populated with an extra, empty argument. Full details can be found at
https://issues.apache.org/bugzilla/show_bug.cgi?id=46380
Note, this fix has already been committed to the Apache trunk and will be
in the next version so this patch can be removed then.
- SECURITY: CVE-2008-2939 (cve.mitre.org)
mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
- Allow for smax to be 0 for balancer members so that all idle
connections are able to be dropped should they exceed ttl.
Apache Bug #43371 [Phil Endecott <spam_from_apache_bugzilla chezphil.org>,
Jim Jagielski]
- mod_proxy_http: Don't trigger a retry by the client if a failure to
read the response line was the result of a timeout.
[Adam Woodworth <mirkperl gmail.com>]
- Support chroot on Unix-family platforms
Apache Bug #43596 [Dimitar Pashev <mitko banksoft-bg.com>]
- mod_ssl: implement dynamic mutex callbacks for the benefit of
OpenSSL. [Sander Temme]
- mod_proxy_balancer: Add 'bybusyness' load balance method.
[Joel Gluth <joelgluth yahoo.com.au>, Jim Jagielski]
- mod_authn_alias: Detect during startup when AuthDigestProvider
is configured to use an incompatible provider via AuthnProviderAlias.
Apache Bug #45196 [Eric Covener]
- mod_proxy: Add 'scolonpathdelim' parameter to allow for ';' to also be
used as a session path separator/delim Apache Bug #45158. [Jim Jagielski]
- mod_charset_lite: Avoid dropping error responses by handling meta buckets
correctly. Apache Bug #45687 [Dan Poirier <poirier pobox.com>]
- mod_proxy_http: Introduce environment variable proxy-initial-not-pooled to
avoid reusing pooled connections if the client connection is an initial
connection. Apache Bug #37770. [Ruediger Pluem]
- mod_rewrite: Allow Cookie option to set secure and HttpOnly flags.
Apache Bug #44799 [Christian Wenz <christian wenz.org>]
- mod_ssl: Rewrite shmcb to avoid memory alignment issues.
Apache Bug #42101. [Geoff Thorpe]
- mod_proxy: Add connectiontimeout parameter for proxy workers in order to
be able to set the timeout for connecting to the backend separately.
Apache Bug #45445. [Ruediger Pluem, rahul <rahul sun.com>]
- mod_dav_fs: Retrieve minimal system information about directory
entries when walking a DAV fs, resolving a performance degradation on
Windows. Apache Bug #45464. [Joe Orton, Jeff Trawick]
- mod_cgid: Pass along empty command line arguments from an ISINDEX
query that has consecutive '+' characters in the QUERY_STRING,
matching the behavior of mod_cgi.
[Eric Covener]
- mod_headers: Prevent Header edit from processing only the first header
of possibly multiple headers with the same name and deleting the
remaining ones. Apache Bug #45333. [Ruediger Pluem]
- mod_proxy_balancer: Move nonce field in the balancer manager page inside
the html form where it belongs. Apache Bug #45578. [Ruediger Pluem]
- mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to
known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.
[Ruediger Pluem]
- mod_rewrite: Preserve the query string when [proxy,noescape].
Apache Bug #45247. [Tom Donovan]
pkgsrc related note:
The security fix for CVE-2008-2939 has already been integrated as patch
before this update.
This version of Apache is principally a bug and security fix release.
The following potential security flaws are addressed:
- CVE-2008-2364: mod_proxy_http: Better handling of excessive interim
responses from origin server to prevent potential denial of service and
high memory usage. Reported by Ryujiro Shibuya.
- CVE-2007-6420: mod_proxy_balancer: Prevent CSRF attacks against the
balancer-manager interface.
pkgsrc related notes:
- CVE-2008-2364 was already fixed in "pkgsrc"
- CVE-2007-6420 doesn't affect the package in the default configuration
because the "proxy_balancer" isn't enabled.
Add apache SVN revision 574884 to fix garbage characters in Server header
http://issues.apache.org/bugzilla/show_bug.cgi?id=43334
When it hits, this issue can completely screw up returned pages if the
Server header gets embedded newlines
This update is a bug and security fix release. The following security
problem hasn't been fixed in "pkgsrc" before:
- CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when
parsing date-related headers.
* Bugfixes, please see http://www.apache.org/dist/httpd/CHANGES_2.2
pkgsrc changes:
* Do not use the included pcre source in apache22.
* devel/apr1 now uses the apache22 version (increased to 1.2.8.2.2.4) to
sync the source with the httpd distfile.
* Remove patches in devel/apr1 which were applied upstream.
