apache2 (2.0.55-4ubuntu2.9) dapper-security; urgency=low
* SECURITY UPDATE: Reject client-initiated SSL/TLS renegotiations.
Partial fix for CVE-2009-3555. Configurations requiring renegotiation
of per-directory/location access controls are still affected until
OpenSSL is updated.
- debian/patches/115_CVE-2009-3555.patch: disable all client
renegotiations
- based on
http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
- CVE-2009-3555
* SECURITY UPDATE: fix NULL pointer dereference in mod_proxy_ftp module
- debian/patches/116-CVE-2009-3094.patch: fix NULL pointer dereference
in mod_proxy_ftp.c/apr_socket_close() and potential buffer overread
in EPSV response parser
- based on http://svn.apache.org/viewvc?revision=814652&view=revision
- CVE-2009-3094
* SECURITY UPDATE: fix access control bypass in mod_proxy_ftp when
configured as a reverse proxy
- debian/patches/117-CVE-2009-3095.patch: adjust proxy_ftp_handler()
in mod_proxy_ftp.c to fail if the decoded Basic credentials contain
special characters.
- based on http://svn.apache.org/viewvc?revision=814045&view=revision
- CVE-2009-3095
Date: Thu, 12 Nov 2009 15:45:14 -0600
Changed-By: Jamie Strandboge <[email protected]>
Maintainer: Debian Apache Maintainers <[email protected]>
https://launchpad.net/ubuntu/dapper/+source/apache2/2.0.55-4ubuntu2.9
Format: 1.7
Date: Thu, 12 Nov 2009 15:45:14 -0600
Source: apache2
Binary: apache2-utils apache2 apache2-prefork-dev apache2-mpm-prefork
apache2-doc libapr0-dev apache2-mpm-worker libapr0 apache2-threaded-dev
apache2-common apache2-mpm-perchild
Architecture: source
Version: 2.0.55-4ubuntu2.9
Distribution: dapper-security
Urgency: low
Maintainer: Debian Apache Maintainers <[email protected]>
Changed-By: Jamie Strandboge <[email protected]>
Description:
apache2 - next generation, scalable, extendable web server
apache2-common - next generation, scalable, extendable web server
apache2-doc - documentation for apache2
apache2-mpm-perchild - experimental high speed perchild threaded model for
Apache2
apache2-mpm-prefork - traditional model for Apache2
apache2-mpm-worker - high speed threaded model for Apache2
apache2-prefork-dev - development headers for apache2
apache2-threaded-dev - development headers for apache2
apache2-utils - utility programs for webservers
libapr0 - the Apache Portable Runtime
libapr0-dev - development headers for libapr
Changes:
apache2 (2.0.55-4ubuntu2.9) dapper-security; urgency=low
.
* SECURITY UPDATE: Reject client-initiated SSL/TLS renegotiations.
Partial fix for CVE-2009-3555. Configurations requiring renegotiation
of per-directory/location access controls are still affected until
OpenSSL is updated.
- debian/patches/115_CVE-2009-3555.patch: disable all client
renegotiations
- based on
http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
- CVE-2009-3555
* SECURITY UPDATE: fix NULL pointer dereference in mod_proxy_ftp module
- debian/patches/116-CVE-2009-3094.patch: fix NULL pointer dereference
in mod_proxy_ftp.c/apr_socket_close() and potential buffer overread
in EPSV response parser
- based on http://svn.apache.org/viewvc?revision=814652&view=revision
- CVE-2009-3094
* SECURITY UPDATE: fix access control bypass in mod_proxy_ftp when
configured as a reverse proxy
- debian/patches/117-CVE-2009-3095.patch: adjust proxy_ftp_handler()
in mod_proxy_ftp.c to fail if the decoded Basic credentials contain
special characters.
- based on http://svn.apache.org/viewvc?revision=814045&view=revision
- CVE-2009-3095
Files:
a6d575c4c0ef0ef9c4c77e7f6ddfb02d 1156 net optional
apache2_2.0.55-4ubuntu2.9.dsc
5d172b0ca228238e211940fad6b0935d 130638 net optional
apache2_2.0.55-4ubuntu2.9.diff.gz
--
dapper-changes mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/dapper-changes
