-
64fe79b...
by
Marc Deslauriers
on 2019-04-03
-
Import patches-unapplied version 2.4.29-1ubuntu4.6 to ubuntu/bionic-security
Imported using git-ubuntu import.
Changelog parent: cafd33c017ea25062f023347aed73e9241a8f4a3
New changelog entries:
* SECURITY UPDATE: slowloris DoS in mod_http2
- debian/patches/CVE-2018-17189.patch: change cleanup strategy for
slave connections in modules/http2/h2_conn.c.
- CVE-2018-17189
* SECURITY UPDATE: mod_session expiry time issue
- debian/patches/CVE-2018-17199.patch: always decode session attributes
early in modules/session/mod_session.c.
- CVE-2018-17199
* SECURITY UPDATE: read-after-free on a string compare in mod_http2
- debian/patches/CVE-2019-0196.patch: disentangelment of stream and
request method in modules/http2/h2_request.c.
- CVE-2019-0196
* SECURITY UPDATE: privilege escalation from modules' scripts
- debian/patches/CVE-2019-0211.patch: bind the bucket number of each
child to its slot number in include/scoreboard.h,
server/mpm/event/event.c, server/mpm/prefork/prefork.c,
server/mpm/worker/worker.c.
- CVE-2019-0211
* SECURITY UPDATE: mod_auth_digest access control bypass
- debian/patches/CVE-2019-0217.patch: fix a race condition in
modules/aaa/mod_auth_digest.c.
- CVE-2019-0217
* SECURITY UPDATE: URL normalization inconsistincy
- debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
the path in include/http_core.h, include/httpd.h, server/core.c,
server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
in server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
server/util.c.
- CVE-2019-0220
-
cafd33c...
by
Andreas Hasenack
on 2018-10-10
-
Import patches-unapplied version 2.4.29-1ubuntu4.5 to ubuntu/bionic-proposed
Imported using git-ubuntu import.
Changelog parent: 7a4ca66b9ce3095183ac8bc28c5d484434de2bf0
New changelog entries:
* d/debhelper/apache2-maintscript-helper: fix typo in apache2_switch_mpm()'s
a2query call. (LP: #1782806)
-
7a4ca66...
by
Marc Deslauriers
on 2018-10-03
-
Import patches-unapplied version 2.4.29-1ubuntu4.4 to ubuntu/bionic-security
Imported using git-ubuntu import.
Changelog parent: e726c4c3de1290561c5a3b79ddc270ba5862ebb0
New changelog entries:
* SECURITY UPDATE: DoS in HTTP/2 via NULL pointer
- debian/patches/CVE-2018-1302.patch: remove obsolete stream detach
code in modules/http2/h2_bucket_beam.c, modules/http2/h2_stream.c,
modules/http2/h2_stream.h.
- CVE-2018-1302
* SECURITY UPDATE: DoS in HTTP/2 via worker exhaustion
- debian/patches/CVE-2018-1333.patch: always wake up any conditional
waits when streams are aborted in modules/http2/h2_bucket_beam.c.
- CVE-2018-1333
* SECURITY UPDATE: DoS in HTTP/2 via large SETTINGS frames
- debian/patches/CVE-2018-11763.patch: rework connection IO event
handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
modules/http2/h2_version.h.
- CVE-2018-11763
-
e726c4c...
by
Andreas Hasenack
on 2018-06-27
-
Import patches-unapplied version 2.4.29-1ubuntu4.3 to ubuntu/bionic-proposed
Imported using git-ubuntu import.
Changelog parent: 92eb26b8a9119d35f330876fdc314690527f8964
New changelog entries:
* d/p/balance-member-long-hostname-part{1,2}.patch: Provide an RFC1035
compliant version of the hostname in the
proxy_worker_shared structure. A hostname that is too long is no longer a
fatal error. (LP: #1750356)
-
92eb26b...
by
Andreas Hasenack
on 2018-06-07
-
Import patches-unapplied version 2.4.29-1ubuntu4.2 to ubuntu/bionic-proposed
Imported using git-ubuntu import.
Changelog parent: 6c8f20d9ae1e908fc845bee1b80669f70153f127
New changelog entries:
* debian/patches/includeoptional-ignore-non-existent.patch: silently
ignore a not existent file path with IncludeOptional . Closes LP:
#1766186.
