6afa380... by Andreas Hasenack on 2019-07-16
Import patches-unapplied version 2.4.34-1ubuntu2.3 to ubuntu/cosmic-proposed
Imported using git-ubuntu import.
Changelog parent: 628cf297002077e42ee70d2240dded26209c294d
New changelog entries:
* d/p/ssl-read-rc-value-openssl-1.1.1.patch: Handle SSL_read() return code 0
similarly to <0 with openssl 1.1.1
* d/p/clear-retry-flags-before-abort.patch: clear retry flags before
aborting on client-initiated reneg (LP: #1836329)
628cf29... by Andreas Hasenack on 2019-06-28
Import patches-unapplied version 2.4.34-1ubuntu2.2 to ubuntu/cosmic-proposed
Imported using git-ubuntu import.
Changelog parent: f5c83c8c9ea5c79365025eb930c52bcd7fffc6fd
New changelog entries:
* d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
authentication when built with openssl 1.1.1 (LP: #1833039)
f5c83c8... by Marc Deslauriers on 2019-04-03
Import patches-unapplied version 2.4.34-1ubuntu2.1 to ubuntu/cosmic-security
Imported using git-ubuntu import.
Changelog parent: c01ee5a6ff12c19ca89f37cf3f112ad04e0d951b
New changelog entries:
* SECURITY UPDATE: slowloris DoS in mod_http2
- debian/patches/CVE-2018-17189.patch: change cleanup strategy for
slave connections in modules/http2/h2_conn.c.
- CVE-2018-17189
* SECURITY UPDATE: mod_session expiry time issue
- debian/patches/CVE-2018-17199.patch: always decode session attributes
early in modules/session/mod_session.c.
- CVE-2018-17199
* SECURITY UPDATE: read-after-free on a string compare in mod_http2
- debian/patches/CVE-2019-0196.patch: disentanglement of stream and
request method in modules/http2/h2_request.c.
- CVE-2019-0196
* SECURITY UPDATE: privilege escalation from modules' scripts
- debian/patches/CVE-2019-0211.patch: bind the bucket number of each
child to its slot number in include/scoreboard.h,
server/mpm/event/event.c, server/mpm/prefork/prefork.c,
server/mpm/worker/worker.c.
- CVE-2019-0211
* SECURITY UPDATE: mod_auth_digest access control bypass
- debian/patches/CVE-2019-0217.patch: fix a race condition in
modules/aaa/mod_auth_digest.c.
- CVE-2019-0217
* SECURITY UPDATE: URL normalization inconsistency
- debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
the path in include/http_core.h, include/httpd.h, server/core.c,
server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
in server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
server/util.c.
- CVE-2019-0220
c01ee5a... by Marc Deslauriers on 2018-10-03
Import patches-unapplied version 2.4.34-1ubuntu2 to ubuntu/cosmic-proposed
Imported using git-ubuntu import.
Changelog parent: 54cf94ea486abd9b821825e9707ccbab064f95a2
New changelog entries:
* SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
- debian/patches/CVE-2018-11763.patch: rework connection IO event
handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
modules/http2/h2_version.h.
- CVE-2018-11763
54cf94e... by Andreas Hasenack on 2018-08-03
Import patches-unapplied version 2.4.34-1ubuntu1 to ubuntu/cosmic-proposed
Imported using git-ubuntu import.
Changelog parent: ef5d2450201d96722e86ff11a816bf14e3b9cfca
New changelog entries:
* Merge with Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- d/t/control, d/t/check-http2: add basic test for http2 support
- d/control, d/rules, d/config-dir/mods-available/md.load: don't build
libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
cannot be coinstalled with libcurl3. That situation breaks the
installation of libapache2-mod-shib2. See
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
for details.
ef5d245... by Stefan Fritsch on 2018-07-27
Import patches-unapplied version 2.4.34-1 to debian/sid
Imported using git-ubuntu import.
Changelog parent: f9135dfca55cef91c3af3074fc3ba3826d3f95d8
New changelog entries:
[ Ondřej Surý ]
* New upstream version 2.4.34
Security fixes:
- CVE-2018-1333: Denial of service in mod_http2. Closes: #904106
- CVE-2018-8011: Denial of service in mod_md. Closes: #904107
* Refresh patches for Apache2 2.4.34 release
* Update the suexec-custom.patch for 2.4.34 release
[ Stefan Fritsch ]
* Remove load order dependency introduced in mod_lbmethod_* in 2.4.34
* Remove debian/gbp.conf. Closes: #904641
* Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
Closes: #904150
f9135df... by Stefan Fritsch on 2018-05-05
Import patches-unapplied version 2.4.33-3 to debian/sid
Imported using git-ubuntu import.
Changelog parent: b13a69a4c7ec1ab4ee90a70d5dff9e013a2d26d0
New changelog entries:
* Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
Closes: #894785
* mod_http2: Avoid high memory usage with large files, causing crashes on
32bit archs. Closes: #897218
* Migrate from alioth to salsa.
b13a69a... by Stefan Fritsch on 2018-04-22
Import patches-unapplied version 2.4.33-2 to debian/sid
Imported using git-ubuntu import.
Changelog parent: 3e69ee740b7685d9d4399b12bf8aa5f4b7e23e36
New changelog entries:
* Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi
and libapache2-mod-md.
Closes: #894760, #894761, #894785
3e69ee7... by Stefan Fritsch on 2018-03-30
Import patches-unapplied version 2.4.33-1 to debian/sid
Imported using git-ubuntu import.
Changelog parent: 4d9e478148bbfba2ec7ea63e425f3425c76e6b42
New changelog entries:
* New upstream version.
Security fixes:
- CVE-2017-15710
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
- CVE-2018-1283
mod_session: CGI-like applications that intend to read from mod_session's
'SessionEnv ON' could be fooled into reading user-supplied data instead.
- CVE-2018-1303
mod_cache_socache: Fix request headers parsing to avoid a possible crash
with specially crafted input data.
- CVE-2018-1301
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel.
- CVE-2017-15715
core: Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'.
- CVE-2018-1312
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
may cause problems if used with round robin load balancers. PR 54637
- CVE-2018-1302
mod_http2: Potential crash w/ mod_http2.
- mod_proxy_uwsgi: New UWSGI proxy submodule.
- mod_md: New experimental module for managing domains across virtual
hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
renew certificates.
- core: silently ignore a not existent file path when IncludeOptional
is used. Closes: #878920
- mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980
* Fix lintian warnings:
- Include SupportApache-small.png in apache2-doc package instead of
linking to apache.org, to avoid privacy issues.
- Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
- Remove deprecated use of autotools_dev with dh.
- Add some overrides
* Bump standards-version to 4.1.2 (no changes)
4d9e478... by Ondřej Surý on 2018-01-14
Import patches-unapplied version 2.4.29-2 to debian/sid
Imported using git-ubuntu import.
Changelog parent: e71b57f8076ca227cd6c0a452857cb81a4bad93d
New changelog entries:
* Add myself to Uploaders
* Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
* Run wrap-and-sort -a to canonicalize the debian/ directory
* Add Build-Depends on libbrotli-dev and enable brotli module