author | obache <obache@pkgsrc.org> | 2013-08-04 02:45:42 +0000 |
---|---|---|
committer | obache <obache@pkgsrc.org> | 2013-08-04 02:45:42 +0000 |
commit | 7df99060e5ea22b5a60fe2b815c94f3a9ec19d42 (patch) | |
tree | 91f4601ce59cbd0dbb87f42ef5ee38f8becfbf6f /www/apache2 | |
parent | 5f48c2fb13a5c2b294d494eeed2c30adde4f148c (diff) | |
Update apache2 to 2.0.65.

Changes with Apache 2.0.65

*) SECURITY: CVE-2013-1862 (cve.mitre.org)
   mod_rewrite: Ensure that client data written to the RewriteLog is
   escaped to prevent terminal escape sequences from entering the
   log file. [Eric Covener, Jeff Trawick, Joe Orton]

*) SECURITY: CVE-2012-0053 (cve.mitre.org)
   Fix an issue in error responses that could expose "httpOnly" cookies
   when no custom ErrorDocument is specified for status code 400.
   [Eric Covener]

*) SECURITY: CVE-2012-0031 (cve.mitre.org)
   Fix scoreboard issue which could allow an unprivileged child process
   to cause the parent to crash at shutdown rather than terminate
   cleanly. [Joe Orton]

*) SECURITY: CVE-2011-3368 (cve.mitre.org)
   Reject requests where the request-URI does not match the HTTP
   specification, preventing unexpected expansion of target URLs in
   some reverse proxy configurations. [Joe Orton]

*) SECURITY: CVE-2011-3192 (cve.mitre.org)
   core: Fix handling of byte-range requests to use less memory, to avoid
   denial of service. If the sum of all ranges in a request is larger than
   the original file, ignore the ranges and send the complete file.
   bug#51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem,
   Eric Covener, <lowprio20 gmail.com>]

*) SECURITY: CVE-2011-3607 (cve.mitre.org)
   Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
   is enabled, could allow local users to gain privileges via a .htaccess
   file. [Stefan Fritsch, Greg Ames]
   NOTE: it remains possible to exhaust all memory using a carefully
   crafted .htaccess rule, which will not be addressed in 2.0; enabling
   processing of .htaccess files authored by untrusted users is the root
   of such security risks. Upgrade to httpd 2.2.25 or later to limit
   this specific risk.

*) core: Add MaxRanges directive to control the number of ranges permitted
   before returning the entire resource, with a default limit of 200.
   [Eric Covener, Rainer Jung]

*) Set 'Accept-Ranges: none' in the case Ranges are being ignored with
   MaxRanges none. [Eric Covener, Rainer Jung]

*) mod_rewrite: Allow merging RewriteBase down to subdirectories
   if new option 'RewriteOptions MergeBase' is configured.
   [Eric Covener]

*) mod_rewrite: Fix the RewriteEngine directive to work within a
   location. Previously, once RewriteEngine was switched on globally,
   it was impossible to switch off. [Graham Leggett]

*) mod_rewrite: Add "AllowAnyURI" option. bug#52774. [Joe Orton]

*) htdigest: Fix buffer overflow when reading digest password file
   with very long lines. bug#54893. [Rainer Jung]

*) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
   OpenSSL 0.9.7 flag which uses the server's cipher order rather
   than the client's. bug#28665.
   [Jim Schneider <jschneid netilla.com>]

*) mod_include: Prevent a case of SSI timefmt-smashing with filter chains
   including multiple INCLUDES filters. bug#39369 [Joe Orton]

*) mod_rewrite: When evaluating a proxy rule in directory context, do
   escape the filename by default. bug#46428 [Joe Orton]

*) Improve platform detection for bundled PCRE by updating config.guess
   and config.sub. [Rainer Jung]

*) ssl-std.conf: Disable AECDH ciphers in example config. bug#51363.
   [Rob Stradling <rob comodo com>]

*) ssl-std.conf: Change the SSLCipherSuite default to a shorter,
   whitelist oriented definition. [Rainer Jung, Kaspar Brand]

*) ssl-std.conf: Only select old MSIE browsers for the downgrade
   in http/https behavior. [Greg Stein, Stefan Fritsch]

Diffstat (limited to 'www/apache2')
-rw-r--r-- | www/apache2/Makefile | 8 |
-rw-r--r-- | www/apache2/Makefile.common | 6 |
-rw-r--r-- | www/apache2/distinfo | 11 |
3 files changed, 9 insertions, 16 deletions
diff --git a/www/apache2/Makefile b/www/apache2/Makefile index 23a9c21564a..6438666f116 100644 --- a/www/apache2/Makefile +++ b/www/apache2/Makefile @@ -1,20 +1,16 @@ -# $NetBSD: Makefile,v 1.142 2013/07/12 10:45:04 jperkin Exp $ +# $NetBSD: Makefile,v 1.143 2013/08/04 02:45:42 obache Exp $ .include "Makefile.common" PKGNAME= apache-${APACHE_VERSION} -PKGREVISION= 6 CATEGORIES= www HOMEPAGE= http://httpd.apache.org/ COMMENT= Apache HTTP (Web) server, version 2 +LICENSE= apache-2.0 CONFLICTS= apache-*ssl-[0-9]* apache6-[0-9]* -CVE_2011_3192= CVE-2011-3192-${APACHE_VERSION}-byterange-fixes.patch -PATCHFILES+= ${CVE_2011_3192} -SITES.${CVE_2011_3192}= ${MASTER_SITE_APACHE:=httpd/patches/apply_to_${APACHE_VERSION}/} - BUILD_DEFS+= IPV6_READY BUILD_DEFS+= VARBASE diff --git a/www/apache2/Makefile.common b/www/apache2/Makefile.common index 28f47151d3c..e05bb7b96cd 100644 --- a/www/apache2/Makefile.common +++ b/www/apache2/Makefile.common @@ -1,4 +1,4 @@ -# $NetBSD: Makefile.common,v 1.28 2011/09/21 11:06:09 obache Exp $ +# $NetBSD: Makefile.common,v 1.29 2013/08/04 02:45:42 obache Exp $ # used by devel/apr0/Makefile @@ -6,8 +6,8 @@ DISTNAME= httpd-${APACHE_VERSION} EXTRACT_SUFX= .tar.bz2 # When updating this version be sure to update the checksum and remove # any PKGREVISION for devel/apr also. -APACHE_VERSION= 2.0.64 -APR_VERSION= 0.9.19 +APACHE_VERSION= 2.0.65 +APR_VERSION= 0.9.20 MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \ ${MASTER_SITE_APACHE:=httpd/old/} MAINTAINER= pkgsrc-users@NetBSD.org diff --git a/www/apache2/distinfo b/www/apache2/distinfo index 03c0d73c08b..3bea3f37cff 100644 --- a/www/apache2/distinfo +++ b/www/apache2/distinfo 
@@ -1,11 +1,8 @@ -$NetBSD: distinfo,v 1.58 2011/12/18 09:13:11 obache Exp $ +$NetBSD: distinfo,v 1.59 2013/08/04 02:45:42 obache Exp $ -SHA1 (CVE-2011-3192-2.0.64-byterange-fixes.patch) = ffc6c0bb3089efca2705767eb20804ddab2dfb1a -RMD160 (CVE-2011-3192-2.0.64-byterange-fixes.patch) = dbe5f78ccff12222d99805d7ea045b968e6ef72f -Size (CVE-2011-3192-2.0.64-byterange-fixes.patch) = 19920 bytes -SHA1 (httpd-2.0.64.tar.bz2) = eeabe0fb428d9f11ce00559ff163740c6ceabf1c -RMD160 (httpd-2.0.64.tar.bz2) = 6a4bfe4dfc4119a70cabbec2e0865dc2f12e8ec4 -Size (httpd-2.0.64.tar.bz2) = 4954766 bytes +SHA1 (httpd-2.0.65.tar.bz2) = 0183866df73c7877ba9275a075a2ece7a67f6c95 +RMD160 (httpd-2.0.65.tar.bz2) = 1f0142a843486a53ba184ceb9214dc78f071e17e +Size (httpd-2.0.65.tar.bz2) = 4999802 bytes SHA1 (patch-aa) = bff1ef591f5361e7169ff9005dcf86437b9dac23 SHA1 (patch-ab) = 32c47bd5087269f530b7d52d6a1a719a50ae7260 SHA1 (patch-ac) = 7854294ae9c7fdcf7d6c9f5f2bee526952e583e3 |
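
Review bot: In www/apache2/Makefile, the added LICENSE= apache-2.0 line is unrelated to the version bump and the commit message ("Update apache2 to 2.0.65.") does not mention it; note it in the log or commit it separately. Dropping PKGREVISION and the CVE_2011_3192 PATCHFILES/SITES lines is consistent with the quoted changelog, which lists the CVE-2011-3192 byte-range fix as part of 2.0.65, but please confirm the release covers everything the separately fetched patch did before removing it.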
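
Review bot: In www/apache2/Makefile.common, APR_VERSION moves from 0.9.19 to 0.9.20 while the commit message only mentions apache2, and the file's own comments say it is "used by devel/apr0/Makefile" and that the checksum and any PKGREVISION for devel/apr must be updated too. The diffstat is limited to www/apache2, so nothing visible here shows the devel/apr0 side being updated; please confirm that happens in the same commit and mention the APR bump in the log.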
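
Review bot: In www/apache2/distinfo, the new httpd-2.0.65.tar.bz2 entry is pinned only by SHA1 and RMD160 digests plus a size, and the log does not say how the tarball was verified before these values were recorded. Suggest stating that the distfile was checked against upstream's published signature or digests, and adding a stronger digest if the package infrastructure accepts one. Removing the three CVE-2011-3192-2.0.64-byterange-fixes.patch lines matches the PATCHFILES removal in the Makefile.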