[Sysadmins] [backports] I: apache-1.3.41rusPL30.23-alt0.M24.1

[Sysadmins] [backports] I: apache-1.3.41rusPL30.23-alt0.M24.1

[Michael Shigorin]

[-- Attachment #1.1: Type: text/plain, Size: 7942 bytes --]

	Здравствуйте.
В backports/2.4 отправлен довольно сильно изменившийся за полтора
года пакет apache; мне лично кажется, что правки были к лучшему,
но если здесь есть пользователи apache на M24 -- наверное, их 
следует почитать и принять во внимание.

Эта сборка мной используется (хотя, скорее всего, является
последней для 2.4).


* Tue Jan 29 2008 Michael Shigorin <mike@altlinux> 1.3.41rusPL30.23-alt0.M24.1
- built for M24
- dropped old backports-specific changelog part

* Sat Jan 19 2008 Michael Shigorin <mike@altlinux> 1.3.41rusPL30.23-alt1
- 1.3.41 contains security fix for:
  + CVE-2007-6388: mod_status: ensure refresh parameter is numeric to prevent
    a possible XSS attack caused by redirecting to other URLs)
- 1.3.40 (unreleased) contains security fixes for:
  + CVE-2007-5000: mod_imap: fix cross-site scripting issue
  + CVE-2007-3847: mod_proxy Windows/NetWare-specific DoS
  + CVE-2007-3304: more efficient patch, also fixes bogus "Bad pid" errors
- http://www.apache.org/dist/httpd/CHANGES_1.3.41 for details
- updated EAPI to hand-made 2.8.30a with build fix kindly sent in 
  by Dan Muey <dan cpanel net> (rolled into EAPI tarball by me;
  releasing as 2.8.30a-1.3.41 along with mod_ssl)

* Wed Oct 03 2007 Michael Shigorin <mike@altlinux> 1.3.39rusPL30.23-alt2
- modify packaged httpd.conf to disable directory autoindexing by default
  (/home/*/public_html stay indexed though); you might want to reconsider
  that in case the configuration wasn't touched at all (thus will be replaced
  during package upgrade) but directory indexes are needed (fixes #12898,
  thanks Timur Batyrshin <batyrshin ieml ru> for proposal/discussion/patch)

* Thu Sep 13 2007 Michael Shigorin <mike@altlinux> 1.3.39rusPL30.23-alt1
- 1.3.39 merges security fixes for:
  + CVE-2006-5752: possible XSS attack against mod_status
    (exploitation requires public server-status page and ExtendedStatus enabled
    and a browser which performs charset "detection")
  + CVE-2007-3304: ensure that the parent process cannot be forced to kill
    non-child processes by checking scoreboard PID data with parent process
    privately stored PID data [this one was fixed by a patch before]
- upstream mime.types updated to current IANA registry and common unregistered
  types that the owners refuse to register (see apache-mime.types.default)
- icons/README.html instead of icons/small/README.txt
- there was no Apache 1.3.38
- updated EAPI to 2.8.30

* Thu Aug 30 2007 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.23-alt6
- changed conftest() usage in initscript so that running processes
  which are still using valid configuration wouldn't be terminated
  if current configuration test fails; thanks nginx.init by mithraen@
  for bringing this to my attention

* Tue Jul 31 2007 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.23-alt5
- merged security fix from RHEL2.1 (RH#245116):
  + CVE-2007-3304 (DoS by referencing an arbitrary process ID in scoreboard
    which then gets SIGUSR1 from master process; requires scripting ability)

* Tue Jun 26 2007 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.23-alt4
- verified and disambiguated mime types; thanks Denis Smirnov (mithraen@)
  for a linter pass (fixes: #12141, #11461)

* Fri Apr 06 2007 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.23-alt3
- rebuilt against recent libmm

* Thu Mar 29 2007 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.23-alt2
- added minimal patch for mod_perl aimed at fixing CVE-2007-1349:
  DoS possibility with specially crafted requests in "PerlRun.pm"
  that uses the "path_info" variable without properly escaping it;
  thanks Randal L. Schwartz (merlyn stonehenge com) for a patch
  (seems to be also in mod_perl SVN)
- NB: mod_perl 1.30 is released but differs quite significantly,
  no time to fix/build/test properly

