|Commit found by message id
Sat, 2 Mar 2013
[ 19:31:50 ohauer ] |
www Version 2.2.x of Apache web server with prefork MPM.
www Version 2.2.x of Apache web server with itk MPM.
- update to version 2.2.24
- move mpm itk patches to itk-mpm/files dir
- add sshd to REQUIRE line in the rc script to prevent boot
issues in case a SSL cert is password protected 
Changes with Apache 2.2.24
SECURITY: CVE-2012-3499 (cve.mitre.org) Various XSS flaws due to
unescaped hostnames and URIs HTML output in mod_info, mod_status,
mod_imagemap, mod_ldap, and mod_proxy_ftp. [Jim Jagielski, Stefan
Fritsch, Niels Heinen <heinenn google com>]
SECURITY: CVE-2012-4558 (cve.mitre.org)
XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
Niels Heinen <heinenn google com>]
mod_rewrite: Stop merging RewriteBase down to subdirectories
unless new option 'RewriteOptions MergeBase' is configured.
Merging RewriteBase was unconditionally turned on in 2.2.23.
PR 53963. [Eric Covener]
mod_ssl: Send the error message for speaking http to an https port using
HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
using SNI. PR 50823. [Stefan Fritsch]
mod_ssl: log revoked certificates at level INFO
instead of DEBUG. PR 52162. [Stefan Fritsch]
mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
mod_dir: Add support for the value 'disabled' in FallbackResource.
mod_ldap: Fix regression in handling "server unavailable" errors on
Windows. PR 54140. [Eric Covener]
mod_ssl: fix a regression with the string rendering of the "UID" RDN
introduced in 2.2.15. PR 54510. [Kaspar Brand]
ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
to more accurately report the negotiated protocol. PR 53916.
[NicolÃ¡s Pernas Maradei <nico emutex com>, Kaspar Brand]
mod_cache: Explicitly allow cache implementations to cache a 206 Partial
Response if they so choose to do so. Previously an attempt to cache a 206
was arbitrarily allowed if the response contained an Expires or
Cache-Control header, and arbitrarily denied if both headers were missing
Currently the disk and memory cache providers do not cache 206 Partial
Responses. [Graham Leggett]
core: Remove unintentional APR 1.3 dependency introduced with
Apache 2.2.22. [Eric Covener]
core: Use a TLS 1.0 close_notify alert for internal dummy connection if
the chosen listener is configured for https. [Joe Orton]
mod_ssl: Add new directive SSLCompression to disable TLS-level
compression. PR 53219.
 requested by Andrew Filonov
with head apache@
Number of ports [& non-ports] in this commit: 2
show all files
12 vulnerabilities affecting 23 ports have been reported in the past 14 days
* - modified, not new