Ubuntu
apache2 package

Merge ~bryce/ubuntu/+source/apache2:merge-v2.4.53-2-kinetic into ubuntu/+source/apache2:debian/sid

Proposed by Bryce Harrington on 2022-05-23

Status:

Merged

Merge reported by:

Bryce Harrington

Merged at revision:

664141ab1914122240001fcb45ec825ee3147bd8

Proposed branch:

~bryce/ubuntu/+source/apache2:merge-v2.4.53-2-kinetic

Merge into:

ubuntu/+source/apache2:debian/sid

Diff against target:

2824 lines (+2129/-60)

10 files modified

debian/apache2-bin.install (+1/-0)
debian/apache2-utils.ufw.profile (+14/-0)
debian/apache2.dirs (+1/-0)
debian/apache2.install (+1/-0)
debian/apache2.postrm (+2/-0)
debian/apache2.py (+48/-0)
debian/changelog (+2006/-2)
debian/control (+4/-2)
debian/index.html (+51/-56)
debian/source/include-binaries (+1/-0)

Related bugs:

Bug #1971248: Merge apache2 from Debian unstable for kinetic	Undecided	Fix Released
Bug #1974251: libapache2-mod-shib module doesn't work with 2.4.52	Undecided	In Progress

Link a bug report

Reviewer	Date Requested	Status
Andreas Hasenack	2022-05-23	Approve on 2022-05-25
Canonical Server	2022-05-23	Pending
git-ubuntu import	2022-05-23	Pending
Review via email: mp+423205@code.launchpad.net

Description of the change

Merge with Debian's package. I summarized some of the recent changes in the ubuntu delta, and could go further in simplifying the changelog entry if you think it'd make sense, but have left it a bit on the verbose side for now.

Usual tags pushed for review:
  - tags/old/debian 365005afd
  - tags/new/debian 4f279c271
  - tags/old/ubuntu 4a109d807
  - tags/logical/2.4.52-1ubuntu4 3c6ba5780
  - tags/reconstruct/2.4.52-1ubuntu4 b9d7f3345
  - tags/split/2.4.52-1ubuntu4 c162ba5f1

I've verified it builds locally and the autopkgtests pass. PPA is still building but should be up shortly.

PPA: https://launchpad.net/~bryce/+archive/ubuntu/apache2-merge-v2.4.53-2/+packages

autopkgtest [02:49:05]: @@@@@@@@@@@@@@@@@@@@ summary
run-test-suite SKIP Test breaks testbed but testbed does not provide revert-full-system
ssl-passphrase SKIP Test breaks testbed but testbed does not provide revert-full-system
check-http2 SKIP Test breaks testbed but testbed does not provide revert-full-system
chroot SKIP Test breaks testbed but testbed does not provide revert-full-system
duplicate-module-load PASS
default-mods PASS
htcacheclean PASS

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2022-05-25:

You could squash together these 3 commits if you want, to make the delta simpler/smaller:

commit ee14fcd7ad2a6e0f7dfa4b05d20bc8687c2474bf
Author: Bryce Harrington <email address hidden>
Date: Fri May 20 14:12:41 2022 -0700

- d/apache2.postrm: Include md5 sum for updated index.html

commit 998d8b823b2cbc61d06d46dca2dc602fed87a93a
Author: Bryce Harrington <email address hidden>
Date: Fri May 20 14:12:44 2022 -0700

        - d/index.html, d/icons/ubuntu-logo.png: Refresh page design and
          new logo
          (LP: 1966004)

commit 7315771f7f353b1ca92fac1c85b3bdf7208e97ed
Author: Bryce Harrington <email address hidden>
Date: Wed Feb 2 19:12:23 2022 -0800

        - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
          d/s/include-binaries: replace Debian with Ubuntu on default
          page and add Ubuntu icon file.
          (LP 1288690)

But it's also ok as is, I'm fine either way.

Note that the PPA builds failed, but I haven't seen a clear error. In fact, the logs says:

"""
Build finished at 2022-05-25T18:56:10Z

Finished
--------

I: Built successfully
"""

+1 if it's just some transient error in LP and a retry fixes it.

review: Approve

Revision history for this message

Bryce Harrington (bryce) wrote on 2022-06-02:

Thanks for the review. Sorry took a while to reply but wanted to investigate the build failures. You're right though, there's no actual error messages, and tellingly it passes on some arch's but not all. Maybe LP was having a bad day? Flaky tests triggered during build? I've kicked off rebuilds, and am attempting a build locally. If any of that still doesn't pass I'll investigate further, else will upload.

Revision history for this message

Utkarsh Gupta (utkarsh) wrote on 2022-06-03:

OT: there are more comments at LP: #1974251, do take a look, please. Thank you! :D

Revision history for this message

Bryce Harrington (bryce) wrote on 2022-06-03:

Interesting, the rebuild worked, I'll go ahead and upload. Odd.

Revision history for this message

Bryce Harrington (bryce) wrote on 2022-06-03:

Regarding LP: #1974251, I dropped mention of that from the merge changelog since it's not clear what exactly fixed the user's problem, and whether there's additional packaging adjustments needed.

Revision history for this message

Bryce Harrington (bryce) wrote on 2022-06-03:

Uploaded:

Checking signature on .changes
gpg: ../apache2_2.4.53-2ubuntu1_source.changes: Valid signature from E603B2578FB8F0FB
Checking signature on .dsc
gpg: ../apache2_2.4.53-2ubuntu1.dsc: Valid signature from E603B2578FB8F0FB
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.53-2ubuntu1.dsc: done.
  Uploading apache2_2.4.53.orig.tar.gz: done.
  Uploading apache2_2.4.53-2ubuntu1.debian.tar.xz: done.
  Uploading apache2_2.4.53-2ubuntu1_source.buildinfo: done.
  Uploading apache2_2.4.53-2ubuntu1_source.changes: done.
Successfully uploaded packages.

Revision history for this message

Bryce Harrington (bryce) wrote on 2022-06-08:

This has migrated

$ rmad apache2
apache2 | 2.4.52-1ubuntu4 | jammy
apache2 | 2.4.53-2ubuntu1 | kinetic

