Get this repository:
git clone https://git.launchpad.net/ubuntu/+source/apache2
Members of Ubuntu Server Dev import team can upload to this repository.

Branches

Name Last Modified Last Commit
applied/ubuntu/warty-devel 2006-01-30 21:13:52 UTC 2006-01-30
Import patches-applied version 2.0.50-12ubuntu4.10 to applied/ubuntu/warty-se...

Author: Adam Conrad
Author Date: 2006-01-07 13:00:08 UTC

Import patches-applied version 2.0.50-12ubuntu4.10 to applied/ubuntu/warty-security

Imported using git-ubuntu import.

Changelog parent: 237574061f5ccaf15d2806b628a316260a40856c
Unapplied parent: feb77dcc33754598833d5f204d0543cdbddbbf26

New changelog entries:
  * SECURITY UPDATE: Remote DoS and Cross-Site Scripting vulnerability.
    - Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
      mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
    - Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in
      threaded MPMs when making a non-SSL connection to an SSL-enabled port
      on a server with a custom 400 error document defined; see CVE-2005-3357

ubuntu/warty-devel 2006-01-30 21:13:52 UTC 2006-01-30
Import patches-unapplied version 2.0.50-12ubuntu4.10 to ubuntu/warty-security

Author: Adam Conrad
Author Date: 2006-01-07 13:00:08 UTC

Import patches-unapplied version 2.0.50-12ubuntu4.10 to ubuntu/warty-security

Imported using git-ubuntu import.

Changelog parent: 647a5b8326262640555988ea5bbcc1822207d1bc

New changelog entries:
  * SECURITY UPDATE: Remote DoS and Cross-Site Scripting vulnerability.
    - Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
      mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
    - Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in
      threaded MPMs when making a non-SSL connection to an SSL-enabled port
      on a server with a custom 400 error document defined; see CVE-2005-3357

ubuntu/breezy 2005-12-21 04:40:26 UTC 2005-12-21
Import patches-unapplied version 2.0.54-5ubuntu2 to ubuntu/breezy

Author: Adam Conrad
Author Date: 2005-10-04 01:53:01 UTC

Import patches-unapplied version 2.0.54-5ubuntu2 to ubuntu/breezy

Imported using git-ubuntu import.

Changelog parent: 73744c193d222d0f26e574f101087459ca9b700a

New changelog entries:
  * Add 047_ssl_reneg_with_body, which adds a (bounded) buffer of request
    body data to provide a limited but safe fix for the mod_ssl renegotiation
    vs requests-with-bodies bug, as occurs with POST and SVN (Ubuntu #14991)
  * Resynchronise with Debian, bringing in several security patches.
  * Add 043_ssl_off_by_one_CAN-2005-1268, fixing an off-by-one error in SSL
    certificate validation; see CAN-2005-1268 (closes: #320048, #320063)
  * Add 044_content_length_CAN-2005-2088, resolving an issue in mod_proxy
    where, when a response contains both Transfer-Encoding and Content-Length
    headers, the connection can be used for HTTP request smuggling and HTTP
    request spoofing attacks; see CAN-2005-2088 (closes: #316173)
  * Add 045_byterange_CAN-2005-2728, to resolve a denial of service in apache
    when large byte ranges are requested; see CAN-2005-2728 (closes: #326435)
  * Add 046_verify_client_CAN-2005-2700, resolving an issue where the context
    of the SSLVerifyClient directive is not honoured within a <Location>
    nested in a <VirtualHost>, and is left unenforced; see CAN-2005-2700
  * Resynchronise with Debian.
  * Alter 041_util_ldap_fix.patch to revert util_ldap.c to the known
    good version from 2.0.53 (closes: #308648, and re-fixes #307567)
  * Resync with Debian to bring in several useful bugfixes.
  * Add 042_htdigest_CAN-2005-1344 to fix a buffer overflow in
    htdigest, which is described in CAN-2005-1344 (closes: #307134)
  * Add 041_util_ldap_fix.patch from upstream bug #34618 to fix
    issues with mod_auth_ldap sometimes segfaulting and sometimes
    locking up and spinning the CPU to oblivion (closes: #307567)
  * Alter 011_fix_ap-config to make apr-config point us at the system
    libtool, and make libapr0-dev depend on libtool (closes: #306481)
  * Alter 008_make_include_safe to prevent apache2 from including dpkg
    conffile leftovers (.dpkg-old et al) (closes: #304786, #296728)
  * Resync again, bringing in brown-paper-bag bugfix from Debian.
  * Set suexec2's ownership properly, so it's actually executable by
    apache2 with the newly-restrictive permissions (closes: #305242)
  * Resync with Debian, bringing in new upstream.
  * New upstream bugfix-only release (closes: #305121)
  * Fix debian/watch file to only look at apache 2.0.x, so we stop being
    told about the 2.1 beta releases (and I'll notice new 2.0.x releases)
  * Drop o+rx permissions from suexec2; while it has code in place to
    make sure the caller is www-data, if that code should be buggy,
    filesystem permissions will help mitigate fallout (closes: #301045)
  * Update the 003_build_with_autoconf_2.5 patch to make sure both
    apr and apr-util have an AC_PREREQ for autoconf 2.50, so we don't get
    weird autoconf mix-and-match FTBFS issues (closes: #301819)

