ubuntu/+source/apache2:ubuntu/artful-security

Last commit made on 2018-04-19
Get this branch:
git clone -b ubuntu/artful-security https://git.launchpad.net/ubuntu/+source/apache2
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/artful-security
Repository:
lp:ubuntu/+source/apache2

Recent commits

cbc3200... by Marc Deslauriers on 2018-04-18

Import patches-unapplied version 2.4.27-2ubuntu4.1 to ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: c7c79f29748d24bb5f9fbc71b131aef8cc4117c2

New changelog entries:
  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: incorrect <FilesMatch> matching
    - debian/patches/CVE-2017-15715.patch: allow to configure
      global/default options for regexes, like caseless matching or
      extended format in include/ap_regex.h, server/core.c,
      server/util_pcre.c.
    - CVE-2017-15715
  * SECURITY UPDATE: mod_session header manipulation
    - debian/patches/CVE-2018-1283.patch: strip Session header when
      SessionEnv is on in modules/session/mod_session.c.
    - CVE-2018-1283
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: mod_cache_socache DoS
    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
      to carriage return in modules/cache/mod_cache_socache.c.
    - CVE-2018-1303
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

c7c79f2... by Rafael David Tinoco on 2018-03-02

Import patches-unapplied version 2.4.27-2ubuntu4 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: c484172d3a6599603ebbf2fbbc81312301b61e72

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

c484172... by Marc Deslauriers on 2017-09-18

Import patches-unapplied version 2.4.27-2ubuntu3 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: f09ecdf404a45f84d3f6706d7415653f3faa38d7

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

f09ecdf... by Marc Deslauriers on 2017-08-02

Import patches-unapplied version 2.4.27-2ubuntu2 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: 0c22eaa464e098765fdace1b667f458294cb7203

New changelog entries:
  * Undrop (LP 1658469):
    - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.

0c22eaa... by Nish Aravamudan on 2017-07-27

Import patches-unapplied version 2.4.27-2ubuntu1 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: eebc1582658d9efdd5c48781816735fa69d6487d

New changelog entries:
  * Merge with Debian unstable (LP: #1702582). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allow a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.

eebc158... by Stefan Fritsch on 2017-07-16

Import patches-unapplied version 2.4.27-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ee067d5fe3b294b6a1bf001de49d876e8cf21999

New changelog entries:
  * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
    work and should go into experimental, first. Reopens: #851094

ee067d5... by Stefan Fritsch on 2017-07-16

Import patches-unapplied version 2.4.27-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 88a61448d240fbc3a7b134767d9837bd10071bf6

New changelog entries:
  [ New upstream release ]
  * Fix CVE-2017-9788: mod_auth_digest: Uninitialized memory reflection
    Closes: #868467
  [ Stefan Fritsch ]
  * Switch to openssl 1.1. Closes: #851094

88a6144... by Stefan Fritsch on 2017-06-20

Import patches-unapplied version 2.4.25-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 7674960d2cfb46d6dd941e44384ea880155a8188

New changelog entries:
  * Backport security fixes from 2.4.26:
  * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
  * CVE-2017-3169: mod_ssl NULL pointer dereference
  * CVE-2017-7668: Buffer overrun in ap_find_token()
  * CVE-2017-7679: mod_mime buffer overread
  * CVE-2017-7659: mod_http2 NULL pointer dereference

7674960... by Stefan Fritsch on 2017-01-25

Import patches-unapplied version 2.4.25-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 5838443ffdd2e4fcade4168049811f0a89641fdb

New changelog entries:
  * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
    Closes: #852543
  * Compile mod_bucketeer mod_case_filter mod_case_filter_in for benefit of
    the test suite, but don't add *.load files because they don't have any
    real-world use.
  * Include the upstream test suite and a corresponding autopkgtest. This
    is quite a hack but it may help quite a bit with security updates,
    especially if stretch gets LTS support, too.

5838443... by Stefan Fritsch on 2017-01-14

Import patches-unapplied version 2.4.25-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e3f3b995ccda824ea1f98974400a0e8b69631687

New changelog entries:
  * Activate mod_reqtimeout in new installs and during updates from
    before 2.4.25-2. It was wrongly not activated in new installs since
    jessie. This made the default installation vulnerable to some DoS
    attacks.
  * Restart htcacheclean on updates and tighten dependency on apache2-utils
    to ensure that apache2-utils cannot be upgraded without apache2.
    Closes: #851122
  * When running on systems with systemd, make 'apache2ctl start' invoke
    systemctl instead. Otherwise systemd will think apache2 is not running
    and ignore further commands like reload. Closes: #839227
  * Avoid segfault in mpm_event if a signal is received too soon after start.
    PR 60487
  * Add test for some modules to be enabled.
  * Remove mention of CVE-2016-5387 in 2.4.25-1 changelog. It was already
    fixed in 2.4.23-2.