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Bryce Harrington

git-ubuntu developers

 diff --git a/debian/apache2-bin.install b/debian/apache2-bin.install
 index 63c573f..3d1bdf1 100644
 --- a/debian/apache2-bin.install
 +++ b/debian/apache2-bin.install
@@ -1,2 +1,3 @@
  /usr/lib/apache2/modules/
  /usr/sbin/apache2
++debian/apache2.py usr/share/apport/package-hooks
 diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile
 new file mode 100644
 index 0000000..974a655
 --- /dev/null
 +++ b/debian/apache2-utils.ufw.profile
@@ -0,0 +1,14 @@
++[Apache]
++title=Web Server
++description=Apache v2 is the next generation of the omnipresent Apache web server.
++ports=80/tcp
++
++[Apache Secure]
++title=Web Server (HTTPS)
++description=Apache v2 is the next generation of the omnipresent Apache web server.
++ports=443/tcp
++
++[Apache Full]
++title=Web Server (HTTP,HTTPS)
++description=Apache v2 is the next generation of the omnipresent Apache web server.
++ports=80,443/tcp
 diff --git a/debian/apache2.dirs b/debian/apache2.dirs
 index 6089013..1aa6d3c 100644
 --- a/debian/apache2.dirs
 +++ b/debian/apache2.dirs
@@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk
  var/lib/apache2
  var/log/apache2
  var/www/html
++/etc/ufw/applications.d/apache2
 diff --git a/debian/apache2.install b/debian/apache2.install
 index b6ad789..92865fc 100644
 --- a/debian/apache2.install
 +++ b/debian/apache2.install
@@ -8,3 +8,4 @@ debian/config-dir/*.conf			/etc/apache2
  debian/config-dir/envvars			/etc/apache2
  debian/config-dir/magic				/etc/apache2
  debian/debhelper/apache2-maintscript-helper	/usr/share/apache2/
++debian/apache2-utils.ufw.profile /etc/ufw/applications.d/
 diff --git a/debian/apache2.postrm b/debian/apache2.postrm
 index a68583c..4a22601 100644
 --- a/debian/apache2.postrm
 +++ b/debian/apache2.postrm
@@ -33,6 +33,8 @@ is_default_index_html () {
 a94e5a174dc2396c0f3f6b6a74
  		c481228d439cbb54bdcedbaec5bbb11a
  		e2620d4a5a0f8d80dd4b16de59af981f
++		3526531ccd6c6a1d2340574a305a18f8
++		720999b43a3be0674180354ac41f20b1
  	EOF
+ }
 diff --git a/debian/apache2.py b/debian/apache2.py
 new file mode 100644
 index 0000000..a9fb9d8
 --- /dev/null
 +++ b/debian/apache2.py
@@ -0,0 +1,48 @@
++#!/usr/bin/python
++
++'''apport hook for apache2
++
++(c) 2010 Adam Sommer.
++Author: Adam Sommer <asommer@ubuntu.com>
++
++This program is free software; you can redistribute it and/or modify it
++under the terms of the GNU General Public License as published by the
++Free Software Foundation; either version 2 of the License, or (at your
++option) any later version.  See http://www.gnu.org/copyleft/gpl.html for
++the full text of the license.
++'''
++
++from apport.hookutils import *
++import os
++
++SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/'
++
++def add_info(report, ui):
++    if os.path.isdir(SITES_ENABLED_DIR):
++        response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory "
++                            "may help developers diagnose your bug more "
++                            "quickly.  However, it may contain sensitive "
++                            "information.  Do you want to include it in your "
++                            "bug report?")
++
++        if response == None: # user cancelled
++            raise StopIteration
++
++        elif response == True:
++            # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d
++            for conf_file in os.listdir(SITES_ENABLED_DIR):
++                attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file)
++
++    try:
++        report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d'))
++    except OSError:
++        report['Apache2ConfdDirListing'] = str(False)
++
++    # Attach default config files if changed.
++    attach_conffiles(report, 'apache2', conffiles=None)
++
++    # Attach the error.log file.
++    attach_file(report, '/var/log/apache2/error.log', key='error.log')
++
++    # Get loaded modules.
++    report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES'])
 diff --git a/debian/changelog b/debian/changelog
 index 019b5b1..b999d65 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,45 @@
++apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1971248). Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++      (LP 261198)
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++      (LP 609177)
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
++      d/s/include-binaries: replace Debian with Ubuntu on default
++      page and add Ubuntu icon file.
++      (LP 1288690)
++    - d/index.html, d/icons/ubuntu-logo.png:  Refresh page design and
++      new logo
++      (LP 1966004)
++    - d/apache2.postrm: Include md5 sum for updated index.html
++  * Dropped:
++    - OOB read in mod_lua via crafted request body
++      + d/p/CVE-2022-22719.patch: error out if lua_read_body() or
++        lua_write_body() fail in modules/lua/lua_request.c.
++      [Fixed in 2.4.53 upstream]
++    - HTTP Request Smuggling via error discarding the
++      request body
++      + d/p/CVE-2022-22720.patch: simpler connection close logic
++        if discarding the request body fails in modules/http/http_filters.c,
++        server/protocol.c.
++      [Fixed in 2.4.53 upstream]
++    - overflow via large LimitXMLRequestBody
++      + d/p/CVE-2022-22721.patch: make sure and check that
++        LimitXMLRequestBody fits in system memory in server/core.c,
++        server/util.c, server/util_xml.c.
++      [Fixed in 2.4.53 upstream]
++    - out-of-bounds write in mod_sed
++      + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger
++        buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
++        modules/filters/mod_sed.c, modules/filters/sed1.c.
++      + d/p/CVE-2022-23943-2.patch: improve the logic flow in
++        modules/filters/mod_sed.c.
++      [Fixed in 2.4.53 upstream]
++
++ -- Bryce Harrington <bryce@canonical.com>  Mon, 23 May 2022 19:34:18 -0700
++
  apache2 (2.4.53-2) unstable; urgency=medium
    * Clean useless Conflicts/Replace
@@ -33,6 +75,79 @@ apache2 (2.4.52-2) experimental; urgency=medium
   -- Yadd <yadd@debian.org>  Tue, 28 Dec 2021 20:01:43 +0100
++apache2 (2.4.52-1ubuntu4) jammy; urgency=medium
++
++  * d/apache2.postrm: Include md5 sum for updated index.html
++
++ -- Bryce Harrington <bryce@canonical.com>  Thu, 24 Mar 2022 17:35:40 -0700
++
++apache2 (2.4.52-1ubuntu3) jammy; urgency=medium
++
++  * d/index.html:
++    - Redesign page's heading for the new logo
++    - Use the Ubuntu font where available
++    - Update service management directions
++    - Copyedit grammar
++    - Light reformatting and whitespace cleanup
++  * d/icons/ubuntu-logo.png: Refresh ubuntu logo
++    (LP: #1966004)
++
++ -- Bryce Harrington <bryce@canonical.com>  Wed, 23 Mar 2022 16:18:11 -0700
++
++apache2 (2.4.52-1ubuntu2) jammy; urgency=medium
++
++  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
++    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
++      lua_write_body() fail in modules/lua/lua_request.c.
++    - CVE-2022-22719
++  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
++    request body
++    - debian/patches/CVE-2022-22720.patch: simpler connection close logic
++      if discarding the request body fails in modules/http/http_filters.c,
++      server/protocol.c.
++    - CVE-2022-22720
++  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
++    - debian/patches/CVE-2022-22721.patch: make sure and check that
++      LimitXMLRequestBody fits in system memory in server/core.c,
++      server/util.c, server/util_xml.c.
++    - CVE-2022-22721
++  * SECURITY UPDATE: out-of-bounds write in mod_sed
++    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
++      buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
++      modules/filters/mod_sed.c, modules/filters/sed1.c.
++    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
++      modules/filters/mod_sed.c.
++    - CVE-2022-23943
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 17 Mar 2022 09:39:54 -0400
++
++apache2 (2.4.52-1ubuntu1) jammy; urgency=medium
++
++  * Merge with Debian unstable (LP: #1959924). Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++      (LP 261198)
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++      (LP 609177)
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
++      d/s/include-binaries: replace Debian with Ubuntu on default
++      page and add Ubuntu icon file.
++      (LP 1288690)
++  * Dropped:
++    - d/p/support-openssl3-*.patch: Backport various patches from
++      https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
++      failure to load when using OpenSSL 3.
++      (LP #1951476)
++      [Included in upstream release 2.4.52]
++    - d/apache2ctl: Also use systemd for graceful if it is in use.
++      (LP 1832182)
++      [This introduced a performance regression.]
++    - d/apache2ctl: Also use /run/systemd to check for systemd usage.
++      (LP 1918209)
++      [Not needed]
++
++ -- Bryce Harrington <bryce@canonical.com>  Thu, 03 Feb 2022 10:25:47 -0800
++
  apache2 (2.4.52-1) unstable; urgency=medium
    * Refresh suexec-custom.patch
@@ -43,6 +158,60 @@ apache2 (2.4.52-1) unstable; urgency=medium
   -- Yadd <yadd@debian.org>  Mon, 20 Dec 2021 18:42:09 +0100
++apache2 (2.4.51-2ubuntu1) jammy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++      (LP 261198)
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++      (LP 609177)
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
++      d/s/include-binaries: replace Debian with Ubuntu on default
++      page and add Ubuntu icon file.
++      (LP 1288690)
++    - d/p/support-openssl3-*.patch: Backport various patches from
++      https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
++      failure to load when using OpenSSL 3.
++      (LP #1951476)
++  * Dropped:
++    - d/apache2ctl: Also use systemd for graceful if it is in use.
++      (LP: 1832182)
++      [This introduced a performance regression.]
++    - d/apache2ctl: Also use /run/systemd to check for systemd usage.
++      (LP 1918209)
++      [Not needed]
++    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
++      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
++      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
++      server/core_filters.c, server/protocol.c, server/vhost.c.
++      [Fixed in 2.4.48-4]
++    - debian/patches/CVE-2021-34798.patch: add NULL check in
++      server/scoreboard.c.
++      [Fixed in 2.4.49-1]
++    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
++      generic worker in modules/proxy/mod_proxy_uwsgi.c.
++      [Fixed in 2.4.49-1]
++    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
++      substitution logic in server/util.c.
++      [Fixed in 2.4.49-1]
++    - arbitrary origin server via crafted request uri-path
++      + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
++        parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
++        modules/proxy/proxy_util.c.
++      + debian/patches/CVE-2021-40438.patch: add sanity checks on the
++        configured UDS path in modules/proxy/proxy_util.c.
++      [Fixed in 2.4.49-3]
++    - SECURITY REGRESSION: Issues in UDS URIs.  (LP #1945311)
++      + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
++        rules in modules/mappers/mod_rewrite.c.
++      + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
++        hostname in modules/mappers/mod_rewrite.c,
++        modules/proxy/proxy_util.c.
++      [Fixed in 2.4.49-3]
++
++ -- Bryce Harrington <bryce@canonical.com>  Thu, 16 Dec 2021 14:09:26 -0800
++
  apache2 (2.4.51-2) unstable; urgency=medium
    * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting
@@ -108,6 +277,74 @@ apache2 (2.4.48-4) unstable; urgency=medium
   -- Yadd <yadd@debian.org>  Thu, 12 Aug 2021 11:37:43 +0200
++apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium
++
++  * d/p/support-openssl3-*.patch: Backport various patches from
++    https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
++    failure to load when using OpenSSL 3.  (LP: #1951476)
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Fri, 26 Nov 2021 16:07:56 -0500
++
++apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
++
++  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
++    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
++      rules in modules/mappers/mod_rewrite.c.
++    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
++      hostname in modules/mappers/mod_rewrite.c,
++      modules/proxy/proxy_util.c.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 28 Sep 2021 08:52:26 -0400
++
++apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium
++
++  * SECURITY UPDATE: request splitting over HTTP/2
++    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
++      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
++      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
++      server/core_filters.c, server/protocol.c, server/vhost.c.
++    - CVE-2021-33193
++  * SECURITY UPDATE: NULL deref via malformed requests
++    - debian/patches/CVE-2021-34798.patch: add NULL check in
++      server/scoreboard.c.
++    - CVE-2021-34798
++  * SECURITY UPDATE: DoS in mod_proxy_uwsgi
++    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
++      generic worker in modules/proxy/mod_proxy_uwsgi.c.
++    - CVE-2021-36160
++  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
++    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
++      substitution logic in server/util.c.
++    - CVE-2021-39275
++  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
++    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
++      parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
++      modules/proxy/proxy_util.c.
++    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
++      configured UDS path in modules/proxy/proxy_util.c.
++    - CVE-2021-40438
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 23 Sep 2021 12:51:16 -0400
++
++apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles. (LP 261198)
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++      (LP 609177)
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
++      d/s/include-binaries: replace Debian with Ubuntu on default
++      page and add Ubuntu icon file.  (LP 1288690)
++    - d/apache2ctl: Also use systemd for graceful if it is in use.
++      This extends an earlier fix for the start command to behave
++      similarly for restart / graceful.  Fixes service failures on
++      unattended upgrade.  (LP 1832182)
++    - d/apache2ctl: Also use /run/systemd to check for systemd usage
++      (LP 1918209)
++
++ -- Bryce Harrington <bryce@canonical.com>  Wed, 11 Aug 2021 20:03:24 -0700
++
  apache2 (2.4.48-3.1) unstable; urgency=medium
    * Non-maintainer upload.
@@ -116,6 +353,46 @@ apache2 (2.4.48-3.1) unstable; urgency=medium
   -- Thorsten Glaser <tg@mirbsd.de>  Sat, 10 Jul 2021 23:31:28 +0200
++apache2 (2.4.48-3ubuntu1) impish; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles. (LP: 261198)
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++      (LP: 609177)
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
++      d/s/include-binaries: replace Debian with Ubuntu on default
++      page and add Ubuntu icon file.  (LP: 1288690)
++    - d/apache2ctl: Also use systemd for graceful if it is in use.
++      This extends an earlier fix for the start command to behave
++      similarly for restart / graceful.  Fixes service failures on
++      unattended upgrade.  (LP: 1832182)
++    - d/apache2ctl: Also use /run/systemd to check for systemd usage
++      (LP: 1918209)
++  * Dropped:
++    - d/t/control, d/t/check-http2: add basic test for http2 support
++      [Fixed in 2.4.48-2]
++    - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
++      [Fixed in 2.4.48-1]
++    - d/p/CVE-2020-13950.patch: don't dereference NULL proxy
++      connection in modules/proxy/mod_proxy_http.c.
++      [Fixed in 2.4.48 upstream]
++    - d/p/CVE-2020-35452.patch: fast validation of the nonce's
++      base64 to fail early if the format can't match anyway in
++      modules/aaa/mod_auth_digest.c.
++      [Fixed in 2.4.48 upstream]
++    - d/p/CVE-2021-26690.patch: save one apr_strtok() in
++      session_identity_decode() in modules/session/mod_session.c.
++      [Fixed in 2.4.48 upstream]
++    - d/p/CVE-2021-26691.patch: account for the '&' in
++      identity_concat() in modules/session/mod_session.c.
++      [Fixed in 2.4.48 upstream]
++    - d/p/CVE-2021-30641.patch: change default behavior in
++      server/request.c.
++      [Fixed in 2.4.48 upstream]
++
++ -- Bryce Harrington <bryce@canonical.com>  Thu, 08 Jul 2021 03:20:46 +0000
++
  apache2 (2.4.48-3) unstable; urgency=medium
    * Fix debian/changelog
@@ -172,6 +449,65 @@ apache2 (2.4.46-5) unstable; urgency=medium
   -- Yadd <yadd@debian.org>  Thu, 10 Jun 2021 11:57:38 +0200
++apache2 (2.4.46-4ubuntu3) impish; urgency=medium
++
++  * No-change rebuild due to OpenLDAP soname bump.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 21 Jun 2021 17:43:48 -0400
++
++apache2 (2.4.46-4ubuntu2) impish; urgency=medium
++
++  * SECURITY UPDATE: mod_proxy_http denial of service.
++    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
++      connection in modules/proxy/mod_proxy_http.c.
++    - CVE-2020-13950
++  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
++    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
++      base64 to fail early if the format can't match anyway in
++      modules/aaa/mod_auth_digest.c.
++    - CVE-2020-35452
++  * SECURITY UPDATE: DoS via cookie header in mod_session
++    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
++      session_identity_decode() in modules/session/mod_session.c.
++    - CVE-2021-26690
++  * SECURITY UPDATE: heap overflow via SessionHeader
++    - debian/patches/CVE-2021-26691.patch: account for the '&' in
++      identity_concat() in modules/session/mod_session.c.
++    - CVE-2021-26691
++  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
++    - debian/patches/CVE-2021-30641.patch: change default behavior in
++      server/request.c.
++    - CVE-2021-30641
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 17 Jun 2021 13:09:41 -0400
++
++apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable, to allow moving from lua5.2 to
++    lua5.3 (LP: #1910372). Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++      + d/source/include-binaries: add Ubuntu icon file
++    - d/t/control, d/t/check-http2: add basic test for http2 support
++    - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
++      issue reading error log too quickly after request, by adding a sleep.
++      (LP #1890302)
++    - d/apache2ctl: Also use systemd for graceful if it is in use.
++      This extends an earlier fix for the start command to behave
++      similarly for restart / graceful.  Fixes service failures on
++      unattended upgrade.
++  * Drop:
++    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
++      was re-added by mistake in 2.4.41-1 (Closes #921024)
++      [Included in Debian 2.4.46-3]
++  * d/apache2ctl: Also use /run/systemd to check for systemd usage
++    (LP: #1918209)
++
++ -- Bryce Harrington <bryce@canonical.com>  Tue, 09 Mar 2021 00:45:35 +0000
++
  apache2 (2.4.46-4) unstable; urgency=medium
    * Ignore other random another test failures (Closes: #979664)
@@ -189,6 +525,28 @@ apache2 (2.4.46-3) unstable; urgency=medium
   -- Xavier Guimard <yadd@debian.org>  Sun, 10 Jan 2021 22:43:21 +0100
++apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++      + d/source/include-binaries: add Ubuntu icon file
++    - d/t/control, d/t/check-http2: add basic test for http2 support
++    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
++      was re-added by mistake in 2.4.41-1 (Closes #921024)
++    - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
++      issue reading error log too quickly after request, by adding a sleep.
++      (LP #1890302)
++    - d/apache2ctl: Also use systemd for graceful if it is in use.
++      This extends an earlier fix for the start command to behave
++      similarly for restart / graceful.  Fixes service failures on
++      unattended upgrade.
++
++ -- Paride Legovini <paride.legovini@canonical.com>  Mon, 14 Dec 2020 18:12:15 +0100
++
  apache2 (2.4.46-2) unstable; urgency=medium
    [ Jean-Michel Vourgère ]
@@ -210,6 +568,39 @@ apache2 (2.4.46-2) unstable; urgency=medium
   -- Xavier Guimard <yadd@debian.org>  Fri, 13 Nov 2020 16:59:01 +0100
++apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium
++
++  * d/apache2ctl: Also use systemd for graceful if it is in use.
++    (LP: #1832182)
++    - This extends an earlier fix for the start command to behave
++      similarly for restart / graceful.  Fixes service failures on
++      unattended upgrade.
++
++ -- Bryce Harrington <bryce@canonical.com>  Mon, 05 Oct 2020 16:06:32 -0700
++
++apache2 (2.4.46-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++      + d/source/include-binaries: add Ubuntu icon file
++    - d/t/control, d/t/check-http2: add basic test for http2 support
++    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
++      was re-added by mistake in 2.4.41-1 (Closes #921024)
++    - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
++      issue reading error log too quickly after request, by adding a sleep.
++      (LP #1890302)
++  * Dropped:
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++      [Unclear if it's still necessary, and upstream hasn't made a
++      release with it yet]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 25 Aug 2020 09:13:38 -0300
++
  apache2 (2.4.46-1) unstable; urgency=medium
    [ Xavier Guimard ]
@@ -226,6 +617,39 @@ apache2 (2.4.46-1) unstable; urgency=medium
   -- Xavier Guimard <yadd@debian.org>  Sat, 08 Aug 2020 08:33:36 +0200
++apache2 (2.4.43-1ubuntu2) groovy; urgency=medium
++
++  * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
++    issue reading error log too quickly after request, by adding a sleep.
++    (LP: #1890302)
++
++ -- Bryce Harrington <bryce@canonical.com>  Wed, 05 Aug 2020 12:44:59 -0700
++
++apache2 (2.4.43-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++      + d/source/include-binaries: add Ubuntu icon file
++    - d/t/control, d/t/check-http2: add basic test for http2 support
++    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
++      was re-added by mistake in 2.4.41-1 (Closes #921024)
++  * Dropped:
++    - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
++      parameter to mod_proxy_ajp (LP #1865340)
++      [Fixed upstream]
++    - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
++      mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
++      Closes #955348, LP #1872478
++      [In 2.4.43-1]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 21 Jul 2020 10:22:42 -0300
++
  apache2 (2.4.43-1) unstable; urgency=medium
    [ Timo Aaltonen ]
@@ -253,6 +677,39 @@ apache2 (2.4.41-5) unstable; urgency=medium
   -- Xavier Guimard <yadd@debian.org>  Wed, 18 Mar 2020 21:06:49 +0100
++apache2 (2.4.41-4ubuntu3) focal; urgency=medium
++
++  [ Timo Aaltonen ]
++  * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
++    mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
++    Closes: #955348, LP: #1872478
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 13 Apr 2020 14:19:17 -0300
++
++apache2 (2.4.41-4ubuntu2) focal; urgency=medium
++
++  * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
++    parameter to mod_proxy_ajp (LP: #1865340)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 05 Mar 2020 15:51:00 -0300
++
++apache2 (2.4.41-4ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++      + d/source/include-binaries: add Ubuntu icon file
++    - d/t/control, d/t/check-http2: add basic test for http2 support
++    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
++      was re-added by mistake in 2.4.41-1 (Closes #921024)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 26 Feb 2020 10:36:13 -0300
++
  apache2 (2.4.41-4) unstable; urgency=medium
    * Add gcc in chroot autopkgtest (fixes debci)
@@ -277,6 +734,41 @@ apache2 (2.4.41-2) unstable; urgency=medium
   -- Xavier Guimard <yadd@debian.org>  Mon, 13 Jan 2020 06:14:45 +0100
++apache2 (2.4.41-1ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++      + d/source/include-binaries: add Ubuntu icon file
++    - d/t/control, d/t/check-http2: add basic test for http2 support
++  * Dropped:
++    - Cherrypick upstream testsuite fix:
++      + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
++      as such).
++      + Similarly use TLSv1.2 for pr12355 and pr43738.
++        [Test suite updated in 2.4.41-1]
++    - Cherrypick upstream test suite fix for buffer.
++      [Included in 2.4.41-1]
++    - d/p/spelling-errors.patch: removed hunks already fixed upstream
++      [Included in 2.4.39-1]
++    - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
++      + d/p/CVE-2019-0196.patch
++      + d/p/CVE-2019-0211.patch
++      + d/p/CVE-2019-0215.patch
++      + d/p/CVE-2019-0217.patch
++      + d/p/CVE-2019-0220-*.patch
++      + d/p/CVE-2019-0197.patch
++  * Added:
++    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
++      was re-added by mistake in 2.4.41-1 (Closes: #921024)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 14 Aug 2019 11:36:32 -0300
++
  apache2 (2.4.41-1) unstable; urgency=medium
    * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,
@@ -309,6 +801,62 @@ apache2 (2.4.39-1) unstable; urgency=medium
   -- Xavier Guimard <yadd@debian.org>  Mon, 12 Aug 2019 21:30:33 +0200
++apache2 (2.4.39-0ubuntu1) eoan; urgency=medium
++
++  * New upstream version: 2.4.39
++  * d/p/spelling-errors.patch: removed hunks already fixed upstream
++  * Remaining changes:
++    - Cherrypick upstream test suite fix for buffer.
++    - Cherrypick upstream testsuite fix:
++      + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
++      as such).
++    - Similarly use TLSv1.2 for pr12355 and pr43738.
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++      + d/source/include-binaries: add Ubuntu icon file
++    - d/t/control, d/t/check-http2: add basic test for http2 support
++  * Dropped patches (fixed upstream):
++    - d/p/CVE-2019-0196.patch
++    - d/p/CVE-2019-0211.patch
++    - d/p/CVE-2019-0215.patch
++    - d/p/CVE-2019-0217.patch
++    - d/p/CVE-2019-0220-*.patch
++    - d/p/CVE-2019-0197.patch
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 05 Aug 2019 18:09:08 -0300
++
++apache2 (2.4.38-3ubuntu2) eoan; urgency=medium
++
++  * Cherrypick upstream test suite fix for buffer.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 13 Jun 2019 11:08:24 +0100
++
++apache2 (2.4.38-3ubuntu1) eoan; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Cherrypick upstream testsuite fix:
++      + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
++      as such).
++    - Similarly use TLSv1.2 for pr12355 and pr43738.
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++      [Removed configure chunk, not needed since configure.in is being
++       patched.]
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++      + d/source/include-binaries: add Ubuntu icon file
++    - d/t/control, d/t/check-http2: add basic test for http2 support
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 10 Jun 2019 19:17:38 +0100
++
  apache2 (2.4.38-3) unstable; urgency=high
    [ Marc Deslauriers ]
@@ -346,6 +894,79 @@ apache2 (2.4.38-3) unstable; urgency=high
   -- Stefan Fritsch <sf@debian.org>  Sun, 07 Apr 2019 20:15:40 +0200
++apache2 (2.4.38-2ubuntu3) eoan; urgency=medium
++
++  * Cherrypick upstream testsuite fix:
++    - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
++      as such).
++  * Similarly use TLSv1.2 for pr12355 and pr43738.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 07 May 2019 10:39:47 +0100
++
++apache2 (2.4.38-2ubuntu2) disco; urgency=medium
++
++  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
++    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
++      request method in modules/http2/h2_request.c.
++    - CVE-2019-0196
++  * SECURITY UPDATE: privilege escalation from modules' scripts
++    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
++      child to its slot number in include/scoreboard.h,
++      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
++      server/mpm/worker/worker.c.
++    - CVE-2019-0211
++  * SECURITY UPDATE: mod_ssl access control bypass
++    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
++      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
++    - CVE-2019-0215
++  * SECURITY UPDATE: mod_auth_digest access control bypass
++    - debian/patches/CVE-2019-0217.patch: fix a race condition in
++      modules/aaa/mod_auth_digest.c.
++    - CVE-2019-0217
++  * SECURITY UPDATE: URL normalization inconsistincy
++    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
++      the path in include/http_core.h, include/httpd.h, server/core.c,
++      server/request.c, server/util.c.
++    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
++      in server/request.c, server/util.c.
++    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
++      server/util.c.
++    - CVE-2019-0220
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 03 Apr 2019 14:31:46 -0400
++
++apache2 (2.4.38-2ubuntu1) disco; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++   - debian/patches/086_svn_cross_compiles: Backport several cross
++     fixes from upstream
++     [Removed configure chunk, not needed since configure.in is being
++      patched.]
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++      + d/source/include-binaries: add Ubuntu icon file
++    - d/t/control, d/t/check-http2: add basic test for http2 support
