lp:ubuntu/hardy-proposed/apache2

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

33. By Marc Deslauriers on 2010-08-16

* debian/patches/212_sslinsecurerenegotiation-directive.dpatch: once
  openssl gets updated to fix CVE-2009-3555, server renegotiations with
  unpatched clients will fail. This patch adds the ability to revert to
  the previous unsafe behaviour with a new SSLInsecureRenegotiation
  directive. (LP: #616759)
* debian/control: add specific dependency on first openssl version to get
  CVE-2009-3555 fix.

32. By Dave Walker on 2010-05-21

debian/apache2.2-common.postinst: When dpkg-statoverride is used, the cut
delimiter has now been set to use ' ', as it was causing upgrades to fail.
(LP: #583698)

31. By Dave Walker on 2010-05-17

debian/patches/211_fix_mod_proxy_nocanon.dpatch: Fix duplicated query string
when using nocanon option to mod_proxy. Patch courtesy of James Troup, based
on upstream cherry pick. (LP: #455873)

30. By Chuck Short on 2009-11-02

debian/patches/999_fix_mod_proxy_nocanon.dpatch: Make all proxy modules
nocanon aware and do not add the query string again in this case.
Thanks to James Troup. (LP: #455873)

29. By Chuck Short on 2009-02-13

debian/patches//101_fix-spinning-mod_proxy.dpatch: Fix mod_proxy
with SSL using all the CPU. (LP: #306293)

28. By Chuck Short on 2009-02-13

debian/patches//101_fix-spinning-mod_proxy.dpatch: Fix mod_proxy
with SSL using all the CPU. (LP: #306293)

27. By Marc Deslauriers on 2009-03-05

[ Emanuele Gentili ]
* SECURITY UPDATE:
 + debian/patches/201_security_CVE-2008-2364.dpatch (LP: #239894)
  - The ap_proxy_http_process_response function in mod_proxy_http.c
    in the mod_proxy module does not limit the number of forwarded
    interim responses, which allows remote HTTP servers to cause a
    denial of service (memory consumption) via a large number of
    interim responses.
 + References
  - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364

[ Marc Deslauriers ]
* SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
  mod_proxy_balancer
  - debian/patches/200_security_CVE-2007-6420.dpatch: generate and validate a
    nonce in modules/proxy/mod_proxy_balancer.c.
  - CVE-2007-6420
* SECURITY UPDATE: Denial of service via large number of interim responses in
  mod_proxy module (LP: #239894)
  - debian/patches/201_security_CVE-2008-2364.dpatch: updated patch to newer
    version.
  - CVE-2008-2364
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
  mod_proxy_ftp module
  - debian/patches/202_security_CVE-2008-2939.dpatch: escape the html
    contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
  - CVE-2008-2939

26. By Stefan Fritsch on 2008-01-17

* New upstream version:
  - Fixes cross-site scripting issues in
    o mod_imagemap (CVE-2007-5000)
    o mod_status (CVE-2007-6388)
    o mod_proxy_balancer's balancer manager (CVE-2007-6421)
  - Fixes a denial of service issue in mod_proxy_balancer's balancer manager
    (CVE-2007-6422).
  - Fixes mod_proxy URL encoding in error messages (closes: #337325).
  - Adds explicit charset to the output of various modules to work around
    possible cross-site scripting flaws affecting web browsers that do not
    derive the response character set as required by RFC2616. For
    mod_proxy_ftp there is now the new ProxyFtpDirCharset directive to
    specify something else than ISO-8859-1 (CVE-2008-0005).
  - Adds mod_substitute which performs inline response content pattern
    matching (including regex) and substitution (like mod_line_edit).
  - Adds "DefaultType none" option.
  - Adds new "B" option to RewriteRule to suppress URL unescaping.
  - Adds an "if" directive for mod_include to test whether an URL is
    accessible, and if so, conditionally display content.
  - Adds support for mod_ssl to the event MPM.
* Move the configuration of User, Group, and PidFile to
  /etc/apache2/envvars. This makes it easier to use these settings in
  scripts. /etc/apache2/envvars can now also be used to influence apache2ctl
  (inspired by Marc Haber's patch). (Closes: #349709, #460105, #458085)
* Make apache2ctl check the configuration syntax before trying to restart
  apache, to match the behaviour documented in the man page.
  (Closes: #459236)
* Convert docs to be directly viewable with a browser (and not use content
  negotiation).
* Add doc-base entry for the documentation. (closes: #311269)
* Don't ship default files in /var/www, but copy a sample file to
  /var/www/index.html on new installs. Also remove the now unneeded
  RedirectMatch line from sites-available/default.
  (Closes: #411774, #458093)
* Add some information to README.Debian (Apache wiki, default virtual host)
* Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary
  dependencies, easing library transitions (closes: #458857).
* Add icons for OpenDocuments, add sharutils to Build-Depends for uudecode.
  Patch by Nicolas Valcárcel. (Closes: #436441)
* Add reportbug script to list enabled modules.
* Fix some lintian warnings:
  - Pass --no-start to dh_installinit instead of omitting the debhelper token
    in various maintainer scripts. Also move the update-rc.d call to
    apache2.2-common.
  - Add Short-Description to init script.
* Remove unused apache2-mpm-prefork.prerm from source package and clean up
  debian/rules a bit.
* Don't ship NEWS.Debian with apache2-utils, as the contents are only
  relevant for the server.

25. By Soren Hansen on 2008-01-16

[ Nicolas Valcárcel ]
* Added icons for OpenDocuments by default on mime.conf
  (Closes: LP: #130836)
* Icons added to the package in uuencode format
* Added sharutils to Build-Depends on debian/control for uuencode
* debian/apache2.2-common.apache2.init:
  - Only look for *.conf files in /etc/apache2 when searching for pidfiles
    (Closes: LP: #112991) Thanks to Daniel Hahler for the patch

[ Soren Hansen ]
* Clean up after OpenDocument icon generation

24. By Martin Pitt on 2008-01-03

* Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary
  dependencies (including db4.5).
* Modify Maintainer value to match the DebianMaintainerField
  specification.