Merge ~bryce/ubuntu/+source/apache2:merge-v2.4.52-1-jammy into ubuntu/+source/apache2:debian/sid

Proposed by Bryce Harrington
Status: Merged
Merge reported by: Bryce Harrington
Merged at revision: 028479c2c5469eb33796f914258b3108c24d58bb
Proposed branch: ~bryce/ubuntu/+source/apache2:merge-v2.4.52-1-jammy
Merge into: ubuntu/+source/apache2:debian/sid
Diff against target: 2604 lines (+2008/-16)
10 files modified
debian/apache2-bin.install (+1/-0)
debian/apache2-utils.ufw.profile (+14/-0)
debian/apache2.dirs (+1/-0)
debian/apache2.install (+1/-0)
debian/apache2.postrm (+1/-0)
debian/apache2.py (+48/-0)
debian/changelog (+1918/-2)
debian/control (+4/-2)
debian/index.html (+19/-12)
debian/source/include-binaries (+1/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
Utkarsh Gupta (community) Approve
git-ubuntu import Pending
Review via email: mp+415047@code.launchpad.net

Description of the change

This is a re-merge of apache2; we already had 2.4.51-2 merged previously. The advantage here is that OpenSSL3 is included in this upstream version, whereas for 2.4.51 we patched it in. Security also asked if we were going to re-merge, which makes me suspect there are some security updates in 2.4.52 that they would like to have included for jammy.

Previously, I had been successful at rebasing on my old branches in order to carry the ubuntu delta commits forward, but the rebase procedure I'd worked out before fails on this release. My best guess is that the procedure is not quite robust and perhaps introduced some irregularity. But it's not vital that we carry the delta forward (more of a nice-to-have), and there's not many items left anyway, so I time-boxed that effort and decided to do a "normal" apache2 merge by manually re-splitting things.

In doing this, I discovered an error in the prior merge: It was intended that the graceful changes be dropped for 2.4.51-2ubuntu1 yet the changes were still present in the delta. I've verified that delta is gone in this merge, and am re-mentioning it in the changelog.

One final point of note for the reviewer: Debian experimental has a newer version, 2.4.51-3. This -3 update includes a switch from pcre3 to pcre2, which sounds like it may resolve a long-standing bug for us (LP: #1792544). I considered merging from experimental to include this, but decided to hold off for now for a few reasons: a) bug 1792544 has been open for 3-4 years and there are still a bunch of non-trivial packages needing updated, so urgency seems not terribly high, b) pcre3->pcre2 might bring changes/regressions to regular expression functionality that may be hard to catch from tests alone, and c) direction from management is to take conservative choices for this LTS. So, I think it is most beneficial to let the pcre2 change gain confidence from being thoroughly tested in Debian, and look at maybe merging it in once they're comfortable including it in unstable.

PPA:
  https://launchpad.net/~bryce/+archive/ubuntu/apache2-merge-v2.4.52-1/+packages
  Still building on arm64 and armhf; other arch's built successfully.

Bileto:
  I've kicked off tests for amd64, s390x, and ppc64el.
  Once they've run, results should be available here:
  https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-bryce-apache2-merge-v2.4.52-1

Usual tags pushed:
  tags/old/debian 826e1a24b
  tags/new/debian 365005afd
  tags/old/ubuntu af8ae353f
  tags/logical/2.4.51-2ubuntu1 e3e516779
  tags/reconstruct/2.4.51-2ubuntu1 72354054a
  tags/split/2.4.51-2ubuntu1 3bbcdc58e

Utkarsh Gupta (utkarsh) wrote :

Hi Bryce, this looks good. The changes that have been dropped are clear (along w/ the description which paints the entire picture) and the delta that we carry is just Ubuntu-specific.

Furthermore, to give you a bit of a background for pcre3 v/s pcre2: Debian is moving to pcre2 from the deprecated and the obsolete pcre3 now. See MBF at https://lists.debian.org/debian-devel/2021/11/msg00176.html. Debian 12 will not ship pcre3 anymore. So whilst it's a good-to-have thing to have moved to pcre2, you're absolutely right that it might result in some breakage, here and there, and isn't a good candidate for the LTS cycle.

So +1, hold off the pcre3->pcre2 switch for now and upload as-is. \o/

review: Approve
Utkarsh Gupta (utkarsh) wrote :

Linked the LP bug in the "Related bugs:" field so the MP is also linked against LP: #1959924. \o/

Andreas Hasenack (ahasenack) wrote :

Looks good, +1

review: Approve
Bryce Harrington (bryce) wrote :

Thanks for the reviews!

Pushed to jammy:

$ debuild -S -sa -uc -us $(git ubuntu prepare-upload args)
Everything up-to-date
 dpkg-buildpackage -us -uc -ui -i -I.bzr -I.svn -I.git -S -sa --changes-option=-DVcs-Git=https://git.launchpad.net/~bryce/ubuntu/+source/apache2 --changes-option=-DVcs-Git-Ref=refs/heads/merge-v2.4.52-1-jammy --changes-option=-DVcs-Git-Commit=028479c2c5469eb33796f914258b3108c24d58bb
dpkg-buildpackage: info: source package apache2
dpkg-buildpackage: info: source version 2.4.52-1ubuntu1
dpkg-buildpackage: info: source distribution jammy
dpkg-buildpackage: info: source changed by Bryce Harrington <email address hidden>
 dpkg-source -i -I.bzr -I.svn -I.git --before-build .
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: applying fhs_compliance.patch
dpkg-source: info: applying no_LD_LIBRARY_PATH.patch
dpkg-source: info: applying suexec-CVE-2007-1742.patch
dpkg-source: info: applying customize_apxs.patch
dpkg-source: info: applying build_suexec-custom.patch
dpkg-source: info: applying reproducible_builds.diff
dpkg-source: info: applying fix-macro.patch
 fakeroot debian/rules clean
dh clean
   dh_clean
 dpkg-source -i -I.bzr -I.svn -I.git -b .
dpkg-source: warning: upstream signing key but no upstream tarball signature
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: building apache2 using existing ./apache2_2.4.52.orig.tar.gz
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: warning: ignoring deletion of directory changes-entries
dpkg-source: warning: ignoring deletion of directory test/modules/md/data/store_migrate/1.0/sample1/challenges
dpkg-source: warning: ignoring deletion of directory test/modules/md/data/store_migrate/1.0/sample1/staging
dpkg-source: warning: ignoring deletion of directory test/modules/md/data/store_migrate/1.0/sample1/tmp
dpkg-source: warning: ignoring deletion of directory docs/manual/style/xsl
dpkg-source: warning: ignoring deletion of directory docs/manual/style/xsl/util
dpkg-source: warning: ignoring deletion of directory docs/manual/style/lang
dpkg-source: info: building apache2 in apache2_2.4.52-1ubuntu1.debian.tar.xz
dpkg-source: info: building apache2 in apache2_2.4.52-1ubuntu1.dsc
 dpkg-genbuildinfo --build=source -O../apache2_2.4.52-1ubuntu1_source.buildinfo
 dpkg-genchanges -sa -DVcs-Git=https://git.launchpad.net/~bryce/ubuntu/+source/apache2 -DVcs-Git-Ref=refs/heads/merge-v2.4.52-1-jammy -DVcs-Git-Commit=028479c2c5469eb33796f914258b3108c24d58bb --build=source -O../apache2_2.4.52-1ubuntu1_source.changes
dpkg-genchanges: info: including full source code in upload
 dpkg-source -i -I.bzr -I.svn -I.git --after-build .
dpkg-source: info: unapplying fix-macro.patch
dpkg-source: info: unapplying reproducible_builds.diff
dpkg-source: info: unapplying build_suexec-custom.patch
dpkg-source: info: unapplying customize_apxs.patch
dpkg-source: info: unapplying suexec-CVE-2007-1742.patch
dpkg-source: info: unapplying no_LD_LIBRARY_PATH.patch
dpkg-source: info: unapplying fhs_compliance.patch
dpkg-buildpackage: info: source-only upload (original source is included)
Now running lintian apache2_2.4.52-1ubuntu1_source.changes ....


Preview Diff

diff --git a/debian/apache2-bin.install b/debian/apache2-bin.install
index 63c573f..3d1bdf1 100644
--- a/debian/apache2-bin.install
+++ b/debian/apache2-bin.install
@@ -1,2 +1,3 @@
1/usr/lib/apache2/modules/1/usr/lib/apache2/modules/
2/usr/sbin/apache22/usr/sbin/apache2
3debian/apache2.py usr/share/apport/package-hooks
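Review bot: the hook added on the last line is named apache2.py but is shipped by apache2-bin, the package that also installs /usr/sbin/apache2 in this file. Apport selects package hooks by file name, so please confirm the hook runs for reports filed against apache2-bin as well as apache2; naming it source_apache2.py would cover every binary package built from this source.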
diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile
3new file mode 1006444new file mode 100644
index 0000000..974a655
--- /dev/null
+++ b/debian/apache2-utils.ufw.profile
@@ -0,0 +1,14 @@
1[Apache]
2title=Web Server
3description=Apache v2 is the next generation of the omnipresent Apache web server.
4ports=80/tcp
5
6[Apache Secure]
7title=Web Server (HTTPS)
8description=Apache v2 is the next generation of the omnipresent Apache web server.
9ports=443/tcp
10
11[Apache Full]
12title=Web Server (HTTP,HTTPS)
13description=Apache v2 is the next generation of the omnipresent Apache web server.
14ports=80,443/tcp
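Review bot: all three sections carry the same description= text, so [Apache Secure] and [Apache Full] differ from [Apache] only in title and ports. Consider a description per profile that says what it opens (HTTP only, HTTPS only, or both), so the profile text matches the exposure an administrator is agreeing to when allowing it.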
diff --git a/debian/apache2.dirs b/debian/apache2.dirs
index 6089013..1aa6d3c 100644
--- a/debian/apache2.dirs
+++ b/debian/apache2.dirs
@@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk
10var/lib/apache210var/lib/apache2
11var/log/apache211var/log/apache2
12var/www/html12var/www/html
13/etc/ufw/applications.d/apache2
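Review bot: the added entry /etc/ufw/applications.d/apache2 has a leading slash while every other entry shown here is relative (var/lib/apache2, var/log/apache2, var/www/html), and it names a directory called apache2 under applications.d rather than applications.d itself. debian/apache2.install places the profile file directly in /etc/ufw/applications.d/, so this line appears to create an unused empty directory next to the profile; suggest dropping it or changing it to etc/ufw/applications.d.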
diff --git a/debian/apache2.install b/debian/apache2.install
index b6ad789..92865fc 100644
--- a/debian/apache2.install
+++ b/debian/apache2.install
@@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2
8debian/config-dir/envvars /etc/apache28debian/config-dir/envvars /etc/apache2
9debian/config-dir/magic /etc/apache29debian/config-dir/magic /etc/apache2
10debian/debhelper/apache2-maintscript-helper /usr/share/apache2/10debian/debhelper/apache2-maintscript-helper /usr/share/apache2/
11debian/apache2-utils.ufw.profile /etc/ufw/applications.d/
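Review bot: the file installed on the added line is named apache2-utils.ufw.profile, yet it is shipped by the apache2 package through this apache2.install list and lands in /etc/ufw/applications.d/ under that name. Renaming the source file to match the owning package would avoid the impression that apache2-utils owns the profile.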
diff --git a/debian/apache2.postrm b/debian/apache2.postrm
index a68583c..b0e5d7b 100644
--- a/debian/apache2.postrm
+++ b/debian/apache2.postrm
@@ -33,6 +33,7 @@ is_default_index_html () {
33 776221a94e5a174dc2396c0f3f6b6a7433 776221a94e5a174dc2396c0f3f6b6a74
34 c481228d439cbb54bdcedbaec5bbb11a34 c481228d439cbb54bdcedbaec5bbb11a
35 e2620d4a5a0f8d80dd4b16de59af981f35 e2620d4a5a0f8d80dd4b16de59af981f
36 3526531ccd6c6a1d2340574a305a18f8
36 EOF37 EOF
37}38}
3839
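Review bot: the checksum 3526531ccd6c6a1d2340574a305a18f8 is added to the list in is_default_index_html with nothing recording which index.html revision it belongs to. Since debian/index.html changes in this same merge, please confirm the value is the checksum of the page as shipped in 2.4.52-1ubuntu1, and consider recording a hash-to-release mapping in a comment above the list or in the changelog so stale entries can be audited later.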
diff --git a/debian/apache2.py b/debian/apache2.py
39new file mode 10064440new file mode 100644
index 0000000..a9fb9d8
--- /dev/null
+++ b/debian/apache2.py
@@ -0,0 +1,48 @@
1#!/usr/bin/python
2
3'''apport hook for apache2
4
5(c) 2010 Adam Sommer.
6Author: Adam Sommer <asommer@ubuntu.com>
7
8This program is free software; you can redistribute it and/or modify it
9under the terms of the GNU General Public License as published by the
10Free Software Foundation; either version 2 of the License, or (at your
11option) any later version. See http://www.gnu.org/copyleft/gpl.html for
12the full text of the license.
13'''
14
15from apport.hookutils import *
16import os
17
18SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/'
19
20def add_info(report, ui):
21 if os.path.isdir(SITES_ENABLED_DIR):
22 response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory "
23 "may help developers diagnose your bug more "
24 "quickly. However, it may contain sensitive "
25 "information. Do you want to include it in your "
26 "bug report?")
27
28 if response == None: # user cancelled
29 raise StopIteration
30
31 elif response == True:
32 # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d
33 for conf_file in os.listdir(SITES_ENABLED_DIR):
34 attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file)
35
36 try:
37 report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d'))
38 except OSError:
39 report['Apache2ConfdDirListing'] = str(False)
40
41 # Attach default config files if changed.
42 attach_conffiles(report, 'apache2', conffiles=None)
43
44 # Attach the error.log file.
45 attach_file(report, '/var/log/apache2/error.log', key='error.log')
46
47 # Get loaded modules.
48 report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES'])
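Review bot: the yes/no prompt in add_info asks only about SITES_ENABLED_DIR, yet the hook also attaches /var/log/apache2/error.log and any modified conffiles via attach_conffiles, both of which can hold sensitive data. Either widen the prompt wording to cover everything that will be attached or gate those attachments on the same answer. Separately, '-D DUMP_MODULES' is passed to root_command_output as a single list element; splitting it into '-D', 'DUMP_MODULES' hands apachectl the option and its value as separate arguments, and the #!/usr/bin/python shebang should point at python3.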
diff --git a/debian/changelog b/debian/changelog
index 0df5aec..3e2b50f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,30 @@
1apache2 (2.4.52-1ubuntu1) jammy; urgency=medium
2
3 * Merge with Debian unstable (LP: #1959924). Remaining changes:
4 - debian/{control, apache2.install, apache2-utils.ufw.profile,
5 apache2.dirs}: Add ufw profiles.
6 (LP 261198)
7 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
8 (LP 609177)
9 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
10 d/s/include-binaries: replace Debian with Ubuntu on default
11 page and add Ubuntu icon file.
12 (LP 1288690)
13 * Dropped:
14 - d/p/support-openssl3-*.patch: Backport various patches from
15 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
16 failure to load when using OpenSSL 3.
17 (LP #1951476)
18 [Included in upstream release 2.4.52]
19 - d/apache2ctl: Also use systemd for graceful if it is in use.
20 (LP 1832182)
21 [This introduced a performance regression.]
22 - d/apache2ctl: Also use /run/systemd to check for systemd usage.
23 (LP 1918209)
24 [Not needed]
25
26 -- Bryce Harrington <bryce@canonical.com> Thu, 03 Feb 2022 10:25:47 -0800
27
1apache2 (2.4.52-1) unstable; urgency=medium28apache2 (2.4.52-1) unstable; urgency=medium
229
3 * Refresh suexec-custom.patch30 * Refresh suexec-custom.patch
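Review bot: the two d/apache2ctl items under "Dropped:" in the new 2.4.52-1ubuntu1 entry repeat, word for word, what the 2.4.51-2ubuntu1 entry already lists as dropped, with no indication that the earlier drop did not actually take effect. A short bracketed remark such as "[Listed as dropped in 2.4.51-2ubuntu1 but still present in the delta; removed now]" would let someone reading the changelog later see in which upload the behaviour really changed. The entry also mixes "(LP 261198)" and "(LP #1951476)" for references that are not meant to close bugs; settling on one form would make that intent clearer.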
@@ -8,6 +35,60 @@ apache2 (2.4.52-1) unstable; urgency=medium
835
9 -- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +010036 -- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +0100
1037
38apache2 (2.4.51-2ubuntu1) jammy; urgency=medium
39
40 * Merge with Debian unstable. Remaining changes:
41 - debian/{control, apache2.install, apache2-utils.ufw.profile,
42 apache2.dirs}: Add ufw profiles.
43 (LP 261198)
44 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
45 (LP 609177)
46 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
47 d/s/include-binaries: replace Debian with Ubuntu on default
48 page and add Ubuntu icon file.
49 (LP 1288690)
50 - d/p/support-openssl3-*.patch: Backport various patches from
51 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
52 failure to load when using OpenSSL 3.
53 (LP #1951476)
54 * Dropped:
55 - d/apache2ctl: Also use systemd for graceful if it is in use.
56 (LP: 1832182)
57 [This introduced a performance regression.]
58 - d/apache2ctl: Also use /run/systemd to check for systemd usage.
59 (LP 1918209)
60 [Not needed]
61 - debian/patches/CVE-2021-33193.patch: refactor request parsing in
62 include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
63 include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
64 server/core_filters.c, server/protocol.c, server/vhost.c.
65 [Fixed in 2.4.48-4]
66 - debian/patches/CVE-2021-34798.patch: add NULL check in
67 server/scoreboard.c.
68 [Fixed in 2.4.49-1]
69 - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
70 generic worker in modules/proxy/mod_proxy_uwsgi.c.
71 [Fixed in 2.4.49-1]
72 - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
73 substitution logic in server/util.c.
74 [Fixed in 2.4.49-1]
75 - arbitrary origin server via crafted request uri-path
76 + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
77 parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
78 modules/proxy/proxy_util.c.
79 + debian/patches/CVE-2021-40438.patch: add sanity checks on the
80 configured UDS path in modules/proxy/proxy_util.c.
81 [Fixed in 2.4.49-3]
82 - SECURITY REGRESSION: Issues in UDS URIs. (LP #1945311)
83 + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
84 rules in modules/mappers/mod_rewrite.c.
85 + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
86 hostname in modules/mappers/mod_rewrite.c,
87 modules/proxy/proxy_util.c.
88 [Fixed in 2.4.49-3]
89
90 -- Bryce Harrington <bryce@canonical.com> Thu, 16 Dec 2021 14:09:26 -0800
91
11apache2 (2.4.51-2) unstable; urgency=medium92apache2 (2.4.51-2) unstable; urgency=medium
1293
13 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting94 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting
@@ -73,6 +154,74 @@ apache2 (2.4.48-4) unstable; urgency=medium
73154
74 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200155 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200
75156
157apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium
158
159 * d/p/support-openssl3-*.patch: Backport various patches from
160 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
161 failure to load when using OpenSSL 3. (LP: #1951476)
162
163 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 26 Nov 2021 16:07:56 -0500
164
165apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
166
167 * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
168 - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
169 rules in modules/mappers/mod_rewrite.c.
170 - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
171 hostname in modules/mappers/mod_rewrite.c,
172 modules/proxy/proxy_util.c.
173
174 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Sep 2021 08:52:26 -0400
175
176apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium
177
178 * SECURITY UPDATE: request splitting over HTTP/2
179 - debian/patches/CVE-2021-33193.patch: refactor request parsing in
180 include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
181 include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
182 server/core_filters.c, server/protocol.c, server/vhost.c.
183 - CVE-2021-33193
184 * SECURITY UPDATE: NULL deref via malformed requests
185 - debian/patches/CVE-2021-34798.patch: add NULL check in
186 server/scoreboard.c.
187 - CVE-2021-34798
188 * SECURITY UPDATE: DoS in mod_proxy_uwsgi
189 - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
190 generic worker in modules/proxy/mod_proxy_uwsgi.c.
191 - CVE-2021-36160
192 * SECURITY UPDATE: buffer overflow in ap_escape_quotes
193 - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
194 substitution logic in server/util.c.
195 - CVE-2021-39275
196 * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
197 - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
198 parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
199 modules/proxy/proxy_util.c.
200 - debian/patches/CVE-2021-40438.patch: add sanity checks on the
201 configured UDS path in modules/proxy/proxy_util.c.
202 - CVE-2021-40438
203
204 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Sep 2021 12:51:16 -0400
205
206apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium
207
208 * Merge with Debian unstable. Remaining changes:
209 - debian/{control, apache2.install, apache2-utils.ufw.profile,
210 apache2.dirs}: Add ufw profiles. (LP 261198)
211 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
212 (LP 609177)
213 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
214 d/s/include-binaries: replace Debian with Ubuntu on default
215 page and add Ubuntu icon file. (LP 1288690)
216 - d/apache2ctl: Also use systemd for graceful if it is in use.
217 This extends an earlier fix for the start command to behave
218 similarly for restart / graceful. Fixes service failures on
219 unattended upgrade. (LP 1832182)
220 - d/apache2ctl: Also use /run/systemd to check for systemd usage
221 (LP 1918209)
222
223 -- Bryce Harrington <bryce@canonical.com> Wed, 11 Aug 2021 20:03:24 -0700
224
76apache2 (2.4.48-3.1) unstable; urgency=medium225apache2 (2.4.48-3.1) unstable; urgency=medium
77226
78 * Non-maintainer upload.227 * Non-maintainer upload.
@@ -81,6 +230,46 @@ apache2 (2.4.48-3.1) unstable; urgency=medium
81230
82 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200231 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200
83232
233apache2 (2.4.48-3ubuntu1) impish; urgency=medium
234
235 * Merge with Debian unstable. Remaining changes:
236 - debian/{control, apache2.install, apache2-utils.ufw.profile,
237 apache2.dirs}: Add ufw profiles. (LP: 261198)
238 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
239 (LP: 609177)
240 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
241 d/s/include-binaries: replace Debian with Ubuntu on default
242 page and add Ubuntu icon file. (LP: 1288690)
243 - d/apache2ctl: Also use systemd for graceful if it is in use.
244 This extends an earlier fix for the start command to behave
245 similarly for restart / graceful. Fixes service failures on
246 unattended upgrade. (LP: 1832182)
247 - d/apache2ctl: Also use /run/systemd to check for systemd usage
248 (LP: 1918209)
249 * Dropped:
250 - d/t/control, d/t/check-http2: add basic test for http2 support
251 [Fixed in 2.4.48-2]
252 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
253 [Fixed in 2.4.48-1]
254 - d/p/CVE-2020-13950.patch: don't dereference NULL proxy
255 connection in modules/proxy/mod_proxy_http.c.
256 [Fixed in 2.4.48 upstream]
257 - d/p/CVE-2020-35452.patch: fast validation of the nonce's
258 base64 to fail early if the format can't match anyway in
259 modules/aaa/mod_auth_digest.c.
260 [Fixed in 2.4.48 upstream]
261 - d/p/CVE-2021-26690.patch: save one apr_strtok() in
262 session_identity_decode() in modules/session/mod_session.c.
263 [Fixed in 2.4.48 upstream]
264 - d/p/CVE-2021-26691.patch: account for the '&' in
265 identity_concat() in modules/session/mod_session.c.
266 [Fixed in 2.4.48 upstream]
267 - d/p/CVE-2021-30641.patch: change default behavior in
268 server/request.c.
269 [Fixed in 2.4.48 upstream]
270
271 -- Bryce Harrington <bryce@canonical.com> Thu, 08 Jul 2021 03:20:46 +0000
272
84apache2 (2.4.48-3) unstable; urgency=medium273apache2 (2.4.48-3) unstable; urgency=medium
85274
86 * Fix debian/changelog275 * Fix debian/changelog
@@ -137,6 +326,65 @@ apache2 (2.4.46-5) unstable; urgency=medium
137326
138 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200327 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200
139328
329apache2 (2.4.46-4ubuntu3) impish; urgency=medium
330
331 * No-change rebuild due to OpenLDAP soname bump.
332
333 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 17:43:48 -0400
334
335apache2 (2.4.46-4ubuntu2) impish; urgency=medium
336
337 * SECURITY UPDATE: mod_proxy_http denial of service.
338 - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
339 connection in modules/proxy/mod_proxy_http.c.
340 - CVE-2020-13950
341 * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
342 - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
343 base64 to fail early if the format can't match anyway in
344 modules/aaa/mod_auth_digest.c.
345 - CVE-2020-35452
346 * SECURITY UPDATE: DoS via cookie header in mod_session
347 - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
348 session_identity_decode() in modules/session/mod_session.c.
349 - CVE-2021-26690
350 * SECURITY UPDATE: heap overflow via SessionHeader
351 - debian/patches/CVE-2021-26691.patch: account for the '&' in
352 identity_concat() in modules/session/mod_session.c.
353 - CVE-2021-26691
354 * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
355 - debian/patches/CVE-2021-30641.patch: change default behavior in
356 server/request.c.
357 - CVE-2021-30641
358
359 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Jun 2021 13:09:41 -0400
360
361apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium
362
363 * Merge with Debian unstable, to allow moving from lua5.2 to
364 lua5.3 (LP: #1910372). Remaining changes:
365 - debian/{control, apache2.install, apache2-utils.ufw.profile,
366 apache2.dirs}: Add ufw profiles.
367 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
368 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
369 Debian with Ubuntu on default page.
370 + d/source/include-binaries: add Ubuntu icon file
371 - d/t/control, d/t/check-http2: add basic test for http2 support
372 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
373 issue reading error log too quickly after request, by adding a sleep.
374 (LP #1890302)
375 - d/apache2ctl: Also use systemd for graceful if it is in use.
376 This extends an earlier fix for the start command to behave
377 similarly for restart / graceful. Fixes service failures on
378 unattended upgrade.
379 * Drop:
380 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
381 was re-added by mistake in 2.4.41-1 (Closes #921024)
382 [Included in Debian 2.4.46-3]
383 * d/apache2ctl: Also use /run/systemd to check for systemd usage
384 (LP: #1918209)
385
386 -- Bryce Harrington <bryce@canonical.com> Tue, 09 Mar 2021 00:45:35 +0000
387
140apache2 (2.4.46-4) unstable; urgency=medium388apache2 (2.4.46-4) unstable; urgency=medium
141389
142 * Ignore other random another test failures (Closes: #979664)390 * Ignore other random another test failures (Closes: #979664)
@@ -154,6 +402,28 @@ apache2 (2.4.46-3) unstable; urgency=medium
154402
155 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100403 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100
156404
405apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium
406
407 * Merge with Debian unstable. Remaining changes:
408 - debian/{control, apache2.install, apache2-utils.ufw.profile,
409 apache2.dirs}: Add ufw profiles.
410 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
411 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
412 Debian with Ubuntu on default page.
413 + d/source/include-binaries: add Ubuntu icon file
414 - d/t/control, d/t/check-http2: add basic test for http2 support
415 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
416 was re-added by mistake in 2.4.41-1 (Closes #921024)
417 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
418 issue reading error log too quickly after request, by adding a sleep.
419 (LP #1890302)
420 - d/apache2ctl: Also use systemd for graceful if it is in use.
421 This extends an earlier fix for the start command to behave
422 similarly for restart / graceful. Fixes service failures on
423 unattended upgrade.
424
425 -- Paride Legovini <paride.legovini@canonical.com> Mon, 14 Dec 2020 18:12:15 +0100
426
157apache2 (2.4.46-2) unstable; urgency=medium427apache2 (2.4.46-2) unstable; urgency=medium
158428
159 [ Jean-Michel Vourgère ]429 [ Jean-Michel Vourgère ]
@@ -175,6 +445,39 @@ apache2 (2.4.46-2) unstable; urgency=medium
175445
176 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100446 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100
177447
448apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium
449
450 * d/apache2ctl: Also use systemd for graceful if it is in use.
451 (LP: #1832182)
452 - This extends an earlier fix for the start command to behave
453 similarly for restart / graceful. Fixes service failures on
454 unattended upgrade.
455
456 -- Bryce Harrington <bryce@canonical.com> Mon, 05 Oct 2020 16:06:32 -0700
457
458apache2 (2.4.46-1ubuntu1) groovy; urgency=medium
459
460 * Merge with Debian unstable. Remaining changes:
461 - debian/{control, apache2.install, apache2-utils.ufw.profile,
462 apache2.dirs}: Add ufw profiles.
463 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
464 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
465 Debian with Ubuntu on default page.
466 + d/source/include-binaries: add Ubuntu icon file
467 - d/t/control, d/t/check-http2: add basic test for http2 support
468 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
469 was re-added by mistake in 2.4.41-1 (Closes #921024)
470 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
471 issue reading error log too quickly after request, by adding a sleep.
472 (LP #1890302)
473 * Dropped:
474 - debian/patches/086_svn_cross_compiles: Backport several cross
475 fixes from upstream
476 [Unclear if it's still necessary, and upstream hasn't made a
477 release with it yet]
478
479 -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Aug 2020 09:13:38 -0300
480
178apache2 (2.4.46-1) unstable; urgency=medium481apache2 (2.4.46-1) unstable; urgency=medium
179482
180 [ Xavier Guimard ]483 [ Xavier Guimard ]
@@ -191,6 +494,39 @@ apache2 (2.4.46-1) unstable; urgency=medium
191494
192 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200495 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200
193496
497apache2 (2.4.43-1ubuntu2) groovy; urgency=medium
498
499 * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
500 issue reading error log too quickly after request, by adding a sleep.
501 (LP: #1890302)
502
503 -- Bryce Harrington <bryce@canonical.com> Wed, 05 Aug 2020 12:44:59 -0700
504
505apache2 (2.4.43-1ubuntu1) groovy; urgency=medium
506
507 * Merge with Debian unstable. Remaining changes:
508 - debian/{control, apache2.install, apache2-utils.ufw.profile,
509 apache2.dirs}: Add ufw profiles.
510 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
511 - debian/patches/086_svn_cross_compiles: Backport several cross
512 fixes from upstream
513 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
514 Debian with Ubuntu on default page.
515 + d/source/include-binaries: add Ubuntu icon file
516 - d/t/control, d/t/check-http2: add basic test for http2 support
517 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
518 was re-added by mistake in 2.4.41-1 (Closes #921024)
519 * Dropped:
520 - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
521 parameter to mod_proxy_ajp (LP #1865340)
522 [Fixed upstream]
523 - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
524 mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
525 Closes #955348, LP #1872478
526 [In 2.4.43-1]
527
528 -- Andreas Hasenack <andreas@canonical.com> Tue, 21 Jul 2020 10:22:42 -0300
529
194apache2 (2.4.43-1) unstable; urgency=medium530apache2 (2.4.43-1) unstable; urgency=medium
195531
196 [ Timo Aaltonen ]532 [ Timo Aaltonen ]
@@ -218,6 +554,39 @@ apache2 (2.4.41-5) unstable; urgency=medium
218554
219 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100555 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100
220556
557apache2 (2.4.41-4ubuntu3) focal; urgency=medium
558
559 [ Timo Aaltonen ]
560 * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
561 mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
562 Closes: #955348, LP: #1872478
563
564 -- Andreas Hasenack <andreas@canonical.com> Mon, 13 Apr 2020 14:19:17 -0300
565
566apache2 (2.4.41-4ubuntu2) focal; urgency=medium
567
568 * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
569 parameter to mod_proxy_ajp (LP: #1865340)
570
571 -- Andreas Hasenack <andreas@canonical.com> Thu, 05 Mar 2020 15:51:00 -0300
572
573apache2 (2.4.41-4ubuntu1) focal; urgency=medium
574
575 * Merge with Debian unstable. Remaining changes:
576 - debian/{control, apache2.install, apache2-utils.ufw.profile,
577 apache2.dirs}: Add ufw profiles.
578 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
579 - debian/patches/086_svn_cross_compiles: Backport several cross
580 fixes from upstream
581 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
582 Debian with Ubuntu on default page.
583 + d/source/include-binaries: add Ubuntu icon file
584 - d/t/control, d/t/check-http2: add basic test for http2 support
585 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
586 was re-added by mistake in 2.4.41-1 (Closes #921024)
587
588 -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 10:36:13 -0300
589
221apache2 (2.4.41-4) unstable; urgency=medium590apache2 (2.4.41-4) unstable; urgency=medium
222591
223 * Add gcc in chroot autopkgtest (fixes debci)592 * Add gcc in chroot autopkgtest (fixes debci)
@@ -242,6 +611,41 @@ apache2 (2.4.41-2) unstable; urgency=medium
242611
243 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100612 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100
244613
614apache2 (2.4.41-1ubuntu1) eoan; urgency=medium
615
616 * Merge with Debian unstable. Remaining changes:
617 - debian/{control, apache2.install, apache2-utils.ufw.profile,
618 apache2.dirs}: Add ufw profiles.
619 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
620 - debian/patches/086_svn_cross_compiles: Backport several cross
621 fixes from upstream
622 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
623 Debian with Ubuntu on default page.
624 + d/source/include-binaries: add Ubuntu icon file
625 - d/t/control, d/t/check-http2: add basic test for http2 support
626 * Dropped:
627 - Cherrypick upstream testsuite fix:
628 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
629 as such).
630 + Similarly use TLSv1.2 for pr12355 and pr43738.
631 [Test suite updated in 2.4.41-1]
632 - Cherrypick upstream test suite fix for buffer.
633 [Included in 2.4.41-1]
634 - d/p/spelling-errors.patch: removed hunks already fixed upstream
635 [Included in 2.4.39-1]
636 - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
637 + d/p/CVE-2019-0196.patch
638 + d/p/CVE-2019-0211.patch
639 + d/p/CVE-2019-0215.patch
640 + d/p/CVE-2019-0217.patch
641 + d/p/CVE-2019-0220-*.patch
642 + d/p/CVE-2019-0197.patch
643 * Added:
644 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
645 was re-added by mistake in 2.4.41-1 (Closes: #921024)
646
647 -- Andreas Hasenack <andreas@canonical.com> Wed, 14 Aug 2019 11:36:32 -0300
648
245apache2 (2.4.41-1) unstable; urgency=medium649apache2 (2.4.41-1) unstable; urgency=medium
246650
247 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,651 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,
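Review bot: in the 2.4.41-1ubuntu1 entry, the six d/p/CVE-2019-*.patch files are listed under "Dropped from Ubuntu delta now", but the 2.4.39-0ubuntu1 entry added in the next hunk already lists the same six under "Dropped patches (fixed upstream)". Recording the drop twice makes it unclear in which upload the security patches actually left the delta. I'd add a bracketed note here pointing at 2.4.39-0ubuntu1, in the style of the "[Included in 2.4.39-1]" annotation just above the list.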
@@ -274,6 +678,62 @@ apache2 (2.4.39-1) unstable; urgency=medium
274678
275 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200679 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200
276680
681apache2 (2.4.39-0ubuntu1) eoan; urgency=medium
682
683 * New upstream version: 2.4.39
684 * d/p/spelling-errors.patch: removed hunks already fixed upstream
685 * Remaining changes:
686 - Cherrypick upstream test suite fix for buffer.
687 - Cherrypick upstream testsuite fix:
688 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
689 as such).
690 - Similarly use TLSv1.2 for pr12355 and pr43738.
691 - debian/{control, apache2.install, apache2-utils.ufw.profile,
692 apache2.dirs}: Add ufw profiles.
693 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
694 - debian/patches/086_svn_cross_compiles: Backport several cross
695 fixes from upstream
696 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
697 Debian with Ubuntu on default page.
698 + d/source/include-binaries: add Ubuntu icon file
699 - d/t/control, d/t/check-http2: add basic test for http2 support
700 * Dropped patches (fixed upstream):
701 - d/p/CVE-2019-0196.patch
702 - d/p/CVE-2019-0211.patch
703 - d/p/CVE-2019-0215.patch
704 - d/p/CVE-2019-0217.patch
705 - d/p/CVE-2019-0220-*.patch
706 - d/p/CVE-2019-0197.patch
707
708 -- Andreas Hasenack <andreas@canonical.com> Mon, 05 Aug 2019 18:09:08 -0300
709
710apache2 (2.4.38-3ubuntu2) eoan; urgency=medium
711
712 * Cherrypick upstream test suite fix for buffer.
713
714 -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 13 Jun 2019 11:08:24 +0100
715
716apache2 (2.4.38-3ubuntu1) eoan; urgency=low
717
718 * Merge from Debian unstable. Remaining changes:
719 - Cherrypick upstream testsuite fix:
720 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
721 as such).
722 - Similarly use TLSv1.2 for pr12355 and pr43738.
723 - debian/{control, apache2.install, apache2-utils.ufw.profile,
724 apache2.dirs}: Add ufw profiles.
725 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
726 - debian/patches/086_svn_cross_compiles: Backport several cross
727 fixes from upstream
728 [Removed configure chunk, not needed since configure.in is being
729 patched.]
730 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
731 Debian with Ubuntu on default page.
732 + d/source/include-binaries: add Ubuntu icon file
733 - d/t/control, d/t/check-http2: add basic test for http2 support
734
735 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Jun 2019 19:17:38 +0100
736
277apache2 (2.4.38-3) unstable; urgency=high737apache2 (2.4.38-3) unstable; urgency=high
278738
279 [ Marc Deslauriers ]739 [ Marc Deslauriers ]
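Review bot: the "Dropped patches (fixed upstream)" list in 2.4.39-0ubuntu1 names d/p/CVE-2019-0197.patch, but the 2.4.38-2ubuntu2 security entry in the next hunk only records patches for CVE-2019-0196, CVE-2019-0211, CVE-2019-0215, CVE-2019-0217 and CVE-2019-0220, and the 2.4.38-3ubuntu1 "Remaining changes" in this hunk lists no CVE patches at all. Please confirm where the CVE-2019-0197 patch entered the delta, so that every dropped security patch can be matched to the entry that added it.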
@@ -311,6 +771,79 @@ apache2 (2.4.38-3) unstable; urgency=high
311771
312 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200772 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200
313773
774apache2 (2.4.38-2ubuntu3) eoan; urgency=medium
775
776 * Cherrypick upstream testsuite fix:
777 - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
778 as such).
779 * Similarly use TLSv1.2 for pr12355 and pr43738.
780
781 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 07 May 2019 10:39:47 +0100
782
783apache2 (2.4.38-2ubuntu2) disco; urgency=medium
784
785 * SECURITY UPDATE: read-after-free on a string compare in mod_http2
786 - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
787 request method in modules/http2/h2_request.c.
788 - CVE-2019-0196
789 * SECURITY UPDATE: privilege escalation from modules' scripts
790 - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
791 child to its slot number in include/scoreboard.h,
792 server/mpm/event/event.c, server/mpm/prefork/prefork.c,
793 server/mpm/worker/worker.c.
794 - CVE-2019-0211
795 * SECURITY UPDATE: mod_ssl access control bypass
796 - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
797 PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
798 - CVE-2019-0215
799 * SECURITY UPDATE: mod_auth_digest access control bypass
800 - debian/patches/CVE-2019-0217.patch: fix a race condition in
801 modules/aaa/mod_auth_digest.c.
802 - CVE-2019-0217
803 * SECURITY UPDATE: URL normalization inconsistincy
804 - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
805 the path in include/http_core.h, include/httpd.h, server/core.c,
806 server/request.c, server/util.c.
807 - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
808 in server/request.c, server/util.c.
809 - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
810 server/util.c.
811 - CVE-2019-0220
812
813 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Apr 2019 14:31:46 -0400
814
815apache2 (2.4.38-2ubuntu1) disco; urgency=medium
816
817 * Merge with Debian unstable. Remaining changes:
818 - debian/{control, apache2.install, apache2-utils.ufw.profile,
819 apache2.dirs}: Add ufw profiles.
820 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
821 - debian/patches/086_svn_cross_compiles: Backport several cross
822 fixes from upstream
823 [Removed configure chunk, not needed since configure.in is being
824 patched.]
825 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
826 Debian with Ubuntu on default page.
827 + d/source/include-binaries: add Ubuntu icon file
828 - d/t/control, d/t/check-http2: add basic test for http2 support
829 * Dropped:
830 - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
831 libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
832 cannot be coinstalled with libcurl3. That situation breaks the
833 installation of libapache2-mod-shib2. See
834 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
835 for details.
836 [This has been resolved in Disco, where libxmltooling8 is built with
837 openssl 1.1]
838 - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
839 + debian/patches/CVE-2018-11763.patch: rework connection IO event
840 handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
841 modules/http2/h2_version.h.
842 - CVE-2018-11763
843 [Fixed in 2.4.35]
844
845 -- Andreas Hasenack <andreas@canonical.com> Sun, 03 Feb 2019 14:57:13 -0200
846
314apache2 (2.4.38-2) unstable; urgency=medium847apache2 (2.4.38-2) unstable; urgency=medium
315848
316 * Disable "reset" test in allowmethods.t (Closes: #921024)849 * Disable "reset" test in allowmethods.t (Closes: #921024)
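Review bot: the 2.4.38-2ubuntu2 SECURITY UPDATE entry carries two misspellings, "disentangelment" on the CVE-2019-0196 line and "inconsistincy" on the CVE-2019-0220 line, so a text search for "inconsistency" will miss the latter. If these are verbatim from the published upload they should stay as they are, but that is worth confirming against the archive copy. Separately, in the 2.4.38-2ubuntu1 "Dropped" list the "- CVE-2018-11763" line uses the same bullet as its parent "- SECURITY UPDATE" item, which makes it read as a separate dropped item; the 2.4.33-3ubuntu1 entry uses "+" for the equivalent lines.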
@@ -393,6 +926,37 @@ apache2 (2.4.35-1) unstable; urgency=medium
393926
394 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200927 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200
395928
929apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium
930
931 * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
932 - debian/patches/CVE-2018-11763.patch: rework connection IO event
933 handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
934 modules/http2/h2_version.h.
935 - CVE-2018-11763
936
937 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Oct 2018 09:57:22 -0400
938
939apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium
940
941 * Merge with Debian unstable. Remaining changes:
942 - debian/{control, apache2.install, apache2-utils.ufw.profile,
943 apache2.dirs}: Add ufw profiles.
944 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
945 - debian/patches/086_svn_cross_compiles: Backport several cross
946 fixes from upstream
947 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
948 Debian with Ubuntu on default page.
949 + d/source/include-binaries: add Ubuntu icon file
950 - d/t/control, d/t/check-http2: add basic test for http2 support
951 - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
952 libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
953 cannot be coinstalled with libcurl3. That situation breaks the
954 installation of libapache2-mod-shib2. See
955 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
956 for details.
957
958 -- Andreas Hasenack <andreas@canonical.com> Fri, 03 Aug 2018 17:09:27 -0300
959
396apache2 (2.4.34-1) unstable; urgency=medium960apache2 (2.4.34-1) unstable; urgency=medium
397961
398 [ Ondřej Surý ]962 [ Ondřej Surý ]
@@ -411,6 +975,87 @@ apache2 (2.4.34-1) unstable; urgency=medium
411975
412 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200976 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200
413977
978apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium
979
980 * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load:
981 re-enable proxy_uwsgi, as the uwsgi source no longer builds this module.
982
983 -- Andreas Hasenack <andreas@canonical.com> Thu, 28 Jun 2018 10:07:06 -0300
984
985apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
986
987 * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
988 libapache2-mod-md until we figure out their transitions. libapache2-mod-md
989 in particular is problematic because that makes apache2-bin pull in
990 libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
991 the installation of libapache2-mod-shib2. See
992 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
993 for details.
994 - Don't ship md.load and remove build-requires that were added because of
995 mod-md (see
996 https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
997 - Remove proxy_uwsgi.load as we are not building it for now (see
998 https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
999
1000 -- Andreas Hasenack <andreas@canonical.com> Thu, 17 May 2018 14:46:19 +0000
1001
1002apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
1003
1004 * Merge with Debian unstable (LP: #1770242). Remaining changes:
1005 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1006 apache2.dirs}: Add ufw profiles.
1007 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1008 - debian/patches/086_svn_cross_compiles: Backport several cross
1009 fixes from upstream
1010 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1011 Debian with Ubuntu on default page.
1012 + d/source/include-binaries: add Ubuntu icon file
1013 - d/t/control, d/t/check-http2: add basic test for http2 support
1014 * Drop:
1015 - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
1016 + debian/patches/CVE-2017-15710.patch: fix language long names
1017 detection as short name in modules/aaa/mod_authnz_ldap.c.
1018 + CVE-2017-15710
1019 - SECURITY UPDATE: incorrect <FilesMatch> matching
1020 + debian/patches/CVE-2017-15715.patch: allow to configure
1021 global/default options for regexes, like caseless matching or
1022 extended format in include/ap_regex.h, server/core.c,
1023 server/util_pcre.c.
1024 + CVE-2017-15715
1025 - SECURITY UPDATE: mod_session header manipulation
1026 + debian/patches/CVE-2018-1283.patch: strip Session header when
1027 SessionEnv is on in modules/session/mod_session.c.
1028 + CVE-2018-1283
1029 - SECURITY UPDATE: DoS via specially-crafted request
1030 + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
1031 terminated on any error, not only on buffer full in
1032 server/protocol.c.
1033 + CVE-2018-1301
1034 - SECURITY UPDATE: mod_cache_socache DoS
1035 + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
1036 to carriage return in modules/cache/mod_cache_socache.c.
1037 + CVE-2018-1303
1038 - SECURITY UPDATE: insecure nonce generation
1039 + debian/patches/CVE-2018-1312.patch: actually use the secret when
1040 generating nonces in modules/aaa/mod_auth_digest.c.
1041 + CVE-2018-1312
1042 - Correct systemd-sysv-generator behavior by customizing some
1043 parameters:
1044 + d/apache2-systemd.conf: add a drop-in file to specify some
1045 parameters for the systemd unit (type=Forking and
1046 RemainsAfterExit=no), this allow a correct state synchronisation
1047 between systemctl status and actual state of apache2 daemon.
1048 + d/apache2.install: place the apache2-systemd.conf file in the
1049 correct location.
1050 [type=Forking already in the base systemd service file, and
1051 RemainsAfterExit=no is the default value, so no need to
1052 customize these anymore.]
1053 - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
1054 + added debian/patches/util_ldap_cache_lock_fix.patch
1055 [Already applied upstream]
1056
1057 -- Andreas Hasenack <andreas@canonical.com> Tue, 15 May 2018 11:03:34 -0300
1058
414apache2 (2.4.33-3) unstable; urgency=medium1059apache2 (2.4.33-3) unstable; urgency=medium
4151060
416 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.1061 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
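Review bot: in the 2.4.33-3ubuntu1 "Drop:" list, the six security patches (CVE-2017-15710, CVE-2017-15715, CVE-2018-1283, CVE-2018-1301, CVE-2018-1303, CVE-2018-1312) are dropped with no stated reason, while the two non-security items below them each carry a bracketed justification such as "[Already applied upstream]". For dropped security fixes the reason matters most. I'd like each one, or the group, to say which upstream or Debian version includes the fix, as the 2.4.38-2ubuntu1 entry does with "[Fixed in 2.4.35]".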
@@ -483,6 +1128,91 @@ apache2 (2.4.29-2) unstable; urgency=medium
4831128
484 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +00001129 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +0000
4851130
1131apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium
1132
1133 * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
1134 - debian/patches/CVE-2017-15710.patch: fix language long names
1135 detection as short name in modules/aaa/mod_authnz_ldap.c.
1136 - CVE-2017-15710
1137 * SECURITY UPDATE: incorrect <FilesMatch> matching
1138 - debian/patches/CVE-2017-15715.patch: allow to configure
1139 global/default options for regexes, like caseless matching or
1140 extended format in include/ap_regex.h, server/core.c,
1141 server/util_pcre.c.
1142 - CVE-2017-15715
1143 * SECURITY UPDATE: mod_session header manipulation
1144 - debian/patches/CVE-2018-1283.patch: strip Session header when
1145 SessionEnv is on in modules/session/mod_session.c.
1146 - CVE-2018-1283
1147 * SECURITY UPDATE: DoS via specially-crafted request
1148 - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
1149 terminated on any error, not only on buffer full in
1150 server/protocol.c.
1151 - CVE-2018-1301
1152 * SECURITY UPDATE: mod_cache_socache DoS
1153 - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
1154 to carriage return in modules/cache/mod_cache_socache.c.
1155 - CVE-2018-1303
1156 * SECURITY UPDATE: insecure nonce generation
1157 - debian/patches/CVE-2018-1312.patch: actually use the secret when
1158 generating nonces in modules/aaa/mod_auth_digest.c.
1159 - CVE-2018-1312
1160
1161 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Apr 2018 07:38:24 -0400
1162
1163apache2 (2.4.29-1ubuntu4) bionic; urgency=medium
1164
1165 * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
1166 - added debian/patches/util_ldap_cache_lock_fix.patch
1167
1168 -- Rafael David Tinoco <rafael.tinoco@canonical.com> Fri, 02 Mar 2018 02:19:31 +0000
1169
1170apache2 (2.4.29-1ubuntu3) bionic; urgency=medium
1171
1172 * Switch back to OpenSSL 1.1.
1173
1174 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 11:57:20 +0000
1175
1176apache2 (2.4.29-1ubuntu2) bionic; urgency=medium
1177
1178 * enable http2 (LP: #1687454) by stopping to disable it
1179 - debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
1180 - debian/config-dir/mods-available/http2.load: no more removed.
1181 - debian/rules: no more removed proxy_http2 from configure.
1182 * d/t/control, d/t/check-http2: add basic test for http2 support
1183
1184 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 05 Dec 2017 17:25:39 +0100
1185
1186apache2 (2.4.29-1ubuntu1) bionic; urgency=medium
1187
1188 * Merge with Debian unstable. Remaining changes:
1189 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1190 apache2.dirs}: Add ufw profiles.
1191 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1192 - debian/patches/086_svn_cross_compiles: Backport several cross
1193 fixes from upstream
1194 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1195 Debian with Ubuntu on default page.
1196 + d/source/include-binaries: add Ubuntu icon file
1197 - Correct systemd-sysv-generator behavior by customizing some
1198 parameters:
1199 + d/apache2-systemd.conf: add a drop-in file to specify some
1200 parameters for the systemd unit (type=Forking and
1201 RemainsAfterExit=no), this allow a correct state synchronisation
1202 between systemctl status and actual state of apache2 daemon.
1203 + d/apache2.install: place the apache2-systemd.conf file in the
1204 correct location.
1205 - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1206 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1207 + debian/config-dir/mods-available/http2.load: removed.
1208 + debian/rules: removed proxy_http2 from configure.
1209 * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
1210 - debian/control: switch BuildDepends to libssl1.0-dev
1211 - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
1212 - debian/rules: remove openssl virtual package and logic
1213
1214 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 10 Nov 2017 10:51:46 -0500
1215
486apache2 (2.4.29-1) unstable; urgency=medium1216apache2 (2.4.29-1) unstable; urgency=medium
4871217
488 [ Stefan Fritsch ]1218 [ Stefan Fritsch ]
@@ -547,6 +1277,47 @@ apache2 (2.4.27-3) experimental; urgency=medium
5471277
548 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +02001278 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +0200
5491279
1280apache2 (2.4.27-2ubuntu3) artful; urgency=medium
1281
1282 * SECURITY UPDATE: optionsbleed information leak
1283 - debian/patches/CVE-2017-9798.patch: disallow method registration
1284 at run time in server/core.c.
1285 - CVE-2017-9798
1286
1287 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Sep 2017 11:05:48 -0400
1288
1289apache2 (2.4.27-2ubuntu2) artful; urgency=medium
1290
1291 * Undrop (LP 1658469):
1292 - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1293 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1294 + debian/config-dir/mods-available/http2.load: removed.
1295 + debian/rules: removed proxy_http2 from configure.
1296
1297 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 02 Aug 2017 13:04:45 -0400
1298
1299apache2 (2.4.27-2ubuntu1) artful; urgency=medium
1300
1301 * Merge with Debian unstable (LP: #1702582). Remaining changes:
1302 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1303 apache2.dirs}: Add ufw profiles.
1304 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1305 - debian/patches/086_svn_cross_compiles: Backport several cross
1306 fixes from upstream
1307 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1308 Debian with Ubuntu on default page.
1309 + d/source/include-binaries: add Ubuntu icon file
1310 - Correct systemd-sysv-generator behavior by customizing some
1311 parameters:
1312 + d/apache2-systemd.conf: add a drop-in file to specify some
1313 parameters for the systemd unit (type=Forking and
1314 RemainsAfterExit=no), this allow a correct state synchronisation
1315 between systemctl status and actual state of apache2 daemon.
1316 + d/apache2.install: place the apache2-systemd.conf file in the
1317 correct location.
1318
1319 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 27 Jul 2017 13:38:39 -0700
1320
550apache2 (2.4.27-2) unstable; urgency=medium1321apache2 (2.4.27-2) unstable; urgency=medium
5511322
552 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more1323 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
@@ -576,6 +1347,55 @@ apache2 (2.4.25-4) unstable; urgency=high
5761347
577 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +02001348 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +0200
5781349
1350apache2 (2.4.25-3ubuntu3) artful; urgency=medium
1351
1352 * Re-Drop (LP: #1658469):
1353 - Don't build experimental http2 module for LTS:
1354 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1355 + debian/config-dir/mods-available/http2.load: removed.
1356 + debian/rules: removed proxy_http2 from configure.
1357 + debian/apache2.maintscript: remove http2 conffile.
1358
1359 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Mon, 01 May 2017 09:55:11 -0700
1360
1361apache2 (2.4.25-3ubuntu2) zesty; urgency=medium
1362 * Undrop (LP 1658469):
1363 - Don't build experimental http2 module for LTS:
1364 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1365 + debian/config-dir/mods-available/http2.load: removed.
1366 + debian/rules: removed proxy_http2 from configure.
1367 + debian/apache2.maintscript: remove http2 conffile.
1368
1369 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 10 Feb 2017 08:53:43 -0800
1370
1371apache2 (2.4.25-3ubuntu1) zesty; urgency=medium
1372
1373 * Merge from Debian unstable (LP: #1663425). Remaining changes:
1374 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1375 apache2.dirs}: Add ufw profiles.
1376 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1377 - debian/patches/086_svn_cross_compiles: Backport several cross
1378 fixes from upstream
1379 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1380 Debian with Ubuntu on default page.
1381 + d/source/include-binaries: add Ubuntu icon file
1382 - Correct systemd-sysv-generator behavior by customizing some
1383 parameters:
1384 + d/apache2-systemd.conf: add a drop-in file to specify some
1385 parameters for the systemd unit (type=Forking and
1386 RemainsAfterExit=no), this allow a correct state synchronisation
1387 between systemctl status and actual state of apache2 daemon.
1388 + d/apache2.install: place the apache2-systemd.conf file in the
1389 correct location.
1390 * Drop (LP: #1658469):
1391 - Don't build experimental http2 module for LTS:
1392 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1393 + debian/config-dir/mods-available/http2.load: removed.
1394 + debian/rules: removed proxy_http2 from configure.
1395 + debian/apache2.maintscript: remove http2 conffile.
1396
1397 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 09 Feb 2017 15:48:28 -0800
1398
579apache2 (2.4.25-3) unstable; urgency=medium1399apache2 (2.4.25-3) unstable; urgency=medium
5801400
581 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.1401 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
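Review bot: the 2.4.25-3ubuntu2 entry has no blank line between its header "apache2 (2.4.25-3ubuntu2) zesty; urgency=medium" and the first bullet "* Undrop (LP 1658469):", unlike every other entry added in this patch. Please check that the changelog still parses cleanly (for example with dpkg-parsechangelog) and, if this is not a verbatim copy of the published entry, add the separating blank line.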
@@ -637,6 +1457,39 @@ apache2 (2.4.25-1) unstable; urgency=medium
6371457
638 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +01001458 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +0100
6391459
1460apache2 (2.4.23-8ubuntu1) zesty; urgency=medium
1461
1462 * Merge from Debian unstable (LP: #). Remaining changes:
1463 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1464 apache2.dirs}: Add ufw profiles.
1465 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1466 - debian/patches/086_svn_cross_compiles: Backport several cross
1467 fixes from upstream
1468 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
1469 d/source/include-binaries: replace Debian with Ubuntu on default
1470 page.
1471 [ include-binaries change previously undocumented ]
1472 - Don't build experimental http2 module for LTS:
1473 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1474 + debian/config-dir/mods-available/http2.load: removed.
1475 + debian/rules: removed proxy_http2 from configure.
1476 + debian/apache2.maintscript: remove http2 conffile.
1477 [ Previously undocumented ]
1478 - Correct systemd-sysv-generator behavior by customizing some
1479 parameters:
1480 + d/apache2-systemd.conf: add a drop-in file to specify some
1481 parameters for the systemd unit (type=Forking and
1482 RemainsAfterExit=no), this allow a correct state synchronisation
1483 between systemctl status and actual state of apache2 daemon.
1484 + d/apache2.install: place the apache2-systemd.conf file in the
1485 correct location.
1486 * Drop:
1487 - debian/rules: Fix cross-building by passing
1488 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1489 [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]
1490
1491 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 09 Dec 2016 11:02:38 +0100
1492
640apache2 (2.4.23-8) unstable; urgency=medium1493apache2 (2.4.23-8) unstable; urgency=medium
6411494
642 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a1495 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
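Review bot: the first bullet of the 2.4.23-8ubuntu1 entry reads "Merge from Debian unstable (LP: #). Remaining changes:", which is a bug-closing tag with no bug number. Either the merge bug number was never filled in or the tag should not be there. If the number is known it belongs here, otherwise the empty "(LP: #)" should be removed so that changelog tooling and readers do not trip over it.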
@@ -647,6 +1500,33 @@ apache2 (2.4.23-8) unstable; urgency=medium
6471500
648 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +01001501 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100
6491502
1503apache2 (2.4.23-7ubuntu1) zesty; urgency=medium
1504
1505 * Merge from Debian unstable. Remaining changes:
1506 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1507 apache2.dirs}: Add ufw profiles.
1508 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1509 - debian/rules: Fix cross-building by passing
1510 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1511 - debian/patches/086_svn_cross_compiles: Backport several cross
1512 fixes from upstream
1513 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1514 Debian with Ubuntu on default page.
1515 - Don't build experimental http2 module for LTS:
1516 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1517 + debian/config-dir/mods-available/http2.load: removed.
1518 + debian/rules: removed proxy_http2 from configure.
1519 - Correct systemd-sysv-generator behavior by customizing some
1520 parameters:
1521 + d/apache2-systemd.conf: add a drop-in file to specify some
1522 parameters for the systemd unit (type=Forking and
1523 RemainsAfterExit=no), this allow a correct state synchronisation
1524 between systemctl status and actual state of apache2 daemon.
1525 + d/apache2.install: place the apache2-systemd.conf file in the
1526 correct location.
1527
1528 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Nov 2016 09:17:24 -0500
1529
650apache2 (2.4.23-7) unstable; urgency=medium1530apache2 (2.4.23-7) unstable; urgency=medium
6511531
652 * Make apache2-dev depend on openssl 1.0, too. Closes: #8441601532 * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
@@ -761,6 +1641,55 @@ apache2 (2.4.20-1) unstable; urgency=medium
7611641
762 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +02001642 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200
7631643
1644apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium
1645
1646 * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
1647 - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
1648 server/util_script.c.
1649 - CVE-2016-5387
1650
1651 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Jul 2016 14:32:02 -0400
1652
1653apache2 (2.4.18-2ubuntu3) xenial; urgency=medium
1654
1655 [ Ryan Harper ]
1656 * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
1657 introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
1658 all, since http2 support is intentionally disabled (see LP 1531864).
1659 * d/apache2.maintscript: handle removal of http2.load conffile.
1660
1661 [ Robie Basak ]
1662 * Re-write Ryan's changelog entry.
1663
1664 -- Robie Basak <robie.basak@ubuntu.com> Fri, 15 Apr 2016 18:00:57 +0000
1665
1666apache2 (2.4.18-2ubuntu2) xenial; urgency=medium
1667
1668 * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
1669 - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
1670 unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation
1671 between systemctl status and actual state of apache2 daemon.
1672 - d/apache2.install: place the apache2-systemd.conf file in the correct location.
1673
1674 -- Pierre-André MOREY <pierre-andre.morey@canonical.com> Fri, 08 Apr 2016 11:48:00 +0200
1675
1676apache2 (2.4.18-2ubuntu1) xenial; urgency=medium
1677
1678 * Merge from Debian unstable. Remaining changes:
1679 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1680 apache2.dirs}: Add ufw profiles.
1681 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1682 - debian/rules: Fix cross-building by passing
1683 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1684 - debian/patches/086_svn_cross_compiles: Backport several cross
1685 fixes from upstream
1686 - d/index.html: replace Debian with Ubuntu on default page.
1687 - Don't build experimental http2 module for LTS:
1688 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1689 + debian/config-dir/mods-available/http2.load: removed.
1690
1691 -- Timo Aaltonen <tjaalton@debian.org> Wed, 06 Apr 2016 00:18:31 +0300
1692
764apache2 (2.4.18-2) unstable; urgency=low1693apache2 (2.4.18-2) unstable; urgency=low
7651694
766 * htcacheclean:1695 * htcacheclean:
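Review bot: the 2.4.18-2ubuntu4 entry adds debian/patches/CVE-2016-5387.patch (httpoxy), but the next Ubuntu entry visible in this patch, 2.4.23-7ubuntu1, lists its remaining changes without that patch and has no Dropped section, so the changelog never records when or why the fix left the delta. Since this merge re-splits the delta by hand, please confirm in the MP description that the fix is present in the source being merged. The same applies to CVE-2017-9798.patch from 2.4.27-2ubuntu3, which is likewise absent from the 2.4.29-1ubuntu1 entry.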
@@ -786,6 +1715,24 @@ apache2 (2.4.18-2) unstable; urgency=low
7861715
787 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +02001716 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200
7881717
1718apache2 (2.4.18-1ubuntu1) xenial; urgency=medium
1719
1720 * Merge from Debian unstable. Remaining changes:
1721 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1722 apache2.dirs}: Add ufw profiles.
1723 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1724 - Add dep8 tests.
1725 - debian/rules: Fix cross-building by passing
1726 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1727 - debian/patches/086_svn_cross_compiles: Backport several cross
1728 fixes from upstream
1729 - d/index.html: replace Debian with Ubuntu on default page.
1730 - Don't build experimental http2 module for LTS:
1731 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1732 + debian/config-dir/mods-available/http2.load: removed.
1733
1734 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Jan 2016 15:15:22 -0500
1735
789apache2 (2.4.18-1) unstable; urgency=medium1736apache2 (2.4.18-1) unstable; urgency=medium
7901737
791 * New upstream release:1738 * New upstream release:
@@ -793,12 +1740,48 @@ apache2 (2.4.18-1) unstable; urgency=medium
7931740
794 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +01001741 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100
7951742
1743apache2 (2.4.17-3ubuntu1) xenial; urgency=medium
1744
1745 * Merge from Debian unstable. Remaining changes:
1746 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1747 apache2.dirs}: Add ufw profiles.
1748 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1749 - Add dep8 tests.
1750 - debian/rules: Fix cross-building by passing
1751 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1752 - debian/patches/086_svn_cross_compiles: Backport several cross
1753 fixes from upstream
1754 - d/index.html: replace Debian with Ubuntu on default page.
1755 - Don't build experimental http2 module for LTS:
1756 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1757 + debian/config-dir/mods-available/http2.load: removed.
1758
1759 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Dec 2015 10:07:35 -0500
1760
796apache2 (2.4.17-3) unstable; urgency=medium1761apache2 (2.4.17-3) unstable; urgency=medium
7971762
798 * mpm_prefork: Fix segfault if started with -X. Closes: #8057371763 * mpm_prefork: Fix segfault if started with -X. Closes: #805737
7991764
800 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +01001765 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100
8011766
1767apache2 (2.4.17-2ubuntu1) xenial; urgency=medium
1768
1769 * Merge from Debian unstable. Remaining changes:
1770 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1771 apache2.dirs}: Add ufw profiles.
1772 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1773 - Add dep8 tests.
1774 - debian/rules: Fix cross-building by passing
1775 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1776 - debian/patches/086_svn_cross_compiles: Backport several cross
1777 fixes from upstream
1778 - d/index.html: replace Debian with Ubuntu on default page.
1779 - Don't build experimental http2 module for LTS:
1780 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1781 + debian/config-dir/mods-available/http2.load: removed.
1782
1783 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Nov 2015 09:11:52 -0500
1784
802apache2 (2.4.17-2) unstable; urgency=medium1785apache2 (2.4.17-2) unstable; urgency=medium
8031786
804 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke1787 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
@@ -809,6 +1792,31 @@ apache2 (2.4.17-2) unstable; urgency=medium
8091792
810 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +01001793 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100
8111794
1795apache2 (2.4.17-1ubuntu1) xenial; urgency=medium
1796
1797 * Merge from Debian unstable. Remaining changes:
1798 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1799 apache2.dirs}: Add ufw profiles.
1800 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1801 - Add dep8 tests.
1802 - debian/rules: Fix cross-building by passing
1803 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1804 - debian/patches/086_svn_cross_compiles: Backport several cross
1805 fixes from upstream
1806 - d/index.html: replace Debian with Ubuntu on default page.
1807 * Drop patches (applied upstream):
1808 - debian/patches/CVE-2015-3183.patch
1809 - debian/patches/CVE-2015-3185.patch
1810 * Drop changes (adopted in Debian):
1811 - Allow "triggers-awaited" and "triggers-pending" states in addition
1812 to "installed" when determining whether to defer actions or
1813 process deferred actions.
1814 * Don't build experimental http2 module for LTS
1815 - debian/control: removed libnghttp2-dev Build-Depends (in universe).
1816 - debian/config-dir/mods-available/http2.load: removed.
1817
1818 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 30 Oct 2015 09:35:46 -0400
1819
812apache2 (2.4.17-1) unstable; urgency=medium1820apache2 (2.4.17-1) unstable; urgency=medium
8131821
814 [ Stefan Fritsch ]1822 [ Stefan Fritsch ]
@@ -874,6 +1882,49 @@ apache2 (2.4.16-1) unstable; urgency=medium
8741882
875 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +02001883 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200
8761884
1885apache2 (2.4.12-2ubuntu2) wily; urgency=medium
1886
1887 * SECURITY UPDATE: request smuggling via chunked transfer encoding
1888 - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
1889 modules/http/http_filters.c.
1890 - CVE-2015-3183
1891 * SECURITY UPDATE: access restriction bypass via deprecated API
1892 - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
1893 in include/http_request.h, server/request.c.
1894 - CVE-2015-3185
1895
1896 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 24 Jul 2015 09:56:09 -0400
1897
1898apache2 (2.4.12-2ubuntu1) wily; urgency=medium
1899
1900 * Merge from Debian unstable. Remaining changes:
1901 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1902 apache2.dirs}: Add ufw profiles.
1903 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1904 - Add dep8 tests.
1905 - debian/rules: Fix cross-building by passing
1906 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1907 - debian/patches/086_svn_cross_compiles: Backport several cross
1908 fixes from upstream
1909 - d/index.html: replace Debian with Ubuntu on default page.
1910 - Allow "triggers-awaited" and "triggers-pending" states in addition
1911 to "installed" when determining whether to defer actions or
1912 process deferred actions.
1913 * Drop patches (applied upstream):
1914 - d/p/split-logfile.patch
1915 - d/p/CVE-2015-0228.patch
1916 * Drop changes (superceded in Debian):
1917 - Cherry-pick versioned build-depend on dpkg from Debian for correct
1918 dpkg-maintscript-helper symlink_to_dir support.
1919 * Drop changes (adopted in Debian):
1920 - d/control, d/config-dir/mods-available/ssl.conf,
1921 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1922 dialog program ask-for-passphrase.
1923 * Fix cross-building configure line in d/rules, which had bit-rotted in
1924 previous merges.
1925
1926 -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 May 2015 16:34:00 +0000
1927
877apache2 (2.4.12-2) unstable; urgency=medium1928apache2 (2.4.12-2) unstable; urgency=medium
8781929
879 [ Jean-Michel Nirgal Vourgère ]1930 [ Jean-Michel Nirgal Vourgère ]
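Review bot: "superceded" in the 2.4.12-2ubuntu1 line "Drop changes (superceded in Debian)" is a misspelling of "superseded". If this entry reproduces the already-published upload verbatim, keep it as is so the history matches the archive; otherwise correct it.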
@@ -923,6 +1974,28 @@ apache2 (2.4.10-10) unstable; urgency=medium
9231974
924 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +01001975 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100
9251976
1977apache2 (2.4.10-9ubuntu1) vivid; urgency=medium
1978
1979 * Merge from Debian unstable. Remaining changes:
1980 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1981 apache2.dirs}: Add ufw profiles.
1982 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1983 - d/control, d/config-dir/mods-available/ssl.conf,
1984 - Add dep8 tests.
1985 - debian/rules: Fix cross-building by passing
1986 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1987 - debian/patches/086_svn_cross_compiles: Backport several cross
1988 fixes from upstream
1989 - d/index.html: replace Debian with Ubuntu on default page.
1990 - d/p/split-logfile.patch: fix completely broken split-logfile
1991 command.
1992 - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
1993 denial of service in mod_lua via websockets PING
1994 * debian/tests/ssl-passphrase: Add password responder for
1995 systemd-ask-passphrase.
1996
1997 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 09 Mar 2015 12:03:16 +0100
1998
926apache2 (2.4.10-9) unstable; urgency=medium1999apache2 (2.4.10-9) unstable; urgency=medium
9272000
928 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a2001 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
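Review bot: In the 2.4.10-9ubuntu1 entry the item "- d/control, d/config-dir/mods-available/ssl.conf," ends in a comma and is followed directly by "- Add dep8 tests.", so it reads as the first line of the Plymouth ask-for-passphrase item (spelled out in full in 2.4.10-8ubuntu1) with its continuation lost. Restore the rest of the item or drop the fragment. The entry also keeps d/p/CVE-2015-0228.patch but does not record what happened to CVE-2014-8109.patch from 2.4.10-8ubuntu3, which the 2.4.10-9 context line shows Debian now fixes; a "Drop patches" line would make that explicit.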
@@ -937,6 +2010,54 @@ apache2 (2.4.10-9) unstable; urgency=medium
9372010
938 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +01002011 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100
9392012
2013apache2 (2.4.10-8ubuntu3) vivid; urgency=medium
2014
2015 * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
2016 directives
2017 - debian/patches/CVE-2014-8109.patch: handle multiple Require
2018 directives with different arguments in modules/lua/mod_lua.c.
2019 - CVE-2014-8109
2020 * SECURITY UPDATE: denial of service in mod_lua via websockets PING
2021 - debian/patches/CVE-2015-0228.patch: fix logic in
2022 modules/lua/lua_request.c.
2023 - CVE-2015-0228
2024
2025 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 05 Mar 2015 10:56:34 -0500
2026
2027apache2 (2.4.10-8ubuntu2) vivid; urgency=medium
2028
2029 * Allow "triggers-awaited" and "triggers-pending" states in addition to
2030 "installed" when determining whether to defer actions or process
2031 deferred actions (LP: #1393832).
2032
2033 -- Colin Watson <cjwatson@ubuntu.com> Wed, 26 Nov 2014 11:31:44 +0000
2034
2035apache2 (2.4.10-8ubuntu1) vivid; urgency=medium
2036
2037 * Merge from Debian unstable. Remaining changes:
2038 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2039 apache2.dirs}: Add ufw profiles.
2040 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2041 - d/control, d/config-dir/mods-available/ssl.conf,
2042 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
2043 dialog program ask-for-passphrase.
2044 - Add dep8 tests.
2045 - debian/rules: Fix cross-building by passing
2046 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2047 - debian/patches/086_svn_cross_compiles: Backport several cross
2048 fixes from upstream
2049 - d/index.html: replace Debian with Ubuntu on default page.
2050 - d/p/split-logfile.patch: fix completely broken split-logfile
2051 command.
2052 * Fixes from Debian included in merge:
2053 - Crash caused by OCSP stapling code; this was erroneously
2054 attributed to Debian in my previous merge, but actually only
2055 appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
2056 * Cherry-pick versioned build-depend on dpkg from Debian for correct
2057 dpkg-maintscript-helper symlink_to_dir support.
2058
2059 -- Robie Basak <robie.basak@ubuntu.com> Fri, 21 Nov 2014 15:15:58 +0000
2060
940apache2 (2.4.10-8) unstable; urgency=medium2061apache2 (2.4.10-8) unstable; urgency=medium
9412062
942 * Bump dpkg Pre-Depends to version that supports relative symlinks in2063 * Bump dpkg Pre-Depends to version that supports relative symlinks in
@@ -951,6 +2072,33 @@ apache2 (2.4.10-8) unstable; urgency=medium
9512072
952 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +01002073 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100
9532074
2075apache2 (2.4.10-7ubuntu1) vivid; urgency=medium
2076
2077 * Merge from Debian unstable. Remaining changes:
2078 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2079 apache2.dirs}: Add ufw profiles.
2080 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2081 - d/control, d/config-dir/mods-available/ssl.conf,
2082 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
2083 dialog program ask-for-passphrase.
2084 - Add dep8 tests.
2085 - debian/rules: Fix cross-building by passing
2086 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2087 - debian/patches/086_svn_cross_compiles: Backport several cross
2088 fixes from upstream
2089 - d/index.html: replace Debian with Ubuntu on default page.
2090 - d/p/split-logfile.patch: fix completely broken split-logfile command.
2091 * Fixes from Debian included in merge:
2092 - Don't use a2query in preinst, as it may not be available yet
2093 (LP: #1312533).
2094 - Crash caused by OCSP stapling code (LP: #1366174).
2095 - Disable SSLv3 in default config (LP: #1358305).
2096 - If apache2 is not configured yet, defer actions executed via
2097 apache2-maintscript-helper. This fixes installation failures if a
2098 module package is configured first (LP: #1312854).
2099
2100 -- Robie Basak <robie.basak@ubuntu.com> Mon, 17 Nov 2014 18:04:40 +0000
2101
954apache2 (2.4.10-7) unstable; urgency=medium2102apache2 (2.4.10-7) unstable; urgency=medium
9552103
956 * Handle transitions of doc dirs and symlinks correctly during upgrade.2104 * Handle transitions of doc dirs and symlinks correctly during upgrade.
@@ -1034,6 +2182,25 @@ apache2 (2.4.10-2) unstable; urgency=medium
10342182
1035 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +02002183 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200
10362184
2185apache2 (2.4.10-1ubuntu1) utopic; urgency=medium
2186
2187 * Merge from Debian unstable. Remaining changes:
2188 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2189 apache2.dirs}: Add ufw profiles.
2190 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2191 - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
2192 d/apache2.install: Plymouth aware passphrase dialog program
2193 ask-for-passphrase.
2194 - Add dep8 tests.
2195 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
2196 configure.
2197 - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
2198 upstream
2199 - d/index.html: replace Debian with Ubuntu on default page.
2200 - d/p/split-logfile.patch: fix completely broken split-logfile command.
2201
2202 -- Robie Basak <robie.basak@ubuntu.com> Thu, 24 Jul 2014 15:13:16 +0000
2203
1037apache2 (2.4.10-1) unstable; urgency=medium2204apache2 (2.4.10-1) unstable; urgency=medium
10382205
1039 [ Arno Töll ]2206 [ Arno Töll ]
@@ -1081,6 +2248,45 @@ apache2 (2.4.9-2) unstable; urgency=medium
10812248
1082 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +02002249 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200
10832250
2251apache2 (2.4.9-1ubuntu2) utopic; urgency=medium
2252
2253 * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
2254 yet support building against lua 5.2 (LP: #1323930).
2255
2256 -- Robie Basak <robie.basak@ubuntu.com> Wed, 28 May 2014 08:55:25 +0000
2257
2258apache2 (2.4.9-1ubuntu1) utopic; urgency=medium
2259
2260 * Merge from Debian unstable. Remaining changes:
2261 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2262 apache2.dirs}: Add ufw profiles.
2263 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2264 - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
2265 d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
2266 dialog program ask-for-passphrase.
2267 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
2268 configure.
2269 - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
2270 upstream
2271 - Build using lua5.2.
2272 - d/tests/chroot: dep8 test for ChrootDir case.
2273 - d/tests/ssl-passphrase: update for new default path /var/www/html.
2274 - d/tests/duplicate-module-load: check for duplicate module loads.
2275 - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
2276 - d/p/split-logfile.patch: fix completely broken split-logfile command
2277 (LP: #1299162). Thanks to Holger Mauermann.
2278 * Drop changes (upstreamed):
2279 - d/p/ignore-quilt-dir: adjust build system so that it does not use
2280 files find inside the .pc directory. This stops a double module load
2281 causing later havoc, including "ChrootDir" directive failure.
2282 - debian/patches/CVE-2013-6438.patch: properly calculate correct length
2283 in modules/dav/main/util.c.
2284 - debian/patches/CVE-2014-0098.patch: properly parse tokens in
2285 modules/loggers/mod_log_config.c.
2286 * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
2287
2288 -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 May 2014 19:30:04 +0000
2289
1084apache2 (2.4.9-1) unstable; urgency=medium2290apache2 (2.4.9-1) unstable; urgency=medium
10852291
1086 * New upstream version.2292 * New upstream version.
@@ -1113,6 +2319,63 @@ apache2 (2.4.9-1) unstable; urgency=medium
11132319
1114 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +01002320 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +0100
11152321
2322apache2 (2.4.7-1ubuntu4) trusty; urgency=medium
2323
2324 * d/p/split-logfile.patch: fix completely broken split-logfile command
2325 (LP: #1299162). Thanks to Holger Mauermann.
2326
2327 -- Robie Basak <robie.basak@ubuntu.com> Thu, 03 Apr 2014 11:21:22 +0000
2328
2329apache2 (2.4.7-1ubuntu3) trusty; urgency=medium
2330
2331 * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
2332 calculation
2333 - debian/patches/CVE-2013-6438.patch: properly calculate correct length
2334 in modules/dav/main/util.c.
2335 - CVE-2013-6438
2336 * SECURITY UPDATE: denial of service via truncated cookie and
2337 mod_log_config
2338 - debian/patches/CVE-2014-0098.patch: properly parse tokens in
2339 modules/loggers/mod_log_config.c.
2340 - CVE-2014-0098
2341
2342 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Mar 2014 08:34:10 -0400
2343
2344apache2 (2.4.7-1ubuntu2) trusty; urgency=medium
2345
2346 * d/index.html: replace Debian with Ubuntu on default page
2347 (LP: #1288690).
2348
2349 -- Robie Basak <robie.basak@ubuntu.com> Wed, 19 Mar 2014 11:04:21 +0000
2350
2351apache2 (2.4.7-1ubuntu1) trusty; urgency=medium
2352
2353 * Merge from Debian unstable. Remaining changes:
2354 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2355 apache2.dirs}: Add ufw profiles.
2356 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2357 - d/control, d/config-dir/mods-available/ssl.conf,
2358 d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase:
2359 Plymouth aware passphrase dialog program ask-for-passphrase.
2360 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
2361 to configure.
2362 - debian/patches/086_svn_cross_compiles: Backport several cross fixes
2363 from upstream
2364 - Build using lua5.2.
2365 - d/tests/chroot: dep8 test for ChrootDir case.
2366 - d/p/ignore-quilt-dir: adjust build system so that it does not use
2367 files find inside the .pc directory. This stops a double module load
2368 causing later havoc, including "ChrootDir" directive failure.
2369 * Drop changes:
2370 - debian/{control, rules}: Enable PIE hardening: no longer required;
2371 2.4.7-1 is already hardened.
2372 - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved
2373 out of this package.
2374 * d/tests/ssl-passphrase: update for new default path /var/www/html.
2375 * d/tests/duplicate-module-load: check for duplicate module loads.
2376
2377 -- Robie Basak <robie.basak@ubuntu.com> Tue, 14 Jan 2014 17:23:47 +0000
2378
1116apache2 (2.4.7-1) unstable; urgency=low2379apache2 (2.4.7-1) unstable; urgency=low
11172380
1118 New upstream version2381 New upstream version
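Review bot: The 2.4.7-1ubuntu1 entry drops the "Enable PIE hardening" delta with only "2.4.7-1 is already hardened" as the reason, which gives a later merger nothing to re-check. Since this is a security-relevant drop, the entry would be stronger if it named where the hardening now comes from.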
@@ -1176,6 +2439,53 @@ apache2 (2.4.6-3) unstable; urgency=low
11762439
1177 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +02002440 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +0200
11782441
2442apache2 (2.4.6-2ubuntu4) trusty; urgency=low
2443
2444 * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so
2445 that it does not use files find inside the .pc directory. This stops a
2446 double module load causing later havoc, including "ChrootDir" directive
2447 failure (LP: #1251939). Thanks to Stefan Fritsch.
2448 * d/tests/chroot: dep8 test for ChrootDir case.
2449
2450 -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 Nov 2013 16:21:51 +0000
2451
2452apache2 (2.4.6-2ubuntu3) trusty; urgency=low
2453
2454 * debian/apache2.install: Correct path for ufw.
2455 (LP: #1252722)
2456
2457 -- Chuck Short <zulcss@ubuntu.com> Tue, 19 Nov 2013 08:59:54 -0500
2458
2459apache2 (2.4.6-2ubuntu2) saucy; urgency=low
2460
2461 * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes
2462 passphrase prompting for SSL certificates that are passphrase protected.
2463 * Add dep8 test for SSL passphrase prompting.
2464
2465 -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 Aug 2013 13:08:52 +0000
2466
2467apache2 (2.4.6-2ubuntu1) saucy; urgency=low
2468
2469 * Merge from Debian unstable. Remaining changes:
2470 - debian/{control, rules}: Enable PIE hardening.
2471 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2472 apache2.dirs}: Add ufw profiles.
2473 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2474 - debian/control, debian/config-dir/mods-available/ssl.conf,
2475 debian/ask-for-passphrase, debian/apache2.install: Plymouth aware
2476 passphrase dialog program ask-for-passphrase.
2477 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
2478 to configure.
2479 - debian/patches/086_svn_cross_compiles: Backport several cross fixes
2480 from upstream
2481 * Dropped changes:
2482 - debian/patches/CVE-2013-1896.patch: upstream
2483 * Fixed module dependencies (LP: #1205314)
2484 - debian/config-dir/mods-available/lbmethod_*: properly specify
2485 proxy_balancer, not mod_proxy_balancer.
2486
2487 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Jul 2013 08:31:33 -0400
2488
1179apache2 (2.4.6-2) unstable; urgency=low2489apache2 (2.4.6-2) unstable; urgency=low
11802490
1181 [ Stefan Fritsch ]2491 [ Stefan Fritsch ]
@@ -1228,6 +2538,56 @@ apache2 (2.4.6-1) unstable; urgency=low
12282538
1229 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +02002539 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +0200
12302540
2541apache2 (2.4.4-6ubuntu5) saucy; urgency=low
2542
2543 * SECURITY UPDATE: denial of service via MERGE request
2544 - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
2545 in modules/dav/main/mod_dav.c.
2546 - CVE-2013-1896
2547
2548 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Jul 2013 11:20:47 -0400
2549
2550apache2 (2.4.4-6ubuntu4) saucy; urgency=low
2551
2552 * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to
2553 apache2-bin. apache2-utils is only suggested by apache2, so may not
2554 always be installed by bug reporters. However, apache2-bin will always
2555 need to be installed for Apache to be functional, so this is a better
2556 place for the apport hook. apache2-bin already Conflicts/Replaces
2557 apache2.2-common, so this also fixes (LP: #1199318).
2558 * d/apache2.py: adjust apport hook for new location of configuration
2559 files in apache2 >= 2.4: they have moved from apache2.2-common to
2560 apache2.
2561
2562 -- Robie Basak <robie.basak@ubuntu.com> Wed, 17 Jul 2013 17:54:22 +0000
2563
2564apache2 (2.4.4-6ubuntu3) saucy; urgency=low
2565
2566 * Build using lua5.2.
2567
2568 -- Matthias Klose <doko@ubuntu.com> Wed, 17 Jul 2013 14:24:42 +0200
2569
2570apache2 (2.4.4-6ubuntu2) saucy; urgency=low
2571
2572 * debian/rules: Fix FTBFS while installing ufw.
2573
2574 -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 10:10:14 -0500
2575
2576apache2 (2.4.4-6ubuntu1) saucy; urgency=low
2577
2578 * Merge from Debian unstable. Remaining changes:
2579 - debian/{control, rules}: Enable PIE hardening.
2580 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2581 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2582 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2583 Plymouth aware passphrase dialog program ask-for-passphrase.
2584 * Dropped changes:
2585 - debian/patches/CVE-2012-2687.patch: Dropped no longer needed.
2586 - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed.
2587 - debian/patches/CVE-2012-4929.patch: Dropped no longer needed.
2588
2589 -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 08:34:01 -0500
2590
1231apache2 (2.4.4-6) unstable; urgency=low2591apache2 (2.4.4-6) unstable; urgency=low
12322592
1233 * Denote exact versions breaking gnome-user-share now that Gnome maintainers2593 * Denote exact versions breaking gnome-user-share now that Gnome maintainers
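Review bot: The 2.4.4-6ubuntu1 entry drops CVE-2012-2687.patch, CVE-2012-3499_4558.patch and CVE-2012-4929.patch with only "Dropped no longer needed", without saying whether the fixes are present in the 2.4.4 upstream source. Other entries in this changelog use "applied upstream" for that case. The same wording here would let a reader confirm that no fix was lost in the move from 2.2 to 2.4.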
@@ -1699,6 +3059,122 @@ apache2 (2.4.1-1) experimental; urgency=low
16993059
1700 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +01003060 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +0100
17013061
3062apache2 (2.2.22-6ubuntu5) raring; urgency=low
3063
3064 * SECURITY UPDATE: multiple cross-site scripting issues
3065 - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
3066 modules/generators/{mod_info.c,mod_status.c},
3067 modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
3068 modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
3069 - CVE-2012-3499
3070 - CVE-2012-4558
3071 * SECURITY UPDATE: symlink attack in apache2ctl script
3072 - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
3073 - Thanks to Stefan Fritsch for the fix.
3074 - CVE-2013-1048
3075
3076 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 15 Mar 2013 07:59:58 -0400
3077
3078apache2 (2.2.22-6ubuntu4) raring; urgency=low
3079
3080 * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
3081 * Skip module sanity check between MPMs if cross-building without the
3082 kernel/binfmt support to run our target binaries on the build system.
3083 * Backport several cross fixes from upstream as 086_svn_cross_compiles.
3084
3085 -- Adam Conrad <adconrad@ubuntu.com> Wed, 05 Dec 2012 02:21:46 -0700
3086
3087apache2 (2.2.22-6ubuntu3) raring; urgency=low
3088
3089 * SECURITY UPDATE: XSS vulnerability in mod_negotiation
3090 - debian/patches/CVE-2012-2687.patch: escape filenames in
3091 modules/mappers/mod_negotiation.c.
3092 - CVE-2012-2687
3093 * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
3094 - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
3095 directive. Defaults to off as enabling compression enables the CRIME
3096 attack.
3097 - CVE-2012-4929
3098
3099 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 08 Nov 2012 17:56:24 -0500
3100
3101apache2 (2.2.22-6ubuntu2) quantal; urgency=low
3102
3103 * debian/apache2.py
3104 - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171)
3105 - Check if this directory exists: /etc/apache2/sites-enabled/
3106
3107 -- Matthieu Baerts (matttbe) <matttbe@gmail.com> Mon, 16 Jul 2012 10:02:18 +0200
3108
3109apache2 (2.2.22-6ubuntu1) quantal; urgency=low
3110
3111 * Merge from Debian unstable. Remaining changes:
3112 - debian/{control, rules}: Enable PIE hardening.
3113 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3114 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3115 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3116 Plymouth aware passphrase dialog program ask-for-passphrase.
3117 * Dropped changes:
3118 - debian/control: Add bzr tag and point it to our tree; this is not
3119 really required and just increases the delta.
3120
3121 -- Robie Basak <robie.basak@ubuntu.com> Fri, 08 Jun 2012 11:37:31 +0100
3122
3123apache2 (2.2.22-6) unstable; urgency=low
3124
3125 [ Stefan Fritsch ]
3126 * Fix regression causing apache2 to cache "206 partial content" responses,
3127 and then serving these partial responses when replying to normal requests.
3128 Closes: #671204
3129 * Add section to security.conf that shows how to forbid access to VCS
3130 directories. Closes: #548213
3131 * Update ssl default cipher config, add alternative speed optimized config.
3132 Closes: #649020
3133 * Add "AddCharset" for .brf files in default mod_mime config.
3134 Closes: #402567
3135 * Don't create httpd.conf anymore and don't include it in apache2.conf. If
3136 it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
3137 * Port some of the comments in apache2.conf from the 2.4 package.
3138 * Compile mod_version statically, drop associated module load file.
3139 * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
3140 configtest.
3141 * Note in README.Debian that future versions of the package will have the
3142 include statements changed to include only *.conf.
3143 * Change compiled-in document root to /var/www, to avoid strange error
3144 messages.
3145 * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
3146
3147 [ Arno Töll ]
3148 * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
3149 to override LDFLAGS at compile time by defining LDLAGS in the environment,
3150 just like it is possible for CFLAGS. This also means, config_vars.mk now
3151 exports hardening build flags by default.
3152 * Update doc-base metadata for the apache2-doc package.
3153
3154 -- Stefan Fritsch <sf@debian.org> Tue, 29 May 2012 22:05:48 +0200
3155
3156apache2 (2.2.22-5) unstable; urgency=low
3157
3158 * Make LoadFile and LoadModule look in the standard search paths if the
3159 dso file name is given as a pure filename. This helps with the multi-arch
3160 transition.
3161
3162 -- Stefan Fritsch <sf@debian.org> Mon, 30 Apr 2012 23:38:33 +0200
3163
3164apache2 (2.2.22-4) unstable; urgency=high
3165
3166 * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
3167 hosts' config files.
3168 If scripting modules like mod_php or mod_rivet are enabled on systems
3169 where either 1) some frontend server forwards connections to an apache2
3170 backend server on the localhost address, or 2) the machine running
3171 apache2 is also used for web browsing, this could allow a remote
3172 attacker to execute example scripts stored under /usr/share/doc.
3173 Depending on the installed packages, this could lead to issues like cross
3174 site scripting, code execution, or leakage of sensitive data.
3175
3176 -- Stefan Fritsch <sf@debian.org> Sun, 15 Apr 2012 23:41:43 +0200
3177
1702apache2 (2.2.22-3) unstable; urgency=low3178apache2 (2.2.22-3) unstable; urgency=low
17033179
1704 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':3180 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
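Review bot: The entries for 2.2.22-6, 2.2.22-5 and 2.2.22-4 added in this hunk are Debian "unstable" uploads signed by Stefan Fritsch rather than Ubuntu delta, and the surrounding context shows the target changelog going straight from 2.4.1-1 to 2.2.22-3. Please confirm they are carried on purpose, since 2.2.22-4 is the entry that documents the CVE-2012-0216 fix. Separately, "LDLAGS" in the 2.2.22-6 entry ("by defining LDLAGS in the environment") looks like a typo for LDFLAGS.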
@@ -1719,6 +3195,18 @@ apache2 (2.2.22-2) unstable; urgency=low
17193195
1720 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +01003196 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +0100
17213197
3198apache2 (2.2.22-1ubuntu1) precise; urgency=low
3199
3200 * Merge from Debian testing. Remaining changes:
3201 - debian/{control, rules}: Enable PIE hardening.
3202 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3203 - debian/control: Add bzr tag and point it to our tree
3204 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3205 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3206 Plymouth aware passphrase dialog program ask-for-passphrase.
3207
3208 -- Chuck Short <zulcss@ubuntu.com> Sun, 12 Feb 2012 20:06:35 -0500
3209
1722apache2 (2.2.22-1) unstable; urgency=low3210apache2 (2.2.22-1) unstable; urgency=low
17233211
1724 [ Stefan Fritsch ]3212 [ Stefan Fritsch ]
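Review bot: The line "- debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:" in the 2.2.22-1ubuntu1 entry runs past 80 columns. It would read better wrapped after the second path, as the 2.4.6-2ubuntu1 entry does for the same item.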
@@ -1736,6 +3224,18 @@ apache2 (2.2.22-1) unstable; urgency=low
17363224
1737 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +01003225 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +0100
17383226
3227apache2 (2.2.21-5ubuntu1) precise; urgency=low
3228
3229 * Merge from Debian testing. Remaining changes:
3230 - debian/{control, rules}: Enable PIE hardening.
3231 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3232 - debian/control: Add bzr tag and point it to our tree
3233 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3234 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3235 Plymouth aware passphrase dialog program ask-for-passphrase.
3236
3237 -- Chuck Short <zulcss@ubuntu.com> Mon, 09 Jan 2012 06:26:31 +0000
3238
1739apache2 (2.2.21-5) unstable; urgency=low3239apache2 (2.2.21-5) unstable; urgency=low
17403240
1741 [ Arno Töll ]3241 [ Arno Töll ]
@@ -1789,6 +3289,26 @@ apache2 (2.2.21-4) unstable; urgency=low
17893289
1790 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +01003290 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +0100
17913291
3292apache2 (2.2.21-3ubuntu2) precise; urgency=low
3293
3294 * d/ask-for-passphrase: Flip the logic of this script so that it checks
3295 first to see if apache is being started from a TTY, and then if not,
3296 tries plymouth. (LP: #887410)
3297
3298 -- Clint Byrum <clint@ubuntu.com> Tue, 06 Dec 2011 16:49:33 -0800
3299
3300apache2 (2.2.21-3ubuntu1) precise; urgency=low
3301
3302 * Merge from Debian testing. Remaining changes:
3303 - debian/{control, rules}: Enable PIE hardening.
3304 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3305 - debian/control: Add bzr tag and point it to our tree
3306 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3307 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3308 Plymouth aware passphrase dialog program ask-for-passphrase.
3309
3310 -- Chuck Short <zulcss@ubuntu.com> Fri, 09 Dec 2011 05:20:43 +0000
3311
1792apache2 (2.2.21-3) unstable; urgency=medium3312apache2 (2.2.21-3) unstable; urgency=medium
17933313
1794 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some3314 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
@@ -1803,6 +3323,24 @@ apache2 (2.2.21-3) unstable; urgency=medium
18033323
1804 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +01003324 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +0100
18053325
3326apache2 (2.2.21-2ubuntu2) precise; urgency=low
3327
3328 * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
3329
3330 -- Adam Conrad <adconrad@ubuntu.com> Fri, 02 Dec 2011 17:36:28 -0700
3331
3332apache2 (2.2.21-2ubuntu1) precise; urgency=low
3333
3334 * Merge from debian unstable. Remaining changes:
3335 - debian/{control, rules}: Enable PIE hardening.
3336 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3337 - debian/control: Add bzr tag and point it to our tree
3338 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3339 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3340 Plymouth aware passphrase dialog program ask-for-passphrase.
3341
3342 -- Chuck Short <zulcss@ubuntu.com> Fri, 14 Oct 2011 16:01:29 +0000
3343
1806apache2 (2.2.21-2) unstable; urgency=high3344apache2 (2.2.21-2) unstable; urgency=high
18073345
1808 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some3346 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
@@ -1820,6 +3358,19 @@ apache2 (2.2.21-1) unstable; urgency=low
18203358
1821 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +02003359 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +0200
18223360
3361apache2 (2.2.20-1ubuntu1) oneiric; urgency=low
3362
3363 * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
3364 Remaining changes:
3365 - debian/{control, rules}: Enable PIE hardening.
3366 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3367 - debian/control: Add bzr tag and point it to our tree
3368 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3369 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3370 Plymouth aware passphrase dialog program ask-for-passphrase.
3371
3372 -- Steve Beattie <sbeattie@ubuntu.com> Tue, 06 Sep 2011 01:17:15 -0700
3373
1823apache2 (2.2.20-1) unstable; urgency=low3374apache2 (2.2.20-1) unstable; urgency=low
18243375
1825 * New upstream release.3376 * New upstream release.
@@ -1842,6 +3393,18 @@ apache2 (2.2.19-2) unstable; urgency=high
18423393
1843 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +02003394 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +0200
18443395
3396apache2 (2.2.19-1ubuntu1) oneiric; urgency=low
3397
3398 * Merge from debian unstable (LP: #787013). Remaining changes:
3399 - debian/{control, rules}: Enable PIE hardening.
3400 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3401 - debian/control: Add bzr tag and point it to our tree
3402 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3403 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3404 Plymouth aware passphrase dialog program ask-for-passphrase.
3405
3406 -- Andres Rodriguez <andreserl@ubuntu.com> Mon, 23 May 2011 10:16:09 -0400
3407
1845apache2 (2.2.19-1) unstable; urgency=low3408apache2 (2.2.19-1) unstable; urgency=low
18463409
1847 * New upstream release.3410 * New upstream release.
@@ -1859,6 +3422,18 @@ apache2 (2.2.19-1) unstable; urgency=low
18593422
1860 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +02003423 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +0200
18613424
3425apache2 (2.2.17-3ubuntu1) oneiric; urgency=low
3426
3427 * Merge from debian unstable. Remaining changes:
3428 - debian/{control, rules}: Enable PIE hardening.
3429 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3430 - debian/control: Add bzr tag and point it to our tree
3431 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3432 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3433 Plymouth aware passphrase dialog program ask-for-passphrase.
3434
3435 -- Chuck Short <zulcss@ubuntu.com> Mon, 11 Apr 2011 02:13:30 +0100
3436
1862apache2 (2.2.17-3) unstable; urgency=low3437apache2 (2.2.17-3) unstable; urgency=low
18633438
1864 * Fix compilation with OpenSSL without SSLv2 support. Closes: #6220493439 * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
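Review bot: the re-added 2.2.17-3ubuntu1 entry carries two misspelled paths in its apport hook line, `debain/apache2.py` and `debian/apache2.2-common.isntall`. If the goal of this hunk is to restore the previously published Ubuntu changelog text unchanged, leave them and say so in the merge notes; otherwise correct both, since a search of the changelog for `debian/apache2.py` will miss this entry.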
@@ -1885,6 +3460,18 @@ apache2 (2.2.17-2) unstable; urgency=high
18853460
1886 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +01003461 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +0100
18873462
3463apache2 (2.2.17-1ubuntu1) natty; urgency=low
3464
3465 * Merge from debian unstable, remaining changes:
3466 - debian/{control, rules}: Enable PIE hardening.
3467 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3468 - debian/control: Add bzr tag and point it to our tree
3469 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3470 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3471 Plymouth aware passphrase dialog program ask-for-passphrase.
3472
3473 -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Feb 2011 13:02:08 -0500
3474
1888apache2 (2.2.17-1) unstable; urgency=low3475apache2 (2.2.17-1) unstable; urgency=low
18893476
1890 * New upstream version3477 * New upstream version
@@ -1893,6 +3480,32 @@ apache2 (2.2.17-1) unstable; urgency=low
18933480
1894 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +01003481 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +0100
18953482
3483apache2 (2.2.16-6ubuntu3) natty; urgency=low
3484
3485 * debian/rules: Don't use "-fno-strict-aliasing" since it causes
3486 apache FTBFS on amd64. (LP: #711293)
3487
3488 -- Chuck Short <zulcss@ubuntu.com> Tue, 01 Feb 2011 10:19:55 -0500
3489
3490apache2 (2.2.16-6ubuntu2) natty; urgency=low
3491
3492 * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug.
3493 (LP: #697105)
3494
3495 -- Chuck Short <zulcss@ubuntu.com> Tue, 25 Jan 2011 11:14:58 -0500
3496
3497apache2 (2.2.16-6ubuntu1) natty; urgency=low
3498
3499 * Merge from debian unstable. Remaining changes:
3500 - debian/{control, rules}: Enable PIE hardening.
3501 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3502 - debian/control: Add bzr tag and point it to our tree
3503 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3504 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3505 Plymouth aware passphrase dialog program ask-for-passphrase.
3506
3507 -- Chuck Short <zulcss@ubuntu.com> Sun, 02 Jan 2011 06:05:51 +0000
3508
1896apache2 (2.2.16-6) unstable; urgency=low3509apache2 (2.2.16-6) unstable; urgency=low
18973510
1898 * Also add $named to the secondary-init-script example.3511 * Also add $named to the secondary-init-script example.
@@ -1908,6 +3521,30 @@ apache2 (2.2.16-5) unstable; urgency=medium
19083521
1909 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +01003522 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +0100
19103523
3524apache2 (2.2.16-4ubuntu2) natty; urgency=low
3525
3526 [Clint Byrum]
3527 * Adding plymouth aware passphrase dialog program ask-for-passphrase.
3528 (LP: #582963)
3529 + debian/control: apache2.2-common depends on bash for ask-for-passphrase
3530 + debian/config-dir/mods-available/ssl.conf:
3531 - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase
3532
3533 [Chuck Short]
3534 * Add apport hook. (LP: #609177)
3535 + debian/apache2.py, debian/apache2.2-common.install
3536
3537 -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:43 -0500
3538
3539apache2 (2.2.16-4ubuntu1) natty; urgency=low
3540
3541 * Merge from debian unstable. Remaining changes:
3542 - debian/{control, rules}: Enable PIE hardening.
3543 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3544 - debian/control: Add bzr tag and point it to our tree
3545
3546 -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:41 -0500
3547
1911apache2 (2.2.16-4) unstable; urgency=medium3548apache2 (2.2.16-4) unstable; urgency=medium
19123549
1913 * Increase the mod_reqtimeout default timeouts to avoid potential problems3550 * Increase the mod_reqtimeout default timeouts to avoid potential problems
@@ -1918,6 +3555,15 @@ apache2 (2.2.16-4) unstable; urgency=medium
19183555
1919 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +01003556 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +0100
19203557
3558apache2 (2.2.16-3ubuntu1) natty; urgency=low
3559
3560 * Merge from debian unstable. Remaining changes:
3561 - debian/{control, rules}: Enable PIE hardening.
3562 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3563 - debian/control: Add bzr tag and point it to our tree.
3564
3565 -- Chuck Short <zulcss@ubuntu.com> Tue, 12 Oct 2010 11:54:48 +0100
3566
1921apache2 (2.2.16-3) unstable; urgency=high3567apache2 (2.2.16-3) unstable; urgency=high
19223568
1923 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.3569 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
@@ -1940,6 +3586,30 @@ apache2 (2.2.16-2) unstable; urgency=low
19403586
1941 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +02003587 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +0200
19423588
3589apache2 (2.2.16-1ubuntu3) maverick; urgency=low
3590
3591 * Revert "stty sane" to unbreak apache starting, this will have to be
3592 fixed a different way. (LP: #626723)
3593
3594 -- Chuck Short <zulcss@ubuntu.com> Wed, 08 Sep 2010 08:33:17 -0400
3595
3596apache2 (2.2.16-1ubuntu2) maverick; urgency=low
3597
3598 * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a
3599 password prompt when using apache-ssl. (LP: #582963)
3600
3601 -- Chuck Short <zulcss@ubuntu.com> Wed, 25 Aug 2010 09:25:05 -0400
3602
3603apache2 (2.2.16-1ubuntu1) maverick; urgency=low
3604
3605 * Merge from debian unstable. Remaining changes:
3606 - debian/{control, rules}: Enable PIE hardening.
3607 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3608 - debian/control: Add bzr tag and point it to our tree.
3609 - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
3610
3611 -- Chuck Short <zulcss@ubuntu.com> Mon, 26 Jul 2010 20:21:37 +0100
3612
1943apache2 (2.2.16-1) unstable; urgency=medium3613apache2 (2.2.16-1) unstable; urgency=medium
19443614
1945 * Urgency medium for security fix.3615 * Urgency medium for security fix.
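Review bot: the graceful restart item in the 2.2.16-1ubuntu1 entry names the init script `debian/apache2-2.common.apache2.init`, while the 2.2.16-1ubuntu2 entry in the same hunk writes `debian/apache2.2-common.apache2.init`. Since the merge description says the graceful delta is dropped in this merge, anyone auditing that delta through the changelog has to search for both spellings; a line in the new top entry naming the dropped change and LP: #456381 would make the history easier to follow without touching the historical text.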
@@ -1972,6 +3642,24 @@ apache2 (2.2.15-6) unstable; urgency=low
19723642
1973 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +02003643 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +0200
19743644
3645apache2 (2.2.15-5ubuntu1) maverick; urgency=low
3646
3647 * Merge from debian unstable. Remaining changes:
3648 - debian/{control, rules}: Enable PIE hardening.
3649 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3650 - debian/control: Add bzr tag and point it to our tree.
3651 - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
3652 + Dropped:
3653 - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
3654 - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
3655 - debian/config-dir/apache2.conf: Merged back from debian.
3656 - mod-reqtimeout functionality: Merge back from debian.
3657 - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
3658 - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
3659 - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.
3660
3661 -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 01:28:04 +0100
3662
1975apache2 (2.2.15-5) unstable; urgency=low3663apache2 (2.2.15-5) unstable; urgency=low
19763664
1977 * Conflict with apache package as we now include apachectl. Closes: #5790653665 * Conflict with apache package as we now include apachectl. Closes: #579065
@@ -2092,6 +3780,80 @@ apache2 (2.2.14-6) unstable; urgency=low
20923780
2093 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +01003781 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +0100
20943782
3783apache2 (2.2.14-5ubuntu8) lucid; urgency=low
3784
3785 * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
3786 (LP: #562370)
3787
3788 -- Chuck Short <zulcss@ubuntu.com> Tue, 13 Apr 2010 15:09:57 -0400
3789
3790apache2 (2.2.14-5ubuntu7) lucid; urgency=low
3791
3792 * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
3793 leaks by making sure to not destroy bucket brigades that have been created
3794 by earlier filters. Backported from 2.2.15.
3795 * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
3796 has reached MaxClients until it has. Backported from 2.2.15
3797 * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
3798 more secure by adding Satisfy all. (Debian bug: #572075)
3799 * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
3800 debian/config2-dir/mods-available/reqtimeout.load,
3801 debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the
3802 mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
3803 bug in apache. Enable it by default. (LP: #392759)
3804
3805 -- Chuck Short <zulcss@ubuntu.com> Mon, 05 Apr 2010 09:53:35 -0400
3806
3807apache2 (2.2.14-5ubuntu6) lucid; urgency=low
3808
3809 * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)
3810
3811 -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 09:41:11 -0400
3812
3813apache2 (2.2.14-5ubuntu5) lucid; urgency=low
3814
3815 * Revert 99-fix-mod-dav-permissions.dpatch
3816
3817 -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 07:55:46 -0400
3818
3819apache2 (2.2.14-5ubuntu4) lucid; urgency=low
3820
3821 * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when
3822 downloading files from webdav (LP: #540747)
3823 * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)
3824
3825 -- Chuck Short <zulcss@ubuntu.com> Mon, 29 Mar 2010 13:37:39 -0400
3826
3827apache2 (2.2.14-5ubuntu3) lucid; urgency=low
3828
3829 * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
3830 - debian/patches/204_CVE-2010-0408.dpatch: return the right error code
3831 in modules/proxy/mod_proxy_ajp.c.
3832 - CVE-2010-0408
3833 * SECURITY UPDATE: information disclosure via improper handling of
3834 headers in subrequests
3835 - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in
3836 in server/protocol.c.
3837 - CVE-2010-0434
3838
3839 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Mar 2010 14:48:48 -0500
3840
3841apache2 (2.2.14-5ubuntu2) lucid; urgency=low
3842
3843 * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really
3844 wacky options. (LP: #450501)
3845
3846 -- Chuck Short <zulcss@ubuntu.com> Mon, 08 Mar 2010 14:53:17 -0500
3847
3848apache2 (2.2.14-5ubuntu1) lucid; urgency=low
3849
3850 * Merge from debian testing. Remaining changes: LP: #506862
3851 - debian/{control, rules}: Enable PIE hardening.
3852 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3853 - debian/control: Add bzr tag and point it to our tree.
3854
3855 -- Bhavani Shankar <right2bhavi@gmail.com> Wed, 13 Jan 2010 14:28:41 +0530
3856
2095apache2 (2.2.14-5) unstable; urgency=low3857apache2 (2.2.14-5) unstable; urgency=low
20963858
2097 * Security: Further mitigation for the TLS renegotation attack3859 * Security: Further mitigation for the TLS renegotation attack
@@ -2115,6 +3877,15 @@ apache2 (2.2.14-5) unstable; urgency=low
21153877
2116 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +01003878 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +0100
21173879
3880apache2 (2.2.14-4ubuntu1) lucid; urgency=low
3881
3882 * Resynchronzie with Debian, remaining changes are:
3883 - debian/{control, rules}: Enable PIE hardening.
3884 - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
3885 - debian/control: Add bzr tag and point it to our tree.
3886
3887 -- Chuck Short <zulcss@ubuntu.com> Wed, 23 Dec 2009 14:44:51 -0500
3888
2118apache2 (2.2.14-4) unstable; urgency=low3889apache2 (2.2.14-4) unstable; urgency=low
21193890
2120 * Disable localized error pages again by default because they break3891 * Disable localized error pages again by default because they break
@@ -2165,6 +3936,17 @@ apache2 (2.2.14-2) unstable; urgency=medium
21653936
2166 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +01003937 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +0100
21673938
3939apache2 (2.2.14-1ubuntu1) lucid; urgency=low
3940
3941 * Merge from debian testing, remaining changes:
3942 - debian/{control, rules}: Enable PIE hardening.
3943 - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
3944 - debian/conrol: Add bzr tag and point it to our tree.
3945 - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
3946 Already applied upstream.
3947
3948 -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 00:29:03 +0000
3949
2168apache2 (2.2.14-1) unstable; urgency=low3950apache2 (2.2.14-1) unstable; urgency=low
21693951
2170 * New upstream version:3952 * New upstream version:
@@ -2199,6 +3981,24 @@ apache2 (2.2.13-1) unstable; urgency=low
21993981
2200 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +02003982 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +0200
22013983
3984apache2 (2.2.12-1ubuntu2) karmic; urgency=low
3985
3986 * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
3987 - Fix potential segfaults with the use of the legacy ap_rputs() etc
3988 interfaces, in cases where an output filter fails. This happens
3989 frequently after CVE-2009-1891 got fixed. (LP: #409987)
3990
3991 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 17 Aug 2009 15:38:47 -0400
3992
3993apache2 (2.2.12-1ubuntu1) karmic; urgency=low
3994
3995 * Merge from debian unstable, remaining changes:
3996 - debian/{control,rules}: enable PIE hardening.
3997 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
3998 - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.
3999
4000 -- Chuck Short <zulcss@ubuntu.com> Tue, 04 Aug 2009 20:04:24 +0100
4001
2202apache2 (2.2.12-1) unstable; urgency=low4002apache2 (2.2.12-1) unstable; urgency=low
22034003
2204 * New upstream release:4004 * New upstream release:
@@ -2246,6 +4046,16 @@ apache2 (2.2.12-1) unstable; urgency=low
22464046
2247 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +02004047 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +0200
22484048
4049apache2 (2.2.11-7ubuntu1) karmic; urgency=low
4050
4051 * Merge from debian unstable, remaining changes: LP: #398130
4052 - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
4053 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4054 - debian/{control,rules}: enable PIE hardening.
4055 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4056
4057 -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 11 Jul 2009 16:34:32 +0530
4058
2249apache2 (2.2.11-7) unstable; urgency=low4059apache2 (2.2.11-7) unstable; urgency=low
22504060
2251 * Security fixes:4061 * Security fixes:
@@ -2260,6 +4070,16 @@ apache2 (2.2.11-7) unstable; urgency=low
22604070
2261 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +02004071 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +0200
22624072
4073apache2 (2.2.11-6ubuntu1) karmic; urgency=low
4074
4075 * Merge from debian unstable, remaining changes:
4076 - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
4077 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4078 - debian/{control,rules}: enable PIE hardening.
4079 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4080
4081 -- Chuck Short <zulcss@ubuntu.com> Tue, 09 Jun 2009 01:01:23 +0100
4082
2263apache2 (2.2.11-6) unstable; urgency=high4083apache2 (2.2.11-6) unstable; urgency=high
22644084
2265 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server4085 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
@@ -2268,6 +4088,16 @@ apache2 (2.2.11-6) unstable; urgency=high
22684088
2269 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +02004089 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +0200
22704090
4091apache2 (2.2.11-5ubuntu1) karmic; urgency=low
4092
4093 * Merge from debian unstable, remaining changes:
4094 - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4095 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4096 - debian/{control,rules}: enable PIE hardening.
4097 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4098
4099 -- Andrew Mitchell <ajmitch@ubuntu.com> Wed, 03 Jun 2009 14:10:54 +1200
4100
2271apache2 (2.2.11-5) unstable; urgency=low4101apache2 (2.2.11-5) unstable; urgency=low
22724102
2273 * Move all binaries into a new package apache2.2-bin and make4103 * Move all binaries into a new package apache2.2-bin and make
@@ -2316,6 +4146,16 @@ apache2 (2.2.11-4) unstable; urgency=low
23164146
2317 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +02004147 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +0200
23184148
4149apache2 (2.2.11-3ubuntu1) karmic; urgency=low
4150
4151 * Merge from debian unstable, remaining changes:
4152 - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4153 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4154 - debian/{control,rules}: enable PIE hardening.
4155 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4156
4157 -- Andrew Mitchell <ajmitch@ubuntu.com> Tue, 12 May 2009 16:15:34 +1200
4158
2319apache2 (2.2.11-3) unstable; urgency=low4159apache2 (2.2.11-3) unstable; urgency=low
23204160
2321 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap4161 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
@@ -2324,6 +4164,21 @@ apache2 (2.2.11-3) unstable; urgency=low
23244164
2325 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +02004165 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +0200
23264166
4167apache2 (2.2.11-2ubuntu2) jaunty; urgency=low
4168
4169 * debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4170 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4171
4172 -- Chuck Short <zulcss@ubuntu.com> Wed, 01 Apr 2009 11:39:17 -0400
4173
4174apache2 (2.2.11-2ubuntu1) jaunty; urgency=low
4175
4176 * Merge from debian unstable, remaining changes:
4177 - debian/{contro,rules}: enable PIE hardening.
4178 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4179
4180 -- Chuck Short <zulcss@ubuntu.com> Sat, 17 Jan 2009 00:02:55 +0000
4181
2327apache2 (2.2.11-2) unstable; urgency=low4182apache2 (2.2.11-2) unstable; urgency=low
23284183
2329 * Report an error instead instead of segfaulting when apr_pollset_create4184 * Report an error instead instead of segfaulting when apr_pollset_create
@@ -2333,6 +4188,14 @@ apache2 (2.2.11-2) unstable; urgency=low
23334188
2334 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +01004189 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +0100
23354190
4191apache2 (2.2.11-1ubuntu1) jaunty; urgency=low
4192
4193 * Merge from debian unstable, remaining changes:
4194 - debian/{control, rules}: enable PIE hardening.
4195 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4196
4197 -- Chuck Short <zulcss@ubuntu.com> Mon, 15 Dec 2008 00:06:50 +0000
4198
2336apache2 (2.2.11-1) unstable; urgency=low4199apache2 (2.2.11-1) unstable; urgency=low
23374200
2338 [Thom May]4201 [Thom May]
@@ -2347,6 +4210,14 @@ apache2 (2.2.11-1) unstable; urgency=low
23474210
2348 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +01004211 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +0100
23494212
4213apache2 (2.2.9-11ubuntu1) jaunty; urgency=low
4214
4215 * Merge from debian unstable, remaining changes: (LP: #303375)
4216 - debian/{control, rules}: enable PIE hardening.
4217 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4218
4219 -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 29 Nov 2008 14:02:31 +0530
4220
2350apache2 (2.2.9-11) unstable; urgency=low4221apache2 (2.2.9-11) unstable; urgency=low
23514222
2352 * Regression fix from upstream svn for mod_proxy:4223 * Regression fix from upstream svn for mod_proxy:
@@ -2361,6 +4232,14 @@ apache2 (2.2.9-11) unstable; urgency=low
23614232
2362 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +01004233 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +0100
23634234
4235apache2 (2.2.9-10ubuntu1) jaunty; urgency=low
4236
4237 * Merge from debian unstable, remaining changes:
4238 - debian/{control, rules}: enable PIE hardening.
4239 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4240
4241 -- Chuck Short <zulcss@ubuntu.com> Wed, 05 Nov 2008 02:23:18 -0400
4242
2364apache2 (2.2.9-10) unstable; urgency=low4243apache2 (2.2.9-10) unstable; urgency=low
23654244
2366 * Regression fix from upstream svn for mod_proxy_http:4245 * Regression fix from upstream svn for mod_proxy_http:
@@ -2391,6 +4270,27 @@ apache2 (2.2.9-8) unstable; urgency=low
23914270
2392 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +02004271 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +0200
23934272
4273apache2 (2.2.9-7ubuntu3) intrepid; urgency=low
4274
4275 * Revert logrotate change since it will break it for everyone.
4276
4277 -- Chuck Short <zulcss@ubuntu.com> Fri, 19 Sep 2008 09:32:01 -0400
4278
4279apache2 (2.2.9-7ubuntu2) intrepid; urgency=low
4280
4281 * debian/logrotate: Restart rather than reload for busy websites.
4282 (LP: #270899)
4283
4284 -- Chuck Short <zulcss@ubuntu.com> Thu, 18 Sep 2008 08:42:22 -0400
4285
4286apache2 (2.2.9-7ubuntu1) intrepid; urgency=low
4287
4288 * Merge from debian unstable, remaining changes:
4289 - debian/{control,rules}: enable PIE hardening.
4290 - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles.
4291
4292 -- Kees Cook <kees@ubuntu.com> Thu, 28 Aug 2008 08:10:59 -0700
4293
2394apache2 (2.2.9-7) unstable; urgency=low4294apache2 (2.2.9-7) unstable; urgency=low
23954295
2396 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).4296 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).
@@ -2433,6 +4333,23 @@ apache2 (2.2.9-4) unstable; urgency=low
24334333
2434 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +02004334 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +0200
24354335
4336apache2 (2.2.9-3ubuntu2) intrepid; urgency=low
4337
4338 * add ufw integration (see
4339 https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages)
4340 (LP: #261198)
4341 - debian/control: suggest ufw for apache2.2-common
4342 - add apache2.2-common.ufw.profile with 3 profiles and install it to
4343 /etc/ufw/applications.d/apache2.2-common
4344
4345 -- Didier Roche <didrocks@ubuntu-fr.org> Tue, 26 Aug 2008 19:03:42 +0200
4346
4347apache2 (2.2.9-3ubuntu1) intrepid; urgency=low
4348
4349 * debian/{control,rules}: enable PIE hardening
4350
4351 -- Kees Cook <kees@ubuntu.com> Wed, 20 Aug 2008 15:45:00 -0700
4352
2436apache2 (2.2.9-3) unstable; urgency=low4353apache2 (2.2.9-3) unstable; urgency=low
24374354
2438 [ Stefan Fritsch ]4355 [ Stefan Fritsch ]
@@ -4003,9 +5920,7 @@ apache2 (2.0.37-1) unstable; urgency=low
4003 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +01005920 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +0100
40045921
4005apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low5922apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low
4006
4007 * New upstream release5923 * New upstream release
4008
4009 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +01005924 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +0100
40105925
4011apache2 (2.0.36-2) unstable; urgency=low5926apache2 (2.0.36-2) unstable; urgency=low
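Review bot: in the 2.0.37+cvs.JCW_PRE2_2037-1 entry this hunk deletes the blank lines before and after `* New upstream release`, leaving the header, the change line and the trailer run together, unlike every other entry on the page. Nothing in the description explains it, so it looks like an accidental edit; restoring the two blank lines keeps the entry in the usual changelog layout and removes a gratuitous difference from debian/sid in a 2002 entry.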
@@ -4513,3 +6428,4 @@ apache2 (2.0.18-1) unstable; urgency=low
4513 * Initial Release.6428 * Initial Release.
45146429
4515 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +10006430 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +1000
6431
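Review bot: the only change in this hunk is a new empty line 6431 after the final trailer of the 2.0.18-1 entry. That is a whitespace-only delta against Debian at the end of the file, and it will show up again in every future merge; drop it unless the previously published Ubuntu changelog already ended this way.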
diff --git a/debian/control b/debian/control
index 5465d60..c80d798 100644
--- a/debian/control
+++ b/debian/control
@@ -1,5 +1,6 @@
1Source: apache21Source: apache2
2Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>2Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
3XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
3Uploaders: Stefan Fritsch <sf@debian.org>,4Uploaders: Stefan Fritsch <sf@debian.org>,
4 Arno Töll <arno@debian.org>,5 Arno Töll <arno@debian.org>,
5 Ondřej Surý <ondrej@debian.org>,6 Ondřej Surý <ondrej@debian.org>,
@@ -44,7 +45,8 @@ Depends: apache2-bin (= ${binary:Version}),
44Recommends: ssl-cert45Recommends: ssl-cert
45Suggests: apache2-doc,46Suggests: apache2-doc,
46 apache2-suexec-pristine | apache2-suexec-custom,47 apache2-suexec-pristine | apache2-suexec-custom,
47 www-browser48 www-browser,
49 ufw
48Pre-Depends: ${misc:Pre-Depends}50Pre-Depends: ${misc:Pre-Depends}
49Conflicts: apache2.2-bin,51Conflicts: apache2.2-bin,
50 apache2.2-common52 apache2.2-common
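Review bot: `ufw` is added to the Suggests of the stanza that depends on `apache2-bin (= ${binary:Version})`, but the profile in the file list is named debian/apache2-utils.ufw.profile. Please confirm that the package receiving the Suggests is the same one that ships the profile under /etc/ufw/applications.d, so the suggestion and the file it relates to do not end up in different binary packages.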
diff --git a/debian/icons/ubuntu-logo.png b/debian/icons/ubuntu-logo.png
51new file mode 10064453new file mode 100644
index 0000000..4db2fa1
52Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ54Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ
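Review bot: debian/icons/ubuntu-logo.png arrives as an opaque new binary (blob 4db2fa1), so the diff gives a reviewer nothing to read. Compare its checksum with the ubuntu-logo.png from the previous Ubuntu upload to confirm this is the carried-forward image and not a changed file, and record the result in the review.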
diff --git a/debian/index.html b/debian/index.html
index 766401d..96ed444 100644
--- a/debian/index.html
+++ b/debian/index.html
@@ -1,9 +1,14 @@
11
2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3<html xmlns="http://www.w3.org/1999/xhtml">3<html xmlns="http://www.w3.org/1999/xhtml">
4 <!--
5 Modified from the Debian original for Ubuntu
6 Last updated: 2016-11-16
7 See: https://launchpad.net/bugs/1288690
8 -->
4 <head>9 <head>
5 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />10 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
6 <title>Apache2 Debian Default Page: It works</title>11 <title>Apache2 Ubuntu Default Page: It works</title>
7 <style type="text/css" media="screen">12 <style type="text/css" media="screen">
8 * {13 * {
9 margin: 0px 0px 0px 0px;14 margin: 0px 0px 0px 0px;
@@ -188,9 +193,9 @@
188 <body>193 <body>
189 <div class="main_page">194 <div class="main_page">
190 <div class="page_header floating_element">195 <div class="page_header floating_element">
191 <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/>196 <img src="/icons/ubuntu-logo.png" alt="Ubuntu Logo" class="floating_element"/>
192 <span class="floating_element">197 <span class="floating_element">
193 Apache2 Debian Default Page198 Apache2 Ubuntu Default Page
194 </span>199 </span>
195 </div>200 </div>
196<!-- <div class="table_of_contents floating_element">201<!-- <div class="table_of_contents floating_element">
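Review bot: The new `src="/icons/ubuntu-logo.png"` on line 196 resolves only if the PNG is installed into the directory Apache serves as /icons, and nothing in this hunk shows that. Adding the file under debian/icons/ and listing it in debian/source/include-binaries covers the source package only; check that one of the .install changes in the file list ships it in the binary package, otherwise the default page renders with a broken image.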
@@ -221,7 +226,9 @@
221 <div class="content_section_text">226 <div class="content_section_text">
222 <p>227 <p>
223 This is the default welcome page used to test the correct 228 This is the default welcome page used to test the correct
224 operation of the Apache2 server after installation on Debian systems.229 operation of the Apache2 server after installation on Ubuntu systems.
230 It is based on the equivalent page on Debian, from which the Ubuntu Apache
231 packaging is derived.
225 If you can read this page, it means that the Apache HTTP server installed at232 If you can read this page, it means that the Apache HTTP server installed at
226 this site is working properly. You should <b>replace this file</b> (located at233 this site is working properly. You should <b>replace this file</b> (located at
227 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.234 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.
@@ -242,9 +249,9 @@
242 </div>249 </div>
243 <div class="content_section_text">250 <div class="content_section_text">
244 <p>251 <p>
245 Debian's Apache2 default configuration is different from the252 Ubuntu's Apache2 default configuration is different from the
246 upstream default configuration, and split into several files optimized for253 upstream default configuration, and split into several files optimized for
247 interaction with Debian tools. The configuration system is254 interaction with Ubuntu tools. The configuration system is
248 <b>fully documented in255 <b>fully documented in
249 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full256 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full
250 documentation. Documentation for the web server itself can be257 documentation. Documentation for the web server itself can be
@@ -253,7 +260,7 @@
253260
254 </p>261 </p>
255 <p>262 <p>
256 The configuration layout for an Apache2 web server installation on Debian systems is as follows:263 The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:
257 </p>264 </p>
258 <pre>265 <pre>
259/etc/apache2/266/etc/apache2/
@@ -324,7 +331,7 @@
324331
325 <div class="content_section_text">332 <div class="content_section_text">
326 <p>333 <p>
327 By default, Debian does not allow access through the web browser to334 By default, Ubuntu does not allow access through the web browser to
328 <em>any</em> file apart of those located in <tt>/var/www</tt>,335 <em>any</em> file apart of those located in <tt>/var/www</tt>,
329 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>336 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
330 directories (when enabled) and <tt>/usr/share</tt> (for web337 directories (when enabled) and <tt>/usr/share</tt> (for web
@@ -333,7 +340,7 @@
333 document root directory in <tt>/etc/apache2/apache2.conf</tt>.340 document root directory in <tt>/etc/apache2/apache2.conf</tt>.
334 </p>341 </p>
335 <p>342 <p>
336 The default Debian document root is <tt>/var/www/html</tt>. You343 The default Ubuntu document root is <tt>/var/www/html</tt>. You
337 can make your own virtual hosts under /var/www. This is different344 can make your own virtual hosts under /var/www. This is different
338 to previous releases which provides better security out of the box.345 to previous releases which provides better security out of the box.
339 </p>346 </p>
@@ -345,9 +352,9 @@
345 </div>352 </div>
346 <div class="content_section_text">353 <div class="content_section_text">
347 <p>354 <p>
348 Please use the <tt>reportbug</tt> tool to report bugs in the355 Please use the <tt>ubuntu-bug</tt> tool to report bugs in the
349 Apache2 package with Debian. However, check <a356 Apache2 package with Ubuntu. However, check <a
350 href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"357 href="https://bugs.launchpad.net/ubuntu/+source/apache2"
351 rel="nofollow">existing bug reports</a> before reporting a new bug.358 rel="nofollow">existing bug reports</a> before reporting a new bug.
352 </p>359 </p>
353 <p>360 <p>
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index d617b1d..823d9c0 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -17,6 +17,7 @@ debian/icons/odf6otp-20x22.png
17debian/icons/odf6ots-20x22.png17debian/icons/odf6ots-20x22.png
18debian/icons/odf6ott-20x22.png18debian/icons/odf6ott-20x22.png
19debian/icons/openlogo-75.png19debian/icons/openlogo-75.png
20debian/icons/ubuntu-logo.png
20debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml21debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml
21debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php22debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php
22debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml23debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml
