Merge ~bryce/ubuntu/+source/apache2:merge-v2.4.52-1-jammy into ubuntu/+source/apache2:debian/sid

Proposed by Bryce Harrington
Status: Merged
Merge reported by: Bryce Harrington
Merged at revision: 028479c2c5469eb33796f914258b3108c24d58bb
Proposed branch: ~bryce/ubuntu/+source/apache2:merge-v2.4.52-1-jammy
Merge into: ubuntu/+source/apache2:debian/sid
Diff against target: 2604 lines (+2008/-16)
10 files modified
debian/apache2-bin.install (+1/-0)
debian/apache2-utils.ufw.profile (+14/-0)
debian/apache2.dirs (+1/-0)
debian/apache2.install (+1/-0)
debian/apache2.postrm (+1/-0)
debian/apache2.py (+48/-0)
debian/changelog (+1918/-2)
debian/control (+4/-2)
debian/index.html (+19/-12)
debian/source/include-binaries (+1/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack (community) Approve
Utkarsh Gupta (community) Approve
git-ubuntu import Pending
Review via email: mp+415047@code.launchpad.net

Description of the change

This is a re-merge of apache2; we already had 2.4.51-2 merged previously. The advantage here is that OpenSSL3 is included in this upstream version, whereas for 2.4.51 we patched it in. Security also asked if we were going to re-merge, which makes me suspect there are some security updates in 2.4.52 that they would like to have included for jammy.

Previously, I had been successful at rebasing on my old branches in order to carry the ubuntu delta commits forward, but the rebase procedure I'd worked out before fails on this release. My best guess is that the procedure is not quite robust and perhaps introduced some irregularity. But it's not vital that we carry the delta forward (more of a nice-to-have), and there's not many items left anyway, so I time-boxed that effort and decided to do a "normal" apache2 merge by manually re-splitting things.

In doing this, I discovered an error in the prior merge: It was intended that the graceful changes be dropped for 2.4.51-2ubuntu1 yet the changes were still present in the delta. I've verified that delta is gone in this merge, and am re-mentioning it in the changelog.

One final point of note for the reviewer: Debian experimental has a newer version, 2.4.51-3. This -3 update includes a switch from pre3 to pre2, which sounds like it may resolve a long standing bug for us (LP: #1792544). I considered merging from experimental to include this, but decided to hold off for now for a few reasons: a) bug 1792544 has been open for 3-4 years and there are still a bunch of non-trivial packages needing updated, so urgency seems not terribly high, b) pre3->pre2 might bring changes/regressions to regular expression functionality that may be hard to catch from tests alone, and c) direction from management is to take conservative choices for this LTS. So, I think it is most beneficial to let the pre2 change gain confidence from being thoroughly tested in Debian, and look at maybe merging it in once they're comfortable including it in unstable.

PPA:
  https://launchpad.net/~bryce/+archive/ubuntu/apache2-merge-v2.4.52-1/+packages
  Still building on arm64 and armhf; other arch's built successfully.

Bileto:
  I've kicked off tests for amd64, s390x, and ppc64el.
  Once they've run, results should be available here:
  https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-bryce-apache2-merge-v2.4.52-1

Usual tags pushed:
  tags/old/debian 826e1a24b
  tags/new/debian 365005afd
  tags/old/ubuntu af8ae353f
  tags/logical/2.4.51-2ubuntu1 e3e516779
  tags/reconstruct/2.4.51-2ubuntu1 72354054a
  tags/split/2.4.51-2ubuntu1 3bbcdc58e

To post a comment you must log in.
Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Hi Bryce, this looks good. The changes that have been dropped are clear (along w/ the description which paints the entire picture) and the delta that we carry is just Ubuntu-specific.

Furthermore, to give you a bit of a background for pcre3 v/s pcre2: Debian is moving to pcre2 from the deprecated and the obsolete pcre3 now. See MBF at https://lists.debian.org/debian-devel/2021/11/msg00176.html. Debian 12 will not ship pcre3 anymore. So whilst it's a good-to-have thing to have moved to pcre2, you're absolutely right that it might result in some breakage, here and there, and isn't a good candidate for the LTS cycle.

So +1, hold off the pcre3->pcre2 switch for now and upload as-is. \o/

review: Approve
Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Linked the LP bug in the "Related bugs:" filed so the MP is also linked against LP: #1959924. \o/

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Looks good, +1

review: Approve
Revision history for this message
Bryce Harrington (bryce) wrote :
Download full text (5.2 KiB)

Thanks for the reviews!

Pushed to jammy:

$ debuild -S -sa -uc -us $(git ubuntu prepare-upload args)
Everything up-to-date
 dpkg-buildpackage -us -uc -ui -i -I.bzr -I.svn -I.git -S -sa --changes-option=-DVcs-Git=https://git.launchpad.net/~bryce/ubuntu/+source/apache2 --changes-option=-DVcs-Git-Ref=refs/heads/merge-v2.4.52-1-jammy --changes-option=-DVcs-Git-Commit=028479c2c5469eb33796f914258b3108c24d58bb
dpkg-buildpackage: info: source package apache2
dpkg-buildpackage: info: source version 2.4.52-1ubuntu1
dpkg-buildpackage: info: source distribution jammy
dpkg-buildpackage: info: source changed by Bryce Harrington <email address hidden>
 dpkg-source -i -I.bzr -I.svn -I.git --before-build .
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: applying fhs_compliance.patch
dpkg-source: info: applying no_LD_LIBRARY_PATH.patch
dpkg-source: info: applying suexec-CVE-2007-1742.patch
dpkg-source: info: applying customize_apxs.patch
dpkg-source: info: applying build_suexec-custom.patch
dpkg-source: info: applying reproducible_builds.diff
dpkg-source: info: applying fix-macro.patch
 fakeroot debian/rules clean
dh clean
   dh_clean
 dpkg-source -i -I.bzr -I.svn -I.git -b .
dpkg-source: warning: upstream signing key but no upstream tarball signature
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: building apache2 using existing ./apache2_2.4.52.orig.tar.gz
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: warning: ignoring deletion of directory changes-entries
dpkg-source: warning: ignoring deletion of directory test/modules/md/data/store_migrate/1.0/sample1/challenges
dpkg-source: warning: ignoring deletion of directory test/modules/md/data/store_migrate/1.0/sample1/staging
dpkg-source: warning: ignoring deletion of directory test/modules/md/data/store_migrate/1.0/sample1/tmp
dpkg-source: warning: ignoring deletion of directory docs/manual/style/xsl
dpkg-source: warning: ignoring deletion of directory docs/manual/style/xsl/util
dpkg-source: warning: ignoring deletion of directory docs/manual/style/lang
dpkg-source: info: building apache2 in apache2_2.4.52-1ubuntu1.debian.tar.xz
dpkg-source: info: building apache2 in apache2_2.4.52-1ubuntu1.dsc
 dpkg-genbuildinfo --build=source -O../apache2_2.4.52-1ubuntu1_source.buildinfo
 dpkg-genchanges -sa -DVcs-Git=https://git.launchpad.net/~bryce/ubuntu/+source/apache2 -DVcs-Git-Ref=refs/heads/merge-v2.4.52-1-jammy -DVcs-Git-Commit=028479c2c5469eb33796f914258b3108c24d58bb --build=source -O../apache2_2.4.52-1ubuntu1_source.changes
dpkg-genchanges: info: including full source code in upload
 dpkg-source -i -I.bzr -I.svn -I.git --after-build .
dpkg-source: info: unapplying fix-macro.patch
dpkg-source: info: unapplying reproducible_builds.diff
dpkg-source: info: unapplying build_suexec-custom.patch
dpkg-source: info: unapplying customize_apxs.patch
dpkg-source: info: unapplying suexec-CVE-2007-1742.patch
dpkg-source: info: unapplying no_LD_LIBRARY_PATH.patch
dpkg-source: info: unapplying fhs_compliance.patch
dpkg-buildpackage: info: source-only upload (original source is included)
Now running lintian apache2_2.4.52-1ubuntu1_source.changes ....

Read more...

