Merge ~bryce/ubuntu/+source/apache2:merge-v2.4.46-4-hirsute into ubuntu/+source/apache2:debian/sid

Proposed by Bryce Harrington
Status: Merged
Approved by: Bryce Harrington
Approved revision: e9e339c4bcea9c55de8cd6b61bedeb101021cc37
Merge reported by: Bryce Harrington
Merged at revision: e9e339c4bcea9c55de8cd6b61bedeb101021cc37
Proposed branch: ~bryce/ubuntu/+source/apache2:merge-v2.4.46-4-hirsute
Merge into: ubuntu/+source/apache2:debian/sid
Diff against target: 2522 lines (+1869/-34)
14 files modified
debian/apache2-bin.install (+1/-0)
debian/apache2-utils.ufw.profile (+14/-0)
debian/apache2.dirs (+1/-0)
debian/apache2.install (+1/-0)
debian/apache2.postrm (+1/-0)
debian/apache2.py (+48/-0)
debian/apache2ctl (+33/-18)
debian/changelog (+1697/-2)
debian/control (+4/-2)
debian/index.html (+19/-12)
debian/perl-framework/t/apache/expr_string.t (+4/-0)
debian/source/include-binaries (+1/-0)
debian/tests/check-http2 (+41/-0)
debian/tests/control (+4/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  Approve
Canonical Server Team Pending
Ubuntu Server Dev import team Pending
Review via email: mp+399177@code.launchpad.net

Description of the change

This is a minor merge from Debian to help resolve LP: #1910372 which seeks to drop lua5.2 in favor of lua 5.3. Debian has already made this change, so doing the merge allows us to do as well.

The lua version change was not mentioned in Debian's changelog, but can be seen in the diff. To make sure there were not other undocumented changes that might violate our FFe policy, I did a commit-by-commit review of all changes in the -3 and -4 releases from Debian. There were no substantial changes to the software itself other than lua5.3 afaict. A report on this analysis is below.

Debian has disabled several test cases which I think are not broken for us. I considered re-enabling them for us, but I don't think that would gain us much. One of the commit messages uses the word 'temporary' so perhaps Debian and/or upstream will be working on fixes to them.

One piece of our delta is now in Debian. The remainder has been with us for quite some time and still looks to me like it should stay with us.

PPA: https://launchpad.net/~bryce/+archive/ubuntu/apache2-merge-v2.4.46-4

### Additional Note ###

Historically, the split changes aren't available via git-ubuntu due to a bug. As a work-around to that, I started from Paride's merge branch. The aforementioned dropped delta was the only merge conflict.

Also, Apache2 hits the 'empty directories' problem with git, and so requires passing --no-verify to various git commands. Because of this, `git ubuntu merge finish pkg/ubuntu/devel` errors with a stack trace. The workaround I used for that was as follows:

$ git commit -m merge-changelogs --no-verify debian/changelog
[detached HEAD 4180b2f0f] merge-changelogs
 1 file changed, 1670 insertions(+), 2 deletions(-)
$ commit_message=$(for rev in $(git rev-list --reverse 'new/debian..HEAD^'); do git log --pretty=%B -n 1 $rev | sed '/^\
[[:space:]]*$/d'; done)
$ awk -v r="$commit_message" '{gsub(/* PLACEHOLDER/,r)}1' debian/changelog > debian/changelog.tmp
$ mv debian/changelog.tmp debian/changelog
$ git commit --no-verify -m reconstruct-changelog debian/changelog
$ update-maintainer
$ git commit --no-verify -m update-maintainer debian/control

I think this provided equivalent results to what git ubuntu does (I took the steps directly from the git-ubuntu codebase). I couldn't find these steps documented anywhere, although I suspect it's what others have had to do in the past. Anyway, I include them here for reference if someone needs them for future apache merges. (But sounds like Robie has a better way to work around this that might be better to try next time.)

### Analysis of Debian changes ###

c4345ed5 releasing package apache2 version 2.4.46-4
  - changelog only

91ec8581 Ignore another test
  - Identical to one of the changes in the ubuntu delta,
    which we can drop now.

b4b14a64 Ignore another random another test failure
  - Disables test case for png content. Reason not mentioned.

a55c97f6 releasing package apache2 version 2.4.46-3
  - changelog only

ac6936d8 Disable temporary 3 subtests
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979664
  - Disables an xml filter test case and two session module test cases.
    Reason not mentioned, just that they fail CI.

a0088e23 Update d/ch
  - changelog only

8753f5b5 Add debian/gbp.conf
  - Adds gbp config, which we don't use for maintaining apache.

115d3084 Declare compliance with policy 4.5.1
  - Just a housekeeping cleanup

647d73b6 Fix day-of-week for changelog entry 2.0.42-2.
  - changelog only

809ce169 Build against lua5.3 instead of lua5.2
  - This is a substantive change as it alters build dependencies, but
    this is a change we actively want.

920ac47a Update lintian overrides
  - Just a housekeeping cleanup

1883ce71 Update d/ch
  - changelog only

52c6d77a Enable verbose test output during autopkgtest
  - More verbosity during autopkgtest should be fine + helpful

58945288 Clean include-binaries
  - Drops debian/upstream/signing-key.pgp from the list of
    include-binaries. This file was converted to signing-key.asc back
    in 2.4.38-1.
  - So this is just cleanup

42d6a1de Remove postinst/preinst hooks concerning old versions
cb7db4b5 Partial revert of 42d6a1de
  - Drops some various cleanups for old versions of Apache2, that we
    haven't shipped since before bionic. Users upgrading from such old
    versions would have to go through at least bionic and focal, which
    will have cleaned the files up.
  - So this cleanup should also be safe for us

27377967 Spelling error in (c)
  - Just a sp. fix for debian/copyright

To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

This is still marked as WIP, is it or shall this be reviewed?
Since I was missing last week I might miss some context here and not waste time reviewing if it might be not the right next step.

Revision history for this message
Bryce Harrington (bryce) wrote :

Yes, this is ready to be reviewed.

The reason I set to WIP was anticipating there might be ideas from the "git ubuntu empty dirs" meeting that I'd need to redo the merge for, but there weren't, so this is good to go as is.

2f86ed6... by Bryce Harrington on 2021-03-09

  * d/apache2ctl: Also use /run/systemd to check for systemd usage
    (LP: #1918209)

b9374b4... by Bryce Harrington on 2021-03-09

merge-changelogs

5e1e6b6... by Bryce Harrington on 2021-03-09

reconstruct-changelog

04405d0... by Bryce Harrington on 2021-03-09

update-maintainer

e9e339c... by Bryce Harrington on 2021-03-09

changelog add'l details about merge

Revision history for this message
Bryce Harrington (bryce) wrote :

Btw, I've also tacked on a bugfix for an issue we think causes OCI build failures.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Changelog:
- [✓] old content match as expected (I also have parides branch)
- [✓] changelog entry correct version and targeted codename
- [?] changelog entries correct (almost - IMHO the extra entry for 1918209 would go under an "* Added Changes", but that is optional and up to you
- [✓] update-maintainer has been run

Actual changes:
- [✓] no major upstream changes to consider
- [✓] no further upstream version to consider
- [✓] debian changes look safe (I've went through the changes in salsa just like you did and agree)

Old Delta:
- [✓] dropped changes are ok to be dropped
- [✓] nothing else to drop
- [?] changes forwarded upstream/debian
      Since Debian recently seems to be big on "disabling random fail tests" I wonder if it might be a good time to forward our delta for https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1890302 ?

New Delta:
- [✓] new are good
- [?] new change submitted to Debian? I've not seen a reference for https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1918209
I agree it is a common pattern https://codesearch.debian.net/search?q=%2Frun%2Fsystemd%2Fsystem&literal=1 and ok to add, but maybe file it with Debian as well to some day be able to drop the Delta?

Build/Test:
- [✓] build is ok
- [✓] verified PPA package installs/uninstalls

Revision history for this message
Christian Ehrhardt  (paelzer) :
review: Approve
Revision history for this message
Bryce Harrington (bryce) wrote :

Thanks for the review. I've gone ahead and uploaded it (so we can get the fix for the OCIs in play), and will forward the delta to Debian later this week. I can't do the upload tag yet due to a git-ubuntu bug but will do so once there's a solution for that.

$ dput ubuntu apache2_2.4.46-4ubuntu1_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: /home/bryce/pkg/Apache2/merge-v2.4.46-4/apache2_2.4.46-4ubuntu1_source.changes: Valid signature from E603B2578FB8F0FB
Checking signature on .dsc
gpg: /home/bryce/pkg/Apache2/merge-v2.4.46-4/apache2_2.4.46-4ubuntu1.dsc: Valid signature from E603B2578FB8F0FB
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.46-4ubuntu1.dsc: done.
  Uploading apache2_2.4.46-4ubuntu1.debian.tar.xz: done.
  Uploading apache2_2.4.46-4ubuntu1_source.buildinfo: done.
  Uploading apache2_2.4.46-4ubuntu1_source.changes: done.
Successfully uploaded packages.

Revision history for this message
Bryce Harrington (bryce) wrote :

This has now migrated. (There was one perl test failure on amd64 but it appears to have been just a timing issue; I re-triggered it and it passed.)

  - Current Version: 2.4.46-4ubuntu1
  - Proposed Version: None
  - Debian Version: 2.4.46-4
  - New Version: 2.4.46-4ubuntu1

