ubuntu/+source/apache2:ubuntu/zesty-devel

Last commit made on 2017-09-19
Get this branch:
git clone -b ubuntu/zesty-devel https://git.launchpad.net/ubuntu/+source/apache2
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/zesty-devel
Repository:
lp:ubuntu/+source/apache2

Recent commits

239d547... by Marc Deslauriers on 2017-09-18

Import patches-unapplied version 2.4.25-3ubuntu2.3 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 8840cd42bf40a2c00ee0748841c259cc96f7a7df

New changelog entries:
  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

8840cd4... by Marc Deslauriers on 2017-07-27

Import patches-unapplied version 2.4.25-3ubuntu2.2 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: de6a04cd4e4fe007482b019dc77dc16a086052de

New changelog entries:
  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in
      modules/aaa/mod_auth_digest.c.
    - CVE-2017-9788

de6a04c... by Marc Deslauriers on 2017-06-26

Import patches-unapplied version 2.4.25-3ubuntu2.1 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 854603c0622ab578ce835b65ac69230e2729acde

New changelog entries:
  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

854603c... by Nish Aravamudan on 2017-02-10

Import patches-unapplied version 2.4.25-3ubuntu2 to ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: f110b98a2e759a131e5fa7b6b13c58d73f6c1550

New changelog entries:
  * Undrop (LP 1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

f110b98... by Nish Aravamudan on 2017-02-09

Import patches-unapplied version 2.4.25-3ubuntu1 to ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: 7674960d2cfb46d6dd941e44384ea880155a8188

New changelog entries:
  * Merge from Debian unstable (LP: #1663425). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allow a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.
   * Drop (LP: #1658469):
     - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

7674960... by Stefan Fritsch on 2017-01-25

Import patches-unapplied version 2.4.25-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 5838443ffdd2e4fcade4168049811f0a89641fdb

New changelog entries:
  * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
    Closes: #852543
  * Compile mod_bucketeer mod_case_filter mod_case_filter_in for benefit of
    the test suite, but don't add *.load files because they don't have any
    real-world use.
  * Include the upstream test suite and a corresponding autopkgtest. This
    is quite a hack but it may help quite a bit with security updates,
    especially if stretch gets LTS support, too.

5838443... by Stefan Fritsch on 2017-01-14

Import patches-unapplied version 2.4.25-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e3f3b995ccda824ea1f98974400a0e8b69631687

New changelog entries:
  * Activate mod_reqtimeout in new installs and during updates from
    before 2.4.25-2. It was wrongly not activated in new installs since
    jessie. This made the default installation vulnerable to some DoS
    attacks.
  * Restart htcacheclean on updates and tighten dependency on apache2-utils
    to ensure that apache2-utils cannot be upgraded without apache2.
    Closes: #851122
  * When running on systems with systemd, make 'apache2ctl start' invoke
    systemctl instead. Otherwise systemd will think apache2 is not running
    and ignore further commands like reload. Closes: #839227
  * Avoid segfault in mpm_event if a signal is received too soon after start.
    PR 60487
  * Add test for some modules to be enabled.
  * Remove mention of CVE-2016-5387 in 2.4.25-1 changelog. It was already
    fixed in 2.4.23-2.

e3f3b99... by Stefan Fritsch on 2016-12-21

Import patches-unapplied version 2.4.25-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d0ab85635184f1f83ca54b0a0b3298a0b72ade50

New changelog entries:
  [ New upstream release ]
  * Security: CVE-2016-0736:
    mod_session_crypto: Authenticate the session data/cookie with a MAC to
    prevent deciphering or tampering with a padding oracle attack.
  * Security: CVE-2016-2161:
    mod_auth_digest: Prevent segfaults during client entry allocation when the
    shared memory space is exhausted.
  * Security: CVE-2016-5387:
    Mitigate [f]cgi "httpoxy" issues.
  * Security: CVE-2016-8740:
    mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
    Closes: #847124
  * Security: CVE-2016-8743:
    Enforce HTTP request grammar corresponding to RFC7230 for request lines
    and request headers, to prevent response splitting and cache pollution by
    malicious clients or downstream proxies.
  * The stricter HTTP enforcement may cause compatibility problems with
    non-conforming clients. Fine-tuning is possible with the new
    HttpProtocolOptions directive.
  * mpm_event: Fix "scoreboard full" errors. Closes: #834708 LP: #1466926
  * mod_http2: Many fixes and support for early pushes using the new
    H2PushResource directive.
  [ Stefan Fritsch ]
  * Switch to debhelper compatibility level 9.

d0ab856... by Stefan Fritsch on 2016-11-19

Import patches-unapplied version 2.4.23-8 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 4e4d3675b4d968da9149885326d2a14d661aeef0

New changelog entries:
  * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
    new package apache2-ssl-dev. Packages that interface with openssl
    state from mod_ssl must build-depend on this new package.
    This will help to disentangle the build-deps in the openssl transition.
    Closes: #845033

4e4d367... by Stefan Fritsch on 2016-11-13

Import patches-unapplied version 2.4.23-7 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 261fbaae28d1aed5754a63aaf03543a06238618f

New changelog entries:
  * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
  * Move DefaultRuntimeDir and pid file for multi-instances to
    /var/run/apache2-xxx. Thanks to Horst Platz for the debugging.
    Closes: #838932 LP: #1627339
  * Fix systemd unit naming for multi-instances.
  * Tweak embedded .tar.gz some more to build reproducibly.