Author: Ubuntu Git Importer
Author Date: 2018-04-07 18:54:17 UTC

DSC file for 2.4.7-1ubuntu4.19

Author: Rafael David Tinoco
Author Date: 2018-03-02 02:14:42 UTC

Import patches-applied version 2.4.27-2ubuntu4 to applied/ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: f4d42ef15c4bdc89112b82c0bf731f94432d9368
Unapplied parent: 4f6fd1a5ba4b2a4cca9e60aa82586e17aa5ed350

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 01:48:33 UTC

Import patches-unapplied version 2.4.7-1ubuntu4.19 to ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: 4ce8f475fe1a7c4af97f6dc09ecf28efdee0d12b

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-01 18:29:12 UTC

Import patches-applied version 2.4.18-2ubuntu3.7 to applied/ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: e019db1fd84aca1b52b8b21893a5a910d15d1d2d
Unapplied parent: f3fee88407702e1a11ecb42cc43a4c58e7245b18

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-01 18:29:12 UTC

Import patches-applied version 2.4.18-2ubuntu3.7 to applied/ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: e019db1fd84aca1b52b8b21893a5a910d15d1d2d
Unapplied parent: f3fee88407702e1a11ecb42cc43a4c58e7245b18

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 01:48:33 UTC

Import patches-applied version 2.4.7-1ubuntu4.19 to applied/ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: e3ed742db79475a994cf0aeb86af0b47d8482265
Unapplied parent: 64cb5d64c35f0e6e24f73beafdcc2541dfeaa469

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 02:14:42 UTC

Import patches-unapplied version 2.4.27-2ubuntu4 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: c484172d3a6599603ebbf2fbbc81312301b61e72

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-01 18:29:12 UTC

Import patches-unapplied version 2.4.18-2ubuntu3.7 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 1b78f08b4e9adf6bec26ed6ae6ed85a0fc1c5ebd

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 01:48:33 UTC

Import patches-applied version 2.4.7-1ubuntu4.19 to applied/ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: e3ed742db79475a994cf0aeb86af0b47d8482265
Unapplied parent: 64cb5d64c35f0e6e24f73beafdcc2541dfeaa469

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 01:48:33 UTC

Import patches-unapplied version 2.4.7-1ubuntu4.19 to ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: 4ce8f475fe1a7c4af97f6dc09ecf28efdee0d12b

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 02:14:42 UTC

Import patches-applied version 2.4.27-2ubuntu4 to applied/ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: f4d42ef15c4bdc89112b82c0bf731f94432d9368
Unapplied parent: 4f6fd1a5ba4b2a4cca9e60aa82586e17aa5ed350

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-01 18:29:12 UTC

Import patches-unapplied version 2.4.18-2ubuntu3.7 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 1b78f08b4e9adf6bec26ed6ae6ed85a0fc1c5ebd

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 02:14:42 UTC

Import patches-unapplied version 2.4.27-2ubuntu4 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: c484172d3a6599603ebbf2fbbc81312301b61e72

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Ubuntu Git Importer
Author Date: 2018-03-31 04:34:04 UTC

pristine-tar data for apache2_2.4.33.orig.tar.bz2

Author: Ubuntu Git Importer
Author Date: 2018-03-31 04:33:35 UTC

DSC file for 2.4.33-1

Author: Stefan Fritsch
Author Date: 2018-03-30 20:53:13 UTC

Import patches-applied version 2.4.33-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: d8eeb4126b1ab2ef92ceb89629b9edb3a8089b3e
Unapplied parent: 80ec81c53c05d766dea5b8a165d52a9b8073be03

New changelog entries:
  * New upstream version.
    Security fixes:
    - CVE-2017-15710
      Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
    - CVE-2018-1283
      mod_session: CGI-like applications that intend to read from mod_session's
      'SessionEnv ON' could be fooled into reading user-supplied data instead.
    - CVE-2018-1303
      mod_cache_socache: Fix request headers parsing to avoid a possible crash
      with specially crafted input data.
    - CVE-2018-1301
      core: Possible crash with excessively long HTTP request headers.
      Impractical to exploit with a production build and production LogLevel.
    - CVE-2017-15715
      core: Configure the regular expression engine to match '$' to the end of
      the input string only, excluding matching the end of any embedded
      newline characters. Behavior can be changed with new directive
      'RegexDefaultOptions'.
    - CVE-2018-1312
      mod_auth_digest: Fix generation of nonce values to prevent replay
      attacks across servers using a common Digest domain. This change
      may cause problems if used with round robin load balancers. PR 54637
    - CVE-2018-1302
      mod_http2: Potential crash w/ mod_http2.
    - mod_proxy_uwsgi: New UWSGI proxy submodule.
    - mod_md: New experimental module for managing domains across virtual
      hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
      renew certificates.
    - core: silently ignore a not existent file path when IncludeOptional
      is used. Closes: #878920
    - mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980
  * Fix lintian warnings:
    - Include SupportApache-small.png in apache2-doc package instead of
      linking to apache.org, to avoid privacy issues.
    - Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
    - Remove deprecated use of autotools_dev with dh.
    - Add some overrides
  * Bump standards-version to 4.1.2 (no changes)

Author: Stefan Fritsch
Author Date: 2018-03-30 20:53:13 UTC

Import patches-unapplied version 2.4.33-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 4d9e478148bbfba2ec7ea63e425f3425c76e6b42

New changelog entries:
  * New upstream version.
    Security fixes:
    - CVE-2017-15710
      Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
    - CVE-2018-1283
      mod_session: CGI-like applications that intend to read from mod_session's
      'SessionEnv ON' could be fooled into reading user-supplied data instead.
    - CVE-2018-1303
      mod_cache_socache: Fix request headers parsing to avoid a possible crash
      with specially crafted input data.
    - CVE-2018-1301
      core: Possible crash with excessively long HTTP request headers.
      Impractical to exploit with a production build and production LogLevel.
    - CVE-2017-15715
      core: Configure the regular expression engine to match '$' to the end of
      the input string only, excluding matching the end of any embedded
      newline characters. Behavior can be changed with new directive
      'RegexDefaultOptions'.
    - CVE-2018-1312
      mod_auth_digest: Fix generation of nonce values to prevent replay
      attacks across servers using a common Digest domain. This change
      may cause problems if used with round robin load balancers. PR 54637
    - CVE-2018-1302
      mod_http2: Potential crash w/ mod_http2.
    - mod_proxy_uwsgi: New UWSGI proxy submodule.
    - mod_md: New experimental module for managing domains across virtual
      hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
      renew certificates.
    - core: silently ignore a not existent file path when IncludeOptional
      is used. Closes: #878920
    - mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980
  * Fix lintian warnings:
    - Include SupportApache-small.png in apache2-doc package instead of
      linking to apache.org, to avoid privacy issues.
    - Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
    - Remove deprecated use of autotools_dev with dh.
    - Add some overrides
  * Bump standards-version to 4.1.2 (no changes)

Author: Rafael David Tinoco
Author Date: 2018-03-02 02:19:31 UTC

Import patches-applied version 2.4.29-1ubuntu4 to applied/ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: e6a5ba316444c6a85aad977dc10a7ed7b1e830e3
Unapplied parent: 5f28e42a84d851b044f2aa09adaa6e79ea98871d

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 02:19:31 UTC

Import patches-unapplied version 2.4.29-1ubuntu4 to ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: 37630b8cc1dfd80c1b632f3e56c6a507e68d17be

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 02:19:31 UTC

Import patches-applied version 2.4.29-1ubuntu4 to applied/ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: e6a5ba316444c6a85aad977dc10a7ed7b1e830e3
Unapplied parent: 5f28e42a84d851b044f2aa09adaa6e79ea98871d

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 02:19:31 UTC

Import patches-applied version 2.4.29-1ubuntu4 to applied/ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: e6a5ba316444c6a85aad977dc10a7ed7b1e830e3
Unapplied parent: 5f28e42a84d851b044f2aa09adaa6e79ea98871d

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 02:19:31 UTC

Import patches-unapplied version 2.4.29-1ubuntu4 to ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: 37630b8cc1dfd80c1b632f3e56c6a507e68d17be

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 02:19:31 UTC

Import patches-unapplied version 2.4.29-1ubuntu4 to ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: 37630b8cc1dfd80c1b632f3e56c6a507e68d17be

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 02:19:31 UTC

Import patches-unapplied version 2.4.29-1ubuntu4 to ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: 37630b8cc1dfd80c1b632f3e56c6a507e68d17be

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Rafael David Tinoco
Author Date: 2018-03-02 02:19:31 UTC

Import patches-applied version 2.4.29-1ubuntu4 to applied/ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: e6a5ba316444c6a85aad977dc10a7ed7b1e830e3
Unapplied parent: 5f28e42a84d851b044f2aa09adaa6e79ea98871d

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

Author: Ubuntu Git Importer
Author Date: 2018-03-07 17:08:01 UTC

pristine-tar data for apache2_2.4.29.orig.tar.gz

Author: Ondřej Surý
Author Date: 2018-01-14 11:01:58 UTC

Import patches-unapplied version 2.4.29-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e71b57f8076ca227cd6c0a452857cb81a4bad93d

New changelog entries:
  * Add myself to Uploaders
  * Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
  * Run wrap-and-sort -a to canonicalize the debian/ directory
  * Add Build-Depends on libbrotli-dev and enable brotli module

Author: Ondřej Surý
Author Date: 2018-01-14 11:01:58 UTC

Import patches-applied version 2.4.29-2 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 8d719d6975df780d6caf840ed22113f8dd045f9c
Unapplied parent: 56d75fece754701497a67263ac50b21521f0dcb8

New changelog entries:
  * Add myself to Uploaders
  * Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
  * Run wrap-and-sort -a to canonicalize the debian/ directory
  * Add Build-Depends on libbrotli-dev and enable brotli module

Author: Salvatore Bonaccorso
Author Date: 2017-09-19 19:08:12 UTC

Import patches-unapplied version 2.4.10-10+deb8u11 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 4306620a9efc1df641fc3c454f22c7a0dfbdb207

New changelog entries:
  * Non-maintainer upload by the Security Team.
  * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
    (Closes: #876109)
  * CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory

Author: Salvatore Bonaccorso
Author Date: 2017-09-19 19:08:12 UTC

Import patches-applied version 2.4.10-10+deb8u11 to applied/debian/jessie

Imported using git-ubuntu import.

