Path to this page:
Next | Query returned 1 messages, browsing 1 to 10 | previous
CVS Commit History:
2017-07-23 18:35:18 by S.P.Zeidler | Files touched by this commit (2) | |
Log message:
Pullup ticket #5520 - requested by taca
www/apache22: security update
Revisions pulled up:
- www/apache22/Makefile 1.113
- www/apache22/distinfo 1.67
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: adam
Date: Wed Jul 12 07:00:40 UTC 2017
Modified Files:
pkgsrc/www/apache22: Makefile distinfo
Log message:
Changes with Apache 2.2.34
*) Allow single-char field names inadvertantly disallowed in 2.2.32.
Changes with Apache 2.2.33 (not released)
*) SECURITY: CVE-2017-7668 (cve.mitre.org)
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.
*) SECURITY: CVE-2017-3169 (cve.mitre.org)
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
*) SECURITY: CVE-2017-3167 (cve.mitre.org)
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.
*) SECURITY: CVE-2017-7679 (cve.mitre.org)
mod_mime can read one byte past the end of a buffer when sending a
malicious Content-Type response header.
*) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
To generate a diff of this commit:
cvs rdiff -u -r1.112 -r1.113 pkgsrc/www/apache22/Makefile
cvs rdiff -u -r1.66 -r1.67 pkgsrc/www/apache22/distinfo
|
Next | Query returned 1 messages, browsing 1 to 10 | previous