The NetBSD Project

CVS log for pkgsrc/devel/apr0/distinfo

Default branch: MAIN


Revision 1.5, Mon Nov 1 18:03:03 2010 UTC (18 months, 3 weeks ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2012Q1-base, pkgsrc-2012Q1, pkgsrc-2011Q4-base, pkgsrc-2011Q4, pkgsrc-2011Q3-base, pkgsrc-2011Q3, pkgsrc-2011Q2-base, pkgsrc-2011Q2, pkgsrc-2011Q1-base, pkgsrc-2011Q1, pkgsrc-2010Q4-base, pkgsrc-2010Q4, HEAD
Changes since 1.4: +6 -8 lines

Changes 2.0.64:
* SECURITY: CVE-2010-1452 (cve.mitre.org)
  mod_dav: Fix Handling of requests without a path segment.
* SECURITY: CVE-2009-1891 (cve.mitre.org)
  Fix a potential Denial-of-Service attack against mod_deflate or other
  modules, by forcing the server to consume CPU time in compressing a
  large file after a client disconnects.
* SECURITY: CVE-2009-3095 (cve.mitre.org)
  mod_proxy_ftp: sanity check authn credentials.
* SECURITY: CVE-2009-3094 (cve.mitre.org)
  mod_proxy_ftp: NULL pointer dereference on error paths.
* SECURITY: CVE-2009-3555 (cve.mitre.org)
  mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
  attack when compiled against OpenSSL version 0.9.8m or later. Introduces
  the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
  and offer unsafe legacy renegotiation with clients which do not yet
  support the new secure renegotiation protocol, RFC 5746.
* SECURITY: CVE-2009-3555 (cve.mitre.org)
  mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
  for OpenSSL versions prior to 0.9.8l; reject any client-initiated
  renegotiations. Forcibly disable keepalive for the connection if there
  is any buffered data readable. Any configuration which requires
  renegotiation for per-directory/location access control is still
  vulnerable, unless using openssl 0.9.8l or later.
* SECURITY: CVE-2010-0434 (cve.mitre.org)
  Ensure each subrequest has a shallow copy of headers_in so that the
  parent request headers are not corrupted.  Eliminates a problematic
  optimization in the case of no request body.
* SECURITY: CVE-2008-2364 (cve.mitre.org)
  mod_proxy_http: Better handling of excessive interim responses
  from origin server to prevent potential denial of service and high
  memory usage.
* SECURITY: CVE-2010-0425 (cve.mitre.org)
  mod_isapi: Do not unload an isapi .dll module until the request
  processing is completed, avoiding orphaned callback pointers.
* SECURITY: CVE-2008-2939 (cve.mitre.org)
  mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
  the FTP URL. Discovered by Marc Bevand of Rapid7.
* Fix recursive ErrorDocument handling.
* mod_ssl: Do not do overlapping memcpy.
* Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass
  through on a 304 response.
* apxs: Fix -A and -a options to ignore whitespace in httpd.conf

Revision 1.3.16.1, Fri Aug 14 10:18:19 2009 UTC (2 years, 9 months ago) by tron
Branch: pkgsrc-2009Q2
Changes since 1.3: +3 -1 lines

Pullup ticket #2865 - requested by taca
apr0: security patch

Revisions pulled up:
- devel/apr0/Makefile				1.6
- devel/apr0/distinfo				1.4
- devel/apr0/patches/patch-ab			1.1
- devel/apr0/patches/patch-ac			1.1
---
Module Name:	pkgsrc
Committed By:	taca
Date:		Wed Aug 12 03:37:28 UTC 2009

Modified Files:
	pkgsrc/devel/apr0: Makefile distinfo
Added Files:
	pkgsrc/devel/apr0/patches: patch-ab patch-ac

Log Message:
Fix security problem of CVE-2009-2412 adding patches described in it.

Bump PKGREVISION.

Revision 1.4, Wed Aug 12 03:37:28 2009 UTC (2 years, 9 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2010Q3-base, pkgsrc-2010Q3, pkgsrc-2010Q2-base, pkgsrc-2010Q2, pkgsrc-2010Q1-base, pkgsrc-2010Q1, pkgsrc-2009Q4-base, pkgsrc-2009Q4, pkgsrc-2009Q3-base, pkgsrc-2009Q3
Changes since 1.3: +3 -1 lines

Fix security problem of CVE-2009-2412 adding patches described in it.

Bump PKGREVISION.

Revision 1.2.4.1, Tue Jan 29 13:54:20 2008 UTC (4 years, 3 months ago) by ghen
Branch: pkgsrc-2007Q4
Changes since 1.2: +4 -4 lines

Pullup ticket 2278 - requested by taca
security update for apache2

- pkgsrc/devel/arp0/distinfo				1.3
- pkgsrc/www/apache2/Makefile.common			1.23, 1.24
- pkgsrc/www/apache2/distinfo				1.52

   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Mon Jan 21 14:30:01 UTC 2008

   Modified Files:
	   pkgsrc/www/apache2: Makefile.common

   Log Message:
   Start update of apr0 package to 0.9.17 and apache2 package to 2.0.63.
---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Mon Jan 21 14:33:46 UTC 2008

   Modified Files:
	   pkgsrc/devel/apr0: distinfo

   Log Message:
   Update apr0 package to 0.9.17.2.0.63.

   Changes with APR 0.9.17

     *) Fix DSO-related crash on z/OS caused by incorrect memory
        allocation.  [David Jones <oscaremma gmail.com>]

     *) Define apr_ino_t in such a way that it doesn't change definition
        based on the library consumer's -D'efines to the filesystem.
        [Lucian Adrian Grijincu <lucian.grijincu gmail.com>]

     *) Cause apr_file_dup2() on Win32 to update the MSVCRT pseudo-stdio
        handles for fd-based and FILE * based I/O.  [William Rowe]

     *) Revert Win32 to the 0.9.14 behavior of apr_proc_create() for any
        of the three stdio streams which are not initialized, through either
        apr_procattr_io_set() or apr_procattr_child_XXX_set(), when given a
        procattr_t with one or two streams which were initialized through
        apr_procattr_child_XXX_set().  Once again, these do not inherit the
        parent process stdio stream to WIN32 child processes (passing
        INVALID_HANDLE_VALUE instead) as on Unix.  Note APR 1.3.0 adopts
        the Unix behavior of inheriting any uninitialized streams as the
        parent's corresponding stdio stream, in such cases.  [William Rowe]
---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Mon Jan 21 14:37:22 UTC 2008

   Modified Files:
	   pkgsrc/www/apache2: Makefile distinfo

   Log Message:
   Update apache package to 2.0.63.

   Changes with Apache 2.0.63

     *) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
        to /Device/Nul as the server is starting up, mirroring unix MPM's.
        PR: 43534  [Tom Donovan <Tom.Donovan acm.org>, William Rowe]

     *) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
        by recreating the bucket allocator each time the trans pool is cleared.
        PR: 11427 #16 (follow-on)  [Tom Donovan <Tom.Donovan acm.org>]

   Changes with Apache 2.0.62 (not released)

     *) SECURITY: CVE-2007-6388 (cve.mitre.org)
        mod_status: Ensure refresh parameter is numeric to prevent
        a possible XSS attack caused by redirecting to other URLs.
        Reported by SecurityReason.  [Mark Cox, Joe Orton]

     *) SECURITY: CVE-2007-5000 (cve.mitre.org)
        mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
        [Joe Orton]

     *) Introduce the ProxyFtpDirCharset directive, allowing the administrator
        to identify a default, or specific servers or paths which list their
        contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]

     *) log.c: Ensure Win32 resurrects its lost robust logger processes.
        [William Rowe]

     *) mpm_winnt: Eliminate wait_for_many_objects.  Allows the clean
        shutdown of the server when the MaxClients is higher than 257,
        in a more responsive manner [Mladen Turk, William Rowe]

     *) Add explicit charset to the output of various modules to work around
        possible cross-site scripting flaws affecting web browsers that do not
        derive the response character set as required by  RFC2616.  One of these
        reported by SecurityReason [Joe Orton]

     *) http_protocol: Escape request method in 405 error reporting.
        This has no security impact since the browser cannot be tricked
        into sending arbitrary method strings.  [Jeff Trawick]

     *) http_protocol: Escape request method in 413 error reporting.
        Determined to be not generally exploitable, but a flaw in any case.
        PR 44014 [Victor Stinner <victor.stinner inl.fr>]
---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Mon Jan 21 14:38:29 UTC 2008

   Modified Files:
	   pkgsrc/www/apache2: Makefile.common

   Log Message:
   Add comment that this file is used by devel/apr0/Makefile detected
   by pkglint.

