Change logs for apache2 source package in Dapper

  • apache2 (2.0.55-4ubuntu2.13) dapper-security; urgency=low
    
      * SECURITY UPDATE: denial of service in apr_fnmatch exploitable via
        apache's mod_index
        - debian/patches/122_fnmatch_CVE-2011-0419.patch: rewrite
          apr_fnmatch to have better time bounds on execution.
        - CVE-2011-0419
        - debian/patches/123_fnmatch_CVE-2011-1928.patch: fix possible
          DoS introduced by patch for CVE-2011-0419.
        - CVE-2011-1928
     -- Steve Beattie <email address hidden>   Sun, 22 May 2011 21:17:32 -0700
  • apache2 (2.0.55-4ubuntu2.12) dapper-security; urgency=low
    
      * SECURITY UPDATE: denial of service via request that lacks a path in
        mod_dav.
        - debian/patches/120_CVE-2010-1452.dpatch: fix path handling in
          modules/dav/main/util.c.
        - CVE-2010-1452
      * SECURITY UPDATE: denial of service via memory leak in
        apr_brigade_split_line function.
        - debian/patches/121_CVE-2010-1623.dpatch: properly destroy bucket in
          srclib/apr-util/buckets/apr_brigade.c.
        - CVE-2010-1623
     -- Marc Deslauriers <email address hidden>   Thu, 18 Nov 2010 14:39:06 -0500
  • apache2 (2.0.55-4ubuntu2.11) dapper-security; urgency=low
    
      * debian/patches/119_sslinsecurerenegotiation-directive.dpatch: once
        openssl gets updated to fix CVE-2009-3555, server renegotiations with
        unpatched clients will fail. This patch adds the ability to revert to
        the previous unsafe behaviour with a new SSLInsecureRenegotiation
        directive. (LP: #616759)
      * debian/control: add specific dependency on first openssl version to get
        CVE-2009-3555 fix.
     -- Marc Deslauriers <email address hidden>   Mon, 16 Aug 2010 13:44:28 -0400
  • apache2 (2.0.55-4ubuntu2.10) dapper-security; urgency=low
    
      * SECURITY UPDATE: information disclosure via improper handling of
        headers in subrequests
        - debian/patches/118_CVE-2010-0434.dpatch: use a copy of r->headers_in
          in server/protocol.c.
        - CVE-2010-0434
     -- Marc Deslauriers <email address hidden>   Mon, 08 Mar 2010 14:33:49 -0500
  • apache2 (2.0.55-4ubuntu2.9) dapper-security; urgency=low
    
      * SECURITY UPDATE: Reject client-initiated SSL/TLS renegotiations.
        Partial fix for CVE-2009-3555. Configurations requiring renegotiation
        of per-directory/location access controls are still affected until
        OpenSSL is updated.
        - debian/patches/115_CVE-2009-3555.patch: disable all client
          renegotiations
        - based on http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
        - CVE-2009-3555
      * SECURITY UPDATE: fix NULL pointer dereference in mod_proxy_ftp module
        - debian/patches/116-CVE-2009-3094.patch: fix NULL pointer dereference
          in mod_proxy_ftp.c/apr_socket_close() and potential buffer overread
          in EPSV response parser
        - based on http://svn.apache.org/viewvc?revision=814652&view=revision
        - CVE-2009-3094
      * SECURITY UPDATE: fix access control bypass in mod_proxy_ftp when
        configured as a reverse proxy
        - debian/patches/117-CVE-2009-3095.patch: adjust proxy_ftp_handler()
          in mod_proxy_ftp.c to fail if the decoded Basic credentials contain
          special characters.
        - based on http://svn.apache.org/viewvc?revision=814045&view=revision
        - CVE-2009-3095
     -- Jamie Strandboge <email address hidden>   Thu, 12 Nov 2009 15:45:14 -0600
  • apache2 (2.0.55-4ubuntu2.8) dapper-security; urgency=low
    
      * SECURITY UPDATE: remote denial of service in mod_deflate module when
        the network connection was closed before compression completed
        - debian/patches/113_CVE-2009-1891.patch: update patch to fix
          regression that caused segfaults under certain circumstances.
          (LP: #409987)
        - CVE-2009-1891
    
     -- Marc Deslauriers <email address hidden>   Mon, 17 Aug 2009 13:34:03 -0400
  • apache2 (2.0.55-4ubuntu2.7) dapper-security; urgency=low
    
