Recent commits

21979d8... by Mike Gerow on 2016-07-21

Import patches-unapplied version 2.4.10-1ubuntu1.1~ubuntu14.04.2 to ubuntu/trusty-backports

Imported using git-ubuntu import.

Changelog parent: 3921bce3edba179bfd690db4379555e796b54371

New changelog entries:
  * CVE-2016-5387 (LP: #1604209)

3921bce... by Iain Lane on 2016-05-13

Import patches-unapplied version 2.4.10-1ubuntu1.1~ubuntu14.04.1 to ubuntu/trusty-backports

Imported using git-ubuntu import.

Changelog parent: a31af92312f511c45aca68a250e49c95c15ad7e8

New changelog entries:
  * No-change backport to trusty (LP: #1335068)

a31af92... by Marc Deslauriers on 2015-03-05

Import patches-unapplied version 2.4.10-1ubuntu1.1 to ubuntu/utopic-security

Imported using git-ubuntu import.

Changelog parent: 5b08bf02d55e56ec279fa287234935a46eecfd0e

New changelog entries:
  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c.
    - CVE-2013-5704
  * SECURITY UPDATE: mod_cache denial of service via empty HTTP
    Content-Type header
    - debian/patches/CVE-2014-3581.patch: check for NULL in
    - CVE-2014-3581
  * SECURITY UPDATE: mod_proxy_fcgi denial of service via long response
    - debian/patches/CVE-2014-3583.patch: properly handle length in
      modules/aaa/mod_authnz_fcgi.c, modules/proxy/mod_proxy_fcgi.c.
    - CVE-2014-3583
  * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
    - debian/patches/CVE-2014-8109.patch: handle multiple Require
      directives with different arguments in modules/lua/mod_lua.c.
    - CVE-2014-8109
  * SECURITY UPDATE: denial of service in mod_lua via websockets PING
    - debian/patches/CVE-2015-0228.patch: fix logic in
    - CVE-2015-0228

5b08bf0... by Robie Basak on 2014-07-24

Import patches-unapplied version 2.4.10-1ubuntu1 to ubuntu/utopic-proposed

Imported using git-ubuntu import.

Changelog parent: cb4b1f159d987435b5ce0707fb56052f7dfa0cec

New changelog entries:
  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
      d/apache2.install: Plymouth aware passphrase dialog program
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
    - d/index.html: replace Debian with Ubuntu on default page.
    - d/p/split-logfile.patch: fix completely broken split-logfile command.

cb4b1f1... by Stefan Fritsch on 2014-07-22

Import patches-unapplied version 2.4.10-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: eb78c2681ce89b7341bce32b60a4bcaed53ff81d

New changelog entries:
  [ Arno Töll ]
  * New upstream version
    + Refresh debian/patches/fhs_compliance.patch
    + Security Fixes:
      - CVE-2014-0117 mod_proxy: Fix DoS that could cause a crash
      - CVE-2014-0226 Fix a race condition resulting in a heap overflow in
        scoreboard handling
      - CVE-2014-0118 mod_deflate: The DEFLATE input filter now limits the
        length and compression ratio of inflated request to mitigate a
        possible DoS
      - CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts
    + Fixes SNI with certificate defined in global scope. (Closes: #751361)
  * Warn users if they try to disable modules that we consider essential for
    operation of the Apache web server (Closes: #709461)
  * Drop libcap from our build-dependencies. That was needed for itk which we
    gave source out to its own package again.
  * Provide apache2.2-common package to avoid upgrading problems for people
    using --purge (apt) or --purge-unused (aptitude) even though that's
    clearly discouraged. This caused disappearing of conffiles because we move
    them from apache2.2-common to apache2 during the upgrade. Ugh. This was
    not a bug in our packaging, but unfortunately people blame us
    nonetheless even though it's not all our fault. This alternative helps
    those people, but at the same time means that incompatible modules aren't
    force-removed by dpkg during the upgrade. Hopefully we catch all of them
    with the Breaks relation coming along (Closes: #716880, #752922, #711925)

eb78c26... by Stefan Fritsch on 2014-06-08

Import patches-unapplied version 2.4.9-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 2f99ac29bc0ba506535fbc76b000bfe1a19a8773

New changelog entries:
  * Fix logic in postinst to detect existing index.* files in both
    DocumentRoots, the old /var/www and the new /var/www/html. Also
    change the compiled in default DocumentRoot to /var/www/html.
    Closes: #743915
  * Fix buffer overflows in suexec with very long (unix) usernames. Not
    exploitable due to FORTIFY_SOURCE. And creating users usually requires
    root privileges, anyway. Thanks to Luca Bruno for the report.
  * Remove conflicts of mpm modules with mpm_itk, which isn't an mpm
    anymore. Fixes a part of: #734865. libapache2-mpm-itk needs a fix, too.
  * Remove obsolete warning in a2enmod about mpm-itk.
  * Fix lintian warning: Remove image ref to w3.org, which is a privacy

