This is a use-after-free error that causes a corrupted Allow header to
be constructed in response to HTTP OPTIONS requests. It can leak pieces
of arbitrary memory from the server process that may contain secrets.
The memory pieces change after multiple requests, so for a vulnerable
host an arbitrary number of memory chunks can be leaked.
The bug appears if a webmaster tries to use the "Limit" directive with
an invalid HTTP method.
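
Added example, not part of the commit log or the port: a Python check a defender can run over Allow header values captured from OPTIONS responses to spot the corruption described above. It validates each list element against the RFC 7230 token grammar and flags values that change between identical requests; the function names and the sample byte strings are constructed for illustration.

```python
import re

# RFC 7230 "token": a method name is one or more tchar characters.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def audit_allow(value):
    """Return findings for one raw Allow header value (empty list = well formed)."""
    findings = []
    seen = set()
    for raw in value.split(b","):
        item = raw.strip(b" \t")
        if not item:
            # Senders must not generate empty list elements.
            findings.append("empty list element")
        elif not TOKEN.fullmatch(item):
            # Bytes outside the token grammar cannot be a method name.
            findings.append("not a valid method token: %r" % item)
        elif item in seen:
            # Weaker signal: a repeated method is anomalous but not proof.
            findings.append("duplicate method: %s" % item.decode("ascii"))
        seen.add(item)
    return findings


def audit_samples(values):
    """Audit Allow values collected from repeated OPTIONS requests to one URL."""
    report = {"varies": len(set(values)) > 1, "findings": []}
    for value in values:
        report["findings"].extend(audit_allow(value))
    return report


if __name__ == "__main__":
    # Constructed samples: one clean value and one with non-token bytes.
    samples = [b"GET,HEAD,POST,OPTIONS", b"GET,HEAD,,\x8f\x01abc,POST"]
    print(audit_samples(samples))
```

A host whose report shows non-token elements or `varies` set for the same URL should have its configuration reviewed for "Limit" directives naming invalid methods.
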
functionality. So let's use apachectl2 for start and stop, disable rc_reload
(which should have been done anyway) and relax the default pexp (workaround).
breakage reported by Michael Lechtermann
ok sthen@
Optionally include /var/www/conf/modules/*.conf instead of /etc/apache2/modules/*.conf,
this allows the usual MESSAGE linking from modules.samples/ to modules/ to work
out-of-the-box.
ok sthen@
is prefork or threaded one or the other needs to be used to allow CGI handling.
For fast cgi mod_proxy_fcgi should be used.
OK sthen@ tested by Alessandro DE LAURENZIS
correctly. (in reality this wasn't a big problem as we don't build the ldap
flavoured version in bulk builds anyway, due to dependence on conflicting
versions of apr-util).
servers easily; idea from stsp@
Split the package into -main and -common (which holds common files for
apache 1 and 2).
discussed with stsp@ sthen@
ok stsp@
Manual configuration updates might be required, see
http://httpd.apache.org/docs/2.4/upgrading.html
MPMs can now be loaded at runtime. The default config keeps using 'prefork'.
Based on an initial diff by claudio@
ok sthen@ ajacoutot@
(missed during the heimdal removal because this isn't linked to the build
to avoid conflicting dependencies on apr-util and apr-util--ldap by
different ports in the tree).
privileges, but the file in the fake directory is mode 4555 owned by the
user building the port, so triggering checks at package creation time
because the plist doesn't have a @mode 4555 annotation. Change the PLIST
to explicitly install this file as mode 555 (no setuid bit) to allow
packaging to succeed. This commit does not change the mode of the file
installed by the package, users wanting suexec will still need to chmod
it themselves, just allows a FAKE_AS_ROOT=No build to work.
While there, swap some /var for LOCALSTATEDIR.