-
apache2 (2.2.14-5ubuntu8.15) lucid-security; urgency=medium
* SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
- debian/patches/CVE-2013-5704.dpatch: don't merge trailers by default
and add a "MergeTrailers" directive to revert to previous behaviour
to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
modules/http/http_request.c, modules/loggers/mod_log_config.c,
modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c,
server/core.c, server/protocol.c.
- CVE-2013-5704
-- Marc Deslauriers <email address hidden> Thu, 05 Mar 2015 12:45:09 -0500
-
apache2 (2.2.14-5ubuntu8.14) lucid-security; urgency=medium
* SECURITY UPDATE: resource consumption via mod_deflate body
decompression
- debian/patches/CVE-2014-0118.dpatch: added new configuration options
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and
DeflateInflateRatioBurst in modules/filters/mod_deflate.c.
- CVE-2014-0118
* SECURITY UPDATE: denial of service via race in mod_status
- debian/patches/CVE-2014-0226.dpatch: fix race by adding
ap_copy_scoreboard_worker() to include/scoreboard.h,
modules/generators/mod_status.c, server/scoreboard.c.
- CVE-2014-0226
* SECURITY UPDATE: denial of service in mod_cgid
- debian/patches/CVE-2014-0231.dpatch: added new configuration option
CGIDScriptTimeout in modules/generators/mod_cgid.c.
- CVE-2014-0231
-- Marc Deslauriers <email address hidden> Tue, 22 Jul 2014 10:03:41 -0400
-
apache2 (2.2.14-5ubuntu8.13) lucid-security; urgency=medium
* SECURITY UPDATE: denial of service via mod_dav incorrect end of string
calculation
- debian/patches/CVE-2013-6438.dpatch: properly calculate correct length
in modules/dav/main/util.c.
- CVE-2013-6438
-- Marc Deslauriers <email address hidden> Wed, 19 Mar 2014 15:51:06 -0400
-
apache2 (2.2.14-5ubuntu8.12) lucid-security; urgency=low
* SECURITY UPDATE: log file poisoning via mod_rewrite (LP: #1188069)
- debian/patches/CVE-2013-1862.dpatch: properly escape items in
modules/mappers/mod_rewrite.c.
- CVE-2013-1862
* SECURITY UPDATE: denial of service via MERGE request
- debian/patches/CVE-2013-1896.dpatch: make sure DAV is enabled for URI
in modules/dav/main/mod_dav.c.
- CVE-2013-1896
-- Marc Deslauriers <email address hidden> Fri, 12 Jul 2013 09:00:34 -0400
-
apache2 (2.2.14-5ubuntu8.11) lucid-security; urgency=low
* SECURITY UPDATE: multiple cross-site scripting issues
- debian/patches/CVE-2012-3499_4558.dpatch: properly escape html in
modules/generators/{mod_info.c,mod_status.c},
modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
- CVE-2012-3499
- CVE-2012-4558
* SECURITY UPDATE: denial of service in mod_proxy_ajp
- debian/patches/CVE-2012-4557.dpatch: check for timeout in
modules/proxy/ajp_link.c, modules/proxy/mod_proxy_ajp.c.
- CVE-2012-4557
* SECURITY UPDATE: symlink attack in apache2ctl script
- debian/patches/CVE-2013-1048.dpatch: introduce and use a safer
mkdir_chown() function in support/apachectl.in.
- CVE-2013-1048
-- Marc Deslauriers <email address hidden> Fri, 08 Mar 2013 10:47:48 -0500
-
apache2 (2.2.14-5ubuntu8.10) lucid-security; urgency=low
* SECURITY UPDATE: XSS vulnerability in mod_negotiation
- debian/patches/302_CVE-2012-2687.dpatch: escape filenames in
modules/mappers/mod_negotiation.c.
- CVE-2012-2687
* SECURITY UPDATE: CRIME SSL attack (LP: #1068854)
- debian/patches/303_CVE-2012-4929.dpatch: backport SSLCompression
on|off directive. Defaults to off as enabling compression enables the
CRIME attack.
