Control: tags -1 + confirmed

Hi,

please review the update for apache2 for inclusion into s-p-u. It fixes
a low-impact security issue and also includes two one-line bug fixes.

The changelog is below, debdiff is attached.

As I couldn't find any mail about it, I guess that 7.8 "Not yet planned;
likely mid-December" is not yet closed?

Indeed. There's probably around 10 days before it closes, assuming I can get all the cats herded in time.

   * CVE-2013-5704: Fix handling of chunk trailers. A remote attacker could
     use this flaw to bypass intended mod_headers restrictions, allowing
     them to send requests to applications that include headers that should
     have been removed by mod_headers.
     The new behavior is to not merge trailers into the headers automatically.
     A new directive "MergeTrailers" is introduced to restore the old
     behavior.
   * Fix hostname comparison with SNI to be case insensitive. Closes: #771199
   * Fix value of SSL_CLIENT_S_DN_UID in mod_ssl (broken in 2.2.15).
     Closes: #773841
   * Add paragraph about session ticket key life-time and forward secrecy to
     README.Debian. Closes: #762619

Please go ahead, thanks.

Regards,

Adam
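
Added example, not part of the original mail and not Apache or Debian code: a small Python model of the trailer handling described in the CVE-2013-5704 changelog entry above, showing why trailers are kept apart from the headers by default. The function names, the header name and the request bytes are constructed for illustration; the `merge_trailers` flag only models the effect of the "MergeTrailers" directive.

```python
def parse_chunked(body: bytes):
    """Decode a chunked body. Returns (payload, trailers), trailers kept separate."""
    payload, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)            # ValueError on truncated input
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break                                 # last-chunk: trailers follow
        payload += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += size + 2
    trailers = {}
    while True:
        eol = body.index(b"\r\n", pos)
        line, pos = body[pos:eol], eol + 2
        if not line:
            break                                 # empty line ends the trailer part
        name, _, value = line.partition(b":")
        trailers[name.strip().lower().decode()] = value.strip().decode()
    return payload, trailers


def headers_seen_by_app(headers, body, unset, merge_trailers=False):
    """Model: a header filter runs first, the body is decoded afterwards."""
    # Stage 1: header restriction (stands in for a mod_headers "unset" rule).
    seen = {k.lower(): v for k, v in headers.items() if k.lower() not in unset}
    # Stage 2: body decoding happens after the filter has already run.
    payload, trailers = parse_chunked(body)
    if merge_trailers:
        # Old behaviour: trailer fields land in the header table unfiltered.
        seen.update(trailers)
    return seen, payload, trailers


# Constructed sample request (not captured traffic).
HEADERS = {"Host": "example.test", "Transfer-Encoding": "chunked",
           "X-Internal-User": "guest"}
BODY = b"5\r\nhello\r\n0\r\nX-Internal-User: admin\r\n\r\n"
UNSET = {"x-internal-user"}

if __name__ == "__main__":
    for merge in (False, True):
        seen, _, _ = headers_seen_by_app(HEADERS, BODY, UNSET, merge)
        print("merge_trailers=%s ->" % merge, seen.get("x-internal-user"))
```
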

