ubuntu/+source/apache2:ubuntu/precise-proposed

Last commit made on 2014-04-17
Get this branch:
git clone -b ubuntu/precise-proposed https://git.launchpad.net/ubuntu/+source/apache2

Branch information

Name:
ubuntu/precise-proposed
Repository:
lp:ubuntu/+source/apache2

Recent commits

8974f77... by Ritesh Khadgaray on 2014-03-27

Import patches-unapplied version 2.2.22-1ubuntu1.6 to ubuntu/precise-proposed

Imported using git-ubuntu import.

Changelog parent: eb56bacff183221380f649d717e31fbbeee0f6b0

New changelog entries:
  * debian/patches/sni.patch:
    - apache2 doesn't compare SNI hostname against Host header
      case-insensitively (lp: #1298273)

eb56bac... by Marc Deslauriers on 2014-03-19

Import patches-unapplied version 2.2.22-1ubuntu1.5 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: e04f701c82331ea89a9780abe72e6c47f7e6387a

New changelog entries:
  * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
    calculation
    - debian/patches/CVE-2013-6438.patch: properly calculate correct length
      in modules/dav/main/util.c.
    - CVE-2013-6438
  * SECURITY UPDATE: denial of service via truncated cookie and
    mod_log_config
    - debian/patches/CVE-2014-0098.patch: properly parse tokens in
      modules/loggers/mod_log_config.c.
    - CVE-2014-0098

e04f701... by Marc Deslauriers on 2013-07-12

Import patches-unapplied version 2.2.22-1ubuntu1.4 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 9b1451f022e09764b646ea395cd601f77416e726

New changelog entries:
  * SECURITY UPDATE: log file poisoning via mod_rewrite (LP: #1188069)
    - debian/patches/CVE-2013-1862.patch: properly escape items in
      modules/mappers/mod_rewrite.c.
    - CVE-2013-1862
  * SECURITY UPDATE: denial of service via MERGE request
    - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
      in modules/dav/main/mod_dav.c.
    - CVE-2013-1896

9b1451f... by Marc Deslauriers on 2013-03-08

Import patches-unapplied version 2.2.22-1ubuntu1.3 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 22dff0829f029948b77e088650c6857637b59cc7

New changelog entries:
  * SECURITY UPDATE: multiple cross-site scripting issues
    - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
      modules/generators/{mod_info.c,mod_status.c},
      modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
      modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
    - CVE-2012-3499
    - CVE-2012-4558
  * SECURITY UPDATE: symlink attack in apache2ctl script
    - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
    - Thanks to Stefan Fritsch for the fix.
    - CVE-2013-1048

22dff08... by Marc Deslauriers on 2012-11-06

Import patches-unapplied version 2.2.22-1ubuntu1.2 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: b067e6227d47e2dca25f0280ed005f1ba85c3235

New changelog entries:
  * SECURITY UPDATE: XSS vulnerability in mod_negotiation
    - debian/patches/CVE-2012-2687.patch: escape filenames in
      modules/mappers/mod_negotiation.c.
    - CVE-2012-2687
  * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
    - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
      directive. Defaults to off as enabling compression enables the CRIME
      attack.
    - CVE-2012-4929

b067e62... by Chuck Short on 2012-02-13

Import patches-unapplied version 2.2.22-1ubuntu1 to ubuntu/precise

Imported using git-ubuntu import.

Changelog parent: 065234ee30b7351aa0a72730a5e57cb0a700c412

New changelog entries:
  * Merge from Debian testing. Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree
    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
      Plymouth aware passphrase dialog program ask-for-passphrase.

065234e... by Stefan Fritsch on 2012-02-01

Import patches-unapplied version 2.2.22-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: a0b90fd80561d4579a8a70fdb6896eb70cc4fedc

New changelog entries:
  [ Stefan Fritsch ]
  * New upstream release, urgency medium due to security fixes:
    - Fix CVE-2012-0021: mod_log_config: DoS with '%{cookiename}C' log format
    - Fix CVE-2012-0031: Unprivileged child process could cause the parent to
      crash at shutdown
    - Fix CVE-2012-0053: Exposure of "httpOnly" cookies in code 400 error
      message.
  * Move httxt2dbm to apache2-utils
  * Adjust debian/control to point to new git repository.
  [ Arno Töll ]
  * Fix "typo in /etc/apache2/apache2.conf" (Closes: #653801)

a0b90fd... by Stefan Fritsch on 2011-12-29

Import patches-unapplied version 2.2.21-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 7c45b99783471cacc4c2914b7833c1248ae8acb4

New changelog entries:
  [ Arno Töll ]
  * Fix build failures introduced as regression by the previous build. Debian
    buildds aren't rebuilding arch:all packages which caused problems for our
    unconditional copying into binary package. I was warned.

7c45b99... by Stefan Fritsch on 2011-12-29

Import patches-unapplied version 2.2.21-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 1e352f04e8c7e3b00b710137b2f982cc22256cb4

New changelog entries:
  [ Stefan Fritsch ]
  * Security: Fix broken patch for CVE-2011-3607 (Integer overflow in
    ap_pregsub).
  * Optimize debian/rules again to improve build time by doing most work in a
    single parallelized "build-%" target.
  [ Arno Töll ]
  * Fix "Suggest removing DefaultType from apache2.conf" change the DefaultType
    from text/plain to None. This lets the browser guess a proper MIME type
    instead of being forced to treat a given file according to our default type
    (Closes: #440058)
  * Fix "add pre-rotate hook to logrotate script" execute scripts in
    /etc/logrotate.d/httpd-prerotate if available (Closes: #590096).
  * Fix "Hide /icons index" Disables indexes on the icon directory. By upgrading
    to Debian's 3.0/quilt source format also images don't need to be generated
    at build time anymore. Hence, the icon date can no longer lead to
    information disclosure (Closes: #649888).
  * Upgrade package to 3.0/quilt.
    + Remove uuencoded images, keep them in their binary format in debian/icons
    + Upgrade to quilt from dpatch and refresh all patches by keeping all hunks
      unchanged. Remove the `001_branding' patch by supplying -DPLATFORM at
      build time where needed. Move the 200_cp_suexec.dpatch patch and
      202_suexec-custom.dpatch patch to debian/rules. 200_cp_suexec.dpatch was a
      script, not a patch which is not supported by quilt.
  * Rewrite debian/rules and base it on dh(1).
    + use overrides where possible, replace some debhelper calls by our own
      implementation where needed. That's required since the Apache package is
      compiled in parts several times for each MPM once.
    + move some install operations to their respective .install files
    + Support dpkg-buildflags now, which also enables by default hardening
      flags. Thus, remove them from their explicit appearance in debian/rules
    + Remove DEB_BUILD_OPTIONS legacy support. It comes for free when using
      dh(1)/dpkg-buildflags(1).
  * Push debhelper compatibility to 8
  * Remove unused Lintian overrides for the Debian source package and remove
    redundant priorities in debian/control.
  * Add myself to Uploaders

1e352f0... by Stefan Fritsch on 2011-12-03

Import patches-unapplied version 2.2.21-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ffee832c744ce848b675f1a5435b9eed9d153a28

New changelog entries:
  * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
    reverse proxy configurations. (Similar to CVE-2011-3368, but different
    attack vector.)
  * Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
    via malicious .htaccess.
  * Mention dpkg-statoverride for changing permissions of suexec. LP: #897120
  * Fix broken link in docs. Closes: #650528
  * Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders.
    Thanks for your work in the past.