- CVE-2012-4929
-- Marc Deslauriers <email address hidden> Tue, 06 Nov 2012 14:47:15 -0500
-
apache2 (2.2.14-5ubuntu8.9) lucid-proposed; urgency=low
* debian/patches/99-fix-mod-dav-permissions.dpatch: Fix webdav permissions,
backported from trunk. Thanks to James M. Leady (LP: #540747)
-- Chuck Short <email address hidden> Fri, 02 Mar 2012 14:43:08 -0500
-
apache2 (2.2.14-5ubuntu8.8) lucid-security; urgency=low
* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
directive (LP: #811422)
- debian/patches/215_CVE-2011-3607.dpatch: validate length in
server/util.c.
- CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
- debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
server/protocol.c.
- CVE-2011-4317
* SECURITY UPDATE: denial of service and possible code execution via
type field modification within a scoreboard shared memory segment
- debian/patches/218_CVE-2012-0031.dpatch: check type field in
server/scoreboard.c.
- CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
- debian/patches/219_CVE-2012-0053.dpatch: check lengths in
server/protocol.c.
- CVE-2012-0053
-- Marc Deslauriers <email address hidden> Tue, 14 Feb 2012 10:36:43 -0500
-
apache2 (2.2.14-5ubuntu8.7) lucid-security; urgency=low
[ Michael Jeanson ]
* SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
- debian/patches/212_CVE-2011-3368.dpatch: return 400
on invalid requests.
- debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for the HTTP
0.9 protocol.
- CVE-2011-3368
[ Steve Beattie ]
* SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
- debian/patches/213_CVE-2011-3348.dpatch: return
HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
- CVE-2011-3348
* SECURITY UPDATE: mpm-itk failure to drop privileges in certain
configurations
- debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge
configurations correctly
- CVE-2011-1176
* Include additional fixes for regressions introduced by
CVE-2011-3192 fixes
- debian/patches/215_CVE-2011-3192_regression_part2.dpatch:
take upstream fixes for byterange_filter.c through the 2.2.21
release except for the added MaxRanges configuration option along
with a fix staged for 2.2.22.
-- Steve Beattie <email address hidden> Wed, 02 Nov 2011 17:27:07 -0700
-
apache2 (2.2.14-5ubuntu8.6) lucid-security; urgency=low
* SECURITY UPDATE: Range header DoS vulnerability
- debian/patches/207_CVE-2011-3192.dpatch: filter out large
byte ranges and improve memory efficiency in handling buckets.
(thanks to Debian and upstream)
- CVE-2011-3192
* Include fix for regressions introduced by above patch:
- debian/patches/208_CVE-2011-3192_regression.dpatch: return 206
and 416 response codes where appropriate (see Debian bug 639825)
-- Steve Beattie <email address hidden> Thu, 01 Sep 2011 01:52:17 -0700
-
apache2 (2.2.14-5ubuntu8.4) lucid-security; urgency=low
* SECURITY UPDATE: denial of service via request that lacks a path in
mod_cache and mod_dav.
- debian/patches/201_CVE-2010-1452.dpatch: fix path handling in
modules/cache/cache_storage.c and modules/dav/main/util.c.
- CVE-2010-1452
-- Marc Deslauriers <email address hidden> Thu, 18 Nov 2010 13:10:01 -0500
-
apache2 (2.2.14-5ubuntu8.3) lucid-proposed; urgency=low
* debian/apache2.2-common.postinst: Don't fail if you can load the reqtimeout module.
(LP: #621837)
* debian/patches/Backport fix for upstream bug PR 45444: https://issues.apache.org/bugzilla/show_bug.cgi?id=45444. (LP: #609290, #589611, #595116)
-- Chuck Short <email address hidden> Mon, 27 Sep 2010 14:06:57 -0400
-
apache2 (2.2.14-5ubuntu8.2) lucid-security; urgency=low
* debian/patches/211-sslinsecurerenegotiation-directive.dpatch: once
openssl gets updated to fix CVE-2009-3555, server renegotiations with
unpatched clients will fail. This patch adds the ability to revert to
the previous unsafe behaviour with a new SSLInsecureRenegotiation
directive. (LP: #616759)
* debian/control: add specific dependency on first openssl version to get
CVE-2009-3555 fix.
