14:23 brnrd 

Mk/Uses/apache.mk: Migrate Mk/bsd.apache.mk to Uses

 - Chase required changes in framework (bsd.sanity.mk, bsd.port.mk)
 - Chase required changes in ports (version checks)
 - Chase required changes in PHP ports (include bsd.apache.mk)
 - exp-run by antoine, brnrd, joneum

PR:             223691 (exp-run)
Reviewed by:    joneum (hat apache), mat (portmgr), antoine (portmgr)
Approved by:    joneum (hat apache)
Approved by:	portmgr
With hat:       apache

 

14:20 mat 

Remove UNIQUENAME and LATEST_LINK.

UNIQUENAME was never unique, it was only used by USE_LDCONFIG and now,
we won't have conflicts there.

Use PKGBASE instead of LATEST_LINK in PKGLATESTFILE, the *only* consumer
is pkg-devel, and it works just fine without LATEST_LINK as pkg-devel
has the correct PKGNAME anyway.

Now that UNIQUENAME is gone, OPTIONSFILE is too. (it's been called
OPTIONS_FILE now.)

Reviewed by:	antoine, bapt
Exp-run by:	antoine
Sponsored by:	Absolight
Differential Revision:	https://reviews.freebsd.org/D3336

 

18:50 ohauer 

apache24

- remove check if apr is build with threads
- bump PORTREVISION
- adopt new pkg-plist @dir

@with hat apache@

 

20:20 ohauer 

- update to 2.2.29
- use PTHREAD_LIBS/CFLAGS instead -pthread

Changes with Apache 2.2.29
http://www.apache.org/dist/httpd/CHANGES_2.2.29

  *) Corrected docs/manual pages for new MergeTrailers directive and other
     out of date documentation. [William Rowe]

Changes with Apache 2.2.28

  *) SECURITY: CVE-2014-0118 (cve.mitre.org) [1]
     mod_deflate: The DEFLATE input filter (inflates request bodies) now
     limits the length and compression ratio of inflated request bodies to avoid
     denial of service via highly compressed bodies.  See directives
     DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
     and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]

  *) SECURITY: CVE-2014-0231 (cve.mitre.org) [1]
     mod_cgid: Fix a denial of service against CGI scripts that do
     not consume stdin that could lead to lingering HTTPD child processes
     filling up the scoreboard and eventually hanging the server.  By
     default, the client I/O timeout (Timeout directive) now applies to
     communication with scripts.  The CGIDScriptTimeout directive can be
     used to set a different timeout for communication with scripts.
     [Rainer Jung, Eric Covener, Yann Ylavic]

  *) SECURITY: CVE-2014-0226 (cve.mitre.org) [1]
     Fix a race condition in scoreboard handling, which could lead to
     a heap buffer overflow.  [Joe Orton, Eric Covener, Jeff Trawick]

  *) SECURITY: CVE-2013-5704 (cve.mitre.org) [2]
     core: HTTP trailers could be used to replace HTTP headers
     late during request processing, potentially undoing or
     otherwise confusing modules that examined or modified
     request headers earlier.  Adds "MergeTrailers" directive to restore
     legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]

  *) core: Detect incomplete request and response bodies, log an error and
     forward it to the underlying filters. PR 55475.  [Yann Ylavic]

  *) mod_deflate: Handle Zlib header and validation bytes received in multiple
     chunks. PR 46146. [Yann Ylavic]

  *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
     differs. PR 55782.  [Yann Ylavic]

  *) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
     [Lukas Bezdicka <social v3.sk>]

  *) mod_dav: Fix improper encoding in PROPFIND responses.  PR 56480.
     [Ben Reser]

  *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
     resumed by TLS session resumption (RFC 5077). [Rainer Jung]

  *) mod_proxy_ajp: Forward local IP address as a custom request attribute
     like we already do for the remote port. [Rainer Jung]

  *) mod_deflate: Don't fail when flushing inflated data to the user-agent
     and that coincides with the end of stream ("Zlib error flushing inflate
     buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]

  *) mod_cache, mod_disk_cache: With CacheLock enabled, responses with a Vary
     header might not get the benefit of the thundering herd protection due to
     an incorrect internal cache key.  PR 50317.
     [Ruediger Pluem, Jan Kaluza, Yann Ylavic]

  *) mod_rewrite: Support session cookies with the CO= flag when later
     parameters are used.  The doc for this implied the feature had been
     backported for quite some time.  PR56014 [Eric Covener]

  *) mod_cache: Don't remove stale cache entries that cannot be conditionally
     revalidated. This prevents the thundering herd protection from serving
     stale responses during a revalidation. PR 50317.
     [Eric Covener, Jan Kaluza,  Ruediger Pluem]

  *) core: Increase TCP_DEFER_ACCEPT socket option to from 1 to 30 seconds.
     PR 41270. [Dean Gaudet <dean arctic org>]

[1] CVE issues already fixed since FreeBSD-ports r362845
[2] new CVE-2013-5704 issue fixed in 2.2.29

MFH:		2014Q3
Security:	f927e06c-1109-11e4-b090-20cf30e32f6d
Security:	CVE-2013-5704

 

17:40 ohauer 

- support staging
- partitial adopt new ${opt}_ notation

 

19:01 ohauer 

- update to apache-2.2.25
- update vuxml with additional CVE-2013-1896 entry

Changes with Apache 2.2.25
  http://www.apache.org/dist/httpd/CHANGES_2.2.25

  *) SECURITY: CVE-2013-1896 (cve.mitre.org)
     mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
     the source href (sent as part of the request body as XML) pointing to a
     URI that is not configured for DAV will trigger a segfault. [Ben Reser
     <ben reser.org>]

  *) SECURITY: CVE-2013-1862 (cve.mitre.org)
     mod_rewrite: Ensure that client data written to the RewriteLog is
     escaped to prevent terminal escape sequences from entering the
     log file.  [Eric Covener, Jeff Trawick, Joe Orton]

  *) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
     strings.  The default limit for ap_pregsub() can be adjusted at compile
      time by defining AP_PREGSUB_MAXLEN.  [Stefan Fritsch, Jeff Trawick]

  *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
     on Linux kernel versions 3.x and above.  PR 55121.  [Bradley Heilbrun
     <apache heilbrun.org>]

  *) mod_setenvif: Log error on substitution overflow.
     [Stefan Fritsch]

  *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
     [Kaspar Brand]

  *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
     forwarding to SSL backends. PR 53134.
     [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]

  *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
     in the error log to debug level.  [William Rowe]

  *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
     with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
     [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]

  *) mod_proxy_balancer: Added balancer parameter failontimeout to allow server
     admin to configure an IO timeout as an error in the balancer.
     [Daniel Ruggeri]

  *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
     password.  [Daniel Ruggeri]

  *) htdigest: Fix buffer overflow when reading digest password file
     with very long lines. PR 54893. [Rainer Jung]

  *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
     [Timothy Wood <tjw omnigroup.com>]

  *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
     we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]

  *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
     result in a 412 Precondition Failed for a COPY operation. PR54610
     [Timothy Wood <tjw omnigroup.com>]

  *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
     property on a resource for which there is no dead property in the same
     namespace httpd segfaults. PR 52559 [Diego Santa Cruz
     <diego.santaCruz spinetix.com>]

  *) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

  *) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

PR:		ports/180248
Submitted by:	Jason Helfman jgh@

 

19:31 ohauer 

- update to version 2.2.24
- move mpm itk patches to itk-mpm/files dir
- add sshd to REQUIRE line in the rc script to prevent boot
  issues in case a SSL cert is password protected [1]

Changes with Apache 2.2.24
 SECURITY: CVE-2012-3499 (cve.mitre.org) Various XSS flaws due to
 unescaped hostnames and URIs HTML output in mod_info, mod_status,
 mod_imagemap, mod_ldap, and mod_proxy_ftp.  [Jim Jagielski, Stefan
 Fritsch, Niels Heinen <heinenn google com>]

 SECURITY: CVE-2012-4558 (cve.mitre.org)
 XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
 Niels Heinen <heinenn google com>]

 mod_rewrite: Stop merging RewriteBase down to subdirectories
 unless new option 'RewriteOptions MergeBase' is configured.
 Merging RewriteBase was unconditionally turned on in 2.2.23.
 PR 53963. [Eric Covener]

 mod_ssl: Send the error message for speaking http to an https port using
 HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
 using SNI. PR 50823. [Stefan Fritsch]

 mod_ssl: log revoked certificates at level INFO
 instead of DEBUG. PR 52162. [Stefan Fritsch]

 mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
 [Rainer Jung]

 mod_dir: Add support for the value 'disabled' in FallbackResource.
 [Vincent Deffontaines]

 mod_ldap: Fix regression in handling "server unavailable" errors on
 Windows.  PR 54140.  [Eric Covener]

 mod_ssl: fix a regression with the string rendering of the "UID" RDN
 introduced in 2.2.15. PR 54510. [Kaspar Brand]

 ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
 to more accurately report the negotiated protocol. PR 53916.
 [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]

 mod_cache: Explicitly allow cache implementations to cache a 206 Partial
 Response if they so choose to do so. Previously an attempt to cache a 206
 was arbitrarily allowed if the response contained an Expires or
 Cache-Control header, and arbitrarily denied if both headers were missing
 Currently the disk and memory cache providers do not cache 206 Partial
 Responses. [Graham Leggett]

 core: Remove unintentional APR 1.3 dependency introduced with
 Apache 2.2.22. [Eric Covener]

 core: Use a TLS 1.0 close_notify alert for internal dummy connection if
 the chosen listener is configured for https. [Joe Orton]

 mod_ssl: Add new directive SSLCompression to disable TLS-level
   compression. PR 53219.

[1] requested by Andrew Filonov
    (freebsd-apache/2012-September/002962.html)

with head apache@

 

12:37 gahr 

- Get rid of PTHREAD_CFLAGS and PTHREAD_LIBS (category: www)

Approved by:	portmgr

 

16:35 ohauer 

- add a note about devel/apr1 and apache22 updates
- adjust DBD IGNORE message

 

21:17 ohauer 

- Simplify options with the removal of the last APR only related parameter [1]

- disallow IPv6 sockets to handle IPv4 requests per default. [2]

- move extra-patch-server__config.c
    -> patch-server__config.c
    https://issues.apache.org/bugzilla/show_bug.cgi?id=53823

- bump PORTREVISION

[1] Credits to Hajimu UMEMOTO (ume@) for finding the last APR related parameter
[2] http://httpd.apache.org/docs/2.2/bind.html

with hat apache@

 

14:31 ohauer 

devel/apr1 [1]
- update APR to 1.4.6
- update APR-util to 1.4.1
- remove PKGNAMESUFFIX'es

www/apache-(event|itk|peruser|worker)-mpm
- adopt new Makefile header, adjust
  PKGNAMESUFFIX in apache22 masterport
  PKGNAME match now LATEST_LINK

www/apache22 [2]-[6]
- rewrite for options NG
- PORTNAME s|apache|apache22|
- remove APR APR-util specific otions,
  will be checked now with help of apr/u-1-config

Mk/bsd.apache.mk
- rewrite for options NG
- remove no longer needet make targets
  (show-categories, make-options-list)

[1]
PR: 165143

[2]-[6]
PR: 130479
PR: 153406
PR: 158565
PR: 168769
PR: 167965

with hat apache@

 

04:49 ohauer 

- rewite apache port
 - remove all apr/apu related parts (leftovers from bundled apr)
 - remove invalid parts from Makefile.doc
 - move MODULES to Makefile.options

- remove apache20 parts
- remove category handling

with hat apache@

19:51 ohauer 

- rewrite bsd.apache.mk  (prepare for options NG support)
   keep full backward support until apache20 is removed from the tree
   comment code to remove with MFC TODO:

- adjust apache20 and apache22 ports
   changes are transparent for users (no PORTREVISION bump)

 Users who are using special build instructions in make.conf, such as
  - WITH_STATIC_MODULES= alias dir log_config mime rewrite setenvif vhost_alias

 should convert the values to UPPERCASE
  - WITH_STATIC_MODULES= ALIAS DIR LOG_CONFIG MIME REWRITE SETENVIF VHOST_ALIAS

 At the moment code to support old lowercase style is in place, but
 target to remove in favor for options NG.

with hat apache@

21:13 ohauer 

apache22
- centralise OPTIONS in Makefile.options
- s/Enable// in OPTIONS
- rewrite Makefile.modules (last defined SLAVE_PORT_MPM port use now WITH_MPM
var)
- no REVISION bump, nothing changed in the logic / functionality

apache22-peruser-mpm
- use WITH_MPM instead SLAVE_PORT_MPM

21:32 ohauer 

- cleanup conflicts (remove no longer existent ports)
- remove explicit ABI version number from LIB_DEPENDS