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/apache2-bin.install b/debian/apache2-bin.install
2index 63c573f..3d1bdf1 100644
3--- a/debian/apache2-bin.install
4+++ b/debian/apache2-bin.install
5@@ -1,2 +1,3 @@
6 /usr/lib/apache2/modules/
7 /usr/sbin/apache2
8+debian/apache2.py usr/share/apport/package-hooks
9diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile
10new file mode 100644
11index 0000000..974a655
12--- /dev/null
13+++ b/debian/apache2-utils.ufw.profile
14@@ -0,0 +1,14 @@
15+[Apache]
16+title=Web Server
17+description=Apache v2 is the next generation of the omnipresent Apache web server.
18+ports=80/tcp
19+
20+[Apache Secure]
21+title=Web Server (HTTPS)
22+description=Apache v2 is the next generation of the omnipresent Apache web server.
23+ports=443/tcp
24+
25+[Apache Full]
26+title=Web Server (HTTP,HTTPS)
27+description=Apache v2 is the next generation of the omnipresent Apache web server.
28+ports=80,443/tcp
29diff --git a/debian/apache2.dirs b/debian/apache2.dirs
30index 6089013..1aa6d3c 100644
31--- a/debian/apache2.dirs
32+++ b/debian/apache2.dirs
33@@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk
34 var/lib/apache2
35 var/log/apache2
36 var/www/html
37+/etc/ufw/applications.d/apache2
38diff --git a/debian/apache2.install b/debian/apache2.install
39index b6ad789..92865fc 100644
40--- a/debian/apache2.install
41+++ b/debian/apache2.install
42@@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2
43 debian/config-dir/envvars /etc/apache2
44 debian/config-dir/magic /etc/apache2
45 debian/debhelper/apache2-maintscript-helper /usr/share/apache2/
46+debian/apache2-utils.ufw.profile /etc/ufw/applications.d/
47diff --git a/debian/apache2.postrm b/debian/apache2.postrm
48index a68583c..b0e5d7b 100644
49--- a/debian/apache2.postrm
50+++ b/debian/apache2.postrm
51@@ -33,6 +33,7 @@ is_default_index_html () {
52 776221a94e5a174dc2396c0f3f6b6a74
53 c481228d439cbb54bdcedbaec5bbb11a
54 e2620d4a5a0f8d80dd4b16de59af981f
55+ 3526531ccd6c6a1d2340574a305a18f8
56 EOF
57 }
58
59diff --git a/debian/apache2.py b/debian/apache2.py
60new file mode 100644
61index 0000000..a9fb9d8
62--- /dev/null
63+++ b/debian/apache2.py
64@@ -0,0 +1,48 @@
65+#!/usr/bin/python
66+
67+'''apport hook for apache2
68+
69+(c) 2010 Adam Sommer.
70+Author: Adam Sommer <asommer@ubuntu.com>
71+
72+This program is free software; you can redistribute it and/or modify it
73+under the terms of the GNU General Public License as published by the
74+Free Software Foundation; either version 2 of the License, or (at your
75+option) any later version. See http://www.gnu.org/copyleft/gpl.html for
76+the full text of the license.
77+'''
78+
79+from apport.hookutils import *
80+import os
81+
82+SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/'
83+
84+def add_info(report, ui):
85+ if os.path.isdir(SITES_ENABLED_DIR):
86+ response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory "
87+ "may help developers diagnose your bug more "
88+ "quickly. However, it may contain sensitive "
89+ "information. Do you want to include it in your "
90+ "bug report?")
91+
92+ if response == None: # user cancelled
93+ raise StopIteration
94+
95+ elif response == True:
96+ # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d
97+ for conf_file in os.listdir(SITES_ENABLED_DIR):
98+ attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file)
99+
100+ try:
101+ report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d'))
102+ except OSError:
103+ report['Apache2ConfdDirListing'] = str(False)
104+
105+ # Attach default config files if changed.
106+ attach_conffiles(report, 'apache2', conffiles=None)
107+
108+ # Attach the error.log file.
109+ attach_file(report, '/var/log/apache2/error.log', key='error.log')
110+
111+ # Get loaded modules.
112+ report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES'])
113diff --git a/debian/apache2ctl b/debian/apache2ctl
114index 404b9f9..02f3bca 100755
115--- a/debian/apache2ctl
116+++ b/debian/apache2ctl
117@@ -143,6 +143,21 @@ mkdir_chown () {
118 fi
119 }
120
121+need_systemd () {
122+ # Detect if systemd is in use and should be used for managing
123+ # the Apache2 httpd service. Returns 0 if so, 1 otherwise.
124+ if [ -z "${APACHE_STARTED_BY_SYSTEMD}" ]; then
125+ case "$(readlink -f /proc/1/exe)" in
126+ *systemd*)
127+ return 0
128+ ;;
129+ esac
130+ # With Docker, /proc/1 is not necessarily an init system,
131+ # so fallback to checking in /run.
132+ [ -d /run/systemd/system ]
133+ fi
134+ return 1
135+}
136
137 [ ! -d ${APACHE_RUN_DIR:-/var/run/apache2} ] && mkdir -p ${APACHE_RUN_DIR:-/var/run/apache2}
138 [ ! -d ${APACHE_LOCK_DIR:-/var/lock/apache2} ] && mkdir_chown ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2}
139@@ -153,38 +168,38 @@ start)
140 # (this is bad if there are several apache2 instances running)
141 rm -f ${APACHE_RUN_DIR:-/var/run/apache2}/*ssl_scache*
142
143- need_systemd=false
144- if [ -z "$APACHE_STARTED_BY_SYSTEMD" ] ; then
145- case "$(readlink -f /proc/1/exe)" in
146- *systemd*)
147- need_systemd=true
148- ;;
149- *)
150- ;;
151- esac
152- fi
153- if $need_systemd ; then
154+ if need_systemd; then
155 # If running on systemd we should not start httpd without systemd
156 # or systemd will get confused about the status of httpd.
157- echo "Invoking 'systemctl start $APACHE_SYSTEMD_SERVICE'."
158- echo "Use 'systemctl status $APACHE_SYSTEMD_SERVICE' for more info."
159- systemctl start "$APACHE_SYSTEMD_SERVICE"
160+ echo "Invoking 'systemctl start ${APACHE_SYSTEMD_SERVICE}'."
161+ echo "Use 'systemctl status ${APACHE_SYSTEMD_SERVICE}' for more info."
162+ systemctl start "${APACHE_SYSTEMD_SERVICE}"
163 else
164 unset APACHE_STARTED_BY_SYSTEMD
165- $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV"
166+ ${HTTPD} ${APACHE_ARGUMENTS} -k "${ARGV}"
167 fi
168
169 ERROR=$?
170 ;;
171 stop|graceful-stop)
172- $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV"
173+ ${HTTPD} ${APACHE_ARGUMENTS} -k "$ARGV"
174 ERROR=$?
175 ;;
176 restart|graceful)
177 if $HTTPD ${APACHE_ARGUMENTS} -t 2> /dev/null ; then
178- $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV"
179+ if need_systemd; then
180+ # If running on systemd we should not directly restart httpd since
181+ # systemd would be confused about httpd's status.
182+ # (See LP: #1832182)
183+ echo "Invoking 'systemctl restart ${APACHE_SYSTEMD_SERVICE}'."
184+ echo "Use 'systemctl status ${APACHE_SYSTEMD_SERVICE}' for more info."
185+ systemctl restart "${APACHE_SYSTEMD_SERVICE}"
186+ else
187+ unset APACHE_STARTED_BY_SYSTEMD
188+ ${HTTPD} ${APACHE_ARGUMENTS} -k "${ARGV}"
189+ fi
190 else
191- $HTTPD ${APACHE_ARGUMENTS} -t
192+ ${HTTPD} ${APACHE_ARGUMENTS} -t
193 fi
194 ERROR=$?
195 ;;
196diff --git a/debian/changelog b/debian/changelog
197index 8a02325..19b4857 100644
198--- a/debian/changelog
199+++ b/debian/changelog
200@@ -1,3 +1,30 @@
201+apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium
202+
203+ * Merge with Debian unstable, to allow moving from lua5.2 to
204+ lua5.3 (LP: #1910372). Remaining changes:
205+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
206+ apache2.dirs}: Add ufw profiles.
207+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
208+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
209+ Debian with Ubuntu on default page.
210+ + d/source/include-binaries: add Ubuntu icon file
211+ - d/t/control, d/t/check-http2: add basic test for http2 support
212+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
213+ issue reading error log too quickly after request, by adding a sleep.
214+ (LP #1890302)
215+ - d/apache2ctl: Also use systemd for graceful if it is in use.
216+ This extends an earlier fix for the start command to behave
217+ similarly for restart / graceful. Fixes service failures on
218+ unattended upgrade.
219+ * Drop:
220+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
221+ was re-added by mistake in 2.4.41-1 (Closes #921024)
222+ [Included in Debian 2.4.46-3]
223+ * d/apache2ctl: Also use /run/systemd to check for systemd usage
224+ (LP: #1918209)
225+
226+ -- Bryce Harrington <bryce@canonical.com> Tue, 09 Mar 2021 00:45:35 +0000
227+
228 apache2 (2.4.46-4) unstable; urgency=medium
229
230 * Ignore other random another test failures (Closes: #979664)
231@@ -15,6 +42,28 @@ apache2 (2.4.46-3) unstable; urgency=medium
232
233 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100
234
235+apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium
236+
237+ * Merge with Debian unstable. Remaining changes:
238+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
239+ apache2.dirs}: Add ufw profiles.
240+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
241+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
242+ Debian with Ubuntu on default page.
243+ + d/source/include-binaries: add Ubuntu icon file
244+ - d/t/control, d/t/check-http2: add basic test for http2 support
245+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
246+ was re-added by mistake in 2.4.41-1 (Closes #921024)
247+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
248+ issue reading error log too quickly after request, by adding a sleep.
249+ (LP #1890302)
250+ - d/apache2ctl: Also use systemd for graceful if it is in use.
251+ This extends an earlier fix for the start command to behave
252+ similarly for restart / graceful. Fixes service failures on
253+ unattended upgrade.
254+
255+ -- Paride Legovini <paride.legovini@canonical.com> Mon, 14 Dec 2020 18:12:15 +0100
256+
257 apache2 (2.4.46-2) unstable; urgency=medium
258
259 [ Jean-Michel Vourgère ]
260@@ -36,6 +85,39 @@ apache2 (2.4.46-2) unstable; urgency=medium
261
262 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100
263
264+apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium
265+
266+ * d/apache2ctl: Also use systemd for graceful if it is in use.
267+ (LP: #1832182)
268+ - This extends an earlier fix for the start command to behave
269+ similarly for restart / graceful. Fixes service failures on
270+ unattended upgrade.
271+
272+ -- Bryce Harrington <bryce@canonical.com> Mon, 05 Oct 2020 16:06:32 -0700
273+
274+apache2 (2.4.46-1ubuntu1) groovy; urgency=medium
275+
276+ * Merge with Debian unstable. Remaining changes:
277+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
278+ apache2.dirs}: Add ufw profiles.
279+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
280+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
281+ Debian with Ubuntu on default page.
282+ + d/source/include-binaries: add Ubuntu icon file
283+ - d/t/control, d/t/check-http2: add basic test for http2 support
284+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
285+ was re-added by mistake in 2.4.41-1 (Closes #921024)
286+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
287+ issue reading error log too quickly after request, by adding a sleep.
288+ (LP #1890302)
289+ * Dropped:
290+ - debian/patches/086_svn_cross_compiles: Backport several cross
291+ fixes from upstream
292+ [Unclear if it's still necessary, and upstream hasn't made a
293+ release with it yet]
294+
295+ -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Aug 2020 09:13:38 -0300
296+
297 apache2 (2.4.46-1) unstable; urgency=medium
298
299 [ Xavier Guimard ]
300@@ -52,6 +134,39 @@ apache2 (2.4.46-1) unstable; urgency=medium
301
302 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200
303
304+apache2 (2.4.43-1ubuntu2) groovy; urgency=medium
305+
306+ * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
307+ issue reading error log too quickly after request, by adding a sleep.
308+ (LP: #1890302)
309+
310+ -- Bryce Harrington <bryce@canonical.com> Wed, 05 Aug 2020 12:44:59 -0700
311+
312+apache2 (2.4.43-1ubuntu1) groovy; urgency=medium
313+
314+ * Merge with Debian unstable. Remaining changes:
315+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
316+ apache2.dirs}: Add ufw profiles.
317+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
318+ - debian/patches/086_svn_cross_compiles: Backport several cross
319+ fixes from upstream
320+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
321+ Debian with Ubuntu on default page.
322+ + d/source/include-binaries: add Ubuntu icon file
323+ - d/t/control, d/t/check-http2: add basic test for http2 support
324+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
325+ was re-added by mistake in 2.4.41-1 (Closes #921024)
326+ * Dropped:
327+ - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
328+ parameter to mod_proxy_ajp (LP #1865340)
329+ [Fixed upstream]
330+ - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
331+ mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
332+ Closes #955348, LP #1872478
333+ [In 2.4.43-1]
334+
335+ -- Andreas Hasenack <andreas@canonical.com> Tue, 21 Jul 2020 10:22:42 -0300
336+
337 apache2 (2.4.43-1) unstable; urgency=medium
338
339 [ Timo Aaltonen ]
340@@ -79,6 +194,39 @@ apache2 (2.4.41-5) unstable; urgency=medium
341
342 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100
343
344+apache2 (2.4.41-4ubuntu3) focal; urgency=medium
345+
346+ [ Timo Aaltonen ]
347+ * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
348+ mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
349+ Closes: #955348, LP: #1872478
350+
351+ -- Andreas Hasenack <andreas@canonical.com> Mon, 13 Apr 2020 14:19:17 -0300
352+
353+apache2 (2.4.41-4ubuntu2) focal; urgency=medium
354+
355+ * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
356+ parameter to mod_proxy_ajp (LP: #1865340)
357+
358+ -- Andreas Hasenack <andreas@canonical.com> Thu, 05 Mar 2020 15:51:00 -0300
359+
360+apache2 (2.4.41-4ubuntu1) focal; urgency=medium
361+
362+ * Merge with Debian unstable. Remaining changes:
363+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
364+ apache2.dirs}: Add ufw profiles.
365+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
366+ - debian/patches/086_svn_cross_compiles: Backport several cross
367+ fixes from upstream
368+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
369+ Debian with Ubuntu on default page.
370+ + d/source/include-binaries: add Ubuntu icon file
371+ - d/t/control, d/t/check-http2: add basic test for http2 support
372+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
373+ was re-added by mistake in 2.4.41-1 (Closes #921024)
374+
375+ -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 10:36:13 -0300
376+
377 apache2 (2.4.41-4) unstable; urgency=medium
378
379 * Add gcc in chroot autopkgtest (fixes debci)
380@@ -103,6 +251,41 @@ apache2 (2.4.41-2) unstable; urgency=medium
381
382 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100
383
384+apache2 (2.4.41-1ubuntu1) eoan; urgency=medium
385+
386+ * Merge with Debian unstable. Remaining changes:
387+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
388+ apache2.dirs}: Add ufw profiles.
389+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
390+ - debian/patches/086_svn_cross_compiles: Backport several cross
391+ fixes from upstream
392+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
