Version in base suite: 2.2.3-4+etch6 Version in overlay suite: (not present) Base version: apache2_2.2.3-4+etch6 Target version: apache2_2.2.3-4+etch9 Base file: /org/ftp.debian.org/ftp/pool/main/a/apache2/apache2_2.2.3-4+etch6.dsc Target file: /org/ftp.debian.org/queue/o-p-u-new/apache2_2.2.3-4+etch9.dsc apache2-2.2.3/debian/changelog | 24 + apache2-2.2.3/debian/patches/00list | 3 debian/patches/070_CVE-2009-1195_mod_include_noexec.dpatch | 159 +++++++++++++ debian/patches/071_CVE-2009-1891.dpatch | 36 ++ debian/patches/073_no_deflate_for_HEAD.dpatch | 30 ++ 5 files changed, 252 insertions(+)
diff -u apache2-2.2.3/debian/patches/00list apache2-2.2.3/debian/patches/00list
--- apache2-2.2.3/debian/patches/00list
+++ apache2-2.2.3/debian/patches/00list
@@ -35,0 +36,3 @@
+070_CVE-2009-1195_mod_include_noexec.dpatch
+071_CVE-2009-1891.dpatch
+073_no_deflate_for_HEAD.dpatch
diff -u apache2-2.2.3/debian/changelog apache2-2.2.3/debian/changelog
--- apache2-2.2.3/debian/changelog
+++ apache2-2.2.3/debian/changelog
@@ -1,3 +1,27 @@
+apache2 (2.2.3-4+etch9) oldstable-security; urgency=high
+
+ * Security:
+ CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
+ Also prevent compressing the content for HEAD requests.
+
+ -- Stefan Fritsch Tue, 14 Jul 2009 23:06:43 +0200
+
+apache2 (2.2.3-4+etch8) oldstable-security; urgency=low
+
+ * Security: Fix a bug similar to CVE-2009-1195 that allowed to override
+ more options than configured with AllowOverride (PR 44262).
+
+ -- Stefan Fritsch Fri, 12 Jun 2009 17:09:06 +0200
+
+apache2 (2.2.3-4+etch7) oldstable-security; urgency=low
+
+ * Security: CVE-2009-1195: In configurations using the AllowOverride
+ directive with certain Options= arguments, local users were not restricted
+ from executing commands from a Server-Side-Include script as intended
+ (closes: #530834).
+
+ -- Stefan Fritsch Thu, 11 Jun 2009 10:34:34 +0200
+
 apache2 (2.2.3-4+etch6) stable; urgency=low
 
  * Fix CVE-2007-6388: XSS in mod_status
only in patch2: unchanged:
--- apache2-2.2.3.orig/debian/patches/073_no_deflate_for_HEAD.dpatch
+++ apache2-2.2.3/debian/patches/073_no_deflate_for_HEAD.dpatch
@@ -0,0 +1,30 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: mod_deflate DoS
+## DP: This should switch off deflate for HEAD requests
+
+@DPATCH@
+diff -urNad apache2-2.2.3~/modules/filters/mod_deflate.c apache2-2.2.3/modules/filters/mod_deflate.c
+--- apache2-2.2.3~/modules/filters/mod_deflate.c 2006-07-12 05:38:44.000000000 +0200
++++ apache2-2.2.3/modules/filters/mod_deflate.c 2009-07-14 23:07:54.804857905 +0200
+@@ -402,6 +402,19 @@
+ apr_size_t len;
+ int done = 0;
+
++ /*
++ * Optimization: If we are a HEAD request and bytes_sent is not zero
++ * it means that we have passed the content-length filter once and
++ * have more data to sent. This means that the content-length filter
++ * could not determine our content-length for the response to the
++ * HEAD request anyway (the associated GET request would deliver the
++ * body in chunked encoding) and we can stop compressing.
++ */
++ if (r->header_only && r->bytes_sent) {
++ ap_remove_output_filter(f);
++ return ap_pass_brigade(f->next, bb);
++ }
++
+ e = APR_BRIGADE_FIRST(bb);
+
+ if (APR_BUCKET_IS_EOS(e)) {
only in patch2: unchanged:
--- apache2-2.2.3.orig/debian/patches/070_CVE-2009-1195_mod_include_noexec.dpatch
+++ apache2-2.2.3/debian/patches/070_CVE-2009-1195_mod_include_noexec.dpatch
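Review bot: The `## DP:` description of this dpatch reads only `mod_deflate DoS`, which is word for word the description 071_CVE-2009-1891.dpatch carries, while the comment inside the hunk presents the change as an optimization that stops compressing once a HEAD response has already had bytes sent; anyone triaging the security update cannot tell the two patches apart from their headers. Suggest replacing that first DP line with the wording the changelog already uses, `## DP: CVE-2009-1891 follow-up: do not compress the content for HEAD requests`. The new early exit calls ap_remove_output_filter(f) and passes the brigade through without touching the filter's own state; if an earlier call had already initialised a compression context (not visible in this hunk), confirm that it is released by a pool cleanup rather than by the EOS handling this path now bypasses. The enclosing filter function starts and ends outside the hunk.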
@@ -0,0 +1,159 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 070_CVE-2009-1195_mod_include_noexec.dpatch by Stefan Fritsch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2009-1195 and PR 44262
+
+@DPATCH@
+diff -urNad etch-apache2~/include/http_core.h etch-apache2/include/http_core.h
+--- etch-apache2~/include/http_core.h 2006-07-12 05:38:44.000000000 +0200
++++ etch-apache2/include/http_core.h 2009-06-12 17:06:57.967613032 +0200
+@@ -65,7 +65,7 @@
+ #define OPT_NONE 0
+ /** Indexes directive */
+ #define OPT_INDEXES 1
+-/** Includes directive */
++/** SSI is enabled without exec= permission */
+ #define OPT_INCLUDES 2
+ /** FollowSymLinks directive */
+ #define OPT_SYM_LINKS 4
+@@ -80,9 +80,22 @@
+ /** MultiViews directive */
+ #define OPT_MULTI 128
+ /** All directives */
+-#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
++#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI)
+ /** @} */
+
++#ifdef CORE_PRIVATE
++/* For internal use only - since 2.2.12, the OPT_INCNOEXEC bit is
++ * internally replaced by OPT_INC_WITH_EXEC. The internal semantics
++ * of the two SSI-related bits are hence:
++ *
++ * OPT_INCLUDES => "enable SSI, without exec= permission"
++ * OPT_INC_WITH_EXEC => "iff OPT_INCLUDES is set, also enable exec="
++ *
++ * The set of options exposed via ap_allow_options() retains the
++ * semantics of OPT_INCNOEXEC by flipping the bit.
*/
++#define OPT_INC_WITH_EXEC OPT_INCNOEXEC
++#endif
++
+ /**
+ * @defgroup get_remote_host Remote Host Resolution
+ * @ingroup APACHE_CORE_HTTPD
+diff -urNad etch-apache2~/server/config.c etch-apache2/server/config.c
+--- etch-apache2~/server/config.c 2009-06-12 17:06:57.235614758 +0200
++++ etch-apache2/server/config.c 2009-06-12 17:06:57.967613032 +0200
+@@ -1493,7 +1493,7 @@
+ parms.temp_pool = ptemp;
+ parms.server = s;
+ parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+
+ parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives",
+ &arr_parms, NULL,
+@@ -1625,7 +1625,7 @@
+ parms.temp_pool = ptemp;
+ parms.server = s;
+ parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+
+ rv = ap_pcfg_openfile(&cfp, p, fname);
+ if (rv != APR_SUCCESS) {
+@@ -1764,7 +1764,7 @@
+ parms.temp_pool = ptemp;
+ parms.server = s;
+ parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+ parms.limited = -1;
+
+ errmsg = ap_walk_config(conftree, &parms, s->lookup_defaults);
+diff -urNad etch-apache2~/server/core.c etch-apache2/server/core.c
+--- etch-apache2~/server/core.c 2009-06-12 17:06:57.139611738 +0200
++++ etch-apache2/server/core.c 2009-06-12 17:08:16.407990843 +0200
+@@ -108,8 +108,7 @@
+ conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
+ conf->opts_add = conf->opts_remove = OPT_NONE;
+ conf->override = dir ?
OR_UNSET : OR_UNSET|OR_ALL;
+- conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER
+- | OPT_MULTI;
++ conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+
+ conf->content_md5 = 2;
+ conf->accept_path_info = 3;
+@@ -243,8 +242,15 @@
+ conf->opts_remove = (conf->opts_remove & ~new->opts_add)
+ | new->opts_remove;
+ conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add;
+- if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) {
+- conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES;
++
++ /* If Includes was enabled with exec in the base config, but
++ * was enabled without exec in the new config, then disable
++ * exec in the merged set. */
++ if (((base->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++ == (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++ && ((new->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++ == OPT_INCLUDES)) {
++ conf->opts &= ~OPT_INC_WITH_EXEC;
+ }
+ }
+ else {
+@@ -658,7 +664,16 @@
+ core_dir_config *conf =
+ (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module);
+
+- return conf->opts;
++ /* Per comment in http_core.h - the OPT_INC_WITH_EXEC bit is
++ * inverted, such that the exposed semantics match that of
++ * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not*
++ * permitted. */
++ if (conf->opts & OPT_INCLUDES) {
++ return conf->opts ^ OPT_INC_WITH_EXEC;
++ }
++ else {
++ return conf->opts;
++ }
+ }
+
+ AP_DECLARE(int) ap_allow_overrides(request_rec *r)
+@@ -1304,10 +1319,12 @@
+ opt = OPT_INDEXES;
+ }
+ else if (!strcasecmp(w, "Includes")) {
+- opt = OPT_INCLUDES;
++ /* If Includes is permitted, both Includes and
++ * IncludesNOEXEC may be changed.
*/
++ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
+ }
+ else if (!strcasecmp(w, "IncludesNOEXEC")) {
+- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
++ opt = OPT_INCLUDES;
+ }
+ else if (!strcasecmp(w, "FollowSymLinks")) {
+ opt = OPT_SYM_LINKS;
+@@ -1428,10 +1445,10 @@
+ opt = OPT_INDEXES;
+ }
+ else if (!strcasecmp(w, "Includes")) {
+- opt = OPT_INCLUDES;
++ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
+ }
+ else if (!strcasecmp(w, "IncludesNOEXEC")) {
+- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
++ opt = OPT_INCLUDES;
+ }
+ else if (!strcasecmp(w, "FollowSymLinks")) {
+ opt = OPT_SYM_LINKS;
+@@ -1458,7 +1475,7 @@
+ return apr_pstrcat(cmd->pool, "Illegal option ", w, NULL);
+ }
+
+- if (!(cmd->override_opts & opt) && opt != OPT_NONE) {
++ if ( (cmd->override_opts & opt) != opt ) {
+ return apr_pstrcat(cmd->pool, "Option ", w, " not allowed here", NULL);
+ }
+ else if (action == '-') {
only in patch2: unchanged:
--- apache2-2.2.3.orig/debian/patches/071_CVE-2009-1891.dpatch
+++ apache2-2.2.3/debian/patches/071_CVE-2009-1891.dpatch
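Review bot: The new permission test in the last core.c hunk, `if ( (cmd->override_opts & opt) != opt ) {`, is the line that appears to close the PR 44262 part of this patch (an Options value is now refused unless every bit it would set is overridable, so a directory limited to `IncludesNOEXEC` can no longer turn on exec= by asking for `Includes`, which now carries both OPT_INCLUDES and OPT_INC_WITH_EXEC), yet nothing at that line records this; suggest a comment above it, `/* Every bit the option sets must be overridable: Includes needs both OPT_INCLUDES and OPT_INC_WITH_EXEC, so AllowOverride Options=IncludesNOEXEC does not permit Options +Includes. */`. The comment added to http_core.h says `since 2.2.12`, which will mislead anyone reading this 2.2.3 tree; `backported from 2.2.12` states what actually happened. The three config.c hunks write the same `parms.override_opts` expression in three places, so a later backport can easily update one and miss the others; one shared macro or helper would keep them aligned. The functions enclosing every hunk in this file start and end outside the hunk, so the callers of these two option tables are not visible here.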
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: mod_deflate DoS
+## DP: http://mail-archives.apache.org/mod_mbox/httpd-dev/200907.mbox/<20090703100048.GA4492@redhat.com>
+
+@DPATCH@
+--- a/server/core_filters.c (revision 790833)
++++ a/server/core_filters.c (working copy)
+@@ -542,6 +542,12 @@
+ apr_read_type_e eblock = APR_NONBLOCK_READ;
+ apr_pool_t *input_pool = b->p;
+
++ /* Fail quickly if the connection has already been aborted. */
++ if (c->aborted) {
++ apr_brigade_cleanup(b);
++ return APR_ECONNABORTED;
++ }
++
+ if (ctx == NULL) {
+ ctx = apr_pcalloc(c->pool, sizeof(*ctx));
+ net->out_ctx = ctx;
+@@ -909,12 +909,9 @@
+ /* No need to check for SUCCESS, we did that above. */
+ if (!APR_STATUS_IS_EAGAIN(rv)) {
+ c->aborted = 1;
++ return APR_ECONNABORTED;
+ }
+
+- /* The client has aborted, but the request was successful. We
+- * will report success, and leave it to the access and error
+- * logs to note that the connection was aborted.
+- */
+ return APR_SUCCESS;
+ }
+
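Review bot: The second hunk returns `APR_ECONNABORTED` immediately after setting `c->aborted = 1`, but unlike the new early exit in the first hunk it does not call `apr_brigade_cleanup(b)` first; the surrounding function is outside the hunk, so I cannot tell whether the brigade still holds buckets at that point, but the two abort paths should either both clean up or carry a comment saying why the later one need not. The deleted comment was the only statement that the filter deliberately reported success after a client abort, and the replacement leaves no record of why that policy was reversed; a short comment on the new return, such as `/* Report the abort so upstream filters and handlers stop generating output for a dead connection. */`, would preserve that context and tie the change to the denial of service it addresses. The `## DP:` lines say only `mod_deflate DoS` plus a list URL, although the file touched is server/core_filters.c rather than mod_deflate; naming the actual change (the core output filter fails fast once the connection is aborted) will help the next rebase of this patch.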