Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/hardy-updates/apache2

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

37. By Marc Deslauriers

* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
  directive (LP: #811422)
  - debian/patches/220_CVE-2011-3607.dpatch: validate length in
  - CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
  - debian/patches/221_CVE-2011-4317.dpatch: validate additional URIs in
    modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
  - CVE-2011-4317
* SECURITY UPDATE: denial of service and possible code execution via
  type field modification within a scoreboard shared memory segment
  - debian/patches/222_CVE-2012-0031.dpatch: check type field in
  - CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
  - debian/patches/223_CVE-2012-0053.dpatch: check lengths in
  - CVE-2012-0053

36. By Steve Beattie

[ Michael Jeanson ]
* SECURITY UPDATE: mod_proxy reverse proxy exposure
  - debian/patches/216_CVE-2011-3368.dpatch: return 400
    on invalid requests.
  - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
    0.9 protocol

[ Steve Beattie ]
* SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
  - debian/patches/213_CVE-2011-3348.dpatch: return
  - CVE-2011-3348
* Include additional fixes for regressions introduced by
  CVE-2011-3192 fixes
  - debian/patches/084_CVE-2011-3192_regression_part2.dpatch:
    take upstream fixes for byterange_filter.c through the 2.2.21
    release except for the added MaxRanges configuration option.

35. By Steve Beattie

* SECURITY UPDATE: Range header DoS vulnerability
  - debian/patches/214_CVE-2011-3192.dpatch: filter out large
    byte ranges and improve memory efficiency in handling buckets.
    (thanks to Debian and upstream)
  - CVE-2011-3192
* Include fix for regressions introduced by above patch:
  - debian/patches/084_CVE-2011-3192_regression.dpatch: return 206
    and 416 response codes where appropriate (see Debian bug 639825)

34. By Marc Deslauriers

* SECURITY UPDATE: denial of service via request that lacks a path in
  - debian/patches/213_CVE-2010-1452.dpatch: fix path handling in
  - CVE-2010-1452

33. By Marc Deslauriers

* debian/patches/212_sslinsecurerenegotiation-directive.dpatch: once
  openssl gets updated to fix CVE-2009-3555, server renegotiations with
  unpatched clients will fail. This patch adds the ability to revert to
  the previous unsafe behaviour with a new SSLInsecureRenegotiation
  directive. (LP: #616759)
* debian/control: add specific dependency on first openssl version to get
  CVE-2009-3555 fix.

32. By Dave Walker

debian/apache2.2-common.postinst: When dpkg-statoverride is used, the cut
delimiter has now been set to use ' ', as it was causing upgrades to fail.
(LP: #583698)

31. By Dave Walker

debian/patches/211_fix_mod_proxy_nocanon.dpatch: Fix duplicated query string
when using nocanon option to mod_proxy. Patch courtesy of James Troup, based
on upstream cherry pick. (LP: #455873)

30. By Chuck Short

debian/patches/999_fix_mod_proxy_nocanon.dpatch: Make all proxy modules
nocanon aware and do not add the query string again in this case.
Thanks to James Troup. (LP: #455873)

29. By Chuck Short

debian/patches/101_fix-spinning-mod_proxy.dpatch: Fix mod_proxy
with SSL using all the CPU. (LP: #306293)

28. By Chuck Short

debian/patches/101_fix-spinning-mod_proxy.dpatch: Fix mod_proxy
with SSL using all the CPU. (LP: #306293)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)