Changelog parent: f10bb6888dcdb129751291b8e96e099037094297
Unapplied parent: 7faa2a42f24a4a238af1b6dc666bd55b0073f690

New changelog entries:
  * Non-maintainer upload by the Security Team.
  * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
    (Closes: #876109)
  * CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory

Author: Salvatore Bonaccorso
Author Date: 2017-09-19 18:58:57 UTC

Import patches-applied version 2.4.25-3+deb9u3 to applied/debian/stretch

Imported using git-ubuntu import.

Changelog parent: e8bdefa73c2e9d5a826873e76a41aa3361a4ee75
Unapplied parent: 01df4c7640452e2e7330777c4e0873fdcbe76a01

New changelog entries:
  * Non-maintainer upload by the Security Team.
  * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
    (Closes: #876109)
  * CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory

Author: Salvatore Bonaccorso
Author Date: 2017-09-19 18:58:57 UTC

Import patches-unapplied version 2.4.25-3+deb9u3 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: 2d4efdff06294a12500b0324e326f72b9aabfd3e

New changelog entries:
  * Non-maintainer upload by the Security Team.
  * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
    (Closes: #876109)
  * CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory

Author: Marc Deslauriers
Author Date: 2017-09-18 15:09:02 UTC

Import patches-unapplied version 2.4.18-2ubuntu3.5 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 910037212e26d3d24ffd68cf603774b05846e16b

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:08:28 UTC

Import patches-unapplied version 2.4.25-3ubuntu2.3 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 8840cd42bf40a2c00ee0748841c259cc96f7a7df

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:08:28 UTC

Import patches-applied version 2.4.25-3ubuntu2.3 to applied/ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: e391d728f15d6a2fa6a4ddde7cf4121ccca6d9d2
Unapplied parent: 4c6e6ab90f12f4ef7f1a84ab40c605c925d42ab3

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:08:28 UTC

Import patches-applied version 2.4.25-3ubuntu2.3 to applied/ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: e391d728f15d6a2fa6a4ddde7cf4121ccca6d9d2
Unapplied parent: 4c6e6ab90f12f4ef7f1a84ab40c605c925d42ab3

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:08:28 UTC

Import patches-unapplied version 2.4.25-3ubuntu2.3 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 8840cd42bf40a2c00ee0748841c259cc96f7a7df

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:10:30 UTC

Import patches-applied version 2.4.7-1ubuntu4.18 to applied/ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: d18d487b4fa5a6f89f87b7f80b893abeb4455d14
Unapplied parent: d9cf5d2585c515aa66767392f492a4aafc0f24b9

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:10:30 UTC

Import patches-unapplied version 2.4.7-1ubuntu4.18 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 181b6d05779ecf34634cb44f74771a9f25cc5387

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:08:28 UTC

Import patches-unapplied version 2.4.25-3ubuntu2.3 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 8840cd42bf40a2c00ee0748841c259cc96f7a7df

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:10:30 UTC

Import patches-unapplied version 2.4.7-1ubuntu4.18 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 181b6d05779ecf34634cb44f74771a9f25cc5387

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:10:30 UTC

Import patches-applied version 2.4.7-1ubuntu4.18 to applied/ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: d18d487b4fa5a6f89f87b7f80b893abeb4455d14
Unapplied parent: d9cf5d2585c515aa66767392f492a4aafc0f24b9

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:09:02 UTC

Import patches-applied version 2.4.18-2ubuntu3.5 to applied/ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 65f80f32bcbb5aa9a5d711ac2f02177f7a6051e3
Unapplied parent: 3ac04d6eed86536b3710848a084f063970ad3419

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:08:28 UTC

Import patches-applied version 2.4.25-3ubuntu2.3 to applied/ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: e391d728f15d6a2fa6a4ddde7cf4121ccca6d9d2
Unapplied parent: 4c6e6ab90f12f4ef7f1a84ab40c605c925d42ab3

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:09:02 UTC

Import patches-applied version 2.4.18-2ubuntu3.5 to applied/ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 65f80f32bcbb5aa9a5d711ac2f02177f7a6051e3
Unapplied parent: 3ac04d6eed86536b3710848a084f063970ad3419

