[SCM] Debian packaging for apache2 branch, next, updated. debian/2.4.4-2-34-gc7f1a23

Stefan Fritsch sf at sfritsch.de
Thu May 30 13:15:10 UTC 2013


The following commit has been merged in the next branch:
commit c7f1a230b9560109b16b910665fd4d3860cb6602
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Thu May 30 15:13:45 2013 +0200

    Add note to README.Debian about CVE-2013-0966

diff --git a/debian/apache2.README.Debian b/debian/apache2.README.Debian
index e4e7f3b..825c5e3 100644
--- a/debian/apache2.README.Debian
+++ b/debian/apache2.README.Debian
@@ -282,6 +282,17 @@ time and the default suexec mechanism can be picked by using the
 update-alternatives(8) system.
 
 
+Unicode File Name Normalization
+===============================
+
+Using Apache with the document root on a file system that does unicode
+normalization on the filenames can cause security issues. In Debian,
+this affects ZFS with the non-default option to enable filename normalization,
+and HFS+. It is strongly recommended not to use Apache with such file systems.
+More information about this issue can be found by searching the web for
+CVE-2013-0966.
+
+
 Documentation
 =============
 
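
Review bot: the last sentence of the new section ("More information about this issue can be found by searching the web for CVE-2013-0966") points the reader at a web search rather than a stable reference, and the first sentence says only "can cause security issues" without saying what kind. A one-line statement of what goes wrong and a fixed pointer to the advisory would let an admin assess exposure from the README alone. The ZFS case is described as "the non-default option to enable filename normalization" without naming the option, so a reader cannot check a dataset from this text; name it. The text also speaks only of "the document root"; if other directories served by Apache are equally affected, say so. Minor: "unicode" in the body should be capitalised to match the heading.
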
diff --git a/debian/changelog b/debian/changelog
index 6fa2588..4e9949a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ apache2 (2.4.4-4) UNRELEASED; urgency=low
     - fix pod error
     - add overrides for hardening-no-fortify-functions
     - don't use /lib/init/vars.sh in init script
+  * Add note to README.Debian about CVE-2013-0966 if the document root is
+    on HFS+ or on ZFS with filename normalization.
 
   [ Arno Töll ]
   * Correct maintainer scripts by removing forgotten left-overs of our Squeeze
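
Review bot: the added changelog entry reads as if the note is added conditionally ("Add note to README.Debian about CVE-2013-0966 if the document root is on HFS+ or on ZFS ..."), when the condition belongs to the issue and not to the act of adding the note. Suggest rewording so the condition attaches to the CVE, for example "Add note to README.Debian about CVE-2013-0966, which applies when the document root is on HFS+ or on ZFS with filename normalization."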

-- 
Debian packaging for apache2