-
6c8f20d...
by
Marc Deslauriers
on 2018-04-25
-
Import patches-unapplied version 2.4.29-1ubuntu4.1 to ubuntu/bionic-security
Imported using git-ubuntu import.
Changelog parent: cb2b84735ee83e83e8d277ce4a346fff956f7fd4
New changelog entries:
* SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
- debian/patches/CVE-2017-15710.patch: fix language long names
detection as short name in modules/aaa/mod_authnz_ldap.c.
- CVE-2017-15710
* SECURITY UPDATE: incorrect <FilesMatch> matching
- debian/patches/CVE-2017-15715.patch: allow to configure
global/default options for regexes, like caseless matching or
extended format in include/ap_regex.h, server/core.c,
server/util_pcre.c.
- CVE-2017-15715
* SECURITY UPDATE: mod_session header manipulation
- debian/patches/CVE-2018-1283.patch: strip Session header when
SessionEnv is on in modules/session/mod_session.c.
- CVE-2018-1283
* SECURITY UPDATE: DoS via specially-crafted request
- debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
terminated on any error, not only on buffer full in
server/protocol.c.
- CVE-2018-1301
* SECURITY UPDATE: mod_cache_socache DoS
- debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
to carriage return in modules/cache/mod_cache_socache.c.
- CVE-2018-1303
* SECURITY UPDATE: insecure nonce generation
- debian/patches/CVE-2018-1312.patch: actually use the secret when
generating nonces in modules/aaa/mod_auth_digest.c.
- CVE-2018-1312
-
cb2b847...
by
Rafael David Tinoco
on 2018-03-02
-
Import patches-unapplied version 2.4.29-1ubuntu4 to ubuntu/bionic-proposed
Imported using git-ubuntu import.
Changelog parent: 37630b8cc1dfd80c1b632f3e56c6a507e68d17be
New changelog entries:
* Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
- added debian/patches/util_ldap_cache_lock_fix.patch
-
37630b8...
by
Dimitri John Ledkov
on 2018-02-06
-
Import patches-unapplied version 2.4.29-1ubuntu3 to ubuntu/bionic-proposed
Imported using git-ubuntu import.
Changelog parent: cee1373bae8b05cf72102a280b9c3da239934f63
New changelog entries:
* Switch back to OpenSSL 1.1.
-
cee1373...
by
Christian Ehrhardt
on 2017-12-05
-
Import patches-unapplied version 2.4.29-1ubuntu2 to ubuntu/bionic-proposed
Imported using git-ubuntu import.
Changelog parent: 8eb2f0f67135d0ede19f5b3f26d85ac0a7ea9afb
New changelog entries:
* enable http2 (LP: #1687454) by stopping to disable it
- debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
- debian/config-dir/mods-available/http2.load: no more removed.
- debian/rules: no more removed proxy_http2 from configure.
* d/t/control, d/t/check-http2: add basic test for http2 support
-
8eb2f0f...
by
Marc Deslauriers
on 2017-11-10
-
Import patches-unapplied version 2.4.29-1ubuntu1 to ubuntu/bionic-proposed
Imported using git-ubuntu import.
Changelog parent: e71b57f8076ca227cd6c0a452857cb81a4bad93d
New changelog entries:
* Merge with Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- Correct systemd-sysv-generator behavior by customizing some
parameters:
+ d/apache2-systemd.conf: add a drop-in file to specify some
parameters for the systemd unit (type=Forking and
RemainsAfterExit=no), this allow a correct state synchronisation
between systemctl status and actual state of apache2 daemon.
+ d/apache2.install: place the apache2-systemd.conf file in the
correct location.
- Don't build http2 module (nghttp2 still not in main) (LP 1687454)
+ debian/control: removed libnghttp2-dev Build-Depends (in universe).
+ debian/config-dir/mods-available/http2.load: removed.
+ debian/rules: removed proxy_http2 from configure.
* Switch back to OpenSSL 1.0 as we don't yet have 1.1:
- debian/control: switch BuildDepends to libssl1.0-dev
- debian/control: remove Breaks on gridsite and libapache2-mod-dacs
- debian/rules: remove openssl virtual package and logic
