Author: Ubuntu Git Importer
Author Date: 2019-05-07 12:44:24 UTC

DSC file for 2.4.38-2ubuntu3

Author: Dimitri John Ledkov
Author Date: 2019-05-07 09:39:47 UTC

Import patches-unapplied version 2.4.38-2ubuntu3 to ubuntu/eoan-proposed

Imported using git-ubuntu import.

Changelog parent: 966926b3120edbcedd8c5dc2fe9920ebaf6cae97

New changelog entries:
  * Cherrypick upstream testsuite fix:
    - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
  * Similarly use TLSv1.2 for pr12355 and pr43738.

Author: Dimitri John Ledkov
Author Date: 2019-05-07 09:39:47 UTC

Import patches-applied version 2.4.38-2ubuntu3 to applied/ubuntu/eoan-proposed

Imported using git-ubuntu import.

Changelog parent: 9ea5e0d29b07cc576cb16f0e82c1da3095903c57
Unapplied parent: c83fb5dc9e3d206ffd979697e0b63497cdaf81df

New changelog entries:
  * Cherrypick upstream testsuite fix:
    - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
  * Similarly use TLSv1.2 for pr12355 and pr43738.

Author: Dimitri John Ledkov
Author Date: 2019-05-07 09:39:47 UTC

Import patches-applied version 2.4.38-2ubuntu3 to applied/ubuntu/eoan-proposed

Imported using git-ubuntu import.

Changelog parent: 9ea5e0d29b07cc576cb16f0e82c1da3095903c57
Unapplied parent: c83fb5dc9e3d206ffd979697e0b63497cdaf81df

New changelog entries:
  * Cherrypick upstream testsuite fix:
    - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
  * Similarly use TLSv1.2 for pr12355 and pr43738.

Author: Dimitri John Ledkov
Author Date: 2019-05-07 09:39:47 UTC

Import patches-unapplied version 2.4.38-2ubuntu3 to ubuntu/eoan-proposed

Imported using git-ubuntu import.

Changelog parent: 966926b3120edbcedd8c5dc2fe9920ebaf6cae97

New changelog entries:
  * Cherrypick upstream testsuite fix:
    - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
  * Similarly use TLSv1.2 for pr12355 and pr43738.

Author: Dimitri John Ledkov
Author Date: 2019-05-07 09:39:47 UTC

Import patches-applied version 2.4.38-2ubuntu3 to applied/ubuntu/eoan-proposed

Imported using git-ubuntu import.

Changelog parent: 9ea5e0d29b07cc576cb16f0e82c1da3095903c57
Unapplied parent: c83fb5dc9e3d206ffd979697e0b63497cdaf81df

New changelog entries:
  * Cherrypick upstream testsuite fix:
    - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
  * Similarly use TLSv1.2 for pr12355 and pr43738.

Author: Dimitri John Ledkov
Author Date: 2019-05-07 09:39:47 UTC

Import patches-unapplied version 2.4.38-2ubuntu3 to ubuntu/eoan-proposed

Imported using git-ubuntu import.

Changelog parent: 966926b3120edbcedd8c5dc2fe9920ebaf6cae97

New changelog entries:
  * Cherrypick upstream testsuite fix:
    - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
  * Similarly use TLSv1.2 for pr12355 and pr43738.

Author: Dimitri John Ledkov
Author Date: 2019-05-07 09:39:47 UTC

Import patches-unapplied version 2.4.38-2ubuntu3 to ubuntu/eoan-proposed

Imported using git-ubuntu import.

Changelog parent: 966926b3120edbcedd8c5dc2fe9920ebaf6cae97

New changelog entries:
  * Cherrypick upstream testsuite fix:
    - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
  * Similarly use TLSv1.2 for pr12355 and pr43738.

Author: Dimitri John Ledkov
Author Date: 2019-05-07 09:39:47 UTC

Import patches-applied version 2.4.38-2ubuntu3 to applied/ubuntu/eoan-proposed

Imported using git-ubuntu import.

Changelog parent: 9ea5e0d29b07cc576cb16f0e82c1da3095903c57
Unapplied parent: c83fb5dc9e3d206ffd979697e0b63497cdaf81df

New changelog entries:
  * Cherrypick upstream testsuite fix:
    - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
  * Similarly use TLSv1.2 for pr12355 and pr43738.

Author: Ubuntu Git Importer
Author Date: 2019-04-27 10:52:42 UTC

DSC file for 2.4.25-3+deb9u7

Author: Stefan Fritsch
Author Date: 2019-04-02 19:05:13 UTC

Import patches-applied version 2.4.25-3+deb9u7 to applied/debian/stretch

Imported using git-ubuntu import.

