SECURITY: CVE-2012-0031 (cve.mitre.org)

                                                         -*- coding: utf-8 -*-

Changes with Apache 2.0.65

  *) SECURITY: CVE-2012-0031 (cve.mitre.org)

     Fix scoreboard issue which could allow an unprivileged child process 

     could cause the parent to crash at shutdown rather than terminate 

     cleanly.  [Joe Orton]

  *) SECURITY: CVE-2011-3607 (cve.mitre.org)

     core: Fix integer overflow in ap_pregsub. This can be triggered e.g.

     with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]

        http://people.apache.org/~trawick/2.0-CVE-2011-4317-r1235443.patch

       +1: trawick

  *) SECURITY: CVE-2012-0031 (cve.mitre.org)

     Fix scoreboard issue which could allow an unprivileged child process 

     could cause the parent to crash at shutdown rather than terminate 

     cleanly.  [Joe Orton]

     r1231058 on 2.0.x:

       http://people.apache.org/~trawick/2.0-CVE-2012-0031-r1231058.patch

     +1: trawick, wrowe, rjung

  *) SECURITY: CVE-2012-0053 (cve.mitre.org)

     Fix an issue in error responses that could expose "httpOnly" cookies

     when no custom ErrorDocument is specified for status code 400.

AP_DECLARE_DATA const char *ap_scoreboard_fname = NULL;

AP_DECLARE_DATA int ap_extended_status = 0;

static ap_scoreboard_e scoreboard_type;

#if APR_HAS_SHARED_MEMORY

#include "apr_shm.h"

    if (ap_scoreboard_image == NULL) {

        return APR_SUCCESS;

    }

    if (ap_scoreboard_image->global->sb_type == SB_SHARED) {

    if (scoreboard_type == SB_SHARED) {

        ap_cleanup_shared_mem(NULL);

    }

    else {

        ap_init_scoreboard(sb_mem);

    }

    ap_scoreboard_image->global->sb_type = sb_type;

    ap_scoreboard_image->global->sb_type = scoreboard_type = sb_type;

    ap_scoreboard_image->global->running_generation = running_gen;

    ap_scoreboard_image->global->restart_time = apr_time_now();