lp:debian/experimental/apache2

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:debian/experimental/apache2

Branch information

Owner:
Ubuntu branches
Status:
Development

Recent revisions

56. By Arno Töll

[ Stefan Fritsch ]
* Explicitly enable mod_authz_core on upgrades. It can happen that it is
  not pulled in by any of the enabled modules, but we need it in any case
  for apache2.conf. Closes: #669876
* Don't ship the changelogs in the apache2-mpm-itk transitional package.

[ Arno Töll ]
* Add mode lines to various configuration files and scripts. Reformat
  configuration files for consistency.
* Fix "Fix typographic errors in configuration file comments": Thanks to Oxan
  van Leeuwen for providing a patch (Closes: #669269)
* Formulate several clarifications in PACKAGING, start versioning this document
  and add normative read hints. Moreover, document the -m switch for a2enmod.
* Merge spelling and grammar fixes provided by Justin B Rye. Much appreciated!
* Change various state and run directories used by Apache from
  /var/run/<basename> to /var/run/apache2/<basename>. This might change again
  for Wheezy+1 to adopt /run.
* Use more exit status codes for a2query which allows to tell apart why a
  module was disabled, also make its output more readable.
* Changes in apache2-maintscript-helper:
  + Finally apache2_invoke may behave correctly and catch all cases
    including upgrades from Squeeze.
  + apache2_invoke: accepts a third argument to override the rc.d-action now
  + support APACHE2_MAINTSCRIPT_DEBUG: When defined in the environment or in
    /etc/apache2/envvars, debug output is displayed.
* Implement a -r switch for dh_apache2 which allows to force a reload of the
  web server if required.

55. By Stefan Fritsch

* New upstream release

[ Arno Töll ]
* Drop update-alternative call in postrm. Our prerm script catches them
  already anyway.
* Update my mail address.
* Fix "dh_apache2 does not set "x" bits on /usr/lib/apache2/modules/"
  Set directory permissions to 755 by default (Closes: #666875). Thanks Axel
  Beckert for the hint.
* Add /usr/share/doc/apache2/migrate-sites.pl, a script to assist users to
  give sites a .conf suffix, add a hint to the NEWS file.
* Do stateful configuration handling by remembering who enabled when a
  particular piece of configuration. That way it can be told under which
  circumstances for example modules should be re-enabled. Thanks to Filip M.
  Nowak who was providing a patch where my changes are built upon.
* Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
  to override LDFLAGS at compile time by defining LDFLAGS in the environment,
  just like it is possible for CFLAGS. This also means, config_vars.mk now
  exports hardening build flags by default.
* Provide the virtual packages httpd and httpd-cgi again.

[ Stefan Fritsch ]
* Change default config to deny access to / in the file system and only
  allow access to /var/www, /usr/share, and /usr/lib/cgi-bin. Closes: #341022
* Disable MultiViews in the default config.
* Update ssl default cipher config, add alternative speed optimized config.
  Closes: #649020
* Move the configuration of /usr/lib/cgi-bin into a separate config file.
  Closes: #589638
* Comment out per-vhost loglevel.
* Add section to security.conf that shows how to forbid access to VCS
  directories. Closes: #548213
* Change the compiled in default of DocumentRoot to /var/www by updating
  fhs_compliance.patch
* Re-add mpm_itk (version 2.4.1-pre01). This is still very experimental!

54. By Stefan Fritsch

[ Arno Töll ]
* apache2-suexec-{custom,pristine}: Fix argument order when removing
  alternatives, do not remove alternatives on upgrades. Thanks Andreas
  Beckmann for spotting the issue (Closes: #665002)
* Install suexec(8) link to /usr/share/man/man8/...
* Enable mod_version statically, drop associated module load file.
* Update PACKAGING hints and cope several questions raised among the
  discussions with packagers. Thus, invocation of apache2-maintscript-helper
  in maintainer scripts are covered now.
* Changes in dh_apache2:
  + Invoke the maintscript helper postrm action for simple package removals,
    too.
  + Fix a bug which accidentally called "en{mod,site,conf}" instead of
    "di{mod,site,conf}"
  + Set the default conditional back to "true", now the maintainer script is
    expected to cope itself with upgrades correctly
* Changes in apache2_maintscript_helper
  + Provide apache2_action_needed, apache2_msg
  + Parse maintainer script arguments to find out which script called us
  + Support APACHE2_MAINTSCRIPT_HELPER_QUIET which, when set, omits any
    visible output
  + Break APIs: apache2_invoke accepts a single configuration file argument
    only now. However, other than dh_apache2 no users of this feature were
    known.
* Build the apache2.2-bin transitional package again, without it updates from
  Squeeze are broken for some use cases
* Remove 2.2's postrm script only if we're actually upgrading.
  This previously didn't have bad side-effects, but caused a disturbing
  warning.

