From owner-cvs-all@FreeBSD.ORG Thu Oct 21 05:55:25 2010 Return-Path: Delivered-To: cvs-all@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 35698106566C; Thu, 21 Oct 2010 05:55:25 +0000 (UTC) (envelope-from pgollucci@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 1FDA08FC12; Thu, 21 Oct 2010 05:55:25 +0000 (UTC) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.4/8.14.4) with ESMTP id o9L5tPnh008889; Thu, 21 Oct 2010 05:55:25 GMT (envelope-from pgollucci@repoman.freebsd.org) Received: (from pgollucci@localhost) by repoman.freebsd.org (8.14.4/8.14.4/Submit) id o9L5tPa8008888; Thu, 21 Oct 2010 05:55:25 GMT (envelope-from pgollucci) Message-Id: <201010210555.o9L5tPa8008888@repoman.freebsd.org> From: "Philip M. Gollucci" Date: Thu, 21 Oct 2010 05:55:25 +0000 (UTC) To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org X-FreeBSD-CVS-Branch: HEAD Cc: Subject: cvs commit: ports/www/apache20 Makefile distinfo ports/www/apache20/files patch-CVE-2008-2364 patch-CVE-2008-2939 patch-CVE-2009-3555 patch-CVE-2010-0434 patch-configure.in patch-docs__conf__httpd-std.conf.in patch-include__ap_regex.h patch-include__http_core.h ... X-BeenThere: cvs-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: **OBSOLETE** CVS commit messages for the entire tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Oct 2010 05:55:25 -0000 pgollucci 2010-10-21 05:55:25 UTC FreeBSD ports repository Modified files: www/apache20 Makefile distinfo www/apache20/files patch-configure.in patch-docs__conf__httpd-std.conf.in patch-support__apxs.in Added files: www/apache20/files patch-include__ap_regex.h patch-include__http_core.h patch-include__httpd.h patch-modules__filters__mod_include.c patch-modules__filters__mod_include.h patch-modules__mappers__mod_alias.c patch-modules__mappers__mod_rewrite.c patch-modules__mappers__mod_rewrite.h patch-modules__metadata__mod_headers.c patch-modules__metadata__mod_setenvif.c patch-modules__metadata__mod_usertrack.c patch-modules__metadata__mod_version.c patch-modules__proxy__mod_proxy.c patch-modules__proxy__mod_proxy.h patch-modules__proxy__proxy_ftp.c patch-modules__ssl__ssl_expr_eval.c patch-modules__ssl__ssl_expr_parse.c patch-modules__ssl__ssl_expr_parse.y patch-server__Makefile.in patch-server__core.c patch-server__request.c patch-server__util.c patch-server__util_pcre.c Removed files: www/apache20/files patch-CVE-2008-2364 patch-CVE-2008-2939 patch-CVE-2009-3555 patch-CVE-2010-0434 patch-pcre.diff Log: - Update to 2.0.64 - normalize patch-pcre.diff into makepatch format - All 4 CVE patches are included upstream and part of 2.0.64 - part of the local apxs.in changes are upstream now too - some patches were regenerated for offset updates ** There is NO security update here. ** Changes: http://www.apache.org/dist/httpd/CHANGES_2.0 With Hat: apache@ *) SECURITY: CVE-2010-1452 (cve.mitre.org) mod_dav: Fix Handling of requests without a path segment. PR: 49246 [Mark Drayton, Jeff Trawick] *) SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. PR 39605. [Joe Orton, Ruediger Pluem] *) SECURITY: CVE-2009-3095 (cve.mitre.org) mod_proxy_ftp: sanity check authn credentials. [Stefan Fritsch , Joe Orton] *) SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths. [Stefan Fritsch , Joe Orton] *) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol, RFC 5746. [Joe Orton, and with thanks to the OpenSSL Team] *) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: A partial fix for the TLS