++  * Dropped:
++    - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
++      libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
++      cannot be coinstalled with libcurl3. That situation breaks the
++      installation of libapache2-mod-shib2.  See
++      https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
++      for details.
++      [This has been resolved in Disco, where libxmltooling8 is built with
++      openssl 1.1]
++    - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
++      + debian/patches/CVE-2018-11763.patch: rework connection IO event
++        handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
++        modules/http2/h2_version.h.
++        - CVE-2018-11763
++        [Fixed in 2.4.35]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Sun, 03 Feb 2019 14:57:13 -0200
++
  apache2 (2.4.38-2) unstable; urgency=medium
    * Disable "reset" test in allowmethods.t (Closes: #921024)
@@ -428,6 +1049,37 @@ apache2 (2.4.35-1) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Sun, 07 Oct 2018 12:54:58 +0200
++apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium
++
++  * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
++    - debian/patches/CVE-2018-11763.patch: rework connection IO event
++      handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
++      modules/http2/h2_version.h.
++    - CVE-2018-11763
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 03 Oct 2018 09:57:22 -0400
++
++apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++      + d/source/include-binaries: add Ubuntu icon file
++    - d/t/control, d/t/check-http2: add basic test for http2 support
++    - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
++      libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
++      cannot be coinstalled with libcurl3. That situation breaks the
++      installation of libapache2-mod-shib2.  See
++      https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
++      for details.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 03 Aug 2018 17:09:27 -0300
++
  apache2 (2.4.34-1) unstable; urgency=medium
    [ Ondřej Surý ]
@@ -446,6 +1098,87 @@ apache2 (2.4.34-1) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Fri, 27 Jul 2018 21:37:37 +0200
++apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium
++
++  * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load:
++    re-enable proxy_uwsgi, as the uwsgi source no longer builds this module.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 28 Jun 2018 10:07:06 -0300
++
++apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
++
++  * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
++    libapache2-mod-md until we figure out their transitions.  libapache2-mod-md
++    in particular is problematic because that makes apache2-bin pull in
++    libcurl4 which cannot be coinstalled with libcurl3.  That situation breaks
++    the installation of libapache2-mod-shib2.  See
++    https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
++    for details.
++    - Don't ship md.load and remove build-requires that were added because of
++      mod-md (see
++      https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
++    - Remove proxy_uwsgi.load as we are not building it for now (see
++      https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 17 May 2018 14:46:19 +0000
++
++apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1770242). Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++      + d/source/include-binaries: add Ubuntu icon file
++    - d/t/control, d/t/check-http2: add basic test for http2 support
++  * Drop:
++    - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
++      + debian/patches/CVE-2017-15710.patch: fix language long names
++        detection as short name in modules/aaa/mod_authnz_ldap.c.
++      + CVE-2017-15710
++    - SECURITY UPDATE: incorrect <FilesMatch> matching
++      + debian/patches/CVE-2017-15715.patch: allow to configure
++        global/default options for regexes, like caseless matching or
++        extended format in include/ap_regex.h, server/core.c,
++        server/util_pcre.c.
++      + CVE-2017-15715
++    - SECURITY UPDATE: mod_session header manipulation
++      + debian/patches/CVE-2018-1283.patch: strip Session header when
++        SessionEnv is on in modules/session/mod_session.c.
++      + CVE-2018-1283
++    - SECURITY UPDATE: DoS via specially-crafted request
++      + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
++        terminated on any error, not only on buffer full in
++        server/protocol.c.
++      + CVE-2018-1301
++    - SECURITY UPDATE: mod_cache_socache DoS
++      + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
++        to carriage return in modules/cache/mod_cache_socache.c.
++      + CVE-2018-1303
++    - SECURITY UPDATE: insecure nonce generation
++      + debian/patches/CVE-2018-1312.patch: actually use the secret when
++        generating nonces in modules/aaa/mod_auth_digest.c.
++      + CVE-2018-1312
++    - Correct systemd-sysv-generator behavior by customizing some
++      parameters:
++      + d/apache2-systemd.conf: add a drop-in file to specify some
++        parameters for the systemd unit (type=Forking and
++        RemainsAfterExit=no), this allow a correct state synchronisation
++        between systemctl status and actual state of apache2 daemon.
++      + d/apache2.install: place the apache2-systemd.conf file in the
++        correct location.
++      [type=Forking already in the base systemd service file, and
++       RemainsAfterExit=no is the default value, so no need to
++       customize these anymore.]
++    - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
++      + added debian/patches/util_ldap_cache_lock_fix.patch
++      [Already applied upstream]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 15 May 2018 11:03:34 -0300
++
  apache2 (2.4.33-3) unstable; urgency=medium
    * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
@@ -518,6 +1251,91 @@ apache2 (2.4.29-2) unstable; urgency=medium
   -- Ondřej Surý <ondrej@debian.org>  Sun, 14 Jan 2018 11:01:58 +0000
++apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium
++
++  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
++    - debian/patches/CVE-2017-15710.patch: fix language long names
++      detection as short name in modules/aaa/mod_authnz_ldap.c.
++    - CVE-2017-15710
++  * SECURITY UPDATE: incorrect <FilesMatch> matching
++    - debian/patches/CVE-2017-15715.patch: allow to configure
++      global/default options for regexes, like caseless matching or
++      extended format in include/ap_regex.h, server/core.c,
++      server/util_pcre.c.
++    - CVE-2017-15715
++  * SECURITY UPDATE: mod_session header manipulation
++    - debian/patches/CVE-2018-1283.patch: strip Session header when
++      SessionEnv is on in modules/session/mod_session.c.
++    - CVE-2018-1283
++  * SECURITY UPDATE: DoS via specially-crafted request
++    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
++      terminated on any error, not only on buffer full in
++      server/protocol.c.
++    - CVE-2018-1301
++  * SECURITY UPDATE: mod_cache_socache DoS
++    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
++      to carriage return in modules/cache/mod_cache_socache.c.
++    - CVE-2018-1303
++  * SECURITY UPDATE: insecure nonce generation
++    - debian/patches/CVE-2018-1312.patch: actually use the secret when
++      generating nonces in modules/aaa/mod_auth_digest.c.
++    - CVE-2018-1312
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 25 Apr 2018 07:38:24 -0400
++
++apache2 (2.4.29-1ubuntu4) bionic; urgency=medium
++
++  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
++    - added debian/patches/util_ldap_cache_lock_fix.patch
++
++ -- Rafael David Tinoco <rafael.tinoco@canonical.com>  Fri, 02 Mar 2018 02:19:31 +0000
++
++apache2 (2.4.29-1ubuntu3) bionic; urgency=medium
++
++  * Switch back to OpenSSL 1.1.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 06 Feb 2018 11:57:20 +0000
++
++apache2 (2.4.29-1ubuntu2) bionic; urgency=medium
++
++  * enable http2 (LP: #1687454) by stopping to disable it
++    - debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
++    - debian/config-dir/mods-available/http2.load: no more removed.
++    - debian/rules: no more removed proxy_http2 from configure.
++  * d/t/control, d/t/check-http2: add basic test for http2 support
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 05 Dec 2017 17:25:39 +0100
++
++apache2 (2.4.29-1ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++      + d/source/include-binaries: add Ubuntu icon file
++    - Correct systemd-sysv-generator behavior by customizing some
++      parameters:
++      + d/apache2-systemd.conf: add a drop-in file to specify some
++        parameters for the systemd unit (type=Forking and
++        RemainsAfterExit=no), this allow a correct state synchronisation
++        between systemctl status and actual state of apache2 daemon.
++      + d/apache2.install: place the apache2-systemd.conf file in the
++        correct location.
++    - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
++      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
++      + debian/config-dir/mods-available/http2.load: removed.
++      + debian/rules: removed proxy_http2 from configure.
++  * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
++    - debian/control: switch BuildDepends to libssl1.0-dev
++    - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
++    - debian/rules: remove openssl virtual package and logic
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 10 Nov 2017 10:51:46 -0500
++
  apache2 (2.4.29-1) unstable; urgency=medium
    [ Stefan Fritsch ]
@@ -582,6 +1400,47 @@ apache2 (2.4.27-3) experimental; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Sun, 16 Jul 2017 23:11:07 +0200
++apache2 (2.4.27-2ubuntu3) artful; urgency=medium
++
++  * SECURITY UPDATE: optionsbleed information leak
++    - debian/patches/CVE-2017-9798.patch: disallow method registration
++      at run time in server/core.c.
++    - CVE-2017-9798
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 18 Sep 2017 11:05:48 -0400
++
++apache2 (2.4.27-2ubuntu2) artful; urgency=medium
++
++  * Undrop (LP 1658469):
++    - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
++      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
++      + debian/config-dir/mods-available/http2.load: removed.
++      + debian/rules: removed proxy_http2 from configure.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 02 Aug 2017 13:04:45 -0400
++
++apache2 (2.4.27-2ubuntu1) artful; urgency=medium
++
++  * Merge with Debian unstable (LP: #1702582). Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++      + d/source/include-binaries: add Ubuntu icon file
++    - Correct systemd-sysv-generator behavior by customizing some
++      parameters:
++      + d/apache2-systemd.conf: add a drop-in file to specify some
++        parameters for the systemd unit (type=Forking and
++        RemainsAfterExit=no), this allow a correct state synchronisation
++        between systemctl status and actual state of apache2 daemon.
++      + d/apache2.install: place the apache2-systemd.conf file in the
++        correct location.
++
++ -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Thu, 27 Jul 2017 13:38:39 -0700
++
  apache2 (2.4.27-2) unstable; urgency=medium
    * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
@@ -611,6 +1470,55 @@ apache2 (2.4.25-4) unstable; urgency=high
   -- Stefan Fritsch <sf@debian.org>  Tue, 20 Jun 2017 21:31:51 +0200
++apache2 (2.4.25-3ubuntu3) artful; urgency=medium
++
++  * Re-Drop (LP: #1658469):
++    - Don't build experimental http2 module for LTS:
++     + debian/control: removed libnghttp2-dev Build-Depends (in universe).
++     + debian/config-dir/mods-available/http2.load: removed.
++     + debian/rules: removed proxy_http2 from configure.
++     + debian/apache2.maintscript: remove http2 conffile.
++
++ -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Mon, 01 May 2017 09:55:11 -0700
++
++apache2 (2.4.25-3ubuntu2) zesty; urgency=medium
++  * Undrop (LP 1658469):
++    - Don't build experimental http2 module for LTS:
++      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
++      + debian/config-dir/mods-available/http2.load: removed.
++      + debian/rules: removed proxy_http2 from configure.
++      + debian/apache2.maintscript: remove http2 conffile.
++
++ -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Fri, 10 Feb 2017 08:53:43 -0800
++
++apache2 (2.4.25-3ubuntu1) zesty; urgency=medium
++
++  * Merge from Debian unstable (LP: #1663425). Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++      + d/source/include-binaries: add Ubuntu icon file
++    - Correct systemd-sysv-generator behavior by customizing some
++      parameters:
++      + d/apache2-systemd.conf: add a drop-in file to specify some
++        parameters for the systemd unit (type=Forking and
++        RemainsAfterExit=no), this allow a correct state synchronisation
++        between systemctl status and actual state of apache2 daemon.
++      + d/apache2.install: place the apache2-systemd.conf file in the
++        correct location.
++   * Drop (LP: #1658469):
++     - Don't build experimental http2 module for LTS:
++      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
++      + debian/config-dir/mods-available/http2.load: removed.
++      + debian/rules: removed proxy_http2 from configure.
++      + debian/apache2.maintscript: remove http2 conffile.
++
++ -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Thu, 09 Feb 2017 15:48:28 -0800
++
  apache2 (2.4.25-3) unstable; urgency=medium
    * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
@@ -672,6 +1580,39 @@ apache2 (2.4.25-1) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Wed, 21 Dec 2016 23:46:06 +0100
++apache2 (2.4.23-8ubuntu1) zesty; urgency=medium
++
++  * Merge from Debian unstable (LP: #). Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
++      d/source/include-binaries: replace Debian with Ubuntu on default
++      page.
++      [ include-binaries change previously undocumented ]
++    - Don't build experimental http2 module for LTS:
++      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
++      + debian/config-dir/mods-available/http2.load: removed.
++      + debian/rules: removed proxy_http2 from configure.
++      + debian/apache2.maintscript: remove http2 conffile.
++        [ Previously undocumented ]
++    - Correct systemd-sysv-generator behavior by customizing some
++      parameters:
++      + d/apache2-systemd.conf: add a drop-in file to specify some
++        parameters for the systemd unit (type=Forking and
++        RemainsAfterExit=no), this allow a correct state synchronisation
++        between systemctl status and actual state of apache2 daemon.
