unknown
2008-01-29 22:03:58 UTC
Hello.
An apache package that has changed rather heavily over the past year
and a half has been sent to backports/2.4; personally I think the changes
were for the better, but if there are apache users on M24 here -- they
should probably read through them and take them into account.
This build is in use by me (although it is most likely the last one
for 2.4).
* Tue Jan 29 2008 Michael Shigorin <mike at altlinux> 1.3.41rusPL30.23-alt0.M24.1
- built for M24
- dropped old backports-specific changelog part
* Sat Jan 19 2008 Michael Shigorin <mike at altlinux> 1.3.41rusPL30.23-alt1
- 1.3.41 contains security fix for:
+ CVE-2007-6388: mod_status: ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs
- 1.3.40 (unreleased) contains security fixes for:
+ CVE-2007-5000: mod_imap: fix cross-site scripting issue
+ CVE-2007-3847: mod_proxy Windows/NetWare-specific DoS
+ CVE-2007-3304: more efficient patch, also fixes bogus "Bad pid" errors
- http://www.apache.org/dist/httpd/CHANGES_1.3.41 for details
- updated EAPI to hand-made 2.8.30a with build fix kindly sent in
by Dan Muey <dan cpanel net> (rolled into EAPI tarball by me;
releasing as 2.8.30a-1.3.41 along with mod_ssl)
* Wed Oct 03 2007 Michael Shigorin <mike at altlinux> 1.3.39rusPL30.23-alt2
- modify packaged httpd.conf to disable directory autoindexing by default
(/home/*/public_html stay indexed though); you might want to reconsider
that in case the configuration wasn't touched at all (thus will be replaced
during package upgrade) but directory indexes are needed (fixes #12898,
thanks Timur Batyrshin <batyrshin ieml ru> for proposal/discussion/patch)
* Thu Sep 13 2007 Michael Shigorin <mike at altlinux> 1.3.39rusPL30.23-alt1
- 1.3.39 merges security fixes for:
+ CVE-2006-5752: possible XSS attack against mod_status
(exploitation requires public server-status page and ExtendedStatus enabled
and a browser which performs charset "detection")
+ CVE-2007-3304: ensure that the parent process cannot be forced to kill
non-child processes by checking scoreboard PID data with parent process
privately stored PID data [this one was fixed by a patch before]
- upstream mime.types updated to current IANA registry and common unregistered
types that the owners refuse to register (see apache-mime.types.default)
- icons/README.html instead of icons/small/README.txt
- there was no Apache 1.3.38
- updated EAPI to 2.8.30
* Thu Aug 30 2007 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.23-alt6
- changed conftest() usage in initscript so that running processes
which are still using valid configuration wouldn't be terminated
if current configuration test fails; thanks nginx.init by mithraen@
for bringing this to my attention
* Tue Jul 31 2007 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.23-alt5
- merged security fix from RHEL2.1 (RH#245116):
+ CVE-2007-3304 (DoS by referencing an arbitrary process ID in scoreboard
which then gets SIGUSR1 from master process; requires scripting ability)
* Tue Jun 26 2007 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.23-alt4
- verified and disambiguated mime types; thanks Denis Smirnov (mithraen@)
for a linter pass (fixes: #12141, #11461)
* Fri Apr 06 2007 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.23-alt3
- rebuilt against recent libmm
* Thu Mar 29 2007 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.23-alt2
- added minimal patch for mod_perl aimed at fixing CVE-2007-1349:
DoS possibility with specially crafted requests in "PerlRun.pm"
that uses the "path_info" variable without properly escaping it;
thanks Randal L. Schwartz (merlyn stonehenge com) for a patch
(seems to be also in mod_perl SVN)
- NB: mod_perl 1.30 is released but differs quite significantly,
no time to fix/build/test properly
* Mon Mar 12 2007 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.23-alt1
- updated RA to PL30.23
- wrapped LogFormat in default httpd{,-perl}.conf with IfModule
(#11053; lakostis@ proposed to borrow from apache2 package)
* Fri Dec 22 2006 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.22-alt9
- disable httpd, httpd-perl services startup by default:
that might lead to undesired consequences in case of
"accidentally" installed packages and/or forgetting
about them while configuring services; see also [ru]:
http://lists.altlinux.org/pipermail/devel/2006-December/039909.html
* Thu Nov 23 2006 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.22-alt8
- bring SysV vhosts configuration support to mod_perl part of apache
(thanks Alexey I. Froloff (raorn@) for nice #10308):
+ httpd-perl.conf: Include conf/vhosts/Vhosts-perl.conf
+ add vhosts/Vhosts-perl.conf and vhosts-perl.d/
- got back some changes from alt6 (reverted wholesale in alt7):
+ removed remnants of libdb1
+ fixed gdbm support for mod_rewrite
+ move server child hard limit constant to a macro
(still 1024 by default, just as in patch9 still left
in src.rpm just in case too but not applied anymore)
(the bug was #5748, for reference)
- added TUNING.ALT file with tips on performance tuning
(regarding #5748 again)
- minor spec cleanup (more intrusive one pending)
* Sat Oct 21 2006 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.22-alt7
- roll back alt6* changes since they are too intrusive by now,
those who need log files or static content larger than 2Gb
are advised to rotate logs, use nginx for downloads, or look
at https://bugzilla.altlinux.org/show_bug.cgi?id=9382 for
working, but resulting in binary incompatible apache, spec
- added hint on mod_rewrite/mod_security order to default httpd.conf
* Tue Oct 17 2006 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.22-alt6.1
- few more feeble tweaks at LFS (these will likely fail -- upstream
seems to have had hostile enough stand to "that 1.3 being preferred
to 2.0" to break former ways of enabling LFS on it, telling people
should wait until 2.2; see also apache bugs #17453, #36417)
* Sun Oct 15 2006 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.22-alt6
- scalability improvements:
+ support large logfiles (>2Gb) by default (#9382);
thanks eostapets@ for alarm and raorn@ for sample spec
+ hopefully fixed gdbm support for mod_rewrite (by raorn@
in the same stripped-down/fixed-up spec)
+ move server child hard limit constant to a macro
(still 1024 by default, just as in patch9 still left
just in case too)
- s/libdb1-devel/libdb4-devel/ (might break 2.2 build?)
- folks, I need proposals on #2907...
* Sat Oct 14 2006 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.22-alt5
- added application/x-java-jnlp-file, application/x-xpinstall
to mime.types (courtesy of zerg@, see bug #10088)
- added commented-out example of editor backup file protection
to default httpd.conf, httpd-perl.conf (#8489)
* Sat Sep 30 2006 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.22-alt4.1
- oops, ServerSignature was really belonging to later
section (and "off" was overridden with "on" there);
thanks to Pavel Usischev <Usischev/gmail> for #10055
* Tue Sep 26 2006 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.22-alt4
- implement bugchancement #10038 (ServerSignature Off;
ServerTokens ProductOnly in default configuration)
thanks thresh@ and hiddenman@ for reminder
* Fri Sep 01 2006 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.22-alt3
- fix #9928 (default mod_realip.conf); thanks vvk@
* Wed Aug 16 2006 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.22-alt2
- NameVirtualHost-related fix for default sample configuration
(what a shame on me!, and thanks Pavel Usischev for #8385)
* Sat Aug 05 2006 Michael Shigorin <mike at altlinux> 1.3.37rusPL30.22-alt1
--
---- WBR, Michael Shigorin <mike at altlinux.ru>
------ Linux.Kiev http://www.linux.kiev.ua/
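The alt6 entry above changes the initscript so that a running server, still serving with the last valid configuration, is not terminated when the new configuration fails its test. The following script is an added example of that pattern and is not the apache package's own initscript; HTTPD, PIDFILE and CONFTEST_CMD are assumed placeholders (on a real host the test command would be `httpd -t`), and RELOAD_CMD is overridable only so the guard can be exercised without a live server.

```shell
#!/bin/sh
# Added example, not the apache package's own initscript: guard reload
# behind a configuration test so that a running httpd, still serving with
# the last valid configuration, is left alone when the new config is broken.
# HTTPD, PIDFILE and CONFTEST_CMD are assumed placeholders; on a real host
# they would be /usr/sbin/httpd, /var/run/httpd.pid and "$HTTPD -t".
HTTPD=${HTTPD:-/usr/sbin/httpd}
PIDFILE=${PIDFILE:-/var/run/httpd.pid}
CONFTEST_CMD=${CONFTEST_CMD:-"$HTTPD -t"}
RELOAD_CMD=${RELOAD_CMD:-signal_master}   # overridable for testing

# conftest: run the configuration test; show its output only when it fails,
# so a clean test stays quiet in the init log.
conftest() {
    if out=$(eval "$CONFTEST_CMD" 2>&1); then
        return 0
    fi
    printf '%s\n' "$out" >&2
    return 1
}

# signal_master: SIGHUP to the master process (graceful reload in httpd).
signal_master() {
    kill -HUP "$(cat "$PIDFILE")"
}

# safe_reload: test first; only signal the running server if the test
# passed. Returns 1 and leaves the old server running otherwise.
safe_reload() {
    if ! conftest; then
        echo "configuration test failed; running server left untouched" >&2
        return 1
    fi
    $RELOAD_CMD
}

# Usage from an initscript: call safe_reload in the reload/restart branches
# instead of an unconditional stop/start.
case ${1:-} in
reload) safe_reload ;;
esac
```

The same guard belongs in front of a full restart: stopping the old server first and only then discovering that the new configuration does not parse is exactly the outage the changelog entry avoids.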
----------- next part -----------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.altlinux.org/pipermail/backports/attachments/20080130/8fec053f/attachment.bin
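Several entries in the changelog change the packaged default httpd.conf: ServerSignature Off and ServerTokens ProductOnly (alt4), autoindexing off everywhere except ~/public_html (1.3.39-alt2), a commented-out guard for editor backup files (alt5), and the alt4.1 mix-up where a later "ServerSignature On" overrode the earlier "Off". The audit script below is an added example, not part of the package; it checks a configuration file for those settings. Both sample configurations it writes are constructed for illustration, and the checks are deliberately approximate: a directive's last uncommented occurrence wins (which is how the alt4.1 override happens), and <Directory> context is tracked only far enough to allow Indexes under ~/public_html.

```shell
#!/bin/sh
# Added example, not part of the apache package: audit an httpd.conf for the
# hardening defaults discussed in the changelog. Sample configurations are
# constructed. Checks are approximate: last uncommented occurrence wins, and
# <Directory> context is only tracked for the ~/public_html exception.

# check_directive FILE NAME WANT: 0 if the last uncommented NAME line has
# the value WANT (case-insensitive), 1 otherwise.
check_directive() {
    awk -v name="$2" -v want="$3" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(name) { last = tolower($2) }
        END { exit (last == tolower(want) ? 0 : 1) }
    ' "$1"
}

# no_global_indexes FILE: 0 if no Options line enables Indexes outside a
# <Directory> block for ~/public_html, 1 if autoindexing is on elsewhere.
no_global_indexes() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "<directory"  { dir = $0 }
        tolower($1) == "</directory>" { dir = "" }
        tolower($1) == "options" && dir !~ /public_html/ {
            for (i = 2; i <= NF; i++)
                if (tolower($i) ~ /^\+?indexes$/) found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# has_backup_file_guard FILE: 0 if a <FilesMatch> block covers editor backup
# names such as foo~, foo.bak or .foo.swp.
has_backup_file_guard() {
    grep -Eiq '^[[:space:]]*<FilesMatch[[:space:]]+"[^"]*(~|\.bak|\.swp)' "$1"
}

# audit_conf FILE: print one line per check; return the number of failures.
audit_conf() {
    fails=0
    check_directive "$1" ServerSignature Off \
        && echo "ok   ServerSignature Off" \
        || { echo "FAIL ServerSignature is not Off (last occurrence wins)"; fails=$((fails + 1)); }
    check_directive "$1" ServerTokens ProductOnly \
        && echo "ok   ServerTokens ProductOnly" \
        || { echo "FAIL ServerTokens leaks version details"; fails=$((fails + 1)); }
    no_global_indexes "$1" \
        && echo "ok   no directory autoindexing outside ~/public_html" \
        || { echo "FAIL Options Indexes enabled outside ~/public_html"; fails=$((fails + 1)); }
    has_backup_file_guard "$1" \
        && echo "ok   editor backup files are blocked" \
        || { echo "FAIL no <FilesMatch> guard for editor backup files"; fails=$((fails + 1)); }
    return "$fails"
}

# write_sample_conf hardened|weak FILE: constructed sample configurations.
write_sample_conf() {
    case $1 in
    hardened) cat > "$2" <<'EOF'
ServerTokens ProductOnly
ServerSignature Off
<Directory />
    Options -Indexes FollowSymLinks
</Directory>
<Directory "/home/*/public_html">
    Options Indexes FollowSymLinks
</Directory>
<FilesMatch "(~|\.bak|\.orig|\.swp)$">
    Order allow,deny
    Deny from all
</FilesMatch>
<IfModule mod_log_config.c>
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
</IfModule>
EOF
        ;;
    weak) cat > "$2" <<'EOF'
ServerTokens Full
ServerSignature Off
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
# a later section turns the signature back on, as in the alt4.1 mix-up
ServerSignature On
EOF
        ;;
    esac
}
```

Run it as `audit_conf /etc/httpd/conf/httpd.conf` (path assumed); the exit status is the number of failed checks, so it drops into a pre-upgrade check or a config-management test without further wrapping. The hardened sample passes all four checks; the weak sample fails all four, the ServerSignature one precisely because its last occurrence is "On".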