---
- branch: MAIN
  date: Wed Jul 12 07:00:40 UTC 2017
  files:
  - new: '1.113'
    old: '1.112'
    path: pkgsrc/www/apache22/Makefile
    pathrev: pkgsrc/www/apache22/Makefile@1.113
    type: modified
  - new: '1.67'
    old: '1.66'
    path: pkgsrc/www/apache22/distinfo
    pathrev: pkgsrc/www/apache22/distinfo@1.67
    type: modified
  id: 20170712T070040Z.b50d89126f758dd37582e40736d00a09f28a8472
  log: |
    Changes with Apache 2.2.34

      *) Allow single-char field names inadvertantly disallowed in 2.2.32.

    Changes with Apache 2.2.33 (not released)

      *) SECURITY: CVE-2017-7668 (cve.mitre.org)
         The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
         bug in token list parsing, which allows ap_find_token() to search past
         the end of its input string. By maliciously crafting a sequence of
         request headers, an attacker may be able to cause a segmentation fault,
         or to force ap_find_token() to return an incorrect value.

      *) SECURITY: CVE-2017-3169 (cve.mitre.org)
         mod_ssl may dereference a NULL pointer when third-party modules call
         ap_hook_process_connection() during an HTTP request to an HTTPS port.

      *) SECURITY: CVE-2017-3167 (cve.mitre.org)
         Use of the ap_get_basic_auth_pw() by third-party modules outside of the
         authentication phase may lead to authentication requirements being
         bypassed.

      *) SECURITY: CVE-2017-7679 (cve.mitre.org)
         mod_mime can read one byte past the end of a buffer when sending a
         malicious Content-Type response header.

      *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/www/apache22'
  unixtime: '1499842840'
  user: adam