Change log for apache2 package in Ubuntu
226 → 269 of 419 results
apache2 (2.2.8-3) unstable; urgency=low

  * mod_cache: Handle If-Range correctly if the cached resource was stale (closes: #47065).
  * mod_autoindex: Use UTF-8 as character set for filenames in the default configuration. Change this in autoindex.conf if you are still using ISO-8859-1.
  * Introduce APACHE_RUN_DIR and APACHE_LOCK_DIR in apache2ctl. Also, make it use APACHE_RUN_USER instead of APACHE2_RUN_USER, to be consistent with apache2.conf.
  * Add 'status' function to init script (adapted from patch by Dustin Kirkland).
  * Don't build the modules three times. We are only shipping one set of them, anyway. (Inspired by the Fedora package.)
  * Remove Fabio M. Di Nitto from the uploaders field (thanks for your work).

apache2 (2.2.4-3ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: denial of service (application crash) when using mod_proxy in threaded MPM via crafted date headers.
  * debian/patches/100_CVE-2007-3847.dpatch: fix proxy_util.c to use apr_date_parse_http() and apr_rfc822_date()
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c when charset not defined
  * debian/patches/101_CVE-2007-4465.dpatch: fix mod_autoindex.c to properly check for and use charset
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_imagemap
  * debian/patches/102_CVE-2007-5000.dpatch: fix for mod_imagemap.c to use ap_escape_html()
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_status when server-status is enabled
  * debian/patches/103_CVE-2007-6388.dpatch: fix for mod_status.c to properly setup table
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_balancer
  * debian/patches/104_CVE-2007-6421.dpatch: fix for mod_proxy_balancer.c to use ap_escape_html()
  * SECURITY UPDATE: denial of service (application crash) in mod_proxy_balancer when MPM is used
  * debian/patches/105_CVE-2007-6422.dpatch: fix for /mod_proxy_balancer.c to check bsel is non-NULL
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_ftp when charset is not defined
  * debian/patches/106_CVE-2008-0005.dpatch: fix for mod_proxy_ftp.c to define a charset
  * References
    CVE-2007-3847 CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2007-6421 CVE-2007-6422 CVE-2008-0005

 -- Jamie Strandboge <email address hidden>  Tue, 22 Jan 2008 18:28:27 +0000

apache2 (2.2.3-3.2ubuntu2.1) feisty-security; urgency=low

  * SECURITY UPDATE: denial of service (application crash) when using mod_proxy in threaded MPM via crafted date headers.
  * debian/patches/100_CVE-2007-3847.dpatch: fix proxy_util.c to use apr_date_parse_http() and apr_rfc822_date()
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c when charset not defined
  * debian/patches/101_CVE-2007-4465.dpatch: fix mod_autoindex.c to properly check for and use charset
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_imagemap
  * debian/patches/102_CVE-2007-5000.dpatch: fix for mod_imagemap.c to use ap_escape_html()
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_status when server-status is enabled
  * debian/patches/103_CVE-2007-6388.dpatch: fix for mod_status.c to properly setup table
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_balancer
  * debian/patches/104_CVE-2007-6421.dpatch: fix for mod_proxy_balancer.c to use ap_escape_html()
  * SECURITY UPDATE: denial of service (application crash) in mod_proxy_balancer when MPM is used
  * debian/patches/105_CVE-2007-6422.dpatch: fix for /mod_proxy_balancer.c to check bsel is non-NULL
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_proxy_ftp when charset is not defined
  * debian/patches/106_CVE-2008-0005.dpatch: fix for mod_proxy_ftp.c to define a charset
  * References
    CVE-2007-3847 CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2007-6421 CVE-2007-6422 CVE-2008-0005

