Subject: CVS commit: pkgsrc/www/apache
To: None <pkgsrc-changes@NetBSD.org>
From: Takahiro Kambe <taca@netbsd.org>
List: pkgsrc-changes
Date: 05/13/2004 11:39:10
Module Name:	pkgsrc
Committed By:	taca
Date:		Thu May 13 11:39:10 UTC 2004

Modified Files:
	pkgsrc/www/apache: Makefile PLIST distinfo
Removed Files:
	pkgsrc/www/apache/patches: patch-ap patch-aq patch-ar patch-as

Log Message:
Update apache package to 1.3.31.

                     Apache 1.3.31 Major changes

  Security vulnerabilities

     * CAN-2003-0987 (cve.mitre.org)
       In mod_digest, verify whether the nonce returned in the client
       response is one we issued ourselves.  This problem does not affect
       mod_auth_digest.

     * CAN-2003-0020 (cve.mitre.org)
       Escape arbitrary data before writing into the errorlog.

     * CAN-2004-0174 (cve.mitre.org)
       Fix starvation issue on listening sockets where a short-lived
       connection on a rarely-accessed listening socket will cause a
       child to hold the accept mutex and block out new connections until
       another connection arrives on that rarely-accessed listening socket.

     * CAN-2003-0993 (cve.mitre.org)
       Fix parsing of Allow/Deny rules using IP addresses without a
       netmask; issue is only known to affect big-endian 64-bit
       platforms.

  New features

   New features that relate to specific platforms:

     * Linux 2.4+: If Apache is started as root and you code
       CoreDumpDirectory, core dumps are enabled via the prctl() syscall.

   New features that relate to all platforms:

     * Add mod_whatkilledus and mod_backtrace (experimental) for
       reporting diagnostic information after a child process crash.

     * Add fatal exception hook for running diagnostic code after a
       crash.

     * Forensic logging module added (mod_log_forensic).

     * '%X' is now accepted as an alias for '%c' in the
       LogFormat directive. This allows you to configure logging
       to still log the connection status even with mod_ssl.

  Bugs fixed

   The following noteworthy bugs were found in Apache 1.3.29 (or earlier)
   and have been fixed in Apache 1.3.31:

     * Fix memory corruption problem with ap_custom_response() function.
       The core per-dir config would later point to request pool data
       that would be reused for different purposes on different requests.

     * mod_usertrack no longer inspects the Cookie2 header for
       the cookie name. It also no longer overwrites other cookies.

     * Fix bug causing core dump when using CookieTracking without
       specifying a CookieName directly.

     * UseCanonicalName off was ignoring the client provided
       port information.


To generate a diff of this commit:
cvs rdiff -r1.144 -r1.145 pkgsrc/www/apache/Makefile
cvs rdiff -r1.10 -r1.11 pkgsrc/www/apache/PLIST
cvs rdiff -r1.32 -r1.33 pkgsrc/www/apache/distinfo
cvs rdiff -r1.3 -r0 pkgsrc/www/apache/patches/patch-ap \
    pkgsrc/www/apache/patches/patch-aq pkgsrc/www/apache/patches/patch-ar \
    pkgsrc/www/apache/patches/patch-as

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.