www/apache22 is vulnerable. ref: CVE-2011-0419 (cve.mitre.org) Fix: please upgrade to 2.2.18.

Responsible Changed From-To: freebsd-ports-bugs->apache
Over to maintainer (via the GNATS Auto Assign Tool)

State Changed From-To: open->analyzed
Fix synopsis (issue is apr1 related)
I'll take it

Responsible Changed From-To: apache->ohauer
Fix synopsis (issue is apr1 related)
I'll take it

ohauer 2011-05-13 23:00:18 UTC

FreeBSD ports repository

Modified files:
  devel/apr1 Makefile distinfo
  devel/apr1/files patch-apr_hints.m4
Removed files:
  devel/apr1/files patch-apr_buildconf

Log:
- update apr1 to version 1.4.4 (security update CVE-2011-0419)

Changes: (trimmed non FreeBSD related to keep the list shorter)
http://www.apache.org/dist/apr/CHANGES-APR-1.4

Changes for APR 1.4.4

Changes for APR 1.4.3

*) Security: CVE-2011-0419
   Reimplement apr_fnmatch() from scratch using a non-recursive algorithm; now has improved compliance with the fnmatch() spec. [William Rowe]

*) poll, pollset, pollcb on Windows: Handle calls with no file/socket descriptors. PR 49882. [Stefan Ruppert <sr myarm.com>, Jeff Trawick]

*) Fix address handling when accepting an AF_INET socket from a socket bound as AF_INET6. PR 49678. [Joe Orton]

*) Add new experimental configure option --enable-allocator-uses-mmap to use mmap instead of malloc in apr_allocator_alloc(). This greatly reduces memory fragmentation with malloc implementations (e.g. glibc) that don't handle allocations of a page-size-multiples in an efficient way. It also makes apr_allocator_max_free_set() actually have some effect on such platforms. [Stefan Fritsch]

*) configure: Make definition of apr_ino_t independent of _FILE_OFFSET_BITS even on platforms where ino_t is 'unsigned int'. [Stefan Fritsch]

*) apr_ring: Workaround for aliasing problem that causes gcc 4.5 to miscompile some brigade related code. PR 50190. [Stefan Fritsch]

*) apr_file_flush_locked(): Handle short writes. [Stefan Fritsch]

*) apr_pollset_create_ex(): Trap errors from pollset providers. PR 49094. [Sami Tolvanen <sami.tolvanen mywot.com>]

*) apr_pollset_create*(): Fix memory lifetime problem with the wakeup pipe when the pollset was created with APR_POLLSET_NOCOPY. [Neil Conway <nrc cs.berkeley.edu>]

*) Fix detection of some Linux variants when configure is built with recent GNU tools. [Eric Covener]

*) Avoid a redundant fcntl() call in apr_file_open() where O_CLOEXEC is supported. PR 46297. [Joe Orton]

*) Improve platform detection by updating config.guess and config.sub. [Rainer Jung]

commit with apache@ hat

PR: 156997
Submitted by: Tsurutani Naoki <turutani _at_ scphys.kyoto-u.ac.jp>

Revision  Changes  Path
1.114     +2 -2    ports/devel/apr1/Makefile
1.28      +4 -6    ports/devel/apr1/distinfo
1.7       +0 -13   ports/devel/apr1/files/patch-apr_buildconf (dead)
1.22      +3 -3    ports/devel/apr1/files/patch-apr_hints.m4

_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

ohauer 2011-05-13 23:02:38 UTC

FreeBSD ports repository

Modified files:
  www/apache22 Makefile distinfo

Log:
- update to version 2.2.18

Changes: http://www.apache.org/dist/httpd/CHANGES_2.2.18

Changes with Apache 2.2.18

*) Log an error for failures to read a chunk-size, and return 408 instead of 413 when this is due to a read timeout. This change also fixes some cases of two error documents being sent in the response for the same scenario. [Eric Covener] PR49167

*) core: Only log a 408 if it is no keepalive timeout. PR 39785 [Ruediger Pluem, Mark Montague <markmont umich.edu>]

*) core: Treat timeout reading request as 408 error, not 400. Log 408 errors in access log as was done in Apache 1.3.x. PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, Stefan Fritsch, Dan Poirier]

*) Core HTTP: disable keepalive when the Client has sent Expect: 100-continue but we respond directly with a non-100 response. Keepalive here led to data from clients continuing being treated as a new request. PR 47087. [Nick Kew]

*) htpasswd: Change the default algorithm for htpasswd to MD5 on all platforms. Crypt with its 8 character limit is not useful anymore; improve out of disk space handling (PR 30877); print a warning if a password is truncated by crypt. [Stefan Fritsch]

*) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI. Win32's cscript interpreter can only use a single quote as comment char. [Guenter Knauf]

*) configure: Fix htpasswd/htdbm libcrypt link errors with some newer linkers. [Stefan Fritsch]

*) MinGW build improvements. PR 49535. [John Vandenberg <jayvdb gmail.com>, Jeff Trawick]

*) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support. [Stefan Fritsch]

*) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes in request URL path info but not decode them. PR 35256, PR 46830. [Dan Poirier]

*) mod_rewrite: Allow to unset environment variables. PR 50746. [Rainer Jung]

*) suEXEC: Add Suexec directive to disable suEXEC without renaming the binary (Suexec Off), or force startup failure if suEXEC is required but not supported (Suexec On). [Jeff Trawick]

*) mod_proxy: Put the worker in error state if the SSL handshake with the backend fails. PR 50332. [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]

*) prefork: Update MPM state in children during a graceful restart. Allow the HTTP connection handling loop to terminate early during a graceful restart. PR 41743. [Andrew Punch <andrew.punch 247realmedia.com>]

*) mod_ssl: Correctly read full lines in input filter when the line is incomplete during first read. PR 50481. [Ruediger Pluem]

*) mod_autoindex: Merge IndexOptions from server to directory context when the directory has no mod_autoindex directives. PR 47766. [Eric Covener]

*) mod_cache: Make sure that we never allow a 304 Not Modified response that we asked for to leak to the client should the 304 response be uncacheable. PR45341 [Graham Leggett]

*) mod_dav: Send 400 error if malformed Content-Range header is received for a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]

*) mod_userdir: Add merging of enable, disable, and filename arguments to UserDir directive, leaving enable/disable of userlists unmerged. PR 44076 [Eric Covener]

*) core: Honor 'AcceptPathInfo OFF' during internal redirects, such as per-directory mod_rewrite substitutions. PR 50349. [Eric Covener]

*) mod_cache: Check the request to determine whether we are allowed to return cached content at all, and respect a "Cache-Control: no-cache" header from a client. Previously, "no-cache" would behave like "max-age=0". [Graham Leggett]

*) mod_mem_cache: Add a debug msg when a streaming response exceeds MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary 'memory allocation failed' debug message. PR 49604. [Eric Covener]

*) proxy_connect: Don't give up in the middle of a CONNECT tunnel when the child process is starting to exit. PR50220. [Eric Covener]

PR: 156997
Submitted by: Tsurutani Naoki <turutani _at_ scphys.kyoto-u.ac.jp>

Revision  Changes  Path
1.288     +2 -2    ports/www/apache22/Makefile
1.83      +2 -2    ports/www/apache22/distinfo

State Changed From-To: analyzed->closed
Thanks for reporting!
- updated apache to 2.2.18
- updated apr1 to 1.4.4 (security update)