 -- Jamie Strandboge <email address hidden>  Tue, 29 Jan 2008 17:34:21 +0000

apache2 (2.0.55-4ubuntu4.2) edgy-security; urgency=low

  * SECURITY UPDATE: denial of service (application crash) when using mod_proxy in threaded MPM via crafted date headers.
  * debian/patches/100_CVE-2007-3847.patch: fix proxy_util.c to use apr_date_parse_http() and apr_rfc822_date()
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c when charset not defined
  * debian/patches/101_CVE-2007-4465.patch: fix mod_autoindex.c to properly check for and use charset
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_imap
  * debian/patches/102_CVE-2007-5000.patch: fix for mod_imap.c to use ap_escape_html()
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_status when server-status is enabled
  * debian/patches/103_CVE-2007-6388.patch: fix for mod_status.c to properly setup table
  * SECURITY UPDATE: cross-site scripting vulnerability in proxy_ftp when charset is not defined
  * debian/patches/104_CVE-2008-0005.patch: fix for proxy_ftp.c to define a charset
  * SECURITY UPDATE: cross-site scripting vulnerability in Expect headers
  * debian/patches/105_CVE-2006-3918.patch: fix for http_protocol.c to use ap_escape_html()
  * References
    CVE-2007-3847 CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2008-0005 CVE-2006-3918

 -- Jamie Strandboge <email address hidden>  Tue, 29 Jan 2008 20:12:00 +0000

apache2 (2.0.55-4ubuntu2.3) dapper-security; urgency=low

  * SECURITY UPDATE: denial of service (application crash) when using mod_proxy in threaded MPM via crafted date headers.
  * debian/patches/100_CVE-2007-3847.patch: fix proxy_util.c to use apr_date_parse_http() and apr_rfc822_date()
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c when charset not defined
  * debian/patches/101_CVE-2007-4465.patch: fix mod_autoindex.c to properly check for and use charset
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_imap
  * debian/patches/102_CVE-2007-5000.patch: fix for mod_imap.c to use ap_escape_html()
  * SECURITY UPDATE: cross-site scripting vulnerability in mod_status when server-status is enabled
  * debian/patches/103_CVE-2007-6388.patch: fix for mod_status.c to properly setup table
  * SECURITY UPDATE: cross-site scripting vulnerability in proxy_ftp when charset is not defined
  * debian/patches/104_CVE-2008-0005.patch: fix for proxy_ftp.c to define a charset
  * SECURITY UPDATE: cross-site scripting vulnerability in Expect headers
  * debian/patches/105_CVE-2006-3918.patch: fix for http_protocol.c to use ap_escape_html()
  * References
    CVE-2007-3847 CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2008-0005 CVE-2006-3918

 -- Jamie Strandboge <email address hidden>  Tue, 29 Jan 2008 20:18:52 +0000

apache2 (2.2.8-1) unstable; urgency=low

  * New upstream version:
    - Fixes cross-site scripting issues in
      o mod_imagemap (CVE-2007-5000)
      o mod_status (CVE-2007-6388)
      o mod_proxy_balancer's balancer manager (CVE-2007-6421)
    - Fixes a denial of service issue in mod_proxy_balancer's balancer manager (CVE-2007-6422).
    - Fixes mod_proxy URL encoding in error messages (closes: #337325).
    - Adds explicit charset to the output of various modules to work around possible cross-site scripting flaws affecting web browsers that do not derive the response character set as required by RFC2616. For mod_proxy_ftp there is now the new ProxyFtpDirCharset directive to specify something else than ISO-8859-1 (CVE-2008-0005).
    - Adds mod_substitute which performs inline response content pattern matching (including regex) and substitution (like mod_line_edit).
    - Adds "DefaultType none" option.
    - Adds new "B" option to RewriteRule to suppress URL unescaping.
    - Adds an "if" directive for mod_include to test whether an URL is accessible, and if so, conditionally display content.
    - Adds support for mod_ssl to the event MPM.
  * Move the configuration of User, Group, and PidFile to /etc/apache2/envvars. This makes it easier to use these settings in scripts. /etc/apache2/envvars can now also be used to influence apache2ctl (inspired by Marc Haber's patch). (Closes: #349709, #460105, #458085)
  * Make apache2ctl check the configuration syntax before trying to restart apache, to match the behaviour documented in the man page. (Closes: #459236)
  * Convert docs to be directly viewable with a browser (and not use content negotiation).
  * Add doc-base entry for the documentation. (closes: #311269)
  * Don't ship default files in /var/www, but copy a sample file to /var/www/index.html on new installs. Also remove the now unneeded RedirectMatch line from sites-available/default. (Closes: #411774, #458093)
  * Add some information to README.Debian (Apache wiki, default virtual host)
  * Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary dependencies, easing library transitions (closes: #458857).
  * Add icons for OpenDocuments, add sharutils to Build-Depends for uudecode. Patch by Nicolas Valcárcel. (Closes: #436441)
  * Add reportbug script to list enabled modules.
  * Fix some lintian warnings:
    - Pass --no-start to dh_installinit instead of omitting the debhelper token in various maintainer scripts. Also move the update-rc.d call to apache2.2-common.
    - Add Short-Description to init script.
  * Remove unused apache2-mpm-prefork.prerm from source package and clean up debian/rules a bit.
  * Don't ship NEWS.Debian with apache2-utils, as the contents are only relevant for the server.

