Bug#717231: apr hard-codes -fstack-protector even on unsupported platforms

2013-07-18 Thread Matthias Klose
Package: apr
Version: 1.4.8-1

apr hard-codes -fstack-protector even on unsupported platforms, leading to not
that useful warnings during the build.


-- 
To UNSUBSCRIBE, email to debian-apache-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51e7b0b9.70...@debian.org



Bug#717272: apache2: Fix for CVE-2013-1896

2013-07-18 Thread Marc Deslauriers
Package: apache2
Version: 2.4.4-6
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu saucy ubuntu-patch

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: denial of service via MERGE request
- debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
  in modules/dav/main/mod_dav.c.
- CVE-2013-1896


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers raring-updates
  APT policy: (500, 'raring-updates'), (500, 'raring-security'), (500, 'raring'), (100, 'raring-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8.0-26-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru apache2-2.4.4/debian/patches/CVE-2013-1896.patch apache2-2.4.4/debian/patches/CVE-2013-1896.patch
--- apache2-2.4.4/debian/patches/CVE-2013-1896.patch	1969-12-31 19:00:00.0 -0500
+++ apache2-2.4.4/debian/patches/CVE-2013-1896.patch	2013-07-18 11:21:47.0 -0400
@@ -0,0 +1,32 @@
+Description: fix denial of service via MERGE request
+Origin: upstream, http://svn.apache.org/viewvc?view=revisionrevision=1486461
+
+Index: apache2-2.4.4/modules/dav/main/mod_dav.c
+===
+--- apache2-2.4.4.orig/modules/dav/main/mod_dav.c	2011-12-04 19:08:01.0 -0500
 apache2-2.4.4/modules/dav/main/mod_dav.c	2013-07-18 11:20:33.353180556 -0400
+@@ -707,6 +707,12 @@
+ 
+ conf = ap_get_module_config(r-per_dir_config, dav_module);
+ /* assert: conf-provider != NULL */
++if (conf-provider == NULL) {
++return dav_new_error(r-pool, HTTP_METHOD_NOT_ALLOWED, 0, 0,
++ apr_psprintf(r-pool,
++  DAV not enabled for %s,
++	  ap_escape_html(r-pool, r-uri)));
++}
+ 
+ /* resolve the resource */
+ err = (*conf-provider-repos-get_resource)(r, conf-dir,
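Review bot: The comment `/* assert: conf->provider != NULL */` left directly above the new NULL check now says the opposite of what the code does; since this function explicitly handles a missing provider and returns HTTP_METHOD_NOT_ALLOWED, reword or drop that comment so the next reader does not take the assertion at face value. Passing r->uri through ap_escape_html before it is formatted into the error text is correct, since the message may end up in an HTML error body.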
+@@ -2683,11 +2689,6 @@
+   Destination URI had an error.);
+ }
+ 
+-if (dav_get_provider(lookup.rnew) == NULL) {
+-return dav_error_response(r, HTTP_METHOD_NOT_ALLOWED,
+-  DAV not enabled for Destination URI.);
+-}
+-
+ /* Resolve destination resource */
+ err = dav_get_resource(lookup.rnew, 0 /* label_allowed */,
+0 /* use_checked_in */, resnew);
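Review bot: Dropping the explicit dav_get_provider(lookup.rnew) == NULL branch means a Destination URI without a DAV provider is now rejected inside dav_get_resource (the check added at line 707) rather than returned here via dav_error_response, so the status the client receives depends on how the err from the dav_get_resource call below is handled; confirm that path still produces 405 Method Not Allowed for the destination case and not a generic server error. The patch header only says "fix denial of service via MERGE request"; a sentence noting that the destination check was consolidated into dav_get_resource would make the intent of this hunk clear to the next maintainer.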
diff -Nru apache2-2.4.4/debian/patches/series apache2-2.4.4/debian/patches/series
--- apache2-2.4.4/debian/patches/series	2013-07-02 09:33:25.0 -0400
+++ apache2-2.4.4/debian/patches/series	2013-07-18 11:20:09.0 -0400
@@ -20,3 +20,4 @@
 itk-rerun-configure.patch
 upstream-fixes
 allow-strtoul.patch
+CVE-2013-1896.patch


Bug#717299: apache2-dev: dh_apache2 ignores alternative httpd on conf files

2013-07-18 Thread Jean-Michel Vourgère
Package: apache2-dev
Version: 2.4.4-6
Severity: normal

Dear Maintainer,

I'm using a debian/apache2 file like this:
conf javascript-common.conf lighttpd

I expected to get a control file with:
Recommends: apache2 (>= 2.4.4~) | lighttpd | httpd

But I only get:
Recommends: apache2 (>= 2.4.4~) | httpd

On line 386 of /usr/bin/dh_apache2, changing if ($#arguments > 0) to if (1)
fixes my problem.

Regards

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.9-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2-dev depends on:
ii  debhelper9.20130630
ii  libapr1-dev  1.4.8-1
ii  libaprutil1-dev  1.5.2-1
ii  openssl  1.0.1e-3
ii  perl 5.14.2-21

apache2-dev recommends no packages.

apache2-dev suggests no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-apache-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201307190203.54498.jmv_...@nirgal.com