Merge ~bryce/ubuntu/+source/apache2:merge-v2.4.51-2-jammy into ubuntu/+source/apache2:debian/sid

Proposed by Bryce Harrington
Status: Merged
Merge reported by: Bryce Harrington
Merged at revision: e249e4c816da6f89181fa734e8f324ed03a10eef
Proposed branch: ~bryce/ubuntu/+source/apache2:merge-v2.4.51-2-jammy
Merge into: ubuntu/+source/apache2:debian/sid
Diff against target: 3625 lines (+2918/-33) (has conflicts)
22 files modified
debian/apache2-bin.install (+1/-0)
debian/apache2-utils.ufw.profile (+14/-0)
debian/apache2.dirs (+1/-0)
debian/apache2.install (+1/-0)
debian/apache2.postrm (+1/-0)
debian/apache2.py (+48/-0)
debian/apache2ctl (+33/-18)
debian/changelog (+1897/-2)
debian/control (+7/-1)
debian/index.html (+19/-12)
debian/patches/series (+13/-0)
debian/patches/support-openssl3-001.patch (+88/-0)
debian/patches/support-openssl3-002.patch (+345/-0)
debian/patches/support-openssl3-003.patch (+48/-0)
debian/patches/support-openssl3-004.patch (+56/-0)
debian/patches/support-openssl3-005.patch (+121/-0)
debian/patches/support-openssl3-006.patch (+33/-0)
debian/patches/support-openssl3-007.patch (+72/-0)
debian/patches/support-openssl3-008.patch (+29/-0)
debian/patches/support-openssl3-009.patch (+36/-0)
debian/patches/support-openssl3-010.patch (+54/-0)
debian/source/include-binaries (+1/-0)
Conflict in debian/changelog
Conflict in debian/control
Conflict in debian/patches/series
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
Christian Ehrhardt  (community) Needs Fixing
git-ubuntu import Pending
Review via email: mp+412730@code.launchpad.net

Description of the change

Bunch of CVEs drop with this merge, but the remaining delta stays with us. The openssl3 changes are still valid for this release, but originated from upstream so will eventually be droppable.

With this merge, we also revert the graceful sru/fix for systemd as was recently done for other releases.

Autopkgtests passed locally. I'll queue up PPA tests once the PPA has finished building.

PPA: https://launchpad.net/~bryce/+archive/ubuntu/apache2-merge-v2.4.51-2

Usual tags pushed for review:

- tags/old/debian 517f14a34
- tags/new/debian 826e1a24b
- tags/old/ubuntu 2317e7e30
- tags/logical/2.4.48-3.1ubuntu4 ca88b20c2
- tags/reconstruct/2.4.48-3.1ubuntu4 1b5106881
- tags/split/2.4.48-3.1ubuntu4 9a6855775

Christian Ehrhardt (paelzer) wrote :

This is still marked WIP, is it ready for review @bryce?

Bryce Harrington (bryce) wrote :

Yep, it's ready for review.

It was in WIP since I was waiting on some PPA tests to complete:

https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-bryce-apache2-merge-v2.4.51-2/jammy/s390x/a/apache2/20211203_075202_4dd22@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-bryce-apache2-merge-v2.4.51-2/jammy/ppc64el/a/apache2/20211203_075304_4dd22@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-bryce-apache2-merge-v2.4.51-2/jammy/armhf/a/apache2/20211203_082509_37178@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-bryce-apache2-merge-v2.4.51-2/jammy/arm64/a/apache2/20211203_082428_b9dbe@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-bryce-apache2-merge-v2.4.51-2/jammy/amd64/a/apache2/20211203_080400_7eeb0@/log.gz

Results for amd64:
autopkgtest [08:03:33]: test chroot: - - - - - - - - - - results - - - - - - - - - -
chroot PASS
autopkgtest [08:03:33]: @@@@@@@@@@@@@@@@@@@@ summary
run-test-suite PASS
duplicate-module-load PASS
htcacheclean PASS
default-mods PASS
ssl-passphrase PASS
check-http2 PASS
chroot PASS

(Oddly, lp-test-ppa reports these test logs as "Broken Test Log" which seems weird but I'm seeing no evidence of actual problems so wonder if that might just be a glitch in lp-test-ppa.)

Christian Ehrhardt (paelzer) wrote :

For the test logs, it runs into:
  'utf-8' codec can't decode byte 0xa0 in position 1404450: invalid start byte

Firefox, Chroma and gunzip can extract it well.
But it isn't the extraction, but the following UTF convert anyway.

That is reproducible fetching the log file and running:
import gzip
with gzip.open("log.gz") as f:
    f.read().decode("utf-8")

UnicodeDecodeError: 'utf-8' codec can't decode byte 0xa0 in position 1404450: invalid start byte

00156E18 6E 48 6F 73 74 3A 20 61 62 63 A0 5C 72 5C 6E 5C 72 5C 6E 0A 23 20 65 78 70 65 63 74 69 6E 67 20 32 30 30 2C 20 67 6F 74 nHost: abc.\r\n\r\n.# expecting 200, got

Terminal/Vim renders that as a "." but the usual "." isn't A0 but 0A.

Type is reported as UTF-8
log-unp: UTF-8 Unicode text, with very long lines, with CRLF, CR, LF line terminators

It isn't the python code that is wrong, other tools agree

$ iconv -f UTF-8 log-unp -o /dev/null
iconv: illegal input sequence at position 1404450

So maybe we should make our tool more tolerant as well.
Using errors="replace" makes this work much better.

The other decodes shall stay strict IMHO.

Pushed to the tools repo
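
The strict failure and the errors="replace" behaviour described in the comment above, as an added example (not code from the thread or from the lp-test-ppa tool). DUMP_BYTES is the hex dump quoted above; the surrounding log lines and all function names are constructed for illustration.

```python
import gzip

# The 40 bytes from the hex dump quoted in the comment. 0xA0 follows "abc":
# in UTF-8 it is a continuation byte, so on its own it is an invalid start byte.
DUMP_BYTES = bytes.fromhex(
    "6E486F73743A20616263A05C725C6E5C725C6E0A"
    "2320657870656374696E67203230302C20676F74"
)

# Constructed sample log: the dump bytes between two made-up lines, gzipped
# the way the autopkgtest log.gz is.
SAMPLE_RAW = (
    b"constructed line before the request\n"
    + DUMP_BYTES
    + b" 400\nconstructed line after the request\n"
)
SAMPLE_GZ = gzip.compress(SAMPLE_RAW)


def decode_log(blob: bytes, tolerant: bool = True) -> str:
    """Decompress a log.gz and decode it; strict mode raises on bad bytes."""
    raw = gzip.decompress(blob)
    return raw.decode("utf-8", errors="replace" if tolerant else "strict")


def invalid_utf8_spans(raw: bytes):
    """Return [(offset, bad_bytes)] for every undecodable run in raw."""
    spans = []
    pos = 0
    while pos < len(raw):
        try:
            raw[pos:].decode("utf-8")
            break  # the rest decodes cleanly
        except UnicodeDecodeError as exc:
            start, end = pos + exc.start, pos + exc.end
            spans.append((start, raw[start:end]))
            pos = end  # resume after the bad run, as "replace" does
    return spans


def audit_log(blob: bytes):
    """Tolerant decode plus a record of what was replaced and where."""
    raw = gzip.decompress(blob)
    spans = invalid_utf8_spans(raw)
    text = raw.decode("utf-8", errors="replace")
    return text, spans


if __name__ == "__main__":
    try:
        decode_log(SAMPLE_GZ, tolerant=False)
    except UnicodeDecodeError as exc:
        print("strict decode failed:", exc)
    text, spans = audit_log(SAMPLE_GZ)
    for offset, bad in spans:
        print(f"replaced {bad.hex()} at byte offset {offset}")
    print(text.splitlines()[1])
```

Recording the offsets keeps a tolerant reader from silently hiding the malformed byte, which in the dump sits right after "Host: abc".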

Christian Ehrhardt (paelzer) wrote :

And with that I can confirm test results are indeed good.

Christian Ehrhardt (paelzer) wrote :

I think there is an issue in 5df3515d42

Somehow when applying the delta we reverted some of the Debian changes.
Salsa commit c91b4db1e91a9b6d5a66d132740830b6310c3263 has:

@@ -45,16 +45,13 @@ Recommends: ssl-cert
 Suggests: apache2-doc,
           apache2-suexec-pristine | apache2-suexec-custom,
           www-browser
-Pre-Depends: dpkg (>= 1.17.14),
- ${misc:Pre-Depends}
-Breaks: libapache2-mod-proxy-uwsgi (<< 2.4.33)
+Pre-Depends: ${misc:Pre-Depends}

But we now undo that in 5df3515d42

I think that is a bad rebase and needs fixup

(Shown by range-diff)

review: Needs Fixing

Christian Ehrhardt (paelzer) wrote :

The Revert of "systemd for graceful" should still be listed under "Dropped" IMHO.
And the good statement "This introduced a performance regression." maybe in [] as we usually do it when quoting reasons for drops.

I see what you wanted with the revert, but IMHO it confuses (at least me)

review: Needs Fixing

Christian Ehrhardt (paelzer) wrote :

The new
952c00489a - d/apache2ctl: Also use /run/systemd to check for systemd usage (LP: 1918209)

Has become a single whitespace change, that seems wrong.
I think you can remove the commit and mention it in the changelog to be dropped.

Or we need to fully add it again.

Looking at the new apache2ctl it is now a variable instead of a function, but in Docker still might yield false results. So I assume you need to adapt that to match and then send it to Debian.

Or if OTOH this isn't needed anymore with the revert of the graceful changes mention that and fully drop it.

review: Needs Fixing

Christian Ehrhardt (paelzer) wrote :

Ack to the Drop of the CVEs, they are present in Debian.

Christian Ehrhardt (paelzer) wrote :

An unimportant improvement in changelog/commit message:
  "failure to load when using OpenSSL 3. (LP #1951476)"
has a double space

In general I see some use double space (also 1288690) and others do not.
Maybe on this merge&rebase unify commit messages and changelog to either one?

2257354... by Bryce Harrington

merge-changelogs

e249e4c... by Bryce Harrington

reconstruct-changelog

Bryce Harrington (bryce) wrote :

Thank you for the thorough review comments, sorry took so long to get back to it (so many distractions!) Anyway, I agree with all your suggestions, have made all the changes, and am pushing the updated branch here for re-review. Thanks again!

Andreas Hasenack (ahasenack) wrote :

I'm taking a look

Andreas Hasenack (ahasenack) wrote :

Looks good

review: Approve

Bryce Harrington (bryce) wrote :

Thanks, uploaded.

$ grep "^Vcs-Git" *source.changes
Vcs-Git: https://git.launchpad.net/~bryce/ubuntu/+source/apache2
Vcs-Git-Commit: e249e4c816da6f89181fa734e8f324ed03a10eef
Vcs-Git-Ref: refs/heads/merge-v2.4.51-2-jammy

$ dput ubuntu apache2_2.4.51-2ubuntu1_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: /home/bryce/pkg/Apache2/merge-v2.4.51-2/apache2_2.4.51-2ubuntu1_source.changes: Valid signature from E603B2578FB8F0FB
Checking signature on .dsc
gpg: /home/bryce/pkg/Apache2/merge-v2.4.51-2/apache2_2.4.51-2ubuntu1.dsc: Valid signature from E603B2578FB8F0FB
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.51-2ubuntu1.dsc: done.
  Uploading apache2_2.4.51.orig.tar.gz: done.
  Uploading apache2_2.4.51-2ubuntu1.debian.tar.xz: done.
  Uploading apache2_2.4.51-2ubuntu1_source.buildinfo: done.
  Uploading apache2_2.4.51-2ubuntu1_source.changes: done.
Successfully uploaded packages.

Andreas Hasenack (ahasenack) wrote :

This migrated, please mark as "merged" when able.

Bryce Harrington (bryce) wrote :

Done, thanks!

Preview Diff

diff --git a/debian/apache2-bin.install b/debian/apache2-bin.install
index 63c573f..3d1bdf1 100644
--- a/debian/apache2-bin.install
+++ b/debian/apache2-bin.install
@@ -1,2 +1,3 @@
1/usr/lib/apache2/modules/1/usr/lib/apache2/modules/
2/usr/sbin/apache22/usr/sbin/apache2
3debian/apache2.py usr/share/apport/package-hooks
diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile
3new file mode 1006444new file mode 100644
index 0000000..974a655
--- /dev/null
+++ b/debian/apache2-utils.ufw.profile
@@ -0,0 +1,14 @@
1[Apache]
2title=Web Server
3description=Apache v2 is the next generation of the omnipresent Apache web server.
4ports=80/tcp
5
6[Apache Secure]
7title=Web Server (HTTPS)
8description=Apache v2 is the next generation of the omnipresent Apache web server.
9ports=443/tcp
10
11[Apache Full]
12title=Web Server (HTTP,HTTPS)
13description=Apache v2 is the next generation of the omnipresent Apache web server.
14ports=80,443/tcp
diff --git a/debian/apache2.dirs b/debian/apache2.dirs
index 6089013..1aa6d3c 100644
--- a/debian/apache2.dirs
+++ b/debian/apache2.dirs
@@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk
10var/lib/apache210var/lib/apache2
11var/log/apache211var/log/apache2
12var/www/html12var/www/html
13/etc/ufw/applications.d/apache2
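Review bot: the added entry at line 13, /etc/ufw/applications.d/apache2, has a leading slash while every context line in this file is relative (var/lib/apache2, var/log/apache2, var/www/html), and it names apache2 as a directory under applications.d. The apache2.install change in this same diff installs debian/apache2-utils.ufw.profile into /etc/ufw/applications.d/ itself, so this entry looks like it would leave an empty apache2 directory next to the profile; consider dropping the line, or writing it as etc/ufw/applications.d if the directory has to be declared.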
diff --git a/debian/apache2.install b/debian/apache2.install
index b6ad789..92865fc 100644
--- a/debian/apache2.install
+++ b/debian/apache2.install
@@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2
8debian/config-dir/envvars /etc/apache28debian/config-dir/envvars /etc/apache2
9debian/config-dir/magic /etc/apache29debian/config-dir/magic /etc/apache2
10debian/debhelper/apache2-maintscript-helper /usr/share/apache2/10debian/debhelper/apache2-maintscript-helper /usr/share/apache2/
11debian/apache2-utils.ufw.profile /etc/ufw/applications.d/
diff --git a/debian/apache2.postrm b/debian/apache2.postrm
index a68583c..b0e5d7b 100644
--- a/debian/apache2.postrm
+++ b/debian/apache2.postrm
@@ -33,6 +33,7 @@ is_default_index_html () {
33 776221a94e5a174dc2396c0f3f6b6a7433 776221a94e5a174dc2396c0f3f6b6a74
34 c481228d439cbb54bdcedbaec5bbb11a34 c481228d439cbb54bdcedbaec5bbb11a
35 e2620d4a5a0f8d80dd4b16de59af981f35 e2620d4a5a0f8d80dd4b16de59af981f
36 3526531ccd6c6a1d2340574a305a18f8
36 EOF37 EOF
37}38}
3839
diff --git a/debian/apache2.py b/debian/apache2.py
39new file mode 10064440new file mode 100644
index 0000000..a9fb9d8
--- /dev/null
+++ b/debian/apache2.py
@@ -0,0 +1,48 @@
1#!/usr/bin/python
2
3'''apport hook for apache2
4
5(c) 2010 Adam Sommer.
6Author: Adam Sommer <asommer@ubuntu.com>
7
8This program is free software; you can redistribute it and/or modify it
9under the terms of the GNU General Public License as published by the
10Free Software Foundation; either version 2 of the License, or (at your
11option) any later version. See http://www.gnu.org/copyleft/gpl.html for
12the full text of the license.
13'''
14
15from apport.hookutils import *
16import os
17
18SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/'
19
20def add_info(report, ui):
21 if os.path.isdir(SITES_ENABLED_DIR):
22 response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory "
23 "may help developers diagnose your bug more "
24 "quickly. However, it may contain sensitive "
25 "information. Do you want to include it in your "
26 "bug report?")
27
28 if response == None: # user cancelled
29 raise StopIteration
30
31 elif response == True:
32 # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d
33 for conf_file in os.listdir(SITES_ENABLED_DIR):
34 attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file)
35
36 try:
37 report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d'))
38 except OSError:
39 report['Apache2ConfdDirListing'] = str(False)
40
41 # Attach default config files if changed.
42 attach_conffiles(report, 'apache2', conffiles=None)
43
44 # Attach the error.log file.
45 attach_file(report, '/var/log/apache2/error.log', key='error.log')
46
47 # Get loaded modules.
48 report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES'])
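Review bot: the consent prompt at lines 22-26 names only the SITES_ENABLED_DIR contents, but lines 42 and 45 also attach changed conffiles and /var/log/apache2/error.log, which can carry the same kind of sensitive data (hostnames, paths, client addresses); either mention them in the prompt text or make sure they sit under the same yes branch. Smaller points: "response == None" and "response == True" at lines 28 and 31 would read better as "is None" and a plain truth test, the wildcard "from apport.hookutils import *" at line 15 hides which helpers the hook depends on, and '-D DUMP_MODULES' at line 48 is passed as a single argv element containing a space, so it is worth checking whether it should be split into '-D', 'DUMP_MODULES'.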
diff --git a/debian/apache2ctl b/debian/apache2ctl
index 404b9f9..02f3bca 100755
--- a/debian/apache2ctl
+++ b/debian/apache2ctl
@@ -143,6 +143,21 @@ mkdir_chown () {
143 fi143 fi
144}144}
145145
146need_systemd () {
147 # Detect if systemd is in use and should be used for managing
148 # the Apache2 httpd service. Returns 0 if so, 1 otherwise.
149 if [ -z "${APACHE_STARTED_BY_SYSTEMD}" ]; then
150 case "$(readlink -f /proc/1/exe)" in
151 *systemd*)
152 return 0
153 ;;
154 esac
155 # With Docker, /proc/1 is not necessarily an init system,
156 # so fallback to checking in /run.
157 [ -d /run/systemd/system ]
158 fi
159 return 1
160}
146161
147[ ! -d ${APACHE_RUN_DIR:-/var/run/apache2} ] && mkdir -p ${APACHE_RUN_DIR:-/var/run/apache2}162[ ! -d ${APACHE_RUN_DIR:-/var/run/apache2} ] && mkdir -p ${APACHE_RUN_DIR:-/var/run/apache2}
148[ ! -d ${APACHE_LOCK_DIR:-/var/lock/apache2} ] && mkdir_chown ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2}163[ ! -d ${APACHE_LOCK_DIR:-/var/lock/apache2} ] && mkdir_chown ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2}
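Review bot: in need_systemd (new lines 146-160) the result of "[ -d /run/systemd/system ]" at line 157 is discarded, because control falls through the fi at line 158 to the unconditional "return 1" at line 159. As written, the /run fallback described in the comment at lines 155-156 can never make the function return 0; return the test's status from that branch, for example "[ -d /run/systemd/system ] && return 0" or a "return $?" directly after the test.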
@@ -153,38 +168,38 @@ start)
153 # (this is bad if there are several apache2 instances running)168 # (this is bad if there are several apache2 instances running)
154 rm -f ${APACHE_RUN_DIR:-/var/run/apache2}/*ssl_scache*169 rm -f ${APACHE_RUN_DIR:-/var/run/apache2}/*ssl_scache*
155170
156 need_systemd=false171 if need_systemd; then
157 if [ -z "$APACHE_STARTED_BY_SYSTEMD" ] ; then
158 case "$(readlink -f /proc/1/exe)" in
159 *systemd*)
160 need_systemd=true
161 ;;
162 *)
163 ;;
164 esac
165 fi
166 if $need_systemd ; then
167 # If running on systemd we should not start httpd without systemd172 # If running on systemd we should not start httpd without systemd
168 # or systemd will get confused about the status of httpd.173 # or systemd will get confused about the status of httpd.
169 echo "Invoking 'systemctl start $APACHE_SYSTEMD_SERVICE'."174 echo "Invoking 'systemctl start ${APACHE_SYSTEMD_SERVICE}'."
170 echo "Use 'systemctl status $APACHE_SYSTEMD_SERVICE' for more info."175 echo "Use 'systemctl status ${APACHE_SYSTEMD_SERVICE}' for more info."
171 systemctl start "$APACHE_SYSTEMD_SERVICE"176 systemctl start "${APACHE_SYSTEMD_SERVICE}"
172 else177 else
173 unset APACHE_STARTED_BY_SYSTEMD178 unset APACHE_STARTED_BY_SYSTEMD
174 $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV"179 ${HTTPD} ${APACHE_ARGUMENTS} -k "${ARGV}"
175 fi180 fi
176181
177 ERROR=$?182 ERROR=$?
178 ;;183 ;;
179stop|graceful-stop)184stop|graceful-stop)
180 $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV"185 ${HTTPD} ${APACHE_ARGUMENTS} -k "$ARGV"
181 ERROR=$?186 ERROR=$?
182 ;;187 ;;
183restart|graceful)188restart|graceful)
184 if $HTTPD ${APACHE_ARGUMENTS} -t 2> /dev/null ; then189 if $HTTPD ${APACHE_ARGUMENTS} -t 2> /dev/null ; then
185 $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV"190 if need_systemd; then
191 # If running on systemd we should not directly restart httpd since
192 # systemd would be confused about httpd's status.
193 # (See LP: #1832182)
194 echo "Invoking 'systemctl restart ${APACHE_SYSTEMD_SERVICE}'."
195 echo "Use 'systemctl status ${APACHE_SYSTEMD_SERVICE}' for more info."
196 systemctl restart "${APACHE_SYSTEMD_SERVICE}"
197 else
198 unset APACHE_STARTED_BY_SYSTEMD
199 ${HTTPD} ${APACHE_ARGUMENTS} -k "${ARGV}"
200 fi
186 else201 else
187 $HTTPD ${APACHE_ARGUMENTS} -t202 ${HTTPD} ${APACHE_ARGUMENTS} -t
188 fi203 fi
189 ERROR=$?204 ERROR=$?
190 ;;205 ;;
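Review bot: in the restart|graceful branch (new lines 190-196) both actions end in "systemctl restart", so under systemd a request for graceful is carried out as a full restart and the distinction that -k "${ARGV}" preserves in the non-systemd path at line 199 is lost. If that is not intended, split the case so graceful maps to a reload-style action of the unit. Separately, stop|graceful-stop at line 185 still calls httpd directly with no need_systemd check, which sits oddly beside the comment at lines 191-193 about not confusing systemd, and the quoting is mixed within the hunk: $HTTPD at line 189 against ${HTTPD} elsewhere, "$ARGV" at line 185 against "${ARGV}" at lines 179 and 199.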
diff --git a/debian/changelog b/debian/changelog
index 2a8d158..a17c195 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,60 @@
1<<<<<<< debian/changelog
2=======
3apache2 (2.4.51-2ubuntu1) jammy; urgency=medium
4
5 * Merge with Debian unstable. Remaining changes:
6 - debian/{control, apache2.install, apache2-utils.ufw.profile,
7 apache2.dirs}: Add ufw profiles.
8 (LP 261198)
9 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
10 (LP 609177)
11 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
12 d/s/include-binaries: replace Debian with Ubuntu on default
13 page and add Ubuntu icon file.
14 (LP 1288690)
15 - d/p/support-openssl3-*.patch: Backport various patches from
16 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
17 failure to load when using OpenSSL 3.
18 (LP #1951476)
19 * Dropped:
20 - d/apache2ctl: Also use systemd for graceful if it is in use.
21 (LP: 1832182)
22 [This introduced a performance regression.]
23 - d/apache2ctl: Also use /run/systemd to check for systemd usage.
24 (LP 1918209)
25 [Not needed]
26 - debian/patches/CVE-2021-33193.patch: refactor request parsing in
27 include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
28 include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
29 server/core_filters.c, server/protocol.c, server/vhost.c.
30 [Fixed in 2.4.48-4]
31 - debian/patches/CVE-2021-34798.patch: add NULL check in
32 server/scoreboard.c.
33 [Fixed in 2.4.49-1]
34 - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
35 generic worker in modules/proxy/mod_proxy_uwsgi.c.
36 [Fixed in 2.4.49-1]
37 - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
38 substitution logic in server/util.c.
39 [Fixed in 2.4.49-1]
40 - arbitrary origin server via crafted request uri-path
41 + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
42 parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
43 modules/proxy/proxy_util.c.
44 + debian/patches/CVE-2021-40438.patch: add sanity checks on the
45 configured UDS path in modules/proxy/proxy_util.c.
46 [Fixed in 2.4.49-3]
47 - SECURITY REGRESSION: Issues in UDS URIs. (LP #1945311)
48 + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
49 rules in modules/mappers/mod_rewrite.c.
50 + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
51 hostname in modules/mappers/mod_rewrite.c,
52 modules/proxy/proxy_util.c.
53 [Fixed in 2.4.49-3]
54
55 -- Bryce Harrington <bryce@canonical.com> Thu, 16 Dec 2021 14:09:26 -0800
56
57>>>>>>> debian/changelog
1apache2 (2.4.51-2) unstable; urgency=medium58apache2 (2.4.51-2) unstable; urgency=medium
259
3 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting parameters60 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting parameters
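Review bot: lines 1, 2 and 57 of the new debian/changelog are unresolved conflict markers ("<<<<<<< debian/changelog", "=======", ">>>>>>> debian/changelog"), so the file no longer starts with an entry header; they need to be resolved before this lands. Within the new 2.4.51-2ubuntu1 entry the bug references are also written three different ways, "(LP 261198)", "(LP #1951476)" and "(LP: 1832182)"; pick one form for the entry.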
@@ -61,6 +118,77 @@ apache2 (2.4.48-4) unstable; urgency=medium
61118
62 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200119 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200
63120
121<<<<<<< debian/changelog
122=======
123apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium
124
125 * d/p/support-openssl3-*.patch: Backport various patches from
126 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
127 failure to load when using OpenSSL 3. (LP: #1951476)
128
129 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 26 Nov 2021 16:07:56 -0500
130
131apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
132
133 * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
134 - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
135 rules in modules/mappers/mod_rewrite.c.
136 - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
137 hostname in modules/mappers/mod_rewrite.c,
138 modules/proxy/proxy_util.c.
139
140 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Sep 2021 08:52:26 -0400
141
142apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium
143
144 * SECURITY UPDATE: request splitting over HTTP/2
145 - debian/patches/CVE-2021-33193.patch: refactor request parsing in
146 include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
147 include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
148 server/core_filters.c, server/protocol.c, server/vhost.c.
149 - CVE-2021-33193
150 * SECURITY UPDATE: NULL deref via malformed requests
151 - debian/patches/CVE-2021-34798.patch: add NULL check in
152 server/scoreboard.c.
153 - CVE-2021-34798
154 * SECURITY UPDATE: DoS in mod_proxy_uwsgi
155 - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
156 generic worker in modules/proxy/mod_proxy_uwsgi.c.
157 - CVE-2021-36160
158 * SECURITY UPDATE: buffer overflow in ap_escape_quotes
159 - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
160 substitution logic in server/util.c.
161 - CVE-2021-39275
162 * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
163 - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
164 parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
165 modules/proxy/proxy_util.c.
166 - debian/patches/CVE-2021-40438.patch: add sanity checks on the
167 configured UDS path in modules/proxy/proxy_util.c.
168 - CVE-2021-40438
169
170 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Sep 2021 12:51:16 -0400
171
172apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium
173
174 * Merge with Debian unstable. Remaining changes:
175 - debian/{control, apache2.install, apache2-utils.ufw.profile,
176 apache2.dirs}: Add ufw profiles. (LP 261198)
177 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
178 (LP 609177)
179 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
180 d/s/include-binaries: replace Debian with Ubuntu on default
181 page and add Ubuntu icon file. (LP 1288690)
182 - d/apache2ctl: Also use systemd for graceful if it is in use.
183 This extends an earlier fix for the start command to behave
184 similarly for restart / graceful. Fixes service failures on
185 unattended upgrade. (LP 1832182)
186 - d/apache2ctl: Also use /run/systemd to check for systemd usage
187 (LP 1918209)
188
189 -- Bryce Harrington <bryce@canonical.com> Wed, 11 Aug 2021 20:03:24 -0700
190
191>>>>>>> debian/changelog
64apache2 (2.4.48-3.1) unstable; urgency=medium192apache2 (2.4.48-3.1) unstable; urgency=medium
65193
66 * Non-maintainer upload.194 * Non-maintainer upload.
@@ -69,6 +197,46 @@ apache2 (2.4.48-3.1) unstable; urgency=medium
69197
70 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200198 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200
71199
200apache2 (2.4.48-3ubuntu1) impish; urgency=medium
201
202 * Merge with Debian unstable. Remaining changes:
203 - debian/{control, apache2.install, apache2-utils.ufw.profile,
204 apache2.dirs}: Add ufw profiles. (LP: 261198)
205 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
206 (LP: 609177)
207 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
208 d/s/include-binaries: replace Debian with Ubuntu on default
209 page and add Ubuntu icon file. (LP: 1288690)
210 - d/apache2ctl: Also use systemd for graceful if it is in use.
211 This extends an earlier fix for the start command to behave
212 similarly for restart / graceful. Fixes service failures on
213 unattended upgrade. (LP: 1832182)
214 - d/apache2ctl: Also use /run/systemd to check for systemd usage
215 (LP: 1918209)
216 * Dropped:
217 - d/t/control, d/t/check-http2: add basic test for http2 support
218 [Fixed in 2.4.48-2]
219 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
220 [Fixed in 2.4.48-1]
221 - d/p/CVE-2020-13950.patch: don't dereference NULL proxy
222 connection in modules/proxy/mod_proxy_http.c.
223 [Fixed in 2.4.48 upstream]
224 - d/p/CVE-2020-35452.patch: fast validation of the nonce's
225 base64 to fail early if the format can't match anyway in
226 modules/aaa/mod_auth_digest.c.
227 [Fixed in 2.4.48 upstream]
228 - d/p/CVE-2021-26690.patch: save one apr_strtok() in
229 session_identity_decode() in modules/session/mod_session.c.
230 [Fixed in 2.4.48 upstream]
231 - d/p/CVE-2021-26691.patch: account for the '&' in
232 identity_concat() in modules/session/mod_session.c.
233 [Fixed in 2.4.48 upstream]
234 - d/p/CVE-2021-30641.patch: change default behavior in
235 server/request.c.
236 [Fixed in 2.4.48 upstream]
237
238 -- Bryce Harrington <bryce@canonical.com> Thu, 08 Jul 2021 03:20:46 +0000
239
72apache2 (2.4.48-3) unstable; urgency=medium240apache2 (2.4.48-3) unstable; urgency=medium
73241
74 * Fix debian/changelog242 * Fix debian/changelog
@@ -125,6 +293,65 @@ apache2 (2.4.46-5) unstable; urgency=medium
125293
126 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200294 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200
127295
296apache2 (2.4.46-4ubuntu3) impish; urgency=medium
297
298 * No-change rebuild due to OpenLDAP soname bump.
299
300 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 17:43:48 -0400
301
302apache2 (2.4.46-4ubuntu2) impish; urgency=medium
303
304 * SECURITY UPDATE: mod_proxy_http denial of service.
305 - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
306 connection in modules/proxy/mod_proxy_http.c.
307 - CVE-2020-13950
308 * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
309 - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
310 base64 to fail early if the format can't match anyway in
311 modules/aaa/mod_auth_digest.c.
312 - CVE-2020-35452
313 * SECURITY UPDATE: DoS via cookie header in mod_session
314 - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
315 session_identity_decode() in modules/session/mod_session.c.
316 - CVE-2021-26690
317 * SECURITY UPDATE: heap overflow via SessionHeader
318 - debian/patches/CVE-2021-26691.patch: account for the '&' in
319 identity_concat() in modules/session/mod_session.c.
320 - CVE-2021-26691
321 * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
322 - debian/patches/CVE-2021-30641.patch: change default behavior in
323 server/request.c.
324 - CVE-2021-30641
325
326 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Jun 2021 13:09:41 -0400
327
328apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium
329
330 * Merge with Debian unstable, to allow moving from lua5.2 to
331 lua5.3 (LP: #1910372). Remaining changes:
332 - debian/{control, apache2.install, apache2-utils.ufw.profile,
333 apache2.dirs}: Add ufw profiles.
334 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
335 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
336 Debian with Ubuntu on default page.
337 + d/source/include-binaries: add Ubuntu icon file
338 - d/t/control, d/t/check-http2: add basic test for http2 support
339 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
340 issue reading error log too quickly after request, by adding a sleep.
341 (LP #1890302)
342 - d/apache2ctl: Also use systemd for graceful if it is in use.
343 This extends an earlier fix for the start command to behave
344 similarly for restart / graceful. Fixes service failures on
345 unattended upgrade.
346 * Drop:
347 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
348 was re-added by mistake in 2.4.41-1 (Closes #921024)
349 [Included in Debian 2.4.46-3]
350 * d/apache2ctl: Also use /run/systemd to check for systemd usage
351 (LP: #1918209)
352
353 -- Bryce Harrington <bryce@canonical.com> Tue, 09 Mar 2021 00:45:35 +0000
354
128apache2 (2.4.46-4) unstable; urgency=medium355apache2 (2.4.46-4) unstable; urgency=medium
129356
130 * Ignore other random another test failures (Closes: #979664)357 * Ignore other random another test failures (Closes: #979664)
@@ -142,6 +369,28 @@ apache2 (2.4.46-3) unstable; urgency=medium
142369
143 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100370 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100
144371
372apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium
373
374 * Merge with Debian unstable. Remaining changes:
375 - debian/{control, apache2.install, apache2-utils.ufw.profile,
376 apache2.dirs}: Add ufw profiles.
377 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
378 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
379 Debian with Ubuntu on default page.
380 + d/source/include-binaries: add Ubuntu icon file
381 - d/t/control, d/t/check-http2: add basic test for http2 support
382 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
383 was re-added by mistake in 2.4.41-1 (Closes #921024)
384 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
385 issue reading error log too quickly after request, by adding a sleep.
386 (LP #1890302)
387 - d/apache2ctl: Also use systemd for graceful if it is in use.
388 This extends an earlier fix for the start command to behave
389 similarly for restart / graceful. Fixes service failures on
390 unattended upgrade.
391
392 -- Paride Legovini <paride.legovini@canonical.com> Mon, 14 Dec 2020 18:12:15 +0100
393
145apache2 (2.4.46-2) unstable; urgency=medium394apache2 (2.4.46-2) unstable; urgency=medium
146395
147 [ Jean-Michel Vourgère ]396 [ Jean-Michel Vourgère ]
@@ -163,6 +412,39 @@ apache2 (2.4.46-2) unstable; urgency=medium
163412
164 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100413 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100
165414
415apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium
416
417 * d/apache2ctl: Also use systemd for graceful if it is in use.
418 (LP: #1832182)
419 - This extends an earlier fix for the start command to behave
420 similarly for restart / graceful. Fixes service failures on
421 unattended upgrade.
422
423 -- Bryce Harrington <bryce@canonical.com> Mon, 05 Oct 2020 16:06:32 -0700
424
425apache2 (2.4.46-1ubuntu1) groovy; urgency=medium
426
427 * Merge with Debian unstable. Remaining changes:
428 - debian/{control, apache2.install, apache2-utils.ufw.profile,
429 apache2.dirs}: Add ufw profiles.
430 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
431 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
432 Debian with Ubuntu on default page.
433 + d/source/include-binaries: add Ubuntu icon file
434 - d/t/control, d/t/check-http2: add basic test for http2 support
435 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
436 was re-added by mistake in 2.4.41-1 (Closes #921024)
437 - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
438 issue reading error log too quickly after request, by adding a sleep.
439 (LP #1890302)
440 * Dropped:
441 - debian/patches/086_svn_cross_compiles: Backport several cross
442 fixes from upstream
443 [Unclear if it's still necessary, and upstream hasn't made a
444 release with it yet]
445
446 -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Aug 2020 09:13:38 -0300
447
166apache2 (2.4.46-1) unstable; urgency=medium448apache2 (2.4.46-1) unstable; urgency=medium
167449
168 [ Xavier Guimard ]450 [ Xavier Guimard ]
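Review bot: The drop of debian/patches/086_svn_cross_compiles in the 2.4.46-1ubuntu1 entry is justified only by "[Unclear if it's still necessary, and upstream hasn't made a release with it yet]", which records a guess rather than a verified reason. The same bracket says upstream has not released those fixes, so state whether a cross build was tested without the patch, or keep carrying it until that is known.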
@@ -179,6 +461,39 @@ apache2 (2.4.46-1) unstable; urgency=medium
179461
180 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200462 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200
181463
464apache2 (2.4.43-1ubuntu2) groovy; urgency=medium
465
466 * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
467 issue reading error log too quickly after request, by adding a sleep.
468 (LP: #1890302)
469
470 -- Bryce Harrington <bryce@canonical.com> Wed, 05 Aug 2020 12:44:59 -0700
471
472apache2 (2.4.43-1ubuntu1) groovy; urgency=medium
473
474 * Merge with Debian unstable. Remaining changes:
475 - debian/{control, apache2.install, apache2-utils.ufw.profile,
476 apache2.dirs}: Add ufw profiles.
477 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
478 - debian/patches/086_svn_cross_compiles: Backport several cross
479 fixes from upstream
480 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
481 Debian with Ubuntu on default page.
482 + d/source/include-binaries: add Ubuntu icon file
483 - d/t/control, d/t/check-http2: add basic test for http2 support
484 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
485 was re-added by mistake in 2.4.41-1 (Closes #921024)
486 * Dropped:
487 - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
488 parameter to mod_proxy_ajp (LP #1865340)
489 [Fixed upstream]
490 - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
491 mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
492 Closes #955348, LP #1872478
493 [In 2.4.43-1]
494
495 -- Andreas Hasenack <andreas@canonical.com> Tue, 21 Jul 2020 10:22:42 -0300
496
182apache2 (2.4.43-1) unstable; urgency=medium497apache2 (2.4.43-1) unstable; urgency=medium
183498
184 [ Timo Aaltonen ]499 [ Timo Aaltonen ]
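Review bot: The drop rationale "[Fixed upstream]" for d/p/mod_proxy_ajp-secret-parameter*.patch in the 2.4.43-1ubuntu1 entry gives no version, unlike the "[In 2.4.43-1]" on the TLS 1.3 client cert patches directly below it. Name the upstream release that carries the "secret" parameter so the drop can be checked against the source rather than taken on trust.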
@@ -206,6 +521,39 @@ apache2 (2.4.41-5) unstable; urgency=medium
206521
207 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100522 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100
208523
524apache2 (2.4.41-4ubuntu3) focal; urgency=medium
525
526 [ Timo Aaltonen ]
527 * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
528 mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
529 Closes: #955348, LP: #1872478
530
531 -- Andreas Hasenack <andreas@canonical.com> Mon, 13 Apr 2020 14:19:17 -0300
532
533apache2 (2.4.41-4ubuntu2) focal; urgency=medium
534
535 * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
536 parameter to mod_proxy_ajp (LP: #1865340)
537
538 -- Andreas Hasenack <andreas@canonical.com> Thu, 05 Mar 2020 15:51:00 -0300
539
540apache2 (2.4.41-4ubuntu1) focal; urgency=medium
541
542 * Merge with Debian unstable. Remaining changes:
543 - debian/{control, apache2.install, apache2-utils.ufw.profile,
544 apache2.dirs}: Add ufw profiles.
545 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
546 - debian/patches/086_svn_cross_compiles: Backport several cross
547 fixes from upstream
548 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
549 Debian with Ubuntu on default page.
550 + d/source/include-binaries: add Ubuntu icon file
551 - d/t/control, d/t/check-http2: add basic test for http2 support
552 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
553 was re-added by mistake in 2.4.41-1 (Closes #921024)
554
555 -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 10:36:13 -0300
556
209apache2 (2.4.41-4) unstable; urgency=medium557apache2 (2.4.41-4) unstable; urgency=medium
210558
211 * Add gcc in chroot autopkgtest (fixes debci)559 * Add gcc in chroot autopkgtest (fixes debci)
@@ -230,6 +578,41 @@ apache2 (2.4.41-2) unstable; urgency=medium
230578
231 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100579 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100
232580
581apache2 (2.4.41-1ubuntu1) eoan; urgency=medium
582
583 * Merge with Debian unstable. Remaining changes:
584 - debian/{control, apache2.install, apache2-utils.ufw.profile,
585 apache2.dirs}: Add ufw profiles.
586 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
587 - debian/patches/086_svn_cross_compiles: Backport several cross
588 fixes from upstream
589 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
590 Debian with Ubuntu on default page.
591 + d/source/include-binaries: add Ubuntu icon file
592 - d/t/control, d/t/check-http2: add basic test for http2 support
593 * Dropped:
594 - Cherrypick upstream testsuite fix:
595 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
596 as such).
597 + Similarly use TLSv1.2 for pr12355 and pr43738.
598 [Test suite updated in 2.4.41-1]
599 - Cherrypick upstream test suite fix for buffer.
600 [Included in 2.4.41-1]
601 - d/p/spelling-errors.patch: removed hunks already fixed upstream
602 [Included in 2.4.39-1]
603 - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
604 + d/p/CVE-2019-0196.patch
605 + d/p/CVE-2019-0211.patch
606 + d/p/CVE-2019-0215.patch
607 + d/p/CVE-2019-0217.patch
608 + d/p/CVE-2019-0220-*.patch
609 + d/p/CVE-2019-0197.patch
610 * Added:
611 - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
612 was re-added by mistake in 2.4.41-1 (Closes: #921024)
613
614 -- Andreas Hasenack <andreas@canonical.com> Wed, 14 Aug 2019 11:36:32 -0300
615
233apache2 (2.4.41-1) unstable; urgency=medium616apache2 (2.4.41-1) unstable; urgency=medium
234617
235 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,618 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,
@@ -262,6 +645,62 @@ apache2 (2.4.39-1) unstable; urgency=medium
262645
263 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200646 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200
264647
648apache2 (2.4.39-0ubuntu1) eoan; urgency=medium
649
650 * New upstream version: 2.4.39
651 * d/p/spelling-errors.patch: removed hunks already fixed upstream
652 * Remaining changes:
653 - Cherrypick upstream test suite fix for buffer.
654 - Cherrypick upstream testsuite fix:
655 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
656 as such).
657 - Similarly use TLSv1.2 for pr12355 and pr43738.
658 - debian/{control, apache2.install, apache2-utils.ufw.profile,
659 apache2.dirs}: Add ufw profiles.
660 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
661 - debian/patches/086_svn_cross_compiles: Backport several cross
662 fixes from upstream
663 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
664 Debian with Ubuntu on default page.
665 + d/source/include-binaries: add Ubuntu icon file
666 - d/t/control, d/t/check-http2: add basic test for http2 support
667 * Dropped patches (fixed upstream):
668 - d/p/CVE-2019-0196.patch
669 - d/p/CVE-2019-0211.patch
670 - d/p/CVE-2019-0215.patch
671 - d/p/CVE-2019-0217.patch
672 - d/p/CVE-2019-0220-*.patch
673 - d/p/CVE-2019-0197.patch
674
675 -- Andreas Hasenack <andreas@canonical.com> Mon, 05 Aug 2019 18:09:08 -0300
676
677apache2 (2.4.38-3ubuntu2) eoan; urgency=medium
678
679 * Cherrypick upstream test suite fix for buffer.
680
681 -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 13 Jun 2019 11:08:24 +0100
682
683apache2 (2.4.38-3ubuntu1) eoan; urgency=low
684
685 * Merge from Debian unstable. Remaining changes:
686 - Cherrypick upstream testsuite fix:
687 + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
688 as such).
689 - Similarly use TLSv1.2 for pr12355 and pr43738.
690 - debian/{control, apache2.install, apache2-utils.ufw.profile,
691 apache2.dirs}: Add ufw profiles.
692 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
693 - debian/patches/086_svn_cross_compiles: Backport several cross
694 fixes from upstream
695 [Removed configure chunk, not needed since configure.in is being
696 patched.]
697 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
698 Debian with Ubuntu on default page.
699 + d/source/include-binaries: add Ubuntu icon file
700 - d/t/control, d/t/check-http2: add basic test for http2 support
701
702 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Jun 2019 19:17:38 +0100
703
265apache2 (2.4.38-3) unstable; urgency=high704apache2 (2.4.38-3) unstable; urgency=high
266705
267 [ Marc Deslauriers ]706 [ Marc Deslauriers ]
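Review bot: In the 2.4.39-0ubuntu1 entry, "Dropped patches (fixed upstream)" lists d/p/CVE-2019-0197.patch, but no Ubuntu entry visible in this diff records adding it. The 2.4.38-2ubuntu2 security upload names only CVE-2019-0196, CVE-2019-0211, CVE-2019-0215, CVE-2019-0217 and CVE-2019-0220. If the patch came in from Debian rather than as Ubuntu delta, it does not belong in a list of dropped Ubuntu patches. Otherwise the upload that introduced it is missing its changelog line.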
@@ -299,6 +738,79 @@ apache2 (2.4.38-3) unstable; urgency=high
299738
300 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200739 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200
301740
741apache2 (2.4.38-2ubuntu3) eoan; urgency=medium
742
743 * Cherrypick upstream testsuite fix:
744 - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
745 as such).
746 * Similarly use TLSv1.2 for pr12355 and pr43738.
747
748 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 07 May 2019 10:39:47 +0100
749
750apache2 (2.4.38-2ubuntu2) disco; urgency=medium
751
752 * SECURITY UPDATE: read-after-free on a string compare in mod_http2
753 - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
754 request method in modules/http2/h2_request.c.
755 - CVE-2019-0196
756 * SECURITY UPDATE: privilege escalation from modules' scripts
757 - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
758 child to its slot number in include/scoreboard.h,
759 server/mpm/event/event.c, server/mpm/prefork/prefork.c,
760 server/mpm/worker/worker.c.
761 - CVE-2019-0211
762 * SECURITY UPDATE: mod_ssl access control bypass
763 - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
764 PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
765 - CVE-2019-0215
766 * SECURITY UPDATE: mod_auth_digest access control bypass
767 - debian/patches/CVE-2019-0217.patch: fix a race condition in
768 modules/aaa/mod_auth_digest.c.
769 - CVE-2019-0217
770 * SECURITY UPDATE: URL normalization inconsistincy
771 - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
772 the path in include/http_core.h, include/httpd.h, server/core.c,
773 server/request.c, server/util.c.
774 - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
775 in server/request.c, server/util.c.
776 - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
777 server/util.c.
778 - CVE-2019-0220
779
780 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Apr 2019 14:31:46 -0400
781
782apache2 (2.4.38-2ubuntu1) disco; urgency=medium
783
784 * Merge with Debian unstable. Remaining changes:
785 - debian/{control, apache2.install, apache2-utils.ufw.profile,
786 apache2.dirs}: Add ufw profiles.
787 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
788 - debian/patches/086_svn_cross_compiles: Backport several cross
789 fixes from upstream
790 [Removed configure chunk, not needed since configure.in is being
791 patched.]
792 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
793 Debian with Ubuntu on default page.
794 + d/source/include-binaries: add Ubuntu icon file
795 - d/t/control, d/t/check-http2: add basic test for http2 support
796 * Dropped:
797 - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
798 libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
799 cannot be coinstalled with libcurl3. That situation breaks the
800 installation of libapache2-mod-shib2. See
801 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
802 for details.
803 [This has been resolved in Disco, where libxmltooling8 is built with
804 openssl 1.1]
805 - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
806 + debian/patches/CVE-2018-11763.patch: rework connection IO event
807 handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
808 modules/http2/h2_version.h.
809 - CVE-2018-11763
810 [Fixed in 2.4.35]
811
812 -- Andreas Hasenack <andreas@canonical.com> Sun, 03 Feb 2019 14:57:13 -0200
813
302apache2 (2.4.38-2) unstable; urgency=medium814apache2 (2.4.38-2) unstable; urgency=medium
303815
304 * Disable "reset" test in allowmethods.t (Closes: #921024)816 * Disable "reset" test in allowmethods.t (Closes: #921024)
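Review bot: Two spelling errors sit in the 2.4.38-2ubuntu2 security entry: "disentangelment" in the CVE-2019-0196 line and "inconsistincy" in the CVE-2019-0220 heading. If these lines are meant to mirror the published upload byte for byte, leave them. If the changelog text was retyped during the merge, correct them to "disentanglement" and "inconsistency" so searches on the CVE descriptions match.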
@@ -381,6 +893,37 @@ apache2 (2.4.35-1) unstable; urgency=medium
381893
382 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200894 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200
383895
896apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium
897
898 * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
899 - debian/patches/CVE-2018-11763.patch: rework connection IO event
900 handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
901 modules/http2/h2_version.h.
902 - CVE-2018-11763
903
904 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Oct 2018 09:57:22 -0400
905
906apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium
907
908 * Merge with Debian unstable. Remaining changes:
909 - debian/{control, apache2.install, apache2-utils.ufw.profile,
910 apache2.dirs}: Add ufw profiles.
911 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
912 - debian/patches/086_svn_cross_compiles: Backport several cross
913 fixes from upstream
914 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
915 Debian with Ubuntu on default page.
916 + d/source/include-binaries: add Ubuntu icon file
917 - d/t/control, d/t/check-http2: add basic test for http2 support
918 - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
919 libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
920 cannot be coinstalled with libcurl3. That situation breaks the
921 installation of libapache2-mod-shib2. See
922 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
923 for details.
924
925 -- Andreas Hasenack <andreas@canonical.com> Fri, 03 Aug 2018 17:09:27 -0300
926
384apache2 (2.4.34-1) unstable; urgency=medium927apache2 (2.4.34-1) unstable; urgency=medium
385928
386 [ Ondřej Surý ]929 [ Ondřej Surý ]
@@ -399,6 +942,87 @@ apache2 (2.4.34-1) unstable; urgency=medium
399942
400 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200943 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200
401944
945apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium
946
947 * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load:
948 re-enable proxy_uwsgi, as the uwsgi source no longer builds this module.
949
950 -- Andreas Hasenack <andreas@canonical.com> Thu, 28 Jun 2018 10:07:06 -0300
951
952apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
953
954 * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
955 libapache2-mod-md until we figure out their transitions. libapache2-mod-md
956 in particular is problematic because that makes apache2-bin pull in
957 libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
958 the installation of libapache2-mod-shib2. See
959 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
960 for details.
961 - Don't ship md.load and remove build-requires that were added because of
962 mod-md (see
963 https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
964 - Remove proxy_uwsgi.load as we are not building it for now (see
965 https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
966
967 -- Andreas Hasenack <andreas@canonical.com> Thu, 17 May 2018 14:46:19 +0000
968
969apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
970
971 * Merge with Debian unstable (LP: #1770242). Remaining changes:
972 - debian/{control, apache2.install, apache2-utils.ufw.profile,
973 apache2.dirs}: Add ufw profiles.
974 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
975 - debian/patches/086_svn_cross_compiles: Backport several cross
976 fixes from upstream
977 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
978 Debian with Ubuntu on default page.
979 + d/source/include-binaries: add Ubuntu icon file
980 - d/t/control, d/t/check-http2: add basic test for http2 support
981 * Drop:
982 - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
983 + debian/patches/CVE-2017-15710.patch: fix language long names
984 detection as short name in modules/aaa/mod_authnz_ldap.c.
985 + CVE-2017-15710
986 - SECURITY UPDATE: incorrect <FilesMatch> matching
987 + debian/patches/CVE-2017-15715.patch: allow to configure
988 global/default options for regexes, like caseless matching or
989 extended format in include/ap_regex.h, server/core.c,
990 server/util_pcre.c.
991 + CVE-2017-15715
992 - SECURITY UPDATE: mod_session header manipulation
993 + debian/patches/CVE-2018-1283.patch: strip Session header when
994 SessionEnv is on in modules/session/mod_session.c.
995 + CVE-2018-1283
996 - SECURITY UPDATE: DoS via specially-crafted request
997 + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
998 terminated on any error, not only on buffer full in
999 server/protocol.c.
1000 + CVE-2018-1301
1001 - SECURITY UPDATE: mod_cache_socache DoS
1002 + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
1003 to carriage return in modules/cache/mod_cache_socache.c.
1004 + CVE-2018-1303
1005 - SECURITY UPDATE: insecure nonce generation
1006 + debian/patches/CVE-2018-1312.patch: actually use the secret when
1007 generating nonces in modules/aaa/mod_auth_digest.c.
1008 + CVE-2018-1312
1009 - Correct systemd-sysv-generator behavior by customizing some
1010 parameters:
1011 + d/apache2-systemd.conf: add a drop-in file to specify some
1012 parameters for the systemd unit (type=Forking and
1013 RemainsAfterExit=no), this allow a correct state synchronisation
1014 between systemctl status and actual state of apache2 daemon.
1015 + d/apache2.install: place the apache2-systemd.conf file in the
1016 correct location.
1017 [type=Forking already in the base systemd service file, and
1018 RemainsAfterExit=no is the default value, so no need to
1019 customize these anymore.]
1020 - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
1021 + added debian/patches/util_ldap_cache_lock_fix.patch
1022 [Already applied upstream]
1023
1024 -- Andreas Hasenack <andreas@canonical.com> Tue, 15 May 2018 11:03:34 -0300
1025
402apache2 (2.4.33-3) unstable; urgency=medium1026apache2 (2.4.33-3) unstable; urgency=medium
4031027
404 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.1028 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
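Review bot: The six SECURITY UPDATE items under "Drop:" in the 2.4.33-3ubuntu1 entry (CVE-2017-15710 through CVE-2018-1312) carry no bracketed reason, while the systemd drop-in and util_ldap_cache_lock_fix items after them do ("[Already applied upstream]"). A dropped security patch is the case where the reason matters most, so add the upstream version that contains each fix, so a reader can confirm none was lost in the merge.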
@@ -471,6 +1095,91 @@ apache2 (2.4.29-2) unstable; urgency=medium
4711095
472 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +00001096 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +0000
4731097
1098apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium
1099
1100 * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
1101 - debian/patches/CVE-2017-15710.patch: fix language long names
1102 detection as short name in modules/aaa/mod_authnz_ldap.c.
1103 - CVE-2017-15710
1104 * SECURITY UPDATE: incorrect <FilesMatch> matching
1105 - debian/patches/CVE-2017-15715.patch: allow to configure
1106 global/default options for regexes, like caseless matching or
1107 extended format in include/ap_regex.h, server/core.c,
1108 server/util_pcre.c.
1109 - CVE-2017-15715
1110 * SECURITY UPDATE: mod_session header manipulation
1111 - debian/patches/CVE-2018-1283.patch: strip Session header when
1112 SessionEnv is on in modules/session/mod_session.c.
1113 - CVE-2018-1283
1114 * SECURITY UPDATE: DoS via specially-crafted request
1115 - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
1116 terminated on any error, not only on buffer full in
1117 server/protocol.c.
1118 - CVE-2018-1301
1119 * SECURITY UPDATE: mod_cache_socache DoS
1120 - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
1121 to carriage return in modules/cache/mod_cache_socache.c.
1122 - CVE-2018-1303
1123 * SECURITY UPDATE: insecure nonce generation
1124 - debian/patches/CVE-2018-1312.patch: actually use the secret when
1125 generating nonces in modules/aaa/mod_auth_digest.c.
1126 - CVE-2018-1312
1127
1128 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Apr 2018 07:38:24 -0400
1129
1130apache2 (2.4.29-1ubuntu4) bionic; urgency=medium
1131
1132 * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
1133 - added debian/patches/util_ldap_cache_lock_fix.patch
1134
1135 -- Rafael David Tinoco <rafael.tinoco@canonical.com> Fri, 02 Mar 2018 02:19:31 +0000
1136
1137apache2 (2.4.29-1ubuntu3) bionic; urgency=medium
1138
1139 * Switch back to OpenSSL 1.1.
1140
1141 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 11:57:20 +0000
1142
1143apache2 (2.4.29-1ubuntu2) bionic; urgency=medium
1144
1145 * enable http2 (LP: #1687454) by stopping to disable it
1146 - debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
1147 - debian/config-dir/mods-available/http2.load: no more removed.
1148 - debian/rules: no more removed proxy_http2 from configure.
1149 * d/t/control, d/t/check-http2: add basic test for http2 support
1150
1151 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 05 Dec 2017 17:25:39 +0100
1152
1153apache2 (2.4.29-1ubuntu1) bionic; urgency=medium
1154
1155 * Merge with Debian unstable. Remaining changes:
1156 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1157 apache2.dirs}: Add ufw profiles.
1158 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1159 - debian/patches/086_svn_cross_compiles: Backport several cross
1160 fixes from upstream
1161 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1162 Debian with Ubuntu on default page.
1163 + d/source/include-binaries: add Ubuntu icon file
1164 - Correct systemd-sysv-generator behavior by customizing some
1165 parameters:
1166 + d/apache2-systemd.conf: add a drop-in file to specify some
1167 parameters for the systemd unit (type=Forking and
1168 RemainsAfterExit=no), this allow a correct state synchronisation
1169 between systemctl status and actual state of apache2 daemon.
1170 + d/apache2.install: place the apache2-systemd.conf file in the
1171 correct location.
1172 - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1173 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1174 + debian/config-dir/mods-available/http2.load: removed.
1175 + debian/rules: removed proxy_http2 from configure.
1176 * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
1177 - debian/control: switch BuildDepends to libssl1.0-dev
1178 - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
1179 - debian/rules: remove openssl virtual package and logic
1180
1181 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 10 Nov 2017 10:51:46 -0500
1182
474apache2 (2.4.29-1) unstable; urgency=medium1183apache2 (2.4.29-1) unstable; urgency=medium
4751184
476 [ Stefan Fritsch ]1185 [ Stefan Fritsch ]
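Review bot: The 2.4.29-1ubuntu3 entry says only "Switch back to OpenSSL 1.1." and names no files, whereas the 2.4.29-1ubuntu1 entry it reverses lists three separate changes (BuildDepends to libssl1.0-dev in debian/control, removal of the Breaks on gridsite and libapache2-mod-dacs, removal of the openssl virtual package logic in debian/rules). Spell out which of those three were restored, since a partial revert would leave the package building against one OpenSSL while declaring relationships for the other.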
@@ -535,6 +1244,47 @@ apache2 (2.4.27-3) experimental; urgency=medium
5351244
536 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +02001245 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +0200
5371246
1247apache2 (2.4.27-2ubuntu3) artful; urgency=medium
1248
1249 * SECURITY UPDATE: optionsbleed information leak
1250 - debian/patches/CVE-2017-9798.patch: disallow method registration
1251 at run time in server/core.c.
1252 - CVE-2017-9798
1253
1254 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Sep 2017 11:05:48 -0400
1255
1256apache2 (2.4.27-2ubuntu2) artful; urgency=medium
1257
1258 * Undrop (LP 1658469):
1259 - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1260 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1261 + debian/config-dir/mods-available/http2.load: removed.
1262 + debian/rules: removed proxy_http2 from configure.
1263
1264 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 02 Aug 2017 13:04:45 -0400
1265
1266apache2 (2.4.27-2ubuntu1) artful; urgency=medium
1267
1268 * Merge with Debian unstable (LP: #1702582). Remaining changes:
1269 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1270 apache2.dirs}: Add ufw profiles.
1271 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1272 - debian/patches/086_svn_cross_compiles: Backport several cross
1273 fixes from upstream
1274 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1275 Debian with Ubuntu on default page.
1276 + d/source/include-binaries: add Ubuntu icon file
1277 - Correct systemd-sysv-generator behavior by customizing some
1278 parameters:
1279 + d/apache2-systemd.conf: add a drop-in file to specify some
1280 parameters for the systemd unit (type=Forking and
1281 RemainsAfterExit=no), this allow a correct state synchronisation
1282 between systemctl status and actual state of apache2 daemon.
1283 + d/apache2.install: place the apache2-systemd.conf file in the
1284 correct location.
1285
1286 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 27 Jul 2017 13:38:39 -0700
1287
538apache2 (2.4.27-2) unstable; urgency=medium1288apache2 (2.4.27-2) unstable; urgency=medium
5391289
540 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more1290 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
@@ -564,6 +1314,55 @@ apache2 (2.4.25-4) unstable; urgency=high
5641314
565 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +02001315 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +0200
5661316
1317apache2 (2.4.25-3ubuntu3) artful; urgency=medium
1318
1319 * Re-Drop (LP: #1658469):
1320 - Don't build experimental http2 module for LTS:
1321 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1322 + debian/config-dir/mods-available/http2.load: removed.
1323 + debian/rules: removed proxy_http2 from configure.
1324 + debian/apache2.maintscript: remove http2 conffile.
1325
1326 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Mon, 01 May 2017 09:55:11 -0700
1327
1328apache2 (2.4.25-3ubuntu2) zesty; urgency=medium
1329 * Undrop (LP 1658469):
1330 - Don't build experimental http2 module for LTS:
1331 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1332 + debian/config-dir/mods-available/http2.load: removed.
1333 + debian/rules: removed proxy_http2 from configure.
1334 + debian/apache2.maintscript: remove http2 conffile.
1335
1336 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 10 Feb 2017 08:53:43 -0800
1337
1338apache2 (2.4.25-3ubuntu1) zesty; urgency=medium
1339
1340 * Merge from Debian unstable (LP: #1663425). Remaining changes:
1341 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1342 apache2.dirs}: Add ufw profiles.
1343 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1344 - debian/patches/086_svn_cross_compiles: Backport several cross
1345 fixes from upstream
1346 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1347 Debian with Ubuntu on default page.
1348 + d/source/include-binaries: add Ubuntu icon file
1349 - Correct systemd-sysv-generator behavior by customizing some
1350 parameters:
1351 + d/apache2-systemd.conf: add a drop-in file to specify some
1352 parameters for the systemd unit (type=Forking and
1353 RemainsAfterExit=no), this allow a correct state synchronisation
1354 between systemctl status and actual state of apache2 daemon.
1355 + d/apache2.install: place the apache2-systemd.conf file in the
1356 correct location.
1357 * Drop (LP: #1658469):
1358 - Don't build experimental http2 module for LTS:
1359 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1360 + debian/config-dir/mods-available/http2.load: removed.
1361 + debian/rules: removed proxy_http2 from configure.
1362 + debian/apache2.maintscript: remove http2 conffile.
1363
1364 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 09 Feb 2017 15:48:28 -0800
1365
567apache2 (2.4.25-3) unstable; urgency=medium1366apache2 (2.4.25-3) unstable; urgency=medium
5681367
569 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.1368 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
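Review bot: The 2.4.25-3ubuntu2 entry has no blank line between its heading "apache2 (2.4.25-3ubuntu2) zesty; urgency=medium" and the first change line "* Undrop (LP 1658469):", unlike every other entry in this hunk. Check this against the published upload and keep it only if the archive copy has the same layout. Otherwise restore the blank line so the entry follows the usual changelog form.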
@@ -625,6 +1424,39 @@ apache2 (2.4.25-1) unstable; urgency=medium
6251424
626 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +01001425 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +0100
6271426
1427apache2 (2.4.23-8ubuntu1) zesty; urgency=medium
1428
1429 * Merge from Debian unstable (LP: #). Remaining changes:
1430 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1431 apache2.dirs}: Add ufw profiles.
1432 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1433 - debian/patches/086_svn_cross_compiles: Backport several cross
1434 fixes from upstream
1435 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
1436 d/source/include-binaries: replace Debian with Ubuntu on default
1437 page.
1438 [ include-binaries change previously undocumented ]
1439 - Don't build experimental http2 module for LTS:
1440 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1441 + debian/config-dir/mods-available/http2.load: removed.
1442 + debian/rules: removed proxy_http2 from configure.
1443 + debian/apache2.maintscript: remove http2 conffile.
1444 [ Previously undocumented ]
1445 - Correct systemd-sysv-generator behavior by customizing some
1446 parameters:
1447 + d/apache2-systemd.conf: add a drop-in file to specify some
1448 parameters for the systemd unit (type=Forking and
1449 RemainsAfterExit=no), this allow a correct state synchronisation
1450 between systemctl status and actual state of apache2 daemon.
1451 + d/apache2.install: place the apache2-systemd.conf file in the
1452 correct location.
1453 * Drop:
1454 - debian/rules: Fix cross-building by passing
1455 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1456 [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]
1457
1458 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 09 Dec 2016 11:02:38 +0100
1459
628apache2 (2.4.23-8) unstable; urgency=medium1460apache2 (2.4.23-8) unstable; urgency=medium
6291461
630 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a1462 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
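Review bot: The merge line in the 2.4.23-8ubuntu1 entry reads "Merge from Debian unstable (LP: #). Remaining changes:" with the bug number left blank, so the entry references no bug at all. Fill in the merge bug or remove the empty parenthesis, unless the upload was published this way, in which case it should stay verbatim.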
@@ -635,6 +1467,33 @@ apache2 (2.4.23-8) unstable; urgency=medium
6351467
636 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +01001468 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100
6371469
1470apache2 (2.4.23-7ubuntu1) zesty; urgency=medium
1471
1472 * Merge from Debian unstable. Remaining changes:
1473 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1474 apache2.dirs}: Add ufw profiles.
1475 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1476 - debian/rules: Fix cross-building by passing
1477 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1478 - debian/patches/086_svn_cross_compiles: Backport several cross
1479 fixes from upstream
1480 - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1481 Debian with Ubuntu on default page.
1482 - Don't build experimental http2 module for LTS:
1483 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1484 + debian/config-dir/mods-available/http2.load: removed.
1485 + debian/rules: removed proxy_http2 from configure.
1486 - Correct systemd-sysv-generator behavior by customizing some
1487 parameters:
1488 + d/apache2-systemd.conf: add a drop-in file to specify some
1489 parameters for the systemd unit (type=Forking and
1490 RemainsAfterExit=no), this allow a correct state synchronisation
1491 between systemctl status and actual state of apache2 daemon.
1492 + d/apache2.install: place the apache2-systemd.conf file in the
1493 correct location.
1494
1495 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Nov 2016 09:17:24 -0500
1496
638apache2 (2.4.23-7) unstable; urgency=medium1497apache2 (2.4.23-7) unstable; urgency=medium
6391498
640 * Make apache2-dev depend on openssl 1.0, too. Closes: #8441601499 * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
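Review bot: the Remaining changes list in 2.4.23-7ubuntu1 (new-file lines 1476-1477) still carries "debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure", which the next entry up (new-file lines 1454-1456) drops as "Incorrectly indicated as delta, fixed by Debian in 2.4.18-2". The published entry should stay verbatim, but for the new merge entry at the top of this file, build the remaining-changes list from the actual diff against the Debian package rather than by copying the previous list, so that stale items like this one are not carried forward again.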
@@ -749,6 +1608,55 @@ apache2 (2.4.20-1) unstable; urgency=medium
7491608
750 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +02001609 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200
7511610
1611apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium
1612
1613 * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
1614 - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
1615 server/util_script.c.
1616 - CVE-2016-5387
1617
1618 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Jul 2016 14:32:02 -0400
1619
1620apache2 (2.4.18-2ubuntu3) xenial; urgency=medium
1621
1622 [ Ryan Harper ]
1623 * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
1624 introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
1625 all, since http2 support is intentionally disabled (see LP 1531864).
1626 * d/apache2.maintscript: handle removal of http2.load conffile.
1627
1628 [ Robie Basak ]
1629 * Re-write Ryan's changelog entry.
1630
1631 -- Robie Basak <robie.basak@ubuntu.com> Fri, 15 Apr 2016 18:00:57 +0000
1632
1633apache2 (2.4.18-2ubuntu2) xenial; urgency=medium
1634
1635 * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
1636 - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
1637 unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation
1638 between systemctl status and actual state of apache2 daemon.
1639 - d/apache2.install: place the apache2-systemd.conf file in the correct location.
1640
1641 -- Pierre-André MOREY <pierre-andre.morey@canonical.com> Fri, 08 Apr 2016 11:48:00 +0200
1642
1643apache2 (2.4.18-2ubuntu1) xenial; urgency=medium
1644
1645 * Merge from Debian unstable. Remaining changes:
1646 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1647 apache2.dirs}: Add ufw profiles.
1648 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1649 - debian/rules: Fix cross-building by passing
1650 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1651 - debian/patches/086_svn_cross_compiles: Backport several cross
1652 fixes from upstream
1653 - d/index.html: replace Debian with Ubuntu on default page.
1654 - Don't build experimental http2 module for LTS:
1655 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1656 + debian/config-dir/mods-available/http2.load: removed.
1657
1658 -- Timo Aaltonen <tjaalton@debian.org> Wed, 06 Apr 2016 00:18:31 +0300
1659
752apache2 (2.4.18-2) unstable; urgency=low1660apache2 (2.4.18-2) unstable; urgency=low
7531661
754 * htcacheclean:1662 * htcacheclean:
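Review bot: the 2.4.18-2ubuntu1 entry (new-file lines 1645-1656) no longer lists "Add dep8 tests.", which 2.4.18-1ubuntu1 still carries as remaining delta, and it has no Drop stanza saying whether the tests were adopted by Debian or lost in the merge. Worth confirming against the package tree that the tests are still present. Separately, new-file lines 1635-1639 in 2.4.18-2ubuntu2 run well past 80 columns; since these are published entries, leave them unwrapped so the history matches what was uploaded.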
@@ -774,6 +1682,24 @@ apache2 (2.4.18-2) unstable; urgency=low
7741682
775 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +02001683 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200
7761684
1685apache2 (2.4.18-1ubuntu1) xenial; urgency=medium
1686
1687 * Merge from Debian unstable. Remaining changes:
1688 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1689 apache2.dirs}: Add ufw profiles.
1690 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1691 - Add dep8 tests.
1692 - debian/rules: Fix cross-building by passing
1693 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1694 - debian/patches/086_svn_cross_compiles: Backport several cross
1695 fixes from upstream
1696 - d/index.html: replace Debian with Ubuntu on default page.
1697 - Don't build experimental http2 module for LTS:
1698 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1699 + debian/config-dir/mods-available/http2.load: removed.
1700
1701 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Jan 2016 15:15:22 -0500
1702
777apache2 (2.4.18-1) unstable; urgency=medium1703apache2 (2.4.18-1) unstable; urgency=medium
7781704
779 * New upstream release:1705 * New upstream release:
@@ -781,12 +1707,48 @@ apache2 (2.4.18-1) unstable; urgency=medium
7811707
782 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +01001708 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100
7831709
1710apache2 (2.4.17-3ubuntu1) xenial; urgency=medium
1711
1712 * Merge from Debian unstable. Remaining changes:
1713 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1714 apache2.dirs}: Add ufw profiles.
1715 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1716 - Add dep8 tests.
1717 - debian/rules: Fix cross-building by passing
1718 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1719 - debian/patches/086_svn_cross_compiles: Backport several cross
1720 fixes from upstream
1721 - d/index.html: replace Debian with Ubuntu on default page.
1722 - Don't build experimental http2 module for LTS:
1723 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1724 + debian/config-dir/mods-available/http2.load: removed.
1725
1726 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Dec 2015 10:07:35 -0500
1727
784apache2 (2.4.17-3) unstable; urgency=medium1728apache2 (2.4.17-3) unstable; urgency=medium
7851729
786 * mpm_prefork: Fix segfault if started with -X. Closes: #8057371730 * mpm_prefork: Fix segfault if started with -X. Closes: #805737
7871731
788 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +01001732 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100
7891733
1734apache2 (2.4.17-2ubuntu1) xenial; urgency=medium
1735
1736 * Merge from Debian unstable. Remaining changes:
1737 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1738 apache2.dirs}: Add ufw profiles.
1739 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1740 - Add dep8 tests.
1741 - debian/rules: Fix cross-building by passing
1742 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1743 - debian/patches/086_svn_cross_compiles: Backport several cross
1744 fixes from upstream
1745 - d/index.html: replace Debian with Ubuntu on default page.
1746 - Don't build experimental http2 module for LTS:
1747 + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1748 + debian/config-dir/mods-available/http2.load: removed.
1749
1750 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Nov 2015 09:11:52 -0500
1751
790apache2 (2.4.17-2) unstable; urgency=medium1752apache2 (2.4.17-2) unstable; urgency=medium
7911753
792 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke1754 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
@@ -797,6 +1759,31 @@ apache2 (2.4.17-2) unstable; urgency=medium
7971759
798 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +01001760 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100
7991761
1762apache2 (2.4.17-1ubuntu1) xenial; urgency=medium
1763
1764 * Merge from Debian unstable. Remaining changes:
1765 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1766 apache2.dirs}: Add ufw profiles.
1767 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1768 - Add dep8 tests.
1769 - debian/rules: Fix cross-building by passing
1770 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1771 - debian/patches/086_svn_cross_compiles: Backport several cross
1772 fixes from upstream
1773 - d/index.html: replace Debian with Ubuntu on default page.
1774 * Drop patches (applied upstream):
1775 - debian/patches/CVE-2015-3183.patch
1776 - debian/patches/CVE-2015-3185.patch
1777 * Drop changes (adopted in Debian):
1778 - Allow "triggers-awaited" and "triggers-pending" states in addition
1779 to "installed" when determining whether to defer actions or
1780 process deferred actions.
1781 * Don't build experimental http2 module for LTS
1782 - debian/control: removed libnghttp2-dev Build-Depends (in universe).
1783 - debian/config-dir/mods-available/http2.load: removed.
1784
1785 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 30 Oct 2015 09:35:46 -0400
1786
800apache2 (2.4.17-1) unstable; urgency=medium1787apache2 (2.4.17-1) unstable; urgency=medium
8011788
802 [ Stefan Fritsch ]1789 [ Stefan Fritsch ]
@@ -862,6 +1849,49 @@ apache2 (2.4.16-1) unstable; urgency=medium
8621849
863 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +02001850 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200
8641851
1852apache2 (2.4.12-2ubuntu2) wily; urgency=medium
1853
1854 * SECURITY UPDATE: request smuggling via chunked transfer encoding
1855 - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
1856 modules/http/http_filters.c.
1857 - CVE-2015-3183
1858 * SECURITY UPDATE: access restriction bypass via deprecated API
1859 - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
1860 in include/http_request.h, server/request.c.
1861 - CVE-2015-3185
1862
1863 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 24 Jul 2015 09:56:09 -0400
1864
1865apache2 (2.4.12-2ubuntu1) wily; urgency=medium
1866
1867 * Merge from Debian unstable. Remaining changes:
1868 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1869 apache2.dirs}: Add ufw profiles.
1870 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1871 - Add dep8 tests.
1872 - debian/rules: Fix cross-building by passing
1873 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1874 - debian/patches/086_svn_cross_compiles: Backport several cross
1875 fixes from upstream
1876 - d/index.html: replace Debian with Ubuntu on default page.
1877 - Allow "triggers-awaited" and "triggers-pending" states in addition
1878 to "installed" when determining whether to defer actions or
1879 process deferred actions.
1880 * Drop patches (applied upstream):
1881 - d/p/split-logfile.patch
1882 - d/p/CVE-2015-0228.patch
1883 * Drop changes (superceded in Debian):
1884 - Cherry-pick versioned build-depend on dpkg from Debian for correct
1885 dpkg-maintscript-helper symlink_to_dir support.
1886 * Drop changes (adopted in Debian):
1887 - d/control, d/config-dir/mods-available/ssl.conf,
1888 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1889 dialog program ask-for-passphrase.
1890 * Fix cross-building configure line in d/rules, which had bit-rotted in
1891 previous merges.
1892
1893 -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 May 2015 16:34:00 +0000
1894
865apache2 (2.4.12-2) unstable; urgency=medium1895apache2 (2.4.12-2) unstable; urgency=medium
8661896
867 [ Jean-Michel Nirgal Vourgère ]1897 [ Jean-Michel Nirgal Vourgère ]
@@ -911,6 +1941,28 @@ apache2 (2.4.10-10) unstable; urgency=medium
9111941
912 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +01001942 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100
9131943
1944apache2 (2.4.10-9ubuntu1) vivid; urgency=medium
1945
1946 * Merge from Debian unstable. Remaining changes:
1947 - debian/{control, apache2.install, apache2-utils.ufw.profile,
1948 apache2.dirs}: Add ufw profiles.
1949 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1950 - d/control, d/config-dir/mods-available/ssl.conf,
1951 - Add dep8 tests.
1952 - debian/rules: Fix cross-building by passing
1953 DEB_{HOST,BUILD}_GNU_TYPE to configure.
1954 - debian/patches/086_svn_cross_compiles: Backport several cross
1955 fixes from upstream
1956 - d/index.html: replace Debian with Ubuntu on default page.
1957 - d/p/split-logfile.patch: fix completely broken split-logfile
1958 command.
1959 - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
1960 denial of service in mod_lua via websockets PING
1961 * debian/tests/ssl-passphrase: Add password responder for
1962 systemd-ask-passphrase.
1963
1964 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 09 Mar 2015 12:03:16 +0100
1965
914apache2 (2.4.10-9) unstable; urgency=medium1966apache2 (2.4.10-9) unstable; urgency=medium
9151967
916 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a1968 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
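Review bot: new-file line 1950 in 2.4.10-9ubuntu1, "- d/control, d/config-dir/mods-available/ssl.conf,", ends in a comma and has no description, so the item is cut off; the 2.4.10-8ubuntu1 entry shows the full text (the Plymouth aware ask-for-passphrase item). The same entry keeps d/p/CVE-2015-0228.patch but never says what happened to debian/patches/CVE-2014-8109.patch from 2.4.10-8ubuntu3, although the trailing context line shows Debian 2.4.10-9 fixing CVE-2014-8109 itself. If this matches the uploaded changelog, keep it verbatim, but do not treat this entry as a reliable record of the security delta at that version.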
@@ -925,6 +1977,54 @@ apache2 (2.4.10-9) unstable; urgency=medium
9251977
926 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +01001978 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100
9271979
1980apache2 (2.4.10-8ubuntu3) vivid; urgency=medium
1981
1982 * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
1983 directives
1984 - debian/patches/CVE-2014-8109.patch: handle multiple Require
1985 directives with different arguments in modules/lua/mod_lua.c.
1986 - CVE-2014-8109
1987 * SECURITY UPDATE: denial of service in mod_lua via websockets PING
1988 - debian/patches/CVE-2015-0228.patch: fix logic in
1989 modules/lua/lua_request.c.
1990 - CVE-2015-0228
1991
1992 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 05 Mar 2015 10:56:34 -0500
1993
1994apache2 (2.4.10-8ubuntu2) vivid; urgency=medium
1995
1996 * Allow "triggers-awaited" and "triggers-pending" states in addition to
1997 "installed" when determining whether to defer actions or process
1998 deferred actions (LP: #1393832).
1999
2000 -- Colin Watson <cjwatson@ubuntu.com> Wed, 26 Nov 2014 11:31:44 +0000
2001
2002apache2 (2.4.10-8ubuntu1) vivid; urgency=medium
2003
2004 * Merge from Debian unstable. Remaining changes:
2005 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2006 apache2.dirs}: Add ufw profiles.
2007 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2008 - d/control, d/config-dir/mods-available/ssl.conf,
2009 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
2010 dialog program ask-for-passphrase.
2011 - Add dep8 tests.
2012 - debian/rules: Fix cross-building by passing
2013 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2014 - debian/patches/086_svn_cross_compiles: Backport several cross
2015 fixes from upstream
2016 - d/index.html: replace Debian with Ubuntu on default page.
2017 - d/p/split-logfile.patch: fix completely broken split-logfile
2018 command.
2019 * Fixes from Debian included in merge:
2020 - Crash caused by OCSP stapling code; this was erroneously
2021 attributed to Debian in my previous merge, but actually only
2022 appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
2023 * Cherry-pick versioned build-depend on dpkg from Debian for correct
2024 dpkg-maintscript-helper symlink_to_dir support.
2025
2026 -- Robie Basak <robie.basak@ubuntu.com> Fri, 21 Nov 2014 15:15:58 +0000
2027
928apache2 (2.4.10-8) unstable; urgency=medium2028apache2 (2.4.10-8) unstable; urgency=medium
9292029
930 * Bump dpkg Pre-Depends to version that supports relative symlinks in2030 * Bump dpkg Pre-Depends to version that supports relative symlinks in
@@ -939,6 +2039,33 @@ apache2 (2.4.10-8) unstable; urgency=medium
9392039
940 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +01002040 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100
9412041
2042apache2 (2.4.10-7ubuntu1) vivid; urgency=medium
2043
2044 * Merge from Debian unstable. Remaining changes:
2045 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2046 apache2.dirs}: Add ufw profiles.
2047 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2048 - d/control, d/config-dir/mods-available/ssl.conf,
2049 d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
2050 dialog program ask-for-passphrase.
2051 - Add dep8 tests.
2052 - debian/rules: Fix cross-building by passing
2053 DEB_{HOST,BUILD}_GNU_TYPE to configure.
2054 - debian/patches/086_svn_cross_compiles: Backport several cross
2055 fixes from upstream
2056 - d/index.html: replace Debian with Ubuntu on default page.
2057 - d/p/split-logfile.patch: fix completely broken split-logfile command.
2058 * Fixes from Debian included in merge:
2059 - Don't use a2query in preinst, as it may not be available yet
2060 (LP: #1312533).
2061 - Crash caused by OCSP stapling code (LP: #1366174).
2062 - Disable SSLv3 in default config (LP: #1358305).
2063 - If apache2 is not configured yet, defer actions executed via
2064 apache2-maintscript-helper. This fixes installation failures if a
2065 module package is configured first (LP: #1312854).
2066
2067 -- Robie Basak <robie.basak@ubuntu.com> Mon, 17 Nov 2014 18:04:40 +0000
2068
942apache2 (2.4.10-7) unstable; urgency=medium2069apache2 (2.4.10-7) unstable; urgency=medium
9432070
944 * Handle transitions of doc dirs and symlinks correctly during upgrade.2071 * Handle transitions of doc dirs and symlinks correctly during upgrade.
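Review bot: new-file line 2061 credits this merge (2.4.10-7ubuntu1) with the OCSP stapling crash fix and closes LP: #1366174, but the 2.4.10-8ubuntu1 entry (new-file lines 2020-2022) says that attribution was wrong and the fix only appears in 2.4.10-8. The bug is therefore closed by two entries. Leave the published text alone, and use the 2.4.10-8ubuntu1 entry when working out which version first carried the fix.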
@@ -1022,6 +2149,25 @@ apache2 (2.4.10-2) unstable; urgency=medium
10222149
1023 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +02002150 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200
10242151
2152apache2 (2.4.10-1ubuntu1) utopic; urgency=medium
2153
2154 * Merge from Debian unstable. Remaining changes:
2155 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2156 apache2.dirs}: Add ufw profiles.
2157 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2158 - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
2159 d/apache2.install: Plymouth aware passphrase dialog program
2160 ask-for-passphrase.
2161 - Add dep8 tests.
2162 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
2163 configure.
2164 - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
2165 upstream
2166 - d/index.html: replace Debian with Ubuntu on default page.
2167 - d/p/split-logfile.patch: fix completely broken split-logfile command.
2168
2169 -- Robie Basak <robie.basak@ubuntu.com> Thu, 24 Jul 2014 15:13:16 +0000
2170
1025apache2 (2.4.10-1) unstable; urgency=medium2171apache2 (2.4.10-1) unstable; urgency=medium
10262172
1027 [ Arno Töll ]2173 [ Arno Töll ]
@@ -1069,6 +2215,45 @@ apache2 (2.4.9-2) unstable; urgency=medium
10692215
1070 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +02002216 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200
10712217
2218apache2 (2.4.9-1ubuntu2) utopic; urgency=medium
2219
2220 * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
2221 yet support building against lua 5.2 (LP: #1323930).
2222
2223 -- Robie Basak <robie.basak@ubuntu.com> Wed, 28 May 2014 08:55:25 +0000
2224
2225apache2 (2.4.9-1ubuntu1) utopic; urgency=medium
2226
2227 * Merge from Debian unstable. Remaining changes:
2228 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2229 apache2.dirs}: Add ufw profiles.
2230 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2231 - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
2232 d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
2233 dialog program ask-for-passphrase.
2234 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
2235 configure.
2236 - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
2237 upstream
2238 - Build using lua5.2.
2239 - d/tests/chroot: dep8 test for ChrootDir case.
2240 - d/tests/ssl-passphrase: update for new default path /var/www/html.
2241 - d/tests/duplicate-module-load: check for duplicate module loads.
2242 - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
2243 - d/p/split-logfile.patch: fix completely broken split-logfile command
2244 (LP: #1299162). Thanks to Holger Mauermann.
2245 * Drop changes (upstreamed):
2246 - d/p/ignore-quilt-dir: adjust build system so that it does not use
2247 files find inside the .pc directory. This stops a double module load
2248 causing later havoc, including "ChrootDir" directive failure.
2249 - debian/patches/CVE-2013-6438.patch: properly calculate correct length
2250 in modules/dav/main/util.c.
2251 - debian/patches/CVE-2014-0098.patch: properly parse tokens in
2252 modules/loggers/mod_log_config.c.
2253 * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
2254
2255 -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 May 2014 19:30:04 +0000
2256
1072apache2 (2.4.9-1) unstable; urgency=medium2257apache2 (2.4.9-1) unstable; urgency=medium
10732258
1074 * New upstream version.2259 * New upstream version.
@@ -1101,6 +2286,63 @@ apache2 (2.4.9-1) unstable; urgency=medium
11012286
1102 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +01002287 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +0100
11032288
2289apache2 (2.4.7-1ubuntu4) trusty; urgency=medium
2290
2291 * d/p/split-logfile.patch: fix completely broken split-logfile command
2292 (LP: #1299162). Thanks to Holger Mauermann.
2293
2294 -- Robie Basak <robie.basak@ubuntu.com> Thu, 03 Apr 2014 11:21:22 +0000
2295
2296apache2 (2.4.7-1ubuntu3) trusty; urgency=medium
2297
2298 * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
2299 calculation
2300 - debian/patches/CVE-2013-6438.patch: properly calculate correct length
2301 in modules/dav/main/util.c.
2302 - CVE-2013-6438
2303 * SECURITY UPDATE: denial of service via truncated cookie and
2304 mod_log_config
2305 - debian/patches/CVE-2014-0098.patch: properly parse tokens in
2306 modules/loggers/mod_log_config.c.
2307 - CVE-2014-0098
2308
2309 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Mar 2014 08:34:10 -0400
2310
2311apache2 (2.4.7-1ubuntu2) trusty; urgency=medium
2312
2313 * d/index.html: replace Debian with Ubuntu on default page
2314 (LP: #1288690).
2315
2316 -- Robie Basak <robie.basak@ubuntu.com> Wed, 19 Mar 2014 11:04:21 +0000
2317
2318apache2 (2.4.7-1ubuntu1) trusty; urgency=medium
2319
2320 * Merge from Debian unstable. Remaining changes:
2321 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2322 apache2.dirs}: Add ufw profiles.
2323 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2324 - d/control, d/config-dir/mods-available/ssl.conf,
2325 d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase:
2326 Plymouth aware passphrase dialog program ask-for-passphrase.
2327 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
2328 to configure.
2329 - debian/patches/086_svn_cross_compiles: Backport several cross fixes
2330 from upstream
2331 - Build using lua5.2.
2332 - d/tests/chroot: dep8 test for ChrootDir case.
2333 - d/p/ignore-quilt-dir: adjust build system so that it does not use
2334 files find inside the .pc directory. This stops a double module load
2335 causing later havoc, including "ChrootDir" directive failure.
2336 * Drop changes:
2337 - debian/{control, rules}: Enable PIE hardening: no longer required;
2338 2.4.7-1 is already hardened.
2339 - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved
2340 out of this package.
2341 * d/tests/ssl-passphrase: update for new default path /var/www/html.
2342 * d/tests/duplicate-module-load: check for duplicate module loads.
2343
2344 -- Robie Basak <robie.basak@ubuntu.com> Tue, 14 Jan 2014 17:23:47 +0000
2345
1104apache2 (2.4.7-1) unstable; urgency=low2346apache2 (2.4.7-1) unstable; urgency=low
11052347
1106 New upstream version2348 New upstream version
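Review bot: new-file lines 2337-2338 drop "Enable PIE hardening" on the grounds that "2.4.7-1 is already hardened", with no bug or Debian changelog reference behind the claim. None of the later entries visible here reinstate it, so check the binaries built from this merge for PIE (for example with hardening-check on the built apache2 binary) rather than relying on this entry.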
@@ -1164,6 +2406,53 @@ apache2 (2.4.6-3) unstable; urgency=low
11642406
1165 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +02002407 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +0200
11662408
2409apache2 (2.4.6-2ubuntu4) trusty; urgency=low
2410
2411 * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so
2412 that it does not use files find inside the .pc directory. This stops a
2413 double module load causing later havoc, including "ChrootDir" directive
2414 failure (LP: #1251939). Thanks to Stefan Fritsch.
2415 * d/tests/chroot: dep8 test for ChrootDir case.
2416
2417 -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 Nov 2013 16:21:51 +0000
2418
2419apache2 (2.4.6-2ubuntu3) trusty; urgency=low
2420
2421 * debian/apache2.install: Correct path for ufw.
2422 (LP: #1252722)
2423
2424 -- Chuck Short <zulcss@ubuntu.com> Tue, 19 Nov 2013 08:59:54 -0500
2425
2426apache2 (2.4.6-2ubuntu2) saucy; urgency=low
2427
2428 * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes
2429 passphrase prompting for SSL certificates that are passphrase protected.
2430 * Add dep8 test for SSL passphrase prompting.
2431
2432 -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 Aug 2013 13:08:52 +0000
2433
2434apache2 (2.4.6-2ubuntu1) saucy; urgency=low
2435
2436 * Merge from Debian unstable. Remaining changes:
2437 - debian/{control, rules}: Enable PIE hardening.
2438 - debian/{control, apache2.install, apache2-utils.ufw.profile,
2439 apache2.dirs}: Add ufw profiles.
2440 - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
2441 - debian/control, debian/config-dir/mods-available/ssl.conf,
2442 debian/ask-for-passphrase, debian/apache2.install: Plymouth aware
2443 passphrase dialog program ask-for-passphrase.
2444 - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
2445 to configure.
2446 - debian/patches/086_svn_cross_compiles: Backport several cross fixes
2447 from upstream
2448 * Dropped changes:
2449 - debian/patches/CVE-2013-1896.patch: upstream
2450 * Fixed module dependencies (LP: #1205314)
2451 - debian/config-dir/mods-available/lbmethod_*: properly specify
2452 proxy_balancer, not mod_proxy_balancer.
2453
2454 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Jul 2013 08:31:33 -0400
2455
1167apache2 (2.4.6-2) unstable; urgency=low2456apache2 (2.4.6-2) unstable; urgency=low
11682457
1169 [ Stefan Fritsch ]2458 [ Stefan Fritsch ]
@@ -1216,6 +2505,56 @@ apache2 (2.4.6-1) unstable; urgency=low
12162505
1217 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +02002506 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +0200
12182507
2508apache2 (2.4.4-6ubuntu5) saucy; urgency=low
2509
2510 * SECURITY UPDATE: denial of service via MERGE request
2511 - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
2512 in modules/dav/main/mod_dav.c.
2513 - CVE-2013-1896
2514
2515 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Jul 2013 11:20:47 -0400
2516
2517apache2 (2.4.4-6ubuntu4) saucy; urgency=low
2518
2519 * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to
2520 apache2-bin. apache2-utils is only suggested by apache2, so may not
2521 always be installed by bug reporters. However, apache2-bin will always
2522 need to be installed for Apache to be functional, so this is a better
2523 place for the apport hook. apache2-bin already Conflicts/Replaces
2524 apache2.2-common, so this also fixes (LP: #1199318).
2525 * d/apache2.py: adjust apport hook for new location of configuration
2526 files in apache2 >= 2.4: they have moved from apache2.2-common to
2527 apache2.
2528
2529 -- Robie Basak <robie.basak@ubuntu.com> Wed, 17 Jul 2013 17:54:22 +0000
2530
2531apache2 (2.4.4-6ubuntu3) saucy; urgency=low
2532
2533 * Build using lua5.2.
2534
2535 -- Matthias Klose <doko@ubuntu.com> Wed, 17 Jul 2013 14:24:42 +0200
2536
2537apache2 (2.4.4-6ubuntu2) saucy; urgency=low
2538
2539 * debian/rules: Fix FTBFS while installing ufw.
2540
2541 -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 10:10:14 -0500
2542
2543apache2 (2.4.4-6ubuntu1) saucy; urgency=low
2544
2545 * Merge from Debian unstable. Remaining changes:
2546 - debian/{control, rules}: Enable PIE hardening.
2547 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2548 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2549 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2550 Plymouth aware passphrase dialog program ask-for-passphrase.
2551 * Dropped changes:
2552 - debian/patches/CVE-2012-2687.patch: Dropped no longer needed.
2553 - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed.
2554 - debian/patches/CVE-2012-4929.patch: Dropped no longer needed.
2555
2556 -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 08:34:01 -0500
2557
1219apache2 (2.4.4-6) unstable; urgency=low2558apache2 (2.4.4-6) unstable; urgency=low
12202559
1221 * Denote exact versions breaking gnome-user-share now that Gnome maintainers2560 * Denote exact versions breaking gnome-user-share now that Gnome maintainers
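Review bot: new-file lines 2552-2554 in 2.4.4-6ubuntu1 drop three CVE patches (CVE-2012-2687, CVE-2012-3499_4558, CVE-2012-4929) with only "Dropped no longer needed", which does not say whether the fixes are contained in the new upstream version or were abandoned. Later entries in this file use "Drop patches (applied upstream)"; for the new merge entry, give each dropped security patch that kind of explicit reason so the drop can be audited.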
@@ -1687,6 +3026,122 @@ apache2 (2.4.1-1) experimental; urgency=low
16873026
1688 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +01003027 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +0100
16893028
3029apache2 (2.2.22-6ubuntu5) raring; urgency=low
3030
3031 * SECURITY UPDATE: multiple cross-site scripting issues
3032 - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
3033 modules/generators/{mod_info.c,mod_status.c},
3034 modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
3035 modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
3036 - CVE-2012-3499
3037 - CVE-2012-4558
3038 * SECURITY UPDATE: symlink attack in apache2ctl script
3039 - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
3040 - Thanks to Stefan Fritsch for the fix.
3041 - CVE-2013-1048
3042
3043 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 15 Mar 2013 07:59:58 -0400
3044
3045apache2 (2.2.22-6ubuntu4) raring; urgency=low
3046
3047 * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
3048 * Skip module sanity check between MPMs if cross-building without the
3049 kernel/binfmt support to run our target binaries on the build system.
3050 * Backport several cross fixes from upstream as 086_svn_cross_compiles.
3051
3052 -- Adam Conrad <adconrad@ubuntu.com> Wed, 05 Dec 2012 02:21:46 -0700
3053
3054apache2 (2.2.22-6ubuntu3) raring; urgency=low
3055
3056 * SECURITY UPDATE: XSS vulnerability in mod_negotiation
3057 - debian/patches/CVE-2012-2687.patch: escape filenames in
3058 modules/mappers/mod_negotiation.c.
3059 - CVE-2012-2687
3060 * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
3061 - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
3062 directive. Defaults to off as enabling compression enables the CRIME
3063 attack.
3064 - CVE-2012-4929
3065
3066 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 08 Nov 2012 17:56:24 -0500
3067
3068apache2 (2.2.22-6ubuntu2) quantal; urgency=low
3069
3070 * debian/apache2.py
3071 - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171)
3072 - Check if this directory exists: /etc/apache2/sites-enabled/
3073
3074 -- Matthieu Baerts (matttbe) <matttbe@gmail.com> Mon, 16 Jul 2012 10:02:18 +0200
3075
3076apache2 (2.2.22-6ubuntu1) quantal; urgency=low
3077
3078 * Merge from Debian unstable. Remaining changes:
3079 - debian/{control, rules}: Enable PIE hardening.
3080 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3081 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3082 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3083 Plymouth aware passphrase dialog program ask-for-passphrase.
3084 * Dropped changes:
3085 - debian/control: Add bzr tag and point it to our tree; this is not
3086 really required and just increases the delta.
3087
3088 -- Robie Basak <robie.basak@ubuntu.com> Fri, 08 Jun 2012 11:37:31 +0100
3089
3090apache2 (2.2.22-6) unstable; urgency=low
3091
3092 [ Stefan Fritsch ]
3093 * Fix regression causing apache2 to cache "206 partial content" responses,
3094 and then serving these partial responses when replying to normal requests.
3095 Closes: #671204
3096 * Add section to security.conf that shows how to forbid access to VCS
3097 directories. Closes: #548213
3098 * Update ssl default cipher config, add alternative speed optimized config.
3099 Closes: #649020
3100 * Add "AddCharset" for .brf files in default mod_mime config.
3101 Closes: #402567
3102 * Don't create httpd.conf anymore and don't include it in apache2.conf. If
3103 it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
3104 * Port some of the comments in apache2.conf from the 2.4 package.
3105 * Compile mod_version statically, drop associated module load file.
3106 * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
3107 configtest.
3108 * Note in README.Debian that future versions of the package will have the
3109 include statements changed to include only *.conf.
3110 * Change compiled-in document root to /var/www, to avoid strange error
3111 messages.
3112 * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
3113
3114 [ Arno Töll ]
3115 * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
3116 to override LDFLAGS at compile time by defining LDLAGS in the environment,
3117 just like it is possible for CFLAGS. This also means, config_vars.mk now
3118 exports hardening build flags by default.
3119 * Update doc-base metadata for the apache2-doc package.
3120
3121 -- Stefan Fritsch <sf@debian.org> Tue, 29 May 2012 22:05:48 +0200
3122
3123apache2 (2.2.22-5) unstable; urgency=low
3124
3125 * Make LoadFile and LoadModule look in the standard search paths if the
3126 dso file name is given as a pure filename. This helps with the multi-arch
3127 transition.
3128
3129 -- Stefan Fritsch <sf@debian.org> Mon, 30 Apr 2012 23:38:33 +0200
3130
3131apache2 (2.2.22-4) unstable; urgency=high
3132
3133 * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
3134 hosts' config files.
3135 If scripting modules like mod_php or mod_rivet are enabled on systems
3136 where either 1) some frontend server forwards connections to an apache2
3137 backend server on the localhost address, or 2) the machine running
3138 apache2 is also used for web browsing, this could allow a remote
3139 attacker to execute example scripts stored under /usr/share/doc.
3140 Depending on the installed packages, this could lead to issues like cross
3141 site scripting, code execution, or leakage of sensitive data.
3142
3143 -- Stefan Fritsch <sf@debian.org> Sun, 15 Apr 2012 23:41:43 +0200
3144
1690apache2 (2.2.22-3) unstable; urgency=low3145apache2 (2.2.22-3) unstable; urgency=low
16913146
1692 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':3147 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
@@ -1707,6 +3162,18 @@ apache2 (2.2.22-2) unstable; urgency=low
17073162
1708 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +01003163 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +0100
17093164
3165apache2 (2.2.22-1ubuntu1) precise; urgency=low
3166
3167 * Merge from Debian testing. Remaining changes:
3168 - debian/{control, rules}: Enable PIE hardening.
3169 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3170 - debian/control: Add bzr tag and point it to our tree
3171 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3172 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3173 Plymouth aware passphrase dialog program ask-for-passphrase.
3174
3175 -- Chuck Short <zulcss@ubuntu.com> Sun, 12 Feb 2012 20:06:35 -0500
3176
1710apache2 (2.2.22-1) unstable; urgency=low3177apache2 (2.2.22-1) unstable; urgency=low
17113178
1712 [ Stefan Fritsch ]3179 [ Stefan Fritsch ]
@@ -1724,6 +3191,18 @@ apache2 (2.2.22-1) unstable; urgency=low
17243191
1725 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +01003192 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +0100
17263193
3194apache2 (2.2.21-5ubuntu1) precise; urgency=low
3195
3196 * Merge from Debian testing. Remaining changes:
3197 - debian/{control, rules}: Enable PIE hardening.
3198 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3199 - debian/control: Add bzr tag and point it to our tree
3200 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3201 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3202 Plymouth aware passphrase dialog program ask-for-passphrase.
3203
3204 -- Chuck Short <zulcss@ubuntu.com> Mon, 09 Jan 2012 06:26:31 +0000
3205
1727apache2 (2.2.21-5) unstable; urgency=low3206apache2 (2.2.21-5) unstable; urgency=low
17283207
1729 [ Arno Töll ]3208 [ Arno Töll ]
@@ -1777,6 +3256,26 @@ apache2 (2.2.21-4) unstable; urgency=low
17773256
1778 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +01003257 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +0100
17793258
3259apache2 (2.2.21-3ubuntu2) precise; urgency=low
3260
3261 * d/ask-for-passphrase: Flip the logic of this script so that it checks
3262 first to see if apache is being started from a TTY, and then if not,
3263 tries plymouth. (LP: #887410)
3264
3265 -- Clint Byrum <clint@ubuntu.com> Tue, 06 Dec 2011 16:49:33 -0800
3266
3267apache2 (2.2.21-3ubuntu1) precise; urgency=low
3268
3269 * Merge from Debian testing. Remaining changes:
3270 - debian/{control, rules}: Enable PIE hardening.
3271 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3272 - debian/control: Add bzr tag and point it to our tree
3273 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3274 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3275 Plymouth aware passphrase dialog program ask-for-passphrase.
3276
3277 -- Chuck Short <zulcss@ubuntu.com> Fri, 09 Dec 2011 05:20:43 +0000
3278
1780apache2 (2.2.21-3) unstable; urgency=medium3279apache2 (2.2.21-3) unstable; urgency=medium
17813280
1782 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some3281 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
@@ -1791,6 +3290,24 @@ apache2 (2.2.21-3) unstable; urgency=medium
17913290
1792 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +01003291 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +0100
17933292
3293apache2 (2.2.21-2ubuntu2) precise; urgency=low
3294
3295 * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
3296
3297 -- Adam Conrad <adconrad@ubuntu.com> Fri, 02 Dec 2011 17:36:28 -0700
3298
3299apache2 (2.2.21-2ubuntu1) precise; urgency=low
3300
3301 * Merge from debian unstable. Remaining changes:
3302 - debian/{control, rules}: Enable PIE hardening.
3303 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3304 - debian/control: Add bzr tag and point it to our tree
3305 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3306 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3307 Plymouth aware passphrase dialog program ask-for-passphrase.
3308
3309 -- Chuck Short <zulcss@ubuntu.com> Fri, 14 Oct 2011 16:01:29 +0000
3310
1794apache2 (2.2.21-2) unstable; urgency=high3311apache2 (2.2.21-2) unstable; urgency=high
17953312
1796 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some3313 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
@@ -1808,6 +3325,19 @@ apache2 (2.2.21-1) unstable; urgency=low
18083325
1809 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +02003326 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +0200
18103327
3328apache2 (2.2.20-1ubuntu1) oneiric; urgency=low
3329
3330 * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
3331 Remaining changes:
3332 - debian/{control, rules}: Enable PIE hardening.
3333 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3334 - debian/control: Add bzr tag and point it to our tree
3335 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3336 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3337 Plymouth aware passphrase dialog program ask-for-passphrase.
3338
3339 -- Steve Beattie <sbeattie@ubuntu.com> Tue, 06 Sep 2011 01:17:15 -0700
3340
1811apache2 (2.2.20-1) unstable; urgency=low3341apache2 (2.2.20-1) unstable; urgency=low
18123342
1813 * New upstream release.3343 * New upstream release.
@@ -1830,6 +3360,18 @@ apache2 (2.2.19-2) unstable; urgency=high
18303360
1831 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +02003361 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +0200
18323362
3363apache2 (2.2.19-1ubuntu1) oneiric; urgency=low
3364
3365 * Merge from debian unstable (LP: #787013). Remaining changes:
3366 - debian/{control, rules}: Enable PIE hardening.
3367 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3368 - debian/control: Add bzr tag and point it to our tree
3369 - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
3370 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3371 Plymouth aware passphrase dialog program ask-for-passphrase.
3372
3373 -- Andres Rodriguez <andreserl@ubuntu.com> Mon, 23 May 2011 10:16:09 -0400
3374
1833apache2 (2.2.19-1) unstable; urgency=low3375apache2 (2.2.19-1) unstable; urgency=low
18343376
1835 * New upstream release.3377 * New upstream release.
@@ -1847,6 +3389,18 @@ apache2 (2.2.19-1) unstable; urgency=low
18473389
1848 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +02003390 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +0200
18493391
3392apache2 (2.2.17-3ubuntu1) oneiric; urgency=low
3393
3394 * Merge from debian unstable. Remaining changes:
3395 - debian/{control, rules}: Enable PIE hardening.
3396 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3397 - debian/control: Add bzr tag and point it to our tree
3398 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3399 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3400 Plymouth aware passphrase dialog program ask-for-passphrase.
3401
3402 -- Chuck Short <zulcss@ubuntu.com> Mon, 11 Apr 2011 02:13:30 +0100
3403
1850apache2 (2.2.17-3) unstable; urgency=low3404apache2 (2.2.17-3) unstable; urgency=low
18513405
1852 * Fix compilation with OpenSSL without SSLv2 support. Closes: #6220493406 * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
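Review bot: At 3398 the apport-hook bullet spells its paths `debain/apache2.py` and `debian/apache2.2-common.isntall`, and the same two misspellings recur at 3436 and 3470, so a search of this changelog for `debian/apache2.py` or `.install` skips three stanzas that carry the hook. If these stanzas are byte-for-byte what the published uploads contained, keep them unchanged; if they were retyped while resolving the changelog conflict, restore the text from the previous Ubuntu changelog rather than hand-editing it.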
@@ -1873,6 +3427,18 @@ apache2 (2.2.17-2) unstable; urgency=high
18733427
1874 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +01003428 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +0100
18753429
3430apache2 (2.2.17-1ubuntu1) natty; urgency=low
3431
3432 * Merge from debian unstable, remaining changes:
3433 - debian/{control, rules}: Enable PIE hardening.
3434 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3435 - debian/control: Add bzr tag and point it to our tree
3436 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3437 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3438 Plymouth aware passphrase dialog program ask-for-passphrase.
3439
3440 -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Feb 2011 13:02:08 -0500
3441
1876apache2 (2.2.17-1) unstable; urgency=low3442apache2 (2.2.17-1) unstable; urgency=low
18773443
1878 * New upstream version3444 * New upstream version
@@ -1881,6 +3447,32 @@ apache2 (2.2.17-1) unstable; urgency=low
18813447
1882 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +01003448 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +0100
18833449
3450apache2 (2.2.16-6ubuntu3) natty; urgency=low
3451
3452 * debian/rules: Don't use "-fno-strict-aliasing" since it causes
3453 apache FTBFS on amd64. (LP: #711293)
3454
3455 -- Chuck Short <zulcss@ubuntu.com> Tue, 01 Feb 2011 10:19:55 -0500
3456
3457apache2 (2.2.16-6ubuntu2) natty; urgency=low
3458
3459 * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug.
3460 (LP: #697105)
3461
3462 -- Chuck Short <zulcss@ubuntu.com> Tue, 25 Jan 2011 11:14:58 -0500
3463
3464apache2 (2.2.16-6ubuntu1) natty; urgency=low
3465
3466 * Merge from debian unstable. Remaining changes:
3467 - debian/{control, rules}: Enable PIE hardening.
3468 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3469 - debian/control: Add bzr tag and point it to our tree
3470 - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
3471 - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
3472 Plymouth aware passphrase dialog program ask-for-passphrase.
3473
3474 -- Chuck Short <zulcss@ubuntu.com> Sun, 02 Jan 2011 06:05:51 +0000
3475
1884apache2 (2.2.16-6) unstable; urgency=low3476apache2 (2.2.16-6) unstable; urgency=low
18853477
1886 * Also add $named to the secondary-init-script example.3478 * Also add $named to the secondary-init-script example.
@@ -1896,6 +3488,30 @@ apache2 (2.2.16-5) unstable; urgency=medium
18963488
1897 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +01003489 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +0100
18983490
3491apache2 (2.2.16-4ubuntu2) natty; urgency=low
3492
3493 [Clint Byrum]
3494 * Adding plymouth aware passphrase dialog program ask-for-passphrase.
3495 (LP: #582963)
3496 + debian/control: apache2.2-common depends on bash for ask-for-passphrase
3497 + debian/config-dir/mods-available/ssl.conf:
3498 - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase
3499
3500 [Chuck Short]
3501 * Add apport hook. (LP: #609177)
3502 + debian/apache2.py, debian/apache2.2-common.install
3503
3504 -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:43 -0500
3505
3506apache2 (2.2.16-4ubuntu1) natty; urgency=low
3507
3508 * Merge from debian unstable. Remaining changes:
3509 - debian/{control, rules}: Enable PIE hardening.
3510 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3511 - debian/control: Add bzr tag and point it to our tree
3512
3513 -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:41 -0500
3514
1899apache2 (2.2.16-4) unstable; urgency=medium3515apache2 (2.2.16-4) unstable; urgency=medium
19003516
1901 * Increase the mod_reqtimeout default timeouts to avoid potential problems3517 * Increase the mod_reqtimeout default timeouts to avoid potential problems
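Review bot: At 3498 the new dialog path reads `exec:/usr/share/apache2/ask-for-passhrase`, while the script is named `ask-for-passphrase` at 3494 and in every later "Remaining changes" list. SSLPassPhraseDialog with `exec:` runs the named program to obtain the private-key passphrase, so check that debian/config-dir/mods-available/ssl.conf itself carries the correct spelling and that the slip exists only in this changelog text.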
@@ -1906,6 +3522,15 @@ apache2 (2.2.16-4) unstable; urgency=medium
19063522
1907 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +01003523 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +0100
19083524
3525apache2 (2.2.16-3ubuntu1) natty; urgency=low
3526
3527 * Merge from debian unstable. Remaining changes:
3528 - debian/{control, rules}: Enable PIE hardening.
3529 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3530 - debian/control: Add bzr tag and point it to our tree.
3531
3532 -- Chuck Short <zulcss@ubuntu.com> Tue, 12 Oct 2010 11:54:48 +0100
3533
1909apache2 (2.2.16-3) unstable; urgency=high3534apache2 (2.2.16-3) unstable; urgency=high
19103535
1911 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.3536 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
@@ -1928,6 +3553,30 @@ apache2 (2.2.16-2) unstable; urgency=low
19283553
1929 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +02003554 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +0200
19303555
3556apache2 (2.2.16-1ubuntu3) maverick; urgency=low
3557
3558 * Revert "stty sane" to unbreak apache starting, this will have to be
3559 fixed a different way. (LP: #626723)
3560
3561 -- Chuck Short <zulcss@ubuntu.com> Wed, 08 Sep 2010 08:33:17 -0400
3562
3563apache2 (2.2.16-1ubuntu2) maverick; urgency=low
3564
3565 * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a
3566 password prompt when using apache-ssl. (LP: #582963)
3567
3568 -- Chuck Short <zulcss@ubuntu.com> Wed, 25 Aug 2010 09:25:05 -0400
3569
3570apache2 (2.2.16-1ubuntu1) maverick; urgency=low
3571
3572 * Merge from debian unstable. Remaining changes:
3573 - debian/{control, rules}: Enable PIE hardening.
3574 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3575 - debian/control: Add bzr tag and point it to our tree.
3576 - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
3577
3578 -- Chuck Short <zulcss@ubuntu.com> Mon, 26 Jul 2010 20:21:37 +0100
3579
1931apache2 (2.2.16-1) unstable; urgency=medium3580apache2 (2.2.16-1) unstable; urgency=medium
19323581
1933 * Urgency medium for security fix.3582 * Urgency medium for security fix.
@@ -1960,6 +3609,24 @@ apache2 (2.2.15-6) unstable; urgency=low
19603609
1961 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +02003610 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +0200
19623611
3612apache2 (2.2.15-5ubuntu1) maverick; urgency=low
3613
3614 * Merge from debian unstable. Remaining changes:
3615 - debian/{control, rules}: Enable PIE hardening.
3616 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3617 - debian/control: Add bzr tag and point it to our tree.
3618 - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
3619 + Dropped:
3620 - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
3621 - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
3622 - debian/config-dir/apache2.conf: Merged back from debian.
3623 - mod-reqtimeout functionality: Merge back from debian.
3624 - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
3625 - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
3626 - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.
3627
3628 -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 01:28:04 +0100
3629
1963apache2 (2.2.15-5) unstable; urgency=low3630apache2 (2.2.15-5) unstable; urgency=low
19643631
1965 * Conflict with apache package as we now include apachectl. Closes: #5790653632 * Conflict with apache package as we now include apachectl. Closes: #579065
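Review bot: The `+ Dropped:` list at 3619 is nested under "Remaining changes", and the two CVE patches at 3624-3625 (204_CVE-2010-0408.dpatch, 205_CVE-2010-0434.dpatch) are marked only "No longer needed". For security patches the entry should name the upstream version that contains each fix, so that someone auditing CVE coverage can tell a dropped patch from a dropped fix. A separate top-level "Dropped changes:" bullet, as used at 3084, would also keep the list from reading as part of the remaining delta.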
@@ -2080,6 +3747,80 @@ apache2 (2.2.14-6) unstable; urgency=low
20803747
2081 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +01003748 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +0100
20823749
3750apache2 (2.2.14-5ubuntu8) lucid; urgency=low
3751
3752 * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
3753 (LP: #562370)
3754
3755 -- Chuck Short <zulcss@ubuntu.com> Tue, 13 Apr 2010 15:09:57 -0400
3756
3757apache2 (2.2.14-5ubuntu7) lucid; urgency=low
3758
3759 * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
3760 leaks by making sure to not destroy bucket brigades that have been created
3761 by earlier filters. Backported from 2.2.15.
3762 * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
3763 has reached MaxClients until it has. Backported from 2.2.15
3764 * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
3765 more secure by adding Satisfy all. (Debian bug: #572075)
3766 * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
3767 debian/config2-dir/mods-available/reqtimeout.load,
3768 debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the
3769 mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
3770 bug in apache. Enable it by default. (LP: #392759)
3771
3772 -- Chuck Short <zulcss@ubuntu.com> Mon, 05 Apr 2010 09:53:35 -0400
3773
3774apache2 (2.2.14-5ubuntu6) lucid; urgency=low
3775
3776 * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)
3777
3778 -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 09:41:11 -0400
3779
3780apache2 (2.2.14-5ubuntu5) lucid; urgency=low
3781
3782 * Revert 99-fix-mod-dav-permissions.dpatch
3783
3784 -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 07:55:46 -0400
3785
3786apache2 (2.2.14-5ubuntu4) lucid; urgency=low
3787
3788 * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when
3789 downloading files from webdav (LP: #540747)
3790 * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)
3791
3792 -- Chuck Short <zulcss@ubuntu.com> Mon, 29 Mar 2010 13:37:39 -0400
3793
3794apache2 (2.2.14-5ubuntu3) lucid; urgency=low
3795
3796 * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
3797 - debian/patches/204_CVE-2010-0408.dpatch: return the right error code
3798 in modules/proxy/mod_proxy_ajp.c.
3799 - CVE-2010-0408
3800 * SECURITY UPDATE: information disclosure via improper handling of
3801 headers in subrequests
3802 - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in
3803 in server/protocol.c.
3804 - CVE-2010-0434
3805
3806 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Mar 2010 14:48:48 -0500
3807
3808apache2 (2.2.14-5ubuntu2) lucid; urgency=low
3809
3810 * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really
3811 wacky options. (LP: #450501)
3812
3813 -- Chuck Short <zulcss@ubuntu.com> Mon, 08 Mar 2010 14:53:17 -0500
3814
3815apache2 (2.2.14-5ubuntu1) lucid; urgency=low
3816
3817 * Merge from debian testing. Remaining changes: LP: #506862
3818 - debian/{control, rules}: Enable PIE hardening.
3819 - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
3820 - debian/control: Add bzr tag and point it to our tree.
3821
3822 -- Bhavani Shankar <right2bhavi@gmail.com> Wed, 13 Jan 2010 14:28:41 +0530
3823
2083apache2 (2.2.14-5) unstable; urgency=low3824apache2 (2.2.14-5) unstable; urgency=low
20843825
2085 * Security: Further mitigation for the TLS renegotation attack3826 * Security: Further mitigation for the TLS renegotation attack
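Review bot: The 2.2.14-5ubuntu5 stanza at 3782 says only "Revert 99-fix-mod-dav-permissions.dpatch", with no reason and no bug reference, one day after 3788-3789 added that patch for LP: #540747. A reverted change to WebDAV file permissions needs its rationale recorded, at least the LP number of the regression, so a reader can tell whether #540747 was left unfixed. Separately, 3752 names the module `mod_reqtime.so` where 3766-3770 call it mod-reqtimeout.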
@@ -2103,6 +3844,15 @@ apache2 (2.2.14-5) unstable; urgency=low
21033844
2104 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +01003845 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +0100
21053846
3847apache2 (2.2.14-4ubuntu1) lucid; urgency=low
3848
3849 * Resynchronzie with Debian, remaining changes are:
3850 - debian/{control, rules}: Enable PIE hardening.
3851 - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
3852 - debian/control: Add bzr tag and point it to our tree.
3853
3854 -- Chuck Short <zulcss@ubuntu.com> Wed, 23 Dec 2009 14:44:51 -0500
3855
2106apache2 (2.2.14-4) unstable; urgency=low3856apache2 (2.2.14-4) unstable; urgency=low
21073857
2108 * Disable localized error pages again by default because they break3858 * Disable localized error pages again by default because they break
@@ -2153,6 +3903,17 @@ apache2 (2.2.14-2) unstable; urgency=medium
21533903
2154 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +01003904 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +0100
21553905
3906apache2 (2.2.14-1ubuntu1) lucid; urgency=low
3907
3908 * Merge from debian testing, remaining changes:
3909 - debian/{control, rules}: Enable PIE hardening.
3910 - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
3911 - debian/conrol: Add bzr tag and point it to our tree.
3912 - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
3913 Already applied upstream.
3914
3915 -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 00:29:03 +0000
3916
2156apache2 (2.2.14-1) unstable; urgency=low3917apache2 (2.2.14-1) unstable; urgency=low
21573918
2158 * New upstream version:3919 * New upstream version:
@@ -2187,6 +3948,24 @@ apache2 (2.2.13-1) unstable; urgency=low
21873948
2188 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +02003949 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +0200
21893950
3951apache2 (2.2.12-1ubuntu2) karmic; urgency=low
3952
3953 * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
3954 - Fix potential segfaults with the use of the legacy ap_rputs() etc
3955 interfaces, in cases where an output filter fails. This happens
3956 frequently after CVE-2009-1891 got fixed. (LP: #409987)
3957
3958 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 17 Aug 2009 15:38:47 -0400
3959
3960apache2 (2.2.12-1ubuntu1) karmic; urgency=low
3961
3962 * Merge from debian unstable, remaining changes:
3963 - debian/{control,rules}: enable PIE hardening.
3964 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
3965 - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.
3966
3967 -- Chuck Short <zulcss@ubuntu.com> Tue, 04 Aug 2009 20:04:24 +0100
3968
2190apache2 (2.2.12-1) unstable; urgency=low3969apache2 (2.2.12-1) unstable; urgency=low
21913970
2192 * New upstream release:3971 * New upstream release:
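Review bot: At 3965 a "Dropped ..." item sits inside the "remaining changes" list, and it names the patch `203_fix-ssl-timeftm-ignored.dpatch`, whereas 4061, 4119 and 4136 call the same patch `203_fix-ssi-timeftm-ignored.dpatch`. timefmt and XBitHack are server-side-include settings, so `ssi` looks like the real file name; check against the archived uploads which spelling each stanza shipped with. Also, 3953 reuses the number 203 for a different patch, 203_fix_legacy_ap_rputs_segfaults.dpatch, so the numeric prefix alone does not identify a patch across these stanzas.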
@@ -2234,6 +4013,16 @@ apache2 (2.2.12-1) unstable; urgency=low
22344013
2235 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +02004014 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +0200
22364015
4016apache2 (2.2.11-7ubuntu1) karmic; urgency=low
4017
4018 * Merge from debian unstable, remaining changes: LP: #398130
4019 - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
4020 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4021 - debian/{control,rules}: enable PIE hardening.
4022 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4023
4024 -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 11 Jul 2009 16:34:32 +0530
4025
2237apache2 (2.2.11-7) unstable; urgency=low4026apache2 (2.2.11-7) unstable; urgency=low
22384027
2239 * Security fixes:4028 * Security fixes:
@@ -2248,6 +4037,16 @@ apache2 (2.2.11-7) unstable; urgency=low
22484037
2249 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +02004038 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +0200
22504039
4040apache2 (2.2.11-6ubuntu1) karmic; urgency=low
4041
4042 * Merge from debian unstable, remaining changes:
4043 - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
4044 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4045 - debian/{control,rules}: enable PIE hardening.
4046 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4047
4048 -- Chuck Short <zulcss@ubuntu.com> Tue, 09 Jun 2009 01:01:23 +0100
4049
2251apache2 (2.2.11-6) unstable; urgency=high4050apache2 (2.2.11-6) unstable; urgency=high
22524051
2253 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server4052 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
@@ -2256,6 +4055,16 @@ apache2 (2.2.11-6) unstable; urgency=high
22564055
2257 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +02004056 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +0200
22584057
4058apache2 (2.2.11-5ubuntu1) karmic; urgency=low
4059
4060 * Merge from debian unstable, remaining changes:
4061 - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4062 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4063 - debian/{control,rules}: enable PIE hardening.
4064 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4065
4066 -- Andrew Mitchell <ajmitch@ubuntu.com> Wed, 03 Jun 2009 14:10:54 +1200
4067
2259apache2 (2.2.11-5) unstable; urgency=low4068apache2 (2.2.11-5) unstable; urgency=low
22604069
2261 * Move all binaries into a new package apache2.2-bin and make4070 * Move all binaries into a new package apache2.2-bin and make
@@ -2304,6 +4113,16 @@ apache2 (2.2.11-4) unstable; urgency=low
23044113
2305 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +02004114 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +0200
23064115
4116apache2 (2.2.11-3ubuntu1) karmic; urgency=low
4117
4118 * Merge from debian unstable, remaining changes:
4119 - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4120 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4121 - debian/{control,rules}: enable PIE hardening.
4122 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4123
4124 -- Andrew Mitchell <ajmitch@ubuntu.com> Tue, 12 May 2009 16:15:34 +1200
4125
2307apache2 (2.2.11-3) unstable; urgency=low4126apache2 (2.2.11-3) unstable; urgency=low
23084127
2309 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap4128 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
@@ -2312,6 +4131,21 @@ apache2 (2.2.11-3) unstable; urgency=low
23124131
2313 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +02004132 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +0200
23144133
4134apache2 (2.2.11-2ubuntu2) jaunty; urgency=low
4135
4136 * debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
4137 Fix timefmt is ignored when XBitHack is on. (LP: #258914)
4138
4139 -- Chuck Short <zulcss@ubuntu.com> Wed, 01 Apr 2009 11:39:17 -0400
4140
4141apache2 (2.2.11-2ubuntu1) jaunty; urgency=low
4142
4143 * Merge from debian unstable, remaining changes:
4144 - debian/{contro,rules}: enable PIE hardening.
4145 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4146
4147 -- Chuck Short <zulcss@ubuntu.com> Sat, 17 Jan 2009 00:02:55 +0000
4148
2315apache2 (2.2.11-2) unstable; urgency=low4149apache2 (2.2.11-2) unstable; urgency=low
23164150
2317 * Report an error instead instead of segfaulting when apr_pollset_create4151 * Report an error instead instead of segfaulting when apr_pollset_create
@@ -2321,6 +4155,14 @@ apache2 (2.2.11-2) unstable; urgency=low
23214155
2322 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +01004156 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +0100
23234157
4158apache2 (2.2.11-1ubuntu1) jaunty; urgency=low
4159
4160 * Merge from debian unstable, remaining changes:
4161 - debian/{control, rules}: enable PIE hardening.
4162 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4163
4164 -- Chuck Short <zulcss@ubuntu.com> Mon, 15 Dec 2008 00:06:50 +0000
4165
2324apache2 (2.2.11-1) unstable; urgency=low4166apache2 (2.2.11-1) unstable; urgency=low
23254167
2326 [Thom May]4168 [Thom May]
@@ -2335,6 +4177,14 @@ apache2 (2.2.11-1) unstable; urgency=low
23354177
2336 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +01004178 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +0100
23374179
4180apache2 (2.2.9-11ubuntu1) jaunty; urgency=low
4181
4182 * Merge from debian unstable, remaining changes: (LP: #303375)
4183 - debian/{control, rules}: enable PIE hardening.
4184 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4185
4186 -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 29 Nov 2008 14:02:31 +0530
4187
2338apache2 (2.2.9-11) unstable; urgency=low4188apache2 (2.2.9-11) unstable; urgency=low
23394189
2340 * Regression fix from upstream svn for mod_proxy:4190 * Regression fix from upstream svn for mod_proxy:
@@ -2349,6 +4199,14 @@ apache2 (2.2.9-11) unstable; urgency=low
23494199
2350 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +01004200 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +0100
23514201
4202apache2 (2.2.9-10ubuntu1) jaunty; urgency=low
4203
4204 * Merge from debian unstable, remaining changes:
4205 - debian/{control, rules}: enable PIE hardening.
4206 - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
4207
4208 -- Chuck Short <zulcss@ubuntu.com> Wed, 05 Nov 2008 02:23:18 -0400
4209
2352apache2 (2.2.9-10) unstable; urgency=low4210apache2 (2.2.9-10) unstable; urgency=low
23534211
2354 * Regression fix from upstream svn for mod_proxy_http:4212 * Regression fix from upstream svn for mod_proxy_http:
@@ -2379,6 +4237,27 @@ apache2 (2.2.9-8) unstable; urgency=low
23794237
2380 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +02004238 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +0200
23814239
4240apache2 (2.2.9-7ubuntu3) intrepid; urgency=low
4241
4242 * Revert logrotate change since it will break it for everyone.
4243
4244 -- Chuck Short <zulcss@ubuntu.com> Fri, 19 Sep 2008 09:32:01 -0400
4245
4246apache2 (2.2.9-7ubuntu2) intrepid; urgency=low
4247
4248 * debian/logrotate: Restart rather than reload for busy websites.
4249 (LP: #270899)
4250
4251 -- Chuck Short <zulcss@ubuntu.com> Thu, 18 Sep 2008 08:42:22 -0400
4252
4253apache2 (2.2.9-7ubuntu1) intrepid; urgency=low
4254
4255 * Merge from debian unstable, remaining changes:
4256 - debian/{control,rules}: enable PIE hardening.
4257 - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles.
4258
4259 -- Kees Cook <kees@ubuntu.com> Thu, 28 Aug 2008 08:10:59 -0700
4260
2382apache2 (2.2.9-7) unstable; urgency=low4261apache2 (2.2.9-7) unstable; urgency=low
23834262
2384 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).4263 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).
@@ -2421,6 +4300,23 @@ apache2 (2.2.9-4) unstable; urgency=low
24214300
2422 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +02004301 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +0200
24234302
4303apache2 (2.2.9-3ubuntu2) intrepid; urgency=low
4304
4305 * add ufw integration (see
4306 https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages)
4307 (LP: #261198)
4308 - debian/control: suggest ufw for apache2.2-common
4309 - add apache2.2-common.ufw.profile with 3 profiles and install it to
4310 /etc/ufw/applications.d/apache2.2-common
4311
4312 -- Didier Roche <didrocks@ubuntu-fr.org> Tue, 26 Aug 2008 19:03:42 +0200
4313
4314apache2 (2.2.9-3ubuntu1) intrepid; urgency=low
4315
4316 * debian/{control,rules}: enable PIE hardening
4317
4318 -- Kees Cook <kees@ubuntu.com> Wed, 20 Aug 2008 15:45:00 -0700
4319
2424apache2 (2.2.9-3) unstable; urgency=low4320apache2 (2.2.9-3) unstable; urgency=low
24254321
2426 [ Stefan Fritsch ]4322 [ Stefan Fritsch ]
@@ -3991,9 +5887,7 @@ apache2 (2.0.37-1) unstable; urgency=low
3991 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +01005887 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +0100
39925888
3993apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low5889apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low
3994
3995 * New upstream release5890 * New upstream release
3996
3997 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +01005891 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +0100
39985892
3999apache2 (2.0.36-2) unstable; urgency=low5893apache2 (2.0.36-2) unstable; urgency=low
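Review bot: this hunk only removes the two blank lines around "* New upstream release" in the 2.0.37+cvs.JCW_PRE2_2037-1 entry, a whitespace-only difference from Debian's changelog that every future merge will have to carry or re-resolve. Keep the entry byte-identical to Debian's, with a blank line after the header line and another before the trailer line, so the Ubuntu delta in debian/changelog is limited to the added ubuntu entries.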
@@ -4501,3 +6395,4 @@ apache2 (2.0.18-1) unstable; urgency=low
4501 * Initial Release.6395 * Initial Release.
45026396
4503 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +10006397 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +1000
6398
diff --git a/debian/control b/debian/control
index 5465d60..ed2c254 100644
--- a/debian/control
+++ b/debian/control
@@ -1,5 +1,6 @@
1Source: apache21Source: apache2
2Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>2Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
3XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
3Uploaders: Stefan Fritsch <sf@debian.org>,4Uploaders: Stefan Fritsch <sf@debian.org>,
4 Arno Töll <arno@debian.org>,5 Arno Töll <arno@debian.org>,
5 Ondřej Surý <ondrej@debian.org>,6 Ondřej Surý <ondrej@debian.org>,
@@ -44,7 +45,12 @@ Depends: apache2-bin (= ${binary:Version}),
44Recommends: ssl-cert45Recommends: ssl-cert
45Suggests: apache2-doc,46Suggests: apache2-doc,
46 apache2-suexec-pristine | apache2-suexec-custom,47 apache2-suexec-pristine | apache2-suexec-custom,
48<<<<<<< debian/control
47 www-browser49 www-browser
50=======
51 www-browser,
52 ufw
53>>>>>>> debian/control
48Pre-Depends: ${misc:Pre-Depends}54Pre-Depends: ${misc:Pre-Depends}
49Conflicts: apache2.2-bin,55Conflicts: apache2.2-bin,
50 apache2.2-common56 apache2.2-common
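Review bot: unresolved conflict markers are shown inside the Suggests field (`<<<<<<< debian/control`, `=======`, `>>>>>>> debian/control`); with them present debian/control is not a valid control file. Resolve to the side that carries the Ubuntu delta, `www-browser,` followed by `ufw`, remove the three marker lines, and confirm the proposed branch itself does not contain them.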
diff --git a/debian/icons/ubuntu-logo.png b/debian/icons/ubuntu-logo.png
51new file mode 10064457new file mode 100644
index 0000000..4db2fa1
52Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ58Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ
diff --git a/debian/index.html b/debian/index.html
index 766401d..96ed444 100644
--- a/debian/index.html
+++ b/debian/index.html
@@ -1,9 +1,14 @@
11
2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3<html xmlns="http://www.w3.org/1999/xhtml">3<html xmlns="http://www.w3.org/1999/xhtml">
4 <!--
5 Modified from the Debian original for Ubuntu
6 Last updated: 2016-11-16
7 See: https://launchpad.net/bugs/1288690
8 -->
4 <head>9 <head>
5 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />10 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
6 <title>Apache2 Debian Default Page: It works</title>11 <title>Apache2 Ubuntu Default Page: It works</title>
7 <style type="text/css" media="screen">12 <style type="text/css" media="screen">
8 * {13 * {
9 margin: 0px 0px 0px 0px;14 margin: 0px 0px 0px 0px;
@@ -188,9 +193,9 @@
188 <body>193 <body>
189 <div class="main_page">194 <div class="main_page">
190 <div class="page_header floating_element">195 <div class="page_header floating_element">
191 <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/>196 <img src="/icons/ubuntu-logo.png" alt="Ubuntu Logo" class="floating_element"/>
192 <span class="floating_element">197 <span class="floating_element">
193 Apache2 Debian Default Page198 Apache2 Ubuntu Default Page
194 </span>199 </span>
195 </div>200 </div>
196<!-- <div class="table_of_contents floating_element">201<!-- <div class="table_of_contents floating_element">
@@ -221,7 +226,9 @@
221 <div class="content_section_text">226 <div class="content_section_text">
222 <p>227 <p>
223 This is the default welcome page used to test the correct 228 This is the default welcome page used to test the correct
224 operation of the Apache2 server after installation on Debian systems.229 operation of the Apache2 server after installation on Ubuntu systems.
230 It is based on the equivalent page on Debian, from which the Ubuntu Apache
231 packaging is derived.
225 If you can read this page, it means that the Apache HTTP server installed at232 If you can read this page, it means that the Apache HTTP server installed at
226 this site is working properly. You should <b>replace this file</b> (located at233 this site is working properly. You should <b>replace this file</b> (located at
227 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.234 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.
@@ -242,9 +249,9 @@
242 </div>249 </div>
243 <div class="content_section_text">250 <div class="content_section_text">
244 <p>251 <p>
245 Debian's Apache2 default configuration is different from the252 Ubuntu's Apache2 default configuration is different from the
246 upstream default configuration, and split into several files optimized for253 upstream default configuration, and split into several files optimized for
247 interaction with Debian tools. The configuration system is254 interaction with Ubuntu tools. The configuration system is
248 <b>fully documented in255 <b>fully documented in
249 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full256 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full
250 documentation. Documentation for the web server itself can be257 documentation. Documentation for the web server itself can be
@@ -253,7 +260,7 @@
253260
254 </p>261 </p>
255 <p>262 <p>
256 The configuration layout for an Apache2 web server installation on Debian systems is as follows:263 The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:
257 </p>264 </p>
258 <pre>265 <pre>
259/etc/apache2/266/etc/apache2/
@@ -324,7 +331,7 @@
324331
325 <div class="content_section_text">332 <div class="content_section_text">
326 <p>333 <p>
327 By default, Debian does not allow access through the web browser to334 By default, Ubuntu does not allow access through the web browser to
328 <em>any</em> file apart of those located in <tt>/var/www</tt>,335 <em>any</em> file apart of those located in <tt>/var/www</tt>,
329 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>336 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
330 directories (when enabled) and <tt>/usr/share</tt> (for web337 directories (when enabled) and <tt>/usr/share</tt> (for web
@@ -333,7 +340,7 @@
333 document root directory in <tt>/etc/apache2/apache2.conf</tt>.340 document root directory in <tt>/etc/apache2/apache2.conf</tt>.
334 </p>341 </p>
335 <p>342 <p>
336 The default Debian document root is <tt>/var/www/html</tt>. You343 The default Ubuntu document root is <tt>/var/www/html</tt>. You
337 can make your own virtual hosts under /var/www. This is different344 can make your own virtual hosts under /var/www. This is different
338 to previous releases which provides better security out of the box.345 to previous releases which provides better security out of the box.
339 </p>346 </p>
@@ -345,9 +352,9 @@
345 </div>352 </div>
346 <div class="content_section_text">353 <div class="content_section_text">
347 <p>354 <p>
348 Please use the <tt>reportbug</tt> tool to report bugs in the355 Please use the <tt>ubuntu-bug</tt> tool to report bugs in the
349 Apache2 package with Debian. However, check <a356 Apache2 package with Ubuntu. However, check <a
350 href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"357 href="https://bugs.launchpad.net/ubuntu/+source/apache2"
351 rel="nofollow">existing bug reports</a> before reporting a new bug.358 rel="nofollow">existing bug reports</a> before reporting a new bug.
352 </p>359 </p>
353 <p>360 <p>
diff --git a/debian/patches/series b/debian/patches/series
index ed0c2ec..b6bc836 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,16 @@ fix-macro.patch
1111
12# This patch is applied manually12# This patch is applied manually
13#suexec-custom.patch13#suexec-custom.patch
14<<<<<<< debian/patches/series
15=======
16support-openssl3-001.patch
17support-openssl3-002.patch
18support-openssl3-003.patch
19support-openssl3-004.patch
20support-openssl3-005.patch
21support-openssl3-006.patch
22support-openssl3-007.patch
23support-openssl3-008.patch
24support-openssl3-009.patch
25support-openssl3-010.patch
26>>>>>>> debian/patches/series
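Review bot: the conflict markers around the ten support-openssl3-*.patch entries must not reach debian/patches/series, where each marker line would be read as a patch name. One side of the conflict is empty, so the resolution is to keep the ten entries in order 001 through 010 and drop the three marker lines.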
diff --git a/debian/patches/support-openssl3-001.patch b/debian/patches/support-openssl3-001.patch
14new file mode 10064427new file mode 100644
index 0000000..d7d386d
--- /dev/null
+++ b/debian/patches/support-openssl3-001.patch
@@ -0,0 +1,88 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 26 Jul 2021 12:23:24 +0100
3Subject: add some log messages and AP_DEBUG_ASSERTs for functions that should
4 never be called
5
6Submitted by: sf
7
8
9Forwarded: yes, https://github.com/apache/httpd/pull/258
10Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
11---
12 modules/ssl/ssl_engine_io.c | 28 ++++++++++++++++++++++++++++
13 1 file changed, 28 insertions(+)
14
15diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
16index cabf753..ed9db54 100644
17--- a/modules/ssl/ssl_engine_io.c
18+++ b/modules/ssl/ssl_engine_io.c
19@@ -194,6 +194,10 @@ static int bio_filter_destroy(BIO *bio)
20 static int bio_filter_out_read(BIO *bio, char *out, int outl)
21 {
22 /* this is never called */
23+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
24+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
25+ "BUG: %s() should not be called", "bio_filter_out_read");
26+ AP_DEBUG_ASSERT(0);
27 return -1;
28 }
29
30@@ -293,12 +297,20 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
31 static int bio_filter_out_gets(BIO *bio, char *buf, int size)
32 {
33 /* this is never called */
34+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
35+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
36+ "BUG: %s() should not be called", "bio_filter_out_gets");
37+ AP_DEBUG_ASSERT(0);
38 return -1;
39 }
40
41 static int bio_filter_out_puts(BIO *bio, const char *str)
42 {
43 /* this is never called */
44+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
45+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
46+ "BUG: %s() should not be called", "bio_filter_out_puts");
47+ AP_DEBUG_ASSERT(0);
48 return -1;
49 }
50
51@@ -533,21 +545,37 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
52
53 static int bio_filter_in_write(BIO *bio, const char *in, int inl)
54 {
55+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
56+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
57+ "BUG: %s() should not be called", "bio_filter_in_write");
58+ AP_DEBUG_ASSERT(0);
59 return -1;
60 }
61
62 static int bio_filter_in_puts(BIO *bio, const char *str)
63 {
64+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
65+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
66+ "BUG: %s() should not be called", "bio_filter_in_puts");
67+ AP_DEBUG_ASSERT(0);
68 return -1;
69 }
70
71 static int bio_filter_in_gets(BIO *bio, char *buf, int size)
72 {
73+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
74+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
75+ "BUG: %s() should not be called", "bio_filter_in_gets");
76+ AP_DEBUG_ASSERT(0);
77 return -1;
78 }
79
80 static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
81 {
82+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
83+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
84+ "BUG: %s() should not be called", "bio_filter_in_ctrl");
85+ AP_DEBUG_ASSERT(0);
86 return -1;
87 }
88
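Review bot: the lines added to bio_filter_in_write(), bio_filter_in_puts(), bio_filter_in_gets() and bio_filter_in_ctrl() fetch the context with `bio->ptr`, as do the bio_filter_out_* additions in the two earlier hunks. BIO is an opaque type from OpenSSL 1.1.0 on, so direct member access only builds against the pre-1.1 API, and support-openssl3-002.patch converts just bio_filter_in_ctrl() to `BIO_get_data(bio)`. Use `BIO_get_data(bio)` in all six functions here, or check that a later patch in the series converts the remaining five.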
diff --git a/debian/patches/support-openssl3-002.patch b/debian/patches/support-openssl3-002.patch
0new file mode 10064489new file mode 100644
index 0000000..3a56106
--- /dev/null
+++ b/debian/patches/support-openssl3-002.patch
@@ -0,0 +1,345 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 26 Jul 2021 12:24:24 +0100
3Subject: mod_ssl: add compatibility with OpenSSL 3.0.0
4
5Wrappers around deprecated API:
6* X509_STORE_load_locations() => modssl_X509_STORE_load_locations(),
7* CTX_load_verify_locations() => modssl_CTX_load_verify_locations(),
8* ERR_peek_error_line_data() => modssl_ERR_peek_error_data(),
9* DH_bits(dh) => BN_num_bits(DH_get0_p(dh)).
10
11Provide a compatible version of ssl_callback_SessionTicket() which does not
12use the deprecated HMAC_CTX and HMAC_Init_ex(), replaced by EVP_MAC_CTX and
13EVP_MAC_CTX_set_params() respectively. This requires adapting struct
14modssl_ticket_key_t to replace hmac_secret[] with OSSL_PARAM mac_params[],
15created once at load time still.
16The callback is registered by SSL_CTX_set_tlsext_ticket_key_evp_cb() instead
17of SSL_CTX_set_tlsext_ticket_key_cb().
18
19Since BIO_eof() may now be called openssl-3 state machine, the never-called
20assertion in bio_filter_in_ctrl() does not hold anymore, and we have to
21handle BIO_CTRL_EOF. For any other cmd, we continue to AP_DEBUG_ASSERT(0) and
22log an error, yet the return value is changed from -1 to 0 which is the usual
23unhandled value.
24
25Note that OpenSSL 3.0.0 is still in alpha stage as of now, the API shouldn't
26change though, neither breakage to 1.x.x API.
27
28Submitted by: ylavic
29
30
31Forwarded: yes, https://github.com/apache/httpd/pull/258
32Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
33---
34 modules/ssl/ssl_engine_init.c | 76 ++++++++++++++++++++++++++++++++---------
35 modules/ssl/ssl_engine_io.c | 17 ++++++---
36 modules/ssl/ssl_engine_kernel.c | 22 ++++++++++--
37 modules/ssl/ssl_engine_log.c | 12 ++++++-
38 modules/ssl/ssl_private.h | 19 +++++++++--
39 5 files changed, 120 insertions(+), 26 deletions(-)
40
41diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
42index 4da24ed..eb41e7f 100644
43--- a/modules/ssl/ssl_engine_init.c
44+++ b/modules/ssl/ssl_engine_init.c
45@@ -843,6 +843,23 @@ static void ssl_init_ctx_callbacks(server_rec *s,
46 #endif
47 }
48
49+static APR_INLINE
50+int modssl_CTX_load_verify_locations(SSL_CTX *ctx,
51+ const char *file,
52+ const char *path)
53+{
54+#if OPENSSL_VERSION_NUMBER < 0x30000000L
55+ if (!SSL_CTX_load_verify_locations(ctx, file, path))
56+ return 0;
57+#else
58+ if (file && !SSL_CTX_load_verify_file(ctx, file))
59+ return 0;
60+ if (path && !SSL_CTX_load_verify_dir(ctx, path))
61+ return 0;
62+#endif
63+ return 1;
64+}
65+
66 static apr_status_t ssl_init_ctx_verify(server_rec *s,
67 apr_pool_t *p,
68 apr_pool_t *ptemp,
69@@ -883,10 +900,8 @@ static apr_status_t ssl_init_ctx_verify(server_rec *s,
70 ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
71 "Configuring client authentication");
72
73- if (!SSL_CTX_load_verify_locations(ctx,
74- mctx->auth.ca_cert_file,
75- mctx->auth.ca_cert_path))
76- {
77+ if (!modssl_CTX_load_verify_locations(ctx, mctx->auth.ca_cert_file,
78+ mctx->auth.ca_cert_path)) {
79 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895)
80 "Unable to configure verify locations "
81 "for client authentication");
82@@ -971,6 +986,23 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
83 return APR_SUCCESS;
84 }
85
86+static APR_INLINE
87+int modssl_X509_STORE_load_locations(X509_STORE *store,
88+ const char *file,
89+ const char *path)
90+{
91+#if OPENSSL_VERSION_NUMBER < 0x30000000L
92+ if (!X509_STORE_load_locations(store, file, path))
93+ return 0;
94+#else
95+ if (file && !X509_STORE_load_file(store, file))
96+ return 0;
97+ if (path && !X509_STORE_load_path(store, path))
98+ return 0;
99+#endif
100+ return 1;
101+}
102+
103 static apr_status_t ssl_init_ctx_crl(server_rec *s,
104 apr_pool_t *p,
105 apr_pool_t *ptemp,
106@@ -1009,8 +1041,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
107 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
108 "Configuring certificate revocation facility");
109
110- if (!store || !X509_STORE_load_locations(store, mctx->crl_file,
111- mctx->crl_path)) {
112+ if (!store || modssl_X509_STORE_load_locations(store, mctx->crl_file,
113+ mctx->crl_path)) {
114 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
115 "Host %s: unable to configure X.509 CRL storage "
116 "for certificate revocation", mctx->sc->vhost_id);
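Review bot: the condition in ssl_init_ctx_crl() lost its negation when the call was wrapped: `!X509_STORE_load_locations(...)` became `modssl_X509_STORE_load_locations(...)`, and the wrapper added above returns 1 on success and 0 on failure. As written, a successful CRL load takes the APLOG_EMERG "unable to configure X.509 CRL storage" path, while a failed load falls through and the host continues without the revocation data. Restore the `!` in front of the wrapper call.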
117@@ -1249,7 +1281,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
118 const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
119 int i;
120 X509 *cert;
121- DH *dhparams;
122+ DH *dh;
123 #ifdef HAVE_ECC
124 EC_GROUP *ecparams = NULL;
125 int nid;
126@@ -1434,12 +1466,12 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
127 */
128 certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
129 if (certfile && !modssl_is_engine_id(certfile)
130- && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
131- SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
132+ && (dh = ssl_dh_GetParamFromFile(certfile))) {
133+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
134 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
135 "Custom DH parameters (%d bits) for %s loaded from %s",
136- DH_bits(dhparams), vhost_id, certfile);
137- DH_free(dhparams);
138+ BN_num_bits(DH_get0_p(dh)), vhost_id, certfile);
139+ DH_free(dh);
140 }
141
142 #ifdef HAVE_ECC
143@@ -1490,6 +1522,7 @@ static apr_status_t ssl_init_ticket_key(server_rec *s,
144 char buf[TLSEXT_TICKET_KEY_LEN];
145 char *path;
146 modssl_ticket_key_t *ticket_key = mctx->ticket_key;
147+ int res;
148
149 if (!ticket_key->file_path) {
150 return APR_SUCCESS;
151@@ -1517,11 +1550,22 @@ static apr_status_t ssl_init_ticket_key(server_rec *s,
152 }
153
154 memcpy(ticket_key->key_name, buf, 16);
155- memcpy(ticket_key->hmac_secret, buf + 16, 16);
156 memcpy(ticket_key->aes_key, buf + 32, 16);
157-
158- if (!SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
159- ssl_callback_SessionTicket)) {
160+#if OPENSSL_VERSION_NUMBER < 0x30000000L
161+ memcpy(ticket_key->hmac_secret, buf + 16, 16);
162+ res = SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
163+ ssl_callback_SessionTicket);
164+#else
165+ ticket_key->mac_params[0] =
166+ OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16);
167+ ticket_key->mac_params[1] =
168+ OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0);
169+ ticket_key->mac_params[2] =
170+ OSSL_PARAM_construct_end();
171+ res = SSL_CTX_set_tlsext_ticket_key_evp_cb(mctx->ssl_ctx,
172+ ssl_callback_SessionTicket);
173+#endif
174+ if (!res) {
175 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913)
176 "Unable to initialize TLS session ticket key callback "
177 "(incompatible OpenSSL version?)");
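Review bot: in the OpenSSL 3 branch, `OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16)` records a pointer to the key bytes rather than copying them, and `buf` is the local `char buf[TLSEXT_TICKET_KEY_LEN]` of ssl_init_ticket_key(). `ticket_key->mac_params` is read again at handshake time by ssl_callback_SessionTicket(), after this function has returned, so the ticket MAC key would come from stack memory that is no longer valid. Copy the 16 bytes into storage with the lifetime of `ticket_key` (a field in modssl_ticket_key_t or a pool allocation) and build the param from that copy.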
178@@ -1652,7 +1696,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
179 return ssl_die(s);
180 }
181
182- X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
183+ modssl_X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
184
185 for (n = 0; n < ncerts; n++) {
186 int i;
187diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
188index ed9db54..f7e5cfc 100644
189--- a/modules/ssl/ssl_engine_io.c
190+++ b/modules/ssl/ssl_engine_io.c
191@@ -572,11 +572,20 @@ static int bio_filter_in_gets(BIO *bio, char *buf, int size)
192
193 static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
194 {
195- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
196+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
197+ switch (cmd) {
198+#ifdef BIO_CTRL_EOF
199+ case BIO_CTRL_EOF:
200+ return inctx->rc == APR_EOF;
201+#endif
202+ default:
203+ break;
204+ }
205 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
206- "BUG: %s() should not be called", "bio_filter_in_ctrl");
207+ "BUG: bio_filter_in_ctrl() should not be called with cmd=%i",
208+ cmd);
209 AP_DEBUG_ASSERT(0);
210- return -1;
211+ return 0;
212 }
213
214 #if MODSSL_USE_OPENSSL_PRE_1_1_API
215@@ -601,7 +610,7 @@ static BIO_METHOD bio_filter_in_method = {
216 bio_filter_in_read,
217 bio_filter_in_puts, /* puts is never called */
218 bio_filter_in_gets, /* gets is never called */
219- bio_filter_in_ctrl, /* ctrl is never called */
220+ bio_filter_in_ctrl, /* ctrl is called for EOF check */
221 bio_filter_create,
222 bio_filter_destroy,
223 NULL
224diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
225index b99dcf1..f2d49ad 100644
226--- a/modules/ssl/ssl_engine_kernel.c
227+++ b/modules/ssl/ssl_engine_kernel.c
228@@ -2614,7 +2614,11 @@ int ssl_callback_SessionTicket(SSL *ssl,
229 unsigned char *keyname,
230 unsigned char *iv,
231 EVP_CIPHER_CTX *cipher_ctx,
232- HMAC_CTX *hctx,
233+#if OPENSSL_VERSION_NUMBER < 0x30000000L
234+ HMAC_CTX *hmac_ctx,
235+#else
236+ EVP_MAC_CTX *mac_ctx,
237+#endif
238 int mode)
239 {
240 conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
241@@ -2641,7 +2645,13 @@ int ssl_callback_SessionTicket(SSL *ssl,
242 }
243 EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
244 ticket_key->aes_key, iv);
245- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
246+
247+#if OPENSSL_VERSION_NUMBER < 0x30000000L
248+ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
249+ tlsext_tick_md(), NULL);
250+#else
251+ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
252+#endif
253
254 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289)
255 "TLS session ticket key for %s successfully set, "
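Review bot: the result of `EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params)` is discarded, so a failure to set the MAC key or digest goes unnoticed and the code proceeds to the "TLS session ticket key for %s successfully set" log line. Check for a return other than 1 and fail the callback in that case, so that tickets are never issued under an unset or default MAC key; the same call in the decrypt branch in the next hunk needs the same check.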
256@@ -2662,7 +2672,13 @@ int ssl_callback_SessionTicket(SSL *ssl,
257
258 EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
259 ticket_key->aes_key, iv);
260- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
261+
262+#if OPENSSL_VERSION_NUMBER < 0x30000000L
263+ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
264+ tlsext_tick_md(), NULL);
265+#else
266+ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
267+#endif
268
269 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290)
270 "TLS session ticket key for %s successfully set, "
271diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
272index 7dbbbdb..3b3ceac 100644
273--- a/modules/ssl/ssl_engine_log.c
274+++ b/modules/ssl/ssl_engine_log.c
275@@ -78,6 +78,16 @@ apr_status_t ssl_die(server_rec *s)
276 return APR_EGENERAL;
277 }
278
279+static APR_INLINE
280+unsigned long modssl_ERR_peek_error_data(const char **data, int *flags)
281+{
282+#if OPENSSL_VERSION_NUMBER < 0x30000000L
283+ return ERR_peek_error_line_data(NULL, NULL, data, flags);
284+#else
285+ return ERR_peek_error_data(data, flags);
286+#endif
287+}
288+
289 /*
290 * Prints the SSL library error information.
291 */
292@@ -87,7 +97,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
293 const char *data;
294 int flags;
295
296- while ((e = ERR_peek_error_line_data(NULL, NULL, &data, &flags))) {
297+ while ((e = modssl_ERR_peek_error_data(&data, &flags))) {
298 const char *annotation;
299 char err[256];
300
301diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
302index a6fc751..71d658c 100644
303--- a/modules/ssl/ssl_private.h
304+++ b/modules/ssl/ssl_private.h
305@@ -89,6 +89,9 @@
306 /* must be defined before including ssl.h */
307 #define OPENSSL_NO_SSL_INTERN
308 #endif
309+#if OPENSSL_VERSION_NUMBER >= 0x30000000
310+#include <openssl/core_names.h>
311+#endif
312 #include <openssl/ssl.h>
313 #include <openssl/err.h>
314 #include <openssl/x509.h>
315@@ -674,7 +677,11 @@ typedef struct {
316 typedef struct {
317 const char *file_path;
318 unsigned char key_name[16];
319+#if OPENSSL_VERSION_NUMBER < 0x30000000L
320 unsigned char hmac_secret[16];
321+#else
322+ OSSL_PARAM mac_params[3];
323+#endif
324 unsigned char aes_key[16];
325 } modssl_ticket_key_t;
326 #endif
327@@ -938,8 +945,16 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
328 int ssl_callback_ClientHello(SSL *, int *, void *);
329 #endif
330 #ifdef HAVE_TLS_SESSION_TICKETS
331-int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
332- EVP_CIPHER_CTX *, HMAC_CTX *, int);
333+int ssl_callback_SessionTicket(SSL *ssl,
334+ unsigned char *keyname,
335+ unsigned char *iv,
336+ EVP_CIPHER_CTX *cipher_ctx,
337+#if OPENSSL_VERSION_NUMBER < 0x30000000L
338+ HMAC_CTX *hmac_ctx,
339+#else
340+ EVP_MAC_CTX *mac_ctx,
341+#endif
342+ int mode);
343 #endif
344
345 #ifdef HAVE_TLS_ALPN
diff --git a/debian/patches/support-openssl3-003.patch b/debian/patches/support-openssl3-003.patch
0new file mode 100644346new file mode 100644
index 0000000..06906a9
--- /dev/null
+++ b/debian/patches/support-openssl3-003.patch
@@ -0,0 +1,48 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 26 Jul 2021 12:24:27 +0100
3Subject: mod_ssl: follow up to r1876934: wrap DH_bits()
4
5DH_get0_p() seems to be undefined for some openssl versions, so it can't
6be used to implement DH_bits() generically.
7
8Add new a modssl_DH_bits() wrapper to call DH_bits() for openssl < 3,
9and BN_num_bits(DH_get0_p(dh)) otherwise.
10
11Submitted by: ylavic
12
13
14Forwarded: yes, https://github.com/apache/httpd/pull/258
15Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
16---
17 modules/ssl/ssl_engine_init.c | 11 ++++++++++-
18 1 file changed, 10 insertions(+), 1 deletion(-)
19
20diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
21index eb41e7f..a2da916 100644
22--- a/modules/ssl/ssl_engine_init.c
23+++ b/modules/ssl/ssl_engine_init.c
24@@ -1271,6 +1271,15 @@ static int ssl_no_passwd_prompt_cb(char *buf, int size, int rwflag,
25 return 0;
26 }
27
28+static APR_INLINE int modssl_DH_bits(DH *dh)
29+{
30+#if OPENSSL_VERSION_NUMBER < 0x30000000L
31+ return DH_bits(dh);
32+#else
33+ return BN_num_bits(DH_get0_p(dh));
34+#endif
35+}
36+
37 static apr_status_t ssl_init_server_certs(server_rec *s,
38 apr_pool_t *p,
39 apr_pool_t *ptemp,
40@@ -1470,7 +1479,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
41 SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
42 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
43 "Custom DH parameters (%d bits) for %s loaded from %s",
44- BN_num_bits(DH_get0_p(dh)), vhost_id, certfile);
45+ modssl_DH_bits(dh), vhost_id, certfile);
46 DH_free(dh);
47 }
48
diff --git a/debian/patches/support-openssl3-004.patch b/debian/patches/support-openssl3-004.patch
0new file mode 10064449new file mode 100644
index 0000000..5566eaf
--- /dev/null
+++ b/debian/patches/support-openssl3-004.patch
@@ -0,0 +1,56 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 26 Jul 2021 12:24:46 +0100
3Subject: * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Fix use of
4 encrypted private keys with OpenSSL 3.0.
5
6* test/travis_run_linux.sh: For TEST_SSL, test loading encrypted
7 private keys.
8
9Github: closes #{197}
10
11Submitted by: jorton
12
13
14Forwarded: yes, https://github.com/apache/httpd/pull/258
15Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
16---
17 modules/ssl/ssl_engine_init.c | 19 +++++++++++++++++--
18 1 file changed, 17 insertions(+), 2 deletions(-)
19
20diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
21index a2da916..2f3a120 100644
22--- a/modules/ssl/ssl_engine_init.c
23+++ b/modules/ssl/ssl_engine_init.c
24@@ -1280,6 +1280,22 @@ static APR_INLINE int modssl_DH_bits(DH *dh)
25 #endif
26 }
27
28+/* SSL_CTX_use_PrivateKey_file() can fail either because the private
29+ * key was encrypted, or due to a mismatch between an already-loaded
30+ * cert and the key - a common misconfiguration - from calling
31+ * X509_check_private_key(). This macro is passed the last error code
32+ * off the OpenSSL stack and evaluates to true only for the first
33+ * case. With OpenSSL < 3 the second case is identifiable by the
34+ * function code, but function codes are not used from 3.0. */
35+#if OPENSSL_VERSION_NUMBER < 0x30000000L
36+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)
37+#else
38+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \
39+ || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
40+ && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
41+ && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE))
42+#endif
43+
44 static apr_status_t ssl_init_server_certs(server_rec *s,
45 apr_pool_t *p,
46 apr_pool_t *ptemp,
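Review bot: in the OpenSSL 3 branch of CHECK_PRIVKEY_ERROR the first operand is written `ERR_GET_LIB != ERR_LIB_X509` with no argument, while every other term uses `ERR_GET_REASON(ec)`. That comparison never inspects `ec`, so the macro cannot separate the encrypted-key case from the cert/key mismatch case that its own comment says it must exclude. Change it to `ERR_GET_LIB(ec) != ERR_LIB_X509`.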
47@@ -1385,8 +1401,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
48 }
49 else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
50 SSL_FILETYPE_PEM) < 1)
51- && (ERR_GET_FUNC(ERR_peek_last_error())
52- != X509_F_X509_CHECK_PRIVATE_KEY)) {
53+ && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) {
54 ssl_asn1_t *asn1;
55 const unsigned char *ptr;
56
diff --git a/debian/patches/support-openssl3-005.patch b/debian/patches/support-openssl3-005.patch
0new file mode 10064457new file mode 100644
index 0000000..5c6ebe8
--- /dev/null
+++ b/debian/patches/support-openssl3-005.patch
@@ -0,0 +1,121 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 26 Jul 2021 12:25:36 +0100
3Subject: mod_ssl: Switch to using OpenSSL's automatic internal DH parameter
4 generation from OpenSSL 1.1.0 and later. The SSL_set_tmp_dh_callback() API
5 is deprecated from OpenSSL 3.0 onwards. Should not be a user-visible change
6 (except mod_ssl gets smaller).
7
8* modules/ssl/ssl_private.h,
9 modules/ssl/ssl_engine_kernel.c,
10 modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks):
11 Drop internal DH parameter generation and callback for OpenSSL 1.1+,
12 use SSL_CTX_set_dh_auto(, 1) instead.
13
14Github: closes #188
15Reviewed by: rpluem
16
17Submitted by: jorton
18
19
20Forwarded: yes, https://github.com/apache/httpd/pull/258
21Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
22---
23 modules/ssl/ssl_engine_init.c | 14 ++++++++++----
24 modules/ssl/ssl_engine_kernel.c | 2 ++
25 modules/ssl/ssl_private.h | 2 ++
26 3 files changed, 14 insertions(+), 4 deletions(-)
27
28diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
29index 2f3a120..d0ef4ba 100644
30--- a/modules/ssl/ssl_engine_init.c
31+++ b/modules/ssl/ssl_engine_init.c
32@@ -91,7 +91,6 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
33
34 return 1;
35 }
36-#endif
37
38 /*
39 * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
40@@ -171,6 +170,7 @@ DH *modssl_get_dh_params(unsigned keylen)
41
42 return NULL; /* impossible to reach. */
43 }
44+#endif
45
46 static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
47 server_rec *s)
48@@ -440,8 +440,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
49
50 modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
51
52+#if MODSSL_USE_OPENSSL_PRE_1_1_API
53 init_dh_params();
54-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
55+#else
56 init_bio_methods();
57 #endif
58
59@@ -834,7 +835,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
60 {
61 SSL_CTX *ctx = mctx->ssl_ctx;
62
63+#if MODSSL_USE_OPENSSL_PRE_1_1_API
64 SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
65+#else
66+ SSL_CTX_set_dh_auto(ctx, 1);
67+#endif
68
69 SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
70
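Review bot: `SSL_CTX_set_dh_auto(ctx, 1)` in the new `#else` branch is called unconditionally, with no check for DH parameters configured by the administrator. The description of support-openssl3-009.patch later in this series says OpenSSL ignores manually configured parameters while auto selection is enabled, so this hunk on its own regresses custom DH parameters. Keep 005, 009 and 010 together in debian/patches/series, or fold the two follow-ups into this patch so that no intermediate state of the series can be built and shipped.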
71@@ -2317,10 +2322,11 @@ apr_status_t ssl_init_ModuleKill(void *data)
72
73 }
74
75-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
76+#if MODSSL_USE_OPENSSL_PRE_1_1_API
77+ free_dh_params();
78+#else
79 free_bio_methods();
80 #endif
81- free_dh_params();
82
83 return APR_SUCCESS;
84 }
85diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
86index f2d49ad..aced92d 100644
87--- a/modules/ssl/ssl_engine_kernel.c
88+++ b/modules/ssl/ssl_engine_kernel.c
89@@ -1685,6 +1685,7 @@ const authz_provider ssl_authz_provider_verify_client =
90 ** _________________________________________________________________
91 */
92
93+#if MODSSL_USE_OPENSSL_PRE_1_1_API
94 /*
95 * Hand out standard DH parameters, based on the authentication strength
96 */
97@@ -1730,6 +1731,7 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
98
99 return modssl_get_dh_params(keylen);
100 }
101+#endif
102
103 /*
104 * This OpenSSL callback function is called when OpenSSL
105diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
106index 71d658c..b74d956 100644
107--- a/modules/ssl/ssl_private.h
108+++ b/modules/ssl/ssl_private.h
109@@ -1127,10 +1127,12 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
110
111 #endif
112
113+#if MODSSL_USE_OPENSSL_PRE_1_1_API
114 /* Retrieve DH parameters for given key length. Return value should
115 * be treated as unmutable, since it is stored in process-global
116 * memory. */
117 DH *modssl_get_dh_params(unsigned keylen);
118+#endif
119
120 /* Returns non-zero if the request was made over SSL/TLS. If sslconn
121 * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
diff --git a/debian/patches/support-openssl3-006.patch b/debian/patches/support-openssl3-006.patch
0new file mode 100644122new file mode 100644
index 0000000..33e0c1f
--- /dev/null
+++ b/debian/patches/support-openssl3-006.patch
@@ -0,0 +1,33 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 26 Jul 2021 12:29:32 +0100
3Subject: fix build with LibreSSL [Yann Ylavic] Github issue #188
4
5Submitted by: gbechis
6
7
8Forwarded: yes, https://github.com/apache/httpd/pull/258
9Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
10---
11 modules/ssl/ssl_private.h | 5 ++---
12 1 file changed, 2 insertions(+), 3 deletions(-)
13
14diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
15index b74d956..b091c58 100644
16--- a/modules/ssl/ssl_private.h
17+++ b/modules/ssl/ssl_private.h
18@@ -137,13 +137,12 @@
19 SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
20 #define SSL_CTX_set_max_proto_version(ctx, version) \
21 SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
22-#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
23+#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
24 /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
25 * include most changes from OpenSSL >= 1.1 (new functions, macros,
26 * deprecations, ...), so we have to work around this...
27 */
28-#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
29-#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
30+#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
31 #else /* defined(LIBRESSL_VERSION_NUMBER) */
32 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
33 #endif
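Review bot: the comment "LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 ... so we have to work around this" now sits above a `#define MODSSL_USE_OPENSSL_PRE_1_1_API` that is evaluated for every LibreSSL version, not only the ones needing the workaround. Reword it to say the macro is 1 only for LibreSSL before 2.7 (`0x2070000f`). The moved `#endif` also carries a `0x2060000f` comment directly above that different threshold, which is easy to misread, so a short note on why the two cut-offs differ would help.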
diff --git a/debian/patches/support-openssl3-007.patch b/debian/patches/support-openssl3-007.patch
0new file mode 10064434new file mode 100644
index 0000000..6f760b8
--- /dev/null
+++ b/debian/patches/support-openssl3-007.patch
@@ -0,0 +1,72 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 26 Jul 2021 14:15:28 +0100
3Subject: Support for OpenSSL 1.1.0: - BIO was made opaque after OpenSSL
4 1.1.0pre4.
5
6Submitted by: rjung
7
8
9Forwarded: yes, https://github.com/apache/httpd/pull/258
10Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
11---
12 modules/ssl/ssl_engine_io.c | 12 ++++++------
13 1 file changed, 6 insertions(+), 6 deletions(-)
14
15diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
16index f7e5cfc..3db7077 100644
17--- a/modules/ssl/ssl_engine_io.c
18+++ b/modules/ssl/ssl_engine_io.c
19@@ -194,7 +194,7 @@ static int bio_filter_destroy(BIO *bio)
20 static int bio_filter_out_read(BIO *bio, char *out, int outl)
21 {
22 /* this is never called */
23- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
24+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
25 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
26 "BUG: %s() should not be called", "bio_filter_out_read");
27 AP_DEBUG_ASSERT(0);
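Review bot: `BIO_get_data(bio)` replaces `bio->ptr` unconditionally here and in the five other replacements in this file, while the rest of the series still keeps a `MODSSL_USE_OPENSSL_PRE_1_1_API` build path. The patch does not show a compatibility definition of `BIO_get_data` for that path, so please confirm one exists in ssl_private.h, or state in the patch header that pre-1.1 builds are not a concern for this package.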
28@@ -297,7 +297,7 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
29 static int bio_filter_out_gets(BIO *bio, char *buf, int size)
30 {
31 /* this is never called */
32- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
33+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
34 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
35 "BUG: %s() should not be called", "bio_filter_out_gets");
36 AP_DEBUG_ASSERT(0);
37@@ -307,7 +307,7 @@ static int bio_filter_out_gets(BIO *bio, char *buf, int size)
38 static int bio_filter_out_puts(BIO *bio, const char *str)
39 {
40 /* this is never called */
41- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
42+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
43 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
44 "BUG: %s() should not be called", "bio_filter_out_puts");
45 AP_DEBUG_ASSERT(0);
46@@ -545,7 +545,7 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
47
48 static int bio_filter_in_write(BIO *bio, const char *in, int inl)
49 {
50- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
51+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
52 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
53 "BUG: %s() should not be called", "bio_filter_in_write");
54 AP_DEBUG_ASSERT(0);
55@@ -554,7 +554,7 @@ static int bio_filter_in_write(BIO *bio, const char *in, int inl)
56
57 static int bio_filter_in_puts(BIO *bio, const char *str)
58 {
59- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
60+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
61 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
62 "BUG: %s() should not be called", "bio_filter_in_puts");
63 AP_DEBUG_ASSERT(0);
64@@ -563,7 +563,7 @@ static int bio_filter_in_puts(BIO *bio, const char *str)
65
66 static int bio_filter_in_gets(BIO *bio, char *buf, int size)
67 {
68- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
69+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
70 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
71 "BUG: %s() should not be called", "bio_filter_in_gets");
72 AP_DEBUG_ASSERT(0);
diff --git a/debian/patches/support-openssl3-008.patch b/debian/patches/support-openssl3-008.patch
0new file mode 10064473new file mode 100644
index 0000000..d04497f
--- /dev/null
+++ b/debian/patches/support-openssl3-008.patch
@@ -0,0 +1,29 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Wed, 28 Jul 2021 12:28:59 +0100
3Subject: mod_ssl: follow up to r1876934: fix
4 !modssl_X509_STORE_load_locations() logic.
5
6Submitted by: ylavic
7
8
9Forwarded: yes, https://github.com/apache/httpd/pull/258
10Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
11---
12 modules/ssl/ssl_engine_init.c | 4 ++--
13 1 file changed, 2 insertions(+), 2 deletions(-)
14
15diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
16index d0ef4ba..5d199cd 100644
17--- a/modules/ssl/ssl_engine_init.c
18+++ b/modules/ssl/ssl_engine_init.c
19@@ -1046,8 +1046,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
20 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
21 "Configuring certificate revocation facility");
22
23- if (!store || modssl_X509_STORE_load_locations(store, mctx->crl_file,
24- mctx->crl_path)) {
25+ if (!store || !modssl_X509_STORE_load_locations(store, mctx->crl_file,
26+ mctx->crl_path)) {
27 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
28 "Host %s: unable to configure X.509 CRL storage "
29 "for certificate revocation", mctx->sc->vhost_id);
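Review bot: the return convention of `modssl_X509_STORE_load_locations()` is documented only by the `!` added in this condition, which is how the inverted test got in. Before this fix a failed load of `mctx->crl_file` / `mctx->crl_path` skipped the APLOG_EMERG branch, so startup continued without the CRL data and a successful load was reported as an error. Add a comment at the helper's definition stating that it returns non-zero on success, and consider a test that starts the server with an unreadable CRL file and expects the 01901 message, so the revocation path cannot silently regress again.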
diff --git a/debian/patches/support-openssl3-009.patch b/debian/patches/support-openssl3-009.patch
0new file mode 10064430new file mode 100644
index 0000000..01687e9
--- /dev/null
+++ b/debian/patches/support-openssl3-009.patch
@@ -0,0 +1,36 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 4 Oct 2021 14:26:49 +0100
3Subject: * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): For OpenSSL
4 1.1+,
5 disable auto DH parameter selection if parameters have been manually
6 configured. This fixes a regression in r1890067 after which manually
7 configured parameters are ignored.
8
9Submitted by: jorton
10
11
12Forwarded: yes, https://github.com/apache/httpd/pull/258
13Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
14---
15 modules/ssl/ssl_engine_init.c | 7 +++++++
16 1 file changed, 7 insertions(+)
17
18diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
19index 5d199cd..3986ba7 100644
20--- a/modules/ssl/ssl_engine_init.c
21+++ b/modules/ssl/ssl_engine_init.c
22@@ -1496,7 +1496,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
23 certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
24 if (certfile && !modssl_is_engine_id(certfile)
25 && (dh = ssl_dh_GetParamFromFile(certfile))) {
26+ /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
27+ * for OpenSSL 3.0+. */
28 SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
29+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
30+ /* OpenSSL ignores manually configured DH params if automatic
31+ * selection if enabled, so disable auto selection here. */
32+ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 0);
33+#endif
34 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
35 "Custom DH parameters (%d bits) for %s loaded from %s",
36 modssl_DH_bits(dh), vhost_id, certfile);
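Review bot: the return value of `SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh)` is not checked before `SSL_CTX_set_dh_auto(mctx->ssl_ctx, 0)` turns auto selection off. If setting the parameters fails, the context ends up with neither custom nor automatic DH parameters while the 02540 debug message still reports them as loaded. Suggest disabling auto selection and logging success only when the set call succeeds. Minor: the new comment reads "selection if enabled", which should be "selection is enabled".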
diff --git a/debian/patches/support-openssl3-010.patch b/debian/patches/support-openssl3-010.patch
0new file mode 10064437new file mode 100644
index 0000000..2791e96
--- /dev/null
+++ b/debian/patches/support-openssl3-010.patch
@@ -0,0 +1,54 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Tue, 12 Oct 2021 13:48:55 +0100
3Subject: * modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks,
4 ssl_init_server_certs): Flip logic for enabling/disabling DH auto
5 parameter selection for OpenSSL 1.1+ to be simpler and consistent with
6 auto ECDH curve selection.
7
8
9Forwarded: yes, https://github.com/apache/httpd/pull/258
10Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
11---
12 modules/ssl/ssl_engine_init.c | 16 +++++++++-------
13 1 file changed, 9 insertions(+), 7 deletions(-)
14
15diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
16index 3986ba7..f440a37 100644
17--- a/modules/ssl/ssl_engine_init.c
18+++ b/modules/ssl/ssl_engine_init.c
19@@ -836,9 +836,9 @@ static void ssl_init_ctx_callbacks(server_rec *s,
20 SSL_CTX *ctx = mctx->ssl_ctx;
21
22 #if MODSSL_USE_OPENSSL_PRE_1_1_API
23+ /* Note that for OpenSSL>=1.1, auto selection is enabled via
24+ * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */
25 SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
26-#else
27- SSL_CTX_set_dh_auto(ctx, 1);
28 #endif
29
30 SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
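Review bot: the new comment about OpenSSL>=1.1 is placed inside the `#if MODSSL_USE_OPENSSL_PRE_1_1_API` branch, directly above `SSL_CTX_set_tmp_dh_callback()`, where it describes code that is not compiled in that branch. Move it above the `#if` (or into an empty `#else`) and name `ssl_init_server_certs` as the place where `SSL_CTX_set_dh_auto(,1)` is now called, so a reader of this function knows where to look.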
31@@ -1499,16 +1499,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
32 /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
33 * for OpenSSL 3.0+. */
34 SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
35-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
36- /* OpenSSL ignores manually configured DH params if automatic
37- * selection if enabled, so disable auto selection here. */
38- SSL_CTX_set_dh_auto(mctx->ssl_ctx, 0);
39-#endif
40 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
41 "Custom DH parameters (%d bits) for %s loaded from %s",
42 modssl_DH_bits(dh), vhost_id, certfile);
43 DH_free(dh);
44 }
45+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
46+ else {
47+ /* If no parameter is manually configured, enable auto
48+ * selection. */
49+ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
50+ }
51+#endif
52
53 #ifdef HAVE_ECC
54 /*
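Review bot: the `else` added under `#if !MODSSL_USE_OPENSSL_PRE_1_1_API` attaches to an `if` whose closing brace sits outside the conditional block, which is easy to break in a later edit and leaves the pre-1.1 build with no matching branch. The `else` also fires for every reason the condition can fail, including an engine id or a `certfile` that has no DH parameters, so the comment "If no parameter is manually configured" is narrower than the code. Consider tracking the outcome in a local flag and calling `SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1)` after the block when it is unset, with the comment adjusted to match.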
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index d617b1d..823d9c0 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -17,6 +17,7 @@ debian/icons/odf6otp-20x22.png
17debian/icons/odf6ots-20x22.png17debian/icons/odf6ots-20x22.png
18debian/icons/odf6ott-20x22.png18debian/icons/odf6ott-20x22.png
19debian/icons/openlogo-75.png19debian/icons/openlogo-75.png
20debian/icons/ubuntu-logo.png
20debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml21debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml
21debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php22debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php
22debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml23debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml
