
[SRM] Please review apache2_2.2.3-4+etch4

From: Stefan Fritsch <sf(at)debian.org>
Date: Sat Jan 26 2008 - 09:55:09 EST


Hi stable release managers,

please review apache2 2.2.3-4+etch4 for inclusion in etch r3. Here is the changelog:

apache2 (2.2.3-4+etch4) stable; urgency=low

  • Fix various cross site scripting vulnerabilities with browsers that do not conform to RFC 2616: Apache now adds explicit ContentType and Charset headers to the output of various modules, even if AddDefaultCharset is commented out. This includes directory indexes generated by mod_autoindex and mod_proxy_ftp. Backport the charset and type IndexOptions, and the ProxyFtpDirCharset directive. These allow specifying the character set that is sent with the generated directory indexes. (CVE-2007-4465, CVE-2008-0005, closes: #453783)
  • Reduce memory usage of chunk filter and ap_rwrite/ap_rflush (Closes: #399776, #421557)
  • More minor security fixes:
    • XSS in mod_imagemap (CVE-2007-5000)
    • XSS in mod_proxy_balancer's balancer manager (CVE-2007-6421)
    • XSS in HTTP method in 413 error message (CVE-2007-6203)
    • possible crash in mod_proxy_balancer's balancer manager (CVE-2007-6422)
  • Fix mod_proxy_balancer configuration file parsing (closes: #453630).
  • Don't ship NEWS.Debian with apache2-utils as it affects only the server. Remove bogus reference to 2.2.3-5 from README.Debian, and add note about MSIE SSL workaround.

The full debdiff is at
http://people.debian.org/~sf/apache2_2.2.3-4+etch4.debdiff

Unfortunately the fix for CVE-2007-4465 and CVE-2008-0005 needs to introduce new config directives (otherwise there would be regressions). Therefore, and because of the corresponding documentation updates, the diff is quite large.

In order for the behaviour in the default configuration to stay the same, I updated apache2.conf and proxy.conf. Not doing so would change the behaviour for people who use non-ASCII filenames. If you think that would be better than forcing all people to merge the changed apache2.conf, I could remove that change. I am not quite sure which option is better.

Thanks in advance.

Cheers,
Stefan
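The directives the changelog above backports, shown as an added configuration example (not Debian's shipped apache2.conf or proxy.conf, and not part of the original message). The weak state is the one the message describes: AddDefaultCharset commented out, so generated directory listings carry no charset and a non-conforming browser sniffs the encoding itself. The hardened state declares both the type and the charset on generated listings. The path /var/www/ and the choice of UTF-8 are assumptions; the charset must match the encoding of the file names on the server, which is exactly the regression risk the message raises for non-ASCII file names.

```apache
# Weak: with AddDefaultCharset commented out, pages generated by
# mod_autoindex and mod_proxy_ftp are sent without a charset, and a
# browser that does not follow RFC 2616 may guess one (the CVE-2007-4465
# and CVE-2008-0005 problem described in the changelog).
#AddDefaultCharset UTF-8

# Hardened: label generated directory listings explicitly.
# IndexOptions Charset= and Type= are the options backported in this
# upload. /var/www/ is an assumed path; UTF-8 is an assumption and must
# match the encoding of the file names on disk.
<Directory /var/www/>
    Options +Indexes
    IndexOptions FancyIndexing Charset=UTF-8 Type=text/html
</Directory>

# Listings that mod_proxy_ftp builds from a remote FTP server get their
# charset from the backported ProxyFtpDirCharset directive (default
# ISO-8859-1; UTF-8 again assumed here).
<IfModule mod_proxy_ftp.c>
    ProxyFtpDirCharset UTF-8
</IfModule>
```

After reloading, a request for a listing directory (for example `curl -sI http://localhost/somedir/`) should show a Content-Type value that carries an explicit charset parameter; a listing that still comes back as bare `text/html` has not picked up the options, usually because a more specific Directory block overrides IndexOptions without the Charset= and Type= keywords.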


Received on Sat Jan 26 09:55:40 2008

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 03:00:19 EDT