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/apache2-bin.install b/debian/apache2-bin.install
2index 63c573f..3d1bdf1 100644
3--- a/debian/apache2-bin.install
4+++ b/debian/apache2-bin.install
5@@ -1,2 +1,3 @@
6 /usr/lib/apache2/modules/
7 /usr/sbin/apache2
8+debian/apache2.py usr/share/apport/package-hooks
9diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile
10new file mode 100644
11index 0000000..974a655
12--- /dev/null
13+++ b/debian/apache2-utils.ufw.profile
14@@ -0,0 +1,14 @@
15+[Apache]
16+title=Web Server
17+description=Apache v2 is the next generation of the omnipresent Apache web server.
18+ports=80/tcp
19+
20+[Apache Secure]
21+title=Web Server (HTTPS)
22+description=Apache v2 is the next generation of the omnipresent Apache web server.
23+ports=443/tcp
24+
25+[Apache Full]
26+title=Web Server (HTTP,HTTPS)
27+description=Apache v2 is the next generation of the omnipresent Apache web server.
28+ports=80,443/tcp
29diff --git a/debian/apache2.dirs b/debian/apache2.dirs
30index 6089013..1aa6d3c 100644
31--- a/debian/apache2.dirs
32+++ b/debian/apache2.dirs
33@@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk
34 var/lib/apache2
35 var/log/apache2
36 var/www/html
37+/etc/ufw/applications.d/apache2
38diff --git a/debian/apache2.install b/debian/apache2.install
39index b6ad789..92865fc 100644
40--- a/debian/apache2.install
41+++ b/debian/apache2.install
42@@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2
43 debian/config-dir/envvars /etc/apache2
44 debian/config-dir/magic /etc/apache2
45 debian/debhelper/apache2-maintscript-helper /usr/share/apache2/
46+debian/apache2-utils.ufw.profile /etc/ufw/applications.d/
47diff --git a/debian/apache2.postrm b/debian/apache2.postrm
48index a68583c..b0e5d7b 100644
49--- a/debian/apache2.postrm
50+++ b/debian/apache2.postrm
51@@ -33,6 +33,7 @@ is_default_index_html () {
52 776221a94e5a174dc2396c0f3f6b6a74
53 c481228d439cbb54bdcedbaec5bbb11a
54 e2620d4a5a0f8d80dd4b16de59af981f
55+ 3526531ccd6c6a1d2340574a305a18f8
56 EOF
57 }
58
59diff --git a/debian/apache2.py b/debian/apache2.py
60new file mode 100644
61index 0000000..a9fb9d8
62--- /dev/null
63+++ b/debian/apache2.py
64@@ -0,0 +1,48 @@
65+#!/usr/bin/python
66+
67+'''apport hook for apache2
68+
69+(c) 2010 Adam Sommer.
70+Author: Adam Sommer <asommer@ubuntu.com>
71+
72+This program is free software; you can redistribute it and/or modify it
73+under the terms of the GNU General Public License as published by the
74+Free Software Foundation; either version 2 of the License, or (at your
75+option) any later version. See http://www.gnu.org/copyleft/gpl.html for
76+the full text of the license.
77+'''
78+
79+from apport.hookutils import *
80+import os
81+
82+SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/'
83+
84+def add_info(report, ui):
85+ if os.path.isdir(SITES_ENABLED_DIR):
86+ response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory "
87+ "may help developers diagnose your bug more "
88+ "quickly. However, it may contain sensitive "
89+ "information. Do you want to include it in your "
90+ "bug report?")
91+
92+ if response == None: # user cancelled
93+ raise StopIteration
94+
95+ elif response == True:
96+ # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d
97+ for conf_file in os.listdir(SITES_ENABLED_DIR):
98+ attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file)
99+
100+ try:
101+ report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d'))
102+ except OSError:
103+ report['Apache2ConfdDirListing'] = str(False)
104+
105+ # Attach default config files if changed.
106+ attach_conffiles(report, 'apache2', conffiles=None)
107+
108+ # Attach the error.log file.
109+ attach_file(report, '/var/log/apache2/error.log', key='error.log')
110+
111+ # Get loaded modules.
112+ report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES'])
113diff --git a/debian/changelog b/debian/changelog
114index 0df5aec..3e2b50f 100644
115--- a/debian/changelog
116+++ b/debian/changelog
117@@ -1,3 +1,30 @@
118+apache2 (2.4.52-1ubuntu1) jammy; urgency=medium
119+
120+ * Merge with Debian unstable (LP: #1959924). Remaining changes:
121+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
122+ apache2.dirs}: Add ufw profiles.
123+ (LP 261198)
124+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
125+ (LP 609177)
126+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
127+ d/s/include-binaries: replace Debian with Ubuntu on default
128+ page and add Ubuntu icon file.
129+ (LP 1288690)
130+ * Dropped:
131+ - d/p/support-openssl3-*.patch: Backport various patches from
132+ https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
133+ failure to load when using OpenSSL 3.
134+ (LP #1951476)
135+ [Included in upstream release 2.4.52]
136+ - d/apache2ctl: Also use systemd for graceful if it is in use.
137+ (LP 1832182)
138+ [This introduced a performance regression.]
139+ - d/apache2ctl: Also use /run/systemd to check for systemd usage.
140+ (LP 1918209)
141+ [Not needed]
142+
143+ -- Bryce Harrington <bryce@canonical.com> Thu, 03 Feb 2022 10:25:47 -0800
144+
145 apache2 (2.4.52-1) unstable; urgency=medium
146
147 * Refresh suexec-custom.patch
148@@ -8,6 +35,60 @@ apache2 (2.4.52-1) unstable; urgency=medium
149
150 -- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +0100
151
152+apache2 (2.4.51-2ubuntu1) jammy; urgency=medium
153+
154+ * Merge with Debian unstable. Remaining changes:
155+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
156+ apache2.dirs}: Add ufw profiles.
157+ (LP 261198)
158+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
159+ (LP 609177)
160+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
161+ d/s/include-binaries: replace Debian with Ubuntu on default
162+ page and add Ubuntu icon file.
163+ (LP 1288690)
164+ - d/p/support-openssl3-*.patch: Backport various patches from
165+ https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
166+ failure to load when using OpenSSL 3.
167+ (LP #1951476)
168+ * Dropped:
169+ - d/apache2ctl: Also use systemd for graceful if it is in use.
170+ (LP: 1832182)
171+ [This introduced a performance regression.]
172+ - d/apache2ctl: Also use /run/systemd to check for systemd usage.
173+ (LP 1918209)
174+ [Not needed]
175+ - debian/patches/CVE-2021-33193.patch: refactor request parsing in
176+ include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
177+ include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
178+ server/core_filters.c, server/protocol.c, server/vhost.c.
179+ [Fixed in 2.4.48-4]
180+ - debian/patches/CVE-2021-34798.patch: add NULL check in
181+ server/scoreboard.c.
182+ [Fixed in 2.4.49-1]
183+ - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
184+ generic worker in modules/proxy/mod_proxy_uwsgi.c.
185+ [Fixed in 2.4.49-1]
186+ - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
187+ substitution logic in server/util.c.
188+ [Fixed in 2.4.49-1]
189+ - arbitrary origin server via crafted request uri-path
190+ + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
191+ parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
192+ modules/proxy/proxy_util.c.
193+ + debian/patches/CVE-2021-40438.patch: add sanity checks on the
194+ configured UDS path in modules/proxy/proxy_util.c.
195+ [Fixed in 2.4.49-3]
196+ - SECURITY REGRESSION: Issues in UDS URIs. (LP #1945311)
197+ + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
198+ rules in modules/mappers/mod_rewrite.c.
199+ + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
200+ hostname in modules/mappers/mod_rewrite.c,
201+ modules/proxy/proxy_util.c.
202+ [Fixed in 2.4.49-3]
203+
204+ -- Bryce Harrington <bryce@canonical.com> Thu, 16 Dec 2021 14:09:26 -0800
205+
206 apache2 (2.4.51-2) unstable; urgency=medium
207
208 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting
209@@ -73,6 +154,74 @@ apache2 (2.4.48-4) unstable; urgency=medium
210
211 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200
212
213+apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium
214+
215+ * d/p/support-openssl3-*.patch: Backport various patches from
216+ https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
217+ failure to load when using OpenSSL 3. (LP: #1951476)
218+
219+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 26 Nov 2021 16:07:56 -0500
220+
221+apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
222+
223+ * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
224+ - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
225+ rules in modules/mappers/mod_rewrite.c.
226+ - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
227+ hostname in modules/mappers/mod_rewrite.c,
228+ modules/proxy/proxy_util.c.
229+
230+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Sep 2021 08:52:26 -0400
231+
232+apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium
233+
234+ * SECURITY UPDATE: request splitting over HTTP/2
235+ - debian/patches/CVE-2021-33193.patch: refactor request parsing in
236+ include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
237+ include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
238+ server/core_filters.c, server/protocol.c, server/vhost.c.
239+ - CVE-2021-33193
240+ * SECURITY UPDATE: NULL deref via malformed requests
241+ - debian/patches/CVE-2021-34798.patch: add NULL check in
242+ server/scoreboard.c.
243+ - CVE-2021-34798
244+ * SECURITY UPDATE: DoS in mod_proxy_uwsgi
245+ - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
246+ generic worker in modules/proxy/mod_proxy_uwsgi.c.
247+ - CVE-2021-36160
248+ * SECURITY UPDATE: buffer overflow in ap_escape_quotes
249+ - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
250+ substitution logic in server/util.c.
251+ - CVE-2021-39275
252+ * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
253+ - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
254+ parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
255+ modules/proxy/proxy_util.c.
256+ - debian/patches/CVE-2021-40438.patch: add sanity checks on the
257+ configured UDS path in modules/proxy/proxy_util.c.
258+ - CVE-2021-40438
259+
260+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Sep 2021 12:51:16 -0400
261+
262+apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium
263+
264+ * Merge with Debian unstable. Remaining changes:
265+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
266+ apache2.dirs}: Add ufw profiles. (LP 261198)
267+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
268+ (LP 609177)
269+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
270+ d/s/include-binaries: replace Debian with Ubuntu on default
271+ page and add Ubuntu icon file. (LP 1288690)
272+ - d/apache2ctl: Also use systemd for graceful if it is in use.
273+ This extends an earlier fix for the start command to behave
274+ similarly for restart / graceful. Fixes service failures on
275+ unattended upgrade. (LP 1832182)
276+ - d/apache2ctl: Also use /run/systemd to check for systemd usage
277+ (LP 1918209)
278+
279+ -- Bryce Harrington <bryce@canonical.com> Wed, 11 Aug 2021 20:03:24 -0700
280+
281 apache2 (2.4.48-3.1) unstable; urgency=medium
282
283 * Non-maintainer upload.
284@@ -81,6 +230,46 @@ apache2 (2.4.48-3.1) unstable; urgency=medium
285
286 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200
287
288+apache2 (2.4.48-3ubuntu1) impish; urgency=medium
289+
290+ * Merge with Debian unstable. Remaining changes:
291+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
292+ apache2.dirs}: Add ufw profiles. (LP: 261198)
293+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
294+ (LP: 609177)
295+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
296+ d/s/include-binaries: replace Debian with Ubuntu on default
297+ page and add Ubuntu icon file. (LP: 1288690)
298+ - d/apache2ctl: Also use systemd for graceful if it is in use.
299+ This extends an earlier fix for the start command to behave
300+ similarly for restart / graceful. Fixes service failures on
301+ unattended upgrade. (LP: 1832182)
302+ - d/apache2ctl: Also use /run/systemd to check for systemd usage
303+ (LP: 1918209)
304+ * Dropped:
305+ - d/t/control, d/t/check-http2: add basic test for http2 support
306+ [Fixed in 2.4.48-2]
307+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
308+ [Fixed in 2.4.48-1]
309+ - d/p/CVE-2020-13950.patch: don't dereference NULL proxy
310+ connection in modules/proxy/mod_proxy_http.c.
311+ [Fixed in 2.4.48 upstream]
312+ - d/p/CVE-2020-35452.patch: fast validation of the nonce's
313+ base64 to fail early if the format can't match anyway in
314+ modules/aaa/mod_auth_digest.c.
315+ [Fixed in 2.4.48 upstream]
316+ - d/p/CVE-2021-26690.patch: save one apr_strtok() in
317+ session_identity_decode() in modules/session/mod_session.c.
318+ [Fixed in 2.4.48 upstream]
319+ - d/p/CVE-2021-26691.patch: account for the '&' in
320+ identity_concat() in modules/session/mod_session.c.
321+ [Fixed in 2.4.48 upstream]
322+ - d/p/CVE-2021-30641.patch: change default behavior in
323+ server/request.c.
324+ [Fixed in 2.4.48 upstream]
325+
326+ -- Bryce Harrington <bryce@canonical.com> Thu, 08 Jul 2021 03:20:46 +0000
327+
328 apache2 (2.4.48-3) unstable; urgency=medium
329
330 * Fix debian/changelog
331@@ -137,6 +326,65 @@ apache2 (2.4.46-5) unstable; urgency=medium
332
333 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200
334
335+apache2 (2.4.46-4ubuntu3) impish; urgency=medium
336+
337+ * No-change rebuild due to OpenLDAP soname bump.
338+
339+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 17:43:48 -0400
340+
341+apache2 (2.4.46-4ubuntu2) impish; urgency=medium
342+
343+ * SECURITY UPDATE: mod_proxy_http denial of service.
344+ - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
345+ connection in modules/proxy/mod_proxy_http.c.
346+ - CVE-2020-13950
347+ * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
348+ - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
349+ base64 to fail early if the format can't match anyway in
350+ modules/aaa/mod_auth_digest.c.
351+ - CVE-2020-35452
352+ * SECURITY UPDATE: DoS via cookie header in mod_session
353+ - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
354+ session_identity_decode() in modules/session/mod_session.c.
355+ - CVE-2021-26690
356+ * SECURITY UPDATE: heap overflow via SessionHeader
357+ - debian/patches/CVE-2021-26691.patch: account for the '&' in
358+ identity_concat() in modules/session/mod_session.c.
359+ - CVE-2021-26691
360+ * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
361+ - debian/patches/CVE-2021-30641.patch: change default behavior in
362+ server/request.c.
363+ - CVE-2021-30641
364+
365+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Jun 2021 13:09:41 -0400
366+
367+apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium
368+
369+ * Merge with Debian unstable, to allow moving from lua5.2 to
370+ lua5.3 (LP: #1910372). Remaining changes:
371+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
372+ apache2.dirs}: Add ufw profiles.
373+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
374+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
375+ Debian with Ubuntu on default page.
376+ + d/source/include-binaries: add Ubuntu icon file
377+ - d/t/control, d/t/check-http2: add basic test for http2 support
378+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
379+ issue reading error log too quickly after request, by adding a sleep.
380+ (LP #1890302)
381+ - d/apache2ctl: Also use systemd for graceful if it is in use.
382+ This extends an earlier fix for the start command to behave
383+ similarly for restart / graceful. Fixes service failures on
384+ unattended upgrade.
385+ * Drop:
386+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
387+ was re-added by mistake in 2.4.41-1 (Closes #921024)
388+ [Included in Debian 2.4.46-3]
389+ * d/apache2ctl: Also use /run/systemd to check for systemd usage
390+ (LP: #1918209)
391+
392+ -- Bryce Harrington <bryce@canonical.com> Tue, 09 Mar 2021 00:45:35 +0000
393+
394 apache2 (2.4.46-4) unstable; urgency=medium
395
396 * Ignore other random another test failures (Closes: #979664)
397@@ -154,6 +402,28 @@ apache2 (2.4.46-3) unstable; urgency=medium
398
399 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100
400
401+apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium
402+
403+ * Merge with Debian unstable. Remaining changes:
404+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
405+ apache2.dirs}: Add ufw profiles.
406+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
407+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
408+ Debian with Ubuntu on default page.
409+ + d/source/include-binaries: add Ubuntu icon file
410+ - d/t/control, d/t/check-http2: add basic test for http2 support
411+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
412+ was re-added by mistake in 2.4.41-1 (Closes #921024)
413+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
414+ issue reading error log too quickly after request, by adding a sleep.
415+ (LP #1890302)
416+ - d/apache2ctl: Also use systemd for graceful if it is in use.
417+ This extends an earlier fix for the start command to behave
418+ similarly for restart / graceful. Fixes service failures on
419+ unattended upgrade.
420+
421+ -- Paride Legovini <paride.legovini@canonical.com> Mon, 14 Dec 2020 18:12:15 +0100
422+
423 apache2 (2.4.46-2) unstable; urgency=medium
424
425 [ Jean-Michel Vourgère ]
426@@ -175,6 +445,39 @@ apache2 (2.4.46-2) unstable; urgency=medium
427
428 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100
429
430+apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium
431+
432+ * d/apache2ctl: Also use systemd for graceful if it is in use.
433+ (LP: #1832182)
434+ - This extends an earlier fix for the start command to behave
435+ similarly for restart / graceful. Fixes service failures on
436+ unattended upgrade.
437+
438+ -- Bryce Harrington <bryce@canonical.com> Mon, 05 Oct 2020 16:06:32 -0700
439+
440+apache2 (2.4.46-1ubuntu1) groovy; urgency=medium
441+
442+ * Merge with Debian unstable. Remaining changes:
443+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
444+ apache2.dirs}: Add ufw profiles.
445+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
446+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
447+ Debian with Ubuntu on default page.
448+ + d/source/include-binaries: add Ubuntu icon file
449+ - d/t/control, d/t/check-http2: add basic test for http2 support
450+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
451+ was re-added by mistake in 2.4.41-1 (Closes #921024)
452+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
453+ issue reading error log too quickly after request, by adding a sleep.
454+ (LP #1890302)
455+ * Dropped:
456+ - debian/patches/086_svn_cross_compiles: Backport several cross
457+ fixes from upstream
458+ [Unclear if it's still necessary, and upstream hasn't made a
459+ release with it yet]
460+
461+ -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Aug 2020 09:13:38 -0300
462+
463 apache2 (2.4.46-1) unstable; urgency=medium
464
465 [ Xavier Guimard ]
466@@ -191,6 +494,39 @@ apache2 (2.4.46-1) unstable; urgency=medium
467
468 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200
469
470+apache2 (2.4.43-1ubuntu2) groovy; urgency=medium
471+
472+ * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
473+ issue reading error log too quickly after request, by adding a sleep.
474+ (LP: #1890302)
475+
476+ -- Bryce Harrington <bryce@canonical.com> Wed, 05 Aug 2020 12:44:59 -0700
477+
478+apache2 (2.4.43-1ubuntu1) groovy; urgency=medium
479+
480+ * Merge with Debian unstable. Remaining changes:
481+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
482+ apache2.dirs}: Add ufw profiles.
483+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
484+ - debian/patches/086_svn_cross_compiles: Backport several cross
485+ fixes from upstream
486+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
487+ Debian with Ubuntu on default page.
488+ + d/source/include-binaries: add Ubuntu icon file
489+ - d/t/control, d/t/check-http2: add basic test for http2 support
490+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
491+ was re-added by mistake in 2.4.41-1 (Closes #921024)
492+ * Dropped:
493+ - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
494+ parameter to mod_proxy_ajp (LP #1865340)
495+ [Fixed upstream]
496+ - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
497+ mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
498+ Closes #955348, LP #1872478
499+ [In 2.4.43-1]
500+
501+ -- Andreas Hasenack <andreas@canonical.com> Tue, 21 Jul 2020 10:22:42 -0300
502+
503 apache2 (2.4.43-1) unstable; urgency=medium
504
505 [ Timo Aaltonen ]
506@@ -218,6 +554,39 @@ apache2 (2.4.41-5) unstable; urgency=medium
507
508 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100
509
510+apache2 (2.4.41-4ubuntu3) focal; urgency=medium
511+
512+ [ Timo Aaltonen ]
513+ * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
514+ mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
515+ Closes: #955348, LP: #1872478
516+
517+ -- Andreas Hasenack <andreas@canonical.com> Mon, 13 Apr 2020 14:19:17 -0300
518+
519+apache2 (2.4.41-4ubuntu2) focal; urgency=medium
520+
521+ * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
522+ parameter to mod_proxy_ajp (LP: #1865340)
523+
524+ -- Andreas Hasenack <andreas@canonical.com> Thu, 05 Mar 2020 15:51:00 -0300
525+
526+apache2 (2.4.41-4ubuntu1) focal; urgency=medium
527+
528+ * Merge with Debian unstable. Remaining changes:
529+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
530+ apache2.dirs}: Add ufw profiles.
531+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
532+ - debian/patches/086_svn_cross_compiles: Backport several cross
533+ fixes from upstream
534+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
535+ Debian with Ubuntu on default page.
536+ + d/source/include-binaries: add Ubuntu icon file
537+ - d/t/control, d/t/check-http2: add basic test for http2 support
538+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
539+ was re-added by mistake in 2.4.41-1 (Closes #921024)
540+
541+ -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 10:36:13 -0300
542+
543 apache2 (2.4.41-4) unstable; urgency=medium
544
545 * Add gcc in chroot autopkgtest (fixes debci)
546@@ -242,6 +611,41 @@ apache2 (2.4.41-2) unstable; urgency=medium
547
548 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100
549
550+apache2 (2.4.41-1ubuntu1) eoan; urgency=medium
551+
552+ * Merge with Debian unstable. Remaining changes:
553+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
554+ apache2.dirs}: Add ufw profiles.
555+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
556+ - debian/patches/086_svn_cross_compiles: Backport several cross
557+ fixes from upstream
558+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
559+ Debian with Ubuntu on default page.
560+ + d/source/include-binaries: add Ubuntu icon file
561+ - d/t/control, d/t/check-http2: add basic test for http2 support
562+ * Dropped:
563+ - Cherrypick upstream testsuite fix:
564+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
565+ as such).
566+ + Similarly use TLSv1.2 for pr12355 and pr43738.
567+ [Test suite updated in 2.4.41-1]
568+ - Cherrypick upstream test suite fix for buffer.
569+ [Included in 2.4.41-1]
570+ - d/p/spelling-errors.patch: removed hunks already fixed upstream
571+ [Included in 2.4.39-1]
572+ - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
573+ + d/p/CVE-2019-0196.patch
574+ + d/p/CVE-2019-0211.patch
575+ + d/p/CVE-2019-0215.patch
576+ + d/p/CVE-2019-0217.patch
577+ + d/p/CVE-2019-0220-*.patch
578+ + d/p/CVE-2019-0197.patch
579+ * Added:
580+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
581+ was re-added by mistake in 2.4.41-1 (Closes: #921024)
582+
583+ -- Andreas Hasenack <andreas@canonical.com> Wed, 14 Aug 2019 11:36:32 -0300
584+
585 apache2 (2.4.41-1) unstable; urgency=medium
586
587 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,
588@@ -274,6 +678,62 @@ apache2 (2.4.39-1) unstable; urgency=medium
589
590 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200
591
592+apache2 (2.4.39-0ubuntu1) eoan; urgency=medium
593+
594+ * New upstream version: 2.4.39
595+ * d/p/spelling-errors.patch: removed hunks already fixed upstream
596+ * Remaining changes:
597+ - Cherrypick upstream test suite fix for buffer.
598+ - Cherrypick upstream testsuite fix:
599+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
600+ as such).
601+ - Similarly use TLSv1.2 for pr12355 and pr43738.
602+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
603+ apache2.dirs}: Add ufw profiles.
604+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
605+ - debian/patches/086_svn_cross_compiles: Backport several cross
606+ fixes from upstream
607+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
608+ Debian with Ubuntu on default page.
609+ + d/source/include-binaries: add Ubuntu icon file
610+ - d/t/control, d/t/check-http2: add basic test for http2 support
611+ * Dropped patches (fixed upstream):
612+ - d/p/CVE-2019-0196.patch
613+ - d/p/CVE-2019-0211.patch
614+ - d/p/CVE-2019-0215.patch
615+ - d/p/CVE-2019-0217.patch
616+ - d/p/CVE-2019-0220-*.patch
617+ - d/p/CVE-2019-0197.patch
618+
619+ -- Andreas Hasenack <andreas@canonical.com> Mon, 05 Aug 2019 18:09:08 -0300
620+
621+apache2 (2.4.38-3ubuntu2) eoan; urgency=medium
622+
623+ * Cherrypick upstream test suite fix for buffer.
624+
625+ -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 13 Jun 2019 11:08:24 +0100
626+
627+apache2 (2.4.38-3ubuntu1) eoan; urgency=low
628+
629+ * Merge from Debian unstable. Remaining changes:
630+ - Cherrypick upstream testsuite fix:
631+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
632+ as such).
633+ - Similarly use TLSv1.2 for pr12355 and pr43738.
634+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
635+ apache2.dirs}: Add ufw profiles.
636+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
637+ - debian/patches/086_svn_cross_compiles: Backport several cross
638+ fixes from upstream
639+ [Removed configure chunk, not needed since configure.in is being
640+ patched.]
641+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
642+ Debian with Ubuntu on default page.
643+ + d/source/include-binaries: add Ubuntu icon file
644+ - d/t/control, d/t/check-http2: add basic test for http2 support
645+
646+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Jun 2019 19:17:38 +0100
647+
648 apache2 (2.4.38-3) unstable; urgency=high
649
650 [ Marc Deslauriers ]
651@@ -311,6 +771,79 @@ apache2 (2.4.38-3) unstable; urgency=high
652
653 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200
654
655+apache2 (2.4.38-2ubuntu3) eoan; urgency=medium
656+
657+ * Cherrypick upstream testsuite fix:
658+ - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
659+ as such).
660+ * Similarly use TLSv1.2 for pr12355 and pr43738.
661+
662+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 07 May 2019 10:39:47 +0100
663+
664+apache2 (2.4.38-2ubuntu2) disco; urgency=medium
665+
666+ * SECURITY UPDATE: read-after-free on a string compare in mod_http2
667+ - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
668+ request method in modules/http2/h2_request.c.
669+ - CVE-2019-0196
670+ * SECURITY UPDATE: privilege escalation from modules' scripts
671+ - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
672+ child to its slot number in include/scoreboard.h,
673+ server/mpm/event/event.c, server/mpm/prefork/prefork.c,
674+ server/mpm/worker/worker.c.
675+ - CVE-2019-0211
676+ * SECURITY UPDATE: mod_ssl access control bypass
677+ - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
678+ PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
679+ - CVE-2019-0215
680+ * SECURITY UPDATE: mod_auth_digest access control bypass
681+ - debian/patches/CVE-2019-0217.patch: fix a race condition in
682+ modules/aaa/mod_auth_digest.c.
683+ - CVE-2019-0217
684+ * SECURITY UPDATE: URL normalization inconsistincy
685+ - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
686+ the path in include/http_core.h, include/httpd.h, server/core.c,
687+ server/request.c, server/util.c.
688+ - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
689+ in server/request.c, server/util.c.
690+ - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
691+ server/util.c.
692+ - CVE-2019-0220
693+
694+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Apr 2019 14:31:46 -0400
695+
696+apache2 (2.4.38-2ubuntu1) disco; urgency=medium
697+
698+ * Merge with Debian unstable. Remaining changes:
699+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
700+ apache2.dirs}: Add ufw profiles.
701+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
702+ - debian/patches/086_svn_cross_compiles: Backport several cross
703+ fixes from upstream
704+ [Removed configure chunk, not needed since configure.in is being
705+ patched.]
706+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
707+ Debian with Ubuntu on default page.
708+ + d/source/include-binaries: add Ubuntu icon file
709+ - d/t/control, d/t/check-http2: add basic test for http2 support
710+ * Dropped:
711+ - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
712+ libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
713+ cannot be coinstalled with libcurl3. That situation breaks the
714+ installation of libapache2-mod-shib2. See
715+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
716+ for details.
717+ [This has been resolved in Disco, where libxmltooling8 is built with
718+ openssl 1.1]
719+ - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
720+ + debian/patches/CVE-2018-11763.patch: rework connection IO event
721+ handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
722+ modules/http2/h2_version.h.
723+ - CVE-2018-11763
724+ [Fixed in 2.4.35]
725+
726+ -- Andreas Hasenack <andreas@canonical.com> Sun, 03 Feb 2019 14:57:13 -0200
727+
728 apache2 (2.4.38-2) unstable; urgency=medium
729
730 * Disable "reset" test in allowmethods.t (Closes: #921024)
731@@ -393,6 +926,37 @@ apache2 (2.4.35-1) unstable; urgency=medium
732
733 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200
734
735+apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium
736+
737+ * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
738+ - debian/patches/CVE-2018-11763.patch: rework connection IO event
739+ handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
740+ modules/http2/h2_version.h.
741+ - CVE-2018-11763
742+
743+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Oct 2018 09:57:22 -0400
744+
745+apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium
746+
747+ * Merge with Debian unstable. Remaining changes:
748+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
749+ apache2.dirs}: Add ufw profiles.
750+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
751+ - debian/patches/086_svn_cross_compiles: Backport several cross
752+ fixes from upstream
753+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
754+ Debian with Ubuntu on default page.
755+ + d/source/include-binaries: add Ubuntu icon file
756+ - d/t/control, d/t/check-http2: add basic test for http2 support
757+ - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
758+ libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
759+ cannot be coinstalled with libcurl3. That situation breaks the
760+ installation of libapache2-mod-shib2. See
761+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
762+ for details.
763+
764+ -- Andreas Hasenack <andreas@canonical.com> Fri, 03 Aug 2018 17:09:27 -0300
765+
766 apache2 (2.4.34-1) unstable; urgency=medium
767
768 [ Ondřej Surý ]
769@@ -411,6 +975,87 @@ apache2 (2.4.34-1) unstable; urgency=medium
770
771 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200
772
773+apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium
774+
775+ * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load:
776+ re-enable proxy_uwsgi, as the uwsgi source no longer builds this module.
777+
778+ -- Andreas Hasenack <andreas@canonical.com> Thu, 28 Jun 2018 10:07:06 -0300
779+
780+apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
781+
782+ * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
783+ libapache2-mod-md until we figure out their transitions. libapache2-mod-md
784+ in particular is problematic because that makes apache2-bin pull in
785+ libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
786+ the installation of libapache2-mod-shib2. See
787+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
788+ for details.
789+ - Don't ship md.load and remove build-requires that were added because of
790+ mod-md (see
791+ https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
792+ - Remove proxy_uwsgi.load as we are not building it for now (see
793+ https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
794+
795+ -- Andreas Hasenack <andreas@canonical.com> Thu, 17 May 2018 14:46:19 +0000
796+
797+apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
798+
799+ * Merge with Debian unstable (LP: #1770242). Remaining changes:
800+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
801+ apache2.dirs}: Add ufw profiles.
802+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
803+ - debian/patches/086_svn_cross_compiles: Backport several cross
804+ fixes from upstream
805+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
806+ Debian with Ubuntu on default page.
807+ + d/source/include-binaries: add Ubuntu icon file
808+ - d/t/control, d/t/check-http2: add basic test for http2 support
809+ * Drop:
810+ - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
811+ + debian/patches/CVE-2017-15710.patch: fix language long names
812+ detection as short name in modules/aaa/mod_authnz_ldap.c.
813+ + CVE-2017-15710
814+ - SECURITY UPDATE: incorrect <FilesMatch> matching
815+ + debian/patches/CVE-2017-15715.patch: allow to configure
816+ global/default options for regexes, like caseless matching or
817+ extended format in include/ap_regex.h, server/core.c,
818+ server/util_pcre.c.
819+ + CVE-2017-15715
820+ - SECURITY UPDATE: mod_session header manipulation
821+ + debian/patches/CVE-2018-1283.patch: strip Session header when
822+ SessionEnv is on in modules/session/mod_session.c.
823+ + CVE-2018-1283
824+ - SECURITY UPDATE: DoS via specially-crafted request
825+ + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
826+ terminated on any error, not only on buffer full in
827+ server/protocol.c.
828+ + CVE-2018-1301
829+ - SECURITY UPDATE: mod_cache_socache DoS
830+ + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
831+ to carriage return in modules/cache/mod_cache_socache.c.
832+ + CVE-2018-1303
833+ - SECURITY UPDATE: insecure nonce generation
834+ + debian/patches/CVE-2018-1312.patch: actually use the secret when
835+ generating nonces in modules/aaa/mod_auth_digest.c.
836+ + CVE-2018-1312
837+ - Correct systemd-sysv-generator behavior by customizing some
838+ parameters:
839+ + d/apache2-systemd.conf: add a drop-in file to specify some
840+ parameters for the systemd unit (type=Forking and
841+ RemainsAfterExit=no), this allow a correct state synchronisation
842+ between systemctl status and actual state of apache2 daemon.
843+ + d/apache2.install: place the apache2-systemd.conf file in the
844+ correct location.
845+ [type=Forking already in the base systemd service file, and
846+ RemainsAfterExit=no is the default value, so no need to
847+ customize these anymore.]
848+ - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
849+ + added debian/patches/util_ldap_cache_lock_fix.patch
850+ [Already applied upstream]
851+
852+ -- Andreas Hasenack <andreas@canonical.com> Tue, 15 May 2018 11:03:34 -0300
853+
854 apache2 (2.4.33-3) unstable; urgency=medium
855
856 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
857@@ -483,6 +1128,91 @@ apache2 (2.4.29-2) unstable; urgency=medium
858
859 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +0000
860
861+apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium
862+
863+ * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
864+ - debian/patches/CVE-2017-15710.patch: fix language long names
865+ detection as short name in modules/aaa/mod_authnz_ldap.c.
866+ - CVE-2017-15710
867+ * SECURITY UPDATE: incorrect <FilesMatch> matching
868+ - debian/patches/CVE-2017-15715.patch: allow to configure
869+ global/default options for regexes, like caseless matching or
870+ extended format in include/ap_regex.h, server/core.c,
871+ server/util_pcre.c.
872+ - CVE-2017-15715
873+ * SECURITY UPDATE: mod_session header manipulation
874+ - debian/patches/CVE-2018-1283.patch: strip Session header when
875+ SessionEnv is on in modules/session/mod_session.c.
876+ - CVE-2018-1283
877+ * SECURITY UPDATE: DoS via specially-crafted request
878+ - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
879+ terminated on any error, not only on buffer full in
880+ server/protocol.c.
881+ - CVE-2018-1301
882+ * SECURITY UPDATE: mod_cache_socache DoS
883+ - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
884+ to carriage return in modules/cache/mod_cache_socache.c.
885+ - CVE-2018-1303
886+ * SECURITY UPDATE: insecure nonce generation
887+ - debian/patches/CVE-2018-1312.patch: actually use the secret when
888+ generating nonces in modules/aaa/mod_auth_digest.c.
889+ - CVE-2018-1312
890+
891+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Apr 2018 07:38:24 -0400
892+
893+apache2 (2.4.29-1ubuntu4) bionic; urgency=medium
894+
895+ * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
896+ - added debian/patches/util_ldap_cache_lock_fix.patch
897+
898+ -- Rafael David Tinoco <rafael.tinoco@canonical.com> Fri, 02 Mar 2018 02:19:31 +0000
899+
900+apache2 (2.4.29-1ubuntu3) bionic; urgency=medium
901+
902+ * Switch back to OpenSSL 1.1.
903+
904+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 11:57:20 +0000
905+
906+apache2 (2.4.29-1ubuntu2) bionic; urgency=medium
907+
908+ * enable http2 (LP: #1687454) by stopping to disable it
909+ - debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
910+ - debian/config-dir/mods-available/http2.load: no more removed.
911+ - debian/rules: no more removed proxy_http2 from configure.
912+ * d/t/control, d/t/check-http2: add basic test for http2 support
913+
914+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 05 Dec 2017 17:25:39 +0100
915+
916+apache2 (2.4.29-1ubuntu1) bionic; urgency=medium
917+
918+ * Merge with Debian unstable. Remaining changes:
919+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
920+ apache2.dirs}: Add ufw profiles.
921+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
922+ - debian/patches/086_svn_cross_compiles: Backport several cross
923+ fixes from upstream
924+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
925+ Debian with Ubuntu on default page.
926+ + d/source/include-binaries: add Ubuntu icon file
927+ - Correct systemd-sysv-generator behavior by customizing some
928+ parameters:
929+ + d/apache2-systemd.conf: add a drop-in file to specify some
930+ parameters for the systemd unit (type=Forking and
931+ RemainsAfterExit=no), this allow a correct state synchronisation
932+ between systemctl status and actual state of apache2 daemon.
933+ + d/apache2.install: place the apache2-systemd.conf file in the
934+ correct location.
935+ - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
936+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
937+ + debian/config-dir/mods-available/http2.load: removed.
938+ + debian/rules: removed proxy_http2 from configure.
939+ * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
940+ - debian/control: switch BuildDepends to libssl1.0-dev
941+ - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
942+ - debian/rules: remove openssl virtual package and logic
943+
944+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 10 Nov 2017 10:51:46 -0500
945+
946 apache2 (2.4.29-1) unstable; urgency=medium
947
948 [ Stefan Fritsch ]
949@@ -547,6 +1277,47 @@ apache2 (2.4.27-3) experimental; urgency=medium
950
951 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +0200
952
953+apache2 (2.4.27-2ubuntu3) artful; urgency=medium
954+
955+ * SECURITY UPDATE: optionsbleed information leak
956+ - debian/patches/CVE-2017-9798.patch: disallow method registration
957+ at run time in server/core.c.
958+ - CVE-2017-9798
959+
960+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Sep 2017 11:05:48 -0400
961+
962+apache2 (2.4.27-2ubuntu2) artful; urgency=medium
963+
964+ * Undrop (LP 1658469):
965+ - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
966+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
967+ + debian/config-dir/mods-available/http2.load: removed.
968+ + debian/rules: removed proxy_http2 from configure.
969+
970+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 02 Aug 2017 13:04:45 -0400
971+
972+apache2 (2.4.27-2ubuntu1) artful; urgency=medium
973+
974+ * Merge with Debian unstable (LP: #1702582). Remaining changes:
975+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
976+ apache2.dirs}: Add ufw profiles.
977+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
978+ - debian/patches/086_svn_cross_compiles: Backport several cross
979+ fixes from upstream
980+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
981+ Debian with Ubuntu on default page.
982+ + d/source/include-binaries: add Ubuntu icon file
983+ - Correct systemd-sysv-generator behavior by customizing some
984+ parameters:
985+ + d/apache2-systemd.conf: add a drop-in file to specify some
986+ parameters for the systemd unit (type=Forking and
987+ RemainsAfterExit=no), this allow a correct state synchronisation
988+ between systemctl status and actual state of apache2 daemon.
989+ + d/apache2.install: place the apache2-systemd.conf file in the
990+ correct location.
991+
992+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 27 Jul 2017 13:38:39 -0700
993+
994 apache2 (2.4.27-2) unstable; urgency=medium
995
996 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
997@@ -576,6 +1347,55 @@ apache2 (2.4.25-4) unstable; urgency=high
998
999 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +0200
1000
1001+apache2 (2.4.25-3ubuntu3) artful; urgency=medium
1002+
1003+ * Re-Drop (LP: #1658469):
1004+ - Don't build experimental http2 module for LTS:
1005+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1006+ + debian/config-dir/mods-available/http2.load: removed.
1007+ + debian/rules: removed proxy_http2 from configure.
1008+ + debian/apache2.maintscript: remove http2 conffile.
1009+
1010+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Mon, 01 May 2017 09:55:11 -0700
1011+
1012+apache2 (2.4.25-3ubuntu2) zesty; urgency=medium
1013+ * Undrop (LP 1658469):
1014+ - Don't build experimental http2 module for LTS:
1015+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1016+ + debian/config-dir/mods-available/http2.load: removed.
1017+ + debian/rules: removed proxy_http2 from configure.
1018+ + debian/apache2.maintscript: remove http2 conffile.
1019+
1020+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 10 Feb 2017 08:53:43 -0800
1021+
1022+apache2 (2.4.25-3ubuntu1) zesty; urgency=medium
1023+
1024+ * Merge from Debian unstable (LP: #1663425). Remaining changes:
1025+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1026+ apache2.dirs}: Add ufw profiles.
1027+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1028+ - debian/patches/086_svn_cross_compiles: Backport several cross
1029+ fixes from upstream
1030+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1031+ Debian with Ubuntu on default page.
1032+ + d/source/include-binaries: add Ubuntu icon file
1033+ - Correct systemd-sysv-generator behavior by customizing some
1034+ parameters:
1035+ + d/apache2-systemd.conf: add a drop-in file to specify some
1036+ parameters for the systemd unit (type=Forking and
1037+ RemainsAfterExit=no), this allow a correct state synchronisation
1038+ between systemctl status and actual state of apache2 daemon.
1039+ + d/apache2.install: place the apache2-systemd.conf file in the
1040+ correct location.
1041+ * Drop (LP: #1658469):
1042+ - Don't build experimental http2 module for LTS:
1043+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1044+ + debian/config-dir/mods-available/http2.load: removed.
1045+ + debian/rules: removed proxy_http2 from configure.
1046+ + debian/apache2.maintscript: remove http2 conffile.
1047+
1048+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 09 Feb 2017 15:48:28 -0800
1049+
1050 apache2 (2.4.25-3) unstable; urgency=medium
1051
1052 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
1053@@ -637,6 +1457,39 @@ apache2 (2.4.25-1) unstable; urgency=medium
1054
1055 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +0100
1056
1057+apache2 (2.4.23-8ubuntu1) zesty; urgency=medium
1058+
1059+ * Merge from Debian unstable (LP: #). Remaining changes:
1060+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1061+ apache2.dirs}: Add ufw profiles.
1062+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1063+ - debian/patches/086_svn_cross_compiles: Backport several cross
1064+ fixes from upstream
1065+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
1066+ d/source/include-binaries: replace Debian with Ubuntu on default
1067+ page.
1068+ [ include-binaries change previously undocumented ]
1069+ - Don't build experimental http2 module for LTS:
1070+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1071+ + debian/config-dir/mods-available/http2.load: removed.
1072+ + debian/rules: removed proxy_http2 from configure.
1073+ + debian/apache2.maintscript: remove http2 conffile.
1074+ [ Previously undocumented ]
1075+ - Correct systemd-sysv-generator behavior by customizing some
1076+ parameters:
1077+ + d/apache2-systemd.conf: add a drop-in file to specify some
1078+ parameters for the systemd unit (type=Forking and
1079+ RemainsAfterExit=no), this allow a correct state synchronisation
1080+ between systemctl status and actual state of apache2 daemon.
1081+ + d/apache2.install: place the apache2-systemd.conf file in the
1082+ correct location.
1083+ * Drop:
1084+ - debian/rules: Fix cross-building by passing
1085+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1086+ [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]
1087+
1088+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 09 Dec 2016 11:02:38 +0100
1089+
1090 apache2 (2.4.23-8) unstable; urgency=medium
1091
1092 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
1093@@ -647,6 +1500,33 @@ apache2 (2.4.23-8) unstable; urgency=medium
1094
1095 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100
1096
1097+apache2 (2.4.23-7ubuntu1) zesty; urgency=medium
1098+
1099+ * Merge from Debian unstable. Remaining changes:
1100+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1101+ apache2.dirs}: Add ufw profiles.
1102+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1103+ - debian/rules: Fix cross-building by passing
1104+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1105+ - debian/patches/086_svn_cross_compiles: Backport several cross
1106+ fixes from upstream
1107+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1108+ Debian with Ubuntu on default page.