Changelog parent: acf76141e54bba53396cd90efe2afd347d111e62
Unapplied parent: 6937d77f8862904a391f441cc8e3b08b4f416ea9

New changelog entries:
  [ Xavier Guimard ]
  * CVE-2018-17199: mode_session: Fix missing check for session expiry time.
    Closes: #920303
  [ Stefan Fritsch ]
  * mod_http2: Fix keepalive timeout behavior. This fixes a regression with
    Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103
  * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
    Closes: #904150
  * CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies.
    Closes: #920302
  * CVE-2019-0196: mod_http2: Fix read after free
  * CVE-2019-0211: All MPMs: privilege escalation from www-data user to root.
  * CVE-2019-0217: mod_auth_digest: Access control bypass
  * CVE-2019-0220: URL normalization inconsistincy.
    Consecutive slashes in URL's are now merged before use in LocationMatch
    and RewriteRule. The old behavior can be restored with the new directive
    "MergeSlashes off".

Author: Stefan Fritsch
Author Date: 2019-04-02 19:05:13 UTC

Import patches-unapplied version 2.4.25-3+deb9u7 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: b408c29c36dd316a29de39410df8cdb08a633bd0

New changelog entries:
  [ Xavier Guimard ]
  * CVE-2018-17199: mode_session: Fix missing check for session expiry time.
    Closes: #920303
  [ Stefan Fritsch ]
  * mod_http2: Fix keepalive timeout behavior. This fixes a regression with
    Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103
  * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
    Closes: #904150
  * CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies.
    Closes: #920302
  * CVE-2019-0196: mod_http2: Fix read after free
  * CVE-2019-0211: All MPMs: privilege escalation from www-data user to root.
  * CVE-2019-0217: mod_auth_digest: Access control bypass
  * CVE-2019-0220: URL normalization inconsistincy.
    Consecutive slashes in URL's are now merged before use in LocationMatch
    and RewriteRule. The old behavior can be restored with the new directive
    "MergeSlashes off".

Author: Stefan Fritsch
Author Date: 2019-04-07 18:15:40 UTC

Import patches-applied version 2.4.38-3 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 51a0ddced04f55fe833211d6e9b0b1318b712b76
Unapplied parent: 6b6d562a8245fbcfa0b5f693bbf940d2301fbd96

New changelog entries:
  [ Marc Deslauriers ]
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220
  [ Stefan Fritsch ]
  * Pull security fixes from 2.4.39 via Ubuntu
  * CVE-2019-0197: mod_http2: Fix possible crash on late upgrade

Author: Stefan Fritsch
Author Date: 2019-04-07 18:15:40 UTC

Import patches-unapplied version 2.4.38-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 847b2dd6c945b42d4b49bbc8fbb24a7dd4fc4897

New changelog entries:
  [ Marc Deslauriers ]
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220
  [ Stefan Fritsch ]
  * Pull security fixes from 2.4.39 via Ubuntu
  * CVE-2019-0197: mod_http2: Fix possible crash on late upgrade

Author: Stefan Fritsch
Author Date: 2019-04-07 18:15:40 UTC

Import patches-applied version 2.4.38-3 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 51a0ddced04f55fe833211d6e9b0b1318b712b76
Unapplied parent: 6b6d562a8245fbcfa0b5f693bbf940d2301fbd96

New changelog entries:
  [ Marc Deslauriers ]
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220
  [ Stefan Fritsch ]
  * Pull security fixes from 2.4.39 via Ubuntu
  * CVE-2019-0197: mod_http2: Fix possible crash on late upgrade

Author: Stefan Fritsch
Author Date: 2019-04-07 18:15:40 UTC

Import patches-unapplied version 2.4.38-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 847b2dd6c945b42d4b49bbc8fbb24a7dd4fc4897

New changelog entries:
  [ Marc Deslauriers ]
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220
  [ Stefan Fritsch ]
  * Pull security fixes from 2.4.39 via Ubuntu
  * CVE-2019-0197: mod_http2: Fix possible crash on late upgrade

Author: Marc Deslauriers
Author Date: 2019-04-03 13:22:37 UTC

Import patches-applied version 2.4.29-1ubuntu4.6 to applied/ubuntu/bionic-security

Imported using git-ubuntu import.

Changelog parent: 4e898b28cf295246bc4e0ce078b9ce92b6928606
Unapplied parent: b4778fee97c002a34fab99b468708b6031d27626

New changelog entries:
  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 12:50:09 UTC

Import patches-unapplied version 2.4.34-1ubuntu2.1 to ubuntu/cosmic-security

Imported using git-ubuntu import.

