Name Status Last Modified Last Commit
lp:ubuntu/wily/apache2 1 Development 2015-05-05 15:00:12 UTC
79. releasing version 2.2.22-6ubuntu2

Author: Martin Pitt
Revision Date: 2012-07-16 08:02:23 UTC

releasing version 2.2.22-6ubuntu2

lp:ubuntu/vivid/apache2 2 Mature 2014-10-27 06:36:01 UTC
79. releasing version 2.2.22-6ubuntu2

Author: Martin Pitt
Revision Date: 2012-07-16 08:02:23 UTC

releasing version 2.2.22-6ubuntu2

lp:ubuntu/utopic/apache2 2 Mature 2014-04-25 09:20:25 UTC
79. releasing version 2.2.22-6ubuntu2

Author: Martin Pitt
Revision Date: 2012-07-16 08:02:23 UTC

releasing version 2.2.22-6ubuntu2

lp:ubuntu/trusty/apache2 2 Mature 2013-10-20 02:30:48 UTC
79. releasing version 2.2.22-6ubuntu2

Author: Martin Pitt
Revision Date: 2012-07-16 08:02:23 UTC

releasing version 2.2.22-6ubuntu2

lp:ubuntu/saucy/apache2 2 Mature 2013-04-25 23:11:33 UTC
79. releasing version 2.2.22-6ubuntu2

Author: Martin Pitt
Revision Date: 2012-07-16 08:02:23 UTC

releasing version 2.2.22-6ubuntu2

lp:ubuntu/raring/apache2 2 Mature 2012-10-20 19:33:19 UTC
79. releasing version 2.2.22-6ubuntu2

Author: Martin Pitt
Revision Date: 2012-07-16 08:02:23 UTC

releasing version 2.2.22-6ubuntu2

lp:ubuntu/quantal/apache2 bug 2 Mature 2012-07-16 08:02:32 UTC
79. releasing version 2.2.22-6ubuntu2

Author: Martin Pitt
Revision Date: 2012-07-16 08:02:23 UTC

releasing version 2.2.22-6ubuntu2

lp:~matttbe/ubuntu/quantal/apache2/lp1013171 bug(Has a merge proposal) 1 Development 2012-07-02 17:45:56 UTC
78. * debian/apache2.py - Update apport ...

Author: Matthieu Baerts
Revision Date: 2012-07-02 17:45:23 UTC

* debian/apache2.py
 - Update apport hook for python3; thanks to Edward Donovan (LP: #1013171)
 - Check if this directory exists: /etc/apache2/sites-enabled/

lp:ubuntu/precise-proposed/apache2 bug 2 Mature 2012-06-14 00:05:21 UTC
77. debian/patches/083_dlopen_search_path...

Author: Robie Basak
Revision Date: 2012-06-08 15:45:02 UTC

debian/patches/083_dlopen_search_path: use dlopen() search path to
enable modules that use multiarch, such as libapache2-modsecurity.
These modules can now use no path and apache2 will be able to find
them (LP: #988819).

lp:~racb/ubuntu/precise/apache2/988819 bug(Has a merge proposal) 1 Development 2012-06-08 14:59:04 UTC
77. debian/patches/083_dlopen_search_path...

Author: Robie Basak
Revision Date: 2012-06-08 14:56:19 UTC

debian/patches/083_dlopen_search_path: use dlopen() search path to
enable modules that use multiarch, such as libapache2-modsecurity.
These modules can now use no path and apache2 will be able to find
them (LP: #988819).

lp:ubuntu/lucid-updates/apache2 bug 2 Mature 2012-03-14 20:30:29 UTC
69. debian/patches/99-fix-mod-dav-permiss...

Author: Chuck Short
Revision Date: 2012-03-02 14:43:08 UTC

debian/patches/99-fix-mod-dav-permissions.dpatch: Fix webdav permissions,
backported from trunk. Thanks to James M. Leady (LP: #540747)

lp:ubuntu/lucid-proposed/apache2 bug 2 Mature 2012-03-05 19:14:17 UTC
65. debian/patches/99-fix-mod-dav-permiss...

Author: Chuck Short
Revision Date: 2012-03-02 14:43:08 UTC

debian/patches/99-fix-mod-dav-permissions.dpatch: Fix webdav permissions,
backported from trunk. Thanks to James M. Leady (LP: #540747)

lp:ubuntu/hardy-updates/apache2 bug 2 Mature 2012-02-16 20:10:22 UTC
37. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2012-02-14 10:49:11 UTC

* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
  directive (LP: #811422)
  - debian/patches/220_CVE-2011-3607.dpatch: validate length in
    server/util.c.
  - CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
  - debian/patches/221_CVE-2011-4317.dpatch: validate additional URIs in
    modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
    server/protocol.c.
  - CVE-2011-4317
* SECURITY UPDATE: denial of service and possible code execution via
  type field modification within a scoreboard shared memory segment
  - debian/patches/222_CVE-2012-0031.dpatch: check type field in
    server/scoreboard.c.
  - CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
  - debian/patches/223_CVE-2012-0053.dpatch: check lengths in
    server/protocol.c.
  - CVE-2012-0053

lp:ubuntu/natty-security/apache2 bug 2 Mature 2012-02-16 19:57:25 UTC
70. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2012-02-14 10:02:26 UTC

* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
  directive (LP: #811422)
  - debian/patches/215_CVE-2011-3607.dpatch: validate length in
    server/util.c.
  - CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
  - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
    modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
    server/protocol.c.
  - CVE-2011-4317
* SECURITY UPDATE: denial of service via invalid cookie
  - debian/patches/217_CVE-2012-0021.dpatch: check name and value in
    modules/loggers/mod_log_config.c.
  - CVE-2012-0021
* SECURITY UPDATE: denial of service and possible code execution via
  type field modification within a scoreboard shared memory segment
  - debian/patches/218_CVE-2012-0031.dpatch: check type field in
    server/scoreboard.c.
  - CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
  - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
    server/protocol.c.
  - CVE-2012-0053

lp:ubuntu/lucid-security/apache2 bug 2 Mature 2012-02-16 19:57:24 UTC
66. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2012-02-14 10:36:43 UTC

* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
  directive (LP: #811422)
  - debian/patches/215_CVE-2011-3607.dpatch: validate length in
    server/util.c.
  - CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
  - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
    modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
    server/protocol.c.
  - CVE-2011-4317
* SECURITY UPDATE: denial of service and possible code execution via
  type field modification within a scoreboard shared memory segment
  - debian/patches/218_CVE-2012-0031.dpatch: check type field in
    server/scoreboard.c.
  - CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
  - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
    server/protocol.c.
  - CVE-2012-0053

lp:ubuntu/maverick-security/apache2 bug 2 Mature 2012-02-16 19:57:22 UTC
64. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2012-02-14 10:11:29 UTC

* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
  directive (LP: #811422)
  - debian/patches/215_CVE-2011-3607.dpatch: validate length in
    server/util.c.
  - CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
  - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
    modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
    server/protocol.c.
  - CVE-2011-4317
* SECURITY UPDATE: denial of service and possible code execution via
  type field modification within a scoreboard shared memory segment
  - debian/patches/218_CVE-2012-0031.dpatch: check type field in
    server/scoreboard.c.
  - CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
  - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
    server/protocol.c.
  - CVE-2012-0053

lp:ubuntu/oneiric-security/apache2 bug 2 Mature 2012-02-16 19:57:20 UTC
72. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2012-02-14 09:35:36 UTC

* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
  directive (LP: #811422)
  - debian/patches/215_CVE-2011-3607.dpatch: validate length in
    server/util.c.
  - CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
  - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
    modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
    server/protocol.c.
  - CVE-2011-4317
* SECURITY UPDATE: denial of service via invalid cookie
  - debian/patches/217_CVE-2012-0021.dpatch: check name and value in
    modules/loggers/mod_log_config.c.
  - CVE-2012-0021
* SECURITY UPDATE: denial of service and possible code execution via
  type field modification within a scoreboard shared memory segment
  - debian/patches/218_CVE-2012-0031.dpatch: check type field in
    server/scoreboard.c.
  - CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
  - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
    server/protocol.c.
  - CVE-2012-0053

lp:ubuntu/hardy-security/apache2 bug 2 Mature 2012-02-16 19:57:16 UTC
38. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2012-02-14 10:49:11 UTC

* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
  directive (LP: #811422)
  - debian/patches/220_CVE-2011-3607.dpatch: validate length in
    server/util.c.
  - CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
  - debian/patches/221_CVE-2011-4317.dpatch: validate additional URIs in
    modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
    server/protocol.c.
  - CVE-2011-4317
* SECURITY UPDATE: denial of service and possible code execution via
  type field modification within a scoreboard shared memory segment
  - debian/patches/222_CVE-2012-0031.dpatch: check type field in
    server/scoreboard.c.
  - CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
  - debian/patches/223_CVE-2012-0053.dpatch: check lengths in
    server/protocol.c.
  - CVE-2012-0053

lp:ubuntu/maverick-updates/apache2 2 Mature 2012-02-14 10:11:29 UTC
64. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2012-02-14 10:11:29 UTC

* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
  directive (LP: #811422)
  - debian/patches/215_CVE-2011-3607.dpatch: validate length in
    server/util.c.
  - CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
  - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
    modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
    server/protocol.c.
  - CVE-2011-4317
* SECURITY UPDATE: denial of service and possible code execution via
  type field modification within a scoreboard shared memory segment
  - debian/patches/218_CVE-2012-0031.dpatch: check type field in
    server/scoreboard.c.
  - CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
  - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
    server/protocol.c.
  - CVE-2012-0053

lp:ubuntu/natty-updates/apache2 2 Mature 2012-02-14 10:02:26 UTC
70. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2012-02-14 10:02:26 UTC

* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
  directive (LP: #811422)
  - debian/patches/215_CVE-2011-3607.dpatch: validate length in
    server/util.c.
  - CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
  - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
    modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
    server/protocol.c.
  - CVE-2011-4317
* SECURITY UPDATE: denial of service via invalid cookie
  - debian/patches/217_CVE-2012-0021.dpatch: check name and value in
    modules/loggers/mod_log_config.c.
  - CVE-2012-0021
* SECURITY UPDATE: denial of service and possible code execution via
  type field modification within a scoreboard shared memory segment
  - debian/patches/218_CVE-2012-0031.dpatch: check type field in
    server/scoreboard.c.
  - CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
  - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
    server/protocol.c.
  - CVE-2012-0053

lp:ubuntu/oneiric-updates/apache2 2 Mature 2012-02-14 09:35:36 UTC
72. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2012-02-14 09:35:36 UTC

* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
  directive (LP: #811422)
  - debian/patches/215_CVE-2011-3607.dpatch: validate length in
    server/util.c.
  - CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
  - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
    modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
    server/protocol.c.
  - CVE-2011-4317
* SECURITY UPDATE: denial of service via invalid cookie
  - debian/patches/217_CVE-2012-0021.dpatch: check name and value in
    modules/loggers/mod_log_config.c.
  - CVE-2012-0021
* SECURITY UPDATE: denial of service and possible code execution via
  type field modification within a scoreboard shared memory segment
  - debian/patches/218_CVE-2012-0031.dpatch: check type field in
    server/scoreboard.c.
  - CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
  - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
    server/protocol.c.
  - CVE-2012-0053

lp:ubuntu/precise/apache2 bug 2 Mature 2012-02-12 20:06:35 UTC
76. * Merge from Debian testing. Remaini...

Author: Chuck Short
Revision Date: 2012-02-12 20:06:35 UTC

* Merge from Debian testing. Remaining changes:
  - debian/{control, rules}: Enable PIE hardening.
  - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
  - debian/control: Add bzr tag and point it to our tree
  - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
  - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
    Plymouth aware passphrase dialog program ask-for-passphrase.

lp:~clint-fewbar/ubuntu/precise/apache2/fix-ask-for-passphrase bug(Has a merge proposal) 1 Development 2011-12-07 00:52:22 UTC
73. d/ask-for-passphrase: Flip the logic ...

Author: Clint Byrum
Revision Date: 2011-12-07 00:50:43 UTC

d/ask-for-passphrase: Flip the logic of this script so that it checks
first to see if apache is being started from a TTY, and then if not,
tries plymouth. (LP: #887410)

lp:ubuntu/oneiric/apache2 bug 2 Mature 2011-09-06 19:11:28 UTC
70. * Merge from debian unstable to fix C...

Author: Steve Beattie
Revision Date: 2011-09-06 01:17:15 UTC

* Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
  Remaining changes:
  - debian/{control, rules}: Enable PIE hardening.
  - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
  - debian/control: Add bzr tag and point it to our tree
  - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
  - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
    Plymouth aware passphrase dialog program ask-for-passphrase.

lp:~lynxman/ubuntu/oneiric/apache2/fixeddefaultsite (Has a merge proposal) 1 Development 2011-08-19 12:48:51 UTC
71. * Expanded changelog to explain more ...

Author: Marc Cluet
Revision Date: 2011-08-19 12:48:51 UTC

* Expanded changelog to explain more in depth the problem we solved with this fix

lp:ubuntu/dapper-security/apache2 2 Mature 2011-05-22 21:17:32 UTC
22. * SECURITY UPDATE: denial of service ...

Author: Steve Beattie
Revision Date: 2011-05-22 21:17:32 UTC

* SECURITY UPDATE: denial of service in apr_fnmatch exploitable via
  apache's mod_index
  - debian/patches/122_fnmatch_CVE-2011-0419.patch: rewrite
    apr_fnmatch to have better time bounds on execution.
  - CVE-2011-0419
  - debian/patches/123_fnmatch_CVE-2011-1928.patch: fix possible
    DoS introduced by patch for CVE-2011-0419.
  - CVE-2011-1928

lp:ubuntu/dapper-updates/apache2 bug 2 Mature 2011-05-22 21:17:32 UTC
22. * SECURITY UPDATE: denial of service ...

Author: Steve Beattie
Revision Date: 2011-05-22 21:17:32 UTC

* SECURITY UPDATE: denial of service in apr_fnmatch exploitable via
  apache's mod_index
  - debian/patches/122_fnmatch_CVE-2011-0419.patch: rewrite
    apr_fnmatch to have better time bounds on execution.
  - CVE-2011-0419
  - debian/patches/123_fnmatch_CVE-2011-1928.patch: fix possible
    DoS introduced by patch for CVE-2011-0419.
  - CVE-2011-1928

lp:ubuntu/natty/apache2 bug 2 Mature 2011-02-22 13:02:08 UTC
67. * Merge from debian unstable, remaini...

Author: Chuck Short
Revision Date: 2011-02-22 13:02:08 UTC

* Merge from debian unstable, remaining changes:
  - debian/{control, rules}: Enable PIE hardening.
  - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
  - debian/control: Add bzr tag and point it to our tree
  - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
  - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
    Plymouth aware passphrase dialog program ask-for-passphrase.

lp:ubuntu/karmic-security/apache2 bug 2 Mature 2011-01-21 21:08:08 UTC
54. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2010-11-18 14:02:43 UTC

* SECURITY UPDATE: denial of service via request that lacks a path in
  mod_dav.
  - debian/patches/906_CVE-2010-1452.dpatch: fix path handling in
    modules/dav/main/util.c.
  - CVE-2010-1452

lp:ubuntu/jaunty-security/apache2 bug 2 Mature 2011-01-21 21:04:41 UTC
50. * debian/patches/909_sslinsecurereneg...

Author: Marc Deslauriers
Revision Date: 2010-08-16 13:34:47 UTC

* debian/patches/909_sslinsecurerenegotiation-directive.dpatch: once
  openssl gets updated to fix CVE-2009-3555, server renegotiations with
  unpatched clients will fail. This patch adds the ability to revert to
  the previous unsafe behaviour with a new SSLInsecureRenegotiation
  directive. (LP: #616759)
* debian/control: add specific dependency on first openssl version to get
  CVE-2009-3555 fix.

lp:ubuntu/karmic-proposed/apache2 2 Mature 2011-01-21 21:04:37 UTC
53. * debian/patches/905_sslinsecurereneg...

Author: Marc Deslauriers
Revision Date: 2010-08-16 13:26:28 UTC

* debian/patches/905_sslinsecurerenegotiation-directive.dpatch: once
  openssl gets updated to fix CVE-2009-3555, server renegotiations with
  unpatched clients will fail. This patch adds the ability to revert to
  the previous unsafe behaviour with a new SSLInsecureRenegotiation
  directive. (LP: #616759)
* debian/control: add specific dependency on first openssl version to get
  CVE-2009-3555 fix.

lp:ubuntu/dapper-proposed/apache2 bug 2 Mature 2011-01-21 21:04:33 UTC
20. * debian/patches/119_sslinsecurereneg...

Author: Marc Deslauriers
Revision Date: 2010-08-16 13:44:28 UTC

* debian/patches/119_sslinsecurerenegotiation-directive.dpatch: once
  openssl gets updated to fix CVE-2009-3555, server renegotiations with
  unpatched clients will fail. This patch adds the ability to revert to
  the previous unsafe behaviour with a new SSLInsecureRenegotiation
  directive. (LP: #616759)
* debian/control: add specific dependency on first openssl version to get
  CVE-2009-3555 fix.

lp:ubuntu/jaunty-proposed/apache2 1 Development 2011-01-21 21:04:14 UTC
50. * debian/patches/909_sslinsecurereneg...

Author: Marc Deslauriers
Revision Date: 2010-08-16 13:34:47 UTC

* debian/patches/909_sslinsecurerenegotiation-directive.dpatch: once
  openssl gets updated to fix CVE-2009-3555, server renegotiations with
  unpatched clients will fail. This patch adds the ability to revert to
  the previous unsafe behaviour with a new SSLInsecureRenegotiation
  directive. (LP: #616759)
* debian/control: add specific dependency on first openssl version to get
  CVE-2009-3555 fix.

lp:ubuntu/karmic-updates/apache2 2 Mature 2010-11-18 14:02:43 UTC
54. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2010-11-18 14:02:43 UTC

* SECURITY UPDATE: denial of service via request that lacks a path in
  mod_dav.
  - debian/patches/906_CVE-2010-1452.dpatch: fix path handling in
    modules/dav/main/util.c.
  - CVE-2010-1452

lp:ubuntu/maverick/apache2 bug 2 Mature 2010-09-08 08:33:17 UTC
60. Revert "stty sane" to unbreak apache ...

Author: Chuck Short
Revision Date: 2010-09-08 08:33:17 UTC

Revert "stty sane" to unbreak apache starting, this will have to be
fixed a different way. (LP: #626723)

lp:ubuntu/hardy-proposed/apache2 bug 2 Mature 2010-08-16 13:39:40 UTC
33. * debian/patches/212_sslinsecurereneg...

Author: Marc Deslauriers
Revision Date: 2010-08-16 13:39:40 UTC

* debian/patches/212_sslinsecurerenegotiation-directive.dpatch: once
  openssl gets updated to fix CVE-2009-3555, server renegotiations with
  unpatched clients will fail. This patch adds the ability to revert to
  the previous unsafe behaviour with a new SSLInsecureRenegotiation
  directive. (LP: #616759)
* debian/control: add specific dependency on first openssl version to get
  CVE-2009-3555 fix.

lp:ubuntu/jaunty-updates/apache2 2 Mature 2010-08-16 13:34:47 UTC
50. * debian/patches/909_sslinsecurereneg...

Author: Marc Deslauriers
Revision Date: 2010-08-16 13:34:47 UTC

* debian/patches/909_sslinsecurerenegotiation-directive.dpatch: once
  openssl gets updated to fix CVE-2009-3555, server renegotiations with
  unpatched clients will fail. This patch adds the ability to revert to
  the previous unsafe behaviour with a new SSLInsecureRenegotiation
  directive. (LP: #616759)
* debian/control: add specific dependency on first openssl version to get
  CVE-2009-3555 fix.

lp:~zulcss/ubuntu/maverick/apache2/apache2-dailies.maverick 1 Development 2010-07-05 18:17:31 UTC
1. Initial commit

Author: Chuck Short
Revision Date: 2010-07-05 18:16:52 UTC

Initial commit

lp:~ubuntu-branches/ubuntu/lucid/apache2/lucid-201005171706 (Has a merge proposal) 1 Development 2010-05-17 17:06:04 UTC
55. Fix debian/rules

Author: Chuck Short
Revision Date: 2009-12-23 18:05:53 UTC

Fix debian/rules

lp:ubuntu/lucid/apache2 bug 1 Development 2010-04-13 15:09:57 UTC
61. debian/patches/210-backport-mod-reqti...