13:46 gabor 

- Track dependencies after databases/gdbm update

17:00 ohauer 

 - update Apache 2 ITK MPM patch to version 20110321-01 [1]
 - add additional patch for mpm-itk [2]
 - add mod_substitute to apache22 [3]
 - add some documentation into the mpm-itk* patches
 - bump portrevision

 Changes:
 [1] apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:
  * Fixed CVE-2011-1176: If NiceValue was set, the default with no
    AssignUserID was to run as root:root instead of the default Apache user
    and group, due to the configuration merger having an incorrect default
    configuration.
  * Rebase against Apache 2.2.17.
  * Fix an issue where users can sometimes get spurious 403s on persistent
    connections, if the .htaccess files are not world readable.
  * In the config merger, don't reallocate the username, since it's already
    in the correct pool. (This is not a memory leak, only a small inefficiency.)

 [2] http://httpd.apache.org/docs/2.2/mod/mod_substitute.html

 Source:
  http://mpm-itk.sesse.net/ [1]
  http://www.pvv.ntnu.no/~knuta/mpm-itk/ [2]
  http://lists.freebsd.org/pipermail/freebsd-apache/2011-March/002184.html [3]

 With Hat:  apache@

PR:             ports/156024 [1][2]
Submitted by:   Lukasz Wasikowski <lukasz _at_ wasikowski.net> [1][2]
                Nick Gieczewski <sorongo _at_ gmail.com> [3]

21:43 pgollucci 

- Enable,build, and install mod_reqtimeout.so which mitigates solaris attacks.
- Default on, so bump PORTREVISION

Reuested by:        Jonas Eckerman <jonas@fsdb.org> (via apache@)
With Hat:           apache@

04:57 pgollucci 

-  only need to set grandfather deps
   the dbm maze is a bit harder so is left alone for now

With Hat:   apache@

13:44 kuriyama 

- Fix plist with WITH_BDB case.

08:09 pgollucci 

- OPTIONS+= PROXY_SCGI

PR:             ports/140137
Submitted by:   olli hauer <ohauer@gmx.de>

19:36 mezz 

-Repocopy devel/libtool15 -> libtool22 and libltdl15 -> libltdl22.
-Update libtool and libltdl to 2.2.6a.
-Remove devel/libtool15 and devel/libltdl15.
-Fix ports build with libtool22/libltdl22.
-Bump ports that depend on libltdl22 due to shared library version change.
-Explain what to do update in the UPDATING.

It has been tested with GNOME2, XFCE4, KDE3, KDE4 and other many wm/desktop
and applications in the runtime.

With help:      marcus and kwm
Pointyhat-exp:  a few times by pav
Tested by:      pgollucci, "Romain Tartière" <romain@blogreen.org>, and
                a few MarcusCom CVS users. Also, I might have missed a few.
Repocopy by:    marcus
Approved by:    portmgr

17:24 pgollucci 

- Revert the bdb change in the last batch

- Reported by: Serveral

With Hat:   apache@

00:33 pgollucci 

- Drop .sh suffices on rc.d scripts, add note to UPDATING
- Commit the final part of the bdb patch improving the value passed
  to --with-berkely-db [1]
- Silence the blasted warnings about accf [2]
  (Will send this upstream)
- Address httpd issue 42829* -  graceful restart with multiple listeners
   using prefork MPM can result in hung processes [3]
- Address httpd issue 29744+ - CONNECT does not work over existing
   SSL connection [4]
- Drop .sh suffices on rc.d scripts, add note to UPDATING [5]
- Bump PORTREVISION

PRs:                ports/110651 [1], ports/132528 [2], ports/134457 [3]
                    ports/135478
Submitted by:       "Timur I. Bakeyev" <timur@gnu.org> [1]
                    bz@ [2]
                    Alexander <freebsd@nagilum.org> [4]
                    myself (pgollucci@) [5]
Requested by:       apache@ (several) [3]

Tested by:          P6 TB (running live > 5 days)
                    RideCharge TB (running live > 3 days)
                    Apache Software Foundation (ASF) TB (running live > 1 day)

Sponosored by:      RideCharge Inc.