-- Marc Deslauriers <email address hidden> Wed, 18 Aug 2010 16:37:47 -0400
-
apache2 (2.2.14-5ubuntu8.1) lucid-proposed; urgency=low
* debian/patches/upstream-fix-for-lp-609290.patch: Backport fix for upstream bug PR 45444.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45444. (LP: #609290, #589611, #595116)
-- Chuck Short <email address hidden> Fri, 06 Aug 2010 12:32:36 -0500
-
apache2 (2.2.14-5ubuntu8) lucid; urgency=low
* debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
(LP: #562370)
-- Chuck Short <email address hidden> Tue, 13 Apr 2010 15:09:57 -0400
-
apache2 (2.2.14-5ubuntu7) lucid; urgency=low
* debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
leaks by making sure to not destroy bucket brigades that have been created
by earlier filters. Backported from 2.2.15.
* debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
has reached MaxClients until it has. Backported from 2.2.15
* debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
more secure by adding Satisfy all. (Debian bug: #572075)
* debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
debian/config2-dir/mods-available/reqtimeout.load,
debian/config2-dir/mods-available/reqtimeout.conf, debian/NEWS: Backport the
mod-reqtimeout module from 2.2.15; this mitigates the Slowloris
bug in Apache. Enable it by default. (LP: #392759)
-- Chuck Short <email address hidden> Mon, 05 Apr 2010 09:53:35 -0400
-
apache2 (2.2.14-5ubuntu6) lucid; urgency=low
* debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)
-- Chuck Short <email address hidden> Tue, 30 Mar 2010 09:41:11 -0400
-
apache2 (2.2.14-5ubuntu5) lucid; urgency=low
* Revert 99-fix-mod-dav-permissions.dpatch
-- Chuck Short <email address hidden> Tue, 30 Mar 2010 07:55:46 -0400
-
apache2 (2.2.14-5ubuntu4) lucid; urgency=low
* debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permissions when
downloading files from webdav (LP: #540747)
* debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)
-- Chuck Short <email address hidden> Mon, 29 Mar 2010 13:37:39 -0400
-
apache2 (2.2.14-5ubuntu3) lucid; urgency=low
* SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
- debian/patches/204_CVE-2010-0408.dpatch: return the right error code
in modules/proxy/mod_proxy_ajp.c.
- CVE-2010-0408
* SECURITY UPDATE: information disclosure via improper handling of
headers in subrequests
- debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in
in server/protocol.c.
- CVE-2010-0434
-- Marc Deslauriers <email address hidden> Wed, 10 Mar 2010 14:48:48 -0500
-
apache2 (2.2.14-5ubuntu2) lucid; urgency=low
* debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really
wacky options. (LP: #450501)
-- Chuck Short <email address hidden> Mon, 08 Mar 2010 14:53:17 -0500
-
apache2 (2.2.14-5ubuntu1) lucid; urgency=low
* Merge from debian testing. Remaining changes: LP: #506862
- debian/{control, rules}: Enable PIE hardening.
- debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
- debian/control: Add bzr tag and point it to our tree.
apache2 (2.2.14-5) unstable; urgency=low
* Security: Further mitigation for the TLS renegotiation attack
(CVE-2009-3555): Disable keep-alive if parts of the next request have
already been received when doing a renegotiation. This defends against
some request splicing attacks.
* Print a useful error message if 'apache2ctl status' fails. Add a comment
to /etc/apache2/envvars on how to change the options for www-browser.
Closes: #561496, #272069
* Improve function to detect apache2 pid in init-script (closes: #562583).
* Add hint README.Debian on how to pass auth info to CGI scripts.
Closes: #483219
* Re-introduce objcopy magic to avoid dangling symlinks to the debug info
in the mpm packages. Closes: #563278
* Make apxs2 use a2enmod and /etc/apache2/mods-available. Closes: #470178,
LP: #500703
* Point to README.backtrace in apache2-dbg's description.
