apache2 (2.2.9-7ubuntu3.6) intrepid-security; urgency=low

  * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
    - debian/patches/907_CVE-2010-0408.dpatch: return the right error code
      in modules/proxy/mod_proxy_ajp.c.
    - CVE-2010-0408
  * SECURITY UPDATE: information disclosure via improper handling of
    headers in subrequests
    - debian/patches/908_CVE-2010-0434.dpatch: use a copy of r->headers_in
      in server/protocol.c.
    - CVE-2010-0434

 -- Marc Deslauriers <email address hidden>  Mon, 08 Mar 2010 11:29:11 -0500

apache2 (2.2.9-7ubuntu3.5) intrepid-security; urgency=low

  * SECURITY UPDATE: Reject client-initiated SSL/TLS renegotiations.
    Partial fix for CVE-2009-3555. Configurations requiring renegotiation
    of per-directory/location access controls are still affected until
    OpenSSL is updated.
    - debian/patches/904_CVE-2009-3555.dpatch: disable all client
      renegotiations
    - CVE-2009-3555
  * SECURITY UPDATE: fix NULL pointer dereference in mod_proxy_ftp module
    - debian/patches/905-CVE-2009-3094.dpatch: fix NULL pointer dereference
      in mod_proxy_ftp.c/apr_socket_close() and potential buffer overread
      in EPSV response parser
    - CVE-2009-3094
  * SECURITY UPDATE: fix access control bypass in mod_proxy_ftp when
    configured as a reverse proxy
    - debian/patches/906-CVE-2009-3095.dpatch: adjust proxy_ftp_handler()
      in mod_proxy_ftp.c to fail if the decoded Basic credentials contain
      special characters.
    - CVE-2009-3095

 -- Jamie Strandboge <email address hidden>  Thu, 12 Nov 2009 14:02:27 -0600

apache2 (2.2.9-7ubuntu3.3) intrepid-security; urgency=low

  * SECURITY UPDATE: remote denial of service in mod_deflate module when
    the network connection was closed before compression completed
    - debian/patches/903_CVE-2009-1891.dpatch: update patch to fix
      regression that caused segfaults under certain circumstances.
      (LP: #409987)
    - CVE-2009-1891

 -- Marc Deslauriers <email address hidden>  Mon, 17 Aug 2009 14:37:17 -0400

apache2 (2.2.9-7ubuntu3.2) intrepid-security; urgency=low

  * SECURITY UPDATE: remote denial of service in the mod_proxy module via
    amount of streamed data that exceeds the Content-Length value
    - debian/patches/902_CVE-2009-1890.dpatch: make sure Content-Length is
      sane and check the length of the data in modules/proxy/mod_proxy_http.c
    - CVE-2009-1890
  * SECURITY UPDATE: remote denial of service in mod_deflate module when
    the network connection was closed before compression completed
    - debian/patches/903_CVE-2009-1891.dpatch: fail if the connection has
      been aborted in server/core_filters.c
    - CVE-2009-1891

 -- Marc Deslauriers <email address hidden>  Thu, 09 Jul 2009 14:47:48 -0400

apache2 (2.2.9-7ubuntu3.1) intrepid-security; urgency=low

  * SECURITY UPDATE: Includes option could be overridden via .htaccess file
    when AllowOverride restrictions do not permit it
    - debian/patches/900_CVE-2009-1195.dpatch: adjust server/config.c,
      server/core.c, modules/filters/mod_include.c, include/http_core.h to
      only enable .htaccess override when permitted.
    - CVE-2009-1195

 -- Jamie Strandboge <email address hidden>  Wed, 10 Jun 2009 17:47:06 -0500

apache2 (2.2.9-7ubuntu3) intrepid; urgency=low

  * Revert logrotate change since it will break it for everyone.

 -- Chuck Short <email address hidden>  Fri, 19 Sep 2008 09:32:01 -0400

apache2 (2.2.9-7ubuntu2) intrepid; urgency=low

  * debian/logrotate: Restart rather than reload for busy websites.
    (LP: #270899)

 -- Chuck Short <email address hidden>  Thu, 18 Sep 2008 08:42:22 -0400

apache2 (2.2.9-7ubuntu1) intrepid; urgency=low

  * Merge from debian unstable, remaining changes:
    - debian/{control,rules}: enable PIE hardening.
    - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles.

apache2 (2.2.9-7) unstable; urgency=low

  * Fix XSS in mod_proxy_ftp (CVE-2008-2939).
  * Fix mod_proxy_http losing the query string with noescape (PR 45247).
  * Make the balancer manager work in Opera and MSIE (PR 45578).
  * Fix mod_headers "edit" removing multiple headers with the same name (PR
    45333).
  * Also describe how to get a backtrace from a running process in
    README.backtrace.