19:08 clement 

- Fix @comment string

Pointy hat to:  clement
Reported by:    Christer Solskogen

13:19 clement 

- Fix plist where apr_dbd is used
- Fix Postgresql build, don't trust pg_config
- Don't overwrite apr_dbd_mysql.c
- Bump PORTREVISION

No cookie for:  clement

12:26 clement 

- Update MPM itk patch to 20080727-00 (it is actually a no op
  on FreeBSD)
- Move mpm-itk patch to EXTRA_PATCHES to avoid conflicts with
  alternative mpm patches [1]
- update PLIST_SUBS when SLAVE_PORT_MPM is defined

Requested by:           Jille Timmermans [1]

20:42 clement 

- Fix recursive use of WITH_BDB_VER when WITH_BERKELEYDB and WITH_BDB_VER
  are both defined.

Reported by:    Vivek Khera <VIVEK@KHERA.ORG>

11:29 clement 

- Update to 2.2.8
- Update documentation
- Use BDB from bsd.databases.mk instead of homebrew [1]

PR:             ports/119711 [1]
Submitted by:   mm [1]

09:33 mm 

- Add support for db45 and db46

PR:             ports/117937
Submitted by:   mm
Approved by:    maintainer timeout

10:22 clement 

- Make port more OPTIONS compliant (more OPTIONS workarounds)
- Add some IGNORE entries to warn users when the choose conflicting options

21:05 clement 

- remove duplicate entry of mod_charset_lite [1]
- add PCRE_FROM_PORTS to OPTIONS
- use @dirrmtry for include/apache22
- workaround plist issues when upgrading, but it's not as safe as I
  would expect, it requires more work.

Spotted by:     bland@ [1]

19:15 clement 

\

- Cleanup MPM selection
- Update mpm itk to 20070425-00

13:18 clement 

- Ensure configure script won't force us to use an unwanted apr dbd backend.

12:13 clement 

- Update to 2.2.4
- Add dumpio module
- Fix rcorder [1]

PR:             ports/106429 [1]
Submitted by:   Dmitry Pryanishnikov <dmitry@atlantis.dp.ua> [1]

10:49 clement 

- Update MySQL apr_dbd to rev 57
- Add support for itk mpm
- Update doc [1]

Reported by:    Volodymyr Kostyrko <arcade@synergetica.dn.ua> [1]

12:29 mr 

Add support for setting WITH_BERKELEYDB to db44

09:05 clement 

- Fix apr_dbd_mysql build

20:46 clement 

- Force to add ${PTHREAD_CFLAGS} and ${PTHREAD_LIBS} to force detection
  of pthread_kill(3).

20:37 clement 

- Update to 2.2.3
- Update apr_dbd to latest version [1]
- Add forgotten mod_authn_alias [2]

Spotted by:     Jim Riggs <freebsd-lists@jimandlissa.com> [1]
                Alexander Wittig <alexander@wittig.name> [2

09:07 clement 

- Update to 2.2.2
- Enable mod_version by default

18:58 clement 

Cleanups and fixes
- remove useless options (and fix thread stuff) [1]
- move print-closest-mirror to bsd.apache.mk
- move threads configure options out of Makefile.modules
- Fix stupid logic to disable v4mapped address [2]
- and more...

Submitted/spotted by:   many, Hirohisa Yamaguchi <umq@ueo.co.jp> [1]
                        ume[2]
PR:                     ports/91813 [1]

15:51 clement 

- Fix plist and improve dbd /mem_cache logic

21:38 clement 

- Grrrrr. mod_mem_cache needs threads-capable APR

Reported by:            pointyhat via kris

22:26 clement 

- Fix envvars.d [1]
- Add apache22_http_accept_enable to load accf_http kernel module [2]
  Additionnally, if it's not defined, we drop accept filter support
- Drop obsolete apache22ssl_enable rc.conf option
- Sync apache22.sh behavior with apachectl
  Add graceful and graceful-stop targets
- Rework categories (add CACHE_MODULES)
- Add support for apr_dbd: MySQL, PostgrSQL and SQLite3 backends are supported
  It adds mod_auth_dbd and mod_dbd automatically

more fixes to come soon...

PR:             ports/90309 [1],
                ports/90103 [2]
Submitted by:   Simun Mikecin <sime@data.home.hr> [1],
                Melvyn Sopacua <melvyn@melvyn.homeunix.net> [2]

20:54 clement 

- Add forgotten mod_filter

Spotted by:             Cheese Lottery <cheeselottery@gmail.com>

11:10 clement 

- Fix duplicated modules