393+ Debian with Ubuntu on default page.
394+ + d/source/include-binaries: add Ubuntu icon file
395+ - d/t/control, d/t/check-http2: add basic test for http2 support
396+ * Dropped:
397+ - Cherrypick upstream testsuite fix:
398+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
399+ as such).
400+ + Similarly use TLSv1.2 for pr12355 and pr43738.
401+ [Test suite updated in 2.4.41-1]
402+ - Cherrypick upstream test suite fix for buffer.
403+ [Included in 2.4.41-1]
404+ - d/p/spelling-errors.patch: removed hunks already fixed upstream
405+ [Included in 2.4.39-1]
406+ - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
407+ + d/p/CVE-2019-0196.patch
408+ + d/p/CVE-2019-0211.patch
409+ + d/p/CVE-2019-0215.patch
410+ + d/p/CVE-2019-0217.patch
411+ + d/p/CVE-2019-0220-*.patch
412+ + d/p/CVE-2019-0197.patch
413+ * Added:
414+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
415+ was re-added by mistake in 2.4.41-1 (Closes: #921024)
416+
417+ -- Andreas Hasenack <andreas@canonical.com> Wed, 14 Aug 2019 11:36:32 -0300
418+
419 apache2 (2.4.41-1) unstable; urgency=medium
420
421 * New upstream version 2.4.41
422@@ -133,6 +316,62 @@ apache2 (2.4.39-1) unstable; urgency=medium
423
424 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200
425
426+apache2 (2.4.39-0ubuntu1) eoan; urgency=medium
427+
428+ * New upstream version: 2.4.39
429+ * d/p/spelling-errors.patch: removed hunks already fixed upstream
430+ * Remaining changes:
431+ - Cherrypick upstream test suite fix for buffer.
432+ - Cherrypick upstream testsuite fix:
433+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
434+ as such).
435+ - Similarly use TLSv1.2 for pr12355 and pr43738.
436+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
437+ apache2.dirs}: Add ufw profiles.
438+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
439+ - debian/patches/086_svn_cross_compiles: Backport several cross
440+ fixes from upstream
441+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
442+ Debian with Ubuntu on default page.
443+ + d/source/include-binaries: add Ubuntu icon file
444+ - d/t/control, d/t/check-http2: add basic test for http2 support
445+ * Dropped patches (fixed upstream):
446+ - d/p/CVE-2019-0196.patch
447+ - d/p/CVE-2019-0211.patch
448+ - d/p/CVE-2019-0215.patch
449+ - d/p/CVE-2019-0217.patch
450+ - d/p/CVE-2019-0220-*.patch
451+ - d/p/CVE-2019-0197.patch
452+
453+ -- Andreas Hasenack <andreas@canonical.com> Mon, 05 Aug 2019 18:09:08 -0300
454+
455+apache2 (2.4.38-3ubuntu2) eoan; urgency=medium
456+
457+ * Cherrypick upstream test suite fix for buffer.
458+
459+ -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 13 Jun 2019 11:08:24 +0100
460+
461+apache2 (2.4.38-3ubuntu1) eoan; urgency=low
462+
463+ * Merge from Debian unstable. Remaining changes:
464+ - Cherrypick upstream testsuite fix:
465+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
466+ as such).
467+ - Similarly use TLSv1.2 for pr12355 and pr43738.
468+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
469+ apache2.dirs}: Add ufw profiles.
470+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
471+ - debian/patches/086_svn_cross_compiles: Backport several cross
472+ fixes from upstream
473+ [Removed configure chunk, not needed since configure.in is being
474+ patched.]
475+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
476+ Debian with Ubuntu on default page.
477+ + d/source/include-binaries: add Ubuntu icon file
478+ - d/t/control, d/t/check-http2: add basic test for http2 support
479+
480+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Jun 2019 19:17:38 +0100
481+
482 apache2 (2.4.38-3) unstable; urgency=high
483
484 [ Marc Deslauriers ]
485@@ -170,6 +409,79 @@ apache2 (2.4.38-3) unstable; urgency=high
486
487 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200
488
489+apache2 (2.4.38-2ubuntu3) eoan; urgency=medium
490+
491+ * Cherrypick upstream testsuite fix:
492+ - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
493+ as such).
494+ * Similarly use TLSv1.2 for pr12355 and pr43738.
495+
496+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 07 May 2019 10:39:47 +0100
497+
498+apache2 (2.4.38-2ubuntu2) disco; urgency=medium
499+
500+ * SECURITY UPDATE: read-after-free on a string compare in mod_http2
501+ - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
502+ request method in modules/http2/h2_request.c.
503+ - CVE-2019-0196
504+ * SECURITY UPDATE: privilege escalation from modules' scripts
505+ - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
506+ child to its slot number in include/scoreboard.h,
507+ server/mpm/event/event.c, server/mpm/prefork/prefork.c,
508+ server/mpm/worker/worker.c.
509+ - CVE-2019-0211
510+ * SECURITY UPDATE: mod_ssl access control bypass
511+ - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
512+ PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
513+ - CVE-2019-0215
514+ * SECURITY UPDATE: mod_auth_digest access control bypass
515+ - debian/patches/CVE-2019-0217.patch: fix a race condition in
516+ modules/aaa/mod_auth_digest.c.
517+ - CVE-2019-0217
518+ * SECURITY UPDATE: URL normalization inconsistincy
519+ - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
520+ the path in include/http_core.h, include/httpd.h, server/core.c,
521+ server/request.c, server/util.c.
522+ - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
523+ in server/request.c, server/util.c.
524+ - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
525+ server/util.c.
526+ - CVE-2019-0220
527+
528+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Apr 2019 14:31:46 -0400
529+
530+apache2 (2.4.38-2ubuntu1) disco; urgency=medium
531+
532+ * Merge with Debian unstable. Remaining changes:
533+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
534+ apache2.dirs}: Add ufw profiles.
535+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
536+ - debian/patches/086_svn_cross_compiles: Backport several cross
537+ fixes from upstream
538+ [Removed configure chunk, not needed since configure.in is being
539+ patched.]
540+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
541+ Debian with Ubuntu on default page.
542+ + d/source/include-binaries: add Ubuntu icon file
543+ - d/t/control, d/t/check-http2: add basic test for http2 support
544+ * Dropped:
545+ - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
546+ libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
547+ cannot be coinstalled with libcurl3. That situation breaks the
548+ installation of libapache2-mod-shib2. See
549+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
550+ for details.
551+ [This has been resolved in Disco, where libxmltooling8 is built with
552+ openssl 1.1]
553+ - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
554+ + debian/patches/CVE-2018-11763.patch: rework connection IO event
555+ handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
556+ modules/http2/h2_version.h.
557+ - CVE-2018-11763
558+ [Fixed in 2.4.35]
559+
560+ -- Andreas Hasenack <andreas@canonical.com> Sun, 03 Feb 2019 14:57:13 -0200
561+
562 apache2 (2.4.38-2) unstable; urgency=medium
563
564 * Disable "reset" test in allowmethods.t (Closes: #921024)
565@@ -251,6 +563,37 @@ apache2 (2.4.35-1) unstable; urgency=medium
566
567 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200
568
569+apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium
570+
571+ * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
572+ - debian/patches/CVE-2018-11763.patch: rework connection IO event
573+ handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
574+ modules/http2/h2_version.h.
575+ - CVE-2018-11763
576+
577+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Oct 2018 09:57:22 -0400
578+
579+apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium
580+
581+ * Merge with Debian unstable. Remaining changes:
582+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
583+ apache2.dirs}: Add ufw profiles.
584+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
585+ - debian/patches/086_svn_cross_compiles: Backport several cross
586+ fixes from upstream
587+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
588+ Debian with Ubuntu on default page.
589+ + d/source/include-binaries: add Ubuntu icon file
590+ - d/t/control, d/t/check-http2: add basic test for http2 support
591+ - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
592+ libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
593+ cannot be coinstalled with libcurl3. That situation breaks the
594+ installation of libapache2-mod-shib2. See
595+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
596+ for details.
597+
598+ -- Andreas Hasenack <andreas@canonical.com> Fri, 03 Aug 2018 17:09:27 -0300
599+
600 apache2 (2.4.34-1) unstable; urgency=medium
601
602 [ Ondřej Surý ]
603@@ -269,6 +612,87 @@ apache2 (2.4.34-1) unstable; urgency=medium
604
605 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200
606
607+apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium
608+
609+ * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load:
610+ re-enable proxy_uwsgi, as the uwsgi source no longer builds this module.
611+
612+ -- Andreas Hasenack <andreas@canonical.com> Thu, 28 Jun 2018 10:07:06 -0300
613+
614+apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
615+
616+ * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
617+ libapache2-mod-md until we figure out their transitions. libapache2-mod-md
618+ in particular is problematic because that makes apache2-bin pull in
619+ libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
620+ the installation of libapache2-mod-shib2. See
621+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
622+ for details.
623+ - Don't ship md.load and remove build-requires that were added because of
624+ mod-md (see
625+ https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
626+ - Remove proxy_uwsgi.load as we are not building it for now (see
627+ https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
628+
629+ -- Andreas Hasenack <andreas@canonical.com> Thu, 17 May 2018 14:46:19 +0000
630+
631+apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
632+
633+ * Merge with Debian unstable (LP: #1770242). Remaining changes:
634+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
635+ apache2.dirs}: Add ufw profiles.
636+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
637+ - debian/patches/086_svn_cross_compiles: Backport several cross
638+ fixes from upstream
639+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
640+ Debian with Ubuntu on default page.
641+ + d/source/include-binaries: add Ubuntu icon file
642+ - d/t/control, d/t/check-http2: add basic test for http2 support
643+ * Drop:
644+ - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
645+ + debian/patches/CVE-2017-15710.patch: fix language long names
646+ detection as short name in modules/aaa/mod_authnz_ldap.c.
647+ + CVE-2017-15710
648+ - SECURITY UPDATE: incorrect <FilesMatch> matching
649+ + debian/patches/CVE-2017-15715.patch: allow to configure
650+ global/default options for regexes, like caseless matching or
651+ extended format in include/ap_regex.h, server/core.c,
652+ server/util_pcre.c.
653+ + CVE-2017-15715
654+ - SECURITY UPDATE: mod_session header manipulation
655+ + debian/patches/CVE-2018-1283.patch: strip Session header when
656+ SessionEnv is on in modules/session/mod_session.c.
657+ + CVE-2018-1283
658+ - SECURITY UPDATE: DoS via specially-crafted request
659+ + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
660+ terminated on any error, not only on buffer full in
661+ server/protocol.c.
662+ + CVE-2018-1301
663+ - SECURITY UPDATE: mod_cache_socache DoS
664+ + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
665+ to carriage return in modules/cache/mod_cache_socache.c.
666+ + CVE-2018-1303
667+ - SECURITY UPDATE: insecure nonce generation
668+ + debian/patches/CVE-2018-1312.patch: actually use the secret when
669+ generating nonces in modules/aaa/mod_auth_digest.c.
670+ + CVE-2018-1312
671+ - Correct systemd-sysv-generator behavior by customizing some
672+ parameters:
673+ + d/apache2-systemd.conf: add a drop-in file to specify some
674+ parameters for the systemd unit (type=Forking and
675+ RemainsAfterExit=no), this allow a correct state synchronisation
676+ between systemctl status and actual state of apache2 daemon.
677+ + d/apache2.install: place the apache2-systemd.conf file in the
678+ correct location.
679+ [type=Forking already in the base systemd service file, and
680+ RemainsAfterExit=no is the default value, so no need to
681+ customize these anymore.]
682+ - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
683+ + added debian/patches/util_ldap_cache_lock_fix.patch
684+ [Already applied upstream]
685+
686+ -- Andreas Hasenack <andreas@canonical.com> Tue, 15 May 2018 11:03:34 -0300
687+
688 apache2 (2.4.33-3) unstable; urgency=medium
689
690 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
691@@ -341,6 +765,91 @@ apache2 (2.4.29-2) unstable; urgency=medium
692
693 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +0000
694
695+apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium
696+
697+ * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
698+ - debian/patches/CVE-2017-15710.patch: fix language long names
699+ detection as short name in modules/aaa/mod_authnz_ldap.c.
700+ - CVE-2017-15710
701+ * SECURITY UPDATE: incorrect <FilesMatch> matching
702+ - debian/patches/CVE-2017-15715.patch: allow to configure
703+ global/default options for regexes, like caseless matching or
704+ extended format in include/ap_regex.h, server/core.c,
705+ server/util_pcre.c.
706+ - CVE-2017-15715
707+ * SECURITY UPDATE: mod_session header manipulation
708+ - debian/patches/CVE-2018-1283.patch: strip Session header when
709+ SessionEnv is on in modules/session/mod_session.c.
710+ - CVE-2018-1283
711+ * SECURITY UPDATE: DoS via specially-crafted request
712+ - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
713+ terminated on any error, not only on buffer full in
714+ server/protocol.c.
715+ - CVE-2018-1301
716+ * SECURITY UPDATE: mod_cache_socache DoS
717+ - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
718+ to carriage return in modules/cache/mod_cache_socache.c.
719+ - CVE-2018-1303
720+ * SECURITY UPDATE: insecure nonce generation
721+ - debian/patches/CVE-2018-1312.patch: actually use the secret when
722+ generating nonces in modules/aaa/mod_auth_digest.c.
723+ - CVE-2018-1312
724+
725+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Apr 2018 07:38:24 -0400
726+
727+apache2 (2.4.29-1ubuntu4) bionic; urgency=medium
728+
729+ * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
730+ - added debian/patches/util_ldap_cache_lock_fix.patch
731+
732+ -- Rafael David Tinoco <rafael.tinoco@canonical.com> Fri, 02 Mar 2018 02:19:31 +0000
733+
734+apache2 (2.4.29-1ubuntu3) bionic; urgency=medium
735+
736+ * Switch back to OpenSSL 1.1.
737+
738+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 11:57:20 +0000
739+
