Change logs for apache2 source package in Hardy

  • apache2 (2.2.8-1ubuntu0.25) hardy-security; urgency=low
    
      * SECURITY UPDATE: multiple cross-site scripting issues
        - debian/patches/CVE-2012-3499_4558.dpatch: properly escape html in
          modules/generators/{mod_info.c,mod_status.c},
          modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
          modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
        - CVE-2012-3499
        - CVE-2012-4558
      * SECURITY UPDATE: denial of service in mod_proxy_ajp
        - debian/patches/CVE-2012-4557.dpatch: check for timeout in
          modules/proxy/ajp_link.c, modules/proxy/mod_proxy_ajp.c.
        - CVE-2012-4557
      * SECURITY UPDATE: symlink attack in apache2ctl script
        - debian/patches/CVE-2013-1048.dpatch: introduce and use a safer
          mkdir_chown() function in support/apachectl.in.
        - CVE-2013-1048
     -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 11:17:51 -0500
  • apache2 (2.2.8-1ubuntu0.24) hardy-security; urgency=low
    
      * SECURITY UPDATE: XSS vulnerability in mod_negotiation
        - debian/patches/224_CVE-2012-2687.dpatch: escape filenames in
          modules/mappers/mod_negotiation.c.
        - CVE-2012-2687
      * SECURITY UPDATE: CRIME SSL attack (LP: #1068854)
        - debian/patches/225_CVE-2012-4929.dpatch: backport SSLCompression
          on|off directive. Defaults to off as enabling compression enables the
          CRIME attack.
        - CVE-2012-4929
     -- Marc Deslauriers <email address hidden>   Tue, 06 Nov 2012 15:01:07 -0500
  • apache2 (2.2.8-1ubuntu0.23) hardy-security; urgency=low
    
      * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
        directive (LP: #811422)
        - debian/patches/220_CVE-2011-3607.dpatch: validate length in
          server/util.c.
        - CVE-2011-3607
      * SECURITY UPDATE: another mod_proxy reverse proxy exposure
        - debian/patches/221_CVE-2011-4317.dpatch: validate additional URIs in
          modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
          server/protocol.c.
        - CVE-2011-4317
      * SECURITY UPDATE: denial of service and possible code execution via
        type field modification within a scoreboard shared memory segment
        - debian/patches/222_CVE-2012-0031.dpatch: check type field in
          server/scoreboard.c.
        - CVE-2012-0031
      * SECURITY UPDATE: cookie disclosure via Bad Request errors
        - debian/patches/223_CVE-2012-0053.dpatch: check lengths in
          server/protocol.c.
        - CVE-2012-0053
     -- Marc Deslauriers <email address hidden>   Tue, 14 Feb 2012 10:49:11 -0500
  • apache2 (2.2.8-1ubuntu0.22) hardy-security; urgency=low
    
      [ Michael Jeanson ]
      * SECURITY UPDATE: mod_proxy reverse proxy exposure
        - debian/patches/216_CVE-2011-3368.dpatch: return 400
          on invalid requests.
        - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
          0.9 protocol
    
      [ Steve Beattie ]
      * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
        - debian/patches/213_CVE-2011-3348.dpatch: return
          HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
        - CVE-2011-3348
      * Include additional fixes for regressions introduced by
        CVE-2011-3192 fixes
        - debian/patches/084_CVE-2011-3192_regression_part2.dpatch:
          take upstream fixes for byterange_filter.c through the 2.2.21
          release except for the added MaxRanges configuration option.
     -- Steve Beattie <email address hidden>   Wed, 02 Nov 2011 19:43:46 -0700
  • apache2 (2.2.8-1ubuntu0.21) hardy-security; urgency=low
    
      * SECURITY UPDATE: Range header DoS vulnerability
        - debian/patches/214_CVE-2011-3192.dpatch: filter out large
          byte ranges and improve memory efficiency in handling buckets.
          (thanks to Debian and upstream)
        - CVE-2011-3192
      * Include fix for regressions introduced by above patch:
        - debian/patches/084_CVE-2011-3192_regression.dpatch: return 206
          and 416 response codes where appropriate (see Debian bug 639825)
     -- Steve Beattie <email address hidden>   Thu, 01 Sep 2011 01:53:46 -0700
  • apache2 (2.2.8-1ubuntu0.19) hardy-security; urgency=low
    