Changelog parent: c01ee5a6ff12c19ca89f37cf3f112ad04e0d951b

New changelog entries:
  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 14:37:52 UTC

Import patches-unapplied version 2.4.7-1ubuntu4.22 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 0b650c8ba19c535d768b044a174fd3f34c865882

New changelog entries:
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199-pre1.patch: properly handle sessions
      that could not be decoded in modules/session/mod_session.c.
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 13:34:47 UTC

Import patches-unapplied version 2.4.18-2ubuntu3.10 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: d7a2c9922f3a2122925aa4b3b2aa3b47a52eb920

New changelog entries:
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 14:37:52 UTC

Import patches-unapplied version 2.4.7-1ubuntu4.22 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 0b650c8ba19c535d768b044a174fd3f34c865882

New changelog entries:
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199-pre1.patch: properly handle sessions
      that could not be decoded in modules/session/mod_session.c.
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 14:37:52 UTC

Import patches-applied version 2.4.7-1ubuntu4.22 to applied/ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: dd6ba45dddfe265a828be6fbc0a1cc26339c9a5e
Unapplied parent: 0e68b70f753dfa4a40d2a603a27163b26ddeaa21

New changelog entries:
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199-pre1.patch: properly handle sessions
      that could not be decoded in modules/session/mod_session.c.
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 12:50:09 UTC

Import patches-applied version 2.4.34-1ubuntu2.1 to applied/ubuntu/cosmic-security

Imported using git-ubuntu import.

Changelog parent: 66cf474c05f5ccc50455c09ae4e45aef8ed1793f
Unapplied parent: 245ef397d9af30ddfcda49d53654a760ea7a8e5d

New changelog entries:
  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 13:34:47 UTC

Import patches-unapplied version 2.4.18-2ubuntu3.10 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: d7a2c9922f3a2122925aa4b3b2aa3b47a52eb920

New changelog entries:
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 12:50:09 UTC

Import patches-applied version 2.4.34-1ubuntu2.1 to applied/ubuntu/cosmic-security

Imported using git-ubuntu import.

Changelog parent: 66cf474c05f5ccc50455c09ae4e45aef8ed1793f
Unapplied parent: 245ef397d9af30ddfcda49d53654a760ea7a8e5d

New changelog entries:
  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 13:34:47 UTC

Import patches-applied version 2.4.18-2ubuntu3.10 to applied/ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 041036cbb488e4081930732e86d7bef90544f695
Unapplied parent: 968d270b6c23720cf71160d4025998be6891eaf9

New changelog entries:
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 13:22:37 UTC

Import patches-unapplied version 2.4.29-1ubuntu4.6 to ubuntu/bionic-security

Imported using git-ubuntu import.

Changelog parent: cafd33c017ea25062f023347aed73e9241a8f4a3

New changelog entries:
  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 14:37:52 UTC

Import patches-applied version 2.4.7-1ubuntu4.22 to applied/ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: dd6ba45dddfe265a828be6fbc0a1cc26339c9a5e
Unapplied parent: 0e68b70f753dfa4a40d2a603a27163b26ddeaa21

New changelog entries:
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199-pre1.patch: properly handle sessions
      that could not be decoded in modules/session/mod_session.c.
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 13:22:37 UTC

Import patches-unapplied version 2.4.29-1ubuntu4.6 to ubuntu/bionic-security

Imported using git-ubuntu import.

Changelog parent: cafd33c017ea25062f023347aed73e9241a8f4a3

New changelog entries:
  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 13:34:47 UTC

Import patches-unapplied version 2.4.18-2ubuntu3.10 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: d7a2c9922f3a2122925aa4b3b2aa3b47a52eb920

New changelog entries:
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 13:34:47 UTC

Import patches-applied version 2.4.18-2ubuntu3.10 to applied/ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 041036cbb488e4081930732e86d7bef90544f695
Unapplied parent: 968d270b6c23720cf71160d4025998be6891eaf9

New changelog entries:
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 14:37:52 UTC

Import patches-unapplied version 2.4.7-1ubuntu4.22 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 0b650c8ba19c535d768b044a174fd3f34c865882

New changelog entries:
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199-pre1.patch: properly handle sessions
      that could not be decoded in modules/session/mod_session.c.
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 12:50:09 UTC

Import patches-applied version 2.4.34-1ubuntu2.1 to applied/ubuntu/cosmic-security

Imported using git-ubuntu import.

Changelog parent: 66cf474c05f5ccc50455c09ae4e45aef8ed1793f
Unapplied parent: 245ef397d9af30ddfcda49d53654a760ea7a8e5d

New changelog entries:
  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 13:22:37 UTC

Import patches-applied version 2.4.29-1ubuntu4.6 to applied/ubuntu/bionic-security

Imported using git-ubuntu import.

Changelog parent: 4e898b28cf295246bc4e0ce078b9ce92b6928606
Unapplied parent: b4778fee97c002a34fab99b468708b6031d27626

New changelog entries:
  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 13:34:47 UTC

Import patches-applied version 2.4.18-2ubuntu3.10 to applied/ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 041036cbb488e4081930732e86d7bef90544f695
Unapplied parent: 968d270b6c23720cf71160d4025998be6891eaf9

New changelog entries:
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 13:22:37 UTC

Import patches-unapplied version 2.4.29-1ubuntu4.6 to ubuntu/bionic-security

Imported using git-ubuntu import.

Changelog parent: cafd33c017ea25062f023347aed73e9241a8f4a3

New changelog entries:
  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 12:50:09 UTC

Import patches-unapplied version 2.4.34-1ubuntu2.1 to ubuntu/cosmic-security

Imported using git-ubuntu import.

