head 1.6; access; symbols pkgsrc-2013Q2:1.6.0.44 pkgsrc-2013Q2-base:1.6 pkgsrc-2012Q4:1.6.0.42 pkgsrc-2012Q4-base:1.6 pkgsrc-2011Q4:1.6.0.40 pkgsrc-2011Q4-base:1.6 pkgsrc-2011Q2:1.6.0.38 pkgsrc-2011Q2-base:1.6 pkgsrc-2009Q4:1.6.0.36 pkgsrc-2009Q4-base:1.6 pkgsrc-2008Q4:1.6.0.34 pkgsrc-2008Q4-base:1.6 pkgsrc-2008Q3:1.6.0.32 pkgsrc-2008Q3-base:1.6 cube-native-xorg:1.6.0.30 cube-native-xorg-base:1.6 pkgsrc-2008Q2:1.6.0.28 pkgsrc-2008Q2-base:1.6 pkgsrc-2008Q1:1.6.0.26 pkgsrc-2008Q1-base:1.6 pkgsrc-2007Q4:1.6.0.24 pkgsrc-2007Q4-base:1.6 pkgsrc-2007Q3:1.6.0.22 pkgsrc-2007Q3-base:1.6 pkgsrc-2007Q2:1.6.0.20 pkgsrc-2007Q2-base:1.6 pkgsrc-2007Q1:1.6.0.18 pkgsrc-2007Q1-base:1.6 pkgsrc-2006Q4:1.6.0.16 pkgsrc-2006Q4-base:1.6 pkgsrc-2006Q3:1.6.0.14 pkgsrc-2006Q3-base:1.6 pkgsrc-2006Q2:1.6.0.12 pkgsrc-2006Q2-base:1.6 pkgsrc-2006Q1:1.6.0.10 pkgsrc-2006Q1-base:1.6 pkgsrc-2005Q4:1.6.0.8 pkgsrc-2005Q4-base:1.6 pkgsrc-2005Q3:1.6.0.6 pkgsrc-2005Q3-base:1.6 pkgsrc-2005Q2:1.6.0.4 pkgsrc-2005Q2-base:1.6 pkgsrc-2005Q1:1.6.0.2 pkgsrc-2005Q1-base:1.6 pkgsrc-2004Q4:1.5.0.2 pkgsrc-2004Q4-base:1.5 pkgsrc-2004Q3:1.4.0.2 pkgsrc-2004Q3-base:1.4 pkgsrc-2004Q2:1.1.0.2 pkgsrc-2004Q2-base:1.1; locks; strict; comment @# @; 1.6 date 2005.02.09.14.57.52; author tron; state dead; branches; next 1.5; 1.5 date 2004.12.18.08.42.12; author adrianp; state Exp; branches 1.5.2.1; next 1.4; 1.4 date 2004.09.20.17.19.34; author adrianp; state dead; branches; next 1.3; 1.3 date 2004.09.07.19.43.03; author adrianp; state Exp; branches; next 1.2; 1.2 date 2004.07.14.08.28.51; author adrianp; state dead; branches; next 1.1; 1.1 date 2004.06.05.16.21.44; author taca; state Exp; branches 1.1.2.1; next ; 1.5.2.1 date 2005.02.10.15.22.24; author salo; state dead; branches; next ; 1.1.2.1 date 2004.07.14.12.39.00; author agc; state dead; branches; next ; desc @@ 1.6 log @Update "apache2" package to version 2.0.53. Changes since version 2.0.52: - Fix --with-apr=/usr and/or --with-apr-util=/usr. Problem report 29740. [Max Bowsher ] - mod_proxy: Fix ProxyRemoteMatch directive. Problem report 33170. [Rici Lake ] - mod_proxy: Respect errors reported by pre_connection hooks. [Jeff Trawick] - --with-module can now take more than one module to be statically linked: --with-module=:,:,... If the -subdirectory doesn't exist it will be created and populated with a standard Makefile.in. [Erik Abele] - Fix the RPM spec file so that an RPM build now works. An RPM build now requires system installations of APR and APR-util. Remove some arbitrary moving around of binaries - the RPM now maps to the ASF build of httpd. [Graham Leggett] - mod_dumpio, an I/O logging/dumping module, added to the modules/expermimental subdirectory. [Jim Jagielski] - mod_auth_ldap: Handle the inconsistent way in which the MS LDAP library handles special characters. Problem report 24437. [Jess Holle] - Win32 MPM: Correct typo in debugging output. [William Rowe] - conf: Remove AddDefaultCharset from the default configuration because setting a site-wide default does more harm than good. Problem report 23421. [Roy Fielding] - Add charset to example CGI scripts. [Roy Fielding] - mod_ssl: fail quickly if SSL connection is aborted rather than making many doomed ap_pass_brigade calls. Problem report 32699. [Joe Orton] - Remove compiled-in upper limit on LimitRequestFieldSize. [Bill Stoddard] - Start keeping track of time-taken-to-process-request again for mod_status if ExtendedStatus is enabled. [Jim Jagielski] - mod_proxy: Handle client-aborted connections correctly. Problem report 32443. [Janne Hietamäki, Joe Orton] - Fix handling of