pkgsrc-Changes-HG archive

[pkgsrc/pkgsrc-2007Q4]: pkgsrc Pullup ticket 2278 - requested by taca



details:   https://anonhg.NetBSD.org/pkgsrc/rev/54c5e923745f
branches:  pkgsrc-2007Q4
changeset: 537043:54c5e923745f
user:      ghen <ghen%pkgsrc.org@localhost>
date:      Tue Jan 29 13:54:20 2008 +0000

description:
Pullup ticket 2278 - requested by taca
security update for apache2

- pkgsrc/devel/apr0/distinfo                            1.3
- pkgsrc/www/apache2/Makefile.common                    1.23, 1.24
- pkgsrc/www/apache2/distinfo                           1.52

   Module Name: pkgsrc
   Committed By:        taca
   Date:                Mon Jan 21 14:30:01 UTC 2008

   Modified Files:
           pkgsrc/www/apache2: Makefile.common

   Log Message:
   Start update of apr0 package to 0.9.17 and apache2 package to 2.0.63.
---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Mon Jan 21 14:33:46 UTC 2008

   Modified Files:
           pkgsrc/devel/apr0: distinfo

   Log Message:
   Update apr0 package to 0.9.17.2.0.63.

   Changes with APR 0.9.17

     *) Fix DSO-related crash on z/OS caused by incorrect memory
        allocation.  [David Jones <oscaremma gmail.com>]

     *) Define apr_ino_t in such a way that it doesn't change definition
        based on the library consumer's -D'efines to the filesystem.
        [Lucian Adrian Grijincu <lucian.grijincu gmail.com>]

     *) Cause apr_file_dup2() on Win32 to update the MSVCRT pseudo-stdio
        handles for fd-based and FILE * based I/O.  [William Rowe]

     *) Revert Win32 to the 0.9.14 behavior of apr_proc_create() for any
        of the three stdio streams which are not initialized, through either
        apr_procattr_io_set() or apr_procattr_child_XXX_set(), when given a
        procattr_t with one or two streams which were initialized through
        apr_procattr_child_XXX_set().  Once again, these do not inherit the
        parent process stdio stream to WIN32 child processes (passing
        INVALID_HANDLE_VALUE instead) as on Unix.  Note APR 1.3.0 adopts
        the Unix behavior of inheriting any uninitialized streams as the
        parent's corresponding stdio stream, in such cases.  [William Rowe]
---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Mon Jan 21 14:37:22 UTC 2008

   Modified Files:
           pkgsrc/www/apache2: Makefile distinfo

   Log Message:
   Update apache package to 2.0.63.

   Changes with Apache 2.0.63

     *) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
        to /Device/Nul as the server is starting up, mirroring unix MPM's.
        PR: 43534  [Tom Donovan <Tom.Donovan acm.org>, William Rowe]

     *) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
        by recreating the bucket allocator each time the trans pool is cleared.
        PR: 11427 #16 (follow-on)  [Tom Donovan <Tom.Donovan acm.org>]

   Changes with Apache 2.0.62 (not released)

     *) SECURITY: CVE-2007-6388 (cve.mitre.org)
        mod_status: Ensure refresh parameter is numeric to prevent
        a possible XSS attack caused by redirecting to other URLs.
        Reported by SecurityReason.  [Mark Cox, Joe Orton]

     *) SECURITY: CVE-2007-5000 (cve.mitre.org)
        mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
        [Joe Orton]

     *) Introduce the ProxyFtpDirCharset directive, allowing the administrator
        to identify a default, or specific servers or paths which list their
        contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]

     *) log.c: Ensure Win32 resurrects its lost robust logger processes.
        [William Rowe]

     *) mpm_winnt: Eliminate wait_for_many_objects.  Allows the clean
        shutdown of the server when the MaxClients is higher than 257,
        in a more responsive manner [Mladen Turk, William Rowe]

     *) Add explicit charset to the output of various modules to work around
        possible cross-site scripting flaws affecting web browsers that do not
        derive the response character set as required by RFC2616.  One of these
        reported by SecurityReason [Joe Orton]

     *) http_protocol: Escape request method in 405 error reporting.
        This has no security impact since the browser cannot be tricked
        into sending arbitrary method strings.  [Jeff Trawick]

     *) http_protocol: Escape request method in 413 error reporting.
        Determined to be not generally exploitable, but a flaw in any case.
        PR 44014 [Victor Stinner <victor.stinner inl.fr>]
---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Mon Jan 21 14:38:29 UTC 2008

   Modified Files:
           pkgsrc/www/apache2: Makefile.common

   Log Message:
   Add comment that this file is used by devel/apr0/Makefile detected
   by pkglint.

diffstat:

 devel/apr0/distinfo         |  8 ++++----
 www/apache2/Makefile.common |  8 +++++---
 www/apache2/distinfo        |  8 ++++----
 3 files changed, 13 insertions(+), 11 deletions(-)

diffs (52 lines):

diff -r 2b0db2642df5 -r 54c5e923745f devel/apr0/distinfo
--- a/devel/apr0/distinfo       Tue Jan 15 09:03:55 2008 +0000
+++ b/devel/apr0/distinfo       Tue Jan 29 13:54:20 2008 +0000
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.2 2007/09/07 23:11:41 tron Exp $
+$NetBSD: distinfo,v 1.2.4.1 2008/01/29 13:54:20 ghen Exp $
 
-SHA1 (httpd-2.0.61.tar.bz2) = 665017829022d287ffe3cec749e2b5b61252d7b4
-RMD160 (httpd-2.0.61.tar.bz2) = a2c2c90976a967112a9129b9716d880d71261882
-Size (httpd-2.0.61.tar.bz2) = 4580339 bytes
+SHA1 (httpd-2.0.63.tar.bz2) = 20e2b64944e38e96491af788a37cb709d2c5b755
+RMD160 (httpd-2.0.63.tar.bz2) = f6a7de59860f627ac40b245fcf742fb07e1b4870
+Size (httpd-2.0.63.tar.bz2) = 4587670 bytes
 SHA1 (patch-aa) = c84bdb6bcb14bf6bc7ea0d8f13334dd8c3ef2ef9
 SHA1 (patch-an) = 76d9ac0cdddec7c0f41535baee63bf0aa26ed596
 SHA1 (patch-ao) = e35630af53a78fce9aa5347a81cb1bcf8fb3058e
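Review bot: The patch-aa, patch-an and patch-ao SHA1 lines in the trailing context are carried over unchanged while the distfile entries move from httpd-2.0.61.tar.bz2 to httpd-2.0.63.tar.bz2, so nothing in this hunk shows that the local patches were re-tested against the new tarball; confirm on the branch that they still apply without fuzz or offsets. The new SHA1, RMD160 and Size values should also be compared against upstream's signed release rather than only regenerated from the downloaded file, since these lines are what the fetched distfile is verified against.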
diff -r 2b0db2642df5 -r 54c5e923745f www/apache2/Makefile.common
--- a/www/apache2/Makefile.common       Tue Jan 15 09:03:55 2008 +0000
+++ b/www/apache2/Makefile.common       Tue Jan 29 13:54:20 2008 +0000
@@ -1,11 +1,13 @@
-# $NetBSD: Makefile.common,v 1.22 2007/09/07 23:11:40 tron Exp $
+# $NetBSD: Makefile.common,v 1.22.4.1 2008/01/29 13:54:20 ghen Exp $
+
+# used by devel/apr0/Makefile
 
 DISTNAME=              httpd-${APACHE_VERSION}
 EXTRACT_SUFX=          .tar.bz2
 # When updating this version be sure to update the checksum and remove
 # any PKGREVISION for devel/apr also.
-APACHE_VERSION=                2.0.61
-APR_VERSION=           0.9.16
+APACHE_VERSION=                2.0.63
+APR_VERSION=           0.9.17
 MASTER_SITES=          ${MASTER_SITE_APACHE:=httpd/} \
                        ${MASTER_SITE_APACHE:=httpd/old/} \
                        http://www.NetBSD.org/images/logos/
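Review bot: The context comment "be sure to update the checksum and remove any PKGREVISION for devel/apr also" is not visibly honoured by this pullup: the original log lists www/apache2/Makefile among the modified files, but the diffstat covers only Makefile.common and the two distinfo files, so any PKGREVISION left in www/apache2/Makefile or devel/apr0/Makefile on pkgsrc-2007Q4 would survive the version bump. Check both Makefiles on the branch and pull up the PKGREVISION removal if one is set. The same comment still says devel/apr while the added line says "used by devel/apr0/Makefile"; make the two agree.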
diff -r 2b0db2642df5 -r 54c5e923745f www/apache2/distinfo
--- a/www/apache2/distinfo      Tue Jan 15 09:03:55 2008 +0000
+++ b/www/apache2/distinfo      Tue Jan 29 13:54:20 2008 +0000
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.51 2007/09/07 23:11:40 tron Exp $
+$NetBSD: distinfo,v 1.51.4.1 2008/01/29 13:54:20 ghen Exp $
 
-SHA1 (httpd-2.0.61.tar.bz2) = 665017829022d287ffe3cec749e2b5b61252d7b4
-RMD160 (httpd-2.0.61.tar.bz2) = a2c2c90976a967112a9129b9716d880d71261882
-Size (httpd-2.0.61.tar.bz2) = 4580339 bytes
+SHA1 (httpd-2.0.63.tar.bz2) = 20e2b64944e38e96491af788a37cb709d2c5b755
+RMD160 (httpd-2.0.63.tar.bz2) = f6a7de59860f627ac40b245fcf742fb07e1b4870
+Size (httpd-2.0.63.tar.bz2) = 4587670 bytes
 SHA1 (patch-aa) = bff1ef591f5361e7169ff9005dcf86437b9dac23
 SHA1 (patch-ab) = 387892276efd49fd081a187c1123de26fb6486ba
 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
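Review bot: The three httpd-2.0.63.tar.bz2 lines added here are a second hand-maintained copy of the ones added to devel/apr0/distinfo, and the two copies must stay identical because both packages fetch the same distfile named in Makefile.common. They match in this changeset, but nothing in the diff enforces it, so a later update that regenerates only one distinfo would leave the other package verifying against stale checksums; regenerate both in the same commit and compare the SHA1, RMD160 and Size lines before committing.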