740+apache2 (2.4.29-1ubuntu2) bionic; urgency=medium
741+
742+ * enable http2 (LP: #1687454) by stopping to disable it
743+ - debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
744+ - debian/config-dir/mods-available/http2.load: no more removed.
745+ - debian/rules: no more removed proxy_http2 from configure.
746+ * d/t/control, d/t/check-http2: add basic test for http2 support
747+
748+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 05 Dec 2017 17:25:39 +0100
749+
750+apache2 (2.4.29-1ubuntu1) bionic; urgency=medium
751+
752+ * Merge with Debian unstable. Remaining changes:
753+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
754+ apache2.dirs}: Add ufw profiles.
755+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
756+ - debian/patches/086_svn_cross_compiles: Backport several cross
757+ fixes from upstream
758+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
759+ Debian with Ubuntu on default page.
760+ + d/source/include-binaries: add Ubuntu icon file
761+ - Correct systemd-sysv-generator behavior by customizing some
762+ parameters:
763+ + d/apache2-systemd.conf: add a drop-in file to specify some
764+ parameters for the systemd unit (type=Forking and
765+ RemainsAfterExit=no), this allow a correct state synchronisation
766+ between systemctl status and actual state of apache2 daemon.
767+ + d/apache2.install: place the apache2-systemd.conf file in the
768+ correct location.
769+ - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
770+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
771+ + debian/config-dir/mods-available/http2.load: removed.
772+ + debian/rules: removed proxy_http2 from configure.
773+ * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
774+ - debian/control: switch BuildDepends to libssl1.0-dev
775+ - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
776+ - debian/rules: remove openssl virtual package and logic
777+
778+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 10 Nov 2017 10:51:46 -0500
779+
780 apache2 (2.4.29-1) unstable; urgency=medium
781
782 [ Stefan Fritsch ]
783@@ -405,6 +914,47 @@ apache2 (2.4.27-3) experimental; urgency=medium
784
785 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +0200
786
787+apache2 (2.4.27-2ubuntu3) artful; urgency=medium
788+
789+ * SECURITY UPDATE: optionsbleed information leak
790+ - debian/patches/CVE-2017-9798.patch: disallow method registration
791+ at run time in server/core.c.
792+ - CVE-2017-9798
793+
794+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Sep 2017 11:05:48 -0400
795+
796+apache2 (2.4.27-2ubuntu2) artful; urgency=medium
797+
798+ * Undrop (LP 1658469):
799+ - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
800+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
801+ + debian/config-dir/mods-available/http2.load: removed.
802+ + debian/rules: removed proxy_http2 from configure.
803+
804+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 02 Aug 2017 13:04:45 -0400
805+
806+apache2 (2.4.27-2ubuntu1) artful; urgency=medium
807+
808+ * Merge with Debian unstable (LP: #1702582). Remaining changes:
809+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
810+ apache2.dirs}: Add ufw profiles.
811+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
812+ - debian/patches/086_svn_cross_compiles: Backport several cross
813+ fixes from upstream
814+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
815+ Debian with Ubuntu on default page.
816+ + d/source/include-binaries: add Ubuntu icon file
817+ - Correct systemd-sysv-generator behavior by customizing some
818+ parameters:
819+ + d/apache2-systemd.conf: add a drop-in file to specify some
820+ parameters for the systemd unit (type=Forking and
821+ RemainsAfterExit=no), this allow a correct state synchronisation
822+ between systemctl status and actual state of apache2 daemon.
823+ + d/apache2.install: place the apache2-systemd.conf file in the
824+ correct location.
825+
826+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 27 Jul 2017 13:38:39 -0700
827+
828 apache2 (2.4.27-2) unstable; urgency=medium
829
830 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
831@@ -434,6 +984,55 @@ apache2 (2.4.25-4) unstable; urgency=high
832
833 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +0200
834
835+apache2 (2.4.25-3ubuntu3) artful; urgency=medium
836+
837+ * Re-Drop (LP: #1658469):
838+ - Don't build experimental http2 module for LTS:
839+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
840+ + debian/config-dir/mods-available/http2.load: removed.
841+ + debian/rules: removed proxy_http2 from configure.
842+ + debian/apache2.maintscript: remove http2 conffile.
843+
844+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Mon, 01 May 2017 09:55:11 -0700
845+
846+apache2 (2.4.25-3ubuntu2) zesty; urgency=medium
847+ * Undrop (LP 1658469):
848+ - Don't build experimental http2 module for LTS:
849+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
850+ + debian/config-dir/mods-available/http2.load: removed.
851+ + debian/rules: removed proxy_http2 from configure.
852+ + debian/apache2.maintscript: remove http2 conffile.
853+
854+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 10 Feb 2017 08:53:43 -0800
855+
856+apache2 (2.4.25-3ubuntu1) zesty; urgency=medium
857+
858+ * Merge from Debian unstable (LP: #1663425). Remaining changes:
859+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
860+ apache2.dirs}: Add ufw profiles.
861+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
862+ - debian/patches/086_svn_cross_compiles: Backport several cross
863+ fixes from upstream
864+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
865+ Debian with Ubuntu on default page.
866+ + d/source/include-binaries: add Ubuntu icon file
867+ - Correct systemd-sysv-generator behavior by customizing some
868+ parameters:
869+ + d/apache2-systemd.conf: add a drop-in file to specify some
870+ parameters for the systemd unit (type=Forking and
871+ RemainsAfterExit=no), this allow a correct state synchronisation
872+ between systemctl status and actual state of apache2 daemon.
873+ + d/apache2.install: place the apache2-systemd.conf file in the
874+ correct location.
875+ * Drop (LP: #1658469):
876+ - Don't build experimental http2 module for LTS:
877+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
878+ + debian/config-dir/mods-available/http2.load: removed.
879+ + debian/rules: removed proxy_http2 from configure.
880+ + debian/apache2.maintscript: remove http2 conffile.
881+
882+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 09 Feb 2017 15:48:28 -0800
883+
884 apache2 (2.4.25-3) unstable; urgency=medium
885
886 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
887@@ -495,6 +1094,39 @@ apache2 (2.4.25-1) unstable; urgency=medium
888
889 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +0100
890
891+apache2 (2.4.23-8ubuntu1) zesty; urgency=medium
892+
893+ * Merge from Debian unstable (LP: #). Remaining changes:
894+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
895+ apache2.dirs}: Add ufw profiles.
896+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
897+ - debian/patches/086_svn_cross_compiles: Backport several cross
898+ fixes from upstream
899+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
900+ d/source/include-binaries: replace Debian with Ubuntu on default
901+ page.
902+ [ include-binaries change previously undocumented ]
903+ - Don't build experimental http2 module for LTS:
904+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
905+ + debian/config-dir/mods-available/http2.load: removed.
906+ + debian/rules: removed proxy_http2 from configure.
907+ + debian/apache2.maintscript: remove http2 conffile.
908+ [ Previously undocumented ]
909+ - Correct systemd-sysv-generator behavior by customizing some
910+ parameters:
911+ + d/apache2-systemd.conf: add a drop-in file to specify some
912+ parameters for the systemd unit (type=Forking and
913+ RemainsAfterExit=no), this allow a correct state synchronisation
914+ between systemctl status and actual state of apache2 daemon.
915+ + d/apache2.install: place the apache2-systemd.conf file in the
916+ correct location.
917+ * Drop:
918+ - debian/rules: Fix cross-building by passing
919+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
920+ [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]
921+
922+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 09 Dec 2016 11:02:38 +0100
923+
924 apache2 (2.4.23-8) unstable; urgency=medium
925
926 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
927@@ -505,6 +1137,33 @@ apache2 (2.4.23-8) unstable; urgency=medium
928
929 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100
930
931+apache2 (2.4.23-7ubuntu1) zesty; urgency=medium
932+
933+ * Merge from Debian unstable. Remaining changes:
934+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
935+ apache2.dirs}: Add ufw profiles.
936+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
937+ - debian/rules: Fix cross-building by passing
938+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
939+ - debian/patches/086_svn_cross_compiles: Backport several cross
940+ fixes from upstream
941+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
942+ Debian with Ubuntu on default page.
943+ - Don't build experimental http2 module for LTS:
944+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
945+ + debian/config-dir/mods-available/http2.load: removed.
946+ + debian/rules: removed proxy_http2 from configure.
947+ - Correct systemd-sysv-generator behavior by customizing some
948+ parameters:
949+ + d/apache2-systemd.conf: add a drop-in file to specify some
950+ parameters for the systemd unit (type=Forking and
951+ RemainsAfterExit=no), this allow a correct state synchronisation
952+ between systemctl status and actual state of apache2 daemon.
953+ + d/apache2.install: place the apache2-systemd.conf file in the
954+ correct location.
955+
956+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Nov 2016 09:17:24 -0500
957+
958 apache2 (2.4.23-7) unstable; urgency=medium
959
960 * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
961@@ -619,6 +1278,55 @@ apache2 (2.4.20-1) unstable; urgency=medium
962
963 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200
964
965+apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium
966+
967+ * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
968+ - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
969+ server/util_script.c.
970+ - CVE-2016-5387
971+
972+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Jul 2016 14:32:02 -0400
973+
974+apache2 (2.4.18-2ubuntu3) xenial; urgency=medium
975+
976+ [ Ryan Harper ]
977+ * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
978+ introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
979+ all, since http2 support is intentionally disabled (see LP 1531864).
980+ * d/apache2.maintscript: handle removal of http2.load conffile.
981+
982+ [ Robie Basak ]
983+ * Re-write Ryan's changelog entry.
984+
985+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 15 Apr 2016 18:00:57 +0000
986+
987+apache2 (2.4.18-2ubuntu2) xenial; urgency=medium
988+
989+ * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
990+ - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
991+ unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation
992+ between systemctl status and actual state of apache2 daemon.
993+ - d/apache2.install: place the apache2-systemd.conf file in the correct location.
994+
995+ -- Pierre-André MOREY <pierre-andre.morey@canonical.com> Fri, 08 Apr 2016 11:48:00 +0200
996+
997+apache2 (2.4.18-2ubuntu1) xenial; urgency=medium
998+
999+ * Merge from Debian unstable. Remaining changes:
1000+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1001+ apache2.dirs}: Add ufw profiles.
1002+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1003+ - debian/rules: Fix cross-building by passing
1004+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1005+ - debian/patches/086_svn_cross_compiles: Backport several cross
1006+ fixes from upstream
1007+ - d/index.html: replace Debian with Ubuntu on default page.
1008+ - Don't build experimental http2 module for LTS:
1009+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1010+ + debian/config-dir/mods-available/http2.load: removed.
1011+
1012+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 06 Apr 2016 00:18:31 +0300
1013+
1014 apache2 (2.4.18-2) unstable; urgency=low
1015
1016 * htcacheclean:
1017@@ -644,6 +1352,24 @@ apache2 (2.4.18-2) unstable; urgency=low
1018
1019 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200
1020
1021+apache2 (2.4.18-1ubuntu1) xenial; urgency=medium
1022+
1023+ * Merge from Debian unstable. Remaining changes:
1024+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1025+ apache2.dirs}: Add ufw profiles.
1026+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1027+ - Add dep8 tests.
1028+ - debian/rules: Fix cross-building by passing
1029+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1030+ - debian/patches/086_svn_cross_compiles: Backport several cross
1031+ fixes from upstream
1032+ - d/index.html: replace Debian with Ubuntu on default page.
1033+ - Don't build experimental http2 module for LTS:
1034+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1035+ + debian/config-dir/mods-available/http2.load: removed.
1036+
1037+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Jan 2016 15:15:22 -0500
1038+
1039 apache2 (2.4.18-1) unstable; urgency=medium
1040
1041 * New upstream release:
1042@@ -651,12 +1377,48 @@ apache2 (2.4.18-1) unstable; urgency=medium
1043
1044 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100
1045
1046+apache2 (2.4.17-3ubuntu1) xenial; urgency=medium
1047+
1048+ * Merge from Debian unstable. Remaining changes:
1049+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1050+ apache2.dirs}: Add ufw profiles.
1051+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1052+ - Add dep8 tests.
1053+ - debian/rules: Fix cross-building by passing
1054+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1055+ - debian/patches/086_svn_cross_compiles: Backport several cross
1056+ fixes from upstream
1057+ - d/index.html: replace Debian with Ubuntu on default page.
1058+ - Don't build experimental http2 module for LTS:
1059+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1060+ + debian/config-dir/mods-available/http2.load: removed.
1061+
1062+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Dec 2015 10:07:35 -0500
1063+
1064 apache2 (2.4.17-3) unstable; urgency=medium
1065
1066 * mpm_prefork: Fix segfault if started with -X. Closes: #805737
1067
1068 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100
1069
1070+apache2 (2.4.17-2ubuntu1) xenial; urgency=medium
1071+
1072+ * Merge from Debian unstable. Remaining changes:
1073+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1074+ apache2.dirs}: Add ufw profiles.
1075+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1076+ - Add dep8 tests.
1077+ - debian/rules: Fix cross-building by passing