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:09:02 UTC

Import patches-unapplied version 2.4.18-2ubuntu3.5 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 910037212e26d3d24ffd68cf603774b05846e16b

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:05:48 UTC

Import patches-unapplied version 2.4.27-2ubuntu3 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: f09ecdf404a45f84d3f6706d7415653f3faa38d7

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Marc Deslauriers
Author Date: 2017-09-18 15:05:48 UTC

Import patches-applied version 2.4.27-2ubuntu3 to applied/ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: a9d928beb04c919f0eb42bddd3574598261d3b03
Unapplied parent: b854305b2d29d662ed441f6a66952ab5649ed634

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

Author: Stefan Fritsch
Author Date: 2017-08-08 19:59:37 UTC

Import patches-unapplied version 2.4.27-4 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: f7ef7e92d24d60f681df739f05081350a628d775

New changelog entries:
  * Use 'invoke-rc.d' instead of init script in logrotate script.
    Closes: #857607
  * Make the apache-htcacheclean init script actually look into
    /etc/default/apache-htcacheclean for its config. LP: #1691495
  * mime.conf: Guard AddOutputFilter INCLUDES with proper <IfModule>.
    LP: #1675184
  * Use 'service' instead of init script in monit example config.
  * Bump Standards-Version to 4.0.1. Other changes:
    - change package priorities from extra to optional
  * Use libprotocol-http2-perl in autopkgtest.
  * Update test suite to svn r1804214.
  * Various tweaks to the test suite autopkgtest to avoid having to skip
    any test.
  * Also remove -DBUILD_DATETIME and -fdebug-prefix-map from config_vars.mk
    to avoid them being used by apxs.
  * deflate.conf: Remove mention of MSIE6

Author: Stefan Fritsch
Author Date: 2017-08-08 19:59:37 UTC

Import patches-applied version 2.4.27-4 to applied/debian/experimental

Imported using git-ubuntu import.

Changelog parent: de4d68c17b6c366eaed7527386ac0b365b227b8c
Unapplied parent: 750c574d225db8c1f1c796236fc6674648ca780c

New changelog entries:
  * Use 'invoke-rc.d' instead of init script in logrotate script.
    Closes: #857607
  * Make the apache-htcacheclean init script actually look into
    /etc/default/apache-htcacheclean for its config. LP: #1691495
  * mime.conf: Guard AddOutputFilter INCLUDES with proper <IfModule>.
    LP: #1675184
  * Use 'service' instead of init script in monit example config.
  * Bump Standards-Version to 4.0.1. Other changes:
    - change package priorities from extra to optional
  * Use libprotocol-http2-perl in autopkgtest.
  * Update test suite to svn r1804214.
  * Various tweaks to the test suite autopkgtest to avoid having to skip
    any test.
  * Also remove -DBUILD_DATETIME and -fdebug-prefix-map from config_vars.mk
    to avoid them being used by apxs.
  * deflate.conf: Remove mention of MSIE6

Author: Marc Deslauriers
Author Date: 2017-06-26 11:57:04 UTC

Import patches-unapplied version 2.4.18-2ubuntu4.2 to ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 0f872b4a1d471912b5ed65424bd22f3e11b801d7

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

Author: Marc Deslauriers
Author Date: 2017-06-26 11:57:04 UTC

Import patches-unapplied version 2.4.18-2ubuntu4.2 to ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 0f872b4a1d471912b5ed65424bd22f3e11b801d7

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

Author: Marc Deslauriers
Author Date: 2017-06-26 11:57:04 UTC

Import patches-applied version 2.4.18-2ubuntu4.2 to applied/ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 59181d55c088186b8fdbac93ebfecb6ecb77799b
Unapplied parent: 20f84083a9f4578ac55e63b09549b1abce1b36d7

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

Author: Marc Deslauriers
Author Date: 2017-06-26 11:57:04 UTC

Import patches-applied version 2.4.18-2ubuntu4.2 to applied/ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 59181d55c088186b8fdbac93ebfecb6ecb77799b
Unapplied parent: 20f84083a9f4578ac55e63b09549b1abce1b36d7

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

Author: Marc Deslauriers
Author Date: 2017-06-26 11:57:04 UTC

Import patches-unapplied version 2.4.18-2ubuntu4.2 to ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 0f872b4a1d471912b5ed65424bd22f3e11b801d7

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

Author: Marc Deslauriers
Author Date: 2017-06-26 11:57:04 UTC

Import patches-applied version 2.4.18-2ubuntu4.2 to applied/ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 59181d55c088186b8fdbac93ebfecb6ecb77799b
Unapplied parent: 20f84083a9f4578ac55e63b09549b1abce1b36d7

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

Author: Nish Aravamudan
Author Date: 2017-02-10 16:53:43 UTC

Import patches-applied version 2.4.25-3ubuntu2 to applied/ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: c104dcc49e7323e1d3aca5e7aefae424c3cbd16f
Unapplied parent: 76f1c069823774bac311b0800f8910f2bf6c8124

