pkgsrc.se | The NetBSD package collection

./www/apache22, Apache HTTP (Web) server, version 2.2

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: pkgsrc-2017Q2, Version: 2.2.34, Package name: apache-2.2.34, Maintainer: pkgsrc-users

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for various modern desktop and server operating
systems, such as UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server which provides HTTP
services in sync with the current HTTP standards.

Required to run:
[devel/apr-util] [devel/apr] [lang/perl5]

Required to build:
[pkgtools/cwrappers]

Package options: apache-mpm-prefork, apache-shared-modules

Master sites: (Expand)

SHA1: 829206394e238af0b800fc78d19c74ee466ecb23
RMD160: 7e913d60ac02c815edac6ab0614f5dc40618c073
Filesize: 5644.276 KB

Version history: (Expand)

(2017-07-23) Updated to version: apache-2.2.34
(2017-07-04) Package added to pkgsrc.se, version apache-2.2.32 (created)

CVS history: (Expand)

2017-07-23 18:35:18 by S.P.Zeidler | Files touched by this commit (2) | Package updated

Log message:
Pullup ticket #5520 - requested by taca
www/apache22: security update

Revisions pulled up:
- www/apache22/Makefile                                         1.113
- www/apache22/distinfo                                         1.67

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Wed Jul 12 07:00:40 UTC 2017

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo

   Log message:
   Changes with Apache 2.2.34

     *) Allow single-char field names inadvertantly disallowed in 2.2.32.

   Changes with Apache 2.2.33 (not released)

     *) SECURITY: CVE-2017-7668 (cve.mitre.org)
        The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
        bug in token list parsing, which allows ap_find_token() to search past
        the end of its input string. By maliciously crafting a sequence of
        request headers, an attacker may be able to cause a segmentation fault,
        or to force ap_find_token() to return an incorrect value.

     *) SECURITY: CVE-2017-3169 (cve.mitre.org)
        mod_ssl may dereference a NULL pointer when third-party modules call
        ap_hook_process_connection() during an HTTP request to an HTTPS port.

     *) SECURITY: CVE-2017-3167 (cve.mitre.org)
        Use of the ap_get_basic_auth_pw() by third-party modules outside of the
        authentication phase may lead to authentication requirements being
        bypassed.

     *) SECURITY: CVE-2017-7679 (cve.mitre.org)
        mod_mime can read one byte past the end of a buffer when sending a
        malicious Content-Type response header.

     *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.

   To generate a diff of this commit:
   cvs rdiff -u -r1.112 -r1.113 pkgsrc/www/apache22/Makefile
   cvs rdiff -u -r1.66 -r1.67 pkgsrc/www/apache22/distinfo