---
- branch: MAIN
  date: Mon Jan 21 14:37:22 UTC 2008
  files:
  - new: '1.121'
    old: '1.120'
    path: pkgsrc/www/apache2/Makefile
    pathrev: pkgsrc/www/apache2/Makefile@1.121
    type: modified
  - new: '1.52'
    old: '1.51'
    path: pkgsrc/www/apache2/distinfo
    pathrev: pkgsrc/www/apache2/distinfo@1.52
    type: modified
  id: 20080121T143722Z.3ff91a47dccff498f75358042fa1db14ef61f3db
  log: |
    Update apache package to 2.0.63.

    Changes with Apache 2.0.63

      *) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
         to /Device/Nul as the server is starting up, mirroring unix MPM's.
         PR: 43534  [Tom Donovan <Tom.Donovan acm.org>, William Rowe]

      *) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
         by recreating the bucket allocator each time the trans pool is cleared.
         PR: 11427 #16 (follow-on)  [Tom Donovan <Tom.Donovan acm.org>]

    Changes with Apache 2.0.62 (not released)

      *) SECURITY: CVE-2007-6388 (cve.mitre.org)
         mod_status: Ensure refresh parameter is numeric to prevent
         a possible XSS attack caused by redirecting to other URLs.
         Reported by SecurityReason.  [Mark Cox, Joe Orton]

      *) SECURITY: CVE-2007-5000 (cve.mitre.org)
         mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
         [Joe Orton]

      *) Introduce the ProxyFtpDirCharset directive, allowing the administrator
         to identify a default, or specific servers or paths which list their
         contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]

      *) log.c: Ensure Win32 resurrects its lost robust logger processes.
         [William Rowe]

      *) mpm_winnt: Eliminate wait_for_many_objects.  Allows the clean
         shutdown of the server when the MaxClients is higher then 257,
         in a more responsive manner [Mladen Turk, William Rowe]

      *) Add explicit charset to the output of various modules to work around
         possible cross-site scripting flaws affecting web browsers that do not
         derive the response character set as required by  RFC2616.  One of these
         reported by SecurityReason [Joe Orton]

      *) http_protocol: Escape request method in 405 error reporting.
         This has no security impact since the browser cannot be tricked
         into sending arbitrary method strings.  [Jeff Trawick]

      *) http_protocol: Escape request method in 413 error reporting.
         Determined to be not generally exploitable, but a flaw in any case.
         PR 44014 [Victor Stinner <victor.stinner inl.fr>]
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/www/apache2'
  unixtime: '1200926242'
  user: taca