applied/ubuntu/breezy 2005-12-21 04:40:26 UTC 2005-12-21
Import patches-applied version 2.0.54-5ubuntu2 to applied/ubuntu/breezy

Author: Adam Conrad
Author Date: 2005-10-04 01:53:01 UTC

Import patches-applied version 2.0.54-5ubuntu2 to applied/ubuntu/breezy

Imported using git-ubuntu import.

Changelog parent: be60ea610bf848625c0d1c116355a017b010ed02
Unapplied parent: 134b87fd2ce08ad6fe8ee0e17807745640dbf1dd

New changelog entries:
  * Add 047_ssl_reneg_with_body, which adds a (bounded) buffer of request
    body data to provide a limited but safe fix for the mod_ssl renegotiation
    vs requests-with-bodies bug, as occurs with POST and SVN (Ubuntu #14991)
  * Resynchronise with Debian, bringing in several security patches.
  * Add 043_ssl_off_by_one_CAN-2005-1268, fixing an off-by-one error in SSL
    certificate validation; see CAN-2005-1268 (closes: #320048, #320063)
  * Add 044_content_length_CAN-2005-2088, resolving an issue in mod_proxy
    where, when a response contains both Transfer-Encoding and Content-Length
    headers, the connection can be used for HTTP request smuggling and HTTP
    request spoofing attacks; see CAN-2005-2088 (closes: #316173)
  * Add 045_byterange_CAN-2005-2728, to resolve a denial of service in apache
    when large byte ranges are requested; see CAN-2005-2728 (closes: #326435)
  * Add 046_verify_client_CAN-2005-2700, resolving an issue where the context
    of the SSLVerifyClient directive is not honoured within a <Location>
    nested in a <VirtualHost>, and is left unenforced; see CAN-2005-2700
  * Resynchronise with Debian.
  * Alter 041_util_ldap_fix.patch to revert util_ldap.c to the known
    good version from 2.0.53 (closes: #308648, and re-fixes #307567)
  * Resync with Debian to bring in several useful bugfixes.
  * Add 042_htdigest_CAN-2005-1344 to fix a buffer overflow in
    htdigest, which is described in CAN-2005-1344 (closes: #307134)
  * Add 041_util_ldap_fix.patch from upstream bug #34618 to fix
    issues with mod_auth_ldap sometimes segfaulting and sometimes
    locking up and spinning the CPU to oblivion (closes: #307567)
  * Alter 011_fix_ap-config to make apr-config point us at the system
    libtool, and make libapr0-dev depend on libtool (closes: #306481)
  * Alter 008_make_include_safe to prevent apache2 from including dpkg
    conffile leftovers (.dpkg-old et al) (closes: #304786, #296728)
  * Resync again, bringing in brown-paper-bag bugfix from Debian.
  * Set suexec2's ownership properly, so it's actually executable by
    apache2 with the newly-restrictive permissions (closes: #305242)
  * Resync with Debian, bringing in new upstream.
  * New upstream bugfix-only release (closes: #305121)
  * Fix debian/watch file to only look at apache 2.0.x, so we stop being
    told about the 2.1 beta releases (and I'll notice new 2.0.x releases)
  * Drop o+rx permissions from suexec2; while it has code in place to
    make sure the caller is www-data, if that code should be buggy,
    filesystem permissions will help mitigate fallout (closes: #301045)
  * Update the 003_build_with_autoconf_2.5 patch to make sure both
    apr and apr-util have an AC_PREREQ for autoconf 2.50, so we don't get
    weird autoconf mix-and-match FTBFS issues (closes: #301819)

