Change logs for apache2 source package in Hardy

  • apache2 (2.2.8-1ubuntu0.25) hardy-security; urgency=low
    
      * SECURITY UPDATE: multiple cross-site scripting issues
        - debian/patches/CVE-2012-3499_4558.dpatch: properly escape html in
          modules/generators/{mod_info.c,mod_status.c},
          modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
          modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
        - CVE-2012-3499
        - CVE-2012-4558
      * SECURITY UPDATE: denial of service in mod_proxy_ajp
        - debian/patches/CVE-2012-4557.dpatch: check for timeout in
          modules/proxy/ajp_link.c, modules/proxy/mod_proxy_ajp.c.
        - CVE-2012-4557
      * SECURITY UPDATE: symlink attack in apache2ctl script
        - debian/patches/CVE-2013-1048.dpatch: introduce and use a safer
          mkdir_chown() function in support/apachectl.in.
        - CVE-2013-1048
     -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 11:17:51 -0500
  • apache2 (2.2.8-1ubuntu0.24) hardy-security; urgency=low
    
      * SECURITY UPDATE: XSS vulnerability in mod_negotiation
        - debian/patches/224_CVE-2012-2687.dpatch: escape filenames in
          modules/mappers/mod_negotiation.c.
        - CVE-2012-2687
      * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
        - debian/patches/225_CVE-2012-4929.dpatch: backport SSLCompression
          on|off directive. Defaults to off as enabling compression enables the
          CRIME attack.
        - CVE-2012-4929
     -- Marc Deslauriers <email address hidden>   Tue, 06 Nov 2012 15:01:07 -0500
  • apache2 (2.2.8-1ubuntu0.23) hardy-security; urgency=low
    
      * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
        directive (LP: #811422)
        - debian/patches/220_CVE-2011-3607.dpatch: validate length in
          server/util.c.
        - CVE-2011-3607
      * SECURITY UPDATE: another mod_proxy reverse proxy exposure
        - debian/patches/221_CVE-2011-4317.dpatch: validate additional URIs in
          modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
          server/protocol.c.
        - CVE-2011-4317
      * SECURITY UPDATE: denial of service and possible code execution via
        type field modification within a scoreboard shared memory segment
        - debian/patches/222_CVE-2012-0031.dpatch: check type field in
          server/scoreboard.c.
        - CVE-2012-0031
      * SECURITY UPDATE: cookie disclosure via Bad Request errors
        - debian/patches/223_CVE-2012-0053.dpatch: check lengths in
          server/protocol.c.
        - CVE-2012-0053
     -- Marc Deslauriers <email address hidden>   Tue, 14 Feb 2012 10:49:11 -0500
  • apache2 (2.2.8-1ubuntu0.22) hardy-security; urgency=low
    
      [ Michael Jeanson ]
      * SECURITY UPDATE: mod_proxy reverse proxy exposure
        * debian/patches/216_CVE-2011-3368.dpatch: return 400
          on invalid requests.
        - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
          0.9 protocol
    
      [ Steve Beattie ]
      * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
        - debian/patches/213_CVE-2011-3348.dpatch: return
          HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
        - CVE-2011-3348
      * Include additional fixes for regressions introduced by
        CVE-2011-3192 fixes
        - debian/patches/084_CVE-2011-3192_regression_part2.dpatch:
          take upstream fixes for byterange_filter.c through the 2.2.21
          release except for the added MaxRanges configuration option.
     -- Steve Beattie <email address hidden>   Wed, 02 Nov 2011 19:43:46 -0700
  • apache2 (2.2.8-1ubuntu0.21) hardy-security; urgency=low
    
      * SECURITY UPDATE: Range header DoS vulnerability
        * debian/patches/214_CVE-2011-3192.dpatch: filter out large
          byte ranges and improve memory efficiency in handling buckets.
          (thanks to Debian and upstream)
        * CVE-2011-3192
      * Include fix for regressions introduced by above patch:
        - debian/patches/084_CVE-2011-3192_regression.dpatch: return 206
          and 416 response codes where appropriate (see deban bug 639825)
     -- Steve Beattie <email address hidden>   Thu, 01 Sep 2011 01:53:46 -0700
  • apache2 (2.2.8-1ubuntu0.19) hardy-security; urgency=low
    
