Merge ~bryce/ubuntu/+source/apache2:merge-v2.4.59-2-oracular into ubuntu/+source/apache2:debian/sid
Status: | Merged
---|---
Approved by: | git-ubuntu bot
Approved revision: | not available
Merge reported by: | git-ubuntu bot
Merged at revision: | bc488d2eb57f4abdeec73735df5ff2d1806ae1fc
Proposed branch: | ~bryce/ubuntu/+source/apache2:merge-v2.4.59-2-oracular
Merge into: | ubuntu/+source/apache2:debian/sid
Diff against target: | 3212 lines (+2410/-62), 16 files modified

Files modified:
- debian/apache2-bin.install (+1/-0)
- debian/apache2-utils.ufw.profile (+14/-0)
- debian/apache2.dirs (+1/-0)
- debian/apache2.install (+1/-0)
- debian/apache2.postrm (+2/-0)
- debian/apache2.py (+48/-0)
- debian/changelog (+2230/-2)
- debian/config-dir/mods-available/setenvif.conf (+2/-0)
- debian/control (+5/-3)
- debian/debhelper/apache2-maintscript-helper (+4/-0)
- debian/index.html (+52/-57)
- debian/patches/fix-dolphin-to-delete-webdav-dirs.patch (+16/-0)
- debian/patches/series (+1/-0)
- debian/source/include-binaries (+1/-0)
- debian/tests/check-ubuntu-branding (+28/-0)
- debian/tests/control (+4/-0)
Reviewer | Review Type | Date Requested | Status
---|---|---|---
git-ubuntu bot | | | Approve
Andreas Hasenack | | | Approve
Canonical Server packageset reviewers | | | Pending
Canonical Server Reporter | | | Pending
Canonical Server Core Reviewers | | | Pending

Review via email: mp+466357@code.launchpad.net
Commit message
Description of the change
Merge with Debian's package. I've taken this opportunity to do a deep dive review on each piece of delta, annotate it in the git-ubuntu changelog, and tag it according to its forwardability state.
Two bits of the delta looked relevant to Debian but lacked evidence they've been forwarded, so I've done so and updated the tags.
Three CVEs cherrypicked from upstream could be dropped. I've also pulled in the fix for LP: #2045055 that switches a http link in the default index.html page to https, which there is already a Debian PR for.
PPA with test packages: https:/
Usual tags pushed for review:
- tags/old/debian f94de9fba
- tags/new/debian 70cd25ddc
- tags/old/ubuntu 581abf935
- tags/logical/
- tags/reconstruc
- tags/split/
Autopkgtest testing:
$ ppa tests ppa:bryce/
# time pkg release arch ppa trigger
- 10 apache2 oracular amd64 bryce/apache2-
- 10 apache2 oracular s390x bryce/apache2-
- 10 apache2 oracular ppc64el bryce/apache2-
- 10 apache2 oracular i386 bryce/apache2-
Install testing:
$ sudo add-apt-repository -yus ppa:bryce/
$ sudo apt-get install apache2
Andreas Hasenack (ahasenack) wrote:
- debian changes: ok (including the removal of transitional binary packages)
- upstream 2.4.59 changes: ok
- merge: ok
+1
git-ubuntu bot (git-ubuntu-bot) wrote:
Approvers: bryce, ahasenack
Uploaders: bryce, ahasenack
MP auto-approved
Bryce Harrington (bryce) wrote:
Thanks for the review, pushed:
Successfully signed dsc, buildinfo, changes files
Vcs-Git: https:/
Vcs-Git-Commit: bc488d2eb57f4ab
Vcs-Git-Ref: refs/heads/
gpg: ../apache2_
gpg: ../apache2_
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading apache2_
Uploading apache2_
Uploading apache2_
Uploading apache2_
Uploading apache2_
Preview Diff
1 | diff --git a/debian/apache2-bin.install b/debian/apache2-bin.install |
2 | index 63c573f..3d1bdf1 100644 |
3 | --- a/debian/apache2-bin.install |
4 | +++ b/debian/apache2-bin.install |
5 | @@ -1,2 +1,3 @@ |
6 | /usr/lib/apache2/modules/ |
7 | /usr/sbin/apache2 |
8 | +debian/apache2.py usr/share/apport/package-hooks |
9 | diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile |
10 | new file mode 100644 |
11 | index 0000000..974a655 |
12 | --- /dev/null |
13 | +++ b/debian/apache2-utils.ufw.profile |
14 | @@ -0,0 +1,14 @@ |
15 | +[Apache] |
16 | +title=Web Server |
17 | +description=Apache v2 is the next generation of the omnipresent Apache web server. |
18 | +ports=80/tcp |
19 | + |
20 | +[Apache Secure] |
21 | +title=Web Server (HTTPS) |
22 | +description=Apache v2 is the next generation of the omnipresent Apache web server. |
23 | +ports=443/tcp |
24 | + |
25 | +[Apache Full] |
26 | +title=Web Server (HTTP,HTTPS) |
27 | +description=Apache v2 is the next generation of the omnipresent Apache web server. |
28 | +ports=80,443/tcp |
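Review bot: All three sections reuse the same description string, so anything that lists the profiles shows identical text for "Apache", "Apache Secure" and "Apache Full", and only the title hints at which ports a profile opens. Consider making each description state what it allows, for example HTTP on 80/tcp, HTTPS on 443/tcp, and both ports for "Apache Full", so an administrator reviewing firewall rules can tell them apart without reading the ports= lines.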
29 | diff --git a/debian/apache2.dirs b/debian/apache2.dirs |
30 | index 6089013..1aa6d3c 100644 |
31 | --- a/debian/apache2.dirs |
32 | +++ b/debian/apache2.dirs |
33 | @@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk |
34 | var/lib/apache2 |
35 | var/log/apache2 |
36 | var/www/html |
37 | +/etc/ufw/applications.d/apache2 |
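Review bot: The added entry /etc/ufw/applications.d/apache2 is written with a leading slash while the context entries above it (var/lib/apache2, var/log/apache2, var/www/html) are relative, and it declares a directory named apache2 inside applications.d, whereas debian/apache2.install places the profile file directly in /etc/ufw/applications.d/. If the intent is only to guarantee the target directory exists, an entry of etc/ufw/applications.d would follow this file's convention and avoid shipping an empty apache2 directory beside the profile.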
38 | diff --git a/debian/apache2.install b/debian/apache2.install |
39 | index b6ad789..92865fc 100644 |
40 | --- a/debian/apache2.install |
41 | +++ b/debian/apache2.install |
42 | @@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2 |
43 | debian/config-dir/envvars /etc/apache2 |
44 | debian/config-dir/magic /etc/apache2 |
45 | debian/debhelper/apache2-maintscript-helper /usr/share/apache2/ |
46 | +debian/apache2-utils.ufw.profile /etc/ufw/applications.d/ |
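Review bot: The profile is named for apache2-utils but is installed from debian/apache2.install, so the apache2 package ends up owning /etc/ufw/applications.d/apache2-utils.ufw.profile. Renaming the source file to match the package that ships it (and updating this line) would make ownership obvious to anyone auditing which package opened which ports; if the name is kept for upgrade compatibility, a changelog remark saying so would help.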
47 | diff --git a/debian/apache2.postrm b/debian/apache2.postrm |
48 | index a68583c..4a22601 100644 |
49 | --- a/debian/apache2.postrm |
50 | +++ b/debian/apache2.postrm |
51 | @@ -33,6 +33,8 @@ is_default_index_html () { |
52 | 776221a94e5a174dc2396c0f3f6b6a74 |
53 | c481228d439cbb54bdcedbaec5bbb11a |
54 | e2620d4a5a0f8d80dd4b16de59af981f |
55 | + 3526531ccd6c6a1d2340574a305a18f8 |
56 | + 720999b43a3be0674180354ac41f20b1 |
57 | EOF |
58 | } |
59 | |
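Review bot: The two md5 sums added to the is_default_index_html list give no indication of which debian/index.html revision each one matches, and this same merge rewrites debian/index.html (+52/-57). Going by the function name, this list decides whether postrm treats an installed index.html as the untouched default, so please confirm that one of the new sums is the md5 of the index.html in this branch, and record in the changelog which release each added sum belongs to.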
60 | diff --git a/debian/apache2.py b/debian/apache2.py |
61 | new file mode 100644 |
62 | index 0000000..a9fb9d8 |
63 | --- /dev/null |
64 | +++ b/debian/apache2.py |
65 | @@ -0,0 +1,48 @@ |
66 | +#!/usr/bin/python |
67 | + |
68 | +'''apport hook for apache2 |
69 | + |
70 | +(c) 2010 Adam Sommer. |
71 | +Author: Adam Sommer <asommer@ubuntu.com> |
72 | + |
73 | +This program is free software; you can redistribute it and/or modify it |
74 | +under the terms of the GNU General Public License as published by the |
75 | +Free Software Foundation; either version 2 of the License, or (at your |
76 | +option) any later version. See http://www.gnu.org/copyleft/gpl.html for |
77 | +the full text of the license. |
78 | +''' |
79 | + |
80 | +from apport.hookutils import * |
81 | +import os |
82 | + |
83 | +SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/' |
84 | + |
85 | +def add_info(report, ui): |
86 | + if os.path.isdir(SITES_ENABLED_DIR): |
87 | + response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory " |
88 | + "may help developers diagnose your bug more " |
89 | + "quickly. However, it may contain sensitive " |
90 | + "information. Do you want to include it in your " |
91 | + "bug report?") |
92 | + |
93 | + if response == None: # user cancelled |
94 | + raise StopIteration |
95 | + |
96 | + elif response == True: |
97 | + # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d |
98 | + for conf_file in os.listdir(SITES_ENABLED_DIR): |
99 | + attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file) |
100 | + |
101 | + try: |
102 | + report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d')) |
103 | + except OSError: |
104 | + report['Apache2ConfdDirListing'] = str(False) |
105 | + |
106 | + # Attach default config files if changed. |
107 | + attach_conffiles(report, 'apache2', conffiles=None) |
108 | + |
109 | + # Attach the error.log file. |
110 | + attach_file(report, '/var/log/apache2/error.log', key='error.log') |
111 | + |
112 | + # Get loaded modules. |
113 | + report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES']) |
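Review bot: The ui.yesno prompt asks for consent only for the contents of SITES_ENABLED_DIR, but the hook also attaches /var/log/apache2/error.log and any modified conffiles via attach_conffiles, and the prompt text mentions neither. Error logs and changed conffiles can carry client addresses, internal paths and credentials, so either widen the prompt to cover everything that gets attached or make sure those calls sit under the "response == True" branch (the preview has flattened the indentation, so the nesting cannot be confirmed from these lines). Separately, '-D DUMP_MODULES' is passed as a single element of the root_command_output argument list; splitting it into '-D', 'DUMP_MODULES' avoids handing apachectl one argument with an embedded space.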
114 | diff --git a/debian/changelog b/debian/changelog |
115 | index 8ab6c02..31b1ad7 100644 |
116 | --- a/debian/changelog |
117 | +++ b/debian/changelog |
118 | @@ -1,3 +1,45 @@ |
119 | +apache2 (2.4.59-2ubuntu1) oracular; urgency=medium |
120 | + |
121 | + * Merge with Debian unstable (LP: #2064378). Remaining changes: |
122 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, |
123 | + d/source/include-binaries, d/t/check-ubuntu-branding: Replace |
124 | + Debian with Ubuntu on default homepage. |
125 | + (LP #1966004, LP #1947459) |
126 | + - d/apache2.py, d/apache2-bin.install: Add apport hook |
127 | + (LP #609177) |
128 | + - d/control, d/apache2.install, d/apache2-utils.ufw.profile, |
129 | + d/apache2.dirs: Add ufw profiles |
130 | + (LP #261198) |
131 | + - d/control: Upgrade lua build dependency to 5.4 |
132 | + (LP #1910372) |
133 | + - d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add |
134 | + dolphin and Konqueror/5 careful redirection so that directories can be |
135 | + deleted via webdav. |
136 | + (LP #1927742) |
137 | + - d/debhelper/apache2-maintscript-helper: Allow execution when called from a |
138 | + postinst script through a trigger (i.e., postinst triggered). |
139 | + Thanks to Roel van Meer. (Closes: #1060450) |
140 | + (LP #2038912) |
141 | + * Dropped: |
142 | + - d/p/CVE-2023-38709.patch: header validation after |
143 | + content-* are eval'ed in modules/http/http_filters.c. |
144 | + [Included in 2.4.59] |
145 | + - HTTP Response Splitting in multiple modules |
146 | + + d/p/CVE-2024-24795.patch: let httpd handle CL/TE for |
147 | + non-http handlers in include/util_script.h, |
148 | + modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c, |
149 | + modules/generators/mod_cgid.c, modules/http/http_filters.c, |
150 | + modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c, |
151 | + modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c. |
152 | + [Included in 2.4.59] |
153 | + - HTTP/2 DoS by memory exhaustion on endless continuation frames |
154 | + + d/p/CVE-2024-27316.patch: bail after too many failed reads |
155 | + in modules/http2/h2_session.c, modules/http2/h2_stream.c, |
156 | + modules/http2/h2_stream.h. |
157 | + [Included in 2.4.59] |
158 | + |
159 | + -- Bryce Harrington <bryce@canonical.com> Thu, 23 May 2024 13:30:30 -0700 |
160 | + |
161 | apache2 (2.4.59-2) unstable; urgency=medium |
162 | |
163 | * Breaks against fossil due to CVE-2024-24795 follows up |
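Review bot: The 2.4.59-2ubuntu1 entry has no line for the index.html link change: the merge description says the fix for LP: #2045055 (http to https in the default page) was pulled in, but no bullet in "Remaining changes" or elsewhere in this entry mentions it, so the upload as shown carries no reference to that bug. Add a bullet for d/index.html with the LP reference. In the "Dropped" list, the CVE-2023-38709 item also lacks the title line and "+" sub-bullet used by the CVE-2024-24795 and CVE-2024-27316 items; giving it the same shape ("HTTP response splitting" followed by "+ d/p/CVE-2023-38709.patch: ...") keeps the three consistent.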
164 | @@ -21,6 +63,93 @@ apache2 (2.4.59-1) unstable; urgency=medium |
165 | |
166 | -- Yadd <yadd@debian.org> Fri, 05 Apr 2024 08:08:11 +0400 |
167 | |
168 | +apache2 (2.4.58-1ubuntu8.1) noble-security; urgency=medium |
169 | + |
170 | + * SECURITY UPDATE: HTTP response splitting |
171 | + - debian/patches/CVE-2023-38709.patch: header validation after |
172 | + content-* are eval'ed in modules/http/http_filters.c. |
173 | + - CVE-2023-38709 |
174 | + * SECURITY UPDATE: HTTP Response Splitting in multiple modules |
175 | + - debian/patches/CVE-2024-24795.patch: let httpd handle CL/TE for |
176 | + non-http handlers in include/util_script.h, |
177 | + modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c, |
178 | + modules/generators/mod_cgid.c, modules/http/http_filters.c, |
179 | + modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c, |
180 | + modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c. |
181 | + - CVE-2024-24795 |
182 | + * SECURITY UPDATE: HTTP/2 DoS by memory exhaustion on endless |
183 | + continuation frames |
184 | + - debian/patches/CVE-2024-27316.patch: bail after too many failed reads |
185 | + in modules/http2/h2_session.c, modules/http2/h2_stream.c, |
186 | + modules/http2/h2_stream.h. |
187 | + - CVE-2024-27316 |
188 | + |
189 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Apr 2024 11:13:41 -0400 |
190 | + |
191 | +apache2 (2.4.58-1ubuntu8) noble; urgency=medium |
192 | + |
193 | + * No-change rebuild against libapr1t64 |
194 | + |
195 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 07 Apr 2024 07:02:29 +0000 |
196 | + |
197 | +apache2 (2.4.58-1ubuntu7) noble; urgency=medium |
198 | + |
199 | + * No-change rebuild for CVE-2024-3094 |
200 | + |
201 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 31 Mar 2024 08:37:28 +0000 |
202 | + |
203 | +apache2 (2.4.58-1ubuntu6) noble; urgency=medium |
204 | + |
205 | + * d/debhelper/apache2-maintscript-helper: Allow execution when called from a |
206 | + postinst script through a trigger (i.e., postinst triggered). |
207 | + Thanks to Roel van Meer. (LP: #2038912) (Closes: #1060450) |
208 | + |
209 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 18 Mar 2024 09:35:36 -0300 |
210 | + |
211 | +apache2 (2.4.58-1ubuntu5) noble; urgency=medium |
212 | + |
213 | + * No-change rebuild against libcurl4t64 |
214 | + |
215 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 16 Mar 2024 06:05:04 +0000 |
216 | + |
217 | +apache2 (2.4.58-1ubuntu4) noble; urgency=medium |
218 | + |
219 | + * No-change rebuild against libaprutil1t64 |
220 | + |
221 | + -- Zixing Liu <zixing.liu@canonical.com> Sat, 09 Mar 2024 23:05:43 -0700 |
222 | + |
223 | +apache2 (2.4.58-1ubuntu3) noble; urgency=medium |
224 | + |
225 | + * No-change rebuild against libssl3t64 |
226 | + |
227 | + -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Mar 2024 17:21:46 +0000 |
228 | + |
229 | +apache2 (2.4.58-1ubuntu2) noble; urgency=medium |
230 | + |
231 | + * d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add |
232 | + dolphin and Konqueror/5 careful redirection so that directories can be |
233 | + deleted via webdav. |
234 | + (LP: #1927742) |
235 | + |
236 | + -- Bryce Harrington <bryce@canonical.com> Wed, 24 Jan 2024 14:00:03 -0800 |
237 | + |
238 | +apache2 (2.4.58-1ubuntu1) noble; urgency=medium |
239 | + |
240 | + * Merge with Debian unstable (LP: #2040357). Remaining changes: |
241 | + |
242 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, |
243 | + d/source/include-binaries, d/t/check-ubuntu-branding: Replace |
244 | + Debian with Ubuntu on default homepage. |
245 | + (LP #1966004, LP #1947459) |
246 | + - d/apache2.py, d/apache2-bin.install: Add apport hook |
247 | + (LP #609177) |
248 | + - d/control, d/apache2.install, d/apache2-utils.ufw.profile, |
249 | + d/apache2.dirs: Add ufw profiles |
250 | + (LP #261198) |
251 | + - d/control: Upgrade lua build dependency to 5.4 |
252 | + |
253 | + -- Bryce Harrington <bryce@canonical.com> Thu, 14 Dec 2023 23:52:39 -0800 |
254 | + |
255 | apache2 (2.4.58-1) unstable; urgency=medium |
256 | |
257 | [ Bas Couwenberg ] |
258 | @@ -41,6 +170,35 @@ apache2 (2.4.57-3) unstable; urgency=medium |
259 | |
260 | -- Yadd <yadd@debian.org> Tue, 29 Aug 2023 11:39:32 +0400 |
261 | |
262 | +apache2 (2.4.57-2ubuntu3) noble; urgency=medium |
263 | + |
264 | + * d/icons/ubuntu-logo.png: add Ubuntu image for welcome page (LP: #1947459). |
265 | + * d/t/check-ubuntu-branding: add check for ubuntu branding. |
266 | + |
267 | + -- Mitchell Dzurick <mitchell.dzurick@canonical.com> Mon, 13 Nov 2023 10:49:48 -0700 |
268 | + |
269 | +apache2 (2.4.57-2ubuntu2) mantic; urgency=medium |
270 | + |
271 | + * d/control: Upgrade lua build dependency to 5.4 |
272 | + |
273 | + -- Lena Voytek <lena.voytek@canonical.com> Fri, 21 Jul 2023 14:17:42 -0700 |
274 | + |
275 | +apache2 (2.4.57-2ubuntu1) mantic; urgency=medium |
276 | + |
277 | + * Merge from Debian unstable. Remaining changes: |
278 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, |
279 | + d/source/include-binaries: Replace Debian with Ubuntu on default |
280 | + homepage. |
281 | + - d/apache2.py, d/apache2-bin.install: Add apport hook |
282 | + - d/control, d/apache2.install, d/apache2-utils.ufw.profile, |
283 | + d/apache2.dirs: Add ufw profiles |
284 | + * Dropped changes included in new version: |
285 | + - debian/patches/CVE-2023-25690-1.patch |
286 | + - debian/patches/CVE-2023-25690-2.patch |
287 | + - debian/patches/CVE-2023-27522.patch |
288 | + |
289 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Jun 2023 14:02:48 -0400 |
290 | + |
291 | apache2 (2.4.57-2) unstable; urgency=medium |
292 | |
293 | * Revert debian/* changes (Bookworm freeze) |
294 | @@ -68,6 +226,36 @@ apache2 (2.4.56-1) unstable; urgency=medium |
295 | |
296 | -- Yadd <yadd@debian.org> Wed, 08 Mar 2023 06:44:05 +0400 |
297 | |
298 | +apache2 (2.4.55-1ubuntu2) lunar; urgency=medium |
299 | + |
300 | + * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy |
301 | + - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query |
302 | + strings in modules/http2/mod_proxy_http2.c, |
303 | + modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, |
304 | + modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, |
305 | + modules/proxy/mod_proxy_wstunnel.c. |
306 | + - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in |
307 | + modules/http2/mod_proxy_http2.c. |
308 | + - CVE-2023-25690 |
309 | + * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting |
310 | + - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response |
311 | + parsing/validation in modules/proxy/mod_proxy_uwsgi.c. |
312 | + - CVE-2023-27522 |
313 | + |
314 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 08 Mar 2023 11:32:34 -0500 |
315 | + |
316 | +apache2 (2.4.55-1ubuntu1) lunar; urgency=low |
317 | + |
318 | + * Merge from Debian unstable. Remaining changes: |
319 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, |
320 | + d/source/include-binaries: Replace Debian with Ubuntu on default |
321 | + homepage. |
322 | + - d/apache2.py, d/apache2-bin.install: Add apport hook |
323 | + - d/control, d/apache2.install, d/apache2-utils.ufw.profile, |
324 | + d/apache2.dirs: Add ufw profiles |
325 | + |
326 | + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 24 Jan 2023 13:31:02 -0800 |
327 | + |
328 | apache2 (2.4.55-1) unstable; urgency=medium |
329 | |
330 | [ Hendrik Jäger ] |
331 | @@ -121,6 +309,27 @@ apache2 (2.4.54-4) unstable; urgency=medium |
332 | |
333 | -- Yadd <yadd@debian.org> Thu, 24 Nov 2022 10:45:00 +0100 |
334 | |
335 | +apache2 (2.4.54-3ubuntu2) lunar; urgency=medium |
336 | + |
337 | + * No-change rebuild against libldap-2 |
338 | + |
339 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 15 Dec 2022 19:42:31 +0000 |
340 | + |
341 | +apache2 (2.4.54-3ubuntu1) lunar; urgency=medium |
342 | + |
343 | + * Merge with Debian unstable (LP: #1993373). Remaining changes: |
344 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, |
345 | + d/source/include-binaries: Replace Debian with Ubuntu on default |
346 | + homepage. |
347 | + (LP #1966004) |
348 | + - d/apache2.py, d/apache2-bin.install: Add apport hook |
349 | + (LP #609177) |
350 | + - d/control, d/apache2.install, d/apache2-utils.ufw.profile, |
351 | + d/apache2.dirs: Add ufw profiles |
352 | + (LP #261198) |
353 | + |
354 | + -- Bryce Harrington <bryce@canonical.com> Wed, 16 Nov 2022 16:44:44 -0800 |
355 | + |
356 | apache2 (2.4.54-3) unstable; urgency=medium |
357 | |
358 | [ Hendrik Jäger ] |
359 | @@ -129,6 +338,21 @@ apache2 (2.4.54-3) unstable; urgency=medium |
360 | |
361 | -- Yadd <yadd@debian.org> Wed, 12 Oct 2022 09:20:52 +0200 |
362 | |
363 | +apache2 (2.4.54-2ubuntu1) kinetic; urgency=medium |
364 | + |
365 | + * Merge with Debian unstable (LP: #1982048). Remaining changes: |
366 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, |
367 | + d/source/include-binaries: Replace Debian with Ubuntu on default |
368 | + homepage. |
369 | + (LP #1966004) |
370 | + - d/apache2.py, d/apache2-bin.install: Add apport hook |
371 | + (LP #609177) |
372 | + - d/control, d/apache2.install, d/apache2-utils.ufw.profile, |
373 | + d/apache2.dirs: Add ufw profiles |
374 | + (LP #261198) |
375 | + |
376 | + -- Bryce Harrington <bryce@canonical.com> Thu, 21 Jul 2022 19:38:00 +0000 |
377 | + |
378 | apache2 (2.4.54-2) unstable; urgency=medium |
379 | |
380 | * Move cgid socket into a writeable directory (Closes: #1014056) |
381 | @@ -155,6 +379,48 @@ apache2 (2.4.54-1) unstable; urgency=medium |
382 | |
383 | -- Yadd <yadd@debian.org> Thu, 09 Jun 2022 06:33:53 +0200 |
384 | |
385 | +apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium |
386 | + |
387 | + * Merge with Debian unstable (LP: #1971248). Remaining changes: |
388 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
389 | + apache2.dirs}: Add ufw profiles. |
390 | + (LP 261198) |
391 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
392 | + (LP 609177) |
393 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, |
394 | + d/s/include-binaries: replace Debian with Ubuntu on default |
395 | + page and add Ubuntu icon file. |
396 | + (LP 1288690) |
397 | + - d/index.html, d/icons/ubuntu-logo.png: Refresh page design and |
398 | + new logo |
399 | + (LP 1966004) |
400 | + - d/apache2.postrm: Include md5 sum for updated index.html |
401 | + * Dropped: |
402 | + - OOB read in mod_lua via crafted request body |
403 | + + d/p/CVE-2022-22719.patch: error out if lua_read_body() or |
404 | + lua_write_body() fail in modules/lua/lua_request.c. |
405 | + [Fixed in 2.4.53 upstream] |
406 | + - HTTP Request Smuggling via error discarding the |
407 | + request body |
408 | + + d/p/CVE-2022-22720.patch: simpler connection close logic |
409 | + if discarding the request body fails in modules/http/http_filters.c, |
410 | + server/protocol.c. |
411 | + [Fixed in 2.4.53 upstream] |
412 | + - overflow via large LimitXMLRequestBody |
413 | + + d/p/CVE-2022-22721.patch: make sure and check that |
414 | + LimitXMLRequestBody fits in system memory in server/core.c, |
415 | + server/util.c, server/util_xml.c. |
416 | + [Fixed in 2.4.53 upstream] |
417 | + - out-of-bounds write in mod_sed |
418 | + + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger |
419 | + buffer sizes and unsigned arithmetics in modules/filters/libsed.h, |
420 | + modules/filters/mod_sed.c, modules/filters/sed1.c. |
421 | + + d/p/CVE-2022-23943-2.patch: improve the logic flow in |
422 | + modules/filters/mod_sed.c. |
423 | + [Fixed in 2.4.53 upstream] |
424 | + |
425 | + -- Bryce Harrington <bryce@canonical.com> Mon, 23 May 2022 19:34:18 -0700 |
426 | + |
427 | apache2 (2.4.53-2) unstable; urgency=medium |
428 | |
429 | * Clean useless Conflicts/Replace |
430 | @@ -190,6 +456,79 @@ apache2 (2.4.52-2) experimental; urgency=medium |
431 | |
432 | -- Yadd <yadd@debian.org> Tue, 28 Dec 2021 20:01:43 +0100 |
433 | |
434 | +apache2 (2.4.52-1ubuntu4) jammy; urgency=medium |
435 | + |
436 | + * d/apache2.postrm: Include md5 sum for updated index.html |
437 | + |
438 | + -- Bryce Harrington <bryce@canonical.com> Thu, 24 Mar 2022 17:35:40 -0700 |
439 | + |
440 | +apache2 (2.4.52-1ubuntu3) jammy; urgency=medium |
441 | + |
442 | + * d/index.html: |
443 | + - Redesign page's heading for the new logo |
444 | + - Use the Ubuntu font where available |
445 | + - Update service management directions |
446 | + - Copyedit grammar |
447 | + - Light reformatting and whitespace cleanup |
448 | + * d/icons/ubuntu-logo.png: Refresh ubuntu logo |
449 | + (LP: #1966004) |
450 | + |
451 | + -- Bryce Harrington <bryce@canonical.com> Wed, 23 Mar 2022 16:18:11 -0700 |
452 | + |
453 | +apache2 (2.4.52-1ubuntu2) jammy; urgency=medium |
454 | + |
455 | + * SECURITY UPDATE: OOB read in mod_lua via crafted request body |
456 | + - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or |
457 | + lua_write_body() fail in modules/lua/lua_request.c. |
458 | + - CVE-2022-22719 |
459 | + * SECURITY UPDATE: HTTP Request Smuggling via error discarding the |
460 | + request body |
461 | + - debian/patches/CVE-2022-22720.patch: simpler connection close logic |
462 | + if discarding the request body fails in modules/http/http_filters.c, |
463 | + server/protocol.c. |
464 | + - CVE-2022-22720 |
465 | + * SECURITY UPDATE: overflow via large LimitXMLRequestBody |
466 | + - debian/patches/CVE-2022-22721.patch: make sure and check that |
467 | + LimitXMLRequestBody fits in system memory in server/core.c, |
468 | + server/util.c, server/util_xml.c. |
469 | + - CVE-2022-22721 |
470 | + * SECURITY UPDATE: out-of-bounds write in mod_sed |
471 | + - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger |
472 | + buffer sizes and unsigned arithmetics in modules/filters/libsed.h, |
473 | + modules/filters/mod_sed.c, modules/filters/sed1.c. |
474 | + - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in |
475 | + modules/filters/mod_sed.c. |
476 | + - CVE-2022-23943 |
477 | + |
478 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Mar 2022 09:39:54 -0400 |
479 | + |
480 | +apache2 (2.4.52-1ubuntu1) jammy; urgency=medium |
481 | + |
482 | + * Merge with Debian unstable (LP: #1959924). Remaining changes: |
483 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
484 | + apache2.dirs}: Add ufw profiles. |
485 | + (LP 261198) |
486 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
487 | + (LP 609177) |
488 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, |
489 | + d/s/include-binaries: replace Debian with Ubuntu on default |
490 | + page and add Ubuntu icon file. |
491 | + (LP 1288690) |
492 | + * Dropped: |
493 | + - d/p/support-openssl3-*.patch: Backport various patches from |
494 | + https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's |
495 | + failure to load when using OpenSSL 3. |
496 | + (LP #1951476) |
497 | + [Included in upstream release 2.4.52] |
498 | + - d/apache2ctl: Also use systemd for graceful if it is in use. |
499 | + (LP 1832182) |
500 | + [This introduced a performance regression.] |
501 | + - d/apache2ctl: Also use /run/systemd to check for systemd usage. |
502 | + (LP 1918209) |
503 | + [Not needed] |
504 | + |
505 | + -- Bryce Harrington <bryce@canonical.com> Thu, 03 Feb 2022 10:25:47 -0800 |
506 | + |
507 | apache2 (2.4.52-1) unstable; urgency=medium |
508 | |
509 | * Refresh suexec-custom.patch |
510 | @@ -200,6 +539,60 @@ apache2 (2.4.52-1) unstable; urgency=medium |
511 | |
512 | -- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +0100 |
513 | |
514 | +apache2 (2.4.51-2ubuntu1) jammy; urgency=medium |
515 | + |
516 | + * Merge with Debian unstable. Remaining changes: |
517 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
518 | + apache2.dirs}: Add ufw profiles. |
519 | + (LP 261198) |
520 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
521 | + (LP 609177) |
522 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, |
523 | + d/s/include-binaries: replace Debian with Ubuntu on default |
524 | + page and add Ubuntu icon file. |
525 | + (LP 1288690) |
526 | + - d/p/support-openssl3-*.patch: Backport various patches from |
527 | + https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's |
528 | + failure to load when using OpenSSL 3. |
529 | + (LP #1951476) |
530 | + * Dropped: |
531 | + - d/apache2ctl: Also use systemd for graceful if it is in use. |
532 | + (LP: 1832182) |
533 | + [This introduced a performance regression.] |
534 | + - d/apache2ctl: Also use /run/systemd to check for systemd usage. |
535 | + (LP 1918209) |
536 | + [Not needed] |
537 | + - debian/patches/CVE-2021-33193.patch: refactor request parsing in |
538 | + include/ap_mmn.h, include/http_core.h, include/http_protocol.h, |
539 | + include/http_vhost.h, modules/http2/h2_request.c, server/core.c, |
540 | + server/core_filters.c, server/protocol.c, server/vhost.c. |
541 | + [Fixed in 2.4.48-4] |
542 | + - debian/patches/CVE-2021-34798.patch: add NULL check in |
543 | + server/scoreboard.c. |
544 | + [Fixed in 2.4.49-1] |
545 | + - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for |
546 | + generic worker in modules/proxy/mod_proxy_uwsgi.c. |
547 | + [Fixed in 2.4.49-1] |
548 | + - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes |
549 | + substitution logic in server/util.c. |
550 | + [Fixed in 2.4.49-1] |
551 | + - arbitrary origin server via crafted request uri-path |
552 | + + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path |
553 | + parsing in the "proxy:" URL in modules/proxy/mod_proxy.c, |
554 | + modules/proxy/proxy_util.c. |
555 | + + debian/patches/CVE-2021-40438.patch: add sanity checks on the |
556 | + configured UDS path in modules/proxy/proxy_util.c. |
557 | + [Fixed in 2.4.49-3] |
558 | + - SECURITY REGRESSION: Issues in UDS URIs. (LP #1945311) |
559 | + + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P |
560 | + rules in modules/mappers/mod_rewrite.c. |
561 | + + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty |
562 | + hostname in modules/mappers/mod_rewrite.c, |
563 | + modules/proxy/proxy_util.c. |
564 | + [Fixed in 2.4.49-3] |
565 | + |
566 | + -- Bryce Harrington <bryce@canonical.com> Thu, 16 Dec 2021 14:09:26 -0800 |
567 | + |
568 | apache2 (2.4.51-2) unstable; urgency=medium |
569 | |
570 | * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting |
571 | @@ -265,6 +658,74 @@ apache2 (2.4.48-4) unstable; urgency=medium |
572 | |
573 | -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200 |
574 | |
575 | +apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium |
576 | + |
577 | + * d/p/support-openssl3-*.patch: Backport various patches from |
578 | + https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's |
579 | + failure to load when using OpenSSL 3. (LP: #1951476) |
580 | + |
581 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 26 Nov 2021 16:07:56 -0500 |
582 | + |
583 | +apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium |
584 | + |
585 | + * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311) |
586 | + - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P |
587 | + rules in modules/mappers/mod_rewrite.c. |
588 | + - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty |
589 | + hostname in modules/mappers/mod_rewrite.c, |
590 | + modules/proxy/proxy_util.c. |
591 | + |
592 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Sep 2021 08:52:26 -0400 |
593 | + |
594 | +apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium |
595 | + |
596 | + * SECURITY UPDATE: request splitting over HTTP/2 |
597 | + - debian/patches/CVE-2021-33193.patch: refactor request parsing in |
598 | + include/ap_mmn.h, include/http_core.h, include/http_protocol.h, |
599 | + include/http_vhost.h, modules/http2/h2_request.c, server/core.c, |
600 | + server/core_filters.c, server/protocol.c, server/vhost.c. |
601 | + - CVE-2021-33193 |
602 | + * SECURITY UPDATE: NULL deref via malformed requests |
603 | + - debian/patches/CVE-2021-34798.patch: add NULL check in |
604 | + server/scoreboard.c. |
605 | + - CVE-2021-34798 |
606 | + * SECURITY UPDATE: DoS in mod_proxy_uwsgi |
607 | + - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for |
608 | + generic worker in modules/proxy/mod_proxy_uwsgi.c. |
609 | + - CVE-2021-36160 |
610 | + * SECURITY UPDATE: buffer overflow in ap_escape_quotes |
611 | + - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes |
612 | + substitution logic in server/util.c. |
613 | + - CVE-2021-39275 |
614 | + * SECURITY UPDATE: arbitrary origin server via crafted request uri-path |
615 | + - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path |
616 | + parsing in the "proxy:" URL in modules/proxy/mod_proxy.c, |
617 | + modules/proxy/proxy_util.c. |
618 | + - debian/patches/CVE-2021-40438.patch: add sanity checks on the |
619 | + configured UDS path in modules/proxy/proxy_util.c. |
620 | + - CVE-2021-40438 |
621 | + |
622 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Sep 2021 12:51:16 -0400 |
623 | + |
624 | +apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium |
625 | + |
626 | + * Merge with Debian unstable. Remaining changes: |
627 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
628 | + apache2.dirs}: Add ufw profiles. (LP 261198) |
629 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
630 | + (LP 609177) |
631 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, |
632 | + d/s/include-binaries: replace Debian with Ubuntu on default |
633 | + page and add Ubuntu icon file. (LP 1288690) |
634 | + - d/apache2ctl: Also use systemd for graceful if it is in use. |
635 | + This extends an earlier fix for the start command to behave |
636 | + similarly for restart / graceful. Fixes service failures on |
637 | + unattended upgrade. (LP 1832182) |
638 | + - d/apache2ctl: Also use /run/systemd to check for systemd usage |
639 | + (LP 1918209) |
640 | + |
641 | + -- Bryce Harrington <bryce@canonical.com> Wed, 11 Aug 2021 20:03:24 -0700 |
642 | + |
643 | apache2 (2.4.48-3.1) unstable; urgency=medium |
644 | |
645 | * Non-maintainer upload. |
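Review bot: The CVE-2021-40438 item in 2.4.48-3.1ubuntu2 lists a prerequisite, CVE-2021-40438-pre1.patch, described only as "faster unix socket path parsing", which reads as a performance change rather than part of a security fix. The entry should say why the fix depends on it (for example, that the sanity checks in CVE-2021-40438.patch apply on top of the reworked parser), so a later merge does not drop or reorder the two patches independently.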
646 | @@ -273,6 +734,46 @@ apache2 (2.4.48-3.1) unstable; urgency=medium |
647 | |
648 | -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200 |
649 | |
650 | +apache2 (2.4.48-3ubuntu1) impish; urgency=medium |
651 | + |
652 | + * Merge with Debian unstable. Remaining changes: |
653 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
654 | + apache2.dirs}: Add ufw profiles. (LP: 261198) |
655 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
656 | + (LP: 609177) |
657 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, |
658 | + d/s/include-binaries: replace Debian with Ubuntu on default |
659 | + page and add Ubuntu icon file. (LP: 1288690) |
660 | + - d/apache2ctl: Also use systemd for graceful if it is in use. |
661 | + This extends an earlier fix for the start command to behave |
662 | + similarly for restart / graceful. Fixes service failures on |
663 | + unattended upgrade. (LP: 1832182) |
664 | + - d/apache2ctl: Also use /run/systemd to check for systemd usage |
665 | + (LP: 1918209) |
666 | + * Dropped: |
667 | + - d/t/control, d/t/check-http2: add basic test for http2 support |
668 | + [Fixed in 2.4.48-2] |
669 | + - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing |
670 | + [Fixed in 2.4.48-1] |
671 | + - d/p/CVE-2020-13950.patch: don't dereference NULL proxy |
672 | + connection in modules/proxy/mod_proxy_http.c. |
673 | + [Fixed in 2.4.48 upstream] |
674 | + - d/p/CVE-2020-35452.patch: fast validation of the nonce's |
675 | + base64 to fail early if the format can't match anyway in |
676 | + modules/aaa/mod_auth_digest.c. |
677 | + [Fixed in 2.4.48 upstream] |
678 | + - d/p/CVE-2021-26690.patch: save one apr_strtok() in |
679 | + session_identity_decode() in modules/session/mod_session.c. |
680 | + [Fixed in 2.4.48 upstream] |
681 | + - d/p/CVE-2021-26691.patch: account for the '&' in |
682 | + identity_concat() in modules/session/mod_session.c. |
683 | + [Fixed in 2.4.48 upstream] |
684 | + - d/p/CVE-2021-30641.patch: change default behavior in |
685 | + server/request.c. |
686 | + [Fixed in 2.4.48 upstream] |
687 | + |
688 | + -- Bryce Harrington <bryce@canonical.com> Thu, 08 Jul 2021 03:20:46 +0000 |
689 | + |
690 | apache2 (2.4.48-3) unstable; urgency=medium |
691 | |
692 | * Fix debian/changelog |
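Review bot: The bug references under "Remaining changes" in 2.4.48-3ubuntu1 are written "(LP: 261198)", "(LP: 609177)" and so on without the "#", and the 2.4.48-3.1ubuntu1 entry above drops the colon as well ("(LP 261198)"), while 2.4.46-4ubuntu1 uses "(LP: #1910372)". If the markers were altered on purpose so that these bugs are not picked up again on upload, use one form for every carried item; otherwise restore "LP: #NNNNNN" so the references stay consistent and searchable.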
693 | @@ -329,6 +830,65 @@ apache2 (2.4.46-5) unstable; urgency=medium |
694 | |
695 | -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200 |
696 | |
697 | +apache2 (2.4.46-4ubuntu3) impish; urgency=medium |
698 | + |
699 | + * No-change rebuild due to OpenLDAP soname bump. |
700 | + |
701 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 17:43:48 -0400 |
702 | + |
703 | +apache2 (2.4.46-4ubuntu2) impish; urgency=medium |
704 | + |
705 | + * SECURITY UPDATE: mod_proxy_http denial of service. |
706 | + - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy |
707 | + connection in modules/proxy/mod_proxy_http.c. |
708 | + - CVE-2020-13950 |
709 | + * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest |
710 | + - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's |
711 | + base64 to fail early if the format can't match anyway in |
712 | + modules/aaa/mod_auth_digest.c. |
713 | + - CVE-2020-35452 |
714 | + * SECURITY UPDATE: DoS via cookie header in mod_session |
715 | + - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in |
716 | + session_identity_decode() in modules/session/mod_session.c. |
717 | + - CVE-2021-26690 |
718 | + * SECURITY UPDATE: heap overflow via SessionHeader |
719 | + - debian/patches/CVE-2021-26691.patch: account for the '&' in |
720 | + identity_concat() in modules/session/mod_session.c. |
721 | + - CVE-2021-26691 |
722 | + * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF' |
723 | + - debian/patches/CVE-2021-30641.patch: change default behavior in |
724 | + server/request.c. |
725 | + - CVE-2021-30641 |
726 | + |
727 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Jun 2021 13:09:41 -0400 |
728 | + |
729 | +apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium |
730 | + |
731 | + * Merge with Debian unstable, to allow moving from lua5.2 to |
732 | + lua5.3 (LP: #1910372). Remaining changes: |
733 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
734 | + apache2.dirs}: Add ufw profiles. |
735 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
736 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
737 | + Debian with Ubuntu on default page. |
738 | + + d/source/include-binaries: add Ubuntu icon file |
739 | + - d/t/control, d/t/check-http2: add basic test for http2 support |
740 | + - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing |
741 | + issue reading error log too quickly after request, by adding a sleep. |
742 | + (LP #1890302) |
743 | + - d/apache2ctl: Also use systemd for graceful if it is in use. |
744 | + This extends an earlier fix for the start command to behave |
745 | + similarly for restart / graceful. Fixes service failures on |
746 | + unattended upgrade. |
747 | + * Drop: |
748 | + - d/perl-framework/t/modules/allowmethods.t: disable reset test. This |
749 | + was re-added by mistake in 2.4.41-1 (Closes #921024) |
750 | + [Included in Debian 2.4.46-3] |
751 | + * d/apache2ctl: Also use /run/systemd to check for systemd usage |
752 | + (LP: #1918209) |
753 | + |
754 | + -- Bryce Harrington <bryce@canonical.com> Tue, 09 Mar 2021 00:45:35 +0000 |
755 | + |
756 | apache2 (2.4.46-4) unstable; urgency=medium |
757 | |
758 | * Ignore other random another test failures (Closes: #979664) |
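Review bot: The CVE-2021-30641 item in 2.4.46-4ubuntu2 says only "change default behavior in server/request.c" and never states which default changed or to what. Since the heading ties the issue to 'MergeSlashes OFF', an administrator reading this entry cannot tell whether existing match rules need re-checking after the upgrade; name the affected setting and its new default in the entry.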
759 | @@ -346,6 +906,28 @@ apache2 (2.4.46-3) unstable; urgency=medium |
760 | |
761 | -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100 |
762 | |
763 | +apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium |
764 | + |
765 | + * Merge with Debian unstable. Remaining changes: |
766 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
767 | + apache2.dirs}: Add ufw profiles. |
768 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
769 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
770 | + Debian with Ubuntu on default page. |
771 | + + d/source/include-binaries: add Ubuntu icon file |
772 | + - d/t/control, d/t/check-http2: add basic test for http2 support |
773 | + - d/perl-framework/t/modules/allowmethods.t: disable reset test. This |
774 | + was re-added by mistake in 2.4.41-1 (Closes #921024) |
775 | + - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing |
776 | + issue reading error log too quickly after request, by adding a sleep. |
777 | + (LP #1890302) |
778 | + - d/apache2ctl: Also use systemd for graceful if it is in use. |
779 | + This extends an earlier fix for the start command to behave |
780 | + similarly for restart / graceful. Fixes service failures on |
781 | + unattended upgrade. |
782 | + |
783 | + -- Paride Legovini <paride.legovini@canonical.com> Mon, 14 Dec 2020 18:12:15 +0100 |
784 | + |
785 | apache2 (2.4.46-2) unstable; urgency=medium |
786 | |
787 | [ Jean-Michel Vourgère ] |
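Review bot: The carried d/p/t/apache/expr_string.t change in 2.4.46-2ubuntu1 avoids the failure "by adding a sleep", which narrows the race between the request and the error-log read instead of removing it, so the test can still fail on a slow or loaded builder. Consider having the test wait until the expected log line appears (with a timeout), and note in the entry whether this has been forwarded, since the only reference given is "(LP #1890302)".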
788 | @@ -367,6 +949,39 @@ apache2 (2.4.46-2) unstable; urgency=medium |
789 | |
790 | -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100 |
791 | |
792 | +apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium |
793 | + |
794 | + * d/apache2ctl: Also use systemd for graceful if it is in use. |
795 | + (LP: #1832182) |
796 | + - This extends an earlier fix for the start command to behave |
797 | + similarly for restart / graceful. Fixes service failures on |
798 | + unattended upgrade. |
799 | + |
800 | + -- Bryce Harrington <bryce@canonical.com> Mon, 05 Oct 2020 16:06:32 -0700 |
801 | + |
802 | +apache2 (2.4.46-1ubuntu1) groovy; urgency=medium |
803 | + |
804 | + * Merge with Debian unstable. Remaining changes: |
805 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
806 | + apache2.dirs}: Add ufw profiles. |
807 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
808 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
809 | + Debian with Ubuntu on default page. |
810 | + + d/source/include-binaries: add Ubuntu icon file |
811 | + - d/t/control, d/t/check-http2: add basic test for http2 support |
812 | + - d/perl-framework/t/modules/allowmethods.t: disable reset test. This |
813 | + was re-added by mistake in 2.4.41-1 (Closes #921024) |
814 | + - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing |
815 | + issue reading error log too quickly after request, by adding a sleep. |
816 | + (LP #1890302) |
817 | + * Dropped: |
818 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
819 | + fixes from upstream |
820 | + [Unclear if it's still necessary, and upstream hasn't made a |
821 | + release with it yet] |
822 | + |
823 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Aug 2020 09:13:38 -0300 |
824 | + |
825 | apache2 (2.4.46-1) unstable; urgency=medium |
826 | |
827 | [ Xavier Guimard ] |
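Review bot: The "Dropped" item for debian/patches/086_svn_cross_compiles in 2.4.46-1ubuntu1 gives as its reason "[Unclear if it's still necessary, and upstream hasn't made a release with it yet]", which means the backported cross fixes were removed while not yet in any upstream release and without a stated check. The entry should record what was verified (for example a cross build without the patch) or point to a bug tracking the question, so a regression can be traced back to this drop.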
828 | @@ -383,6 +998,39 @@ apache2 (2.4.46-1) unstable; urgency=medium |
829 | |
830 | -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200 |
831 | |
832 | +apache2 (2.4.43-1ubuntu2) groovy; urgency=medium |
833 | + |
834 | + * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing |
835 | + issue reading error log too quickly after request, by adding a sleep. |
836 | + (LP: #1890302) |
837 | + |
838 | + -- Bryce Harrington <bryce@canonical.com> Wed, 05 Aug 2020 12:44:59 -0700 |
839 | + |
840 | +apache2 (2.4.43-1ubuntu1) groovy; urgency=medium |
841 | + |
842 | + * Merge with Debian unstable. Remaining changes: |
843 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
844 | + apache2.dirs}: Add ufw profiles. |
845 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
846 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
847 | + fixes from upstream |
848 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
849 | + Debian with Ubuntu on default page. |
850 | + + d/source/include-binaries: add Ubuntu icon file |
851 | + - d/t/control, d/t/check-http2: add basic test for http2 support |
852 | + - d/perl-framework/t/modules/allowmethods.t: disable reset test. This |
853 | + was re-added by mistake in 2.4.41-1 (Closes #921024) |
854 | + * Dropped: |
855 | + - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret" |
856 | + parameter to mod_proxy_ajp (LP #1865340) |
857 | + [Fixed upstream] |
858 | + - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff: |
859 | + mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests. |
860 | + Closes #955348, LP #1872478 |
861 | + [In 2.4.43-1] |
862 | + |
863 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 21 Jul 2020 10:22:42 -0300 |
864 | + |
865 | apache2 (2.4.43-1) unstable; urgency=medium |
866 | |
867 | [ Timo Aaltonen ] |
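Review bot: In the "Dropped" list of 2.4.43-1ubuntu1, the mod_proxy_ajp "secret" parameter patches are marked only "[Fixed upstream]" with no version, while the TLS 1.3 patches directly below carry "[In 2.4.43-1]". Give the upstream or Debian version that first contains the "secret" parameter so a reader can confirm the feature is still present after the patches are removed.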
868 | @@ -410,6 +1058,39 @@ apache2 (2.4.41-5) unstable; urgency=medium |
869 | |
870 | -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100 |
871 | |
872 | +apache2 (2.4.41-4ubuntu3) focal; urgency=medium |
873 | + |
874 | + [ Timo Aaltonen ] |
875 | + * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff: |
876 | + mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests. |
877 | + Closes: #955348, LP: #1872478 |
878 | + |
879 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 13 Apr 2020 14:19:17 -0300 |
880 | + |
881 | +apache2 (2.4.41-4ubuntu2) focal; urgency=medium |
882 | + |
883 | + * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret" |
884 | + parameter to mod_proxy_ajp (LP: #1865340) |
885 | + |
886 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 05 Mar 2020 15:51:00 -0300 |
887 | + |
888 | +apache2 (2.4.41-4ubuntu1) focal; urgency=medium |
889 | + |
890 | + * Merge with Debian unstable. Remaining changes: |
891 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
892 | + apache2.dirs}: Add ufw profiles. |
893 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
894 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
895 | + fixes from upstream |
896 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
897 | + Debian with Ubuntu on default page. |
898 | + + d/source/include-binaries: add Ubuntu icon file |
899 | + - d/t/control, d/t/check-http2: add basic test for http2 support |
900 | + - d/perl-framework/t/modules/allowmethods.t: disable reset test. This |
901 | + was re-added by mistake in 2.4.41-1 (Closes #921024) |
902 | + |
903 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 10:36:13 -0300 |
904 | + |
905 | apache2 (2.4.41-4) unstable; urgency=medium |
906 | |
907 | * Add gcc in chroot autopkgtest (fixes debci) |
908 | @@ -434,6 +1115,41 @@ apache2 (2.4.41-2) unstable; urgency=medium |
909 | |
910 | -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100 |
911 | |
912 | +apache2 (2.4.41-1ubuntu1) eoan; urgency=medium |
913 | + |
914 | + * Merge with Debian unstable. Remaining changes: |
915 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
916 | + apache2.dirs}: Add ufw profiles. |
917 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
918 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
919 | + fixes from upstream |
920 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
921 | + Debian with Ubuntu on default page. |
922 | + + d/source/include-binaries: add Ubuntu icon file |
923 | + - d/t/control, d/t/check-http2: add basic test for http2 support |
924 | + * Dropped: |
925 | + - Cherrypick upstream testsuite fix: |
926 | + + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation" |
927 | + as such). |
928 | + + Similarly use TLSv1.2 for pr12355 and pr43738. |
929 | + [Test suite updated in 2.4.41-1] |
930 | + - Cherrypick upstream test suite fix for buffer. |
931 | + [Included in 2.4.41-1] |
932 | + - d/p/spelling-errors.patch: removed hunks already fixed upstream |
933 | + [Included in 2.4.39-1] |
934 | + - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1): |
935 | + + d/p/CVE-2019-0196.patch |
936 | + + d/p/CVE-2019-0211.patch |
937 | + + d/p/CVE-2019-0215.patch |
938 | + + d/p/CVE-2019-0217.patch |
939 | + + d/p/CVE-2019-0220-*.patch |
940 | + + d/p/CVE-2019-0197.patch |
941 | + * Added: |
942 | + - d/perl-framework/t/modules/allowmethods.t: disable reset test. This |
943 | + was re-added by mistake in 2.4.41-1 (Closes: #921024) |
944 | + |
945 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 14 Aug 2019 11:36:32 -0300 |
946 | + |
947 | apache2 (2.4.41-1) unstable; urgency=medium |
948 | |
949 | * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081, |
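Review bot: The six CVE-2019 patches listed under "Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1)" in 2.4.41-1ubuntu1 also appear under "Dropped patches (fixed upstream)" in the 2.4.39-0ubuntu1 entry, so the same removal is recorded in two uploads and it is unclear which one actually stopped shipping them. Keep the list in the upload that removed the patches and, if it has to be repeated here, say that it is carried over from 2.4.39-0ubuntu1; "d/p/CVE-2019-0220-*.patch" should also name the three files rather than use a wildcard.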
950 | @@ -466,6 +1182,62 @@ apache2 (2.4.39-1) unstable; urgency=medium |
951 | |
952 | -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200 |
953 | |
954 | +apache2 (2.4.39-0ubuntu1) eoan; urgency=medium |
955 | + |
956 | + * New upstream version: 2.4.39 |
957 | + * d/p/spelling-errors.patch: removed hunks already fixed upstream |
958 | + * Remaining changes: |
959 | + - Cherrypick upstream test suite fix for buffer. |
960 | + - Cherrypick upstream testsuite fix: |
961 | + + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation" |
962 | + as such). |
963 | + - Similarly use TLSv1.2 for pr12355 and pr43738. |
964 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
965 | + apache2.dirs}: Add ufw profiles. |
966 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
967 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
968 | + fixes from upstream |
969 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
970 | + Debian with Ubuntu on default page. |
971 | + + d/source/include-binaries: add Ubuntu icon file |
972 | + - d/t/control, d/t/check-http2: add basic test for http2 support |
973 | + * Dropped patches (fixed upstream): |
974 | + - d/p/CVE-2019-0196.patch |
975 | + - d/p/CVE-2019-0211.patch |
976 | + - d/p/CVE-2019-0215.patch |
977 | + - d/p/CVE-2019-0217.patch |
978 | + - d/p/CVE-2019-0220-*.patch |
979 | + - d/p/CVE-2019-0197.patch |
980 | + |
981 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 05 Aug 2019 18:09:08 -0300 |
982 | + |
983 | +apache2 (2.4.38-3ubuntu2) eoan; urgency=medium |
984 | + |
985 | + * Cherrypick upstream test suite fix for buffer. |
986 | + |
987 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 13 Jun 2019 11:08:24 +0100 |
988 | + |
989 | +apache2 (2.4.38-3ubuntu1) eoan; urgency=low |
990 | + |
991 | + * Merge from Debian unstable. Remaining changes: |
992 | + - Cherrypick upstream testsuite fix: |
993 | + + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation" |
994 | + as such). |
995 | + - Similarly use TLSv1.2 for pr12355 and pr43738. |
996 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
997 | + apache2.dirs}: Add ufw profiles. |
998 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
999 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1000 | + fixes from upstream |
1001 | + [Removed configure chunk, not needed since configure.in is being |
1002 | + patched.] |
1003 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
1004 | + Debian with Ubuntu on default page. |
1005 | + + d/source/include-binaries: add Ubuntu icon file |
1006 | + - d/t/control, d/t/check-http2: add basic test for http2 support |
1007 | + |
1008 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Jun 2019 19:17:38 +0100 |
1009 | + |
1010 | apache2 (2.4.38-3) unstable; urgency=high |
1011 | |
1012 | [ Marc Deslauriers ] |
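Review bot: "Cherrypick upstream test suite fix for buffer." in 2.4.38-3ubuntu2, repeated under "Remaining changes" in 2.4.39-0ubuntu1, names neither an upstream revision nor a patch file, unlike the neighbouring item that cites r1850941. Add the revision or the d/p/ file name so the change can be matched against upstream when deciding whether it can be dropped. In the same lists, "- Similarly use TLSv1.2 for pr12355 and pr43738." is at the "-" level although it belongs with the "+ r1850941" sub-item above it.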
1013 | @@ -503,6 +1275,79 @@ apache2 (2.4.38-3) unstable; urgency=high |
1014 | |
1015 | -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200 |
1016 | |
1017 | +apache2 (2.4.38-2ubuntu3) eoan; urgency=medium |
1018 | + |
1019 | + * Cherrypick upstream testsuite fix: |
1020 | + - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation" |
1021 | + as such). |
1022 | + * Similarly use TLSv1.2 for pr12355 and pr43738. |
1023 | + |
1024 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 07 May 2019 10:39:47 +0100 |
1025 | + |
1026 | +apache2 (2.4.38-2ubuntu2) disco; urgency=medium |
1027 | + |
1028 | + * SECURITY UPDATE: read-after-free on a string compare in mod_http2 |
1029 | + - debian/patches/CVE-2019-0196.patch: disentangelment of stream and |
1030 | + request method in modules/http2/h2_request.c. |
1031 | + - CVE-2019-0196 |
1032 | + * SECURITY UPDATE: privilege escalation from modules' scripts |
1033 | + - debian/patches/CVE-2019-0211.patch: bind the bucket number of each |
1034 | + child to its slot number in include/scoreboard.h, |
1035 | + server/mpm/event/event.c, server/mpm/prefork/prefork.c, |
1036 | + server/mpm/worker/worker.c. |
1037 | + - CVE-2019-0211 |
1038 | + * SECURITY UPDATE: mod_ssl access control bypass |
1039 | + - debian/patches/CVE-2019-0215.patch: restore SSL verify state after |
1040 | + PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c. |
1041 | + - CVE-2019-0215 |
1042 | + * SECURITY UPDATE: mod_auth_digest access control bypass |
1043 | + - debian/patches/CVE-2019-0217.patch: fix a race condition in |
1044 | + modules/aaa/mod_auth_digest.c. |
1045 | + - CVE-2019-0217 |
1046 | + * SECURITY UPDATE: URL normalization inconsistincy |
1047 | + - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in |
1048 | + the path in include/http_core.h, include/httpd.h, server/core.c, |
1049 | + server/request.c, server/util.c. |
1050 | + - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety |
1051 | + in server/request.c, server/util.c. |
1052 | + - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in |
1053 | + server/util.c. |
1054 | + - CVE-2019-0220 |
1055 | + |
1056 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Apr 2019 14:31:46 -0400 |
1057 | + |
1058 | +apache2 (2.4.38-2ubuntu1) disco; urgency=medium |
1059 | + |
1060 | + * Merge with Debian unstable. Remaining changes: |
1061 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1062 | + apache2.dirs}: Add ufw profiles. |
1063 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1064 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1065 | + fixes from upstream |
1066 | + [Removed configure chunk, not needed since configure.in is being |
1067 | + patched.] |
1068 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
1069 | + Debian with Ubuntu on default page. |
1070 | + + d/source/include-binaries: add Ubuntu icon file |
1071 | + - d/t/control, d/t/check-http2: add basic test for http2 support |
1072 | + * Dropped: |
1073 | + - d/control, d/rules, d/config-dir/mods-available/md.load: don't build |
1074 | + libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which |
1075 | + cannot be coinstalled with libcurl3. That situation breaks the |
1076 | + installation of libapache2-mod-shib2. See |
1077 | + https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1 |
1078 | + for details. |
1079 | + [This has been resolved in Disco, where libxmltooling8 is built with |
1080 | + openssl 1.1] |
1081 | + - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames |
1082 | + + debian/patches/CVE-2018-11763.patch: rework connection IO event |
1083 | + handling in modules/http2/h2_session.c, modules/http2/h2_session.h, |
1084 | + modules/http2/h2_version.h. |
1085 | + - CVE-2018-11763 |
1086 | + [Fixed in 2.4.35] |
1087 | + |
1088 | + -- Andreas Hasenack <andreas@canonical.com> Sun, 03 Feb 2019 14:57:13 -0200 |
1089 | + |
1090 | apache2 (2.4.38-2) unstable; urgency=medium |
1091 | |
1092 | * Disable "reset" test in allowmethods.t (Closes: #921024) |
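Review bot: In the "Dropped" list of 2.4.38-2ubuntu1, the line "- CVE-2018-11763" is at the same level as the "SECURITY UPDATE" item instead of being a "+" sub-item of it, so "[Fixed in 2.4.35]" reads as attached to the bare CVE line rather than to the whole dropped security update; indent it to match the patch line above. The 2.4.38-2ubuntu2 entry also has two misspellings worth correcting where that is still possible, "disentangelment" and "inconsistincy", since they defeat text searches over security changelogs.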
1093 | @@ -585,6 +1430,37 @@ apache2 (2.4.35-1) unstable; urgency=medium |
1094 | |
1095 | -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200 |
1096 | |
1097 | +apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium |
1098 | + |
1099 | + * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames |
1100 | + - debian/patches/CVE-2018-11763.patch: rework connection IO event |
1101 | + handling in modules/http2/h2_session.c, modules/http2/h2_session.h, |
1102 | + modules/http2/h2_version.h. |
1103 | + - CVE-2018-11763 |
1104 | + |
1105 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Oct 2018 09:57:22 -0400 |
1106 | + |
1107 | +apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium |
1108 | + |
1109 | + * Merge with Debian unstable. Remaining changes: |
1110 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1111 | + apache2.dirs}: Add ufw profiles. |
1112 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1113 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1114 | + fixes from upstream |
1115 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
1116 | + Debian with Ubuntu on default page. |
1117 | + + d/source/include-binaries: add Ubuntu icon file |
1118 | + - d/t/control, d/t/check-http2: add basic test for http2 support |
1119 | + - d/control, d/rules, d/config-dir/mods-available/md.load: don't build |
1120 | + libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which |
1121 | + cannot be coinstalled with libcurl3. That situation breaks the |
1122 | + installation of libapache2-mod-shib2. See |
1123 | + https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1 |
1124 | + for details. |
1125 | + |
1126 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 03 Aug 2018 17:09:27 -0300 |
1127 | + |
1128 | apache2 (2.4.34-1) unstable; urgency=medium |
1129 | |
1130 | [ Ondřej Surý ] |
1131 | @@ -603,6 +1479,87 @@ apache2 (2.4.34-1) unstable; urgency=medium |
1132 | |
1133 | -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200 |
1134 | |
1135 | +apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium |
1136 | + |
1137 | + * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load: |
1138 | + re-enable proxy_uwsgi, as the uwsgi source no longer builds this module. |
1139 | + |
1140 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 28 Jun 2018 10:07:06 -0300 |
1141 | + |
1142 | +apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium |
1143 | + |
1144 | + * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and |
1145 | + libapache2-mod-md until we figure out their transitions. libapache2-mod-md |
1146 | + in particular is problematic because that makes apache2-bin pull in |
1147 | + libcurl4 which cannot be coinstalled with libcurl3. That situation breaks |
1148 | + the installation of libapache2-mod-shib2. See |
1149 | + https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1 |
1150 | + for details. |
1151 | + - Don't ship md.load and remove build-requires that were added because of |
1152 | + mod-md (see |
1153 | + https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf) |
1154 | + - Remove proxy_uwsgi.load as we are not building it for now (see |
1155 | + https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9) |
1156 | + |
1157 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 17 May 2018 14:46:19 +0000 |
1158 | + |
1159 | +apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium |
1160 | + |
1161 | + * Merge with Debian unstable (LP: #1770242). Remaining changes: |
1162 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1163 | + apache2.dirs}: Add ufw profiles. |
1164 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1165 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1166 | + fixes from upstream |
1167 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
1168 | + Debian with Ubuntu on default page. |
1169 | + + d/source/include-binaries: add Ubuntu icon file |
1170 | + - d/t/control, d/t/check-http2: add basic test for http2 support |
1171 | + * Drop: |
1172 | + - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig |
1173 | + + debian/patches/CVE-2017-15710.patch: fix language long names |
1174 | + detection as short name in modules/aaa/mod_authnz_ldap.c. |
1175 | + + CVE-2017-15710 |
1176 | + - SECURITY UPDATE: incorrect <FilesMatch> matching |
1177 | + + debian/patches/CVE-2017-15715.patch: allow to configure |
1178 | + global/default options for regexes, like caseless matching or |
1179 | + extended format in include/ap_regex.h, server/core.c, |
1180 | + server/util_pcre.c. |
1181 | + + CVE-2017-15715 |
1182 | + - SECURITY UPDATE: mod_session header manipulation |
1183 | + + debian/patches/CVE-2018-1283.patch: strip Session header when |
1184 | + SessionEnv is on in modules/session/mod_session.c. |
1185 | + + CVE-2018-1283 |
1186 | + - SECURITY UPDATE: DoS via specially-crafted request |
1187 | + + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL |
1188 | + terminated on any error, not only on buffer full in |
1189 | + server/protocol.c. |
1190 | + + CVE-2018-1301 |
1191 | + - SECURITY UPDATE: mod_cache_socache DoS |
1192 | + + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up |
1193 | + to carriage return in modules/cache/mod_cache_socache.c. |
1194 | + + CVE-2018-1303 |
1195 | + - SECURITY UPDATE: insecure nonce generation |
1196 | + + debian/patches/CVE-2018-1312.patch: actually use the secret when |
1197 | + generating nonces in modules/aaa/mod_auth_digest.c. |
1198 | + + CVE-2018-1312 |
1199 | + - Correct systemd-sysv-generator behavior by customizing some |
1200 | + parameters: |
1201 | + + d/apache2-systemd.conf: add a drop-in file to specify some |
1202 | + parameters for the systemd unit (type=Forking and |
1203 | + RemainsAfterExit=no), this allow a correct state synchronisation |
1204 | + between systemctl status and actual state of apache2 daemon. |
1205 | + + d/apache2.install: place the apache2-systemd.conf file in the |
1206 | + correct location. |
1207 | + [type=Forking already in the base systemd service file, and |
1208 | + RemainsAfterExit=no is the default value, so no need to |
1209 | + customize these anymore.] |
1210 | + - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683) |
1211 | + + added debian/patches/util_ldap_cache_lock_fix.patch |
1212 | + [Already applied upstream] |
1213 | + |
1214 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 15 May 2018 11:03:34 -0300 |
1215 | + |
1216 | apache2 (2.4.33-3) unstable; urgency=medium |
1217 | |
1218 | * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too. |
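Review bot: The six SECURITY UPDATE items under "Drop:" in 2.4.33-3ubuntu1 (CVE-2017-15710 through CVE-2018-1312) carry no bracketed reason, while the systemd drop-in and the mod_ldap locking item in the same list end with "[type=Forking already in ...]" and "[Already applied upstream]". Add a "[Fixed in <version>]" line to each dropped CVE patch so it is clear from the changelog alone that the fixes are present in the merged version and were not lost in the merge.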
1219 | @@ -675,6 +1632,91 @@ apache2 (2.4.29-2) unstable; urgency=medium |
1220 | |
1221 | -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +0000 |
1222 | |
1223 | +apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium |
1224 | + |
1225 | + * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig |
1226 | + - debian/patches/CVE-2017-15710.patch: fix language long names |
1227 | + detection as short name in modules/aaa/mod_authnz_ldap.c. |
1228 | + - CVE-2017-15710 |
1229 | + * SECURITY UPDATE: incorrect <FilesMatch> matching |
1230 | + - debian/patches/CVE-2017-15715.patch: allow to configure |
1231 | + global/default options for regexes, like caseless matching or |
1232 | + extended format in include/ap_regex.h, server/core.c, |
1233 | + server/util_pcre.c. |
1234 | + - CVE-2017-15715 |
1235 | + * SECURITY UPDATE: mod_session header manipulation |
1236 | + - debian/patches/CVE-2018-1283.patch: strip Session header when |
1237 | + SessionEnv is on in modules/session/mod_session.c. |
1238 | + - CVE-2018-1283 |
1239 | + * SECURITY UPDATE: DoS via specially-crafted request |
1240 | + - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL |
1241 | + terminated on any error, not only on buffer full in |
1242 | + server/protocol.c. |
1243 | + - CVE-2018-1301 |
1244 | + * SECURITY UPDATE: mod_cache_socache DoS |
1245 | + - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up |
1246 | + to carriage return in modules/cache/mod_cache_socache.c. |
1247 | + - CVE-2018-1303 |
1248 | + * SECURITY UPDATE: insecure nonce generation |
1249 | + - debian/patches/CVE-2018-1312.patch: actually use the secret when |
1250 | + generating nonces in modules/aaa/mod_auth_digest.c. |
1251 | + - CVE-2018-1312 |
1252 | + |
1253 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Apr 2018 07:38:24 -0400 |
1254 | + |
1255 | +apache2 (2.4.29-1ubuntu4) bionic; urgency=medium |
1256 | + |
1257 | + * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683) |
1258 | + - added debian/patches/util_ldap_cache_lock_fix.patch |
1259 | + |
1260 | + -- Rafael David Tinoco <rafael.tinoco@canonical.com> Fri, 02 Mar 2018 02:19:31 +0000 |
1261 | + |
1262 | +apache2 (2.4.29-1ubuntu3) bionic; urgency=medium |
1263 | + |
1264 | + * Switch back to OpenSSL 1.1. |
1265 | + |
1266 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 11:57:20 +0000 |
1267 | + |
1268 | +apache2 (2.4.29-1ubuntu2) bionic; urgency=medium |
1269 | + |
1270 | + * enable http2 (LP: #1687454) by stopping to disable it |
1271 | + - debian/control: no more removed libnghttp2-dev Build-Depends (in universe). |
1272 | + - debian/config-dir/mods-available/http2.load: no more removed. |
1273 | + - debian/rules: no more removed proxy_http2 from configure. |
1274 | + * d/t/control, d/t/check-http2: add basic test for http2 support |
1275 | + |
1276 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 05 Dec 2017 17:25:39 +0100 |
1277 | + |
1278 | +apache2 (2.4.29-1ubuntu1) bionic; urgency=medium |
1279 | + |
1280 | + * Merge with Debian unstable. Remaining changes: |
1281 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1282 | + apache2.dirs}: Add ufw profiles. |
1283 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1284 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1285 | + fixes from upstream |
1286 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
1287 | + Debian with Ubuntu on default page. |
1288 | + + d/source/include-binaries: add Ubuntu icon file |
1289 | + - Correct systemd-sysv-generator behavior by customizing some |
1290 | + parameters: |
1291 | + + d/apache2-systemd.conf: add a drop-in file to specify some |
1292 | + parameters for the systemd unit (type=Forking and |
1293 | + RemainsAfterExit=no), this allow a correct state synchronisation |
1294 | + between systemctl status and actual state of apache2 daemon. |
1295 | + + d/apache2.install: place the apache2-systemd.conf file in the |
1296 | + correct location. |
1297 | + - Don't build http2 module (nghttp2 still not in main) (LP 1687454) |
1298 | + + debian/control: removed libnghttp2-dev Build-Depends (in universe). |
1299 | + + debian/config-dir/mods-available/http2.load: removed. |
1300 | + + debian/rules: removed proxy_http2 from configure. |
1301 | + * Switch back to OpenSSL 1.0 as we don't yet have 1.1: |
1302 | + - debian/control: switch BuildDepends to libssl1.0-dev |
1303 | + - debian/control: remove Breaks on gridsite and libapache2-mod-dacs |
1304 | + - debian/rules: remove openssl virtual package and logic |
1305 | + |
1306 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 10 Nov 2017 10:51:46 -0500 |
1307 | + |
1308 | apache2 (2.4.29-1) unstable; urgency=medium |
1309 | |
1310 | [ Stefan Fritsch ] |
1311 | @@ -739,6 +1781,47 @@ apache2 (2.4.27-3) experimental; urgency=medium |
1312 | |
1313 | -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +0200 |
1314 | |
1315 | +apache2 (2.4.27-2ubuntu3) artful; urgency=medium |
1316 | + |
1317 | + * SECURITY UPDATE: optionsbleed information leak |
1318 | + - debian/patches/CVE-2017-9798.patch: disallow method registration |
1319 | + at run time in server/core.c. |
1320 | + - CVE-2017-9798 |
1321 | + |
1322 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Sep 2017 11:05:48 -0400 |
1323 | + |
1324 | +apache2 (2.4.27-2ubuntu2) artful; urgency=medium |
1325 | + |
1326 | + * Undrop (LP 1658469): |
1327 | + - Don't build http2 module (nghttp2 still not in main) (LP 1687454) |
1328 | + + debian/control: removed libnghttp2-dev Build-Depends (in universe). |
1329 | + + debian/config-dir/mods-available/http2.load: removed. |
1330 | + + debian/rules: removed proxy_http2 from configure. |
1331 | + |
1332 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 02 Aug 2017 13:04:45 -0400 |
1333 | + |
1334 | +apache2 (2.4.27-2ubuntu1) artful; urgency=medium |
1335 | + |
1336 | + * Merge with Debian unstable (LP: #1702582). Remaining changes: |
1337 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1338 | + apache2.dirs}: Add ufw profiles. |
1339 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1340 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1341 | + fixes from upstream |
1342 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
1343 | + Debian with Ubuntu on default page. |
1344 | + + d/source/include-binaries: add Ubuntu icon file |
1345 | + - Correct systemd-sysv-generator behavior by customizing some |
1346 | + parameters: |
1347 | + + d/apache2-systemd.conf: add a drop-in file to specify some |
1348 | + parameters for the systemd unit (type=Forking and |
1349 | + RemainsAfterExit=no), this allow a correct state synchronisation |
1350 | + between systemctl status and actual state of apache2 daemon. |
1351 | + + d/apache2.install: place the apache2-systemd.conf file in the |
1352 | + correct location. |
1353 | + |
1354 | + -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 27 Jul 2017 13:38:39 -0700 |
1355 | + |
1356 | apache2 (2.4.27-2) unstable; urgency=medium |
1357 | |
1358 | * Switch back to openssl 1.0 for now. The transition to 1.1 needs more |
1359 | @@ -768,6 +1851,55 @@ apache2 (2.4.25-4) unstable; urgency=high |
1360 | |
1361 | -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +0200 |
1362 | |
1363 | +apache2 (2.4.25-3ubuntu3) artful; urgency=medium |
1364 | + |
1365 | + * Re-Drop (LP: #1658469): |
1366 | + - Don't build experimental http2 module for LTS: |
1367 | + + debian/control: removed libnghttp2-dev Build-Depends (in universe). |
1368 | + + debian/config-dir/mods-available/http2.load: removed. |
1369 | + + debian/rules: removed proxy_http2 from configure. |
1370 | + + debian/apache2.maintscript: remove http2 conffile. |
1371 | + |
1372 | + -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Mon, 01 May 2017 09:55:11 -0700 |
1373 | + |
1374 | +apache2 (2.4.25-3ubuntu2) zesty; urgency=medium |
1375 | + * Undrop (LP 1658469): |
1376 | + - Don't build experimental http2 module for LTS: |
1377 | + + debian/control: removed libnghttp2-dev Build-Depends (in universe). |
1378 | + + debian/config-dir/mods-available/http2.load: removed. |
1379 | + + debian/rules: removed proxy_http2 from configure. |
1380 | + + debian/apache2.maintscript: remove http2 conffile. |
1381 | + |
1382 | + -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 10 Feb 2017 08:53:43 -0800 |
1383 | + |
1384 | +apache2 (2.4.25-3ubuntu1) zesty; urgency=medium |
1385 | + |
1386 | + * Merge from Debian unstable (LP: #1663425). Remaining changes: |
1387 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1388 | + apache2.dirs}: Add ufw profiles. |
1389 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1390 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1391 | + fixes from upstream |
1392 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
1393 | + Debian with Ubuntu on default page. |
1394 | + + d/source/include-binaries: add Ubuntu icon file |
1395 | + - Correct systemd-sysv-generator behavior by customizing some |
1396 | + parameters: |
1397 | + + d/apache2-systemd.conf: add a drop-in file to specify some |
1398 | + parameters for the systemd unit (type=Forking and |
1399 | + RemainsAfterExit=no), this allow a correct state synchronisation |
1400 | + between systemctl status and actual state of apache2 daemon. |
1401 | + + d/apache2.install: place the apache2-systemd.conf file in the |
1402 | + correct location. |
1403 | + * Drop (LP: #1658469): |
1404 | + - Don't build experimental http2 module for LTS: |
1405 | + + debian/control: removed libnghttp2-dev Build-Depends (in universe). |
1406 | + + debian/config-dir/mods-available/http2.load: removed. |
1407 | + + debian/rules: removed proxy_http2 from configure. |
1408 | + + debian/apache2.maintscript: remove http2 conffile. |
1409 | + |
1410 | + -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 09 Feb 2017 15:48:28 -0800 |
1411 | + |
1412 | apache2 (2.4.25-3) unstable; urgency=medium |
1413 | |
1414 | * Fix detection of systemd to fix 'apache2ctl start' on sysv-init. |
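Review bot: the 2.4.25-3ubuntu2 stanza puts its first item, "* Undrop (LP 1658469):", directly under the header line with no blank line in between, unlike the other two stanzas added in this hunk. If the entry is reproduced verbatim from the published upload, leave it as is; otherwise add the blank line so the stanzas are uniform.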
1415 | @@ -829,6 +1961,39 @@ apache2 (2.4.25-1) unstable; urgency=medium |
1416 | |
1417 | -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +0100 |
1418 | |
1419 | +apache2 (2.4.23-8ubuntu1) zesty; urgency=medium |
1420 | + |
1421 | + * Merge from Debian unstable (LP: #). Remaining changes: |
1422 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1423 | + apache2.dirs}: Add ufw profiles. |
1424 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1425 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1426 | + fixes from upstream |
1427 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, |
1428 | + d/source/include-binaries: replace Debian with Ubuntu on default |
1429 | + page. |
1430 | + [ include-binaries change previously undocumented ] |
1431 | + - Don't build experimental http2 module for LTS: |
1432 | + + debian/control: removed libnghttp2-dev Build-Depends (in universe). |
1433 | + + debian/config-dir/mods-available/http2.load: removed. |
1434 | + + debian/rules: removed proxy_http2 from configure. |
1435 | + + debian/apache2.maintscript: remove http2 conffile. |
1436 | + [ Previously undocumented ] |
1437 | + - Correct systemd-sysv-generator behavior by customizing some |
1438 | + parameters: |
1439 | + + d/apache2-systemd.conf: add a drop-in file to specify some |
1440 | + parameters for the systemd unit (type=Forking and |
1441 | + RemainsAfterExit=no), this allow a correct state synchronisation |
1442 | + between systemctl status and actual state of apache2 daemon. |
1443 | + + d/apache2.install: place the apache2-systemd.conf file in the |
1444 | + correct location. |
1445 | + * Drop: |
1446 | + - debian/rules: Fix cross-building by passing |
1447 | + DEB_{HOST,BUILD}_GNU_TYPE to configure. |
1448 | + [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ] |
1449 | + |
1450 | + -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 09 Dec 2016 11:02:38 +0100 |
1451 | + |
1452 | apache2 (2.4.23-8) unstable; urgency=medium |
1453 | |
1454 | * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a |
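Review bot: the 2.4.23-8ubuntu1 entry opens with "Merge from Debian unstable (LP: #).", a bug reference with no number. Either fill in the merge bug or remove the empty "(LP: #)"; the neighbouring merge entries either cite a number ("LP: #1663425" in 2.4.25-3ubuntu1) or omit the reference altogether (2.4.23-7ubuntu1).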
1455 | @@ -839,6 +2004,33 @@ apache2 (2.4.23-8) unstable; urgency=medium |
1456 | |
1457 | -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100 |
1458 | |
1459 | +apache2 (2.4.23-7ubuntu1) zesty; urgency=medium |
1460 | + |
1461 | + * Merge from Debian unstable. Remaining changes: |
1462 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1463 | + apache2.dirs}: Add ufw profiles. |
1464 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1465 | + - debian/rules: Fix cross-building by passing |
1466 | + DEB_{HOST,BUILD}_GNU_TYPE to configure. |
1467 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1468 | + fixes from upstream |
1469 | + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace |
1470 | + Debian with Ubuntu on default page. |
1471 | + - Don't build experimental http2 module for LTS: |
1472 | + + debian/control: removed libnghttp2-dev Build-Depends (in universe). |
1473 | + + debian/config-dir/mods-available/http2.load: removed. |
1474 | + + debian/rules: removed proxy_http2 from configure. |
1475 | + - Correct systemd-sysv-generator behavior by customizing some |
1476 | + parameters: |
1477 | + + d/apache2-systemd.conf: add a drop-in file to specify some |
1478 | + parameters for the systemd unit (type=Forking and |
1479 | + RemainsAfterExit=no), this allow a correct state synchronisation |
1480 | + between systemctl status and actual state of apache2 daemon. |
1481 | + + d/apache2.install: place the apache2-systemd.conf file in the |
1482 | + correct location. |
1483 | + |
1484 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Nov 2016 09:17:24 -0500 |
1485 | + |
1486 | apache2 (2.4.23-7) unstable; urgency=medium |
1487 | |
1488 | * Make apache2-dev depend on openssl 1.0, too. Closes: #844160 |
1489 | @@ -953,6 +2145,55 @@ apache2 (2.4.20-1) unstable; urgency=medium |
1490 | |
1491 | -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200 |
1492 | |
1493 | +apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium |
1494 | + |
1495 | + * SECURITY UPDATE: proxy request header vulnerability (httpoxy) |
1496 | + - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in |
1497 | + server/util_script.c. |
1498 | + - CVE-2016-5387 |
1499 | + |
1500 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Jul 2016 14:32:02 -0400 |
1501 | + |
1502 | +apache2 (2.4.18-2ubuntu3) xenial; urgency=medium |
1503 | + |
1504 | + [ Ryan Harper ] |
1505 | + * Drop /etc/apache2/mods-available/http2.load. This was inadvertently |
1506 | + introduced in 2.4.18-2ubuntu1. The intention is to not carry this at |
1507 | + all, since http2 support is intentionally disabled (see LP 1531864). |
1508 | + * d/apache2.maintscript: handle removal of http2.load conffile. |
1509 | + |
1510 | + [ Robie Basak ] |
1511 | + * Re-write Ryan's changelog entry. |
1512 | + |
1513 | + -- Robie Basak <robie.basak@ubuntu.com> Fri, 15 Apr 2016 18:00:57 +0000 |
1514 | + |
1515 | +apache2 (2.4.18-2ubuntu2) xenial; urgency=medium |
1516 | + |
1517 | + * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962) |
1518 | + - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd |
1519 | + unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation |
1520 | + between systemctl status and actual state of apache2 daemon. |
1521 | + - d/apache2.install: place the apache2-systemd.conf file in the correct location. |
1522 | + |
1523 | + -- Pierre-André MOREY <pierre-andre.morey@canonical.com> Fri, 08 Apr 2016 11:48:00 +0200 |
1524 | + |
1525 | +apache2 (2.4.18-2ubuntu1) xenial; urgency=medium |
1526 | + |
1527 | + * Merge from Debian unstable. Remaining changes: |
1528 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1529 | + apache2.dirs}: Add ufw profiles. |
1530 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1531 | + - debian/rules: Fix cross-building by passing |
1532 | + DEB_{HOST,BUILD}_GNU_TYPE to configure. |
1533 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1534 | + fixes from upstream |
1535 | + - d/index.html: replace Debian with Ubuntu on default page. |
1536 | + - Don't build experimental http2 module for LTS: |
1537 | + + debian/control: removed libnghttp2-dev Build-Depends (in universe). |
1538 | + + debian/config-dir/mods-available/http2.load: removed. |
1539 | + |
1540 | + -- Timo Aaltonen <tjaalton@debian.org> Wed, 06 Apr 2016 00:18:31 +0300 |
1541 | + |
1542 | apache2 (2.4.18-2) unstable; urgency=low |
1543 | |
1544 | * htcacheclean: |
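Review bot: the "Remaining changes" list in 2.4.18-2ubuntu1 no longer carries "Add dep8 tests.", which 2.4.18-1ubuntu1 lists as delta, and no Drop item records what happened to it. It is worth confirming whether the tests were dropped or only left out of the list, and recording the answer with a bracketed annotation like the "[ Previously undocumented ]" markers used in 2.4.23-8ubuntu1. Separately, the item lines of the 2.4.18-2ubuntu2 stanza run past 80 columns and could be re-wrapped like the same text in the later merge entries.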
1545 | @@ -978,6 +2219,24 @@ apache2 (2.4.18-2) unstable; urgency=low |
1546 | |
1547 | -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200 |
1548 | |
1549 | +apache2 (2.4.18-1ubuntu1) xenial; urgency=medium |
1550 | + |
1551 | + * Merge from Debian unstable. Remaining changes: |
1552 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1553 | + apache2.dirs}: Add ufw profiles. |
1554 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1555 | + - Add dep8 tests. |
1556 | + - debian/rules: Fix cross-building by passing |
1557 | + DEB_{HOST,BUILD}_GNU_TYPE to configure. |
1558 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1559 | + fixes from upstream |
1560 | + - d/index.html: replace Debian with Ubuntu on default page. |
1561 | + - Don't build experimental http2 module for LTS: |
1562 | + + debian/control: removed libnghttp2-dev Build-Depends (in universe). |
1563 | + + debian/config-dir/mods-available/http2.load: removed. |
1564 | + |
1565 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Jan 2016 15:15:22 -0500 |
1566 | + |
1567 | apache2 (2.4.18-1) unstable; urgency=medium |
1568 | |
1569 | * New upstream release: |
1570 | @@ -985,12 +2244,48 @@ apache2 (2.4.18-1) unstable; urgency=medium |
1571 | |
1572 | -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100 |
1573 | |
1574 | +apache2 (2.4.17-3ubuntu1) xenial; urgency=medium |
1575 | + |
1576 | + * Merge from Debian unstable. Remaining changes: |
1577 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1578 | + apache2.dirs}: Add ufw profiles. |
1579 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1580 | + - Add dep8 tests. |
1581 | + - debian/rules: Fix cross-building by passing |
1582 | + DEB_{HOST,BUILD}_GNU_TYPE to configure. |
1583 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1584 | + fixes from upstream |
1585 | + - d/index.html: replace Debian with Ubuntu on default page. |
1586 | + - Don't build experimental http2 module for LTS: |
1587 | + + debian/control: removed libnghttp2-dev Build-Depends (in universe). |
1588 | + + debian/config-dir/mods-available/http2.load: removed. |
1589 | + |
1590 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Dec 2015 10:07:35 -0500 |
1591 | + |
1592 | apache2 (2.4.17-3) unstable; urgency=medium |
1593 | |
1594 | * mpm_prefork: Fix segfault if started with -X. Closes: #805737 |
1595 | |
1596 | -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100 |
1597 | |
1598 | +apache2 (2.4.17-2ubuntu1) xenial; urgency=medium |
1599 | + |
1600 | + * Merge from Debian unstable. Remaining changes: |
1601 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1602 | + apache2.dirs}: Add ufw profiles. |
1603 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1604 | + - Add dep8 tests. |
1605 | + - debian/rules: Fix cross-building by passing |
1606 | + DEB_{HOST,BUILD}_GNU_TYPE to configure. |
1607 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1608 | + fixes from upstream |
1609 | + - d/index.html: replace Debian with Ubuntu on default page. |
1610 | + - Don't build experimental http2 module for LTS: |
1611 | + + debian/control: removed libnghttp2-dev Build-Depends (in universe). |
1612 | + + debian/config-dir/mods-available/http2.load: removed. |
1613 | + |
1614 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Nov 2015 09:11:52 -0500 |
1615 | + |
1616 | apache2 (2.4.17-2) unstable; urgency=medium |
1617 | |
1618 | * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke |
1619 | @@ -1001,6 +2296,31 @@ apache2 (2.4.17-2) unstable; urgency=medium |
1620 | |
1621 | -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100 |
1622 | |
1623 | +apache2 (2.4.17-1ubuntu1) xenial; urgency=medium |
1624 | + |
1625 | + * Merge from Debian unstable. Remaining changes: |
1626 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1627 | + apache2.dirs}: Add ufw profiles. |
1628 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1629 | + - Add dep8 tests. |
1630 | + - debian/rules: Fix cross-building by passing |
1631 | + DEB_{HOST,BUILD}_GNU_TYPE to configure. |
1632 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1633 | + fixes from upstream |
1634 | + - d/index.html: replace Debian with Ubuntu on default page. |
1635 | + * Drop patches (applied upstream): |
1636 | + - debian/patches/CVE-2015-3183.patch |
1637 | + - debian/patches/CVE-2015-3185.patch |
1638 | + * Drop changes (adopted in Debian): |
1639 | + - Allow "triggers-awaited" and "triggers-pending" states in addition |
1640 | + to "installed" when determining whether to defer actions or |
1641 | + process deferred actions. |
1642 | + * Don't build experimental http2 module for LTS |
1643 | + - debian/control: removed libnghttp2-dev Build-Depends (in universe). |
1644 | + - debian/config-dir/mods-available/http2.load: removed. |
1645 | + |
1646 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 30 Oct 2015 09:35:46 -0400 |
1647 | + |
1648 | apache2 (2.4.17-1) unstable; urgency=medium |
1649 | |
1650 | [ Stefan Fritsch ] |
1651 | @@ -1066,6 +2386,49 @@ apache2 (2.4.16-1) unstable; urgency=medium |
1652 | |
1653 | -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200 |
1654 | |
1655 | +apache2 (2.4.12-2ubuntu2) wily; urgency=medium |
1656 | + |
1657 | + * SECURITY UPDATE: request smuggling via chunked transfer encoding |
1658 | + - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in |
1659 | + modules/http/http_filters.c. |
1660 | + - CVE-2015-3183 |
1661 | + * SECURITY UPDATE: access restriction bypass via deprecated API |
1662 | + - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one |
1663 | + in include/http_request.h, server/request.c. |
1664 | + - CVE-2015-3185 |
1665 | + |
1666 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 24 Jul 2015 09:56:09 -0400 |
1667 | + |
1668 | +apache2 (2.4.12-2ubuntu1) wily; urgency=medium |
1669 | + |
1670 | + * Merge from Debian unstable. Remaining changes: |
1671 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1672 | + apache2.dirs}: Add ufw profiles. |
1673 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1674 | + - Add dep8 tests. |
1675 | + - debian/rules: Fix cross-building by passing |
1676 | + DEB_{HOST,BUILD}_GNU_TYPE to configure. |
1677 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1678 | + fixes from upstream |
1679 | + - d/index.html: replace Debian with Ubuntu on default page. |
1680 | + - Allow "triggers-awaited" and "triggers-pending" states in addition |
1681 | + to "installed" when determining whether to defer actions or |
1682 | + process deferred actions. |
1683 | + * Drop patches (applied upstream): |
1684 | + - d/p/split-logfile.patch |
1685 | + - d/p/CVE-2015-0228.patch |
1686 | + * Drop changes (superceded in Debian): |
1687 | + - Cherry-pick versioned build-depend on dpkg from Debian for correct |
1688 | + dpkg-maintscript-helper symlink_to_dir support. |
1689 | + * Drop changes (adopted in Debian): |
1690 | + - d/control, d/config-dir/mods-available/ssl.conf, |
1691 | + d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase |
1692 | + dialog program ask-for-passphrase. |
1693 | + * Fix cross-building configure line in d/rules, which had bit-rotted in |
1694 | + previous merges. |
1695 | + |
1696 | + -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 May 2015 16:34:00 +0000 |
1697 | + |
1698 | apache2 (2.4.12-2) unstable; urgency=medium |
1699 | |
1700 | [ Jean-Michel Nirgal Vourgère ] |
1701 | @@ -1115,6 +2478,28 @@ apache2 (2.4.10-10) unstable; urgency=medium |
1702 | |
1703 | -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100 |
1704 | |
1705 | +apache2 (2.4.10-9ubuntu1) vivid; urgency=medium |
1706 | + |
1707 | + * Merge from Debian unstable. Remaining changes: |
1708 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1709 | + apache2.dirs}: Add ufw profiles. |
1710 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1711 | + - d/control, d/config-dir/mods-available/ssl.conf, |
1712 | + - Add dep8 tests. |
1713 | + - debian/rules: Fix cross-building by passing |
1714 | + DEB_{HOST,BUILD}_GNU_TYPE to configure. |
1715 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1716 | + fixes from upstream |
1717 | + - d/index.html: replace Debian with Ubuntu on default page. |
1718 | + - d/p/split-logfile.patch: fix completely broken split-logfile |
1719 | + command. |
1720 | + - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a |
1721 | + denial of service in mod_lua via websockets PING |
1722 | + * debian/tests/ssl-passphrase: Add password responder for |
1723 | + systemd-ask-passphrase. |
1724 | + |
1725 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 09 Mar 2015 12:03:16 +0100 |
1726 | + |
1727 | apache2 (2.4.10-9) unstable; urgency=medium |
1728 | |
1729 | * CVE-2014-8109: mod_lua: Fix handling of the Require line when a |
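Review bot: in the "Remaining changes" list of 2.4.10-9ubuntu1, the item "- d/control, d/config-dir/mods-available/ssl.conf," ends on a comma and is followed directly by "- Add dep8 tests.", so the file list has no description. The matching item in 2.4.10-8ubuntu1 continues with "d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase dialog program ask-for-passphrase."; restore that text or remove the fragment. The same entry also does not say what happened to CVE-2014-8109.patch from 2.4.10-8ubuntu3, which the Debian 2.4.10-9 upload shown in the context lines fixes itself, so a Drop item for it would complete the record.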
1730 | @@ -1129,6 +2514,54 @@ apache2 (2.4.10-9) unstable; urgency=medium |
1731 | |
1732 | -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100 |
1733 | |
1734 | +apache2 (2.4.10-8ubuntu3) vivid; urgency=medium |
1735 | + |
1736 | + * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require |
1737 | + directives |
1738 | + - debian/patches/CVE-2014-8109.patch: handle multiple Require |
1739 | + directives with different arguments in modules/lua/mod_lua.c. |
1740 | + - CVE-2014-8109 |
1741 | + * SECURITY UPDATE: denial of service in mod_lua via websockets PING |
1742 | + - debian/patches/CVE-2015-0228.patch: fix logic in |
1743 | + modules/lua/lua_request.c. |
1744 | + - CVE-2015-0228 |
1745 | + |
1746 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 05 Mar 2015 10:56:34 -0500 |
1747 | + |
1748 | +apache2 (2.4.10-8ubuntu2) vivid; urgency=medium |
1749 | + |
1750 | + * Allow "triggers-awaited" and "triggers-pending" states in addition to |
1751 | + "installed" when determining whether to defer actions or process |
1752 | + deferred actions (LP: #1393832). |
1753 | + |
1754 | + -- Colin Watson <cjwatson@ubuntu.com> Wed, 26 Nov 2014 11:31:44 +0000 |
1755 | + |
1756 | +apache2 (2.4.10-8ubuntu1) vivid; urgency=medium |
1757 | + |
1758 | + * Merge from Debian unstable. Remaining changes: |
1759 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1760 | + apache2.dirs}: Add ufw profiles. |
1761 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1762 | + - d/control, d/config-dir/mods-available/ssl.conf, |
1763 | + d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase |
1764 | + dialog program ask-for-passphrase. |
1765 | + - Add dep8 tests. |
1766 | + - debian/rules: Fix cross-building by passing |
1767 | + DEB_{HOST,BUILD}_GNU_TYPE to configure. |
1768 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1769 | + fixes from upstream |
1770 | + - d/index.html: replace Debian with Ubuntu on default page. |
1771 | + - d/p/split-logfile.patch: fix completely broken split-logfile |
1772 | + command. |
1773 | + * Fixes from Debian included in merge: |
1774 | + - Crash caused by OCSP stapling code; this was erroneously |
1775 | + attributed to Debian in my previous merge, but actually only |
1776 | + appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174). |
1777 | + * Cherry-pick versioned build-depend on dpkg from Debian for correct |
1778 | + dpkg-maintscript-helper symlink_to_dir support. |
1779 | + |
1780 | + -- Robie Basak <robie.basak@ubuntu.com> Fri, 21 Nov 2014 15:15:58 +0000 |
1781 | + |
1782 | apache2 (2.4.10-8) unstable; urgency=medium |
1783 | |
1784 | * Bump dpkg Pre-Depends to version that supports relative symlinks in |
1785 | @@ -1143,6 +2576,33 @@ apache2 (2.4.10-8) unstable; urgency=medium |
1786 | |
1787 | -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100 |
1788 | |
1789 | +apache2 (2.4.10-7ubuntu1) vivid; urgency=medium |
1790 | + |
1791 | + * Merge from Debian unstable. Remaining changes: |
1792 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1793 | + apache2.dirs}: Add ufw profiles. |
1794 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1795 | + - d/control, d/config-dir/mods-available/ssl.conf, |
1796 | + d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase |
1797 | + dialog program ask-for-passphrase. |
1798 | + - Add dep8 tests. |
1799 | + - debian/rules: Fix cross-building by passing |
1800 | + DEB_{HOST,BUILD}_GNU_TYPE to configure. |
1801 | + - debian/patches/086_svn_cross_compiles: Backport several cross |
1802 | + fixes from upstream |
1803 | + - d/index.html: replace Debian with Ubuntu on default page. |
1804 | + - d/p/split-logfile.patch: fix completely broken split-logfile command. |
1805 | + * Fixes from Debian included in merge: |
1806 | + - Don't use a2query in preinst, as it may not be available yet |
1807 | + (LP: #1312533). |
1808 | + - Crash caused by OCSP stapling code (LP: #1366174). |
1809 | + - Disable SSLv3 in default config (LP: #1358305). |
1810 | + - If apache2 is not configured yet, defer actions executed via |
1811 | + apache2-maintscript-helper. This fixes installation failures if a |
1812 | + module package is configured first (LP: #1312854). |
1813 | + |
1814 | + -- Robie Basak <robie.basak@ubuntu.com> Mon, 17 Nov 2014 18:04:40 +0000 |
1815 | + |
1816 | apache2 (2.4.10-7) unstable; urgency=medium |
1817 | |
1818 | * Handle transitions of doc dirs and symlinks correctly during upgrade. |
1819 | @@ -1226,6 +2686,25 @@ apache2 (2.4.10-2) unstable; urgency=medium |
1820 | |
1821 | -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200 |
1822 | |
1823 | +apache2 (2.4.10-1ubuntu1) utopic; urgency=medium |
1824 | + |
1825 | + * Merge from Debian unstable. Remaining changes: |
1826 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1827 | + apache2.dirs}: Add ufw profiles. |
1828 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1829 | + - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase, |
1830 | + d/apache2.install: Plymouth aware passphrase dialog program |
1831 | + ask-for-passphrase. |
1832 | + - Add dep8 tests. |
1833 | + - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to |
1834 | + configure. |
1835 | + - debian/patches/086_svn_cross_compiles: Backport several cross fixes from |
1836 | + upstream |
1837 | + - d/index.html: replace Debian with Ubuntu on default page. |
1838 | + - d/p/split-logfile.patch: fix completely broken split-logfile command. |
1839 | + |
1840 | + -- Robie Basak <robie.basak@ubuntu.com> Thu, 24 Jul 2014 15:13:16 +0000 |
1841 | + |
1842 | apache2 (2.4.10-1) unstable; urgency=medium |
1843 | |
1844 | [ Arno Töll ] |
1845 | @@ -1273,6 +2752,45 @@ apache2 (2.4.9-2) unstable; urgency=medium |
1846 | |
1847 | -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200 |
1848 | |
1849 | +apache2 (2.4.9-1ubuntu2) utopic; urgency=medium |
1850 | + |
1851 | + * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't |
1852 | + yet support building against lua 5.2 (LP: #1323930). |
1853 | + |
1854 | + -- Robie Basak <robie.basak@ubuntu.com> Wed, 28 May 2014 08:55:25 +0000 |
1855 | + |
1856 | +apache2 (2.4.9-1ubuntu1) utopic; urgency=medium |
1857 | + |
1858 | + * Merge from Debian unstable. Remaining changes: |
1859 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1860 | + apache2.dirs}: Add ufw profiles. |
1861 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1862 | + - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase, |
1863 | + d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase |
1864 | + dialog program ask-for-passphrase. |
1865 | + - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to |
1866 | + configure. |
1867 | + - debian/patches/086_svn_cross_compiles: Backport several cross fixes from |
1868 | + upstream |
1869 | + - Build using lua5.2. |
1870 | + - d/tests/chroot: dep8 test for ChrootDir case. |
1871 | + - d/tests/ssl-passphrase: update for new default path /var/www/html. |
1872 | + - d/tests/duplicate-module-load: check for duplicate module loads. |
1873 | + - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690). |
1874 | + - d/p/split-logfile.patch: fix completely broken split-logfile command |
1875 | + (LP: #1299162). Thanks to Holger Mauermann. |
1876 | + * Drop changes (upstreamed): |
1877 | + - d/p/ignore-quilt-dir: adjust build system so that it does not use |
1878 | + files find inside the .pc directory. This stops a double module load |
1879 | + causing later havoc, including "ChrootDir" directive failure. |
1880 | + - debian/patches/CVE-2013-6438.patch: properly calculate correct length |
1881 | + in modules/dav/main/util.c. |
1882 | + - debian/patches/CVE-2014-0098.patch: properly parse tokens in |
1883 | + modules/loggers/mod_log_config.c. |
1884 | + * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility. |
1885 | + |
1886 | + -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 May 2014 19:30:04 +0000 |
1887 | + |
1888 | apache2 (2.4.9-1) unstable; urgency=medium |
1889 | |
1890 | * New upstream version. |
1891 | @@ -1305,6 +2823,63 @@ apache2 (2.4.9-1) unstable; urgency=medium |
1892 | |
1893 | -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +0100 |
1894 | |
1895 | +apache2 (2.4.7-1ubuntu4) trusty; urgency=medium |
1896 | + |
1897 | + * d/p/split-logfile.patch: fix completely broken split-logfile command |
1898 | + (LP: #1299162). Thanks to Holger Mauermann. |
1899 | + |
1900 | + -- Robie Basak <robie.basak@ubuntu.com> Thu, 03 Apr 2014 11:21:22 +0000 |
1901 | + |
1902 | +apache2 (2.4.7-1ubuntu3) trusty; urgency=medium |
1903 | + |
1904 | + * SECURITY UPDATE: denial of service via mod_dav incorrect end of string |
1905 | + calculation |
1906 | + - debian/patches/CVE-2013-6438.patch: properly calculate correct length |
1907 | + in modules/dav/main/util.c. |
1908 | + - CVE-2013-6438 |
1909 | + * SECURITY UPDATE: denial of service via truncated cookie and |
1910 | + mod_log_config |
1911 | + - debian/patches/CVE-2014-0098.patch: properly parse tokens in |
1912 | + modules/loggers/mod_log_config.c. |
1913 | + - CVE-2014-0098 |
1914 | + |
1915 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Mar 2014 08:34:10 -0400 |
1916 | + |
1917 | +apache2 (2.4.7-1ubuntu2) trusty; urgency=medium |
1918 | + |
1919 | + * d/index.html: replace Debian with Ubuntu on default page |
1920 | + (LP: #1288690). |
1921 | + |
1922 | + -- Robie Basak <robie.basak@ubuntu.com> Wed, 19 Mar 2014 11:04:21 +0000 |
1923 | + |
1924 | +apache2 (2.4.7-1ubuntu1) trusty; urgency=medium |
1925 | + |
1926 | + * Merge from Debian unstable. Remaining changes: |
1927 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1928 | + apache2.dirs}: Add ufw profiles. |
1929 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1930 | + - d/control, d/config-dir/mods-available/ssl.conf, |
1931 | + d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase: |
1932 | + Plymouth aware passphrase dialog program ask-for-passphrase. |
1933 | + - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE |
1934 | + to configure. |
1935 | + - debian/patches/086_svn_cross_compiles: Backport several cross fixes |
1936 | + from upstream |
1937 | + - Build using lua5.2. |
1938 | + - d/tests/chroot: dep8 test for ChrootDir case. |
1939 | + - d/p/ignore-quilt-dir: adjust build system so that it does not use |
1940 | + files find inside the .pc directory. This stops a double module load |
1941 | + causing later havoc, including "ChrootDir" directive failure. |
1942 | + * Drop changes: |
1943 | + - debian/{control, rules}: Enable PIE hardening: no longer required; |
1944 | + 2.4.7-1 is already hardened. |
1945 | + - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved |
1946 | + out of this package. |
1947 | + * d/tests/ssl-passphrase: update for new default path /var/www/html. |
1948 | + * d/tests/duplicate-module-load: check for duplicate module loads. |
1949 | + |
1950 | + -- Robie Basak <robie.basak@ubuntu.com> Tue, 14 Jan 2014 17:23:47 +0000 |
1951 | + |
1952 | apache2 (2.4.7-1) unstable; urgency=low |
1953 | |
1954 | New upstream version |
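Review bot: The "Drop changes" item for PIE hardening in 2.4.7-1ubuntu1 is justified only by the statement "2.4.7-1 is already hardened", with no check recorded next to it. The same entry adds dep8 tests for ssl-passphrase and duplicate module loads, but nothing that would catch a later loss of hardening flags. Since this merge re-annotates each piece of delta, it would help to state in the merge description how the dropped hardening delta was confirmed against the current build, so that the reason for dropping a security-relevant change can be audited.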
1955 | @@ -1368,6 +2943,53 @@ apache2 (2.4.6-3) unstable; urgency=low |
1956 | |
1957 | -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +0200 |
1958 | |
1959 | +apache2 (2.4.6-2ubuntu4) trusty; urgency=low |
1960 | + |
1961 | + * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so |
1962 | + that it does not use files find inside the .pc directory. This stops a |
1963 | + double module load causing later havoc, including "ChrootDir" directive |
1964 | + failure (LP: #1251939). Thanks to Stefan Fritsch. |
1965 | + * d/tests/chroot: dep8 test for ChrootDir case. |
1966 | + |
1967 | + -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 Nov 2013 16:21:51 +0000 |
1968 | + |
1969 | +apache2 (2.4.6-2ubuntu3) trusty; urgency=low |
1970 | + |
1971 | + * debian/apache2.install: Correct path for ufw. |
1972 | + (LP: #1252722) |
1973 | + |
1974 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 19 Nov 2013 08:59:54 -0500 |
1975 | + |
1976 | +apache2 (2.4.6-2ubuntu2) saucy; urgency=low |
1977 | + |
1978 | + * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes |
1979 | + passphrase prompting for SSL certificates that are passphrase protected. |
1980 | + * Add dep8 test for SSL passphrase prompting. |
1981 | + |
1982 | + -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 Aug 2013 13:08:52 +0000 |
1983 | + |
1984 | +apache2 (2.4.6-2ubuntu1) saucy; urgency=low |
1985 | + |
1986 | + * Merge from Debian unstable. Remaining changes: |
1987 | + - debian/{control, rules}: Enable PIE hardening. |
1988 | + - debian/{control, apache2.install, apache2-utils.ufw.profile, |
1989 | + apache2.dirs}: Add ufw profiles. |
1990 | + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. |
1991 | + - debian/control, debian/config-dir/mods-available/ssl.conf, |
1992 | + debian/ask-for-passphrase, debian/apache2.install: Plymouth aware |
1993 | + passphrase dialog program ask-for-passphrase. |
1994 | + - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE |
1995 | + to configure. |
1996 | + - debian/patches/086_svn_cross_compiles: Backport several cross fixes |
1997 | + from upstream |
1998 | + * Dropped changes: |
1999 | + - debian/patches/CVE-2013-1896.patch: upstream |
2000 | + * Fixed module dependencies (LP: #1205314) |
2001 | + - debian/config-dir/mods-available/lbmethod_*: properly specify |
2002 | + proxy_balancer, not mod_proxy_balancer. |
2003 | + |
2004 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Jul 2013 08:31:33 -0400 |
2005 | + |
2006 | apache2 (2.4.6-2) unstable; urgency=low |
2007 | |
2008 | [ Stefan Fritsch ] |
2009 | @@ -1420,6 +3042,56 @@ apache2 (2.4.6-1) unstable; urgency=low |
2010 | |
2011 | -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +0200 |
2012 | |
2013 | +apache2 (2.4.4-6ubuntu5) saucy; urgency=low |
2014 | + |
2015 | + * SECURITY UPDATE: denial of service via MERGE request |
2016 | + - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI |
2017 | + in modules/dav/main/mod_dav.c. |
2018 | + - CVE-2013-1896 |
2019 | + |
2020 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Jul 2013 11:20:47 -0400 |
2021 | + |
2022 | +apache2 (2.4.4-6ubuntu4) saucy; urgency=low |
2023 | + |
2024 | + * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to |
2025 | + apache2-bin. apache2-utils is only suggested by apache2, so may not |
2026 | + always be installed by bug reporters. However, apache2-bin will always |
2027 | + need to be installed for Apache to be functional, so this is a better |
2028 | + place for the apport hook. apache2-bin already Conflicts/Replaces |
2029 | + apache2.2-common, so this also fixes (LP: #1199318). |
2030 | + * d/apache2.py: adjust apport hook for new location of configuration |
2031 | + files in apache2 >= 2.4: they have moved from apache2.2-common to |
2032 | + apache2. |
2033 | + |
2034 | + -- Robie Basak <robie.basak@ubuntu.com> Wed, 17 Jul 2013 17:54:22 +0000 |
2035 | + |
2036 | +apache2 (2.4.4-6ubuntu3) saucy; urgency=low |
2037 | + |
2038 | + * Build using lua5.2. |
2039 | + |
2040 | + -- Matthias Klose <doko@ubuntu.com> Wed, 17 Jul 2013 14:24:42 +0200 |
2041 | + |
2042 | +apache2 (2.4.4-6ubuntu2) saucy; urgency=low |
2043 | + |
2044 | + * debian/rules: Fix FTBFS while installing ufw. |
2045 | + |
2046 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 10:10:14 -0500 |
2047 | + |
2048 | +apache2 (2.4.4-6ubuntu1) saucy; urgency=low |
2049 | + |
2050 | + * Merge from Debian unstable. Remaining changes: |
2051 | + - debian/{control, rules}: Enable PIE hardening. |
2052 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2053 | + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. |
2054 | + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: |
2055 | + Plymouth aware passphrase dialog program ask-for-passphrase. |
2056 | + * Dropped changes: |
2057 | + - debian/patches/CVE-2012-2687.patch: Dropped no longer needed. |
2058 | + - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed. |
2059 | + - debian/patches/CVE-2012-4929.patch: Dropped no longer needed. |
2060 | + |
2061 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 08:34:01 -0500 |
2062 | + |
2063 | apache2 (2.4.4-6) unstable; urgency=low |
2064 | |
2065 | * Denote exact versions breaking gnome-user-share now that Gnome maintainers |
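Review bot: The "Dropped changes" list in 2.4.4-6ubuntu1 does not account for all of the delta carried by the previous Ubuntu series. It names CVE-2012-2687.patch, CVE-2012-3499_4558.patch and CVE-2012-4929.patch, but says nothing about the CVE-2013-1048 change to debian/apache2ctl (the mkdir_chown() function from 2.2.22-6ubuntu5) or the cross-building changes from 2.2.22-6ubuntu4, which then reappear under "Remaining changes" in 2.4.6-2ubuntu1. The published entry should stay verbatim, but please confirm as part of the delta review that the apache2ctl symlink fix is present in the tree being merged, and record that in the merge description.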
2066 | @@ -1891,6 +3563,122 @@ apache2 (2.4.1-1) experimental; urgency=low |
2067 | |
2068 | -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +0100 |
2069 | |
2070 | +apache2 (2.2.22-6ubuntu5) raring; urgency=low |
2071 | + |
2072 | + * SECURITY UPDATE: multiple cross-site scripting issues |
2073 | + - debian/patches/CVE-2012-3499_4558.patch: properly escape html in |
2074 | + modules/generators/{mod_info.c,mod_status.c}, |
2075 | + modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c, |
2076 | + modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}. |
2077 | + - CVE-2012-3499 |
2078 | + - CVE-2012-4558 |
2079 | + * SECURITY UPDATE: symlink attack in apache2ctl script |
2080 | + - debian/apache2ctl: introduce and use a safer mkdir_chown() function. |
2081 | + - Thanks to Stefan Fritsch for the fix. |
2082 | + - CVE-2013-1048 |
2083 | + |
2084 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 15 Mar 2013 07:59:58 -0400 |
2085 | + |
2086 | +apache2 (2.2.22-6ubuntu4) raring; urgency=low |
2087 | + |
2088 | + * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure. |
2089 | + * Skip module sanity check between MPMs if cross-building without the |
2090 | + kernel/binfmt support to run our target binaries on the build system. |
2091 | + * Backport several cross fixes from upstream as 086_svn_cross_compiles. |
2092 | + |
2093 | + -- Adam Conrad <adconrad@ubuntu.com> Wed, 05 Dec 2012 02:21:46 -0700 |
2094 | + |
2095 | +apache2 (2.2.22-6ubuntu3) raring; urgency=low |
2096 | + |
2097 | + * SECURITY UPDATE: XSS vulnerability in mod_negotiation |
2098 | + - debian/patches/CVE-2012-2687.patch: escape filenames in |
2099 | + modules/mappers/mod_negotiation.c. |
2100 | + - CVE-2012-2687 |
2101 | + * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854) |
2102 | + - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off |
2103 | + directive. Defaults to off as enabling compression enables the CRIME |
2104 | + attack. |
2105 | + - CVE-2012-4929 |
2106 | + |
2107 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 08 Nov 2012 17:56:24 -0500 |
2108 | + |
2109 | +apache2 (2.2.22-6ubuntu2) quantal; urgency=low |
2110 | + |
2111 | + * debian/apache2.py |
2112 | + - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171) |
2113 | + - Check if this directory exists: /etc/apache2/sites-enabled/ |
2114 | + |
2115 | + -- Matthieu Baerts (matttbe) <matttbe@gmail.com> Mon, 16 Jul 2012 10:02:18 +0200 |
2116 | + |
2117 | +apache2 (2.2.22-6ubuntu1) quantal; urgency=low |
2118 | + |
2119 | + * Merge from Debian unstable. Remaining changes: |
2120 | + - debian/{control, rules}: Enable PIE hardening. |
2121 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2122 | + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. |
2123 | + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: |
2124 | + Plymouth aware passphrase dialog program ask-for-passphrase. |
2125 | + * Dropped changes: |
2126 | + - debian/control: Add bzr tag and point it to our tree; this is not |
2127 | + really required and just increases the delta. |
2128 | + |
2129 | + -- Robie Basak <robie.basak@ubuntu.com> Fri, 08 Jun 2012 11:37:31 +0100 |
2130 | + |
2131 | +apache2 (2.2.22-6) unstable; urgency=low |
2132 | + |
2133 | + [ Stefan Fritsch ] |
2134 | + * Fix regression causing apache2 to cache "206 partial content" responses, |
2135 | + and then serving these partial responses when replying to normal requests. |
2136 | + Closes: #671204 |
2137 | + * Add section to security.conf that shows how to forbid access to VCS |
2138 | + directories. Closes: #548213 |
2139 | + * Update ssl default cipher config, add alternative speed optimized config. |
2140 | + Closes: #649020 |
2141 | + * Add "AddCharset" for .brf files in default mod_mime config. |
2142 | + Closes: #402567 |
2143 | + * Don't create httpd.conf anymore and don't include it in apache2.conf. If |
2144 | + it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf |
2145 | + * Port some of the comments in apache2.conf from the 2.4 package. |
2146 | + * Compile mod_version statically, drop associated module load file. |
2147 | + * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the |
2148 | + configtest. |
2149 | + * Note in README.Debian that future versions of the package will have the |
2150 | + include statements changed to include only *.conf. |
2151 | + * Change compiled-in document root to /var/www, to avoid strange error |
2152 | + messages. |
2153 | + * Use "dh --with autotools_dev" instead of patching config.sub/config.guess. |
2154 | + |
2155 | + [ Arno Töll ] |
2156 | + * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible |
2157 | + to override LDFLAGS at compile time by defining LDLAGS in the environment, |
2158 | + just like it is possible for CFLAGS. This also means, config_vars.mk now |
2159 | + exports hardening build flags by default. |
2160 | + * Update doc-base metadata for the apache2-doc package. |
2161 | + |
2162 | + -- Stefan Fritsch <sf@debian.org> Tue, 29 May 2012 22:05:48 +0200 |
2163 | + |
2164 | +apache2 (2.2.22-5) unstable; urgency=low |
2165 | + |
2166 | + * Make LoadFile and LoadModule look in the standard search paths if the |
2167 | + dso file name is given as a pure filename. This helps with the multi-arch |
2168 | + transition. |
2169 | + |
2170 | + -- Stefan Fritsch <sf@debian.org> Mon, 30 Apr 2012 23:38:33 +0200 |
2171 | + |
2172 | +apache2 (2.2.22-4) unstable; urgency=high |
2173 | + |
2174 | + * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual |
2175 | + hosts' config files. |
2176 | + If scripting modules like mod_php or mod_rivet are enabled on systems |
2177 | + where either 1) some frontend server forwards connections to an apache2 |
2178 | + backend server on the localhost address, or 2) the machine running |
2179 | + apache2 is also used for web browsing, this could allow a remote |
2180 | + attacker to execute example scripts stored under /usr/share/doc. |
2181 | + Depending on the installed packages, this could lead to issues like cross |
2182 | + site scripting, code execution, or leakage of sensitive data. |
2183 | + |
2184 | + -- Stefan Fritsch <sf@debian.org> Sun, 15 Apr 2012 23:41:43 +0200 |
2185 | + |
2186 | apache2 (2.2.22-3) unstable; urgency=low |
2187 | |
2188 | * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch': |
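Review bot: The entries for 2.2.22-4, 2.2.22-5 and 2.2.22-6 are Debian unstable uploads signed by Stefan Fritsch, yet they appear here as added lines relative to debian/sid, between the 2.4.1-1 and 2.2.22-3 context entries. That is fine if sid's changelog never contained them, but please confirm they are carried verbatim from the previous Ubuntu changelog rather than introduced by this merge, because 2.2.22-4 is the only record in this file of the CVE-2012-0216 fix (removal of "Alias /doc /usr/share/doc" from the default virtual hosts).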
2189 | @@ -1911,6 +3699,18 @@ apache2 (2.2.22-2) unstable; urgency=low |
2190 | |
2191 | -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +0100 |
2192 | |
2193 | +apache2 (2.2.22-1ubuntu1) precise; urgency=low |
2194 | + |
2195 | + * Merge from Debian testing. Remaining changes: |
2196 | + - debian/{control, rules}: Enable PIE hardening. |
2197 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2198 | + - debian/control: Add bzr tag and point it to our tree |
2199 | + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. |
2200 | + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: |
2201 | + Plymouth aware passphrase dialog program ask-for-passphrase. |
2202 | + |
2203 | + -- Chuck Short <zulcss@ubuntu.com> Sun, 12 Feb 2012 20:06:35 -0500 |
2204 | + |
2205 | apache2 (2.2.22-1) unstable; urgency=low |
2206 | |
2207 | [ Stefan Fritsch ] |
2208 | @@ -1928,6 +3728,18 @@ apache2 (2.2.22-1) unstable; urgency=low |
2209 | |
2210 | -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +0100 |
2211 | |
2212 | +apache2 (2.2.21-5ubuntu1) precise; urgency=low |
2213 | + |
2214 | + * Merge from Debian testing. Remaining changes: |
2215 | + - debian/{control, rules}: Enable PIE hardening. |
2216 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2217 | + - debian/control: Add bzr tag and point it to our tree |
2218 | + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. |
2219 | + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: |
2220 | + Plymouth aware passphrase dialog program ask-for-passphrase. |
2221 | + |
2222 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 09 Jan 2012 06:26:31 +0000 |
2223 | + |
2224 | apache2 (2.2.21-5) unstable; urgency=low |
2225 | |
2226 | [ Arno Töll ] |
2227 | @@ -1981,6 +3793,26 @@ apache2 (2.2.21-4) unstable; urgency=low |
2228 | |
2229 | -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +0100 |
2230 | |
2231 | +apache2 (2.2.21-3ubuntu2) precise; urgency=low |
2232 | + |
2233 | + * d/ask-for-passphrase: Flip the logic of this script so that it checks |
2234 | + first to see if apache is being started from a TTY, and then if not, |
2235 | + tries plymouth. (LP: #887410) |
2236 | + |
2237 | + -- Clint Byrum <clint@ubuntu.com> Tue, 06 Dec 2011 16:49:33 -0800 |
2238 | + |
2239 | +apache2 (2.2.21-3ubuntu1) precise; urgency=low |
2240 | + |
2241 | + * Merge from Debian testing. Remaining changes: |
2242 | + - debian/{control, rules}: Enable PIE hardening. |
2243 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2244 | + - debian/control: Add bzr tag and point it to our tree |
2245 | + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. |
2246 | + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: |
2247 | + Plymouth aware passphrase dialog program ask-for-passphrase. |
2248 | + |
2249 | + -- Chuck Short <zulcss@ubuntu.com> Fri, 09 Dec 2011 05:20:43 +0000 |
2250 | + |
2251 | apache2 (2.2.21-3) unstable; urgency=medium |
2252 | |
2253 | * Fix CVE-2011-4317: Prevent unintended pattern expansion in some |
2254 | @@ -1995,6 +3827,24 @@ apache2 (2.2.21-3) unstable; urgency=medium |
2255 | |
2256 | -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +0100 |
2257 | |
2258 | +apache2 (2.2.21-2ubuntu2) precise; urgency=low |
2259 | + |
2260 | + * No-change rebuild to drop spurious libsfgcc1 dependency on armhf. |
2261 | + |
2262 | + -- Adam Conrad <adconrad@ubuntu.com> Fri, 02 Dec 2011 17:36:28 -0700 |
2263 | + |
2264 | +apache2 (2.2.21-2ubuntu1) precise; urgency=low |
2265 | + |
2266 | + * Merge from debian unstable. Remaining changes: |
2267 | + - debian/{control, rules}: Enable PIE hardening. |
2268 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2269 | + - debian/control: Add bzr tag and point it to our tree |
2270 | + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. |
2271 | + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: |
2272 | + Plymouth aware passphrase dialog program ask-for-passphrase. |
2273 | + |
2274 | + -- Chuck Short <zulcss@ubuntu.com> Fri, 14 Oct 2011 16:01:29 +0000 |
2275 | + |
2276 | apache2 (2.2.21-2) unstable; urgency=high |
2277 | |
2278 | * Fix CVE-2011-3368: Prevent unintended pattern expansion in some |
2279 | @@ -2012,6 +3862,19 @@ apache2 (2.2.21-1) unstable; urgency=low |
2280 | |
2281 | -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +0200 |
2282 | |
2283 | +apache2 (2.2.20-1ubuntu1) oneiric; urgency=low |
2284 | + |
2285 | + * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991). |
2286 | + Remaining changes: |
2287 | + - debian/{control, rules}: Enable PIE hardening. |
2288 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2289 | + - debian/control: Add bzr tag and point it to our tree |
2290 | + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. |
2291 | + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: |
2292 | + Plymouth aware passphrase dialog program ask-for-passphrase. |
2293 | + |
2294 | + -- Steve Beattie <sbeattie@ubuntu.com> Tue, 06 Sep 2011 01:17:15 -0700 |
2295 | + |
2296 | apache2 (2.2.20-1) unstable; urgency=low |
2297 | |
2298 | * New upstream release. |
2299 | @@ -2034,6 +3897,18 @@ apache2 (2.2.19-2) unstable; urgency=high |
2300 | |
2301 | -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +0200 |
2302 | |
2303 | +apache2 (2.2.19-1ubuntu1) oneiric; urgency=low |
2304 | + |
2305 | + * Merge from debian unstable (LP: #787013). Remaining changes: |
2306 | + - debian/{control, rules}: Enable PIE hardening. |
2307 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2308 | + - debian/control: Add bzr tag and point it to our tree |
2309 | + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. |
2310 | + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: |
2311 | + Plymouth aware passphrase dialog program ask-for-passphrase. |
2312 | + |
2313 | + -- Andres Rodriguez <andreserl@ubuntu.com> Mon, 23 May 2011 10:16:09 -0400 |
2314 | + |
2315 | apache2 (2.2.19-1) unstable; urgency=low |
2316 | |
2317 | * New upstream release. |
2318 | @@ -2051,6 +3926,18 @@ apache2 (2.2.19-1) unstable; urgency=low |
2319 | |
2320 | -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +0200 |
2321 | |
2322 | +apache2 (2.2.17-3ubuntu1) oneiric; urgency=low |
2323 | + |
2324 | + * Merge from debian unstable. Remaining changes: |
2325 | + - debian/{control, rules}: Enable PIE hardening. |
2326 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2327 | + - debian/control: Add bzr tag and point it to our tree |
2328 | + - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook. |
2329 | + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: |
2330 | + Plymouth aware passphrase dialog program ask-for-passphrase. |
2331 | + |
2332 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 11 Apr 2011 02:13:30 +0100 |
2333 | + |
2334 | apache2 (2.2.17-3) unstable; urgency=low |
2335 | |
2336 | * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049 |
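Review bot: The apport hook line in 2.2.17-3ubuntu1 misspells both paths ("debain/apache2.py, debian/apache2.2-common.isntall"), and the same spelling recurs in the 2.2.17-1ubuntu1 and 2.2.16-6ubuntu1 entries. If this matches the changelog as originally uploaded, leave it untouched, but please confirm that against the previous Ubuntu version so the merge is known not to have altered historical entries. Anyone searching the changelog for debian/apache2.py to trace the apport hook delta will miss these three entries.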
2337 | @@ -2077,6 +3964,18 @@ apache2 (2.2.17-2) unstable; urgency=high |
2338 | |
2339 | -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +0100 |
2340 | |
2341 | +apache2 (2.2.17-1ubuntu1) natty; urgency=low |
2342 | + |
2343 | + * Merge from debian unstable, remaining changes: |
2344 | + - debian/{control, rules}: Enable PIE hardening. |
2345 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2346 | + - debian/control: Add bzr tag and point it to our tree |
2347 | + - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook. |
2348 | + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: |
2349 | + Plymouth aware passphrase dialog program ask-for-passphrase. |
2350 | + |
2351 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Feb 2011 13:02:08 -0500 |
2352 | + |
2353 | apache2 (2.2.17-1) unstable; urgency=low |
2354 | |
2355 | * New upstream version |
2356 | @@ -2085,6 +3984,32 @@ apache2 (2.2.17-1) unstable; urgency=low |
2357 | |
2358 | -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +0100 |
2359 | |
2360 | +apache2 (2.2.16-6ubuntu3) natty; urgency=low |
2361 | + |
2362 | + * debian/rules: Don't use "-fno-strict-aliasing" since it causes |
2363 | + apache FTBFS on amd64. (LP: #711293) |
2364 | + |
2365 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 01 Feb 2011 10:19:55 -0500 |
2366 | + |
2367 | +apache2 (2.2.16-6ubuntu2) natty; urgency=low |
2368 | + |
2369 | + * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug. |
2370 | + (LP: #697105) |
2371 | + |
2372 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 25 Jan 2011 11:14:58 -0500 |
2373 | + |
2374 | +apache2 (2.2.16-6ubuntu1) natty; urgency=low |
2375 | + |
2376 | + * Merge from debian unstable. Remaining changes: |
2377 | + - debian/{control, rules}: Enable PIE hardening. |
2378 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2379 | + - debian/control: Add bzr tag and point it to our tree |
2380 | + - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook. |
2381 | + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: |
2382 | + Plymouth aware passphrase dialog program ask-for-passphrase. |
2383 | + |
2384 | + -- Chuck Short <zulcss@ubuntu.com> Sun, 02 Jan 2011 06:05:51 +0000 |
2385 | + |
2386 | apache2 (2.2.16-6) unstable; urgency=low |
2387 | |
2388 | * Also add $named to the secondary-init-script example. |
2389 | @@ -2100,6 +4025,30 @@ apache2 (2.2.16-5) unstable; urgency=medium |
2390 | |
2391 | -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +0100 |
2392 | |
2393 | +apache2 (2.2.16-4ubuntu2) natty; urgency=low |
2394 | + |
2395 | + [Clint Byrum] |
2396 | + * Adding plymouth aware passphrase dialog program ask-for-passphrase. |
2397 | + (LP: #582963) |
2398 | + + debian/control: apache2.2-common depends on bash for ask-for-passphrase |
2399 | + + debian/config-dir/mods-available/ssl.conf: |
2400 | + - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase |
2401 | + |
2402 | + [Chuck Short] |
2403 | + * Add apport hook. (LP: #609177) |
2404 | + + debian/apache2.py, debian/apache2.2-common.install |
2405 | + |
2406 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:43 -0500 |
2407 | + |
2408 | +apache2 (2.2.16-4ubuntu1) natty; urgency=low |
2409 | + |
2410 | + * Merge from debian unstable. Remaining changes: |
2411 | + - debian/{control, rules}: Enable PIE hardening. |
2412 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2413 | + - debian/control: Add bzr tag and point it to our tree |
2414 | + |
2415 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:41 -0500 |
2416 | + |
2417 | apache2 (2.2.16-4) unstable; urgency=medium |
2418 | |
2419 | * Increase the mod_reqtimeout default timeouts to avoid potential problems |
2420 | @@ -2110,6 +4059,15 @@ apache2 (2.2.16-4) unstable; urgency=medium |
2421 | |
2422 | -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +0100 |
2423 | |
2424 | +apache2 (2.2.16-3ubuntu1) natty; urgency=low |
2425 | + |
2426 | + * Merge from debian unstable. Remaining changes: |
2427 | + - debian/{control, rules}: Enable PIE hardening. |
2428 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2429 | + - debian/control: Add bzr tag and point it to our tree. |
2430 | + |
2431 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 12 Oct 2010 11:54:48 +0100 |
2432 | + |
2433 | apache2 (2.2.16-3) unstable; urgency=high |
2434 | |
2435 | * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage. |
2436 | @@ -2132,6 +4090,30 @@ apache2 (2.2.16-2) unstable; urgency=low |
2437 | |
2438 | -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +0200 |
2439 | |
2440 | +apache2 (2.2.16-1ubuntu3) maverick; urgency=low |
2441 | + |
2442 | + * Revert "stty sane" to unbreak apache starting, this will have to be |
2443 | + fixed a different way. (LP: #626723) |
2444 | + |
2445 | + -- Chuck Short <zulcss@ubuntu.com> Wed, 08 Sep 2010 08:33:17 -0400 |
2446 | + |
2447 | +apache2 (2.2.16-1ubuntu2) maverick; urgency=low |
2448 | + |
2449 | + * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a |
2450 | + password prompt when using apache-ssl. (LP: #582963) |
2451 | + |
2452 | + -- Chuck Short <zulcss@ubuntu.com> Wed, 25 Aug 2010 09:25:05 -0400 |
2453 | + |
2454 | +apache2 (2.2.16-1ubuntu1) maverick; urgency=low |
2455 | + |
2456 | + * Merge from debian unstable. Remaining changes: |
2457 | + - debian/{control, rules}: Enable PIE hardening. |
2458 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2459 | + - debian/control: Add bzr tag and point it to our tree. |
2460 | + - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381) |
2461 | + |
2462 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 26 Jul 2010 20:21:37 +0100 |
2463 | + |
2464 | apache2 (2.2.16-1) unstable; urgency=medium |
2465 | |
2466 | * Urgency medium for security fix. |
2467 | @@ -2164,6 +4146,24 @@ apache2 (2.2.15-6) unstable; urgency=low |
2468 | |
2469 | -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +0200 |
2470 | |
2471 | +apache2 (2.2.15-5ubuntu1) maverick; urgency=low |
2472 | + |
2473 | + * Merge from debian unstable. Remaining changes: |
2474 | + - debian/{control, rules}: Enable PIE hardening. |
2475 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2476 | + - debian/control: Add bzr tag and point it to our tree. |
2477 | + - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381) |
2478 | + + Dropped: |
2479 | + - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed. |
2480 | + - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed. |
2481 | + - debian/config-dir/apache2.conf: Merged back from debian. |
2482 | + - mod-reqtimeout functionality: Merge back from debian. |
2483 | + - debian/patches/204_CVE-2010-0408.dpatch: No longer needed. |
2484 | + - debian/patches/205_CVE-2010-0434.dpatch: No longer needed. |
2485 | + - debian/patches/203_fix-ab-segfault.dpatch: No longer needed. |
2486 | + |
2487 | + -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 01:28:04 +0100 |
2488 | + |
2489 | apache2 (2.2.15-5) unstable; urgency=low |
2490 | |
2491 | * Conflict with apache package as we now include apachectl. Closes: #579065 |
2492 | @@ -2284,6 +4284,80 @@ apache2 (2.2.14-6) unstable; urgency=low |
2493 | |
2494 | -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +0100 |
2495 | |
2496 | +apache2 (2.2.14-5ubuntu8) lucid; urgency=low |
2497 | + |
2498 | + * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so |
2499 | + (LP: #562370) |
2500 | + |
2501 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 13 Apr 2010 15:09:57 -0400 |
2502 | + |
2503 | +apache2 (2.2.14-5ubuntu7) lucid; urgency=low |
2504 | + |
2505 | + * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory |
2506 | + leaks by making sure to not destroy bucket brigades that have been created |
2507 | + by earlier filters. Backported from 2.2.15. |
2508 | + * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server |
2509 | + has reached MaxClients until it has. Backported from 2.2.15 |
2510 | + * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf |
2511 | + more secure by adding Satisfy all. (Debian bug: #572075) |
2512 | + * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch, |
2513 | + debian/config2-dir/mods-available/reqtimeout.load, |
2514 | + debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the |
2515 | + mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris |
2516 | + bug in apache. Enable it by default. (LP: #392759) |
2517 | + |
2518 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 05 Apr 2010 09:53:35 -0400 |
2519 | + |
2520 | +apache2 (2.2.14-5ubuntu6) lucid; urgency=low |
2521 | + |
2522 | + * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681) |
2523 | + |
2524 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 09:41:11 -0400 |
2525 | + |
2526 | +apache2 (2.2.14-5ubuntu5) lucid; urgency=low |
2527 | + |
2528 | + * Revert 99-fix-mod-dav-permissions.dpatch |
2529 | + |
2530 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 07:55:46 -0400 |
2531 | + |
2532 | +apache2 (2.2.14-5ubuntu4) lucid; urgency=low |
2533 | + |
2534 | + * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when |
2535 | + downloading files from webdav (LP: #540747) |
2536 | + * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381) |
2537 | + |
2538 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 29 Mar 2010 13:37:39 -0400 |
2539 | + |
2540 | +apache2 (2.2.14-5ubuntu3) lucid; urgency=low |
2541 | + |
2542 | + * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp |
2543 | + - debian/patches/204_CVE-2010-0408.dpatch: return the right error code |
2544 | + in modules/proxy/mod_proxy_ajp.c. |
2545 | + - CVE-2010-0408 |
2546 | + * SECURITY UPDATE: information disclosure via improper handling of |
2547 | + headers in subrequests |
2548 | + - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in |
2549 | + in server/protocol.c. |
2550 | + - CVE-2010-0434 |
2551 | + |
2552 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Mar 2010 14:48:48 -0500 |
2553 | + |
2554 | +apache2 (2.2.14-5ubuntu2) lucid; urgency=low |
2555 | + |
2556 | + * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really |
2557 | + wacky options. (LP: #450501) |
2558 | + |
2559 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 08 Mar 2010 14:53:17 -0500 |
2560 | + |
2561 | +apache2 (2.2.14-5ubuntu1) lucid; urgency=low |
2562 | + |
2563 | + * Merge from debian testing. Remaining changes: LP: #506862 |
2564 | + - debian/{control, rules}: Enable PIE hardening. |
2565 | + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. |
2566 | + - debian/control: Add bzr tag and point it to our tree. |
2567 | + |
2568 | + -- Bhavani Shankar <right2bhavi@gmail.com> Wed, 13 Jan 2010 14:28:41 +0530 |
2569 | + |
2570 | apache2 (2.2.14-5) unstable; urgency=low |
2571 | |
2572 | * Security: Further mitigation for the TLS renegotation attack |
2573 | @@ -2307,6 +4381,15 @@ apache2 (2.2.14-5) unstable; urgency=low |
2574 | |
2575 | -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +0100 |
2576 | |
2577 | +apache2 (2.2.14-4ubuntu1) lucid; urgency=low |
2578 | + |
2579 | + * Resynchronzie with Debian, remaining changes are: |
2580 | + - debian/{control, rules}: Enable PIE hardening. |
2581 | + - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles. |
2582 | + - debian/control: Add bzr tag and point it to our tree. |
2583 | + |
2584 | + -- Chuck Short <zulcss@ubuntu.com> Wed, 23 Dec 2009 14:44:51 -0500 |
2585 | + |
2586 | apache2 (2.2.14-4) unstable; urgency=low |
2587 | |
2588 | * Disable localized error pages again by default because they break |
2589 | @@ -2357,6 +4440,17 @@ apache2 (2.2.14-2) unstable; urgency=medium |
2590 | |
2591 | -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +0100 |
2592 | |
2593 | +apache2 (2.2.14-1ubuntu1) lucid; urgency=low |
2594 | + |
2595 | + * Merge from debian testing, remaining changes: |
2596 | + - debian/{control, rules}: Enable PIE hardening. |
2597 | + - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles. |
2598 | + - debian/conrol: Add bzr tag and point it to our tree. |
2599 | + - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch: |
2600 | + Already applied upstream. |
2601 | + |
2602 | + -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 00:29:03 +0000 |
2603 | + |
2604 | apache2 (2.2.14-1) unstable; urgency=low |
2605 | |
2606 | * New upstream version: |
2607 | @@ -2391,6 +4485,24 @@ apache2 (2.2.13-1) unstable; urgency=low |
2608 | |
2609 | -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +0200 |
2610 | |
2611 | +apache2 (2.2.12-1ubuntu2) karmic; urgency=low |
2612 | + |
2613 | + * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch: |
2614 | + - Fix potential segfaults with the use of the legacy ap_rputs() etc |
2615 | + interfaces, in cases where an output filter fails. This happens |
2616 | + frequently after CVE-2009-1891 got fixed. (LP: #409987) |
2617 | + |
2618 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 17 Aug 2009 15:38:47 -0400 |
2619 | + |
2620 | +apache2 (2.2.12-1ubuntu1) karmic; urgency=low |
2621 | + |
2622 | + * Merge from debian unstable, remaining changes: |
2623 | + - debian/{control,rules}: enable PIE hardening. |
2624 | + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. |
2625 | + - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch. |
2626 | + |
2627 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 04 Aug 2009 20:04:24 +0100 |
2628 | + |
2629 | apache2 (2.2.12-1) unstable; urgency=low |
2630 | |
2631 | * New upstream release: |
2632 | @@ -2438,6 +4550,16 @@ apache2 (2.2.12-1) unstable; urgency=low |
2633 | |
2634 | -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +0200 |
2635 | |
2636 | +apache2 (2.2.11-7ubuntu1) karmic; urgency=low |
2637 | + |
2638 | + * Merge from debian unstable, remaining changes: LP: #398130 |
2639 | + - debian/patches/203_fix-ssl-timeftm-ignored.dpatch: |
2640 | + Fix timefmt is ignored when XBitHack is on. (LP: #258914) |
2641 | + - debian/{control,rules}: enable PIE hardening. |
2642 | + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. |
2643 | + |
2644 | + -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 11 Jul 2009 16:34:32 +0530 |
2645 | + |
2646 | apache2 (2.2.11-7) unstable; urgency=low |
2647 | |
2648 | * Security fixes: |
2649 | @@ -2452,6 +4574,16 @@ apache2 (2.2.11-7) unstable; urgency=low |
2650 | |
2651 | -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +0200 |
2652 | |
2653 | +apache2 (2.2.11-6ubuntu1) karmic; urgency=low |
2654 | + |
2655 | + * Merge from debian unstable, remaining changes: |
2656 | + - debian/patches/203_fix-ssl-timeftm-ignored.dpatch: |
2657 | + Fix timefmt is ignored when XBitHack is on. (LP: #258914) |
2658 | + - debian/{control,rules}: enable PIE hardening. |
2659 | + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. |
2660 | + |
2661 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 09 Jun 2009 01:01:23 +0100 |
2662 | + |
2663 | apache2 (2.2.11-6) unstable; urgency=high |
2664 | |
2665 | * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server |
2666 | @@ -2460,6 +4592,16 @@ apache2 (2.2.11-6) unstable; urgency=high |
2667 | |
2668 | -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +0200 |
2669 | |
2670 | +apache2 (2.2.11-5ubuntu1) karmic; urgency=low |
2671 | + |
2672 | + * Merge from debian unstable, remaining changes: |
2673 | + - debian/patches/203_fix-ssi-timeftm-ignored.dpatch: |
2674 | + Fix timefmt is ignored when XBitHack is on. (LP: #258914) |
2675 | + - debian/{control,rules}: enable PIE hardening. |
2676 | + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. |
2677 | + |
2678 | + -- Andrew Mitchell <ajmitch@ubuntu.com> Wed, 03 Jun 2009 14:10:54 +1200 |
2679 | + |
2680 | apache2 (2.2.11-5) unstable; urgency=low |
2681 | |
2682 | * Move all binaries into a new package apache2.2-bin and make |
2683 | @@ -2508,6 +4650,16 @@ apache2 (2.2.11-4) unstable; urgency=low |
2684 | |
2685 | -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +0200 |
2686 | |
2687 | +apache2 (2.2.11-3ubuntu1) karmic; urgency=low |
2688 | + |
2689 | + * Merge from debian unstable, remaining changes: |
2690 | + - debian/patches/203_fix-ssi-timeftm-ignored.dpatch: |
2691 | + Fix timefmt is ignored when XBitHack is on. (LP: #258914) |
2692 | + - debian/{control,rules}: enable PIE hardening. |
2693 | + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. |
2694 | + |
2695 | + -- Andrew Mitchell <ajmitch@ubuntu.com> Tue, 12 May 2009 16:15:34 +1200 |
2696 | + |
2697 | apache2 (2.2.11-3) unstable; urgency=low |
2698 | |
2699 | * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap |
2700 | @@ -2516,6 +4668,21 @@ apache2 (2.2.11-3) unstable; urgency=low |
2701 | |
2702 | -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +0200 |
2703 | |
2704 | +apache2 (2.2.11-2ubuntu2) jaunty; urgency=low |
2705 | + |
2706 | + * debian/patches/203_fix-ssi-timeftm-ignored.dpatch: |
2707 | + Fix timefmt is ignored when XBitHack is on. (LP: #258914) |
2708 | + |
2709 | + -- Chuck Short <zulcss@ubuntu.com> Wed, 01 Apr 2009 11:39:17 -0400 |
2710 | + |
2711 | +apache2 (2.2.11-2ubuntu1) jaunty; urgency=low |
2712 | + |
2713 | + * Merge from debian unstable, remaining changes: |
2714 | + - debian/{contro,rules}: enable PIE hardening. |
2715 | + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. |
2716 | + |
2717 | + -- Chuck Short <zulcss@ubuntu.com> Sat, 17 Jan 2009 00:02:55 +0000 |
2718 | + |
2719 | apache2 (2.2.11-2) unstable; urgency=low |
2720 | |
2721 | * Report an error instead instead of segfaulting when apr_pollset_create |
2722 | @@ -2525,6 +4692,14 @@ apache2 (2.2.11-2) unstable; urgency=low |
2723 | |
2724 | -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +0100 |
2725 | |
2726 | +apache2 (2.2.11-1ubuntu1) jaunty; urgency=low |
2727 | + |
2728 | + * Merge from debian unstable, remaining changes: |
2729 | + - debian/{control, rules}: enable PIE hardening. |
2730 | + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. |
2731 | + |
2732 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 15 Dec 2008 00:06:50 +0000 |
2733 | + |
2734 | apache2 (2.2.11-1) unstable; urgency=low |
2735 | |
2736 | [Thom May] |
2737 | @@ -2539,6 +4714,14 @@ apache2 (2.2.11-1) unstable; urgency=low |
2738 | |
2739 | -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +0100 |
2740 | |
2741 | +apache2 (2.2.9-11ubuntu1) jaunty; urgency=low |
2742 | + |
2743 | + * Merge from debian unstable, remaining changes: (LP: #303375) |
2744 | + - debian/{control, rules}: enable PIE hardening. |
2745 | + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. |
2746 | + |
2747 | + -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 29 Nov 2008 14:02:31 +0530 |
2748 | + |
2749 | apache2 (2.2.9-11) unstable; urgency=low |
2750 | |
2751 | * Regression fix from upstream svn for mod_proxy: |
2752 | @@ -2553,6 +4736,14 @@ apache2 (2.2.9-11) unstable; urgency=low |
2753 | |
2754 | -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +0100 |
2755 | |
2756 | +apache2 (2.2.9-10ubuntu1) jaunty; urgency=low |
2757 | + |
2758 | + * Merge from debian unstable, remaining changes: |
2759 | + - debian/{control, rules}: enable PIE hardening. |
2760 | + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. |
2761 | + |
2762 | + -- Chuck Short <zulcss@ubuntu.com> Wed, 05 Nov 2008 02:23:18 -0400 |
2763 | + |
2764 | apache2 (2.2.9-10) unstable; urgency=low |
2765 | |
2766 | * Regression fix from upstream svn for mod_proxy_http: |
2767 | @@ -2583,6 +4774,27 @@ apache2 (2.2.9-8) unstable; urgency=low |
2768 | |
2769 | -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +0200 |
2770 | |
2771 | +apache2 (2.2.9-7ubuntu3) intrepid; urgency=low |
2772 | + |
2773 | + * Revert logrotate change since it will break it for everyone. |
2774 | + |
2775 | + -- Chuck Short <zulcss@ubuntu.com> Fri, 19 Sep 2008 09:32:01 -0400 |
2776 | + |
2777 | +apache2 (2.2.9-7ubuntu2) intrepid; urgency=low |
2778 | + |
2779 | + * debian/logrotate: Restart rather than reload for busy websites. |
2780 | + (LP: #270899) |
2781 | + |
2782 | + -- Chuck Short <zulcss@ubuntu.com> Thu, 18 Sep 2008 08:42:22 -0400 |
2783 | + |
2784 | +apache2 (2.2.9-7ubuntu1) intrepid; urgency=low |
2785 | + |
2786 | + * Merge from debian unstable, remaining changes: |
2787 | + - debian/{control,rules}: enable PIE hardening. |
2788 | + - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles. |
2789 | + |
2790 | + -- Kees Cook <kees@ubuntu.com> Thu, 28 Aug 2008 08:10:59 -0700 |
2791 | + |
2792 | apache2 (2.2.9-7) unstable; urgency=low |
2793 | |
2794 | * Fix XSS in mod_proxy_ftp (CVE-2008-2939). |
2795 | @@ -2625,6 +4837,23 @@ apache2 (2.2.9-4) unstable; urgency=low |
2796 | |
2797 | -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +0200 |
2798 | |
2799 | +apache2 (2.2.9-3ubuntu2) intrepid; urgency=low |
2800 | + |
2801 | + * add ufw integration (see |
2802 | + https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages) |
2803 | + (LP: #261198) |
2804 | + - debian/control: suggest ufw for apache2.2-common |
2805 | + - add apache2.2-common.ufw.profile with 3 profiles and install it to |
2806 | + /etc/ufw/applications.d/apache2.2-common |
2807 | + |
2808 | + -- Didier Roche <didrocks@ubuntu-fr.org> Tue, 26 Aug 2008 19:03:42 +0200 |
2809 | + |
2810 | +apache2 (2.2.9-3ubuntu1) intrepid; urgency=low |
2811 | + |
2812 | + * debian/{control,rules}: enable PIE hardening |
2813 | + |
2814 | + -- Kees Cook <kees@ubuntu.com> Wed, 20 Aug 2008 15:45:00 -0700 |
2815 | + |
2816 | apache2 (2.2.9-3) unstable; urgency=low |
2817 | |
2818 | [ Stefan Fritsch ] |
2819 | @@ -4195,9 +6424,7 @@ apache2 (2.0.37-1) unstable; urgency=low |
2820 | -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +0100 |
2821 | |
2822 | apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low |
2823 | - |
2824 | * New upstream release |
2825 | - |
2826 | -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +0100 |
2827 | |
2828 | apache2 (2.0.36-2) unstable; urgency=low |
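Review bot: the two removed blank lines around "* New upstream release" in the 2.0.37+cvs.JCW_PRE2_2037-1 entry are a whitespace-only difference from Debian's changelog in an entry that Ubuntu never authored. Restoring them keeps historical Debian entries byte-identical and removes a hunk that will otherwise reappear in every future merge diff.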
2829 | @@ -4705,3 +6932,4 @@ apache2 (2.0.18-1) unstable; urgency=low |
2830 | * Initial Release. |
2831 | |
2832 | -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +1000 |
2833 | + |
2834 | diff --git a/debian/config-dir/mods-available/setenvif.conf b/debian/config-dir/mods-available/setenvif.conf |
2835 | index 8bba04c..8b96bb9 100644 |
2836 | --- a/debian/config-dir/mods-available/setenvif.conf |
2837 | +++ b/debian/config-dir/mods-available/setenvif.conf |
2838 | @@ -24,3 +24,5 @@ BrowserMatch "^gvfs/1" redirect-carefully |
2839 | BrowserMatch "^XML Spy" redirect-carefully |
2840 | BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully |
2841 | BrowserMatch " Konqueror/4" redirect-carefully |
2842 | +BrowserMatch " Konqueror/5" redirect-carefully |
2843 | +BrowserMatch " dolphin/" redirect-carefully |
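Review bot: the two added BrowserMatch lines carry no pointer to why they are here, although the same pair is added to docs/conf/extra/httpd-dav.conf.in by debian/patches/fix-dolphin-to-delete-webdav-dirs.patch in this same diff. A one-line comment above them referencing LP: #1927742 would make it clear that the two places must be kept in sync and dropped together once upstream carries the change. Also note that " dolphin/" is an unanchored substring match, like the existing " Konqueror/4" line, so any User-Agent containing that token gets redirect-carefully.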
2844 | diff --git a/debian/control b/debian/control |
2845 | index a5d33f2..6794923 100644 |
2846 | --- a/debian/control |
2847 | +++ b/debian/control |
2848 | @@ -1,5 +1,6 @@ |
2849 | Source: apache2 |
2850 | -Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> |
2851 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
2852 | +XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> |
2853 | Uploaders: Stefan Fritsch <sf@debian.org>, |
2854 | Arno Töll <arno@debian.org>, |
2855 | Ondřej Surý <ondrej@debian.org>, |
2856 | @@ -14,7 +15,7 @@ Build-Depends: debhelper-compat (= 13), |
2857 | libapr1-dev, |
2858 | libaprutil1-dev, |
2859 | libbrotli-dev, |
2860 | - liblua5.3-dev, |
2861 | + liblua5.4-dev, |
2862 | libnghttp2-dev, |
2863 | libpcre2-dev, |
2864 | libssl-dev, |
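Review bot: the Build-Depends switch from liblua5.3-dev to liblua5.4-dev changes which Lua version the package builds against relative to Debian, and the hunk gives no hint of the reason. Please make sure the changelog delta entry for this line states why Ubuntu diverges, so the next merger can tell when it becomes droppable.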
2865 | @@ -43,7 +44,8 @@ Depends: apache2-bin (= ${binary:Version}), |
2866 | Recommends: ssl-cert |
2867 | Suggests: apache2-doc, |
2868 | apache2-suexec-pristine | apache2-suexec-custom, |
2869 | - www-browser |
2870 | + www-browser, |
2871 | + ufw |
2872 | Pre-Depends: ${misc:Pre-Depends} |
2873 | Provides: httpd, |
2874 | httpd-cgi |
2875 | diff --git a/debian/debhelper/apache2-maintscript-helper b/debian/debhelper/apache2-maintscript-helper |
2876 | index ce20fb1..f6c53f6 100644 |
2877 | --- a/debian/debhelper/apache2-maintscript-helper |
2878 | +++ b/debian/debhelper/apache2-maintscript-helper |
2879 | @@ -198,6 +198,8 @@ apache2_needs_action() |
2880 | # Probably the most important invokation. When invoked in configure we: |
2881 | # - enable the piece of configuration on fresh installs |
2882 | # - do nothing on upgrades UNLESS the configuration was removed automatically in the past |
2883 | + # postinst triggered: |
2884 | + # - use package triggers to restart apache2 |
2885 | # postrm remove|purge |
2886 | # - disable the configuration, mark it as automatically disabled in remove |
2887 | # - disable the configuration, remove any trace we have on purge |
2888 | @@ -223,6 +225,8 @@ apache2_needs_action() |
2889 | [ -z "$APACHE2_MAINTSCRIPT_ARGUMENT" ] && return 0 |
2890 | # act if someone told us |
2891 | [ -n "$APACHE2_NEED_ACTION" ] && return 0 |
2892 | + elif [ "$APACHE2_MAINTSCRIPT_METHOD" = "triggered" ] ; then |
2893 | + return 0 |
2894 | fi |
2895 | ;; |
2896 | esac |
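Review bot: the new elif branch for APACHE2_MAINTSCRIPT_METHOD = "triggered" returns 0 unconditionally, whereas the branch just above it only returns 0 after checking APACHE2_MAINTSCRIPT_ARGUMENT or APACHE2_NEED_ACTION. That means every trigger activation is treated as needing action. If that is intended, say so in a short comment next to the "return 0"; the header comment added in the previous hunk describes the trigger case but not that it bypasses these checks.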
2897 | diff --git a/debian/icons/ubuntu-logo.png b/debian/icons/ubuntu-logo.png |
2898 | new file mode 100644 |
2899 | index 0000000..eee686c |
2900 | Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ |
2901 | diff --git a/debian/index.html b/debian/index.html |
2902 | index 766401d..51c4332 100644 |
2903 | --- a/debian/index.html |
2904 | +++ b/debian/index.html |
2905 | @@ -1,9 +1,13 @@ |
2906 | - |
2907 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
2908 | <html xmlns="http://www.w3.org/1999/xhtml"> |
2909 | + <!-- |
2910 | + Modified from the Debian original for Ubuntu |
2911 | + Last updated: 2022-03-22 |
2912 | + See: https://launchpad.net/bugs/1966004 |
2913 | + --> |
2914 | <head> |
2915 | <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> |
2916 | - <title>Apache2 Debian Default Page: It works</title> |
2917 | + <title>Apache2 Ubuntu Default Page: It works</title> |
2918 | <style type="text/css" media="screen"> |
2919 | * { |
2920 | margin: 0px 0px 0px 0px; |
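Review bot: the "Last updated: 2022-03-22" line in the new HTML comment is a hand-maintained date that goes stale whenever the page is edited again, and this diff touches the page in several later hunks. Either update the date as part of this change or drop it and keep only the "See:" bug link, which does not need maintenance.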
2921 | @@ -15,7 +19,7 @@ |
2922 | |
2923 | background-color: #D8DBE2; |
2924 | |
2925 | - font-family: Verdana, sans-serif; |
2926 | + font-family: Ubuntu, Verdana, sans-serif; |
2927 | font-size: 11pt; |
2928 | text-align: center; |
2929 | } |
2930 | @@ -41,7 +45,7 @@ |
2931 | } |
2932 | |
2933 | div.page_header { |
2934 | - height: 99px; |
2935 | + height: 180px; |
2936 | width: 100%; |
2937 | |
2938 | background-color: #F5F6F7; |
2939 | @@ -60,6 +64,19 @@ |
2940 | border: 0px 0px 0px; |
2941 | } |
2942 | |
2943 | + div.banner { |
2944 | + padding: 9px 6px 9px 6px; |
2945 | + background-color: #E9510E; |
2946 | + color: #FFFFFF; |
2947 | + font-weight: bold; |
2948 | + font-size: 112%; |
2949 | + text-align: center; |
2950 | + position: absolute; |
2951 | + left: 40%; |
2952 | + bottom: 30px; |
2953 | + width: 20%; |
2954 | + } |
2955 | + |
2956 | div.table_of_contents { |
2957 | clear: left; |
2958 | |
2959 | @@ -136,10 +153,6 @@ |
2960 | text-align: center; |
2961 | } |
2962 | |
2963 | - div.section_header_red { |
2964 | - background-color: #CD214F; |
2965 | - } |
2966 | - |
2967 | div.section_header_grey { |
2968 | background-color: #9F9386; |
2969 | } |
2970 | @@ -188,46 +201,31 @@ |
2971 | <body> |
2972 | <div class="main_page"> |
2973 | <div class="page_header floating_element"> |
2974 | - <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/> |
2975 | - <span class="floating_element"> |
2976 | - Apache2 Debian Default Page |
2977 | - </span> |
2978 | - </div> |
2979 | -<!-- <div class="table_of_contents floating_element"> |
2980 | - <div class="section_header section_header_grey"> |
2981 | - TABLE OF CONTENTS |
2982 | - </div> |
2983 | - <div class="table_of_contents_item floating_element"> |
2984 | - <a href="#about">About</a> |
2985 | - </div> |
2986 | - <div class="table_of_contents_item floating_element"> |
2987 | - <a href="#changes">Changes</a> |
2988 | - </div> |
2989 | - <div class="table_of_contents_item floating_element"> |
2990 | - <a href="#scope">Scope</a> |
2991 | - </div> |
2992 | - <div class="table_of_contents_item floating_element"> |
2993 | - <a href="#files">Config files</a> |
2994 | + <img src="icons/ubuntu-logo.png" alt="Ubuntu Logo" |
2995 | + style="width:184px;height:146px;" class="floating_element" /> |
2996 | + <div> |
2997 | + <span style="margin-top: 1.5em;" class="floating_element"> |
2998 | + Apache2 Default Page |
2999 | + </span> |
3000 | </div> |
3001 | - </div> |
3002 | ---> |
3003 | - <div class="content_section floating_element"> |
3004 | - |
3005 | - |
3006 | - <div class="section_header section_header_red"> |
3007 | + <div class="banner"> |
3008 | <div id="about"></div> |
3009 | It works! |
3010 | </div> |
3011 | + |
3012 | + </div> |
3013 | + <div class="content_section floating_element"> |
3014 | <div class="content_section_text"> |
3015 | <p> |
3016 | This is the default welcome page used to test the correct |
3017 | - operation of the Apache2 server after installation on Debian systems. |
3018 | + operation of the Apache2 server after installation on Ubuntu systems. |
3019 | + It is based on the equivalent page on Debian, from which the Ubuntu Apache |
3020 | + packaging is derived. |
3021 | If you can read this page, it means that the Apache HTTP server installed at |
3022 | this site is working properly. You should <b>replace this file</b> (located at |
3023 | <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server. |
3024 | </p> |
3025 | |
3026 | - |
3027 | <p> |
3028 | If you are a normal user of this web site and don't know what this page is |
3029 | about, this probably means that the site is currently unavailable due to |
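Review bot: the new img tag uses the relative URL src="icons/ubuntu-logo.png", where the removed line used the absolute "/icons/openlogo-75.png". A relative src resolves against the page's own URL, so the logo breaks as soon as this index.html is served from anywhere other than the site root. Suggest src="/icons/ubuntu-logo.png"; the string check in debian/tests/check-ubuntu-branding still matches that form.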
3030 | @@ -242,18 +240,17 @@ |
3031 | </div> |
3032 | <div class="content_section_text"> |
3033 | <p> |
3034 | - Debian's Apache2 default configuration is different from the |
3035 | + Ubuntu's Apache2 default configuration is different from the |
3036 | upstream default configuration, and split into several files optimized for |
3037 | - interaction with Debian tools. The configuration system is |
3038 | + interaction with Ubuntu tools. The configuration system is |
3039 | <b>fully documented in |
3040 | /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full |
3041 | documentation. Documentation for the web server itself can be |
3042 | found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt> |
3043 | package was installed on this server. |
3044 | - |
3045 | </p> |
3046 | <p> |
3047 | - The configuration layout for an Apache2 web server installation on Debian systems is as follows: |
3048 | + The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows: |
3049 | </p> |
3050 | <pre> |
3051 | /etc/apache2/ |
3052 | @@ -308,9 +305,12 @@ |
3053 | </li> |
3054 | |
3055 | <li> |
3056 | - The binary is called apache2. Due to the use of |
3057 | - environment variables, in the default configuration, apache2 needs to be |
3058 | - started/stopped with <tt>/etc/init.d/apache2</tt> or <tt>apache2ctl</tt>. |
3059 | + The binary is called apache2 and is managed using systemd, so to |
3060 | + start/stop the service use <tt>systemctl start apache2</tt> and |
3061 | + <tt>systemctl stop apache2</tt>, and use <tt>systemctl status apache2</tt> |
3062 | + and <tt>journalctl -u apache2</tt> to check status. <tt>system</tt> |
3063 | + and <tt>apache2ctl</tt> can also be used for service management if |
3064 | + desired. |
3065 | <b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the |
3066 | default configuration. |
3067 | </li> |
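Review bot: in the rewritten list item, "<tt>system</tt> and <tt>apache2ctl</tt> can also be used for service management" names a command, "system", that does not match anything else in the paragraph and reads like a truncated word. Please check what was meant here (the surrounding text talks about systemctl and service management) and correct the tag content before this text ships on the default page.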
3068 | @@ -324,18 +324,17 @@ |
3069 | |
3070 | <div class="content_section_text"> |
3071 | <p> |
3072 | - By default, Debian does not allow access through the web browser to |
3073 | - <em>any</em> file apart of those located in <tt>/var/www</tt>, |
3074 | - <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a> |
3075 | + By default, Ubuntu does not allow access through the web browser to |
3076 | + <em>any</em> file outside of those located in <tt>/var/www</tt>, |
3077 | + <a href="https://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a> |
3078 | directories (when enabled) and <tt>/usr/share</tt> (for web |
3079 | applications). If your site is using a web document root |
3080 | located elsewhere (such as in <tt>/srv</tt>) you may need to whitelist your |
3081 | document root directory in <tt>/etc/apache2/apache2.conf</tt>. |
3082 | </p> |
3083 | <p> |
3084 | - The default Debian document root is <tt>/var/www/html</tt>. You |
3085 | - can make your own virtual hosts under /var/www. This is different |
3086 | - to previous releases which provides better security out of the box. |
3087 | + The default Ubuntu document root is <tt>/var/www/html</tt>. You |
3088 | + can make your own virtual hosts under /var/www. |
3089 | </p> |
3090 | </div> |
3091 | |
3092 | @@ -345,24 +344,20 @@ |
3093 | </div> |
3094 | <div class="content_section_text"> |
3095 | <p> |
3096 | - Please use the <tt>reportbug</tt> tool to report bugs in the |
3097 | - Apache2 package with Debian. However, check <a |
3098 | - href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0" |
3099 | + Please use the <tt>ubuntu-bug</tt> tool to report bugs in the |
3100 | + Apache2 package with Ubuntu. However, check <a |
3101 | + href="https://bugs.launchpad.net/ubuntu/+source/apache2" |
3102 | rel="nofollow">existing bug reports</a> before reporting a new bug. |
3103 | </p> |
3104 | <p> |
3105 | Please report bugs specific to modules (such as PHP and others) |
3106 | - to respective packages, not to the web server itself. |
3107 | + to their respective packages, not to the web server itself. |
3108 | </p> |
3109 | </div> |
3110 | |
3111 | - |
3112 | - |
3113 | - |
3114 | </div> |
3115 | </div> |
3116 | <div class="validator"> |
3117 | </div> |
3118 | </body> |
3119 | </html> |
3120 | - |
3121 | diff --git a/debian/patches/fix-dolphin-to-delete-webdav-dirs.patch b/debian/patches/fix-dolphin-to-delete-webdav-dirs.patch |
3122 | new file mode 100644 |
3123 | index 0000000..1fac833 |
3124 | --- /dev/null |
3125 | +++ b/debian/patches/fix-dolphin-to-delete-webdav-dirs.patch |
3126 | @@ -0,0 +1,16 @@ |
3127 | +Description: Recognize dolphin and Konqueror/5 browsers for webdav. |
3128 | + Without these settings, these browsers will be sent redirects on |
3129 | + URLs for directories specified without a trailing '/'. That can |
3130 | + prevent webdav DELETE operations from working. |
3131 | +Author: Michal Maloszewski <michal.maloszewski@canonical.com> |
3132 | +Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=67039 |
3133 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1927742 |
3134 | +Last-Update: 2024-01-16 |
3135 | +--- a/docs/conf/extra/httpd-dav.conf.in |
3136 | ++++ b/docs/conf/extra/httpd-dav.conf.in |
3137 | +@@ -48,3 +48,5 @@ |
3138 | + BrowserMatch "^XML Spy" redirect-carefully |
3139 | + BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully |
3140 | + BrowserMatch " Konqueror/4" redirect-carefully |
3141 | ++BrowserMatch " Konqueror/5" redirect-carefully |
3142 | ++BrowserMatch " dolphin/" redirect-carefully |
3143 | diff --git a/debian/patches/series b/debian/patches/series |
3144 | index d2c00e2..ae14d4c 100644 |
3145 | --- a/debian/patches/series |
3146 | +++ b/debian/patches/series |
3147 | @@ -1,3 +1,4 @@ |
3148 | +fix-dolphin-to-delete-webdav-dirs.patch |
3149 | fhs_compliance.patch |
3150 | no_LD_LIBRARY_PATH.patch |
3151 | suexec-CVE-2007-1742.patch |
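Review bot: fix-dolphin-to-delete-webdav-dirs.patch is inserted at the top of the series, ahead of fhs_compliance.patch, so every Debian patch is now applied on top of the Ubuntu delta. Appending it at the end of the series keeps Debian's patches applying to the same tree they apply to in Debian and confines future merge conflicts in this file to the tail.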
3152 | diff --git a/debian/source/include-binaries b/debian/source/include-binaries |
3153 | index 35c26b8..2ddf252 100644 |
3154 | --- a/debian/source/include-binaries |
3155 | +++ b/debian/source/include-binaries |
3156 | @@ -17,6 +17,7 @@ debian/icons/odf6otp-20x22.png |
3157 | debian/icons/odf6ots-20x22.png |
3158 | debian/icons/odf6ott-20x22.png |
3159 | debian/icons/openlogo-75.png |
3160 | +debian/icons/ubuntu-logo.png |
3161 | debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml |
3162 | debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php |
3163 | debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml |
3164 | diff --git a/debian/tests/check-ubuntu-branding b/debian/tests/check-ubuntu-branding |
3165 | new file mode 100644 |
3166 | index 0000000..0bf90b6 |
3167 | --- /dev/null |
3168 | +++ b/debian/tests/check-ubuntu-branding |
3169 | @@ -0,0 +1,28 @@ |
3170 | +#!/bin/bash |
3171 | +# |
3172 | +# Check the ubuntu branding exists |
3173 | +set -uxe -o pipefail |
3174 | + |
3175 | +ubuntu_logo_path="icons/ubuntu-logo.png" |
3176 | + |
3177 | +# Use curl to fetch the HTML content and check its exit status |
3178 | +if html_content=$(curl -s http://localhost); then |
3179 | + # The curl command succeeded, so proceed with further processing |
3180 | + if ! [[ "$html_content" =~ "$ubuntu_logo_path" ]]; then |
3181 | + echo "ERROR: $ubuntu_logo_path string not found in html page" |
3182 | + exit 1 |
3183 | + fi |
3184 | +else |
3185 | + # The curl command encountered an error |
3186 | + echo "ERROR: Curl command failed to fetch web content" |
3187 | + exit 1 |
3188 | +fi |
3189 | + |
3190 | +# Check the type of $ubuntu_logo_path |
3191 | +content_type=$(curl -s -I http://localhost/$ubuntu_logo_path \ |
3192 | + | grep Content-Type | cut -d ' ' -f 2- | tr -d '[:space:]') |
3193 | +expected="image/png" |
3194 | +if [ "$content_type" != "$expected" ]; then |
3195 | + echo "Content-Type is not $expected it is $content_type" |
3196 | + exit 1 |
3197 | +fi |
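Review bot: both curl calls run with -s only, so an HTTP error response (404, 500) still exits 0 and the "Curl command failed" branch only catches connection-level failures. Add --fail (and ideally --max-time) to both invocations. Separately, in the Content-Type check the pipeline runs under "set -e -o pipefail": if grep finds no header line, the script exits at the assignment and the "Content-Type is not $expected" message is never printed. Using "grep -i" plus "|| true" on the pipeline, or testing the assignment in an if, would let the diagnostic actually appear.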
3198 | diff --git a/debian/tests/control b/debian/tests/control |
3199 | index 2453137..8a93e5f 100644 |
3200 | --- a/debian/tests/control |
3201 | +++ b/debian/tests/control |
3202 | @@ -23,6 +23,10 @@ Tests: check-http2 |
3203 | Restrictions: needs-root allow-stderr breaks-testbed |
3204 | Depends: apache2, curl, ssl-cert, nghttp2-client |
3205 | |
3206 | +Tests: check-ubuntu-branding |
3207 | +Restrictions: allow-stderr |
3208 | +Depends: apache2, curl |
3209 | + |
3210 | Tests: chroot |
3211 | Features: no-build-needed |
3212 | Restrictions: needs-root allow-stderr breaks-testbed |
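Review bot: the new check-ubuntu-branding stanza declares only "Restrictions: allow-stderr", yet the test fetches http://localhost and therefore depends on the apache2 service already listening in the testbed. Tests that rely on running services or TCP ports usually declare isolation-container so they are skipped rather than failed on chroot-style testbeds where the service is not started; consider adding it here.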
Looking at this.