files >2Gb on all platforms (or builds) where apr_off_t is larger than apr_size_t. Problem report 28898. [Joe Orton] - mod_include: Fix bug which could truncate variable expansions of N*64 characters by one byte. Problem report 32985. [Joe Orton] - Correct handling of certain bucket types in ap_save_brigade, fixing possible segfaults in mod_cgi with #include virtual. Problem report 31247. [Joe Orton] - Allow for the use of --with-module=foo:bar where the ./modules/foo directory is local only. Assumes, of course, that the required files are in ./modules/foo, but makes it easier to statically build/log "external" modules. [Jim Jagielski] - Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that ldap authorization only modules have access to the util_ldap user cache without having to require ldap authentication as well. Problem report 31898. [Jari Ahonen jah progress.com, Brad Nicholes] - mod_auth_ldap: Added the directive "Requires ldap-attribute" that allows the module to only authorize a user if the attribute value specified matches the value of the user object. Problem report 31913 [Ryan Morgan ] - SECURITY: CAN-2004-0942 (cve.mitre.org) Fix for memory consumption DoS in handling of MIME folded request headers. [Joe Orton] - SECURITY: CAN-2004-0885 (cve.mitre.org) mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be bypassed during an SSL renegotiation. Problem report 31505. [Hartmut Keil , Joe Orton] - mod_ssl: Fail at startup rather than segfault at runtime if a client cert is configured with an encrypted private key. Problem report 24030. [Joe Orton] - apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". Problem report 31448 [Joe Orton] - mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d. [Jeff Trawick] - mod_cache: CacheDisable will only disable the URLs it was meant to disable, not all caching. Problem report 31128. [Edward Rudd , Paul Querna] - mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale cache responses. [Justin Erenkrantz] - mod_rewrite: Handle per-location rules when r->filename is unset. Previously this would segfault or simply not match as expected, depending on the platform. [Jeff Trawick] - mod_rewrite: Fix 0 bytes write into random memory position. Problem report 31036. [André Malo] - mod_disk_cache: Do not store aborted content. Problem report 21492. [Rüdiger Plüm ] - mod_disk_cache: Correctly store cached content type. Problem report 30278. [Rüdiger Plüm ] - mod_ldap: prevent the possiblity of an infinite loop in the LDAP statistics display. Problem report 29216. [Graham Leggett] - mod_ldap: fix a bogus error message to tell the user which file is causing a potential problem with the LDAP shared memory cache. Problem report 31431 [Graham Leggett] - mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz] - Fix the re-linking issue when purging elements from the LDAP cache Problem report 24801. [Jess Holle ] - mod_disk_cache: Fix races in saving responses. [Justin Erenkrantz] - Fix Expires handling in mod_cache. [Justin Erenkrantz] - Alter mod_expires to run at a different filter priority to allow proper Expires storage by mod_cache. [Justin Erenkrantz] @ text @$NetBSD: patch-as,v 1.5 2004/12/18 08:42:12 adrianp Exp $ --- modules/ssl/ssl_engine_kernel.c.orig 2004-12-18 07:10:37.000000000 +0000 +++ modules/ssl/ssl_engine_kernel.c 2004-12-18 07:13:50.000000000 +0000 @@@@ -719,6 +719,21 @@@@ X509_free(peercert); } } + + /* + * Also check that SSLCipherSuite has been enforced as expected. + */ + if (cipher_list) { + cipher = SSL_get_current_cipher(ssl); + if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "SSL