ubuntu/+source/apache2:ubuntu/lucid-proposed

Last commit made on 2012-03-05
Get this branch:
git clone -b ubuntu/lucid-proposed https://git.launchpad.net/ubuntu/+source/apache2

Branch information

Name:
ubuntu/lucid-proposed
Repository:
lp:ubuntu/+source/apache2

Recent commits

8a2507f... by Chuck Short on 2012-03-02

Import patches-unapplied version 2.2.14-5ubuntu8.9 to ubuntu/lucid-proposed

Imported using git-ubuntu import.

Changelog parent: 321ce80ba02b4bee9b7dd2a7fa627ebbbfd7fb47

New changelog entries:
  * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix webdav permissions,
    backported from trunk. Thanks to James M. Leady (LP: #540747)

321ce80... by Marc Deslauriers on 2012-02-14

Import patches-unapplied version 2.2.14-5ubuntu8.8 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 5977f711a7624e47c578ee9d16448001e9789944

New changelog entries:
  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/218_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053

5977f71... by Steve Beattie on 2011-11-03

Import patches-unapplied version 2.2.14-5ubuntu8.7 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 236315b4a38558ae21daa60127453ed8e8279363

New changelog entries:
  [ Michael Jeanson ]
  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests.
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
      0.9 protocol
    - CVE-2011-3368
  [ Steve Beattie ]
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * SECURITY UPDATE: mpm-itk failure to drop privileges in certain
    configurations
    - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge
      configurations correctly
    - CVE-2011-1176
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/215_CVE-2011-3192_regression_part2.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option along
      with a fix staged for 2.2.22.

236315b... by Steve Beattie on 2011-09-01

Import patches-unapplied version 2.2.14-5ubuntu8.6 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: af98fdb23d13c75076be5be0489bb89230195ea7

New changelog entries:
  * SECURITY UPDATE: Range header DoS vulnerability
    - debian/patches/207_CVE-2011-3192.dpatch: filter out large
      byte ranges and improve memory efficiency in handling buckets.
      (thanks to Debian and upstream)
    - CVE-2011-3192
  * Include fix for regressions introduced by above patch:
    - debian/patches/208_CVE-2011-3192_regression.dpatch: return 206
      and 416 response codes where appropriate (see Debian bug 639825)

af98fdb... by Marc Deslauriers on 2010-11-18

Import patches-unapplied version 2.2.14-5ubuntu8.4 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: aea1889affd81a314980429fc497970c352821cf

New changelog entries:
  * SECURITY UPDATE: denial of service via request that lacks a path in
    mod_cache and mod_dav.
    - debian/patches/201_CVE-2010-1452.dpatch: fix path handling in
      modules/cache/cache_storage.c and modules/dav/main/util.c.
    - CVE-2010-1452

aea1889... by Chuck Short on 2010-09-27

Import patches-unapplied version 2.2.14-5ubuntu8.3 to ubuntu/lucid-proposed

Imported using git-ubuntu import.

Changelog parent: 10975a4efc3048f274ee0a681243d44e5b8dcda1

New changelog entries:
  * debian/apache2.2-common.postinst: Don't fail if you can load the reqtimeout module.
    (LP: #621837)
  * debian/patches/Backport fix for upstream bug PR 45444: https://issues.apache.org/bugzilla/show_bug.cgi?id=45444. (LP: #609290, #589611, #595116)

10975a4... by Marc Deslauriers on 2010-08-18

Import patches-unapplied version 2.2.14-5ubuntu8.2 to ubuntu/lucid-proposed

Imported using git-ubuntu import.

Changelog parent: d4c5988222b32205a5ed099a75ebac9a5f2eff1f

New changelog entries:
  * debian/patches/211-sslinsecurerenegotiation-directive.dpatch: once
    openssl gets updated to fix CVE-2009-3555, server renegotiations with
    unpatched clients will fail. This patch adds the ability to revert to
    the previous unsafe behaviour with a new SSLInsecureRenegotiation
    directive. (LP: #616759)
  * debian/control: add specific dependency on first openssl version to get
    CVE-2009-3555 fix.

d4c5988... by Chuck Short on 2010-04-13

Import patches-unapplied version 2.2.14-5ubuntu8 to ubuntu/lucid

Imported using git-ubuntu import.

Changelog parent: e88e7548956882dbd14a37178a89f8a3ca31d00c

New changelog entries:
  * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
    (LP: #562370)

e88e754... by Chuck Short on 2010-04-05

Import patches-unapplied version 2.2.14-5ubuntu7 to ubuntu/lucid

Imported using git-ubuntu import.

Changelog parent: 11b34b34b7e023c0c892faca454aee93157f49b4

New changelog entries:
  * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
    leaks by making sure to not destroy bucket brigades that have been created
    by earlier filters. Backported from 2.2.15.
  * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
    has reached MaxClients until it has. Backported from 2.2.15
  * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
    more secure by adding Satisfy all. (Debian bug: #572075)
  * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
    debian/config2-dir/mods-available/reqtimeout.load,
    debian/config2-dir/mods-available/reqtimeout.conf, debian/NEWS: Backport the
    mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
    bug in apache. Enable it by default. (LP: #392759)

11b34b3... by Chuck Short on 2010-03-30

Import patches-unapplied version 2.2.14-5ubuntu6 to ubuntu/lucid

Imported using git-ubuntu import.

Changelog parent: 8217b1bd498d3706fd7a9ae3d8512f04fd425600

New changelog entries:
  * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)