1109+ - Don't build experimental http2 module for LTS:
1110+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1111+ + debian/config-dir/mods-available/http2.load: removed.
1112+ + debian/rules: removed proxy_http2 from configure.
1113+ - Correct systemd-sysv-generator behavior by customizing some
1114+ parameters:
1115+ + d/apache2-systemd.conf: add a drop-in file to specify some
1116+ parameters for the systemd unit (type=Forking and
1117+ RemainsAfterExit=no), this allow a correct state synchronisation
1118+ between systemctl status and actual state of apache2 daemon.
1119+ + d/apache2.install: place the apache2-systemd.conf file in the
1120+ correct location.
1121+
1122+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Nov 2016 09:17:24 -0500
1123+
1124 apache2 (2.4.23-7) unstable; urgency=medium
1125
1126 * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
1127@@ -761,6 +1641,55 @@ apache2 (2.4.20-1) unstable; urgency=medium
1128
1129 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200
1130
1131+apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium
1132+
1133+ * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
1134+ - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
1135+ server/util_script.c.
1136+ - CVE-2016-5387
1137+
1138+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Jul 2016 14:32:02 -0400
1139+
1140+apache2 (2.4.18-2ubuntu3) xenial; urgency=medium
1141+
1142+ [ Ryan Harper ]
1143+ * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
1144+ introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
1145+ all, since http2 support is intentionally disabled (see LP 1531864).
1146+ * d/apache2.maintscript: handle removal of http2.load conffile.
1147+
1148+ [ Robie Basak ]
1149+ * Re-write Ryan's changelog entry.
1150+
1151+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 15 Apr 2016 18:00:57 +0000
1152+
1153+apache2 (2.4.18-2ubuntu2) xenial; urgency=medium
1154+
1155+ * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
1156+ - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
1157+ unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation
1158+ between systemctl status and actual state of apache2 daemon.
1159+ - d/apache2.install: place the apache2-systemd.conf file in the correct location.
1160+
1161+ -- Pierre-André MOREY <pierre-andre.morey@canonical.com> Fri, 08 Apr 2016 11:48:00 +0200
1162+
1163+apache2 (2.4.18-2ubuntu1) xenial; urgency=medium
1164+
1165+ * Merge from Debian unstable. Remaining changes:
1166+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1167+ apache2.dirs}: Add ufw profiles.
1168+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1169+ - debian/rules: Fix cross-building by passing
1170+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1171+ - debian/patches/086_svn_cross_compiles: Backport several cross
1172+ fixes from upstream
1173+ - d/index.html: replace Debian with Ubuntu on default page.
1174+ - Don't build experimental http2 module for LTS:
1175+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1176+ + debian/config-dir/mods-available/http2.load: removed.
1177+
1178+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 06 Apr 2016 00:18:31 +0300
1179+
1180 apache2 (2.4.18-2) unstable; urgency=low
1181
1182 * htcacheclean:
1183@@ -786,6 +1715,24 @@ apache2 (2.4.18-2) unstable; urgency=low
1184
1185 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200
1186
1187+apache2 (2.4.18-1ubuntu1) xenial; urgency=medium
1188+
1189+ * Merge from Debian unstable. Remaining changes:
1190+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1191+ apache2.dirs}: Add ufw profiles.
1192+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1193+ - Add dep8 tests.
1194+ - debian/rules: Fix cross-building by passing
1195+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1196+ - debian/patches/086_svn_cross_compiles: Backport several cross
1197+ fixes from upstream
1198+ - d/index.html: replace Debian with Ubuntu on default page.
1199+ - Don't build experimental http2 module for LTS:
1200+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1201+ + debian/config-dir/mods-available/http2.load: removed.
1202+
1203+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Jan 2016 15:15:22 -0500
1204+
1205 apache2 (2.4.18-1) unstable; urgency=medium
1206
1207 * New upstream release:
1208@@ -793,12 +1740,48 @@ apache2 (2.4.18-1) unstable; urgency=medium
1209
1210 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100
1211
1212+apache2 (2.4.17-3ubuntu1) xenial; urgency=medium
1213+
1214+ * Merge from Debian unstable. Remaining changes:
1215+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1216+ apache2.dirs}: Add ufw profiles.
1217+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1218+ - Add dep8 tests.
1219+ - debian/rules: Fix cross-building by passing
1220+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1221+ - debian/patches/086_svn_cross_compiles: Backport several cross
1222+ fixes from upstream
1223+ - d/index.html: replace Debian with Ubuntu on default page.
1224+ - Don't build experimental http2 module for LTS:
1225+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1226+ + debian/config-dir/mods-available/http2.load: removed.
1227+
1228+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Dec 2015 10:07:35 -0500
1229+
1230 apache2 (2.4.17-3) unstable; urgency=medium
1231
1232 * mpm_prefork: Fix segfault if started with -X. Closes: #805737
1233
1234 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100
1235
1236+apache2 (2.4.17-2ubuntu1) xenial; urgency=medium
1237+
1238+ * Merge from Debian unstable. Remaining changes:
1239+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1240+ apache2.dirs}: Add ufw profiles.
1241+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1242+ - Add dep8 tests.
1243+ - debian/rules: Fix cross-building by passing
1244+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1245+ - debian/patches/086_svn_cross_compiles: Backport several cross
1246+ fixes from upstream
1247+ - d/index.html: replace Debian with Ubuntu on default page.
1248+ - Don't build experimental http2 module for LTS:
1249+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1250+ + debian/config-dir/mods-available/http2.load: removed.
1251+
1252+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Nov 2015 09:11:52 -0500
1253+
1254 apache2 (2.4.17-2) unstable; urgency=medium
1255
1256 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
1257@@ -809,6 +1792,31 @@ apache2 (2.4.17-2) unstable; urgency=medium
1258
1259 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100
1260
1261+apache2 (2.4.17-1ubuntu1) xenial; urgency=medium
1262+
1263+ * Merge from Debian unstable. Remaining changes:
1264+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1265+ apache2.dirs}: Add ufw profiles.
1266+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1267+ - Add dep8 tests.
1268+ - debian/rules: Fix cross-building by passing
1269+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1270+ - debian/patches/086_svn_cross_compiles: Backport several cross
1271+ fixes from upstream
1272+ - d/index.html: replace Debian with Ubuntu on default page.
1273+ * Drop patches (applied upstream):
1274+ - debian/patches/CVE-2015-3183.patch
1275+ - debian/patches/CVE-2015-3185.patch
1276+ * Drop changes (adopted in Debian):
1277+ - Allow "triggers-awaited" and "triggers-pending" states in addition
1278+ to "installed" when determining whether to defer actions or
1279+ process deferred actions.
1280+ * Don't build experimental http2 module for LTS
1281+ - debian/control: removed libnghttp2-dev Build-Depends (in universe).
1282+ - debian/config-dir/mods-available/http2.load: removed.
1283+
1284+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 30 Oct 2015 09:35:46 -0400
1285+
1286 apache2 (2.4.17-1) unstable; urgency=medium
1287
1288 [ Stefan Fritsch ]
1289@@ -874,6 +1882,49 @@ apache2 (2.4.16-1) unstable; urgency=medium
1290
1291 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200
1292
1293+apache2 (2.4.12-2ubuntu2) wily; urgency=medium
1294+
1295+ * SECURITY UPDATE: request smuggling via chunked transfer encoding
1296+ - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
1297+ modules/http/http_filters.c.
1298+ - CVE-2015-3183
1299+ * SECURITY UPDATE: access restriction bypass via deprecated API
1300+ - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
1301+ in include/http_request.h, server/request.c.
1302+ - CVE-2015-3185
1303+
1304+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 24 Jul 2015 09:56:09 -0400
1305+
1306+apache2 (2.4.12-2ubuntu1) wily; urgency=medium
1307+
1308+ * Merge from Debian unstable. Remaining changes:
1309+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1310+ apache2.dirs}: Add ufw profiles.
1311+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1312+ - Add dep8 tests.
1313+ - debian/rules: Fix cross-building by passing
1314+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1315+ - debian/patches/086_svn_cross_compiles: Backport several cross
1316+ fixes from upstream
1317+ - d/index.html: replace Debian with Ubuntu on default page.
1318+ - Allow "triggers-awaited" and "triggers-pending" states in addition
1319+ to "installed" when determining whether to defer actions or
1320+ process deferred actions.
1321+ * Drop patches (applied upstream):
1322+ - d/p/split-logfile.patch
1323+ - d/p/CVE-2015-0228.patch
1324+ * Drop changes (superceded in Debian):
1325+ - Cherry-pick versioned build-depend on dpkg from Debian for correct
1326+ dpkg-maintscript-helper symlink_to_dir support.
1327+ * Drop changes (adopted in Debian):
1328+ - d/control, d/config-dir/mods-available/ssl.conf,
1329+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1330+ dialog program ask-for-passphrase.
1331+ * Fix cross-building configure line in d/rules, which had bit-rotted in
1332+ previous merges.
1333+
1334+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 May 2015 16:34:00 +0000
1335+
1336 apache2 (2.4.12-2) unstable; urgency=medium
1337
1338 [ Jean-Michel Nirgal Vourgère ]
1339@@ -923,6 +1974,28 @@ apache2 (2.4.10-10) unstable; urgency=medium
1340
1341 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100
1342
1343+apache2 (2.4.10-9ubuntu1) vivid; urgency=medium
1344+
1345+ * Merge from Debian unstable. Remaining changes:
1346+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1347+ apache2.dirs}: Add ufw profiles.
1348+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1349+ - d/control, d/config-dir/mods-available/ssl.conf,
1350+ - Add dep8 tests.
1351+ - debian/rules: Fix cross-building by passing
1352+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1353+ - debian/patches/086_svn_cross_compiles: Backport several cross
1354+ fixes from upstream
1355+ - d/index.html: replace Debian with Ubuntu on default page.
1356+ - d/p/split-logfile.patch: fix completely broken split-logfile
1357+ command.
1358+ - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
1359+ denial of service in mod_lua via websockets PING
1360+ * debian/tests/ssl-passphrase: Add password responder for
1361+ systemd-ask-passphrase.
1362+
1363+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 09 Mar 2015 12:03:16 +0100
1364+
1365 apache2 (2.4.10-9) unstable; urgency=medium
1366
1367 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
1368@@ -937,6 +2010,54 @@ apache2 (2.4.10-9) unstable; urgency=medium
1369
1370 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100
1371
1372+apache2 (2.4.10-8ubuntu3) vivid; urgency=medium
1373+
1374+ * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
1375+ directives
1376+ - debian/patches/CVE-2014-8109.patch: handle multiple Require
1377+ directives with different arguments in modules/lua/mod_lua.c.
1378+ - CVE-2014-8109
1379+ * SECURITY UPDATE: denial of service in mod_lua via websockets PING
1380+ - debian/patches/CVE-2015-0228.patch: fix logic in
1381+ modules/lua/lua_request.c.
1382+ - CVE-2015-0228
1383+
1384+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 05 Mar 2015 10:56:34 -0500
1385+
1386+apache2 (2.4.10-8ubuntu2) vivid; urgency=medium
1387+
1388+ * Allow "triggers-awaited" and "triggers-pending" states in addition to
1389+ "installed" when determining whether to defer actions or process
1390+ deferred actions (LP: #1393832).
1391+
1392+ -- Colin Watson <cjwatson@ubuntu.com> Wed, 26 Nov 2014 11:31:44 +0000
1393+
1394+apache2 (2.4.10-8ubuntu1) vivid; urgency=medium
1395+
1396+ * Merge from Debian unstable. Remaining changes:
1397+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1398+ apache2.dirs}: Add ufw profiles.
1399+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1400+ - d/control, d/config-dir/mods-available/ssl.conf,
1401+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1402+ dialog program ask-for-passphrase.
1403+ - Add dep8 tests.
1404+ - debian/rules: Fix cross-building by passing
1405+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1406+ - debian/patches/086_svn_cross_compiles: Backport several cross
1407+ fixes from upstream
1408+ - d/index.html: replace Debian with Ubuntu on default page.
1409+ - d/p/split-logfile.patch: fix completely broken split-logfile
1410+ command.
1411+ * Fixes from Debian included in merge:
1412+ - Crash caused by OCSP stapling code; this was erroneously
1413+ attributed to Debian in my previous merge, but actually only
1414+ appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
1415+ * Cherry-pick versioned build-depend on dpkg from Debian for correct
1416+ dpkg-maintscript-helper symlink_to_dir support.
1417+
1418+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 21 Nov 2014 15:15:58 +0000
1419+
1420 apache2 (2.4.10-8) unstable; urgency=medium
1421
1422 * Bump dpkg Pre-Depends to version that supports relative symlinks in
1423@@ -951,6 +2072,33 @@ apache2 (2.4.10-8) unstable; urgency=medium
1424
1425 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100
1426
1427+apache2 (2.4.10-7ubuntu1) vivid; urgency=medium
1428+
1429+ * Merge from Debian unstable. Remaining changes:
1430+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1431+ apache2.dirs}: Add ufw profiles.
1432+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1433+ - d/control, d/config-dir/mods-available/ssl.conf,
1434+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1435+ dialog program ask-for-passphrase.
1436+ - Add dep8 tests.
1437+ - debian/rules: Fix cross-building by passing
1438+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1439+ - debian/patches/086_svn_cross_compiles: Backport several cross
1440+ fixes from upstream
1441+ - d/index.html: replace Debian with Ubuntu on default page.
1442+ - d/p/split-logfile.patch: fix completely broken split-logfile command.
1443+ * Fixes from Debian included in merge:
1444+ - Don't use a2query in preinst, as it may not be available yet
1445+ (LP: #1312533).
1446+ - Crash caused by OCSP stapling code (LP: #1366174).
1447+ - Disable SSLv3 in default config (LP: #1358305).
1448+ - If apache2 is not configured yet, defer actions executed via
1449+ apache2-maintscript-helper. This fixes installation failures if a
1450+ module package is configured first (LP: #1312854).
1451+
1452+ -- Robie Basak <robie.basak@ubuntu.com> Mon, 17 Nov 2014 18:04:40 +0000
1453+
1454 apache2 (2.4.10-7) unstable; urgency=medium
1455
1456 * Handle transitions of doc dirs and symlinks correctly during upgrade.
1457@@ -1034,6 +2182,25 @@ apache2 (2.4.10-2) unstable; urgency=medium
1458
1459 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200
1460
1461+apache2 (2.4.10-1ubuntu1) utopic; urgency=medium
1462+
1463+ * Merge from Debian unstable. Remaining changes:
1464+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1465+ apache2.dirs}: Add ufw profiles.
1466+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1467+ - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
1468+ d/apache2.install: Plymouth aware passphrase dialog program
1469+ ask-for-passphrase.
1470+ - Add dep8 tests.
1471+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
1472+ configure.
1473+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
1474+ upstream
1475+ - d/index.html: replace Debian with Ubuntu on default page.
1476+ - d/p/split-logfile.patch: fix completely broken split-logfile command.
1477+
1478+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 24 Jul 2014 15:13:16 +0000
1479+
1480 apache2 (2.4.10-1) unstable; urgency=medium
1481
1482 [ Arno Töll ]
1483@@ -1081,6 +2248,45 @@ apache2 (2.4.9-2) unstable; urgency=medium
1484
1485 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200
1486
1487+apache2 (2.4.9-1ubuntu2) utopic; urgency=medium
1488+
1489+ * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
1490+ yet support building against lua 5.2 (LP: #1323930).
1491+
1492+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 28 May 2014 08:55:25 +0000
1493+
1494+apache2 (2.4.9-1ubuntu1) utopic; urgency=medium
1495+
1496+ * Merge from Debian unstable. Remaining changes:
1497+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1498+ apache2.dirs}: Add ufw profiles.
1499+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1500+ - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
1501+ d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
1502+ dialog program ask-for-passphrase.
1503+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
1504+ configure.
1505+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
1506+ upstream
1507+ - Build using lua5.2.
1508+ - d/tests/chroot: dep8 test for ChrootDir case.
1509+ - d/tests/ssl-passphrase: update for new default path /var/www/html.
1510+ - d/tests/duplicate-module-load: check for duplicate module loads.
1511+ - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
1512+ - d/p/split-logfile.patch: fix completely broken split-logfile command
1513+ (LP: #1299162). Thanks to Holger Mauermann.
1514+ * Drop changes (upstreamed):
1515+ - d/p/ignore-quilt-dir: adjust build system so that it does not use
1516+ files find inside the .pc directory. This stops a double module load
1517+ causing later havoc, including "ChrootDir" directive failure.
1518+ - debian/patches/CVE-2013-6438.patch: properly calculate correct length
1519+ in modules/dav/main/util.c.
1520+ - debian/patches/CVE-2014-0098.patch: properly parse tokens in
1521+ modules/loggers/mod_log_config.c.
1522+ * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
1523+
1524+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 May 2014 19:30:04 +0000
1525+
1526 apache2 (2.4.9-1) unstable; urgency=medium
1527
1528 * New upstream version.
1529@@ -1113,6 +2319,63 @@ apache2 (2.4.9-1) unstable; urgency=medium
1530
1531 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +0100
1532
1533+apache2 (2.4.7-1ubuntu4) trusty; urgency=medium
1534+
1535+ * d/p/split-logfile.patch: fix completely broken split-logfile command
1536+ (LP: #1299162). Thanks to Holger Mauermann.
1537+
1538+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 03 Apr 2014 11:21:22 +0000
1539+
1540+apache2 (2.4.7-1ubuntu3) trusty; urgency=medium
1541+
1542+ * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
1543+ calculation
1544+ - debian/patches/CVE-2013-6438.patch: properly calculate correct length
1545+ in modules/dav/main/util.c.
1546+ - CVE-2013-6438
1547+ * SECURITY UPDATE: denial of service via truncated cookie and
1548+ mod_log_config
1549+ - debian/patches/CVE-2014-0098.patch: properly parse tokens in
1550+ modules/loggers/mod_log_config.c.
1551+ - CVE-2014-0098
1552+
1553+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Mar 2014 08:34:10 -0400
1554+
1555+apache2 (2.4.7-1ubuntu2) trusty; urgency=medium
1556+
1557+ * d/index.html: replace Debian with Ubuntu on default page
1558+ (LP: #1288690).
1559+
1560+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 19 Mar 2014 11:04:21 +0000
1561+
1562+apache2 (2.4.7-1ubuntu1) trusty; urgency=medium
1563+
1564+ * Merge from Debian unstable. Remaining changes:
1565+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1566+ apache2.dirs}: Add ufw profiles.
1567+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1568+ - d/control, d/config-dir/mods-available/ssl.conf,
1569+ d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase:
1570+ Plymouth aware passphrase dialog program ask-for-passphrase.
1571+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
1572+ to configure.
1573+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes
1574+ from upstream
1575+ - Build using lua5.2.
1576+ - d/tests/chroot: dep8 test for ChrootDir case.
1577+ - d/p/ignore-quilt-dir: adjust build system so that it does not use
1578+ files find inside the .pc directory. This stops a double module load
1579+ causing later havoc, including "ChrootDir" directive failure.
1580+ * Drop changes:
1581+ - debian/{control, rules}: Enable PIE hardening: no longer required;
1582+ 2.4.7-1 is already hardened.
1583+ - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved
1584+ out of this package.
1585+ * d/tests/ssl-passphrase: update for new default path /var/www/html.
1586+ * d/tests/duplicate-module-load: check for duplicate module loads.
1587+
1588+ -- Robie Basak <robie.basak@ubuntu.com> Tue, 14 Jan 2014 17:23:47 +0000
1589+
1590 apache2 (2.4.7-1) unstable; urgency=low
1591
1592 New upstream version
1593@@ -1176,6 +2439,53 @@ apache2 (2.4.6-3) unstable; urgency=low
1594
1595 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +0200
1596
1597+apache2 (2.4.6-2ubuntu4) trusty; urgency=low
1598+
1599+ * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so
1600+ that it does not use files find inside the .pc directory. This stops a
1601+ double module load causing later havoc, including "ChrootDir" directive
1602+ failure (LP: #1251939). Thanks to Stefan Fritsch.
1603+ * d/tests/chroot: dep8 test for ChrootDir case.
1604+
1605+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 Nov 2013 16:21:51 +0000
1606+
1607+apache2 (2.4.6-2ubuntu3) trusty; urgency=low
1608+
1609+ * debian/apache2.install: Correct path for ufw.
1610+ (LP: #1252722)
1611+
1612+ -- Chuck Short <zulcss@ubuntu.com> Tue, 19 Nov 2013 08:59:54 -0500
1613+
1614+apache2 (2.4.6-2ubuntu2) saucy; urgency=low
1615+
1616+ * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes
1617+ passphrase prompting for SSL certificates that are passphrase protected.
1618+ * Add dep8 test for SSL passphrase prompting.
1619+
1620+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 Aug 2013 13:08:52 +0000
1621+
1622+apache2 (2.4.6-2ubuntu1) saucy; urgency=low
1623+
1624+ * Merge from Debian unstable. Remaining changes:
1625+ - debian/{control, rules}: Enable PIE hardening.
1626+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1627+ apache2.dirs}: Add ufw profiles.
1628+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1629+ - debian/control, debian/config-dir/mods-available/ssl.conf,
1630+ debian/ask-for-passphrase, debian/apache2.install: Plymouth aware
1631+ passphrase dialog program ask-for-passphrase.
1632+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
1633+ to configure.
1634+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes
1635+ from upstream
1636+ * Dropped changes:
1637+ - debian/patches/CVE-2013-1896.patch: upstream
1638+ * Fixed module dependencies (LP: #1205314)
1639+ - debian/config-dir/mods-available/lbmethod_*: properly specify
1640+ proxy_balancer, not mod_proxy_balancer.
1641+
1642+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Jul 2013 08:31:33 -0400
1643+
1644 apache2 (2.4.6-2) unstable; urgency=low
1645
1646 [ Stefan Fritsch ]
1647@@ -1228,6 +2538,56 @@ apache2 (2.4.6-1) unstable; urgency=low
1648
1649 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +0200
1650
1651+apache2 (2.4.4-6ubuntu5) saucy; urgency=low
1652+
1653+ * SECURITY UPDATE: denial of service via MERGE request
1654+ - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
1655+ in modules/dav/main/mod_dav.c.
1656+ - CVE-2013-1896
1657+
1658+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Jul 2013 11:20:47 -0400
1659+
1660+apache2 (2.4.4-6ubuntu4) saucy; urgency=low
1661+
1662+ * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to
1663+ apache2-bin. apache2-utils is only suggested by apache2, so may not
1664+ always be installed by bug reporters. However, apache2-bin will always
1665+ need to be installed for Apache to be functional, so this is a better
1666+ place for the apport hook. apache2-bin already Conflicts/Replaces
1667+ apache2.2-common, so this also fixes (LP: #1199318).
1668+ * d/apache2.py: adjust apport hook for new location of configuration
1669+ files in apache2 >= 2.4: they have moved from apache2.2-common to
1670+ apache2.
1671+
1672+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 17 Jul 2013 17:54:22 +0000
1673+
1674+apache2 (2.4.4-6ubuntu3) saucy; urgency=low
1675+
1676+ * Build using lua5.2.
1677+
1678+ -- Matthias Klose <doko@ubuntu.com> Wed, 17 Jul 2013 14:24:42 +0200
1679+
1680+apache2 (2.4.4-6ubuntu2) saucy; urgency=low
1681+
1682+ * debian/rules: Fix FTBFS while installing ufw.
1683+
1684+ -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 10:10:14 -0500
1685+
1686+apache2 (2.4.4-6ubuntu1) saucy; urgency=low
1687+
1688+ * Merge from Debian unstable. Remaining changes:
1689+ - debian/{control, rules}: Enable PIE hardening.
1690+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1691+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1692+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1693+ Plymouth aware passphrase dialog program ask-for-passphrase.
1694+ * Dropped changes:
1695+ - debian/patches/CVE-2012-2687.patch: Dropped no longer needed.
1696+ - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed.
1697+ - debian/patches/CVE-2012-4929.patch: Dropped no longer needed.
1698+
1699+ -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 08:34:01 -0500
1700+
1701 apache2 (2.4.4-6) unstable; urgency=low
1702
1703 * Denote exact versions breaking gnome-user-share now that Gnome maintainers
1704@@ -1699,6 +3059,122 @@ apache2 (2.4.1-1) experimental; urgency=low
1705
1706 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +0100
1707
1708+apache2 (2.2.22-6ubuntu5) raring; urgency=low
1709+
1710+ * SECURITY UPDATE: multiple cross-site scripting issues
1711+ - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
1712+ modules/generators/{mod_info.c,mod_status.c},
1713+ modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
1714+ modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
1715+ - CVE-2012-3499
1716+ - CVE-2012-4558
1717+ * SECURITY UPDATE: symlink attack in apache2ctl script
1718+ - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
1719+ - Thanks to Stefan Fritsch for the fix.
1720+ - CVE-2013-1048
1721+
1722+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 15 Mar 2013 07:59:58 -0400
1723+
1724+apache2 (2.2.22-6ubuntu4) raring; urgency=low
1725+
1726+ * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
1727+ * Skip module sanity check between MPMs if cross-building without the
1728+ kernel/binfmt support to run our target binaries on the build system.
1729+ * Backport several cross fixes from upstream as 086_svn_cross_compiles.
1730+
1731+ -- Adam Conrad <adconrad@ubuntu.com> Wed, 05 Dec 2012 02:21:46 -0700
1732+
1733+apache2 (2.2.22-6ubuntu3) raring; urgency=low
1734+
1735+ * SECURITY UPDATE: XSS vulnerability in mod_negotiation
1736+ - debian/patches/CVE-2012-2687.patch: escape filenames in
1737+ modules/mappers/mod_negotiation.c.
1738+ - CVE-2012-2687
1739+ * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
1740+ - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
1741+ directive. Defaults to off as enabling compression enables the CRIME
1742+ attack.
1743+ - CVE-2012-4929
1744+
1745+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 08 Nov 2012 17:56:24 -0500
1746+
1747+apache2 (2.2.22-6ubuntu2) quantal; urgency=low
1748+
1749+ * debian/apache2.py
1750+ - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171)
1751+ - Check if this directory exists: /etc/apache2/sites-enabled/
1752+
1753+ -- Matthieu Baerts (matttbe) <matttbe@gmail.com> Mon, 16 Jul 2012 10:02:18 +0200
1754+
1755+apache2 (2.2.22-6ubuntu1) quantal; urgency=low
1756+
1757+ * Merge from Debian unstable. Remaining changes:
1758+ - debian/{control, rules}: Enable PIE hardening.
1759+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1760+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1761+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1762+ Plymouth aware passphrase dialog program ask-for-passphrase.
1763+ * Dropped changes:
1764+ - debian/control: Add bzr tag and point it to our tree; this is not
1765+ really required and just increases the delta.
1766+
1767+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 08 Jun 2012 11:37:31 +0100
1768+
1769+apache2 (2.2.22-6) unstable; urgency=low
1770+
1771+ [ Stefan Fritsch ]
1772+ * Fix regression causing apache2 to cache "206 partial content" responses,
1773+ and then serving these partial responses when replying to normal requests.
1774+ Closes: #671204
1775+ * Add section to security.conf that shows how to forbid access to VCS
1776+ directories. Closes: #548213
1777+ * Update ssl default cipher config, add alternative speed optimized config.
1778+ Closes: #649020
1779+ * Add "AddCharset" for .brf files in default mod_mime config.
1780+ Closes: #402567
1781+ * Don't create httpd.conf anymore and don't include it in apache2.conf. If
1782+ it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
1783+ * Port some of the comments in apache2.conf from the 2.4 package.
1784+ * Compile mod_version statically, drop associated module load file.
1785+ * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
1786+ configtest.
1787+ * Note in README.Debian that future versions of the package will have the
1788+ include statements changed to include only *.conf.
1789+ * Change compiled-in document root to /var/www, to avoid strange error
1790+ messages.
1791+ * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
1792+
1793+ [ Arno Töll ]
1794+ * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
1795+ to override LDFLAGS at compile time by defining LDLAGS in the environment,
1796+ just like it is possible for CFLAGS. This also means, config_vars.mk now
1797+ exports hardening build flags by default.
1798+ * Update doc-base metadata for the apache2-doc package.
1799+
1800+ -- Stefan Fritsch <sf@debian.org> Tue, 29 May 2012 22:05:48 +0200
1801+
1802+apache2 (2.2.22-5) unstable; urgency=low
1803+
1804+ * Make LoadFile and LoadModule look in the standard search paths if the
1805+ dso file name is given as a pure filename. This helps with the multi-arch
1806+ transition.
1807+
1808+ -- Stefan Fritsch <sf@debian.org> Mon, 30 Apr 2012 23:38:33 +0200
1809+
1810+apache2 (2.2.22-4) unstable; urgency=high
1811+
1812+ * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
1813+ hosts' config files.
1814+ If scripting modules like mod_php or mod_rivet are enabled on systems
1815+ where either 1) some frontend server forwards connections to an apache2
1816+ backend server on the localhost address, or 2) the machine running
1817+ apache2 is also used for web browsing, this could allow a remote
1818+ attacker to execute example scripts stored under /usr/share/doc.
1819+ Depending on the installed packages, this could lead to issues like cross
1820+ site scripting, code execution, or leakage of sensitive data.
