~ubuntu-branches/ubuntu/dapper/apache2/dapper-updates : changes

~ubuntu-branches/ubuntu/dapper/apache2/dapper-updates » Changes from revision 22

From Revision 22 to 3

Rev	Summary	Authors	Tags	Date
22	* SECURITY UPDATE: denial of service in apr_fnmatch exploita... * SECURITY UPDATE: denial of service in apr_fnmatch exploitable via apache's mod_index - debian/patches/122_fnmatch_CVE-2011-0419.patch: rewrite apr_fnmatch to have a better time bounds on execution. - CVE-2011-0419 - debian/patches/123_fnmatch_CVE-2011-1928.patch: fix possible DoS introduced by patch for CVE-2011-0419. - CVE-2011-1928	Steve Beattie	2.0.55-4ubuntu2.13	12 years ago
21	* SECURITY UPDATE: denial of service via request that lacks ... * SECURITY UPDATE: denial of service via request that lacks a path in mod_dav. - debian/patches/120_CVE-2010-1452.dpatch: fix path handling in modules/dav/main/util.c. - CVE-2010-1452 * SECURITY UPDATE: denial of service via memory leak in apr_brigade_split_line function. - debian/patches/121_CVE-2010-1623.dpatch: properly destroy bucket in srclib/apr-util/buckets/apr_brigade.c. - CVE-2010-1623	Marc Deslauriers	2.0.55-4ubuntu2.12	13 years ago
20	* debian/patches/119_sslinsecurerenegotiation-directive.dpat... * debian/patches/119_sslinsecurerenegotiation-directive.dpatch: once openssl gets updated to fix CVE-2009-3555, server renegotiations with unpatched clients will fail. This patch adds the ability to revert to the previous unsafe behaviour with a new SSLInsecureRenegotiation directive. (LP: #616759) * debian/control: add specific dependency on first openssl version to get CVE-2009-3555 fix.	Marc Deslauriers	2.0.55-4ubuntu2.11	13 years ago
19	* SECURITY UPDATE: information disclosure via improper handl... * SECURITY UPDATE: information disclosure via improper handling of headers in subrequests - debian/patches/118_CVE-2010-0434.dpatch: use a copy of r->headers_in in server/protocol.c. - CVE-2010-0434	Marc Deslauriers	2.0.55-4ubuntu2.10	14 years ago
18	* SECURITY UPDATE: Reject client-initiated SSL/TLS renegotia... * SECURITY UPDATE: Reject client-initiated SSL/TLS renegotiations. Partial fix for CVE-2009-3555. Configurations requiring renegotiation of per-directory/location access controls are still affected until OpenSSL is updated. - debian/patches/115_CVE-2009-3555.patch: disable all client renegotiations - based on http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch - CVE-2009-3555 * SECURITY UPDATE: fix NULL pointer dereference in mod_proxy_ftp module - debian/patches/116-CVE-2009-3094.patch: fix NULL pointer dereference in mod_proxy_ftp.c/apr_socket_close() and potential buffer overread in EPSV response parser - based on http://svn.apache.org/viewvc?revision=814652&view=revision - CVE-2009-3094 * SECURITY UPDATE: fix access control bypass in mod_proxy_ftp when configured as a reverse proxy - debian/patches/117-CVE-2009-3095.patch: adjust proxy_ftp_handler() in mod_proxy_ftp.c to fail if the decoded Basic credentials contain special characters. - based on http://svn.apache.org/viewvc?revision=814045&view=revision - CVE-2009-3095	Jamie Strandboge	2.0.55-4ubuntu2.9	14 years ago
17	* SECURITY UPDATE: remote denial of service in mod_deflate m... * SECURITY UPDATE: remote denial of service in mod_deflate module when the network connection was closed before compression completed - debian/patches/113_CVE-2009-1891.patch: update patch to fix regression that caused segfaults under certain circumstances. (LP: #409987) - CVE-2009-1891	Marc Deslauriers	2.0.55-4ubuntu2.8	14 years ago
