kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
pkgsrc/www/apache/distinfo

27 lines
1.5 KiB
Text
Raw Normal View History

Add fix for security vulnerability reported in CVE-2005-3352 taken from Apache SVN repository. Bump package revision because of that.
2005-12-15 13:57:29 +01:00
$NetBSD: distinfo,v 1.48 2005/12/15 12:57:30 tron Exp $
Add package patch checksum files.
1999-07-09 16:22:59 +02:00
Update to 1.3.34. This is a security fix release, fix pkg/31868 by Zafer Aydogan. Changes from 1.3.33: *) hsregex: fix potential core dumping on 64 bit machines, such as AMD64. PR 31858. [Glenn Strauss < gs-apache-dev gluelogic.com>] *) SECURITY: core: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. This has no impact on mod_proxy_http, yet affects any module which supports chunked encoding yet fails to prefer T-E: chunked over the Content-Length purported value. [Paul Querna, Joe Orton] *) Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method. This addresses a flaw in proxy conformance to RFC 2616 - previously the proxy server would accept a TRACE request body although the RFC prohibited it. The default remains 'TraceEnable on'. [William Rowe] *) mod_digest: Fix another nonce string calculation issue. [Eric Covener]
2005-10-19 22:30:20 +02:00
SHA1 (apache_1.3.34.tar.gz) = df082b73f1220555dc416c0c5afa746e30a9e0de
RMD160 (apache_1.3.34.tar.gz) = e39dfc57b7f9164aa76641de3fa74f0314c9ec9e
Size (apache_1.3.34.tar.gz) = 2468056 bytes
Move to sha1 digests, and add distfile sizes.
2001-04-20 14:02:30 +02:00
SHA1 (sitedrivenby.gif) = 7671e9a8ec2cad3961b268befd33c0920e07c658
Add RMD160 checksums.
2005-02-24 15:08:26 +01:00
RMD160 (sitedrivenby.gif) = 2e350e6531a800da8796207509c12fb590d0affa
Move to sha1 digests, and add distfile sizes.
2001-04-20 14:02:30 +02:00
Size (sitedrivenby.gif) = 8519 bytes
Update to 1.3.34. This is a security fix release, fix pkg/31868 by Zafer Aydogan. Changes from 1.3.33: *) hsregex: fix potential core dumping on 64 bit machines, such as AMD64. PR 31858. [Glenn Strauss < gs-apache-dev gluelogic.com>] *) SECURITY: core: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. This has no impact on mod_proxy_http, yet affects any module which supports chunked encoding yet fails to prefer T-E: chunked over the Content-Length purported value. [Paul Querna, Joe Orton] *) Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method. This addresses a flaw in proxy conformance to RFC 2616 - previously the proxy server would accept a TRACE request body although the RFC prohibited it. The default remains 'TraceEnable on'. [William Rowe] *) mod_digest: Fix another nonce string calculation issue. [Eric Covener]
2005-10-19 22:30:20 +02:00
SHA1 (mod_ssl-2.8.25-1.3.34.tar.gz) = 150f726539d74c0d2af02e482be78bbcdb811395
RMD160 (mod_ssl-2.8.25-1.3.34.tar.gz) = 90a3913d30c7f4d194907463125c90101005837a
Size (mod_ssl-2.8.25-1.3.34.tar.gz) = 820352 bytes
Update apache to 1.3.33 The main security vulnerabilities addressed in 1.3.33 are: * CAN-2004-0940 (cve.mitre.org) Fix potential buffer overflow with escaped characters in SSI tag string. * CAN-2004-0492 (cve.mitre.org) Reject responses from a remote server if sent an invalid (negative) Content-Length. New features * Win32: Improve error reporting after a failed attempt to spawn a piped log process or rewrite map process. * Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT. It controls how UseCanonicalName Off determines the port value if the client doesn't provide one in the Host header. If defined during compilation, UseCanonicalName Off will use the physical port number to generate the canonical name. If not defined, it tries the current Port value followed by the default port for the current scheme. The following bugs were found in Apache 1.3.31 (or earlier) and have been fixed in Apache 1.3.33: * mod_rewrite: Fix query string handling for proxied URLs. PR 14518. * mod_rewrite: Fix 0 bytes write into random memory position. PR 31036. * mod_digest: Fix nonce string calculation since 1.3.31 which would force re-authentication for every connection if AuthDigestRealmSeed was not configured. PR 30920. * Fix trivial bug in mod_log_forensic that caused the child to seg fault when certain invalid requests were fired at it with forensic logging is enabled. PR 29313. * No longer breaks mod_dav, frontpage and others. Repair a patch in 1.3.31 which prevented discarding the request body for requests that will be keptalive but are not currently keptalive. PR 29237.
