author | (no author) <(no author)@unknown> | 2003-07-09 11:37:39 +0000 |
---|---|---|
committer | (no author) <(no author)@unknown> | 2003-07-09 11:37:39 +0000 |
commit | 2c9dfbb7bac6e086b6c72f739a5a5b952f28d6c0 (patch) | |
tree | 7f53ff50dd950beeb8048e9849a9b8711170315c | |
parent | 410b68930ad6a97d7a4873fb04bec2a311197c1e (diff) | |
download | httpd-2c9dfbb7bac6e086b6c72f739a5a5b952f28d6c0.tar.gz |
This commit was manufactured by cvs2svn to create tag2.0.47
'APACHE_2_0_47'.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/tags/2.0.47@100513 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 24 | ||||
-rw-r--r-- | include/ap_release.h | 2 | ||||
-rw-r--r-- | modules/proxy/proxy_ftp.c | 2 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_kernel.c | 2 | ||||
-rw-r--r-- | server/mpm/prefork/prefork.c | 20 |
5 files changed, 33 insertions, 17 deletions
@@ -1,9 +1,25 @@
 Changes with Apache 2.0.47
- *) Prevent the server from crashing when entering infinite loops. The
- new LimitInternalRecursion directive configures limits of subsequent
- internal redirects and nested subrequests, after which the request
- will be aborted. PR 19753 (and probably others).
+ *) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
+ of per-directory renegotiations and the SSLCipherSuite directive
+ being used to upgrade from a weak ciphersuite to a strong one
+ could result in the weak ciphersuite being used in place of the
+ strong one. [Ben Laurie]
+
+ *) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
+ temporary denial of service when accept() on a rarely accessed port
+ returns certain errors. Reported by Saheed Akhtar
+ <S.Akhtar@talis.com>. [Jeff Trawick]
+
+ *) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
+ of service when target host is IPv6 but proxy server can't create
+ IPv6 socket. Fixed by the reporter. [Yoshioka Tsuneo
+ <tsuneo.yoshioka@f-secure.com>]
+
+ *) SECURITY [VU#379828] Prevent the server from crashing when entering
+ infinite loops. The new LimitInternalRecursion directive configures
+ limits of subsequent internal redirects and nested subrequests, after
+ which the request will be aborted. PR 19753 (and probably others).
 [William Rowe, Jeff Trawick, André Malo]
 *) core_output_filter: don't split the brigade after a FLUSH bucket if
diff --git a/include/ap_release.h b/include/ap_release.h
index 8d6f43752e..7c9e742cfa 100644
--- a/include/ap_release.h
+++ b/include/ap_release.h
@@ -75,7 +75,7 @@
 #define AP_SERVER_BASEPRODUCT "Apache"
 #define AP_SERVER_MAJORVERSION "2"
 #define AP_SERVER_MINORVERSION "0"
-#define AP_SERVER_PATCHLEVEL "47-dev"
+#define AP_SERVER_PATCHLEVEL "47"
 #define AP_SERVER_MINORREVISION AP_SERVER_MAJORVERSION "." AP_SERVER_MINORVERSION
 #define AP_SERVER_BASEREVISION AP_SERVER_MINORREVISION "." AP_SERVER_PATCHLEVEL
 #define AP_SERVER_BASEVERSION AP_SERVER_BASEPRODUCT "/" AP_SERVER_BASEREVISION
diff --git a/modules/proxy/proxy_ftp.c b/modules/proxy/proxy_ftp.c
index 279205884e..c38773cb6b 100644
--- a/modules/proxy/proxy_ftp.c
+++ b/modules/proxy/proxy_ftp.c
@@ -957,6 +957,7 @@ int ap_proxy_ftp_handler(request_rec *r, proxy_server_conf *conf,
 if ((rv = apr_socket_create(&sock, connect_addr->family, SOCK_STREAM, r->pool)) != APR_SUCCESS) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
 "proxy: FTP: error creating socket");
+ connect_addr = connect_addr->next;
 continue;
 }
@@ -974,6 +975,7 @@ int ap_proxy_ftp_handler(request_rec *r, proxy_server_conf *conf,
 #ifndef _OSD_POSIX /* BS2000 has this option "always on" */
 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
 "proxy: FTP: error setting reuseaddr option: apr_socket_opt_set(APR_SO_REUSEADDR)");
+ connect_addr = connect_addr->next;
 continue;
 #endif /* _OSD_POSIX */
 }
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 628d862ff2..2d628b8529 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -432,7 +432,7 @@ int ssl_hook_Access(request_rec *r)
 SSL_set_verify_result(ssl, X509_V_OK);
 /* determine whether we've to force a renegotiation */
- if (verify != verify_old) {
+ if (!renegotiate && verify != verify_old) {
 if (((verify_old == SSL_VERIFY_NONE) &&
 (verify != SSL_VERIFY_NONE)) ||
diff --git a/server/mpm/prefork/prefork.c b/server/mpm/prefork/prefork.c
index 64aea20367..1b92f8471e 100644
--- a/server/mpm/prefork/prefork.c
+++ b/server/mpm/prefork/prefork.c
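Review bot: In modules/proxy/proxy_ftp.c, both error paths in ap_proxy_ftp_handler (the apr_socket_create failure at -957 and the APR_SO_REUSEADDR failure at -974) now advance `connect_addr` by hand before `continue`, so the fix holds only as long as every later early exit repeats that line. The loop header is outside both hunks; if it is a plain loop on `connect_addr`, moving the advance into the loop statement, e.g. `for (; connect_addr; connect_addr = connect_addr->next)`, would rule out retrying the same address forever, provided the success path is adjusted to match. Short of that, each added line deserves a comment such as `/* advance first: continue without this retries the same address forever (CAN-2003-0254) */`. The two APLOG_ERR messages also do not say which address or family failed, which makes a run of these entries harder to triage.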
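Review bot: The new `!renegotiate &&` guard in ssl_hook_Access (modules/ssl/ssl_engine_kernel.c, -432) carries no comment saying why the verify-mode comparison is skipped once a renegotiation is already pending, and the existing comment above it still reads as if the block always runs. The body of this `if` and the code that sets `renegotiate` earlier are outside the hunk, so it is worth confirming that nothing else the block does is still needed when `verify != verify_old` and `renegotiate` is already set. Going by the CHANGES entry for CAN-2003-0192, a comment like `/* a renegotiation is already required (e.g. SSLCipherSuite upgrade); do not re-evaluate it from the verify mode */` would keep a later edit from dropping the guard.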
@@ -672,19 +672,17 @@ static void child_main(int child_num_arg)
 /* if we accept() something we don't want to die, so we have to
 * defer the exit
 */
- for (;;) {
- status = listensocks[offset].accept_func(&csd,
- &listensocks[offset], ptrans);
+ status = listensocks[offset].accept_func(&csd,
+ &listensocks[offset], ptrans);
+ SAFE_ACCEPT(accept_mutex_off()); /* unlock after "accept" */
- if (status == APR_SUCCESS) {
- break;
- }
- if (status == APR_EGENERAL) {
- /* resource shortage or should-not-occur occured */
- clean_child_exit(1);
- }
+ if (status == APR_EGENERAL) {
+ /* resource shortage or should-not-occur occured */
+ clean_child_exit(1);
+ }
+ else if (status != APR_SUCCESS) {
+ continue;
 }
- SAFE_ACCEPT(accept_mutex_off()); /* unlock after "accept" */
 /*
 * We now have a connection, so set it up with the appropriate |
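Review bot: In child_main (server/mpm/prefork/prefork.c), the new `else if (status != APR_SUCCESS) { continue; }` branch discards the accept status without a log entry or a comment, so repeated failures on a listener are visible only if accept_func logs them itself, which this hunk does not show. The `continue` targets a loop whose header is outside the hunk, and the fix relies on that loop resetting per-iteration state (for instance anything accept_func allocated from `ptrans`) before the next attempt; that should be confirmed. I would put `/* transient accept error: mutex already released above, go back and pick a listener again (CAN-2003-0253) */` on the branch. The carried-over comment also has a typo: `occured` should be `occurred`.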