ubuntu/+source/apache2:ubuntu/precise-updates

Last commit made on 2016-07-18
Get this branch:
git clone -b ubuntu/precise-updates https://git.launchpad.net/ubuntu/+source/apache2

Branch information

Name: ubuntu/precise-updates
Repository: lp:ubuntu/+source/apache2

Recent commits

cfdfe14... by Marc Deslauriers on 2016-07-14

Import patches-unapplied version 2.2.22-1ubuntu1.11 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: e2c1e15f5e252e69dcc8dcf82e92fff7e616714f

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

e2c1e15... by Marc Deslauriers on 2015-07-24

Import patches-unapplied version 2.2.22-1ubuntu1.10 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: a0e701797553c012298a3ec81c025905f3d14d4d

New changelog entries:
  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183

a0e7017... by Marc Deslauriers on 2015-05-28

Import patches-unapplied version 2.2.22-1ubuntu1.9 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: a4942ee27e6db044130cd5f16bce961e2527f22b

New changelog entries:
  * SECURITY IMPROVEMENT: add support for ECC keys and ECDH ciphers
    (LP: #1197884)
    - debian/patches/ecc_support.patch: add support to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_toolkit_compat.h, modules/ssl/ssl_util.c,
  * SECURITY IMPROVEMENT: add TLSv1.x options to SSLProtocol (LP: #1400473)
    - debian/patches/tls_options.patch: allow specifying later TLSv1.x
      options in modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
      modules/ssl/ssl_private.h.
  * SECURITY IMPROVEMENT: improve ephemeral key handling, including
    allowing DH parameters to be loaded from SSLCertificateFile and
    disabling EXPORT ciphers.
    - debian/patches/ephemeral_key_handling.patch: numerous improvements to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_dh.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h.

a4942ee... by Marc Deslauriers on 2015-03-05

Import patches-unapplied version 2.2.22-1ubuntu1.8 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 6b1213d508b5842e84b2d47ed4aa3836262c74fd

New changelog entries:
  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c,
      server/core.c, server/protocol.c.
    - CVE-2013-5704

6b1213d... by Marc Deslauriers on 2014-07-22

Import patches-unapplied version 2.2.22-1ubuntu1.7 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 8974f778a99317f5f51e8ae4523d28cc11918804

New changelog entries:
  * SECURITY UPDATE: resource consumption via mod_deflate body
    decompression
    - debian/patches/CVE-2014-0118.patch: added new configuration options
      DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and
      DeflateInflateRatioBurst in modules/filters/mod_deflate.c.
    - CVE-2014-0118
  * SECURITY UPDATE: denial of service via race in mod_status
    - debian/patches/CVE-2014-0226.patch: fix race by adding
      ap_copy_scoreboard_worker() to include/scoreboard.h,
      modules/generators/mod_status.c, server/scoreboard.c.
    - CVE-2014-0226
  * SECURITY UPDATE: denial of service in mod_cgid
    - debian/patches/CVE-2014-0231.patch: added new configuration option
      CGIDScriptTimeout in modules/generators/mod_cgid.c.
    - CVE-2014-0231

8974f77... by Ritesh Khadgaray on 2014-03-27

Import patches-unapplied version 2.2.22-1ubuntu1.6 to ubuntu/precise-proposed

Imported using git-ubuntu import.

Changelog parent: eb56bacff183221380f649d717e31fbbeee0f6b0

New changelog entries:
  * debian/patches/sni.patch:
    - apache2 doesn't compare SNI hostname against Host header
      case-insensitively (lp: #1298273)

eb56bac... by Marc Deslauriers on 2014-03-19

Import patches-unapplied version 2.2.22-1ubuntu1.5 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: e04f701c82331ea89a9780abe72e6c47f7e6387a

New changelog entries:
  * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
    calculation
    - debian/patches/CVE-2013-6438.patch: properly calculate correct length
      in modules/dav/main/util.c.
    - CVE-2013-6438
  * SECURITY UPDATE: denial of service via truncated cookie and
    mod_log_config
    - debian/patches/CVE-2014-0098.patch: properly parse tokens in
      modules/loggers/mod_log_config.c.
    - CVE-2014-0098

e04f701... by Marc Deslauriers on 2013-07-12

Import patches-unapplied version 2.2.22-1ubuntu1.4 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 9b1451f022e09764b646ea395cd601f77416e726

New changelog entries:
  * SECURITY UPDATE: log file poisoning via mod_rewrite (LP: #1188069)
    - debian/patches/CVE-2013-1862.patch: properly escape items in
      modules/mappers/mod_rewrite.c.
    - CVE-2013-1862
  * SECURITY UPDATE: denial of service via MERGE request
    - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
      in modules/dav/main/mod_dav.c.
    - CVE-2013-1896

9b1451f... by Marc Deslauriers on 2013-03-08

Import patches-unapplied version 2.2.22-1ubuntu1.3 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 22dff0829f029948b77e088650c6857637b59cc7

New changelog entries:
  * SECURITY UPDATE: multiple cross-site scripting issues
    - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
      modules/generators/{mod_info.c,mod_status.c},
      modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
      modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
    - CVE-2012-3499
    - CVE-2012-4558
  * SECURITY UPDATE: symlink attack in apache2ctl script
    - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
    - Thanks to Stefan Fritsch for the fix.
    - CVE-2013-1048

22dff08... by Marc Deslauriers on 2012-11-06

Import patches-unapplied version 2.2.22-1ubuntu1.2 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: b067e6227d47e2dca25f0280ed005f1ba85c3235

New changelog entries:
  * SECURITY UPDATE: XSS vulnerability in mod_negotiation
    - debian/patches/CVE-2012-2687.patch: escape filenames in
      modules/mappers/mod_negotiation.c.
    - CVE-2012-2687
  * SECURITY UPDATE: CRIME SSL attack (LP: #1068854)
    - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
      directive. Defaults to off as enabling compression enables the CRIME
      attack.
    - CVE-2012-4929