applied/ubuntu/hoary 2005-12-20 20:38:23 UTC 2005-12-20
Import patches-applied version 2.0.53-5ubuntu5 to applied/ubuntu/hoary

Author: Adam Conrad
Author Date: 2005-04-01 16:30:56 UTC

Import patches-applied version 2.0.53-5ubuntu5 to applied/ubuntu/hoary

Imported using git-ubuntu import.

Changelog parent: 9a5f9c785daeaa9728d3bb764cf344070423111b
Unapplied parent: 73744c193d222d0f26e574f101087459ca9b700a

New changelog entries:
  * Fix the init script to not exit with an error when asked to
    stop a daemon that isn't running (Was the root cause of #8374)
  * Make sure package removals don't fail even if the init script
    doesn't stop apache2 (Ubuntu #8374)
  * Add dependency on lsb-base (>= 1.3-9ubuntu2) to guarantee
    availability of lsb init functions (Ubuntu #7765)
  * Really remove /etc/apache2/conf.d/charset on purge, rather
    than just writing about it in the changelog.
  * Resynchronise with Debian, resolving minor conflicts.
  * Remove /etc/apache2/conf.d/charset on purge.
  * Update 040_link_external_pcre to require autoconf 2.50, so it
    doesn't fail when autoconf2.13 is installed (closes: #295428)
  * Further mangle the apache_stop function in the init script so it
    attempts as hard as possible to make sure apache2 is stopped before
    it tries to restart. Thanks to Andre Tomt <andre@tomt.net> for
    the bug and patch this fix was based on (closes: #295915, #281557)
  * Resynchronise with Debian.
  * Add 040_link_external_pcre to allow us to link to an external libpcre
    rather than statically compiling the bundled version.
  * Add --with-external-pcre to the configure flags in debian/rules
    (closes: #294673, #294675, #282606, #294740)
  * Stop hardcoding the path to netstat in postinst (closes: #294737)
  * Resync from Debian
  * Drop Andres Salomon's PCRE mangling patch in favour of hand-merging
    Joe Orton's patch against head to completely internalise apache's
    copy of PCRE, only exposing a wrapper API. (closes: #294395)
  * Make apache2-threaded-dev and apache2-prefork-dev both arch:any
    as they contain architecture-dependent defines (closes: #294257)
  * Resync from Debian