[ Stefan Fritsch ]
* Import lots of bug fixes from upstream svn: All code changes from branch
  2.4.x up to r1307835, plus r1294306 and r1307067 from trunk.
* Remove /usr/share/doc alias from default virtual hosts' configs.
* Add 'Multi-Arch: foreign' to apache2-utils
* Make a2enconf and a2ensite warn if dependencies are not fulfilled.

53. By Stefan Fritsch

[ Arno Töll ]
* Shift convert_docs script to an arch-indep target only. Debhelper does not
  build apache2-doc on binary only builds causing a FTBS on binary-only (-B)
  builds
* Raise debhelper build-dependency to 8.9.7~ due to the use of arch-indep
  targets

[ Stefan Fritsch ]
* dh_apache2: Make autoscripts only run on upgrades by default. Bump
  debhelper dependency of apache2-dev. Escape slashes in conditionals.

52. By Stefan Fritsch

* Package the coming up 2.4 branch of Apache by packaging the current
  GA release 2.4.1.
  + Fix "IndexIgnore only allowes to add in vhost context, not replace"
   (Closes: #296886)
  + Fix "mod_status stats are wrong." (Closes: #519322)
  + Fix "PNG DirectoryIndex icons transparancy messed up" (Closes: #233047)
  + Fix "apache2-common: there should be a possibility to access the
    parsed configuration" (Closes: #350285)
  + Fix "AddOutputFilterByType is deprecated but used in deflate.conf"
    (Closes: #601033)
  + Fixes "Renegotiation on POST request fails intermittently"
    (Closes: #601606)
  + Allows configuring source address for proxy requests. (Closes: #465283)
  + Supports CONNECT request through https. (Closes: #307298)
  + New Upstream (2.4). (Closes: #662115)

* Refresh patches but leave all hunks unchanged where possible. Give all
  patches a ".patch" suffix, drop sequence numbers as they are not needed when
  using quilt. Notable changes are:
  + [AT] 202_suexec-custom: Keep functionality as is, but rewrite smaller
    parts of the patch to build two binaries: suexec-pristine and
    suexec-custom (see below)
  + [AT] 201_build_suexec-custom: Patch the makefile to build
    "suexec-pristine" instead. Aside of that, refresh hunks.
  + [AT] 010_fhs_compliance: Drop config.layout patches. These have been
    applied upstream
  + [JMV] Drop patches:
    + 004_usr_bin_perl_0wnz_j00: printenv example doesn't refer to
      /usr/local/bin/perl anymore
    + 008_make_include_safe: Include doesn't support directory anymore.
      Include dir/*.conf must be used.
    + 009_apache2_has_dso: Upstream is no longer testing DSO is available. So
      we don't need to remove that test anymore.
  + [AT] customize_apxs.patch: Aggregate changes from various apxs2 patches,
    drop obsolete hunks

[ Arno Töll ]

