Merge ~bryce/ubuntu/+source/apache2:merge-v2.4.51-2-jammy into ubuntu/+source/apache2:debian/sid

Proposed by Bryce Harrington
Status: Merged
Merge reported by: Bryce Harrington
Merged at revision: e249e4c816da6f89181fa734e8f324ed03a10eef
Proposed branch: ~bryce/ubuntu/+source/apache2:merge-v2.4.51-2-jammy
Merge into: ubuntu/+source/apache2:debian/sid
Diff against target: 3625 lines (+2918/-33) (has conflicts)
22 files modified
debian/apache2-bin.install (+1/-0)
debian/apache2-utils.ufw.profile (+14/-0)
debian/apache2.dirs (+1/-0)
debian/apache2.install (+1/-0)
debian/apache2.postrm (+1/-0)
debian/apache2.py (+48/-0)
debian/apache2ctl (+33/-18)
debian/changelog (+1897/-2)
debian/control (+7/-1)
debian/index.html (+19/-12)
debian/patches/series (+13/-0)
debian/patches/support-openssl3-001.patch (+88/-0)
debian/patches/support-openssl3-002.patch (+345/-0)
debian/patches/support-openssl3-003.patch (+48/-0)
debian/patches/support-openssl3-004.patch (+56/-0)
debian/patches/support-openssl3-005.patch (+121/-0)
debian/patches/support-openssl3-006.patch (+33/-0)
debian/patches/support-openssl3-007.patch (+72/-0)
debian/patches/support-openssl3-008.patch (+29/-0)
debian/patches/support-openssl3-009.patch (+36/-0)
debian/patches/support-openssl3-010.patch (+54/-0)
debian/source/include-binaries (+1/-0)
Conflict in debian/changelog
Conflict in debian/control
Conflict in debian/patches/series
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
Christian Ehrhardt  (community) Needs Fixing
git-ubuntu import Pending
Review via email: mp+412730@code.launchpad.net

Description of the change

Bunch of CVEs drop with this merge, but the remaining delta stays with us. The openssl3 changes are still valid for this release, but originated from upstream so will eventually be droppable.

With this merge, we also revert the graceful sru/fix for systemd as was recently done for other releases.

Autopgktests passed locally. I'll queue up PPA tests once the PPA has finished building.

PPA: https://launchpad.net/~bryce/+archive/ubuntu/apache2-merge-v2.4.51-2

Usual tags pushed for review:

- tags/old/debian 517f14a34
- tags/new/debian 826e1a24b
- tags/old/ubuntu 2317e7e30
- tags/logical/2.4.48-3.1ubuntu4 ca88b20c2
- tags/reconstruct/2.4.48-3.1ubuntu4 1b5106881
- tags/split/2.4.48-3.1ubuntu4 9a6855775

To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

This is still marked WIP, is it ready for review @bryce?

Revision history for this message
Bryce Harrington (bryce) wrote :

Yep, it's ready for review.

It was in WIP since I was waiting on some PPA tests to complete:

https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-bryce-apache2-merge-v2.4.51-2/jammy/s390x/a/apache2/20211203_075202_4dd22@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-bryce-apache2-merge-v2.4.51-2/jammy/ppc64el/a/apache2/20211203_075304_4dd22@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-bryce-apache2-merge-v2.4.51-2/jammy/armhf/a/apache2/20211203_082509_37178@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-bryce-apache2-merge-v2.4.51-2/jammy/arm64/a/apache2/20211203_082428_b9dbe@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-bryce-apache2-merge-v2.4.51-2/jammy/amd64/a/apache2/20211203_080400_7eeb0@/log.gz

Results for amd64:
autopkgtest [08:03:33]: test chroot: - - - - - - - - - - results - - - - - - - - - -
chroot PASS
autopkgtest [08:03:33]: @@@@@@@@@@@@@@@@@@@@ summary
run-test-suite PASS
duplicate-module-load PASS
htcacheclean PASS
default-mods PASS
ssl-passphrase PASS
check-http2 PASS
chroot PASS

(Oddly, lp-test-ppa reports these test logs as "Broken Test Log" which seems weird but I'm seeing no evidence of actual problems so wonder if that might just be a glitch in lp-test-ppa.)

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

For the test logs, it runs into:
  'utf-8' codec can't decode byte 0xa0 in position 1404450: invalid start byte

Firefox, Chroma and gunzip can extract it well.
But it isn't the extraction, but the following UTF convert anyway.

That is reproducible fetching the the log file and running:
import gzip
with gzip.open("log.gz") as f:
    f.read().decode("utf-8")

UnicodeDecodeError: 'utf-8' codec can't decode byte 0xa0 in position 1404450: invalid start byte

00156E18 6E 48 6F 73 74 3A 20 61 62 63 A0 5C 72 5C 6E 5C 72 5C 6E 0A 23 20 65 78 70 65 63 74 69 6E 67 20 32 30 30 2C 20 67 6F 74 nHost: abc.\r\n\r\n.# expecting 200, got

Terminal/Vim renders that as a "." but the usual "." isn't A0 but 0A.

Type is reported as UTF-8
log-unp: UTF-8 Unicode text, with very long lines, with CRLF, CR, LF line terminators

It isn't the python code that is wrong, other tools agree

$ iconv -f UTF-8 log-unp -o /dev/null
iconv: illegal input sequence at position 1404450

So maybe we should make our tool more tolerant as well.
Using errors="replace" makes this work much better.

The other decodes shall stay strict IMHO.

Pushed to the tools repo

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

And with that I can confirm test results are indeed good.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I think there is an issue in 5df3515d42

Somehow when applying the delta we reverted some of the Debian changes.
Salsa commit c91b4db1e91a9b6d5a66d132740830b6310c3263 has:

@@ -45,16 +45,13 @@ Recommends: ssl-cert
 Suggests: apache2-doc,
           apache2-suexec-pristine | apache2-suexec-custom,
           www-browser
-Pre-Depends: dpkg (>= 1.17.14),
- ${misc:Pre-Depends}
-Breaks: libapache2-mod-proxy-uwsgi (<< 2.4.33)
+Pre-Depends: ${misc:Pre-Depends}

But we now undo that in 5df3515d42

I think that is a bad rebase and needs fixup

(Shown by range-diff)

review: Needs Fixing
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

The Revert of "systemd for graceful" should still be listed under "Dropped" IMHO.
And the good statement "This introduced a performance regression." maybe in [] as we usually do it when quoting reasons for drops.

I see what you wanted with the revert, but IMHO it confuses (at least me)

review: Needs Fixing
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

The new
952c00489a - d/apache2ctl: Also use /run/systemd to check for systemd usage (LP: 1918209)

Has become a single whitespace change, that seems wrong.
I think you can remove the commit and mention it in the changelog to be dropped.

Or we need to fully add it again.

Looking at the new apache2ctl it is now a variable instead of a function, but in Docker still might yield false results. So I assume you need adapt that to match and then send it to Debian.

Or if OTOH this isn't needed anymore with the revert of the graceful changes mention that and fully drop it.

review: Needs Fixing
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Ack to the Drop of the CVEs, they are present in Debian.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

An unimportant improvement in changelog/commit message:
  "failure to load when using OpenSSL 3. (LP #1951476)"
has a double space

In general I see some use double space (also 1288690) and others do not.
Maybe on this merge&rebase unify commit messages and changelog to eiter one?

2257354... by Bryce Harrington

merge-changelogs

e249e4c... by Bryce Harrington

reconstruct-changelog

Revision history for this message
Bryce Harrington (bryce) wrote :

Thank you for the thorough review comments, sorry took so long to get back to it (so many distractions!) Anyway, I agree with all your suggestions, have made all the changes, and am pushing the updated branch here for re-review. Thanks again!

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm taking a look

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Looks good

review: Approve
Revision history for this message
Bryce Harrington (bryce) wrote :

Thanks, uploaded.

$ grep "^Vcs-Git" *source.changes
Vcs-Git: https://git.launchpad.net/~bryce/ubuntu/+source/apache2
Vcs-Git-Commit: e249e4c816da6f89181fa734e8f324ed03a10eef
Vcs-Git-Ref: refs/heads/merge-v2.4.51-2-jammy

$ dput ubuntu apache2_2.4.51-2ubuntu1_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: /home/bryce/pkg/Apache2/merge-v2.4.51-2/apache2_2.4.51-2ubuntu1_source.changes: Valid signature from E603B2578FB8F0FB
Checking signature on .dsc
gpg: /home/bryce/pkg/Apache2/merge-v2.4.51-2/apache2_2.4.51-2ubuntu1.dsc: Valid signature from E603B2578FB8F0FB
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.51-2ubuntu1.dsc: done.
  Uploading apache2_2.4.51.orig.tar.gz: done.
  Uploading apache2_2.4.51-2ubuntu1.debian.tar.xz: done.
  Uploading apache2_2.4.51-2ubuntu1_source.buildinfo: done.
  Uploading apache2_2.4.51-2ubuntu1_source.changes: done.
Successfully uploaded packages.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This migrated, please mark as "merged" when able.

Revision history for this message
Bryce Harrington (bryce) wrote :

Done, thanks!