apache2 (2.2.9-6) unstable; urgency=high

  * Urgency high for RC bug fix.
  * Fix SIGBUS on SPARC by preventing gcc from optimizing some memcpy calls
    away. (Closes: #485525)

apache2 (2.2.9-5) unstable; urgency=medium

  * Urgency medium to get this into testing before the freeze.
  * Remove IPv6 patch that was necessary for very old kernels but creates
    problems on systems with current kernels and net.ipv6.bindv6only = 1.
    Apache will now always create its sockets with IPV6_V6ONLY set to 0.
    (Closes: #391280)

apache2 (2.2.9-4) unstable; urgency=low

  * Make postinst more quiet. (Closes: #489153)
  * Add Turkish language support. (Closes: #489224)
  * Remove duplicate comments in sites-available/default-ssl. (Closes: #489383)
  * Describe in NEWS.Debian how to revert to the old NameVirtualHost config.
    (Closes: #489215)
  * Redirect apache2 bug reports to apache2.2-common, to get useful dependency
    information.

 -- Kees Cook <email address hidden>  Thu, 28 Aug 2008 08:10:59 -0700

apache2 (2.2.9-3ubuntu2) intrepid; urgency=low

  * add ufw integration (see
    https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages)
    (LP: #261198)
    - debian/control: suggest ufw for apache2.2-common
    - add apache2.2-common.ufw.profile with 3 profiles and install it to
      /etc/ufw/applications.d/apache2.2-common

 -- Didier Roche <email address hidden>  Tue, 26 Aug 2008 19:03:42 +0200

apache2 (2.2.9-3ubuntu1) intrepid; urgency=low

  * debian/{control,rules}: enable PIE hardening

 -- Kees Cook <email address hidden>  Wed, 20 Aug 2008 15:45:00 -0700

apache2 (2.2.9-3) unstable; urgency=low

  [ Stefan Fritsch ]
  * Move NameVirtualHost directive to ports.conf and switch from "*" to
    "*:80". (Closes: #314606, #486286)
  * Comment out the CacheEnable line in disk_cache.conf. It would have caused
    problems with Etch to Lenny upgrades.
  * Change the minimum user id for suexec back to 100, the new value of 1000
    was too disruptive for existing configurations. (Closes: #488821)
  * Add a default SSL virtual host. (Closes: #267477)
    - Use snakeoil certificate by default (if ssl-cert is installed).
      (Closes: #293524, #446765)
    - Document this in README.Debian.
      (Closes: #293469, #293519, #398520, #395823)
    - Add MSIE workarounds. (Closes: #421802)
    - Add ssl-cert to Recommends.
  * Add a new config file /etc/apache2/conf.d/security with some vaguely
    security related directives. (Closes: #260063)
  * Adjust mod_userdir accordingly. Also add "AllowOverride Indexes" for the
    home directories.
  * Disable SSLv2 by default. It is insecure. Also only enable ciphers with
    key lengths of at least 128 bit.
  * Make the init script complain about a missing $APACHE_PID_FILE during
    "start", too, and not only during "stop" or "restart". This makes it more
    obvious that /etc/apache2/envvars has to be updated. (Closes: #473982)
  * Add hint about the "..., using 127.0.0.1 for ServerName" warning to
    README.Debian. (Closes: #457708)
  * Add hint about the "could not create rewrite_log_lock" error message to
    README.Debian. (Closes: #450831)
  * Remove empty dir from apache2-doc to fix Lintian warning.
  * Always pass -g to gcc instead of relying on dpkg-buildpackage to set
    CFLAGS. We always want the debug info for the apache2-dbg package.

  [ Ryan Niebur ]
  * Upgraded to policy 3.8.0
    - added support for noopt in DEB_BUILD_OPTIONS
    - added a README.source
    - added support for parallel in DEB_BUILD_OPTIONS
  * Dropped XS- from the Vcs fields in control

 -- Chuck Short <email address hidden>  Fri, 04 Jul 2008 09:06:04 +0100

apache2 (2.2.9-2ubuntu1) intrepid; urgency=low

  * debian/config-dir/mods-available/disk_cache.conf:
    Don't enable caching of the root URL by default when disk_cache is
    enabled. (LP: #219914).
  * debian/control: Update Maintainer field.

