lp://staging/ubuntu/gutsy-security/apache2

Created by James Westby and last modified
Get this branch:
bzr branch lp://staging/ubuntu/gutsy-security/apache2
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

23. By Marc Deslauriers

[ Emanuele Gentili ]
* SECURITY UPDATE:
 + debian/patches/111_CVE-2008-2364.dpatch (LP: #239894)
  - The ap_proxy_http_process_response function in mod_proxy_http.c
    in the mod_proxy module does not limit the number of forwarded
    interim responses, which allows remote HTTP servers to cause a
    denial of service (memory consumption) via a large number of
    interim responses.
 + References
  - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364

[ Marc Deslauriers ]
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in "413 Request
  Entity Too Large" error message
  - debian/patches/107_CVE-2007-6203.dpatch: properly escape some error
    messages in modules/http/http_protocol.c.
  - CVE-2007-6203
* SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
  mod_proxy_balancer
  - debian/patches/108_CVE-2007-6420.dpatch: generate and validate a nonce in
    modules/proxy/mod_proxy_balancer.c.
  - CVE-2007-6420
* SECURITY UPDATE: Denial of service via memory leak in the zlib_stateful_init
  function (LP: #224945)
  - debian/patches/109_CVE-2008-1678.dpatch: don't call
    CRYPTO_cleanup_all_ex_data in modules/ssl/mod_ssl.c.
  - CVE-2008-1678
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability via UTF-7 encoded
  URLs
  - debian/patches/110_CVE-2008-2168.dpatch: specify a default charset in
    modules/dav/main/mod_dav.c, modules/generators/mod_info.c and
    modules/proxy/mod_proxy_balancer.c.
  - CVE-2008-2168
* SECURITY UPDATE: Denial of service via large number of interim responses in
  mod_proxy module (LP: #239894)
  - debian/patches/111_CVE-2008-2364.dpatch: updated patch to newer version.
  - CVE-2008-2364
* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
  mod_proxy_ftp module
  - debian/patches/112_CVE-2008-2939.dpatch: escape the html
    contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
  - CVE-2008-2939

22. By Jamie Strandboge

* SECURITY UPDATE: denial of service (application crash) when using
  mod_proxy in threaded MPM via crafted date headers.
* debian/patches/100_CVE-2007-3847.dpatch: fix proxy_util.c to use
  apr_date_parse_http() and apr_rfc822_date()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
  when charset not defined
* debian/patches/101_CVE-2007-4465.dpatch: fix mod_autoindex.c to properly
  check for and use charset
* SECURITY UPDATE: cross-site scripting vulnerability in mod_imagemap
* debian/patches/102_CVE-2007-5000.dpatch: fix for mod_imagemap.c to use
  ap_escape_html()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
  server-status is enabled
* debian/patches/103_CVE-2007-6388.dpatch: fix for mod_status.c to properly
  setup table
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_balancer
* debian/patches/104_CVE-2007-6421.dpatch: fix for mod_proxy_balancer.c to
  use ap_escape_html()
* SECURITY UPDATE: denial of service (application crash) in
  mod_proxy_balancer when MPM is used
* debian/patches/105_CVE-2007-6422.dpatch: fix for /mod_proxy_balancer.c to
  check bsel is non-NULL
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_ftp when
  charset is not defined
* debian/patches/106_CVE-2008-0005.dpatch: fix for mod_proxy_ftp.c to define
  a charset
* References
  CVE-2007-3847
  CVE-2007-4465
  CVE-2007-5000
  CVE-2007-6388
  CVE-2007-6421
  CVE-2007-6422
  CVE-2008-0005

21. By LaMont Jones

Trigger rebuild for hppa

20. By Stefan Fritsch

[ Stefan Fritsch ]
* enable default site on new installs again (Closes: #436341)
* make mod_authn_dbd depend on mod_dbd
* make a2dissite return 0 if a site is already disabled (Closes: #435398)
* make a2 scripts print errors to stderr (Closes: #435400)
* move TypesConfig directive from apache2.conf to mime.conf
  (Closes: #434248)

[ Adam Conrad ]
* Special case apache2-dbg magic in debian/rules, so we don't do
  this on Ubuntu, which has an archive of detached debug packages.

19. By Martin Pitt

debian/rules: Also remove apache2-dbg from debian/files on Ubuntu, so that
dpkg-genchanges does not choke.

18. By Martin Pitt

debian/rules: Do not do the black magic for producing the -dbg package on
Ubuntu, since it breaks with pkg-create-dbgsym and is not needed for the
same reason.

17. By Stefan Fritsch

* Modularize config: Move module specific configuration from apache2.conf
  to mods-available/*conf (Closes: #338472)
* Remove the NO_START kludge. Now you have to use rc*.d symlinks to disable
  apache2. (Closes: #408462, #275561)
* Create run and lock directores in apache2ctl to make it work on fresh
  installations before the first call of the init script. Together with
  the previous item, this closes: #418499
* Disable AddDefaultCharset again (Closes: #397886)
* Make ports.conf, conf.d/charset, and /etc/default/apache2 conffiles
  managed by dpkg
* Listen on port 443 by default if mod_ssl is loaded (Closes: #404598)
* Add logic to start htcacheclean as daemon or cronjob. The configuration
  is in /etc/default/apache2
* Fix security issues:
  - CVE-2007-3304: prevent parent process to send SIGUSR1 to arbitrary
    processes
  - CVE-2006-5752: XSS in mod_status
* Add init.d dependency info from insserv overrides to /etc/init.d/apache2
* Replace apachectl with apache2ctl in docs (Closes: #164493)
* Add usage message to apache2ctl (Closes: #359008)
* Make -dev packages priority extra
* Add secure example cipher/protocol configuration to ssl.conf
* Update watch file (Closes: #433552)
* Bump dh_compat to 5
* Add new package apache2-dbg with debugging symbols
* Fix mod_cache returning 304 instead of 200 on HEAD requests

