-
apache2 (2.2.22-6ubuntu2.4) quantal-security; urgency=medium
* SECURITY UPDATE: denial of service via mod_dav incorrect end of string
calculation
- debian/patches/CVE-2013-6438.patch: properly calculate correct length
in modules/dav/main/util.c.
- CVE-2013-6438
* SECURITY UPDATE: denial of service via truncated cookie and
mod_log_config
- debian/patches/CVE-2014-0098.patch: properly parse tokens in
modules/loggers/mod_log_config.c.
- CVE-2014-0098
-- Marc Deslauriers <email address hidden> Wed, 19 Mar 2014 15:38:47 -0400
-
apache2 (2.2.22-6ubuntu2.3) quantal-security; urgency=low
* SECURITY UPDATE: log file poisoning via mod_rewrite (LP: #1188069)
- debian/patches/CVE-2013-1862.patch: properly escape items in
modules/mappers/mod_rewrite.c.
- CVE-2013-1862
* SECURITY UPDATE: denial of service via MERGE request
- debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
in modules/dav/main/mod_dav.c.
- CVE-2013-1896
-- Marc Deslauriers <email address hidden> Fri, 12 Jul 2013 08:35:53 -0400
-
apache2 (2.2.22-6ubuntu2.2) quantal-security; urgency=low
* SECURITY UPDATE: multiple cross-site scripting issues
- debian/patches/CVE-2012-3499_4558.patch: properly escape html in
modules/generators/{mod_info.c,mod_status.c},
modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
- CVE-2012-3499
- CVE-2012-4558
* SECURITY UPDATE: symlink attack in apache2ctl script
- debian/apache2ctl: introduce and use a safer mkdir_chown() function.
- Thanks to Stefan Fritsch for the fix.
- CVE-2013-1048
-- Marc Deslauriers <email address hidden> Fri, 08 Mar 2013 09:31:43 -0500
-
apache2 (2.2.22-6ubuntu2.1) quantal-security; urgency=low
* SECURITY UPDATE: XSS vulnerability in mod_negotiation
- debian/patches/CVE-2012-2687.patch: escape filenames in
modules/mappers/mod_negotiation.c.
- CVE-2012-2687
* SECURITY UPDATE: CRIME SSL attack (LP: #1068854)
- debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
directive. Defaults to off as enabling compression enables the CRIME
attack.
- CVE-2012-4929
-- Marc Deslauriers <email address hidden> Tue, 06 Nov 2012 14:22:46 -0500
-
apache2 (2.2.22-6ubuntu2) quantal; urgency=low
* debian/apache2.py
- Update apport hook for python3; thanks to Edward Donovan (LP: #1013171)
- Check if this directory exists: /etc/apache2/sites-enabled/
-- Matthieu Baerts (matttbe) <email address hidden> Mon, 16 Jul 2012 10:02:18 +0200
-
apache2 (2.2.22-6ubuntu1) quantal; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/{control, rules}: Enable PIE hardening.
- debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
- debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
- debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
Plymouth aware passphrase dialog program ask-for-passphrase.
* Dropped changes:
- debian/control: Add bzr tag and point it to our tree; this is not
really required and just increases the delta.
apache2 (2.2.22-6) unstable; urgency=low
[ Stefan Fritsch ]
* Fix regression causing apache2 to cache "206 partial content" responses,
and then serving these partial responses when replying to normal requests.
Closes: #671204
* Add section to security.conf that shows how to forbid access to VCS
directories. Closes: #548213
* Update ssl default cipher config, add alternative speed optimized config.
Closes: #649020
* Add "AddCharset" for .brf files in default mod_mime config.
Closes: #402567
* Don't create httpd.conf anymore and don't include it in apache2.conf. If
it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf.
* Port some of the comments in apache2.conf from the 2.4 package.
* Compile mod_version statically, drop associated module load file.
* If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
configtest.
* Note in README.Debian that future versions of the package will have the
include statements changed to include only *.conf.
* Change compiled-in document root to /var/www, to avoid strange error
messages.
* Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
[ Arno Töll ]
* Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
to override LDFLAGS at compile time by defining LDFLAGS in the environment,
just like it is possible for CFLAGS. This also means, config_vars.mk now
exports hardening build flags by default.
* Update doc-base metadata for the apache2-doc package.
apache2 (2.2.22-5) unstable; urgency=low
* Make LoadFile and LoadModule look in the standard search paths if the
dso file name is given as a pure filename. This helps with the multi-arch
transition.
apache2 (2.2.22-4) unstable; urgency=high
* CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
hosts' config files.
If scripting modules like mod_php or mod_rivet are enabled on systems
where either 1) some frontend server forwards connections to an apache2
backend server on the localhost address, or 2) the machine running
apache2 is also used for web browsing, this could allow a remote
attacker to execute example scripts stored under /usr/share/doc.
Depending on the installed packages, this could lead to issues like cross
site scripting, code execution, or leakage of sensitive data.
apache2 (2.2.22-3) unstable; urgency=low
* Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
No such file or directory". Do not use internal rules targets which clash
with build target names ... (Closes: #667069)
* Drop apache2-dev virtual package. This had virtually no users but breaks our
experimental package in some cases (e.g. #666793)
* Push Standards version - no further changes
* Update my maintainer address
apache2 (2.2.22-2) unstable; urgency=low
[ Arno Töll ]
* Fix "Incorrect debhelper build dependency" by raising the build-dependency
of debhelper to 8.9.7 (Closes: #659148)
-- Robie Basak <email address hidden> Fri, 08 Jun 2012 11:37:31 +0100
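Three of the entries above describe configuration state rather than code fixes: the SSLCompression directive backported for CVE-2012-4929 (which defaults to off because compression enables CRIME), the security.conf section added in 2.2.22-6 that shows how to forbid access to VCS directories, and the "Alias /doc /usr/share/doc" line removed from the default virtual hosts for CVE-2012-0216. A deployed 2.2 tree can be audited for all three. The script below is an added example, not code from the apache2 package or from any of the maintainers quoted in this changelog; the function names, the temporary sample tree and its file contents are constructed for the demonstration, and the sample virtual host only resembles the stock one.

```shell
#!/bin/sh
# Added example (not from the apache2 package or its changelog): audit an
# Apache 2.2 configuration tree for three items the changelog entries
# describe, then apply the corresponding fix and audit again.
#   1. "Alias /doc" in a virtual host, the line removed for CVE-2012-0216;
#   2. "SSLCompression on", which re-enables the CRIME attack that the
#      CVE-2012-4929 backport turns off by default;
#   3. no live block denying access to VCS dot-directories.
# Function names, the sample tree and its contents are constructed here.
set -u

# Live configuration only: Apache comments are whole lines starting with "#"
# (inline comments are not allowed), so a commented-out block is not active.
live_config() {
    find "$1" -type f -exec cat {} + | grep -Ev '^[[:space:]]*#'
}

# True when any vhost still aliases /doc (quoted or not, with or without a
# trailing slash) to a filesystem path.
has_doc_alias() {
    live_config "$1" | grep -Eiq '^[[:space:]]*Alias[[:space:]]+"?/doc/?"?[[:space:]]'
}

# True when compression is switched on explicitly. An absent directive means
# the compiled-in default, which the CVE-2012-4929 backport makes "off".
ssl_compression_on() {
    live_config "$1" | grep -Eiq '^[[:space:]]*SSLCompression[[:space:]]+on([[:space:]]|$)'
}

# True when an uncommented DirectoryMatch covers the dot-directories of the
# common VCS tools (matches both "/\.git" and "/\.(svn|git|...)" forms).
vcs_dirs_blocked() {
    live_config "$1" | grep -Eiq '^[[:space:]]*<DirectoryMatch[[:space:]].*\\\..?(svn|git|hg|bzr)'
}

# Prints the number of findings on stdout (0 means all three checks pass);
# each finding is described on stderr.
count_findings() {
    n=0
    if has_doc_alias "$1";      then echo "FINDING: Alias /doc exposes /usr/share/doc (CVE-2012-0216)" >&2; n=$((n+1)); fi
    if ssl_compression_on "$1"; then echo "FINDING: SSLCompression on (CRIME, CVE-2012-4929)" >&2; n=$((n+1)); fi
    if ! vcs_dirs_blocked "$1"; then echo "FINDING: no live DirectoryMatch denying VCS directories" >&2; n=$((n+1)); fi
    echo "$n"
}

# Constructed sample tree that fails all three checks (the weak settings).
# Only the layout resembles /etc/apache2; the contents are this example's own.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/sites-enabled" "$root/mods-enabled" "$root/conf.d"
    cat >"$root/sites-enabled/000-default" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
EOF
    cat >"$root/mods-enabled/ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
    SSLCompression on
</IfModule>
EOF
    cat >"$root/conf.d/security" <<'EOF'
# <DirectoryMatch "/\.(svn|git|hg|bzr)">
#     Order allow,deny
#     Deny from all
# </DirectoryMatch>
EOF
    echo "$root"
}

# Applies the fixes in place: drop the alias, turn compression off, and
# activate the commented-out VCS block.
harden_tree() {
    f="$1/sites-enabled/000-default"
    sed '/^[[:space:]]*Alias[[:space:]]\{1,\}"\{0,1\}\/doc/d' "$f" >"$f.new" && mv "$f.new" "$f"
    f="$1/mods-enabled/ssl.conf"
    sed 's/^\([[:space:]]*SSLCompression[[:space:]]\{1,\}\)on[[:space:]]*$/\1off/' "$f" >"$f.new" && mv "$f.new" "$f"
    f="$1/conf.d/security"
    sed '/^#[[:space:]]*<DirectoryMatch/,/^#[[:space:]]*<\/DirectoryMatch>/s/^#[[:space:]]\{0,1\}//' "$f" >"$f.new" && mv "$f.new" "$f"
}

# Stand-alone run: audit the weak tree, fix it, audit again.
root=$(make_sample_tree)
echo "before: $(count_findings "$root") finding(s)"
harden_tree "$root"
echo "after:  $(count_findings "$root") finding(s)"
rm -rf "$root"
```

Two caveats when pointing this at a real tree. It scans every file under the directory and does not follow Include, so a directive living outside the tree (or in a file the server never includes) is counted the same as a live one. And on a 2.2.22 build that predates the backport the SSLCompression directive does not exist at all, so an absent directive tells you nothing about compression; check the installed package version against the entries above (2.2.22-6ubuntu2.1 or later carries the backport) before trusting the second check.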
-
apache2 (2.2.22-1ubuntu1) precise; urgency=low
* Merge from Debian testing. Remaining changes:
- debian/{control, rules}: Enable PIE hardening.
- debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
- debian/control: Add bzr tag and point it to our tree
- debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
- debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
Plymouth aware passphrase dialog program ask-for-passphrase.
apache2 (2.2.22-1) unstable; urgency=medium
[ Stefan Fritsch ]
* New upstream release, urgency medium due to security fixes:
- Fix CVE-2012-0021: mod_log_config: DoS with '%{cookiename}C' log format
- Fix CVE-2012-0031: Unprivileged child process could cause the parent to
crash at shutdown
- Fix CVE-2012-0053: Exposure of "httpOnly" cookies in code 400 error
message.
* Move httxt2dbm to apache2-utils
* Adjust debian/control to point to new git repository.
[ Arno Töll ]
* Fix "typo in /etc/apache2/apache2.conf" (Closes: #653801)
-- Chuck Short <email address hidden> Sun, 12 Feb 2012 20:06:35 -0500