* Use more debhelper functions to simplify debian/rules.
* Add misc-depends to various packages to make lintian happy.
* Change build-dep from libcap2-dev to libcap-dev because of package rename.
-- Bhavani Shankar <email address hidden> Wed, 13 Jan 2010 14:28:41 +0530
-
apache2 (2.2.14-4ubuntu1) lucid; urgency=low
* Resynchronize with Debian, remaining changes are:
- debian/{control, rules}: Enable PIE hardening.
- debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
- debian/control: Add bzr tag and point it to our tree.
-- Chuck Short <email address hidden> Wed, 23 Dec 2009 14:44:51 -0500
-
apache2 (2.2.14-2ubuntu1) lucid; urgency=low
* Merge from debian testing, remaining changes:
- debian/{control, rules}: Enable PIE hardening.
- debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
- debian/control: Add bzr tag and point it to our tree.
- removed debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch: it was
already dropped from 00list, so just remove the patch entirely
apache2 (2.2.14-2) unstable; urgency=medium
* Security:
Reject any client-initiated SSL/TLS renegotiations. This is a partial fix
for the TLS renegotiation prefix injection attack (CVE-2009-3555).
Any configuration which requires renegotiation for per-directory/location
access control is still vulnerable.
* Allow RemoveType to override the types from /etc/mime.types. This allows
using .es and .tr for Spanish and Turkish files in mod_negotiation.
Closes: #496080
* Fix 'CacheEnable disk http://'. Closes: #442266
* Fix missing dependency by changing killall to pkill in the init script.
LP: #460692
* Add X-Interactive header to init script as it may ask for the ssl key
passphrase. Closes: #554824
* Move httxt2dbm man page into apache2.2-bin, which includes httxt2dbm, too.
* Enable keepalive for MSIE 7 and newer in default-ssl site and README.Debian
-- Jamie Strandboge <email address hidden> Thu, 12 Nov 2009 16:09:30 -0600
-
apache2 (2.2.14-1ubuntu1) lucid; urgency=low
* Merge from debian testing, remaining changes:
- debian/{control, rules}: Enable PIE hardening.
- debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
- debian/control: Add bzr tag and point it to our tree.
- Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
Already applied upstream.
apache2 (2.2.14-1) unstable; urgency=low
* New upstream version:
- new module mod_proxy_scgi
* Disable hardening option -pie again, as gdb in Debian does not support
it properly and it is broken on mips*.
apache2 (2.2.13-2) unstable; urgency=high
* mod_proxy_ftp security fixes (closes: #545951):
- DoS by malicious ftp server (CVE-2009-3094)
- missing input sanitization: a user could execute arbitrary ftp commands
on the backend ftp server (CVE-2009-3095)
* Add entries to NEWS.Debian and README.Debian about Apache being stricter
about certain misconfigurations involving name based SSL virtual hosts.
Also make Apache print the location of the misconfigured VirtualHost when
it complains about a missing SSLCertificateFile statement. Closes: #541607
* Add Build-Conflicts: autoconf2.13 (closes: #541536).
* Adjust priority of apache2-mpm-itk to extra.
* Switch apache2.2-common and the four mpm packages from architecture all to
any. This is stupid but makes apache2 binNMUable again (closes: #544509).
* Bump Standards-Version (no changes).
apache2 (2.2.13-1) unstable; urgency=low
* New upstream release:
- Fixes segfault with mod_deflate and mod_php (closes: #542623).
-- Chuck Short <email address hidden> Fri, 06 Nov 2009 00:29:03 +0000
-
apache2 (2.2.12-1ubuntu2) karmic; urgency=low
* debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
- Fix potential segfaults with the use of the legacy ap_rputs() etc
interfaces, in cases where an output filter fails. This happens
frequently after CVE-2009-1891 got fixed. (LP: #409987)
-- Marc Deslauriers <email address hidden> Mon, 17 Aug 2009 15:38:47 -0400