All people using mod_rewrite are strongly encouraged to update.
An off-by-one flaw exists in the Rewrite module, mod_rewrite.
Depending on the manner in which Apache httpd was compiled, this
software defect may result in a vulnerability which, in combination
with certain types of Rewrite rules in the web server configuration
files, could be triggered remotely. For vulnerable builds, the nature
of the vulnerability can be denial of service (crashing of web server
processes) or potentially allow arbitrary code execution.
This issue has been rated as having important security impact
by the Apache HTTP Server Security Team.
Updates to latest versions will follow soon.
Notified by: so@ (simon)
Obtained from: Apache Security Team
Security: CVE-2006-3747
We have not checked for this KEYWORD for a long time now, so this
is a complete noop, and thus no PORTREVISION bump. Removing it at
this point is mostly for pedantic reasons, and partly to avoid
perpetuating this anachronism by copy and paste to future scripts.
mod_imap: Escape untrusted referer header before outputting in HTML
to avoid potential cross-site scripting. Change also made to
ap_escape_html so we escape quotes. Reported by JPCERT.
[Mark Cox]
Reported by: simon
- Add suexec support
- Misc changes
- Add a footnote for users, to announce to them that the next version
will be a complete resync with apache13 ports layout.
PR: 57300
Submitted by: sheepkiller@cultdeadsheep.org
defaults to openssl port (now 0.9.6.h)
New options:
use the latest version (now 0.9.7)
USE_OPENSSL_BETA=yes
use the base version with
USE_OPENSSL_BASE=yes
the port had been updated to 1.2.27 and ssl-1.48 which simply did not
exist then.
Now they do exist. Since it builds, installs and runs correctly with
no further changes, and all the other apache-1.2.27-based ports are
back alive again, there's no reason to keep this one forbidden.
Don't be alarmed that the MD5 sum changes: the previous one in
distinfo was actually the checksum from apache_1.3.26+ssl_1.48.tar.gz,
since the last update to that file only changed the name but not the
MD5 sum. Alas, I could not find any authoritative MD5 on
http://www.apache-ssl.org/ to verify against.
Mark apache13-ssl FORBIDDEN because the new version does not yet exist.
Partially based on patches submitted by the authors below.
Submitted by: "Sergey A. Osokin" <osa@freebsd.org.ru>,
Udo Schweigert <udo.schweigert@siemens.com>,
Lev A. Serebryakov <lev@serebryakov.spb.ru>
PR: ports/43682, ports/43688, ports/43666, ports/43681