lp:ubuntu/feisty-updates/apache2
- Get this branch:
- bzr branch lp:ubuntu/feisty-updates/apache2
Recent revisions
- 15. By Jamie Strandboge

* SECURITY UPDATE: denial of service (application crash) when using
mod_proxy in threaded MPM via crafted date headers.
* debian/patches/100_CVE-2007-3847.dpatch: fix proxy_util.c to use
apr_date_parse_http() and apr_rfc822_date()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
when charset not defined
* debian/patches/101_CVE-2007-4465.dpatch: fix mod_autoindex.c to properly
check for and use charset
* SECURITY UPDATE: cross-site scripting vulnerability in mod_imagemap
* debian/patches/102_CVE-2007-5000.dpatch: fix for mod_imagemap.c to use
ap_escape_html()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
server-status is enabled
* debian/patches/103_CVE-2007-6388.dpatch: fix for mod_status.c to properly
setup table
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_balancer
* debian/patches/104_CVE-2007-6421.dpatch: fix for mod_proxy_balancer.c to
use ap_escape_html()
* SECURITY UPDATE: denial of service (application crash) in
mod_proxy_balancer when MPM is used
* debian/patches/105_CVE-2007-6422.dpatch: fix for mod_proxy_balancer.c to
check bsel is non-NULL
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_ftp when
charset is not defined
* debian/patches/106_CVE-2008-0005.dpatch: fix for mod_proxy_ftp.c to define
a charset
* References
CVE-2007-3847
CVE-2007-4465
CVE-2007-5000
CVE-2007-6388
CVE-2007-6421
CVE-2007-6422
CVE-2008-0005

- 14. By Kees Cook

* SECURITY UPDATE: XSS in mod_status, DoS in mod_cache, signal passing.
* Backported fixes from upstream and Debian updates:
- CVE-2007-1863: fixed DoS via mod_cache headers.
http://svn.apache.org/viewvc?view=rev&revision=551944
- CVE-2007-3304: stop signals from being sent to other processes.
http://svn.apache.org/viewvc?view=rev&revision=547987
- CVE-2006-5752: fixed XSS in status report.
http://svn.apache.org/viewvc?view=rev&revision=549159

- 12. By Andreas Barth <email address hidden>

* Non-maintainer upload.
* 043_ajp_connection_reuse: Patch from upstream Bugzilla, fixing a critical
issue with regard to connection reuse in mod_proxy_ajp.
Closes: #396265

- 11. By Martin Pitt

* Add debian/patches/054_restore_prefix_fix:
- Fix autoconf macros to work with autoconf 2.60 (AC_CANONICAL_SYSTEM
overwrites $@ in 2.60, see Debian bug #372179), so that the package
builds again on recent Edgy.
- Thanks to Daniel Schepler <email address hidden> for this patch
(taken from Debian #374160)
- Closes: LP#62242

- 10. By Martin Pitt

* SECURITY UPDATE: Remote DoS, potential remote code execution.
* Add debian/patches/053_mod_rewite_CVE-2006-3747:
- Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
- Reported by Mark Dowd of McAfee Avert Labs.
- CVE-2006-3747

- 9. By Adam Conrad

Include patch from SVN HEAD to make sure LFS works on 64-bit platforms
where sendfile() doesn't like dealing with anything larger than 32-bit
chunks. Yes, Linux 2.6, I'm looking at you (see: launchpad.net/11850)

- 8. By Adam Conrad

Restore the "a2enmod userdir" that went missing in the "cruft cleaning"
in the last upload, since it's required to sanely configure new setups.

- 7. By Adam Conrad

* Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
* Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in
threaded MPMs when making a non-SSL connection to an SSL-enabled port
on a server with a custom 400 error document defined; see CVE-2005-3357
* Clean up our use of trailing slashes on directories in debian/rules, so
the newer, pickier, obviously very improved coreutils doesn't bite us.
* Remove some cruft from apache2-common's postinst, dealing with upgrade
scenarios from versions older than those released in Sarge or Warty.
* Use "SHELL := sh -e" in debian/rules, so the build will stop on shell
errors, instead of blundering on to later make targets (closes: #340761)
* Recreate /var/run/apache2 and /var/lock/apache2 in our init script, in
case the user has /var/run and /var/lock on tmpfs, which is fashionable.
* Make our init script a /bin/bash script instead of a /bin/sh script, so
we can abuse it with regex globbing (#348189, #347962, #340955, #342008)
* Take patch from Adrian Bridgett to output errors from our config test
in the init script, but only do so when we're VERBOSE (closes: #339323)
* In the spirit of the LSB, make our init script exit 2 when called with
incorrect arguments, and exit 4 when asked for status (closes: #330275)
* Fix the default site to not mix configuration syntax (closes: #345922)
* Mention apxs2 in the apache2-*-dev long descriptions (closes: #307921)
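Several of the entries above (the mod_imap CVE-2005-3352 fix in revision 7, and the mod_imagemap, mod_proxy_balancer and mod_status fixes in revision 15) share one remedy: run attacker-controlled text such as a Referer header through ap_escape_html() before it is written into generated HTML. The following is an added example, not code from httpd or from these Ubuntu patches. It reimplements the idea behind that remedy with a stand-alone escape_html() (the name and behaviour are this example's own assumptions, not the httpd function), builds a link the unescaped way and the escaped way from a constructed Referer value, and shows only the escaped output keeps the injected script inert.

```c
/* Added example: HTML-escape untrusted header values before emitting them.
 * escape_html() stands in for the role ap_escape_html() plays in the fixes
 * listed above; it is a fresh reimplementation, not the httpd code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Entity for an HTML metacharacter, or NULL if the byte is safe to copy. */
static const char *entity_for(char c)
{
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Return a malloc'd copy of s with <, >, &, " and ' replaced by entities.
 * Two passes: measure, then fill, so the output buffer is sized exactly.
 * Caller frees the result. */
char *escape_html(const char *s)
{
    size_t out_len = 0;
    for (const char *p = s; *p; p++) {
        const char *e = entity_for(*p);
        out_len += e ? strlen(e) : 1;
    }
    char *out = malloc(out_len + 1);
    if (!out)
        return NULL;
    char *q = out;
    for (const char *p = s; *p; p++) {
        const char *e = entity_for(*p);
        if (e) {
            size_t n = strlen(e);
            memcpy(q, e, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Render an anchor from a Referer value into buf. escape == 0 reproduces the
 * pre-fix pattern (value copied verbatim into HTML); escape != 0 is the fixed
 * pattern. Returns bytes written, or -1 on allocation failure or truncation. */
int build_referer_html(char *buf, size_t bufsz, const char *referer, int escape)
{
    const char *v = referer;
    char *esc = NULL;
    if (escape) {
        esc = escape_html(referer);
        if (!esc)
            return -1;
        v = esc;
    }
    int n = snprintf(buf, bufsz, "<a href=\"%s\">%s</a>", v, v);
    free(esc);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return n;
}

/* 1 if a raw <script tag survived into the rendered HTML, else 0. */
int contains_script_tag(const char *html)
{
    return strstr(html, "<script") != NULL;
}

int main(void)
{
    /* Constructed sample Referer header, not a captured request. */
    const char *referer = "http://example.test/\"><script>alert(1)</script>";
    char unsafe[512], safe[512];

    if (build_referer_html(unsafe, sizeof unsafe, referer, 0) < 0 ||
        build_referer_html(safe, sizeof safe, referer, 1) < 0)
        return 1;
    printf("unescaped: %s\n", unsafe);
    printf("escaped:   %s\n", safe);
    return 0;
}
```

The escaping is done once, on the value, rather than by hunting for dangerous substrings, which is why the same helper fixes every sink listed above regardless of which module emits the HTML. Truncation is reported rather than silently producing a half-written tag.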
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/lucid/apache2