This bug was fixed in the package apache2 - 2.2.15-5ubuntu1

---------------
apache2 (2.2.15-5ubuntu1) maverick; urgency=low

  * Merge from debian unstable. Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree.
    - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
    + Dropped:
      - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
      - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
      - debian/config-dir/apache2.conf: Merged back from debian.
      - mod-reqtimeout functionality: Merge back from debian.
      - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
      - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
      - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.

apache2 (2.2.15-5) unstable; urgency=low

  * Conflict with apache package as we now include apachectl. Closes: #579065
  * Remove conflicts with old apache 2.0 modules. The conflicts are not
    necessary anymore as skipping a stable release is not supported anyway.
  * Silence the grep in preinst.

apache2 (2.2.15-4) unstable; urgency=low

  * Move definition of other_vhosts_access.log to new config file
    /etc/apache2/conf.d/other-vhosts-access-log, but disable it if it has
    been disabled by the admin. Closes: #576572. LP: #507616
  * Comment out the contents of mods-available/proxy.conf, as it just is a
    nuisance for use of apache2 as a reverse proxy, which is much more common
    than the use as forward proxy. Extend the comments in the file.
  * Change defaults or add example configs for some modules:
    status.conf:
    - enable ExtendedStatus by default
    - enable ProxyStatus by default
    - document SeeRequestTail directive
    proxy_ftp.conf:
    - set 'ProxyFtpDirCharset UTF-8' by default
    ldap.conf:
    - enable /ldap-status page, allow it from localhost by default
    proxy_balancer.conf:
    - add (disabled) example for /balancer-manager page
    ssl.conf:
    - document SSLStrictSNIVHostCheck directive
  * Add symlink from apachectl to apache2ctl to be more compatible with
    upstream. Apache httpd 1.3 hasn't been in Debian for some time.
  * Simplify logrotate script. Closes: #576105
  * Remove empty directory /usr/lib/debug/usr/sbin in mpm packages.
    Closes: #576089
  * Fix apxs2 to work with perl 5.12rc3. Closes: #577239
  * Add source/format file to make lintian happy.

apache2 (2.2.15-3) unstable; urgency=low

  * mod_reqtimeout: backport bugfixes from upstream trunk up to r928881,
    including a fix for mod_proxy CONNECT requests.
  * mod_dav_fs: Use correct permissions when creating new files. LP: #540747

apache2 (2.2.15-2) unstable; urgency=low

  * Make the Files ~ "^\.ht" block in apache2.conf more secure by adding
    Satisfy all. Closes: #572075
  * mod_reqtimeout: Various bug fixes, including:
    - Don't mess up timeouts of mod_proxy's backend connections.
      Closes: #573163

apache2 (2.2.15-1) unstable; urgency=low

  * New upstream version:
    - CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability
    - CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol
      prefix injection attack.
    - CVE-2010-0434: mod_headers: Fix potential information leak with threaded
      MPMs.
    - mod_reqtimeout: New module limiting the time waiting for receiving a
      request from the client. This is a (partial) mitigation against
      slowloris-type resource exhaustion attacks. The module is enabled by
      default. Closes: #533661
    - mod_ssl: Add SSLInsecureRenegotiation directive to allow insecure
      renegotiation with clients which do not yet support the secure
      renegotiation protocol. As this requires openssl 0.9.8m, bump build
      dependency accordingly.
  * Fix bash completion for a2ensite if the site name contains 'conf' or
    'load'. Closes: #572232
  * Do a configcheck in the init script before doing a non-graceful restart.
    Closes: #571461

apache2 (2.2.14-7) unstable; urgency=low

  * Fix potential memory leaks related to the usage of apr_brigade_destroy().
  * Add hints about correct mod_dav_fs configuration to README.Debian.
    Closes: #257945
  * Fix error in Polish translation of 404 error page. Closes: #570228
  * Document ThreadLimit in apache2.conf's comments.

apache2 (2.2.14-6) unstable; urgency=low

  * Use environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR, and
    APACHE_LOG_DIR in the default configuration. If you have modified
    /etc/apache2/envvars, make sure that these variables are set and exported.
  * Add support for multiple apache2 instances to initscript and apache2ctl.
    See /usr/share/doc/apache2.2-common/README.multiple-instances for details.
    Closes: #353450
  * Set default compiled-in ServerRoot to /etc/apache2 and make paths in
    apache2.conf relative to ServerRoot.
  * Move ab and logresolve from /usr/sbin to /usr/bin. Closes: #351450, #564061
  * Fix symlinks in apache2-dbg package. Closes: #567076
  * Fix mod_cache CacheIgnoreURLSessionIdentifiers handling. Closes: #556383
  * Add new init script action graceful-stop (LP: #456381)
  * Add more languages to mime.conf. To limit this to useful entries, we only
    add those for which a translation of the Debian installer exists.
    LP: #217964
  * Unset $HOME in /etc/apache2/envvars.
  * Change default config of mod_info and mod_status to use IP addresses
    instead of hostnames. Otherwise the hostname is sometimes logged even with
    'HostnameLookup Off'. Closes: #568409
  * Add a hook to apache2.2-common's postrm script that may come in handy when
    upgrading to 2.4.
  * Make bug script also display php extensions.
  * Bump Standards-Version (no changes).
  * Remove Adam Conrad from Uploaders. Thanks for your work in the past.

 -- Chuck Short