[Pkg-apache-commits] [SCM] Debian packaging for apache2 (Apache HTTPD 2.x) branch, next, updated. d45a03625ca7399ba492081c586fc31ee49a76dd
Arno Töll
debian at toell.net
Thu Feb 2 23:40:53 UTC 2012
The following commit has been merged in the next branch:
commit 1c729c1dc03caf72efc40e3ab23b74fdcc4f9514
Author: Arno Töll <debian at toell.net>
Date: Thu Feb 2 01:50:02 2012 +0100
* Remove obsolete CVE patches; they are all incorporated upstream
* Move httxt2dbm to apache2-utils
* Rename apache2-common package to apache2-data. It would be very complicated to
upgrade from the apache2.2-common packages as it "Replaces: apache2-common"
from the 2.0 transition
* Enable some more modules
diff --git a/debian/apache2-bin.install b/debian/apache2-bin.install
index 60bbda5..63c573f 100644
--- a/debian/apache2-bin.install
+++ b/debian/apache2-bin.install
@@ -1,3 +1,2 @@
/usr/lib/apache2/modules/
/usr/sbin/apache2
-/usr/sbin/httxt2dbm
diff --git a/debian/apache2-bin.manpages b/debian/apache2-bin.manpages
index 2995782..73118ad 100644
--- a/debian/apache2-bin.manpages
+++ b/debian/apache2-bin.manpages
@@ -1,2 +1 @@
debian/manpages/apache2.8
-debian/manpages/httxt2dbm.8
diff --git a/debian/apache2-common.bug-control b/debian/apache2-data.bug-control
similarity index 100%
rename from debian/apache2-common.bug-control
rename to debian/apache2-data.bug-control
diff --git a/debian/apache2-common.bug-script b/debian/apache2-data.bug-script
similarity index 100%
rename from debian/apache2-common.bug-script
rename to debian/apache2-data.bug-script
diff --git a/debian/apache2-common.install b/debian/apache2-data.install
similarity index 100%
rename from debian/apache2-common.install
rename to debian/apache2-data.install
diff --git a/debian/apache2.manpages b/debian/apache2-data.manpages
similarity index 100%
rename from debian/apache2.manpages
rename to debian/apache2-data.manpages
diff --git a/debian/apache2-utils.install b/debian/apache2-utils.install
index aa39bb1..7aaa198 100644
--- a/debian/apache2-utils.install
+++ b/debian/apache2-utils.install
@@ -8,5 +8,6 @@
/usr/sbin/rotatelogs /usr/bin
/usr/sbin/htcacheclean /usr/bin
/usr/sbin/checkgid /usr/bin
+/usr/sbin/httxt2dbm /usr/sbin
support/check_forensic /usr/sbin
support/split-logfile /usr/sbin
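Review bot: `/usr/sbin/httxt2dbm /usr/sbin` moves the binary into apache2-utils, but nothing visible in this commit tells dpkg about the takeover. If any already-released package installs that path (presumably the 2.2-series binary package did; confirm), unpacking apache2-utils next to it aborts with a file-overwrite error. The apache2-utils stanza in debian/control would need `Breaks:` and `Replaces:` on that package, versioned `(<< <first-version-with-the-move>)`. The apache2-utils control hunk in this commit only adds the description line, so check whether that relationship already exists outside the shown context.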
diff --git a/debian/apache2-utils.manpages b/debian/apache2-utils.manpages
index fd9131a..2f4ae90 100644
--- a/debian/apache2-utils.manpages
+++ b/debian/apache2-utils.manpages
@@ -6,6 +6,7 @@ debian/tmp/usr/share/man/man1/htdigest.1
debian/tmp/usr/share/man/man1/htdbm.1
debian/tmp/usr/share/man/man1/htpasswd.1
debian/tmp/usr/share/man/man1/dbmmanage.1
+debian/manpages/httxt2dbm.8
debian/manpages/check_forensic.8
debian/manpages/checkgid.8
debian/manpages/split-logfile.8
diff --git a/debian/changelog b/debian/changelog
index bc6657b..bb1e466 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -17,7 +17,7 @@ apache2 (2.3.16-beta-1) UNRELEASED; urgency=low
+ apache2 - configuration files and init scripts, Debian specific helper
scripts
+ apache2-bin - binaries and modules
- + apache2-common - error pages and images
+ + apache2-data - error pages and images
* Drop the ITK MPM entirely for now
* Consolidate development packages. As MPM packages are gone, we do not need
specific development packages either. Thus, drop all MPM specific apache2
@@ -61,7 +61,7 @@ apache2 (2.3.16-beta-1) UNRELEASED; urgency=low
+ Parse "Conflicts: " header to denote conflicts between modules which
cannot be loaded into the same Apache server.
- -- Arno Töll <debian at toell.net> Mon, 30 Jan 2012 02:02:37 +0100
+ -- Arno Töll <debian at toell.net> Wed, 01 Feb 2012 22:49:14 +0100
apache2 (2.2.21-6) UNRELEASED; urgency=low
diff --git a/debian/config-dir/old-mods-available/asis.load b/debian/config-dir/mods-available/asis.load
similarity index 78%
rename from debian/config-dir/old-mods-available/asis.load
rename to debian/config-dir/mods-available/asis.load
index 60d1145..6b73c45 100644
--- a/debian/config-dir/old-mods-available/asis.load
+++ b/debian/config-dir/mods-available/asis.load
@@ -1 +1,2 @@
+# Depends: mime
LoadModule asis_module /usr/lib/apache2/modules/mod_asis.so
diff --git a/debian/config-dir/old-mods-available/deflate.conf b/debian/config-dir/mods-available/deflate.conf
similarity index 100%
rename from debian/config-dir/old-mods-available/deflate.conf
rename to debian/config-dir/mods-available/deflate.conf
diff --git a/debian/config-dir/old-mods-available/deflate.load b/debian/config-dir/mods-available/deflate.load
similarity index 78%
rename from debian/config-dir/old-mods-available/deflate.load
rename to debian/config-dir/mods-available/deflate.load
index d08bbf2..3873ffc 100644
--- a/debian/config-dir/old-mods-available/deflate.load
+++ b/debian/config-dir/mods-available/deflate.load
@@ -1 +1,2 @@
+# Depends: filter
LoadModule deflate_module /usr/lib/apache2/modules/mod_deflate.so
diff --git a/debian/config-dir/old-mods-available/expires.load b/debian/config-dir/mods-available/expires.load
similarity index 100%
rename from debian/config-dir/old-mods-available/expires.load
rename to debian/config-dir/mods-available/expires.load
diff --git a/debian/config-dir/old-mods-available/filter.load b/debian/config-dir/mods-available/filter.load
similarity index 100%
rename from debian/config-dir/old-mods-available/filter.load
rename to debian/config-dir/mods-available/filter.load
diff --git a/debian/config-dir/old-mods-available/negotiation.conf b/debian/config-dir/mods-available/negotiation.conf
similarity index 100%
rename from debian/config-dir/old-mods-available/negotiation.conf
rename to debian/config-dir/mods-available/negotiation.conf
diff --git a/debian/config-dir/old-mods-available/negotiation.load b/debian/config-dir/mods-available/negotiation.load
similarity index 100%
rename from debian/config-dir/old-mods-available/negotiation.load
rename to debian/config-dir/mods-available/negotiation.load
diff --git a/debian/config-dir/old-mods-available/speling.load b/debian/config-dir/mods-available/speling.load
similarity index 100%
rename from debian/config-dir/old-mods-available/speling.load
rename to debian/config-dir/mods-available/speling.load
diff --git a/debian/control b/debian/control
index 0289fbf..37411ea 100644
--- a/debian/control
+++ b/debian/control
@@ -17,7 +17,7 @@ Package: apache2
Architecture: any
Depends: ${misc:Depends}, lsb-base, procps [!hurd-i386],
perl, mime-support, apache2-bin (= ${binary:Version}),
- apache2-common (= ${source:Version})
+ apache2-data (= ${source:Version})
Recommends: ssl-cert
Description: Apache HTTP Server
The Apache Software Foundation's goal is to build a secure, efficient and
@@ -27,13 +27,11 @@ Description: Apache HTTP Server
This package contains the configuration files, init scripts and support
scripts. It does not install the actual apache2 binaries.
-Package: apache2-common
+Package: apache2-data
Architecture: all
#Depends: ${misc:Depends}, apache2-bin (= ${binary:Version}), apache2-utils, mime-support, lsb-base, procps [!hurd-i386], perl
Depends: ${misc:Depends}
Recommends: ssl-cert
-#Conflicts: apache2-common, apache
-#Replaces: apache2-common
Description: Apache HTTP Server common files
The Apache Software Foundation's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
@@ -56,7 +54,7 @@ Description: Apache HTTP Server common binary files
This package contains the binaries only and does not set up a working
web-server instance. Install the "apache2" package to get a fully working
instance. Do not install this package unless you want to set-up the Apache
- HTTP server entirely on your own.
+ HTTP server entirely on your own.
Package: apache2-utils
Architecture: any
@@ -77,13 +75,14 @@ Description: utility programs for webservers
- split-logfile (Split a single log including multiple vhosts)
- checkgid (Checks whether the caller can setgid to the specified group)
- check_forensic (Extract mod_log_forensic output from Apache log files)
+ - httxt2dbm (Generate dbm files for use with RewriteMap)
Package: apache2-suexec-pristine
Architecture: any
Depends: ${misc:Depends}, ${shlibs:Depends}
#Depends: ${misc:Depends}, ${shlibs:Depends}, apache2.2-common
#Conflicts: apache2-suexec, apache-common
-#Replaces: apache2-suexec
+Replaces: apache2-suexec
Description: Standard suexec program for Apache 2 mod_suexec
Provides the standard suexec helper program for mod_suexec. This version is
compiled with document root /var/www and userdir suffix public_html. If you
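Review bot: The newly active `Replaces: apache2-suexec` is unversioned and has no matching `Conflicts:` or `Breaks:`; the `#Conflicts: apache2-suexec, apache-common` line directly above it is still commented out. With Replaces alone, dpkg lets this package overwrite the other's files while both remain installed. For the suexec helper, which is normally installed setuid root, that leaves it unclear which package owns and updates a privileged binary. If the intent is a full replacement, restore `Conflicts: apache2-suexec`; if only files moved, pair a versioned `Breaks:` with the `Replaces:`. The same applies to `Replaces: apache2-prefork-dev, apache2-threaded-dev` added to the apache2-dev stanza in the next hunk.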
@@ -119,6 +118,7 @@ Package: apache2-dev
Architecture: any
Depends: ${misc:Depends}, apache2 (= ${binary:Version}), openssl, libaprutil1-dev
Priority: extra
+Replaces: apache2-prefork-dev, apache2-threaded-dev
Description: Apache development headers
This package provides the development headers and apxs2 binary for
threaded versions of apache2; see the apache2 package description
diff --git a/debian/patches/083_CVE-2011-3368 b/debian/patches/083_CVE-2011-3368
deleted file mode 100755
index 69a38c9..0000000
--- a/debian/patches/083_CVE-2011-3368
+++ /dev/null
@@ -1,52 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Upstream r1179525
-
- at DPATCH@
-commit d239e98144d468928fbd2d3f519bd9265d162932
-Author: Joe Orton <jorton at apache.org>
-Date: Thu Oct 6 07:39:13 2011 +0000
-
- Merge r1179239 from trunk:
-
- SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
- reverse proxy configurations by strictly validating the request-URI:
-
- * server/protocol.c (read_request_line): Send a 400 response if the
- request-URI does not match the grammar from RFC 2616. This ensures
- the input string for RewriteRule et al really is an absolute path.
-
- Reviewed by: jim, covener, rjung
-
-
- git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1179525 13f79535-47bb-0310-9956-ffa450edef68
-
---- a/server/protocol.c
-+++ b/server/protocol.c
-@@ -640,6 +640,25 @@
-
- ap_parse_uri(r, uri);
-
-+ /* RFC 2616:
-+ * Request-URI = "*" | absoluteURI | abs_path | authority
-+ *
-+ * authority is a special case for CONNECT. If the request is not
-+ * using CONNECT, and the parsed URI does not have scheme, and
-+ * it does not begin with '/', and it is not '*', then, fail
-+ * and give a 400 response. */
-+ if (r->method_number != M_CONNECT
-+ && !r->parsed_uri.scheme
-+ && uri[0] != '/'
-+ && !(uri[0] == '*' && uri[1] == '\0')) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "invalid request-URI %s", uri);
-+ r->args = NULL;
-+ r->hostname = NULL;
-+ r->status = HTTP_BAD_REQUEST;
-+ r->uri = apr_pstrdup(r->pool, uri);
-+ }
-+
- if (ll[0]) {
- r->assbackwards = 0;
- pro = ll;
diff --git a/debian/patches/084_CVE-2011-4317 b/debian/patches/084_CVE-2011-4317
deleted file mode 100644
index a880bd2..0000000
--- a/debian/patches/084_CVE-2011-4317
+++ /dev/null
@@ -1,66 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Upstream r1209432
-
- at DPATCH@
-commit 318b86756de2049f652561e1a66420b4a92d4a7e
-Author: Joe Orton <jorton at apache.org>
-Date: Fri Dec 2 12:04:20 2011 +0000
-
- Fix for additional cases of URL rewriting with ProxyPassMatch or
- RewriteRule, where particular request-URIs could result in undesired
- backend network exposure in some configurations. (CVE-2011-4317)
-
- Thanks to Prutha Parikh from Qualys for reporting this issue.
-
- * modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
- request-URI. Fail for cases where r->uri does not begin with a "/".
-
- * modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.
-
-
- git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1209432 13f79535-47bb-0310-9956-ffa450edef68
-
---- a/modules/mappers/mod_rewrite.c
-+++ b/modules/mappers/mod_rewrite.c
-@@ -4283,6 +4283,18 @@
- return DECLINED;
- }
-
-+ if (strcmp(r->unparsed_uri, "*") == 0) {
-+ /* Don't apply rewrite rules to "*". */
-+ return DECLINED;
-+ }
-+
-+ /* Check that the URI is valid. */
-+ if (!r->uri || r->uri[0] != '/') {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Invalid URI in request %s", r->the_request);
-+ return HTTP_BAD_REQUEST;
-+ }
-+
- /*
- * add the SCRIPT_URL variable to the env. this is a bit complicated
- * due to the fact that apache uses subrequests and internal redirects
---- a/modules/proxy/mod_proxy.c
-+++ b/modules/proxy/mod_proxy.c
-@@ -566,6 +566,18 @@
- return OK;
- }
-
-+ if (strcmp(r->unparsed_uri, "*") == 0) {
-+ /* "*" cannot be proxied. */
-+ return DECLINED;
-+ }
-+
-+ /* Check that the URI is valid. */
-+ if (!r->uri || r->uri[0] != '/') {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Invalid URI in request %s", r->the_request);
-+ return HTTP_BAD_REQUEST;
-+ }
-+
- /* XXX: since r->uri has been manipulated already we're not really
- * compliant with RFC1945 at this point. But this probably isn't
- * an issue because this is a hybrid proxy/origin server.
diff --git a/debian/patches/085_CVE-2011-3607 b/debian/patches/085_CVE-2011-3607
deleted file mode 100755
index b9963f5..0000000
--- a/debian/patches/085_CVE-2011-3607
+++ /dev/null
@@ -1,29 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 085_CVE-2011-3607.dpatch by Stefan Fritsch <sf at debian.org>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Fix integer overflow, based on upstream r1198940
-
- at DPATCH@
-Index: trunk/server/util.c
-===================================================================
---- trunk.orig/server/util.c 2011-12-29 11:48:52.208562162 +0100
-+++ trunk/server/util.c 2011-12-29 11:50:13.204564281 +0100
-@@ -366,7 +366,7 @@
- char *dest, *dst;
- char c;
- size_t no;
-- int len;
-+ apr_size_t len;
-
- if (!source)
- return NULL;
-@@ -391,6 +391,8 @@
- len++;
- }
- else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
-+ if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
-+ return NULL;
- len += pmatch[no].rm_eo - pmatch[no].rm_so;
- }
-
diff --git a/debian/patches/series b/debian/patches/series
index c953a1c..8c211a2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,9 +21,6 @@
#077_CacheIgnoreURLSessionIdentifiers
#079_polish_translation
#082_ab_num_requests
-#083_CVE-2011-3368
-#084_CVE-2011-4317
-#085_CVE-2011-3607
#099_config_guess_sub_update
201_build_suexec-custom
# The patch below must not be applied by quilt at extraction time. It depends
--
Debian packaging for apache2 (Apache HTTPD 2.x)