      * SECURITY UPDATE: fix integer overflow in libapr
        - debian/patches/114_CVE-2009-2412.patch: adjust allocator_alloc() and
          apr_palloc() in apr_pools.c to check for overflow after aligning size
        - http://www.apache.org/dist/apr/patches/apr-0.9-CVE-2009-2412.patch
        - CVE-2009-2412
      * SECURITY UPDATE: fix integer overflow in libaprutil
        - debian/patches/114_CVE-2009-2412b.patch: adjust apr_rmm_malloc,
          apr_rmm_calloc, apr_rmm_realloc to check for overflow after aligning
          size
        - http://www.apache.org/dist/apr/patches/apr-util-0.9-CVE-2009-2412.patch
        - CVE-2009-2412
    
     -- Jamie Strandboge <email address hidden>   Fri, 07 Aug 2009 11:30:44 -0500
  • apache2 (2.0.55-4ubuntu2.6) dapper-security; urgency=low
    
      * SECURITY UPDATE: remote denial of service in mod_deflate module when
        the network connection was closed before compression completed
        - debian/patches/113_CVE-2009-1891.patch: fail if the connection has
          been aborted in server/core.c
        - CVE-2009-1891
    
     -- Marc Deslauriers <email address hidden>   Fri, 10 Jul 2009 10:39:28 -0400
  • apache2 (2.0.55-4ubuntu2.5) dapper-security; urgency=low
    
      * SECURITY UPDATE: Fix underflow in apr_strmatch_precompile
        - debian/patches/110_CVE-2009-0023.dpatch: adjust
          srclib/apr-util/strmatch/apr_strmatch.c to properly evaluate strings as
          unsigned char rather than int
        - CVE-2009-0023
      * SECURITY UPDATE: Prevent "billion laughs" attack against expat
        - debian/patches/111_CVE-2009-1955.dpatch: adjust
          srclib/apr-util/xml/apr_xml.c to disable internal entity expansion
        - CVE-2009-1955
      * SECURITY UPDATE: Fix off by one overflow in apr_brigade_vprintf
        - debian/patches/112_CVE-2009-1956.dpatch: don't add null terminator to
          vd.vbuff.curpos in srclib/apr-util/buckets/apr_brigade.c
        - CVE-2009-1956
    
     -- Jamie Strandboge <email address hidden>   Wed, 10 Jun 2009 22:01:23 -0500
  • apache2 (2.0.55-4ubuntu2.4) dapper-security; urgency=low
    
      * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in "413 Request
        Entity Too Large" error message
        - debian/patches/106_CVE-2007-6203.patch: properly escape some error
          messages in modules/http/http_protocol.c.
        - CVE-2007-6203
      * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability via UTF-7 encoded
        URLs
        - debian/patches/107_CVE-2008-2168.patch: specify a default charset in
          modules/dav/main/mod_dav.c and modules/generators/mod_info.c.
        - CVE-2008-2168
      * SECURITY UPDATE: Denial of service via large number of interim responses in
        mod_proxy module (LP: #239894)
        - debian/patches/108_CVE-2008-2364.patch: limit the number of interim
          responses in modules/proxy/proxy_http.c.
        - CVE-2008-2364
      * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
        mod_proxy_ftp module
        - debian/patches/109_CVE-2008-2939.patch: escape the html contained in the
          wildcard value in modules/proxy/proxy_ftp.c.
        - CVE-2008-2939
    
     -- Marc Deslauriers <email address hidden>   Wed, 25 Feb 2009 08:59:04 -0500
  • apache2 (2.0.55-4ubuntu2.3) dapper-security; urgency=low
    
      * SECURITY UPDATE: denial of service (application crash) when using
        mod_proxy in threaded MPM via crafted date headers.
      * debian/patches/100_CVE-2007-3847.patch: fix proxy_util.c to use
        apr_date_parse_http() and apr_rfc822_date()
      * SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c
        when charset not defined
      * debian/patches/101_CVE-2007-4465.patch: fix mod_autoindex.c to properly
        check for and use charset
      * SECURITY UPDATE: cross-site scripting vulnerability in mod_imap
      * debian/patches/102_CVE-2007-5000.patch: fix for mod_imap.c to use
        ap_escape_html()
      * SECURITY UPDATE: cross-site scripting vulnerability in mod_status when
        server-status is enabled
      * debian/patches/103_CVE-2007-6388.patch: fix for mod_status.c to properly
        setup table
      * SECURITY UPDATE: cross-site scripting vulnerability in proxy_ftp when
        charset is not defined
      * debian/patches/104_CVE-2008-0005.patch: fix for proxy_ftp.c to define
        a charset
      * SECURITY UPDATE: cross-site scripting vulnerability in Expect headers
      * debian/patches/105_CVE-2006-3918.patch: fix for http_protocol.c to use
        ap_escape_html()
      * References
        CVE-2007-3847
        CVE-2007-4465
        CVE-2007-5000
        CVE-2007-6388
        CVE-2008-0005
        CVE-2006-3918
    