* Rewrite most parts of debian/rules / debhelper configuration.
  + move cronjob and init script to debhelper configuration files
    (apache2.cron.daily and apache2.init respectively)
  + move man pages to debian/manpages
  + Remove Ubuntu hacks in debian/rules, we expect them to carry Ubuntu
    specifics in their own patch set, as it diverges already anyway.
  + shake-up files installed in different packages
  + Do not copy the source tree anymore, build package in place.
* Push standards version to 3.9.3 - no special changes required
* Refactor binary packages, now as things simplified. MPMs are simple
  modules now, they can be bundled into the same binary package which do not
  need to conflict with each other. Thus, Apache now primarily consists of the
  following packages:
  + apache2 - configuration files and init scripts, Debian specific helper
    scripts
  + apache2-bin - binaries and modules
  + apache2-data - error pages and images
* Drop the ITK MPM entirely for now
* Consolidate development packages. As MPM packages are gone, we do not need
  specific development packages either. Thus, drop all MPM specific apache2
  development packages and provide a single apache2-dev package instead.
  (Closes: #428095)
* Drop debian/source/options again: We do not need to ignore .svn directories
  anymore since the new package management system is based on git and includes
  the full source
* Rework the suexec mechanism. Now there are two suexec packages providing
  alternatives through the update-alternatives mechanism. The untouched
  upstream "suexec" binary is provided by the apache2-suexec-pristine package,
  whereas the configurable suexec can be found in the apache2-suexec-custom
  package. Both are providing the "suexec" binary which are managed by the
  update-alternatives(9) mechanism.
  This change is transparent to users at runtime and does not need any
  configuration changes.
* Remove obsolete README.source file.
* Update doc-base metadata for the apache2-doc package
* Changes in the default configuration (not specific modules):
  + On the head of the apache2.conf configuration file, give a short summary
    how configuration of the Apache web server works in Debian.
  + Drop NameVirtualHost entirely. It is deprecated (Closes: #511594)
  + Remove DefaultType. It is deprecated.
  + Replace Allow/Deny directives in the default configuration by using the
    new Require directive. Load mod_access_compat if you rely on the old
    syntax
  + Replace LockFile by Mutex which consolidates all lock file
    synchronization files among modules
  + Update configuration to use the new IncludeOptional syntax
  + Enable these modules by default: authz_core authz_host alias cgi dir
  + Move MPM specific configuration to their respective configuration files.
    Users can just load and unload MPMs like other modules, enable the worker
    MPM by default
  + Move per-site global configuration from conf.d to conf-available and
    manage it similar to modules and sites. To do so, the new tools
    "a2enconf" and "a2disconf" are provided. Moreover, such configuration
    files need to have a .conf suffix now. The following configuration
    files are enabled by default: charset localized-error-pages
    other-vhosts-access-log security. These were enabled by default
    previously, too (Closes: #620347, Closes: #605227).
    This holds for apache2-doc as well, which is still enabled by default but
    can be disabled easily anytime by using a2disconf (Closes: #604980).
  + Give site configuration a .conf suffix, too. For example the default vhost
    is called default.conf. Moreover, files without .conf suffix are ignored
    upon startup. Please update your site links and confs. Also rename the
    default vhost to 000-default.conf and don't do hacky things in a2enmod
    anymore.
* Changes in a2enmod:
  + Parse "Conflicts: " header to denote conflicts between modules which
    cannot be loaded into the same Apache server.
  + Remove dangling "module.conf" files, too. They were forgotten previously
    if they existed and only the "module.load" file was removed.
  + Extend the tool to support conf-available/conf-enabled directories (see
    also configuration changes).
  + Expect a .conf suffix for sites-enabled/sites-available configurations.
  + Remove the default vhost special handling. Instead, we expect the default
    host to be named appropriately (for example 000-default.conf;
    Closes: #605535).
* The following modules and associated configuration files were removed:
  + mod_authz_default and mod_authn_default: Please use a proper
    authentication module instead
  + mod_mem_cache: Use mod_cache_disk instead
* The following modules and associated configuration files are provided (but
  not enabled by default):
  access_compat, allowmethods, authz_dbd, cache_disk, data, log_debug, lua
  proxy_express, proxy_fcgi, proxy_fdpass, proxy_html, ratelimit, reflector
  remoteip, request, session, session_cookie, session_crypto, session_dbd
  (Closes: #400881)
* Provide a dh_apache2 debhelper which can be used by reverse dependencies to
  install modules, module configuration files, site configuration files and
  global configuration files which need to be registered to the Apache web
  server.
  Thus, dh_apache2 can be used for Apache web server modules and web
  applications providing configuration files for Apache.
* Write apache2-maintscript-helper which packagers can use to interface in a
  reliable way with the Apache 2 web server in maintainer scripts
* Document programming hints how to interface with the Apache 2 web server for
  packagers of web applications and module maintainer in
  /usr/share/doc/apache2/PACKAGING.gz.
* Fix the watch file, thanks to Jean-Michel Vourgère for pointing out the
  problem.
* Update debian/copyright and switch it to the copyright-format 1.0 (formerly
  known as DEP5)

