Commit graph

21 commits

Author SHA1 Message Date
obache
64deda1dc9 recursive bump from cyrus-sasl libsasl2 shlib major bump. 2012-12-16 01:51:57 +00:00
asau
e1ab7079b6 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-31 11:16:30 +00:00
adam
dd18a7c0c9 Changes 2.0.64:
* SECURITY: CVE-2010-1452 (cve.mitre.org)
  mod_dav: Fix Handling of requests without a path segment.
* SECURITY: CVE-2009-1891 (cve.mitre.org)
  Fix a potential Denial-of-Service attack against mod_deflate or other
  modules, by forcing the server to consume CPU time in compressing a
  large file after a client disconnects.
* SECURITY: CVE-2009-3095 (cve.mitre.org)
  mod_proxy_ftp: sanity check authn credentials.
* SECURITY: CVE-2009-3094 (cve.mitre.org)
  mod_proxy_ftp: NULL pointer dereference on error paths.
* SECURITY: CVE-2009-3555 (cve.mitre.org)
  mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
  attack when compiled against OpenSSL version 0.9.8m or later. Introduces
  the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
  and offer unsafe legacy renegotiation with clients which do not yet
  support the new secure renegotiation protocol, RFC 5746.
* SECURITY: CVE-2009-3555 (cve.mitre.org)
  mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
  for OpenSSL versions prior to 0.9.8l; reject any client-initiated
  renegotiations. Forcibly disable keepalive for the connection if there
  is any buffered data readable. Any configuration which requires
  renegotiation for per-directory/location access control is still
  vulnerable, unless using openssl 0.9.8l or later.
* SECURITY: CVE-2010-0434 (cve.mitre.org)
  Ensure each subrequest has a shallow copy of headers_in so that the
  parent request headers are not corrupted.  Eliminates a problematic
  optimization in the case of no request body.
* SECURITY: CVE-2008-2364 (cve.mitre.org)
  mod_proxy_http: Better handling of excessive interim responses
  from origin server to prevent potential denial of service and high
  memory usage.
* SECURITY: CVE-2010-0425 (cve.mitre.org)
  mod_isapi: Do not unload an isapi .dll module until the request
  processing is completed, avoiding orphaned callback pointers.
* SECURITY: CVE-2008-2939 (cve.mitre.org)
  mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
  the FTP URL. Discovered by Marc Bevand of Rapid7.
* Fix recursive ErrorDocument handling.
* mod_ssl: Do not do overlapping memcpy.
* Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass
  through on a 304 response.
* apxs: Fix -A and -a options to ignore whitespace in httpd.conf
2010-11-01 18:03:03 +00:00
wiz
579796a3e5 Recursive PKGREVISION bump for jpeg update to 8. 2010-01-17 12:02:03 +00:00
taca
2d4386c360 Fix security problem of CVE-2009-2412 adding patches described in it.
Bump PKGREVISION.
2009-08-12 03:37:28 +00:00
joerg
0268c554bd Remove @dirrm entries from PLISTs 2009-06-14 17:38:38 +00:00
joerg
2d1ba244e9 Simplify and speed up buildlink3.mk files and processing.
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit markers, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
2009-03-20 19:23:50 +00:00
wiz
03b53774ba Recursive PKGREVISION/ABI-depends bump for db4 4.6->4.7 update (shlib
name change).
2008-09-06 20:54:31 +00:00
he
90685b8411 As indicated by comments on pkgsrc-c, move PKGREVISION setting to
individual Makefile files and out of Makefile.common.
2008-06-22 23:01:19 +00:00
joerg
f0c7d032fa PKG_BUILD_OPTIONS.apr is used, so make sure it is present when
this file is included again.
2008-03-11 18:32:28 +00:00
taca
a04a9a48eb Update apr0 package to 0.9.17.2.0.63.
Changes with APR 0.9.17

  *) Fix DSO-related crash on z/OS caused by incorrect memory
     allocation.  [David Jones <oscaremma gmail.com>]

  *) Define apr_ino_t in such a way that it doesn't change definition
     based on the library consumer's -D'efines to the filesystem.
     [Lucian Adrian Grijincu <lucian.grijincu gmail.com>]

  *) Cause apr_file_dup2() on Win32 to update the MSVCRT pseudo-stdio
     handles for fd-based and FILE * based I/O.  [William Rowe]

  *) Revert Win32 to the 0.9.14 behavior of apr_proc_create() for any
     of the three stdio streams which are not initialized, through either
     apr_procattr_io_set() or apr_procattr_child_XXX_set(), when given a
     procattr_t with one or two streams which were initialized through
     apr_procattr_child_XXX_set().  Once again, these do not inherit the
     parent process stdio stream to WIN32 child processes (passing
     INVALID_HANDLE_VALUE instead) as on Unix.  Note APR 1.3.0 adopts
     the Unix behavior of inheriting any uninitialized streams as the
     parent's corresponding stdio stream, in such cases.  [William Rowe]
2008-01-21 14:33:46 +00:00
adam
707dd64033 db4 update related revision bump 2008-01-12 11:36:28 +00:00
adrianp
f83f238106 Fix build on Darwin 9.x 2007-11-18 16:22:06 +00:00
tron
21e14a632b Update "apr" package to version 0.9.16.2.0.61 and "apache2" package
to version 2.0.61.

This update is a bug and security fix release. The following security
problem hasn't been fixed in "pkgsrc" before:
- CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when
  parsing date-related headers.
2007-09-07 23:11:40 +00:00
wiz
5d4498b5fc PKGREVISION bump for db4 shlib name change. 2007-06-08 12:24:59 +00:00
rillig
7f125459d8 Removed some code duplication from the buildlink3 files by using the new
pkg-build-options.mk procedure.
2007-05-30 08:54:28 +00:00
schmonz
38ecd9aaaa Add "include/apr-0" to BUILDLINK_INCDIRS.apr, as programs using
this library apparently expect to find it in their include path.
2007-05-29 22:13:41 +00:00
tv
55140b809c When this moved to devel/apr0, PKGREVISION should have been bumped. The
package records the package subdir in the +BUILD_INFO, which is used by
several pkgtools to look up metainformation about the package, and that
metainfo will be wrong until the package is rebuilt (now as nb3).
2007-02-11 16:05:51 +00:00
epg
a35d529fec Fix dependency problem noted by Joerg Sonnenberger. 2007-01-25 19:38:30 +00:00
epg
b8ebd68d2f Allow subversion to be built with either apr0 or apr & apr-util.
devel/apr0/buildlink3.mk:
    Add apr<1.0 to BUILDLINK_API_DEPENDS.apr .

devel/subversion/Makefile.common:
    Drop --with-apr and --with-apr-util from CONFIGURE_ARGS; these
    have not been needed since the buildlink framework started
    ensuring the PATH is correct.  Drop --with-ssl from
    CONFIGURE_ARGS; this has not been necessary since this stopped
    using the built-in neon.  Include new options.mk .

devel/subversion-base/Makefile:
devel/subversion-base/buildlink3.mk:
    Use devel/apr0 or devel/apr & devel/apr-util if
    PKG_OPTIONS.subversion has the apr1 option.

devel/subversion-base/options.mk:
    Provide apache22 and apr1 options; currently these must be set
    together, so enforce that.

www/ap2-subversion/Makefile:
    Use apache22 if PKG_OPTIONS.subversion has the apache22 option,
    else use apache2.
2007-01-25 07:35:30 +00:00
epg
5e1c322cc9 Import renamed devel/apr (0.9.x) so that can upgrade to 1.2.x. 2007-01-24 19:31:24 +00:00