++      + d/apache2.install: place the apache2-systemd.conf file in the
++        correct location.
++  * Drop:
++    - debian/rules: Fix cross-building by passing
++      DEB_{HOST,BUILD}_GNU_TYPE to configure.
++    [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]
++
++ -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Fri, 09 Dec 2016 11:02:38 +0100
++
  apache2 (2.4.23-8) unstable; urgency=medium
    * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
@@ -682,6 +1623,33 @@ apache2 (2.4.23-8) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Sun, 20 Nov 2016 00:33:13 +0100
++apache2 (2.4.23-7ubuntu1) zesty; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - debian/rules: Fix cross-building by passing
++      DEB_{HOST,BUILD}_GNU_TYPE to configure.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
++      Debian with Ubuntu on default page.
++    - Don't build experimental http2 module for LTS:
++      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
++      + debian/config-dir/mods-available/http2.load: removed.
++      + debian/rules: removed proxy_http2 from configure.
++    - Correct systemd-sysv-generator behavior by customizing some
++      parameters:
++      + d/apache2-systemd.conf: add a drop-in file to specify some
++        parameters for the systemd unit (type=Forking and
++        RemainsAfterExit=no), this allow a correct state synchronisation
++        between systemctl status and actual state of apache2 daemon.
++      + d/apache2.install: place the apache2-systemd.conf file in the
++        correct location.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 16 Nov 2016 09:17:24 -0500
++
  apache2 (2.4.23-7) unstable; urgency=medium
    * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
@@ -796,6 +1764,55 @@ apache2 (2.4.20-1) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Sun, 10 Apr 2016 14:03:41 +0200
++apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium
++
++  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
++    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
++      server/util_script.c.
++    - CVE-2016-5387
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 18 Jul 2016 14:32:02 -0400
++
++apache2 (2.4.18-2ubuntu3) xenial; urgency=medium
++
++  [ Ryan Harper ]
++  * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
++    introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
++    all, since http2 support is intentionally disabled (see LP 1531864).
++  * d/apache2.maintscript: handle removal of http2.load conffile.
++
++  [ Robie Basak ]
++  * Re-write Ryan's changelog entry.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Fri, 15 Apr 2016 18:00:57 +0000
++
++apache2 (2.4.18-2ubuntu2) xenial; urgency=medium
++
++  * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
++    - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
++      unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation
++      between systemctl status and actual state of apache2 daemon.
++    - d/apache2.install: place the apache2-systemd.conf file in the correct location.
++
++ -- Pierre-André MOREY <pierre-andre.morey@canonical.com>  Fri, 08 Apr 2016 11:48:00 +0200
++
++apache2 (2.4.18-2ubuntu1) xenial; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - debian/rules: Fix cross-building by passing
++      DEB_{HOST,BUILD}_GNU_TYPE to configure.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html: replace Debian with Ubuntu on default page.
++    - Don't build experimental http2 module for LTS:
++      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
++      + debian/config-dir/mods-available/http2.load: removed.
++
++ -- Timo Aaltonen <tjaalton@debian.org>  Wed, 06 Apr 2016 00:18:31 +0300
++
  apache2 (2.4.18-2) unstable; urgency=low
    * htcacheclean:
@@ -821,6 +1838,24 @@ apache2 (2.4.18-2) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Mon, 28 Mar 2016 21:58:54 +0200
++apache2 (2.4.18-1ubuntu1) xenial; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - Add dep8 tests.
++    - debian/rules: Fix cross-building by passing
++      DEB_{HOST,BUILD}_GNU_TYPE to configure.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html: replace Debian with Ubuntu on default page.
++    - Don't build experimental http2 module for LTS:
++      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
++      + debian/config-dir/mods-available/http2.load: removed.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 21 Jan 2016 15:15:22 -0500
++
  apache2 (2.4.18-1) unstable; urgency=medium
    * New upstream release:
@@ -828,12 +1863,48 @@ apache2 (2.4.18-1) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Sat, 19 Dec 2015 09:26:14 +0100
++apache2 (2.4.17-3ubuntu1) xenial; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - Add dep8 tests.
++    - debian/rules: Fix cross-building by passing
++      DEB_{HOST,BUILD}_GNU_TYPE to configure.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html: replace Debian with Ubuntu on default page.
++    - Don't build experimental http2 module for LTS:
++      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
++      + debian/config-dir/mods-available/http2.load: removed.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 03 Dec 2015 10:07:35 -0500
++
  apache2 (2.4.17-3) unstable; urgency=medium
    * mpm_prefork: Fix segfault if started with -X. Closes: #805737
   -- Stefan Fritsch <sf@debian.org>  Mon, 23 Nov 2015 19:52:09 +0100
++apache2 (2.4.17-2ubuntu1) xenial; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - Add dep8 tests.
++    - debian/rules: Fix cross-building by passing
++      DEB_{HOST,BUILD}_GNU_TYPE to configure.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html: replace Debian with Ubuntu on default page.
++    - Don't build experimental http2 module for LTS:
++      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
++      + debian/config-dir/mods-available/http2.load: removed.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 20 Nov 2015 09:11:52 -0500
++
  apache2 (2.4.17-2) unstable; urgency=medium
    * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
@@ -844,6 +1915,31 @@ apache2 (2.4.17-2) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Sat, 31 Oct 2015 23:17:11 +0100
++apache2 (2.4.17-1ubuntu1) xenial; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - Add dep8 tests.
++    - debian/rules: Fix cross-building by passing
++      DEB_{HOST,BUILD}_GNU_TYPE to configure.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html: replace Debian with Ubuntu on default page.
++  * Drop patches (applied upstream):
++    - debian/patches/CVE-2015-3183.patch
++    - debian/patches/CVE-2015-3185.patch
++  * Drop changes (adopted in Debian):
++    - Allow "triggers-awaited" and "triggers-pending" states in addition
++      to "installed" when determining whether to defer actions or
++      process deferred actions.
++  * Don't build experimental http2 module for LTS
++    - debian/control: removed libnghttp2-dev Build-Depends (in universe).
++    - debian/config-dir/mods-available/http2.load: removed.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 30 Oct 2015 09:35:46 -0400
++
  apache2 (2.4.17-1) unstable; urgency=medium
    [ Stefan Fritsch ]
@@ -909,6 +2005,49 @@ apache2 (2.4.16-1) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Sun, 02 Aug 2015 00:44:07 +0200
++apache2 (2.4.12-2ubuntu2) wily; urgency=medium
++
++  * SECURITY UPDATE: request smuggling via chunked transfer encoding
++    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
++      modules/http/http_filters.c.
++    - CVE-2015-3183
++  * SECURITY UPDATE: access restriction bypass via deprecated API
++    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
++      in include/http_request.h, server/request.c.
++    - CVE-2015-3185
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 24 Jul 2015 09:56:09 -0400
++
++apache2 (2.4.12-2ubuntu1) wily; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - Add dep8 tests.
++    - debian/rules: Fix cross-building by passing
++      DEB_{HOST,BUILD}_GNU_TYPE to configure.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html: replace Debian with Ubuntu on default page.
++    - Allow "triggers-awaited" and "triggers-pending" states in addition
++      to "installed" when determining whether to defer actions or
++      process deferred actions.
++  * Drop patches (applied upstream):
++    - d/p/split-logfile.patch
++    - d/p/CVE-2015-0228.patch
++  * Drop changes (superceded in Debian):
++    - Cherry-pick versioned build-depend on dpkg from Debian for correct
++      dpkg-maintscript-helper symlink_to_dir support.
++  * Drop changes (adopted in Debian):
++    - d/control, d/config-dir/mods-available/ssl.conf,
++      d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
++      dialog program ask-for-passphrase.
++  * Fix cross-building configure line in d/rules, which had bit-rotted in
++    previous merges.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Thu, 28 May 2015 16:34:00 +0000
++
  apache2 (2.4.12-2) unstable; urgency=medium
    [ Jean-Michel Nirgal Vourgère ]
@@ -958,6 +2097,28 @@ apache2 (2.4.10-10) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Sun, 15 Mar 2015 10:47:36 +0100
++apache2 (2.4.10-9ubuntu1) vivid; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - d/control, d/config-dir/mods-available/ssl.conf,
++    - Add dep8 tests.
++    - debian/rules: Fix cross-building by passing
++      DEB_{HOST,BUILD}_GNU_TYPE to configure.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html: replace Debian with Ubuntu on default page.
++    - d/p/split-logfile.patch: fix completely broken split-logfile
++      command.
++    - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
++      denial of service in mod_lua via websockets PING
++  * debian/tests/ssl-passphrase: Add password responder for
++    systemd-ask-passphrase.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 09 Mar 2015 12:03:16 +0100
++
  apache2 (2.4.10-9) unstable; urgency=medium
    * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
@@ -972,6 +2133,54 @@ apache2 (2.4.10-9) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Mon, 22 Dec 2014 20:24:36 +0100
++apache2 (2.4.10-8ubuntu3) vivid; urgency=medium
++
++  * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
++    directives
++    - debian/patches/CVE-2014-8109.patch: handle multiple Require
++      directives with different arguments in modules/lua/mod_lua.c.
++    - CVE-2014-8109
++  * SECURITY UPDATE: denial of service in mod_lua via websockets PING
++    - debian/patches/CVE-2015-0228.patch: fix logic in
++      modules/lua/lua_request.c.
++    - CVE-2015-0228
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 05 Mar 2015 10:56:34 -0500
++
++apache2 (2.4.10-8ubuntu2) vivid; urgency=medium
++
++  * Allow "triggers-awaited" and "triggers-pending" states in addition to
++    "installed" when determining whether to defer actions or process
++    deferred actions (LP: #1393832).
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Wed, 26 Nov 2014 11:31:44 +0000
++
++apache2 (2.4.10-8ubuntu1) vivid; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - d/control, d/config-dir/mods-available/ssl.conf,
++      d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
++      dialog program ask-for-passphrase.
++    - Add dep8 tests.
++    - debian/rules: Fix cross-building by passing
++      DEB_{HOST,BUILD}_GNU_TYPE to configure.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html: replace Debian with Ubuntu on default page.
++    - d/p/split-logfile.patch: fix completely broken split-logfile
++      command.
++  * Fixes from Debian included in merge:
++    - Crash caused by OCSP stapling code; this was erroneously
++      attributed to Debian in my previous merge, but actually only
++      appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
++  * Cherry-pick versioned build-depend on dpkg from Debian for correct
++    dpkg-maintscript-helper symlink_to_dir support.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Fri, 21 Nov 2014 15:15:58 +0000
++
  apache2 (2.4.10-8) unstable; urgency=medium
    * Bump dpkg Pre-Depends to version that supports relative symlinks in
@@ -986,6 +2195,33 @@ apache2 (2.4.10-8) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Tue, 18 Nov 2014 15:18:18 +0100
++apache2 (2.4.10-7ubuntu1) vivid; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - d/control, d/config-dir/mods-available/ssl.conf,
++      d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
++      dialog program ask-for-passphrase.
++    - Add dep8 tests.
++    - debian/rules: Fix cross-building by passing
++      DEB_{HOST,BUILD}_GNU_TYPE to configure.
++    - debian/patches/086_svn_cross_compiles: Backport several cross
++      fixes from upstream
++    - d/index.html: replace Debian with Ubuntu on default page.
++    - d/p/split-logfile.patch: fix completely broken split-logfile command.
++  * Fixes from Debian included in merge:
++    - Don't use a2query in preinst, as it may not be available yet
++      (LP: #1312533).
++    - Crash caused by OCSP stapling code (LP: #1366174).
++    - Disable SSLv3 in default config (LP: #1358305).
++    - If apache2 is not configured yet, defer actions executed via
++      apache2-maintscript-helper. This fixes installation failures if a
++      module package is configured first (LP: #1312854).
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Mon, 17 Nov 2014 18:04:40 +0000
++
  apache2 (2.4.10-7) unstable; urgency=medium
    * Handle transitions of doc dirs and symlinks correctly during upgrade.
@@ -1069,6 +2305,25 @@ apache2 (2.4.10-2) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Sun, 21 Sep 2014 22:58:33 +0200
++apache2 (2.4.10-1ubuntu1) utopic; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
++      d/apache2.install: Plymouth aware passphrase dialog program
++      ask-for-passphrase.
++    - Add dep8 tests.
++    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
++      configure.
++    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
++      upstream
++    - d/index.html: replace Debian with Ubuntu on default page.
++    - d/p/split-logfile.patch: fix completely broken split-logfile command.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Thu, 24 Jul 2014 15:13:16 +0000
++
  apache2 (2.4.10-1) unstable; urgency=medium
    [ Arno Töll ]
@@ -1116,6 +2371,45 @@ apache2 (2.4.9-2) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Sun, 08 Jun 2014 10:38:04 +0200
++apache2 (2.4.9-1ubuntu2) utopic; urgency=medium
++
++  * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
++    yet support building against lua 5.2 (LP: #1323930).
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Wed, 28 May 2014 08:55:25 +0000
++
++apache2 (2.4.9-1ubuntu1) utopic; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
++      d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
