lp://staging/ubuntu/maverick-security/apache2

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

64. By Marc Deslauriers on 2012-02-14

* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
  directive (LP: #811422)
  - debian/patches/215_CVE-2011-3607.dpatch: validate length in
    server/util.c.
  - CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
  - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
    modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
    server/protocol.c.
  - CVE-2011-4317
* SECURITY UPDATE: denial of service and possible code execution via
  type field modification within a scoreboard shared memory segment
  - debian/patches/218_CVE-2012-0031.dpatch: check type field in
    server/scoreboard.c.
  - CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
  - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
    server/protocol.c.
  - CVE-2012-0053

63. By Steve Beattie on 2011-11-02

* SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
  - debian/patches/212_CVE-2011-3368.dpatch: return 400
    on invalid requests. (patch courtesy of Michael Jeanson)
  - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
    0.9 protocol
  - CVE-2011-3368
* SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
  - debian/patches/213_CVE-2011-3348.dpatch: return
    HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
  - CVE-2011-3348
* SECURITY UPDATE: mpm-itk failure to drop privileges in certain
  configurations
  - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge
    configurations correctly
  - CVE-2011-1176
* Include additional fixes for regressions introduced by
  CVE-2011-3192 fixes
  - debian/patches/085_CVE-2011-3192_regression_part2.dpatch:
    take upstream fixes for byterange_filter.c through the 2.2.21
    release except for the added MaxRanges configuration option along
    with a fix staged for 2.2.22.

62. By Steve Beattie on 2011-09-01

* SECURITY UPDATE: Range header DoS vulnerability
  - debian/patches/084_CVE-2011-3192.dpatch: filter out large
    byte ranges and improve memory efficiency in handling buckets.
    (thanks to Debian and upstream)
  - CVE-2011-3192
* Include fix for regressions introduced by above patch:
  - debian/patches/085_CVE-2011-3192_regression.dpatch: return 206
    and 416 response codes where appropriate (see deban bug 639825)

61. By Marc Deslauriers on 2010-11-18

* SECURITY UPDATE: denial of service via memory leak in mod_reqtimeout.
  - debian/patches/204_CVE-2010-1623.dpatch: merge by small buckets to
    prevent high memory usage in modules/filters/mod_reqtimeout.c.
  - CVE-2010-1623

60. By Chuck Short on 2010-09-08

Revert "stty sane" to unbreak apache starting, this will have to be
fixed a different way. (LP: #626723)

59. By Chuck Short on 2010-08-25

debian/apache2.2-common.apache2.init: Add stty sane so that users will get a
password prompt when using apache-ssl. (LP: #582963)

58. By Chuck Short on 2010-07-26

* Merge from debian unstable. Remaining changes:
  - debian/{control, rules}: Enable PIE hardening.
  - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
  - debian/control: Add bzr tag and point it to our tree.
  - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)

57. By Chuck Short on 2010-05-05

* Merge from debian unstable. Remaining changes:
  - debian/{control, rules}: Enable PIE hardening.
  - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
  - debian/control: Add bzr tag and point it to our tree.
  - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
  + Dropped:
    - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
    - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
    - debian/config-dir/apache2.conf: Merged back from debian.
    - mod-reqtimeout functionality: Merge back from debian.
    - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
    - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
    - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.

56. By Chuck Short on 2010-04-13

debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
(LP: #562370)

55. By Chuck Short on 2009-12-23

Fix debian/rules