-
apache2 (2.2.11-2ubuntu2.7) jaunty-security; urgency=low
* debian/patches/909_sslinsecurerenegotiation-directive.dpatch: once
openssl gets updated to fix CVE-2009-3555, server renegotiations with
unpatched clients will fail. This patch adds the ability to revert to
the previous unsafe behaviour with a new SSLInsecureRenegotiation
directive. (LP: #616759)
* debian/control: add specific dependency on first openssl version to get
CVE-2009-3555 fix.
-- Marc Deslauriers <email address hidden> Mon, 16 Aug 2010 13:34:47 -0400
-
apache2 (2.2.11-2ubuntu2.6) jaunty-security; urgency=low
* SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
- debian/patches/907_CVE-2010-0408.dpatch: return the right error code
in modules/proxy/mod_proxy_ajp.c.
- CVE-2010-0408
* SECURITY UPDATE: information disclosure via improper handling of
headers in subrequests
- debian/patches/908_CVE-2010-0434.dpatch: use a copy of r->headers_in
in server/protocol.c.
- CVE-2010-0434
-- Marc Deslauriers <email address hidden> Mon, 08 Mar 2010 11:26:48 -0500
-
apache2 (2.2.11-2ubuntu2.5) jaunty-security; urgency=low
* SECURITY UPDATE: Reject client-initiated SSL/TLS renegotiations.
Partial fix for CVE-2009-3555. Configurations requiring renegotiation
of per-directory/location access controls are still affected until
OpenSSL is updated.
- debian/patches/904_CVE-2009-3555.dpatch: disable all client
renegotiations
- CVE-2009-3555
* SECURITY UPDATE: fix NULL pointer dereference in mod_proxy_ftp module
- debian/patches/905-CVE-2009-3094.dpatch: fix NULL pointer dereference
in mod_proxy_ftp.c/apr_socket_close() and potential buffer overread
in EPSV response parser
- CVE-2009-3094
* SECURITY UPDATE: fix access control bypass in mod_proxy_ftp when
configured as a reverse proxy
- debian/patches/906-CVE-2009-3095.dpatch: adjust proxy_ftp_handler()
in mod_proxy_ftp.c to fail if the decoded Basic credentials contain
special characters.
- CVE-2009-3095
-- Jamie Strandboge <email address hidden> Thu, 12 Nov 2009 12:46:19 -0600
-
apache2 (2.2.11-2ubuntu2.3) jaunty-security; urgency=low
* SECURITY UPDATE: remote denial of service in mod_deflate module when
the network connection was closed before compression completed
- debian/patches/903_CVE-2009-1891.dpatch: update patch to fix
regression that caused segfaults under certain circumstances.
(LP: #409987)
- CVE-2009-1891
-- Marc Deslauriers <email address hidden> Mon, 17 Aug 2009 14:55:23 -0400
-
apache2 (2.2.11-2ubuntu2.2) jaunty-security; urgency=low
* SECURITY UPDATE: remote denial of service in the mod_proxy module via
amount of streamed data that exceeds the Content-Length value
- debian/patches/902_CVE-2009-1890.dpatch: make sure Content-Length is
sane and check the length of the data in modules/proxy/mod_proxy_http.c
- CVE-2009-1890
* SECURITY UPDATE: remote denial of service in mod_deflate module when
the network connection was closed before compression completed
- debian/patches/903_CVE-2009-1891.dpatch: fail if the connection has
been aborted in server/core_filters.c
- CVE-2009-1891
-- Marc Deslauriers <email address hidden> Thu, 09 Jul 2009 14:35:07 -0400
-
apache2 (2.2.11-2ubuntu2.1) jaunty-security; urgency=low
* SECURITY UPDATE: response data disclosure in mod_proxy_ajp when a client
request with no request body was sent
- debian/patches/900_CVE-2009-1191.dpatch: adjust
modules/proxy/mod_proxy_ajp.c to not reuse a connection when the client
closes a connection without sending a body
- CVE-2009-1191
* SECURITY UPDATE: Includes option could be overridden via .htaccess file
when AllowOverride restrictions do not permit it
- debian/patches/900_CVE-2009-1195.dpatch: adjust server/config.c,
server/core.c, modules/filters/mod_include.c, include/http_core.h to
only enable .htaccess override when permitted.
- CVE-2009-1195
-- Jamie Strandboge <email address hidden> Wed, 10 Jun 2009 17:15:00 -0500
-
apache2 (2.2.11-2ubuntu2) jaunty; urgency=low
* debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
Fix: timefmt is ignored when XBitHack is on. (LP: #258914)
-- Chuck Short <email address hidden> Wed, 01 Apr 2009 11:39:17 -0400
-
apache2 (2.2.11-2ubuntu1) jaunty; urgency=low
* Merge from debian unstable, remaining changes:
- debian/{control, rules}: enable PIE hardening.
- debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
apache2 (2.2.11-2) unstable; urgency=low
* Report an error instead of segfaulting when apr_pollset_create
fails (PR 46467). On Linux kernels since 2.6.27.8, the value in
/proc/sys/fs/epoll/max_user_instances needs to be larger than twice the
value of MaxClients in the Apache configuration. Closes: #511103
-- Chuck Short <email address hidden> Sat, 17 Jan 2009 00:02:55 +0000
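The 2.2.11-2 entry above states a sizing constraint (epoll max_user_instances must exceed twice MaxClients) rather than fixing it; the package only turns the segfault into an error. The script below is an added example, not part of the apache2 package or of this changelog, that checks that constraint on a host. The function names and the sample configuration are constructed for the example; the /proc path and the MaxClients directive are the ones the entry names.

```shell
#!/bin/sh
# Added example (not from the apache2 package): verify that
# /proc/sys/fs/epoll/max_user_instances exceeds 2 * MaxClients,
# the condition the 2.2.11-2 changelog entry describes.

# Print the effective MaxClients from an Apache config read on stdin.
# Comment lines are skipped; the last uncommented occurrence wins,
# which matches how Apache applies repeated directives. Prints nothing
# when the directive is absent so the caller can tell the two cases apart.
max_clients_from_config() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == "maxclients" { v = $2 }    # remember the last value seen
        END { if (v != "") print v }
    '
}

# Compare the epoll limit with 2 * MaxClients. Prints "ok" and returns 0
# when the limit is strictly larger, otherwise prints "too-low" and returns 1.
check_epoll_headroom() {
    max_user_instances=$1
    max_clients=$2
    if [ "$max_user_instances" -gt $((2 * max_clients)) ]; then
        echo ok
        return 0
    fi
    echo too-low
    return 1
}

# Check a live host: read the kernel limit (exposed on 2.6.27.8 and later,
# per the changelog entry) and the MaxClients from the config file given
# as the first argument.
check_host() {
    limit_file=/proc/sys/fs/epoll/max_user_instances
    if [ ! -r "$limit_file" ]; then
        echo "kernel does not expose $limit_file; nothing to check"
        return 0
    fi
    mc=$(max_clients_from_config < "$1")
    if [ -z "$mc" ]; then
        echo "MaxClients not set in $1"
        return 2
    fi
    check_epoll_headroom "$(cat "$limit_file")" "$mc"
}

# Constructed sample config (not taken from any real host) so the
# script can be run stand-alone; the commented-out value must be ignored.
SAMPLE_CONF='
# MaxClients 50
<IfModule mpm_prefork_module>
    StartServers       5
    MaxClients        150
</IfModule>
'

# Stand-alone demonstration: extracts 150 from the sample above.
printf '%s\n' "$SAMPLE_CONF" | max_clients_from_config
```

On a real server, run `check_host /etc/apache2/apache2.conf` (adjust the path to wherever MaxClients is set); a "too-low" result means apr_pollset_create can fail under load, which this package version now reports as an error instead of crashing.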
-
apache2 (2.2.11-1ubuntu1) jaunty; urgency=low
* Merge from debian unstable, remaining changes:
- debian/{control, rules}: enable PIE hardening.
- debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
apache2 (2.2.11-1) unstable; urgency=low
[Thom May]
* New Upstream Version (Closes: #508186, LP: #307397)
- Contains rewritten shmcb code which should fix alignment problems on
alpha (Closes: #419720).
- Notable new features: chroot support, mod_proxy improvements.
[Ryan Niebur]
* fix segfault in ab when being verbose on ssl sites (Closes: #495982)
* remove trailing slash for DocumentRoot (Closes: #495110)
-- Chuck Short <email address hidden> Mon, 15 Dec 2008 00:06:50 +0000
-
apache2 (2.2.9-11ubuntu1) jaunty; urgency=low
* Merge from debian unstable, remaining changes: (LP: #303375)
- debian/{control, rules}: enable PIE hardening.
- debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
apache2 (2.2.9-11) unstable; urgency=low
* Regression fix from upstream svn for mod_proxy:
Prevent segmentation faults by correctly adjusting the lifetime of the
buckets read from the proxy backend. PR 45792
* Fix from upstream svn for mpm_worker:
Crosscheck that idle workers are still available before using them and
thus preventing an overflow of the worker queue which causes a SegFault.
PR 45605
* Add a comment to ports.conf to point to NEWS.Debian.gz in case of
upgrading problems.
-- Bhavani Shankar <email address hidden> Sat, 29 Nov 2008 14:02:31 +0530
-
apache2 (2.2.9-10ubuntu1) jaunty; urgency=low
* Merge from debian unstable, remaining changes:
- debian/{control, rules}: enable PIE hardening.
- debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
apache2 (2.2.9-10) unstable; urgency=low
* Regression fix from upstream svn for mod_proxy_http:
Don't trigger a retry by the client if a failure to read the response line
was the result of a timeout.
apache2 (2.2.9-9) unstable; urgency=medium
* Revert the attempted fix for #496080 because it did not work due to
upstream PR 38330. Instead, document the problem and possible workarounds
in README.Debian.
apache2 (2.2.9-8) unstable; urgency=low
* Fix Spanish language support which was broken by .es being added to
/etc/mime.types for application/ecmascript. (Closes: #496080)
* Correct description of ServerTokens in /etc/apache2/conf.d/security.
(Closes: #497362)
* Clarify how to use apache2ctl to pass arbitrary arguments to
apache2. (LP: #259363)
* Add hints to README.Debian about the messages
"NameVirtualHost *:80 has no VirtualHosts" and
"File does not exist: /htdocs".
-- Chuck Short <email address hidden> Wed, 05 Nov 2008 02:23:18 -0400
-
apache2 (2.2.9-7ubuntu3) intrepid; urgency=low
* Revert logrotate change since it will break it for everyone.
-- Chuck Short <email address hidden> Fri, 19 Sep 2008 09:32:01 -0400