Pullup ticket 141 - requested by David Brownlee

security fix for apache

        Module Name:	pkgsrc
        Committed By:	tron
        Date:		Mon Oct 25 08:44:16 UTC 2004

        Modified Files:
        	pkgsrc/www/apache: Makefile PLIST distinfo
        Removed Files:
        	pkgsrc/www/apache/patches: patch-ap

        Log Message:
        Update "apache" package to version 1.3.32. Changes since version 1.3.31:
        - mod_rewrite: Fix query string handling for proxied URLs. PR 14518.
          [michael teitler <michael.teitler cetelem.fr>,
           Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]
        - mod_rewrite: Fix 0 bytes write into random memory position.
          PR 31036. [André Malo]
        - mod_digest: Fix nonce string calculation since 1.3.31 which
          would force re-authentication for every connection if
          AuthDigestRealmSeed was not configured.  PR 30920.  [Joe Orton]
        - Trigger an error when a LoadModule directive attempts to
          load a module which is built-in.  This is a common error when
          switching from a DSO build to a static build.
          [Jeff Trawick, Geoffrey Young]
        - Fix trivial bug in mod_log_forensic that caused the child
          to seg fault when certain invalid requests were fired at it with
          forensic logging is enabled.  PR 29313.
          [Will Slater <Will Slater orbisuk.com>]
        - Fix memory leak in the cache handling of mod_rewrite. PR 27862.
          [chunyan sheng <shengperson yahoo.com>, André Malo]
        - mod_rewrite no longer confuses the RewriteMap caches if
          different maps defined in different virtual hosts use the
          same map name. PR 26462.  [André Malo]
        - mod_setenvif: Remove "support" for Remote_User variable which
          never worked at all. PR 25725.  [André Malo]
        - mod_usertrack: Escape the cookie name before pasting into the
          regexp.  [André Malo]
        - Win32: Improve error reporting after a failed attempt to spawn a
          piped log process or rewrite map process.  [Jeff Trawick]
        - SECURITY: CAN-2004-0492 (cve.mitre.org)
          Reject responses from a remote server if sent an invalid (negative)
          Content-Length.  [Mark Cox]
        - Fix a bunch of cases where the return code of the regex compiler
          was not checked properly. This affects mod_usertrack and
          core. PR 28218.  [André Malo]
        - No longer breaks mod_dav, frontpage and others.  Repair a patch
          in 1.3.31 which prevented discarding the request body for requests
          that will be keptalive but are not currently keptalive. PR 29237.
          [Jim Jagielski, Rasmus Lerdorf]
        - COMPATIBILITY: Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT.
          It controls how UseCanonicalName Off determines the port value if
          the client doesn't provide one in the Host header. If defined during
          compilation, UseCanonicalName Off will use the physical port number to
          generate the canonical name. If not defined, it tries the current Port
          value followed by the default port for the current scheme.
          [Jim Jagielski]
---
        Module Name:	pkgsrc
        Committed By:	abs
        Date:		Fri Oct 29 13:48:31 UTC 2004

        Modified Files:
        	pkgsrc/www/apache: Makefile distinfo
        	pkgsrc/www/apache/patches: patch-aa patch-ab patch-ac patch-ad
                    patch-ae patch-af patch-ag patch-ah patch-ai patch-aj
                    patch-ak patch-am patch-ao
        Removed Files:
        	pkgsrc/www/apache/patches: patch-al

        Log Message:
        Update apache to 1.3.33

        The main security vulnerabilities addressed in 1.3.33 are:

            * CAN-2004-0940 (cve.mitre.org)
              Fix potential buffer overflow with escaped characters in SSI
              tag string.
            * CAN-2004-0492 (cve.mitre.org)
              Reject responses from a remote server if sent an invalid
              (negative) Content-Length.

        New features

            * Win32: Improve error reporting after a failed attempt to
              spawn a piped log process or rewrite map process.
            * Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT. It
              controls how UseCanonicalName Off determines the port value if
              the client doesn't provide one in the Host header. If defined
              during compilation, UseCanonicalName Off will use the physical
              port number to generate the canonical name. If not defined, it
              tries the current Port value followed by the default port for
              the current scheme.

        The following bugs were found in Apache 1.3.31 (or earlier) and
        have been fixed in Apache 1.3.33:

            * mod_rewrite: Fix query string handling for proxied URLs.
              PR 14518.
            * mod_rewrite: Fix 0 bytes write into random memory position.
              PR 31036.
            * mod_digest: Fix nonce string calculation since 1.3.31 which
              would force re-authentication for every connection if
              AuthDigestRealmSeed was not configured. PR 30920.
            * Fix trivial bug in mod_log_forensic that caused the child to
              seg fault when certain invalid requests were fired at it with
              forensic logging is enabled. PR 29313.
            * No longer breaks mod_dav, frontpage and others. Repair a
              patch in 1.3.31 which prevented discarding the request body
              for requests that will be keptalive but are not currently
              keptalive. PR 29237.
---
        Module Name:	pkgsrc
        Committed By:	salo
        Date:		Mon Nov 15 19:13:41 UTC 2004

        Modified Files:
        	pkgsrc/www/apache/patches: patch-ai

        Log Message:
        Revert rev 1.9, do not expand @INSTALL@, it's done in post-patch.
        (hi abs!)
---
        Module Name:	pkgsrc
        Committed By:	tron
        Date:		Tue Nov 16 08:23:45 UTC 2004

        Modified Files:
        	pkgsrc/www/apache: distinfo

        Log Message:
        Regen after "patch-ai" was changed. (hi salo!)

1 files changed, 4 insertions, 5 deletions

diff --git a/www/apache/Makefile b/www/apache/Makefile
index ae3a06b98b3..f74b73c57ab 100644
--- a/www/apache/Makefile
+++ b/www/apache/Makefile
@@ -1,11 +1,10 @@
-# $NetBSD: Makefile,v 1.150.2.1 2004/09/30 13:58:22 agc Exp $
+# $NetBSD: Makefile,v 1.150.2.2 2004/12/01 00:25:56 salo Exp $
 #
 # This pkg does not compile in mod_ssl, only the `mod_ssl EAPI' (a set of
 # code hooks that allow mod_ssl to be compiled separately later, if desired).
 
-DISTNAME=		apache_1.3.31
+DISTNAME=		apache_1.3.33
 PKGNAME=		${DISTNAME:S/_/-/}
-PKGREVISION=		5
 CATEGORIES=		www
 MASTER_SITES=		${MASTER_SITE_APACHE:=httpd/} \
 			${MASTER_SITE_APACHE:=httpd/old/}
@@ -18,8 +17,8 @@ COMMENT=		Apache HTTP (Web) server
 NETBSD_LOGO=		sitedrivenby.gif
 SITES_${NETBSD_LOGO}=	http://www.NetBSD.org/images/logos/
 
-MODSSL_VERSION=		2.8.19
-MODSSL_DISTNAME=	mod_ssl-${MODSSL_VERSION}-1.3.31
+MODSSL_VERSION=		2.8.21
+MODSSL_DISTNAME=	mod_ssl-${MODSSL_VERSION}-1.3.32
 MODSSL_DIST=		${MODSSL_DISTNAME}.tar.gz
 MODSSL_SRC=		${WRKDIR}/${MODSSL_DISTNAME}
 SITES_${MODSSL_DIST}=	http://www.modssl.org/source/ \