2c3db4e... by Marc Deslauriers on 2017-06-26
Import patches-unapplied version 2.4.18-2ubuntu4.2 to ubuntu/yakkety-security
Imported using git-ubuntu import.
Changelog parent: 0f872b4a1d471912b5ed65424bd22f3e11b801d7
New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h, server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in modules/http/mod_mime.c.
    - CVE-2017-7679
0f872b4... by Marc Deslauriers on 2017-05-05
Import patches-unapplied version 2.4.18-2ubuntu4.1 to ubuntu/yakkety-security
Imported using git-ubuntu import.
Changelog parent: a472bec867fedc2df4ec2cebf2e9562d45a4af9c
New changelog entries:
  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via incomplete RFC7230 HTTP request grammar enforcement
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in include/http_core.h, include/http_protocol.h, include/httpd.h, modules/http/http_filters.c, server/core.c, server/gen_test_char.c, server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and may introduce compatibility issues with clients that do not strictly follow specifications. A new configuration directive, "HttpProtocolOptions Unsafe", can be used to re-enable some of the less strict parsing restrictions, at the expense of security.
a472bec... by Marc Deslauriers on 2016-07-18
Import patches-unapplied version 2.4.18-2ubuntu4 to ubuntu/yakkety-proposed
Imported using git-ubuntu import.
Changelog parent: e16db65293a582fc13e9b00194ba3287590f5fb6
New changelog entries:
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in server/util_script.c.
    - CVE-2016-5387
e16db65... by Robie Basak on 2016-04-15
Import patches-unapplied version 2.4.18-2ubuntu3 to ubuntu/xenial-proposed
Imported using git-ubuntu import.
Changelog parent: cd6688141c7aecd46fd9dece4683e114cc605535
New changelog entries:
  [ Ryan Harper ]
  * Drop /etc/apache2/mods-available/http2.load. This was inadvertently introduced in 2.4.18-2ubuntu1. The intention is to not carry this at all, since http2 support is intentionally disabled (see LP 1531864).
  * d/apache2.maintscript: handle removal of http2.load conffile.
  [ Robie Basak ]
  * Re-write Ryan's changelog entry.
cd66881... by Kick In on 2016-04-08
Import patches-unapplied version 2.4.18-2ubuntu2 to ubuntu/xenial-proposed
Imported using git-ubuntu import.
Changelog parent: 00d5abc3c62fc321395832bde92c84c9ef93096f
New changelog entries:
  * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
    - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd unit (type=Forking and RemainsAfterExit=no); this allows correct state synchronisation between systemctl status and the actual state of the apache2 daemon.
    - d/apache2.install: place the apache2-systemd.conf file in the correct location.
00d5abc... by Timo Aaltonen on 2016-04-05
Import patches-unapplied version 2.4.18-2ubuntu1 to ubuntu/xenial-proposed
Imported using git-ubuntu import.
Changelog parent: ba43d54ccae34996fb3a6b1c1f405d9d2df625e2
New changelog entries:
  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
ba43d54... by Stefan Fritsch on 2016-03-28
Import patches-unapplied version 2.4.18-2 to debian/sid
Imported using git-ubuntu import.
Changelog parent: 52a93b96c8e04498475ce378d9a138e3d5f81651
New changelog entries:
  * htcacheclean:
    - split starting/stopping into separate init script 'apache-htcacheclean'
    - move config from /etc/default/apache2 to /etc/default/apache-htcacheclean
    - make a2enmod/a2dismod enable/disable htcacheclean with mod_cache_disk
    - start htcacheclean as the apache2 run user/group
  * Fix a2query -M not returning output if apache2 config is broken. Fix missing quotes in apache2-maintscript-helper. Closes: #810500
  * README.backtrace: Note that coredump directory needs to be owned by www-data. Closes: #806697
  * Remove ssl work-arounds for MSIE. Newer versions of IE work without them and older versions are no longer supported by MS. Closes: #815852
  * Give a hint about systemd in README.multiple-instances. Closes: #818904
  * Don't treat mod_access_compat as essential. It's essentially broken, anyway.
  * Merge cross-compile tweaks for debian/rules from ubuntu.
  * Merge autopkgtests from Ubuntu. Many thanks to Robie Basak. Closes: #719245
  * Fix duplicate-module-load test and make sure it fails if it cannot execute apache2ctl.
  * Bump Standards-Version (no changes necessary).
52a93b9... by Stefan Fritsch on 2015-12-19
Import patches-unapplied version 2.4.18-1 to debian/sid
Imported using git-ubuntu import.
Changelog parent: da78123d9ddb3a245eed7a8db74e3a73c955aa91
New changelog entries:
  * New upstream release:
    - mostly HTTP/2 improvements
da78123... by Stefan Fritsch on 2015-11-23
Import patches-unapplied version 2.4.17-3 to debian/sid
Imported using git-ubuntu import.
Changelog parent: 6b158cad3add79cfeaf3ca257925cfe52b25d917
New changelog entries:
  * mpm_prefork: Fix segfault if started with -X. Closes: #805737
6b158ca... by Stefan Fritsch on 2015-10-31
Import patches-unapplied version 2.4.17-2 to debian/sid
Imported using git-ubuntu import.
Changelog parent: d1c28cedba97a32c273689e08ab5ac57fb1ea2a6
New changelog entries:
  * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke lots of web-apps. Closes: #803353
  * Fix secondary-init-script to not source the main init script with 'set -e'. Closes: #803177
  * mod_http2: Write HTTP/2 into THE_REQUEST and the access log.