Your message dated Wed, 13 Apr 2005 05:34:14 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#285365: fixed in libapache-mod-security 1.8.7-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Date: Sun, 12 Dec 2004 14:22:25 -0600
From: FX <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: New version of libapache2-mod-security fixes security issues
package: libapache2-mod-security
severity: important

New upstream version of mod-security fixes several important bugs and
security holes.

Changelogs for new upstream versions 1.8.6 and 1.8.5 are as follows:

03/11/2004 1.8.6
----------------

* Made changes to how mod_security works to accommodate those
  who only want to operate in detection mode. Validation checks
  are now performed only once, at the beginning of request
  processing (by mod_security, not Apache). At the same time I
  have expanded the validation checks to include request headers
  as well. Only normalisation will be performed later, as the
  rules in the rule set are processed. There is one constraint,
  though. Non-fatal default action is not allowed in the
  initialization phase. Any normalisation or validation problems
  will result in the request being rejected. Therefore the
  only way to operate in a fully transparent detection mode
  is to turn off implicit validation options (URL decoding, Unicode,
  byte range, cookie format validation). I hope to relax this
  restriction in the 1.9 branch.

* BUG Fixed the broken "skip" action.

* BUG Fixed a problem with file interception (when either storage or
  approval is requested) that occurs with IE.

* BUG I introduced a new bug trying to fix a bug from 1.8.4. Uploading
  a file larger than the memory buffer would cause the approval
  phase to be skipped altogether.

21/10/2004 1.8.5
----------------

* BUG Fixed the O_BINARY problem that manifested itself on Windows.

* BUG Fixed a problem with temporary file reading that manifested
  itself on Windows (Apache 2 version only).

* BUG Fixed the problem with requests for folders (where mod_dir
  performs subrequests) and DynamicOnly is on, and there are
  several dynamic entries in the DirectoryIndex configuration before
  the "real" one. It's not a proper fix though. Fixing it properly
  could jeopardize the stability so I've just disabled DynamicOnly
  for folders.

* BUG Removed the harmless message emitted to the error log on
  request line timeouts (Apache 1.3.31 started logging request
  line timeouts with 408).

* BUG Dynamic POST buffering control did not work at all in the
  Apache 2 module (causing segfaults). Fixed now.

* BUG Not defining a debug log file would cause error messages
  not to be logged to the Apache error log.
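
The detection-only setup that the 1.8.6 changelog entry describes, written out as a configuration fragment. This is an added example, not part of the bug report or of the upstream changelog; it uses mod_security 1.x directive names, and the log path and the sample rule are constructed placeholders.

```apache
# Added example: transparent detection mode for mod_security 1.8.6.
# Assumes the Apache 2 module; the log path below is a placeholder.
<IfModule mod_security.c>
    SecFilterEngine On

    # Implicit validation now runs once, before any rule is evaluated,
    # and a failure in that phase rejects the request regardless of the
    # default action. For fully transparent detection each implicit
    # check named in the changelog has to be switched off.
    SecFilterCheckURLEncoding Off
    SecFilterCheckUnicodeEncoding Off
    SecFilterCheckCookieFormat Off
    # Full byte range: no request byte is refused.
    SecFilterForceByteRange 0 255

    # Non-fatal default action for the rule-processing phase:
    # record the match and let the request continue.
    SecFilterDefaultAction "pass,log"

    # Keep an audit trail only for requests that matched a rule.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/audit_log

    # Constructed sample rule, logged but not blocked under "pass,log".
    SecFilter "\.\./"
</IfModule>
```

With the four checks left on, a malformed URL encoding, Unicode sequence, cookie or out-of-range byte still produces a rejection even though the default action is `pass`.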
---------------------------------------
From: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#285365: fixed in libapache-mod-security 1.8.7-1
Date: Wed, 13 Apr 2005 05:34:14 -0400
Source: libapache-mod-security
Source-Version: 1.8.7-1
We believe that the bug you reported is fixed in the latest version of
libapache-mod-security, which is due to be installed in the Debian FTP archive:
libapache-mod-security_1.8.7-1.diff.gz
  to pool/main/liba/libapache-mod-security/libapache-mod-security_1.8.7-1.diff.gz
libapache-mod-security_1.8.7-1.dsc
  to pool/main/liba/libapache-mod-security/libapache-mod-security_1.8.7-1.dsc
libapache-mod-security_1.8.7-1_i386.deb
  to pool/main/liba/libapache-mod-security/libapache-mod-security_1.8.7-1_i386.deb
libapache-mod-security_1.8.7.orig.tar.gz
  to pool/main/liba/libapache-mod-security/libapache-mod-security_1.8.7.orig.tar.gz
libapache2-mod-security_1.8.7-1_i386.deb
  to pool/main/liba/libapache-mod-security/libapache2-mod-security_1.8.7-1_i386.deb
mod-security-common_1.8.7-1_all.deb
  to pool/main/liba/libapache-mod-security/mod-security-common_1.8.7-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <[EMAIL PROTECTED]> (supplier of updated
libapache-mod-security package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 10 Apr 2005 12:28:03 +0200
Source: libapache-mod-security
Binary: libapache-mod-security libapache2-mod-security mod-security-common
Architecture: source i386 all
Version: 1.8.7-1
Distribution: unstable
Urgency: medium
Maintainer: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Changed-By: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Description:
libapache-mod-security - Tighten web applications security for Apache 1.x
libapache2-mod-security - Tighten web applications security for Apache 2.x
mod-security-common - Tighten web applications security - common files
Closes: 285365 304195 304196 304445
Changes:
libapache-mod-security (1.8.7-1) unstable; urgency=medium
.
* New upstream release. (Closes: #285365)
* Fixes several security issues, thus the urgency.
* Set proper permissions on test suite scripts (Closes: #304195)
* Corrected minor typo in README.Debian (Closes: #304196)
* debian/control: Reworded packages descriptions to be more useful.
(Closes: #304445)
Files:
9994f76cc940e537a07d6aa5a4c1eb90 737 web optional
libapache-mod-security_1.8.7-1.dsc
a92738b9c128ecf8f462daad4b5b9261 313029 web optional
libapache-mod-security_1.8.7.orig.tar.gz
9e0b309aa7b2aa90407a33c1ebcd9bf7 7422 web optional
libapache-mod-security_1.8.7-1.diff.gz
9ef05026073e5d7d9f77b6da40b6bd99 239666 web optional
mod-security-common_1.8.7-1_all.deb
b6b22714eb83698418aa3a0162f5d5b1 27406 web optional
libapache-mod-security_1.8.7-1_i386.deb
31a644bf7bdc5adfefc4bda11f72f5a8 34424 web optional
libapache2-mod-security_1.8.7-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCXOLnxRSvjkukAcMRAgd6AJ4zOjgPN9s9AXHm5CRi/FGSh/49GACg14BZ
ZYg2J+EhXXH9ieBaXMBwc6w=
=AxqK
-----END PGP SIGNATURE-----