ubuntu/+source/apache2:applied/debian/squeeze

Last commit made on 2014-02-15
Get this branch:
git clone -b applied/debian/squeeze https://git.launchpad.net/ubuntu/+source/apache2
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: applied/debian/squeeze
Repository: lp:ubuntu/+source/apache2

Recent commits

8adbf86... by Stefan Fritsch on 2014-01-28

Import patches-applied version 2.2.16-6+squeeze12 to applied/debian/squeeze

Imported using git-ubuntu import.

Changelog parent: 69800bbe6560e576198da5696274a3bd5a7a5fd2
Unapplied parent: 395caec61eed3a87e9c527b7258b90bccabcf642

New changelog entries:
  * Security: CVE-2013-1862: mod_rewrite: Ensure that client data written to
    the RewriteLog is escaped to prevent terminal escape sequences from
    entering the log file. Closes: #722333
  * Security: CVE-2013-1896: mod_dav: denial of service via MERGE request.
    Closes: #717272
  * mod_dav: Fix segfaults in certain error conditions.
    https://issues.apache.org/bugzilla/show_bug.cgi?id=52559

395caec... by Stefan Fritsch on 2014-01-28

Import patches-unapplied version 2.2.16-6+squeeze12 to debian/squeeze

Imported using git-ubuntu import.

Changelog parent: b06a71bf8a3f0f36a32fc76ad16f8a5df2f2b202

New changelog entries:
  * Security: CVE-2013-1862: mod_rewrite: Ensure that client data written to
    the RewriteLog is escaped to prevent terminal escape sequences from
    entering the log file. Closes: #722333
  * Security: CVE-2013-1896: mod_dav: denial of service via MERGE request.
    Closes: #717272
  * mod_dav: Fix segfaults in certain error conditions.
    https://issues.apache.org/bugzilla/show_bug.cgi?id=52559

69800bb... by Stefan Fritsch on 2013-03-03

Import patches-applied version 2.2.16-6+squeeze11 to applied/debian/squeeze

Imported using git-ubuntu import.

Changelog parent: d5298206840ea81aec32b2379a6a01f588dba3d4
Unapplied parent: b06a71bf8a3f0f36a32fc76ad16f8a5df2f2b202

New changelog entries:
  * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
  * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.

b06a71b... by Stefan Fritsch on 2013-03-03

Import patches-unapplied version 2.2.16-6+squeeze11 to debian/squeeze

Imported using git-ubuntu import.

Changelog parent: a19e92e13d0116d23f19f7ceaecddacfd1cea929

New changelog entries:
  * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
  * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.

d529820... by Stefan Fritsch on 2012-11-30

Import patches-applied version 2.2.16-6+squeeze10 to applied/debian/squeeze

Imported using git-ubuntu import.

Changelog parent: 84c4464dc9494671752a35d817a8331f413e3593
Unapplied parent: a19e92e13d0116d23f19f7ceaecddacfd1cea929

New changelog entries:
  [ Arno Töll ]
  * Backport disable-ssl-compression.patch from Wheezy. This patch disabled
    SSL compression upon request by introducing a "Compression on|off"
    directive to mod_ssl. This is to mitigate impact of CRIME attacks to SSL -
    which is a browser issue, however.
    See also Debian bug #674142 and #689936.
  [ Stefan Fritsch ]
  * CVE-2012-4557: mod_proxy_ajp: Remote denial of service (temporary, until
    mod_proxy_ajp's retry timeout expired).

a19e92e... by Stefan Fritsch on 2012-11-30

Import patches-unapplied version 2.2.16-6+squeeze10 to debian/squeeze

Imported using git-ubuntu import.

Changelog parent: 293f5290bd23699e1f5ed73442483d6cf7de2984

New changelog entries:
  [ Arno Töll ]
  * Backport disable-ssl-compression.patch from Wheezy. This patch disabled
    SSL compression upon request by introducing a "Compression on|off"
    directive to mod_ssl. This is to mitigate impact of CRIME attacks to SSL -
    which is a browser issue, however.
    See also Debian bug #674142 and #689936.
  [ Stefan Fritsch ]
  * CVE-2012-4557: mod_proxy_ajp: Remote denial of service (temporary, until
    mod_proxy_ajp's retry timeout expired).

