Change logs for apache2 source package in Edgy

  • apache2 (2.0.55-4ubuntu4.2) edgy-security; urgency=low
    
      * SECURITY UPDATE: denial of service (application crash) when using
        mod_proxy in threaded MPM via crafted date headers.
      * debian/patches/100_CVE-2007-3847.patch: fix proxy_util.c to use
        apr_date_parse_http() and apr_rfc822_date()
      * SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
        when charset not defined
      * debian/patches/101_CVE-2007-4465.patch: fix mod_autoindex.c to properly
        check for and use charset
      * SECURITY UPDATE: cross-site scripting vulnerability in mod_imap
      * debian/patches/102_CVE-2007-5000.patch: fix for mod_imap.c to use
        ap_escape_html()
      * SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
        server-status is enabled
      * debian/patches/103_CVE-2007-6388.patch: fix for mod_status.c to properly
        set up table
      * SECURITY UPDATE: cross-site scripting vulnerability in proxy_ftp when
        charset is not defined
      * debian/patches/104_CVE-2008-0005.patch: fix for proxy_ftp.c to define
        a charset
      * SECURITY UPDATE: cross-site scripting vulnerability in Expect headers
      * debian/patches/105_CVE-2006-3918.patch: fix for http_protocol.c to use
        ap_escape_html()
      * References
        CVE-2007-3847
        CVE-2007-4465
        CVE-2007-5000
        CVE-2007-6388
        CVE-2008-0005
        CVE-2006-3918
    
     -- Jamie Strandboge <email address hidden>   Tue, 29 Jan 2008 20:12:00 +0000
  • apache2 (2.0.55-4ubuntu4.1) edgy-security; urgency=low
    
      * SECURITY UPDATE: XSS in mod_status, bad signal passing.
      * Backported fixes from upstream:
        - CVE-2007-3304: stop signals from being sent to other processes.
          http://svn.apache.org/viewvc?view=rev&revision=547987
        - CVE-2006-5752: fixed XSS in status report.
          http://svn.apache.org/viewvc?view=rev&revision=549159
    
     -- Kees Cook <email address hidden>   Wed, 15 Aug 2007 15:32:31 -0700
  • apache2 (2.0.55-4ubuntu4) edgy; urgency=low
    
      * Add debian/patches/054_restore_prefix_fix:
        - Fix autoconf macros to work with autoconf 2.60 (AC_CANONICAL_SYSTEM
          overwrites $@ in 2.60, see Debian bug #372179), so that the package
          builds again on recent Edgy.
        - Thanks to Daniel Schepler <email address hidden> for this patch
          (taken from Debian #374160)
        - Closes: LP#62242
    
     -- Martin Pitt <email address hidden>   Wed, 27 Sep 2006 16:23:09 +0200
  • apache2 (2.0.55-4ubuntu3) edgy; urgency=low
    
      * SECURITY UPDATE: Remote DoS, potential remote code execution.
      * Add debian/patches/053_mod_rewite_CVE-2006-3747:
        - Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
        - Reported by Mark Dowd of McAfee Avert Labs.
        - CVE-2006-3747
    
     -- Martin Pitt <email address hidden>   Wed, 26 Jul 2006 07:14:56 +0000
  • apache2 (2.0.55-4ubuntu2) dapper; urgency=low
    
      * Include patch from SVN HEAD to make sure LFS works on 64-bit platforms
        where sendfile() doesn't like dealing with anything larger than 32-bit
        chunks.  Yes, Linux 2.6, I'm looking at you (see: launchpad.net/11850)
    
     -- Adam Conrad <email address hidden>   Fri, 26 May 2006 20:12:28 +1000