This commit was manufactured by cvs2svn to create tag
'APACHE_2_0_47'.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/tags/2.0.47@100513 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/CHANGES b/CHANGES
index 7616063..9884dc6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,9 +1,25 @@
Changes with Apache 2.0.47
- *) Prevent the server from crashing when entering infinite loops. The
- new LimitInternalRecursion directive configures limits of subsequent
- internal redirects and nested subrequests, after which the request
- will be aborted. PR 19753 (and probably others).
+ *) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
+ of per-directory renegotiations and the SSLCipherSuite directive
+ being used to upgrade from a weak ciphersuite to a strong one
+ could result in the weak ciphersuite being used in place of the
+ strong one. [Ben Laurie]
+
+ *) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
+ temporary denial of service when accept() on a rarely accessed port
+ returns certain errors. Reported by Saheed Akhtar
+ <S.Akhtar@talis.com>. [Jeff Trawick]
+
+ *) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
+ of service when target host is IPv6 but proxy server can't create
+ IPv6 socket. Fixed by the reporter. [Yoshioka Tsuneo
+ <tsuneo.yoshioka@f-secure.com>]
+
+ *) SECURITY [VU#379828] Prevent the server from crashing when entering
+ infinite loops. The new LimitInternalRecursion directive configures
+ limits of subsequent internal redirects and nested subrequests, after
+ which the request will be aborted. PR 19753 (and probably others).
[William Rowe, Jeff Trawick, André Malo]
*) core_output_filter: don't split the brigade after a FLUSH bucket if
diff --git a/include/ap_release.h b/include/ap_release.h
index 8d6f437..7c9e742 100644
--- a/include/ap_release.h
+++ b/include/ap_release.h
@@ -75,7 +75,7 @@
#define AP_SERVER_BASEPRODUCT "Apache"
#define AP_SERVER_MAJORVERSION "2"
#define AP_SERVER_MINORVERSION "0"
-#define AP_SERVER_PATCHLEVEL "47-dev"
+#define AP_SERVER_PATCHLEVEL "47"
#define AP_SERVER_MINORREVISION AP_SERVER_MAJORVERSION "." AP_SERVER_MINORVERSION
#define AP_SERVER_BASEREVISION AP_SERVER_MINORREVISION "." AP_SERVER_PATCHLEVEL
#define AP_SERVER_BASEVERSION AP_SERVER_BASEPRODUCT "/" AP_SERVER_BASEREVISION
diff --git a/modules/proxy/proxy_ftp.c b/modules/proxy/proxy_ftp.c
index 2792058..c38773c 100644
--- a/modules/proxy/proxy_ftp.c
+++ b/modules/proxy/proxy_ftp.c
@@ -957,6 +957,7 @@
if ((rv = apr_socket_create(&sock, connect_addr->family, SOCK_STREAM, r->pool)) != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
"proxy: FTP: error creating socket");
+ connect_addr = connect_addr->next;
continue;
}
@@ -974,6 +975,7 @@
#ifndef _OSD_POSIX /* BS2000 has this option "always on" */
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
"proxy: FTP: error setting reuseaddr option: apr_socket_opt_set(APR_SO_REUSEADDR)");
+ connect_addr = connect_addr->next;
continue;
#endif /* _OSD_POSIX */
}
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 628d862..2d628b8 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -432,7 +432,7 @@
SSL_set_verify_result(ssl, X509_V_OK);
/* determine whether we've to force a renegotiation */
- if (verify != verify_old) {
+ if (!renegotiate && verify != verify_old) {
if (((verify_old == SSL_VERIFY_NONE) &&
(verify != SSL_VERIFY_NONE)) ||
diff --git a/server/mpm/prefork/prefork.c b/server/mpm/prefork/prefork.c
index 64aea20..1b92f84 100644
--- a/server/mpm/prefork/prefork.c
+++ b/server/mpm/prefork/prefork.c
@@ -672,19 +672,17 @@
/* if we accept() something we don't want to die, so we have to
* defer the exit
*/
- for (;;) {
- status = listensocks[offset].accept_func(&csd,
- &listensocks[offset], ptrans);
+ status = listensocks[offset].accept_func(&csd,
+ &listensocks[offset], ptrans);
+ SAFE_ACCEPT(accept_mutex_off()); /* unlock after "accept" */
- if (status == APR_SUCCESS) {
- break;
- }
- if (status == APR_EGENERAL) {
- /* resource shortage or should-not-occur occured */
- clean_child_exit(1);
- }
+ if (status == APR_EGENERAL) {
+ /* resource shortage or should-not-occur occured */
+ clean_child_exit(1);
}
- SAFE_ACCEPT(accept_mutex_off()); /* unlock after "accept" */
+ else if (status != APR_SUCCESS) {
+ continue;
+ }
/*
* We now have a connection, so set it up with the appropriate