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/apache2-bin.install b/debian/apache2-bin.install
2index 63c573f..3d1bdf1 100644
3--- a/debian/apache2-bin.install
4+++ b/debian/apache2-bin.install
5@@ -1,2 +1,3 @@
6 /usr/lib/apache2/modules/
7 /usr/sbin/apache2
8+debian/apache2.py usr/share/apport/package-hooks
9diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile
10new file mode 100644
11index 0000000..974a655
12--- /dev/null
13+++ b/debian/apache2-utils.ufw.profile
14@@ -0,0 +1,14 @@
15+[Apache]
16+title=Web Server
17+description=Apache v2 is the next generation of the omnipresent Apache web server.
18+ports=80/tcp
19+
20+[Apache Secure]
21+title=Web Server (HTTPS)
22+description=Apache v2 is the next generation of the omnipresent Apache web server.
23+ports=443/tcp
24+
25+[Apache Full]
26+title=Web Server (HTTP,HTTPS)
27+description=Apache v2 is the next generation of the omnipresent Apache web server.
28+ports=80,443/tcp
29diff --git a/debian/apache2.dirs b/debian/apache2.dirs
30index 6089013..1aa6d3c 100644
31--- a/debian/apache2.dirs
32+++ b/debian/apache2.dirs
33@@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk
34 var/lib/apache2
35 var/log/apache2
36 var/www/html
37+/etc/ufw/applications.d/apache2
38diff --git a/debian/apache2.install b/debian/apache2.install
39index b6ad789..92865fc 100644
40--- a/debian/apache2.install
41+++ b/debian/apache2.install
42@@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2
43 debian/config-dir/envvars /etc/apache2
44 debian/config-dir/magic /etc/apache2
45 debian/debhelper/apache2-maintscript-helper /usr/share/apache2/
46+debian/apache2-utils.ufw.profile /etc/ufw/applications.d/
47diff --git a/debian/apache2.postrm b/debian/apache2.postrm
48index a68583c..b0e5d7b 100644
49--- a/debian/apache2.postrm
50+++ b/debian/apache2.postrm
51@@ -33,6 +33,7 @@ is_default_index_html () {
52 776221a94e5a174dc2396c0f3f6b6a74
53 c481228d439cbb54bdcedbaec5bbb11a
54 e2620d4a5a0f8d80dd4b16de59af981f
55+ 3526531ccd6c6a1d2340574a305a18f8
56 EOF
57 }
58
59diff --git a/debian/apache2.py b/debian/apache2.py
60new file mode 100644
61index 0000000..a9fb9d8
62--- /dev/null
63+++ b/debian/apache2.py
64@@ -0,0 +1,48 @@
65+#!/usr/bin/python
66+
67+'''apport hook for apache2
68+
69+(c) 2010 Adam Sommer.
70+Author: Adam Sommer <asommer@ubuntu.com>
71+
72+This program is free software; you can redistribute it and/or modify it
73+under the terms of the GNU General Public License as published by the
74+Free Software Foundation; either version 2 of the License, or (at your
75+option) any later version. See http://www.gnu.org/copyleft/gpl.html for
76+the full text of the license.
77+'''
78+
79+from apport.hookutils import *
80+import os
81+
82+SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/'
83+
84+def add_info(report, ui):
85+ if os.path.isdir(SITES_ENABLED_DIR):
86+ response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory "
87+ "may help developers diagnose your bug more "
88+ "quickly. However, it may contain sensitive "
89+ "information. Do you want to include it in your "
90+ "bug report?")
91+
92+ if response == None: # user cancelled
93+ raise StopIteration
94+
95+ elif response == True:
96+ # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d
97+ for conf_file in os.listdir(SITES_ENABLED_DIR):
98+ attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file)
99+
100+ try:
101+ report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d'))
102+ except OSError:
103+ report['Apache2ConfdDirListing'] = str(False)
104+
105+ # Attach default config files if changed.
106+ attach_conffiles(report, 'apache2', conffiles=None)
107+
108+ # Attach the error.log file.
109+ attach_file(report, '/var/log/apache2/error.log', key='error.log')
110+
111+ # Get loaded modules.
112+ report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES'])
113diff --git a/debian/apache2ctl b/debian/apache2ctl
114index 404b9f9..02f3bca 100755
115--- a/debian/apache2ctl
116+++ b/debian/apache2ctl
117@@ -143,6 +143,21 @@ mkdir_chown () {
118 fi
119 }
120
121+need_systemd () {
122+ # Detect if systemd is in use and should be used for managing
123+ # the Apache2 httpd service. Returns 0 if so, 1 otherwise.
124+ if [ -z "${APACHE_STARTED_BY_SYSTEMD}" ]; then
125+ case "$(readlink -f /proc/1/exe)" in
126+ *systemd*)
127+ return 0
128+ ;;
129+ esac
130+ # With Docker, /proc/1 is not necessarily an init system,
131+ # so fallback to checking in /run.
132+ [ -d /run/systemd/system ]
133+ fi
134+ return 1
135+}
136
137 [ ! -d ${APACHE_RUN_DIR:-/var/run/apache2} ] && mkdir -p ${APACHE_RUN_DIR:-/var/run/apache2}
138 [ ! -d ${APACHE_LOCK_DIR:-/var/lock/apache2} ] && mkdir_chown ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2}
139@@ -153,38 +168,38 @@ start)
140 # (this is bad if there are several apache2 instances running)
141 rm -f ${APACHE_RUN_DIR:-/var/run/apache2}/*ssl_scache*
142
143- need_systemd=false
144- if [ -z "$APACHE_STARTED_BY_SYSTEMD" ] ; then
145- case "$(readlink -f /proc/1/exe)" in
146- *systemd*)
147- need_systemd=true
148- ;;
149- *)
150- ;;
151- esac
152- fi
153- if $need_systemd ; then
154+ if need_systemd; then
155 # If running on systemd we should not start httpd without systemd
156 # or systemd will get confused about the status of httpd.
157- echo "Invoking 'systemctl start $APACHE_SYSTEMD_SERVICE'."
158- echo "Use 'systemctl status $APACHE_SYSTEMD_SERVICE' for more info."
159- systemctl start "$APACHE_SYSTEMD_SERVICE"
160+ echo "Invoking 'systemctl start ${APACHE_SYSTEMD_SERVICE}'."
161+ echo "Use 'systemctl status ${APACHE_SYSTEMD_SERVICE}' for more info."
162+ systemctl start "${APACHE_SYSTEMD_SERVICE}"
163 else
164 unset APACHE_STARTED_BY_SYSTEMD
165- $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV"
166+ ${HTTPD} ${APACHE_ARGUMENTS} -k "${ARGV}"
167 fi
168
169 ERROR=$?
170 ;;
171 stop|graceful-stop)
172- $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV"
173+ ${HTTPD} ${APACHE_ARGUMENTS} -k "$ARGV"
174 ERROR=$?
175 ;;
176 restart|graceful)
177 if $HTTPD ${APACHE_ARGUMENTS} -t 2> /dev/null ; then
178- $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV"
179+ if need_systemd; then
180+ # If running on systemd we should not directly restart httpd since
181+ # systemd would be confused about httpd's status.
182+ # (See LP: #1832182)
183+ echo "Invoking 'systemctl restart ${APACHE_SYSTEMD_SERVICE}'."
184+ echo "Use 'systemctl status ${APACHE_SYSTEMD_SERVICE}' for more info."
185+ systemctl restart "${APACHE_SYSTEMD_SERVICE}"
186+ else
187+ unset APACHE_STARTED_BY_SYSTEMD
188+ ${HTTPD} ${APACHE_ARGUMENTS} -k "${ARGV}"
189+ fi
190 else
191- $HTTPD ${APACHE_ARGUMENTS} -t
192+ ${HTTPD} ${APACHE_ARGUMENTS} -t
193 fi
194 ERROR=$?
195 ;;
196diff --git a/debian/changelog b/debian/changelog
197index 2a8d158..a17c195 100644
198--- a/debian/changelog
199+++ b/debian/changelog
200@@ -1,3 +1,60 @@
201+<<<<<<< debian/changelog
202+=======
203+apache2 (2.4.51-2ubuntu1) jammy; urgency=medium
204+
205+ * Merge with Debian unstable. Remaining changes:
206+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
207+ apache2.dirs}: Add ufw profiles.
208+ (LP 261198)
209+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
210+ (LP 609177)
211+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
212+ d/s/include-binaries: replace Debian with Ubuntu on default
213+ page and add Ubuntu icon file.
214+ (LP 1288690)
215+ - d/p/support-openssl3-*.patch: Backport various patches from
216+ https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
217+ failure to load when using OpenSSL 3.
218+ (LP #1951476)
219+ * Dropped:
220+ - d/apache2ctl: Also use systemd for graceful if it is in use.
221+ (LP: 1832182)
222+ [This introduced a performance regression.]
223+ - d/apache2ctl: Also use /run/systemd to check for systemd usage.
224+ (LP 1918209)
225+ [Not needed]
226+ - debian/patches/CVE-2021-33193.patch: refactor request parsing in
227+ include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
228+ include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
229+ server/core_filters.c, server/protocol.c, server/vhost.c.
230+ [Fixed in 2.4.48-4]
231+ - debian/patches/CVE-2021-34798.patch: add NULL check in
232+ server/scoreboard.c.
233+ [Fixed in 2.4.49-1]
234+ - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
235+ generic worker in modules/proxy/mod_proxy_uwsgi.c.
236+ [Fixed in 2.4.49-1]
237+ - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
238+ substitution logic in server/util.c.
239+ [Fixed in 2.4.49-1]
240+ - arbitrary origin server via crafted request uri-path
241+ + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
242+ parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
243+ modules/proxy/proxy_util.c.
244+ + debian/patches/CVE-2021-40438.patch: add sanity checks on the
245+ configured UDS path in modules/proxy/proxy_util.c.
246+ [Fixed in 2.4.49-3]
247+ - SECURITY REGRESSION: Issues in UDS URIs. (LP #1945311)
248+ + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
249+ rules in modules/mappers/mod_rewrite.c.
250+ + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
251+ hostname in modules/mappers/mod_rewrite.c,
252+ modules/proxy/proxy_util.c.
253+ [Fixed in 2.4.49-3]
254+
255+ -- Bryce Harrington <bryce@canonical.com> Thu, 16 Dec 2021 14:09:26 -0800
256+
257+>>>>>>> debian/changelog
258 apache2 (2.4.51-2) unstable; urgency=medium
259
260 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting parameters
261@@ -61,6 +118,77 @@ apache2 (2.4.48-4) unstable; urgency=medium
262
263 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200
264
265+<<<<<<< debian/changelog
266+=======
267+apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium
268+
269+ * d/p/support-openssl3-*.patch: Backport various patches from
270+ https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
271+ failure to load when using OpenSSL 3. (LP: #1951476)
272+
273+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 26 Nov 2021 16:07:56 -0500
274+
275+apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
276+
277+ * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
278+ - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
279+ rules in modules/mappers/mod_rewrite.c.
280+ - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
281+ hostname in modules/mappers/mod_rewrite.c,
282+ modules/proxy/proxy_util.c.
283+
284+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Sep 2021 08:52:26 -0400
285+
286+apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium
287+
288+ * SECURITY UPDATE: request splitting over HTTP/2
289+ - debian/patches/CVE-2021-33193.patch: refactor request parsing in
290+ include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
291+ include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
292+ server/core_filters.c, server/protocol.c, server/vhost.c.
293+ - CVE-2021-33193
294+ * SECURITY UPDATE: NULL deref via malformed requests
295+ - debian/patches/CVE-2021-34798.patch: add NULL check in
296+ server/scoreboard.c.
297+ - CVE-2021-34798
298+ * SECURITY UPDATE: DoS in mod_proxy_uwsgi
299+ - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
300+ generic worker in modules/proxy/mod_proxy_uwsgi.c.
301+ - CVE-2021-36160
302+ * SECURITY UPDATE: buffer overflow in ap_escape_quotes
303+ - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
304+ substitution logic in server/util.c.
305+ - CVE-2021-39275
306+ * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
307+ - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
308+ parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
309+ modules/proxy/proxy_util.c.
310+ - debian/patches/CVE-2021-40438.patch: add sanity checks on the
311+ configured UDS path in modules/proxy/proxy_util.c.
312+ - CVE-2021-40438
313+
314+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Sep 2021 12:51:16 -0400
315+
316+apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium
317+
318+ * Merge with Debian unstable. Remaining changes:
319+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
320+ apache2.dirs}: Add ufw profiles. (LP 261198)
321+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
322+ (LP 609177)
323+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
324+ d/s/include-binaries: replace Debian with Ubuntu on default
325+ page and add Ubuntu icon file. (LP 1288690)
326+ - d/apache2ctl: Also use systemd for graceful if it is in use.
327+ This extends an earlier fix for the start command to behave
328+ similarly for restart / graceful. Fixes service failures on
329+ unattended upgrade. (LP 1832182)
330+ - d/apache2ctl: Also use /run/systemd to check for systemd usage
331+ (LP 1918209)
332+
333+ -- Bryce Harrington <bryce@canonical.com> Wed, 11 Aug 2021 20:03:24 -0700
334+
335+>>>>>>> debian/changelog
336 apache2 (2.4.48-3.1) unstable; urgency=medium
337
338 * Non-maintainer upload.
339@@ -69,6 +197,46 @@ apache2 (2.4.48-3.1) unstable; urgency=medium
340
341 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200
342
343+apache2 (2.4.48-3ubuntu1) impish; urgency=medium
344+
345+ * Merge with Debian unstable. Remaining changes:
346+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
347+ apache2.dirs}: Add ufw profiles. (LP: 261198)
348+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
349+ (LP: 609177)
350+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
351+ d/s/include-binaries: replace Debian with Ubuntu on default
352+ page and add Ubuntu icon file. (LP: 1288690)
353+ - d/apache2ctl: Also use systemd for graceful if it is in use.
354+ This extends an earlier fix for the start command to behave
355+ similarly for restart / graceful. Fixes service failures on
356+ unattended upgrade. (LP: 1832182)
357+ - d/apache2ctl: Also use /run/systemd to check for systemd usage
358+ (LP: 1918209)
359+ * Dropped:
360+ - d/t/control, d/t/check-http2: add basic test for http2 support
361+ [Fixed in 2.4.48-2]
362+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
363+ [Fixed in 2.4.48-1]
364+ - d/p/CVE-2020-13950.patch: don't dereference NULL proxy
365+ connection in modules/proxy/mod_proxy_http.c.
366+ [Fixed in 2.4.48 upstream]
367+ - d/p/CVE-2020-35452.patch: fast validation of the nonce's
368+ base64 to fail early if the format can't match anyway in
369+ modules/aaa/mod_auth_digest.c.
370+ [Fixed in 2.4.48 upstream]
371+ - d/p/CVE-2021-26690.patch: save one apr_strtok() in
372+ session_identity_decode() in modules/session/mod_session.c.
373+ [Fixed in 2.4.48 upstream]
374+ - d/p/CVE-2021-26691.patch: account for the '&' in
375+ identity_concat() in modules/session/mod_session.c.
376+ [Fixed in 2.4.48 upstream]
377+ - d/p/CVE-2021-30641.patch: change default behavior in
378+ server/request.c.
379+ [Fixed in 2.4.48 upstream]
380+
381+ -- Bryce Harrington <bryce@canonical.com> Thu, 08 Jul 2021 03:20:46 +0000
382+
383 apache2 (2.4.48-3) unstable; urgency=medium
384
385 * Fix debian/changelog
386@@ -125,6 +293,65 @@ apache2 (2.4.46-5) unstable; urgency=medium
387
388 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200
389
390+apache2 (2.4.46-4ubuntu3) impish; urgency=medium
391+
392+ * No-change rebuild due to OpenLDAP soname bump.
393+
394+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 17:43:48 -0400
395+
396+apache2 (2.4.46-4ubuntu2) impish; urgency=medium
397+
398+ * SECURITY UPDATE: mod_proxy_http denial of service.
399+ - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
400+ connection in modules/proxy/mod_proxy_http.c.
401+ - CVE-2020-13950
402+ * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
403+ - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
404+ base64 to fail early if the format can't match anyway in
405+ modules/aaa/mod_auth_digest.c.
406+ - CVE-2020-35452
407+ * SECURITY UPDATE: DoS via cookie header in mod_session
408+ - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
409+ session_identity_decode() in modules/session/mod_session.c.
410+ - CVE-2021-26690
411+ * SECURITY UPDATE: heap overflow via SessionHeader
412+ - debian/patches/CVE-2021-26691.patch: account for the '&' in
413+ identity_concat() in modules/session/mod_session.c.
414+ - CVE-2021-26691
415+ * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
416+ - debian/patches/CVE-2021-30641.patch: change default behavior in
417+ server/request.c.
418+ - CVE-2021-30641
419+
420+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Jun 2021 13:09:41 -0400
421+
422+apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium
423+
424+ * Merge with Debian unstable, to allow moving from lua5.2 to
425+ lua5.3 (LP: #1910372). Remaining changes:
426+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
427+ apache2.dirs}: Add ufw profiles.
428+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
429+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
430+ Debian with Ubuntu on default page.
431+ + d/source/include-binaries: add Ubuntu icon file
432+ - d/t/control, d/t/check-http2: add basic test for http2 support
433+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
434+ issue reading error log too quickly after request, by adding a sleep.
435+ (LP #1890302)
436+ - d/apache2ctl: Also use systemd for graceful if it is in use.
437+ This extends an earlier fix for the start command to behave
438+ similarly for restart / graceful. Fixes service failures on
439+ unattended upgrade.
440+ * Drop:
441+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
442+ was re-added by mistake in 2.4.41-1 (Closes #921024)
443+ [Included in Debian 2.4.46-3]
444+ * d/apache2ctl: Also use /run/systemd to check for systemd usage
445+ (LP: #1918209)
446+
447+ -- Bryce Harrington <bryce@canonical.com> Tue, 09 Mar 2021 00:45:35 +0000
448+
449 apache2 (2.4.46-4) unstable; urgency=medium
450
451 * Ignore other random another test failures (Closes: #979664)
452@@ -142,6 +369,28 @@ apache2 (2.4.46-3) unstable; urgency=medium
453
454 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100
455
456+apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium
457+
458+ * Merge with Debian unstable. Remaining changes:
459+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
460+ apache2.dirs}: Add ufw profiles.
461+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
462+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
463+ Debian with Ubuntu on default page.
464+ + d/source/include-binaries: add Ubuntu icon file
465+ - d/t/control, d/t/check-http2: add basic test for http2 support
466+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
467+ was re-added by mistake in 2.4.41-1 (Closes #921024)
468+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
469+ issue reading error log too quickly after request, by adding a sleep.
470+ (LP #1890302)
471+ - d/apache2ctl: Also use systemd for graceful if it is in use.
472+ This extends an earlier fix for the start command to behave
473+ similarly for restart / graceful. Fixes service failures on
474+ unattended upgrade.
475+
476+ -- Paride Legovini <paride.legovini@canonical.com> Mon, 14 Dec 2020 18:12:15 +0100
477+
478 apache2 (2.4.46-2) unstable; urgency=medium
479
480 [ Jean-Michel Vourgère ]
481@@ -163,6 +412,39 @@ apache2 (2.4.46-2) unstable; urgency=medium
482
483 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100
484
485+apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium
486+
487+ * d/apache2ctl: Also use systemd for graceful if it is in use.
488+ (LP: #1832182)
489+ - This extends an earlier fix for the start command to behave
490+ similarly for restart / graceful. Fixes service failures on
491+ unattended upgrade.
492+
493+ -- Bryce Harrington <bryce@canonical.com> Mon, 05 Oct 2020 16:06:32 -0700
494+
495+apache2 (2.4.46-1ubuntu1) groovy; urgency=medium
496+
497+ * Merge with Debian unstable. Remaining changes:
498+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
499+ apache2.dirs}: Add ufw profiles.
500+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
501+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
502+ Debian with Ubuntu on default page.
503+ + d/source/include-binaries: add Ubuntu icon file
504+ - d/t/control, d/t/check-http2: add basic test for http2 support
505+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
506+ was re-added by mistake in 2.4.41-1 (Closes #921024)
507+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
508+ issue reading error log too quickly after request, by adding a sleep.
509+ (LP #1890302)
510+ * Dropped:
511+ - debian/patches/086_svn_cross_compiles: Backport several cross
512+ fixes from upstream
513+ [Unclear if it's still necessary, and upstream hasn't made a
514+ release with it yet]
515+
516+ -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Aug 2020 09:13:38 -0300
517+
518 apache2 (2.4.46-1) unstable; urgency=medium
519
520 [ Xavier Guimard ]
521@@ -179,6 +461,39 @@ apache2 (2.4.46-1) unstable; urgency=medium
522
523 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200
524
525+apache2 (2.4.43-1ubuntu2) groovy; urgency=medium
526+
527+ * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
528+ issue reading error log too quickly after request, by adding a sleep.
529+ (LP: #1890302)
530+
531+ -- Bryce Harrington <bryce@canonical.com> Wed, 05 Aug 2020 12:44:59 -0700
532+
533+apache2 (2.4.43-1ubuntu1) groovy; urgency=medium
534+