1078+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1079+ - debian/patches/086_svn_cross_compiles: Backport several cross
1080+ fixes from upstream
1081+ - d/index.html: replace Debian with Ubuntu on default page.
1082+ - Don't build experimental http2 module for LTS:
1083+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1084+ + debian/config-dir/mods-available/http2.load: removed.
1085+
1086+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Nov 2015 09:11:52 -0500
1087+
1088 apache2 (2.4.17-2) unstable; urgency=medium
1089
1090 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
1091@@ -667,6 +1429,31 @@ apache2 (2.4.17-2) unstable; urgency=medium
1092
1093 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100
1094
1095+apache2 (2.4.17-1ubuntu1) xenial; urgency=medium
1096+
1097+ * Merge from Debian unstable. Remaining changes:
1098+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1099+ apache2.dirs}: Add ufw profiles.
1100+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1101+ - Add dep8 tests.
1102+ - debian/rules: Fix cross-building by passing
1103+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1104+ - debian/patches/086_svn_cross_compiles: Backport several cross
1105+ fixes from upstream
1106+ - d/index.html: replace Debian with Ubuntu on default page.
1107+ * Drop patches (applied upstream):
1108+ - debian/patches/CVE-2015-3183.patch
1109+ - debian/patches/CVE-2015-3185.patch
1110+ * Drop changes (adopted in Debian):
1111+ - Allow "triggers-awaited" and "triggers-pending" states in addition
1112+ to "installed" when determining whether to defer actions or
1113+ process deferred actions.
1114+ * Don't build experimental http2 module for LTS
1115+ - debian/control: removed libnghttp2-dev Build-Depends (in universe).
1116+ - debian/config-dir/mods-available/http2.load: removed.
1117+
1118+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 30 Oct 2015 09:35:46 -0400
1119+
1120 apache2 (2.4.17-1) unstable; urgency=medium
1121
1122 [ Stefan Fritsch ]
1123@@ -732,6 +1519,49 @@ apache2 (2.4.16-1) unstable; urgency=medium
1124
1125 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200
1126
1127+apache2 (2.4.12-2ubuntu2) wily; urgency=medium
1128+
1129+ * SECURITY UPDATE: request smuggling via chunked transfer encoding
1130+ - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
1131+ modules/http/http_filters.c.
1132+ - CVE-2015-3183
1133+ * SECURITY UPDATE: access restriction bypass via deprecated API
1134+ - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
1135+ in include/http_request.h, server/request.c.
1136+ - CVE-2015-3185
1137+
1138+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 24 Jul 2015 09:56:09 -0400
1139+
1140+apache2 (2.4.12-2ubuntu1) wily; urgency=medium
1141+
1142+ * Merge from Debian unstable. Remaining changes:
1143+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1144+ apache2.dirs}: Add ufw profiles.
1145+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1146+ - Add dep8 tests.
1147+ - debian/rules: Fix cross-building by passing
1148+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1149+ - debian/patches/086_svn_cross_compiles: Backport several cross
1150+ fixes from upstream
1151+ - d/index.html: replace Debian with Ubuntu on default page.
1152+ - Allow "triggers-awaited" and "triggers-pending" states in addition
1153+ to "installed" when determining whether to defer actions or
1154+ process deferred actions.
1155+ * Drop patches (applied upstream):
1156+ - d/p/split-logfile.patch
1157+ - d/p/CVE-2015-0228.patch
1158+ * Drop changes (superceded in Debian):
1159+ - Cherry-pick versioned build-depend on dpkg from Debian for correct
1160+ dpkg-maintscript-helper symlink_to_dir support.
1161+ * Drop changes (adopted in Debian):
1162+ - d/control, d/config-dir/mods-available/ssl.conf,
1163+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1164+ dialog program ask-for-passphrase.
1165+ * Fix cross-building configure line in d/rules, which had bit-rotted in
1166+ previous merges.
1167+
1168+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 May 2015 16:34:00 +0000
1169+
1170 apache2 (2.4.12-2) unstable; urgency=medium
1171
1172 [ Jean-Michel Nirgal Vourgère ]
1173@@ -781,6 +1611,28 @@ apache2 (2.4.10-10) unstable; urgency=medium
1174
1175 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100
1176
1177+apache2 (2.4.10-9ubuntu1) vivid; urgency=medium
1178+
1179+ * Merge from Debian unstable. Remaining changes:
1180+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1181+ apache2.dirs}: Add ufw profiles.
1182+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1183+ - d/control, d/config-dir/mods-available/ssl.conf,
1184+ - Add dep8 tests.
1185+ - debian/rules: Fix cross-building by passing
1186+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1187+ - debian/patches/086_svn_cross_compiles: Backport several cross
1188+ fixes from upstream
1189+ - d/index.html: replace Debian with Ubuntu on default page.
1190+ - d/p/split-logfile.patch: fix completely broken split-logfile
1191+ command.
1192+ - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
1193+ denial of service in mod_lua via websockets PING
1194+ * debian/tests/ssl-passphrase: Add password responder for
1195+ systemd-ask-passphrase.
1196+
1197+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 09 Mar 2015 12:03:16 +0100
1198+
1199 apache2 (2.4.10-9) unstable; urgency=medium
1200
1201 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
1202@@ -795,6 +1647,54 @@ apache2 (2.4.10-9) unstable; urgency=medium
1203
1204 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100
1205
1206+apache2 (2.4.10-8ubuntu3) vivid; urgency=medium
1207+
1208+ * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
1209+ directives
1210+ - debian/patches/CVE-2014-8109.patch: handle multiple Require
1211+ directives with different arguments in modules/lua/mod_lua.c.
1212+ - CVE-2014-8109
1213+ * SECURITY UPDATE: denial of service in mod_lua via websockets PING
1214+ - debian/patches/CVE-2015-0228.patch: fix logic in
1215+ modules/lua/lua_request.c.
1216+ - CVE-2015-0228
1217+
1218+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 05 Mar 2015 10:56:34 -0500
1219+
1220+apache2 (2.4.10-8ubuntu2) vivid; urgency=medium
1221+
1222+ * Allow "triggers-awaited" and "triggers-pending" states in addition to
1223+ "installed" when determining whether to defer actions or process
1224+ deferred actions (LP: #1393832).
1225+
1226+ -- Colin Watson <cjwatson@ubuntu.com> Wed, 26 Nov 2014 11:31:44 +0000
1227+
1228+apache2 (2.4.10-8ubuntu1) vivid; urgency=medium
1229+
1230+ * Merge from Debian unstable. Remaining changes:
1231+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1232+ apache2.dirs}: Add ufw profiles.
1233+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1234+ - d/control, d/config-dir/mods-available/ssl.conf,
1235+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1236+ dialog program ask-for-passphrase.
1237+ - Add dep8 tests.
1238+ - debian/rules: Fix cross-building by passing
1239+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1240+ - debian/patches/086_svn_cross_compiles: Backport several cross
1241+ fixes from upstream
1242+ - d/index.html: replace Debian with Ubuntu on default page.
1243+ - d/p/split-logfile.patch: fix completely broken split-logfile
1244+ command.
1245+ * Fixes from Debian included in merge:
1246+ - Crash caused by OCSP stapling code; this was erroneously
1247+ attributed to Debian in my previous merge, but actually only
1248+ appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
1249+ * Cherry-pick versioned build-depend on dpkg from Debian for correct
1250+ dpkg-maintscript-helper symlink_to_dir support.
1251+
1252+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 21 Nov 2014 15:15:58 +0000
1253+
1254 apache2 (2.4.10-8) unstable; urgency=medium
1255
1256 * Bump dpkg Pre-Depends to version that supports relative symlinks in
1257@@ -809,6 +1709,33 @@ apache2 (2.4.10-8) unstable; urgency=medium
1258
1259 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100
1260
1261+apache2 (2.4.10-7ubuntu1) vivid; urgency=medium
1262+
1263+ * Merge from Debian unstable. Remaining changes:
1264+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1265+ apache2.dirs}: Add ufw profiles.
1266+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1267+ - d/control, d/config-dir/mods-available/ssl.conf,
1268+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1269+ dialog program ask-for-passphrase.
1270+ - Add dep8 tests.
1271+ - debian/rules: Fix cross-building by passing
1272+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1273+ - debian/patches/086_svn_cross_compiles: Backport several cross
1274+ fixes from upstream
1275+ - d/index.html: replace Debian with Ubuntu on default page.
1276+ - d/p/split-logfile.patch: fix completely broken split-logfile command.
1277+ * Fixes from Debian included in merge:
1278+ - Don't use a2query in preinst, as it may not be available yet
1279+ (LP: #1312533).
1280+ - Crash caused by OCSP stapling code (LP: #1366174).
1281+ - Disable SSLv3 in default config (LP: #1358305).
1282+ - If apache2 is not configured yet, defer actions executed via
1283+ apache2-maintscript-helper. This fixes installation failures if a
1284+ module package is configured first (LP: #1312854).
1285+
1286+ -- Robie Basak <robie.basak@ubuntu.com> Mon, 17 Nov 2014 18:04:40 +0000
1287+
1288 apache2 (2.4.10-7) unstable; urgency=medium
1289
1290 * Handle transitions of doc dirs and symlinks correctly during upgrade.
1291@@ -892,6 +1819,25 @@ apache2 (2.4.10-2) unstable; urgency=medium
1292
1293 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200
1294
1295+apache2 (2.4.10-1ubuntu1) utopic; urgency=medium
1296+
1297+ * Merge from Debian unstable. Remaining changes:
1298+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1299+ apache2.dirs}: Add ufw profiles.
1300+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1301+ - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
1302+ d/apache2.install: Plymouth aware passphrase dialog program
1303+ ask-for-passphrase.
1304+ - Add dep8 tests.
1305+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
1306+ configure.
1307+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
1308+ upstream
1309+ - d/index.html: replace Debian with Ubuntu on default page.
1310+ - d/p/split-logfile.patch: fix completely broken split-logfile command.
1311+
1312+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 24 Jul 2014 15:13:16 +0000
1313+
1314 apache2 (2.4.10-1) unstable; urgency=medium
1315
1316 [ Arno Töll ]
1317@@ -939,6 +1885,45 @@ apache2 (2.4.9-2) unstable; urgency=medium
1318
1319 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200
1320
1321+apache2 (2.4.9-1ubuntu2) utopic; urgency=medium
1322+
1323+ * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
1324+ yet support building against lua 5.2 (LP: #1323930).
1325+
1326+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 28 May 2014 08:55:25 +0000
1327+
1328+apache2 (2.4.9-1ubuntu1) utopic; urgency=medium
1329+
1330+ * Merge from Debian unstable. Remaining changes:
1331+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1332+ apache2.dirs}: Add ufw profiles.
1333+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1334+ - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
1335+ d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
1336+ dialog program ask-for-passphrase.
1337+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
1338+ configure.
1339+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
1340+ upstream
1341+ - Build using lua5.2.
1342+ - d/tests/chroot: dep8 test for ChrootDir case.
1343+ - d/tests/ssl-passphrase: update for new default path /var/www/html.
1344+ - d/tests/duplicate-module-load: check for duplicate module loads.
1345+ - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
1346+ - d/p/split-logfile.patch: fix completely broken split-logfile command
1347+ (LP: #1299162). Thanks to Holger Mauermann.
1348+ * Drop changes (upstreamed):
1349+ - d/p/ignore-quilt-dir: adjust build system so that it does not use
1350+ files find inside the .pc directory. This stops a double module load
1351+ causing later havoc, including "ChrootDir" directive failure.
1352+ - debian/patches/CVE-2013-6438.patch: properly calculate correct length
1353+ in modules/dav/main/util.c.
1354+ - debian/patches/CVE-2014-0098.patch: properly parse tokens in
1355+ modules/loggers/mod_log_config.c.
1356+ * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
1357+
1358+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 May 2014 19:30:04 +0000
1359+
1360 apache2 (2.4.9-1) unstable; urgency=medium
1361
1362 * New upstream version.
1363@@ -971,6 +1956,63 @@ apache2 (2.4.9-1) unstable; urgency=medium
1364
1365 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +0100
1366
1367+apache2 (2.4.7-1ubuntu4) trusty; urgency=medium
1368+
1369+ * d/p/split-logfile.patch: fix completely broken split-logfile command
1370+ (LP: #1299162). Thanks to Holger Mauermann.
1371+
1372+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 03 Apr 2014 11:21:22 +0000
1373+
1374+apache2 (2.4.7-1ubuntu3) trusty; urgency=medium
1375+
1376+ * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
1377+ calculation
1378+ - debian/patches/CVE-2013-6438.patch: properly calculate correct length
1379+ in modules/dav/main/util.c.
1380+ - CVE-2013-6438
1381+ * SECURITY UPDATE: denial of service via truncated cookie and
1382+ mod_log_config
1383+ - debian/patches/CVE-2014-0098.patch: properly parse tokens in
1384+ modules/loggers/mod_log_config.c.
1385+ - CVE-2014-0098
1386+
1387+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Mar 2014 08:34:10 -0400
1388+
1389+apache2 (2.4.7-1ubuntu2) trusty; urgency=medium
1390+
1391+ * d/index.html: replace Debian with Ubuntu on default page
1392+ (LP: #1288690).
1393+
1394+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 19 Mar 2014 11:04:21 +0000
1395+
1396+apache2 (2.4.7-1ubuntu1) trusty; urgency=medium
1397+
1398+ * Merge from Debian unstable. Remaining changes:
1399+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1400+ apache2.dirs}: Add ufw profiles.
1401+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1402+ - d/control, d/config-dir/mods-available/ssl.conf,
1403+ d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase:
1404+ Plymouth aware passphrase dialog program ask-for-passphrase.
1405+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
1406+ to configure.
1407+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes
1408+ from upstream
1409+ - Build using lua5.2.
1410+ - d/tests/chroot: dep8 test for ChrootDir case.
1411+ - d/p/ignore-quilt-dir: adjust build system so that it does not use
1412+ files find inside the .pc directory. This stops a double module load
1413+ causing later havoc, including "ChrootDir" directive failure.
1414+ * Drop changes:
1415+ - debian/{control, rules}: Enable PIE hardening: no longer required;
