Hi,

please review apache2 2.2.3-4+etch2 for inclusion in etch r2. Here is the annotated changelog:

> apache2 (2.2.3-4+etch2) stable; urgency=low
>
>   * Security fixes:
>     - CVE-2006-5752: XSS in mod_status
>     - CVE-2007-1863: DoS in mod_cache
>     - CVE-2007-3304: parent process could be forced to kill other processes

Minor issues for which Moritz doesn't want to issue a DSA.

>   * Add /var/lock/apache2 owner fix to the init script, as /var/lock
>     may not persist across reboots. (Closes: #420101)

Can break mod_dav in a quite non-obvious way if /var/lock is on a tmpfs.

>   * Fix regression breaking /etc/init.d/apache2 when /bin/sh is not bash
>     (Closes: #430386)

RC, introduced in 2.2.3-4+etch1

>   * Only allow group www-data to execute suexec (Closes: #431048)

More a security precaution than a security issue

>   * Display warning when NO_START=1 even with VERBOSE=no, to avoid
>     confusion (Closes: #430116)

Can break apache2 in a quite non-obvious way. (AFAIK VERBOSE=yes was the default in sarge, see also #418499)

>   * Unbreak apache2-doc: Ship correct conf.d/apache2-doc and add note how
>     to read the docs in README.Debian (Closes: #285290)

apache2-doc is unusable without the config file (it cannot reasonably be viewed directly with a browser).

>   * NEWS.Debian: Add warning about new 2.2 config file syntax and point to
>     upgrading howto.

Add some parts from the release notes to the package's documentation.

>   * Ship /usr/lib/cgi-bin (Closes: #415698)

RC, breaks sqwebmail's postinst.

>
>  -- Stefan Fritsch <sf@debian.org>  Mon, 27 Aug 2007 22:45:02 +0200

The full debdiff output is at
http://www.sfritsch.de/~stf/apache2_2.2.3-4+etch2.debdiff

Thanks in advance.

Cheers,
Stefan