Subject: CVS commit: pkgsrc/www/apache
To: None <pkgsrc-changes@netbsd.org>
From: Matthias Scheler <tron@netbsd.org>
List: pkgsrc-changes
Date: 10/04/2002 22:14:04
Module Name:	pkgsrc
Committed By:	tron
Date:		Fri Oct  4 19:14:04 UTC 2002

Modified Files:
	pkgsrc/www/apache: Makefile PLIST distinfo

Log Message:
Update "apache" package to version 1.3.27. This version fixes many bugs
discovered in version 1.3.26 including these security fixes:
- SECURITY: CAN-2002-0840 (cve.mitre.org)
  Prevent a cross-site scripting vulnerability in the default
  error page.  The issue could only be exploited if the directive
  UseCanonicalName is set to Off and a server is being run at
  a domain that allows wildcard DNS.  [Matthew Murphy]
- SECURITY: CAN-2002-0843 (cve.mitre.org)
  Fix some possible overflows in ab.c that could be exploited by
  a malicious server. Reported by David Wagner. [Jim Jagielski]
- SECURITY: CAN-2002-0839 (cve.mitre.org)
  Add the new directive 'ShmemUIDisUser'. By default, Apache
  will no longer set the uid/gid of SysV shared memory scoreboard
  to User/Group, and it will therefore stay the uid/gid of
  the parent Apache process. This is actually the way it should
  be, however, some implementations may still require this, which
  can be enabled by 'ShmemUIDisUser On'.  Reported by iDefense.
  [Jim Jagielski]


To generate a diff of this commit:
cvs rdiff -r1.107 -r1.108 pkgsrc/www/apache/Makefile
cvs rdiff -r1.6 -r1.7 pkgsrc/www/apache/PLIST
cvs rdiff -r1.22 -r1.23 pkgsrc/www/apache/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.