16	* SECURITY UPDATE: fix integer overflow in libapr * SECURITY UPDATE: fix integer overflow in libapr - debian/patches/114_CVE-2009-2412.patch: adjust allocator_alloc() and apr_palloc() in apr_pools.c to check for overflow after aligning size - http://www.apache.org/dist/apr/patches/apr-0.9-CVE-2009-2412.patch - CVE-2009-2412 * SECURITY UPDATE: fix integer overflow in libaprutil - debian/patches/114_CVE-2009-2412b.patch: adjust apr_rmm_malloc, apr_rmm_calloc, apr_rmm_realloc to check for overflow after aligning size - http://www.apache.org/dist/apr/patches/apr-util-0.9-CVE-2009-2412.patch - CVE-2009-2412	Jamie Strandboge	2.0.55-4ubuntu2.7	14 years ago
15	* SECURITY UPDATE: remote denial of service in mod_deflate m... * SECURITY UPDATE: remote denial of service in mod_deflate module when the network connection was closed before compression completed - debian/patches/113_CVE-2009-1891.patch: fail if the connection has been aborted in server/core.c - CVE-2009-1891	Marc Deslauriers	2.0.55-4ubuntu2.6	14 years ago
14	* SECURITY UPDATE: Fix underflow in apr_strmatch_precompile * SECURITY UPDATE: Fix underflow in apr_strmatch_precompile - debian/patches/110_CVE-2009-0023.dpatch: adjust srclib/apr-util/strmatch/apr_strmatch.c to properly evaluate strings as unsigned char rather than int - CVE-2009-0023 * SECURITY UPDATE: Prevent "billion laughs" attack against expat - debian/patches/111_CVE-2009-1955.dpatch: adjust srclib/apr-util/xml/apr_xml.c to disable internal entity expansion - CVE-2009-1955 * SECURITY UPDATE: Fix off by one overflow in apr_brigade_vprintf - debian/patches/112_CVE-2009-1956.dpatch: don't add null terminator to vd.vbuff.curpos in srclib/apr-util/buckets/apr_brigade.c - CVE-2009-1956	Jamie Strandboge	2.0.55-4ubuntu2.5	14 years ago
13	* SECURITY UPDATE: Cross-site scripting (XSS) vulnerability ... * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in "413 Request Entity Too Large" error message - debian/patches/106_CVE-2007-6203.patch: properly escape some error messages in modules/http/http_protocol.c. - CVE-2007-6203 * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability via UTF-7 encoded URLs - debian/patches/107_CVE-2008-2168.patch: specify a default charset in modules/dav/main/mod_dav.c and modules/generators/mod_info.c. - CVE-2008-2168 * SECURITY UPDATE: Denial of service via large number of interim responses in mod_proxy module (LP: #239894) - debian/patches/108_CVE-2008-2364.patch: limit the number of interim responses in modules/proxy/proxy_http.c. - CVE-2008-2364 * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the mod_proxy_ftp module - debian/patches/109_CVE-2008-2939.patch: escape the html contained in the wildcard value in modules/proxy/proxy_ftp.c. - CVE-2008-2939	Marc Deslauriers	2.0.55-4ubuntu2.4	15 years ago
12	* SECURITY UPDATE: denial of service (application crash) whe... * SECURITY UPDATE: denial of service (application crash) when using mod_proxy in threaded MPM via crafted date headers. * debian/patches/100_CVE-2007-3847.patch: fix proxy_util.c to use apr_date_parse_http() and apr_rfc822_date() * SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c when charset not defined * debian/patches/101_CVE-2007-4465.patch: fix mod_autoindex.c to properly check for and use charset * SECURITY UPDATE: cross-site scripting vulnerability in mod_imap * debian/patches/102_CVE-2007-5000.patch: fix for mod_imap.c to use ap_escape_html() * SECURITY UPDATE: cross-site scripting vulnerability in mod_status when server-status is enabled * debian/patches/103_CVE-2007-6388.patch: fix for mod_status.c to properly setup table * SECURITY UPDATE: cross-site scripting vulnerability in proxy_ftp when charset is not defined * debian/patches/104_CVE-2008-0005.patch: fix for proxy_ftp.c to define a charset * SECURITY UPDATE: cross-site scripting vulnerability in Expect headers * debian/patches/105_CVE-2006-3918.patch: fix for http_protocol.c to use ap_escape_html() * References CVE-2007-3847 CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2008-0005 CVE-2006-3918	Jamie Strandboge	2.0.55-4ubuntu2.3	16 years ago