Author: Chuck Short
Revision Date: 2010-04-13 15:09:57 UTC

debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
(LP: #562370)

lp:ubuntu/intrepid-security/apache2 bug 2 Mature 2010-03-08 11:29:11 UTC
44. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2010-03-08 11:29:11 UTC

* SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
  - debian/patches/907_CVE-2010-0408.dpatch: return the right error code
    in modules/proxy/mod_proxy_ajp.c.
  - CVE-2010-0408
* SECURITY UPDATE: information disclosure via improper handling of
  headers in subrequests
  - debian/patches/908_CVE-2010-0434.dpatch: use a copy of r->headers_in
    in server/protocol.c.
  - CVE-2010-0434

lp:ubuntu/intrepid-updates/apache2 2 Mature 2010-03-08 11:29:11 UTC
44. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2010-03-08 11:29:11 UTC

* SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
  - debian/patches/907_CVE-2010-0408.dpatch: return the right error code
    in modules/proxy/mod_proxy_ajp.c.
  - CVE-2010-0408
* SECURITY UPDATE: information disclosure via improper handling of
  headers in subrequests
  - debian/patches/908_CVE-2010-0434.dpatch: use a copy of r->headers_in
    in server/protocol.c.
  - CVE-2010-0434

lp:~ubuntu-branches/ubuntu/lucid/apache2/lucid-201001071544 1 Development 2010-01-07 15:44:36 UTC
55. Fix debian/rules

Author: Chuck Short
Revision Date: 2009-12-23 18:05:53 UTC

Fix debian/rules

lp:~zulcss/ubuntu/lucid/apache2/apache2-lp-450501 bug 1 Development 2009-11-27 20:30:26 UTC
56. debian/patches/203_fix-ab-segfault.dp...

Author: Chuck Short
Revision Date: 2009-11-27 20:28:31 UTC

debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using a really
high number. (LP: #450501)

lp:ubuntu/karmic/apache2 2 Mature 2009-11-06 06:00:38 UTC
50. * debian/patches/203_fix_legacy_ap_rp...

Author: Marc Deslauriers
Revision Date: 2009-08-17 15:38:47 UTC

* debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
  - Fix potential segfaults with the use of the legacy ap_rputs() etc
    interfaces, in cases where an output filter fails. This happens
    frequently after CVE-2009-1891 got fixed. (LP: #409987)

lp:ubuntu/jaunty/apache2 2 Mature 2009-11-06 05:59:17 UTC
44. debian/patches/203_fix-ssi-timeftm-ig...

Author: Chuck Short
Revision Date: 2009-04-01 11:39:17 UTC

debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
Fix timefmt is ignored when XBitHack is on. (LP: #258914)

lp:ubuntu/intrepid/apache2 2 Mature 2009-11-06 05:58:17 UTC
39. Revert logrotate change since it will...

Author: Chuck Short
Revision Date: 2008-09-19 09:32:01 UTC

Revert logrotate change since it will break it for everyone.

lp:ubuntu/gutsy-security/apache2 bug 1 Development 2009-11-06 05:57:28 UTC
23. [ Emanuele Gentili ] * SECURITY UPDAT...

Author: Marc Deslauriers
Revision Date: 2009-03-05 15:54:32 UTC

[ Emanuele Gentili ]
* SECURITY UPDATE:
 + debian/patches/111_CVE-2008-2364.dpatch (LP: #239894)
  - The ap_proxy_http_process_response function in mod_proxy_http.c
    in the mod_proxy module does not limit the number of forwarded
    interim responses, which allows remote HTTP servers to cause a
    denial of service (memory consumption) via a large number of
    interim responses.
 + References
  - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364

[ Marc Deslauriers ]
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in "413 Request
  Entity Too Large" error message
  - debian/patches/107_CVE-2007-6203.dpatch: properly escape some error
    messages in modules/http/http_protocol.c.
  - CVE-2007-6203
* SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
  mod_proxy_balancer
  - debian/patches/108_CVE-2007-6420.dpatch: generate and validate a nonce in
    modules/proxy/mod_proxy_balancer.c.
  - CVE-2007-6420
* SECURITY UPDATE: Denial of service via memory leak in the zlib_stateful_init
  function (LP: #224945)
  - debian/patches/109_CVE-2008-1678.dpatch: don't call
    CRYPTO_cleanup_all_ex_data in modules/ssl/mod_ssl.c.
  - CVE-2008-1678
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability via UTF-7 encoded
  URLs
  - debian/patches/110_CVE-2008-2168.dpatch: specify a default charset in
    modules/dav/main/mod_dav.c, modules/generators/mod_info.c and
    modules/proxy/mod_proxy_balancer.c.
  - CVE-2008-2168
* SECURITY UPDATE: Denial of service via large number of interim responses in
  mod_proxy module (LP: #239894)
  - debian/patches/111_CVE-2008-2364.dpatch: updated patch to newer version.
  - CVE-2008-2364
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
  mod_proxy_ftp module
  - debian/patches/112_CVE-2008-2939.dpatch: escape the html
    contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
  - CVE-2008-2939

lp:ubuntu/hardy/apache2 2 Mature 2009-11-06 05:56:54 UTC
26. * New upstream version: - Fixes cro...