* Mon Mar 12 2007 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.23-alt1
- updated RA to PL30.23
- wrapped LogFormat in default httpd{,-perl}.conf with IfModule
  (#11053; lakostis@ proposed to borrow from apache2 package)

* Fri Dec 22 2006 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.22-alt9
- disable httpd, httpd-perl services startup by default:
  that might lead to undesired consequences in case of 
  "accidentally" installed packages and/or forgetting
  about them while configuring services; see also [ru]:
  http://lists.altlinux.org/pipermail/devel/2006-December/039909.html

* Thu Nov 23 2006 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.22-alt8
- bring SysV vhosts configuration support to mod_perl part of apache
  (thanks Alexey I. Froloff (raorn@) for nice #10308):
  + httpd-perl.conf: Include conf/vhosts/Vhosts-perl.conf
  + add vhosts/Vhosts-perl.conf and vhosts-perl.d/
- got back some changes from alt6 (reverted wholesale in alt7):
  + removed remnants of libdb1
  + fixed gdbm support for mod_rewrite
  + move server child hard limit constant to a macro 
    (still 1024 by default, just as in patch9 still left
    in src.rpm just in case too but not applied anymore)
    (the bug was #5748, for reference)
- added TUNING.ALT file with tips on performance tuning 
  (regarding #5748 again)
- minor spec cleanup (more intrusive one pending)

* Sat Oct 21 2006 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.22-alt7
- roll back alt6* changes since they are too intrusive by now,
  those who need log files or static content larger than 2Gb
  are advised to rotate logs, use nginx for downloads, or look
  at https://bugzilla.altlinux.org/show_bug.cgi?id=9382 for
  working, but resulting in binary incompatible apache, spec
- added hint on mod_rewrite/mod_security order to default httpd.conf

* Tue Oct 17 2006 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.22-alt6.1
- few more feeble tweaks at LFS (these will likely fail -- upstream
  seems to have had hostile enough stand to "that 1.3 being preferred
  to 2.0" to break former ways of enabling LFS on it, telling people
  should wait until 2.2; see also apache bugs #17453, #36417)

* Sun Oct 15 2006 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.22-alt6
- scalability improvements:
  + support large logfiles (>2Gb) by default (#9382);
    thanks eostapets@ for alarm and raorn@ for sample spec
  + hopefully fixed gdbm support for mod_rewrite (by raorn@
    in the same stripped-down/fixed-up spec)
  + move server child hard limit constant to a macro
    (still 1024 by default, just as in patch9 still left
    just in case too)
- s/libdb1-devel/libdb4-devel/ (might break 2.2 build?)
- folks, I need proposals on #2907...

* Sat Oct 14 2006 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.22-alt5
- added application/x-java-jnlp-file, application/x-xpinstall
  to mime.types (courtesy of zerg@, see bug #10088)
- added commented-out example of editor backup file protection
  to default httpd.conf, httpd-perl.conf (#8489)

* Sat Sep 30 2006 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.22-alt4.1
- oops, ServerSignature was really belonging to later 
  section (and "off" was overridden with "on" there");
  thanks to Pavel Usischev <Usischev/gmail> for #10055

* Tue Sep 26 2006 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.22-alt4
- implement bugchancement #10038 (ServerSignature Off;
  ServerTokens ProductOnly in default configuration)
  thanks thresh@ and hiddenman@ for reminder

* Fri Sep 01 2006 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.22-alt3
- fix #9928 (default mod_realip.conf); thanks vvk@

* Wed Aug 16 2006 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.22-alt2
- NameVirtualHost-related fix for default sample configuration
  (what a shame on me!, and thanks Pavel Usischev for #8385)

* Sat Aug 05 2006 Michael Shigorin <mike@altlinux> 1.3.37rusPL30.22-alt1

-- 
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/

[-- Attachment #1.2: Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 153 bytes --]

_______________________________________________
backports mailing list
backports@lists.altlinux.org
https://lists.altlinux.org/mailman/listinfo/backports