Merge ~bryce/ubuntu/+source/apache2:merge-v2.4.54-3-lunar into ubuntu/+source/apache2:debian/sid

Proposed by Bryce Harrington
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: git-ubuntu bot
Merged at revision: 41d5df1e18b8e7167aa892ce2cf29370826fba13
Proposed branch: ~bryce/ubuntu/+source/apache2:merge-v2.4.54-3-lunar
Merge into: ubuntu/+source/apache2:debian/sid
Diff against target: 2868 lines (+2159/-60)
10 files modified
debian/apache2-bin.install (+1/-0)
debian/apache2-utils.ufw.profile (+14/-0)
debian/apache2.dirs (+1/-0)
debian/apache2.install (+1/-0)
debian/apache2.postrm (+2/-0)
debian/apache2.py (+48/-0)
debian/changelog (+2036/-2)
debian/control (+4/-2)
debian/index.html (+51/-56)
debian/source/include-binaries (+1/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Sergio Durigan Junior (community) Approve
Canonical Server Reporter Pending
Review via email: mp+433316@code.launchpad.net

Description of the change

Fairly trivial merge of 2.4.54-3, to pick up one minor fix for alias /manual. The delta is all Ubuntu-specific and so is just carried forward. Upstream releases every few months and the last release was in June, so I expect to be re-merging this at least once more this cycle.

PPA with test packages: https://launchpad.net/~bryce/+archive/ubuntu/apache2-merge-v2.4.54-3

    $ sudo add-apt-repository -yus ppa:bryce/apache2-merge-v2.4.54-3
    $ sudo apt-get install apache2

* gnome-terminal
  - lp-test-ppa ppa:bryce/apache2-merge-v2.4.54-3 --release lunar --showpass

* Results:
  - apache2/2.4.54-3ubuntu1~lunar1
    + ✅ apache2 on lunar for amd64 @ 18.11.22 21:49:18 Log️ 🗒️
    + ✅ apache2 on lunar for arm64 @ 18.11.22 21:54:28 Log️ 🗒️
    + ✅ apache2 on lunar for armhf @ 18.11.22 21:19:11 Log️ 🗒️
    + ❌ apache2 on lunar for i386 @ 18.11.22 21:48:17 Log️ 🗒️
      • run-test-suite FAIL 🟥
      • duplicate-module-load PASS 🟩
      • default-mods PASS 🟩
      • htcacheclean PASS 🟩
      • ssl-passphrase PASS 🟩
      • check-http2 PASS 🟩
      • chroot FAIL 🟥
    + ✅ apache2 on lunar for ppc64el @ 18.11.22 21:37:09 Log️ 🗒️
    + ✅ apache2 on lunar for s390x @ 18.11.22 21:04:39 Log️ 🗒️

The issues on i386 are assuredly just the usual flaky test situation apache2 is plagued with, but I've re-triggered to double-check.

Usual tags pushed for review:
  - tags/old/debian 5a3995743
  - tags/new/debian 36f5aa2f1
  - tags/old/ubuntu 7056ded95
  - tags/logical/2.4.54-2ubuntu1 e80266d97
  - tags/reconstruct/2.4.54-2ubuntu1 eb8dddba3
  - tags/split/2.4.54-2ubuntu1 f0bac5dcc

Sergio Durigan Junior (sergiodj) wrote :

I'm taking this one.

Sergio Durigan Junior (sergiodj) wrote :

Thanks for the MP, Bryce.

Indeed, trivial merge it seems. Changes seem OK, builds finished without problems, dep8 tests seem OK modulo the usual flaky ones. d/changelog entry is alright. LGTM, +1.

Thanks.

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: bryce, sergiodj
Uploaders: bryce, sergiodj
MP auto-approved

review: Approve
Bryce Harrington (bryce) wrote :

Thanks Sergio, uploaded

Vcs-Git: https://git.launchpad.net/~bryce/ubuntu/+source/apache2
Vcs-Git-Commit: 41d5df1e18b8e7167aa892ce2cf29370826fba13
Vcs-Git-Ref: refs/heads/merge-v2.4.54-3-lunar
$ dput ubuntu ../apache2_2.4.54-3ubuntu1_source.changes
D: Setting host argument.
Checking signature on .changes
Checking signature on .dsc
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.54-3ubuntu1.dsc: done.
  Uploading apache2_2.4.54.orig.tar.gz: done.
  Uploading apache2_2.4.54-3ubuntu1.debian.tar.xz: done.
  Uploading apache2_2.4.54-3ubuntu1_source.buildinfo: done.
  Uploading apache2_2.4.54-3ubuntu1_source.changes: done.
Successfully uploaded packages.

The i386 tests failed again on retry, but I still think it's flaky tests. I'll keep an eye on if it fails in -proposed.

Preview Diff

diff --git a/debian/apache2-bin.install b/debian/apache2-bin.install
index 63c573f..3d1bdf1 100644
--- a/debian/apache2-bin.install
+++ b/debian/apache2-bin.install
@@ -1,2 +1,3 @@
1/usr/lib/apache2/modules/1/usr/lib/apache2/modules/
2/usr/sbin/apache22/usr/sbin/apache2
3debian/apache2.py usr/share/apport/package-hooks
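Review bot: the hook is named apache2.py but the added line ships it from apache2-bin, the same package that installs /usr/sbin/apache2 two lines up. Apport selects package hooks by file name, so please confirm the hook is actually picked up for reports filed against apache2-bin; if it is not, installing it under the source-package form (source_apache2.py) would cover every binary package built from this source.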
diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile
3new file mode 1006444new file mode 100644
index 0000000..974a655
--- /dev/null
+++ b/debian/apache2-utils.ufw.profile
@@ -0,0 +1,14 @@
1[Apache]
2title=Web Server
3description=Apache v2 is the next generation of the omnipresent Apache web server.
4ports=80/tcp
5
6[Apache Secure]
7title=Web Server (HTTPS)
8description=Apache v2 is the next generation of the omnipresent Apache web server.
9ports=443/tcp
10
11[Apache Full]
12title=Web Server (HTTP,HTTPS)
13description=Apache v2 is the next generation of the omnipresent Apache web server.
14ports=80,443/tcp
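Review bot: all three sections carry the identical description= text, so only the title hints that [Apache] and [Apache Full] open cleartext 80/tcp while [Apache Secure] opens 443/tcp alone. Suggest a per-profile description that names the protocol or ports it allows, so an admin choosing a profile can see what is being exposed without reading the ports= line.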
diff --git a/debian/apache2.dirs b/debian/apache2.dirs
index 6089013..1aa6d3c 100644
--- a/debian/apache2.dirs
+++ b/debian/apache2.dirs
@@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk
10var/lib/apache210var/lib/apache2
11var/log/apache211var/log/apache2
12var/www/html12var/www/html
13/etc/ufw/applications.d/apache2
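Review bot: the added entry `/etc/ufw/applications.d/apache2` starts with a slash while every other entry in this file is relative (var/lib/apache2, var/www/html), and it creates a directory named apache2 inside applications.d. The profile itself is installed directly into /etc/ufw/applications.d/ by the debian/apache2.install change in this same diff, so this directory looks unused; suggest `etc/ufw/applications.d` or dropping the line.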
diff --git a/debian/apache2.install b/debian/apache2.install
index b6ad789..92865fc 100644
--- a/debian/apache2.install
+++ b/debian/apache2.install
@@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2
8debian/config-dir/envvars /etc/apache28debian/config-dir/envvars /etc/apache2
9debian/config-dir/magic /etc/apache29debian/config-dir/magic /etc/apache2
10debian/debhelper/apache2-maintscript-helper /usr/share/apache2/10debian/debhelper/apache2-maintscript-helper /usr/share/apache2/
11debian/apache2-utils.ufw.profile /etc/ufw/applications.d/
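Review bot: the added line installs the file under its source name, so the profile lands as /etc/ufw/applications.d/apache2-utils.ufw.profile even though it is shipped by apache2 rather than apache2-utils. Suggest renaming the source file to match the owning package, or noting in the changelog why the apache2-utils name is kept, so the file's owner is not misread during audits of /etc/ufw.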
diff --git a/debian/apache2.postrm b/debian/apache2.postrm
index a68583c..4a22601 100644
--- a/debian/apache2.postrm
+++ b/debian/apache2.postrm
@@ -33,6 +33,8 @@ is_default_index_html () {
33 776221a94e5a174dc2396c0f3f6b6a7433 776221a94e5a174dc2396c0f3f6b6a74
34 c481228d439cbb54bdcedbaec5bbb11a34 c481228d439cbb54bdcedbaec5bbb11a
35 e2620d4a5a0f8d80dd4b16de59af981f35 e2620d4a5a0f8d80dd4b16de59af981f
36 3526531ccd6c6a1d2340574a305a18f8
37 720999b43a3be0674180354ac41f20b1
36 EOF38 EOF
37}39}
3840
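Review bot: the two sums added to the list in is_default_index_html carry no indication of which index.html revision each one matches. Since debian/index.html in this branch differs from the target (+51/-56), please confirm one of them is the md5 of the page as shipped here, otherwise the function will not recognise an untouched default page; a comment above the list mapping each sum to a package version would make that checkable in later merges.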
diff --git a/debian/apache2.py b/debian/apache2.py
39new file mode 10064441new file mode 100644
index 0000000..a9fb9d8
--- /dev/null
+++ b/debian/apache2.py
@@ -0,0 +1,48 @@
1#!/usr/bin/python
2
3'''apport hook for apache2
4
5(c) 2010 Adam Sommer.
6Author: Adam Sommer <asommer@ubuntu.com>
7
8This program is free software; you can redistribute it and/or modify it
9under the terms of the GNU General Public License as published by the
10Free Software Foundation; either version 2 of the License, or (at your
11option) any later version. See http://www.gnu.org/copyleft/gpl.html for
12the full text of the license.
13'''
14
15from apport.hookutils import *
16import os
17
18SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/'
19
20def add_info(report, ui):
21 if os.path.isdir(SITES_ENABLED_DIR):
22 response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory "
23 "may help developers diagnose your bug more "
24 "quickly. However, it may contain sensitive "
25 "information. Do you want to include it in your "
26 "bug report?")
27
28 if response == None: # user cancelled
29 raise StopIteration
30
31 elif response == True:
32 # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d
33 for conf_file in os.listdir(SITES_ENABLED_DIR):
34 attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file)
35
36 try:
37 report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d'))
38 except OSError:
39 report['Apache2ConfdDirListing'] = str(False)
40
41 # Attach default config files if changed.
42 attach_conffiles(report, 'apache2', conffiles=None)
43
44 # Attach the error.log file.
45 attach_file(report, '/var/log/apache2/error.log', key='error.log')
46
47 # Get loaded modules.
48 report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES'])
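Review bot: the consent prompt in add_info only asks about the sites-enabled directory, yet the hook also attaches /var/log/apache2/error.log and any modified conffiles, which can carry the same kind of sensitive information the prompt warns about. Suggest widening the prompt text to name everything that gets attached (the flattened indentation here does not show whether those calls sit inside the yes branch). Separately, `['/usr/sbin/apachectl', '-D DUMP_MODULES']` passes the flag and its value as one argument with an embedded space; `'-D', 'DUMP_MODULES'` is the safer form. Smaller points: `response == None` reads better as `response is None`, the comment has the typo "Attache", and the shebang still names /usr/bin/python.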
diff --git a/debian/changelog b/debian/changelog
index b3dada2..9ea763a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
1apache2 (2.4.54-3ubuntu1) lunar; urgency=medium
2
3 * Merge with Debian unstable (LP: #1993373). Remaining changes:
4 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
5 d/source/include-binaries: Replace Debian with Ubuntu on default
6 homepage.
7 (LP #1966004)
8 - d/apache2.py, d/apache2-bin.install: Add apport hook
9 (LP #609177)
10 - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
11 d/apache2.dirs: Add ufw profiles
12 (LP #261198)
13
14 -- Bryce Harrington <bryce@canonical.com> Wed, 16 Nov 2022 16:44:44 -0800
15
1apache2 (2.4.54-3) unstable; urgency=medium16apache2 (2.4.54-3) unstable; urgency=medium
217
3 [ Hendrik Jäger ]18 [ Hendrik Jäger ]
@@ -6,6 +21,21 @@ apache2 (2.4.54-3) unstable; urgency=medium
621
7 -- Yadd <yadd@debian.org> Wed, 12 Oct 2022 09:20:52 +020022 -- Yadd <yadd@debian.org> Wed, 12 Oct 2022 09:20:52 +0200
823
24apache2 (2.4.54-2ubuntu1) kinetic; urgency=medium
25
26 * Merge with Debian unstable (LP: #1982048). Remaining changes:
27 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
28 d/source/include-binaries: Replace Debian with Ubuntu on default
29 homepage.
30 (LP #1966004)
31 - d/apache2.py, d/apache2-bin.install: Add apport hook
32 (LP #609177)
33 - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
34 d/apache2.dirs: Add ufw profiles
35 (LP #261198)
36
37 -- Bryce Harrington <bryce@canonical.com> Thu, 21 Jul 2022 19:38:00 +0000
38
9apache2 (2.4.54-2) unstable; urgency=medium39apache2 (2.4.54-2) unstable; urgency=medium
1040
11 * Move cgid socket into a writeable directory (Closes: #1014056)41 * Move cgid socket into a writeable directory (Closes: #1014056)
@@ -32,6 +62,48 @@ apache2 (2.4.54-1) unstable; urgency=medium
3262
33 -- Yadd <yadd@debian.org> Thu, 09 Jun 2022 06:33:53 +020063 -- Yadd <yadd@debian.org> Thu, 09 Jun 2022 06:33:53 +0200
3464
65apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium
66
67 * Merge with Debian unstable (LP: #1971248). Remaining changes:
68 - debian/{control, apache2.install, apache2-utils.ufw.profile,
69 apache2.dirs}: Add ufw profiles.
70 (LP 261198)
71 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
72 (LP 609177)
73 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
74 d/s/include-binaries: replace Debian with Ubuntu on default
75 page and add Ubuntu icon file.
76 (LP 1288690)
77 - d/index.html, d/icons/ubuntu-logo.png: Refresh page design and
78 new logo
79 (LP 1966004)
80 - d/apache2.postrm: Include md5 sum for updated index.html
81 * Dropped:
82 - OOB read in mod_lua via crafted request body
83 + d/p/CVE-2022-22719.patch: error out if lua_read_body() or
84 lua_write_body() fail in modules/lua/lua_request.c.
85 [Fixed in 2.4.53 upstream]
86 - HTTP Request Smuggling via error discarding the
87 request body
88 + d/p/CVE-2022-22720.patch: simpler connection close logic
89 if discarding the request body fails in modules/http/http_filters.c,
90 server/protocol.c.
91 [Fixed in 2.4.53 upstream]
92 - overflow via large LimitXMLRequestBody
93 + d/p/CVE-2022-22721.patch: make sure and check that
94 LimitXMLRequestBody fits in system memory in server/core.c,
95 server/util.c, server/util_xml.c.
96 [Fixed in 2.4.53 upstream]
97 - out-of-bounds write in mod_sed
98 + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger
99 buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
100 modules/filters/mod_sed.c, modules/filters/sed1.c.
101 + d/p/CVE-2022-23943-2.patch: improve the logic flow in
102 modules/filters/mod_sed.c.
103 [Fixed in 2.4.53 upstream]
104
105 -- Bryce Harrington <bryce@canonical.com> Mon, 23 May 2022 19:34:18 -0700
106
35apache2 (2.4.53-2) unstable; urgency=medium107apache2 (2.4.53-2) unstable; urgency=medium
36108
37 * Clean useless Conflicts/Replace109 * Clean useless Conflicts/Replace
@@ -67,6 +139,79 @@ apache2 (2.4.52-2) experimental; urgency=medium
67139
68 -- Yadd <yadd@debian.org> Tue, 28 Dec 2021 20:01:43 +0100140 -- Yadd <yadd@debian.org> Tue, 28 Dec 2021 20:01:43 +0100
69141
142apache2 (2.4.52-1ubuntu4) jammy; urgency=medium
143
144 * d/apache2.postrm: Include md5 sum for updated index.html
145
146 -- Bryce Harrington <bryce@canonical.com> Thu, 24 Mar 2022 17:35:40 -0700
147
148apache2 (2.4.52-1ubuntu3) jammy; urgency=medium
149
150 * d/index.html:
151 - Redesign page's heading for the new logo
152 - Use the Ubuntu font where available
153 - Update service management directions
154 - Copyedit grammar
155 - Light reformatting and whitespace cleanup
156 * d/icons/ubuntu-logo.png: Refresh ubuntu logo
157 (LP: #1966004)
158
159 -- Bryce Harrington <bryce@canonical.com> Wed, 23 Mar 2022 16:18:11 -0700
160
161apache2 (2.4.52-1ubuntu2) jammy; urgency=medium
162
163 * SECURITY UPDATE: OOB read in mod_lua via crafted request body
164 - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
165 lua_write_body() fail in modules/lua/lua_request.c.
166 - CVE-2022-22719
167 * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
168 request body
169 - debian/patches/CVE-2022-22720.patch: simpler connection close logic
170 if discarding the request body fails in modules/http/http_filters.c,
171 server/protocol.c.
172 - CVE-2022-22720
173 * SECURITY UPDATE: overflow via large LimitXMLRequestBody
174 - debian/patches/CVE-2022-22721.patch: make sure and check that
175 LimitXMLRequestBody fits in system memory in server/core.c,
176 server/util.c, server/util_xml.c.
177 - CVE-2022-22721
178 * SECURITY UPDATE: out-of-bounds write in mod_sed
179 - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
180 buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
181 modules/filters/mod_sed.c, modules/filters/sed1.c.
182 - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
183 modules/filters/mod_sed.c.
184 - CVE-2022-23943
185
186 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Mar 2022 09:39:54 -0400
187
188apache2 (2.4.52-1ubuntu1) jammy; urgency=medium
189
190 * Merge with Debian unstable (LP: #1959924). Remaining changes:
191 - debian/{control, apache2.install, apache2-utils.ufw.profile,
192 apache2.dirs}: Add ufw profiles.
193 (LP 261198)
194 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
195 (LP 609177)
196 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
197 d/s/include-binaries: replace Debian with Ubuntu on default
198 page and add Ubuntu icon file.
199 (LP 1288690)
200 * Dropped:
201 - d/p/support-openssl3-*.patch: Backport various patches from
202 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
203 failure to load when using OpenSSL 3.
204 (LP #1951476)
205 [Included in upstream release 2.4.52]
206 - d/apache2ctl: Also use systemd for graceful if it is in use.
207 (LP 1832182)
208 [This introduced a performance regression.]
209 - d/apache2ctl: Also use /run/systemd to check for systemd usage.
210 (LP 1918209)
211 [Not needed]
212
213 -- Bryce Harrington <bryce@canonical.com> Thu, 03 Feb 2022 10:25:47 -0800
214
70apache2 (2.4.52-1) unstable; urgency=medium215apache2 (2.4.52-1) unstable; urgency=medium
71216
72 * Refresh suexec-custom.patch217 * Refresh suexec-custom.patch
@@ -77,6 +222,60 @@ apache2 (2.4.52-1) unstable; urgency=medium
77222
78 -- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +0100223 -- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +0100
79224
225apache2 (2.4.51-2ubuntu1) jammy; urgency=medium
226
227 * Merge with Debian unstable. Remaining changes:
228 - debian/{control, apache2.install, apache2-utils.ufw.profile,
229 apache2.dirs}: Add ufw profiles.
230 (LP 261198)
231 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
232 (LP 609177)
233 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
234 d/s/include-binaries: replace Debian with Ubuntu on default
235 page and add Ubuntu icon file.
236 (LP 1288690)
237 - d/p/support-openssl3-*.patch: Backport various patches from
238 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
239 failure to load when using OpenSSL 3.
240 (LP #1951476)
241 * Dropped:
242 - d/apache2ctl: Also use systemd for graceful if it is in use.
243 (LP: 1832182)
244 [This introduced a performance regression.]
245 - d/apache2ctl: Also use /run/systemd to check for systemd usage.
246 (LP 1918209)
247 [Not needed]
248 - debian/patches/CVE-2021-33193.patch: refactor request parsing in
249 include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
250 include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
251 server/core_filters.c, server/protocol.c, server/vhost.c.
252 [Fixed in 2.4.48-4]
253 - debian/patches/CVE-2021-34798.patch: add NULL check in
254 server/scoreboard.c.
255 [Fixed in 2.4.49-1]
256 - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
257 generic worker in modules/proxy/mod_proxy_uwsgi.c.
258 [Fixed in 2.4.49-1]
259 - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
260 substitution logic in server/util.c.
261 [Fixed in 2.4.49-1]
262 - arbitrary origin server via crafted request uri-path
263 + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
264 parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
265 modules/proxy/proxy_util.c.
266 + debian/patches/CVE-2021-40438.patch: add sanity checks on the
267 configured UDS path in modules/proxy/proxy_util.c.
268 [Fixed in 2.4.49-3]
269 - SECURITY REGRESSION: Issues in UDS URIs. (LP #1945311)
270 + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
271 rules in modules/mappers/mod_rewrite.c.
272 + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
273 hostname in modules/mappers/mod_rewrite.c,
274 modules/proxy/proxy_util.c.
275 [Fixed in 2.4.49-3]
276
277 -- Bryce Harrington <bryce@canonical.com> Thu, 16 Dec 2021 14:09:26 -0800
278
80apache2 (2.4.51-2) unstable; urgency=medium279apache2 (2.4.51-2) unstable; urgency=medium
81280
82 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting281 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting
@@ -142,6 +341,74 @@ apache2 (2.4.48-4) unstable; urgency=medium
142341
143 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200342 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200
144343
344apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium
345
346 * d/p/support-openssl3-*.patch: Backport various patches from
347 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
348 failure to load when using OpenSSL 3. (LP: #1951476)
349
350 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 26 Nov 2021 16:07:56 -0500
351
352apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
353
354 * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
355 - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
356 rules in modules/mappers/mod_rewrite.c.
357 - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
358 hostname in modules/mappers/mod_rewrite.c,
359 modules/proxy/proxy_util.c.
360
361 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Sep 2021 08:52:26 -0400
362
363apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium
364
365 * SECURITY UPDATE: request splitting over HTTP/2
366 - debian/patches/CVE-2021-33193.patch: refactor request parsing in
367 include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
368 include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
369 server/core_filters.c, server/protocol.c, server/vhost.c.
370 - CVE-2021-33193
371 * SECURITY UPDATE: NULL deref via malformed requests
372 - debian/patches/CVE-2021-34798.patch: add NULL check in
373 server/scoreboard.c.
374 - CVE-2021-34798
375 * SECURITY UPDATE: DoS in mod_proxy_uwsgi
376 - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
377 generic worker in modules/proxy/mod_proxy_uwsgi.c.
378 - CVE-2021-36160
379 * SECURITY UPDATE: buffer overflow in ap_escape_quotes
380 - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
381 substitution logic in server/util.c.
382 - CVE-2021-39275
383 * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
384 - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
385 parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
386 modules/proxy/proxy_util.c.
387 - debian/patches/CVE-2021-40438.patch: add sanity checks on the
388 configured UDS path in modules/proxy/proxy_util.c.
389 - CVE-2021-40438
390
391 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Sep 2021 12:51:16 -0400
392
393apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium
394
395 * Merge with Debian unstable. Remaining changes:
396 - debian/{control, apache2.install, apache2-utils.ufw.profile,
397 apache2.dirs}: Add ufw profiles. (LP 261198)
398 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
399 (LP 609177)
400 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
401 d/s/include-binaries: replace Debian with Ubuntu on default
402 page and add Ubuntu icon file. (LP 1288690)
403 - d/apache2ctl: Also use systemd for graceful if it is in use.
404 This extends an earlier fix for the start command to behave
405 similarly for restart / graceful. Fixes service failures on
406 unattended upgrade. (LP 1832182)
407 - d/apache2ctl: Also use /run/systemd to check for systemd usage
408 (LP 1918209)
409
410 -- Bryce Harrington <bryce@canonical.com> Wed, 11 Aug 2021 20:03:24 -0700
411
145apache2 (2.4.48-3.1) unstable; urgency=medium412apache2 (2.4.48-3.1) unstable; urgency=medium
146413
147 * Non-maintainer upload.414 * Non-maintainer upload.
@@ -150,6 +417,46 @@ apache2 (2.4.48-3.1) unstable; urgency=medium
150417
151 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200418 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200
152419
420apache2 (2.4.48-3ubuntu1) impish; urgency=medium
421
422 * Merge with Debian unstable. Remaining changes:
423 - debian/{control, apache2.install, apache2-utils.ufw.profile,
424 apache2.dirs}: Add ufw profiles. (LP: 261198)
425 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
426 (LP: 609177)
427 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
428 d/s/include-binaries: replace Debian with Ubuntu on default
429 page and add Ubuntu icon file. (LP: 1288690)
430 - d/apache2ctl: Also use systemd for graceful if it is in use.
431 This extends an earlier fix for the start command to behave
432 similarly for restart / graceful. Fixes service failures on
433 unattended upgrade. (LP: 1832182)
434 - d/apache2ctl: Also use /run/systemd to check for systemd usage
435 (LP: 1918209)
436 * Dropped:
437 - d/t/control, d/t/check-http2: add basic test for http2 support
438 [Fixed in 2.4.48-2]
439 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
440 [Fixed in 2.4.48-1]
441 - d/p/CVE-2020-13950.patch: don't dereference NULL proxy
442 connection in modules/proxy/mod_proxy_http.c.
443 [Fixed in 2.4.48 upstream]
444 - d/p/CVE-2020-35452.patch: fast validation of the nonce's
445 base64 to fail early if the format can't match anyway in
446 modules/aaa/mod_auth_digest.c.
447 [Fixed in 2.4.48 upstream]
448 - d/p/CVE-2021-26690.patch: save one apr_strtok() in
449 session_identity_decode() in modules/session/mod_session.c.
450 [Fixed in 2.4.48 upstream]
451 - d/p/CVE-2021-26691.patch: account for the '&' in
452 identity_concat() in modules/session/mod_session.c.
453 [Fixed in 2.4.48 upstream]
454 - d/p/CVE-2021-30641.patch: change default behavior in
455 server/request.c.
456 [Fixed in 2.4.48 upstream]
457
458 -- Bryce Harrington <bryce@canonical.com> Thu, 08 Jul 2021 03:20:46 +0000
459
153apache2 (2.4.48-3) unstable; urgency=medium460apache2 (2.4.48-3) unstable; urgency=medium
154461
155 * Fix debian/changelog462 * Fix debian/changelog
@@ -206,6 +513,65 @@ apache2 (2.4.46-5) unstable; urgency=medium
206513
207 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200514 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200
208515
516apache2 (2.4.46-4ubuntu3) impish; urgency=medium
517
518 * No-change rebuild due to OpenLDAP soname bump.
519
520 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 17:43:48 -0400
521
522apache2 (2.4.46-4ubuntu2) impish; urgency=medium
523
524 * SECURITY UPDATE: mod_proxy_http denial of service.
525 - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
526 connection in modules/proxy/mod_proxy_http.c.
527 - CVE-2020-13950
528 * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
529 - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
530 base64 to fail early if the format can't match anyway in
531 modules/aaa/mod_auth_digest.c.
532 - CVE-2020-35452
533 * SECURITY UPDATE: DoS via cookie header in mod_session
534 - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
535 session_identity_decode() in modules/session/mod_session.c.
536 - CVE-2021-26690
537 * SECURITY UPDATE: heap overflow via SessionHeader
538 - debian/patches/CVE-2021-26691.patch: account for the '&' in
539 identity_concat() in modules/session/mod_session.c.
540 - CVE-2021-26691
541 * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
542 - debian/patches/CVE-2021-30641.patch: change default behavior in
543 server/request.c.
544 - CVE-2021-30641
545
546 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Jun 2021 13:09:41 -0400
547
548apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium
549
550 * Merge with Debian unstable, to allow moving from lua5.2 to
551 lua5.3 (LP: #1910372). Remaining changes:
552 - debian/{control, apache2.install, apache2-utils.ufw.profile,
553 apache2.dirs}: Add ufw profiles.
554 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
555 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
556 Debian with Ubuntu on default page.
557 + d/source/include-binaries: add Ubuntu icon file
558 - d/t/control, d/t/check-http2: add basic test for http2 support
559 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
560 issue reading error log too quickly after request, by adding a sleep.
561 (LP #1890302)
562 - d/apache2ctl: Also use systemd for graceful if it is in use.
563 This extends an earlier fix for the start command to behave
564 similarly for restart / graceful. Fixes service failures on
565 unattended upgrade.
566 * Drop:
567 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
568 was re-added by mistake in 2.4.41-1 (Closes #921024)
569 [Included in Debian 2.4.46-3]
570 * d/apache2ctl: Also use /run/systemd to check for systemd usage
571 (LP: #1918209)
572
573 -- Bryce Harrington <bryce@canonical.com> Tue, 09 Mar 2021 00:45:35 +0000
574
209apache2 (2.4.46-4) unstable; urgency=medium575apache2 (2.4.46-4) unstable; urgency=medium
210576
211 * Ignore other random another test failures (Closes: #979664)577 * Ignore other random another test failures (Closes: #979664)
@@ -223,6 +589,28 @@ apache2 (2.4.46-3) unstable; urgency=medium
223589
224 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100590 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100
225591
592apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium
593
594 * Merge with Debian unstable. Remaining changes:
595 - debian/{control, apache2.install, apache2-utils.ufw.profile,
596 apache2.dirs}: Add ufw profiles.
597 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
598 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
599 Debian with Ubuntu on default page.
600 + d/source/include-binaries: add Ubuntu icon file
601 - d/t/control, d/t/check-http2: add basic test for http2 support
602 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
603 was re-added by mistake in 2.4.41-1 (Closes #921024)
604 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
605 issue reading error log too quickly after request, by adding a sleep.
606 (LP #1890302)
607 - d/apache2ctl: Also use systemd for graceful if it is in use.
608 This extends an earlier fix for the start command to behave
609 similarly for restart / graceful. Fixes service failures on
610 unattended upgrade.
611
612 -- Paride Legovini <paride.legovini@canonical.com> Mon, 14 Dec 2020 18:12:15 +0100
613
226apache2 (2.4.46-2) unstable; urgency=medium614apache2 (2.4.46-2) unstable; urgency=medium
227615
228 [ Jean-Michel Vourgère ]616 [ Jean-Michel Vourgère ]
@@ -244,6 +632,39 @@ apache2 (2.4.46-2) unstable; urgency=medium
244632
245 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100633 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100
246634
635apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium
636
637 * d/apache2ctl: Also use systemd for graceful if it is in use.
638 (LP: #1832182)
639 - This extends an earlier fix for the start command to behave
640 similarly for restart / graceful. Fixes service failures on
641 unattended upgrade.
642
643 -- Bryce Harrington <bryce@canonical.com> Mon, 05 Oct 2020 16:06:32 -0700
644
645apache2 (2.4.46-1ubuntu1) groovy; urgency=medium
646
647 * Merge with Debian unstable. Remaining changes:
648 - debian/{control, apache2.install, apache2-utils.ufw.profile,
649 apache2.dirs}: Add ufw profiles.
650 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
651 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
652 Debian with Ubuntu on default page.
653 + d/source/include-binaries: add Ubuntu icon file
654 - d/t/control, d/t/check-http2: add basic test for http2 support
655 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
656 was re-added by mistake in 2.4.41-1 (Closes #921024)
657 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
658 issue reading error log too quickly after request, by adding a sleep.
659 (LP #1890302)
660 * Dropped:
661 - debian/patches/086_svn_cross_compiles: Backport several cross
662 fixes from upstream
663 [Unclear if it's still necessary, and upstream hasn't made a
664 release with it yet]
665
666 -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Aug 2020 09:13:38 -0300
667
247apache2 (2.4.46-1) unstable; urgency=medium668apache2 (2.4.46-1) unstable; urgency=medium
248669
249 [ Xavier Guimard ]670 [ Xavier Guimard ]
@@ -260,6 +681,39 @@ apache2 (2.4.46-1) unstable; urgency=medium
260681
261 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200682 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200
262683
684apache2 (2.4.43-1ubuntu2) groovy; urgency=medium
685
686 * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
687 issue reading error log too quickly after request, by adding a sleep.
688 (LP: #1890302)
689
690 -- Bryce Harrington <bryce@canonical.com> Wed, 05 Aug 2020 12:44:59 -0700
691
692apache2 (2.4.43-1ubuntu1) groovy; urgency=medium
693
694 * Merge with Debian unstable. Remaining changes:
695 - debian/{control, apache2.install, apache2-utils.ufw.profile,
696 apache2.dirs}: Add ufw profiles.
697 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
698 - debian/patches/086_svn_cross_compiles: Backport several cross
699 fixes from upstream
700 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
701 Debian with Ubuntu on default page.
702 + d/source/include-binaries: add Ubuntu icon file
703 - d/t/control, d/t/check-http2: add basic test for http2 support
704 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
705 was re-added by mistake in 2.4.41-1 (Closes #921024)
706 * Dropped:
707 - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
708 parameter to mod_proxy_ajp (LP #1865340)
709 [Fixed upstream]
710 - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
711 mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
712 Closes #955348, LP #1872478
713 [In 2.4.43-1]
714
715 -- Andreas Hasenack <andreas@canonical.com> Tue, 21 Jul 2020 10:22:42 -0300
716
263apache2 (2.4.43-1) unstable; urgency=medium717apache2 (2.4.43-1) unstable; urgency=medium
264718
265 [ Timo Aaltonen ]719 [ Timo Aaltonen ]
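Review bot: in the 2.4.43-1ubuntu1 Dropped list, the mod_proxy_ajp "secret" parameter patches are justified only with "[Fixed upstream]", while the TLS 1.3 client cert item directly below names the version ("[In 2.4.43-1]"). Please name the release that carries the "secret" parameter as well, so someone auditing an older series can tell whether it still needs d/p/mod_proxy_ajp-secret-parameter*.patch.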
@@ -287,6 +741,39 @@ apache2 (2.4.41-5) unstable; urgency=medium
287741
288 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100742 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100
289743
744apache2 (2.4.41-4ubuntu3) focal; urgency=medium
745
746 [ Timo Aaltonen ]
747 * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
748 mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
749 Closes: #955348, LP: #1872478
750
751 -- Andreas Hasenack <andreas@canonical.com> Mon, 13 Apr 2020 14:19:17 -0300
752
753apache2 (2.4.41-4ubuntu2) focal; urgency=medium
754
755 * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
756 parameter to mod_proxy_ajp (LP: #1865340)
757
758 -- Andreas Hasenack <andreas@canonical.com> Thu, 05 Mar 2020 15:51:00 -0300
759
760apache2 (2.4.41-4ubuntu1) focal; urgency=medium
761
762 * Merge with Debian unstable. Remaining changes:
763 - debian/{control, apache2.install, apache2-utils.ufw.profile,
764 apache2.dirs}: Add ufw profiles.
765 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
766 - debian/patches/086_svn_cross_compiles: Backport several cross
767 fixes from upstream
768 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
769 Debian with Ubuntu on default page.
770 + d/source/include-binaries: add Ubuntu icon file
771 - d/t/control, d/t/check-http2: add basic test for http2 support
772 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
773 was re-added by mistake in 2.4.41-1 (Closes #921024)
774
775 -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 10:36:13 -0300
776
290apache2 (2.4.41-4) unstable; urgency=medium777apache2 (2.4.41-4) unstable; urgency=medium
291778
292 * Add gcc in chroot autopkgtest (fixes debci)779 * Add gcc in chroot autopkgtest (fixes debci)
@@ -311,6 +798,41 @@ apache2 (2.4.41-2) unstable; urgency=medium
311798
312 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100799 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100
313800
801apache2 (2.4.41-1ubuntu1) eoan; urgency=medium
802
803 * Merge with Debian unstable. Remaining changes:
804 - debian/{control, apache2.install, apache2-utils.ufw.profile,
805 apache2.dirs}: Add ufw profiles.
806 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
807 - debian/patches/086_svn_cross_compiles: Backport several cross
808 fixes from upstream
809 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
810 Debian with Ubuntu on default page.
811 + d/source/include-binaries: add Ubuntu icon file
812 - d/t/control, d/t/check-http2: add basic test for http2 support
813 * Dropped:
814 - Cherrypick upstream testsuite fix:
815 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
816 as such).
817 + Similarly use TLSv1.2 for pr12355 and pr43738.
818 [Test suite updated in 2.4.41-1]
819 - Cherrypick upstream test suite fix for buffer.
820 [Included in 2.4.41-1]
821 - d/p/spelling-errors.patch: removed hunks already fixed upstream
822 [Included in 2.4.39-1]
823 - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
824 + d/p/CVE-2019-0196.patch
825 + d/p/CVE-2019-0211.patch
826 + d/p/CVE-2019-0215.patch
827 + d/p/CVE-2019-0217.patch
828 + d/p/CVE-2019-0220-*.patch
829 + d/p/CVE-2019-0197.patch
830 * Added:
831 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
832 was re-added by mistake in 2.4.41-1 (Closes: #921024)
833
834 -- Andreas Hasenack <andreas@canonical.com> Wed, 14 Aug 2019 11:36:32 -0300
835
314apache2 (2.4.41-1) unstable; urgency=medium836apache2 (2.4.41-1) unstable; urgency=medium
315837
316 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,838 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,
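Review bot: the 2.4.41-1ubuntu1 Dropped list records the six d/p/CVE-2019-*.patch files as "Dropped from Ubuntu delta now", but the 2.4.39-0ubuntu1 entry further down already lists the same six under "Dropped patches (fixed upstream)". The same drop is recorded in two successive Ubuntu uploads, so a reader tracing when these fixes stopped being carried as patches gets two answers. Keep the record in one entry, or say in the later one that it only restates the earlier drop.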
@@ -343,6 +865,62 @@ apache2 (2.4.39-1) unstable; urgency=medium
343865
344 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200866 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200
345867
868apache2 (2.4.39-0ubuntu1) eoan; urgency=medium
869
870 * New upstream version: 2.4.39
871 * d/p/spelling-errors.patch: removed hunks already fixed upstream
872 * Remaining changes:
873 - Cherrypick upstream test suite fix for buffer.
874 - Cherrypick upstream testsuite fix:
875 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
876 as such).
877 - Similarly use TLSv1.2 for pr12355 and pr43738.
878 - debian/{control, apache2.install, apache2-utils.ufw.profile,
879 apache2.dirs}: Add ufw profiles.
880 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
881 - debian/patches/086_svn_cross_compiles: Backport several cross
882 fixes from upstream
883 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
884 Debian with Ubuntu on default page.
885 + d/source/include-binaries: add Ubuntu icon file
886 - d/t/control, d/t/check-http2: add basic test for http2 support
887 * Dropped patches (fixed upstream):
888 - d/p/CVE-2019-0196.patch
889 - d/p/CVE-2019-0211.patch
890 - d/p/CVE-2019-0215.patch
891 - d/p/CVE-2019-0217.patch
892 - d/p/CVE-2019-0220-*.patch
893 - d/p/CVE-2019-0197.patch
894
895 -- Andreas Hasenack <andreas@canonical.com> Mon, 05 Aug 2019 18:09:08 -0300
896
897apache2 (2.4.38-3ubuntu2) eoan; urgency=medium
898
899 * Cherrypick upstream test suite fix for buffer.
900
901 -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 13 Jun 2019 11:08:24 +0100
902
903apache2 (2.4.38-3ubuntu1) eoan; urgency=low
904
905 * Merge from Debian unstable. Remaining changes:
906 - Cherrypick upstream testsuite fix:
907 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
908 as such).
909 - Similarly use TLSv1.2 for pr12355 and pr43738.
910 - debian/{control, apache2.install, apache2-utils.ufw.profile,
911 apache2.dirs}: Add ufw profiles.
912 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
913 - debian/patches/086_svn_cross_compiles: Backport several cross
914 fixes from upstream
915 [Removed configure chunk, not needed since configure.in is being
916 patched.]
917 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
918 Debian with Ubuntu on default page.
919 + d/source/include-binaries: add Ubuntu icon file
920 - d/t/control, d/t/check-http2: add basic test for http2 support
921
922 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Jun 2019 19:17:38 +0100
923
346apache2 (2.4.38-3) unstable; urgency=high924apache2 (2.4.38-3) unstable; urgency=high
347925
348 [ Marc Deslauriers ]926 [ Marc Deslauriers ]
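Review bot: 2.4.39-0ubuntu1 lists d/p/CVE-2019-0197.patch under "Dropped patches (fixed upstream)", but no Ubuntu entry visible in this diff adds it. The 2.4.38-2ubuntu2 entry adds patches for CVE-2019-0196, CVE-2019-0211, CVE-2019-0215, CVE-2019-0217 and CVE-2019-0220 only, and the 2.4.38-3ubuntu1 "Remaining changes" list in this same hunk carries no CVE patches at all. If these patches arrived through the Debian 2.4.38-3 merge, the Dropped heading should say so, otherwise the audit trail for CVE-2019-0197 has no starting point.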
@@ -380,6 +958,79 @@ apache2 (2.4.38-3) unstable; urgency=high
380958
381 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200959 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200
382960
961apache2 (2.4.38-2ubuntu3) eoan; urgency=medium
962
963 * Cherrypick upstream testsuite fix:
964 - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
965 as such).
966 * Similarly use TLSv1.2 for pr12355 and pr43738.
967
968 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 07 May 2019 10:39:47 +0100
969
970apache2 (2.4.38-2ubuntu2) disco; urgency=medium
971
972 * SECURITY UPDATE: read-after-free on a string compare in mod_http2
973 - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
974 request method in modules/http2/h2_request.c.
975 - CVE-2019-0196
976 * SECURITY UPDATE: privilege escalation from modules' scripts
977 - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
978 child to its slot number in include/scoreboard.h,
979 server/mpm/event/event.c, server/mpm/prefork/prefork.c,
980 server/mpm/worker/worker.c.
981 - CVE-2019-0211
982 * SECURITY UPDATE: mod_ssl access control bypass
983 - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
984 PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
985 - CVE-2019-0215
986 * SECURITY UPDATE: mod_auth_digest access control bypass
987 - debian/patches/CVE-2019-0217.patch: fix a race condition in
988 modules/aaa/mod_auth_digest.c.
989 - CVE-2019-0217
990 * SECURITY UPDATE: URL normalization inconsistincy
991 - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
992 the path in include/http_core.h, include/httpd.h, server/core.c,
993 server/request.c, server/util.c.
994 - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
995 in server/request.c, server/util.c.
996 - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
997 server/util.c.
998 - CVE-2019-0220
999
1000 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Apr 2019 14:31:46 -0400
1001
1002apache2 (2.4.38-2ubuntu1) disco; urgency=medium
1003
1004 * Merge with Debian unstable. Remaining changes:
1005 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1006 apache2.dirs}: Add ufw profiles.
1007 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1008 - debian/patches/086_svn_cross_compiles: Backport several cross
1009 fixes from upstream
1010 [Removed configure chunk, not needed since configure.in is being
1011 patched.]
1012 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1013 Debian with Ubuntu on default page.
1014 + d/source/include-binaries: add Ubuntu icon file
1015 - d/t/control, d/t/check-http2: add basic test for http2 support
1016 * Dropped:
1017 - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
1018 libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
1019 cannot be coinstalled with libcurl3. That situation breaks the
1020 installation of libapache2-mod-shib2. See
1021 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
1022 for details.
1023 [This has been resolved in Disco, where libxmltooling8 is built with
1024 openssl 1.1]
1025 - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
1026 + debian/patches/CVE-2018-11763.patch: rework connection IO event
1027 handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
1028 modules/http2/h2_version.h.
1029 - CVE-2018-11763
1030 [Fixed in 2.4.35]
1031
1032 -- Andreas Hasenack <andreas@canonical.com> Sun, 03 Feb 2019 14:57:13 -0200
1033
383apache2 (2.4.38-2) unstable; urgency=medium1034apache2 (2.4.38-2) unstable; urgency=medium
3841035
385 * Disable "reset" test in allowmethods.t (Closes: #921024)1036 * Disable "reset" test in allowmethods.t (Closes: #921024)
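Review bot: in the 2.4.38-2ubuntu1 Dropped list, the bare "- CVE-2018-11763" line sits at the same level as the "- SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames" item it belongs to, so it reads as a separate dropped change. The 2.4.33-3ubuntu1 Drop list nests the CVE id one level down ("+ CVE-2017-15710"); using the same nesting here keeps the id and the "[Fixed in 2.4.35]" note attached to the right item.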
@@ -462,6 +1113,37 @@ apache2 (2.4.35-1) unstable; urgency=medium
4621113
463 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +02001114 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200
4641115
1116apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium
1117
1118 * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
1119 - debian/patches/CVE-2018-11763.patch: rework connection IO event
1120 handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
1121 modules/http2/h2_version.h.
1122 - CVE-2018-11763
1123
1124 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Oct 2018 09:57:22 -0400
1125
1126apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium
1127
1128 * Merge with Debian unstable. Remaining changes:
1129 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1130 apache2.dirs}: Add ufw profiles.
1131 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1132 - debian/patches/086_svn_cross_compiles: Backport several cross
1133 fixes from upstream
1134 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1135 Debian with Ubuntu on default page.
1136 + d/source/include-binaries: add Ubuntu icon file
1137 - d/t/control, d/t/check-http2: add basic test for http2 support
1138 - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
1139 libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
1140 cannot be coinstalled with libcurl3. That situation breaks the
1141 installation of libapache2-mod-shib2. See
1142 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
1143 for details.
1144
1145 -- Andreas Hasenack <andreas@canonical.com> Fri, 03 Aug 2018 17:09:27 -0300
1146
465apache2 (2.4.34-1) unstable; urgency=medium1147apache2 (2.4.34-1) unstable; urgency=medium
4661148
467 [ Ondřej Surý ]1149 [ Ondřej Surý ]
@@ -480,6 +1162,87 @@ apache2 (2.4.34-1) unstable; urgency=medium
4801162
481 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +02001163 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200
4821164
1165apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium
1166
1167 * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load:
1168 re-enable proxy_uwsgi, as the uwsgi source no longer builds this module.
1169
1170 -- Andreas Hasenack <andreas@canonical.com> Thu, 28 Jun 2018 10:07:06 -0300
1171
1172apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
1173
1174 * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
1175 libapache2-mod-md until we figure out their transitions. libapache2-mod-md
1176 in particular is problematic because that makes apache2-bin pull in
1177 libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
1178 the installation of libapache2-mod-shib2. See
1179 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
1180 for details.
1181 - Don't ship md.load and remove build-requires that were added because of
1182 mod-md (see
1183 https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
1184 - Remove proxy_uwsgi.load as we are not building it for now (see
1185 https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
1186
1187 -- Andreas Hasenack <andreas@canonical.com> Thu, 17 May 2018 14:46:19 +0000
1188
1189apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
1190
1191 * Merge with Debian unstable (LP: #1770242). Remaining changes:
1192 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1193 apache2.dirs}: Add ufw profiles.
1194 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1195 - debian/patches/086_svn_cross_compiles: Backport several cross
1196 fixes from upstream
1197 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1198 Debian with Ubuntu on default page.
1199 + d/source/include-binaries: add Ubuntu icon file
1200 - d/t/control, d/t/check-http2: add basic test for http2 support
1201 * Drop:
1202 - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
1203 + debian/patches/CVE-2017-15710.patch: fix language long names
1204 detection as short name in modules/aaa/mod_authnz_ldap.c.
1205 + CVE-2017-15710
1206 - SECURITY UPDATE: incorrect <FilesMatch> matching
1207 + debian/patches/CVE-2017-15715.patch: allow to configure
1208 global/default options for regexes, like caseless matching or
1209 extended format in include/ap_regex.h, server/core.c,
1210 server/util_pcre.c.
1211 + CVE-2017-15715
1212 - SECURITY UPDATE: mod_session header manipulation
1213 + debian/patches/CVE-2018-1283.patch: strip Session header when
1214 SessionEnv is on in modules/session/mod_session.c.
1215 + CVE-2018-1283
1216 - SECURITY UPDATE: DoS via specially-crafted request
1217 + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
1218 terminated on any error, not only on buffer full in
1219 server/protocol.c.
1220 + CVE-2018-1301
1221 - SECURITY UPDATE: mod_cache_socache DoS
1222 + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
1223 to carriage return in modules/cache/mod_cache_socache.c.
1224 + CVE-2018-1303
1225 - SECURITY UPDATE: insecure nonce generation
1226 + debian/patches/CVE-2018-1312.patch: actually use the secret when
1227 generating nonces in modules/aaa/mod_auth_digest.c.
1228 + CVE-2018-1312
1229 - Correct systemd-sysv-generator behavior by customizing some
1230 parameters:
1231 + d/apache2-systemd.conf: add a drop-in file to specify some
1232 parameters for the systemd unit (type=Forking and
1233 RemainsAfterExit=no), this allow a correct state synchronisation
1234 between systemctl status and actual state of apache2 daemon.
1235 + d/apache2.install: place the apache2-systemd.conf file in the
1236 correct location.
1237 [type=Forking already in the base systemd service file, and
1238 RemainsAfterExit=no is the default value, so no need to
1239 customize these anymore.]
1240 - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
1241 + added debian/patches/util_ldap_cache_lock_fix.patch
1242 [Already applied upstream]
1243
1244 -- Andreas Hasenack <andreas@canonical.com> Tue, 15 May 2018 11:03:34 -0300
1245
483apache2 (2.4.33-3) unstable; urgency=medium1246apache2 (2.4.33-3) unstable; urgency=medium
4841247
485 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.1248 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
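Review bot: under "* Drop:" in 2.4.33-3ubuntu1, the six SECURITY UPDATE items (CVE-2017-15710, CVE-2017-15715, CVE-2018-1283, CVE-2018-1301, CVE-2018-1303, CVE-2018-1312) are dropped with no bracketed reason, while the systemd drop-in and the mod_ldap locking fix in the same list each get one ("[Already applied upstream]"). Dropped security patches are the items that most need a justification. Add a note naming the upstream version that contains each fix.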
@@ -552,6 +1315,91 @@ apache2 (2.4.29-2) unstable; urgency=medium
5521315
553 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +00001316 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +0000
5541317
1318apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium
1319
1320 * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
1321 - debian/patches/CVE-2017-15710.patch: fix language long names
1322 detection as short name in modules/aaa/mod_authnz_ldap.c.
1323 - CVE-2017-15710
1324 * SECURITY UPDATE: incorrect <FilesMatch> matching
1325 - debian/patches/CVE-2017-15715.patch: allow to configure
1326 global/default options for regexes, like caseless matching or
1327 extended format in include/ap_regex.h, server/core.c,
1328 server/util_pcre.c.
1329 - CVE-2017-15715
1330 * SECURITY UPDATE: mod_session header manipulation
1331 - debian/patches/CVE-2018-1283.patch: strip Session header when
1332 SessionEnv is on in modules/session/mod_session.c.
1333 - CVE-2018-1283
1334 * SECURITY UPDATE: DoS via specially-crafted request
1335 - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
1336 terminated on any error, not only on buffer full in
1337 server/protocol.c.
1338 - CVE-2018-1301
1339 * SECURITY UPDATE: mod_cache_socache DoS
1340 - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
1341 to carriage return in modules/cache/mod_cache_socache.c.
1342 - CVE-2018-1303
1343 * SECURITY UPDATE: insecure nonce generation
1344 - debian/patches/CVE-2018-1312.patch: actually use the secret when
1345 generating nonces in modules/aaa/mod_auth_digest.c.
1346 - CVE-2018-1312
1347
1348 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Apr 2018 07:38:24 -0400
1349
1350apache2 (2.4.29-1ubuntu4) bionic; urgency=medium
1351
1352 * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
1353 - added debian/patches/util_ldap_cache_lock_fix.patch
1354
1355 -- Rafael David Tinoco <rafael.tinoco@canonical.com> Fri, 02 Mar 2018 02:19:31 +0000
1356
1357apache2 (2.4.29-1ubuntu3) bionic; urgency=medium
1358
1359 * Switch back to OpenSSL 1.1.
1360
1361 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 11:57:20 +0000
1362
1363apache2 (2.4.29-1ubuntu2) bionic; urgency=medium
1364
1365 * enable http2 (LP: #1687454) by stopping to disable it
1366 - debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
1367 - debian/config-dir/mods-available/http2.load: no more removed.
1368 - debian/rules: no more removed proxy_http2 from configure.
1369 * d/t/control, d/t/check-http2: add basic test for http2 support
1370
1371 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 05 Dec 2017 17:25:39 +0100
1372
1373apache2 (2.4.29-1ubuntu1) bionic; urgency=medium
1374
1375 * Merge with Debian unstable. Remaining changes:
1376 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1377 apache2.dirs}: Add ufw profiles.
1378 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1379 - debian/patches/086_svn_cross_compiles: Backport several cross
1380 fixes from upstream
1381 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1382 Debian with Ubuntu on default page.
1383 + d/source/include-binaries: add Ubuntu icon file
1384 - Correct systemd-sysv-generator behavior by customizing some
1385 parameters:
1386 + d/apache2-systemd.conf: add a drop-in file to specify some
1387 parameters for the systemd unit (type=Forking and
1388 RemainsAfterExit=no), this allow a correct state synchronisation
1389 between systemctl status and actual state of apache2 daemon.
1390 + d/apache2.install: place the apache2-systemd.conf file in the
1391 correct location.
1392 - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1393 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1394 + debian/config-dir/mods-available/http2.load: removed.
1395 + debian/rules: removed proxy_http2 from configure.
1396 * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
1397 - debian/control: switch BuildDepends to libssl1.0-dev
1398 - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
1399 - debian/rules: remove openssl virtual package and logic
1400
1401 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 10 Nov 2017 10:51:46 -0500
1402
555apache2 (2.4.29-1) unstable; urgency=medium1403apache2 (2.4.29-1) unstable; urgency=medium
5561404
557 [ Stefan Fritsch ]1405 [ Stefan Fritsch ]
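Review bot: the 2.4.29-1ubuntu3 entry says only "Switch back to OpenSSL 1.1." and lists no files, whereas the 2.4.29-1ubuntu1 change it reverts itemises three edits (BuildDepends switched to libssl1.0-dev, Breaks on gridsite and libapache2-mod-dacs removed, openssl virtual package logic removed from debian/rules). From the changelog alone it is not possible to tell whether the Breaks and the debian/rules logic were restored. List the reverted debian/control and debian/rules changes the same way.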
@@ -616,6 +1464,47 @@ apache2 (2.4.27-3) experimental; urgency=medium
6161464
617 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +02001465 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +0200
6181466
1467apache2 (2.4.27-2ubuntu3) artful; urgency=medium
1468
1469 * SECURITY UPDATE: optionsbleed information leak
1470 - debian/patches/CVE-2017-9798.patch: disallow method registration
1471 at run time in server/core.c.
1472 - CVE-2017-9798
1473
1474 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Sep 2017 11:05:48 -0400
1475
1476apache2 (2.4.27-2ubuntu2) artful; urgency=medium
1477
1478 * Undrop (LP 1658469):
1479 - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1480 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1481 + debian/config-dir/mods-available/http2.load: removed.
1482 + debian/rules: removed proxy_http2 from configure.
1483
1484 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 02 Aug 2017 13:04:45 -0400
1485
1486apache2 (2.4.27-2ubuntu1) artful; urgency=medium
1487
1488 * Merge with Debian unstable (LP: #1702582). Remaining changes:
1489 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1490 apache2.dirs}: Add ufw profiles.
1491 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1492 - debian/patches/086_svn_cross_compiles: Backport several cross
1493 fixes from upstream
1494 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1495 Debian with Ubuntu on default page.
1496 + d/source/include-binaries: add Ubuntu icon file
1497 - Correct systemd-sysv-generator behavior by customizing some
1498 parameters:
1499 + d/apache2-systemd.conf: add a drop-in file to specify some
1500 parameters for the systemd unit (type=Forking and
1501 RemainsAfterExit=no), this allow a correct state synchronisation
1502 between systemctl status and actual state of apache2 daemon.
1503 + d/apache2.install: place the apache2-systemd.conf file in the
1504 correct location.
1505
1506 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 27 Jul 2017 13:38:39 -0700
1507
619apache2 (2.4.27-2) unstable; urgency=medium1508apache2 (2.4.27-2) unstable; urgency=medium
6201509
621 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more1510 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
@@ -645,6 +1534,55 @@ apache2 (2.4.25-4) unstable; urgency=high
6451534
646 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +02001535 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +0200
6471536
1537apache2 (2.4.25-3ubuntu3) artful; urgency=medium
1538
1539 * Re-Drop (LP: #1658469):
1540 - Don't build experimental http2 module for LTS:
1541 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1542 + debian/config-dir/mods-available/http2.load: removed.
1543 + debian/rules: removed proxy_http2 from configure.
1544 + debian/apache2.maintscript: remove http2 conffile.
1545
1546 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Mon, 01 May 2017 09:55:11 -0700
1547
1548apache2 (2.4.25-3ubuntu2) zesty; urgency=medium
1549 * Undrop (LP 1658469):
1550 - Don't build experimental http2 module for LTS:
1551 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1552 + debian/config-dir/mods-available/http2.load: removed.
1553 + debian/rules: removed proxy_http2 from configure.
1554 + debian/apache2.maintscript: remove http2 conffile.
1555
1556 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 10 Feb 2017 08:53:43 -0800
1557
1558apache2 (2.4.25-3ubuntu1) zesty; urgency=medium
1559
1560 * Merge from Debian unstable (LP: #1663425). Remaining changes:
1561 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1562 apache2.dirs}: Add ufw profiles.
1563 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1564 - debian/patches/086_svn_cross_compiles: Backport several cross
1565 fixes from upstream
1566 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1567 Debian with Ubuntu on default page.
1568 + d/source/include-binaries: add Ubuntu icon file
1569 - Correct systemd-sysv-generator behavior by customizing some
1570 parameters:
1571 + d/apache2-systemd.conf: add a drop-in file to specify some
1572 parameters for the systemd unit (type=Forking and
1573 RemainsAfterExit=no), this allow a correct state synchronisation
1574 between systemctl status and actual state of apache2 daemon.
1575 + d/apache2.install: place the apache2-systemd.conf file in the
1576 correct location.
1577 * Drop (LP: #1658469):
1578 - Don't build experimental http2 module for LTS:
1579 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1580 + debian/config-dir/mods-available/http2.load: removed.
1581 + debian/rules: removed proxy_http2 from configure.
1582 + debian/apache2.maintscript: remove http2 conffile.
1583
1584 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 09 Feb 2017 15:48:28 -0800
1585
648apache2 (2.4.25-3) unstable; urgency=medium1586apache2 (2.4.25-3) unstable; urgency=medium
6491587
650 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.1588 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
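Review bot: the three entries 2.4.25-3ubuntu1 ("Drop"), 2.4.25-3ubuntu2 ("Undrop") and 2.4.25-3ubuntu3 ("Re-Drop") all toggle an item titled "Don't build experimental http2 module for LTS", so each heading is a double or triple negative and the reader has to work out whether mod_http2 is built in that upload. State the resulting behaviour in each entry, for example that http2 is enabled or disabled. Separately, the 2.4.25-3ubuntu2 header line is followed directly by " * Undrop (LP 1658469):" with no blank line, unlike every other entry in the hunk.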
@@ -706,6 +1644,39 @@ apache2 (2.4.25-1) unstable; urgency=medium
7061644
707 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +01001645 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +0100
7081646
1647apache2 (2.4.23-8ubuntu1) zesty; urgency=medium
1648
1649 * Merge from Debian unstable (LP: #). Remaining changes:
1650 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1651 apache2.dirs}: Add ufw profiles.
1652 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1653 - debian/patches/086_svn_cross_compiles: Backport several cross
1654 fixes from upstream
1655 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
1656 d/source/include-binaries: replace Debian with Ubuntu on default
1657 page.
1658 [ include-binaries change previously undocumented ]
1659 - Don't build experimental http2 module for LTS:
1660 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1661 + debian/config-dir/mods-available/http2.load: removed.
1662 + debian/rules: removed proxy_http2 from configure.
1663 + debian/apache2.maintscript: remove http2 conffile.
1664 [ Previously undocumented ]
1665 - Correct systemd-sysv-generator behavior by customizing some
1666 parameters:
1667 + d/apache2-systemd.conf: add a drop-in file to specify some
1668 parameters for the systemd unit (type=Forking and
1669 RemainsAfterExit=no), this allow a correct state synchronisation
1670 between systemctl status and actual state of apache2 daemon.
1671 + d/apache2.install: place the apache2-systemd.conf file in the
1672 correct location.
1673 * Drop:
1674 - debian/rules: Fix cross-building by passing
1675 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1676 [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]
1677
1678 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 09 Dec 2016 11:02:38 +0100
1679
709apache2 (2.4.23-8) unstable; urgency=medium1680apache2 (2.4.23-8) unstable; urgency=medium
7101681
711 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a1682 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
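Review bot: the first line of the 2.4.23-8ubuntu1 entry reads "Merge from Debian unstable (LP: #). Remaining changes:", with an empty bug reference. Either fill in the merge bug number or remove the "(LP: #)" placeholder, since as written it references nothing and suggests a bug link that was never supplied.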
@@ -716,6 +1687,33 @@ apache2 (2.4.23-8) unstable; urgency=medium
7161687
717 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +01001688 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100
7181689
1690apache2 (2.4.23-7ubuntu1) zesty; urgency=medium
1691
1692 * Merge from Debian unstable. Remaining changes:
1693 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1694 apache2.dirs}: Add ufw profiles.
1695 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1696 - debian/rules: Fix cross-building by passing
1697 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1698 - debian/patches/086_svn_cross_compiles: Backport several cross
1699 fixes from upstream
1700 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1701 Debian with Ubuntu on default page.
1702 - Don't build experimental http2 module for LTS:
1703 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1704 + debian/config-dir/mods-available/http2.load: removed.
1705 + debian/rules: removed proxy_http2 from configure.
1706 - Correct systemd-sysv-generator behavior by customizing some
1707 parameters:
1708 + d/apache2-systemd.conf: add a drop-in file to specify some
1709 parameters for the systemd unit (type=Forking and
1710 RemainsAfterExit=no), this allow a correct state synchronisation
1711 between systemctl status and actual state of apache2 daemon.
1712 + d/apache2.install: place the apache2-systemd.conf file in the
1713 correct location.
1714
1715 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Nov 2016 09:17:24 -0500
1716
719apache2 (2.4.23-7) unstable; urgency=medium1717apache2 (2.4.23-7) unstable; urgency=medium
7201718
721 * Make apache2-dev depend on openssl 1.0, too. Closes: #8441601719 * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
@@ -830,6 +1828,55 @@ apache2 (2.4.20-1) unstable; urgency=medium
8301828
831 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +02001829 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200
8321830
1831apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium
1832
1833 * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
1834 - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
1835 server/util_script.c.
1836 - CVE-2016-5387
1837
1838 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Jul 2016 14:32:02 -0400
1839
1840apache2 (2.4.18-2ubuntu3) xenial; urgency=medium
1841
1842 [ Ryan Harper ]
1843 * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
1844 introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
1845 all, since http2 support is intentionally disabled (see LP 1531864).
1846 * d/apache2.maintscript: handle removal of http2.load conffile.
1847
1848 [ Robie Basak ]
1849 * Re-write Ryan's changelog entry.
1850
1851 -- Robie Basak <robie.basak@ubuntu.com> Fri, 15 Apr 2016 18:00:57 +0000
1852
1853apache2 (2.4.18-2ubuntu2) xenial; urgency=medium
1854
1855 * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
1856 - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
1857 unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation
1858 between systemctl status and actual state of apache2 daemon.
1859 - d/apache2.install: place the apache2-systemd.conf file in the correct location.
1860
1861 -- Pierre-André MOREY <pierre-andre.morey@canonical.com> Fri, 08 Apr 2016 11:48:00 +0200
1862
1863apache2 (2.4.18-2ubuntu1) xenial; urgency=medium
1864
1865 * Merge from Debian unstable. Remaining changes:
1866 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1867 apache2.dirs}: Add ufw profiles.
1868 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1869 - debian/rules: Fix cross-building by passing
1870 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1871 - debian/patches/086_svn_cross_compiles: Backport several cross
1872 fixes from upstream
1873 - d/index.html: replace Debian with Ubuntu on default page.
1874 - Don't build experimental http2 module for LTS:
1875 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1876 + debian/config-dir/mods-available/http2.load: removed.
1877
1878 -- Timo Aaltonen <tjaalton@debian.org> Wed, 06 Apr 2016 00:18:31 +0300
1879
833apache2 (2.4.18-2) unstable; urgency=low1880apache2 (2.4.18-2) unstable; urgency=low
8341881
835 * htcacheclean:1882 * htcacheclean:
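Review bot: in the 2.4.18-2ubuntu1 entry the "Remaining changes" list has no "Add dep8 tests." item, although the 2.4.18-1ubuntu1 entry it follows on from (further down) still carries it, and no "Drop changes" item records where that delta went. If this matches the changelog as uploaded, keep it unchanged, since published history should not be rewritten. If the line was lost while carrying the delta forward, restore it so the Ubuntu delta can still be audited entry by entry.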
@@ -855,6 +1902,24 @@ apache2 (2.4.18-2) unstable; urgency=low
8551902
856 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +02001903 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200
8571904
1905apache2 (2.4.18-1ubuntu1) xenial; urgency=medium
1906
1907 * Merge from Debian unstable. Remaining changes:
1908 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1909 apache2.dirs}: Add ufw profiles.
1910 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1911 - Add dep8 tests.
1912 - debian/rules: Fix cross-building by passing
1913 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1914 - debian/patches/086_svn_cross_compiles: Backport several cross
1915 fixes from upstream
1916 - d/index.html: replace Debian with Ubuntu on default page.
1917 - Don't build experimental http2 module for LTS:
1918 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1919 + debian/config-dir/mods-available/http2.load: removed.
1920
1921 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Jan 2016 15:15:22 -0500
1922
858apache2 (2.4.18-1) unstable; urgency=medium1923apache2 (2.4.18-1) unstable; urgency=medium
8591924
860 * New upstream release:1925 * New upstream release:
@@ -862,12 +1927,48 @@ apache2 (2.4.18-1) unstable; urgency=medium
8621927
863 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +01001928 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100
8641929
1930apache2 (2.4.17-3ubuntu1) xenial; urgency=medium
1931
1932 * Merge from Debian unstable. Remaining changes:
1933 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1934 apache2.dirs}: Add ufw profiles.
1935 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1936 - Add dep8 tests.
1937 - debian/rules: Fix cross-building by passing
1938 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1939 - debian/patches/086_svn_cross_compiles: Backport several cross
1940 fixes from upstream
1941 - d/index.html: replace Debian with Ubuntu on default page.
1942 - Don't build experimental http2 module for LTS:
1943 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1944 + debian/config-dir/mods-available/http2.load: removed.
1945
1946 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Dec 2015 10:07:35 -0500
1947
865apache2 (2.4.17-3) unstable; urgency=medium1948apache2 (2.4.17-3) unstable; urgency=medium
8661949
867 * mpm_prefork: Fix segfault if started with -X. Closes: #8057371950 * mpm_prefork: Fix segfault if started with -X. Closes: #805737
8681951
869 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +01001952 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100
8701953
1954apache2 (2.4.17-2ubuntu1) xenial; urgency=medium
1955
1956 * Merge from Debian unstable. Remaining changes:
1957 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1958 apache2.dirs}: Add ufw profiles.
1959 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1960 - Add dep8 tests.
1961 - debian/rules: Fix cross-building by passing
1962 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1963 - debian/patches/086_svn_cross_compiles: Backport several cross
1964 fixes from upstream
1965 - d/index.html: replace Debian with Ubuntu on default page.
1966 - Don't build experimental http2 module for LTS:
1967 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1968 + debian/config-dir/mods-available/http2.load: removed.
1969
1970 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Nov 2015 09:11:52 -0500
1971
871apache2 (2.4.17-2) unstable; urgency=medium1972apache2 (2.4.17-2) unstable; urgency=medium
8721973
873 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke1974 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
@@ -878,6 +1979,31 @@ apache2 (2.4.17-2) unstable; urgency=medium
8781979
879 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +01001980 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100
8801981
1982apache2 (2.4.17-1ubuntu1) xenial; urgency=medium
1983
1984 * Merge from Debian unstable. Remaining changes:
1985 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1986 apache2.dirs}: Add ufw profiles.
1987 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1988 - Add dep8 tests.
1989 - debian/rules: Fix cross-building by passing
1990 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1991 - debian/patches/086_svn_cross_compiles: Backport several cross
1992 fixes from upstream
1993 - d/index.html: replace Debian with Ubuntu on default page.
1994 * Drop patches (applied upstream):
1995 - debian/patches/CVE-2015-3183.patch
1996 - debian/patches/CVE-2015-3185.patch
1997 * Drop changes (adopted in Debian):
1998 - Allow "triggers-awaited" and "triggers-pending" states in addition
1999 to "installed" when determining whether to defer actions or
2000 process deferred actions.
2001 * Don't build experimental http2 module for LTS
2002 - debian/control: removed libnghttp2-dev Build-Depends (in universe).
2003 - debian/config-dir/mods-available/http2.load: removed.
2004
2005 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 30 Oct 2015 09:35:46 -0400
2006
881apache2 (2.4.17-1) unstable; urgency=medium2007apache2 (2.4.17-1) unstable; urgency=medium
8822008
883 [ Stefan Fritsch ]2009 [ Stefan Fritsch ]
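Review bot: in the 2.4.17-1ubuntu1 entry, "Drop patches (applied upstream)" removes debian/patches/CVE-2015-3183.patch and debian/patches/CVE-2015-3185.patch without naming the upstream release that contains the fixes. The entry cannot be changed now, but for security patches dropped in future merges it helps to record the upstream version next to each dropped file, so that someone tracing a CVE through this changelog can confirm the fix is still present without diffing the source.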
@@ -943,6 +2069,49 @@ apache2 (2.4.16-1) unstable; urgency=medium
9432069
944 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +02002070 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200
9452071
2072apache2 (2.4.12-2ubuntu2) wily; urgency=medium
2073
2074 * SECURITY UPDATE: request smuggling via chunked transfer encoding
2075 - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
2076 modules/http/http_filters.c.
2077 - CVE-2015-3183
2078 * SECURITY UPDATE: access restriction bypass via deprecated API
2079 - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
2080 in include/http_request.h, server/request.c.
2081 - CVE-2015-3185
2082
2083 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 24 Jul 2015 09:56:09 -0400
2084
2085apache2 (2.4.12-2ubuntu1) wily; urgency=medium
2086
2087 * Merge from Debian unstable. Remaining changes:
2088 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2089 apache2.dirs}: Add ufw profiles.
2090 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2091 - Add dep8 tests.
2092 - debian/rules: Fix cross-building by passing
2093 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2094 - debian/patches/086_svn_cross_compiles: Backport several cross
2095 fixes from upstream
2096 - d/index.html: replace Debian with Ubuntu on default page.
2097 - Allow "triggers-awaited" and "triggers-pending" states in addition
2098 to "installed" when determining whether to defer actions or
2099 process deferred actions.
2100 * Drop patches (applied upstream):
2101 - d/p/split-logfile.patch
2102 - d/p/CVE-2015-0228.patch
2103 * Drop changes (superceded in Debian):
2104 - Cherry-pick versioned build-depend on dpkg from Debian for correct
2105 dpkg-maintscript-helper symlink_to_dir support.
2106 * Drop changes (adopted in Debian):
2107 - d/control, d/config-dir/mods-available/ssl.conf,
2108 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
2109 dialog program ask-for-passphrase.
2110 * Fix cross-building configure line in d/rules, which had bit-rotted in
2111 previous merges.
2112
2113 -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 May 2015 16:34:00 +0000
2114
946apache2 (2.4.12-2) unstable; urgency=medium2115apache2 (2.4.12-2) unstable; urgency=medium
9472116
948 [ Jean-Michel Nirgal Vourgère ]2117 [ Jean-Michel Nirgal Vourgère ]
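Review bot: the heading "Drop changes (superceded in Debian)" in the 2.4.12-2ubuntu1 entry misspells "superseded". If the published 2.4.12-2ubuntu1 changelog has the same spelling, leave it so the history stays identical to what was uploaded. Correct it only if the typo was introduced while re-adding the entry here.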
@@ -992,6 +2161,28 @@ apache2 (2.4.10-10) unstable; urgency=medium
9922161
993 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +01002162 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100
9942163
2164apache2 (2.4.10-9ubuntu1) vivid; urgency=medium
2165
2166 * Merge from Debian unstable. Remaining changes:
2167 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2168 apache2.dirs}: Add ufw profiles.
2169 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2170 - d/control, d/config-dir/mods-available/ssl.conf,
2171 - Add dep8 tests.
2172 - debian/rules: Fix cross-building by passing
2173 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2174 - debian/patches/086_svn_cross_compiles: Backport several cross
2175 fixes from upstream
2176 - d/index.html: replace Debian with Ubuntu on default page.
2177 - d/p/split-logfile.patch: fix completely broken split-logfile
2178 command.
2179 - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
2180 denial of service in mod_lua via websockets PING
2181 * debian/tests/ssl-passphrase: Add password responder for
2182 systemd-ask-passphrase.
2183
2184 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 09 Mar 2015 12:03:16 +0100
2185
995apache2 (2.4.10-9) unstable; urgency=medium2186apache2 (2.4.10-9) unstable; urgency=medium
9962187
997 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a2188 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
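Review bot: in the 2.4.10-9ubuntu1 entry the item "- d/control, d/config-dir/mods-available/ssl.conf," ends on a comma and is followed directly by "- Add dep8 tests.", so it names two files but never says what was changed in them. The 2.4.10-8ubuntu1 entry further down has the full item (the Plymouth aware ask-for-passphrase dialog), and this same entry adds a systemd-ask-passphrase responder to debian/tests/ssl-passphrase, so a reader cannot tell from this text what state the passphrase delta was in. If the line matches the 2.4.10-9ubuntu1 changelog as uploaded, keep it as it is. If it was cut short while carrying the history forward, restore the original wording.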
@@ -1006,6 +2197,54 @@ apache2 (2.4.10-9) unstable; urgency=medium
10062197
1007 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +01002198 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100
10082199
2200apache2 (2.4.10-8ubuntu3) vivid; urgency=medium
2201
2202 * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
2203 directives
2204 - debian/patches/CVE-2014-8109.patch: handle multiple Require
2205 directives with different arguments in modules/lua/mod_lua.c.
2206 - CVE-2014-8109
2207 * SECURITY UPDATE: denial of service in mod_lua via websockets PING
2208 - debian/patches/CVE-2015-0228.patch: fix logic in
2209 modules/lua/lua_request.c.
2210 - CVE-2015-0228
2211
2212 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 05 Mar 2015 10:56:34 -0500
2213
2214apache2 (2.4.10-8ubuntu2) vivid; urgency=medium
2215
2216 * Allow "triggers-awaited" and "triggers-pending" states in addition to
2217 "installed" when determining whether to defer actions or process
2218 deferred actions (LP: #1393832).
2219
2220 -- Colin Watson <cjwatson@ubuntu.com> Wed, 26 Nov 2014 11:31:44 +0000
2221
2222apache2 (2.4.10-8ubuntu1) vivid; urgency=medium
2223
2224 * Merge from Debian unstable. Remaining changes:
2225 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2226 apache2.dirs}: Add ufw profiles.
2227 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2228 - d/control, d/config-dir/mods-available/ssl.conf,
2229 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
2230 dialog program ask-for-passphrase.
2231 - Add dep8 tests.
2232 - debian/rules: Fix cross-building by passing
2233 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2234 - debian/patches/086_svn_cross_compiles: Backport several cross
2235 fixes from upstream
2236 - d/index.html: replace Debian with Ubuntu on default page.
2237 - d/p/split-logfile.patch: fix completely broken split-logfile
2238 command.
2239 * Fixes from Debian included in merge:
2240 - Crash caused by OCSP stapling code; this was erroneously
2241 attributed to Debian in my previous merge, but actually only
2242 appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
2243 * Cherry-pick versioned build-depend on dpkg from Debian for correct
2244 dpkg-maintscript-helper symlink_to_dir support.
2245
2246 -- Robie Basak <robie.basak@ubuntu.com> Fri, 21 Nov 2014 15:15:58 +0000
2247
1009apache2 (2.4.10-8) unstable; urgency=medium2248apache2 (2.4.10-8) unstable; urgency=medium
10102249
1011 * Bump dpkg Pre-Depends to version that supports relative symlinks in2250 * Bump dpkg Pre-Depends to version that supports relative symlinks in
@@ -1020,6 +2259,33 @@ apache2 (2.4.10-8) unstable; urgency=medium
10202259
1021 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +01002260 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100
10222261
2262apache2 (2.4.10-7ubuntu1) vivid; urgency=medium
2263
2264 * Merge from Debian unstable. Remaining changes:
2265 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2266 apache2.dirs}: Add ufw profiles.
2267 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2268 - d/control, d/config-dir/mods-available/ssl.conf,
2269 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
2270 dialog program ask-for-passphrase.
2271 - Add dep8 tests.
2272 - debian/rules: Fix cross-building by passing
2273 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2274 - debian/patches/086_svn_cross_compiles: Backport several cross
2275 fixes from upstream
2276 - d/index.html: replace Debian with Ubuntu on default page.
2277 - d/p/split-logfile.patch: fix completely broken split-logfile command.
2278 * Fixes from Debian included in merge:
2279 - Don't use a2query in preinst, as it may not be available yet
2280 (LP: #1312533).
2281 - Crash caused by OCSP stapling code (LP: #1366174).
2282 - Disable SSLv3 in default config (LP: #1358305).
2283 - If apache2 is not configured yet, defer actions executed via
2284 apache2-maintscript-helper. This fixes installation failures if a
2285 module package is configured first (LP: #1312854).
2286
2287 -- Robie Basak <robie.basak@ubuntu.com> Mon, 17 Nov 2014 18:04:40 +0000
2288
1023apache2 (2.4.10-7) unstable; urgency=medium2289apache2 (2.4.10-7) unstable; urgency=medium
10242290
1025 * Handle transitions of doc dirs and symlinks correctly during upgrade.2291 * Handle transitions of doc dirs and symlinks correctly during upgrade.
@@ -1103,6 +2369,25 @@ apache2 (2.4.10-2) unstable; urgency=medium
11032369
1104 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +02002370 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200
11052371
2372apache2 (2.4.10-1ubuntu1) utopic; urgency=medium
2373
2374 * Merge from Debian unstable. Remaining changes:
2375 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2376 apache2.dirs}: Add ufw profiles.
2377 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2378 - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
2379 d/apache2.install: Plymouth aware passphrase dialog program
2380 ask-for-passphrase.
2381 - Add dep8 tests.
2382 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
2383 configure.
2384 - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
2385 upstream
2386 - d/index.html: replace Debian with Ubuntu on default page.
2387 - d/p/split-logfile.patch: fix completely broken split-logfile command.
2388
2389 -- Robie Basak <robie.basak@ubuntu.com> Thu, 24 Jul 2014 15:13:16 +0000
2390
1106apache2 (2.4.10-1) unstable; urgency=medium2391apache2 (2.4.10-1) unstable; urgency=medium
11072392
1108 [ Arno Töll ]2393 [ Arno Töll ]
@@ -1150,6 +2435,45 @@ apache2 (2.4.9-2) unstable; urgency=medium
11502435
1151 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +02002436 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200
11522437
2438apache2 (2.4.9-1ubuntu2) utopic; urgency=medium
2439
2440 * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
2441 yet support building against lua 5.2 (LP: #1323930).
2442
2443 -- Robie Basak <robie.basak@ubuntu.com> Wed, 28 May 2014 08:55:25 +0000
2444
2445apache2 (2.4.9-1ubuntu1) utopic; urgency=medium
2446
2447 * Merge from Debian unstable. Remaining changes:
2448 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2449 apache2.dirs}: Add ufw profiles.
2450 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2451 - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
2452 d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
2453 dialog program ask-for-passphrase.
2454 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
2455 configure.
2456 - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
2457 upstream
2458 - Build using lua5.2.
2459 - d/tests/chroot: dep8 test for ChrootDir case.
2460 - d/tests/ssl-passphrase: update for new default path /var/www/html.
2461 - d/tests/duplicate-module-load: check for duplicate module loads.
2462 - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
2463 - d/p/split-logfile.patch: fix completely broken split-logfile command
2464 (LP: #1299162). Thanks to Holger Mauermann.
2465 * Drop changes (upstreamed):
2466 - d/p/ignore-quilt-dir: adjust build system so that it does not use
2467 files find inside the .pc directory. This stops a double module load
2468 causing later havoc, including "ChrootDir" directive failure.
2469 - debian/patches/CVE-2013-6438.patch: properly calculate correct length
2470 in modules/dav/main/util.c.
2471 - debian/patches/CVE-2014-0098.patch: properly parse tokens in
2472 modules/loggers/mod_log_config.c.
2473 * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
2474
2475 -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 May 2014 19:30:04 +0000
2476
1153apache2 (2.4.9-1) unstable; urgency=medium2477apache2 (2.4.9-1) unstable; urgency=medium
11542478
1155 * New upstream version.2479 * New upstream version.
@@ -1182,6 +2506,63 @@ apache2 (2.4.9-1) unstable; urgency=medium
11822506
1183 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +01002507 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +0100
11842508
2509apache2 (2.4.7-1ubuntu4) trusty; urgency=medium
2510
2511 * d/p/split-logfile.patch: fix completely broken split-logfile command
2512 (LP: #1299162). Thanks to Holger Mauermann.
2513
2514 -- Robie Basak <robie.basak@ubuntu.com> Thu, 03 Apr 2014 11:21:22 +0000
2515
2516apache2 (2.4.7-1ubuntu3) trusty; urgency=medium
2517
2518 * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
2519 calculation
2520 - debian/patches/CVE-2013-6438.patch: properly calculate correct length
2521 in modules/dav/main/util.c.
2522 - CVE-2013-6438
2523 * SECURITY UPDATE: denial of service via truncated cookie and
2524 mod_log_config
2525 - debian/patches/CVE-2014-0098.patch: properly parse tokens in
2526 modules/loggers/mod_log_config.c.
2527 - CVE-2014-0098
2528
2529 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Mar 2014 08:34:10 -0400
2530
2531apache2 (2.4.7-1ubuntu2) trusty; urgency=medium
2532
2533 * d/index.html: replace Debian with Ubuntu on default page
2534 (LP: #1288690).
2535
2536 -- Robie Basak <robie.basak@ubuntu.com> Wed, 19 Mar 2014 11:04:21 +0000
2537
2538apache2 (2.4.7-1ubuntu1) trusty; urgency=medium
2539
2540 * Merge from Debian unstable. Remaining changes:
2541 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2542 apache2.dirs}: Add ufw profiles.
2543 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2544 - d/control, d/config-dir/mods-available/ssl.conf,
2545 d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase:
2546 Plymouth aware passphrase dialog program ask-for-passphrase.
2547 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
2548 to configure.
2549 - debian/patches/086_svn_cross_compiles: Backport several cross fixes
2550 from upstream
2551 - Build using lua5.2.
2552 - d/tests/chroot: dep8 test for ChrootDir case.
2553 - d/p/ignore-quilt-dir: adjust build system so that it does not use
2554 files find inside the .pc directory. This stops a double module load
2555 causing later havoc, including "ChrootDir" directive failure.
2556 * Drop changes:
2557 - debian/{control, rules}: Enable PIE hardening: no longer required;
2558 2.4.7-1 is already hardened.
2559 - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved
2560 out of this package.
2561 * d/tests/ssl-passphrase: update for new default path /var/www/html.
2562 * d/tests/duplicate-module-load: check for duplicate module loads.
2563
2564 -- Robie Basak <robie.basak@ubuntu.com> Tue, 14 Jan 2014 17:23:47 +0000
2565
1185apache2 (2.4.7-1) unstable; urgency=low2566apache2 (2.4.7-1) unstable; urgency=low
11862567
1187 New upstream version2568 New upstream version
@@ -1245,6 +2626,53 @@ apache2 (2.4.6-3) unstable; urgency=low
12452626
1246 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +02002627 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +0200
12472628
2629apache2 (2.4.6-2ubuntu4) trusty; urgency=low
2630
2631 * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so
2632 that it does not use files find inside the .pc directory. This stops a
2633 double module load causing later havoc, including "ChrootDir" directive
2634 failure (LP: #1251939). Thanks to Stefan Fritsch.
2635 * d/tests/chroot: dep8 test for ChrootDir case.
2636
2637 -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 Nov 2013 16:21:51 +0000
2638
2639apache2 (2.4.6-2ubuntu3) trusty; urgency=low
2640
2641 * debian/apache2.install: Correct path for ufw.
2642 (LP: #1252722)
2643
2644 -- Chuck Short <zulcss@ubuntu.com> Tue, 19 Nov 2013 08:59:54 -0500
2645
2646apache2 (2.4.6-2ubuntu2) saucy; urgency=low
2647
2648 * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes
2649 passphrase prompting for SSL certificates that are passphrase protected.
2650 * Add dep8 test for SSL passphrase prompting.
2651
2652 -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 Aug 2013 13:08:52 +0000
2653
2654apache2 (2.4.6-2ubuntu1) saucy; urgency=low
2655
2656 * Merge from Debian unstable. Remaining changes:
2657 - debian/{control, rules}: Enable PIE hardening.
2658 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2659 apache2.dirs}: Add ufw profiles.
2660 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2661 - debian/control, debian/config-dir/mods-available/ssl.conf,
2662 debian/ask-for-passphrase, debian/apache2.install: Plymouth aware
2663 passphrase dialog program ask-for-passphrase.
2664 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
2665 to configure.
2666 - debian/patches/086_svn_cross_compiles: Backport several cross fixes
2667 from upstream
2668 * Dropped changes:
2669 - debian/patches/CVE-2013-1896.patch: upstream
2670 * Fixed module dependencies (LP: #1205314)
2671 - debian/config-dir/mods-available/lbmethod_*: properly specify
2672 proxy_balancer, not mod_proxy_balancer.
2673
2674 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Jul 2013 08:31:33 -0400
2675
1248apache2 (2.4.6-2) unstable; urgency=low2676apache2 (2.4.6-2) unstable; urgency=low
12492677
1250 [ Stefan Fritsch ]2678 [ Stefan Fritsch ]
@@ -1297,6 +2725,56 @@ apache2 (2.4.6-1) unstable; urgency=low
12972725
1298 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +02002726 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +0200
12992727
2728apache2 (2.4.4-6ubuntu5) saucy; urgency=low
2729
2730 * SECURITY UPDATE: denial of service via MERGE request
2731 - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
2732 in modules/dav/main/mod_dav.c.
2733 - CVE-2013-1896
2734
2735 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Jul 2013 11:20:47 -0400
2736
2737apache2 (2.4.4-6ubuntu4) saucy; urgency=low
2738
2739 * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to
2740 apache2-bin. apache2-utils is only suggested by apache2, so may not
2741 always be installed by bug reporters. However, apache2-bin will always
2742 need to be installed for Apache to be functional, so this is a better
2743 place for the apport hook. apache2-bin already Conflicts/Replaces
2744 apache2.2-common, so this also fixes (LP: #1199318).
2745 * d/apache2.py: adjust apport hook for new location of configuration
2746 files in apache2 >= 2.4: they have moved from apache2.2-common to
2747 apache2.
2748
2749 -- Robie Basak <robie.basak@ubuntu.com> Wed, 17 Jul 2013 17:54:22 +0000
2750
2751apache2 (2.4.4-6ubuntu3) saucy; urgency=low
2752
2753 * Build using lua5.2.
2754
2755 -- Matthias Klose <doko@ubuntu.com> Wed, 17 Jul 2013 14:24:42 +0200
2756
2757apache2 (2.4.4-6ubuntu2) saucy; urgency=low
2758
2759 * debian/rules: Fix FTBFS while installing ufw.
2760
2761 -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 10:10:14 -0500
2762
2763apache2 (2.4.4-6ubuntu1) saucy; urgency=low
2764
2765 * Merge from Debian unstable. Remaining changes:
2766 - debian/{control, rules}: Enable PIE hardening.
2767 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2768 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2769 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2770 Plymouth aware passphrase dialog program ask-for-passphrase.
2771 * Dropped changes:
2772 - debian/patches/CVE-2012-2687.patch: Dropped no longer needed.
2773 - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed.
2774 - debian/patches/CVE-2012-4929.patch: Dropped no longer needed.
2775
2776 -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 08:34:01 -0500
2777
1300apache2 (2.4.4-6) unstable; urgency=low2778apache2 (2.4.4-6) unstable; urgency=low
13012779
1302 * Denote exact versions breaking gnome-user-share now that Gnome maintainers2780 * Denote exact versions breaking gnome-user-share now that Gnome maintainers
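Review bot: the 2.4.4-6ubuntu1 entry drops CVE-2012-2687.patch, CVE-2012-3499_4558.patch and CVE-2012-4929.patch with only "Dropped no longer needed", which does not say whether the fixes are in the new upstream version or were dropped for another reason. It also does not account for two changes from the preceding Ubuntu uploads listed further down: the cross-building fixes from 2.2.22-6ubuntu4 and the debian/apache2ctl mkdir_chown() change for CVE-2013-1048 from 2.2.22-6ubuntu5. The history stays as published, but anyone using this changelog to establish which security fixes the 2.4 packaging carried should check those items against the Debian entries rather than rely on this summary.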
@@ -1768,6 +3246,122 @@ apache2 (2.4.1-1) experimental; urgency=low
17683246
1769 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +01003247 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +0100
17703248
3249apache2 (2.2.22-6ubuntu5) raring; urgency=low
3250
3251 * SECURITY UPDATE: multiple cross-site scripting issues
3252 - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
3253 modules/generators/{mod_info.c,mod_status.c},
3254 modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
3255 modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
3256 - CVE-2012-3499
3257 - CVE-2012-4558
3258 * SECURITY UPDATE: symlink attack in apache2ctl script
3259 - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
3260 - Thanks to Stefan Fritsch for the fix.
3261 - CVE-2013-1048
3262
3263 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 15 Mar 2013 07:59:58 -0400
3264
3265apache2 (2.2.22-6ubuntu4) raring; urgency=low
3266
3267 * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
3268 * Skip module sanity check between MPMs if cross-building without the
3269 kernel/binfmt support to run our target binaries on the build system.
3270 * Backport several cross fixes from upstream as 086_svn_cross_compiles.
3271
3272 -- Adam Conrad <adconrad@ubuntu.com> Wed, 05 Dec 2012 02:21:46 -0700
3273
3274apache2 (2.2.22-6ubuntu3) raring; urgency=low
3275
3276 * SECURITY UPDATE: XSS vulnerability in mod_negotiation
3277 - debian/patches/CVE-2012-2687.patch: escape filenames in
3278 modules/mappers/mod_negotiation.c.
3279 - CVE-2012-2687
3280 * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
3281 - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
3282 directive. Defaults to off as enabling compression enables the CRIME
3283 attack.
3284 - CVE-2012-4929
3285
3286 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 08 Nov 2012 17:56:24 -0500
3287
3288apache2 (2.2.22-6ubuntu2) quantal; urgency=low
3289
3290 * debian/apache2.py
3291 - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171)
3292 - Check if this directory exists: /etc/apache2/sites-enabled/
3293
3294 -- Matthieu Baerts (matttbe) <matttbe@gmail.com> Mon, 16 Jul 2012 10:02:18 +0200
3295
3296apache2 (2.2.22-6ubuntu1) quantal; urgency=low
3297
3298 * Merge from Debian unstable. Remaining changes:
3299 - debian/{control, rules}: Enable PIE hardening.
3300 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3301 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3302 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3303 Plymouth aware passphrase dialog program ask-for-passphrase.
3304 * Dropped changes:
3305 - debian/control: Add bzr tag and point it to our tree; this is not
3306 really required and just increases the delta.
3307
3308 -- Robie Basak <robie.basak@ubuntu.com> Fri, 08 Jun 2012 11:37:31 +0100
3309
3310apache2 (2.2.22-6) unstable; urgency=low
3311
3312 [ Stefan Fritsch ]
3313 * Fix regression causing apache2 to cache "206 partial content" responses,
3314 and then serving these partial responses when replying to normal requests.
3315 Closes: #671204
3316 * Add section to security.conf that shows how to forbid access to VCS
3317 directories. Closes: #548213
3318 * Update ssl default cipher config, add alternative speed optimized config.
3319 Closes: #649020
3320 * Add "AddCharset" for .brf files in default mod_mime config.
3321 Closes: #402567
3322 * Don't create httpd.conf anymore and don't include it in apache2.conf. If
3323 it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
3324 * Port some of the comments in apache2.conf from the 2.4 package.
3325 * Compile mod_version statically, drop associated module load file.
3326 * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
3327 configtest.
3328 * Note in README.Debian that future versions of the package will have the
3329 include statements changed to include only *.conf.
3330 * Change compiled-in document root to /var/www, to avoid strange error
3331 messages.
3332 * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
3333
3334 [ Arno Töll ]
3335 * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
3336 to override LDFLAGS at compile time by defining LDLAGS in the environment,
3337 just like it is possible for CFLAGS. This also means, config_vars.mk now
3338 exports hardening build flags by default.
3339 * Update doc-base metadata for the apache2-doc package.
3340
3341 -- Stefan Fritsch <sf@debian.org> Tue, 29 May 2012 22:05:48 +0200
3342
3343apache2 (2.2.22-5) unstable; urgency=low
3344
3345 * Make LoadFile and LoadModule look in the standard search paths if the
3346 dso file name is given as a pure filename. This helps with the multi-arch
3347 transition.
3348
3349 -- Stefan Fritsch <sf@debian.org> Mon, 30 Apr 2012 23:38:33 +0200
3350
3351apache2 (2.2.22-4) unstable; urgency=high
3352
3353 * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
3354 hosts' config files.
3355 If scripting modules like mod_php or mod_rivet are enabled on systems
3356 where either 1) some frontend server forwards connections to an apache2
3357 backend server on the localhost address, or 2) the machine running
3358 apache2 is also used for web browsing, this could allow a remote
3359 attacker to execute example scripts stored under /usr/share/doc.
3360 Depending on the installed packages, this could lead to issues like cross
3361 site scripting, code execution, or leakage of sensitive data.
3362
3363 -- Stefan Fritsch <sf@debian.org> Sun, 15 Apr 2012 23:41:43 +0200
3364
1771apache2 (2.2.22-3) unstable; urgency=low3365apache2 (2.2.22-3) unstable; urgency=low
17723366
1773 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':3367 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
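Review bot: the Debian `unstable` entries for 2.2.22-4 through 2.2.22-6 (new lines 3310-3363) appear as additions against debian/sid rather than as context, so the target changelog does not carry them. 2.2.22-4 is the urgency=high upload that removed "Alias /doc /usr/share/doc" for CVE-2012-0216, so please confirm these entries come in through the Ubuntu history on purpose and are not the result of a mis-merge of the changelog.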
@@ -1788,6 +3382,18 @@ apache2 (2.2.22-2) unstable; urgency=low
17883382
1789 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +01003383 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +0100
17903384
3385apache2 (2.2.22-1ubuntu1) precise; urgency=low
3386
3387 * Merge from Debian testing. Remaining changes:
3388 - debian/{control, rules}: Enable PIE hardening.
3389 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3390 - debian/control: Add bzr tag and point it to our tree
3391 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3392 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3393 Plymouth aware passphrase dialog program ask-for-passphrase.
3394
3395 -- Chuck Short <zulcss@ubuntu.com> Sun, 12 Feb 2012 20:06:35 -0500
3396
1791apache2 (2.2.22-1) unstable; urgency=low3397apache2 (2.2.22-1) unstable; urgency=low
17923398
1793 [ Stefan Fritsch ]3399 [ Stefan Fritsch ]
@@ -1805,6 +3411,18 @@ apache2 (2.2.22-1) unstable; urgency=low
18053411
1806 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +01003412 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +0100
18073413
3414apache2 (2.2.21-5ubuntu1) precise; urgency=low
3415
3416 * Merge from Debian testing. Remaining changes:
3417 - debian/{control, rules}: Enable PIE hardening.
3418 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3419 - debian/control: Add bzr tag and point it to our tree
3420 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3421 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3422 Plymouth aware passphrase dialog program ask-for-passphrase.
3423
3424 -- Chuck Short <zulcss@ubuntu.com> Mon, 09 Jan 2012 06:26:31 +0000
3425
1808apache2 (2.2.21-5) unstable; urgency=low3426apache2 (2.2.21-5) unstable; urgency=low
18093427
1810 [ Arno Töll ]3428 [ Arno Töll ]
@@ -1858,6 +3476,26 @@ apache2 (2.2.21-4) unstable; urgency=low
18583476
1859 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +01003477 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +0100
18603478
3479apache2 (2.2.21-3ubuntu2) precise; urgency=low
3480
3481 * d/ask-for-passphrase: Flip the logic of this script so that it checks
3482 first to see if apache is being started from a TTY, and then if not,
3483 tries plymouth. (LP: #887410)
3484
3485 -- Clint Byrum <clint@ubuntu.com> Tue, 06 Dec 2011 16:49:33 -0800
3486
3487apache2 (2.2.21-3ubuntu1) precise; urgency=low
3488
3489 * Merge from Debian testing. Remaining changes:
3490 - debian/{control, rules}: Enable PIE hardening.
3491 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3492 - debian/control: Add bzr tag and point it to our tree
3493 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3494 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3495 Plymouth aware passphrase dialog program ask-for-passphrase.
3496
3497 -- Chuck Short <zulcss@ubuntu.com> Fri, 09 Dec 2011 05:20:43 +0000
3498
1861apache2 (2.2.21-3) unstable; urgency=medium3499apache2 (2.2.21-3) unstable; urgency=medium
18623500
1863 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some3501 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
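Review bot: the two added entries are out of date order: 2.2.21-3ubuntu2 is signed Tue, 06 Dec 2011 but sits above 2.2.21-3ubuntu1, signed Fri, 09 Dec 2011. Uploaded history cannot be changed, but anything that dates a change from the trailer (for example when the ask-for-passphrase TTY check from LP: #887410 landed) should key on the version string, not the timestamp.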
@@ -1872,6 +3510,24 @@ apache2 (2.2.21-3) unstable; urgency=medium
18723510
1873 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +01003511 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +0100
18743512
3513apache2 (2.2.21-2ubuntu2) precise; urgency=low
3514
3515 * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
3516
3517 -- Adam Conrad <adconrad@ubuntu.com> Fri, 02 Dec 2011 17:36:28 -0700
3518
3519apache2 (2.2.21-2ubuntu1) precise; urgency=low
3520
3521 * Merge from debian unstable. Remaining changes:
3522 - debian/{control, rules}: Enable PIE hardening.
3523 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3524 - debian/control: Add bzr tag and point it to our tree
3525 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3526 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3527 Plymouth aware passphrase dialog program ask-for-passphrase.
3528
3529 -- Chuck Short <zulcss@ubuntu.com> Fri, 14 Oct 2011 16:01:29 +0000
3530
1875apache2 (2.2.21-2) unstable; urgency=high3531apache2 (2.2.21-2) unstable; urgency=high
18763532
1877 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some3533 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
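Review bot: the 2.2.21-2ubuntu1 entry (line 3519) is urgency=low and lists only the remaining Ubuntu delta, while the Debian upload it merges, 2.2.21-2 directly below, is urgency=high and fixes CVE-2011-3368. The 2.2.20-1ubuntu1 entry names the CVE it picks up (CVE-2011-3192, line 3550); the same here would let a search of the changelog for the CVE id land on the Ubuntu version that first shipped the fix.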
@@ -1889,6 +3545,19 @@ apache2 (2.2.21-1) unstable; urgency=low
18893545
1890 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +02003546 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +0200
18913547
3548apache2 (2.2.20-1ubuntu1) oneiric; urgency=low
3549
3550 * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
3551 Remaining changes:
3552 - debian/{control, rules}: Enable PIE hardening.
3553 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3554 - debian/control: Add bzr tag and point it to our tree
3555 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3556 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3557 Plymouth aware passphrase dialog program ask-for-passphrase.
3558
3559 -- Steve Beattie <sbeattie@ubuntu.com> Tue, 06 Sep 2011 01:17:15 -0700
3560
1892apache2 (2.2.20-1) unstable; urgency=low3561apache2 (2.2.20-1) unstable; urgency=low
18933562
1894 * New upstream release.3563 * New upstream release.
@@ -1911,6 +3580,18 @@ apache2 (2.2.19-2) unstable; urgency=high
19113580
1912 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +02003581 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +0200
19133582
3583apache2 (2.2.19-1ubuntu1) oneiric; urgency=low
3584
3585 * Merge from debian unstable (LP: #787013). Remaining changes:
3586 - debian/{control, rules}: Enable PIE hardening.
3587 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3588 - debian/control: Add bzr tag and point it to our tree
3589 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3590 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3591 Plymouth aware passphrase dialog program ask-for-passphrase.
3592
3593 -- Andres Rodriguez <andreserl@ubuntu.com> Mon, 23 May 2011 10:16:09 -0400
3594
1914apache2 (2.2.19-1) unstable; urgency=low3595apache2 (2.2.19-1) unstable; urgency=low
19153596
1916 * New upstream release.3597 * New upstream release.
@@ -1928,6 +3609,18 @@ apache2 (2.2.19-1) unstable; urgency=low
19283609
1929 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +02003610 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +0200
19303611
3612apache2 (2.2.17-3ubuntu1) oneiric; urgency=low
3613
3614 * Merge from debian unstable. Remaining changes:
3615 - debian/{control, rules}: Enable PIE hardening.
3616 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3617 - debian/control: Add bzr tag and point it to our tree
3618 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3619 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3620 Plymouth aware passphrase dialog program ask-for-passphrase.
3621
3622 -- Chuck Short <zulcss@ubuntu.com> Mon, 11 Apr 2011 02:13:30 +0100
3623
1931apache2 (2.2.17-3) unstable; urgency=low3624apache2 (2.2.17-3) unstable; urgency=low
19323625
1933 * Fix compilation with OpenSSL without SSLv2 support. Closes: #6220493626 * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
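Review bot: line 3618 misspells both paths, `debain/apache2.py` and `debian/apache2.2-common.isntall`, so a search of the changelog for `debian/apache2.py` or `apache2.2-common.install` misses this entry. The same line is repeated at 3656 and 3690, while the later merges at 3391 and 3420 spell it correctly. If the history is carried verbatim this stays as is, but audits of when the apport hook entered the delta should search for both spellings.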
@@ -1954,6 +3647,18 @@ apache2 (2.2.17-2) unstable; urgency=high
19543647
1955 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +01003648 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +0100
19563649
3650apache2 (2.2.17-1ubuntu1) natty; urgency=low
3651
3652 * Merge from debian unstable, remaining changes:
3653 - debian/{control, rules}: Enable PIE hardening.
3654 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3655 - debian/control: Add bzr tag and point it to our tree
3656 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3657 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3658 Plymouth aware passphrase dialog program ask-for-passphrase.
3659
3660 -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Feb 2011 13:02:08 -0500
3661
1957apache2 (2.2.17-1) unstable; urgency=low3662apache2 (2.2.17-1) unstable; urgency=low
19583663
1959 * New upstream version3664 * New upstream version
@@ -1962,6 +3667,32 @@ apache2 (2.2.17-1) unstable; urgency=low
19623667
1963 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +01003668 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +0100
19643669
3670apache2 (2.2.16-6ubuntu3) natty; urgency=low
3671
3672 * debian/rules: Don't use "-fno-strict-aliasing" since it causes
3673 apache FTBFS on amd64. (LP: #711293)
3674
3675 -- Chuck Short <zulcss@ubuntu.com> Tue, 01 Feb 2011 10:19:55 -0500
3676
3677apache2 (2.2.16-6ubuntu2) natty; urgency=low
3678
3679 * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug.
3680 (LP: #697105)
3681
3682 -- Chuck Short <zulcss@ubuntu.com> Tue, 25 Jan 2011 11:14:58 -0500
3683
3684apache2 (2.2.16-6ubuntu1) natty; urgency=low
3685
3686 * Merge from debian unstable. Remaining changes:
3687 - debian/{control, rules}: Enable PIE hardening.
3688 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3689 - debian/control: Add bzr tag and point it to our tree
3690 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3691 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3692 Plymouth aware passphrase dialog program ask-for-passphrase.
3693
3694 -- Chuck Short <zulcss@ubuntu.com> Sun, 02 Jan 2011 06:05:51 +0000
3695
1965apache2 (2.2.16-6) unstable; urgency=low3696apache2 (2.2.16-6) unstable; urgency=low
19663697
1967 * Also add $named to the secondary-init-script example.3698 * Also add $named to the secondary-init-script example.
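Review bot: 2.2.16-6ubuntu3 (line 3672) removes "-fno-strict-aliasing" a week after 2.2.16-6ubuntu2 added it, and neither entry says how the gcc bug from LP: #697105 is handled once the flag is gone. The flag does not appear in any later "Remaining changes" list, so it would help to state in the merge description that the workaround is no longer part of the delta and why.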
@@ -1977,6 +3708,30 @@ apache2 (2.2.16-5) unstable; urgency=medium
19773708
1978 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +01003709 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +0100
19793710
3711apache2 (2.2.16-4ubuntu2) natty; urgency=low
3712
3713 [Clint Byrum]
3714 * Adding plymouth aware passphrase dialog program ask-for-passphrase.
3715 (LP: #582963)
3716 + debian/control: apache2.2-common depends on bash for ask-for-passphrase
3717 + debian/config-dir/mods-available/ssl.conf:
3718 - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase
3719
3720 [Chuck Short]
3721 * Add apport hook. (LP: #609177)
3722 + debian/apache2.py, debian/apache2.2-common.install
3723
3724 -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:43 -0500
3725
3726apache2 (2.2.16-4ubuntu1) natty; urgency=low
3727
3728 * Merge from debian unstable. Remaining changes:
3729 - debian/{control, rules}: Enable PIE hardening.
3730 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3731 - debian/control: Add bzr tag and point it to our tree
3732
3733 -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:41 -0500
3734
1980apache2 (2.2.16-4) unstable; urgency=medium3735apache2 (2.2.16-4) unstable; urgency=medium
19813736
1982 * Increase the mod_reqtimeout default timeouts to avoid potential problems3737 * Increase the mod_reqtimeout default timeouts to avoid potential problems
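Review bot: line 3718 records the dialog path as `exec:/usr/share/apache2/ask-for-passhrase`, while the script is called `ask-for-passphrase` everywhere else in this hunk. Please check that the SSLPassPhraseDialog value in the ssl.conf carried in the delta uses the correct spelling; a path that does not exist would leave Apache unable to prompt for the key passphrase at startup.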
@@ -1987,6 +3742,15 @@ apache2 (2.2.16-4) unstable; urgency=medium
19873742
1988 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +01003743 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +0100
19893744
3745apache2 (2.2.16-3ubuntu1) natty; urgency=low
3746
3747 * Merge from debian unstable. Remaining changes:
3748 - debian/{control, rules}: Enable PIE hardening.
3749 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3750 - debian/control: Add bzr tag and point it to our tree.
3751
3752 -- Chuck Short <zulcss@ubuntu.com> Tue, 12 Oct 2010 11:54:48 +0100
3753
1990apache2 (2.2.16-3) unstable; urgency=high3754apache2 (2.2.16-3) unstable; urgency=high
19913755
1992 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.3756 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
@@ -2009,6 +3773,30 @@ apache2 (2.2.16-2) unstable; urgency=low
20093773
2010 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +02003774 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +0200
20113775
3776apache2 (2.2.16-1ubuntu3) maverick; urgency=low
3777
3778 * Revert "stty sane" to unbreak apache starting, this will have to be
3779 fixed a different way. (LP: #626723)
3780
3781 -- Chuck Short <zulcss@ubuntu.com> Wed, 08 Sep 2010 08:33:17 -0400
3782
3783apache2 (2.2.16-1ubuntu2) maverick; urgency=low
3784
3785 * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a
3786 password prompt when using apache-ssl. (LP: #582963)
3787
3788 -- Chuck Short <zulcss@ubuntu.com> Wed, 25 Aug 2010 09:25:05 -0400
3789
3790apache2 (2.2.16-1ubuntu1) maverick; urgency=low
3791
3792 * Merge from debian unstable. Remaining changes:
3793 - debian/{control, rules}: Enable PIE hardening.
3794 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3795 - debian/control: Add bzr tag and point it to our tree.
3796 - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
3797
3798 -- Chuck Short <zulcss@ubuntu.com> Mon, 26 Jul 2010 20:21:37 +0100
3799
2012apache2 (2.2.16-1) unstable; urgency=medium3800apache2 (2.2.16-1) unstable; urgency=medium
20133801
2014 * Urgency medium for security fix.3802 * Urgency medium for security fix.
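Review bot: the init script is named two ways in this hunk, `debian/apache2.2-common.apache2.init` at 3785 and `debian/apache2-2.common.apache2.init` at 3796; the second looks like a transposition and will not match a search for the real file name. Separately, 2.2.16-1ubuntu3 reverts the "stty sane" change saying it "will have to be fixed a different way" without a pointer; the 2.2.16-4ubuntu2 entry at 3714 carries the same LP: #582963, so a cross-reference there would close the loop.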
@@ -2041,6 +3829,24 @@ apache2 (2.2.15-6) unstable; urgency=low
20413829
2042 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +02003830 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +0200
20433831
3832apache2 (2.2.15-5ubuntu1) maverick; urgency=low
3833
3834 * Merge from debian unstable. Remaining changes:
3835 - debian/{control, rules}: Enable PIE hardening.
3836 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3837 - debian/control: Add bzr tag and point it to our tree.
3838 - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
3839 + Dropped:
3840 - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
3841 - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
3842 - debian/config-dir/apache2.conf: Merged back from debian.
3843 - mod-reqtimeout functionality: Merge back from debian.
3844 - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
3845 - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
3846 - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.
3847
3848 -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 01:28:04 +0100
3849
2044apache2 (2.2.15-5) unstable; urgency=low3850apache2 (2.2.15-5) unstable; urgency=low
20453851
2046 * Conflict with apache package as we now include apachectl. Closes: #5790653852 * Conflict with apache package as we now include apachectl. Closes: #579065
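Review bot: the "+ Dropped:" list at 3839-3846 retires `204_CVE-2010-0408.dpatch` and `205_CVE-2010-0434.dpatch` with only "No longer needed." For security patches the entry should say why, such as which upstream or Debian version contains the fix, so the drop can be audited from the changelog alone. The entries for the 206-* patches at 3979-3983 state "Backported from 2.2.15", which is the level of detail wanted here.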
@@ -2161,6 +3967,80 @@ apache2 (2.2.14-6) unstable; urgency=low
21613967
2162 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +01003968 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +0100
21633969
3970apache2 (2.2.14-5ubuntu8) lucid; urgency=low
3971
3972 * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
3973 (LP: #562370)
3974
3975 -- Chuck Short <zulcss@ubuntu.com> Tue, 13 Apr 2010 15:09:57 -0400
3976
3977apache2 (2.2.14-5ubuntu7) lucid; urgency=low
3978
3979 * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
3980 leaks by making sure to not destroy bucket brigades that have been created
3981 by earlier filters. Backported from 2.2.15.
3982 * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
3983 has reached MaxClients until it has. Backported from 2.2.15
3984 * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
3985 more secure by adding Satisfy all. (Debian bug: #572075)
3986 * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
3987 debian/config2-dir/mods-available/reqtimeout.load,
3988 debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the
3989 mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
3990 bug in apache. Enable it by default. (LP: #392759)
3991
3992 -- Chuck Short <zulcss@ubuntu.com> Mon, 05 Apr 2010 09:53:35 -0400
3993
3994apache2 (2.2.14-5ubuntu6) lucid; urgency=low
3995
3996 * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)
3997
3998 -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 09:41:11 -0400
3999
4000apache2 (2.2.14-5ubuntu5) lucid; urgency=low
4001
4002 * Revert 99-fix-mod-dav-permissions.dpatch
4003
4004 -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 07:55:46 -0400
4005
4006apache2 (2.2.14-5ubuntu4) lucid; urgency=low
4007
4008 * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when
4009 downloading files from webdav (LP: #540747)
4010 * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)
4011
4012 -- Chuck Short <zulcss@ubuntu.com> Mon, 29 Mar 2010 13:37:39 -0400
4013
4014apache2 (2.2.14-5ubuntu3) lucid; urgency=low
4015
4016 * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
4017 - debian/patches/204_CVE-2010-0408.dpatch: return the right error code
4018 in modules/proxy/mod_proxy_ajp.c.
4019 - CVE-2010-0408
4020 * SECURITY UPDATE: information disclosure via improper handling of
4021 headers in subrequests
4022 - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in
4023 in server/protocol.c.
4024 - CVE-2010-0434
4025
4026 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Mar 2010 14:48:48 -0500
4027
4028apache2 (2.2.14-5ubuntu2) lucid; urgency=low
4029
4030 * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really
4031 wacky options. (LP: #450501)
4032
4033 -- Chuck Short <zulcss@ubuntu.com> Mon, 08 Mar 2010 14:53:17 -0500
4034
4035apache2 (2.2.14-5ubuntu1) lucid; urgency=low
4036
4037 * Merge from debian testing. Remaining changes: LP: #506862
4038 - debian/{control, rules}: Enable PIE hardening.
4039 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
4040 - debian/control: Add bzr tag and point it to our tree.
4041
4042 -- Bhavani Shankar <right2bhavi@gmail.com> Wed, 13 Jan 2010 14:28:41 +0530
4043
2164apache2 (2.2.14-5) unstable; urgency=low4044apache2 (2.2.14-5) unstable; urgency=low
21654045
2166 * Security: Further mitigation for the TLS renegotation attack4046 * Security: Further mitigation for the TLS renegotation attack
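Review bot: 2.2.14-5ubuntu5 (line 4002) reverts `99-fix-mod-dav-permissions.dpatch` one day after 2.2.14-5ubuntu4 added it for LP: #540747, with no reason and no bug reference. A revert of a permissions fix should record what it broke and whether LP: #540747 is open again. Minor: `mod_reqtime.so` at 3972 does not match the module name `reqtimeout` used at 3987-3989.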
@@ -2184,6 +4064,15 @@ apache2 (2.2.14-5) unstable; urgency=low
21844064
2185 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +01004065 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +0100
21864066
4067apache2 (2.2.14-4ubuntu1) lucid; urgency=low
4068
4069 * Resynchronzie with Debian, remaining changes are:
4070 - debian/{control, rules}: Enable PIE hardening.
4071 - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
4072 - debian/control: Add bzr tag and point it to our tree.
4073
4074 -- Chuck Short <zulcss@ubuntu.com> Wed, 23 Dec 2009 14:44:51 -0500
4075
2187apache2 (2.2.14-4) unstable; urgency=low4076apache2 (2.2.14-4) unstable; urgency=low
21884077
2189 * Disable localized error pages again by default because they break4078 * Disable localized error pages again by default because they break
@@ -2234,6 +4123,17 @@ apache2 (2.2.14-2) unstable; urgency=medium
22344123
2235 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +01004124 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +0100
22364125
4126apache2 (2.2.14-1ubuntu1) lucid; urgency=low
4127
4128 * Merge from debian testing, remaining changes:
4129 - debian/{control, rules}: Enable PIE hardening.
4130 - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
4131 - debian/conrol: Add bzr tag and point it to our tree.
4132 - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
4133 Already applied upstream.
4134
4135 -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 00:29:03 +0000
4136
2237apache2 (2.2.14-1) unstable; urgency=low4137apache2 (2.2.14-1) unstable; urgency=low
22384138
2239 * New upstream version:4139 * New upstream version:
@@ -2268,6 +4168,24 @@ apache2 (2.2.13-1) unstable; urgency=low
22684168
2269 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +02004169 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +0200
22704170
4171apache2 (2.2.12-1ubuntu2) karmic; urgency=low
4172
4173 * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
4174 - Fix potential segfaults with the use of the legacy ap_rputs() etc
4175 interfaces, in cases where an output filter fails. This happens
4176 frequently after CVE-2009-1891 got fixed. (LP: #409987)
4177
4178 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 17 Aug 2009 15:38:47 -0400
4179
4180apache2 (2.2.12-1ubuntu1) karmic; urgency=low
4181
4182 * Merge from debian unstable, remaining changes:
4183 - debian/{control,rules}: enable PIE hardening.
4184 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4185 - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.
4186
4187 -- Chuck Short <zulcss@ubuntu.com> Tue, 04 Aug 2009 20:04:24 +0100
4188
2271apache2 (2.2.12-1) unstable; urgency=low4189apache2 (2.2.12-1) unstable; urgency=low
22724190
2273 * New upstream release:4191 * New upstream release:
@@ -2315,6 +4233,16 @@ apache2 (2.2.12-1) unstable; urgency=low
23154233
2316 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +02004234 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +0200
23174235
4236apache2 (2.2.11-7ubuntu1) karmic; urgency=low
4237
4238 * Merge from debian unstable, remaining changes: LP: #398130
4239 - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
4240 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4241 - debian/{control,rules}: enable PIE hardening.
4242 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4243
4244 -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 11 Jul 2009 16:34:32 +0530
4245
2318apache2 (2.2.11-7) unstable; urgency=low4246apache2 (2.2.11-7) unstable; urgency=low
23194247
2320 * Security fixes:4248 * Security fixes:
@@ -2329,6 +4257,16 @@ apache2 (2.2.11-7) unstable; urgency=low
23294257
2330 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +02004258 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +0200
23314259
4260apache2 (2.2.11-6ubuntu1) karmic; urgency=low
4261
4262 * Merge from debian unstable, remaining changes:
4263 - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
4264 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4265 - debian/{control,rules}: enable PIE hardening.
4266 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4267
4268 -- Chuck Short <zulcss@ubuntu.com> Tue, 09 Jun 2009 01:01:23 +0100
4269
2332apache2 (2.2.11-6) unstable; urgency=high4270apache2 (2.2.11-6) unstable; urgency=high
23334271
2334 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server4272 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
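Review bot: line 4263 names the patch `203_fix-ssl-timeftm-ignored.dpatch`, but the entries at 4281, 4339 and 4356 call it `203_fix-ssi-timeftm-ignored.dpatch`. The description ("Fix timefmt is ignored when XBitHack is on") fits the `ssi` spelling, so the `ssl` form here and at 4185 and 4239 looks like a typo; anyone tracing when this patch was added and dropped needs to search for both names.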
@@ -2337,6 +4275,16 @@ apache2 (2.2.11-6) unstable; urgency=high
23374275
2338 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +02004276 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +0200
23394277
4278apache2 (2.2.11-5ubuntu1) karmic; urgency=low
4279
4280 * Merge from debian unstable, remaining changes:
4281 - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4282 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4283 - debian/{control,rules}: enable PIE hardening.
4284 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4285
4286 -- Andrew Mitchell <ajmitch@ubuntu.com> Wed, 03 Jun 2009 14:10:54 +1200
4287
2340apache2 (2.2.11-5) unstable; urgency=low4288apache2 (2.2.11-5) unstable; urgency=low
23414289
2342 * Move all binaries into a new package apache2.2-bin and make4290 * Move all binaries into a new package apache2.2-bin and make
@@ -2385,6 +4333,16 @@ apache2 (2.2.11-4) unstable; urgency=low
23854333
2386 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +02004334 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +0200
23874335
4336apache2 (2.2.11-3ubuntu1) karmic; urgency=low
4337
4338 * Merge from debian unstable, remaining changes:
4339 - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4340 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4341 - debian/{control,rules}: enable PIE hardening.
4342 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4343
4344 -- Andrew Mitchell <ajmitch@ubuntu.com> Tue, 12 May 2009 16:15:34 +1200
4345
2388apache2 (2.2.11-3) unstable; urgency=low4346apache2 (2.2.11-3) unstable; urgency=low
23894347
2390 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap4348 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
@@ -2393,6 +4351,21 @@ apache2 (2.2.11-3) unstable; urgency=low
23934351
2394 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +02004352 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +0200
23954353
4354apache2 (2.2.11-2ubuntu2) jaunty; urgency=low
4355
4356 * debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4357 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4358
4359 -- Chuck Short <zulcss@ubuntu.com> Wed, 01 Apr 2009 11:39:17 -0400
4360
4361apache2 (2.2.11-2ubuntu1) jaunty; urgency=low
4362
4363 * Merge from debian unstable, remaining changes:
4364 - debian/{contro,rules}: enable PIE hardening.
4365 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4366
4367 -- Chuck Short <zulcss@ubuntu.com> Sat, 17 Jan 2009 00:02:55 +0000
4368
2396apache2 (2.2.11-2) unstable; urgency=low4369apache2 (2.2.11-2) unstable; urgency=low
23974370
2398 * Report an error instead instead of segfaulting when apr_pollset_create4371 * Report an error instead instead of segfaulting when apr_pollset_create
@@ -2402,6 +4375,14 @@ apache2 (2.2.11-2) unstable; urgency=low
24024375
2403 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +01004376 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +0100
24044377
4378apache2 (2.2.11-1ubuntu1) jaunty; urgency=low
4379
4380 * Merge from debian unstable, remaining changes:
4381 - debian/{control, rules}: enable PIE hardening.
4382 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4383
4384 -- Chuck Short <zulcss@ubuntu.com> Mon, 15 Dec 2008 00:06:50 +0000
4385
2405apache2 (2.2.11-1) unstable; urgency=low4386apache2 (2.2.11-1) unstable; urgency=low
24064387
2407 [Thom May]4388 [Thom May]
@@ -2416,6 +4397,14 @@ apache2 (2.2.11-1) unstable; urgency=low
24164397
2417 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +01004398 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +0100
24184399
4400apache2 (2.2.9-11ubuntu1) jaunty; urgency=low
4401
4402 * Merge from debian unstable, remaining changes: (LP: #303375)
4403 - debian/{control, rules}: enable PIE hardening.
4404 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4405
4406 -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 29 Nov 2008 14:02:31 +0530
4407
2419apache2 (2.2.9-11) unstable; urgency=low4408apache2 (2.2.9-11) unstable; urgency=low
24204409
2421 * Regression fix from upstream svn for mod_proxy:4410 * Regression fix from upstream svn for mod_proxy:
@@ -2430,6 +4419,14 @@ apache2 (2.2.9-11) unstable; urgency=low
24304419
2431 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +01004420 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +0100
24324421
4422apache2 (2.2.9-10ubuntu1) jaunty; urgency=low
4423
4424 * Merge from debian unstable, remaining changes:
4425 - debian/{control, rules}: enable PIE hardening.
4426 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4427
4428 -- Chuck Short <zulcss@ubuntu.com> Wed, 05 Nov 2008 02:23:18 -0400
4429
2433apache2 (2.2.9-10) unstable; urgency=low4430apache2 (2.2.9-10) unstable; urgency=low
24344431
2435 * Regression fix from upstream svn for mod_proxy_http:4432 * Regression fix from upstream svn for mod_proxy_http:
@@ -2460,6 +4457,27 @@ apache2 (2.2.9-8) unstable; urgency=low
24604457
2461 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +02004458 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +0200
24624459
4460apache2 (2.2.9-7ubuntu3) intrepid; urgency=low
4461
4462 * Revert logrotate change since it will break it for everyone.
4463
4464 -- Chuck Short <zulcss@ubuntu.com> Fri, 19 Sep 2008 09:32:01 -0400
4465
4466apache2 (2.2.9-7ubuntu2) intrepid; urgency=low
4467
4468 * debian/logrotate: Restart rather than reload for busy websites.
4469 (LP: #270899)
4470
4471 -- Chuck Short <zulcss@ubuntu.com> Thu, 18 Sep 2008 08:42:22 -0400
4472
4473apache2 (2.2.9-7ubuntu1) intrepid; urgency=low
4474
4475 * Merge from debian unstable, remaining changes:
4476 - debian/{control,rules}: enable PIE hardening.
4477 - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles.
4478
4479 -- Kees Cook <kees@ubuntu.com> Thu, 28 Aug 2008 08:10:59 -0700
4480
2463apache2 (2.2.9-7) unstable; urgency=low4481apache2 (2.2.9-7) unstable; urgency=low
24644482
2465 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).4483 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).
@@ -2502,6 +4520,23 @@ apache2 (2.2.9-4) unstable; urgency=low
25024520
2503 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +02004521 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +0200
25044522
4523apache2 (2.2.9-3ubuntu2) intrepid; urgency=low
4524
4525 * add ufw integration (see
4526 https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages)
4527 (LP: #261198)
4528 - debian/control: suggest ufw for apache2.2-common
4529 - add apache2.2-common.ufw.profile with 3 profiles and install it to
4530 /etc/ufw/applications.d/apache2.2-common
4531
4532 -- Didier Roche <didrocks@ubuntu-fr.org> Tue, 26 Aug 2008 19:03:42 +0200
4533
4534apache2 (2.2.9-3ubuntu1) intrepid; urgency=low
4535
4536 * debian/{control,rules}: enable PIE hardening
4537
4538 -- Kees Cook <kees@ubuntu.com> Wed, 20 Aug 2008 15:45:00 -0700
4539
2505apache2 (2.2.9-3) unstable; urgency=low4540apache2 (2.2.9-3) unstable; urgency=low
25064541
2507 [ Stefan Fritsch ]4542 [ Stefan Fritsch ]
@@ -4072,9 +6107,7 @@ apache2 (2.0.37-1) unstable; urgency=low
4072 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +01006107 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +0100
40736108
4074apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low6109apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low
4075
4076 * New upstream release6110 * New upstream release
4077
4078 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +01006111 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +0100
40796112
4080apache2 (2.0.36-2) unstable; urgency=low6113apache2 (2.0.36-2) unstable; urgency=low
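Review bot: the only change in this hunk is whitespace: the blank lines before and after `* New upstream release` in the 2.0.37+cvs.JCW_PRE2_2037-1 entry are dropped relative to the Debian side. That leaves a formatting-only difference in a 2002 entry that has to be carried on every future merge; restoring the two blank lines so the entry matches Debian's would take it out of the delta.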
@@ -4582,3 +6615,4 @@ apache2 (2.0.18-1) unstable; urgency=low
4582 * Initial Release.6615 * Initial Release.
45836616
4584 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +10006617 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +1000
6618
diff --git a/debian/control b/debian/control
index af2505a..900f549 100644
--- a/debian/control
+++ b/debian/control
@@ -1,5 +1,6 @@
1Source: apache21Source: apache2
2Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>2Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
3XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
3Uploaders: Stefan Fritsch <sf@debian.org>,4Uploaders: Stefan Fritsch <sf@debian.org>,
4 Arno Töll <arno@debian.org>,5 Arno Töll <arno@debian.org>,
5 Ondřej Surý <ondrej@debian.org>,6 Ondřej Surý <ondrej@debian.org>,
@@ -44,7 +45,8 @@ Depends: apache2-bin (= ${binary:Version}),
44Recommends: ssl-cert45Recommends: ssl-cert
45Suggests: apache2-doc,46Suggests: apache2-doc,
46 apache2-suexec-pristine | apache2-suexec-custom,47 apache2-suexec-pristine | apache2-suexec-custom,
47 www-browser48 www-browser,
49 ufw
48Pre-Depends: ${misc:Pre-Depends}50Pre-Depends: ${misc:Pre-Depends}
49Provides: httpd,51Provides: httpd,
50 httpd-cgi52 httpd-cgi
diff --git a/debian/icons/ubuntu-logo.png b/debian/icons/ubuntu-logo.png
51new file mode 10064453new file mode 100644
index 0000000..eee686c
52Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ54Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ
diff --git a/debian/index.html b/debian/index.html
index 766401d..9c90ef4 100644
--- a/debian/index.html
+++ b/debian/index.html
@@ -1,9 +1,13 @@
1
2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">1<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3<html xmlns="http://www.w3.org/1999/xhtml">2<html xmlns="http://www.w3.org/1999/xhtml">
3 <!--
4 Modified from the Debian original for Ubuntu
5 Last updated: 2022-03-22
6 See: https://launchpad.net/bugs/1966004
7 -->
4 <head>8 <head>
5 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />9 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
6 <title>Apache2 Debian Default Page: It works</title>10 <title>Apache2 Ubuntu Default Page: It works</title>
7 <style type="text/css" media="screen">11 <style type="text/css" media="screen">
8 * {12 * {
9 margin: 0px 0px 0px 0px;13 margin: 0px 0px 0px 0px;
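Review bot: the `Last updated: 2022-03-22` line in the new header comment is a hand-maintained date that nothing in this hunk ties to the packaging, so it will drift the next time the page is edited. Consider dropping the date and keeping the `See: https://launchpad.net/bugs/1966004` reference, which already points at the history of the change.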
@@ -15,7 +19,7 @@
1519
16 background-color: #D8DBE2;20 background-color: #D8DBE2;
1721
18 font-family: Verdana, sans-serif;22 font-family: Ubuntu, Verdana, sans-serif;
19 font-size: 11pt;23 font-size: 11pt;
20 text-align: center;24 text-align: center;
21 }25 }
@@ -41,7 +45,7 @@
41 }45 }
4246
43 div.page_header {47 div.page_header {
44 height: 99px;48 height: 180px;
45 width: 100%;49 width: 100%;
4650
47 background-color: #F5F6F7;51 background-color: #F5F6F7;
@@ -60,6 +64,19 @@
60 border: 0px 0px 0px;64 border: 0px 0px 0px;
61 }65 }
6266
67 div.banner {
68 padding: 9px 6px 9px 6px;
69 background-color: #E9510E;
70 color: #FFFFFF;
71 font-weight: bold;
72 font-size: 112%;
73 text-align: center;
74 position: absolute;
75 left: 40%;
76 bottom: 30px;
77 width: 20%;
78 }
79
63 div.table_of_contents {80 div.table_of_contents {
64 clear: left;81 clear: left;
6582
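Review bot: `div.banner` is placed with `position: absolute`, `left: 40%` and `bottom: 30px`, but nothing in this hunk shows a positioned ancestor, so please confirm that `div.page_header` sets `position: relative`; without it the banner is positioned against the page rather than the header. The fixed `width: 20%` will also wrap or clip the banner text on narrow viewports; a `min-width`, or centring by margin instead of `left`, would be more robust.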
@@ -136,10 +153,6 @@
136 text-align: center;153 text-align: center;
137 }154 }
138155
139 div.section_header_red {
140 background-color: #CD214F;
141 }
142
143 div.section_header_grey {156 div.section_header_grey {
144 background-color: #9F9386;157 background-color: #9F9386;
145 }158 }
@@ -188,46 +201,31 @@
188 <body>201 <body>
189 <div class="main_page">202 <div class="main_page">
190 <div class="page_header floating_element">203 <div class="page_header floating_element">
191 <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/>204 <img src="icons/ubuntu-logo.png" alt="Ubuntu Logo"
192 <span class="floating_element">205 style="width:184px;height:146px;" class="floating_element" />
193 Apache2 Debian Default Page206 <div>
194 </span>207 <span style="margin-top: 1.5em;" class="floating_element">
195 </div>208 Apache2 Default Page
196<!-- <div class="table_of_contents floating_element">209 </span>
197 <div class="section_header section_header_grey">
198 TABLE OF CONTENTS
199 </div>
200 <div class="table_of_contents_item floating_element">
201 <a href="#about">About</a>
202 </div>
203 <div class="table_of_contents_item floating_element">
204 <a href="#changes">Changes</a>
205 </div>
206 <div class="table_of_contents_item floating_element">
207 <a href="#scope">Scope</a>
208 </div>
209 <div class="table_of_contents_item floating_element">
210 <a href="#files">Config files</a>
211 </div>210 </div>
212 </div>211 <div class="banner">
213-->
214 <div class="content_section floating_element">
215
216
217 <div class="section_header section_header_red">
218 <div id="about"></div>212 <div id="about"></div>
219 It works!213 It works!
220 </div>214 </div>
215
216 </div>
217 <div class="content_section floating_element">
221 <div class="content_section_text">218 <div class="content_section_text">
222 <p>219 <p>
223 This is the default welcome page used to test the correct 220 This is the default welcome page used to test the correct
224 operation of the Apache2 server after installation on Debian systems.221 operation of the Apache2 server after installation on Ubuntu systems.
222 It is based on the equivalent page on Debian, from which the Ubuntu Apache
223 packaging is derived.
225 If you can read this page, it means that the Apache HTTP server installed at224 If you can read this page, it means that the Apache HTTP server installed at
226 this site is working properly. You should <b>replace this file</b> (located at225 this site is working properly. You should <b>replace this file</b> (located at
227 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.226 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.
228 </p>227 </p>
229228
230
231 <p>229 <p>
232 If you are a normal user of this web site and don't know what this page is230 If you are a normal user of this web site and don't know what this page is
233 about, this probably means that the site is currently unavailable due to231 about, this probably means that the site is currently unavailable due to
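Review bot: the logo reference changes from the root-relative `/icons/openlogo-75.png` to the document-relative `icons/ubuntu-logo.png`, which only resolves when the page is served from a location that has an `icons/` path beside it. If that is intended, a short comment saying where the image is installed would help; otherwise keep the leading slash as the removed line had. The empty `<div id="about"></div>` that now sits inside the banner also has no link pointing to it, since the commented-out table of contents is removed in the same hunk.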
@@ -242,18 +240,17 @@
242 </div>240 </div>
243 <div class="content_section_text">241 <div class="content_section_text">
244 <p>242 <p>
245 Debian's Apache2 default configuration is different from the243 Ubuntu's Apache2 default configuration is different from the
246 upstream default configuration, and split into several files optimized for244 upstream default configuration, and split into several files optimized for
247 interaction with Debian tools. The configuration system is245 interaction with Ubuntu tools. The configuration system is
248 <b>fully documented in246 <b>fully documented in
249 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full247 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full
250 documentation. Documentation for the web server itself can be248 documentation. Documentation for the web server itself can be
251 found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt>249 found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt>
252 package was installed on this server.250 package was installed on this server.
253
254 </p>251 </p>
255 <p>252 <p>
256 The configuration layout for an Apache2 web server installation on Debian systems is as follows:253 The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:
257 </p>254 </p>
258 <pre>255 <pre>
259/etc/apache2/256/etc/apache2/
@@ -308,9 +305,12 @@
308 </li>305 </li>
309306
310 <li>307 <li>
311 The binary is called apache2. Due to the use of308 The binary is called apache2 and is managed using systemd, so to
312 environment variables, in the default configuration, apache2 needs to be309 start/stop the service use <tt>systemctl start apache2</tt> and
313 started/stopped with <tt>/etc/init.d/apache2</tt> or <tt>apache2ctl</tt>.310 <tt>systemctl stop apache2</tt>, and use <tt>systemctl status apache2</tt>
311 and <tt>journalctl -u apache2</tt> to check status. <tt>system</tt>
312 and <tt>apache2ctl</tt> can also be used for service management if
313 desired.
314 <b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the314 <b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the
315 default configuration.315 default configuration.
316 </li>316 </li>
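Review bot: in the rewritten list item, `<tt>system</tt>` looks like a typo, probably for `service`; please correct it before it ships on the default page. The rewrite also drops the removed sentence's reason ("Due to the use of environment variables") while keeping the bold statement that calling `/usr/bin/apache2` directly will not work, so that statement now stands without an explanation; consider keeping the clause.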
@@ -324,8 +324,8 @@
324324
325 <div class="content_section_text">325 <div class="content_section_text">
326 <p>326 <p>
327 By default, Debian does not allow access through the web browser to327 By default, Ubuntu does not allow access through the web browser to
328 <em>any</em> file apart of those located in <tt>/var/www</tt>,328 <em>any</em> file outside of those located in <tt>/var/www</tt>,
329 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>329 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
330 directories (when enabled) and <tt>/usr/share</tt> (for web330 directories (when enabled) and <tt>/usr/share</tt> (for web
331 applications). If your site is using a web document root331 applications). If your site is using a web document root
@@ -333,9 +333,8 @@
333 document root directory in <tt>/etc/apache2/apache2.conf</tt>.333 document root directory in <tt>/etc/apache2/apache2.conf</tt>.
334 </p>334 </p>
335 <p>335 <p>
336 The default Debian document root is <tt>/var/www/html</tt>. You336 The default Ubuntu document root is <tt>/var/www/html</tt>. You
337 can make your own virtual hosts under /var/www. This is different337 can make your own virtual hosts under /var/www.
338 to previous releases which provides better security out of the box.
339 </p>338 </p>
340 </div>339 </div>
341340
@@ -345,24 +344,20 @@
345 </div>344 </div>
346 <div class="content_section_text">345 <div class="content_section_text">
347 <p>346 <p>
348 Please use the <tt>reportbug</tt> tool to report bugs in the347 Please use the <tt>ubuntu-bug</tt> tool to report bugs in the
349 Apache2 package with Debian. However, check <a348 Apache2 package with Ubuntu. However, check <a
350 href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"349 href="https://bugs.launchpad.net/ubuntu/+source/apache2"
351 rel="nofollow">existing bug reports</a> before reporting a new bug.350 rel="nofollow">existing bug reports</a> before reporting a new bug.
352 </p>351 </p>
353 <p>352 <p>
354 Please report bugs specific to modules (such as PHP and others)353 Please report bugs specific to modules (such as PHP and others)
355 to respective packages, not to the web server itself.354 to their respective packages, not to the web server itself.
356 </p>355 </p>
357 </div>356 </div>
358357
359
360
361
362 </div>358 </div>
363 </div>359 </div>
364 <div class="validator">360 <div class="validator">
365 </div>361 </div>
366 </body>362 </body>
367</html>363</html>
368
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index d617b1d..823d9c0 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -17,6 +17,7 @@ debian/icons/odf6otp-20x22.png
17debian/icons/odf6ots-20x22.png17debian/icons/odf6ots-20x22.png
18debian/icons/odf6ott-20x22.png18debian/icons/odf6ott-20x22.png
19debian/icons/openlogo-75.png19debian/icons/openlogo-75.png
20debian/icons/ubuntu-logo.png
20debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml21debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml
21debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php22debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php
22debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml23debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml
