Last commit made on 2020-02-08
Get this branch:
git clone -b debian/stretch https://git.launchpad.net/ubuntu/+source/apache2

Recent commits

64c0330... by Stefan Fritsch on 2019-10-13

Import patches-unapplied version 2.4.25-3+deb9u9 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: a4e538ac6919aca336b507be098bedfe67a9c0dd

New changelog entries:
  [ Xavier Guimard ]
  * Use correct patch for CVE-2019-10092. This fixes a regression in
    mod_proxy_balancer (Closes: #941202)

a4e538a... by Stefan Fritsch on 2019-08-19

Import patches-unapplied version 2.4.25-3+deb9u8 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: affacb033dd1f0938497d8551999d33159a0694a

New changelog entries:
  [ Xavier Guimard ]
  * Add patch to limit cross-site scripting in mod_proxy (Closes: CVE-2019-10092)
  * Import http2 modules from 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10082, CVE-2019-10081)
  * Add patch to set PCRE_DOTALL by default (Closes: CVE-2019-10098)
  [ Stefan Fritsch ]
  * Add -Werror=implicit-function-declaration to compile options to catch
    problems with backports.

affacb0... by Stefan Fritsch on 2019-04-02

Import patches-unapplied version 2.4.25-3+deb9u7 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: b408c29c36dd316a29de39410df8cdb08a633bd0

New changelog entries:
  [ Xavier Guimard ]
  * CVE-2018-17199: mod_session: Fix missing check for session expiry time.
    Closes: #920303
  [ Stefan Fritsch ]
  * mod_http2: Fix keepalive timeout behavior. This fixes a regression with
    Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103
  * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
    Closes: #904150
  * CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies.
    Closes: #920302
  * CVE-2019-0196: mod_http2: Fix read after free
  * CVE-2019-0211: All MPMs: privilege escalation from www-data user to root.
  * CVE-2019-0217: mod_auth_digest: Access control bypass
  * CVE-2019-0220: URL normalization inconsistency.
    Consecutive slashes in URLs are now merged before use in LocationMatch
    and RewriteRule. The old behavior can be restored with the new directive
    "MergeSlashes off".

b408c29... by Stefan Fritsch on 2018-11-03

Import patches-unapplied version 2.4.25-3+deb9u6 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: 5481797e2caa19e93ab07da5f13362586b9fddae

New changelog entries:
  * CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106
  * CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS.
    Closes: #909591
  * mod_proxy_fcgi: Fix segfault. Closes: #902906

5481797... by Stefan Fritsch on 2018-06-02

Import patches-unapplied version 2.4.25-3+deb9u5 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: 8bf2e49e6b4e62c7a67f25b37448bd4602afdda5

New changelog entries:
  * Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This
    - CVE-2018-1302: mod_http2: Potential crash w/ mod_http2
    - Segfaults in mod_http2 (Closes: #873945)
    - mod_http2 issue with option "Indexes" and directive "HeaderName"
      (Closes: #850947)
    Unfortunately, this also removes support for http2 when running on
  * mod_http2: Avoid high memory usage with large files, causing crashes on
    32bit archs. Closes: #897218
  * Make the apache-htcacheclean init script actually look into
    /etc/default/apache-htcacheclean for its config. Closes: #898563
  * CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap
    when using too small Accept-Language values.
  * CVE-2017-15715: <FilesMatch> bypass with a trailing newline in the file
    Configure the regular expression engine to match '$' to the end of
    the input string only, excluding matching the end of any embedded
    newline characters. Behavior can be changed with new directive
  * CVE-2018-1283: Tampering of mod_session data for CGI applications.
  * CVE-2018-1301: Possible out of bound access after failure in reading the
    HTTP request
  * CVE-2018-1303: Possible out of bound read in mod_cache_socache
  * CVE-2018-1312: mod_auth_digest: Weak Digest auth nonce generation

8bf2e49... by Salvatore Bonaccorso on 2017-09-19

Import patches-unapplied version 2.4.25-3+deb9u3 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: 2d4efdff06294a12500b0324e326f72b9aabfd3e

New changelog entries:
  * Non-maintainer upload by the Security Team.
  * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
    (Closes: #876109)
  * CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory

2d4efdf... by Stefan Fritsch on 2017-06-20

Import patches-unapplied version 2.4.25-3+deb9u1 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: 7674960d2cfb46d6dd941e44384ea880155a8188

New changelog entries:
  * Backport security fixes from 2.4.26:
  * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
  * CVE-2017-3169: mod_ssl NULL pointer dereference
  * CVE-2017-7668: Buffer overrun in ap_find_token()
  * CVE-2017-7679: mod_mime buffer overread
  * CVE-2017-7659: mod_http2 NULL pointer dereference

7674960... by Stefan Fritsch on 2017-01-25

Import patches-unapplied version 2.4.25-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 5838443ffdd2e4fcade4168049811f0a89641fdb

New changelog entries:
  * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
    Closes: #852543
  * Compile mod_bucketeer mod_case_filter mod_case_filter_in for benefit of
    the test suite, but don't add *.load files because they don't have any
    real-world use.
  * Include the upstream test suite and a corresponding autopkgtest. This
    is quite a hack but it may help quite a bit with security updates,
    especially if stretch gets LTS support, too.

5838443... by Stefan Fritsch on 2017-01-14

Import patches-unapplied version 2.4.25-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e3f3b995ccda824ea1f98974400a0e8b69631687

New changelog entries:
  * Activate mod_reqtimeout in new installs and during updates from
    before 2.4.25-2. It was wrongly not activated in new installs since
    jessie. This made the default installation vulnerable to some DoS
  * Restart htcacheclean on updates and tighten dependency on apache2-utils
    to ensure that apache2-utils cannot be upgraded without apache2.
    Closes: #851122
  * When running on systems with systemd, make 'apache2ctl start' invoke
    systemctl instead. Otherwise systemd will think apache2 is not running
    and ignore further commands like reload. Closes: #839227
  * Avoid segfault in mpm_event if a signal is received too soon after start.
    PR 60487
  * Add test for some modules to be enabled.
  * Remove mention of CVE-2016-5387 in 2.4.25-1 changelog. It was already
    fixed in 2.4.23-2.

e3f3b99... by Stefan Fritsch on 2016-12-21

Import patches-unapplied version 2.4.25-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d0ab85635184f1f83ca54b0a0b3298a0b72ade50

New changelog entries:
  [ New upstream release ]
  * Security: CVE-2016-0736:
    mod_session_crypto: Authenticate the session data/cookie with a MAC to
    prevent deciphering or tampering with a padding oracle attack.
  * Security: CVE-2016-2161:
    mod_auth_digest: Prevent segfaults during client entry allocation when the
    shared memory space is exhausted.
  * Security: CVE-2016-5387:
    Mitigate [f]cgi "httpoxy" issues.
  * Security: CVE-2016-8740:
    mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
    Closes: #847124
  * Security: CVE-2016-8743:
    Enforce HTTP request grammar corresponding to RFC7230 for request lines
    and request headers, to prevent response splitting and cache pollution by
    malicious clients or downstream proxies.
  * The stricter HTTP enforcement may cause compatibility problems with
    non-conforming clients. Fine-tuning is possible with the new
    HttpProtocolOptions directive.
  * mpm_event: Fix "scoreboard full" errors. Closes: #834708 LP: #1466926
  * mod_http2: Many fixes and support for early pushes using the new
    H2PushResource directive.
  [ Stefan Fritsch ]
  * Switch to debhelper compatibility level 9.