• https://dlcdn.apache.org/httpd/ (Download)
• https://archive.apache.org/dist/httpd/ (Download)

• ldap

• (2023-01-23) Updated to version: apache-httpd-2.4.55
• (2022-06-09) Updated to version: apache-httpd-2.4.54
• (2022-03-14) Updated to version: apache-httpd-2.4.53
• (2021-12-21) Updated to version: apache-httpd-2.4.52
• (2021-10-08) Updated to version: apache-httpd-2.4.51
• (2021-10-05) Updated to version: apache-httpd-2.4.50
• (2021-09-17) Updated to version: apache-httpd-2.4.49
• (2021-06-04) Updated to version: apache-httpd-2.4.48
• (2020-08-07) Updated to version: apache-httpd-2.4.46
• (2020-03-31) Updated to version: apache-httpd-2.4.43

Log message:
update to Apache httpd 2.4.51, the previous fix for CVE-2021-41773 was
insufficient. ok giovanni@
"It was found that the fix for CVE-2021-41773 in Apache HTTP Server
2.4.50 was insufficient. An attacker could use a path traversal attack
to map URLs to files outside the directories configured by Alias-like
directives.
If files outside of these directories are not protected by the usual
default configuration "require all denied", these requests can succeed.
If CGI scripts are also enabled for these aliased pathes, this could
allow for remote code execution.
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier
versions."

Log message:
update to Apache httpd 2.4.51, the previous fix for CVE-2021-41773 was
insufficient. ok giovanni@
"It was found that the fix for CVE-2021-41773 in Apache HTTP Server
2.4.50 was insufficient. An attacker could use a path traversal attack
to map URLs to files outside the directories configured by Alias-like
directives.
If files outside of these directories are not protected by the usual
default configuration "require all denied", these requests can succeed.
If CGI scripts are also enabled for these aliased pathes, this could
allow for remote code execution.
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier
versions."

Log message:
update to Apache httpd 2.4.51, the previous fix for CVE-2021-41773 was
insufficient. ok giovanni@
"It was found that the fix for CVE-2021-41773 in Apache HTTP Server
2.4.50 was insufficient. An attacker could use a path traversal attack
to map URLs to files outside the directories configured by Alias-like
directives.
If files outside of these directories are not protected by the usual
default configuration "require all denied", these requests can succeed.
If CGI scripts are also enabled for these aliased pathes, this could
allow for remote code execution.
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier
versions."

Log message:
Security update to 2.4.50
fixes CVE-2021-41524 and CVE-2021-41773

Log message:
Security update to 2.4.50
fixes CVE-2021-41524 and CVE-2021-41773

Log message:
Security update to 2.4.50
fixes CVE-2021-41524 and CVE-2021-41773

Log message:
Update to 2.4.49
fixes CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275
and CVE-2021-40438.
Full changelog at https://downloads.apache.org/httpd/CHANGES_2.4.49

Log message:
Update to 2.4.49
fixes CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275
and CVE-2021-40438.
Full changelog at https://downloads.apache.org/httpd/CHANGES_2.4.49

Log message:
Update to 2.4.48
bug fixes and improvements
also fixes CVE-2021-31618, CVE-2021-30641, CVE-2020-35452, CVE-2021-26691,
CVE-2021-26690, CVE-2020-13950, CVE-2020-13938, CVE-2019-17567
mod_ssl patch by tb@

Log message:
Update to 2.4.48
bug fixes and improvements
also fixes CVE-2021-31618, CVE-2021-30641, CVE-2020-35452, CVE-2021-26691,
CVE-2021-26690, CVE-2020-13950, CVE-2020-13938, CVE-2019-17567
mod_ssl patch by tb@

Log message:
Correctly stop Apache Httpd when daemon_flags is set
from Maxim Tarasov

Log message:
restore a patch removed in previous commit

Log message:
Update 2.4.46
fixes CVE-2020-11984 and CVE-2020-11993
full changelog at https://downloads.apache.org/httpd/CHANGES_2.4.46