  * New upstream release
    - Remove 036_HEAD_CAN-2004-0942, integrated upstream
    - Remove 037_HEAD_CAN-2004-0885, integrated upstream
  * Drop support for the threadpool MPM, as it's abandoned upstream.
    - Make apache2-mpm-threadpool an empty package depending on
      apache2-mpm-worker, and make worker replace the old threadpool
  * Make SYSCONFDIR configurable at the top of a2{en,dis}{mod,site}
  * Drop the build-conflict on gawk, and use ac_cv_prog_AWK=mawk
    instead (closes: #283396)
  * Make the apache_stop() function stop trying to do the equivalent
    of "killall apache2", and instead issue a nasty warning if it can't
    stop apache2 on its own
  * Make "restart" an alias for "force-reload" in the init script, as
    apache2ctl restart doesn't match policy's requirements for restart
  * Swapping between threaded and unthreaded MPMs could leave one with
    both mod_cgi and mod_cgid enabled. Fixed the postinsts so that
    no longer happens
  * Update 021-pcre_mangle_symbols.patch from Andres Salomon, now also
    mangling typedefs, which should fix PHP (closes: #280823)
  * Hardcode a dependency on libgcc1 (>= 1:3.3.5) so pthread_cancel
    will work correctly with partial upgrades (closes: #287033)
  * When removing ssl_scache, make sure to remove its db transaction logs
    and other garbage as well (closes: #293831)
  * Remove duplicate /icons/ from the default site (closes: #291856)
  * Yank 039_fix_forensic_tmpfiles from Ubuntu's apache2 packages
  * Split out utils into separate apache2-utils. This will also
    supersede the apache-utils package (closes: #285219)
  * Add split-logfile to apache2-utils (closes: #290814)
  * Make the MPM postinsts scream loudly, but not fail, if you've
    deleted cgi{,d}.load before swapping MPMs (closes: #283141)
  * Fix up temp file usage in check_forensic (Ubuntu: #5606)
  * Comment out the RedirectMatch in default site for Ubuntu
  * Ensure that we're sending out UTF-8 by default (Ubuntu: #5222)
  * Resynchronise with Debian.
  * Nuke duplicate patches; use Debian's not ours.
  * No longer build-conflict with gawk, instead use mawk specifically.
  * Brown paper bag release to fix apache2-common's postinst, by judiciously
    sprinkling ||true in a couple of needed places (closes: #280527)
  * While hunting for unclean uses of VAR=`command` in the package, found
    the cause of the "can't purge with broken config" bugs and fixed that
    too with yet another ||true (closes: #263511, #273759, #279875)
  * Include two patches, 036_HEAD_CAN-2004-0942 and 037_HEAD_CAN-2004-0885
    - CAN-2004-0942: Memory leak in header parsing in server/protocol.c
    - CAN-2004-0885: Incorrect SSLCipherSuite selection in mod_ssl
  * Fix up our use of netstat in apache2-common's postinst to clean up some
    unnecessary output to stderr, as well as detect when netstat believes
    we don't have AF_INET support. This should allow for installation in
    chroots where the /proc filesystem isn't mounted (closes: #245487)
  * Add 035_HEAD_Content-Length_Fix_From_CVS, which should solve problems
    with Content-Length being set incorrectly on proxied HEAD requests,
    breaking Windows Update from proxied machines (closes: #277787)
  * Take out the reload/start magic in the postinst, and just call start in
    all cases, as we stop the daemon in the prerm (closes: #275175, #222786)
  * Copy config.guess/config.sub/ltmain.sh in from /usr/share/libtool at
    build time. (closes: #257228, #263101)
  * Clean up the clean target in debian/rules to remove some duplicate
    maintainer scripts from the debian/ directory that we don't need to be
    shipping in the source package.
  * Move envvars to /etc/apache2/ and add patch 038_no_LD_LIBRARY_PATH to
    remove the extraneous LD_LIBRARY_PATH from envvars (closes: #276670)
  * SECURITY UPDATE to fix remote Denial of Service
  * added patch 035_CAN-2004-0942.patch:
    - server/protocol.c - Trim trailing whitespace here, after reading a
      complete field including continuation lines. Also simplify code to remove
      whitespace between field-name and colon.
    - This fixes a denial of service (CPU consumption) via an HTTP GET request
      with a MIME header containing multiple lines with a large number of space
      characters.
  * References:
    CAN-2004-0942
    http://lists.netsys.com/pipermail/full-disclosure/2004-November/028248.html
  * Thanks to Gerardo Di Giacomo <gerardo@linux.it> for preparing this update.
  * Resynchronise with Debian.
  * Drop included security fixes which are upstream.
  * New upstream bugfix/security release:
    - Fixes CAN-2004-0811: Satisfy directive bypass (closes: #273412)
  * Add '|| true' to a2enmod to stop it from dying when the installed MPM
    isn't prefork (closes: #273017, #273019, #272865, #273021, #273258)
  * Touch /var/log/apache2/error.log on new installs to ensure that our log
    directory isn't removed until the package is purged, so logrotate doesn't
    complain about its inability to find it (closes: #239571)
  * Add 032_suexec_is_shared, which makes sure suEXEC is only searched for
    and enabled when mod_suexec is loaded (closes: #227653)
  * Use '$APACHE2CTL startssl' consistently in init script to make sure the
    SSL define doesn't disappear on force-reload (closes: #272531)
  * Add 033_dbm_read_hash_or_btree to allow apr-util and dbmmanage to open
    and manipulate DB_BTREE databases, while still defaulting to creating
    DB_HASH databases as before. This should clear up incompatibilities
    with other applications (such as PHP) which default to DB_BTREE.
  * Moved dbmmanage2 to /usr/bin, instead of /usr/sbin, as it's a user tool.
  * Added 034_ab2_has_openssl, thanks to 2.1-cvs, Fedora, thom, and a bit
    of munging, to compile a working ab2 with SSL support (closes: #261820)
  * Test for the existence of /usr/sbin/apache2 before we go trying to invoke
    it to determine what MPM we have installed (closes: #272103, #272207)
  * Make the default httpd.conf created in apache2-common's postinst contain
    a fake LoadModule line (commented out), and make apxs2 default to
    installing modules to /etc/apache2/httpd.conf, so people using apxs2
    rather than the mods-{enabled,available} directories get the expected
    behaviour, rather than obscure errors (closes: #167552, #231134)
  * apxs2 now writes the correct path to modules in httpd.conf, including
    the mysteriously missing slash (closes: #231450, #167557)
  * Make apxs2 install modules with mode 644, since 755 makes no sense.
  * Added a bit of magic to a2{en,dis}site to treat the default site as a
    special case and add a "000-" priority to the beginning of its symlink.
    Patches welcome to turn this into something robust, like update-rc.d.
  * New upstream release, including the following security fixes:
    - CAN-2004-0747: ap_resolve_env buffer overflow
    - CAN-2004-0786: apr_uri_parse segfault in memcpy
    - CAN-2004-0809: mod_dav crash/DoS via NULL pointer dereference
  * Drop the following patches which are now included upstream:
    - 025_CAN-2004-0748.patch
    - 026_CAN-2004-0751.patch
    - 027_autoindex_ignore_bad_files.patch
    - 028_apr_sticky_bits.patch
  * Install a properly sanitised config_vars.mk so that apxs2 behaves in
    a reasonably sane way (closes: #243340, #270768)
  * Relax www-browser dependency to a Suggests, as the mod_status dump from
    apache2ctl is a pretty minor (and oft unused) feature (closes: #269309)
  * init script now allows you to stop (but not start, restart, etc) the web
    server, even if NO_START is set to 1 (closes: #269398)
  * Make the apache2 -> apache2-mpm-* dependency tighter, so it does what
    one expects when installing it (closes: #269580)
  * Remove the ^/doc/apache2-doc/manual(.*)$ /manual$1 RedirectMatch from
    the default site which was confusing and useless (closes: #270216)
  * Add debian/watch file to track upstream versions.
  * Add some magic to a2enmod to map cgi to cgid if using a threaded MPM.
  * Add a2ensite and a2dissite which do the same thing as a2{en,dis}mod,
    but for sites rather than modules (closes: #269251)

