Merge ~bryce/ubuntu/+source/apache2:merge-v2.4.54-2-kinetic into ubuntu/+source/apache2:debian/sid

Proposed by Bryce Harrington
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: Bryce Harrington
Merged at revision: 7056ded95ee239394ace0bd0d5df8799d44df75d
Proposed branch: ~bryce/ubuntu/+source/apache2:merge-v2.4.54-2-kinetic
Merge into: ubuntu/+source/apache2:debian/sid
Diff against target: 2846 lines (+2144/-60)
10 files modified
debian/apache2-bin.install (+1/-0)
debian/apache2-utils.ufw.profile (+14/-0)
debian/apache2.dirs (+1/-0)
debian/apache2.install (+1/-0)
debian/apache2.postrm (+2/-0)
debian/apache2.py (+48/-0)
debian/changelog (+2021/-2)
debian/control (+4/-2)
debian/index.html (+51/-56)
debian/source/include-binaries (+1/-0)
Reviewers:
  git-ubuntu bot: Approve
  Andreas Hasenack: Approve
  Canonical Server Reporter: Pending
  Canonical Server: Pending
Review via email: mp+427110@code.launchpad.net
Bryce Harrington (bryce) wrote :

This is a re-merge of apache2 to pick up a new upstream, notably with some CVE fixes.

Just carrying the usual delta forward. I did some logical cleanup to squash related changes to make the changelog cleaner. No other changes and no conflicts; pretty straightforward merge.

PPA:
  https://launchpad.net/~bryce/+archive/ubuntu/apache2-merge-v2.4.54-2

Tags:
  tags/old/debian 4f279c271
  tags/new/debian 5a3995743
  tags/old/ubuntu fa6c81283
  tags/logical/2.4.53-2ubuntu1 5614257af
  tags/reconstruct/2.4.53-2ubuntu1 7fc2ac968
  tags/split/2.4.53-2ubuntu1 e86ab8d6a

Autopkgtest Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-bryce-apache2-merge-v2.4.54-2/?format=plain)
  apache2 @ amd64:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-bryce-apache2-merge-v2.4.54-2/kinetic/amd64/a/apache2/20220719_073114_e67ae@/log.gz
    19.07.22 07:31:14 ✅ Triggers: ['apache2/2.4.54-2ubuntu1']
  apache2 @ arm64:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-bryce-apache2-merge-v2.4.54-2/kinetic/arm64/a/apache2/20220719_081244_ed056@/log.gz
    19.07.22 08:12:44 ✅ Triggers: ['apache2/2.4.54-2ubuntu1']
  apache2 @ armhf:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-bryce-apache2-merge-v2.4.54-2/kinetic/armhf/a/apache2/20220719_075124_fd513@/log.gz
    19.07.22 07:51:24 ✅ Triggers: ['apache2/2.4.54-2ubuntu1']
  apache2 @ ppc64el:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-bryce-apache2-merge-v2.4.54-2/kinetic/ppc64el/a/apache2/20220719_071341_ed056@/log.gz
    19.07.22 07:13:41 ✅ Triggers: ['apache2/2.4.54-2ubuntu1']
  apache2 @ s390x:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-bryce-apache2-merge-v2.4.54-2/kinetic/s390x/a/apache2/20220719_071607_6a9be@/log.gz
    19.07.22 07:16:07 ✅ Triggers: ['apache2/2.4.54-2ubuntu1']
  Running: (none)
  Waiting: (none)

Andreas Hasenack (ahasenack) wrote :

Delta ok, debian changes in previous uploads ok, logical squashing ok, just forgot to mention d/source/include-binaries in ba53079ade0facf0fb6c46c3ddaefb1ea879e783

+1

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: bryce, ahasenack
Uploaders: bryce, ahasenack
MP auto-approved

review: Approve
04a7335... by Bryce Harrington

merge-changelogs

9a092a9... by Bryce Harrington

reconstruct-changelog

7056ded... by Bryce Harrington

update-maintainer

Bryce Harrington (bryce) wrote :

Thanks, I added the missing d/source/include-binaries.

Vcs-Git: https://git.launchpad.net/~bryce/ubuntu/+source/apache2
Vcs-Git-Commit: 7056ded95ee239394ace0bd0d5df8799d44df75d
Vcs-Git-Ref: refs/heads/merge-v2.4.54-2-kinetic

Checking signature on .changes
gpg: ../apache2_2.4.54-2ubuntu1_source.changes: Valid signature from E603B2578FB8F0FB
Checking signature on .dsc
gpg: ../apache2_2.4.54-2ubuntu1.dsc: Valid signature from E603B2578FB8F0FB
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.54-2ubuntu1.dsc: done.
  Uploading apache2_2.4.54.orig.tar.gz: done.
  Uploading apache2_2.4.54-2ubuntu1.debian.tar.xz: done.
  Uploading apache2_2.4.54-2ubuntu1_source.buildinfo: done.
  Uploading apache2_2.4.54-2ubuntu1_source.changes: done.
Successfully uploaded packages.

Bryce Harrington (bryce) wrote :

This has migrated

 apache2 | 2.4.52-1ubuntu4 | jammy
 apache2 | 2.4.52-1ubuntu4.1 | jammy-security
 apache2 | 2.4.52-1ubuntu4.1 | jammy-updates
 apache2 | 2.4.54-2ubuntu1 | kinetic

Preview Diff

diff --git a/debian/apache2-bin.install b/debian/apache2-bin.install
index 63c573f..3d1bdf1 100644
--- a/debian/apache2-bin.install
+++ b/debian/apache2-bin.install
@@ -1,2 +1,3 @@
1/usr/lib/apache2/modules/1/usr/lib/apache2/modules/
2/usr/sbin/apache22/usr/sbin/apache2
3debian/apache2.py usr/share/apport/package-hooks
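Review bot: the hook added on line 3 is shipped by apache2-bin but is named apache2.py, and apport looks up package hooks by binary package name (<package>.py) or by source package name (source_<package>.py). Since /usr/sbin/apache2 is installed by apache2-bin as well (line 2), crash reports for the daemon are attributed to apache2-bin and would not pick up a hook called apache2.py. Consider installing it as source_apache2.py, or state that it is meant only for reports filed against the apache2 package.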
diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile
3new file mode 1006444new file mode 100644
index 0000000..974a655
--- /dev/null
+++ b/debian/apache2-utils.ufw.profile
@@ -0,0 +1,14 @@
1[Apache]
2title=Web Server
3description=Apache v2 is the next generation of the omnipresent Apache web server.
4ports=80/tcp
5
6[Apache Secure]
7title=Web Server (HTTPS)
8description=Apache v2 is the next generation of the omnipresent Apache web server.
9ports=443/tcp
10
11[Apache Full]
12title=Web Server (HTTP,HTTPS)
13description=Apache v2 is the next generation of the omnipresent Apache web server.
14ports=80,443/tcp
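Review bot: all three sections (lines 3, 8 and 13) carry the same description, so that field does not tell the profiles apart and only the title does. Suggest descriptions that say what each profile opens (HTTP only, HTTPS only, or both), so the difference between [Apache], [Apache Secure] and [Apache Full] is clear without reading the ports line.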
diff --git a/debian/apache2.dirs b/debian/apache2.dirs
index 6089013..1aa6d3c 100644
--- a/debian/apache2.dirs
+++ b/debian/apache2.dirs
@@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk
10var/lib/apache210var/lib/apache2
11var/log/apache211var/log/apache2
12var/www/html12var/www/html
13/etc/ufw/applications.d/apache2
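Review bot: the new entry on line 13 has a leading slash where the neighbouring entries are relative paths, and it creates a directory /etc/ufw/applications.d/apache2 that nothing visible in this diff populates, because debian/apache2.install places apache2-utils.ufw.profile directly in /etc/ufw/applications.d/. Either drop the entry (dh_install creates the destination directory itself) or, if the directory is intended, write it as etc/ufw/applications.d/apache2 and say what uses it.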
diff --git a/debian/apache2.install b/debian/apache2.install
index b6ad789..92865fc 100644
--- a/debian/apache2.install
+++ b/debian/apache2.install
@@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2
8debian/config-dir/envvars /etc/apache28debian/config-dir/envvars /etc/apache2
9debian/config-dir/magic /etc/apache29debian/config-dir/magic /etc/apache2
10debian/debhelper/apache2-maintscript-helper /usr/share/apache2/10debian/debhelper/apache2-maintscript-helper /usr/share/apache2/
11debian/apache2-utils.ufw.profile /etc/ufw/applications.d/
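Review bot: line 11 installs a file named apache2-utils.ufw.profile through debian/apache2.install, so the profile ships in the apache2 package under a name that points at apache2-utils, and it lands in /etc/ufw/applications.d/ with the .ufw.profile suffix still attached. Renaming the source file to match the owning package, and updating the changelog item with it, would make the ownership obvious to anyone tracing the conffile.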
diff --git a/debian/apache2.postrm b/debian/apache2.postrm
index a68583c..4a22601 100644
--- a/debian/apache2.postrm
+++ b/debian/apache2.postrm
@@ -33,6 +33,8 @@ is_default_index_html () {
33 776221a94e5a174dc2396c0f3f6b6a7433 776221a94e5a174dc2396c0f3f6b6a74
34 c481228d439cbb54bdcedbaec5bbb11a34 c481228d439cbb54bdcedbaec5bbb11a
35 e2620d4a5a0f8d80dd4b16de59af981f35 e2620d4a5a0f8d80dd4b16de59af981f
36 3526531ccd6c6a1d2340574a305a18f8
37 720999b43a3be0674180354ac41f20b1
36 EOF38 EOF
37}39}
3840
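Review bot: the two sums added at lines 36 and 37 of is_default_index_html give no indication of which index.html revision each belongs to, and this diff also carries a modified debian/index.html (+51/-56 against Debian). Please confirm that the md5sum of the index.html shipped by 2.4.54-2ubuntu1 is in this list, otherwise the check will not recognise an unmodified default page from this upload. Recording the package version for each sum in the changelog would make that auditable.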
diff --git a/debian/apache2.py b/debian/apache2.py
39new file mode 10064441new file mode 100644
index 0000000..a9fb9d8
--- /dev/null
+++ b/debian/apache2.py
@@ -0,0 +1,48 @@
1#!/usr/bin/python
2
3'''apport hook for apache2
4
5(c) 2010 Adam Sommer.
6Author: Adam Sommer <asommer@ubuntu.com>
7
8This program is free software; you can redistribute it and/or modify it
9under the terms of the GNU General Public License as published by the
10Free Software Foundation; either version 2 of the License, or (at your
11option) any later version. See http://www.gnu.org/copyleft/gpl.html for
12the full text of the license.
13'''
14
15from apport.hookutils import *
16import os
17
18SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/'
19
20def add_info(report, ui):
21 if os.path.isdir(SITES_ENABLED_DIR):
22 response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory "
23 "may help developers diagnose your bug more "
24 "quickly. However, it may contain sensitive "
25 "information. Do you want to include it in your "
26 "bug report?")
27
28 if response == None: # user cancelled
29 raise StopIteration
30
31 elif response == True:
32 # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d
33 for conf_file in os.listdir(SITES_ENABLED_DIR):
34 attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file)
35
36 try:
37 report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d'))
38 except OSError:
39 report['Apache2ConfdDirListing'] = str(False)
40
41 # Attach default config files if changed.
42 attach_conffiles(report, 'apache2', conffiles=None)
43
44 # Attach the error.log file.
45 attach_file(report, '/var/log/apache2/error.log', key='error.log')
46
47 # Get loaded modules.
48 report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES'])
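Review bot: the consent prompt at lines 22 to 26 names only sites-enabled as possibly sensitive, yet the hook also attaches modified conffiles (line 42), /var/log/apache2/error.log (line 45) and a conf.d listing (line 37), and error.log routinely holds client addresses and filesystem paths. The prompt should cover everything that gets attached, or the log and conffile attachments should be gated on the same answer. Smaller points: line 1 uses #!/usr/bin/python, line 28 compares with == None rather than is None, line 29 signals cancellation with raise StopIteration, and line 48 passes '-D DUMP_MODULES' as a single argument where ['-D', 'DUMP_MODULES'] is the usual form.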
diff --git a/debian/changelog b/debian/changelog
index 03aeebd..dfa196a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
1apache2 (2.4.54-2ubuntu1) kinetic; urgency=medium
2
3 * Merge with Debian unstable (LP: #1982048). Remaining changes:
4 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
5 d/source/include-binaries: Replace Debian with Ubuntu on default
6 homepage.
7 (LP #1966004)
8 - d/apache2.py, d/apache2-bin.install: Add apport hook
9 (LP #609177)
10 - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
11 d/apache2.dirs: Add ufw profiles
12 (LP #261198)
13
14 -- Bryce Harrington <bryce@canonical.com> Thu, 21 Jul 2022 19:38:00 +0000
15
1apache2 (2.4.54-2) unstable; urgency=medium16apache2 (2.4.54-2) unstable; urgency=medium
217
3 * Move cgid socket into a writeable directory (Closes: #1014056)18 * Move cgid socket into a writeable directory (Closes: #1014056)
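Review bot: the squashed index.html item at lines 4 to 7 cites only LP #1966004, whereas the 2.4.53-2ubuntu1 entry further down tracked the Debian to Ubuntu replacement under LP 1288690, used 1966004 for the page refresh, and listed the apache2.postrm md5 update as its own item. Keeping both bug numbers on the squashed item, plus a word on the md5 sums, would preserve the trail that the separate items gave.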
@@ -24,6 +39,48 @@ apache2 (2.4.54-1) unstable; urgency=medium
2439
25 -- Yadd <yadd@debian.org> Thu, 09 Jun 2022 06:33:53 +020040 -- Yadd <yadd@debian.org> Thu, 09 Jun 2022 06:33:53 +0200
2641
42apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium
43
44 * Merge with Debian unstable (LP: #1971248). Remaining changes:
45 - debian/{control, apache2.install, apache2-utils.ufw.profile,
46 apache2.dirs}: Add ufw profiles.
47 (LP 261198)
48 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
49 (LP 609177)
50 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
51 d/s/include-binaries: replace Debian with Ubuntu on default
52 page and add Ubuntu icon file.
53 (LP 1288690)
54 - d/index.html, d/icons/ubuntu-logo.png: Refresh page design and
55 new logo
56 (LP 1966004)
57 - d/apache2.postrm: Include md5 sum for updated index.html
58 * Dropped:
59 - OOB read in mod_lua via crafted request body
60 + d/p/CVE-2022-22719.patch: error out if lua_read_body() or
61 lua_write_body() fail in modules/lua/lua_request.c.
62 [Fixed in 2.4.53 upstream]
63 - HTTP Request Smuggling via error discarding the
64 request body
65 + d/p/CVE-2022-22720.patch: simpler connection close logic
66 if discarding the request body fails in modules/http/http_filters.c,
67 server/protocol.c.
68 [Fixed in 2.4.53 upstream]
69 - overflow via large LimitXMLRequestBody
70 + d/p/CVE-2022-22721.patch: make sure and check that
71 LimitXMLRequestBody fits in system memory in server/core.c,
72 server/util.c, server/util_xml.c.
73 [Fixed in 2.4.53 upstream]
74 - out-of-bounds write in mod_sed
75 + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger
76 buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
77 modules/filters/mod_sed.c, modules/filters/sed1.c.
78 + d/p/CVE-2022-23943-2.patch: improve the logic flow in
79 modules/filters/mod_sed.c.
80 [Fixed in 2.4.53 upstream]
81
82 -- Bryce Harrington <bryce@canonical.com> Mon, 23 May 2022 19:34:18 -0700
83
27apache2 (2.4.53-2) unstable; urgency=medium84apache2 (2.4.53-2) unstable; urgency=medium
2885
29 * Clean useless Conflicts/Replace86 * Clean useless Conflicts/Replace
@@ -59,6 +116,79 @@ apache2 (2.4.52-2) experimental; urgency=medium
59116
60 -- Yadd <yadd@debian.org> Tue, 28 Dec 2021 20:01:43 +0100117 -- Yadd <yadd@debian.org> Tue, 28 Dec 2021 20:01:43 +0100
61118
119apache2 (2.4.52-1ubuntu4) jammy; urgency=medium
120
121 * d/apache2.postrm: Include md5 sum for updated index.html
122
123 -- Bryce Harrington <bryce@canonical.com> Thu, 24 Mar 2022 17:35:40 -0700
124
125apache2 (2.4.52-1ubuntu3) jammy; urgency=medium
126
127 * d/index.html:
128 - Redesign page's heading for the new logo
129 - Use the Ubuntu font where available
130 - Update service management directions
131 - Copyedit grammar
132 - Light reformatting and whitespace cleanup
133 * d/icons/ubuntu-logo.png: Refresh ubuntu logo
134 (LP: #1966004)
135
136 -- Bryce Harrington <bryce@canonical.com> Wed, 23 Mar 2022 16:18:11 -0700
137
138apache2 (2.4.52-1ubuntu2) jammy; urgency=medium
139
140 * SECURITY UPDATE: OOB read in mod_lua via crafted request body
141 - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
142 lua_write_body() fail in modules/lua/lua_request.c.
143 - CVE-2022-22719
144 * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
145 request body
146 - debian/patches/CVE-2022-22720.patch: simpler connection close logic
147 if discarding the request body fails in modules/http/http_filters.c,
148 server/protocol.c.
149 - CVE-2022-22720
150 * SECURITY UPDATE: overflow via large LimitXMLRequestBody
151 - debian/patches/CVE-2022-22721.patch: make sure and check that
152 LimitXMLRequestBody fits in system memory in server/core.c,
153 server/util.c, server/util_xml.c.
154 - CVE-2022-22721
155 * SECURITY UPDATE: out-of-bounds write in mod_sed
156 - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
157 buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
158 modules/filters/mod_sed.c, modules/filters/sed1.c.
159 - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
160 modules/filters/mod_sed.c.
161 - CVE-2022-23943
162
163 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Mar 2022 09:39:54 -0400
164
165apache2 (2.4.52-1ubuntu1) jammy; urgency=medium
166
167 * Merge with Debian unstable (LP: #1959924). Remaining changes:
168 - debian/{control, apache2.install, apache2-utils.ufw.profile,
169 apache2.dirs}: Add ufw profiles.
170 (LP 261198)
171 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
172 (LP 609177)
173 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
174 d/s/include-binaries: replace Debian with Ubuntu on default
175 page and add Ubuntu icon file.
176 (LP 1288690)
177 * Dropped:
178 - d/p/support-openssl3-*.patch: Backport various patches from
179 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
180 failure to load when using OpenSSL 3.
181 (LP #1951476)
182 [Included in upstream release 2.4.52]
183 - d/apache2ctl: Also use systemd for graceful if it is in use.
184 (LP 1832182)
185 [This introduced a performance regression.]
186 - d/apache2ctl: Also use /run/systemd to check for systemd usage.
187 (LP 1918209)
188 [Not needed]
189
190 -- Bryce Harrington <bryce@canonical.com> Thu, 03 Feb 2022 10:25:47 -0800
191
62apache2 (2.4.52-1) unstable; urgency=medium192apache2 (2.4.52-1) unstable; urgency=medium
63193
64 * Refresh suexec-custom.patch194 * Refresh suexec-custom.patch
@@ -69,6 +199,60 @@ apache2 (2.4.52-1) unstable; urgency=medium
69199
70 -- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +0100200 -- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +0100
71201
202apache2 (2.4.51-2ubuntu1) jammy; urgency=medium
203
204 * Merge with Debian unstable. Remaining changes:
205 - debian/{control, apache2.install, apache2-utils.ufw.profile,
206 apache2.dirs}: Add ufw profiles.
207 (LP 261198)
208 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
209 (LP 609177)
210 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
211 d/s/include-binaries: replace Debian with Ubuntu on default
212 page and add Ubuntu icon file.
213 (LP 1288690)
214 - d/p/support-openssl3-*.patch: Backport various patches from
215 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
216 failure to load when using OpenSSL 3.
217 (LP #1951476)
218 * Dropped:
219 - d/apache2ctl: Also use systemd for graceful if it is in use.
220 (LP: 1832182)
221 [This introduced a performance regression.]
222 - d/apache2ctl: Also use /run/systemd to check for systemd usage.
223 (LP 1918209)
224 [Not needed]
225 - debian/patches/CVE-2021-33193.patch: refactor request parsing in
226 include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
227 include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
228 server/core_filters.c, server/protocol.c, server/vhost.c.
229 [Fixed in 2.4.48-4]
230 - debian/patches/CVE-2021-34798.patch: add NULL check in
231 server/scoreboard.c.
232 [Fixed in 2.4.49-1]
233 - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
234 generic worker in modules/proxy/mod_proxy_uwsgi.c.
235 [Fixed in 2.4.49-1]
236 - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
237 substitution logic in server/util.c.
238 [Fixed in 2.4.49-1]
239 - arbitrary origin server via crafted request uri-path
240 + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
241 parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
242 modules/proxy/proxy_util.c.
243 + debian/patches/CVE-2021-40438.patch: add sanity checks on the
244 configured UDS path in modules/proxy/proxy_util.c.
245 [Fixed in 2.4.49-3]
246 - SECURITY REGRESSION: Issues in UDS URIs. (LP #1945311)
247 + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
248 rules in modules/mappers/mod_rewrite.c.
249 + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
250 hostname in modules/mappers/mod_rewrite.c,
251 modules/proxy/proxy_util.c.
252 [Fixed in 2.4.49-3]
253
254 -- Bryce Harrington <bryce@canonical.com> Thu, 16 Dec 2021 14:09:26 -0800
255
72apache2 (2.4.51-2) unstable; urgency=medium256apache2 (2.4.51-2) unstable; urgency=medium
73257
74 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting258 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting
@@ -134,6 +318,74 @@ apache2 (2.4.48-4) unstable; urgency=medium
134318
135 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200319 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200
136320
321apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium
322
323 * d/p/support-openssl3-*.patch: Backport various patches from
324 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
325 failure to load when using OpenSSL 3. (LP: #1951476)
326
327 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 26 Nov 2021 16:07:56 -0500
328
329apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
330
331 * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
332 - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
333 rules in modules/mappers/mod_rewrite.c.
334 - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
335 hostname in modules/mappers/mod_rewrite.c,
336 modules/proxy/proxy_util.c.
337
338 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Sep 2021 08:52:26 -0400
339
340apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium
341
342 * SECURITY UPDATE: request splitting over HTTP/2
343 - debian/patches/CVE-2021-33193.patch: refactor request parsing in
344 include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
345 include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
346 server/core_filters.c, server/protocol.c, server/vhost.c.
347 - CVE-2021-33193
348 * SECURITY UPDATE: NULL deref via malformed requests
349 - debian/patches/CVE-2021-34798.patch: add NULL check in
350 server/scoreboard.c.
351 - CVE-2021-34798
352 * SECURITY UPDATE: DoS in mod_proxy_uwsgi
353 - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
354 generic worker in modules/proxy/mod_proxy_uwsgi.c.
355 - CVE-2021-36160
356 * SECURITY UPDATE: buffer overflow in ap_escape_quotes
357 - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
358 substitution logic in server/util.c.
359 - CVE-2021-39275
360 * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
361 - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
362 parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
363 modules/proxy/proxy_util.c.
364 - debian/patches/CVE-2021-40438.patch: add sanity checks on the
365 configured UDS path in modules/proxy/proxy_util.c.
366 - CVE-2021-40438
367
368 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Sep 2021 12:51:16 -0400
369
370apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium
371
372 * Merge with Debian unstable. Remaining changes:
373 - debian/{control, apache2.install, apache2-utils.ufw.profile,
374 apache2.dirs}: Add ufw profiles. (LP 261198)
375 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
376 (LP 609177)
377 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
378 d/s/include-binaries: replace Debian with Ubuntu on default
379 page and add Ubuntu icon file. (LP 1288690)
380 - d/apache2ctl: Also use systemd for graceful if it is in use.
381 This extends an earlier fix for the start command to behave
382 similarly for restart / graceful. Fixes service failures on
383 unattended upgrade. (LP 1832182)
384 - d/apache2ctl: Also use /run/systemd to check for systemd usage
385 (LP 1918209)
386
387 -- Bryce Harrington <bryce@canonical.com> Wed, 11 Aug 2021 20:03:24 -0700
388
137apache2 (2.4.48-3.1) unstable; urgency=medium389apache2 (2.4.48-3.1) unstable; urgency=medium
138390
139 * Non-maintainer upload.391 * Non-maintainer upload.
@@ -142,6 +394,46 @@ apache2 (2.4.48-3.1) unstable; urgency=medium
142394
143 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200395 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200
144396
397apache2 (2.4.48-3ubuntu1) impish; urgency=medium
398
399 * Merge with Debian unstable. Remaining changes:
400 - debian/{control, apache2.install, apache2-utils.ufw.profile,
401 apache2.dirs}: Add ufw profiles. (LP: 261198)
402 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
403 (LP: 609177)
404 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
405 d/s/include-binaries: replace Debian with Ubuntu on default
406 page and add Ubuntu icon file. (LP: 1288690)
407 - d/apache2ctl: Also use systemd for graceful if it is in use.
408 This extends an earlier fix for the start command to behave
409 similarly for restart / graceful. Fixes service failures on
410 unattended upgrade. (LP: 1832182)
411 - d/apache2ctl: Also use /run/systemd to check for systemd usage
412 (LP: 1918209)
413 * Dropped:
414 - d/t/control, d/t/check-http2: add basic test for http2 support
415 [Fixed in 2.4.48-2]
416 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
417 [Fixed in 2.4.48-1]
418 - d/p/CVE-2020-13950.patch: don't dereference NULL proxy
419 connection in modules/proxy/mod_proxy_http.c.
420 [Fixed in 2.4.48 upstream]
421 - d/p/CVE-2020-35452.patch: fast validation of the nonce's
422 base64 to fail early if the format can't match anyway in
423 modules/aaa/mod_auth_digest.c.
424 [Fixed in 2.4.48 upstream]
425 - d/p/CVE-2021-26690.patch: save one apr_strtok() in
426 session_identity_decode() in modules/session/mod_session.c.
427 [Fixed in 2.4.48 upstream]
428 - d/p/CVE-2021-26691.patch: account for the '&' in
429 identity_concat() in modules/session/mod_session.c.
430 [Fixed in 2.4.48 upstream]
431 - d/p/CVE-2021-30641.patch: change default behavior in
432 server/request.c.
433 [Fixed in 2.4.48 upstream]
434
435 -- Bryce Harrington <bryce@canonical.com> Thu, 08 Jul 2021 03:20:46 +0000
436
145apache2 (2.4.48-3) unstable; urgency=medium437apache2 (2.4.48-3) unstable; urgency=medium
146438
147 * Fix debian/changelog439 * Fix debian/changelog
@@ -198,6 +490,65 @@ apache2 (2.4.46-5) unstable; urgency=medium
198490
199 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200491 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200
200492
493apache2 (2.4.46-4ubuntu3) impish; urgency=medium
494
495 * No-change rebuild due to OpenLDAP soname bump.
496
497 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 17:43:48 -0400
498
499apache2 (2.4.46-4ubuntu2) impish; urgency=medium
500
501 * SECURITY UPDATE: mod_proxy_http denial of service.
502 - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
503 connection in modules/proxy/mod_proxy_http.c.
504 - CVE-2020-13950
505 * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
506 - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
507 base64 to fail early if the format can't match anyway in
508 modules/aaa/mod_auth_digest.c.
509 - CVE-2020-35452
510 * SECURITY UPDATE: DoS via cookie header in mod_session
511 - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
512 session_identity_decode() in modules/session/mod_session.c.
513 - CVE-2021-26690
514 * SECURITY UPDATE: heap overflow via SessionHeader
515 - debian/patches/CVE-2021-26691.patch: account for the '&' in
516 identity_concat() in modules/session/mod_session.c.
517 - CVE-2021-26691
518 * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
519 - debian/patches/CVE-2021-30641.patch: change default behavior in
520 server/request.c.
521 - CVE-2021-30641
522
523 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Jun 2021 13:09:41 -0400
524
525apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium
526
527 * Merge with Debian unstable, to allow moving from lua5.2 to
528 lua5.3 (LP: #1910372). Remaining changes:
529 - debian/{control, apache2.install, apache2-utils.ufw.profile,
530 apache2.dirs}: Add ufw profiles.
531 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
532 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
533 Debian with Ubuntu on default page.
534 + d/source/include-binaries: add Ubuntu icon file
535 - d/t/control, d/t/check-http2: add basic test for http2 support
536 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
537 issue reading error log too quickly after request, by adding a sleep.
538 (LP #1890302)
539 - d/apache2ctl: Also use systemd for graceful if it is in use.
540 This extends an earlier fix for the start command to behave
541 similarly for restart / graceful. Fixes service failures on
542 unattended upgrade.
543 * Drop:
544 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
545 was re-added by mistake in 2.4.41-1 (Closes #921024)
546 [Included in Debian 2.4.46-3]
547 * d/apache2ctl: Also use /run/systemd to check for systemd usage
548 (LP: #1918209)
549
550 -- Bryce Harrington <bryce@canonical.com> Tue, 09 Mar 2021 00:45:35 +0000
551
201apache2 (2.4.46-4) unstable; urgency=medium552apache2 (2.4.46-4) unstable; urgency=medium
202553
203 * Ignore other random another test failures (Closes: #979664)554 * Ignore other random another test failures (Closes: #979664)
@@ -215,6 +566,28 @@ apache2 (2.4.46-3) unstable; urgency=medium
215566
216 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100567 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100
217568
569apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium
570
571 * Merge with Debian unstable. Remaining changes:
572 - debian/{control, apache2.install, apache2-utils.ufw.profile,
573 apache2.dirs}: Add ufw profiles.
574 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
575 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
576 Debian with Ubuntu on default page.
577 + d/source/include-binaries: add Ubuntu icon file
578 - d/t/control, d/t/check-http2: add basic test for http2 support
579 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
580 was re-added by mistake in 2.4.41-1 (Closes #921024)
581 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
582 issue reading error log too quickly after request, by adding a sleep.
583 (LP #1890302)
584 - d/apache2ctl: Also use systemd for graceful if it is in use.
585 This extends an earlier fix for the start command to behave
586 similarly for restart / graceful. Fixes service failures on
587 unattended upgrade.
588
589 -- Paride Legovini <paride.legovini@canonical.com> Mon, 14 Dec 2020 18:12:15 +0100
590
218apache2 (2.4.46-2) unstable; urgency=medium591apache2 (2.4.46-2) unstable; urgency=medium
219592
220 [ Jean-Michel Vourgère ]593 [ Jean-Michel Vourgère ]
@@ -236,6 +609,39 @@ apache2 (2.4.46-2) unstable; urgency=medium
236609
237 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100610 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100
238611
612apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium
613
614 * d/apache2ctl: Also use systemd for graceful if it is in use.
615 (LP: #1832182)
616 - This extends an earlier fix for the start command to behave
617 similarly for restart / graceful. Fixes service failures on
618 unattended upgrade.
619
620 -- Bryce Harrington <bryce@canonical.com> Mon, 05 Oct 2020 16:06:32 -0700
621
622apache2 (2.4.46-1ubuntu1) groovy; urgency=medium
623
624 * Merge with Debian unstable. Remaining changes:
625 - debian/{control, apache2.install, apache2-utils.ufw.profile,
626 apache2.dirs}: Add ufw profiles.
627 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
628 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
629 Debian with Ubuntu on default page.
630 + d/source/include-binaries: add Ubuntu icon file
631 - d/t/control, d/t/check-http2: add basic test for http2 support
632 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
633 was re-added by mistake in 2.4.41-1 (Closes #921024)
634 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
635 issue reading error log too quickly after request, by adding a sleep.
636 (LP #1890302)
637 * Dropped:
638 - debian/patches/086_svn_cross_compiles: Backport several cross
639 fixes from upstream
640 [Unclear if it's still necessary, and upstream hasn't made a
641 release with it yet]
642
643 -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Aug 2020 09:13:38 -0300
644
239apache2 (2.4.46-1) unstable; urgency=medium645apache2 (2.4.46-1) unstable; urgency=medium
240646
241 [ Xavier Guimard ]647 [ Xavier Guimard ]
@@ -252,6 +658,39 @@ apache2 (2.4.46-1) unstable; urgency=medium
252658
253 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200659 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200
254660
661apache2 (2.4.43-1ubuntu2) groovy; urgency=medium
662
663 * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
664 issue reading error log too quickly after request, by adding a sleep.
665 (LP: #1890302)
666
667 -- Bryce Harrington <bryce@canonical.com> Wed, 05 Aug 2020 12:44:59 -0700
668
669apache2 (2.4.43-1ubuntu1) groovy; urgency=medium
670
671 * Merge with Debian unstable. Remaining changes:
672 - debian/{control, apache2.install, apache2-utils.ufw.profile,
673 apache2.dirs}: Add ufw profiles.
674 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
675 - debian/patches/086_svn_cross_compiles: Backport several cross
676 fixes from upstream
677 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
678 Debian with Ubuntu on default page.
679 + d/source/include-binaries: add Ubuntu icon file
680 - d/t/control, d/t/check-http2: add basic test for http2 support
681 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
682 was re-added by mistake in 2.4.41-1 (Closes #921024)
683 * Dropped:
684 - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
685 parameter to mod_proxy_ajp (LP #1865340)
686 [Fixed upstream]
687 - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
688 mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
689 Closes #955348, LP #1872478
690 [In 2.4.43-1]
691
692 -- Andreas Hasenack <andreas@canonical.com> Tue, 21 Jul 2020 10:22:42 -0300
693
255apache2 (2.4.43-1) unstable; urgency=medium694apache2 (2.4.43-1) unstable; urgency=medium
256695
257 [ Timo Aaltonen ]696 [ Timo Aaltonen ]
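Review bot: In the 2.4.43-1ubuntu1 "Dropped" list, the mod_proxy_ajp "secret" parameter patches carry only "[Fixed upstream]", while the TLS 1.3 client cert patches directly below say "[In 2.4.43-1]". Suggest naming the version for the mod_proxy_ajp item as well, so someone deciding whether an older series still needs the patch can tell from the changelog alone.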
@@ -279,6 +718,39 @@ apache2 (2.4.41-5) unstable; urgency=medium
279718
280 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100719 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100
281720
721apache2 (2.4.41-4ubuntu3) focal; urgency=medium
722
723 [ Timo Aaltonen ]
724 * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
725 mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
726 Closes: #955348, LP: #1872478
727
728 -- Andreas Hasenack <andreas@canonical.com> Mon, 13 Apr 2020 14:19:17 -0300
729
730apache2 (2.4.41-4ubuntu2) focal; urgency=medium
731
732 * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
733 parameter to mod_proxy_ajp (LP: #1865340)
734
735 -- Andreas Hasenack <andreas@canonical.com> Thu, 05 Mar 2020 15:51:00 -0300
736
737apache2 (2.4.41-4ubuntu1) focal; urgency=medium
738
739 * Merge with Debian unstable. Remaining changes:
740 - debian/{control, apache2.install, apache2-utils.ufw.profile,
741 apache2.dirs}: Add ufw profiles.
742 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
743 - debian/patches/086_svn_cross_compiles: Backport several cross
744 fixes from upstream
745 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
746 Debian with Ubuntu on default page.
747 + d/source/include-binaries: add Ubuntu icon file
748 - d/t/control, d/t/check-http2: add basic test for http2 support
749 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
750 was re-added by mistake in 2.4.41-1 (Closes #921024)
751
752 -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 10:36:13 -0300
753
282apache2 (2.4.41-4) unstable; urgency=medium754apache2 (2.4.41-4) unstable; urgency=medium
283755
284 * Add gcc in chroot autopkgtest (fixes debci)756 * Add gcc in chroot autopkgtest (fixes debci)
@@ -303,6 +775,41 @@ apache2 (2.4.41-2) unstable; urgency=medium
303775
304 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100776 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100
305777
778apache2 (2.4.41-1ubuntu1) eoan; urgency=medium
779
780 * Merge with Debian unstable. Remaining changes:
781 - debian/{control, apache2.install, apache2-utils.ufw.profile,
782 apache2.dirs}: Add ufw profiles.
783 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
784 - debian/patches/086_svn_cross_compiles: Backport several cross
785 fixes from upstream
786 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
787 Debian with Ubuntu on default page.
788 + d/source/include-binaries: add Ubuntu icon file
789 - d/t/control, d/t/check-http2: add basic test for http2 support
790 * Dropped:
791 - Cherrypick upstream testsuite fix:
792 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
793 as such).
794 + Similarly use TLSv1.2 for pr12355 and pr43738.
795 [Test suite updated in 2.4.41-1]
796 - Cherrypick upstream test suite fix for buffer.
797 [Included in 2.4.41-1]
798 - d/p/spelling-errors.patch: removed hunks already fixed upstream
799 [Included in 2.4.39-1]
800 - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
801 + d/p/CVE-2019-0196.patch
802 + d/p/CVE-2019-0211.patch
803 + d/p/CVE-2019-0215.patch
804 + d/p/CVE-2019-0217.patch
805 + d/p/CVE-2019-0220-*.patch
806 + d/p/CVE-2019-0197.patch
807 * Added:
808 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
809 was re-added by mistake in 2.4.41-1 (Closes: #921024)
810
811 -- Andreas Hasenack <andreas@canonical.com> Wed, 14 Aug 2019 11:36:32 -0300
812
306apache2 (2.4.41-1) unstable; urgency=medium813apache2 (2.4.41-1) unstable; urgency=medium
307814
308 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,815 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,
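Review bot: The six d/p/CVE-2019-*.patch files under "Dropped from Ubuntu delta now" in 2.4.41-1ubuntu1 are already listed under "Dropped patches (fixed upstream)" in 2.4.39-0ubuntu1 further down, so the changelog records the same drop in two consecutive Ubuntu uploads. Suggest keeping the drop in one entry only, so a reader tracing when these fixes moved from patches into the upstream source gets a single answer.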
@@ -335,6 +842,62 @@ apache2 (2.4.39-1) unstable; urgency=medium
335842
336 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200843 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200
337844
845apache2 (2.4.39-0ubuntu1) eoan; urgency=medium
846
847 * New upstream version: 2.4.39
848 * d/p/spelling-errors.patch: removed hunks already fixed upstream
849 * Remaining changes:
850 - Cherrypick upstream test suite fix for buffer.
851 - Cherrypick upstream testsuite fix:
852 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
853 as such).
854 - Similarly use TLSv1.2 for pr12355 and pr43738.
855 - debian/{control, apache2.install, apache2-utils.ufw.profile,
856 apache2.dirs}: Add ufw profiles.
857 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
858 - debian/patches/086_svn_cross_compiles: Backport several cross
859 fixes from upstream
860 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
861 Debian with Ubuntu on default page.
862 + d/source/include-binaries: add Ubuntu icon file
863 - d/t/control, d/t/check-http2: add basic test for http2 support
864 * Dropped patches (fixed upstream):
865 - d/p/CVE-2019-0196.patch
866 - d/p/CVE-2019-0211.patch
867 - d/p/CVE-2019-0215.patch
868 - d/p/CVE-2019-0217.patch
869 - d/p/CVE-2019-0220-*.patch
870 - d/p/CVE-2019-0197.patch
871
872 -- Andreas Hasenack <andreas@canonical.com> Mon, 05 Aug 2019 18:09:08 -0300
873
874apache2 (2.4.38-3ubuntu2) eoan; urgency=medium
875
876 * Cherrypick upstream test suite fix for buffer.
877
878 -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 13 Jun 2019 11:08:24 +0100
879
880apache2 (2.4.38-3ubuntu1) eoan; urgency=low
881
882 * Merge from Debian unstable. Remaining changes:
883 - Cherrypick upstream testsuite fix:
884 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
885 as such).
886 - Similarly use TLSv1.2 for pr12355 and pr43738.
887 - debian/{control, apache2.install, apache2-utils.ufw.profile,
888 apache2.dirs}: Add ufw profiles.
889 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
890 - debian/patches/086_svn_cross_compiles: Backport several cross
891 fixes from upstream
892 [Removed configure chunk, not needed since configure.in is being
893 patched.]
894 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
895 Debian with Ubuntu on default page.
896 + d/source/include-binaries: add Ubuntu icon file
897 - d/t/control, d/t/check-http2: add basic test for http2 support
898
899 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Jun 2019 19:17:38 +0100
900
338apache2 (2.4.38-3) unstable; urgency=high901apache2 (2.4.38-3) unstable; urgency=high
339902
340 [ Marc Deslauriers ]903 [ Marc Deslauriers ]
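Review bot: "Dropped patches (fixed upstream)" in 2.4.39-0ubuntu1 includes d/p/CVE-2019-0197.patch, but none of the Ubuntu entries shown in this diff adds that patch; the 2.4.38-2ubuntu2 security upload lists CVE-2019-0196, -0211, -0215, -0217 and -0220 only, and the 2.4.38-3ubuntu1 "Remaining changes" list carries no CVE patches at all. Suggest noting where CVE-2019-0197.patch came from, so the drop list can be checked against what was actually carried.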
@@ -372,6 +935,79 @@ apache2 (2.4.38-3) unstable; urgency=high
372935
373 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200936 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200
374937
938apache2 (2.4.38-2ubuntu3) eoan; urgency=medium
939
940 * Cherrypick upstream testsuite fix:
941 - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
942 as such).
943 * Similarly use TLSv1.2 for pr12355 and pr43738.
944
945 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 07 May 2019 10:39:47 +0100
946
947apache2 (2.4.38-2ubuntu2) disco; urgency=medium
948
949 * SECURITY UPDATE: read-after-free on a string compare in mod_http2
950 - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
951 request method in modules/http2/h2_request.c.
952 - CVE-2019-0196
953 * SECURITY UPDATE: privilege escalation from modules' scripts
954 - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
955 child to its slot number in include/scoreboard.h,
956 server/mpm/event/event.c, server/mpm/prefork/prefork.c,
957 server/mpm/worker/worker.c.
958 - CVE-2019-0211
959 * SECURITY UPDATE: mod_ssl access control bypass
960 - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
961 PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
962 - CVE-2019-0215
963 * SECURITY UPDATE: mod_auth_digest access control bypass
964 - debian/patches/CVE-2019-0217.patch: fix a race condition in
965 modules/aaa/mod_auth_digest.c.
966 - CVE-2019-0217
967 * SECURITY UPDATE: URL normalization inconsistincy
968 - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
969 the path in include/http_core.h, include/httpd.h, server/core.c,
970 server/request.c, server/util.c.
971 - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
972 in server/request.c, server/util.c.
973 - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
974 server/util.c.
975 - CVE-2019-0220
976
977 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Apr 2019 14:31:46 -0400
978
979apache2 (2.4.38-2ubuntu1) disco; urgency=medium
980
981 * Merge with Debian unstable. Remaining changes:
982 - debian/{control, apache2.install, apache2-utils.ufw.profile,
983 apache2.dirs}: Add ufw profiles.
984 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
985 - debian/patches/086_svn_cross_compiles: Backport several cross
986 fixes from upstream
987 [Removed configure chunk, not needed since configure.in is being
988 patched.]
989 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
990 Debian with Ubuntu on default page.
991 + d/source/include-binaries: add Ubuntu icon file
992 - d/t/control, d/t/check-http2: add basic test for http2 support
993 * Dropped:
994 - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
995 libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
996 cannot be coinstalled with libcurl3. That situation breaks the
997 installation of libapache2-mod-shib2. See
998 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
999 for details.
1000 [This has been resolved in Disco, where libxmltooling8 is built with
1001 openssl 1.1]
1002 - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
1003 + debian/patches/CVE-2018-11763.patch: rework connection IO event
1004 handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
1005 modules/http2/h2_version.h.
1006 - CVE-2018-11763
1007 [Fixed in 2.4.35]
1008
1009 -- Andreas Hasenack <andreas@canonical.com> Sun, 03 Feb 2019 14:57:13 -0200
1010
375apache2 (2.4.38-2) unstable; urgency=medium1011apache2 (2.4.38-2) unstable; urgency=medium
3761012
377 * Disable "reset" test in allowmethods.t (Closes: #921024)1013 * Disable "reset" test in allowmethods.t (Closes: #921024)
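Review bot: Two misspellings in the 2.4.38-2ubuntu2 security entry, "disentangelment" (CVE-2019-0196) and "inconsistincy" (CVE-2019-0220), mean a text search for "inconsistency" will not find the URL normalization fix. If the entry has to stay identical to the uploaded changelog, leave it; otherwise correct both words.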
@@ -454,6 +1090,37 @@ apache2 (2.4.35-1) unstable; urgency=medium
4541090
455 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +02001091 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200
4561092
1093apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium
1094
1095 * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
1096 - debian/patches/CVE-2018-11763.patch: rework connection IO event
1097 handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
1098 modules/http2/h2_version.h.
1099 - CVE-2018-11763
1100
1101 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Oct 2018 09:57:22 -0400
1102
1103apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium
1104
1105 * Merge with Debian unstable. Remaining changes:
1106 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1107 apache2.dirs}: Add ufw profiles.
1108 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1109 - debian/patches/086_svn_cross_compiles: Backport several cross
1110 fixes from upstream
1111 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1112 Debian with Ubuntu on default page.
1113 + d/source/include-binaries: add Ubuntu icon file
1114 - d/t/control, d/t/check-http2: add basic test for http2 support
1115 - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
1116 libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
1117 cannot be coinstalled with libcurl3. That situation breaks the
1118 installation of libapache2-mod-shib2. See
1119 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
1120 for details.
1121
1122 -- Andreas Hasenack <andreas@canonical.com> Fri, 03 Aug 2018 17:09:27 -0300
1123
457apache2 (2.4.34-1) unstable; urgency=medium1124apache2 (2.4.34-1) unstable; urgency=medium
4581125
459 [ Ondřej Surý ]1126 [ Ondřej Surý ]
@@ -472,6 +1139,87 @@ apache2 (2.4.34-1) unstable; urgency=medium
4721139
473 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +02001140 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200
4741141
1142apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium
1143
1144 * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load:
1145 re-enable proxy_uwsgi, as the uwsgi source no longer builds this module.
1146
1147 -- Andreas Hasenack <andreas@canonical.com> Thu, 28 Jun 2018 10:07:06 -0300
1148
1149apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
1150
1151 * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
1152 libapache2-mod-md until we figure out their transitions. libapache2-mod-md
1153 in particular is problematic because that makes apache2-bin pull in
1154 libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
1155 the installation of libapache2-mod-shib2. See
1156 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
1157 for details.
1158 - Don't ship md.load and remove build-requires that were added because of
1159 mod-md (see
1160 https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
1161 - Remove proxy_uwsgi.load as we are not building it for now (see
1162 https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
1163
1164 -- Andreas Hasenack <andreas@canonical.com> Thu, 17 May 2018 14:46:19 +0000
1165
1166apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
1167
1168 * Merge with Debian unstable (LP: #1770242). Remaining changes:
1169 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1170 apache2.dirs}: Add ufw profiles.
1171 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1172 - debian/patches/086_svn_cross_compiles: Backport several cross
1173 fixes from upstream
1174 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1175 Debian with Ubuntu on default page.
1176 + d/source/include-binaries: add Ubuntu icon file
1177 - d/t/control, d/t/check-http2: add basic test for http2 support
1178 * Drop:
1179 - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
1180 + debian/patches/CVE-2017-15710.patch: fix language long names
1181 detection as short name in modules/aaa/mod_authnz_ldap.c.
1182 + CVE-2017-15710
1183 - SECURITY UPDATE: incorrect <FilesMatch> matching
1184 + debian/patches/CVE-2017-15715.patch: allow to configure
1185 global/default options for regexes, like caseless matching or
1186 extended format in include/ap_regex.h, server/core.c,
1187 server/util_pcre.c.
1188 + CVE-2017-15715
1189 - SECURITY UPDATE: mod_session header manipulation
1190 + debian/patches/CVE-2018-1283.patch: strip Session header when
1191 SessionEnv is on in modules/session/mod_session.c.
1192 + CVE-2018-1283
1193 - SECURITY UPDATE: DoS via specially-crafted request
1194 + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
1195 terminated on any error, not only on buffer full in
1196 server/protocol.c.
1197 + CVE-2018-1301
1198 - SECURITY UPDATE: mod_cache_socache DoS
1199 + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
1200 to carriage return in modules/cache/mod_cache_socache.c.
1201 + CVE-2018-1303
1202 - SECURITY UPDATE: insecure nonce generation
1203 + debian/patches/CVE-2018-1312.patch: actually use the secret when
1204 generating nonces in modules/aaa/mod_auth_digest.c.
1205 + CVE-2018-1312
1206 - Correct systemd-sysv-generator behavior by customizing some
1207 parameters:
1208 + d/apache2-systemd.conf: add a drop-in file to specify some
1209 parameters for the systemd unit (type=Forking and
1210 RemainsAfterExit=no), this allow a correct state synchronisation
1211 between systemctl status and actual state of apache2 daemon.
1212 + d/apache2.install: place the apache2-systemd.conf file in the
1213 correct location.
1214 [type=Forking already in the base systemd service file, and
1215 RemainsAfterExit=no is the default value, so no need to
1216 customize these anymore.]
1217 - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
1218 + added debian/patches/util_ldap_cache_lock_fix.patch
1219 [Already applied upstream]
1220
1221 -- Andreas Hasenack <andreas@canonical.com> Tue, 15 May 2018 11:03:34 -0300
1222
475apache2 (2.4.33-3) unstable; urgency=medium1223apache2 (2.4.33-3) unstable; urgency=medium
4761224
477 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.1225 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
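Review bot: Under "Drop:" in 2.4.33-3ubuntu1, the six SECURITY UPDATE items (CVE-2017-15710, CVE-2017-15715, CVE-2018-1283, CVE-2018-1301, CVE-2018-1303, CVE-2018-1312) have no bracketed reason, while the systemd drop-in and mod_ldap locking items below them do ("[Already applied upstream]"). Suggest adding the version that contains each fix, since for security patches that line is what shows the fix was superseded and not lost in the merge.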
@@ -544,6 +1292,91 @@ apache2 (2.4.29-2) unstable; urgency=medium
5441292
545 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +00001293 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +0000
5461294
1295apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium
1296
1297 * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
1298 - debian/patches/CVE-2017-15710.patch: fix language long names
1299 detection as short name in modules/aaa/mod_authnz_ldap.c.
1300 - CVE-2017-15710
1301 * SECURITY UPDATE: incorrect <FilesMatch> matching
1302 - debian/patches/CVE-2017-15715.patch: allow to configure
1303 global/default options for regexes, like caseless matching or
1304 extended format in include/ap_regex.h, server/core.c,
1305 server/util_pcre.c.
1306 - CVE-2017-15715
1307 * SECURITY UPDATE: mod_session header manipulation
1308 - debian/patches/CVE-2018-1283.patch: strip Session header when
1309 SessionEnv is on in modules/session/mod_session.c.
1310 - CVE-2018-1283
1311 * SECURITY UPDATE: DoS via specially-crafted request
1312 - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
1313 terminated on any error, not only on buffer full in
1314 server/protocol.c.
1315 - CVE-2018-1301
1316 * SECURITY UPDATE: mod_cache_socache DoS
1317 - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
1318 to carriage return in modules/cache/mod_cache_socache.c.
1319 - CVE-2018-1303
1320 * SECURITY UPDATE: insecure nonce generation
1321 - debian/patches/CVE-2018-1312.patch: actually use the secret when
1322 generating nonces in modules/aaa/mod_auth_digest.c.
1323 - CVE-2018-1312
1324
1325 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Apr 2018 07:38:24 -0400
1326
1327apache2 (2.4.29-1ubuntu4) bionic; urgency=medium
1328
1329 * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
1330 - added debian/patches/util_ldap_cache_lock_fix.patch
1331
1332 -- Rafael David Tinoco <rafael.tinoco@canonical.com> Fri, 02 Mar 2018 02:19:31 +0000
1333
1334apache2 (2.4.29-1ubuntu3) bionic; urgency=medium
1335
1336 * Switch back to OpenSSL 1.1.
1337
1338 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 11:57:20 +0000
1339
1340apache2 (2.4.29-1ubuntu2) bionic; urgency=medium
1341
1342 * enable http2 (LP: #1687454) by stopping to disable it
1343 - debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
1344 - debian/config-dir/mods-available/http2.load: no more removed.
1345 - debian/rules: no more removed proxy_http2 from configure.
1346 * d/t/control, d/t/check-http2: add basic test for http2 support
1347
1348 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 05 Dec 2017 17:25:39 +0100
1349
1350apache2 (2.4.29-1ubuntu1) bionic; urgency=medium
1351
1352 * Merge with Debian unstable. Remaining changes:
1353 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1354 apache2.dirs}: Add ufw profiles.
1355 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1356 - debian/patches/086_svn_cross_compiles: Backport several cross
1357 fixes from upstream
1358 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1359 Debian with Ubuntu on default page.
1360 + d/source/include-binaries: add Ubuntu icon file
1361 - Correct systemd-sysv-generator behavior by customizing some
1362 parameters:
1363 + d/apache2-systemd.conf: add a drop-in file to specify some
1364 parameters for the systemd unit (type=Forking and
1365 RemainsAfterExit=no), this allow a correct state synchronisation
1366 between systemctl status and actual state of apache2 daemon.
1367 + d/apache2.install: place the apache2-systemd.conf file in the
1368 correct location.
1369 - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1370 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1371 + debian/config-dir/mods-available/http2.load: removed.
1372 + debian/rules: removed proxy_http2 from configure.
1373 * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
1374 - debian/control: switch BuildDepends to libssl1.0-dev
1375 - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
1376 - debian/rules: remove openssl virtual package and logic
1377
1378 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 10 Nov 2017 10:51:46 -0500
1379
547apache2 (2.4.29-1) unstable; urgency=medium1380apache2 (2.4.29-1) unstable; urgency=medium
5481381
549 [ Stefan Fritsch ]1382 [ Stefan Fritsch ]
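Review bot: 2.4.29-1ubuntu3 says only "Switch back to OpenSSL 1.1.", while the 2.4.29-1ubuntu1 entry that made the opposite switch itemises three changes: BuildDepends to libssl1.0-dev, removal of the Breaks on gridsite and libapache2-mod-dacs, and removal of the openssl virtual package and logic in debian/rules. Suggest listing which of those were reverted, so it is clear from the changelog whether the Breaks and the virtual package are back.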
@@ -608,6 +1441,47 @@ apache2 (2.4.27-3) experimental; urgency=medium
6081441
609 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +02001442 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +0200
6101443
1444apache2 (2.4.27-2ubuntu3) artful; urgency=medium
1445
1446 * SECURITY UPDATE: optionsbleed information leak
1447 - debian/patches/CVE-2017-9798.patch: disallow method registration
1448 at run time in server/core.c.
1449 - CVE-2017-9798
1450
1451 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Sep 2017 11:05:48 -0400
1452
1453apache2 (2.4.27-2ubuntu2) artful; urgency=medium
1454
1455 * Undrop (LP 1658469):
1456 - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1457 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1458 + debian/config-dir/mods-available/http2.load: removed.
1459 + debian/rules: removed proxy_http2 from configure.
1460
1461 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 02 Aug 2017 13:04:45 -0400
1462
1463apache2 (2.4.27-2ubuntu1) artful; urgency=medium
1464
1465 * Merge with Debian unstable (LP: #1702582). Remaining changes:
1466 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1467 apache2.dirs}: Add ufw profiles.
1468 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1469 - debian/patches/086_svn_cross_compiles: Backport several cross
1470 fixes from upstream
1471 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1472 Debian with Ubuntu on default page.
1473 + d/source/include-binaries: add Ubuntu icon file
1474 - Correct systemd-sysv-generator behavior by customizing some
1475 parameters:
1476 + d/apache2-systemd.conf: add a drop-in file to specify some
1477 parameters for the systemd unit (type=Forking and
1478 RemainsAfterExit=no), this allow a correct state synchronisation
1479 between systemctl status and actual state of apache2 daemon.
1480 + d/apache2.install: place the apache2-systemd.conf file in the
1481 correct location.
1482
1483 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 27 Jul 2017 13:38:39 -0700
1484
611apache2 (2.4.27-2) unstable; urgency=medium1485apache2 (2.4.27-2) unstable; urgency=medium
6121486
613 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more1487 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
@@ -637,6 +1511,55 @@ apache2 (2.4.25-4) unstable; urgency=high
6371511
638 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +02001512 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +0200
6391513
1514apache2 (2.4.25-3ubuntu3) artful; urgency=medium
1515
1516 * Re-Drop (LP: #1658469):
1517 - Don't build experimental http2 module for LTS:
1518 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1519 + debian/config-dir/mods-available/http2.load: removed.
1520 + debian/rules: removed proxy_http2 from configure.
1521 + debian/apache2.maintscript: remove http2 conffile.
1522
1523 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Mon, 01 May 2017 09:55:11 -0700
1524
1525apache2 (2.4.25-3ubuntu2) zesty; urgency=medium
1526 * Undrop (LP 1658469):
1527 - Don't build experimental http2 module for LTS:
1528 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1529 + debian/config-dir/mods-available/http2.load: removed.
1530 + debian/rules: removed proxy_http2 from configure.
1531 + debian/apache2.maintscript: remove http2 conffile.
1532
1533 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 10 Feb 2017 08:53:43 -0800
1534
1535apache2 (2.4.25-3ubuntu1) zesty; urgency=medium
1536
1537 * Merge from Debian unstable (LP: #1663425). Remaining changes:
1538 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1539 apache2.dirs}: Add ufw profiles.
1540 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1541 - debian/patches/086_svn_cross_compiles: Backport several cross
1542 fixes from upstream
1543 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1544 Debian with Ubuntu on default page.
1545 + d/source/include-binaries: add Ubuntu icon file
1546 - Correct systemd-sysv-generator behavior by customizing some
1547 parameters:
1548 + d/apache2-systemd.conf: add a drop-in file to specify some
1549 parameters for the systemd unit (type=Forking and
1550 RemainsAfterExit=no), this allow a correct state synchronisation
1551 between systemctl status and actual state of apache2 daemon.
1552 + d/apache2.install: place the apache2-systemd.conf file in the
1553 correct location.
1554 * Drop (LP: #1658469):
1555 - Don't build experimental http2 module for LTS:
1556 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1557 + debian/config-dir/mods-available/http2.load: removed.
1558 + debian/rules: removed proxy_http2 from configure.
1559 + debian/apache2.maintscript: remove http2 conffile.
1560
1561 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 09 Feb 2017 15:48:28 -0800
1562
640apache2 (2.4.25-3) unstable; urgency=medium1563apache2 (2.4.25-3) unstable; urgency=medium
6411564
642 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.1565 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
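Review bot: The "Re-Drop", "Undrop" and "Drop" headings in 2.4.25-3ubuntu3, 2.4.25-3ubuntu2 and 2.4.25-3ubuntu1 all apply to a delta titled "Don't build experimental http2 module for LTS", so each heading stacks a negation on a negation and the reader has to work out whether mod_http2 is built in a given upload. Suggest stating the resulting state in each entry (http2 built or not built). The 2.4.25-3ubuntu2 entry also has no blank line between its header and "* Undrop", unlike the other entries here.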
@@ -698,6 +1621,39 @@ apache2 (2.4.25-1) unstable; urgency=medium
6981621
699 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +01001622 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +0100
7001623
1624apache2 (2.4.23-8ubuntu1) zesty; urgency=medium
1625
1626 * Merge from Debian unstable (LP: #). Remaining changes:
1627 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1628 apache2.dirs}: Add ufw profiles.
1629 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1630 - debian/patches/086_svn_cross_compiles: Backport several cross
1631 fixes from upstream
1632 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
1633 d/source/include-binaries: replace Debian with Ubuntu on default
1634 page.
1635 [ include-binaries change previously undocumented ]
1636 - Don't build experimental http2 module for LTS:
1637 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1638 + debian/config-dir/mods-available/http2.load: removed.
1639 + debian/rules: removed proxy_http2 from configure.
1640 + debian/apache2.maintscript: remove http2 conffile.
1641 [ Previously undocumented ]
1642 - Correct systemd-sysv-generator behavior by customizing some
1643 parameters:
1644 + d/apache2-systemd.conf: add a drop-in file to specify some
1645 parameters for the systemd unit (type=Forking and
1646 RemainsAfterExit=no), this allow a correct state synchronisation
1647 between systemctl status and actual state of apache2 daemon.
1648 + d/apache2.install: place the apache2-systemd.conf file in the
1649 correct location.
1650 * Drop:
1651 - debian/rules: Fix cross-building by passing
1652 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1653 [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]
1654
1655 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 09 Dec 2016 11:02:38 +0100
1656
701apache2 (2.4.23-8) unstable; urgency=medium1657apache2 (2.4.23-8) unstable; urgency=medium
7021658
703 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a1659 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
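Review bot: The merge line in 2.4.23-8ubuntu1 reads "Merge from Debian unstable (LP: #)", a bug reference with no number. Suggest filling in the bug number or removing the empty "(LP: #)".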
@@ -708,6 +1664,33 @@ apache2 (2.4.23-8) unstable; urgency=medium
7081664
709 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +01001665 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100
7101666
1667apache2 (2.4.23-7ubuntu1) zesty; urgency=medium
1668
1669 * Merge from Debian unstable. Remaining changes:
1670 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1671 apache2.dirs}: Add ufw profiles.
1672 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1673 - debian/rules: Fix cross-building by passing
1674 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1675 - debian/patches/086_svn_cross_compiles: Backport several cross
1676 fixes from upstream
1677 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1678 Debian with Ubuntu on default page.
1679 - Don't build experimental http2 module for LTS:
1680 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1681 + debian/config-dir/mods-available/http2.load: removed.
1682 + debian/rules: removed proxy_http2 from configure.
1683 - Correct systemd-sysv-generator behavior by customizing some
1684 parameters:
1685 + d/apache2-systemd.conf: add a drop-in file to specify some
1686 parameters for the systemd unit (type=Forking and
1687 RemainsAfterExit=no), this allow a correct state synchronisation
1688 between systemctl status and actual state of apache2 daemon.
1689 + d/apache2.install: place the apache2-systemd.conf file in the
1690 correct location.
1691
1692 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Nov 2016 09:17:24 -0500
1693
711apache2 (2.4.23-7) unstable; urgency=medium1694apache2 (2.4.23-7) unstable; urgency=medium
7121695
713 * Make apache2-dev depend on openssl 1.0, too. Closes: #8441601696 * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
@@ -822,6 +1805,55 @@ apache2 (2.4.20-1) unstable; urgency=medium
8221805
823 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +02001806 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200
8241807
1808apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium
1809
1810 * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
1811 - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
1812 server/util_script.c.
1813 - CVE-2016-5387
1814
1815 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Jul 2016 14:32:02 -0400
1816
1817apache2 (2.4.18-2ubuntu3) xenial; urgency=medium
1818
1819 [ Ryan Harper ]
1820 * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
1821 introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
1822 all, since http2 support is intentionally disabled (see LP 1531864).
1823 * d/apache2.maintscript: handle removal of http2.load conffile.
1824
1825 [ Robie Basak ]
1826 * Re-write Ryan's changelog entry.
1827
1828 -- Robie Basak <robie.basak@ubuntu.com> Fri, 15 Apr 2016 18:00:57 +0000
1829
1830apache2 (2.4.18-2ubuntu2) xenial; urgency=medium
1831
1832 * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
1833 - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
1834 unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation
1835 between systemctl status and actual state of apache2 daemon.
1836 - d/apache2.install: place the apache2-systemd.conf file in the correct location.
1837
1838 -- Pierre-André MOREY <pierre-andre.morey@canonical.com> Fri, 08 Apr 2016 11:48:00 +0200
1839
1840apache2 (2.4.18-2ubuntu1) xenial; urgency=medium
1841
1842 * Merge from Debian unstable. Remaining changes:
1843 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1844 apache2.dirs}: Add ufw profiles.
1845 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1846 - debian/rules: Fix cross-building by passing
1847 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1848 - debian/patches/086_svn_cross_compiles: Backport several cross
1849 fixes from upstream
1850 - d/index.html: replace Debian with Ubuntu on default page.
1851 - Don't build experimental http2 module for LTS:
1852 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1853 + debian/config-dir/mods-available/http2.load: removed.
1854
1855 -- Timo Aaltonen <tjaalton@debian.org> Wed, 06 Apr 2016 00:18:31 +0300
1856
825apache2 (2.4.18-2) unstable; urgency=low1857apache2 (2.4.18-2) unstable; urgency=low
8261858
827 * htcacheclean:1859 * htcacheclean:
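Review bot: the 2.4.18-2ubuntu2 entry added in this hunk has bullets well over 80 columns (the "Correct systemd-sysv-generator behavior ... (LP: #1488962)" line and the three lines under it), while every neighbouring entry is wrapped. Rewrapping them to match the 2.4.23 version of the same text would keep the file consistent. Separately, the 2.4.18-2ubuntu1 entry says http2.load was "removed", while 2.4.18-2ubuntu3 says the file was "inadvertently introduced in 2.4.18-2ubuntu1". It is worth confirming the carried delta matches the later statement.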
@@ -847,6 +1879,24 @@ apache2 (2.4.18-2) unstable; urgency=low
8471879
848 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +02001880 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200
8491881
1882apache2 (2.4.18-1ubuntu1) xenial; urgency=medium
1883
1884 * Merge from Debian unstable. Remaining changes:
1885 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1886 apache2.dirs}: Add ufw profiles.
1887 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1888 - Add dep8 tests.
1889 - debian/rules: Fix cross-building by passing
1890 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1891 - debian/patches/086_svn_cross_compiles: Backport several cross
1892 fixes from upstream
1893 - d/index.html: replace Debian with Ubuntu on default page.
1894 - Don't build experimental http2 module for LTS:
1895 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1896 + debian/config-dir/mods-available/http2.load: removed.
1897
1898 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Jan 2016 15:15:22 -0500
1899
850apache2 (2.4.18-1) unstable; urgency=medium1900apache2 (2.4.18-1) unstable; urgency=medium
8511901
852 * New upstream release:1902 * New upstream release:
@@ -854,12 +1904,48 @@ apache2 (2.4.18-1) unstable; urgency=medium
8541904
855 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +01001905 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100
8561906
1907apache2 (2.4.17-3ubuntu1) xenial; urgency=medium
1908
1909 * Merge from Debian unstable. Remaining changes:
1910 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1911 apache2.dirs}: Add ufw profiles.
1912 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1913 - Add dep8 tests.
1914 - debian/rules: Fix cross-building by passing
1915 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1916 - debian/patches/086_svn_cross_compiles: Backport several cross
1917 fixes from upstream
1918 - d/index.html: replace Debian with Ubuntu on default page.
1919 - Don't build experimental http2 module for LTS:
1920 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1921 + debian/config-dir/mods-available/http2.load: removed.
1922
1923 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Dec 2015 10:07:35 -0500
1924
857apache2 (2.4.17-3) unstable; urgency=medium1925apache2 (2.4.17-3) unstable; urgency=medium
8581926
859 * mpm_prefork: Fix segfault if started with -X. Closes: #8057371927 * mpm_prefork: Fix segfault if started with -X. Closes: #805737
8601928
861 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +01001929 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100
8621930
1931apache2 (2.4.17-2ubuntu1) xenial; urgency=medium
1932
1933 * Merge from Debian unstable. Remaining changes:
1934 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1935 apache2.dirs}: Add ufw profiles.
1936 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1937 - Add dep8 tests.
1938 - debian/rules: Fix cross-building by passing
1939 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1940 - debian/patches/086_svn_cross_compiles: Backport several cross
1941 fixes from upstream
1942 - d/index.html: replace Debian with Ubuntu on default page.
1943 - Don't build experimental http2 module for LTS:
1944 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1945 + debian/config-dir/mods-available/http2.load: removed.
1946
1947 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Nov 2015 09:11:52 -0500
1948
863apache2 (2.4.17-2) unstable; urgency=medium1949apache2 (2.4.17-2) unstable; urgency=medium
8641950
865 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke1951 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
@@ -870,6 +1956,31 @@ apache2 (2.4.17-2) unstable; urgency=medium
8701956
871 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +01001957 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100
8721958
1959apache2 (2.4.17-1ubuntu1) xenial; urgency=medium
1960
1961 * Merge from Debian unstable. Remaining changes:
1962 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1963 apache2.dirs}: Add ufw profiles.
1964 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1965 - Add dep8 tests.
1966 - debian/rules: Fix cross-building by passing
1967 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1968 - debian/patches/086_svn_cross_compiles: Backport several cross
1969 fixes from upstream
1970 - d/index.html: replace Debian with Ubuntu on default page.
1971 * Drop patches (applied upstream):
1972 - debian/patches/CVE-2015-3183.patch
1973 - debian/patches/CVE-2015-3185.patch
1974 * Drop changes (adopted in Debian):
1975 - Allow "triggers-awaited" and "triggers-pending" states in addition
1976 to "installed" when determining whether to defer actions or
1977 process deferred actions.
1978 * Don't build experimental http2 module for LTS
1979 - debian/control: removed libnghttp2-dev Build-Depends (in universe).
1980 - debian/config-dir/mods-available/http2.load: removed.
1981
1982 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 30 Oct 2015 09:35:46 -0400
1983
873apache2 (2.4.17-1) unstable; urgency=medium1984apache2 (2.4.17-1) unstable; urgency=medium
8741985
875 [ Stefan Fritsch ]1986 [ Stefan Fritsch ]
@@ -935,6 +2046,49 @@ apache2 (2.4.16-1) unstable; urgency=medium
9352046
936 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +02002047 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200
9372048
2049apache2 (2.4.12-2ubuntu2) wily; urgency=medium
2050
2051 * SECURITY UPDATE: request smuggling via chunked transfer encoding
2052 - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
2053 modules/http/http_filters.c.
2054 - CVE-2015-3183
2055 * SECURITY UPDATE: access restriction bypass via deprecated API
2056 - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
2057 in include/http_request.h, server/request.c.
2058 - CVE-2015-3185
2059
2060 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 24 Jul 2015 09:56:09 -0400
2061
2062apache2 (2.4.12-2ubuntu1) wily; urgency=medium
2063
2064 * Merge from Debian unstable. Remaining changes:
2065 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2066 apache2.dirs}: Add ufw profiles.
2067 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2068 - Add dep8 tests.
2069 - debian/rules: Fix cross-building by passing
2070 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2071 - debian/patches/086_svn_cross_compiles: Backport several cross
2072 fixes from upstream
2073 - d/index.html: replace Debian with Ubuntu on default page.
2074 - Allow "triggers-awaited" and "triggers-pending" states in addition
2075 to "installed" when determining whether to defer actions or
2076 process deferred actions.
2077 * Drop patches (applied upstream):
2078 - d/p/split-logfile.patch
2079 - d/p/CVE-2015-0228.patch
2080 * Drop changes (superceded in Debian):
2081 - Cherry-pick versioned build-depend on dpkg from Debian for correct
2082 dpkg-maintscript-helper symlink_to_dir support.
2083 * Drop changes (adopted in Debian):
2084 - d/control, d/config-dir/mods-available/ssl.conf,
2085 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
2086 dialog program ask-for-passphrase.
2087 * Fix cross-building configure line in d/rules, which had bit-rotted in
2088 previous merges.
2089
2090 -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 May 2015 16:34:00 +0000
2091
938apache2 (2.4.12-2) unstable; urgency=medium2092apache2 (2.4.12-2) unstable; urgency=medium
9392093
940 [ Jean-Michel Nirgal Vourgère ]2094 [ Jean-Michel Nirgal Vourgère ]
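Review bot: in the 2.4.12-2ubuntu1 entry, "Drop changes (superceded in Debian)" misspells "superseded". The same entry drops d/p/CVE-2015-0228.patch as "applied upstream" without naming the upstream version that carries the fix. Adding the version would let a later reader check the claim against the 2.4.12 base.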
@@ -984,6 +2138,28 @@ apache2 (2.4.10-10) unstable; urgency=medium
9842138
985 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +01002139 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100
9862140
2141apache2 (2.4.10-9ubuntu1) vivid; urgency=medium
2142
2143 * Merge from Debian unstable. Remaining changes:
2144 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2145 apache2.dirs}: Add ufw profiles.
2146 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2147 - d/control, d/config-dir/mods-available/ssl.conf,
2148 - Add dep8 tests.
2149 - debian/rules: Fix cross-building by passing
2150 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2151 - debian/patches/086_svn_cross_compiles: Backport several cross
2152 fixes from upstream
2153 - d/index.html: replace Debian with Ubuntu on default page.
2154 - d/p/split-logfile.patch: fix completely broken split-logfile
2155 command.
2156 - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
2157 denial of service in mod_lua via websockets PING
2158 * debian/tests/ssl-passphrase: Add password responder for
2159 systemd-ask-passphrase.
2160
2161 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 09 Mar 2015 12:03:16 +0100
2162
987apache2 (2.4.10-9) unstable; urgency=medium2163apache2 (2.4.10-9) unstable; urgency=medium
9882164
989 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a2165 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
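Review bot: the 2.4.10-9ubuntu1 "Remaining changes" list contains a dangling bullet, "- d/control, d/config-dir/mods-available/ssl.conf,", which ends in a comma and is followed directly by "- Add dep8 tests." with no description. The 2.4.10-8ubuntu1 entry shows the full form of this item (continuing with d/ask-for-passphrase, d/apache2.install and the Plymouth aware passphrase dialog text). Either restore the remainder or drop the fragment, so the list states clearly whether the ask-for-passphrase delta was still carried at that version.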
@@ -998,6 +2174,54 @@ apache2 (2.4.10-9) unstable; urgency=medium
9982174
999 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +01002175 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100
10002176
2177apache2 (2.4.10-8ubuntu3) vivid; urgency=medium
2178
2179 * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
2180 directives
2181 - debian/patches/CVE-2014-8109.patch: handle multiple Require
2182 directives with different arguments in modules/lua/mod_lua.c.
2183 - CVE-2014-8109
2184 * SECURITY UPDATE: denial of service in mod_lua via websockets PING
2185 - debian/patches/CVE-2015-0228.patch: fix logic in
2186 modules/lua/lua_request.c.
2187 - CVE-2015-0228
2188
2189 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 05 Mar 2015 10:56:34 -0500
2190
2191apache2 (2.4.10-8ubuntu2) vivid; urgency=medium
2192
2193 * Allow "triggers-awaited" and "triggers-pending" states in addition to
2194 "installed" when determining whether to defer actions or process
2195 deferred actions (LP: #1393832).
2196
2197 -- Colin Watson <cjwatson@ubuntu.com> Wed, 26 Nov 2014 11:31:44 +0000
2198
2199apache2 (2.4.10-8ubuntu1) vivid; urgency=medium
2200
2201 * Merge from Debian unstable. Remaining changes:
2202 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2203 apache2.dirs}: Add ufw profiles.
2204 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2205 - d/control, d/config-dir/mods-available/ssl.conf,
2206 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
2207 dialog program ask-for-passphrase.
2208 - Add dep8 tests.
2209 - debian/rules: Fix cross-building by passing
2210 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2211 - debian/patches/086_svn_cross_compiles: Backport several cross
2212 fixes from upstream
2213 - d/index.html: replace Debian with Ubuntu on default page.
2214 - d/p/split-logfile.patch: fix completely broken split-logfile
2215 command.
2216 * Fixes from Debian included in merge:
2217 - Crash caused by OCSP stapling code; this was erroneously
2218 attributed to Debian in my previous merge, but actually only
2219 appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
2220 * Cherry-pick versioned build-depend on dpkg from Debian for correct
2221 dpkg-maintscript-helper symlink_to_dir support.
2222
2223 -- Robie Basak <robie.basak@ubuntu.com> Fri, 21 Nov 2014 15:15:58 +0000
2224
1001apache2 (2.4.10-8) unstable; urgency=medium2225apache2 (2.4.10-8) unstable; urgency=medium
10022226
1003 * Bump dpkg Pre-Depends to version that supports relative symlinks in2227 * Bump dpkg Pre-Depends to version that supports relative symlinks in
@@ -1012,6 +2236,33 @@ apache2 (2.4.10-8) unstable; urgency=medium
10122236
1013 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +01002237 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100
10142238
2239apache2 (2.4.10-7ubuntu1) vivid; urgency=medium
2240
2241 * Merge from Debian unstable. Remaining changes:
2242 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2243 apache2.dirs}: Add ufw profiles.
2244 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2245 - d/control, d/config-dir/mods-available/ssl.conf,
2246 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
2247 dialog program ask-for-passphrase.
2248 - Add dep8 tests.
2249 - debian/rules: Fix cross-building by passing
2250 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2251 - debian/patches/086_svn_cross_compiles: Backport several cross
2252 fixes from upstream
2253 - d/index.html: replace Debian with Ubuntu on default page.
2254 - d/p/split-logfile.patch: fix completely broken split-logfile command.
2255 * Fixes from Debian included in merge:
2256 - Don't use a2query in preinst, as it may not be available yet
2257 (LP: #1312533).
2258 - Crash caused by OCSP stapling code (LP: #1366174).
2259 - Disable SSLv3 in default config (LP: #1358305).
2260 - If apache2 is not configured yet, defer actions executed via
2261 apache2-maintscript-helper. This fixes installation failures if a
2262 module package is configured first (LP: #1312854).
2263
2264 -- Robie Basak <robie.basak@ubuntu.com> Mon, 17 Nov 2014 18:04:40 +0000
2265
1015apache2 (2.4.10-7) unstable; urgency=medium2266apache2 (2.4.10-7) unstable; urgency=medium
10162267
1017 * Handle transitions of doc dirs and symlinks correctly during upgrade.2268 * Handle transitions of doc dirs and symlinks correctly during upgrade.
@@ -1095,6 +2346,25 @@ apache2 (2.4.10-2) unstable; urgency=medium
10952346
1096 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +02002347 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200
10972348
2349apache2 (2.4.10-1ubuntu1) utopic; urgency=medium
2350
2351 * Merge from Debian unstable. Remaining changes:
2352 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2353 apache2.dirs}: Add ufw profiles.
2354 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2355 - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
2356 d/apache2.install: Plymouth aware passphrase dialog program
2357 ask-for-passphrase.
2358 - Add dep8 tests.
2359 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
2360 configure.
2361 - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
2362 upstream
2363 - d/index.html: replace Debian with Ubuntu on default page.
2364 - d/p/split-logfile.patch: fix completely broken split-logfile command.
2365
2366 -- Robie Basak <robie.basak@ubuntu.com> Thu, 24 Jul 2014 15:13:16 +0000
2367
1098apache2 (2.4.10-1) unstable; urgency=medium2368apache2 (2.4.10-1) unstable; urgency=medium
10992369
1100 [ Arno Töll ]2370 [ Arno Töll ]
@@ -1142,6 +2412,45 @@ apache2 (2.4.9-2) unstable; urgency=medium
11422412
1143 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +02002413 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200
11442414
2415apache2 (2.4.9-1ubuntu2) utopic; urgency=medium
2416
2417 * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
2418 yet support building against lua 5.2 (LP: #1323930).
2419
2420 -- Robie Basak <robie.basak@ubuntu.com> Wed, 28 May 2014 08:55:25 +0000
2421
2422apache2 (2.4.9-1ubuntu1) utopic; urgency=medium
2423
2424 * Merge from Debian unstable. Remaining changes:
2425 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2426 apache2.dirs}: Add ufw profiles.
2427 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2428 - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
2429 d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
2430 dialog program ask-for-passphrase.
2431 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
2432 configure.
2433 - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
2434 upstream
2435 - Build using lua5.2.
2436 - d/tests/chroot: dep8 test for ChrootDir case.
2437 - d/tests/ssl-passphrase: update for new default path /var/www/html.
2438 - d/tests/duplicate-module-load: check for duplicate module loads.
2439 - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
2440 - d/p/split-logfile.patch: fix completely broken split-logfile command
2441 (LP: #1299162). Thanks to Holger Mauermann.
2442 * Drop changes (upstreamed):
2443 - d/p/ignore-quilt-dir: adjust build system so that it does not use
2444 files find inside the .pc directory. This stops a double module load
2445 causing later havoc, including "ChrootDir" directive failure.
2446 - debian/patches/CVE-2013-6438.patch: properly calculate correct length
2447 in modules/dav/main/util.c.
2448 - debian/patches/CVE-2014-0098.patch: properly parse tokens in
2449 modules/loggers/mod_log_config.c.
2450 * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
2451
2452 -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 May 2014 19:30:04 +0000
2453
1145apache2 (2.4.9-1) unstable; urgency=medium2454apache2 (2.4.9-1) unstable; urgency=medium
11462455
1147 * New upstream version.2456 * New upstream version.
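Review bot: under "Drop changes (upstreamed)" in 2.4.9-1ubuntu1, the d/p/ignore-quilt-dir bullet reads "does not use files find inside the .pc directory"; "find" should be "found". The two CVE patches in the same list (CVE-2013-6438, CVE-2014-0098) are grouped under "upstreamed" with only the file they touched. A short "fixed in 2.4.9" on each would make the drop verifiable from the changelog alone.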
@@ -1174,6 +2483,63 @@ apache2 (2.4.9-1) unstable; urgency=medium
11742483
1175 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +01002484 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +0100
11762485
2486apache2 (2.4.7-1ubuntu4) trusty; urgency=medium
2487
2488 * d/p/split-logfile.patch: fix completely broken split-logfile command
2489 (LP: #1299162). Thanks to Holger Mauermann.
2490
2491 -- Robie Basak <robie.basak@ubuntu.com> Thu, 03 Apr 2014 11:21:22 +0000
2492
2493apache2 (2.4.7-1ubuntu3) trusty; urgency=medium
2494
2495 * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
2496 calculation
2497 - debian/patches/CVE-2013-6438.patch: properly calculate correct length
2498 in modules/dav/main/util.c.
2499 - CVE-2013-6438
2500 * SECURITY UPDATE: denial of service via truncated cookie and
2501 mod_log_config
2502 - debian/patches/CVE-2014-0098.patch: properly parse tokens in
2503 modules/loggers/mod_log_config.c.
2504 - CVE-2014-0098
2505
2506 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Mar 2014 08:34:10 -0400
2507
2508apache2 (2.4.7-1ubuntu2) trusty; urgency=medium
2509
2510 * d/index.html: replace Debian with Ubuntu on default page
2511 (LP: #1288690).
2512
2513 -- Robie Basak <robie.basak@ubuntu.com> Wed, 19 Mar 2014 11:04:21 +0000
2514
2515apache2 (2.4.7-1ubuntu1) trusty; urgency=medium
2516
2517 * Merge from Debian unstable. Remaining changes:
2518 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2519 apache2.dirs}: Add ufw profiles.
2520 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2521 - d/control, d/config-dir/mods-available/ssl.conf,
2522 d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase:
2523 Plymouth aware passphrase dialog program ask-for-passphrase.
2524 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
2525 to configure.
2526 - debian/patches/086_svn_cross_compiles: Backport several cross fixes
2527 from upstream
2528 - Build using lua5.2.
2529 - d/tests/chroot: dep8 test for ChrootDir case.
2530 - d/p/ignore-quilt-dir: adjust build system so that it does not use
2531 files find inside the .pc directory. This stops a double module load
2532 causing later havoc, including "ChrootDir" directive failure.
2533 * Drop changes:
2534 - debian/{control, rules}: Enable PIE hardening: no longer required;
2535 2.4.7-1 is already hardened.
2536 - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved
2537 out of this package.
2538 * d/tests/ssl-passphrase: update for new default path /var/www/html.
2539 * d/tests/duplicate-module-load: check for duplicate module loads.
2540
2541 -- Robie Basak <robie.basak@ubuntu.com> Tue, 14 Jan 2014 17:23:47 +0000
2542
1177apache2 (2.4.7-1) unstable; urgency=low2543apache2 (2.4.7-1) unstable; urgency=low
11782544
1179 New upstream version2545 New upstream version
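Review bot: the "Drop changes" item in 2.4.7-1ubuntu1 removes the PIE hardening delta from debian/{control, rules} with only "no longer required; 2.4.7-1 is already hardened" as justification. Since this is a security-relevant build setting, the entry should say what in the Debian packaging now provides it, so later merges can check that it has not regressed rather than rely on the assertion.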
@@ -1237,6 +2603,53 @@ apache2 (2.4.6-3) unstable; urgency=low
12372603
1238 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +02002604 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +0200
12392605
2606apache2 (2.4.6-2ubuntu4) trusty; urgency=low
2607
2608 * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so
2609 that it does not use files find inside the .pc directory. This stops a
2610 double module load causing later havoc, including "ChrootDir" directive
2611 failure (LP: #1251939). Thanks to Stefan Fritsch.
2612 * d/tests/chroot: dep8 test for ChrootDir case.
2613
2614 -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 Nov 2013 16:21:51 +0000
2615
2616apache2 (2.4.6-2ubuntu3) trusty; urgency=low
2617
2618 * debian/apache2.install: Correct path for ufw.
2619 (LP: #1252722)
2620
2621 -- Chuck Short <zulcss@ubuntu.com> Tue, 19 Nov 2013 08:59:54 -0500
2622
2623apache2 (2.4.6-2ubuntu2) saucy; urgency=low
2624
2625 * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes
2626 passphrase prompting for SSL certificates that are passphrase protected.
2627 * Add dep8 test for SSL passphrase prompting.
2628
2629 -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 Aug 2013 13:08:52 +0000
2630
2631apache2 (2.4.6-2ubuntu1) saucy; urgency=low
2632
2633 * Merge from Debian unstable. Remaining changes:
2634 - debian/{control, rules}: Enable PIE hardening.
2635 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2636 apache2.dirs}: Add ufw profiles.
2637 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2638 - debian/control, debian/config-dir/mods-available/ssl.conf,
2639 debian/ask-for-passphrase, debian/apache2.install: Plymouth aware
2640 passphrase dialog program ask-for-passphrase.
2641 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
2642 to configure.
2643 - debian/patches/086_svn_cross_compiles: Backport several cross fixes
2644 from upstream
2645 * Dropped changes:
2646 - debian/patches/CVE-2013-1896.patch: upstream
2647 * Fixed module dependencies (LP: #1205314)
2648 - debian/config-dir/mods-available/lbmethod_*: properly specify
2649 proxy_balancer, not mod_proxy_balancer.
2650
2651 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Jul 2013 08:31:33 -0400
2652
1240apache2 (2.4.6-2) unstable; urgency=low2653apache2 (2.4.6-2) unstable; urgency=low
12412654
1242 [ Stefan Fritsch ]2655 [ Stefan Fritsch ]
@@ -1289,6 +2702,56 @@ apache2 (2.4.6-1) unstable; urgency=low
12892702
1290 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +02002703 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +0200
12912704
2705apache2 (2.4.4-6ubuntu5) saucy; urgency=low
2706
2707 * SECURITY UPDATE: denial of service via MERGE request
2708 - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
2709 in modules/dav/main/mod_dav.c.
2710 - CVE-2013-1896
2711
2712 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Jul 2013 11:20:47 -0400
2713
2714apache2 (2.4.4-6ubuntu4) saucy; urgency=low
2715
2716 * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to
2717 apache2-bin. apache2-utils is only suggested by apache2, so may not
2718 always be installed by bug reporters. However, apache2-bin will always
2719 need to be installed for Apache to be functional, so this is a better
2720 place for the apport hook. apache2-bin already Conflicts/Replaces
2721 apache2.2-common, so this also fixes (LP: #1199318).
2722 * d/apache2.py: adjust apport hook for new location of configuration
2723 files in apache2 >= 2.4: they have moved from apache2.2-common to
2724 apache2.
2725
2726 -- Robie Basak <robie.basak@ubuntu.com> Wed, 17 Jul 2013 17:54:22 +0000
2727
2728apache2 (2.4.4-6ubuntu3) saucy; urgency=low
2729
2730 * Build using lua5.2.
2731
2732 -- Matthias Klose <doko@ubuntu.com> Wed, 17 Jul 2013 14:24:42 +0200
2733
2734apache2 (2.4.4-6ubuntu2) saucy; urgency=low
2735
2736 * debian/rules: Fix FTBFS while installing ufw.
2737
2738 -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 10:10:14 -0500
2739
2740apache2 (2.4.4-6ubuntu1) saucy; urgency=low
2741
2742 * Merge from Debian unstable. Remaining changes:
2743 - debian/{control, rules}: Enable PIE hardening.
2744 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2745 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2746 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2747 Plymouth aware passphrase dialog program ask-for-passphrase.
2748 * Dropped changes:
2749 - debian/patches/CVE-2012-2687.patch: Dropped no longer needed.
2750 - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed.
2751 - debian/patches/CVE-2012-4929.patch: Dropped no longer needed.
2752
2753 -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 08:34:01 -0500
2754
1292apache2 (2.4.4-6) unstable; urgency=low2755apache2 (2.4.4-6) unstable; urgency=low
12932756
1294 * Denote exact versions breaking gnome-user-share now that Gnome maintainers2757 * Denote exact versions breaking gnome-user-share now that Gnome maintainers
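Review bot: in 2.4.4-6ubuntu1 the three security patches (CVE-2012-2687, CVE-2012-3499_4558, CVE-2012-4929) are listed as "Dropped no longer needed." with no reason given, unlike the later entries that say "Drop patches (applied upstream)". State for each whether the fix is included in the 2.4.4 upstream code. For CVE-2012-4929, whose patch backported the SSLCompression directive with a default of off, confirm that the default is still off in the new base. The bullet "debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:" also runs past 80 columns.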
@@ -1760,6 +3223,122 @@ apache2 (2.4.1-1) experimental; urgency=low
17603223
1761 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +01003224 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +0100
17623225
3226apache2 (2.2.22-6ubuntu5) raring; urgency=low
3227
3228 * SECURITY UPDATE: multiple cross-site scripting issues
3229 - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
3230 modules/generators/{mod_info.c,mod_status.c},
3231 modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
3232 modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
3233 - CVE-2012-3499
3234 - CVE-2012-4558
3235 * SECURITY UPDATE: symlink attack in apache2ctl script
3236 - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
3237 - Thanks to Stefan Fritsch for the fix.
3238 - CVE-2013-1048
3239
3240 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 15 Mar 2013 07:59:58 -0400
3241
3242apache2 (2.2.22-6ubuntu4) raring; urgency=low
3243
3244 * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
3245 * Skip module sanity check between MPMs if cross-building without the
3246 kernel/binfmt support to run our target binaries on the build system.
3247 * Backport several cross fixes from upstream as 086_svn_cross_compiles.
3248
3249 -- Adam Conrad <adconrad@ubuntu.com> Wed, 05 Dec 2012 02:21:46 -0700
3250
3251apache2 (2.2.22-6ubuntu3) raring; urgency=low
3252
3253 * SECURITY UPDATE: XSS vulnerability in mod_negotiation
3254 - debian/patches/CVE-2012-2687.patch: escape filenames in
3255 modules/mappers/mod_negotiation.c.
3256 - CVE-2012-2687
3257 * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
3258 - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
3259 directive. Defaults to off as enabling compression enables the CRIME
3260 attack.
3261 - CVE-2012-4929
3262
3263 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 08 Nov 2012 17:56:24 -0500
3264
3265apache2 (2.2.22-6ubuntu2) quantal; urgency=low
3266
3267 * debian/apache2.py
3268 - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171)
3269 - Check if this directory exists: /etc/apache2/sites-enabled/
3270
3271 -- Matthieu Baerts (matttbe) <matttbe@gmail.com> Mon, 16 Jul 2012 10:02:18 +0200
3272
3273apache2 (2.2.22-6ubuntu1) quantal; urgency=low
3274
3275 * Merge from Debian unstable. Remaining changes:
3276 - debian/{control, rules}: Enable PIE hardening.
3277 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3278 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3279 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3280 Plymouth aware passphrase dialog program ask-for-passphrase.
3281 * Dropped changes:
3282 - debian/control: Add bzr tag and point it to our tree; this is not
3283 really required and just increases the delta.
3284
3285 -- Robie Basak <robie.basak@ubuntu.com> Fri, 08 Jun 2012 11:37:31 +0100
3286
3287apache2 (2.2.22-6) unstable; urgency=low
3288
3289 [ Stefan Fritsch ]
3290 * Fix regression causing apache2 to cache "206 partial content" responses,
3291 and then serving these partial responses when replying to normal requests.
3292 Closes: #671204
3293 * Add section to security.conf that shows how to forbid access to VCS
3294 directories. Closes: #548213
3295 * Update ssl default cipher config, add alternative speed optimized config.
3296 Closes: #649020
3297 * Add "AddCharset" for .brf files in default mod_mime config.
3298 Closes: #402567
3299 * Don't create httpd.conf anymore and don't include it in apache2.conf. If
3300 it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
3301 * Port some of the comments in apache2.conf from the 2.4 package.
3302 * Compile mod_version statically, drop associated module load file.
3303 * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
3304 configtest.
3305 * Note in README.Debian that future versions of the package will have the
3306 include statements changed to include only *.conf.
3307 * Change compiled-in document root to /var/www, to avoid strange error
3308 messages.
3309 * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
3310
3311 [ Arno Töll ]
3312 * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
3313 to override LDFLAGS at compile time by defining LDLAGS in the environment,
3314 just like it is possible for CFLAGS. This also means, config_vars.mk now
3315 exports hardening build flags by default.
3316 * Update doc-base metadata for the apache2-doc package.
3317
3318 -- Stefan Fritsch <sf@debian.org> Tue, 29 May 2012 22:05:48 +0200
3319
3320apache2 (2.2.22-5) unstable; urgency=low
3321
3322 * Make LoadFile and LoadModule look in the standard search paths if the
3323 dso file name is given as a pure filename. This helps with the multi-arch
3324 transition.
3325
3326 -- Stefan Fritsch <sf@debian.org> Mon, 30 Apr 2012 23:38:33 +0200
3327
3328apache2 (2.2.22-4) unstable; urgency=high
3329
3330 * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
3331 hosts' config files.
3332 If scripting modules like mod_php or mod_rivet are enabled on systems
3333 where either 1) some frontend server forwards connections to an apache2
3334 backend server on the localhost address, or 2) the machine running
3335 apache2 is also used for web browsing, this could allow a remote
3336 attacker to execute example scripts stored under /usr/share/doc.
3337 Depending on the installed packages, this could lead to issues like cross
3338 site scripting, code execution, or leakage of sensitive data.
3339
3340 -- Stefan Fritsch <sf@debian.org> Sun, 15 Apr 2012 23:41:43 +0200
3341
1763apache2 (2.2.22-3) unstable; urgency=low3342apache2 (2.2.22-3) unstable; urgency=low
17643343
1765 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':3344 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
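Review bot: The stanzas for 2.2.22-6, 2.2.22-5 and 2.2.22-4 are Debian uploads to unstable signed by Stefan Fritsch, yet they carry only new-side line numbers, so they exist in the Ubuntu changelog and not in debian/sid. Please confirm they are identical to what the previous Ubuntu upload shipped and were not touched by the changelog squash mentioned in the description. The 2.2.22-4 stanza records the CVE-2012-0216 fix (removal of "Alias /doc /usr/share/doc" from the default virtual hosts), and the "LDLAGS" spelling in 2.2.22-6 should stay as published rather than be corrected in this merge.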
@@ -1780,6 +3359,18 @@ apache2 (2.2.22-2) unstable; urgency=low
17803359
1781 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +01003360 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +0100
17823361
3362apache2 (2.2.22-1ubuntu1) precise; urgency=low
3363
3364 * Merge from Debian testing. Remaining changes:
3365 - debian/{control, rules}: Enable PIE hardening.
3366 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3367 - debian/control: Add bzr tag and point it to our tree
3368 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3369 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3370 Plymouth aware passphrase dialog program ask-for-passphrase.
3371
3372 -- Chuck Short <zulcss@ubuntu.com> Sun, 12 Feb 2012 20:06:35 -0500
3373
1783apache2 (2.2.22-1) unstable; urgency=low3374apache2 (2.2.22-1) unstable; urgency=low
17843375
1785 [ Stefan Fritsch ]3376 [ Stefan Fritsch ]
@@ -1797,6 +3388,18 @@ apache2 (2.2.22-1) unstable; urgency=low
17973388
1798 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +01003389 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +0100
17993390
3391apache2 (2.2.21-5ubuntu1) precise; urgency=low
3392
3393 * Merge from Debian testing. Remaining changes:
3394 - debian/{control, rules}: Enable PIE hardening.
3395 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3396 - debian/control: Add bzr tag and point it to our tree
3397 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3398 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3399 Plymouth aware passphrase dialog program ask-for-passphrase.
3400
3401 -- Chuck Short <zulcss@ubuntu.com> Mon, 09 Jan 2012 06:26:31 +0000
3402
1800apache2 (2.2.21-5) unstable; urgency=low3403apache2 (2.2.21-5) unstable; urgency=low
18013404
1802 [ Arno Töll ]3405 [ Arno Töll ]
@@ -1850,6 +3453,26 @@ apache2 (2.2.21-4) unstable; urgency=low
18503453
1851 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +01003454 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +0100
18523455
3456apache2 (2.2.21-3ubuntu2) precise; urgency=low
3457
3458 * d/ask-for-passphrase: Flip the logic of this script so that it checks
3459 first to see if apache is being started from a TTY, and then if not,
3460 tries plymouth. (LP: #887410)
3461
3462 -- Clint Byrum <clint@ubuntu.com> Tue, 06 Dec 2011 16:49:33 -0800
3463
3464apache2 (2.2.21-3ubuntu1) precise; urgency=low
3465
3466 * Merge from Debian testing. Remaining changes:
3467 - debian/{control, rules}: Enable PIE hardening.
3468 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3469 - debian/control: Add bzr tag and point it to our tree
3470 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3471 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3472 Plymouth aware passphrase dialog program ask-for-passphrase.
3473
3474 -- Chuck Short <zulcss@ubuntu.com> Fri, 09 Dec 2011 05:20:43 +0000
3475
1853apache2 (2.2.21-3) unstable; urgency=medium3476apache2 (2.2.21-3) unstable; urgency=medium
18543477
1855 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some3478 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
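Review bot: The trailer dates of the two added stanzas run backwards: 2.2.21-3ubuntu2 is dated Tue, 06 Dec 2011, while 2.2.21-3ubuntu1 below it is dated Fri, 09 Dec 2011. If that matches the published uploads, leave it as is, but check it against the archive copy of the changelog before merging. Anyone auditing when the ask-for-passphrase TTY change (LP: #887410) landed should order these entries by version, not by trailer date.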
@@ -1864,6 +3487,24 @@ apache2 (2.2.21-3) unstable; urgency=medium
18643487
1865 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +01003488 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +0100
18663489
3490apache2 (2.2.21-2ubuntu2) precise; urgency=low
3491
3492 * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
3493
3494 -- Adam Conrad <adconrad@ubuntu.com> Fri, 02 Dec 2011 17:36:28 -0700
3495
3496apache2 (2.2.21-2ubuntu1) precise; urgency=low
3497
3498 * Merge from debian unstable. Remaining changes:
3499 - debian/{control, rules}: Enable PIE hardening.
3500 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3501 - debian/control: Add bzr tag and point it to our tree
3502 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3503 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3504 Plymouth aware passphrase dialog program ask-for-passphrase.
3505
3506 -- Chuck Short <zulcss@ubuntu.com> Fri, 14 Oct 2011 16:01:29 +0000
3507
1867apache2 (2.2.21-2) unstable; urgency=high3508apache2 (2.2.21-2) unstable; urgency=high
18683509
1869 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some3510 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
@@ -1881,6 +3522,19 @@ apache2 (2.2.21-1) unstable; urgency=low
18813522
1882 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +02003523 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +0200
18833524
3525apache2 (2.2.20-1ubuntu1) oneiric; urgency=low
3526
3527 * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
3528 Remaining changes:
3529 - debian/{control, rules}: Enable PIE hardening.
3530 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3531 - debian/control: Add bzr tag and point it to our tree
3532 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3533 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3534 Plymouth aware passphrase dialog program ask-for-passphrase.
3535
3536 -- Steve Beattie <sbeattie@ubuntu.com> Tue, 06 Sep 2011 01:17:15 -0700
3537
1884apache2 (2.2.20-1) unstable; urgency=low3538apache2 (2.2.20-1) unstable; urgency=low
18853539
1886 * New upstream release.3540 * New upstream release.
@@ -1903,6 +3557,18 @@ apache2 (2.2.19-2) unstable; urgency=high
19033557
1904 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +02003558 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +0200
19053559
3560apache2 (2.2.19-1ubuntu1) oneiric; urgency=low
3561
3562 * Merge from debian unstable (LP: #787013). Remaining changes:
3563 - debian/{control, rules}: Enable PIE hardening.
3564 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3565 - debian/control: Add bzr tag and point it to our tree
3566 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3567 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3568 Plymouth aware passphrase dialog program ask-for-passphrase.
3569
3570 -- Andres Rodriguez <andreserl@ubuntu.com> Mon, 23 May 2011 10:16:09 -0400
3571
1906apache2 (2.2.19-1) unstable; urgency=low3572apache2 (2.2.19-1) unstable; urgency=low
19073573
1908 * New upstream release.3574 * New upstream release.
@@ -1920,6 +3586,18 @@ apache2 (2.2.19-1) unstable; urgency=low
19203586
1921 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +02003587 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +0200
19223588
3589apache2 (2.2.17-3ubuntu1) oneiric; urgency=low
3590
3591 * Merge from debian unstable. Remaining changes:
3592 - debian/{control, rules}: Enable PIE hardening.
3593 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3594 - debian/control: Add bzr tag and point it to our tree
3595 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3596 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3597 Plymouth aware passphrase dialog program ask-for-passphrase.
3598
3599 -- Chuck Short <zulcss@ubuntu.com> Mon, 11 Apr 2011 02:13:30 +0100
3600
1923apache2 (2.2.17-3) unstable; urgency=low3601apache2 (2.2.17-3) unstable; urgency=low
19243602
1925 * Fix compilation with OpenSSL without SSLv2 support. Closes: #6220493603 * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
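Review bot: In the 2.2.17-3ubuntu1 stanza the apport hook line reads "debain/apache2.py, debian/apache2.2-common.isntall", whereas the 2.2.19-1ubuntu1 stanza spells the same paths "debian/apache2.py, debian/apache2.2-common.install"; the misspelled form recurs in the 2.2.17-1ubuntu1 and 2.2.16-6ubuntu1 stanzas. Keep the published spelling in these historical entries, but note that a search of the changelog by file path will skip all three, so tracing how long the apport hook delta has been carried should match on "apport hook" instead.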
@@ -1946,6 +3624,18 @@ apache2 (2.2.17-2) unstable; urgency=high
19463624
1947 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +01003625 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +0100
19483626
3627apache2 (2.2.17-1ubuntu1) natty; urgency=low
3628
3629 * Merge from debian unstable, remaining changes:
3630 - debian/{control, rules}: Enable PIE hardening.
3631 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3632 - debian/control: Add bzr tag and point it to our tree
3633 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3634 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3635 Plymouth aware passphrase dialog program ask-for-passphrase.
3636
3637 -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Feb 2011 13:02:08 -0500
3638
1949apache2 (2.2.17-1) unstable; urgency=low3639apache2 (2.2.17-1) unstable; urgency=low
19503640
1951 * New upstream version3641 * New upstream version
@@ -1954,6 +3644,32 @@ apache2 (2.2.17-1) unstable; urgency=low
19543644
1955 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +01003645 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +0100
19563646
3647apache2 (2.2.16-6ubuntu3) natty; urgency=low
3648
3649 * debian/rules: Don't use "-fno-strict-aliasing" since it causes
3650 apache FTBFS on amd64. (LP: #711293)
3651
3652 -- Chuck Short <zulcss@ubuntu.com> Tue, 01 Feb 2011 10:19:55 -0500
3653
3654apache2 (2.2.16-6ubuntu2) natty; urgency=low
3655
3656 * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug.
3657 (LP: #697105)
3658
3659 -- Chuck Short <zulcss@ubuntu.com> Tue, 25 Jan 2011 11:14:58 -0500
3660
3661apache2 (2.2.16-6ubuntu1) natty; urgency=low
3662
3663 * Merge from debian unstable. Remaining changes:
3664 - debian/{control, rules}: Enable PIE hardening.
3665 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3666 - debian/control: Add bzr tag and point it to our tree
3667 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3668 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3669 Plymouth aware passphrase dialog program ask-for-passphrase.
3670
3671 -- Chuck Short <zulcss@ubuntu.com> Sun, 02 Jan 2011 06:05:51 +0000
3672
1957apache2 (2.2.16-6) unstable; urgency=low3673apache2 (2.2.16-6) unstable; urgency=low
19583674
1959 * Also add $named to the secondary-init-script example.3675 * Also add $named to the secondary-init-script example.
@@ -1969,6 +3685,30 @@ apache2 (2.2.16-5) unstable; urgency=medium
19693685
1970 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +01003686 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +0100
19713687
3688apache2 (2.2.16-4ubuntu2) natty; urgency=low
3689
3690 [Clint Byrum]
3691 * Adding plymouth aware passphrase dialog program ask-for-passphrase.
3692 (LP: #582963)
3693 + debian/control: apache2.2-common depends on bash for ask-for-passphrase
3694 + debian/config-dir/mods-available/ssl.conf:
3695 - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase
3696
3697 [Chuck Short]
3698 * Add apport hook. (LP: #609177)
3699 + debian/apache2.py, debian/apache2.2-common.install
3700
3701 -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:43 -0500
3702
3703apache2 (2.2.16-4ubuntu1) natty; urgency=low
3704
3705 * Merge from debian unstable. Remaining changes:
3706 - debian/{control, rules}: Enable PIE hardening.
3707 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3708 - debian/control: Add bzr tag and point it to our tree
3709
3710 -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:41 -0500
3711
1972apache2 (2.2.16-4) unstable; urgency=medium3712apache2 (2.2.16-4) unstable; urgency=medium
19733713
1974 * Increase the mod_reqtimeout default timeouts to avoid potential problems3714 * Increase the mod_reqtimeout default timeouts to avoid potential problems
@@ -1979,6 +3719,15 @@ apache2 (2.2.16-4) unstable; urgency=medium
19793719
1980 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +01003720 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +0100
19813721
3722apache2 (2.2.16-3ubuntu1) natty; urgency=low
3723
3724 * Merge from debian unstable. Remaining changes:
3725 - debian/{control, rules}: Enable PIE hardening.
3726 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3727 - debian/control: Add bzr tag and point it to our tree.
3728
3729 -- Chuck Short <zulcss@ubuntu.com> Tue, 12 Oct 2010 11:54:48 +0100
3730
1982apache2 (2.2.16-3) unstable; urgency=high3731apache2 (2.2.16-3) unstable; urgency=high
19833732
1984 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.3733 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
@@ -2001,6 +3750,30 @@ apache2 (2.2.16-2) unstable; urgency=low
20013750
2002 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +02003751 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +0200
20033752
3753apache2 (2.2.16-1ubuntu3) maverick; urgency=low
3754
3755 * Revert "stty sane" to unbreak apache starting, this will have to be
3756 fixed a different way. (LP: #626723)
3757
3758 -- Chuck Short <zulcss@ubuntu.com> Wed, 08 Sep 2010 08:33:17 -0400
3759
3760apache2 (2.2.16-1ubuntu2) maverick; urgency=low
3761
3762 * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a
3763 password prompt when using apache-ssl. (LP: #582963)
3764
3765 -- Chuck Short <zulcss@ubuntu.com> Wed, 25 Aug 2010 09:25:05 -0400
3766
3767apache2 (2.2.16-1ubuntu1) maverick; urgency=low
3768
3769 * Merge from debian unstable. Remaining changes:
3770 - debian/{control, rules}: Enable PIE hardening.
3771 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3772 - debian/control: Add bzr tag and point it to our tree.
3773 - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
3774
3775 -- Chuck Short <zulcss@ubuntu.com> Mon, 26 Jul 2010 20:21:37 +0100
3776
2004apache2 (2.2.16-1) unstable; urgency=medium3777apache2 (2.2.16-1) unstable; urgency=medium
20053778
2006 * Urgency medium for security fix.3779 * Urgency medium for security fix.
@@ -2033,6 +3806,24 @@ apache2 (2.2.15-6) unstable; urgency=low
20333806
2034 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +02003807 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +0200
20353808
3809apache2 (2.2.15-5ubuntu1) maverick; urgency=low
3810
3811 * Merge from debian unstable. Remaining changes:
3812 - debian/{control, rules}: Enable PIE hardening.
3813 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3814 - debian/control: Add bzr tag and point it to our tree.
3815 - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
3816 + Dropped:
3817 - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
3818 - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
3819 - debian/config-dir/apache2.conf: Merged back from debian.
3820 - mod-reqtimeout functionality: Merge back from debian.
3821 - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
3822 - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
3823 - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.
3824
3825 -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 01:28:04 +0100
3826
2036apache2 (2.2.15-5) unstable; urgency=low3827apache2 (2.2.15-5) unstable; urgency=low
20373828
2038 * Conflict with apache package as we now include apachectl. Closes: #5790653829 * Conflict with apache package as we now include apachectl. Closes: #579065
@@ -2153,6 +3944,80 @@ apache2 (2.2.14-6) unstable; urgency=low
21533944
2154 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +01003945 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +0100
21553946
3947apache2 (2.2.14-5ubuntu8) lucid; urgency=low
3948
3949 * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
3950 (LP: #562370)
3951
3952 -- Chuck Short <zulcss@ubuntu.com> Tue, 13 Apr 2010 15:09:57 -0400
3953
3954apache2 (2.2.14-5ubuntu7) lucid; urgency=low
3955
3956 * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
3957 leaks by making sure to not destroy bucket brigades that have been created
3958 by earlier filters. Backported from 2.2.15.
3959 * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
3960 has reached MaxClients until it has. Backported from 2.2.15
3961 * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
3962 more secure by adding Satisfy all. (Debian bug: #572075)
3963 * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
3964 debian/config2-dir/mods-available/reqtimeout.load,
3965 debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the
3966 mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
3967 bug in apache. Enable it by default. (LP: #392759)
3968
3969 -- Chuck Short <zulcss@ubuntu.com> Mon, 05 Apr 2010 09:53:35 -0400
3970
3971apache2 (2.2.14-5ubuntu6) lucid; urgency=low
3972
3973 * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)
3974
3975 -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 09:41:11 -0400
3976
3977apache2 (2.2.14-5ubuntu5) lucid; urgency=low
3978
3979 * Revert 99-fix-mod-dav-permissions.dpatch
3980
3981 -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 07:55:46 -0400
3982
3983apache2 (2.2.14-5ubuntu4) lucid; urgency=low
3984
3985 * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when
3986 downloading files from webdav (LP: #540747)
3987 * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)
3988
3989 -- Chuck Short <zulcss@ubuntu.com> Mon, 29 Mar 2010 13:37:39 -0400
3990
3991apache2 (2.2.14-5ubuntu3) lucid; urgency=low
3992
3993 * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
3994 - debian/patches/204_CVE-2010-0408.dpatch: return the right error code
3995 in modules/proxy/mod_proxy_ajp.c.
3996 - CVE-2010-0408
3997 * SECURITY UPDATE: information disclosure via improper handling of
3998 headers in subrequests
3999 - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in
4000 in server/protocol.c.
4001 - CVE-2010-0434
4002
4003 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Mar 2010 14:48:48 -0500
4004
4005apache2 (2.2.14-5ubuntu2) lucid; urgency=low
4006
4007 * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really
4008 wacky options. (LP: #450501)
4009
4010 -- Chuck Short <zulcss@ubuntu.com> Mon, 08 Mar 2010 14:53:17 -0500
4011
4012apache2 (2.2.14-5ubuntu1) lucid; urgency=low
4013
4014 * Merge from debian testing. Remaining changes: LP: #506862
4015 - debian/{control, rules}: Enable PIE hardening.
4016 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
4017 - debian/control: Add bzr tag and point it to our tree.
4018
4019 -- Bhavani Shankar <right2bhavi@gmail.com> Wed, 13 Jan 2010 14:28:41 +0530
4020
2156apache2 (2.2.14-5) unstable; urgency=low4021apache2 (2.2.14-5) unstable; urgency=low
21574022
2158 * Security: Further mitigation for the TLS renegotation attack4023 * Security: Further mitigation for the TLS renegotation attack
@@ -2176,6 +4041,15 @@ apache2 (2.2.14-5) unstable; urgency=low
21764041
2177 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +01004042 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +0100
21784043
4044apache2 (2.2.14-4ubuntu1) lucid; urgency=low
4045
4046 * Resynchronzie with Debian, remaining changes are:
4047 - debian/{control, rules}: Enable PIE hardening.
4048 - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
4049 - debian/control: Add bzr tag and point it to our tree.
4050
4051 -- Chuck Short <zulcss@ubuntu.com> Wed, 23 Dec 2009 14:44:51 -0500
4052
2179apache2 (2.2.14-4) unstable; urgency=low4053apache2 (2.2.14-4) unstable; urgency=low
21804054
2181 * Disable localized error pages again by default because they break4055 * Disable localized error pages again by default because they break
@@ -2226,6 +4100,17 @@ apache2 (2.2.14-2) unstable; urgency=medium
22264100
2227 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +01004101 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +0100
22284102
4103apache2 (2.2.14-1ubuntu1) lucid; urgency=low
4104
4105 * Merge from debian testing, remaining changes:
4106 - debian/{control, rules}: Enable PIE hardening.
4107 - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
4108 - debian/conrol: Add bzr tag and point it to our tree.
4109 - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
4110 Already applied upstream.
4111
4112 -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 00:29:03 +0000
4113
2229apache2 (2.2.14-1) unstable; urgency=low4114apache2 (2.2.14-1) unstable; urgency=low
22304115
2231 * New upstream version:4116 * New upstream version:
@@ -2260,6 +4145,24 @@ apache2 (2.2.13-1) unstable; urgency=low
22604145
2261 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +02004146 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +0200
22624147
4148apache2 (2.2.12-1ubuntu2) karmic; urgency=low
4149
4150 * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
4151 - Fix potential segfaults with the use of the legacy ap_rputs() etc
4152 interfaces, in cases where an output filter fails. This happens
4153 frequently after CVE-2009-1891 got fixed. (LP: #409987)
4154
4155 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 17 Aug 2009 15:38:47 -0400
4156
4157apache2 (2.2.12-1ubuntu1) karmic; urgency=low
4158
4159 * Merge from debian unstable, remaining changes:
4160 - debian/{control,rules}: enable PIE hardening.
4161 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4162 - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.
4163
4164 -- Chuck Short <zulcss@ubuntu.com> Tue, 04 Aug 2009 20:04:24 +0100
4165
2263apache2 (2.2.12-1) unstable; urgency=low4166apache2 (2.2.12-1) unstable; urgency=low
22644167
2265 * New upstream release:4168 * New upstream release:
@@ -2307,6 +4210,16 @@ apache2 (2.2.12-1) unstable; urgency=low
23074210
2308 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +02004211 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +0200
23094212
4213apache2 (2.2.11-7ubuntu1) karmic; urgency=low
4214
4215 * Merge from debian unstable, remaining changes: LP: #398130
4216 - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
4217 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4218 - debian/{control,rules}: enable PIE hardening.
4219 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4220
4221 -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 11 Jul 2009 16:34:32 +0530
4222
2310apache2 (2.2.11-7) unstable; urgency=low4223apache2 (2.2.11-7) unstable; urgency=low
23114224
2312 * Security fixes:4225 * Security fixes:
@@ -2321,6 +4234,16 @@ apache2 (2.2.11-7) unstable; urgency=low
23214234
2322 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +02004235 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +0200
23234236
4237apache2 (2.2.11-6ubuntu1) karmic; urgency=low
4238
4239 * Merge from debian unstable, remaining changes:
4240 - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
4241 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4242 - debian/{control,rules}: enable PIE hardening.
4243 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4244
4245 -- Chuck Short <zulcss@ubuntu.com> Tue, 09 Jun 2009 01:01:23 +0100
4246
2324apache2 (2.2.11-6) unstable; urgency=high4247apache2 (2.2.11-6) unstable; urgency=high
23254248
2326 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server4249 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
@@ -2329,6 +4252,16 @@ apache2 (2.2.11-6) unstable; urgency=high
23294252
2330 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +02004253 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +0200
23314254
4255apache2 (2.2.11-5ubuntu1) karmic; urgency=low
4256
4257 * Merge from debian unstable, remaining changes:
4258 - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4259 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4260 - debian/{control,rules}: enable PIE hardening.
4261 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4262
4263 -- Andrew Mitchell <ajmitch@ubuntu.com> Wed, 03 Jun 2009 14:10:54 +1200
4264
2332apache2 (2.2.11-5) unstable; urgency=low4265apache2 (2.2.11-5) unstable; urgency=low
23334266
2334 * Move all binaries into a new package apache2.2-bin and make4267 * Move all binaries into a new package apache2.2-bin and make
@@ -2377,6 +4310,16 @@ apache2 (2.2.11-4) unstable; urgency=low
23774310
2378 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +02004311 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +0200
23794312
4313apache2 (2.2.11-3ubuntu1) karmic; urgency=low
4314
4315 * Merge from debian unstable, remaining changes:
4316 - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4317 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4318 - debian/{control,rules}: enable PIE hardening.
4319 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4320
4321 -- Andrew Mitchell <ajmitch@ubuntu.com> Tue, 12 May 2009 16:15:34 +1200
4322
2380apache2 (2.2.11-3) unstable; urgency=low4323apache2 (2.2.11-3) unstable; urgency=low
23814324
2382 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap4325 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
@@ -2385,6 +4328,21 @@ apache2 (2.2.11-3) unstable; urgency=low
23854328
2386 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +02004329 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +0200
23874330
4331apache2 (2.2.11-2ubuntu2) jaunty; urgency=low
4332
4333 * debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4334 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4335
4336 -- Chuck Short <zulcss@ubuntu.com> Wed, 01 Apr 2009 11:39:17 -0400
4337
4338apache2 (2.2.11-2ubuntu1) jaunty; urgency=low
4339
4340 * Merge from debian unstable, remaining changes:
4341 - debian/{contro,rules}: enable PIE hardening.
4342 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4343
4344 -- Chuck Short <zulcss@ubuntu.com> Sat, 17 Jan 2009 00:02:55 +0000
4345
2388apache2 (2.2.11-2) unstable; urgency=low4346apache2 (2.2.11-2) unstable; urgency=low
23894347
2390 * Report an error instead instead of segfaulting when apr_pollset_create4348 * Report an error instead instead of segfaulting when apr_pollset_create
@@ -2394,6 +4352,14 @@ apache2 (2.2.11-2) unstable; urgency=low
23944352
2395 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +01004353 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +0100
23964354
4355apache2 (2.2.11-1ubuntu1) jaunty; urgency=low
4356
4357 * Merge from debian unstable, remaining changes:
4358 - debian/{control, rules}: enable PIE hardening.
4359 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4360
4361 -- Chuck Short <zulcss@ubuntu.com> Mon, 15 Dec 2008 00:06:50 +0000
4362
2397apache2 (2.2.11-1) unstable; urgency=low4363apache2 (2.2.11-1) unstable; urgency=low
23984364
2399 [Thom May]4365 [Thom May]
@@ -2408,6 +4374,14 @@ apache2 (2.2.11-1) unstable; urgency=low
24084374
2409 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +01004375 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +0100
24104376
4377apache2 (2.2.9-11ubuntu1) jaunty; urgency=low
4378
4379 * Merge from debian unstable, remaining changes: (LP: #303375)
4380 - debian/{control, rules}: enable PIE hardening.
4381 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4382
4383 -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 29 Nov 2008 14:02:31 +0530
4384
2411apache2 (2.2.9-11) unstable; urgency=low4385apache2 (2.2.9-11) unstable; urgency=low
24124386
2413 * Regression fix from upstream svn for mod_proxy:4387 * Regression fix from upstream svn for mod_proxy:
@@ -2422,6 +4396,14 @@ apache2 (2.2.9-11) unstable; urgency=low
24224396
2423 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +01004397 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +0100
24244398
4399apache2 (2.2.9-10ubuntu1) jaunty; urgency=low
4400
4401 * Merge from debian unstable, remaining changes:
4402 - debian/{control, rules}: enable PIE hardening.
4403 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4404
4405 -- Chuck Short <zulcss@ubuntu.com> Wed, 05 Nov 2008 02:23:18 -0400
4406
2425apache2 (2.2.9-10) unstable; urgency=low4407apache2 (2.2.9-10) unstable; urgency=low
24264408
2427 * Regression fix from upstream svn for mod_proxy_http:4409 * Regression fix from upstream svn for mod_proxy_http:
@@ -2452,6 +4434,27 @@ apache2 (2.2.9-8) unstable; urgency=low
24524434
2453 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +02004435 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +0200
24544436
4437apache2 (2.2.9-7ubuntu3) intrepid; urgency=low
4438
4439 * Revert logrotate change since it will break it for everyone.
4440
4441 -- Chuck Short <zulcss@ubuntu.com> Fri, 19 Sep 2008 09:32:01 -0400
4442
4443apache2 (2.2.9-7ubuntu2) intrepid; urgency=low
4444
4445 * debian/logrotate: Restart rather than reload for busy websites.
4446 (LP: #270899)
4447
4448 -- Chuck Short <zulcss@ubuntu.com> Thu, 18 Sep 2008 08:42:22 -0400
4449
4450apache2 (2.2.9-7ubuntu1) intrepid; urgency=low
4451
4452 * Merge from debian unstable, remaining changes:
4453 - debian/{control,rules}: enable PIE hardening.
4454 - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles.
4455
4456 -- Kees Cook <kees@ubuntu.com> Thu, 28 Aug 2008 08:10:59 -0700
4457
2455apache2 (2.2.9-7) unstable; urgency=low4458apache2 (2.2.9-7) unstable; urgency=low
24564459
2457 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).4460 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).
@@ -2494,6 +4497,23 @@ apache2 (2.2.9-4) unstable; urgency=low
24944497
2495 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +02004498 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +0200
24964499
4500apache2 (2.2.9-3ubuntu2) intrepid; urgency=low
4501
4502 * add ufw integration (see
4503 https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages)
4504 (LP: #261198)
4505 - debian/control: suggest ufw for apache2.2-common
4506 - add apache2.2-common.ufw.profile with 3 profiles and install it to
4507 /etc/ufw/applications.d/apache2.2-common
4508
4509 -- Didier Roche <didrocks@ubuntu-fr.org> Tue, 26 Aug 2008 19:03:42 +0200
4510
4511apache2 (2.2.9-3ubuntu1) intrepid; urgency=low
4512
4513 * debian/{control,rules}: enable PIE hardening
4514
4515 -- Kees Cook <kees@ubuntu.com> Wed, 20 Aug 2008 15:45:00 -0700
4516
2497apache2 (2.2.9-3) unstable; urgency=low4517apache2 (2.2.9-3) unstable; urgency=low
24984518
2499 [ Stefan Fritsch ]4519 [ Stefan Fritsch ]
@@ -4064,9 +6084,7 @@ apache2 (2.0.37-1) unstable; urgency=low
4064 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +01006084 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +0100
40656085
4066apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low6086apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low
4067
4068 * New upstream release6087 * New upstream release
4069
4070 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +01006088 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +0100
40716089
4072apache2 (2.0.36-2) unstable; urgency=low6090apache2 (2.0.36-2) unstable; urgency=low
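Review bot: The only change in this hunk is the removal of the two blank lines around "* New upstream release" in the 2.0.37+cvs.JCW_PRE2_2037-1 entry, which is a whitespace-only difference from Debian's changelog in a 2002 entry. Unless it is intentional, restore the blank lines so the Ubuntu delta in debian/changelog stays limited to the Ubuntu entries.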
@@ -4574,3 +6592,4 @@ apache2 (2.0.18-1) unstable; urgency=low
4574 * Initial Release.6592 * Initial Release.
45756593
4576 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +10006594 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +1000
6595
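Review bot: The added line 6595 is an empty line at the end of debian/changelog, after the trailer of the 2.0.18-1 entry. It carries no content and makes the file differ from Debian's at the tail, so drop it unless something depends on it.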
diff --git a/debian/control b/debian/control
index af2505a..900f549 100644
--- a/debian/control
+++ b/debian/control
@@ -1,5 +1,6 @@
1Source: apache21Source: apache2
2Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>2Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
3XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
3Uploaders: Stefan Fritsch <sf@debian.org>,4Uploaders: Stefan Fritsch <sf@debian.org>,
4 Arno Töll <arno@debian.org>,5 Arno Töll <arno@debian.org>,
5 Ondřej Surý <ondrej@debian.org>,6 Ondřej Surý <ondrej@debian.org>,
@@ -44,7 +45,8 @@ Depends: apache2-bin (= ${binary:Version}),
44Recommends: ssl-cert45Recommends: ssl-cert
45Suggests: apache2-doc,46Suggests: apache2-doc,
46 apache2-suexec-pristine | apache2-suexec-custom,47 apache2-suexec-pristine | apache2-suexec-custom,
47 www-browser48 www-browser,
49 ufw
48Pre-Depends: ${misc:Pre-Depends}50Pre-Depends: ${misc:Pre-Depends}
49Provides: httpd,51Provides: httpd,
50 httpd-cgi52 httpd-cgi
diff --git a/debian/icons/ubuntu-logo.png b/debian/icons/ubuntu-logo.png
51new file mode 10064453new file mode 100644
index 0000000..eee686c
52Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ54Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ
diff --git a/debian/index.html b/debian/index.html
index 766401d..9c90ef4 100644
--- a/debian/index.html
+++ b/debian/index.html
@@ -1,9 +1,13 @@
1
2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">1<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3<html xmlns="http://www.w3.org/1999/xhtml">2<html xmlns="http://www.w3.org/1999/xhtml">
3 <!--
4 Modified from the Debian original for Ubuntu
5 Last updated: 2022-03-22
6 See: https://launchpad.net/bugs/1966004
7 -->
4 <head>8 <head>
5 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />9 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
6 <title>Apache2 Debian Default Page: It works</title>10 <title>Apache2 Ubuntu Default Page: It works</title>
7 <style type="text/css" media="screen">11 <style type="text/css" media="screen">
8 * {12 * {
9 margin: 0px 0px 0px 0px;13 margin: 0px 0px 0px 0px;
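Review bot: The new comment hard-codes "Last updated: 2022-03-22", which has to be edited by hand whenever this page changes and will otherwise be stale in every installed copy. Consider dropping the date and keeping only the bug reference, since the packaging history already records when the page was modified.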
@@ -15,7 +19,7 @@
1519
16 background-color: #D8DBE2;20 background-color: #D8DBE2;
1721
18 font-family: Verdana, sans-serif;22 font-family: Ubuntu, Verdana, sans-serif;
19 font-size: 11pt;23 font-size: 11pt;
20 text-align: center;24 text-align: center;
21 }25 }
@@ -41,7 +45,7 @@
41 }45 }
4246
43 div.page_header {47 div.page_header {
44 height: 99px;48 height: 180px;
45 width: 100%;49 width: 100%;
4650
47 background-color: #F5F6F7;51 background-color: #F5F6F7;
@@ -60,6 +64,19 @@
60 border: 0px 0px 0px;64 border: 0px 0px 0px;
61 }65 }
6266
67 div.banner {
68 padding: 9px 6px 9px 6px;
69 background-color: #E9510E;
70 color: #FFFFFF;
71 font-weight: bold;
72 font-size: 112%;
73 text-align: center;
74 position: absolute;
75 left: 40%;
76 bottom: 30px;
77 width: 20%;
78 }
79
63 div.table_of_contents {80 div.table_of_contents {
64 clear: left;81 clear: left;
6582
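Review bot: div.banner is placed with position: absolute, left: 40% and bottom: 30px, so it is laid out against the nearest positioned ancestor, and nothing in the visible rules shows div.page_header (or another ancestor) setting position: relative. Without that the banner anchors to the page rather than to the header. Please confirm the ancestor rule exists, and check that width: 20% still fits "It works!" at 112% bold on narrow viewports.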
@@ -136,10 +153,6 @@
136 text-align: center;153 text-align: center;
137 }154 }
138155
139 div.section_header_red {
140 background-color: #CD214F;
141 }
142
143 div.section_header_grey {156 div.section_header_grey {
144 background-color: #9F9386;157 background-color: #9F9386;
145 }158 }
@@ -188,46 +201,31 @@
188 <body>201 <body>
189 <div class="main_page">202 <div class="main_page">
190 <div class="page_header floating_element">203 <div class="page_header floating_element">
191 <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/>204 <img src="icons/ubuntu-logo.png" alt="Ubuntu Logo"
192 <span class="floating_element">205 style="width:184px;height:146px;" class="floating_element" />
193 Apache2 Debian Default Page206 <div>
194 </span>207 <span style="margin-top: 1.5em;" class="floating_element">
195 </div>208 Apache2 Default Page
196<!-- <div class="table_of_contents floating_element">209 </span>
197 <div class="section_header section_header_grey">
198 TABLE OF CONTENTS
199 </div>
200 <div class="table_of_contents_item floating_element">
201 <a href="#about">About</a>
202 </div>
203 <div class="table_of_contents_item floating_element">
204 <a href="#changes">Changes</a>
205 </div>
206 <div class="table_of_contents_item floating_element">
207 <a href="#scope">Scope</a>
208 </div>
209 <div class="table_of_contents_item floating_element">
210 <a href="#files">Config files</a>
211 </div>210 </div>
212 </div>211 <div class="banner">
213-->
214 <div class="content_section floating_element">
215
216
217 <div class="section_header section_header_red">
218 <div id="about"></div>212 <div id="about"></div>
219 It works!213 It works!
220 </div>214 </div>
215
216 </div>
217 <div class="content_section floating_element">
221 <div class="content_section_text">218 <div class="content_section_text">
222 <p>219 <p>
223 This is the default welcome page used to test the correct 220 This is the default welcome page used to test the correct
224 operation of the Apache2 server after installation on Debian systems.221 operation of the Apache2 server after installation on Ubuntu systems.
222 It is based on the equivalent page on Debian, from which the Ubuntu Apache
223 packaging is derived.
225 If you can read this page, it means that the Apache HTTP server installed at224 If you can read this page, it means that the Apache HTTP server installed at
226 this site is working properly. You should <b>replace this file</b> (located at225 this site is working properly. You should <b>replace this file</b> (located at
227 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.226 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.
228 </p>227 </p>
229228
230
231 <p>229 <p>
232 If you are a normal user of this web site and don't know what this page is230 If you are a normal user of this web site and don't know what this page is
233 about, this probably means that the site is currently unavailable due to231 about, this probably means that the site is currently unavailable due to
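Review bot: The new img tag uses src="icons/ubuntu-logo.png", a relative URL, where the line it replaces used the absolute "/icons/openlogo-75.png". A relative src resolves against the directory of the page URL, so the logo only loads when this index.html is served from a location that has an icons/ path beside it; if that is not intended, use "/icons/ubuntu-logo.png". The inline style attributes on the img and span could also move into the existing style block next to div.banner.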
@@ -242,18 +240,17 @@
242 </div>240 </div>
243 <div class="content_section_text">241 <div class="content_section_text">
244 <p>242 <p>
245 Debian's Apache2 default configuration is different from the243 Ubuntu's Apache2 default configuration is different from the
246 upstream default configuration, and split into several files optimized for244 upstream default configuration, and split into several files optimized for
247 interaction with Debian tools. The configuration system is245 interaction with Ubuntu tools. The configuration system is
248 <b>fully documented in246 <b>fully documented in
249 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full247 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full
250 documentation. Documentation for the web server itself can be248 documentation. Documentation for the web server itself can be
251 found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt>249 found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt>
252 package was installed on this server.250 package was installed on this server.
253
254 </p>251 </p>
255 <p>252 <p>
256 The configuration layout for an Apache2 web server installation on Debian systems is as follows:253 The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:
257 </p>254 </p>
258 <pre>255 <pre>
259/etc/apache2/256/etc/apache2/
@@ -308,9 +305,12 @@
308 </li>305 </li>
309306
310 <li>307 <li>
311 The binary is called apache2. Due to the use of308 The binary is called apache2 and is managed using systemd, so to
312 environment variables, in the default configuration, apache2 needs to be309 start/stop the service use <tt>systemctl start apache2</tt> and
313 started/stopped with <tt>/etc/init.d/apache2</tt> or <tt>apache2ctl</tt>.310 <tt>systemctl stop apache2</tt>, and use <tt>systemctl status apache2</tt>
311 and <tt>journalctl -u apache2</tt> to check status. <tt>system</tt>
312 and <tt>apache2ctl</tt> can also be used for service management if
313 desired.
314 <b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the314 <b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the
315 default configuration.315 default configuration.
316 </li>316 </li>
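Review bot: In the added text, "<tt>system</tt> and <tt>apache2ctl</tt> can also be used for service management" names a tool called system, which looks like a typo for service. The rewrite also drops the clause "Due to the use of environment variables", which was the stated reason that calling the binary directly fails, so the bold warning that follows now has no explanation; consider keeping a short version of it.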
@@ -324,8 +324,8 @@
324324
325 <div class="content_section_text">325 <div class="content_section_text">
326 <p>326 <p>
327 By default, Debian does not allow access through the web browser to327 By default, Ubuntu does not allow access through the web browser to
328 <em>any</em> file apart of those located in <tt>/var/www</tt>,328 <em>any</em> file outside of those located in <tt>/var/www</tt>,
329 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>329 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
330 directories (when enabled) and <tt>/usr/share</tt> (for web330 directories (when enabled) and <tt>/usr/share</tt> (for web
331 applications). If your site is using a web document root331 applications). If your site is using a web document root
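Review bot: The mod_userdir link in the context lines still points to http://httpd.apache.org/docs/2.4/mod/mod_userdir.html, while the bug-report link in this same file is being moved to an https URL. Since this paragraph is being edited anyway, switch the documentation link to https as well.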
@@ -333,9 +333,8 @@
333 document root directory in <tt>/etc/apache2/apache2.conf</tt>.333 document root directory in <tt>/etc/apache2/apache2.conf</tt>.
334 </p>334 </p>
335 <p>335 <p>
336 The default Debian document root is <tt>/var/www/html</tt>. You336 The default Ubuntu document root is <tt>/var/www/html</tt>. You
337 can make your own virtual hosts under /var/www. This is different337 can make your own virtual hosts under /var/www.
338 to previous releases which provides better security out of the box.
339 </p>338 </p>
340 </div>339 </div>
341340
@@ -345,24 +344,20 @@
345 </div>344 </div>
346 <div class="content_section_text">345 <div class="content_section_text">
347 <p>346 <p>
348 Please use the <tt>reportbug</tt> tool to report bugs in the347 Please use the <tt>ubuntu-bug</tt> tool to report bugs in the
349 Apache2 package with Debian. However, check <a348 Apache2 package with Ubuntu. However, check <a
350 href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"349 href="https://bugs.launchpad.net/ubuntu/+source/apache2"
351 rel="nofollow">existing bug reports</a> before reporting a new bug.350 rel="nofollow">existing bug reports</a> before reporting a new bug.
352 </p>351 </p>
353 <p>352 <p>
354 Please report bugs specific to modules (such as PHP and others)353 Please report bugs specific to modules (such as PHP and others)
355 to respective packages, not to the web server itself.354 to their respective packages, not to the web server itself.
356 </p>355 </p>
357 </div>356 </div>
358357
359
360
361
362 </div>358 </div>
363 </div>359 </div>
364 <div class="validator">360 <div class="validator">
365 </div>361 </div>
366 </body>362 </body>
367</html>363</html>
368
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index d617b1d..823d9c0 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -17,6 +17,7 @@ debian/icons/odf6otp-20x22.png
17debian/icons/odf6ots-20x22.png17debian/icons/odf6ots-20x22.png
18debian/icons/odf6ott-20x22.png18debian/icons/odf6ott-20x22.png
19debian/icons/openlogo-75.png19debian/icons/openlogo-75.png
20debian/icons/ubuntu-logo.png
20debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml21debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml
21debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php22debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php
22debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml23debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml
