ubuntu/+source/apache2:ubuntu/bionic-devel

Last commit made on 2019-09-17
Get this branch:
git clone -b ubuntu/bionic-devel https://git.launchpad.net/ubuntu/+source/apache2
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/bionic-devel
Repository:
lp:ubuntu/+source/apache2

Recent commits

2ad0745... by Steve Beattie on 2019-09-16

Import patches-unapplied version 2.4.29-1ubuntu4.11 to ubuntu/bionic-security

Imported using git-ubuntu import.

Changelog parent: e7a4a4340e4c6bae39d8f974aab81fdc05518e62

New changelog entries:
  * SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

e7a4a43... by Steve Beattie on 2019-08-26

Import patches-unapplied version 2.4.29-1ubuntu4.10 to ubuntu/bionic-security

Imported using git-ubuntu import.

Changelog parent: e651ec676e2a594b8ad5d8b9322ba128919f00e5

New changelog entries:
  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092-1
  * SECURITY UPDATE: mod_rewrite potential open redirect.
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches
    - dropped the following patches included above:
      + d/p/CVE-2018-1302.patch
      + d/p/CVE-2018-1333.patch
      + d/p/CVE-2018-11763.patch
      + d/p/CVE-2018-17189.patch
      + d/p/CVE-2019-0196.patch

e651ec6... by Andreas Hasenack on 2019-07-16

Import patches-unapplied version 2.4.29-1ubuntu4.8 to ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: 06081c62bf15d6904f01d0e3e626e3b5bb40af4a

New changelog entries:
  * d/p/ssl-read-rc-value-openssl-1.1.1.patch: Handle SSL_read() return code 0
    similarly to <0 with openssl 1.1.1
  * d/p/clear-retry-flags-before-abort.patch: clear retry flags before
    aborting on client-initiated reneg (LP: #1836329)

06081c6... by Andreas Hasenack on 2019-06-28

Import patches-unapplied version 2.4.29-1ubuntu4.7 to ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: 64fe79b956209c10f0f9af747120b1f62188c352

New changelog entries:
  * d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
    authentication when built with openssl 1.1.1 (LP: #1833039)

64fe79b... by Marc Deslauriers on 2019-04-03

Import patches-unapplied version 2.4.29-1ubuntu4.6 to ubuntu/bionic-security

Imported using git-ubuntu import.

Changelog parent: cafd33c017ea25062f023347aed73e9241a8f4a3

New changelog entries:
  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

cafd33c... by Andreas Hasenack on 2018-10-10

Import patches-unapplied version 2.4.29-1ubuntu4.5 to ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: 7a4ca66b9ce3095183ac8bc28c5d484434de2bf0

New changelog entries:
  * d/debhelper/apache2-maintscript-helper: fix typo in apache2_switch_mpm()'s
    a2query call. (LP: #1782806)

7a4ca66... by Marc Deslauriers on 2018-10-03

Import patches-unapplied version 2.4.29-1ubuntu4.4 to ubuntu/bionic-security

Imported using git-ubuntu import.

Changelog parent: e726c4c3de1290561c5a3b79ddc270ba5862ebb0

New changelog entries:
  * SECURITY UPDATE: DoS in HTTP/2 via NULL pointer
    - debian/patches/CVE-2018-1302.patch: remove obsolete stream detach
      code in modules/http2/h2_bucket_beam.c, modules/http2/h2_stream.c,
      modules/http2/h2_stream.h.
    - CVE-2018-1302
  * SECURITY UPDATE: DoS in HTTP/2 via worker exhaustion
    - debian/patches/CVE-2018-1333.patch: always wake up any conditional
      waits when streams are aborted in modules/http2/h2_bucket_beam.c.
    - CVE-2018-1333
  * SECURITY UPDATE: DoS in HTTP/2 via large SETTINGS frames
    - debian/patches/CVE-2018-11763.patch: rework connection IO event
      handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
      modules/http2/h2_version.h.
    - CVE-2018-11763

e726c4c... by Andreas Hasenack on 2018-06-27

Import patches-unapplied version 2.4.29-1ubuntu4.3 to ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: 92eb26b8a9119d35f330876fdc314690527f8964

New changelog entries:
  * d/p/balance-member-long-hostname-part{1,2}.patch: Provide an RFC1035
    compliant version of the hostname in the
    proxy_worker_shared structure. A hostname that is too long is no longer a
    fatal error. (LP: #1750356)

92eb26b... by Andreas Hasenack on 2018-06-07

Import patches-unapplied version 2.4.29-1ubuntu4.2 to ubuntu/bionic-proposed

Imported using git-ubuntu import.

Changelog parent: 6c8f20d9ae1e908fc845bee1b80669f70153f127

New changelog entries:
  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a not existent file path with IncludeOptional . Closes LP:
    #1766186.

6c8f20d... by Marc Deslauriers on 2018-04-25

Import patches-unapplied version 2.4.29-1ubuntu4.1 to ubuntu/bionic-security

Imported using git-ubuntu import.

Changelog parent: cb2b84735ee83e83e8d277ce4a346fff956f7fd4

New changelog entries:
  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: incorrect <FilesMatch> matching
    - debian/patches/CVE-2017-15715.patch: allow to configure
      global/default options for regexes, like caseless matching or
      extended format in include/ap_regex.h, server/core.c,
      server/util_pcre.c.
    - CVE-2017-15715
  * SECURITY UPDATE: mod_session header manipulation
    - debian/patches/CVE-2018-1283.patch: strip Session header when
      SessionEnv is on in modules/session/mod_session.c.
    - CVE-2018-1283
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: mod_cache_socache DoS
    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
      to carriage return in modules/cache/mod_cache_socache.c.
    - CVE-2018-1303
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312