author(no author) <(no author)@unknown>2003-07-09 11:37:39 +0000
committer(no author) <(no author)@unknown>2003-07-09 11:37:39 +0000
commit2c9dfbb7bac6e086b6c72f739a5a5b952f28d6c0 (patch)
tree7f53ff50dd950beeb8048e9849a9b8711170315c
parent410b68930ad6a97d7a4873fb04bec2a311197c1e (diff)
downloadhttpd-2c9dfbb7bac6e086b6c72f739a5a5b952f28d6c0.tar.gz
This commit was manufactured by cvs2svn to create tag2.0.47
'APACHE_2_0_47'. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/tags/2.0.47@100513 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--CHANGES24
-rw-r--r--include/ap_release.h2
-rw-r--r--modules/proxy/proxy_ftp.c2
-rw-r--r--modules/ssl/ssl_engine_kernel.c2
-rw-r--r--server/mpm/prefork/prefork.c20
5 files changed, 33 insertions, 17 deletions
diff --git a/CHANGES b/CHANGES
index 7616063306..9884dc6a48 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,9 +1,25 @@
Changes with Apache 2.0.47
- *) Prevent the server from crashing when entering infinite loops. The
- new LimitInternalRecursion directive configures limits of subsequent
- internal redirects and nested subrequests, after which the request
- will be aborted. PR 19753 (and probably others).
+ *) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
+ of per-directory renegotiations and the SSLCipherSuite directive
+ being used to upgrade from a weak ciphersuite to a strong one
+ could result in the weak ciphersuite being used in place of the
+ strong one. [Ben Laurie]
+
+ *) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
+ temporary denial of service when accept() on a rarely accessed port
+ returns certain errors. Reported by Saheed Akhtar
+ <S.Akhtar@talis.com>. [Jeff Trawick]
+
+ *) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
+ of service when target host is IPv6 but proxy server can't create
+ IPv6 socket. Fixed by the reporter. [Yoshioka Tsuneo
+ <tsuneo.yoshioka@f-secure.com>]
+
+ *) SECURITY [VU#379828] Prevent the server from crashing when entering
+ infinite loops. The new LimitInternalRecursion directive configures
+ limits of subsequent internal redirects and nested subrequests, after
+ which the request will be aborted. PR 19753 (and probably others).
[William Rowe, Jeff Trawick, André Malo]
*) core_output_filter: don't split the brigade after a FLUSH bucket if
diff --git a/include/ap_release.h b/include/ap_release.h
index 8d6f43752e..7c9e742cfa 100644
--- a/include/ap_release.h
+++ b/include/ap_release.h
@@ -75,7 +75,7 @@
#define AP_SERVER_BASEPRODUCT "Apache"
#define AP_SERVER_MAJORVERSION "2"
#define AP_SERVER_MINORVERSION "0"
-#define AP_SERVER_PATCHLEVEL "47-dev"
+#define AP_SERVER_PATCHLEVEL "47"
#define AP_SERVER_MINORREVISION AP_SERVER_MAJORVERSION "." AP_SERVER_MINORVERSION
#define AP_SERVER_BASEREVISION AP_SERVER_MINORREVISION "." AP_SERVER_PATCHLEVEL
#define AP_SERVER_BASEVERSION AP_SERVER_BASEPRODUCT "/" AP_SERVER_BASEREVISION
diff --git a/modules/proxy/proxy_ftp.c b/modules/proxy/proxy_ftp.c
index 279205884e..c38773cb6b 100644
--- a/modules/proxy/proxy_ftp.c
+++ b/modules/proxy/proxy_ftp.c
@@ -957,6 +957,7 @@ int ap_proxy_ftp_handler(request_rec *r, proxy_server_conf *conf,
if ((rv = apr_socket_create(&sock, connect_addr->family, SOCK_STREAM, r->pool)) != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
"proxy: FTP: error creating socket");
+ connect_addr = connect_addr->next;
continue;
}
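Review bot: Advancing `connect_addr` by hand before each `continue` is easy to forget on the next error path added to this loop, and a forgotten advance is what this commit repairs here and in the reuseaddr hunk below. If the enclosing loop (its header is outside the hunk) is a `while (connect_addr)`, writing it as `for (; connect_addr; connect_addr = connect_addr->next)` would make every `continue` advance, though the success path would then need checking for an advance of its own. Any other `continue` in the loop body outside these hunks should be checked for the same omission.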
@@ -974,6 +975,7 @@ int ap_proxy_ftp_handler(request_rec *r, proxy_server_conf *conf,
#ifndef _OSD_POSIX /* BS2000 has this option "always on" */
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
"proxy: FTP: error setting reuseaddr option: apr_socket_opt_set(APR_SO_REUSEADDR)");
+ connect_addr = connect_addr->next;
continue;
#endif /* _OSD_POSIX */
}
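Review bot: On the reuseaddr failure path the socket created earlier in this iteration is not closed before the code moves to the next address. If `sock` here is the one from the `apr_socket_create` call in the previous hunk, it appears to stay open until `r->pool` is cleaned up, so a host with many addresses could hold one descriptor per failed attempt for the life of the request. Adding `apr_socket_close(sock);` before `connect_addr = connect_addr->next;` would release it per address. The surrounding `if` and the loop start outside the hunk, so confirm nothing later relies on `sock` staying open.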
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 628d862ff2..2d628b8529 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -432,7 +432,7 @@ int ssl_hook_Access(request_rec *r)
SSL_set_verify_result(ssl, X509_V_OK);
/* determine whether we've to force a renegotiation */
- if (verify != verify_old) {
+ if (!renegotiate && verify != verify_old) {
if (((verify_old == SSL_VERIFY_NONE) &&
(verify != SSL_VERIFY_NONE)) ||
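Review bot: The new `!renegotiate &&` guard has no comment explaining it, and the existing one ("determine whether we've to force a renegotiation") now reads as if the verify comparison always runs. Judging by the CHANGES entry for CAN-2003-0192, the guard appears intended to stop this block from changing how an already-required renegotiation (for example one triggered by an SSLCipherSuite upgrade) is carried out. I would say so above the condition: `/* skip if a renegotiation is already pending (e.g. cipher suite change) so this block cannot alter how it is performed */`. The body of the `if` continues outside the hunk, so what else it sets besides `renegotiate` should be confirmed there.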
diff --git a/server/mpm/prefork/prefork.c b/server/mpm/prefork/prefork.c
index 64aea20367..1b92f8471e 100644
--- a/server/mpm/prefork/prefork.c
+++ b/server/mpm/prefork/prefork.c
@@ -672,19 +672,17 @@ static void child_main(int child_num_arg)
/* if we accept() something we don't want to die, so we have to
* defer the exit
*/
- for (;;) {
- status = listensocks[offset].accept_func(&csd,
- &listensocks[offset], ptrans);
+ status = listensocks[offset].accept_func(&csd,
+ &listensocks[offset], ptrans);
+ SAFE_ACCEPT(accept_mutex_off()); /* unlock after "accept" */
- if (status == APR_SUCCESS) {
- break;
- }
- if (status == APR_EGENERAL) {
- /* resource shortage or should-not-occur occured */
- clean_child_exit(1);
- }
+ if (status == APR_EGENERAL) {
+ /* resource shortage or should-not-occur occured */
+ clean_child_exit(1);
+ }
+ else if (status != APR_SUCCESS) {
+ continue;
}
- SAFE_ACCEPT(accept_mutex_off()); /* unlock after "accept" */
/*
* We now have a connection, so set it up with the appropriate
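Review bot: Nothing in the new code records why `SAFE_ACCEPT(accept_mutex_off())` now sits directly after the accept call, ahead of every status check. That ordering appears to be the substance of the CAN-2003-0253 fix: every path from here (`clean_child_exit(1)`, `continue`, success) must leave the accept mutex released. I would add above the unlock `/* release the accept mutex before examining status, so no error path retries or exits while holding it */`. The `continue` also retries without logging or back-off, so a persistent non-EGENERAL failure would loop quietly unless accept_func logs the error itself. The enclosing loop and the rest of child_main are outside the hunk.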