ubuntu/hoary 2005-12-20 20:38:23 UTC 2005-12-20
Import patches-unapplied version 2.0.53-5ubuntu5 to ubuntu/hoary

Author: Adam Conrad
Author Date: 2005-04-01 16:30:56 UTC

Import patches-unapplied version 2.0.53-5ubuntu5 to ubuntu/hoary

Imported using git-ubuntu import.

Changelog parent: a9b7db731beb72eeafe0a61ed091b780fedf1025

New changelog entries:
  * Fix the init script to not exit with an error when asked to
    stop a daemon that isn't running (Was the root cause of #8374)
  * Make sure package removals don't fail even if the init script
    doesn't stop apache2 (Ubuntu #8374)
  * Add dependency on lsb-base (>= 1.3-9ubuntu2) to guarantee
    availability of lsb init functions (Ubuntu #7765)
  * Really remove /etc/apache2/conf.d/charset on purge, rather
    than just writing about it in the changelog.
  * Resynchronise with Debian, resolving minor conflicts.
  * Remove /etc/apache2/conf.d/charset on purge.
  * Update 040_link_external_pcre to require autoconf 2.50, so it
    doesn't fail when autoconf2.13 is installed (closes: #295428)
  * Further mangle the apache_stop function in the init script so it
    attempts as hard as possible to make sure apache2 is stopped before
    it tries to restart. Thanks to Andre Tomt <andre@tomt.net> for
    the bug and patch this fix was based on (closes: #295915, #281557)
  * Resynchronise with Debian.
  * Add 040_link_external_pcre to allow us to link to an external libpcre
    rather than statically compiling the bundled version.
  * Add --with-external-pcre to the configure flags in debian/rules
    (closes: #294673, #294675, #282606, #294740)
  * Stop hardcoding the path to netstat in postinst (closes: #294737)
  * Resync from Debian
  * Drop Andres Salomon's PCRE mangling patch in favour of hand-merging
    Joe Orton's patch against head to completely internalise apache's
    copy of PCRE, only exposing a wrapper API. (closes: #294395)
  * Make apache2-threaded-dev and apache2-prefork-dev both arch:any
    as they contain architecture-dependent defines (closes: #294257)
  * Resync from Debian

