Thema: Mini/Test/DHCP/Webserver und Tools diverses

[SiLæncer]

Whats new:>>

Security: a specially crafted request might result in an integer overflow and incorrect processing of ranges in the range filter, potentially resulting in sensitive information leak

http://nginx.org/

[SiLæncer]

Changelog

Changes with Apache 2.4.27

  *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
     global variable when using Lua 5.2 or later. This was exported as a
     side effect from luaL_register, which is no longer supported as of
     Lua 5.2 which deprecates pollution of the global namespace.
     [Rainer Jung]

  *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
     The server will continue to run, but HTTP/2 will no longer be negotiated.
     [Stefan Eissing]

  *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
     default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
     [Jacob Champion, Jim Jagielski]

  *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
     PR58188, PR60831, PR61245. [Rainer Jung]
 
  *) mod_http2: Simplify ready queue, less memory and better performance. Update
     mod_http2 version to 1.10.7. [Stefan Eissing]
 
  *) Allow single-char field names inadvertently disallowed in 2.4.25.
     PR 61220. [Yann Ylavic]

  *) htpasswd / htdigest: Do not apply the strict permissions of the temporary
     passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]

  *) core: Avoid duplicate HEAD in Allow header.
     This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
     PR 61207. [Christophe Jaillet]

[close]

http://httpd.apache.org/

[SiLæncer]

Whats new:>>

Mainline version has been released, featuring the mirror module.

http://nginx.org/

[SiLæncer]

Whats new:>>

Feature: the $ssl_client_escaped_cert variable.
Bugfix: the "ssl_session_ticket_key" directive and the "include" parameter of the "geo" directive did not work on Windows.
Bugfix: incorrect response length was returned on 32-bit platforms when requesting more than 4 gigabytes with multiple ranges.
Bugfix: the "expires modified" directive and processing of the "If-Range" request header line did not use the response last modification time if proxying without caching was used.

http://nginx.org/

[SiLæncer]

Changelog

Changes with Apache 2.4.28

  *) SECURITY: CVE-2017-9798 (cve.mitre.org)
     Corrupted or freed memory access. <Limit[Except]> must now be used in the
     main configuration file (httpd.conf) to register HTTP methods before the
     .htaccess files.  [Yann Ylavic]

  *) event: Avoid possible blocking in the listener thread when shutting down
     connections. PR 60956.  [Yann Ylavic]

  *) mod_speling: Don't embed referer data in a link in error page.
     PR 38923 [Nick Kew]

  *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
     length in a password file.
     [Luca Toscano, Hanno Böck <hanno hboeck de>]

  *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
     [Jim Jagielski]

  *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
     PR 61142.

  *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
     down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
     's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]

  *) mod_http2: Fix for stalling when more than 32KB are written to a
     suspended stream.  [Stefan Eissing]

  *) build: allow configuration without APR sources.  [Jacob Champion]

  *) mod_ssl, ab: Fix compatibility with LibreSSL.  PR 61184.
     [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
      Yann Ylavic]

  *) core/log: Support use of optional "tag" in syslog entries.
     PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]

  *) mod_proxy: Fix ProxyAddHeaders merging.  [Joe Orton]
 
  *) core: Disallow multiple Listen on the same IP:port when listener buckets
     are configured (ListenCoresBucketsRatio > 0), consistently with the single
     bucket case (default), thus avoiding the leak of the corresponding socket
     descriptors on graceful restart.  [Yann Ylavic]

  *) event: Avoid listener periodic wake ups by using the pollset wake-ability
     when available.  PR 57399.  [Yann Ylavic, Luca Toscano]

  *) mod_proxy_wstunnel: Fix detection of unresponded request which could have
     led to spurious HTTP 502 error messages sent on upgrade connections.
     PR 61283.  [Yann Ylavic]

[close]

http://httpd.apache.org/

[SiLæncer]

Changelog

Bugfix: client SSL connections were immediately closed if deferred accept and the "proxy_protocol" parameter of the "listen" directive were used.
Bugfix: client connections might be dropped during configuration testing when using the "reuseport" parameter of the "listen" directive on Linux.
Bugfix: incorrect response length was returned on 32-bit platforms when requesting more than 4 gigabytes with multiple ranges.
Bugfix: switching to the next upstream server in the stream module did not work when using the "ssl_preread" directive.
Bugfix: when using HTTP/2 client request body might be corrupted.
Bugfix: in handling of client addresses when using unix domain sockets.

