-
a4e538a...
by
Stefan Fritsch
on 2019-08-19
-
Import patches-unapplied version 2.4.25-3+deb9u8 to debian/stretch
Imported using git-ubuntu import.
Changelog parent: affacb033dd1f0938497d8551999d33159a0694a
New changelog entries:
[ Xavier Guimard ]
* Add patch to limit cross-site scripting in mod_proxy (Closes: CVE-2019-10092)
* Import http2 modules from 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10082, CVE-2019-10081)
* Add patch to set PCRE_DOTALL by default (Closes: CVE-2019-10098)
[ Stefan Fritsch ]
* Add -Werror=implicit-function-declaration to compile options to catch
problems with backports.
-
affacb0...
by
Stefan Fritsch
on 2019-04-02
-
Import patches-unapplied version 2.4.25-3+deb9u7 to debian/stretch
Imported using git-ubuntu import.
Changelog parent: b408c29c36dd316a29de39410df8cdb08a633bd0
New changelog entries:
[ Xavier Guimard ]
* CVE-2018-17199: mode_session: Fix missing check for session expiry time.
Closes: #920303
[ Stefan Fritsch ]
* mod_http2: Fix keepalive timeout behavior. This fixes a regression with
Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103
* Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
Closes: #904150
* CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies.
Closes: #920302
* CVE-2019-0196: mod_http2: Fix read after free
* CVE-2019-0211: All MPMs: privilege escalation from www-data user to root.
* CVE-2019-0217: mod_auth_digest: Access control bypass
* CVE-2019-0220: URL normalization inconsistincy.
Consecutive slashes in URL's are now merged before use in LocationMatch
and RewriteRule. The old behavior can be restored with the new directive
"MergeSlashes off".
-
b408c29...
by
Stefan Fritsch
on 2018-11-03
-
Import patches-unapplied version 2.4.25-3+deb9u6 to debian/stretch
Imported using git-ubuntu import.
Changelog parent: 5481797e2caa19e93ab07da5f13362586b9fddae
New changelog entries:
* CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106
* CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS.
Closes: #909591
* mod_proxy_fcgi: Fix segfault. Closes: #902906
-
5481797...
by
Stefan Fritsch
on 2018-06-02
-
Import patches-unapplied version 2.4.25-3+deb9u5 to debian/stretch
Imported using git-ubuntu import.
Changelog parent: 8bf2e49e6b4e62c7a67f25b37448bd4602afdda5
New changelog entries:
* Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This
fixes
- CVE-2018-1302: mod_http2: Potential crash w/ mod_http2
- Segfaults in mod_http2 (Closes: #873945)
- mod_http2 issue with option "Indexes" and directive "HeaderName"
(Closes: #850947)
Unfortunately, this also removes support for http2 when running on
mpm_prefork.
* mod_http2: Avoid high memory usage with large files, causing crashes on
32bit archs. Closes: #897218
* Make the apache-htcacheclean init script actually look into
/etc/default/apache-htcacheclean for its config. Closes: #898563
* CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap
when using too small Accept-Language values.
* CVE-2017-15715: <FilesMatch> bypass with a trailing newline in the file
name.
Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'.
* CVE-2018-1283: Tampering of mod_session data for CGI applications.
* CVE-2018-1301: Possible out of bound access after failure in reading the
HTTP request
* CVE-2018-1303: Possible out of bound read in mod_cache_socache
* CVE-2018-1312: mod_auth_digest: Weak Digest auth nonce generation
-
8bf2e49...
by
Salvatore Bonaccorso
on 2017-09-19
-
Import patches-unapplied version 2.4.25-3+deb9u3 to debian/stretch
Imported using git-ubuntu import.
Changelog parent: 2d4efdff06294a12500b0324e326f72b9aabfd3e
New changelog entries:
* Non-maintainer upload by the Security Team.
* CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
(Closes: #876109)
* CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory
-
2d4efdf...
by
Stefan Fritsch
on 2017-06-20
-
Import patches-unapplied version 2.4.25-3+deb9u1 to debian/stretch
Imported using git-ubuntu import.
Changelog parent: 7674960d2cfb46d6dd941e44384ea880155a8188
New changelog entries:
* Backport security fixes from 2.4.26:
* CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
* CVE-2017-3169: mod_ssl NULL pointer dereference
* CVE-2017-7668: Buffer overrun in ap_find_token()
* CVE-2017-7679: mod_mime buffer overread
* CVE-2017-7659: mod_http2 NULL pointer dereference
-
7674960...
by
Stefan Fritsch
on 2017-01-25
-
Import patches-unapplied version 2.4.25-3 to debian/sid
Imported using git-ubuntu import.
Changelog parent: 5838443ffdd2e4fcade4168049811f0a89641fdb
New changelog entries:
* Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
Closes: #852543
* Compile mod_bucketeer mod_case_filter mod_case_filter_in for benefit of
the test suite, but don't add *.load files because they don't have any
real-world use.
* Include the upstream test suite and a corresponding autopkgtest. This
is quite a hack but it may help quite a bit with security updates,
especially if stretch gets LTS support, too.
-
5838443...
by
Stefan Fritsch
on 2017-01-14
-
Import patches-unapplied version 2.4.25-2 to debian/sid
Imported using git-ubuntu import.
Changelog parent: e3f3b995ccda824ea1f98974400a0e8b69631687
New changelog entries:
* Activate mod_reqtimeout in new installs and during updates from
before 2.4.25-2. It was wrongly not activated in new installs since
jessie. This made the default installation vulnerable to some DoS
attacks.
* Restart htcacheclean on updates and tighten dependency on apache2-utils
to ensure that apache2-utils cannot be upgraded without apache2.
Closes: #851122
* When running on systems with systemd, make 'apache2ctl start' invoke
systemctl instead. Otherwise systemd will think apache2 is not running
and ignore further commands like reload. Closes: #839227
* Avoid segfault in mpm_event if a signal is received too soon after start.
PR 60487
* Add test for some modules to be enabled.
* Remove mention of CVE-2016-5387 in 2.4.25-1 changelog. It was already
fixed in 2.4.23-2.
-
e3f3b99...
by
Stefan Fritsch
on 2016-12-21
-
Import patches-unapplied version 2.4.25-1 to debian/sid
Imported using git-ubuntu import.
Changelog parent: d0ab85635184f1f83ca54b0a0b3298a0b72ade50
New changelog entries:
[ New upstream release ]
* Security: CVE-2016-0736:
mod_session_crypto: Authenticate the session data/cookie with a MAC to
prevent deciphering or tampering with a padding oracle attack.
* Security: CVE-2016-2161:
mod_auth_digest: Prevent segfaults during client entry allocation when the
shared memory space is exhausted.
* Security: CVE-2016-5387:
Mitigate [f]cgi "httpoxy" issues.
* Security: CVE-2016-8740:
mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
Closes: #847124
* Security: CVE-2016-8743:
Enforce HTTP request grammar corresponding to RFC7230 for request lines
and request headers, to prevent response splitting and cache pollution by
malicious clients or downstream proxies.
* The stricter HTTP enforcement may cause compatibility problems with
non-conforming clients. Fine-tuning is possible with the new
HttpProtocolOptions directive.
* mpm_event: Fix "scoreboard full" errors. Closes: #834708 LP: #1466926
* mod_http2: Many fixes and support for early pushes using the new
H2PushResource directive.
[ Stefan Fritsch ]
* Switch to debhelper compatibility level 9.
-
d0ab856...
by
Stefan Fritsch
on 2016-11-19
-
Import patches-unapplied version 2.4.23-8 to debian/sid
Imported using git-ubuntu import.
Changelog parent: 4e4d3675b4d968da9149885326d2a14d661aeef0
New changelog entries:
* Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
new package apache2-ssl-dev. Packages that interface with openssl
state from mod_ssl must build-depend on this new package.
This will help to disentangle the build-deps in the openssl transition.
Closes: #845033
