[Pkg-apache-commits] r1162 - in /trunk/apache2: ./ config-dir/mods-available/ patches/

sf at alioth.debian.org sf at alioth.debian.org
Sun Mar 7 22:02:36 UTC 2010


Author: sf
Date: Sun Mar  7 22:02:34 2010
New Revision: 1162

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1162
Log:
Prepare new upstream 2.2.15
- build mod_reqtimeout
- enable mod_reqtimeout by default and on upgrades
- bump openssl build-dep to 0.9.8m for SSLInsecureRenegotiation

Added:
    trunk/apache2/config-dir/mods-available/reqtimeout.conf   (with props)
    trunk/apache2/config-dir/mods-available/reqtimeout.load
Removed:
    trunk/apache2/patches/068_mod_dav_detect_EOF.dpatch
    trunk/apache2/patches/070_RemoveType_override_mime.types.dpatch
    trunk/apache2/patches/072_CVE-2009-3555.dpatch
    trunk/apache2/patches/078_avoid_brigade_destroy.dpatch
Modified:
    trunk/apache2/apache2.2-common.postinst
    trunk/apache2/changelog
    trunk/apache2/config-dir/mods-available/ssl.conf
    trunk/apache2/control
    trunk/apache2/patches/00list
    trunk/apache2/patches/033_dbm_read_hash_or_btree
    trunk/apache2/rules

Modified: trunk/apache2/apache2.2-common.postinst
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/apache2.2-common.postinst?rev=1162&op=diff
==============================================================================
--- trunk/apache2/apache2.2-common.postinst (original)
+++ trunk/apache2/apache2.2-common.postinst Sun Mar  7 22:02:34 2010
@@ -72,6 +72,11 @@
 	rm -f /var/lock/apache2/DAVLock.dir /var/lock/apache2/DAVLock.pag
 fi
 
+# Note, this line catches new installs as well as upgrades
+if dpkg --compare-versions "$2" lt 2.2.15-1~0; then
+	a2enmod -q reqtimeout
+fi
+
 rm -f /etc/apache2/ports.conf.dpkg-apache2.2-common.old
 rm -f /etc/default/apache2.dpkg-apache2.2-common.old
 rm -f /etc/apache2/conf.d/charset.dpkg-apache2.2-common.old
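Review bot: The exit status of `a2enmod -q reqtimeout` on the added line is not checked, so whether a failure aborts the postinst or is silently ignored depends on a `set -e` that is outside the hunk; since the module is the slowloris mitigation the changelog announces, a silent failure would leave the system without it. Either make the failure visible, e.g. `a2enmod -q reqtimeout || echo "warning: could not enable mod_reqtimeout" >&2`, or rely on set -e deliberately and say so in the comment. The comment also relies on `$2` being empty on a fresh install and dpkg comparing an empty version as older than any other; that is worth stating, e.g. `# Note: $2 is empty on new installs and dpkg treats that as older than any version, so this catches new installs as well as upgrades`. The enclosing block of the script (any `configure` case guard) starts outside the hunk.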

Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1162&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Sun Mar  7 22:02:34 2010
@@ -1,5 +1,19 @@
-apache2 (2.2.14-8) UNRELEASED; urgency=low
-
+apache2 (2.2.15-1) UNRELEASED; urgency=low
+
+  * New upstream version:
+    - CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability
+    - CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol
+      prefix injection attack.
+    - CVE-2010-0434: mod_headers: Fix potential information leak with threaded
+      MPMs.
+    - mod_ssl: Add SSLInsecureRenegotiation directive to allows insecure
+      renegotiation with clients which do not yet support the secure
+      renegotiation protocol. As this requires openssl 0.9.8m, bump
+      build dependency accordingly.
+    - mod_reqtimeout: New module limiting the time waiting for receiving
+      a request from the client. This is a (partial) mitigation against
+      slowloris-type resource exhaustion attacks. The module is enabled by
+      default. Closes: #533661
   * Fix bash completion for a2ensite if the site name contains 'conf' or
     'load'. Closes: #572232
   * Do a configcheck in the init script before doing a non-graceful restart.

Added: trunk/apache2/config-dir/mods-available/reqtimeout.conf
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/config-dir/mods-available/reqtimeout.conf?rev=1162&op=file
==============================================================================
--- trunk/apache2/config-dir/mods-available/reqtimeout.conf (added)
+++ trunk/apache2/config-dir/mods-available/reqtimeout.conf Sun Mar  7 22:02:34 2010
@@ -1,0 +1,12 @@
+<IfModule reqtimeout_module>
+
+# Wait max 10 seconds for the first byte of the request line+headers
+# From then, require a minimum data rate of 500 bytes/s, but don't
+# wait longer than 20 seconds in total.
+RequestReadTimeout header=10-20,minrate=500
+
+# Wait max 10 seconds for the first byte of the request body (if any)
+# From then, require a minimum data rate of 500 bytes/s
+RequestReadTimeout body=10,minrate=500
+
+</IfModule>
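Review bot: The body stanza on the `RequestReadTimeout body=10,minrate=500` line has no upper bound, unlike the header stanza's `header=10-20`, so a client feeding the body at just over 500 bytes/s keeps the read going for as long as the request body is allowed to be; the comment above it should make that asymmetry explicit so an admin does not assume the 20-second cap applies here too. Suggested wording for the second comment line: `# From then, require a minimum data rate of 500 bytes/s; unlike the header` / `# timeout there is no upper bound on the total time spent reading the body.` Whether to add a cap (`body=10-N`) depends on the largest uploads a site must accept, so leaving it to the admin rather than setting it distribution-wide seems right.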

Propchange: trunk/apache2/config-dir/mods-available/reqtimeout.conf
------------------------------------------------------------------------------
    svn:eol-style = native

Added: trunk/apache2/config-dir/mods-available/reqtimeout.load
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/config-dir/mods-available/reqtimeout.load?rev=1162&op=file
==============================================================================
--- trunk/apache2/config-dir/mods-available/reqtimeout.load (added)
+++ trunk/apache2/config-dir/mods-available/reqtimeout.load Sun Mar  7 22:02:34 2010
@@ -1,0 +1,1 @@
+LoadModule reqtimeout_module /usr/lib/apache2/modules/mod_reqtimeout.so

Modified: trunk/apache2/config-dir/mods-available/ssl.conf
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/config-dir/mods-available/ssl.conf?rev=1162&op=diff
==============================================================================
--- trunk/apache2/config-dir/mods-available/ssl.conf (original)
+++ trunk/apache2/config-dir/mods-available/ssl.conf Sun Mar  7 22:02:34 2010
@@ -62,4 +62,8 @@
 # enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
 SSLProtocol all -SSLv2
 
+# Allow insecure renegotiation with clients which do not yet support the
+# secure renegotiation protocol
+# SSLInsecureRenegotiation on
+
 </IfModule>
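Review bot: The commented-out `# SSLInsecureRenegotiation on` on the added lines explains what the directive permits but not what it costs; since this commit ships the CVE-2009-3555 mitigation, the comment should say that enabling it re-exposes the server to that renegotiation prefix-injection issue, so an admin does not flip it on as a quick fix for broken clients. Suggested comment: `# Allow insecure renegotiation with clients which do not yet support the` / `# secure renegotiation protocol (RFC 5746). Enabling this re-opens the` / `# CVE-2009-3555 prefix-injection issue; leave it off unless required.` The `<IfModule>` block this sits in starts outside the hunk.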

Modified: trunk/apache2/control
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/control?rev=1162&op=diff
==============================================================================
--- trunk/apache2/control (original)
+++ trunk/apache2/control Sun Mar  7 22:02:34 2010
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Debian Apache Maintainers <debian-apache at lists.debian.org>
 Uploaders: Tollef Fog Heen <tfheen at debian.org>, Thom May <thom at debian.org>, Peter Samuelson <peter at p12n.org>, Stefan Fritsch <sf at debian.org>, Steinar H. Gunderson <sesse at debian.org>
-Build-Depends: debhelper (>= 7.4.3), dpatch, lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev (>= 1.2.7-6), openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev, sharutils, libcap-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], autoconf
+Build-Depends: debhelper (>= 7.4.3), dpatch, lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev (>= 1.2.7-6), openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev (>= 0.9.8m), sharutils, libcap-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], autoconf
 Build-Conflicts: autoconf2.13
 Standards-Version: 3.8.4
 Vcs-Browser: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2

Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=1162&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Sun Mar  7 22:02:34 2010
@@ -15,17 +15,13 @@
 057_disablemods.dpatch
 058_suexec-CVE-2007-1742.dpatch
 067_fix_segfault_in_ab.dpatch
-068_mod_dav_detect_EOF.dpatch
 069_no_deflate_for_HEAD.dpatch
-070_RemoveType_override_mime.types.dpatch
 071_fix_cacheenable.dpatch
-072_CVE-2009-3555.dpatch
 073_mod_dav_trunk_fixes.dpatch
 074_link_support_progs_with_lcrypt.dpatch
 075_mod_rewrite_literal_ipv6_redirect.dpatch
 076_apxs2_a2enmod.dpatch
 077_CacheIgnoreURLSessionIdentifiers.dpatch
-078_avoid_brigade_destroy.dpatch
 079_polish_translation.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch

Modified: trunk/apache2/patches/033_dbm_read_hash_or_btree
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/033_dbm_read_hash_or_btree?rev=1162&op=diff
==============================================================================
--- trunk/apache2/patches/033_dbm_read_hash_or_btree (original)
+++ trunk/apache2/patches/033_dbm_read_hash_or_btree Sun Mar  7 22:02:34 2010
@@ -17,7 +17,7 @@
  sub usage {
      my $cmds = join "|", sort keys %dbmc::;
 @@ -154,7 +154,9 @@
- my($mode, $flags) = $command =~ 
+ my($mode, $flags) = $command =~
      /^(?:view|check)$/ ? (0644, O_RDONLY) : (0644, O_RDWR|O_CREAT);
  
 -tie (%DB, "AnyDBM_File", $file, $flags, $mode) || die "Can't tie $file: $!";
@@ -28,11 +28,11 @@
  untie %DB;
  
 @@ -168,7 +168,7 @@
- 	srand (time ^ $$ or time ^ ($$ + ($$ << 15)));
+         srand (time ^ $$ or time ^ ($$ + ($$ << 15)));
      }
      else {
--        for (qw(-xlwwa -le)) { 
-+        for (qw(xlwwa -le)) { 
- 	    `ps $_ 2>/dev/null`;
+-        for (qw(-xlwwa -le)) {
++        for (qw(xlwwa -le)) {
+             `ps $_ 2>/dev/null`;
              $psf = $_, last unless $?;
          }

Modified: trunk/apache2/rules
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/rules?rev=1162&op=diff
==============================================================================
--- trunk/apache2/rules (original)
+++ trunk/apache2/rules Sun Mar  7 22:02:34 2010
@@ -69,7 +69,7 @@
 		      --enable-actions=shared --enable-speling=shared \
 		      --enable-userdir=shared --enable-alias=shared \
 		      --enable-rewrite=shared --enable-mime=shared \
-		      --enable-substitute=shared
+		      --enable-substitute=shared  --enable-reqtimeout=shared
 
 AP2_CFLAGS = $(CFLAGS) -g -pipe -I/usr/include/xmltok -I/usr/include/openssl -Wall -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector
 AP2_LDFLAGS = -Wl,--as-needed -Wl,-z,relro
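Review bot: The added line `--enable-substitute=shared  --enable-reqtimeout=shared` has two spaces between the options where the rest of the list uses one; purely cosmetic, but it stands out in a list that otherwise puts a fixed number of options per continuation line, and `--enable-substitute=shared --enable-reqtimeout=shared` (or the new option on its own line with a trailing backslash, matching the lines above) keeps the list uniform. The variable assignment this belongs to begins outside the hunk.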