Author: Stefan Fritsch
Revision Date: 2008-01-17 20:27:56 UTC

* New upstream version:
  - Fixes cross-site scripting issues in
    o mod_imagemap (CVE-2007-5000)
    o mod_status (CVE-2007-6388)
    o mod_proxy_balancer's balancer manager (CVE-2007-6421)
  - Fixes a denial of service issue in mod_proxy_balancer's balancer manager
    (CVE-2007-6422).
  - Fixes mod_proxy URL encoding in error messages (closes: #337325).
  - Adds explicit charset to the output of various modules to work around
    possible cross-site scripting flaws affecting web browsers that do not
    derive the response character set as required by RFC2616. For
    mod_proxy_ftp there is now the new ProxyFtpDirCharset directive to
    specify something else than ISO-8859-1 (CVE-2008-0005).
  - Adds mod_substitute which performs inline response content pattern
    matching (including regex) and substitution (like mod_line_edit).
  - Adds "DefaultType none" option.
  - Adds new "B" option to RewriteRule to suppress URL unescaping.
  - Adds an "if" directive for mod_include to test whether an URL is
    accessible, and if so, conditionally display content.
  - Adds support for mod_ssl to the event MPM.
* Move the configuration of User, Group, and PidFile to
  /etc/apache2/envvars. This makes it easier to use these settings in
  scripts. /etc/apache2/envvars can now also be used to influence apache2ctl
  (inspired by Marc Haber's patch). (Closes: #349709, #460105, #458085)
* Make apache2ctl check the configuration syntax before trying to restart
  apache, to match the behaviour documented in the man page.
  (Closes: #459236)
* Convert docs to be directly viewable with a browser (and not use content
  negotiation).
* Add doc-base entry for the documentation. (closes: #311269)
* Don't ship default files in /var/www, but copy a sample file to
  /var/www/index.html on new installs. Also remove the now unneeded
  RedirectMatch line from sites-available/default.
  (Closes: #411774, #458093)
* Add some information to README.Debian (Apache wiki, default virtual host)
* Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary
  dependencies, easing library transitions (closes: #458857).
* Add icons for OpenDocuments, add sharutils to Build-Depends for uudecode.
  Patch by Nicolas Valcárcel. (Closes: #436441)
* Add reportbug script to list enabled modules.
* Fix some lintian warnings:
  - Pass --no-start to dh_installinit instead of omitting the debhelper token
    in various maintainer scripts. Also move the update-rc.d call to
    apache2.2-common.
  - Add Short-Description to init script.
* Remove unused apache2-mpm-prefork.prerm from source package and clean up
  debian/rules a bit.
* Don't ship NEWS.Debian with apache2-utils, as the contents are only
  relevant for the server.

lp:ubuntu/gutsy-updates/apache2 1 Development 2009-11-06 05:56:31 UTC
23. [ Emanuele Gentili ] * SECURITY UPDAT...

Author: Marc Deslauriers
Revision Date: 2009-03-05 15:54:32 UTC

[ Emanuele Gentili ]
* SECURITY UPDATE:
 + debian/patches/111_CVE-2008-2364.dpatch (LP: #239894)
  - The ap_proxy_http_process_response function in mod_proxy_http.c
    in the mod_proxy module does not limit the number of forwarded
    interim responses, which allows remote HTTP servers to cause a
    denial of service (memory consumption) via a large number of
    interim responses.
 + References
  - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364

[ Marc Deslauriers ]
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in "413 Request
  Entity Too Large" error message
  - debian/patches/107_CVE-2007-6203.dpatch: properly escape some error
    messages in modules/http/http_protocol.c.
  - CVE-2007-6203
* SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
  mod_proxy_balancer
  - debian/patches/108_CVE-2007-6420.dpatch: generate and validate a nonce in
    modules/proxy/mod_proxy_balancer.c.
  - CVE-2007-6420
* SECURITY UPDATE: Denial of service via memory leak in the zlib_stateful_init
  function (LP: #224945)
  - debian/patches/109_CVE-2008-1678.dpatch: don't call
    CRYPTO_cleanup_all_ex_data in modules/ssl/mod_ssl.c.
  - CVE-2008-1678
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability via UTF-7 encoded
  URLs
  - debian/patches/110_CVE-2008-2168.dpatch: specify a default charset in
    modules/dav/main/mod_dav.c, modules/generators/mod_info.c and
    modules/proxy/mod_proxy_balancer.c.
  - CVE-2008-2168
* SECURITY UPDATE: Denial of service via large number of interim responses in
  mod_proxy module (LP: #239894)
  - debian/patches/111_CVE-2008-2364.dpatch: updated patch to newer version.
  - CVE-2008-2364
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
  mod_proxy_ftp module
  - debian/patches/112_CVE-2008-2939.dpatch: escape the html
    contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
  - CVE-2008-2939

lp:ubuntu/gutsy/apache2 1 Development 2009-11-06 05:55:52 UTC
21. Trigger rebuild for hppa

Author: LaMont Jones
Revision Date: 2007-10-04 11:58:34 UTC

Trigger rebuild for hppa

lp:ubuntu/feisty-updates/apache2 1 Development 2009-11-06 05:55:29 UTC
15. * SECURITY UPDATE: denial of service ...