Log message:
Avoid NULL pointer dereference, from upstream
ok kn@

Log message:
fix a memory leak in mod_ssl
ok sthen@

Log message:
fix a memory leak in mod_ssl and take maintainership
ok sthen@ on a similar diff

Log message:
MFC update to Apache httpd 2.4.43

Log message:
update to Apache httpd 2.4.43

Log message:
rm old patch to unbreak -stable; from Ian McWilliam

Log message:
MFC update to apache-httpd 2.4.41;
CVE-2019-10081: mod_http2, memory corruption on early pushes
CVE-2019-10082: mod_http2, read-after-free in h2 connection shutdown
CVE-2019-10092: Limited cross-site scripting in mod_proxy
CVE-2019-10097: mod_remoteip stack buffer overflow and NULL pointer dereference
CVE-2019-10098: mod_rewrite configurations vulnerable to open redirect
CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers

Log message:
update to apache-httpd 2.4.41

Log message:
replace simple PERMIT_PACKAGE_CDROM=Yes with PERMIT_PACKAGE=Yes

Log message:
enable mod_authnz_fcgi in Apache httpd, requested by Bartosz Ku??ma

Log message:
move apache-httpd in -stable back to MODSSL_USE_OPENSSL_PRE_1_1_API codepaths,
in the 2.4.35->37 timeframe they switched to newer-API codepaths which seem to
be working in -current but fall over easily on 6.4/-stable, at least with the
event mpm.
problem reported by Frank Groeneveld.

Log message:
MFC: backport Apache httpd fix affecting file uploads, they were broken in 2.4.39
unless the admin specifies an explicit RequestReadTimeout.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63325
https://svn.apache.org/viewvc?view=revision&revision=1857129

Log message:
backport Apache httpd fix affecting file uploads, they were broken in 2.4.39
unless the admin specifies an explicit RequestReadTimeout.  ok naddy@
https://bz.apache.org/bugzilla/show_bug.cgi?id=63325
https://svn.apache.org/viewvc?view=revision&revision=1857129

Log message:
bump REVISION in -current apache-httpd to ensure that the packages for
6.5 (which have a subpackage restructuring) have higher version numbers
than -stable

Log message:
update -stable to apache httpd 2.4.39 - important security fixes
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.39

Log message:
uodate to apache httpd 2.4.39 - important security fixes
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.39

Log message:
merge apache-httpd-common and apache-httpd, there is no need to split
the files now that the openbsd-patched apache-httpd is no more

Log message:
move the REVISION line where it's more likely to be seen next time

Log message:
Update to apache-httpd-2.4.38
ok giovanni@

Log message:
- add libressl patch needed to unbreak startup with ssl enabled
(SSL_CTX_set_post_handshake_auth), problem reported by Helmut Kiessling
- remove no-longer-needed chunk of the patch

Log message:
update to apache-httpd-2.4.37

Log message:
security update to apache httpd 2.4.35, ok giovanni@
Since we no longer have Apache 1.x there's no point renaming most of the
installed files any more, only the ones that conflict with base (httpd and
htpasswd), which avoids some tiresome hand merges that are needed in the
manpages for most updates. Courtesy symlinks added for now so that the
'xxx2' variants still work.

Log message:
security update to apache-httpd 2.4.33

Log message:
fix, now we havef DH_set0_pqg, BIO_set_init, BIO_get_data, BIO_set_data
(code in same ifdef also wants #define BN_get_*_prime_*, BIO_get_shutdown,
BIO_set_shutdown, DH_bits)

Log message:
regen patches, no change

Log message:
LibreSSL has had SSL_CTX_set_{min,max}_proto_version() for a while now,
so we do not gain much from carrying this diff in ports.
ok sthen@

Log message:
update to apache-httpd 2.4.29, from David CARLIER (slightly overdue commit!)

Log message:
Change the shebang line from /bin/sh to /bin/ksh in all ports rc.d
daemon scripts and bump subpackages that contain the *.rc scripts.
discussed with and OK aja@
OK tb

Log message:
MFC security update to Apache httpd-2.4.27
fixed in 2.4.26:
ap_get_basic_auth_pw() Authentication Bypass CVE-2017-3167
mod_ssl Null Pointer Dereference CVE-2017-3169
mod_http2 Null Pointer Dereference CVE-2017-7659
ap_find_token() Buffer Overread CVE-2017-7668
mod_mime Buffer Overread CVE-2017-7679
fixed in 2.4.27:
Read after free in mod_http2 CVE-2017-9789
Uninitialized memory reflection in mod_auth_digest CVE-2017-9788

Log message:
update to httpd-2.4.27

Log message:
additional patch for ab with earlier libressl (SSL_CTX_set_*_proto_version),
not needed for -current, but easier to keep in sync for -stable if it's here

Log message:
oops, reinstate a line i dropped by mistake

Log message:
security update to apache-httpd-2.4.26, from David CARLIER with minor tweaks from me
(2.4.27 to follow)

Log message:
Backport Apache CVE fixes from sthen@.
%--------------------------------------------------------------------
[PATCH] update to apache-httpd-2.4.25 CVE-2016-8740 CVE-2016-5387
CVE-2016-2161 CVE-2016-0736 CVE-2016-8743
%--------------------------------------------------------------------
OK robert@

Log message:
update to apache-httpd-2.4.25
CVE-2016-8740 CVE-2016-5387 CVE-2016-2161 CVE-2016-0736 CVE-2016-8743

Log message:
update to apache-httpd 2.4.23, ok ajacoutot

Log message:
Properly bump REVISION.
spotted by Markus Lude

Log message:
So, mod_perl will reset $0 to argv[0] which will break the rc.d script
functionality. So let's use apachectl2 for start and stop, disable rc_reload
(which should have been done anyway) and relax the default pexp (workaround).
breakage reported by Michael Lechtermann
ok sthen@

Log message:
replace apache-httpd-openbsd, keeping -common separate for now to avoid pain
with PLISTs

Log message:
http2 works here now, so enable it

Log message:
Update to apache-httpd-2.4.20.

Log message:
remove SHARED_ONLY from simple ports that use the gettext or libiconv module

Log message:
Disable Apache httpd's mod_http2.so for now, as reported by
Pedro de Oliveira it isn't working on OpenBSD yet.

Log message:
Don't sample /var/www/conf/modules.samples/, let webapps do that.
Optionaly include /var/www/conf/modules/*.conf instead of /etc/apache2/modules/*.conf,
this allows the usual MESSAGE linking from modules.samples/ to modules/ to work
out-of-the-box.
ok sthen@

Log message:
Update to apache-httpd-2.4.18.

Log message:
As found by ajacoutot, nghttp2 was getting picked up by httpd's autoconf;
make it an explicit dependency and package mod_http2.

Log message:
update to apache-httpd-2.4.17, and add scaffolding to use the same type of
modules.sample mechanism as apache-httpd-openbsd

Log message:
sync Apache httpd in 5.8-stable with -current:
- build mod_cgi.so, for CGI use with the default prefork mpm
- install mod_cgid.so (it was already built but not installed),
for CGI use with optional multi-threaded mpm
- add patches to guard SSLv3 (not required for 5.8 but doesn't hurt,
and simplifies any future syncs)

Log message:
Make sure mod_cgi and mod_cgid are built and installed. Depending if apache
is prefork or threaded one or the other needs to be used to allow CGI handling.
For fast cgi mod_proxy_fcgi should be used.
OK sthen@ tested by Alessandro DE LAURENZIS

Log message:
fix miscommit that removed @rcscript (thanks, update-plist!)

Log message:
Move to improved version of no_ssl3 patch for apache-httpd, thanks to
Kaspar Brand (https://bz.apache.org/bugzilla/show_bug.cgi?id=58349)
- small tweak from Kaspar's patch for 2.4 backport.

Log message:
Do not pick up gawk.

Log message:
Guard use of SSLv3*method.  Die if SSLv3 forced in conf but unavail.
Fixes "undefined symbol" errors at dlopen time.
Reported by Pedro de Oliveira, ok sthen@

Log message:
Don't own /var/www/htdocs/, it's part of mtree.
Don't ship the empty example logs directory.

Log message:
cope with sslv3 being disabled

Log message:
adjust @pkgpath depending on flavour, so updates for apache-httpd--ldap work
correctly. (in reality this wasn't a big problem as we don't build the ldap
flavoured version in bulk builds anyway, due to dependence on conflicting
versions of apr-util).

Log message:
Update to apache-httpd-2.4.16.
ok sthen@

Log message:
Cleanup.

Log message:
Move default document root to /var/www to be able to switch between web
servers easily; idea from stsp@
Split the package into -main and -common (which holds common files for
apache 1 and 2).
discussed with stsp@ sthen@
ok stsp@

Log message:
Change the default user to "www".
This makes it easier to switch from one web server to the other.
discussed with stsp@ sthen@
ok sthen@

Log message:
Update www/apache-httpd to 2.4.12.
Manual configuration updates might be required, see
http://httpd.apache.org/docs/2.4/upgrading.html
MPMs can now be loaded at runtime. The default config keeps using 'prefork'.
Based on an initial diff by claudio@
ok sthen@ ajacoutot@

Log message:
Drop USE_GROFF from ports where the formatting differences are acceptable
or mandoc provides the more useful output.

Log message:
Drop some patches; libressl renamed SSL_CTX_use_certificate_chain to
SSL_CTX_use_certificate_chain_mem (libssl/src/ssl/ssl.h r1.79 et al) so
this no longer conflicts.

Log message:
sync WANTLIB to fix the -ldap flavour, as found by Joe Price
(missed during the heimdal removal because this isn't linked to the build
to avoid conflicting dependencies on apr-util and apr-util--ldap by
different ports in the tree).

Log message:
Fix CVE-2010-1452
ok sthen@, landry@

Log message:
new depends

Log message:
new-style LIB_DEPENDS/REVISION/WANTLIB

Log message:
USE_GROFF=Yes

Log message:
update to 2.2.15

Log message:
MFC:
Security update to apache-httpd-2.2.14. (CVE-2009-3095, CVE-2009-3094)
ok jasper@ bernd@

Log message:
Security update to apache-httpd-2.2.14. (CVE-2009-3095, CVE-2009-3094)

Log message:
MFC:
SECURITY FIX
Update to 2.2.13
SECURITY: CVE-2009-2412, CVE-2009-1891, CVE-2009-1195, CVE-2009-1890,
CVE-2009-1191, CVE-2009-0023, CVE-2009-1955, CVE-2009-1956
Update the Makefile to properly depend on the mt version of apr-util
in ldap flavour. (from bernd@)

Log message:
MFC:
SECURITY FIX
Update to 2.2.13
SECURITY: CVE-2009-2412, CVE-2009-1891, CVE-2009-1195, CVE-2009-1890,
CVE-2009-1191, CVE-2009-0023, CVE-2009-1955, CVE-2009-1956
Update the Makefile to properly depend on the mt version of apr-util
in ldap flavour. (from bernd@)
ok jasper@

Log message:
Update to 2.2.13
SECURITY: CVE-2009-2412, CVE-2009-1891, CVE-2009-1195, CVE-2009-1890,
CVE-2009-1191, CVE-2009-0023, CVE-2009-1955, CVE-2009-1956
Update the Makefile to properly depend on the mt version of apr-util
in ldap flavour. (from bernd@)
ok jasper@, ajacoutot@

Log message:
SECURITY FIX
MFC:
Update to apache-httpd-2.2.11.
Lots of bugfixes and a security fix for CVE-2008-2939.
ok robert@

