
[SRM] please review apache2 2.2.3-4+etch2

From: Stefan Fritsch <sf(at)debian.org>
Date: Mon Aug 27 2007 - 17:21:14 EDT


Hi,

please review apache2 2.2.3-4+etch2 for inclusion in etch r2. Here is the annotated changelog:

> apache2 (2.2.3-4+etch2) stable; urgency=low
>
> * Security fixes:
> - CVE-2006-5752: XSS in mod_status
> - CVE-2007-1863: DoS in mod_cache
> - CVE-2007-3304: parent process could be forced to kill other processes

Minor issues for which Moritz doesn't want to issue a DSA.

> * Add /var/lock/apache2 owner fix to the init script, as /var/lock
> may not persist across reboots. (Closes: #420101)

Can break mod_dav in a quite non-obvious way if /var/lock is on a tmpfs.

> * Fix regression breaking /etc/init.d/apache2 when /bin/sh is not bash
> (Closes: #430386)

RC, introduced in 2.2.3-4+etch1

> * Only allow group www-data to execute suexec (Closes: #431048)

More a security precaution than a security issue

> * Display warning when NO_START=1 even with VERBOSE=no, to avoid
> confusion (Closes: #430116)

Can break apache2 in a quite non-obvious way. (AFAIK VERBOSE=yes was the default in sarge, see also #418499)

> * Unbreak apache2-doc: Ship correct conf.d/apache2-doc and add note how
> to read the docs in README.Debian (Closes: #285290)

apache2-doc is unusable without the config file (it cannot reasonably be viewed directly with a browser).

> * NEWS.Debian: Add warning about new 2.2 config file syntax and point to
> upgrading howto.

Add some parts from the release notes to the package's documentation.

> * Ship /usr/lib/cgi-bin (Closes: #415698)

RC, breaks sqwebmail's postinst.

>
> -- Stefan Fritsch <sf@debian.org> Mon, 27 Aug 2007 22:45:02 +0200

The full debdiff output is at
http://www.sfritsch.de/~stf/apache2_2.2.3-4+etch2.debdiff

Thanks in advance.

Cheers,
Stefan

-- 
To UNSUBSCRIBE, email to debian-apache-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Mon Aug 27 17:21:42 2007

This archive was generated by hypermail 2.1.8 : Sun Oct 07 2007 - 07:57:18 EDT