Changelog parent: c01ee5a6ff12c19ca89f37cf3f112ad04e0d951b

New changelog entries:
  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 14:37:52 UTC

Import patches-applied version 2.4.7-1ubuntu4.22 to applied/ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: dd6ba45dddfe265a828be6fbc0a1cc26339c9a5e
Unapplied parent: 0e68b70f753dfa4a40d2a603a27163b26ddeaa21

New changelog entries:
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199-pre1.patch: properly handle sessions
      that could not be decoded in modules/session/mod_session.c.
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 12:50:09 UTC

Import patches-unapplied version 2.4.34-1ubuntu2.1 to ubuntu/cosmic-security

Imported using git-ubuntu import.

Changelog parent: c01ee5a6ff12c19ca89f37cf3f112ad04e0d951b

New changelog entries:
  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 13:22:37 UTC

Import patches-applied version 2.4.29-1ubuntu4.6 to applied/ubuntu/bionic-security

Imported using git-ubuntu import.

Changelog parent: 4e898b28cf295246bc4e0ce078b9ce92b6928606
Unapplied parent: b4778fee97c002a34fab99b468708b6031d27626

New changelog entries:
  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 18:31:46 UTC

Import patches-unapplied version 2.4.38-2ubuntu2 to ubuntu/disco-proposed

Imported using git-ubuntu import.

Changelog parent: 065c91fc0057a94d466f1f3589984b27fcfbf53c

New changelog entries:
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 18:31:46 UTC

Import patches-unapplied version 2.4.38-2ubuntu2 to ubuntu/disco-proposed

Imported using git-ubuntu import.

Changelog parent: 065c91fc0057a94d466f1f3589984b27fcfbf53c

New changelog entries:
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 18:31:46 UTC

Import patches-unapplied version 2.4.38-2ubuntu2 to ubuntu/disco-proposed

Imported using git-ubuntu import.

Changelog parent: 065c91fc0057a94d466f1f3589984b27fcfbf53c

New changelog entries:
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 18:31:46 UTC

Import patches-applied version 2.4.38-2ubuntu2 to applied/ubuntu/disco-proposed

Imported using git-ubuntu import.

Changelog parent: d593a21e22d85e50dc60ffd3e9c13cf039af641d
Unapplied parent: 7a185371bbc4fd4f8c2330f18999f124d1483f6c

New changelog entries:
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 18:31:46 UTC

Import patches-applied version 2.4.38-2ubuntu2 to applied/ubuntu/disco-proposed

Imported using git-ubuntu import.

Changelog parent: d593a21e22d85e50dc60ffd3e9c13cf039af641d
Unapplied parent: 7a185371bbc4fd4f8c2330f18999f124d1483f6c

New changelog entries:
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Marc Deslauriers
Author Date: 2019-04-03 18:31:46 UTC

Import patches-applied version 2.4.38-2ubuntu2 to applied/ubuntu/disco-proposed

Imported using git-ubuntu import.

Changelog parent: d593a21e22d85e50dc60ffd3e9c13cf039af641d
Unapplied parent: 7a185371bbc4fd4f8c2330f18999f124d1483f6c

New changelog entries:
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Author: Andreas Hasenack
Author Date: 2018-11-23 19:45:20 UTC

Import patches-applied version 2.4.7-1ubuntu4.21 to applied/ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: c927cf7dc322d0d42878387def4606c12d83f830
Unapplied parent: 56356e86d2b58595a3e370f8ff50c74ff857c99a

New changelog entries:
  * d/p/AuthzProviderAlias-visibility.patch: Allow <AuthzProviderAlias>'es
    to be seen from auth stanzas under virtual hosts (LP: #1529355)

Author: Andreas Hasenack
Author Date: 2018-11-23 19:45:20 UTC

Import patches-unapplied version 2.4.7-1ubuntu4.21 to ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: b6bc6bdec9edcafb645ba0012ba945909c0a4445

New changelog entries:
  * d/p/AuthzProviderAlias-visibility.patch: Allow <AuthzProviderAlias>'es
    to be seen from auth stanzas under virtual hosts (LP: #1529355)

Author: Andreas Hasenack
Author Date: 2018-10-10 18:59:25 UTC

Import patches-unapplied version 2.4.29-1ubuntu4.5 to ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: 7a4ca66b9ce3095183ac8bc28c5d484434de2bf0

New changelog entries:
  * d/debhelper/apache2-maintscript-helper: fix typo in apache2_switch_mpm()'s
    a2query call. (LP: #1782806)

Author: Andreas Hasenack
Author Date: 2018-10-10 18:59:25 UTC

Import patches-applied version 2.4.29-1ubuntu4.5 to applied/ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: b81055e66c4cf7ab82db1b90b857fcc089374347
Unapplied parent: 4158522166a47a6293f5ba95c69a25c6e227be49

New changelog entries:
  * d/debhelper/apache2-maintscript-helper: fix typo in apache2_switch_mpm()'s
    a2query call. (LP: #1782806)

Author: Marc Deslauriers
Author Date: 2018-10-03 13:57:22 UTC

Import patches-applied version 2.4.34-1ubuntu2 to applied/ubuntu/cosmic-proposed

Imported using git-ubuntu import.

Changelog parent: 5ee6fd8ed95918bf0ee925dea807050d1eb973de
Unapplied parent: 3f7f83fc1fbbeb37142f2b0b6388c60e9e3e8ec0

New changelog entries:
  * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
    - debian/patches/CVE-2018-11763.patch: rework connection IO event
      handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
      modules/http2/h2_version.h.
    - CVE-2018-11763

Author: Marc Deslauriers
Author Date: 2018-10-03 13:57:22 UTC

Import patches-unapplied version 2.4.34-1ubuntu2 to ubuntu/cosmic-proposed

Imported using git-ubuntu import.

Changelog parent: 54cf94ea486abd9b821825e9707ccbab064f95a2

New changelog entries:
  * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
    - debian/patches/CVE-2018-11763.patch: rework connection IO event
      handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
      modules/http2/h2_version.h.
    - CVE-2018-11763

Author: Marc Deslauriers
Author Date: 2018-10-03 13:57:22 UTC

Import patches-applied version 2.4.34-1ubuntu2 to applied/ubuntu/cosmic-proposed

Imported using git-ubuntu import.

Changelog parent: 5ee6fd8ed95918bf0ee925dea807050d1eb973de
Unapplied parent: 3f7f83fc1fbbeb37142f2b0b6388c60e9e3e8ec0

New changelog entries:
  * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
    - debian/patches/CVE-2018-11763.patch: rework connection IO event
      handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
      modules/http2/h2_version.h.
    - CVE-2018-11763

Author: Marc Deslauriers
Author Date: 2018-10-03 13:57:22 UTC

Import patches-unapplied version 2.4.34-1ubuntu2 to ubuntu/cosmic-proposed

Imported using git-ubuntu import.

Changelog parent: 54cf94ea486abd9b821825e9707ccbab064f95a2

New changelog entries:
  * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
    - debian/patches/CVE-2018-11763.patch: rework connection IO event
      handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
      modules/http2/h2_version.h.
    - CVE-2018-11763

Author: Stefan Fritsch
Author Date: 2018-03-31 09:31:57 UTC

Import patches-applied version 2.4.10-10+deb8u12 to applied/debian/jessie

Imported using git-ubuntu import.

Changelog parent: 00e390572793fa6a05c5e856c4800602946e1a18
Unapplied parent: c4596a9809422583e0b43d77aa93bcc4edb1d15f

New changelog entries:
  * CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap
    when using too small Accept-Language values.
  * CVE-2017-15715: <FilesMatch> bypass with a trailing newline in the file
    name.
    Configure the regular expression engine to match '$' to the end of
    the input string only, excluding matching the end of any embedded
    newline characters. Behavior can be changed with new directive
    'RegexDefaultOptions'.
  * CVE-2018-1283: Tampering of mod_session data for CGI applications.
  * CVE-2018-1301: Possible out of bound access after failure in reading the
    HTTP request
  * CVE-2018-1303: Possible out of bound read in mod_cache_socache
  * CVE-2018-1312: mod_auth_digest: Weak Digest auth nonce generation

Author: Stefan Fritsch
Author Date: 2018-03-31 09:31:57 UTC

Import patches-unapplied version 2.4.10-10+deb8u12 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 2c986900081af76f74ef6d53bd789ecf4497af8e

New changelog entries:
  * CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap
    when using too small Accept-Language values.
  * CVE-2017-15715: <FilesMatch> bypass with a trailing newline in the file
    name.
    Configure the regular expression engine to match '$' to the end of
    the input string only, excluding matching the end of any embedded
    newline characters. Behavior can be changed with new directive
    'RegexDefaultOptions'.
  * CVE-2018-1283: Tampering of mod_session data for CGI applications.
  * CVE-2018-1301: Possible out of bound access after failure in reading the
    HTTP request
  * CVE-2018-1303: Possible out of bound read in mod_cache_socache
  * CVE-2018-1312: mod_auth_digest: Weak Digest auth nonce generation

Author: Andreas Hasenack
Author Date: 2018-06-07 19:43:03 UTC

Import patches-unapplied version 2.4.18-2ubuntu3.9 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 70003688226c7b2b0040a7bb651616a86e4f1b50

New changelog entries:
  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a not existent file path with IncludeOptional . Closes LP:
    #1766186.

Author: Andreas Hasenack
Author Date: 2018-06-07 19:43:03 UTC

Import patches-applied version 2.4.18-2ubuntu3.9 to applied/ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: b5d462cf6d8bda9c03c94365002304f837714907
Unapplied parent: 1aad28c0a259d04f7e5960d9cb82c3ccfc0b31f7

New changelog entries:
  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a not existent file path with IncludeOptional . Closes LP:
    #1766186.

