Merge ~bryce/ubuntu/+source/apache2:merge-v2.4.53-2-kinetic into ubuntu/+source/apache2:debian/sid

Proposed by Bryce Harrington
Status: Merged
Merge reported by: Bryce Harrington
Merged at revision: 664141ab1914122240001fcb45ec825ee3147bd8
Proposed branch: ~bryce/ubuntu/+source/apache2:merge-v2.4.53-2-kinetic
Merge into: ubuntu/+source/apache2:debian/sid
Diff against target: 2824 lines (+2129/-60)
10 files modified
debian/apache2-bin.install (+1/-0)
debian/apache2-utils.ufw.profile (+14/-0)
debian/apache2.dirs (+1/-0)
debian/apache2.install (+1/-0)
debian/apache2.postrm (+2/-0)
debian/apache2.py (+48/-0)
debian/changelog (+2006/-2)
debian/control (+4/-2)
debian/index.html (+51/-56)
debian/source/include-binaries (+1/-0)
Reviewers (status):
  - Andreas Hasenack: Approve
  - Canonical Server: Pending
  - git-ubuntu import: Pending
Review via email: mp+423205@code.launchpad.net

Description of the change

Merge with Debian's package. I summarized some of the recent changes in the ubuntu delta, and could go further in simplifying the changelog entry if you think it'd make sense, but have left it a bit on the verbose side for now.

Usual tags pushed for review:
  - tags/old/debian 365005afd
  - tags/new/debian 4f279c271
  - tags/old/ubuntu 4a109d807
  - tags/logical/2.4.52-1ubuntu4 3c6ba5780
  - tags/reconstruct/2.4.52-1ubuntu4 b9d7f3345
  - tags/split/2.4.52-1ubuntu4 c162ba5f1

I've verified it builds locally and the autopkgtests pass. PPA is still building but should be up shortly.

PPA: https://launchpad.net/~bryce/+archive/ubuntu/apache2-merge-v2.4.53-2/+packages

autopkgtest [02:49:05]: @@@@@@@@@@@@@@@@@@@@ summary
run-test-suite SKIP Test breaks testbed but testbed does not provide revert-full-system
ssl-passphrase SKIP Test breaks testbed but testbed does not provide revert-full-system
check-http2 SKIP Test breaks testbed but testbed does not provide revert-full-system
chroot SKIP Test breaks testbed but testbed does not provide revert-full-system
duplicate-module-load PASS
default-mods PASS
htcacheclean PASS

Andreas Hasenack (ahasenack) wrote :

You could squash together these 3 commits if you want, to make the delta simpler/smaller:

commit ee14fcd7ad2a6e0f7dfa4b05d20bc8687c2474bf
Author: Bryce Harrington <email address hidden>
Date: Fri May 20 14:12:41 2022 -0700

        - d/apache2.postrm: Include md5 sum for updated index.html

commit 998d8b823b2cbc61d06d46dca2dc602fed87a93a
Author: Bryce Harrington <email address hidden>
Date: Fri May 20 14:12:44 2022 -0700

        - d/index.html, d/icons/ubuntu-logo.png: Refresh page design and
          new logo
          (LP: 1966004)

commit 7315771f7f353b1ca92fac1c85b3bdf7208e97ed
Author: Bryce Harrington <email address hidden>
Date: Wed Feb 2 19:12:23 2022 -0800

        - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
          d/s/include-binaries: replace Debian with Ubuntu on default
          page and add Ubuntu icon file.
          (LP 1288690)

But it's also ok as is, I'm fine either way.

Note that the PPA builds failed, but I haven't seen a clear error. In fact, the log says:

"""
Build finished at 2022-05-25T18:56:10Z

Finished
--------

I: Built successfully
"""

+1 if it's just some transient error in LP and a retry fixes it.

review: Approve
Bryce Harrington (bryce) wrote :

Thanks for the review. Sorry took a while to reply but wanted to investigate the build failures. You're right though, there's no actual error messages, and tellingly it passes on some arch's but not all. Maybe LP was having a bad day? Flaky tests triggered during build? I've kicked off rebuilds, and am attempting a build locally. If any of that still doesn't pass I'll investigate further, else will upload.

Utkarsh Gupta (utkarsh) wrote :

OT: there are more comments at LP: #1974251, do take a look, please. Thank you! :D

Bryce Harrington (bryce) wrote :

Interesting, the rebuild worked, I'll go ahead and upload. Odd.

Bryce Harrington (bryce) wrote :

Regarding LP: #1974251, I dropped mention of that from the merge changelog since it's not clear what exactly fixed the user's problem, and whether there's additional packaging adjustments needed.

Bryce Harrington (bryce) wrote :

Uploaded:

Checking signature on .changes
gpg: ../apache2_2.4.53-2ubuntu1_source.changes: Valid signature from E603B2578FB8F0FB
Checking signature on .dsc
gpg: ../apache2_2.4.53-2ubuntu1.dsc: Valid signature from E603B2578FB8F0FB
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.53-2ubuntu1.dsc: done.
  Uploading apache2_2.4.53.orig.tar.gz: done.
  Uploading apache2_2.4.53-2ubuntu1.debian.tar.xz: done.
  Uploading apache2_2.4.53-2ubuntu1_source.buildinfo: done.
  Uploading apache2_2.4.53-2ubuntu1_source.changes: done.
Successfully uploaded packages.

$ rmad apache2
 apache2 | 2.4.52-1ubuntu4 | jammy
 apache2 | 2.4.52-1ubuntu4 | kinetic
 apache2 | 2.4.53-2ubuntu1 | kinetic-proposed

Bryce Harrington (bryce) wrote :

This has migrated

$ rmad apache2
 apache2 | 2.4.52-1ubuntu4 | jammy
 apache2 | 2.4.53-2ubuntu1 | kinetic

Preview Diff

diff --git a/debian/apache2-bin.install b/debian/apache2-bin.install
index 63c573f..3d1bdf1 100644
--- a/debian/apache2-bin.install
+++ b/debian/apache2-bin.install
@@ -1,2 +1,3 @@
1/usr/lib/apache2/modules/1/usr/lib/apache2/modules/
2/usr/sbin/apache22/usr/sbin/apache2
3debian/apache2.py usr/share/apport/package-hooks
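Review bot: The added line ships debian/apache2.py from apache2-bin, although the hook file is named for the apache2 package. If the hook is meant to live in apache2-bin, say why in the changelog entry; otherwise the line belongs in debian/apache2.install.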
diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile
3new file mode 1006444new file mode 100644
index 0000000..974a655
--- /dev/null
+++ b/debian/apache2-utils.ufw.profile
@@ -0,0 +1,14 @@
1[Apache]
2title=Web Server
3description=Apache v2 is the next generation of the omnipresent Apache web server.
4ports=80/tcp
5
6[Apache Secure]
7title=Web Server (HTTPS)
8description=Apache v2 is the next generation of the omnipresent Apache web server.
9ports=443/tcp
10
11[Apache Full]
12title=Web Server (HTTP,HTTPS)
13description=Apache v2 is the next generation of the omnipresent Apache web server.
14ports=80,443/tcp
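Review bot: All three sections carry the same description string, so only the title separates "Apache", "Apache Secure" and "Apache Full", and the text says nothing about which ports a profile opens. Suggest one description per section that names the traffic it allows (HTTP only for ports=80/tcp, HTTPS only for ports=443/tcp, both for ports=80,443/tcp), so an administrator picking a profile does not open port 80 without meaning to.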
diff --git a/debian/apache2.dirs b/debian/apache2.dirs
index 6089013..1aa6d3c 100644
--- a/debian/apache2.dirs
+++ b/debian/apache2.dirs
@@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk
10var/lib/apache210var/lib/apache2
11var/log/apache211var/log/apache2
12var/www/html12var/www/html
13/etc/ufw/applications.d/apache2
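Review bot: The new entry /etc/ufw/applications.d/apache2 has a leading slash while every other entry visible in this file (var/lib/apache2, var/log/apache2, var/www/html) is relative, and as a .dirs entry it creates a directory named apache2, whereas the apache2.install change copies the profile as a file directly into /etc/ufw/applications.d/. Please confirm the directory is wanted; if it is not, drop the entry or reduce it to etc/ufw/applications.d.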
diff --git a/debian/apache2.install b/debian/apache2.install
index b6ad789..92865fc 100644
--- a/debian/apache2.install
+++ b/debian/apache2.install
@@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2
8debian/config-dir/envvars /etc/apache28debian/config-dir/envvars /etc/apache2
9debian/config-dir/magic /etc/apache29debian/config-dir/magic /etc/apache2
10debian/debhelper/apache2-maintscript-helper /usr/share/apache2/10debian/debhelper/apache2-maintscript-helper /usr/share/apache2/
11debian/apache2-utils.ufw.profile /etc/ufw/applications.d/
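Review bot: The profile is installed by the apache2 package, but the source file on the added line is named apache2-utils.ufw.profile and is copied under that name into /etc/ufw/applications.d/. Either rename the source file to match the package that ships it or note in the changelog why the apache2-utils name is kept, so the owner of the installed file is clear to whoever audits the firewall profiles.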
diff --git a/debian/apache2.postrm b/debian/apache2.postrm
index a68583c..4a22601 100644
--- a/debian/apache2.postrm
+++ b/debian/apache2.postrm
@@ -33,6 +33,8 @@ is_default_index_html () {
33 776221a94e5a174dc2396c0f3f6b6a7433 776221a94e5a174dc2396c0f3f6b6a74
34 c481228d439cbb54bdcedbaec5bbb11a34 c481228d439cbb54bdcedbaec5bbb11a
35 e2620d4a5a0f8d80dd4b16de59af981f35 e2620d4a5a0f8d80dd4b16de59af981f
36 3526531ccd6c6a1d2340574a305a18f8
37 720999b43a3be0674180354ac41f20b1
36 EOF38 EOF
37}39}
3840
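Review bot: Two checksums are added to the list in is_default_index_html() (3526531ccd6c6a1d2340574a305a18f8 and 720999b43a3be0674180354ac41f20b1), but the changelog entry reads "Include md5 sum for updated index.html", singular, and nothing says which index.html revision each sum matches. Since debian/index.html changes in this same merge, a changelog line mapping each sum to its page version would let the next merger check them with md5sum instead of taking them on trust.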
diff --git a/debian/apache2.py b/debian/apache2.py
39new file mode 10064441new file mode 100644
index 0000000..a9fb9d8
--- /dev/null
+++ b/debian/apache2.py
@@ -0,0 +1,48 @@
1#!/usr/bin/python
2
3'''apport hook for apache2
4
5(c) 2010 Adam Sommer.
6Author: Adam Sommer <asommer@ubuntu.com>
7
8This program is free software; you can redistribute it and/or modify it
9under the terms of the GNU General Public License as published by the
10Free Software Foundation; either version 2 of the License, or (at your
11option) any later version. See http://www.gnu.org/copyleft/gpl.html for
12the full text of the license.
13'''
14
15from apport.hookutils import *
16import os
17
18SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/'
19
20def add_info(report, ui):
21 if os.path.isdir(SITES_ENABLED_DIR):
22 response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory "
23 "may help developers diagnose your bug more "
24 "quickly. However, it may contain sensitive "
25 "information. Do you want to include it in your "
26 "bug report?")
27
28 if response == None: # user cancelled
29 raise StopIteration
30
31 elif response == True:
32 # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d
33 for conf_file in os.listdir(SITES_ENABLED_DIR):
34 attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file)
35
36 try:
37 report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d'))
38 except OSError:
39 report['Apache2ConfdDirListing'] = str(False)
40
41 # Attach default config files if changed.
42 attach_conffiles(report, 'apache2', conffiles=None)
43
44 # Attach the error.log file.
45 attach_file(report, '/var/log/apache2/error.log', key='error.log')
46
47 # Get loaded modules.
48 report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES'])
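Review bot: The consent prompt in add_info() names only SITES_ENABLED_DIR, yet the hook also attaches changed conffiles through attach_conffiles() and /var/log/apache2/error.log through attach_file(), and those can hold sensitive data just as the vhost files can. Either widen the prompt text to cover everything that gets attached or put the extra attachments behind the same answer. Separately, on the last line '-D DUMP_MODULES' is passed as a single argv element; splitting it into '-D', 'DUMP_MODULES' avoids depending on how the embedded space is re-parsed. Minor: "Attache" in the comment is a typo, and response == None / response == True read better as "is None" / "is True".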
diff --git a/debian/changelog b/debian/changelog
index 019b5b1..b999d65 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,45 @@
1apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium
2
3 * Merge with Debian unstable (LP: #1971248). Remaining changes:
4 - debian/{control, apache2.install, apache2-utils.ufw.profile,
5 apache2.dirs}: Add ufw profiles.
6 (LP 261198)
7 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
8 (LP 609177)
9 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
10 d/s/include-binaries: replace Debian with Ubuntu on default
11 page and add Ubuntu icon file.
12 (LP 1288690)
13 - d/index.html, d/icons/ubuntu-logo.png: Refresh page design and
14 new logo
15 (LP 1966004)
16 - d/apache2.postrm: Include md5 sum for updated index.html
17 * Dropped:
18 - OOB read in mod_lua via crafted request body
19 + d/p/CVE-2022-22719.patch: error out if lua_read_body() or
20 lua_write_body() fail in modules/lua/lua_request.c.
21 [Fixed in 2.4.53 upstream]
22 - HTTP Request Smuggling via error discarding the
23 request body
24 + d/p/CVE-2022-22720.patch: simpler connection close logic
25 if discarding the request body fails in modules/http/http_filters.c,
26 server/protocol.c.
27 [Fixed in 2.4.53 upstream]
28 - overflow via large LimitXMLRequestBody
29 + d/p/CVE-2022-22721.patch: make sure and check that
30 LimitXMLRequestBody fits in system memory in server/core.c,
31 server/util.c, server/util_xml.c.
32 [Fixed in 2.4.53 upstream]
33 - out-of-bounds write in mod_sed
34 + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger
35 buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
36 modules/filters/mod_sed.c, modules/filters/sed1.c.
37 + d/p/CVE-2022-23943-2.patch: improve the logic flow in
38 modules/filters/mod_sed.c.
39 [Fixed in 2.4.53 upstream]
40
41 -- Bryce Harrington <bryce@canonical.com> Mon, 23 May 2022 19:34:18 -0700
42
1apache2 (2.4.53-2) unstable; urgency=medium43apache2 (2.4.53-2) unstable; urgency=medium
244
3 * Clean useless Conflicts/Replace45 * Clean useless Conflicts/Replace
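Review bot: Under "Remaining changes", lines 9 to 16 spend three entries on the default page: the Debian to Ubuntu rebranding, the redesign with the new logo, and the postrm md5 sum. They touch the same files and could be one entry that keeps both bug references (LP 1288690, LP 1966004), which shortens the delta the next merge has to carry forward.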
@@ -33,6 +75,79 @@ apache2 (2.4.52-2) experimental; urgency=medium
3375
34 -- Yadd <yadd@debian.org> Tue, 28 Dec 2021 20:01:43 +010076 -- Yadd <yadd@debian.org> Tue, 28 Dec 2021 20:01:43 +0100
3577
78apache2 (2.4.52-1ubuntu4) jammy; urgency=medium
79
80 * d/apache2.postrm: Include md5 sum for updated index.html
81
82 -- Bryce Harrington <bryce@canonical.com> Thu, 24 Mar 2022 17:35:40 -0700
83
84apache2 (2.4.52-1ubuntu3) jammy; urgency=medium
85
86 * d/index.html:
87 - Redesign page's heading for the new logo
88 - Use the Ubuntu font where available
89 - Update service management directions
90 - Copyedit grammar
91 - Light reformatting and whitespace cleanup
92 * d/icons/ubuntu-logo.png: Refresh ubuntu logo
93 (LP: #1966004)
94
95 -- Bryce Harrington <bryce@canonical.com> Wed, 23 Mar 2022 16:18:11 -0700
96
97apache2 (2.4.52-1ubuntu2) jammy; urgency=medium
98
99 * SECURITY UPDATE: OOB read in mod_lua via crafted request body
100 - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
101 lua_write_body() fail in modules/lua/lua_request.c.
102 - CVE-2022-22719
103 * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
104 request body
105 - debian/patches/CVE-2022-22720.patch: simpler connection close logic
106 if discarding the request body fails in modules/http/http_filters.c,
107 server/protocol.c.
108 - CVE-2022-22720
109 * SECURITY UPDATE: overflow via large LimitXMLRequestBody
110 - debian/patches/CVE-2022-22721.patch: make sure and check that
111 LimitXMLRequestBody fits in system memory in server/core.c,
112 server/util.c, server/util_xml.c.
113 - CVE-2022-22721
114 * SECURITY UPDATE: out-of-bounds write in mod_sed
115 - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
116 buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
117 modules/filters/mod_sed.c, modules/filters/sed1.c.
118 - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
119 modules/filters/mod_sed.c.
120 - CVE-2022-23943
121
122 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Mar 2022 09:39:54 -0400
123
124apache2 (2.4.52-1ubuntu1) jammy; urgency=medium
125
126 * Merge with Debian unstable (LP: #1959924). Remaining changes:
127 - debian/{control, apache2.install, apache2-utils.ufw.profile,
128 apache2.dirs}: Add ufw profiles.
129 (LP 261198)
130 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
131 (LP 609177)
132 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
133 d/s/include-binaries: replace Debian with Ubuntu on default
134 page and add Ubuntu icon file.
135 (LP 1288690)
136 * Dropped:
137 - d/p/support-openssl3-*.patch: Backport various patches from
138 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
139 failure to load when using OpenSSL 3.
140 (LP #1951476)
141 [Included in upstream release 2.4.52]
142 - d/apache2ctl: Also use systemd for graceful if it is in use.
143 (LP 1832182)
144 [This introduced a performance regression.]
145 - d/apache2ctl: Also use /run/systemd to check for systemd usage.
146 (LP 1918209)
147 [Not needed]
148
149 -- Bryce Harrington <bryce@canonical.com> Thu, 03 Feb 2022 10:25:47 -0800
150
36apache2 (2.4.52-1) unstable; urgency=medium151apache2 (2.4.52-1) unstable; urgency=medium
37152
38 * Refresh suexec-custom.patch153 * Refresh suexec-custom.patch
@@ -43,6 +158,60 @@ apache2 (2.4.52-1) unstable; urgency=medium
43158
44 -- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +0100159 -- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +0100
45160
161apache2 (2.4.51-2ubuntu1) jammy; urgency=medium
162
163 * Merge with Debian unstable. Remaining changes:
164 - debian/{control, apache2.install, apache2-utils.ufw.profile,
165 apache2.dirs}: Add ufw profiles.
166 (LP 261198)
167 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
168 (LP 609177)
169 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
170 d/s/include-binaries: replace Debian with Ubuntu on default
171 page and add Ubuntu icon file.
172 (LP 1288690)
173 - d/p/support-openssl3-*.patch: Backport various patches from
174 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
175 failure to load when using OpenSSL 3.
176 (LP #1951476)
177 * Dropped:
178 - d/apache2ctl: Also use systemd for graceful if it is in use.
179 (LP: 1832182)
180 [This introduced a performance regression.]
181 - d/apache2ctl: Also use /run/systemd to check for systemd usage.
182 (LP 1918209)
183 [Not needed]
184 - debian/patches/CVE-2021-33193.patch: refactor request parsing in
185 include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
186 include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
187 server/core_filters.c, server/protocol.c, server/vhost.c.
188 [Fixed in 2.4.48-4]
189 - debian/patches/CVE-2021-34798.patch: add NULL check in
190 server/scoreboard.c.
191 [Fixed in 2.4.49-1]
192 - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
193 generic worker in modules/proxy/mod_proxy_uwsgi.c.
194 [Fixed in 2.4.49-1]
195 - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
196 substitution logic in server/util.c.
197 [Fixed in 2.4.49-1]
198 - arbitrary origin server via crafted request uri-path
199 + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
200 parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
201 modules/proxy/proxy_util.c.
202 + debian/patches/CVE-2021-40438.patch: add sanity checks on the
203 configured UDS path in modules/proxy/proxy_util.c.
204 [Fixed in 2.4.49-3]
205 - SECURITY REGRESSION: Issues in UDS URIs. (LP #1945311)
206 + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
207 rules in modules/mappers/mod_rewrite.c.
208 + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
209 hostname in modules/mappers/mod_rewrite.c,
210 modules/proxy/proxy_util.c.
211 [Fixed in 2.4.49-3]
212
213 -- Bryce Harrington <bryce@canonical.com> Thu, 16 Dec 2021 14:09:26 -0800
214
46apache2 (2.4.51-2) unstable; urgency=medium215apache2 (2.4.51-2) unstable; urgency=medium
47216
48 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting217 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting
@@ -108,6 +277,74 @@ apache2 (2.4.48-4) unstable; urgency=medium
108277
109 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200278 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200
110279
280apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium
281
282 * d/p/support-openssl3-*.patch: Backport various patches from
283 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
284 failure to load when using OpenSSL 3. (LP: #1951476)
285
286 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 26 Nov 2021 16:07:56 -0500
287
288apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
289
290 * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
291 - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
292 rules in modules/mappers/mod_rewrite.c.
293 - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
294 hostname in modules/mappers/mod_rewrite.c,
295 modules/proxy/proxy_util.c.
296
297 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Sep 2021 08:52:26 -0400
298
299apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium
300
301 * SECURITY UPDATE: request splitting over HTTP/2
302 - debian/patches/CVE-2021-33193.patch: refactor request parsing in
303 include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
304 include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
305 server/core_filters.c, server/protocol.c, server/vhost.c.
306 - CVE-2021-33193
307 * SECURITY UPDATE: NULL deref via malformed requests
308 - debian/patches/CVE-2021-34798.patch: add NULL check in
309 server/scoreboard.c.
310 - CVE-2021-34798
311 * SECURITY UPDATE: DoS in mod_proxy_uwsgi
312 - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
313 generic worker in modules/proxy/mod_proxy_uwsgi.c.
314 - CVE-2021-36160
315 * SECURITY UPDATE: buffer overflow in ap_escape_quotes
316 - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
317 substitution logic in server/util.c.
318 - CVE-2021-39275
319 * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
320 - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
321 parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
322 modules/proxy/proxy_util.c.
323 - debian/patches/CVE-2021-40438.patch: add sanity checks on the
324 configured UDS path in modules/proxy/proxy_util.c.
325 - CVE-2021-40438
326
327 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Sep 2021 12:51:16 -0400
328
329apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium
330
331 * Merge with Debian unstable. Remaining changes:
332 - debian/{control, apache2.install, apache2-utils.ufw.profile,
333 apache2.dirs}: Add ufw profiles. (LP 261198)
334 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
335 (LP 609177)
336 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
337 d/s/include-binaries: replace Debian with Ubuntu on default
338 page and add Ubuntu icon file. (LP 1288690)
339 - d/apache2ctl: Also use systemd for graceful if it is in use.
340 This extends an earlier fix for the start command to behave
341 similarly for restart / graceful. Fixes service failures on
342 unattended upgrade. (LP 1832182)
343 - d/apache2ctl: Also use /run/systemd to check for systemd usage
344 (LP 1918209)
345
346 -- Bryce Harrington <bryce@canonical.com> Wed, 11 Aug 2021 20:03:24 -0700
347
111apache2 (2.4.48-3.1) unstable; urgency=medium348apache2 (2.4.48-3.1) unstable; urgency=medium
112349
113 * Non-maintainer upload.350 * Non-maintainer upload.
@@ -116,6 +353,46 @@ apache2 (2.4.48-3.1) unstable; urgency=medium
116353
117 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200354 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200
118355
356apache2 (2.4.48-3ubuntu1) impish; urgency=medium
357
358 * Merge with Debian unstable. Remaining changes:
359 - debian/{control, apache2.install, apache2-utils.ufw.profile,
360 apache2.dirs}: Add ufw profiles. (LP: 261198)
361 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
362 (LP: 609177)
363 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
364 d/s/include-binaries: replace Debian with Ubuntu on default
365 page and add Ubuntu icon file. (LP: 1288690)
366 - d/apache2ctl: Also use systemd for graceful if it is in use.
367 This extends an earlier fix for the start command to behave
368 similarly for restart / graceful. Fixes service failures on
369 unattended upgrade. (LP: 1832182)
370 - d/apache2ctl: Also use /run/systemd to check for systemd usage
371 (LP: 1918209)
372 * Dropped:
373 - d/t/control, d/t/check-http2: add basic test for http2 support
374 [Fixed in 2.4.48-2]
375 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
376 [Fixed in 2.4.48-1]
377 - d/p/CVE-2020-13950.patch: don't dereference NULL proxy
378 connection in modules/proxy/mod_proxy_http.c.
379 [Fixed in 2.4.48 upstream]
380 - d/p/CVE-2020-35452.patch: fast validation of the nonce's
381 base64 to fail early if the format can't match anyway in
382 modules/aaa/mod_auth_digest.c.
383 [Fixed in 2.4.48 upstream]
384 - d/p/CVE-2021-26690.patch: save one apr_strtok() in
385 session_identity_decode() in modules/session/mod_session.c.
386 [Fixed in 2.4.48 upstream]
387 - d/p/CVE-2021-26691.patch: account for the '&' in
388 identity_concat() in modules/session/mod_session.c.
389 [Fixed in 2.4.48 upstream]
390 - d/p/CVE-2021-30641.patch: change default behavior in
391 server/request.c.
392 [Fixed in 2.4.48 upstream]
393
394 -- Bryce Harrington <bryce@canonical.com> Thu, 08 Jul 2021 03:20:46 +0000
395
119apache2 (2.4.48-3) unstable; urgency=medium396apache2 (2.4.48-3) unstable; urgency=medium
120397
121 * Fix debian/changelog398 * Fix debian/changelog
@@ -172,6 +449,65 @@ apache2 (2.4.46-5) unstable; urgency=medium
172449
173 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200450 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200
174451
452apache2 (2.4.46-4ubuntu3) impish; urgency=medium
453
454 * No-change rebuild due to OpenLDAP soname bump.
455
456 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 17:43:48 -0400
457
458apache2 (2.4.46-4ubuntu2) impish; urgency=medium
459
460 * SECURITY UPDATE: mod_proxy_http denial of service.
461 - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
462 connection in modules/proxy/mod_proxy_http.c.
463 - CVE-2020-13950
464 * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
465 - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
466 base64 to fail early if the format can't match anyway in
467 modules/aaa/mod_auth_digest.c.
468 - CVE-2020-35452
469 * SECURITY UPDATE: DoS via cookie header in mod_session
470 - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
471 session_identity_decode() in modules/session/mod_session.c.
472 - CVE-2021-26690
473 * SECURITY UPDATE: heap overflow via SessionHeader
474 - debian/patches/CVE-2021-26691.patch: account for the '&' in
475 identity_concat() in modules/session/mod_session.c.
476 - CVE-2021-26691
477 * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
478 - debian/patches/CVE-2021-30641.patch: change default behavior in
479 server/request.c.
480 - CVE-2021-30641
481
482 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Jun 2021 13:09:41 -0400
483
484apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium
485
486 * Merge with Debian unstable, to allow moving from lua5.2 to
487 lua5.3 (LP: #1910372). Remaining changes:
488 - debian/{control, apache2.install, apache2-utils.ufw.profile,
489 apache2.dirs}: Add ufw profiles.
490 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
491 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
492 Debian with Ubuntu on default page.
493 + d/source/include-binaries: add Ubuntu icon file
494 - d/t/control, d/t/check-http2: add basic test for http2 support
495 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
496 issue reading error log too quickly after request, by adding a sleep.
497 (LP #1890302)
498 - d/apache2ctl: Also use systemd for graceful if it is in use.
499 This extends an earlier fix for the start command to behave
500 similarly for restart / graceful. Fixes service failures on
501 unattended upgrade.
502 * Drop:
503 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
504 was re-added by mistake in 2.4.41-1 (Closes #921024)
505 [Included in Debian 2.4.46-3]
506 * d/apache2ctl: Also use /run/systemd to check for systemd usage
507 (LP: #1918209)
508
509 -- Bryce Harrington <bryce@canonical.com> Tue, 09 Mar 2021 00:45:35 +0000
510
175apache2 (2.4.46-4) unstable; urgency=medium511apache2 (2.4.46-4) unstable; urgency=medium
176512
177 * Ignore other random another test failures (Closes: #979664)513 * Ignore other random another test failures (Closes: #979664)
@@ -189,6 +525,28 @@ apache2 (2.4.46-3) unstable; urgency=medium
189525
190 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100526 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100
191527
528apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium
529
530 * Merge with Debian unstable. Remaining changes:
531 - debian/{control, apache2.install, apache2-utils.ufw.profile,
532 apache2.dirs}: Add ufw profiles.
533 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
534 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
535 Debian with Ubuntu on default page.
536 + d/source/include-binaries: add Ubuntu icon file
537 - d/t/control, d/t/check-http2: add basic test for http2 support
538 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
539 was re-added by mistake in 2.4.41-1 (Closes #921024)
540 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
541 issue reading error log too quickly after request, by adding a sleep.
542 (LP #1890302)
543 - d/apache2ctl: Also use systemd for graceful if it is in use.
544 This extends an earlier fix for the start command to behave
545 similarly for restart / graceful. Fixes service failures on
546 unattended upgrade.
547
548 -- Paride Legovini <paride.legovini@canonical.com> Mon, 14 Dec 2020 18:12:15 +0100
549
192apache2 (2.4.46-2) unstable; urgency=medium550apache2 (2.4.46-2) unstable; urgency=medium
193551
194 [ Jean-Michel Vourgère ]552 [ Jean-Michel Vourgère ]
@@ -210,6 +568,39 @@ apache2 (2.4.46-2) unstable; urgency=medium
210568
211 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100569 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100
212570
571apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium
572
573 * d/apache2ctl: Also use systemd for graceful if it is in use.
574 (LP: #1832182)
575 - This extends an earlier fix for the start command to behave
576 similarly for restart / graceful. Fixes service failures on
577 unattended upgrade.
578
579 -- Bryce Harrington <bryce@canonical.com> Mon, 05 Oct 2020 16:06:32 -0700
580
581apache2 (2.4.46-1ubuntu1) groovy; urgency=medium
582
583 * Merge with Debian unstable. Remaining changes:
584 - debian/{control, apache2.install, apache2-utils.ufw.profile,
585 apache2.dirs}: Add ufw profiles.
586 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
587 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
588 Debian with Ubuntu on default page.
589 + d/source/include-binaries: add Ubuntu icon file
590 - d/t/control, d/t/check-http2: add basic test for http2 support
591 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
592 was re-added by mistake in 2.4.41-1 (Closes #921024)
593 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
594 issue reading error log too quickly after request, by adding a sleep.
595 (LP #1890302)
596 * Dropped:
597 - debian/patches/086_svn_cross_compiles: Backport several cross
598 fixes from upstream
599 [Unclear if it's still necessary, and upstream hasn't made a
600 release with it yet]
601
602 -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Aug 2020 09:13:38 -0300
603
213apache2 (2.4.46-1) unstable; urgency=medium604apache2 (2.4.46-1) unstable; urgency=medium
214605
215 [ Xavier Guimard ]606 [ Xavier Guimard ]
@@ -226,6 +617,39 @@ apache2 (2.4.46-1) unstable; urgency=medium
226617
227 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200618 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200
228619
620apache2 (2.4.43-1ubuntu2) groovy; urgency=medium
621
622 * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
623 issue reading error log too quickly after request, by adding a sleep.
624 (LP: #1890302)
625
626 -- Bryce Harrington <bryce@canonical.com> Wed, 05 Aug 2020 12:44:59 -0700
627
628apache2 (2.4.43-1ubuntu1) groovy; urgency=medium
629
630 * Merge with Debian unstable. Remaining changes:
631 - debian/{control, apache2.install, apache2-utils.ufw.profile,
632 apache2.dirs}: Add ufw profiles.
633 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
634 - debian/patches/086_svn_cross_compiles: Backport several cross
635 fixes from upstream
636 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
637 Debian with Ubuntu on default page.
638 + d/source/include-binaries: add Ubuntu icon file
639 - d/t/control, d/t/check-http2: add basic test for http2 support
640 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
641 was re-added by mistake in 2.4.41-1 (Closes #921024)
642 * Dropped:
643 - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
644 parameter to mod_proxy_ajp (LP #1865340)
645 [Fixed upstream]
646 - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
647 mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
648 Closes #955348, LP #1872478
649 [In 2.4.43-1]
650
651 -- Andreas Hasenack <andreas@canonical.com> Tue, 21 Jul 2020 10:22:42 -0300
652
229apache2 (2.4.43-1) unstable; urgency=medium653apache2 (2.4.43-1) unstable; urgency=medium
230654
231 [ Timo Aaltonen ]655 [ Timo Aaltonen ]
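Review bot: the 2.4.43-1ubuntu2 entry fixes the d/p/t/apache/expr_string.t race "by adding a sleep", and a fixed delay only narrows the timing window: on a loaded builder the error log can still be read before the request has been written to it. Consider polling the error log with a timeout instead, or at least state the sleep duration in the entry so the next merge can judge whether the workaround is still sufficient.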
@@ -253,6 +677,39 @@ apache2 (2.4.41-5) unstable; urgency=medium
253677
254 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100678 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100
255679
680apache2 (2.4.41-4ubuntu3) focal; urgency=medium
681
682 [ Timo Aaltonen ]
683 * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
684 mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
685 Closes: #955348, LP: #1872478
686
687 -- Andreas Hasenack <andreas@canonical.com> Mon, 13 Apr 2020 14:19:17 -0300
688
689apache2 (2.4.41-4ubuntu2) focal; urgency=medium
690
691 * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
692 parameter to mod_proxy_ajp (LP: #1865340)
693
694 -- Andreas Hasenack <andreas@canonical.com> Thu, 05 Mar 2020 15:51:00 -0300
695
696apache2 (2.4.41-4ubuntu1) focal; urgency=medium
697
698 * Merge with Debian unstable. Remaining changes:
699 - debian/{control, apache2.install, apache2-utils.ufw.profile,
700 apache2.dirs}: Add ufw profiles.
701 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
702 - debian/patches/086_svn_cross_compiles: Backport several cross
703 fixes from upstream
704 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
705 Debian with Ubuntu on default page.
706 + d/source/include-binaries: add Ubuntu icon file
707 - d/t/control, d/t/check-http2: add basic test for http2 support
708 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
709 was re-added by mistake in 2.4.41-1 (Closes #921024)
710
711 -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 10:36:13 -0300
712
256apache2 (2.4.41-4) unstable; urgency=medium713apache2 (2.4.41-4) unstable; urgency=medium
257714
258 * Add gcc in chroot autopkgtest (fixes debci)715 * Add gcc in chroot autopkgtest (fixes debci)
@@ -277,6 +734,41 @@ apache2 (2.4.41-2) unstable; urgency=medium
277734
278 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100735 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100
279736
737apache2 (2.4.41-1ubuntu1) eoan; urgency=medium
738
739 * Merge with Debian unstable. Remaining changes:
740 - debian/{control, apache2.install, apache2-utils.ufw.profile,
741 apache2.dirs}: Add ufw profiles.
742 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
743 - debian/patches/086_svn_cross_compiles: Backport several cross
744 fixes from upstream
745 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
746 Debian with Ubuntu on default page.
747 + d/source/include-binaries: add Ubuntu icon file
748 - d/t/control, d/t/check-http2: add basic test for http2 support
749 * Dropped:
750 - Cherrypick upstream testsuite fix:
751 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
752 as such).
753 + Similarly use TLSv1.2 for pr12355 and pr43738.
754 [Test suite updated in 2.4.41-1]
755 - Cherrypick upstream test suite fix for buffer.
756 [Included in 2.4.41-1]
757 - d/p/spelling-errors.patch: removed hunks already fixed upstream
758 [Included in 2.4.39-1]
759 - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
760 + d/p/CVE-2019-0196.patch
761 + d/p/CVE-2019-0211.patch
762 + d/p/CVE-2019-0215.patch
763 + d/p/CVE-2019-0217.patch
764 + d/p/CVE-2019-0220-*.patch
765 + d/p/CVE-2019-0197.patch
766 * Added:
767 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
768 was re-added by mistake in 2.4.41-1 (Closes: #921024)
769
770 -- Andreas Hasenack <andreas@canonical.com> Wed, 14 Aug 2019 11:36:32 -0300
771
280apache2 (2.4.41-1) unstable; urgency=medium772apache2 (2.4.41-1) unstable; urgency=medium
281773
282 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,774 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,
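Review bot: the six CVE-2019 patches listed under "Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1)" in 2.4.41-1ubuntu1 are already recorded as "Dropped patches (fixed upstream)" in the 2.4.39-0ubuntu1 entry further down, so the changelog shows the same security patches leaving the delta twice. For anyone auditing when a fix stopped being carried as a patch, only one of those can be right. Suggest keeping the drop in the entry where the patches were actually removed and replacing the other with a short pointer to it.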
@@ -309,6 +801,62 @@ apache2 (2.4.39-1) unstable; urgency=medium
309801
310 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200802 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200
311803
804apache2 (2.4.39-0ubuntu1) eoan; urgency=medium
805
806 * New upstream version: 2.4.39
807 * d/p/spelling-errors.patch: removed hunks already fixed upstream
808 * Remaining changes:
809 - Cherrypick upstream test suite fix for buffer.
810 - Cherrypick upstream testsuite fix:
811 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
812 as such).
813 - Similarly use TLSv1.2 for pr12355 and pr43738.
814 - debian/{control, apache2.install, apache2-utils.ufw.profile,
815 apache2.dirs}: Add ufw profiles.
816 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
817 - debian/patches/086_svn_cross_compiles: Backport several cross
818 fixes from upstream
819 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
820 Debian with Ubuntu on default page.
821 + d/source/include-binaries: add Ubuntu icon file
822 - d/t/control, d/t/check-http2: add basic test for http2 support
823 * Dropped patches (fixed upstream):
824 - d/p/CVE-2019-0196.patch
825 - d/p/CVE-2019-0211.patch
826 - d/p/CVE-2019-0215.patch
827 - d/p/CVE-2019-0217.patch
828 - d/p/CVE-2019-0220-*.patch
829 - d/p/CVE-2019-0197.patch
830
831 -- Andreas Hasenack <andreas@canonical.com> Mon, 05 Aug 2019 18:09:08 -0300
832
833apache2 (2.4.38-3ubuntu2) eoan; urgency=medium
834
835 * Cherrypick upstream test suite fix for buffer.
836
837 -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 13 Jun 2019 11:08:24 +0100
838
839apache2 (2.4.38-3ubuntu1) eoan; urgency=low
840
841 * Merge from Debian unstable. Remaining changes:
842 - Cherrypick upstream testsuite fix:
843 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
844 as such).
845 - Similarly use TLSv1.2 for pr12355 and pr43738.
846 - debian/{control, apache2.install, apache2-utils.ufw.profile,
847 apache2.dirs}: Add ufw profiles.
848 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
849 - debian/patches/086_svn_cross_compiles: Backport several cross
850 fixes from upstream
851 [Removed configure chunk, not needed since configure.in is being
852 patched.]
853 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
854 Debian with Ubuntu on default page.
855 + d/source/include-binaries: add Ubuntu icon file
856 - d/t/control, d/t/check-http2: add basic test for http2 support
857
858 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Jun 2019 19:17:38 +0100
859
312apache2 (2.4.38-3) unstable; urgency=high860apache2 (2.4.38-3) unstable; urgency=high
313861
314 [ Marc Deslauriers ]862 [ Marc Deslauriers ]
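Review bot: the 2.4.38-3ubuntu1 merge entry does not account for the CVE-2019-0196, -0211, -0215, -0217 and -0220 patches that 2.4.38-2ubuntu2 added: they are neither in its "Remaining changes" list nor in a Dropped section, and first show up as dropped in 2.4.39-0ubuntu1. A reader cannot tell from the changelog whether 2.4.38-3ubuntu1 shipped those fixes. Also, "d/p/CVE-2019-0197.patch" is listed as dropped in 2.4.39-0ubuntu1 but no visible Ubuntu entry adds it; a bracketed note saying where it came from would close that gap.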
@@ -346,6 +894,79 @@ apache2 (2.4.38-3) unstable; urgency=high
346894
347 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200895 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200
348896
897apache2 (2.4.38-2ubuntu3) eoan; urgency=medium
898
899 * Cherrypick upstream testsuite fix:
900 - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
901 as such).
902 * Similarly use TLSv1.2 for pr12355 and pr43738.
903
904 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 07 May 2019 10:39:47 +0100
905
906apache2 (2.4.38-2ubuntu2) disco; urgency=medium
907
908 * SECURITY UPDATE: read-after-free on a string compare in mod_http2
909 - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
910 request method in modules/http2/h2_request.c.
911 - CVE-2019-0196
912 * SECURITY UPDATE: privilege escalation from modules' scripts
913 - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
914 child to its slot number in include/scoreboard.h,
915 server/mpm/event/event.c, server/mpm/prefork/prefork.c,
916 server/mpm/worker/worker.c.
917 - CVE-2019-0211
918 * SECURITY UPDATE: mod_ssl access control bypass
919 - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
920 PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
921 - CVE-2019-0215
922 * SECURITY UPDATE: mod_auth_digest access control bypass
923 - debian/patches/CVE-2019-0217.patch: fix a race condition in
924 modules/aaa/mod_auth_digest.c.
925 - CVE-2019-0217
926 * SECURITY UPDATE: URL normalization inconsistincy
927 - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
928 the path in include/http_core.h, include/httpd.h, server/core.c,
929 server/request.c, server/util.c.
930 - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
931 in server/request.c, server/util.c.
932 - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
933 server/util.c.
934 - CVE-2019-0220
935
936 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Apr 2019 14:31:46 -0400
937
938apache2 (2.4.38-2ubuntu1) disco; urgency=medium
939
940 * Merge with Debian unstable. Remaining changes:
941 - debian/{control, apache2.install, apache2-utils.ufw.profile,
942 apache2.dirs}: Add ufw profiles.
943 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
944 - debian/patches/086_svn_cross_compiles: Backport several cross
945 fixes from upstream
946 [Removed configure chunk, not needed since configure.in is being
947 patched.]
948 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
949 Debian with Ubuntu on default page.
950 + d/source/include-binaries: add Ubuntu icon file
951 - d/t/control, d/t/check-http2: add basic test for http2 support
952 * Dropped:
953 - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
954 libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
955 cannot be coinstalled with libcurl3. That situation breaks the
956 installation of libapache2-mod-shib2. See
957 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
958 for details.
959 [This has been resolved in Disco, where libxmltooling8 is built with
960 openssl 1.1]
961 - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
962 + debian/patches/CVE-2018-11763.patch: rework connection IO event
963 handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
964 modules/http2/h2_version.h.
965 - CVE-2018-11763
966 [Fixed in 2.4.35]
967
968 -- Andreas Hasenack <andreas@canonical.com> Sun, 03 Feb 2019 14:57:13 -0200
969
349apache2 (2.4.38-2) unstable; urgency=medium970apache2 (2.4.38-2) unstable; urgency=medium
350971
351 * Disable "reset" test in allowmethods.t (Closes: #921024)972 * Disable "reset" test in allowmethods.t (Closes: #921024)
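Review bot: in the Dropped section of 2.4.38-2ubuntu1 the CVE id is written as "- CVE-2018-11763", at the same level as the "- SECURITY UPDATE" item it belongs to, while the patch line above it uses "+". It reads as a separate dropped item; the 2.4.33-3ubuntu1 entry nests the id as "+ CVE-2017-15710", and the same form would fit here. Minor: the 2.4.38-2ubuntu2 entry has the typos "disentangelment" and "inconsistincy".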
@@ -428,6 +1049,37 @@ apache2 (2.4.35-1) unstable; urgency=medium
4281049
429 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +02001050 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200
4301051
1052apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium
1053
1054 * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
1055 - debian/patches/CVE-2018-11763.patch: rework connection IO event
1056 handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
1057 modules/http2/h2_version.h.
1058 - CVE-2018-11763
1059
1060 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Oct 2018 09:57:22 -0400
1061
1062apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium
1063
1064 * Merge with Debian unstable. Remaining changes:
1065 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1066 apache2.dirs}: Add ufw profiles.
1067 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1068 - debian/patches/086_svn_cross_compiles: Backport several cross
1069 fixes from upstream
1070 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1071 Debian with Ubuntu on default page.
1072 + d/source/include-binaries: add Ubuntu icon file
1073 - d/t/control, d/t/check-http2: add basic test for http2 support
1074 - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
1075 libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
1076 cannot be coinstalled with libcurl3. That situation breaks the
1077 installation of libapache2-mod-shib2. See
1078 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
1079 for details.
1080
1081 -- Andreas Hasenack <andreas@canonical.com> Fri, 03 Aug 2018 17:09:27 -0300
1082
431apache2 (2.4.34-1) unstable; urgency=medium1083apache2 (2.4.34-1) unstable; urgency=medium
4321084
433 [ Ondřej Surý ]1085 [ Ondřej Surý ]
@@ -446,6 +1098,87 @@ apache2 (2.4.34-1) unstable; urgency=medium
4461098
447 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +02001099 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200
4481100
1101apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium
1102
1103 * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load:
1104 re-enable proxy_uwsgi, as the uwsgi source no longer builds this module.
1105
1106 -- Andreas Hasenack <andreas@canonical.com> Thu, 28 Jun 2018 10:07:06 -0300
1107
1108apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
1109
1110 * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
1111 libapache2-mod-md until we figure out their transitions. libapache2-mod-md
1112 in particular is problematic because that makes apache2-bin pull in
1113 libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
1114 the installation of libapache2-mod-shib2. See
1115 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
1116 for details.
1117 - Don't ship md.load and remove build-requires that were added because of
1118 mod-md (see
1119 https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
1120 - Remove proxy_uwsgi.load as we are not building it for now (see
1121 https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
1122
1123 -- Andreas Hasenack <andreas@canonical.com> Thu, 17 May 2018 14:46:19 +0000
1124
1125apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
1126
1127 * Merge with Debian unstable (LP: #1770242). Remaining changes:
1128 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1129 apache2.dirs}: Add ufw profiles.
1130 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1131 - debian/patches/086_svn_cross_compiles: Backport several cross
1132 fixes from upstream
1133 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1134 Debian with Ubuntu on default page.
1135 + d/source/include-binaries: add Ubuntu icon file
1136 - d/t/control, d/t/check-http2: add basic test for http2 support
1137 * Drop:
1138 - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
1139 + debian/patches/CVE-2017-15710.patch: fix language long names
1140 detection as short name in modules/aaa/mod_authnz_ldap.c.
1141 + CVE-2017-15710
1142 - SECURITY UPDATE: incorrect <FilesMatch> matching
1143 + debian/patches/CVE-2017-15715.patch: allow to configure
1144 global/default options for regexes, like caseless matching or
1145 extended format in include/ap_regex.h, server/core.c,
1146 server/util_pcre.c.
1147 + CVE-2017-15715
1148 - SECURITY UPDATE: mod_session header manipulation
1149 + debian/patches/CVE-2018-1283.patch: strip Session header when
1150 SessionEnv is on in modules/session/mod_session.c.
1151 + CVE-2018-1283
1152 - SECURITY UPDATE: DoS via specially-crafted request
1153 + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
1154 terminated on any error, not only on buffer full in
1155 server/protocol.c.
1156 + CVE-2018-1301
1157 - SECURITY UPDATE: mod_cache_socache DoS
1158 + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
1159 to carriage return in modules/cache/mod_cache_socache.c.
1160 + CVE-2018-1303
1161 - SECURITY UPDATE: insecure nonce generation
1162 + debian/patches/CVE-2018-1312.patch: actually use the secret when
1163 generating nonces in modules/aaa/mod_auth_digest.c.
1164 + CVE-2018-1312
1165 - Correct systemd-sysv-generator behavior by customizing some
1166 parameters:
1167 + d/apache2-systemd.conf: add a drop-in file to specify some
1168 parameters for the systemd unit (type=Forking and
1169 RemainsAfterExit=no), this allow a correct state synchronisation
1170 between systemctl status and actual state of apache2 daemon.
1171 + d/apache2.install: place the apache2-systemd.conf file in the
1172 correct location.
1173 [type=Forking already in the base systemd service file, and
1174 RemainsAfterExit=no is the default value, so no need to
1175 customize these anymore.]
1176 - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
1177 + added debian/patches/util_ldap_cache_lock_fix.patch
1178 [Already applied upstream]
1179
1180 -- Andreas Hasenack <andreas@canonical.com> Tue, 15 May 2018 11:03:34 -0300
1181
449apache2 (2.4.33-3) unstable; urgency=medium1182apache2 (2.4.33-3) unstable; urgency=medium
4501183
451 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.1184 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
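Review bot: the six SECURITY UPDATE items under "Drop:" in 2.4.33-3ubuntu1 carry no bracketed reason, unlike the systemd and mod_ldap items in the same list ("[Already applied upstream]"). For dropped CVE patches the reason matters most: please state for CVE-2017-15710, CVE-2017-15715, CVE-2018-1283, CVE-2018-1301, CVE-2018-1303 and CVE-2018-1312 which upstream or Debian version contains the fix, so that the drop can be verified rather than assumed.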
@@ -518,6 +1251,91 @@ apache2 (2.4.29-2) unstable; urgency=medium
5181251
519 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +00001252 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +0000
5201253
1254apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium
1255
1256 * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
1257 - debian/patches/CVE-2017-15710.patch: fix language long names
1258 detection as short name in modules/aaa/mod_authnz_ldap.c.
1259 - CVE-2017-15710
1260 * SECURITY UPDATE: incorrect <FilesMatch> matching
1261 - debian/patches/CVE-2017-15715.patch: allow to configure
1262 global/default options for regexes, like caseless matching or
1263 extended format in include/ap_regex.h, server/core.c,
1264 server/util_pcre.c.
1265 - CVE-2017-15715
1266 * SECURITY UPDATE: mod_session header manipulation
1267 - debian/patches/CVE-2018-1283.patch: strip Session header when
1268 SessionEnv is on in modules/session/mod_session.c.
1269 - CVE-2018-1283
1270 * SECURITY UPDATE: DoS via specially-crafted request
1271 - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
1272 terminated on any error, not only on buffer full in
1273 server/protocol.c.
1274 - CVE-2018-1301
1275 * SECURITY UPDATE: mod_cache_socache DoS
1276 - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
1277 to carriage return in modules/cache/mod_cache_socache.c.
1278 - CVE-2018-1303
1279 * SECURITY UPDATE: insecure nonce generation
1280 - debian/patches/CVE-2018-1312.patch: actually use the secret when
1281 generating nonces in modules/aaa/mod_auth_digest.c.
1282 - CVE-2018-1312
1283
1284 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Apr 2018 07:38:24 -0400
1285
1286apache2 (2.4.29-1ubuntu4) bionic; urgency=medium
1287
1288 * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
1289 - added debian/patches/util_ldap_cache_lock_fix.patch
1290
1291 -- Rafael David Tinoco <rafael.tinoco@canonical.com> Fri, 02 Mar 2018 02:19:31 +0000
1292
1293apache2 (2.4.29-1ubuntu3) bionic; urgency=medium
1294
1295 * Switch back to OpenSSL 1.1.
1296
1297 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 11:57:20 +0000
1298
1299apache2 (2.4.29-1ubuntu2) bionic; urgency=medium
1300
1301 * enable http2 (LP: #1687454) by stopping to disable it
1302 - debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
1303 - debian/config-dir/mods-available/http2.load: no more removed.
1304 - debian/rules: no more removed proxy_http2 from configure.
1305 * d/t/control, d/t/check-http2: add basic test for http2 support
1306
1307 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 05 Dec 2017 17:25:39 +0100
1308
1309apache2 (2.4.29-1ubuntu1) bionic; urgency=medium
1310
1311 * Merge with Debian unstable. Remaining changes:
1312 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1313 apache2.dirs}: Add ufw profiles.
1314 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1315 - debian/patches/086_svn_cross_compiles: Backport several cross
1316 fixes from upstream
1317 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1318 Debian with Ubuntu on default page.
1319 + d/source/include-binaries: add Ubuntu icon file
1320 - Correct systemd-sysv-generator behavior by customizing some
1321 parameters:
1322 + d/apache2-systemd.conf: add a drop-in file to specify some
1323 parameters for the systemd unit (type=Forking and
1324 RemainsAfterExit=no), this allow a correct state synchronisation
1325 between systemctl status and actual state of apache2 daemon.
1326 + d/apache2.install: place the apache2-systemd.conf file in the
1327 correct location.
1328 - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1329 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1330 + debian/config-dir/mods-available/http2.load: removed.
1331 + debian/rules: removed proxy_http2 from configure.
1332 * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
1333 - debian/control: switch BuildDepends to libssl1.0-dev
1334 - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
1335 - debian/rules: remove openssl virtual package and logic
1336
1337 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 10 Nov 2017 10:51:46 -0500
1338
521apache2 (2.4.29-1) unstable; urgency=medium1339apache2 (2.4.29-1) unstable; urgency=medium
5221340
523 [ Stefan Fritsch ]1341 [ Stefan Fritsch ]
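Review bot: the 2.4.29-1ubuntu3 entry says only "Switch back to OpenSSL 1.1." and does not say which of the three changes from 2.4.29-1ubuntu1 it reverts. That entry switched BuildDepends to libssl1.0-dev, removed the Breaks on gridsite and libapache2-mod-dacs, and removed the openssl virtual package and logic from debian/rules. Please list the files touched, in particular whether the Breaks and the virtual package were restored, since those decide which modules built against the other OpenSSL version can be co-installed.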
@@ -582,6 +1400,47 @@ apache2 (2.4.27-3) experimental; urgency=medium
5821400
583 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +02001401 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +0200
5841402
1403apache2 (2.4.27-2ubuntu3) artful; urgency=medium
1404
1405 * SECURITY UPDATE: optionsbleed information leak
1406 - debian/patches/CVE-2017-9798.patch: disallow method registration
1407 at run time in server/core.c.
1408 - CVE-2017-9798
1409
1410 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Sep 2017 11:05:48 -0400
1411
1412apache2 (2.4.27-2ubuntu2) artful; urgency=medium
1413
1414 * Undrop (LP 1658469):
1415 - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1416 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1417 + debian/config-dir/mods-available/http2.load: removed.
1418 + debian/rules: removed proxy_http2 from configure.
1419
1420 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 02 Aug 2017 13:04:45 -0400
1421
1422apache2 (2.4.27-2ubuntu1) artful; urgency=medium
1423
1424 * Merge with Debian unstable (LP: #1702582). Remaining changes:
1425 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1426 apache2.dirs}: Add ufw profiles.
1427 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1428 - debian/patches/086_svn_cross_compiles: Backport several cross
1429 fixes from upstream
1430 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1431 Debian with Ubuntu on default page.
1432 + d/source/include-binaries: add Ubuntu icon file
1433 - Correct systemd-sysv-generator behavior by customizing some
1434 parameters:
1435 + d/apache2-systemd.conf: add a drop-in file to specify some
1436 parameters for the systemd unit (type=Forking and
1437 RemainsAfterExit=no), this allow a correct state synchronisation
1438 between systemctl status and actual state of apache2 daemon.
1439 + d/apache2.install: place the apache2-systemd.conf file in the
1440 correct location.
1441
1442 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 27 Jul 2017 13:38:39 -0700
1443
585apache2 (2.4.27-2) unstable; urgency=medium1444apache2 (2.4.27-2) unstable; urgency=medium
5861445
587 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more1446 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
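Review bot: the "Undrop" in 2.4.27-2ubuntu2 lists three items, but the same change in 2.4.25-3ubuntu2 had a fourth, "debian/apache2.maintscript: remove http2 conffile". If the maintscript handling is not part of this undrop, systems upgrading from a version that shipped mods-available/http2.load keep that conffile for a module that is no longer built, which is the situation 2.4.18-2ubuntu3 was uploaded to fix. Please confirm the maintscript line is still in place and mention it in the entry.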
@@ -611,6 +1470,55 @@ apache2 (2.4.25-4) unstable; urgency=high
6111470
612 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +02001471 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +0200
6131472
1473apache2 (2.4.25-3ubuntu3) artful; urgency=medium
1474
1475 * Re-Drop (LP: #1658469):
1476 - Don't build experimental http2 module for LTS:
1477 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1478 + debian/config-dir/mods-available/http2.load: removed.
1479 + debian/rules: removed proxy_http2 from configure.
1480 + debian/apache2.maintscript: remove http2 conffile.
1481
1482 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Mon, 01 May 2017 09:55:11 -0700
1483
1484apache2 (2.4.25-3ubuntu2) zesty; urgency=medium
1485 * Undrop (LP 1658469):
1486 - Don't build experimental http2 module for LTS:
1487 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1488 + debian/config-dir/mods-available/http2.load: removed.
1489 + debian/rules: removed proxy_http2 from configure.
1490 + debian/apache2.maintscript: remove http2 conffile.
1491
1492 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 10 Feb 2017 08:53:43 -0800
1493
1494apache2 (2.4.25-3ubuntu1) zesty; urgency=medium
1495
1496 * Merge from Debian unstable (LP: #1663425). Remaining changes:
1497 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1498 apache2.dirs}: Add ufw profiles.
1499 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1500 - debian/patches/086_svn_cross_compiles: Backport several cross
1501 fixes from upstream
1502 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1503 Debian with Ubuntu on default page.
1504 + d/source/include-binaries: add Ubuntu icon file
1505 - Correct systemd-sysv-generator behavior by customizing some
1506 parameters:
1507 + d/apache2-systemd.conf: add a drop-in file to specify some
1508 parameters for the systemd unit (type=Forking and
1509 RemainsAfterExit=no), this allow a correct state synchronisation
1510 between systemctl status and actual state of apache2 daemon.
1511 + d/apache2.install: place the apache2-systemd.conf file in the
1512 correct location.
1513 * Drop (LP: #1658469):
1514 - Don't build experimental http2 module for LTS:
1515 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1516 + debian/config-dir/mods-available/http2.load: removed.
1517 + debian/rules: removed proxy_http2 from configure.
1518 + debian/apache2.maintscript: remove http2 conffile.
1519
1520 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 09 Feb 2017 15:48:28 -0800
1521
614apache2 (2.4.25-3) unstable; urgency=medium1522apache2 (2.4.25-3) unstable; urgency=medium
6151523
616 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.1524 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
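Review bot: the "Drop" / "Undrop" / "Re-Drop" headings in 2.4.25-3ubuntu1 through 2.4.25-3ubuntu3 wrap an item that is itself a negative ("Don't build experimental http2 module"), so whether http2 is built after each upload has to be worked out by the reader. Suggest stating the outcome directly in each entry, for example that 2.4.25-3ubuntu3 builds mod_http2 again. Minor: the 2.4.25-3ubuntu2 entry has no blank line between its header and the first bullet, unlike every other entry in this hunk.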
@@ -672,6 +1580,39 @@ apache2 (2.4.25-1) unstable; urgency=medium
6721580
673 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +01001581 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +0100
6741582
1583apache2 (2.4.23-8ubuntu1) zesty; urgency=medium
1584
1585 * Merge from Debian unstable (LP: #). Remaining changes:
1586 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1587 apache2.dirs}: Add ufw profiles.
1588 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1589 - debian/patches/086_svn_cross_compiles: Backport several cross
1590 fixes from upstream
1591 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
1592 d/source/include-binaries: replace Debian with Ubuntu on default
1593 page.
1594 [ include-binaries change previously undocumented ]
1595 - Don't build experimental http2 module for LTS:
1596 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1597 + debian/config-dir/mods-available/http2.load: removed.
1598 + debian/rules: removed proxy_http2 from configure.
1599 + debian/apache2.maintscript: remove http2 conffile.
1600 [ Previously undocumented ]
1601 - Correct systemd-sysv-generator behavior by customizing some
1602 parameters:
1603 + d/apache2-systemd.conf: add a drop-in file to specify some
1604 parameters for the systemd unit (type=Forking and
1605 RemainsAfterExit=no), this allow a correct state synchronisation
1606 between systemctl status and actual state of apache2 daemon.
1607 + d/apache2.install: place the apache2-systemd.conf file in the
1608 correct location.
1609 * Drop:
1610 - debian/rules: Fix cross-building by passing
1611 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1612 [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]
1613
1614 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 09 Dec 2016 11:02:38 +0100
1615
675apache2 (2.4.23-8) unstable; urgency=medium1616apache2 (2.4.23-8) unstable; urgency=medium
6761617
677 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a1618 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
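Review bot: the first bullet of 2.4.23-8ubuntu1 reads "Merge from Debian unstable (LP: #).", a bug reference with no number. It looks like a template placeholder that was never filled in. Either supply the merge bug number or drop the parenthesis, as the 2.4.23-7ubuntu1 entry does.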
@@ -682,6 +1623,33 @@ apache2 (2.4.23-8) unstable; urgency=medium
6821623
683 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +01001624 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100
6841625
1626apache2 (2.4.23-7ubuntu1) zesty; urgency=medium
1627
1628 * Merge from Debian unstable. Remaining changes:
1629 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1630 apache2.dirs}: Add ufw profiles.
1631 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1632 - debian/rules: Fix cross-building by passing
1633 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1634 - debian/patches/086_svn_cross_compiles: Backport several cross
1635 fixes from upstream
1636 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1637 Debian with Ubuntu on default page.
1638 - Don't build experimental http2 module for LTS:
1639 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1640 + debian/config-dir/mods-available/http2.load: removed.
1641 + debian/rules: removed proxy_http2 from configure.
1642 - Correct systemd-sysv-generator behavior by customizing some
1643 parameters:
1644 + d/apache2-systemd.conf: add a drop-in file to specify some
1645 parameters for the systemd unit (type=Forking and
1646 RemainsAfterExit=no), this allow a correct state synchronisation
1647 between systemctl status and actual state of apache2 daemon.
1648 + d/apache2.install: place the apache2-systemd.conf file in the
1649 correct location.
1650
1651 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Nov 2016 09:17:24 -0500
1652
685apache2 (2.4.23-7) unstable; urgency=medium1653apache2 (2.4.23-7) unstable; urgency=medium
6861654
687 * Make apache2-dev depend on openssl 1.0, too. Closes: #8441601655 * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
@@ -796,6 +1764,55 @@ apache2 (2.4.20-1) unstable; urgency=medium
7961764
797 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +02001765 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200
7981766
1767apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium
1768
1769 * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
1770 - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
1771 server/util_script.c.
1772 - CVE-2016-5387
1773
1774 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Jul 2016 14:32:02 -0400
1775
1776apache2 (2.4.18-2ubuntu3) xenial; urgency=medium
1777
1778 [ Ryan Harper ]
1779 * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
1780 introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
1781 all, since http2 support is intentionally disabled (see LP 1531864).
1782 * d/apache2.maintscript: handle removal of http2.load conffile.
1783
1784 [ Robie Basak ]
1785 * Re-write Ryan's changelog entry.
1786
1787 -- Robie Basak <robie.basak@ubuntu.com> Fri, 15 Apr 2016 18:00:57 +0000
1788
1789apache2 (2.4.18-2ubuntu2) xenial; urgency=medium
1790
1791 * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
1792 - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
1793 unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation
1794 between systemctl status and actual state of apache2 daemon.
1795 - d/apache2.install: place the apache2-systemd.conf file in the correct location.
1796
1797 -- Pierre-André MOREY <pierre-andre.morey@canonical.com> Fri, 08 Apr 2016 11:48:00 +0200
1798
1799apache2 (2.4.18-2ubuntu1) xenial; urgency=medium
1800
1801 * Merge from Debian unstable. Remaining changes:
1802 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1803 apache2.dirs}: Add ufw profiles.
1804 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1805 - debian/rules: Fix cross-building by passing
1806 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1807 - debian/patches/086_svn_cross_compiles: Backport several cross
1808 fixes from upstream
1809 - d/index.html: replace Debian with Ubuntu on default page.
1810 - Don't build experimental http2 module for LTS:
1811 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1812 + debian/config-dir/mods-available/http2.load: removed.
1813
1814 -- Timo Aaltonen <tjaalton@debian.org> Wed, 06 Apr 2016 00:18:31 +0300
1815
799apache2 (2.4.18-2) unstable; urgency=low1816apache2 (2.4.18-2) unstable; urgency=low
8001817
801 * htcacheclean:1818 * htcacheclean:
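Review bot: in the 2.4.18-2ubuntu1 entry (new lines 1801-1812) the "Remaining changes" list has no "Add dep8 tests" item, although the 2.4.18-1ubuntu1 entry further down this diff still lists it, and nothing here records it as dropped or as adopted by Debian. Since these entries are being restored from Ubuntu history, please check them against the changelog of the uploaded 2.4.18-2ubuntu1 instead of rewording them. Separately, "see LP 1531864" on new line 1781 is not in the "LP: #NNNNNNN" form used by the 2.4.18-2ubuntu2 entry in this same hunk, so it reads as a plain cross-reference and not as a bug closure; that looks intended, but it is worth confirming.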
@@ -821,6 +1838,24 @@ apache2 (2.4.18-2) unstable; urgency=low
8211838
822 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +02001839 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200
8231840
1841apache2 (2.4.18-1ubuntu1) xenial; urgency=medium
1842
1843 * Merge from Debian unstable. Remaining changes:
1844 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1845 apache2.dirs}: Add ufw profiles.
1846 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1847 - Add dep8 tests.
1848 - debian/rules: Fix cross-building by passing
1849 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1850 - debian/patches/086_svn_cross_compiles: Backport several cross
1851 fixes from upstream
1852 - d/index.html: replace Debian with Ubuntu on default page.
1853 - Don't build experimental http2 module for LTS:
1854 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1855 + debian/config-dir/mods-available/http2.load: removed.
1856
1857 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Jan 2016 15:15:22 -0500
1858
824apache2 (2.4.18-1) unstable; urgency=medium1859apache2 (2.4.18-1) unstable; urgency=medium
8251860
826 * New upstream release:1861 * New upstream release:
@@ -828,12 +1863,48 @@ apache2 (2.4.18-1) unstable; urgency=medium
8281863
829 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +01001864 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100
8301865
1866apache2 (2.4.17-3ubuntu1) xenial; urgency=medium
1867
1868 * Merge from Debian unstable. Remaining changes:
1869 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1870 apache2.dirs}: Add ufw profiles.
1871 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1872 - Add dep8 tests.
1873 - debian/rules: Fix cross-building by passing
1874 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1875 - debian/patches/086_svn_cross_compiles: Backport several cross
1876 fixes from upstream
1877 - d/index.html: replace Debian with Ubuntu on default page.
1878 - Don't build experimental http2 module for LTS:
1879 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1880 + debian/config-dir/mods-available/http2.load: removed.
1881
1882 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Dec 2015 10:07:35 -0500
1883
831apache2 (2.4.17-3) unstable; urgency=medium1884apache2 (2.4.17-3) unstable; urgency=medium
8321885
833 * mpm_prefork: Fix segfault if started with -X. Closes: #8057371886 * mpm_prefork: Fix segfault if started with -X. Closes: #805737
8341887
835 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +01001888 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100
8361889
1890apache2 (2.4.17-2ubuntu1) xenial; urgency=medium
1891
1892 * Merge from Debian unstable. Remaining changes:
1893 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1894 apache2.dirs}: Add ufw profiles.
1895 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1896 - Add dep8 tests.
1897 - debian/rules: Fix cross-building by passing
1898 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1899 - debian/patches/086_svn_cross_compiles: Backport several cross
1900 fixes from upstream
1901 - d/index.html: replace Debian with Ubuntu on default page.
1902 - Don't build experimental http2 module for LTS:
1903 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1904 + debian/config-dir/mods-available/http2.load: removed.
1905
1906 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Nov 2015 09:11:52 -0500
1907
837apache2 (2.4.17-2) unstable; urgency=medium1908apache2 (2.4.17-2) unstable; urgency=medium
8381909
839 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke1910 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
@@ -844,6 +1915,31 @@ apache2 (2.4.17-2) unstable; urgency=medium
8441915
845 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +01001916 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100
8461917
1918apache2 (2.4.17-1ubuntu1) xenial; urgency=medium
1919
1920 * Merge from Debian unstable. Remaining changes:
1921 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1922 apache2.dirs}: Add ufw profiles.
1923 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1924 - Add dep8 tests.
1925 - debian/rules: Fix cross-building by passing
1926 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1927 - debian/patches/086_svn_cross_compiles: Backport several cross
1928 fixes from upstream
1929 - d/index.html: replace Debian with Ubuntu on default page.
1930 * Drop patches (applied upstream):
1931 - debian/patches/CVE-2015-3183.patch
1932 - debian/patches/CVE-2015-3185.patch
1933 * Drop changes (adopted in Debian):
1934 - Allow "triggers-awaited" and "triggers-pending" states in addition
1935 to "installed" when determining whether to defer actions or
1936 process deferred actions.
1937 * Don't build experimental http2 module for LTS
1938 - debian/control: removed libnghttp2-dev Build-Depends (in universe).
1939 - debian/config-dir/mods-available/http2.load: removed.
1940
1941 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 30 Oct 2015 09:35:46 -0400
1942
847apache2 (2.4.17-1) unstable; urgency=medium1943apache2 (2.4.17-1) unstable; urgency=medium
8481944
849 [ Stefan Fritsch ]1945 [ Stefan Fritsch ]
@@ -909,6 +2005,49 @@ apache2 (2.4.16-1) unstable; urgency=medium
9092005
910 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +02002006 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200
9112007
2008apache2 (2.4.12-2ubuntu2) wily; urgency=medium
2009
2010 * SECURITY UPDATE: request smuggling via chunked transfer encoding
2011 - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
2012 modules/http/http_filters.c.
2013 - CVE-2015-3183
2014 * SECURITY UPDATE: access restriction bypass via deprecated API
2015 - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
2016 in include/http_request.h, server/request.c.
2017 - CVE-2015-3185
2018
2019 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 24 Jul 2015 09:56:09 -0400
2020
2021apache2 (2.4.12-2ubuntu1) wily; urgency=medium
2022
2023 * Merge from Debian unstable. Remaining changes:
2024 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2025 apache2.dirs}: Add ufw profiles.
2026 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2027 - Add dep8 tests.
2028 - debian/rules: Fix cross-building by passing
2029 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2030 - debian/patches/086_svn_cross_compiles: Backport several cross
2031 fixes from upstream
2032 - d/index.html: replace Debian with Ubuntu on default page.
2033 - Allow "triggers-awaited" and "triggers-pending" states in addition
2034 to "installed" when determining whether to defer actions or
2035 process deferred actions.
2036 * Drop patches (applied upstream):
2037 - d/p/split-logfile.patch
2038 - d/p/CVE-2015-0228.patch
2039 * Drop changes (superceded in Debian):
2040 - Cherry-pick versioned build-depend on dpkg from Debian for correct
2041 dpkg-maintscript-helper symlink_to_dir support.
2042 * Drop changes (adopted in Debian):
2043 - d/control, d/config-dir/mods-available/ssl.conf,
2044 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
2045 dialog program ask-for-passphrase.
2046 * Fix cross-building configure line in d/rules, which had bit-rotted in
2047 previous merges.
2048
2049 -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 May 2015 16:34:00 +0000
2050
912apache2 (2.4.12-2) unstable; urgency=medium2051apache2 (2.4.12-2) unstable; urgency=medium
9132052
914 [ Jean-Michel Nirgal Vourgère ]2053 [ Jean-Michel Nirgal Vourgère ]
@@ -958,6 +2097,28 @@ apache2 (2.4.10-10) unstable; urgency=medium
9582097
959 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +01002098 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100
9602099
2100apache2 (2.4.10-9ubuntu1) vivid; urgency=medium
2101
2102 * Merge from Debian unstable. Remaining changes:
2103 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2104 apache2.dirs}: Add ufw profiles.
2105 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2106 - d/control, d/config-dir/mods-available/ssl.conf,
2107 - Add dep8 tests.
2108 - debian/rules: Fix cross-building by passing
2109 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2110 - debian/patches/086_svn_cross_compiles: Backport several cross
2111 fixes from upstream
2112 - d/index.html: replace Debian with Ubuntu on default page.
2113 - d/p/split-logfile.patch: fix completely broken split-logfile
2114 command.
2115 - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
2116 denial of service in mod_lua via websockets PING
2117 * debian/tests/ssl-passphrase: Add password responder for
2118 systemd-ask-passphrase.
2119
2120 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 09 Mar 2015 12:03:16 +0100
2121
961apache2 (2.4.10-9) unstable; urgency=medium2122apache2 (2.4.10-9) unstable; urgency=medium
9622123
963 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a2124 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
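Review bot: new line 2106 in the 2.4.10-9ubuntu1 entry, "- d/control, d/config-dir/mods-available/ssl.conf,", ends in a comma and is followed directly by "- Add dep8 tests.", so the item has no description. The 2.4.10-8ubuntu1 entry later in this diff has the full item (the Plymouth aware passphrase dialog program ask-for-passphrase), so this looks like a partially deleted bullet; if the uploaded 2.4.10-9ubuntu1 changelog reads the same way, leave it, otherwise restore the original text. The entry also does not say what happened to debian/patches/CVE-2014-8109.patch from 2.4.10-8ubuntu3, while the context line below shows Debian 2.4.10-9 carrying its own CVE-2014-8109 fix.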
@@ -972,6 +2133,54 @@ apache2 (2.4.10-9) unstable; urgency=medium
9722133
973 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +01002134 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100
9742135
2136apache2 (2.4.10-8ubuntu3) vivid; urgency=medium
2137
2138 * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
2139 directives
2140 - debian/patches/CVE-2014-8109.patch: handle multiple Require
2141 directives with different arguments in modules/lua/mod_lua.c.
2142 - CVE-2014-8109
2143 * SECURITY UPDATE: denial of service in mod_lua via websockets PING
2144 - debian/patches/CVE-2015-0228.patch: fix logic in
2145 modules/lua/lua_request.c.
2146 - CVE-2015-0228
2147
2148 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 05 Mar 2015 10:56:34 -0500
2149
2150apache2 (2.4.10-8ubuntu2) vivid; urgency=medium
2151
2152 * Allow "triggers-awaited" and "triggers-pending" states in addition to
2153 "installed" when determining whether to defer actions or process
2154 deferred actions (LP: #1393832).
2155
2156 -- Colin Watson <cjwatson@ubuntu.com> Wed, 26 Nov 2014 11:31:44 +0000
2157
2158apache2 (2.4.10-8ubuntu1) vivid; urgency=medium
2159
2160 * Merge from Debian unstable. Remaining changes:
2161 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2162 apache2.dirs}: Add ufw profiles.
2163 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2164 - d/control, d/config-dir/mods-available/ssl.conf,
2165 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
2166 dialog program ask-for-passphrase.
2167 - Add dep8 tests.
2168 - debian/rules: Fix cross-building by passing
2169 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2170 - debian/patches/086_svn_cross_compiles: Backport several cross
2171 fixes from upstream
2172 - d/index.html: replace Debian with Ubuntu on default page.
2173 - d/p/split-logfile.patch: fix completely broken split-logfile
2174 command.
2175 * Fixes from Debian included in merge:
2176 - Crash caused by OCSP stapling code; this was erroneously
2177 attributed to Debian in my previous merge, but actually only
2178 appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
2179 * Cherry-pick versioned build-depend on dpkg from Debian for correct
2180 dpkg-maintscript-helper symlink_to_dir support.
2181
2182 -- Robie Basak <robie.basak@ubuntu.com> Fri, 21 Nov 2014 15:15:58 +0000
2183
975apache2 (2.4.10-8) unstable; urgency=medium2184apache2 (2.4.10-8) unstable; urgency=medium
9762185
977 * Bump dpkg Pre-Depends to version that supports relative symlinks in2186 * Bump dpkg Pre-Depends to version that supports relative symlinks in
@@ -986,6 +2195,33 @@ apache2 (2.4.10-8) unstable; urgency=medium
9862195
987 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +01002196 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100
9882197
2198apache2 (2.4.10-7ubuntu1) vivid; urgency=medium
2199
2200 * Merge from Debian unstable. Remaining changes:
2201 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2202 apache2.dirs}: Add ufw profiles.
2203 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2204 - d/control, d/config-dir/mods-available/ssl.conf,
2205 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
2206 dialog program ask-for-passphrase.
2207 - Add dep8 tests.
2208 - debian/rules: Fix cross-building by passing
2209 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2210 - debian/patches/086_svn_cross_compiles: Backport several cross
2211 fixes from upstream
2212 - d/index.html: replace Debian with Ubuntu on default page.
2213 - d/p/split-logfile.patch: fix completely broken split-logfile command.
2214 * Fixes from Debian included in merge:
2215 - Don't use a2query in preinst, as it may not be available yet
2216 (LP: #1312533).
2217 - Crash caused by OCSP stapling code (LP: #1366174).
2218 - Disable SSLv3 in default config (LP: #1358305).
2219 - If apache2 is not configured yet, defer actions executed via
2220 apache2-maintscript-helper. This fixes installation failures if a
2221 module package is configured first (LP: #1312854).
2222
2223 -- Robie Basak <robie.basak@ubuntu.com> Mon, 17 Nov 2014 18:04:40 +0000
2224
989apache2 (2.4.10-7) unstable; urgency=medium2225apache2 (2.4.10-7) unstable; urgency=medium
9902226
991 * Handle transitions of doc dirs and symlinks correctly during upgrade.2227 * Handle transitions of doc dirs and symlinks correctly during upgrade.
@@ -1069,6 +2305,25 @@ apache2 (2.4.10-2) unstable; urgency=medium
10692305
1070 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +02002306 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200
10712307
2308apache2 (2.4.10-1ubuntu1) utopic; urgency=medium
2309
2310 * Merge from Debian unstable. Remaining changes:
2311 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2312 apache2.dirs}: Add ufw profiles.
2313 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2314 - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
2315 d/apache2.install: Plymouth aware passphrase dialog program
2316 ask-for-passphrase.
2317 - Add dep8 tests.
2318 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
2319 configure.
2320 - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
2321 upstream
2322 - d/index.html: replace Debian with Ubuntu on default page.
2323 - d/p/split-logfile.patch: fix completely broken split-logfile command.
2324
2325 -- Robie Basak <robie.basak@ubuntu.com> Thu, 24 Jul 2014 15:13:16 +0000
2326
1072apache2 (2.4.10-1) unstable; urgency=medium2327apache2 (2.4.10-1) unstable; urgency=medium
10732328
1074 [ Arno Töll ]2329 [ Arno Töll ]
@@ -1116,6 +2371,45 @@ apache2 (2.4.9-2) unstable; urgency=medium
11162371
1117 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +02002372 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200
11182373
2374apache2 (2.4.9-1ubuntu2) utopic; urgency=medium
2375
2376 * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
2377 yet support building against lua 5.2 (LP: #1323930).
2378
2379 -- Robie Basak <robie.basak@ubuntu.com> Wed, 28 May 2014 08:55:25 +0000
2380
2381apache2 (2.4.9-1ubuntu1) utopic; urgency=medium
2382
2383 * Merge from Debian unstable. Remaining changes:
2384 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2385 apache2.dirs}: Add ufw profiles.
2386 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2387 - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
2388 d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
2389 dialog program ask-for-passphrase.
2390 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
2391 configure.
2392 - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
2393 upstream
2394 - Build using lua5.2.
2395 - d/tests/chroot: dep8 test for ChrootDir case.
2396 - d/tests/ssl-passphrase: update for new default path /var/www/html.
2397 - d/tests/duplicate-module-load: check for duplicate module loads.
2398 - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
2399 - d/p/split-logfile.patch: fix completely broken split-logfile command
2400 (LP: #1299162). Thanks to Holger Mauermann.
2401 * Drop changes (upstreamed):
2402 - d/p/ignore-quilt-dir: adjust build system so that it does not use
2403 files find inside the .pc directory. This stops a double module load
2404 causing later havoc, including "ChrootDir" directive failure.
2405 - debian/patches/CVE-2013-6438.patch: properly calculate correct length
2406 in modules/dav/main/util.c.
2407 - debian/patches/CVE-2014-0098.patch: properly parse tokens in
2408 modules/loggers/mod_log_config.c.
2409 * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
2410
2411 -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 May 2014 19:30:04 +0000
2412
1119apache2 (2.4.9-1) unstable; urgency=medium2413apache2 (2.4.9-1) unstable; urgency=medium
11202414
1121 * New upstream version.2415 * New upstream version.
@@ -1148,6 +2442,63 @@ apache2 (2.4.9-1) unstable; urgency=medium
11482442
1149 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +01002443 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +0100
11502444
2445apache2 (2.4.7-1ubuntu4) trusty; urgency=medium
2446
2447 * d/p/split-logfile.patch: fix completely broken split-logfile command
2448 (LP: #1299162). Thanks to Holger Mauermann.
2449
2450 -- Robie Basak <robie.basak@ubuntu.com> Thu, 03 Apr 2014 11:21:22 +0000
2451
2452apache2 (2.4.7-1ubuntu3) trusty; urgency=medium
2453
2454 * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
2455 calculation
2456 - debian/patches/CVE-2013-6438.patch: properly calculate correct length
2457 in modules/dav/main/util.c.
2458 - CVE-2013-6438
2459 * SECURITY UPDATE: denial of service via truncated cookie and
2460 mod_log_config
2461 - debian/patches/CVE-2014-0098.patch: properly parse tokens in
2462 modules/loggers/mod_log_config.c.
2463 - CVE-2014-0098
2464
2465 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Mar 2014 08:34:10 -0400
2466
2467apache2 (2.4.7-1ubuntu2) trusty; urgency=medium
2468
2469 * d/index.html: replace Debian with Ubuntu on default page
2470 (LP: #1288690).
2471
2472 -- Robie Basak <robie.basak@ubuntu.com> Wed, 19 Mar 2014 11:04:21 +0000
2473
2474apache2 (2.4.7-1ubuntu1) trusty; urgency=medium
2475
2476 * Merge from Debian unstable. Remaining changes:
2477 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2478 apache2.dirs}: Add ufw profiles.
2479 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2480 - d/control, d/config-dir/mods-available/ssl.conf,
2481 d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase:
2482 Plymouth aware passphrase dialog program ask-for-passphrase.
2483 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
2484 to configure.
2485 - debian/patches/086_svn_cross_compiles: Backport several cross fixes
2486 from upstream
2487 - Build using lua5.2.
2488 - d/tests/chroot: dep8 test for ChrootDir case.
2489 - d/p/ignore-quilt-dir: adjust build system so that it does not use
2490 files find inside the .pc directory. This stops a double module load
2491 causing later havoc, including "ChrootDir" directive failure.
2492 * Drop changes:
2493 - debian/{control, rules}: Enable PIE hardening: no longer required;
2494 2.4.7-1 is already hardened.
2495 - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved
2496 out of this package.
2497 * d/tests/ssl-passphrase: update for new default path /var/www/html.
2498 * d/tests/duplicate-module-load: check for duplicate module loads.
2499
2500 -- Robie Basak <robie.basak@ubuntu.com> Tue, 14 Jan 2014 17:23:47 +0000
2501
1151apache2 (2.4.7-1) unstable; urgency=low2502apache2 (2.4.7-1) unstable; urgency=low
11522503
1153 New upstream version2504 New upstream version
@@ -1211,6 +2562,53 @@ apache2 (2.4.6-3) unstable; urgency=low
12112562
1212 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +02002563 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +0200
12132564
2565apache2 (2.4.6-2ubuntu4) trusty; urgency=low
2566
2567 * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so
2568 that it does not use files find inside the .pc directory. This stops a
2569 double module load causing later havoc, including "ChrootDir" directive
2570 failure (LP: #1251939). Thanks to Stefan Fritsch.
2571 * d/tests/chroot: dep8 test for ChrootDir case.
2572
2573 -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 Nov 2013 16:21:51 +0000
2574
2575apache2 (2.4.6-2ubuntu3) trusty; urgency=low
2576
2577 * debian/apache2.install: Correct path for ufw.
2578 (LP: #1252722)
2579
2580 -- Chuck Short <zulcss@ubuntu.com> Tue, 19 Nov 2013 08:59:54 -0500
2581
2582apache2 (2.4.6-2ubuntu2) saucy; urgency=low
2583
2584 * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes
2585 passphrase prompting for SSL certificates that are passphrase protected.
2586 * Add dep8 test for SSL passphrase prompting.
2587
2588 -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 Aug 2013 13:08:52 +0000
2589
2590apache2 (2.4.6-2ubuntu1) saucy; urgency=low
2591
2592 * Merge from Debian unstable. Remaining changes:
2593 - debian/{control, rules}: Enable PIE hardening.
2594 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2595 apache2.dirs}: Add ufw profiles.
2596 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2597 - debian/control, debian/config-dir/mods-available/ssl.conf,
2598 debian/ask-for-passphrase, debian/apache2.install: Plymouth aware
2599 passphrase dialog program ask-for-passphrase.
2600 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
2601 to configure.
2602 - debian/patches/086_svn_cross_compiles: Backport several cross fixes
2603 from upstream
2604 * Dropped changes:
2605 - debian/patches/CVE-2013-1896.patch: upstream
2606 * Fixed module dependencies (LP: #1205314)
2607 - debian/config-dir/mods-available/lbmethod_*: properly specify
2608 proxy_balancer, not mod_proxy_balancer.
2609
2610 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Jul 2013 08:31:33 -0400
2611
1214apache2 (2.4.6-2) unstable; urgency=low2612apache2 (2.4.6-2) unstable; urgency=low
12152613
1216 [ Stefan Fritsch ]2614 [ Stefan Fritsch ]
@@ -1263,6 +2661,56 @@ apache2 (2.4.6-1) unstable; urgency=low
12632661
1264 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +02002662 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +0200
12652663
2664apache2 (2.4.4-6ubuntu5) saucy; urgency=low
2665
2666 * SECURITY UPDATE: denial of service via MERGE request
2667 - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
2668 in modules/dav/main/mod_dav.c.
2669 - CVE-2013-1896
2670
2671 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Jul 2013 11:20:47 -0400
2672
2673apache2 (2.4.4-6ubuntu4) saucy; urgency=low
2674
2675 * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to
2676 apache2-bin. apache2-utils is only suggested by apache2, so may not
2677 always be installed by bug reporters. However, apache2-bin will always
2678 need to be installed for Apache to be functional, so this is a better
2679 place for the apport hook. apache2-bin already Conflicts/Replaces
2680 apache2.2-common, so this also fixes (LP: #1199318).
2681 * d/apache2.py: adjust apport hook for new location of configuration
2682 files in apache2 >= 2.4: they have moved from apache2.2-common to
2683 apache2.
2684
2685 -- Robie Basak <robie.basak@ubuntu.com> Wed, 17 Jul 2013 17:54:22 +0000
2686
2687apache2 (2.4.4-6ubuntu3) saucy; urgency=low
2688
2689 * Build using lua5.2.
2690
2691 -- Matthias Klose <doko@ubuntu.com> Wed, 17 Jul 2013 14:24:42 +0200
2692
2693apache2 (2.4.4-6ubuntu2) saucy; urgency=low
2694
2695 * debian/rules: Fix FTBFS while installing ufw.
2696
2697 -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 10:10:14 -0500
2698
2699apache2 (2.4.4-6ubuntu1) saucy; urgency=low
2700
2701 * Merge from Debian unstable. Remaining changes:
2702 - debian/{control, rules}: Enable PIE hardening.
2703 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2704 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2705 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2706 Plymouth aware passphrase dialog program ask-for-passphrase.
2707 * Dropped changes:
2708 - debian/patches/CVE-2012-2687.patch: Dropped no longer needed.
2709 - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed.
2710 - debian/patches/CVE-2012-4929.patch: Dropped no longer needed.
2711
2712 -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 08:34:01 -0500
2713
1266apache2 (2.4.4-6) unstable; urgency=low2714apache2 (2.4.4-6) unstable; urgency=low
12672715
1268 * Denote exact versions breaking gnome-user-share now that Gnome maintainers2716 * Denote exact versions breaking gnome-user-share now that Gnome maintainers
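Review bot: the "Dropped changes" list of 2.4.4-6ubuntu1 (new lines 2707-2710) accounts for CVE-2012-2687, CVE-2012-3499_4558 and CVE-2012-4929, but not for the CVE-2013-1048 change to debian/apache2ctl (the mkdir_chown() function) that 2.2.22-6ubuntu5 added, as shown further down this diff. That fix lives in a packaging script and not under debian/patches, so it is easy to lose in a merge, and the changelog does not show whether it survived the move to 2.4. Before this history is relied on for CVE tracking, please confirm that the current debian/apache2ctl still carries that fix or an equivalent.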
@@ -1734,6 +3182,122 @@ apache2 (2.4.1-1) experimental; urgency=low
17343182
1735 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +01003183 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +0100
17363184
3185apache2 (2.2.22-6ubuntu5) raring; urgency=low
3186
3187 * SECURITY UPDATE: multiple cross-site scripting issues
3188 - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
3189 modules/generators/{mod_info.c,mod_status.c},
3190 modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
3191 modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
3192 - CVE-2012-3499
3193 - CVE-2012-4558
3194 * SECURITY UPDATE: symlink attack in apache2ctl script
3195 - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
3196 - Thanks to Stefan Fritsch for the fix.
3197 - CVE-2013-1048
3198
3199 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 15 Mar 2013 07:59:58 -0400
3200
3201apache2 (2.2.22-6ubuntu4) raring; urgency=low
3202
3203 * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
3204 * Skip module sanity check between MPMs if cross-building without the
3205 kernel/binfmt support to run our target binaries on the build system.
3206 * Backport several cross fixes from upstream as 086_svn_cross_compiles.
3207
3208 -- Adam Conrad <adconrad@ubuntu.com> Wed, 05 Dec 2012 02:21:46 -0700
3209
3210apache2 (2.2.22-6ubuntu3) raring; urgency=low
3211
3212 * SECURITY UPDATE: XSS vulnerability in mod_negotiation
3213 - debian/patches/CVE-2012-2687.patch: escape filenames in
3214 modules/mappers/mod_negotiation.c.
3215 - CVE-2012-2687
3216 * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
3217 - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
3218 directive. Defaults to off as enabling compression enables the CRIME
3219 attack.
3220 - CVE-2012-4929
3221
3222 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 08 Nov 2012 17:56:24 -0500
3223
3224apache2 (2.2.22-6ubuntu2) quantal; urgency=low
3225
3226 * debian/apache2.py
3227 - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171)
3228 - Check if this directory exists: /etc/apache2/sites-enabled/
3229
3230 -- Matthieu Baerts (matttbe) <matttbe@gmail.com> Mon, 16 Jul 2012 10:02:18 +0200
3231
3232apache2 (2.2.22-6ubuntu1) quantal; urgency=low
3233
3234 * Merge from Debian unstable. Remaining changes:
3235 - debian/{control, rules}: Enable PIE hardening.
3236 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3237 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3238 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3239 Plymouth aware passphrase dialog program ask-for-passphrase.
3240 * Dropped changes:
3241 - debian/control: Add bzr tag and point it to our tree; this is not
3242 really required and just increases the delta.
3243
3244 -- Robie Basak <robie.basak@ubuntu.com> Fri, 08 Jun 2012 11:37:31 +0100
3245
3246apache2 (2.2.22-6) unstable; urgency=low
3247
3248 [ Stefan Fritsch ]
3249 * Fix regression causing apache2 to cache "206 partial content" responses,
3250 and then serving these partial responses when replying to normal requests.
3251 Closes: #671204
3252 * Add section to security.conf that shows how to forbid access to VCS
3253 directories. Closes: #548213
3254 * Update ssl default cipher config, add alternative speed optimized config.
3255 Closes: #649020
3256 * Add "AddCharset" for .brf files in default mod_mime config.
3257 Closes: #402567
3258 * Don't create httpd.conf anymore and don't include it in apache2.conf. If
3259 it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
3260 * Port some of the comments in apache2.conf from the 2.4 package.
3261 * Compile mod_version statically, drop associated module load file.
3262 * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
3263 configtest.
3264 * Note in README.Debian that future versions of the package will have the
3265 include statements changed to include only *.conf.
3266 * Change compiled-in document root to /var/www, to avoid strange error
3267 messages.
3268 * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
3269
3270 [ Arno Töll ]
3271 * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
3272 to override LDFLAGS at compile time by defining LDLAGS in the environment,
3273 just like it is possible for CFLAGS. This also means, config_vars.mk now
3274 exports hardening build flags by default.
3275 * Update doc-base metadata for the apache2-doc package.
3276
3277 -- Stefan Fritsch <sf@debian.org> Tue, 29 May 2012 22:05:48 +0200
3278
3279apache2 (2.2.22-5) unstable; urgency=low
3280
3281 * Make LoadFile and LoadModule look in the standard search paths if the
3282 dso file name is given as a pure filename. This helps with the multi-arch
3283 transition.
3284
3285 -- Stefan Fritsch <sf@debian.org> Mon, 30 Apr 2012 23:38:33 +0200
3286
3287apache2 (2.2.22-4) unstable; urgency=high
3288
3289 * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
3290 hosts' config files.
3291 If scripting modules like mod_php or mod_rivet are enabled on systems
3292 where either 1) some frontend server forwards connections to an apache2
3293 backend server on the localhost address, or 2) the machine running
3294 apache2 is also used for web browsing, this could allow a remote
3295 attacker to execute example scripts stored under /usr/share/doc.
3296 Depending on the installed packages, this could lead to issues like cross
3297 site scripting, code execution, or leakage of sensitive data.
3298
3299 -- Stefan Fritsch <sf@debian.org> Sun, 15 Apr 2012 23:41:43 +0200
3300
1737apache2 (2.2.22-3) unstable; urgency=low3301apache2 (2.2.22-3) unstable; urgency=low
17383302
1739 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':3303 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
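Review bot: In the Arno Töll item of the entry signed 29 May 2012, "by defining LDLAGS in the environment" names a variable that does not exist; the preceding sentence and the comparison with CFLAGS show that LDFLAGS is meant. If the text is carried verbatim from the published upload, keep it for history. Otherwise correct the spelling, so that a search for LDFLAGS finds the entry that made config_vars.mk export hardening build flags by default.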
@@ -1754,6 +3318,18 @@ apache2 (2.2.22-2) unstable; urgency=low
17543318
1755 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +01003319 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +0100
17563320
3321apache2 (2.2.22-1ubuntu1) precise; urgency=low
3322
3323 * Merge from Debian testing. Remaining changes:
3324 - debian/{control, rules}: Enable PIE hardening.
3325 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3326 - debian/control: Add bzr tag and point it to our tree
3327 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3328 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3329 Plymouth aware passphrase dialog program ask-for-passphrase.
3330
3331 -- Chuck Short <zulcss@ubuntu.com> Sun, 12 Feb 2012 20:06:35 -0500
3332
1757apache2 (2.2.22-1) unstable; urgency=low3333apache2 (2.2.22-1) unstable; urgency=low
17583334
1759 [ Stefan Fritsch ]3335 [ Stefan Fritsch ]
@@ -1771,6 +3347,18 @@ apache2 (2.2.22-1) unstable; urgency=low
17713347
1772 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +01003348 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +0100
17733349
3350apache2 (2.2.21-5ubuntu1) precise; urgency=low
3351
3352 * Merge from Debian testing. Remaining changes:
3353 - debian/{control, rules}: Enable PIE hardening.
3354 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3355 - debian/control: Add bzr tag and point it to our tree
3356 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3357 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3358 Plymouth aware passphrase dialog program ask-for-passphrase.
3359
3360 -- Chuck Short <zulcss@ubuntu.com> Mon, 09 Jan 2012 06:26:31 +0000
3361
1774apache2 (2.2.21-5) unstable; urgency=low3362apache2 (2.2.21-5) unstable; urgency=low
17753363
1776 [ Arno Töll ]3364 [ Arno Töll ]
@@ -1824,6 +3412,26 @@ apache2 (2.2.21-4) unstable; urgency=low
18243412
1825 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +01003413 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +0100
18263414
3415apache2 (2.2.21-3ubuntu2) precise; urgency=low
3416
3417 * d/ask-for-passphrase: Flip the logic of this script so that it checks
3418 first to see if apache is being started from a TTY, and then if not,
3419 tries plymouth. (LP: #887410)
3420
3421 -- Clint Byrum <clint@ubuntu.com> Tue, 06 Dec 2011 16:49:33 -0800
3422
3423apache2 (2.2.21-3ubuntu1) precise; urgency=low
3424
3425 * Merge from Debian testing. Remaining changes:
3426 - debian/{control, rules}: Enable PIE hardening.
3427 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3428 - debian/control: Add bzr tag and point it to our tree
3429 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3430 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3431 Plymouth aware passphrase dialog program ask-for-passphrase.
3432
3433 -- Chuck Short <zulcss@ubuntu.com> Fri, 09 Dec 2011 05:20:43 +0000
3434
1827apache2 (2.2.21-3) unstable; urgency=medium3435apache2 (2.2.21-3) unstable; urgency=medium
18283436
1829 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some3437 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
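Review bot: The trailer dates of the two added entries run backwards: 2.2.21-3ubuntu2 is signed Tue, 06 Dec 2011, while 2.2.21-3ubuntu1 directly below it is signed Fri, 09 Dec 2011. Please check both trailers against the published uploads before this lands, since as written the ask-for-passphrase TTY/plymouth change (LP: #887410) appears to predate the merge it is versioned on top of.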
@@ -1838,6 +3446,24 @@ apache2 (2.2.21-3) unstable; urgency=medium
18383446
1839 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +01003447 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +0100
18403448
3449apache2 (2.2.21-2ubuntu2) precise; urgency=low
3450
3451 * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
3452
3453 -- Adam Conrad <adconrad@ubuntu.com> Fri, 02 Dec 2011 17:36:28 -0700
3454
3455apache2 (2.2.21-2ubuntu1) precise; urgency=low
3456
3457 * Merge from debian unstable. Remaining changes:
3458 - debian/{control, rules}: Enable PIE hardening.
3459 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3460 - debian/control: Add bzr tag and point it to our tree
3461 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3462 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3463 Plymouth aware passphrase dialog program ask-for-passphrase.
3464
3465 -- Chuck Short <zulcss@ubuntu.com> Fri, 14 Oct 2011 16:01:29 +0000
3466
1841apache2 (2.2.21-2) unstable; urgency=high3467apache2 (2.2.21-2) unstable; urgency=high
18423468
1843 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some3469 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
@@ -1855,6 +3481,19 @@ apache2 (2.2.21-1) unstable; urgency=low
18553481
1856 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +02003482 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +0200
18573483
3484apache2 (2.2.20-1ubuntu1) oneiric; urgency=low
3485
3486 * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
3487 Remaining changes:
3488 - debian/{control, rules}: Enable PIE hardening.
3489 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3490 - debian/control: Add bzr tag and point it to our tree
3491 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3492 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3493 Plymouth aware passphrase dialog program ask-for-passphrase.
3494
3495 -- Steve Beattie <sbeattie@ubuntu.com> Tue, 06 Sep 2011 01:17:15 -0700
3496
1858apache2 (2.2.20-1) unstable; urgency=low3497apache2 (2.2.20-1) unstable; urgency=low
18593498
1860 * New upstream release.3499 * New upstream release.
@@ -1877,6 +3516,18 @@ apache2 (2.2.19-2) unstable; urgency=high
18773516
1878 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +02003517 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +0200
18793518
3519apache2 (2.2.19-1ubuntu1) oneiric; urgency=low
3520
3521 * Merge from debian unstable (LP: #787013). Remaining changes:
3522 - debian/{control, rules}: Enable PIE hardening.
3523 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3524 - debian/control: Add bzr tag and point it to our tree
3525 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3526 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3527 Plymouth aware passphrase dialog program ask-for-passphrase.
3528
3529 -- Andres Rodriguez <andreserl@ubuntu.com> Mon, 23 May 2011 10:16:09 -0400
3530
1880apache2 (2.2.19-1) unstable; urgency=low3531apache2 (2.2.19-1) unstable; urgency=low
18813532
1882 * New upstream release.3533 * New upstream release.
@@ -1894,6 +3545,18 @@ apache2 (2.2.19-1) unstable; urgency=low
18943545
1895 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +02003546 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +0200
18963547
3548apache2 (2.2.17-3ubuntu1) oneiric; urgency=low
3549
3550 * Merge from debian unstable. Remaining changes:
3551 - debian/{control, rules}: Enable PIE hardening.
3552 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3553 - debian/control: Add bzr tag and point it to our tree
3554 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3555 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3556 Plymouth aware passphrase dialog program ask-for-passphrase.
3557
3558 -- Chuck Short <zulcss@ubuntu.com> Mon, 11 Apr 2011 02:13:30 +0100
3559
1897apache2 (2.2.17-3) unstable; urgency=low3560apache2 (2.2.17-3) unstable; urgency=low
18983561
1899 * Fix compilation with OpenSSL without SSLv2 support. Closes: #6220493562 * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
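Review bot: The apport hook line in the added 2.2.17-3ubuntu1 entry reads "debain/apache2.py, debian/apache2.2-common.isntall", so neither path matches the real file names. The 2.2.17-1ubuntu1 and 2.2.16-6ubuntu1 entries further down carry the same two misspellings, while the later entries (2.2.19-1ubuntu1 onward) spell them correctly. If these are reproduced from the original uploads that is fine, but please confirm they were not introduced while reconstructing the delta. A grep for debian/apache2.py across the changelog will otherwise miss three of the entries that carried the hook.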
@@ -1920,6 +3583,18 @@ apache2 (2.2.17-2) unstable; urgency=high
19203583
1921 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +01003584 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +0100
19223585
3586apache2 (2.2.17-1ubuntu1) natty; urgency=low
3587
3588 * Merge from debian unstable, remaining changes:
3589 - debian/{control, rules}: Enable PIE hardening.
3590 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3591 - debian/control: Add bzr tag and point it to our tree
3592 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3593 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3594 Plymouth aware passphrase dialog program ask-for-passphrase.
3595
3596 -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Feb 2011 13:02:08 -0500
3597
1923apache2 (2.2.17-1) unstable; urgency=low3598apache2 (2.2.17-1) unstable; urgency=low
19243599
1925 * New upstream version3600 * New upstream version
@@ -1928,6 +3603,32 @@ apache2 (2.2.17-1) unstable; urgency=low
19283603
1929 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +01003604 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +0100
19303605
3606apache2 (2.2.16-6ubuntu3) natty; urgency=low
3607
3608 * debian/rules: Don't use "-fno-strict-aliasing" since it causes
3609 apache FTBFS on amd64. (LP: #711293)
3610
3611 -- Chuck Short <zulcss@ubuntu.com> Tue, 01 Feb 2011 10:19:55 -0500
3612
3613apache2 (2.2.16-6ubuntu2) natty; urgency=low
3614
3615 * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug.
3616 (LP: #697105)
3617
3618 -- Chuck Short <zulcss@ubuntu.com> Tue, 25 Jan 2011 11:14:58 -0500
3619
3620apache2 (2.2.16-6ubuntu1) natty; urgency=low
3621
3622 * Merge from debian unstable. Remaining changes:
3623 - debian/{control, rules}: Enable PIE hardening.
3624 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3625 - debian/control: Add bzr tag and point it to our tree
3626 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3627 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3628 Plymouth aware passphrase dialog program ask-for-passphrase.
3629
3630 -- Chuck Short <zulcss@ubuntu.com> Sun, 02 Jan 2011 06:05:51 +0000
3631
1931apache2 (2.2.16-6) unstable; urgency=low3632apache2 (2.2.16-6) unstable; urgency=low
19323633
1933 * Also add $named to the secondary-init-script example.3634 * Also add $named to the secondary-init-script example.
@@ -1943,6 +3644,30 @@ apache2 (2.2.16-5) unstable; urgency=medium
19433644
1944 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +01003645 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +0100
19453646
3647apache2 (2.2.16-4ubuntu2) natty; urgency=low
3648
3649 [Clint Byrum]
3650 * Adding plymouth aware passphrase dialog program ask-for-passphrase.
3651 (LP: #582963)
3652 + debian/control: apache2.2-common depends on bash for ask-for-passphrase
3653 + debian/config-dir/mods-available/ssl.conf:
3654 - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase
3655
3656 [Chuck Short]
3657 * Add apport hook. (LP: #609177)
3658 + debian/apache2.py, debian/apache2.2-common.install
3659
3660 -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:43 -0500
3661
3662apache2 (2.2.16-4ubuntu1) natty; urgency=low
3663
3664 * Merge from debian unstable. Remaining changes:
3665 - debian/{control, rules}: Enable PIE hardening.
3666 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3667 - debian/control: Add bzr tag and point it to our tree
3668
3669 -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:41 -0500
3670
1946apache2 (2.2.16-4) unstable; urgency=medium3671apache2 (2.2.16-4) unstable; urgency=medium
19473672
1948 * Increase the mod_reqtimeout default timeouts to avoid potential problems3673 * Increase the mod_reqtimeout default timeouts to avoid potential problems
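Review bot: In the added 2.2.16-4ubuntu2 entry the SSLPassPhraseDialog target is written as exec:/usr/share/apache2/ask-for-passhrase, which does not match the program name ask-for-passphrase used two lines above and in every later "Remaining changes" list. Because this line documents which executable ssl.conf hands the key passphrase prompt to, please verify it against the original upload and, if the misspelling is not historical, fix it so the changelog does not point auditors at a path that never existed.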
@@ -1953,6 +3678,15 @@ apache2 (2.2.16-4) unstable; urgency=medium
19533678
1954 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +01003679 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +0100
19553680
3681apache2 (2.2.16-3ubuntu1) natty; urgency=low
3682
3683 * Merge from debian unstable. Remaining changes:
3684 - debian/{control, rules}: Enable PIE hardening.
3685 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3686 - debian/control: Add bzr tag and point it to our tree.
3687
3688 -- Chuck Short <zulcss@ubuntu.com> Tue, 12 Oct 2010 11:54:48 +0100
3689
1956apache2 (2.2.16-3) unstable; urgency=high3690apache2 (2.2.16-3) unstable; urgency=high
19573691
1958 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.3692 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
@@ -1975,6 +3709,30 @@ apache2 (2.2.16-2) unstable; urgency=low
19753709
1976 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +02003710 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +0200
19773711
3712apache2 (2.2.16-1ubuntu3) maverick; urgency=low
3713
3714 * Revert "stty sane" to unbreak apache starting, this will have to be
3715 fixed a different way. (LP: #626723)
3716
3717 -- Chuck Short <zulcss@ubuntu.com> Wed, 08 Sep 2010 08:33:17 -0400
3718
3719apache2 (2.2.16-1ubuntu2) maverick; urgency=low
3720
3721 * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a
3722 password prompt when using apache-ssl. (LP: #582963)
3723
3724 -- Chuck Short <zulcss@ubuntu.com> Wed, 25 Aug 2010 09:25:05 -0400
3725
3726apache2 (2.2.16-1ubuntu1) maverick; urgency=low
3727
3728 * Merge from debian unstable. Remaining changes:
3729 - debian/{control, rules}: Enable PIE hardening.
3730 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3731 - debian/control: Add bzr tag and point it to our tree.
3732 - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
3733
3734 -- Chuck Short <zulcss@ubuntu.com> Mon, 26 Jul 2010 20:21:37 +0100
3735
1978apache2 (2.2.16-1) unstable; urgency=medium3736apache2 (2.2.16-1) unstable; urgency=medium
19793737
1980 * Urgency medium for security fix.3738 * Urgency medium for security fix.
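Review bot: The init script is named two different ways inside this hunk: 2.2.16-1ubuntu2 says debian/apache2.2-common.apache2.init, while the "Remaining changes" list of 2.2.16-1ubuntu1 says debian/apache2-2.common.apache2.init. Only the first form is consistent with the apache2.2-common package name used elsewhere in these entries. Also note that the "stty sane" addition (LP: #582963) is reverted one upload later (LP: #626723) with "this will have to be fixed a different way", so it would help to say in the merge description that the ask-for-passphrase program listed in later entries is what replaced it.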
@@ -2007,6 +3765,24 @@ apache2 (2.2.15-6) unstable; urgency=low
20073765
2008 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +02003766 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +0200
20093767
3768apache2 (2.2.15-5ubuntu1) maverick; urgency=low
3769
3770 * Merge from debian unstable. Remaining changes:
3771 - debian/{control, rules}: Enable PIE hardening.
3772 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3773 - debian/control: Add bzr tag and point it to our tree.
3774 - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
3775 + Dropped:
3776 - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
3777 - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
3778 - debian/config-dir/apache2.conf: Merged back from debian.
3779 - mod-reqtimeout functionality: Merge back from debian.
3780 - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
3781 - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
3782 - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.
3783
3784 -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 01:28:04 +0100
3785
2010apache2 (2.2.15-5) unstable; urgency=low3786apache2 (2.2.15-5) unstable; urgency=low
20113787
2012 * Conflict with apache package as we now include apachectl. Closes: #5790653788 * Conflict with apache package as we now include apachectl. Closes: #579065
@@ -2127,6 +3903,80 @@ apache2 (2.2.14-6) unstable; urgency=low
21273903
2128 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +01003904 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +0100
21293905
3906apache2 (2.2.14-5ubuntu8) lucid; urgency=low
3907
3908 * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
3909 (LP: #562370)
3910
3911 -- Chuck Short <zulcss@ubuntu.com> Tue, 13 Apr 2010 15:09:57 -0400
3912
3913apache2 (2.2.14-5ubuntu7) lucid; urgency=low
3914
3915 * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
3916 leaks by making sure to not destroy bucket brigades that have been created
3917 by earlier filters. Backported from 2.2.15.
3918 * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
3919 has reached MaxClients until it has. Backported from 2.2.15
3920 * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
3921 more secure by adding Satisfy all. (Debian bug: #572075)
3922 * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
3923 debian/config2-dir/mods-available/reqtimeout.load,
3924 debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the
3925 mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
3926 bug in apache. Enable it by default. (LP: #392759)
3927
3928 -- Chuck Short <zulcss@ubuntu.com> Mon, 05 Apr 2010 09:53:35 -0400
3929
3930apache2 (2.2.14-5ubuntu6) lucid; urgency=low
3931
3932 * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)
3933
3934 -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 09:41:11 -0400
3935
3936apache2 (2.2.14-5ubuntu5) lucid; urgency=low
3937
3938 * Revert 99-fix-mod-dav-permissions.dpatch
3939
3940 -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 07:55:46 -0400
3941
3942apache2 (2.2.14-5ubuntu4) lucid; urgency=low
3943
3944 * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when
3945 downloading files from webdav (LP: #540747)
3946 * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)
3947
3948 -- Chuck Short <zulcss@ubuntu.com> Mon, 29 Mar 2010 13:37:39 -0400
3949
3950apache2 (2.2.14-5ubuntu3) lucid; urgency=low
3951
3952 * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
3953 - debian/patches/204_CVE-2010-0408.dpatch: return the right error code
3954 in modules/proxy/mod_proxy_ajp.c.
3955 - CVE-2010-0408
3956 * SECURITY UPDATE: information disclosure via improper handling of
3957 headers in subrequests
3958 - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in
3959 in server/protocol.c.
3960 - CVE-2010-0434
3961
3962 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Mar 2010 14:48:48 -0500
3963
3964apache2 (2.2.14-5ubuntu2) lucid; urgency=low
3965
3966 * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really
3967 wacky options. (LP: #450501)
3968
3969 -- Chuck Short <zulcss@ubuntu.com> Mon, 08 Mar 2010 14:53:17 -0500
3970
3971apache2 (2.2.14-5ubuntu1) lucid; urgency=low
3972
3973 * Merge from debian testing. Remaining changes: LP: #506862
3974 - debian/{control, rules}: Enable PIE hardening.
3975 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3976 - debian/control: Add bzr tag and point it to our tree.
3977
3978 -- Bhavani Shankar <right2bhavi@gmail.com> Wed, 13 Jan 2010 14:28:41 +0530
3979
2130apache2 (2.2.14-5) unstable; urgency=low3980apache2 (2.2.14-5) unstable; urgency=low
21313981
2132 * Security: Further mitigation for the TLS renegotation attack3982 * Security: Further mitigation for the TLS renegotation attack
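Review bot: Several names in the added lucid entries do not line up. 2.2.14-5ubuntu8 says "Add missing mod_reqtime.so", but the module backported in 2.2.14-5ubuntu7 is mod-reqtimeout with reqtimeout.load and reqtimeout.conf. The same ubuntu7 entry places those files under debian/config2-dir/ while its apache2.conf change is under debian/config-dir/. Two different patches also share the 206- prefix. None of this affects the build today, since the 2.2.15-5ubuntu1 entry drops the patches, but the ubuntu7 entry is the record of when the slowloris mitigation and the "Satisfy all" hardening of the .ht block were enabled by default, so please check the names against the original uploads.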
@@ -2150,6 +4000,15 @@ apache2 (2.2.14-5) unstable; urgency=low
21504000
2151 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +01004001 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +0100
21524002
4003apache2 (2.2.14-4ubuntu1) lucid; urgency=low
4004
4005 * Resynchronzie with Debian, remaining changes are:
4006 - debian/{control, rules}: Enable PIE hardening.
4007 - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
4008 - debian/control: Add bzr tag and point it to our tree.
4009
4010 -- Chuck Short <zulcss@ubuntu.com> Wed, 23 Dec 2009 14:44:51 -0500
4011
2153apache2 (2.2.14-4) unstable; urgency=low4012apache2 (2.2.14-4) unstable; urgency=low
21544013
2155 * Disable localized error pages again by default because they break4014 * Disable localized error pages again by default because they break
@@ -2200,6 +4059,17 @@ apache2 (2.2.14-2) unstable; urgency=medium
22004059
2201 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +01004060 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +0100
22024061
4062apache2 (2.2.14-1ubuntu1) lucid; urgency=low
4063
4064 * Merge from debian testing, remaining changes:
4065 - debian/{control, rules}: Enable PIE hardening.
4066 - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
4067 - debian/conrol: Add bzr tag and point it to our tree.
4068 - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
4069 Already applied upstream.
4070
4071 -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 00:29:03 +0000
4072
2203apache2 (2.2.14-1) unstable; urgency=low4073apache2 (2.2.14-1) unstable; urgency=low
22044074
2205 * New upstream version:4075 * New upstream version:
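Review bot: The "remaining changes" list of the added 2.2.14-1ubuntu1 entry has two truncated paths, "pache2.2-common.ufw.profile" and "debian/conrol", and the 2.2.14-4ubuntu1 entry in the previous hunk repeats the first one next to "Resynchronzie". Please confirm these are verbatim from the archive. If they crept in while the delta was being summarized, restore apache2.2-common.ufw.profile and debian/control so the ufw profile history stays searchable.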
@@ -2234,6 +4104,24 @@ apache2 (2.2.13-1) unstable; urgency=low
22344104
2235 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +02004105 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +0200
22364106
4107apache2 (2.2.12-1ubuntu2) karmic; urgency=low
4108
4109 * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
4110 - Fix potential segfaults with the use of the legacy ap_rputs() etc
4111 interfaces, in cases where an output filter fails. This happens
4112 frequently after CVE-2009-1891 got fixed. (LP: #409987)
4113
4114 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 17 Aug 2009 15:38:47 -0400
4115
4116apache2 (2.2.12-1ubuntu1) karmic; urgency=low
4117
4118 * Merge from debian unstable, remaining changes:
4119 - debian/{control,rules}: enable PIE hardening.
4120 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4121 - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.
4122
4123 -- Chuck Short <zulcss@ubuntu.com> Tue, 04 Aug 2009 20:04:24 +0100
4124
2237apache2 (2.2.12-1) unstable; urgency=low4125apache2 (2.2.12-1) unstable; urgency=low
22384126
2239 * New upstream release:4127 * New upstream release:
@@ -2281,6 +4169,16 @@ apache2 (2.2.12-1) unstable; urgency=low
22814169
2282 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +02004170 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +0200
22834171
4172apache2 (2.2.11-7ubuntu1) karmic; urgency=low
4173
4174 * Merge from debian unstable, remaining changes: LP: #398130
4175 - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
4176 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4177 - debian/{control,rules}: enable PIE hardening.
4178 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4179
4180 -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 11 Jul 2009 16:34:32 +0530
4181
2284apache2 (2.2.11-7) unstable; urgency=low4182apache2 (2.2.11-7) unstable; urgency=low
22854183
2286 * Security fixes:4184 * Security fixes:
@@ -2295,6 +4193,16 @@ apache2 (2.2.11-7) unstable; urgency=low
22954193
2296 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +02004194 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +0200
22974195
4196apache2 (2.2.11-6ubuntu1) karmic; urgency=low
4197
4198 * Merge from debian unstable, remaining changes:
4199 - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
4200 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4201 - debian/{control,rules}: enable PIE hardening.
4202 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4203
4204 -- Chuck Short <zulcss@ubuntu.com> Tue, 09 Jun 2009 01:01:23 +0100
4205
2298apache2 (2.2.11-6) unstable; urgency=high4206apache2 (2.2.11-6) unstable; urgency=high
22994207
2300 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server4208 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
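Review bot: The patch named in the added 2.2.11-6ubuntu1 entry is 203_fix-ssl-timeftm-ignored.dpatch, but the entries that introduced and first carried it (2.2.11-2ubuntu2, 2.2.11-3ubuntu1, 2.2.11-5ubuntu1) call it 203_fix-ssi-timeftm-ignored.dpatch. The description (timefmt ignored when XBitHack is on) is about server-side includes, so "ssi" looks like the real file name. The "ssl" spelling then persists through 2.2.11-7ubuntu1 and the "Dropped" line in 2.2.12-1ubuntu1. Worth verifying, because as written the changelog suggests an SSL-related patch was carried and dropped when none was.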
@@ -2303,6 +4211,16 @@ apache2 (2.2.11-6) unstable; urgency=high
23034211
2304 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +02004212 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +0200
23054213
4214apache2 (2.2.11-5ubuntu1) karmic; urgency=low
4215
4216 * Merge from debian unstable, remaining changes:
4217 - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4218 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4219 - debian/{control,rules}: enable PIE hardening.
4220 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4221
4222 -- Andrew Mitchell <ajmitch@ubuntu.com> Wed, 03 Jun 2009 14:10:54 +1200
4223
2306apache2 (2.2.11-5) unstable; urgency=low4224apache2 (2.2.11-5) unstable; urgency=low
23074225
2308 * Move all binaries into a new package apache2.2-bin and make4226 * Move all binaries into a new package apache2.2-bin and make
@@ -2351,6 +4269,16 @@ apache2 (2.2.11-4) unstable; urgency=low
23514269
2352 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +02004270 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +0200
23534271
4272apache2 (2.2.11-3ubuntu1) karmic; urgency=low
4273
4274 * Merge from debian unstable, remaining changes:
4275 - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4276 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4277 - debian/{control,rules}: enable PIE hardening.
4278 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4279
4280 -- Andrew Mitchell <ajmitch@ubuntu.com> Tue, 12 May 2009 16:15:34 +1200
4281
2354apache2 (2.2.11-3) unstable; urgency=low4282apache2 (2.2.11-3) unstable; urgency=low
23554283
2356 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap4284 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
@@ -2359,6 +4287,21 @@ apache2 (2.2.11-3) unstable; urgency=low
23594287
2360 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +02004288 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +0200
23614289
4290apache2 (2.2.11-2ubuntu2) jaunty; urgency=low
4291
4292 * debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4293 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4294
4295 -- Chuck Short <zulcss@ubuntu.com> Wed, 01 Apr 2009 11:39:17 -0400
4296
4297apache2 (2.2.11-2ubuntu1) jaunty; urgency=low
4298
4299 * Merge from debian unstable, remaining changes:
4300 - debian/{contro,rules}: enable PIE hardening.
4301 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4302
4303 -- Chuck Short <zulcss@ubuntu.com> Sat, 17 Jan 2009 00:02:55 +0000
4304
2362apache2 (2.2.11-2) unstable; urgency=low4305apache2 (2.2.11-2) unstable; urgency=low
23634306
2364 * Report an error instead instead of segfaulting when apr_pollset_create4307 * Report an error instead instead of segfaulting when apr_pollset_create
@@ -2368,6 +4311,14 @@ apache2 (2.2.11-2) unstable; urgency=low
23684311
2369 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +01004312 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +0100
23704313
4314apache2 (2.2.11-1ubuntu1) jaunty; urgency=low
4315
4316 * Merge from debian unstable, remaining changes:
4317 - debian/{control, rules}: enable PIE hardening.
4318 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4319
4320 -- Chuck Short <zulcss@ubuntu.com> Mon, 15 Dec 2008 00:06:50 +0000
4321
2371apache2 (2.2.11-1) unstable; urgency=low4322apache2 (2.2.11-1) unstable; urgency=low
23724323
2373 [Thom May]4324 [Thom May]
@@ -2382,6 +4333,14 @@ apache2 (2.2.11-1) unstable; urgency=low
23824333
2383 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +01004334 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +0100
23844335
4336apache2 (2.2.9-11ubuntu1) jaunty; urgency=low
4337
4338 * Merge from debian unstable, remaining changes: (LP: #303375)
4339 - debian/{control, rules}: enable PIE hardening.
4340 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4341
4342 -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 29 Nov 2008 14:02:31 +0530
4343
2385apache2 (2.2.9-11) unstable; urgency=low4344apache2 (2.2.9-11) unstable; urgency=low
23864345
2387 * Regression fix from upstream svn for mod_proxy:4346 * Regression fix from upstream svn for mod_proxy:
@@ -2396,6 +4355,14 @@ apache2 (2.2.9-11) unstable; urgency=low
23964355
2397 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +01004356 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +0100
23984357
4358apache2 (2.2.9-10ubuntu1) jaunty; urgency=low
4359
4360 * Merge from debian unstable, remaining changes:
4361 - debian/{control, rules}: enable PIE hardening.
4362 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4363
4364 -- Chuck Short <zulcss@ubuntu.com> Wed, 05 Nov 2008 02:23:18 -0400
4365
2399apache2 (2.2.9-10) unstable; urgency=low4366apache2 (2.2.9-10) unstable; urgency=low
24004367
2401 * Regression fix from upstream svn for mod_proxy_http:4368 * Regression fix from upstream svn for mod_proxy_http:
@@ -2426,6 +4393,27 @@ apache2 (2.2.9-8) unstable; urgency=low
24264393
2427 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +02004394 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +0200
24284395
4396apache2 (2.2.9-7ubuntu3) intrepid; urgency=low
4397
4398 * Revert logrotate change since it will break it for everyone.
4399
4400 -- Chuck Short <zulcss@ubuntu.com> Fri, 19 Sep 2008 09:32:01 -0400
4401
4402apache2 (2.2.9-7ubuntu2) intrepid; urgency=low
4403
4404 * debian/logrotate: Restart rather than reload for busy websites.
4405 (LP: #270899)
4406
4407 -- Chuck Short <zulcss@ubuntu.com> Thu, 18 Sep 2008 08:42:22 -0400
4408
4409apache2 (2.2.9-7ubuntu1) intrepid; urgency=low
4410
4411 * Merge from debian unstable, remaining changes:
4412 - debian/{control,rules}: enable PIE hardening.
4413 - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles.
4414
4415 -- Kees Cook <kees@ubuntu.com> Thu, 28 Aug 2008 08:10:59 -0700
4416
2429apache2 (2.2.9-7) unstable; urgency=low4417apache2 (2.2.9-7) unstable; urgency=low
24304418
2431 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).4419 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).
@@ -2468,6 +4456,23 @@ apache2 (2.2.9-4) unstable; urgency=low
24684456
2469 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +02004457 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +0200
24704458
4459apache2 (2.2.9-3ubuntu2) intrepid; urgency=low
4460
4461 * add ufw integration (see
4462 https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages)
4463 (LP: #261198)
4464 - debian/control: suggest ufw for apache2.2-common
4465 - add apache2.2-common.ufw.profile with 3 profiles and install it to
4466 /etc/ufw/applications.d/apache2.2-common
4467
4468 -- Didier Roche <didrocks@ubuntu-fr.org> Tue, 26 Aug 2008 19:03:42 +0200
4469
4470apache2 (2.2.9-3ubuntu1) intrepid; urgency=low
4471
4472 * debian/{control,rules}: enable PIE hardening
4473
4474 -- Kees Cook <kees@ubuntu.com> Wed, 20 Aug 2008 15:45:00 -0700
4475
2471apache2 (2.2.9-3) unstable; urgency=low4476apache2 (2.2.9-3) unstable; urgency=low
24724477
2473 [ Stefan Fritsch ]4478 [ Stefan Fritsch ]
@@ -4038,9 +6043,7 @@ apache2 (2.0.37-1) unstable; urgency=low
4038 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +01006043 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +0100
40396044
4040apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low6045apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low
4041
4042 * New upstream release6046 * New upstream release
4043
4044 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +01006047 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +0100
40456048
4046apache2 (2.0.36-2) unstable; urgency=low6049apache2 (2.0.36-2) unstable; urgency=low
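Review bot: The two blank lines dropped around `* New upstream release` in the 2.0.37+cvs.JCW_PRE2_2037-1 entry (old lines 4041 and 4043) are a whitespace-only change to a historical entry. The target branch keeps a blank line after the entry header and another before the trailer, so the Ubuntu changelog now differs from debian/sid in an entry nobody means to touch, and the difference will reappear in every later merge diff. Suggest restoring both blank lines so the entry matches the Debian original.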
@@ -4548,3 +6551,4 @@ apache2 (2.0.18-1) unstable; urgency=low
4548 * Initial Release.6551 * Initial Release.
45496552
4550 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +10006553 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +1000
6554
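Review bot: New line 6554 is an empty line appended after the final `-- Daniel Stone` trailer, at the very end of debian/changelog. It carries no content and is one more whitespace-only difference from the Debian file; suggest dropping it.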
diff --git a/debian/control b/debian/control
index 5cd2245..82a3450 100644
--- a/debian/control
+++ b/debian/control
@@ -1,5 +1,6 @@
1Source: apache21Source: apache2
2Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>2Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
3XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
3Uploaders: Stefan Fritsch <sf@debian.org>,4Uploaders: Stefan Fritsch <sf@debian.org>,
4 Arno Töll <arno@debian.org>,5 Arno Töll <arno@debian.org>,
5 Ondřej Surý <ondrej@debian.org>,6 Ondřej Surý <ondrej@debian.org>,
@@ -44,7 +45,8 @@ Depends: apache2-bin (= ${binary:Version}),
44Recommends: ssl-cert45Recommends: ssl-cert
45Suggests: apache2-doc,46Suggests: apache2-doc,
46 apache2-suexec-pristine | apache2-suexec-custom,47 apache2-suexec-pristine | apache2-suexec-custom,
47 www-browser48 www-browser,
49 ufw
48Pre-Depends: ${misc:Pre-Depends}50Pre-Depends: ${misc:Pre-Depends}
49Provides: httpd,51Provides: httpd,
50 httpd-cgi52 httpd-cgi
diff --git a/debian/icons/ubuntu-logo.png b/debian/icons/ubuntu-logo.png
51new file mode 10064453new file mode 100644
index 0000000..eee686c
52Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ54Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ
diff --git a/debian/index.html b/debian/index.html
index 766401d..9c90ef4 100644
--- a/debian/index.html
+++ b/debian/index.html
@@ -1,9 +1,13 @@
1
2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">1<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3<html xmlns="http://www.w3.org/1999/xhtml">2<html xmlns="http://www.w3.org/1999/xhtml">
3 <!--
4 Modified from the Debian original for Ubuntu
5 Last updated: 2022-03-22
6 See: https://launchpad.net/bugs/1966004
7 -->
4 <head>8 <head>
5 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />9 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
6 <title>Apache2 Debian Default Page: It works</title>10 <title>Apache2 Ubuntu Default Page: It works</title>
7 <style type="text/css" media="screen">11 <style type="text/css" media="screen">
8 * {12 * {
9 margin: 0px 0px 0px 0px;13 margin: 0px 0px 0px 0px;
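Review bot: The comment inserted between `<html>` and `<head>` hard-codes `Last updated: 2022-03-22`, which becomes wrong as soon as the page is edited again without bumping it. This file is the default page that the server hands to any visitor, so the comment is also public; the bug link alone records where the Ubuntu changes came from, and the date is better left to debian/changelog.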
@@ -15,7 +19,7 @@
1519
16 background-color: #D8DBE2;20 background-color: #D8DBE2;
1721
18 font-family: Verdana, sans-serif;22 font-family: Ubuntu, Verdana, sans-serif;
19 font-size: 11pt;23 font-size: 11pt;
20 text-align: center;24 text-align: center;
21 }25 }
@@ -41,7 +45,7 @@
41 }45 }
4246
43 div.page_header {47 div.page_header {
44 height: 99px;48 height: 180px;
45 width: 100%;49 width: 100%;
4650
47 background-color: #F5F6F7;51 background-color: #F5F6F7;
@@ -60,6 +64,19 @@
60 border: 0px 0px 0px;64 border: 0px 0px 0px;
61 }65 }
6266
67 div.banner {
68 padding: 9px 6px 9px 6px;
69 background-color: #E9510E;
70 color: #FFFFFF;
71 font-weight: bold;
72 font-size: 112%;
73 text-align: center;
74 position: absolute;
75 left: 40%;
76 bottom: 30px;
77 width: 20%;
78 }
79
63 div.table_of_contents {80 div.table_of_contents {
64 clear: left;81 clear: left;
6582
@@ -136,10 +153,6 @@
136 text-align: center;153 text-align: center;
137 }154 }
138155
139 div.section_header_red {
140 background-color: #CD214F;
141 }
142
143 div.section_header_grey {156 div.section_header_grey {
144 background-color: #9F9386;157 background-color: #9F9386;
145 }158 }
@@ -188,46 +201,31 @@
188 <body>201 <body>
189 <div class="main_page">202 <div class="main_page">
190 <div class="page_header floating_element">203 <div class="page_header floating_element">
191 <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/>204 <img src="icons/ubuntu-logo.png" alt="Ubuntu Logo"
192 <span class="floating_element">205 style="width:184px;height:146px;" class="floating_element" />
193 Apache2 Debian Default Page206 <div>
194 </span>207 <span style="margin-top: 1.5em;" class="floating_element">
195 </div>208 Apache2 Default Page
196<!-- <div class="table_of_contents floating_element">209 </span>
197 <div class="section_header section_header_grey">
198 TABLE OF CONTENTS
199 </div>
200 <div class="table_of_contents_item floating_element">
201 <a href="#about">About</a>
202 </div>
203 <div class="table_of_contents_item floating_element">
204 <a href="#changes">Changes</a>
205 </div>
206 <div class="table_of_contents_item floating_element">
207 <a href="#scope">Scope</a>
208 </div>
209 <div class="table_of_contents_item floating_element">
210 <a href="#files">Config files</a>
211 </div>210 </div>
212 </div>211 <div class="banner">
213-->
214 <div class="content_section floating_element">
215
216
217 <div class="section_header section_header_red">
218 <div id="about"></div>212 <div id="about"></div>
219 It works!213 It works!
220 </div>214 </div>
215
216 </div>
217 <div class="content_section floating_element">
221 <div class="content_section_text">218 <div class="content_section_text">
222 <p>219 <p>
223 This is the default welcome page used to test the correct 220 This is the default welcome page used to test the correct
224 operation of the Apache2 server after installation on Debian systems.221 operation of the Apache2 server after installation on Ubuntu systems.
222 It is based on the equivalent page on Debian, from which the Ubuntu Apache
223 packaging is derived.
225 If you can read this page, it means that the Apache HTTP server installed at224 If you can read this page, it means that the Apache HTTP server installed at
226 this site is working properly. You should <b>replace this file</b> (located at225 this site is working properly. You should <b>replace this file</b> (located at
227 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.226 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.
228 </p>227 </p>
229228
230
231 <p>229 <p>
232 If you are a normal user of this web site and don't know what this page is230 If you are a normal user of this web site and don't know what this page is
233 about, this probably means that the site is currently unavailable due to231 about, this probably means that the site is currently unavailable due to
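Review bot: The logo `src` changes from the root-relative `/icons/openlogo-75.png` to the document-relative `icons/ubuntu-logo.png`, which resolves to the same location only while the page is served from the site root. If the file is copied or served under a subdirectory the image will not load. Suggest `src="/icons/ubuntu-logo.png"`, assuming the new logo is installed alongside openlogo-75.png. The inline `style` attributes on the `<img>` and the `<span>` would also sit better as rules in the existing `<style>` block, next to the new `div.banner` rule.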
@@ -242,18 +240,17 @@
242 </div>240 </div>
243 <div class="content_section_text">241 <div class="content_section_text">
244 <p>242 <p>
245 Debian's Apache2 default configuration is different from the243 Ubuntu's Apache2 default configuration is different from the
246 upstream default configuration, and split into several files optimized for244 upstream default configuration, and split into several files optimized for
247 interaction with Debian tools. The configuration system is245 interaction with Ubuntu tools. The configuration system is
248 <b>fully documented in246 <b>fully documented in
249 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full247 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full
250 documentation. Documentation for the web server itself can be248 documentation. Documentation for the web server itself can be
251 found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt>249 found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt>
252 package was installed on this server.250 package was installed on this server.
253
254 </p>251 </p>
255 <p>252 <p>
256 The configuration layout for an Apache2 web server installation on Debian systems is as follows:253 The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:
257 </p>254 </p>
258 <pre>255 <pre>
259/etc/apache2/256/etc/apache2/
@@ -308,9 +305,12 @@
308 </li>305 </li>
309306
310 <li>307 <li>
311 The binary is called apache2. Due to the use of308 The binary is called apache2 and is managed using systemd, so to
312 environment variables, in the default configuration, apache2 needs to be309 start/stop the service use <tt>systemctl start apache2</tt> and
313 started/stopped with <tt>/etc/init.d/apache2</tt> or <tt>apache2ctl</tt>.310 <tt>systemctl stop apache2</tt>, and use <tt>systemctl status apache2</tt>
311 and <tt>journalctl -u apache2</tt> to check status. <tt>system</tt>
312 and <tt>apache2ctl</tt> can also be used for service management if
313 desired.
314 <b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the314 <b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the
315 default configuration.315 default configuration.
316 </li>316 </li>
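Review bot: The added sentence `<tt>system</tt> and <tt>apache2ctl</tt> can also be used for service management` names `system`, which looks like a typo for another command (probably `service`); please correct it before this text ships on the default page. The rewrite also drops the clause "Due to the use of environment variables", so the retained bold warning that calling `/usr/bin/apache2` directly will not work no longer says why; consider keeping a short reason.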
@@ -324,8 +324,8 @@
324324
325 <div class="content_section_text">325 <div class="content_section_text">
326 <p>326 <p>
327 By default, Debian does not allow access through the web browser to327 By default, Ubuntu does not allow access through the web browser to
328 <em>any</em> file apart of those located in <tt>/var/www</tt>,328 <em>any</em> file outside of those located in <tt>/var/www</tt>,
329 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>329 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
330 directories (when enabled) and <tt>/usr/share</tt> (for web330 directories (when enabled) and <tt>/usr/share</tt> (for web
331 applications). If your site is using a web document root331 applications). If your site is using a web document root
@@ -333,9 +333,8 @@
333 document root directory in <tt>/etc/apache2/apache2.conf</tt>.333 document root directory in <tt>/etc/apache2/apache2.conf</tt>.
334 </p>334 </p>
335 <p>335 <p>
336 The default Debian document root is <tt>/var/www/html</tt>. You336 The default Ubuntu document root is <tt>/var/www/html</tt>. You
337 can make your own virtual hosts under /var/www. This is different337 can make your own virtual hosts under /var/www.
338 to previous releases which provides better security out of the box.
339 </p>338 </p>
340 </div>339 </div>
341340
@@ -345,24 +344,20 @@
345 </div>344 </div>
346 <div class="content_section_text">345 <div class="content_section_text">
347 <p>346 <p>
348 Please use the <tt>reportbug</tt> tool to report bugs in the347 Please use the <tt>ubuntu-bug</tt> tool to report bugs in the
349 Apache2 package with Debian. However, check <a348 Apache2 package with Ubuntu. However, check <a
350 href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"349 href="https://bugs.launchpad.net/ubuntu/+source/apache2"
351 rel="nofollow">existing bug reports</a> before reporting a new bug.350 rel="nofollow">existing bug reports</a> before reporting a new bug.
352 </p>351 </p>
353 <p>352 <p>
354 Please report bugs specific to modules (such as PHP and others)353 Please report bugs specific to modules (such as PHP and others)
355 to respective packages, not to the web server itself.354 to their respective packages, not to the web server itself.
356 </p>355 </p>
357 </div>356 </div>
358357
359
360
361
362 </div>358 </div>
363 </div>359 </div>
364 <div class="validator">360 <div class="validator">
365 </div>361 </div>
366 </body>362 </body>
367</html>363</html>
368
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index d617b1d..823d9c0 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -17,6 +17,7 @@ debian/icons/odf6otp-20x22.png
17debian/icons/odf6ots-20x22.png17debian/icons/odf6ots-20x22.png
18debian/icons/odf6ott-20x22.png18debian/icons/odf6ott-20x22.png
19debian/icons/openlogo-75.png19debian/icons/openlogo-75.png
20debian/icons/ubuntu-logo.png
20debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml21debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml
21debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php22debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php
22debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml23debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml
