non port: www/apache20/files/patch-configure.in |
Number of commits found: 4 |
Thursday, 21 Oct 2010
|
05:55 pgollucci
- Update to 2.0.64
- normalize patch-pcre.diff into makepatch format
- All 4 CVE patches are included upstream and part of 2.0.64
- part of the local apxs.in changes are upstream now too
- some patches were regenerated for offset updates
** There is NO security update here. **
Changes: http://www.apache.org/dist/httpd/CHANGES_2.0
With Hat: apache@
<ChangeLog>
*) SECURITY: CVE-2010-1452 (cve.mitre.org)
mod_dav: Fix Handling of requests without a path segment.
PR: 49246 [Mark Drayton, Jeff Trawick]
*) SECURITY: CVE-2009-1891 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects. PR 39605.
[Joe Orton, Ruediger Pluem]
*) SECURITY: CVE-2009-3095 (cve.mitre.org)
mod_proxy_ftp: sanity check authn credentials.
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
*) SECURITY: CVE-2009-3094 (cve.mitre.org)
mod_proxy_ftp: NULL pointer dereference on error paths.
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
attack when compiled against OpenSSL version 0.9.8m or later. Introduces
the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
and offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol, RFC 5746.
[Joe Orton, and with thanks to the OpenSSL Team]
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
for OpenSSL versions prior to 0.9.8l; reject any client-initiated
renegotiations. Forcibly disable keepalive for the connection if there
is any buffered data readable. Any configuration which requires
renegotiation for per-directory/location access control is still
vulnerable, unless using openssl 0.9.8l or later.
[Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>,
Rainer Jung]
*) SECURITY: CVE-2010-0434 (cve.mitre.org)
Ensure each subrequest has a shallow copy of headers_in so that the
parent request headers are not corrupted. Elimiates a problematic
optimization in the case of no request body. PR 48359
[Jake Scott, William Rowe, Ruediger Pluem]
*) SECURITY: CVE-2008-2364 (cve.mitre.org)
mod_proxy_http: Better handling of excessive interim responses
from origin server to prevent potential denial of service and high
memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
Joe Orton, Jim Jagielski]
*) SECURITY: CVE-2010-0425 (cve.mitre.org)
mod_isapi: Do not unload an isapi .dll module until the request
processing is completed, avoiding orphaned callback pointers.
[Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
*) SECURITY: CVE-2008-2939 (cve.mitre.org)
mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
*) Fix recursive ErrorDocument handling. PR 36090 [Chris Darroch]
*) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton]
*) Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass
through on a 304 response. [Nick Kew]
*) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
[Philip M. Gollucci]
</ChangeLog>
|
Tuesday, 18 May 2010
|
04:49 pgollucci
- Force devel/apr0. Bundled srclib/apr is never used now.
With Hat: apache@
|
Friday, 7 May 2010
|
01:29 pgollucci
- Force devel/pcre and abandon the bundled pcre:
0) its like 7yrs old
0) the new version have speed,bug,&security fixes
0) www/apache22 already does this
0) www/apache23+ no longer bundle pcre [or apr* for that matter]
- Bump PORTREVISION
With Hat: apache@
|
Thursday, 6 May 2010
|
23:10 pgollucci
- Regenerate patch files with make makepatch for they have
piled up and additional patches conflict.
This also will help when we try to syncronize www/apache20&www/apache22
With Hat: apache@
|
Number of commits found: 4 |