lp:debian/experimental/apache2
- Get this branch:
- bzr branch lp:debian/experimental/apache2
Branch information
- Owner:
- Ubuntu branches
- Status:
- Development
Recent revisions
- 56. By Arno Töll
[ Stefan Fritsch ]
* Explicitly enable mod_authz_core on upgrades. It can happen that it is
not pulled in by any of the enabled modules, but we need it in any case
for apache2.conf. Closes: #669876
* Don't ship the changelogs in the apache2-mpm-itk transitional package.
[ Arno Töll ]
* Add mode lines to various configuration files and scripts. Reformat
configuration files for consistency.
* Fix "Fix typographic errors in configuration file comments": Thanks to Oxan
van Leeuwen for providing a patch (Closes: #669269)
* Formulate several clarifications in PACKAGING, start versioning this document
and add normative read hints. Moreover, document the -m switch for a2enmod.
* Merge spelling and grammar fixes provided by Justin B Rye. Much appreciated!
* Change various state and run directories used by Apache from
/var/run/<basename> to /var/run/apache2/<basename>. This might change again
for Wheezy+1 to adopt /run.
* Use more exit status codes for a2query which allows to tell apart why a
module was disabled, also make its output more readable.
* Changes in apache2-maintscript-helper:
+ Finally apache2_invoke may behave correctly and catch all cases
including upgrades from Squeeze.
+ apache2_invoke: accepts a third argument to override the rc.d-action now
+ support APACHE2_MAINTSCRIPT_DEBUG: When defined in the environment or in
/etc/apache2/envvars, debug output is displayed.
* Implement a -r switch for dh_apache2 which allows to force a reload of the
web server if required.
- 55. By Stefan Fritsch
* New upstream release
[ Arno Töll ]
* Drop update-alternative call in postrm. Our prerm script catches them
already anyway.
* Update my mail address.
* Fix "dh_apache2 does not set "x" bits on /usr/lib/apache2/modules/"
Set directory permissions to 755 by default (Closes: #666875). Thanks Axel
Beckert for the hint.
* Add /usr/share/doc/apache2/migrate-sites.pl, a script to assist users to
give sites a .conf suffix, add a hint to the NEWS file.
* Do stateful configuration handling by remembering who enabled when a
particular piece of configuration. That way it can be told under which
circumstances for example modules should be re-enabled. Thanks to Filip M.
Nowak who was providing a patch where my changes are built upon.
* Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
to override LDFLAGS at compile time by defining LDFLAGS in the environment,
just like it is possible for CFLAGS. This also means, config_vars.mk now
exports hardening build flags by default.
* Provide the virtual packages httpd and httpd-cgi again.
[ Stefan Fritsch ]
* Change default config to deny access to / in the file system and only
allow access to /var/www, /usr/share, and /usr/lib/cgi-bin. Closes: #341022
* Disable MultiViews in the default config.
* Update ssl default cipher config, add alternative speed optimized config.
Closes: #649020
* Move the configuration of /usr/lib/cgi-bin into a separate config file.
Closes: #589638
* Comment out per-vhost loglevel.
* Add section to security.conf that shows how to forbid access to VCS
directories. Closes: #548213
* Change the compiled in default of DocumentRoot to /var/www by updating
fhs_compliance.patch
* Re-add mpm_itk (version 2.4.1-pre01). This is still very experimental!
- 54. By Stefan Fritsch
[ Arno Töll ]
* apache2-suexec-{custom,pristine}: Fix argument order when removing
alternatives, do not remove alternatives on upgrades. Thanks Andreas
Beckmann for spotting the issue (Closes: #665002)
* Install suexec(8) link to /usr/share/man/man8/ ...
* Enable mod_version statically, drop associated module load file.
* Update PACKAGING hints and cope several questions raised among the
discussions with packagers. Thus, invocation of apache2-maintscript-helper
in maintainer scripts are covered now.
* Changes in dh_apache2:
+ Invoke the maintscript helper postrm action for simple package removals,
too.
+ Fix a bug which accidentally called "en{mod,site,conf}" instead of
"di{mod,site,conf}"
+ Set the default conditional back to "true", now the maintainer script is
expected to cope itself with upgrades correctly
* Changes in apache2_maintscript_helper
+ Provide apache2_action_needed, apache2_msg
+ Parse maintainer script arguments to find out which script called us
+ Support APACHE2_MAINTSCRIPT_HELPER_QUIET which, when set, omits any
visible output
+ Break APIs: apache2_invoke accepts a single configuration file argument
only now. However, other than dh_apache2 no users of this feature were
known.
* Build the apache2.2-bin transitional package again, without it updates from
Squeeze are broken from some use cases
* Remove 2.2's postrm script only if we're actually upgrading.
This previously didn't have bad side-effects, but caused a disturbing
warning.
[ Stefan Fritsch ]
* Import lots of bug fixes from upstream svn: All code changes from branch
2.4.x up to r1307835, plus r1294306 and r1307067 from trunk.
* Remove /usr/share/doc alias from default virtual hosts' configs.
* Add 'Multi-Arch: foreign' to apache2-utils
* Make a2enconf and a2ensite warn if dependencies are not fulfilled.
- 53. By Stefan Fritsch
[ Arno Töll ]
* Shift convert_docs script to an arch-indep target only. Debhelper does not
build apache2-doc on binary only builds causing a FTBS on binary-only (-B)
builds
* Raise debhelper build-dependency to 8.9.7~ due to the use of arch-indep
targets
[ Stefan Fritsch ]
* dh_apache2: Make autoscripts only run on upgrades by default. Bump
debhelper dependency of apache2-dev. Escape slashes in conditionals.
- 52. By Stefan Fritsch
* Package the coming up 2.4 branch of Apache by packaging the current
GA release 2.4.1.
+ Fix "IndexIgnore only allowes to add in vhost context, not replace"
(Closes: #296886)
+ Fix "mod_status stats are wrong." (Closes: #519322)
+ Fix "PNG DirectoryIndex icons transparancy messed up" (Closes: #233047)
+ Fix "apache2-common: there should be a possibility to access the
parsed configuration" (Closes: #350285)
+ Fix "AddOutputFilterByType is deprecated but used in deflate.conf"
(Closes: #601033)
+ Fixes "Renegotiation on POST request fails intermittently"
(Closes: #601606)
+ Allows configuring source address for proxy requests. (Closes: #465283)
+ Supports CONNECT request through https. (Closes: #307298)
+ New Upstream (2.4). (Closes: #662115)
* Refresh patches but leave all hunks unchanged where possible. Give all
patches a ".patch" suffix, drop sequence numbers as they are not needed when
using quilt. Notable changes are.
+ [AT] 202_suexec-custom: Keep functionality as is, but rewrite smaller
parts of the patch to build two binaries: suexec-pristine and
suexec-custom (see below)
+ [AT] 201_build_suexec-custom: Patch the makefile to build
"suexec-pristine" instead. Aside of that, refresh hunks.
+ [AT] 010_fhs_compliance: Drop config.layout patches. These have been
applied upstream
+ [JMV] Drop patches:
+ 004_usr_bin_perl_0wnz_j00: printenv example doesn't refer to
/usr/local/bin/perl anymore
+ 008_make_include_safe: Include doesn't support directory anymore.
Include dir/*.conf must be used.
+ 009_apache2_has_dso: Upstream is no longer testing DSO is available. So
we don't need to remove that test anymore.
+ [AT] customize_apxs.patch: Aggregate changes from various apxs2 patches,
drop obsolete hunks
[ Arno Töll ]
* Rewrite most parts of debian/rules / debhelper configuration.
+ move cronjob and init script to debhelper configuration files
(apache2.cron.daily and apache2.init respectively)
+ move man pages to debian/manpages
+ Remove Ubuntu hacks in debian/rules, we expect them to carry Ubuntu
specifics in their own patch set, as it diverges already anyway.
+ shake-up files installed in different packages
+ Do not copy the source tree anymore, build package in place.
* Push standards version to 3.9.3 - no special changes required
* Refactor binary packages, now as things simplified. MPMs are simple
modules now, they can be bundled into the same binary package which do not
need to conflict with each other. Thus, Apache now primarily consists of the
following packages:
+ apache2 - configuration files and init scripts, Debian specific helper
scripts
+ apache2-bin - binaries and modules
+ apache2-data - error pages and images
* Drop the ITK MPM entirely for now
* Consolidate development packages. As MPM packages are gone, we do not need
specific development packages either. Thus, drop all MPM specific apache2
development packages and provide a single apache2-dev package instead.
