Hi stable release managers,
please review apache2 2.2.3-4+etch4 for inclusion in etch r3.
Here is the changelog:
apache2 (2.2.3-4+etch4) stable; urgency=low

  * Fix various cross-site scripting vulnerabilities with browsers that
    do not conform to RFC 2616: Apache now adds explicit Content-Type and
    Charset headers to the output of various modules, even if AddDefaultCharset
    is commented out. This includes directory indexes generated by
    mod_autoindex and mod_proxy_ftp.
    Backport the Charset and Type IndexOptions, and the ProxyFtpDirCharset
    directive. These allow specifying the character set that is sent with the
    generated directory indexes. (CVE-2007-4465, CVE-2008-0005,
    closes: #453783)
  * Reduce memory usage of chunk filter and ap_rwrite/ap_rflush
    (closes: #399776, #421557)
  * More minor security fixes:
    - XSS in mod_imagemap (CVE-2007-5000)
    - XSS in mod_proxy_balancer's balancer manager (CVE-2007-6421)
    - XSS in HTTP method in 413 error message (CVE-2007-6203)
    - possible crash in mod_proxy_balancer's balancer manager (CVE-2007-6422)
  * Fix mod_proxy_balancer configuration file parsing (closes: #453630).
  * Don't ship NEWS.Debian with apache2-utils as it affects only the server.
    Remove bogus reference to 2.2.3-5 from README.Debian, and add note about
    MSIE SSL workaround.
The full debdiff is at
http://people.debian.org/~sf/apache2_2.2.3-4+etch4.debdiff
Unfortunately the fix for CVE-2007-4465 and CVE-2008-0005 needs
to introduce new config directives (otherwise there would be
regressions). Therefore, and because of the corresponding
documentation updates, the diff is quite large.
In order for the behaviour in the default configuration to stay
the same, I updated apache2.conf and proxy.conf. Not doing so
would change the behaviour for people who use non-ASCII filenames.
If you think that would be better than forcing all people to merge
the changed apache2.conf, I could remove that change. I am not
quite sure which option is better.
Thanks in advance.
Cheers,
Stefan
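To show what the backported directives from the changelog look like in practice, here is an added configuration fragment. It is an illustration written for this page, not the apache2.conf or proxy.conf change the message refers to, and the directory path and the choice of UTF-8 are assumptions.

```apache
# Added illustration, not the Debian-shipped configuration.
#
# Before 2.2.3-4+etch4, with AddDefaultCharset commented out, the HTML
# listings generated by mod_autoindex and mod_proxy_ftp went out without a
# charset parameter on Content-Type, leaving non-conforming browsers to
# guess the encoding of the page (and of any attacker-chosen filenames in
# it). The backported directives let the administrator state it explicitly.

# AddDefaultCharset stays commented out, as in the stock configuration;
# the generated listings now carry a charset regardless.
# AddDefaultCharset ISO-8859-1

# Server-wide default for generated directory indexes: text/html, UTF-8.
# (UTF-8 is an assumption; choose the encoding your filenames actually use.
# Without Charset= the module's built-in default is ISO-8859-1.)
IndexOptions FancyIndexing Charset=UTF-8 Type=text/html

# Per-directory override for a tree whose filenames are Latin-1.
# Note: Charset= and Type= cannot be combined with the +/- prefixes, and an
# IndexOptions line without any +/- prefix replaces the inherited options
# rather than adding to them, so the full option list is repeated here.
<Directory /srv/www/legacy>
    Options +Indexes
    IndexOptions FancyIndexing Charset=ISO-8859-1 Type=text/html
</Directory>

# mod_proxy_ftp builds its own HTML listings for proxied ftp:// URLs.
# Declare the charset of those listings explicitly as well.
ProxyFtpDirCharset UTF-8
```

After reloading, `curl -I` against an indexed directory should show `Content-Type: text/html;charset=UTF-8` (or the charset chosen above) where an unqualified `text/html` was sent before the update.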