DIYMacServer » Apache

Apache updated to 2.4.2

Richard — Tue, 24 Apr 2012 19:44:36 +0000

Apache got updated last week, finally got round to getting this tested. It’s now running on all my servers without a problem. Please note that the APR modules are not updated, you could copy them from the 2.4.1 directory.

For compiling read the last update and the additional notes that followed.

Follow up on Apache 2.4.1, Xcode 4.3.2

Richard — Fri, 30 Mar 2012 20:05:24 +0000

During the last week I’ve seen comments regarding the failing of the compilation. The first one was that I completely missed the dependency on PCRE. Because it’s also required for out Postfix installation I already had it installed and didn’t notice it. You can download it from the sourceforge PCRE site. The latest tested version is 8.30. Download it, unpack it and run the following commands in the source directory:

./configure
make
sudo make install

The other thing I missed was the new release of Xcode. Apple released a new version of Xcode 4.3.2 which has a new method of installing. Instead of downloading the Installer from the App Store you can now install Xcode directly from the App Store. However somehow i think they needed to make the package smaller and they left out some the for us essential parts. Luckily its all still free. If you install Xcode from the App Store you need to perform some follow up actions to make it work. Startup Xcode, then let Xcode uninstall the older version, go to the preferences and go for the download tab.

Then select to install the command line tools. Use your apple-id and password to make it happen. After this you’ll be up and running in no time.

Update: If you have a developer account and can login to http://developer.apple.com you can also download the command line tools as a standalone package. Go to the download section and try it there. I’ve got the full Xcode installation as I sometimes try to write that one iPhone app that will make me a millionaire. Let me know if this works for you.

Apache update to 2.4.1

Richard — Mon, 05 Mar 2012 20:00:15 +0000

The upgrade to 2.4.x was a bit more complicated then first expected as there is more to it then just a compilation and check if it works. This release has some more changes to it then just a bug fix and some new features.

First most apparent change is that the APR stuff is no longer included in the download. You now have go get it yourself from http://apr.apache.org/.

Download the APR and APR-util from the site, unpack them and copy them into the ‘./srclib‘ directory (after you downloaded Apache and unpacked the archive). Rename the directories to ‘./srclib/apr‘ and ‘./srclib/apr-util‘ (without the version number). For instance by using these commands:

cp -R apr-1.4.6 httpd-2.4.1/srclib/apr
cp -R apr-util-1.4.1 httpd-2.4.1/srclib/apr-util

From then on you can follow the regular instructions on Compiling Apache.

The only problem is the change in the modules that are compiled and included by this new version. Please comment the following list of modules out of the httpd.conf configuration file located in /etc/httpd/.

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so

We are not using the proxy anyway

You need to recompile PHP as well to get it working with this version of Apache. Next I will change the actual compilation instructions.

Note: this works on Snow Leopard and Leopard as well as PowerPC!

Too much at once

Richard — Thu, 23 Feb 2012 04:31:30 +0000

I feel the need to ask for patience as this week we got bombarders by a lot of updates. Dovecot did a major upgrade to 2.1, Apache released a major upgrade to 2.4, postfix released 2.9.1 a small bugfix and MySQL released 5.5.21.

I need to compile, test and adjust everything where necessary and as you might understand with major upgrade there is more going on then just a compile, run and test. There are new configuration options to be evaluated and older ones deprecated that might need a new one or a workaround for lost functionality.

So I’m working on it but it take a bit longer then usual…

Apache updated to 2.2.22

Richard — Fri, 03 Feb 2012 10:38:59 +0000

The Apache team have released a security update to the popular webserver. This version of Apache is a security and bug fix release. I strongly suggest you should upgrade to this latest version as it solves the following securtiy issues:

SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations.
SECURITY: CVE-2011-3607 (cve.mitre.org) Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file.
SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations.
SECURITY: CVE-2012-0021 (cve.mitre.org) mod_log_config: Fix segfault (crash) when the ‘%{cookiename}C’ log format string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17.
SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process could cause the parent to crash at shutdown rather than terminate cleanly.
SECURITY: CVE-2012-0053 (cve.mitre.org) Fixed an issue in error responses that could expose “httpOnly” cookies when no custom ErrorDocument is specified for status code 400.

If you’ve forgotten how to upgrade your Apache installation in the least painfull way with a possibility to go back if something goes wrong: Upgrading Apache

Apache updated to 2.2.21

Richard — Sun, 18 Sep 2011 12:51:58 +0000

The Apache team have released a security update to the popular webserver. This version of Apache is a security and bug fix release:

SECURITY: CVE-2011-3348 (cve.mitre.org) mod_proxy_ajp when combined with mod_proxy_balancer: Prevents unrecognized HTTP methods from marking ajp: balancer members in an error state, avoiding denial of service.
SECURITY: CVE-2011-3192 (cve.mitre.org) core: Further fixes to the handling of byte-range requests to use less memory, to avoid denial of service. This patch includes fixes to the patch introduced in release 2.2.20 for protocol compliance, as well as the MaxRanges directive.

