Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66]) by www.NetBSD.org (Postfix) with ESMTP id 43D1663DF20 for ; Wed, 1 Feb 2012 19:53:27 +0000 (UTC) Received: by mail.netbsd.org (Postfix, from userid 605) id 1318814A212; Wed, 1 Feb 2012 19:53:27 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 160D614A1DB for ; Wed, 1 Feb 2012 19:53:23 +0000 (UTC) X-Virus-Scanned: amavisd-new at NetBSD.org Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id OeffzBeeb34H for ; Wed, 1 Feb 2012 19:53:22 +0000 (UTC) Received: from cvs.netbsd.org (cvs.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe30:95bd]) by mail.netbsd.org (Postfix) with ESMTP id 0D72114A18F for ; Wed, 1 Feb 2012 19:53:22 +0000 (UTC) Received: by cvs.netbsd.org (Postfix, from userid 500) id EFDF6175DD; Wed, 1 Feb 2012 19:53:21 +0000 (UTC) MIME-Version: 1.0 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Date: Wed, 1 Feb 2012 19:53:21 +0000 From: "Matthias Scheler" Subject: CVS commit: pkgsrc/www/apache22 To: pkgsrc-changes@NetBSD.org Reply-To: tron@netbsd.org X-Mailer: log_accum Message-Id: <20120201195321.EFDF6175DD@cvs.netbsd.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk Module Name: pkgsrc Committed By: tron Date: Wed Feb 1 19:53:21 UTC 2012 Modified Files: pkgsrc/www/apache22: Makefile PLIST distinfo pkgsrc/www/apache22/patches: patch-af Removed Files: pkgsrc/www/apache22/patches: patch-CVE-2012-0021 patch-modules_mappers_mod_rewrite.c patch-modules_proxy_mod_proxy.c patch-server_protocol.c patch-server_scoreboard.c patch-server_util.c Log Message: Update "apache" package to version 2.2.22. Changes since 2.2.21: - SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations. [Joe Orton] - SECURITY: CVE-2011-3607 (cve.mitre.org) Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file. [Stefan Fritsch, Greg Ames] - SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations. [Joe Orton] - SECURITY: CVE-2012-0021 (cve.mitre.org) mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format string is in use and a client sends a nameless, valueless cookie, causing a denial of service. The issue existed since version 2.2.17. Bug#52256. [Rainer Canavan ] - SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process could cause the parent to crash at shutdown rather than terminate cleanly. [Joe Orton] - SECURITY: CVE-2012-0053 (cve.mitre.org) Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400. [Eric Covener] - mod_proxy_ajp: Try to prevent a single long request from marking a worker in error. [Jean-Frederic Clere] - config: Update the default mod_ssl configuration: Disable SSLv2, only allow >= 128bit ciphers, add commented example for speed optimized cipher list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand] - core: Fix segfault in ap_send_interim_response(). Bug#52315. [Stefan Fritsch] - mod_log_config: Prevent segfault. Bug#50861. [Torsten Foertsch ] - mod_win32: Invert logic for env var UTF-8 fixing. Now we exclude a list of vars which we know for sure they dont hold UTF-8 chars; all other vars will be fixed. This has the benefit that now also all vars from 3rd-party modules will be fixed. Bug#13029 / 34985. [Guenter Knauf] - core: Fix hook sorting for Perl modules, a regression introduced in 2.2.21. Bug#45076. [Torsten Foertsch ] - Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20: A range of '0-' will now return 206 instead of 200. Bug#51878. [Jim Jagielski] - Example configuration: Fix entry for MaxRanges (use "unlimited" instead of "0"). [Rainer Jung] - mod_substitute: Fix buffer overrun. [Ruediger Pluem, Rainer Jung] Please note that all the security fixes had been integrated into "pkgsrc" as patches previously. To generate a diff of this commit: cvs rdiff -u -r1.78 -r1.79 pkgsrc/www/apache22/Makefile cvs rdiff -u -r1.19 -r1.20 pkgsrc/www/apache22/PLIST cvs rdiff -u -r1.49 -r1.50 pkgsrc/www/apache22/distinfo cvs rdiff -u -r1.1 -r0 pkgsrc/www/apache22/patches/patch-CVE-2012-0021 \ pkgsrc/www/apache22/patches/patch-modules_mappers_mod_rewrite.c \ pkgsrc/www/apache22/patches/patch-modules_proxy_mod_proxy.c \ pkgsrc/www/apache22/patches/patch-server_scoreboard.c cvs rdiff -u -r1.5 -r1.6 pkgsrc/www/apache22/patches/patch-af cvs rdiff -u -r1.4 -r0 pkgsrc/www/apache22/patches/patch-server_protocol.c cvs rdiff -u -r1.2 -r0 pkgsrc/www/apache22/patches/patch-server_util.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.