---
- branch: pkgsrc-2021Q3
  date: Fri Oct  8 13:37:27 UTC 2021
  files:
  - new: 1.101.2.2
    old: 1.101.2.1
    path: pkgsrc/www/apache24/Makefile
    pathrev: pkgsrc/www/apache24/Makefile@1.101.2.2
    type: modified
  - new: 1.46.2.2
    old: 1.46.2.1
    path: pkgsrc/www/apache24/distinfo
    pathrev: pkgsrc/www/apache24/distinfo@1.46.2.2
    type: modified
  id: 20211008T133727Z.78cf8173cdb079e70e36e40895cbb1174ee74941
  log: "Pullup ticket #6506 - requested by taca\napache24: security fix\n\nRevisions
    pulled up:\n- www/apache24/Makefile                                         1.105\n-
    www/apache24/distinfo                                         1.49\n\n---\n   Module
    Name:\tpkgsrc\n   Committed By:\tadam\n   Date:\t\tThu Oct  7 19:05:25 UTC 2021\n\n
    \  Modified Files:\n   \tpkgsrc/www/apache24: Makefile distinfo\n\n   Log Message:\n
    \  apache24: updated to 2.4.51\n\n   Changes with Apache 2.4.51\n\n   *) SECURITY:
    CVE-2021-42013: Path Traversal and Remote Code\n      Execution in Apache HTTP
    Server 2.4.49 and 2.4.50 (incomplete\n      fix of CVE-2021-41773) (cve.mitre.org)\n
    \     It was found that the fix for CVE-2021-41773 in Apache HTTP\n      Server
    2.4.50 was insufficient.  An attacker could use a path\n      traversal attack
    to map URLs to files outside the directories\n      configured by Alias-like directives.\n
    \     If files outside of these directories are not protected by the\n      usual
    default configuration \"require all denied\", these requests\n      can succeed.
    If CGI scripts are also enabled for these aliased\n      pathes, this could allow
    for remote code execution.\n      This issue only affects Apache 2.4.49 and Apache
    2.4.50 and not\n      earlier versions.\n\n   *) core: Add ap_unescape_url_ex()
    for better decoding control, and deprecate\n      unused AP_NORMALIZE_DROP_PARAMETERS
    flag.\n"
  module: pkgsrc
  subject: 'CVS commit: [pkgsrc-2021Q3] pkgsrc/www/apache24'
  unixtime: '1633700247'
  user: bsiegert