535+ * Merge with Debian unstable. Remaining changes:
536+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
537+ apache2.dirs}: Add ufw profiles.
538+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
539+ - debian/patches/086_svn_cross_compiles: Backport several cross
540+ fixes from upstream
541+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
542+ Debian with Ubuntu on default page.
543+ + d/source/include-binaries: add Ubuntu icon file
544+ - d/t/control, d/t/check-http2: add basic test for http2 support
545+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
546+ was re-added by mistake in 2.4.41-1 (Closes #921024)
547+ * Dropped:
548+ - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
549+ parameter to mod_proxy_ajp (LP #1865340)
550+ [Fixed upstream]
551+ - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
552+ mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
553+ Closes #955348, LP #1872478
554+ [In 2.4.43-1]
555+
556+ -- Andreas Hasenack <andreas@canonical.com> Tue, 21 Jul 2020 10:22:42 -0300
557+
558 apache2 (2.4.43-1) unstable; urgency=medium
559
560 [ Timo Aaltonen ]
561@@ -206,6 +521,39 @@ apache2 (2.4.41-5) unstable; urgency=medium
562
563 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100
564
565+apache2 (2.4.41-4ubuntu3) focal; urgency=medium
566+
567+ [ Timo Aaltonen ]
568+ * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
569+ mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
570+ Closes: #955348, LP: #1872478
571+
572+ -- Andreas Hasenack <andreas@canonical.com> Mon, 13 Apr 2020 14:19:17 -0300
573+
574+apache2 (2.4.41-4ubuntu2) focal; urgency=medium
575+
576+ * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
577+ parameter to mod_proxy_ajp (LP: #1865340)
578+
579+ -- Andreas Hasenack <andreas@canonical.com> Thu, 05 Mar 2020 15:51:00 -0300
580+
581+apache2 (2.4.41-4ubuntu1) focal; urgency=medium
582+
583+ * Merge with Debian unstable. Remaining changes:
584+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
585+ apache2.dirs}: Add ufw profiles.
586+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
587+ - debian/patches/086_svn_cross_compiles: Backport several cross
588+ fixes from upstream
589+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
590+ Debian with Ubuntu on default page.
591+ + d/source/include-binaries: add Ubuntu icon file
592+ - d/t/control, d/t/check-http2: add basic test for http2 support
593+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
594+ was re-added by mistake in 2.4.41-1 (Closes #921024)
595+
596+ -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 10:36:13 -0300
597+
598 apache2 (2.4.41-4) unstable; urgency=medium
599
600 * Add gcc in chroot autopkgtest (fixes debci)
601@@ -230,6 +578,41 @@ apache2 (2.4.41-2) unstable; urgency=medium
602
603 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100
604
605+apache2 (2.4.41-1ubuntu1) eoan; urgency=medium
606+
607+ * Merge with Debian unstable. Remaining changes:
608+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
609+ apache2.dirs}: Add ufw profiles.
610+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
611+ - debian/patches/086_svn_cross_compiles: Backport several cross
612+ fixes from upstream
613+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
614+ Debian with Ubuntu on default page.
615+ + d/source/include-binaries: add Ubuntu icon file
616+ - d/t/control, d/t/check-http2: add basic test for http2 support
617+ * Dropped:
618+ - Cherrypick upstream testsuite fix:
619+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
620+ as such).
621+ + Similarly use TLSv1.2 for pr12355 and pr43738.
622+ [Test suite updated in 2.4.41-1]
623+ - Cherrypick upstream test suite fix for buffer.
624+ [Included in 2.4.41-1]
625+ - d/p/spelling-errors.patch: removed hunks already fixed upstream
626+ [Included in 2.4.39-1]
627+ - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
628+ + d/p/CVE-2019-0196.patch
629+ + d/p/CVE-2019-0211.patch
630+ + d/p/CVE-2019-0215.patch
631+ + d/p/CVE-2019-0217.patch
632+ + d/p/CVE-2019-0220-*.patch
633+ + d/p/CVE-2019-0197.patch
634+ * Added:
635+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
636+ was re-added by mistake in 2.4.41-1 (Closes: #921024)
637+
638+ -- Andreas Hasenack <andreas@canonical.com> Wed, 14 Aug 2019 11:36:32 -0300
639+
640 apache2 (2.4.41-1) unstable; urgency=medium
641
642 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,
643@@ -262,6 +645,62 @@ apache2 (2.4.39-1) unstable; urgency=medium
644
645 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200
646
647+apache2 (2.4.39-0ubuntu1) eoan; urgency=medium
648+
649+ * New upstream version: 2.4.39
650+ * d/p/spelling-errors.patch: removed hunks already fixed upstream
651+ * Remaining changes:
652+ - Cherrypick upstream test suite fix for buffer.
653+ - Cherrypick upstream testsuite fix:
654+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
655+ as such).
656+ - Similarly use TLSv1.2 for pr12355 and pr43738.
657+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
658+ apache2.dirs}: Add ufw profiles.
659+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
660+ - debian/patches/086_svn_cross_compiles: Backport several cross
661+ fixes from upstream
662+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
663+ Debian with Ubuntu on default page.
664+ + d/source/include-binaries: add Ubuntu icon file
665+ - d/t/control, d/t/check-http2: add basic test for http2 support
666+ * Dropped patches (fixed upstream):
667+ - d/p/CVE-2019-0196.patch
668+ - d/p/CVE-2019-0211.patch
669+ - d/p/CVE-2019-0215.patch
670+ - d/p/CVE-2019-0217.patch
671+ - d/p/CVE-2019-0220-*.patch
672+ - d/p/CVE-2019-0197.patch
673+
674+ -- Andreas Hasenack <andreas@canonical.com> Mon, 05 Aug 2019 18:09:08 -0300
675+
676+apache2 (2.4.38-3ubuntu2) eoan; urgency=medium
677+
678+ * Cherrypick upstream test suite fix for buffer.
679+
680+ -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 13 Jun 2019 11:08:24 +0100
681+
682+apache2 (2.4.38-3ubuntu1) eoan; urgency=low
683+
684+ * Merge from Debian unstable. Remaining changes:
685+ - Cherrypick upstream testsuite fix:
686+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
687+ as such).
688+ - Similarly use TLSv1.2 for pr12355 and pr43738.
689+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
690+ apache2.dirs}: Add ufw profiles.
691+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
692+ - debian/patches/086_svn_cross_compiles: Backport several cross
693+ fixes from upstream
694+ [Removed configure chunk, not needed since configure.in is being
695+ patched.]
696+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
697+ Debian with Ubuntu on default page.
698+ + d/source/include-binaries: add Ubuntu icon file
699+ - d/t/control, d/t/check-http2: add basic test for http2 support
700+
701+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Jun 2019 19:17:38 +0100
702+
703 apache2 (2.4.38-3) unstable; urgency=high
704
705 [ Marc Deslauriers ]
706@@ -299,6 +738,79 @@ apache2 (2.4.38-3) unstable; urgency=high
707
708 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200
709
710+apache2 (2.4.38-2ubuntu3) eoan; urgency=medium
711+
712+ * Cherrypick upstream testsuite fix:
713+ - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
714+ as such).
715+ * Similarly use TLSv1.2 for pr12355 and pr43738.
716+
717+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 07 May 2019 10:39:47 +0100
718+
719+apache2 (2.4.38-2ubuntu2) disco; urgency=medium
720+
721+ * SECURITY UPDATE: read-after-free on a string compare in mod_http2
722+ - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
723+ request method in modules/http2/h2_request.c.
724+ - CVE-2019-0196
725+ * SECURITY UPDATE: privilege escalation from modules' scripts
726+ - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
727+ child to its slot number in include/scoreboard.h,
728+ server/mpm/event/event.c, server/mpm/prefork/prefork.c,
729+ server/mpm/worker/worker.c.
730+ - CVE-2019-0211
731+ * SECURITY UPDATE: mod_ssl access control bypass
732+ - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
733+ PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
734+ - CVE-2019-0215
735+ * SECURITY UPDATE: mod_auth_digest access control bypass
736+ - debian/patches/CVE-2019-0217.patch: fix a race condition in
737+ modules/aaa/mod_auth_digest.c.
738+ - CVE-2019-0217
739+ * SECURITY UPDATE: URL normalization inconsistincy
740+ - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
741+ the path in include/http_core.h, include/httpd.h, server/core.c,
742+ server/request.c, server/util.c.
743+ - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
744+ in server/request.c, server/util.c.
745+ - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
746+ server/util.c.
747+ - CVE-2019-0220
748+
749+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Apr 2019 14:31:46 -0400
750+
751+apache2 (2.4.38-2ubuntu1) disco; urgency=medium
752+
753+ * Merge with Debian unstable. Remaining changes:
754+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
755+ apache2.dirs}: Add ufw profiles.
756+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
757+ - debian/patches/086_svn_cross_compiles: Backport several cross
758+ fixes from upstream
759+ [Removed configure chunk, not needed since configure.in is being
760+ patched.]
761+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
762+ Debian with Ubuntu on default page.
763+ + d/source/include-binaries: add Ubuntu icon file
764+ - d/t/control, d/t/check-http2: add basic test for http2 support
765+ * Dropped:
766+ - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
767+ libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
768+ cannot be coinstalled with libcurl3. That situation breaks the
769+ installation of libapache2-mod-shib2. See
770+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
771+ for details.
772+ [This has been resolved in Disco, where libxmltooling8 is built with
773+ openssl 1.1]
774+ - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
775+ + debian/patches/CVE-2018-11763.patch: rework connection IO event
776+ handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
777+ modules/http2/h2_version.h.
778+ - CVE-2018-11763
779+ [Fixed in 2.4.35]
780+
781+ -- Andreas Hasenack <andreas@canonical.com> Sun, 03 Feb 2019 14:57:13 -0200
782+
783 apache2 (2.4.38-2) unstable; urgency=medium
784
785 * Disable "reset" test in allowmethods.t (Closes: #921024)
786@@ -381,6 +893,37 @@ apache2 (2.4.35-1) unstable; urgency=medium
787
788 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200
789
790+apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium
791+
792+ * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
793+ - debian/patches/CVE-2018-11763.patch: rework connection IO event
794+ handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
795+ modules/http2/h2_version.h.
796+ - CVE-2018-11763
797+
798+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Oct 2018 09:57:22 -0400
799+
800+apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium
801+
802+ * Merge with Debian unstable. Remaining changes:
803+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
804+ apache2.dirs}: Add ufw profiles.
805+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
806+ - debian/patches/086_svn_cross_compiles: Backport several cross
807+ fixes from upstream
808+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
809+ Debian with Ubuntu on default page.
810+ + d/source/include-binaries: add Ubuntu icon file
811+ - d/t/control, d/t/check-http2: add basic test for http2 support
812+ - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
813+ libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
814+ cannot be coinstalled with libcurl3. That situation breaks the
815+ installation of libapache2-mod-shib2. See
816+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
817+ for details.
818+
819+ -- Andreas Hasenack <andreas@canonical.com> Fri, 03 Aug 2018 17:09:27 -0300
820+
821 apache2 (2.4.34-1) unstable; urgency=medium
822
823 [ Ondřej Surý ]
824@@ -399,6 +942,87 @@ apache2 (2.4.34-1) unstable; urgency=medium
825
826 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200
827
828+apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium
829+
830+ * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load:
831+ re-enable proxy_uwsgi, as the uwsgi source no longer builds this module.
832+
833+ -- Andreas Hasenack <andreas@canonical.com> Thu, 28 Jun 2018 10:07:06 -0300
834+
835+apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
836+
837+ * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
838+ libapache2-mod-md until we figure out their transitions. libapache2-mod-md
839+ in particular is problematic because that makes apache2-bin pull in
840+ libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
841+ the installation of libapache2-mod-shib2. See
842+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
843+ for details.
844+ - Don't ship md.load and remove build-requires that were added because of
845+ mod-md (see
846+ https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
847+ - Remove proxy_uwsgi.load as we are not building it for now (see
848+ https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
849+
850+ -- Andreas Hasenack <andreas@canonical.com> Thu, 17 May 2018 14:46:19 +0000
851+
852+apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
853+
854+ * Merge with Debian unstable (LP: #1770242). Remaining changes:
855+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
856+ apache2.dirs}: Add ufw profiles.
857+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
858+ - debian/patches/086_svn_cross_compiles: Backport several cross
859+ fixes from upstream
860+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
861+ Debian with Ubuntu on default page.
862+ + d/source/include-binaries: add Ubuntu icon file
863+ - d/t/control, d/t/check-http2: add basic test for http2 support
864+ * Drop:
865+ - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
866+ + debian/patches/CVE-2017-15710.patch: fix language long names
867+ detection as short name in modules/aaa/mod_authnz_ldap.c.
868+ + CVE-2017-15710
869+ - SECURITY UPDATE: incorrect <FilesMatch> matching
870+ + debian/patches/CVE-2017-15715.patch: allow to configure
871+ global/default options for regexes, like caseless matching or
872+ extended format in include/ap_regex.h, server/core.c,
873+ server/util_pcre.c.
874+ + CVE-2017-15715
875+ - SECURITY UPDATE: mod_session header manipulation
876+ + debian/patches/CVE-2018-1283.patch: strip Session header when
877+ SessionEnv is on in modules/session/mod_session.c.
878+ + CVE-2018-1283
879+ - SECURITY UPDATE: DoS via specially-crafted request
880+ + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
881+ terminated on any error, not only on buffer full in
882+ server/protocol.c.
883+ + CVE-2018-1301
884+ - SECURITY UPDATE: mod_cache_socache DoS
885+ + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
886+ to carriage return in modules/cache/mod_cache_socache.c.
887+ + CVE-2018-1303
888+ - SECURITY UPDATE: insecure nonce generation
889+ + debian/patches/CVE-2018-1312.patch: actually use the secret when
890+ generating nonces in modules/aaa/mod_auth_digest.c.
891+ + CVE-2018-1312
892+ - Correct systemd-sysv-generator behavior by customizing some
893+ parameters:
894+ + d/apache2-systemd.conf: add a drop-in file to specify some
895+ parameters for the systemd unit (type=Forking and
896+ RemainsAfterExit=no), this allow a correct state synchronisation
897+ between systemctl status and actual state of apache2 daemon.
898+ + d/apache2.install: place the apache2-systemd.conf file in the
899+ correct location.
900+ [type=Forking already in the base systemd service file, and
901+ RemainsAfterExit=no is the default value, so no need to
902+ customize these anymore.]
903+ - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
904+ + added debian/patches/util_ldap_cache_lock_fix.patch
905+ [Already applied upstream]
906+
907+ -- Andreas Hasenack <andreas@canonical.com> Tue, 15 May 2018 11:03:34 -0300
908+
909 apache2 (2.4.33-3) unstable; urgency=medium
910
911 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
912@@ -471,6 +1095,91 @@ apache2 (2.4.29-2) unstable; urgency=medium
913
914 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +0000
915
916+apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium
917+
918+ * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
919+ - debian/patches/CVE-2017-15710.patch: fix language long names
920+ detection as short name in modules/aaa/mod_authnz_ldap.c.
921+ - CVE-2017-15710
922+ * SECURITY UPDATE: incorrect <FilesMatch> matching
923+ - debian/patches/CVE-2017-15715.patch: allow to configure
924+ global/default options for regexes, like caseless matching or
925+ extended format in include/ap_regex.h, server/core.c,
926+ server/util_pcre.c.
927+ - CVE-2017-15715
928+ * SECURITY UPDATE: mod_session header manipulation
929+ - debian/patches/CVE-2018-1283.patch: strip Session header when
930+ SessionEnv is on in modules/session/mod_session.c.
931+ - CVE-2018-1283
932+ * SECURITY UPDATE: DoS via specially-crafted request
933+ - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
934+ terminated on any error, not only on buffer full in
935+ server/protocol.c.
936+ - CVE-2018-1301
937+ * SECURITY UPDATE: mod_cache_socache DoS
938+ - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
939+ to carriage return in modules/cache/mod_cache_socache.c.
940+ - CVE-2018-1303
941+ * SECURITY UPDATE: insecure nonce generation
942+ - debian/patches/CVE-2018-1312.patch: actually use the secret when
943+ generating nonces in modules/aaa/mod_auth_digest.c.
944+ - CVE-2018-1312
945+
946+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Apr 2018 07:38:24 -0400
947+
948+apache2 (2.4.29-1ubuntu4) bionic; urgency=medium
949+
950+ * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
951+ - added debian/patches/util_ldap_cache_lock_fix.patch
952+
953+ -- Rafael David Tinoco <rafael.tinoco@canonical.com> Fri, 02 Mar 2018 02:19:31 +0000
954+
955+apache2 (2.4.29-1ubuntu3) bionic; urgency=medium
956+
957+ * Switch back to OpenSSL 1.1.
958+
959+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 11:57:20 +0000
960+
961+apache2 (2.4.29-1ubuntu2) bionic; urgency=medium
962+
963+ * enable http2 (LP: #1687454) by stopping to disable it
964+ - debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
965+ - debian/config-dir/mods-available/http2.load: no more removed.
966+ - debian/rules: no more removed proxy_http2 from configure.
967+ * d/t/control, d/t/check-http2: add basic test for http2 support
968+
969+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 05 Dec 2017 17:25:39 +0100
970+
971+apache2 (2.4.29-1ubuntu1) bionic; urgency=medium
972+
973+ * Merge with Debian unstable. Remaining changes:
974+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
975+ apache2.dirs}: Add ufw profiles.
976+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
977+ - debian/patches/086_svn_cross_compiles: Backport several cross
978+ fixes from upstream
979+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
980+ Debian with Ubuntu on default page.
981+ + d/source/include-binaries: add Ubuntu icon file
982+ - Correct systemd-sysv-generator behavior by customizing some
983+ parameters:
984+ + d/apache2-systemd.conf: add a drop-in file to specify some
985+ parameters for the systemd unit (type=Forking and
986+ RemainsAfterExit=no), this allow a correct state synchronisation
987+ between systemctl status and actual state of apache2 daemon.
988+ + d/apache2.install: place the apache2-systemd.conf file in the
989+ correct location.
990+ - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
991+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
992+ + debian/config-dir/mods-available/http2.load: removed.
993+ + debian/rules: removed proxy_http2 from configure.
994+ * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
995+ - debian/control: switch BuildDepends to libssl1.0-dev
996+ - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
997+ - debian/rules: remove openssl virtual package and logic
998+
999+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 10 Nov 2017 10:51:46 -0500
1000+
1001 apache2 (2.4.29-1) unstable; urgency=medium
1002
1003 [ Stefan Fritsch ]
1004@@ -535,6 +1244,47 @@ apache2 (2.4.27-3) experimental; urgency=medium
1005
1006 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +0200
1007
1008+apache2 (2.4.27-2ubuntu3) artful; urgency=medium
1009+
1010+ * SECURITY UPDATE: optionsbleed information leak
1011+ - debian/patches/CVE-2017-9798.patch: disallow method registration
1012+ at run time in server/core.c.
1013+ - CVE-2017-9798
1014+
1015+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Sep 2017 11:05:48 -0400
1016+
1017+apache2 (2.4.27-2ubuntu2) artful; urgency=medium
1018+
1019+ * Undrop (LP 1658469):
1020+ - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1021+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1022+ + debian/config-dir/mods-available/http2.load: removed.
1023+ + debian/rules: removed proxy_http2 from configure.
1024+
1025+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 02 Aug 2017 13:04:45 -0400
1026+
1027+apache2 (2.4.27-2ubuntu1) artful; urgency=medium
1028+
1029+ * Merge with Debian unstable (LP: #1702582). Remaining changes:
1030+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1031+ apache2.dirs}: Add ufw profiles.
1032+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1033+ - debian/patches/086_svn_cross_compiles: Backport several cross
1034+ fixes from upstream
1035+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1036+ Debian with Ubuntu on default page.
1037+ + d/source/include-binaries: add Ubuntu icon file
1038+ - Correct systemd-sysv-generator behavior by customizing some
1039+ parameters:
1040+ + d/apache2-systemd.conf: add a drop-in file to specify some
1041+ parameters for the systemd unit (type=Forking and
1042+ RemainsAfterExit=no), this allow a correct state synchronisation
1043+ between systemctl status and actual state of apache2 daemon.
1044+ + d/apache2.install: place the apache2-systemd.conf file in the
1045+ correct location.
1046+
1047+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 27 Jul 2017 13:38:39 -0700
1048+
1049 apache2 (2.4.27-2) unstable; urgency=medium
1050
1051 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
1052@@ -564,6 +1314,55 @@ apache2 (2.4.25-4) unstable; urgency=high
1053
1054 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +0200
1055
1056+apache2 (2.4.25-3ubuntu3) artful; urgency=medium
1057+
1058+ * Re-Drop (LP: #1658469):
1059+ - Don't build experimental http2 module for LTS:
1060+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1061+ + debian/config-dir/mods-available/http2.load: removed.
1062+ + debian/rules: removed proxy_http2 from configure.
1063+ + debian/apache2.maintscript: remove http2 conffile.
1064+
1065+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Mon, 01 May 2017 09:55:11 -0700
1066+
1067+apache2 (2.4.25-3ubuntu2) zesty; urgency=medium
1068+ * Undrop (LP 1658469):
1069+ - Don't build experimental http2 module for LTS:
1070+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1071+ + debian/config-dir/mods-available/http2.load: removed.
1072+ + debian/rules: removed proxy_http2 from configure.
1073+ + debian/apache2.maintscript: remove http2 conffile.
1074+
1075+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 10 Feb 2017 08:53:43 -0800
1076+
1077+apache2 (2.4.25-3ubuntu1) zesty; urgency=medium
1078+
1079+ * Merge from Debian unstable (LP: #1663425). Remaining changes:
1080+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1081+ apache2.dirs}: Add ufw profiles.
1082+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1083+ - debian/patches/086_svn_cross_compiles: Backport several cross
1084+ fixes from upstream
1085+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1086+ Debian with Ubuntu on default page.
1087+ + d/source/include-binaries: add Ubuntu icon file
1088+ - Correct systemd-sysv-generator behavior by customizing some
1089+ parameters:
1090+ + d/apache2-systemd.conf: add a drop-in file to specify some
1091+ parameters for the systemd unit (type=Forking and
1092+ RemainsAfterExit=no), this allow a correct state synchronisation
1093+ between systemctl status and actual state of apache2 daemon.
1094+ + d/apache2.install: place the apache2-systemd.conf file in the
1095+ correct location.
1096+ * Drop (LP: #1658469):
1097+ - Don't build experimental http2 module for LTS:
1098+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1099+ + debian/config-dir/mods-available/http2.load: removed.
1100+ + debian/rules: removed proxy_http2 from configure.
1101+ + debian/apache2.maintscript: remove http2 conffile.
1102+
1103+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 09 Feb 2017 15:48:28 -0800
1104+
1105 apache2 (2.4.25-3) unstable; urgency=medium
1106
1107 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
1108@@ -625,6 +1424,39 @@ apache2 (2.4.25-1) unstable; urgency=medium
1109
1110 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +0100
1111
1112+apache2 (2.4.23-8ubuntu1) zesty; urgency=medium
1113+
1114+ * Merge from Debian unstable (LP: #). Remaining changes:
1115+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1116+ apache2.dirs}: Add ufw profiles.
1117+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1118+ - debian/patches/086_svn_cross_compiles: Backport several cross
1119+ fixes from upstream
1120+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
1121+ d/source/include-binaries: replace Debian with Ubuntu on default
1122+ page.
1123+ [ include-binaries change previously undocumented ]
1124+ - Don't build experimental http2 module for LTS:
1125+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1126+ + debian/config-dir/mods-available/http2.load: removed.
1127+ + debian/rules: removed proxy_http2 from configure.
1128+ + debian/apache2.maintscript: remove http2 conffile.
1129+ [ Previously undocumented ]
1130+ - Correct systemd-sysv-generator behavior by customizing some
1131+ parameters:
1132+ + d/apache2-systemd.conf: add a drop-in file to specify some
1133+ parameters for the systemd unit (type=Forking and
1134+ RemainsAfterExit=no), this allow a correct state synchronisation
1135+ between systemctl status and actual state of apache2 daemon.
1136+ + d/apache2.install: place the apache2-systemd.conf file in the
1137+ correct location.
1138+ * Drop:
1139+ - debian/rules: Fix cross-building by passing
1140+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1141+ [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]
1142+
1143+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 09 Dec 2016 11:02:38 +0100
1144+
1145 apache2 (2.4.23-8) unstable; urgency=medium
1146
1147 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
1148@@ -635,6 +1467,33 @@ apache2 (2.4.23-8) unstable; urgency=medium
1149
1150 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100
1151
1152+apache2 (2.4.23-7ubuntu1) zesty; urgency=medium
1153+
1154+ * Merge from Debian unstable. Remaining changes:
1155+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1156+ apache2.dirs}: Add ufw profiles.
1157+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1158+ - debian/rules: Fix cross-building by passing
1159+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1160+ - debian/patches/086_svn_cross_compiles: Backport several cross
1161+ fixes from upstream
1162+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1163+ Debian with Ubuntu on default page.
1164+ - Don't build experimental http2 module for LTS:
1165+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1166+ + debian/config-dir/mods-available/http2.load: removed.
1167+ + debian/rules: removed proxy_http2 from configure.
1168+ - Correct systemd-sysv-generator behavior by customizing some
1169+ parameters:
1170+ + d/apache2-systemd.conf: add a drop-in file to specify some
1171+ parameters for the systemd unit (type=Forking and
1172+ RemainsAfterExit=no), this allow a correct state synchronisation
1173+ between systemctl status and actual state of apache2 daemon.
1174+ + d/apache2.install: place the apache2-systemd.conf file in the
1175+ correct location.
1176+
1177+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Nov 2016 09:17:24 -0500
1178+
1179 apache2 (2.4.23-7) unstable; urgency=medium
1180
1181 * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
1182@@ -749,6 +1608,55 @@ apache2 (2.4.20-1) unstable; urgency=medium
1183
1184 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200
1185
1186+apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium
1187+
1188+ * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
1189+ - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
1190+ server/util_script.c.
1191+ - CVE-2016-5387
1192+
1193+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Jul 2016 14:32:02 -0400
1194+
1195+apache2 (2.4.18-2ubuntu3) xenial; urgency=medium
1196+
1197+ [ Ryan Harper ]
1198+ * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
1199+ introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
1200+ all, since http2 support is intentionally disabled (see LP 1531864).
1201+ * d/apache2.maintscript: handle removal of http2.load conffile.
1202+
1203+ [ Robie Basak ]
1204+ * Re-write Ryan's changelog entry.
1205+
1206+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 15 Apr 2016 18:00:57 +0000
1207+
1208+apache2 (2.4.18-2ubuntu2) xenial; urgency=medium
1209+
1210+ * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
1211+ - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
1212+ unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation
1213+ between systemctl status and actual state of apache2 daemon.
1214+ - d/apache2.install: place the apache2-systemd.conf file in the correct location.
1215+
1216+ -- Pierre-André MOREY <pierre-andre.morey@canonical.com> Fri, 08 Apr 2016 11:48:00 +0200
1217+
1218+apache2 (2.4.18-2ubuntu1) xenial; urgency=medium
1219+
1220+ * Merge from Debian unstable. Remaining changes:
1221+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1222+ apache2.dirs}: Add ufw profiles.
1223+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1224+ - debian/rules: Fix cross-building by passing
1225+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1226+ - debian/patches/086_svn_cross_compiles: Backport several cross
1227+ fixes from upstream
1228+ - d/index.html: replace Debian with Ubuntu on default page.
1229+ - Don't build experimental http2 module for LTS:
1230+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1231+ + debian/config-dir/mods-available/http2.load: removed.
1232+
1233+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 06 Apr 2016 00:18:31 +0300
1234+
1235 apache2 (2.4.18-2) unstable; urgency=low
1236
1237 * htcacheclean:
1238@@ -774,6 +1682,24 @@ apache2 (2.4.18-2) unstable; urgency=low
1239
1240 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200
1241
1242+apache2 (2.4.18-1ubuntu1) xenial; urgency=medium
1243+
1244+ * Merge from Debian unstable. Remaining changes:
1245+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1246+ apache2.dirs}: Add ufw profiles.
1247+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1248+ - Add dep8 tests.
1249+ - debian/rules: Fix cross-building by passing
1250+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1251+ - debian/patches/086_svn_cross_compiles: Backport several cross
1252+ fixes from upstream
1253+ - d/index.html: replace Debian with Ubuntu on default page.
1254+ - Don't build experimental http2 module for LTS:
1255+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1256+ + debian/config-dir/mods-available/http2.load: removed.
1257+
1258+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Jan 2016 15:15:22 -0500
1259+
1260 apache2 (2.4.18-1) unstable; urgency=medium
1261
1262 * New upstream release:
1263@@ -781,12 +1707,48 @@ apache2 (2.4.18-1) unstable; urgency=medium
1264
1265 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100
1266
1267+apache2 (2.4.17-3ubuntu1) xenial; urgency=medium
1268+
1269+ * Merge from Debian unstable. Remaining changes:
1270+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1271+ apache2.dirs}: Add ufw profiles.
1272+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1273+ - Add dep8 tests.
1274+ - debian/rules: Fix cross-building by passing
1275+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1276+ - debian/patches/086_svn_cross_compiles: Backport several cross
1277+ fixes from upstream
1278+ - d/index.html: replace Debian with Ubuntu on default page.
1279+ - Don't build experimental http2 module for LTS:
1280+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1281+ + debian/config-dir/mods-available/http2.load: removed.
1282+
1283+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Dec 2015 10:07:35 -0500
1284+
1285 apache2 (2.4.17-3) unstable; urgency=medium
1286
1287 * mpm_prefork: Fix segfault if started with -X. Closes: #805737
1288
1289 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100
1290
1291+apache2 (2.4.17-2ubuntu1) xenial; urgency=medium
1292+
1293+ * Merge from Debian unstable. Remaining changes:
1294+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1295+ apache2.dirs}: Add ufw profiles.
1296+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1297+ - Add dep8 tests.
1298+ - debian/rules: Fix cross-building by passing
1299+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1300+ - debian/patches/086_svn_cross_compiles: Backport several cross
1301+ fixes from upstream
1302+ - d/index.html: replace Debian with Ubuntu on default page.
1303+ - Don't build experimental http2 module for LTS:
1304+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1305+ + debian/config-dir/mods-available/http2.load: removed.
1306+
1307+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Nov 2015 09:11:52 -0500
1308+
1309 apache2 (2.4.17-2) unstable; urgency=medium
1310
1311 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
1312@@ -797,6 +1759,31 @@ apache2 (2.4.17-2) unstable; urgency=medium
1313
1314 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100
1315
1316+apache2 (2.4.17-1ubuntu1) xenial; urgency=medium
1317+
1318+ * Merge from Debian unstable. Remaining changes:
1319+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1320+ apache2.dirs}: Add ufw profiles.
1321+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1322+ - Add dep8 tests.
1323+ - debian/rules: Fix cross-building by passing
1324+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1325+ - debian/patches/086_svn_cross_compiles: Backport several cross
1326+ fixes from upstream
1327+ - d/index.html: replace Debian with Ubuntu on default page.
1328+ * Drop patches (applied upstream):
1329+ - debian/patches/CVE-2015-3183.patch
1330+ - debian/patches/CVE-2015-3185.patch
1331+ * Drop changes (adopted in Debian):
1332+ - Allow "triggers-awaited" and "triggers-pending" states in addition
1333+ to "installed" when determining whether to defer actions or
1334+ process deferred actions.
1335+ * Don't build experimental http2 module for LTS
1336+ - debian/control: removed libnghttp2-dev Build-Depends (in universe).
1337+ - debian/config-dir/mods-available/http2.load: removed.
1338+
1339+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 30 Oct 2015 09:35:46 -0400
1340+
1341 apache2 (2.4.17-1) unstable; urgency=medium
1342
1343 [ Stefan Fritsch ]
1344@@ -862,6 +1849,49 @@ apache2 (2.4.16-1) unstable; urgency=medium
1345
1346 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200
1347
1348+apache2 (2.4.12-2ubuntu2) wily; urgency=medium
1349+
1350+ * SECURITY UPDATE: request smuggling via chunked transfer encoding
1351+ - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
1352+ modules/http/http_filters.c.
1353+ - CVE-2015-3183
1354+ * SECURITY UPDATE: access restriction bypass via deprecated API
1355+ - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
1356+ in include/http_request.h, server/request.c.
1357+ - CVE-2015-3185
1358+
1359+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 24 Jul 2015 09:56:09 -0400
1360+
1361+apache2 (2.4.12-2ubuntu1) wily; urgency=medium
1362+
1363+ * Merge from Debian unstable. Remaining changes:
1364+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1365+ apache2.dirs}: Add ufw profiles.
1366+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1367+ - Add dep8 tests.
1368+ - debian/rules: Fix cross-building by passing
1369+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1370+ - debian/patches/086_svn_cross_compiles: Backport several cross
1371+ fixes from upstream
1372+ - d/index.html: replace Debian with Ubuntu on default page.
1373+ - Allow "triggers-awaited" and "triggers-pending" states in addition
1374+ to "installed" when determining whether to defer actions or
1375+ process deferred actions.
1376+ * Drop patches (applied upstream):
1377+ - d/p/split-logfile.patch
1378+ - d/p/CVE-2015-0228.patch
1379+ * Drop changes (superceded in Debian):
1380+ - Cherry-pick versioned build-depend on dpkg from Debian for correct
1381+ dpkg-maintscript-helper symlink_to_dir support.
1382+ * Drop changes (adopted in Debian):
1383+ - d/control, d/config-dir/mods-available/ssl.conf,
1384+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1385+ dialog program ask-for-passphrase.
1386+ * Fix cross-building configure line in d/rules, which had bit-rotted in
1387+ previous merges.
1388+
1389+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 May 2015 16:34:00 +0000
1390+
1391 apache2 (2.4.12-2) unstable; urgency=medium
1392
1393 [ Jean-Michel Nirgal Vourgère ]
1394@@ -911,6 +1941,28 @@ apache2 (2.4.10-10) unstable; urgency=medium
1395
1396 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100
1397
1398+apache2 (2.4.10-9ubuntu1) vivid; urgency=medium
1399+
1400+ * Merge from Debian unstable. Remaining changes:
1401+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1402+ apache2.dirs}: Add ufw profiles.
1403+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1404+ - d/control, d/config-dir/mods-available/ssl.conf,
1405+ - Add dep8 tests.
1406+ - debian/rules: Fix cross-building by passing
1407+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1408+ - debian/patches/086_svn_cross_compiles: Backport several cross
1409+ fixes from upstream
1410+ - d/index.html: replace Debian with Ubuntu on default page.
1411+ - d/p/split-logfile.patch: fix completely broken split-logfile
1412+ command.
1413+ - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
1414+ denial of service in mod_lua via websockets PING
1415+ * debian/tests/ssl-passphrase: Add password responder for
1416+ systemd-ask-passphrase.
1417+
1418+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 09 Mar 2015 12:03:16 +0100
1419+
1420 apache2 (2.4.10-9) unstable; urgency=medium
1421
1422 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
1423@@ -925,6 +1977,54 @@ apache2 (2.4.10-9) unstable; urgency=medium
1424
1425 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100
1426
1427+apache2 (2.4.10-8ubuntu3) vivid; urgency=medium
1428+
1429+ * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
1430+ directives
1431+ - debian/patches/CVE-2014-8109.patch: handle multiple Require
1432+ directives with different arguments in modules/lua/mod_lua.c.
1433+ - CVE-2014-8109
1434+ * SECURITY UPDATE: denial of service in mod_lua via websockets PING
1435+ - debian/patches/CVE-2015-0228.patch: fix logic in
1436+ modules/lua/lua_request.c.
1437+ - CVE-2015-0228
1438+
1439+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 05 Mar 2015 10:56:34 -0500
1440+
1441+apache2 (2.4.10-8ubuntu2) vivid; urgency=medium
1442+
1443+ * Allow "triggers-awaited" and "triggers-pending" states in addition to
1444+ "installed" when determining whether to defer actions or process
1445+ deferred actions (LP: #1393832).
1446+
1447+ -- Colin Watson <cjwatson@ubuntu.com> Wed, 26 Nov 2014 11:31:44 +0000
1448+
1449+apache2 (2.4.10-8ubuntu1) vivid; urgency=medium
1450+
1451+ * Merge from Debian unstable. Remaining changes:
1452+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1453+ apache2.dirs}: Add ufw profiles.
1454+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1455+ - d/control, d/config-dir/mods-available/ssl.conf,
1456+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1457+ dialog program ask-for-passphrase.
1458+ - Add dep8 tests.
1459+ - debian/rules: Fix cross-building by passing
1460+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1461+ - debian/patches/086_svn_cross_compiles: Backport several cross
1462+ fixes from upstream
1463+ - d/index.html: replace Debian with Ubuntu on default page.
1464+ - d/p/split-logfile.patch: fix completely broken split-logfile
1465+ command.
1466+ * Fixes from Debian included in merge:
1467+ - Crash caused by OCSP stapling code; this was erroneously
1468+ attributed to Debian in my previous merge, but actually only
1469+ appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
1470+ * Cherry-pick versioned build-depend on dpkg from Debian for correct
1471+ dpkg-maintscript-helper symlink_to_dir support.
1472+
1473+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 21 Nov 2014 15:15:58 +0000
1474+
1475 apache2 (2.4.10-8) unstable; urgency=medium
1476
1477 * Bump dpkg Pre-Depends to version that supports relative symlinks in
1478@@ -939,6 +2039,33 @@ apache2 (2.4.10-8) unstable; urgency=medium
1479
1480 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100
1481
1482+apache2 (2.4.10-7ubuntu1) vivid; urgency=medium
1483+
1484+ * Merge from Debian unstable. Remaining changes:
1485+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1486+ apache2.dirs}: Add ufw profiles.
1487+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1488+ - d/control, d/config-dir/mods-available/ssl.conf,
1489+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1490+ dialog program ask-for-passphrase.
1491+ - Add dep8 tests.
1492+ - debian/rules: Fix cross-building by passing
1493+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1494+ - debian/patches/086_svn_cross_compiles: Backport several cross
1495+ fixes from upstream
1496+ - d/index.html: replace Debian with Ubuntu on default page.
1497+ - d/p/split-logfile.patch: fix completely broken split-logfile command.
1498+ * Fixes from Debian included in merge:
1499+ - Don't use a2query in preinst, as it may not be available yet
1500+ (LP: #1312533).
1501+ - Crash caused by OCSP stapling code (LP: #1366174).
1502+ - Disable SSLv3 in default config (LP: #1358305).
1503+ - If apache2 is not configured yet, defer actions executed via
1504+ apache2-maintscript-helper. This fixes installation failures if a
1505+ module package is configured first (LP: #1312854).
1506+
1507+ -- Robie Basak <robie.basak@ubuntu.com> Mon, 17 Nov 2014 18:04:40 +0000
1508+
1509 apache2 (2.4.10-7) unstable; urgency=medium
1510
1511 * Handle transitions of doc dirs and symlinks correctly during upgrade.
1512@@ -1022,6 +2149,25 @@ apache2 (2.4.10-2) unstable; urgency=medium
1513
1514 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200
1515
1516+apache2 (2.4.10-1ubuntu1) utopic; urgency=medium
1517+
1518+ * Merge from Debian unstable. Remaining changes:
1519+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1520+ apache2.dirs}: Add ufw profiles.
1521+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1522+ - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
1523+ d/apache2.install: Plymouth aware passphrase dialog program
1524+ ask-for-passphrase.
1525+ - Add dep8 tests.
1526+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
1527+ configure.
1528+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
1529+ upstream
1530+ - d/index.html: replace Debian with Ubuntu on default page.
1531+ - d/p/split-logfile.patch: fix completely broken split-logfile command.
1532+
1533+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 24 Jul 2014 15:13:16 +0000
1534+
1535 apache2 (2.4.10-1) unstable; urgency=medium
1536
1537 [ Arno Töll ]
1538@@ -1069,6 +2215,45 @@ apache2 (2.4.9-2) unstable; urgency=medium
1539
1540 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200
1541
1542+apache2 (2.4.9-1ubuntu2) utopic; urgency=medium
1543+
1544+ * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
1545+ yet support building against lua 5.2 (LP: #1323930).
1546+
1547+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 28 May 2014 08:55:25 +0000
1548+
1549+apache2 (2.4.9-1ubuntu1) utopic; urgency=medium
1550+
1551+ * Merge from Debian unstable. Remaining changes:
1552+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1553+ apache2.dirs}: Add ufw profiles.
1554+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1555+ - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
1556+ d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
1557+ dialog program ask-for-passphrase.
1558+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
1559+ configure.
1560+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
1561+ upstream
1562+ - Build using lua5.2.
1563+ - d/tests/chroot: dep8 test for ChrootDir case.
1564+ - d/tests/ssl-passphrase: update for new default path /var/www/html.
1565+ - d/tests/duplicate-module-load: check for duplicate module loads.
1566+ - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
1567+ - d/p/split-logfile.patch: fix completely broken split-logfile command
1568+ (LP: #1299162). Thanks to Holger Mauermann.
1569+ * Drop changes (upstreamed):
1570+ - d/p/ignore-quilt-dir: adjust build system so that it does not use
1571+ files find inside the .pc directory. This stops a double module load
1572+ causing later havoc, including "ChrootDir" directive failure.
1573+ - debian/patches/CVE-2013-6438.patch: properly calculate correct length
1574+ in modules/dav/main/util.c.
1575+ - debian/patches/CVE-2014-0098.patch: properly parse tokens in
1576+ modules/loggers/mod_log_config.c.
1577+ * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
1578+
1579+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 May 2014 19:30:04 +0000
1580+
1581 apache2 (2.4.9-1) unstable; urgency=medium
1582
1583 * New upstream version.
1584@@ -1101,6 +2286,63 @@ apache2 (2.4.9-1) unstable; urgency=medium
1585
1586 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +0100
1587
1588+apache2 (2.4.7-1ubuntu4) trusty; urgency=medium
1589+
1590+ * d/p/split-logfile.patch: fix completely broken split-logfile command
1591+ (LP: #1299162). Thanks to Holger Mauermann.
1592+
1593+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 03 Apr 2014 11:21:22 +0000
1594+
1595+apache2 (2.4.7-1ubuntu3) trusty; urgency=medium
1596+
1597+ * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
1598+ calculation
1599+ - debian/patches/CVE-2013-6438.patch: properly calculate correct length
1600+ in modules/dav/main/util.c.
1601+ - CVE-2013-6438
1602+ * SECURITY UPDATE: denial of service via truncated cookie and
1603+ mod_log_config
1604+ - debian/patches/CVE-2014-0098.patch: properly parse tokens in
1605+ modules/loggers/mod_log_config.c.
1606+ - CVE-2014-0098
1607+
1608+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Mar 2014 08:34:10 -0400
1609+
1610+apache2 (2.4.7-1ubuntu2) trusty; urgency=medium
1611+
1612+ * d/index.html: replace Debian with Ubuntu on default page
1613+ (LP: #1288690).
1614+
1615+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 19 Mar 2014 11:04:21 +0000
1616+
1617+apache2 (2.4.7-1ubuntu1) trusty; urgency=medium
1618+
1619+ * Merge from Debian unstable. Remaining changes:
1620+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1621+ apache2.dirs}: Add ufw profiles.
1622+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1623+ - d/control, d/config-dir/mods-available/ssl.conf,
1624+ d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase:
1625+ Plymouth aware passphrase dialog program ask-for-passphrase.
1626+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
1627+ to configure.
1628+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes
1629+ from upstream
1630+ - Build using lua5.2.
1631+ - d/tests/chroot: dep8 test for ChrootDir case.
1632+ - d/p/ignore-quilt-dir: adjust build system so that it does not use
1633+ files find inside the .pc directory. This stops a double module load
1634+ causing later havoc, including "ChrootDir" directive failure.
1635+ * Drop changes:
1636+ - debian/{control, rules}: Enable PIE hardening: no longer required;
1637+ 2.4.7-1 is already hardened.
1638+ - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved
1639+ out of this package.
1640+ * d/tests/ssl-passphrase: update for new default path /var/www/html.
1641+ * d/tests/duplicate-module-load: check for duplicate module loads.
1642+
1643+ -- Robie Basak <robie.basak@ubuntu.com> Tue, 14 Jan 2014 17:23:47 +0000
1644+
1645 apache2 (2.4.7-1) unstable; urgency=low
1646
1647 New upstream version
1648@@ -1164,6 +2406,53 @@ apache2 (2.4.6-3) unstable; urgency=low
1649
1650 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +0200
1651
1652+apache2 (2.4.6-2ubuntu4) trusty; urgency=low
1653+
1654+ * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so
1655+ that it does not use files find inside the .pc directory. This stops a
1656+ double module load causing later havoc, including "ChrootDir" directive
1657+ failure (LP: #1251939). Thanks to Stefan Fritsch.
1658+ * d/tests/chroot: dep8 test for ChrootDir case.
1659+
1660+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 Nov 2013 16:21:51 +0000
1661+
1662+apache2 (2.4.6-2ubuntu3) trusty; urgency=low
1663+
1664+ * debian/apache2.install: Correct path for ufw.
1665+ (LP: #1252722)
1666+
1667+ -- Chuck Short <zulcss@ubuntu.com> Tue, 19 Nov 2013 08:59:54 -0500
1668+
1669+apache2 (2.4.6-2ubuntu2) saucy; urgency=low
1670+
1671+ * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes
1672+ passphrase prompting for SSL certificates that are passphrase protected.
1673+ * Add dep8 test for SSL passphrase prompting.
1674+
1675+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 Aug 2013 13:08:52 +0000
1676+
1677+apache2 (2.4.6-2ubuntu1) saucy; urgency=low
1678+
1679+ * Merge from Debian unstable. Remaining changes:
1680+ - debian/{control, rules}: Enable PIE hardening.
1681+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1682+ apache2.dirs}: Add ufw profiles.
1683+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1684+ - debian/control, debian/config-dir/mods-available/ssl.conf,
1685+ debian/ask-for-passphrase, debian/apache2.install: Plymouth aware
1686+ passphrase dialog program ask-for-passphrase.
1687+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
1688+ to configure.
1689+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes
1690+ from upstream
1691+ * Dropped changes:
1692+ - debian/patches/CVE-2013-1896.patch: upstream
1693+ * Fixed module dependencies (LP: #1205314)
1694+ - debian/config-dir/mods-available/lbmethod_*: properly specify
1695+ proxy_balancer, not mod_proxy_balancer.
1696+
1697+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Jul 2013 08:31:33 -0400
1698+
1699 apache2 (2.4.6-2) unstable; urgency=low
1700
1701 [ Stefan Fritsch ]
1702@@ -1216,6 +2505,56 @@ apache2 (2.4.6-1) unstable; urgency=low
1703
1704 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +0200
1705
1706+apache2 (2.4.4-6ubuntu5) saucy; urgency=low
1707+
1708+ * SECURITY UPDATE: denial of service via MERGE request
1709+ - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
1710+ in modules/dav/main/mod_dav.c.
1711+ - CVE-2013-1896
1712+
1713+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Jul 2013 11:20:47 -0400
1714+
1715+apache2 (2.4.4-6ubuntu4) saucy; urgency=low
1716+
1717+ * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to
1718+ apache2-bin. apache2-utils is only suggested by apache2, so may not
1719+ always be installed by bug reporters. However, apache2-bin will always
1720+ need to be installed for Apache to be functional, so this is a better
1721+ place for the apport hook. apache2-bin already Conflicts/Replaces
1722+ apache2.2-common, so this also fixes (LP: #1199318).
1723+ * d/apache2.py: adjust apport hook for new location of configuration
1724+ files in apache2 >= 2.4: they have moved from apache2.2-common to
1725+ apache2.
1726+
1727+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 17 Jul 2013 17:54:22 +0000
1728+
1729+apache2 (2.4.4-6ubuntu3) saucy; urgency=low
1730+
1731+ * Build using lua5.2.
1732+
1733+ -- Matthias Klose <doko@ubuntu.com> Wed, 17 Jul 2013 14:24:42 +0200
1734+
1735+apache2 (2.4.4-6ubuntu2) saucy; urgency=low
1736+
1737+ * debian/rules: Fix FTBFS while installing ufw.
1738+
1739+ -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 10:10:14 -0500
1740+
1741+apache2 (2.4.4-6ubuntu1) saucy; urgency=low
1742+
1743+ * Merge from Debian unstable. Remaining changes:
1744+ - debian/{control, rules}: Enable PIE hardening.
1745+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1746+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1747+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1748+ Plymouth aware passphrase dialog program ask-for-passphrase.
1749+ * Dropped changes:
1750+ - debian/patches/CVE-2012-2687.patch: Dropped no longer needed.
1751+ - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed.
1752+ - debian/patches/CVE-2012-4929.patch: Dropped no longer needed.
1753+
1754+ -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 08:34:01 -0500
1755+
1756 apache2 (2.4.4-6) unstable; urgency=low
1757
1758 * Denote exact versions breaking gnome-user-share now that Gnome maintainers
1759@@ -1687,6 +3026,122 @@ apache2 (2.4.1-1) experimental; urgency=low
1760
1761 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +0100
1762
1763+apache2 (2.2.22-6ubuntu5) raring; urgency=low
1764+
1765+ * SECURITY UPDATE: multiple cross-site scripting issues
1766+ - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
1767+ modules/generators/{mod_info.c,mod_status.c},
1768+ modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
1769+ modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
1770+ - CVE-2012-3499
1771+ - CVE-2012-4558
1772+ * SECURITY UPDATE: symlink attack in apache2ctl script
1773+ - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
1774+ - Thanks to Stefan Fritsch for the fix.
1775+ - CVE-2013-1048
1776+
1777+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 15 Mar 2013 07:59:58 -0400
1778+
1779+apache2 (2.2.22-6ubuntu4) raring; urgency=low
1780+
1781+ * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
1782+ * Skip module sanity check between MPMs if cross-building without the
1783+ kernel/binfmt support to run our target binaries on the build system.
1784+ * Backport several cross fixes from upstream as 086_svn_cross_compiles.
1785+
1786+ -- Adam Conrad <adconrad@ubuntu.com> Wed, 05 Dec 2012 02:21:46 -0700
1787+
1788+apache2 (2.2.22-6ubuntu3) raring; urgency=low
1789+
1790+ * SECURITY UPDATE: XSS vulnerability in mod_negotiation
1791+ - debian/patches/CVE-2012-2687.patch: escape filenames in
1792+ modules/mappers/mod_negotiation.c.
1793+ - CVE-2012-2687
1794+ * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
1795+ - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
1796+ directive. Defaults to off as enabling compression enables the CRIME
1797+ attack.
1798+ - CVE-2012-4929
1799+
1800+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 08 Nov 2012 17:56:24 -0500
1801+
1802+apache2 (2.2.22-6ubuntu2) quantal; urgency=low
1803+
1804+ * debian/apache2.py
1805+ - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171)
1806+ - Check if this directory exists: /etc/apache2/sites-enabled/
1807+
1808+ -- Matthieu Baerts (matttbe) <matttbe@gmail.com> Mon, 16 Jul 2012 10:02:18 +0200
1809+
1810+apache2 (2.2.22-6ubuntu1) quantal; urgency=low
1811+
1812+ * Merge from Debian unstable. Remaining changes:
1813+ - debian/{control, rules}: Enable PIE hardening.
1814+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1815+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1816+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1817+ Plymouth aware passphrase dialog program ask-for-passphrase.
1818+ * Dropped changes:
1819+ - debian/control: Add bzr tag and point it to our tree; this is not
1820+ really required and just increases the delta.
1821+
1822+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 08 Jun 2012 11:37:31 +0100
1823+
1824+apache2 (2.2.22-6) unstable; urgency=low
1825+
1826+ [ Stefan Fritsch ]
1827+ * Fix regression causing apache2 to cache "206 partial content" responses,
1828+ and then serving these partial responses when replying to normal requests.
1829+ Closes: #671204
1830+ * Add section to security.conf that shows how to forbid access to VCS
1831+ directories. Closes: #548213
1832+ * Update ssl default cipher config, add alternative speed optimized config.
1833+ Closes: #649020
1834+ * Add "AddCharset" for .brf files in default mod_mime config.
1835+ Closes: #402567
1836+ * Don't create httpd.conf anymore and don't include it in apache2.conf. If
1837+ it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
1838+ * Port some of the comments in apache2.conf from the 2.4 package.
1839+ * Compile mod_version statically, drop associated module load file.
1840+ * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
1841+ configtest.
1842+ * Note in README.Debian that future versions of the package will have the
1843+ include statements changed to include only *.conf.
1844+ * Change compiled-in document root to /var/www, to avoid strange error
1845+ messages.
1846+ * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
1847+
1848+ [ Arno Töll ]
1849+ * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
1850+ to override LDFLAGS at compile time by defining LDLAGS in the environment,
1851+ just like it is possible for CFLAGS. This also means, config_vars.mk now
1852+ exports hardening build flags by default.
1853+ * Update doc-base metadata for the apache2-doc package.
1854+
1855+ -- Stefan Fritsch <sf@debian.org> Tue, 29 May 2012 22:05:48 +0200
1856+
1857+apache2 (2.2.22-5) unstable; urgency=low
1858+
1859+ * Make LoadFile and LoadModule look in the standard search paths if the
1860+ dso file name is given as a pure filename. This helps with the multi-arch
1861+ transition.
1862+
1863+ -- Stefan Fritsch <sf@debian.org> Mon, 30 Apr 2012 23:38:33 +0200
1864+
1865+apache2 (2.2.22-4) unstable; urgency=high
1866+
1867+ * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
1868+ hosts' config files.
1869+ If scripting modules like mod_php or mod_rivet are enabled on systems
1870+ where either 1) some frontend server forwards connections to an apache2
1871+ backend server on the localhost address, or 2) the machine running
1872+ apache2 is also used for web browsing, this could allow a remote
1873+ attacker to execute example scripts stored under /usr/share/doc.
1874+ Depending on the installed packages, this could lead to issues like cross
1875+ site scripting, code execution, or leakage of sensitive data.
1876+
1877+ -- Stefan Fritsch <sf@debian.org> Sun, 15 Apr 2012 23:41:43 +0200
1878+
1879 apache2 (2.2.22-3) unstable; urgency=low
1880
1881 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
1882@@ -1707,6 +3162,18 @@ apache2 (2.2.22-2) unstable; urgency=low
1883
1884 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +0100
1885
1886+apache2 (2.2.22-1ubuntu1) precise; urgency=low
1887+
1888+ * Merge from Debian testing. Remaining changes:
1889+ - debian/{control, rules}: Enable PIE hardening.
1890+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1891+ - debian/control: Add bzr tag and point it to our tree
1892+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1893+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1894+ Plymouth aware passphrase dialog program ask-for-passphrase.
1895+
1896+ -- Chuck Short <zulcss@ubuntu.com> Sun, 12 Feb 2012 20:06:35 -0500
1897+
1898 apache2 (2.2.22-1) unstable; urgency=low
1899
1900 [ Stefan Fritsch ]
1901@@ -1724,6 +3191,18 @@ apache2 (2.2.22-1) unstable; urgency=low
1902
1903 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +0100
1904
1905+apache2 (2.2.21-5ubuntu1) precise; urgency=low
1906+
1907+ * Merge from Debian testing. Remaining changes:
1908+ - debian/{control, rules}: Enable PIE hardening.
1909+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1910+ - debian/control: Add bzr tag and point it to our tree
1911+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1912+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1913+ Plymouth aware passphrase dialog program ask-for-passphrase.
1914+
1915+ -- Chuck Short <zulcss@ubuntu.com> Mon, 09 Jan 2012 06:26:31 +0000
1916+
1917 apache2 (2.2.21-5) unstable; urgency=low
1918
1919 [ Arno Töll ]
1920@@ -1777,6 +3256,26 @@ apache2 (2.2.21-4) unstable; urgency=low
1921
1922 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +0100
1923
1924+apache2 (2.2.21-3ubuntu2) precise; urgency=low
1925+
1926+ * d/ask-for-passphrase: Flip the logic of this script so that it checks
1927+ first to see if apache is being started from a TTY, and then if not,
1928+ tries plymouth. (LP: #887410)
1929+
1930+ -- Clint Byrum <clint@ubuntu.com> Tue, 06 Dec 2011 16:49:33 -0800
1931+
1932+apache2 (2.2.21-3ubuntu1) precise; urgency=low
1933+
1934+ * Merge from Debian testing. Remaining changes:
1935+ - debian/{control, rules}: Enable PIE hardening.
1936+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1937+ - debian/control: Add bzr tag and point it to our tree
1938+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1939+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1940+ Plymouth aware passphrase dialog program ask-for-passphrase.
1941+
1942+ -- Chuck Short <zulcss@ubuntu.com> Fri, 09 Dec 2011 05:20:43 +0000
1943+
1944 apache2 (2.2.21-3) unstable; urgency=medium
1945
1946 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
1947@@ -1791,6 +3290,24 @@ apache2 (2.2.21-3) unstable; urgency=medium
1948
1949 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +0100
1950
1951+apache2 (2.2.21-2ubuntu2) precise; urgency=low
1952+
1953+ * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
1954+
1955+ -- Adam Conrad <adconrad@ubuntu.com> Fri, 02 Dec 2011 17:36:28 -0700
1956+
1957+apache2 (2.2.21-2ubuntu1) precise; urgency=low
1958+
1959+ * Merge from debian unstable. Remaining changes:
1960+ - debian/{control, rules}: Enable PIE hardening.
1961+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1962+ - debian/control: Add bzr tag and point it to our tree
1963+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1964+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1965+ Plymouth aware passphrase dialog program ask-for-passphrase.
1966+
1967+ -- Chuck Short <zulcss@ubuntu.com> Fri, 14 Oct 2011 16:01:29 +0000
1968+
1969 apache2 (2.2.21-2) unstable; urgency=high
1970
1971 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
1972@@ -1808,6 +3325,19 @@ apache2 (2.2.21-1) unstable; urgency=low
1973
1974 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +0200
1975
1976+apache2 (2.2.20-1ubuntu1) oneiric; urgency=low
1977+
1978+ * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
1979+ Remaining changes:
1980+ - debian/{control, rules}: Enable PIE hardening.
1981+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1982+ - debian/control: Add bzr tag and point it to our tree
1983+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1984+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1985+ Plymouth aware passphrase dialog program ask-for-passphrase.
1986+
1987+ -- Steve Beattie <sbeattie@ubuntu.com> Tue, 06 Sep 2011 01:17:15 -0700
1988+
1989 apache2 (2.2.20-1) unstable; urgency=low
1990
1991 * New upstream release.
1992@@ -1830,6 +3360,18 @@ apache2 (2.2.19-2) unstable; urgency=high
