From owner-cvs-ports@FreeBSD.ORG  Wed Feb  1 18:56:09 2012
Return-Path: <owner-cvs-ports@FreeBSD.ORG>
Delivered-To: cvs-ports@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 457C6106566B;
	Wed,  1 Feb 2012 18:56:09 +0000 (UTC) (envelope-from jgh@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org
	[IPv6:2001:4f8:fff6::29])
	by mx1.freebsd.org (Postfix) with ESMTP id 19B0D8FC0C;
	Wed,  1 Feb 2012 18:56:09 +0000 (UTC)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.14.4/8.14.4) with ESMTP id q11Iu8YT085817;
	Wed, 1 Feb 2012 18:56:08 GMT (envelope-from jgh@repoman.freebsd.org)
Received: (from jgh@localhost)
	by repoman.freebsd.org (8.14.4/8.14.4/Submit) id q11Iu8cN085816;
	Wed, 1 Feb 2012 18:56:08 GMT (envelope-from jgh)
Message-Id: <201202011856.q11Iu8cN085816@repoman.freebsd.org>
From: Jason Helfman <jgh@FreeBSD.org>
Date: Wed, 1 Feb 2012 18:56:08 +0000 (UTC)
To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Cc: 
Subject: cvs commit: ports/www/apache22 Makefile Makefile.doc distinfo
 ports/www/apache22/files patch-Makefile.in
 patch-docs__conf__extra__httpd-ssl.conf.in
X-BeenThere: cvs-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the ports tree <cvs-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-ports>,
	<mailto:cvs-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-ports>
List-Post: <mailto:cvs-ports@freebsd.org>
List-Help: <mailto:cvs-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-ports>,
	<mailto:cvs-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Feb 2012 18:56:09 -0000

jgh         2012-02-01 18:56:08 UTC

  FreeBSD ports repository

  Modified files:
    www/apache22         Makefile Makefile.doc distinfo 
    www/apache22/files   patch-Makefile.in 
                         patch-docs__conf__extra__httpd-ssl.conf.in 
  Log:
  - Update to 2.2.22
  
  Addresses:
  * SECURITY: CVE-2011-3607 (cve.mitre.org)
  Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP
  Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif
  module is enabled, allows local users to gain privileges via a .htaccess file
  with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request
  header, leading to a heap-based buffer overflow.
  
  * SECURITY: CVE-2012-0021 (cve.mitre.org)
  The log_cookie function in mod_log_config.c in the mod_log_config module in the
  Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not
  properly handle a %{}C format string, which allows remote attackers to cause a
  denial of service (daemon crash) via a cookie that lacks both a name and a
  value.
  
  * SECURITY: CVE-2012-0031 (cve.mitre.org)
  scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local
  users to cause a denial of service (daemon crash during shutdown) or possibly
  have unspecified other impact by modifying a certain type field within a
  scoreboard shared memory segment, leading to an invalid call to the free
  function.
  
  * SECURITY: CVE-2011-4317 (cve.mitre.org)
  The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
  through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in
  place, does not properly interact with use of (1) RewriteRule and (2)
  ProxyPassMatch pattern matches for configuration of a reverse proxy, which
  allows remote attackers to send requests to intranet servers via a malformed URI
  containing an @ (at sign) character and a : (colon) character in invalid
  positions. NOTE: this vulnerability exists because of an incomplete fix for
  CVE-2011-3368.
  
  * SECURITY: CVE-2012-0053 (cve.mitre.org)
  protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly
  restrict header information during construction of Bad Request (aka 400) error
  documents, which allows remote attackers to obtain the values of HTTPOnly
  cookies via vectors involving a (1) long or (2) malformed header in conjunction
  with crafted web script.
  
  * SECURITY: CVE-2011-3368 (cve.mitre.org)
  The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
  through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of
  (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a
  reverse proxy, which allows remote attackers to send requests to intranet
  servers via a malformed URI containing an initial @ (at sign) character.
  
  PR: ports/164675
  Reviewed by: pgollucci
  Approved by: pgollucci, crees, rene (mentors, implicit)
  With Hat: apache@
  
  Revision  Changes    Path
  1.295     +1 -1      ports/www/apache22/Makefile
  1.16      +3 -3      ports/www/apache22/Makefile.doc
  1.87      +2 -2      ports/www/apache22/distinfo
  1.26      +2 -2      ports/www/apache22/files/patch-Makefile.in
  1.4       +4 -40     ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in