Change log for apache2 package in Ubuntu
| 226 → 269 of 419 results | First • Previous • Next • Last |
apache2 (2.2.8-3) unstable; urgency=low
* mod_cache: Handle If-Range correctly if the cached resource was stale
(closes: #47065).
* mod_autodindex: Use UTF-8 as character set for filenames in the default
configuration. Change this in autoindex.conf if you are still using
ISO-8859-1.
* Introduce APACHE_RUN_DIR and APACHE_LOCK_DIR in apache2ctl. Also, make it
use APACHE_RUN_USER instead of APACHE2_RUN_USER, to be consistent with
apache2.conf.
* Add 'status' function to init script (adapted from patch by Dustin
Kirkland).
* Don't build the modules three times. We are only shipping one set of them,
anyway. (Inspired by the Fedora package.)
* Remove Fabio M. Di Nitto from the uploaders field (thanks for your work).
apache2 (2.2.4-3ubuntu0.1) gutsy-security; urgency=low
* SECURITY UPDATE: denial of service (application crash) when using
mod_proxy in threaded MPM via crafted date headers.
* debian/patches/100_CVE-2007-3847.dpatch: fix proxy_util.c to use
apr_date_parse_http() and apr_rfc822_date()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
when charset not defined
* debian/patches/101_CVE-2007-4465.dpatch: fix mod_autoindex.c to properly
check for and use charset
* SECURITY UPDATE: cross-site scripting vulnerability in mod_imagemap
* debian/patches/102_CVE-2007-5000.dpatch: fix for mod_imagemap.c to use
ap_escape_html()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
server-status is enabled
* debian/patches/103_CVE-2007-6388.dpatch: fix for mod_status.c to properly
setup table
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_balancer
* debian/patches/104_CVE-2007-6421.dpatch: fix for mod_proxy_balancer.c to
use ap_escape_html()
* SECURITY UPDATE: denial of service (application crash) in
mod_proxy_balancer when MPM is used
* debian/patches/105_CVE-2007-6422.dpatch: fix for /mod_proxy_balancer.c to
check bsel is non-NULL
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_ftp when
charset is not defined
* debian/patches/106_CVE-2008-0005.dpatch: fix for mod_proxy_ftp.c to define
a charset
* References
CVE-2007-3847
CVE-2007-4465
CVE-2007-5000
CVE-2007-6388
CVE-2007-6421
CVE-2007-6422
CVE-2008-0005
-- Jamie Strandboge <email address hidden> Tue, 22 Jan 2008 18:28:27 +0000
apache2 (2.2.3-3.2ubuntu2.1) feisty-security; urgency=low
* SECURITY UPDATE: denial of service (application crash) when using
mod_proxy in threaded MPM via crafted date headers.
* debian/patches/100_CVE-2007-3847.dpatch: fix proxy_util.c to use
apr_date_parse_http() and apr_rfc822_date()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
when charset not defined
* debian/patches/101_CVE-2007-4465.dpatch: fix mod_autoindex.c to properly
check for and use charset
* SECURITY UPDATE: cross-site scripting vulnerability in mod_imagemap
* debian/patches/102_CVE-2007-5000.dpatch: fix for mod_imagemap.c to use
ap_escape_html()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
server-status is enabled
* debian/patches/103_CVE-2007-6388.dpatch: fix for mod_status.c to properly
setup table
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_balancer
* debian/patches/104_CVE-2007-6421.dpatch: fix for mod_proxy_balancer.c to
use ap_escape_html()
* SECURITY UPDATE: denial of service (application crash) in
mod_proxy_balancer when MPM is used
* debian/patches/105_CVE-2007-6422.dpatch: fix for /mod_proxy_balancer.c to
check bsel is non-NULL
* SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_ftp when
charset is not defined
* debian/patches/106_CVE-2008-0005.dpatch: fix for mod_proxy_ftp.c to define
a charset
* References
CVE-2007-3847
CVE-2007-4465
CVE-2007-5000
CVE-2007-6388
CVE-2007-6421
CVE-2007-6422
CVE-2008-0005
-- Jamie Strandboge <email address hidden> Tue, 29 Jan 2008 17:34:21 +0000
apache2 (2.0.55-4ubuntu4.2) edgy-security; urgency=low
* SECURITY UPDATE: denial of service (application crash) when using
mod_proxy in threaded MPM via crafted date headers.
* debian/patches/100_CVE-2007-3847.patch: fix proxy_util.c to use
apr_date_parse_http() and apr_rfc822_date()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
when charset not defined
* debian/patches/101_CVE-2007-4465.patch: fix mod_autoindex.c to properly
check for and use charset
* SECURITY UPDATE: cross-site scripting vulnerability in mod_imap
* debian/patches/102_CVE-2007-5000.patch: fix for mod_imap.c to use
ap_escape_html()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
server-status is enabled
* debian/patches/103_CVE-2007-6388.patch: fix for mod_status.c to properly
setup table
* SECURITY UPDATE: cross-site scripting vulnerability in proxy_ftp when
charset is not defined
* debian/patches/104_CVE-2008-0005.patch: fix for proxy_ftp.c to define
a charset
* SECURITY UPDATE: cross-site scripting vulnerability in Expect headers
* debian/patches/105_CVE-2006-3918.patch: fix for http_protocol.c to use
ap_escape_html()
* References
CVE-2007-3847
CVE-2007-4465
CVE-2007-5000
CVE-2007-6388
CVE-2008-0005
CVE-2006-3918
-- Jamie Strandboge <email address hidden> Tue, 29 Jan 2008 20:12:00 +0000
apache2 (2.0.55-4ubuntu2.3) dapper-security; urgency=low
* SECURITY UPDATE: denial of service (application crash) when using
mod_proxy in threaded MPM via crafted date headers.
* debian/patches/100_CVE-2007-3847.patch: fix proxy_util.c to use
apr_date_parse_http() and apr_rfc822_date()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
when charset not defined
* debian/patches/101_CVE-2007-4465.patch: fix mod_autoindex.c to properly
check for and use charset
* SECURITY UPDATE: cross-site scripting vulnerability in mod_imap
* debian/patches/102_CVE-2007-5000.patch: fix for mod_imap.c to use
ap_escape_html()
* SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
server-status is enabled
* debian/patches/103_CVE-2007-6388.patch: fix for mod_status.c to properly
setup table
* SECURITY UPDATE: cross-site scripting vulnerability in proxy_ftp when
charset is not defined
* debian/patches/104_CVE-2008-0005.patch: fix for proxy_ftp.c to define
a charset
* SECURITY UPDATE: cross-site scripting vulnerability in Expect headers
* debian/patches/105_CVE-2006-3918.patch: fix for http_protocol.c to use
ap_escape_html()
* References
CVE-2007-3847
CVE-2007-4465
CVE-2007-5000
CVE-2007-6388
CVE-2008-0005
CVE-2006-3918
-- Jamie Strandboge <email address hidden> Tue, 29 Jan 2008 20:18:52 +0000
apache2 (2.2.8-1) unstable; urgency=low
* New upstream version:
- Fixes cross-site scripting issues in
o mod_imagemap (CVE-2007-5000)
o mod_status (CVE-2007-6388)
o mod_proxy_balancer's balancer manager (CVE-2007-6421)
- Fixes a denial of service issue in mod_proxy_balancer's balancer manager
(CVE-2007-6422).
- Fixes mod_proxy URL encoding in error messages (closes: #337325).
- Adds explicit charset to the output of various modules to work around
possible cross-site scripting flaws affecting web browsers that do not
derive the response character set as required by RFC2616. For
mod_proxy_ftp there is now the new ProxyFtpDirCharset directive to
specify something else than ISO-8859-1 (CVE-2008-0005).
- Adds mod_substitute which performs inline response content pattern
matching (including regex) and substitution (like mod_line_edit).
- Adds "DefaultType none" option.
- Adds new "B" option to RewriteRule to suppress URL unescaping.
- Adds an "if" directive for mod_include to test whether an URL is
accessible, and if so, conditionally display content.
- Adds support for mod_ssl to the event MPM.