Author: Jamie Strandboge
Revision Date: 2008-01-29 17:34:21 UTC

* SECURITY UPDATE: denial of service (application crash) when using
  mod_proxy in threaded MPM via crafted date headers.
* debian/patches/100_CVE-2007-3847.dpatch: fix proxy_util.c to use
  apr_date_parse_http() and apr_rfc822_date()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
  when charset not defined
* debian/patches/101_CVE-2007-4465.dpatch: fix mod_autoindex.c to properly
  check for and use charset
* SECURITY UPDATE: cross-site scripting vulnerability in mod_imagemap
* debian/patches/102_CVE-2007-5000.dpatch: fix for mod_imagemap.c to use
  ap_escape_html()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
  server-status is enabled
* debian/patches/103_CVE-2007-6388.dpatch: fix for mod_status.c to properly
  setup table
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_balancer
* debian/patches/104_CVE-2007-6421.dpatch: fix for mod_proxy_balancer.c to
  use ap_escape_html()
* SECURITY UPDATE: denial of service (application crash) in
  mod_proxy_balancer when MPM is used
* debian/patches/105_CVE-2007-6422.dpatch: fix for /mod_proxy_balancer.c to
  check bsel is non-NULL
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_ftp when
  charset is not defined
* debian/patches/106_CVE-2008-0005.dpatch: fix for mod_proxy_ftp.c to define
  a charset
* References
  CVE-2007-3847
  CVE-2007-4465
  CVE-2007-5000
  CVE-2007-6388
  CVE-2007-6421
  CVE-2007-6422
  CVE-2008-0005

lp:ubuntu/feisty-proposed/apache2 1 Development 2009-11-06 05:55:06 UTC
15. debian/apache2.2-common.init.d: make ...

Author: Mathias Gug
Revision Date: 2007-11-21 16:55:25 UTC

debian/apache2.2-common.init.d: make sure that /var/lock/apache2 is owned
by www-data. Fixes LP: #129920.

lp:ubuntu/feisty-security/apache2 1 Development 2009-11-06 05:54:52 UTC
15. * SECURITY UPDATE: denial of service ...

Author: Jamie Strandboge
Revision Date: 2008-01-29 17:34:21 UTC

* SECURITY UPDATE: denial of service (application crash) when using
  mod_proxy in threaded MPM via crafted date headers.
* debian/patches/100_CVE-2007-3847.dpatch: fix proxy_util.c to use
  apr_date_parse_http() and apr_rfc822_date()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
  when charset not defined
* debian/patches/101_CVE-2007-4465.dpatch: fix mod_autoindex.c to properly
  check for and use charset
* SECURITY UPDATE: cross-site scripting vulnerability in mod_imagemap
* debian/patches/102_CVE-2007-5000.dpatch: fix for mod_imagemap.c to use
  ap_escape_html()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
  server-status is enabled
* debian/patches/103_CVE-2007-6388.dpatch: fix for mod_status.c to properly
  setup table
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_balancer
* debian/patches/104_CVE-2007-6421.dpatch: fix for mod_proxy_balancer.c to
  use ap_escape_html()
* SECURITY UPDATE: denial of service (application crash) in
  mod_proxy_balancer when MPM is used
* debian/patches/105_CVE-2007-6422.dpatch: fix for /mod_proxy_balancer.c to
  check bsel is non-NULL
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_ftp when
  charset is not defined
* debian/patches/106_CVE-2008-0005.dpatch: fix for mod_proxy_ftp.c to define
  a charset
* References
  CVE-2007-3847
  CVE-2007-4465
  CVE-2007-5000
  CVE-2007-6388
  CVE-2007-6421
  CVE-2007-6422
  CVE-2008-0005

lp:ubuntu/feisty/apache2 1 Development 2009-11-06 05:54:37 UTC
13. No-change upload for the libpq4->libp...

Author: Martin Pitt
Revision Date: 2007-01-15 17:10:39 UTC

No-change upload for the libpq4->libpq5 transition.

lp:ubuntu/edgy-updates/apache2 1 Development 2009-11-06 05:54:13 UTC
13. * SECURITY UPDATE: denial of service ...

Author: Jamie Strandboge
Revision Date: 2008-01-29 20:12:00 UTC

* SECURITY UPDATE: denial of service (application crash) when using
  mod_proxy in threaded MPM via crafted date headers.
* debian/patches/100_CVE-2007-3847.patch: fix proxy_util.c to use
  apr_date_parse_http() and apr_rfc822_date()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
  when charset not defined
* debian/patches/101_CVE-2007-4465.patch: fix mod_autoindex.c to properly
  check for and use charset
* SECURITY UPDATE: cross-site scripting vulnerability in mod_imap
* debian/patches/102_CVE-2007-5000.patch: fix for mod_imap.c to use
  ap_escape_html()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
  server-status is enabled
* debian/patches/103_CVE-2007-6388.patch: fix for mod_status.c to properly
  setup table
* SECURITY UPDATE: cross-site scripting vulnerability in proxy_ftp when
  charset is not defined
* debian/patches/104_CVE-2008-0005.patch: fix for proxy_ftp.c to define
  a charset
* SECURITY UPDATE: cross-site scripting vulnerability in Expect headers
* debian/patches/105_CVE-2006-3918.patch: fix for http_protocol.c to use
  ap_escape_html()
* References
  CVE-2007-3847
  CVE-2007-4465
  CVE-2007-5000
  CVE-2007-6388
  CVE-2008-0005
  CVE-2006-3918

lp:ubuntu/edgy-security/apache2 1 Development 2009-11-06 05:53:56 UTC
13. * SECURITY UPDATE: denial of service ...