11	* SECURITY UPDATE: XSS in mod_status, bad signal passing. * SECURITY UPDATE: XSS in mod_status, bad signal passing. * Backported fixes from upstream: - CVE-2007-3304: stop signals from being sent to other processes. http://svn.apache.org/viewvc?view=rev&revision=547987 - CVE-2006-5752: fixed XSS in status report. http://svn.apache.org/viewvc?view=rev&revision=549159	Kees Cook	2.0.55-4ubuntu2.2	16 years ago
10	* SECURITY UPDATE: Remote DoS, potential remote code executi... * SECURITY UPDATE: Remote DoS, potential remote code execution. * Add debian/patches/053_mod_rewite_CVE-2006-3747: - Fix off-by-one buffer overflow in mod_rewrite's ldap scheme handler. - Reported by Mark Dowd of McAfee Avert Labs. - CVE-2006-3747	Martin Pitt	2.0.55-4ubuntu2.1	17 years ago
9	Include patch from SVN HEAD to make sure LFS works on 64-bit... Include patch from SVN HEAD to make sure LFS works on 64-bit platforms where sendfile() doesn't like dealing with anything larger than 32-bit chunks. Yes, Linux 2.6, I'm looking at you (see: launchpad.net/11850)	Adam Conrad	2.0.55-4ubuntu2	17 years ago
8	Restore the "a2enmod userdir" that went missing in the "cruf... Restore the "a2enmod userdir" that went missing in the "cruft cleaning" in the last upload, since it's required to sanely configure new setups.	Adam Conrad	2.0.55-4ubuntu1	17 years ago
7	* Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer... * Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352 * Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in threaded MPMs when making a non-SSL connection to an SSL-enabled port on a server with a custom 400 error document defined; see CVE-2005-3357 * Clean up our use of trailing slashes on directories in debian/rules, so the newer, pickier, obviously very improved coreutils doesn't bite us. * Remove some cruft from apache2-common's postinst, dealing with upgrade scenarios from versions older than those released in Sarge or Warty. * Use "SHELL := sh -e" in debian/rules, so the build will stop on shell errors, instead of blundering on to later make targets (closes: #340761) * Recreate /var/run/apache2 and /var/lock/apache2 in our init script, in case the user has /var/run and /var/lock on tmpfs, which is fasionable. * Make our init script a /bin/bash script instead of a /bin/sh script, so we can abuse it with regex globbing (#348189, #347962, #340955, #342008) * Take patch from Adrian Bridgett to output errors from our config test in the init script, but only do so when we're VERBOSE (closes: #339323) * In the spirit of the LSB, make our init script exit 2 when called with incorrect arguments, and exit 4 when asked for status (closes: #330275) * Fix the default site to not mix configuration syntax (closes: #345922) * Mention apxs2 in the apache2-*-dev long descriptions (closes: #307921)	Adam Conrad	2.0.55-4	18 years ago
6	Rebuild for libstdc++ allocator change Rebuild for libstdc++ allocator change	Matthias Klose	2.0.55-3build1	18 years ago
5	Brown paper bag release: Tidy up CFLAGS and APR configure ca... Brown paper bag release: Tidy up CFLAGS and APR configure call to make sure that what we link to agrees with what apu-config tells others to do.	Adam Conrad	2.0.55-3	18 years ago
4	Add 047_ssl_reneg_with_body, which adds a (bounded) buffer o... Add 047_ssl_reneg_with_body, which adds a (bounded) buffer of request body data to provide a limited but safe fix for the mod_ssl renegotiation vs requests-with-bodies bug, as occurs with POST and SVN (Ubuntu #14991)	Adam Conrad	2.0.54-5ubuntu2	18 years ago
3	Fix the init script to not exit with an error when asked to Fix the init script to not exit with an error when asked to stop a daemon that isn't running (Was the root cause of #8374)	Adam Conrad	2.0.53-5ubuntu5	19 years ago

Older »