Created by James Westby on 2009-11-06 and last modified on 2010-08-16
Get this branch:
bzr branch lp:ubuntu/hardy-proposed/apache2

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

33. By Marc Deslauriers on 2010-08-16

* debian/patches/212_sslinsecurerenegotiation-directive.dpatch: once
  openssl gets updated to fix CVE-2009-3555, server renegotiations with
  unpatched clients will fail. This patch adds the ability to revert to
  the previous unsafe behaviour with a new SSLInsecureRenegotiation
  directive. (LP: #616759)
* debian/control: add specific dependency on first openssl version to get
  CVE-2009-3555 fix.

32. By Dave Walker on 2010-05-21

debian/apache2.2-common.postinst: When dpkg-statoverride is used, the cut
delimiter has now been set to use ' ', as it was causing upgrades to fail.
(LP: #583698)

31. By Dave Walker on 2010-05-17

debian/patches/211_fix_mod_proxy_nocanon.dpatch: Fix duplicated query string
when using nocanon option to mod_proxy. Patch courtesy of James Troup, based
on upstream cherry pick. (LP: #455873)

30. By Chuck Short on 2009-11-02

debian/patches/999_fix_mod_proxy_nocanon.dpatch: Make all proxy modules
nocanon aware and do not add the query string again in this case.
Thanks to James Troup. (LP: #455873)

29. By Chuck Short on 2009-02-13

debian/patches//101_fix-spinning-mod_proxy.dpatch: Fix mod_proxy
with SSL using all the CPU. (LP: #306293)

28. By Chuck Short on 2009-02-13

debian/patches//101_fix-spinning-mod_proxy.dpatch: Fix mod_proxy
with SSL using all the CPU. (LP: #306293)

27. By Marc Deslauriers on 2009-03-05

[ Emanuele Gentili ]
 + debian/patches/201_security_CVE-2008-2364.dpatch (LP: #239894)
  - The ap_proxy_http_process_response function in mod_proxy_http.c
    in the mod_proxy module does not limit the number of forwarded
    interim responses, which allows remote HTTP servers to cause a
    denial of service (memory consumption) via a large number of
    interim responses.
 + References
  - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364

[ Marc Deslauriers ]
* SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
  - debian/patches/200_security_CVE-2007-6420.dpatch: generate and validate a
    nonce in modules/proxy/mod_proxy_balancer.c.
  - CVE-2007-6420
* SECURITY UPDATE: Denial of service via large number of interim responses in
  mod_proxy module (LP: #239894)
  - debian/patches/201_security_CVE-2008-2364.dpatch: updated patch to newer
  - CVE-2008-2364
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
  mod_proxy_ftp module
  - debian/patches/202_security_CVE-2008-2939.dpatch: escape the html
    contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
  - CVE-2008-2939

26. By Stefan Fritsch on 2008-01-17

* New upstream version:
  - Fixes cross-site scripting issues in
    o mod_imagemap (CVE-2007-5000)
    o mod_status (CVE-2007-6388)
    o mod_proxy_balancer's balancer manager (CVE-2007-6421)
  - Fixes a denial of service issue in mod_proxy_balancer's balancer manager
  - Fixes mod_proxy URL encoding in error messages (closes: #337325).
  - Adds explicit charset to the output of various modules to work around
    possible cross-site scripting flaws affecting web browsers that do not
    derive the response character set as required by RFC2616. For
    mod_proxy_ftp there is now the new ProxyFtpDirCharset directive to
    specify something else than ISO-8859-1 (CVE-2008-0005).
  - Adds mod_substitute which performs inline response content pattern
    matching (including regex) and substitution (like mod_line_edit).
  - Adds "DefaultType none" option.
  - Adds new "B" option to RewriteRule to suppress URL unescaping.
  - Adds an "if" directive for mod_include to test whether a URL is
    accessible, and if so, conditionally display content.
  - Adds support for mod_ssl to the event MPM.
* Move the configuration of User, Group, and PidFile to
  /etc/apache2/envvars. This makes it easier to use these settings in
  scripts. /etc/apache2/envvars can now also be used to influence apache2ctl
  (inspired by Marc Haber's patch). (Closes: #349709, #460105, #458085)
* Make apache2ctl check the configuration syntax before trying to restart
  apache, to match the behaviour documented in the man page.
  (Closes: #459236)
* Convert docs to be directly viewable with a browser (and not use content
* Add doc-base entry for the documentation. (closes: #311269)
* Don't ship default files in /var/www, but copy a sample file to
  /var/www/index.html on new installs. Also remove the now unneeded
  RedirectMatch line from sites-available/default.
  (Closes: #411774, #458093)
* Add some information to README.Debian (Apache wiki, default virtual host)
* Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary
  dependencies, easing library transitions (closes: #458857).
* Add icons for OpenDocuments, add sharutils to Build-Depends for uudecode.
  Patch by Nicolas Valcárcel. (Closes: #436441)
* Add reportbug script to list enabled modules.
* Fix some lintian warnings:
  - Pass --no-start to dh_installinit instead of omitting the debhelper token
    in various maintainer scripts. Also move the update-rc.d call to
  - Add Short-Description to init script.
* Remove unused apache2-mpm-prefork.prerm from source package and clean up
  debian/rules a bit.
* Don't ship NEWS.Debian with apache2-utils, as the contents are only
  relevant for the server.

25. By Soren Hansen on 2008-01-16

[ Nicolas Valcárcel ]
* Added icons for OpenDocuments by default on mime.conf
  (Closes: LP: #130836)
* Icons added to the package in uuencode format
* Added sharutils to Build-Depends on debian/control for uuencode
* debian/apache2.2-common.apache2.init:
  - Only look for *.conf files in /etc/apache2 when searching for pidfiles
    (Closes: LP: #112991) Thanks to Daniel Hahler for the patch

[ Soren Hansen ]
* Clean up after OpenDocument icon generation

24. By Martin Pitt on 2008-01-03

* Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary
  dependencies (including db4.5).
* Modify Maintainer value to match the DebianMaintainerField

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)