Last commit made on 2018-06-23
Get this branch:
git clone -b debian/jessie https://git.launchpad.net/ubuntu/+source/apache2
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information


Recent commits

a8c8f86... by Stefan Fritsch on 2018-03-31

Import patches-unapplied version 2.4.10-10+deb8u12 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 2c986900081af76f74ef6d53bd789ecf4497af8e

New changelog entries:
  * CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap
    when using too small Accept-Language values.
  * CVE-2017-15715: <FilesMatch> bypass with a trailing newline in the file
    Configure the regular expression engine to match '$' to the end of
    the input string only, excluding matching the end of any embedded
    newline characters. Behavior can be changed with new directive
  * CVE-2018-1283: Tampering of mod_session data for CGI applications.
  * CVE-2018-1301: Possible out of bound access after failure in reading the
    HTTP request
  * CVE-2018-1303: Possible out of bound read in mod_cache_socache
  * CVE-2018-1312: mod_auth_digest: Weak Digest auth nonce generation

2c98690... by Salvatore Bonaccorso on 2017-09-19

Import patches-unapplied version 2.4.10-10+deb8u11 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 4306620a9efc1df641fc3c454f22c7a0dfbdb207

New changelog entries:
  * Non-maintainer upload by the Security Team.
  * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
    (Closes: #876109)
  * CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory

4306620... by Stefan Fritsch on 2017-06-20

Import patches-unapplied version 2.4.10-10+deb8u9 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 386763bd027994fcd385ee1cbfc333842754a948

New changelog entries:
  * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
  * CVE-2017-3169: mod_ssl NULL pointer dereference
  * CVE-2017-7668: Buffer overrun in ap_find_token()
  * CVE-2017-7679: mod_mime buffer overread

386763b... by Stefan Fritsch on 2017-02-24

Import patches-unapplied version 2.4.10-10+deb8u8 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: d7cddfe6f2c186423a7cb6b41637380aa5284659

New changelog entries:
  * CVE-2016-8743: Enforce more HTTP conformance for request lines and
    request headers, to prevent response splitting and cache pollution
    by malicious clients or downstream proxies.
    If this causes problems with non-conforming clients, some checks can
    be relaxed by adding the new directive 'HttpProtocolOptions unsafe'
    to the configuration.
    Differently than the upstream 2.4.25 release which will also be in the
    Debian 9 (stretch) release, this update for Debian 8 (jessie) accepts
    underscores in host and domain names even while 'HttpProtocolOptions
    strict' is in effect.
    More information is available at
  * CVE-2016-0736: mod_session_crypto: Prevent padding oracle attack.
  * CVE-2016-2161: mod_auth_digest: Prevent segfaults when the shared memory
    space is exhausted.
  * Activate mod_reqtimeout in new installs and during updates from
    before 2.4.10-10+deb8u8. It was wrongly not activated in new installs
    since jessie. This made the default installation vulnerable to some
    DoS attacks.
  * Don't run 2.2 to 2.4 upgrade logic again when upgrading from
    2.4.10-10+deb8u*. Closes: #836818

d7cddfe... by Julien Cristau on 2016-09-15

Import patches-unapplied version 2.4.10-10+deb8u7 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: b4d9034e647a354795c00d56ccdd6f850cec187d

New changelog entries:
  * Fix installation of /lib/systemd/system/apache2.service.d/forking.conf.
  * Fix race condition and logical error in init script. Thanks to Thomas
    Stangner for the patch. Closes: #822144
  * Remove links to manpages.debian.org in default index.html to avoid
    broken robots doing a DoS on the site. Closes: #821313
  * mod_socache_memcache: Increase idle timeout to 15s to allow keep-alive
    connections. Closes: #803035
  * mod_proxy_fcgi: Fix wrong behavior with 304 responses. Closes: #827472
  * Correct systemd-sysv-generator behavior by customizing some parameters.
    This fixes 'systemctl status' returning incorrect results.
    Closes: #827444
  * mod_proxy_html: Add missing config file mods-available/proxy_html.conf.
    This is intentionally not enabled during upgrade, to make it less
    likely to break existing setups. It will be enabled by a a2dismod/a2enmod
    cycle, though. Closes: #827258
  * Non-maintainer upload by the Security Team.
  * CVE-2016-5387: Sets environmental variable based on user supplied Proxy
    request header.
    Don't pass through HTTP_PROXY in server/util_script.c

b4d9034... by Stefan Fritsch on 2015-11-28

Import patches-unapplied version 2.4.10-10+deb8u4 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: a0586c48075c74e100e3a36ae59ffb3cf0eec15d