16. By Stefan Fritsch

[ Stefan Fritsch ]
* Urgency medium for security fix
* Fix CVE-2007-1863: DoS in mod_cache
* New upstream version (Closes: #427050)
  - Fixes "proxy: error reading status line from remote server"
    (Closes: #410331)
* Fix CVE-2007-1862: mod_mem_cache DoS (introduced in 2.2.4)
* Change logrotate script to use reload instead of restart.
  (Closes: #298689)
* chmod o-rx /var/log/apache2 (Closes: #291841)
* chmod o-x suexec (Closes: #431048)
* Update patch for truncated mod_cgi 500 responses from upstream SVN
  (Closes: #412580)
* Don't use AddDefaultCharset for our docs (Closes: #414429)
* fix options syntax in sites-available/default (Closes: #419539)
* Move conf.d include to the end of apache2.conf (Closes: #305933)
* Remove log, cache, and lock files on purge (Closes: #428887)
* Ship /usr/lib/cgi-bin (Closes: #415698)
* Add note to README.Debian how to read docs (Closes: #350822)
* Document pid file name (Closes: #350286)
* Update Standards-Version (no changes needed)
* Fix some lintian warnings, add some overrides
* Start apache when doing a "restart" even if it was not running
  (Closes: #384682)
* reload config in apache2-doc postinst (Closes: #289289)
* don't fail in prerm if apache is not running (Closes: #418536)
* Suggest apache2-doc and www-browser (Closes: #399056)
* Make init script always display a warning if NO_START=1 since
  VERBOSE=yes is not the default anymore (Closes: #430116)
* Replace apache2(8) man page with a more current version
* Add httxt2dbm(8) man page
* Show -X option in help message (Closes: #391817)
* remove sick-hack-to-update-modules
* don't depend on procps on hurd (Closes: #431125)

[ Peter Samuelson ]
* Add shlibs:Depends to apache2.2-common.

15. By Stefan Fritsch

[ Tollef Fog Heen ]
* Fix up apache2-src so the .tar.gz contains an apache2 top level
  directory.
* Make apache2 MPMs provide and conflict with apache2-mpm so other
  packages can provide MPMs too.
* Get rid of 2.1 references from descriptions. (Closes: #400981)

[ Thom May ]
* Let the init script cope with multiple pid files correctly. Probably we
  shouldn't be doing this at all, but we might as well do it properly!
  (Closes: #396162)
* Add a sensible autoindex default config
* Add patch from upstream to ensure that mod_cgi 500 responses aren't
  truncated (Closes: #412580)
* Use graceful-stop to shutdown apache to ensure we cope nicely with long
  running or blocked children

[ Peter Samuelson ]
* Ship apache2 manpage in apache2.2-common. (Closes: #391813)
* Rearrange init script so that 'force-reload' is the same as 'reload'.
  (Closes: #401053)
* Add Build-Depends: mawk. (Closes: #403682)
* Add a needed <IfModule mod_include.c> guard to apache2.conf.
  (Closes: #407307)
* Stop shipping /var/run/apache2/ as it is created at runtime anyway.
* Move the /var/lock/apache2 owner fix from the apache2.2-common
  postinst to the init script, as /var/lock may not persist across
  reboots. (Closes: #420101)

[ Stefan Fritsch ]
* Add Build-Depends: libssl-dev, zlib1g-dev (Closes: #399043)
* Add XS-Vcs-* to debian/control
* Improve handling of empty $MODNAME in a2enmod (Closes: #422589)
* Treat apache2-mpm-itk as prefork in a2enmod (Closes: #412602)
* Re-add README.Debian and describe
  - the config dir layout (closes: #419552)
  - which files are ignored by Include
  - when and how to change "restart" to "reload" in the logrotate script
* When purging, remove {mods,sites}-enabled symlinks and the config files
  created by postinst (Closes: #397789)
* Fix suexec to log after a cgi error (Closes: #312385)
* Add watch file
* Add AddType for .bz2 (Closes: #416322)
* Make init script messages conform better to policy (Closes: #390348)
  and exit with failure if called with unknown parameter (Closes: #412407)
* Fix segfault in mod_proxy_ftp when FTP server sends back no spaces
  (Closes: #413727)
* Ship /etc/apache2/conf.d/apache2-doc (Closes: #418464)
* Tell the user when selecting cgid instead of cgi (Closes: #428058)
* Add a2ensite/a2dissite man pages (Closes: #322385)
* Comment out CacheEnable by default, to prevent filling up /var.
  Document the problem in README.Debian and NEWS.Debian, point to
  htcacheclean and give a warning when doing a2enmod disk_cache
  (Closes: #423653).
* Add myself to Uploaders.

14. By Peter Samuelson <email address hidden>

* High-urgency upload for RC bugfixes.
* Ack NMUs - thanks Andi, Steve.
* Refactor apache2.2-common.postinst slightly, to account for sarge
  upgrades (since it's a new package name, rather than an upgrade).
  (Closes: #396782, #415775)
* If mod_proxy was configured in sarge, add proxy_http and
  disk_cache modules, which used to be included in the mod_proxy config.
  (Closes: #407171)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp://staging/ubuntu/lucid/apache2
This branch contains Public information 
Everyone can see this information.

Subscribers