[close]

http://nginx.org/

[SiLæncer]

Whats new:>>

new modules: mod_openssl, mod_vhostdb, mod_wstunnel
new protocols: Upgrade: websocket, HAProxy PROXY, RFC7239 Forwarded
bug fixes

http://www.lighttpd.net/

[SiLæncer]

Whats new:>>

bug fixes: fix two regressions in 1.4.46

http://www.lighttpd.net/

[SiLæncer]

Changelog

mod_unique_id: Use output of the PRNG rather than IP address and pid, avoiding sleep() call and possible DNS issues at startup, plus improving randomness for IPv6-only hosts.
mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST is used in a condition that evaluates to true. PR 58231
mod_http2: v0.10.12, removed optimization for mutex handling in bucket beams that could lead to assertion failure in edge cases.
mod_proxy: Fix regression for non decimal loadfactor parameter introduced in 2.4.28.
mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set. PR 61546.
mod_rewrite: Add support for starting External Rewriting Programs as non-root user on UNIX systems by specifying username and group name as third argument of RewriteMap directive.
core: Rewrite the Content-Length filter to avoid excessive memory consumption. Chunked responses will be generated in more cases than in previous releases. PR 61222.
mod_ssl: Fix SessionTicket callback return value, which does seem to matter with OpenSSL 1.1.

[close]

http://httpd.apache.org/

[SiLæncer]

An easy to configure RADIUS server that can be used in various applications that require network or Internet authorization and authentication.

Freeware

Changelog

FEATURE IMPROVEMENTS:

Provide HOSTNAME in default systemd files.
Incorporate RedHat specific files.
Update dictionary.starent, dictionary.ruckus.
Allow builds without TCP or DHCP.

BUG FIXES:

Fix multiple issues. See this web page for details: http://freeradius.org/security/fuzzer-2017.html.
Pass correct statement length into sqlite3_prepare[_v2].
Bind the lifetime of program name and python path to the module.
Check input / output length in make_secret() FR-GV-201.
Fix read overflow when decoding DHCP option 63 FR-GV-206.
Fix write overflow in data2vp_wimax() FR-GV-301.
Fix infinite loop and memory exhaustion with 'concat' attributes FR-GV-302.
Fix infinite read in dhcp_attr2vp() FR-GV-303.
Fix buffer over-read in fr_dhcp_decode_suboptions() FR-GV-304.
Decode 'signed' attributes correctly FR-GV-305.
use strncmp() instead of memcmp() for bounded data FR-AD-001.
Bind the lifetime of program name and python path to the module FR-AD-002.
Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003.
print messages when we see deprecated configuration items.
show reasons why we couldn't parse a certificate expiry time.
be more accepting about truncated ASN1 times.
Fix OpenSSL API issue which could leak small amounts of memory. Issue reported by Guido Vranken.
For Access-Reject, call rad_authlog() after running the post-auth section, just like for Access-Accept.
don't crash when reading corrupted data from session resumption cache. Fixes #1999.
Parse port in dhcpclient. Fixes #2000.
Don't leak memory for OpenSSL Patch from Guido Vranken.
Portability fixes taken from OpenBSD port collection.
run rad_authlog after post-auth for Access-Reject.
Don't process VMPS packets twice.
Fix attribute truncation in rlm_perl.
Fix bug when processing huntgroups.