2f99ac2... by Stefan Fritsch on 2014-03-29

Import patches-unapplied version 2.4.9-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 83b2a2992ed0775ea86b1d1a24b8bfb1951827c3

New changelog entries:
  * New upstream version.
    Security fixes:
    - CVE-2013-6438: mod_dav: Fix DoS from crafted DAV WRITE requests.
    - CVE-2014-0098: mod_log_config: Fix segfaults when logging truncated
    Notable new features:
    - Support named groups and backreferences within the LocationMatch,
      DirectoryMatch, FilesMatch and ProxyMatch directives.
    - mod_proxy: Added support for unix domain sockets as the backend server
    - mod_ssl: Add support for OpenSSL configuration commands by introducing
      the SSLOpenSSLConfCmd directive.
    - mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
      mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
      require directives.
    - mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
      and IgnoreInherit.
    - Bugfix in the build system to avoid problems with patched config.m4
      files as in LP #1251939.
  * Make default cipher list in ssl.conf more secure:
    - Remove 'MEDIUM'. This disables RC4 and SEED. Also remove '!MD5' because
      'HIGH' does not include MD5.
    - Remove the 'Speed-optimized SSL Cipher' configuration example because
      it depends on RC4, which is considered insecure.
  * Change init script short description to describe the service, not the
    script. Closes: #738315
  * Bump Standards-Version (no changes).

83b2a29... by Arno Töll on 2014-01-02

Import patches-unapplied version 2.4.7-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ca99e445a13894adc2b9a554ada724158dde5ef2

New changelog entries:
  New upstream version
  [ Stefan Fritsch ]
  * In logrotate and init script, don't hardcode path to htcacheclean.
    Instead, put sbin directories in PATH. Also fix one missed reference
    to disk_cache.load, missed in 2.4.6-3. Really closes: #718909
  * Remove possibility to override path to apache2 executable via envvars.
    This is no longer necessary with MPMs as modules.
  * Fix typo in serve-cgi-bin.conf. Closes: #723196
  * Bump Build-Depends. 2.4.7 requires apr 1.5.
  [ Arno Töll ]
  * Fix "No default site enabled after fresh install if /etc/apache2
    exists" by using a condition in preinst which actually works as expected.
    Thanks to Jean-Michel Vourgère for triaging the issue and providing a
    patch (Closes: #711493).
  * Leave a2disconf with rc=0 when purging a configuration which does not
    exist. (Closes: #718166)
  * Explicitly express the dependency for mod_access_compat depending on
    authn_core. Thanks Jean-Michel Vourgère for providing a patch (Closes:
  * Allow "apache2_invoke disconf" in postinst/preinst (Closes: #717693)
  * Rework the default index.html file. Instead of a blank, minimalistic page
    give a quick start guide, since nobody seems to read our docs. This site
    is hopefully explaining the most important questions.
  * Add a virtual provides line to the itk/worker/event/prefork transitional
    packages so that people with an unusual (unsupported) Apache setup
    can upgrade neatless in some corner cases (Closes: #728937)
  * Drop the Apache ITK patches. The Apache ITK MPM is a standalone package
    now and will be provided by libapache2-mpm-itk in future. The
    apache2-mpm-itk package depends on this package from now on. Users of itk
    are advised to consult the itk manual.
    This also resolves a build-system problem that caused mod_unixd to be
    initialized twice. (LP: #1251939)
  * Remove Steinar H. Gunderson from uploaders, he will continue to support
    itk in his own package in future. The remaining Apache team thanks Steinar
    for all the work in the past.
  * Change the Default Document root directory where files are served from
    (Closes: #730372).
  * Add GPG support to our watch file. Thanks to Daniel Kahn Gillmor
    for this suggestion and for providing a patch (Closes: #732450)
  * Refresh suexec-custom.patch.

ca99e44... by Stefan Fritsch on 2013-08-12

Import patches-unapplied version 2.4.6-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 93f4781a7b4db26030c42fe8a195315afbbacfde

New changelog entries:
  * Fix 'implicit declaration' compiler warnings.
  * Fix module dependencies in lbmethod_*.load files. Closes: #717910
    LP: #1205314
  * Mark apache2-data as Multi-Arch: foreign. Closes: #718387
  * Backport open_htaccess hook from upstream 2.4.x branch to allow
    building mpm-itk as separate package.
  * Improve comment for LogLevel in apache2.conf. Closes: #718677
  * Fix comment in ports.conf. Closes: #718650
  * Fix htcacheclean path and function name in init script. Closes: #718909
  * Enable bindnow hardening compiler option, patch by Felix Geyer.
    Closes: #714872

93f4781... by Arno Töll on 2013-07-23

Import patches-unapplied version 2.4.6-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e4cf4dc06e5736da1b50aedd1699172eb206910b

New changelog entries:
  [ Stefan Fritsch ]
  * Fix watch file
  * Don't pass --silent to libtool, allowing blhc to check the compiler
    options in the build logs.
  [ Arno Töll ]
  * Allow third party packages to use triggers if they use them in a
    maintainer script invoking apache2-maintscript-helper (Closes: #717610)