Ubuntu
apache2 package

ubuntu/+source/apache2:ubuntu/trusty-proposed

  1. Git
  2. lp:ubuntu/+source/apache2
  3. ubuntu/trusty-proposed
Last commit made on 2018-11-28
Get this branch:
git clone -b ubuntu/trusty-proposed https://git.launchpad.net/ubuntu/+source/apache2
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/trusty-proposed
Repository:
lp:ubuntu/+source/apache2

Recent commits

0b650c8... by Andreas Hasenack on 2018-11-23

Import patches-unapplied version 2.4.7-1ubuntu4.21 to ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: b6bc6bdec9edcafb645ba0012ba945909c0a4445

New changelog entries:
  * d/p/AuthzProviderAlias-visibility.patch: Allow <AuthzProviderAlias>'es
    to be seen from auth stanzas under virtual hosts (LP: #1529355)

b6bc6bd... by Marc Deslauriers on 2018-04-18

Import patches-unapplied version 2.4.7-1ubuntu4.20 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: d9db5529d303ec4e7cc77ba09f647d9f75f00929

New changelog entries:
  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: incorrect <FilesMatch> matching
    - debian/patches/CVE-2017-15715-pre.patch: add ap_cstr_casecmp[n]() to
      include/httpd.h, server/util.c.
    - debian/patches/CVE-2017-15715.patch: allow to configure
      global/default options for regexes, like caseless matching or
      extended format in include/ap_regex.h, server/core.c,
      server/util_pcre.c.
    - CVE-2017-15715
  * SECURITY UPDATE: mod_session header manipulation
    - debian/patches/CVE-2018-1283.patch: strip Session header when
      SessionEnv is on in modules/session/mod_session.c.
    - CVE-2018-1283
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: mod_cache_socache DoS
    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
      to carriage return in modules/cache/mod_cache_socache.c.
    - CVE-2018-1303
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

d9db552... by Rafael David Tinoco on 2018-03-02

Import patches-unapplied version 2.4.7-1ubuntu4.19 to ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: 4ce8f475fe1a7c4af97f6dc09ecf28efdee0d12b

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

4ce8f47... by Marc Deslauriers on 2017-09-18

Import patches-unapplied version 2.4.7-1ubuntu4.18 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 181b6d05779ecf34634cb44f74771a9f25cc5387

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

181b6d0... by Marc Deslauriers on 2017-07-27

Import patches-unapplied version 2.4.7-1ubuntu4.17 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 85378f36afd9fb3303888d983153f29b342d26ee

New changelog entries:
  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in
      modules/aaa/mod_auth_digest.c.
    - CVE-2017-9788

85378f3... by Marc Deslauriers on 2017-06-26

Import patches-unapplied version 2.4.7-1ubuntu4.16 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 14a42d6bee0f8d416de61b834f193934893c6b58

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

14a42d6... by Marc Deslauriers on 2017-05-05

Import patches-unapplied version 2.4.7-1ubuntu4.15 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 5e537cd787b3a5bd8ac3c08836b3d4a2ecf30b47

New changelog entries:
  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session
      data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in
      modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via
    incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enfore stricter parsing in
      include/http_core.h, include/http_protocol.h, include/httpd.h,
      modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
      server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname
      restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
    may introduce compatibility issues with clients that do not strictly
    follow specifications. A new configuration directive,
    "HttpProtocolOptions Unsafe" can be used to re-enable some of the less
    strict parsing restrictions, at the expense of security.

5e537cd... by Marc Deslauriers on 2016-07-14

Import patches-unapplied version 2.4.7-1ubuntu4.13 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: fe526ba278235a37d3b808793acf0da3ecaa76e5

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

fe526ba... by Christian Ehrhardt  on 2016-06-07

Import patches-unapplied version 2.4.7-1ubuntu4.11 to ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: 604ac30cde956f740ae42a005fdc08283b1c06bb

New changelog entries:
  * Fix hang until proxy timeout for Proxy responses with error status and
    "ProxyErrorOverride On" being set (LP: #1495988).

604ac30... by Louis Bouchard on 2016-04-20

Import patches-unapplied version 2.4.7-1ubuntu4.10 to ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: 7d9ca92cae55b0bdd87b7fd64ded8f17e77e84ab

New changelog entries:
  * Add apache2 specific modification needed along with fix to
    libapache2-mpm-itk so it becomes installable again (LP: #1286882):
    - Removes warning on mpm_itk use
    - Removes conflicts on mpm_itk