1416+ 2.4.7-1 is already hardened.
1417+ - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved
1418+ out of this package.
1419+ * d/tests/ssl-passphrase: update for new default path /var/www/html.
1420+ * d/tests/duplicate-module-load: check for duplicate module loads.
1421+
1422+ -- Robie Basak <robie.basak@ubuntu.com> Tue, 14 Jan 2014 17:23:47 +0000
1423+
1424 apache2 (2.4.7-1) unstable; urgency=low
1425
1426 New upstream version
1427@@ -1034,6 +2076,53 @@ apache2 (2.4.6-3) unstable; urgency=low
1428
1429 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +0200
1430
1431+apache2 (2.4.6-2ubuntu4) trusty; urgency=low
1432+
1433+ * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so
1434+ that it does not use files find inside the .pc directory. This stops a
1435+ double module load causing later havoc, including "ChrootDir" directive
1436+ failure (LP: #1251939). Thanks to Stefan Fritsch.
1437+ * d/tests/chroot: dep8 test for ChrootDir case.
1438+
1439+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 Nov 2013 16:21:51 +0000
1440+
1441+apache2 (2.4.6-2ubuntu3) trusty; urgency=low
1442+
1443+ * debian/apache2.install: Correct path for ufw.
1444+ (LP: #1252722)
1445+
1446+ -- Chuck Short <zulcss@ubuntu.com> Tue, 19 Nov 2013 08:59:54 -0500
1447+
1448+apache2 (2.4.6-2ubuntu2) saucy; urgency=low
1449+
1450+ * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes
1451+ passphrase prompting for SSL certificates that are passphrase protected.
1452+ * Add dep8 test for SSL passphrase prompting.
1453+
1454+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 Aug 2013 13:08:52 +0000
1455+
1456+apache2 (2.4.6-2ubuntu1) saucy; urgency=low
1457+
1458+ * Merge from Debian unstable. Remaining changes:
1459+ - debian/{control, rules}: Enable PIE hardening.
1460+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1461+ apache2.dirs}: Add ufw profiles.
1462+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1463+ - debian/control, debian/config-dir/mods-available/ssl.conf,
1464+ debian/ask-for-passphrase, debian/apache2.install: Plymouth aware
1465+ passphrase dialog program ask-for-passphrase.
1466+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
1467+ to configure.
1468+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes
1469+ from upstream
1470+ * Dropped changes:
1471+ - debian/patches/CVE-2013-1896.patch: upstream
1472+ * Fixed module dependencies (LP: #1205314)
1473+ - debian/config-dir/mods-available/lbmethod_*: properly specify
1474+ proxy_balancer, not mod_proxy_balancer.
1475+
1476+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Jul 2013 08:31:33 -0400
1477+
1478 apache2 (2.4.6-2) unstable; urgency=low
1479
1480 [ Stefan Fritsch ]
1481@@ -1086,6 +2175,56 @@ apache2 (2.4.6-1) unstable; urgency=low
1482
1483 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +0200
1484
1485+apache2 (2.4.4-6ubuntu5) saucy; urgency=low
1486+
1487+ * SECURITY UPDATE: denial of service via MERGE request
1488+ - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
1489+ in modules/dav/main/mod_dav.c.
1490+ - CVE-2013-1896
1491+
1492+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Jul 2013 11:20:47 -0400
1493+
1494+apache2 (2.4.4-6ubuntu4) saucy; urgency=low
1495+
1496+ * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to
1497+ apache2-bin. apache2-utils is only suggested by apache2, so may not
1498+ always be installed by bug reporters. However, apache2-bin will always
1499+ need to be installed for Apache to be functional, so this is a better
1500+ place for the apport hook. apache2-bin already Conflicts/Replaces
1501+ apache2.2-common, so this also fixes (LP: #1199318).
1502+ * d/apache2.py: adjust apport hook for new location of configuration
1503+ files in apache2 >= 2.4: they have moved from apache2.2-common to
1504+ apache2.
1505+
1506+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 17 Jul 2013 17:54:22 +0000
1507+
1508+apache2 (2.4.4-6ubuntu3) saucy; urgency=low
1509+
1510+ * Build using lua5.2.
1511+
1512+ -- Matthias Klose <doko@ubuntu.com> Wed, 17 Jul 2013 14:24:42 +0200
1513+
1514+apache2 (2.4.4-6ubuntu2) saucy; urgency=low
1515+
1516+ * debian/rules: Fix FTBFS while installing ufw.
1517+
1518+ -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 10:10:14 -0500
1519+
1520+apache2 (2.4.4-6ubuntu1) saucy; urgency=low
1521+
1522+ * Merge from Debian unstable. Remaining changes:
1523+ - debian/{control, rules}: Enable PIE hardening.
1524+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1525+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1526+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1527+ Plymouth aware passphrase dialog program ask-for-passphrase.
1528+ * Dropped changes:
1529+ - debian/patches/CVE-2012-2687.patch: Dropped no longer needed.
1530+ - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed.
1531+ - debian/patches/CVE-2012-4929.patch: Dropped no longer needed.
1532+
1533+ -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 08:34:01 -0500
1534+
1535 apache2 (2.4.4-6) unstable; urgency=low
1536
1537 * Denote exact versions breaking gnome-user-share now that Gnome maintainers
1538@@ -1557,6 +2696,122 @@ apache2 (2.4.1-1) experimental; urgency=low
1539
1540 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +0100
1541
1542+apache2 (2.2.22-6ubuntu5) raring; urgency=low
1543+
1544+ * SECURITY UPDATE: multiple cross-site scripting issues
1545+ - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
1546+ modules/generators/{mod_info.c,mod_status.c},
1547+ modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
1548+ modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
1549+ - CVE-2012-3499
1550+ - CVE-2012-4558
1551+ * SECURITY UPDATE: symlink attack in apache2ctl script
1552+ - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
1553+ - Thanks to Stefan Fritsch for the fix.
1554+ - CVE-2013-1048
1555+
1556+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 15 Mar 2013 07:59:58 -0400
1557+
1558+apache2 (2.2.22-6ubuntu4) raring; urgency=low
1559+
1560+ * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
1561+ * Skip module sanity check between MPMs if cross-building without the
1562+ kernel/binfmt support to run our target binaries on the build system.
1563+ * Backport several cross fixes from upstream as 086_svn_cross_compiles.
1564+
1565+ -- Adam Conrad <adconrad@ubuntu.com> Wed, 05 Dec 2012 02:21:46 -0700
1566+
1567+apache2 (2.2.22-6ubuntu3) raring; urgency=low
1568+
1569+ * SECURITY UPDATE: XSS vulnerability in mod_negotiation
1570+ - debian/patches/CVE-2012-2687.patch: escape filenames in
1571+ modules/mappers/mod_negotiation.c.
1572+ - CVE-2012-2687
1573+ * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
1574+ - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
1575+ directive. Defaults to off as enabling compression enables the CRIME
1576+ attack.
1577+ - CVE-2012-4929
1578+
1579+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 08 Nov 2012 17:56:24 -0500
1580+
1581+apache2 (2.2.22-6ubuntu2) quantal; urgency=low
1582+
1583+ * debian/apache2.py
1584+ - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171)
1585+ - Check if this directory exists: /etc/apache2/sites-enabled/
1586+
1587+ -- Matthieu Baerts (matttbe) <matttbe@gmail.com> Mon, 16 Jul 2012 10:02:18 +0200
1588+
1589+apache2 (2.2.22-6ubuntu1) quantal; urgency=low
1590+
1591+ * Merge from Debian unstable. Remaining changes:
1592+ - debian/{control, rules}: Enable PIE hardening.
1593+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1594+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1595+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1596+ Plymouth aware passphrase dialog program ask-for-passphrase.
1597+ * Dropped changes:
1598+ - debian/control: Add bzr tag and point it to our tree; this is not
1599+ really required and just increases the delta.
1600+
1601+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 08 Jun 2012 11:37:31 +0100
1602+
1603+apache2 (2.2.22-6) unstable; urgency=low
1604+
1605+ [ Stefan Fritsch ]
1606+ * Fix regression causing apache2 to cache "206 partial content" responses,
1607+ and then serving these partial responses when replying to normal requests.
1608+ Closes: #671204
1609+ * Add section to security.conf that shows how to forbid access to VCS
1610+ directories. Closes: #548213
1611+ * Update ssl default cipher config, add alternative speed optimized config.
1612+ Closes: #649020
1613+ * Add "AddCharset" for .brf files in default mod_mime config.
1614+ Closes: #402567
1615+ * Don't create httpd.conf anymore and don't include it in apache2.conf. If
1616+ it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
1617+ * Port some of the comments in apache2.conf from the 2.4 package.
1618+ * Compile mod_version statically, drop associated module load file.
1619+ * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
1620+ configtest.
1621+ * Note in README.Debian that future versions of the package will have the
1622+ include statements changed to include only *.conf.
1623+ * Change compiled-in document root to /var/www, to avoid strange error
1624+ messages.
1625+ * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
1626+
1627+ [ Arno Töll ]
1628+ * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
1629+ to override LDFLAGS at compile time by defining LDLAGS in the environment,
1630+ just like it is possible for CFLAGS. This also means, config_vars.mk now
1631+ exports hardening build flags by default.
1632+ * Update doc-base metadata for the apache2-doc package.
1633+
1634+ -- Stefan Fritsch <sf@debian.org> Tue, 29 May 2012 22:05:48 +0200
1635+
1636+apache2 (2.2.22-5) unstable; urgency=low
1637+
1638+ * Make LoadFile and LoadModule look in the standard search paths if the
1639+ dso file name is given as a pure filename. This helps with the multi-arch
1640+ transition.
1641+
1642+ -- Stefan Fritsch <sf@debian.org> Mon, 30 Apr 2012 23:38:33 +0200
1643+
1644+apache2 (2.2.22-4) unstable; urgency=high
1645+
1646+ * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
1647+ hosts' config files.
1648+ If scripting modules like mod_php or mod_rivet are enabled on systems
1649+ where either 1) some frontend server forwards connections to an apache2
1650+ backend server on the localhost address, or 2) the machine running
1651+ apache2 is also used for web browsing, this could allow a remote
1652+ attacker to execute example scripts stored under /usr/share/doc.
1653+ Depending on the installed packages, this could lead to issues like cross
1654+ site scripting, code execution, or leakage of sensitive data.
1655+
1656+ -- Stefan Fritsch <sf@debian.org> Sun, 15 Apr 2012 23:41:43 +0200
1657+
1658 apache2 (2.2.22-3) unstable; urgency=low
1659
1660 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
1661@@ -1577,6 +2832,18 @@ apache2 (2.2.22-2) unstable; urgency=low
1662
1663 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +0100
1664
1665+apache2 (2.2.22-1ubuntu1) precise; urgency=low
1666+
1667+ * Merge from Debian testing. Remaining changes:
1668+ - debian/{control, rules}: Enable PIE hardening.
1669+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1670+ - debian/control: Add bzr tag and point it to our tree
1671+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1672+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1673+ Plymouth aware passphrase dialog program ask-for-passphrase.
1674+
1675+ -- Chuck Short <zulcss@ubuntu.com> Sun, 12 Feb 2012 20:06:35 -0500
1676+
1677 apache2 (2.2.22-1) unstable; urgency=low
1678
1679 [ Stefan Fritsch ]
1680@@ -1594,6 +2861,18 @@ apache2 (2.2.22-1) unstable; urgency=low
1681
1682 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +0100
1683
1684+apache2 (2.2.21-5ubuntu1) precise; urgency=low
1685+
1686+ * Merge from Debian testing. Remaining changes:
1687+ - debian/{control, rules}: Enable PIE hardening.
1688+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1689+ - debian/control: Add bzr tag and point it to our tree
1690+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1691+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1692+ Plymouth aware passphrase dialog program ask-for-passphrase.
1693+
1694+ -- Chuck Short <zulcss@ubuntu.com> Mon, 09 Jan 2012 06:26:31 +0000
1695+
1696 apache2 (2.2.21-5) unstable; urgency=low
1697
1698 [ Arno Töll ]
1699@@ -1647,6 +2926,26 @@ apache2 (2.2.21-4) unstable; urgency=low
1700
1701 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +0100
1702
1703+apache2 (2.2.21-3ubuntu2) precise; urgency=low
1704+
1705+ * d/ask-for-passphrase: Flip the logic of this script so that it checks
1706+ first to see if apache is being started from a TTY, and then if not,
1707+ tries plymouth. (LP: #887410)
1708+
1709+ -- Clint Byrum <clint@ubuntu.com> Tue, 06 Dec 2011 16:49:33 -0800
1710+
1711+apache2 (2.2.21-3ubuntu1) precise; urgency=low
1712+
1713+ * Merge from Debian testing. Remaining changes:
1714+ - debian/{control, rules}: Enable PIE hardening.
1715+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1716+ - debian/control: Add bzr tag and point it to our tree
1717+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1718+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1719+ Plymouth aware passphrase dialog program ask-for-passphrase.
1720+
1721+ -- Chuck Short <zulcss@ubuntu.com> Fri, 09 Dec 2011 05:20:43 +0000
1722+
1723 apache2 (2.2.21-3) unstable; urgency=medium
1724
1725 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
1726@@ -1661,6 +2960,24 @@ apache2 (2.2.21-3) unstable; urgency=medium
1727
1728 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +0100
1729
1730+apache2 (2.2.21-2ubuntu2) precise; urgency=low
1731+
1732+ * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
1733+
1734+ -- Adam Conrad <adconrad@ubuntu.com> Fri, 02 Dec 2011 17:36:28 -0700
1735+
1736+apache2 (2.2.21-2ubuntu1) precise; urgency=low
1737+
1738+ * Merge from debian unstable. Remaining changes:
1739+ - debian/{control, rules}: Enable PIE hardening.
1740+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1741+ - debian/control: Add bzr tag and point it to our tree
1742+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1743+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1744+ Plymouth aware passphrase dialog program ask-for-passphrase.
1745+
1746+ -- Chuck Short <zulcss@ubuntu.com> Fri, 14 Oct 2011 16:01:29 +0000
1747+
1748 apache2 (2.2.21-2) unstable; urgency=high
1749
1750 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
1751@@ -1678,6 +2995,19 @@ apache2 (2.2.21-1) unstable; urgency=low
1752
1753 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +0200
1754
1755+apache2 (2.2.20-1ubuntu1) oneiric; urgency=low
1756+
1757+ * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
1758+ Remaining changes:
1759+ - debian/{control, rules}: Enable PIE hardening.
1760+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1761+ - debian/control: Add bzr tag and point it to our tree
1762+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1763+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1764+ Plymouth aware passphrase dialog program ask-for-passphrase.
