Subject: CVS commit: pkgsrc/www/apache2
To: None <>
From: Martti Kuparinen <>
List: pkgsrc-changes
Date: 08/29/2002 17:12:30
Module Name:	pkgsrc
Committed By:	martti
Date:		Thu Aug 29 14:12:29 UTC 2002

Modified Files:
	pkgsrc/www/apache2: Makefile PLIST distinfo
	pkgsrc/www/apache2/patches: patch-aa patch-al patch-an patch-ao

Log Message:
Updated apache to 2.0.40

  *  SECURITY: [CAN-2002-0661] Close a very significant security hole that
     applies only to the Win32, OS2 and Netware platforms.  Unix was not
     affected, Cygwin may be affected.  Certain URIs will bypass security
     and allow users to invoke or access any file depending on the system
     configuration.  Without upgrading, a single .conf change will close
     the vulnerability.  Add the following directive in the global server
     httpd.conf context before any other Alias or Redirect directives;
         RedirectMatch 400 "\\\.\."
     Reported by Auriemma Luigi <>.
     [Brad Nicholes]

  *  SECURITY:  Close a path-revealing exposure in multiview type
     map negotiation (such as the default error documents) where the
     module would report the full path of the typemapped .var file when
     multiple documents or no documents could be served based on the mime
     negotiation.  Reported by Auriemma Luigi <>.
     [CAN-2002-0654]  [William Rowe]

  *  SECURITY:  Close a path-revealing exposure in cgi/cgid when we
     fail to invoke a script.  The modules would report "couldn't create
     child process /path-to-script/" revealing the full path
     of the script.  Reported by Jim Race <>.
     [CAN-2002-0654]  [Bill Stoddard]

  *  More bug fixes (see the CHANGES file)

To generate a diff of this commit:
cvs rdiff -r1.11 -r1.12 pkgsrc/www/apache2/Makefile
cvs rdiff -r1.6 -r1.7 pkgsrc/www/apache2/PLIST
cvs rdiff -r1.9 -r1.10 pkgsrc/www/apache2/distinfo
cvs rdiff -r1.6 -r1.7 pkgsrc/www/apache2/patches/patch-aa
cvs rdiff -r1.1 -r1.2 pkgsrc/www/apache2/patches/patch-al
cvs rdiff -r1.3 -r1.4 pkgsrc/www/apache2/patches/patch-an \

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.