  * New upstream release
    - Remove 036_HEAD_CAN-2004-0942, integrated upstream
    - Remove 037_HEAD_CAN-2004-0885, integrated upstream
  * Drop support for the threadpool MPM, as it's abandoned upstream.
    - Make apache2-mpm-threadpool an empty package depending on
      apache2-mpm-worker, and make worker replace the old threadpool
  * Make SYSCONFDIR configurable at the top of a2{en,dis}{mod,site}
  * Drop the build-conflict on gawk, and use ac_cv_prog_AWK=mawk
    instead (closes: #283396)
  * Make the apache_stop() function stop trying to do the equivalent
    of "killall apache2", and instead issue a nasty warning if it can't
    stop apache2 on its own
  * Make "restart" an alias for "force-reload" in the init script, as
    apache2ctl restart doesn't match policy's requirements for restart
  * Swapping between threaded and unthreaded MPMs could leave one with
    both mod_cgi and mod_cgid enabled. Fixed the postinsts so that
    no longer happens
  * Update 021-pcre_mangle_symbols.patch from Andres Salomon, now also
    mangling typedefs, which should fix PHP (closes: #280823)
  * Hardcode a dependency on libgcc1 (>= 1:3.3.5) so pthread_cancel
    will work correctly with partial upgrades (closes: #287033)
  * When removing ssl_scache, make sure to remove its db transaction logs
    and other garbage as well (closes: #293831)
  * Remove duplicate /icons/ from the default site (closes: #291856)
  * Yank 039_fix_forensic_tmpfiles from Ubuntu's apache2 packages
  * Split out utils into separate apache2-utils. This will also
    supersede the apache-utils package (closes: #285219)
  * Add split-logfile to apache2-utils (closes: #290814)
  * Make the MPM postinsts scream loudly, but not fail, if you've
    deleted cgi{,d}.load before swapping MPMs (closes: #283141)
  * Fix up temp file usage in check_forensic (Ubuntu: #5606)
  * Comment out the RedirectMatch in default site for Ubuntu
  * Ensure that we're sending out UTF-8 by default (Ubuntu: #5222)
  * Resynchronise with Debian.
  * Nuke duplicate patches; use Debian's not ours.
  * No longer build-conflict with gawk, instead use mawk specifically.
  * Brown paper bag release to fix apache2-common's postinst, by judiciously
    sprinkling ||true in a couple of needed places (closes: #280527)
  * While hunting for unclean uses of VAR=`command` in the package, found
    the cause of the "can't purge with broken config" bugs and fixed that
    too with yet another ||true (closes: #263511, #273759, #279875)
  * Include two patches, 036_HEAD_CAN-2004-0942 and 037_HEAD_CAN-2004-0885
    - CAN-2004-0942: Memory leak in header parsing in server/protocol.c
    - CAN-2004-0885: Incorrect SSLCipherSuite selection in mod_ssl
  * Fix up our use of netstat in apache2-common's postinst to clean up some
    unnecessary output to stderr, as well as detect when netstat believes
    we don't have AF_INET support. This should allow for installation in
    chroots where the /proc filesystem isn't mounted (closes: #245487)
  * Add 035_HEAD_Content-Length_Fix_From_CVS, which should solve problems
    with Content-Length being set incorrectly on proxied HEAD requests,
    breaking Windows Update from proxied machines (closes: #277787)
  * Take out the reload/start magic in the postinst, and just call start in
    all cases, as we stop the daemon in the prerm (closes: #275175, #222786)
  * Copy config.guess/config.sub/ltmain.sh in from /usr/share/libtool at
    build time. (closes: #257228, #263101)
  * Clean up the clean target in debian/rules to remove some duplicate
    maintainer scripts from the debian/ directory that we don't need to be
    shipping in the source package.
  * Move envvars to /etc/apache2/ and add patch 038_no_LD_LIBRARY_PATH to
    remove the extraneous LD_LIBRARY_PATH from envvars (closes: #276670)
  * SECURITY UPDATE to fix remote Denial of Service
  * added patch 035_CAN-2004-0942.patch:
    - server/protocol.c - Trim trailing whitespace here, after reading a
      complete field including continuation lines. Also simplify code to remove