New changelog entries:
  * Undrop (LP 1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

Author: Nish Aravamudan
Author Date: 2017-02-10 16:53:43 UTC

Import patches-unapplied version 2.4.25-3ubuntu2 to ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: f110b98a2e759a131e5fa7b6b13c58d73f6c1550

New changelog entries:
  * Undrop (LP 1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

Author: Nish Aravamudan
Author Date: 2017-02-10 16:53:43 UTC

Import patches-applied version 2.4.25-3ubuntu2 to applied/ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: c104dcc49e7323e1d3aca5e7aefae424c3cbd16f
Unapplied parent: 76f1c069823774bac311b0800f8910f2bf6c8124

New changelog entries:
  * Undrop (LP 1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

Author: Nish Aravamudan
Author Date: 2017-02-10 16:53:43 UTC

Import patches-unapplied version 2.4.25-3ubuntu2 to ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: f110b98a2e759a131e5fa7b6b13c58d73f6c1550

New changelog entries:
  * Undrop (LP 1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

Author: Mike Gerow
Author Date: 2016-07-21 21:53:00 UTC

Import patches-applied version 2.4.10-1ubuntu1.1~ubuntu14.04.2 to applied/ubuntu/trusty-backports

Imported using git-ubuntu import.

Changelog parent: 46aa6c92efb0b769d76ae9b1fe9cee8bbc0b0593
Unapplied parent: 9cb03113c76117fb38daca7051c91db25f8f1584

New changelog entries:
  * CVE-2016-5387 (LP: #1604209)

Author: Mike Gerow
Author Date: 2016-07-21 21:53:00 UTC

Import patches-unapplied version 2.4.10-1ubuntu1.1~ubuntu14.04.2 to ubuntu/trusty-backports

Imported using git-ubuntu import.

Changelog parent: 3921bce3edba179bfd690db4379555e796b54371

New changelog entries:
  * CVE-2016-5387 (LP: #1604209)

Author: Marc Deslauriers
Author Date: 2016-07-18 18:32:02 UTC

Import patches-applied version 2.4.18-2ubuntu4 to applied/ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: cb13433b66d68a397ea0c2fad1a5bfd4d7f55b42
Unapplied parent: 819fa9479958f93eaff872282c2cf57996094589

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-18 18:32:02 UTC

Import patches-unapplied version 2.4.18-2ubuntu4 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: e16db65293a582fc13e9b00194ba3287590f5fb6

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-18 18:32:02 UTC

Import patches-unapplied version 2.4.18-2ubuntu4 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: e16db65293a582fc13e9b00194ba3287590f5fb6

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-18 18:32:02 UTC

Import patches-applied version 2.4.18-2ubuntu4 to applied/ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: cb13433b66d68a397ea0c2fad1a5bfd4d7f55b42
Unapplied parent: 819fa9479958f93eaff872282c2cf57996094589

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-14 12:39:28 UTC

Import patches-applied version 2.4.12-2ubuntu2.1 to applied/ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: e6ec171e91b9edc24a30947d128dce2db26b5b80
Unapplied parent: b05dcd36cab02c6460e1ea3d187b3a1253061101

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-14 12:39:28 UTC

Import patches-unapplied version 2.4.12-2ubuntu2.1 to ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: 80e107784b66ab740328c0da1c1d81f9e20168dd

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-14 12:39:28 UTC

Import patches-applied version 2.4.12-2ubuntu2.1 to applied/ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: e6ec171e91b9edc24a30947d128dce2db26b5b80
Unapplied parent: b05dcd36cab02c6460e1ea3d187b3a1253061101

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-14 12:50:27 UTC

Import patches-unapplied version 2.2.22-1ubuntu1.11 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: e2c1e15f5e252e69dcc8dcf82e92fff7e616714f

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

Author: Marc Deslauriers
Author Date: 2016-07-14 12:50:27 UTC

Import patches-unapplied version 2.2.22-1ubuntu1.11 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: e2c1e15f5e252e69dcc8dcf82e92fff7e616714f

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

Author: Marc Deslauriers
Author Date: 2016-07-14 12:50:27 UTC

Import patches-applied version 2.2.22-1ubuntu1.11 to applied/ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: e687fed6ae4aa3ea1612e74d20f48bcecb6c55cc
Unapplied parent: a965cf1db7620c2141bd3a958b48f44351a05e8f

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

Author: Marc Deslauriers
Author Date: 2016-07-14 12:50:27 UTC

Import patches-unapplied version 2.2.22-1ubuntu1.11 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: e2c1e15f5e252e69dcc8dcf82e92fff7e616714f

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

Author: Marc Deslauriers
Author Date: 2016-07-14 12:50:27 UTC

Import patches-applied version 2.2.22-1ubuntu1.11 to applied/ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: e687fed6ae4aa3ea1612e74d20f48bcecb6c55cc
Unapplied parent: a965cf1db7620c2141bd3a958b48f44351a05e8f

