Subject: CVS commit: pkgsrc/www/apache2
From: OBATA Akio
Date: 2013-08-04 04:45:42
Message id: 20130804024542.3FF9896@cvs.netbsd.org

Log Message:
Update apache2 to 2.0.65.

Changes with Apache 2.0.65

  *) SECURITY: CVE-2013-1862 (cve.mitre.org)
     mod_rewrite: Ensure that client data written to the RewriteLog is
     escaped to prevent terminal escape sequences from entering the
     log file.  [Eric Covener, Jeff Trawick, Joe Orton]

  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
     Fix an issue in error responses that could expose "httpOnly" cookies
     when no custom ErrorDocument is specified for status code 400.
     [Eric Covener]

  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
     Fix scoreboard issue which could allow an unprivileged child process
     to cause the parent to crash at shutdown rather than terminate
     cleanly.  [Joe Orton]

  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
     Reject requests where the request-URI does not match the HTTP
     specification, preventing unexpected expansion of target URLs in
     some reverse proxy configurations.  [Joe Orton]

  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
     core: Fix handling of byte-range requests to use less memory, to avoid
     denial of service. If the sum of all ranges in a request is larger than
     the original file, ignore the ranges and send the complete file.
     bug#51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem,
     Eric Covener, <lowprio20 gmail.com>]

  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
     is enabled, could allow local users to gain privileges via a .htaccess
     file. [Stefan Fritsch, Greg Ames]

       NOTE: it remains possible to exhaust all memory using a carefully
       crafted .htaccess rule, which will not be addressed in 2.0; enabling
       processing of .htaccess files authored by untrusted users is the root
       of such security risks.  Upgrade to httpd 2.2.25 or later to limit
       this specific risk.

  *) core: Add MaxRanges directive to control the number of ranges permitted
     before returning the entire resource, with a default limit of 200.
     [Eric Covener, Rainer Jung]

  *) Set 'Accept-Ranges: none' in the case Ranges are being ignored with
     MaxRanges none.  [Eric Covener, Rainer Jung]

  *) mod_rewrite: Allow merging RewriteBase down to subdirectories
     if new option 'RewriteOptions MergeBase' is configured.
     [Eric Covener]

  *) mod_rewrite: Fix the RewriteEngine directive to work within a
     location. Previously, once RewriteEngine was switched on globally,
     it was impossible to switch off. [Graham Leggett]

  *) mod_rewrite: Add "AllowAnyURI" option. bug#52774. [Joe Orton]

  *) htdigest: Fix buffer overflow when reading digest password file
     with very long lines. bug#54893. [Rainer Jung]

  *) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
     OpenSSL 0.9.7 flag which uses the server's cipher order rather
     than the client's.  bug#28665.
     [Jim Schneider <jschneid netilla.com>]

  *) mod_include: Prevent a case of SSI timefmt-smashing with filter chains
     including multiple INCLUDES filters. bug#39369 [Joe Orton]

  *) mod_rewrite: When evaluating a proxy rule in directory context, do
     escape the filename by default. bug#46428 [Joe Orton]

  *) Improve platform detection for bundled PCRE by updating config.guess
     and config.sub.  [Rainer Jung]

  *) ssl-std.conf: Disable AECDH ciphers in example config. bug#51363.
     [Rob Stradling <rob comodo com>]

  *) ssl-std.conf: Change the SSLCipherSuite default to a shorter,
     whitelist oriented definition.  [Rainer Jung, Kaspar Brand]

  *) ssl-std.conf: Only select old MSIE browsers for the downgrade
     in http/https behavior.  [Greg Stein, Stefan Fritsch]

Files:
RevisionActionfile
1.143modifypkgsrc/www/apache2/Makefile
1.29modifypkgsrc/www/apache2/Makefile.common
1.59modifypkgsrc/www/apache2/distinfo