From: "Philip M. Gollucci"
Date: Fri, 7 May 2010 01:46:06 +0000 (UTC)
To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: ports/www/apache22 Makefile
Message-Id: <201005070146.o471k63J014020@repoman.freebsd.org>
X-FreeBSD-CVS-Branch: HEAD

pgollucci    2010-05-07 01:46:06 UTC

  FreeBSD ports repository

  Modified files:
    www/apache22         Makefile
  Log:
  - Forced commit to note the following CVEs were fixed in 2.2.15
    [from CHANGES file]

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     for OpenSSL versions prior to 0.9.8l; reject any client-initiated
     renegotiations. Forcibly disable keepalive for the connection if there
     is any buffered data readable. Any configuration which requires
     renegotiation for per-directory/location access control is still
     vulnerable, unless using openssl 0.9.8l or later.
     [Joe Orton, Ruediger Pluem, Hartmut Keil]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case
     of HTTP_INTERNAL_SERVER_ERROR.
     [Niku Toivola]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni, Jeff Trawick]

  *) SECURITY: CVE-2010-0434 (cve.mitre.org)
     Ensure each subrequest has a shallow copy of headers_in so that the
     parent request headers are not corrupted. Eliminates a problematic
     optimization in the case of no request body. PR 48359.
     [Jake Scott, William Rowe, Ruediger Pluem]

  Revision  Changes    Path
  1.259     +0 -0      ports/www/apache22/Makefile