[close]

http://freeradius.org/

[SiLæncer]

Whats new:>>

mod_authn_sasl (new), meson build system (new), revamp build systems
bug fixes

http://www.lighttpd.net/

[SiLæncer]

AMPPS installiert eine Webserver-Laufzeitumgebung mit einer riesigen Auswahl an Web-Anwendungen. AMPPS ist ein lokales Server-Paket inklusive Apache-Webserver, MySQL-Datenbank, PHP, Perl – und mehr als 250 Web-Anwendungen. Damit lassen sich zum Beispiel erste Schritte in einem neuen Content Management System (CMS) unternehmen oder Designs ausprobieren. Für den Produktivbetrieb eignet sich AMPPS nicht – der Rechner, auf dem es läuft, sollte tunlichst nicht von außen zugänglich sein. Nach der Installation startet man den Apache-Server und die MySQL-Datenbank über ein kleines Applet.

Lizenz: Open Source

Changelog

New Features:

Added Apps section, user can now add, remove and update Apps like Apache, MySQL, PHP directly from Softaculous Enduser Panel.
Added option to close AMPPS directly i.e. without any prompt for confirmation. This option can be enabled from AMPPS Panel –> Options –> Settings–> Do not prompt for message while closing Ampps.
User can now open Configuration files in default editor instead of notepad. This option can be enabled from AMPPS Panel –> Options –> Settings –> Open Configuration file in default editor.
Apache will restart automatically after adding Domain.
All new versions of Apache, MySQL, PHP, MongoDB are added.
Ioncube Loader added for PHP 7.1.
Fixed minor bugs in AMPPS.

[close]

http://www.ampps.com/

[SiLæncer]

Open DHCP Server is an Open Source multi-subnet DHCP Server that supports dynamic, static leases, relay agents, BOOTP, PXEBOOT as well as global, range and client specific options.

Features:

Support all Industry Standard Features
Dynamic and Static Leases
Options can be Client Specific, Range Specific or Global
Multi-subnet supports Relay Agents and PXE Boot
Lease Status in auto refreshing HTML page
Supports Duplicated Replicated Operation
Very simple to install and use, even by person not having DHCP concepts
Very low memory and CPU use

License: Open Source

https://sourceforge.net/projects/dhcpserver/

[SiLæncer]

Changelog

Bugfix: in the $upstream_status variable.
Bugfix: a segmentation fault might occur in a worker process if a backend returned a "101 Switching Protocols" response to a subrequest.
Bugfix: a segmentation fault occurred in a master process if a shared memory zone size was changed during a reconfiguration and the reconfiguration failed.
Bugfix: in the ngx_http_fastcgi_module.
Bugfix: nginx returned the 500 error if parameters without variables were specified in the "xslt_stylesheet" directive.
Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using a zlib library variant from Intel.
Bugfix: the "worker_shutdown_timeout" directive did not work when using mail proxy and when proxying WebSocket connections.

[close]

http://nginx.org/

[SiLæncer]

Abyss Web Server is a full-featured web server with a small footprint. It supports HTTP/1.1, dynamic content generation through CGI/1.1 scripts, ISAPI extensions, Server Side Includes (SSI), custom error pages, password protection, IP address control, anti-leeching, and bandwidth throttling. It also features also automatic anti-hacking as well as a multilingual remote web management interface that makes its configuration as easy as browsing a web site.

License: Freeware

Changelog

The new version is a maintenance release with the following changes:

    Updated the SSL/TLS engine;

    Added minimal support for modern macOS versions (Sierra and High Sierra).
    Fixed a bug with wildcard domain names when used in conjunction with SNI.
    Fixed FastCGI preloading by adding the URI mapping step when creating the initial internal request. Reduced the number of internal HEAD requests to only occur when a new FastCGI process is launched.
    Fixed a bug with reverse proxing when custom headers are included in the parameters.
    Enforced timeout respect on SSL/TLS connections during all their lifetime and all their states.
    Fixed a heap corruption bug when stopping the server while the console is under heavy load. While considered dangerous in theory, this issue does not affect the security of the server and cannot be exploited since it occurs when the server process is being shutdown. It was reported to Aprelium by hyp3rlinx.

[close]

http://www.aprelium.com/abyssws/