Author: Jamie Strandboge
Revision Date: 2008-01-29 20:12:00 UTC

* SECURITY UPDATE: denial of service (application crash) when using
  mod_proxy in threaded MPM via crafted date headers.
* debian/patches/100_CVE-2007-3847.patch: fix proxy_util.c to use
  apr_date_parse_http() and apr_rfc822_date()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
  when charset not defined
* debian/patches/101_CVE-2007-4465.patch: fix mod_autoindex.c to properly
  check for and use charset
* SECURITY UPDATE: cross-site scripting vulnerability in mod_imap
* debian/patches/102_CVE-2007-5000.patch: fix for mod_imap.c to use
  ap_escape_html()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
  server-status is enabled
* debian/patches/103_CVE-2007-6388.patch: fix for mod_status.c to properly
  setup table
* SECURITY UPDATE: cross-site scripting vulnerability in proxy_ftp when
  charset is not defined
* debian/patches/104_CVE-2008-0005.patch: fix for proxy_ftp.c to define
  a charset
* SECURITY UPDATE: cross-site scripting vulnerability in Expect headers
* debian/patches/105_CVE-2006-3918.patch: fix for http_protocol.c to use
  ap_escape_html()
* References
  CVE-2007-3847
  CVE-2007-4465
  CVE-2007-5000
  CVE-2007-6388
  CVE-2008-0005
  CVE-2006-3918

lp:ubuntu/edgy/apache2 1 Development 2009-11-06 05:53:38 UTC
11. * Add debian/patches/054_restore_pref...

Author: Martin Pitt
Revision Date: 2006-09-27 16:23:09 UTC

* Add debian/patches/054_restore_prefix_fix:
  - Fix autoconf macros to work with autoconf 2.60 (AC_CANONICAL_SYSTEM
    overwrites $@ in 2.60, see Debian bug #372179), so that the package
    builds again on recent Edgy.
  - Thanks to Daniel Schepler <schepler@math.berkeley.edu> for this patch
    (taken from Debian #374160)
  - Closes: LP#62242

lp:ubuntu/dapper/apache2 2 Mature 2009-11-06 05:52:49 UTC
9. Include patch from SVN HEAD to make s...

Author: Adam Conrad
Revision Date: 2006-05-26 20:12:28 UTC

Include patch from SVN HEAD to make sure LFS works on 64-bit platforms
where sendfile() doesn't like dealing with anything larger than 32-bit
chunks. Yes, Linux 2.6, I'm looking at you (see: launchpad.net/11850)

lp:ubuntu/breezy-security/apache2 1 Development 2009-11-06 05:52:28 UTC
7. * SECURITY UPDATE: Remote DoS, potent...

Author: Martin Pitt
Revision Date: 2006-07-26 07:18:39 UTC

* SECURITY UPDATE: Remote DoS, potential remote code execution.
* Add debian/patches/053_mod_rewite_CVE-2006-3747:
  - Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
  - Reported by Mark Dowd of McAfee Avert Labs.
  - CVE-2006-3747

lp:ubuntu/breezy/apache2 1 Development 2009-11-06 05:52:05 UTC
4. Add 047_ssl_reneg_with_body, which ad...

Author: Adam Conrad
Revision Date: 2005-10-04 11:53:01 UTC

Add 047_ssl_reneg_with_body, which adds a (bounded) buffer of request
body data to provide a limited but safe fix for the mod_ssl renegotiation
vs requests-with-bodies bug, as occurs with POST and SVN (Ubuntu #14991)

lp:ubuntu/hoary-security/apache2 1 Development 2009-11-06 05:51:49 UTC
6. * SECURITY UPDATE: Remote DoS, potent...

Author: Martin Pitt
Revision Date: 2006-07-26 07:20:37 UTC

* SECURITY UPDATE: Remote DoS, potential remote code execution.
* Add debian/patches/053_mod_rewite_CVE-2006-3747:
  - Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
  - Reported by Mark Dowd of McAfee Avert Labs.
  - CVE-2006-3747

lp:ubuntu/hoary/apache2 1 Development 2009-11-06 05:51:29 UTC
3. Fix the init script to not exit with ...

Author: Adam Conrad
Revision Date: 2005-04-01 16:30:56 UTC

Fix the init script to not exit with an error when asked to
stop a daemon that isn't running (Was the root cause of #8374)

lp:ubuntu/warty-security/apache2 1 Development 2009-11-06 05:51:06 UTC
4. * SECURITY UPDATE: Remote DoS and Cro...

Author: Adam Conrad
Revision Date: 2006-01-08 00:00:08 UTC

* SECURITY UPDATE: Remote DoS and Cross-Site Scripting vulnerability.
  - Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
    mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
  - Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in
    threaded MPMs when making a non-SSL connection to an SSL-enabled port
    on a server with a custom 400 error document defined; see CVE-2005-3357

lp:ubuntu/warty/apache2 1 Development 2009-11-06 05:50:48 UTC
2. Security Release. Patch from upstream...

Author: Thom May
Revision Date: 2004-10-13 19:46:10 UTC

Security Release. Patch from upstream for the following:
CAN-2004-0885 SSLCypherSuite can be bypassed during renegotiation.