Author: Andreas Hasenack
Author Date: 2018-06-07 20:53:23 UTC

Import patches-unapplied version 2.4.27-2ubuntu4.2 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: cbc32000dfcc49bf646d2453fa1b15f7c2075c8c

New changelog entries:
  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a not existent file path with IncludeOptional . Closes LP:
    #1766186.

Author: Andreas Hasenack
Author Date: 2018-06-07 20:53:23 UTC

Import patches-applied version 2.4.27-2ubuntu4.2 to applied/ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: fd5338f20b378326a61beb4dbbc6e669e496b4bb
Unapplied parent: 642df2d682545baf86a0432c70bf133875b1f9c6

New changelog entries:
  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a not existent file path with IncludeOptional . Closes LP:
    #1766186.

Author: Andreas Hasenack
Author Date: 2018-06-07 20:53:23 UTC

Import patches-unapplied version 2.4.27-2ubuntu4.2 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: cbc32000dfcc49bf646d2453fa1b15f7c2075c8c

New changelog entries:
  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a not existent file path with IncludeOptional . Closes LP:
    #1766186.

Author: Andreas Hasenack
Author Date: 2018-06-07 20:53:23 UTC

Import patches-applied version 2.4.27-2ubuntu4.2 to applied/ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: fd5338f20b378326a61beb4dbbc6e669e496b4bb
Unapplied parent: 642df2d682545baf86a0432c70bf133875b1f9c6

New changelog entries:
  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a not existent file path with IncludeOptional . Closes LP:
    #1766186.

Author: Andreas Hasenack
Author Date: 2018-06-07 20:53:23 UTC

Import patches-applied version 2.4.27-2ubuntu4.2 to applied/ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: fd5338f20b378326a61beb4dbbc6e669e496b4bb
Unapplied parent: 642df2d682545baf86a0432c70bf133875b1f9c6

New changelog entries:
  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a not existent file path with IncludeOptional . Closes LP:
    #1766186.

Author: Andreas Hasenack
Author Date: 2018-06-07 20:53:23 UTC

Import patches-unapplied version 2.4.27-2ubuntu4.2 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: cbc32000dfcc49bf646d2453fa1b15f7c2075c8c

New changelog entries:
  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a not existent file path with IncludeOptional . Closes LP:
    #1766186.

Author: Marc Deslauriers
Author Date: 2018-04-18 14:20:05 UTC

Import patches-applied version 2.4.27-2ubuntu4.1 to applied/ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: 4cbcac15d53554def83f1ce8815ed41072705790
Unapplied parent: c8d6bd075d7b5cd749d1ab0ab8967330d73fbee5

New changelog entries:
  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: incorrect <FilesMatch> matching
    - debian/patches/CVE-2017-15715.patch: allow to configure
      global/default options for regexes, like caseless matching or
      extended format in include/ap_regex.h, server/core.c,
      server/util_pcre.c.
    - CVE-2017-15715
  * SECURITY UPDATE: mod_session header manipulation
    - debian/patches/CVE-2018-1283.patch: strip Session header when
      SessionEnv is on in modules/session/mod_session.c.
    - CVE-2018-1283
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: mod_cache_socache DoS
    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
      to carriage return in modules/cache/mod_cache_socache.c.
    - CVE-2018-1303
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

Author: Marc Deslauriers
Author Date: 2018-04-18 14:20:05 UTC

Import patches-unapplied version 2.4.27-2ubuntu4.1 to ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: c7c79f29748d24bb5f9fbc71b131aef8cc4117c2

New changelog entries:
  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: incorrect <FilesMatch> matching
    - debian/patches/CVE-2017-15715.patch: allow to configure
      global/default options for regexes, like caseless matching or
      extended format in include/ap_regex.h, server/core.c,
      server/util_pcre.c.
    - CVE-2017-15715
  * SECURITY UPDATE: mod_session header manipulation
    - debian/patches/CVE-2018-1283.patch: strip Session header when
      SessionEnv is on in modules/session/mod_session.c.
    - CVE-2018-1283
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: mod_cache_socache DoS
    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
      to carriage return in modules/cache/mod_cache_socache.c.
    - CVE-2018-1303
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

Author: Ubuntu Git Importer
Author Date: 2018-03-31 04:34:04 UTC

pristine-tar data for apache2_2.4.33.orig.tar.bz2

Author: Rafael David Tinoco
Author Date: 2018-03-02 02:19:31 UTC

Import patches-applied version 2.4.29-1ubuntu4 to applied/ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: e6a5ba316444c6a85aad977dc10a7ed7b1e830e3
Unapplied parent: 5f28e42a84d851b044f2aa09adaa6e79ea98871d

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 02:19:31 UTC

Import patches-unapplied version 2.4.29-1ubuntu4 to ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: 37630b8cc1dfd80c1b632f3e56c6a507e68d17be

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Ubuntu Git Importer
Author Date: 2018-03-07 17:08:01 UTC

pristine-tar data for apache2_2.4.29.orig.tar.gz

Author: Marc Deslauriers
Author Date: 2017-09-18 15:08:28 UTC

Import patches-applied version 2.4.25-3ubuntu2.3 to applied/ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: e391d728f15d6a2fa6a4ddde7cf4121ccca6d9d2
Unapplied parent: 4c6e6ab90f12f4ef7f1a84ab40c605c925d42ab3