 -- Mathias Gug <email address hidden>  Fri, 01 Feb 2008 16:24:43 +0000

Superseded in hardy-release
apache2 (2.2.6-3ubuntu2) hardy; urgency=low

  [ Nicolas Valcárcel ]
  * Added icons for OpenDocuments by default on mime.conf (Closes: LP: #130836)
  * Icons added to the package in uuencode format
  * Added sharutils to Build-Depends on debian/control for uuencode
  * debian/apache2.2-common.apache2.init:
    - Only look for *.conf files in /etc/apache2 when searching for pidfiles (Closes: LP: #112991)
      Thanks to Daniel Hahler for the patch

  [ Soren Hansen ]
  * Clean up after OpenDocument icon generation

 -- Soren Hansen <email address hidden>  Wed, 16 Jan 2008 08:52:01 +0100

Superseded in hardy-release
apache2 (2.2.6-3ubuntu1) hardy; urgency=low

  * Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary dependencies (including db4.5).
  * Modify Maintainer value to match the DebianMaintainerField specification.

 -- Martin Pitt <email address hidden>  Thu, 03 Jan 2008 11:19:10 +0100

apache2 (2.2.6-3) unstable; urgency=low

  * Allocate fewer bucket brigades in case of a flush bucket. This might help with the memory leaks reported in #399776 and #421557.
  * Escape the HTTP method in error messages to avoid potential cross site scripting vulnerabilities (CVE-2007-6203).
  * Update 053_bad_file_descriptor_PR42829.dpatch to avoid a race condition.
  * Redirect /doc/apache2-doc/manual/ to /manual/ in the apache2-doc config (Closes: #450867).
  * Add icons for .ogg and .ogm (Closes: #255443).
  * Add comment about how to log X-Forwarded-For (Closes: #425008).
  * Make mod_proxy_balancer not depend on mod_cache.
  * Add Homepage field to debian/control.
  * Add/fix some lintian overrides, fix some warnings.
  * Bump Standards-Version (no changes).

 -- Ubuntu Archive Auto-Sync <email address hidden>  Sun, 09 Dec 2007 19:02:32 +0000

apache2 (2.2.3-3.2ubuntu2) feisty-proposed; urgency=low

  * debian/apache2.2-common.init.d: make sure that /var/lock/apache2 is owned by www-data. Fixes LP: #129920.

 -- Mathias Gug <email address hidden>  Wed, 21 Nov 2007 16:55:25 -0500

apache2 (2.2.6-2) unstable; urgency=low

  * Avoid calling apr_pollset_poll() and accept_func() when the listening sockets have already been closed on graceful stop or reload. This hopefully fixes processes not being killed (closes: #445263, #447164) and the "Bad file descriptor: apr_socket_accept: (client socket)" error message (closes: #400918, #443310)
  * Allow logresolve to process long lines (Closes: #331631)
  * Remove duplicate config examples (Closes: #294662)
  * Include README.backtrace describing how to create a backtrace
  * Add CVE reference to 2.2.6-1 changelog entry