1993
1994 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +0200
1995
1996+apache2 (2.2.19-1ubuntu1) oneiric; urgency=low
1997+
1998+ * Merge from debian unstable (LP: #787013). Remaining changes:
1999+ - debian/{control, rules}: Enable PIE hardening.
2000+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2001+ - debian/control: Add bzr tag and point it to our tree
2002+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2003+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2004+ Plymouth aware passphrase dialog program ask-for-passphrase.
2005+
2006+ -- Andres Rodriguez <andreserl@ubuntu.com> Mon, 23 May 2011 10:16:09 -0400
2007+
2008 apache2 (2.2.19-1) unstable; urgency=low
2009
2010 * New upstream release.
2011@@ -1847,6 +3389,18 @@ apache2 (2.2.19-1) unstable; urgency=low
2012
2013 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +0200
2014
2015+apache2 (2.2.17-3ubuntu1) oneiric; urgency=low
2016+
2017+ * Merge from debian unstable. Remaining changes:
2018+ - debian/{control, rules}: Enable PIE hardening.
2019+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2020+ - debian/control: Add bzr tag and point it to our tree
2021+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
2022+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2023+ Plymouth aware passphrase dialog program ask-for-passphrase.
2024+
2025+ -- Chuck Short <zulcss@ubuntu.com> Mon, 11 Apr 2011 02:13:30 +0100
2026+
2027 apache2 (2.2.17-3) unstable; urgency=low
2028
2029 * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
2030@@ -1873,6 +3427,18 @@ apache2 (2.2.17-2) unstable; urgency=high
2031
2032 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +0100
2033
2034+apache2 (2.2.17-1ubuntu1) natty; urgency=low
2035+
2036+ * Merge from debian unstable, remaining changes:
2037+ - debian/{control, rules}: Enable PIE hardening.
2038+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2039+ - debian/control: Add bzr tag and point it to our tree
2040+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
2041+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2042+ Plymouth aware passphrase dialog program ask-for-passphrase.
2043+
2044+ -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Feb 2011 13:02:08 -0500
2045+
2046 apache2 (2.2.17-1) unstable; urgency=low
2047
2048 * New upstream version
2049@@ -1881,6 +3447,32 @@ apache2 (2.2.17-1) unstable; urgency=low
2050
2051 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +0100
2052
2053+apache2 (2.2.16-6ubuntu3) natty; urgency=low
2054+
2055+ * debian/rules: Don't use "-fno-strict-aliasing" since it causes
2056+ apache FTBFS on amd64. (LP: #711293)
2057+
2058+ -- Chuck Short <zulcss@ubuntu.com> Tue, 01 Feb 2011 10:19:55 -0500
2059+
2060+apache2 (2.2.16-6ubuntu2) natty; urgency=low
2061+
2062+ * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug.
2063+ (LP: #697105)
2064+
2065+ -- Chuck Short <zulcss@ubuntu.com> Tue, 25 Jan 2011 11:14:58 -0500
2066+
2067+apache2 (2.2.16-6ubuntu1) natty; urgency=low
2068+
2069+ * Merge from debian unstable. Remaining changes:
2070+ - debian/{control, rules}: Enable PIE hardening.
2071+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2072+ - debian/control: Add bzr tag and point it to our tree
2073+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
2074+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2075+ Plymouth aware passphrase dialog program ask-for-passphrase.
2076+
2077+ -- Chuck Short <zulcss@ubuntu.com> Sun, 02 Jan 2011 06:05:51 +0000
2078+
2079 apache2 (2.2.16-6) unstable; urgency=low
2080
2081 * Also add $named to the secondary-init-script example.
2082@@ -1896,6 +3488,30 @@ apache2 (2.2.16-5) unstable; urgency=medium
2083
2084 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +0100
2085
2086+apache2 (2.2.16-4ubuntu2) natty; urgency=low
2087+
2088+ [Clint Byrum]
2089+ * Adding plymouth aware passphrase dialog program ask-for-passphrase.
2090+ (LP: #582963)
2091+ + debian/control: apache2.2-common depends on bash for ask-for-passphrase
2092+ + debian/config-dir/mods-available/ssl.conf:
2093+ - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase
2094+
2095+ [Chuck Short]
2096+ * Add apport hook. (LP: #609177)
2097+ + debian/apache2.py, debian/apache2.2-common.install
2098+
2099+ -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:43 -0500
2100+
2101+apache2 (2.2.16-4ubuntu1) natty; urgency=low
2102+
2103+ * Merge from debian unstable. Remaining changes:
2104+ - debian/{control, rules}: Enable PIE hardening.
2105+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2106+ - debian/control: Add bzr tag and point it to our tree
2107+
2108+ -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:41 -0500
2109+
2110 apache2 (2.2.16-4) unstable; urgency=medium
2111
2112 * Increase the mod_reqtimeout default timeouts to avoid potential problems
2113@@ -1906,6 +3522,15 @@ apache2 (2.2.16-4) unstable; urgency=medium
2114
2115 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +0100
2116
2117+apache2 (2.2.16-3ubuntu1) natty; urgency=low
2118+
2119+ * Merge from debian unstable. Remaining changes:
2120+ - debian/{control, rules}: Enable PIE hardening.
2121+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2122+ - debian/control: Add bzr tag and point it to our tree.
2123+
2124+ -- Chuck Short <zulcss@ubuntu.com> Tue, 12 Oct 2010 11:54:48 +0100
2125+
2126 apache2 (2.2.16-3) unstable; urgency=high
2127
2128 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
2129@@ -1928,6 +3553,30 @@ apache2 (2.2.16-2) unstable; urgency=low
2130
2131 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +0200
2132
2133+apache2 (2.2.16-1ubuntu3) maverick; urgency=low
2134+
2135+ * Revert "stty sane" to unbreak apache starting, this will have to be
2136+ fixed a different way. (LP: #626723)
2137+
2138+ -- Chuck Short <zulcss@ubuntu.com> Wed, 08 Sep 2010 08:33:17 -0400
2139+
2140+apache2 (2.2.16-1ubuntu2) maverick; urgency=low
2141+
2142+ * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a
2143+ password prompt when using apache-ssl. (LP: #582963)
2144+
2145+ -- Chuck Short <zulcss@ubuntu.com> Wed, 25 Aug 2010 09:25:05 -0400
2146+
2147+apache2 (2.2.16-1ubuntu1) maverick; urgency=low
2148+
2149+ * Merge from debian unstable. Remaining changes:
2150+ - debian/{control, rules}: Enable PIE hardening.
2151+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2152+ - debian/control: Add bzr tag and point it to our tree.
2153+ - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
2154+
2155+ -- Chuck Short <zulcss@ubuntu.com> Mon, 26 Jul 2010 20:21:37 +0100
2156+
2157 apache2 (2.2.16-1) unstable; urgency=medium
2158
2159 * Urgency medium for security fix.
2160@@ -1960,6 +3609,24 @@ apache2 (2.2.15-6) unstable; urgency=low
2161
2162 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +0200
2163
2164+apache2 (2.2.15-5ubuntu1) maverick; urgency=low
2165+
2166+ * Merge from debian unstable. Remaining changes:
2167+ - debian/{control, rules}: Enable PIE hardening.
2168+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2169+ - debian/control: Add bzr tag and point it to our tree.
2170+ - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
2171+ + Dropped:
2172+ - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
2173+ - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
2174+ - debian/config-dir/apache2.conf: Merged back from debian.
2175+ - mod-reqtimeout functionality: Merge back from debian.
2176+ - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
2177+ - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
2178+ - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.
2179+
2180+ -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 01:28:04 +0100
2181+
2182 apache2 (2.2.15-5) unstable; urgency=low
2183
2184 * Conflict with apache package as we now include apachectl. Closes: #579065
2185@@ -2080,6 +3747,80 @@ apache2 (2.2.14-6) unstable; urgency=low
2186
2187 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +0100
2188
2189+apache2 (2.2.14-5ubuntu8) lucid; urgency=low
2190+
2191+ * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
2192+ (LP: #562370)
2193+
2194+ -- Chuck Short <zulcss@ubuntu.com> Tue, 13 Apr 2010 15:09:57 -0400
2195+
2196+apache2 (2.2.14-5ubuntu7) lucid; urgency=low
2197+
2198+ * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
2199+ leaks by making sure to not destroy bucket brigades that have been created
2200+ by earlier filters. Backported from 2.2.15.
2201+ * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
2202+ has reached MaxClients until it has. Backported from 2.2.15
2203+ * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
2204+ more secure by adding Satisfy all. (Debian bug: #572075)
2205+ * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
2206+ debian/config2-dir/mods-available/reqtimeout.load,
2207+ debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the
2208+ mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
2209+ bug in apache. Enable it by default. (LP: #392759)
2210+
2211+ -- Chuck Short <zulcss@ubuntu.com> Mon, 05 Apr 2010 09:53:35 -0400
2212+
2213+apache2 (2.2.14-5ubuntu6) lucid; urgency=low
2214+
2215+ * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)
2216+
2217+ -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 09:41:11 -0400
2218+
2219+apache2 (2.2.14-5ubuntu5) lucid; urgency=low
2220+
2221+ * Revert 99-fix-mod-dav-permissions.dpatch
2222+
2223+ -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 07:55:46 -0400
2224+
2225+apache2 (2.2.14-5ubuntu4) lucid; urgency=low
2226+
2227+ * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when
2228+ downloading files from webdav (LP: #540747)
2229+ * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)
2230+
2231+ -- Chuck Short <zulcss@ubuntu.com> Mon, 29 Mar 2010 13:37:39 -0400
2232+
2233+apache2 (2.2.14-5ubuntu3) lucid; urgency=low
2234+
2235+ * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
2236+ - debian/patches/204_CVE-2010-0408.dpatch: return the right error code
2237+ in modules/proxy/mod_proxy_ajp.c.
2238+ - CVE-2010-0408
2239+ * SECURITY UPDATE: information disclosure via improper handling of
2240+ headers in subrequests
2241+ - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in
2242+ in server/protocol.c.
2243+ - CVE-2010-0434
2244+
2245+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Mar 2010 14:48:48 -0500
2246+
2247+apache2 (2.2.14-5ubuntu2) lucid; urgency=low
2248+
2249+ * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really
2250+ wacky options. (LP: #450501)
2251+
2252+ -- Chuck Short <zulcss@ubuntu.com> Mon, 08 Mar 2010 14:53:17 -0500
2253+
2254+apache2 (2.2.14-5ubuntu1) lucid; urgency=low
2255+
2256+ * Merge from debian testing. Remaining changes: LP: #506862
2257+ - debian/{control, rules}: Enable PIE hardening.
2258+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2259+ - debian/control: Add bzr tag and point it to our tree.
2260+
2261+ -- Bhavani Shankar <right2bhavi@gmail.com> Wed, 13 Jan 2010 14:28:41 +0530
2262+
2263 apache2 (2.2.14-5) unstable; urgency=low
2264
2265 * Security: Further mitigation for the TLS renegotation attack
2266@@ -2103,6 +3844,15 @@ apache2 (2.2.14-5) unstable; urgency=low
2267
2268 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +0100
2269
2270+apache2 (2.2.14-4ubuntu1) lucid; urgency=low
2271+
2272+ * Resynchronzie with Debian, remaining changes are:
2273+ - debian/{control, rules}: Enable PIE hardening.
2274+ - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
2275+ - debian/control: Add bzr tag and point it to our tree.
2276+
2277+ -- Chuck Short <zulcss@ubuntu.com> Wed, 23 Dec 2009 14:44:51 -0500
2278+
2279 apache2 (2.2.14-4) unstable; urgency=low
2280
2281 * Disable localized error pages again by default because they break
2282@@ -2153,6 +3903,17 @@ apache2 (2.2.14-2) unstable; urgency=medium
2283
2284 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +0100
2285
2286+apache2 (2.2.14-1ubuntu1) lucid; urgency=low
2287+
2288+ * Merge from debian testing, remaining changes:
2289+ - debian/{control, rules}: Enable PIE hardening.
2290+ - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
2291+ - debian/conrol: Add bzr tag and point it to our tree.
2292+ - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
2293+ Already applied upstream.
2294+
2295+ -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 00:29:03 +0000
2296+
2297 apache2 (2.2.14-1) unstable; urgency=low
2298
2299 * New upstream version:
2300@@ -2187,6 +3948,24 @@ apache2 (2.2.13-1) unstable; urgency=low
2301
2302 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +0200
2303
2304+apache2 (2.2.12-1ubuntu2) karmic; urgency=low
2305+
2306+ * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
2307+ - Fix potential segfaults with the use of the legacy ap_rputs() etc
2308+ interfaces, in cases where an output filter fails. This happens
2309+ frequently after CVE-2009-1891 got fixed. (LP: #409987)
2310+
2311+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 17 Aug 2009 15:38:47 -0400
2312+
2313+apache2 (2.2.12-1ubuntu1) karmic; urgency=low
2314+
2315+ * Merge from debian unstable, remaining changes:
2316+ - debian/{control,rules}: enable PIE hardening.
2317+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2318+ - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.
2319+
2320+ -- Chuck Short <zulcss@ubuntu.com> Tue, 04 Aug 2009 20:04:24 +0100
2321+
2322 apache2 (2.2.12-1) unstable; urgency=low
2323
2324 * New upstream release:
2325@@ -2234,6 +4013,16 @@ apache2 (2.2.12-1) unstable; urgency=low
2326
2327 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +0200
2328
2329+apache2 (2.2.11-7ubuntu1) karmic; urgency=low
2330+
2331+ * Merge from debian unstable, remaining changes: LP: #398130
2332+ - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
2333+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2334+ - debian/{control,rules}: enable PIE hardening.
2335+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2336+
2337+ -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 11 Jul 2009 16:34:32 +0530
2338+
2339 apache2 (2.2.11-7) unstable; urgency=low
2340
2341 * Security fixes:
2342@@ -2248,6 +4037,16 @@ apache2 (2.2.11-7) unstable; urgency=low
2343
2344 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +0200
2345
2346+apache2 (2.2.11-6ubuntu1) karmic; urgency=low
2347+
2348+ * Merge from debian unstable, remaining changes:
2349+ - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
2350+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2351+ - debian/{control,rules}: enable PIE hardening.
2352+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2353+
2354+ -- Chuck Short <zulcss@ubuntu.com> Tue, 09 Jun 2009 01:01:23 +0100
2355+
2356 apache2 (2.2.11-6) unstable; urgency=high
2357
2358 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
2359@@ -2256,6 +4055,16 @@ apache2 (2.2.11-6) unstable; urgency=high
2360
2361 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +0200
2362
2363+apache2 (2.2.11-5ubuntu1) karmic; urgency=low
2364+
2365+ * Merge from debian unstable, remaining changes:
2366+ - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2367+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2368+ - debian/{control,rules}: enable PIE hardening.
2369+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2370+
2371+ -- Andrew Mitchell <ajmitch@ubuntu.com> Wed, 03 Jun 2009 14:10:54 +1200
2372+
2373 apache2 (2.2.11-5) unstable; urgency=low
2374
2375 * Move all binaries into a new package apache2.2-bin and make
2376@@ -2304,6 +4113,16 @@ apache2 (2.2.11-4) unstable; urgency=low
2377
2378 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +0200
2379
2380+apache2 (2.2.11-3ubuntu1) karmic; urgency=low
2381+
2382+ * Merge from debian unstable, remaining changes:
2383+ - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2384+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2385+ - debian/{control,rules}: enable PIE hardening.
2386+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2387+
2388+ -- Andrew Mitchell <ajmitch@ubuntu.com> Tue, 12 May 2009 16:15:34 +1200
2389+
2390 apache2 (2.2.11-3) unstable; urgency=low
2391
2392 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
2393@@ -2312,6 +4131,21 @@ apache2 (2.2.11-3) unstable; urgency=low
2394
2395 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +0200
2396
2397+apache2 (2.2.11-2ubuntu2) jaunty; urgency=low
2398+
2399+ * debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2400+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2401+
2402+ -- Chuck Short <zulcss@ubuntu.com> Wed, 01 Apr 2009 11:39:17 -0400
2403+
2404+apache2 (2.2.11-2ubuntu1) jaunty; urgency=low
2405+
2406+ * Merge from debian unstable, remaining changes:
2407+ - debian/{contro,rules}: enable PIE hardening.
2408+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2409+
2410+ -- Chuck Short <zulcss@ubuntu.com> Sat, 17 Jan 2009 00:02:55 +0000
2411+
2412 apache2 (2.2.11-2) unstable; urgency=low
2413
2414 * Report an error instead instead of segfaulting when apr_pollset_create
2415@@ -2321,6 +4155,14 @@ apache2 (2.2.11-2) unstable; urgency=low
2416
2417 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +0100
2418
2419+apache2 (2.2.11-1ubuntu1) jaunty; urgency=low
2420+
2421+ * Merge from debian unstable, remaining changes:
2422+ - debian/{control, rules}: enable PIE hardening.
2423+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2424+
2425+ -- Chuck Short <zulcss@ubuntu.com> Mon, 15 Dec 2008 00:06:50 +0000
2426+
2427 apache2 (2.2.11-1) unstable; urgency=low
2428
2429 [Thom May]
2430@@ -2335,6 +4177,14 @@ apache2 (2.2.11-1) unstable; urgency=low
2431
2432 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +0100
2433
2434+apache2 (2.2.9-11ubuntu1) jaunty; urgency=low
2435+
2436+ * Merge from debian unstable, remaining changes: (LP: #303375)
2437+ - debian/{control, rules}: enable PIE hardening.
2438+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2439+
2440+ -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 29 Nov 2008 14:02:31 +0530
2441+
2442 apache2 (2.2.9-11) unstable; urgency=low
2443
2444 * Regression fix from upstream svn for mod_proxy:
2445@@ -2349,6 +4199,14 @@ apache2 (2.2.9-11) unstable; urgency=low
2446
2447 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +0100
2448
2449+apache2 (2.2.9-10ubuntu1) jaunty; urgency=low
2450+
2451+ * Merge from debian unstable, remaining changes:
2452+ - debian/{control, rules}: enable PIE hardening.
2453+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2454+
2455+ -- Chuck Short <zulcss@ubuntu.com> Wed, 05 Nov 2008 02:23:18 -0400
2456+
2457 apache2 (2.2.9-10) unstable; urgency=low
2458
2459 * Regression fix from upstream svn for mod_proxy_http:
2460@@ -2379,6 +4237,27 @@ apache2 (2.2.9-8) unstable; urgency=low
2461
2462 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +0200
2463
2464+apache2 (2.2.9-7ubuntu3) intrepid; urgency=low
2465+
2466+ * Revert logrotate change since it will break it for everyone.
2467+
2468+ -- Chuck Short <zulcss@ubuntu.com> Fri, 19 Sep 2008 09:32:01 -0400
2469+
2470+apache2 (2.2.9-7ubuntu2) intrepid; urgency=low
2471+
2472+ * debian/logrotate: Restart rather than reload for busy websites.
2473+ (LP: #270899)
2474+
2475+ -- Chuck Short <zulcss@ubuntu.com> Thu, 18 Sep 2008 08:42:22 -0400
2476+
2477+apache2 (2.2.9-7ubuntu1) intrepid; urgency=low
2478+
2479+ * Merge from debian unstable, remaining changes:
2480+ - debian/{control,rules}: enable PIE hardening.
2481+ - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles.
2482+
2483+ -- Kees Cook <kees@ubuntu.com> Thu, 28 Aug 2008 08:10:59 -0700
2484+
2485 apache2 (2.2.9-7) unstable; urgency=low
2486
2487 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).
2488@@ -2421,6 +4300,23 @@ apache2 (2.2.9-4) unstable; urgency=low
2489
2490 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +0200
2491
2492+apache2 (2.2.9-3ubuntu2) intrepid; urgency=low
2493+
2494+ * add ufw integration (see
2495+ https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages)
2496+ (LP: #261198)
2497+ - debian/control: suggest ufw for apache2.2-common
2498+ - add apache2.2-common.ufw.profile with 3 profiles and install it to
2499+ /etc/ufw/applications.d/apache2.2-common
2500+
2501+ -- Didier Roche <didrocks@ubuntu-fr.org> Tue, 26 Aug 2008 19:03:42 +0200
2502+
2503+apache2 (2.2.9-3ubuntu1) intrepid; urgency=low
2504+
2505+ * debian/{control,rules}: enable PIE hardening
2506+
2507+ -- Kees Cook <kees@ubuntu.com> Wed, 20 Aug 2008 15:45:00 -0700
2508+
2509 apache2 (2.2.9-3) unstable; urgency=low
2510
2511 [ Stefan Fritsch ]
2512@@ -3991,9 +5887,7 @@ apache2 (2.0.37-1) unstable; urgency=low
2513 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +0100
2514
2515 apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low
2516-
2517 * New upstream release
2518-
2519 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +0100
2520
2521 apache2 (2.0.36-2) unstable; urgency=low
2522@@ -4501,3 +6395,4 @@ apache2 (2.0.18-1) unstable; urgency=low
2523 * Initial Release.
2524
2525 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +1000
2526+
2527diff --git a/debian/control b/debian/control
2528index 5465d60..ed2c254 100644
2529--- a/debian/control
2530+++ b/debian/control
2531@@ -1,5 +1,6 @@
2532 Source: apache2
