author: Stefan Fritsch <sf@sfritsch.de> 2013-05-30 15:13:45 +0200
committer: Stefan Fritsch <sf@sfritsch.de> 2013-05-30 15:13:45 +0200
commit: c7f1a230b9560109b16b910665fd4d3860cb6602 (patch)
tree: 3347b174bda9150e22794fa651d45ab4494d1cc6
parent: ef1ca7c3f2a232ccc8da4091d2d93668bdb33ad9 (diff)
download: apache2-c7f1a230b9560109b16b910665fd4d3860cb6602.tar.gz
Add note to README.Debian about CVE-2013-0966
-rw-r--r-- debian/apache2.README.Debian | 11
-rw-r--r-- debian/changelog | 2
2 files changed, 13 insertions, 0 deletions
diff --git a/debian/apache2.README.Debian b/debian/apache2.README.Debian
index e4e7f3bc..825c5e38 100644
--- a/debian/apache2.README.Debian
+++ b/debian/apache2.README.Debian
@@ -282,6 +282,17 @@ time and the default suexec mechanism can be picked by using the
update-alternatives(8) system.
+Unicode File Name Normalization
+===============================
+
+Using Apache with the document root on a file system that does unicode
+normalization on the filenames can cause security issues. In Debian,
+this affects ZFS with the non-default option to enable filename normalization,
+and HFS+. It is strongly recommended not to use Apache with such file systems.
+More information about this issue can be found by searching the web for
+CVE-2013-0966.
+
+
Documentation
=============
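Review bot: the new section tells the admin that normalization "can cause security issues" but never says what the issue is, and its only pointer is "searching the web for CVE-2013-0966"; a README.Debian note should let the reader judge exposure without leaving the file. Replace the last sentence with a stable reference (the MITRE or Debian security-tracker entry for CVE-2013-0966) and add one sentence on the mechanism, which I take to be that when the file system canonicalizes names to one Unicode form, a request for a path whose bytes differ from the one named in the configuration still opens the same file, so directives matched against the literal path (a <Directory>, <Files> or <Location> block guarding it) no longer apply; if that is the intended point, say so in the text. The two blank lines before "Documentation" also look like one too many.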
diff --git a/debian/changelog b/debian/changelog
index 6fa2588c..4e9949ae 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ apache2 (2.4.4-4) UNRELEASED; urgency=low
- fix pod error
- add overrides for hardening-no-fortify-functions
- don't use /lib/init/vars.sh in init script
+ * Add note to README.Debian about CVE-2013-0966 if the document root is
+ on HFS+ or on ZFS with filename normalization.
[ Arno Töll ]
* Correct maintainer scripts by removing forgotten left-overs of our Squeeze
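Review bot: the entry reads like a security fix ("about CVE-2013-0966") although the change is documentation only; CVE identifiers in debian/changelog are routinely picked up by tooling, so state explicitly that this is a README note and that nothing in the package mitigates the issue, e.g. "Document in README.Debian that CVE-2013-0966 (Unicode file name normalization) applies if the document root is on HFS+ or on ZFS with filename normalization; no fix in the package." Also confirm the line lands under the intended maintainer block: the "[ Arno Töll ]" tag below it starts a new block and the author tag this entry falls under is outside the hunk.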