
[SRM] Please review apache2_2.2.3-4+etch4



Hi stable release managers,

please review apache2 2.2.3-4+etch4 for inclusion in etch r3.
Here is the changelog:

apache2 (2.2.3-4+etch4) stable; urgency=low

  * Fix various cross site scripting vulnerabilities with browsers that
    do not conform to RFC 2616: Apache now adds explicit ContentType and
    Charset headers to the output of various modules, even if AddDefaultCharset
    is commented out. This includes directory indexes generated by
    mod_autoindex and mod_proxy_ftp.
    Backport the charset and type IndexOptions, and the ProxyFtpDirCharset
    directive. These allow specifying the character set that is sent with the
    generated directory indexes. (CVE-2007-4465, CVE-2008-0005,
    closes: #453783)
  * Reduce memory usage of chunk filter and ap_rwrite/ap_rflush
    (Closes: #399776, #421557)
  * More minor security fixes:
    - XSS in mod_imagemap (CVE-2007-5000)
    - XSS in mod_proxy_balancer's balancer manager (CVE-2007-6421)
    - XSS in HTTP method in 413 error message (CVE-2007-6203)
    - possible crash in mod_proxy_balancer's balancer manager (CVE-2007-6422)
  * Fix mod_proxy_balancer configuration file parsing (closes: #453630).
  * Don't ship NEWS.Debian with apache2-utils as it affects only the server.
    Remove bogus reference to 2.2.3-5 from README.Debian, and add note about
    MSIE SSL workaround.

The full debdiff is at
http://people.debian.org/~sf/apache2_2.2.3-4+etch4.debdiff

Unfortunately the fix for CVE-2007-4465 and CVE-2008-0005 needs
to introduce new config directives (otherwise there would be
regressions). Therefore, and because of the corresponding
documentation updates, the diff is quite large.

In order for the behaviour in the default configuration to stay
the same, I updated apache2.conf and proxy.conf. Not doing so
would change the behaviour for people who use non-ASCII filenames.
If you think that would be better than forcing all people to merge
the changed apache2.conf, I could remove that change. I am not
quite sure which option is better.


Thanks in advance.

Cheers,
Stefan

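The core of the CVE-2007-4465 / CVE-2008-0005 fix described above is that generated HTML (mod_autoindex and mod_proxy_ftp directory listings) is now sent with an explicit Content-Type and charset, so a browser that does not follow RFC 2616 cannot guess an encoding in which a crafted filename becomes script. The following audit script is an added example, not part of Stefan's mail or of the Debian apache2 package: it parses raw HTTP response heads and flags text or XHTML responses that omit a charset parameter, which is the on-the-wire condition an administrator would check after deploying the updated apache2.conf and proxy.conf (or after setting the IndexOptions Charset= and ProxyFtpDirCharset directives the changelog names). The sample responses are constructed for illustration; the header parsing is deliberately minimal and handles only the quoting and case variants shown.

```python
"""Flag text responses that leave the character set for the browser to guess.

Added example, not code from the Debian mail or the apache2 package.
The sample response heads below are constructed for illustration.
"""

# Media types a browser renders as markup or text. Without an explicit
# charset parameter on these, the client may sniff the encoding, which is
# the condition behind the directory-index XSS the changelog describes.
def needs_charset(media_type: str) -> bool:
    return media_type.startswith("text/") or media_type == "application/xhtml+xml"


def parse_head(raw: str):
    """Return (status_line, {lower-cased header name: value}) from a response head."""
    lines = raw.strip().splitlines()
    status = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def content_type_charset(value: str):
    """Split a Content-Type value into (media_type, charset or None)."""
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    charset = None
    for param in parts[1:]:
        key, _, val = param.partition("=")
        if key.strip().lower() == "charset":
            charset = val.strip().strip('"').lower()
    return media_type, charset


def audit(raw: str):
    """Return a finding string, or None when the response declares its charset."""
    _, headers = parse_head(raw)
    content_type = headers.get("content-type")
    if content_type is None:
        return "no Content-Type header"
    media_type, charset = content_type_charset(content_type)
    if needs_charset(media_type) and charset is None:
        return f"{media_type} without explicit charset"
    return None


# Constructed sample: a directory listing with the charset left unspecified.
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.2.3 (Debian)
Content-Type: text/html

"""

# Constructed sample: the same listing once the server sends the charset.
AFTER = """HTTP/1.1 200 OK
Server: Apache/2.2.3 (Debian)
Content-Type: text/html;charset=UTF-8

"""

# Constructed sample: a binary response, where no charset is expected.
BINARY = """HTTP/1.1 200 OK
Content-Type: image/png

"""


if __name__ == "__main__":
    for label, head in (("before", BEFORE), ("after", AFTER), ("binary", BINARY)):
        print(f"{label}: {audit(head) or 'ok'}")
```

Run it against captured response heads (for example the head of a request to a directory URL, or a proxied FTP listing) rather than the constructed samples to confirm the package's default configuration produces the `after` shape for every generated index.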