[ubuntu/dapper-security] apache2 2.0.55-4ubuntu2.9 (Accepted)
Ubuntu Installer
archive at ubuntu.com
Thu Nov 19 00:05:35 GMT 2009
apache2 (2.0.55-4ubuntu2.9) dapper-security; urgency=low
* SECURITY UPDATE: Reject client-initiated SSL/TLS renegotiations.
Partial fix for CVE-2009-3555. Configurations requiring renegotiation
of per-directory/location access controls are still affected until
OpenSSL is updated.
- debian/patches/115_CVE-2009-3555.patch: disable all client
renegotiations
- based on http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
- CVE-2009-3555
* SECURITY UPDATE: fix NULL pointer dereference in mod_proxy_ftp module
- debian/patches/116-CVE-2009-3094.patch: fix NULL pointer dereference
in mod_proxy_ftp.c/apr_socket_close() and potential buffer overread
in EPSV response parser
- based on http://svn.apache.org/viewvc?revision=814652&view=revision
- CVE-2009-3094
* SECURITY UPDATE: fix access control bypass in mod_proxy_ftp when
configured as a reverse proxy
- debian/patches/117-CVE-2009-3095.patch: adjust proxy_ftp_handler()
in mod_proxy_ftp.c to fail if the decoded Basic credentials contain
special characters.
- based on http://svn.apache.org/viewvc?revision=814045&view=revision
- CVE-2009-3095
Date: Thu, 12 Nov 2009 15:45:14 -0600
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Maintainer: Debian Apache Maintainers <debian-apache at lists.debian.org>
https://launchpad.net/ubuntu/dapper/+source/apache2/2.0.55-4ubuntu2.9
-------------- next part --------------
Format: 1.7
Date: Thu, 12 Nov 2009 15:45:14 -0600
Source: apache2
Binary: apache2-utils apache2 apache2-prefork-dev apache2-mpm-prefork apache2-doc libapr0-dev apache2-mpm-worker libapr0 apache2-threaded-dev apache2-common apache2-mpm-perchild
Architecture: source
Version: 2.0.55-4ubuntu2.9
Distribution: dapper-security
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache at lists.debian.org>
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Description:
apache2 - next generation, scalable, extendable web server
apache2-common - next generation, scalable, extendable web server
apache2-doc - documentation for apache2
apache2-mpm-perchild - experimental high speed perchild threaded model for Apache2
apache2-mpm-prefork - traditional model for Apache2
apache2-mpm-worker - high speed threaded model for Apache2
apache2-prefork-dev - development headers for apache2
apache2-threaded-dev - development headers for apache2
apache2-utils - utility programs for webservers
libapr0 - the Apache Portable Runtime
libapr0-dev - development headers for libapr
Changes:
apache2 (2.0.55-4ubuntu2.9) dapper-security; urgency=low
.
* SECURITY UPDATE: Reject client-initiated SSL/TLS renegotiations.
Partial fix for CVE-2009-3555. Configurations requiring renegotiation
of per-directory/location access controls are still affected until
OpenSSL is updated.
- debian/patches/115_CVE-2009-3555.patch: disable all client
renegotiations
- based on http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
- CVE-2009-3555
* SECURITY UPDATE: fix NULL pointer dereference in mod_proxy_ftp module
- debian/patches/116-CVE-2009-3094.patch: fix NULL pointer dereference
in mod_proxy_ftp.c/apr_socket_close() and potential buffer overread
in EPSV response parser
- based on http://svn.apache.org/viewvc?revision=814652&view=revision
- CVE-2009-3094
* SECURITY UPDATE: fix access control bypass in mod_proxy_ftp when
configured as a reverse proxy
- debian/patches/117-CVE-2009-3095.patch: adjust proxy_ftp_handler()
in mod_proxy_ftp.c to fail if the decoded Basic credentials contain
special characters.
- based on http://svn.apache.org/viewvc?revision=814045&view=revision
- CVE-2009-3095
Files:
a6d575c4c0ef0ef9c4c77e7f6ddfb02d 1156 net optional apache2_2.0.55-4ubuntu2.9.dsc
5d172b0ca228238e211940fad6b0935d 130638 net optional apache2_2.0.55-4ubuntu2.9.diff.gz
More information about the dapper-changes
mailing list