Debian Bug report logs - #687114
pu: package apache2/2.2.16-6+squeeze8

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sun, 9 Sep 2012 21:27:02 UTC

Severity: normal

Tags: confirmed, pending, squeeze

Fixed in version 6.0.6

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#687114; Package release.debian.org. (Sun, 09 Sep 2012 21:27:04 GMT)

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 09 Sep 2012 21:27:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package apache2/2.2.16-6+squeeze8
Date: Sun, 09 Sep 2012 23:23:57 +0200
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Please review apache2_2.2.16-6+squeeze8 for inclusion in squeeze. It fixes
a minor security issue and some important bugs:

   * CVE-2012-2687: mod_negotiation: Escape filenames in variant list to
     prevent a possible XSS vulnerability for a site where untrusted users
     can upload files to a location with MultiViews enabled.
   * Send 408 status instead of 400 if reading of a request fails with a
     timeout. This allows browsers to retry. Closes: #677086
   * mod_cache: Prevent Partial Content responses from being cached and served
     as normal response. Closes: #671204
   * mpm_itk: Fix an issue where users can sometimes get spurious 403s on
     persistent connections. Closes: #672333

Full debdiff is attached.

Cheers,
Stefan
[apache2_2.2.16-6+squeeze8.debdiff (text/x-diff, attachment)]
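
The kind of output encoding the CVE-2012-2687 changelog entry describes, as an added example: this is not code from the bug report, the attached debdiff or Apache's mod_negotiation. The function names (`put`, `put_html`, `put_url`, `render_variant`) and the list markup are hypothetical. A filename taken from an upload directory is percent-encoded where it lands in a URL and entity-escaped where it lands in HTML text, so markup characters in the name cannot become markup in the generated list.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Append s to out (capacity cap, length *n); returns -1 if it does not fit. */
static int put(char *out, size_t cap, size_t *n, const char *s)
{
    size_t len = strlen(s);
    if (*n + len >= cap) return -1;
    memcpy(out + *n, s, len + 1);
    *n += len;
    return 0;
}

/* HTML text context: replace markup metacharacters with entities. */
static int put_html(char *out, size_t cap, size_t *n, const char *s)
{
    for (; *s; s++) {
        char one[2] = { *s, '\0' };
        const char *rep = *s == '<' ? "&lt;" : *s == '>' ? "&gt;" :
                          *s == '&' ? "&amp;" : *s == '"' ? "&quot;" :
                          *s == '\'' ? "&#39;" : one;
        if (put(out, cap, n, rep)) return -1;
    }
    return 0;
}

/* URL path-segment context: percent-encode all but unreserved bytes. */
static int put_url(char *out, size_t cap, size_t *n, const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        char enc[4];
        if (isalnum(c) || strchr("-._~", c)) { enc[0] = (char)c; enc[1] = '\0'; }
        else snprintf(enc, sizeof enc, "%%%02X", (unsigned)c);
        if (put(out, cap, n, enc)) return -1;
    }
    return 0;
}

/* One variant-list entry; filename is untrusted on sites that accept uploads.
 * Returns 0 on success, -1 if out is too small (entry must then be dropped). */
int render_variant(const char *filename, char *out, size_t cap)
{
    size_t n = 0;
    return (put(out, cap, &n, "<li><a href=\"") || put_url(out, cap, &n, filename) ||
            put(out, cap, &n, "\">") || put_html(out, cap, &n, filename) ||
            put(out, cap, &n, "</a></li>\n")) ? -1 : 0;
}
```
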

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#687114; Package release.debian.org. (Tue, 11 Sep 2012 20:09:06 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 11 Sep 2012 20:09:06 GMT)

Message #10 received at 687114@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Stefan Fritsch <sf@sfritsch.de>, 687114@bugs.debian.org
Subject: Re: Bug#687114: pu: package apache2/2.2.16-6+squeeze8
Date: Tue, 11 Sep 2012 21:04:28 +0100
Control: tags -1 + squeeze confirmed

On Sun, 2012-09-09 at 23:23 +0200, Stefan Fritsch wrote:
> Please review apache2_2.2.16-6+squeeze8 for inclusion in squeeze. It fixes
> a minor security issue and some important bugs:
> 
>    * CVE-2012-2687: mod_negotiation: Escape filenames in variant list to
>      prevent a possible XSS vulnerability for a site where untrusted users
>      can upload files to a location with MultiViews enabled.
>    * Send 408 status instead of 400 if reading of a request fails with a
>      timeout. This allows browsers to retry. Closes: #677086
>    * mod_cache: Prevent Partial Content responses from being cached and served
>      as normal response. Closes: #671204
>    * mpm_itk: Fix an issue where users can sometimes get spurious 403s on
>      persistent connections. Closes: #672333

Assuming that the resulting package has been tested on a squeeze system,
please go ahead; thanks.

Regards,

Adam




Added tag(s) squeeze and confirmed. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 687114-submit@bugs.debian.org. (Tue, 11 Sep 2012 20:09:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#687114; Package release.debian.org. (Wed, 12 Sep 2012 22:21:03 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 12 Sep 2012 22:21:03 GMT)

Message #17 received at 687114@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: 687114@bugs.debian.org
Cc: Stefan Fritsch <sf@sfritsch.de>
Subject: Re: Bug#687114: pu: package apache2/2.2.16-6+squeeze8
Date: Wed, 12 Sep 2012 23:16:16 +0100
Control: tags -1 + pending

On Tue, 2012-09-11 at 21:04 +0100, Adam D. Barratt wrote:
> On Sun, 2012-09-09 at 23:23 +0200, Stefan Fritsch wrote:
> > Please review apache2_2.2.16-6+squeeze8 for inclusion in squeeze. It fixes
> > a minor security issue and some important bugs:
[...]
> Assuming that the resulting package has been tested on a squeeze system,
> please go ahead; thanks.

For the record, this was uploaded and I've just flagged the package for
acceptance; thanks.

Regards,

Adam




Added tag(s) pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 687114-submit@bugs.debian.org. (Wed, 12 Sep 2012 22:21:03 GMT)

Marked as fixed in versions 6.0.6. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Fri, 05 Oct 2012 09:27:21 GMT)

Marked Bug as done. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Fri, 05 Oct 2012 09:27:21 GMT)

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (Fri, 05 Oct 2012 09:27:22 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 03 Nov 2012 07:25:50 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 03:34:46 2014; Machine Name: buxtehude.debian.org