./www/apache24, Apache HTTP (Web) server, version 2.4



Branch: CURRENT, Version: 2.4.67nb1, Package name: apache-2.4.67nb1, Maintainer: ryoon

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for various modern desktop and server operating
systems, such as UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server which provides HTTP
services in sync with the current HTTP standards.

This package tracks the 2.4.x releases.


Required to run:
[textproc/libxml2] [security/openssl] [devel/apr] [devel/apr-util] [devel/pcre] [devel/readline] [www/nghttp2] [archivers/brotli]

Required to build:
[pkgtools/cwrappers]

Package options: apache-mpm-event, apache-mpm-prefork, apache-mpm-worker, brotli, http2, xml

Master sites:

Filesize: 7317.448 KB

Version history:


CVS history:


   2026-05-14 18:42:34 by Ryo ONODERA | Files touched by this commit (1335)
Log message:
*: Recursive revbump from security/nettle-4.0
   2026-05-05 02:12:30 by Takahiro Kambe | Files touched by this commit (6) | Package updated
Log message:
www/apache24: update to 2.4.67

Changes with Apache 2.4.67 (2026-05-04)

* SECURITY: CVE-2026-34059: Apache HTTP Server: mod_proxy_ajp: Heap
  Over-Read and memory disclosure in ajp_parse_data() (cve.mitre.org)
  Buffer Over-read vulnerability in Apache HTTP Server.  This issue affects
  Apache HTTP Server: through 2.4.66.  Users are recommended to upgrade to
  version 2.4.67, which fixes the issue.  Credits: Elhanan Haenel

* SECURITY: CVE-2026-34032: Apache HTTP Server: mod_proxy_ajp: Heap Buffer
  Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)
  (cve.mitre.org) Improper Null Termination, Out-of-bounds Read
  vulnerability in Apache HTTP Server.  This issue affects Apache HTTP
  Server: through 2.4.66.  Users are recommended to upgrade to version
  2.4.67, which fixes the issue.  Credits: Tianshuo Han
  (<hantianshuo233@gmail.com>)

* SECURITY: CVE-2026-33857: Apache HTTP Server: Off-by-one OOB reads in AJP
  getter functions (cve.mitre.org) Out-of-bounds Read vulnerability in
  mod_proxy_ajp of Apache HTTP Server.  This issue affects Apache HTTP
  Server: through 2.4.66.  Users are recommended to upgrade to version
  2.4.67, which fixes the issue.  Credits: Elhanan Haenel

* SECURITY: CVE-2026-33523: Apache HTTP Server: multiple modules: HTTP
  response splitting forwarding malicious status line (cve.mitre.org) HTTP
  response splitting vulnerability in multiple Apache HTTP Server modules
  with untrusted or compromised backend servers.  This issue affects Apache
  HTTP Server: from through 2.4.66.  Users are recommended to upgrade to
  version 2.4.67, which fixes the issue.  Credits: Haruki Oyama (Waseda
  University)

* SECURITY: CVE-2026-33007: Apache HTTP Server: mod_authn_socache crash
  (cve.mitre.org) A NULL pointer dereference in the mod_authn_socache in
  Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote
  user to crash a child process in a caching forward proxy configuration.
  Users are recommended to upgrade to version 2.4.67, which fixes this
  issue.  Credits: Pavel Kohout, Aisle Research, Aisle.com

* SECURITY: CVE-2026-33006: Apache HTTP Server: mod_auth_digest timing
  attack (cve.mitre.org) A timing attack against mod_auth_digest in Apache
  HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote
  attacker.  Users are recommended to upgrade to version 2.4.67, which fixes
  this issue.  Credits: Nitescu Lucian

* SECURITY: CVE-2026-29169: Apache HTTP Server: mod_dav_lock indirect lock
  crash (cve.mitre.org) A NULL pointer dereference in mod_dav_lock in Apache
  HTTP Server 2.4.66 and earlier may allow an attacker to crash the server
  with a malicious request. mod_dav_lock is not used internally by mod_dav or
  mod_dav_fs.  The only known use-case for mod_dav_lock was mod_dav_svn from
  Apache Subversion earlier than version 1.2.0.  Users are recommended to
  upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.
  Credits: Pavel Kohout, Aisle Research, Aisle.com

* SECURITY: CVE-2026-29168: Apache HTTP Server: mod_md unrestricted OCSP
  response (cve.mitre.org) Allocation of Resources Without Limits or
  Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response
  data.  This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66.
  Users are recommended to upgrade to version 2.4.67, which fixes the issue.
  Credits: Pavel Kohout, Aisle Research, Aisle.com

* SECURITY: CVE-2026-28780: Apache HTTP Server: buffer overflow in
  mod_proxy_ajp via ajp_msg_check_header() (cve.mitre.org) Heap-based Buffer
  Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server.  If
  mod_proxy_ajp connects to a malicious AJP server this AJP server can send
  a malicious AJP message back to mod_proxy_ajp and cause it to write 4
  attacker controlled bytes after the end of a heap based buffer.  This
  issue affects Apache HTTP Server: through 2.4.66.  Users are recommended
  to upgrade to version 2.4.67, which fixes the issue.  Credits: Andrew
  Lacambra

* SECURITY: CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of
  privileges via ap_expr (cve.mitre.org) An escalation of privilege bug in
  various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess
  authors to read files with the privileges of the httpd user.  Users are
  recommended to upgrade to version 2.4.67, which fixes this issue.
  Credits: y7syeu

* SECURITY: CVE-2026-23918: Apache HTTP Server: http2: double free and
  possible RCE on early reset (cve.mitre.org) Double Free and possible RCE
  vulnerability in Apache HTTP Server with the HTTP/2 protocol.  This issue
  affects Apache HTTP Server: 2.4.66.  Users are recommended to upgrade to
  version 2.4.67, which fixes the issue.  Credits: Bartlomiej Dmitruk,
  striga.ai

* mod_md: update to version 2.6.10
  - Fix issue #420 <https://github.com/icing/mod_md/issues/420> by ignoring
    job.json files that claim to have completely finished a certificate
    renewal, but have not produced the necessary result files.

