ubuntu/+source/apache2:ubuntu/lucid-devel

Last commit made on 2015-03-10
Get this branch:
git clone -b ubuntu/lucid-devel https://git.launchpad.net/ubuntu/+source/apache2
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name:
ubuntu/lucid-devel
Repository:
lp:ubuntu/+source/apache2

Recent commits

a16cf78... by Marc Deslauriers on 2015-03-05

Import patches-unapplied version 2.2.14-5ubuntu8.15 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: a7f4299a4a7deaae29f0bda82ebf35269db447e1

New changelog entries:
  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.dpatch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c,
      server/core.c, server/protocol.c.
    - CVE-2013-5704

a7f4299... by Marc Deslauriers on 2014-07-22

Import patches-unapplied version 2.2.14-5ubuntu8.14 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: c85f26ae6e2f3cf1e196151b56b3e90f09991645

New changelog entries:
  * SECURITY UPDATE: resource consumption via mod_deflate body
    decompression
    - debian/patches/CVE-2014-0118.dpatch: added new configuration options
      DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and
      DeflateInflateRatioBurst in modules/filters/mod_deflate.c.
    - CVE-2014-0118
  * SECURITY UPDATE: denial of service via race in mod_status
    - debian/patches/CVE-2014-0226.dpatch: fix race by adding
      ap_copy_scoreboard_worker() to include/scoreboard.h,
      modules/generators/mod_status.c, server/scoreboard.c.
    - CVE-2014-0226
  * SECURITY UPDATE: denial of service in mod_cgid
    - debian/patches/CVE-2014-0231.dpatch: added new configuration option
      CGIDScriptTimeout in modules/generators/mod_cgid.c.
    - CVE-2014-0231

c85f26a... by Marc Deslauriers on 2014-03-19

Import patches-unapplied version 2.2.14-5ubuntu8.13 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 3a6eb35aeccde390cccf39aa1f66b08e361c6587

New changelog entries:
  * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
    calculation
    - debian/patches/CVE-2013-6438.dpatch: properly calculate correct length
      in modules/dav/main/util.c.
    - CVE-2013-6438

3a6eb35... by Marc Deslauriers on 2013-07-12

Import patches-unapplied version 2.2.14-5ubuntu8.12 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 1d4c35b874b252caa88a8a86760671a11f1f3874

New changelog entries:
  * SECURITY UPDATE: log file poisoning via mod_rewrite (LP: #1188069)
    - debian/patches/CVE-2013-1862.dpatch: properly escape items in
      modules/mappers/mod_rewrite.c.
    - CVE-2013-1862
  * SECURITY UPDATE: denial of service via MERGE request
    - debian/patches/CVE-2013-1896.dpatch: make sure DAV is enabled for URI
      in modules/dav/main/mod_dav.c.
    - CVE-2013-1896

1d4c35b... by Marc Deslauriers on 2013-03-08

Import patches-unapplied version 2.2.14-5ubuntu8.11 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 7b9584062eca34f3a1fb6e6bb6f620e7c4f48a7d

New changelog entries:
  * SECURITY UPDATE: multiple cross-site scripting issues
    - debian/patches/CVE-2012-3499_4558.dpatch: properly escape html in
      modules/generators/{mod_info.c,mod_status.c},
      modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
      modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
    - CVE-2012-3499
    - CVE-2012-4558
  * SECURITY UPDATE: denial of service in mod_proxy_ajp
    - debian/patches/CVE-2012-4557.dpatch: check for timeout in
      modules/proxy/ajp_link.c, modules/proxy/mod_proxy_ajp.c.
    - CVE-2012-4557
  * SECURITY UPDATE: symlink attack in apache2ctl script
    - debian/patches/CVE-2013-1048.dpatch: introduce and use a safer
      mkdir_chown() function in support/apachectl.in.
    - CVE-2013-1048

7b95840... by Marc Deslauriers on 2012-11-06

Import patches-unapplied version 2.2.14-5ubuntu8.10 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 8a2507ff90f4c78a963f79a94e96cac3ba7b362c

New changelog entries:
  * SECURITY UPDATE: XSS vulnerability in mod_negotiation
    - debian/patches/302_CVE-2012-2687.dpatch: escape filenames in
      modules/mappers/mod_negotiation.c.
    - CVE-2012-2687
  * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
    - debian/patches/303_CVE-2012-4929.dpatch: backport SSLCompression
      on|off directive. Defaults to off as enabling compression enables the
      CRIME attack.
    - CVE-2012-4929

8a2507f... by Chuck Short on 2012-03-02

Import patches-unapplied version 2.2.14-5ubuntu8.9 to ubuntu/lucid-proposed

Imported using git-ubuntu import.

Changelog parent: 321ce80ba02b4bee9b7dd2a7fa627ebbbfd7fb47

New changelog entries:
  * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix webdav permissions,
    backported from trunk. Thanks to James M. Leady (LP: #540747)

321ce80... by Marc Deslauriers on 2012-02-14

Import patches-unapplied version 2.2.14-5ubuntu8.8 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 5977f711a7624e47c578ee9d16448001e9789944

New changelog entries:
  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/218_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053

5977f71... by Steve Beattie on 2011-11-03

Import patches-unapplied version 2.2.14-5ubuntu8.7 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 236315b4a38558ae21daa60127453ed8e8279363

New changelog entries:
  [ Michael Jeanson ]
  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests.
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
      0.9 protocol
    - CVE-2011-3368
  [ Steve Beattie ]
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * SECURITY UPDATE: mpm-itk failure to drop privileges in certain
    configurations
    - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge
      configurations correctly
    - CVE-2011-1176
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/215_CVE-2011-3192_regression_part2.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option along
      with a fix staged for 2.2.22.

236315b... by Steve Beattie on 2011-09-01

Import patches-unapplied version 2.2.14-5ubuntu8.6 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: af98fdb23d13c75076be5be0489bb89230195ea7

New changelog entries:
  * SECURITY UPDATE: Range header DoS vulnerability
    - debian/patches/207_CVE-2011-3192.dpatch: filter out large
      byte ranges and improve memory efficiency in handling buckets.
      (thanks to Debian and upstream)
    - CVE-2011-3192
  * Include fix for regressions introduced by above patch:
    - debian/patches/208_CVE-2011-3192_regression.dpatch: return 206
      and 416 response codes where appropriate (see Debian bug 639825)