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:08:28 UTC

Import patches-unapplied version 2.4.25-3ubuntu2.3 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 8840cd42bf40a2c00ee0748841c259cc96f7a7df

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:08:28 UTC

Import patches-unapplied version 2.4.25-3ubuntu2.3 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 8840cd42bf40a2c00ee0748841c259cc96f7a7df

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:08:28 UTC

Import patches-applied version 2.4.25-3ubuntu2.3 to applied/ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: e391d728f15d6a2fa6a4ddde7cf4121ccca6d9d2
Unapplied parent: 4c6e6ab90f12f4ef7f1a84ab40c605c925d42ab3

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:08:28 UTC

Import patches-applied version 2.4.25-3ubuntu2.3 to applied/ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: e391d728f15d6a2fa6a4ddde7cf4121ccca6d9d2
Unapplied parent: 4c6e6ab90f12f4ef7f1a84ab40c605c925d42ab3

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:08:28 UTC

Import patches-unapplied version 2.4.25-3ubuntu2.3 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 8840cd42bf40a2c00ee0748841c259cc96f7a7df

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:05:48 UTC

Import patches-unapplied version 2.4.27-2ubuntu3 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: f09ecdf404a45f84d3f6706d7415653f3faa38d7

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:05:48 UTC

Import patches-applied version 2.4.27-2ubuntu3 to applied/ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: a9d928beb04c919f0eb42bddd3574598261d3b03
Unapplied parent: b854305b2d29d662ed441f6a66952ab5649ed634

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Stefan Fritsch
Author Date: 2017-08-08 19:59:37 UTC

Import patches-unapplied version 2.4.27-4 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: f7ef7e92d24d60f681df739f05081350a628d775

New changelog entries:
  * Use 'invoke-rc.d' instead of init script in logrotate script.
    Closes: #857607
  * Make the apache-htcacheclean init script actually look into
    /etc/default/apache-htcacheclean for its config. LP: #1691495
  * mime.conf: Guard AddOutputFilter INCLUDES with proper <IfModule>.
    LP: #1675184
  * Use 'service' instead of init script in monit example config.
  * Bump Standards-Version to 4.0.1. Other changes:
    - change package priorities from extra to optional
  * Use libprotocol-http2-perl in autopkgtest.
  * Update test suite to svn r1804214.
  * Various tweaks to the test suite autopkgtest to avoid having to skip
    any test.
  * Also remove -DBUILD_DATETIME and -fdebug-prefix-map from config_vars.mk
    to avoid them being used by apxs.
  * deflate.conf: Remove mention of MSIE6

Author: Stefan Fritsch
Author Date: 2017-08-08 19:59:37 UTC

Import patches-applied version 2.4.27-4 to applied/debian/experimental

Imported using git-ubuntu import.

Changelog parent: de4d68c17b6c366eaed7527386ac0b365b227b8c
Unapplied parent: 750c574d225db8c1f1c796236fc6674648ca780c

New changelog entries:
  * Use 'invoke-rc.d' instead of init script in logrotate script.
    Closes: #857607
  * Make the apache-htcacheclean init script actually look into
    /etc/default/apache-htcacheclean for its config. LP: #1691495
  * mime.conf: Guard AddOutputFilter INCLUDES with proper <IfModule>.
    LP: #1675184
  * Use 'service' instead of init script in monit example config.
  * Bump Standards-Version to 4.0.1. Other changes:
    - change package priorities from extra to optional
  * Use libprotocol-http2-perl in autopkgtest.
  * Update test suite to svn r1804214.
  * Various tweaks to the test suite autopkgtest to avoid having to skip
    any test.
  * Also remove -DBUILD_DATETIME and -fdebug-prefix-map from config_vars.mk
    to avoid them being used by apxs.
  * deflate.conf: Remove mention of MSIE6

Author: Marc Deslauriers
Author Date: 2017-06-26 11:57:04 UTC

Import patches-unapplied version 2.4.18-2ubuntu4.2 to ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 0f872b4a1d471912b5ed65424bd22f3e11b801d7

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

Author: Marc Deslauriers
Author Date: 2017-06-26 11:57:04 UTC

Import patches-applied version 2.4.18-2ubuntu4.2 to applied/ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 59181d55c088186b8fdbac93ebfecb6ecb77799b
Unapplied parent: 20f84083a9f4578ac55e63b09549b1abce1b36d7

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

Author: Marc Deslauriers
Author Date: 2017-06-26 11:57:04 UTC

Import patches-applied version 2.4.18-2ubuntu4.2 to applied/ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 59181d55c088186b8fdbac93ebfecb6ecb77799b
Unapplied parent: 20f84083a9f4578ac55e63b09549b1abce1b36d7