cipher suite not renegotiated: " + "access to %s denied using cipher %s", + r->filename, + SSL_CIPHER_get_name(cipher)); + return HTTP_FORBIDDEN; + } + } } /* @ 1.5 log @- Bump to nb5 to specifically address a new apache vuln: http://issues.apache.org/bugzilla/show_bug.cgi?id=31505 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885 - Changes backported from apache CVS HEAD: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.110&r2=1.111 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_init.c?r1=1.128&r2=1.129 @ text @d1 1 a1 1 $NetBSD$ @ 1.5.2.1 log @Pullup ticket 277 - requested by Matthias Scheler security fix for apache2 Revisions pulled up: - pkgsrc/devel/apr/Makefile 1.31 - pkgsrc/devel/apr/distinfo 1.11 - pkgsrc/www/apache2/Makefile 1.66 (merged by hand) - pkgsrc/www/apache2/Makefile.common 1.13 - pkgsrc/www/apache2/PLIST 1.27 - pkgsrc/www/apache2/distinfo 1.36 (merged by hand) - pkgsrc/www/apache2/patches/patch-aa 1.14 - pkgsrc/www/apache2/patches/patch-as removed - pkgsrc/www/apache2/patches/patch-at removed Module Name: pkgsrc Committed By: tron Date: Wed Feb 9 14:52:12 UTC 2005 Modified Files: pkgsrc/devel/apr: Makefile distinfo Log Message: Update "apr" package to version 0.9.6.2.0.53. Changes since version 0.9.5.2.0.52: - Add apr_threadattr_stacksize_set() for overriding the default stack size for threads created by apr_thread_create(). - Add an RPM spec file. - Add a build script to create a solaris package. --- Module Name: pkgsrc Committed By: tron Date: Wed Feb 9 14:57:52 UTC 2005 Modified Files: pkgsrc/www/apache2: Makefile Makefile.common PLIST distinfo pkgsrc/www/apache2/patches: patch-aa Removed Files: pkgsrc/www/apache2/patches: patch-as patch-at Log Message: Update "apache2" package to version 2.0.53. Changes since version 2.0.52: - Fix --with-apr=/usr and/or --with-apr-util=/usr. Bug report 29740. [Max Bowsher ] - mod_proxy: Fix ProxyRemoteMatch directive. Bug report 33170. [Rici Lake ] - mod_proxy: Respect errors reported by pre_connection hooks. [Jeff Trawick] - --with-module can now take more than one module to be statically linked: --with-module=:,:,... If the -subdirectory doesn't exist it will be created and populated with a standard Makefile.in. [Erik Abele] - Fix the RPM spec file so that an RPM build now works. An RPM build now requires system installations of APR and APR-util. Remove some arbitrary moving around of binaries - the RPM now maps to the ASF build of httpd. [Graham Leggett] - mod_dumpio, an I/O logging/dumping module, added to the modules/expermimental subdirectory. [Jim Jagielski] - mod_auth_ldap: Handle the inconsistent way in which the MS LDAP library handles special characters. Bug report 24437. [Jess Holle] - Win32 MPM: Correct typo in debugging output. [William Rowe] - conf: Remove AddDefaultCharset from the default configuration because setting a site-wide default does more harm than good. Bug report 23421. [Roy Fielding] - Add charset to example CGI scripts. [Roy Fielding] - mod_ssl: fail quickly if SSL connection is aborted rather than making many doomed ap_pass_brigade calls. Bug report 32699. [Joe Orton] - Remove compiled-in upper limit on LimitRequestFieldSize. [Bill Stoddard] - Start keeping track of time-taken-to-process-request again for mod_status if ExtendedStatus is enabled. [Jim Jagielski] - mod_proxy: Handle client-aborted connections correctly. Bug report 32443. [Janne Hietamäki, Joe Orton] - Fix handling of files >2Gb on all platforms (or builds) where apr_off_t is larger than apr_size_t. Bug report 28898. [Joe Orton] - mod_include: Fix bug which could truncate variable expansions of N*64 characters by one byte. Bug report 32985. [Joe Orton] - Correct handling of certain bucket types in ap_save_brigade, fixing possible segfaults in mod_cgi with #include virtual. Bug report 31247. [Joe Orton] - Allow for the use of --with-module=foo:bar where the ./modules/foo directory is local only. Assumes, of course, that the required files are in ./modules/foo, but makes it easier to statically build/log "external" modules. [Jim Jagielski] - Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that ldap authorization only modules have access to the util_ldap user cache without having to require ldap authentication as well. Bug report 31898. [Jari Ahonen jah progress.com, Brad Nicholes] - mod_auth_ldap: Added the directive "Requires ldap-attribute" that allows the module to only authorize a user if the attribute value specified matches the value of the user object. Bug report 31913 [Ryan Morgan ] - SECURITY: CAN-2004-0942 (cve.mitre.org) Fix for memory consumption DoS in handling of MIME folded request headers. [Joe Orton] - SECURITY: CAN-2004-0885 (cve.mitre.org) mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be bypassed during an SSL renegotiation. Bug report 31505. [Hartmut Keil , Joe Orton] - mod_ssl: Fail at startup rather than segfault at runtime if a client cert is configured with an encrypted private key. Bug report 24030. [Joe Orton] - apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". Bug report 31448 [Joe Orton] - mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d. [Jeff Trawick] - mod_cache: CacheDisable will only disable the URLs it was meant to disable, not all caching. Bug report 31128. [Edward Rudd , Paul Querna] - mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale cache responses. [Justin Erenkrantz] - mod_rewrite: Handle per-location rules when r->filename is unset. Previously this would segfault or simply not match as expected, depending on the platform. [Jeff Trawick] - mod_rewrite: Fix 0 bytes write into random memory position. Bug report 31036. [André Malo] - mod_disk_cache: Do not store aborted content. Bug report 21492. [Rüdiger Plüm ] - mod_disk_cache: Correctly store cached content type. Bug report 30278. [Rüdiger Plüm ] - mod_ldap: prevent the possiblity of an infinite loop in the LDAP statistics display. Bug report 29216. [Graham Leggett] - mod_ldap: fix a bogus error message to tell the user which file is causing a potential problem with the LDAP shared memory cache. Bug report 31431 [Graham Leggett] - mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz] - Fix the re-linking issue when purging elements from the LDAP cache Bug report 24801. [Jess Holle ] - mod_disk_cache: Fix races in saving responses. [Justin Erenkrantz] - Fix Expires handling in mod_cache. [Justin Erenkrantz] - Alter mod_expires to run at a different filter priority to allow proper Expires storage by mod_cache. [Justin Erenkrantz] @ text @d1 1 a1 1 $NetBSD: patch-as,v 1.5 2004/12/18 08:42:12 adrianp Exp $ @ 1.4 log @- Update apache to 2.0.51 - Remove patch-as and patch-ah as they are now outdated and included in the src - ok'ed snj@@, wiz@@ - Thanks to epg@@ for final check This version of Apache is principally a bug fix release. Of particular note is that 2.0.51 addresses five security vulnerabilities: An input validation issue in IPv6 literal address parsing which can result in a negative length parameter being passed to memcpy. [CAN-2004-0786] A buffer overflow in configuration file parsing could allow a local user to gain the privileges of a httpd