New changelog entries:
  * Add versioned replaces/breaks for libapache2-mod-macro to apache2,
    for the config files in /etc. Closes: #806326
  * Fix split-logfile to work with current perl. Closes: #803472
  * Fix tests on deferred mpm switch. Add special casing for mpm_itk,
    which is not an mpm anymore, despite the name. Closes: #789914
    Closes: #791902
  * Fix secondary-init-script to not source the main init script with 'set -e'.
    Closes: #803177

a0586c4... by Stefan Fritsch on 2015-08-28

Import patches-unapplied version 2.4.10-10+deb8u3 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: d87b281ce5165a351c4c75234d05bb03608aaf8f

New changelog entries:
  * Revert fix for deferred mpm switch for now, because it is at least not
    complete or maybe causes regressions (see #791902). Re-opens #789914
  [ Stefan Fritsch ]
  * Fix upgrade logic: When upgrading from wheezy with apache2.2-common
    but without apache2 installed to jessie, part of the conffile handling
    logic would not run, causing outdated conffile content to be kept.
    This is part of the solution for bug #794933. The other part will be
    included in the upgrade to Debian 9 (stretch).
  * core: Fix -D[efined] or <Define>[d] variables lifetime accross restarts.
    This could cause all kinds of strange behavior. PR 56008. PR 57328
  * mpm_event: Fix process deadlock when shutting down a worker. PR 56960
  * mpm_event: Fix crashes due to various race conditions. Closes: #779078
  [ Jean-Michel Vourgère ]
  * apache2.postinst: Fixed tests on deferred mpm switch. Closes: #789914
  * CVE-2015-3183: Fix chunk header parsing defect.
  * CVE-2015-3185: ap_some_auth_required() broken in apache 2.4 in an
    unfixable way. Add a new replacement API ap_some_authn_required()
    and ap_force_authn hook.

d87b281... by Stefan Fritsch on 2015-03-15

Import patches-unapplied version 2.4.10-10 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 17c775a090b998a69e6b861dff2feb279f63dafa

New changelog entries:
  * CVE-2015-0228: mod_lua: Fix denial of service vulnerability in
  * Fix setup-instance example script to handle a2enconf/a2disconf.
    LP: #1430936
  * Tweak mention of mod_access_compat in NEWS.Debian. The module does
    not really work in practice.

17c775a... by Stefan Fritsch on 2014-12-22

Import patches-unapplied version 2.4.10-9 to debian/sid

Imported using git-ubuntu import.

Changelog parent: fd7676df657ceb8377ee7649ec7c7000fbfed3e2

New changelog entries:
  * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
    LuaAuthzProvider is used in multiple Require directives with different
  * Include ask-for-passphrase script from Ubuntu with some tweaks. This
    fixes asking for certificate passphrases if started via systemd.
    Closes: #773405
  * Fix init script to not wait 20s if passphrase was wrong.
  * Also bump debhelper build-depends to get dh_installdeb with support for
    symlink_to_dir. Closes: #770421

fd7676d... by Stefan Fritsch on 2014-11-18

Import patches-unapplied version 2.4.10-8 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 4169270c04cdaffeb3d988bd336c7ae6917dd27f

New changelog entries:
  * Bump dpkg Pre-Depends to version that supports relative symlinks in
    dpkg-maintscript-helper's symlink_to_dir. Closes: #769821
  * mod_proxy_fcgi: Fix potential denial of service by malicious fcgi
    script. (CVE-2014-3583). Fix similar bug in mod_authnz_fcgi even
    though it does not seem to be exploitable.
  * mpm_event: Fix use-after-free that may lead to a server crash.
  * mod_ssl: Fix memory leak on graceful restart. Closes: #754492
  * mod_ssl: Avoid crashes during startup or graceful restart due to
    openssl using a callback to invalid memory. LP: #1366174