      * SECURITY UPDATE: denial of service via request that lacks a path in
        mod_dav.
        - debian/patches/213_CVE-2010-1452.dpatch: fix path handling in
          modules/dav/main/util.c.
        - CVE-2010-1452
     -- Marc Deslauriers <email address hidden>   Thu, 18 Nov 2010 14:25:56 -0500
  • apache2 (2.2.8-1ubuntu0.18) hardy-security; urgency=low
    
      * debian/patches/212_sslinsecurerenegotiation-directive.dpatch: once
        openssl gets updated to fix CVE-2009-3555, server renegotiations with
        unpatched clients will fail. This patch adds the ability to revert to
        the previous unsafe behaviour with a new SSLInsecureRenegotiation
        directive. (LP: #616759)
      * debian/control: add specific dependency on first openssl version to get
        CVE-2009-3555 fix.
     -- Marc Deslauriers <email address hidden>   Mon, 16 Aug 2010 13:39:40 -0400
  • apache2 (2.2.8-1ubuntu0.17) hardy-proposed; urgency=low
    
      * debian/apache2.2-common.postinst: When dpkg-statoverride is used, the cut
        delimiter has now been set to use ' ', as it was causing upgrades to fail.
        (LP: #583698)
     -- Dave Walker (Daviey) <email address hidden>   Fri, 21 May 2010 13:50:34 +0100
  • apache2 (2.2.8-1ubuntu0.16) hardy-proposed; urgency=low
    
      * debian/patches/211_fix_mod_proxy_nocanon.dpatch: Fix duplicated query string
        when using nocanon option to mod_proxy. Patch courtesy of James Troup, based
        on upstream cherry pick. (LP: #455873)
     -- Dave Walker (Daviey) <email address hidden>   Mon, 17 May 2010 18:06:59 +0100
  • apache2 (2.2.8-1ubuntu0.15) hardy-security; urgency=low
    
      * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
        - debian/patches/209_CVE-2010-0408.dpatch: return the right error code
          in modules/proxy/mod_proxy_ajp.c.
        - CVE-2010-0408
      * SECURITY UPDATE: information disclosure via improper handling of
        headers in subrequests
        - debian/patches/210_CVE-2010-0434.dpatch: use a copy of r->headers_in
          in server/protocol.c.
        - CVE-2010-0434
     -- Marc Deslauriers <email address hidden>   Mon, 08 Mar 2010 11:56:13 -0500
  • apache2 (2.2.8-1ubuntu0.14) hardy-security; urgency=low
    
      * SECURITY UPDATE: Reject client-initiated SSL/TLS renegotiations.
        Partial fix for CVE-2009-3555. Configurations requiring renegotiation
        of per-directory/location access controls are still affected until
        OpenSSL is updated.
        - debian/patches/206_CVE-2009-3555.dpatch: disable all client
          renegotiations
        - CVE-2009-3555
      * SECURITY UPDATE: fix NULL pointer dereference in mod_proxy_ftp module
        - debian/patches/207-CVE-2009-3094.dpatch: fix NULL pointer dereference
          in mod_proxy_ftp.c/apr_socket_close() and potential buffer overread
          in EPSV response parser
        - CVE-2009-3094
      * SECURITY UPDATE: fix access control bypass in mod_proxy_ftp when
        configured as a reverse proxy
        - debian/patches/208-CVE-2009-3095.dpatch: adjust proxy_ftp_handler()
          in mod_proxy_ftp.c to fail if the decoded Basic credentials contain
          special characters.
        - CVE-2009-3095
     -- Jamie Strandboge <email address hidden>   Thu, 12 Nov 2009 14:15:40 -0600
  • apache2 (2.2.8-1ubuntu0.12) hardy-proposed; urgency=low
    
      * debian/patches/999_fix_mod_proxy_nocanon.dpatch: Make all proxy modules
        nocanon aware and do not add the query string again in this case.
        Thanks to James Troup. (LP: #455873)
    
     -- Chuck Short <email address hidden>   Mon, 02 Nov 2009 11:25:38 -0500
  • apache2 (2.2.8-1ubuntu0.11) hardy-security; urgency=low
    
      * SECURITY UPDATE: remote denial of service in mod_deflate module when
        the network connection was closed before compression completed
        - debian/patches/205_CVE-2009-1891.dpatch: update patch to fix
          regression that caused segfaults under certain circumstances.
          (LP: #409987)
        - CVE-2009-1891
    
     -- Marc Deslauriers <email address hidden>   Mon, 17 Aug 2009 08:00:35 -0400
  • apache2 (2.2.8-1ubuntu0.10) hardy-security; urgency=low
    
