ubuntu/+source/apache2:ubuntu/xenial-security

Last commit made on 2017-09-19
Get this branch:
git clone -b ubuntu/xenial-security https://git.launchpad.net/ubuntu/+source/apache2

Branch information

Name:
ubuntu/xenial-security
Repository:
lp:ubuntu/+source/apache2

Recent commits

1b78f08... by Marc Deslauriers on 2017-09-18

Import patches-unapplied version 2.4.18-2ubuntu3.5 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 910037212e26d3d24ffd68cf603774b05846e16b

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

9100372... by Marc Deslauriers on 2017-07-27

Import patches-unapplied version 2.4.18-2ubuntu3.4 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: fa59408214f5788af92a23d2dd17ac03559b4cba

New changelog entries:
  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in
      modules/aaa/mod_auth_digest.c.
    - CVE-2017-9788

fa59408... by Marc Deslauriers on 2017-06-26

Import patches-unapplied version 2.4.18-2ubuntu3.3 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 674de8a5e180015cc60cb09267fcf60f72c5745c

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

674de8a... by Marc Deslauriers on 2017-05-05

Import patches-unapplied version 2.4.18-2ubuntu3.2 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 79adcb376bae737ff27723285aba2b5d8f338b53

New changelog entries:
  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session
      data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in
      modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via
    incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in
      include/http_core.h, include/http_protocol.h, include/httpd.h,
      modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
      server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname
      restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
    may introduce compatibility issues with clients that do not strictly
    follow specifications. A new configuration directive,
    "HttpProtocolOptions Unsafe" can be used to re-enable some of the less
    strict parsing restrictions, at the expense of security.

79adcb3... by Marc Deslauriers on 2016-07-14

Import patches-unapplied version 2.4.18-2ubuntu3.1 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: e16db65293a582fc13e9b00194ba3287590f5fb6

New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

e16db65... by Robie Basak on 2016-04-15

Import patches-unapplied version 2.4.18-2ubuntu3 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: cd6688141c7aecd46fd9dece4683e114cc605535

New changelog entries:
  [ Ryan Harper ]
  * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
    introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
    all, since http2 support is intentionally disabled (see LP 1531864).
  * d/apache2.maintscript: handle removal of http2.load conffile.
  [ Robie Basak ]
  * Re-write Ryan's changelog entry.

cd66881... by Kick In on 2016-04-08

Import patches-unapplied version 2.4.18-2ubuntu2 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 00d5abc3c62fc321395832bde92c84c9ef93096f

New changelog entries:
  * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
    - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
      unit (type=Forking and RemainsAfterExit=no), this allows a correct state synchronisation
      between systemctl status and actual state of apache2 daemon.
    - d/apache2.install: place the apache2-systemd.conf file in the correct location.

00d5abc... by Timo Aaltonen on 2016-04-05

Import patches-unapplied version 2.4.18-2ubuntu1 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: ba43d54ccae34996fb3a6b1c1f405d9d2df625e2

New changelog entries:
  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.

ba43d54... by Stefan Fritsch on 2016-03-28

Import patches-unapplied version 2.4.18-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 52a93b96c8e04498475ce378d9a138e3d5f81651

New changelog entries:
  * htcacheclean:
    - split starting/stopping into separate init script 'apache-htcacheclean'
    - move config from /etc/default/apache2 to /etc/default/apache-htcacheclean
    - make a2enmod/a2dismod enable/disable htcacheclean with mod_cache_disk
    - start htcacheclean as the apache2 run user/group
  * Fix a2query -M not returning output if apache2 config is broken.
    Fix missing quotes in apache2-maintscript-helper. Closes: #810500
  * README.backtrace: Note that coredump directory needs to be owned by
    www-data. Closes: #806697
  * Remove ssl work-arounds for MSIE. Newer versions of IE work without them
    and older versions are no longer supported by MS. Closes: #815852
  * Give a hint about systemd in README.multiple-instances. Closes: #818904
  * Don't treat mod_access_compat as essential. It's essentially broken,
    anyway.
  * Merge cross-compile tweaks for debian/rules from ubuntu.
  * Merge autopkgtests from Ubuntu. Many thanks to Robie Basak.
    Closes: #719245
  * Fix duplicate-module-load test and make sure it fails if it cannot execute
    apache2ctl.
  * Bump Standards-Version (no changes necessary).

52a93b9... by Stefan Fritsch on 2015-12-19

Import patches-unapplied version 2.4.18-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: da78123d9ddb3a245eed7a8db74e3a73c955aa91

New changelog entries:
  * New upstream release:
    - mostly HTTP/2 improvements