84c4464... by Stefan Fritsch on 2012-09-09

Import patches-applied version 2.2.16-6+squeeze8 to applied/debian/squeeze

Imported using git-ubuntu import.

Changelog parent: fb0dd7b8f7106a463cfba1a78927b87861364642
Unapplied parent: 293f5290bd23699e1f5ed73442483d6cf7de2984

New changelog entries:
  * CVE-2012-2687: mod_negotiation: Escape filenames in variant list to
    prevent a possible XSS vulnerability for a site where untrusted users
    can upload files to a location with MultiViews enabled.
  * Send 408 status instead of 400 if reading of a request fails with a
    timeout. This allows browsers to retry. Closes: #677086
  * mod_cache: Prevent Partial Content responses from being cached and served
    as normal response. Closes: #671204
  * mpm_itk: Fix an issue where users can sometimes get spurious 403s on
    persistent connections. Closes: #672333

293f529... by Stefan Fritsch on 2012-09-09

Import patches-unapplied version 2.2.16-6+squeeze8 to debian/squeeze

Imported using git-ubuntu import.

Changelog parent: a509e38c1585e805a22b333715871a8e5064a40a

New changelog entries:
  * CVE-2012-2687: mod_negotiation: Escape filenames in variant list to
    prevent a possible XSS vulnerability for a site where untrusted users
    can upload files to a location with MultiViews enabled.
  * Send 408 status instead of 400 if reading of a request fails with a
    timeout. This allows browsers to retry. Closes: #677086
  * mod_cache: Prevent Partial Content responses from being cached and served
    as normal response. Closes: #671204
  * mpm_itk: Fix an issue where users can sometimes get spurious 403s on
    persistent connections. Closes: #672333

fb0dd7b... by Stefan Fritsch on 2012-03-31

Import patches-applied version 2.2.16-6+squeeze7 to applied/debian/squeeze

Imported using git-ubuntu import.

Changelog parent: 1bfbc10ddd55a9dba5395f05e1eca90f7d254cd1
Unapplied parent: a509e38c1585e805a22b333715871a8e5064a40a

New changelog entries:
  * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
    hosts' config files.
    If scripting modules like mod_php or mod_rivet are enabled on systems
    where either 1) some frontend server forwards connections to an apache2
    backend server on the localhost address, or 2) the machine running
    apache2 is also used for web browsing, this could allow a remote
    attacker to execute example scripts stored under /usr/share/doc.
    Depending on the installed packages, this could lead to issues like cross
    site scripting, code execution, or leakage of sensitive data.
  * Rebuild with distribution set to squeeze-security.
  * Prevent unintended pattern expansion in some reverse proxy
    configurations by strictly validating the request-URI. Fixes
    CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
  * CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local
    privilege escalation.
  * CVE-2012-0031: Fix client process being able to crash parent process
    during shutdown.
  * CVE-2012-0053: Fix an issue in code 400 error responses that could expose
    "httpOnly" cookies.

a509e38... by Stefan Fritsch on 2012-03-31

Import patches-unapplied version 2.2.16-6+squeeze7 to debian/squeeze

Imported using git-ubuntu import.

Changelog parent: 061ab79d334cbd98b20c49994612c275a8cc01c6

New changelog entries:
  * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
    hosts' config files.
    If scripting modules like mod_php or mod_rivet are enabled on systems
    where either 1) some frontend server forwards connections to an apache2
    backend server on the localhost address, or 2) the machine running
    apache2 is also used for web browsing, this could allow a remote
    attacker to execute example scripts stored under /usr/share/doc.
    Depending on the installed packages, this could lead to issues like cross
    site scripting, code execution, or leakage of sensitive data.
  * Rebuild with distribution set to squeeze-security.
  * Prevent unintended pattern expansion in some reverse proxy
    configurations by strictly validating the request-URI. Fixes
    CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
  * CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local
    privilege escalation.
  * CVE-2012-0031: Fix client process being able to crash parent process
    during shutdown.
  * CVE-2012-0053: Fix an issue in code 400 error responses that could expose
    "httpOnly" cookies.