* Move the configuration of User, Group, and PidFile to
/etc/apache2/envvars. This makes it easier to use these settings in
scripts. /etc/apache2/envvars can now also be used to influence apache2ctl
(inspired by Marc Haber's patch). (Closes: #349709, #460105, #458085)
* Make apache2ctl check the configuration syntax before trying to restart
apache, to match the behaviour documented in the man page.
(Closes: #459236)
* Convert docs to be directly viewable with a browser (and not use content
negotiation).
* Add doc-base entry for the documentation. (closes: #311269)
* Don't ship default files in /var/www, but copy a sample file to
/var/www/index.html on new installs. Also remove the now unneeded
RedirectMatch line from sites-available/default.
(Closes: #411774, #458093)
* Add some information to README.Debian (Apache wiki, default virtual host)
* Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary
dependencies, easing library transitions (closes: #458857).
* Add icons for OpenDocuments, add sharutils to Build-Depends for uudecode.
Patch by Nicolas Valcárcel. (Closes: #436441)
* Add reportbug script to list enabled modules.
* Fix some lintian warnings:
- Pass --no-start to dh_installinit instead of omitting the debhelper token
in various maintainer scripts. Also move the update-rc.d call to
apache2.2-common.
- Add Short-Description to init script.
* Remove unused apache2-mpm-prefork.prerm from source package and clean up
debian/rules a bit.
* Don't ship NEWS.Debian with apache2-utils, as the contents are only
relevant for the server.
-- Mathias Gug <email address hidden> Fri, 01 Feb 2008 16:24:43 +0000
| Superseded in hardy-release |
apache2 (2.2.6-3ubuntu2) hardy; urgency=low
[ Nicolas Valcárcel ]
* Added icons for OpenDocuments by default on mime.conf
(Closes: LP: #130836)
* Icons added to the package in uuencode format
* Added sharutils to Build-Depends on debian/control for uuencode
* debian/apache2.2-common.apache2.init:
- Only look for *.conf files in /etc/apache2 when searching for pidfiles
(Closes: LP: #112991) Thanks to Daniel Hahler for the patch
[ Soren Hansen ]
* Clean up after OpenDocument icon generation
-- Soren Hansen <email address hidden> Wed, 16 Jan 2008 08:52:01 +0100
| Superseded in hardy-release |
apache2 (2.2.6-3ubuntu1) hardy; urgency=low
* Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary
dependencies (including db4.5).
* Modify Maintainer value to match the DebianMaintainerField
specification.
-- Martin Pitt <email address hidden> Thu, 03 Jan 2008 11:19:10 +0100
apache2 (2.2.6-3) unstable; urgency=low
* Allocate fewer bucket brigades in case of a flush bucket. This might help
with the memory leaks reported in #399776 and #421557.
* Escape the HTTP method in error messages to avoid potential cross site
scripting vulnerabilities (CVE-2007-6203).
* Update 053_bad_file_descriptor_PR42829.dpatch to avoid a race condition.
* Redirect /doc/apache2-doc/manual/ to /manual/ in the apache2-doc config
(Closes: #450867).
* Add icons for .ogg and .ogm (Closes: #255443).
* Add comment about how to log X-Forwarded-For (Closes: #425008).
* Make mod_proxy_balancer not depend on mod_cache.
* Add Homepage field to debian/control.
* Add/fix some lintian overrides, fix some warnings.
* Bump Standards-Version (no changes).
-- Ubuntu Archive Auto-Sync <email address hidden> Sun, 09 Dec 2007 19:02:32 +0000
apache2 (2.2.3-3.2ubuntu2) feisty-proposed; urgency=low
* debian/apache2.2-common.init.d: make sure that /var/lock/apache2 is owned
by www-data. Fixes LP: #129920.
