CVS commit: pkgsrc/www/apache2

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/www/apache2
From: Takahiro Kambe <taca%netbsd.org@localhost>
Date: Mon, 21 Jan 2008 14:37:22 +0000 (UTC)

Module Name:    pkgsrc
Committed By:   taca
Date:           Mon Jan 21 14:37:22 UTC 2008

Modified Files:
        pkgsrc/www/apache2: Makefile distinfo

Log Message:
Update apache package to 2.0.63.

Changes with Apache 2.0.63

  *) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
     to /Device/Nul as the server is starting up, mirroring unix MPM's.
     PR: 43534  [Tom Donovan <Tom.Donovan acm.org>, William Rowe]

  *) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
     by recreating the bucket allocator each time the trans pool is cleared.
     PR: 11427 #16 (follow-on)  [Tom Donovan <Tom.Donovan acm.org>]

Changes with Apache 2.0.62 (not released)

  *) SECURITY: CVE-2007-6388 (cve.mitre.org)
     mod_status: Ensure refresh parameter is numeric to prevent
     a possible XSS attack caused by redirecting to other URLs.
     Reported by SecurityReason.  [Mark Cox, Joe Orton]

  *) SECURITY: CVE-2007-5000 (cve.mitre.org)
     mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
     [Joe Orton]

  *) Introduce the ProxyFtpDirCharset directive, allowing the administrator
     to identify a default, or specific servers or paths which list their
     contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]

  *) log.c: Ensure Win32 resurrects its lost robust logger processes.
     [William Rowe]

  *) mpm_winnt: Eliminate wait_for_many_objects.  Allows the clean
     shutdown of the server when the MaxClients is higher then 257,
     in a more responsive manner [Mladen Turk, William Rowe]

  *) Add explicit charset to the output of various modules to work around
     possible cross-site scripting flaws affecting web browsers that do not
     derive the response character set as required by  RFC2616.  One of these
     reported by SecurityReason [Joe Orton]

  *) http_protocol: Escape request method in 405 error reporting.
     This has no security impact since the browser cannot be tricked
     into sending arbitrary method strings.  [Jeff Trawick]

  *) http_protocol: Escape request method in 413 error reporting.
     Determined to be not generally exploitable, but a flaw in any case.
     PR 44014 [Victor Stinner <victor.stinner inl.fr>]


To generate a diff of this commit:
cvs rdiff -r1.120 -r1.121 pkgsrc/www/apache2/Makefile
cvs rdiff -r1.51 -r1.52 pkgsrc/www/apache2/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: pkgsrc/devel/apr0
Next by Date: CVS commit: pkgsrc/www/apache2
Previous by Thread: CVS commit: pkgsrc/devel/apr0
Next by Thread: CVS commit: pkgsrc/www/apache2
Indexes:

Home | Main Index | Thread Index | Old Index