Subject: CVS commit: [pkgsrc-2009Q4] pkgsrc/www/apache22
From: Matthias Scheler
Date: 2010-03-28 15:02:33
Message id: 20100328130233.E6D3B175DF@cvs.netbsd.org

Log Message:
Pullup ticket #3068 - requested by taca
apache22: security update

Revisions pulled up:
- www/apache22/Makefile				1.56
- www/apache22/PLIST				1.16
- www/apache22/distinfo				1.30-1.31
- www/apache22/patches/patch-aq			delete
- www/apache22/patches/patch-as			delete
- www/apache22/patches/patch-au			delete
---
Module Name:	pkgsrc
Committed By:	taca
Date:		Fri Mar  5 00:22:59 UTC 2010

Modified Files:
	pkgsrc/www/apache22: distinfo
Removed Files:
	pkgsrc/www/apache22/patches: patch-aq patch-as patch-au

Log Message:
Remove CVE-2007-3304 related patches.  CVE-2007-3304 was fixed
in Apache 2.2.6 and these patches are no-ops.
---
Module Name:	pkgsrc
Committed By:	taca
Date:		Tue Mar  9 02:30:15 UTC 2010

Modified Files:
	pkgsrc/www/apache22: Makefile PLIST distinfo

Log Message:
Update apache22 package to 2.2.15.

For full change information, please refer to:
http://www.apache.org/dist/httpd/Announcement2.2.html.

Here are the security-related changes from the ChangeLog
(http://www.apache.org/dist/httpd/CHANGES_2.2.15).

Changes with Apache 2.2.15

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola <niku.toivola sulake.com>]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]

Files:
Revision    Action    File
1.54.2.1    modify    pkgsrc/www/apache22/Makefile
1.15.2.1    modify    pkgsrc/www/apache22/PLIST
1.29.2.1    modify    pkgsrc/www/apache22/distinfo
1.1         remove    pkgsrc/www/apache22/patches/patch-aq
1.1         remove    pkgsrc/www/apache22/patches/patch-as
1.1         remove    pkgsrc/www/apache22/patches/patch-au