ubuntu/+source/apache2:applied/debian/lenny

Last commit made on 2012-03-10
Get this branch:
git clone -b applied/debian/lenny https://git.launchpad.net/ubuntu/+source/apache2
Branch information

Name:
applied/debian/lenny
Repository:
lp:ubuntu/+source/apache2

Recent commits

bcda8a1... by Stefan Fritsch on 2012-02-05

Import patches-applied version 2.2.9-10+lenny12 to applied/debian/lenny

Imported using git-ubuntu import.

Changelog parent: 9ecb7b754570f35d5e823dfb557ff6a5107ada66
Unapplied parent: 5f8cb05538217c8aafa57310d7bd5ce0dbe01736

New changelog entries:
  * Prevent unintended pattern expansion in some reverse proxy
    configurations by strictly validating the request-URI. Fixes
    CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
  * CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local
    privilege escalation.
  * CVE-2012-0031: Fix client process being able to crash parent process
    during shutdown.
  * CVE-2012-0053: Fix an issue in code 400 error responses that could expose
    "httpOnly" cookies.

5f8cb05... by Stefan Fritsch on 2012-02-05

Import patches-unapplied version 2.2.9-10+lenny12 to debian/lenny

Imported using git-ubuntu import.

Changelog parent: 2d405ec019c68ebd88ee66c4f910627555922d12

New changelog entries:
  * Prevent unintended pattern expansion in some reverse proxy
    configurations by strictly validating the request-URI. Fixes
    CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
  * CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local
    privilege escalation.
  * CVE-2012-0031: Fix client process being able to crash parent process
    during shutdown.
  * CVE-2012-0053: Fix an issue in code 400 error responses that could expose
    "httpOnly" cookies.

9ecb7b7... by Stefan Fritsch on 2011-09-04

Import patches-applied version 2.2.9-10+lenny11 to applied/debian/lenny

Imported using git-ubuntu import.

Changelog parent: f4bd67d640e5cbd779101e3c2ba157884c5871be
Unapplied parent: 2d405ec019c68ebd88ee66c4f910627555922d12

New changelog entries:
  * Fix regressions related to range requests introduced by 2.2.9-10+lenny10.
    Closes: #639825
  * Fix CVE-2011-3192: DoS by high memory usage for a large number of
    overlapping ranges.
  * Fix CVE-2010-1452: Crash in mod_dav.

2d405ec... by Stefan Fritsch on 2011-09-04

Import patches-unapplied version 2.2.9-10+lenny11 to debian/lenny

Imported using git-ubuntu import.

Changelog parent: 6d0a2f0655efb6029e666064dbf2a9ad3c70149a

New changelog entries:
  * Fix regressions related to range requests introduced by 2.2.9-10+lenny10.
    Closes: #639825
  * Fix CVE-2011-3192: DoS by high memory usage for a large number of
    overlapping ranges.
  * Fix CVE-2010-1452: Crash in mod_dav.

f4bd67d... by Stefan Fritsch on 2010-12-11

Import patches-applied version 2.2.9-10+lenny9 to applied/debian/lenny

Imported using git-ubuntu import.

Changelog parent: 99e9a701cad02e4955ab9d34a8a59a5f2f314763
Unapplied parent: 6d0a2f0655efb6029e666064dbf2a9ad3c70149a

New changelog entries:
  * Add the new SSLInsecureRenegotiation directive to configure if clients
    that have not been patched to support secure renegotiation (RFC 5746)
    are allowed to connect (CVE-2009-3555).
    Together with the recent openssl upgrade, this closes: #587037
    This upgrade also adds support for the SSL_SECURE_RENEG variable, to
    allow testing if secure renegotiation is supported by the client.

6d0a2f0... by Stefan Fritsch on 2010-12-11

Import patches-unapplied version 2.2.9-10+lenny9 to debian/lenny

Imported using git-ubuntu import.

Changelog parent: bb934921ee4652dd952518e5c7ef99adfd73e5c1

New changelog entries:
  * Add the new SSLInsecureRenegotiation directive to configure if clients
    that have not been patched to support secure renegotiation (RFC 5746)
    are allowed to connect (CVE-2009-3555).
    Together with the recent openssl upgrade, this closes: #587037
    This upgrade also adds support for the SSL_SECURE_RENEG variable, to
    allow testing if secure renegotiation is supported by the client.

