[Pkg-apache-commits] r1162 - in /trunk/apache2: ./ config-dir/mods-available/ patches/
sf at alioth.debian.org
sf at alioth.debian.org
Sun Mar 7 22:02:36 UTC 2010
Author: sf
Date: Sun Mar 7 22:02:34 2010
New Revision: 1162
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1162
Log:
Prepare new upstream 2.2.15
- build mod_reqtimeout
- enable mod_reqtimeout by default and on upgrades
- bump openssl build-dep to 0.9.8m for SSLInsecureRenegotiation
Added:
trunk/apache2/config-dir/mods-available/reqtimeout.conf (with props)
trunk/apache2/config-dir/mods-available/reqtimeout.load
Removed:
trunk/apache2/patches/068_mod_dav_detect_EOF.dpatch
trunk/apache2/patches/070_RemoveType_override_mime.types.dpatch
trunk/apache2/patches/072_CVE-2009-3555.dpatch
trunk/apache2/patches/078_avoid_brigade_destroy.dpatch
Modified:
trunk/apache2/apache2.2-common.postinst
trunk/apache2/changelog
trunk/apache2/config-dir/mods-available/ssl.conf
trunk/apache2/control
trunk/apache2/patches/00list
trunk/apache2/patches/033_dbm_read_hash_or_btree
trunk/apache2/rules
Modified: trunk/apache2/apache2.2-common.postinst
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/apache2.2-common.postinst?rev=1162&op=diff
==============================================================================
--- trunk/apache2/apache2.2-common.postinst (original)
+++ trunk/apache2/apache2.2-common.postinst Sun Mar 7 22:02:34 2010
@@ -72,6 +72,11 @@
rm -f /var/lock/apache2/DAVLock.dir /var/lock/apache2/DAVLock.pag
fi
+# Note, this line catches new installs as well as upgrades
+if dpkg --compare-versions "$2" lt 2.2.15-1~0; then
+ a2enmod -q reqtimeout
+fi
+
rm -f /etc/apache2/ports.conf.dpkg-apache2.2-common.old
rm -f /etc/default/apache2.dpkg-apache2.2-common.old
rm -f /etc/apache2/conf.d/charset.dpkg-apache2.2-common.old
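Review bot: The guard on the new `dpkg --compare-versions` line only catches fresh installs because `$2` is empty there and dpkg happens to sort an empty version string below every real version; that is implicit, and later dpkg releases warn about an empty version argument, so the intent stated in the comment above it is better made explicit: `if [ -z "$2" ] || dpkg --compare-versions "$2" lt 2.2.15-1~0; then`. The enclosing `configure` branch and any `set -e` begin outside the hunk, so it cannot be seen here whether a failing `a2enmod -q reqtimeout` aborts the upgrade; if it does, the `-q` flag hides the one message the admin would need to diagnose it. Whichever way that goes, the failure mode should be a deliberate choice, not a side effect of the quiet flag.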
Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1162&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Sun Mar 7 22:02:34 2010
@@ -1,5 +1,19 @@
-apache2 (2.2.14-8) UNRELEASED; urgency=low
-
+apache2 (2.2.15-1) UNRELEASED; urgency=low
+
+ * New upstream version:
+ - CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability
+ - CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol
+ prefix injection attack.
+ - CVE-2010-0434: mod_headers: Fix potential information leak with threaded
+ MPMs.
+ - mod_ssl: Add SSLInsecureRenegotiation directive to allows insecure
+ renegotiation with clients which do not yet support the secure
+ renegotiation protocol. As this requires openssl 0.9.8m, bump
+ build dependency accordingly.
+ - mod_reqtimeout: New module limiting the time waiting for receiving
+ a request from the client. This is a (partial) mitigation against
+ slowloris-type resource exhaustion attacks. The module is enabled by
+ default. Closes: #533661
* Fix bash completion for a2ensite if the site name contains 'conf' or
'load'. Closes: #572232
* Do a configcheck in the init script before doing a non-graceful restart.
Added: trunk/apache2/config-dir/mods-available/reqtimeout.conf
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/config-dir/mods-available/reqtimeout.conf?rev=1162&op=file
==============================================================================
--- trunk/apache2/config-dir/mods-available/reqtimeout.conf (added)
+++ trunk/apache2/config-dir/mods-available/reqtimeout.conf Sun Mar 7 22:02:34 2010
@@ -1,0 +1,12 @@
+<IfModule reqtimeout_module>
+
+# Wait max 10 seconds for the first byte of the request line+headers
+# From then, require a minimum data rate of 500 bytes/s, but don't
+# wait longer than 20 seconds in total.
+RequestReadTimeout header=10-20,minrate=500
+
+# Wait max 10 seconds for the first byte of the request body (if any)
+# From then, require a minimum data rate of 500 bytes/s
+RequestReadTimeout body=10,minrate=500
+
+</IfModule>
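Review bot: The `body=10,minrate=500` line deliberately has no upper bound, unlike the `header=10-20` line above it, so a client that keeps trickling at or above 500 bytes/s can hold a worker for as long as it likes; that is the right trade-off for large uploads, but the comment should say so and name the remaining backstop, e.g. `# No upper limit here: large uploads need it. A client sending >= 500 bytes/s` / `# can still hold a worker, so MaxClients/connection limits remain the backstop.` The directives here only bound reading the request line, headers and body; they say nothing about idle keep-alive connections or a client that is slow to consume the response, which is presumably what the changelog means by "partial" mitigation. A one-line header comment pointing at `KeepAliveTimeout` for the idle case would stop admins from assuming this file alone closes the slowloris class.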
Propchange: trunk/apache2/config-dir/mods-available/reqtimeout.conf
------------------------------------------------------------------------------
svn:eol-style = native
Added: trunk/apache2/config-dir/mods-available/reqtimeout.load
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/config-dir/mods-available/reqtimeout.load?rev=1162&op=file
==============================================================================
--- trunk/apache2/config-dir/mods-available/reqtimeout.load (added)
+++ trunk/apache2/config-dir/mods-available/reqtimeout.load Sun Mar 7 22:02:34 2010
@@ -1,0 +1,1 @@
+LoadModule reqtimeout_module /usr/lib/apache2/modules/mod_reqtimeout.so
Modified: trunk/apache2/config-dir/mods-available/ssl.conf
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/config-dir/mods-available/ssl.conf?rev=1162&op=diff
==============================================================================
--- trunk/apache2/config-dir/mods-available/ssl.conf (original)
+++ trunk/apache2/config-dir/mods-available/ssl.conf Sun Mar 7 22:02:34 2010
@@ -62,4 +62,8 @@
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
+# Allow insecure renegotiation with clients which do not yet support the
+# secure renegotiation protocol
+# SSLInsecureRenegotiation on
+
</IfModule>
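Review bot: The new commented-out `# SSLInsecureRenegotiation on` line is offered without saying what it costs: turning it on reopens the CVE-2009-3555 renegotiation prefix-injection attack that this same upload is fixing (per the changelog entry), and it does so for every client, not just the legacy ones it is meant to accommodate. The comment should carry that warning so an admin chasing a handshake failure does not flip it casually, e.g. `# WARNING: enabling this re-exposes the server to the CVE-2009-3555 renegotiation` / `# prefix-injection attack for all clients. Use only as a short-term workaround for` / `# clients that cannot do secure renegotiation, and disable it again once they are updated.` The surrounding `<IfModule>` block starts outside the hunk.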
Modified: trunk/apache2/control
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/control?rev=1162&op=diff
==============================================================================
--- trunk/apache2/control (original)
+++ trunk/apache2/control Sun Mar 7 22:02:34 2010
@@ -3,7 +3,7 @@
Priority: optional
Maintainer: Debian Apache Maintainers <debian-apache at lists.debian.org>
Uploaders: Tollef Fog Heen <tfheen at debian.org>, Thom May <thom at debian.org>, Peter Samuelson <peter at p12n.org>, Stefan Fritsch <sf at debian.org>, Steinar H. Gunderson <sesse at debian.org>
-Build-Depends: debhelper (>= 7.4.3), dpatch, lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev (>= 1.2.7-6), openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev, sharutils, libcap-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], autoconf
+Build-Depends: debhelper (>= 7.4.3), dpatch, lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev (>= 1.2.7-6), openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev (>= 0.9.8m), sharutils, libcap-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], autoconf
Build-Conflicts: autoconf2.13
Standards-Version: 3.8.4
Vcs-Browser: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2
Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=1162&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Sun Mar 7 22:02:34 2010
@@ -15,17 +15,13 @@
057_disablemods.dpatch
058_suexec-CVE-2007-1742.dpatch
067_fix_segfault_in_ab.dpatch
-068_mod_dav_detect_EOF.dpatch
069_no_deflate_for_HEAD.dpatch
-070_RemoveType_override_mime.types.dpatch
071_fix_cacheenable.dpatch
-072_CVE-2009-3555.dpatch
073_mod_dav_trunk_fixes.dpatch
074_link_support_progs_with_lcrypt.dpatch
075_mod_rewrite_literal_ipv6_redirect.dpatch
076_apxs2_a2enmod.dpatch
077_CacheIgnoreURLSessionIdentifiers.dpatch
-078_avoid_brigade_destroy.dpatch
079_polish_translation.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
Modified: trunk/apache2/patches/033_dbm_read_hash_or_btree
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/033_dbm_read_hash_or_btree?rev=1162&op=diff
==============================================================================
--- trunk/apache2/patches/033_dbm_read_hash_or_btree (original)
+++ trunk/apache2/patches/033_dbm_read_hash_or_btree Sun Mar 7 22:02:34 2010
@@ -17,7 +17,7 @@
sub usage {
my $cmds = join "|", sort keys %dbmc::;
@@ -154,7 +154,9 @@
- my($mode, $flags) = $command =~
+ my($mode, $flags) = $command =~
/^(?:view|check)$/ ? (0644, O_RDONLY) : (0644, O_RDWR|O_CREAT);
-tie (%DB, "AnyDBM_File", $file, $flags, $mode) || die "Can't tie $file: $!";
@@ -28,11 +28,11 @@
untie %DB;
@@ -168,7 +168,7 @@
- srand (time ^ $$ or time ^ ($$ + ($$ << 15)));
+ srand (time ^ $$ or time ^ ($$ + ($$ << 15)));
}
else {
-- for (qw(-xlwwa -le)) {
-+ for (qw(xlwwa -le)) {
- `ps $_ 2>/dev/null`;
+- for (qw(-xlwwa -le)) {
++ for (qw(xlwwa -le)) {
+ `ps $_ 2>/dev/null`;
$psf = $_, last unless $?;
}
Modified: trunk/apache2/rules
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/rules?rev=1162&op=diff
==============================================================================
--- trunk/apache2/rules (original)
+++ trunk/apache2/rules Sun Mar 7 22:02:34 2010
@@ -69,7 +69,7 @@
--enable-actions=shared --enable-speling=shared \
--enable-userdir=shared --enable-alias=shared \
--enable-rewrite=shared --enable-mime=shared \
- --enable-substitute=shared
+ --enable-substitute=shared --enable-reqtimeout=shared
AP2_CFLAGS = $(CFLAGS) -g -pipe -I/usr/include/xmltok -I/usr/include/openssl -Wall -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector
AP2_LDFLAGS = -Wl,--as-needed -Wl,-z,relro