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

Author: Marc Deslauriers
Author Date: 2017-06-26 11:57:04 UTC

Import patches-unapplied version 2.4.18-2ubuntu4.2 to ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 0f872b4a1d471912b5ed65424bd22f3e11b801d7

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

Author: Marc Deslauriers
Author Date: 2017-06-26 11:57:04 UTC

Import patches-applied version 2.4.18-2ubuntu4.2 to applied/ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 59181d55c088186b8fdbac93ebfecb6ecb77799b
Unapplied parent: 20f84083a9f4578ac55e63b09549b1abce1b36d7

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

Author: Marc Deslauriers
Author Date: 2017-06-26 11:57:04 UTC

Import patches-unapplied version 2.4.18-2ubuntu4.2 to ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 0f872b4a1d471912b5ed65424bd22f3e11b801d7

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

Author: Nish Aravamudan
Author Date: 2017-02-10 16:53:43 UTC

Import patches-applied version 2.4.25-3ubuntu2 to applied/ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: c104dcc49e7323e1d3aca5e7aefae424c3cbd16f
Unapplied parent: 76f1c069823774bac311b0800f8910f2bf6c8124

New changelog entries:
  * Undrop (LP 1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

Author: Nish Aravamudan
Author Date: 2017-02-10 16:53:43 UTC

Import patches-applied version 2.4.25-3ubuntu2 to applied/ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: c104dcc49e7323e1d3aca5e7aefae424c3cbd16f
Unapplied parent: 76f1c069823774bac311b0800f8910f2bf6c8124

New changelog entries:
  * Undrop (LP 1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

Author: Nish Aravamudan
Author Date: 2017-02-10 16:53:43 UTC

Import patches-unapplied version 2.4.25-3ubuntu2 to ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: f110b98a2e759a131e5fa7b6b13c58d73f6c1550

New changelog entries:
  * Undrop (LP 1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

Author: Nish Aravamudan
Author Date: 2017-02-10 16:53:43 UTC

Import patches-unapplied version 2.4.25-3ubuntu2 to ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: f110b98a2e759a131e5fa7b6b13c58d73f6c1550

New changelog entries:
  * Undrop (LP 1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

Author: Mike Gerow
Author Date: 2016-07-21 21:53:00 UTC

Import patches-applied version 2.4.10-1ubuntu1.1~ubuntu14.04.2 to applied/ubuntu/trusty-backports

Imported using git-ubuntu import.

Changelog parent: 46aa6c92efb0b769d76ae9b1fe9cee8bbc0b0593
Unapplied parent: 9cb03113c76117fb38daca7051c91db25f8f1584

New changelog entries:
  * CVE-2016-5387 (LP: #1604209)

Author: Mike Gerow
Author Date: 2016-07-21 21:53:00 UTC

Import patches-unapplied version 2.4.10-1ubuntu1.1~ubuntu14.04.2 to ubuntu/trusty-backports

Imported using git-ubuntu import.

Changelog parent: 3921bce3edba179bfd690db4379555e796b54371

New changelog entries:
  * CVE-2016-5387 (LP: #1604209)

Author: Marc Deslauriers
Author Date: 2016-07-18 18:32:02 UTC

Import patches-applied version 2.4.18-2ubuntu4 to applied/ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: cb13433b66d68a397ea0c2fad1a5bfd4d7f55b42
Unapplied parent: 819fa9479958f93eaff872282c2cf57996094589

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-18 18:32:02 UTC

Import patches-applied version 2.4.18-2ubuntu4 to applied/ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: cb13433b66d68a397ea0c2fad1a5bfd4d7f55b42
Unapplied parent: 819fa9479958f93eaff872282c2cf57996094589

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-18 18:32:02 UTC

Import patches-unapplied version 2.4.18-2ubuntu4 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: e16db65293a582fc13e9b00194ba3287590f5fb6

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-18 18:32:02 UTC

Import patches-unapplied version 2.4.18-2ubuntu4 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: e16db65293a582fc13e9b00194ba3287590f5fb6

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-14 12:39:28 UTC

Import patches-unapplied version 2.4.12-2ubuntu2.1 to ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: 80e107784b66ab740328c0da1c1d81f9e20168dd

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-14 12:39:28 UTC

Import patches-applied version 2.4.12-2ubuntu2.1 to applied/ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: e6ec171e91b9edc24a30947d128dce2db26b5b80
Unapplied parent: b05dcd36cab02c6460e1ea3d187b3a1253061101

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-14 12:50:27 UTC

Import patches-applied version 2.2.22-1ubuntu1.11 to applied/ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: e687fed6ae4aa3ea1612e74d20f48bcecb6c55cc
Unapplied parent: a965cf1db7620c2141bd3a958b48f44351a05e8f

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

Author: Marc Deslauriers
Author Date: 2016-07-14 12:50:27 UTC

Import patches-applied version 2.2.22-1ubuntu1.11 to applied/ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: e687fed6ae4aa3ea1612e74d20f48bcecb6c55cc
Unapplied parent: a965cf1db7620c2141bd3a958b48f44351a05e8f

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.