99e9a70... by Stefan Fritsch on 2010-04-19

Import patches-applied version 2.2.9-10+lenny8 to applied/debian/lenny

Imported using git-ubuntu import.

Changelog parent: 1218550870e157ace8277c77884e5951b2653bbe
Unapplied parent: bb934921ee4652dd952518e5c7ef99adfd73e5c1

New changelog entries:
  * Add missing psmisc dependency for killall used in the init script.
    Closes: #568542
  * Fix potential memory leaks related to the usage of apr_brigade_destroy().
  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2010-0408: denial of service via crafted request in mod_proxy_ajp
  * Fixed CVE-2010-0434: information disclosure via improper handling of
    headers in subrequests

bb93492... by Stefan Fritsch on 2010-04-19

Import patches-unapplied version 2.2.9-10+lenny8 to debian/lenny

Imported using git-ubuntu import.

Changelog parent: 663a29e3a9cb70e3042292eba09ec6f0119d9a7f

New changelog entries:
  * Add missing psmisc dependency for killall used in the init script.
    Closes: #568542
  * Fix potential memory leaks related to the usage of apr_brigade_destroy().
  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2010-0408: denial of service via crafted request in mod_proxy_ajp
  * Fixed CVE-2010-0434: information disclosure via improper handling of
    headers in subrequests

1218550... by Stefan Fritsch on 2009-11-14

Import patches-applied version 2.2.9-10+lenny6 to applied/debian/lenny

Imported using git-ubuntu import.

Changelog parent: c333fad42835c64ef4bfa39ddaea613124896909
Unapplied parent: 663a29e3a9cb70e3042292eba09ec6f0119d9a7f

New changelog entries:
  * Security:
    - Reject any client-initiated SSL/TLS renegotiations. This is a partial fix
      for the TLS renegotiation prefix injection attack (CVE-2009-3555).
      Any configuration which requires renegotiation for per-directory/location
      access control or uses "SSLVerifyClient optional" is still vulnerable.
  * Minor security fixes in mod_proxy_ftp (closes: #545951):
    - DoS by malicious ftp server (CVE-2009-3094)
    - missing input sanitization: a user could execute arbitrary ftp commands
      on the backend ftp server (CVE-2009-3095)
  * Fix segfault in legacy ap_r* API which is triggered more often since
    the fix for CVE-2009-1891 was applied (closes: #537665).
  * Take care to not override existing index.shtml files when upgrading from
    before 2.2.8-1 (closes: #517089).
  * mod_deflate: Fix invalid etag to be emitted for on-the-fly gzip
    content-encoding. This prevented apache from sending "304 NOT MODIFIED"
    responses for compressed content.
  * mod_rewrite: Fix "B" flag breakage (closes: #524268)
  * Properly declare that apache2-suexec* replace files in old versions of
    apache2.2-common (closes: #528951).
  * Remove other_vhosts_access.log on package purge.

663a29e... by Stefan Fritsch on 2009-11-14

Import patches-unapplied version 2.2.9-10+lenny6 to debian/lenny

Imported using git-ubuntu import.

Changelog parent: a5821d9b3b93174bbe9e7b6c7eadd9771c4e1a5d

New changelog entries:
  * Security:
    - Reject any client-initiated SSL/TLS renegotiations. This is a partial fix
      for the TLS renegotiation prefix injection attack (CVE-2009-3555).
      Any configuration which requires renegotiation for per-directory/location
      access control or uses "SSLVerifyClient optional" is still vulnerable.
  * Minor security fixes in mod_proxy_ftp (closes: #545951):
    - DoS by malicious ftp server (CVE-2009-3094)
    - missing input sanitization: a user could execute arbitrary ftp commands
      on the backend ftp server (CVE-2009-3095)
  * Fix segfault in legacy ap_r* API which is triggered more often since
    the fix for CVE-2009-1891 was applied (closes: #537665).
  * Take care to not override existing index.shtml files when upgrading from
    before 2.2.8-1 (closes: #517089).
  * mod_deflate: Fix invalid etag to be emitted for on-the-fly gzip
    content-encoding. This prevented apache from sending "304 NOT MODIFIED"
    responses for compressed content.
  * mod_rewrite: Fix "B" flag breakage (closes: #524268)
  * Properly declare that apache2-suexec* replace files in old versions of
    apache2.2-common (closes: #528951).
  * Remove other_vhosts_access.log on package purge.