      whitespace between field-name and colon.
    - This fixes a denial of service (CPU consumption) via an HTTP GET request
      with a MIME header containing multiple lines with a large number of space
      characters.
  * References:
    CAN-2004-0942
    http://lists.netsys.com/pipermail/full-disclosure/2004-November/028248.html
  * Thanks to Gerardo Di Giacomo <gerardo@linux.it> for preparing this update.
  * Resynchronise with Debian.
  * Drop included security fixes which are upstream.
  * New upstream bugfix/security release:
    - Fixes CAN-2004-0811: Satisfy directive bypass (closes: #273412)
  * Add '|| true' to a2enmod to stop it from dying when the installed MPM
    isn't prefork (closes: #273017, #273019, #272865, #273021, #273258)
  * Touch /var/log/apache2/error.log on new installs to ensure that our log
    directory isn't removed until the package is purged, so logrotate doesn't
    complain about its inability to find it (closes: #239571)
  * Add 032_suexec_is_shared, which makes sure suEXEC is only searched for
    and enabled when mod_suexec is loaded (closes: #227653)
  * Use '$APACHE2CTL startssl' consistently in init script to make sure the
    SSL define doesn't disappear on force-reload (closes: #272531)
  * Add 033_dbm_read_hash_or_btree to allow apr-util and dbmmanage to open
    and manipulate DB_BTREE databases, while still defaulting to creating
    DB_HASH databases as before. This should clear up incompatibilities
    with other applications (such as PHP) which default to DB_BTREE.
  * Moved dbmmanage2 to /usr/bin, instead of /usr/sbin, as it's a user tool.
  * Added 034_ab2_has_openssl, thanks to 2.1-cvs, Fedora, thom, and a bit
    of munging, to compile a working ab2 with SSL support (closes: #261820)
  * Test for the existence of /usr/sbin/apache2 before we go trying to invoke
    it to determine what MPM we have installed (closes: #272103, #272207)
  * Make the default httpd.conf created in apache2-common's postinst contain
    a fake LoadModule line (commented out), and make apxs2 default to
    installing modules to /etc/apache2/httpd.conf, so people using apxs2
    rather than the mods-{enabled,available} directories get the expected
    behaviour, rather than obscure errors (closes: #167552, #231134)
  * apxs2 now writes the correct path to modules in httpd.conf, including
    the mysteriously missing slash (closes: #231450, #167557)
  * Make apxs2 install modules with mode 644, since 755 makes no sense.
  * Added a bit of magic to a2{en,dis}site to treat the default site as a
    special case and add a "000-" priority to the beginning of its symlink.
    Patches welcome to turn this into something robust, like update-rc.d.
  * New upstream release, including the following security fixes:
    - CAN-2004-0747: ap_resolve_env buffer overflow
    - CAN-2004-0786: apr_uri_parse segfault in memcpy
    - CAN-2004-0809: mod_dav crash/DoS via NULL pointer dereference
  * Drop the following patches which are now included upstream:
    - 025_CAN-2004-0748.patch
    - 026_CAN-2004-0751.patch
    - 027_autoindex_ignore_bad_files.patch
    - 028_apr_sticky_bits.patch
  * Install a properly sanitised config_vars.mk so that apxs2 behaves in
    a reasonably sane way (closes: #243340, #270768)
  * Relax www-browser dependency to a Suggests, as the mod_status dump from
    apache2ctl is a pretty minor (and oft unused) feature (closes: #269309)
  * init script now allows you to stop (but not start, restart, etc) the web
    server, even if NO_START is set to 1 (closes: #269398)
  * Make the apache2 -> apache2-mpm-* dependency tighter, so it does what
    one expects when installing it (closes: #269580)
  * Remove the ^/doc/apache2-doc/manual(.*)$ /manual$1 RedirectMatch from
    the default site which was confusing and useless (closes: #270216)
  * Add debian/watch file to track upstream versions.
  * Add some magic to a2enmod to map cgi to cgid if using a threaded MPM.
  * Add a2ensite and a2dissite which do the same thing as a2{en,dis}mod,
    but for sites rather than modules (closes: #269251)