      * SECURITY UPDATE: denial of service via request that lacks a path in
        mod_dav.
        - debian/patches/213_CVE-2010-1452.dpatch: fix path handling in
          modules/dav/main/util.c.
        - CVE-2010-1452
     -- Marc Deslauriers <email address hidden>   Thu, 18 Nov 2010 14:25:56 -0500
  • apache2 (2.2.8-1ubuntu0.18) hardy-security; urgency=low
    
      * debian/patches/212_sslinsecurerenegotiation-directive.dpatch: once
        openssl gets updated to fix CVE-2009-3555, server renegotiations with
        unpatched clients will fail. This patch adds the ability to revert to
        the previous unsafe behaviour with a new SSLInsecureRenegotiation
        directive. (LP: #616759)
      * debian/control: add specific dependency on first openssl version to get
        CVE-2009-3555 fix.
     -- Marc Deslauriers <email address hidden>   Mon, 16 Aug 2010 13:39:40 -0400
  • apache2 (2.2.8-1ubuntu0.17) hardy-proposed; urgency=low
    
      * debian/apache2.2-common.postinst: When dpkg-statoverride is used, the cut
        delimiter has now been set to use ' ', as it was causing upgrades to fail.
        (LP: #583698)
     -- Dave Walker (Daviey) <email address hidden>   Fri, 21 May 2010 13:50:34 +0100
  • apache2 (2.2.8-1ubuntu0.16) hardy-proposed; urgency=low
    
      * debian/patches/211_fix_mod_proxy_nocanon.dpatch: Fix duplicated query string
        when using nocanon option to mod_proxy. Patch courtesy of James Troup, based
        on upstream cherry pick. (LP: #455873)
     -- Dave Walker (Daviey) <email address hidden>   Mon, 17 May 2010 18:06:59 +0100
  • apache2 (2.2.8-1ubuntu0.15) hardy-security; urgency=low
    
      * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
        - debian/patches/209_CVE-2010-0408.dpatch: return the right error code
          in modules/proxy/mod_proxy_ajp.c.
        - CVE-2010-0408
      * SECURITY UPDATE: information disclosure via improper handling of
        headers in subrequests
        - debian/patches/210_CVE-2010-0434.dpatch: use a copy of r->headers_in
          in server/protocol.c.
        - CVE-2010-0434
     -- Marc Deslauriers <email address hidden>   Mon, 08 Mar 2010 11:56:13 -0500
  • apache2 (2.2.8-1ubuntu0.14) hardy-security; urgency=low
    
      * SECURITY UPDATE: Reject client-initiated SSL/TLS renegotiations.
        Partial fix for CVE-2009-3555. Configurations requiring renegotiation
        of per-directory/location access controls are still affected until
        OpenSSL is updated.
        - debian/patches/206_CVE-2009-3555.dpatch: disable all client
          renegotiations
        - CVE-2009-3555
      * SECURITY UPDATE: fix NULL pointer dereference in mod_proxy_ftp module
        - debian/patches/207-CVE-2009-3094.dpatch: fix NULL pointer dereference
          in mod_proxy_ftp.c/apr_socket_close() and potential buffer overread
          in EPSV response parser
        - CVE-2009-3094
      * SECURITY UPDATE: fix access control bypass in mod_proxy_ftp when
        configured as a reverse proxy
        - debian/patches/208-CVE-2009-3095.dpatch: adjust proxy_ftp_handler()
          in mod_proxy_ftp.c to fail if the decoded Basic credentials contain
          special characters.
        - CVE-2009-3095
     -- Jamie Strandboge <email address hidden>   Thu, 12 Nov 2009 14:15:40 -0600
  • apache2 (2.2.8-1ubuntu0.12) hardy-proposed; urgency=low
    
      * debian/patches/999_fix_mod_proxy_nocanon.dpatch: Make all proxy modules
        nocanon aware and do not add the query string again in this case.
        Thanks to James Troup. (LP: #455873)
    
     -- Chuck Short <email address hidden>   Mon, 02 Nov 2009 11:25:38 -0500
  • apache2 (2.2.8-1ubuntu0.11) hardy-security; urgency=low
    
      * SECURITY UPDATE: remote denial of service in mod_deflate module when
        the network connection was closed before compression completed
        - debian/patches/205_CVE-2009-1891.dpatch: update patch to fix
          regression that caused segfaults under certain circumstances.
          (LP: #409987)
        - CVE-2009-1891
    
     -- Marc Deslauriers <email address hidden>   Mon, 17 Aug 2009 08:00:35 -0400
  • apache2 (2.2.8-1ubuntu0.10) hardy-security; urgency=low
    
      * SECURITY UPDATE: remote denial of service in the mod_proxy module via
        amount of streamed data that exceeds the Content-Length value
        - debian/patches/204_CVE-2009-1890.dpatch: make sure Content-Length is
          sane and check the length of the data in modules/proxy/mod_proxy_http.c
        - CVE-2009-1890
      * SECURITY UPDATE: remote denial of service in mod_deflate module when
        the network connection was closed before compression completed
        - debian/patches/205_CVE-2009-1891.dpatch: fail if the connection has
          been aborted in server/core_filters.c
        - CVE-2009-1891
    
     -- Marc Deslauriers <email address hidden>   Thu, 09 Jul 2009 14:53:32 -0400
  • apache2 (2.2.8-1ubuntu0.9) hardy-proposed; urgency=low
    
      * debian/patches/101_fix-spinning-mod_proxy.dpatch: Fix mod_proxy
        with SSL using all the CPU. (LP: #306293)
    
     -- Chuck Short <email address hidden>   Fri, 13 Feb 2009 15:43:29 +0000
  • apache2 (2.2.8-1ubuntu0.8) hardy-security; urgency=low
    
      * SECURITY UPDATE: Includes option could be overridden via .htaccess file
        when AllowOverride restrictions do not permit it
        - debian/patches/203_CVE-2009-1195.dpatch: adjust server/config.c,
          server/core.c, modules/filters/mod_include.c, include/http_core.h to
          only enable .htaccess override when permitted.
        - CVE-2009-1195
    
     -- Jamie Strandboge <email address hidden>   Wed, 10 Jun 2009 17:50:41 -0500
  • apache2 (2.2.8-1ubuntu0.6) hardy-proposed; urgency=low
    
      * debian/patches/101_fix-spinning-mod_proxy.dpatch: Fix mod_proxy
        with SSL using all the CPU. (LP: #306293)
    
     -- Chuck Short <email address hidden>   Fri, 13 Feb 2009 15:43:29 +0000
  • apache2 (2.2.8-1ubuntu0.5) hardy-security; urgency=low
    
      [ Emanuele Gentili ]
      * SECURITY UPDATE:
       + debian/patches/201_security_CVE-2008-2364.dpatch (LP: #239894)
        - The ap_proxy_http_process_response function in mod_proxy_http.c
          in the mod_proxy module does not limit the number of forwarded
          interim responses, which allows remote HTTP servers to cause a
          denial of service (memory consumption) via a large number of
          interim responses.
       + References
        - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364
    
      [ Marc Deslauriers ]
      * SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
        mod_proxy_balancer
        - debian/patches/200_security_CVE-2007-6420.dpatch: generate and validate a
          nonce in modules/proxy/mod_proxy_balancer.c.
        - CVE-2007-6420
      * SECURITY UPDATE: Denial of service via large number of interim responses in
        mod_proxy module (LP: #239894)
        - debian/patches/201_security_CVE-2008-2364.dpatch: updated patch to newer
          version.
        - CVE-2008-2364
      * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
        mod_proxy_ftp module
        - debian/patches/202_security_CVE-2008-2939.dpatch: escape the html
          contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
        - CVE-2008-2939
    
     -- Marc Deslauriers <email address hidden>   Thu, 05 Mar 2009 17:20:17 -0500
  • apache2 (2.2.8-1ubuntu0.4) hardy-security; urgency=low
    
      [ Emanuele Gentili ]
      * SECURITY UPDATE:
       + debian/patches/201_security_CVE-2008-2364.dpatch (LP: #239894)
        - The ap_proxy_http_process_response function in mod_proxy_http.c
          in the mod_proxy module does not limit the number of forwarded
          interim responses, which allows remote HTTP servers to cause a
          denial of service (memory consumption) via a large number of
          interim responses.
       + References
        - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364
    
      [ Marc Deslauriers ]
      * SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
        mod_proxy_balancer
        - debian/patches/200_security_CVE-2007-6420.dpatch: generate and validate a
          nonce in modules/proxy/mod_proxy_balancer.c.
        - CVE-2007-6420
      * SECURITY UPDATE: Denial of service via large number of interim responses in
        mod_proxy module (LP: #239894)
        - debian/patches/201_security_CVE-2008-2364.dpatch: updated patch to newer
          version.
        - CVE-2008-2364
      * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
        mod_proxy_ftp module
        - debian/patches/202_security_CVE-2008-2939.dpatch: escape the html
          contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
        - CVE-2008-2939
    
