[Bug 255124] Re: apache's default logging format can be horribly inaccurate in terms of data transferred

Launchpad Bug Tracker 255124 at bugs.launchpad.net
Wed Aug 5 12:45:06 BST 2009 

This bug was fixed in the package apache2 - 2.2.12-1ubuntu1

---------------
apache2 (2.2.12-1ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes:
    - debian/{control,rules}: enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
    - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.

apache2 (2.2.12-1) unstable; urgency=low

  * New upstream release:
    - Adds support for TLS Server Name Indication (closes: #461917 LP: #184131).
      (The Debian default configuration will be changed to use SNI in a later
      version.)
    - Fixes timefmt config in SSI (closes: #363964).
    - mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
      to enable stricter checking of remote server certificates.
  * Make mod_deflate not compress the content for HEAD requests. This is a
    similar issue as CVE-2009-1891.
  * Enable hardening compile options.
  * Switch default LogFormat from %b (size of file sent) to %O (bytes actually
    sent) (closes: #272476 LP: #255124)
  * Add the default LANG=C to /etc/apache2/envvars and document it in
    README.Debian (closes: #511878).
  * Enable localized error pages by default if the necessary modules are
    loaded. Move the config for it from apache2.conf to
    /etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the
    required order of the aliases in the comment (closes: #196795).
  * Change default for ServerTokens to 'OS', to not announce the exact module
    versions to the world (LP: #205996)
  * Make a2ensite and friends ignore the same filenames as apache does for
    included config files, even if LANG is not C.
  * Merge source packages apache2 and apache2-mpm-itk (current itk version is
    2.2.11-02). This removes the binNMU mess necessary for every apache2 upload
    (closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src
    package, which is no longer necessary.
  * Ship our own version of the magic config file (taken from file 4.17-5etch3)
    which is still compatible with mod_mime_magic (closes: #483111).
  * Add ThreadLimit to the default config and put ThreadsPerChild and
    MaxClients into the correct order so that Apache does not complain
    (closes: #495656).
    Also add a configuration block for the event MPM in apache2.conf.
  * Fix HTTP PUT with mod_dav failing to detect an aborted connection
    (closes: #451563).
  * Change references to httpd.conf in apache2-doc to apache2.conf
    (closes: #465393).
  * Clarify the recommended permissions for SSL certificates in README.Debian
    (closes: #512778).
  * Document in README.Debian how to name files in conf.d to avoid conflicts
    with packages (closes: #493252)
  * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
  * Remove other_vhosts_access.log on package purge.

 -- Chuck Short <zulcss at ubuntu.com>   Tue, 04 Aug 2009 20:04:24 +0100

** Changed in: apache2 (Ubuntu)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2009-1891

-- 
apache's default logging format can be horribly inaccurate in terms of data transferred
https://bugs.launchpad.net/bugs/255124
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in ubuntu.

More information about the Ubuntu-server-bugs mailing list