lp:ubuntu/feisty-updates/apache2

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/feisty-updates/apache2

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

15. By Jamie Strandboge

* SECURITY UPDATE: denial of service (application crash) when using
  mod_proxy in threaded MPM via crafted date headers.
* debian/patches/100_CVE-2007-3847.dpatch: fix proxy_util.c to use
  apr_date_parse_http() and apr_rfc822_date()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
  when charset not defined
* debian/patches/101_CVE-2007-4465.dpatch: fix mod_autoindex.c to properly
  check for and use charset
* SECURITY UPDATE: cross-site scripting vulnerability in mod_imagemap
* debian/patches/102_CVE-2007-5000.dpatch: fix for mod_imagemap.c to use
  ap_escape_html()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
  server-status is enabled
* debian/patches/103_CVE-2007-6388.dpatch: fix for mod_status.c to properly
  set up table
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_balancer
* debian/patches/104_CVE-2007-6421.dpatch: fix for mod_proxy_balancer.c to
  use ap_escape_html()
* SECURITY UPDATE: denial of service (application crash) in
  mod_proxy_balancer when MPM is used
* debian/patches/105_CVE-2007-6422.dpatch: fix for mod_proxy_balancer.c to
  check bsel is non-NULL
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_ftp when
  charset is not defined
* debian/patches/106_CVE-2008-0005.dpatch: fix for mod_proxy_ftp.c to define
  a charset
* References
  CVE-2007-3847
  CVE-2007-4465
  CVE-2007-5000
  CVE-2007-6388
  CVE-2007-6421
  CVE-2007-6422
  CVE-2008-0005

14. By Kees Cook

* SECURITY UPDATE: XSS in mod_status, DoS in mod_cache, signal passing.
* Backported fixes from upstream and Debian updates:
  - CVE-2007-1863: fixed DoS via mod_cache headers.
    http://svn.apache.org/viewvc?view=rev&revision=551944
  - CVE-2007-3304: stop signals from being sent to other processes.
    http://svn.apache.org/viewvc?view=rev&revision=547987
  - CVE-2006-5752: fixed XSS in status report.
    http://svn.apache.org/viewvc?view=rev&revision=549159

13. By Martin Pitt

No-change upload for the libpq4->libpq5 transition.

12. By Andreas Barth <email address hidden>

* Non-maintainer upload.
* 043_ajp_connection_reuse: Patch from upstream Bugzilla, fixing a critical
  issue with regard to connection reuse in mod_proxy_ajp.
  Closes: #396265

11. By Martin Pitt

* Add debian/patches/054_restore_prefix_fix:
  - Fix autoconf macros to work with autoconf 2.60 (AC_CANONICAL_SYSTEM
    overwrites $@ in 2.60, see Debian bug #372179), so that the package
    builds again on recent Edgy.
  - Thanks to Daniel Schepler <email address hidden> for this patch
    (taken from Debian #374160)
  - Closes: LP#62242

10. By Martin Pitt

* SECURITY UPDATE: Remote DoS, potential remote code execution.
* Add debian/patches/053_mod_rewite_CVE-2006-3747:
  - Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
  - Reported by Mark Dowd of McAfee Avert Labs.
  - CVE-2006-3747
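The entry above names an off-by-one in a fixed-size token array. The following is an added illustration of that bug class and of the bounds check that closes it; it is not mod_rewrite's code, and the URL layout, slot count, field names and sample input are assumptions made for the example. An LDAP URL (ldap://host/dn?attrs?scope?filter?exts) has at most five '?'-delimited fields, so the array has five slots; the sample deliberately carries six separators.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not mod_rewrite's code: splitting a URI into a fixed
 * number of tokens, with the bounds check that prevents a write one slot
 * past the end when the input has more separators than slots. */
#define MAX_TOKENS 5

struct fields {
    char *tok[MAX_TOKENS];
    char *canary;   /* sits just past the array; must never be overwritten */
};

/* Split `s` in place at '?' into at most MAX_TOKENS pieces; return how many
 * were stored. The `c >= MAX_TOKENS` test before each store is the fix:
 * without it a fifth '?' would store into f->tok[MAX_TOKENS], which is
 * f->canary here and an arbitrary neighbour on a real stack. Separators
 * beyond the limit are left inside the final token. */
static int split_ldap_fields(char *s, struct fields *f)
{
    int c = 0;
    f->tok[c++] = s;
    for (char *cp = s; *cp; ++cp) {
        if (*cp != '?')
            continue;
        if (c >= MAX_TOKENS)
            break;               /* array full: stop splitting */
        *cp = '\0';
        f->tok[c++] = cp + 1;
    }
    return c;
}

/* Constructed input with one '?' more than the URL grammar allows. */
static const char sample[] =
    "ldap://ldap.example.com/dc=example,dc=com?cn?sub?(uid=*)?bindname=x?a?b";
static char canary_marker[] = "canary";

/* Run the split on a fresh copy of the sample so each check is independent. */
static int run_sample(char *buf, size_t cap, struct fields *f)
{
    if (cap < sizeof sample) return -1;
    memcpy(buf, sample, sizeof sample);
    f->canary = canary_marker;
    return split_ldap_fields(buf, f);
}

static int demo_token_count(void)
{
    char buf[sizeof sample]; struct fields f;
    return run_sample(buf, sizeof buf, &f);
}

/* 1 if the field after the array still holds its original pointer. */
static int demo_canary_intact(void)
{
    char buf[sizeof sample]; struct fields f;
    run_sample(buf, sizeof buf, &f);
    return f.canary == canary_marker;
}

/* 1 if token i of the split sample equals `expected`. */
static int demo_token_is(int i, const char *expected)
{
    char buf[sizeof sample]; struct fields f;
    int n = run_sample(buf, sizeof buf, &f);
    return i >= 0 && i < n && strcmp(f.tok[i], expected) == 0;
}

int main(void)
{
    char buf[sizeof sample]; struct fields f;
    int n = run_sample(buf, sizeof buf, &f);
    for (int i = 0; i < n; ++i)
        printf("tok[%d] = %s\n", i, f.tok[i]);
    printf("canary intact: %s\n", demo_canary_intact() ? "yes" : "no");
    return 0;
}
```

The canary field only makes the neighbouring memory observable in a test; the point is that the store is guarded by the slot count rather than trusting the input to contain at most four separators.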

9. By Adam Conrad

Include patch from SVN HEAD to make sure LFS works on 64-bit platforms
where sendfile() doesn't like dealing with anything larger than 32-bit
chunks. Yes, Linux 2.6, I'm looking at you (see: launchpad.net/11850)

8. By Adam Conrad

Restore the "a2enmod userdir" that went missing in the "cruft cleaning"
in the last upload, since it's required to sanely configure new setups.

7. By Adam Conrad

* Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
  mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
* Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in
  threaded MPMs when making a non-SSL connection to an SSL-enabled port
  on a server with a custom 400 error document defined; see CVE-2005-3357
* Clean up our use of trailing slashes on directories in debian/rules, so
  the newer, pickier, obviously very improved coreutils doesn't bite us.
* Remove some cruft from apache2-common's postinst, dealing with upgrade
  scenarios from versions older than those released in Sarge or Warty.
* Use "SHELL := sh -e" in debian/rules, so the build will stop on shell
  errors, instead of blundering on to later make targets (closes: #340761)
* Recreate /var/run/apache2 and /var/lock/apache2 in our init script, in
  case the user has /var/run and /var/lock on tmpfs, which is fashionable.
* Make our init script a /bin/bash script instead of a /bin/sh script, so
  we can abuse it with regex globbing (#348189, #347962, #340955, #342008)
* Take patch from Adrian Bridgett to output errors from our config test
  in the init script, but only do so when we're VERBOSE (closes: #339323)
* In the spirit of the LSB, make our init script exit 2 when called with
  incorrect arguments, and exit 4 when asked for status (closes: #330275)
* Fix the default site to not mix configuration syntax (closes: #345922)
* Mention apxs2 in the apache2-*-dev long descriptions (closes: #307921)
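The cross-site scripting fixes in revisions 15, 14 and 7 above share two patterns: untrusted request data (a Referer header, a query string, a balancer or worker name) is passed through ap_escape_html() before being written into generated HTML, and the generated page declares its charset so the browser cannot sniff a different decoding of the same bytes. The block below is an added example of both patterns and is not Apache's code; the escaping routine, the error-page layout, the fixed ISO-8859-1 charset and the sample Referer value are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Apache's code: escape untrusted data before it enters
 * HTML, and send an explicit charset with that HTML. */

/* Replacement for a character that can change HTML structure in text or
 * attribute context, or NULL if the character is safe to emit as-is. */
static const char *html_rep(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Escape `s` for inclusion in HTML. Returns a malloc'd string the caller
 * frees, or NULL on allocation failure. */
static char *html_escape(const char *s)
{
    size_t need = 0;
    for (const char *p = s; *p; ++p) {
        const char *rep = html_rep(*p);
        need += rep ? strlen(rep) : 1;
    }
    char *out = malloc(need + 1);
    if (!out) return NULL;
    char *q = out;
    for (const char *p = s; *p; ++p) {
        const char *rep = html_rep(*p);
        if (rep) { size_t n = strlen(rep); memcpy(q, rep, n); q += n; }
        else *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Render the kind of small error page an image-map handler emits when a map
 * has no default target and links back to the Referer. The Referer is
 * attacker-controlled, so it is escaped, and the Content-Type carries a
 * charset so the bytes cannot be reinterpreted in another encoding.
 * Escaping keeps the value inside the markup; it does not validate the URL
 * scheme, so a real handler would also check that before using it as a
 * link target. Returns bytes written, or -1 on error. */
static int render_error_page(const char *referer, char *buf, size_t cap)
{
    char *safe = html_escape(referer);
    if (!safe) return -1;
    int n = snprintf(buf, cap,
        "Content-Type: text/html; charset=ISO-8859-1\r\n\r\n"
        "<html><body><p>No default target. Return to "
        "<a href=\"%s\">%s</a></p></body></html>\r\n",
        safe, safe);
    free(safe);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* 1 if html_escape(in) equals `expected`. */
static int escape_gives(const char *in, const char *expected)
{
    char *e = html_escape(in);
    int ok = e && strcmp(e, expected) == 0;
    free(e);
    return ok;
}

/* 1 if the page rendered for `referer` contains `needle`, else 0. */
static int page_contains(const char *referer, const char *needle)
{
    char page[1024];
    if (render_error_page(referer, page, sizeof page) < 0) return 0;
    return strstr(page, needle) != NULL;
}

int main(void)
{
    char page[1024];
    /* Constructed attacker-supplied Referer header value. */
    const char *referer = "http://evil.example/\"><script>alert(1)</script>";
    if (render_error_page(referer, page, sizeof page) > 0)
        fputs(page, stdout);
    return 0;
}
```

Run as-is, it prints the response with the injected markup neutralised; the same escaping applies to any other value copied from the request into a status or balancer-manager page.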

6. By Matthias Klose

Rebuild for libstdc++ allocator change

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/lucid/apache2