ubuntu/+source/apache2:applied/ubuntu/hardy-updates

Last commit made on 2013-03-18
Get this branch:
git clone -b applied/ubuntu/hardy-updates https://git.launchpad.net/ubuntu/+source/apache2
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name:
applied/ubuntu/hardy-updates
Repository:
lp:ubuntu/+source/apache2

Recent commits

c15a18d... by Marc Deslauriers on 2013-03-08

Import patches-applied version 2.2.8-1ubuntu0.25 to applied/ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: f5cd9d662656049126ad4ec5ecca8125c227593a
Unapplied parent: d86de406547b2f6ce2ef95365778a8b2b7c0f28b

New changelog entries:
  * SECURITY UPDATE: multiple cross-site scripting issues
    - debian/patches/CVE-2012-3499_4558.dpatch: properly escape html in
      modules/generators/{mod_info.c,mod_status.c},
      modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
      modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
    - CVE-2012-3499
    - CVE-2012-4558
  * SECURITY UPDATE: denial of service in mod_proxy_ajp
    - debian/patches/CVE-2012-4557.dpatch: check for timeout in
      modules/proxy/ajp_link.c, modules/proxy/mod_proxy_ajp.c.
    - CVE-2012-4557
  * SECURITY UPDATE: symlink attack in apache2ctl script
    - debian/patches/CVE-2013-1048.dpatch: introduce and use a safer
      mkdir_chown() function in support/apachectl.in.
    - CVE-2013-1048

d86de40... by Marc Deslauriers on 2013-03-08

Import patches-unapplied version 2.2.8-1ubuntu0.25 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: d725bb399220ff3ce740ff83cf22ddb3c5c3c035

New changelog entries:
  * SECURITY UPDATE: multiple cross-site scripting issues
    - debian/patches/CVE-2012-3499_4558.dpatch: properly escape html in
      modules/generators/{mod_info.c,mod_status.c},
      modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
      modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
    - CVE-2012-3499
    - CVE-2012-4558
  * SECURITY UPDATE: denial of service in mod_proxy_ajp
    - debian/patches/CVE-2012-4557.dpatch: check for timeout in
      modules/proxy/ajp_link.c, modules/proxy/mod_proxy_ajp.c.
    - CVE-2012-4557
  * SECURITY UPDATE: symlink attack in apache2ctl script
    - debian/patches/CVE-2013-1048.dpatch: introduce and use a safer
      mkdir_chown() function in support/apachectl.in.
    - CVE-2013-1048

f5cd9d6... by Marc Deslauriers on 2012-11-06

Import patches-applied version 2.2.8-1ubuntu0.24 to applied/ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: 084a86aaed45367a1c044180448d5e201a0a0b50
Unapplied parent: d725bb399220ff3ce740ff83cf22ddb3c5c3c035

New changelog entries:
  * SECURITY UPDATE: XSS vulnerability in mod_negotiation
    - debian/patches/224_CVE-2012-2687.dpatch: escape filenames in
      modules/mappers/mod_negotiation.c.
    - CVE-2012-2687
  * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
    - debian/patches/225_CVE-2012-4929.dpatch: backport SSLCompression
      on|off directive. Defaults to off as enabling compression enables the
      CRIME attack.
    - CVE-2012-4929

d725bb3... by Marc Deslauriers on 2012-11-06

Import patches-unapplied version 2.2.8-1ubuntu0.24 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: 310b995976af5c00298bdc4a2adf9ac8ea4fbf21

New changelog entries:
  * SECURITY UPDATE: XSS vulnerability in mod_negotiation
    - debian/patches/224_CVE-2012-2687.dpatch: escape filenames in
      modules/mappers/mod_negotiation.c.
    - CVE-2012-2687
  * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
    - debian/patches/225_CVE-2012-4929.dpatch: backport SSLCompression
      on|off directive. Defaults to off as enabling compression enables the
      CRIME attack.
    - CVE-2012-4929

084a86a... by Marc Deslauriers on 2012-02-14

Import patches-applied version 2.2.8-1ubuntu0.23 to applied/ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: cc786df5528d0f4c2a992999b791cc86b58a30ea
Unapplied parent: 310b995976af5c00298bdc4a2adf9ac8ea4fbf21

New changelog entries:
  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/220_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/221_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/222_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/223_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053

310b995... by Marc Deslauriers on 2012-02-14

Import patches-unapplied version 2.2.8-1ubuntu0.23 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: 7bc6008598299d3b87f9f5fc2d26e30ca6f2c1e9

New changelog entries:
  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/220_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/221_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/222_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/223_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053

cc786df... by Steve Beattie on 2011-11-03

Import patches-applied version 2.2.8-1ubuntu0.22 to applied/ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: e6f96c659a330d04a4b4cea3e3ca02378f47e25c
Unapplied parent: 7bc6008598299d3b87f9f5fc2d26e30ca6f2c1e9

New changelog entries:
  [ Michael Jeanson ]
  * SECURITY UPDATE: mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-3368.dpatch: return 400
      on invalid requests.
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
      0.9 protocol
  [ Steve Beattie ]
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/084_CVE-2011-3192_regression_part2.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option.

7bc6008... by Steve Beattie on 2011-11-03

Import patches-unapplied version 2.2.8-1ubuntu0.22 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: 5c1468239cbb8fc9a42c807505a1377d411d5d72

New changelog entries:
  [ Michael Jeanson ]
  * SECURITY UPDATE: mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-3368.dpatch: return 400
      on invalid requests.
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
      0.9 protocol
  [ Steve Beattie ]
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/084_CVE-2011-3192_regression_part2.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option.

e6f96c6... by Steve Beattie on 2011-09-01

Import patches-applied version 2.2.8-1ubuntu0.21 to applied/ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: 08758f68841059057c245d33f8e708314f7c26e0
Unapplied parent: 5c1468239cbb8fc9a42c807505a1377d411d5d72

New changelog entries:
  * SECURITY UPDATE: Range header DoS vulnerability
    - debian/patches/214_CVE-2011-3192.dpatch: filter out large
      byte ranges and improve memory efficiency in handling buckets.
      (thanks to Debian and upstream)
    - CVE-2011-3192
  * Include fix for regressions introduced by above patch:
    - debian/patches/084_CVE-2011-3192_regression.dpatch: return 206
      and 416 response codes where appropriate (see debian bug 639825)

5c14682... by Steve Beattie on 2011-09-01

Import patches-unapplied version 2.2.8-1ubuntu0.21 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: 6a4751c418b12bedec5681c8545a4cade9faa2ec

New changelog entries:
  * SECURITY UPDATE: Range header DoS vulnerability
    - debian/patches/214_CVE-2011-3192.dpatch: filter out large
      byte ranges and improve memory efficiency in handling buckets.
      (thanks to Debian and upstream)
    - CVE-2011-3192
  * Include fix for regressions introduced by above patch:
    - debian/patches/084_CVE-2011-3192_regression.dpatch: return 206
      and 416 response codes where appropriate (see debian bug 639825)