[apache2] 02/03: Activate mod_reqtimeout

Stefan Fritsch sf at moszumanska.debian.org
Fri Dec 30 10:11:30 UTC 2016


This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch master
in repository apache2.

commit d4d29e7b7af0522e8300842d2c432bc36ca24090
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Thu Dec 29 19:06:54 2016 +0100

    Activate mod_reqtimeout
---
 debian/apache2.postinst | 12 +++++++++++-
 debian/changelog        |  4 ++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/debian/apache2.postinst b/debian/apache2.postinst
index f494434..66cb6d7 100644
--- a/debian/apache2.postinst
+++ b/debian/apache2.postinst
@@ -42,10 +42,20 @@ enable_default_modules()
 				alias dir autoindex \
 				env mime negotiation setenvif \
 				filter deflate \
-				status ; do
+				status reqtimeout ; do
 			a2enmod -m -q $module
 		done
 	fi
+	if [ -z "$2" ] ; then
+		return 0
+	fi
+	# mod_reqtimeout activation was missed in some versions
+	if dpkg --compare-versions "$2" lt "2.4.10-10+deb8u8" || \
+		(dpkg --compare-versions "$2" gt "2.4.10-11" && \
+		 dpkg --compare-versions "$2" lt "2.4.25-2~")
+	then
+			a2enmod -m -q reqtimeout
+	fi
 }
 
 enable_default_conf()
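Review bot: The comment on the new version check does not explain the window it encodes: upgrades from 2.4.10-10+deb8u8 through 2.4.10-11 are skipped, and `# mod_reqtimeout activation was missed in some versions` does not say why those hosts are left alone. Since this condition decides which upgraded systems get the DoS mitigation the changelog entry refers to, I would spell it out, e.g. `# Not enabled on new installs since jessie; skip 2.4.10-10+deb8u8..2.4.10-11 and >= 2.4.25-2~, which already activate it`, assuming that is the reason for the gap. The check also relies on `$2` being the previously installed version inside enable_default_modules(), which holds only if the caller forwards the postinst arguments to the function. The call site and the start of the function are outside the hunk, so that is worth confirming. Minor: `{ …; }` would group the two comparisons without a subshell, and the `a2enmod -m -q reqtimeout` line is indented one tab deeper than the surrounding code.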
diff --git a/debian/changelog b/debian/changelog
index b734f34..af1237d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,9 @@
 apache2 (2.4.25-2) UNRELEASED; urgency=medium
 
+  * Activate mod_reqtimeout in new installs and during updates from
+    before 2.4.25-2. It was wrongly not activated in new installs since
+    jessie. This made the default installation vulnerable to some DoS
+    attacks.
   * Remove mention of CVE-2016-5387 in 2.4.25-1 changelog. It was already
     fixed in 2.4.23-2.
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git