apache2 (2.2.4-3build1) gutsy; urgency=low

  * Trigger rebuild for hppa

 -- LaMont Jones <email address hidden>  Thu, 04 Oct 2007 11:58:34 -0600

apache2 (2.2.3-3.2ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: XSS in mod_status, DoS in mod_cache, signal passing.
  * Backported fixes from upstream and Debian updates:
    - CVE-2007-1863: fixed DoS via mod_cache headers.
      http://svn.apache.org/viewvc?view=rev&revision=551944
    - CVE-2007-3304: stop signals from being sent to other processes.
      http://svn.apache.org/viewvc?view=rev&revision=547987
    - CVE-2006-5752: fixed XSS in status report.
      http://svn.apache.org/viewvc?view=rev&revision=549159

 -- Kees Cook <email address hidden>  Wed, 15 Aug 2007 15:32:31 -0700

apache2 (2.0.55-4ubuntu4.1) edgy-security; urgency=low

  * SECURITY UPDATE: XSS in mod_status, bad signal passing.
  * Backported fixes from upstream:
    - CVE-2007-3304: stop signals from being sent to other processes.
      http://svn.apache.org/viewvc?view=rev&revision=547987
    - CVE-2006-5752: fixed XSS in status report.
      http://svn.apache.org/viewvc?view=rev&revision=549159

 -- Kees Cook <email address hidden>  Wed, 15 Aug 2007 15:32:31 -0700

apache2 (2.0.55-4ubuntu2.2) dapper-security; urgency=low

  * SECURITY UPDATE: XSS in mod_status, bad signal passing.
  * Backported fixes from upstream:
    - CVE-2007-3304: stop signals from being sent to other processes.
      http://svn.apache.org/viewvc?view=rev&revision=547987
    - CVE-2006-5752: fixed XSS in status report.
      http://svn.apache.org/viewvc?view=rev&revision=549159

 -- Kees Cook <email address hidden>  Wed, 15 Aug 2007 15:32:31 -0700

apache2 (2.2.4-3) unstable; urgency=low

  [ Stefan Fritsch ]
  * enable default site on new installs again (Closes: #436341)
  * make mod_authn_dbd depend on mod_dbd
  * make a2dissite return 0 if a site is already disabled (Closes: #435398)
  * make a2 scripts print errors to stderr (Closes: #435400)
  * move TypesConfig directive from apache2.conf to mime.conf (Closes: #434248)

  [ Adam Conrad ]
  * Special case apache2-dbg magic in debian/rules, so we don't do this on Ubuntu, which has an archive of detached debug packages.

 -- Martin Pitt <email address hidden>  Wed, 08 Aug 2007 23:19:13 +0100

Deleted in feisty-proposed (Reason: SRU superseded by security)
apache2 (2.2.3-3.2ubuntu1) feisty-proposed; urgency=low

  * debian/apache2.2-common.init.d: make sure that /var/lock/apache2 is owned by www-data. Fixes LP: #129920.
  * debian/control: Set Maintainer to Ubuntu Core Dev and move Debian maintainer to XSBC-Original-Maintainer.

 -- Mathias Gug <email address hidden>  Fri, 3 Aug 2007 10:03:57 -0400

Superseded in gutsy-release
apache2 (2.2.4-2ubuntu2) gutsy; urgency=low

  * debian/rules: Also remove apache2-dbg from debian/files on Ubuntu, so that dpkg-genchanges does not choke.

 -- Martin Pitt <email address hidden>  Wed, 01 Aug 2007 12:05:25 +0200

Superseded in gutsy-release
apache2 (2.2.4-2ubuntu1) gutsy; urgency=low

  * debian/rules: Do not do the black magic for producing the -dbg package on Ubuntu, since it breaks with pkg-create-dbgsym and is not needed for the same reason.

 -- Martin Pitt <email address hidden>  Wed, 01 Aug 2007 10:19:48 +0200

apache2 (2.2.4-2) unstable; urgency=low

  * Modularize config: Move module specific configuration from apache2.conf to mods-available/*conf (Closes: #338472)
  * Remove the NO_START kludge. Now you have to use rc*.d symlinks to disable apache2. (Closes: #408462, #275561)
  * Create run and lock directories in apache2ctl to make it work on fresh installations before the first call of the init script. Together with the previous item, this closes: #418499
  * Disable AddDefaultCharset again (Closes: #397886)
  * Make ports.conf, conf.d/charset, and /etc/default/apache2 conffiles managed by dpkg
  * Listen on port 443 by default if mod_ssl is loaded (Closes: #404598)
  * Add logic to start htcacheclean as daemon or cronjob. The configuration is in /etc/default/apache2
  * Fix security issues:
    - CVE-2007-3304: prevent parent process to send SIGUSR1 to arbitrary processes
    - CVE-2006-5752: XSS in mod_status
  * Add init.d dependency info from insserv overrides to /etc/init.d/apache2
  * Replace apachectl with apache2ctl in docs (Closes: #164493)
  * Add usage message to apache2ctl (Closes: #359008)
  * Make -dev packages priority extra
  * Add secure example cipher/protocol configuration to ssl.conf
  * Update watch file (Closes: #433552)
  * Bump dh_compat to 5
  * Add new package apache2-dbg with debugging symbols
  * Fix mod_cache returning 304 instead of 200 on HEAD requests

 -- Michael Bienia <email address hidden>  Thu, 26 Jul 2007 18:19:38 +0100

apache2 (2.2.4-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Urgency medium for security fix
  * Fix CVE-2007-1863: DoS in mod_cache
  * New upstream version (Closes: #427050)
    - Fixes "proxy: error reading status line from remote server" (Closes: #410331)
  * Fix CVE-2007-1862: mod_mem_cache DoS (introduced in 2.2.4)
  * Change logrotate script to use reload instead of restart. (Closes: #298689)
  * chmod o-rx /var/log/apache2 (Closes: #291841)
  * chmod o-x suexec (Closes: #431048)
  * Update patch for truncated mod_cgi 500 responses from upstream SVN (Closes: #412580)
  * Don't use AddDefaultCharset for our docs (Closes: #414429)
  * fix options syntax in sites-available/default (Closes: #419539)
  * Move conf.d include to the end of apache2.conf (Closes: #305933)
  * Remove log, cache, and lock files on purge (Closes: #428887)
  * Ship /usr/lib/cgi-bin (Closes: #415698)
  * Add note to README.Debian how to read docs (Closes: #350822)
  * Document pid file name (Closes: #350286)
  * Update Standards-Version (no changes needed)
  * Fix some lintian warnings, add some overrides
  * Start apache when doing a "restart" even if it was not running (Closes: #384682)
  * reload config in apache2-doc postinst (Closes: #289289)
  * don't fail in prerm if apache is not running (Closes: #418536)
  * Suggest apache2-doc and www-browser (Closes: #399056)
  * Make init script always display a warning if NO_START=1 since VERBOSE=yes is not the default anymore (Closes: #430116)
  * Replace apache2(8) man page with a more current version
  * Add httxt2dbm(8) man page
  * Show -X option in help message (Closes: #391817)
  * remove sick-hack-to-update-modules
  * don't depend on procps on hurd (Closes: #431125)

  [ Peter Samuelson ]
  * Add shlibs:Depends to apache2.2-common.

 -- Kees Cook <email address hidden>  Thu, 05 Jul 2007 10:18:25 +0100

apache2 (2.2.3-5) unstable; urgency=low

  [ Tollef Fog Heen ]
  * Fix up apache2-src so the .tar.gz contains an apache2 top level directory.
  * Make apache2 MPMs provide and conflict with apache2-mpm so other packages can provide MPMs too.
  * Get rid of 2.1 references from descriptions. (Closes: #400981)

  [ Thom May ]
  * Let the init script cope with multiple pid files correctly. Probably we shouldn't be doing this at all, but we might as well do it properly! (Closes: #396162)
  * Add a sensible autoindex default config
  * Add patch from upstream to ensure that mod_cgi 500 responses aren't truncated (Closes: #412580)
  * Use graceful-stop to shutdown apache to ensure we cope nicely with long running or blocked children