ubuntu/warty 2005-12-20 14:14:55 UTC 2005-12-20
Import patches-unapplied version 2.0.50-12ubuntu4 to ubuntu/warty

Author: Thom May
Author Date: 2004-10-13 18:46:10 UTC

Import patches-unapplied version 2.0.50-12ubuntu4 to ubuntu/warty

Imported using git-ubuntu import.

applied/ubuntu/warty 2005-12-20 14:14:55 UTC 2005-12-20
Import patches-applied version 2.0.50-12ubuntu4 to applied/ubuntu/warty

Author: Thom May
Author Date: 2004-10-13 18:46:10 UTC

Import patches-applied version 2.0.50-12ubuntu4 to applied/ubuntu/warty

Imported using git-ubuntu import.

Unapplied parent: a9b7db731beb72eeafe0a61ed091b780fedf1025


Other repositories

Name Last Modified
lp:ubuntu/+source/apache2 2019-11-16
lp:~ddstreet/ubuntu/+source/apache2 2019-10-16
lp:~paelzer/ubuntu/+source/apache2 2019-09-09
lp:~ahasenack/ubuntu/+source/apache2 2019-08-14
lp:~nacc/ubuntu/+source/apache2 2017-07-27
lp:~evarlast/ubuntu/+source/apache2 2016-11-30