lp:ubuntu/lucid-updates/apache2
- Get this branch:
- bzr branch lp:ubuntu/lucid-updates/apache2
Recent revisions
- 69. By Chuck Short
  debian/patches/99-fix-mod-dav-permissions.dpatch: Fix webdav permissions,
  backported from trunk. Thanks to James M. Leady (LP: #540747)
- 68. By Marc Deslauriers
  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/218_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053
- 67. By Steve Beattie
  [ Michael Jeanson ]
  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests.
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
      0.9 protocol
    - CVE-2011-3368

  [ Steve Beattie ]
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * SECURITY UPDATE: mpm-itk failure to drop privileges in certain
    configurations
    - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge
      configurations correctly
    - CVE-2011-1176
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/215_CVE-2011-3192_regression_part2.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option along
      with a fix staged for 2.2.22.
- 66. By Steve Beattie
  * SECURITY UPDATE: Range header DoS vulnerability
    - debian/patches/207_CVE-2011-3192.dpatch: filter out large
      byte ranges and improve memory efficiency in handling buckets.
      (thanks to Debian and upstream)
    - CVE-2011-3192
  * Include fix for regressions introduced by above patch:
    - debian/patches/208_CVE-2011-3192_regression.dpatch: return 206
      and 416 response codes where appropriate (see Debian bug 639825)
- 65. By Marc Deslauriers
  * SECURITY UPDATE: denial of service via request that lacks a path in
    mod_cache and mod_dav.
    - debian/patches/201_CVE-2010-1452.dpatch: fix path handling in
      modules/cache/cache_storage.c and modules/dav/main/util.c.
    - CVE-2010-1452
- 64. By Chuck Short
  * debian/apache2.2-common.postinst: Don't fail if you can load the reqtimeout module.
    (LP: #621837)
  * debian/patches/ Backport fix for upstream bug PR 45444: https://issues.apache.org/bugzilla/show_bug.cgi?id=45444. (LP: #609290, #589611, #595116)
- 63. By Marc Deslauriers
  * debian/patches/211-sslinsecurerenegotiation-directive.dpatch: once
    openssl gets updated to fix CVE-2009-3555, server renegotiations with
    unpatched clients will fail. This patch adds the ability to revert to
    the previous unsafe behaviour with a new SSLInsecureRenegotiation
    directive. (LP: #616759)
  * debian/control: add specific dependency on first openssl version to get
    CVE-2009-3555 fix.
- 62. By Chuck Short
  debian/patches/upstream-fix-for-lp-609290.patch: Backport fix for upstream bug PR 45444.
  https://issues.apache.org/bugzilla/show_bug.cgi?id=45444. (LP: #609290, #589611, #595116)
- 61. By Chuck Short
  debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
  (LP: #562370)
- 60. By Chuck Short
  * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
    leaks by making sure to not destroy bucket brigades that have been created
    by earlier filters. Backported from 2.2.15.
  * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
    has reached MaxClients until it has. Backported from 2.2.15
  * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
    more secure by adding Satisfy all. (Debian bug: #572075)
  * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
    debian/config2-dir/mods-available/reqtimeout.load,
    debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS: Backport the
    mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
    bug in apache. Enable it by default. (LP: #392759)
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/natty/apache2