lp:ubuntu/lucid-security/apache2

Created by James Westby on 2011-01-21 and last modified on 2012-02-16
Get this branch:
bzr branch lp:ubuntu/lucid-security/apache2
Members of Ubuntu branches can upload to this branch.

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

66. By Marc Deslauriers on 2012-02-14

* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
  directive (LP: #811422)
  - debian/patches/215_CVE-2011-3607.dpatch: validate length in
    server/util.c.
  - CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
  - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
    modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
    server/protocol.c.
  - CVE-2011-4317
* SECURITY UPDATE: denial of service and possible code execution via
  type field modification within a scoreboard shared memory segment
  - debian/patches/218_CVE-2012-0031.dpatch: check type field in
    server/scoreboard.c.
  - CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
  - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
    server/protocol.c.
  - CVE-2012-0053

65. By Steve Beattie on 2011-11-02

[ Michael Jeanson ]
* SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
  - debian/patches/212_CVE-2011-3368.dpatch: return 400
    on invalid requests.
  - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
    0.9 protocol
  - CVE-2011-3368

[ Steve Beattie ]
* SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
  - debian/patches/213_CVE-2011-3348.dpatch: return
    HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
  - CVE-2011-3348
* SECURITY UPDATE: mpm-itk failure to drop privileges in certain
  configurations
  - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge
    configurations correctly
  - CVE-2011-1176
* Include additional fixes for regressions introduced by
  CVE-2011-3192 fixes
  - debian/patches/215_CVE-2011-3192_regression_part2.dpatch:
    take upstream fixes for byterange_filter.c through the 2.2.21
    release except for the added MaxRanges configuration option along
    with a fix staged for 2.2.22.

64. By Steve Beattie on 2011-09-01

* SECURITY UPDATE: Range header DoS vulnerability
  - debian/patches/207_CVE-2011-3192.dpatch: filter out large
    byte ranges and improve memory efficiency in handling buckets.
    (thanks to Debian and upstream)
  - CVE-2011-3192
* Include fix for regressions introduced by above patch:
  - debian/patches/208_CVE-2011-3192_regression.dpatch: return 206
    and 416 response codes where appropriate (see Debian bug 639825)

63. By Marc Deslauriers on 2010-11-18

* SECURITY UPDATE: denial of service via request that lacks a path in
  mod_cache and mod_dav.
  - debian/patches/201_CVE-2010-1452.dpatch: fix path handling in
    modules/cache/cache_storage.c and modules/dav/main/util.c.
  - CVE-2010-1452

62. By Marc Deslauriers on 2010-08-18

* debian/patches/211-sslinsecurerenegotiation-directive.dpatch: once
  openssl gets updated to fix CVE-2009-3555, server renegotiations with
  unpatched clients will fail. This patch adds the ability to revert to
  the previous unsafe behaviour with a new SSLInsecureRenegotiation
  directive. (LP: #616759)
* debian/control: add specific dependency on first openssl version to get
  CVE-2009-3555 fix.

61. By Chuck Short on 2010-04-13

debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
(LP: #562370)

60. By Chuck Short on 2010-04-05

* debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
  leaks by making sure to not destroy bucket brigades that have been created
  by earlier filters. Backported from 2.2.15.
* debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
  has reached MaxClients until it has. Backported from 2.2.15.
* debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
  more secure by adding Satisfy all. (Debian bug: #572075)
* debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
  debian/config2-dir/mods-available/reqtimeout.load,
  debian/config2-dir/mods-available/reqtimeout.conf, debian/NEWS: Backport the
  mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
  bug in apache. Enable it by default. (LP: #392759)

59. By Chuck Short on 2010-03-30

debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)

58. By Chuck Short on 2010-03-30

Revert 99-fix-mod-dav-permissions.dpatch

57. By Chuck Short on 2010-03-29

* debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permissions when
  downloading files from webdav (LP: #540747)
* debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/natty/apache2