child if the server can be forced to parse a carefully crafted .htaccess file. [CAN-2004-0747] A segfault in mod_ssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured. [CAN-2004-0751] A potential infinite loop in mod_ssl which could be triggered given particular timing of a connection abort. [CAN-2004-0748] A segfault in mod_dav_fs which can be remotely triggered by an indirect lock refresh request. [CAN-2004-0809] For further details, see http://www.apache.org/dist/httpd/Announcement2.html and http://apache.rmplc.co.uk/httpd/CHANGES_2.0. @ text @d1 1 a1 1 $NetBSD: patch-as,v 1.3 2004/09/07 19:43:03 adrianp Exp $ d3 5 a7 26 --- modules/ssl/ssl_engine_io.c.orig 2004-09-06 18:25:31.000000000 +0000 +++ modules/ssl/ssl_engine_io.c 2004-09-06 18:27:21.000000000 +0000 @@@@ -562,8 +562,12 @@@@ *len = bytes; if (inctx->mode == AP_MODE_SPECULATIVE) { /* We want to rollback this read. */ - inctx->cbuf.value -= bytes; - inctx->cbuf.length += bytes; + if (inctx->cbuf.length > 0) { + inctx->cbuf.value -= bytes; + inctx->cbuf.length += bytes; + } else { + char_buffer_write(&inctx->cbuf, buf, (int)bytes); + } return APR_SUCCESS; } /* This could probably be *len == wanted, but be safe from stray @@@@ -587,6 +591,10 @@@@ while (1) { if (!inctx->filter_ctx->pssl) { + /* Ensure a non-zero error code is returned */ + if (inctx->rc == APR_SUCCESS) { + inctx->rc = APR_EGENERAL; + } break; d9 16 d26 1 @ 1.3 log @Security update for apache2 with the changes backported from the Apache CVS tree. CAN-2004-0748 http://issues.apache.org/bugzilla/show_bug.cgi?id=29964 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.124&r2=1.125 CAN-2004-0751 http://issues.apache.org/bugzilla/show_bug.cgi?id=30134 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126 @ text @d1 1 a1 1 $NetBSD$ @ 1.2 log @- Update to apache 2.0.50 - Add new build def APACHE_DEFAULT_FILES Changes with Apache 2.0.50 *) SECURITY: CAN-2004-0493 (cve.mitre.org) Close a denial of service vulnerability identified by Georgi Guninski which could lead to memory exhaustion with certain input data. [Jeff Trawick] *) mod_cgi: Handle output on stderr during script execution on Unix platforms; preventing deadlock when stderr output fills pipe buffer. Also fixes case where stderr from nph- scripts could be lost. PR 22030, 18348. [Joe Orton, Jeff Trawick] *) mod_alias now emits a warning if it detects overlapping *Alias* directives. [André Malo] *) mod_rewrite no longer turns forward proxy requests into reverse proxy requests. PR 28125 [ast domdv.de, André Malo] *) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now exported on Win32 and Netware as well (minor MMN bump). PR 28523. [Edward Rudd , André Malo] *) Restore the ability to disable the use of AcceptEx on Win9x systems automatically (broken in 2.0.49). PR 28529. [André Malo] *) now applies to all IP addresses for myhost instead of just the first one reported by the resolver. This corrects a regression since 1.3. [Jeff Trawick] *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved against ServerRoot PR#26602 [Brad Nicholes] *) SECURITY: CAN-2004-0488 (cve.mitre.org) mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a (trusted) client certificate subject DN which exceeds 6K in length. [Joe Orton] *) mod_dav_fs: Fix MKCOL response for missing parent collections, which caused issues for the Eclipse WebDAV extension. PR 29034. [Joe Orton] *) mod_deflate: Fix memory consumption (which was proportional to the response size). PR 29318. [Joe Orton] *) mod_ssl: Log the errors returned on failure to load or initialize a crypto accelerator