-- Mathias Gug <email address hidden> Wed, 21 Nov 2007 16:55:25 -0500
apache2 (2.2.6-2) unstable; urgency=low
* Avoid calling apr_pollset_poll() and accept_func() when the listening
sockets have already been closed on graceful stop or reload. This
hopefully fixes processes not being killed (closes: #445263, #447164)
and the "Bad file descriptor: apr_socket_accept: (client socket)"
error message (closes: #400918, #443310)
* Allow logresolve to process long lines (Closes: #331631)
* Remove duplicate config examples (Closes: #294662)
* Include README.backtrace describing how to create a backtrace
* Add CVE reference to 2.2.6-1 changelog entry
apache2 (2.2.4-3build1) gutsy; urgency=low * Trigger rebuild for hppa -- LaMont Jones <email address hidden> Thu, 04 Oct 2007 11:58:34 -0600
apache2 (2.2.3-3.2ubuntu0.1) feisty-security; urgency=low
* SECURITY UPDATE: XSS in mod_status, DoS in mod_cache, signal passing.
* Backported fixes from upstream and Debian updates:
- CVE-2007-1863: fixed DoS via mod_cache headers.
http://svn.apache.org/viewvc?view=rev&revision=551944
- CVE-2007-3304: stop signals from being sent to other processes.
http://svn.apache.org/viewvc?view=rev&revision=547987
- CVE-2006-5752: fixed XSS in status report.
http://svn.apache.org/viewvc?view=rev&revision=549159
-- Kees Cook <email address hidden> Wed, 15 Aug 2007 15:32:31 -0700
apache2 (2.0.55-4ubuntu4.1) edgy-security; urgency=low
* SECURITY UPDATE: XSS in mod_status, bad signal passing.
* Backported fixes from upstream:
- CVE-2007-3304: stop signals from being sent to other processes.
http://svn.apache.org/viewvc?view=rev&revision=547987
- CVE-2006-5752: fixed XSS in status report.
http://svn.apache.org/viewvc?view=rev&revision=549159
-- Kees Cook <email address hidden> Wed, 15 Aug 2007 15:32:31 -0700
apache2 (2.0.55-4ubuntu2.2) dapper-security; urgency=low
* SECURITY UPDATE: XSS in mod_status, bad signal passing.
* Backported fixes from upstream:
- CVE-2007-3304: stop signals from being sent to other processes.
http://svn.apache.org/viewvc?view=rev&revision=547987
- CVE-2006-5752: fixed XSS in status report.
http://svn.apache.org/viewvc?view=rev&revision=549159
-- Kees Cook <email address hidden> Wed, 15 Aug 2007 15:32:31 -0700
apache2 (2.2.4-3) unstable; urgency=low
[ Stefan Fritsch ]
* enable default site on new installs again (Closes: #436341)
* make mod_authn_dbd depend on mod_dbd
* make a2dissite return 0 if a site is already disabled (Closes: #435398)
* make a2 scripts print errors to stderr (Closes: #435400)
* move TypesConfig directive from apache2.conf to mime.conf
(Closes: #434248)
[ Adam Conrad ]
* Special case apache2-dbg magic in debian/rules, so we don't do
this on Ubuntu, which has an archive of detached debug packages.
-- Martin Pitt <email address hidden> Wed, 08 Aug 2007 23:19:13 +0100
| Deleted in feisty-proposed (Reason: SRU superseded by security) |
apache2 (2.2.3-3.2ubuntu1) feisty-proposed; urgency=low
* debian/apache2.2-common.init.d: make sure that /var/lock/apache2 is owned
by www-data. Fixes LP: #129920.
* debian/control: Set Maintainer to Ubuntu Core Dev and move Debian
maintainer to XSBC-Original-Maintainer.
-- Mathias Gug <email address hidden> Fri, 3 Aug 2007 10:03:57 -0400
| Superseded in gutsy-release |
apache2 (2.2.4-2ubuntu2) gutsy; urgency=low
* debian/rules: Also remove apache2-dbg from debian/files on Ubuntu, so that
dpkg-genchanges does not choke.
-- Martin Pitt <email address hidden> Wed, 01 Aug 2007 12:05:25 +0200
| Superseded in gutsy-release |
apache2 (2.2.4-2ubuntu1) gutsy; urgency=low
* debian/rules: Do not do the black magic for producing the -dbg package on
Ubuntu, since it breaks with pkg-create-dbgsym and is not needed for the
same reason.
-- Martin Pitt <email address hidden> Wed, 01 Aug 2007 10:19:48 +0200
apache2 (2.2.4-2) unstable; urgency=low
* Modularize config: Move module specific configuration from apache2.conf
to mods-available/*conf (Closes: #338472)
* Remove the NO_START kludge. Now you have to use rc*.d symlinks to disable
apache2. (Closes: #408462, #275561)
* Create run and lock directores in apache2ctl to make it work on fresh
installations before the first call of the init script. Together with
the previous item, this closes: #418499
* Disable AddDefaultCharset again (Closes: #397886)
* Make ports.conf, conf.d/charset, and /etc/default/apache2 conffiles
managed by dpkg
* Listen on port 443 by default if mod_ssl is loaded (Closes: #404598)
* Add logic to start htcacheclean as daemon or cronjob. The configuration
is in /etc/default/apache2
* Fix security issues:
- CVE-2007-3304: prevent parent process to send SIGUSR1 to arbitrary
processes
- CVE-2006-5752: XSS in mod_status
* Add init.d dependency info from insserv overrides to /etc/init.d/apache2
* Replace apachectl with apache2ctl in docs (Closes: #164493)
* Add usage message to apache2ctl (Closes: #359008)
* Make -dev packages priority extra
* Add secure example cipher/protocol configuration to ssl.conf
* Update watch file (Closes: #433552)
* Bump dh_compat to 5
* Add new package apache2-dbg with debugging symbols
* Fix mod_cache returning 304 instead of 200 on HEAD requests
-- Michael Bienia <email address hidden> Thu, 26 Jul 2007 18:19:38 +0100
apache2 (2.2.4-1) unstable; urgency=medium
[ Stefan Fritsch ]
* Urgency medium for security fix
* Fix CVE-2007-1863: DoS in mod_cache
* New upstream version (Closes: #427050)
- Fixes "proxy: error reading status line from remote server"
(Closes: #410331)
* Fix CVE-2007-1862: mod_mem_cache DoS (introduced in 2.2.4)
* Change logrotate script to use reload instead of restart.
(Closes: #298689)
* chmod o-rx /var/log/apache2 (Closes: #291841)
* chmod o-x suexec (Closes: #431048)
* Update patch for truncated mod_cgi 500 responses from upstream SVN
(Closes: #412580)
* Don't use AddDefaultCharset for our docs (Closes: #414429)
* fix options syntax in sites-available/default (Closes: #419539)
* Move conf.d include to the end of apache2.conf (Closes: #305933)
* Remove log, cache, and lock files on purge (Closes: #428887)
* Ship /usr/lib/cgi-bin (Closes: #415698)
* Add note to README.Debian how to read docs (Closes: #350822)
* Document pid file name (Closes: #350286)
* Update Standards-Version (no changes needed)
* Fix some lintian warnings, add some overrides
* Start apache when doing a "restart" even if it was not running
(Closes: #384682)
* reload config in apache2-doc postinst (Closes: #289289)
* don't fail in prerm if apache is not running (Closes: #418536)
* Suggest apache2-doc and www-browser (Closes: #399056)
* Make init script always display a warning if NO_START=1 since
VERBOSE=yes is not the default anymore (Closes: #430116)
* Replace apache2(8) man page with a more current version
* Add httxt2dbm(8) man page
* Show -X option in help message (Closes: #391817)
* remove sick-hack-to-update-modules
* don't depend on procps on hurd (Closes: #431125)
[ Peter Samuelson ]
* Add shlibs:Depends to apache2.2-common.
-- Kees Cook <email address hidden> Thu, 05 Jul 2007 10:18:25 +0100
apache2 (2.2.3-5) unstable; urgency=low
[ Tollef Fog Heen ]
* Fix up apache2-src so the .tar.gz contains an apache2 top level
directory.
* Make apache2 MPMs provide and conflict with apache2-mpm so other
packages can provide MPMs too.
* Get rid of 2.1 references from descriptions. (Closes: #400981)
[ Thom May ]
* Let the init script cope with multiple pid files correctly. Probably we
shouldn't be doing this at all, but we might as well do it properly!
(Closes: #396162)
* Add a sensible autoindex default config
* Add patch from upstream to ensure that mod_cgi 500 responses aren't
truncated (Closes: #412580)
* Use graceful-stop to shutdown apache to ensure we cope nicely with long
running or blocked children
[ Peter Samuelson ]
* Ship apache2 manpage in apache2.2-common. (Closes: #391813)
* Rearrange init script so that 'force-reload' is the same as 'reload'.
(Closes: #401053)
* Add Build-Depends: mawk. (Closes: #403682)
* Add a needed <IfModule mod_include.c> guard to apache2.conf.
(Closes: #407307)
* Stop shipping /var/run/apache2/ as it is created at runtime anyway.
* Move the /var/lock/apache2 owner fix from the apache2.2-common
postinst to the init script, as /var/lock may not persist across
reboots. (Closes: #420101)
[ Stefan Fritsch ]
* Add Build-Depends: libssl-dev, zlib1g-dev (Closes: #399043)
* Add XS-Vcs-* to debian/control
* Improve handling of empty $MODNAME in a2enmod (Closes: #422589)
* Treat apache2-mpm-itk as prefork in a2enmod (Closes: #412602)
* Re-add README.Debian and describe
- the config dir layout (closes: #419552)
- which files are ignored by Include
- when and how to change "restart" to "reload" in the logrotate script
* When purging, remove {mods,sites}-enabled symlinks and the config files
created by postinst (Closes: #397789)
* Fix suexec to log after a cgi error (Closes: #312385)
* Add watch file
* Add AddType for .bz2 (Closes: #416322)
* Make init script messages conform better to policy (Closes: #390348)
and exit with failure if called with unknown parameter (Closes: #412407)
* Fix segfault in mod_proxy_ftp when FTP server sends back no spaces
(Closes: #413727)
* Ship /etc/apache2/conf.d/apache2-doc (Closes: #418464)
* Tell the user when selecting cgid instead of cgi (Closes: #428058)
* Add a2ensite/a2dissite man pages (Closes: #322385)
* Comment out CacheEnable by default, to prevent filling up /var.
Document the problem in README.Debian and NEWS.Debian, point to
htcacheclean and give a warning when doing a2enmod disk_cache
(Closes: #423653).
* Add myself to Uploaders.
-- Ubuntu Archive Auto-Sync <email address hidden> Mon, 11 Jun 2007 18:39:11 +0100
apache2 (2.2.3-4) unstable; urgency=high
* High-urgency upload for RC bugfixes.
* Ack NMUs - thanks Andi, Steve.
* Refactor apache2.2-common.postinst slightly, to account for sarge
upgrades (since it's a new package name, rather than an upgrade).
(Closes: #396782, #415775)
* If mod_proxy was configured in sarge, add proxy_http and
disk_cache modules, which used to be included in the mod_proxy config.
(Closes: #407171)
apache2 (2.2.3-3.2build1) feisty; urgency=low * No-change upload for the libpq4->libpq5 transition. -- Martin Pitt <email address hidden> Mon, 15 Jan 2007 17:10:39 +0100
apache2 (2.2.3-3.2) unstable; urgency=high
* Non-maintainer upload.
* 043_ajp_connection_reuse: Patch from upstream Bugzilla, fixing a critical
issue with regard to connection reuse in mod_proxy_ajp.
Closes: #396265
apache2 (2.0.55-4ubuntu4) edgy; urgency=low
* Add debian/patches/054_restore_prefix_fix:
- Fix autoconf macros to work with autoconf 2.60 (AC_CANONICAL_SYSTEM
overwrites $@ in 2.60, see Debian bug #372179), so that the package
builds again on recent Edgy.
- Thanks to Daniel Schepler <email address hidden> for this patch
(taken from Debian #374160)
- Closes: LP#62242
-- Martin Pitt <email address hidden> Wed, 27 Sep 2006 16:23:09 +0200
| Superseded in dapper-security |
apache2 (2.0.55-4ubuntu2.1) dapper-security; urgency=low
* SECURITY UPDATE: Remote DoS, potential remote code execution.