1821+
1822+ -- Stefan Fritsch <sf@debian.org> Sun, 15 Apr 2012 23:41:43 +0200
1823+
1824 apache2 (2.2.22-3) unstable; urgency=low
1825
1826 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
1827@@ -1719,6 +3195,18 @@ apache2 (2.2.22-2) unstable; urgency=low
1828
1829 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +0100
1830
1831+apache2 (2.2.22-1ubuntu1) precise; urgency=low
1832+
1833+ * Merge from Debian testing. Remaining changes:
1834+ - debian/{control, rules}: Enable PIE hardening.
1835+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1836+ - debian/control: Add bzr tag and point it to our tree
1837+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1838+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1839+ Plymouth aware passphrase dialog program ask-for-passphrase.
1840+
1841+ -- Chuck Short <zulcss@ubuntu.com> Sun, 12 Feb 2012 20:06:35 -0500
1842+
1843 apache2 (2.2.22-1) unstable; urgency=low
1844
1845 [ Stefan Fritsch ]
1846@@ -1736,6 +3224,18 @@ apache2 (2.2.22-1) unstable; urgency=low
1847
1848 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +0100
1849
1850+apache2 (2.2.21-5ubuntu1) precise; urgency=low
1851+
1852+ * Merge from Debian testing. Remaining changes:
1853+ - debian/{control, rules}: Enable PIE hardening.
1854+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1855+ - debian/control: Add bzr tag and point it to our tree
1856+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1857+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1858+ Plymouth aware passphrase dialog program ask-for-passphrase.
1859+
1860+ -- Chuck Short <zulcss@ubuntu.com> Mon, 09 Jan 2012 06:26:31 +0000
1861+
1862 apache2 (2.2.21-5) unstable; urgency=low
1863
1864 [ Arno Töll ]
1865@@ -1789,6 +3289,26 @@ apache2 (2.2.21-4) unstable; urgency=low
1866
1867 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +0100
1868
1869+apache2 (2.2.21-3ubuntu2) precise; urgency=low
1870+
1871+ * d/ask-for-passphrase: Flip the logic of this script so that it checks
1872+ first to see if apache is being started from a TTY, and then if not,
1873+ tries plymouth. (LP: #887410)
1874+
1875+ -- Clint Byrum <clint@ubuntu.com> Tue, 06 Dec 2011 16:49:33 -0800
1876+
1877+apache2 (2.2.21-3ubuntu1) precise; urgency=low
1878+
1879+ * Merge from Debian testing. Remaining changes:
1880+ - debian/{control, rules}: Enable PIE hardening.
1881+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1882+ - debian/control: Add bzr tag and point it to our tree
1883+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1884+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1885+ Plymouth aware passphrase dialog program ask-for-passphrase.
1886+
1887+ -- Chuck Short <zulcss@ubuntu.com> Fri, 09 Dec 2011 05:20:43 +0000
1888+
1889 apache2 (2.2.21-3) unstable; urgency=medium
1890
1891 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
1892@@ -1803,6 +3323,24 @@ apache2 (2.2.21-3) unstable; urgency=medium
1893
1894 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +0100
1895
1896+apache2 (2.2.21-2ubuntu2) precise; urgency=low
1897+
1898+ * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
1899+
1900+ -- Adam Conrad <adconrad@ubuntu.com> Fri, 02 Dec 2011 17:36:28 -0700
1901+
1902+apache2 (2.2.21-2ubuntu1) precise; urgency=low
1903+
1904+ * Merge from debian unstable. Remaining changes:
1905+ - debian/{control, rules}: Enable PIE hardening.
1906+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1907+ - debian/control: Add bzr tag and point it to our tree
1908+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1909+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1910+ Plymouth aware passphrase dialog program ask-for-passphrase.
1911+
1912+ -- Chuck Short <zulcss@ubuntu.com> Fri, 14 Oct 2011 16:01:29 +0000
1913+
1914 apache2 (2.2.21-2) unstable; urgency=high
1915
1916 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
1917@@ -1820,6 +3358,19 @@ apache2 (2.2.21-1) unstable; urgency=low
1918
1919 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +0200
1920
1921+apache2 (2.2.20-1ubuntu1) oneiric; urgency=low
1922+
1923+ * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
1924+ Remaining changes:
1925+ - debian/{control, rules}: Enable PIE hardening.
1926+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1927+ - debian/control: Add bzr tag and point it to our tree
1928+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1929+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1930+ Plymouth aware passphrase dialog program ask-for-passphrase.
1931+
1932+ -- Steve Beattie <sbeattie@ubuntu.com> Tue, 06 Sep 2011 01:17:15 -0700
1933+
1934 apache2 (2.2.20-1) unstable; urgency=low
1935
1936 * New upstream release.
1937@@ -1842,6 +3393,18 @@ apache2 (2.2.19-2) unstable; urgency=high
1938
1939 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +0200
1940
1941+apache2 (2.2.19-1ubuntu1) oneiric; urgency=low
1942+
1943+ * Merge from debian unstable (LP: #787013). Remaining changes:
1944+ - debian/{control, rules}: Enable PIE hardening.
1945+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1946+ - debian/control: Add bzr tag and point it to our tree
1947+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1948+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1949+ Plymouth aware passphrase dialog program ask-for-passphrase.
1950+
1951+ -- Andres Rodriguez <andreserl@ubuntu.com> Mon, 23 May 2011 10:16:09 -0400
1952+
1953 apache2 (2.2.19-1) unstable; urgency=low
1954
1955 * New upstream release.
1956@@ -1859,6 +3422,18 @@ apache2 (2.2.19-1) unstable; urgency=low
1957
1958 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +0200
1959
1960+apache2 (2.2.17-3ubuntu1) oneiric; urgency=low
1961+
1962+ * Merge from debian unstable. Remaining changes:
1963+ - debian/{control, rules}: Enable PIE hardening.
1964+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1965+ - debian/control: Add bzr tag and point it to our tree
1966+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
1967+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1968+ Plymouth aware passphrase dialog program ask-for-passphrase.
1969+
1970+ -- Chuck Short <zulcss@ubuntu.com> Mon, 11 Apr 2011 02:13:30 +0100
1971+
1972 apache2 (2.2.17-3) unstable; urgency=low
1973
1974 * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
1975@@ -1885,6 +3460,18 @@ apache2 (2.2.17-2) unstable; urgency=high
1976
1977 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +0100
1978
1979+apache2 (2.2.17-1ubuntu1) natty; urgency=low
1980+
1981+ * Merge from debian unstable, remaining changes:
1982+ - debian/{control, rules}: Enable PIE hardening.
1983+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1984+ - debian/control: Add bzr tag and point it to our tree
1985+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
1986+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1987+ Plymouth aware passphrase dialog program ask-for-passphrase.
1988+
1989+ -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Feb 2011 13:02:08 -0500
1990+
1991 apache2 (2.2.17-1) unstable; urgency=low
1992
1993 * New upstream version
1994@@ -1893,6 +3480,32 @@ apache2 (2.2.17-1) unstable; urgency=low
1995
1996 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +0100
1997
1998+apache2 (2.2.16-6ubuntu3) natty; urgency=low
1999+
2000+ * debian/rules: Don't use "-fno-strict-aliasing" since it causes
2001+ apache FTBFS on amd64. (LP: #711293)
2002+
2003+ -- Chuck Short <zulcss@ubuntu.com> Tue, 01 Feb 2011 10:19:55 -0500
2004+
2005+apache2 (2.2.16-6ubuntu2) natty; urgency=low
2006+
2007+ * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug.
2008+ (LP: #697105)
2009+
2010+ -- Chuck Short <zulcss@ubuntu.com> Tue, 25 Jan 2011 11:14:58 -0500
2011+
2012+apache2 (2.2.16-6ubuntu1) natty; urgency=low
2013+
2014+ * Merge from debian unstable. Remaining changes:
2015+ - debian/{control, rules}: Enable PIE hardening.
2016+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2017+ - debian/control: Add bzr tag and point it to our tree
2018+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
2019+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2020+ Plymouth aware passphrase dialog program ask-for-passphrase.
2021+
2022+ -- Chuck Short <zulcss@ubuntu.com> Sun, 02 Jan 2011 06:05:51 +0000
2023+
2024 apache2 (2.2.16-6) unstable; urgency=low
2025
2026 * Also add $named to the secondary-init-script example.
2027@@ -1908,6 +3521,30 @@ apache2 (2.2.16-5) unstable; urgency=medium
2028
2029 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +0100
2030
2031+apache2 (2.2.16-4ubuntu2) natty; urgency=low
2032+
2033+ [Clint Byrum]
2034+ * Adding plymouth aware passphrase dialog program ask-for-passphrase.
2035+ (LP: #582963)
2036+ + debian/control: apache2.2-common depends on bash for ask-for-passphrase
2037+ + debian/config-dir/mods-available/ssl.conf:
2038+ - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase
2039+
2040+ [Chuck Short]
2041+ * Add apport hook. (LP: #609177)
2042+ + debian/apache2.py, debian/apache2.2-common.install
2043+
2044+ -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:43 -0500
2045+
2046+apache2 (2.2.16-4ubuntu1) natty; urgency=low
2047+
2048+ * Merge from debian unstable. Remaining changes:
2049+ - debian/{control, rules}: Enable PIE hardening.
2050+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2051+ - debian/control: Add bzr tag and point it to our tree
2052+
2053+ -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:41 -0500
2054+
2055 apache2 (2.2.16-4) unstable; urgency=medium
2056
2057 * Increase the mod_reqtimeout default timeouts to avoid potential problems
2058@@ -1918,6 +3555,15 @@ apache2 (2.2.16-4) unstable; urgency=medium
2059
2060 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +0100
2061
2062+apache2 (2.2.16-3ubuntu1) natty; urgency=low
2063+
2064+ * Merge from debian unstable. Remaining changes:
2065+ - debian/{control, rules}: Enable PIE hardening.
2066+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2067+ - debian/control: Add bzr tag and point it to our tree.
2068+
2069+ -- Chuck Short <zulcss@ubuntu.com> Tue, 12 Oct 2010 11:54:48 +0100
2070+
2071 apache2 (2.2.16-3) unstable; urgency=high
2072
2073 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
2074@@ -1940,6 +3586,30 @@ apache2 (2.2.16-2) unstable; urgency=low
2075
2076 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +0200
2077
2078+apache2 (2.2.16-1ubuntu3) maverick; urgency=low
2079+
2080+ * Revert "stty sane" to unbreak apache starting, this will have to be
2081+ fixed a different way. (LP: #626723)
2082+
2083+ -- Chuck Short <zulcss@ubuntu.com> Wed, 08 Sep 2010 08:33:17 -0400
2084+
2085+apache2 (2.2.16-1ubuntu2) maverick; urgency=low
2086+
2087+ * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a
2088+ password prompt when using apache-ssl. (LP: #582963)
2089+
2090+ -- Chuck Short <zulcss@ubuntu.com> Wed, 25 Aug 2010 09:25:05 -0400
2091+
2092+apache2 (2.2.16-1ubuntu1) maverick; urgency=low
2093+
2094+ * Merge from debian unstable. Remaining changes:
2095+ - debian/{control, rules}: Enable PIE hardening.
2096+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2097+ - debian/control: Add bzr tag and point it to our tree.
2098+ - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
2099+
2100+ -- Chuck Short <zulcss@ubuntu.com> Mon, 26 Jul 2010 20:21:37 +0100
2101+
2102 apache2 (2.2.16-1) unstable; urgency=medium
2103
2104 * Urgency medium for security fix.
2105@@ -1972,6 +3642,24 @@ apache2 (2.2.15-6) unstable; urgency=low
2106
2107 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +0200
2108
2109+apache2 (2.2.15-5ubuntu1) maverick; urgency=low
2110+
2111+ * Merge from debian unstable. Remaining changes:
2112+ - debian/{control, rules}: Enable PIE hardening.
2113+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2114+ - debian/control: Add bzr tag and point it to our tree.
2115+ - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
2116+ + Dropped:
2117+ - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
2118+ - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
2119+ - debian/config-dir/apache2.conf: Merged back from debian.
2120+ - mod-reqtimeout functionality: Merge back from debian.
2121+ - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
2122+ - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
2123+ - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.
2124+
2125+ -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 01:28:04 +0100
2126+
2127 apache2 (2.2.15-5) unstable; urgency=low
2128
2129 * Conflict with apache package as we now include apachectl. Closes: #579065
2130@@ -2092,6 +3780,80 @@ apache2 (2.2.14-6) unstable; urgency=low
2131
2132 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +0100
2133
2134+apache2 (2.2.14-5ubuntu8) lucid; urgency=low
2135+
2136+ * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
2137+ (LP: #562370)
2138+
2139+ -- Chuck Short <zulcss@ubuntu.com> Tue, 13 Apr 2010 15:09:57 -0400
2140+
2141+apache2 (2.2.14-5ubuntu7) lucid; urgency=low
2142+
2143+ * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
2144+ leaks by making sure to not destroy bucket brigades that have been created
2145+ by earlier filters. Backported from 2.2.15.
2146+ * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
2147+ has reached MaxClients until it has. Backported from 2.2.15
2148+ * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
2149+ more secure by adding Satisfy all. (Debian bug: #572075)
2150+ * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
2151+ debian/config2-dir/mods-available/reqtimeout.load,
2152+ debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the
2153+ mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
2154+ bug in apache. Enable it by default. (LP: #392759)
2155+
2156+ -- Chuck Short <zulcss@ubuntu.com> Mon, 05 Apr 2010 09:53:35 -0400
2157+
2158+apache2 (2.2.14-5ubuntu6) lucid; urgency=low
2159+
2160+ * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)
2161+
2162+ -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 09:41:11 -0400
2163+
2164+apache2 (2.2.14-5ubuntu5) lucid; urgency=low
2165+
2166+ * Revert 99-fix-mod-dav-permissions.dpatch
2167+
2168+ -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 07:55:46 -0400
2169+
2170+apache2 (2.2.14-5ubuntu4) lucid; urgency=low
2171+
2172+ * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when
2173+ downloading files from webdav (LP: #540747)
2174+ * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)
2175+
2176+ -- Chuck Short <zulcss@ubuntu.com> Mon, 29 Mar 2010 13:37:39 -0400
2177+
2178+apache2 (2.2.14-5ubuntu3) lucid; urgency=low
2179+
2180+ * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
2181+ - debian/patches/204_CVE-2010-0408.dpatch: return the right error code
2182+ in modules/proxy/mod_proxy_ajp.c.
2183+ - CVE-2010-0408
2184+ * SECURITY UPDATE: information disclosure via improper handling of
2185+ headers in subrequests
2186+ - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in
2187+ in server/protocol.c.
2188+ - CVE-2010-0434
2189+
2190+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Mar 2010 14:48:48 -0500
2191+
2192+apache2 (2.2.14-5ubuntu2) lucid; urgency=low
2193+
2194+ * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really
2195+ wacky options. (LP: #450501)
2196+
2197+ -- Chuck Short <zulcss@ubuntu.com> Mon, 08 Mar 2010 14:53:17 -0500
2198+
2199+apache2 (2.2.14-5ubuntu1) lucid; urgency=low
2200+
2201+ * Merge from debian testing. Remaining changes: LP: #506862
2202+ - debian/{control, rules}: Enable PIE hardening.
2203+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2204+ - debian/control: Add bzr tag and point it to our tree.
2205+
2206+ -- Bhavani Shankar <right2bhavi@gmail.com> Wed, 13 Jan 2010 14:28:41 +0530
