Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Pullup ticket #6301 - requested by taca
www/apache24: security fix Revisions pulled up: - www/apache24/Makefile 1.94 - www/apache24/distinfo 1.44 --- Module Name: pkgsrc Committed By: taca Date: Sun Aug 9 15:01:55 UTC 2020 Modified Files: pkgsrc/www/apache24: Makefile distinfo Log Message: www/apache24: update to 2.4.46 Update apache24 to 2.4.46 (Apache HTTPD 2.4.46). It fixes several security problems: CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header CVE-2020-11984: mod_uwsgi buffer overlow CVE-2020-11985: CWE-345: Insufficient verification of data authenticity CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header pkgsrc changes: reduce warnings by SUBST_* processing. Changes with Apache 2.4.46 *) mod_proxy_fcgi: Fix build warnings for Windows platform [Eric Covener, Christophe Jaillet] Changes with Apache 2.4.45 *) mod_http2: remove support for abandoned http-wg draft <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>. [Stefan Eissing] Changes with Apache 2.4.44 *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard protocol limit). [Yann Ylavic] *) mod_http2: Fixes <icing/mod_h2#200>: "LimitRequestFields 0" now disables the limit, as documented. Fixes <icing/mod_h2#201>: Do not count repeated headers with same name against the field count limit. The are merged internally, as if sent in a single HTTP/1 line. [Stefan Eissing] *) mod_http2: Avoid segfaults in case of handling certain responses for already aborted connections. [Stefan Eissing, Ruediger Pluem] *) mod_http2: The module now handles master/secondary connections and has marked methods according to use. [Stefan Eissing] *) core: Drop an invalid Last-Modified header value coming from a FCGI/CGI script instead of replacing it with Unix epoch. [Yann Ylavic, Luca Toscano] *) Add support for strict content-length parsing through addition of ap_parse_strict_length() [Yann Ylavic] *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression evaluates to false. PR64365. [Michael König <mail ikoenig.net>] *) mod_proxy_http: flush spooled request body in one go to avoid leaking (or long lived) temporary file. PR 64452. [Yann Ylavic] *) mod_ssl: Fix a race condition and possible crash when using a proxy client certificate (SSLProxyMachineCertificateFile). [Armin Abfalterer <a.abfalterer gmail.com>] *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing] *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG. PR64330 [Stefan Eissing] *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout was configured with a handshake timeout. Fixes gitub issue #196. [Stefan Eissing] *) mod_proxy_http2: the "ping" proxy parameter (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used when checking the liveliness of a new or reused h2 connection to the backend. With short durations, this makes load-balancing more responsive. The module will hold back requests until ping conditions are met, using features of the HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing] *) core: httpd is no longer linked against -lsystemd if mod_systemd is enabled (and built as a DSO). [Rainer Jung] *) mod_proxy_http2: respect ProxyTimeout settings on backend connections while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
- Loading branch information