apache2 (2.2.20-1ubuntu1.4) oneiric-security; urgency=low

  * SECURITY UPDATE: multiple cross-site scripting issues
    - debian/patches/CVE-2012-3499_4558.dpatch: properly escape HTML in
      modules/generators/{mod_info.c,mod_status.c},
      modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
      modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
    - CVE-2012-3499
    - CVE-2012-4558
  * SECURITY UPDATE: denial of service in mod_proxy_ajp
    - debian/patches/CVE-2012-4557.dpatch: check for timeout in
      modules/proxy/ajp_link.c, modules/proxy/mod_proxy_ajp.c.
    - CVE-2012-4557
  * SECURITY UPDATE: symlink attack in apache2ctl script
    - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
    - Thanks to Stefan Fritsch for the fix.
    - CVE-2013-1048

 -- Marc Deslauriers <email address hidden>  Fri, 08 Mar 2013 09:56:53 -0500
apache2 (2.2.20-1ubuntu1.3) oneiric-security; urgency=low

  * SECURITY UPDATE: XSS vulnerability in mod_negotiation
    - debian/patches/220_CVE-2012-2687.dpatch: escape filenames in
      modules/mappers/mod_negotiation.c.
    - CVE-2012-2687
  * SECURITY UPDATE: CRIME SSL attack (LP: #1068854)
    - debian/patches/221_CVE-2012-4929.dpatch: backport SSLCompression
      on|off directive. Defaults to off as enabling compression enables the
      CRIME attack.
    - CVE-2012-4929

 -- Marc Deslauriers <email address hidden>  Tue, 06 Nov 2012 14:32:40 -0500
apache2 (2.2.20-1ubuntu1.2) oneiric-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service via invalid cookie
    - debian/patches/217_CVE-2012-0021.dpatch: check name and value in
      modules/loggers/mod_log_config.c.
    - CVE-2012-0021
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/218_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053

 -- Marc Deslauriers <email address hidden>  Tue, 14 Feb 2012 09:35:36 -0500
apache2 (2.2.20-1ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests. (patch courtesy of Michael Jeanson)
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/214_CVE-2011-3192_regression.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option, along
      with a staged fix for the 2.2.22 release.

 -- Steve Beattie <email address hidden>  Mon, 07 Nov 2011 14:01:10 -0800
apache2 (2.2.20-1ubuntu1) oneiric; urgency=low

  * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
    Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree
    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
      Plymouth-aware passphrase dialog program ask-for-passphrase.

 -- Steve Beattie <email address hidden>  Tue, 06 Sep 2011 01:17:15 -0700
apache2 (2.2.19-1ubuntu1) oneiric; urgency=low

  * Merge from debian unstable (LP: #787013). Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree
    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
      Plymouth-aware passphrase dialog program ask-for-passphrase.

 -- Andres Rodriguez <email address hidden>  Mon, 23 May 2011 10:16:09 -0400
apache2 (2.2.17-3ubuntu1) oneiric; urgency=low

  * Merge from debian unstable. Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree
    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
      Plymouth-aware passphrase dialog program ask-for-passphrase.

apache2 (2.2.17-3) unstable; urgency=low

  * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
  * Fix link errors with -no-add-needed/--no-copy-dt-needed-entries in
    htpasswd/htdbm.

apache2 (2.2.17-2) unstable; urgency=high

  * New mpm_itk upstream version 2.2.17-01:
    - Fix CVE-2011-1176: If NiceValue was set, the default with no
      AssignUserID was to run as root:root instead of the default Apache user
      and group, due to the configuration merger having an incorrect default
      configuration. Closes: #618857
  * Make exit code of '/etc/init.d/apache2 status' more LSB compatible.
    Closes: #613969
  * Set the default file descriptor limit to 8192 instead of whatever the
    current limit is (usually 1024). Document how to change it in
    /etc/apache2/envvars. Closes: #615632
  * Fix typo in init script. Closes: #615866
  * Add hint in README.Debian about 403 error with mod_dav PUT. Closes: #613438
  * Remove some obsolete Depends and Replaces.

 -- Chuck Short <email address hidden>  Mon, 11 Apr 2011 02:13:30 +0100
apache2 (2.2.17-1ubuntu1) natty; urgency=low

  * Merge from debian unstable, remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree
    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
      Plymouth-aware passphrase dialog program ask-for-passphrase.

 -- Chuck Short <email address hidden>  Tue, 22 Feb 2011 13:02:08 -0500