diff -u apache2-2.2.11/debian/rules apache2-2.2.11/debian/rules --- apache2-2.2.11/debian/rules +++ apache2-2.2.11/debian/rules @@ -3,6 +3,7 @@ # Code for httpd 2.1, based on apache2 and others. # Copyright (C) Canonical Ltd, 2005 +export DEB_BUILD_HARDENING=1 export DEB_BUILD_OPTIONS export DH_OPTIONS @@ -211,6 +212,7 @@ cp debian/bash_completion debian/apache2.2-common/etc/bash_completion.d/apache2.2-common install -m755 debian/apache2.2-common.bug.script debian/apache2.2-common/usr/share/bug/apache2.2-common/script install -m644 debian/apache2.2-common.bug.control debian/apache2.2-common/usr/share/bug/apache2.2-common/control + install -m644 debian/apache2.2-common.ufw.profile debian/apache2.2-common/etc/ufw/applications.d/apache2.2-common # standard suexec chmod 4754 debian/apache2-suexec/usr/lib/apache2/suexec diff -u apache2-2.2.11/debian/apache2.2-common.dirs apache2-2.2.11/debian/apache2.2-common.dirs --- apache2-2.2.11/debian/apache2.2-common.dirs +++ apache2-2.2.11/debian/apache2.2-common.dirs @@ -14,0 +15 @@ +etc/ufw/applications.d diff -u apache2-2.2.11/debian/changelog apache2-2.2.11/debian/changelog --- apache2-2.2.11/debian/changelog +++ apache2-2.2.11/debian/changelog @@ -1,3 +1,13 @@ +apache2 (2.2.11-7ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: LP: #398130 + - debian/patches/203_fix-ssl-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Bhavani Shankar Sat, 11 Jul 2009 16:34:32 +0530 + apache2 (2.2.11-7) unstable; urgency=low * Security fixes: 
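Review bot: The `export DEB_BUILD_HARDENING=1` line added at the top of debian/rules (first hunk, `@@ -3,6 +3,7 @@`) has no comment, and it only takes effect when hardening-wrapper is installed at build time, which the debian/control hunk adds to Build-Depends. The changelog calls this "PIE hardening", but as far as I know this switch enables the wrapper's whole default set rather than PIE alone, so the wording understates what changes in the binaries. The same rules file installs a setuid suexec (`chmod 4754`), so I would add `# Compile with hardening-wrapper defaults; requires hardening-wrapper in Build-Depends (debian/control)` above the export. It is also worth confirming that the built suexec and httpd binaries carry the expected protections before upload.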
@@ -12,6 +22,16 @@ -- Stefan Fritsch Fri, 10 Jul 2009 22:42:57 +0200 +apache2 (2.2.11-6ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/patches/203_fix-ssl-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Tue, 09 Jun 2009 01:01:23 +0100 + apache2 (2.2.11-6) unstable; urgency=high * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server @@ -20,6 +40,16 @@ -- Stefan Fritsch Mon, 08 Jun 2009 19:22:58 +0200 +apache2 (2.2.11-5ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/patches/203_fix-ssi-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Andrew Mitchell Wed, 03 Jun 2009 14:10:54 +1200 + apache2 (2.2.11-5) unstable; urgency=low * Move all binaries into a new package apache2.2-bin and make @@ -68,6 +98,16 @@ -- Stefan Fritsch Tue, 19 May 2009 22:55:27 +0200 +apache2 (2.2.11-3ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/patches/203_fix-ssi-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Andrew Mitchell Tue, 12 May 2009 16:15:34 +1200 + apache2 (2.2.11-3) unstable; urgency=low * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap 
@@ -76,6 +116,21 @@ -- Stefan Fritsch Tue, 31 Mar 2009 21:07:26 +0200 +apache2 (2.2.11-2ubuntu2) jaunty; urgency=low + + * debian/patches/203_fix-ssi-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + + -- Chuck Short Wed, 01 Apr 2009 11:39:17 -0400 + +apache2 (2.2.11-2ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{contro,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Sat, 17 Jan 2009 00:02:55 +0000 + apache2 (2.2.11-2) unstable; urgency=low * Report an error instead instead of segfaulting when apr_pollset_create @@ -85,6 +140,14 @@ -- Stefan Fritsch Fri, 16 Jan 2009 19:01:59 +0100 +apache2 (2.2.11-1ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control, rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Mon, 15 Dec 2008 00:06:50 +0000 + apache2 (2.2.11-1) unstable; urgency=low [Thom May] @@ -99,6 +162,14 @@ -- Stefan Fritsch Sun, 14 Dec 2008 09:34:24 +0100 +apache2 (2.2.9-11ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: (LP: #303375) + - debian/{control, rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Bhavani Shankar Sat, 29 Nov 2008 14:02:31 +0530 + apache2 (2.2.9-11) unstable; urgency=low * Regression fix from upstream svn for mod_proxy: @@ -113,6 +184,14 @@ -- Stefan Fritsch Wed, 26 Nov 2008 23:10:22 +0100 +apache2 (2.2.9-10ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control, rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Wed, 05 Nov 2008 02:23:18 -0400 + apache2 (2.2.9-10) unstable; urgency=low * Regression fix from upstream svn for mod_proxy_http: 
@@ -143,6 +222,27 @@ -- Stefan Fritsch Thu, 11 Sep 2008 09:17:33 +0200 +apache2 (2.2.9-7ubuntu3) intrepid; urgency=low + + * Revert logrotate change since it will break it for everyone. + + -- Chuck Short Fri, 19 Sep 2008 09:32:01 -0400 + +apache2 (2.2.9-7ubuntu2) intrepid; urgency=low + + * debian/logrotate: Restart rather than reload for busy websites. + (LP: #270899) + + -- Chuck Short Thu, 18 Sep 2008 08:42:22 -0400 + +apache2 (2.2.9-7ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control,rules}: enable PIE hardening. + - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles. + + -- Kees Cook Thu, 28 Aug 2008 08:10:59 -0700 + apache2 (2.2.9-7) unstable; urgency=low * Fix XSS in mod_proxy_ftp (CVE-2008-2939). @@ -185,6 +285,23 @@ -- Stefan Fritsch Sun, 06 Jul 2008 10:38:37 +0200 +apache2 (2.2.9-3ubuntu2) intrepid; urgency=low + + * add ufw integration (see + https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages) + (LP: #261198) + - debian/control: suggest ufw for apache2.2-common + - add apache2.2-common.ufw.profile with 3 profiles and install it to + /etc/ufw/applications.d/apache2.2-common + + -- Didier Roche Tue, 26 Aug 2008 19:03:42 +0200 + +apache2 (2.2.9-3ubuntu1) intrepid; urgency=low + + * debian/{control,rules}: enable PIE hardening + + -- Kees Cook Wed, 20 Aug 2008 15:45:00 -0700 + apache2 (2.2.9-3) unstable; urgency=low [ Stefan Fritsch ] + diff -u apache2-2.2.11/debian/control apache2-2.2.11/debian/control --- apache2-2.2.11/debian/control +++ apache2-2.2.11/debian/control 
@@ -1,9 +1,10 @@
 Source: apache2
 Section: httpd
 Priority: optional
-Maintainer: Debian Apache Maintainers
+Maintainer: Ubuntu Core Developers
+XSBC-Original-Maintainer: Debian Apache Maintainers
 Uploaders: Tollef Fog Heen , Thom May , Adam Conrad , Peter Samuelson , Stefan Fritsch
-Build-Depends: debhelper (>= 7), dpatch, lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev (>= 1.2.7-6), openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev, sharutils
+Build-Depends: debhelper (>= 7), dpatch, lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev (>= 1.2.7-6), openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev, sharutils, hardening-wrapper
 Standards-Version: 3.8.2
 Vcs-Browser: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2
 Vcs-svn: svn://svn.debian.org/pkg-apache/trunk/apache2
@@ -13,7 +14,7 @@
 Architecture: all
 Depends: apache2.2-bin (= ${binary:Version}), apache2-utils, libmagic1, mime-support, lsb-base, procps [!hurd-i386], perl
 Recommends: ssl-cert
-Suggests: www-browser, apache2-doc, apache2-suexec | apache2-suexec-custom
+Suggests: www-browser, apache2-doc, apache2-suexec | apache2-suexec-custom, ufw
 Conflicts: apache2-common, libapache2-mod-php5 (<= 5.1.6-3), libapache2-mod-php4 (<= 4:4.4.4-2), libapache2-mod-mime-xattr (<= 0.3-2), libapache2-mod-mono (<= 1.1.17-3), libapache2-mod-proxy-html (<= 2.4.3-2), libapache2-mod-scgi (<= 1.11-1), libapache2-mod-speedycgi (<= 2.22-3), libapache2-modxslt (<= 2005072700-1), libapache2-redirtoservername (<= 0.1-1), libapache2-webauth (<= 3.5.3-1), libapache2-webkdc (<= 3.5.3-1)
 Replaces: apache2-common
 Description: Apache HTTP Server common files
diff -u apache2-2.2.11/debian/patches/00list apache2-2.2.11/debian/patches/00list
--- apache2-2.2.11/debian/patches/00list
+++ apache2-2.2.11/debian/patches/00list
@@ -28,2 +28,3 @@
 201_build_suexec-custom.dpatch
+203_fix-ssi-timeftm-ignored.dpatch
 202_suexec-custom.dpatch
only in patch2: unchanged:
--- apache2-2.2.11.orig/debian/apache2.2-common.ufw.profile
+++ apache2-2.2.11/debian/apache2.2-common.ufw.profile
@@ -0,0 +1,14 @@
+[Apache]
+title=Web Server
+description=Apache v2 is the next generation of the omnipresent Apache web server.
+ports=80/tcp
+
+[Apache Secure]
+title=Web Server (HTTPS)
+description=Apache v2 is the next generation of the omnipresent Apache web server.
+ports=443/tcp
+
+[Apache Full]
+title=Web Server (HTTP,HTTPS)
+description=Apache v2 is the next generation of the omnipresent Apache web server.
+ports=80,443/tcp
only in patch2: unchanged:
--- apache2-2.2.11.orig/debian/patches/203_fix-ssi-timeftm-ignored.dpatch
+++ apache2-2.2.11/debian/patches/203_fix-ssi-timeftm-ignored.dpatch
@@ -0,0 +1,76 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: the actual patch to make suexec-custom read a config file
+
+@DPATCH@
+diff -Naur httpd-2.2.11.orig/modules/filters/mod_include.c httpd-2.2.11/modules/filters/mod_include.c
+--- httpd-2.2.11.orig/modules/filters/mod_include.c 2008-03-17 10:32:47.000000000 -0400
++++ httpd-2.2.11/modules/filters/mod_include.c 2009-04-01 11:21:10.000000000 -0400
+@@ -580,7 +580,7 @@
+ *p = '\0';
+ }
+
+-static void add_include_vars(request_rec *r, const char *timefmt)
++static void add_include_vars(request_rec *r)
+ {
+ apr_table_t *e = r->subprocess_env;
+ char *t;
+@@ -608,26 +608,18 @@
+ }
+ }
+
+-static const char *add_include_vars_lazy(request_rec *r, const char *var)
++static const char *add_include_vars_lazy(request_rec *r, const char *var, const char *timefmt)
+ {
+ char *val;
+ if (!strcasecmp(var, "DATE_LOCAL")) {
+ include_dir_config *conf =
+- (include_dir_config *)ap_get_module_config(r->per_dir_config,
+- &include_module);
+- val = ap_ht_time(r->pool, r->request_time, conf->default_time_fmt, 0);
++ val = ap_ht_time(r->pool, r->request_time, timefmt, 0);
+ }
+ else if (!strcasecmp(var, "DATE_GMT")) {
+- include_dir_config *conf =
+- (include_dir_config *)ap_get_module_config(r->per_dir_config,
+- &include_module);
+- val = ap_ht_time(r->pool, r->request_time, conf->default_time_fmt, 1);
++ val = ap_ht_time(r->pool, r->request_time, timefmt, 1);
+ }
+ else if (!strcasecmp(var, "LAST_MODIFIED")) {
+- include_dir_config *conf =
+- (include_dir_config *)ap_get_module_config(r->per_dir_config,
+- &include_module);
+- val = ap_ht_time(r->pool, r->finfo.mtime, conf->default_time_fmt, 0);
++ val = ap_ht_time(r->pool, r->finfo.mtime, timefmt, 0);
+ }
+ else if (!strcasecmp(var, "USER_NAME")) {
+ if (apr_uid_name_get(&val, r->finfo.user, r->pool) != APR_SUCCESS) {
+@@ -684,7 +676,7 @@
+ val = apr_table_get(r->subprocess_env, var);
+
+ if (val == LAZY_VALUE) {
+- val = add_include_vars_lazy(r, var);
++ val = add_include_vars_lazy(r, var, ctx->time_str);
+ }
+ }
+
+@@ -2423,7 +2415,7 @@
+ /* get value */
+ val_text = elts[i].val;
+ if (val_text == LAZY_VALUE) {
+- val_text = add_include_vars_lazy(r, elts[i].key);
++ val_text = add_include_vars_lazy(r, elts[i].key, ctx->time_str);
+ }
+ val_text = ap_escape_html(ctx->dpool, elts[i].val);
+ v_len = strlen(val_text);
+@@ -3608,7 +3600,7 @@
+ * environment */
+ ap_add_common_vars(r);
+ ap_add_cgi_vars(r);
+- add_include_vars(r, conf->default_time_fmt);
++ add_include_vars(r);
+ }
+ /* Always unset the content-length. There is no way to know if
+ * the content will be modified at some point by send_parsed_content.
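Review bot: In the `@@ -608,26 +608,18 @@` hunk of the embedded mod_include.c patch, the DATE_LOCAL branch keeps `include_dir_config *conf =` as a context line while the two lines that completed that initializer are removed, so the new code reads `include_dir_config *conf = val = ap_ht_time(r->pool, r->request_time, timefmt, 0);`. That initialises an `include_dir_config *` from the `char *` result, which a C compiler will at best warn about, and leaves `conf` unused; the DATE_GMT and LAST_MODIFIED branches drop the declaration correctly. The declaration line should be removed in this branch too, leaving only `val = ap_ht_time(r->pool, r->request_time, timefmt, 0);`. Separately, the `## DP:` header still says "the actual patch to make suexec-custom read a config file", which describes a different patch; `## DP: Fix timefmt being ignored when XBitHack is on (LP: #258914)` would match the changelog entry. The body of add_include_vars_lazy continues past the hunk.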