
Bug#381848: marked as done (apache2: NMU - Patch)



Your message dated Sat, 07 Oct 2006 12:15:37 +0200
with message-id <87lkns2zzq.fsf@thosu.err.no>
and subject line Ack-ed
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: apache2
Version: 2.0.55-4
Severity: normal

  This is the patch I used for the recent NMU of Apache2.

Steve
-- 
 
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-k7
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork           2.0.55-4   traditional model for Apache2

apache2 recommends no packages.

-- no debconf information
diff -u apache2-2.0.55/debian/rules apache2-2.0.55/debian/rules
--- apache2-2.0.55/debian/rules
+++ apache2-2.0.55/debian/rules
@@ -220,6 +220,7 @@
 	ln -s rotatelogs debian/apache2-utils/usr/sbin/rotatelogs2
 
 #apache2-common stuff
+	cp debian/bash_completion debian/apache2-common/etc/bash_completion.d/apache2-common
 	mv debian/apache2-mpm-worker/usr/share/apache2/icons/* debian/apache2-common/usr/share/apache2/icons/
 	mv debian/apache2-mpm-worker/usr/share/apache2/error/* debian/apache2-common/usr/share/apache2/error/
 	mv debian/apache2-mpm-worker/usr/sbin/apachectl debian/apache2-common/usr/sbin/apache2ctl
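Review bot: The added `cp debian/bash_completion ...` line leaves the installed file's mode dependent on the source file's mode and the build umask. Files under etc/bash_completion.d are sourced by interactive shells, so an explicit mode is safer: `install -m 644 debian/bash_completion debian/apache2-common/etc/bash_completion.d/apache2-common`. A later permission-normalising step may exist elsewhere in debian/rules, which is outside this hunk.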
diff -u apache2-2.0.55/debian/changelog apache2-2.0.55/debian/changelog
--- apache2-2.0.55/debian/changelog
+++ apache2-2.0.55/debian/changelog
@@ -1,3 +1,20 @@
+apache2 (2.0.55-4.1) unstable; urgency=high
+
+  * Non-maintainer upload.  Urgency set to high due to security fixes.
+  * Added '052_mod_rewrite_CVE-2006-3747' to fix the off-by-one bug in
+    mod_rewrite.
+    [CVE-2006-3747].  (Closes: #380182)
+  * Added '053_restore_prefix_fix' to allow rebuilding from source.
+    (Closes: #374160)
+  * Added '054_apr_sendfile' to allow building for Hurd.
+    (Closes: #349416)
+  * Added '055_expect_CVE-2006-3918' to fix XSS attack in Expect headers.
+    [CVE-2006-3918].  (Closes: #381376)
+  * Added bash-completion script from Guillaume Rousse.
+    (Closes: #299855)
+
+ -- Steve Kemp <skx@debian.org>  Sat, 5 Aug 2006 21:35:53 +0000
+
 apache2 (2.0.55-4) unstable; urgency=low
 
   * Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
diff -u apache2-2.0.55/debian/apache2-common.dirs apache2-2.0.55/debian/apache2-common.dirs
--- apache2-2.0.55/debian/apache2-common.dirs
+++ apache2-2.0.55/debian/apache2-common.dirs
@@ -5,6 +5,7 @@
 etc/apache2/mods-enabled
 etc/apache2/mods-available
 etc/apache2/conf.d
+etc/bash_completion.d/
 usr/bin
 usr/lib
 usr/lib/apache2
only in patch2:
unchanged:
--- apache2-2.0.55.orig/debian/bash_completion
+++ apache2-2.0.55/debian/bash_completion
@@ -0,0 +1,54 @@
+# bash completion for Debian apache2 configuration tools
+# $Id: apache2,v 1.1 2005/03/16 22:51:19 guillaume Exp $
+
+_apache2_modsites()
+{
+	COMPREPLY=( $( compgen -W '$( command ls /etc/apache2/$1 2>/dev/null \
+		| sed -e 's/\.load//' -e 's/\.conf//' )' -- $cur  ) )
+}
+
+_a2enmod()
+{
+	local cur
+
+	COMPREPLY=()
+	cur=${COMP_WORDS[COMP_CWORD]}
+
+	_apache2_modsites mods-available
+}
+complete -F _a2enmod a2enmod
+
+_a2ensite()
+{
+	local cur
+
+	COMPREPLY=()
+	cur=${COMP_WORDS[COMP_CWORD]}
+
+	_apache2_modsites sites-available
+
+}
+complete -F _a2ensite a2ensite
+
+_a2dismod()
+{
+	local cur
+
+	COMPREPLY=()
+	cur=${COMP_WORDS[COMP_CWORD]}
+
+	_apache2_modsites mods-enabled
+}
+complete -F _a2dismod a2dismod
+
+_a2dissite()
+{
+	local cur
+
+	COMPREPLY=()
+	cur=${COMP_WORDS[COMP_CWORD]}
+
+	_apache2_modsites sites-enabled
+
+}
+complete -F _a2dissite a2dissite
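Review bot: In `_apache2_modsites`, `-- $cur` is unquoted, so the word being completed undergoes word splitting and pathname expansion before compgen sees it; write `-- "$cur"`. The helper also reads `cur` from its caller through dynamic scoping, which deserves a comment such as `# uses $cur set by the calling completion function`. The sed expressions are unanchored, so `s/\.load//` and `s/\.conf//` strip the first match anywhere in a name and are applied to the sites-* directories as well; `-e 's/\.load$//' -e 's/\.conf$//'` limits them to the suffix.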
only in patch2:
unchanged:
--- apache2-2.0.55.orig/debian/patches/052_mod_rewrite_CVE-2006-3747
+++ apache2-2.0.55/debian/patches/052_mod_rewrite_CVE-2006-3747
@@ -0,0 +1,11 @@
+--- build-tree.orig/apache2/modules/mappers/mod_rewrite.c       2006-07-28 08:16:53.000000000 +0000
++++ build-tree/apache2/modules/mappers/mod_rewrite.c    2006-07-28 08:16:59.000000000 +0000
+@@ -2906,7 +2906,7 @@
+             int c = 0;
+
+             token[0] = cp = apr_pstrdup(p, cp);
+-            while (*cp && c < 5) {
++            while (*cp && c < 4) {
+                 if (*cp == '?') {
+                     token[++c] = cp + 1;
+                     *cp = '\0';
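Review bot: The new bound `c < 4` is a bare constant whose correctness depends on the size of `token[]`, which is declared outside this hunk. The loop body writes `token[++c]`, so the highest index written is now 4, which presumably matches a five-element array. Tying the bound to the array would keep the two from drifting apart again, e.g. `while (*cp && c < (int)(sizeof(token) / sizeof(token[0])) - 1) {`, provided `token` is a true array at this point. At minimum, once the declaration is confirmed, add a comment above the loop such as `/* ++c must stay within token[]; see its declaration */`. The enclosing function starts and ends outside the hunk.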
only in patch2:
unchanged:
--- apache2-2.0.55.orig/debian/patches/053_restore_prefix_fix
+++ apache2-2.0.55/debian/patches/053_restore_prefix_fix
@@ -0,0 +1,33 @@
+--- build-tree/apache2/build/apr_common.m4
++++ build-tree/apache2/build/apr_common.m4
+@@ -827,6 +827,8 @@
+ dnl used here to allow us to co-exist layouts and argument based
+ dnl set ups.
+ AC_DEFUN(APR_PARSE_ARGUMENTS,[
++eval "set x $ac_configure_args"
++shift
+ ac_prev=
+ for ac_option
+ do
+--- build-tree/apache2/srclib/apr/build/apr_common.m4
++++ build-tree/apache2/srclib/apr/build/apr_common.m4
+@@ -827,6 +827,8 @@
+ dnl used here to allow us to co-exist layouts and argument based
+ dnl set ups.
+ AC_DEFUN(APR_PARSE_ARGUMENTS,[
++eval "set x $ac_configure_args"
++shift
+ ac_prev=
+ for ac_option
+ do
+--- build-tree/apache2/srclib/apr-util/build/apr_common.m4
++++ build-tree/apache2/srclib/apr-util/build/apr_common.m4
+@@ -827,6 +827,8 @@
+ dnl used here to allow us to co-exist layouts and argument based
+ dnl set ups.
+ AC_DEFUN(APR_PARSE_ARGUMENTS,[
++eval "set $ac_configure_args"
++shift
+ ac_prev=
+ for ac_option
+ do
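Review bot: The third apr_common.m4 copy (srclib/apr-util) adds `eval "set $ac_configure_args"` without the `x` placeholder that the other two copies use, yet it is still followed by `shift`. Without the placeholder, the `shift` discards the first real configure argument, and a value starting with `-` is parsed by `set` as its own options. The line should read `eval "set x $ac_configure_args"` like the others. Separately, `eval` re-parses `$ac_configure_args`, so all three copies rely on each argument having been shell-quoted when that variable was built, which is not visible here.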
only in patch2:
unchanged:
--- apache2-2.0.55.orig/debian/patches/054_apr_sendfile
+++ apache2-2.0.55/debian/patches/054_apr_sendfile
@@ -0,0 +1,11 @@
+--- build-tree.old/apache2/srclib/apr/network_io/unix/sendrecv.c	2005-03-28 22:21:19.000000000 +0200
++++ build-tree/apache2/srclib/apr/network_io/unix/sendrecv.c	2005-03-28 22:22:11.000000000 +0200
+@@ -239,7 +239,7 @@
+ /* Define a structure to pass in when we have a NULL header value */
+ static apr_hdtr_t no_hdtr;
+ 
+-#if defined(__linux__) && defined(HAVE_WRITEV)
++#if (defined(__linux__) || defined(__GNU__)) && defined(HAVE_WRITEV)
+ 
+ apr_status_t apr_socket_sendfile(apr_socket_t *sock, apr_file_t *file,
+                                  apr_hdtr_t *hdtr, apr_off_t *offset,
only in patch2:
unchanged:
--- apache2-2.0.55.orig/debian/patches/055_expect_CVE-2006-3918
+++ apache2-2.0.55/debian/patches/055_expect_CVE-2006-3918
@@ -0,0 +1,11 @@
+--- build-tree.orig/apache2/modules/http/http_protocol.c	2006/04/18 15:17:22	394964
++++ build-tree.orig/apache2/modules/http/http_protocol.c	2006/04/18 15:30:13	394965
+@@ -996,7 +996,7 @@
+                            "request-header"
+                            "\nfield could not be met by this server.</p>\n"
+                            "<p>The client sent<pre>\n    Expect: ",
+-                           apr_table_get(r->headers_in, "Expect"),
++                           ap_escape_html(r->pool, apr_table_get(r->headers_in, "Expect")),
+                            "\n</pre>\n"
+                            "but we only allow the 100-continue "
+                            "expectation.</p>\n",
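Review bot: `apr_table_get(r->headers_in, "Expect")` can return NULL when the header is absent, and the result is now passed straight to `ap_escape_html`, whereas before it was only one string argument in the list. Whether this branch can be reached without an Expect header depends on code outside the hunk. Either guard it with `const char *expect = apr_table_get(r->headers_in, "Expect");` and pass `expect ? ap_escape_html(r->pool, expect) : ""`, or add a comment stating why the header is guaranteed to be present. The enclosing function starts and ends outside the hunk.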

--- End Message ---
--- Begin Message ---
Version: 2.2.3-1

Thanks for your NMU; acked.

-- 
Tollef Fog Heen                                                        ,''`.
UNIX is user friendly, it's just picky about who its friends are      : :' :
                                                                      `. `' 
                                                                        `-  

--- End Message ---
