ubuntu/+source/apache2:ubuntu/quantal-security

Last commit made on 2014-03-24
Get this branch:
git clone -b ubuntu/quantal-security https://git.launchpad.net/ubuntu/+source/apache2

Branch information

Name: ubuntu/quantal-security
Repository: lp:ubuntu/+source/apache2

Recent commits

51d9a8a... by Marc Deslauriers on 2014-03-19

Import patches-unapplied version 2.2.22-6ubuntu2.4 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: 43813725f1f40ef90698186b7823b3b2af981beb

New changelog entries:
  * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
    calculation
    - debian/patches/CVE-2013-6438.patch: properly calculate correct length
      in modules/dav/main/util.c.
    - CVE-2013-6438
  * SECURITY UPDATE: denial of service via truncated cookie and
    mod_log_config
    - debian/patches/CVE-2014-0098.patch: properly parse tokens in
      modules/loggers/mod_log_config.c.
    - CVE-2014-0098

4381372... by Marc Deslauriers on 2013-07-12

Import patches-unapplied version 2.2.22-6ubuntu2.3 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: 3937748025e950d33883eace71822ffc7077b9d7

New changelog entries:
  * SECURITY UPDATE: log file poisoning via mod_rewrite (LP: #1188069)
    - debian/patches/CVE-2013-1862.patch: properly escape items in
      modules/mappers/mod_rewrite.c.
    - CVE-2013-1862
  * SECURITY UPDATE: denial of service via MERGE request
    - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
      in modules/dav/main/mod_dav.c.
    - CVE-2013-1896

3937748... by Marc Deslauriers on 2013-03-08

Import patches-unapplied version 2.2.22-6ubuntu2.2 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: 4bce2ec681fee4c4d93ff3d7eefbe6d14e5ca9c4

New changelog entries:
  * SECURITY UPDATE: multiple cross-site scripting issues
    - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
      modules/generators/{mod_info.c,mod_status.c},
      modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
      modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
    - CVE-2012-3499
    - CVE-2012-4558
  * SECURITY UPDATE: symlink attack in apache2ctl script
    - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
    - Thanks to Stefan Fritsch for the fix.
    - CVE-2013-1048

4bce2ec... by Marc Deslauriers on 2012-11-06

Import patches-unapplied version 2.2.22-6ubuntu2.1 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: 11984c7fcffe77d492deb681f0a60b0abfa9a3f8

New changelog entries:
  * SECURITY UPDATE: XSS vulnerability in mod_negotiation
    - debian/patches/CVE-2012-2687.patch: escape filenames in
      modules/mappers/mod_negotiation.c.
    - CVE-2012-2687
  * SECURITY UPDATE: CRIME SSL attack (LP: #1068854)
    - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
      directive. Defaults to off as enabling compression enables the CRIME
      attack.
    - CVE-2012-4929

11984c7... by Matthieu Baerts on 2012-07-16

Import patches-unapplied version 2.2.22-6ubuntu2 to ubuntu/quantal

Imported using git-ubuntu import.

Changelog parent: 8dbf29704dcbbd8934b8055b59948bc6a6b9b461

New changelog entries:
  * debian/apache2.py
   - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171)
   - Check if this directory exists: /etc/apache2/sites-enabled/

8dbf297... by Robie Basak on 2012-06-08

Import patches-unapplied version 2.2.22-6ubuntu1 to ubuntu/quantal

Imported using git-ubuntu import.

Changelog parent: 1edd1e44190a4efd3587eb653740e3d1b30efa95

New changelog entries:
  * Merge from Debian unstable. Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
      Plymouth aware passphrase dialog program ask-for-passphrase.
  * Dropped changes:
    - debian/control: Add bzr tag and point it to our tree; this is not
      really required and just increases the delta.

1edd1e4... by Stefan Fritsch on 2012-05-29

Import patches-unapplied version 2.2.22-6 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 85df2487082b6cd9a9df3a920a5deb65610a217c

New changelog entries:
  [ Stefan Fritsch ]
  * Fix regression causing apache2 to cache "206 partial content" responses,
    and then serving these partial responses when replying to normal requests.
    Closes: #671204
  * Add section to security.conf that shows how to forbid access to VCS
    directories. Closes: #548213
  * Update ssl default cipher config, add alternative speed optimized config.
    Closes: #649020
  * Add "AddCharset" for .brf files in default mod_mime config.
    Closes: #402567
  * Don't create httpd.conf anymore and don't include it in apache2.conf. If
    it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
  * Port some of the comments in apache2.conf from the 2.4 package.
  * Compile mod_version statically, drop associated module load file.
  * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
    configtest.
  * Note in README.Debian that future versions of the package will have the
    include statements changed to include only *.conf.
  * Change compiled-in document root to /var/www, to avoid strange error
    messages.
  * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
  [ Arno Töll ]
  * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
    to override LDFLAGS at compile time by defining LDFLAGS in the environment,
    just like it is possible for CFLAGS. This also means, config_vars.mk now
    exports hardening build flags by default.
  * Update doc-base metadata for the apache2-doc package.

85df248... by Stefan Fritsch on 2012-04-30

Import patches-unapplied version 2.2.22-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 7147558dbac2faadd910729d3e4e224cc4ef975f

New changelog entries:
  * Make LoadFile and LoadModule look in the standard search paths if the
    dso file name is given as a pure filename. This helps with the multi-arch
    transition.

7147558... by Stefan Fritsch on 2012-04-15

Import patches-unapplied version 2.2.22-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b8147564f421fb39c2527ad1ff1e16e2a7ca02dd

New changelog entries:
  * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
    hosts' config files.
    If scripting modules like mod_php or mod_rivet are enabled on systems
    where either 1) some frontend server forwards connections to an apache2
    backend server on the localhost address, or 2) the machine running
    apache2 is also used for web browsing, this could allow a remote
    attacker to execute example scripts stored under /usr/share/doc.
    Depending on the installed packages, this could lead to issues like cross
    site scripting, code execution, or leakage of sensitive data.

b814756... by Arno Töll on 2012-04-05

Import patches-unapplied version 2.2.22-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d1c6efcab0af78d4eaf130d8f3433fe034adcd71

New changelog entries:
  * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
    No such file or directory". Do not use internal rules targets which clash
    with build target names ... (Closes: #667069)
  * Drop apache2-dev virtual package. This had virtually no users but breaks our
    experimental package in some cases (e.g. #666793)
  * Push Standards version - no further changes
  * Update my maintainer address