apache2 2.4.10-10+deb8u8 source package in Debian


apache2 (2.4.10-10+deb8u8) jessie-security; urgency=medium

  * CVE-2016-8743: Enforce more HTTP conformance for request lines and
    request headers, to prevent response splitting and cache pollution
    by malicious clients or downstream proxies.
    If this causes problems with non-conforming clients, some checks can
    be relaxed by adding the new directive 'HttpProtocolOptions unsafe'
    to the configuration.
    Differently than the upstream 2.4.25 release which will also be in the
    Debian 9 (stretch) release, this update for Debian 8 (jessie) accepts
    underscores in host and domain names even while 'HttpProtocolOptions
    strict' is in effect.
    More information is available at
  * CVE-2016-0736: mod_session_crypto: Prevent padding oracle attack.
  * CVE-2016-2161: mod_auth_digest: Prevent segfaults when the shared memory
    space is exhausted.
  * Activate mod_reqtimeout in new installs and during updates from
    before 2.4.10-10+deb8u8. It was wrongly not activated in new installs
    since jessie. This made the default installation vulnerable to some
    DoS attacks.
  * Don't run 2.2 to 2.4 upgrade logic again when upgrading from
    2.4.10-10+deb8u*. Closes: #836818

 -- Stefan Fritsch <email address hidden>  Fri, 24 Feb 2017 19:36:41 +0100

Upload details

Uploaded by:
Debian Apache Maintainers on 2017-05-07
Uploaded to:
Original maintainer:
Debian Apache Maintainers
any all
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section



File Size SHA-256 Checksum
apache2_2.4.10-10+deb8u8.dsc 3.2 KiB c20dc666e6192c3db716e1dfb60afed3248aabd9a2d3232301a11fe8d936dac6
apache2_2.4.10.orig.tar.bz2 4.8 MiB 176c4dac1a745f07b7b91e7f4fd48f9c48049fa6f088efe758d61d9738669c6a
apache2_2.4.10-10+deb8u8.debian.tar.xz 542.5 KiB 352be8c8245c162a9d97cf167a904fd1684904ffede565f23a654935701b40fa

No changes file available.

Binary packages built by this source