Age | Commit message (Collapse) | Author |
|
and include *.conf files from the modules directory by default.
The modules.sample directory will be used by some ports to place their
configuration files.
ok deraadt@, jsign@
|
|
|
|
tech@ by Jung.
|
|
ok pyr@, ray@, millert@, moritz@, chl@
|
|
From: Alex Holst <a@mongers.org>
|
|
of open filedescriptors (like RLimitNPROC for the number of processes).
ok ckuethe, "no objection" henning
|
|
The Apache HTTP server did not verify that a process was an Apache child
process before sending it signals. A local attacker with the ability to
run scripts on the HTTP server could manipulate the scoreboard and cause
arbitrary processes to be terminated which could lead to a denial of
service.
ok miod@ (who also noticed to protect reclaim_child_processes); henning@;
djm@
|
|
A flaw was found in the mod_status module. On sites where the
server-status page is publicly accessible and ExtendedStatus is enabled
this could lead to a cross-site scripting attack. Note that the
server-status page is not enabled by default and it is best practice to
not make this publicly available.
ok miod@, henning@
|
|
PR5549, From: veins@evilkittens.org
|
|
overflow in SSL session id parsing (by reaching a negative size arg)
ok henning
|
|
|
|
|
|
|
|
This unbreaks some configuration scripts.
ok henning@, xsa@, espie@
|
|
noticed by Igor Sobrado
ok henning
|
|
|
|
programs.
prompted by deraadt@ and cloder@, ok cloder@, henning@, xsa@
|
|
ok deraadt millert
|
|
- Use sizeof(buf) instead of BUFSIZ.
- Only overwrite '\n'.
From Charles Longeau.
OK millert@ and moritz@.
|
|
|
|
sizeof(buf) - 1 to sizeof(buf), since fgets takes the whole buffer size.
Based on diff from Charles Longeau <chl at tuxfamily dot org> long ago.
OK millert@.
|
|
case), ok espie, also noticed by simon
|
|
|
|
configure system.
the mod_auth_digest module has such a section, and there (via two other
indirections, of course!) -DDEV_RANDOM=/dev/arandom is added to CFLAGS.
via a few more bizarre indicrections that ends up in ap_config_auto.h.
Since ap_config_auto.h gets installed in /usr/lib/apache/include/ and
thus might be used by 3rd party modules, we must be very careful with
removing shitz there. But I kinda doubt anything relies on a define
that is only there when a module marked as experimental is compiled in.
since we long ago made mod_auth_digest use arc4random and do not use
said DEV_RANDOM define at all any more, we don't need it ourselves.
so nuke the mod_auth_digest ConfigStart/End section, which doesn't do
anything else, alltogether.
Since mod_auth_digest is only compiled as DSO, the define was missing
on static archs, therefore breaking the build on vax an friends since
espie put the pregenerated ap_config_auto.h in. ok millert deraadt
|
|
|
|
|
|
be MI since we removed stuff that was arch-dependent). The Configure script
still rebuilds a copy of that file, and we check it for diffs.
okay millert@
|
|
- ap_snprintf can grab needed types from stdint.h
- expat-lite can grab byte-order from system includes.
no breakage in modules in the ports tree.
work by me and millert@, ok miod@.
|
|
is good! so let's do it in all cases...
missed case: on restart and graceful, when apachectl figures out that no
httpd is running, it tries to start one.
found out the hard way by yours truly
|
|
'preceeding' -> 'preceding'
'preceeds' -> 'precedes'
'preceeded' -> 'preceded'
|
|
an ip address, that's for sure; pr 5232 arjones@simultan.dyndns.org
|
|
CVE-2006-3918; ok cloder@
|
|
Host header to the backend. default off. henning@ ok.
|
|
|
|
leave the function there of course, it's part of the API
|
|
be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused by a off-by-one error in mod_rewrite and can be
exploited to cause a one-byte buffer overflow.
http://secunia.com/advisories/21197/
report "Alexey E. Suslikov" <cruel@texnika.com.ua>, the obvious fix
mailed in by Stuart Henderson <stu@spacehopper.org>
|
|
From: John Wong <johnw@wonghome.net>, ok ckuethe
|
|
case where an ssl connection is not found in the scache dbm
Reported by, and fix suggested by
Darrin Chandler <darrin@puffy.asicommunications.com>
testing by me, ok henning@
|
|
|
|
From: Daniel Ouellet <daniel@presscom.net>
|
|
From: Daniel Ouellet <daniel@presscom.net>
|
|
From: "Alex Holst" <a@mongers.org>
"It's the brave new world of rss/atom feeds. It's what the kids want."
|
|
put_scoreboard_info, and update_scoreboard_global.
From Daniel Ouellet, plus one line he missed.
OK henning@ and otto@
|
|
ok millert@ jmc@ ketennis@ and others from before 3.9 lock
|
|
|
|
from Chris Kuethe <chris.kuethe@gmail.com>
running at UofA for months now, ok beck niallo, also tested mbalmer
|
|
From: Alex Holst <a@mongers.org>
|
|
|
|
ok kettenis@
|
|
CVE-2005-3352
ok niallo@; henning@ no objections
|