     -- Jamie Strandboge <email address hidden>   Tue, 29 Jan 2008 20:18:52 +0000
  • apache2 (2.0.55-4ubuntu2.2) dapper-security; urgency=low
    
      * SECURITY UPDATE: XSS in mod_status, bad signal passing.
      * Backported fixes from upstream:
        - CVE-2007-3304: stop signals from being sent to other processes.
          http://svn.apache.org/viewvc?view=rev&revision=547987
        - CVE-2006-5752: fixed XSS in status report.
          http://svn.apache.org/viewvc?view=rev&revision=549159
    
     -- Kees Cook <email address hidden>   Wed, 15 Aug 2007 15:32:31 -0700
  • apache2 (2.0.55-4ubuntu2.1) dapper-security; urgency=low
    
      * SECURITY UPDATE: Remote DoS, potential remote code execution.
      * Add debian/patches/053_mod_rewite_CVE-2006-3747:
        - Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler.
        - Reported by Mark Dowd of McAfee Avert Labs.
        - CVE-2006-3747
    
     -- Martin Pitt <email address hidden>   Wed, 26 Jul 2006 07:14:56 +0000
  • apache2 (2.0.55-4ubuntu2) dapper; urgency=low
    
      * Include patch from SVN HEAD to make sure LFS works on 64-bit platforms
        where sendfile() doesn't like dealing with anything larger than 32-bit
        chunks.  Yes, Linux 2.6, I'm looking at you (see: launchpad.net/11850)
    
     -- Adam Conrad <email address hidden>   Fri, 26 May 2006 20:12:28 +1000
  • apache2 (2.0.55-4ubuntu1) dapper; urgency=low
    
      * Restore the "a2enmod userdir" that went missing in the "cruft cleaning"
        in the last upload, since it's required to sanely configure new setups.
    
     -- Adam Conrad <email address hidden>   Mon, 22 May 2006 10:20:22 +1000
  • apache2 (2.0.55-4) unstable; urgency=low
    
    
      * Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
        mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
      * Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in
        threaded MPMs when making a non-SSL connection to an SSL-enabled port
        on a server with a custom 400 error document defined; see CVE-2005-3357
      * Clean up our use of trailing slashes on directories in debian/rules, so
        the newer, pickier, obviously very improved coreutils doesn't bite us.
      * Remove some cruft from apache2-common's postinst, dealing with upgrade
        scenarios from versions older than those released in Sarge or Warty.
      * Use "SHELL := sh -e" in debian/rules, so the build will stop on shell
        errors, instead of blundering on to later make targets (closes: #340761)
      * Recreate /var/run/apache2 and /var/lock/apache2 in our init script, in
        case the user has /var/run and /var/lock on tmpfs, which is fashionable.
      * Make our init script a /bin/bash script instead of a /bin/sh script, so
        we can abuse it with regex globbing (#348189, #347962, #340955, #342008)
      * Take patch from Adrian Bridgett to output errors from our config test
        in the init script, but only do so when we're VERBOSE (closes: #339323)
      * In the spirit of the LSB, make our init script exit 2 when called with
        incorrect arguments, and exit 4 when asked for status (closes: #330275)
      * Fix the default site to not mix configuration syntax (closes: #345922)
      * Mention apxs2 in the apache2-*-dev long descriptions (closes: #307921)
    
     -- Adam Conrad <adconrad@0c3.net>  Sat, 26 Nov 2005 19:06:32 +1100
  • apache2 (2.0.55-3build1) dapper; urgency=low
    
    
      * Rebuild for libstdc++ allocator change
    
     -- Matthias Klose <email address hidden>  Thu, 24 Nov 2005 12:16:41 +0000
  • apache2 (2.0.55-3) unstable; urgency=low
    
    
      * Brown paper bag release: Tidy up CFLAGS and APR configure call to make
        sure that what we link to agrees with what apu-config tells others to do.
    
     -- Adam Conrad <adconrad@0c3.net>  Mon, 24 Oct 2005 13:02:52 +1000