 -- Mathias Gug <email address hidden>  Tue, 24 Jun 2008 15:03:27 -0400

apache2 (2.2.9-2) unstable; urgency=low

  * Make the init script use normal 'stop' instead of 'graceful-stop' again:
    With graceful-stop, it can take a long time until all child processes have
    closed their listening sockets and there is no way for the init script to
    know when it is safe to start apache again. This could make the restart of
    apache fail. (Closes: #486629, #463338)
  * Improve package descriptions, thanks to Justin B Rye. (Closes: #486855)

 -- Chuck Short <email address hidden>  Tue, 24 Jun 2008 00:58:50 +0100

apache2 (2.2.9-1ubuntu1) intrepid; urgency=low

  * Merge from debian unstable, remaining changes:
    - Dropped debian/patches/100_mpm_wokers_crash.dpatch. Already included
      upstream. (LP: #235294)
    - Dropped debian/patches/059_ssl_memleak_fix_PR44975.dpatch. Already
      included upstream.
    - Updated maintainer field according to spec.

apache2 (2.2.9-1) unstable; urgency=low

  * New upstream release. Notable changes:
    - mod_proxy_http: Better handling of excessive interim responses from
      origin server to prevent potential denial of service and high memory
      usage (CVE-2008-2364).
    - mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager
      (CVE-2007-6420).
    - Worker / Event MPM: Fix race condition in pool recycling that leads to
      segmentation faults under load. (Closes: #484800)
    - mod_proxy: Keep connections to the backend persistent in the HTTPS case.
    - mod_proxy: Support environment variable interpolation in reverse
      proxying directives.
    - mod_headers: Add 'merge' option to avoid duplicate values within the
      same header.
    - mod_substitute: The default is now flattening the buckets after each
      substitution. The newly added 'q' flag allows for the quicker, more
      efficient bucket-splitting.
  * Shorten the init script's waiting period during 'restart' from 10 to 4
    seconds. This should still be plenty to allow the apache processes to
    close their listening sockets. Make the wait even shorter if apache dies
    faster. (Closes: #479136)
  * Fix some lintian warnings:
    - Add some missing patch descriptions.
    - Point to /usr/share/common-licenses instead of including the license in
      the copyright file.

apache2 (2.2.8-5) unstable; urgency=low

  * Replace a2{en,dis}{mod,site} by a rewritten version that
    - supports wildcards (Closes: #373969).
    - can be influenced with environment variables (Closes: #349716).
    - checks existing symlinks for correctness (Closes: #409970).
    - allows removing dead symlinks (Closes: #480893).
  * Move suexec suid helper program to a separate package apache2-suexec,
    which is not installed by default. Provide an alternative version of
    suexec, which can be customized with a config file. This can be found in
    the apache2-suexec-custom package. Closes: #312252, #266835
  * Some more suexec fixes:
    - Fix race condition when changing directories.
    - Accept only /var/www/*, and not /var/www*. The same for public_html/*
      instead of public_html* (CVE-2007-1742).
    - Raise the minimum userid that suexec may change to from 100 to 1000.
  * Enable mod_deflate in new installs.
  * Include config.nice in apache2-src. This hopefully allows apache2-mpm-itk
    to drop the build-dependency on apache2-prefork-dev.
  * Mention environment variables in apache2 and apache2ctl man pages and point
    to README.Debian. (Closes: #475150)
  * Drop unneeded build-dep on libtool.
  * Drop obsolete apache2-mpm-perchild package (closes: #477522).
  * Don't fail in postinst if there is a dangling symlink /var/www/index.html.
  * Fix typo in bug number in 2.2.8-3 changelog entry.
  * Use dh_lintian in debian/rules.

 -- Chuck Short <email address hidden>  Sun, 15 Jun 2008 05:01:28 +0100

apache2 (2.2.8-4ubuntu2) intrepid; urgency=low

  * debian/apache2-2-common.postinst: Fix for index.html if it is a dangling
    symlink when doing an upgrade. (LP: #221932)

 -- Chuck Short <email address hidden>  Mon, 09 Jun 2008 14:24:17 +0000

apache2 (2.2.8-4ubuntu1) intrepid; urgency=low

  * debian/patches/100_mpm_wokers_crash.dpatch
    - Fix for segmentation fault when mpm-worker is under load.
      Backported from http://svn.apache.org/viewvc?view=rev&revision=631362.
      (LP: #235294)
  * Modify Maintainer value to match the DebianMaintainerField
    specification.

 -- Dustin Kirkland <email address hidden>  Thu, 05 Jun 2008 15:23:03 -0500

apache2 (2.2.8-4) unstable; urgency=high

  * Urgency high for DoS vulnerability fix.
  * Fix memory leak in mod_ssl with zlib compression.

