Subject: CVS commit: pkgsrc/www/apache
To: None <pkgsrc-changes@netbsd.org>
From: Matthias Scheler <tron@netbsd.org>
List: pkgsrc-changes
Date: 10/04/2002 22:14:04
Module Name: pkgsrc
Committed By: tron
Date: Fri Oct 4 19:14:04 UTC 2002
Modified Files:
pkgsrc/www/apache: Makefile PLIST distinfo
Log Message:
Update "apache" package to version 1.3.27. This version fixes many bugs
discovered in version 1.3.26 including these security fixes:
- SECURITY: CAN-2002-0840 (cve.mitre.org)
Prevent a cross-site scripting vulnerability in the default
error page. The issue could only be exploited if the directive
UseCanonicalName is set to Off and a server is being run at
a domain that allows wildcard DNS. [Matthew Murphy]
- SECURITY CAN-2002-0843 (cve.mitre.org)
Fix some possible overflows in ab.c that could be exploited by
a malicious server. Reported by David Wagner. [Jim Jagielski]
- SECURITY CAN-2002-0839 (cve.mitre.org)
Add the new directive 'ShmemUIDisUser'. By default, Apache
will no longer set the uid/gid of SysV shared memory scoreboard
to User/Group, and it will therefore stay the uid/gid of
the parent Apache process. This is actually the way it should
be, however, some implementations may still require this, which
can be enabled by 'ShmemUIDisUser On'. Reported by iDefense.
[Jim Jagielski]
To generate a diff of this commit:
cvs rdiff -r1.107 -r1.108 pkgsrc/www/apache/Makefile
cvs rdiff -r1.6 -r1.7 pkgsrc/www/apache/PLIST
cvs rdiff -r1.22 -r1.23 pkgsrc/www/apache/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.