ports/164675: commit references a PR
dfilter service <dfilter at FreeBSD.ORG>
Wed Feb  1 19:00:25 UTC 2012

The following reply was made to PR ports/164675; it has been noted by GNATS.
From: dfilter at FreeBSD.ORG (dfilter service)
To: bug-followup at FreeBSD.org
Cc:  
Subject: Re: ports/164675: commit references a PR
Date: Wed,  1 Feb 2012 18:56:20 +0000 (UTC)
 jgh         2012-02-01 18:56:08 UTC
 
   FreeBSD ports repository
 
   Modified files:
     www/apache22         Makefile Makefile.doc distinfo 
     www/apache22/files   patch-Makefile.in 
                          patch-docs__conf__extra__httpd-ssl.conf.in 
   Log:
   - Update to 2.2.22
   
   Addresses:
   * SECURITY: CVE-2011-3607 (cve.mitre.org)
   Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP
   Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif
   module is enabled, allows local users to gain privileges via a .htaccess file
   with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request
   header, leading to a heap-based buffer overflow.
   
   * SECURITY: CVE-2012-0021 (cve.mitre.org)
   The log_cookie function in mod_log_config.c in the mod_log_config module in the
   Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not
   properly handle a %{}C format string, which allows remote attackers to cause a
   denial of service (daemon crash) via a cookie that lacks both a name and a
   value.
   
   * SECURITY: CVE-2012-0031 (cve.mitre.org)
   scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local
   users to cause a denial of service (daemon crash during shutdown) or possibly
   have unspecified other impact by modifying a certain type field within a
   scoreboard shared memory segment, leading to an invalid call to the free
   function.
   
   * SECURITY: CVE-2011-4317 (cve.mitre.org)
   The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
   through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in
   place, does not properly interact with use of (1) RewriteRule and (2)
   ProxyPassMatch pattern matches for configuration of a reverse proxy, which
   allows remote attackers to send requests to intranet servers via a malformed URI
   containing an @ (at sign) character and a : (colon) character in invalid
   positions. NOTE: this vulnerability exists because of an incomplete fix for
   CVE-2011-3368.
   
   * SECURITY: CVE-2012-0053 (cve.mitre.org)
   protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly
   restrict header information during construction of Bad Request (aka 400) error
   documents, which allows remote attackers to obtain the values of HTTPOnly
   cookies via vectors involving a (1) long or (2) malformed header in conjunction
   with crafted web script.
   
   * SECURITY: CVE-2011-3368 (cve.mitre.org)
   The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
   through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of
   (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a
   reverse proxy, which allows remote attackers to send requests to intranet
   servers via a malformed URI containing an initial @ (at sign) character.
   
   PR: ports/164675
   Reviewed by: pgollucci
   Approved by: pgollucci, crees, rene (mentors, implicit)
   With Hat: apache@
   
   Revision  Changes    Path
   1.295     +1 -1      ports/www/apache22/Makefile
   1.16      +3 -3      ports/www/apache22/Makefile.doc
   1.87      +2 -2      ports/www/apache22/distinfo
   1.26      +2 -2      ports/www/apache22/files/patch-Makefile.in
   1.4       +4 -40     ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in
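The two mod_proxy entries in the log above (CVE-2011-3368 and CVE-2011-4317) concern reverse-proxy rules that substitute an unanchored request path into the proxied target URL, so the captured text can land in the host part of that URL. The audit script below is an added example, not code from the commit or from the apache22 port: it scans an httpd configuration fragment for `RewriteRule ... [P]` and `ProxyPassMatch` lines whose pattern is not pinned to a leading `^/` or whose target glues a backreference straight onto the authority. The configuration fragment, with a weak rule beside its hardened form, is constructed for illustration; the hostnames in it are placeholders.

```python
import re

# Constructed httpd.conf fragment, not taken from the page: the first two
# proxy rules splice the raw request path into the target without requiring
# a leading slash; the last two are the same rules in hardened form.
SAMPLE_CONF = """\
RewriteEngine On
RewriteRule (.*)\\.(jpg|gif|png) http://images.internal$1.$2 [P]
ProxyPassMatch ^(.*\\.php)$ http://app.internal$1
RewriteRule ^/(.*)\\.(jpg|gif|png) http://images.internal/$1.$2 [P]
ProxyPassMatch ^/(.*\\.php)$ http://app.internal/$1
"""

# A backreference ($1, $2, ...) glued directly onto the authority part of the
# target URL: whatever the pattern captured ends up before the first '/'.
AUTHORITY_BACKREF = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/\s]*\$\d")


def proxy_rules(conf: str):
    """Yield (lineno, directive, pattern, target) for each reverse-proxy rule."""
    for lineno, raw in enumerate(conf.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "proxypassmatch" and len(parts) >= 3:
            yield lineno, parts[0], parts[1], parts[2]
        elif directive == "rewriterule" and len(parts) >= 4:
            # Only RewriteRule lines carrying the proxy flag ([P] / [proxy])
            # hand the request to mod_proxy.
            flags = parts[3].strip("[]").lower().split(",")
            if any(f in ("p", "proxy") for f in flags):
                yield lineno, parts[0], parts[1], parts[2]


def audit(conf: str):
    """Return line numbers of proxy rules whose pattern does not anchor the
    request URI at '^/' or whose target splices a capture into the authority."""
    findings = []
    for lineno, _directive, pattern, target in proxy_rules(conf):
        unanchored = not pattern.startswith("^/")
        spliced = AUTHORITY_BACKREF.match(target) is not None
        if unanchored or spliced:
            findings.append(lineno)
    return findings


if __name__ == "__main__":
    for n in audit(SAMPLE_CONF):
        print(f"line {n}: proxy rule does not anchor the request path")
```

Upgrading to 2.2.22 is the actual fix for these CVEs; the anchored `^/` pattern and the `/` before the backreference in the target remain the recommended way to write such rules regardless of version.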