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

Author: Marc Deslauriers
Author Date: 2016-07-14 12:39:28 UTC

Import patches-unapplied version 2.4.12-2ubuntu2.1 to ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: 80e107784b66ab740328c0da1c1d81f9e20168dd

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-14 12:39:28 UTC

Import patches-unapplied version 2.4.12-2ubuntu2.1 to ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: 80e107784b66ab740328c0da1c1d81f9e20168dd

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-14 12:39:28 UTC

Import patches-applied version 2.4.12-2ubuntu2.1 to applied/ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: e6ec171e91b9edc24a30947d128dce2db26b5b80
Unapplied parent: b05dcd36cab02c6460e1ea3d187b3a1253061101

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

Author: Marc Deslauriers
Author Date: 2016-07-14 12:50:27 UTC

Import patches-applied version 2.2.22-1ubuntu1.11 to applied/ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: e687fed6ae4aa3ea1612e74d20f48bcecb6c55cc
Unapplied parent: a965cf1db7620c2141bd3a958b48f44351a05e8f

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

Author: Robie Basak
Author Date: 2016-04-15 18:00:57 UTC

Import patches-applied version 2.4.18-2ubuntu3 to applied/ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 7346ee7445f72e010d0f96b5b6d51280233b3e2f
Unapplied parent: 91dde7dd3f230f25e6279d633aa6517a56746aec

New changelog entries:
  [ Ryan Harper ]
  * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
    introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
    all, since http2 support is intentionally disabled (see LP 1531864).
  * d/apache2.maintscript: handle removal of http2.load conffile.
  [ Robie Basak ]
  * Re-write Ryan's changelog entry.

Author: Robie Basak
Author Date: 2016-04-15 18:00:57 UTC

Import patches-unapplied version 2.4.18-2ubuntu3 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: cd6688141c7aecd46fd9dece4683e114cc605535

New changelog entries:
  [ Ryan Harper ]
  * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
    introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
    all, since http2 support is intentionally disabled (see LP 1531864).
  * d/apache2.maintscript: handle removal of http2.load conffile.
  [ Robie Basak ]
  * Re-write Ryan's changelog entry.

Author: Stefan Fritsch
Author Date: 2015-08-18 09:41:11 UTC

Import patches-unapplied version 2.2.22-13+deb7u6 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 97530c3b6f2d0f0a60edb1b22ea9245fb03db6f8

New changelog entries:
  * Fix regression causing spurious errors when loading certificate chain.
    Closes: #794383
  * CVE-2015-3183: Fix request smuggling via chunked transfer encoding.
    Backported by Marc Deslauriers.
  * Don't limit default DH parameters to 1024 bits. Closes: #780398
    This may cause problems with some Java based clients. A work-around is to
    configure these client not to use DHE key exchange but use ECDHE or RSA
    instead.
    A server-side work-around that limits the DH parameters to 1024 bits for
    all clients is described at
    http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh .
  * Backport support for adding DH parameters to the SSLCertificateFile.

Author: Stefan Fritsch
Author Date: 2015-08-18 09:41:11 UTC

Import patches-applied version 2.2.22-13+deb7u6 to applied/debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 9a2f32ff96df9ad1d6fb90a0590c899aa90dd70f
Unapplied parent: ecad7e8b5713e135011884cbcd6bd0a32fb34820

New changelog entries:
  * Fix regression causing spurious errors when loading certificate chain.
    Closes: #794383
  * CVE-2015-3183: Fix request smuggling via chunked transfer encoding.
    Backported by Marc Deslauriers.
  * Don't limit default DH parameters to 1024 bits. Closes: #780398
    This may cause problems with some Java based clients. A work-around is to
    configure these client not to use DHE key exchange but use ECDHE or RSA
    instead.
    A server-side work-around that limits the DH parameters to 1024 bits for
    all clients is described at
    http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh .
  * Backport support for adding DH parameters to the SSLCertificateFile.

Author: Marc Deslauriers
Author Date: 2015-07-24 16:25:41 UTC

Import patches-applied version 2.4.10-9ubuntu1.1 to applied/ubuntu/vivid-security

Imported using git-ubuntu import.

Changelog parent: 820b66fb86388042c7d874ed60021c19762e090e
Unapplied parent: 51ec5ea508b960da2c0270cee551cbc4c5a36737

New changelog entries:
  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

Author: Marc Deslauriers
Author Date: 2015-07-24 16:25:41 UTC

Import patches-unapplied version 2.4.10-9ubuntu1.1 to ubuntu/vivid-security

Imported using git-ubuntu import.

Changelog parent: c0aaa2266ca9a1a0a2616ef7693353b3b20150e4

New changelog entries:
  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

Author: Marc Deslauriers
Author Date: 2015-07-24 16:25:41 UTC

Import patches-unapplied version 2.4.10-9ubuntu1.1 to ubuntu/vivid-security

Imported using git-ubuntu import.