 -- Ubuntu Archive Auto-Sync <email address hidden>  Wed, 14 May 2008 15:48:10 +0100

apache2 (2.2.8-3) unstable; urgency=low

  * mod_cache: Handle If-Range correctly if the cached resource was stale
    (closes: #47065).
  * mod_autoindex: Use UTF-8 as character set for filenames in the default
    configuration. Change this in autoindex.conf if you are still using
    ISO-8859-1.
  * Introduce APACHE_RUN_DIR and APACHE_LOCK_DIR in apache2ctl. Also, make it
    use APACHE_RUN_USER instead of APACHE2_RUN_USER, to be consistent with
    apache2.conf.
  * Add 'status' function to init script (adapted from patch by Dustin
    Kirkland).
  * Don't build the modules three times. We are only shipping one set of them,
    anyway. (Inspired by the Fedora package.)
  * Remove Fabio M. Di Nitto from the uploaders field (thanks for your work).

apache2 (2.2.8-2) unstable; urgency=low

  * Provide a fallback access log (other_vhosts_access.log) and a suitable
    LogFormat (vhost_combined) for VirtualHosts that don't define their own
    log file. (Closes: #313430)
  * Fix broken symlink to README.Debian.gz and typos in the file
    (closes: #461462).
  * Improve generation of password salts in htpasswd (closes: #469271).
  * Point VCS tags in debian control to trunk, to make them useful with
    debcheckout.
  * Add missing ${APACHE_ARGUMENTS} to *) case in apache2ctl.
  * In upgrades from etch, replace /etc/apache2/default without asking also in
    the NO_START=1 case, in order to not break piuparts (closes: #466367).
  * Print file name where "Useless use of AllowOverride" occurred.
    (Closes: #410334)
  * Make bugreport script source /etc/apache2/envvars before calling apache2.
  * Add note about MSIE SSL workaround to README.Debian.
  * Don't ship empty /var/www/apache2-default in apache2-doc.
    (Closes: #469145)
  * mod_autoindex: Use the bomb icon only for the name 'core', not for
    '*core'. (Closes: #467480)
  * Include module name in a2enmod error messages (closes: #461341).

 -- Ubuntu Archive Auto-Sync <email address hidden>  Fri, 02 May 2008 01:51:51 +0100

apache2 (2.2.8-1) unstable; urgency=low

  * New upstream version:
    - Fixes cross-site scripting issues in
      o mod_imagemap (CVE-2007-5000)
      o mod_status (CVE-2007-6388)
      o mod_proxy_balancer's balancer manager (CVE-2007-6421)
    - Fixes a denial of service issue in mod_proxy_balancer's balancer manager
      (CVE-2007-6422).
    - Fixes mod_proxy URL encoding in error messages (closes: #337325).
    - Adds explicit charset to the output of various modules to work around
      possible cross-site scripting flaws affecting web browsers that do not
      derive the response character set as required by RFC2616. For
      mod_proxy_ftp there is now the new ProxyFtpDirCharset directive to
      specify something other than ISO-8859-1 (CVE-2008-0005).
    - Adds mod_substitute which performs inline response content pattern
      matching (including regex) and substitution (like mod_line_edit).
    - Adds "DefaultType none" option.
    - Adds new "B" option to RewriteRule to suppress URL unescaping.
    - Adds an "if" directive for mod_include to test whether a URL is
      accessible, and if so, conditionally display content.
    - Adds support for mod_ssl to the event MPM.
  * Move the configuration of User, Group, and PidFile to
    /etc/apache2/envvars. This makes it easier to use these settings in
    scripts. /etc/apache2/envvars can now also be used to influence apache2ctl
    (inspired by Marc Haber's patch). (Closes: #349709, #460105, #458085)
  * Make apache2ctl check the configuration syntax before trying to restart
    apache, to match the behaviour documented in the man page.
    (Closes: #459236)
  * Convert docs to be directly viewable with a browser (and not use content
    negotiation).
  * Add doc-base entry for the documentation. (closes: #311269)
  * Don't ship default files in /var/www, but copy a sample file to
    /var/www/index.html on new installs. Also remove the now unneeded
    RedirectMatch line from sites-available/default.
    (Closes: #411774, #458093)
  * Add some information to README.Debian (Apache wiki, default virtual host)
  * Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary
    dependencies, easing library transitions (closes: #458857).
  * Add icons for OpenDocuments, add sharutils to Build-Depends for uudecode.
    Patch by Nicolas Valcárcel. (Closes: #436441)
  * Add reportbug script to list enabled modules.
  * Fix some lintian warnings:
    - Pass --no-start to dh_installinit instead of omitting the debhelper token
      in various maintainer scripts. Also move the update-rc.d call to
      apache2.2-common.
    - Add Short-Description to init script.
  * Remove unused apache2-mpm-prefork.prerm from source package and clean up
    debian/rules a bit.
  * Don't ship NEWS.Debian with apache2-utils, as the contents are only
    relevant for the server.

 -- Mathias Gug <email address hidden>  Fri, 01 Feb 2008 16:24:43 +0000