1765+
1766+ -- Steve Beattie <sbeattie@ubuntu.com> Tue, 06 Sep 2011 01:17:15 -0700
1767+
1768 apache2 (2.2.20-1) unstable; urgency=low
1769
1770 * New upstream release.
1771@@ -1700,6 +3030,18 @@ apache2 (2.2.19-2) unstable; urgency=high
1772
1773 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +0200
1774
1775+apache2 (2.2.19-1ubuntu1) oneiric; urgency=low
1776+
1777+ * Merge from debian unstable (LP: #787013). Remaining changes:
1778+ - debian/{control, rules}: Enable PIE hardening.
1779+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1780+ - debian/control: Add bzr tag and point it to our tree
1781+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1782+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1783+ Plymouth aware passphrase dialog program ask-for-passphrase.
1784+
1785+ -- Andres Rodriguez <andreserl@ubuntu.com> Mon, 23 May 2011 10:16:09 -0400
1786+
1787 apache2 (2.2.19-1) unstable; urgency=low
1788
1789 * New upstream release.
1790@@ -1717,6 +3059,18 @@ apache2 (2.2.19-1) unstable; urgency=low
1791
1792 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +0200
1793
1794+apache2 (2.2.17-3ubuntu1) oneiric; urgency=low
1795+
1796+ * Merge from debian unstable. Remaining changes:
1797+ - debian/{control, rules}: Enable PIE hardening.
1798+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1799+ - debian/control: Add bzr tag and point it to our tree
1800+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
1801+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1802+ Plymouth aware passphrase dialog program ask-for-passphrase.
1803+
1804+ -- Chuck Short <zulcss@ubuntu.com> Mon, 11 Apr 2011 02:13:30 +0100
1805+
1806 apache2 (2.2.17-3) unstable; urgency=low
1807
1808 * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
1809@@ -1743,6 +3097,18 @@ apache2 (2.2.17-2) unstable; urgency=high
1810
1811 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +0100
1812
1813+apache2 (2.2.17-1ubuntu1) natty; urgency=low
1814+
1815+ * Merge from debian unstable, remaining changes:
1816+ - debian/{control, rules}: Enable PIE hardening.
1817+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1818+ - debian/control: Add bzr tag and point it to our tree
1819+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
1820+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1821+ Plymouth aware passphrase dialog program ask-for-passphrase.
1822+
1823+ -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Feb 2011 13:02:08 -0500
1824+
1825 apache2 (2.2.17-1) unstable; urgency=low
1826
1827 * New upstream version
1828@@ -1751,6 +3117,32 @@ apache2 (2.2.17-1) unstable; urgency=low
1829
1830 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +0100
1831
1832+apache2 (2.2.16-6ubuntu3) natty; urgency=low
1833+
1834+ * debian/rules: Don't use "-fno-strict-aliasing" since it causes
1835+ apache FTBFS on amd64. (LP: #711293)
1836+
1837+ -- Chuck Short <zulcss@ubuntu.com> Tue, 01 Feb 2011 10:19:55 -0500
1838+
1839+apache2 (2.2.16-6ubuntu2) natty; urgency=low
1840+
1841+ * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug.
1842+ (LP: #697105)
1843+
1844+ -- Chuck Short <zulcss@ubuntu.com> Tue, 25 Jan 2011 11:14:58 -0500
1845+
1846+apache2 (2.2.16-6ubuntu1) natty; urgency=low
1847+
1848+ * Merge from debian unstable. Remaining changes:
1849+ - debian/{control, rules}: Enable PIE hardening.
1850+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1851+ - debian/control: Add bzr tag and point it to our tree
1852+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
1853+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1854+ Plymouth aware passphrase dialog program ask-for-passphrase.
1855+
1856+ -- Chuck Short <zulcss@ubuntu.com> Sun, 02 Jan 2011 06:05:51 +0000
1857+
1858 apache2 (2.2.16-6) unstable; urgency=low
1859
1860 * Also add $named to the secondary-init-script example.
1861@@ -1766,6 +3158,30 @@ apache2 (2.2.16-5) unstable; urgency=medium
1862
1863 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +0100
1864
1865+apache2 (2.2.16-4ubuntu2) natty; urgency=low
1866+
1867+ [Clint Byrum]
1868+ * Adding plymouth aware passphrase dialog program ask-for-passphrase.
1869+ (LP: #582963)
1870+ + debian/control: apache2.2-common depends on bash for ask-for-passphrase
1871+ + debian/config-dir/mods-available/ssl.conf:
1872+ - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase
1873+
1874+ [Chuck Short]
1875+ * Add apport hook. (LP: #609177)
1876+ + debian/apache2.py, debian/apache2.2-common.install
1877+
1878+ -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:43 -0500
1879+
1880+apache2 (2.2.16-4ubuntu1) natty; urgency=low
1881+
1882+ * Merge from debian unstable. Remaining changes:
1883+ - debian/{control, rules}: Enable PIE hardening.
1884+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1885+ - debian/control: Add bzr tag and point it to our tree
1886+
1887+ -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:41 -0500
1888+
1889 apache2 (2.2.16-4) unstable; urgency=medium
1890
1891 * Increase the mod_reqtimeout default timeouts to avoid potential problems
1892@@ -1776,6 +3192,15 @@ apache2 (2.2.16-4) unstable; urgency=medium
1893
1894 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +0100
1895
1896+apache2 (2.2.16-3ubuntu1) natty; urgency=low
1897+
1898+ * Merge from debian unstable. Remaining changes:
1899+ - debian/{control, rules}: Enable PIE hardening.
1900+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1901+ - debian/control: Add bzr tag and point it to our tree.
1902+
1903+ -- Chuck Short <zulcss@ubuntu.com> Tue, 12 Oct 2010 11:54:48 +0100
1904+
1905 apache2 (2.2.16-3) unstable; urgency=high
1906
1907 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
1908@@ -1798,6 +3223,30 @@ apache2 (2.2.16-2) unstable; urgency=low
1909
1910 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +0200
1911
1912+apache2 (2.2.16-1ubuntu3) maverick; urgency=low
1913+
1914+ * Revert "stty sane" to unbreak apache starting, this will have to be
1915+ fixed a different way. (LP: #626723)
1916+
1917+ -- Chuck Short <zulcss@ubuntu.com> Wed, 08 Sep 2010 08:33:17 -0400
1918+
1919+apache2 (2.2.16-1ubuntu2) maverick; urgency=low
1920+
1921+ * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a
1922+ password prompt when using apache-ssl. (LP: #582963)
1923+
1924+ -- Chuck Short <zulcss@ubuntu.com> Wed, 25 Aug 2010 09:25:05 -0400
1925+
1926+apache2 (2.2.16-1ubuntu1) maverick; urgency=low
1927+
1928+ * Merge from debian unstable. Remaining changes:
1929+ - debian/{control, rules}: Enable PIE hardening.
1930+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1931+ - debian/control: Add bzr tag and point it to our tree.
1932+ - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
1933+
1934+ -- Chuck Short <zulcss@ubuntu.com> Mon, 26 Jul 2010 20:21:37 +0100
1935+
1936 apache2 (2.2.16-1) unstable; urgency=medium
1937
1938 * Urgency medium for security fix.
1939@@ -1830,6 +3279,24 @@ apache2 (2.2.15-6) unstable; urgency=low
1940
1941 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +0200
1942
1943+apache2 (2.2.15-5ubuntu1) maverick; urgency=low
1944+
1945+ * Merge from debian unstable. Remaining changes:
1946+ - debian/{control, rules}: Enable PIE hardening.
1947+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1948+ - debian/control: Add bzr tag and point it to our tree.
1949+ - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
1950+ + Dropped:
1951+ - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
1952+ - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
1953+ - debian/config-dir/apache2.conf: Merged back from debian.
1954+ - mod-reqtimeout functionality: Merge back from debian.
1955+ - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
1956+ - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
1957+ - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.
1958+
1959+ -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 01:28:04 +0100
1960+
1961 apache2 (2.2.15-5) unstable; urgency=low
1962
1963 * Conflict with apache package as we now include apachectl. Closes: #579065
1964@@ -1950,6 +3417,80 @@ apache2 (2.2.14-6) unstable; urgency=low
1965
1966 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +0100
1967
1968+apache2 (2.2.14-5ubuntu8) lucid; urgency=low
1969+
1970+ * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
1971+ (LP: #562370)
1972+
1973+ -- Chuck Short <zulcss@ubuntu.com> Tue, 13 Apr 2010 15:09:57 -0400
1974+
1975+apache2 (2.2.14-5ubuntu7) lucid; urgency=low
1976+
1977+ * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
1978+ leaks by making sure to not destroy bucket brigades that have been created
1979+ by earlier filters. Backported from 2.2.15.
1980+ * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
1981+ has reached MaxClients until it has. Backported from 2.2.15
1982+ * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
1983+ more secure by adding Satisfy all. (Debian bug: #572075)
1984+ * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
1985+ debian/config2-dir/mods-available/reqtimeout.load,
1986+ debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the
1987+ mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
1988+ bug in apache. Enable it by default. (LP: #392759)
1989+
1990+ -- Chuck Short <zulcss@ubuntu.com> Mon, 05 Apr 2010 09:53:35 -0400
1991+
1992+apache2 (2.2.14-5ubuntu6) lucid; urgency=low
1993+
1994+ * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)
1995+
1996+ -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 09:41:11 -0400
1997+
1998+apache2 (2.2.14-5ubuntu5) lucid; urgency=low
1999+
2000+ * Revert 99-fix-mod-dav-permissions.dpatch
2001+
2002+ -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 07:55:46 -0400
2003+
2004+apache2 (2.2.14-5ubuntu4) lucid; urgency=low
2005+
2006+ * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when
2007+ downloading files from webdav (LP: #540747)
2008+ * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)
2009+
2010+ -- Chuck Short <zulcss@ubuntu.com> Mon, 29 Mar 2010 13:37:39 -0400
2011+
2012+apache2 (2.2.14-5ubuntu3) lucid; urgency=low
2013+
2014+ * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
2015+ - debian/patches/204_CVE-2010-0408.dpatch: return the right error code
2016+ in modules/proxy/mod_proxy_ajp.c.
2017+ - CVE-2010-0408
2018+ * SECURITY UPDATE: information disclosure via improper handling of
2019+ headers in subrequests
2020+ - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in
2021+ in server/protocol.c.
2022+ - CVE-2010-0434
2023+
2024+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Mar 2010 14:48:48 -0500
2025+
2026+apache2 (2.2.14-5ubuntu2) lucid; urgency=low
2027+
2028+ * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really
2029+ wacky options. (LP: #450501)
2030+
2031+ -- Chuck Short <zulcss@ubuntu.com> Mon, 08 Mar 2010 14:53:17 -0500
2032+
2033+apache2 (2.2.14-5ubuntu1) lucid; urgency=low
2034+
2035+ * Merge from debian testing. Remaining changes: LP: #506862
2036+ - debian/{control, rules}: Enable PIE hardening.
2037+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2038+ - debian/control: Add bzr tag and point it to our tree.
2039+
2040+ -- Bhavani Shankar <right2bhavi@gmail.com> Wed, 13 Jan 2010 14:28:41 +0530
2041+
2042 apache2 (2.2.14-5) unstable; urgency=low
2043
2044 * Security: Further mitigation for the TLS renegotation attack
2045@@ -1973,6 +3514,15 @@ apache2 (2.2.14-5) unstable; urgency=low
2046
2047 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +0100
2048
2049+apache2 (2.2.14-4ubuntu1) lucid; urgency=low
2050+
2051+ * Resynchronzie with Debian, remaining changes are:
2052+ - debian/{control, rules}: Enable PIE hardening.
2053+ - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
2054+ - debian/control: Add bzr tag and point it to our tree.
2055+
2056+ -- Chuck Short <zulcss@ubuntu.com> Wed, 23 Dec 2009 14:44:51 -0500
2057+
2058 apache2 (2.2.14-4) unstable; urgency=low
2059
2060 * Disable localized error pages again by default because they break
2061@@ -2023,6 +3573,17 @@ apache2 (2.2.14-2) unstable; urgency=medium
2062
2063 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +0100
2064
2065+apache2 (2.2.14-1ubuntu1) lucid; urgency=low
2066+
2067+ * Merge from debian testing, remaining changes:
2068+ - debian/{control, rules}: Enable PIE hardening.
2069+ - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
2070+ - debian/conrol: Add bzr tag and point it to our tree.
2071+ - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
2072+ Already applied upstream.
2073+
2074+ -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 00:29:03 +0000
2075+
2076 apache2 (2.2.14-1) unstable; urgency=low
2077
2078 * New upstream version:
2079@@ -2057,6 +3618,24 @@ apache2 (2.2.13-1) unstable; urgency=low
2080
2081 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +0200
2082
2083+apache2 (2.2.12-1ubuntu2) karmic; urgency=low
2084+
2085+ * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
2086+ - Fix potential segfaults with the use of the legacy ap_rputs() etc
2087+ interfaces, in cases where an output filter fails. This happens
2088+ frequently after CVE-2009-1891 got fixed. (LP: #409987)
2089+
2090+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 17 Aug 2009 15:38:47 -0400
2091+
2092+apache2 (2.2.12-1ubuntu1) karmic; urgency=low
2093+
2094+ * Merge from debian unstable, remaining changes:
2095+ - debian/{control,rules}: enable PIE hardening.
2096+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2097+ - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.
2098+
2099+ -- Chuck Short <zulcss@ubuntu.com> Tue, 04 Aug 2009 20:04:24 +0100
2100+
2101 apache2 (2.2.12-1) unstable; urgency=low
2102
2103 * New upstream release:
2104@@ -2104,6 +3683,16 @@ apache2 (2.2.12-1) unstable; urgency=low
2105
2106 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +0200
2107
2108+apache2 (2.2.11-7ubuntu1) karmic; urgency=low
2109+
2110+ * Merge from debian unstable, remaining changes: LP: #398130
2111+ - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
2112+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2113+ - debian/{control,rules}: enable PIE hardening.
2114+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2115+
2116+ -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 11 Jul 2009 16:34:32 +0530
2117+
2118 apache2 (2.2.11-7) unstable; urgency=low
2119
2120 * Security fixes:
2121@@ -2118,6 +3707,16 @@ apache2 (2.2.11-7) unstable; urgency=low
2122
2123 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +0200
2124
2125+apache2 (2.2.11-6ubuntu1) karmic; urgency=low
2126+
2127+ * Merge from debian unstable, remaining changes:
2128+ - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
2129+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2130+ - debian/{control,rules}: enable PIE hardening.
2131+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2132+
2133+ -- Chuck Short <zulcss@ubuntu.com> Tue, 09 Jun 2009 01:01:23 +0100
2134+