renegotiation prefix injection attack for OpenSSL versions prior to 0.9.8l; reject any client-initiated renegotiations. Forcibly disable keepalive for the connection if there is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using openssl 0.9.8l or later. [Joe Orton, Ruediger Pluem, Hartmut Keil , Rainer Jung] *) SECURITY: CVE-2010-0434 (cve.mitre.org) Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Elimiates a problematic optimization in the case of no request body. PR 48359 [Jake Scott, William Rowe, Ruediger Pluem] *) SECURITY: CVE-2008-2364 (cve.mitre.org) mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem, Joe Orton, Jim Jagielski] *) SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. [Brett Gervasoni , Jeff Trawick] *) SECURITY: CVE-2008-2939 (cve.mitre.org) mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem] *) Fix recursive ErrorDocument handling. PR 36090 [Chris Darroch] *) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton] *) Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass through on a 304 response. [Nick Kew] *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf [Philip M. Gollucci] Revision Changes Path 1.296 +1 -2 ports/www/apache20/Makefile 1.74 +3 -3 ports/www/apache20/distinfo 1.2 +0 -62 ports/www/apache20/files/patch-CVE-2008-2364 (dead) 1.2 +0 -11 ports/www/apache20/files/patch-CVE-2008-2939 (dead) 1.3 +0 -81 ports/www/apache20/files/patch-CVE-2009-3555 (dead) 1.2 +0 -11 ports/www/apache20/files/patch-CVE-2010-0434 (dead) 1.6 +4 -4 ports/www/apache20/files/patch-configure.in 1.2 +3 -3 ports/www/apache20/files/patch-docs__conf__httpd-std.conf.in 1.1 +148 -0 ports/www/apache20/files/patch-include__ap_regex.h (new) 1.1 +11 -0 ports/www/apache20/files/patch-include__http_core.h (new) 1.1 +65 -0 ports/www/apache20/files/patch-include__httpd.h (new) 1.1 +17 -0 ports/www/apache20/files/patch-modules__filters__mod_include.c (new) 1.1 +11 -0 ports/www/apache20/files/patch-modules__filters__mod_include.h (new) 1.1 +47 -0 ports/www/apache20/files/patch-modules__mappers__mod_alias.c (new) 1.1 +66 -0 ports/www/apache20/files/patch-modules__mappers__mod_rewrite.c (new) 1.1 +28 -0 ports/www/apache20/files/patch-modules__mappers__mod_rewrite.h (new) 1.1 +27 -0 ports/www/apache20/files/patch-modules__metadata__mod_headers.c (new) 1.1 +63 -0 ports/www/apache20/files/patch-modules__metadata__mod_setenvif.c (new) 1.1 +29 -0 ports/www/apache20/files/patch-modules__metadata__mod_usertrack.c (new) 1.1 +16 -0 ports/www/apache20/files/patch-modules__metadata__mod_version.c (new) 1.1 +47 -0 ports/www/apache20/files/patch-modules__proxy__mod_proxy.c (new) 1.1 +30 -0 ports/www/apache20/files/patch-modules__proxy__mod_proxy.h (new) 1.1 +17 -0 ports/www/apache20/files/patch-modules__proxy__proxy_ftp.c (new) 1.1 +31 -0 ports/www/apache20/files/patch-modules__ssl__ssl_expr_eval.c (new) 1.1 +26 -0 ports/www/apache20/files/patch-modules__ssl__ssl_expr_parse.c (new) 1.1 +25 -0 ports/www/apache20/files/patch-modules__ssl__ssl_expr_parse.y (new) 1.3 +0 -1314 ports/www/apache20/files/patch-pcre.diff (dead) 1.1 +11 -0 ports/www/apache20/files/patch-server__Makefile.in (new) 1.1 +88 -0 ports/www/apache20/files/patch-server__core.c (new) 1.1 +11 -0 ports/www/apache20/files/patch-server__request.c (new) 1.1 +88 -0 ports/www/apache20/files/patch-server__util.c (new) 1.1 +228 -0 ports/www/apache20/files/patch-server__util_pcre.c (new) 1.5 +5 -17 ports/www/apache20/files/patch-support__apxs.in