  [ Peter Samuelson ]
  * Ship apache2 manpage in apache2.2-common. (Closes: #391813)
  * Rearrange init script so that 'force-reload' is the same as 'reload'. (Closes: #401053)
  * Add Build-Depends: mawk. (Closes: #403682)
  * Add a needed <IfModule mod_include.c> guard to apache2.conf. (Closes: #407307)
  * Stop shipping /var/run/apache2/ as it is created at runtime anyway.
  * Move the /var/lock/apache2 owner fix from the apache2.2-common postinst to the init script, as /var/lock may not persist across reboots. (Closes: #420101)

  [ Stefan Fritsch ]
  * Add Build-Depends: libssl-dev, zlib1g-dev (Closes: #399043)
  * Add XS-Vcs-* to debian/control
  * Improve handling of empty $MODNAME in a2enmod (Closes: #422589)
  * Treat apache2-mpm-itk as prefork in a2enmod (Closes: #412602)
  * Re-add README.Debian and describe
    - the config dir layout (closes: #419552)
    - which files are ignored by Include
    - when and how to change "restart" to "reload" in the logrotate script
  * When purging, remove {mods,sites}-enabled symlinks and the config files created by postinst (Closes: #397789)
  * Fix suexec to log after a cgi error (Closes: #312385)
  * Add watch file
  * Add AddType for .bz2 (Closes: #416322)
  * Make init script messages conform better to policy (Closes: #390348) and exit with failure if called with unknown parameter (Closes: #412407)
  * Fix segfault in mod_proxy_ftp when FTP server sends back no spaces (Closes: #413727)
  * Ship /etc/apache2/conf.d/apache2-doc (Closes: #418464)
  * Tell the user when selecting cgid instead of cgi (Closes: #428058)
  * Add a2ensite/a2dissite man pages (Closes: #322385)
  * Comment out CacheEnable by default, to prevent filling up /var. Document the problem in README.Debian and NEWS.Debian, point to htcacheclean and give a warning when doing a2enmod disk_cache (Closes: #423653).
  * Add myself to Uploaders.

 -- Ubuntu Archive Auto-Sync <email address hidden>  Mon, 11 Jun 2007 18:39:11 +0100

apache2 (2.2.3-4) unstable; urgency=high

  * High-urgency upload for RC bugfixes.
  * Ack NMUs - thanks Andi, Steve.
  * Refactor apache2.2-common.postinst slightly, to account for sarge upgrades (since it's a new package name, rather than an upgrade). (Closes: #396782, #415775)
  * If mod_proxy was configured in sarge, add proxy_http and disk_cache modules, which used to be included in the mod_proxy config. (Closes: #407171)

apache2 (2.2.3-3.2build1) feisty; urgency=low

  * No-change upload for the libpq4->libpq5 transition.

 -- Martin Pitt <email address hidden>  Mon, 15 Jan 2007 17:10:39 +0100

apache2 (2.2.3-3.2) unstable; urgency=high

  * Non-maintainer upload.
  * 043_ajp_connection_reuse: Patch from upstream Bugzilla, fixing a critical issue with regard to connection reuse in mod_proxy_ajp. Closes: #396265

apache2 (2.0.55-4ubuntu4) edgy; urgency=low

  * Add debian/patches/054_restore_prefix_fix:
    - Fix autoconf macros to work with autoconf 2.60 (AC_CANONICAL_SYSTEM overwrites $@ in 2.60, see Debian bug #372179), so that the package builds again on recent Edgy.
    - Thanks to Daniel Schepler <email address hidden> for this patch (taken from Debian #374160)
    - Closes: LP#62242

 -- Martin Pitt <email address hidden>  Wed, 27 Sep 2006 16:23:09 +0200

Superseded in dapper-security
apache2 (2.0.55-4ubuntu2.1) dapper-security; urgency=low

  * SECURITY UPDATE: Remote DoS, potential remote code execution.
  * Add debian/patches/053_mod_rewite_CVE-2006-3747:
    - Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
    - Reported by Mark Dowd of McAfee Avert Labs.
    - CVE-2006-3747

