
Bug#549704: pu: package apache2/2.2.9-10+lenny5



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

please review apache2/2.2.9-10+lenny5 for inclusion in
5.0.4. It fixes minor security issues and some other bugs.
Here is the changelog:

apache2 (2.2.9-10+lenny5) stable; urgency=low

  * Minor security fixes in mod_proxy_ftp (closes: #545951):
    - DoS by malicious ftp server (CVE-2009-3094)
    - missing input sanitization: a user could execute arbitrary ftp commands
      on the backend ftp server (CVE-2009-3095)
  * Fix segfault in legacy ap_r* API which is triggered more often since
    the fix for CVE-2009-1891 was applied (closes: #537665).
  * Take care to not override existing index.shtml files when upgrading from
    before 2.2.8-1 (closes: #517089).
  * mod_deflate: Fix invalid etag to be emitted for on-the-fly gzip
    content-encoding. This prevented apache from sending "304 NOT MODIFIED"
    responses for compressed content.
  * mod_rewrite: Fix "B" flag breakage (closes: #524268)
  * Properly declare that apache2-suexec* replace files in old versions of
    apache2.2-common (closes: #528951).
  * Remove other_vhosts_access.log on package purge.

 -- Stefan Fritsch <sf@debian.org>  Mon, 05 Oct 2009 19:07:08 +0200

Full debdiff is at:
http://people.debian.org/~sf/2.2.9-10+lenny5/debdiff

Thanks in advance.

Cheers,
Stefan


