[Pkg-apache-commits] [SCM] Debian packaging for apache2 (Apache HTTPD 2.x) branch, master, updated. cc2d8feba962b0ef7fd4b73043114a64ee4ab54f
Stefan Fritsch
sf at sfritsch.de
Mon Jan 30 21:29:03 UTC 2012
The following commit has been merged in the master branch:
commit cc2d8feba962b0ef7fd4b73043114a64ee4ab54f
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Mon Jan 30 22:05:14 2012 +0100
updates for 2.2.22, move httxt2dbm to apache2-utils
diff --git a/debian/apache2-prefork-dev.install b/debian/apache2-prefork-dev.install
index eec6da4..67dc997 100644
--- a/debian/apache2-prefork-dev.install
+++ b/debian/apache2-prefork-dev.install
@@ -1 +1 @@
-usr/share/man/man8/apxs2.8
+usr/share/man/man1/apxs2.1
diff --git a/debian/apache2-threaded-dev.install b/debian/apache2-threaded-dev.install
index eec6da4..67dc997 100644
--- a/debian/apache2-threaded-dev.install
+++ b/debian/apache2-threaded-dev.install
@@ -1 +1 @@
-usr/share/man/man8/apxs2.8
+usr/share/man/man1/apxs2.1
diff --git a/debian/apache2-utils.install b/debian/apache2-utils.install
index f3b5849..3465173 100644
--- a/debian/apache2-utils.install
+++ b/debian/apache2-utils.install
@@ -15,5 +15,7 @@ usr/sbin/rotatelogs
usr/share/man/man8/rotatelogs.8
usr/sbin/htcacheclean
usr/share/man/man8/htcacheclean.8
+usr/sbin/httxt2dbm
+usr/share/man/man1/httxt2dbm.1
support/check_forensic usr/sbin
debian/build-tree/worker/support/split-logfile usr/sbin
diff --git a/debian/apache2.2-bin.install b/debian/apache2.2-bin.install
index c5638ca..8e8d38b 100644
--- a/debian/apache2.2-bin.install
+++ b/debian/apache2.2-bin.install
@@ -1,2 +1 @@
usr/lib/apache2/modules
-usr/sbin/httxt2dbm
diff --git a/debian/apache2.2-bin.manpages b/debian/apache2.2-bin.manpages
deleted file mode 100644
index b5db557..0000000
--- a/debian/apache2.2-bin.manpages
+++ /dev/null
@@ -1 +0,0 @@
-debian/httxt2dbm.8
diff --git a/debian/changelog b/debian/changelog
index e6ed189..ee9ac76 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,12 +1,19 @@
-apache2 (2.2.21-6) UNRELEASED; urgency=low
-
- [ Arno Töll ]
- * Fix "typo in /etc/apache2/apache2.conf" (Closes: #653801)
+apache2 (2.2.22-1) UNRELEASED; urgency=medium
[ Stefan Fritsch ]
+ * New upstream release, urgency medium due to security fixes:
+ - Fix CVE-2012-0021: mod_log_config: DoS with '%{cookiename}C' log format
+ - Fix CVE-2012-0031: Unprivileged child process could cause the parent to
+ crash at shutdown
+ - Fix CVE-2012-0053: Exposure of "httpOnly" cookies in code 400 error
+ message.
+ * Move httxt2dbm to apache2-utils
* Adjust debian/control to point to new git repository.
- -- Arno Töll <debian at toell.net> Sat, 31 Dec 2011 09:45:14 +0100
+ [ Arno Töll ]
+ * Fix "typo in /etc/apache2/apache2.conf" (Closes: #653801)
+
+ -- Stefan Fritsch <sf at debian.org> Sun, 29 Jan 2012 13:38:37 +0100
apache2 (2.2.21-5) unstable; urgency=low
diff --git a/debian/control b/debian/control
index f621e1f..ee56409 100644
--- a/debian/control
+++ b/debian/control
@@ -106,7 +106,7 @@ Description: multiuser MPM for Apache 2.2
Package: apache2-utils
Architecture: any
-Replaces: apache2-common, apache-utils (<< 1.3.33-4)
+Replaces: apache2-common, apache-utils (<< 1.3.33-4), apache2.2-bin (<< 2.2.22-1~)
Conflicts: apache-common (<< 1.3.28.0.1-1)
Depends: ${misc:Depends}, ${shlibs:Depends}
Description: utility programs for webservers
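Review bot: The new `apache2.2-bin (<< 2.2.22-1~)` entry on the `Replaces:` line has no matching `Breaks:`, so dpkg will let the new apache2-utils take over `usr/sbin/httxt2dbm` while an older apache2.2-bin that still ships that file stays installed — the split-upgrade case Debian Policy 7.6.1 asks a Replaces+Breaks pair to cover when a file moves between binary packages. Unless the two packages are guaranteed to upgrade together (apache2.2-bin's own relations are not visible in this hunk), add `Breaks: apache2.2-bin (<< 2.2.22-1~)` beside the Replaces line so the old apache2.2-bin is forced to upgrade rather than left with a dangling file entry. The rest of the stanza is unaffected.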
@@ -121,6 +121,7 @@ Description: utility programs for webservers
- split-logfile (Split a single log including multiple vhosts)
- checkgid (Checks whether the caller can setgid to the specified group)
- check_forensic (Extract mod_log_forensic output from Apache log files)
+ - httxt2dbm (Generate dbm files for use with RewriteMap)
Package: apache2-suexec
Architecture: any
diff --git a/debian/patches/083_CVE-2011-3368 b/debian/patches/083_CVE-2011-3368
deleted file mode 100755
index 69a38c9..0000000
--- a/debian/patches/083_CVE-2011-3368
+++ /dev/null
@@ -1,52 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Upstream r1179525
-
- at DPATCH@
-commit d239e98144d468928fbd2d3f519bd9265d162932
-Author: Joe Orton <jorton at apache.org>
-Date: Thu Oct 6 07:39:13 2011 +0000
-
- Merge r1179239 from trunk:
-
- SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
- reverse proxy configurations by strictly validating the request-URI:
-
- * server/protocol.c (read_request_line): Send a 400 response if the
- request-URI does not match the grammar from RFC 2616. This ensures
- the input string for RewriteRule et al really is an absolute path.
-
- Reviewed by: jim, covener, rjung
-
-
- git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1179525 13f79535-47bb-0310-9956-ffa450edef68
-
---- a/server/protocol.c
-+++ b/server/protocol.c
-@@ -640,6 +640,25 @@
-
- ap_parse_uri(r, uri);
-
-+ /* RFC 2616:
-+ * Request-URI = "*" | absoluteURI | abs_path | authority
-+ *
-+ * authority is a special case for CONNECT. If the request is not
-+ * using CONNECT, and the parsed URI does not have scheme, and
-+ * it does not begin with '/', and it is not '*', then, fail
-+ * and give a 400 response. */
-+ if (r->method_number != M_CONNECT
-+ && !r->parsed_uri.scheme
-+ && uri[0] != '/'
-+ && !(uri[0] == '*' && uri[1] == '\0')) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "invalid request-URI %s", uri);
-+ r->args = NULL;
-+ r->hostname = NULL;
-+ r->status = HTTP_BAD_REQUEST;
-+ r->uri = apr_pstrdup(r->pool, uri);
-+ }
-+
- if (ll[0]) {
- r->assbackwards = 0;
- pro = ll;
diff --git a/debian/patches/084_CVE-2011-4317 b/debian/patches/084_CVE-2011-4317
deleted file mode 100644
index a880bd2..0000000
--- a/debian/patches/084_CVE-2011-4317
+++ /dev/null
@@ -1,66 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Upstream r1209432
-
- at DPATCH@
-commit 318b86756de2049f652561e1a66420b4a92d4a7e
-Author: Joe Orton <jorton at apache.org>
-Date: Fri Dec 2 12:04:20 2011 +0000
-
- Fix for additional cases of URL rewriting with ProxyPassMatch or
- RewriteRule, where particular request-URIs could result in undesired
- backend network exposure in some configurations. (CVE-2011-4317)
-
- Thanks to Prutha Parikh from Qualys for reporting this issue.
-
- * modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
- request-URI. Fail for cases where r->uri does not begin with a "/".
-
- * modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.
-
-
- git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1209432 13f79535-47bb-0310-9956-ffa450edef68
-
---- a/modules/mappers/mod_rewrite.c
-+++ b/modules/mappers/mod_rewrite.c
-@@ -4283,6 +4283,18 @@
- return DECLINED;
- }
-
-+ if (strcmp(r->unparsed_uri, "*") == 0) {
-+ /* Don't apply rewrite rules to "*". */
-+ return DECLINED;
-+ }
-+
-+ /* Check that the URI is valid. */
-+ if (!r->uri || r->uri[0] != '/') {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Invalid URI in request %s", r->the_request);
-+ return HTTP_BAD_REQUEST;
-+ }
-+
- /*
- * add the SCRIPT_URL variable to the env. this is a bit complicated
- * due to the fact that apache uses subrequests and internal redirects
---- a/modules/proxy/mod_proxy.c
-+++ b/modules/proxy/mod_proxy.c
-@@ -566,6 +566,18 @@
- return OK;
- }
-
-+ if (strcmp(r->unparsed_uri, "*") == 0) {
-+ /* "*" cannot be proxied. */
-+ return DECLINED;
-+ }
-+
-+ /* Check that the URI is valid. */
-+ if (!r->uri || r->uri[0] != '/') {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Invalid URI in request %s", r->the_request);
-+ return HTTP_BAD_REQUEST;
-+ }
-+
- /* XXX: since r->uri has been manipulated already we're not really
- * compliant with RFC1945 at this point. But this probably isn't
- * an issue because this is a hybrid proxy/origin server.
diff --git a/debian/patches/085_CVE-2011-3607 b/debian/patches/085_CVE-2011-3607
deleted file mode 100755
index b9963f5..0000000
--- a/debian/patches/085_CVE-2011-3607
+++ /dev/null
@@ -1,29 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 085_CVE-2011-3607.dpatch by Stefan Fritsch <sf at debian.org>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Fix integer overflow, based on upstream r1198940
-
- at DPATCH@
-Index: trunk/server/util.c
-===================================================================
---- trunk.orig/server/util.c 2011-12-29 11:48:52.208562162 +0100
-+++ trunk/server/util.c 2011-12-29 11:50:13.204564281 +0100
-@@ -366,7 +366,7 @@
- char *dest, *dst;
- char c;
- size_t no;
-- int len;
-+ apr_size_t len;
-
- if (!source)
- return NULL;
-@@ -391,6 +391,8 @@
- len++;
- }
- else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
-+ if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
-+ return NULL;
- len += pmatch[no].rm_eo - pmatch[no].rm_so;
- }
-
diff --git a/debian/patches/series b/debian/patches/series
index a2a5ad6..6404142 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,9 +21,6 @@
077_CacheIgnoreURLSessionIdentifiers
079_polish_translation
082_ab_num_requests
-083_CVE-2011-3368
-084_CVE-2011-4317
-085_CVE-2011-3607
099_config_guess_sub_update
201_build_suexec-custom
# The patch below must not be applied by quilt at extraction time. It depends
diff --git a/debian/rules b/debian/rules
index 0ca917c..47b250f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -205,16 +205,13 @@ override_dh_install-arch:
fi \
done
cd debian && ln -s $(INSTALL_DIR_RELATIVE)/worker tmp
- for m in logresolve ab; do d=debian/tmp/usr/share/man/ ;\
- perl -p -e 's/^([.]TH.*?) 8 (.*)/$$1 1 $$2/' < $$d/man8/$$m.8 > $$d/man1/$$m.1 ;\
- done
#cleanup of death
rm -rf $(DEFAULT_MPM)/etc/apache2/original
rm -rf $(DEFAULT_MPM)/usr/include
rm -rf $(DEFAULT_MPM)/usr/share/apache2/build
rm -f $(DEFAULT_MPM)/usr/share/man/man8/httpd.8 # We install our own
rm -f $(DEFAULT_MPM)/usr/sbin/apxs $(DEFAULT_MPM)/usr/sbin/apache2 debian/tmp/usr/sbin/apachectl
- mv $(DEFAULT_MPM)/usr/share/man/man8/apxs.8 $(DEFAULT_MPM)/usr/share/man/man8/apxs2.8
+ mv $(DEFAULT_MPM)/usr/share/man/man1/apxs.1 $(DEFAULT_MPM)/usr/share/man/man1/apxs2.1
mv $(DEFAULT_MPM)/usr/share/man/man8/apachectl.8 $(DEFAULT_MPM)/usr/share/man/man8/apache2ctl.8
dh_install -a --list-missing
# DO NOT FALL FOR THE TEMPTATION TO MV INTO PACKAGES OR DOOM