Last commit made on 2015-03-09
git clone -b ubuntu/vivid https://git.launchpad.net/ubuntu/+source/apache2
c0aaa22... by Martin Pitt on 2015-03-09

Import patches-unapplied version 2.4.10-9ubuntu1 to ubuntu/vivid-proposed

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/control, d/config-dir/mods-available/ssl.conf,
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - d/p/split-logfile.patch: fix completely broken split-logfile
    - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
      denial of service in mod_lua via websockets PING
  * debian/tests/ssl-passphrase: Add password responder for

17c775a... by Stefan Fritsch on 2014-12-22

Import patches-unapplied version 2.4.10-9 to debian/sid

  * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
    LuaAuthzProvider is used in multiple Require directives with different
  * Include ask-for-passphrase script from Ubuntu with some tweaks. This
    fixes asking for certificate passphrases if started via systemd.
    Closes: #773405
  * Fix init script to not wait 20s if passphrase was wrong.
  * Also bump debhelper build-depends to get dh_installdeb with support for
    symlink_to_dir. Closes: #770421

fd7676d... by Stefan Fritsch on 2014-11-18

Import patches-unapplied version 2.4.10-8 to debian/sid

  * Bump dpkg Pre-Depends to version that supports relative symlinks in
    dpkg-maintscript-helper's symlink_to_dir. Closes: #769821
  * mod_proxy_fcgi: Fix potential denial of service by malicious fcgi
    script. (CVE-2014-3583). Fix similar bug in mod_authnz_fcgi even
    though it does not seem to be exploitable.
  * mpm_event: Fix use-after-free that may lead to a server crash.
  * mod_ssl: Fix memory leak on graceful restart. Closes: #754492
  * mod_ssl: Avoid crashes during startup or graceful restart due to
    openssl using a callback to invalid memory. LP: #1366174

4169270... by Stefan Fritsch on 2014-11-09

Import patches-unapplied version 2.4.10-7 to debian/sid

  * Handle transitions of doc dirs and symlinks correctly during upgrade.
    Use dpkg-maintscript-helper for this and remove existing explicit logic.
    Closes: #767850
  * Remove obsolete conffiles in apache2.2-common, instead doing this only in
    apache2. This partially fixes #768815

5dfb013... by Stefan Fritsch on 2014-10-21

Import patches-unapplied version 2.4.10-6 to debian/sid

  * Disable SSLv3 in default config. Closes: #765347
  * Pull changes from upstream 2.4.x branch up to r1632831
    - Fixes an LDAP regression in 2.4.10
    - mod_cache: Avoid sending 304 responses during failed revalidations.
      PR 56881
    - mod_status: Honor client IP address using mod_remoteip. PR 55886
  * Fix typo in package description. Closes: #765500

56d2fb2... by Stefan Fritsch on 2014-10-09

Import patches-unapplied version 2.4.10-5 to debian/sid

  * Remove one forgotten instance of ident.load in the preinst.
  [ Stefan Fritsch ]
  * Make apache2 depend on apache2-utils. This got lost somewhere in the
    2.4 update.
  * Fix possible installation failure because of broken preinst script.
    Closes: #764498
  * Improve package descriptions. Closes: #763676
  [ Arno Töll ]
  * Add proper return codes to fail() conditions in a2query. Thanks to Ondřej
    Surý for providing a patch.

0b21cd8... by Stefan Fritsch on 2014-09-28

Import patches-unapplied version 2.4.10-3 to debian/sid

  * CVE-2014-3581: Fix a DoS in mod_cache.
  * If apache2 is not configured yet, defer actions executed via
    apache2-maintscript-helper. This fixes installation failures if a
    module package is configured first. Closes: #745834
  * Don't use a2query in preinst, as it may not be available yet.
    Closes: #745812
  * Include mod_authnz_fcgi. Closes: #762908
  * Add some comments about SSLHonorCipherOrder in ssl.conf. Closes: #746359
  * Remove misleading sentence in apache2-bin's description. Closes: #762645
  * Remove trailing space in apache2/suexec/www-data. Closes: #719930
  * Add NEWS entry for the logrotate change in 2.4.10-2.
  * Bump Standards-version (no changes).
  * Fix lintian warning: Tweak licence short names in copyright file.

732679a... by Stefan Fritsch on 2014-09-21

Import patches-unapplied version 2.4.10-2 to debian/sid

  * Pull changes from upstream 2.4.x branch up to r1626207
    + Security Fix for CVE-2013-5704: HTTP trailers could be used to
      replace HTTP headers late during request processing, potentially
      undoing or otherwise confusing modules that examined or modified
      request headers earlier.
      Adds "MergeTrailers" directive to restore legacy behavior.
  * Switch to apache2 providing the httpd and httpd-cgi virtual packages.
    The previously providing apache2-bin package lacks the configuration
    files. Closes: #756361
  * Keep fewer logs by default. Instead of 52 weekly logs, keep 14 daily
    logs. The daily graceful restart also has the advantage of regenerating
    things like TLS session ticket keys more often. Closes: #759382
  * Clarify description of apache2 package. Closes: #755976
  * In the maintainer script helper, print out Apache's error message if
    the config check fails.
  * Re-add mod_ident. It has still at least one user. LP: #1333388

cb4b1f1... by Stefan Fritsch on 2014-07-22

Import patches-unapplied version 2.4.10-1 to debian/sid

  [ Arno Töll ]
  * New upstream version
    + Refresh debian/patches/fhs_compliance.patch
    + Security Fixes:
      - CVE-2014-0117 mod_proxy: Fix DoS that could cause a crash
      - CVE-2014-0226 Fix a race condition resulting in a heap overflow in
        scoreboard handling
      - CVE-2014-0118 mod_deflate: The DEFLATE input filter now limits the
        length and compression ratio of inflated request to mitigate a
        possible DoS
      - CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts
    + Fixes SNI with certificate defined in global scope. (Closes: #751361)
  * Warn users if they try to disable modules that we consider essential for
    operation of the Apache web server (Closes: #709461)
  * Drop libcap from our build-dependencies. That was needed for itk which we
    gave source out to its own package again.
  * Provide apache2.2-common package to avoid upgrading problems for people
    using --purge (apt) or --purge-unused (aptitude) even though that's
    clearly discouraged. This caused disappearing of conffiles because we move
    them from apache2.2-common to apache2 during the upgrade. Ugh. This was
    not a bug in our packaging, but unfortunately people blame us
    nonetheless even though it's not all our fault. This alternative helps
    those people, but at the same time means that incompatible modules aren't
    force-removed by dpkg during the upgrade. Hopefully we catch all of them
    with the Breaks relation coming along (Closes: #716880, #752922, #711925)

eb78c26... by Stefan Fritsch on 2014-06-08

Import patches-unapplied version 2.4.9-2 to debian/sid

  * Fix logic in postinst to detect existing index.* files in both
    DocumentRoots, the old /var/www and the new /var/www/html. Also
    change the compiled in default DocumentRoot to /var/www/html.
    Closes: #743915
  * Fix buffer overflows in suexec with very long (unix) usernames. Not
    exploitable due to FORTIFY_SOURCE. And creating users usually requires
    root privileges, anyway. Thanks to Luca Bruno for the report.
  * Remove conflicts of mpm modules with mpm_itk, which isn't an mpm
    anymore. Fixes a part of: #734865. libapache2-mpm-itk needs a fix, too.
  * Remove obsolete warning in a2enmod about mpm-itk.
  * Fix lintian warning: Remove image ref to w3.org, which is a privacy