Log message:
Enable suexec for apache2 with these config changes:
- install the binary under ${TRUEPREFIX}/sbin/suexec2
- change suexec-caller to _apache2
- log to /var/log/suexec2_log similar to the suexec in base
Inputs and OK sthen@, simon@

Log message:
Update to apache-httpd-2.2.11.
Lots of bugfixes and a security fix for CVE-2008-2939.
Enable usage of the threaded apr which is needed for
an upcoming port.
ok simon@

Log message:
Security update to apache-httpd-2.2.9. (CVE-2008-2364 and CVE-2007-6420)
http://www.apache.org/dist/httpd/CHANGES_2.2.9
Also fix LIB_DEPENDS and use the external pcre library instead of the shipped
one.
ok dlg@, simon@, merdely@ (pre-lock)

Log message:
Security update to apache2 2.2.8.
(CVE-2007-6420, CVE-2007-6421, CVE-2007-6422, CVE-2007-6423,
CVE-2008-0005, CVE-2007-6388)
http://lists.grok.org.uk/pipermail/full-disclosure/2008-January/059626.html
http://lists.grok.org.uk/pipermail/full-disclosure/2008-January/059560.html
http://lists.grok.org.uk/pipermail/full-disclosure/2008-January/059561.html
ok dlg@

Log message:
SECURITY update to 2.2.6
fixes various vulnerabilities:
CVE-2007-3847, CVE-2007-1863, CVE-2007-3304, CVE-2006-5752, CVE-2007-1862
more details can be found at:
http://www.apache.org/dist/httpd/CHANGES_2.2.6
ok merdely@

Log message:
Added ldap flavor which includes mod_authnz_ldap + mod_ldap
Removed quotes around COMMENT while here.
From Peter Hessler with tweaks by me.
Advice from Brad.  Help from deanna@, simon@.
ok dlg@, simon@

Log message:
more base64 checksums

Log message:
Update to 2.2.4.  This is principally a bugfix release.  See
Changelog: http://www.apache.org/dist/httpd/CHANGES_2.2
While here, regen patches with the new diff.
ok dlg

Log message:
Append a 2 to every mention of anything that exists in both the base
httpd and this port.  Hopefully we got them all.
Requested by robert@, ok dlg@.

Log message:
enable the cache, disk_cache, and all the proxy modules. mem_cache wont
build since we arent using a threaded worker.
requested by ssehic

Log message:
enable all the modules, and build them as shared objects. mark the port
SHARED_ONLY.
ok robert@

Log message:
switch apache2 from a gnu style configure to a simple one so we can
define prefix the way apache likes it.
this is because apache2 has a different understanding of what the prefix
means, and our understanding and application of it on this port leads to
extremely confused paths in a lot of its generated files.
our understanding of prefix is to mean the path at which the binaries,
libs, manpages, and so on are stored, ie, /usr/local. apache2 understands
prefix to mean "install architecture-independent files", or in real terms
the ServerRoot. obviously using /usr/local as the server root when we want
to use /var/apache2 for that purpose is uncomfortable for it, and it leads
to things like broken paths in the default config files and builds of
modules.
ok robert@

Log message:
move the dir with the build files out of /var/apache2 and into
/usr/local/share/apache2.
based on a suggestion from robert@

Log message:
revert the part of the previous commit that removed the install of the
build dir. you can build apache 2 modules again now.

Log message:
- stop setting SYSCONFDIR
- put config files in /etc/apache2 instead of /var since this is not
chrooted
- make a couple of comments that refer to 'httpd' refer to 'httpd2'
instead
- don't install the build makefiles
ideas from bernd@ and steven@, ok steven@

Log message:
To avoid name clashes with the system httpd, configure with program
name httpd2. Rename the support programs and their manual pages
accordingly.
bump pkgname.
ok steven@, bernd@.

Log message:
use MASTER_SITE_APACHE, pointed out by dlg