++      dialog program ask-for-passphrase.
++    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
++      configure.
++    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
++      upstream
++    - Build using lua5.2.
++    - d/tests/chroot: dep8 test for ChrootDir case.
++    - d/tests/ssl-passphrase: update for new default path /var/www/html.
++    - d/tests/duplicate-module-load: check for duplicate module loads.
++    - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
++    - d/p/split-logfile.patch: fix completely broken split-logfile command
++      (LP: #1299162). Thanks to Holger Mauermann.
++  * Drop changes (upstreamed):
++    - d/p/ignore-quilt-dir: adjust build system so that it does not use
++      files find inside the .pc directory. This stops a double module load
++      causing later havoc, including "ChrootDir" directive failure.
++    - debian/patches/CVE-2013-6438.patch: properly calculate correct length
++      in modules/dav/main/util.c.
++    - debian/patches/CVE-2014-0098.patch: properly parse tokens in
++      modules/loggers/mod_log_config.c.
++  * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Fri, 09 May 2014 19:30:04 +0000
++
  apache2 (2.4.9-1) unstable; urgency=medium
    * New upstream version.
@@ -1148,6 +2442,63 @@ apache2 (2.4.9-1) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Sat, 29 Mar 2014 22:50:32 +0100
++apache2 (2.4.7-1ubuntu4) trusty; urgency=medium
++
++  * d/p/split-logfile.patch: fix completely broken split-logfile command
++    (LP: #1299162). Thanks to Holger Mauermann.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Thu, 03 Apr 2014 11:21:22 +0000
++
++apache2 (2.4.7-1ubuntu3) trusty; urgency=medium
++
++  * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
++    calculation
++    - debian/patches/CVE-2013-6438.patch: properly calculate correct length
++      in modules/dav/main/util.c.
++    - CVE-2013-6438
++  * SECURITY UPDATE: denial of service via truncated cookie and
++    mod_log_config
++    - debian/patches/CVE-2014-0098.patch: properly parse tokens in
++      modules/loggers/mod_log_config.c.
++    - CVE-2014-0098
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 20 Mar 2014 08:34:10 -0400
++
++apache2 (2.4.7-1ubuntu2) trusty; urgency=medium
++
++  * d/index.html: replace Debian with Ubuntu on default page
++    (LP: #1288690).
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Wed, 19 Mar 2014 11:04:21 +0000
++
++apache2 (2.4.7-1ubuntu1) trusty; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - d/control, d/config-dir/mods-available/ssl.conf,
++      d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase:
++      Plymouth aware passphrase dialog program ask-for-passphrase.
++    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
++      to configure.
++    - debian/patches/086_svn_cross_compiles: Backport several cross fixes
++      from upstream
++    - Build using lua5.2.
++    - d/tests/chroot: dep8 test for ChrootDir case.
++    - d/p/ignore-quilt-dir: adjust build system so that it does not use
++      files find inside the .pc directory. This stops a double module load
++      causing later havoc, including "ChrootDir" directive failure.
++  * Drop changes:
++    - debian/{control, rules}: Enable PIE hardening: no longer required;
++      2.4.7-1 is already hardened.
++    - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved
++      out of this package.
++  * d/tests/ssl-passphrase: update for new default path /var/www/html.
++  * d/tests/duplicate-module-load: check for duplicate module loads.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Tue, 14 Jan 2014 17:23:47 +0000
++
  apache2 (2.4.7-1) unstable; urgency=low
    New upstream version
@@ -1211,6 +2562,53 @@ apache2 (2.4.6-3) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Mon, 12 Aug 2013 20:15:38 +0200
++apache2 (2.4.6-2ubuntu4) trusty; urgency=low
++
++  * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so
++    that it does not use files find inside the .pc directory. This stops a
++    double module load causing later havoc, including "ChrootDir" directive
++    failure (LP: #1251939). Thanks to Stefan Fritsch.
++  * d/tests/chroot: dep8 test for ChrootDir case.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Thu, 28 Nov 2013 16:21:51 +0000
++
++apache2 (2.4.6-2ubuntu3) trusty; urgency=low
++
++  * debian/apache2.install: Correct path for ufw.
++    (LP: #1252722)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 19 Nov 2013 08:59:54 -0500
++
++apache2 (2.4.6-2ubuntu2) saucy; urgency=low
++
++  * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes
++    passphrase prompting for SSL certificates that are passphrase protected.
++  * Add dep8 test for SSL passphrase prompting.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Fri, 09 Aug 2013 13:08:52 +0000
++
++apache2 (2.4.6-2ubuntu1) saucy; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, apache2.install, apache2-utils.ufw.profile,
++      apache2.dirs}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
++    - debian/control, debian/config-dir/mods-available/ssl.conf,
++      debian/ask-for-passphrase, debian/apache2.install: Plymouth aware
++      passphrase dialog program ask-for-passphrase.
++    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
++      to configure.
++    - debian/patches/086_svn_cross_compiles: Backport several cross fixes
++      from upstream
++  * Dropped changes:
++    - debian/patches/CVE-2013-1896.patch: upstream
++  * Fixed module dependencies (LP: #1205314)
++    - debian/config-dir/mods-available/lbmethod_*: properly specify
++      proxy_balancer, not mod_proxy_balancer.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 26 Jul 2013 08:31:33 -0400
++
  apache2 (2.4.6-2) unstable; urgency=low
    [ Stefan Fritsch ]
@@ -1263,6 +2661,56 @@ apache2 (2.4.6-1) unstable; urgency=low
   -- Arno Töll <arno@debian.org>  Sun, 21 Jul 2013 18:44:42 +0200
++apache2 (2.4.4-6ubuntu5) saucy; urgency=low
++
++  * SECURITY UPDATE: denial of service via MERGE request
++    - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
++      in modules/dav/main/mod_dav.c.
++    - CVE-2013-1896
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 18 Jul 2013 11:20:47 -0400
++
++apache2 (2.4.4-6ubuntu4) saucy; urgency=low
++
++  * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to
++    apache2-bin. apache2-utils is only suggested by apache2, so may not
++    always be installed by bug reporters. However, apache2-bin will always
++    need to be installed for Apache to be functional, so this is a better
++    place for the apport hook. apache2-bin already Conflicts/Replaces
++    apache2.2-common, so this also fixes (LP: #1199318).
++  * d/apache2.py: adjust apport hook for new location of configuration
++    files in apache2 >= 2.4: they have moved from apache2.2-common to
++    apache2.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Wed, 17 Jul 2013 17:54:22 +0000
++
++apache2 (2.4.4-6ubuntu3) saucy; urgency=low
++
++  * Build using lua5.2.
++
++ -- Matthias Klose <doko@ubuntu.com>  Wed, 17 Jul 2013 14:24:42 +0200
++
++apache2 (2.4.4-6ubuntu2) saucy; urgency=low
++
++  * debian/rules: Fix FTBFS while installing ufw.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 02 Jul 2013 10:10:14 -0500
++
++apache2 (2.4.4-6ubuntu1) saucy; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
++    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
++      Plymouth aware passphrase dialog program ask-for-passphrase.
++  * Dropped changes:
++    - debian/patches/CVE-2012-2687.patch: Dropped no longer needed.
++    - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed.
++    - debian/patches/CVE-2012-4929.patch: Dropped no longer needed.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 02 Jul 2013 08:34:01 -0500
++
  apache2 (2.4.4-6) unstable; urgency=low
    * Denote exact versions breaking gnome-user-share now that Gnome maintainers
@@ -1734,6 +3182,122 @@ apache2 (2.4.1-1) experimental; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Mon, 19 Mar 2012 10:46:02 +0100
++apache2 (2.2.22-6ubuntu5) raring; urgency=low
++
++  * SECURITY UPDATE: multiple cross-site scripting issues
++    - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
++      modules/generators/{mod_info.c,mod_status.c},
++      modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
++      modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
++    - CVE-2012-3499
++    - CVE-2012-4558
++  * SECURITY UPDATE: symlink attack in apache2ctl script
++    - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
++    - Thanks to Stefan Fritsch for the fix.
++    - CVE-2013-1048
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 15 Mar 2013 07:59:58 -0400
++
++apache2 (2.2.22-6ubuntu4) raring; urgency=low
++
++  * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
++  * Skip module sanity check between MPMs if cross-building without the
++    kernel/binfmt support to run our target binaries on the build system.
++  * Backport several cross fixes from upstream as 086_svn_cross_compiles.
++
++ -- Adam Conrad <adconrad@ubuntu.com>  Wed, 05 Dec 2012 02:21:46 -0700
++
++apache2 (2.2.22-6ubuntu3) raring; urgency=low
++
++  * SECURITY UPDATE: XSS vulnerability in mod_negotiation
++    - debian/patches/CVE-2012-2687.patch: escape filenames in
++      modules/mappers/mod_negotiation.c.
++    - CVE-2012-2687
++  * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
++    - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
++      directive. Defaults to off as enabling compression enables the CRIME
++      attack.
++    - CVE-2012-4929
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 08 Nov 2012 17:56:24 -0500
++
++apache2 (2.2.22-6ubuntu2) quantal; urgency=low
++
++  * debian/apache2.py
++   - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171)
++   - Check if this directory exists: /etc/apache2/sites-enabled/
++
++ -- Matthieu Baerts (matttbe) <matttbe@gmail.com>  Mon, 16 Jul 2012 10:02:18 +0200
++
++apache2 (2.2.22-6ubuntu1) quantal; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
++    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
++      Plymouth aware passphrase dialog program ask-for-passphrase.
++  * Dropped changes:
++    - debian/control: Add bzr tag and point it to our tree; this is not
++      really required and just increases the delta.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Fri, 08 Jun 2012 11:37:31 +0100
++
++apache2 (2.2.22-6) unstable; urgency=low
++
++  [ Stefan Fritsch ]
++  * Fix regression causing apache2 to cache "206 partial content" responses,
++    and then serving these partial responses when replying to normal requests.
++    Closes: #671204
++  * Add section to security.conf that shows how to forbid access to VCS
++    directories. Closes: #548213
++  * Update ssl default cipher config, add alternative speed optimized config.
++    Closes: #649020
++  * Add "AddCharset" for .brf files in default mod_mime config.
++    Closes: #402567
++  * Don't create httpd.conf anymore and don't include it in apache2.conf. If
++    it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
++  * Port some of the comments in apache2.conf from the 2.4 package.
++  * Compile mod_version statically, drop associated module load file.
++  * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
++    configtest.
++  * Note in README.Debian that future versions of the package will have the
++    include statements changed to include only *.conf.
++  * Change compiled-in document root to /var/www, to avoid strange error
++    messages.
++  * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
++
++  [ Arno Töll ]
++  * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
++    to override LDFLAGS at compile time by defining LDLAGS in the environment,
++    just like it is possible for CFLAGS. This also means, config_vars.mk now
++    exports hardening build flags by default.
++  * Update doc-base metadata for the apache2-doc package.
++
++ -- Stefan Fritsch <sf@debian.org>  Tue, 29 May 2012 22:05:48 +0200
++
++apache2 (2.2.22-5) unstable; urgency=low
++
++  * Make LoadFile and LoadModule look in the standard search paths if the
++    dso file name is given as a pure filename. This helps with the multi-arch
++    transition.
++
++ -- Stefan Fritsch <sf@debian.org>  Mon, 30 Apr 2012 23:38:33 +0200
++
++apache2 (2.2.22-4) unstable; urgency=high
++
++  * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
++    hosts' config files.
++    If scripting modules like mod_php or mod_rivet are enabled on systems
++    where either 1) some frontend server forwards connections to an apache2
++    backend server on the localhost address, or 2) the machine running
++    apache2 is also used for web browsing, this could allow a remote
++    attacker to execute example scripts stored under /usr/share/doc.
++    Depending on the installed packages, this could lead to issues like cross
++    site scripting, code execution, or leakage of sensitive data.
++
++ -- Stefan Fritsch <sf@debian.org>  Sun, 15 Apr 2012 23:41:43 +0200
++
  apache2 (2.2.22-3) unstable; urgency=low
    * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
@@ -1754,6 +3318,18 @@ apache2 (2.2.22-2) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Thu, 15 Mar 2012 00:02:31 +0100
++apache2 (2.2.22-1ubuntu1) precise; urgency=low
++
++  * Merge from Debian testing.  Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/control: Add bzr tag and point it to our tree
++    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
++    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
++      Plymouth aware passphrase dialog program ask-for-passphrase.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Sun, 12 Feb 2012 20:06:35 -0500
++
  apache2 (2.2.22-1) unstable; urgency=low
     [ Stefan Fritsch ]
@@ -1771,6 +3347,18 @@ apache2 (2.2.22-1) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Wed, 01 Feb 2012 21:49:04 +0100
++apache2 (2.2.21-5ubuntu1) precise; urgency=low
++
++  * Merge from Debian testing.  Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/control: Add bzr tag and point it to our tree
++    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
++    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
++      Plymouth aware passphrase dialog program ask-for-passphrase.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 09 Jan 2012 06:26:31 +0000
++
  apache2 (2.2.21-5) unstable; urgency=low
    [ Arno Töll ]
@@ -1824,6 +3412,26 @@ apache2 (2.2.21-4) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Thu, 29 Dec 2011 12:09:14 +0100
++apache2 (2.2.21-3ubuntu2) precise; urgency=low
++
++  * d/ask-for-passphrase: Flip the logic of this script so that it checks
++    first to see if apache is being started from a TTY, and then if not,
++    tries plymouth. (LP: #887410)
++
++ -- Clint Byrum <clint@ubuntu.com>  Tue, 06 Dec 2011 16:49:33 -0800
++