      * SECURITY UPDATE: remote denial of service in the mod_proxy module via
        amount of streamed data that exceeds the Content-Length value
        - debian/patches/204_CVE-2009-1890.dpatch: make sure Content-Length is
          sane and check the length of the data in modules/proxy/mod_proxy_http.c
        - CVE-2009-1890
      * SECURITY UPDATE: remote denial of service in mod_deflate module when
        the network connection was closed before compression completed
        - debian/patches/205_CVE-2009-1891.dpatch: fail if the connection has
          been aborted in server/core_filters.c
        - CVE-2009-1891
    
     -- Marc Deslauriers <email address hidden>   Thu, 09 Jul 2009 14:53:32 -0400
  • apache2 (2.2.8-1ubuntu0.9) hardy-proposed; urgency=low
    
      * debian/patches//101_fix-spinning-mod_proxy.dpatch: Fix mod_proxy
        with SSL using all the CPU. (LP: #306293)
    
     -- Chuck Short <email address hidden>   Fri, 13 Feb 2009 15:43:29 +0000
  • apache2 (2.2.8-1ubuntu0.8) hardy-security; urgency=low
    
      * SECURITY UPDATE: Includes option could be overridden via .htaccess file
        when AllowOverride restrictions do not permit it
        - debian/patches/203_CVE-2009-1195.dpatch: adjust server/config.c,
          server/core.c, modules/filters/mod_include.c, include/http_core.h to
          only enable .htaccess override when permitted.
        - CVE-2009-1195
    
     -- Jamie Strandboge <email address hidden>   Wed, 10 Jun 2009 17:50:41 -0500
  • apache2 (2.2.8-1ubuntu0.6) hardy-proposed; urgency=low
    
      * debian/patches//101_fix-spinning-mod_proxy.dpatch: Fix mod_proxy
        with SSL using all the CPU. (LP: #306293)
    
     -- Chuck Short <email address hidden>   Fri, 13 Feb 2009 15:43:29 +0000
  • apache2 (2.2.8-1ubuntu0.5) hardy-security; urgency=low
    
      [ Emanuele Gentili ]
      * SECURITY UPDATE:
       + debian/patches/201_security_CVE-2008-2364.dpatch (LP: #239894)
        - The ap_proxy_http_process_response function in mod_proxy_http.c
          in the mod_proxy module does not limit the number of forwarded
          interim responses, which allows remote HTTP servers to cause a
          denial of service (memory consumption) via a large number of
          interim responses.
       + References
        - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364
    
      [ Marc Deslauriers ]
      * SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
        mod_proxy_balancer
        - debian/patches/200_security_CVE-2007-6420.dpatch: generate and validate a
          nonce in modules/proxy/mod_proxy_balancer.c.
        - CVE-2007-6420
      * SECURITY UPDATE: Denial of service via large number of interim responses in
        mod_proxy module (LP: #239894)
        - debian/patches/201_security_CVE-2008-2364.dpatch: updated patch to newer
          version.
        - CVE-2008-2364
      * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
        mod_proxy_ftp module
        - debian/patches/202_security_CVE-2008-2939.dpatch: escape the html
          contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
        - CVE-2008-2939
    
     -- Marc Deslauriers <email address hidden>   Thu, 05 Mar 2009 17:20:17 -0500
  • apache2 (2.2.8-1ubuntu0.4) hardy-proposed; urgency=low
    
      * debian/patches//101_fix-spinning-mod_proxy.dpatch: Fix mod_proxy
        with SSL using all the CPU. (LP: #306293)
    
     -- Chuck Short <email address hidden>   Fri, 13 Feb 2009 15:43:29 +0000
  • apache2 (2.2.8-1ubuntu0.4) hardy-security; urgency=low
    
      [ Emanuele Gentili ]
      * SECURITY UPDATE:
       + debian/patches/201_security_CVE-2008-2364.dpatch (LP: #239894)
        - The ap_proxy_http_process_response function in mod_proxy_http.c
          in the mod_proxy module does not limit the number of forwarded
          interim responses, which allows remote HTTP servers to cause a
          denial of service (memory consumption) via a large number of
          interim responses.
       + References
        - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364
    
      [ Marc Deslauriers ]
      * SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
        mod_proxy_balancer
        - debian/patches/200_security_CVE-2007-6420.dpatch: generate and validate a
          nonce in modules/proxy/mod_proxy_balancer.c.
        - CVE-2007-6420
      * SECURITY UPDATE: Denial of service via large number of interim responses in
        mod_proxy module (LP: #239894)
        - debian/patches/201_security_CVE-2008-2364.dpatch: updated patch to newer
          version.
        - CVE-2008-2364
      * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
        mod_proxy_ftp module
        - debian/patches/202_security_CVE-2008-2939.dpatch: escape the html
          contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
        - CVE-2008-2939
    
