Merge ~bryce/ubuntu/+source/apache2:merge-v2.4.59-2-oracular into ubuntu/+source/apache2:debian/sid

Proposed by Bryce Harrington
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: git-ubuntu bot
Merged at revision: bc488d2eb57f4abdeec73735df5ff2d1806ae1fc
Proposed branch: ~bryce/ubuntu/+source/apache2:merge-v2.4.59-2-oracular
Merge into: ubuntu/+source/apache2:debian/sid
Diff against target: 3212 lines (+2410/-62)
16 files modified
debian/apache2-bin.install (+1/-0)
debian/apache2-utils.ufw.profile (+14/-0)
debian/apache2.dirs (+1/-0)
debian/apache2.install (+1/-0)
debian/apache2.postrm (+2/-0)
debian/apache2.py (+48/-0)
debian/changelog (+2230/-2)
debian/config-dir/mods-available/setenvif.conf (+2/-0)
debian/control (+5/-3)
debian/debhelper/apache2-maintscript-helper (+4/-0)
debian/index.html (+52/-57)
debian/patches/fix-dolphin-to-delete-webdav-dirs.patch (+16/-0)
debian/patches/series (+1/-0)
debian/source/include-binaries (+1/-0)
debian/tests/check-ubuntu-branding (+28/-0)
debian/tests/control (+4/-0)
Reviewers (status):
  - git-ubuntu bot: Approve
  - Andreas Hasenack: Approve
  - Canonical Server packageset reviewers: Pending
  - Canonical Server Reporter: Pending
  - Canonical Server Core Reviewers: Pending
Review via email: mp+466357@code.launchpad.net

Description of the change

Merge with Debian's package. I've taken this opportunity to do a deep dive review on each piece of delta, annotate it in the git-ubuntu changelog, and tag it according to its forwardability state.

Two bits of the delta looked relevant to Debian but lacked evidence they've been forwarded, so I've done so and updated the tags.

Three CVEs cherrypicked from upstream could be dropped. I've also pulled in the fix for LP: #2045055 that switches a http link in the default index.html page to https, which there is already a Debian PR for.

PPA with test packages: https://launchpad.net/~bryce/+archive/ubuntu/apache2-merge-v2.4.59-2

Usual tags pushed for review:
  - tags/old/debian f94de9fba
  - tags/new/debian 70cd25ddc
  - tags/old/ubuntu 581abf935
  - tags/logical/2.4.58-1ubuntu8.1 d6acc3d65
  - tags/reconstruct/2.4.58-1ubuntu8.1 e497b91fd
  - tags/split/2.4.58-1ubuntu8.1 f4587177a

Autopkgtest testing:
$ ppa tests ppa:bryce/apache2-merge-v2.4.59-2
  # time pkg release arch ppa trigger
  - 10 apache2 oracular amd64 bryce/apache2-merge-v2.4.59-2 apache2/2.4.59-2ubuntu1~oracular1
  - 10 apache2 oracular s390x bryce/apache2-merge-v2.4.59-2 apache2/2.4.59-2ubuntu1~oracular1
  - 10 apache2 oracular ppc64el bryce/apache2-merge-v2.4.59-2 apache2/2.4.59-2ubuntu1~oracular1
  - 10 apache2 oracular i386 bryce/apache2-merge-v2.4.59-2 apache2/2.4.59-2ubuntu1~oracular1

Install testing:
    $ sudo add-apt-repository -yus ppa:bryce/apache2-merge-v2.4.59-2
    $ sudo apt-get install apache2

Andreas Hasenack (ahasenack) wrote :

Looking at this.

Andreas Hasenack (ahasenack) wrote :

- debian changes: ok (including the removal of transitional binary packages)
- upstream 2.4.59 changes: ok
- merge: ok

+1

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: bryce, ahasenack
Uploaders: bryce, ahasenack
MP auto-approved

review: Approve
Bryce Harrington (bryce) wrote :

Thanks for the review, pushed:

Successfully signed dsc, buildinfo, changes files
Vcs-Git: https://git.launchpad.net/~bryce/ubuntu/+source/apache2
Vcs-Git-Commit: bc488d2eb57f4abdeec73735df5ff2d1806ae1fc
Vcs-Git-Ref: refs/heads/merge-v2.4.59-2-oracular
gpg: ../apache2_2.4.59-2ubuntu1_source.changes: Valid signature from E603B2578FB8F0FB
gpg: ../apache2_2.4.59-2ubuntu1.dsc: Valid signature from E603B2578FB8F0FB
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.59-2ubuntu1.dsc: done.
  Uploading apache2_2.4.59.orig.tar.gz: done.
  Uploading apache2_2.4.59-2ubuntu1.debian.tar.xz: done.
  Uploading apache2_2.4.59-2ubuntu1_source.buildinfo: done.
  Uploading apache2_2.4.59-2ubuntu1_source.changes: done.

Preview Diff

1diff --git a/debian/apache2-bin.install b/debian/apache2-bin.install
2index 63c573f..3d1bdf1 100644
3--- a/debian/apache2-bin.install
4+++ b/debian/apache2-bin.install
5@@ -1,2 +1,3 @@
6 /usr/lib/apache2/modules/
7 /usr/sbin/apache2
8+debian/apache2.py usr/share/apport/package-hooks
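Review bot: the added line ships the hook from apache2-bin, but the file is named apache2.py and its attach_conffiles call names 'apache2', so the package the hook is keyed to is not the package that installs it. If the intent is for the hook to run on reports filed against apache2 while living in apache2-bin, say so in the changelog item; otherwise move the line to debian/apache2.install so name and owner agree.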
9diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile
10new file mode 100644
11index 0000000..974a655
12--- /dev/null
13+++ b/debian/apache2-utils.ufw.profile
14@@ -0,0 +1,14 @@
15+[Apache]
16+title=Web Server
17+description=Apache v2 is the next generation of the omnipresent Apache web server.
18+ports=80/tcp
19+
20+[Apache Secure]
21+title=Web Server (HTTPS)
22+description=Apache v2 is the next generation of the omnipresent Apache web server.
23+ports=443/tcp
24+
25+[Apache Full]
26+title=Web Server (HTTP,HTTPS)
27+description=Apache v2 is the next generation of the omnipresent Apache web server.
28+ports=80,443/tcp
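Review bot: all three sections ([Apache], [Apache Secure], [Apache Full]) carry the identical description= line, so the description gives an administrator no hint of which ports a profile opens; only title= and ports= differ. Suggest making each description state its scope (HTTP only on 80, HTTPS only on 443, both), so that choosing [Apache] is visibly a choice to allow plaintext port 80.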
29diff --git a/debian/apache2.dirs b/debian/apache2.dirs
30index 6089013..1aa6d3c 100644
31--- a/debian/apache2.dirs
32+++ b/debian/apache2.dirs
33@@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk
34 var/lib/apache2
35 var/log/apache2
36 var/www/html
37+/etc/ufw/applications.d/apache2
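Review bot: the added entry /etc/ufw/applications.d/apache2 is the only path here with a leading slash (the context lines use var/lib/apache2, var/log/apache2, var/www/html), and it creates a directory named apache2 under applications.d, while the debian/apache2.install change in this diff places the profile file directly in /etc/ufw/applications.d/. Either write it as etc/ufw/applications.d to match what the install line needs, or drop the entry if the install step already creates the directory.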
38diff --git a/debian/apache2.install b/debian/apache2.install
39index b6ad789..92865fc 100644
40--- a/debian/apache2.install
41+++ b/debian/apache2.install
42@@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2
43 debian/config-dir/envvars /etc/apache2
44 debian/config-dir/magic /etc/apache2
45 debian/debhelper/apache2-maintscript-helper /usr/share/apache2/
46+debian/apache2-utils.ufw.profile /etc/ufw/applications.d/
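Review bot: the added line installs a file called apache2-utils.ufw.profile from the apache2 package, so the file name points at a different binary package than the one that ships it, and it lands in /etc/ufw/applications.d/ under that name. Renaming the source file to match the owning package (or installing it under a package-named destination) would make it easier to trace the profile back to its owner when auditing firewall application profiles.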
47diff --git a/debian/apache2.postrm b/debian/apache2.postrm
48index a68583c..4a22601 100644
49--- a/debian/apache2.postrm
50+++ b/debian/apache2.postrm
51@@ -33,6 +33,8 @@ is_default_index_html () {
52 776221a94e5a174dc2396c0f3f6b6a74
53 c481228d439cbb54bdcedbaec5bbb11a
54 e2620d4a5a0f8d80dd4b16de59af981f
55+ 3526531ccd6c6a1d2340574a305a18f8
56+ 720999b43a3be0674180354ac41f20b1
57 EOF
58 }
59
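Review bot: the two md5 sums added to the list in is_default_index_html carry no record of which index.html revision each one matches, and this merge also changes debian/index.html (+52/-57 in the file list), so the hunk alone does not show that the page shipped by this upload is covered. Please confirm that the md5sum of the new debian/index.html is one of the listed values and note the version for each added sum in the changelog item, since a default page whose sum is missing from the list would no longer be recognised as the packaged default.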
60diff --git a/debian/apache2.py b/debian/apache2.py
61new file mode 100644
62index 0000000..a9fb9d8
63--- /dev/null
64+++ b/debian/apache2.py
65@@ -0,0 +1,48 @@
66+#!/usr/bin/python
67+
68+'''apport hook for apache2
69+
70+(c) 2010 Adam Sommer.
71+Author: Adam Sommer <asommer@ubuntu.com>
72+
73+This program is free software; you can redistribute it and/or modify it
74+under the terms of the GNU General Public License as published by the
75+Free Software Foundation; either version 2 of the License, or (at your
76+option) any later version. See http://www.gnu.org/copyleft/gpl.html for
77+the full text of the license.
78+'''
79+
80+from apport.hookutils import *
81+import os
82+
83+SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/'
84+
85+def add_info(report, ui):
86+ if os.path.isdir(SITES_ENABLED_DIR):
87+ response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory "
88+ "may help developers diagnose your bug more "
89+ "quickly. However, it may contain sensitive "
90+ "information. Do you want to include it in your "
91+ "bug report?")
92+
93+ if response == None: # user cancelled
94+ raise StopIteration
95+
96+ elif response == True:
97+ # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d
98+ for conf_file in os.listdir(SITES_ENABLED_DIR):
99+ attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file)
100+
101+ try:
102+ report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d'))
103+ except OSError:
104+ report['Apache2ConfdDirListing'] = str(False)
105+
106+ # Attach default config files if changed.
107+ attach_conffiles(report, 'apache2', conffiles=None)
108+
109+ # Attach the error.log file.
110+ attach_file(report, '/var/log/apache2/error.log', key='error.log')
111+
112+ # Get loaded modules.
113+ report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES'])
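Review bot: the ui.yesno prompt in add_info asks for consent only for the contents of SITES_ENABLED_DIR, yet the hook also attaches /var/log/apache2/error.log and any changed conffiles, neither of which the prompt text mentions. Error logs and edited configuration can hold client addresses, request paths and credentials, so either name them in the prompt or collect them only on the same "yes" answer. Two smaller points in the same function: '-D DUMP_MODULES' is handed to root_command_output as a single argv element where the option and its value are normally two ('-D', 'DUMP_MODULES'), and the cancel path tests response == None and raises StopIteration where "response is None" followed by a plain return would be clearer.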
114diff --git a/debian/changelog b/debian/changelog
115index 8ab6c02..31b1ad7 100644
116--- a/debian/changelog
117+++ b/debian/changelog
118@@ -1,3 +1,45 @@
119+apache2 (2.4.59-2ubuntu1) oracular; urgency=medium
120+
121+ * Merge with Debian unstable (LP: #2064378). Remaining changes:
122+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
123+ d/source/include-binaries, d/t/check-ubuntu-branding: Replace
124+ Debian with Ubuntu on default homepage.
125+ (LP #1966004, LP #1947459)
126+ - d/apache2.py, d/apache2-bin.install: Add apport hook
127+ (LP #609177)
128+ - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
129+ d/apache2.dirs: Add ufw profiles
130+ (LP #261198)
131+ - d/control: Upgrade lua build dependency to 5.4
132+ (LP #1910372)
133+ - d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
134+ dolphin and Konqueror/5 careful redirection so that directories can be
135+ deleted via webdav.
136+ (LP #1927742)
137+ - d/debhelper/apache2-maintscript-helper: Allow execution when called from a
138+ postinst script through a trigger (i.e., postinst triggered).
139+ Thanks to Roel van Meer. (Closes: #1060450)
140+ (LP #2038912)
141+ * Dropped:
142+ - d/p/CVE-2023-38709.patch: header validation after
143+ content-* are eval'ed in modules/http/http_filters.c.
144+ [Included in 2.4.59]
145+ - HTTP Response Splitting in multiple modules
146+ + d/p/CVE-2024-24795.patch: let httpd handle CL/TE for
147+ non-http handlers in include/util_script.h,
148+ modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
149+ modules/generators/mod_cgid.c, modules/http/http_filters.c,
150+ modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
151+ modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
152+ [Included in 2.4.59]
153+ - HTTP/2 DoS by memory exhaustion on endless continuation frames
154+ + d/p/CVE-2024-27316.patch: bail after too many failed reads
155+ in modules/http2/h2_session.c, modules/http2/h2_stream.c,
156+ modules/http2/h2_stream.h.
157+ [Included in 2.4.59]
158+
159+ -- Bryce Harrington <bryce@canonical.com> Thu, 23 May 2024 13:30:30 -0700
160+
161 apache2 (2.4.59-2) unstable; urgency=medium
162
163 * Breaks against fossil due to CVE-2024-24795 follows up
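Review bot: the new 2.4.59-2ubuntu1 entry does not mention LP: #2045055 or the http to https link change in debian/index.html, although the merge description says that fix was pulled in with this merge. Without an "LP: #2045055" reference in this entry the upload will not close the bug and the change is missing from the recorded delta; add it as its own bullet or under the d/index.html item. In the Dropped list, the CVE-2023-38709 item also lacks the one-line summary that the CVE-2024-24795 and CVE-2024-27316 items have.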
164@@ -21,6 +63,93 @@ apache2 (2.4.59-1) unstable; urgency=medium
165
166 -- Yadd <yadd@debian.org> Fri, 05 Apr 2024 08:08:11 +0400
167
168+apache2 (2.4.58-1ubuntu8.1) noble-security; urgency=medium
169+
170+ * SECURITY UPDATE: HTTP response splitting
171+ - debian/patches/CVE-2023-38709.patch: header validation after
172+ content-* are eval'ed in modules/http/http_filters.c.
173+ - CVE-2023-38709
174+ * SECURITY UPDATE: HTTP Response Splitting in multiple modules
175+ - debian/patches/CVE-2024-24795.patch: let httpd handle CL/TE for
176+ non-http handlers in include/util_script.h,
177+ modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
178+ modules/generators/mod_cgid.c, modules/http/http_filters.c,
179+ modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
180+ modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
181+ - CVE-2024-24795
182+ * SECURITY UPDATE: HTTP/2 DoS by memory exhaustion on endless
183+ continuation frames
184+ - debian/patches/CVE-2024-27316.patch: bail after too many failed reads
185+ in modules/http2/h2_session.c, modules/http2/h2_stream.c,
186+ modules/http2/h2_stream.h.
187+ - CVE-2024-27316
188+
189+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Apr 2024 11:13:41 -0400
190+
191+apache2 (2.4.58-1ubuntu8) noble; urgency=medium
192+
193+ * No-change rebuild against libapr1t64
194+
195+ -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 07 Apr 2024 07:02:29 +0000
196+
197+apache2 (2.4.58-1ubuntu7) noble; urgency=medium
198+
199+ * No-change rebuild for CVE-2024-3094
200+
201+ -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 31 Mar 2024 08:37:28 +0000
202+
203+apache2 (2.4.58-1ubuntu6) noble; urgency=medium
204+
205+ * d/debhelper/apache2-maintscript-helper: Allow execution when called from a
206+ postinst script through a trigger (i.e., postinst triggered).
207+ Thanks to Roel van Meer. (LP: #2038912) (Closes: #1060450)
208+
209+ -- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 18 Mar 2024 09:35:36 -0300
210+
211+apache2 (2.4.58-1ubuntu5) noble; urgency=medium
212+
213+ * No-change rebuild against libcurl4t64
214+
215+ -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 16 Mar 2024 06:05:04 +0000
216+
217+apache2 (2.4.58-1ubuntu4) noble; urgency=medium
218+
219+ * No-change rebuild against libaprutil1t64
220+
221+ -- Zixing Liu <zixing.liu@canonical.com> Sat, 09 Mar 2024 23:05:43 -0700
222+
223+apache2 (2.4.58-1ubuntu3) noble; urgency=medium
224+
225+ * No-change rebuild against libssl3t64
226+
227+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Mar 2024 17:21:46 +0000
228+
229+apache2 (2.4.58-1ubuntu2) noble; urgency=medium
230+
231+ * d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
232+ dolphin and Konqueror/5 careful redirection so that directories can be
233+ deleted via webdav.
234+ (LP: #1927742)
235+
236+ -- Bryce Harrington <bryce@canonical.com> Wed, 24 Jan 2024 14:00:03 -0800
237+
238+apache2 (2.4.58-1ubuntu1) noble; urgency=medium
239+
240+ * Merge with Debian unstable (LP: #2040357). Remaining changes:
241+
242+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
243+ d/source/include-binaries, d/t/check-ubuntu-branding: Replace
244+ Debian with Ubuntu on default homepage.
245+ (LP #1966004, LP #1947459)
246+ - d/apache2.py, d/apache2-bin.install: Add apport hook
247+ (LP #609177)
248+ - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
249+ d/apache2.dirs: Add ufw profiles
250+ (LP #261198)
251+ - d/control: Upgrade lua build dependency to 5.4
252+
253+ -- Bryce Harrington <bryce@canonical.com> Thu, 14 Dec 2023 23:52:39 -0800
254+
255 apache2 (2.4.58-1) unstable; urgency=medium
256
257 [ Bas Couwenberg ]
258@@ -41,6 +170,35 @@ apache2 (2.4.57-3) unstable; urgency=medium
259
260 -- Yadd <yadd@debian.org> Tue, 29 Aug 2023 11:39:32 +0400
261
262+apache2 (2.4.57-2ubuntu3) noble; urgency=medium
263+
264+ * d/icons/ubuntu-logo.png: add Ubuntu image for welcome page (LP: #1947459).
265+ * d/t/check-ubuntu-branding: add check for ubuntu branding.
266+
267+ -- Mitchell Dzurick <mitchell.dzurick@canonical.com> Mon, 13 Nov 2023 10:49:48 -0700
268+
269+apache2 (2.4.57-2ubuntu2) mantic; urgency=medium
270+
271+ * d/control: Upgrade lua build dependency to 5.4
272+
273+ -- Lena Voytek <lena.voytek@canonical.com> Fri, 21 Jul 2023 14:17:42 -0700
274+
275+apache2 (2.4.57-2ubuntu1) mantic; urgency=medium
276+
277+ * Merge from Debian unstable. Remaining changes:
278+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
279+ d/source/include-binaries: Replace Debian with Ubuntu on default
280+ homepage.
281+ - d/apache2.py, d/apache2-bin.install: Add apport hook
282+ - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
283+ d/apache2.dirs: Add ufw profiles
284+ * Dropped changes included in new version:
285+ - debian/patches/CVE-2023-25690-1.patch
286+ - debian/patches/CVE-2023-25690-2.patch
287+ - debian/patches/CVE-2023-27522.patch
288+
289+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Jun 2023 14:02:48 -0400
290+
291 apache2 (2.4.57-2) unstable; urgency=medium
292
293 * Revert debian/* changes (Bookworm freeze)
294@@ -68,6 +226,36 @@ apache2 (2.4.56-1) unstable; urgency=medium
295
296 -- Yadd <yadd@debian.org> Wed, 08 Mar 2023 06:44:05 +0400
297
298+apache2 (2.4.55-1ubuntu2) lunar; urgency=medium
299+
300+ * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
301+ - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query
302+ strings in modules/http2/mod_proxy_http2.c,
303+ modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c,
304+ modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c,
305+ modules/proxy/mod_proxy_wstunnel.c.
306+ - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in
307+ modules/http2/mod_proxy_http2.c.
308+ - CVE-2023-25690
309+ * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
310+ - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response
311+ parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
312+ - CVE-2023-27522
313+
314+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 08 Mar 2023 11:32:34 -0500
315+
316+apache2 (2.4.55-1ubuntu1) lunar; urgency=low
317+
318+ * Merge from Debian unstable. Remaining changes:
319+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
320+ d/source/include-binaries: Replace Debian with Ubuntu on default
321+ homepage.
322+ - d/apache2.py, d/apache2-bin.install: Add apport hook
323+ - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
324+ d/apache2.dirs: Add ufw profiles
325+
326+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 24 Jan 2023 13:31:02 -0800
327+
328 apache2 (2.4.55-1) unstable; urgency=medium
329
330 [ Hendrik Jäger ]
331@@ -121,6 +309,27 @@ apache2 (2.4.54-4) unstable; urgency=medium
332
333 -- Yadd <yadd@debian.org> Thu, 24 Nov 2022 10:45:00 +0100
334
335+apache2 (2.4.54-3ubuntu2) lunar; urgency=medium
336+
337+ * No-change rebuild against libldap-2
338+
339+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 15 Dec 2022 19:42:31 +0000
340+
341+apache2 (2.4.54-3ubuntu1) lunar; urgency=medium
342+
343+ * Merge with Debian unstable (LP: #1993373). Remaining changes:
344+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
345+ d/source/include-binaries: Replace Debian with Ubuntu on default
346+ homepage.
347+ (LP #1966004)
348+ - d/apache2.py, d/apache2-bin.install: Add apport hook
349+ (LP #609177)
350+ - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
351+ d/apache2.dirs: Add ufw profiles
352+ (LP #261198)
353+
354+ -- Bryce Harrington <bryce@canonical.com> Wed, 16 Nov 2022 16:44:44 -0800
355+
356 apache2 (2.4.54-3) unstable; urgency=medium
357
358 [ Hendrik Jäger ]
359@@ -129,6 +338,21 @@ apache2 (2.4.54-3) unstable; urgency=medium
360
361 -- Yadd <yadd@debian.org> Wed, 12 Oct 2022 09:20:52 +0200
362
363+apache2 (2.4.54-2ubuntu1) kinetic; urgency=medium
364+
365+ * Merge with Debian unstable (LP: #1982048). Remaining changes:
366+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
367+ d/source/include-binaries: Replace Debian with Ubuntu on default
368+ homepage.
369+ (LP #1966004)
370+ - d/apache2.py, d/apache2-bin.install: Add apport hook
371+ (LP #609177)
372+ - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
373+ d/apache2.dirs: Add ufw profiles
374+ (LP #261198)
375+
376+ -- Bryce Harrington <bryce@canonical.com> Thu, 21 Jul 2022 19:38:00 +0000
377+
378 apache2 (2.4.54-2) unstable; urgency=medium
379
380 * Move cgid socket into a writeable directory (Closes: #1014056)
381@@ -155,6 +379,48 @@ apache2 (2.4.54-1) unstable; urgency=medium
382
383 -- Yadd <yadd@debian.org> Thu, 09 Jun 2022 06:33:53 +0200
384
385+apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium
386+
387+ * Merge with Debian unstable (LP: #1971248). Remaining changes:
388+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
389+ apache2.dirs}: Add ufw profiles.
390+ (LP 261198)
391+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
392+ (LP 609177)
393+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
394+ d/s/include-binaries: replace Debian with Ubuntu on default
395+ page and add Ubuntu icon file.
396+ (LP 1288690)
397+ - d/index.html, d/icons/ubuntu-logo.png: Refresh page design and
398+ new logo
399+ (LP 1966004)
400+ - d/apache2.postrm: Include md5 sum for updated index.html
401+ * Dropped:
402+ - OOB read in mod_lua via crafted request body
403+ + d/p/CVE-2022-22719.patch: error out if lua_read_body() or
404+ lua_write_body() fail in modules/lua/lua_request.c.
405+ [Fixed in 2.4.53 upstream]
406+ - HTTP Request Smuggling via error discarding the
407+ request body
408+ + d/p/CVE-2022-22720.patch: simpler connection close logic
409+ if discarding the request body fails in modules/http/http_filters.c,
410+ server/protocol.c.
411+ [Fixed in 2.4.53 upstream]
412+ - overflow via large LimitXMLRequestBody
413+ + d/p/CVE-2022-22721.patch: make sure and check that
414+ LimitXMLRequestBody fits in system memory in server/core.c,
415+ server/util.c, server/util_xml.c.
416+ [Fixed in 2.4.53 upstream]
417+ - out-of-bounds write in mod_sed
418+ + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger
419+ buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
420+ modules/filters/mod_sed.c, modules/filters/sed1.c.
421+ + d/p/CVE-2022-23943-2.patch: improve the logic flow in
422+ modules/filters/mod_sed.c.
423+ [Fixed in 2.4.53 upstream]
424+
425+ -- Bryce Harrington <bryce@canonical.com> Mon, 23 May 2022 19:34:18 -0700
426+
427 apache2 (2.4.53-2) unstable; urgency=medium
428
429 * Clean useless Conflicts/Replace
430@@ -190,6 +456,79 @@ apache2 (2.4.52-2) experimental; urgency=medium
431
432 -- Yadd <yadd@debian.org> Tue, 28 Dec 2021 20:01:43 +0100
433
434+apache2 (2.4.52-1ubuntu4) jammy; urgency=medium
435+
436+ * d/apache2.postrm: Include md5 sum for updated index.html
437+
438+ -- Bryce Harrington <bryce@canonical.com> Thu, 24 Mar 2022 17:35:40 -0700
439+
440+apache2 (2.4.52-1ubuntu3) jammy; urgency=medium
441+
442+ * d/index.html:
443+ - Redesign page's heading for the new logo
444+ - Use the Ubuntu font where available
445+ - Update service management directions
446+ - Copyedit grammar
447+ - Light reformatting and whitespace cleanup
448+ * d/icons/ubuntu-logo.png: Refresh ubuntu logo
449+ (LP: #1966004)
450+
451+ -- Bryce Harrington <bryce@canonical.com> Wed, 23 Mar 2022 16:18:11 -0700
452+
453+apache2 (2.4.52-1ubuntu2) jammy; urgency=medium
454+
455+ * SECURITY UPDATE: OOB read in mod_lua via crafted request body
456+ - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
457+ lua_write_body() fail in modules/lua/lua_request.c.
458+ - CVE-2022-22719
459+ * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
460+ request body
461+ - debian/patches/CVE-2022-22720.patch: simpler connection close logic
462+ if discarding the request body fails in modules/http/http_filters.c,
463+ server/protocol.c.
464+ - CVE-2022-22720
465+ * SECURITY UPDATE: overflow via large LimitXMLRequestBody
466+ - debian/patches/CVE-2022-22721.patch: make sure and check that
467+ LimitXMLRequestBody fits in system memory in server/core.c,
468+ server/util.c, server/util_xml.c.
469+ - CVE-2022-22721
470+ * SECURITY UPDATE: out-of-bounds write in mod_sed
471+ - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
472+ buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
473+ modules/filters/mod_sed.c, modules/filters/sed1.c.
474+ - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
475+ modules/filters/mod_sed.c.
476+ - CVE-2022-23943
477+
478+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Mar 2022 09:39:54 -0400
479+
480+apache2 (2.4.52-1ubuntu1) jammy; urgency=medium
481+
482+ * Merge with Debian unstable (LP: #1959924). Remaining changes:
483+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
484+ apache2.dirs}: Add ufw profiles.
485+ (LP 261198)
486+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
487+ (LP 609177)
488+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
489+ d/s/include-binaries: replace Debian with Ubuntu on default
490+ page and add Ubuntu icon file.
491+ (LP 1288690)
492+ * Dropped:
493+ - d/p/support-openssl3-*.patch: Backport various patches from
494+ https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
495+ failure to load when using OpenSSL 3.
496+ (LP #1951476)
497+ [Included in upstream release 2.4.52]
498+ - d/apache2ctl: Also use systemd for graceful if it is in use.
499+ (LP 1832182)
500+ [This introduced a performance regression.]
501+ - d/apache2ctl: Also use /run/systemd to check for systemd usage.
502+ (LP 1918209)
503+ [Not needed]
504+
505+ -- Bryce Harrington <bryce@canonical.com> Thu, 03 Feb 2022 10:25:47 -0800
506+
507 apache2 (2.4.52-1) unstable; urgency=medium
508
509 * Refresh suexec-custom.patch
510@@ -200,6 +539,60 @@ apache2 (2.4.52-1) unstable; urgency=medium
511
512 -- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +0100
513
514+apache2 (2.4.51-2ubuntu1) jammy; urgency=medium
515+
516+ * Merge with Debian unstable. Remaining changes:
517+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
518+ apache2.dirs}: Add ufw profiles.
519+ (LP 261198)
520+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
521+ (LP 609177)
522+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
523+ d/s/include-binaries: replace Debian with Ubuntu on default
524+ page and add Ubuntu icon file.
525+ (LP 1288690)
526+ - d/p/support-openssl3-*.patch: Backport various patches from
527+ https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
528+ failure to load when using OpenSSL 3.
529+ (LP #1951476)
530+ * Dropped:
531+ - d/apache2ctl: Also use systemd for graceful if it is in use.
532+ (LP: 1832182)
533+ [This introduced a performance regression.]
534+ - d/apache2ctl: Also use /run/systemd to check for systemd usage.
535+ (LP 1918209)
536+ [Not needed]
537+ - debian/patches/CVE-2021-33193.patch: refactor request parsing in
538+ include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
539+ include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
540+ server/core_filters.c, server/protocol.c, server/vhost.c.
541+ [Fixed in 2.4.48-4]
542+ - debian/patches/CVE-2021-34798.patch: add NULL check in
543+ server/scoreboard.c.
544+ [Fixed in 2.4.49-1]
545+ - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
546+ generic worker in modules/proxy/mod_proxy_uwsgi.c.
547+ [Fixed in 2.4.49-1]
548+ - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
549+ substitution logic in server/util.c.
550+ [Fixed in 2.4.49-1]
551+ - arbitrary origin server via crafted request uri-path
552+ + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
553+ parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
554+ modules/proxy/proxy_util.c.
555+ + debian/patches/CVE-2021-40438.patch: add sanity checks on the
556+ configured UDS path in modules/proxy/proxy_util.c.
557+ [Fixed in 2.4.49-3]
558+ - SECURITY REGRESSION: Issues in UDS URIs. (LP #1945311)
559+ + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
560+ rules in modules/mappers/mod_rewrite.c.
561+ + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
562+ hostname in modules/mappers/mod_rewrite.c,
563+ modules/proxy/proxy_util.c.
564+ [Fixed in 2.4.49-3]
565+
566+ -- Bryce Harrington <bryce@canonical.com> Thu, 16 Dec 2021 14:09:26 -0800
567+
568 apache2 (2.4.51-2) unstable; urgency=medium
569
570 * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting
571@@ -265,6 +658,74 @@ apache2 (2.4.48-4) unstable; urgency=medium
572
573 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200
574
575+apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium
576+
577+ * d/p/support-openssl3-*.patch: Backport various patches from
578+ https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
579+ failure to load when using OpenSSL 3. (LP: #1951476)
580+
581+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 26 Nov 2021 16:07:56 -0500
582+
583+apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
584+
585+ * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
586+ - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
587+ rules in modules/mappers/mod_rewrite.c.
588+ - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
589+ hostname in modules/mappers/mod_rewrite.c,
590+ modules/proxy/proxy_util.c.
591+
592+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Sep 2021 08:52:26 -0400
593+
594+apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium
595+
596+ * SECURITY UPDATE: request splitting over HTTP/2
597+ - debian/patches/CVE-2021-33193.patch: refactor request parsing in
598+ include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
599+ include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
600+ server/core_filters.c, server/protocol.c, server/vhost.c.
601+ - CVE-2021-33193
602+ * SECURITY UPDATE: NULL deref via malformed requests
603+ - debian/patches/CVE-2021-34798.patch: add NULL check in
604+ server/scoreboard.c.
605+ - CVE-2021-34798
606+ * SECURITY UPDATE: DoS in mod_proxy_uwsgi
607+ - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
608+ generic worker in modules/proxy/mod_proxy_uwsgi.c.
609+ - CVE-2021-36160
610+ * SECURITY UPDATE: buffer overflow in ap_escape_quotes
611+ - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
612+ substitution logic in server/util.c.
613+ - CVE-2021-39275
614+ * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
615+ - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
616+ parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
617+ modules/proxy/proxy_util.c.
618+ - debian/patches/CVE-2021-40438.patch: add sanity checks on the
619+ configured UDS path in modules/proxy/proxy_util.c.
620+ - CVE-2021-40438
621+
622+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Sep 2021 12:51:16 -0400
623+
624+apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium
625+
626+ * Merge with Debian unstable. Remaining changes:
627+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
628+ apache2.dirs}: Add ufw profiles. (LP 261198)
629+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
630+ (LP 609177)
631+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
632+ d/s/include-binaries: replace Debian with Ubuntu on default
633+ page and add Ubuntu icon file. (LP 1288690)
634+ - d/apache2ctl: Also use systemd for graceful if it is in use.
635+ This extends an earlier fix for the start command to behave
636+ similarly for restart / graceful. Fixes service failures on
637+ unattended upgrade. (LP 1832182)
638+ - d/apache2ctl: Also use /run/systemd to check for systemd usage
639+ (LP 1918209)
640+
641+ -- Bryce Harrington <bryce@canonical.com> Wed, 11 Aug 2021 20:03:24 -0700
642+
643 apache2 (2.4.48-3.1) unstable; urgency=medium
644
645 * Non-maintainer upload.
646@@ -273,6 +734,46 @@ apache2 (2.4.48-3.1) unstable; urgency=medium
647
648 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200
649
650+apache2 (2.4.48-3ubuntu1) impish; urgency=medium
651+
652+ * Merge with Debian unstable. Remaining changes:
653+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
654+ apache2.dirs}: Add ufw profiles. (LP: 261198)
655+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
656+ (LP: 609177)
657+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
658+ d/s/include-binaries: replace Debian with Ubuntu on default
659+ page and add Ubuntu icon file. (LP: 1288690)
660+ - d/apache2ctl: Also use systemd for graceful if it is in use.
661+ This extends an earlier fix for the start command to behave
662+ similarly for restart / graceful. Fixes service failures on
663+ unattended upgrade. (LP: 1832182)
664+ - d/apache2ctl: Also use /run/systemd to check for systemd usage
665+ (LP: 1918209)
666+ * Dropped:
667+ - d/t/control, d/t/check-http2: add basic test for http2 support
668+ [Fixed in 2.4.48-2]
669+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
670+ [Fixed in 2.4.48-1]
671+ - d/p/CVE-2020-13950.patch: don't dereference NULL proxy
672+ connection in modules/proxy/mod_proxy_http.c.
673+ [Fixed in 2.4.48 upstream]
674+ - d/p/CVE-2020-35452.patch: fast validation of the nonce's
675+ base64 to fail early if the format can't match anyway in
676+ modules/aaa/mod_auth_digest.c.
677+ [Fixed in 2.4.48 upstream]
678+ - d/p/CVE-2021-26690.patch: save one apr_strtok() in
679+ session_identity_decode() in modules/session/mod_session.c.
680+ [Fixed in 2.4.48 upstream]
681+ - d/p/CVE-2021-26691.patch: account for the '&' in
682+ identity_concat() in modules/session/mod_session.c.
683+ [Fixed in 2.4.48 upstream]
684+ - d/p/CVE-2021-30641.patch: change default behavior in
685+ server/request.c.
686+ [Fixed in 2.4.48 upstream]
687+
688+ -- Bryce Harrington <bryce@canonical.com> Thu, 08 Jul 2021 03:20:46 +0000
689+
690 apache2 (2.4.48-3) unstable; urgency=medium
691
692 * Fix debian/changelog
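Review bot: the bug references under "Remaining changes" in 2.4.48-3ubuntu1 are written "(LP: 261198)", with a colon but no "#". The entry directly above writes "(LP 1288690)" and older entries write "(LP #1890302)". Launchpad closes bugs from the "LP: #NNN" form, so the colon-less styles read as a deliberate way to cite a bug without re-closing it; "LP: NNN" is one character away from a closing reference and easy to "fix" by accident later. Suggest settling on one non-closing style for carried delta and using it in every merge entry.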
693@@ -329,6 +830,65 @@ apache2 (2.4.46-5) unstable; urgency=medium
694
695 -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200
696
697+apache2 (2.4.46-4ubuntu3) impish; urgency=medium
698+
699+ * No-change rebuild due to OpenLDAP soname bump.
700+
701+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 17:43:48 -0400
702+
703+apache2 (2.4.46-4ubuntu2) impish; urgency=medium
704+
705+ * SECURITY UPDATE: mod_proxy_http denial of service.
706+ - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
707+ connection in modules/proxy/mod_proxy_http.c.
708+ - CVE-2020-13950
709+ * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
710+ - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
711+ base64 to fail early if the format can't match anyway in
712+ modules/aaa/mod_auth_digest.c.
713+ - CVE-2020-35452
714+ * SECURITY UPDATE: DoS via cookie header in mod_session
715+ - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
716+ session_identity_decode() in modules/session/mod_session.c.
717+ - CVE-2021-26690
718+ * SECURITY UPDATE: heap overflow via SessionHeader
719+ - debian/patches/CVE-2021-26691.patch: account for the '&' in
720+ identity_concat() in modules/session/mod_session.c.
721+ - CVE-2021-26691
722+ * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
723+ - debian/patches/CVE-2021-30641.patch: change default behavior in
724+ server/request.c.
725+ - CVE-2021-30641
726+
727+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Jun 2021 13:09:41 -0400
728+
729+apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium
730+
731+ * Merge with Debian unstable, to allow moving from lua5.2 to
732+ lua5.3 (LP: #1910372). Remaining changes:
733+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
734+ apache2.dirs}: Add ufw profiles.
735+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
736+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
737+ Debian with Ubuntu on default page.
738+ + d/source/include-binaries: add Ubuntu icon file
739+ - d/t/control, d/t/check-http2: add basic test for http2 support
740+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
741+ issue reading error log too quickly after request, by adding a sleep.
742+ (LP #1890302)
743+ - d/apache2ctl: Also use systemd for graceful if it is in use.
744+ This extends an earlier fix for the start command to behave
745+ similarly for restart / graceful. Fixes service failures on
746+ unattended upgrade.
747+ * Drop:
748+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
749+ was re-added by mistake in 2.4.41-1 (Closes #921024)
750+ [Included in Debian 2.4.46-3]
751+ * d/apache2ctl: Also use /run/systemd to check for systemd usage
752+ (LP: #1918209)
753+
754+ -- Bryce Harrington <bryce@canonical.com> Tue, 09 Mar 2021 00:45:35 +0000
755+
756 apache2 (2.4.46-4) unstable; urgency=medium
757
758 * Ignore other random another test failures (Closes: #979664)
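Review bot: the CVE-2021-30641 item in 2.4.46-4ubuntu2 says only "change default behavior in server/request.c", which does not tell an administrator which default changed or in which direction. The summary line ties it to 'MergeSlashes OFF', so the patch description could name the matching behaviour that is now the default; a security fix that alters request matching is exactly the kind of change people search the changelog for after an upgrade. The other four items in this entry describe their fix concretely and are fine as written.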
759@@ -346,6 +906,28 @@ apache2 (2.4.46-3) unstable; urgency=medium
760
761 -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100
762
763+apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium
764+
765+ * Merge with Debian unstable. Remaining changes:
766+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
767+ apache2.dirs}: Add ufw profiles.
768+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
769+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
770+ Debian with Ubuntu on default page.
771+ + d/source/include-binaries: add Ubuntu icon file
772+ - d/t/control, d/t/check-http2: add basic test for http2 support
773+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
774+ was re-added by mistake in 2.4.41-1 (Closes #921024)
775+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
776+ issue reading error log too quickly after request, by adding a sleep.
777+ (LP #1890302)
778+ - d/apache2ctl: Also use systemd for graceful if it is in use.
779+ This extends an earlier fix for the start command to behave
780+ similarly for restart / graceful. Fixes service failures on
781+ unattended upgrade.
782+
783+ -- Paride Legovini <paride.legovini@canonical.com> Mon, 14 Dec 2020 18:12:15 +0100
784+
785 apache2 (2.4.46-2) unstable; urgency=medium
786
787 [ Jean-Michel Vourgère ]
788@@ -367,6 +949,39 @@ apache2 (2.4.46-2) unstable; urgency=medium
789
790 -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100
791
792+apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium
793+
794+ * d/apache2ctl: Also use systemd for graceful if it is in use.
795+ (LP: #1832182)
796+ - This extends an earlier fix for the start command to behave
797+ similarly for restart / graceful. Fixes service failures on
798+ unattended upgrade.
799+
800+ -- Bryce Harrington <bryce@canonical.com> Mon, 05 Oct 2020 16:06:32 -0700
801+
802+apache2 (2.4.46-1ubuntu1) groovy; urgency=medium
803+
804+ * Merge with Debian unstable. Remaining changes:
805+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
806+ apache2.dirs}: Add ufw profiles.
807+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
808+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
809+ Debian with Ubuntu on default page.
810+ + d/source/include-binaries: add Ubuntu icon file
811+ - d/t/control, d/t/check-http2: add basic test for http2 support
812+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
813+ was re-added by mistake in 2.4.41-1 (Closes #921024)
814+ - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
815+ issue reading error log too quickly after request, by adding a sleep.
816+ (LP #1890302)
817+ * Dropped:
818+ - debian/patches/086_svn_cross_compiles: Backport several cross
819+ fixes from upstream
820+ [Unclear if it's still necessary, and upstream hasn't made a
821+ release with it yet]
822+
823+ -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Aug 2020 09:13:38 -0300
824+
825 apache2 (2.4.46-1) unstable; urgency=medium
826
827 [ Xavier Guimard ]
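Review bot: the drop of debian/patches/086_svn_cross_compiles in 2.4.46-1ubuntu1 is justified with "[Unclear if it's still necessary, and upstream hasn't made a release with it yet]", which records doubt rather than a verified reason. The second half also suggests the upstream fix was not yet in a released version at the time, so the patch may still have been needed. A note on how cross-building was checked after the drop, or a bug reference to track it, would let a later merger decide whether to reinstate it.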
828@@ -383,6 +998,39 @@ apache2 (2.4.46-1) unstable; urgency=medium
829
830 -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200
831
832+apache2 (2.4.43-1ubuntu2) groovy; urgency=medium
833+
834+ * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
835+ issue reading error log too quickly after request, by adding a sleep.
836+ (LP: #1890302)
837+
838+ -- Bryce Harrington <bryce@canonical.com> Wed, 05 Aug 2020 12:44:59 -0700
839+
840+apache2 (2.4.43-1ubuntu1) groovy; urgency=medium
841+
842+ * Merge with Debian unstable. Remaining changes:
843+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
844+ apache2.dirs}: Add ufw profiles.
845+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
846+ - debian/patches/086_svn_cross_compiles: Backport several cross
847+ fixes from upstream
848+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
849+ Debian with Ubuntu on default page.
850+ + d/source/include-binaries: add Ubuntu icon file
851+ - d/t/control, d/t/check-http2: add basic test for http2 support
852+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
853+ was re-added by mistake in 2.4.41-1 (Closes #921024)
854+ * Dropped:
855+ - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
856+ parameter to mod_proxy_ajp (LP #1865340)
857+ [Fixed upstream]
858+ - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
859+ mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
860+ Closes #955348, LP #1872478
861+ [In 2.4.43-1]
862+
863+ -- Andreas Hasenack <andreas@canonical.com> Tue, 21 Jul 2020 10:22:42 -0300
864+
865 apache2 (2.4.43-1) unstable; urgency=medium
866
867 [ Timo Aaltonen ]
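Review bot: in the 2.4.43-1ubuntu1 "Dropped" list, the d/p/mod_proxy_ajp-secret-parameter*.patch item is annotated "[Fixed upstream]" with no version, while the mod_ssl item next to it says "[In 2.4.43-1]". The "secret" parameter is an authentication control on the AJP link, so it is worth stating the upstream release that first carries it, in the same "[Fixed in X.Y.Z]" form used elsewhere in this changelog, so backporters can tell which series still need the patch.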
868@@ -410,6 +1058,39 @@ apache2 (2.4.41-5) unstable; urgency=medium
869
870 -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100
871
872+apache2 (2.4.41-4ubuntu3) focal; urgency=medium
873+
874+ [ Timo Aaltonen ]
875+ * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
876+ mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
877+ Closes: #955348, LP: #1872478
878+
879+ -- Andreas Hasenack <andreas@canonical.com> Mon, 13 Apr 2020 14:19:17 -0300
880+
881+apache2 (2.4.41-4ubuntu2) focal; urgency=medium
882+
883+ * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
884+ parameter to mod_proxy_ajp (LP: #1865340)
885+
886+ -- Andreas Hasenack <andreas@canonical.com> Thu, 05 Mar 2020 15:51:00 -0300
887+
888+apache2 (2.4.41-4ubuntu1) focal; urgency=medium
889+
890+ * Merge with Debian unstable. Remaining changes:
891+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
892+ apache2.dirs}: Add ufw profiles.
893+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
894+ - debian/patches/086_svn_cross_compiles: Backport several cross
895+ fixes from upstream
896+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
897+ Debian with Ubuntu on default page.
898+ + d/source/include-binaries: add Ubuntu icon file
899+ - d/t/control, d/t/check-http2: add basic test for http2 support
900+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
901+ was re-added by mistake in 2.4.41-1 (Closes #921024)
902+
903+ -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 10:36:13 -0300
904+
905 apache2 (2.4.41-4) unstable; urgency=medium
906
907 * Add gcc in chroot autopkgtest (fixes debci)
908@@ -434,6 +1115,41 @@ apache2 (2.4.41-2) unstable; urgency=medium
909
910 -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100
911
912+apache2 (2.4.41-1ubuntu1) eoan; urgency=medium
913+
914+ * Merge with Debian unstable. Remaining changes:
915+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
916+ apache2.dirs}: Add ufw profiles.
917+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
918+ - debian/patches/086_svn_cross_compiles: Backport several cross
919+ fixes from upstream
920+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
921+ Debian with Ubuntu on default page.
922+ + d/source/include-binaries: add Ubuntu icon file
923+ - d/t/control, d/t/check-http2: add basic test for http2 support
924+ * Dropped:
925+ - Cherrypick upstream testsuite fix:
926+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
927+ as such).
928+ + Similarly use TLSv1.2 for pr12355 and pr43738.
929+ [Test suite updated in 2.4.41-1]
930+ - Cherrypick upstream test suite fix for buffer.
931+ [Included in 2.4.41-1]
932+ - d/p/spelling-errors.patch: removed hunks already fixed upstream
933+ [Included in 2.4.39-1]
934+ - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
935+ + d/p/CVE-2019-0196.patch
936+ + d/p/CVE-2019-0211.patch
937+ + d/p/CVE-2019-0215.patch
938+ + d/p/CVE-2019-0217.patch
939+ + d/p/CVE-2019-0220-*.patch
940+ + d/p/CVE-2019-0197.patch
941+ * Added:
942+ - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
943+ was re-added by mistake in 2.4.41-1 (Closes: #921024)
944+
945+ -- Andreas Hasenack <andreas@canonical.com> Wed, 14 Aug 2019 11:36:32 -0300
946+
947 apache2 (2.4.41-1) unstable; urgency=medium
948
949 * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,
950@@ -466,6 +1182,62 @@ apache2 (2.4.39-1) unstable; urgency=medium
951
952 -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200
953
954+apache2 (2.4.39-0ubuntu1) eoan; urgency=medium
955+
956+ * New upstream version: 2.4.39
957+ * d/p/spelling-errors.patch: removed hunks already fixed upstream
958+ * Remaining changes:
959+ - Cherrypick upstream test suite fix for buffer.
960+ - Cherrypick upstream testsuite fix:
961+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
962+ as such).
963+ - Similarly use TLSv1.2 for pr12355 and pr43738.
964+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
965+ apache2.dirs}: Add ufw profiles.
966+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
967+ - debian/patches/086_svn_cross_compiles: Backport several cross
968+ fixes from upstream
969+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
970+ Debian with Ubuntu on default page.
971+ + d/source/include-binaries: add Ubuntu icon file
972+ - d/t/control, d/t/check-http2: add basic test for http2 support
973+ * Dropped patches (fixed upstream):
974+ - d/p/CVE-2019-0196.patch
975+ - d/p/CVE-2019-0211.patch
976+ - d/p/CVE-2019-0215.patch
977+ - d/p/CVE-2019-0217.patch
978+ - d/p/CVE-2019-0220-*.patch
979+ - d/p/CVE-2019-0197.patch
980+
981+ -- Andreas Hasenack <andreas@canonical.com> Mon, 05 Aug 2019 18:09:08 -0300
982+
983+apache2 (2.4.38-3ubuntu2) eoan; urgency=medium
984+
985+ * Cherrypick upstream test suite fix for buffer.
986+
987+ -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 13 Jun 2019 11:08:24 +0100
988+
989+apache2 (2.4.38-3ubuntu1) eoan; urgency=low
990+
991+ * Merge from Debian unstable. Remaining changes:
992+ - Cherrypick upstream testsuite fix:
993+ + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
994+ as such).
995+ - Similarly use TLSv1.2 for pr12355 and pr43738.
996+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
997+ apache2.dirs}: Add ufw profiles.
998+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
999+ - debian/patches/086_svn_cross_compiles: Backport several cross
1000+ fixes from upstream
1001+ [Removed configure chunk, not needed since configure.in is being
1002+ patched.]
1003+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1004+ Debian with Ubuntu on default page.
1005+ + d/source/include-binaries: add Ubuntu icon file
1006+ - d/t/control, d/t/check-http2: add basic test for http2 support
1007+
1008+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Jun 2019 19:17:38 +0100
1009+
1010 apache2 (2.4.38-3) unstable; urgency=high
1011
1012 [ Marc Deslauriers ]
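Review bot: d/p/CVE-2019-0197.patch is listed under "Dropped patches (fixed upstream)" in 2.4.39-0ubuntu1, and again in 2.4.41-1ubuntu1, but no Ubuntu entry visible in this diff adds it. The 2.4.38-2ubuntu2 security upload lists CVE-2019-0196, CVE-2019-0211, CVE-2019-0215, CVE-2019-0217 and CVE-2019-0220 only, and the 2.4.38-3ubuntu1 "Remaining changes" list carries no CVE patches at all. My assumption is that all six arrived through Debian 2.4.38-3 (the urgency=high upload with the [ Marc Deslauriers ] section just below); if so, they were Debian patches rather than Ubuntu delta, and the entry could say that. Recording the same six drops in two consecutive entries also leaves it unclear which upload actually removed them.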
1013@@ -503,6 +1275,79 @@ apache2 (2.4.38-3) unstable; urgency=high
1014
1015 -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200
1016
1017+apache2 (2.4.38-2ubuntu3) eoan; urgency=medium
1018+
1019+ * Cherrypick upstream testsuite fix:
1020+ - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
1021+ as such).
1022+ * Similarly use TLSv1.2 for pr12355 and pr43738.
1023+
1024+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 07 May 2019 10:39:47 +0100
1025+
1026+apache2 (2.4.38-2ubuntu2) disco; urgency=medium
1027+
1028+ * SECURITY UPDATE: read-after-free on a string compare in mod_http2
1029+ - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
1030+ request method in modules/http2/h2_request.c.
1031+ - CVE-2019-0196
1032+ * SECURITY UPDATE: privilege escalation from modules' scripts
1033+ - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
1034+ child to its slot number in include/scoreboard.h,
1035+ server/mpm/event/event.c, server/mpm/prefork/prefork.c,
1036+ server/mpm/worker/worker.c.
1037+ - CVE-2019-0211
1038+ * SECURITY UPDATE: mod_ssl access control bypass
1039+ - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
1040+ PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
1041+ - CVE-2019-0215
1042+ * SECURITY UPDATE: mod_auth_digest access control bypass
1043+ - debian/patches/CVE-2019-0217.patch: fix a race condition in
1044+ modules/aaa/mod_auth_digest.c.
1045+ - CVE-2019-0217
1046+ * SECURITY UPDATE: URL normalization inconsistincy
1047+ - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
1048+ the path in include/http_core.h, include/httpd.h, server/core.c,
1049+ server/request.c, server/util.c.
1050+ - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
1051+ in server/request.c, server/util.c.
1052+ - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
1053+ server/util.c.
1054+ - CVE-2019-0220
1055+
1056+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Apr 2019 14:31:46 -0400
1057+
1058+apache2 (2.4.38-2ubuntu1) disco; urgency=medium
1059+
1060+ * Merge with Debian unstable. Remaining changes:
1061+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1062+ apache2.dirs}: Add ufw profiles.
1063+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1064+ - debian/patches/086_svn_cross_compiles: Backport several cross
1065+ fixes from upstream
1066+ [Removed configure chunk, not needed since configure.in is being
1067+ patched.]
1068+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1069+ Debian with Ubuntu on default page.
1070+ + d/source/include-binaries: add Ubuntu icon file
1071+ - d/t/control, d/t/check-http2: add basic test for http2 support
1072+ * Dropped:
1073+ - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
1074+ libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
1075+ cannot be coinstalled with libcurl3. That situation breaks the
1076+ installation of libapache2-mod-shib2. See
1077+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
1078+ for details.
1079+ [This has been resolved in Disco, where libxmltooling8 is built with
1080+ openssl 1.1]
1081+ - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
1082+ + debian/patches/CVE-2018-11763.patch: rework connection IO event
1083+ handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
1084+ modules/http2/h2_version.h.
1085+ - CVE-2018-11763
1086+ [Fixed in 2.4.35]
1087+
1088+ -- Andreas Hasenack <andreas@canonical.com> Sun, 03 Feb 2019 14:57:13 -0200
1089+
1090 apache2 (2.4.38-2) unstable; urgency=medium
1091
1092 * Disable "reset" test in allowmethods.t (Closes: #921024)
1093@@ -585,6 +1430,37 @@ apache2 (2.4.35-1) unstable; urgency=medium
1094
1095 -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200
1096
1097+apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium
1098+
1099+ * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
1100+ - debian/patches/CVE-2018-11763.patch: rework connection IO event
1101+ handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
1102+ modules/http2/h2_version.h.
1103+ - CVE-2018-11763
1104+
1105+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 03 Oct 2018 09:57:22 -0400
1106+
1107+apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium
1108+
1109+ * Merge with Debian unstable. Remaining changes:
1110+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1111+ apache2.dirs}: Add ufw profiles.
1112+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1113+ - debian/patches/086_svn_cross_compiles: Backport several cross
1114+ fixes from upstream
1115+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1116+ Debian with Ubuntu on default page.
1117+ + d/source/include-binaries: add Ubuntu icon file
1118+ - d/t/control, d/t/check-http2: add basic test for http2 support
1119+ - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
1120+ libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
1121+ cannot be coinstalled with libcurl3. That situation breaks the
1122+ installation of libapache2-mod-shib2. See
1123+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
1124+ for details.
1125+
1126+ -- Andreas Hasenack <andreas@canonical.com> Fri, 03 Aug 2018 17:09:27 -0300
1127+
1128 apache2 (2.4.34-1) unstable; urgency=medium
1129
1130 [ Ondřej Surý ]
1131@@ -603,6 +1479,87 @@ apache2 (2.4.34-1) unstable; urgency=medium
1132
1133 -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200
1134
1135+apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium
1136+
1137+ * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load:
1138+ re-enable proxy_uwsgi, as the uwsgi source no longer builds this module.
1139+
1140+ -- Andreas Hasenack <andreas@canonical.com> Thu, 28 Jun 2018 10:07:06 -0300
1141+
1142+apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
1143+
1144+ * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
1145+ libapache2-mod-md until we figure out their transitions. libapache2-mod-md
1146+ in particular is problematic because that makes apache2-bin pull in
1147+ libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
1148+ the installation of libapache2-mod-shib2. See
1149+ https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
1150+ for details.
1151+ - Don't ship md.load and remove build-requires that were added because of
1152+ mod-md (see
1153+ https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
1154+ - Remove proxy_uwsgi.load as we are not building it for now (see
1155+ https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
1156+
1157+ -- Andreas Hasenack <andreas@canonical.com> Thu, 17 May 2018 14:46:19 +0000
1158+
1159+apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
1160+
1161+ * Merge with Debian unstable (LP: #1770242). Remaining changes:
1162+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1163+ apache2.dirs}: Add ufw profiles.
1164+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1165+ - debian/patches/086_svn_cross_compiles: Backport several cross
1166+ fixes from upstream
1167+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1168+ Debian with Ubuntu on default page.
1169+ + d/source/include-binaries: add Ubuntu icon file
1170+ - d/t/control, d/t/check-http2: add basic test for http2 support
1171+ * Drop:
1172+ - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
1173+ + debian/patches/CVE-2017-15710.patch: fix language long names
1174+ detection as short name in modules/aaa/mod_authnz_ldap.c.
1175+ + CVE-2017-15710
1176+ - SECURITY UPDATE: incorrect <FilesMatch> matching
1177+ + debian/patches/CVE-2017-15715.patch: allow to configure
1178+ global/default options for regexes, like caseless matching or
1179+ extended format in include/ap_regex.h, server/core.c,
1180+ server/util_pcre.c.
1181+ + CVE-2017-15715
1182+ - SECURITY UPDATE: mod_session header manipulation
1183+ + debian/patches/CVE-2018-1283.patch: strip Session header when
1184+ SessionEnv is on in modules/session/mod_session.c.
1185+ + CVE-2018-1283
1186+ - SECURITY UPDATE: DoS via specially-crafted request
1187+ + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
1188+ terminated on any error, not only on buffer full in
1189+ server/protocol.c.
1190+ + CVE-2018-1301
1191+ - SECURITY UPDATE: mod_cache_socache DoS
1192+ + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
1193+ to carriage return in modules/cache/mod_cache_socache.c.
1194+ + CVE-2018-1303
1195+ - SECURITY UPDATE: insecure nonce generation
1196+ + debian/patches/CVE-2018-1312.patch: actually use the secret when
1197+ generating nonces in modules/aaa/mod_auth_digest.c.
1198+ + CVE-2018-1312
1199+ - Correct systemd-sysv-generator behavior by customizing some
1200+ parameters:
1201+ + d/apache2-systemd.conf: add a drop-in file to specify some
1202+ parameters for the systemd unit (type=Forking and
1203+ RemainsAfterExit=no), this allow a correct state synchronisation
1204+ between systemctl status and actual state of apache2 daemon.
1205+ + d/apache2.install: place the apache2-systemd.conf file in the
1206+ correct location.
1207+ [type=Forking already in the base systemd service file, and
1208+ RemainsAfterExit=no is the default value, so no need to
1209+ customize these anymore.]
1210+ - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
1211+ + added debian/patches/util_ldap_cache_lock_fix.patch
1212+ [Already applied upstream]
1213+
1214+ -- Andreas Hasenack <andreas@canonical.com> Tue, 15 May 2018 11:03:34 -0300
1215+
1216 apache2 (2.4.33-3) unstable; urgency=medium
1217
1218 * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
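Review bot: the six security patches under "Drop:" in 2.4.33-3ubuntu1 (CVE-2017-15710, CVE-2017-15715, CVE-2018-1283, CVE-2018-1301, CVE-2018-1303, CVE-2018-1312) carry no bracketed reason, while the two non-security drops that follow do ("[type=Forking already in the base systemd service file, ...]" and "[Already applied upstream]"). Security fixes are the drops a reader most needs to verify, so each should state the upstream version that contains the fix, as later entries do with "[Fixed in 2.4.48 upstream]". As written, the changelog alone cannot confirm that 2.4.33 covers all six.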
1219@@ -675,6 +1632,91 @@ apache2 (2.4.29-2) unstable; urgency=medium
1220
1221 -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +0000
1222
1223+apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium
1224+
1225+ * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
1226+ - debian/patches/CVE-2017-15710.patch: fix language long names
1227+ detection as short name in modules/aaa/mod_authnz_ldap.c.
1228+ - CVE-2017-15710
1229+ * SECURITY UPDATE: incorrect <FilesMatch> matching
1230+ - debian/patches/CVE-2017-15715.patch: allow to configure
1231+ global/default options for regexes, like caseless matching or
1232+ extended format in include/ap_regex.h, server/core.c,
1233+ server/util_pcre.c.
1234+ - CVE-2017-15715
1235+ * SECURITY UPDATE: mod_session header manipulation
1236+ - debian/patches/CVE-2018-1283.patch: strip Session header when
1237+ SessionEnv is on in modules/session/mod_session.c.
1238+ - CVE-2018-1283
1239+ * SECURITY UPDATE: DoS via specially-crafted request
1240+ - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
1241+ terminated on any error, not only on buffer full in
1242+ server/protocol.c.
1243+ - CVE-2018-1301
1244+ * SECURITY UPDATE: mod_cache_socache DoS
1245+ - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
1246+ to carriage return in modules/cache/mod_cache_socache.c.
1247+ - CVE-2018-1303
1248+ * SECURITY UPDATE: insecure nonce generation
1249+ - debian/patches/CVE-2018-1312.patch: actually use the secret when
1250+ generating nonces in modules/aaa/mod_auth_digest.c.
1251+ - CVE-2018-1312
1252+
1253+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Apr 2018 07:38:24 -0400
1254+
1255+apache2 (2.4.29-1ubuntu4) bionic; urgency=medium
1256+
1257+ * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
1258+ - added debian/patches/util_ldap_cache_lock_fix.patch
1259+
1260+ -- Rafael David Tinoco <rafael.tinoco@canonical.com> Fri, 02 Mar 2018 02:19:31 +0000
1261+
1262+apache2 (2.4.29-1ubuntu3) bionic; urgency=medium
1263+
1264+ * Switch back to OpenSSL 1.1.
1265+
1266+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 11:57:20 +0000
1267+
1268+apache2 (2.4.29-1ubuntu2) bionic; urgency=medium
1269+
1270+ * enable http2 (LP: #1687454) by stopping to disable it
1271+ - debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
1272+ - debian/config-dir/mods-available/http2.load: no more removed.
1273+ - debian/rules: no more removed proxy_http2 from configure.
1274+ * d/t/control, d/t/check-http2: add basic test for http2 support
1275+
1276+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 05 Dec 2017 17:25:39 +0100
1277+
1278+apache2 (2.4.29-1ubuntu1) bionic; urgency=medium
1279+
1280+ * Merge with Debian unstable. Remaining changes:
1281+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1282+ apache2.dirs}: Add ufw profiles.
1283+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1284+ - debian/patches/086_svn_cross_compiles: Backport several cross
1285+ fixes from upstream
1286+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1287+ Debian with Ubuntu on default page.
1288+ + d/source/include-binaries: add Ubuntu icon file
1289+ - Correct systemd-sysv-generator behavior by customizing some
1290+ parameters:
1291+ + d/apache2-systemd.conf: add a drop-in file to specify some
1292+ parameters for the systemd unit (type=Forking and
1293+ RemainsAfterExit=no), this allow a correct state synchronisation
1294+ between systemctl status and actual state of apache2 daemon.
1295+ + d/apache2.install: place the apache2-systemd.conf file in the
1296+ correct location.
1297+ - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1298+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1299+ + debian/config-dir/mods-available/http2.load: removed.
1300+ + debian/rules: removed proxy_http2 from configure.
1301+ * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
1302+ - debian/control: switch BuildDepends to libssl1.0-dev
1303+ - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
1304+ - debian/rules: remove openssl virtual package and logic
1305+
1306+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 10 Nov 2017 10:51:46 -0500
1307+
1308 apache2 (2.4.29-1) unstable; urgency=medium
1309
1310 [ Stefan Fritsch ]
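Review bot: 2.4.29-1ubuntu3 says only "Switch back to OpenSSL 1.1.", but the change it reverts, in 2.4.29-1ubuntu1, had three parts: BuildDepends switched to libssl1.0-dev, the Breaks on gridsite and libapache2-mod-dacs removed, and the openssl virtual package and logic removed from debian/rules. The entry does not say whether the Breaks and the virtual package logic were restored along with the build dependency. Listing the touched files, as the ubuntu1 entry does, would make the TLS library transition auditable from the changelog.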
1311@@ -739,6 +1781,47 @@ apache2 (2.4.27-3) experimental; urgency=medium
1312
1313 -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +0200
1314
1315+apache2 (2.4.27-2ubuntu3) artful; urgency=medium
1316+
1317+ * SECURITY UPDATE: optionsbleed information leak
1318+ - debian/patches/CVE-2017-9798.patch: disallow method registration
1319+ at run time in server/core.c.
1320+ - CVE-2017-9798
1321+
1322+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Sep 2017 11:05:48 -0400
1323+
1324+apache2 (2.4.27-2ubuntu2) artful; urgency=medium
1325+
1326+ * Undrop (LP 1658469):
1327+ - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
1328+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1329+ + debian/config-dir/mods-available/http2.load: removed.
1330+ + debian/rules: removed proxy_http2 from configure.
1331+
1332+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 02 Aug 2017 13:04:45 -0400
1333+
1334+apache2 (2.4.27-2ubuntu1) artful; urgency=medium
1335+
1336+ * Merge with Debian unstable (LP: #1702582). Remaining changes:
1337+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1338+ apache2.dirs}: Add ufw profiles.
1339+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1340+ - debian/patches/086_svn_cross_compiles: Backport several cross
1341+ fixes from upstream
1342+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1343+ Debian with Ubuntu on default page.
1344+ + d/source/include-binaries: add Ubuntu icon file
1345+ - Correct systemd-sysv-generator behavior by customizing some
1346+ parameters:
1347+ + d/apache2-systemd.conf: add a drop-in file to specify some
1348+ parameters for the systemd unit (type=Forking and
1349+ RemainsAfterExit=no), this allow a correct state synchronisation
1350+ between systemctl status and actual state of apache2 daemon.
1351+ + d/apache2.install: place the apache2-systemd.conf file in the
1352+ correct location.
1353+
1354+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 27 Jul 2017 13:38:39 -0700
1355+
1356 apache2 (2.4.27-2) unstable; urgency=medium
1357
1358 * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
1359@@ -768,6 +1851,55 @@ apache2 (2.4.25-4) unstable; urgency=high
1360
1361 -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +0200
1362
1363+apache2 (2.4.25-3ubuntu3) artful; urgency=medium
1364+
1365+ * Re-Drop (LP: #1658469):
1366+ - Don't build experimental http2 module for LTS:
1367+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1368+ + debian/config-dir/mods-available/http2.load: removed.
1369+ + debian/rules: removed proxy_http2 from configure.
1370+ + debian/apache2.maintscript: remove http2 conffile.
1371+
1372+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Mon, 01 May 2017 09:55:11 -0700
1373+
1374+apache2 (2.4.25-3ubuntu2) zesty; urgency=medium
1375+ * Undrop (LP 1658469):
1376+ - Don't build experimental http2 module for LTS:
1377+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1378+ + debian/config-dir/mods-available/http2.load: removed.
1379+ + debian/rules: removed proxy_http2 from configure.
1380+ + debian/apache2.maintscript: remove http2 conffile.
1381+
1382+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 10 Feb 2017 08:53:43 -0800
1383+
1384+apache2 (2.4.25-3ubuntu1) zesty; urgency=medium
1385+
1386+ * Merge from Debian unstable (LP: #1663425). Remaining changes:
1387+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1388+ apache2.dirs}: Add ufw profiles.
1389+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1390+ - debian/patches/086_svn_cross_compiles: Backport several cross
1391+ fixes from upstream
1392+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1393+ Debian with Ubuntu on default page.
1394+ + d/source/include-binaries: add Ubuntu icon file
1395+ - Correct systemd-sysv-generator behavior by customizing some
1396+ parameters:
1397+ + d/apache2-systemd.conf: add a drop-in file to specify some
1398+ parameters for the systemd unit (type=Forking and
1399+ RemainsAfterExit=no), this allow a correct state synchronisation
1400+ between systemctl status and actual state of apache2 daemon.
1401+ + d/apache2.install: place the apache2-systemd.conf file in the
1402+ correct location.
1403+ * Drop (LP: #1658469):
1404+ - Don't build experimental http2 module for LTS:
1405+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1406+ + debian/config-dir/mods-available/http2.load: removed.
1407+ + debian/rules: removed proxy_http2 from configure.
1408+ + debian/apache2.maintscript: remove http2 conffile.
1409+
1410+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 09 Feb 2017 15:48:28 -0800
1411+
1412 apache2 (2.4.25-3) unstable; urgency=medium
1413
1414 * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
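Review bot: In the 2.4.25-3ubuntu2 stanza the bug reference is written "LP 1658469" rather than "LP: #1658469", so it does not match the form used by the Drop and Re-Drop entries on either side, and the stanza has no blank line between its header and the first change line, unlike every other stanza in this hunk. Since the delta is being annotated in this merge, it would also help to say in one line what "Undrop" and "Re-Drop" mean for the http2 module, because all three entries repeat the same "Don't build experimental http2 module for LTS" list and the reader cannot tell from the text alone which state each upload left the package in.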
1415@@ -829,6 +1961,39 @@ apache2 (2.4.25-1) unstable; urgency=medium
1416
1417 -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +0100
1418
1419+apache2 (2.4.23-8ubuntu1) zesty; urgency=medium
1420+
1421+ * Merge from Debian unstable (LP: #). Remaining changes:
1422+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1423+ apache2.dirs}: Add ufw profiles.
1424+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1425+ - debian/patches/086_svn_cross_compiles: Backport several cross
1426+ fixes from upstream
1427+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
1428+ d/source/include-binaries: replace Debian with Ubuntu on default
1429+ page.
1430+ [ include-binaries change previously undocumented ]
1431+ - Don't build experimental http2 module for LTS:
1432+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1433+ + debian/config-dir/mods-available/http2.load: removed.
1434+ + debian/rules: removed proxy_http2 from configure.
1435+ + debian/apache2.maintscript: remove http2 conffile.
1436+ [ Previously undocumented ]
1437+ - Correct systemd-sysv-generator behavior by customizing some
1438+ parameters:
1439+ + d/apache2-systemd.conf: add a drop-in file to specify some
1440+ parameters for the systemd unit (type=Forking and
1441+ RemainsAfterExit=no), this allow a correct state synchronisation
1442+ between systemctl status and actual state of apache2 daemon.
1443+ + d/apache2.install: place the apache2-systemd.conf file in the
1444+ correct location.
1445+ * Drop:
1446+ - debian/rules: Fix cross-building by passing
1447+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1448+ [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]
1449+
1450+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 09 Dec 2016 11:02:38 +0100
1451+
1452 apache2 (2.4.23-8) unstable; urgency=medium
1453
1454 * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
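Review bot: The 2.4.23-8ubuntu1 merge line reads "Merge from Debian unstable (LP: #)." with no bug number after the hash. Either fill in the merge bug or drop the empty parenthetical, so that the entry does not look like it closes a bug it never names.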
1455@@ -839,6 +2004,33 @@ apache2 (2.4.23-8) unstable; urgency=medium
1456
1457 -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100
1458
1459+apache2 (2.4.23-7ubuntu1) zesty; urgency=medium
1460+
1461+ * Merge from Debian unstable. Remaining changes:
1462+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1463+ apache2.dirs}: Add ufw profiles.
1464+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1465+ - debian/rules: Fix cross-building by passing
1466+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1467+ - debian/patches/086_svn_cross_compiles: Backport several cross
1468+ fixes from upstream
1469+ - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
1470+ Debian with Ubuntu on default page.
1471+ - Don't build experimental http2 module for LTS:
1472+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1473+ + debian/config-dir/mods-available/http2.load: removed.
1474+ + debian/rules: removed proxy_http2 from configure.
1475+ - Correct systemd-sysv-generator behavior by customizing some
1476+ parameters:
1477+ + d/apache2-systemd.conf: add a drop-in file to specify some
1478+ parameters for the systemd unit (type=Forking and
1479+ RemainsAfterExit=no), this allow a correct state synchronisation
1480+ between systemctl status and actual state of apache2 daemon.
1481+ + d/apache2.install: place the apache2-systemd.conf file in the
1482+ correct location.
1483+
1484+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Nov 2016 09:17:24 -0500
1485+
1486 apache2 (2.4.23-7) unstable; urgency=medium
1487
1488 * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
1489@@ -953,6 +2145,55 @@ apache2 (2.4.20-1) unstable; urgency=medium
1490
1491 -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200
1492
1493+apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium
1494+
1495+ * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
1496+ - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
1497+ server/util_script.c.
1498+ - CVE-2016-5387
1499+
1500+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Jul 2016 14:32:02 -0400
1501+
1502+apache2 (2.4.18-2ubuntu3) xenial; urgency=medium
1503+
1504+ [ Ryan Harper ]
1505+ * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
1506+ introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
1507+ all, since http2 support is intentionally disabled (see LP 1531864).
1508+ * d/apache2.maintscript: handle removal of http2.load conffile.
1509+
1510+ [ Robie Basak ]
1511+ * Re-write Ryan's changelog entry.
1512+
1513+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 15 Apr 2016 18:00:57 +0000
1514+
1515+apache2 (2.4.18-2ubuntu2) xenial; urgency=medium
1516+
1517+ * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
1518+ - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
1519+ unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation
1520+ between systemctl status and actual state of apache2 daemon.
1521+ - d/apache2.install: place the apache2-systemd.conf file in the correct location.
1522+
1523+ -- Pierre-André MOREY <pierre-andre.morey@canonical.com> Fri, 08 Apr 2016 11:48:00 +0200
1524+
1525+apache2 (2.4.18-2ubuntu1) xenial; urgency=medium
1526+
1527+ * Merge from Debian unstable. Remaining changes:
1528+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1529+ apache2.dirs}: Add ufw profiles.
1530+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1531+ - debian/rules: Fix cross-building by passing
1532+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1533+ - debian/patches/086_svn_cross_compiles: Backport several cross
1534+ fixes from upstream
1535+ - d/index.html: replace Debian with Ubuntu on default page.
1536+ - Don't build experimental http2 module for LTS:
1537+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1538+ + debian/config-dir/mods-available/http2.load: removed.
1539+
1540+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 06 Apr 2016 00:18:31 +0300
1541+
1542 apache2 (2.4.18-2) unstable; urgency=low
1543
1544 * htcacheclean:
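Review bot: debian/patches/CVE-2016-5387.patch, added in the 2.4.18-2ubuntu4 stanza of this hunk, is never accounted for afterwards: the next Ubuntu merge shown in this diff, 2.4.23-7ubuntu1, lists it neither under "Remaining changes" nor under a "Drop patches" heading, whereas CVE-2015-3183 and CVE-2015-3185 get an explicit "Drop patches (applied upstream)" record in 2.4.17-1ubuntu1. Please confirm the httpoxy fix is carried by the merged upstream version and note where it was dropped, so the security delta can be audited from the changelog alone. Separately, the change lines of the 2.4.18-2ubuntu2 stanza run well past 80 columns and could be rewrapped.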
1545@@ -978,6 +2219,24 @@ apache2 (2.4.18-2) unstable; urgency=low
1546
1547 -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200
1548
1549+apache2 (2.4.18-1ubuntu1) xenial; urgency=medium
1550+
1551+ * Merge from Debian unstable. Remaining changes:
1552+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1553+ apache2.dirs}: Add ufw profiles.
1554+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1555+ - Add dep8 tests.
1556+ - debian/rules: Fix cross-building by passing
1557+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1558+ - debian/patches/086_svn_cross_compiles: Backport several cross
1559+ fixes from upstream
1560+ - d/index.html: replace Debian with Ubuntu on default page.
1561+ - Don't build experimental http2 module for LTS:
1562+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1563+ + debian/config-dir/mods-available/http2.load: removed.
1564+
1565+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Jan 2016 15:15:22 -0500
1566+
1567 apache2 (2.4.18-1) unstable; urgency=medium
1568
1569 * New upstream release:
1570@@ -985,12 +2244,48 @@ apache2 (2.4.18-1) unstable; urgency=medium
1571
1572 -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100
1573
1574+apache2 (2.4.17-3ubuntu1) xenial; urgency=medium
1575+
1576+ * Merge from Debian unstable. Remaining changes:
1577+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1578+ apache2.dirs}: Add ufw profiles.
1579+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1580+ - Add dep8 tests.
1581+ - debian/rules: Fix cross-building by passing
1582+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1583+ - debian/patches/086_svn_cross_compiles: Backport several cross
1584+ fixes from upstream
1585+ - d/index.html: replace Debian with Ubuntu on default page.
1586+ - Don't build experimental http2 module for LTS:
1587+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1588+ + debian/config-dir/mods-available/http2.load: removed.
1589+
1590+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Dec 2015 10:07:35 -0500
1591+
1592 apache2 (2.4.17-3) unstable; urgency=medium
1593
1594 * mpm_prefork: Fix segfault if started with -X. Closes: #805737
1595
1596 -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100
1597
1598+apache2 (2.4.17-2ubuntu1) xenial; urgency=medium
1599+
1600+ * Merge from Debian unstable. Remaining changes:
1601+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1602+ apache2.dirs}: Add ufw profiles.
1603+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1604+ - Add dep8 tests.
1605+ - debian/rules: Fix cross-building by passing
1606+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1607+ - debian/patches/086_svn_cross_compiles: Backport several cross
1608+ fixes from upstream
1609+ - d/index.html: replace Debian with Ubuntu on default page.
1610+ - Don't build experimental http2 module for LTS:
1611+ + debian/control: removed libnghttp2-dev Build-Depends (in universe).
1612+ + debian/config-dir/mods-available/http2.load: removed.
1613+
1614+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Nov 2015 09:11:52 -0500
1615+
1616 apache2 (2.4.17-2) unstable; urgency=medium
1617
1618 * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
1619@@ -1001,6 +2296,31 @@ apache2 (2.4.17-2) unstable; urgency=medium
1620
1621 -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100
1622
1623+apache2 (2.4.17-1ubuntu1) xenial; urgency=medium
1624+
1625+ * Merge from Debian unstable. Remaining changes:
1626+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1627+ apache2.dirs}: Add ufw profiles.
1628+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1629+ - Add dep8 tests.
1630+ - debian/rules: Fix cross-building by passing
1631+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1632+ - debian/patches/086_svn_cross_compiles: Backport several cross
1633+ fixes from upstream
1634+ - d/index.html: replace Debian with Ubuntu on default page.
1635+ * Drop patches (applied upstream):
1636+ - debian/patches/CVE-2015-3183.patch
1637+ - debian/patches/CVE-2015-3185.patch
1638+ * Drop changes (adopted in Debian):
1639+ - Allow "triggers-awaited" and "triggers-pending" states in addition
1640+ to "installed" when determining whether to defer actions or
1641+ process deferred actions.
1642+ * Don't build experimental http2 module for LTS
1643+ - debian/control: removed libnghttp2-dev Build-Depends (in universe).
1644+ - debian/config-dir/mods-available/http2.load: removed.
1645+
1646+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 30 Oct 2015 09:35:46 -0400
1647+
1648 apache2 (2.4.17-1) unstable; urgency=medium
1649
1650 [ Stefan Fritsch ]
1651@@ -1066,6 +2386,49 @@ apache2 (2.4.16-1) unstable; urgency=medium
1652
1653 -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200
1654
1655+apache2 (2.4.12-2ubuntu2) wily; urgency=medium
1656+
1657+ * SECURITY UPDATE: request smuggling via chunked transfer encoding
1658+ - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
1659+ modules/http/http_filters.c.
1660+ - CVE-2015-3183
1661+ * SECURITY UPDATE: access restriction bypass via deprecated API
1662+ - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
1663+ in include/http_request.h, server/request.c.
1664+ - CVE-2015-3185
1665+
1666+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 24 Jul 2015 09:56:09 -0400
1667+
1668+apache2 (2.4.12-2ubuntu1) wily; urgency=medium
1669+
1670+ * Merge from Debian unstable. Remaining changes:
1671+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1672+ apache2.dirs}: Add ufw profiles.
1673+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1674+ - Add dep8 tests.
1675+ - debian/rules: Fix cross-building by passing
1676+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1677+ - debian/patches/086_svn_cross_compiles: Backport several cross
1678+ fixes from upstream
1679+ - d/index.html: replace Debian with Ubuntu on default page.
1680+ - Allow "triggers-awaited" and "triggers-pending" states in addition
1681+ to "installed" when determining whether to defer actions or
1682+ process deferred actions.
1683+ * Drop patches (applied upstream):
1684+ - d/p/split-logfile.patch
1685+ - d/p/CVE-2015-0228.patch
1686+ * Drop changes (superceded in Debian):
1687+ - Cherry-pick versioned build-depend on dpkg from Debian for correct
1688+ dpkg-maintscript-helper symlink_to_dir support.
1689+ * Drop changes (adopted in Debian):
1690+ - d/control, d/config-dir/mods-available/ssl.conf,
1691+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1692+ dialog program ask-for-passphrase.
1693+ * Fix cross-building configure line in d/rules, which had bit-rotted in
1694+ previous merges.
1695+
1696+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 May 2015 16:34:00 +0000
1697+
1698 apache2 (2.4.12-2) unstable; urgency=medium
1699
1700 [ Jean-Michel Nirgal Vourgère ]
1701@@ -1115,6 +2478,28 @@ apache2 (2.4.10-10) unstable; urgency=medium
1702
1703 -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100
1704
1705+apache2 (2.4.10-9ubuntu1) vivid; urgency=medium
1706+
1707+ * Merge from Debian unstable. Remaining changes:
1708+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1709+ apache2.dirs}: Add ufw profiles.
1710+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1711+ - d/control, d/config-dir/mods-available/ssl.conf,
1712+ - Add dep8 tests.
1713+ - debian/rules: Fix cross-building by passing
1714+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1715+ - debian/patches/086_svn_cross_compiles: Backport several cross
1716+ fixes from upstream
1717+ - d/index.html: replace Debian with Ubuntu on default page.
1718+ - d/p/split-logfile.patch: fix completely broken split-logfile
1719+ command.
1720+ - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
1721+ denial of service in mod_lua via websockets PING
1722+ * debian/tests/ssl-passphrase: Add password responder for
1723+ systemd-ask-passphrase.
1724+
1725+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 09 Mar 2015 12:03:16 +0100
1726+
1727 apache2 (2.4.10-9) unstable; urgency=medium
1728
1729 * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
1730@@ -1129,6 +2514,54 @@ apache2 (2.4.10-9) unstable; urgency=medium
1731
1732 -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100
1733
1734+apache2 (2.4.10-8ubuntu3) vivid; urgency=medium
1735+
1736+ * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
1737+ directives
1738+ - debian/patches/CVE-2014-8109.patch: handle multiple Require
1739+ directives with different arguments in modules/lua/mod_lua.c.
1740+ - CVE-2014-8109
1741+ * SECURITY UPDATE: denial of service in mod_lua via websockets PING
1742+ - debian/patches/CVE-2015-0228.patch: fix logic in
1743+ modules/lua/lua_request.c.
1744+ - CVE-2015-0228
1745+
1746+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 05 Mar 2015 10:56:34 -0500
1747+
1748+apache2 (2.4.10-8ubuntu2) vivid; urgency=medium
1749+
1750+ * Allow "triggers-awaited" and "triggers-pending" states in addition to
1751+ "installed" when determining whether to defer actions or process
1752+ deferred actions (LP: #1393832).
1753+
1754+ -- Colin Watson <cjwatson@ubuntu.com> Wed, 26 Nov 2014 11:31:44 +0000
1755+
1756+apache2 (2.4.10-8ubuntu1) vivid; urgency=medium
1757+
1758+ * Merge from Debian unstable. Remaining changes:
1759+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1760+ apache2.dirs}: Add ufw profiles.
1761+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1762+ - d/control, d/config-dir/mods-available/ssl.conf,
1763+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1764+ dialog program ask-for-passphrase.
1765+ - Add dep8 tests.
1766+ - debian/rules: Fix cross-building by passing
1767+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1768+ - debian/patches/086_svn_cross_compiles: Backport several cross
1769+ fixes from upstream
1770+ - d/index.html: replace Debian with Ubuntu on default page.
1771+ - d/p/split-logfile.patch: fix completely broken split-logfile
1772+ command.
1773+ * Fixes from Debian included in merge:
1774+ - Crash caused by OCSP stapling code; this was erroneously
1775+ attributed to Debian in my previous merge, but actually only
1776+ appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
1777+ * Cherry-pick versioned build-depend on dpkg from Debian for correct
1778+ dpkg-maintscript-helper symlink_to_dir support.
1779+
1780+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 21 Nov 2014 15:15:58 +0000
1781+
1782 apache2 (2.4.10-8) unstable; urgency=medium
1783
1784 * Bump dpkg Pre-Depends to version that supports relative symlinks in
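Review bot: Two changes introduced in this hunk are not tracked consistently by the following merge entry. The 2.4.10-8ubuntu2 change (allow "triggers-awaited" and "triggers-pending", LP: #1393832) is absent from the "Remaining changes" list of 2.4.10-9ubuntu1 but reappears as remaining in 2.4.12-2ubuntu1, and debian/patches/CVE-2014-8109.patch from 2.4.10-8ubuntu3 is not recorded as dropped in 2.4.10-9ubuntu1 even though the Debian 2.4.10-9 entry lists a CVE-2014-8109 fix. An annotation on each would make clear whether the delta was carried silently or lost and re-added.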
1785@@ -1143,6 +2576,33 @@ apache2 (2.4.10-8) unstable; urgency=medium
1786
1787 -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100
1788
1789+apache2 (2.4.10-7ubuntu1) vivid; urgency=medium
1790+
1791+ * Merge from Debian unstable. Remaining changes:
1792+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1793+ apache2.dirs}: Add ufw profiles.
1794+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1795+ - d/control, d/config-dir/mods-available/ssl.conf,
1796+ d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
1797+ dialog program ask-for-passphrase.
1798+ - Add dep8 tests.
1799+ - debian/rules: Fix cross-building by passing
1800+ DEB_{HOST,BUILD}_GNU_TYPE to configure.
1801+ - debian/patches/086_svn_cross_compiles: Backport several cross
1802+ fixes from upstream
1803+ - d/index.html: replace Debian with Ubuntu on default page.
1804+ - d/p/split-logfile.patch: fix completely broken split-logfile command.
1805+ * Fixes from Debian included in merge:
1806+ - Don't use a2query in preinst, as it may not be available yet
1807+ (LP: #1312533).
1808+ - Crash caused by OCSP stapling code (LP: #1366174).
1809+ - Disable SSLv3 in default config (LP: #1358305).
1810+ - If apache2 is not configured yet, defer actions executed via
1811+ apache2-maintscript-helper. This fixes installation failures if a
1812+ module package is configured first (LP: #1312854).
1813+
1814+ -- Robie Basak <robie.basak@ubuntu.com> Mon, 17 Nov 2014 18:04:40 +0000
1815+
1816 apache2 (2.4.10-7) unstable; urgency=medium
1817
1818 * Handle transitions of doc dirs and symlinks correctly during upgrade.
1819@@ -1226,6 +2686,25 @@ apache2 (2.4.10-2) unstable; urgency=medium
1820
1821 -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200
1822
1823+apache2 (2.4.10-1ubuntu1) utopic; urgency=medium
1824+
1825+ * Merge from Debian unstable. Remaining changes:
1826+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1827+ apache2.dirs}: Add ufw profiles.
1828+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1829+ - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
1830+ d/apache2.install: Plymouth aware passphrase dialog program
1831+ ask-for-passphrase.
1832+ - Add dep8 tests.
1833+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
1834+ configure.
1835+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
1836+ upstream
1837+ - d/index.html: replace Debian with Ubuntu on default page.
1838+ - d/p/split-logfile.patch: fix completely broken split-logfile command.
1839+
1840+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 24 Jul 2014 15:13:16 +0000
1841+
1842 apache2 (2.4.10-1) unstable; urgency=medium
1843
1844 [ Arno Töll ]
1845@@ -1273,6 +2752,45 @@ apache2 (2.4.9-2) unstable; urgency=medium
1846
1847 -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200
1848
1849+apache2 (2.4.9-1ubuntu2) utopic; urgency=medium
1850+
1851+ * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
1852+ yet support building against lua 5.2 (LP: #1323930).
1853+
1854+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 28 May 2014 08:55:25 +0000
1855+
1856+apache2 (2.4.9-1ubuntu1) utopic; urgency=medium
1857+
1858+ * Merge from Debian unstable. Remaining changes:
1859+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1860+ apache2.dirs}: Add ufw profiles.
1861+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1862+ - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
1863+ d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
1864+ dialog program ask-for-passphrase.
1865+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
1866+ configure.
1867+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
1868+ upstream
1869+ - Build using lua5.2.
1870+ - d/tests/chroot: dep8 test for ChrootDir case.
1871+ - d/tests/ssl-passphrase: update for new default path /var/www/html.
1872+ - d/tests/duplicate-module-load: check for duplicate module loads.
1873+ - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
1874+ - d/p/split-logfile.patch: fix completely broken split-logfile command
1875+ (LP: #1299162). Thanks to Holger Mauermann.
1876+ * Drop changes (upstreamed):
1877+ - d/p/ignore-quilt-dir: adjust build system so that it does not use
1878+ files find inside the .pc directory. This stops a double module load
1879+ causing later havoc, including "ChrootDir" directive failure.
1880+ - debian/patches/CVE-2013-6438.patch: properly calculate correct length
1881+ in modules/dav/main/util.c.
1882+ - debian/patches/CVE-2014-0098.patch: properly parse tokens in
1883+ modules/loggers/mod_log_config.c.
1884+ * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
1885+
1886+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 May 2014 19:30:04 +0000
1887+
1888 apache2 (2.4.9-1) unstable; urgency=medium
1889
1890 * New upstream version.
1891@@ -1305,6 +2823,63 @@ apache2 (2.4.9-1) unstable; urgency=medium
1892
1893 -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +0100
1894
1895+apache2 (2.4.7-1ubuntu4) trusty; urgency=medium
1896+
1897+ * d/p/split-logfile.patch: fix completely broken split-logfile command
1898+ (LP: #1299162). Thanks to Holger Mauermann.
1899+
1900+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 03 Apr 2014 11:21:22 +0000
1901+
1902+apache2 (2.4.7-1ubuntu3) trusty; urgency=medium
1903+
1904+ * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
1905+ calculation
1906+ - debian/patches/CVE-2013-6438.patch: properly calculate correct length
1907+ in modules/dav/main/util.c.
1908+ - CVE-2013-6438
1909+ * SECURITY UPDATE: denial of service via truncated cookie and
1910+ mod_log_config
1911+ - debian/patches/CVE-2014-0098.patch: properly parse tokens in
1912+ modules/loggers/mod_log_config.c.
1913+ - CVE-2014-0098
1914+
1915+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Mar 2014 08:34:10 -0400
1916+
1917+apache2 (2.4.7-1ubuntu2) trusty; urgency=medium
1918+
1919+ * d/index.html: replace Debian with Ubuntu on default page
1920+ (LP: #1288690).
1921+
1922+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 19 Mar 2014 11:04:21 +0000
1923+
1924+apache2 (2.4.7-1ubuntu1) trusty; urgency=medium
1925+
1926+ * Merge from Debian unstable. Remaining changes:
1927+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1928+ apache2.dirs}: Add ufw profiles.
1929+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1930+ - d/control, d/config-dir/mods-available/ssl.conf,
1931+ d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase:
1932+ Plymouth aware passphrase dialog program ask-for-passphrase.
1933+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
1934+ to configure.
1935+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes
1936+ from upstream
1937+ - Build using lua5.2.
1938+ - d/tests/chroot: dep8 test for ChrootDir case.
1939+ - d/p/ignore-quilt-dir: adjust build system so that it does not use
1940+ files find inside the .pc directory. This stops a double module load
1941+ causing later havoc, including "ChrootDir" directive failure.
1942+ * Drop changes:
1943+ - debian/{control, rules}: Enable PIE hardening: no longer required;
1944+ 2.4.7-1 is already hardened.
1945+ - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved
1946+ out of this package.
1947+ * d/tests/ssl-passphrase: update for new default path /var/www/html.
1948+ * d/tests/duplicate-module-load: check for duplicate module loads.
1949+
1950+ -- Robie Basak <robie.basak@ubuntu.com> Tue, 14 Jan 2014 17:23:47 +0000
1951+
1952 apache2 (2.4.7-1) unstable; urgency=low
1953
1954 New upstream version
1955@@ -1368,6 +2943,53 @@ apache2 (2.4.6-3) unstable; urgency=low
1956
1957 -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +0200
1958
1959+apache2 (2.4.6-2ubuntu4) trusty; urgency=low
1960+
1961+ * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so
1962+ that it does not use files find inside the .pc directory. This stops a
1963+ double module load causing later havoc, including "ChrootDir" directive
1964+ failure (LP: #1251939). Thanks to Stefan Fritsch.
1965+ * d/tests/chroot: dep8 test for ChrootDir case.
1966+
1967+ -- Robie Basak <robie.basak@ubuntu.com> Thu, 28 Nov 2013 16:21:51 +0000
1968+
1969+apache2 (2.4.6-2ubuntu3) trusty; urgency=low
1970+
1971+ * debian/apache2.install: Correct path for ufw.
1972+ (LP: #1252722)
1973+
1974+ -- Chuck Short <zulcss@ubuntu.com> Tue, 19 Nov 2013 08:59:54 -0500
1975+
1976+apache2 (2.4.6-2ubuntu2) saucy; urgency=low
1977+
1978+ * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes
1979+ passphrase prompting for SSL certificates that are passphrase protected.
1980+ * Add dep8 test for SSL passphrase prompting.
1981+
1982+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 09 Aug 2013 13:08:52 +0000
1983+
1984+apache2 (2.4.6-2ubuntu1) saucy; urgency=low
1985+
1986+ * Merge from Debian unstable. Remaining changes:
1987+ - debian/{control, rules}: Enable PIE hardening.
1988+ - debian/{control, apache2.install, apache2-utils.ufw.profile,
1989+ apache2.dirs}: Add ufw profiles.
1990+ - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
1991+ - debian/control, debian/config-dir/mods-available/ssl.conf,
1992+ debian/ask-for-passphrase, debian/apache2.install: Plymouth aware
1993+ passphrase dialog program ask-for-passphrase.
1994+ - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
1995+ to configure.
1996+ - debian/patches/086_svn_cross_compiles: Backport several cross fixes
1997+ from upstream
1998+ * Dropped changes:
1999+ - debian/patches/CVE-2013-1896.patch: upstream
2000+ * Fixed module dependencies (LP: #1205314)
2001+ - debian/config-dir/mods-available/lbmethod_*: properly specify
2002+ proxy_balancer, not mod_proxy_balancer.
2003+
2004+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Jul 2013 08:31:33 -0400
2005+
2006 apache2 (2.4.6-2) unstable; urgency=low
2007
2008 [ Stefan Fritsch ]
2009@@ -1420,6 +3042,56 @@ apache2 (2.4.6-1) unstable; urgency=low
2010
2011 -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +0200
2012
2013+apache2 (2.4.4-6ubuntu5) saucy; urgency=low
2014+
2015+ * SECURITY UPDATE: denial of service via MERGE request
2016+ - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
2017+ in modules/dav/main/mod_dav.c.
2018+ - CVE-2013-1896
2019+
2020+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Jul 2013 11:20:47 -0400
2021+
2022+apache2 (2.4.4-6ubuntu4) saucy; urgency=low
2023+
2024+ * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to
2025+ apache2-bin. apache2-utils is only suggested by apache2, so may not
2026+ always be installed by bug reporters. However, apache2-bin will always
2027+ need to be installed for Apache to be functional, so this is a better
2028+ place for the apport hook. apache2-bin already Conflicts/Replaces
2029+ apache2.2-common, so this also fixes (LP: #1199318).
2030+ * d/apache2.py: adjust apport hook for new location of configuration
2031+ files in apache2 >= 2.4: they have moved from apache2.2-common to
2032+ apache2.
2033+
2034+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 17 Jul 2013 17:54:22 +0000
2035+
2036+apache2 (2.4.4-6ubuntu3) saucy; urgency=low
2037+
2038+ * Build using lua5.2.
2039+
2040+ -- Matthias Klose <doko@ubuntu.com> Wed, 17 Jul 2013 14:24:42 +0200
2041+
2042+apache2 (2.4.4-6ubuntu2) saucy; urgency=low
2043+
2044+ * debian/rules: Fix FTBFS while installing ufw.
2045+
2046+ -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 10:10:14 -0500
2047+
2048+apache2 (2.4.4-6ubuntu1) saucy; urgency=low
2049+
2050+ * Merge from Debian unstable. Remaining changes:
2051+ - debian/{control, rules}: Enable PIE hardening.
2052+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2053+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2054+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2055+ Plymouth aware passphrase dialog program ask-for-passphrase.
2056+ * Dropped changes:
2057+ - debian/patches/CVE-2012-2687.patch: Dropped no longer needed.
2058+ - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed.
2059+ - debian/patches/CVE-2012-4929.patch: Dropped no longer needed.
2060+
2061+ -- Chuck Short <zulcss@ubuntu.com> Tue, 02 Jul 2013 08:34:01 -0500
2062+
2063 apache2 (2.4.4-6) unstable; urgency=low
2064
2065 * Denote exact versions breaking gnome-user-share now that Gnome maintainers
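Review bot: The "Dropped changes" list in 2.4.4-6ubuntu1 gives only "Dropped no longer needed" for CVE-2012-2687.patch, CVE-2012-3499_4558.patch and CVE-2012-4929.patch, without saying whether the fixes are in the new upstream version, and it does not mention the CVE-2013-1048 change to debian/apache2ctl (the mkdir_chown() function) from the preceding Ubuntu entry shown in this diff, 2.2.22-6ubuntu5. Please annotate the reason for each drop and state what happened to the apache2ctl symlink fix, so every security patch has a visible disposition across the 2.2 to 2.4 transition. The "debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:" line in the same stanza is also over 80 columns.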
2066@@ -1891,6 +3563,122 @@ apache2 (2.4.1-1) experimental; urgency=low
2067
2068 -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +0100
2069
2070+apache2 (2.2.22-6ubuntu5) raring; urgency=low
2071+
2072+ * SECURITY UPDATE: multiple cross-site scripting issues
2073+ - debian/patches/CVE-2012-3499_4558.patch: properly escape html in
2074+ modules/generators/{mod_info.c,mod_status.c},
2075+ modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c,
2076+ modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}.
2077+ - CVE-2012-3499
2078+ - CVE-2012-4558
2079+ * SECURITY UPDATE: symlink attack in apache2ctl script
2080+ - debian/apache2ctl: introduce and use a safer mkdir_chown() function.
2081+ - Thanks to Stefan Fritsch for the fix.
2082+ - CVE-2013-1048
2083+
2084+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 15 Mar 2013 07:59:58 -0400
2085+
2086+apache2 (2.2.22-6ubuntu4) raring; urgency=low
2087+
2088+ * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
2089+ * Skip module sanity check between MPMs if cross-building without the
2090+ kernel/binfmt support to run our target binaries on the build system.
2091+ * Backport several cross fixes from upstream as 086_svn_cross_compiles.
2092+
2093+ -- Adam Conrad <adconrad@ubuntu.com> Wed, 05 Dec 2012 02:21:46 -0700
2094+
2095+apache2 (2.2.22-6ubuntu3) raring; urgency=low
2096+
2097+ * SECURITY UPDATE: XSS vulnerability in mod_negotiation
2098+ - debian/patches/CVE-2012-2687.patch: escape filenames in
2099+ modules/mappers/mod_negotiation.c.
2100+ - CVE-2012-2687
2101+ * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
2102+ - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off
2103+ directive. Defaults to off as enabling compression enables the CRIME
2104+ attack.
2105+ - CVE-2012-4929
2106+
2107+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 08 Nov 2012 17:56:24 -0500
2108+
2109+apache2 (2.2.22-6ubuntu2) quantal; urgency=low
2110+
2111+ * debian/apache2.py
2112+ - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171)
2113+ - Check if this directory exists: /etc/apache2/sites-enabled/
2114+
2115+ -- Matthieu Baerts (matttbe) <matttbe@gmail.com> Mon, 16 Jul 2012 10:02:18 +0200
2116+
2117+apache2 (2.2.22-6ubuntu1) quantal; urgency=low
2118+
2119+ * Merge from Debian unstable. Remaining changes:
2120+ - debian/{control, rules}: Enable PIE hardening.
2121+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2122+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2123+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2124+ Plymouth aware passphrase dialog program ask-for-passphrase.
2125+ * Dropped changes:
2126+ - debian/control: Add bzr tag and point it to our tree; this is not
2127+ really required and just increases the delta.
2128+
2129+ -- Robie Basak <robie.basak@ubuntu.com> Fri, 08 Jun 2012 11:37:31 +0100
2130+
2131+apache2 (2.2.22-6) unstable; urgency=low
2132+
2133+ [ Stefan Fritsch ]
2134+ * Fix regression causing apache2 to cache "206 partial content" responses,
2135+ and then serving these partial responses when replying to normal requests.
2136+ Closes: #671204
2137+ * Add section to security.conf that shows how to forbid access to VCS
2138+ directories. Closes: #548213
2139+ * Update ssl default cipher config, add alternative speed optimized config.
2140+ Closes: #649020
2141+ * Add "AddCharset" for .brf files in default mod_mime config.
2142+ Closes: #402567
2143+ * Don't create httpd.conf anymore and don't include it in apache2.conf. If
2144+ it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
2145+ * Port some of the comments in apache2.conf from the 2.4 package.
2146+ * Compile mod_version statically, drop associated module load file.
2147+ * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
2148+ configtest.
2149+ * Note in README.Debian that future versions of the package will have the
2150+ include statements changed to include only *.conf.
2151+ * Change compiled-in document root to /var/www, to avoid strange error
2152+ messages.
2153+ * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
2154+
2155+ [ Arno Töll ]
2156+ * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
2157+ to override LDFLAGS at compile time by defining LDLAGS in the environment,
2158+ just like it is possible for CFLAGS. This also means, config_vars.mk now
2159+ exports hardening build flags by default.
2160+ * Update doc-base metadata for the apache2-doc package.
2161+
2162+ -- Stefan Fritsch <sf@debian.org> Tue, 29 May 2012 22:05:48 +0200
2163+
2164+apache2 (2.2.22-5) unstable; urgency=low
2165+
2166+ * Make LoadFile and LoadModule look in the standard search paths if the
2167+ dso file name is given as a pure filename. This helps with the multi-arch
2168+ transition.
2169+
2170+ -- Stefan Fritsch <sf@debian.org> Mon, 30 Apr 2012 23:38:33 +0200
2171+
2172+apache2 (2.2.22-4) unstable; urgency=high
2173+
2174+ * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
2175+ hosts' config files.
2176+ If scripting modules like mod_php or mod_rivet are enabled on systems
2177+ where either 1) some frontend server forwards connections to an apache2
2178+ backend server on the localhost address, or 2) the machine running
2179+ apache2 is also used for web browsing, this could allow a remote
2180+ attacker to execute example scripts stored under /usr/share/doc.
2181+ Depending on the installed packages, this could lead to issues like cross
2182+ site scripting, code execution, or leakage of sensitive data.
2183+
2184+ -- Stefan Fritsch <sf@debian.org> Sun, 15 Apr 2012 23:41:43 +0200
2185+
2186 apache2 (2.2.22-3) unstable; urgency=low
2187
2188 * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
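Review bot: The entries for 2.2.22-6, 2.2.22-5 and 2.2.22-4 are Debian uploads to unstable signed by Stefan Fritsch, yet they appear as + lines against debian/sid, which means the target changelog does not contain them. Please confirm this is expected history on the Ubuntu side and not a merge artefact. It matters because 2.2.22-4 records the CVE-2012-0216 fix (removal of "Alias /doc /usr/share/doc"), and changelog-based CVE tracking relies on that entry being present exactly once.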
2189@@ -1911,6 +3699,18 @@ apache2 (2.2.22-2) unstable; urgency=low
2190
2191 -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +0100
2192
2193+apache2 (2.2.22-1ubuntu1) precise; urgency=low
2194+
2195+ * Merge from Debian testing. Remaining changes:
2196+ - debian/{control, rules}: Enable PIE hardening.
2197+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2198+ - debian/control: Add bzr tag and point it to our tree
2199+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2200+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2201+ Plymouth aware passphrase dialog program ask-for-passphrase.
2202+
2203+ -- Chuck Short <zulcss@ubuntu.com> Sun, 12 Feb 2012 20:06:35 -0500
2204+
2205 apache2 (2.2.22-1) unstable; urgency=low
2206
2207 [ Stefan Fritsch ]
2208@@ -1928,6 +3728,18 @@ apache2 (2.2.22-1) unstable; urgency=low
2209
2210 -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +0100
2211
2212+apache2 (2.2.21-5ubuntu1) precise; urgency=low
2213+
2214+ * Merge from Debian testing. Remaining changes:
2215+ - debian/{control, rules}: Enable PIE hardening.
2216+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2217+ - debian/control: Add bzr tag and point it to our tree
2218+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2219+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2220+ Plymouth aware passphrase dialog program ask-for-passphrase.
2221+
2222+ -- Chuck Short <zulcss@ubuntu.com> Mon, 09 Jan 2012 06:26:31 +0000
2223+
2224 apache2 (2.2.21-5) unstable; urgency=low
2225
2226 [ Arno Töll ]
2227@@ -1981,6 +3793,26 @@ apache2 (2.2.21-4) unstable; urgency=low
2228
2229 -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +0100
2230
2231+apache2 (2.2.21-3ubuntu2) precise; urgency=low
2232+
2233+ * d/ask-for-passphrase: Flip the logic of this script so that it checks
2234+ first to see if apache is being started from a TTY, and then if not,
2235+ tries plymouth. (LP: #887410)
2236+
2237+ -- Clint Byrum <clint@ubuntu.com> Tue, 06 Dec 2011 16:49:33 -0800
2238+
2239+apache2 (2.2.21-3ubuntu1) precise; urgency=low
2240+
2241+ * Merge from Debian testing. Remaining changes:
2242+ - debian/{control, rules}: Enable PIE hardening.
2243+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2244+ - debian/control: Add bzr tag and point it to our tree
2245+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2246+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2247+ Plymouth aware passphrase dialog program ask-for-passphrase.
2248+
2249+ -- Chuck Short <zulcss@ubuntu.com> Fri, 09 Dec 2011 05:20:43 +0000
2250+
2251 apache2 (2.2.21-3) unstable; urgency=medium
2252
2253 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
2254@@ -1995,6 +3827,24 @@ apache2 (2.2.21-3) unstable; urgency=medium
2255
2256 -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +0100
2257
2258+apache2 (2.2.21-2ubuntu2) precise; urgency=low
2259+
2260+ * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
2261+
2262+ -- Adam Conrad <adconrad@ubuntu.com> Fri, 02 Dec 2011 17:36:28 -0700
2263+
2264+apache2 (2.2.21-2ubuntu1) precise; urgency=low
2265+
2266+ * Merge from debian unstable. Remaining changes:
2267+ - debian/{control, rules}: Enable PIE hardening.
2268+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2269+ - debian/control: Add bzr tag and point it to our tree
2270+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2271+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2272+ Plymouth aware passphrase dialog program ask-for-passphrase.
2273+
2274+ -- Chuck Short <zulcss@ubuntu.com> Fri, 14 Oct 2011 16:01:29 +0000
2275+
2276 apache2 (2.2.21-2) unstable; urgency=high
2277
2278 * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
2279@@ -2012,6 +3862,19 @@ apache2 (2.2.21-1) unstable; urgency=low
2280
2281 -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +0200
2282
2283+apache2 (2.2.20-1ubuntu1) oneiric; urgency=low
2284+
2285+ * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
2286+ Remaining changes:
2287+ - debian/{control, rules}: Enable PIE hardening.
2288+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2289+ - debian/control: Add bzr tag and point it to our tree
2290+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2291+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2292+ Plymouth aware passphrase dialog program ask-for-passphrase.
2293+
2294+ -- Steve Beattie <sbeattie@ubuntu.com> Tue, 06 Sep 2011 01:17:15 -0700
2295+
2296 apache2 (2.2.20-1) unstable; urgency=low
2297
2298 * New upstream release.
2299@@ -2034,6 +3897,18 @@ apache2 (2.2.19-2) unstable; urgency=high
2300
2301 -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +0200
2302
2303+apache2 (2.2.19-1ubuntu1) oneiric; urgency=low
2304+
2305+ * Merge from debian unstable (LP: #787013). Remaining changes:
2306+ - debian/{control, rules}: Enable PIE hardening.
2307+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2308+ - debian/control: Add bzr tag and point it to our tree
2309+ - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
2310+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2311+ Plymouth aware passphrase dialog program ask-for-passphrase.
2312+
2313+ -- Andres Rodriguez <andreserl@ubuntu.com> Mon, 23 May 2011 10:16:09 -0400
2314+
2315 apache2 (2.2.19-1) unstable; urgency=low
2316
2317 * New upstream release.
2318@@ -2051,6 +3926,18 @@ apache2 (2.2.19-1) unstable; urgency=low
2319
2320 -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +0200
2321
2322+apache2 (2.2.17-3ubuntu1) oneiric; urgency=low
2323+
2324+ * Merge from debian unstable. Remaining changes:
2325+ - debian/{control, rules}: Enable PIE hardening.
2326+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2327+ - debian/control: Add bzr tag and point it to our tree
2328+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
2329+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2330+ Plymouth aware passphrase dialog program ask-for-passphrase.
2331+
2332+ -- Chuck Short <zulcss@ubuntu.com> Mon, 11 Apr 2011 02:13:30 +0100
2333+
2334 apache2 (2.2.17-3) unstable; urgency=low
2335
2336 * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
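Review bot: The apport hook line in the 2.2.17-3ubuntu1 entry misspells both paths, "debain/apache2.py, debian/apache2.2-common.isntall", so a grep for debian/apache2.py will miss this entry when tracing the history of the apport hook delta. Published entries normally stay verbatim, so keep the line, but check that the new merge entry spells the path correctly and does not copy this line forward.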
2337@@ -2077,6 +3964,18 @@ apache2 (2.2.17-2) unstable; urgency=high
2338
2339 -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +0100
2340
2341+apache2 (2.2.17-1ubuntu1) natty; urgency=low
2342+
2343+ * Merge from debian unstable, remaining changes:
2344+ - debian/{control, rules}: Enable PIE hardening.
2345+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2346+ - debian/control: Add bzr tag and point it to our tree
2347+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
2348+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2349+ Plymouth aware passphrase dialog program ask-for-passphrase.
2350+
2351+ -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Feb 2011 13:02:08 -0500
2352+
2353 apache2 (2.2.17-1) unstable; urgency=low
2354
2355 * New upstream version
2356@@ -2085,6 +3984,32 @@ apache2 (2.2.17-1) unstable; urgency=low
2357
2358 -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +0100
2359
2360+apache2 (2.2.16-6ubuntu3) natty; urgency=low
2361+
2362+ * debian/rules: Don't use "-fno-strict-aliasing" since it causes
2363+ apache FTBFS on amd64. (LP: #711293)
2364+
2365+ -- Chuck Short <zulcss@ubuntu.com> Tue, 01 Feb 2011 10:19:55 -0500
2366+
2367+apache2 (2.2.16-6ubuntu2) natty; urgency=low
2368+
2369+ * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug.
2370+ (LP: #697105)
2371+
2372+ -- Chuck Short <zulcss@ubuntu.com> Tue, 25 Jan 2011 11:14:58 -0500
2373+
2374+apache2 (2.2.16-6ubuntu1) natty; urgency=low
2375+
2376+ * Merge from debian unstable. Remaining changes:
2377+ - debian/{control, rules}: Enable PIE hardening.
2378+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2379+ - debian/control: Add bzr tag and point it to our tree
2380+ - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook.
2381+ - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
2382+ Plymouth aware passphrase dialog program ask-for-passphrase.
2383+
2384+ -- Chuck Short <zulcss@ubuntu.com> Sun, 02 Jan 2011 06:05:51 +0000
2385+
2386 apache2 (2.2.16-6) unstable; urgency=low
2387
2388 * Also add $named to the secondary-init-script example.
2389@@ -2100,6 +4025,30 @@ apache2 (2.2.16-5) unstable; urgency=medium
2390
2391 -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +0100
2392
2393+apache2 (2.2.16-4ubuntu2) natty; urgency=low
2394+
2395+ [Clint Byrum]
2396+ * Adding plymouth aware passphrase dialog program ask-for-passphrase.
2397+ (LP: #582963)
2398+ + debian/control: apache2.2-common depends on bash for ask-for-passphrase
2399+ + debian/config-dir/mods-available/ssl.conf:
2400+ - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase
2401+
2402+ [Chuck Short]
2403+ * Add apport hook. (LP: #609177)
2404+ + debian/apache2.py, debian/apache2.2-common.install
2405+
2406+ -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:43 -0500
2407+
2408+apache2 (2.2.16-4ubuntu1) natty; urgency=low
2409+
2410+ * Merge from debian unstable. Remaining changes:
2411+ - debian/{control, rules}: Enable PIE hardening.
2412+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2413+ - debian/control: Add bzr tag and point it to our tree
2414+
2415+ -- Chuck Short <zulcss@ubuntu.com> Mon, 22 Nov 2010 09:43:41 -0500
2416+
2417 apache2 (2.2.16-4) unstable; urgency=medium
2418
2419 * Increase the mod_reqtimeout default timeouts to avoid potential problems
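Review bot: The 2.2.16-4ubuntu2 entry records the dialog path as exec:/usr/share/apache2/ask-for-passhrase, while the program is spelled ask-for-passphrase everywhere else in this changelog. If debian/config-dir/mods-available/ssl.conf still carries this SSLPassPhraseDialog setting, check that the shipped file uses the correctly spelled path. If the typo exists only in this published entry, it can stay.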
2420@@ -2110,6 +4059,15 @@ apache2 (2.2.16-4) unstable; urgency=medium
2421
2422 -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +0100
2423
2424+apache2 (2.2.16-3ubuntu1) natty; urgency=low
2425+
2426+ * Merge from debian unstable. Remaining changes:
2427+ - debian/{control, rules}: Enable PIE hardening.
2428+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2429+ - debian/control: Add bzr tag and point it to our tree.
2430+
2431+ -- Chuck Short <zulcss@ubuntu.com> Tue, 12 Oct 2010 11:54:48 +0100
2432+
2433 apache2 (2.2.16-3) unstable; urgency=high
2434
2435 * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
2436@@ -2132,6 +4090,30 @@ apache2 (2.2.16-2) unstable; urgency=low
2437
2438 -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +0200
2439
2440+apache2 (2.2.16-1ubuntu3) maverick; urgency=low
2441+
2442+ * Revert "stty sane" to unbreak apache starting, this will have to be
2443+ fixed a different way. (LP: #626723)
2444+
2445+ -- Chuck Short <zulcss@ubuntu.com> Wed, 08 Sep 2010 08:33:17 -0400
2446+
2447+apache2 (2.2.16-1ubuntu2) maverick; urgency=low
2448+
2449+ * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a
2450+ password prompt when using apache-ssl. (LP: #582963)
2451+
2452+ -- Chuck Short <zulcss@ubuntu.com> Wed, 25 Aug 2010 09:25:05 -0400
2453+
2454+apache2 (2.2.16-1ubuntu1) maverick; urgency=low
2455+
2456+ * Merge from debian unstable. Remaining changes:
2457+ - debian/{control, rules}: Enable PIE hardening.
2458+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2459+ - debian/control: Add bzr tag and point it to our tree.
2460+ - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
2461+
2462+ -- Chuck Short <zulcss@ubuntu.com> Mon, 26 Jul 2010 20:21:37 +0100
2463+
2464 apache2 (2.2.16-1) unstable; urgency=medium
2465
2466 * Urgency medium for security fix.
2467@@ -2164,6 +4146,24 @@ apache2 (2.2.15-6) unstable; urgency=low
2468
2469 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +0200
2470
2471+apache2 (2.2.15-5ubuntu1) maverick; urgency=low
2472+
2473+ * Merge from debian unstable. Remaining changes:
2474+ - debian/{control, rules}: Enable PIE hardening.
2475+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2476+ - debian/control: Add bzr tag and point it to our tree.
2477+ - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
2478+ + Dropped:
2479+ - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
2480+ - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
2481+ - debian/config-dir/apache2.conf: Merged back from debian.
2482+ - mod-reqtimeout functionality: Merge back from debian.
2483+ - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
2484+ - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
2485+ - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.
2486+
2487+ -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 01:28:04 +0100
2488+
2489 apache2 (2.2.15-5) unstable; urgency=low
2490
2491 * Conflict with apache package as we now include apachectl. Closes: #579065
2492@@ -2284,6 +4284,80 @@ apache2 (2.2.14-6) unstable; urgency=low
2493
2494 -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +0100
2495
2496+apache2 (2.2.14-5ubuntu8) lucid; urgency=low
2497+
2498+ * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so
2499+ (LP: #562370)
2500+
2501+ -- Chuck Short <zulcss@ubuntu.com> Tue, 13 Apr 2010 15:09:57 -0400
2502+
2503+apache2 (2.2.14-5ubuntu7) lucid; urgency=low
2504+
2505+ * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory
2506+ leaks by making sure to not destroy bucket brigades that have been created
2507+ by earlier filters. Backported from 2.2.15.
2508+ * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server
2509+ has reached MaxClients until it has. Backported from 2.2.15
2510+ * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf
2511+ more secure by adding Satisfy all. (Debian bug: #572075)
2512+ * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch,
2513+ debian/config2-dir/mods-available/reqtimeout.load,
2514+ debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the
2515+ mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris
2516+ bug in apache. Enable it by default. (LP: #392759)
2517+
2518+ -- Chuck Short <zulcss@ubuntu.com> Mon, 05 Apr 2010 09:53:35 -0400
2519+
2520+apache2 (2.2.14-5ubuntu6) lucid; urgency=low
2521+
2522+ * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681)
2523+
2524+ -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 09:41:11 -0400
2525+
2526+apache2 (2.2.14-5ubuntu5) lucid; urgency=low
2527+
2528+ * Revert 99-fix-mod-dav-permissions.dpatch
2529+
2530+ -- Chuck Short <zulcss@ubuntu.com> Tue, 30 Mar 2010 07:55:46 -0400
2531+
2532+apache2 (2.2.14-5ubuntu4) lucid; urgency=low
2533+
2534+ * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when
2535+ downloading files from webdav (LP: #540747)
2536+ * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)
2537+
2538+ -- Chuck Short <zulcss@ubuntu.com> Mon, 29 Mar 2010 13:37:39 -0400
2539+
2540+apache2 (2.2.14-5ubuntu3) lucid; urgency=low
2541+
2542+ * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp
2543+ - debian/patches/204_CVE-2010-0408.dpatch: return the right error code
2544+ in modules/proxy/mod_proxy_ajp.c.
2545+ - CVE-2010-0408
2546+ * SECURITY UPDATE: information disclosure via improper handling of
2547+ headers in subrequests
2548+ - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in
2549+ in server/protocol.c.
2550+ - CVE-2010-0434
2551+
2552+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Mar 2010 14:48:48 -0500
2553+
2554+apache2 (2.2.14-5ubuntu2) lucid; urgency=low
2555+
2556+ * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really
2557+ wacky options. (LP: #450501)
2558+
2559+ -- Chuck Short <zulcss@ubuntu.com> Mon, 08 Mar 2010 14:53:17 -0500
2560+
2561+apache2 (2.2.14-5ubuntu1) lucid; urgency=low
2562+
2563+ * Merge from debian testing. Remaining changes: LP: #506862
2564+ - debian/{control, rules}: Enable PIE hardening.
2565+ - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
2566+ - debian/control: Add bzr tag and point it to our tree.
2567+
2568+ -- Bhavani Shankar <right2bhavi@gmail.com> Wed, 13 Jan 2010 14:28:41 +0530
2569+
2570 apache2 (2.2.14-5) unstable; urgency=low
2571
2572 * Security: Further mitigation for the TLS renegotation attack
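Review bot: The 2.2.14-5ubuntu5 entry says only "Revert 99-fix-mod-dav-permissions.dpatch", one day after 2.2.14-5ubuntu4 added that patch for LP: #540747, and it gives no reason or bug reference. A revert of a permissions fix should say what regressed, so a reader can tell whether LP: #540747 was left open or fixed another way. The entry is already published, so a pointer to the relevant bug in the merge proposal would cover it.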
2573@@ -2307,6 +4381,15 @@ apache2 (2.2.14-5) unstable; urgency=low
2574
2575 -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +0100
2576
2577+apache2 (2.2.14-4ubuntu1) lucid; urgency=low
2578+
2579+ * Resynchronzie with Debian, remaining changes are:
2580+ - debian/{control, rules}: Enable PIE hardening.
2581+ - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
2582+ - debian/control: Add bzr tag and point it to our tree.
2583+
2584+ -- Chuck Short <zulcss@ubuntu.com> Wed, 23 Dec 2009 14:44:51 -0500
2585+
2586 apache2 (2.2.14-4) unstable; urgency=low
2587
2588 * Disable localized error pages again by default because they break
2589@@ -2357,6 +4440,17 @@ apache2 (2.2.14-2) unstable; urgency=medium
2590
2591 -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +0100
2592
2593+apache2 (2.2.14-1ubuntu1) lucid; urgency=low
2594+
2595+ * Merge from debian testing, remaining changes:
2596+ - debian/{control, rules}: Enable PIE hardening.
2597+ - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles.
2598+ - debian/conrol: Add bzr tag and point it to our tree.
2599+ - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
2600+ Already applied upstream.
2601+
2602+ -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 00:29:03 +0000
2603+
2604 apache2 (2.2.14-1) unstable; urgency=low
2605
2606 * New upstream version:
2607@@ -2391,6 +4485,24 @@ apache2 (2.2.13-1) unstable; urgency=low
2608
2609 -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +0200
2610
2611+apache2 (2.2.12-1ubuntu2) karmic; urgency=low
2612+
2613+ * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
2614+ - Fix potential segfaults with the use of the legacy ap_rputs() etc
2615+ interfaces, in cases where an output filter fails. This happens
2616+ frequently after CVE-2009-1891 got fixed. (LP: #409987)
2617+
2618+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 17 Aug 2009 15:38:47 -0400
2619+
2620+apache2 (2.2.12-1ubuntu1) karmic; urgency=low
2621+
2622+ * Merge from debian unstable, remaining changes:
2623+ - debian/{control,rules}: enable PIE hardening.
2624+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2625+ - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.
2626+
2627+ -- Chuck Short <zulcss@ubuntu.com> Tue, 04 Aug 2009 20:04:24 +0100
2628+
2629 apache2 (2.2.12-1) unstable; urgency=low
2630
2631 * New upstream release:
2632@@ -2438,6 +4550,16 @@ apache2 (2.2.12-1) unstable; urgency=low
2633
2634 -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +0200
2635
2636+apache2 (2.2.11-7ubuntu1) karmic; urgency=low
2637+
2638+ * Merge from debian unstable, remaining changes: LP: #398130
2639+ - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
2640+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2641+ - debian/{control,rules}: enable PIE hardening.
2642+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2643+
2644+ -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 11 Jul 2009 16:34:32 +0530
2645+
2646 apache2 (2.2.11-7) unstable; urgency=low
2647
2648 * Security fixes:
2649@@ -2452,6 +4574,16 @@ apache2 (2.2.11-7) unstable; urgency=low
2650
2651 -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +0200
2652
2653+apache2 (2.2.11-6ubuntu1) karmic; urgency=low
2654+
2655+ * Merge from debian unstable, remaining changes:
2656+ - debian/patches/203_fix-ssl-timeftm-ignored.dpatch:
2657+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2658+ - debian/{control,rules}: enable PIE hardening.
2659+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2660+
2661+ -- Chuck Short <zulcss@ubuntu.com> Tue, 09 Jun 2009 01:01:23 +0100
2662+
2663 apache2 (2.2.11-6) unstable; urgency=high
2664
2665 * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
2666@@ -2460,6 +4592,16 @@ apache2 (2.2.11-6) unstable; urgency=high
2667
2668 -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +0200
2669
2670+apache2 (2.2.11-5ubuntu1) karmic; urgency=low
2671+
2672+ * Merge from debian unstable, remaining changes:
2673+ - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2674+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2675+ - debian/{control,rules}: enable PIE hardening.
2676+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2677+
2678+ -- Andrew Mitchell <ajmitch@ubuntu.com> Wed, 03 Jun 2009 14:10:54 +1200
2679+
2680 apache2 (2.2.11-5) unstable; urgency=low
2681
2682 * Move all binaries into a new package apache2.2-bin and make
2683@@ -2508,6 +4650,16 @@ apache2 (2.2.11-4) unstable; urgency=low
2684
2685 -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +0200
2686
2687+apache2 (2.2.11-3ubuntu1) karmic; urgency=low
2688+
2689+ * Merge from debian unstable, remaining changes:
2690+ - debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2691+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2692+ - debian/{control,rules}: enable PIE hardening.
2693+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2694+
2695+ -- Andrew Mitchell <ajmitch@ubuntu.com> Tue, 12 May 2009 16:15:34 +1200
2696+
2697 apache2 (2.2.11-3) unstable; urgency=low
2698
2699 * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
2700@@ -2516,6 +4668,21 @@ apache2 (2.2.11-3) unstable; urgency=low
2701
2702 -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +0200
2703
2704+apache2 (2.2.11-2ubuntu2) jaunty; urgency=low
2705+
2706+ * debian/patches/203_fix-ssi-timeftm-ignored.dpatch:
2707+ Fix timefmt is ignored when XBitHack is on. (LP: #258914)
2708+
2709+ -- Chuck Short <zulcss@ubuntu.com> Wed, 01 Apr 2009 11:39:17 -0400
2710+
2711+apache2 (2.2.11-2ubuntu1) jaunty; urgency=low
2712+
2713+ * Merge from debian unstable, remaining changes:
2714+ - debian/{contro,rules}: enable PIE hardening.
2715+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2716+
2717+ -- Chuck Short <zulcss@ubuntu.com> Sat, 17 Jan 2009 00:02:55 +0000
2718+
2719 apache2 (2.2.11-2) unstable; urgency=low
2720
2721 * Report an error instead instead of segfaulting when apr_pollset_create
2722@@ -2525,6 +4692,14 @@ apache2 (2.2.11-2) unstable; urgency=low
2723
2724 -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +0100
2725
2726+apache2 (2.2.11-1ubuntu1) jaunty; urgency=low
2727+
2728+ * Merge from debian unstable, remaining changes:
2729+ - debian/{control, rules}: enable PIE hardening.
2730+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2731+
2732+ -- Chuck Short <zulcss@ubuntu.com> Mon, 15 Dec 2008 00:06:50 +0000
2733+
2734 apache2 (2.2.11-1) unstable; urgency=low
2735
2736 [Thom May]
2737@@ -2539,6 +4714,14 @@ apache2 (2.2.11-1) unstable; urgency=low
2738
2739 -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +0100
2740
2741+apache2 (2.2.9-11ubuntu1) jaunty; urgency=low
2742+
2743+ * Merge from debian unstable, remaining changes: (LP: #303375)
2744+ - debian/{control, rules}: enable PIE hardening.
2745+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2746+
2747+ -- Bhavani Shankar <right2bhavi@gmail.com> Sat, 29 Nov 2008 14:02:31 +0530
2748+
2749 apache2 (2.2.9-11) unstable; urgency=low
2750
2751 * Regression fix from upstream svn for mod_proxy:
2752@@ -2553,6 +4736,14 @@ apache2 (2.2.9-11) unstable; urgency=low
2753
2754 -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +0100
2755
2756+apache2 (2.2.9-10ubuntu1) jaunty; urgency=low
2757+
2758+ * Merge from debian unstable, remaining changes:
2759+ - debian/{control, rules}: enable PIE hardening.
2760+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
2761+
2762+ -- Chuck Short <zulcss@ubuntu.com> Wed, 05 Nov 2008 02:23:18 -0400
2763+
2764 apache2 (2.2.9-10) unstable; urgency=low
2765
2766 * Regression fix from upstream svn for mod_proxy_http:
2767@@ -2583,6 +4774,27 @@ apache2 (2.2.9-8) unstable; urgency=low
2768
2769 -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +0200
2770
2771+apache2 (2.2.9-7ubuntu3) intrepid; urgency=low
2772+
2773+ * Revert logrotate change since it will break it for everyone.
2774+
2775+ -- Chuck Short <zulcss@ubuntu.com> Fri, 19 Sep 2008 09:32:01 -0400
2776+
2777+apache2 (2.2.9-7ubuntu2) intrepid; urgency=low
2778+
2779+ * debian/logrotate: Restart rather than reload for busy websites.
2780+ (LP: #270899)
2781+
2782+ -- Chuck Short <zulcss@ubuntu.com> Thu, 18 Sep 2008 08:42:22 -0400
2783+
2784+apache2 (2.2.9-7ubuntu1) intrepid; urgency=low
2785+
2786+ * Merge from debian unstable, remaining changes:
2787+ - debian/{control,rules}: enable PIE hardening.
2788+ - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles.
2789+
2790+ -- Kees Cook <kees@ubuntu.com> Thu, 28 Aug 2008 08:10:59 -0700
2791+
2792 apache2 (2.2.9-7) unstable; urgency=low
2793
2794 * Fix XSS in mod_proxy_ftp (CVE-2008-2939).
2795@@ -2625,6 +4837,23 @@ apache2 (2.2.9-4) unstable; urgency=low
2796
2797 -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +0200
2798
2799+apache2 (2.2.9-3ubuntu2) intrepid; urgency=low
2800+
2801+ * add ufw integration (see
2802+ https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages)
2803+ (LP: #261198)
2804+ - debian/control: suggest ufw for apache2.2-common
2805+ - add apache2.2-common.ufw.profile with 3 profiles and install it to
2806+ /etc/ufw/applications.d/apache2.2-common
2807+
2808+ -- Didier Roche <didrocks@ubuntu-fr.org> Tue, 26 Aug 2008 19:03:42 +0200
2809+
2810+apache2 (2.2.9-3ubuntu1) intrepid; urgency=low
2811+
2812+ * debian/{control,rules}: enable PIE hardening
2813+
2814+ -- Kees Cook <kees@ubuntu.com> Wed, 20 Aug 2008 15:45:00 -0700
2815+
2816 apache2 (2.2.9-3) unstable; urgency=low
2817
2818 [ Stefan Fritsch ]
2819@@ -4195,9 +6424,7 @@ apache2 (2.0.37-1) unstable; urgency=low
2820 -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +0100
2821
2822 apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low
2823-
2824 * New upstream release
2825-
2826 -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +0100
2827
2828 apache2 (2.0.36-2) unstable; urgency=low
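Review bot: the two removed lines in the 2.0.37+cvs.JCW_PRE2_2037-1 entry are the blank separators between the header, the "* New upstream release" item and the trailer, and dropping them leaves this 2002 stanza out of step with every other entry shown in this diff. It is also pure whitespace delta against Debian's changelog that has to be carried through every future merge. Unless there is a reason for it, restore the two blank lines so the entry matches Debian's.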
2829@@ -4705,3 +6932,4 @@ apache2 (2.0.18-1) unstable; urgency=low
2830 * Initial Release.
2831
2832 -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +1000
2833+
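Review bot: the only change in this hunk is a blank line appended after the final trailer of the 2.0.18-1 entry at the end of the file. That is whitespace-only delta against Debian and can be dropped.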
2834diff --git a/debian/config-dir/mods-available/setenvif.conf b/debian/config-dir/mods-available/setenvif.conf
2835index 8bba04c..8b96bb9 100644
2836--- a/debian/config-dir/mods-available/setenvif.conf
2837+++ b/debian/config-dir/mods-available/setenvif.conf
2838@@ -24,3 +24,5 @@ BrowserMatch "^gvfs/1" redirect-carefully
2839 BrowserMatch "^XML Spy" redirect-carefully
2840 BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
2841 BrowserMatch " Konqueror/4" redirect-carefully
2842+BrowserMatch " Konqueror/5" redirect-carefully
2843+BrowserMatch " dolphin/" redirect-carefully
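Review bot: the added " Konqueror/5" pattern repeats the version-pinned style of the existing " Konqueror/4" line, so the next major version of the client will need another edit here and in the matching quilt patch. If the redirect-carefully behaviour is wanted for all Konqueror releases, a single unversioned " Konqueror/" match would cover 4, 5 and later. Note also that both new patterns are unanchored substrings of the User-Agent, unlike the "^gvfs/1" and "^XML Spy" lines above, which is worth a one-line comment in the file.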
2844diff --git a/debian/control b/debian/control
2845index a5d33f2..6794923 100644
2846--- a/debian/control
2847+++ b/debian/control
2848@@ -1,5 +1,6 @@
2849 Source: apache2
2850-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
2851+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
2852+XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
2853 Uploaders: Stefan Fritsch <sf@debian.org>,
2854 Arno Töll <arno@debian.org>,
2855 Ondřej Surý <ondrej@debian.org>,
2856@@ -14,7 +15,7 @@ Build-Depends: debhelper-compat (= 13),
2857 libapr1-dev,
2858 libaprutil1-dev,
2859 libbrotli-dev,
2860- liblua5.3-dev,
2861+ liblua5.4-dev,
2862 libnghttp2-dev,
2863 libpcre2-dev,
2864 libssl-dev,
2865@@ -43,7 +44,8 @@ Depends: apache2-bin (= ${binary:Version}),
2866 Recommends: ssl-cert
2867 Suggests: apache2-doc,
2868 apache2-suexec-pristine | apache2-suexec-custom,
2869- www-browser
2870+ www-browser,
2871+ ufw
2872 Pre-Depends: ${misc:Pre-Depends}
2873 Provides: httpd,
2874 httpd-cgi
2875diff --git a/debian/debhelper/apache2-maintscript-helper b/debian/debhelper/apache2-maintscript-helper
2876index ce20fb1..f6c53f6 100644
2877--- a/debian/debhelper/apache2-maintscript-helper
2878+++ b/debian/debhelper/apache2-maintscript-helper
2879@@ -198,6 +198,8 @@ apache2_needs_action()
2880 # Probably the most important invokation. When invoked in configure we:
2881 # - enable the piece of configuration on fresh installs
2882 # - do nothing on upgrades UNLESS the configuration was removed automatically in the past
2883+ # postinst triggered:
2884+ # - use package triggers to restart apache2
2885 # postrm remove|purge
2886 # - disable the configuration, mark it as automatically disabled in remove
2887 # - disable the configuration, remove any trace we have on purge
2888@@ -223,6 +225,8 @@ apache2_needs_action()
2889 [ -z "$APACHE2_MAINTSCRIPT_ARGUMENT" ] && return 0
2890 # act if someone told us
2891 [ -n "$APACHE2_NEED_ACTION" ] && return 0
2892+ elif [ "$APACHE2_MAINTSCRIPT_METHOD" = "triggered" ] ; then
2893+ return 0
2894 fi
2895 ;;
2896 esac
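Review bot: the new "triggered" branch returns 0 unconditionally, so apache2_needs_action reports that action is needed on every trigger activation, whereas the branch just above it only does so when APACHE2_MAINTSCRIPT_ARGUMENT is empty or APACHE2_NEED_ACTION is set. If that is intentional, add a comment on the elif saying why no further condition is checked; otherwise gate it the same way so that a trigger firing with nothing to do does not cause a restart. The comment added in the previous hunk ("use package triggers to restart apache2") would also be clearer if it named which trigger is expected.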
2897diff --git a/debian/icons/ubuntu-logo.png b/debian/icons/ubuntu-logo.png
2898new file mode 100644
2899index 0000000..eee686c
2900Binary files /dev/null and b/debian/icons/ubuntu-logo.png differ
2901diff --git a/debian/index.html b/debian/index.html
2902index 766401d..51c4332 100644
2903--- a/debian/index.html
2904+++ b/debian/index.html
2905@@ -1,9 +1,13 @@
2906-
2907 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2908 <html xmlns="http://www.w3.org/1999/xhtml">
2909+ <!--
2910+ Modified from the Debian original for Ubuntu
2911+ Last updated: 2022-03-22
2912+ See: https://launchpad.net/bugs/1966004
2913+ -->
2914 <head>
2915 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
2916- <title>Apache2 Debian Default Page: It works</title>
2917+ <title>Apache2 Ubuntu Default Page: It works</title>
2918 <style type="text/css" media="screen">
2919 * {
2920 margin: 0px 0px 0px 0px;
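Review bot: the "Last updated: 2022-03-22" line in the new HTML comment is already out of date, since the merge description says this upload also changes the page for LP: #2045055 (the http to https link). Either bump the date and add the second bug reference, or drop the date line so it cannot go stale again. Keep in mind this comment is served to every client that fetches the default page.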
2921@@ -15,7 +19,7 @@
2922
2923 background-color: #D8DBE2;
2924
2925- font-family: Verdana, sans-serif;
2926+ font-family: Ubuntu, Verdana, sans-serif;
2927 font-size: 11pt;
2928 text-align: center;
2929 }
2930@@ -41,7 +45,7 @@
2931 }
2932
2933 div.page_header {
2934- height: 99px;
2935+ height: 180px;
2936 width: 100%;
2937
2938 background-color: #F5F6F7;
2939@@ -60,6 +64,19 @@
2940 border: 0px 0px 0px;
2941 }
2942
2943+ div.banner {
2944+ padding: 9px 6px 9px 6px;
2945+ background-color: #E9510E;
2946+ color: #FFFFFF;
2947+ font-weight: bold;
2948+ font-size: 112%;
2949+ text-align: center;
2950+ position: absolute;
2951+ left: 40%;
2952+ bottom: 30px;
2953+ width: 20%;
2954+ }
2955+
2956 div.table_of_contents {
2957 clear: left;
2958
2959@@ -136,10 +153,6 @@
2960 text-align: center;
2961 }
2962
2963- div.section_header_red {
2964- background-color: #CD214F;
2965- }
2966-
2967 div.section_header_grey {
2968 background-color: #9F9386;
2969 }
2970@@ -188,46 +201,31 @@
2971 <body>
2972 <div class="main_page">
2973 <div class="page_header floating_element">
2974- <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/>
2975- <span class="floating_element">
2976- Apache2 Debian Default Page
2977- </span>
2978- </div>
2979-<!-- <div class="table_of_contents floating_element">
2980- <div class="section_header section_header_grey">
2981- TABLE OF CONTENTS
2982- </div>
2983- <div class="table_of_contents_item floating_element">
2984- <a href="#about">About</a>
2985- </div>
2986- <div class="table_of_contents_item floating_element">
2987- <a href="#changes">Changes</a>
2988- </div>
2989- <div class="table_of_contents_item floating_element">
2990- <a href="#scope">Scope</a>
2991- </div>
2992- <div class="table_of_contents_item floating_element">
2993- <a href="#files">Config files</a>
2994+ <img src="icons/ubuntu-logo.png" alt="Ubuntu Logo"
2995+ style="width:184px;height:146px;" class="floating_element" />
2996+ <div>
2997+ <span style="margin-top: 1.5em;" class="floating_element">
2998+ Apache2 Default Page
2999+ </span>
3000 </div>
3001- </div>
3002--->
3003- <div class="content_section floating_element">
3004-
3005-
3006- <div class="section_header section_header_red">
3007+ <div class="banner">
3008 <div id="about"></div>
3009 It works!
3010 </div>
3011+
3012+ </div>
3013+ <div class="content_section floating_element">
3014 <div class="content_section_text">
3015 <p>
3016 This is the default welcome page used to test the correct
3017- operation of the Apache2 server after installation on Debian systems.
3018+ operation of the Apache2 server after installation on Ubuntu systems.
3019+ It is based on the equivalent page on Debian, from which the Ubuntu Apache
3020+ packaging is derived.
3021 If you can read this page, it means that the Apache HTTP server installed at
3022 this site is working properly. You should <b>replace this file</b> (located at
3023 <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.
3024 </p>
3025
3026-
3027 <p>
3028 If you are a normal user of this web site and don't know what this page is
3029 about, this probably means that the site is currently unavailable due to
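Review bot: the new img tag uses a relative path, src="icons/ubuntu-logo.png", where the Debian line it replaces used the absolute "/icons/openlogo-75.png". The relative form resolves against the page's own URL, so the logo breaks if this file is served from anywhere other than the site root. Use "/icons/ubuntu-logo.png" for consistency, and adjust ubuntu_logo_path in debian/tests/check-ubuntu-branding to match. The inline style attributes on the img and span would also sit better in the stylesheet block above, next to the new div.banner rule.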
3030@@ -242,18 +240,17 @@
3031 </div>
3032 <div class="content_section_text">
3033 <p>
3034- Debian's Apache2 default configuration is different from the
3035+ Ubuntu's Apache2 default configuration is different from the
3036 upstream default configuration, and split into several files optimized for
3037- interaction with Debian tools. The configuration system is
3038+ interaction with Ubuntu tools. The configuration system is
3039 <b>fully documented in
3040 /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full
3041 documentation. Documentation for the web server itself can be
3042 found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt>
3043 package was installed on this server.
3044-
3045 </p>
3046 <p>
3047- The configuration layout for an Apache2 web server installation on Debian systems is as follows:
3048+ The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:
3049 </p>
3050 <pre>
3051 /etc/apache2/
3052@@ -308,9 +305,12 @@
3053 </li>
3054
3055 <li>
3056- The binary is called apache2. Due to the use of
3057- environment variables, in the default configuration, apache2 needs to be
3058- started/stopped with <tt>/etc/init.d/apache2</tt> or <tt>apache2ctl</tt>.
3059+ The binary is called apache2 and is managed using systemd, so to
3060+ start/stop the service use <tt>systemctl start apache2</tt> and
3061+ <tt>systemctl stop apache2</tt>, and use <tt>systemctl status apache2</tt>
3062+ and <tt>journalctl -u apache2</tt> to check status. <tt>system</tt>
3063+ and <tt>apache2ctl</tt> can also be used for service management if
3064+ desired.
3065 <b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the
3066 default configuration.
3067 </li>
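Review bot: "<tt>system</tt> and <tt>apache2ctl</tt> can also be used" in the rewritten list item looks like a typo, since "system" is not a service management command; presumably "service" was meant. The rewrite also drops the original explanation ("Due to the use of environment variables") while keeping the bolded statement that calling /usr/bin/apache2 directly will not work, which now reads as an unexplained assertion. Consider keeping a short clause giving the reason.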
3068@@ -324,18 +324,17 @@
3069
3070 <div class="content_section_text">
3071 <p>
3072- By default, Debian does not allow access through the web browser to
3073- <em>any</em> file apart of those located in <tt>/var/www</tt>,
3074- <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
3075+ By default, Ubuntu does not allow access through the web browser to
3076+ <em>any</em> file outside of those located in <tt>/var/www</tt>,
3077+ <a href="https://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
3078 directories (when enabled) and <tt>/usr/share</tt> (for web
3079 applications). If your site is using a web document root
3080 located elsewhere (such as in <tt>/srv</tt>) you may need to whitelist your
3081 document root directory in <tt>/etc/apache2/apache2.conf</tt>.
3082 </p>
3083 <p>
3084- The default Debian document root is <tt>/var/www/html</tt>. You
3085- can make your own virtual hosts under /var/www. This is different
3086- to previous releases which provides better security out of the box.
3087+ The default Ubuntu document root is <tt>/var/www/html</tt>. You
3088+ can make your own virtual hosts under /var/www.
3089 </p>
3090 </div>
3091
3092@@ -345,24 +344,20 @@
3093 </div>
3094 <div class="content_section_text">
3095 <p>
3096- Please use the <tt>reportbug</tt> tool to report bugs in the
3097- Apache2 package with Debian. However, check <a
3098- href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"
3099+ Please use the <tt>ubuntu-bug</tt> tool to report bugs in the
3100+ Apache2 package with Ubuntu. However, check <a
3101+ href="https://bugs.launchpad.net/ubuntu/+source/apache2"
3102 rel="nofollow">existing bug reports</a> before reporting a new bug.
3103 </p>
3104 <p>
3105 Please report bugs specific to modules (such as PHP and others)
3106- to respective packages, not to the web server itself.
3107+ to their respective packages, not to the web server itself.
3108 </p>
3109 </div>
3110
3111-
3112-
3113-
3114 </div>
3115 </div>
3116 <div class="validator">
3117 </div>
3118 </body>
3119 </html>
3120-
3121diff --git a/debian/patches/fix-dolphin-to-delete-webdav-dirs.patch b/debian/patches/fix-dolphin-to-delete-webdav-dirs.patch
3122new file mode 100644
3123index 0000000..1fac833
3124--- /dev/null
3125+++ b/debian/patches/fix-dolphin-to-delete-webdav-dirs.patch
3126@@ -0,0 +1,16 @@
3127+Description: Recognize dolphin and Konqueror/5 browsers for webdav.
3128+ Without these settings, these browsers will be sent redirects on
3129+ URLs for directories specified without a trailing '/'. That can
3130+ prevent webdav DELETE operations from working.
3131+Author: Michal Maloszewski <michal.maloszewski@canonical.com>
3132+Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=67039
3133+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1927742
3134+Last-Update: 2024-01-16
3135+--- a/docs/conf/extra/httpd-dav.conf.in
3136++++ b/docs/conf/extra/httpd-dav.conf.in
3137+@@ -48,3 +48,5 @@
3138+ BrowserMatch "^XML Spy" redirect-carefully
3139+ BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
3140+ BrowserMatch " Konqueror/4" redirect-carefully
3141++BrowserMatch " Konqueror/5" redirect-carefully
3142++BrowserMatch " dolphin/" redirect-carefully
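Review bot: the patch header has Bug and Bug-Ubuntu fields but no Forwarded or Origin field, so a later merger cannot tell from the header alone whether this has gone upstream. Add "Forwarded:" pointing at the bz.apache.org entry already listed under Bug. The two BrowserMatch lines are also duplicated verbatim in debian/config-dir/mods-available/setenvif.conf earlier in this diff; a sentence in the Description saying that both copies must be kept in sync would help.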
3143diff --git a/debian/patches/series b/debian/patches/series
3144index d2c00e2..ae14d4c 100644
3145--- a/debian/patches/series
3146+++ b/debian/patches/series
3147@@ -1,3 +1,4 @@
3148+fix-dolphin-to-delete-webdav-dirs.patch
3149 fhs_compliance.patch
3150 no_LD_LIBRARY_PATH.patch
3151 suexec-CVE-2007-1742.patch
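Review bot: the new entry is inserted at the top of the series, ahead of fhs_compliance.patch and the rest of Debian's patches, so quilt applies it first and every Debian patch is applied on top of it. Appending Ubuntu-only patches at the end of the series keeps Debian's stack applying against the same base as in Debian and makes the next merge a simple append rather than a conflict at line 1.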
3152diff --git a/debian/source/include-binaries b/debian/source/include-binaries
3153index 35c26b8..2ddf252 100644
3154--- a/debian/source/include-binaries
3155+++ b/debian/source/include-binaries
3156@@ -17,6 +17,7 @@ debian/icons/odf6otp-20x22.png
3157 debian/icons/odf6ots-20x22.png
3158 debian/icons/odf6ott-20x22.png
3159 debian/icons/openlogo-75.png
3160+debian/icons/ubuntu-logo.png
3161 debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml
3162 debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php
3163 debian/perl-framework/t/htdocs/apache/acceptpathinfo/off/index.shtml
3164diff --git a/debian/tests/check-ubuntu-branding b/debian/tests/check-ubuntu-branding
3165new file mode 100644
3166index 0000000..0bf90b6
3167--- /dev/null
3168+++ b/debian/tests/check-ubuntu-branding
3169@@ -0,0 +1,28 @@
3170+#!/bin/bash
3171+#
3172+# Check the ubuntu branding exists
3173+set -uxe -o pipefail
3174+
3175+ubuntu_logo_path="icons/ubuntu-logo.png"
3176+
3177+# Use curl to fetch the HTML content and check its exit status
3178+if html_content=$(curl -s http://localhost); then
3179+ # The curl command succeeded, so proceed with further processing
3180+ if ! [[ "$html_content" =~ "$ubuntu_logo_path" ]]; then
3181+ echo "ERROR: $ubuntu_logo_path string not found in html page"
3182+ exit 1
3183+ fi
3184+else
3185+ # The curl command encountered an error
3186+ echo "ERROR: Curl command failed to fetch web content"
3187+ exit 1
3188+fi
3189+
3190+# Check the type of $ubuntu_logo_path
3191+content_type=$(curl -s -I http://localhost/$ubuntu_logo_path \
3192+ | grep Content-Type | cut -d ' ' -f 2- | tr -d '[:space:]')
3193+expected="image/png"
3194+if [ "$content_type" != "$expected" ]; then
3195+ echo "Content-Type is not $expected it is $content_type"
3196+ exit 1
3197+fi
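Review bot: both curl calls use -s without -f, so an HTTP error response still exits 0 and the "Curl command failed" branch only catches connection failures; add --fail (and -S so the error is printed) to the first call. In the Content-Type check, "set -e -o pipefail" means that if grep finds no Content-Type header the assignment itself fails and the script exits before the "Content-Type is not ..." message is printed, so that failure mode has no diagnostic; append "|| true" to the pipeline or test the header separately. The grep is also case-sensitive and the cut/tr step would keep any "; charset=..." parameter, which is fine for image/png today but fragile.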
3198diff --git a/debian/tests/control b/debian/tests/control
3199index 2453137..8a93e5f 100644
3200--- a/debian/tests/control
3201+++ b/debian/tests/control
3202@@ -23,6 +23,10 @@ Tests: check-http2
3203 Restrictions: needs-root allow-stderr breaks-testbed
3204 Depends: apache2, curl, ssl-cert, nghttp2-client
3205
3206+Tests: check-ubuntu-branding
3207+Restrictions: allow-stderr
3208+Depends: apache2, curl
3209+
3210 Tests: chroot
3211 Features: no-build-needed
3212 Restrictions: needs-root allow-stderr breaks-testbed
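Review bot: the new check-ubuntu-branding stanza declares only "Restrictions: allow-stderr", yet the script fetches http://localhost and so depends on the apache2 service running and listening inside the testbed. Tests that rely on services or TCP ports should declare isolation-container so they are not scheduled on a testbed that cannot provide that. It is also worth stating in the test script that it relies on the daemon having been started by package installation, since nothing in the script starts it.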