++apache2 (2.2.21-3ubuntu1) precise; urgency=low
++
++  * Merge from Debian testing.  Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/control: Add bzr tag and point it to our tree
++    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
++    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
++      Plymouth aware passphrase dialog program ask-for-passphrase.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Fri, 09 Dec 2011 05:20:43 +0000
++
  apache2 (2.2.21-3) unstable; urgency=medium
    * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
@@ -1838,6 +3446,24 @@ apache2 (2.2.21-3) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Sat, 03 Dec 2011 18:54:03 +0100
++apache2 (2.2.21-2ubuntu2) precise; urgency=low
++
++  * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
++
++ -- Adam Conrad <adconrad@ubuntu.com>  Fri, 02 Dec 2011 17:36:28 -0700
++
++apache2 (2.2.21-2ubuntu1) precise; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/control: Add bzr tag and point it to our tree
++    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
++    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
++      Plymouth aware passphrase dialog program ask-for-passphrase.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Fri, 14 Oct 2011 16:01:29 +0000
++
  apache2 (2.2.21-2) unstable; urgency=high
    * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
@@ -1855,6 +3481,19 @@ apache2 (2.2.21-1) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Mon, 26 Sep 2011 18:16:11 +0200
++apache2 (2.2.20-1ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
++    Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/control: Add bzr tag and point it to our tree
++    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
++    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
++      Plymouth aware passphrase dialog program ask-for-passphrase.
++
++ -- Steve Beattie <sbeattie@ubuntu.com>  Tue, 06 Sep 2011 01:17:15 -0700
++
  apache2 (2.2.20-1) unstable; urgency=low
    * New upstream release.
@@ -1877,6 +3516,18 @@ apache2 (2.2.19-2) unstable; urgency=high
   -- Stefan Fritsch <sf@debian.org>  Mon, 29 Aug 2011 17:08:17 +0200
++apache2 (2.2.19-1ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable (LP: #787013). Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/control: Add bzr tag and point it to our tree
++    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
++    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
++      Plymouth aware passphrase dialog program ask-for-passphrase.
++
++ -- Andres Rodriguez <andreserl@ubuntu.com>  Mon, 23 May 2011 10:16:09 -0400
++
  apache2 (2.2.19-1) unstable; urgency=low
    * New upstream release.
@@ -1894,6 +3545,18 @@ apache2 (2.2.19-1) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Sun, 22 May 2011 10:21:21 +0200
++apache2 (2.2.17-3ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/control: Add bzr tag and point it to our tree
++    - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
++    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
++      Plymouth aware passphrase dialog program ask-for-passphrase.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 11 Apr 2011 02:13:30 +0100
++
  apache2 (2.2.17-3) unstable; urgency=low
    * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
@@ -1920,6 +3583,18 @@ apache2 (2.2.17-2) unstable; urgency=high
   -- Stefan Fritsch <sf@debian.org>  Mon, 21 Mar 2011 23:01:17 +0100
++apache2 (2.2.17-1ubuntu1) natty; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/control: Add bzr tag and point it to our tree
++    - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
++    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
++      Plymouth aware passphrase dialog program ask-for-passphrase.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 22 Feb 2011 13:02:08 -0500
++
  apache2 (2.2.17-1) unstable; urgency=low
    * New upstream version
@@ -1928,6 +3603,32 @@ apache2 (2.2.17-1) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Tue, 15 Feb 2011 23:30:18 +0100
++apache2 (2.2.16-6ubuntu3) natty; urgency=low
++
++  * debian/rules: Don't use "-fno-strict-aliasing" since it causes
++    apache FTBFS on amd64. (LP: #711293)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 01 Feb 2011 10:19:55 -0500
++
++apache2 (2.2.16-6ubuntu2) natty; urgency=low
++
++  * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug.
++   (LP: #697105)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 25 Jan 2011 11:14:58 -0500
++
++apache2 (2.2.16-6ubuntu1) natty; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/control: Add bzr tag and point it to our tree
++    - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
++    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
++      Plymouth aware passphrase dialog program ask-for-passphrase.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Sun, 02 Jan 2011 06:05:51 +0000
++
  apache2 (2.2.16-6) unstable; urgency=low
    * Also add $named to the secondary-init-script example.
@@ -1943,6 +3644,30 @@ apache2 (2.2.16-5) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Fri, 31 Dec 2010 01:22:19 +0100
++apache2 (2.2.16-4ubuntu2) natty; urgency=low
++
++  [Clint Byrum]
++  * Adding plymouth aware passphrase dialog program ask-for-passphrase.
++    (LP: #582963)
++    + debian/control: apache2.2-common depends on bash for ask-for-passphrase
++    + debian/config-dir/mods-available/ssl.conf:
++      - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase
++
++  [Chuck Short]
++  * Add apport hook. (LP: #609177)
++    + debian/apache2.py, debian/apache2.2-common.install
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 22 Nov 2010 09:43:43 -0500
++
++apache2 (2.2.16-4ubuntu1) natty; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/control: Add bzr tag and point it to our tree
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 22 Nov 2010 09:43:41 -0500
++
  apache2 (2.2.16-4) unstable; urgency=medium
    * Increase the mod_reqtimeout default timeouts to avoid potential problems
@@ -1953,6 +3678,15 @@ apache2 (2.2.16-4) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Sun, 14 Nov 2010 19:05:55 +0100
++apache2 (2.2.16-3ubuntu1) natty; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/control: Add bzr tag and point it to our tree.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 12 Oct 2010 11:54:48 +0100
++
  apache2 (2.2.16-3) unstable; urgency=high
    * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
@@ -1975,6 +3709,30 @@ apache2 (2.2.16-2) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Sun, 29 Aug 2010 15:29:21 +0200
++apache2 (2.2.16-1ubuntu3) maverick; urgency=low
++
++  * Revert "stty sane" to unbreak apache starting, this will have to be
++    fixed a different way. (LP: #626723)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 08 Sep 2010 08:33:17 -0400
++
++apache2 (2.2.16-1ubuntu2) maverick; urgency=low
++
++  * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a
++    password prompt when using apache-ssl. (LP: #582963)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 25 Aug 2010 09:25:05 -0400
++
++apache2 (2.2.16-1ubuntu1) maverick; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/control: Add bzr tag and point it to our tree.
++    - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 26 Jul 2010 20:21:37 +0100
++
  apache2 (2.2.16-1) unstable; urgency=medium
    * Urgency medium for security fix.
@@ -2007,6 +3765,24 @@ apache2 (2.2.15-6) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Fri, 16 Jul 2010 23:41:08 +0200
++apache2 (2.2.15-5ubuntu1) maverick; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/control: Add bzr tag and point it to our tree.
++    - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
++    + Dropped:
++      - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
++      - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
++      - debian/config-dir/apache2.conf: Merged back from debian.
++      - mod-reqtimeout functionality: Merge back from debian.
++      - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
++      - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
++      - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 05 May 2010 01:28:04 +0100
++
  apache2 (2.2.15-5) unstable; urgency=low
    * Conflict with apache package as we now include apachectl. Closes: #579065
@@ -2127,6 +3903,80 @@ apache2 (2.2.14-6) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Sun, 07 Feb 2010 17:29:45 +0100
++apache2 (2.2.14-5ubuntu8) lucid; urgency=low
++
++  * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
++    (LP: #562370)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 13 Apr 2010 15:09:57 -0400
++
++apache2 (2.2.14-5ubuntu7) lucid; urgency=low
++
++  * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
++    leaks by making sure to not destroy bucket brigades that have been created
++    by earlier filters. Backported from 2.2.15.
++  * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
++    has reached MaxClients until it has. Backported from 2.2.15
++  * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
++    more secure by adding Satisfy all. (Debian bug: #572075)
++  * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
++    debian/config2-dir/mods-available/reqtimeout.load,
++    debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the
++    mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
++    bug in apache. Enable it by default. (LP: #392759)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 05 Apr 2010 09:53:35 -0400
++
++apache2 (2.2.14-5ubuntu6) lucid; urgency=low
++
++  * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 30 Mar 2010 09:41:11 -0400
++
++apache2 (2.2.14-5ubuntu5) lucid; urgency=low
++
++  * Revert 99-fix-mod-dav-permissions.dpatch
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 30 Mar 2010 07:55:46 -0400
++
++apache2 (2.2.14-5ubuntu4) lucid; urgency=low
++
++  * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when
++    downloading files from webdav (LP: #540747)
++  * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 29 Mar 2010 13:37:39 -0400
++
++apache2 (2.2.14-5ubuntu3) lucid; urgency=low
++
++  * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
++    - debian/patches/204_CVE-2010-0408.dpatch: return the right error code
++      in modules/proxy/mod_proxy_ajp.c.
++    - CVE-2010-0408
++  * SECURITY UPDATE: information disclosure via improper handling of
++    headers in subrequests
++    - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in
++      in server/protocol.c.
++    - CVE-2010-0434
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 10 Mar 2010 14:48:48 -0500
++
++apache2 (2.2.14-5ubuntu2) lucid; urgency=low
++
++  * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really
++    wacky options. (LP: #450501)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 08 Mar 2010 14:53:17 -0500
++
++apache2 (2.2.14-5ubuntu1) lucid; urgency=low
++
++  * Merge from debian testing.  Remaining changes: LP: #506862
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/control: Add bzr tag and point it to our tree.
++
++ -- Bhavani Shankar <right2bhavi@gmail.com>  Wed, 13 Jan 2010 14:28:41 +0530
++
  apache2 (2.2.14-5) unstable; urgency=low
    * Security: Further mitigation for the TLS renegotation attack
@@ -2150,6 +4000,15 @@ apache2 (2.2.14-5) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Sat, 02 Jan 2010 22:44:15 +0100
++apache2 (2.2.14-4ubuntu1) lucid; urgency=low
++
++  * Resynchronzie with Debian, remaining changes are:
++   - debian/{control, rules}: Enable PIE hardening.
++   - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
++   - debian/control: Add bzr tag and point it to our tree.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 23 Dec 2009 14:44:51 -0500
++
  apache2 (2.2.14-4) unstable; urgency=low
    * Disable localized error pages again by default because they break
@@ -2200,6 +4059,17 @@ apache2 (2.2.14-2) unstable; urgency=medium
   -- Stefan Fritsch <sf@debian.org>  Sat, 07 Nov 2009 14:37:37 +0100
++apache2 (2.2.14-1ubuntu1) lucid; urgency=low
++
++  * Merge from debian testing, remaining changes:
++    - debian/{control, rules}: Enable PIE hardening.
++    - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
++    - debian/conrol: Add bzr tag and point it to our tree.
++    - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
++      Already applied upstream.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Fri, 06 Nov 2009 00:29:03 +0000
++
  apache2 (2.2.14-1) unstable; urgency=low
    * New upstream version:
@@ -2234,6 +4104,24 @@ apache2 (2.2.13-1) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Mon, 31 Aug 2009 20:28:56 +0200
++apache2 (2.2.12-1ubuntu2) karmic; urgency=low
++
++  * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
++    - Fix potential segfaults with the use of the legacy ap_rputs() etc
++      interfaces, in cases where an output filter fails. This happens
++      frequently after CVE-2009-1891 got fixed. (LP: #409987)
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 17 Aug 2009 15:38:47 -0400
++
++apache2 (2.2.12-1ubuntu1) karmic; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/{control,rules}: enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
++    - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 04 Aug 2009 20:04:24 +0100
++
  apache2 (2.2.12-1) unstable; urgency=low
    * New upstream release:
@@ -2281,6 +4169,16 @@ apache2 (2.2.12-1) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Tue, 04 Aug 2009 11:02:34 +0200
++apache2 (2.2.11-7ubuntu1) karmic; urgency=low
++
++  * Merge from debian unstable, remaining changes: LP: #398130
++    - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
++      Fix timefmt is ignored when XBitHack is on. (LP: #258914)
++    - debian/{control,rules}: enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
++
++ -- Bhavani Shankar <right2bhavi@gmail.com>  Sat, 11 Jul 2009 16:34:32 +0530
++
  apache2 (2.2.11-7) unstable; urgency=low
    * Security fixes:
@@ -2295,6 +4193,16 @@ apache2 (2.2.11-7) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Fri, 10 Jul 2009 22:42:57 +0200
++apache2 (2.2.11-6ubuntu1) karmic; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
++      Fix timefmt is ignored when XBitHack is on. (LP: #258914)
++    - debian/{control,rules}: enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 09 Jun 2009 01:01:23 +0100
++
  apache2 (2.2.11-6) unstable; urgency=high
    * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
@@ -2303,6 +4211,16 @@ apache2 (2.2.11-6) unstable; urgency=high
   -- Stefan Fritsch <sf@debian.org>  Mon, 08 Jun 2009 19:22:58 +0200
++apache2 (2.2.11-5ubuntu1) karmic; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
++      Fix timefmt is ignored when XBitHack is on. (LP: #258914)
++    - debian/{control,rules}: enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