I would strongly advise you to upgrade your server accordingly as this will solve the problem of the apache killer security issue by which someone could take over your server.

If you’ve forgotten how to upgrade your Apache installation in the least painfull way with a possibility to go back if something goes wrong: Upgrading Apache

First documentation set for Lion

Richard — Fri, 22 Jul 2011 13:44:35 +0000

Alright here is the first result of adapting the instructions to Mac OS X 10.7 aka Lion. First some remarks, to get the quickest results I decided to first do everything in a virtual machine as I wanted to take the time to upgrade my desktop. It was remarkably easy to install Lion as a virtual OS using VMWare. First I tried with Virtualbox which works with Snow Leopard but that didn’t work for Lion. So I tried with the current beta of VMWare Fusion which I am currently testing and that one went without any problem. Just do a “Show Package Contents” of “Install Mac OS X Lion” and copy the file “InstallESD.dmg”. Create a new virtual machine and point it to this DMG file for installing and it will install like a regular Mac. If anyone has a regular version of VMWare Fusion 3.1.x can you verify that this works?

Next step was getting XCode on the machine for which I had to use the “App Store” but luckily XCode is again free! Everything installed I was ready to go. One of the things I noticed is that I can install everything in 64 bits without needing to explicitly specifying it which we had to do on Snow Leopard. Also note that there is no more 32 bits on Lion! This is why it won’t run on some of the older Intel Macs.

So if you’ve already upgraded your Mac to Lion or just have bought a new one and need to install MAMP, that part is no finished. Next step is me taking the time to upgrade my desktop and then attack the mail-server documentation.

http://diymacserver.com/lion/

Update: Just got this in my RSS reader, VMWare 3.1.3 does not support Lion as a guest. The current Beta does so I guess you have to wait till 3.1.4 or join the beta program!

Also found that PostgresSQL 9.0.4 is installed with OS X Lion! There is documentation in /Library/Webserver/Documents and the psql command is available. Let’s see what we can find out more…

Found this in the official Apple documentation What is new in Mac OS X 10.7

Beginning in Mac OS X v10.7, Mac OS X Server ships with PostgreSQL instead of MySQL as its database server. If you are using other software that requires MySQL, you must install it yourself.

Apache updated to 2.2.19

Richard — Sun, 22 May 2011 19:07:12 +0000

The Apache team have released a security update to the popular webserver. This version of Apache is principally a bug fix release, correcting regressions in the httpd 2.2.18 package; the use of that previous 2.2.18 package is discouraged due to these flaws:

SECURITY: CVE-2011-1928 (cve.mitre.org) A fix in bundled APR 1.4.4 apr_fnmatch() to address CVE-2011-0419 introduced a new vulnerability. httpd workers enter a hung state (100% cpu utilization) after updating to APR 1.4.4. Upgrading to APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3
or prior with the ‘IgnoreClient’ option of the ‘IndexOptions’ directive will circumvent both issues.
httpd 2.2.18: The ap_unescape_url_keep2f() function signature was inadvertantly changed. This breaks binary compatibility of a number of third-party modules. This httpd-2.2.19 package restores the function signature provided by 2.2.17 and prior.

I would strongly advise you to upgrade your server accordingly and not to use the httpd 2.2.18 package. i’ve installed it on several machines without an error.

If you’ve forgotten how to upgrade your Apache installation in the least painfull way with a possibility to go back if something goes wrong: Upgrading Apache

Apache updated to 2.2.18

Richard — Sat, 14 May 2011 20:15:16 +0000

The Apache team have released a security update to the popular webserver. This version of Apache is principally a bug fix release, and a security fix release of the APR 1.4.4 dependency; I would advise you to upgrade your server accordingly. I’ve tested and updated all my servers without any problem. Read all about the changes and bugs fixed in the 2.2.18 changelog.

SECURITY: CVE-2011-0419 (cve.mitre.org) apr_fnmatch flaw leads to mod_autoindex remote DoS. Where mod_autoindex is enabled, and a directory indexed by mod_autoindex contained files with sufficiently long names, a carefully crafted request may cause excessive CPU usage. Upgrading to APR 1.4.4, or setting the ‘IgnoreClient’ option of the ‘IndexOptions’ directive circumvents this risk.

If you’ve forgotten how to upgrade your Apache installation in the least painfull way with a possibility to go back if something goes wrong: Upgrading Apache

Apache updated to 2.2.17

Richard — Sun, 24 Oct 2010 10:00:40 +0000

The Apache team have released a security update to the popular webserver. This version of Apache is principally a bug fix release, and a security fix release of the APR-util 1.3.10 dependency; I would advise you to upgrade your server accordingly. I’ve tested and updated all my servers without any problem. Read all about the changes and bugs fixed in the 2.2.17 changelog.

SECURITY: CVE-2010-1623 (cve.mitre.org) Fix a denial of service attack against apr_brigade_split_line().
SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org) Fix two buffer over-read flaws in the bundled copy of expat which could cause httpd to crash while parsing specially-crafted XML documents.

If you’ve forgotten how to upgrade your Apache installation in the least painfull way with a possibility to go back if something goes wrong: Upgrading Apache