ubuntu/+source/apache2:ubuntu/hardy-security

Last commit made on 2013-03-18
Get this branch:
git clone -b ubuntu/hardy-security https://git.launchpad.net/ubuntu/+source/apache2

Branch information

Name:
ubuntu/hardy-security
Repository:
lp:ubuntu/+source/apache2

Recent commits

d86de40... by Marc Deslauriers on 2013-03-08

Import patches-unapplied version 2.2.8-1ubuntu0.25 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: d725bb399220ff3ce740ff83cf22ddb3c5c3c035

New changelog entries:
  * SECURITY UPDATE: multiple cross-site scripting issues
    - debian/patches/CVE-2012-3499_4558.dpatch: properly escape html in
      modules/generators/{mod_info.c,mod_status.c},
      modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
      modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
    - CVE-2012-3499
    - CVE-2012-4558
  * SECURITY UPDATE: denial of service in mod_proxy_ajp
    - debian/patches/CVE-2012-4557.dpatch: check for timeout in
      modules/proxy/ajp_link.c, modules/proxy/mod_proxy_ajp.c.
    - CVE-2012-4557
  * SECURITY UPDATE: symlink attack in apache2ctl script
    - debian/patches/CVE-2013-1048.dpatch: introduce and use a safer
      mkdir_chown() function in support/apachectl.in.
    - CVE-2013-1048

d725bb3... by Marc Deslauriers on 2012-11-06

Import patches-unapplied version 2.2.8-1ubuntu0.24 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: 310b995976af5c00298bdc4a2adf9ac8ea4fbf21

New changelog entries:
  * SECURITY UPDATE: XSS vulnerability in mod_negotiation
    - debian/patches/224_CVE-2012-2687.dpatch: escape filenames in
      modules/mappers/mod_negotiation.c.
    - CVE-2012-2687
  * SECURITY UPDATE: CRIME SSL attack (LP: #1068854)
    - debian/patches/225_CVE-2012-4929.dpatch: backport SSLCompression
      on|off directive. Defaults to off as enabling compression enables the
      CRIME attack.
    - CVE-2012-4929

310b995... by Marc Deslauriers on 2012-02-14

Import patches-unapplied version 2.2.8-1ubuntu0.23 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: 7bc6008598299d3b87f9f5fc2d26e30ca6f2c1e9

New changelog entries:
  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/220_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/221_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/222_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/223_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053

7bc6008... by Steve Beattie on 2011-11-03

Import patches-unapplied version 2.2.8-1ubuntu0.22 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: 5c1468239cbb8fc9a42c807505a1377d411d5d72

New changelog entries:
  [ Michael Jeanson ]
  * SECURITY UPDATE: mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-3368.dpatch: return 400
      on invalid requests.
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
      0.9 protocol
  [ Steve Beattie ]
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/084_CVE-2011-3192_regression_part2.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option.

5c14682... by Steve Beattie on 2011-09-01

Import patches-unapplied version 2.2.8-1ubuntu0.21 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: 6a4751c418b12bedec5681c8545a4cade9faa2ec

New changelog entries:
  * SECURITY UPDATE: Range header DoS vulnerability
    - debian/patches/214_CVE-2011-3192.dpatch: filter out large
      byte ranges and improve memory efficiency in handling buckets.
      (thanks to Debian and upstream)
    - CVE-2011-3192
  * Include fix for regressions introduced by above patch:
    - debian/patches/084_CVE-2011-3192_regression.dpatch: return 206
      and 416 response codes where appropriate (see Debian bug 639825)

6a4751c... by Marc Deslauriers on 2010-11-18

Import patches-unapplied version 2.2.8-1ubuntu0.19 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: a1c613e4d207fad0abec1313eded87fea53bd0f6

New changelog entries:
  * SECURITY UPDATE: denial of service via request that lacks a path in
    mod_dav.
    - debian/patches/213_CVE-2010-1452.dpatch: fix path handling in
      modules/dav/main/util.c.
    - CVE-2010-1452

a1c613e... by Marc Deslauriers on 2010-08-16

Import patches-unapplied version 2.2.8-1ubuntu0.18 to ubuntu/hardy-proposed

Imported using git-ubuntu import.

Changelog parent: 8b3c081cadf968b86a70d8f2fbefadee514866a7

New changelog entries:
  * debian/patches/212_sslinsecurerenegotiation-directive.dpatch: once
    openssl gets updated to fix CVE-2009-3555, server renegotiations with
    unpatched clients will fail. This patch adds the ability to revert to
    the previous unsafe behaviour with a new SSLInsecureRenegotiation
    directive. (LP: #616759)
  * debian/control: add specific dependency on first openssl version to get
    CVE-2009-3555 fix.

8b3c081... by Dave Walker on 2010-05-21

Import patches-unapplied version 2.2.8-1ubuntu0.17 to ubuntu/hardy-proposed

Imported using git-ubuntu import.

Changelog parent: 327f6373c3130688c3c05f53cbb72ca9822e1126

New changelog entries:
  * debian/apache2.2-common.postinst: When dpkg-statoverride is used, the cut
    delimiter has now been set to use ' ', as it was causing upgrades to fail.
    (LP: #583698)

327f637... by Dave Walker on 2010-05-17

Import patches-unapplied version 2.2.8-1ubuntu0.16 to ubuntu/hardy-proposed

Imported using git-ubuntu import.

Changelog parent: 3f454c55534892733f415c82db6f26e8fbe365ba

New changelog entries:
  * debian/patches/211_fix_mod_proxy_nocanon.dpatch: Fix duplicated query string
    when using nocanon option to mod_proxy. Patch courtesy of James Troup, based
    on upstream cherry pick. (LP: #455873)

3f454c5... by Marc Deslauriers on 2010-03-08

Import patches-unapplied version 2.2.8-1ubuntu0.15 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: bc3d237ed875696f577abbab7dc0e112b686c287

New changelog entries:
  * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
    - debian/patches/209_CVE-2010-0408.dpatch: return the right error code
      in modules/proxy/mod_proxy_ajp.c.
    - CVE-2010-0408
  * SECURITY UPDATE: information disclosure via improper handling of
    headers in subrequests
    - debian/patches/210_CVE-2010-0434.dpatch: use a copy of r->headers_in
      in server/protocol.c.
    - CVE-2010-0434