ubuntu/+source/apache2:ubuntu/disco-devel

Last commit made on 2019-09-17
Get this branch:
git clone -b ubuntu/disco-devel https://git.launchpad.net/ubuntu/+source/apache2
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/disco-devel
Repository:
lp:ubuntu/+source/apache2

Recent commits

97b8bac... by Steve Beattie on 2019-09-16

Import patches-unapplied version 2.4.38-2ubuntu2.3 to ubuntu/disco-security

Imported using git-ubuntu import.

Changelog parent: 327c9ae8953815325ec0f428ce5c36801c16a0f2

New changelog entries:
  * SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

327c9ae... by Steve Beattie on 2019-08-26

Import patches-unapplied version 2.4.38-2ubuntu2.2 to ubuntu/disco-security

Imported using git-ubuntu import.

Changelog parent: 966926b3120edbcedd8c5dc2fe9920ebaf6cae97

New changelog entries:
  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0001-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: mod_remoteip: Stack buffer overflow and NULL
    pointer dereference.
    - d/p/CVE-2019-10097.patch: add better sanity checks.
    - CVE-2019-10097
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092-1
  * SECURITY UPDATE: mod_rewrite potential open redirect
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches

966926b... by Marc Deslauriers on 2019-04-03

Import patches-unapplied version 2.4.38-2ubuntu2 to ubuntu/disco-proposed

Imported using git-ubuntu import.

Changelog parent: 065c91fc0057a94d466f1f3589984b27fcfbf53c

New changelog entries:
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

065c91f... by Andreas Hasenack on 2019-02-03

Import patches-unapplied version 2.4.38-2ubuntu1 to ubuntu/disco-proposed

Imported using git-ubuntu import.

Changelog parent: 847b2dd6c945b42d4b49bbc8fbb24a7dd4fc4897

New changelog entries:
  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
   - debian/patches/086_svn_cross_compiles: Backport several cross
     fixes from upstream
     [Removed configure chunk, not needed since configure.in is being
      patched.]
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
  * Dropped:
    - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
      libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
      cannot be coinstalled with libcurl3. That situation breaks the
      installation of libapache2-mod-shib2. See
      https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
      for details.
      [This has been resolved in Disco, where libxmltooling8 is built with
      openssl 1.1]
    - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
      + debian/patches/CVE-2018-11763.patch: rework connection IO event
        handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
        modules/http2/h2_version.h.
        - CVE-2018-11763
        [Fixed in 2.4.35]

847b2dd... by Xavier Guimard <email address hidden> on 2019-01-31

Import patches-unapplied version 2.4.38-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 9da9dfa1e43b5d69d2783d1a3e1a5b6dcde606c1

New changelog entries:
  * Disable "reset" test in allowmethods.t (Closes: #921024)

9da9dfa... by Xavier Guimard <email address hidden> on 2019-01-29

Import patches-unapplied version 2.4.38-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 7387d718ca26d92498f9ed1584fea8cbcb4f704e

New changelog entries:
  [ Jelmer Vernooij ]
  * Reverted for now: Transition to automatic debug package (from: apache2-dbg)
  * Trim trailing whitespace
  * Use secure copyright file specification URI
  [ Niels Thykier ]
  * Add Rules-Requires-Root: binary-targets
  [ Xavier Guimard ]
  * Convert signing-key.pgp into signing-key.asc
  * Add http2.conf (Closes: #880993)
  * Remove unnecessary greater-than versioned dependency to dpkg-dev,
    libbrotli-dev and libapache2-mod-md
  * Declare compliance with policy 4.2.1
  * Add spelling errors patch (reported)
  * Fix some spelling errors in debian files
  * Add myself to uploaders
  * Refresh patches
  * Bump debhelper compatibility level to 10
  * debian/rules:
    - Remove unnecessary dh argument --parallel
    - use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog
  * Add upstream/metadata
  * Replace MIT by Expat in debian/copyright
  * debian/watch: use https url
  * Add documentation links in systemd service files
  * Team upload
  [ Cyrille Bollu ]
  * Put HTTP2 configuration within <IfModule !mpm_prefork></IfModule> tags as
    it gets automatically de-activated upon apache 'startup when using
    mpm_prefork.
  * Updated http2.conf to inform user that they may want to change their
    LogFormat directives.
  [ Xavier Guimard ]
  * New upstream version 2.4.38 (Closes: #920220, #920302, #920303)
  * Refresh patches
  * Remove setenvifexpr.diff patch now included in upstream
  * Replace libapache2-mod-proxy-uwsgi.{post*,prerm} by a maintscript
  * Add a "sleep" in debian/tests/htcacheclean and skip result if "stop" failed
  * Declare compliance with policy 4.3.0
  * Fix homepage to https
  * Update debian/copyright

7387d71... by Stefan Fritsch on 2018-11-03

Import patches-unapplied version 2.4.37-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: bf7f8f045ccf34c2c08f02ecdd0f46ef7a97ee46

New changelog entries:
  * New upstream version
    - mod_ssl: Add support for TLSv1.3
  * Add docs symlink for libapache2-mod-proxy-uwsgi. Closes: #910218
  * Update test-framework to r1845652
  * Fix test suite to actually run by creating a test user. It turns out
    the test suite refuses to run as root but returns true even in that
    case. It seems this has been broken since 2.4.27-4, where the test suite
    had been updated and the debci test duration dropped from 15min to
    3min. Also, don't rely on the exit status anymore but parse the test
    output.
  * Backport a fix from trunk for SetEnvIfExpr. This fixes a test failure.

bf7f8f0... by Stefan Fritsch on 2018-10-07

Import patches-unapplied version 2.4.35-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ef5d2450201d96722e86ff11a816bf14e3b9cfca

New changelog entries:
  * New upstream version 2.4.35
    Security fix:
    - CVE-2018-11763: DoS for HTTP/2 connections by continuous SETTINGS
      Closes: #909591
  * Fix lintian warning: Don't force xz in builddeb override.

ef5d245... by Stefan Fritsch on 2018-07-27

Import patches-unapplied version 2.4.34-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f9135dfca55cef91c3af3074fc3ba3826d3f95d8

New changelog entries:
  [ Ondřej Surý ]
  * New upstream version 2.4.34
    Security fixes:
    - CVE-2018-1333: Denial of service in mod_http2. Closes: #904106
    - CVE-2018-8011: Denial of service in mod_md. Closes: #904107
  * Refresh patches for Apache2 2.4.34 release
  * Update the suexec-custom.patch for 2.4.34 release
  [ Stefan Fritsch ]
  * Remove load order dependency introduced in mod_lbmethod_* in 2.4.34
  * Remove debian/gbp.conf. Closes: #904641
  * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
    Closes: #904150

f9135df... by Stefan Fritsch on 2018-05-05

Import patches-unapplied version 2.4.33-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b13a69a4c7ec1ab4ee90a70d5dff9e013a2d26d0

New changelog entries:
  * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
    Closes: #894785
  * mod_http2: Avoid high memory usage with large files, causing crashes on
    32bit archs. Closes: #897218
  * Migrate from alioth to salsa.