This page collects goals for lenny for the apache2/apr/apr-util/ssl-cert packages and ideas on how to implement them. Feel free to comment, but please mark comments as such.


SNI (delayed until lenny+1)

TLS Server Name Indication support is in upstream trunk but not in 2.2.x. See 461917 PR34607

Support for SNI in openssl was added in 0.9.8g-7, already in lenny.

thom on IRC: I don't think the outstanding questions will get cleared up and I don't think it'll have enough testing to get shoved in right before a release

SF: We will not backport the patch.

Configuration (done)

See this thread

Uploaded in 2.2.9-3

Mysql support for mod_dbd (done)

Either mysql 450535 or php-mysql 469081 needs to change first. Php5 was changed in 5.2.6-1.

Suexec (done)

Uploaded in 2.2.8-5

Support for /srv (done)

Current suexec supports scripts only in /var/www (and in ~*/public_html).

Allow to disable (done)

Suexec can create local security issues. It would be nice if suexec could be disabled, either by a debconf query or by moving it into a separate package, maybe with two separate packages for the original and configurable versions.


bug reports


Debian-wide hardening support seems unlikely for lenny (d-d-a mail). SF: I would be in favour of enabling the things manually for apr*/apache2.

We should decide and implement soon, to get better testing.

apr and apr-util are done (except on arm/armel, where it does not work because of a gcc bug).

apache2 should be next. Probably we should not enable -fpie, because of problems on some architectures. Also, I am not sure if lenny's gdb supports pie.