Hi stable release managers, please review apache2 2.2.3-4+etch4 for inclusion in etch r3. Here is the changelog: apache2 (2.2.3-4+etch4) stable; urgency=low * Fix various cross site scripting vulnerabilities with browsers that do not conform to RFC 2616: Apache now adds explicit ContentType and Charset headers to the output of various modules, even if AddDefaultCharset is commented out. This includes directory indexes generated by mod_autoindex and mod_proxy_ftp. Backport the charset and type IndexOptions, and the ProxyFtpDirCharset directive. These allow to specify the character set that is sent with the generated directory indexes. (CVE-2007-4465, CVE-2008-0005, closes: #453783) * Reduce memory usage of chunk filter and ap_rwrite/ap_rflush (Closes: #399776, #421557) * More minor security fixes: - XSS in mod_imagemap (CVE-2007-5000) - XSS in mod_proxy_balancer's balancer manager (CVE-2007-6421) - XSS in HTTP method in 413 error message (CVE-2007-6203) - possible crash in mod_proxy_balancer's balancer manager (CVE-2007-6422) * Fix mod_proxy_balancer configuration file parsing (closes: #453630). * Don't ship NEWS.Debian with apache2-utils as it affects only the server. Remove bogus reference to 2.2.3-5 from README.Debian, and add note about MSIE SSL workaround. The full debdiff is at http://people.debian.org/~sf/apache2_2.2.3-4+etch4.debdiff Unfortunately the fix for CVE-2007-4465 and CVE-2008-0005 needs to introduce new config directives (otherwise there would be regressions). Therefore, and because of the corresponding documentation updates, the diff is quite large. In order for the behaviour in the default configuration to stay the same, I updated apache2.conf and proxy.conf. Not doing so would change the behaviour for people who use non-ASCII filenames. If you think that would be better than forcing all people to merge the changed apache2.conf, I could remove that change. I am not quite sure which option is better. Thanks in advance. Cheers, Stefan
Description: This is a digitally signed message part.