summaryrefslogtreecommitdiffstats
path: root/package/apache/apache.mk
Commit message (Collapse)AuthorAgeFilesLines
* package/apache: bump version to 2.4.27Bernd Kuhls2017-07-111-1/+1
| | | | | | | | Announcement: http://www.apache.org/dist/httpd/Announcement2.4.html Release notes: http://www.apache.org/dist/httpd/CHANGES_2.4.27 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* apache: security bump to version 2.4.26Peter Korsgaard2017-06-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes the following security issues: CVE-2017-3167: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. CVE-2017-3169: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. CVE-2017-7659: A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process. CVE-2017-7668: The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. CVE-2017-7679: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. While we're at it, use the upstream sha256 checksum instead of sha1. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* package/apache: security bump version to 2.4.25Bernd Kuhls2016-12-221-1/+1
| | | | | | | | | | | Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.25 Fixes CVE-2016-8740, CVE-2016-5387, CVE-2016-2161, CVE-2016-0736, CVE-2016-8743. Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* apache: add customization of MPMFabrice Fontaine2016-09-121-1/+9
| | | | | | | | | | MPM can be selected between event, prefork or worker Set worker as the default one as it was before even if event MPM is better on system supporting thread safe polling Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* package/apache: security bump to version 2.4.23Bernd Kuhls2016-07-071-1/+1
| | | | | | | | | Fixes CVE-2016-4979: TLS/SSL X.509 client certificate auth bypass with HTTP/2 http://httpd.apache.org/security/vulnerabilities_24.html Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* apache: bump to version 2.4.20Gustavo Zacarias2016-04-131-1/+1
| | | | | | Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Acked-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* apache, apr: fix atomic handlingThomas Petazzoni2016-02-061-4/+0
| | | | | | | | | | | | | | | | Since the apache package was introduced, --enable-nonportable-atomics=yes was passed when BR2_ARCH_HAS_ATOMICS. However, Apache doesn't take this option: it only passes it down when building the APR library. But since we're building APR separately, this statement had no effect. So this commit removes the useless code from the Apache package, and instead adds the appropriate logic to the apr package, using the new BR2_TOOLCHAIN_HAS_SYNC_x symbols rather than BR2_ARCH_HAS_ATOMICS. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
* package/apache: bump version to 2.4.18Bernd Kuhls2015-12-191-1/+1
| | | | | Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* apache: bump to version 2.4.17Vicente Olivert Riera2015-10-141-1/+1
| | | | | | Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* package/apache: security bump to version 2.4.16Bernd Kuhls2015-07-161-1/+1
| | | | | | | | Fixes CVE-2015-3183, CVE-2015-3185, CVE-2015-0253, CVE-2015-0228 http://marc.info/?l=apache-httpd-announce&m=143704705330655&w=2 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* apache: new packageBernd Kuhls2015-02-221-0/+85
[Thomas: - Don't explicitly pass CC_FOR_BUILD and CFLAGS_FOR_BUILD, those are already part of the default environment passed by the autotools-package infrastructure. - Explicitly disable Lua and LuaJIT support to avoid mis-detection of host installation. - Explicitly handle the optional support of libxml2, OpenSSL and zlib. Especially, the absence of explicit handling for libxml2 was causing a build failure due to the host libxml2 being detected. - Remove /usr/manual and /usr/build from the target. This saves 20+ MB of target space.] Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
OpenPOWER on IntegriCloud