ports/180248: commit references a PR
dfilter service
dfilter at FreeBSD.ORG
Wed Jul 10 19:10:01 UTC 2013
The following reply was made to PR ports/180248; it has been noted by GNATS.
From: dfilter at FreeBSD.ORG (dfilter service)
To: bug-followup at FreeBSD.org
Cc:
Subject: Re: ports/180248: commit references a PR
Date: Wed, 10 Jul 2013 19:01:53 +0000 (UTC)
Author: ohauer
Date: Wed Jul 10 19:01:44 2013
New Revision: 322728
URL: http://svnweb.freebsd.org/changeset/ports/322728
Log:
- update to apache-2.2.25
- update vuxml with additional CVE-2013-1896 entry
Changes with Apache 2.2.25
http://www.apache.org/dist/httpd/CHANGES_2.2.25
*) SECURITY: CVE-2013-1896 (cve.mitre.org)
mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
the source href (sent as part of the request body as XML) pointing to a
URI that is not configured for DAV will trigger a segfault. [Ben Reser
<ben reser.org>]
*) SECURITY: CVE-2013-1862 (cve.mitre.org)
mod_rewrite: Ensure that client data written to the RewriteLog is
escaped to prevent terminal escape sequences from entering the
log file. [Eric Covener, Jeff Trawick, Joe Orton]
*) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
strings. The default limit for ap_pregsub() can be adjusted at compile
time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick]
*) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun
<apache heilbrun.org>]
*) mod_setenvif: Log error on substitution overflow.
[Stefan Fritsch]
*) mod_ssl/proxy: enable the SNI extension for backend TLS connections
[Kaspar Brand]
*) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. PR 53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
*) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
in the error log to debug level. [William Rowe]
*) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
[Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
*) mod_proxy_balancer: Added balancer parameter failontimeout to allow server
admin to configure an IO timeout as an error in the balancer.
[Daniel Ruggeri]
*) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
password. [Daniel Ruggeri]
*) htdigest: Fix buffer overflow when reading digest password file
with very long lines. PR 54893. [Rainer Jung]
*) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
[Timothy Wood <tjw omnigroup.com>]
*) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]
*) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
result in a 412 Precondition Failed for a COPY operation. PR54610
[Timothy Wood <tjw omnigroup.com>]
*) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
property on a resource for which there is no dead property in the same
namespace httpd segfaults. PR 52559 [Diego Santa Cruz
<diego.santaCruz spinetix.com>]
*) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
*) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
PR: ports/180248
Submitted by: Jason Helfman jgh@
Deleted:
head/www/apache22/files/patch-modules__mappers__mod_rewrite.c
Modified:
head/security/vuxml/vuln.xml
head/www/apache22/Makefile
head/www/apache22/Makefile.modules
head/www/apache22/distinfo
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Wed Jul 10 17:57:38 2013 (r322727)
+++ head/security/vuxml/vuln.xml Wed Jul 10 19:01:44 2013 (r322728)
@@ -121,27 +121,27 @@ Note: Please add new entries to the beg
</vuln>
<vuln vid="f3d24aee-e5ad-11e2-b183-20cf30e32f6d">
- <topic>apache22 -- mod_rewrite vulnerability</topic>
+ <topic>apache22 -- several vulnerabilities</topic>
<affects>
<package>
<name>apache22</name>
- <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range>
+ <range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
<package>
<name>apache22-event-mpm</name>
- <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range>
+ <range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
<package>
<name>apache22-itk-mpm</name>
- <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range>
+ <range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
<package>
<name>apache22-peruser-mpm</name>
- <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range>
+ <range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
<package>
<name>apache22-worker-mpm</name>
- <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range>
+ <range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
</affects>
<description>
@@ -153,16 +153,21 @@ Note: Please add new entries to the beg
non-printable characters, which might allow remote attackers to
execute arbitrary commands via an HTTP request containing an
escape sequence for a terminal emulator.</p>
+ <p>mod_dav: Sending a MERGE request against a URI handled by
+ mod_dav_svn with the source href (sent as part of the request
+ body as XML) pointing to a URI that is not configured for DAV
+ will trigger a segfault.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1862</cvename>
+ <cvename>CVE-2013-1896</cvename>
</references>
<dates>
<discovery>2013-06-21</discovery>
<entry>2013-07-05</entry>
- <modified>2013-07-06</modified>
+ <modified>2013-07-10</modified>
</dates>
</vuln>
Modified: head/www/apache22/Makefile
==============================================================================
--- head/www/apache22/Makefile Wed Jul 10 17:57:38 2013 (r322727)
+++ head/www/apache22/Makefile Wed Jul 10 19:01:44 2013 (r322728)
@@ -1,8 +1,8 @@
# $FreeBSD$
PORTNAME= apache22
-PORTVERSION= 2.2.24
-PORTREVISION?= 1
+PORTVERSION= 2.2.25
+#PORTREVISION?= 1
CATEGORIES= www ipv6
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD}
DISTNAME= httpd-${PORTVERSION}
@@ -98,7 +98,7 @@ IGNORE= suEXEC resource limit patch req
.endif
.if ${PORT_OPTIONS:MSUEXEC_USERDIR}
-EXTRA_PATCHES+= ${FILESDIR}/extra-patch-suexec_userdir
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-suexec_userdir
. if empty(PORT_OPTIONS:MSUEXEC)
IGNORE= suEXEC UserDir patch requires mod_suexec.\
Please (re)run 'make config' and choose SUEXEC option also
Modified: head/www/apache22/Makefile.modules
==============================================================================
--- head/www/apache22/Makefile.modules Wed Jul 10 17:57:38 2013 (r322727)
+++ head/www/apache22/Makefile.modules Wed Jul 10 19:01:44 2013 (r322728)
@@ -72,7 +72,7 @@ LATEST_LINK= apache22-${WITH_MPM}-mpm
.if ${WITH_MPM} == "worker" || ${WITH_MPM} == "event"
PORT_OPTIONS+= CGID
.if ${PORT_OPTIONS:MCGI}
-IGNORE= When using a multi-threaded MPM, the module CGID should be used in place CGI. \
+IGNORE= When using a multi-threaded MPM, the module CGID should be used in place CGI. \
Please de-select CGI and select CGID instead. \
See http://httpd.apache.org/docs/2.2/mod/mod_cgi.html
.endif
Modified: head/www/apache22/distinfo
==============================================================================
--- head/www/apache22/distinfo Wed Jul 10 17:57:38 2013 (r322727)
+++ head/www/apache22/distinfo Wed Jul 10 19:01:44 2013 (r322728)
@@ -1,2 +1,2 @@
-SHA256 (apache22/httpd-2.2.24.tar.bz2) = 0453f5d2d7e3b1975a1c6a8a22b6d6ff768715a3b0a89b51e5f7b5851628fad7
-SIZE (apache22/httpd-2.2.24.tar.bz2) = 5490439
+SHA256 (apache22/httpd-2.2.25.tar.bz2) = 4bcaf3524796a514b31aa5c64ce80b0cdb484bab5735416de29d00f6d50fa65a
+SIZE (apache22/httpd-2.2.25.tar.bz2) = 5524905
_______________________________________________
svn-ports-all at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-ports-all
To unsubscribe, send any mail to "svn-ports-all-unsubscribe at freebsd.org"
More information about the freebsd-apache
mailing list