Change logs for apache2 source package in Natty

  • apache2 (2.2.17-1ubuntu1.5) natty-security; urgency=low
    
      * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
        directive (LP: #811422)
        - debian/patches/215_CVE-2011-3607.dpatch: validate length in
          server/util.c.
        - CVE-2011-3607
      * SECURITY UPDATE: another mod_proxy reverse proxy exposure
        - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
          modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
          server/protocol.c.
        - CVE-2011-4317
      * SECURITY UPDATE: denial of service via invalid cookie
        - debian/patches/217_CVE-2012-0021.dpatch: check name and value in
          modules/loggers/mod_log_config.c.
        - CVE-2012-0021
      * SECURITY UPDATE: denial of service and possible code execution via
        type field modification within a scoreboard shared memory segment
        - debian/patches/218_CVE-2012-0031.dpatch: check type field in
          server/scoreboard.c.
        - CVE-2012-0031
      * SECURITY UPDATE: cookie disclosure via Bad Request errors
        - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
          server/protocol.c.
        - CVE-2012-0053
     -- Marc Deslauriers <email address hidden>   Tue, 14 Feb 2012 10:02:26 -0500
  • apache2 (2.2.17-1ubuntu1.4) natty-security; urgency=low
    
      * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
        - debian/patches/212_CVE-2011-3368.dpatch: return 400
          on invalid requests. (patch courtesy of Michael Jeanson)
        - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
          0.9 protocol
        - CVE-2011-3368
      * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
        - debian/patches/213_CVE-2011-3348.dpatch: return
          HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
        - CVE-2011-3348
      * SECURITY UPDATE: mpm-itk failure to drop privileges in certain
        configurations
        - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge
          configurations correctly
        - CVE-2011-1176
      * Include additional fixes for regressions introduced by
        CVE-2011-3192 fixes
        - debian/patches/084_CVE-2011-3192_regression_part2.dpatch:
          take upstream fixes for byterange_filter.c through the 2.2.21
          release except for the added MaxRanges configuration option along
          with a fix staged for 2.2.22.
     -- Steve Beattie <email address hidden>   Wed, 02 Nov 2011 17:21:04 -0700
  • apache2 (2.2.17-1ubuntu1.2) natty-security; urgency=low
    
      * SECURITY UPDATE: Range header DoS vulnerability
        - debian/patches/083_CVE-2011-3192.dpatch: filter out large
          byte ranges and improve memory efficiency in handling buckets.
          (thanks to Debian and upstream)
        - CVE-2011-3192
      * Include fix for regressions introduced by above patch:
        - debian/patches/084_CVE-2011-3192_regression.dpatch: return 206
          and 416 response codes where appropriate (see Debian bug 639825)
     -- Steve Beattie <email address hidden>   Thu, 01 Sep 2011 01:51:37 -0700
  • apache2 (2.2.17-1ubuntu1) natty; urgency=low
    
      * Merge from debian unstable, remaining changes:
        - debian/{control, rules}: Enable PIE hardening.
        - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
        - debian/control: Add bzr tag and point it to our tree
        - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
        - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
          Plymouth aware passphrase dialog program ask-for-passphrase.
     -- Chuck Short <email address hidden>   Tue, 22 Feb 2011 13:02:08 -0500
  • apache2 (2.2.16-6ubuntu3) natty; urgency=low
    
      * debian/rules: Don't use "-fno-strict-aliasing" since it causes
        apache FTBFS on amd64. (LP: #711293)
     -- Chuck Short <email address hidden>   Tue, 01 Feb 2011 10:19:55 -0500
  • apache2 (2.2.16-6ubuntu2) natty; urgency=low
    
      * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug.
        (LP: #697105)
     -- Chuck Short <email address hidden>   Tue, 25 Jan 2011 11:14:58 -0500
  • apache2 (2.2.16-6ubuntu1) natty; urgency=low
    
      * Merge from debian unstable.  Remaining changes:
        - debian/{control, rules}: Enable PIE hardening.
        - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
        - debian/control: Add bzr tag and point it to our tree
        - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
        - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
          Plymouth aware passphrase dialog program ask-for-passphrase.
    
    apache2 (2.2.16-6) unstable; urgency=low
    
      * Also add $named to the secondary-init-script example.
    
    apache2 (2.2.16-5) unstable; urgency=medium
    
      * Add $named to the init script dependency header, since apache depends on
        DNS in some configurations. Closes: #608437
      * Update outdated description of /etc/apache2/magic in README.Debian.
        Closes: #603586
     -- Chuck Short <email address hidden>   Sun, 02 Jan 2011 06:05:51 +0000
  • apache2 (2.2.16-4ubuntu2) natty; urgency=low
    
      [Clint Byrum]
      * Adding plymouth aware passphrase dialog program ask-for-passphrase.
        (LP: #582963)
        + debian/control: apache2.2-common depends on bash for ask-for-passphrase
        + debian/config-dir/mods-available/ssl.conf:
          - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passphrase
    
      [Chuck Short]
      * Add apport hook. (LP: #609177)
        + debian/apache2.py, debian/apache2.2-common.install
     -- Chuck Short <email address hidden>   Mon, 22 Nov 2010 09:43:43 -0500
  • apache2 (2.2.16-4ubuntu1) natty; urgency=low
    
      * Merge from debian unstable.  Remaining changes:
        - debian/{control, rules}: Enable PIE hardening.
        - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
        - debian/control: Add bzr tag and point it to our tree
    
    apache2 (2.2.16-4) unstable; urgency=medium
    
      * Increase the mod_reqtimeout default timeouts to avoid potential problems
        with CRL-requesting browsers. Also extend the comments in reqtimeout.conf.
      * Remove bogus comment in conf.d/security about default in the "release
        after Lenny".
      * Clarify comments in suexec-custom's default config file. LP: #673289
     -- Chuck Short <email address hidden>   Sun, 14 Nov 2010 23:31:45 +0000
  • apache2 (2.2.16-3ubuntu1) natty; urgency=low
    
      * Merge from debian unstable.  Remaining changes:
        - debian/{control, rules}: Enable PIE hardening.
        - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
        - debian/control: Add bzr tag and point it to our tree.
    
    apache2 (2.2.16-3) unstable; urgency=high
    
      * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
      * Fix "Could not reliably determine the server's ..." error message in
        README.Debian, to make it easier to search for it.  Closes: #590528
    
    apache2 (2.2.16-2) unstable; urgency=low
    
      * Force -j1 for 'make install' to fix occasional FTBFS. Closes: #593036
      * Add a note about the new behaviour of SSL/TLS renegotiation and the new
        directive SSLInsecureRenegotiation to NEWS.Debian. Closes: #593334
      * Support 'graceful' as alias for 'reload' in the init script.
      * In README.Debian, suggest an Apache configuration change to get rid of the
        "Could not reliably determine the server's fully qualified domain name"
        warning, as alternative to changing DNS or /etc/hosts.  Closes: #590528
      * Add notes to README.Debian on how to reduce memory usage.
      * Bump Standards-Version (no changes).
     -- Chuck Short <email address hidden>   Tue, 12 Oct 2010 11:54:48 +0100
  • apache2 (2.2.16-1ubuntu3) maverick; urgency=low
    
      * Revert "stty sane" to unbreak apache starting, this will have to be
        fixed a different way. (LP: #626723)
     -- Chuck Short <email address hidden>   Wed, 08 Sep 2010 08:33:17 -0400