Revision 1.3, Mon Jan 21 14:33:46 2008 UTC (4 years, 4 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2009Q2-base, pkgsrc-2009Q1-base, pkgsrc-2009Q1, pkgsrc-2008Q4-base, pkgsrc-2008Q4, pkgsrc-2008Q3-base, pkgsrc-2008Q3, pkgsrc-2008Q2-base, pkgsrc-2008Q2, pkgsrc-2008Q1-base, pkgsrc-2008Q1, cwrapper, cube-native-xorg-base, cube-native-xorg
Branch point for: pkgsrc-2009Q2
Changes since 1.2: +4 -4 lines

Update apr0 package to 0.9.17.2.0.63.


Changes with APR 0.9.17

  *) Fix DSO-related crash on z/OS caused by incorrect memory
     allocation.  [David Jones <oscaremma gmail.com>]

  *) Define apr_ino_t in such a way that it doesn't change definition
     based on the library consumer's -D'efines to the filesystem.
     [Lucian Adrian Grijincu <lucian.grijincu gmail.com>]

  *) Cause apr_file_dup2() on Win32 to update the MSVCRT pseudo-stdio
     handles for fd-based and FILE * based I/O.  [William Rowe]

  *) Revert Win32 to the 0.9.14 behavior of apr_proc_create() for any
     of the three stdio streams which are not initialized, through either
     apr_procattr_io_set() or apr_procattr_child_XXX_set(), when given a
     procattr_t with one or two streams which were initialized through
     apr_procattr_child_XXX_set().  Once again, these do not inherit the
     parent process stdio stream to WIN32 child processes (passing
     INVALID_HANDLE_VALUE instead) as on Unix.  Note APR 1.3.0 adopts
     the Unix behavior of inheriting any uninitialized streams as the
     parent's corresponding stdio stream, in such cases.  [William Rowe]

Revision 1.1.1.1.4.1, Sat Sep 8 09:54:45 2007 UTC (4 years, 8 months ago) by ghen
Branch: pkgsrc-2007Q2
Changes since 1.1.1.1: +4 -4 lines

Pullup ticket 2184 - requested by tron
security update for apache2

- pkgsrc/devel/apr0/Makefile				1.3
- pkgsrc/devel/apr0/distinfo				1.2
- pkgsrc/www/apache2/Makefile				1.118
- pkgsrc/www/apache2/Makefile.commom			1.22
- pkgsrc/www/apache2/PLIST				1.35
- pkgsrc/www/apache2/distinfo				1.51
- pkgsrc/www/apache2/patches/patch-ap			removed
- pkgsrc/www/apache2/patches/patch-aq			removed

   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Fri Sep  7 23:11:41 UTC 2007

   Modified Files:
	   pkgsrc/devel/apr0: Makefile distinfo
	   pkgsrc/www/apache2: Makefile Makefile.common PLIST distinfo

   Log Message:
   Update "apr" package to version 0.9.16.2.0.61 and "apache2" package
   to version 2.0.61.

   This update is a bug and security fix release. The following security
   problem hasn't been fixed in "pkgsrc" before:
   - CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when
     parsing date-related headers.
---
   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Fri Sep  7 23:28:23 UTC 2007

   Removed Files:
	   pkgsrc/www/apache2/patches: patch-ap patch-aq

   Log Message:
   Remove obsolete patch files.

Revision 1.2, Fri Sep 7 23:11:41 2007 UTC (4 years, 8 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2007Q4-base, pkgsrc-2007Q3-base, pkgsrc-2007Q3
Branch point for: pkgsrc-2007Q4
Changes since 1.1: +4 -4 lines

Update "apr" package to version 0.9.16.2.0.61 and "apache2" package
to version 2.0.61.

This update is a bug and security fix release. The following security
problem hasn't been fixed in "pkgsrc" before:
- CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when
  parsing date-related headers.

Revision 1.1.1.1 (vendor branch), Wed Jan 24 19:31:24 2007 UTC (5 years, 3 months ago) by epg
Branch: TNF
CVS Tags: pkgsrc-base, pkgsrc-2007Q2-base, pkgsrc-2007Q1-base, pkgsrc-2007Q1
Branch point for: pkgsrc-2007Q2
Changes since 1.1: +0 -0 lines

Import renamed devel/apr (0.9.x) so that can upgrade to 1.2.x.

Revision 1.1, Wed Jan 24 19:31:24 2007 UTC (5 years, 3 months ago) by epg
Branch: MAIN

Initial revision