2207+
2208 apache2 (2.2.14-5) unstable; urgency=low
2209
2210 * Security: Further mitigation for the TLS renegotation attack
2211@@ -2115,6 +3877,15 @@ apache2 (2.2.14-5) unstable; urgency=low
2212
2213 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +0100
2214
2215+apache2 (2.2.14-4ubuntu1) lucid; urgency=low
2216+
2217+ * Resynchronzie with Debian, remaining changes are:
2218+ - debian/{control, rules}: Enable PIE hardening.
2219+ - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
2220+ - debian/control: Add bzr tag and point it to our tree.
2221+
2222+ -- Chuck Short <zulcss@ubuntu.com> Wed, 23 Dec 2009 14:44:51 -0500
2223+
2224 apache2 (2.2.14-4) unstable; urgency=low
2225
2226 * Disable localized error pages again by default because they break
2227@@ -2165,6 +3936,17 @@ apache2 (2.2.14-2) unstable; urgency=medium
2228
2229 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +0100
2230
2231+apache2 (2.2.14-1ubuntu1) lucid; urgency=low
2232+
2233+ * Merge from debian testing, remaining changes:
2234+ - debian/{control, rules}: Enable PIE hardening.
2235+ - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
2236+ - debian/conrol: Add bzr tag and point it to our tree.
2237+ - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
2238+ Already applied upstream.
2239+
2240+ -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 00:29:03 +0000
2241+
2242 apache2 (2.2.14-1) unstable; urgency=low
2243
2244 * New upstream version:
2245@@ -2199,6 +3981,24 @@ apache2 (2.2.13-1) unstable; urgency=low
2246
2247 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +0200
2248
2249+apache2 (2.2.12-1ubuntu2) karmic; urgency=low
2250+
2251+ * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
2252+ - Fix potential segfaults with the use of the legacy ap_rputs() etc
2253+ interfaces, in cases where an output filter fails. This happens
2254+ frequently after CVE-2009-1891 got fixed. (LP: #409987)
2255+
2256+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 17 Aug 2009 15:38:47 -0400
2257+
2258+apache2 (2.2.12-1ubuntu1) karmic; urgency=low
2259+
2260+ * Merge from debian unstable, remaining changes:
2261+ - debian/{control,rules}: enable PIE hardening.
2262+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2263+ - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.
2264+
2265+ -- Chuck Short <zulcss@ubuntu.com> Tue, 04 Aug 2009 20:04:24 +0100
2266+
2267 apache2 (2.2.12-1) unstable; urgency=low
2268
2269 * New upstream release:
2270@@ -2246,6 +4046,16 @@ apache2 (2.2.12-1) unstable; urgency=low
2271
2272 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +0200
2273
2274+apache2 (2.2.11-7ubuntu1) karmic; urgency=low
2275+
2276+ * Merge from debian unstable, remaining changes: LP: #398130
2277+ - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
2278+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2279+ - debian/{control,rules}: enable PIE hardening.
2280+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2281+
2282+ -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 11 Jul 2009 16:34:32 +0530
2283+
2284 apache2 (2.2.11-7) unstable; urgency=low
2285
2286 * Security fixes:
2287@@ -2260,6 +4070,16 @@ apache2 (2.2.11-7) unstable; urgency=low
2288
2289 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +0200
2290
2291+apache2 (2.2.11-6ubuntu1) karmic; urgency=low
2292+
2293+ * Merge from debian unstable, remaining changes:
2294+ - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
2295+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2296+ - debian/{control,rules}: enable PIE hardening.
2297+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2298+
2299+ -- Chuck Short <zulcss@ubuntu.com> Tue, 09 Jun 2009 01:01:23 +0100
2300+
2301 apache2 (2.2.11-6) unstable; urgency=high
2302
2303 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
2304@@ -2268,6 +4088,16 @@ apache2 (2.2.11-6) unstable; urgency=high
2305
2306 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +0200
2307
2308+apache2 (2.2.11-5ubuntu1) karmic; urgency=low
2309+
2310+ * Merge from debian unstable, remaining changes:
2311+ - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2312+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2313+ - debian/{control,rules}: enable PIE hardening.
2314+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2315+
2316+ -- Andrew Mitchell <ajmitch@ubuntu.com> Wed, 03 Jun 2009 14:10:54 +1200
2317+
2318 apache2 (2.2.11-5) unstable; urgency=low
2319
2320 * Move all binaries into a new package apache2.2-bin and make
2321@@ -2316,6 +4146,16 @@ apache2 (2.2.11-4) unstable; urgency=low
2322
2323 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +0200
2324
2325+apache2 (2.2.11-3ubuntu1) karmic; urgency=low
2326+
2327+ * Merge from debian unstable, remaining changes:
2328+ - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2329+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2330+ - debian/{control,rules}: enable PIE hardening.
2331+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2332+
2333+ -- Andrew Mitchell <ajmitch@ubuntu.com> Tue, 12 May 2009 16:15:34 +1200
2334+
2335 apache2 (2.2.11-3) unstable; urgency=low
2336
2337 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
2338@@ -2324,6 +4164,21 @@ apache2 (2.2.11-3) unstable; urgency=low
2339
2340 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +0200
2341
2342+apache2 (2.2.11-2ubuntu2) jaunty; urgency=low
2343+
2344+ * debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2345+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2346+
2347+ -- Chuck Short <zulcss@ubuntu.com> Wed, 01 Apr 2009 11:39:17 -0400
2348+
2349+apache2 (2.2.11-2ubuntu1) jaunty; urgency=low
2350+
2351+ * Merge from debian unstable, remaining changes:
2352+ - debian/{contro,rules}: enable PIE hardening.
2353+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2354+
2355+ -- Chuck Short <zulcss@ubuntu.com> Sat, 17 Jan 2009 00:02:55 +0000
2356+
2357 apache2 (2.2.11-2) unstable; urgency=low
2358
2359 * Report an error instead instead of segfaulting when apr_pollset_create
2360@@ -2333,6 +4188,14 @@ apache2 (2.2.11-2) unstable; urgency=low
2361
2362 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +0100
2363
2364+apache2 (2.2.11-1ubuntu1) jaunty; urgency=low
2365+
2366+ * Merge from debian unstable, remaining changes:
2367+ - debian/{control, rules}: enable PIE hardening.
2368+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2369+
2370+ -- Chuck Short <zulcss@ubuntu.com> Mon, 15 Dec 2008 00:06:50 +0000
2371+
2372 apache2 (2.2.11-1) unstable; urgency=low
2373
2374 [Thom May]
2375@@ -2347,6 +4210,14 @@ apache2 (2.2.11-1) unstable; urgency=low
2376
2377 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +0100
2378
2379+apache2 (2.2.9-11ubuntu1) jaunty; urgency=low
2380+
2381+ * Merge from debian unstable, remaining changes: (LP: #303375)
2382+ - debian/{control, rules}: enable PIE hardening.
2383+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2384+
2385+ -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 29 Nov 2008 14:02:31 +0530
2386+
2387 apache2 (2.2.9-11) unstable; urgency=low
2388
2389 * Regression fix from upstream svn for mod_proxy:
2390@@ -2361,6 +4232,14 @@ apache2 (2.2.9-11) unstable; urgency=low
2391
2392 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +0100
2393
2394+apache2 (2.2.9-10ubuntu1) jaunty; urgency=low
2395+
2396+ * Merge from debian unstable, remaining changes:
2397+ - debian/{control, rules}: enable PIE hardening.
2398+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2399+
2400+ -- Chuck Short <zulcss@ubuntu.com> Wed, 05 Nov 2008 02:23:18 -0400
2401+
2402 apache2 (2.2.9-10) unstable; urgency=low
2403
2404 * Regression fix from upstream svn for mod_proxy_http:
2405@@ -2391,6 +4270,27 @@ apache2 (2.2.9-8) unstable; urgency=low
2406
2407 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +0200
2408
2409+apache2 (2.2.9-7ubuntu3) intrepid; urgency=low
2410+
2411+ * Revert logrotate change since it will break it for everyone.
2412+
2413+ -- Chuck Short <zulcss@ubuntu.com> Fri, 19 Sep 2008 09:32:01 -0400
2414+
2415+apache2 (2.2.9-7ubuntu2) intrepid; urgency=low
2416+
2417+ * debian/logrotate: Restart rather than reload for busy websites.
2418+ (LP: #270899)
2419+
2420+ -- Chuck Short <zulcss@ubuntu.com> Thu, 18 Sep 2008 08:42:22 -0400
2421+
2422+apache2 (2.2.9-7ubuntu1) intrepid; urgency=low
2423+
2424+ * Merge from debian unstable, remaining changes:
2425+ - debian/{control,rules}: enable PIE hardening.
2426+ - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles.
2427+
2428+ -- Kees Cook <kees@ubuntu.com> Thu, 28 Aug 2008 08:10:59 -0700
2429+
2430 apache2 (2.2.9-7) unstable; urgency=low
2431
2432 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).
2433@@ -2433,6 +4333,23 @@ apache2 (2.2.9-4) unstable; urgency=low
2434
2435 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +0200
2436
2437+apache2 (2.2.9-3ubuntu2) intrepid; urgency=low
2438+
2439+ * add ufw integration (see
2440+ https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages)
2441+ (LP: #261198)
2442+ - debian/control: suggest ufw for apache2.2-common
2443+ - add apache2.2-common.ufw.profile with 3 profiles and install it to
2444+ /etc/ufw/applications.d/apache2.2-common
2445+
2446+ -- Didier Roche <didrocks@ubuntu-fr.org> Tue, 26 Aug 2008 19:03:42 +0200
2447+
2448+apache2 (2.2.9-3ubuntu1) intrepid; urgency=low
2449+
2450+ * debian/{control,rules}: enable PIE hardening
2451+
2452+ -- Kees Cook <kees@ubuntu.com> Wed, 20 Aug 2008 15:45:00 -0700
2453+
2454 apache2 (2.2.9-3) unstable; urgency=low
2455
2456 [ Stefan Fritsch ]
2457@@ -4003,9 +5920,7 @@ apache2 (2.0.37-1) unstable; urgency=low
2458 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +0100
2459
2460 apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low
2461-
2462 * New upstream release
2463-
2464 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +0100
2465
2466 apache2 (2.0.36-2) unstable; urgency=low
2467@@ -4513,3 +6428,4 @@ apache2 (2.0.18-1) unstable; urgency=low
2468 * Initial Release.
2469
2470 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +1000
2471+
2472diff --git a/debian/control b/debian/control
2473index 5465d60..c80d798 100644
2474--- a/debian/control
2475+++ b/debian/control
2476@@ -1,5 +1,6 @@
2477 Source: apache2
2478-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
2479+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
2480+XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
2481 Uploaders: Stefan Fritsch <sf@debian.org>,
2482 Arno Töll <arno@debian.org>,
2483 Ondřej Surý <ondrej@debian.org>,
2484@@ -44,7 +45,8 @@ Depends: apache2-bin (= ${binary:Version}),
2485 Recommends: ssl-cert
2486 Suggests: apache2-doc,
2487 apache2-suexec-pristine | apache2-suexec-custom,
2488- www-browser
2489+ www-browser,
2490+ ufw
2491 Pre-Depends: ${misc:Pre-Depends}
2492 Conflicts: apache2.2-bin,
2493 apache2.2-common
2494diff --git a/debian/icons/ubuntu-logo.png b/debian/icons/ubuntu-logo.png
2495new file mode 100644
2496index 0000000..4db2fa1
2497Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ
2498diff --git a/debian/index.html b/debian/index.html
2499index 766401d..96ed444 100644
2500--- a/debian/index.html
2501+++ b/debian/index.html
2502@@ -1,9 +1,14 @@
2503
2504 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2505 <html xmlns="http://www.w3.org/1999/xhtml">
2506+ <!--
2507+ Modified from the Debian original for Ubuntu
2508+ Last updated: 2016-11-16
2509+ See: https://launchpad.net/bugs/1288690
2510+ -->
2511 <head>
2512 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
2513- <title>Apache2 Debian Default Page: It works</title>
2514+ <title>Apache2 Ubuntu Default Page: It works</title>
2515 <style type="text/css" media="screen">
2516 * {
2517 margin: 0px 0px 0px 0px;
2518@@ -188,9 +193,9 @@
2519 <body>
2520 <div class="main_page">
2521 <div class="page_header floating_element">
2522- <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/>
2523+ <img src="/icons/ubuntu-logo.png" alt="Ubuntu Logo" class="floating_element"/>
2524 <span class="floating_element">
2525- Apache2 Debian Default Page
2526+ Apache2 Ubuntu Default Page
2527 </span>
2528 </div>
2529 <!-- <div class="table_of_contents floating_element">
2530@@ -221,7 +226,9 @@
2531 <div class="content_section_text">
2532 <p>
2533 This is the default welcome page used to test the correct
2534- operation of the Apache2 server after installation on Debian systems.
2535+ operation of the Apache2 server after installation on Ubuntu systems.
2536+ It is based on the equivalent page on Debian, from which the Ubuntu Apache
2537+ packaging is derived.
2538 If you can read this page, it means that the Apache HTTP server installed at
2539 this site is working properly. You should <b>replace this file</b> (located at
2540 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.
2541@@ -242,9 +249,9 @@
2542 </div>
2543 <div class="content_section_text">
2544 <p>
2545- Debian's Apache2 default configuration is different from the
2546+ Ubuntu's Apache2 default configuration is different from the
2547 upstream default configuration, and split into several files optimized for
2548- interaction with Debian tools. The configuration system is
2549+ interaction with Ubuntu tools. The configuration system is
2550 <b>fully documented in
2551 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full
2552 documentation. Documentation for the web server itself can be
2553@@ -253,7 +260,7 @@
2554
2555 </p>
2556 <p>
2557- The configuration layout for an Apache2 web server installation on Debian systems is as follows:
2558+ The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:
2559 </p>
2560 <pre>
2561 /etc/apache2/
2562@@ -324,7 +331,7 @@
2563
2564 <div class="content_section_text">
2565 <p>
2566- By default, Debian does not allow access through the web browser to
2567+ By default, Ubuntu does not allow access through the web browser to
2568 <em>any</em> file apart of those located in <tt>/var/www</tt>,
2569 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
2570 directories (when enabled) and <tt>/usr/share</tt> (for web
2571@@ -333,7 +340,7 @@
2572 document root directory in <tt>/etc/apache2/apache2.conf</tt>.
2573 </p>
2574 <p>
2575- The default Debian document root is <tt>/var/www/html</tt>. You
2576+ The default Ubuntu document root is <tt>/var/www/html</tt>. You
2577 can make your own virtual hosts under /var/www. This is different
2578 to previous releases which provides better security out of the box.
2579 </p>
2580@@ -345,9 +352,9 @@
2581 </div>
2582 <div class="content_section_text">
2583 <p>
2584- Please use the <tt>reportbug</tt> tool to report bugs in the
2585- Apache2 package with Debian. However, check <a
2586- href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"
2587+ Please use the <tt>ubuntu-bug</tt> tool to report bugs in the
2588+ Apache2 package with Ubuntu. However, check <a
2589+ href="https://bugs.launchpad.net/ubuntu/+source/apache2"
2590 rel="nofollow">existing bug reports</a> before reporting a new bug.
2591 </p>
2592 <p>
2593diff --git a/debian/source/include-binaries b/debian/source/include-binaries
2594index d617b1d..823d9c0 100644
2595--- a/debian/source/include-binaries
2596+++ b/debian/source/include-binaries
2597@@ -17,6 +17,7 @@ debian/icons/odf6otp-20x22.png
2598 debian/icons/odf6ots-20x22.png
2599 debian/icons/odf6ott-20x22.png
2600 debian/icons/openlogo-75.png
2601+debian/icons/ubuntu-logo.png
2602 debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml
2603 debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php
2604 debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml

Subscribers

People subscribed via source and target branches