     -- Marc Deslauriers <email address hidden>   Thu, 05 Mar 2009 17:20:17 -0500
  • apache2 (2.2.8-1ubuntu0.3) hardy-proposed; urgency=low
    
      * debian/config-dir/mods-available/disk_cache.conf:
        Don't enable caching of the root URL by default when disk_cache is
        enabled. (LP: #219914).
        disk_cache caches sensitive information without additional tweaks.
        Enabling it by default has security implications - it should be
        treated as mod_proxy.
      * debian/apache2.2-common.postinst:
        Only enable disk_cache if the 'EnableCache disk ' directive is used in the
        configuration. (LP: #219914).
        If we'd enable on every upgrade from 2.0, htcacheclean would be started
        even if disk_cache isn't used.
    
     -- Mathias Gug <email address hidden>   Tue, 24 Jun 2008 17:45:55 -0400
  • apache2 (2.2.8-1ubuntu0.2) hardy-proposed; urgency=low
    
      * debian/patches/100_mpm_wokers_crash.dpatch
        - Fix for segmentation fault when mpm-worker is under load.
          Backported from http://svn.apache.org/viewvc?view=rev&revision=631362.
          (LP: #235294)
      * debian/apache2.2-common.install:
        - Fix for index.html if it is a dangling symlink when doing an upgrade
          (LP: #221932)
      * debian/rules
        - Fix for Readme.Debian.gz which was a broken symlink. (LP: #231313)
    
     -- Chuck Short <email address hidden>   Tue, 27 May 2008 14:32:13 -0400
  • apache2 (2.2.8-1ubuntu0.1) hardy-proposed; urgency=low
    
      [Dustin Kirkland]
      - debian/patches/060_fix_ssl_mem_leak.dpatch
        Fix buggy ssl memory leak function. Backported from
        http://svn.apache.org/viewvc?view=rev&revision=654119 (LP: #224945)
      - Update maintainers according to spec.
    
      [Chuck Short]
      - debian/config-dir/autoindex.conf
        Added UTF-8 Support. (LP: #193753)
    
     -- Chuck Short <email address hidden>   Tue, 13 May 2008 08:46:01 -0400
  • apache2 (2.2.8-1) unstable; urgency=low
    
      * New upstream version:
        - Fixes cross-site scripting issues in
          o mod_imagemap (CVE-2007-5000)
          o mod_status (CVE-2007-6388)
          o mod_proxy_balancer's balancer manager (CVE-2007-6421)
        - Fixes a denial of service issue in mod_proxy_balancer's balancer manager
          (CVE-2007-6422).
        - Fixes mod_proxy URL encoding in error messages (closes: #337325).
        - Adds explicit charset to the output of various modules to work around
          possible cross-site scripting flaws affecting web browsers that do not
          derive the response character set as required by RFC2616. For
          mod_proxy_ftp there is now the new ProxyFtpDirCharset directive to
          specify something other than ISO-8859-1 (CVE-2008-0005).
        - Adds mod_substitute which performs inline response content pattern
          matching (including regex) and substitution (like mod_line_edit).
        - Adds "DefaultType none" option.
        - Adds new "B" option to RewriteRule to suppress URL unescaping.
        - Adds an "if" directive for mod_include to test whether a URL is
          accessible, and if so, conditionally display content.
        - Adds support for mod_ssl to the event MPM.
      * Move the configuration of User, Group, and PidFile to
        /etc/apache2/envvars. This makes it easier to use these settings in
        scripts. /etc/apache2/envvars can now also be used to influence apache2ctl
        (inspired by Marc Haber's patch).  (Closes: #349709, #460105, #458085)
      * Make apache2ctl check the configuration syntax before trying to restart
        apache, to match the behaviour documented in the man page.
        (Closes: #459236)
      * Convert docs to be directly viewable with a browser (and not use content
        negotiation).
      * Add doc-base entry for the documentation. (closes: #311269)
      * Don't ship default files in /var/www, but copy a sample file to
        /var/www/index.html on new installs. Also remove the now unneeded
        RedirectMatch line from sites-available/default.
        (Closes: #411774, #458093)
      * Add some information to README.Debian (Apache wiki, default virtual host)
      * Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary
        dependencies, easing library transitions (closes: #458857).
      * Add icons for OpenDocuments, add sharutils to Build-Depends for uudecode.
        Patch by Nicolas Valcárcel. (Closes: #436441)
      * Add reportbug script to list enabled modules.
      * Fix some lintian warnings:
        - Pass --no-start to dh_installinit instead of omitting the debhelper token
          in various maintainer scripts. Also move the update-rc.d call to
          apache2.2-common.
        - Add Short-Description to init script.
      * Remove unused apache2-mpm-prefork.prerm from source package and clean up
        debian/rules a bit.
      * Don't ship NEWS.Debian with apache2-utils, as the contents are only
        relevant for the server.
    
