head	1.2;
access;
symbols;
locks; strict;
comment	@# @;


1.2
date	2008.02.10.20.36.08;	author dinoex;	state dead;
branches;
next	1.1;

1.1
date	2008.01.23.08.00.43;	author dinoex;	state Exp;
branches;
next	;


desc
@@


1.2
log
@- update to 1.3.41+2.8.31
@
text
@diff -ur conf/mime.types apache_1.3.41/conf/mime.types
--- conf/mime.types	2007-09-01 00:03:39.000000000 +0200
+++ apache_1.3.41/conf/mime.types	2008-01-02 23:12:12.000000000 +0100
@@@@ -82,6 +82,10 @@@@
 application/mbox				mbox
 application/mediaservercontrol+xml		mscml
 application/mikey
+application/moss-keys
+application/moss-signature
+application/mosskey-data
+application/mosskey-request
 application/mp4					mp4s
 application/mpeg4-generic
 application/mpeg4-iod
@@@@ -135,6 +139,10 @@@@
 application/samlassertion+xml
 application/samlmetadata+xml
 application/sbml+xml				sbml
+application/scvp-cv-request			scq
+application/scvp-cv-response			scs
+application/scvp-vp-request			spq
+application/scvp-vp-response			spp
 application/sdp					sdp
 application/set-payment
 application/set-payment-initiation		setpay
@@@@ -152,6 +160,8 @@@@
 application/smil+xml				smi smil
 application/soap+fastinfoset
 application/soap+xml
+application/sparql-query			rq
+application/sparql-results+xml			srx
 application/spirits-event+xml
 application/srgs				gram
 application/srgs+xml				grxml
@@@@ -159,6 +169,7 @@@@
 application/timestamp-query
 application/timestamp-reply
 application/tve-trigger
+application/ulpfec
 application/vemmi
 application/vividence.scriptfile
 application/vnd.3gpp.bsf+xml
@@@@ -168,6 +179,7 @@@@
 application/vnd.3gpp.sms
 application/vnd.3gpp2.bcmcsinfo+xml
 application/vnd.3gpp2.sms
+application/vnd.3gpp2.tcap			tcap
 application/vnd.3m.post-it-notes		pwn
 application/vnd.accpac.simply.aso		aso
 application/vnd.accpac.simply.imp		imp
@@@@ -317,6 +329,7 @@@@
 application/vnd.japannet-verification-wakeup
 application/vnd.jcp.javame.midlet-rms		rms
 application/vnd.jisp				jisp
+application/vnd.joost.joda-archive		joda
 application/vnd.kahootz				ktz ktr
 application/vnd.kde.karbon			karbon
 application/vnd.kde.kchart			chrt
@@@@ -393,9 +406,13 @@@@
 application/vnd.ms-xpsdocument			xps
 application/vnd.mseq				mseq
 application/vnd.msign
+application/vnd.multiad.creator
+application/vnd.multiad.creator.cif
 application/vnd.music-niff
 application/vnd.musician			mus
+application/vnd.muvee.style			msty
 application/vnd.ncd.control
+application/vnd.ncd.reference
 application/vnd.nervana
 application/vnd.netfpx
 application/vnd.neurolanguage.nlu		nlu
@@@@ -455,7 +472,10 @@@@
 application/vnd.oma.dd2+xml			dd2
 application/vnd.oma.drm.risd+xml
 application/vnd.oma.group-usage-list+xml
+application/vnd.oma.poc.detailed-progress-report+xml
+application/vnd.oma.poc.final-report+xml
 application/vnd.oma.poc.groups+xml
+application/vnd.oma.poc.optimized-progress-report+xml
 application/vnd.oma.xcap-directory+xml
 application/vnd.omads-email+xml
 application/vnd.omads-file+xml
@@@@ -495,6 +515,7 @@@@
 application/vnd.rn-realmedia			rm
 application/vnd.ruckus.download
 application/vnd.s3sms
+application/vnd.sbm.mid2
 application/vnd.scribus
 application/vnd.sealed.3df
 application/vnd.sealed.csf
@@@@ -571,6 +592,7 @@@@
 application/vnd.wap.wmlscriptc			wmlsc
 application/vnd.webturbo			wtb
 application/vnd.wfa.wsc
+application/vnd.wmc
 application/vnd.wordperfect			wpd
 application/vnd.wqd				wqd
 application/vnd.wrq-hp3000-labelled
@@@@ -742,6 +764,7 @@@@
 audio/t38
 audio/telephone-event
 audio/tone
+audio/ulpfec
 audio/vdvi
 audio/vmr-wb
 audio/vnd.3gpp.iufp
@@@@ -812,7 +835,7 @@@@
 image/vnd.fujixerox.edmics-mmr			mmr
 image/vnd.fujixerox.edmics-rlc			rlc
 image/vnd.globalgraphics.pgb
-image/vnd.microsoft.icon			ico
+image/vnd.microsoft.icon
 image/vnd.mix
 image/vnd.ms-modi				mdi
 image/vnd.net-fpx				npx
@@@@ -824,7 +847,7 @@@@
 image/vnd.xiff					xif
 image/x-cmu-raster				ras
 image/x-cmx					cmx
-image/x-icon
+image/x-icon					ico
 image/x-pcx					pcx
 image/x-pict					pic pct
 image/x-portable-anymap				pnm
@@@@ -847,6 +870,7 @@@@
 message/sip
 message/sipfrag
 message/tracking-status
+message/vnd.si.simp
 model/iges					igs iges
 model/mesh					msh mesh silo
 model/vnd.dwf					dwf
@@@@ -894,6 +918,7 @@@@
 text/t140
 text/tab-separated-values			tsv
 text/troff					t tr roff man me ms
+text/ulpfec
 text/uri-list					uri uris urls
 text/vnd.abc
 text/vnd.curl
@@@@ -909,6 +934,7 @@@@
 text/vnd.motorola.reflex
 text/vnd.ms-mediapackage
 text/vnd.net2phone.commcenter.command
+text/vnd.si.uricatalogue
 text/vnd.sun.j2me.app-descriptor		jad
 text/vnd.trolltech.linguist
 text/vnd.wap.si
@@@@ -957,6 +983,7 @@@@
 video/rtp-enc-aescm128
 video/rtx
 video/smpte292m
+video/ulpfec
 video/vc1
 video/vnd.dlna.mpeg-tts
 video/vnd.fvt					fvt
diff -ur src/CHANGES apache_1.3.41/src/CHANGES
--- src/CHANGES	2007-09-04 14:28:53.000000000 +0200
+++ apache_1.3.41/src/CHANGES	2008-01-09 15:33:07.000000000 +0100
@@@@ -1,3 +1,29 @@@@
+Changes with Apache 1.3.41
+
+  *) SECURITY: CVE-2007-6388 (cve.mitre.org)
+     mod_status: Ensure refresh parameter is numeric to prevent
+     a possible XSS attack caused by redirecting to other URLs.
+     Reported by SecurityReason.  [Mark Cox]
+
+Changes with Apache 1.3.40 (not released)
+
+  *) SECURITY: CVE-2007-5000 (cve.mitre.org)
+     mod_imap: Fix cross-site scripting issue.  Reported by JPCERT.
+     [Joe Orton]
+
+  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
+     mod_proxy: Prevent reading past the end of a buffer when parsing
+     date-related headers.  PR 41144.
+     With Apache 1.3, the denial of service vulnerability applies only 
+     to the Windows and NetWare platforms.
+     [Jeff Trawick]
+
+  *) More efficient implementation of the CVE-2007-3304 PID table
+     patch. This fixes issues with excessive memory usage by the
+     parent process if long-running and with a high number of child
+     process forks during that timeframe. Also fixes bogus "Bad pid"
+     errors. [Jim Jagielski, Jeff Trawick]
+
 Changes with Apache 1.3.39
 
   *) SECURITY: CVE-2006-5752 (cve.mitre.org)
diff -ur src/Configure apache_1.3.41/src/Configure
--- src/Configure	2007-08-10 17:45:50.000000000 +0200
+++ apache_1.3.41/src/Configure	2008-01-04 15:40:05.000000000 +0100
@@@@ -1936,7 +1936,7 @@@@
 	#    select the special subtarget for shared core generation
 	SUBTARGET=target_shared
 	#    determine additional suffixes for libhttpd.so
-	V=1 R=3 P=39
+	V=1 R=3 P=41
 	if [ "x$SHLIB_SUFFIX_DEPTH" = "x0" ]; then
 	    SHLIB_SUFFIX_LIST=""
 	fi
diff -ur src/include/httpd.h apache_1.3.41/src/include/httpd.h
--- src/include/httpd.h	2007-09-04 14:28:53.000000000 +0200
+++ apache_1.3.41/src/include/httpd.h	2008-01-10 17:20:45.000000000 +0100
@@@@ -389,7 +389,7 @@@@
 
 #define SERVER_BASEVENDOR   "Apache Group"
 #define SERVER_BASEPRODUCT  "Apache"
-#define SERVER_BASEREVISION "1.3.39"
+#define SERVER_BASEREVISION "1.3.41"
 #define SERVER_BASEVERSION  SERVER_BASEPRODUCT "/" SERVER_BASEREVISION
 
 #define SERVER_PRODUCT  SERVER_BASEPRODUCT
@@@@ -410,7 +410,7 @@@@
  * Always increases along the same track as the source branch.
  * For example, Apache 1.4.2 would be '10402100', 2.5b7 would be '20500007'.
  */
-#define APACHE_RELEASE 10339100
+#define APACHE_RELEASE 10341100
 
 #define SERVER_PROTOCOL "HTTP/1.1"
 #ifndef SERVER_SUPPORT
diff -ur src/main/http_main.c apache_1.3.41/src/main/http_main.c
--- src/main/http_main.c	2007-06-04 21:26:21.000000000 +0200
+++ apache_1.3.41/src/main/http_main.c	2007-11-15 22:31:15.000000000 +0100
@@@@ -362,7 +362,7 @@@@
 /*
  * Parent process local storage of child pids
  */
-static table *pid_table;
+static int pid_table[HARD_SERVER_LIMIT];
 
 /*
  * Pieces for managing the contents of the Server response header
@@@@ -384,26 +384,34 @@@@
  */
 
 static int in_pid_table(int pid) {
-    char apid[64];      /* WAY generous! */
-    const char *spid;
-    ap_snprintf(apid, sizeof(apid), "%d", pid);
-    spid = ap_table_get(pid_table, apid);
-    if (spid && spid[0] == '1' && spid[1] == '\0')
-        return 1;
-    else
-        return 0;
+    int i;
+    for (i = 0; i < HARD_SERVER_LIMIT; i++) {
+        if (pid_table[i] == pid) {
+            return 1;
+        }
+    }
+    return 0;
 }
 
 static void set_pid_table(int pid) {
-    char apid[64];
-    ap_snprintf(apid, sizeof(apid), "%d", pid);
-    ap_table_set(pid_table, apid, "1");
+    int i;
+    for (i = 0; i < HARD_SERVER_LIMIT; i++) {
+        if (pid_table[i] == 0) {
+            pid_table[i] = pid;
+            break;
+        }
+    }
+    /* NOTE: Error detection?? */
 }
 
 static void unset_pid_table(int pid) {
-    char apid[64];
-    ap_snprintf(apid, sizeof(apid), "%d", pid);
-    ap_table_unset(pid_table, apid);
+    int i;
+    for (i = 0; i < HARD_SERVER_LIMIT; i++) {
+        if (pid_table[i] == pid) {
+            pid_table[i] = 0;
+            break;
+        }
+    }
 }
 
 /*
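Review bot: With 0 doubling as the empty-slot sentinel, `in_pid_table(0)` returns 1 as soon as any slot is free, so a caller that passes the 0 pid a dead scoreboard slot now holds (the -2680 hunk writes `parent[child_num].pid = 0`) would be told it is a known child; a guard `if (pid <= 0) return 0;` at the top of in_pid_table closes that. set_pid_table silently drops the pid when all HARD_SERVER_LIMIT slots are occupied, which the `/* NOTE: Error detection?? */` marker admits, and from then on in_pid_table rejects a child the parent really did fork; logging the full-table case where the loop falls through would at least make the condition visible. Unlike the ap_table_set it replaces, set_pid_table also stores a pid a second time when it is already present, and unset_pid_table then clears only one copy; whether a set can happen without an intervening unset depends on callers outside this hunk.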
@@@@ -2680,7 +2688,10 @@@@
 	    ss->vhostrec =  r->server;
 	}
     }
-    if (status == SERVER_STARTING && r == NULL) {
+    if (status == SERVER_DEAD) {
+        ap_scoreboard_image->parent[child_num].pid = 0;
+    }
+    else if (status == SERVER_STARTING && r == NULL) {
 	/* clean up the slot's vhostrec pointer (maybe re-used)
 	 * and mark the slot as belonging to a new generation.
 	 */
@@@@ -4370,6 +4381,7 @@@@
  */
 static void common_init(void)
 {
+    int i;
     INIT_SIGLIST()
 #ifdef AUX3
     (void) set42sig();
@@@@ -4465,6 +4477,9 @@@@
     ap_server_post_read_config = ap_make_array(pcommands, 1, sizeof(char *));
     ap_server_config_defines   = ap_make_array(pcommands, 1, sizeof(char *));
-    pid_table                  = ap_make_table(pglobal, HARD_SERVER_LIMIT);
+    /* overkill since static */
+    for (i = 0; i < HARD_SERVER_LIMIT; i++) {
+        pid_table[i] = 0;
+    }
 
 #ifdef EAPI
     ap_hook_init();
diff -ur src/modules/proxy/proxy_util.c apache_1.3.41/src/modules/proxy/proxy_util.c
--- src/modules/proxy/proxy_util.c	2006-07-12 10:16:05.000000000 +0200
+++ apache_1.3.41/src/modules/proxy/proxy_util.c	2007-10-30 20:17:03.000000000 +0100
@@@@ -282,7 +282,8 @@@@
         *q = ',';
         if (wk == 7)
             return x;           /* not a valid date */
-        if (q[4] != '-' || q[8] != '-' || q[11] != ' ' || q[14] != ':' ||
+        if (strlen(q) != 24 ||
+            q[4] != '-' || q[8] != '-' || q[11] != ' ' || q[14] != ':' ||
             q[17] != ':' || strcmp(&q[20], " GMT") != 0)
             return x;
         if (sscanf(q + 2, "%u-%3s-%u %u:%u:%u %3s", &mday, month, &year,
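Review bot: The bare `24` added here, and again in the asctime() branch of the -294 hunk, is the exact length of the fixed-layout date that the following index tests assume, and a name or a one-line comment such as `/* fixed-width date: exactly 24 chars, so q[4]..q[23] are in bounds */` would tie the two together. The fix is correct only because `||` short-circuits, so the indexed reads happen after the length test; that is worth stating in the comment as well. In the second hunk `x[24] != '\0'` is now implied by `strlen(x) == 24` and can be dropped. The enclosing function starts and ends outside both hunks.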
@@@@ -294,8 +295,9 @@@@
             year += 1900;
     }
     else {
-/* check for acstime() date */
-        if (x[3] != ' ' || x[7] != ' ' || x[10] != ' ' || x[13] != ':' ||
+/* check for asctime() date */
+        if (strlen(x) != 24 ||
+            x[3] != ' ' || x[7] != ' ' || x[10] != ' ' || x[13] != ':' ||
             x[16] != ':' || x[19] != ' ' || x[24] != '\0')
             return x;
         if (sscanf(x, "%3s %3s %u %u:%u:%u %u", week, month, &mday, &hour,
diff -ur src/modules/standard/mod_imap.c apache_1.3.41/src/modules/standard/mod_imap.c
--- src/modules/standard/mod_imap.c	2006-07-12 10:16:05.000000000 +0200
+++ apache_1.3.41/src/modules/standard/mod_imap.c	2007-12-12 13:36:54.000000000 +0100
@@@@ -463,7 +463,7 @@@@
 
 static void menu_header(request_rec *r, char *menu)
 {
-    r->content_type = "text/html";
+    r->content_type = "text/html; charset=ISO-8859-1";
     ap_send_http_header(r);
 #ifdef CHARSET_EBCDIC
     /* Server-generated response, converted */
@@@@ -471,11 +471,13 @@@@
 #endif
     ap_hard_timeout("send menu", r);       /* killed in menu_footer */
 
-    ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri,
-           "</title>\n</head><body>\n", NULL);
+    ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", 
+              ap_escape_html(r->pool, r->uri),
+              "</title>\n</head><body>\n", NULL);
 
     if (!strcasecmp(menu, "formatted")) {
-        ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr>\n\n", NULL);
+        ap_rvputs(r, "<h1>Menu for ", ap_escape_html(r->pool, r->uri),
+                  "</h1>\n<hr>\n\n", NULL);
     }
 
     return;
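Review bot: `ap_escape_html(r->pool, r->uri)` is evaluated twice in this hunk, once for the `<title>` and once for the `<h1>`; hoisting it into one local before the first ap_rvputs, `const char *esc_uri = ap_escape_html(r->pool, r->uri);`, and passing `esc_uri` to both calls escapes the string once and keeps the two outputs identical by construction. menu_header's signature and the content_type charset change belong to the preceding -463 hunk, outside this one.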
diff -ur src/modules/standard/mod_status.c apache_1.3.41/src/modules/standard/mod_status.c
--- src/modules/standard/mod_status.c	2007-07-24 20:03:56.000000000 +0200
+++ apache_1.3.41/src/modules/standard/mod_status.c	2008-01-07 03:31:11.000000000 +0100
@@@@ -232,17 +232,15 @@@@
 	while (status_options[i].id != STAT_OPT_END) {
 	    if ((loc = strstr(r->args, status_options[i].form_data_str)) != NULL) {
 		switch (status_options[i].id) {
-		case STAT_OPT_REFRESH:
-		    if (*(loc + strlen(status_options[i].form_data_str)) == '='
-                        && atol(loc + strlen(status_options[i].form_data_str) 
-                                    + 1) > 0)
-			ap_table_set(r->headers_out,
-			      status_options[i].hdr_out_str,
-			      loc + strlen(status_options[i].hdr_out_str) + 1);
-		    else
-			ap_table_set(r->headers_out,
-			      status_options[i].hdr_out_str, "1");
-		    break;
+                case STAT_OPT_REFRESH: {
+                    long refreshtime = 0;
+                    if (*(loc + strlen(status_options[i].form_data_str)) == '=')
+                        refreshtime = atol(loc + strlen(status_options[i].form_data_str)+1);
+                    ap_table_set(r->headers_out,
+                                 status_options[i].hdr_out_str,
+                                 ap_psprintf(r->pool,"%ld",(refreshtime<1)?10:refreshtime));
+                    break;
+                }
 		case STAT_OPT_NOTABLE:
 		    no_table_report = 1;
 		    break;
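Review bot: `atol` on the request-supplied `refresh=` value has undefined behaviour when the digits exceed the range of long (C99 7.20.1), and the `refreshtime<1` fallback also hides any parse failure; `strtol` with an end pointer and an ERANGE check, e.g. `refreshtime = strtol(val, &end, 10); if (end == val || errno == ERANGE) refreshtime = 0;` with `val` pointing just past the `=`, preserves the numeric-only output this fix relies on while handling out-of-range input deterministically. The replaced lines are indented with spaces while the surrounding switch uses tabs, so the new case stands out in the file. The default when the value is missing or non-positive changes from the old `"1"` to 10, which the CHANGES entry for CVE-2007-6388 does not mention; a short comment on the `10` would document that choice. The enclosing while loop starts outside the hunk.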
@


1.1
log
@- Security patch
Security: CVE-2007-6388
Security: CVE-2007-5000
Security: CVE-2007-3847
Reported by:	Thomas Vogt
@
text
@@