2135 apache2 (2.2.11-6) unstable; urgency=high
2136
2137 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
2138@@ -2126,6 +3725,16 @@ apache2 (2.2.11-6) unstable; urgency=high
2139
2140 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +0200
2141
2142+apache2 (2.2.11-5ubuntu1) karmic; urgency=low
2143+
2144+ * Merge from debian unstable, remaining changes:
2145+ - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2146+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2147+ - debian/{control,rules}: enable PIE hardening.
2148+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2149+
2150+ -- Andrew Mitchell <ajmitch@ubuntu.com> Wed, 03 Jun 2009 14:10:54 +1200
2151+
2152 apache2 (2.2.11-5) unstable; urgency=low
2153
2154 * Move all binaries into a new package apache2.2-bin and make
2155@@ -2174,6 +3783,16 @@ apache2 (2.2.11-4) unstable; urgency=low
2156
2157 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +0200
2158
2159+apache2 (2.2.11-3ubuntu1) karmic; urgency=low
2160+
2161+ * Merge from debian unstable, remaining changes:
2162+ - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2163+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2164+ - debian/{control,rules}: enable PIE hardening.
2165+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2166+
2167+ -- Andrew Mitchell <ajmitch@ubuntu.com> Tue, 12 May 2009 16:15:34 +1200
2168+
2169 apache2 (2.2.11-3) unstable; urgency=low
2170
2171 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
2172@@ -2182,6 +3801,21 @@ apache2 (2.2.11-3) unstable; urgency=low
2173
2174 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +0200
2175
2176+apache2 (2.2.11-2ubuntu2) jaunty; urgency=low
2177+
2178+ * debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2179+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2180+
2181+ -- Chuck Short <zulcss@ubuntu.com> Wed, 01 Apr 2009 11:39:17 -0400
2182+
2183+apache2 (2.2.11-2ubuntu1) jaunty; urgency=low
2184+
2185+ * Merge from debian unstable, remaining changes:
2186+ - debian/{contro,rules}: enable PIE hardening.
2187+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2188+
2189+ -- Chuck Short <zulcss@ubuntu.com> Sat, 17 Jan 2009 00:02:55 +0000
2190+
2191 apache2 (2.2.11-2) unstable; urgency=low
2192
2193 * Report an error instead instead of segfaulting when apr_pollset_create
2194@@ -2191,6 +3825,14 @@ apache2 (2.2.11-2) unstable; urgency=low
2195
2196 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +0100
2197
2198+apache2 (2.2.11-1ubuntu1) jaunty; urgency=low
2199+
2200+ * Merge from debian unstable, remaining changes:
2201+ - debian/{control, rules}: enable PIE hardening.
2202+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2203+
2204+ -- Chuck Short <zulcss@ubuntu.com> Mon, 15 Dec 2008 00:06:50 +0000
2205+
2206 apache2 (2.2.11-1) unstable; urgency=low
2207
2208 [Thom May]
2209@@ -2205,6 +3847,14 @@ apache2 (2.2.11-1) unstable; urgency=low
2210
2211 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +0100
2212
2213+apache2 (2.2.9-11ubuntu1) jaunty; urgency=low
2214+
2215+ * Merge from debian unstable, remaining changes: (LP: #303375)
2216+ - debian/{control, rules}: enable PIE hardening.
2217+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2218+
2219+ -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 29 Nov 2008 14:02:31 +0530
2220+
2221 apache2 (2.2.9-11) unstable; urgency=low
2222
2223 * Regression fix from upstream svn for mod_proxy:
2224@@ -2219,6 +3869,14 @@ apache2 (2.2.9-11) unstable; urgency=low
2225
2226 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +0100
2227
2228+apache2 (2.2.9-10ubuntu1) jaunty; urgency=low
2229+
2230+ * Merge from debian unstable, remaining changes:
2231+ - debian/{control, rules}: enable PIE hardening.
2232+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2233+
2234+ -- Chuck Short <zulcss@ubuntu.com> Wed, 05 Nov 2008 02:23:18 -0400
2235+
2236 apache2 (2.2.9-10) unstable; urgency=low
2237
2238 * Regression fix from upstream svn for mod_proxy_http:
2239@@ -2249,6 +3907,27 @@ apache2 (2.2.9-8) unstable; urgency=low
2240
2241 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +0200
2242
2243+apache2 (2.2.9-7ubuntu3) intrepid; urgency=low
2244+
2245+ * Revert logrotate change since it will break it for everyone.
2246+
2247+ -- Chuck Short <zulcss@ubuntu.com> Fri, 19 Sep 2008 09:32:01 -0400
2248+
2249+apache2 (2.2.9-7ubuntu2) intrepid; urgency=low
2250+
2251+ * debian/logrotate: Restart rather than reload for busy websites.
2252+ (LP: #270899)
2253+
2254+ -- Chuck Short <zulcss@ubuntu.com> Thu, 18 Sep 2008 08:42:22 -0400
2255+
2256+apache2 (2.2.9-7ubuntu1) intrepid; urgency=low
2257+
2258+ * Merge from debian unstable, remaining changes:
2259+ - debian/{control,rules}: enable PIE hardening.
2260+ - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles.
2261+
2262+ -- Kees Cook <kees@ubuntu.com> Thu, 28 Aug 2008 08:10:59 -0700
2263+
2264 apache2 (2.2.9-7) unstable; urgency=low
2265
2266 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).
2267@@ -2291,6 +3970,23 @@ apache2 (2.2.9-4) unstable; urgency=low
2268
2269 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +0200
2270
2271+apache2 (2.2.9-3ubuntu2) intrepid; urgency=low
2272+
2273+ * add ufw integration (see
2274+ https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages)
2275+ (LP: #261198)
2276+ - debian/control: suggest ufw for apache2.2-common
2277+ - add apache2.2-common.ufw.profile with 3 profiles and install it to
2278+ /etc/ufw/applications.d/apache2.2-common
2279+
2280+ -- Didier Roche <didrocks@ubuntu-fr.org> Tue, 26 Aug 2008 19:03:42 +0200
2281+
2282+apache2 (2.2.9-3ubuntu1) intrepid; urgency=low
2283+
2284+ * debian/{control,rules}: enable PIE hardening
2285+
2286+ -- Kees Cook <kees@ubuntu.com> Wed, 20 Aug 2008 15:45:00 -0700
2287+
2288 apache2 (2.2.9-3) unstable; urgency=low
2289
2290 [ Stefan Fritsch ]
2291@@ -3861,9 +5557,7 @@ apache2 (2.0.37-1) unstable; urgency=low
2292 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +0100
2293
2294 apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low
2295-
2296 * New upstream release
2297-
2298 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +0100
2299
2300 apache2 (2.0.36-2) unstable; urgency=low
2301@@ -4371,3 +6065,4 @@ apache2 (2.0.18-1) unstable; urgency=low
2302 * Initial Release.
2303
2304 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +1000
2305+
2306diff --git a/debian/control b/debian/control
2307index 11d92ea..a86d804 100644
2308--- a/debian/control
2309+++ b/debian/control
2310@@ -1,5 +1,6 @@
2311 Source: apache2
2312-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
2313+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
2314+XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
2315 Uploaders: Stefan Fritsch <sf@debian.org>,
2316 Arno Töll <arno@debian.org>,
2317 Ondřej Surý <ondrej@debian.org>,
2318@@ -44,7 +45,8 @@ Depends: apache2-bin (= ${binary:Version}),
2319 Recommends: ssl-cert
2320 Suggests: apache2-doc,
2321 apache2-suexec-pristine | apache2-suexec-custom,
2322- www-browser
2323+ www-browser,
2324+ ufw
2325 Pre-Depends: dpkg (>= 1.17.14),
2326 ${misc:Pre-Depends}
2327 Breaks: libapache2-mod-proxy-uwsgi (<< 2.4.33)
2328diff --git a/debian/icons/ubuntu-logo.png b/debian/icons/ubuntu-logo.png
2329new file mode 100644
2330index 0000000..4db2fa1
2331Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ
2332diff --git a/debian/index.html b/debian/index.html
2333index 766401d..96ed444 100644
2334--- a/debian/index.html
2335+++ b/debian/index.html
2336@@ -1,9 +1,14 @@
2337
2338 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2339 <html xmlns="http://www.w3.org/1999/xhtml">
2340+ <!--
2341+ Modified from the Debian original for Ubuntu
2342+ Last updated: 2016-11-16
2343+ See: https://launchpad.net/bugs/1288690
2344+ -->
2345 <head>
2346 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
2347- <title>Apache2 Debian Default Page: It works</title>
2348+ <title>Apache2 Ubuntu Default Page: It works</title>
2349 <style type="text/css" media="screen">
2350 * {
2351 margin: 0px 0px 0px 0px;
2352@@ -188,9 +193,9 @@
2353 <body>
2354 <div class="main_page">
2355 <div class="page_header floating_element">
2356- <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/>
2357+ <img src="/icons/ubuntu-logo.png" alt="Ubuntu Logo" class="floating_element"/>
2358 <span class="floating_element">
2359- Apache2 Debian Default Page
2360+ Apache2 Ubuntu Default Page
2361 </span>
2362 </div>
2363 <!-- <div class="table_of_contents floating_element">
2364@@ -221,7 +226,9 @@
2365 <div class="content_section_text">
2366 <p>
2367 This is the default welcome page used to test the correct
2368- operation of the Apache2 server after installation on Debian systems.
2369+ operation of the Apache2 server after installation on Ubuntu systems.
2370+ It is based on the equivalent page on Debian, from which the Ubuntu Apache
2371+ packaging is derived.
2372 If you can read this page, it means that the Apache HTTP server installed at
2373 this site is working properly. You should <b>replace this file</b> (located at
2374 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.
2375@@ -242,9 +249,9 @@
2376 </div>
2377 <div class="content_section_text">
2378 <p>
2379- Debian's Apache2 default configuration is different from the
2380+ Ubuntu's Apache2 default configuration is different from the
2381 upstream default configuration, and split into several files optimized for
2382- interaction with Debian tools. The configuration system is
2383+ interaction with Ubuntu tools. The configuration system is
2384 <b>fully documented in
2385 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full
2386 documentation. Documentation for the web server itself can be
2387@@ -253,7 +260,7 @@
2388
2389 </p>
2390 <p>
2391- The configuration layout for an Apache2 web server installation on Debian systems is as follows:
2392+ The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:
2393 </p>
2394 <pre>
2395 /etc/apache2/
2396@@ -324,7 +331,7 @@
2397
2398 <div class="content_section_text">
2399 <p>
2400- By default, Debian does not allow access through the web browser to
2401+ By default, Ubuntu does not allow access through the web browser to
2402 <em>any</em> file apart of those located in <tt>/var/www</tt>,
2403 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
2404 directories (when enabled) and <tt>/usr/share</tt> (for web
2405@@ -333,7 +340,7 @@
2406 document root directory in <tt>/etc/apache2/apache2.conf</tt>.
2407 </p>
2408 <p>
2409- The default Debian document root is <tt>/var/www/html</tt>. You
2410+ The default Ubuntu document root is <tt>/var/www/html</tt>. You
2411 can make your own virtual hosts under /var/www. This is different
2412 to previous releases which provides better security out of the box.
2413 </p>
2414@@ -345,9 +352,9 @@
2415 </div>
2416 <div class="content_section_text">
2417 <p>
2418- Please use the <tt>reportbug</tt> tool to report bugs in the
2419- Apache2 package with Debian. However, check <a
2420- href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"
2421+ Please use the <tt>ubuntu-bug</tt> tool to report bugs in the
2422+ Apache2 package with Ubuntu. However, check <a
2423+ href="https://bugs.launchpad.net/ubuntu/+source/apache2"
2424 rel="nofollow">existing bug reports</a> before reporting a new bug.
2425 </p>
2426 <p>
2427diff --git a/debian/perl-framework/t/apache/expr_string.t b/debian/perl-framework/t/apache/expr_string.t
2428index a9115ee..66b0903 100644
2429--- a/debian/perl-framework/t/apache/expr_string.t
2430+++ b/debian/perl-framework/t/apache/expr_string.t
2431@@ -7,6 +7,8 @@ use Apache::TestUtil qw(t_write_file t_start_error_log_watch t_finish_error_log_
2432
2433 use File::Spec;
2434
2435+use Time::HiRes qw(usleep);
2436+
2437 # test ap_expr
2438
2439 Apache::TestRequest::user_agent(keep_alive => 1);
2440@@ -62,6 +64,8 @@ foreach my $t (@test_cases) {
2441 'SomeHeader' => 'SomeValue',
2442 'User-Agent' => 'SomeAgent',
2443 'Referer' => 'SomeReferer');
2444+ ### Sleep here, attempt to avoid intermittent failures. (LP: #1890302)
2445+ usleep(250000);
2446 my @loglines = t_finish_error_log_watch();
2447
2448 my @evalerrors = grep {/(?:internal evaluation error|flex scanner jammed)/i
2449diff --git a/debian/source/include-binaries b/debian/source/include-binaries
2450index d617b1d..823d9c0 100644
2451--- a/debian/source/include-binaries
2452+++ b/debian/source/include-binaries
2453@@ -17,6 +17,7 @@ debian/icons/odf6otp-20x22.png
2454 debian/icons/odf6ots-20x22.png
2455 debian/icons/odf6ott-20x22.png
2456 debian/icons/openlogo-75.png
2457+debian/icons/ubuntu-logo.png
2458 debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml
2459 debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php
2460 debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml
2461diff --git a/debian/tests/check-http2 b/debian/tests/check-http2
2462new file mode 100644
2463index 0000000..6bc9125
2464--- /dev/null
2465+++ b/debian/tests/check-http2
2466@@ -0,0 +1,41 @@
2467+#!/bin/sh
2468+set -uxe
2469+
2470+# http2 is rather new, check that it at least generally works
2471+# Author: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2472+
2473+a2enmod http2
2474+a2enmod ssl
2475+a2ensite default-ssl
2476+# Enable globally
2477+echo "Protocols h2c h2 http/1.1" >> /etc/apache2/apache2.conf
2478+service apache2 restart
2479+
2480+# Use curl here. wget doesn't work on Debian, even with --no-check-certificate
2481+# wget on Debian gives me:
2482+# GnuTLS: A TLS warning alert has been received.
2483+# Unable to establish SSL connection.
2484+# Presumably this is due to the self-signed certificate, but I'm not sure how
2485+# to skip the warning with wget. curl will do for now.
2486+echo "Hello, world!" > /var/www/html/hello.txt
2487+
2488+testapache () {
2489+ cmd="${1}"
2490+ result=$(${cmd})
2491+
2492+ if [ "$result" != "Hello, world!" ]; then
2493+ echo "Unexpected result: ${result}" >&2
2494+ exit 1
2495+ else
2496+ echo OK
2497+ fi
2498+}
2499+
2500+# https shall not affect http
2501+testapache "curl -s -k http://localhost/hello.txt"
2502+# https shall not affect https
2503+testapache "curl -s -k https://localhost/hello.txt"
2504+#plain http2
2505+testapache "nghttp --no-verify-peer https://localhost/hello.txt"
2506+#http2 upgrade
2507+testapache "nghttp -u --no-verify-peer http://localhost/hello.txt"
2508diff --git a/debian/tests/control b/debian/tests/control
2509index be79f60..37ae2ca 100644
2510--- a/debian/tests/control
2511+++ b/debian/tests/control
2512@@ -23,6 +23,10 @@ Tests: ssl-passphrase
2513 Restrictions: needs-root allow-stderr breaks-testbed
2514 Depends: apache2, curl, expect, ssl-cert
2515
2516+Tests: check-http2
2517+Restrictions: needs-root allow-stderr breaks-testbed
2518+Depends: apache2, curl, ssl-cert, nghttp2-client
2519+
2520 Tests: chroot
2521 Features: no-build-needed
2522 Restrictions: needs-root allow-stderr breaks-testbed

Subscribers

People subscribed via source and target branches