 was not released.

MFH:	2016Q2

- use new $opt-target
- improve kldstat check
- use new defined postexec, preunexec in pkg-plist

with hat apache@

- update to 2.4.17
- add support for HTTP/2 (RFC 7540)
- remove obsolate libressl patches [1]

In this release are some exciting new features including:

 *) HTTP/2 support via mod_http2 module
 *) Support for SO_REUSEPORT in MPMs for significant scalability

Changes with Apache 2.4.17

 *) mod_http2: added donated HTTP/2 implementation via core module. Similar
    configuration options to mod_ssl. [Stefan Eissing]

 *) mod_proxy: don't recyle backend announced "Connection: close" connections

(Only the first 15 lines of the commit message are shown above )

- update to 2.4.12

- change MPM backend from static to dynamic,
  but keep mpm_prefork for compatiblity with e.g. php modules
- install dedicated MPM load file in case httpd was build with modular MPM
  (modules.d/000_mpm_prefork_fallback.conf)
- disable SSLv3 and SSLv2 fallback in sample httpd-ssl-conf
- use @sample macro instead EXAMPLESDIR
- add some SSLCipherSuite examples for OpenSSL >= 1.0.x
- add libressl support [1]
- add pkg-install script (to handle new modular MPM build)
- build now most all modules, so users using packages don't have
  to run a custom build for missing modules
- fix suexec mode

PR:		196139 [1]
MFH:		2015Q1

apache24

- remove check if apr is build with threads
- bump PORTREVISION
- adopt new pkg-plist @dir

@with hat apache@

- security update to release 2.4.10

- add OPTION for new mod_authnz_fcgi module

- s/libluajit.so/libluajit-5.1.so/ (there is no libluajit.so)

- backport for mod_lua: Don't quote values in cookies
   Make IE happy again [#56734]
   http://svn.apache.org/viewvc?view=revision&revision=1611744

- disable sanity check on demand [1]

Release Notes:
 http://www.apache.org/dist/httpd/CHANGES_2.4.10

PR:		191398 [1]
Submitted by:	Robert Schulze <rs@bytecamp.net>
MFH:		2014Q3
Security:	4364e1f1-0f44-11e4-b090-20cf30e32f6d
		CVE-2014-0117
		CVE-2014-3523
		CVE-2014-0226
		CVE-2014-0118
		CVE-2014-0231

- strip
- remove obsolete apache-*-2.2.* conflict
- add modules.d to EXAMPLESDIR
- always install DOC (remove Makefile hack)
- bump PORREVISION
- sort pkg-plist

- update to 2.4.9
- enforcing use libapr-1.so.5 (apr-1.5.0 instead apr-1.4.8)

Changes with Apache 2.4.9

  *) mod_ssl: Work around a bug in some older versions of OpenSSL that
     would cause a crash in SSL_get_certificate for servers where the
     certificate hadn't been sent. [Stephen Henson]

   *) mod_lua: Add a fixups hook that checks if the original request is intended
      for LuaMapHandler. This fixes a bug where FallbackResource invalidates the
      LuaMapHandler directive in certain cases by changing the URI before the
map
      handler code executes [Daniel Gruno, Daniel Ferradal <dferradal gmail
com>].

Changes with Apache 2.4.8

(Only the first 15 lines of the commit message are shown above )

Fix properties on pkg-plist

  - add new directory for modules (APACHEETCDIR/modules.d)

    New modules can be registered here with a simple
    file that contains the LoadModule directives.
    Additonal Maintaines can write instructions to the
    conf file and keep pkg-message short.
    As bonus the config file can be installed like every
    other config file with a .sample extention so modules
    are not disabled during pkg upgrades.

    Module config files should begin with three digits
    followed by '_' e.g. 100_php5.conf.
    The load order can be controlled via the three digits.

    Please wait some time before adopting the new directory
    so users have time to update and adjust axisting configs

- no revision bump, devel/apr was updated and we will see
  apache 2.2.7 in the next days (I only want to have the
  modules.d directory adopted)

 - fix package installation with old pkg tools (create empty
   folders in pkg-plist even staging is enabled)

  - support staging
  - partitial adopt new ${opt}_ notation

- update to apache24-2.4.6
 - new modules: mod_cache_socache, mod_macro and mod_proxy_wstunnel

- add enty to vuxml

SECURITY: CVE-2013-1896 (cve.mitre.org)
 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
 the source href (sent as part of the request body as XML) pointing to a
 URI that is not configured for DAV will trigger a segfault.

SECURITY: CVE-2013-2249 (cve.mitre.org)
 mod_session_dbd: Make sure that dirty flag is respected when saving
 sessions, and ensure the session ID is changed each time the session
 changes. This changes the format of the updatesession SQL statement.
 Existing configurations must be changed.

Changelog:
http://www.apache.org/dist/httpd/CHANGES_2.4.6

with hat apache@

Security:	ca4d63fb-f15c-11e2-b183-20cf30e32f6d

- new port www/apache24

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for various modern desktop and server operating
systems, such as UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server which provides HTTP
services in sync with the current HTTP standards.
The 2.x branch of Apache Web Server includes several improvements like
threading, use of APR, native IPv6 and SSL support, and many more.

WWW: http://httpd.apache.org/

Note:
 Since apache24 does not enable every module by default in httpd.conf the
 list of modules to build was preselected to match build param

(Only the first 15 lines of the commit message are shown above )

Number of commits found XX: 21

10 vulnerabilities affecting 79 ports have been reported in the past 14 days

^* - modified, not new

All vulnerabilities

Last updated:
2021-03-05 21:21:29