-
apache2 (2.2.16-6+squeeze12) squeeze; urgency=medium
* Security: CVE-2013-1862: mod_rewrite: Ensure that client data written to
the RewriteLog is escaped to prevent terminal escape sequences from
entering the log file. Closes: #722333
* Security: CVE-2013-1896: mod_dav: denial of service via MERGE request.
Closes: #717272
* mod_dav: Fix segfaults in certain error conditions.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52559
-- Stefan Fritsch <email address hidden> Tue, 28 Jan 2014 22:48:05 +0100
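A defender's check for the log-escaping issue in the entry above (an added example, not part of the changelog or of Apache's own code): it counts and neutralises raw ESC bytes in a log file so that logs written by an unpatched server can be inspected safely. The sample lines are constructed, and their RewriteLog-style format is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Debian changelog: scan a log file for raw
# ESC (0x1b) bytes, the start of every terminal escape sequence. Before the
# CVE-2013-1862 fix, mod_rewrite wrote client-supplied data to the RewriteLog
# unescaped, so viewing such a log with cat/tail could hand the sequences to
# the terminal. This is a defender's check for logs written by an unpatched
# server, or for any log that records client-controlled strings.

esc="$(printf '\033')"

# Print the number of lines in file $1 that contain at least one ESC byte.
count_esc_lines() {
    awk -v e="$esc" 'index($0, e) > 0 { n++ } END { print n + 0 }' "$1"
}

# Print file $1 with every ESC byte replaced by the visible text "<ESC>",
# so the content can be inspected safely on a terminal.
neutralise_esc() {
    awk -v e="$esc" '{ gsub(e, "<ESC>"); print }' "$1"
}

# Constructed sample log: the line format imitates a RewriteLog entry; the
# second request path carries an ANSI clear-screen/cursor-home sequence.
log="$(mktemp)"
{
    printf '192.0.2.10 - - [28/Jan/2014:22:00:01 +0100] (2) init rewrite engine with requested uri /index.html\n'
    printf '192.0.2.11 - - [28/Jan/2014:22:00:02 +0100] (2) init rewrite engine with requested uri /\033[2J\033[H\n'
    printf '192.0.2.12 - - [28/Jan/2014:22:00:03 +0100] (1) pass through /about\n'
} > "$log"

echo "lines containing escape sequences: $(count_esc_lines "$log")"   # 1
neutralise_esc "$log"
```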
-
apache2 (2.2.16-6+squeeze11) squeeze-security; urgency=high
* CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
* CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.
-- Stefan Fritsch <email address hidden> Sun, 03 Mar 2013 12:25:22 +0100
-
apache2 (2.2.16-6+squeeze10) squeeze-security; urgency=low
[ Arno Töll ]
* Backport disable-ssl-compression.patch from Wheezy. This patch disabled
SSL compression upon request by introducing a "Compression on|off"
directive to mod_ssl. This is to mitigate impact of CRIME attacks to SSL -
which is a browser issue, however.
See also Debian bug #674142 and #689936.
[ Stefan Fritsch ]
* CVE-2012-4557: mod_proxy_ajp: Remote denial of service (temporary, until
mod_proxy_ajp's retry timeout expired).
-- Stefan Fritsch <email address hidden> Fri, 30 Nov 2012 09:26:36 +0100
-
apache2 (2.2.16-6+squeeze8) squeeze; urgency=low
* CVE-2012-2687: mod_negotiation: Escape filenames in variant list to
prevent a possible XSS vulnerability for a site where untrusted users
can upload files to a location with MultiViews enabled.
* Send 408 status instead of 400 if reading of a request fails with a
timeout. This allows browsers to retry. Closes: #677086
* mod_cache: Prevent Partial Content responses from being cached and served
as normal response. Closes: #671204
* mpm_itk: Fix an issue where users can sometimes get spurious 403s on
persistent connections. Closes: #672333
-- Stefan Fritsch <email address hidden> Sun, 09 Sep 2012 23:08:04 +0200
-
apache2 (2.2.16-6+squeeze7) squeeze-security; urgency=high
* CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
hosts' config files.
If scripting modules like mod_php or mod_rivet are enabled on systems
where either 1) some frontend server forwards connections to an apache2
backend server on the localhost address, or 2) the machine running
apache2 is also used for web browsing, this could allow a remote
attacker to execute example scripts stored under /usr/share/doc.
Depending on the installed packages, this could lead to issues like cross
site scripting, code execution, or leakage of sensitive data.
-- Stefan Fritsch <email address hidden> Sun, 01 Apr 2012 00:20:48 +0200
-
apache2 (2.2.16-6+squeeze4) squeeze; urgency=low
* Fix CVE-2011-3348: Possible denial of service in mod_proxy_ajp
if combined with mod_proxy_balancer.
* Make exit code of '/etc/init.d/apache2 status' more LSB compatible.
Closes: #613969
* Fix typo in init script. Closes: #615866
* For multiple instance setups, correctly determine the config dir in the
init script if it is called via a start/stop link. Closes: #627061
* Add hint in README.Debian about 403 error with mod_dav PUT.
Closes: #613438
* Add hint in README.Debian about how to increase max number of open
files. Closes: #615632
* Make it clear in README.multiple-instances that the MPMs are shipped
in the apache2.2-bin package.
* Tweak patch header to fix "dpatch unapply" with unstable's patch/dpatch.
-- Stefan Fritsch <email address hidden> Mon, 26 Sep 2011 00:12:23 +0200
-
apache2 (2.2.16-6+squeeze1) stable-security; urgency=high
* Fix CVE-2011-1176 in apache2-mpm-itk: If NiceValue was set, the default
with no AssignUserID was to run as root:root instead of the default Apache
user and group. Closes: #618857
-- Stefan Fritsch <email address hidden> Tue, 22 Mar 2011 21:44:39 +0100
-
apache2 (2.2.16-6) unstable; urgency=low
* Also add $named to the secondary-init-script example.
-- Stefan Fritsch <email address hidden> Sat, 01 Jan 2011 22:55:15 +0100
-
apache2 (2.2.16-4) unstable; urgency=medium
* Increase the mod_reqtimeout default timeouts to avoid potential problems
with CRL-requesting browsers. Also extend the comments in reqtimeout.conf.
* Remove bogus comment in conf.d/security about default in the "release
after Lenny".
* Clarify comments in suexec-custom's default config file. LP: #673289
-- Stefan Fritsch <email address hidden> Sun, 14 Nov 2010 19:05:55 +0100
-
apache2 (2.2.16-3) unstable; urgency=high
* CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
* Fix "Could not reliably determine the server's ..." error message in
README.Debian, to make it easier to search for it. Closes: #590528
-- Stefan Fritsch <email address hidden> Sat, 09 Oct 2010 20:59:34 +0200
-
apache2 (2.2.16-2) unstable; urgency=low
* Force -j1 for 'make install' to fix occasional FTBFS. Closes: #593036
* Add a note about the new behaviour of SSL/TLS renegotiation and the new
directive SSLInsecureRenegotiation to NEWS.Debian. Closes: #593334
* Support 'graceful' as alias for 'reload' in the init script.
* In README.Debian, suggest an Apache configuration change to get rid of the
"Could not reliably determine the server's fully qualified domain name"
warning, as alternative to changing DNS or /etc/hosts. Closes: #590528
* Add notes to README.Debian on how to reduce memory usage.
* Bump Standards-Version (no changes).
-- Stefan Fritsch <email address hidden> Sun, 29 Aug 2010 15:29:21 +0200
-
apache2 (2.2.16-1) unstable; urgency=medium
* Urgency medium for security fix.
* New upstream release:
- CVE-2010-1452: mod_dav, mod_cache: Fix denial of service vulnerability
due to incorrect handling of requests without a path segment.
- mod_dir: add FallbackResource directive, to enable admin to specify
an action to happen when a URL maps to no file, without resorting
to ErrorDocument or mod_rewrite
* Fix mod_ssl header line corruption because of using memcpy for overlapping
buffers. PR 45444. LP: #609290, #589611, #595116
-- Stefan Fritsch <email address hidden> Sat, 24 Jul 2010 22:18:43 +0200
-
apache2 (2.2.15-5) unstable; urgency=low
* Conflict with apache package as we now include apachectl. Closes: #579065
* Remove conflicts with old apache 2.0 modules. The conflicts are not
necessary anymore as skipping a stable release is not supported anyway.
* Silence the grep in preinst.
-- Stefan Fritsch <email address hidden> Sun, 25 Apr 2010 10:46:09 +0200
-
apache2 (2.2.15-2) unstable; urgency=low
* Make the Files ~ "^\.ht" block in apache2.conf more secure by adding
Satisfy all. Closes: #572075
* mod_reqtimeout: Various bug fixes, including:
- Don't mess up timeouts of mod_proxy's backend connections.
Closes: #573163
-- Stefan Fritsch <email address hidden> Wed, 10 Mar 2010 21:06:06 +0100
-
apache2 (2.2.14-7) unstable; urgency=low
* Fix potential memory leaks related to the usage of apr_brigade_destroy().
* Add hints about correct mod_dav_fs configuration to README.Debian.
Closes: #257945
* Fix error in Polish translation of 404 error page. Closes: #570228
* Document ThreadLimit in apache2.conf's comments.
-- Stefan Fritsch <email address hidden> Sat, 20 Feb 2010 12:38:30 +0100
-
apache2 (2.2.14-5) unstable; urgency=low
* Security: Further mitigation for the TLS renegotiation attack
(CVE-2009-3555): Disable keep-alive if parts of the next request have
already been received when doing a renegotiation. This defends against
some request splicing attacks.
* Print a useful error message if 'apache2ctl status' fails. Add a comment
to /etc/apache2/envvars on how to change the options for www-browser.
Closes: #561496, #272069
* Improve function to detect apache2 pid in init-script (closes: #562583).
* Add hint README.Debian on how to pass auth info to CGI scripts.
Closes: #483219
* Re-introduce objcopy magic to avoid dangling symlinks to the debug info
in the mpm packages. Closes: #563278
* Make apxs2 use a2enmod and /etc/apache2/mods-available. Closes: #470178,
LP: #500703
* Point to README.backtrace in apache2-dbg's description.
* Use more debhelper functions to simplify debian/rules.
* Add misc-depends to various packages to make lintian happy.
* Change build-dep from libcap2-dev to libcap-dev because of package rename.
-- Stefan Fritsch <email address hidden> Sat, 02 Jan 2010 22:44:15 +0100
-
apache2 (2.2.14-4) unstable; urgency=low
* Disable localized error pages again by default because they break
configurations with "<Location /> SetHandler ...". A workaround is
described in the comments in /etc/apache2/conf.d/localized-error-pages
(closes: #543333).
* mod_rewrite: Fix URLs in redirects with literal IPv6 hosts
(closes: #557015).
* Automatically listen on port 443 if mod_gnutls is loaded (closes: #558234).
* Add man page for split-logfile.
* Link with -lcrypt where necessary to fix a FTBFS with binutils-gold
(closes: #553946).
-- Stefan Fritsch <email address hidden> Sun, 13 Dec 2009 20:05:37 +0100
-
apache2 (2.2.14-3) unstable; urgency=low
* Backport various mod_dav/mod_dav_fs fixes from upstream trunk svn. This
includes:
- Make PUT replace files atomically (closes: #525137).
- Make MOVE not delete the destination if the source file disappeared in
the meantime (closes: #273476).
NOTE: The format of the DavLockDB has changed. The default DavLockDB will
be deleted on upgrade. Non-default DavLockDBs should be deleted manually.
* Fix output of "/etc/init.d/apache2 status" (closes: #555687).
* Update the comment about SNI in ports.conf (closes: #556932).
* Set redirect-carefully for Konqueror/4.
-- Stefan Fritsch <email address hidden> Sat, 21 Nov 2009 10:20:54 +0100
-
apache2 (2.2.14-2) unstable; urgency=medium
* Security:
Reject any client-initiated SSL/TLS renegotiations. This is a partial fix
for the TLS renegotiation prefix injection attack (CVE-2009-3555).
Any configuration which requires renegotiation for per-directory/location
access control is still vulnerable.
* Allow RemoveType to override the types from /etc/mime.types. This allows
to use .es and .tr for Spanish and Turkish files in mod_negotiation.
Closes: #496080
* Fix 'CacheEnable disk http://'. Closes: #442266
* Fix missing dependency by changing killall to pkill in the init script.
LP: #460692
* Add X-Interactive header to init script as it may ask for the ssl key
passphrase. Closes: #554824
* Move httxt2dbm man page into apache2.2-bin, which includes httxt2dbm, too.
* Enable keepalive for MSIE 7 and newer in default-ssl site and README.Debian
-- Stefan Fritsch <email address hidden> Sat, 07 Nov 2009 14:37:37 +0100
-
apache2 (2.2.14-1) unstable; urgency=low
* New upstream version:
- new module mod_proxy_scgi
* Disable hardening option -pie again, as gdb in Debian does not support
it properly and it is broken on mips*.
-- Stefan Fritsch <email address hidden> Tue, 29 Sep 2009 20:55:05 +0200
-
apache2 (2.2.13-2) unstable; urgency=high
* mod_proxy_ftp security fixes (closes: #545951):
- DoS by malicious ftp server (CVE-2009-3094)
- missing input sanitization: a user could execute arbitrary ftp commands
on the backend ftp server (CVE-2009-3095)
* Add entries to NEWS.Debian and README.Debian about Apache being stricter
about certain misconfigurations involving name based SSL virtual hosts.
Also make Apache print the location of the misconfigured VirtualHost when
it complains about a missing SSLCertificateFile statement. Closes: #541607
* Add Build-Conflicts: autoconf2.13 (closes: #541536).
* Adjust priority of apache2-mpm-itk to extra.
* Switch apache2.2-common and the four mpm packages from architecture all to
any. This is stupid but makes apache2 binNMUable again (closes: #544509).
* Bump Standards-Version (no changes).
-- Stefan Fritsch <email address hidden> Wed, 16 Sep 2009 20:55:02 +0200
-
apache2 (2.2.13-1) unstable; urgency=low
* New upstream release:
- Fixes segfault with mod_deflate and mod_php (closes: #542623).
-- Stefan Fritsch <email address hidden> Mon, 31 Aug 2009 20:28:56 +0200
-
apache2 (2.2.12-1) unstable; urgency=low
* New upstream release:
- Adds support for TLS Server Name Indication (closes: #461917 LP: #184131).
(The Debian default configuration will be changed to use SNI in a later
version.)
- Fixes timefmt config in SSI (closes: #363964).
- mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
to enable stricter checking of remote server certificates.
* Make mod_deflate not compress the content for HEAD requests. This is a
similar issue as CVE-2009-1891.
* Enable hardening compile options.
* Switch default LogFormat from %b (size of file sent) to %O (bytes actually
sent) (closes: #272476 LP: #255124)
* Add the default LANG=C to /etc/apache2/envvars and document it in
README.Debian (closes: #511878).
* Enable localized error pages by default if the necessary modules are
loaded. Move the config for it from apache2.conf to
/etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the
required order of the aliases in the comment (closes: #196795).
* Change default for ServerTokens to 'OS', to not announce the exact module
versions to the world (LP: #205996)
* Make a2ensite and friends ignore the same filenames as apache does for
included config files, even if LANG is not C.
* Merge source packages apache2 and apache2-mpm-itk (current itk version is
2.2.11-02). This removes the binNMU mess necessary for every apache2 upload
(closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src
package, which is no longer necessary.
* Ship our own version of the magic config file (taken from file 4.17-5etch3)
which is still compatible with mod_mime_magic (closes: #483111).
* Add ThreadLimit to the default config and put ThreadsPerChild and
MaxClients into the correct order so that Apache does not complain
(closes: #495656).
Also add a configuration block for the event MPM in apache2.conf.
* Fix HTTP PUT with mod_dav failing to detect an aborted connection
(closes: #451563).
* Change references to httpd.conf in apache2-doc to apache2.conf
(closes: #465393).
* Clarify the recommended permissions for SSL certificates in README.Debian
(closes: #512778).
* Document in README.Debian how to name files in conf.d to avoid conflicts
with packages (closes: #493252)
* Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
* Remove other_vhosts_access.log on package purge.
-- Stefan Fritsch <email address hidden> Tue, 04 Aug 2009 11:02:34 +0200
-
apache2 (2.2.11-6) unstable; urgency=high
* CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
Side Includes (closes: #530834).
* Fix postinst scripts (closes: #532278).
-- Stefan Fritsch <email address hidden> Mon, 08 Jun 2009 19:22:58 +0200
-
apache2 (2.2.11-3) unstable; urgency=low
* Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
(see #521899). This also creates the dependencies on the new external
libaprutil1-dbd-* and libaprutil1-ldap packages.
-- Stefan Fritsch <email address hidden> Tue, 31 Mar 2009 21:07:26 +0200
-
apache2 (2.2.11-2) unstable; urgency=low
* Report an error instead of segfaulting when apr_pollset_create
fails (PR 46467). On Linux kernels since 2.6.27.8, the value in
/proc/sys/fs/epoll/max_user_instances needs to be larger than twice the
value of MaxClients in the Apache configuration. Closes: #511103
-- Stefan Fritsch <email address hidden> Fri, 16 Jan 2009 19:01:59 +0100
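The MaxClients rule stated in the entry above, turned into a check (an added example, not from the changelog or from Apache): it reads MaxClients from a config file and compares it with the epoll limit, running here on constructed sample files instead of the live system.

```shell
#!/bin/sh
# Added example, not part of the Debian changelog: check that the kernel's
# epoll instance limit satisfies the rule from the 2.2.11-2 entry, i.e.
# /proc/sys/fs/epoll/max_user_instances > 2 * MaxClients, before Apache hits
# the apr_pollset_create failure. Both inputs are file paths so the check can
# run against constructed samples as well as the live config and /proc entry.

# Print the first uncommented MaxClients value found in config file $1.
# Caveat: real configs carry one MaxClients per <IfModule mpm_*> block; only
# the active MPM's value applies, and this helper simply takes the first.
max_clients() {
    awk 'tolower($1) == "maxclients" { print $2; exit }' "$1"
}

# Return 0 if the limit in file $2 exceeds 2 * MaxClients from config $1,
# 1 if it is too low, 2 if no MaxClients directive was found.
epoll_limit_ok() {
    cfg="$1"
    limit_file="${2:-/proc/sys/fs/epoll/max_user_instances}"
    mc="$(max_clients "$cfg")"
    if [ -z "$mc" ]; then
        echo "no MaxClients directive in $cfg"
        return 2
    fi
    limit="$(cat "$limit_file")"
    needed=$((2 * mc + 1))
    if [ "$limit" -ge "$needed" ]; then
        echo "ok: max_user_instances=$limit, MaxClients=$mc"
        return 0
    fi
    echo "too low: max_user_instances=$limit, need >= $needed for MaxClients=$mc"
    return 1
}

# Constructed sample config and limit files (values chosen for the demo).
tmp="$(mktemp -d)"
cat > "$tmp/apache2.conf" <<'EOF'
#MaxClients 999          <- commented out, must be ignored
<IfModule mpm_worker_module>
    StartServers          2
    MaxClients          150
    ThreadsPerChild      25
</IfModule>
EOF
echo 128  > "$tmp/limit_low"    # 128 < 301: Apache may fail to start
echo 1024 > "$tmp/limit_high"   # 1024 >= 301: fine

epoll_limit_ok "$tmp/apache2.conf" "$tmp/limit_low" || echo "(expected: too low)"
epoll_limit_ok "$tmp/apache2.conf" "$tmp/limit_high"
```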