ubuntu/+source/apache2:applied/ubuntu/oneiric-updates

Last commit made on 2013-03-18
Get this branch:
git clone -b applied/ubuntu/oneiric-updates https://git.launchpad.net/ubuntu/+source/apache2
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: applied/ubuntu/oneiric-updates
Repository: lp:ubuntu/+source/apache2

Recent commits

3eb67f0... by Marc Deslauriers on 2013-03-08

Import patches-applied version 2.2.20-1ubuntu1.4 to applied/ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: e880446ebc769cd01e0d160af67448588928dd3e
Unapplied parent: b741f00c2ffd657670c7514f9d218da2d76ce4bc

New changelog entries:
  * SECURITY UPDATE: multiple cross-site scripting issues
    - debian/patches/CVE-2012-3499_4558.dpatch: properly escape html in
      modules/generators/{mod_info.c,mod_status.c},
      modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
      modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
    - CVE-2012-3499
    - CVE-2012-4558
  * SECURITY UPDATE: denial of service in mod_proxy_ajp
    - debian/patches/CVE-2012-4557.dpatch: check for timeout in
      modules/proxy/ajp_link.c, modules/proxy/mod_proxy_ajp.c.
    - CVE-2012-4557
  * SECURITY UPDATE: symlink attack in apache2ctl script
    - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
    - Thanks to Stefan Fritsch for the fix.
    - CVE-2013-1048

b741f00... by Marc Deslauriers on 2013-03-08

Import patches-unapplied version 2.2.20-1ubuntu1.4 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 57140407385d8a420289691519dda16984e3decc

New changelog entries:
  * SECURITY UPDATE: multiple cross-site scripting issues
    - debian/patches/CVE-2012-3499_4558.dpatch: properly escape html in
      modules/generators/{mod_info.c,mod_status.c},
      modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
      modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
    - CVE-2012-3499
    - CVE-2012-4558
  * SECURITY UPDATE: denial of service in mod_proxy_ajp
    - debian/patches/CVE-2012-4557.dpatch: check for timeout in
      modules/proxy/ajp_link.c, modules/proxy/mod_proxy_ajp.c.
    - CVE-2012-4557
  * SECURITY UPDATE: symlink attack in apache2ctl script
    - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
    - Thanks to Stefan Fritsch for the fix.
    - CVE-2013-1048

e880446... by Marc Deslauriers on 2012-11-06

Import patches-applied version 2.2.20-1ubuntu1.3 to applied/ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 8ecd00bd2bed2b97b220e4980fbdf38d99920e24
Unapplied parent: 57140407385d8a420289691519dda16984e3decc

New changelog entries:
  * SECURITY UPDATE: XSS vulnerability in mod_negotiation
    - debian/patches/220_CVE-2012-2687.dpatch: escape filenames in
      modules/mappers/mod_negotiation.c.
    - CVE-2012-2687
  * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
    - debian/patches/221_CVE-2012-4929.dpatch: backport SSLCompression
      on|off directive. Defaults to off as enabling compression enables the
      CRIME attack.
    - CVE-2012-4929

5714040... by Marc Deslauriers on 2012-11-06

Import patches-unapplied version 2.2.20-1ubuntu1.3 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 231b2bd2b79856b1962c53a450c2981b68152669

New changelog entries:
  * SECURITY UPDATE: XSS vulnerability in mod_negotiation
    - debian/patches/220_CVE-2012-2687.dpatch: escape filenames in
      modules/mappers/mod_negotiation.c.
    - CVE-2012-2687
  * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
    - debian/patches/221_CVE-2012-4929.dpatch: backport SSLCompression
      on|off directive. Defaults to off as enabling compression enables the
      CRIME attack.
    - CVE-2012-4929

8ecd00b... by Marc Deslauriers on 2012-02-14

Import patches-applied version 2.2.20-1ubuntu1.2 to applied/ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 9d8945a39be000f6bf56c6fe0f130680b47b57e5
Unapplied parent: 231b2bd2b79856b1962c53a450c2981b68152669

New changelog entries:
  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service via invalid cookie
    - debian/patches/217_CVE-2012-0021.dpatch: check name and value in
      modules/loggers/mod_log_config.c.
    - CVE-2012-0021
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/218_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053

231b2bd... by Marc Deslauriers on 2012-02-14

Import patches-unapplied version 2.2.20-1ubuntu1.2 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: c30faabd2e8cebf5e475d610b62670c28a394c10

New changelog entries:
  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service via invalid cookie
    - debian/patches/217_CVE-2012-0021.dpatch: check name and value in
      modules/loggers/mod_log_config.c.
    - CVE-2012-0021
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/218_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053

9d8945a... by Steve Beattie on 2011-11-07

Import patches-applied version 2.2.20-1ubuntu1.1 to applied/ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 6f4fcdec0ac37252d1506c87821896dfe40fc2f7
Unapplied parent: c30faabd2e8cebf5e475d610b62670c28a394c10

New changelog entries:
  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests. (patch courtesy of Michael Jeanson)
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/214_CVE-2011-3192_regression.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option, along
      with a staged fix for the 2.2.22 release.

c30faab... by Steve Beattie on 2011-11-07

Import patches-unapplied version 2.2.20-1ubuntu1.1 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 763661c86389830015f1f3640b02679c824b8b71

New changelog entries:
  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests. (patch courtesy of Michael Jeanson)
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/214_CVE-2011-3192_regression.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option, along
      with a staged fix for the 2.2.22 release.

6f4fcde... by Steve Beattie on 2011-09-06

Import patches-applied version 2.2.20-1ubuntu1 to applied/ubuntu/oneiric

Imported using git-ubuntu import.

Changelog parent: de2716403366616cc98729e992da2a15738b7d84
Unapplied parent: 763661c86389830015f1f3640b02679c824b8b71

New changelog entries:
  * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
    Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree
    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
      Plymouth aware passphrase dialog program ask-for-passphrase.

763661c... by Steve Beattie on 2011-09-06

Import patches-unapplied version 2.2.20-1ubuntu1 to ubuntu/oneiric

Imported using git-ubuntu import.

Changelog parent: dedd18e27f7852e11855d1c115fefc9e41b6d6ee

New changelog entries:
  * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
    Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree
    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
      Plymouth aware passphrase dialog program ask-for-passphrase.