| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
from sthen@. discussed w/ millert@. "yep" sthen@.
|
| | |
|
| |
|
|
|
|
|
|
| |
port to be set in the config file instead of using HTTP_DEFAULT_PORT
in all cases. Prevent a segfault that would happen when the SSL
connection from the proxy fails.
Problem found and analyzed by Mischa Diehm; fix by me.
|
| |
|
|
|
|
|
|
| |
It has also been moved to /usr/share/doc/html/httpd/. This will
ease sysmerge upgrades and help keep htdocs clean.
Help from okan and phessler, doc tweaks by jmc
ok deraadt@ millert@ beck@
|
| |
|
|
| |
ok henning
|
| |
|
|
|
|
| |
markers.
no binary changes
|
| |
|
|
|
|
| |
Add OpenBSD cvs markers.
No binary changes.
|
| | |
|
| |
|
|
| |
no binary changes.
|
| |
|
|
| |
no binary changes.
|
| |
|
|
| |
No binary changes.
|
| |
|
|
| |
Suggested by djm a while ago. No binary changes.
|
| |
|
|
| |
Documentation corrections and spelling by jmc.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
no options are given on the commandline, it is set to PF_INET.
The configuration file parser did not use this variable in all cases, but
used PF_UNSPEC for getaddrinfo/getnameinfo, leading to bogus error messages
in some cases (but httpd operated as expected). Use the global variable
instead of the hardcode PF_UNSPEC in the cases.
Add a new commandline flag, -U, to set the default address family to
PF_UNSPEC for ambigous directives.
Discussed with sthen.
|
| |
|
|
|
| |
not tested on them. Older gcc's require decl before code, and this
is supposed to be portable code in that sense.
|
| |
|
|
| |
ok (some time ago) jmc@
|
| |
|
|
| |
no binary change.
|
| | |
|
| |
|
|
| |
no binary changes.
|
| |
|
|
| |
no binary changes.
|
| |
|
|
| |
no binary change.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
to merge from upstream, we can safely sanitize the code and hopefully
the build system.
Discussed with and feedback from sthen, todd, dlg and henning.
no binary changes.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
existing installations. See the documentation for the IPv6 related
configuration.
This changes the module ABI since addresses are now struct addrinfo.
This has been tested by many people and run on production machines
for several months.
feedback many, ok todd
|
| | |
|
| |
|
|
|
|
|
| |
Use arc4random_uniform() when the desired random number upper bound
is not a power of two
ok deraadt@ millert@
|
| |
|
|
|
|
|
|
| |
does an unsigned comparison and read() can return -1. Use '!=' instead
of '<' since read() can't return more than 'sizeof Y'. Not perfect
(that would require a separate test for -1) but a very common usage.
ok henning@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A flaw was found in the mod_status module. On sites where mod_status
is enabled and the status pages were publicly accessible, a cross-site
scripting attack is possible. Note that the server-status page is
not enabled by default and it is best practice to not make this
publicly available.
Fix mod_imap XSS CVE-2007-5000:
A flaw was found in the mod_imap module. On sites where mod_imap
is enabled and an imagemap file is publicly available, a cross-site
scripting attack is possible.
ok miod@
|
| | |
|
| |
|
|
|
|
|
| |
or -T option is specified, which is only going to do a syntax check on
the config file(s)
ok henning@, deraadt@
|
| | |
|
| |
|
|
| |
tech@ by Jung.
|
| |
|
|
| |
ok pyr@, ray@, millert@, moritz@, chl@
|
| |
|
|
|
|
| |
of open filedescriptors (like RLimitNPROC for the number of processes).
ok ckuethe, "no objection" henning
|
| |
|
|
|
|
|
|
|
|
|
| |
The Apache HTTP server did not verify that a process was an Apache child
process before sending it signals. A local attacker with the ability to
run scripts on the HTTP server could manipulate the scoreboard and cause
arbitrary processes to be terminated which could lead to a denial of
service.
ok miod@ (who also noticed to protect reclaim_child_processes); henning@;
djm@
|
| |
|
|
|
|
|
|
|
|
| |
A flaw was found in the mod_status module. On sites where the
server-status page is publicly accessible and ExtendedStatus is enabled
this could lead to a cross-site scripting attack. Note that the
server-status page is not enabled by default and it is best practice to
not make this publicly available.
ok miod@, henning@
|
| |
|
|
| |
PR5549, From: veins@evilkittens.org
|
| |
|
|
|
| |
overflow in SSL session id parsing (by reaching a negative size arg)
ok henning
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This unbreaks some configuration scripts.
ok henning@, xsa@, espie@
|
| |
|
|
|
| |
noticed by Igor Sobrado
ok henning
|
| | |
|
| |
|
|
|
| |
programs.
prompted by deraadt@ and cloder@, ok cloder@, henning@, xsa@
|
| |
|
|
| |
ok deraadt millert
|
| |
|
|
|
|
|
|
|
| |
- Use sizeof(buf) instead of BUFSIZ.
- Only overwrite '\n'.
From Charles Longeau.
OK millert@ and moritz@.
|
| | |
|
| |
|
|
|
|
|
|
| |
sizeof(buf) - 1 to sizeof(buf), since fgets takes the whole buffer size.
Based on diff from Charles Longeau <chl at tuxfamily dot org> long ago.
OK millert@.
|
| | |
|
martynas
mbalmer
jdixon
jmc
deraadt
sobrado
djm
krw
espie
robert
gilles
henning
pvalchev
tedu
pyr
ray
david