 -- Martin Pitt <email address hidden>  Wed, 26 Jul 2006 07:14:56 +0000

Obsolete in breezy-security
apache2 (2.0.54-5ubuntu4.1) breezy-security; urgency=low

  * SECURITY UPDATE: Remote DoS, potential remote code execution.
  * Add debian/patches/053_mod_rewite_CVE-2006-3747:
    - Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
    - Reported by Mark Dowd of McAfee Avert Labs.
    - CVE-2006-3747

 -- Martin Pitt <email address hidden>  Wed, 26 Jul 2006 07:18:39 +0000

Obsolete in hoary-security
apache2 (2.0.53-5ubuntu5.6) hoary-security; urgency=low

  * SECURITY UPDATE: Remote DoS, potential remote code execution.
  * Add debian/patches/053_mod_rewite_CVE-2006-3747:
    - Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
    - Reported by Mark Dowd of McAfee Avert Labs.
    - CVE-2006-3747

 -- Martin Pitt <email address hidden>  Wed, 26 Jul 2006 07:20:37 +0000

Superseded in edgy-release
apache2 (2.0.55-4ubuntu3) edgy; urgency=low

  * SECURITY UPDATE: Remote DoS, potential remote code execution.
  * Add debian/patches/053_mod_rewite_CVE-2006-3747:
    - Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
    - Reported by Mark Dowd of McAfee Avert Labs.
    - CVE-2006-3747

 -- Martin Pitt <email address hidden>  Wed, 26 Jul 2006 07:14:56 +0000

apache2 (2.0.55-4ubuntu2) dapper; urgency=low

  * Include patch from SVN HEAD to make sure LFS works on 64-bit platforms where sendfile() doesn't like dealing with anything larger than 32-bit chunks. Yes, Linux 2.6, I'm looking at you (see: launchpad.net/11850)

 -- Adam Conrad <email address hidden>  Fri, 26 May 2006 20:12:28 +1000

Superseded in dapper-release
apache2 (2.0.55-4ubuntu1) dapper; urgency=low

  * Restore the "a2enmod userdir" that went missing in the "cruft cleaning" in the last upload, since it's required to sanely configure new setups.

 -- Adam Conrad <email address hidden>  Mon, 22 May 2006 10:20:22 +1000

apache2 (2.0.55-4) unstable; urgency=low

  * Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
  * Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in threaded MPMs when making a non-SSL connection to an SSL-enabled port on a server with a custom 400 error document defined; see CVE-2005-3357
  * Clean up our use of trailing slashes on directories in debian/rules, so the newer, pickier, obviously very improved coreutils doesn't bite us.
  * Remove some cruft from apache2-common's postinst, dealing with upgrade scenarios from versions older than those released in Sarge or Warty.
  * Use "SHELL := sh -e" in debian/rules, so the build will stop on shell errors, instead of blundering on to later make targets (closes: #340761)
  * Recreate /var/run/apache2 and /var/lock/apache2 in our init script, in case the user has /var/run and /var/lock on tmpfs, which is fashionable.
  * Make our init script a /bin/bash script instead of a /bin/sh script, so we can abuse it with regex globbing (#348189, #347962, #340955, #342008)
  * Take patch from Adrian Bridgett to output errors from our config test in the init script, but only do so when we're VERBOSE (closes: #339323)
  * In the spirit of the LSB, make our init script exit 2 when called with incorrect arguments, and exit 4 when asked for status (closes: #330275)
  * Fix the default site to not mix configuration syntax (closes: #345922)
  * Mention apxs2 in the apache2-*-dev long descriptions (closes: #307921)

 -- Adam Conrad <adconrad@0c3.net>  Sat, 26 Nov 2005 19:06:32 +1100

Superseded in breezy-security
apache2 (2.0.54-5ubuntu4) breezy-security; urgency=low

  * SECURITY UPDATE: Remote DoS and Cross-Site Scripting vulnerability.
    - Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
    - Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in threaded MPMs when making a non-SSL connection to an SSL-enabled port on a server with a custom 400 error document defined; see CVE-2005-3357