++
++ -- Andrew Mitchell <ajmitch@ubuntu.com>  Wed, 03 Jun 2009 14:10:54 +1200
++
  apache2 (2.2.11-5) unstable; urgency=low
    * Move all binaries into a new package apache2.2-bin and make
@@ -2351,6 +4269,16 @@ apache2 (2.2.11-4) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Tue, 19 May 2009 22:55:27 +0200
++apache2 (2.2.11-3ubuntu1) karmic; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
++      Fix timefmt is ignored when XBitHack is on. (LP: #258914)
++    - debian/{control,rules}: enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
++
++ -- Andrew Mitchell <ajmitch@ubuntu.com>  Tue, 12 May 2009 16:15:34 +1200
++
  apache2 (2.2.11-3) unstable; urgency=low
    * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
@@ -2359,6 +4287,21 @@ apache2 (2.2.11-3) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Tue, 31 Mar 2009 21:07:26 +0200
++apache2 (2.2.11-2ubuntu2) jaunty; urgency=low
++
++  * debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
++    Fix timefmt is ignored when XBitHack is on. (LP: #258914)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 01 Apr 2009 11:39:17 -0400
++
++apache2 (2.2.11-2ubuntu1) jaunty; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/{contro,rules}: enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Sat, 17 Jan 2009 00:02:55 +0000
++
  apache2 (2.2.11-2) unstable; urgency=low
    * Report an error instead instead of segfaulting when apr_pollset_create
@@ -2368,6 +4311,14 @@ apache2 (2.2.11-2) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Fri, 16 Jan 2009 19:01:59 +0100
++apache2 (2.2.11-1ubuntu1) jaunty; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/{control, rules}: enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 15 Dec 2008 00:06:50 +0000
++
  apache2 (2.2.11-1) unstable; urgency=low
    [Thom May]
@@ -2382,6 +4333,14 @@ apache2 (2.2.11-1) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Sun, 14 Dec 2008 09:34:24 +0100
++apache2 (2.2.9-11ubuntu1) jaunty; urgency=low
++
++  * Merge from debian unstable, remaining changes: (LP: #303375)
++    - debian/{control, rules}: enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
++
++ -- Bhavani Shankar <right2bhavi@gmail.com>  Sat, 29 Nov 2008 14:02:31 +0530
++
  apache2 (2.2.9-11) unstable; urgency=low
    * Regression fix from upstream svn for mod_proxy:
@@ -2396,6 +4355,14 @@ apache2 (2.2.9-11) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Wed, 26 Nov 2008 23:10:22 +0100
++apache2 (2.2.9-10ubuntu1) jaunty; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/{control, rules}: enable PIE hardening.
++    - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 05 Nov 2008 02:23:18 -0400
++
  apache2 (2.2.9-10) unstable; urgency=low
    * Regression fix from upstream svn for mod_proxy_http:
@@ -2426,6 +4393,27 @@ apache2 (2.2.9-8) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Thu, 11 Sep 2008 09:17:33 +0200
++apache2 (2.2.9-7ubuntu3) intrepid; urgency=low
++
++  * Revert logrotate change since it will break it for everyone.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Fri, 19 Sep 2008 09:32:01 -0400
++
++apache2 (2.2.9-7ubuntu2) intrepid; urgency=low
++
++  * debian/logrotate: Restart rather than reload for busy websites.
++    (LP: #270899)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Thu, 18 Sep 2008 08:42:22 -0400
++
++apache2 (2.2.9-7ubuntu1) intrepid; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/{control,rules}: enable PIE hardening.
++    - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles.
++
++ -- Kees Cook <kees@ubuntu.com>  Thu, 28 Aug 2008 08:10:59 -0700
++
  apache2 (2.2.9-7) unstable; urgency=low
    * Fix XSS in mod_proxy_ftp (CVE-2008-2939).
@@ -2468,6 +4456,23 @@ apache2 (2.2.9-4) unstable; urgency=low
   -- Stefan Fritsch <sf@debian.org>  Sun, 06 Jul 2008 10:38:37 +0200
++apache2 (2.2.9-3ubuntu2) intrepid; urgency=low
++
++  * add ufw integration (see
++    https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages)
++    (LP: #261198)
++    - debian/control: suggest ufw for apache2.2-common
++    - add apache2.2-common.ufw.profile with 3 profiles and install it to
++      /etc/ufw/applications.d/apache2.2-common
++
++ -- Didier Roche <didrocks@ubuntu-fr.org>  Tue, 26 Aug 2008 19:03:42 +0200
++
++apache2 (2.2.9-3ubuntu1) intrepid; urgency=low
++
++  * debian/{control,rules}: enable PIE hardening
++
++ -- Kees Cook <kees@ubuntu.com>  Wed, 20 Aug 2008 15:45:00 -0700
++
  apache2 (2.2.9-3) unstable; urgency=low
    [ Stefan Fritsch ]
@@ -4038,9 +6043,7 @@ apache2 (2.0.37-1) unstable; urgency=low
   -- Thom May <thom@debian.org>  Thu, 13 Jun 2002 17:47:12 +0100
  apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low
--
    * New upstream release
--
   -- Thom May <thom@debian.org>  Wed,  5 Jun 2002 12:42:34 +0100
  apache2 (2.0.36-2) unstable; urgency=low
@@ -4548,3 +6551,4 @@ apache2 (2.0.18-1) unstable; urgency=low
    * Initial Release.
   -- Daniel Stone <daniel@sfarc.net>  Wed,  4 Jul 2001 21:29:29 +1000
++
 diff --git a/debian/control b/debian/control
 index 5cd2245..82a3450 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,5 +1,6 @@
  Source: apache2
--Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
  Uploaders: Stefan Fritsch <sf@debian.org>,
             Arno Töll <arno@debian.org>,
             Ondřej Surý <ondrej@debian.org>,
@@ -44,7 +45,8 @@ Depends: apache2-bin (= ${binary:Version}),
  Recommends: ssl-cert
  Suggests: apache2-doc,
            apache2-suexec-pristine | apache2-suexec-custom,
--          www-browser
++          www-browser,
++          ufw
  Pre-Depends: ${misc:Pre-Depends}
  Provides: httpd,
            httpd-cgi
 diff --git a/debian/icons/ubuntu-logo.png b/debian/icons/ubuntu-logo.png
 new file mode 100644
 index 0000000..eee686c
 Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ
 diff --git a/debian/index.html b/debian/index.html
 index 766401d..9c90ef4 100644
 --- a/debian/index.html
 +++ b/debian/index.html
@@ -1,9 +1,13 @@
--
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
++  <!--
++    Modified from the Debian original for Ubuntu
++    Last updated: 2022-03-22
++    See: https://launchpad.net/bugs/1966004
++  -->
    <head>
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
--    <title>Apache2 Debian Default Page: It works</title>
++    <title>Apache2 Ubuntu Default Page: It works</title>
      <style type="text/css" media="screen">
    * {
      margin: 0px 0px 0px 0px;
@@ -15,7 +19,7 @@
      background-color: #D8DBE2;
--    font-family: Verdana, sans-serif;
++    font-family: Ubuntu, Verdana, sans-serif;
      font-size: 11pt;
      text-align: center;
+   }
@@ -41,7 +45,7 @@
+   }
    div.page_header {
--    height: 99px;
++    height: 180px;
      width: 100%;
      background-color: #F5F6F7;
@@ -60,6 +64,19 @@
      border: 0px 0px 0px;
+   }
++  div.banner {
++    padding: 9px 6px 9px 6px;
++    background-color: #E9510E;
++    color: #FFFFFF;
++    font-weight: bold;
++    font-size: 112%;
++    text-align: center;
++    position: absolute;
++    left: 40%;
++    bottom: 30px;
++    width: 20%;
++  }
++
    div.table_of_contents {
      clear: left;
@@ -136,10 +153,6 @@
      text-align: center;
+   }
--  div.section_header_red {
--    background-color: #CD214F;
--  }
--
    div.section_header_grey {
      background-color: #9F9386;
+   }
@@ -188,46 +201,31 @@
    <body>
      <div class="main_page">
        <div class="page_header floating_element">
--        <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/>
--        <span class="floating_element">
--          Apache2 Debian Default Page
--        </span>
--      </div>
--<!--      <div class="table_of_contents floating_element">
--        <div class="section_header section_header_grey">
--          TABLE OF CONTENTS
--        </div>
--        <div class="table_of_contents_item floating_element">
--          <a href="#about">About</a>
--        </div>
--        <div class="table_of_contents_item floating_element">
--          <a href="#changes">Changes</a>
--        </div>
--        <div class="table_of_contents_item floating_element">
--          <a href="#scope">Scope</a>
--        </div>
--        <div class="table_of_contents_item floating_element">
--          <a href="#files">Config files</a>
++        <img src="icons/ubuntu-logo.png" alt="Ubuntu Logo"
++             style="width:184px;height:146px;" class="floating_element" />
++        <div>
++          <span style="margin-top: 1.5em;" class="floating_element">
++            Apache2 Default Page
++          </span>
          </div>
--      </div>
---->
--      <div class="content_section floating_element">
--
--
--        <div class="section_header section_header_red">
++        <div class="banner">
            <div id="about"></div>
            It works!
          </div>
++
++      </div>
++      <div class="content_section floating_element">
          <div class="content_section_text">
            <p>
                  This is the default welcome page used to test the correct
--                operation of the Apache2 server after installation on Debian systems.
++                operation of the Apache2 server after installation on Ubuntu systems.
++                It is based on the equivalent page on Debian, from which the Ubuntu Apache
++                packaging is derived.
                  If you can read this page, it means that the Apache HTTP server installed at
                  this site is working properly. You should <b>replace this file</b> (located at
                  <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.
            </p>
--
            <p>
                  If you are a normal user of this web site and don't know what this page is
                  about, this probably means that the site is currently unavailable due to
@@ -242,18 +240,17 @@
          </div>
          <div class="content_section_text">
            <p>
--                Debian's Apache2 default configuration is different from the
++                Ubuntu's Apache2 default configuration is different from the
                  upstream default configuration, and split into several files optimized for
--                interaction with Debian tools. The configuration system is
++                interaction with Ubuntu tools. The configuration system is
                  <b>fully documented in
                  /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full
                  documentation. Documentation for the web server itself can be
                  found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt>
                  package was installed on this server.
--
            </p>
            <p>
--                The configuration layout for an Apache2 web server installation on Debian systems is as follows:
++                The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:
            </p>
            <pre>
  /etc/apache2/
@@ -308,9 +305,12 @@
                          </li>
                          <li>
--                           The binary is called apache2. Due to the use of
--                           environment variables, in the default configuration, apache2 needs to be
--                           started/stopped with <tt>/etc/init.d/apache2</tt> or <tt>apache2ctl</tt>.
++                           The binary is called apache2 and is managed using systemd, so to
++                           start/stop the service use <tt>systemctl start apache2</tt> and
++                           <tt>systemctl stop apache2</tt>, and use <tt>systemctl status apache2</tt>
++                           and <tt>journalctl -u apache2</tt> to check status.  <tt>system</tt>
++                           and <tt>apache2ctl</tt> can also be used for service management if
++                           desired.
                             <b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the
                             default configuration.
                          </li>
@@ -324,8 +324,8 @@
          <div class="content_section_text">
              <p>
--                By default, Debian does not allow access through the web browser to
--                <em>any</em> file apart of those located in <tt>/var/www</tt>,
++                By default, Ubuntu does not allow access through the web browser to
++                <em>any</em> file outside of those located in <tt>/var/www</tt>,
                  <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
                  directories (when enabled) and <tt>/usr/share</tt> (for web
                  applications). If your site is using a web document root
@@ -333,9 +333,8 @@
                  document root directory in <tt>/etc/apache2/apache2.conf</tt>.
              </p>
              <p>
--                The default Debian document root is <tt>/var/www/html</tt>. You
--                can make your own virtual hosts under /var/www. This is different
--                to previous releases which provides better security out of the box.
++                The default Ubuntu document root is <tt>/var/www/html</tt>. You
++                can make your own virtual hosts under /var/www.
              </p>
          </div>
@@ -345,24 +344,20 @@
          </div>
          <div class="content_section_text">
            <p>
--                Please use the <tt>reportbug</tt> tool to report bugs in the
--                Apache2 package with Debian. However, check <a
--                href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"
++                Please use the <tt>ubuntu-bug</tt> tool to report bugs in the
++                Apache2 package with Ubuntu. However, check <a
++                href="https://bugs.launchpad.net/ubuntu/+source/apache2"
                  rel="nofollow">existing bug reports</a> before reporting a new bug.
            </p>
            <p>
                  Please report bugs specific to modules (such as PHP and others)
--                to respective packages, not to the web server itself.
++                to their respective packages, not to the web server itself.
            </p>
          </div>
--
--
--
        </div>
      </div>
      <div class="validator">
      </div>
    </body>
  </html>
--
 diff --git a/debian/source/include-binaries b/debian/source/include-binaries
 index d617b1d..823d9c0 100644
 --- a/debian/source/include-binaries
 +++ b/debian/source/include-binaries
@@ -17,6 +17,7 @@ debian/icons/odf6otp-20x22.png
  debian/icons/odf6ots-20x22.png
  debian/icons/odf6ott-20x22.png
  debian/icons/openlogo-75.png
++debian/icons/ubuntu-logo.png
  debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml
  debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php
  debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml

Ubuntuapache2 package

Merge ~bryce/ubuntu/+source/apache2:merge-v2.4.53-2-kinetic into ubuntu/+source/apache2:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
apache2 package