lp:ubuntu/gutsy-security/apache2

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/gutsy-security/apache2
Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

23. By Marc Deslauriers

[ Emanuele Gentili ]
* SECURITY UPDATE:
 + debian/patches/111_CVE-2008-2364.dpatch (LP: #239894)
  - The ap_proxy_http_process_response function in mod_proxy_http.c
    in the mod_proxy module does not limit the number of forwarded
    interim responses, which allows remote HTTP servers to cause a
    denial of service (memory consumption) via a large number of
    interim responses.
 + References
  - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364

[ Marc Deslauriers ]
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in "413 Request
  Entity Too Large" error message
  - debian/patches/107_CVE-2007-6203.dpatch: properly escape some error
    messages in modules/http/http_protocol.c.
  - CVE-2007-6203
* SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
  mod_proxy_balancer
  - debian/patches/108_CVE-2007-6420.dpatch: generate and validate a nonce in
    modules/proxy/mod_proxy_balancer.c.
  - CVE-2007-6420
* SECURITY UPDATE: Denial of service via memory leak in the zlib_stateful_init
  function (LP: #224945)
  - debian/patches/109_CVE-2008-1678.dpatch: don't call
    CRYPTO_cleanup_all_ex_data in modules/ssl/mod_ssl.c.
  - CVE-2008-1678
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability via UTF-7 encoded
  URLs
  - debian/patches/110_CVE-2008-2168.dpatch: specify a default charset in
    modules/dav/main/mod_dav.c, modules/generators/mod_info.c and
    modules/proxy/mod_proxy_balancer.c.
  - CVE-2008-2168
* SECURITY UPDATE: Denial of service via large number of interim responses in
  mod_proxy module (LP: #239894)
  - debian/patches/111_CVE-2008-2364.dpatch: updated patch to newer version.
  - CVE-2008-2364
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
  mod_proxy_ftp module
  - debian/patches/112_CVE-2008-2939.dpatch: escape the html
    contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
  - CVE-2008-2939

22. By Jamie Strandboge

* SECURITY UPDATE: denial of service (application crash) when using
  mod_proxy in threaded MPM via crafted date headers.
* debian/patches/100_CVE-2007-3847.dpatch: fix proxy_util.c to use
  apr_date_parse_http() and apr_rfc822_date()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
  when charset not defined
* debian/patches/101_CVE-2007-4465.dpatch: fix mod_autoindex.c to properly
  check for and use charset
* SECURITY UPDATE: cross-site scripting vulnerability in mod_imagemap
* debian/patches/102_CVE-2007-5000.dpatch: fix for mod_imagemap.c to use
  ap_escape_html()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
  server-status is enabled
* debian/patches/103_CVE-2007-6388.dpatch: fix for mod_status.c to properly
  setup table
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_balancer
* debian/patches/104_CVE-2007-6421.dpatch: fix for mod_proxy_balancer.c to
  use ap_escape_html()
* SECURITY UPDATE: denial of service (application crash) in
  mod_proxy_balancer when MPM is used
* debian/patches/105_CVE-2007-6422.dpatch: fix for mod_proxy_balancer.c to
  check bsel is non-NULL
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_ftp when
  charset is not defined
* debian/patches/106_CVE-2008-0005.dpatch: fix for mod_proxy_ftp.c to define
  a charset
* References
  CVE-2007-3847
  CVE-2007-4465
  CVE-2007-5000
  CVE-2007-6388
  CVE-2007-6421
  CVE-2007-6422
  CVE-2008-0005

21. By LaMont Jones

Trigger rebuild for hppa

20. By Stefan Fritsch

[ Stefan Fritsch ]
* enable default site on new installs again (Closes: #436341)
* make mod_authn_dbd depend on mod_dbd
* make a2dissite return 0 if a site is already disabled (Closes: #435398)
* make a2 scripts print errors to stderr (Closes: #435400)
* move TypesConfig directive from apache2.conf to mime.conf
  (Closes: #434248)

[ Adam Conrad ]
* Special case apache2-dbg magic in debian/rules, so we don't do
  this on Ubuntu, which has an archive of detached debug packages.

19. By Martin Pitt

debian/rules: Also remove apache2-dbg from debian/files on Ubuntu, so that
dpkg-genchanges does not choke.

18. By Martin Pitt

debian/rules: Do not do the black magic for producing the -dbg package on
Ubuntu, since it breaks with pkg-create-dbgsym and is not needed for the
same reason.

17. By Stefan Fritsch

* Modularize config: Move module specific configuration from apache2.conf
  to mods-available/*conf (Closes: #338472)
* Remove the NO_START kludge. Now you have to use rc*.d symlinks to disable
  apache2. (Closes: #408462, #275561)
* Create run and lock directories in apache2ctl to make it work on fresh
  installations before the first call of the init script. Together with
  the previous item, this closes: #418499
* Disable AddDefaultCharset again (Closes: #397886)
* Make ports.conf, conf.d/charset, and /etc/default/apache2 conffiles
  managed by dpkg
* Listen on port 443 by default if mod_ssl is loaded (Closes: #404598)
* Add logic to start htcacheclean as daemon or cronjob. The configuration
  is in /etc/default/apache2
* Fix security issues:
  - CVE-2007-3304: prevent the parent process from sending SIGUSR1 to
    arbitrary processes
  - CVE-2006-5752: XSS in mod_status
* Add init.d dependency info from insserv overrides to /etc/init.d/apache2
* Replace apachectl with apache2ctl in docs (Closes: #164493)
* Add usage message to apache2ctl (Closes: #359008)
* Make -dev packages priority extra
* Add secure example cipher/protocol configuration to ssl.conf
* Update watch file (Closes: #433552)
* Bump dh_compat to 5
* Add new package apache2-dbg with debugging symbols
* Fix mod_cache returning 304 instead of 200 on HEAD requests

16. By Stefan Fritsch

[ Stefan Fritsch ]
* Urgency medium for security fix
* Fix CVE-2007-1863: DoS in mod_cache
* New upstream version (Closes: #427050)
  - Fixes "proxy: error reading status line from remote server"
    (Closes: #410331)
* Fix CVE-2007-1862: mod_mem_cache DoS (introduced in 2.2.4)
* Change logrotate script to use reload instead of restart.
  (Closes: #298689)
* chmod o-rx /var/log/apache2 (Closes: #291841)
* chmod o-x suexec (Closes: #431048)
* Update patch for truncated mod_cgi 500 responses from upstream SVN
  (Closes: #412580)
* Don't use AddDefaultCharset for our docs (Closes: #414429)
* fix options syntax in sites-available/default (Closes: #419539)
* Move conf.d include to the end of apache2.conf (Closes: #305933)
* Remove log, cache, and lock files on purge (Closes: #428887)
* Ship /usr/lib/cgi-bin (Closes: #415698)
* Add note to README.Debian how to read docs (Closes: #350822)
* Document pid file name (Closes: #350286)
* Update Standards-Version (no changes needed)
* Fix some lintian warnings, add some overrides
* Start apache when doing a "restart" even if it was not running
  (Closes: #384682)
* reload config in apache2-doc postinst (Closes: #289289)
* don't fail in prerm if apache is not running (Closes: #418536)
* Suggest apache2-doc and www-browser (Closes: #399056)
* Make init script always display a warning if NO_START=1 since
  VERBOSE=yes is not the default anymore (Closes: #430116)
* Replace apache2(8) man page with a more current version
* Add httxt2dbm(8) man page
* Show -X option in help message (Closes: #391817)
* remove sick-hack-to-update-modules
* don't depend on procps on hurd (Closes: #431125)

[ Peter Samuelson ]
* Add shlibs:Depends to apache2.2-common.

15. By Stefan Fritsch

[ Tollef Fog Heen ]
* Fix up apache2-src so the .tar.gz contains an apache2 top level
  directory.
* Make apache2 MPMs provide and conflict with apache2-mpm so other
  packages can provide MPMs too.
* Get rid of 2.1 references from descriptions. (Closes: #400981)

[ Thom May ]
* Let the init script cope with multiple pid files correctly. Probably we
  shouldn't be doing this at all, but we might as well do it properly!
  (Closes: #396162)
* Add a sensible autoindex default config
* Add patch from upstream to ensure that mod_cgi 500 responses aren't
  truncated (Closes: #412580)
* Use graceful-stop to shutdown apache to ensure we cope nicely with long
  running or blocked children

[ Peter Samuelson ]
* Ship apache2 manpage in apache2.2-common. (Closes: #391813)
* Rearrange init script so that 'force-reload' is the same as 'reload'.
  (Closes: #401053)
* Add Build-Depends: mawk. (Closes: #403682)
* Add a needed <IfModule mod_include.c> guard to apache2.conf.
  (Closes: #407307)
* Stop shipping /var/run/apache2/ as it is created at runtime anyway.
* Move the /var/lock/apache2 owner fix from the apache2.2-common
  postinst to the init script, as /var/lock may not persist across
  reboots. (Closes: #420101)

[ Stefan Fritsch ]
* Add Build-Depends: libssl-dev, zlib1g-dev (Closes: #399043)
* Add XS-Vcs-* to debian/control
* Improve handling of empty $MODNAME in a2enmod (Closes: #422589)
* Treat apache2-mpm-itk as prefork in a2enmod (Closes: #412602)
* Re-add README.Debian and describe
  - the config dir layout (closes: #419552)
  - which files are ignored by Include
  - when and how to change "restart" to "reload" in the logrotate script
* When purging, remove {mods,sites}-enabled symlinks and the config files
  created by postinst (Closes: #397789)
* Fix suexec to log after a cgi error (Closes: #312385)
* Add watch file
* Add AddType for .bz2 (Closes: #416322)
* Make init script messages conform better to policy (Closes: #390348)
  and exit with failure if called with unknown parameter (Closes: #412407)
* Fix segfault in mod_proxy_ftp when FTP server sends back no spaces
  (Closes: #413727)
* Ship /etc/apache2/conf.d/apache2-doc (Closes: #418464)
* Tell the user when selecting cgid instead of cgi (Closes: #428058)
* Add a2ensite/a2dissite man pages (Closes: #322385)
* Comment out CacheEnable by default, to prevent filling up /var.
  Document the problem in README.Debian and NEWS.Debian, point to
  htcacheclean and give a warning when doing a2enmod disk_cache
  (Closes: #423653).
* Add myself to Uploaders.

14. By Peter Samuelson

* High-urgency upload for RC bugfixes.
* Ack NMUs - thanks Andi, Steve.
* Refactor apache2.2-common.postinst slightly, to account for sarge
  upgrades (since it's a new package name, rather than an upgrade).
  (Closes: #396782, #415775)
* If mod_proxy was configured in sarge, add proxy_http and
  disk_cache modules, which used to be included in the mod_proxy config.
  (Closes: #407171)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/lucid/apache2