Created by James Westby on 2009-11-06 and last modified on 2009-11-06
Get this branch:
bzr branch lp:ubuntu/edgy-security/apache2

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

13. By Jamie Strandboge on 2008-01-29

* SECURITY UPDATE: denial of service (application crash) when using
  mod_proxy in threaded MPM via crafted date headers.
* debian/patches/100_CVE-2007-3847.patch: fix proxy_util.c to use
  apr_date_parse_http() and apr_rfc822_date()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
  when charset not defined
* debian/patches/101_CVE-2007-4465.patch: fix mod_autoindex.c to properly
  check for and use charset
* SECURITY UPDATE: cross-site scripting vulnerability in mod_imap
* debian/patches/102_CVE-2007-5000.patch: fix for mod_imap.c to use
* SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
  server-status is enabled
* debian/patches/103_CVE-2007-6388.patch: fix for mod_status.c to properly
  setup table
* SECURITY UPDATE: cross-site scripting vulnerability in proxy_ftp when
  charset is not defined
* debian/patches/104_CVE-2008-0005.patch: fix for proxy_ftp.c to define
  a charset
* SECURITY UPDATE: cross-site scripting vulnerability in Expect headers
* debian/patches/105_CVE-2006-3918.patch: fix for http_protocol.c to use
* References

12. By Kees Cook on 2007-08-15

* SECURITY UPDATE: XSS in mod_status, bad signal passing.
* Backported fixes from upstream:
  - CVE-2007-3304: stop signals from being sent to other processes.
  - CVE-2006-5752: fixed XSS in status report.

11. By Martin Pitt on 2006-09-27

* Add debian/patches/054_restore_prefix_fix:
  - Fix autoconf macros to work with autoconf 2.60 (AC_CANONICAL_SYSTEM
    overwrites $@ in 2.60, see Debian bug #372179), so that the package
    builds again on recent Edgy.
  - Thanks to Daniel Schepler <email address hidden> for this patch
    (taken from Debian #374160)
  - Closes: LP#62242

10. By Martin Pitt on 2006-07-26

* SECURITY UPDATE: Remote DoS, potential remote code execution.
* Add debian/patches/053_mod_rewite_CVE-2006-3747:
  - Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
  - Reported by Mark Dowd of McAfee Avert Labs.
  - CVE-2006-3747

9. By Adam Conrad on 2006-05-26

Include patch from SVN HEAD to make sure LFS works on 64-bit platforms
where sendfile() doesn't like dealing with anything larger than 32-bit
chunks. Yes, Linux 2.6, I'm looking at you (see: launchpad.net/11850)

8. By Adam Conrad on 2006-05-22

Restore the "a2enmod userdir" that went missing in the "cruft cleaning"
in the last upload, since it's required to sanely configure new setups.

7. By Adam Conrad on 2005-11-26

* Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
  mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
* Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in
  threaded MPMs when making a non-SSL connection to an SSL-enabled port
  on a server with a custom 400 error document defined; see CVE-2005-3357
* Clean up our use of trailing slashes on directories in debian/rules, so
  the newer, pickier, obviously very improved coreutils doesn't bite us.
* Remove some cruft from apache2-common's postinst, dealing with upgrade
  scenarios from versions older than those released in Sarge or Warty.
* Use "SHELL := sh -e" in debian/rules, so the build will stop on shell
  errors, instead of blundering on to later make targets (closes: #340761)
* Recreate /var/run/apache2 and /var/lock/apache2 in our init script, in
  case the user has /var/run and /var/lock on tmpfs, which is fashionable.
* Make our init script a /bin/bash script instead of a /bin/sh script, so
  we can abuse it with regex globbing (#348189, #347962, #340955, #342008)
* Take patch from Adrian Bridgett to output errors from our config test
  in the init script, but only do so when we're VERBOSE (closes: #339323)
* In the spirit of the LSB, make our init script exit 2 when called with
  incorrect arguments, and exit 4 when asked for status (closes: #330275)
* Fix the default site to not mix configuration syntax (closes: #345922)
* Mention apxs2 in the apache2-*-dev long descriptions (closes: #307921)

6. By Matthias Klose on 2005-11-24

Rebuild for libstdc++ allocator change

5. By Adam Conrad on 2005-10-24

Brown paper bag release: Tidy up CFLAGS and APR configure call to make
sure that what we link to agrees with what apu-config tells others to do.

4. By Adam Conrad on 2005-10-04

Add 047_ssl_reneg_with_body, which adds a (bounded) buffer of request
body data to provide a limited but safe fix for the mod_ssl renegotiation
vs requests-with-bodies bug, as occurs with POST and SVN (Ubuntu #14991)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)