(Closes: #428095)
* Drop debian/source/options again: We do not need to ignore .svn directories
anymore since the new package management system is based on git and includes
the full source
* Rework the suexec mechanism. Now there are two suexec packages providing
alternatives through the update-alternatives mechanism. The untouched
upstream "suexec" binary is provided by the apache2-suexec-pristine package,
whereas the configurable suexec can be found in the apache2-suexec-custom
package. Both are providing the "suexec" binary which are managed by the
update-alternatives(9) mechanism.
This change is transparent to users at runtime and does not need any
configuration changes.
* Remove obsolete README.source file.
* Update doc-base metadata for the apache2-doc package
* Changes in the default configuration (not specific modules):
+ On the head of the apache2.conf configuration file, give a short summary
how configuration of the Apache web server works in Debian.
+ Drop NameVirtualHost entirely. It is deprecated (Closes: #511594)
+ Remove DefaultType. It is deprecated.
+ Replace Allow/Deny directives in the default configuration by using the
new Require directive. Load mod_access_compat if you rely on the old
syntax
+ Replace LockFile by Mutex which consolidates all lock file
synchronization files among modules
+ Update configuration to use the new IncludeOptional syntax
+ Enable these modules by default: authz_core authz_host alias cgi dir
+ Move MPM specific configuration to their respective configuration files.
Users can just load and unload MPMs like other modules, enable the worker
MPM by default
+ Move per-site global configuration from conf.d to conf-available and
manage it similar to modules and sites. To do so, the new tools
"a2enconf" and "a2disconf" are provided. Moreover, such configuration
files need to have a .conf suffix now. The following configuration
files are enabled by default: charset localized-error-pages
other-vhosts-access-log security. These were enabled by default
previously, too (Closes: #620347, Closes: #605227).
This holds for apache2-doc as well, which is still enabled by default but
can be disabled easily anytime by using a2disconf (Closes: #604980).
+ Give site configuration a .conf suffix, too. For example the default vhost
is called default.conf. Moreover, files without .conf suffix are ignored
upon startup. Please update your site links and confs. Also rename the
default vhost to 000-default.conf and don't do hacky things in a2enmod
anymore.
* Changes in a2enmod:
+ Parse "Conflicts: " header to denote conflicts between modules which
cannot be loaded into the same Apache server.
+ Remove dangling "module.conf" files, too. They were forgotten previously
if they existed and only the "module.load" file was removed.
+ Extend the tool to support conf-available/conf-enabled directories (see
also configuration changes).
+ Expect a .conf suffix for sites-enabled/sites-available configurations.
+ Remove the default vhost special handling. Instead, we expect the default
host to be named appropriately (for example 000-default.conf;
Closes: #605535).
* The following modules and associated configuration files were removed:
+ mod_authz_default and mod_authn_default: Please use a proper
authentication module instead
+ mod_mem_cache: Use mod_cache_disk instead
* The following modules and associated configuration files are provided (but
not enabled by default):
access_compat, allowmethods, authz_dbd, cache_disk, data, log_debug, lua
proxy_express, proxy_fcgi, proxy_fdpass, proxy_html, ratelimit, reflector
remoteip, request, session, session_cookie, session_crypto, session_dbd
(Closes: #400881)
* Provide a dh_apache2 debhelper which can be used by reverse dependencies to
install modules, module configuration files, site configuration files and
global configuration files which need to be registered to the Apache web
server.
Thus, dh_apache2 can be used for Apache web server modules and web
applications providing configuration files for Apache.
* Write apache2-maintscript- helper which packagers can use to interface in a
reliable way with the Apache 2 web server in maintainer scripts
* Document programming hints how to interface with the Apache 2 web server for
packagers of web applications and module maintainer in
/usr/share/doc/apache2/PACKAGING.gz.
* Fix the watch file, thanks to Jean-Michel Vourgère for pointing out the
problem.
