-
d9db552...
by
Rafael David Tinoco
on 2018-03-02
-
Import patches-unapplied version 2.4.7-1ubuntu4.19 to ubuntu/trusty-proposed
Imported using git-ubuntu import.
Changelog parent: 4ce8f475fe1a7c4af97f6dc09ecf28efdee0d12b
New changelog entries:
* Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
- added debian/patches/util_ldap_cache_lock_fix.patch
-
4ce8f47...
by
Marc Deslauriers
on 2017-09-18
-
Import patches-unapplied version 2.4.7-1ubuntu4.18 to ubuntu/trusty-security
Imported using git-ubuntu import.
Changelog parent: 181b6d05779ecf34634cb44f74771a9f25cc5387
New changelog entries:
* SECURITY UPDATE: optionsbleed information leak
- debian/patches/CVE-2017-9798.patch: disallow method registration
at run time in server/core.c.
- CVE-2017-9798
-
181b6d0...
by
Marc Deslauriers
on 2017-07-27
-
Import patches-unapplied version 2.4.7-1ubuntu4.17 to ubuntu/trusty-security
Imported using git-ubuntu import.
Changelog parent: 85378f36afd9fb3303888d983153f29b342d26ee
New changelog entries:
* SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
- debian/patches/CVE-2017-9788.patch: correct string scope in
modules/aaa/mod_auth_digest.c.
- CVE-2017-9788
-
85378f3...
by
Marc Deslauriers
on 2017-06-26
-
Import patches-unapplied version 2.4.7-1ubuntu4.16 to ubuntu/trusty-security
Imported using git-ubuntu import.
Changelog parent: 14a42d6bee0f8d416de61b834f193934893c6b58
New changelog entries:
* SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
- debian/patches/CVE-2017-3167.patch: deprecate and replace
ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
server/protocol.c, server/request.c.
- CVE-2017-3167
* SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
- debian/patches/CVE-2017-3169.patch: fix ctx passed to
ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
- CVE-2017-3169
* SECURITY UPDATE: denial of service and possible incorrect value return
in HTTP strict parsing changes
- debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
server/util.c.
- CVE-2017-7668
* SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
- debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
modules/http/mod_mime.c.
- CVE-2017-7679
-
14a42d6...
by
Marc Deslauriers
on 2017-05-05
-
Import patches-unapplied version 2.4.7-1ubuntu4.15 to ubuntu/trusty-security
Imported using git-ubuntu import.
Changelog parent: 5e537cd787b3a5bd8ac3c08836b3d4a2ecf30b47
New changelog entries:
* SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
- debian/patches/CVE-2016-0736.patch: authenticate the session
data/cookie with a MAC in modules/session/mod_session_crypto.c.
- CVE-2016-0736
* SECURITY UPDATE: denial of service via malicious mod_auth_digest input
- debian/patches/CVE-2016-2161.patch: improve memory handling in
modules/aaa/mod_auth_digest.c.
- CVE-2016-2161
* SECURITY UPDATE: response splitting and cache pollution issue via
incomplete RFC7230 HTTP request grammar enforcing
- debian/patches/CVE-2016-8743.patch: enfore stricter parsing in
include/http_core.h, include/http_protocol.h, include/httpd.h,
modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
server/protocol.c, server/util.c, server/vhost.c.
- debian/patches/hostnames_with_underscores.diff: relax hostname
restrictions in server/vhost.c.
- CVE-2016-8743
* WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
may introduce compatibility issues with clients that do not strictly
follow specifications. A new configuration directive,
"HttpProtocolOptions Unsafe" can be used to re-enable some of the less
strict parsing restrictions, at the expense of security.
-
5e537cd...
by
Marc Deslauriers
on 2016-07-14
-
Import patches-unapplied version 2.4.7-1ubuntu4.13 to ubuntu/trusty-security
Imported using git-ubuntu import.
Changelog parent: fe526ba278235a37d3b808793acf0da3ecaa76e5
New changelog entries:
* SECURITY UPDATE: proxy request header vulnerability (httpoxy)
- debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
server/util_script.c.
- CVE-2016-5387
* This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
trusty-proposed.
-
fe526ba...
by
Christian Ehrhardt
on 2016-06-07
-
Import patches-unapplied version 2.4.7-1ubuntu4.11 to ubuntu/trusty-proposed
Imported using git-ubuntu import.
Changelog parent: 604ac30cde956f740ae42a005fdc08283b1c06bb
New changelog entries:
* Fix hang until proxy timeout for Proxy responses with error status and
"ProxyErrorOverride On" being set (LP: #1495988).
-
604ac30...
by
Louis Bouchard
on 2016-04-20
-
Import patches-unapplied version 2.4.7-1ubuntu4.10 to ubuntu/trusty-proposed
Imported using git-ubuntu import.
Changelog parent: 7d9ca92cae55b0bdd87b7fd64ded8f17e77e84ab
New changelog entries:
* Add apache2 specific modification needed along with fix to
libapache2-mpm-itk so it becomes installable again (LP: #1286882):
- Removes warning on mpm_itk use
- Removes conflicts on mpm_itk
-
7d9ca92...
by
Dave Chiluk
on 2016-01-13
-
Import patches-unapplied version 2.4.7-1ubuntu4.9 to ubuntu/trusty-proposed
Imported using git-ubuntu import.
Changelog parent: 90ca46e36d58ecf124b43f0715c67ea578fabc34
New changelog entries:
* Force disablereuse on for mod_proxy_wstunnel. Fixes "Unable to connect to:
ws://<maas IP>:/MAAS/ws" errors with maas, and other proxy applications.
https://bz.apache.org/bugzilla/show_bug.cgi?id=55890
(LP: #1484696).
-
90ca46e...
by
Jeffrey Hutzelman <email address hidden>
on 2015-10-08
-
Import patches-unapplied version 2.4.7-1ubuntu4.8 to ubuntu/trusty-proposed
Imported using git-ubuntu import.
Changelog parent: d9c682ad7724b64fc68380d9db89d78be93ce235
New changelog entries:
* Fix -D[efined] or <Define>[d] variables lifetime across restarts.
This fixes incorrect processing of configuration files on reload
(LP: #1504354).
