Last commit made on 2019-10-08
Get this branch:
git clone -b ubuntu/xenial-updates https://git.launchpad.net/ubuntu/+source/apache2
Members of Ubuntu Server Dev import team can upload to this branch.

Recent commits

ca65472... by Jesse Williamson on 2019-10-08

Import patches-unapplied version 2.4.18-2ubuntu3.14 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 77680cde0c65256b267966a5f34bff41578644a7

New changelog entries:
  * Backport mod_reqtimeout with handshake support (LP: #1846138)
    - d/p/0001-mod-reqtimeout-revent-long-response-times.patch
    - d/p/0002-mod_reqtimeout-fix-body-timeout-disabling-for-CONNECT-request.patch
    - d/p/0003-mod_reqtimeout-Merge-r1853901-r1853906-r1853908-r1853929-r1853935-r.patch

77680cd... by Steve Beattie on 2019-09-16

Import patches-unapplied version 2.4.18-2ubuntu3.13 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 9753035d2b58c6df6e643f1c86517ba839118265

New changelog entries:
  * SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

9753035... by Steve Beattie on 2019-08-26

Import patches-unapplied version 2.4.18-2ubuntu3.12 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 718e5625748d3e7515c8ebd6ed821eebec5e2e9e

New changelog entries:
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
    - CVE-2019-10092
  * SECURITY UPDATE: mod_rewrite potential open redirect.
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098

718e562... by Marc Deslauriers on 2019-04-03

Import patches-unapplied version 2.4.18-2ubuntu3.10 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: d7a2c9922f3a2122925aa4b3b2aa3b47a52eb920

New changelog entries:
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistency
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
    - CVE-2019-0220

d7a2c99... by Andreas Hasenack on 2018-06-07

Import patches-unapplied version 2.4.18-2ubuntu3.9 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 70003688226c7b2b0040a7bb651616a86e4f1b50

New changelog entries:
  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a not existent file path with IncludeOptional . Closes LP:

7000368... by Marc Deslauriers on 2018-04-18

Import patches-unapplied version 2.4.18-2ubuntu3.8 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: ad98b12e5bbe8e87b62464dc6422eb7b01ace3a5

New changelog entries:
  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: incorrect <FilesMatch> matching
    - debian/patches/CVE-2017-15715-pre.patch: add ap_cstr_casecmp[n]() to
      include/httpd.h, server/util.c.
    - debian/patches/CVE-2017-15715.patch: allow to configure
      global/default options for regexes, like caseless matching or
      extended format in include/ap_regex.h, server/core.c,
    - CVE-2017-15715
  * SECURITY UPDATE: mod_session header manipulation
    - debian/patches/CVE-2018-1283.patch: strip Session header when
      SessionEnv is on in modules/session/mod_session.c.
    - CVE-2018-1283
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
    - CVE-2018-1301
  * SECURITY UPDATE: mod_cache_socache DoS
    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
      to carriage return in modules/cache/mod_cache_socache.c.
    - CVE-2018-1303
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

ad98b12... by Rafael David Tinoco on 2018-03-01

Import patches-unapplied version 2.4.18-2ubuntu3.7 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 1b78f08b4e9adf6bec26ed6ae6ed85a0fc1c5ebd

New changelog entries:
  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

1b78f08... by Marc Deslauriers on 2017-09-18

Import patches-unapplied version 2.4.18-2ubuntu3.5 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 910037212e26d3d24ffd68cf603774b05846e16b

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

9100372... by Marc Deslauriers on 2017-07-27

Import patches-unapplied version 2.4.18-2ubuntu3.4 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: fa59408214f5788af92a23d2dd17ac03559b4cba

New changelog entries:
  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in
    - CVE-2017-9788

fa59408... by Marc Deslauriers on 2017-06-26

Import patches-unapplied version 2.4.18-2ubuntu3.3 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 674de8a5e180015cc60cb09267fcf60f72c5745c

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
    - CVE-2017-7679