* mod_http2: update to version 2.0.39
  Remove streams own memory allocator after reports of memory problems with
  third party modules.  [Stefan Eissing]

* mod_http2: update to version 2.0.38
  Source sync with mod_h2 github repository. No functional change.  [Stefan
  Eissing]

* Updated conf/mime.types: added vnd.sqlite3, HEIC, HEIF
  [Alexandru Mărășteanu <hello alexei.ro>]

* mod_md: update to version 2.6.7
  - Fix a regression in `MDStapleOthers` which broke in v2.6.0 and no longer
    applied, no matter the configuration.

* mod_md: update to version 2.6.9
  - Pebble 2.9+ reports another error when terms of service agreement is not
    set. Treating all "userActionRequired" errors as permanent now.

* mod_md: update to version 2.6.8
  - Fix the ARI related `replaces` property in ACME order creation to only
    be used when the CA supports ARI and it is enabled in the menu config.
  - Fix compatibility with APR versions before 1.6.0 which do not have
    `apr_cstr_casecmp` and should use `apr_strnatcasecmp` instead.

* mod_http2: update to version 2.0.37
  Prevent double purge of a stream, resulting in a double free.  Fixes PR
  69899.  [Stefan Eissing]

* mod_md: Use correct function name when compiling against APR < 1.6.0.
  PR 69954 [Tần Quảng <baobaoxich@gmail.com>]
   2026-02-06 11:06:21 by Thomas Klausner | Files touched by this commit (1305)
Log message:
*: recursive bump for nettle 4.0 shlib major bump
   2026-01-07 09:49:50 by Thomas Klausner | Files touched by this commit (2525)
Log message:
*: recursive bump for icu 78.1
   2025-12-07 16:55:55 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
www/apache24: update to 2.4.66

Apache 2.4.66 (2025-12-04)

Security changes with Apache 2.4.66:

  *) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec
     bypass via AllowOverride FileInfo (cve.mitre.org)
     mod_userdir+suexec bypass via AllowOverride FileInfo
     vulnerability in Apache HTTP Server. Users with access to use
     the RequestHeader directive in htaccess can cause some CGI
     scripts to run under an unexpected userid.
     This issue affects Apache HTTP Server: from 2.4.7 through
     2.4.65.
     Users are recommended to upgrade to version 2.4.66, which fixes
     the issue.
     Credits: Mattias Åsander (Umeå University)

  *) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment
     variable override (cve.mitre.org)
     Improper Neutralization of Escape, Meta, or Control Sequences
     vulnerability in Apache HTTP Server through environment
     variables set via the Apache configuration unexpectedly
     superseding variables calculated by the server for CGI programs.
     This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
     Users are recommended to upgrade to version 2.4.66 which fixes
     the issue.
     Credits: Mattias Åsander (Umeå University)

  *) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on
     Windows through UNC SSRF (cve.mitre.org)
     Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP
     Server on Windows with AllowEncodedSlashes On and MergeSlashes Off
     allows to potentially leak NTLM hashes to a malicious server via
     SSRF and malicious requests or content.
     Users are recommended to upgrade to version 2.4.66, which fixes
     the issue.
     Credits: Orange Tsai (@orange_8361) from DEVCORE

  *) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side
     Includes adds query string to #exec cmd=... (cve.mitre.org)
     Apache HTTP Server 2.4.65 and earlier with Server Side Includes
     (SSI) enabled and mod_cgid (but not mod_cgi) passes the
     shell-escaped query string to #exec cmd="..." directives.
     This issue affects Apache HTTP Server before 2.4.66.
     Users are recommended to upgrade to version 2.4.66, which fixes
     the issue.
     Credits: Anthony Parfenov (United Rentals, Inc.)

  *) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME),
     unintended retry intervals (cve.mitre.org)
     An integer overflow in the case of failed ACME certificate
     renewal leads, after a number of failures (~30 days in default
     configurations), to the backoff timer becoming 0. Attempts to
     renew the certificate then are repeated without delays until it
     succeeds.
     This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
     Users are recommended to upgrade to version 2.4.66, which fixes
     the issue.
     Credits: Aisle Research
   2025-10-23 22:40:24 by Thomas Klausner | Files touched by this commit (2999)
Log message:
*: recursive bump for pcre2

Running an old binary against the new pcre doesn't work:
/usr/pkg/lib/libpcre2-8.so.0: version PCRE2_10.47 required by /usr/pkg/lib/libglib-2.0.so.0 not defined
   2025-10-05 21:26:29 by Jonathan Schleifer | Files touched by this commit (485)
Log message:
*: rev bump for curl
   2025-07-24 15:23:23 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
apache24: updated to 2.4.65

Changes with Apache 2.4.65

*) SECURITY: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr'
   always evaluates to true in 2.4.64 (cve.mitre.org)
   A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond
   expr ..." tests evaluating as "true".
   Users are recommended to upgrade to version 2.4.65, which fixes
   the issue.