 -- Adam Conrad <email address hidden>  Sun, 8 Jan 2006 00:01:47 +1100

Superseded in hoary-security
apache2 (2.0.53-5ubuntu5.5) hoary-security; urgency=low

  * SECURITY UPDATE: Remote DoS and Cross-Site Scripting vulnerability.
    - Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
    - Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in threaded MPMs when making a non-SSL connection to an SSL-enabled port on a server with a custom 400 error document defined; see CVE-2005-3357

 -- Adam Conrad <email address hidden>  Sun, 8 Jan 2006 00:01:38 +1100

Obsolete in warty-security
apache2 (2.0.50-12ubuntu4.10) warty-security; urgency=low

  * SECURITY UPDATE: Remote DoS and Cross-Site Scripting vulnerability.
    - Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
    - Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in threaded MPMs when making a non-SSL connection to an SSL-enabled port on a server with a custom 400 error document defined; see CVE-2005-3357

 -- Adam Conrad <email address hidden>  Sun, 8 Jan 2006 00:00:08 +1100

apache2 (2.0.55-3) unstable; urgency=low

  * Brown paper bag release: Tidy up CFLAGS and APR configure call to make sure that what we link to agrees with what apu-config tells others to do.

 -- Adam Conrad <adconrad@0c3.net>  Mon, 24 Oct 2005 13:02:52 +1000

Superseded in dapper-release
apache2 (2.0.55-3build1) dapper; urgency=low

  * Rebuild for libstdc++ allocator change

 -- Matthias Klose <email address hidden>  Thu, 24 Nov 2005 12:16:41 +0000

Superseded in breezy-security
apache2 (2.0.54-5ubuntu3) breezy-security; urgency=low

  * SECURITY UPDATE: Memory exhaustion denial of service in apache2-mpm-worker
    - Apply 048_worker_memleak_CAN-2005-2970 to resolve a memory leak in the worker MPM that can occur after aborted connections; CAN-2005-2970

 -- Adam Conrad <email address hidden>  Tue, 6 Dec 2005 02:13:10 +1100

Obsolete in breezy-release
apache2 (2.0.54-5ubuntu2) breezy; urgency=low

  * Add 047_ssl_reneg_with_body, which adds a (bounded) buffer of request body data to provide a limited but safe fix for the mod_ssl renegotiation vs requests-with-bodies bug, as occurs with POST and SVN (Ubuntu #14991)

 -- Adam Conrad <email address hidden>  Tue, 4 Oct 2005 11:53:01 +1000

Superseded in hoary-security
apache2 (2.0.53-5ubuntu5.4) hoary-security; urgency=low

  * SECURITY UPDATE: Memory exhaustion denial of service in apache2-mpm-worker
    - Apply 048_worker_memleak_CAN-2005-2970 to resolve a memory leak in the worker MPM that can occur after aborted connections; CAN-2005-2970

 -- Adam Conrad <email address hidden>  Tue, 6 Dec 2005 02:18:35 +1100

Obsolete in hoary-release
apache2 (2.0.53-5ubuntu5) hoary; urgency=low

  * Fix the init script to not exit with an error when asked to stop a daemon that isn't running (Was the root cause of #8374)

 -- Adam Conrad <adconrad@0c3.net>  Fri, 1 Apr 2005 16:30:56 +0000

Superseded in warty-security
apache2 (2.0.50-12ubuntu4.9) warty-security; urgency=low

  * SECURITY UPDATE: Memory exhaustion denial of service in apache2-mpm-worker
    - Apply 048_worker_memleak_CAN-2005-2970 to resolve a memory leak in the worker MPM that can occur after aborted connections; CAN-2005-2970

 -- Adam Conrad <email address hidden>  Tue, 6 Dec 2005 02:17:58 +1100

Obsolete in warty-release
apache2 (2.0.50-12ubuntu4) warty; urgency=low

  * Security Release. Patch from upstream for the following:
    CAN-2004-0885 - SSLCipherSuite can be bypassed during renegotiation.

 -- Thom May <email address hidden>  Wed, 13 Oct 2004 19:46:10 +0100