     -- Marc Deslauriers <email address hidden>   Thu, 05 Mar 2009 17:20:17 -0500
  • apache2 (2.2.8-1ubuntu0.3) hardy-proposed; urgency=low
    
      * debian/config-dir/mods-available/disk_cache.conf:
        Don't enable caching of the root URL by default when disk_cache is
        enabled. (LP: #219914).
        disk_cache caches sensitive information without additional tweaks.
        Enabling it by default has security implications - it should be
        treated as mod_proxy.
      * debian/apache2.2-common.postinst:
        Only enable disk_cache if the 'EnableCache disk ' directive is used in the
        configuration. (LP: #219914).
        If we'd enable on every upgrade from 2.0, htcacheclean would be started
        even if disk_cache isn't used.
    
     -- Mathias Gug <email address hidden>   Tue, 24 Jun 2008 17:45:55 -0400
  • apache2 (2.2.8-1ubuntu0.2) hardy-proposed; urgency=low
    
      * debian/patches/100_mpm_wokers_crash.dpatch
        - Fix for segmentation fault with mpm-worker is under load.
          Backported from http://svn.apache.org/viewvc?view=rev&revision=631362.
          (LP: #235294)
      * debian/apache2.2-common.install:
        - Fix for index.html if it is a dangling symlink when doing an upgrade
          (LP: #221932)
      * debian/rules
        - Fix for Readme.Debian.gz which was a broken symlink. (LP: #231313)
    
     -- Chuck Short <email address hidden>   Tue, 27 May 2008 14:32:13 -0400
  • apache2 (2.2.8-1ubuntu0.1) hardy-proposed; urgency=low
    
      [Dustin Kirkland]
      - debian/patches/060_fix_ssl_mem_leak.dpatch
        Fix buggy ssl memory leak function. Backported from
        http://svn.apache.org/viewvc?view=rev&revision=654119 (LP: #224945)
      - Update maintainers according to spec.
    
      [Chuck Short]
      - debian/config-dir/autoindex.conf
        Added UTF-8 Support. (LP: #193753)
    
     -- Chuck Short <email address hidden>   Tue, 13 May 2008 08:46:01 -0400
  • apache2 (2.2.8-1) unstable; urgency=low
    
      * New upstream version:
        - Fixes cross-site scripting issues in
          o mod_imagemap (CVE-2007-5000)
          o mod_status (CVE-2007-6388)
          o mod_proxy_balancer's balancer manager (CVE-2007-6421)
        - Fixes a denial of service issue in mod_proxy_balancer's balancer manager
          (CVE-2007-6422).
        - Fixes mod_proxy URL encoding in error messages (closes: #337325).
        - Adds explicit charset to the output of various modules to work around
          possible cross-site scripting flaws affecting web browsers that do not
          derive the response character set as required by RFC2616. For
          mod_proxy_ftp there is now the new ProxyFtpDirCharset directive to
          specify something else than ISO-8859-1 (CVE-2008-0005).
        - Adds mod_substitute which performs inline response content pattern
          matching (including regex) and substitution (like mod_line_edit).
        - Adds "DefaultType none" option.
        - Adds new "B" option to RewriteRule to suppress URL unescaping.
        - Adds an "if" directive for mod_include to test whether an URL is
          accessible, and if so, conditionally display content.
        - Adds support for mod_ssl to the event MPM.
      * Move the configuration of User, Group, and PidFile to
        /etc/apache2/envvars. This makes it easier to use these settings in
        scripts. /etc/apache2/envvars can now also be used to influence apache2ctl
        (inspired by Marc Haber's patch).  (Closes: #349709, #460105, #458085)
      * Make apache2ctl check the configuration syntax before trying to restart
        apache, to match the behaviour documented in the man page.
        (Closes: #459236)
      * Convert docs to be directly viewable with a browser (and not use content
        negotiation).
      * Add doc-base entry for the documentation. (closes: #311269)
      * Don't ship default files in /var/www, but copy a sample file to
        /var/www/index.html on new installs. Also remove the now unneeded
        RedirectMatch line from sites-available/default.
        (Closes: #411774, #458093)
      * Add some information to README.Debian (Apache wiki, default virtual host)
      * Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary
        dependencies, easing library transitions (closes: #458857).
      * Add icons for OpenDocuments, add sharutils to Build-Depends for uudecode.
        Patch by Nicolas Valcárcel. (Closes: #436441)
      * Add reportbug script to list enabled modules.
      * Fix some lintian warnings:
        - Pass --no-start to dh_installinit instead of omitting the debhelper token
          in various maintainer scripts. Also move the update-rc.d call to
          apache2.2-common.
        - Add Short-Description to init script.
      * Remove unused apache2-mpm-prefork.prerm from source package and clean up
        debian/rules a bit.
      * Don't ship NEWS.Debian with apache2-utils, as the contents are only
        relevant for the server.
    
