pkgsrc/www/apache/patches/patch-af

$NetBSD: patch-af,v 1.11 2008/02/23 05:16:34 obache Exp $

--- src/modules/standard/mod_so.c.orig	2008-02-23 04:22:56.000000000 +0000
+++ src/modules/standard/mod_so.c
@@ -322,7 +322,15 @@ static const char *load_file(cmd_parms *
         return err;
     }
     
-    file = ap_server_root_relative(cmd->pool, filename);
+    /*
+     * If the filename starts with '!', then just dlopen() it without
+     * translating it to a pathname relative to ServerRoot.
+     */
+    if (filename[0] == '!') {
+	file = filename + 1;
+    } else {
+	file = ap_server_root_relative(cmd->pool, filename);
+    }
     
     if (!(handle = ap_os_dso_load(file))) {
 	const char *my_error = ap_os_dso_error();
Update apache to 1.3.41. Changes with Apache 1.3.41 ) SECURITY: CVE-2007-6388 (cve.mitre.org) mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. [Mark Cox] Changes with Apache 1.3.40 (not released) ) SECURITY: CVE-2007-5000 (cve.mitre.org) mod_imap: Fix cross-site scripting issue. Reported by JPCERT. [Joe Orton] ) SECURITY: CVE-2007-3847 (cve.mitre.org) mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144. With Apache 1.3, the denial of service vulnerability applies only to the Windows and NetWare platforms. [Jeff Trawick] ) More efficient implementation of the CVE-2007-3304 PID table patch. This fixes issues with excessive memory usage by the parent process if long-running and with a high number of child process forks during that timeframe. Also fixes bogus "Bad pid" errors. [Jim Jagielski, Jeff Trawick] Changes with Apache 1.3.39 ) SECURITY: CVE-2006-5752 (cve.mitre.org) mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which perform charset "detection". Reported by Stefan Esser. [Joe Orton] ) SECURITY: CVE-2007-3304 (cve.mitre.org) Ensure that the parent process cannot be forced to kill non-child processes by checking scoreboard PID data with parent process privately stored PID data. [Jim Jagielski] *) mime.types: Many updates to sync with IANA registry and common unregistered types that the owners refuse to register. Admins are encouraged to update their installed mime.types file. pr: 35550, 37798, 39317, 31483 [Roy T. Fielding] There was no Apache 1.3.38 2008-02-23 06:16:33 +01:00			$NetBSD: patch-af,v 1.11 2008/02/23 05:16:34 obache Exp $
Update Apache and mod_ssl using new build layout (see post to tech-pkg for details). No security fixes in Apache 1.3.3, so immediate upgrade from 1.3.2 is not necessary. 1998-12-03 18:23:51 +01:00
Update apache to 1.3.41. Changes with Apache 1.3.41 ) SECURITY: CVE-2007-6388 (cve.mitre.org) mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. [Mark Cox] Changes with Apache 1.3.40 (not released) ) SECURITY: CVE-2007-5000 (cve.mitre.org) mod_imap: Fix cross-site scripting issue. Reported by JPCERT. [Joe Orton] ) SECURITY: CVE-2007-3847 (cve.mitre.org) mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144. With Apache 1.3, the denial of service vulnerability applies only to the Windows and NetWare platforms. [Jeff Trawick] ) More efficient implementation of the CVE-2007-3304 PID table patch. This fixes issues with excessive memory usage by the parent process if long-running and with a high number of child process forks during that timeframe. Also fixes bogus "Bad pid" errors. [Jim Jagielski, Jeff Trawick] Changes with Apache 1.3.39 ) SECURITY: CVE-2006-5752 (cve.mitre.org) mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which perform charset "detection". Reported by Stefan Esser. [Joe Orton] ) SECURITY: CVE-2007-3304 (cve.mitre.org) Ensure that the parent process cannot be forced to kill non-child processes by checking scoreboard PID data with parent process privately stored PID data. [Jim Jagielski] *) mime.types: Many updates to sync with IANA registry and common unregistered types that the owners refuse to register. Admins are encouraged to update their installed mime.types file. pr: 35550, 37798, 39317, 31483 [Roy T. Fielding] There was no Apache 1.3.38 2008-02-23 06:16:33 +01:00			`--- src/modules/standard/mod_so.c.orig 2008-02-23 04:22:56.000000000 +0000`
Update build to work with mod_ssl-2.6.6-1.3.12 to keep in sync with ap-ssl. EAPI didn't change so no need to change Apache's version number. Also standardize package builds to have Apache listen on ports 80/443 regardless of UID of user that builds the package, and make MAINTAINER point to me. 2000-09-12 16:17:31 +02:00			`+++ src/modules/standard/mod_so.c`
Update apache to 1.3.41. Changes with Apache 1.3.41 ) SECURITY: CVE-2007-6388 (cve.mitre.org) mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. [Mark Cox] Changes with Apache 1.3.40 (not released) ) SECURITY: CVE-2007-5000 (cve.mitre.org) mod_imap: Fix cross-site scripting issue. Reported by JPCERT. [Joe Orton] ) SECURITY: CVE-2007-3847 (cve.mitre.org) mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144. With Apache 1.3, the denial of service vulnerability applies only to the Windows and NetWare platforms. [Jeff Trawick] ) More efficient implementation of the CVE-2007-3304 PID table patch. This fixes issues with excessive memory usage by the parent process if long-running and with a high number of child process forks during that timeframe. Also fixes bogus "Bad pid" errors. [Jim Jagielski, Jeff Trawick] Changes with Apache 1.3.39 ) SECURITY: CVE-2006-5752 (cve.mitre.org) mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which perform charset "detection". Reported by Stefan Esser. [Joe Orton] ) SECURITY: CVE-2007-3304 (cve.mitre.org) Ensure that the parent process cannot be forced to kill non-child processes by checking scoreboard PID data with parent process privately stored PID data. [Jim Jagielski] *) mime.types: Many updates to sync with IANA registry and common unregistered types that the owners refuse to register. Admins are encouraged to update their installed mime.types file. pr: 35550, 37798, 39317, 31483 [Roy T. Fielding] There was no Apache 1.3.38 2008-02-23 06:16:33 +01:00			`@@ -322,7 +322,15 @@ static const char load_file(cmd_parms `
Update apache to 1.3.17. Important changes from version 1.3.14 include: -) Remove patch to avoid dlclose()ing on NetBSD. The mod_perl vs. perl CGI mis-interaction seems to be gone and I wasn't able to reproduce it on my system. ) Fix the declaration of the module structure in mod_example. ) Fix the handling of variable expansion look-ahead in mod_rewrite, i.e. syntax like %{LA-U:REMOTE_USER}, and also fix the parsing of more complicated nested RewriteMap lookups. ) mod_status now respects ?refresh=n of 1 or greater. If the given refresh value is not a number, ?refresh is set to 1 second. ) Accomodate an out-of-space condition in the piped logs and the rotatelogs.c code, and no longer churn log processes for this condition. ) Make cgi-bin work as a regular directory when using mod_vhost_alias with no VirtualScriptAlias directives. ) Move the check of the Expect request header field after the hook for ap_post_read_request, since that is the only opportunity for modules to handle Expect extensions. ) Eliminate caching problems of mod_autoindex results, so the last modified date of the directory is returned as the Last-Modified and ETag HTTP header tags are sent if IndexOptions TrackModified directive/option is used. ) Correct an issue with Alias and ScriptAlias directives that file path arguments were not normalized in canonical form. This correction makes no attempt to normalize regular expression forms of Alias or ScriptAlias. ) Add a new LogFormat directive, %c, that will log connection status at the end of the response. ) Update the mime.types file to the registered media types as of 2000-10-19. *) Restore functionality broken by the mod_rewrite security fix: rewrite map lookup keys and default values are now expanded so that the lookup can depend on the requested URI etc. 2001-02-02 17:39:56 +01:00			`return err;`
			`}`

Update build to work with mod_ssl-2.6.6-1.3.12 to keep in sync with ap-ssl. EAPI didn't change so no need to change Apache's version number. Also standardize package builds to have Apache listen on ports 80/443 regardless of UID of user that builds the package, and make MAINTAINER point to me. 2000-09-12 16:17:31 +02:00			`- file = ap_server_root_relative(cmd->pool, filename);`
			`+ /*`
Update apache to 1.3.17. Important changes from version 1.3.14 include: -) Remove patch to avoid dlclose()ing on NetBSD. The mod_perl vs. perl CGI mis-interaction seems to be gone and I wasn't able to reproduce it on my system. ) Fix the declaration of the module structure in mod_example. ) Fix the handling of variable expansion look-ahead in mod_rewrite, i.e. syntax like %{LA-U:REMOTE_USER}, and also fix the parsing of more complicated nested RewriteMap lookups. ) mod_status now respects ?refresh=n of 1 or greater. If the given refresh value is not a number, ?refresh is set to 1 second. ) Accomodate an out-of-space condition in the piped logs and the rotatelogs.c code, and no longer churn log processes for this condition. ) Make cgi-bin work as a regular directory when using mod_vhost_alias with no VirtualScriptAlias directives. ) Move the check of the Expect request header field after the hook for ap_post_read_request, since that is the only opportunity for modules to handle Expect extensions. ) Eliminate caching problems of mod_autoindex results, so the last modified date of the directory is returned as the Last-Modified and ETag HTTP header tags are sent if IndexOptions TrackModified directive/option is used. ) Correct an issue with Alias and ScriptAlias directives that file path arguments were not normalized in canonical form. This correction makes no attempt to normalize regular expression forms of Alias or ScriptAlias. ) Add a new LogFormat directive, %c, that will log connection status at the end of the response. ) Update the mime.types file to the registered media types as of 2000-10-19. *) Restore functionality broken by the mod_rewrite security fix: rewrite map lookup keys and default values are now expanded so that the lookup can depend on the requested URI etc. 2001-02-02 17:39:56 +01:00			`+ * If the filename starts with '!', then just dlopen() it without`
			`+ * translating it to a pathname relative to ServerRoot.`
Update build to work with mod_ssl-2.6.6-1.3.12 to keep in sync with ap-ssl. EAPI didn't change so no need to change Apache's version number. Also standardize package builds to have Apache listen on ports 80/443 regardless of UID of user that builds the package, and make MAINTAINER point to me. 2000-09-12 16:17:31 +02:00			`+ */`
			`+ if (filename[0] == '!') {`
			`+ file = filename + 1;`
			`+ } else {`
			`+ file = ap_server_root_relative(cmd->pool, filename);`
			`+ }`

			`if (!(handle = ap_os_dso_load(file))) {`
			`const char *my_error = ap_os_dso_error();`