forked from Lainports/freebsd-ports
75fd8aa481
- normalize patch-pcre.diff into makepatch format - All 4 CVE patches are included upstream and part of 2.0.64 - part of the local apxs.in changes are upstream now too - some patches were regenerated for offset updates ** There is NO security update here. ** Changes: http://www.apache.org/dist/httpd/CHANGES_2.0 With Hat: apache@ <ChangeLog> *) SECURITY: CVE-2010-1452 (cve.mitre.org) mod_dav: Fix Handling of requests without a path segment. PR: 49246 [Mark Drayton, Jeff Trawick] *) SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. PR 39605. [Joe Orton, Ruediger Pluem] *) SECURITY: CVE-2009-3095 (cve.mitre.org) mod_proxy_ftp: sanity check authn credentials. [Stefan Fritsch <sf fritsch.de>, Joe Orton] *) SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths. [Stefan Fritsch <sf fritsch.de>, Joe Orton] *) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol, RFC 5746. [Joe Orton, and with thanks to the OpenSSL Team] *) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: A partial fix for the TLS renegotiation prefix injection attack for OpenSSL versions prior to 0.9.8l; reject any client-initiated renegotiations. Forcibly disable keepalive for the connection if there is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using openssl 0.9.8l or later. [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>, Rainer Jung] *) SECURITY: CVE-2010-0434 (cve.mitre.org) Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Elimiates a problematic optimization in the case of no request body. PR 48359 [Jake Scott, William Rowe, Ruediger Pluem] *) SECURITY: CVE-2008-2364 (cve.mitre.org) mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem, Joe Orton, Jim Jagielski] *) SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick] *) SECURITY: CVE-2008-2939 (cve.mitre.org) mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem] *) Fix recursive ErrorDocument handling. PR 36090 [Chris Darroch] *) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton] *) Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass through on a 304 response. [Nick Kew] *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf [Philip M. Gollucci] </ChangeLog>
127 lines
3.5 KiB
Text
127 lines
3.5 KiB
Text
--- ./docs/conf/httpd-std.conf.in.orig 2008-03-22 00:00:26.000000000 +0000
|
|
+++ ./docs/conf/httpd-std.conf.in 2010-10-21 05:40:35.666621609 +0000
|
|
@@ -68,7 +68,7 @@
|
|
#
|
|
<IfModule !mpm_netware.c>
|
|
<IfModule !perchild.c>
|
|
-#ScoreBoardFile @rel_logfiledir@/apache_runtime_status
|
|
+#ScoreBoardFile @rel_runtimedir@/apache_runtime_status
|
|
</IfModule>
|
|
</IfModule>
|
|
|
|
@@ -265,8 +265,8 @@
|
|
# when the value of (unsigned)Group is above 60000;
|
|
# don't use Group #-1 on these systems!
|
|
#
|
|
-User nobody
|
|
-Group #-1
|
|
+User %%WWWOWN%%
|
|
+Group %%WWWGRP%%
|
|
</IfModule>
|
|
</IfModule>
|
|
|
|
@@ -314,10 +314,11 @@
|
|
#
|
|
# First, we configure the "default" to be a very restrictive set of
|
|
# features.
|
|
-#
|
|
+#
|
|
<Directory />
|
|
- Options FollowSymLinks
|
|
AllowOverride None
|
|
+ Order Deny,Allow
|
|
+ Deny from all
|
|
</Directory>
|
|
|
|
#
|
|
@@ -330,7 +331,7 @@
|
|
#
|
|
# This should be changed to whatever you set DocumentRoot to.
|
|
#
|
|
-<Directory "@exp_htdocsdir@">
|
|
+<Directory "%%WWWBASEDIR%%">
|
|
|
|
#
|
|
# Possible values for the Options directive are "None", "All",
|
|
@@ -365,24 +366,29 @@
|
|
# UserDir: The name of the directory that is appended onto a user's home
|
|
# directory if a ~user request is received.
|
|
#
|
|
+<IfModule mod_userdir.c>
|
|
UserDir public_html
|
|
|
|
+UserDir disabled %%FTPUSERS%%
|
|
+
|
|
#
|
|
# Control access to UserDir directories. The following is an example
|
|
# for a site where these directories are restricted to read-only.
|
|
#
|
|
-#<Directory /home/*/public_html>
|
|
-# AllowOverride FileInfo AuthConfig Limit Indexes
|
|
-# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
|
|
-# <Limit GET POST OPTIONS PROPFIND>
|
|
-# Order allow,deny
|
|
-# Allow from all
|
|
-# </Limit>
|
|
-# <LimitExcept GET POST OPTIONS PROPFIND>
|
|
-# Order deny,allow
|
|
-# Deny from all
|
|
-# </LimitExcept>
|
|
-#</Directory>
|
|
+<Directory /home/*/public_html>
|
|
+ AllowOverride FileInfo AuthConfig Limit Indexes
|
|
+ Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
|
|
+ <Limit GET POST OPTIONS PROPFIND>
|
|
+ Order allow,deny
|
|
+ Allow from all
|
|
+ </Limit>
|
|
+ <LimitExcept GET POST OPTIONS PROPFIND>
|
|
+ Order deny,allow
|
|
+ Deny from all
|
|
+ </LimitExcept>
|
|
+</Directory>
|
|
+
|
|
+</IfModule>
|
|
|
|
#
|
|
# DirectoryIndex: sets the file that Apache will serve if a directory
|
|
@@ -472,7 +478,7 @@
|
|
# logged here. If you *do* define an error logfile for a <VirtualHost>
|
|
# container, that host's errors will be logged there and not here.
|
|
#
|
|
-ErrorLog @rel_logfiledir@/error_log
|
|
+ErrorLog @rel_logfiledir@/httpd-error.log
|
|
|
|
#
|
|
# LogLevel: Control the number of messages logged to the error_log.
|
|
@@ -500,20 +506,20 @@
|
|
# define per-<VirtualHost> access logfiles, transactions will be
|
|
# logged therein and *not* in this file.
|
|
#
|
|
-CustomLog @rel_logfiledir@/access_log common
|
|
+#CustomLog @rel_logfiledir@/httpd-access.log common
|
|
|
|
#
|
|
# If you would like to have agent and referer logfiles, uncomment the
|
|
# following directives.
|
|
#
|
|
-#CustomLog @rel_logfiledir@/referer_log referer
|
|
-#CustomLog @rel_logfiledir@/agent_log agent
|
|
+#CustomLog @rel_logfiledir@/httpd-referer.log referer
|
|
+#CustomLog @rel_logfiledir@/httpd-agent.log agent
|
|
|
|
#
|
|
# If you prefer a single logfile with access, agent, and referer information
|
|
# (Combined Logfile Format) you can use the following directive.
|
|
#
|
|
-#CustomLog @rel_logfiledir@/access_log combined
|
|
+CustomLog @rel_logfiledir@/httpd-access.log combined
|
|
|
|
#
|
|
# ServerTokens
|
|
@@ -1040,3 +1046,5 @@
|
|
# ErrorLog @rel_logfiledir@/dummy-host.example.com-error_log
|
|
# CustomLog @rel_logfiledir@/dummy-host.example.com-access_log common
|
|
#</VirtualHost>
|
|
+
|
|
+Include @rel_sysconfdir@/Includes/*.conf
|