* Update debian/copyright and switch it to the copyright-format 1.0 (formerly
known as DEP5)
[ Stefan Fritsch ]
* Use "dh --with autotools_dev" instead of patching
config.sub/config.guess.
* Only include conf.d/*.conf, not conf.d/*.
* Don't create httpd.conf anymore. Also, do a proper transition of existing
httpd.conf files to /etc/apache2/conf-available (Closes: #639383)
* Add "AddCharset" for .brf files in default mod_mime config.
(Closes: #402567)
* Update the README.Debian file
[ Jean-Michel Vourgère ]
* Update bash completion functions to reflect the new site setup. (Closes:
#657492)
* Migrate patches to DEP-3 format. For particular changes see the summary
above.
- 51. By Stefan Fritsch
[ Stefan Fritsch ]
* New upstream release, urgency medium due to security fixes:
- Fix CVE-2012-0021: mod_log_config: DoS with '%{cookiename}C' log format
- Fix CVE-2012-0031: Unprivileged child process could cause the parent to
crash at shutdown
- Fix CVE-2012-0053: Exposure of "httpOnly" cookies in code 400 error
message.
* Move httxt2dbm to apache2-utils
* Adjust debian/control to point to new git repository.
[ Arno Töll ]
* Fix "typo in /etc/apache2/apache2.conf" (Closes: #653801)
- 50. By Stefan Fritsch
[ Arno Töll ]
Fix build failures introduced as regression by the previous build. Debian
buildds aren't rebuilding arch:all packages which caused problems for our
unconditional copying into binary package. I was warned.
- 49. By Stefan Fritsch
[ Stefan Fritsch ]
* Security: Fix broken patch for CVE-2011-3607 (Integer overflow in
ap_pregsub).
* Optimize debian/rules again to improve build time by doing most work in a
single parallelized "build-%" target.
[ Arno Töll ]
* Fix "Suggest removing DefaultType from apache2.conf" change the DefaultType
from text/plain to None. This lets the browser guess a proper MIME type
instead of being forced to treat a given file according to our default type
(Closes: #440058)
* Fix "add pre-rotate hook to logrotate script" execute scripts in
/etc/logrotate.d/httpd-prerotate if available (Closes: #590096).
* Fix "Hide /icons index" Disables indexes on the icon directory. By upgrading
to Debian's 3.0/quilt source format also images don't need to be generated
at build time anymore. Hence, the icon date can no longer lead to
information disclosure (Closes: #649888).
* Upgrade package to 3.0/quilt.
+ Remove uuencoded images, keep them in their binary format in debian/icons
+ Upgrade to quilt from dpatch and refresh all patches by keeping all hunks
unchanged. Remove the `001_branding' patch by supplying -DPLATFORM at
build time where needed. Move the 200_cp_suexec.dpatch patch and
202_suexec-custom.dpatch patch to debian/rules. 200_cp_suexec.dpatch was a
script, not a patch which is not supported by quilt.
* Rewrite debian/rules and base it on dh(1).
+ use overrides where possible, replace some debhelper calls by our own
implementation where needed. That's required since the Apache package is
compiled in parts several times for each MPM once.
+ move some install operations to the their respective .install files
+ Support dpkg-buildflags now, which also enables by default hardening
flags. Thus, remove them from their explicit appearance in debian/rules
+ Remove DEB_BUILD_OPTIONS legacy support. It comes for free when using
dh(1)/dpkg-buildflags(1).
* Push debhelper compatibility to 8
* Remove unused Lintian overrides for the Debian source package remove and
redundant priorities in debian/control.
* Add myself to Uploaders
- 48. By Stefan Fritsch
* Fix CVE-2011-4317: Prevent unintended pattern expansion in some
reverse proxy configurations. (Similar to CVE-2011-3368, but different
attack vector.)
* Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
via malicious .htaccess.
* Mention dpkg-statoverride for changing permissions of suexec. LP: #897120
* Fix broken link in docs. Closes: #650528
* Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders.
Thanks for your work in the past.
- 47. By Stefan Fritsch
* Fix CVE-2011-3368: Prevent unintended pattern expansion in some
reverse proxy configurations by strictly validating the request-URI.
* Correctly set permissions of suexec.load even if umask is 0002 during
build. LP: #872000
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:debian/apache2