ubuntu/+source/apache2:ubuntu/oneiric-security

Last commit made on 2013-03-18
Get this branch:
git clone -b ubuntu/oneiric-security https://git.launchpad.net/ubuntu/+source/apache2
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: ubuntu/oneiric-security
Repository: lp:ubuntu/+source/apache2

Recent commits

b741f00... by Marc Deslauriers on 2013-03-08

Import patches-unapplied version 2.2.20-1ubuntu1.4 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 57140407385d8a420289691519dda16984e3decc

New changelog entries:
  * SECURITY UPDATE: multiple cross-site scripting issues
    - debian/patches/CVE-2012-3499_4558.dpatch: properly escape html in
      modules/generators/{mod_info.c,mod_status.c},
      modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
      modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
    - CVE-2012-3499
    - CVE-2012-4558
  * SECURITY UPDATE: denial of service in mod_proxy_ajp
    - debian/patches/CVE-2012-4557.dpatch: check for timeout in
      modules/proxy/ajp_link.c, modules/proxy/mod_proxy_ajp.c.
    - CVE-2012-4557
  * SECURITY UPDATE: symlink attack in apache2ctl script
    - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
    - Thanks to Stefan Fritsch for the fix.
    - CVE-2013-1048
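The apache2ctl entry above only names the fix (a safer mkdir_chown()). The following is an added illustration, written for this page and not the Debian/Ubuntu apache2ctl code, of why the usual "mkdir -p DIR; chown USER DIR" idiom is symlink-unsafe when DIR's parent is writable by other local users, and of one careful variant. The scratch directory layout, the function names and the demo() wrapper are all constructed for the example; the real script's function may differ in detail.

```shell
#!/bin/sh
# Added illustration (not the apache2ctl source): symlink-unsafe
# mkdir+chown versus a variant that only chowns what it created.

# Vulnerable pattern: if a local user has already planted DIR as a
# symlink, "mkdir -p" is a no-op (the link resolves to a directory)
# and chown follows the link, re-owning whatever it points to.
unsafe_mkdir_chown() {
    mkdir -p "$2" && chown "$1" "$2"
}

# Safer pattern: never chown anything this process did not create.
# A plain "mkdir" (no -p) fails with EEXIST when anything already sits
# at the path, including a dangling symlink, so the chown only runs on
# a directory we just made. A symlink that appears between the test
# and the mkdir also makes mkdir fail, so the race fails closed.
safe_mkdir_chown() {
    owner="$1"; dir="$2"
    if [ -d "$dir" ] && ! [ -L "$dir" ]; then
        return 0                      # real directory already exists
    fi
    mkdir "$dir" 2>/dev/null || return 1   # refuses symlinks and races
    chown "$owner" "$dir"
}

# Demonstration in a throwaway tree: "victim" stands in for the target
# an attacker wants re-owned, "lock" for /var/lock/apache2. Ownership is
# set to the current user so no privileges are needed to run it.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/victim"
    ln -s "$tmp/victim" "$tmp/lock"
    me=$(id -un)
    unsafe_mkdir_chown "$me" "$tmp/lock" && unsafe_rc=0 || unsafe_rc=1
    safe_mkdir_chown "$me" "$tmp/lock"   && safe_rc=0   || safe_rc=1
    safe_mkdir_chown "$me" "$tmp/fresh"  && fresh_rc=0  || fresh_rc=1
    rm -rf "$tmp"
    # unsafe "succeeds" straight through the link (rc 0); safe refuses
    # the planted link (rc 1) but still creates a genuinely new path.
    [ "$unsafe_rc" -eq 0 ] && [ "$safe_rc" -eq 1 ] && [ "$fresh_rc" -eq 0 ]
}
```

Run demo from the shell; it returns 0 when the unsafe variant followed the planted link and the safe variant refused it. The same reasoning applies to any root-run script that prepares directories under a sticky, world-writable parent such as /var/lock or /tmp.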

5714040... by Marc Deslauriers on 2012-11-06

Import patches-unapplied version 2.2.20-1ubuntu1.3 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 231b2bd2b79856b1962c53a450c2981b68152669

New changelog entries:
  * SECURITY UPDATE: XSS vulnerability in mod_negotiation
    - debian/patches/220_CVE-2012-2687.dpatch: escape filenames in
      modules/mappers/mod_negotiation.c.
    - CVE-2012-2687
  * SECURITY UPDATE: CRIME SSL attack (LP: #1068854)
    - debian/patches/221_CVE-2012-4929.dpatch: backport SSLCompression
      on|off directive. Defaults to off as enabling compression enables the
      CRIME attack.
    - CVE-2012-4929

231b2bd... by Marc Deslauriers on 2012-02-14

Import patches-unapplied version 2.2.20-1ubuntu1.2 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: c30faabd2e8cebf5e475d610b62670c28a394c10

New changelog entries:
  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service via invalid cookie
    - debian/patches/217_CVE-2012-0021.dpatch: check name and value in
      modules/loggers/mod_log_config.c.
    - CVE-2012-0021
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/218_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053

c30faab... by Steve Beattie on 2011-11-07

Import patches-unapplied version 2.2.20-1ubuntu1.1 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 763661c86389830015f1f3640b02679c824b8b71

New changelog entries:
  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests. (patch courtesy of Michael Jeanson)
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/214_CVE-2011-3192_regression.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option, along
      with a staged fix for the 2.2.22 release.

763661c... by Steve Beattie on 2011-09-06

Import patches-unapplied version 2.2.20-1ubuntu1 to ubuntu/oneiric

Imported using git-ubuntu import.

Changelog parent: dedd18e27f7852e11855d1c115fefc9e41b6d6ee

New changelog entries:
  * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
    Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree
    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
      Plymouth-aware passphrase dialog program ask-for-passphrase.

dedd18e... by Stefan Fritsch on 2011-09-04

Import patches-unapplied version 2.2.20-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: bbed116b9c159d0c8ed54996e908bb09fd8765de

New changelog entries:
  * New upstream release.
  * Fix some regressions related to Range requests caused by the CVE-2011-3192
    fix. Closes: #639825
  * Add build-arch and build-indep rules targets to make Lintian happy.
  * Bump Standards-Version (no changes).

bbed116... by Stefan Fritsch on 2011-08-29

Import patches-unapplied version 2.2.19-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: bc2619356a3bbe340e04bac263b9e51047f97b9b

New changelog entries:
  * Fix CVE-2011-3192: DoS by high memory usage for a large number of
    overlapping ranges.
  * Reduce default KeepAliveTimeout from 15 to 5 seconds.
  * Use "linux-any" in build-deps. Closes: #634709
  * Improve reload message of a2enmod. Closes: #639291
  * Improve description of the prefork MPM. Closes: #634242
  * Mention .conf files in a2enmod man page. Closes: #634834

bc26193... by Stefan Fritsch on 2011-05-22

Import patches-unapplied version 2.2.19-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 6b9c99483e8cb1ab308c3602a3f4be50ba678b9f

New changelog entries:
  * New upstream release.
    - Makes apr-md5 the default algorithm for htpasswd, removing the 8
      character limit of the crypt()-algorithm. Closes: #539246
    - Fixes merging of IndexOptions. Closes: #394688
    - Documents why order of ProxyPass and <Proxy> blocks matters in the
      configuration. See "Workers" section in the mod_proxy documentation.
      Closes: #560020
  * For multiple instance setups, correctly determine the config dir in the
    init script if it is called via a start/stop link. Closes: #627061
  * Make a2enmod's restart hint more cut'n'paste friendly. LP: #770204
  * Make it clear in README.multiple-instances that the MPMs are shipped
    in the apache2.2-bin package.

6b9c994... by Stefan Fritsch on 2011-04-10

Import patches-unapplied version 2.2.17-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f5dc725a0203581a89d047bb7bf0c672ae8a7c8c

New changelog entries:
  * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
  * Fix link errors with -no-add-needed/--no-copy-dt-needed-entries in
    htpasswd/htdbm.

f5dc725... by Stefan Fritsch on 2011-03-21

Import patches-unapplied version 2.2.17-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 37cf083701f3d38635c36b384e5c8e970ba8c2db

New changelog entries:
  * New mpm_itk upstream version 2.2.17-01:
    - Fix CVE-2011-1176: If NiceValue was set, the default with no
      AssignUserID was to run as root:root instead of the default Apache user
      and group, due to the configuration merger having an incorrect default
      configuration. Closes: #618857
  * Make exit code of '/etc/init.d/apache2 status' more LSB compatible.
    Closes: #613969
  * Set the default file descriptor limit to 8192 instead of whatever the
    current limit is (usually 1024). Document how to change it in
    /etc/apache2/envvars . Closes: #615632
  * Fix typo in init script. Closes: #615866
  * Add hint in README.Debian about 403 error with mod_dav PUT. Closes: #613438
  * Remove some obsolete Depends and Replaces.