Hello community, here is the log from the commit of package apache2 checked in at Wed Sep 24 14:59:22 CEST 2008.
--------
--- apache2/apache2.changes 2008-08-26 23:01:24.000000000 +0200
+++ /mounts/work_src_done/STABLE/apache2/apache2.changes 2008-09-20 20:07:44.000000000 +0200
@@ -1,0 +2,9 @@
+Fri Sep 19 16:18:39 CEST 2008 - skh@suse.de
+
+- add httpd-2.x.x-logresolve.patch again [bnc#210904]
+- add httpd-2.2.x-CVE-2008-2939.patch [bnc#415061]:
+ mod_proxy_ftp: Prevent XSS attacks when using wildcards in
+ the path of the FTP URL. Discovered by Marc Bevand of Rapid7.
+ [Ruediger Pluem]
+
+-------------------------------------------------------------------
New:
----
httpd-2.2.x-CVE-2008-2939.patch
httpd-2.x.x-logresolve.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2.spec ++++++
--- /var/tmp/diff_new_pack.zq7894/_old 2008-09-24 14:58:33.000000000 +0200
+++ /var/tmp/diff_new_pack.zq7894/_new 2008-09-24 14:58:33.000000000 +0200
@@ -63,7 +63,7 @@
 Group: Productivity/Networking/Web/Servers
 %define realver 2.2.9
 Version: 2.2.9
-Release: 1
+Release: 4
 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
 Source10: SUSE-NOTICE
@@ -115,6 +115,8 @@
 Patch65: httpd-2.0.49-log_server_status.dif
 Patch66: httpd-2.0.54-envvars.dif
 Patch67: httpd-2.2.0-apxs-a2enmod.dif
+Patch68: httpd-2.x.x-logresolve.patch
+Patch69: httpd-2.2.x-CVE-2008-2939.patch
 Url: http://httpd.apache.org/
 Icon: Apache.xpm
 Summary: The Apache Web Server Version 2.0
@@ -332,6 +334,8 @@
 %patch65 -p1
 %patch66 -p1
 %patch67 -p1
+%patch68 -p1
+%patch69 -p4
 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 # 
@@ -1021,6 +1025,12 @@
 fi
 %changelog
+* Fri Sep 19 2008 skh@suse.de
+- add httpd-2.x.x-logresolve.patch again [bnc#210904]
+- add httpd-2.2.x-CVE-2008-2939.patch [bnc#415061]:
+ mod_proxy_ftp: Prevent XSS attacks when using wildcards in
+ the path of the FTP URL. Discovered by Marc Bevand of Rapid7.
+ [Ruediger Pluem]
 * Wed Aug 27 2008 poeml@suse.de
 - drop rc.config handling (was removed in or after SuSE Linux 8.0)
 - don't use fillup_insserv options which have been removed lately
++++++ httpd-2.2.x-CVE-2008-2939.patch ++++++
Taken from: http://svn.apache.org/viewvc?view=rev&revision=682870
--- httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_ftp.c 2008/08/05 19:00:05 682869
+++ httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_ftp.c 2008/08/05 19:01:50 682870
@@ -383,6 +383,7 @@
 c->bucket_alloc));
 }
 if (wildcard != NULL) {
+ wildcard = ap_escape_html(p, wildcard);
 APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(wildcard, strlen(wildcard), p, c->bucket_alloc));
++++++ httpd-2.x.x-logresolve.patch ++++++
diff -Naur ../httpd-2.2.4.orig/support/logresolve.pl.in ./support/logresolve.pl.in
--- ../httpd-2.2.4.orig/support/logresolve.pl.in 2006-07-12 05:38:44.000000000 +0200
+++ ./support/logresolve.pl.in 2007-10-23 13:59:27.000000000 +0200
@@ -57,6 +57,7 @@
 use FileHandle;
 use Socket;
+use File::Temp;
 use strict;
 no strict 'refs';
@@ -71,11 +72,13 @@
 my %hash = ();
 my $parent = $$;
+my $tempdir = File::Temp::tempdir("logresolve.pl2.sockets.XXXXXX", CLEANUP => 1);
+
 my @children = ();
 for (my $child = 1; $child <=$CHILDREN; $child++) {
 my $f = fork();
 if (!$f) {
- $filename = "./.socket.$parent.$child";
+ $filename = "$tempdir/socket.$parent.$child";
 if (-e $filename) { unlink($filename) || warn "$filename .. $!\n";}
 &child($child);
 exit(0);
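Review bot: The escape covers only `wildcard` on the added line; the first context line (`c->bucket_alloc));`) suggests that `path` is appended to the same brigade just above this hunk, and that code is not visible here, so I cannot tell whether it goes through ap_escape_html as well — every URL-derived string emitted into the generated listing needs the same treatment, not just the wildcard component. A comment on the added line would keep the reason from being lost in a later cleanup: `/* wildcard comes from the client-supplied URL; escape it before it is emitted into the HTML listing (CVE-2008-2939) */`. The enclosing function starts and ends outside the hunk.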
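Review bot: `File::Temp::tempdir` with a bare template and no `TMPDIR => 1` creates the directory relative to the current working directory, so the sockets still live wherever logresolve.pl is started — now inside a freshly created, unpredictably named directory, which is the actual fix for the predictable `./.socket.*` names, but a cwd the user cannot write to makes the script die at this line. If the tool is meant to run from any directory, `my $tempdir = File::Temp::tempdir("logresolve.pl2.sockets.XXXXXX", TMPDIR => 1, CLEANUP => 1);` gives the same protection in the system temp location. The children leave via `exit(0)`, which runs END blocks; File::Temp ties its deferred cleanup to the process that created the directory, so the parent's directory should survive a child exit, but that is worth confirming on the shipped File::Temp version since an early removal would break the parent's later connects. The `-e $filename` check followed by unlink is redundant inside a directory that was just created empty, though harmless.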
@@ -91,9 +94,9 @@
 # die kiddies, die
 kill(15, @children);
 for (my $child = 1; $child <=$CHILDREN; $child++) {
- if (-e "./.socket.$parent.$child") {
- unlink("./.socket.$parent.$child")
- || warn ".socket.$parent.$child $!";
+ if (-e "$tempdir/socket.$parent.$child") {
+ unlink("$tempdir/socket.$parent.$child")
+ || warn "$tempdir/socket.$parent.$child $!";
 }
 }
 }
@@ -113,7 +116,7 @@
 if (!socket($CHILDSOCK{$child}, AF_UNIX, SOCK_STREAM, $PROTOCOL)) {
 warn "parent socket to child failed $!";
 }
- $filename = "./.socket.$parent.$child";
+ $filename = "$tempdir/socket.$parent.$child";
 my $response;
 do {
 $response = connect($CHILDSOCK{$child}, sockaddr_un($filename));
@@ -176,7 +179,7 @@
 # create a socket to communicate with parent
 socket(INBOUND, AF_UNIX, SOCK_STREAM, $PROTOCOL) || die "Error with Socket: !$\n";
- $filename = "./.socket.$parent.$me";
+ $filename = "$tempdir/socket.$parent.$me";
 bind(INBOUND, sockaddr_un($filename)) || die "Error Binding $filename: $!\n";
 listen(INBOUND, 5) || die "Error Listening: $!\n";
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
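Review bot: The socket path is spelled out three times in the new lines of the cleanup loop; naming it once keeps the three copies from drifting apart: `my $sock = "$tempdir/socket.$parent.$child";` followed by `unlink($sock) || warn "$sock $!" if -e $sock;`. Since the directory is created with `CLEANUP => 1` in the `@@ -71` hunk, this per-socket unlink is also redundant on a normal exit and could be dropped, or kept as belt-and-braces for the `kill(15, @children)` path. The same path literal is rebuilt in the `@@ -113` and `@@ -176` hunks of this patch, so a small helper returning it would remove all four copies.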