Last commit made on 2015-09-05
Get this branch:
git clone -b debian/wheezy https://git.launchpad.net/ubuntu/+source/apache2

Recent commits

7b83b89... by Stefan Fritsch on 2015-08-18

Import patches-unapplied version 2.2.22-13+deb7u6 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 97530c3b6f2d0f0a60edb1b22ea9245fb03db6f8

New changelog entries:
  * Fix regression causing spurious errors when loading certificate chain.
    Closes: #794383
  * CVE-2015-3183: Fix request smuggling via chunked transfer encoding.
    Backported by Marc Deslauriers.
  * Don't limit default DH parameters to 1024 bits. Closes: #780398
    This may cause problems with some Java based clients. A work-around is to
    configure these clients not to use DHE key exchange but use ECDHE or RSA.
    A server-side work-around that limits the DH parameters to 1024 bits for
    all clients is described at
    http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh .
  * Backport support for adding DH parameters to the SSLCertificateFile.

97530c3... by Stefan Fritsch on 2014-12-23

Import patches-unapplied version 2.2.22-13+deb7u4 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 85e848a0ab957dda3674feaeefaab516e9eaaaee

New changelog entries:
  * CVE-2013-5704: Fix handling of chunk trailers. A remote attacker could
    use this flaw to bypass intended mod_headers restrictions, allowing
    them to send requests to applications that include headers that should
    have been removed by mod_headers.
    The new behavior is to not merge trailers into the headers automatically.
    A new directive "MergeTrailers" is introduced to restore the old
  * Fix hostname comparison with SNI to be case insensitive. Closes: #771199
  * Fix value of SSL_CLIENT_S_DN_UID in mod_ssl (broken in 2.2.15).
    Closes: #773841
  * Add paragraph about session ticket key life-time and forward secrecy to
    README.Debian. Closes: #762619

85e848a... by Stefan Fritsch on 2014-07-23

Import patches-unapplied version 2.2.22-13+deb7u3 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: ef425a217470d1a0c2bf4d02fe509ade919a8ac7

New changelog entries:
  * CVE-2014-0226: Fix a race condition in scoreboard handling,
    which could lead to a heap buffer overflow.
  * CVE-2014-0231: mod_cgid: Fix a denial of service against CGI scripts
    that do not consume stdin that could lead to lingering HTTPD child
    processes filling up the scoreboard and eventually hanging the server.
    By default, the client I/O timeout (Timeout directive) now applies to
    communication with scripts. The CGIDScriptTimeout directive can be
    used to set a different timeout for communication with scripts.
  * CVE-2014-0118: mod_deflate: The DEFLATE input filter (inflates request
    bodies) now limits the length and compression ratio of inflated request
    bodies to avoid denial of service via highly compressed bodies.
    By default, LimitRequestBody is applied after decompression. Fine-tuning
    is possible with the new directives DeflateInflateLimitRequestBody,
    DeflateInflateRatioLimit, and DeflateInflateRatioBurst.

ef425a2... by Stefan Fritsch on 2014-05-25

Import patches-unapplied version 2.2.22-13+deb7u2 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 5cd2ed1d954019b9b9aaeda4705980a55c17e548

New changelog entries:
  * Backport support for SSL ECC keys and ECDH ciphers.
    Bump build-dependency for libssl-dev to 1.0.1e-2+deb7u8 to get the
    compatibility fix for older Safari browsers. Apache2 will still
    run with older libssl-1.0.0 but without the compatibility fix.
    In case of problems, see README.Debian.
  * CVE-2013-6438: mod_dav: Fix potential denial of service from
    specifically crafted DAV WRITE requests.
  * mod_log_config: Fix a bug that cookies whose values contain '=' would
    only be logged partially. This is related to CVE-2014-0098, but Apache
    2.2.22 is not vulnerable to this issue.
  * mod_proxy: Fix crashes under high load with threaded mpms.

5cd2ed1... by Stefan Fritsch on 2014-01-31

Import patches-unapplied version 2.2.22-13+deb7u1 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 94efc73d1c3fe78eb17388aa764c1c01d13cb49a

New changelog entries:
  Low impact security fixes:
  * CVE-2013-1862: mod_rewrite: Ensure that client data written to the
    RewriteLog is escaped to prevent terminal escape sequences from entering
    the log file. Closes: #722333
  * CVE-2013-1896: mod_dav: denial of service via MERGE request.
    Closes: #717272
  * mod_dav: Fix segfaults in certain error conditions.
  * Make apache2ctl create the necessary directories even if started with
    special options for apache2. Closes: #731531
  * Adjust paragraph in README.Debian about MaxMemFree not working properly.
    The issue has been fixed with apr 1.4.5-1.

94efc73... by Stefan Fritsch on 2013-03-04

Import patches-unapplied version 2.2.22-13 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 8a9a8e88f9bd48f8bc98c898bb937c1faa75788b

New changelog entries:
  [ Stefan Fritsch ]
  * Urgency medium for security fixes.
  * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
  * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.
  * mod_log_forensic: Fix spurious '-' characters being logged, causing
    false positives. Closes: #693292
  [ Arno Töll ]
  * Document APACHE_ARGUMENTS in envvars (Closes: #693299)

8a9a8e8... by Arno Töll on 2012-10-30

Import patches-unapplied version 2.2.22-12 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 300293608eac3eddb8e22317cb125d0c9796bf56

New changelog entries:
  * Backport mod_ssl "SSLCompression on|off" flag from upstream. The default is
    "off". This mitigates impact of CRIME attacks. Fixes:
    - "handling the CRIME attack" (Closes: #689936)
    - "make it possible to disable ssl compression in apache2 mod_ssl"
      (Closes: #674142)

3002936... by Arno Töll on 2012-08-03

Import patches-unapplied version 2.2.22-11 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d427403b8921546e1fa16229f34d2b6668d46a4d

New changelog entries:
  * Be more careful regarding link attacks when purging the cache disk
  * Change file ownership of /var/cache/apache2/ to root.
  * Compress the data.tar in binary packages using xz to save some space on
    installation media (Debian only).

d427403... by Stefan Fritsch on 2012-07-30

Import patches-unapplied version 2.2.22-10 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 78646690a5e65a5702c7196458b59443795c1a89

New changelog entries:
  [ Arno Töll ]
  * Fix "dbmmanage: please use Digest::SHA instead of Digest::SHA1" by changing
    perl module imports to make use of Digest::SHA shipped with perl 5.10 (Closes:
  * Fix "Default /etc/apache2/mods-available/disk_cache.conf is incompatible
    with ext3" by changing the default to more moderate values. Some file
    systems have a hard limit for the number of subdirectories in a single
    directory. This change requires the cache directory to be purged.
    (Closes: #682840)
  [ Stefan Fritsch ]
  * Add support for TLSv1.0 and TLSv1.1 to SSLProtocol and SSLProxyProtocol
    directives. Closes: #682897
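The changelog entries for 2.2.22-13+deb7u4 (MergeTrailers), 2.2.22-13+deb7u3 (CGIDScriptTimeout and the mod_deflate inflate limits), 2.2.22-12 (SSLCompression) and 2.2.22-10 (SSLProtocol) each name a directive without showing it in context. The fragment below is an added example, not part of the Debian package or of any commit on this branch; it collects those directives into one hardened configuration. Every numeric value in it is an assumption chosen for illustration, and the `<IfModule>` guards are there so the fragment loads even where a module is not enabled.

```apache
# Added example (not the package's own configuration): defensive settings
# introduced by the changelog entries above. Numeric values are assumptions.

<IfModule mod_ssl.c>
    # 2.2.22-12: TLS-level compression off, the backported default that
    # mitigates CRIME. Stating it explicitly survives a changed default.
    SSLCompression off
    # 2.2.22-10: TLS 1.0 and 1.1 became selectable by name; here the older
    # SSL versions are simply excluded.
    SSLProtocol all -SSLv2 -SSLv3
</IfModule>

# 2.2.22-13+deb7u4 (CVE-2013-5704): do not merge chunk trailers into the
# request headers, so headers stripped by mod_headers cannot be reintroduced.
MergeTrailers off

<IfModule mod_cgid.c>
    # 2.2.22-13+deb7u3 (CVE-2014-0231): bound the time a CGI script that never
    # reads stdin can hold an httpd child (seconds, assumed value).
    CGIDScriptTimeout 60
</IfModule>

<IfModule mod_deflate.c>
    # 2.2.22-13+deb7u3 (CVE-2014-0118): cap what the DEFLATE input filter will
    # inflate. Limit is in bytes; ratio limit and burst are assumed values.
    DeflateInflateLimitRequestBody 1048576
    DeflateInflateRatioLimit 200
    DeflateInflateRatioBurst 3
</IfModule>
```

`MergeTrailers off` and `SSLCompression off` are already the defaults after these uploads, so their presence documents a deliberate choice rather than changing behaviour; the DH-parameter work described in 2.2.22-13+deb7u6 needs no directive here, since that entry adds support for placing the parameters in the file named by `SSLCertificateFile`.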

7864669... by Stefan Fritsch on 2012-06-24

Import patches-unapplied version 2.2.22-9 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 84a38c63b875da242965082f96f635f3ed1daa4b

New changelog entries:
  * Fix typo in conf.d/security comment. Closes: #678740