* Add debian/patches/053_mod_rewite_CVE-2006-3747:
- Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
- Reported by Mark Dowd of McAfee Avert Labs.
- CVE-2006-3747
-- Martin Pitt <email address hidden> Wed, 26 Jul 2006 07:14:56 +0000
| Obsolete in breezy-security |
apache2 (2.0.54-5ubuntu4.1) breezy-security; urgency=low
* SECURITY UPDATE: Remote DoS, potential remote code execution.
* Add debian/patches/053_mod_rewite_CVE-2006-3747:
- Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
- Reported by Mark Dowd of McAfee Avert Labs.
- CVE-2006-3747
-- Martin Pitt <email address hidden> Wed, 26 Jul 2006 07:18:39 +0000
| Obsolete in hoary-security |
apache2 (2.0.53-5ubuntu5.6) hoary-security; urgency=low
* SECURITY UPDATE: Remote DoS, potential remote code execution.
* Add debian/patches/053_mod_rewite_CVE-2006-3747:
- Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
- Reported by Mark Dowd of McAfee Avert Labs.
- CVE-2006-3747
-- Martin Pitt <email address hidden> Wed, 26 Jul 2006 07:20:37 +0000
| Superseded in edgy-release |
apache2 (2.0.55-4ubuntu3) edgy; urgency=low
* SECURITY UPDATE: Remote DoS, potential remote code execution.
* Add debian/patches/053_mod_rewite_CVE-2006-3747:
- Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
- Reported by Mark Dowd of McAfee Avert Labs.
- CVE-2006-3747
-- Martin Pitt <email address hidden> Wed, 26 Jul 2006 07:14:56 +0000
apache2 (2.0.55-4ubuntu2) dapper; urgency=low
* Include patch from SVN HEAD to make sure LFS works on 64-bit platforms
where sendfile() doesn't like dealing with anything larger than 32-bit
chunks. Yes, Linux 2.6, I'm looking at you (see: launchpad.net/11850)
-- Adam Conrad <email address hidden> Fri, 26 May 2006 20:12:28 +1000
| Superseded in dapper-release |
apache2 (2.0.55-4ubuntu1) dapper; urgency=low
* Restore the "a2enmod userdir" that went missing in the "cruft cleaning"
in the last upload, since it's required to sanely configure new setups.
-- Adam Conrad <email address hidden> Mon, 22 May 2006 10:20:22 +1000
apache2 (2.0.55-4) unstable; urgency=low
* Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
* Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in
threaded MPMs when making a non-SSL connection to an SSL-enabled port
on a server with a custom 400 error document defined; see CVE-2005-3357
* Clean up our use of trailing slashes on directories in debian/rules, so
the newer, pickier, obviously very improved coreutils doesn't bite us.
* Remove some cruft from apache2-common's postinst, dealing with upgrade
scenarios from versions older than those released in Sarge or Warty.
* Use "SHELL := sh -e" in debian/rules, so the build will stop on shell
errors, instead of blundering on to later make targets (closes: #340761)
* Recreate /var/run/apache2 and /var/lock/apache2 in our init script, in
case the user has /var/run and /var/lock on tmpfs, which is fasionable.
* Make our init script a /bin/bash script instead of a /bin/sh script, so
we can abuse it with regex globbing (#348189, #347962, #340955, #342008)
* Take patch from Adrian Bridgett to output errors from our config test
in the init script, but only do so when we're VERBOSE (closes: #339323)
* In the spirit of the LSB, make our init script exit 2 when called with
incorrect arguments, and exit 4 when asked for status (closes: #330275)
* Fix the default site to not mix configuration syntax (closes: #345922)
* Mention apxs2 in the apache2-*-dev long descriptions (closes: #307921)
-- Adam Conrad <adconrad@0c3.net> Sat, 26 Nov 2005 19:06:32 +1100
| Superseded in breezy-security |
apache2 (2.0.54-5ubuntu4) breezy-security; urgency=low
* SECURITY UPDATE: Remote DoS and Cross-Site Scripting vulnerability.
- Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
- Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in
threaded MPMs when making a non-SSL connection to an SSL-enabled port
on a server with a custom 400 error document defined; see CVE-2005-3357
-- Adam Conrad <email address hidden> Sun, 8 Jan 2006 00:01:47 +1100
| Superseded in hoary-security |
apache2 (2.0.53-5ubuntu5.5) hoary-security; urgency=low
* SECURITY UPDATE: Remote DoS and Cross-Site Scripting vulnerability.
- Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
- Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in
threaded MPMs when making a non-SSL connection to an SSL-enabled port
on a server with a custom 400 error document defined; see CVE-2005-3357
-- Adam Conrad <email address hidden> Sun, 8 Jan 2006 00:01:38 +1100
| Obsolete in warty-security |
apache2 (2.0.50-12ubuntu4.10) warty-security; urgency=low
* SECURITY UPDATE: Remote DoS and Cross-Site Scripting vulnerability.
- Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
- Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in
threaded MPMs when making a non-SSL connection to an SSL-enabled port
on a server with a custom 400 error document defined; see CVE-2005-3357
-- Adam Conrad <email address hidden> Sun, 8 Jan 2006 00:00:08 +1100
apache2 (2.0.55-3) unstable; urgency=low
* Brown paper bag release: Tidy up CFLAGS and APR configure call to make
sure that what we link to agrees with what apu-config tells others to do.
-- Adam Conrad <adconrad@0c3.net> Mon, 24 Oct 2005 13:02:52 +1000
| Superseded in dapper-release |
apache2 (2.0.55-3build1) dapper; urgency=low * Rebuild for libstdc++ allocator change -- Matthias Klose <email address hidden> Thu, 24 Nov 2005 12:16:41 +0000
| Superseded in breezy-security |
apache2 (2.0.54-5ubuntu3) breezy-security; urgency=low
* SECURITY UPDATE: Memory exhaustion denial of service in apache2-mpm-worker
- Apply 048_worker_memleak_CAN-2005-2970 to resolves a memory leak in
the worker MPM that can occur after aborted connections; CAN-2005-2970
-- Adam Conrad <email address hidden> Tue, 6 Dec 2005 02:13:10 +1100
| Obsolete in breezy-release |
apache2 (2.0.54-5ubuntu2) breezy; urgency=low
* Add 047_ssl_reneg_with_body, which adds a (bounded) buffer of request
body data to provide a limited but safe fix for the mod_ssl renegotiation
vs requests-with-bodies bug, as occurs with POST and SVN (Ubuntu #14991)
-- Adam Conrad <email address hidden> Tue, 4 Oct 2005 11:53:01 +1000
| Superseded in hoary-security |
apache2 (2.0.53-5ubuntu5.4) hoary-security; urgency=low
* SECURITY UPDATE: Memory exhaustion denial of service in apache2-mpm-worker
- Apply 048_worker_memleak_CAN-2005-2970 to resolves a memory leak in
the worker MPM that can occur after aborted connections; CAN-2005-2970
-- Adam Conrad <email address hidden> Tue, 6 Dec 2005 02:18:35 +1100
| Obsolete in hoary-release |
apache2 (2.0.53-5ubuntu5) hoary; urgency=low
* Fix the init script to not exit with an error when asked to
stop a daemon that isn't running (Was the root cause of #8374)
-- Adam Conrad <adconrad@0c3.net> Fri, 1 Apr 2005 16:30:56 +0000
| Superseded in warty-security |
apache2 (2.0.50-12ubuntu4.9) warty-security; urgency=low
* SECURITY UPDATE: Memory exhaustion denial of service in apache2-mpm-worker
- Apply 048_worker_memleak_CAN-2005-2970 to resolves a memory leak in
the worker MPM that can occur after aborted connections; CAN-2005-2970
-- Adam Conrad <email address hidden> Tue, 6 Dec 2005 02:17:58 +1100
| Obsolete in warty-release |
apache2 (2.0.50-12ubuntu4) warty; urgency=low
* Security Release. Patch from upstream for the following:
CAN-2004-0885 - SSLCypherSuite can be bypassed during renegotiation.
-- Thom May <email address hidden> Wed, 13 Oct 2004 19:46:10 +0100
| 226 → 269 of 419 results | First • Previous • Next • Last |
