svn commit: r367232 - branches/2014Q3/security/vuxml
Olli Hauer
ohauer at FreeBSD.org
Wed Sep 3 20:32:12 UTC 2014
Author: ohauer
Date: Wed Sep 3 20:32:11 2014
New Revision: 367232
URL: http://svnweb.freebsd.org/changeset/ports/367232
QAT: https://qat.redports.org/buildarchive/r367232/
Log:
MFH: r367225
- update vid f927e06c-1109-11e4-b090-20cf30e32f6d
(httpd-2.2.29 was released today)
Approved by: portmgr (erwin@)
Modified:
branches/2014Q3/security/vuxml/vuln.xml
Directory Properties:
branches/2014Q3/ (props changed)
Modified: branches/2014Q3/security/vuxml/vuln.xml
==============================================================================
--- branches/2014Q3/security/vuxml/vuln.xml Wed Sep 3 20:31:48 2014 (r367231)
+++ branches/2014Q3/security/vuxml/vuln.xml Wed Sep 3 20:32:11 2014 (r367232)
@@ -653,29 +653,29 @@ Notes:
<affects>
<package>
<name>apache22</name>
- <range><gt>2.2.0</gt><lt>2.2.27_6</lt></range>
+ <range><gt>2.2.0</gt><lt>2.2.29</lt></range>
</package>
<package>
<name>apache22-event-mpm</name>
- <range><gt>2.2.0</gt><lt>2.2.27_6</lt></range>
+ <range><gt>2.2.0</gt><lt>2.2.29</lt></range>
</package>
<package>
<name>apache22-itk-mpm</name>
- <range><gt>2.2.0</gt><lt>2.2.27_6</lt></range>
+ <range><gt>2.2.0</gt><lt>2.2.29</lt></range>
</package>
<package>
<name>apache22-peruser-mpm</name>
- <range><gt>2.2.0</gt><lt>2.2.27_6</lt></range>
+ <range><gt>2.2.0</gt><lt>2.2.29</lt></range>
</package>
<package>
<name>apache22-worker-mpm</name>
- <range><gt>2.2.0</gt><lt>2.2.27_6</lt></range>
+ <range><gt>2.2.0</gt><lt>2.2.29</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache HTTP SERVER PROJECT reports:</p>
- <blockquote cite="http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?revision=1611816&view=markup">
+ <blockquote cite="http://www.apache.org/dist/httpd/CHANGES_2.2.29">
<p> mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to
avoid denial of service via highly compressed bodies. See directives
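Review bot: Raising the upper bound from <lt>2.2.27_6</lt> to <lt>2.2.29</lt> in all five <range> elements makes installations at 2.2.27_6 and later, which this entry previously treated as fixed, match as vulnerable again, while the log message only says that httpd-2.2.29 was released. If that is intended, state the reason in the commit log so that users who see the entry match again know why. Separately, <gt>2.2.0</gt> excludes 2.2.0 itself; confirm whether <ge> was meant.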
@@ -689,6 +689,10 @@ Notes:
communication with scripts.</p>
<p>Fix a race condition in scoreboard handling, which could lead to a heap
buffer overflow.</p>
+ <p>core: HTTP trailers could be used to replace HTTP headers late during
+ request processing, potentially undoing or otherwise confusing modules
+ that examined or modified request headers earlier. Adds "MergeTrailers"
+ directive to restore legacy behavior.</p>
</blockquote>
</body>
</description>
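Review bot: The added trailers paragraph ends with 'Adds "MergeTrailers" directive to restore legacy behavior', but the entry never tells the reader that restoring the legacy behavior also brings back the header replacement the same paragraph describes. Because the blockquote is cited upstream text, put a short sentence outside it rather than editing the quote. The paragraph also does not say which CVE it belongs to, so a reader cannot tell from the description alone which identifier covers it.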
@@ -696,10 +700,12 @@ Notes:
<cvename>CVE-2014-0118</cvename>
<cvename>CVE-2014-0231</cvename>
<cvename>CVE-2014-0226</cvename>
+ <cvename>CVE-2013-5704</cvename>
</references>
<dates>
<discovery>2014-07-19</discovery>
<entry>2014-07-24</entry>
+ <modified>2014-09-03</modified>
</dates>
</vuln>
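Review bot: <discovery>2014-07-19</discovery> is left unchanged although the added <cvename>CVE-2013-5704</cvename> carries a 2013 identifier, so the discovery date may no longer describe everything the entry lists. Check whether the date should be revisited, or whether the new issue belongs in its own entry with its own vid instead of widening this one. The added <modified>2014-09-03</modified> correctly records the edit itself.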