CVS commit: [pkgsrc-2009Q4] pkgsrc/www/apache22

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: [pkgsrc-2009Q4] pkgsrc/www/apache22
From: Matthias Scheler <tron%netbsd.org@localhost>
Date: Sun, 28 Mar 2010 13:02:33 +0000

Module Name:    pkgsrc
Committed By:   tron
Date:           Sun Mar 28 13:02:33 UTC 2010

Modified Files:
        pkgsrc/www/apache22 [pkgsrc-2009Q4]: Makefile PLIST distinfo
Removed Files:
        pkgsrc/www/apache22/patches [pkgsrc-2009Q4]: patch-aq patch-as patch-au

Log Message:
Pullup ticket #3068 - requested by taca
apache22: security update

Revisions pulled up:
- www/apache22/Makefile                         1.56
- www/apache22/PLIST                            1.16
- www/apache22/distinfo                         1.30-1.31
- www/apache22/patches/patch-aq                 delete
- www/apache22/patches/patch-as                 delete
- www/apache22/patches/patch-au                 delete
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Fri Mar  5 00:22:59 UTC 2010

Modified Files:
        pkgsrc/www/apache22: distinfo
Removed Files:
        pkgsrc/www/apache22/patches: patch-aq patch-as patch-au

Log Message:
Remove CVE-2007-3304 related patches.  CVE-2007-3304 was fixed
in Apache 2.2.6 and these patches are noop.
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Tue Mar  9 02:30:15 UTC 2010

Modified Files:
        pkgsrc/www/apache22: Makefile PLIST distinfo

Log Message:
Update apache22 package to 2.2.15.

For full changes information please refer:
http://www.apache.org/dist/httpd/Announcement2.2.html.

Here is security related changes from ChangeLog
(http://www.apache.org/dist/httpd/CHANGES_2.2.15).

Changes with Apache 2.2.15

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola <niku.toivola sulake.com>]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]


To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.54.2.1 pkgsrc/www/apache22/Makefile
cvs rdiff -u -r1.15 -r1.15.2.1 pkgsrc/www/apache22/PLIST
cvs rdiff -u -r1.29 -r1.29.2.1 pkgsrc/www/apache22/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/www/apache22/patches/patch-aq \
    pkgsrc/www/apache22/patches/patch-as pkgsrc/www/apache22/patches/patch-au

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: pkgsrc/devel/hdf
Next by Date: CVS commit: [pkgsrc-2009Q4] pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/devel/hdf
Next by Thread: CVS commit: [pkgsrc-2009Q4] pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index