Attached is a debdiff for the merge of apache 2.2.20-1 (I was unable to do this via bzr due to bug 842144). I've verified that the package builds on i386 and amd64 and ran the lp:qa-regression-testing tests against that package, and confirmed that no regressions occur.
** Description changed:

  CVE-2011-3192 relates to an exploit in Apache that could cause Denial of
  Service through use of excess range headers. Debian has released an
  update that fixes this problem (apache2 2.2.19-2) -
  http://security-tracker.debian.org/tracker/CVE-2011-3192
+
+ Debian version 2.2.20-1 includes the upstream fix for CVE-2011-3192 as
+ well as a fix for a regression introduced by that fix
+ (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639825). Both 2.2.19-2
+ and 2.2.20-1 are bugfix-only releases:
+
+ +apache2 (2.2.20-1) unstable; urgency=low
+ +
+ +  * New upstream release.
+ +  * Fix some regressions related to Range requests caused by the CVE-2011-3192
+ +    fix. Closes: #639825
+ +  * Add build-arch and build-indep rules targets to make Lintian happy.
+ +  * Bump Standards-Version (no changes).
+ +
+ + -- Stefan Fritsch <s...@debian.org>  Sun, 04 Sep 2011 21:50:22 +0200
+ +
+ +apache2 (2.2.19-2) unstable; urgency=high
+ +
+ +  * Fix CVE-2011-3192: DoS by high memory usage for a large number of
+ +    overlapping ranges.
+ +  * Reduce default KeepAliveTimeout from 15 to 5 seconds.
+ +  * Use "linux-any" in build-deps. Closes: #634709
+ +  * Improve reload message of a2enmod. Closes: #639291
+ +  * Improve description of the prefork MPM. Closes: #634242
+ +  * Mention .conf files in a2enmod man page. Closes: #634834
+ +
+ + -- Stefan Fritsch <s...@debian.org>  Mon, 29 Aug 2011 17:08:17 +0200
+
+ and the upstream revision 2.2.20 is a bugfix only release as well, see:
+ http://www.apache.org/dist/httpd/CHANGES_2.2.20
+
+ There is one user (sysadmin) visible change in 2.2.19-2 to the a2enmod
+ command's output:
+
+ -info("To to activate the new configuration, you need to run:\n /etc/init.d/apache2 $reload\n")
+ +info("To activate the new configuration, you need to run:\n service apache2 $reload\n")
+
+ I've verified that the output string does not show up in the current
+ version of the Ubuntu Server Guide, and contacted the person working on
+ the apache portion of the Ubuntu Server Guide according to
+ http://pad.ubuntu.com/serverguide , Gary Roberts
+ (https://launchpad.net/~ag1t) and confirmed that this change does not
+ interfere with his intended updates.

** Summary changed:

- Update apache2 to 2.2.19-2 to fix CVE-2011-3192
+ Please merge apache2 2.2.20-1 to fix CVE-2011-3192+regressions

** Patch added: "apache2_2.2.20-1ubuntu1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/837991/+attachment/2362702/+files/apache2_2.2.20-1ubuntu1.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/837991

Title:
  Please merge apache2 2.2.20-1 to fix CVE-2011-3192+regressions

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/837991/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
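The changelog above describes CVE-2011-3192 as memory exhaustion triggered by a large number of overlapping byte ranges in a single Range header. The following Python snippet is an added illustration of what a defender might check for at a proxy or in request logs; it is not part of the Debian or Ubuntu apache2 packaging nor of Apache itself. It parses a `bytes=` Range header value, counts the range specs, resolves them against a known content length and counts overlapping pairs. The threshold of five ranges is an assumption chosen for this example and is configurable by the caller; the sample header values are constructed.

```python
"""Inspect an HTTP Range header for the pattern behind CVE-2011-3192.

Added example, not code from the apache2 package or from Apache httpd.
Assumes the caller has already extracted the Range header value from
the request and knows the length of the resource being served.
"""
import re

# One range spec is "start-end", "start-" (open-ended) or "-suffix".
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header_value):
    """Return a list of (start, end) tuples for a 'bytes=...' header.

    Suffix ranges such as '-500' come back as (None, 500); open-ended
    ranges such as '500-' as (500, None). Anything else raises ValueError.
    """
    if not header_value.lower().startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError("malformed range spec: %r" % spec)
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges


def count_overlaps(ranges, content_length):
    """Resolve each range to absolute byte offsets for a resource of
    content_length bytes, drop unsatisfiable ones, and count the pairs
    of ranges that share at least one byte."""
    resolved = []
    for start, end in ranges:
        if start is None:  # suffix range: the last `end` bytes
            lo, hi = max(content_length - end, 0), content_length - 1
        else:
            lo = start
            hi = content_length - 1 if end is None else min(end, content_length - 1)
        if lo <= hi:
            resolved.append((lo, hi))
    overlaps = 0
    for i in range(len(resolved)):
        for j in range(i + 1, len(resolved)):
            a, b = resolved[i], resolved[j]
            if a[0] <= b[1] and b[0] <= a[1]:
                overlaps += 1
    return overlaps


def assess_range_header(header_value, content_length, max_ranges=5):
    """Classify a Range header as 'ok', 'too-many-ranges' or 'malformed'.

    max_ranges=5 is an assumed threshold for this example; a deployment
    would pick a value that fits the clients it actually serves.
    """
    try:
        ranges = parse_byte_ranges(header_value)
    except ValueError:
        return {"ranges": 0, "overlaps": 0, "verdict": "malformed"}
    overlaps = count_overlaps(ranges, content_length)
    verdict = "too-many-ranges" if len(ranges) > max_ranges else "ok"
    return {"ranges": len(ranges), "overlaps": overlaps, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample header values, not captured traffic.
    for value in ("bytes=0-", "bytes=-500", "bytes=0-,0-1,1-2,2-3,3-4,4-5"):
        print(value, "->", assess_range_header(value, content_length=1000))
```

A legitimate download resumer sends one or two ranges, so a request whose single Range header carries many heavily overlapping ranges stands out; the count and overlap figures returned here can feed a log query or a proxy rule without any knowledge of the server's internals.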