notbugAs an Amazon Associate I earn from qualifying purchases.
Want a good read? Try FreeBSD Mastery: Jails (IT Mastery Book 15)
Want a good monitor light? See my photosAll times are UTC
Ukraine
This referral link gives you 10% off a Fastmail.com account and gives me a discount on my Fastmail account.
New feature planned: get notified when the package is available. Now is the time to contribute ideas/suggestions.
non port: www/apache22/files/patch-CVE-2014-0231__mod_cgid.c

Number of commits found: 2

Wednesday, 3 Sep 2014
20:20 ohauer search for other commits by this committer
- update to 2.2.29
- use PTHREAD_LIBS/CFLAGS instead -pthread

Changes with Apache 2.2.29
http://www.apache.org/dist/httpd/CHANGES_2.2.29

  *) Corrected docs/manual pages for new MergeTrailers directive and other
     out of date documentation. [William Rowe]

Changes with Apache 2.2.28

  *) SECURITY: CVE-2014-0118 (cve.mitre.org) [1]
     mod_deflate: The DEFLATE input filter (inflates request bodies) now
     limits the length and compression ratio of inflated request bodies to avoid
     denial of service via highly compressed bodies.  See directives
     DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
     and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]

  *) SECURITY: CVE-2014-0231 (cve.mitre.org) [1]
     mod_cgid: Fix a denial of service against CGI scripts that do
     not consume stdin that could lead to lingering HTTPD child processes
     filling up the scoreboard and eventually hanging the server.  By
     default, the client I/O timeout (Timeout directive) now applies to
     communication with scripts.  The CGIDScriptTimeout directive can be
     used to set a different timeout for communication with scripts.
     [Rainer Jung, Eric Covener, Yann Ylavic]

  *) SECURITY: CVE-2014-0226 (cve.mitre.org) [1]
     Fix a race condition in scoreboard handling, which could lead to
     a heap buffer overflow.  [Joe Orton, Eric Covener, Jeff Trawick]

  *) SECURITY: CVE-2013-5704 (cve.mitre.org) [2]
     core: HTTP trailers could be used to replace HTTP headers
     late during request processing, potentially undoing or
     otherwise confusing modules that examined or modified
     request headers earlier.  Adds "MergeTrailers" directive to restore
     legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]

  *) core: Detect incomplete request and response bodies, log an error and
     forward it to the underlying filters. PR 55475.  [Yann Ylavic]

  *) mod_deflate: Handle Zlib header and validation bytes received in multiple
     chunks. PR 46146. [Yann Ylavic]

  *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
     differs. PR 55782.  [Yann Ylavic]

  *) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
     [Lukas Bezdicka <social v3.sk>]

  *) mod_dav: Fix improper encoding in PROPFIND responses.  PR 56480.
     [Ben Reser]

  *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
     resumed by TLS session resumption (RFC 5077). [Rainer Jung]

  *) mod_proxy_ajp: Forward local IP address as a custom request attribute
     like we already do for the remote port. [Rainer Jung]

  *) mod_deflate: Don't fail when flushing inflated data to the user-agent
     and that coincides with the end of stream ("Zlib error flushing inflate
     buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]

  *) mod_cache, mod_disk_cache: With CacheLock enabled, responses with a Vary
     header might not get the benefit of the thundering herd protection due to
     an incorrect internal cache key.  PR 50317.
     [Ruediger Pluem, Jan Kaluza, Yann Ylavic]

  *) mod_rewrite: Support session cookies with the CO= flag when later
     parameters are used.  The doc for this implied the feature had been
     backported for quite some time.  PR56014 [Eric Covener]

  *) mod_cache: Don't remove stale cache entries that cannot be conditionally
     revalidated. This prevents the thundering herd protection from serving
     stale responses during a revalidation. PR 50317.
     [Eric Covener, Jan Kaluza,  Ruediger Pluem]

  *) core: Increase TCP_DEFER_ACCEPT socket option to from 1 to 30 seconds.
     PR 41270. [Dean Gaudet <dean arctic org>]

[1] CVE issues already fixed since FreeBSD-ports r362845
[2] new CVE-2013-5704 issue fixed in 2.2.29

MFH:		2014Q3
Security:	f927e06c-1109-11e4-b090-20cf30e32f6d
Security:	CVE-2013-5704
Original commitRevision:367227 
Thursday, 24 Jul 2014
20:22 ohauer search for other commits by this committer
- backport upstream security fixes
- fix build with SSL from ports [1]

SECURITY: CVE-2014-0118 (cve.mitre.org)

mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to
avoid denial of sevice via highly compressed bodies.  See directives
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and
DeflateInflateRatioBurst.

http://svn.apache.org/viewvc?view=revision&revision=1611426

SECURITY: CVE-2014-0226 (cve.mitre.org)
(Only the first 15 lines of the commit message are shown above View all of this commit message)
Original commitRevision:362845 

Number of commits found: 2