lp:ubuntu/dapper-proposed/apache2

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/dapper-proposed/apache2

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

20. By Marc Deslauriers

* debian/patches/119_sslinsecurerenegotiation-directive.dpatch: once
  openssl gets updated to fix CVE-2009-3555, server renegotiations with
  unpatched clients will fail. This patch adds the ability to revert to
  the previous unsafe behaviour with a new SSLInsecureRenegotiation
  directive. (LP: #616759)
* debian/control: add specific dependency on first openssl version to get
  CVE-2009-3555 fix.

19. By Marc Deslauriers

* SECURITY UPDATE: information disclosure via improper handling of
  headers in subrequests
  - debian/patches/118_CVE-2010-0434.dpatch: use a copy of r->headers_in
    in server/protocol.c.
  - CVE-2010-0434

18. By Jamie Strandboge

* SECURITY UPDATE: Reject client-initiated SSL/TLS renegotiations.
  Partial fix for CVE-2009-3555. Configurations requiring renegotiation
  of per-directory/location access controls are still affected until
  OpenSSL is updated.
  - debian/patches/115_CVE-2009-3555.patch: disable all client
    renegotiations
  - based on http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
  - CVE-2009-3555
* SECURITY UPDATE: fix NULL pointer dereference in mod_proxy_ftp module
  - debian/patches/116-CVE-2009-3094.patch: fix NULL pointer dereference
    in mod_proxy_ftp.c/apr_socket_close() and potential buffer overread
    in EPSV response parser
  - based on http://svn.apache.org/viewvc?revision=814652&view=revision
  - CVE-2009-3094
* SECURITY UPDATE: fix access control bypass in mod_proxy_ftp when
  configured as a reverse proxy
  - debian/patches/117-CVE-2009-3095.patch: adjust proxy_ftp_handler()
    in mod_proxy_ftp.c to fail if the decoded Basic credentials contain
    special characters.
  - based on http://svn.apache.org/viewvc?revision=814045&view=revision
  - CVE-2009-3095

17. By Marc Deslauriers

* SECURITY UPDATE: remote denial of service in mod_deflate module when
  the network connection was closed before compression completed
  - debian/patches/113_CVE-2009-1891.patch: update patch to fix
    regression that caused segfaults under certain circumstances.
    (LP: #409987)
  - CVE-2009-1891

16. By Jamie Strandboge

* SECURITY UPDATE: fix integer overflow in libapr
  - debian/patches/114_CVE-2009-2412.patch: adjust allocator_alloc() and
    apr_palloc() in apr_pools.c to check for overflow after aligning size
  - http://www.apache.org/dist/apr/patches/apr-0.9-CVE-2009-2412.patch
  - CVE-2009-2412
* SECURITY UPDATE: fix integer overflow in libaprutil
  - debian/patches/114_CVE-2009-2412b.patch: adjust apr_rmm_malloc,
    apr_rmm_calloc, apr_rmm_realloc to check for overflow after aligning
    size
  - http://www.apache.org/dist/apr/patches/apr-util-0.9-CVE-2009-2412.patch
  - CVE-2009-2412

15. By Marc Deslauriers

* SECURITY UPDATE: remote denial of service in mod_deflate module when
  the network connection was closed before compression completed
  - debian/patches/113_CVE-2009-1891.patch: fail if the connection has
    been aborted in server/core.c
  - CVE-2009-1891

14. By Jamie Strandboge

* SECURITY UPDATE: Fix underflow in apr_strmatch_precompile
  - debian/patches/110_CVE-2009-0023.dpatch: adjust
    srclib/apr-util/strmatch/apr_strmatch.c to properly evaluate strings as
    unsigned char rather than int
  - CVE-2009-0023
* SECURITY UPDATE: Prevent "billion laughs" attack against expat
  - debian/patches/111_CVE-2009-1955.dpatch: adjust
    srclib/apr-util/xml/apr_xml.c to disable internal entity expansion
  - CVE-2009-1955
* SECURITY UPDATE: Fix off by one overflow in apr_brigade_vprintf
  - debian/patches/112_CVE-2009-1956.dpatch: don't add null terminator to
    vd.vbuff.curpos in srclib/apr-util/buckets/apr_brigade.c
  - CVE-2009-1956

13. By Marc Deslauriers

* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in "413 Request
  Entity Too Large" error message
  - debian/patches/106_CVE-2007-6203.patch: properly escape some error
    messages in modules/http/http_protocol.c.
  - CVE-2007-6203
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability via UTF-7 encoded
  URLs
  - debian/patches/107_CVE-2008-2168.patch: specify a default charset in
    modules/dav/main/mod_dav.c and modules/generators/mod_info.c.
  - CVE-2008-2168
* SECURITY UPDATE: Denial of service via large number of interim responses in
  mod_proxy module (LP: #239894)
  - debian/patches/108_CVE-2008-2364.patch: limit the number of interim
    responses in modules/proxy/proxy_http.c.
  - CVE-2008-2364
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
  mod_proxy_ftp module
  - debian/patches/109_CVE-2008-2939.patch: escape the html contained in the
    wildcard value in modules/proxy/proxy_ftp.c.
  - CVE-2008-2939

12. By Jamie Strandboge

* SECURITY UPDATE: denial of service (application crash) when using
  mod_proxy in threaded MPM via crafted date headers.
* debian/patches/100_CVE-2007-3847.patch: fix proxy_util.c to use
  apr_date_parse_http() and apr_rfc822_date()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
  when charset not defined
* debian/patches/101_CVE-2007-4465.patch: fix mod_autoindex.c to properly
  check for and use charset
* SECURITY UPDATE: cross-site scripting vulnerability in mod_imap
* debian/patches/102_CVE-2007-5000.patch: fix for mod_imap.c to use
  ap_escape_html()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
  server-status is enabled
* debian/patches/103_CVE-2007-6388.patch: fix for mod_status.c to properly
  setup table
* SECURITY UPDATE: cross-site scripting vulnerability in proxy_ftp when
  charset is not defined
* debian/patches/104_CVE-2008-0005.patch: fix for proxy_ftp.c to define
  a charset
* SECURITY UPDATE: cross-site scripting vulnerability in Expect headers
* debian/patches/105_CVE-2006-3918.patch: fix for http_protocol.c to use
  ap_escape_html()
* References
  CVE-2007-3847
  CVE-2007-4465
  CVE-2007-5000
  CVE-2007-6388
  CVE-2008-0005
  CVE-2006-3918

11. By Kees Cook

* SECURITY UPDATE: XSS in mod_status, bad signal passing.
* Backported fixes from upstream:
  - CVE-2007-3304: stop signals from being sent to other processes.
    http://svn.apache.org/viewvc?view=rev&revision=547987
  - CVE-2006-5752: fixed XSS in status report.
    http://svn.apache.org/viewvc?view=rev&revision=549159

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/natty/apache2