[apache2] 01/03: Activate mod_reqtimeout
Stefan Fritsch
sf at moszumanska.debian.org
Sat Jan 21 22:05:25 UTC 2017
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch jessie
in repository apache2.
commit 654a605f4a861e5a32074b9406905e8da5953b59
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Thu Dec 29 19:06:54 2016 +0100
Activate mod_reqtimeout
---
debian/apache2.postinst | 10 +++++++++-
debian/changelog | 4 ++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/debian/apache2.postinst b/debian/apache2.postinst
index 0f6d987..f226e13 100644
--- a/debian/apache2.postinst
+++ b/debian/apache2.postinst
@@ -205,7 +205,7 @@ enable_default_modules()
alias dir autoindex \
env mime negotiation setenvif \
filter deflate \
- status ; do
+ status reqtimeout ; do
a2enmod -m -q $module
done
elif we_are_upgrading_from_wheezy $@; then
@@ -223,6 +223,14 @@ enable_default_modules()
fi
done
fi
+ if [ -z "$2" ] ; then
+ return 0
+ fi
+ # mod_reqtimeout activation was missed since jessie
+ if dpkg --compare-versions "$2" lt "2.4.10-10+deb8u8"
+ then
+ a2enmod -m -q reqtimeout
+ fi
}
enable_default_conf()
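Review bot: The added upgrade guard at the end of enable_default_modules keys only on `$2`, and the bare `return 0` before it will silently skip anything later appended to the function on fresh installs. A single condition, `if [ -n "$2" ] && dpkg --compare-versions "$2" lt "2.4.10-10+deb8u8" ; then`, does the same without the early exit. The function's start and its call site are outside the hunk, so it should be confirmed that it only runs for `configure`, since postinst's `$2` carries a different meaning for the abort-* actions. As this closes a DoS exposure, the comment could also state that every upgrade from an older version enables reqtimeout, and whether `a2enmod -m` leaves alone a module the administrator deliberately disabled; that behaviour is not visible here.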
diff --git a/debian/changelog b/debian/changelog
index 705bc4c..e5c3f1c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,9 @@
apache2 (2.4.10-10+deb8u8) UNRELEASED; urgency=medium
+ * Activate mod_reqtimeout in new installs and during updates from
+ before 2.4.10-10+deb8u8. It was wrongly not activated in new installs
+ since jessie. This made the default installation vulnerable to some
+ DoS attacks.
* Don't run 2.2 to 2.4 upgrade logic again when upgrading from
2.4.10-10+deb8u*. Closes: #836818
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git