---
- branch: pkgsrc-2007Q4
  date: Tue Jan 29 13:54:21 UTC 2008
  files:
  - new: 1.2.4.1
    old: '1.2'
    path: pkgsrc/devel/apr0/distinfo
    pathrev: pkgsrc/devel/apr0/distinfo@1.2.4.1
    type: modified
  - new: 1.22.4.1
    old: '1.22'
    path: pkgsrc/www/apache2/Makefile.common
    pathrev: pkgsrc/www/apache2/Makefile.common@1.22.4.1
    type: modified
  - new: 1.51.4.1
    old: '1.51'
    path: pkgsrc/www/apache2/distinfo
    pathrev: pkgsrc/www/apache2/distinfo@1.51.4.1
    type: modified
  id: 20080129T135421Z.d73a0871f61fcb9b4833f2118619d9d1e80ecc9c
  log: |
    Pullup ticket 2278 - requested by taca
    security update for apache2

    - pkgsrc/devel/arp0/distinfo                1.3
    - pkgsrc/www/apache2/Makefile.common        1.23, 1.24
    - pkgsrc/www/apache2/distinfo               1.52

       Module Name:    pkgsrc
       Committed By:   taca
       Date:           Mon Jan 21 14:30:01 UTC 2008

       Modified Files:
               pkgsrc/www/apache2: Makefile.common

       Log Message:
       Start update of apr0 package to 0.9.17 and apache2 package to 2.0.63.
    ---
       Module Name:    pkgsrc
       Committed By:   taca
       Date:           Mon Jan 21 14:33:46 UTC 2008

       Modified Files:
               pkgsrc/devel/apr0: distinfo

       Log Message:
       Update apr0 package to 0.9.17.2.0.63.

       Changes with APR 0.9.17

         *) Fix DSO-related crash on z/OS caused by incorrect memory
            allocation.  [David Jones ]

         *) Define apr_ino_t in such a way that it doesn't change definition
            based on the library consumer's -D'efines to the filesystem.
            [Lucian Adrian Grijincu ]

         *) Cause apr_file_dup2() on Win32 to update the MSVCRT pseudo-stdio
            handles for fd-based and FILE * based I/O. [William Rowe]

         *) Revert Win32 to the 0.9.14 behavior of apr_proc_create() for any
            of the three stdio streams which are not initialized, through either
            apr_procattr_io_set() or apr_procattr_child_XXX_set(), when given a
            procattr_t with one or two streams which were initialized through
            apr_procattr_child_XXX_set(). Once again, these do not inherit the
            parent process stdio stream to WIN32 child processes (passing
            INVALID_HANDLE_VALUE instead) as on Unix. Note APR 1.3.0 adopts
            the Unix behavior of inheriting any uninitialized streams as the
            parent's corresponding stdio stream, in such cases. [William Rowe]
    ---
       Module Name:    pkgsrc
       Committed By:   taca
       Date:           Mon Jan 21 14:37:22 UTC 2008

       Modified Files:
               pkgsrc/www/apache2: Makefile distinfo

       Log Message:
       Update apache package to 2.0.63.

       Changes with Apache 2.0.63

         *) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
            to /Device/Nul as the server is starting up, mirroring unix MPM's.
            PR: 43534 [Tom Donovan , William Rowe]

         *) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
            by recreating the bucket allocator each time the trans pool is cleared.
            PR: 11427 #16 (follow-on) [Tom Donovan ]

       Changes with Apache 2.0.62 (not released)

         *) SECURITY: CVE-2007-6388 (cve.mitre.org)
            mod_status: Ensure refresh parameter is numeric to prevent
            a possible XSS attack caused by redirecting to other URLs.
            Reported by SecurityReason. [Mark Cox, Joe Orton]

         *) SECURITY: CVE-2007-5000 (cve.mitre.org)
            mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
            [Joe Orton]

         *) Introduce the ProxyFtpDirCharset directive, allowing the administrator
            to identify a default, or specific servers or paths which list their
            contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]

         *) log.c: Ensure Win32 resurrects its lost robust logger processes.
            [William Rowe]

         *) mpm_winnt: Eliminate wait_for_many_objects. Allows the clean
            shutdown of the server when the MaxClients is higher than 257,
            in a more responsive manner [Mladen Turk, William Rowe]

         *) Add explicit charset to the output of various modules to work around
            possible cross-site scripting flaws affecting web browsers that do not
            derive the response character set as required by RFC2616.  One of these
            reported by SecurityReason [Joe Orton]

         *) http_protocol: Escape request method in 405 error reporting.
            This has no security impact since the browser cannot be tricked
            into sending arbitrary method strings.  [Jeff Trawick]

         *) http_protocol: Escape request method in 413 error reporting.
            Determined to be not generally exploitable, but a flaw in any case.
            PR 44014 [Victor Stinner ]
    ---
       Module Name:    pkgsrc
       Committed By:   taca
       Date:           Mon Jan 21 14:38:29 UTC 2008

       Modified Files:
               pkgsrc/www/apache2: Makefile.common

       Log Message:
       Add comment that this file is used by devel/apr0/Makefile detected
       by pkglint.
  module: pkgsrc
  subject: 'CVS commit: [pkgsrc-2007Q4] pkgsrc'
  unixtime: '1201614861'
  user: ghen