2533-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
2534+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
2535+XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
2536 Uploaders: Stefan Fritsch <sf@debian.org>,
2537 Arno Töll <arno@debian.org>,
2538 Ondřej Surý <ondrej@debian.org>,
2539@@ -44,7 +45,12 @@ Depends: apache2-bin (= ${binary:Version}),
2540 Recommends: ssl-cert
2541 Suggests: apache2-doc,
2542 apache2-suexec-pristine | apache2-suexec-custom,
2543+<<<<<<< debian/control
2544 www-browser
2545+=======
2546+ www-browser,
2547+ ufw
2548+>>>>>>> debian/control
2549 Pre-Depends: ${misc:Pre-Depends}
2550 Conflicts: apache2.2-bin,
2551 apache2.2-common
2552diff --git a/debian/icons/ubuntu-logo.png b/debian/icons/ubuntu-logo.png
2553new file mode 100644
2554index 0000000..4db2fa1
2555Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ
2556diff --git a/debian/index.html b/debian/index.html
2557index 766401d..96ed444 100644
2558--- a/debian/index.html
2559+++ b/debian/index.html
2560@@ -1,9 +1,14 @@
2561
2562 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2563 <html xmlns="http://www.w3.org/1999/xhtml">
2564+ <!--
2565+ Modified from the Debian original for Ubuntu
2566+ Last updated: 2016-11-16
2567+ See: https://launchpad.net/bugs/1288690
2568+ -->
2569 <head>
2570 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
2571- <title>Apache2 Debian Default Page: It works</title>
2572+ <title>Apache2 Ubuntu Default Page: It works</title>
2573 <style type="text/css" media="screen">
2574 * {
2575 margin: 0px 0px 0px 0px;
2576@@ -188,9 +193,9 @@
2577 <body>
2578 <div class="main_page">
2579 <div class="page_header floating_element">
2580- <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/>
2581+ <img src="/icons/ubuntu-logo.png" alt="Ubuntu Logo" class="floating_element"/>
2582 <span class="floating_element">
2583- Apache2 Debian Default Page
2584+ Apache2 Ubuntu Default Page
2585 </span>
2586 </div>
2587 <!-- <div class="table_of_contents floating_element">
2588@@ -221,7 +226,9 @@
2589 <div class="content_section_text">
2590 <p>
2591 This is the default welcome page used to test the correct
2592- operation of the Apache2 server after installation on Debian systems.
2593+ operation of the Apache2 server after installation on Ubuntu systems.
2594+ It is based on the equivalent page on Debian, from which the Ubuntu Apache
2595+ packaging is derived.
2596 If you can read this page, it means that the Apache HTTP server installed at
2597 this site is working properly. You should <b>replace this file</b> (located at
2598 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.
2599@@ -242,9 +249,9 @@
2600 </div>
2601 <div class="content_section_text">
2602 <p>
2603- Debian's Apache2 default configuration is different from the
2604+ Ubuntu's Apache2 default configuration is different from the
2605 upstream default configuration, and split into several files optimized for
2606- interaction with Debian tools. The configuration system is
2607+ interaction with Ubuntu tools. The configuration system is
2608 <b>fully documented in
2609 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full
2610 documentation. Documentation for the web server itself can be
2611@@ -253,7 +260,7 @@
2612
2613 </p>
2614 <p>
2615- The configuration layout for an Apache2 web server installation on Debian systems is as follows:
2616+ The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:
2617 </p>
2618 <pre>
2619 /etc/apache2/
2620@@ -324,7 +331,7 @@
2621
2622 <div class="content_section_text">
2623 <p>
2624- By default, Debian does not allow access through the web browser to
2625+ By default, Ubuntu does not allow access through the web browser to
2626 <em>any</em> file apart of those located in <tt>/var/www</tt>,
2627 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
2628 directories (when enabled) and <tt>/usr/share</tt> (for web
2629@@ -333,7 +340,7 @@
2630 document root directory in <tt>/etc/apache2/apache2.conf</tt>.
2631 </p>
2632 <p>
2633- The default Debian document root is <tt>/var/www/html</tt>. You
2634+ The default Ubuntu document root is <tt>/var/www/html</tt>. You
2635 can make your own virtual hosts under /var/www. This is different
2636 to previous releases which provides better security out of the box.
2637 </p>
2638@@ -345,9 +352,9 @@
2639 </div>
2640 <div class="content_section_text">
2641 <p>
2642- Please use the <tt>reportbug</tt> tool to report bugs in the
2643- Apache2 package with Debian. However, check <a
2644- href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"
2645+ Please use the <tt>ubuntu-bug</tt> tool to report bugs in the
2646+ Apache2 package with Ubuntu. However, check <a
2647+ href="https://bugs.launchpad.net/ubuntu/+source/apache2"
2648 rel="nofollow">existing bug reports</a> before reporting a new bug.
2649 </p>
2650 <p>
2651diff --git a/debian/patches/series b/debian/patches/series
2652index ed0c2ec..b6bc836 100644
2653--- a/debian/patches/series
2654+++ b/debian/patches/series
2655@@ -11,3 +11,16 @@ fix-macro.patch
2656
2657 # This patch is applied manually
2658 #suexec-custom.patch
2659+<<<<<<< debian/patches/series
2660+=======
2661+support-openssl3-001.patch
2662+support-openssl3-002.patch
2663+support-openssl3-003.patch
2664+support-openssl3-004.patch
2665+support-openssl3-005.patch
2666+support-openssl3-006.patch
2667+support-openssl3-007.patch
2668+support-openssl3-008.patch
2669+support-openssl3-009.patch
2670+support-openssl3-010.patch
2671+>>>>>>> debian/patches/series
2672diff --git a/debian/patches/support-openssl3-001.patch b/debian/patches/support-openssl3-001.patch
2673new file mode 100644
2674index 0000000..d7d386d
2675--- /dev/null
2676+++ b/debian/patches/support-openssl3-001.patch
2677@@ -0,0 +1,88 @@
2678+From: Joe Orton <jorton@redhat.com>
2679+Date: Mon, 26 Jul 2021 12:23:24 +0100
2680+Subject: add some log messages and AP_DEBUG_ASSERTs for functions that should
2681+ never be called
2682+
2683+Submitted by: sf
2684+
2685+
2686+Forwarded: yes, https://github.com/apache/httpd/pull/258
2687+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
2688+---
2689+ modules/ssl/ssl_engine_io.c | 28 ++++++++++++++++++++++++++++
2690+ 1 file changed, 28 insertions(+)
2691+
2692+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
2693+index cabf753..ed9db54 100644
2694+--- a/modules/ssl/ssl_engine_io.c
2695++++ b/modules/ssl/ssl_engine_io.c
2696+@@ -194,6 +194,10 @@ static int bio_filter_destroy(BIO *bio)
2697+ static int bio_filter_out_read(BIO *bio, char *out, int outl)
2698+ {
2699+ /* this is never called */
2700++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
2701++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
2702++ "BUG: %s() should not be called", "bio_filter_out_read");
2703++ AP_DEBUG_ASSERT(0);
2704+ return -1;
2705+ }
2706+
2707+@@ -293,12 +297,20 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
2708+ static int bio_filter_out_gets(BIO *bio, char *buf, int size)
2709+ {
2710+ /* this is never called */
2711++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
2712++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
2713++ "BUG: %s() should not be called", "bio_filter_out_gets");
2714++ AP_DEBUG_ASSERT(0);
2715+ return -1;
2716+ }
2717+
2718+ static int bio_filter_out_puts(BIO *bio, const char *str)
2719+ {
2720+ /* this is never called */
2721++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
2722++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
2723++ "BUG: %s() should not be called", "bio_filter_out_puts");
2724++ AP_DEBUG_ASSERT(0);
2725+ return -1;
2726+ }
2727+
2728+@@ -533,21 +545,37 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
2729+
2730+ static int bio_filter_in_write(BIO *bio, const char *in, int inl)
2731+ {
2732++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
2733++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
2734++ "BUG: %s() should not be called", "bio_filter_in_write");
2735++ AP_DEBUG_ASSERT(0);
2736+ return -1;
2737+ }
2738+
2739+ static int bio_filter_in_puts(BIO *bio, const char *str)
2740+ {
2741++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
2742++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
2743++ "BUG: %s() should not be called", "bio_filter_in_puts");
2744++ AP_DEBUG_ASSERT(0);
2745+ return -1;
2746+ }
2747+
2748+ static int bio_filter_in_gets(BIO *bio, char *buf, int size)
2749+ {
2750++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
2751++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
2752++ "BUG: %s() should not be called", "bio_filter_in_gets");
2753++ AP_DEBUG_ASSERT(0);
2754+ return -1;
2755+ }
2756+
2757+ static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
2758+ {
2759++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
2760++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
2761++ "BUG: %s() should not be called", "bio_filter_in_ctrl");
2762++ AP_DEBUG_ASSERT(0);
2763+ return -1;
2764+ }
2765+
2766diff --git a/debian/patches/support-openssl3-002.patch b/debian/patches/support-openssl3-002.patch
2767new file mode 100644
2768index 0000000..3a56106
2769--- /dev/null
2770+++ b/debian/patches/support-openssl3-002.patch
2771@@ -0,0 +1,345 @@
2772+From: Joe Orton <jorton@redhat.com>
2773+Date: Mon, 26 Jul 2021 12:24:24 +0100
2774+Subject: mod_ssl: add compatibility with OpenSSL 3.0.0
2775+
2776+Wrappers around deprecated API:
2777+* X509_STORE_load_locations() => modssl_X509_STORE_load_locations(),
2778+* CTX_load_verify_locations() => modssl_CTX_load_verify_locations(),
2779+* ERR_peek_error_line_data() => modssl_ERR_peek_error_data(),
2780+* DH_bits(dh) => BN_num_bits(DH_get0_p(dh)).
2781+
2782+Provide a compatible version of ssl_callback_SessionTicket() which does not
2783+use the deprecated HMAC_CTX and HMAC_Init_ex(), replaced by EVP_MAC_CTX and
2784+EVP_MAC_CTX_set_params() respectively. This requires adapting struct
2785+modssl_ticket_key_t to replace hmac_secret[] with OSSL_PARAM mac_params[],
2786+created once at load time still.
2787+The callback is registered by SSL_CTX_set_tlsext_ticket_key_evp_cb() instead
2788+of SSL_CTX_set_tlsext_ticket_key_cb().
2789+
2790+Since BIO_eof() may now be called openssl-3 state machine, the never-called
2791+assertion in bio_filter_in_ctrl() does not hold anymore, and we have to
2792+handle BIO_CTRL_EOF. For any other cmd, we continue to AP_DEBUG_ASSERT(0) and
2793+log an error, yet the return value is changed from -1 to 0 which is the usual
2794+unhandled value.
2795+
2796+Note that OpenSSL 3.0.0 is still in alpha stage as of now, the API shouldn't
2797+change though, neither breakage to 1.x.x API.
2798+
2799+Submitted by: ylavic
2800+
2801+
2802+Forwarded: yes, https://github.com/apache/httpd/pull/258
2803+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
2804+---
2805+ modules/ssl/ssl_engine_init.c | 76 ++++++++++++++++++++++++++++++++---------
2806+ modules/ssl/ssl_engine_io.c | 17 ++++++---
2807+ modules/ssl/ssl_engine_kernel.c | 22 ++++++++++--
2808+ modules/ssl/ssl_engine_log.c | 12 ++++++-
2809+ modules/ssl/ssl_private.h | 19 +++++++++--
2810+ 5 files changed, 120 insertions(+), 26 deletions(-)
2811+
2812+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
2813+index 4da24ed..eb41e7f 100644
2814+--- a/modules/ssl/ssl_engine_init.c
2815++++ b/modules/ssl/ssl_engine_init.c
2816+@@ -843,6 +843,23 @@ static void ssl_init_ctx_callbacks(server_rec *s,
2817+ #endif
2818+ }
2819+
2820++static APR_INLINE
2821++int modssl_CTX_load_verify_locations(SSL_CTX *ctx,
2822++ const char *file,
2823++ const char *path)
2824++{
2825++#if OPENSSL_VERSION_NUMBER < 0x30000000L
2826++ if (!SSL_CTX_load_verify_locations(ctx, file, path))
2827++ return 0;
2828++#else
2829++ if (file && !SSL_CTX_load_verify_file(ctx, file))
2830++ return 0;
2831++ if (path && !SSL_CTX_load_verify_dir(ctx, path))
2832++ return 0;
2833++#endif
2834++ return 1;
2835++}
2836++
2837+ static apr_status_t ssl_init_ctx_verify(server_rec *s,
2838+ apr_pool_t *p,
2839+ apr_pool_t *ptemp,
2840+@@ -883,10 +900,8 @@ static apr_status_t ssl_init_ctx_verify(server_rec *s,
2841+ ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
2842+ "Configuring client authentication");
2843+
2844+- if (!SSL_CTX_load_verify_locations(ctx,
2845+- mctx->auth.ca_cert_file,
2846+- mctx->auth.ca_cert_path))
2847+- {
2848++ if (!modssl_CTX_load_verify_locations(ctx, mctx->auth.ca_cert_file,
2849++ mctx->auth.ca_cert_path)) {
2850+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895)
2851+ "Unable to configure verify locations "
2852+ "for client authentication");
2853+@@ -971,6 +986,23 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
2854+ return APR_SUCCESS;
2855+ }
2856+
2857++static APR_INLINE
2858++int modssl_X509_STORE_load_locations(X509_STORE *store,
2859++ const char *file,
2860++ const char *path)
2861++{
2862++#if OPENSSL_VERSION_NUMBER < 0x30000000L
2863++ if (!X509_STORE_load_locations(store, file, path))
2864++ return 0;
2865++#else
2866++ if (file && !X509_STORE_load_file(store, file))
2867++ return 0;
2868++ if (path && !X509_STORE_load_path(store, path))
2869++ return 0;
2870++#endif
2871++ return 1;
2872++}
2873++
2874+ static apr_status_t ssl_init_ctx_crl(server_rec *s,
2875+ apr_pool_t *p,
2876+ apr_pool_t *ptemp,
2877+@@ -1009,8 +1041,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
2878+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
2879+ "Configuring certificate revocation facility");
2880+
2881+- if (!store || !X509_STORE_load_locations(store, mctx->crl_file,
2882+- mctx->crl_path)) {
2883++ if (!store || modssl_X509_STORE_load_locations(store, mctx->crl_file,
2884++ mctx->crl_path)) {
2885+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
2886+ "Host %s: unable to configure X.509 CRL storage "
2887+ "for certificate revocation", mctx->sc->vhost_id);
2888+@@ -1249,7 +1281,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
2889+ const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
2890+ int i;
2891+ X509 *cert;
2892+- DH *dhparams;
2893++ DH *dh;
2894+ #ifdef HAVE_ECC
2895+ EC_GROUP *ecparams = NULL;
2896+ int nid;
2897+@@ -1434,12 +1466,12 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
2898+ */
2899+ certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
2900+ if (certfile && !modssl_is_engine_id(certfile)
2901+- && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
2902+- SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
2903++ && (dh = ssl_dh_GetParamFromFile(certfile))) {
2904++ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
2905+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
2906+ "Custom DH parameters (%d bits) for %s loaded from %s",
2907+- DH_bits(dhparams), vhost_id, certfile);
2908+- DH_free(dhparams);
2909++ BN_num_bits(DH_get0_p(dh)), vhost_id, certfile);
2910++ DH_free(dh);
2911+ }
2912+
2913+ #ifdef HAVE_ECC
2914+@@ -1490,6 +1522,7 @@ static apr_status_t ssl_init_ticket_key(server_rec *s,
2915+ char buf[TLSEXT_TICKET_KEY_LEN];
2916+ char *path;
2917+ modssl_ticket_key_t *ticket_key = mctx->ticket_key;
2918++ int res;
2919+
2920+ if (!ticket_key->file_path) {
2921+ return APR_SUCCESS;
2922+@@ -1517,11 +1550,22 @@ static apr_status_t ssl_init_ticket_key(server_rec *s,
2923+ }
2924+
2925+ memcpy(ticket_key->key_name, buf, 16);
2926+- memcpy(ticket_key->hmac_secret, buf + 16, 16);
2927+ memcpy(ticket_key->aes_key, buf + 32, 16);
2928+-
2929+- if (!SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
2930+- ssl_callback_SessionTicket)) {
2931++#if OPENSSL_VERSION_NUMBER < 0x30000000L
2932++ memcpy(ticket_key->hmac_secret, buf + 16, 16);
2933++ res = SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
2934++ ssl_callback_SessionTicket);
2935++#else
2936++ ticket_key->mac_params[0] =
2937++ OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16);
2938++ ticket_key->mac_params[1] =
2939++ OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0);
2940++ ticket_key->mac_params[2] =
2941++ OSSL_PARAM_construct_end();
2942++ res = SSL_CTX_set_tlsext_ticket_key_evp_cb(mctx->ssl_ctx,
2943++ ssl_callback_SessionTicket);
2944++#endif
2945++ if (!res) {
2946+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913)
2947+ "Unable to initialize TLS session ticket key callback "
2948+ "(incompatible OpenSSL version?)");
2949+@@ -1652,7 +1696,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
2950+ return ssl_die(s);
2951+ }
2952+
2953+- X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
2954++ modssl_X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
2955+
2956+ for (n = 0; n < ncerts; n++) {
2957+ int i;
2958+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
2959+index ed9db54..f7e5cfc 100644
2960+--- a/modules/ssl/ssl_engine_io.c
2961++++ b/modules/ssl/ssl_engine_io.c
2962+@@ -572,11 +572,20 @@ static int bio_filter_in_gets(BIO *bio, char *buf, int size)
2963+
2964+ static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
2965+ {
2966+- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
2967++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
2968++ switch (cmd) {
2969++#ifdef BIO_CTRL_EOF
2970++ case BIO_CTRL_EOF:
2971++ return inctx->rc == APR_EOF;
2972++#endif
2973++ default:
2974++ break;
2975++ }
2976+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
2977+- "BUG: %s() should not be called", "bio_filter_in_ctrl");
2978++ "BUG: bio_filter_in_ctrl() should not be called with cmd=%i",
2979++ cmd);
2980+ AP_DEBUG_ASSERT(0);
2981+- return -1;
2982++ return 0;
2983+ }
2984+
2985+ #if MODSSL_USE_OPENSSL_PRE_1_1_API
2986+@@ -601,7 +610,7 @@ static BIO_METHOD bio_filter_in_method = {
2987+ bio_filter_in_read,
2988+ bio_filter_in_puts, /* puts is never called */
2989+ bio_filter_in_gets, /* gets is never called */
2990+- bio_filter_in_ctrl, /* ctrl is never called */
2991++ bio_filter_in_ctrl, /* ctrl is called for EOF check */
2992+ bio_filter_create,
2993+ bio_filter_destroy,
2994+ NULL
2995+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
2996+index b99dcf1..f2d49ad 100644
2997+--- a/modules/ssl/ssl_engine_kernel.c
2998++++ b/modules/ssl/ssl_engine_kernel.c
2999+@@ -2614,7 +2614,11 @@ int ssl_callback_SessionTicket(SSL *ssl,
3000+ unsigned char *keyname,
3001+ unsigned char *iv,
3002+ EVP_CIPHER_CTX *cipher_ctx,
3003+- HMAC_CTX *hctx,
3004++#if OPENSSL_VERSION_NUMBER < 0x30000000L
3005++ HMAC_CTX *hmac_ctx,
3006++#else
3007++ EVP_MAC_CTX *mac_ctx,
3008++#endif
3009+ int mode)
3010+ {
3011+ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
3012+@@ -2641,7 +2645,13 @@ int ssl_callback_SessionTicket(SSL *ssl,
3013+ }
3014+ EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
3015+ ticket_key->aes_key, iv);
3016+- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
3017++
3018++#if OPENSSL_VERSION_NUMBER < 0x30000000L
3019++ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
3020++ tlsext_tick_md(), NULL);
3021++#else
3022++ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
3023++#endif
3024+
3025+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289)
3026+ "TLS session ticket key for %s successfully set, "
3027+@@ -2662,7 +2672,13 @@ int ssl_callback_SessionTicket(SSL *ssl,
3028+
3029+ EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
3030+ ticket_key->aes_key, iv);
3031+- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
3032++
3033++#if OPENSSL_VERSION_NUMBER < 0x30000000L
3034++ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
3035++ tlsext_tick_md(), NULL);
3036++#else
3037++ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
3038++#endif
3039+
3040+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290)
3041+ "TLS session ticket key for %s successfully set, "
3042+diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
3043+index 7dbbbdb..3b3ceac 100644
3044+--- a/modules/ssl/ssl_engine_log.c
3045++++ b/modules/ssl/ssl_engine_log.c
3046+@@ -78,6 +78,16 @@ apr_status_t ssl_die(server_rec *s)
3047+ return APR_EGENERAL;
3048+ }
3049+
3050++static APR_INLINE
3051++unsigned long modssl_ERR_peek_error_data(const char **data, int *flags)
3052++{
3053++#if OPENSSL_VERSION_NUMBER < 0x30000000L
3054++ return ERR_peek_error_line_data(NULL, NULL, data, flags);
3055++#else
3056++ return ERR_peek_error_data(data, flags);
3057++#endif
3058++}
3059++
3060+ /*
3061+ * Prints the SSL library error information.
3062+ */
3063+@@ -87,7 +97,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
3064+ const char *data;
3065+ int flags;
3066+
3067+- while ((e = ERR_peek_error_line_data(NULL, NULL, &data, &flags))) {
3068++ while ((e = modssl_ERR_peek_error_data(&data, &flags))) {
3069+ const char *annotation;
3070+ char err[256];
3071+
3072+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
3073+index a6fc751..71d658c 100644
3074+--- a/modules/ssl/ssl_private.h
3075++++ b/modules/ssl/ssl_private.h
3076+@@ -89,6 +89,9 @@
3077+ /* must be defined before including ssl.h */
3078+ #define OPENSSL_NO_SSL_INTERN
3079+ #endif
3080++#if OPENSSL_VERSION_NUMBER >= 0x30000000
3081++#include <openssl/core_names.h>
3082++#endif
3083+ #include <openssl/ssl.h>
3084+ #include <openssl/err.h>
3085+ #include <openssl/x509.h>
3086+@@ -674,7 +677,11 @@ typedef struct {
3087+ typedef struct {
3088+ const char *file_path;
3089+ unsigned char key_name[16];
3090++#if OPENSSL_VERSION_NUMBER < 0x30000000L
3091+ unsigned char hmac_secret[16];
3092++#else
3093++ OSSL_PARAM mac_params[3];
3094++#endif
3095+ unsigned char aes_key[16];
3096+ } modssl_ticket_key_t;
3097+ #endif
3098+@@ -938,8 +945,16 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
3099+ int ssl_callback_ClientHello(SSL *, int *, void *);
3100+ #endif
3101+ #ifdef HAVE_TLS_SESSION_TICKETS
3102+-int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
3103+- EVP_CIPHER_CTX *, HMAC_CTX *, int);
3104++int ssl_callback_SessionTicket(SSL *ssl,
3105++ unsigned char *keyname,
3106++ unsigned char *iv,
3107++ EVP_CIPHER_CTX *cipher_ctx,
3108++#if OPENSSL_VERSION_NUMBER < 0x30000000L
3109++ HMAC_CTX *hmac_ctx,
3110++#else
3111++ EVP_MAC_CTX *mac_ctx,
3112++#endif
3113++ int mode);
3114+ #endif
3115+
3116+ #ifdef HAVE_TLS_ALPN
3117diff --git a/debian/patches/support-openssl3-003.patch b/debian/patches/support-openssl3-003.patch
3118new file mode 100644
3119index 0000000..06906a9
3120--- /dev/null
3121+++ b/debian/patches/support-openssl3-003.patch
3122@@ -0,0 +1,48 @@
3123+From: Joe Orton <jorton@redhat.com>
3124+Date: Mon, 26 Jul 2021 12:24:27 +0100
3125+Subject: mod_ssl: follow up to r1876934: wrap DH_bits()
3126+
3127+DH_get0_p() seems to be undefined for some openssl versions, so it can't
3128+be used to implement DH_bits() generically.
3129+
3130+Add new a modssl_DH_bits() wrapper to call DH_bits() for openssl < 3,
3131+and BN_num_bits(DH_get0_p(dh)) otherwise.
3132+
3133+Submitted by: ylavic
3134+
3135+
3136+Forwarded: yes, https://github.com/apache/httpd/pull/258
3137+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
3138+---
3139+ modules/ssl/ssl_engine_init.c | 11 ++++++++++-
3140+ 1 file changed, 10 insertions(+), 1 deletion(-)
3141+
3142+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
3143+index eb41e7f..a2da916 100644
3144+--- a/modules/ssl/ssl_engine_init.c
3145++++ b/modules/ssl/ssl_engine_init.c
3146+@@ -1271,6 +1271,15 @@ static int ssl_no_passwd_prompt_cb(char *buf, int size, int rwflag,
3147+ return 0;
3148+ }
3149+
3150++static APR_INLINE int modssl_DH_bits(DH *dh)
3151++{
3152++#if OPENSSL_VERSION_NUMBER < 0x30000000L
3153++ return DH_bits(dh);
3154++#else
3155++ return BN_num_bits(DH_get0_p(dh));
3156++#endif
3157++}
3158++
3159+ static apr_status_t ssl_init_server_certs(server_rec *s,
3160+ apr_pool_t *p,
3161+ apr_pool_t *ptemp,
3162+@@ -1470,7 +1479,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
3163+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
3164+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
3165+ "Custom DH parameters (%d bits) for %s loaded from %s",
3166+- BN_num_bits(DH_get0_p(dh)), vhost_id, certfile);
3167++ modssl_DH_bits(dh), vhost_id, certfile);
3168+ DH_free(dh);
3169+ }
3170+
3171diff --git a/debian/patches/support-openssl3-004.patch b/debian/patches/support-openssl3-004.patch
3172new file mode 100644
3173index 0000000..5566eaf
3174--- /dev/null
3175+++ b/debian/patches/support-openssl3-004.patch
3176@@ -0,0 +1,56 @@
3177+From: Joe Orton <jorton@redhat.com>
3178+Date: Mon, 26 Jul 2021 12:24:46 +0100
3179+Subject: * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Fix use of
3180+ encrypted private keys with OpenSSL 3.0.
3181+
3182+* test/travis_run_linux.sh: For TEST_SSL, test loading encrypted
3183+ private keys.
3184+
3185+Github: closes #{197}
3186+
3187+Submitted by: jorton
3188+
3189+
3190+Forwarded: yes, https://github.com/apache/httpd/pull/258
3191+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
3192+---
3193+ modules/ssl/ssl_engine_init.c | 19 +++++++++++++++++--
3194+ 1 file changed, 17 insertions(+), 2 deletions(-)
3195+
3196+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
3197+index a2da916..2f3a120 100644
3198+--- a/modules/ssl/ssl_engine_init.c
3199++++ b/modules/ssl/ssl_engine_init.c
3200+@@ -1280,6 +1280,22 @@ static APR_INLINE int modssl_DH_bits(DH *dh)
3201+ #endif
3202+ }
3203+
3204++/* SSL_CTX_use_PrivateKey_file() can fail either because the private
3205++ * key was encrypted, or due to a mismatch between an already-loaded
3206++ * cert and the key - a common misconfiguration - from calling
3207++ * X509_check_private_key(). This macro is passed the last error code
3208++ * off the OpenSSL stack and evaluates to true only for the first
3209++ * case. With OpenSSL < 3 the second case is identifiable by the
3210++ * function code, but function codes are not used from 3.0. */
3211++#if OPENSSL_VERSION_NUMBER < 0x30000000L
3212++#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)
3213++#else
3214++#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \
3215++ || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
3216++ && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
3217++ && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE))
3218++#endif
3219++
3220+ static apr_status_t ssl_init_server_certs(server_rec *s,
3221+ apr_pool_t *p,
3222+ apr_pool_t *ptemp,
3223+@@ -1385,8 +1401,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
3224+ }
3225+ else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
3226+ SSL_FILETYPE_PEM) < 1)
3227+- && (ERR_GET_FUNC(ERR_peek_last_error())
3228+- != X509_F_X509_CHECK_PRIVATE_KEY)) {
3229++ && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) {
3230+ ssl_asn1_t *asn1;
3231+ const unsigned char *ptr;
3232+
3233diff --git a/debian/patches/support-openssl3-005.patch b/debian/patches/support-openssl3-005.patch
3234new file mode 100644
3235index 0000000..5c6ebe8
3236--- /dev/null
3237+++ b/debian/patches/support-openssl3-005.patch
3238@@ -0,0 +1,121 @@
3239+From: Joe Orton <jorton@redhat.com>
3240+Date: Mon, 26 Jul 2021 12:25:36 +0100
3241+Subject: mod_ssl: Switch to using OpenSSL's automatic internal DH parameter
3242+ generation from OpenSSL 1.1.0 and later. The SSL_set_tmp_dh_callback() API
3243+ is deprecated from OpenSSL 3.0 onwards. Should not be a user-visible change
3244+ (except mod_ssl gets smaller).
3245+
3246+* modules/ssl/ssl_private.h,
3247+ modules/ssl/ssl_engine_kernel.c,
3248+ modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks):
3249+ Drop internal DH parameter generation and callback for OpenSSL 1.1+,
3250+ use SSL_CTX_set_dh_auto(, 1) instead.
3251+
3252+Github: closes #188
3253+Reviewed by: rpluem
3254+
3255+Submitted by: jorton
3256+
3257+
3258+Forwarded: yes, https://github.com/apache/httpd/pull/258
3259+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
3260+---
3261+ modules/ssl/ssl_engine_init.c | 14 ++++++++++----
3262+ modules/ssl/ssl_engine_kernel.c | 2 ++
3263+ modules/ssl/ssl_private.h | 2 ++
3264+ 3 files changed, 14 insertions(+), 4 deletions(-)
3265+
3266+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
3267+index 2f3a120..d0ef4ba 100644
3268+--- a/modules/ssl/ssl_engine_init.c
3269++++ b/modules/ssl/ssl_engine_init.c
3270+@@ -91,7 +91,6 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
3271+
3272+ return 1;
3273+ }
3274+-#endif
3275+
3276+ /*
3277+ * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
3278+@@ -171,6 +170,7 @@ DH *modssl_get_dh_params(unsigned keylen)
3279+
3280+ return NULL; /* impossible to reach. */
3281+ }
3282++#endif
3283+
3284+ static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
3285+ server_rec *s)
3286+@@ -440,8 +440,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
3287+
3288+ modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
3289+
3290++#if MODSSL_USE_OPENSSL_PRE_1_1_API
3291+ init_dh_params();
3292+-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
3293++#else
3294+ init_bio_methods();
3295+ #endif
3296+
3297+@@ -834,7 +835,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
3298+ {
3299+ SSL_CTX *ctx = mctx->ssl_ctx;
3300+
3301++#if MODSSL_USE_OPENSSL_PRE_1_1_API
3302+ SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
3303++#else
3304++ SSL_CTX_set_dh_auto(ctx, 1);
3305++#endif
3306+
3307+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
3308+
3309+@@ -2317,10 +2322,11 @@ apr_status_t ssl_init_ModuleKill(void *data)
3310+
3311+ }
3312+
3313+-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
3314++#if MODSSL_USE_OPENSSL_PRE_1_1_API
3315++ free_dh_params();
3316++#else
3317+ free_bio_methods();
3318+ #endif
3319+- free_dh_params();
3320+
3321+ return APR_SUCCESS;
3322+ }
3323+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
3324+index f2d49ad..aced92d 100644
3325+--- a/modules/ssl/ssl_engine_kernel.c
3326++++ b/modules/ssl/ssl_engine_kernel.c
3327+@@ -1685,6 +1685,7 @@ const authz_provider ssl_authz_provider_verify_client =
3328+ ** _________________________________________________________________
3329+ */
3330+
3331++#if MODSSL_USE_OPENSSL_PRE_1_1_API
3332+ /*
3333+ * Hand out standard DH parameters, based on the authentication strength
3334+ */
3335+@@ -1730,6 +1731,7 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
3336+
3337+ return modssl_get_dh_params(keylen);
3338+ }
3339++#endif
3340+
3341+ /*
3342+ * This OpenSSL callback function is called when OpenSSL
3343+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
3344+index 71d658c..b74d956 100644
3345+--- a/modules/ssl/ssl_private.h
3346++++ b/modules/ssl/ssl_private.h
3347+@@ -1127,10 +1127,12 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
3348+
3349+ #endif
3350+
3351++#if MODSSL_USE_OPENSSL_PRE_1_1_API
3352+ /* Retrieve DH parameters for given key length. Return value should
3353+ * be treated as unmutable, since it is stored in process-global
3354+ * memory. */
3355+ DH *modssl_get_dh_params(unsigned keylen);
3356++#endif
3357+
3358+ /* Returns non-zero if the request was made over SSL/TLS. If sslconn
3359+ * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
3360diff --git a/debian/patches/support-openssl3-006.patch b/debian/patches/support-openssl3-006.patch
3361new file mode 100644
3362index 0000000..33e0c1f
3363--- /dev/null
3364+++ b/debian/patches/support-openssl3-006.patch
3365@@ -0,0 +1,33 @@
3366+From: Joe Orton <jorton@redhat.com>
3367+Date: Mon, 26 Jul 2021 12:29:32 +0100
3368+Subject: fix build with LibreSSL [Yann Ylavic] Github issue #188
3369+
3370+Submitted by: gbechis
3371+
3372+
3373+Forwarded: yes, https://github.com/apache/httpd/pull/258
3374+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
3375+---
3376+ modules/ssl/ssl_private.h | 5 ++---
3377+ 1 file changed, 2 insertions(+), 3 deletions(-)
3378+
3379+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
3380+index b74d956..b091c58 100644
3381+--- a/modules/ssl/ssl_private.h
3382++++ b/modules/ssl/ssl_private.h
3383+@@ -137,13 +137,12 @@
3384+ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
3385+ #define SSL_CTX_set_max_proto_version(ctx, version) \
3386+ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
3387+-#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
3388++#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
3389+ /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
3390+ * include most changes from OpenSSL >= 1.1 (new functions, macros,
3391+ * deprecations, ...), so we have to work around this...
3392+ */
3393+-#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
3394+-#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
3395++#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
3396+ #else /* defined(LIBRESSL_VERSION_NUMBER) */
3397+ #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
3398+ #endif
3399diff --git a/debian/patches/support-openssl3-007.patch b/debian/patches/support-openssl3-007.patch
3400new file mode 100644
3401index 0000000..6f760b8
3402--- /dev/null
3403+++ b/debian/patches/support-openssl3-007.patch
3404@@ -0,0 +1,72 @@
3405+From: Joe Orton <jorton@redhat.com>
3406+Date: Mon, 26 Jul 2021 14:15:28 +0100
3407+Subject: Support for OpenSSL 1.1.0: - BIO was made opaque after OpenSSL
3408+ 1.1.0pre4.
3409+
3410+Submitted by: rjung
3411+
3412+
3413+Forwarded: yes, https://github.com/apache/httpd/pull/258
3414+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
3415+---
3416+ modules/ssl/ssl_engine_io.c | 12 ++++++------
3417+ 1 file changed, 6 insertions(+), 6 deletions(-)
3418+
3419+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
3420+index f7e5cfc..3db7077 100644
3421+--- a/modules/ssl/ssl_engine_io.c
3422++++ b/modules/ssl/ssl_engine_io.c
3423+@@ -194,7 +194,7 @@ static int bio_filter_destroy(BIO *bio)
3424+ static int bio_filter_out_read(BIO *bio, char *out, int outl)
3425+ {
3426+ /* this is never called */
3427+- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
3428++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
3429+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
3430+ "BUG: %s() should not be called", "bio_filter_out_read");
3431+ AP_DEBUG_ASSERT(0);
3432+@@ -297,7 +297,7 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
3433+ static int bio_filter_out_gets(BIO *bio, char *buf, int size)
3434+ {
3435+ /* this is never called */
3436+- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
3437++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
3438+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
3439+ "BUG: %s() should not be called", "bio_filter_out_gets");
3440+ AP_DEBUG_ASSERT(0);
3441+@@ -307,7 +307,7 @@ static int bio_filter_out_gets(BIO *bio, char *buf, int size)
3442+ static int bio_filter_out_puts(BIO *bio, const char *str)
3443+ {
3444+ /* this is never called */
3445+- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
3446++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
3447+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
3448+ "BUG: %s() should not be called", "bio_filter_out_puts");
3449+ AP_DEBUG_ASSERT(0);
3450+@@ -545,7 +545,7 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
3451+
3452+ static int bio_filter_in_write(BIO *bio, const char *in, int inl)
3453+ {
3454+- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
3455++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
3456+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
3457+ "BUG: %s() should not be called", "bio_filter_in_write");
3458+ AP_DEBUG_ASSERT(0);
3459+@@ -554,7 +554,7 @@ static int bio_filter_in_write(BIO *bio, const char *in, int inl)
3460+
3461+ static int bio_filter_in_puts(BIO *bio, const char *str)
3462+ {
3463+- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
3464++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
3465+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
3466+ "BUG: %s() should not be called", "bio_filter_in_puts");
3467+ AP_DEBUG_ASSERT(0);
3468+@@ -563,7 +563,7 @@ static int bio_filter_in_puts(BIO *bio, const char *str)
3469+
3470+ static int bio_filter_in_gets(BIO *bio, char *buf, int size)
3471+ {
3472+- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
3473++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
3474+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
3475+ "BUG: %s() should not be called", "bio_filter_in_gets");
3476+ AP_DEBUG_ASSERT(0);
3477diff --git a/debian/patches/support-openssl3-008.patch b/debian/patches/support-openssl3-008.patch
3478new file mode 100644
3479index 0000000..d04497f
3480--- /dev/null
3481+++ b/debian/patches/support-openssl3-008.patch
3482@@ -0,0 +1,29 @@
3483+From: Joe Orton <jorton@redhat.com>
3484+Date: Wed, 28 Jul 2021 12:28:59 +0100
3485+Subject: mod_ssl: follow up to r1876934: fix
3486+ !modssl_X509_STORE_load_locations() logic.
3487+
3488+Submitted by: ylavic
3489+
3490+
3491+Forwarded: yes, https://github.com/apache/httpd/pull/258
3492+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
3493+---
3494+ modules/ssl/ssl_engine_init.c | 4 ++--
3495+ 1 file changed, 2 insertions(+), 2 deletions(-)
3496+
3497+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
3498+index d0ef4ba..5d199cd 100644
3499+--- a/modules/ssl/ssl_engine_init.c
3500++++ b/modules/ssl/ssl_engine_init.c
3501+@@ -1046,8 +1046,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
3502+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
3503+ "Configuring certificate revocation facility");
3504+
3505+- if (!store || modssl_X509_STORE_load_locations(store, mctx->crl_file,
3506+- mctx->crl_path)) {
3507++ if (!store || !modssl_X509_STORE_load_locations(store, mctx->crl_file,
3508++ mctx->crl_path)) {
3509+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
3510+ "Host %s: unable to configure X.509 CRL storage "
3511+ "for certificate revocation", mctx->sc->vhost_id);
3512diff --git a/debian/patches/support-openssl3-009.patch b/debian/patches/support-openssl3-009.patch
3513new file mode 100644
3514index 0000000..01687e9
3515--- /dev/null
3516+++ b/debian/patches/support-openssl3-009.patch
3517@@ -0,0 +1,36 @@
3518+From: Joe Orton <jorton@redhat.com>
3519+Date: Mon, 4 Oct 2021 14:26:49 +0100
3520+Subject: * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): For OpenSSL
3521+ 1.1+,
3522+ disable auto DH parameter selection if parameters have been manually
3523+ configured. This fixes a regression in r1890067 after which manually
3524+ configured parameters are ignored.
3525+
3526+Submitted by: jorton
3527+
3528+
3529+Forwarded: yes, https://github.com/apache/httpd/pull/258
3530+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
3531+---
3532+ modules/ssl/ssl_engine_init.c | 7 +++++++
3533+ 1 file changed, 7 insertions(+)
3534+
3535+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
3536+index 5d199cd..3986ba7 100644
3537+--- a/modules/ssl/ssl_engine_init.c
3538++++ b/modules/ssl/ssl_engine_init.c
3539+@@ -1496,7 +1496,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
3540+ certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
3541+ if (certfile && !modssl_is_engine_id(certfile)
3542+ && (dh = ssl_dh_GetParamFromFile(certfile))) {
3543++ /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
3544++ * for OpenSSL 3.0+. */
3545+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
3546++#if !MODSSL_USE_OPENSSL_PRE_1_1_API
3547++ /* OpenSSL ignores manually configured DH params if automatic
3548++ * selection if enabled, so disable auto selection here. */
3549++ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 0);
3550++#endif
3551+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
3552+ "Custom DH parameters (%d bits) for %s loaded from %s",
3553+ modssl_DH_bits(dh), vhost_id, certfile);
3554diff --git a/debian/patches/support-openssl3-010.patch b/debian/patches/support-openssl3-010.patch
3555new file mode 100644
3556index 0000000..2791e96
3557--- /dev/null
3558+++ b/debian/patches/support-openssl3-010.patch
3559@@ -0,0 +1,54 @@
3560+From: Joe Orton <jorton@redhat.com>
3561+Date: Tue, 12 Oct 2021 13:48:55 +0100
3562+Subject: * modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks,
3563+ ssl_init_server_certs): Flip logic for enabling/disabling DH auto
3564+ parameter selection for OpenSSL 1.1+ to be simpler and consistent with
3565+ auto ECDH curve selection.
3566+
3567+
3568+Forwarded: yes, https://github.com/apache/httpd/pull/258
3569+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
3570+---
3571+ modules/ssl/ssl_engine_init.c | 16 +++++++++-------
3572+ 1 file changed, 9 insertions(+), 7 deletions(-)
3573+
3574+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
3575+index 3986ba7..f440a37 100644
3576+--- a/modules/ssl/ssl_engine_init.c
3577++++ b/modules/ssl/ssl_engine_init.c
3578+@@ -836,9 +836,9 @@ static void ssl_init_ctx_callbacks(server_rec *s,
3579+ SSL_CTX *ctx = mctx->ssl_ctx;
3580+
3581+ #if MODSSL_USE_OPENSSL_PRE_1_1_API
3582++ /* Note that for OpenSSL>=1.1, auto selection is enabled via
3583++ * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */
3584+ SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
3585+-#else
3586+- SSL_CTX_set_dh_auto(ctx, 1);
3587+ #endif
3588+
3589+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
3590+@@ -1499,16 +1499,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
3591+ /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
3592+ * for OpenSSL 3.0+. */
3593+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
3594+-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
3595+- /* OpenSSL ignores manually configured DH params if automatic
3596+- * selection if enabled, so disable auto selection here. */
3597+- SSL_CTX_set_dh_auto(mctx->ssl_ctx, 0);
3598+-#endif
3599+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
3600+ "Custom DH parameters (%d bits) for %s loaded from %s",
3601+ modssl_DH_bits(dh), vhost_id, certfile);
3602+ DH_free(dh);
3603+ }
3604++#if !MODSSL_USE_OPENSSL_PRE_1_1_API
3605++ else {
3606++ /* If no parameter is manually configured, enable auto
3607++ * selection. */
3608++ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
3609++ }
3610++#endif
3611+
3612+ #ifdef HAVE_ECC
3613+ /*
3614diff --git a/debian/source/include-binaries b/debian/source/include-binaries
3615index d617b1d..823d9c0 100644
3616--- a/debian/source/include-binaries
3617+++ b/debian/source/include-binaries
3618@@ -17,6 +17,7 @@ debian/icons/odf6otp-20x22.png
3619 debian/icons/odf6ots-20x22.png
3620 debian/icons/odf6ott-20x22.png
3621 debian/icons/openlogo-75.png
3622+debian/icons/ubuntu-logo.png
3623 debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml
3624 debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php
3625 debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml

Subscribers

People subscribed via source and target branches