Merge ~bryce/ubuntu/+source/apache2:merge-v2.4.54-3-lunar into ubuntu/+source/apache2:debian/sid

Proposed by Bryce Harrington
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: git-ubuntu bot
Merged at revision: 41d5df1e18b8e7167aa892ce2cf29370826fba13
Proposed branch: ~bryce/ubuntu/+source/apache2:merge-v2.4.54-3-lunar
Merge into: ubuntu/+source/apache2:debian/sid
Diff against target: 2868 lines (+2159/-60)
10 files modified
debian/apache2-bin.install (+1/-0)
debian/apache2-utils.ufw.profile (+14/-0)
debian/apache2.dirs (+1/-0)
debian/apache2.install (+1/-0)
debian/apache2.postrm (+2/-0)
debian/apache2.py (+48/-0)
debian/changelog (+2036/-2)
debian/control (+4/-2)
debian/index.html (+51/-56)
debian/source/include-binaries (+1/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Sergio Durigan Junior (community) Approve
Canonical Server Reporter Pending
Review via email: mp+433316@code.launchpad.net

Description of the change

Fairly trivial merge of 2.4.54-3, to pick up one minor fix for alias /manual. The delta is all ubuntu-specific and so is just carried forward. Upstream releases every few months and last release was in June so I expect to be re-merging this at least once more this cycle.

PPA with test packages: https://launchpad.net/~bryce/+archive/ubuntu/apache2-merge-v2.4.54-3

    $ sudo add-apt-repository -yus ppa:bryce/apache2-merge-v2.4.54-3
    $ sudo apt-get install apache2

* gnome-terminal
  - lp-test-ppa ppa:bryce/apache2-merge-v2.4.54-3 --release lunar --showpass

* Results:
  - apache2/2.4.54-3ubuntu1~lunar1
    + ✅ apache2 on lunar for amd64 @ 18.11.22 21:49:18 Log️ 🗒️
    + ✅ apache2 on lunar for arm64 @ 18.11.22 21:54:28 Log️ 🗒️
    + ✅ apache2 on lunar for armhf @ 18.11.22 21:19:11 Log️ 🗒️
    + ❌ apache2 on lunar for i386 @ 18.11.22 21:48:17 Log️ 🗒️
      • run-test-suite FAIL 🟥
      • duplicate-module-load PASS 🟩
      • default-mods PASS 🟩
      • htcacheclean PASS 🟩
      • ssl-passphrase PASS 🟩
      • check-http2 PASS 🟩
      • chroot FAIL 🟥
    + ✅ apache2 on lunar for ppc64el @ 18.11.22 21:37:09 Log️ 🗒️
    + ✅ apache2 on lunar for s390x @ 18.11.22 21:04:39 Log️ 🗒️

The issues on i386 are assuredly just the usual flaky test situation apache2 is plagued with, but I've re-triggered to double-check.

Usual tags pushed for review:
  - tags/old/debian 5a3995743
  - tags/new/debian 36f5aa2f1
  - tags/old/ubuntu 7056ded95
  - tags/logical/2.4.54-2ubuntu1 e80266d97
  - tags/reconstruct/2.4.54-2ubuntu1 eb8dddba3
  - tags/split/2.4.54-2ubuntu1 f0bac5dcc

Sergio Durigan Junior (sergiodj) wrote :

I'm taking this one.

Sergio Durigan Junior (sergiodj) wrote :

Thanks for the MP, Bryce.

Indeed, trivial merge it seems. Changes seem OK, builds finished without problems, dep8 tests seem OK modulo the usual flaky ones. d/changelog entry is alright. LGTM, +1.

Thanks.

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: bryce, sergiodj
Uploaders: bryce, sergiodj
MP auto-approved

review: Approve
Bryce Harrington (bryce) wrote :

Thanks Sergio, uploaded

Vcs-Git: https://git.launchpad.net/~bryce/ubuntu/+source/apache2
Vcs-Git-Commit: 41d5df1e18b8e7167aa892ce2cf29370826fba13
Vcs-Git-Ref: refs/heads/merge-v2.4.54-3-lunar
$ dput ubuntu ../apache2_2.4.54-3ubuntu1_source.changes
D: Setting host argument.
Checking signature on .changes
Checking signature on .dsc
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.54-3ubuntu1.dsc: done.
  Uploading apache2_2.4.54.orig.tar.gz: done.
  Uploading apache2_2.4.54-3ubuntu1.debian.tar.xz: done.
  Uploading apache2_2.4.54-3ubuntu1_source.buildinfo: done.
  Uploading apache2_2.4.54-3ubuntu1_source.changes: done.
Successfully uploaded packages.

The i386 tests failed again on retry, but I still think it's flaky tests. I'll keep an eye on if it fails in -proposed.

Preview Diff

1diff --git a/debian/apache2-bin.install b/debian/apache2-bin.install
2index 63c573f..3d1bdf1 100644
3--- a/debian/apache2-bin.install
4+++ b/debian/apache2-bin.install
5@@ -1,2 +1,3 @@
6 /usr/lib/apache2/modules/
7 /usr/sbin/apache2
8+debian/apache2.py usr/share/apport/package-hooks
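Review bot: the hook is installed under the name apache2.py, but the line that installs it sits in apache2-bin.install, the package that also ships /usr/sbin/apache2. apport selects package hooks by binary package name (or source_<srcpkg>.py for a whole source package), so a crash report attributed to apache2-bin would not load a hook named apache2.py. Consider installing it as source_apache2.py, or confirm that only reports filed against the apache2 package are meant to be covered.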
9diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile
10new file mode 100644
11index 0000000..974a655
12--- /dev/null
13+++ b/debian/apache2-utils.ufw.profile
14@@ -0,0 +1,14 @@
15+[Apache]
16+title=Web Server
17+description=Apache v2 is the next generation of the omnipresent Apache web server.
18+ports=80/tcp
19+
20+[Apache Secure]
21+title=Web Server (HTTPS)
22+description=Apache v2 is the next generation of the omnipresent Apache web server.
23+ports=443/tcp
24+
25+[Apache Full]
26+title=Web Server (HTTP,HTTPS)
27+description=Apache v2 is the next generation of the omnipresent Apache web server.
28+ports=80,443/tcp
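Review bot: all three sections carry the same description= text, so [Apache], [Apache Secure] and [Apache Full] differ only by title and ports when a user inspects them. A description per profile that states which ports it opens (80/tcp, 443/tcp, or both) would make the choice clearer, in particular that [Apache] allows plaintext HTTP only.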
29diff --git a/debian/apache2.dirs b/debian/apache2.dirs
30index 6089013..1aa6d3c 100644
31--- a/debian/apache2.dirs
32+++ b/debian/apache2.dirs
33@@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk
34 var/lib/apache2
35 var/log/apache2
36 var/www/html
37+/etc/ufw/applications.d/apache2
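Review bot: the added entry /etc/ufw/applications.d/apache2 has a leading slash, unlike the relative entries around it (var/lib/apache2, var/log/apache2, var/www/html), and it creates a directory named apache2 inside applications.d, while debian/apache2.install places the profile file directly in /etc/ufw/applications.d/. If nothing is installed into that subdirectory, the entry should read etc/ufw/applications.d or be dropped.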
38diff --git a/debian/apache2.install b/debian/apache2.install
39index b6ad789..92865fc 100644
40--- a/debian/apache2.install
41+++ b/debian/apache2.install
42@@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2
43 debian/config-dir/envvars /etc/apache2
44 debian/config-dir/magic /etc/apache2
45 debian/debhelper/apache2-maintscript-helper /usr/share/apache2/
46+debian/apache2-utils.ufw.profile /etc/ufw/applications.d/
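Review bot: the source file is named apache2-utils.ufw.profile but it is installed from apache2.install, so the apache2 package ships a file in /etc/ufw/applications.d/ that is named after a different package. Naming it for the package that owns it, or adding a comment on why the apache2-utils name is kept, would avoid confusion when tracing the file back to its owner.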
47diff --git a/debian/apache2.postrm b/debian/apache2.postrm
48index a68583c..4a22601 100644
49--- a/debian/apache2.postrm
50+++ b/debian/apache2.postrm
51@@ -33,6 +33,8 @@ is_default_index_html () {
52 776221a94e5a174dc2396c0f3f6b6a74
53 c481228d439cbb54bdcedbaec5bbb11a
54 e2620d4a5a0f8d80dd4b16de59af981f
55+ 3526531ccd6c6a1d2340574a305a18f8
56+ 720999b43a3be0674180354ac41f20b1
57 EOF
58 }
59
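Review bot: the two MD5 sums added to the list in is_default_index_html carry no indication of which index.html revision each one belongs to, which makes the list hard to audit the next time the page is refreshed. A short comment or changelog reference per checksum would help. It is also worth confirming that one of them matches the debian/index.html changed in this same merge, since postrm relies on this list to recognise an unmodified default page.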
60diff --git a/debian/apache2.py b/debian/apache2.py
61new file mode 100644
62index 0000000..a9fb9d8
63--- /dev/null
64+++ b/debian/apache2.py
65@@ -0,0 +1,48 @@
66+#!/usr/bin/python
67+
68+'''apport hook for apache2
69+
70+(c) 2010 Adam Sommer.
71+Author: Adam Sommer <asommer@ubuntu.com>
72+
73+This program is free software; you can redistribute it and/or modify it
74+under the terms of the GNU General Public License as published by the
75+Free Software Foundation; either version 2 of the License, or (at your
76+option) any later version. See http://www.gnu.org/copyleft/gpl.html for
77+the full text of the license.
78+'''
79+
80+from apport.hookutils import *
81+import os
82+
83+SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/'
84+
85+def add_info(report, ui):
86+ if os.path.isdir(SITES_ENABLED_DIR):
87+ response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory "
88+ "may help developers diagnose your bug more "
89+ "quickly. However, it may contain sensitive "
90+ "information. Do you want to include it in your "
91+ "bug report?")
92+
93+ if response == None: # user cancelled
94+ raise StopIteration
95+
96+ elif response == True:
97+ # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d
98+ for conf_file in os.listdir(SITES_ENABLED_DIR):
99+ attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file)
100+
101+ try:
102+ report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d'))
103+ except OSError:
104+ report['Apache2ConfdDirListing'] = str(False)
105+
106+ # Attach default config files if changed.
107+ attach_conffiles(report, 'apache2', conffiles=None)
108+
109+ # Attach the error.log file.
110+ attach_file(report, '/var/log/apache2/error.log', key='error.log')
111+
112+ # Get loaded modules.
113+ report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES'])
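Review bot: the ui.yesno() prompt asks for consent only for the contents of SITES_ENABLED_DIR, yet the hook also adds the /etc/apache2/conf.d listing, changed conffiles via attach_conffiles(), /var/log/apache2/error.log and the module list, none of which the prompt mentions. Error logs and modified configuration can hold hostnames, paths and client addresses, so either name them in the prompt or gate them behind the same answer. Separately, '-D DUMP_MODULES' is passed to root_command_output() as one argv element containing a space; passing '-D' and 'DUMP_MODULES' as two elements would not rely on apachectl re-splitting its arguments.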
114diff --git a/debian/changelog b/debian/changelog
115index b3dada2..9ea763a 100644
116--- a/debian/changelog
117+++ b/debian/changelog
118@@ -1,3 +1,18 @@
119+apache2 (2.4.54-3ubuntu1) lunar; urgency=medium
120+
121+ * Merge with Debian unstable (LP: #1993373). Remaining changes:
122+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
123+ d/source/include-binaries: Replace Debian with Ubuntu on default
124+ homepage.
125+ (LP #1966004)
126+ - d/apache2.py, d/apache2-bin.install: Add apport hook
127+ (LP #609177)
128+ - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
129+ d/apache2.dirs: Add ufw profiles
130+ (LP #261198)
131+
132+ -- Bryce Harrington <bryce@canonical.com> Wed, 16 Nov 2022 16:44:44 -0800
133+
134 apache2 (2.4.54-3) unstable; urgency=medium
135
136 [ Hendrik Jäger ]
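Review bot: the 2.4.54-3ubuntu1 entry lists d/icons/ubuntu-logo.png among the remaining changes, but the file list for this proposal shows only debian/source/include-binaries (+1/-0) and no entry for the icon itself. Please confirm the binary is present in the branch, since binary files may simply be omitted from the preview diff.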
137@@ -6,6 +21,21 @@ apache2 (2.4.54-3) unstable; urgency=medium
138
139 -- Yadd <yadd@debian.org> Wed, 12 Oct 2022 09:20:52 +0200
140
141+apache2 (2.4.54-2ubuntu1) kinetic; urgency=medium
142+
143+ * Merge with Debian unstable (LP: #1982048). Remaining changes:
144+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
145+ d/source/include-binaries: Replace Debian with Ubuntu on default
146+ homepage.
147+ (LP #1966004)
148+ - d/apache2.py, d/apache2-bin.install: Add apport hook
149+ (LP #609177)
150+ - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
151+ d/apache2.dirs: Add ufw profiles
152+ (LP #261198)
153+
154+ -- Bryce Harrington <bryce@canonical.com> Thu, 21 Jul 2022 19:38:00 +0000
155+
156 apache2 (2.4.54-2) unstable; urgency=medium
157
158 * Move cgid socket into a writeable directory (Closes: #1014056)
159@@ -32,6 +62,48 @@ apache2 (2.4.54-1) unstable; urgency=medium
160
161 -- Yadd <yadd@debian.org> Thu, 09 Jun 2022 06:33:53 +0200
162
163+apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium
164+
165+ * Merge with Debian unstable (LP: #1971248). Remaining changes:
166+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
167+ apache2.dirs}: Add ufw profiles.
168+ (LP 261198)
169+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
170+ (LP 609177)
171+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
172+ d/s/include-binaries: replace Debian with Ubuntu on default
173+ page and add Ubuntu icon file.
174+ (LP 1288690)
175+ - d/index.html, d/icons/ubuntu-logo.png: Refresh page design and
176+ new logo
177+ (LP 1966004)
178+ - d/apache2.postrm: Include md5 sum for updated index.html
179+ * Dropped:
180+ - OOB read in mod_lua via crafted request body
181+ + d/p/CVE-2022-22719.patch: error out if lua_read_body() or
182+ lua_write_body() fail in modules/lua/lua_request.c.
183+ [Fixed in 2.4.53 upstream]
184+ - HTTP Request Smuggling via error discarding the
185+ request body
186+ + d/p/CVE-2022-22720.patch: simpler connection close logic
187+ if discarding the request body fails in modules/http/http_filters.c,
188+ server/protocol.c.
189+ [Fixed in 2.4.53 upstream]
190+ - overflow via large LimitXMLRequestBody
191+ + d/p/CVE-2022-22721.patch: make sure and check that
192+ LimitXMLRequestBody fits in system memory in server/core.c,
193+ server/util.c, server/util_xml.c.
194+ [Fixed in 2.4.53 upstream]
195+ - out-of-bounds write in mod_sed
196+ + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger
197+ buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
198+ modules/filters/mod_sed.c, modules/filters/sed1.c.
199+ + d/p/CVE-2022-23943-2.patch: improve the logic flow in
200+ modules/filters/mod_sed.c.
201+ [Fixed in 2.4.53 upstream]
202+
203+ -- Bryce Harrington <bryce@canonical.com> Mon, 23 May 2022 19:34:18 -0700
204+
205 apache2 (2.4.53-2) unstable; urgency=medium
206
207 * Clean useless Conflicts/Replace
208@@ -67,6 +139,79 @@ apache2 (2.4.52-2) experimental; urgency=medium
209
210 -- Yadd <yadd@debian.org> Tue, 28 Dec 2021 20:01:43 +0100
211
212+apache2 (2.4.52-1ubuntu4) jammy; urgency=medium
213+
214+ * d/apache2.postrm: Include md5 sum for updated index.html
215+
216+ -- Bryce Harrington <bryce@canonical.com> Thu, 24 Mar 2022 17:35:40 -0700
217+
218+apache2 (2.4.52-1ubuntu3) jammy; urgency=medium
219+
220+ * d/index.html:
221+ - Redesign page's heading for the new logo
222+ - Use the Ubuntu font where available
223+ - Update service management directions
224+ - Copyedit grammar
225+ - Light reformatting and whitespace cleanup
226+ * d/icons/ubuntu-logo.png: Refresh ubuntu logo
227+ (LP: #1966004)
228+
229+ -- Bryce Harrington <bryce@canonical.com> Wed, 23 Mar 2022 16:18:11 -0700
230+
231+apache2 (2.4.52-1ubuntu2) jammy; urgency=medium
232+
233+ * SECURITY UPDATE: OOB read in mod_lua via crafted request body
234+ - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
235+ lua_write_body() fail in modules/lua/lua_request.c.
236+ - CVE-2022-22719
237+ * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
238+ request body
239+ - debian/patches/CVE-2022-22720.patch: simpler connection close logic
240+ if discarding the request body fails in modules/http/http_filters.c,
241+ server/protocol.c.
242+ - CVE-2022-22720
243+ * SECURITY UPDATE: overflow via large LimitXMLRequestBody
244+ - debian/patches/CVE-2022-22721.patch: make sure and check that
245+ LimitXMLRequestBody fits in system memory in server/core.c,
246+ server/util.c, server/util_xml.c.
247+ - CVE-2022-22721
248+ * SECURITY UPDATE: out-of-bounds write in mod_sed
249+ - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
250+ buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
251+ modules/filters/mod_sed.c, modules/filters/sed1.c.
252+ - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
253+ modules/filters/mod_sed.c.
254+ - CVE-2022-23943
255+
256+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Mar 2022 09:39:54 -0400
257+
258+apache2 (2.4.52-1ubuntu1) jammy; urgency=medium
259+
260+ * Merge with Debian unstable (LP: #1959924). Remaining changes:
261+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
262+ apache2.dirs}: Add ufw profiles.
263+ (LP 261198)
264+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
265+ (LP 609177)
266+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
267+ d/s/include-binaries: replace Debian with Ubuntu on default
268+ page and add Ubuntu icon file.
269+ (LP 1288690)
270+ * Dropped:
271+ - d/p/support-openssl3-*.patch: Backport various patches from
272+ https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
273+ failure to load when using OpenSSL 3.
274+ (LP #1951476)
275+ [Included in upstream release 2.4.52]
276+ - d/apache2ctl: Also use systemd for graceful if it is in use.
277+ (LP 1832182)
278+ [This introduced a performance regression.]
279+ - d/apache2ctl: Also use /run/systemd to check for systemd usage.
280+ (LP 1918209)
281+ [Not needed]
282+
283+ -- Bryce Harrington <bryce@canonical.com> Thu, 03 Feb 2022 10:25:47 -0800
284+
285 apache2 (2.4.52-1) unstable; urgency=medium
286
287 * Refresh suexec-custom.patch
288@@ -77,6 +222,60 @@ apache2 (2.4.52-1) unstable; urgency=medium
289
290 -- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +0100
291
292+apache2 (2.4.51-2ubuntu1) jammy; urgency=medium
293+
294+ * Merge with Debian unstable. Remaining changes:
295+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
296+ apache2.dirs}: Add ufw profiles.
297+ (LP 261198)
298+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
299+ (LP 609177)
300+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
301+ d/s/include-binaries: replace Debian with Ubuntu on default
302+ page and add Ubuntu icon file.
303+ (LP 1288690)
304+ - d/p/support-openssl3-*.patch: Backport various patches from
305+ https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
306+ failure to load when using OpenSSL 3.
307+ (LP #1951476)
308+ * Dropped:
309+ - d/apache2ctl: Also use systemd for graceful if it is in use.
310+ (LP: 1832182)
311+ [This introduced a performance regression.]
312+ - d/apache2ctl: Also use /run/systemd to check for systemd usage.
313+ (LP 1918209)
314+ [Not needed]
315+ - debian/patches/CVE-2021-33193.patch: refactor request parsing in
316+ include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
317+ include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
318+ server/core_filters.c, server/protocol.c, server/vhost.c.
319+ [Fixed in 2.4.48-4]
320+ - debian/patches/CVE-2021-34798.patch: add NULL check in
321+ server/scoreboard.c.
322+ [Fixed in 2.4.49-1]
323+ - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
324+ generic worker in modules/proxy/mod_proxy_uwsgi.c.
325+ [Fixed in 2.4.49-1]
326+ - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
327+ substitution logic in server/util.c.
328+ [Fixed in 2.4.49-1]
329+ - arbitrary origin server via crafted request uri-path
330+ + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
331+ parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
332+ modules/proxy/proxy_util.c.
333+ + debian/patches/CVE-2021-40438.patch: add sanity checks on the
334+ configured UDS path in modules/proxy/proxy_util.c.
335+ [Fixed in 2.4.49-3]
336+ - SECURITY REGRESSION: Issues in UDS URIs. (LP #1945311)
337+ + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
338+ rules in modules/mappers/mod_rewrite.c.
339+ + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
340+ hostname in modules/mappers/mod_rewrite.c,
341+ modules/proxy/proxy_util.c.
342+ [Fixed in 2.4.49-3]
343+
344+ -- Bryce Harrington <bryce@canonical.com> Thu, 16 Dec 2021 14:09:26 -0800
345+
346 apache2 (2.4.51-2) unstable; urgency=medium
347
348 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting
349@@ -142,6 +341,74 @@ apache2 (2.4.48-4) unstable; urgency=medium
350
351 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200
352
353+apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium
354+
355+ * d/p/support-openssl3-*.patch: Backport various patches from
356+ https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
357+ failure to load when using OpenSSL 3. (LP: #1951476)
358+
359+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 26 Nov 2021 16:07:56 -0500
360+
361+apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
362+
363+ * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
364+ - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
365+ rules in modules/mappers/mod_rewrite.c.
366+ - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
367+ hostname in modules/mappers/mod_rewrite.c,
368+ modules/proxy/proxy_util.c.
369+
370+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Sep 2021 08:52:26 -0400
371+
372+apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium
373+
374+ * SECURITY UPDATE: request splitting over HTTP/2
375+ - debian/patches/CVE-2021-33193.patch: refactor request parsing in
376+ include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
377+ include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
378+ server/core_filters.c, server/protocol.c, server/vhost.c.
379+ - CVE-2021-33193
380+ * SECURITY UPDATE: NULL deref via malformed requests
381+ - debian/patches/CVE-2021-34798.patch: add NULL check in
382+ server/scoreboard.c.
383+ - CVE-2021-34798
384+ * SECURITY UPDATE: DoS in mod_proxy_uwsgi
385+ - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
386+ generic worker in modules/proxy/mod_proxy_uwsgi.c.
387+ - CVE-2021-36160
388+ * SECURITY UPDATE: buffer overflow in ap_escape_quotes
389+ - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
390+ substitution logic in server/util.c.
391+ - CVE-2021-39275
392+ * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
393+ - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
394+ parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
395+ modules/proxy/proxy_util.c.
396+ - debian/patches/CVE-2021-40438.patch: add sanity checks on the
397+ configured UDS path in modules/proxy/proxy_util.c.
398+ - CVE-2021-40438
399+
400+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Sep 2021 12:51:16 -0400
401+
402+apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium
403+
404+ * Merge with Debian unstable. Remaining changes:
405+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
406+ apache2.dirs}: Add ufw profiles. (LP 261198)
407+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
408+ (LP 609177)
409+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
410+ d/s/include-binaries: replace Debian with Ubuntu on default
411+ page and add Ubuntu icon file. (LP 1288690)
412+ - d/apache2ctl: Also use systemd for graceful if it is in use.
413+ This extends an earlier fix for the start command to behave
414+ similarly for restart / graceful. Fixes service failures on
415+ unattended upgrade. (LP 1832182)
416+ - d/apache2ctl: Also use /run/systemd to check for systemd usage
417+ (LP 1918209)
418+
419+ -- Bryce Harrington <bryce@canonical.com> Wed, 11 Aug 2021 20:03:24 -0700
420+
421 apache2 (2.4.48-3.1) unstable; urgency=medium
422
423 * Non-maintainer upload.
424@@ -150,6 +417,46 @@ apache2 (2.4.48-3.1) unstable; urgency=medium
425
426 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200
427
428+apache2 (2.4.48-3ubuntu1) impish; urgency=medium
429+
430+ * Merge with Debian unstable. Remaining changes:
431+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
432+ apache2.dirs}: Add ufw profiles. (LP: 261198)
433+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
434+ (LP: 609177)
435+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
436+ d/s/include-binaries: replace Debian with Ubuntu on default
437+ page and add Ubuntu icon file. (LP: 1288690)
438+ - d/apache2ctl: Also use systemd for graceful if it is in use.
439+ This extends an earlier fix for the start command to behave
440+ similarly for restart / graceful. Fixes service failures on
441+ unattended upgrade. (LP: 1832182)
442+ - d/apache2ctl: Also use /run/systemd to check for systemd usage
443+ (LP: 1918209)
444+ * Dropped:
445+ - d/t/control, d/t/check-http2: add basic test for http2 support
446+ [Fixed in 2.4.48-2]
447+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
448+ [Fixed in 2.4.48-1]
449+ - d/p/CVE-2020-13950.patch: don't dereference NULL proxy
450+ connection in modules/proxy/mod_proxy_http.c.
451+ [Fixed in 2.4.48 upstream]
452+ - d/p/CVE-2020-35452.patch: fast validation of the nonce's
453+ base64 to fail early if the format can't match anyway in
454+ modules/aaa/mod_auth_digest.c.
455+ [Fixed in 2.4.48 upstream]
456+ - d/p/CVE-2021-26690.patch: save one apr_strtok() in
457+ session_identity_decode() in modules/session/mod_session.c.
458+ [Fixed in 2.4.48 upstream]
459+ - d/p/CVE-2021-26691.patch: account for the '&' in
460+ identity_concat() in modules/session/mod_session.c.
461+ [Fixed in 2.4.48 upstream]
462+ - d/p/CVE-2021-30641.patch: change default behavior in
463+ server/request.c.
464+ [Fixed in 2.4.48 upstream]
465+
466+ -- Bryce Harrington <bryce@canonical.com> Thu, 08 Jul 2021 03:20:46 +0000
467+
468 apache2 (2.4.48-3) unstable; urgency=medium
469
470 * Fix debian/changelog
471@@ -206,6 +513,65 @@ apache2 (2.4.46-5) unstable; urgency=medium
472
473 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200
474
475+apache2 (2.4.46-4ubuntu3) impish; urgency=medium
476+
477+ * No-change rebuild due to OpenLDAP soname bump.
478+
479+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 17:43:48 -0400
480+
481+apache2 (2.4.46-4ubuntu2) impish; urgency=medium
482+
483+ * SECURITY UPDATE: mod_proxy_http denial of service.
484+ - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
485+ connection in modules/proxy/mod_proxy_http.c.
486+ - CVE-2020-13950
487+ * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
488+ - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
489+ base64 to fail early if the format can't match anyway in
490+ modules/aaa/mod_auth_digest.c.
491+ - CVE-2020-35452
492+ * SECURITY UPDATE: DoS via cookie header in mod_session
493+ - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
494+ session_identity_decode() in modules/session/mod_session.c.
495+ - CVE-2021-26690
496+ * SECURITY UPDATE: heap overflow via SessionHeader
497+ - debian/patches/CVE-2021-26691.patch: account for the '&' in
498+ identity_concat() in modules/session/mod_session.c.
499+ - CVE-2021-26691
500+ * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
501+ - debian/patches/CVE-2021-30641.patch: change default behavior in
502+ server/request.c.
503+ - CVE-2021-30641
504+
505+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Jun 2021 13:09:41 -0400
506+
507+apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium
508+
509+ * Merge with Debian unstable, to allow moving from lua5.2 to
510+ lua5.3 (LP: #1910372). Remaining changes:
511+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
512+ apache2.dirs}: Add ufw profiles.
513+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
514+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
515+ Debian with Ubuntu on default page.
516+ + d/source/include-binaries: add Ubuntu icon file
517+ - d/t/control, d/t/check-http2: add basic test for http2 support
518+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
519+ issue reading error log too quickly after request, by adding a sleep.
520+ (LP #1890302)
521+ - d/apache2ctl: Also use systemd for graceful if it is in use.
522+ This extends an earlier fix for the start command to behave
523+ similarly for restart / graceful. Fixes service failures on
524+ unattended upgrade.
525+ * Drop:
526+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
527+ was re-added by mistake in 2.4.41-1 (Closes #921024)
528+ [Included in Debian 2.4.46-3]
529+ * d/apache2ctl: Also use /run/systemd to check for systemd usage
530+ (LP: #1918209)
531+
532+ -- Bryce Harrington <bryce@canonical.com> Tue, 09 Mar 2021 00:45:35 +0000
533+
534 apache2 (2.4.46-4) unstable; urgency=medium
535
536 * Ignore other random another test failures (Closes: #979664)
537@@ -223,6 +589,28 @@ apache2 (2.4.46-3) unstable; urgency=medium
538
539 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100
540
541+apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium
542+
543+ * Merge with Debian unstable. Remaining changes:
544+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
545+ apache2.dirs}: Add ufw profiles.
546+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
547+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
548+ Debian with Ubuntu on default page.
549+ + d/source/include-binaries: add Ubuntu icon file
550+ - d/t/control, d/t/check-http2: add basic test for http2 support
551+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
552+ was re-added by mistake in 2.4.41-1 (Closes #921024)
553+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
554+ issue reading error log too quickly after request, by adding a sleep.
555+ (LP #1890302)
556+ - d/apache2ctl: Also use systemd for graceful if it is in use.
557+ This extends an earlier fix for the start command to behave
558+ similarly for restart / graceful. Fixes service failures on
559+ unattended upgrade.
560+
561+ -- Paride Legovini <paride.legovini@canonical.com> Mon, 14 Dec 2020 18:12:15 +0100
562+
563 apache2 (2.4.46-2) unstable; urgency=medium
564
565 [ Jean-Michel Vourgère ]
566@@ -244,6 +632,39 @@ apache2 (2.4.46-2) unstable; urgency=medium
567
568 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100
569
570+apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium
571+
572+ * d/apache2ctl: Also use systemd for graceful if it is in use.
573+ (LP: #1832182)
574+ - This extends an earlier fix for the start command to behave
575+ similarly for restart / graceful. Fixes service failures on
576+ unattended upgrade.
577+
578+ -- Bryce Harrington <bryce@canonical.com> Mon, 05 Oct 2020 16:06:32 -0700
579+
580+apache2 (2.4.46-1ubuntu1) groovy; urgency=medium
581+
582+ * Merge with Debian unstable. Remaining changes:
583+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
584+ apache2.dirs}: Add ufw profiles.
585+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
586+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
587+ Debian with Ubuntu on default page.
588+ + d/source/include-binaries: add Ubuntu icon file
589+ - d/t/control, d/t/check-http2: add basic test for http2 support
590+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
591+ was re-added by mistake in 2.4.41-1 (Closes #921024)
592+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
593+ issue reading error log too quickly after request, by adding a sleep.
594+ (LP #1890302)
595+ * Dropped:
596+ - debian/patches/086_svn_cross_compiles: Backport several cross
597+ fixes from upstream
598+ [Unclear if it's still necessary, and upstream hasn't made a
599+ release with it yet]
600+
601+ -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Aug 2020 09:13:38 -0300
602+
603 apache2 (2.4.46-1) unstable; urgency=medium
604
605 [ Xavier Guimard ]
606@@ -260,6 +681,39 @@ apache2 (2.4.46-1) unstable; urgency=medium
607
608 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200
609
610+apache2 (2.4.43-1ubuntu2) groovy; urgency=medium
611+
612+ * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
613+ issue reading error log too quickly after request, by adding a sleep.
614+ (LP: #1890302)
615+
616+ -- Bryce Harrington <bryce@canonical.com> Wed, 05 Aug 2020 12:44:59 -0700
617+
618+apache2 (2.4.43-1ubuntu1) groovy; urgency=medium
619+
620+ * Merge with Debian unstable. Remaining changes:
621+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
622+ apache2.dirs}: Add ufw profiles.
623+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
624+ - debian/patches/086_svn_cross_compiles: Backport several cross
625+ fixes from upstream
626+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
627+ Debian with Ubuntu on default page.
628+ + d/source/include-binaries: add Ubuntu icon file
629+ - d/t/control, d/t/check-http2: add basic test for http2 support
630+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
631+ was re-added by mistake in 2.4.41-1 (Closes #921024)
632+ * Dropped:
633+ - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
634+ parameter to mod_proxy_ajp (LP #1865340)
635+ [Fixed upstream]
636+ - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
637+ mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
638+ Closes #955348, LP #1872478
639+ [In 2.4.43-1]
640+
641+ -- Andreas Hasenack <andreas@canonical.com> Tue, 21 Jul 2020 10:22:42 -0300
642+
643 apache2 (2.4.43-1) unstable; urgency=medium
644
645 [ Timo Aaltonen ]
646@@ -287,6 +741,39 @@ apache2 (2.4.41-5) unstable; urgency=medium
647
648 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100
649
650+apache2 (2.4.41-4ubuntu3) focal; urgency=medium
651+
652+ [ Timo Aaltonen ]
653+ * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
654+ mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
655+ Closes: #955348, LP: #1872478
656+
657+ -- Andreas Hasenack <andreas@canonical.com> Mon, 13 Apr 2020 14:19:17 -0300
658+
659+apache2 (2.4.41-4ubuntu2) focal; urgency=medium
660+
661+ * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
662+ parameter to mod_proxy_ajp (LP: #1865340)
663+
664+ -- Andreas Hasenack <andreas@canonical.com> Thu, 05 Mar 2020 15:51:00 -0300
665+
666+apache2 (2.4.41-4ubuntu1) focal; urgency=medium
667+
668+ * Merge with Debian unstable. Remaining changes:
669+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
670+ apache2.dirs}: Add ufw profiles.
671+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
672+ - debian/patches/086_svn_cross_compiles: Backport several cross
673+ fixes from upstream
674+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
675+ Debian with Ubuntu on default page.
676+ + d/source/include-binaries: add Ubuntu icon file
677+ - d/t/control, d/t/check-http2: add basic test for http2 support
678+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
679+ was re-added by mistake in 2.4.41-1 (Closes #921024)
680+
681+ -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 10:36:13 -0300
682+
683 apache2 (2.4.41-4) unstable; urgency=medium
684
685 * Add gcc in chroot autopkgtest (fixes debci)
686@@ -311,6 +798,41 @@ apache2 (2.4.41-2) unstable; urgency=medium
687
688 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100
689
690+apache2 (2.4.41-1ubuntu1) eoan; urgency=medium
691+
692+ * Merge with Debian unstable. Remaining changes:
693+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
694+ apache2.dirs}: Add ufw profiles.
695+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
696+ - debian/patches/086_svn_cross_compiles: Backport several cross
697+ fixes from upstream
698+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
699+ Debian with Ubuntu on default page.
700+ + d/source/include-binaries: add Ubuntu icon file
701+ - d/t/control, d/t/check-http2: add basic test for http2 support
702+ * Dropped:
703+ - Cherrypick upstream testsuite fix:
704+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
705+ as such).
706+ + Similarly use TLSv1.2 for pr12355 and pr43738.
707+ [Test suite updated in 2.4.41-1]
708+ - Cherrypick upstream test suite fix for buffer.
709+ [Included in 2.4.41-1]
710+ - d/p/spelling-errors.patch: removed hunks already fixed upstream
711+ [Included in 2.4.39-1]
712+ - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
713+ + d/p/CVE-2019-0196.patch
714+ + d/p/CVE-2019-0211.patch
715+ + d/p/CVE-2019-0215.patch
716+ + d/p/CVE-2019-0217.patch
717+ + d/p/CVE-2019-0220-*.patch
718+ + d/p/CVE-2019-0197.patch
719+ * Added:
720+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
721+ was re-added by mistake in 2.4.41-1 (Closes: #921024)
722+
723+ -- Andreas Hasenack <andreas@canonical.com> Wed, 14 Aug 2019 11:36:32 -0300
724+
725 apache2 (2.4.41-1) unstable; urgency=medium
726
727 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,
728@@ -343,6 +865,62 @@ apache2 (2.4.39-1) unstable; urgency=medium
729
730 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200
731
732+apache2 (2.4.39-0ubuntu1) eoan; urgency=medium
733+
734+ * New upstream version: 2.4.39
735+ * d/p/spelling-errors.patch: removed hunks already fixed upstream
736+ * Remaining changes:
737+ - Cherrypick upstream test suite fix for buffer.
738+ - Cherrypick upstream testsuite fix:
739+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
740+ as such).
741+ - Similarly use TLSv1.2 for pr12355 and pr43738.
742+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
743+ apache2.dirs}: Add ufw profiles.
744+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
745+ - debian/patches/086_svn_cross_compiles: Backport several cross
746+ fixes from upstream
747+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
748+ Debian with Ubuntu on default page.
749+ + d/source/include-binaries: add Ubuntu icon file
750+ - d/t/control, d/t/check-http2: add basic test for http2 support
751+ * Dropped patches (fixed upstream):
752+ - d/p/CVE-2019-0196.patch
753+ - d/p/CVE-2019-0211.patch
754+ - d/p/CVE-2019-0215.patch
755+ - d/p/CVE-2019-0217.patch
756+ - d/p/CVE-2019-0220-*.patch
757+ - d/p/CVE-2019-0197.patch
758+
759+ -- Andreas Hasenack <andreas@canonical.com> Mon, 05 Aug 2019 18:09:08 -0300
760+
761+apache2 (2.4.38-3ubuntu2) eoan; urgency=medium
762+
763+ * Cherrypick upstream test suite fix for buffer.
764+
765+ -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 13 Jun 2019 11:08:24 +0100
766+
767+apache2 (2.4.38-3ubuntu1) eoan; urgency=low
768+
769+ * Merge from Debian unstable. Remaining changes:
770+ - Cherrypick upstream testsuite fix:
771+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
772+ as such).
773+ - Similarly use TLSv1.2 for pr12355 and pr43738.
774+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
775+ apache2.dirs}: Add ufw profiles.
776+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
777+ - debian/patches/086_svn_cross_compiles: Backport several cross
778+ fixes from upstream
779+ [Removed configure chunk, not needed since configure.in is being
780+ patched.]
781+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
782+ Debian with Ubuntu on default page.
783+ + d/source/include-binaries: add Ubuntu icon file
784+ - d/t/control, d/t/check-http2: add basic test for http2 support
785+
786+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Jun 2019 19:17:38 +0100
787+
788 apache2 (2.4.38-3) unstable; urgency=high
789
790 [ Marc Deslauriers ]
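Review bot: In the 2.4.39-0ubuntu1 entry, "Dropped patches (fixed upstream)" lists d/p/CVE-2019-0197.patch, but no Ubuntu entry in this diff records adding it. 2.4.38-2ubuntu2 documents CVE-2019-0196, -0211, -0215, -0217 and -0220 only, and the 2.4.38-3ubuntu1 merge mentions no CVE patches in "Remaining changes" and has no "Dropped" section. Please state where the six patches entered the package, or add a "Dropped" section to 2.4.38-3ubuntu1, so the security delta can be followed from one entry to the next. The nesting of "Similarly use TLSv1.2 for pr12355 and pr43738" also differs from the 2.4.41-1ubuntu1 entry, where it is a "+" sub-item of the cherrypick.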
791@@ -380,6 +958,79 @@ apache2 (2.4.38-3) unstable; urgency=high
792
793 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200
794
795+apache2 (2.4.38-2ubuntu3) eoan; urgency=medium
796+
797+ * Cherrypick upstream testsuite fix:
798+ - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
799+ as such).
800+ * Similarly use TLSv1.2 for pr12355 and pr43738.
801+
802+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 07 May 2019 10:39:47 +0100
803+
804+apache2 (2.4.38-2ubuntu2) disco; urgency=medium
805+
806+ * SECURITY UPDATE: read-after-free on a string compare in mod_http2
807+ - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
808+ request method in modules/http2/h2_request.c.
809+ - CVE-2019-0196
810+ * SECURITY UPDATE: privilege escalation from modules' scripts
811+ - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
812+ child to its slot number in include/scoreboard.h,
813+ server/mpm/event/event.c, server/mpm/prefork/prefork.c,
814+ server/mpm/worker/worker.c.
815+ - CVE-2019-0211
816+ * SECURITY UPDATE: mod_ssl access control bypass
817+ - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
818+ PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
819+ - CVE-2019-0215
820+ * SECURITY UPDATE: mod_auth_digest access control bypass
821+ - debian/patches/CVE-2019-0217.patch: fix a race condition in
822+ modules/aaa/mod_auth_digest.c.
823+ - CVE-2019-0217
824+ * SECURITY UPDATE: URL normalization inconsistincy
825+ - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
826+ the path in include/http_core.h, include/httpd.h, server/core.c,
827+ server/request.c, server/util.c.
828+ - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
829+ in server/request.c, server/util.c.
830+ - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
831+ server/util.c.
832+ - CVE-2019-0220
833+
834+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Apr 2019 14:31:46 -0400
835+
836+apache2 (2.4.38-2ubuntu1) disco; urgency=medium
837+
838+ * Merge with Debian unstable. Remaining changes:
839+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
840+ apache2.dirs}: Add ufw profiles.
841+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
842+ - debian/patches/086_svn_cross_compiles: Backport several cross
843+ fixes from upstream
844+ [Removed configure chunk, not needed since configure.in is being
845+ patched.]
846+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
847+ Debian with Ubuntu on default page.
848+ + d/source/include-binaries: add Ubuntu icon file
849+ - d/t/control, d/t/check-http2: add basic test for http2 support
850+ * Dropped:
851+ - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
852+ libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
853+ cannot be coinstalled with libcurl3. That situation breaks the
854+ installation of libapache2-mod-shib2. See
855+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
856+ for details.
857+ [This has been resolved in Disco, where libxmltooling8 is built with
858+ openssl 1.1]
859+ - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
860+ + debian/patches/CVE-2018-11763.patch: rework connection IO event
861+ handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
862+ modules/http2/h2_version.h.
863+ - CVE-2018-11763
864+ [Fixed in 2.4.35]
865+
866+ -- Andreas Hasenack <andreas@canonical.com> Sun, 03 Feb 2019 14:57:13 -0200
867+
868 apache2 (2.4.38-2) unstable; urgency=medium
869
870 * Disable "reset" test in allowmethods.t (Closes: #921024)
871@@ -462,6 +1113,37 @@ apache2 (2.4.35-1) unstable; urgency=medium
872
873 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200
874
875+apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium
876+
877+ * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
878+ - debian/patches/CVE-2018-11763.patch: rework connection IO event
879+ handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
880+ modules/http2/h2_version.h.
881+ - CVE-2018-11763
882+
883+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Oct 2018 09:57:22 -0400
884+
885+apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium
886+
887+ * Merge with Debian unstable. Remaining changes:
888+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
889+ apache2.dirs}: Add ufw profiles.
890+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
891+ - debian/patches/086_svn_cross_compiles: Backport several cross
892+ fixes from upstream
893+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
894+ Debian with Ubuntu on default page.
895+ + d/source/include-binaries: add Ubuntu icon file
896+ - d/t/control, d/t/check-http2: add basic test for http2 support
897+ - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
898+ libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
899+ cannot be coinstalled with libcurl3. That situation breaks the
900+ installation of libapache2-mod-shib2. See
901+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
902+ for details.
903+
904+ -- Andreas Hasenack <andreas@canonical.com> Fri, 03 Aug 2018 17:09:27 -0300
905+
906 apache2 (2.4.34-1) unstable; urgency=medium
907
908 [ Ondřej Surý ]
909@@ -480,6 +1162,87 @@ apache2 (2.4.34-1) unstable; urgency=medium
910
911 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200
912
913+apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium
914+
915+ * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load:
916+ re-enable proxy_uwsgi, as the uwsgi source no longer builds this module.
917+
918+ -- Andreas Hasenack <andreas@canonical.com> Thu, 28 Jun 2018 10:07:06 -0300
919+
920+apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
921+
922+ * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
923+ libapache2-mod-md until we figure out their transitions. libapache2-mod-md
924+ in particular is problematic because that makes apache2-bin pull in
925+ libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
926+ the installation of libapache2-mod-shib2. See
927+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
928+ for details.
929+ - Don't ship md.load and remove build-requires that were added because of
930+ mod-md (see
931+ https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
932+ - Remove proxy_uwsgi.load as we are not building it for now (see
933+ https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
934+
935+ -- Andreas Hasenack <andreas@canonical.com> Thu, 17 May 2018 14:46:19 +0000
936+
937+apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
938+
939+ * Merge with Debian unstable (LP: #1770242). Remaining changes:
940+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
941+ apache2.dirs}: Add ufw profiles.
942+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
943+ - debian/patches/086_svn_cross_compiles: Backport several cross
944+ fixes from upstream
945+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
946+ Debian with Ubuntu on default page.
947+ + d/source/include-binaries: add Ubuntu icon file
948+ - d/t/control, d/t/check-http2: add basic test for http2 support
949+ * Drop:
950+ - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
951+ + debian/patches/CVE-2017-15710.patch: fix language long names
952+ detection as short name in modules/aaa/mod_authnz_ldap.c.
953+ + CVE-2017-15710
954+ - SECURITY UPDATE: incorrect <FilesMatch> matching
955+ + debian/patches/CVE-2017-15715.patch: allow to configure
956+ global/default options for regexes, like caseless matching or
957+ extended format in include/ap_regex.h, server/core.c,
958+ server/util_pcre.c.
959+ + CVE-2017-15715
960+ - SECURITY UPDATE: mod_session header manipulation
961+ + debian/patches/CVE-2018-1283.patch: strip Session header when
962+ SessionEnv is on in modules/session/mod_session.c.
963+ + CVE-2018-1283
964+ - SECURITY UPDATE: DoS via specially-crafted request
965+ + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
966+ terminated on any error, not only on buffer full in
967+ server/protocol.c.
968+ + CVE-2018-1301
969+ - SECURITY UPDATE: mod_cache_socache DoS
970+ + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
971+ to carriage return in modules/cache/mod_cache_socache.c.
972+ + CVE-2018-1303
973+ - SECURITY UPDATE: insecure nonce generation
974+ + debian/patches/CVE-2018-1312.patch: actually use the secret when
975+ generating nonces in modules/aaa/mod_auth_digest.c.
976+ + CVE-2018-1312
977+ - Correct systemd-sysv-generator behavior by customizing some
978+ parameters:
979+ + d/apache2-systemd.conf: add a drop-in file to specify some
980+ parameters for the systemd unit (type=Forking and
981+ RemainsAfterExit=no), this allow a correct state synchronisation
982+ between systemctl status and actual state of apache2 daemon.
983+ + d/apache2.install: place the apache2-systemd.conf file in the
984+ correct location.
985+ [type=Forking already in the base systemd service file, and
986+ RemainsAfterExit=no is the default value, so no need to
987+ customize these anymore.]
988+ - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
989+ + added debian/patches/util_ldap_cache_lock_fix.patch
990+ [Already applied upstream]
991+
992+ -- Andreas Hasenack <andreas@canonical.com> Tue, 15 May 2018 11:03:34 -0300
993+
994 apache2 (2.4.33-3) unstable; urgency=medium
995
996 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
997@@ -552,6 +1315,91 @@ apache2 (2.4.29-2) unstable; urgency=medium
998
999 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +0000
1000
1001+apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium
1002+
1003+ * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
1004+ - debian/patches/CVE-2017-15710.patch: fix language long names
1005+ detection as short name in modules/aaa/mod_authnz_ldap.c.
1006+ - CVE-2017-15710
1007+ * SECURITY UPDATE: incorrect <FilesMatch> matching
1008+ - debian/patches/CVE-2017-15715.patch: allow to configure
1009+ global/default options for regexes, like caseless matching or
1010+ extended format in include/ap_regex.h, server/core.c,
1011+ server/util_pcre.c.
1012+ - CVE-2017-15715
1013+ * SECURITY UPDATE: mod_session header manipulation
1014+ - debian/patches/CVE-2018-1283.patch: strip Session header when
1015+ SessionEnv is on in modules/session/mod_session.c.
1016+ - CVE-2018-1283
1017+ * SECURITY UPDATE: DoS via specially-crafted request
1018+ - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
1019+ terminated on any error, not only on buffer full in
1020+ server/protocol.c.
1021+ - CVE-2018-1301
1022+ * SECURITY UPDATE: mod_cache_socache DoS
1023+ - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
1024+ to carriage return in modules/cache/mod_cache_socache.c.
1025+ - CVE-2018-1303
1026+ * SECURITY UPDATE: insecure nonce generation
1027+ - debian/patches/CVE-2018-1312.patch: actually use the secret when
1028+ generating nonces in modules/aaa/mod_auth_digest.c.
1029+ - CVE-2018-1312
1030+
1031+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Apr 2018 07:38:24 -0400
1032+
1033+apache2 (2.4.29-1ubuntu4) bionic; urgency=medium
1034+
1035+ * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
1036+ - added debian/patches/util_ldap_cache_lock_fix.patch
1037+
1038+ -- Rafael David Tinoco <rafael.tinoco@canonical.com> Fri, 02 Mar 2018 02:19:31 +0000
1039+
1040+apache2 (2.4.29-1ubuntu3) bionic; urgency=medium
1041+
1042+ * Switch back to OpenSSL 1.1.
1043+
1044+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 11:57:20 +0000
1045+
1046+apache2 (2.4.29-1ubuntu2) bionic; urgency=medium
1047+
1048+ * enable http2 (LP: #1687454) by stopping to disable it
1049+ - debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
1050+ - debian/config-dir/mods-available/http2.load: no more removed.
1051+ - debian/rules: no more removed proxy_http2 from configure.
1052+ * d/t/control, d/t/check-http2: add basic test for http2 support
1053+
1054+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 05 Dec 2017 17:25:39 +0100
1055+
1056+apache2 (2.4.29-1ubuntu1) bionic; urgency=medium
1057+
1058+ * Merge with Debian unstable. Remaining changes:
1059+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1060+ apache2.dirs}: Add ufw profiles.
1061+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1062+ - debian/patches/086_svn_cross_compiles: Backport several cross
1063+ fixes from upstream
1064+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1065+ Debian with Ubuntu on default page.
1066+ + d/source/include-binaries: add Ubuntu icon file
1067+ - Correct systemd-sysv-generator behavior by customizing some
1068+ parameters:
1069+ + d/apache2-systemd.conf: add a drop-in file to specify some
1070+ parameters for the systemd unit (type=Forking and
1071+ RemainsAfterExit=no), this allow a correct state synchronisation
1072+ between systemctl status and actual state of apache2 daemon.
1073+ + d/apache2.install: place the apache2-systemd.conf file in the
1074+ correct location.
1075+ - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1076+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1077+ + debian/config-dir/mods-available/http2.load: removed.
1078+ + debian/rules: removed proxy_http2 from configure.
1079+ * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
1080+ - debian/control: switch BuildDepends to libssl1.0-dev
1081+ - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
1082+ - debian/rules: remove openssl virtual package and logic
1083+
1084+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 10 Nov 2017 10:51:46 -0500
1085+
1086 apache2 (2.4.29-1) unstable; urgency=medium
1087
1088 [ Stefan Fritsch ]
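Review bot: The 2.4.29-1ubuntu1 merge entry does not account for debian/patches/CVE-2017-9798.patch, which 2.4.27-2ubuntu3 added for the optionsbleed fix. It is neither in "Remaining changes" nor in a "Dropped" section, so the changelog alone does not show whether the fix is still carried or was superseded upstream. I would add a "Dropped" item naming the patch and the version that includes the fix, in the same bracketed style the later entries use (for example "[Fixed in 2.4.35]" under 2.4.38-2ubuntu1).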
1089@@ -616,6 +1464,47 @@ apache2 (2.4.27-3) experimental; urgency=medium
1090
1091 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +0200
1092
1093+apache2 (2.4.27-2ubuntu3) artful; urgency=medium
1094+
1095+ * SECURITY UPDATE: optionsbleed information leak
1096+ - debian/patches/CVE-2017-9798.patch: disallow method registration
1097+ at run time in server/core.c.
1098+ - CVE-2017-9798
1099+
1100+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Sep 2017 11:05:48 -0400
1101+
1102+apache2 (2.4.27-2ubuntu2) artful; urgency=medium
1103+
1104+ * Undrop (LP 1658469):
1105+ - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1106+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1107+ + debian/config-dir/mods-available/http2.load: removed.
1108+ + debian/rules: removed proxy_http2 from configure.
1109+
1110+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 02 Aug 2017 13:04:45 -0400
1111+
1112+apache2 (2.4.27-2ubuntu1) artful; urgency=medium
1113+
1114+ * Merge with Debian unstable (LP: #1702582). Remaining changes:
1115+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1116+ apache2.dirs}: Add ufw profiles.
1117+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1118+ - debian/patches/086_svn_cross_compiles: Backport several cross
1119+ fixes from upstream
1120+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1121+ Debian with Ubuntu on default page.
1122+ + d/source/include-binaries: add Ubuntu icon file
1123+ - Correct systemd-sysv-generator behavior by customizing some
1124+ parameters:
1125+ + d/apache2-systemd.conf: add a drop-in file to specify some
1126+ parameters for the systemd unit (type=Forking and
1127+ RemainsAfterExit=no), this allow a correct state synchronisation
1128+ between systemctl status and actual state of apache2 daemon.
1129+ + d/apache2.install: place the apache2-systemd.conf file in the
1130+ correct location.
1131+
1132+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 27 Jul 2017 13:38:39 -0700
1133+
1134 apache2 (2.4.27-2) unstable; urgency=medium
1135
1136 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
1137@@ -645,6 +1534,55 @@ apache2 (2.4.25-4) unstable; urgency=high
1138
1139 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +0200
1140
1141+apache2 (2.4.25-3ubuntu3) artful; urgency=medium
1142+
1143+ * Re-Drop (LP: #1658469):
1144+ - Don't build experimental http2 module for LTS:
1145+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1146+ + debian/config-dir/mods-available/http2.load: removed.
1147+ + debian/rules: removed proxy_http2 from configure.
1148+ + debian/apache2.maintscript: remove http2 conffile.
1149+
1150+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Mon, 01 May 2017 09:55:11 -0700
1151+
1152+apache2 (2.4.25-3ubuntu2) zesty; urgency=medium
1153+ * Undrop (LP 1658469):
1154+ - Don't build experimental http2 module for LTS:
1155+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1156+ + debian/config-dir/mods-available/http2.load: removed.
1157+ + debian/rules: removed proxy_http2 from configure.
1158+ + debian/apache2.maintscript: remove http2 conffile.
1159+
1160+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 10 Feb 2017 08:53:43 -0800
1161+
1162+apache2 (2.4.25-3ubuntu1) zesty; urgency=medium
1163+
1164+ * Merge from Debian unstable (LP: #1663425). Remaining changes:
1165+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1166+ apache2.dirs}: Add ufw profiles.
1167+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1168+ - debian/patches/086_svn_cross_compiles: Backport several cross
1169+ fixes from upstream
1170+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1171+ Debian with Ubuntu on default page.
1172+ + d/source/include-binaries: add Ubuntu icon file
1173+ - Correct systemd-sysv-generator behavior by customizing some
1174+ parameters:
1175+ + d/apache2-systemd.conf: add a drop-in file to specify some
1176+ parameters for the systemd unit (type=Forking and
1177+ RemainsAfterExit=no), this allow a correct state synchronisation
1178+ between systemctl status and actual state of apache2 daemon.
1179+ + d/apache2.install: place the apache2-systemd.conf file in the
1180+ correct location.
1181+ * Drop (LP: #1658469):
1182+ - Don't build experimental http2 module for LTS:
1183+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1184+ + debian/config-dir/mods-available/http2.load: removed.
1185+ + debian/rules: removed proxy_http2 from configure.
1186+ + debian/apache2.maintscript: remove http2 conffile.
1187+
1188+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 09 Feb 2017 15:48:28 -0800
1189+
1190 apache2 (2.4.25-3) unstable; urgency=medium
1191
1192 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
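Review bot: The 2.4.25-3ubuntu2 entry has no blank line between its header "apache2 (2.4.25-3ubuntu2) zesty; urgency=medium" and the first item "* Undrop (LP 1658469):". Every other entry in this diff separates the two with an empty line. Please insert the blank line so the stanza matches the rest of the file. The sequence Drop (ubuntu1), Undrop (ubuntu2), Re-Drop (ubuntu3) all cites bug 1658469 with identical item text, so a one-line reason on each would make it clear which state the http2 delta is in after each upload.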
1193@@ -706,6 +1644,39 @@ apache2 (2.4.25-1) unstable; urgency=medium
1194
1195 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +0100
1196
1197+apache2 (2.4.23-8ubuntu1) zesty; urgency=medium
1198+
1199+ * Merge from Debian unstable (LP: #). Remaining changes:
1200+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1201+ apache2.dirs}: Add ufw profiles.
1202+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1203+ - debian/patches/086_svn_cross_compiles: Backport several cross
1204+ fixes from upstream
1205+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
1206+ d/source/include-binaries: replace Debian with Ubuntu on default
1207+ page.
1208+ [ include-binaries change previously undocumented ]
1209+ - Don't build experimental http2 module for LTS:
1210+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1211+ + debian/config-dir/mods-available/http2.load: removed.
1212+ + debian/rules: removed proxy_http2 from configure.
1213+ + debian/apache2.maintscript: remove http2 conffile.
1214+ [ Previously undocumented ]
1215+ - Correct systemd-sysv-generator behavior by customizing some
1216+ parameters:
1217+ + d/apache2-systemd.conf: add a drop-in file to specify some
1218+ parameters for the systemd unit (type=Forking and
1219+ RemainsAfterExit=no), this allow a correct state synchronisation
1220+ between systemctl status and actual state of apache2 daemon.
1221+ + d/apache2.install: place the apache2-systemd.conf file in the
1222+ correct location.
1223+ * Drop:
1224+ - debian/rules: Fix cross-building by passing
1225+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1226+ [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]
1227+
1228+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 09 Dec 2016 11:02:38 +0100
1229+
1230 apache2 (2.4.23-8) unstable; urgency=medium
1231
1232 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
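Review bot: The first item of 2.4.23-8ubuntu1 reads "Merge from Debian unstable (LP: #). Remaining changes:", so the bug reference is an empty placeholder. Either fill in the merge bug number or remove the parenthetical, as the 2.4.23-7ubuntu1 entry does with plain "Merge from Debian unstable."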
1233@@ -716,6 +1687,33 @@ apache2 (2.4.23-8) unstable; urgency=medium
1234
1235 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100
1236
1237+apache2 (2.4.23-7ubuntu1) zesty; urgency=medium
1238+
1239+ * Merge from Debian unstable. Remaining changes:
1240+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1241+ apache2.dirs}: Add ufw profiles.
1242+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1243+ - debian/rules: Fix cross-building by passing
1244+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1245+ - debian/patches/086_svn_cross_compiles: Backport several cross
1246+ fixes from upstream
1247+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1248+ Debian with Ubuntu on default page.
1249+ - Don't build experimental http2 module for LTS:
1250+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1251+ + debian/config-dir/mods-available/http2.load: removed.
1252+ + debian/rules: removed proxy_http2 from configure.
1253+ - Correct systemd-sysv-generator behavior by customizing some
1254+ parameters:
1255+ + d/apache2-systemd.conf: add a drop-in file to specify some
1256+ parameters for the systemd unit (type=Forking and
1257+ RemainsAfterExit=no), this allow a correct state synchronisation
1258+ between systemctl status and actual state of apache2 daemon.
1259+ + d/apache2.install: place the apache2-systemd.conf file in the
1260+ correct location.
1261+
1262+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Nov 2016 09:17:24 -0500
1263+
1264 apache2 (2.4.23-7) unstable; urgency=medium
1265
1266 * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
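Review bot: The 2.4.23-7ubuntu1 "Remaining changes" list does not account for debian/patches/CVE-2016-5387.patch, which 2.4.18-2ubuntu4 added for httpoxy, and the entry has no "Dropped" section. Please record the patch as dropped, with the version that carries the fix, so the security history reads continuously. The entry also omits d/source/include-binaries, which the following 2.4.23-8ubuntu1 entry flags as "[ include-binaries change previously undocumented ]", so the omission here is known and could be noted in the same way.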
1267@@ -830,6 +1828,55 @@ apache2 (2.4.20-1) unstable; urgency=medium
1268
1269 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200
1270
1271+apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium
1272+
1273+ * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
1274+ - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
1275+ server/util_script.c.
1276+ - CVE-2016-5387
1277+
1278+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Jul 2016 14:32:02 -0400
1279+
1280+apache2 (2.4.18-2ubuntu3) xenial; urgency=medium
1281+
1282+ [ Ryan Harper ]
1283+ * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
1284+ introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
1285+ all, since http2 support is intentionally disabled (see LP 1531864).
1286+ * d/apache2.maintscript: handle removal of http2.load conffile.
1287+
1288+ [ Robie Basak ]
1289+ * Re-write Ryan's changelog entry.
1290+
1291+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 15 Apr 2016 18:00:57 +0000
1292+
1293+apache2 (2.4.18-2ubuntu2) xenial; urgency=medium
1294+
1295+ * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
1296+ - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
1297+ unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation
1298+ between systemctl status and actual state of apache2 daemon.
1299+ - d/apache2.install: place the apache2-systemd.conf file in the correct location.
1300+
1301+ -- Pierre-André MOREY <pierre-andre.morey@canonical.com> Fri, 08 Apr 2016 11:48:00 +0200
1302+
1303+apache2 (2.4.18-2ubuntu1) xenial; urgency=medium
1304+
1305+ * Merge from Debian unstable. Remaining changes:
1306+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1307+ apache2.dirs}: Add ufw profiles.
1308+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1309+ - debian/rules: Fix cross-building by passing
1310+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1311+ - debian/patches/086_svn_cross_compiles: Backport several cross
1312+ fixes from upstream
1313+ - d/index.html: replace Debian with Ubuntu on default page.
1314+ - Don't build experimental http2 module for LTS:
1315+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1316+ + debian/config-dir/mods-available/http2.load: removed.
1317+
1318+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 06 Apr 2016 00:18:31 +0300
1319+
1320 apache2 (2.4.18-2) unstable; urgency=low
1321
1322 * htcacheclean:
1323@@ -855,6 +1902,24 @@ apache2 (2.4.18-2) unstable; urgency=low
1324
1325 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200
1326
1327+apache2 (2.4.18-1ubuntu1) xenial; urgency=medium
1328+
1329+ * Merge from Debian unstable. Remaining changes:
1330+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1331+ apache2.dirs}: Add ufw profiles.
1332+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1333+ - Add dep8 tests.
1334+ - debian/rules: Fix cross-building by passing
1335+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1336+ - debian/patches/086_svn_cross_compiles: Backport several cross
1337+ fixes from upstream
1338+ - d/index.html: replace Debian with Ubuntu on default page.
1339+ - Don't build experimental http2 module for LTS:
1340+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1341+ + debian/config-dir/mods-available/http2.load: removed.
1342+
1343+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Jan 2016 15:15:22 -0500
1344+
1345 apache2 (2.4.18-1) unstable; urgency=medium
1346
1347 * New upstream release:
1348@@ -862,12 +1927,48 @@ apache2 (2.4.18-1) unstable; urgency=medium
1349
1350 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100
1351
1352+apache2 (2.4.17-3ubuntu1) xenial; urgency=medium
1353+
1354+ * Merge from Debian unstable. Remaining changes:
1355+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1356+ apache2.dirs}: Add ufw profiles.
1357+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1358+ - Add dep8 tests.
1359+ - debian/rules: Fix cross-building by passing
1360+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1361+ - debian/patches/086_svn_cross_compiles: Backport several cross
1362+ fixes from upstream
1363+ - d/index.html: replace Debian with Ubuntu on default page.
1364+ - Don't build experimental http2 module for LTS:
1365+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1366+ + debian/config-dir/mods-available/http2.load: removed.
1367+
1368+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Dec 2015 10:07:35 -0500
1369+
1370 apache2 (2.4.17-3) unstable; urgency=medium
1371
1372 * mpm_prefork: Fix segfault if started with -X. Closes: #805737
1373
1374 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100
1375
1376+apache2 (2.4.17-2ubuntu1) xenial; urgency=medium
1377+
1378+ * Merge from Debian unstable. Remaining changes:
1379+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1380+ apache2.dirs}: Add ufw profiles.
1381+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1382+ - Add dep8 tests.
1383+ - debian/rules: Fix cross-building by passing
1384+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1385+ - debian/patches/086_svn_cross_compiles: Backport several cross
1386+ fixes from upstream
1387+ - d/index.html: replace Debian with Ubuntu on default page.
1388+ - Don't build experimental http2 module for LTS:
1389+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1390+ + debian/config-dir/mods-available/http2.load: removed.
1391+
1392+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Nov 2015 09:11:52 -0500
1393+
1394 apache2 (2.4.17-2) unstable; urgency=medium
1395
1396 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
1397@@ -878,6 +1979,31 @@ apache2 (2.4.17-2) unstable; urgency=medium
1398
1399 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100
1400
1401+apache2 (2.4.17-1ubuntu1) xenial; urgency=medium
1402+
1403+ * Merge from Debian unstable. Remaining changes:
1404+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1405+ apache2.dirs}: Add ufw profiles.
1406+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1407+ - Add dep8 tests.
1408+ - debian/rules: Fix cross-building by passing
1409+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1410+ - debian/patches/086_svn_cross_compiles: Backport several cross
1411+ fixes from upstream
1412+ - d/index.html: replace Debian with Ubuntu on default page.
1413+ * Drop patches (applied upstream):
1414+ - debian/patches/CVE-2015-3183.patch
1415+ - debian/patches/CVE-2015-3185.patch
1416+ * Drop changes (adopted in Debian):
1417+ - Allow "triggers-awaited" and "triggers-pending" states in addition
1418+ to "installed" when determining whether to defer actions or
1419+ process deferred actions.
1420+ * Don't build experimental http2 module for LTS
1421+ - debian/control: removed libnghttp2-dev Build-Depends (in universe).
1422+ - debian/config-dir/mods-available/http2.load: removed.
1423+
1424+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 30 Oct 2015 09:35:46 -0400
1425+
1426 apache2 (2.4.17-1) unstable; urgency=medium
1427
1428 [ Stefan Fritsch ]
1429@@ -943,6 +2069,49 @@ apache2 (2.4.16-1) unstable; urgency=medium
1430
1431 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200
1432
1433+apache2 (2.4.12-2ubuntu2) wily; urgency=medium
1434+
1435+ * SECURITY UPDATE: request smuggling via chunked transfer encoding
1436+ - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
1437+ modules/http/http_filters.c.
1438+ - CVE-2015-3183
1439+ * SECURITY UPDATE: access restriction bypass via deprecated API
1440+ - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
1441+ in include/http_request.h, server/request.c.
1442+ - CVE-2015-3185
1443+
1444+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 24 Jul 2015 09:56:09 -0400
1445+
1446+apache2 (2.4.12-2ubuntu1) wily; urgency=medium
1447+
1448+ * Merge from Debian unstable. Remaining changes:
1449+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1450+ apache2.dirs}: Add ufw profiles.
1451+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1452+ - Add dep8 tests.
1453+ - debian/rules: Fix cross-building by passing
1454+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1455+ - debian/patches/086_svn_cross_compiles: Backport several cross
1456+ fixes from upstream
1457+ - d/index.html: replace Debian with Ubuntu on default page.
1458+ - Allow "triggers-awaited" and "triggers-pending" states in addition
1459+ to "installed" when determining whether to defer actions or
1460+ process deferred actions.
1461+ * Drop patches (applied upstream):
1462+ - d/p/split-logfile.patch
1463+ - d/p/CVE-2015-0228.patch
1464+ * Drop changes (superceded in Debian):
1465+ - Cherry-pick versioned build-depend on dpkg from Debian for correct
1466+ dpkg-maintscript-helper symlink_to_dir support.
1467+ * Drop changes (adopted in Debian):
1468+ - d/control, d/config-dir/mods-available/ssl.conf,
1469+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1470+ dialog program ask-for-passphrase.
1471+ * Fix cross-building configure line in d/rules, which had bit-rotted in
1472+ previous merges.
1473+
1474+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 May 2015 16:34:00 +0000
1475+
1476 apache2 (2.4.12-2) unstable; urgency=medium
1477
1478 [ Jean-Michel Nirgal Vourgère ]
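Review bot: In the 2.4.12-2ubuntu1 entry, the last item, "Fix cross-building configure line in d/rules, which had bit-rotted in previous merges", does not say what was wrong with the line or how the fix was checked, so the same drift in the carried delta could recur without anyone noticing. A short statement of the corrected configure arguments would help the next merger. The heading "Drop changes (superceded in Debian)" in the same entry also misspells "superseded".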
1479@@ -992,6 +2161,28 @@ apache2 (2.4.10-10) unstable; urgency=medium
1480
1481 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100
1482
1483+apache2 (2.4.10-9ubuntu1) vivid; urgency=medium
1484+
1485+ * Merge from Debian unstable. Remaining changes:
1486+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1487+ apache2.dirs}: Add ufw profiles.
1488+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1489+ - d/control, d/config-dir/mods-available/ssl.conf,
1490+ - Add dep8 tests.
1491+ - debian/rules: Fix cross-building by passing
1492+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1493+ - debian/patches/086_svn_cross_compiles: Backport several cross
1494+ fixes from upstream
1495+ - d/index.html: replace Debian with Ubuntu on default page.
1496+ - d/p/split-logfile.patch: fix completely broken split-logfile
1497+ command.
1498+ - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
1499+ denial of service in mod_lua via websockets PING
1500+ * debian/tests/ssl-passphrase: Add password responder for
1501+ systemd-ask-passphrase.
1502+
1503+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 09 Mar 2015 12:03:16 +0100
1504+
1505 apache2 (2.4.10-9) unstable; urgency=medium
1506
1507 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
1508@@ -1006,6 +2197,54 @@ apache2 (2.4.10-9) unstable; urgency=medium
1509
1510 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100
1511
1512+apache2 (2.4.10-8ubuntu3) vivid; urgency=medium
1513+
1514+ * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
1515+ directives
1516+ - debian/patches/CVE-2014-8109.patch: handle multiple Require
1517+ directives with different arguments in modules/lua/mod_lua.c.
1518+ - CVE-2014-8109
1519+ * SECURITY UPDATE: denial of service in mod_lua via websockets PING
1520+ - debian/patches/CVE-2015-0228.patch: fix logic in
1521+ modules/lua/lua_request.c.
1522+ - CVE-2015-0228
1523+
1524+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 05 Mar 2015 10:56:34 -0500
1525+
1526+apache2 (2.4.10-8ubuntu2) vivid; urgency=medium
1527+
1528+ * Allow "triggers-awaited" and "triggers-pending" states in addition to
1529+ "installed" when determining whether to defer actions or process
1530+ deferred actions (LP: #1393832).
1531+
1532+ -- Colin Watson <cjwatson@ubuntu.com> Wed, 26 Nov 2014 11:31:44 +0000
1533+
1534+apache2 (2.4.10-8ubuntu1) vivid; urgency=medium
1535+
1536+ * Merge from Debian unstable. Remaining changes:
1537+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1538+ apache2.dirs}: Add ufw profiles.
1539+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1540+ - d/control, d/config-dir/mods-available/ssl.conf,
1541+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1542+ dialog program ask-for-passphrase.
1543+ - Add dep8 tests.
1544+ - debian/rules: Fix cross-building by passing
1545+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1546+ - debian/patches/086_svn_cross_compiles: Backport several cross
1547+ fixes from upstream
1548+ - d/index.html: replace Debian with Ubuntu on default page.
1549+ - d/p/split-logfile.patch: fix completely broken split-logfile
1550+ command.
1551+ * Fixes from Debian included in merge:
1552+ - Crash caused by OCSP stapling code; this was erroneously
1553+ attributed to Debian in my previous merge, but actually only
1554+ appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
1555+ * Cherry-pick versioned build-depend on dpkg from Debian for correct
1556+ dpkg-maintscript-helper symlink_to_dir support.
1557+
1558+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 21 Nov 2014 15:15:58 +0000
1559+
1560 apache2 (2.4.10-8) unstable; urgency=medium
1561
1562 * Bump dpkg Pre-Depends to version that supports relative symlinks in
1563@@ -1020,6 +2259,33 @@ apache2 (2.4.10-8) unstable; urgency=medium
1564
1565 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100
1566
1567+apache2 (2.4.10-7ubuntu1) vivid; urgency=medium
1568+
1569+ * Merge from Debian unstable. Remaining changes:
1570+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1571+ apache2.dirs}: Add ufw profiles.
1572+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1573+ - d/control, d/config-dir/mods-available/ssl.conf,
1574+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1575+ dialog program ask-for-passphrase.
1576+ - Add dep8 tests.
1577+ - debian/rules: Fix cross-building by passing
1578+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1579+ - debian/patches/086_svn_cross_compiles: Backport several cross
1580+ fixes from upstream
1581+ - d/index.html: replace Debian with Ubuntu on default page.
1582+ - d/p/split-logfile.patch: fix completely broken split-logfile command.
1583+ * Fixes from Debian included in merge:
1584+ - Don't use a2query in preinst, as it may not be available yet
1585+ (LP: #1312533).
1586+ - Crash caused by OCSP stapling code (LP: #1366174).
1587+ - Disable SSLv3 in default config (LP: #1358305).
1588+ - If apache2 is not configured yet, defer actions executed via
1589+ apache2-maintscript-helper. This fixes installation failures if a
1590+ module package is configured first (LP: #1312854).
1591+
1592+ -- Robie Basak <robie.basak@ubuntu.com> Mon, 17 Nov 2014 18:04:40 +0000
1593+
1594 apache2 (2.4.10-7) unstable; urgency=medium
1595
1596 * Handle transitions of doc dirs and symlinks correctly during upgrade.
1597@@ -1103,6 +2369,25 @@ apache2 (2.4.10-2) unstable; urgency=medium
1598
1599 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200
1600
1601+apache2 (2.4.10-1ubuntu1) utopic; urgency=medium
1602+
1603+ * Merge from Debian unstable. Remaining changes:
1604+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1605+ apache2.dirs}: Add ufw profiles.
1606+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1607+ - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
1608+ d/apache2.install: Plymouth aware passphrase dialog program
1609+ ask-for-passphrase.
1610+ - Add dep8 tests.
1611+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
1612+ configure.
1613+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
1614+ upstream
1615+ - d/index.html: replace Debian with Ubuntu on default page.
1616+ - d/p/split-logfile.patch: fix completely broken split-logfile command.
1617+
1618+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 24 Jul 2014 15:13:16 +0000
1619+
1620 apache2 (2.4.10-1) unstable; urgency=medium
1621
1622 [ Arno Töll ]
1623@@ -1150,6 +2435,45 @@ apache2 (2.4.9-2) unstable; urgency=medium
1624
1625 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200
1626
1627+apache2 (2.4.9-1ubuntu2) utopic; urgency=medium
1628+
1629+ * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
1630+ yet support building against lua 5.2 (LP: #1323930).
1631+
1632+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 28 May 2014 08:55:25 +0000
1633+
1634+apache2 (2.4.9-1ubuntu1) utopic; urgency=medium
1635+
1636+ * Merge from Debian unstable. Remaining changes:
1637+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1638+ apache2.dirs}: Add ufw profiles.
1639+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1640+ - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
1641+ d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
1642+ dialog program ask-for-passphrase.
1643+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
1644+ configure.
1645+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
1646+ upstream
1647+ - Build using lua5.2.
1648+ - d/tests/chroot: dep8 test for ChrootDir case.
1649+ - d/tests/ssl-passphrase: update for new default path /var/www/html.
1650+ - d/tests/duplicate-module-load: check for duplicate module loads.
1651+ - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
1652+ - d/p/split-logfile.patch: fix completely broken split-logfile command
1653+ (LP: #1299162). Thanks to Holger Mauermann.
1654+ * Drop changes (upstreamed):
1655+ - d/p/ignore-quilt-dir: adjust build system so that it does not use
1656+ files find inside the .pc directory. This stops a double module load
1657+ causing later havoc, including "ChrootDir" directive failure.
1658+ - debian/patches/CVE-2013-6438.patch: properly calculate correct length
1659+ in modules/dav/main/util.c.
1660+ - debian/patches/CVE-2014-0098.patch: properly parse tokens in
1661+ modules/loggers/mod_log_config.c.
1662+ * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
1663+
1664+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 May 2014 19:30:04 +0000
1665+
1666 apache2 (2.4.9-1) unstable; urgency=medium
1667
1668 * New upstream version.
1669@@ -1182,6 +2506,63 @@ apache2 (2.4.9-1) unstable; urgency=medium
1670
1671 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +0100
1672
1673+apache2 (2.4.7-1ubuntu4) trusty; urgency=medium
1674+
1675+ * d/p/split-logfile.patch: fix completely broken split-logfile command
1676+ (LP: #1299162). Thanks to Holger Mauermann.
1677+
1678+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 03 Apr 2014 11:21:22 +0000
1679+
1680+apache2 (2.4.7-1ubuntu3) trusty; urgency=medium
1681+
1682+ * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
1683+ calculation
1684+ - debian/patches/CVE-2013-6438.patch: properly calculate correct length
1685+ in modules/dav/main/util.c.
1686+ - CVE-2013-6438
1687+ * SECURITY UPDATE: denial of service via truncated cookie and
1688+ mod_log_config
1689+ - debian/patches/CVE-2014-0098.patch: properly parse tokens in
1690+ modules/loggers/mod_log_config.c.
1691+ - CVE-2014-0098
1692+
1693+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Mar 2014 08:34:10 -0400
1694+
1695+apache2 (2.4.7-1ubuntu2) trusty; urgency=medium
1696+
1697+ * d/index.html: replace Debian with Ubuntu on default page
1698+ (LP: #1288690).
1699+
1700+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 19 Mar 2014 11:04:21 +0000
1701+
1702+apache2 (2.4.7-1ubuntu1) trusty; urgency=medium
1703+
1704+ * Merge from Debian unstable. Remaining changes:
1705+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1706+ apache2.dirs}: Add ufw profiles.
1707+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1708+ - d/control, d/config-dir/mods-available/ssl.conf,
1709+ d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase:
1710+ Plymouth aware passphrase dialog program ask-for-passphrase.
1711+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
1712+ to configure.
1713+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes
1714+ from upstream
1715+ - Build using lua5.2.
1716+ - d/tests/chroot: dep8 test for ChrootDir case.
1717+ - d/p/ignore-quilt-dir: adjust build system so that it does not use
1718+ files find inside the .pc directory. This stops a double module load
1719+ causing later havoc, including "ChrootDir" directive failure.
1720+ * Drop changes:
1721+ - debian/{control, rules}: Enable PIE hardening: no longer required;
1722+ 2.4.7-1 is already hardened.
1723+ - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved
1724+ out of this package.
1725+ * d/tests/ssl-passphrase: update for new default path /var/www/html.
1726+ * d/tests/duplicate-module-load: check for duplicate module loads.
1727+
1728+ -- Robie Basak <robie.basak@ubuntu.com> Tue, 14 Jan 2014 17:23:47 +0000
1729+
1730 apache2 (2.4.7-1) unstable; urgency=low
1731
1732 New upstream version
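Review bot: In the 2.4.7-1ubuntu1 entry, "Enable PIE hardening: no longer required; 2.4.7-1 is already hardened" drops a security hardening delta on an assertion that nothing in this entry verifies. The tests it adds (ssl-passphrase, duplicate-module-load) do not cover build flags. Recording how the claim was checked, for example hardening-check output for the built apache2 binary, would make the drop auditable.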
1733@@ -1245,6 +2626,53 @@ apache2 (2.4.6-3) unstable; urgency=low
1734
1735 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +0200
1736
1737+apache2 (2.4.6-2ubuntu4) trusty; urgency=low
1738+
1739+ * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so
1740+ that it does not use files find inside the .pc directory. This stops a
1741+ double module load causing later havoc, including "ChrootDir" directive
1742+ failure (LP: #1251939). Thanks to Stefan Fritsch.
1743+ * d/tests/chroot: dep8 test for ChrootDir case.
1744+
1745+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 Nov 2013 16:21:51 +0000
1746+
1747+apache2 (2.4.6-2ubuntu3) trusty; urgency=low
1748+
1749+ * debian/apache2.install: Correct path for ufw.
1750+ (LP: #1252722)
1751+
1752+ -- Chuck Short <zulcss@ubuntu.com> Tue, 19 Nov 2013 08:59:54 -0500
1753+
1754+apache2 (2.4.6-2ubuntu2) saucy; urgency=low
1755+
1756+ * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes
1757+ passphrase prompting for SSL certificates that are passphrase protected.
1758+ * Add dep8 test for SSL passphrase prompting.
1759+
1760+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 Aug 2013 13:08:52 +0000
1761+
1762+apache2 (2.4.6-2ubuntu1) saucy; urgency=low
1763+
1764+ * Merge from Debian unstable. Remaining changes:
1765+ - debian/{control, rules}: Enable PIE hardening.
1766+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1767+ apache2.dirs}: Add ufw profiles.
1768+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1769+ - debian/control, debian/config-dir/mods-available/ssl.conf,
1770+ debian/ask-for-passphrase, debian/apache2.install: Plymouth aware
1771+ passphrase dialog program ask-for-passphrase.
1772+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
1773+ to configure.
1774+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes
1775+ from upstream
1776+ * Dropped changes:
1777+ - debian/patches/CVE-2013-1896.patch: upstream
1778+ * Fixed module dependencies (LP: #1205314)
1779+ - debian/config-dir/mods-available/lbmethod_*: properly specify
1780+ proxy_balancer, not mod_proxy_balancer.
1781+
1782+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Jul 2013 08:31:33 -0400
1783+
1784 apache2 (2.4.6-2) unstable; urgency=low
1785
1786 [ Stefan Fritsch ]
1787@@ -1297,6 +2725,56 @@ apache2 (2.4.6-1) unstable; urgency=low
1788
1789 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +0200
1790
1791+apache2 (2.4.4-6ubuntu5) saucy; urgency=low
1792+
1793+ * SECURITY UPDATE: denial of service via MERGE request
1794+ - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
1795+ in modules/dav/main/mod_dav.c.
1796+ - CVE-2013-1896
1797+
1798+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Jul 2013 11:20:47 -0400
1799+
1800+apache2 (2.4.4-6ubuntu4) saucy; urgency=low
1801+
1802+ * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to
1803+ apache2-bin. apache2-utils is only suggested by apache2, so may not
1804+ always be installed by bug reporters. However, apache2-bin will always
1805+ need to be installed for Apache to be functional, so this is a better
1806+ place for the apport hook. apache2-bin already Conflicts/Replaces
1807+ apache2.2-common, so this also fixes (LP: #1199318).
1808+ * d/apache2.py: adjust apport hook for new location of configuration
1809+ files in apache2 >= 2.4: they have moved from apache2.2-common to
1810+ apache2.
1811+
1812+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 17 Jul 2013 17:54:22 +0000
1813+
1814+apache2 (2.4.4-6ubuntu3) saucy; urgency=low
1815+
1816+ * Build using lua5.2.
1817+
1818+ -- Matthias Klose <doko@ubuntu.com> Wed, 17 Jul 2013 14:24:42 +0200
1819+
1820+apache2 (2.4.4-6ubuntu2) saucy; urgency=low
1821+
1822+ * debian/rules: Fix FTBFS while installing ufw.
1823+
1824+ -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 10:10:14 -0500
1825+
1826+apache2 (2.4.4-6ubuntu1) saucy; urgency=low
1827+
1828+ * Merge from Debian unstable. Remaining changes:
1829+ - debian/{control, rules}: Enable PIE hardening.
1830+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1831+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1832+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1833+ Plymouth aware passphrase dialog program ask-for-passphrase.
1834+ * Dropped changes:
1835+ - debian/patches/CVE-2012-2687.patch: Dropped no longer needed.
1836+ - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed.
1837+ - debian/patches/CVE-2012-4929.patch: Dropped no longer needed.
1838+
1839+ -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 08:34:01 -0500
1840+
1841 apache2 (2.4.4-6) unstable; urgency=low
1842
1843 * Denote exact versions breaking gnome-user-share now that Gnome maintainers
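Review bot: In the 2.4.4-6ubuntu1 entry, the three "Dropped changes" lines for CVE-2012-2687.patch, CVE-2012-3499_4558.patch and CVE-2012-4929.patch say only "Dropped no longer needed", with no reason given. For security patches the entry should state why, such as "applied upstream" as the 2.4.17-1ubuntu1 entry does, so a reader can confirm the fixes are still present after the move from 2.2.22 to 2.4.4.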
1844@@ -1768,6 +3246,122 @@ apache2 (2.4.1-1) experimental; urgency=low
1845
1846 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +0100
1847
1848+apache2 (2.2.22-6ubuntu5) raring; urgency=low
1849+
1850+ * SECURITY UPDATE: multiple cross-site scripting issues
1851+ - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
1852+ modules/generators/{mod_info.c,mod_status.c},
1853+ modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
1854+ modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
1855+ - CVE-2012-3499
1856+ - CVE-2012-4558
1857+ * SECURITY UPDATE: symlink attack in apache2ctl script
1858+ - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
1859+ - Thanks to Stefan Fritsch for the fix.
1860+ - CVE-2013-1048
1861+
1862+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 15 Mar 2013 07:59:58 -0400
1863+
1864+apache2 (2.2.22-6ubuntu4) raring; urgency=low
1865+
1866+ * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
1867+ * Skip module sanity check between MPMs if cross-building without the
1868+ kernel/binfmt support to run our target binaries on the build system.
1869+ * Backport several cross fixes from upstream as 086_svn_cross_compiles.
1870+
1871+ -- Adam Conrad <adconrad@ubuntu.com> Wed, 05 Dec 2012 02:21:46 -0700
1872+
1873+apache2 (2.2.22-6ubuntu3) raring; urgency=low
1874+
1875+ * SECURITY UPDATE: XSS vulnerability in mod_negotiation
1876+ - debian/patches/CVE-2012-2687.patch: escape filenames in
1877+ modules/mappers/mod_negotiation.c.
1878+ - CVE-2012-2687
1879+ * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
1880+ - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
1881+ directive. Defaults to off as enabling compression enables the CRIME
1882+ attack.
1883+ - CVE-2012-4929
1884+
1885+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 08 Nov 2012 17:56:24 -0500
1886+
1887+apache2 (2.2.22-6ubuntu2) quantal; urgency=low
1888+
1889+ * debian/apache2.py
1890+ - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171)
1891+ - Check if this directory exists: /etc/apache2/sites-enabled/
1892+
1893+ -- Matthieu Baerts (matttbe) <matttbe@gmail.com> Mon, 16 Jul 2012 10:02:18 +0200
1894+
1895+apache2 (2.2.22-6ubuntu1) quantal; urgency=low
1896+
1897+ * Merge from Debian unstable. Remaining changes:
1898+ - debian/{control, rules}: Enable PIE hardening.
1899+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1900+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1901+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1902+ Plymouth aware passphrase dialog program ask-for-passphrase.
1903+ * Dropped changes:
1904+ - debian/control: Add bzr tag and point it to our tree; this is not
1905+ really required and just increases the delta.
1906+
1907+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 08 Jun 2012 11:37:31 +0100
1908+
1909+apache2 (2.2.22-6) unstable; urgency=low
1910+
1911+ [ Stefan Fritsch ]
1912+ * Fix regression causing apache2 to cache "206 partial content" responses,
1913+ and then serving these partial responses when replying to normal requests.
1914+ Closes: #671204
1915+ * Add section to security.conf that shows how to forbid access to VCS
1916+ directories. Closes: #548213
1917+ * Update ssl default cipher config, add alternative speed optimized config.
1918+ Closes: #649020
1919+ * Add "AddCharset" for .brf files in default mod_mime config.
1920+ Closes: #402567
1921+ * Don't create httpd.conf anymore and don't include it in apache2.conf. If
1922+ it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
1923+ * Port some of the comments in apache2.conf from the 2.4 package.
1924+ * Compile mod_version statically, drop associated module load file.
1925+ * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
1926+ configtest.
1927+ * Note in README.Debian that future versions of the package will have the
1928+ include statements changed to include only *.conf.
1929+ * Change compiled-in document root to /var/www, to avoid strange error
1930+ messages.
1931+ * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
1932+
1933+ [ Arno Töll ]
1934+ * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
1935+ to override LDFLAGS at compile time by defining LDLAGS in the environment,
1936+ just like it is possible for CFLAGS. This also means, config_vars.mk now
1937+ exports hardening build flags by default.
1938+ * Update doc-base metadata for the apache2-doc package.
1939+
1940+ -- Stefan Fritsch <sf@debian.org> Tue, 29 May 2012 22:05:48 +0200
1941+
1942+apache2 (2.2.22-5) unstable; urgency=low
1943+
1944+ * Make LoadFile and LoadModule look in the standard search paths if the
1945+ dso file name is given as a pure filename. This helps with the multi-arch
1946+ transition.
1947+
1948+ -- Stefan Fritsch <sf@debian.org> Mon, 30 Apr 2012 23:38:33 +0200
1949+
1950+apache2 (2.2.22-4) unstable; urgency=high
1951+
1952+ * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
1953+ hosts' config files.
1954+ If scripting modules like mod_php or mod_rivet are enabled on systems
1955+ where either 1) some frontend server forwards connections to an apache2
1956+ backend server on the localhost address, or 2) the machine running
1957+ apache2 is also used for web browsing, this could allow a remote
1958+ attacker to execute example scripts stored under /usr/share/doc.
1959+ Depending on the installed packages, this could lead to issues like cross
1960+ site scripting, code execution, or leakage of sensitive data.
1961+
1962+ -- Stefan Fritsch <sf@debian.org> Sun, 15 Apr 2012 23:41:43 +0200
1963+
1964 apache2 (2.2.22-3) unstable; urgency=low
1965
1966 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
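Review bot: The Debian uploads 2.2.22-6, 2.2.22-5 and 2.2.22-4 (unstable, signed by Stefan Fritsch) appear as added lines here alongside the Ubuntu entries, so the changelog delta against debian/sid is not purely Ubuntu-specific as the merge description states. This includes the urgency=high CVE-2012-0216 entry. A sentence in the description explaining why these Debian entries are carried would save the next merger from re-checking them. In the 2.2.22-6 entry, "by defining LDLAGS in the environment" should read LDFLAGS.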
1967@@ -1788,6 +3382,18 @@ apache2 (2.2.22-2) unstable; urgency=low
1968
1969 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +0100
1970
1971+apache2 (2.2.22-1ubuntu1) precise; urgency=low
1972+
1973+ * Merge from Debian testing. Remaining changes:
1974+ - debian/{control, rules}: Enable PIE hardening.
1975+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1976+ - debian/control: Add bzr tag and point it to our tree
1977+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1978+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1979+ Plymouth aware passphrase dialog program ask-for-passphrase.
1980+
1981+ -- Chuck Short <zulcss@ubuntu.com> Sun, 12 Feb 2012 20:06:35 -0500
1982+
1983 apache2 (2.2.22-1) unstable; urgency=low
1984
1985 [ Stefan Fritsch ]
1986@@ -1805,6 +3411,18 @@ apache2 (2.2.22-1) unstable; urgency=low
1987
1988 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +0100
1989
1990+apache2 (2.2.21-5ubuntu1) precise; urgency=low
1991+
1992+ * Merge from Debian testing. Remaining changes:
1993+ - debian/{control, rules}: Enable PIE hardening.
1994+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
1995+ - debian/control: Add bzr tag and point it to our tree
1996+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
1997+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
1998+ Plymouth aware passphrase dialog program ask-for-passphrase.
1999+
2000+ -- Chuck Short <zulcss@ubuntu.com> Mon, 09 Jan 2012 06:26:31 +0000
2001+
2002 apache2 (2.2.21-5) unstable; urgency=low
2003
2004 [ Arno Töll ]
2005@@ -1858,6 +3476,26 @@ apache2 (2.2.21-4) unstable; urgency=low
2006
2007 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +0100
2008
2009+apache2 (2.2.21-3ubuntu2) precise; urgency=low
2010+
2011+ * d/ask-for-passphrase: Flip the logic of this script so that it checks
2012+ first to see if apache is being started from a TTY, and then if not,
2013+ tries plymouth. (LP: #887410)
2014+
2015+ -- Clint Byrum <clint@ubuntu.com> Tue, 06 Dec 2011 16:49:33 -0800
2016+
2017+apache2 (2.2.21-3ubuntu1) precise; urgency=low
2018+
2019+ * Merge from Debian testing. Remaining changes:
2020+ - debian/{control, rules}: Enable PIE hardening.
2021+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2022+ - debian/control: Add bzr tag and point it to our tree
2023+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2024+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2025+ Plymouth aware passphrase dialog program ask-for-passphrase.
2026+
2027+ -- Chuck Short <zulcss@ubuntu.com> Fri, 09 Dec 2011 05:20:43 +0000
2028+
2029 apache2 (2.2.21-3) unstable; urgency=medium
2030
2031 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
2032@@ -1872,6 +3510,24 @@ apache2 (2.2.21-3) unstable; urgency=medium
2033
2034 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +0100
2035
2036+apache2 (2.2.21-2ubuntu2) precise; urgency=low
2037+
2038+ * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
2039+
2040+ -- Adam Conrad <adconrad@ubuntu.com> Fri, 02 Dec 2011 17:36:28 -0700
2041+
2042+apache2 (2.2.21-2ubuntu1) precise; urgency=low
2043+
2044+ * Merge from debian unstable. Remaining changes:
2045+ - debian/{control, rules}: Enable PIE hardening.
2046+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2047+ - debian/control: Add bzr tag and point it to our tree
2048+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2049+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2050+ Plymouth aware passphrase dialog program ask-for-passphrase.
2051+
2052+ -- Chuck Short <zulcss@ubuntu.com> Fri, 14 Oct 2011 16:01:29 +0000
2053+
2054 apache2 (2.2.21-2) unstable; urgency=high
2055
2056 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
2057@@ -1889,6 +3545,19 @@ apache2 (2.2.21-1) unstable; urgency=low
2058
2059 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +0200
2060
2061+apache2 (2.2.20-1ubuntu1) oneiric; urgency=low
2062+
2063+ * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
2064+ Remaining changes:
2065+ - debian/{control, rules}: Enable PIE hardening.
2066+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2067+ - debian/control: Add bzr tag and point it to our tree
2068+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2069+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2070+ Plymouth aware passphrase dialog program ask-for-passphrase.
2071+
2072+ -- Steve Beattie <sbeattie@ubuntu.com> Tue, 06 Sep 2011 01:17:15 -0700
2073+
2074 apache2 (2.2.20-1) unstable; urgency=low
2075
2076 * New upstream release.
2077@@ -1911,6 +3580,18 @@ apache2 (2.2.19-2) unstable; urgency=high
2078
2079 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +0200
2080
2081+apache2 (2.2.19-1ubuntu1) oneiric; urgency=low
2082+
2083+ * Merge from debian unstable (LP: #787013). Remaining changes:
2084+ - debian/{control, rules}: Enable PIE hardening.
2085+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2086+ - debian/control: Add bzr tag and point it to our tree
2087+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2088+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2089+ Plymouth aware passphrase dialog program ask-for-passphrase.
2090+
2091+ -- Andres Rodriguez <andreserl@ubuntu.com> Mon, 23 May 2011 10:16:09 -0400
2092+
2093 apache2 (2.2.19-1) unstable; urgency=low
2094
2095 * New upstream release.
2096@@ -1928,6 +3609,18 @@ apache2 (2.2.19-1) unstable; urgency=low
2097
2098 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +0200
2099
2100+apache2 (2.2.17-3ubuntu1) oneiric; urgency=low
2101+
2102+ * Merge from debian unstable. Remaining changes:
2103+ - debian/{control, rules}: Enable PIE hardening.
2104+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2105+ - debian/control: Add bzr tag and point it to our tree
2106+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
2107+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2108+ Plymouth aware passphrase dialog program ask-for-passphrase.
2109+
2110+ -- Chuck Short <zulcss@ubuntu.com> Mon, 11 Apr 2011 02:13:30 +0100
2111+
2112 apache2 (2.2.17-3) unstable; urgency=low
2113
2114 * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
2115@@ -1954,6 +3647,18 @@ apache2 (2.2.17-2) unstable; urgency=high
2116
2117 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +0100
2118
2119+apache2 (2.2.17-1ubuntu1) natty; urgency=low
2120+
2121+ * Merge from debian unstable, remaining changes:
2122+ - debian/{control, rules}: Enable PIE hardening.
2123+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2124+ - debian/control: Add bzr tag and point it to our tree
2125+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
2126+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2127+ Plymouth aware passphrase dialog program ask-for-passphrase.
2128+
2129+ -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Feb 2011 13:02:08 -0500
2130+
2131 apache2 (2.2.17-1) unstable; urgency=low
2132
2133 * New upstream version
2134@@ -1962,6 +3667,32 @@ apache2 (2.2.17-1) unstable; urgency=low
2135
2136 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +0100
2137
2138+apache2 (2.2.16-6ubuntu3) natty; urgency=low
2139+
2140+ * debian/rules: Don't use "-fno-strict-aliasing" since it causes
2141+ apache FTBFS on amd64. (LP: #711293)
2142+
2143+ -- Chuck Short <zulcss@ubuntu.com> Tue, 01 Feb 2011 10:19:55 -0500
2144+
2145+apache2 (2.2.16-6ubuntu2) natty; urgency=low
2146+
2147+ * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug.
2148+ (LP: #697105)
2149+
2150+ -- Chuck Short <zulcss@ubuntu.com> Tue, 25 Jan 2011 11:14:58 -0500
2151+
2152+apache2 (2.2.16-6ubuntu1) natty; urgency=low
2153+
2154+ * Merge from debian unstable. Remaining changes:
2155+ - debian/{control, rules}: Enable PIE hardening.
2156+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2157+ - debian/control: Add bzr tag and point it to our tree
2158+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
2159+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2160+ Plymouth aware passphrase dialog program ask-for-passphrase.
2161+
2162+ -- Chuck Short <zulcss@ubuntu.com> Sun, 02 Jan 2011 06:05:51 +0000
2163+
2164 apache2 (2.2.16-6) unstable; urgency=low
2165
2166 * Also add $named to the secondary-init-script example.
2167@@ -1977,6 +3708,30 @@ apache2 (2.2.16-5) unstable; urgency=medium
2168
2169 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +0100
2170
2171+apache2 (2.2.16-4ubuntu2) natty; urgency=low
2172+
2173+ [Clint Byrum]
2174+ * Adding plymouth aware passphrase dialog program ask-for-passphrase.
2175+ (LP: #582963)
2176+ + debian/control: apache2.2-common depends on bash for ask-for-passphrase
2177+ + debian/config-dir/mods-available/ssl.conf:
2178+ - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase
2179+
2180+ [Chuck Short]
2181+ * Add apport hook. (LP: #609177)
2182+ + debian/apache2.py, debian/apache2.2-common.install
2183+
2184+ -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:43 -0500
2185+
2186+apache2 (2.2.16-4ubuntu1) natty; urgency=low
2187+
2188+ * Merge from debian unstable. Remaining changes:
2189+ - debian/{control, rules}: Enable PIE hardening.
2190+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2191+ - debian/control: Add bzr tag and point it to our tree
2192+
2193+ -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:41 -0500
2194+
2195 apache2 (2.2.16-4) unstable; urgency=medium
2196
2197 * Increase the mod_reqtimeout default timeouts to avoid potential problems
2198@@ -1987,6 +3742,15 @@ apache2 (2.2.16-4) unstable; urgency=medium
2199
2200 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +0100
2201
2202+apache2 (2.2.16-3ubuntu1) natty; urgency=low
2203+
2204+ * Merge from debian unstable. Remaining changes:
2205+ - debian/{control, rules}: Enable PIE hardening.
2206+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2207+ - debian/control: Add bzr tag and point it to our tree.
2208+
2209+ -- Chuck Short <zulcss@ubuntu.com> Tue, 12 Oct 2010 11:54:48 +0100
2210+
2211 apache2 (2.2.16-3) unstable; urgency=high
2212
2213 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
2214@@ -2009,6 +3773,30 @@ apache2 (2.2.16-2) unstable; urgency=low
2215
2216 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +0200
2217
2218+apache2 (2.2.16-1ubuntu3) maverick; urgency=low
2219+
2220+ * Revert "stty sane" to unbreak apache starting, this will have to be
2221+ fixed a different way. (LP: #626723)
2222+
2223+ -- Chuck Short <zulcss@ubuntu.com> Wed, 08 Sep 2010 08:33:17 -0400
2224+
2225+apache2 (2.2.16-1ubuntu2) maverick; urgency=low
2226+
2227+ * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a
2228+ password prompt when using apache-ssl. (LP: #582963)
2229+
2230+ -- Chuck Short <zulcss@ubuntu.com> Wed, 25 Aug 2010 09:25:05 -0400
2231+
2232+apache2 (2.2.16-1ubuntu1) maverick; urgency=low
2233+
2234+ * Merge from debian unstable. Remaining changes:
2235+ - debian/{control, rules}: Enable PIE hardening.
2236+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2237+ - debian/control: Add bzr tag and point it to our tree.
2238+ - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
2239+
2240+ -- Chuck Short <zulcss@ubuntu.com> Mon, 26 Jul 2010 20:21:37 +0100
2241+
2242 apache2 (2.2.16-1) unstable; urgency=medium
2243
2244 * Urgency medium for security fix.
2245@@ -2041,6 +3829,24 @@ apache2 (2.2.15-6) unstable; urgency=low
2246
2247 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +0200
2248
2249+apache2 (2.2.15-5ubuntu1) maverick; urgency=low
2250+
2251+ * Merge from debian unstable. Remaining changes:
2252+ - debian/{control, rules}: Enable PIE hardening.
2253+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2254+ - debian/control: Add bzr tag and point it to our tree.
2255+ - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
2256+ + Dropped:
2257+ - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
2258+ - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
2259+ - debian/config-dir/apache2.conf: Merged back from debian.
2260+ - mod-reqtimeout functionality: Merge back from debian.
2261+ - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
2262+ - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
2263+ - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.
2264+
2265+ -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 01:28:04 +0100
2266+
2267 apache2 (2.2.15-5) unstable; urgency=low
2268
2269 * Conflict with apache package as we now include apachectl. Closes: #579065
2270@@ -2161,6 +3967,80 @@ apache2 (2.2.14-6) unstable; urgency=low
2271
2272 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +0100
2273
2274+apache2 (2.2.14-5ubuntu8) lucid; urgency=low
2275+
2276+ * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
2277+ (LP: #562370)
2278+
2279+ -- Chuck Short <zulcss@ubuntu.com> Tue, 13 Apr 2010 15:09:57 -0400
2280+
2281+apache2 (2.2.14-5ubuntu7) lucid; urgency=low
2282+
2283+ * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
2284+ leaks by making sure to not destroy bucket brigades that have been created
2285+ by earlier filters. Backported from 2.2.15.
2286+ * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
2287+ has reached MaxClients until it has. Backported from 2.2.15
2288+ * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
2289+ more secure by adding Satisfy all. (Debian bug: #572075)
2290+ * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
2291+ debian/config2-dir/mods-available/reqtimeout.load,
2292+ debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the
2293+ mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
2294+ bug in apache. Enable it by default. (LP: #392759)
2295+
2296+ -- Chuck Short <zulcss@ubuntu.com> Mon, 05 Apr 2010 09:53:35 -0400
2297+
2298+apache2 (2.2.14-5ubuntu6) lucid; urgency=low
2299+
2300+ * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)
2301+
2302+ -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 09:41:11 -0400
2303+
2304+apache2 (2.2.14-5ubuntu5) lucid; urgency=low
2305+
2306+ * Revert 99-fix-mod-dav-permissions.dpatch
2307+
2308+ -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 07:55:46 -0400
2309+
2310+apache2 (2.2.14-5ubuntu4) lucid; urgency=low
2311+
2312+ * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when
2313+ downloading files from webdav (LP: #540747)
2314+ * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)
2315+
2316+ -- Chuck Short <zulcss@ubuntu.com> Mon, 29 Mar 2010 13:37:39 -0400
2317+
2318+apache2 (2.2.14-5ubuntu3) lucid; urgency=low
2319+
2320+ * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
2321+ - debian/patches/204_CVE-2010-0408.dpatch: return the right error code
2322+ in modules/proxy/mod_proxy_ajp.c.
2323+ - CVE-2010-0408
2324+ * SECURITY UPDATE: information disclosure via improper handling of
2325+ headers in subrequests
2326+ - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in
2327+ in server/protocol.c.
2328+ - CVE-2010-0434
2329+
2330+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Mar 2010 14:48:48 -0500
2331+
2332+apache2 (2.2.14-5ubuntu2) lucid; urgency=low
2333+
2334+ * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really
2335+ wacky options. (LP: #450501)
2336+
2337+ -- Chuck Short <zulcss@ubuntu.com> Mon, 08 Mar 2010 14:53:17 -0500
2338+
2339+apache2 (2.2.14-5ubuntu1) lucid; urgency=low
2340+
2341+ * Merge from debian testing. Remaining changes: LP: #506862
2342+ - debian/{control, rules}: Enable PIE hardening.
2343+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2344+ - debian/control: Add bzr tag and point it to our tree.
2345+
2346+ -- Bhavani Shankar <right2bhavi@gmail.com> Wed, 13 Jan 2010 14:28:41 +0530
2347+
2348 apache2 (2.2.14-5) unstable; urgency=low
2349
2350 * Security: Further mitigation for the TLS renegotation attack
2351@@ -2184,6 +4064,15 @@ apache2 (2.2.14-5) unstable; urgency=low
2352
2353 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +0100
2354
2355+apache2 (2.2.14-4ubuntu1) lucid; urgency=low
2356+
2357+ * Resynchronzie with Debian, remaining changes are:
2358+ - debian/{control, rules}: Enable PIE hardening.
2359+ - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
2360+ - debian/control: Add bzr tag and point it to our tree.
2361+
2362+ -- Chuck Short <zulcss@ubuntu.com> Wed, 23 Dec 2009 14:44:51 -0500
2363+
2364 apache2 (2.2.14-4) unstable; urgency=low
2365
2366 * Disable localized error pages again by default because they break
2367@@ -2234,6 +4123,17 @@ apache2 (2.2.14-2) unstable; urgency=medium
2368
2369 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +0100
2370
2371+apache2 (2.2.14-1ubuntu1) lucid; urgency=low
2372+
2373+ * Merge from debian testing, remaining changes:
2374+ - debian/{control, rules}: Enable PIE hardening.
2375+ - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
2376+ - debian/conrol: Add bzr tag and point it to our tree.
2377+ - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
2378+ Already applied upstream.
2379+
2380+ -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 00:29:03 +0000
2381+
2382 apache2 (2.2.14-1) unstable; urgency=low
2383
2384 * New upstream version:
2385@@ -2268,6 +4168,24 @@ apache2 (2.2.13-1) unstable; urgency=low
2386
2387 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +0200
2388
2389+apache2 (2.2.12-1ubuntu2) karmic; urgency=low
2390+
2391+ * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
2392+ - Fix potential segfaults with the use of the legacy ap_rputs() etc
2393+ interfaces, in cases where an output filter fails. This happens
2394+ frequently after CVE-2009-1891 got fixed. (LP: #409987)
2395+
2396+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 17 Aug 2009 15:38:47 -0400
2397+
2398+apache2 (2.2.12-1ubuntu1) karmic; urgency=low
2399+
2400+ * Merge from debian unstable, remaining changes:
2401+ - debian/{control,rules}: enable PIE hardening.
2402+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2403+ - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.
2404+
2405+ -- Chuck Short <zulcss@ubuntu.com> Tue, 04 Aug 2009 20:04:24 +0100
2406+
2407 apache2 (2.2.12-1) unstable; urgency=low
2408
2409 * New upstream release:
2410@@ -2315,6 +4233,16 @@ apache2 (2.2.12-1) unstable; urgency=low
2411
2412 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +0200
2413
2414+apache2 (2.2.11-7ubuntu1) karmic; urgency=low
2415+
2416+ * Merge from debian unstable, remaining changes: LP: #398130
2417+ - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
2418+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2419+ - debian/{control,rules}: enable PIE hardening.
2420+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2421+
2422+ -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 11 Jul 2009 16:34:32 +0530
2423+
2424 apache2 (2.2.11-7) unstable; urgency=low
2425
2426 * Security fixes:
2427@@ -2329,6 +4257,16 @@ apache2 (2.2.11-7) unstable; urgency=low
2428
2429 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +0200
2430
2431+apache2 (2.2.11-6ubuntu1) karmic; urgency=low
2432+
2433+ * Merge from debian unstable, remaining changes:
2434+ - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
2435+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2436+ - debian/{control,rules}: enable PIE hardening.
2437+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2438+
2439+ -- Chuck Short <zulcss@ubuntu.com> Tue, 09 Jun 2009 01:01:23 +0100
2440+
2441 apache2 (2.2.11-6) unstable; urgency=high
2442
2443 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
2444@@ -2337,6 +4275,16 @@ apache2 (2.2.11-6) unstable; urgency=high
2445
2446 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +0200
2447
2448+apache2 (2.2.11-5ubuntu1) karmic; urgency=low
2449+
2450+ * Merge from debian unstable, remaining changes:
2451+ - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2452+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2453+ - debian/{control,rules}: enable PIE hardening.
2454+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2455+
2456+ -- Andrew Mitchell <ajmitch@ubuntu.com> Wed, 03 Jun 2009 14:10:54 +1200
2457+
2458 apache2 (2.2.11-5) unstable; urgency=low
2459
2460 * Move all binaries into a new package apache2.2-bin and make
2461@@ -2385,6 +4333,16 @@ apache2 (2.2.11-4) unstable; urgency=low
2462
2463 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +0200
2464
2465+apache2 (2.2.11-3ubuntu1) karmic; urgency=low
2466+
2467+ * Merge from debian unstable, remaining changes:
2468+ - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2469+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2470+ - debian/{control,rules}: enable PIE hardening.
2471+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2472+
2473+ -- Andrew Mitchell <ajmitch@ubuntu.com> Tue, 12 May 2009 16:15:34 +1200
2474+
2475 apache2 (2.2.11-3) unstable; urgency=low
2476
2477 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
2478@@ -2393,6 +4351,21 @@ apache2 (2.2.11-3) unstable; urgency=low
2479
2480 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +0200
2481
2482+apache2 (2.2.11-2ubuntu2) jaunty; urgency=low
2483+
2484+ * debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2485+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2486+
2487+ -- Chuck Short <zulcss@ubuntu.com> Wed, 01 Apr 2009 11:39:17 -0400
2488+
2489+apache2 (2.2.11-2ubuntu1) jaunty; urgency=low
2490+
2491+ * Merge from debian unstable, remaining changes:
2492+ - debian/{contro,rules}: enable PIE hardening.
2493+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2494+
2495+ -- Chuck Short <zulcss@ubuntu.com> Sat, 17 Jan 2009 00:02:55 +0000
2496+
2497 apache2 (2.2.11-2) unstable; urgency=low
2498
2499 * Report an error instead instead of segfaulting when apr_pollset_create
2500@@ -2402,6 +4375,14 @@ apache2 (2.2.11-2) unstable; urgency=low
2501
2502 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +0100
2503
2504+apache2 (2.2.11-1ubuntu1) jaunty; urgency=low
2505+
2506+ * Merge from debian unstable, remaining changes:
2507+ - debian/{control, rules}: enable PIE hardening.
2508+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2509+
2510+ -- Chuck Short <zulcss@ubuntu.com> Mon, 15 Dec 2008 00:06:50 +0000
2511+
2512 apache2 (2.2.11-1) unstable; urgency=low
2513
2514 [Thom May]
2515@@ -2416,6 +4397,14 @@ apache2 (2.2.11-1) unstable; urgency=low
2516
2517 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +0100
2518
2519+apache2 (2.2.9-11ubuntu1) jaunty; urgency=low
2520+
2521+ * Merge from debian unstable, remaining changes: (LP: #303375)
2522+ - debian/{control, rules}: enable PIE hardening.
2523+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2524+
2525+ -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 29 Nov 2008 14:02:31 +0530
2526+
2527 apache2 (2.2.9-11) unstable; urgency=low
2528
2529 * Regression fix from upstream svn for mod_proxy:
2530@@ -2430,6 +4419,14 @@ apache2 (2.2.9-11) unstable; urgency=low
2531
2532 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +0100
2533
2534+apache2 (2.2.9-10ubuntu1) jaunty; urgency=low
2535+
2536+ * Merge from debian unstable, remaining changes:
2537+ - debian/{control, rules}: enable PIE hardening.
2538+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2539+
2540+ -- Chuck Short <zulcss@ubuntu.com> Wed, 05 Nov 2008 02:23:18 -0400
2541+
2542 apache2 (2.2.9-10) unstable; urgency=low
2543
2544 * Regression fix from upstream svn for mod_proxy_http:
2545@@ -2460,6 +4457,27 @@ apache2 (2.2.9-8) unstable; urgency=low
2546
2547 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +0200
2548
2549+apache2 (2.2.9-7ubuntu3) intrepid; urgency=low
2550+
2551+ * Revert logrotate change since it will break it for everyone.
2552+
2553+ -- Chuck Short <zulcss@ubuntu.com> Fri, 19 Sep 2008 09:32:01 -0400
2554+
2555+apache2 (2.2.9-7ubuntu2) intrepid; urgency=low
2556+
2557+ * debian/logrotate: Restart rather than reload for busy websites.
2558+ (LP: #270899)
2559+
2560+ -- Chuck Short <zulcss@ubuntu.com> Thu, 18 Sep 2008 08:42:22 -0400
2561+
2562+apache2 (2.2.9-7ubuntu1) intrepid; urgency=low
2563+
2564+ * Merge from debian unstable, remaining changes:
2565+ - debian/{control,rules}: enable PIE hardening.
2566+ - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles.
2567+
2568+ -- Kees Cook <kees@ubuntu.com> Thu, 28 Aug 2008 08:10:59 -0700
2569+
2570 apache2 (2.2.9-7) unstable; urgency=low
2571
2572 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).
2573@@ -2502,6 +4520,23 @@ apache2 (2.2.9-4) unstable; urgency=low
2574
2575 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +0200
2576
2577+apache2 (2.2.9-3ubuntu2) intrepid; urgency=low
2578+
2579+ * add ufw integration (see
2580+ https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages)
2581+ (LP: #261198)
2582+ - debian/control: suggest ufw for apache2.2-common
2583+ - add apache2.2-common.ufw.profile with 3 profiles and install it to
2584+ /etc/ufw/applications.d/apache2.2-common
2585+
2586+ -- Didier Roche <didrocks@ubuntu-fr.org> Tue, 26 Aug 2008 19:03:42 +0200
2587+
2588+apache2 (2.2.9-3ubuntu1) intrepid; urgency=low
2589+
2590+ * debian/{control,rules}: enable PIE hardening
2591+
2592+ -- Kees Cook <kees@ubuntu.com> Wed, 20 Aug 2008 15:45:00 -0700
2593+
2594 apache2 (2.2.9-3) unstable; urgency=low
2595
2596 [ Stefan Fritsch ]
2597@@ -4072,9 +6107,7 @@ apache2 (2.0.37-1) unstable; urgency=low
2598 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +0100
2599
2600 apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low
2601-
2602 * New upstream release
2603-
2604 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +0100
2605
2606 apache2 (2.0.36-2) unstable; urgency=low
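Review bot: The two removed lines in the 2.0.37+cvs.JCW_PRE2_2037-1 entry are the blank separators after the version header and before the trailer, so this is a whitespace-only difference from Debian inside a released historical entry. It is not part of the Ubuntu delta and departs from the conventional layout used by every other entry shown here. Restoring the two blank lines would remove a difference that otherwise has to be carried through each future merge.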
2607@@ -4582,3 +6615,4 @@ apache2 (2.0.18-1) unstable; urgency=low
2608 * Initial Release.
2609
2610 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +1000
2611+
2612diff --git a/debian/control b/debian/control
2613index af2505a..900f549 100644
2614--- a/debian/control
2615+++ b/debian/control
2616@@ -1,5 +1,6 @@
2617 Source: apache2
2618-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
2619+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
2620+XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
2621 Uploaders: Stefan Fritsch <sf@debian.org>,
2622 Arno Töll <arno@debian.org>,
2623 Ondřej Surý <ondrej@debian.org>,
2624@@ -44,7 +45,8 @@ Depends: apache2-bin (= ${binary:Version}),
2625 Recommends: ssl-cert
2626 Suggests: apache2-doc,
2627 apache2-suexec-pristine | apache2-suexec-custom,
2628- www-browser
2629+ www-browser,
2630+ ufw
2631 Pre-Depends: ${misc:Pre-Depends}
2632 Provides: httpd,
2633 httpd-cgi
2634diff --git a/debian/icons/ubuntu-logo.png b/debian/icons/ubuntu-logo.png
2635new file mode 100644
2636index 0000000..eee686c
2637Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ
2638diff --git a/debian/index.html b/debian/index.html
2639index 766401d..9c90ef4 100644
2640--- a/debian/index.html
2641+++ b/debian/index.html
2642@@ -1,9 +1,13 @@
2643-
2644 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2645 <html xmlns="http://www.w3.org/1999/xhtml">
2646+ <!--
2647+ Modified from the Debian original for Ubuntu
2648+ Last updated: 2022-03-22
2649+ See: https://launchpad.net/bugs/1966004
2650+ -->
2651 <head>
2652 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
2653- <title>Apache2 Debian Default Page: It works</title>
2654+ <title>Apache2 Ubuntu Default Page: It works</title>
2655 <style type="text/css" media="screen">
2656 * {
2657 margin: 0px 0px 0px 0px;
2658@@ -15,7 +19,7 @@
2659
2660 background-color: #D8DBE2;
2661
2662- font-family: Verdana, sans-serif;
2663+ font-family: Ubuntu, Verdana, sans-serif;
2664 font-size: 11pt;
2665 text-align: center;
2666 }
2667@@ -41,7 +45,7 @@
2668 }
2669
2670 div.page_header {
2671- height: 99px;
2672+ height: 180px;
2673 width: 100%;
2674
2675 background-color: #F5F6F7;
2676@@ -60,6 +64,19 @@
2677 border: 0px 0px 0px;
2678 }
2679
2680+ div.banner {
2681+ padding: 9px 6px 9px 6px;
2682+ background-color: #E9510E;
2683+ color: #FFFFFF;
2684+ font-weight: bold;
2685+ font-size: 112%;
2686+ text-align: center;
2687+ position: absolute;
2688+ left: 40%;
2689+ bottom: 30px;
2690+ width: 20%;
2691+ }
2692+
2693 div.table_of_contents {
2694 clear: left;
2695
2696@@ -136,10 +153,6 @@
2697 text-align: center;
2698 }
2699
2700- div.section_header_red {
2701- background-color: #CD214F;
2702- }
2703-
2704 div.section_header_grey {
2705 background-color: #9F9386;
2706 }
2707@@ -188,46 +201,31 @@
2708 <body>
2709 <div class="main_page">
2710 <div class="page_header floating_element">
2711- <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/>
2712- <span class="floating_element">
2713- Apache2 Debian Default Page
2714- </span>
2715- </div>
2716-<!-- <div class="table_of_contents floating_element">
2717- <div class="section_header section_header_grey">
2718- TABLE OF CONTENTS
2719- </div>
2720- <div class="table_of_contents_item floating_element">
2721- <a href="#about">About</a>
2722- </div>
2723- <div class="table_of_contents_item floating_element">
2724- <a href="#changes">Changes</a>
2725- </div>
2726- <div class="table_of_contents_item floating_element">
2727- <a href="#scope">Scope</a>
2728- </div>
2729- <div class="table_of_contents_item floating_element">
2730- <a href="#files">Config files</a>
2731+ <img src="icons/ubuntu-logo.png" alt="Ubuntu Logo"
2732+ style="width:184px;height:146px;" class="floating_element" />
2733+ <div>
2734+ <span style="margin-top: 1.5em;" class="floating_element">
2735+ Apache2 Default Page
2736+ </span>
2737 </div>
2738- </div>
2739--->
2740- <div class="content_section floating_element">
2741-
2742-
2743- <div class="section_header section_header_red">
2744+ <div class="banner">
2745 <div id="about"></div>
2746 It works!
2747 </div>
2748+
2749+ </div>
2750+ <div class="content_section floating_element">
2751 <div class="content_section_text">
2752 <p>
2753 This is the default welcome page used to test the correct
2754- operation of the Apache2 server after installation on Debian systems.
2755+ operation of the Apache2 server after installation on Ubuntu systems.
2756+ It is based on the equivalent page on Debian, from which the Ubuntu Apache
2757+ packaging is derived.
2758 If you can read this page, it means that the Apache HTTP server installed at
2759 this site is working properly. You should <b>replace this file</b> (located at
2760 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.
2761 </p>
2762
2763-
2764 <p>
2765 If you are a normal user of this web site and don't know what this page is
2766 about, this probably means that the site is currently unavailable due to
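Review bot: The new logo is referenced as src="icons/ubuntu-logo.png", a relative URL, where the removed line used the absolute /icons/openlogo-75.png. A relative path resolves against wherever index.html is served from, so the image stops loading if the page is reached under any path other than the site root; /icons/ubuntu-logo.png would keep the previous behaviour. The inline style attributes on the img and span could also move into the stylesheet block next to div.banner so that all presentation rules stay in one place.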
2767@@ -242,18 +240,17 @@
2768 </div>
2769 <div class="content_section_text">
2770 <p>
2771- Debian's Apache2 default configuration is different from the
2772+ Ubuntu's Apache2 default configuration is different from the
2773 upstream default configuration, and split into several files optimized for
2774- interaction with Debian tools. The configuration system is
2775+ interaction with Ubuntu tools. The configuration system is
2776 <b>fully documented in
2777 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full
2778 documentation. Documentation for the web server itself can be
2779 found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt>
2780 package was installed on this server.
2781-
2782 </p>
2783 <p>
2784- The configuration layout for an Apache2 web server installation on Debian systems is as follows:
2785+ The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:
2786 </p>
2787 <pre>
2788 /etc/apache2/
2789@@ -308,9 +305,12 @@
2790 </li>
2791
2792 <li>
2793- The binary is called apache2. Due to the use of
2794- environment variables, in the default configuration, apache2 needs to be
2795- started/stopped with <tt>/etc/init.d/apache2</tt> or <tt>apache2ctl</tt>.
2796+ The binary is called apache2 and is managed using systemd, so to
2797+ start/stop the service use <tt>systemctl start apache2</tt> and
2798+ <tt>systemctl stop apache2</tt>, and use <tt>systemctl status apache2</tt>
2799+ and <tt>journalctl -u apache2</tt> to check status. <tt>system</tt>
2800+ and <tt>apache2ctl</tt> can also be used for service management if
2801+ desired.
2802 <b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the
2803 default configuration.
2804 </li>
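Review bot: In the added sentence "<tt>system</tt> and <tt>apache2ctl</tt> can also be used for service management", system is not a command name and reads like a typo, probably for service; please confirm and correct it, since administrators will copy commands from this page. The rewrite also drops the clause explaining that the restriction is due to the use of environment variables, so the retained warning about calling /usr/bin/apache2 directly no longer says why it fails; keeping that reason would help.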
2805@@ -324,8 +324,8 @@
2806
2807 <div class="content_section_text">
2808 <p>
2809- By default, Debian does not allow access through the web browser to
2810- <em>any</em> file apart of those located in <tt>/var/www</tt>,
2811+ By default, Ubuntu does not allow access through the web browser to
2812+ <em>any</em> file outside of those located in <tt>/var/www</tt>,
2813 <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
2814 directories (when enabled) and <tt>/usr/share</tt> (for web
2815 applications). If your site is using a web document root
2816@@ -333,9 +333,8 @@
2817 document root directory in <tt>/etc/apache2/apache2.conf</tt>.
2818 </p>
2819 <p>
2820- The default Debian document root is <tt>/var/www/html</tt>. You
2821- can make your own virtual hosts under /var/www. This is different
2822- to previous releases which provides better security out of the box.
2823+ The default Ubuntu document root is <tt>/var/www/html</tt>. You
2824+ can make your own virtual hosts under /var/www.
2825 </p>
2826 </div>
2827
2828@@ -345,24 +344,20 @@
2829 </div>
2830 <div class="content_section_text">
2831 <p>
2832- Please use the <tt>reportbug</tt> tool to report bugs in the
2833- Apache2 package with Debian. However, check <a
2834- href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"
2835+ Please use the <tt>ubuntu-bug</tt> tool to report bugs in the
2836+ Apache2 package with Ubuntu. However, check <a
2837+ href="https://bugs.launchpad.net/ubuntu/+source/apache2"
2838 rel="nofollow">existing bug reports</a> before reporting a new bug.
2839 </p>
2840 <p>
2841 Please report bugs specific to modules (such as PHP and others)
2842- to respective packages, not to the web server itself.
2843+ to their respective packages, not to the web server itself.
2844 </p>
2845 </div>
2846
2847-
2848-
2849-
2850 </div>
2851 </div>
2852 <div class="validator">
2853 </div>
2854 </body>
2855 </html>
2856-
2857diff --git a/debian/source/include-binaries b/debian/source/include-binaries
2858index d617b1d..823d9c0 100644
2859--- a/debian/source/include-binaries
2860+++ b/debian/source/include-binaries
2861@@ -17,6 +17,7 @@ debian/icons/odf6otp-20x22.png
2862 debian/icons/odf6ots-20x22.png
2863 debian/icons/odf6ott-20x22.png
2864 debian/icons/openlogo-75.png
2865+debian/icons/ubuntu-logo.png
2866 debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml
2867 debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php
2868 debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml
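Review bot: debian/icons/ubuntu-logo.png, listed here in include-binaries, arrives as an opaque binary ("Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ"), and this diff shows no debian/copyright change between the debian/control and debian/icons entries. Please state where the image came from and under what licence, and record it in debian/copyright, so that a file which cannot be reviewed by reading the diff has a verifiable origin.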