2004-10-29 15:48:31 +02:00
SHA1 (patch-aa) = ae280b14dc0102ecfbe3675ca0b5d2b74ee790ca
SHA1 (patch-ab) = 084d52bb2afbacf18b9d0793293d8ae333c67802
SHA1 (patch-ac) = b961c90a58a94f48daff417af146df98d5ec428c
SHA1 (patch-ad) = c02cd1af3c4b5e0d49aaa7f0eff20a8d76a633aa
SHA1 (patch-ae) = 59318dd3376b10b84c0126d90f4b244a18268791
SHA1 (patch-af) = 55b27779b63cd86d3aef5b700c13600f0d840554
SHA1 (patch-ag) = 0c075960215e55525ffee15c381b82775614a2d2
Update apache to apache_1-3.33nb3: Previously rc.d/apache was updated to run stop & start for restart. '/etc/rc.d/apache restart' then picked up startssl if apache was not running, but if apache was running it has a large chance of the start running before the stop completes, leaving no httpd running. Instead, add a restartssl option to apachectl, and use it.
2005-03-01 00:30:48 +01:00
SHA1 (patch-ah) = 1db5811a74ecadb5f8db2d74483f95c537b9c18d
Regen after "patch-ai" was changed. (hi salo!)
2004-11-16 09:23:45 +01:00
SHA1 (patch-ai) = e2e48f48bec8cba85345e31541d4e4ddcc30e799
Update apache to 1.3.33 The main security vulnerabilities addressed in 1.3.33 are: * CAN-2004-0940 (cve.mitre.org) Fix potential buffer overflow with escaped characters in SSI tag string. * CAN-2004-0492 (cve.mitre.org) Reject responses from a remote server if sent an invalid (negative) Content-Length. New features * Win32: Improve error reporting after a failed attempt to spawn a piped log process or rewrite map process. * Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT. It controls how UseCanonicalName Off determines the port value if the client doesn't provide one in the Host header. If defined during compilation, UseCanonicalName Off will use the physical port number to generate the canonical name. If not defined, it tries the current Port value followed by the default port for the current scheme. The following bugs were found in Apache 1.3.31 (or earlier) and have been fixed in Apache 1.3.33: * mod_rewrite: Fix query string handling for proxied URLs. PR 14518. * mod_rewrite: Fix 0 bytes write into random memory position. PR 31036. * mod_digest: Fix nonce string calculation since 1.3.31 which would force re-authentication for every connection if AuthDigestRealmSeed was not configured. PR 30920. * Fix trivial bug in mod_log_forensic that caused the child to seg fault when certain invalid requests were fired at it with forensic logging is enabled. PR 29313. * No longer breaks mod_dav, frontpage and others. Repair a patch in 1.3.31 which prevented discarding the request body for requests that will be keptalive but are not currently keptalive. PR 29237.
2004-10-29 15:48:31 +02:00
SHA1 (patch-aj) = ac7337b51d7d4ca25cef4020961736404ec79f01
Pass the DL_* flags to the compiler when building httpd so that dlopen will work correctly on NetBSD-2.x. This should fix PR pkg/29398.
2004-11-26 19:52:47 +01:00
SHA1 (patch-ak) = 1be52fb5fca6c05c7cf489de541e0d52383ee43a
Add DragonFly support. (An httpd service was only briefly tested.)
2005-08-22 18:19:00 +02:00
SHA1 (patch-al) = f9d329ca9465af0254f76d732f80ed4bf57a846a
SHA1 (patch-am) = b8551fca1ec8a62b3b420435479a896a7de1dfe0
Update apache to 1.3.33 The main security vulnerabilities addressed in 1.3.33 are: * CAN-2004-0940 (cve.mitre.org) Fix potential buffer overflow with escaped characters in SSI tag string. * CAN-2004-0492 (cve.mitre.org) Reject responses from a remote server if sent an invalid (negative) Content-Length. New features * Win32: Improve error reporting after a failed attempt to spawn a piped log process or rewrite map process. * Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT. It controls how UseCanonicalName Off determines the port value if the client doesn't provide one in the Host header. If defined during compilation, UseCanonicalName Off will use the physical port number to generate the canonical name. If not defined, it tries the current Port value followed by the default port for the current scheme. The following bugs were found in Apache 1.3.31 (or earlier) and have been fixed in Apache 1.3.33: * mod_rewrite: Fix query string handling for proxied URLs. PR 14518. * mod_rewrite: Fix 0 bytes write into random memory position. PR 31036. * mod_digest: Fix nonce string calculation since 1.3.31 which would force re-authentication for every connection if AuthDigestRealmSeed was not configured. PR 30920. * Fix trivial bug in mod_log_forensic that caused the child to seg fault when certain invalid requests were fired at it with forensic logging is enabled. PR 29313. * No longer breaks mod_dav, frontpage and others. Repair a patch in 1.3.31 which prevented discarding the request body for requests that will be keptalive but are not currently keptalive. PR 29237.
2004-10-29 15:48:31 +02:00
SHA1 (patch-ao) = 9ec5f32b2e9cf4c423b5d819fc76f652b27c6c29
Add fix for security vulnerability reported in CVE-2005-3352 taken from Apache SVN repository. Bump package revision because of that.
2005-12-15 13:57:29 +01:00
SHA1 (patch-ap) = 90ac139c91dcc45abb04e9496273f2ef4742d260
Reference in a new issue Copy permalink