     -- Mathias Gug <email address hidden>   Fri,  01 Feb 2008 16:24:43 +0000
  • apache2 (2.2.6-3ubuntu2) hardy; urgency=low
    
      [ Nicolas Valcárcel ]
      * Added icons for OpenDocuments by default on mime.conf
        (Closes: LP: #130836)
      * Icons added to the package in uuencode format
      * Added sharutils to Build-Depends on debian/control for uuencode
      * debian/apache2.2-common.apache2.init:
        - Only look for *.conf files in /etc/apache2 when searching for pidfiles
          (Closes: LP: #112991) Thanks to Daniel Hahler for the patch
    
      [ Soren Hansen ]
      * Clean up after OpenDocument icon generation
    
     -- Soren Hansen <email address hidden>   Wed, 16 Jan 2008 08:52:01 +0100
  • apache2 (2.2.6-3ubuntu1) hardy; urgency=low
    
      * Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary
        dependencies (including db4.5).
      * Modify Maintainer value to match the DebianMaintainerField
        specification.
    
     -- Martin Pitt <email address hidden>   Thu, 03 Jan 2008 11:19:10 +0100
  • apache2 (2.2.6-3) unstable; urgency=low
    
      * Allocate fewer bucket brigades in case of a flush bucket. This might help
        with the memory leaks reported in #399776 and #421557.
      * Escape the HTTP method in error messages to avoid potential cross site
        scripting vulnerabilities (CVE-2007-6203).
      * Update 053_bad_file_descriptor_PR42829.dpatch to avoid a race condition.
      * Redirect /doc/apache2-doc/manual/ to /manual/ in the apache2-doc config
        (Closes: #450867).
      * Add icons for .ogg and .ogm (Closes: #255443).
      * Add comment about how to log X-Forwarded-For (Closes: #425008).
      * Make mod_proxy_balancer not depend on mod_cache.
      * Add Homepage field to debian/control.
      * Add/fix some lintian overrides, fix some warnings.
      * Bump Standards-Version (no changes).
    
     -- Ubuntu Archive Auto-Sync <email address hidden>   Sun,  09 Dec 2007 19:02:32 +0000
  • apache2 (2.2.6-2) unstable; urgency=low
    
      * Avoid calling apr_pollset_poll() and accept_func() when the listening
        sockets have already been closed on graceful stop or reload. This
        hopefully fixes processes not being killed (closes: #445263, #447164)
        and the "Bad file descriptor: apr_socket_accept: (client socket)"
        error message (closes: #400918, #443310)
      * Allow logresolve to process long lines (Closes: #331631)
      * Remove duplicate config examples (Closes: #294662)
      * Include README.backtrace describing how to create a backtrace
      * Add CVE reference to 2.2.6-1 changelog entry
    
    apache2 (2.2.6-1) unstable; urgency=low
    
      * New upstream release
        - fixes mod_proxy DoS for threaded MPMs (CVE-2007-3847)
        - fixes spurious warning for valid wildcard certificates (Closes: #414855)
        - adds warning that htpasswd is not setuid safe (Closes: #356285)
        - adds Type and Charset options to IndexOptions directive,
          allowing a workaround for buggy browsers affected by CVE-2007-4465
        - adds new ProxyPassMatch directive
      * Add index.htm to the default DirectoryIndex configuration
        (Closes: #439375)
      * Use apache2ctl in init script (Closes: #439027)
      * make init script less noisy (Closes: #438950)
      * improve NEWS entry (Closes: #440084)
    
     -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  23 Oct 2007 15:20:12 +0100
  • apache2 (2.2.4-3build1) gutsy; urgency=low
    
      * Trigger rebuild for hppa
    
     -- LaMont Jones <email address hidden>   Thu, 04 Oct 2007 11:58:34 -0600