[ Stefan Fritsch ]

* Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
* Only include conf.d/*.conf, not conf.d/*.
* Don't create httpd.conf anymore. Also, do a proper transition of existing
  httpd.conf files to /etc/apache2/conf-available (Closes: #639383)
* Add "AddCharset" for .brf files in default mod_mime config.
  (Closes: #402567)
* Update the README.Debian file

[ Jean-Michel Vourgère ]

* Update bash completion functions to reflect the new site setup. (Closes:
  #657492)
* Migrate patches to DEP-3 format. For particular changes see the summary
  above.

51. By Stefan Fritsch

[ Stefan Fritsch ]
* New upstream release, urgency medium due to security fixes:
  - Fix CVE-2012-0021: mod_log_config: DoS with '%{cookiename}C' log format
  - Fix CVE-2012-0031: Unprivileged child process could cause the parent to
    crash at shutdown
  - Fix CVE-2012-0053: Exposure of "httpOnly" cookies in code 400 error
    message.
* Move httxt2dbm to apache2-utils
* Adjust debian/control to point to new git repository.

[ Arno Töll ]
* Fix "typo in /etc/apache2/apache2.conf" (Closes: #653801)

50. By Stefan Fritsch

[ Arno Töll ]
Fix build failures introduced as regression by the previous build. Debian
buildds aren't rebuilding arch:all packages which caused problems for our
unconditional copying into binary package. I was warned.

49. By Stefan Fritsch

[ Stefan Fritsch ]

* Security: Fix broken patch for CVE-2011-3607 (Integer overflow in
  ap_pregsub).
* Optimize debian/rules again to improve build time by doing most work in a
  single parallelized "build-%" target.

[ Arno Töll ]

* Fix "Suggest removing DefaultType from apache2.conf" change the DefaultType
  from text/plain to None. This lets the browser guess a proper MIME type
  instead of being forced to treat a given file according to our default type
  (Closes: #440058)
* Fix "add pre-rotate hook to logrotate script" execute scripts in
  /etc/logrotate.d/httpd-prerotate if available (Closes: #590096).
* Fix "Hide /icons index" Disables indexes on the icon directory. By upgrading
  to Debian's 3.0/quilt source format also images don't need to be generated
  at build time anymore. Hence, the icon date can no longer lead to
  information disclosure (Closes: #649888).
* Upgrade package to 3.0/quilt.
  + Remove uuencoded images, keep them in their binary format in debian/icons
  + Upgrade to quilt from dpatch and refresh all patches by keeping all hunks
    unchanged. Remove the `001_branding' patch by supplying -DPLATFORM at
    build time where needed. Move the 200_cp_suexec.dpatch patch and
    202_suexec-custom.dpatch patch to debian/rules. 200_cp_suexec.dpatch was a
    script, not a patch which is not supported by quilt.
* Rewrite debian/rules and base it on dh(1).
  + use overrides where possible, replace some debhelper calls by our own
    implementation where needed. That's required since the Apache package is
    compiled in parts several times for each MPM once.
  + move some install operations to their respective .install files
  + Support dpkg-buildflags now, which also enables by default hardening
    flags. Thus, remove them from their explicit appearance in debian/rules
  + Remove DEB_BUILD_OPTIONS legacy support. It comes for free when using
    dh(1)/dpkg-buildflags(1).
* Push debhelper compatibility to 8
* Remove unused Lintian overrides for the Debian source package and remove
  redundant priorities in debian/control.
* Add myself to Uploaders

48. By Stefan Fritsch

* Fix CVE-2011-4317: Prevent unintended pattern expansion in some
  reverse proxy configurations. (Similar to CVE-2011-3368, but different
  attack vector.)
* Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
  via malicious .htaccess.
* Mention dpkg-statoverride for changing permissions of suexec. LP: #897120
* Fix broken link in docs. Closes: #650528
* Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders.
  Thanks for your work in the past.

47. By Stefan Fritsch

* Fix CVE-2011-3368: Prevent unintended pattern expansion in some
  reverse proxy configurations by strictly validating the request-URI.
* Correctly set permissions of suexec.load even if umask is 0002 during
  build. LP: #872000

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:debian/apache2