* SECURITY: CVE-2010-1452 (cve.mitre.org)
mod_dav: Fix Handling of requests without a path segment.
* SECURITY: CVE-2009-1891 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects.
* SECURITY: CVE-2009-3095 (cve.mitre.org)
mod_proxy_ftp: sanity check authn credentials.
* SECURITY: CVE-2009-3094 (cve.mitre.org)
mod_proxy_ftp: NULL pointer dereference on error paths.
* SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
attack when compiled against OpenSSL version 0.9.8m or later. Introduces
the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
and offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol, RFC 5746.
* SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
for OpenSSL versions prior to 0.9.8l; reject any client-initiated
renegotiations. Forcibly disable keepalive for the connection if there
is any buffered data readable. Any configuration which requires
renegotiation for per-directory/location access control is still
vulnerable, unless using openssl 0.9.8l or later.
* SECURITY: CVE-2010-0434 (cve.mitre.org)
Ensure each subrequest has a shallow copy of headers_in so that the
parent request headers are not corrupted. Elimiates a problematic
optimization in the case of no request body.
* SECURITY: CVE-2008-2364 (cve.mitre.org)
mod_proxy_http: Better handling of excessive interim responses
from origin server to prevent potential denial of service and high
memory usage.
* SECURITY: CVE-2010-0425 (cve.mitre.org)
mod_isapi: Do not unload an isapi .dll module until the request
processing is completed, avoiding orphaned callback pointers.
* SECURITY: CVE-2008-2939 (cve.mitre.org)
mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
the FTP URL. Discovered by Marc Bevand of Rapid7.
* Fix recursive ErrorDocument handling.
* mod_ssl: Do not do overlapping memcpy.
* Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass
through on a 304 response.
* apxs: Fix -A and -a options to ignore whitespace in httpd.conf
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
Changes with APR 0.9.17
*) Fix DSO-related crash on z/OS caused by incorrect memory
allocation. [David Jones <oscaremma gmail.com>]
*) Define apr_ino_t in such a way that it doesn't change definition
based on the library consumer's -D'efines to the filesystem.
[Lucian Adrian Grijincu <lucian.grijincu gmail.com>]
*) Cause apr_file_dup2() on Win32 to update the MSVCRT psuedo-stdio
handles for fd-based and FILE * based I/O. [William Rowe]
*) Revert Win32 to the 0.9.14 behavior of apr_proc_create() for any
of the three stdio streams which are not initialized, through either
apr_procattr_io_set() or apr_procattr_child_XXX_set(), when given a
procattr_t with one or two streams which were initialized through
apr_procattr_child_XXX_set(). Once again, these do not inherit the
parent process stdio stream to WIN32 child processes (passing
INVALID_HANDLE_VALUE instead) as on Unix. Note APR 1.3.0 adopts
the Unix behavior of inheriting any uninitialized streams as the
parent's corresponding stdio stream, in such cases. [William Rowe]
to version 2.0.61.
This update is a bug and security fix release. The following security
problem hasn't been fixed in "pkgsrc" before:
- CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when
parsing date-related headers.
package records the package subdir in the +BUILD_INFO, which is used by
several pkgtools to look up metainformation about the package, and that
metainfo will be wrong until the package is rebuilt (now as nb3).
devel/apr0/buildlink3.mk:
Add apr<1.0 to BUILDLINK_API_DEPENDS.apr .
devel/subversion/Makefile.common:
Drop --with-apr and --with-apr-util from CONFIGURE_ARGS; these
have not been needed since the buildlink framework started
ensuring the PATH is correct. Drop --with-ssl from
CONFIGURE_ARGS; this has not been necessary since this stopped
using the built-in neon. Include new options.mk .
devel/subversion-base/Makefile:
devel/subversion-base/buildlink3.mk:
Use devel/apr0 or devel/apr & devel/apr-util if
PKG_OPTIONS.subversion has the apr1 option.
devel/subversion-base/options.mk:
Provide apache22 and apr1 options; currently these must be set
together, so enforce that.
www/ap2-subversion/Makefile:
Use apache22 if PKG_OPTIONS.subversion has the apache22 option,
else use apache2.