engine. [Joe Orton] *) Allow RequestHeader directives to be conditional. PR 27951. [Vincent Deffontaines , André Malo] *) Allow LimitRequestBody to be reset to unlimited. PR 29106 [André Malo] *) Fix a bunch of cases where the return code of the regex compiler was not checked properly. This affects: mod_setenvif, mod_usertrack, mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo] *) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for small cache sizes. PR 27751. [Geoff Thorpe ] *) Remove 2Gb log file size restriction on some 32-bit platforms. PR 13511. [Joe Orton] *) mod_logio no longer removes the EOS bucket. PR 27928. [Bojan Smojver ] *) htpasswd no longer refuses to process files that contain empty lines. [André Malo] *) Regression from 1.3: At startup, suexec now will be checked for availability, the setuid bit and user root. The works only if httpd is compiled with the shipped APR version (0.9.5). PR 28287. [André Malo] *) Unix MPMs: Stop dropping connections when the file descriptor is at least FD_SETSIZE. [Jeff Trawick] *) Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick] *) mod_isapi: send_response_header() failed to copy status string's last character. PR 20619. [Jesse Pelton ] *) Fix a segfault when requests for shared memory fails and returns NULL. Fix a segfault caused by a lack of bounds checking on the cache. PR 24801. [Graham Leggett] *) Throw an error message if an attempt is made to use the LDAPTrustedCA or LDAPTrustedCAType directives in a VirtualHost. PR 26390 [Brad Nicholes] *) Fix a potential segfault if the bind password in the LDAP cache is NULL. PR 28250. [Jari Ahonen ] *) Quotes cannot be used around require group and require dn directives, update the documentation to reflect this. Also add quotes around the dn and group within debug messages, to make it more obvious why authentication is failing if quotes are used in error. PR 19304. [Graham Leggett] *) The Microsoft LDAP SDK escapes filters for us, stop util_ldap from escaping filters twice when the backslash character is used. PR 24437. [Jess Holle ] *) Overhaul handling of LDAP error conditions, so that the util_ldap_* functions leave the connections in a sane state after errors have occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134, 27271 [Graham Leggett] *) mod_ldap calls ldap_simple_bind_s() to validate the user credentials. If the bind fails, the connection is left in an unbound state. Make sure that the ldap connection record is updated to show that the connection is no longer bound. [Brad Nicholes] *) Ensure that lines in the request which are too long are properly terminated before logging. [Tsurutani Naoki ] *) Update the bind credentials for the cached LDAP connection to reflect the last bind. This prevents util_ldap from creating unnecessary connections rather than reusing cached connections. [Brad Nicholes] *) mod_isapi: GetServerVariable returned improperly terminated header fields given "ALL_HTTP" or "ALL_RAW". PR 20656. [Jesse Pelton ] *) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer size. PR 20617. [Jesse Pelton ] *) mod_dav: Fix a problem that could cause crashes when manipulating locks on some platforms. [Jeff Trawick] *) mod_headers no longer crashes if an empty header value should be added. [André Malo] *) Fix segfault in mod_expires, which occured under certain circumstances. PR 28047. [André Malo] *) htpasswd: use apr_temp_dir_get() and general cleanup [Guenter Knauf , Thom May] *) mod_ssl: Fix memory leak in session cache handling. PR 26562 [Madhusudan Mathihalli] *) mod_ssl: Fix potential segfaults when performing SSL shutdown from a pool cleanup. PR 27945. [Joe Orton] *) Add forensic logging module (mod_log_forensic). [Ben Laurie] *) logresolve: Allow size of log line buffer to be overridden at build time (MAXLINE). PR 27793. [Jeff Trawick] *) Fix the comment delimiter in htdbm so that it correctly parses the username comment. Also add a terminate function to allow NetWare to pause the output before the screen is destroyed. [Guenter Knauf , Brad Nicholes] *) Fix crash when Apache was started with no Listen directives. [Michael Corcoran ] *) core_output_filter: Fix bug that could result in sending garbage over the network when module handlers construct bucket brigades containing multiple file buckets all referencing the same open file descriptor. [Bojan Smojver] *) Fix memory corruption problem with ap_custom_response() function. The core per-dir config would later point to request pool data that would be reused for different purposes on different requests. [Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe] *) Win32: Tweak worker thread accounting routines to eliminate server hang when number of Listen directives in httpd.conf is greater than or equal to the setting of ThreadsPerChild. [Bill Stoddard] @ text @d1 1 a1 1 $NetBSD: patch-as,v 1.1 2004/06/05 16:21:44 taca Exp $ d3 19 a21 9 --- modules/ssl/ssl_engine_kernel.c.orig 2004-02-10 05:53:20.000000000 +0900 +++ modules/ssl/ssl_engine_kernel.c @@@@ -793,7 +793,6 @@@@ int ssl_hook_UserCheck(request_rec *r) SSLConnRec *sslconn = myConnConfig(r->connection); SSLSrvConfigRec *sc = mySrvConfig(r->server); SSLDirConfigRec *dc = myDirConfig(r); - char buf1[MAX_STRING_LEN], buf2[MAX_STRING_LEN]; char *clientdn; const char *auth_line, *username, *password; d23 7 a29 15 @@@@ -872,14 +871,16 @@@@ int ssl_hook_UserCheck(request_rec *r) * adding the string "xxj31ZMTZzkVA" as the password in the user file. * This is just the crypted variant of the word "password" ;-) */ - apr_snprintf(buf1, sizeof(buf1), "%s:password", clientdn); - ssl_util_uuencode(buf2, buf1, FALSE); - - apr_snprintf(buf1, sizeof(buf1), "Basic %s", buf2); - apr_table_set(r->headers_in, "Authorization", buf1); + auth_line = apr_pstrcat(r->pool, "Basic ", + ap_pbase64encode(r->pool, + apr_pstrcat(r->pool, clientdn, + ":password", NULL)), + NULL); + apr_table_set(r->headers_in, "Authorization", auth_line); a30 7 ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, - "Faking HTTP Basic Auth header: \"Authorization: %s\"", buf1); + "Faking HTTP Basic Auth header: \"Authorization: %s\"", + auth_line); return DECLINED; } @ 1.1 log @Add patch from apache's CVS to fix SSL_Util_UUEncode_Binaty stack buffer overflow vulnerability. http://www.securityfocus.com/bid/10355 Bump package revision. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @Pullup ticket 57 to the pkgsrc-2004Q2 branch, requested by Grant Beattie. Security and other bug fixes for apache2. Module Name: pkgsrc Committed By: adrianp Date: Wed Jul 14 08:28:51 UTC 2004 Modified Files: pkgsrc/www/apache2: Makefile Makefile.common PLIST buildlink3.mk distinfo pkgsrc/www/apache2/patches: patch-aa Added Files: pkgsrc/www/apache2: PLIST.deffiles Removed Files: pkgsrc/www/apache2/patches: patch-as Log Message: - Update to apache 2.0.50 - Add new build def APACHE_DEFAULT_FILES and Module Name: pkgsrc Committed By: adrianp Date: Wed Jul 14 08:31:12 UTC 2004 Modified Files: pkgsrc/devel/apr: buildlink3.mk distinfo Log Message: - Update to apache 2.0.50 - Add new build def APACHE_DEFAULT_FILES @ text @d1 1 a1 1 $NetBSD: patch-as,v 1.1 2004/06/05 16:21:44 taca Exp $ @