Merge ~bryce/ubuntu/+source/apache2:merge-v2.4.54-2-kinetic into ubuntu/+source/apache2:debian/sid

Proposed by Bryce Harrington
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: Bryce Harrington
Merged at revision: 7056ded95ee239394ace0bd0d5df8799d44df75d
Proposed branch: ~bryce/ubuntu/+source/apache2:merge-v2.4.54-2-kinetic
Merge into: ubuntu/+source/apache2:debian/sid
Diff against target: 2846 lines (+2144/-60)
10 files modified
debian/apache2-bin.install (+1/-0)
debian/apache2-utils.ufw.profile (+14/-0)
debian/apache2.dirs (+1/-0)
debian/apache2.install (+1/-0)
debian/apache2.postrm (+2/-0)
debian/apache2.py (+48/-0)
debian/changelog (+2021/-2)
debian/control (+4/-2)
debian/index.html (+51/-56)
debian/source/include-binaries (+1/-0)
Reviewer | Review Type | Date Requested | Status
git-ubuntu bot | | | Approve
Andreas Hasenack (community) | | | Approve
Canonical Server Reporter | | | Pending
Canonical Server | | | Pending
Review via email: mp+427110@code.launchpad.net
Bryce Harrington (bryce) wrote :

This is a re-merge of apache2 to pick up a new upstream, notably with some CVE fixes.

Just carrying the usual delta forward. I did some logical cleanup to squash related changes to make the changelog cleaner. No other changes and no conflicts; pretty straightforward merge.

PPA:
  https://launchpad.net/~bryce/+archive/ubuntu/apache2-merge-v2.4.54-2

Tags:
  tags/old/debian 4f279c271
  tags/new/debian 5a3995743
  tags/old/ubuntu fa6c81283
  tags/logical/2.4.53-2ubuntu1 5614257af
  tags/reconstruct/2.4.53-2ubuntu1 7fc2ac968
  tags/split/2.4.53-2ubuntu1 e86ab8d6a

Autopkgtest Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-bryce-apache2-merge-v2.4.54-2/?format=plain)
  apache2 @ amd64:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-bryce-apache2-merge-v2.4.54-2/kinetic/amd64/a/apache2/20220719_073114_e67ae@/log.gz
    19.07.22 07:31:14 ✅ Triggers: ['apache2/2.4.54-2ubuntu1']
  apache2 @ arm64:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-bryce-apache2-merge-v2.4.54-2/kinetic/arm64/a/apache2/20220719_081244_ed056@/log.gz
    19.07.22 08:12:44 ✅ Triggers: ['apache2/2.4.54-2ubuntu1']
  apache2 @ armhf:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-bryce-apache2-merge-v2.4.54-2/kinetic/armhf/a/apache2/20220719_075124_fd513@/log.gz
    19.07.22 07:51:24 ✅ Triggers: ['apache2/2.4.54-2ubuntu1']
  apache2 @ ppc64el:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-bryce-apache2-merge-v2.4.54-2/kinetic/ppc64el/a/apache2/20220719_071341_ed056@/log.gz
    19.07.22 07:13:41 ✅ Triggers: ['apache2/2.4.54-2ubuntu1']
  apache2 @ s390x:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-bryce-apache2-merge-v2.4.54-2/kinetic/s390x/a/apache2/20220719_071607_6a9be@/log.gz
    19.07.22 07:16:07 ✅ Triggers: ['apache2/2.4.54-2ubuntu1']
  Running: (none)
  Waiting: (none)

Andreas Hasenack (ahasenack) wrote :

Delta ok, debian changes in previous uploads ok, logical squashing ok, just forgot to mention d/source/include-binaries in ba53079ade0facf0fb6c46c3ddaefb1ea879e783

+1

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: bryce, ahasenack
Uploaders: bryce, ahasenack
MP auto-approved

review: Approve
04a7335... by Bryce Harrington

merge-changelogs

9a092a9... by Bryce Harrington

reconstruct-changelog

7056ded... by Bryce Harrington

update-maintainer

Bryce Harrington (bryce) wrote :

Thanks, I added the missing d/source/include-binaries.

Vcs-Git: https://git.launchpad.net/~bryce/ubuntu/+source/apache2
Vcs-Git-Commit: 7056ded95ee239394ace0bd0d5df8799d44df75d
Vcs-Git-Ref: refs/heads/merge-v2.4.54-2-kinetic

Checking signature on .changes
gpg: ../apache2_2.4.54-2ubuntu1_source.changes: Valid signature from E603B2578FB8F0FB
Checking signature on .dsc
gpg: ../apache2_2.4.54-2ubuntu1.dsc: Valid signature from E603B2578FB8F0FB
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.54-2ubuntu1.dsc: done.
  Uploading apache2_2.4.54.orig.tar.gz: done.
  Uploading apache2_2.4.54-2ubuntu1.debian.tar.xz: done.
  Uploading apache2_2.4.54-2ubuntu1_source.buildinfo: done.
  Uploading apache2_2.4.54-2ubuntu1_source.changes: done.
Successfully uploaded packages.

Bryce Harrington (bryce) wrote :

This has migrated

 apache2 | 2.4.52-1ubuntu4 | jammy
 apache2 | 2.4.52-1ubuntu4.1 | jammy-security
 apache2 | 2.4.52-1ubuntu4.1 | jammy-updates
 apache2 | 2.4.54-2ubuntu1 | kinetic

Preview Diff

1diff --git a/debian/apache2-bin.install b/debian/apache2-bin.install
2index 63c573f..3d1bdf1 100644
3--- a/debian/apache2-bin.install
4+++ b/debian/apache2-bin.install
5@@ -1,2 +1,3 @@
6 /usr/lib/apache2/modules/
7 /usr/sbin/apache2
8+debian/apache2.py usr/share/apport/package-hooks
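Review bot: The hook is named apache2.py but the added line ships it from apache2-bin.install, so the file name and the owning binary package disagree. apport picks package hooks by file name, so as written this hook applies to reports filed against apache2, while /usr/sbin/apache2 itself is listed in this same file as belonging to apache2-bin. If reports against the binary are meant to carry the extra data too, a source-level hook (source_apache2.py) would cover both packages; otherwise a short comment in the changelog on why the apache2 name is intended would help the next merger.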
9diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile
10new file mode 100644
11index 0000000..974a655
12--- /dev/null
13+++ b/debian/apache2-utils.ufw.profile
14@@ -0,0 +1,14 @@
15+[Apache]
16+title=Web Server
17+description=Apache v2 is the next generation of the omnipresent Apache web server.
18+ports=80/tcp
19+
20+[Apache Secure]
21+title=Web Server (HTTPS)
22+description=Apache v2 is the next generation of the omnipresent Apache web server.
23+ports=443/tcp
24+
25+[Apache Full]
26+title=Web Server (HTTP,HTTPS)
27+description=Apache v2 is the next generation of the omnipresent Apache web server.
28+ports=80,443/tcp
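Review bot: All three sections use the same description= text, so [Apache Secure] and [Apache Full] are described in exactly the words used for the plain HTTP profile. Only title= and ports= tell them apart. Suggest making each description say what it opens (HTTP only, HTTPS only, both), so that an admin choosing between them does not enable "Apache Full" and expose port 80 when only 443/tcp was wanted.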
29diff --git a/debian/apache2.dirs b/debian/apache2.dirs
30index 6089013..1aa6d3c 100644
31--- a/debian/apache2.dirs
32+++ b/debian/apache2.dirs
33@@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk
34 var/lib/apache2
35 var/log/apache2
36 var/www/html
37+/etc/ufw/applications.d/apache2
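Review bot: The added entry "/etc/ufw/applications.d/apache2" is the only line here with a leading slash (the context lines read "var/lib/apache2", "var/log/apache2", "var/www/html"), and it creates a directory named apache2 under applications.d, whereas debian/apache2.install in this same diff puts the profile file directly into /etc/ufw/applications.d/. Nothing in the diff installs anything into the new directory, so it looks like it ends up as an empty directory sitting beside the profile. Either drop the entry, or change it to "etc/ufw/applications.d" if the intent was only to make sure the parent directory exists.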
38diff --git a/debian/apache2.install b/debian/apache2.install
39index b6ad789..92865fc 100644
40--- a/debian/apache2.install
41+++ b/debian/apache2.install
42@@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2
43 debian/config-dir/envvars /etc/apache2
44 debian/config-dir/magic /etc/apache2
45 debian/debhelper/apache2-maintscript-helper /usr/share/apache2/
46+debian/apache2-utils.ufw.profile /etc/ufw/applications.d/
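Review bot: The added line installs the profile under its source file name, apache2-utils.ufw.profile, although it sits in apache2.install and is therefore shipped by apache2, not apache2-utils. Anyone auditing /etc/ufw/applications.d/ would reasonably read the name as "apache2-utils opens these ports". Suggest renaming the source file to match the owning package, or installing it under a name such as apache2, before the file name becomes something later merges have to migrate.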
47diff --git a/debian/apache2.postrm b/debian/apache2.postrm
48index a68583c..4a22601 100644
49--- a/debian/apache2.postrm
50+++ b/debian/apache2.postrm
51@@ -33,6 +33,8 @@ is_default_index_html () {
52 776221a94e5a174dc2396c0f3f6b6a74
53 c481228d439cbb54bdcedbaec5bbb11a
54 e2620d4a5a0f8d80dd4b16de59af981f
55+ 3526531ccd6c6a1d2340574a305a18f8
56+ 720999b43a3be0674180354ac41f20b1
57 EOF
58 }
59
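Review bot: The two sums added to the is_default_index_html list give no indication of which index.html revision each one matches, and the changelog only says "Include md5 sum for updated index.html". Please confirm that the md5 of the debian/index.html carried in this merge is one of the listed values, since otherwise the shipped default page will not be recognised as the default. Recording the package version next to each sum in the changelog entry would make that checkable at the next merge.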
60diff --git a/debian/apache2.py b/debian/apache2.py
61new file mode 100644
62index 0000000..a9fb9d8
63--- /dev/null
64+++ b/debian/apache2.py
65@@ -0,0 +1,48 @@
66+#!/usr/bin/python
67+
68+'''apport hook for apache2
69+
70+(c) 2010 Adam Sommer.
71+Author: Adam Sommer <asommer@ubuntu.com>
72+
73+This program is free software; you can redistribute it and/or modify it
74+under the terms of the GNU General Public License as published by the
75+Free Software Foundation; either version 2 of the License, or (at your
76+option) any later version. See http://www.gnu.org/copyleft/gpl.html for
77+the full text of the license.
78+'''
79+
80+from apport.hookutils import *
81+import os
82+
83+SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/'
84+
85+def add_info(report, ui):
86+ if os.path.isdir(SITES_ENABLED_DIR):
87+ response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory "
88+ "may help developers diagnose your bug more "
89+ "quickly. However, it may contain sensitive "
90+ "information. Do you want to include it in your "
91+ "bug report?")
92+
93+ if response == None: # user cancelled
94+ raise StopIteration
95+
96+ elif response == True:
97+ # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d
98+ for conf_file in os.listdir(SITES_ENABLED_DIR):
99+ attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file)
100+
101+ try:
102+ report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d'))
103+ except OSError:
104+ report['Apache2ConfdDirListing'] = str(False)
105+
106+ # Attach default config files if changed.
107+ attach_conffiles(report, 'apache2', conffiles=None)
108+
109+ # Attach the error.log file.
110+ attach_file(report, '/var/log/apache2/error.log', key='error.log')
111+
112+ # Get loaded modules.
113+ report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES'])
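Review bot: The consent prompt in add_info() names only SITES_ENABLED_DIR, but the hook also attaches /var/log/apache2/error.log, any modified conffiles and the conf.d listing. error.log can hold client addresses and request paths, so the question should cover everything that is attached, or the log should get its own prompt. Two smaller points in the same hunk: '-D DUMP_MODULES' is passed to root_command_output() as a single list element, so apachectl receives one argument with an embedded space and it should be split into '-D', 'DUMP_MODULES'; and the cancel path does "raise StopIteration" after comparing with "== None" / "== True", where "is None" and a plain truth test would be the idiomatic form. The "Attache" typo in the comment and the "#!/usr/bin/python" shebang are worth cleaning up while the file is being touched.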
114diff --git a/debian/changelog b/debian/changelog
115index 03aeebd..dfa196a 100644
116--- a/debian/changelog
117+++ b/debian/changelog
118@@ -1,3 +1,18 @@
119+apache2 (2.4.54-2ubuntu1) kinetic; urgency=medium
120+
121+ * Merge with Debian unstable (LP: #1982048). Remaining changes:
122+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
123+ d/source/include-binaries: Replace Debian with Ubuntu on default
124+ homepage.
125+ (LP #1966004)
126+ - d/apache2.py, d/apache2-bin.install: Add apport hook
127+ (LP #609177)
128+ - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
129+ d/apache2.dirs: Add ufw profiles
130+ (LP #261198)
131+
132+ -- Bryce Harrington <bryce@canonical.com> Thu, 21 Jul 2022 19:38:00 +0000
133+
134 apache2 (2.4.54-2) unstable; urgency=medium
135
136 * Move cgid socket into a writeable directory (Closes: #1014056)
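Review bot: In the new 2.4.54-2ubuntu1 entry the squashed item "Replace Debian with Ubuntu on default homepage" cites only LP #1966004, while the 2.4.53-2ubuntu1 entry later in this diff tracked that delta under LP 1288690 and used 1966004 for the page refresh, with the d/apache2.postrm md5 update as a separate item. After the squash the 1288690 reference is gone and the md5 sums are no longer mentioned. Suggest keeping both bug numbers on the squashed item and noting the md5 update in its text, so each piece of the delta stays traceable. The entry also mixes "LP: #1982048" with "(LP #1966004)"; if the missing colon is deliberate so the carried bugs are not closed again, a consistent form across the three items would make that clearer.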
137@@ -24,6 +39,48 @@ apache2 (2.4.54-1) unstable; urgency=medium
138
139 -- Yadd <yadd@debian.org> Thu, 09 Jun 2022 06:33:53 +0200
140
141+apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium
142+
143+ * Merge with Debian unstable (LP: #1971248). Remaining changes:
144+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
145+ apache2.dirs}: Add ufw profiles.
146+ (LP 261198)
147+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
148+ (LP 609177)
149+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
150+ d/s/include-binaries: replace Debian with Ubuntu on default
151+ page and add Ubuntu icon file.
152+ (LP 1288690)
153+ - d/index.html, d/icons/ubuntu-logo.png: Refresh page design and
154+ new logo
155+ (LP 1966004)
156+ - d/apache2.postrm: Include md5 sum for updated index.html
157+ * Dropped:
158+ - OOB read in mod_lua via crafted request body
159+ + d/p/CVE-2022-22719.patch: error out if lua_read_body() or
160+ lua_write_body() fail in modules/lua/lua_request.c.
161+ [Fixed in 2.4.53 upstream]
162+ - HTTP Request Smuggling via error discarding the
163+ request body
164+ + d/p/CVE-2022-22720.patch: simpler connection close logic
165+ if discarding the request body fails in modules/http/http_filters.c,
166+ server/protocol.c.
167+ [Fixed in 2.4.53 upstream]
168+ - overflow via large LimitXMLRequestBody
169+ + d/p/CVE-2022-22721.patch: make sure and check that
170+ LimitXMLRequestBody fits in system memory in server/core.c,
171+ server/util.c, server/util_xml.c.
172+ [Fixed in 2.4.53 upstream]
173+ - out-of-bounds write in mod_sed
174+ + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger
175+ buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
176+ modules/filters/mod_sed.c, modules/filters/sed1.c.
177+ + d/p/CVE-2022-23943-2.patch: improve the logic flow in
178+ modules/filters/mod_sed.c.
179+ [Fixed in 2.4.53 upstream]
180+
181+ -- Bryce Harrington <bryce@canonical.com> Mon, 23 May 2022 19:34:18 -0700
182+
183 apache2 (2.4.53-2) unstable; urgency=medium
184
185 * Clean useless Conflicts/Replace
186@@ -59,6 +116,79 @@ apache2 (2.4.52-2) experimental; urgency=medium
187
188 -- Yadd <yadd@debian.org> Tue, 28 Dec 2021 20:01:43 +0100
189
190+apache2 (2.4.52-1ubuntu4) jammy; urgency=medium
191+
192+ * d/apache2.postrm: Include md5 sum for updated index.html
193+
194+ -- Bryce Harrington <bryce@canonical.com> Thu, 24 Mar 2022 17:35:40 -0700
195+
196+apache2 (2.4.52-1ubuntu3) jammy; urgency=medium
197+
198+ * d/index.html:
199+ - Redesign page's heading for the new logo
200+ - Use the Ubuntu font where available
201+ - Update service management directions
202+ - Copyedit grammar
203+ - Light reformatting and whitespace cleanup
204+ * d/icons/ubuntu-logo.png: Refresh ubuntu logo
205+ (LP: #1966004)
206+
207+ -- Bryce Harrington <bryce@canonical.com> Wed, 23 Mar 2022 16:18:11 -0700
208+
209+apache2 (2.4.52-1ubuntu2) jammy; urgency=medium
210+
211+ * SECURITY UPDATE: OOB read in mod_lua via crafted request body
212+ - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
213+ lua_write_body() fail in modules/lua/lua_request.c.
214+ - CVE-2022-22719
215+ * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
216+ request body
217+ - debian/patches/CVE-2022-22720.patch: simpler connection close logic
218+ if discarding the request body fails in modules/http/http_filters.c,
219+ server/protocol.c.
220+ - CVE-2022-22720
221+ * SECURITY UPDATE: overflow via large LimitXMLRequestBody
222+ - debian/patches/CVE-2022-22721.patch: make sure and check that
223+ LimitXMLRequestBody fits in system memory in server/core.c,
224+ server/util.c, server/util_xml.c.
225+ - CVE-2022-22721
226+ * SECURITY UPDATE: out-of-bounds write in mod_sed
227+ - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
228+ buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
229+ modules/filters/mod_sed.c, modules/filters/sed1.c.
230+ - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
231+ modules/filters/mod_sed.c.
232+ - CVE-2022-23943
233+
234+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Mar 2022 09:39:54 -0400
235+
236+apache2 (2.4.52-1ubuntu1) jammy; urgency=medium
237+
238+ * Merge with Debian unstable (LP: #1959924). Remaining changes:
239+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
240+ apache2.dirs}: Add ufw profiles.
241+ (LP 261198)
242+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
243+ (LP 609177)
244+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
245+ d/s/include-binaries: replace Debian with Ubuntu on default
246+ page and add Ubuntu icon file.
247+ (LP 1288690)
248+ * Dropped:
249+ - d/p/support-openssl3-*.patch: Backport various patches from
250+ https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
251+ failure to load when using OpenSSL 3.
252+ (LP #1951476)
253+ [Included in upstream release 2.4.52]
254+ - d/apache2ctl: Also use systemd for graceful if it is in use.
255+ (LP 1832182)
256+ [This introduced a performance regression.]
257+ - d/apache2ctl: Also use /run/systemd to check for systemd usage.
258+ (LP 1918209)
259+ [Not needed]
260+
261+ -- Bryce Harrington <bryce@canonical.com> Thu, 03 Feb 2022 10:25:47 -0800
262+
263 apache2 (2.4.52-1) unstable; urgency=medium
264
265 * Refresh suexec-custom.patch
266@@ -69,6 +199,60 @@ apache2 (2.4.52-1) unstable; urgency=medium
267
268 -- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +0100
269
270+apache2 (2.4.51-2ubuntu1) jammy; urgency=medium
271+
272+ * Merge with Debian unstable. Remaining changes:
273+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
274+ apache2.dirs}: Add ufw profiles.
275+ (LP 261198)
276+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
277+ (LP 609177)
278+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
279+ d/s/include-binaries: replace Debian with Ubuntu on default
280+ page and add Ubuntu icon file.
281+ (LP 1288690)
282+ - d/p/support-openssl3-*.patch: Backport various patches from
283+ https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
284+ failure to load when using OpenSSL 3.
285+ (LP #1951476)
286+ * Dropped:
287+ - d/apache2ctl: Also use systemd for graceful if it is in use.
288+ (LP: 1832182)
289+ [This introduced a performance regression.]
290+ - d/apache2ctl: Also use /run/systemd to check for systemd usage.
291+ (LP 1918209)
292+ [Not needed]
293+ - debian/patches/CVE-2021-33193.patch: refactor request parsing in
294+ include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
295+ include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
296+ server/core_filters.c, server/protocol.c, server/vhost.c.
297+ [Fixed in 2.4.48-4]
298+ - debian/patches/CVE-2021-34798.patch: add NULL check in
299+ server/scoreboard.c.
300+ [Fixed in 2.4.49-1]
301+ - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
302+ generic worker in modules/proxy/mod_proxy_uwsgi.c.
303+ [Fixed in 2.4.49-1]
304+ - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
305+ substitution logic in server/util.c.
306+ [Fixed in 2.4.49-1]
307+ - arbitrary origin server via crafted request uri-path
308+ + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
309+ parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
310+ modules/proxy/proxy_util.c.
311+ + debian/patches/CVE-2021-40438.patch: add sanity checks on the
312+ configured UDS path in modules/proxy/proxy_util.c.
313+ [Fixed in 2.4.49-3]
314+ - SECURITY REGRESSION: Issues in UDS URIs. (LP #1945311)
315+ + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
316+ rules in modules/mappers/mod_rewrite.c.
317+ + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
318+ hostname in modules/mappers/mod_rewrite.c,
319+ modules/proxy/proxy_util.c.
320+ [Fixed in 2.4.49-3]
321+
322+ -- Bryce Harrington <bryce@canonical.com> Thu, 16 Dec 2021 14:09:26 -0800
323+
324 apache2 (2.4.51-2) unstable; urgency=medium
325
326 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting
327@@ -134,6 +318,74 @@ apache2 (2.4.48-4) unstable; urgency=medium
328
329 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200
330
331+apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium
332+
333+ * d/p/support-openssl3-*.patch: Backport various patches from
334+ https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
335+ failure to load when using OpenSSL 3. (LP: #1951476)
336+
337+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 26 Nov 2021 16:07:56 -0500
338+
339+apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
340+
341+ * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
342+ - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
343+ rules in modules/mappers/mod_rewrite.c.
344+ - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
345+ hostname in modules/mappers/mod_rewrite.c,
346+ modules/proxy/proxy_util.c.
347+
348+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Sep 2021 08:52:26 -0400
349+
350+apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium
351+
352+ * SECURITY UPDATE: request splitting over HTTP/2
353+ - debian/patches/CVE-2021-33193.patch: refactor request parsing in
354+ include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
355+ include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
356+ server/core_filters.c, server/protocol.c, server/vhost.c.
357+ - CVE-2021-33193
358+ * SECURITY UPDATE: NULL deref via malformed requests
359+ - debian/patches/CVE-2021-34798.patch: add NULL check in
360+ server/scoreboard.c.
361+ - CVE-2021-34798
362+ * SECURITY UPDATE: DoS in mod_proxy_uwsgi
363+ - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
364+ generic worker in modules/proxy/mod_proxy_uwsgi.c.
365+ - CVE-2021-36160
366+ * SECURITY UPDATE: buffer overflow in ap_escape_quotes
367+ - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
368+ substitution logic in server/util.c.
369+ - CVE-2021-39275
370+ * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
371+ - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
372+ parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
373+ modules/proxy/proxy_util.c.
374+ - debian/patches/CVE-2021-40438.patch: add sanity checks on the
375+ configured UDS path in modules/proxy/proxy_util.c.
376+ - CVE-2021-40438
377+
378+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Sep 2021 12:51:16 -0400
379+
380+apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium
381+
382+ * Merge with Debian unstable. Remaining changes:
383+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
384+ apache2.dirs}: Add ufw profiles. (LP 261198)
385+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
386+ (LP 609177)
387+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
388+ d/s/include-binaries: replace Debian with Ubuntu on default
389+ page and add Ubuntu icon file. (LP 1288690)
390+ - d/apache2ctl: Also use systemd for graceful if it is in use.
391+ This extends an earlier fix for the start command to behave
392+ similarly for restart / graceful. Fixes service failures on
393+ unattended upgrade. (LP 1832182)
394+ - d/apache2ctl: Also use /run/systemd to check for systemd usage
395+ (LP 1918209)
396+
397+ -- Bryce Harrington <bryce@canonical.com> Wed, 11 Aug 2021 20:03:24 -0700
398+
399 apache2 (2.4.48-3.1) unstable; urgency=medium
400
401 * Non-maintainer upload.
402@@ -142,6 +394,46 @@ apache2 (2.4.48-3.1) unstable; urgency=medium
403
404 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200
405
406+apache2 (2.4.48-3ubuntu1) impish; urgency=medium
407+
408+ * Merge with Debian unstable. Remaining changes:
409+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
410+ apache2.dirs}: Add ufw profiles. (LP: 261198)
411+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
412+ (LP: 609177)
413+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
414+ d/s/include-binaries: replace Debian with Ubuntu on default
415+ page and add Ubuntu icon file. (LP: 1288690)
416+ - d/apache2ctl: Also use systemd for graceful if it is in use.
417+ This extends an earlier fix for the start command to behave
418+ similarly for restart / graceful. Fixes service failures on
419+ unattended upgrade. (LP: 1832182)
420+ - d/apache2ctl: Also use /run/systemd to check for systemd usage
421+ (LP: 1918209)
422+ * Dropped:
423+ - d/t/control, d/t/check-http2: add basic test for http2 support
424+ [Fixed in 2.4.48-2]
425+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
426+ [Fixed in 2.4.48-1]
427+ - d/p/CVE-2020-13950.patch: don't dereference NULL proxy
428+ connection in modules/proxy/mod_proxy_http.c.
429+ [Fixed in 2.4.48 upstream]
430+ - d/p/CVE-2020-35452.patch: fast validation of the nonce's
431+ base64 to fail early if the format can't match anyway in
432+ modules/aaa/mod_auth_digest.c.
433+ [Fixed in 2.4.48 upstream]
434+ - d/p/CVE-2021-26690.patch: save one apr_strtok() in
435+ session_identity_decode() in modules/session/mod_session.c.
436+ [Fixed in 2.4.48 upstream]
437+ - d/p/CVE-2021-26691.patch: account for the '&' in
438+ identity_concat() in modules/session/mod_session.c.
439+ [Fixed in 2.4.48 upstream]
440+ - d/p/CVE-2021-30641.patch: change default behavior in
441+ server/request.c.
442+ [Fixed in 2.4.48 upstream]
443+
444+ -- Bryce Harrington <bryce@canonical.com> Thu, 08 Jul 2021 03:20:46 +0000
445+
446 apache2 (2.4.48-3) unstable; urgency=medium
447
448 * Fix debian/changelog
449@@ -198,6 +490,65 @@ apache2 (2.4.46-5) unstable; urgency=medium
450
451 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200
452
453+apache2 (2.4.46-4ubuntu3) impish; urgency=medium
454+
455+ * No-change rebuild due to OpenLDAP soname bump.
456+
457+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 17:43:48 -0400
458+
459+apache2 (2.4.46-4ubuntu2) impish; urgency=medium
460+
461+ * SECURITY UPDATE: mod_proxy_http denial of service.
462+ - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
463+ connection in modules/proxy/mod_proxy_http.c.
464+ - CVE-2020-13950
465+ * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
466+ - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
467+ base64 to fail early if the format can't match anyway in
468+ modules/aaa/mod_auth_digest.c.
469+ - CVE-2020-35452
470+ * SECURITY UPDATE: DoS via cookie header in mod_session
471+ - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
472+ session_identity_decode() in modules/session/mod_session.c.
473+ - CVE-2021-26690
474+ * SECURITY UPDATE: heap overflow via SessionHeader
475+ - debian/patches/CVE-2021-26691.patch: account for the '&' in
476+ identity_concat() in modules/session/mod_session.c.
477+ - CVE-2021-26691
478+ * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
479+ - debian/patches/CVE-2021-30641.patch: change default behavior in
480+ server/request.c.
481+ - CVE-2021-30641
482+
483+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Jun 2021 13:09:41 -0400
484+
485+apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium
486+
487+ * Merge with Debian unstable, to allow moving from lua5.2 to
488+ lua5.3 (LP: #1910372). Remaining changes:
489+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
490+ apache2.dirs}: Add ufw profiles.
491+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
492+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
493+ Debian with Ubuntu on default page.
494+ + d/source/include-binaries: add Ubuntu icon file
495+ - d/t/control, d/t/check-http2: add basic test for http2 support
496+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
497+ issue reading error log too quickly after request, by adding a sleep.
498+ (LP #1890302)
499+ - d/apache2ctl: Also use systemd for graceful if it is in use.
500+ This extends an earlier fix for the start command to behave
501+ similarly for restart / graceful. Fixes service failures on
502+ unattended upgrade.
503+ * Drop:
504+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
505+ was re-added by mistake in 2.4.41-1 (Closes #921024)
506+ [Included in Debian 2.4.46-3]
507+ * d/apache2ctl: Also use /run/systemd to check for systemd usage
508+ (LP: #1918209)
509+
510+ -- Bryce Harrington <bryce@canonical.com> Tue, 09 Mar 2021 00:45:35 +0000
511+
512 apache2 (2.4.46-4) unstable; urgency=medium
513
514 * Ignore other random another test failures (Closes: #979664)
515@@ -215,6 +566,28 @@ apache2 (2.4.46-3) unstable; urgency=medium
516
517 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100
518
519+apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium
520+
521+ * Merge with Debian unstable. Remaining changes:
522+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
523+ apache2.dirs}: Add ufw profiles.
524+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
525+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
526+ Debian with Ubuntu on default page.
527+ + d/source/include-binaries: add Ubuntu icon file
528+ - d/t/control, d/t/check-http2: add basic test for http2 support
529+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
530+ was re-added by mistake in 2.4.41-1 (Closes #921024)
531+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
532+ issue reading error log too quickly after request, by adding a sleep.
533+ (LP #1890302)
534+ - d/apache2ctl: Also use systemd for graceful if it is in use.
535+ This extends an earlier fix for the start command to behave
536+ similarly for restart / graceful. Fixes service failures on
537+ unattended upgrade.
538+
539+ -- Paride Legovini <paride.legovini@canonical.com> Mon, 14 Dec 2020 18:12:15 +0100
540+
541 apache2 (2.4.46-2) unstable; urgency=medium
542
543 [ Jean-Michel Vourgère ]
544@@ -236,6 +609,39 @@ apache2 (2.4.46-2) unstable; urgency=medium
545
546 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100
547
548+apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium
549+
550+ * d/apache2ctl: Also use systemd for graceful if it is in use.
551+ (LP: #1832182)
552+ - This extends an earlier fix for the start command to behave
553+ similarly for restart / graceful. Fixes service failures on
554+ unattended upgrade.
555+
556+ -- Bryce Harrington <bryce@canonical.com> Mon, 05 Oct 2020 16:06:32 -0700
557+
558+apache2 (2.4.46-1ubuntu1) groovy; urgency=medium
559+
560+ * Merge with Debian unstable. Remaining changes:
561+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
562+ apache2.dirs}: Add ufw profiles.
563+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
564+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
565+ Debian with Ubuntu on default page.
566+ + d/source/include-binaries: add Ubuntu icon file
567+ - d/t/control, d/t/check-http2: add basic test for http2 support
568+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
569+ was re-added by mistake in 2.4.41-1 (Closes #921024)
570+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
571+ issue reading error log too quickly after request, by adding a sleep.
572+ (LP #1890302)
573+ * Dropped:
574+ - debian/patches/086_svn_cross_compiles: Backport several cross
575+ fixes from upstream
576+ [Unclear if it's still necessary, and upstream hasn't made a
577+ release with it yet]
578+
579+ -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Aug 2020 09:13:38 -0300
580+
581 apache2 (2.4.46-1) unstable; urgency=medium
582
583 [ Xavier Guimard ]
584@@ -252,6 +658,39 @@ apache2 (2.4.46-1) unstable; urgency=medium
585
586 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200
587
588+apache2 (2.4.43-1ubuntu2) groovy; urgency=medium
589+
590+ * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
591+ issue reading error log too quickly after request, by adding a sleep.
592+ (LP: #1890302)
593+
594+ -- Bryce Harrington <bryce@canonical.com> Wed, 05 Aug 2020 12:44:59 -0700
595+
596+apache2 (2.4.43-1ubuntu1) groovy; urgency=medium
597+
598+ * Merge with Debian unstable. Remaining changes:
599+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
600+ apache2.dirs}: Add ufw profiles.
601+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
602+ - debian/patches/086_svn_cross_compiles: Backport several cross
603+ fixes from upstream
604+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
605+ Debian with Ubuntu on default page.
606+ + d/source/include-binaries: add Ubuntu icon file
607+ - d/t/control, d/t/check-http2: add basic test for http2 support
608+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
609+ was re-added by mistake in 2.4.41-1 (Closes #921024)
610+ * Dropped:
611+ - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
612+ parameter to mod_proxy_ajp (LP #1865340)
613+ [Fixed upstream]
614+ - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
615+ mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
616+ Closes #955348, LP #1872478
617+ [In 2.4.43-1]
618+
619+ -- Andreas Hasenack <andreas@canonical.com> Tue, 21 Jul 2020 10:22:42 -0300
620+
621 apache2 (2.4.43-1) unstable; urgency=medium
622
623 [ Timo Aaltonen ]
624@@ -279,6 +718,39 @@ apache2 (2.4.41-5) unstable; urgency=medium
625
626 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100
627
628+apache2 (2.4.41-4ubuntu3) focal; urgency=medium
629+
630+ [ Timo Aaltonen ]
631+ * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
632+ mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
633+ Closes: #955348, LP: #1872478
634+
635+ -- Andreas Hasenack <andreas@canonical.com> Mon, 13 Apr 2020 14:19:17 -0300
636+
637+apache2 (2.4.41-4ubuntu2) focal; urgency=medium
638+
639+ * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
640+ parameter to mod_proxy_ajp (LP: #1865340)
641+
642+ -- Andreas Hasenack <andreas@canonical.com> Thu, 05 Mar 2020 15:51:00 -0300
643+
644+apache2 (2.4.41-4ubuntu1) focal; urgency=medium
645+
646+ * Merge with Debian unstable. Remaining changes:
647+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
648+ apache2.dirs}: Add ufw profiles.
649+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
650+ - debian/patches/086_svn_cross_compiles: Backport several cross
651+ fixes from upstream
652+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
653+ Debian with Ubuntu on default page.
654+ + d/source/include-binaries: add Ubuntu icon file
655+ - d/t/control, d/t/check-http2: add basic test for http2 support
656+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
657+ was re-added by mistake in 2.4.41-1 (Closes #921024)
658+
659+ -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 10:36:13 -0300
660+
661 apache2 (2.4.41-4) unstable; urgency=medium
662
663 * Add gcc in chroot autopkgtest (fixes debci)
664@@ -303,6 +775,41 @@ apache2 (2.4.41-2) unstable; urgency=medium
665
666 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100
667
668+apache2 (2.4.41-1ubuntu1) eoan; urgency=medium
669+
670+ * Merge with Debian unstable. Remaining changes:
671+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
672+ apache2.dirs}: Add ufw profiles.
673+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
674+ - debian/patches/086_svn_cross_compiles: Backport several cross
675+ fixes from upstream
676+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
677+ Debian with Ubuntu on default page.
678+ + d/source/include-binaries: add Ubuntu icon file
679+ - d/t/control, d/t/check-http2: add basic test for http2 support
680+ * Dropped:
681+ - Cherrypick upstream testsuite fix:
682+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
683+ as such).
684+ + Similarly use TLSv1.2 for pr12355 and pr43738.
685+ [Test suite updated in 2.4.41-1]
686+ - Cherrypick upstream test suite fix for buffer.
687+ [Included in 2.4.41-1]
688+ - d/p/spelling-errors.patch: removed hunks already fixed upstream
689+ [Included in 2.4.39-1]
690+ - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
691+ + d/p/CVE-2019-0196.patch
692+ + d/p/CVE-2019-0211.patch
693+ + d/p/CVE-2019-0215.patch
694+ + d/p/CVE-2019-0217.patch
695+ + d/p/CVE-2019-0220-*.patch
696+ + d/p/CVE-2019-0197.patch
697+ * Added:
698+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
699+ was re-added by mistake in 2.4.41-1 (Closes: #921024)
700+
701+ -- Andreas Hasenack <andreas@canonical.com> Wed, 14 Aug 2019 11:36:32 -0300
702+
703 apache2 (2.4.41-1) unstable; urgency=medium
704
705 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,
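Review bot: The six CVE-2019 patches under "Dropped from Ubuntu delta now" in 2.4.41-1ubuntu1 are the same six that the older 2.4.39-0ubuntu1 entry already records as "Dropped patches (fixed upstream)", so the changelog reports one drop in two uploads. Since this merge squashes related changes, confirm that none of those patch names is still listed in debian/patches/series on the proposed branch, and that the glob d/p/CVE-2019-0220-*.patch accounts for all three files (-1, -2, -3) that 2.4.38-2ubuntu2 added.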
706@@ -335,6 +842,62 @@ apache2 (2.4.39-1) unstable; urgency=medium
707
708 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200
709
710+apache2 (2.4.39-0ubuntu1) eoan; urgency=medium
711+
712+ * New upstream version: 2.4.39
713+ * d/p/spelling-errors.patch: removed hunks already fixed upstream
714+ * Remaining changes:
715+ - Cherrypick upstream test suite fix for buffer.
716+ - Cherrypick upstream testsuite fix:
717+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
718+ as such).
719+ - Similarly use TLSv1.2 for pr12355 and pr43738.
720+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
721+ apache2.dirs}: Add ufw profiles.
722+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
723+ - debian/patches/086_svn_cross_compiles: Backport several cross
724+ fixes from upstream
725+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
726+ Debian with Ubuntu on default page.
727+ + d/source/include-binaries: add Ubuntu icon file
728+ - d/t/control, d/t/check-http2: add basic test for http2 support
729+ * Dropped patches (fixed upstream):
730+ - d/p/CVE-2019-0196.patch
731+ - d/p/CVE-2019-0211.patch
732+ - d/p/CVE-2019-0215.patch
733+ - d/p/CVE-2019-0217.patch
734+ - d/p/CVE-2019-0220-*.patch
735+ - d/p/CVE-2019-0197.patch
736+
737+ -- Andreas Hasenack <andreas@canonical.com> Mon, 05 Aug 2019 18:09:08 -0300
738+
739+apache2 (2.4.38-3ubuntu2) eoan; urgency=medium
740+
741+ * Cherrypick upstream test suite fix for buffer.
742+
743+ -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 13 Jun 2019 11:08:24 +0100
744+
745+apache2 (2.4.38-3ubuntu1) eoan; urgency=low
746+
747+ * Merge from Debian unstable. Remaining changes:
748+ - Cherrypick upstream testsuite fix:
749+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
750+ as such).
751+ - Similarly use TLSv1.2 for pr12355 and pr43738.
752+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
753+ apache2.dirs}: Add ufw profiles.
754+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
755+ - debian/patches/086_svn_cross_compiles: Backport several cross
756+ fixes from upstream
757+ [Removed configure chunk, not needed since configure.in is being
758+ patched.]
759+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
760+ Debian with Ubuntu on default page.
761+ + d/source/include-binaries: add Ubuntu icon file
762+ - d/t/control, d/t/check-http2: add basic test for http2 support
763+
764+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Jun 2019 19:17:38 +0100
765+
766 apache2 (2.4.38-3) unstable; urgency=high
767
768 [ Marc Deslauriers ]
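Review bot: "Cherrypick upstream test suite fix for buffer." in 2.4.38-3ubuntu2, repeated under "Remaining changes" in 2.4.39-0ubuntu1, names neither a patch file nor an upstream revision, unlike the neighbouring TLSv1.3 item, which cites r1850941. Without a reference the later "[Included in 2.4.41-1]" drop cannot be checked against the change it claims to supersede; add the revision or the path of the file that carried the fix.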
769@@ -372,6 +935,79 @@ apache2 (2.4.38-3) unstable; urgency=high
770
771 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200
772
773+apache2 (2.4.38-2ubuntu3) eoan; urgency=medium
774+
775+ * Cherrypick upstream testsuite fix:
776+ - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
777+ as such).
778+ * Similarly use TLSv1.2 for pr12355 and pr43738.
779+
780+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 07 May 2019 10:39:47 +0100
781+
782+apache2 (2.4.38-2ubuntu2) disco; urgency=medium
783+
784+ * SECURITY UPDATE: read-after-free on a string compare in mod_http2
785+ - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
786+ request method in modules/http2/h2_request.c.
787+ - CVE-2019-0196
788+ * SECURITY UPDATE: privilege escalation from modules' scripts
789+ - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
790+ child to its slot number in include/scoreboard.h,
791+ server/mpm/event/event.c, server/mpm/prefork/prefork.c,
792+ server/mpm/worker/worker.c.
793+ - CVE-2019-0211
794+ * SECURITY UPDATE: mod_ssl access control bypass
795+ - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
796+ PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
797+ - CVE-2019-0215
798+ * SECURITY UPDATE: mod_auth_digest access control bypass
799+ - debian/patches/CVE-2019-0217.patch: fix a race condition in
800+ modules/aaa/mod_auth_digest.c.
801+ - CVE-2019-0217
802+ * SECURITY UPDATE: URL normalization inconsistincy
803+ - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
804+ the path in include/http_core.h, include/httpd.h, server/core.c,
805+ server/request.c, server/util.c.
806+ - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
807+ in server/request.c, server/util.c.
808+ - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
809+ server/util.c.
810+ - CVE-2019-0220
811+
812+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Apr 2019 14:31:46 -0400
813+
814+apache2 (2.4.38-2ubuntu1) disco; urgency=medium
815+
816+ * Merge with Debian unstable. Remaining changes:
817+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
818+ apache2.dirs}: Add ufw profiles.
819+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
820+ - debian/patches/086_svn_cross_compiles: Backport several cross
821+ fixes from upstream
822+ [Removed configure chunk, not needed since configure.in is being
823+ patched.]
824+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
825+ Debian with Ubuntu on default page.
826+ + d/source/include-binaries: add Ubuntu icon file
827+ - d/t/control, d/t/check-http2: add basic test for http2 support
828+ * Dropped:
829+ - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
830+ libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
831+ cannot be coinstalled with libcurl3. That situation breaks the
832+ installation of libapache2-mod-shib2. See
833+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
834+ for details.
835+ [This has been resolved in Disco, where libxmltooling8 is built with
836+ openssl 1.1]
837+ - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
838+ + debian/patches/CVE-2018-11763.patch: rework connection IO event
839+ handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
840+ modules/http2/h2_version.h.
841+ - CVE-2018-11763
842+ [Fixed in 2.4.35]
843+
844+ -- Andreas Hasenack <andreas@canonical.com> Sun, 03 Feb 2019 14:57:13 -0200
845+
846 apache2 (2.4.38-2) unstable; urgency=medium
847
848 * Disable "reset" test in allowmethods.t (Closes: #921024)
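Review bot: The 2.4.38-2ubuntu2 security entry has two spelling errors, "disentangelment" in the CVE-2019-0196 item and "inconsistincy" in the CVE-2019-0220 heading, so a text search of the changelog for "inconsistency" or "disentanglement" misses both. If historical entries are carried verbatim by policy, leave them; otherwise correct both while the entry is being re-added.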
849@@ -454,6 +1090,37 @@ apache2 (2.4.35-1) unstable; urgency=medium
850
851 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200
852
853+apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium
854+
855+ * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
856+ - debian/patches/CVE-2018-11763.patch: rework connection IO event
857+ handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
858+ modules/http2/h2_version.h.
859+ - CVE-2018-11763
860+
861+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Oct 2018 09:57:22 -0400
862+
863+apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium
864+
865+ * Merge with Debian unstable. Remaining changes:
866+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
867+ apache2.dirs}: Add ufw profiles.
868+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
869+ - debian/patches/086_svn_cross_compiles: Backport several cross
870+ fixes from upstream
871+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
872+ Debian with Ubuntu on default page.
873+ + d/source/include-binaries: add Ubuntu icon file
874+ - d/t/control, d/t/check-http2: add basic test for http2 support
875+ - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
876+ libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
877+ cannot be coinstalled with libcurl3. That situation breaks the
878+ installation of libapache2-mod-shib2. See
879+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
880+ for details.
881+
882+ -- Andreas Hasenack <andreas@canonical.com> Fri, 03 Aug 2018 17:09:27 -0300
883+
884 apache2 (2.4.34-1) unstable; urgency=medium
885
886 [ Ondřej Surý ]
887@@ -472,6 +1139,87 @@ apache2 (2.4.34-1) unstable; urgency=medium
888
889 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200
890
891+apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium
892+
893+ * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load:
894+ re-enable proxy_uwsgi, as the uwsgi source no longer builds this module.
895+
896+ -- Andreas Hasenack <andreas@canonical.com> Thu, 28 Jun 2018 10:07:06 -0300
897+
898+apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
899+
900+ * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
901+ libapache2-mod-md until we figure out their transitions. libapache2-mod-md
902+ in particular is problematic because that makes apache2-bin pull in
903+ libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
904+ the installation of libapache2-mod-shib2. See
905+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
906+ for details.
907+ - Don't ship md.load and remove build-requires that were added because of
908+ mod-md (see
909+ https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
910+ - Remove proxy_uwsgi.load as we are not building it for now (see
911+ https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
912+
913+ -- Andreas Hasenack <andreas@canonical.com> Thu, 17 May 2018 14:46:19 +0000
914+
915+apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
916+
917+ * Merge with Debian unstable (LP: #1770242). Remaining changes:
918+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
919+ apache2.dirs}: Add ufw profiles.
920+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
921+ - debian/patches/086_svn_cross_compiles: Backport several cross
922+ fixes from upstream
923+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
924+ Debian with Ubuntu on default page.
925+ + d/source/include-binaries: add Ubuntu icon file
926+ - d/t/control, d/t/check-http2: add basic test for http2 support
927+ * Drop:
928+ - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
929+ + debian/patches/CVE-2017-15710.patch: fix language long names
930+ detection as short name in modules/aaa/mod_authnz_ldap.c.
931+ + CVE-2017-15710
932+ - SECURITY UPDATE: incorrect <FilesMatch> matching
933+ + debian/patches/CVE-2017-15715.patch: allow to configure
934+ global/default options for regexes, like caseless matching or
935+ extended format in include/ap_regex.h, server/core.c,
936+ server/util_pcre.c.
937+ + CVE-2017-15715
938+ - SECURITY UPDATE: mod_session header manipulation
939+ + debian/patches/CVE-2018-1283.patch: strip Session header when
940+ SessionEnv is on in modules/session/mod_session.c.
941+ + CVE-2018-1283
942+ - SECURITY UPDATE: DoS via specially-crafted request
943+ + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
944+ terminated on any error, not only on buffer full in
945+ server/protocol.c.
946+ + CVE-2018-1301
947+ - SECURITY UPDATE: mod_cache_socache DoS
948+ + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
949+ to carriage return in modules/cache/mod_cache_socache.c.
950+ + CVE-2018-1303
951+ - SECURITY UPDATE: insecure nonce generation
952+ + debian/patches/CVE-2018-1312.patch: actually use the secret when
953+ generating nonces in modules/aaa/mod_auth_digest.c.
954+ + CVE-2018-1312
955+ - Correct systemd-sysv-generator behavior by customizing some
956+ parameters:
957+ + d/apache2-systemd.conf: add a drop-in file to specify some
958+ parameters for the systemd unit (type=Forking and
959+ RemainsAfterExit=no), this allow a correct state synchronisation
960+ between systemctl status and actual state of apache2 daemon.
961+ + d/apache2.install: place the apache2-systemd.conf file in the
962+ correct location.
963+ [type=Forking already in the base systemd service file, and
964+ RemainsAfterExit=no is the default value, so no need to
965+ customize these anymore.]
966+ - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
967+ + added debian/patches/util_ldap_cache_lock_fix.patch
968+ [Already applied upstream]
969+
970+ -- Andreas Hasenack <andreas@canonical.com> Tue, 15 May 2018 11:03:34 -0300
971+
972 apache2 (2.4.33-3) unstable; urgency=medium
973
974 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
975@@ -544,6 +1292,91 @@ apache2 (2.4.29-2) unstable; urgency=medium
976
977 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +0000
978
979+apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium
980+
981+ * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
982+ - debian/patches/CVE-2017-15710.patch: fix language long names
983+ detection as short name in modules/aaa/mod_authnz_ldap.c.
984+ - CVE-2017-15710
985+ * SECURITY UPDATE: incorrect <FilesMatch> matching
986+ - debian/patches/CVE-2017-15715.patch: allow to configure
987+ global/default options for regexes, like caseless matching or
988+ extended format in include/ap_regex.h, server/core.c,
989+ server/util_pcre.c.
990+ - CVE-2017-15715
991+ * SECURITY UPDATE: mod_session header manipulation
992+ - debian/patches/CVE-2018-1283.patch: strip Session header when
993+ SessionEnv is on in modules/session/mod_session.c.
994+ - CVE-2018-1283
995+ * SECURITY UPDATE: DoS via specially-crafted request
996+ - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
997+ terminated on any error, not only on buffer full in
998+ server/protocol.c.
999+ - CVE-2018-1301
1000+ * SECURITY UPDATE: mod_cache_socache DoS
1001+ - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
1002+ to carriage return in modules/cache/mod_cache_socache.c.
1003+ - CVE-2018-1303
1004+ * SECURITY UPDATE: insecure nonce generation
1005+ - debian/patches/CVE-2018-1312.patch: actually use the secret when
1006+ generating nonces in modules/aaa/mod_auth_digest.c.
1007+ - CVE-2018-1312
1008+
1009+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Apr 2018 07:38:24 -0400
1010+
1011+apache2 (2.4.29-1ubuntu4) bionic; urgency=medium
1012+
1013+ * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
1014+ - added debian/patches/util_ldap_cache_lock_fix.patch
1015+
1016+ -- Rafael David Tinoco <rafael.tinoco@canonical.com> Fri, 02 Mar 2018 02:19:31 +0000
1017+
1018+apache2 (2.4.29-1ubuntu3) bionic; urgency=medium
1019+
1020+ * Switch back to OpenSSL 1.1.
1021+
1022+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 11:57:20 +0000
1023+
1024+apache2 (2.4.29-1ubuntu2) bionic; urgency=medium
1025+
1026+ * enable http2 (LP: #1687454) by stopping to disable it
1027+ - debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
1028+ - debian/config-dir/mods-available/http2.load: no more removed.
1029+ - debian/rules: no more removed proxy_http2 from configure.
1030+ * d/t/control, d/t/check-http2: add basic test for http2 support
1031+
1032+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 05 Dec 2017 17:25:39 +0100
1033+
1034+apache2 (2.4.29-1ubuntu1) bionic; urgency=medium
1035+
1036+ * Merge with Debian unstable. Remaining changes:
1037+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1038+ apache2.dirs}: Add ufw profiles.
1039+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1040+ - debian/patches/086_svn_cross_compiles: Backport several cross
1041+ fixes from upstream
1042+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1043+ Debian with Ubuntu on default page.
1044+ + d/source/include-binaries: add Ubuntu icon file
1045+ - Correct systemd-sysv-generator behavior by customizing some
1046+ parameters:
1047+ + d/apache2-systemd.conf: add a drop-in file to specify some
1048+ parameters for the systemd unit (type=Forking and
1049+ RemainsAfterExit=no), this allow a correct state synchronisation
1050+ between systemctl status and actual state of apache2 daemon.
1051+ + d/apache2.install: place the apache2-systemd.conf file in the
1052+ correct location.
1053+ - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1054+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1055+ + debian/config-dir/mods-available/http2.load: removed.
1056+ + debian/rules: removed proxy_http2 from configure.
1057+ * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
1058+ - debian/control: switch BuildDepends to libssl1.0-dev
1059+ - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
1060+ - debian/rules: remove openssl virtual package and logic
1061+
1062+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 10 Nov 2017 10:51:46 -0500
1063+
1064 apache2 (2.4.29-1) unstable; urgency=medium
1065
1066 [ Stefan Fritsch ]
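Review bot: "Switch back to OpenSSL 1.1." in 2.4.29-1ubuntu3 lists no files, although the change it reverses in 2.4.29-1ubuntu1 touched three things: the libssl1.0-dev BuildDepends, the Breaks on gridsite and libapache2-mod-dacs, and the openssl virtual package logic in debian/rules. The entry should say which of these were restored, because a reader cannot tell from the changelog whether the Breaks came back along with the build dependency.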
1067@@ -608,6 +1441,47 @@ apache2 (2.4.27-3) experimental; urgency=medium
1068
1069 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +0200
1070
1071+apache2 (2.4.27-2ubuntu3) artful; urgency=medium
1072+
1073+ * SECURITY UPDATE: optionsbleed information leak
1074+ - debian/patches/CVE-2017-9798.patch: disallow method registration
1075+ at run time in server/core.c.
1076+ - CVE-2017-9798
1077+
1078+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Sep 2017 11:05:48 -0400
1079+
1080+apache2 (2.4.27-2ubuntu2) artful; urgency=medium
1081+
1082+ * Undrop (LP 1658469):
1083+ - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1084+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1085+ + debian/config-dir/mods-available/http2.load: removed.
1086+ + debian/rules: removed proxy_http2 from configure.
1087+
1088+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 02 Aug 2017 13:04:45 -0400
1089+
1090+apache2 (2.4.27-2ubuntu1) artful; urgency=medium
1091+
1092+ * Merge with Debian unstable (LP: #1702582). Remaining changes:
1093+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1094+ apache2.dirs}: Add ufw profiles.
1095+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1096+ - debian/patches/086_svn_cross_compiles: Backport several cross
1097+ fixes from upstream
1098+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1099+ Debian with Ubuntu on default page.
1100+ + d/source/include-binaries: add Ubuntu icon file
1101+ - Correct systemd-sysv-generator behavior by customizing some
1102+ parameters:
1103+ + d/apache2-systemd.conf: add a drop-in file to specify some
1104+ parameters for the systemd unit (type=Forking and
1105+ RemainsAfterExit=no), this allow a correct state synchronisation
1106+ between systemctl status and actual state of apache2 daemon.
1107+ + d/apache2.install: place the apache2-systemd.conf file in the
1108+ correct location.
1109+
1110+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 27 Jul 2017 13:38:39 -0700
1111+
1112 apache2 (2.4.27-2) unstable; urgency=medium
1113
1114 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
1115@@ -637,6 +1511,55 @@ apache2 (2.4.25-4) unstable; urgency=high
1116
1117 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +0200
1118
1119+apache2 (2.4.25-3ubuntu3) artful; urgency=medium
1120+
1121+ * Re-Drop (LP: #1658469):
1122+ - Don't build experimental http2 module for LTS:
1123+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1124+ + debian/config-dir/mods-available/http2.load: removed.
1125+ + debian/rules: removed proxy_http2 from configure.
1126+ + debian/apache2.maintscript: remove http2 conffile.
1127+
1128+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Mon, 01 May 2017 09:55:11 -0700
1129+
1130+apache2 (2.4.25-3ubuntu2) zesty; urgency=medium
1131+ * Undrop (LP 1658469):
1132+ - Don't build experimental http2 module for LTS:
1133+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1134+ + debian/config-dir/mods-available/http2.load: removed.
1135+ + debian/rules: removed proxy_http2 from configure.
1136+ + debian/apache2.maintscript: remove http2 conffile.
1137+
1138+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 10 Feb 2017 08:53:43 -0800
1139+
1140+apache2 (2.4.25-3ubuntu1) zesty; urgency=medium
1141+
1142+ * Merge from Debian unstable (LP: #1663425). Remaining changes:
1143+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1144+ apache2.dirs}: Add ufw profiles.
1145+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1146+ - debian/patches/086_svn_cross_compiles: Backport several cross
1147+ fixes from upstream
1148+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1149+ Debian with Ubuntu on default page.
1150+ + d/source/include-binaries: add Ubuntu icon file
1151+ - Correct systemd-sysv-generator behavior by customizing some
1152+ parameters:
1153+ + d/apache2-systemd.conf: add a drop-in file to specify some
1154+ parameters for the systemd unit (type=Forking and
1155+ RemainsAfterExit=no), this allow a correct state synchronisation
1156+ between systemctl status and actual state of apache2 daemon.
1157+ + d/apache2.install: place the apache2-systemd.conf file in the
1158+ correct location.
1159+ * Drop (LP: #1658469):
1160+ - Don't build experimental http2 module for LTS:
1161+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1162+ + debian/config-dir/mods-available/http2.load: removed.
1163+ + debian/rules: removed proxy_http2 from configure.
1164+ + debian/apache2.maintscript: remove http2 conffile.
1165+
1166+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 09 Feb 2017 15:48:28 -0800
1167+
1168 apache2 (2.4.25-3) unstable; urgency=medium
1169
1170 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
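Review bot: The 2.4.25-3ubuntu2 entry has no blank line between its header, "apache2 (2.4.25-3ubuntu2) zesty; urgency=medium", and the first "* Undrop" bullet, while every other entry in this hunk separates the two with an empty line. Insert the blank line so the entry matches the layout of the rest of the file.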
1171@@ -698,6 +1621,39 @@ apache2 (2.4.25-1) unstable; urgency=medium
1172
1173 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +0100
1174
1175+apache2 (2.4.23-8ubuntu1) zesty; urgency=medium
1176+
1177+ * Merge from Debian unstable (LP: #). Remaining changes:
1178+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1179+ apache2.dirs}: Add ufw profiles.
1180+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1181+ - debian/patches/086_svn_cross_compiles: Backport several cross
1182+ fixes from upstream
1183+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
1184+ d/source/include-binaries: replace Debian with Ubuntu on default
1185+ page.
1186+ [ include-binaries change previously undocumented ]
1187+ - Don't build experimental http2 module for LTS:
1188+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1189+ + debian/config-dir/mods-available/http2.load: removed.
1190+ + debian/rules: removed proxy_http2 from configure.
1191+ + debian/apache2.maintscript: remove http2 conffile.
1192+ [ Previously undocumented ]
1193+ - Correct systemd-sysv-generator behavior by customizing some
1194+ parameters:
1195+ + d/apache2-systemd.conf: add a drop-in file to specify some
1196+ parameters for the systemd unit (type=Forking and
1197+ RemainsAfterExit=no), this allow a correct state synchronisation
1198+ between systemctl status and actual state of apache2 daemon.
1199+ + d/apache2.install: place the apache2-systemd.conf file in the
1200+ correct location.
1201+ * Drop:
1202+ - debian/rules: Fix cross-building by passing
1203+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1204+ [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]
1205+
1206+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 09 Dec 2016 11:02:38 +0100
1207+
1208 apache2 (2.4.23-8) unstable; urgency=medium
1209
1210 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
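Review bot: "Merge from Debian unstable (LP: #)." in 2.4.23-8ubuntu1 still has an empty bug placeholder where the neighbouring merge entries cite a real number, for example "(LP: #1663425)" in 2.4.25-3ubuntu1. Either fill in the merge bug or drop the parenthesis, so the entry does not look like it references a tracked bug when it does not.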
1211@@ -708,6 +1664,33 @@ apache2 (2.4.23-8) unstable; urgency=medium
1212
1213 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100
1214
1215+apache2 (2.4.23-7ubuntu1) zesty; urgency=medium
1216+
1217+ * Merge from Debian unstable. Remaining changes:
1218+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1219+ apache2.dirs}: Add ufw profiles.
1220+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1221+ - debian/rules: Fix cross-building by passing
1222+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1223+ - debian/patches/086_svn_cross_compiles: Backport several cross
1224+ fixes from upstream
1225+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1226+ Debian with Ubuntu on default page.
1227+ - Don't build experimental http2 module for LTS:
1228+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1229+ + debian/config-dir/mods-available/http2.load: removed.
1230+ + debian/rules: removed proxy_http2 from configure.
1231+ - Correct systemd-sysv-generator behavior by customizing some
1232+ parameters:
1233+ + d/apache2-systemd.conf: add a drop-in file to specify some
1234+ parameters for the systemd unit (type=Forking and
1235+ RemainsAfterExit=no), this allow a correct state synchronisation
1236+ between systemctl status and actual state of apache2 daemon.
1237+ + d/apache2.install: place the apache2-systemd.conf file in the
1238+ correct location.
1239+
1240+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Nov 2016 09:17:24 -0500
1241+
1242 apache2 (2.4.23-7) unstable; urgency=medium
1243
1244 * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
1245@@ -822,6 +1805,55 @@ apache2 (2.4.20-1) unstable; urgency=medium
1246
1247 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200
1248
1249+apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium
1250+
1251+ * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
1252+ - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
1253+ server/util_script.c.
1254+ - CVE-2016-5387
1255+
1256+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Jul 2016 14:32:02 -0400
1257+
1258+apache2 (2.4.18-2ubuntu3) xenial; urgency=medium
1259+
1260+ [ Ryan Harper ]
1261+ * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
1262+ introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
1263+ all, since http2 support is intentionally disabled (see LP 1531864).
1264+ * d/apache2.maintscript: handle removal of http2.load conffile.
1265+
1266+ [ Robie Basak ]
1267+ * Re-write Ryan's changelog entry.
1268+
1269+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 15 Apr 2016 18:00:57 +0000
1270+
1271+apache2 (2.4.18-2ubuntu2) xenial; urgency=medium
1272+
1273+ * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
1274+ - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
1275+ unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation
1276+ between systemctl status and actual state of apache2 daemon.
1277+ - d/apache2.install: place the apache2-systemd.conf file in the correct location.
1278+
1279+ -- Pierre-André MOREY <pierre-andre.morey@canonical.com> Fri, 08 Apr 2016 11:48:00 +0200
1280+
1281+apache2 (2.4.18-2ubuntu1) xenial; urgency=medium
1282+
1283+ * Merge from Debian unstable. Remaining changes:
1284+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1285+ apache2.dirs}: Add ufw profiles.
1286+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1287+ - debian/rules: Fix cross-building by passing
1288+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1289+ - debian/patches/086_svn_cross_compiles: Backport several cross
1290+ fixes from upstream
1291+ - d/index.html: replace Debian with Ubuntu on default page.
1292+ - Don't build experimental http2 module for LTS:
1293+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1294+ + debian/config-dir/mods-available/http2.load: removed.
1295+
1296+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 06 Apr 2016 00:18:31 +0300
1297+
1298 apache2 (2.4.18-2) unstable; urgency=low
1299
1300 * htcacheclean:
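Review bot: The 2.4.18-2ubuntu1 "Remaining changes" list does not match what the entries around it say about that upload. The previous Ubuntu entry, 2.4.18-1ubuntu1, carries "Add dep8 tests.", but 2.4.18-2ubuntu1 neither lists it nor has a "Drop" section explaining its removal; it also records http2.load as "removed", while 2.4.18-2ubuntu3 states the file was inadvertently introduced by that same upload. A short bracketed note on each point would make the delta history auditable.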
1301@@ -847,6 +1879,24 @@ apache2 (2.4.18-2) unstable; urgency=low
1302
1303 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200
1304
1305+apache2 (2.4.18-1ubuntu1) xenial; urgency=medium
1306+
1307+ * Merge from Debian unstable. Remaining changes:
1308+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1309+ apache2.dirs}: Add ufw profiles.
1310+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1311+ - Add dep8 tests.
1312+ - debian/rules: Fix cross-building by passing
1313+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1314+ - debian/patches/086_svn_cross_compiles: Backport several cross
1315+ fixes from upstream
1316+ - d/index.html: replace Debian with Ubuntu on default page.
1317+ - Don't build experimental http2 module for LTS:
1318+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1319+ + debian/config-dir/mods-available/http2.load: removed.
1320+
1321+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Jan 2016 15:15:22 -0500
1322+
1323 apache2 (2.4.18-1) unstable; urgency=medium
1324
1325 * New upstream release:
1326@@ -854,12 +1904,48 @@ apache2 (2.4.18-1) unstable; urgency=medium
1327
1328 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100
1329
1330+apache2 (2.4.17-3ubuntu1) xenial; urgency=medium
1331+
1332+ * Merge from Debian unstable. Remaining changes:
1333+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1334+ apache2.dirs}: Add ufw profiles.
1335+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1336+ - Add dep8 tests.
1337+ - debian/rules: Fix cross-building by passing
1338+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1339+ - debian/patches/086_svn_cross_compiles: Backport several cross
1340+ fixes from upstream
1341+ - d/index.html: replace Debian with Ubuntu on default page.
1342+ - Don't build experimental http2 module for LTS:
1343+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1344+ + debian/config-dir/mods-available/http2.load: removed.
1345+
1346+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Dec 2015 10:07:35 -0500
1347+
1348 apache2 (2.4.17-3) unstable; urgency=medium
1349
1350 * mpm_prefork: Fix segfault if started with -X. Closes: #805737
1351
1352 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100
1353
1354+apache2 (2.4.17-2ubuntu1) xenial; urgency=medium
1355+
1356+ * Merge from Debian unstable. Remaining changes:
1357+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1358+ apache2.dirs}: Add ufw profiles.
1359+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1360+ - Add dep8 tests.
1361+ - debian/rules: Fix cross-building by passing
1362+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1363+ - debian/patches/086_svn_cross_compiles: Backport several cross
1364+ fixes from upstream
1365+ - d/index.html: replace Debian with Ubuntu on default page.
1366+ - Don't build experimental http2 module for LTS:
1367+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1368+ + debian/config-dir/mods-available/http2.load: removed.
1369+
1370+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Nov 2015 09:11:52 -0500
1371+
1372 apache2 (2.4.17-2) unstable; urgency=medium
1373
1374 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
1375@@ -870,6 +1956,31 @@ apache2 (2.4.17-2) unstable; urgency=medium
1376
1377 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100
1378
1379+apache2 (2.4.17-1ubuntu1) xenial; urgency=medium
1380+
1381+ * Merge from Debian unstable. Remaining changes:
1382+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1383+ apache2.dirs}: Add ufw profiles.
1384+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1385+ - Add dep8 tests.
1386+ - debian/rules: Fix cross-building by passing
1387+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1388+ - debian/patches/086_svn_cross_compiles: Backport several cross
1389+ fixes from upstream
1390+ - d/index.html: replace Debian with Ubuntu on default page.
1391+ * Drop patches (applied upstream):
1392+ - debian/patches/CVE-2015-3183.patch
1393+ - debian/patches/CVE-2015-3185.patch
1394+ * Drop changes (adopted in Debian):
1395+ - Allow "triggers-awaited" and "triggers-pending" states in addition
1396+ to "installed" when determining whether to defer actions or
1397+ process deferred actions.
1398+ * Don't build experimental http2 module for LTS
1399+ - debian/control: removed libnghttp2-dev Build-Depends (in universe).
1400+ - debian/config-dir/mods-available/http2.load: removed.
1401+
1402+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 30 Oct 2015 09:35:46 -0400
1403+
1404 apache2 (2.4.17-1) unstable; urgency=medium
1405
1406 [ Stefan Fritsch ]
1407@@ -935,6 +2046,49 @@ apache2 (2.4.16-1) unstable; urgency=medium
1408
1409 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200
1410
1411+apache2 (2.4.12-2ubuntu2) wily; urgency=medium
1412+
1413+ * SECURITY UPDATE: request smuggling via chunked transfer encoding
1414+ - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
1415+ modules/http/http_filters.c.
1416+ - CVE-2015-3183
1417+ * SECURITY UPDATE: access restriction bypass via deprecated API
1418+ - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
1419+ in include/http_request.h, server/request.c.
1420+ - CVE-2015-3185
1421+
1422+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 24 Jul 2015 09:56:09 -0400
1423+
1424+apache2 (2.4.12-2ubuntu1) wily; urgency=medium
1425+
1426+ * Merge from Debian unstable. Remaining changes:
1427+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1428+ apache2.dirs}: Add ufw profiles.
1429+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1430+ - Add dep8 tests.
1431+ - debian/rules: Fix cross-building by passing
1432+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1433+ - debian/patches/086_svn_cross_compiles: Backport several cross
1434+ fixes from upstream
1435+ - d/index.html: replace Debian with Ubuntu on default page.
1436+ - Allow "triggers-awaited" and "triggers-pending" states in addition
1437+ to "installed" when determining whether to defer actions or
1438+ process deferred actions.
1439+ * Drop patches (applied upstream):
1440+ - d/p/split-logfile.patch
1441+ - d/p/CVE-2015-0228.patch
1442+ * Drop changes (superceded in Debian):
1443+ - Cherry-pick versioned build-depend on dpkg from Debian for correct
1444+ dpkg-maintscript-helper symlink_to_dir support.
1445+ * Drop changes (adopted in Debian):
1446+ - d/control, d/config-dir/mods-available/ssl.conf,
1447+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1448+ dialog program ask-for-passphrase.
1449+ * Fix cross-building configure line in d/rules, which had bit-rotted in
1450+ previous merges.
1451+
1452+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 May 2015 16:34:00 +0000
1453+
1454 apache2 (2.4.12-2) unstable; urgency=medium
1455
1456 [ Jean-Michel Nirgal Vourgère ]
1457@@ -984,6 +2138,28 @@ apache2 (2.4.10-10) unstable; urgency=medium
1458
1459 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100
1460
1461+apache2 (2.4.10-9ubuntu1) vivid; urgency=medium
1462+
1463+ * Merge from Debian unstable. Remaining changes:
1464+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1465+ apache2.dirs}: Add ufw profiles.
1466+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1467+ - d/control, d/config-dir/mods-available/ssl.conf,
1468+ - Add dep8 tests.
1469+ - debian/rules: Fix cross-building by passing
1470+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1471+ - debian/patches/086_svn_cross_compiles: Backport several cross
1472+ fixes from upstream
1473+ - d/index.html: replace Debian with Ubuntu on default page.
1474+ - d/p/split-logfile.patch: fix completely broken split-logfile
1475+ command.
1476+ - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
1477+ denial of service in mod_lua via websockets PING
1478+ * debian/tests/ssl-passphrase: Add password responder for
1479+ systemd-ask-passphrase.
1480+
1481+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 09 Mar 2015 12:03:16 +0100
1482+
1483 apache2 (2.4.10-9) unstable; urgency=medium
1484
1485 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
1486@@ -998,6 +2174,54 @@ apache2 (2.4.10-9) unstable; urgency=medium
1487
1488 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100
1489
1490+apache2 (2.4.10-8ubuntu3) vivid; urgency=medium
1491+
1492+ * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
1493+ directives
1494+ - debian/patches/CVE-2014-8109.patch: handle multiple Require
1495+ directives with different arguments in modules/lua/mod_lua.c.
1496+ - CVE-2014-8109
1497+ * SECURITY UPDATE: denial of service in mod_lua via websockets PING
1498+ - debian/patches/CVE-2015-0228.patch: fix logic in
1499+ modules/lua/lua_request.c.
1500+ - CVE-2015-0228
1501+
1502+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 05 Mar 2015 10:56:34 -0500
1503+
1504+apache2 (2.4.10-8ubuntu2) vivid; urgency=medium
1505+
1506+ * Allow "triggers-awaited" and "triggers-pending" states in addition to
1507+ "installed" when determining whether to defer actions or process
1508+ deferred actions (LP: #1393832).
1509+
1510+ -- Colin Watson <cjwatson@ubuntu.com> Wed, 26 Nov 2014 11:31:44 +0000
1511+
1512+apache2 (2.4.10-8ubuntu1) vivid; urgency=medium
1513+
1514+ * Merge from Debian unstable. Remaining changes:
1515+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1516+ apache2.dirs}: Add ufw profiles.
1517+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1518+ - d/control, d/config-dir/mods-available/ssl.conf,
1519+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1520+ dialog program ask-for-passphrase.
1521+ - Add dep8 tests.
1522+ - debian/rules: Fix cross-building by passing
1523+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1524+ - debian/patches/086_svn_cross_compiles: Backport several cross
1525+ fixes from upstream
1526+ - d/index.html: replace Debian with Ubuntu on default page.
1527+ - d/p/split-logfile.patch: fix completely broken split-logfile
1528+ command.
1529+ * Fixes from Debian included in merge:
1530+ - Crash caused by OCSP stapling code; this was erroneously
1531+ attributed to Debian in my previous merge, but actually only
1532+ appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
1533+ * Cherry-pick versioned build-depend on dpkg from Debian for correct
1534+ dpkg-maintscript-helper symlink_to_dir support.
1535+
1536+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 21 Nov 2014 15:15:58 +0000
1537+
1538 apache2 (2.4.10-8) unstable; urgency=medium
1539
1540 * Bump dpkg Pre-Depends to version that supports relative symlinks in
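Review bot: debian/patches/CVE-2014-8109.patch, added in the 2.4.10-8ubuntu3 entry, is not accounted for by the next merge: 2.4.10-9ubuntu1 keeps only d/p/CVE-2015-0228.patch under Remaining changes and has no drop item for the other patch. Debian 2.4.10-9 lists a CVE-2014-8109 mod_lua fix, so a "Drop patches" item naming CVE-2014-8109.patch and the reason would make it clear that the Ubuntu patch was replaced by the Debian fix rather than lost in the merge.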
1541@@ -1012,6 +2236,33 @@ apache2 (2.4.10-8) unstable; urgency=medium
1542
1543 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100
1544
1545+apache2 (2.4.10-7ubuntu1) vivid; urgency=medium
1546+
1547+ * Merge from Debian unstable. Remaining changes:
1548+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1549+ apache2.dirs}: Add ufw profiles.
1550+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1551+ - d/control, d/config-dir/mods-available/ssl.conf,
1552+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1553+ dialog program ask-for-passphrase.
1554+ - Add dep8 tests.
1555+ - debian/rules: Fix cross-building by passing
1556+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1557+ - debian/patches/086_svn_cross_compiles: Backport several cross
1558+ fixes from upstream
1559+ - d/index.html: replace Debian with Ubuntu on default page.
1560+ - d/p/split-logfile.patch: fix completely broken split-logfile command.
1561+ * Fixes from Debian included in merge:
1562+ - Don't use a2query in preinst, as it may not be available yet
1563+ (LP: #1312533).
1564+ - Crash caused by OCSP stapling code (LP: #1366174).
1565+ - Disable SSLv3 in default config (LP: #1358305).
1566+ - If apache2 is not configured yet, defer actions executed via
1567+ apache2-maintscript-helper. This fixes installation failures if a
1568+ module package is configured first (LP: #1312854).
1569+
1570+ -- Robie Basak <robie.basak@ubuntu.com> Mon, 17 Nov 2014 18:04:40 +0000
1571+
1572 apache2 (2.4.10-7) unstable; urgency=medium
1573
1574 * Handle transitions of doc dirs and symlinks correctly during upgrade.
1575@@ -1095,6 +2346,25 @@ apache2 (2.4.10-2) unstable; urgency=medium
1576
1577 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200
1578
1579+apache2 (2.4.10-1ubuntu1) utopic; urgency=medium
1580+
1581+ * Merge from Debian unstable. Remaining changes:
1582+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1583+ apache2.dirs}: Add ufw profiles.
1584+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1585+ - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
1586+ d/apache2.install: Plymouth aware passphrase dialog program
1587+ ask-for-passphrase.
1588+ - Add dep8 tests.
1589+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
1590+ configure.
1591+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
1592+ upstream
1593+ - d/index.html: replace Debian with Ubuntu on default page.
1594+ - d/p/split-logfile.patch: fix completely broken split-logfile command.
1595+
1596+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 24 Jul 2014 15:13:16 +0000
1597+
1598 apache2 (2.4.10-1) unstable; urgency=medium
1599
1600 [ Arno Töll ]
1601@@ -1142,6 +2412,45 @@ apache2 (2.4.9-2) unstable; urgency=medium
1602
1603 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200
1604
1605+apache2 (2.4.9-1ubuntu2) utopic; urgency=medium
1606+
1607+ * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
1608+ yet support building against lua 5.2 (LP: #1323930).
1609+
1610+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 28 May 2014 08:55:25 +0000
1611+
1612+apache2 (2.4.9-1ubuntu1) utopic; urgency=medium
1613+
1614+ * Merge from Debian unstable. Remaining changes:
1615+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1616+ apache2.dirs}: Add ufw profiles.
1617+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1618+ - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
1619+ d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
1620+ dialog program ask-for-passphrase.
1621+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
1622+ configure.
1623+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
1624+ upstream
1625+ - Build using lua5.2.
1626+ - d/tests/chroot: dep8 test for ChrootDir case.
1627+ - d/tests/ssl-passphrase: update for new default path /var/www/html.
1628+ - d/tests/duplicate-module-load: check for duplicate module loads.
1629+ - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
1630+ - d/p/split-logfile.patch: fix completely broken split-logfile command
1631+ (LP: #1299162). Thanks to Holger Mauermann.
1632+ * Drop changes (upstreamed):
1633+ - d/p/ignore-quilt-dir: adjust build system so that it does not use
1634+ files find inside the .pc directory. This stops a double module load
1635+ causing later havoc, including "ChrootDir" directive failure.
1636+ - debian/patches/CVE-2013-6438.patch: properly calculate correct length
1637+ in modules/dav/main/util.c.
1638+ - debian/patches/CVE-2014-0098.patch: properly parse tokens in
1639+ modules/loggers/mod_log_config.c.
1640+ * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
1641+
1642+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 May 2014 19:30:04 +0000
1643+
1644 apache2 (2.4.9-1) unstable; urgency=medium
1645
1646 * New upstream version.
1647@@ -1174,6 +2483,63 @@ apache2 (2.4.9-1) unstable; urgency=medium
1648
1649 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +0100
1650
1651+apache2 (2.4.7-1ubuntu4) trusty; urgency=medium
1652+
1653+ * d/p/split-logfile.patch: fix completely broken split-logfile command
1654+ (LP: #1299162). Thanks to Holger Mauermann.
1655+
1656+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 03 Apr 2014 11:21:22 +0000
1657+
1658+apache2 (2.4.7-1ubuntu3) trusty; urgency=medium
1659+
1660+ * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
1661+ calculation
1662+ - debian/patches/CVE-2013-6438.patch: properly calculate correct length
1663+ in modules/dav/main/util.c.
1664+ - CVE-2013-6438
1665+ * SECURITY UPDATE: denial of service via truncated cookie and
1666+ mod_log_config
1667+ - debian/patches/CVE-2014-0098.patch: properly parse tokens in
1668+ modules/loggers/mod_log_config.c.
1669+ - CVE-2014-0098
1670+
1671+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Mar 2014 08:34:10 -0400
1672+
1673+apache2 (2.4.7-1ubuntu2) trusty; urgency=medium
1674+
1675+ * d/index.html: replace Debian with Ubuntu on default page
1676+ (LP: #1288690).
1677+
1678+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 19 Mar 2014 11:04:21 +0000
1679+
1680+apache2 (2.4.7-1ubuntu1) trusty; urgency=medium
1681+
1682+ * Merge from Debian unstable. Remaining changes:
1683+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1684+ apache2.dirs}: Add ufw profiles.
1685+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1686+ - d/control, d/config-dir/mods-available/ssl.conf,
1687+ d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase:
1688+ Plymouth aware passphrase dialog program ask-for-passphrase.
1689+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
1690+ to configure.
1691+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes
1692+ from upstream
1693+ - Build using lua5.2.
1694+ - d/tests/chroot: dep8 test for ChrootDir case.
1695+ - d/p/ignore-quilt-dir: adjust build system so that it does not use
1696+ files find inside the .pc directory. This stops a double module load
1697+ causing later havoc, including "ChrootDir" directive failure.
1698+ * Drop changes:
1699+ - debian/{control, rules}: Enable PIE hardening: no longer required;
1700+ 2.4.7-1 is already hardened.
1701+ - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved
1702+ out of this package.
1703+ * d/tests/ssl-passphrase: update for new default path /var/www/html.
1704+ * d/tests/duplicate-module-load: check for duplicate module loads.
1705+
1706+ -- Robie Basak <robie.basak@ubuntu.com> Tue, 14 Jan 2014 17:23:47 +0000
1707+
1708 apache2 (2.4.7-1) unstable; urgency=low
1709
1710 New upstream version
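Review bot: The "Drop changes" item for debian/{control, rules} in 2.4.7-1ubuntu1 justifies removing the PIE hardening delta with "2.4.7-1 is already hardened", which does not say whether PIE specifically is enabled or where. Name the Debian setting that provides it, or state that the built binaries were checked for PIE, so a later reader can confirm that the hardening listed in the earlier entries was not reduced by this merge.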
1711@@ -1237,6 +2603,53 @@ apache2 (2.4.6-3) unstable; urgency=low
1712
1713 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +0200
1714
1715+apache2 (2.4.6-2ubuntu4) trusty; urgency=low
1716+
1717+ * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so
1718+ that it does not use files find inside the .pc directory. This stops a
1719+ double module load causing later havoc, including "ChrootDir" directive
1720+ failure (LP: #1251939). Thanks to Stefan Fritsch.
1721+ * d/tests/chroot: dep8 test for ChrootDir case.
1722+
1723+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 Nov 2013 16:21:51 +0000
1724+
1725+apache2 (2.4.6-2ubuntu3) trusty; urgency=low
1726+
1727+ * debian/apache2.install: Correct path for ufw.
1728+ (LP: #1252722)
1729+
1730+ -- Chuck Short <zulcss@ubuntu.com> Tue, 19 Nov 2013 08:59:54 -0500
1731+
1732+apache2 (2.4.6-2ubuntu2) saucy; urgency=low
1733+
1734+ * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes
1735+ passphrase prompting for SSL certificates that are passphrase protected.
1736+ * Add dep8 test for SSL passphrase prompting.
1737+
1738+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 Aug 2013 13:08:52 +0000
1739+
1740+apache2 (2.4.6-2ubuntu1) saucy; urgency=low
1741+
1742+ * Merge from Debian unstable. Remaining changes:
1743+ - debian/{control, rules}: Enable PIE hardening.
1744+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1745+ apache2.dirs}: Add ufw profiles.
1746+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1747+ - debian/control, debian/config-dir/mods-available/ssl.conf,
1748+ debian/ask-for-passphrase, debian/apache2.install: Plymouth aware
1749+ passphrase dialog program ask-for-passphrase.
1750+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
1751+ to configure.
1752+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes
1753+ from upstream
1754+ * Dropped changes:
1755+ - debian/patches/CVE-2013-1896.patch: upstream
1756+ * Fixed module dependencies (LP: #1205314)
1757+ - debian/config-dir/mods-available/lbmethod_*: properly specify
1758+ proxy_balancer, not mod_proxy_balancer.
1759+
1760+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Jul 2013 08:31:33 -0400
1761+
1762 apache2 (2.4.6-2) unstable; urgency=low
1763
1764 [ Stefan Fritsch ]
1765@@ -1289,6 +2702,56 @@ apache2 (2.4.6-1) unstable; urgency=low
1766
1767 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +0200
1768
1769+apache2 (2.4.4-6ubuntu5) saucy; urgency=low
1770+
1771+ * SECURITY UPDATE: denial of service via MERGE request
1772+ - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
1773+ in modules/dav/main/mod_dav.c.
1774+ - CVE-2013-1896
1775+
1776+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Jul 2013 11:20:47 -0400
1777+
1778+apache2 (2.4.4-6ubuntu4) saucy; urgency=low
1779+
1780+ * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to
1781+ apache2-bin. apache2-utils is only suggested by apache2, so may not
1782+ always be installed by bug reporters. However, apache2-bin will always
1783+ need to be installed for Apache to be functional, so this is a better
1784+ place for the apport hook. apache2-bin already Conflicts/Replaces
1785+ apache2.2-common, so this also fixes (LP: #1199318).
1786+ * d/apache2.py: adjust apport hook for new location of configuration
1787+ files in apache2 >= 2.4: they have moved from apache2.2-common to
1788+ apache2.
1789+
1790+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 17 Jul 2013 17:54:22 +0000
1791+
1792+apache2 (2.4.4-6ubuntu3) saucy; urgency=low
1793+
1794+ * Build using lua5.2.
1795+
1796+ -- Matthias Klose <doko@ubuntu.com> Wed, 17 Jul 2013 14:24:42 +0200
1797+
1798+apache2 (2.4.4-6ubuntu2) saucy; urgency=low
1799+
1800+ * debian/rules: Fix FTBFS while installing ufw.
1801+
1802+ -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 10:10:14 -0500
1803+
1804+apache2 (2.4.4-6ubuntu1) saucy; urgency=low
1805+
1806+ * Merge from Debian unstable. Remaining changes:
1807+ - debian/{control, rules}: Enable PIE hardening.
1808+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1809+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1810+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1811+ Plymouth aware passphrase dialog program ask-for-passphrase.
1812+ * Dropped changes:
1813+ - debian/patches/CVE-2012-2687.patch: Dropped no longer needed.
1814+ - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed.
1815+ - debian/patches/CVE-2012-4929.patch: Dropped no longer needed.
1816+
1817+ -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 08:34:01 -0500
1818+
1819 apache2 (2.4.4-6) unstable; urgency=low
1820
1821 * Denote exact versions breaking gnome-user-share now that Gnome maintainers
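Review bot: The "Dropped changes" list in 2.4.4-6ubuntu1 removes CVE-2012-2687.patch, CVE-2012-3499_4558.patch and CVE-2012-4929.patch with only "Dropped no longer needed", and says nothing about the debian/apache2ctl mkdir_chown() change made for CVE-2013-1048 in 2.2.22-6ubuntu5. For security patches, state that the fix is included in the new upstream version (the 2.4.6-2ubuntu1 entry does this with "CVE-2013-1896.patch: upstream"), and add an item saying whether the apache2ctl fix was kept, adopted in Debian, or made unnecessary.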
1822@@ -1760,6 +3223,122 @@ apache2 (2.4.1-1) experimental; urgency=low
1823
1824 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +0100
1825
1826+apache2 (2.2.22-6ubuntu5) raring; urgency=low
1827+
1828+ * SECURITY UPDATE: multiple cross-site scripting issues
1829+ - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
1830+ modules/generators/{mod_info.c,mod_status.c},
1831+ modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
1832+ modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
1833+ - CVE-2012-3499
1834+ - CVE-2012-4558
1835+ * SECURITY UPDATE: symlink attack in apache2ctl script
1836+ - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
1837+ - Thanks to Stefan Fritsch for the fix.
1838+ - CVE-2013-1048
1839+
1840+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 15 Mar 2013 07:59:58 -0400
1841+
1842+apache2 (2.2.22-6ubuntu4) raring; urgency=low
1843+
1844+ * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
1845+ * Skip module sanity check between MPMs if cross-building without the
1846+ kernel/binfmt support to run our target binaries on the build system.
1847+ * Backport several cross fixes from upstream as 086_svn_cross_compiles.
1848+
1849+ -- Adam Conrad <adconrad@ubuntu.com> Wed, 05 Dec 2012 02:21:46 -0700
1850+
1851+apache2 (2.2.22-6ubuntu3) raring; urgency=low
1852+
1853+ * SECURITY UPDATE: XSS vulnerability in mod_negotiation
1854+ - debian/patches/CVE-2012-2687.patch: escape filenames in
1855+ modules/mappers/mod_negotiation.c.
1856+ - CVE-2012-2687
1857+ * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
1858+ - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
1859+ directive. Defaults to off as enabling compression enables the CRIME
1860+ attack.
1861+ - CVE-2012-4929
1862+
1863+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 08 Nov 2012 17:56:24 -0500
1864+
1865+apache2 (2.2.22-6ubuntu2) quantal; urgency=low
1866+
1867+ * debian/apache2.py
1868+ - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171)
1869+ - Check if this directory exists: /etc/apache2/sites-enabled/
1870+
1871+ -- Matthieu Baerts (matttbe) <matttbe@gmail.com> Mon, 16 Jul 2012 10:02:18 +0200
1872+
1873+apache2 (2.2.22-6ubuntu1) quantal; urgency=low
1874+
1875+ * Merge from Debian unstable. Remaining changes:
1876+ - debian/{control, rules}: Enable PIE hardening.
1877+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1878+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1879+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1880+ Plymouth aware passphrase dialog program ask-for-passphrase.
1881+ * Dropped changes:
1882+ - debian/control: Add bzr tag and point it to our tree; this is not
1883+ really required and just increases the delta.
1884+
1885+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 08 Jun 2012 11:37:31 +0100
1886+
1887+apache2 (2.2.22-6) unstable; urgency=low
1888+
1889+ [ Stefan Fritsch ]
1890+ * Fix regression causing apache2 to cache "206 partial content" responses,
1891+ and then serving these partial responses when replying to normal requests.
1892+ Closes: #671204
1893+ * Add section to security.conf that shows how to forbid access to VCS
1894+ directories. Closes: #548213
1895+ * Update ssl default cipher config, add alternative speed optimized config.
1896+ Closes: #649020
1897+ * Add "AddCharset" for .brf files in default mod_mime config.
1898+ Closes: #402567
1899+ * Don't create httpd.conf anymore and don't include it in apache2.conf. If
1900+ it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
1901+ * Port some of the comments in apache2.conf from the 2.4 package.
1902+ * Compile mod_version statically, drop associated module load file.
1903+ * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
1904+ configtest.
1905+ * Note in README.Debian that future versions of the package will have the
1906+ include statements changed to include only *.conf.
1907+ * Change compiled-in document root to /var/www, to avoid strange error
1908+ messages.
1909+ * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
1910+
1911+ [ Arno Töll ]
1912+ * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
1913+ to override LDFLAGS at compile time by defining LDLAGS in the environment,
1914+ just like it is possible for CFLAGS. This also means, config_vars.mk now
1915+ exports hardening build flags by default.
1916+ * Update doc-base metadata for the apache2-doc package.
1917+
1918+ -- Stefan Fritsch <sf@debian.org> Tue, 29 May 2012 22:05:48 +0200
1919+
1920+apache2 (2.2.22-5) unstable; urgency=low
1921+
1922+ * Make LoadFile and LoadModule look in the standard search paths if the
1923+ dso file name is given as a pure filename. This helps with the multi-arch
1924+ transition.
1925+
1926+ -- Stefan Fritsch <sf@debian.org> Mon, 30 Apr 2012 23:38:33 +0200
1927+
1928+apache2 (2.2.22-4) unstable; urgency=high
1929+
1930+ * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
1931+ hosts' config files.
1932+ If scripting modules like mod_php or mod_rivet are enabled on systems
1933+ where either 1) some frontend server forwards connections to an apache2
1934+ backend server on the localhost address, or 2) the machine running
1935+ apache2 is also used for web browsing, this could allow a remote
1936+ attacker to execute example scripts stored under /usr/share/doc.
1937+ Depending on the installed packages, this could lead to issues like cross
1938+ site scripting, code execution, or leakage of sensitive data.
1939+
1940+ -- Stefan Fritsch <sf@debian.org> Sun, 15 Apr 2012 23:41:43 +0200
1941+
1942 apache2 (2.2.22-3) unstable; urgency=low
1943
1944 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
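Review bot: The entries for 2.2.22-6, 2.2.22-5 and 2.2.22-4, all signed by Stefan Fritsch for unstable, come in as added lines, so the changelog delta against debian/sid includes Debian uploads and not only Ubuntu ones; among them is the urgency=high CVE-2012-0216 entry. Confirm they match the Debian uploads verbatim, including the "LDLAGS" spelling in the apxs item, which looks like a typo for LDFLAGS but should only change if the Debian original differs.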
1945@@ -1780,6 +3359,18 @@ apache2 (2.2.22-2) unstable; urgency=low
1946
1947 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +0100
1948
1949+apache2 (2.2.22-1ubuntu1) precise; urgency=low
1950+
1951+ * Merge from Debian testing. Remaining changes:
1952+ - debian/{control, rules}: Enable PIE hardening.
1953+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1954+ - debian/control: Add bzr tag and point it to our tree
1955+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1956+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1957+ Plymouth aware passphrase dialog program ask-for-passphrase.
1958+
1959+ -- Chuck Short <zulcss@ubuntu.com> Sun, 12 Feb 2012 20:06:35 -0500
1960+
1961 apache2 (2.2.22-1) unstable; urgency=low
1962
1963 [ Stefan Fritsch ]
1964@@ -1797,6 +3388,18 @@ apache2 (2.2.22-1) unstable; urgency=low
1965
1966 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +0100
1967
1968+apache2 (2.2.21-5ubuntu1) precise; urgency=low
1969+
1970+ * Merge from Debian testing. Remaining changes:
1971+ - debian/{control, rules}: Enable PIE hardening.
1972+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1973+ - debian/control: Add bzr tag and point it to our tree
1974+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1975+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1976+ Plymouth aware passphrase dialog program ask-for-passphrase.
1977+
1978+ -- Chuck Short <zulcss@ubuntu.com> Mon, 09 Jan 2012 06:26:31 +0000
1979+
1980 apache2 (2.2.21-5) unstable; urgency=low
1981
1982 [ Arno Töll ]
1983@@ -1850,6 +3453,26 @@ apache2 (2.2.21-4) unstable; urgency=low
1984
1985 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +0100
1986
1987+apache2 (2.2.21-3ubuntu2) precise; urgency=low
1988+
1989+ * d/ask-for-passphrase: Flip the logic of this script so that it checks
1990+ first to see if apache is being started from a TTY, and then if not,
1991+ tries plymouth. (LP: #887410)
1992+
1993+ -- Clint Byrum <clint@ubuntu.com> Tue, 06 Dec 2011 16:49:33 -0800
1994+
1995+apache2 (2.2.21-3ubuntu1) precise; urgency=low
1996+
1997+ * Merge from Debian testing. Remaining changes:
1998+ - debian/{control, rules}: Enable PIE hardening.
1999+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2000+ - debian/control: Add bzr tag and point it to our tree
2001+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2002+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2003+ Plymouth aware passphrase dialog program ask-for-passphrase.
2004+
2005+ -- Chuck Short <zulcss@ubuntu.com> Fri, 09 Dec 2011 05:20:43 +0000
2006+
2007 apache2 (2.2.21-3) unstable; urgency=medium
2008
2009 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
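Review bot: The 2.2.21-3ubuntu1 merge entry does not mention that the Debian upload it merges, 2.2.21-3, fixes CVE-2011-4317, and the entry is marked urgency=low. The 2.2.20-1ubuntu1 entry names the CVE it picks up ("Merge from debian unstable to fix CVE-2011-3192"); doing the same here lets someone find the first Ubuntu version carrying the fix by searching the changelog for the CVE id.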
2010@@ -1864,6 +3487,24 @@ apache2 (2.2.21-3) unstable; urgency=medium
2011
2012 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +0100
2013
2014+apache2 (2.2.21-2ubuntu2) precise; urgency=low
2015+
2016+ * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
2017+
2018+ -- Adam Conrad <adconrad@ubuntu.com> Fri, 02 Dec 2011 17:36:28 -0700
2019+
2020+apache2 (2.2.21-2ubuntu1) precise; urgency=low
2021+
2022+ * Merge from debian unstable. Remaining changes:
2023+ - debian/{control, rules}: Enable PIE hardening.
2024+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2025+ - debian/control: Add bzr tag and point it to our tree
2026+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2027+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2028+ Plymouth aware passphrase dialog program ask-for-passphrase.
2029+
2030+ -- Chuck Short <zulcss@ubuntu.com> Fri, 14 Oct 2011 16:01:29 +0000
2031+
2032 apache2 (2.2.21-2) unstable; urgency=high
2033
2034 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
2035@@ -1881,6 +3522,19 @@ apache2 (2.2.21-1) unstable; urgency=low
2036
2037 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +0200
2038
2039+apache2 (2.2.20-1ubuntu1) oneiric; urgency=low
2040+
2041+ * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
2042+ Remaining changes:
2043+ - debian/{control, rules}: Enable PIE hardening.
2044+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2045+ - debian/control: Add bzr tag and point it to our tree
2046+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2047+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2048+ Plymouth aware passphrase dialog program ask-for-passphrase.
2049+
2050+ -- Steve Beattie <sbeattie@ubuntu.com> Tue, 06 Sep 2011 01:17:15 -0700
2051+
2052 apache2 (2.2.20-1) unstable; urgency=low
2053
2054 * New upstream release.
2055@@ -1903,6 +3557,18 @@ apache2 (2.2.19-2) unstable; urgency=high
2056
2057 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +0200
2058
2059+apache2 (2.2.19-1ubuntu1) oneiric; urgency=low
2060+
2061+ * Merge from debian unstable (LP: #787013). Remaining changes:
2062+ - debian/{control, rules}: Enable PIE hardening.
2063+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2064+ - debian/control: Add bzr tag and point it to our tree
2065+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2066+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2067+ Plymouth aware passphrase dialog program ask-for-passphrase.
2068+
2069+ -- Andres Rodriguez <andreserl@ubuntu.com> Mon, 23 May 2011 10:16:09 -0400
2070+
2071 apache2 (2.2.19-1) unstable; urgency=low
2072
2073 * New upstream release.
2074@@ -1920,6 +3586,18 @@ apache2 (2.2.19-1) unstable; urgency=low
2075
2076 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +0200
2077
2078+apache2 (2.2.17-3ubuntu1) oneiric; urgency=low
2079+
2080+ * Merge from debian unstable. Remaining changes:
2081+ - debian/{control, rules}: Enable PIE hardening.
2082+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2083+ - debian/control: Add bzr tag and point it to our tree
2084+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
2085+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2086+ Plymouth aware passphrase dialog program ask-for-passphrase.
2087+
2088+ -- Chuck Short <zulcss@ubuntu.com> Mon, 11 Apr 2011 02:13:30 +0100
2089+
2090 apache2 (2.2.17-3) unstable; urgency=low
2091
2092 * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
2093@@ -1946,6 +3624,18 @@ apache2 (2.2.17-2) unstable; urgency=high
2094
2095 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +0100
2096
2097+apache2 (2.2.17-1ubuntu1) natty; urgency=low
2098+
2099+ * Merge from debian unstable, remaining changes:
2100+ - debian/{control, rules}: Enable PIE hardening.
2101+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2102+ - debian/control: Add bzr tag and point it to our tree
2103+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
2104+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2105+ Plymouth aware passphrase dialog program ask-for-passphrase.
2106+
2107+ -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Feb 2011 13:02:08 -0500
2108+
2109 apache2 (2.2.17-1) unstable; urgency=low
2110
2111 * New upstream version
2112@@ -1954,6 +3644,32 @@ apache2 (2.2.17-1) unstable; urgency=low
2113
2114 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +0100
2115
2116+apache2 (2.2.16-6ubuntu3) natty; urgency=low
2117+
2118+ * debian/rules: Don't use "-fno-strict-aliasing" since it causes
2119+ apache FTBFS on amd64. (LP: #711293)
2120+
2121+ -- Chuck Short <zulcss@ubuntu.com> Tue, 01 Feb 2011 10:19:55 -0500
2122+
2123+apache2 (2.2.16-6ubuntu2) natty; urgency=low
2124+
2125+ * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug.
2126+ (LP: #697105)
2127+
2128+ -- Chuck Short <zulcss@ubuntu.com> Tue, 25 Jan 2011 11:14:58 -0500
2129+
2130+apache2 (2.2.16-6ubuntu1) natty; urgency=low
2131+
2132+ * Merge from debian unstable. Remaining changes:
2133+ - debian/{control, rules}: Enable PIE hardening.
2134+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2135+ - debian/control: Add bzr tag and point it to our tree
2136+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
2137+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2138+ Plymouth aware passphrase dialog program ask-for-passphrase.
2139+
2140+ -- Chuck Short <zulcss@ubuntu.com> Sun, 02 Jan 2011 06:05:51 +0000
2141+
2142 apache2 (2.2.16-6) unstable; urgency=low
2143
2144 * Also add $named to the secondary-init-script example.
2145@@ -1969,6 +3685,30 @@ apache2 (2.2.16-5) unstable; urgency=medium
2146
2147 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +0100
2148
2149+apache2 (2.2.16-4ubuntu2) natty; urgency=low
2150+
2151+ [Clint Byrum]
2152+ * Adding plymouth aware passphrase dialog program ask-for-passphrase.
2153+ (LP: #582963)
2154+ + debian/control: apache2.2-common depends on bash for ask-for-passphrase
2155+ + debian/config-dir/mods-available/ssl.conf:
2156+ - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase
2157+
2158+ [Chuck Short]
2159+ * Add apport hook. (LP: #609177)
2160+ + debian/apache2.py, debian/apache2.2-common.install
2161+
2162+ -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:43 -0500
2163+
2164+apache2 (2.2.16-4ubuntu1) natty; urgency=low
2165+
2166+ * Merge from debian unstable. Remaining changes:
2167+ - debian/{control, rules}: Enable PIE hardening.
2168+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2169+ - debian/control: Add bzr tag and point it to our tree
2170+
2171+ -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:41 -0500
2172+
2173 apache2 (2.2.16-4) unstable; urgency=medium
2174
2175 * Increase the mod_reqtimeout default timeouts to avoid potential problems
2176@@ -1979,6 +3719,15 @@ apache2 (2.2.16-4) unstable; urgency=medium
2177
2178 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +0100
2179
2180+apache2 (2.2.16-3ubuntu1) natty; urgency=low
2181+
2182+ * Merge from debian unstable. Remaining changes:
2183+ - debian/{control, rules}: Enable PIE hardening.
2184+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2185+ - debian/control: Add bzr tag and point it to our tree.
2186+
2187+ -- Chuck Short <zulcss@ubuntu.com> Tue, 12 Oct 2010 11:54:48 +0100
2188+
2189 apache2 (2.2.16-3) unstable; urgency=high
2190
2191 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
2192@@ -2001,6 +3750,30 @@ apache2 (2.2.16-2) unstable; urgency=low
2193
2194 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +0200
2195
2196+apache2 (2.2.16-1ubuntu3) maverick; urgency=low
2197+
2198+ * Revert "stty sane" to unbreak apache starting, this will have to be
2199+ fixed a different way. (LP: #626723)
2200+
2201+ -- Chuck Short <zulcss@ubuntu.com> Wed, 08 Sep 2010 08:33:17 -0400
2202+
2203+apache2 (2.2.16-1ubuntu2) maverick; urgency=low
2204+
2205+ * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a
2206+ password prompt when using apache-ssl. (LP: #582963)
2207+
2208+ -- Chuck Short <zulcss@ubuntu.com> Wed, 25 Aug 2010 09:25:05 -0400
2209+
2210+apache2 (2.2.16-1ubuntu1) maverick; urgency=low
2211+
2212+ * Merge from debian unstable. Remaining changes:
2213+ - debian/{control, rules}: Enable PIE hardening.
2214+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2215+ - debian/control: Add bzr tag and point it to our tree.
2216+ - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
2217+
2218+ -- Chuck Short <zulcss@ubuntu.com> Mon, 26 Jul 2010 20:21:37 +0100
2219+
2220 apache2 (2.2.16-1) unstable; urgency=medium
2221
2222 * Urgency medium for security fix.
2223@@ -2033,6 +3806,24 @@ apache2 (2.2.15-6) unstable; urgency=low
2224
2225 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +0200
2226
2227+apache2 (2.2.15-5ubuntu1) maverick; urgency=low
2228+
2229+ * Merge from debian unstable. Remaining changes:
2230+ - debian/{control, rules}: Enable PIE hardening.
2231+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2232+ - debian/control: Add bzr tag and point it to our tree.
2233+ - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
2234+ + Dropped:
2235+ - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
2236+ - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
2237+ - debian/config-dir/apache2.conf: Merged back from debian.
2238+ - mod-reqtimeout functionality: Merge back from debian.
2239+ - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
2240+ - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
2241+ - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.
2242+
2243+ -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 01:28:04 +0100
2244+
2245 apache2 (2.2.15-5) unstable; urgency=low
2246
2247 * Conflict with apache package as we now include apachectl. Closes: #579065
2248@@ -2153,6 +3944,80 @@ apache2 (2.2.14-6) unstable; urgency=low
2249
2250 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +0100
2251
2252+apache2 (2.2.14-5ubuntu8) lucid; urgency=low
2253+
2254+ * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
2255+ (LP: #562370)
2256+
2257+ -- Chuck Short <zulcss@ubuntu.com> Tue, 13 Apr 2010 15:09:57 -0400
2258+
2259+apache2 (2.2.14-5ubuntu7) lucid; urgency=low
2260+
2261+ * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
2262+ leaks by making sure to not destroy bucket brigades that have been created
2263+ by earlier filters. Backported from 2.2.15.
2264+ * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
2265+ has reached MaxClients until it has. Backported from 2.2.15
2266+ * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
2267+ more secure by adding Satisfy all. (Debian bug: #572075)
2268+ * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
2269+ debian/config2-dir/mods-available/reqtimeout.load,
2270+ debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the
2271+ mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
2272+ bug in apache. Enable it by default. (LP: #392759)
2273+
2274+ -- Chuck Short <zulcss@ubuntu.com> Mon, 05 Apr 2010 09:53:35 -0400
2275+
2276+apache2 (2.2.14-5ubuntu6) lucid; urgency=low
2277+
2278+ * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)
2279+
2280+ -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 09:41:11 -0400
2281+
2282+apache2 (2.2.14-5ubuntu5) lucid; urgency=low
2283+
2284+ * Revert 99-fix-mod-dav-permissions.dpatch
2285+
2286+ -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 07:55:46 -0400
2287+
2288+apache2 (2.2.14-5ubuntu4) lucid; urgency=low
2289+
2290+ * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when
2291+ downloading files from webdav (LP: #540747)
2292+ * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)
2293+
2294+ -- Chuck Short <zulcss@ubuntu.com> Mon, 29 Mar 2010 13:37:39 -0400
2295+
2296+apache2 (2.2.14-5ubuntu3) lucid; urgency=low
2297+
2298+ * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
2299+ - debian/patches/204_CVE-2010-0408.dpatch: return the right error code
2300+ in modules/proxy/mod_proxy_ajp.c.
2301+ - CVE-2010-0408
2302+ * SECURITY UPDATE: information disclosure via improper handling of
2303+ headers in subrequests
2304+ - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in
2305+ in server/protocol.c.
2306+ - CVE-2010-0434
2307+
2308+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Mar 2010 14:48:48 -0500
2309+
2310+apache2 (2.2.14-5ubuntu2) lucid; urgency=low
2311+
2312+ * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really
2313+ wacky options. (LP: #450501)
2314+
2315+ -- Chuck Short <zulcss@ubuntu.com> Mon, 08 Mar 2010 14:53:17 -0500
2316+
2317+apache2 (2.2.14-5ubuntu1) lucid; urgency=low
2318+
2319+ * Merge from debian testing. Remaining changes: LP: #506862
2320+ - debian/{control, rules}: Enable PIE hardening.
2321+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2322+ - debian/control: Add bzr tag and point it to our tree.
2323+
2324+ -- Bhavani Shankar <right2bhavi@gmail.com> Wed, 13 Jan 2010 14:28:41 +0530
2325+
2326 apache2 (2.2.14-5) unstable; urgency=low
2327
2328 * Security: Further mitigation for the TLS renegotation attack
2329@@ -2176,6 +4041,15 @@ apache2 (2.2.14-5) unstable; urgency=low
2330
2331 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +0100
2332
2333+apache2 (2.2.14-4ubuntu1) lucid; urgency=low
2334+
2335+ * Resynchronzie with Debian, remaining changes are:
2336+ - debian/{control, rules}: Enable PIE hardening.
2337+ - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
2338+ - debian/control: Add bzr tag and point it to our tree.
2339+
2340+ -- Chuck Short <zulcss@ubuntu.com> Wed, 23 Dec 2009 14:44:51 -0500
2341+
2342 apache2 (2.2.14-4) unstable; urgency=low
2343
2344 * Disable localized error pages again by default because they break
2345@@ -2226,6 +4100,17 @@ apache2 (2.2.14-2) unstable; urgency=medium
2346
2347 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +0100
2348
2349+apache2 (2.2.14-1ubuntu1) lucid; urgency=low
2350+
2351+ * Merge from debian testing, remaining changes:
2352+ - debian/{control, rules}: Enable PIE hardening.
2353+ - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
2354+ - debian/conrol: Add bzr tag and point it to our tree.
2355+ - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
2356+ Already applied upstream.
2357+
2358+ -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 00:29:03 +0000
2359+
2360 apache2 (2.2.14-1) unstable; urgency=low
2361
2362 * New upstream version:
2363@@ -2260,6 +4145,24 @@ apache2 (2.2.13-1) unstable; urgency=low
2364
2365 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +0200
2366
2367+apache2 (2.2.12-1ubuntu2) karmic; urgency=low
2368+
2369+ * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
2370+ - Fix potential segfaults with the use of the legacy ap_rputs() etc
2371+ interfaces, in cases where an output filter fails. This happens
2372+ frequently after CVE-2009-1891 got fixed. (LP: #409987)
2373+
2374+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 17 Aug 2009 15:38:47 -0400
2375+
2376+apache2 (2.2.12-1ubuntu1) karmic; urgency=low
2377+
2378+ * Merge from debian unstable, remaining changes:
2379+ - debian/{control,rules}: enable PIE hardening.
2380+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2381+ - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.
2382+
2383+ -- Chuck Short <zulcss@ubuntu.com> Tue, 04 Aug 2009 20:04:24 +0100
2384+
2385 apache2 (2.2.12-1) unstable; urgency=low
2386
2387 * New upstream release:
2388@@ -2307,6 +4210,16 @@ apache2 (2.2.12-1) unstable; urgency=low
2389
2390 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +0200
2391
2392+apache2 (2.2.11-7ubuntu1) karmic; urgency=low
2393+
2394+ * Merge from debian unstable, remaining changes: LP: #398130
2395+ - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
2396+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2397+ - debian/{control,rules}: enable PIE hardening.
2398+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2399+
2400+ -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 11 Jul 2009 16:34:32 +0530
2401+
2402 apache2 (2.2.11-7) unstable; urgency=low
2403
2404 * Security fixes:
2405@@ -2321,6 +4234,16 @@ apache2 (2.2.11-7) unstable; urgency=low
2406
2407 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +0200
2408
2409+apache2 (2.2.11-6ubuntu1) karmic; urgency=low
2410+
2411+ * Merge from debian unstable, remaining changes:
2412+ - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
2413+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2414+ - debian/{control,rules}: enable PIE hardening.
2415+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2416+
2417+ -- Chuck Short <zulcss@ubuntu.com> Tue, 09 Jun 2009 01:01:23 +0100
2418+
2419 apache2 (2.2.11-6) unstable; urgency=high
2420
2421 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
2422@@ -2329,6 +4252,16 @@ apache2 (2.2.11-6) unstable; urgency=high
2423
2424 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +0200
2425
2426+apache2 (2.2.11-5ubuntu1) karmic; urgency=low
2427+
2428+ * Merge from debian unstable, remaining changes:
2429+ - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2430+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2431+ - debian/{control,rules}: enable PIE hardening.
2432+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2433+
2434+ -- Andrew Mitchell <ajmitch@ubuntu.com> Wed, 03 Jun 2009 14:10:54 +1200
2435+
2436 apache2 (2.2.11-5) unstable; urgency=low
2437
2438 * Move all binaries into a new package apache2.2-bin and make
2439@@ -2377,6 +4310,16 @@ apache2 (2.2.11-4) unstable; urgency=low
2440
2441 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +0200
2442
2443+apache2 (2.2.11-3ubuntu1) karmic; urgency=low
2444+
2445+ * Merge from debian unstable, remaining changes:
2446+ - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2447+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2448+ - debian/{control,rules}: enable PIE hardening.
2449+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2450+
2451+ -- Andrew Mitchell <ajmitch@ubuntu.com> Tue, 12 May 2009 16:15:34 +1200
2452+
2453 apache2 (2.2.11-3) unstable; urgency=low
2454
2455 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
2456@@ -2385,6 +4328,21 @@ apache2 (2.2.11-3) unstable; urgency=low
2457
2458 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +0200
2459
2460+apache2 (2.2.11-2ubuntu2) jaunty; urgency=low
2461+
2462+ * debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2463+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2464+
2465+ -- Chuck Short <zulcss@ubuntu.com> Wed, 01 Apr 2009 11:39:17 -0400
2466+
2467+apache2 (2.2.11-2ubuntu1) jaunty; urgency=low
2468+
2469+ * Merge from debian unstable, remaining changes:
2470+ - debian/{contro,rules}: enable PIE hardening.
2471+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2472+
2473+ -- Chuck Short <zulcss@ubuntu.com> Sat, 17 Jan 2009 00:02:55 +0000
2474+
2475 apache2 (2.2.11-2) unstable; urgency=low
2476
2477 * Report an error instead instead of segfaulting when apr_pollset_create
2478@@ -2394,6 +4352,14 @@ apache2 (2.2.11-2) unstable; urgency=low
2479
2480 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +0100
2481
2482+apache2 (2.2.11-1ubuntu1) jaunty; urgency=low
2483+
2484+ * Merge from debian unstable, remaining changes:
2485+ - debian/{control, rules}: enable PIE hardening.
2486+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2487+
2488+ -- Chuck Short <zulcss@ubuntu.com> Mon, 15 Dec 2008 00:06:50 +0000
2489+
2490 apache2 (2.2.11-1) unstable; urgency=low
2491
2492 [Thom May]
2493@@ -2408,6 +4374,14 @@ apache2 (2.2.11-1) unstable; urgency=low
2494
2495 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +0100
2496
2497+apache2 (2.2.9-11ubuntu1) jaunty; urgency=low
2498+
2499+ * Merge from debian unstable, remaining changes: (LP: #303375)
2500+ - debian/{control, rules}: enable PIE hardening.
2501+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2502+
2503+ -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 29 Nov 2008 14:02:31 +0530
2504+
2505 apache2 (2.2.9-11) unstable; urgency=low
2506
2507 * Regression fix from upstream svn for mod_proxy:
2508@@ -2422,6 +4396,14 @@ apache2 (2.2.9-11) unstable; urgency=low
2509
2510 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +0100
2511
2512+apache2 (2.2.9-10ubuntu1) jaunty; urgency=low
2513+
2514+ * Merge from debian unstable, remaining changes:
2515+ - debian/{control, rules}: enable PIE hardening.
2516+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2517+
2518+ -- Chuck Short <zulcss@ubuntu.com> Wed, 05 Nov 2008 02:23:18 -0400
2519+
2520 apache2 (2.2.9-10) unstable; urgency=low
2521
2522 * Regression fix from upstream svn for mod_proxy_http:
2523@@ -2452,6 +4434,27 @@ apache2 (2.2.9-8) unstable; urgency=low
2524
2525 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +0200
2526
2527+apache2 (2.2.9-7ubuntu3) intrepid; urgency=low
2528+
2529+ * Revert logrotate change since it will break it for everyone.
2530+
2531+ -- Chuck Short <zulcss@ubuntu.com> Fri, 19 Sep 2008 09:32:01 -0400
2532+
2533+apache2 (2.2.9-7ubuntu2) intrepid; urgency=low
2534+
2535+ * debian/logrotate: Restart rather than reload for busy websites.
2536+ (LP: #270899)
2537+
2538+ -- Chuck Short <zulcss@ubuntu.com> Thu, 18 Sep 2008 08:42:22 -0400
2539+
2540+apache2 (2.2.9-7ubuntu1) intrepid; urgency=low
2541+
2542+ * Merge from debian unstable, remaining changes:
2543+ - debian/{control,rules}: enable PIE hardening.
2544+ - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles.
2545+
2546+ -- Kees Cook <kees@ubuntu.com> Thu, 28 Aug 2008 08:10:59 -0700
2547+
2548 apache2 (2.2.9-7) unstable; urgency=low
2549
2550 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).
2551@@ -2494,6 +4497,23 @@ apache2 (2.2.9-4) unstable; urgency=low
2552
2553 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +0200
2554
2555+apache2 (2.2.9-3ubuntu2) intrepid; urgency=low
2556+
2557+ * add ufw integration (see
2558+ https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages)
2559+ (LP: #261198)
2560+ - debian/control: suggest ufw for apache2.2-common
2561+ - add apache2.2-common.ufw.profile with 3 profiles and install it to
2562+ /etc/ufw/applications.d/apache2.2-common
2563+
2564+ -- Didier Roche <didrocks@ubuntu-fr.org> Tue, 26 Aug 2008 19:03:42 +0200
2565+
2566+apache2 (2.2.9-3ubuntu1) intrepid; urgency=low
2567+
2568+ * debian/{control,rules}: enable PIE hardening
2569+
2570+ -- Kees Cook <kees@ubuntu.com> Wed, 20 Aug 2008 15:45:00 -0700
2571+
2572 apache2 (2.2.9-3) unstable; urgency=low
2573
2574 [ Stefan Fritsch ]
2575@@ -4064,9 +6084,7 @@ apache2 (2.0.37-1) unstable; urgency=low
2576 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +0100
2577
2578 apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low
2579-
2580 * New upstream release
2581-
2582 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +0100
2583
2584 apache2 (2.0.36-2) unstable; urgency=low
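Review bot: the two removed lines in the apache2 (2.0.37+cvs.JCW_PRE2_2037-1) entry are the empty separators after the header line and before the trailer, in an old entry this merge has no stated reason to touch. Restore them so the entry keeps the header / blank / changes / blank / trailer layout of its neighbours and the changelog differs from Debian's only by the added Ubuntu entries.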
2585@@ -4574,3 +6592,4 @@ apache2 (2.0.18-1) unstable; urgency=low
2586 * Initial Release.
2587
2588 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +1000
2589+
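Review bot: the only change in this hunk is an empty line added after the final trailer (Daniel Stone, 2.0.18-1) at the end of debian/changelog, which is whitespace-only delta against Debian. Drop it unless it is intentional, so it does not have to be carried through every future merge.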
2590diff --git a/debian/control b/debian/control
2591index af2505a..900f549 100644
2592--- a/debian/control
2593+++ b/debian/control
2594@@ -1,5 +1,6 @@
2595 Source: apache2
2596-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
2597+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
2598+XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
2599 Uploaders: Stefan Fritsch <sf@debian.org>,
2600 Arno Töll <arno@debian.org>,
2601 Ondřej Surý <ondrej@debian.org>,
2602@@ -44,7 +45,8 @@ Depends: apache2-bin (= ${binary:Version}),
2603 Recommends: ssl-cert
2604 Suggests: apache2-doc,
2605 apache2-suexec-pristine | apache2-suexec-custom,
2606- www-browser
2607+ www-browser,
2608+ ufw
2609 Pre-Depends: ${misc:Pre-Depends}
2610 Provides: httpd,
2611 httpd-cgi
2612diff --git a/debian/icons/ubuntu-logo.png b/debian/icons/ubuntu-logo.png
2613new file mode 100644
2614index 0000000..eee686c
2615Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ
2616diff --git a/debian/index.html b/debian/index.html
2617index 766401d..9c90ef4 100644
2618--- a/debian/index.html
2619+++ b/debian/index.html
2620@@ -1,9 +1,13 @@
2621-
2622 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2623 <html xmlns="http://www.w3.org/1999/xhtml">
2624+ <!--
2625+ Modified from the Debian original for Ubuntu
2626+ Last updated: 2022-03-22
2627+ See: https://launchpad.net/bugs/1966004
2628+ -->
2629 <head>
2630 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
2631- <title>Apache2 Debian Default Page: It works</title>
2632+ <title>Apache2 Ubuntu Default Page: It works</title>
2633 <style type="text/css" media="screen">
2634 * {
2635 margin: 0px 0px 0px 0px;
2636@@ -15,7 +19,7 @@
2637
2638 background-color: #D8DBE2;
2639
2640- font-family: Verdana, sans-serif;
2641+ font-family: Ubuntu, Verdana, sans-serif;
2642 font-size: 11pt;
2643 text-align: center;
2644 }
2645@@ -41,7 +45,7 @@
2646 }
2647
2648 div.page_header {
2649- height: 99px;
2650+ height: 180px;
2651 width: 100%;
2652
2653 background-color: #F5F6F7;
2654@@ -60,6 +64,19 @@
2655 border: 0px 0px 0px;
2656 }
2657
2658+ div.banner {
2659+ padding: 9px 6px 9px 6px;
2660+ background-color: #E9510E;
2661+ color: #FFFFFF;
2662+ font-weight: bold;
2663+ font-size: 112%;
2664+ text-align: center;
2665+ position: absolute;
2666+ left: 40%;
2667+ bottom: 30px;
2668+ width: 20%;
2669+ }
2670+
2671 div.table_of_contents {
2672 clear: left;
2673
2674@@ -136,10 +153,6 @@
2675 text-align: center;
2676 }
2677
2678- div.section_header_red {
2679- background-color: #CD214F;
2680- }
2681-
2682 div.section_header_grey {
2683 background-color: #9F9386;
2684 }
2685@@ -188,46 +201,31 @@
2686 <body>
2687 <div class="main_page">
2688 <div class="page_header floating_element">
2689- <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/>
2690- <span class="floating_element">
2691- Apache2 Debian Default Page
2692- </span>
2693- </div>
2694-<!-- <div class="table_of_contents floating_element">
2695- <div class="section_header section_header_grey">
2696- TABLE OF CONTENTS
2697- </div>
2698- <div class="table_of_contents_item floating_element">
2699- <a href="#about">About</a>
2700- </div>
2701- <div class="table_of_contents_item floating_element">
2702- <a href="#changes">Changes</a>
2703- </div>
2704- <div class="table_of_contents_item floating_element">
2705- <a href="#scope">Scope</a>
2706- </div>
2707- <div class="table_of_contents_item floating_element">
2708- <a href="#files">Config files</a>
2709+ <img src="icons/ubuntu-logo.png" alt="Ubuntu Logo"
2710+ style="width:184px;height:146px;" class="floating_element" />
2711+ <div>
2712+ <span style="margin-top: 1.5em;" class="floating_element">
2713+ Apache2 Default Page
2714+ </span>
2715 </div>
2716- </div>
2717--->
2718- <div class="content_section floating_element">
2719-
2720-
2721- <div class="section_header section_header_red">
2722+ <div class="banner">
2723 <div id="about"></div>
2724 It works!
2725 </div>
2726+
2727+ </div>
2728+ <div class="content_section floating_element">
2729 <div class="content_section_text">
2730 <p>
2731 This is the default welcome page used to test the correct
2732- operation of the Apache2 server after installation on Debian systems.
2733+ operation of the Apache2 server after installation on Ubuntu systems.
2734+ It is based on the equivalent page on Debian, from which the Ubuntu Apache
2735+ packaging is derived.
2736 If you can read this page, it means that the Apache HTTP server installed at
2737 this site is working properly. You should <b>replace this file</b> (located at
2738 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.
2739 </p>
2740
2741-
2742 <p>
2743 If you are a normal user of this web site and don't know what this page is
2744 about, this probably means that the site is currently unavailable due to
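Review bot: the logo `src` changes from the absolute `/icons/openlogo-75.png` to the relative `icons/ubuntu-logo.png`, so the image now resolves against the directory the page is served from instead of the server-wide /icons/ path the old reference used. If that is deliberate, note the reason in the changelog; otherwise keep the leading slash. The fixed dimensions and margin in the two inline `style` attributes would also sit better as rules in the stylesheet at the top of the file, next to the new `div.banner` block.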
2745@@ -242,18 +240,17 @@
2746 </div>
2747 <div class="content_section_text">
2748 <p>
2749- Debian's Apache2 default configuration is different from the
2750+ Ubuntu's Apache2 default configuration is different from the
2751 upstream default configuration, and split into several files optimized for
2752- interaction with Debian tools. The configuration system is
2753+ interaction with Ubuntu tools. The configuration system is
2754 <b>fully documented in
2755 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full
2756 documentation. Documentation for the web server itself can be
2757 found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt>
2758 package was installed on this server.
2759-
2760 </p>
2761 <p>
2762- The configuration layout for an Apache2 web server installation on Debian systems is as follows:
2763+ The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:
2764 </p>
2765 <pre>
2766 /etc/apache2/
2767@@ -308,9 +305,12 @@
2768 </li>
2769
2770 <li>
2771- The binary is called apache2. Due to the use of
2772- environment variables, in the default configuration, apache2 needs to be
2773- started/stopped with <tt>/etc/init.d/apache2</tt> or <tt>apache2ctl</tt>.
2774+ The binary is called apache2 and is managed using systemd, so to
2775+ start/stop the service use <tt>systemctl start apache2</tt> and
2776+ <tt>systemctl stop apache2</tt>, and use <tt>systemctl status apache2</tt>
2777+ and <tt>journalctl -u apache2</tt> to check status. <tt>system</tt>
2778+ and <tt>apache2ctl</tt> can also be used for service management if
2779+ desired.
2780 <b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the
2781 default configuration.
2782 </li>
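Review bot: `<tt>system</tt>` in the added sentence "`system` and `apache2ctl` can also be used for service management" looks like a typo for `service`. The rewrite also drops the "Due to the use of environment variables" clause, which leaves the retained warning that calling /usr/bin/apache2 directly will not work without its reason; consider keeping that explanation alongside the systemctl instructions.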
2783@@ -324,8 +324,8 @@
2784
2785 <div class="content_section_text">
2786 <p>
2787- By default, Debian does not allow access through the web browser to
2788- <em>any</em> file apart of those located in <tt>/var/www</tt>,
2789+ By default, Ubuntu does not allow access through the web browser to
2790+ <em>any</em> file outside of those located in <tt>/var/www</tt>,
2791 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
2792 directories (when enabled) and <tt>/usr/share</tt> (for web
2793 applications). If your site is using a web document root
2794@@ -333,9 +333,8 @@
2795 document root directory in <tt>/etc/apache2/apache2.conf</tt>.
2796 </p>
2797 <p>
2798- The default Debian document root is <tt>/var/www/html</tt>. You
2799- can make your own virtual hosts under /var/www. This is different
2800- to previous releases which provides better security out of the box.
2801+ The default Ubuntu document root is <tt>/var/www/html</tt>. You
2802+ can make your own virtual hosts under /var/www.
2803 </p>
2804 </div>
2805
2806@@ -345,24 +344,20 @@
2807 </div>
2808 <div class="content_section_text">
2809 <p>
2810- Please use the <tt>reportbug</tt> tool to report bugs in the
2811- Apache2 package with Debian. However, check <a
2812- href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"
2813+ Please use the <tt>ubuntu-bug</tt> tool to report bugs in the
2814+ Apache2 package with Ubuntu. However, check <a
2815+ href="https://bugs.launchpad.net/ubuntu/+source/apache2"
2816 rel="nofollow">existing bug reports</a> before reporting a new bug.
2817 </p>
2818 <p>
2819 Please report bugs specific to modules (such as PHP and others)
2820- to respective packages, not to the web server itself.
2821+ to their respective packages, not to the web server itself.
2822 </p>
2823 </div>
2824
2825-
2826-
2827-
2828 </div>
2829 </div>
2830 <div class="validator">
2831 </div>
2832 </body>
2833 </html>
2834-
2835diff --git a/debian/source/include-binaries b/debian/source/include-binaries
2836index d617b1d..823d9c0 100644
2837--- a/debian/source/include-binaries
2838+++ b/debian/source/include-binaries
2839@@ -17,6 +17,7 @@ debian/icons/odf6otp-20x22.png
2840 debian/icons/odf6ots-20x22.png
2841 debian/icons/odf6ott-20x22.png
2842 debian/icons/openlogo-75.png
2843+debian/icons/ubuntu-logo.png
2844 debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml
2845 debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php
2846 debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml
