-
0ce9b25...
by
Stefan Fritsch
on 2018-03-30
-
Import patches-applied version 2.4.33-1 to applied/debian/sid
Imported using git-ubuntu import.
Changelog parent: d8eeb4126b1ab2ef92ceb89629b9edb3a8089b3e
Unapplied parent: 80ec81c53c05d766dea5b8a165d52a9b8073be03
New changelog entries:
* New upstream version.
Security fixes:
- CVE-2017-15710
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
- CVE-2018-1283
mod_session: CGI-like applications that intend to read from mod_session's
'SessionEnv ON' could be fooled into reading user-supplied data instead.
- CVE-2018-1303
mod_cache_socache: Fix request headers parsing to avoid a possible crash
with specially crafted input data.
- CVE-2018-1301
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel.
- CVE-2017-15715
core: Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'.
- CVE-2018-1312
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
may cause problems if used with round robin load balancers. PR 54637
- CVE-2018-1302
mod_http2: Potential crash w/ mod_http2.
- mod_proxy_uwsgi: New UWSGI proxy submodule.
- mod_md: New experimental module for managing domains across virtual
hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
renew certificates.
- core: silently ignore a not existent file path when IncludeOptional
is used. Closes: #878920
- mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980
* Fix lintian warnings:
- Include SupportApache-small.png in apache2-doc package instead of
linking to apache.org, to avoid privacy issues.
- Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
- Remove deprecated use of autotools_dev with dh.
- Add some overrides
* Bump standards-version to 4.1.2 (no changes)
-
80ec81c...
by
Stefan Fritsch
on 2018-03-30
-
Make builds reproducible
Gbp-Pq: reproducible_builds.diff.
-
4d1f781...
by
Stefan Fritsch
on 2018-03-30
-
add suexec-custom to the build system
Gbp-Pq: build_suexec-custom.patch.
-
7a66306...
by
Stefan Fritsch
on 2018-03-30
-
Adapt apxs to Debian specific changes
Gbp-Pq: customize_apxs.patch.
-
b6654d1...
by
Stefan Fritsch
on 2018-03-30
-
Fix race condition with chdir
Gbp-Pq: suexec-CVE-2007-1742.patch.
-
985883e...
by
Stefan Fritsch
on 2018-03-30
-
Remove LD_LIBRARY_PATH from envvars-std
Gbp-Pq: no_LD_LIBRARY_PATH.patch.
-
c5f599a...
by
Stefan Fritsch
on 2018-03-30
-
Fix up FHS file locations for apache2 droppings.
Gbp-Pq: fhs_compliance.patch.
-
3e69ee7...
by
Stefan Fritsch
on 2018-03-30
-
Import patches-unapplied version 2.4.33-1 to debian/sid
Imported using git-ubuntu import.
Changelog parent: 4d9e478148bbfba2ec7ea63e425f3425c76e6b42
New changelog entries:
* New upstream version.
Security fixes:
- CVE-2017-15710
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
- CVE-2018-1283
mod_session: CGI-like applications that intend to read from mod_session's
'SessionEnv ON' could be fooled into reading user-supplied data instead.
- CVE-2018-1303
mod_cache_socache: Fix request headers parsing to avoid a possible crash
with specially crafted input data.
- CVE-2018-1301
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel.
- CVE-2017-15715
core: Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'.
- CVE-2018-1312
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
may cause problems if used with round robin load balancers. PR 54637
- CVE-2018-1302
mod_http2: Potential crash w/ mod_http2.
- mod_proxy_uwsgi: New UWSGI proxy submodule.
- mod_md: New experimental module for managing domains across virtual
hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
renew certificates.
- core: silently ignore a not existent file path when IncludeOptional
is used. Closes: #878920
- mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980
* Fix lintian warnings:
- Include SupportApache-small.png in apache2-doc package instead of
linking to apache.org, to avoid privacy issues.
- Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
- Remove deprecated use of autotools_dev with dh.
- Add some overrides
* Bump standards-version to 4.1.2 (no changes)
-
4d9e478...
by
Ondřej Surý
on 2018-01-14
-
Import patches-unapplied version 2.4.29-2 to debian/sid
Imported using git-ubuntu import.
Changelog parent: e71b57f8076ca227cd6c0a452857cb81a4bad93d
New changelog entries:
* Add myself to Uploaders
* Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
* Run wrap-and-sort -a to canonicalize the debian/ directory
* Add Build-Depends on libbrotli-dev and enable brotli module
-
e71b57f...
by
Ondřej Surý
on 2017-10-23
-
Import patches-unapplied version 2.4.29-1 to debian/sid
Imported using git-ubuntu import.
Changelog parent: 06779c1600a4c3af43e43591723c3f5fdb1a1a8a
New changelog entries:
[ Stefan Fritsch ]
* Replace outdated dependency on dh-systemd
[ Ondřej Surý ]
* New upstream version 2.4.29
* Refresh quilt patches
* Add mod_ssl_md patch needed for libapache2-mod-md (Closes: #877343)
* Refresh patches on top of upstream release 2.4.29
* Fix Apache crash on restarts (ASF Bug 61558)
* Add deconfigure to the list of recognized scripts (Closes: #877524)