Bug#381848: apache2: NMU - Patch

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#381848: apache2: NMU - Patch
From: Steve Kemp <skx@debian.org>
Date: Mon, 7 Aug 2006 12:22:41 +0100
Message-id: <[🔎] 20060807112241.GA16806@steve.org.uk>
Reply-to: Steve Kemp <skx@debian.org>, 381848@bugs.debian.org

Package: apache2
Version: 2.0.55-4
Severity: normal

  This is the patch I used for the recent NMU of Apache2.

Steve
-- 
 
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-k7
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork           2.0.55-4   traditional model for Apache2

apache2 recommends no packages.

-- no debconf information

diff -u apache2-2.0.55/debian/rules apache2-2.0.55/debian/rules
--- apache2-2.0.55/debian/rules
+++ apache2-2.0.55/debian/rules
@@ -220,6 +220,7 @@
 	ln -s rotatelogs debian/apache2-utils/usr/sbin/rotatelogs2
 
 #apache2-common stuff
+	cp debian/bash_completion debian/apache2-common/etc/bash_completion.d/apache2-common
 	mv debian/apache2-mpm-worker/usr/share/apache2/icons/* debian/apache2-common/usr/share/apache2/icons/
 	mv debian/apache2-mpm-worker/usr/share/apache2/error/* debian/apache2-common/usr/share/apache2/error/
 	mv debian/apache2-mpm-worker/usr/sbin/apachectl debian/apache2-common/usr/sbin/apache2ctl
diff -u apache2-2.0.55/debian/changelog apache2-2.0.55/debian/changelog
--- apache2-2.0.55/debian/changelog
+++ apache2-2.0.55/debian/changelog
@@ -1,3 +1,20 @@
+apache2 (2.0.55-4.1) unstable; urgency=high
+
+  * Non-maintainer upload.  Urgency set to high due to security fixes.
+  * Added '052_mod_rewrite_CVE-2006-3747' to fix the off-by-one bug in
+    mod_rewrite.
+    [CVE-2006-3747].  (Closes: #380182)
+  * Added '053_restore_prefix_fix' to allow rebuilding from source.
+    (Closes: #374160)
+  * Added '054_apr_sendfile' to allow building for Hurd.
+    (Closes: #349416)
+  * Added '055_expect_CVE-2006-3918' to fix XSS attack in Expect headers.
+    [CVE-2006-3918].  (Closes: #381376)
+  * Added bash-completion script from Guillaume Rousse.
+    (Closes: #299855)
+
+ -- Steve Kemp <skx@debian.org>  Sat, 5 Aug 2006 21:35:53 +0000
+
 apache2 (2.0.55-4) unstable; urgency=low
 
   * Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
diff -u apache2-2.0.55/debian/apache2-common.dirs apache2-2.0.55/debian/apache2-common.dirs
--- apache2-2.0.55/debian/apache2-common.dirs
+++ apache2-2.0.55/debian/apache2-common.dirs
@@ -5,6 +5,7 @@
 etc/apache2/mods-enabled
 etc/apache2/mods-available
 etc/apache2/conf.d
+etc/bash_completion.d/
 usr/bin
 usr/lib
 usr/lib/apache2
only in patch2:
unchanged:
--- apache2-2.0.55.orig/debian/bash_completion
+++ apache2-2.0.55/debian/bash_completion
@@ -0,0 +1,54 @@
+# bash completion for Debian apache2 configuration tools
+# $Id: apache2,v 1.1 2005/03/16 22:51:19 guillaume Exp $
+
+_apache2_modsites()
+{
+	COMPREPLY=( $( compgen -W '$( command ls /etc/apache2/$1 2>/dev/null \
+		| sed -e 's/\.load//' -e 's/\.conf//' )' -- $cur  ) )
+}
+
+_a2enmod()
+{
+	local cur
+
+	COMPREPLY=()
+	cur=${COMP_WORDS[COMP_CWORD]}
+
+	_apache2_modsites mods-available
+}
+complete -F _a2enmod a2enmod
+
+_a2ensite()
+{
+	local cur
+
+	COMPREPLY=()
+	cur=${COMP_WORDS[COMP_CWORD]}
+
+	_apache2_modsites sites-available
+
+}
+complete -F _a2ensite a2ensite
+
+_a2dismod()
+{
+	local cur
+
+	COMPREPLY=()
+	cur=${COMP_WORDS[COMP_CWORD]}
+
+	_apache2_modsites mods-enabled
+}
+complete -F _a2dismod a2dismod
+
+_a2dissite()
+{
+	local cur
+
+	COMPREPLY=()
+	cur=${COMP_WORDS[COMP_CWORD]}
+
+	_apache2_modsites sites-enabled
+
+}
+complete -F _a2dissite a2dissite
only in patch2:
unchanged:
--- apache2-2.0.55.orig/debian/patches/052_mod_rewrite_CVE-2006-3747
+++ apache2-2.0.55/debian/patches/052_mod_rewrite_CVE-2006-3747
@@ -0,0 +1,11 @@
+--- build-tree.orig/apache2/modules/mappers/mod_rewrite.c       2006-07-28 08:16:53.000000000 +0000
++++ build-tree/apache2/modules/mappers/mod_rewrite.c    2006-07-28 08:16:59.000000000 +0000
+@@ -2906,7 +2906,7 @@
+             int c = 0;
+
+             token[0] = cp = apr_pstrdup(p, cp);
+-            while (*cp && c < 5) {
++            while (*cp && c < 4) {
+                 if (*cp == '?') {
+                     token[++c] = cp + 1;
+                     *cp = '\0';
only in patch2:
unchanged:
--- apache2-2.0.55.orig/debian/patches/053_restore_prefix_fix
+++ apache2-2.0.55/debian/patches/053_restore_prefix_fix
@@ -0,0 +1,33 @@
+--- build-tree/apache2/build/apr_common.m4
++++ build-tree/apache2/build/apr_common.m4
+@@ -827,6 +827,8 @@
+ dnl used here to allow us to co-exist layouts and argument based
+ dnl set ups.
+ AC_DEFUN(APR_PARSE_ARGUMENTS,[
++eval "set x $ac_configure_args"
++shift
+ ac_prev=
+ for ac_option
+ do
+--- build-tree/apache2/srclib/apr/build/apr_common.m4
++++ build-tree/apache2/srclib/apr/build/apr_common.m4
+@@ -827,6 +827,8 @@
+ dnl used here to allow us to co-exist layouts and argument based
+ dnl set ups.
+ AC_DEFUN(APR_PARSE_ARGUMENTS,[
++eval "set x $ac_configure_args"
++shift
+ ac_prev=
+ for ac_option
+ do
+--- build-tree/apache2/srclib/apr-util/build/apr_common.m4
++++ build-tree/apache2/srclib/apr-util/build/apr_common.m4
+@@ -827,6 +827,8 @@
+ dnl used here to allow us to co-exist layouts and argument based
+ dnl set ups.
+ AC_DEFUN(APR_PARSE_ARGUMENTS,[
++eval "set $ac_configure_args"
++shift
+ ac_prev=
+ for ac_option
+ do
only in patch2:
unchanged:
--- apache2-2.0.55.orig/debian/patches/054_apr_sendfile
+++ apache2-2.0.55/debian/patches/054_apr_sendfile
@@ -0,0 +1,11 @@
+--- build-tree.old/apache2/srclib/apr/network_io/unix/sendrecv.c	2005-03-28 22:21:19.000000000 +0200
++++ build-tree/apache2/srclib/apr/network_io/unix/sendrecv.c	2005-03-28 22:22:11.000000000 +0200
+@@ -239,7 +239,7 @@
+ /* Define a structure to pass in when we have a NULL header value */
+ static apr_hdtr_t no_hdtr;
+ 
+-#if defined(__linux__) && defined(HAVE_WRITEV)
++#if (defined(__linux__) || defined(__GNU__)) && defined(HAVE_WRITEV)
+ 
+ apr_status_t apr_socket_sendfile(apr_socket_t *sock, apr_file_t *file,
+                                  apr_hdtr_t *hdtr, apr_off_t *offset,
only in patch2:
unchanged:
--- apache2-2.0.55.orig/debian/patches/055_expect_CVE-2006-3918
+++ apache2-2.0.55/debian/patches/055_expect_CVE-2006-3918
@@ -0,0 +1,11 @@
+--- build-tree.orig/apache2/modules/http/http_protocol.c	2006/04/18 15:17:22	394964
++++ build-tree.orig/apache2/modules/http/http_protocol.c	2006/04/18 15:30:13	394965
+@@ -996,7 +996,7 @@
+                            "request-header"
+                            "\nfield could not be met by this server.</p>\n"
+                            "<p>The client sent<pre>\n    Expect: ",
+-                           apr_table_get(r->headers_in, "Expect"),
++                           ap_escape_html(r->pool, apr_table_get(r->headers_in, "Expect")),
+                            "\n</pre>\n"
+                            "but we only allow the 100-continue "
+                            "expectation.</p>\n",

Reply to:

Prev by Date: Bug#358543: Apache Installation Fix
Next by Date: Stellen Sie sich vor: Ich stelle mich vor!
Previous by thread: promotes
Next by thread: Stellen Sie sich vor: Ich stelle mich vor!
Index(es):
- Date
- Thread