     -- Mathias Gug <email address hidden>   Fri,  01 Feb 2008 16:24:43 +0000
  • apache2 (2.2.6-3ubuntu2) hardy; urgency=low
    
      [ Nicolas Valcárcel ]
      * Added icons for OpenDocuments by default on mime.conf
        (Closes: LP: #130836)
      * Icons added to the package in uuencode format
      * Added sharutils to Build-Depends on debian/control for uuencode
      * debian/apache2.2-common.apache2.init:
        - Only look for *.conf files in /etc/apache2 when searching for pidfiles
          (Closes: LP: #112991) Thanks to Daniel Hahler for the patch
    
      [ Soren Hansen ]
      * Clean up after OpenDocument icon generation
    
     -- Soren Hansen <email address hidden>   Wed, 16 Jan 2008 08:52:01 +0100
  • apache2 (2.2.6-3ubuntu1) hardy; urgency=low
    
      * Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary
        dependencies (including db4.5).
      * Modify Maintainer value to match the DebianMaintainerField
        specification.
    
     -- Martin Pitt <email address hidden>   Thu, 03 Jan 2008 11:19:10 +0100
  • apache2 (2.2.6-3) unstable; urgency=low
    
      * Allocate fewer bucket brigades in case of a flush bucket. This might help
        with the memory leaks reported in #399776 and #421557.
      * Escape the HTTP method in error messages to avoid potential cross site
        scripting vulnerabilities (CVE-2007-6203).
      * Update 053_bad_file_descriptor_PR42829.dpatch to avoid a race condition.
      * Redirect /doc/apache2-doc/manual/ to /manual/ in the apache2-doc config
        (Closes: #450867).
      * Add icons for .ogg and .ogm (Closes: #255443).
      * Add comment about how to log X-Forwarded-For (Closes: #425008).
      * Make mod_proxy_balancer not depend on mod_cache.
      * Add Homepage field to debian/control.
      * Add/fix some lintian overrides, fix some warnings.
      * Bump Standards-Version (no changes).
    
     -- Ubuntu Archive Auto-Sync <email address hidden>   Sun,  09 Dec 2007 19:02:32 +0000
  • apache2 (2.2.6-2) unstable; urgency=low
    
      * Avoid calling apr_pollset_poll() and accept_func() when the listening
        sockets have already been closed on graceful stop or reload. This
        hopefully fixes processes not being killed (closes: #445263, #447164)
        and the "Bad file descriptor: apr_socket_accept: (client socket)"
        error message (closes: #400918, #443310)
      * Allow logresolve to process long lines (Closes: #331631)
      * Remove duplicate config examples (Closes: #294662)
      * Include README.backtrace describing how to create a backtrace
      * Add CVE reference to 2.2.6-1 changelog entry
    
    apache2 (2.2.6-1) unstable; urgency=low
    
      * New upstream release
        - fixes mod_proxy DoS for threaded MPMs (CVE-2007-3847)
        - fixes spurious warning for valid wildcard certificates (Closes: #414855)
        - adds warning that htpasswd is not setuid safe (Closes: #356285)
        - adds Type and Charset options to IndexOptions directive,
          allowing a workaround for buggy browsers affected by CVE-2007-4465
        - adds new ProxyPassMatch directive
      * Add index.htm to the default DirectoryIndex configuration
        (Closes: #439375)
      * Use apache2ctl in init script (Closes: #439027)
      * make init script less noisy (Closes: #438950)
      * improve NEWS entry (Closes: #440084)
    
     -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  23 Oct 2007 15:20:12 +0100
  • apache2 (2.2.4-3build1) gutsy; urgency=low
    
      * Trigger rebuild for hppa
    
     -- LaMont Jones <email address hidden>   Thu, 04 Oct 2007 11:58:34 -0600