Changelog parent: c0aaa2266ca9a1a0a2616ef7693353b3b20150e4

New changelog entries:
  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

Author: Marc Deslauriers
Author Date: 2015-07-24 16:25:41 UTC

Import patches-unapplied version 2.4.10-9ubuntu1.1 to ubuntu/vivid-security

Imported using git-ubuntu import.

Changelog parent: c0aaa2266ca9a1a0a2616ef7693353b3b20150e4

New changelog entries:
  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

Author: Marc Deslauriers
Author Date: 2015-07-24 16:25:41 UTC

Import patches-applied version 2.4.10-9ubuntu1.1 to applied/ubuntu/vivid-security

Imported using git-ubuntu import.

Changelog parent: 820b66fb86388042c7d874ed60021c19762e090e
Unapplied parent: 51ec5ea508b960da2c0270cee551cbc4c5a36737

New changelog entries:
  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

Author: Marc Deslauriers
Author Date: 2015-07-24 16:25:41 UTC

Import patches-applied version 2.4.10-9ubuntu1.1 to applied/ubuntu/vivid-security

Imported using git-ubuntu import.

Changelog parent: 820b66fb86388042c7d874ed60021c19762e090e
Unapplied parent: 51ec5ea508b960da2c0270cee551cbc4c5a36737

New changelog entries:
  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

Author: Marc Deslauriers
Author Date: 2015-07-24 13:56:09 UTC

Import patches-applied version 2.4.12-2ubuntu2 to applied/ubuntu/wily-proposed

Imported using git-ubuntu import.

Changelog parent: dd36b867552432e0a8336fe26f3ff757b5beda58
Unapplied parent: 2b2f3dbab373ff42f7090ef4c55702b073657c56

New changelog entries:
  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

Author: Marc Deslauriers
Author Date: 2015-07-24 13:56:09 UTC

Import patches-unapplied version 2.4.12-2ubuntu2 to ubuntu/wily-proposed

Imported using git-ubuntu import.

Changelog parent: db68d8373debd5ab56cbd27c91f3ba0b2915360e

New changelog entries:
  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

Author: Marc Deslauriers
Author Date: 2015-07-24 13:56:09 UTC

Import patches-unapplied version 2.4.12-2ubuntu2 to ubuntu/wily-proposed

Imported using git-ubuntu import.

Changelog parent: db68d8373debd5ab56cbd27c91f3ba0b2915360e

New changelog entries:
  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

Author: Marc Deslauriers
Author Date: 2015-07-24 13:56:09 UTC

Import patches-applied version 2.4.12-2ubuntu2 to applied/ubuntu/wily-proposed

Imported using git-ubuntu import.

Changelog parent: dd36b867552432e0a8336fe26f3ff757b5beda58
Unapplied parent: 2b2f3dbab373ff42f7090ef4c55702b073657c56

New changelog entries:
  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

Author: Marc Deslauriers
Author Date: 2015-03-05 17:45:09 UTC

Import patches-applied version 2.2.14-5ubuntu8.15 to applied/ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 8d915478cea94af6892d148cf65367265d94e7d6
Unapplied parent: a16cf78a6233287c675749c2fbf28d238be5fe06

New changelog entries:
  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.dpatch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c,
      server/core.c, server/protocol.c.
    - CVE-2013-5704

Author: Marc Deslauriers
Author Date: 2015-03-05 17:45:09 UTC

Import patches-applied version 2.2.14-5ubuntu8.15 to applied/ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 8d915478cea94af6892d148cf65367265d94e7d6
Unapplied parent: a16cf78a6233287c675749c2fbf28d238be5fe06

New changelog entries:
  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.dpatch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c,
      server/core.c, server/protocol.c.
    - CVE-2013-5704

Author: Marc Deslauriers
Author Date: 2015-03-05 17:45:09 UTC

Import patches-applied version 2.2.14-5ubuntu8.15 to applied/ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 8d915478cea94af6892d148cf65367265d94e7d6
Unapplied parent: a16cf78a6233287c675749c2fbf28d238be5fe06

New changelog entries:
  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.dpatch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c,
      server/core.c, server/protocol.c.
    - CVE-2013-5704

Author: Marc Deslauriers
Author Date: 2015-03-05 17:45:09 UTC

Import patches-unapplied version 2.2.14-5ubuntu8.15 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: a7f4299a4a7deaae29f0bda82ebf35269db447e1

New changelog entries:
  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.dpatch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c,
      server/core.c, server/protocol.c.
    - CVE-2013-5704

Author: Marc Deslauriers
Author Date: 2015-03-05 17:05:47 UTC

Import patches-unapplied version 2.4.10-1ubuntu1.1 to ubuntu/utopic-security

Imported using git-ubuntu import.

