head 1.5;
access;
symbols
    pkgsrc-2013Q2:1.5.0.10
    pkgsrc-2013Q2-base:1.5
    pkgsrc-2012Q4:1.5.0.8
    pkgsrc-2012Q4-base:1.5
    pkgsrc-2011Q4:1.5.0.6
    pkgsrc-2011Q4-base:1.5
    pkgsrc-2011Q2:1.5.0.4
    pkgsrc-2011Q2-base:1.5
    pkgsrc-2009Q4:1.5.0.2
    pkgsrc-2009Q4-base:1.5
    pkgsrc-2009Q2:1.2.0.2
    pkgsrc-2009Q2-base:1.2
    pkgsrc-2009Q1:1.1.0.2;
locks; strict;
comment @# @;


1.5
date 2009.08.10.11.45.08; author tron; state dead;
branches;
next 1.4;

1.4
date 2009.08.06.08.21.44; author tron; state Exp;
branches;
next 1.3;

1.3
date 2009.08.06.07.07.23; author tron; state dead;
branches;
next 1.2;

1.2
date 2009.06.11.20.30.59; author tron; state Exp;
branches
    1.2.2.1;
next 1.1;

1.1
date 2009.06.04.08.51.52; author tron; state Exp;
branches
    1.1.2.1;
next ;

1.2.2.1
date 2009.08.07.21.08.15; author spz; state Exp;
branches;
next 1.2.2.2;

1.2.2.2
date 2009.10.04.13.26.13; author spz; state dead;
branches;
next ;

1.1.2.1
date 2009.06.04.08.51.52; author spz; state dead;
branches;
next 1.1.2.2;

1.1.2.2
date 2009.06.04.20.41.20; author spz; state Exp;
branches;
next 1.1.2.3;

1.1.2.3
date 2009.06.12.21.38.06; author spz; state Exp;
branches;
next ;


desc
@@


1.5
log
@Update "apache22" package to version 2.2.13. Changes since 2.2.12:

- mod_ssl, ab: improve compatibility with OpenSSL 1.0.0 betas. Report
  warnings compiling mod_ssl against OpenSSL to the httpd developers.
  [Guenter Knauf]

- mod_cgid: Do not add an empty argument when calling the CGI script.
  Bug 46380 [Ruediger Pluem]

- Fix potential segfaults with use of the legacy ap_rputs() etc
  interfaces, in cases where an output filter fails. Bug 36780.
  [Joe Orton]
@
text
@$NetBSD: patch-ba,v 1.4 2009/08/06 08:21:44 tron Exp $

Fix build problems with newer versions of OpenSSL.

--- modules/ssl/ssl_engine_init.c.orig	2009-08-05 09:37:09.000000000 +0200
+++ modules/ssl/ssl_engine_init.c
@@@@ -573,7 +573,7 @@@@ static void ssl_init_ctx_verify(server_r
         ssl_die();
     }
 
-    SSL_CTX_set_client_CA_list(ctx, (STACK *)ca_list);
+    SSL_CTX_set_client_CA_list(ctx, ca_list);
 }
 
 /*
@


1.4
log
@Add patches provided by Adam Ciarcinski to fix build with recent versions
of OpenSSL (e.g. the version in NetBSD-current).
@
text
@d1 1
a1 1
$NetBSD$
@


1.3
log
@Update "apache22" package to version 2.2.12. Changes since version 2.2.11:

- SECURITY: CVE-2009-1891 (cve.mitre.org)
  Fix a potential Denial-of-Service attack against mod_deflate or other
  modules, by forcing the server to consume CPU time in compressing a
  large file after a client disconnects. Bug 39605.
  [Joe Orton, Ruediger Pluem]

- SECURITY: CVE-2009-1195 (cve.mitre.org)
  Prevent the "Includes" Option from being enabled in an .htaccess file
  if the AllowOverride restrictions do not permit it.
  [Jonathan Peatfield, Joe Orton, Ruediger Pluem, Jeff Trawick]

- SECURITY: CVE-2009-1890 (cve.mitre.org)
  Fix a potential Denial-of-Service attack against mod_proxy in a reverse
  proxy configuration, where a remote attacker can force a proxy process
  to consume CPU time indefinitely. [Nick Kew, Joe Orton]

- SECURITY: CVE-2009-1191 (cve.mitre.org)
  mod_proxy_ajp: Avoid delivering content from a previous request which
  failed to send a request body. Bug 46949 [Ruediger Pluem]

- SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
  The bundled copy of the APR-util library has been updated, fixing
  three different security issues which may affect particular
  configurations and third-party modules.

- mod_include: fix potential segfault when handling back references on
  an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]

- mod_alias: check sanity in Redirect arguments. Bug 44729
  [Sönke Tesch, Jim Jagielski]

- mod_proxy_http: fix Host: header for literal IPv6 addresses.
  Bug 47177 [Carlos Garcia Braschi]

- mod_rewrite: Remove locking for writing to the rewritelog. Bug 46942

- mod_alias: Ensure Redirect emits HTTP-compliant URLs. Bug 44020

- mod_proxy_http: fix case sensitivity checking transfer encoding.
  Bug 47383 [Ryuzo Yamamoto]

- mod_rewrite: Fix the error string returned by RewriteRule. RewriteRule
  returned "RewriteCond: bad flag delimiters" when the 3rd argument of
  RewriteRule was not started with "[" or not ended with "]".
  Bug 45082 [Vitaly Polonetsky]

- mod_proxy: Complete ProxyPassReverse to handle balancer URLs.
  Given; BalancerMember balancer://alias http://example.com/foo
         ProxyPassReverse /bash balancer://alias/bar
  backend url http://example.com/foo/bar/that is now translated
  /bash/that
  [William Rowe]

- New piped log syntax: Use "||process args" to launch the given process
  without invoking the shell/command interpreter. Use "|$command line"
  (the default behavior of "|command line" in 2.2) to invoke using shell,
  consuming an additional shell process for the lifetime of the logging
  pipe program but granting additional process invocation flexibility.
  [William Rowe]

- mod_ssl: Add server name indication support (RFC 4366) and better
  support for name based virtual hosts with SSL. Bug 34607
  [Peter Sylvester, Kaspar Brand, Guenter Knauf, Joe Orton, Ruediger Pluem]

- mod_negotiation: Escape paths of filenames in 406 responses to avoid
  HTML injections and HTTP response splitting. Bug 46837.
  [Geoff Keating]

- mod_include: Prevent a case of SSI timefmt-smashing with filter chains
  including multiple INCLUDES filters. Bug 39369 [Joe Orton]

- mod_rewrite: When evaluating a proxy rule in directory context, do
  escape the filename by default. Bug 46428 [Joe Orton]

- mod_proxy_ajp: Check more strictly that the backend follows the AJP
  protocol. [Mladen Turk]

- mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
  to enable stricter checking of remote server certificates.
  [Ruediger Pluem]

- mod_substitute: Fix a memory leak. Bug 44948 [Dan Poirier]

- mod_proxy_ajp: Forward remote port information by default. [Rainer Jung]

- mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
  directive to correctly remove headers before storing them.
  [Lars Eilebrecht]

- mod_deflate: revert changes in 2.2.8 that caused an invalid etag to be
  emitted for on-the-fly gzip content-encoding. Bug 39727 will require
  larger fixes and this fix was far more harmful than the original code.
  Bug 45023. [Roy T. Fielding]

- mod_disk_cache: The module now turns off sendfile support if
  'EnableSendfile off' is defined globally. Bug 41218.
  [Lars Eilebrecht, Issac Goldstand]

- prefork: Fix child process hang during graceful restart/stop in
  configurations with multiple listening sockets. Bug 42829.
  [Joe Orton, Jeff Trawick]

- mod_ssl: Add SSLRenegBufferSize directive to allow changing the size of
  the buffer used for the request-body where necessary during a per-dir
  renegotiation. Bug 39243. [Joe Orton]

- mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
  way that per-directory rewrites append the previous notion of PATH_INFO
  to each substitution before evaluating subsequent rules. Bug 38642
  [Eric Covener]

- mod_authnz_ldap: Reduce number of initialization debug messages and
  make information more clear. Bug 46342 [Dan Poirier]

- mod_cache: Introduce 'no-cache' per-request environment variable to
  prevent the saving of an otherwise cacheable response. [Eric Covener]

- core: Translate the status line to ASCII on EBCDIC platforms in
  ap_send_interim_response() and for locally generated "100 Continue"
  responses. [Eric Covener]

- CGI: return 504 (Gateway timeout) rather than 500 when a script times
  out before returning status line/headers. Bug 42190 [Nick Kew]

- prefork: Log an error instead of segfaulting when child startup fails
  due to pollset creation failures. Bug 46467.
  [Jeff Trawick]

- mod_ext_filter: fix error handling when the filter prog fails to start,
  and introduce an onfail configuration option to abort

All the security problems mentioned above had already been fixed in "pkgsrc"
via patches. Thanks a lot to Adam Ciarcinski for letting me know that the
new version had finally been released.
@
text
@d1 1
a1 1
$NetBSD: patch-ba,v 1.2 2009/06/11 20:30:59 tron Exp $
d3 1
a3 1
Patch for CVE-2009-1195 taken from:
d5 9
a13 21
http://svn.apache.org/viewvc?view=rev&revision=773881
http://svn.apache.org/viewvc?view=rev&revision=779472

--- include/http_core.h.orig	2008-02-26 19:47:51.000000000 +0000
+++ include/http_core.h	2009-06-11 20:53:26.000000000 +0100
@@@@ -65,7 +65,7 @@@@
 #define OPT_NONE 0
 /** Indexes directive */
 #define OPT_INDEXES 1
-/** Includes directive */
+/** SSI is enabled without exec= permission */
 #define OPT_INCLUDES 2
 /** FollowSymLinks directive */
 #define OPT_SYM_LINKS 4
@@@@ -80,9 +80,22 @@@@
 /** MultiViews directive */
 #define OPT_MULTI 128
 /** All directives */
-#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI)
 /** @@} */
d15 1
a15 16
+#ifdef CORE_PRIVATE
+/* For internal use only - since 2.2.12, the OPT_INCNOEXEC bit is
+ * internally replaced by OPT_INC_WITH_EXEC. The internal semantics
+ * of the two SSI-related bits are hence:
+ *
+ * OPT_INCLUDES => "enable SSI, without exec= permission"
+ * OPT_INC_WITH_EXEC => "iff OPT_INCLUDES is set, also enable exec="
+ *
+ * The set of options exposed via ap_allow_options() retains the
+ * semantics of OPT_INCNOEXEC by flipping the bit. */
+#define OPT_INC_WITH_EXEC OPT_INCNOEXEC
+#endif
+
 /**
  * @@defgroup get_remote_host Remote Host Resolution
  * @@ingroup APACHE_CORE_HTTPD
@


1.2
log
@Import improved version of the fix for CVE-2009-1195 to restore backwards
compatibility with e.g. "mod_perl".
@
text
@d1 1
a1 1
$NetBSD$
@


1.2.2.1
log
@Pullup ticket 2852 - requested by tron
bug fix update

Revisions pulled up:
- pkgsrc/www/apache22/Makefile                  1.48
- pkgsrc/www/apache22/PLIST                     1.13
- pkgsrc/www/apache22/distinfo                  1.23
- pkgsrc/www/apache22/patches/patch-ba          1.4
- pkgsrc/www/apache22/patches/patch-bb          1.3

Files added:
pkgsrc/www/apache22/patches/patch-bb

Files deleted:
pkgsrc/www/apache22/patches/patch-ab
pkgsrc/www/apache22/patches/patch-af
pkgsrc/www/apache22/patches/patch-ah
pkgsrc/www/apache22/patches/patch-bc
pkgsrc/www/apache22/patches/patch-bd

Module Name:    pkgsrc
Committed By:   tron
Date:           Thu Aug 6 07:07:23 UTC 2009

Modified Files:
    pkgsrc/www/apache22: Makefile PLIST distinfo
Removed Files:
    pkgsrc/www/apache22/patches: patch-ab patch-af patch-ah patch-ba
        patch-bc patch-bd

Log Message:
Update "apache22" package to version 2.2.12. Changes since version 2.2.11:

- SECURITY: CVE-2009-1891 (cve.mitre.org)
  Fix a potential Denial-of-Service attack against mod_deflate or other
  modules, by forcing the server to consume CPU time in compressing a
  large file after a client disconnects. Bug 39605.
  [Joe Orton, Ruediger Pluem]

- SECURITY: CVE-2009-1195 (cve.mitre.org)
  Prevent the "Includes" Option from being enabled in an .htaccess file
  if the AllowOverride restrictions do not permit it.
  [Jonathan Peatfield, Joe Orton, Ruediger Pluem, Jeff Trawick]

- SECURITY: CVE-2009-1890 (cve.mitre.org)
  Fix a potential Denial-of-Service attack against mod_proxy in a reverse
  proxy configuration, where a remote attacker can force a proxy process
  to consume CPU time indefinitely. [Nick Kew, Joe Orton]

- SECURITY: CVE-2009-1191 (cve.mitre.org)
  mod_proxy_ajp: Avoid delivering content from a previous request which
  failed to send a request body.
  Bug 46949 [Ruediger Pluem]

- SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
  The bundled copy of the APR-util library has been updated, fixing
  three different security issues which may affect particular
  configurations and third-party modules.

- mod_include: fix potential segfault when handling back references on
  an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]

- mod_alias: check sanity in Redirect arguments. Bug 44729
  [Sönke Tesch, Jim Jagielski]

- mod_proxy_http: fix Host: header for literal IPv6 addresses.
  Bug 47177 [Carlos Garcia Braschi]

- mod_rewrite: Remove locking for writing to the rewritelog. Bug 46942

- mod_alias: Ensure Redirect emits HTTP-compliant URLs. Bug 44020

- mod_proxy_http: fix case sensitivity checking transfer encoding.
  Bug 47383 [Ryuzo Yamamoto]

- mod_rewrite: Fix the error string returned by RewriteRule. RewriteRule
  returned "RewriteCond: bad flag delimiters" when the 3rd argument of
  RewriteRule was not started with "[" or not ended with "]".
  Bug 45082 [Vitaly Polonetsky]

- mod_proxy: Complete ProxyPassReverse to handle balancer URLs.
  Given; BalancerMember balancer://alias http://example.com/foo
         ProxyPassReverse /bash balancer://alias/bar
  backend url http://example.com/foo/bar/that is now translated
  /bash/that
  [William Rowe]

- New piped log syntax: Use "||process args" to launch the given process
  without invoking the shell/command interpreter. Use "|$command line"
  (the default behavior of "|command line" in 2.2) to invoke using shell,
  consuming an additional shell process for the lifetime of the logging
  pipe program but granting additional process invocation flexibility.
  [William Rowe]

- mod_ssl: Add server name indication support (RFC 4366) and better
  support for name based virtual hosts with SSL. Bug 34607
  [Peter Sylvester, Kaspar Brand, Guenter Knauf, Joe Orton, Ruediger Pluem]

- mod_negotiation: Escape paths of filenames in 406 responses to avoid
  HTML injections and HTTP response splitting.
  Bug 46837. [Geoff Keating]

- mod_include: Prevent a case of SSI timefmt-smashing with filter chains
  including multiple INCLUDES filters. Bug 39369 [Joe Orton]

- mod_rewrite: When evaluating a proxy rule in directory context, do
  escape the filename by default. Bug 46428 [Joe Orton]

- mod_proxy_ajp: Check more strictly that the backend follows the AJP
  protocol. [Mladen Turk]

- mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
  to enable stricter checking of remote server certificates.
  [Ruediger Pluem]

- mod_substitute: Fix a memory leak. Bug 44948 [Dan Poirier]

- mod_proxy_ajp: Forward remote port information by default. [Rainer Jung]

- mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
  directive to correctly remove headers before storing them.
  [Lars Eilebrecht]

- mod_deflate: revert changes in 2.2.8 that caused an invalid etag to be
  emitted for on-the-fly gzip content-encoding. Bug 39727 will require
  larger fixes and this fix was far more harmful than the original code.
  Bug 45023. [Roy T. Fielding]

- mod_disk_cache: The module now turns off sendfile support if
  'EnableSendfile off' is defined globally. Bug 41218.
  [Lars Eilebrecht, Issac Goldstand]

- prefork: Fix child process hang during graceful restart/stop in
  configurations with multiple listening sockets. Bug 42829.
  [Joe Orton, Jeff Trawick]

- mod_ssl: Add SSLRenegBufferSize directive to allow changing the size of
  the buffer used for the request-body where necessary during a per-dir
  renegotiation. Bug 39243. [Joe Orton]

- mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
  way that per-directory rewrites append the previous notion of PATH_INFO
  to each substitution before evaluating subsequent rules. Bug 38642
  [Eric Covener]

- mod_authnz_ldap: Reduce number of initialization debug messages and
  make information more clear.
  Bug 46342 [Dan Poirier]

- mod_cache: Introduce 'no-cache' per-request environment variable to
  prevent the saving of an otherwise cacheable response. [Eric Covener]

- core: Translate the status line to ASCII on EBCDIC platforms in
  ap_send_interim_response() and for locally generated "100 Continue"
  responses. [Eric Covener]

- CGI: return 504 (Gateway timeout) rather than 500 when a script times
  out before returning status line/headers. Bug 42190 [Nick Kew]

- prefork: Log an error instead of segfaulting when child startup fails
  due to pollset creation failures. Bug 46467. [Jeff Trawick]

- mod_ext_filter: fix error handling when the filter prog fails to start,
  and introduce an onfail configuration option to abort

All the security problems mentioned above had already been fixed in "pkgsrc"
via patches. Thanks a lot to Adam Ciarcinski for letting me know that the
new version had finally been released.

To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 pkgsrc/www/apache22/Makefile
cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/apache22/PLIST
cvs rdiff -u -r1.21 -r1.22 pkgsrc/www/apache22/distinfo
cvs rdiff -u -r1.10 -r0 pkgsrc/www/apache22/patches/patch-ab
cvs rdiff -u -r1.1 -r0 pkgsrc/www/apache22/patches/patch-af \
    pkgsrc/www/apache22/patches/patch-ah
cvs rdiff -u -r1.2 -r0 pkgsrc/www/apache22/patches/patch-ba \
    pkgsrc/www/apache22/patches/patch-bc pkgsrc/www/apache22/patches/patch-bd

-----

Module Name:    pkgsrc
Committed By:   tron
Date:           Thu Aug 6 08:21:44 UTC 2009

Modified Files:
    pkgsrc/www/apache22: distinfo
Added Files:
    pkgsrc/www/apache22/patches: patch-ba patch-bb

Log Message:
Add patches provided by Adam Ciarcinski to fix build with recent versions
of OpenSSL (e.g. the version in NetBSD-current).
To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 pkgsrc/www/apache22/distinfo
cvs rdiff -u -r0 -r1.4 pkgsrc/www/apache22/patches/patch-ba
cvs rdiff -u -r0 -r1.3 pkgsrc/www/apache22/patches/patch-bb
@
text
@d1 1
a1 1
$NetBSD: patch-ba,v 1.4 2009/08/06 08:21:44 tron Exp $
d3 1
a3 1
Fix build problems with newer versions of OpenSSL.
d5 21
a25 9
--- modules/ssl/ssl_engine_init.c.orig	2009-08-05 09:37:09.000000000 +0200
+++ modules/ssl/ssl_engine_init.c
@@@@ -573,7 +573,7 @@@@ static void ssl_init_ctx_verify(server_r
         ssl_die();
     }
 
-    SSL_CTX_set_client_CA_list(ctx, (STACK *)ca_list);
+    SSL_CTX_set_client_CA_list(ctx, ca_list);
 }
d27 16
a42 1
 /*
@


1.2.2.2
log
@Pullup ticket 2908 - requested by tron
security update

Revisions pulled up:
- pkgsrc/www/apache22/Makefile                  by patch to 1.52
- pkgsrc/www/apache22/distinfo                  by patch to 1.27
- pkgsrc/www/apache22/patches/patch-ab          by patch to 1.14

Files removed:
pkgsrc/www/apache22/patches/patch-av
pkgsrc/www/apache22/patches/patch-ba
pkgsrc/www/apache22/patches/patch-bb

The patches update the package to the state in HEAD.
-------------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   tron
Date:           Sun Oct 4 12:21:35 UTC 2009

Modified Files:
    pkgsrc/www/apache22: Makefile distinfo
    pkgsrc/www/apache22/patches: patch-ab

Log Message:
Add patch from the Apache SVN repository to the vulnerability reported in
CVE-2009-3095.

To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 pkgsrc/www/apache22/Makefile
cvs rdiff -u -r1.26 -r1.27 pkgsrc/www/apache22/distinfo
cvs rdiff -u -r1.13 -r1.14 pkgsrc/www/apache22/patches/patch-ab
@
text
@d1 1
a1 1
$NetBSD: patch-ba,v 1.2.2.1 2009/08/07 21:08:15 spz Exp $
@


1.1
log
@Add patches from the Apache SVN repository to fix the security bypass
vulnerability reported in CVE-2009-1195.
@
text
@d5 2
a6 1
http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_core.h?r1=739382&r2=772997&pathrev=772997
d9 1
a9 1
+++ include/http_core.h	2009-06-04 09:39:58.000000000 +0100
d19 1
a19 10
@@@@ -73,14 +73,14 @@@@
 #define OPT_EXECCGI 8
 /** directive unset */
 #define OPT_UNSET 16
-/** IncludesNOEXEC directive */
-#define OPT_INCNOEXEC 32
+/** SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
+#define OPT_INC_WITH_EXEC 32
 /** SymLinksIfOwnerMatch directive */
 #define OPT_SYM_OWNER 64
d24 1
a24 1
+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
d27 13
d41 2
@


1.1.2.1
log
@file patch-ba was added on branch pkgsrc-2009Q1 on 2009-06-04 20:41:20 +0000
@
text
@d1 35
@


1.1.2.2
log
@Pullup ticket 2786 - requested by tron
Security update

Revisions pulled up:
- pkgsrc/www/apache22/Makefile          1.45
- pkgsrc/www/apache22/distinfo          1.19

Files added:
- pkgsrc/www/apache22/patches/patch-ba  1.1
- pkgsrc/www/apache22/patches/patch-bb  1.1
- pkgsrc/www/apache22/patches/patch-bc  1.1
- pkgsrc/www/apache22/patches/patch-bd  1.1

Module Name:    pkgsrc
Committed By:   tron
Date:           Thu Jun 4 08:51:52 UTC 2009

Modified Files:
    pkgsrc/www/apache22: Makefile distinfo
Added Files:
    pkgsrc/www/apache22/patches: patch-ba patch-bb patch-bc patch-bd

Log Message:
Add patches from the Apache SVN repository to fix the security bypass
vulnerability reported in CVE-2009-1195.
To generate a diff of this commit:
cvs rdiff -u -r1.44 -r1.45 pkgsrc/www/apache22/Makefile
cvs rdiff -u -r1.18 -r1.19 pkgsrc/www/apache22/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/www/apache22/patches/patch-ba \
    pkgsrc/www/apache22/patches/patch-bb pkgsrc/www/apache22/patches/patch-bc \
    pkgsrc/www/apache22/patches/patch-bd
@
text
@a0 35
$NetBSD: patch-ba,v 1.1 2009/06/04 08:51:52 tron Exp $

Patch for CVE-2009-1195 taken from:

http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_core.h?r1=739382&r2=772997&pathrev=772997

--- include/http_core.h.orig	2008-02-26 19:47:51.000000000 +0000
+++ include/http_core.h	2009-06-04 09:39:58.000000000 +0100
@@@@ -65,7 +65,7 @@@@
 #define OPT_NONE 0
 /** Indexes directive */
 #define OPT_INDEXES 1
-/** Includes directive */
+/** SSI is enabled without exec= permission */
 #define OPT_INCLUDES 2
 /** FollowSymLinks directive */
 #define OPT_SYM_LINKS 4
@@@@ -73,14 +73,14 @@@@
 #define OPT_EXECCGI 8
 /** directive unset */
 #define OPT_UNSET 16
-/** IncludesNOEXEC directive */
-#define OPT_INCNOEXEC 32
+/** SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
+#define OPT_INC_WITH_EXEC 32
 /** SymLinksIfOwnerMatch directive */
 #define OPT_SYM_OWNER 64
 /** MultiViews directive */
 #define OPT_MULTI 128
 /** All directives */
-#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
 /** @@} */
 
 /**
@


1.1.2.3
log
@Pullup ticket 2795 - requested by tron
Compatibility update
Fixes PR 41550

Revisions pulled up:
- pkgsrc/www/apache22/Makefile                  1.46
- pkgsrc/www/apache22/distinfo                  1.20
- pkgsrc/www/apache22/patches/patch-ba          1.2
- pkgsrc/www/apache22/patches/patch-bc          1.2
- pkgsrc/www/apache22/patches/patch-bd          1.2

Files deleted:
pkgsrc/www/apache22/patches/patch-bb

Module Name:    pkgsrc
Committed By:   tron
Date:           Thu Jun 11 20:30:59 UTC 2009

Modified Files:
    pkgsrc/www/apache22: Makefile distinfo
    pkgsrc/www/apache22/patches: patch-ba patch-bc
        patch-bd
Removed Files:
    pkgsrc/www/apache22/patches: patch-bb

Log Message:
Import improved version of the fix for CVE-2009-1195 to restore backwards
compatibility with e.g. "mod_perl".

To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 pkgsrc/www/apache22/Makefile
cvs rdiff -u -r1.19 -r1.20 pkgsrc/www/apache22/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/www/apache22/patches/patch-ba \
    pkgsrc/www/apache22/patches/patch-bc pkgsrc/www/apache22/patches/patch-bd
cvs rdiff -u -r1.1 -r0 pkgsrc/www/apache22/patches/patch-bb
@
text
@d1 1
a1 1
$NetBSD: patch-ba,v 1.2 2009/06/11 20:30:59 tron Exp $
d5 1
a5 2
http://svn.apache.org/viewvc?view=rev&revision=773881
http://svn.apache.org/viewvc?view=rev&revision=779472
d8 1
a8 1
+++ include/http_core.h	2009-06-11 20:53:26.000000000 +0100
d18 10
a27 1
@@@@ -80,9 +80,22 @@@@
d32 1
a32 1
+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI)
a34 13
+#ifdef CORE_PRIVATE
+/* For internal use only - since 2.2.12, the OPT_INCNOEXEC bit is
+ * internally replaced by OPT_INC_WITH_EXEC. The internal semantics
+ * of the two SSI-related bits are hence:
+ *
+ * OPT_INCLUDES => "enable SSI, without exec= permission"
+ * OPT_INC_WITH_EXEC => "iff OPT_INCLUDES is set, also enable exec="
+ *
+ * The set of options exposed via ap_allow_options() retains the
+ * semantics of OPT_INCNOEXEC by flipping the bit. */
+#define OPT_INC_WITH_EXEC OPT_INCNOEXEC
+#endif
+
a35 2
  * @@defgroup get_remote_host Remote Host Resolution
  * @@ingroup APACHE_CORE_HTTPD
@
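Review bot: in the ssl_engine_init.c hunk (`@@ -573,7 +573,7 @@ static void ssl_init_ctx_verify`, present both in the head text and in the 1.2.2.1 delta), dropping the `(STACK *)` cast is the correct fix and not a cosmetic one: on the OpenSSL 1.0.0 line that the 1.5 log refers to, the STACK_OF(X509_NAME) argument of SSL_CTX_set_client_CA_list is a distinct type rather than an alias of STACK, so the cast produces an incompatible-pointer error, while on older OpenSSL it was a no-op and can simply go. The patch header only says "newer versions of OpenSSL"; naming the OpenSSL version that triggers the failure would make it obvious when the patch can be retired, which is what happened when upstream 2.2.13 picked up its own OpenSSL 1.0.0 compatibility fixes and the file went dead at 1.5.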
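Review bot: in the `@@ -73,14 +73,14 @@` hunk of the patch-ba 1.1 text (the `a0 35` block under revision 1.1.2.2), renaming OPT_INCNOEXEC to OPT_INC_WITH_EXEC removes a public identifier from http_core.h and inverts the meaning of bit 32 (from "IncludesNOEXEC" to "exec= permitted, iff OPT_INCLUDES is also set"), so an out-of-tree module compiled against the old header either stops building or tests that bit with the opposite meaning; the 1.2 log names mod_perl as the module that broke. The 1.2 text shows the safer shape for this fix: keep OPT_INCNOEXEC in the public header, add OPT_INC_WITH_EXEC only under `#ifdef CORE_PRIVATE`, and have ap_allow_options() flip the bit so the exported semantics stay unchanged. Any later version of this patch should start from that form rather than from the rename.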