Changelog parent: 5b08bf02d55e56ec279fa287234935a46eecfd0e

New changelog entries:
  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c.
    - CVE-2013-5704
  * SECURITY UPDATE: mod_cache denial of service via empty HTTP
    Content-Type header
    - debian/patches/CVE-2014-3581.patch: check for NULL in
      modules/cache/cache_util.c.
    - CVE-2014-3581
  * SECURITY UPDATE: mod_proxy_fcgi deial of service via long response
    headers
    - debian/patches/CVE-2014-3583.patch: properly handle length in
      modules/aaa/mod_authnz_fcgi.c, modules/proxy/mod_proxy_fcgi.c.
    - CVE-2014-3583
  * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
    directives
    - debian/patches/CVE-2014-8109.patch: handle multiple Require
      directives with different arguments in modules/lua/mod_lua.c.
    - CVE-2014-8109
  * SECURITY UPDATE: denial of service in mod_lua via websockets PING
    - debian/patches/CVE-2015-0228.patch: fix logic in
      modules/lua/lua_request.c.
    - CVE-2015-0228

Author: Marc Deslauriers
Author Date: 2015-03-05 17:05:47 UTC

Import patches-applied version 2.4.10-1ubuntu1.1 to applied/ubuntu/utopic-security

Imported using git-ubuntu import.

Changelog parent: 5bbfc0c44d81be2733bf8784234c052b227e5eed
Unapplied parent: f2d29f8819127aa9b418e332470c367cf7fc7c56

New changelog entries:
  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c.
    - CVE-2013-5704
  * SECURITY UPDATE: mod_cache denial of service via empty HTTP
    Content-Type header
    - debian/patches/CVE-2014-3581.patch: check for NULL in
      modules/cache/cache_util.c.
    - CVE-2014-3581
  * SECURITY UPDATE: mod_proxy_fcgi deial of service via long response
    headers
    - debian/patches/CVE-2014-3583.patch: properly handle length in
      modules/aaa/mod_authnz_fcgi.c, modules/proxy/mod_proxy_fcgi.c.
    - CVE-2014-3583
  * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
    directives
    - debian/patches/CVE-2014-8109.patch: handle multiple Require
      directives with different arguments in modules/lua/mod_lua.c.
    - CVE-2014-8109
  * SECURITY UPDATE: denial of service in mod_lua via websockets PING
    - debian/patches/CVE-2015-0228.patch: fix logic in
      modules/lua/lua_request.c.
    - CVE-2015-0228

Author: Marc Deslauriers
Author Date: 2015-03-05 17:05:47 UTC

Import patches-unapplied version 2.4.10-1ubuntu1.1 to ubuntu/utopic-security

Imported using git-ubuntu import.

Changelog parent: 5b08bf02d55e56ec279fa287234935a46eecfd0e

New changelog entries:
  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c.
    - CVE-2013-5704
  * SECURITY UPDATE: mod_cache denial of service via empty HTTP
    Content-Type header
    - debian/patches/CVE-2014-3581.patch: check for NULL in
      modules/cache/cache_util.c.
    - CVE-2014-3581
  * SECURITY UPDATE: mod_proxy_fcgi deial of service via long response
    headers
    - debian/patches/CVE-2014-3583.patch: properly handle length in
      modules/aaa/mod_authnz_fcgi.c, modules/proxy/mod_proxy_fcgi.c.
    - CVE-2014-3583
  * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
    directives
    - debian/patches/CVE-2014-8109.patch: handle multiple Require
      directives with different arguments in modules/lua/mod_lua.c.
    - CVE-2014-8109
  * SECURITY UPDATE: denial of service in mod_lua via websockets PING
    - debian/patches/CVE-2015-0228.patch: fix logic in
      modules/lua/lua_request.c.
    - CVE-2015-0228

Author: Marc Deslauriers
Author Date: 2015-03-05 17:05:47 UTC

Import patches-unapplied version 2.4.10-1ubuntu1.1 to ubuntu/utopic-security

Imported using git-ubuntu import.

Changelog parent: 5b08bf02d55e56ec279fa287234935a46eecfd0e

New changelog entries:
  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c.
    - CVE-2013-5704
  * SECURITY UPDATE: mod_cache denial of service via empty HTTP
    Content-Type header
    - debian/patches/CVE-2014-3581.patch: check for NULL in
      modules/cache/cache_util.c.
    - CVE-2014-3581
  * SECURITY UPDATE: mod_proxy_fcgi deial of service via long response
    headers
    - debian/patches/CVE-2014-3583.patch: properly handle length in
      modules/aaa/mod_authnz_fcgi.c, modules/proxy/mod_proxy_fcgi.c.
    - CVE-2014-3583
  * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
    directives
    - debian/patches/CVE-2014-8109.patch: handle multiple Require
      directives with different arguments in modules/lua/mod_lua.c.
    - CVE-2014-8109
  * SECURITY UPDATE: denial of service in mod_lua via websockets PING
    - debian/patches/CVE-2015-0228.patch: fix logic in
      modules/lua/lua_request.c.
    - CVE-2015-0228