diff -pruN 2.4.52-1/debian/apache2-bin.install 2.4.52-1ubuntu4/debian/apache2-bin.install --- 2.4.52-1/debian/apache2-bin.install 2021-10-07 18:28:08.000000000 +0000 +++ 2.4.52-1ubuntu4/debian/apache2-bin.install 2022-03-23 02:00:46.000000000 +0000 @@ -1,2 +1,3 @@ /usr/lib/apache2/modules/ /usr/sbin/apache2 +debian/apache2.py usr/share/apport/package-hooks diff -pruN 2.4.52-1/debian/apache2.dirs 2.4.52-1ubuntu4/debian/apache2.dirs --- 2.4.52-1/debian/apache2.dirs 2020-09-01 12:50:51.000000000 +0000 +++ 2.4.52-1ubuntu4/debian/apache2.dirs 2022-03-23 02:00:46.000000000 +0000 @@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk var/lib/apache2 var/log/apache2 var/www/html +/etc/ufw/applications.d/apache2 diff -pruN 2.4.52-1/debian/apache2.install 2.4.52-1ubuntu4/debian/apache2.install --- 2.4.52-1/debian/apache2.install 2020-09-01 12:50:51.000000000 +0000 +++ 2.4.52-1ubuntu4/debian/apache2.install 2022-03-23 02:00:46.000000000 +0000 @@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2 debian/config-dir/envvars /etc/apache2 debian/config-dir/magic /etc/apache2 debian/debhelper/apache2-maintscript-helper /usr/share/apache2/ +debian/apache2-utils.ufw.profile /etc/ufw/applications.d/ diff -pruN 2.4.52-1/debian/apache2.postrm 2.4.52-1ubuntu4/debian/apache2.postrm --- 2.4.52-1/debian/apache2.postrm 2020-08-08 07:47:06.000000000 +0000 +++ 2.4.52-1ubuntu4/debian/apache2.postrm 2022-03-25 00:35:40.000000000 +0000 @@ -33,6 +33,8 @@ is_default_index_html () { 776221a94e5a174dc2396c0f3f6b6a74 c481228d439cbb54bdcedbaec5bbb11a e2620d4a5a0f8d80dd4b16de59af981f + 3526531ccd6c6a1d2340574a305a18f8 + 720999b43a3be0674180354ac41f20b1 EOF } diff -pruN 2.4.52-1/debian/apache2.py 2.4.52-1ubuntu4/debian/apache2.py --- 2.4.52-1/debian/apache2.py 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.52-1ubuntu4/debian/apache2.py 2022-03-23 02:00:46.000000000 +0000 @@ -0,0 +1,48 @@ +#!/usr/bin/python + +'''apport hook for apache2 + +(c) 2010 Adam Sommer. +Author: Adam Sommer + +This program is free software; you can redistribute it and/or modify it +under the terms of the GNU General Public License as published by the +Free Software Foundation; either version 2 of the License, or (at your +option) any later version. See http://www.gnu.org/copyleft/gpl.html for +the full text of the license. +''' + +from apport.hookutils import * +import os + +SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/' + +def add_info(report, ui): + if os.path.isdir(SITES_ENABLED_DIR): + response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory " + "may help developers diagnose your bug more " + "quickly. However, it may contain sensitive " + "information. Do you want to include it in your " + "bug report?") + + if response == None: # user cancelled + raise StopIteration + + elif response == True: + # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d + for conf_file in os.listdir(SITES_ENABLED_DIR): + attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file) + + try: + report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d')) + except OSError: + report['Apache2ConfdDirListing'] = str(False) + + # Attach default config files if changed. + attach_conffiles(report, 'apache2', conffiles=None) + + # Attach the error.log file. + attach_file(report, '/var/log/apache2/error.log', key='error.log') + + # Get loaded modules. + report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES']) diff -pruN 2.4.52-1/debian/apache2-utils.ufw.profile 2.4.52-1ubuntu4/debian/apache2-utils.ufw.profile --- 2.4.52-1/debian/apache2-utils.ufw.profile 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.52-1ubuntu4/debian/apache2-utils.ufw.profile 2022-03-23 02:00:46.000000000 +0000 @@ -0,0 +1,14 @@ +[Apache] +title=Web Server +description=Apache v2 is the next generation of the omnipresent Apache web server. +ports=80/tcp + +[Apache Secure] +title=Web Server (HTTPS) +description=Apache v2 is the next generation of the omnipresent Apache web server. +ports=443/tcp + +[Apache Full] +title=Web Server (HTTP,HTTPS) +description=Apache v2 is the next generation of the omnipresent Apache web server. +ports=80,443/tcp diff -pruN 2.4.52-1/debian/changelog 2.4.52-1ubuntu4/debian/changelog --- 2.4.52-1/debian/changelog 2021-12-20 17:42:09.000000000 +0000 +++ 2.4.52-1ubuntu4/debian/changelog 2022-03-25 00:35:40.000000000 +0000 @@ -1,3 +1,76 @@ +apache2 (2.4.52-1ubuntu4) jammy; urgency=medium + + * d/apache2.postrm: Include md5 sum for updated index.html + + -- Bryce Harrington Thu, 24 Mar 2022 17:35:40 -0700 + +apache2 (2.4.52-1ubuntu3) jammy; urgency=medium + + * d/index.html: + - Redesign page's heading for the new logo + - Use the Ubuntu font where available + - Update service management directions + - Copyedit grammar + - Light reformatting and whitespace cleanup + * d/icons/ubuntu-logo.png: Refresh ubuntu logo + (LP: #1966004) + + -- Bryce Harrington Wed, 23 Mar 2022 16:18:11 -0700 + +apache2 (2.4.52-1ubuntu2) jammy; urgency=medium + + * SECURITY UPDATE: OOB read in mod_lua via crafted request body + - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or + lua_write_body() fail in modules/lua/lua_request.c. + - CVE-2022-22719 + * SECURITY UPDATE: HTTP Request Smuggling via error discarding the + request body + - debian/patches/CVE-2022-22720.patch: simpler connection close logic + if discarding the request body fails in modules/http/http_filters.c, + server/protocol.c. + - CVE-2022-22720 + * SECURITY UPDATE: overflow via large LimitXMLRequestBody + - debian/patches/CVE-2022-22721.patch: make sure and check that + LimitXMLRequestBody fits in system memory in server/core.c, + server/util.c, server/util_xml.c. + - CVE-2022-22721 + * SECURITY UPDATE: out-of-bounds write in mod_sed + - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger + buffer sizes and unsigned arithmetics in modules/filters/libsed.h, + modules/filters/mod_sed.c, modules/filters/sed1.c. + - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in + modules/filters/mod_sed.c. + - CVE-2022-23943 + + -- Marc Deslauriers Thu, 17 Mar 2022 09:39:54 -0400 + +apache2 (2.4.52-1ubuntu1) jammy; urgency=medium + + * Merge with Debian unstable (LP: #1959924). Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + (LP 261198) + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + (LP 609177) + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, + d/s/include-binaries: replace Debian with Ubuntu on default + page and add Ubuntu icon file. + (LP 1288690) + * Dropped: + - d/p/support-openssl3-*.patch: Backport various patches from + https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's + failure to load when using OpenSSL 3. + (LP #1951476) + [Included in upstream release 2.4.52] + - d/apache2ctl: Also use systemd for graceful if it is in use. + (LP 1832182) + [This introduced a performance regression.] + - d/apache2ctl: Also use /run/systemd to check for systemd usage. + (LP 1918209) + [Not needed] + + -- Bryce Harrington Thu, 03 Feb 2022 10:25:47 -0800 + apache2 (2.4.52-1) unstable; urgency=medium * Refresh suexec-custom.patch @@ -8,6 +81,60 @@ apache2 (2.4.52-1) unstable; urgency=med -- Yadd Mon, 20 Dec 2021 18:42:09 +0100 +apache2 (2.4.51-2ubuntu1) jammy; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + (LP 261198) + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + (LP 609177) + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, + d/s/include-binaries: replace Debian with Ubuntu on default + page and add Ubuntu icon file. + (LP 1288690) + - d/p/support-openssl3-*.patch: Backport various patches from + https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's + failure to load when using OpenSSL 3. + (LP #1951476) + * Dropped: + - d/apache2ctl: Also use systemd for graceful if it is in use. + (LP: 1832182) + [This introduced a performance regression.] + - d/apache2ctl: Also use /run/systemd to check for systemd usage. + (LP 1918209) + [Not needed] + - debian/patches/CVE-2021-33193.patch: refactor request parsing in + include/ap_mmn.h, include/http_core.h, include/http_protocol.h, + include/http_vhost.h, modules/http2/h2_request.c, server/core.c, + server/core_filters.c, server/protocol.c, server/vhost.c. + [Fixed in 2.4.48-4] + - debian/patches/CVE-2021-34798.patch: add NULL check in + server/scoreboard.c. + [Fixed in 2.4.49-1] + - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for + generic worker in modules/proxy/mod_proxy_uwsgi.c. + [Fixed in 2.4.49-1] + - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes + substitution logic in server/util.c. + [Fixed in 2.4.49-1] + - arbitrary origin server via crafted request uri-path + + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path + parsing in the "proxy:" URL in modules/proxy/mod_proxy.c, + modules/proxy/proxy_util.c. + + debian/patches/CVE-2021-40438.patch: add sanity checks on the + configured UDS path in modules/proxy/proxy_util.c. + [Fixed in 2.4.49-3] + - SECURITY REGRESSION: Issues in UDS URIs. (LP #1945311) + + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P + rules in modules/mappers/mod_rewrite.c. + + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty + hostname in modules/mappers/mod_rewrite.c, + modules/proxy/proxy_util.c. + [Fixed in 2.4.49-3] + + -- Bryce Harrington Thu, 16 Dec 2021 14:09:26 -0800 + apache2 (2.4.51-2) unstable; urgency=medium * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting @@ -73,6 +200,74 @@ apache2 (2.4.48-4) unstable; urgency=med -- Yadd Thu, 12 Aug 2021 11:37:43 +0200 +apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium + + * d/p/support-openssl3-*.patch: Backport various patches from + https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's + failure to load when using OpenSSL 3. (LP: #1951476) + + -- Sergio Durigan Junior Fri, 26 Nov 2021 16:07:56 -0500 + +apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium + + * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311) + - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P + rules in modules/mappers/mod_rewrite.c. + - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty + hostname in modules/mappers/mod_rewrite.c, + modules/proxy/proxy_util.c. + + -- Marc Deslauriers Tue, 28 Sep 2021 08:52:26 -0400 + +apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium + + * SECURITY UPDATE: request splitting over HTTP/2 + - debian/patches/CVE-2021-33193.patch: refactor request parsing in + include/ap_mmn.h, include/http_core.h, include/http_protocol.h, + include/http_vhost.h, modules/http2/h2_request.c, server/core.c, + server/core_filters.c, server/protocol.c, server/vhost.c. + - CVE-2021-33193 + * SECURITY UPDATE: NULL deref via malformed requests + - debian/patches/CVE-2021-34798.patch: add NULL check in + server/scoreboard.c. + - CVE-2021-34798 + * SECURITY UPDATE: DoS in mod_proxy_uwsgi + - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for + generic worker in modules/proxy/mod_proxy_uwsgi.c. + - CVE-2021-36160 + * SECURITY UPDATE: buffer overflow in ap_escape_quotes + - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes + substitution logic in server/util.c. + - CVE-2021-39275 + * SECURITY UPDATE: arbitrary origin server via crafted request uri-path + - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path + parsing in the "proxy:" URL in modules/proxy/mod_proxy.c, + modules/proxy/proxy_util.c. + - debian/patches/CVE-2021-40438.patch: add sanity checks on the + configured UDS path in modules/proxy/proxy_util.c. + - CVE-2021-40438 + + -- Marc Deslauriers Thu, 23 Sep 2021 12:51:16 -0400 + +apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. (LP 261198) + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + (LP 609177) + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, + d/s/include-binaries: replace Debian with Ubuntu on default + page and add Ubuntu icon file. (LP 1288690) + - d/apache2ctl: Also use systemd for graceful if it is in use. + This extends an earlier fix for the start command to behave + similarly for restart / graceful. Fixes service failures on + unattended upgrade. (LP 1832182) + - d/apache2ctl: Also use /run/systemd to check for systemd usage + (LP 1918209) + + -- Bryce Harrington Wed, 11 Aug 2021 20:03:24 -0700 + apache2 (2.4.48-3.1) unstable; urgency=medium * Non-maintainer upload. @@ -81,6 +276,46 @@ apache2 (2.4.48-3.1) unstable; urgency=m -- Thorsten Glaser Sat, 10 Jul 2021 23:31:28 +0200 +apache2 (2.4.48-3ubuntu1) impish; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. (LP: 261198) + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + (LP: 609177) + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, + d/s/include-binaries: replace Debian with Ubuntu on default + page and add Ubuntu icon file. (LP: 1288690) + - d/apache2ctl: Also use systemd for graceful if it is in use. + This extends an earlier fix for the start command to behave + similarly for restart / graceful. Fixes service failures on + unattended upgrade. (LP: 1832182) + - d/apache2ctl: Also use /run/systemd to check for systemd usage + (LP: 1918209) + * Dropped: + - d/t/control, d/t/check-http2: add basic test for http2 support + [Fixed in 2.4.48-2] + - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing + [Fixed in 2.4.48-1] + - d/p/CVE-2020-13950.patch: don't dereference NULL proxy + connection in modules/proxy/mod_proxy_http.c. + [Fixed in 2.4.48 upstream] + - d/p/CVE-2020-35452.patch: fast validation of the nonce's + base64 to fail early if the format can't match anyway in + modules/aaa/mod_auth_digest.c. + [Fixed in 2.4.48 upstream] + - d/p/CVE-2021-26690.patch: save one apr_strtok() in + session_identity_decode() in modules/session/mod_session.c. + [Fixed in 2.4.48 upstream] + - d/p/CVE-2021-26691.patch: account for the '&' in + identity_concat() in modules/session/mod_session.c. + [Fixed in 2.4.48 upstream] + - d/p/CVE-2021-30641.patch: change default behavior in + server/request.c. + [Fixed in 2.4.48 upstream] + + -- Bryce Harrington Thu, 08 Jul 2021 03:20:46 +0000 + apache2 (2.4.48-3) unstable; urgency=medium * Fix debian/changelog @@ -137,6 +372,65 @@ apache2 (2.4.46-5) unstable; urgency=med -- Yadd Thu, 10 Jun 2021 11:57:38 +0200 +apache2 (2.4.46-4ubuntu3) impish; urgency=medium + + * No-change rebuild due to OpenLDAP soname bump. + + -- Sergio Durigan Junior Mon, 21 Jun 2021 17:43:48 -0400 + +apache2 (2.4.46-4ubuntu2) impish; urgency=medium + + * SECURITY UPDATE: mod_proxy_http denial of service. + - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy + connection in modules/proxy/mod_proxy_http.c. + - CVE-2020-13950 + * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest + - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's + base64 to fail early if the format can't match anyway in + modules/aaa/mod_auth_digest.c. + - CVE-2020-35452 + * SECURITY UPDATE: DoS via cookie header in mod_session + - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in + session_identity_decode() in modules/session/mod_session.c. + - CVE-2021-26690 + * SECURITY UPDATE: heap overflow via SessionHeader + - debian/patches/CVE-2021-26691.patch: account for the '&' in + identity_concat() in modules/session/mod_session.c. + - CVE-2021-26691 + * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF' + - debian/patches/CVE-2021-30641.patch: change default behavior in + server/request.c. + - CVE-2021-30641 + + -- Marc Deslauriers Thu, 17 Jun 2021 13:09:41 -0400 + +apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium + + * Merge with Debian unstable, to allow moving from lua5.2 to + lua5.3 (LP: #1910372). Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + + d/source/include-binaries: add Ubuntu icon file + - d/t/control, d/t/check-http2: add basic test for http2 support + - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing + issue reading error log too quickly after request, by adding a sleep. + (LP #1890302) + - d/apache2ctl: Also use systemd for graceful if it is in use. + This extends an earlier fix for the start command to behave + similarly for restart / graceful. Fixes service failures on + unattended upgrade. + * Drop: + - d/perl-framework/t/modules/allowmethods.t: disable reset test. This + was re-added by mistake in 2.4.41-1 (Closes #921024) + [Included in Debian 2.4.46-3] + * d/apache2ctl: Also use /run/systemd to check for systemd usage + (LP: #1918209) + + -- Bryce Harrington Tue, 09 Mar 2021 00:45:35 +0000 + apache2 (2.4.46-4) unstable; urgency=medium * Ignore other random another test failures (Closes: #979664) @@ -154,6 +448,28 @@ apache2 (2.4.46-3) unstable; urgency=med -- Xavier Guimard Sun, 10 Jan 2021 22:43:21 +0100 +apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + + d/source/include-binaries: add Ubuntu icon file + - d/t/control, d/t/check-http2: add basic test for http2 support + - d/perl-framework/t/modules/allowmethods.t: disable reset test. This + was re-added by mistake in 2.4.41-1 (Closes #921024) + - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing + issue reading error log too quickly after request, by adding a sleep. + (LP #1890302) + - d/apache2ctl: Also use systemd for graceful if it is in use. + This extends an earlier fix for the start command to behave + similarly for restart / graceful. Fixes service failures on + unattended upgrade. + + -- Paride Legovini Mon, 14 Dec 2020 18:12:15 +0100 + apache2 (2.4.46-2) unstable; urgency=medium [ Jean-Michel Vourgère ] @@ -175,6 +491,39 @@ apache2 (2.4.46-2) unstable; urgency=med -- Xavier Guimard Fri, 13 Nov 2020 16:59:01 +0100 +apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium + + * d/apache2ctl: Also use systemd for graceful if it is in use. + (LP: #1832182) + - This extends an earlier fix for the start command to behave + similarly for restart / graceful. Fixes service failures on + unattended upgrade. + + -- Bryce Harrington Mon, 05 Oct 2020 16:06:32 -0700 + +apache2 (2.4.46-1ubuntu1) groovy; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + + d/source/include-binaries: add Ubuntu icon file + - d/t/control, d/t/check-http2: add basic test for http2 support + - d/perl-framework/t/modules/allowmethods.t: disable reset test. This + was re-added by mistake in 2.4.41-1 (Closes #921024) + - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing + issue reading error log too quickly after request, by adding a sleep. + (LP #1890302) + * Dropped: + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + [Unclear if it's still necessary, and upstream hasn't made a + release with it yet] + + -- Andreas Hasenack Tue, 25 Aug 2020 09:13:38 -0300 + apache2 (2.4.46-1) unstable; urgency=medium [ Xavier Guimard ] @@ -191,6 +540,39 @@ apache2 (2.4.46-1) unstable; urgency=med -- Xavier Guimard Sat, 08 Aug 2020 08:33:36 +0200 +apache2 (2.4.43-1ubuntu2) groovy; urgency=medium + + * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing + issue reading error log too quickly after request, by adding a sleep. + (LP: #1890302) + + -- Bryce Harrington Wed, 05 Aug 2020 12:44:59 -0700 + +apache2 (2.4.43-1ubuntu1) groovy; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + + d/source/include-binaries: add Ubuntu icon file + - d/t/control, d/t/check-http2: add basic test for http2 support + - d/perl-framework/t/modules/allowmethods.t: disable reset test. This + was re-added by mistake in 2.4.41-1 (Closes #921024) + * Dropped: + - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret" + parameter to mod_proxy_ajp (LP #1865340) + [Fixed upstream] + - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff: + mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests. + Closes #955348, LP #1872478 + [In 2.4.43-1] + + -- Andreas Hasenack Tue, 21 Jul 2020 10:22:42 -0300 + apache2 (2.4.43-1) unstable; urgency=medium [ Timo Aaltonen ] @@ -218,6 +600,39 @@ apache2 (2.4.41-5) unstable; urgency=med -- Xavier Guimard Wed, 18 Mar 2020 21:06:49 +0100 +apache2 (2.4.41-4ubuntu3) focal; urgency=medium + + [ Timo Aaltonen ] + * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff: + mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests. + Closes: #955348, LP: #1872478 + + -- Andreas Hasenack Mon, 13 Apr 2020 14:19:17 -0300 + +apache2 (2.4.41-4ubuntu2) focal; urgency=medium + + * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret" + parameter to mod_proxy_ajp (LP: #1865340) + + -- Andreas Hasenack Thu, 05 Mar 2020 15:51:00 -0300 + +apache2 (2.4.41-4ubuntu1) focal; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + + d/source/include-binaries: add Ubuntu icon file + - d/t/control, d/t/check-http2: add basic test for http2 support + - d/perl-framework/t/modules/allowmethods.t: disable reset test. This + was re-added by mistake in 2.4.41-1 (Closes #921024) + + -- Andreas Hasenack Wed, 26 Feb 2020 10:36:13 -0300 + apache2 (2.4.41-4) unstable; urgency=medium * Add gcc in chroot autopkgtest (fixes debci) @@ -242,6 +657,41 @@ apache2 (2.4.41-2) unstable; urgency=med -- Xavier Guimard Mon, 13 Jan 2020 06:14:45 +0100 +apache2 (2.4.41-1ubuntu1) eoan; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + + d/source/include-binaries: add Ubuntu icon file + - d/t/control, d/t/check-http2: add basic test for http2 support + * Dropped: + - Cherrypick upstream testsuite fix: + + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation" + as such). + + Similarly use TLSv1.2 for pr12355 and pr43738. + [Test suite updated in 2.4.41-1] + - Cherrypick upstream test suite fix for buffer. + [Included in 2.4.41-1] + - d/p/spelling-errors.patch: removed hunks already fixed upstream + [Included in 2.4.39-1] + - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1): + + d/p/CVE-2019-0196.patch + + d/p/CVE-2019-0211.patch + + d/p/CVE-2019-0215.patch + + d/p/CVE-2019-0217.patch + + d/p/CVE-2019-0220-*.patch + + d/p/CVE-2019-0197.patch + * Added: + - d/perl-framework/t/modules/allowmethods.t: disable reset test. This + was re-added by mistake in 2.4.41-1 (Closes: #921024) + + -- Andreas Hasenack Wed, 14 Aug 2019 11:36:32 -0300 + apache2 (2.4.41-1) unstable; urgency=medium * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081, @@ -274,6 +724,62 @@ apache2 (2.4.39-1) unstable; urgency=med -- Xavier Guimard Mon, 12 Aug 2019 21:30:33 +0200 +apache2 (2.4.39-0ubuntu1) eoan; urgency=medium + + * New upstream version: 2.4.39 + * d/p/spelling-errors.patch: removed hunks already fixed upstream + * Remaining changes: + - Cherrypick upstream test suite fix for buffer. + - Cherrypick upstream testsuite fix: + + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation" + as such). + - Similarly use TLSv1.2 for pr12355 and pr43738. + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + + d/source/include-binaries: add Ubuntu icon file + - d/t/control, d/t/check-http2: add basic test for http2 support + * Dropped patches (fixed upstream): + - d/p/CVE-2019-0196.patch + - d/p/CVE-2019-0211.patch + - d/p/CVE-2019-0215.patch + - d/p/CVE-2019-0217.patch + - d/p/CVE-2019-0220-*.patch + - d/p/CVE-2019-0197.patch + + -- Andreas Hasenack Mon, 05 Aug 2019 18:09:08 -0300 + +apache2 (2.4.38-3ubuntu2) eoan; urgency=medium + + * Cherrypick upstream test suite fix for buffer. + + -- Dimitri John Ledkov Thu, 13 Jun 2019 11:08:24 +0100 + +apache2 (2.4.38-3ubuntu1) eoan; urgency=low + + * Merge from Debian unstable. Remaining changes: + - Cherrypick upstream testsuite fix: + + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation" + as such). + - Similarly use TLSv1.2 for pr12355 and pr43738. + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + [Removed configure chunk, not needed since configure.in is being + patched.] + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + + d/source/include-binaries: add Ubuntu icon file + - d/t/control, d/t/check-http2: add basic test for http2 support + + -- Dimitri John Ledkov Mon, 10 Jun 2019 19:17:38 +0100 + apache2 (2.4.38-3) unstable; urgency=high [ Marc Deslauriers ] @@ -311,6 +817,79 @@ apache2 (2.4.38-3) unstable; urgency=hig -- Stefan Fritsch Sun, 07 Apr 2019 20:15:40 +0200 +apache2 (2.4.38-2ubuntu3) eoan; urgency=medium + + * Cherrypick upstream testsuite fix: + - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation" + as such). + * Similarly use TLSv1.2 for pr12355 and pr43738. + + -- Dimitri John Ledkov Tue, 07 May 2019 10:39:47 +0100 + +apache2 (2.4.38-2ubuntu2) disco; urgency=medium + + * SECURITY UPDATE: read-after-free on a string compare in mod_http2 + - debian/patches/CVE-2019-0196.patch: disentangelment of stream and + request method in modules/http2/h2_request.c. + - CVE-2019-0196 + * SECURITY UPDATE: privilege escalation from modules' scripts + - debian/patches/CVE-2019-0211.patch: bind the bucket number of each + child to its slot number in include/scoreboard.h, + server/mpm/event/event.c, server/mpm/prefork/prefork.c, + server/mpm/worker/worker.c. + - CVE-2019-0211 + * SECURITY UPDATE: mod_ssl access control bypass + - debian/patches/CVE-2019-0215.patch: restore SSL verify state after + PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c. + - CVE-2019-0215 + * SECURITY UPDATE: mod_auth_digest access control bypass + - debian/patches/CVE-2019-0217.patch: fix a race condition in + modules/aaa/mod_auth_digest.c. + - CVE-2019-0217 + * SECURITY UPDATE: URL normalization inconsistincy + - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in + the path in include/http_core.h, include/httpd.h, server/core.c, + server/request.c, server/util.c. + - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety + in server/request.c, server/util.c. + - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in + server/util.c. + - CVE-2019-0220 + + -- Marc Deslauriers Wed, 03 Apr 2019 14:31:46 -0400 + +apache2 (2.4.38-2ubuntu1) disco; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + [Removed configure chunk, not needed since configure.in is being + patched.] + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + + d/source/include-binaries: add Ubuntu icon file + - d/t/control, d/t/check-http2: add basic test for http2 support + * Dropped: + - d/control, d/rules, d/config-dir/mods-available/md.load: don't build + libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which + cannot be coinstalled with libcurl3. That situation breaks the + installation of libapache2-mod-shib2. See + https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1 + for details. + [This has been resolved in Disco, where libxmltooling8 is built with + openssl 1.1] + - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames + + debian/patches/CVE-2018-11763.patch: rework connection IO event + handling in modules/http2/h2_session.c, modules/http2/h2_session.h, + modules/http2/h2_version.h. + - CVE-2018-11763 + [Fixed in 2.4.35] + + -- Andreas Hasenack Sun, 03 Feb 2019 14:57:13 -0200 + apache2 (2.4.38-2) unstable; urgency=medium * Disable "reset" test in allowmethods.t (Closes: #921024) @@ -393,6 +972,37 @@ apache2 (2.4.35-1) unstable; urgency=med -- Stefan Fritsch Sun, 07 Oct 2018 12:54:58 +0200 +apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium + + * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames + - debian/patches/CVE-2018-11763.patch: rework connection IO event + handling in modules/http2/h2_session.c, modules/http2/h2_session.h, + modules/http2/h2_version.h. + - CVE-2018-11763 + + -- Marc Deslauriers Wed, 03 Oct 2018 09:57:22 -0400 + +apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + + d/source/include-binaries: add Ubuntu icon file + - d/t/control, d/t/check-http2: add basic test for http2 support + - d/control, d/rules, d/config-dir/mods-available/md.load: don't build + libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which + cannot be coinstalled with libcurl3. That situation breaks the + installation of libapache2-mod-shib2. See + https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1 + for details. + + -- Andreas Hasenack Fri, 03 Aug 2018 17:09:27 -0300 + apache2 (2.4.34-1) unstable; urgency=medium [ Ondřej Surý ] @@ -411,6 +1021,87 @@ apache2 (2.4.34-1) unstable; urgency=med -- Stefan Fritsch Fri, 27 Jul 2018 21:37:37 +0200 +apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium + + * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load: + re-enable proxy_uwsgi, as the uwsgi source no longer builds this module. + + -- Andreas Hasenack Thu, 28 Jun 2018 10:07:06 -0300 + +apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium + + * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and + libapache2-mod-md until we figure out their transitions. libapache2-mod-md + in particular is problematic because that makes apache2-bin pull in + libcurl4 which cannot be coinstalled with libcurl3. That situation breaks + the installation of libapache2-mod-shib2. See + https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1 + for details. + - Don't ship md.load and remove build-requires that were added because of + mod-md (see + https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf) + - Remove proxy_uwsgi.load as we are not building it for now (see + https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9) + + -- Andreas Hasenack Thu, 17 May 2018 14:46:19 +0000 + +apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium + + * Merge with Debian unstable (LP: #1770242). Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + + d/source/include-binaries: add Ubuntu icon file + - d/t/control, d/t/check-http2: add basic test for http2 support + * Drop: + - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig + + debian/patches/CVE-2017-15710.patch: fix language long names + detection as short name in modules/aaa/mod_authnz_ldap.c. + + CVE-2017-15710 + - SECURITY UPDATE: incorrect matching + + debian/patches/CVE-2017-15715.patch: allow to configure + global/default options for regexes, like caseless matching or + extended format in include/ap_regex.h, server/core.c, + server/util_pcre.c. + + CVE-2017-15715 + - SECURITY UPDATE: mod_session header manipulation + + debian/patches/CVE-2018-1283.patch: strip Session header when + SessionEnv is on in modules/session/mod_session.c. + + CVE-2018-1283 + - SECURITY UPDATE: DoS via specially-crafted request + + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL + terminated on any error, not only on buffer full in + server/protocol.c. + + CVE-2018-1301 + - SECURITY UPDATE: mod_cache_socache DoS + + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up + to carriage return in modules/cache/mod_cache_socache.c. + + CVE-2018-1303 + - SECURITY UPDATE: insecure nonce generation + + debian/patches/CVE-2018-1312.patch: actually use the secret when + generating nonces in modules/aaa/mod_auth_digest.c. + + CVE-2018-1312 + - Correct systemd-sysv-generator behavior by customizing some + parameters: + + d/apache2-systemd.conf: add a drop-in file to specify some + parameters for the systemd unit (type=Forking and + RemainsAfterExit=no), this allow a correct state synchronisation + between systemctl status and actual state of apache2 daemon. + + d/apache2.install: place the apache2-systemd.conf file in the + correct location. + [type=Forking already in the base systemd service file, and + RemainsAfterExit=no is the default value, so no need to + customize these anymore.] + - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683) + + added debian/patches/util_ldap_cache_lock_fix.patch + [Already applied upstream] + + -- Andreas Hasenack Tue, 15 May 2018 11:03:34 -0300 + apache2 (2.4.33-3) unstable; urgency=medium * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too. @@ -483,6 +1174,91 @@ apache2 (2.4.29-2) unstable; urgency=med -- Ondřej Surý Sun, 14 Jan 2018 11:01:58 +0000 +apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium + + * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig + - debian/patches/CVE-2017-15710.patch: fix language long names + detection as short name in modules/aaa/mod_authnz_ldap.c. + - CVE-2017-15710 + * SECURITY UPDATE: incorrect matching + - debian/patches/CVE-2017-15715.patch: allow to configure + global/default options for regexes, like caseless matching or + extended format in include/ap_regex.h, server/core.c, + server/util_pcre.c. + - CVE-2017-15715 + * SECURITY UPDATE: mod_session header manipulation + - debian/patches/CVE-2018-1283.patch: strip Session header when + SessionEnv is on in modules/session/mod_session.c. + - CVE-2018-1283 + * SECURITY UPDATE: DoS via specially-crafted request + - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL + terminated on any error, not only on buffer full in + server/protocol.c. + - CVE-2018-1301 + * SECURITY UPDATE: mod_cache_socache DoS + - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up + to carriage return in modules/cache/mod_cache_socache.c. + - CVE-2018-1303 + * SECURITY UPDATE: insecure nonce generation + - debian/patches/CVE-2018-1312.patch: actually use the secret when + generating nonces in modules/aaa/mod_auth_digest.c. + - CVE-2018-1312 + + -- Marc Deslauriers Wed, 25 Apr 2018 07:38:24 -0400 + +apache2 (2.4.29-1ubuntu4) bionic; urgency=medium + + * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683) + - added debian/patches/util_ldap_cache_lock_fix.patch + + -- Rafael David Tinoco Fri, 02 Mar 2018 02:19:31 +0000 + +apache2 (2.4.29-1ubuntu3) bionic; urgency=medium + + * Switch back to OpenSSL 1.1. + + -- Dimitri John Ledkov Tue, 06 Feb 2018 11:57:20 +0000 + +apache2 (2.4.29-1ubuntu2) bionic; urgency=medium + + * enable http2 (LP: #1687454) by stopping to disable it + - debian/control: no more removed libnghttp2-dev Build-Depends (in universe). + - debian/config-dir/mods-available/http2.load: no more removed. + - debian/rules: no more removed proxy_http2 from configure. + * d/t/control, d/t/check-http2: add basic test for http2 support + + -- Christian Ehrhardt Tue, 05 Dec 2017 17:25:39 +0100 + +apache2 (2.4.29-1ubuntu1) bionic; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + + d/source/include-binaries: add Ubuntu icon file + - Correct systemd-sysv-generator behavior by customizing some + parameters: + + d/apache2-systemd.conf: add a drop-in file to specify some + parameters for the systemd unit (type=Forking and + RemainsAfterExit=no), this allow a correct state synchronisation + between systemctl status and actual state of apache2 daemon. + + d/apache2.install: place the apache2-systemd.conf file in the + correct location. + - Don't build http2 module (nghttp2 still not in main) (LP 1687454) + + debian/control: removed libnghttp2-dev Build-Depends (in universe). + + debian/config-dir/mods-available/http2.load: removed. + + debian/rules: removed proxy_http2 from configure. + * Switch back to OpenSSL 1.0 as we don't yet have 1.1: + - debian/control: switch BuildDepends to libssl1.0-dev + - debian/control: remove Breaks on gridsite and libapache2-mod-dacs + - debian/rules: remove openssl virtual package and logic + + -- Marc Deslauriers Fri, 10 Nov 2017 10:51:46 -0500 + apache2 (2.4.29-1) unstable; urgency=medium [ Stefan Fritsch ] @@ -547,6 +1323,47 @@ apache2 (2.4.27-3) experimental; urgency -- Stefan Fritsch Sun, 16 Jul 2017 23:11:07 +0200 +apache2 (2.4.27-2ubuntu3) artful; urgency=medium + + * SECURITY UPDATE: optionsbleed information leak + - debian/patches/CVE-2017-9798.patch: disallow method registration + at run time in server/core.c. + - CVE-2017-9798 + + -- Marc Deslauriers Mon, 18 Sep 2017 11:05:48 -0400 + +apache2 (2.4.27-2ubuntu2) artful; urgency=medium + + * Undrop (LP 1658469): + - Don't build http2 module (nghttp2 still not in main) (LP 1687454) + + debian/control: removed libnghttp2-dev Build-Depends (in universe). + + debian/config-dir/mods-available/http2.load: removed. + + debian/rules: removed proxy_http2 from configure. + + -- Marc Deslauriers Wed, 02 Aug 2017 13:04:45 -0400 + +apache2 (2.4.27-2ubuntu1) artful; urgency=medium + + * Merge with Debian unstable (LP: #1702582). Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + + d/source/include-binaries: add Ubuntu icon file + - Correct systemd-sysv-generator behavior by customizing some + parameters: + + d/apache2-systemd.conf: add a drop-in file to specify some + parameters for the systemd unit (type=Forking and + RemainsAfterExit=no), this allow a correct state synchronisation + between systemctl status and actual state of apache2 daemon. + + d/apache2.install: place the apache2-systemd.conf file in the + correct location. + + -- Nishanth Aravamudan Thu, 27 Jul 2017 13:38:39 -0700 + apache2 (2.4.27-2) unstable; urgency=medium * Switch back to openssl 1.0 for now. The transition to 1.1 needs more @@ -576,6 +1393,55 @@ apache2 (2.4.25-4) unstable; urgency=hig -- Stefan Fritsch Tue, 20 Jun 2017 21:31:51 +0200 +apache2 (2.4.25-3ubuntu3) artful; urgency=medium + + * Re-Drop (LP: #1658469): + - Don't build experimental http2 module for LTS: + + debian/control: removed libnghttp2-dev Build-Depends (in universe). + + debian/config-dir/mods-available/http2.load: removed. + + debian/rules: removed proxy_http2 from configure. + + debian/apache2.maintscript: remove http2 conffile. + + -- Nishanth Aravamudan Mon, 01 May 2017 09:55:11 -0700 + +apache2 (2.4.25-3ubuntu2) zesty; urgency=medium + * Undrop (LP 1658469): + - Don't build experimental http2 module for LTS: + + debian/control: removed libnghttp2-dev Build-Depends (in universe). + + debian/config-dir/mods-available/http2.load: removed. + + debian/rules: removed proxy_http2 from configure. + + debian/apache2.maintscript: remove http2 conffile. + + -- Nishanth Aravamudan Fri, 10 Feb 2017 08:53:43 -0800 + +apache2 (2.4.25-3ubuntu1) zesty; urgency=medium + + * Merge from Debian unstable (LP: #1663425). Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + + d/source/include-binaries: add Ubuntu icon file + - Correct systemd-sysv-generator behavior by customizing some + parameters: + + d/apache2-systemd.conf: add a drop-in file to specify some + parameters for the systemd unit (type=Forking and + RemainsAfterExit=no), this allow a correct state synchronisation + between systemctl status and actual state of apache2 daemon. + + d/apache2.install: place the apache2-systemd.conf file in the + correct location. + * Drop (LP: #1658469): + - Don't build experimental http2 module for LTS: + + debian/control: removed libnghttp2-dev Build-Depends (in universe). + + debian/config-dir/mods-available/http2.load: removed. + + debian/rules: removed proxy_http2 from configure. + + debian/apache2.maintscript: remove http2 conffile. + + -- Nishanth Aravamudan Thu, 09 Feb 2017 15:48:28 -0800 + apache2 (2.4.25-3) unstable; urgency=medium * Fix detection of systemd to fix 'apache2ctl start' on sysv-init. @@ -637,6 +1503,39 @@ apache2 (2.4.25-1) unstable; urgency=med -- Stefan Fritsch Wed, 21 Dec 2016 23:46:06 +0100 +apache2 (2.4.23-8ubuntu1) zesty; urgency=medium + + * Merge from Debian unstable (LP: #). Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, + d/source/include-binaries: replace Debian with Ubuntu on default + page. + [ include-binaries change previously undocumented ] + - Don't build experimental http2 module for LTS: + + debian/control: removed libnghttp2-dev Build-Depends (in universe). + + debian/config-dir/mods-available/http2.load: removed. + + debian/rules: removed proxy_http2 from configure. + + debian/apache2.maintscript: remove http2 conffile. + [ Previously undocumented ] + - Correct systemd-sysv-generator behavior by customizing some + parameters: + + d/apache2-systemd.conf: add a drop-in file to specify some + parameters for the systemd unit (type=Forking and + RemainsAfterExit=no), this allow a correct state synchronisation + between systemctl status and actual state of apache2 daemon. + + d/apache2.install: place the apache2-systemd.conf file in the + correct location. + * Drop: + - debian/rules: Fix cross-building by passing + DEB_{HOST,BUILD}_GNU_TYPE to configure. + [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ] + + -- Nishanth Aravamudan Fri, 09 Dec 2016 11:02:38 +0100 + apache2 (2.4.23-8) unstable; urgency=medium * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a @@ -647,6 +1546,33 @@ apache2 (2.4.23-8) unstable; urgency=med -- Stefan Fritsch Sun, 20 Nov 2016 00:33:13 +0100 +apache2 (2.4.23-7ubuntu1) zesty; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/rules: Fix cross-building by passing + DEB_{HOST,BUILD}_GNU_TYPE to configure. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace + Debian with Ubuntu on default page. + - Don't build experimental http2 module for LTS: + + debian/control: removed libnghttp2-dev Build-Depends (in universe). + + debian/config-dir/mods-available/http2.load: removed. + + debian/rules: removed proxy_http2 from configure. + - Correct systemd-sysv-generator behavior by customizing some + parameters: + + d/apache2-systemd.conf: add a drop-in file to specify some + parameters for the systemd unit (type=Forking and + RemainsAfterExit=no), this allow a correct state synchronisation + between systemctl status and actual state of apache2 daemon. + + d/apache2.install: place the apache2-systemd.conf file in the + correct location. + + -- Marc Deslauriers Wed, 16 Nov 2016 09:17:24 -0500 + apache2 (2.4.23-7) unstable; urgency=medium * Make apache2-dev depend on openssl 1.0, too. Closes: #844160 @@ -761,6 +1687,55 @@ apache2 (2.4.20-1) unstable; urgency=med -- Stefan Fritsch Sun, 10 Apr 2016 14:03:41 +0200 +apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium + + * SECURITY UPDATE: proxy request header vulnerability (httpoxy) + - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in + server/util_script.c. + - CVE-2016-5387 + + -- Marc Deslauriers Mon, 18 Jul 2016 14:32:02 -0400 + +apache2 (2.4.18-2ubuntu3) xenial; urgency=medium + + [ Ryan Harper ] + * Drop /etc/apache2/mods-available/http2.load. This was inadvertently + introduced in 2.4.18-2ubuntu1. The intention is to not carry this at + all, since http2 support is intentionally disabled (see LP 1531864). + * d/apache2.maintscript: handle removal of http2.load conffile. + + [ Robie Basak ] + * Re-write Ryan's changelog entry. + + -- Robie Basak Fri, 15 Apr 2016 18:00:57 +0000 + +apache2 (2.4.18-2ubuntu2) xenial; urgency=medium + + * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962) + - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd + unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation + between systemctl status and actual state of apache2 daemon. + - d/apache2.install: place the apache2-systemd.conf file in the correct location. + + -- Pierre-André MOREY Fri, 08 Apr 2016 11:48:00 +0200 + +apache2 (2.4.18-2ubuntu1) xenial; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/rules: Fix cross-building by passing + DEB_{HOST,BUILD}_GNU_TYPE to configure. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html: replace Debian with Ubuntu on default page. + - Don't build experimental http2 module for LTS: + + debian/control: removed libnghttp2-dev Build-Depends (in universe). + + debian/config-dir/mods-available/http2.load: removed. + + -- Timo Aaltonen Wed, 06 Apr 2016 00:18:31 +0300 + apache2 (2.4.18-2) unstable; urgency=low * htcacheclean: @@ -786,6 +1761,24 @@ apache2 (2.4.18-2) unstable; urgency=low -- Stefan Fritsch Mon, 28 Mar 2016 21:58:54 +0200 +apache2 (2.4.18-1ubuntu1) xenial; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - Add dep8 tests. + - debian/rules: Fix cross-building by passing + DEB_{HOST,BUILD}_GNU_TYPE to configure. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html: replace Debian with Ubuntu on default page. + - Don't build experimental http2 module for LTS: + + debian/control: removed libnghttp2-dev Build-Depends (in universe). + + debian/config-dir/mods-available/http2.load: removed. + + -- Marc Deslauriers Thu, 21 Jan 2016 15:15:22 -0500 + apache2 (2.4.18-1) unstable; urgency=medium * New upstream release: @@ -793,12 +1786,48 @@ apache2 (2.4.18-1) unstable; urgency=med -- Stefan Fritsch Sat, 19 Dec 2015 09:26:14 +0100 +apache2 (2.4.17-3ubuntu1) xenial; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - Add dep8 tests. + - debian/rules: Fix cross-building by passing + DEB_{HOST,BUILD}_GNU_TYPE to configure. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html: replace Debian with Ubuntu on default page. + - Don't build experimental http2 module for LTS: + + debian/control: removed libnghttp2-dev Build-Depends (in universe). + + debian/config-dir/mods-available/http2.load: removed. + + -- Marc Deslauriers Thu, 03 Dec 2015 10:07:35 -0500 + apache2 (2.4.17-3) unstable; urgency=medium * mpm_prefork: Fix segfault if started with -X. Closes: #805737 -- Stefan Fritsch Mon, 23 Nov 2015 19:52:09 +0100 +apache2 (2.4.17-2ubuntu1) xenial; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - Add dep8 tests. + - debian/rules: Fix cross-building by passing + DEB_{HOST,BUILD}_GNU_TYPE to configure. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html: replace Debian with Ubuntu on default page. + - Don't build experimental http2 module for LTS: + + debian/control: removed libnghttp2-dev Build-Depends (in universe). + + debian/config-dir/mods-available/http2.load: removed. + + -- Marc Deslauriers Fri, 20 Nov 2015 09:11:52 -0500 + apache2 (2.4.17-2) unstable; urgency=medium * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke @@ -809,6 +1838,31 @@ apache2 (2.4.17-2) unstable; urgency=med -- Stefan Fritsch Sat, 31 Oct 2015 23:17:11 +0100 +apache2 (2.4.17-1ubuntu1) xenial; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - Add dep8 tests. + - debian/rules: Fix cross-building by passing + DEB_{HOST,BUILD}_GNU_TYPE to configure. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html: replace Debian with Ubuntu on default page. + * Drop patches (applied upstream): + - debian/patches/CVE-2015-3183.patch + - debian/patches/CVE-2015-3185.patch + * Drop changes (adopted in Debian): + - Allow "triggers-awaited" and "triggers-pending" states in addition + to "installed" when determining whether to defer actions or + process deferred actions. + * Don't build experimental http2 module for LTS + - debian/control: removed libnghttp2-dev Build-Depends (in universe). + - debian/config-dir/mods-available/http2.load: removed. + + -- Marc Deslauriers Fri, 30 Oct 2015 09:35:46 -0400 + apache2 (2.4.17-1) unstable; urgency=medium [ Stefan Fritsch ] @@ -874,6 +1928,49 @@ apache2 (2.4.16-1) unstable; urgency=med -- Stefan Fritsch Sun, 02 Aug 2015 00:44:07 +0200 +apache2 (2.4.12-2ubuntu2) wily; urgency=medium + + * SECURITY UPDATE: request smuggling via chunked transfer encoding + - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in + modules/http/http_filters.c. + - CVE-2015-3183 + * SECURITY UPDATE: access restriction bypass via deprecated API + - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one + in include/http_request.h, server/request.c. + - CVE-2015-3185 + + -- Marc Deslauriers Fri, 24 Jul 2015 09:56:09 -0400 + +apache2 (2.4.12-2ubuntu1) wily; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - Add dep8 tests. + - debian/rules: Fix cross-building by passing + DEB_{HOST,BUILD}_GNU_TYPE to configure. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html: replace Debian with Ubuntu on default page. + - Allow "triggers-awaited" and "triggers-pending" states in addition + to "installed" when determining whether to defer actions or + process deferred actions. + * Drop patches (applied upstream): + - d/p/split-logfile.patch + - d/p/CVE-2015-0228.patch + * Drop changes (superceded in Debian): + - Cherry-pick versioned build-depend on dpkg from Debian for correct + dpkg-maintscript-helper symlink_to_dir support. + * Drop changes (adopted in Debian): + - d/control, d/config-dir/mods-available/ssl.conf, + d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase + dialog program ask-for-passphrase. + * Fix cross-building configure line in d/rules, which had bit-rotted in + previous merges. + + -- Robie Basak Thu, 28 May 2015 16:34:00 +0000 + apache2 (2.4.12-2) unstable; urgency=medium [ Jean-Michel Nirgal Vourgère ] @@ -923,6 +2020,28 @@ apache2 (2.4.10-10) unstable; urgency=me -- Stefan Fritsch Sun, 15 Mar 2015 10:47:36 +0100 +apache2 (2.4.10-9ubuntu1) vivid; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - d/control, d/config-dir/mods-available/ssl.conf, + - Add dep8 tests. + - debian/rules: Fix cross-building by passing + DEB_{HOST,BUILD}_GNU_TYPE to configure. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html: replace Debian with Ubuntu on default page. + - d/p/split-logfile.patch: fix completely broken split-logfile + command. + - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a + denial of service in mod_lua via websockets PING + * debian/tests/ssl-passphrase: Add password responder for + systemd-ask-passphrase. + + -- Martin Pitt Mon, 09 Mar 2015 12:03:16 +0100 + apache2 (2.4.10-9) unstable; urgency=medium * CVE-2014-8109: mod_lua: Fix handling of the Require line when a @@ -937,6 +2056,54 @@ apache2 (2.4.10-9) unstable; urgency=med -- Stefan Fritsch Mon, 22 Dec 2014 20:24:36 +0100 +apache2 (2.4.10-8ubuntu3) vivid; urgency=medium + + * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require + directives + - debian/patches/CVE-2014-8109.patch: handle multiple Require + directives with different arguments in modules/lua/mod_lua.c. + - CVE-2014-8109 + * SECURITY UPDATE: denial of service in mod_lua via websockets PING + - debian/patches/CVE-2015-0228.patch: fix logic in + modules/lua/lua_request.c. + - CVE-2015-0228 + + -- Marc Deslauriers Thu, 05 Mar 2015 10:56:34 -0500 + +apache2 (2.4.10-8ubuntu2) vivid; urgency=medium + + * Allow "triggers-awaited" and "triggers-pending" states in addition to + "installed" when determining whether to defer actions or process + deferred actions (LP: #1393832). + + -- Colin Watson Wed, 26 Nov 2014 11:31:44 +0000 + +apache2 (2.4.10-8ubuntu1) vivid; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - d/control, d/config-dir/mods-available/ssl.conf, + d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase + dialog program ask-for-passphrase. + - Add dep8 tests. + - debian/rules: Fix cross-building by passing + DEB_{HOST,BUILD}_GNU_TYPE to configure. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html: replace Debian with Ubuntu on default page. + - d/p/split-logfile.patch: fix completely broken split-logfile + command. + * Fixes from Debian included in merge: + - Crash caused by OCSP stapling code; this was erroneously + attributed to Debian in my previous merge, but actually only + appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174). + * Cherry-pick versioned build-depend on dpkg from Debian for correct + dpkg-maintscript-helper symlink_to_dir support. + + -- Robie Basak Fri, 21 Nov 2014 15:15:58 +0000 + apache2 (2.4.10-8) unstable; urgency=medium * Bump dpkg Pre-Depends to version that supports relative symlinks in @@ -951,6 +2118,33 @@ apache2 (2.4.10-8) unstable; urgency=med -- Stefan Fritsch Tue, 18 Nov 2014 15:18:18 +0100 +apache2 (2.4.10-7ubuntu1) vivid; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - d/control, d/config-dir/mods-available/ssl.conf, + d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase + dialog program ask-for-passphrase. + - Add dep8 tests. + - debian/rules: Fix cross-building by passing + DEB_{HOST,BUILD}_GNU_TYPE to configure. + - debian/patches/086_svn_cross_compiles: Backport several cross + fixes from upstream + - d/index.html: replace Debian with Ubuntu on default page. + - d/p/split-logfile.patch: fix completely broken split-logfile command. + * Fixes from Debian included in merge: + - Don't use a2query in preinst, as it may not be available yet + (LP: #1312533). + - Crash caused by OCSP stapling code (LP: #1366174). + - Disable SSLv3 in default config (LP: #1358305). + - If apache2 is not configured yet, defer actions executed via + apache2-maintscript-helper. This fixes installation failures if a + module package is configured first (LP: #1312854). + + -- Robie Basak Mon, 17 Nov 2014 18:04:40 +0000 + apache2 (2.4.10-7) unstable; urgency=medium * Handle transitions of doc dirs and symlinks correctly during upgrade. @@ -1034,6 +2228,25 @@ apache2 (2.4.10-2) unstable; urgency=med -- Stefan Fritsch Sun, 21 Sep 2014 22:58:33 +0200 +apache2 (2.4.10-1ubuntu1) utopic; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase, + d/apache2.install: Plymouth aware passphrase dialog program + ask-for-passphrase. + - Add dep8 tests. + - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to + configure. + - debian/patches/086_svn_cross_compiles: Backport several cross fixes from + upstream + - d/index.html: replace Debian with Ubuntu on default page. + - d/p/split-logfile.patch: fix completely broken split-logfile command. + + -- Robie Basak Thu, 24 Jul 2014 15:13:16 +0000 + apache2 (2.4.10-1) unstable; urgency=medium [ Arno Töll ] @@ -1081,6 +2294,45 @@ apache2 (2.4.9-2) unstable; urgency=medi -- Stefan Fritsch Sun, 08 Jun 2014 10:38:04 +0200 +apache2 (2.4.9-1ubuntu2) utopic; urgency=medium + + * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't + yet support building against lua 5.2 (LP: #1323930). + + -- Robie Basak Wed, 28 May 2014 08:55:25 +0000 + +apache2 (2.4.9-1ubuntu1) utopic; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase, + d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase + dialog program ask-for-passphrase. + - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to + configure. + - debian/patches/086_svn_cross_compiles: Backport several cross fixes from + upstream + - Build using lua5.2. + - d/tests/chroot: dep8 test for ChrootDir case. + - d/tests/ssl-passphrase: update for new default path /var/www/html. + - d/tests/duplicate-module-load: check for duplicate module loads. + - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690). + - d/p/split-logfile.patch: fix completely broken split-logfile command + (LP: #1299162). Thanks to Holger Mauermann. + * Drop changes (upstreamed): + - d/p/ignore-quilt-dir: adjust build system so that it does not use + files find inside the .pc directory. This stops a double module load + causing later havoc, including "ChrootDir" directive failure. + - debian/patches/CVE-2013-6438.patch: properly calculate correct length + in modules/dav/main/util.c. + - debian/patches/CVE-2014-0098.patch: properly parse tokens in + modules/loggers/mod_log_config.c. + * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility. + + -- Robie Basak Fri, 09 May 2014 19:30:04 +0000 + apache2 (2.4.9-1) unstable; urgency=medium * New upstream version. @@ -1113,6 +2365,63 @@ apache2 (2.4.9-1) unstable; urgency=medi -- Stefan Fritsch Sat, 29 Mar 2014 22:50:32 +0100 +apache2 (2.4.7-1ubuntu4) trusty; urgency=medium + + * d/p/split-logfile.patch: fix completely broken split-logfile command + (LP: #1299162). Thanks to Holger Mauermann. + + -- Robie Basak Thu, 03 Apr 2014 11:21:22 +0000 + +apache2 (2.4.7-1ubuntu3) trusty; urgency=medium + + * SECURITY UPDATE: denial of service via mod_dav incorrect end of string + calculation + - debian/patches/CVE-2013-6438.patch: properly calculate correct length + in modules/dav/main/util.c. + - CVE-2013-6438 + * SECURITY UPDATE: denial of service via truncated cookie and + mod_log_config + - debian/patches/CVE-2014-0098.patch: properly parse tokens in + modules/loggers/mod_log_config.c. + - CVE-2014-0098 + + -- Marc Deslauriers Thu, 20 Mar 2014 08:34:10 -0400 + +apache2 (2.4.7-1ubuntu2) trusty; urgency=medium + + * d/index.html: replace Debian with Ubuntu on default page + (LP: #1288690). + + -- Robie Basak Wed, 19 Mar 2014 11:04:21 +0000 + +apache2 (2.4.7-1ubuntu1) trusty; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - d/control, d/config-dir/mods-available/ssl.conf, + d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase: + Plymouth aware passphrase dialog program ask-for-passphrase. + - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE + to configure. + - debian/patches/086_svn_cross_compiles: Backport several cross fixes + from upstream + - Build using lua5.2. + - d/tests/chroot: dep8 test for ChrootDir case. + - d/p/ignore-quilt-dir: adjust build system so that it does not use + files find inside the .pc directory. This stops a double module load + causing later havoc, including "ChrootDir" directive failure. + * Drop changes: + - debian/{control, rules}: Enable PIE hardening: no longer required; + 2.4.7-1 is already hardened. + - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved + out of this package. + * d/tests/ssl-passphrase: update for new default path /var/www/html. + * d/tests/duplicate-module-load: check for duplicate module loads. + + -- Robie Basak Tue, 14 Jan 2014 17:23:47 +0000 + apache2 (2.4.7-1) unstable; urgency=low New upstream version @@ -1176,6 +2485,53 @@ apache2 (2.4.6-3) unstable; urgency=low -- Stefan Fritsch Mon, 12 Aug 2013 20:15:38 +0200 +apache2 (2.4.6-2ubuntu4) trusty; urgency=low + + * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so + that it does not use files find inside the .pc directory. This stops a + double module load causing later havoc, including "ChrootDir" directive + failure (LP: #1251939). Thanks to Stefan Fritsch. + * d/tests/chroot: dep8 test for ChrootDir case. + + -- Robie Basak Thu, 28 Nov 2013 16:21:51 +0000 + +apache2 (2.4.6-2ubuntu3) trusty; urgency=low + + * debian/apache2.install: Correct path for ufw. + (LP: #1252722) + + -- Chuck Short Tue, 19 Nov 2013 08:59:54 -0500 + +apache2 (2.4.6-2ubuntu2) saucy; urgency=low + + * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes + passphrase prompting for SSL certificates that are passphrase protected. + * Add dep8 test for SSL passphrase prompting. + + -- Robie Basak Fri, 09 Aug 2013 13:08:52 +0000 + +apache2 (2.4.6-2ubuntu1) saucy; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, apache2.install, apache2-utils.ufw.profile, + apache2.dirs}: Add ufw profiles. + - debian/apache2.py, debian/apache2-bin.install: Add apport hook. + - debian/control, debian/config-dir/mods-available/ssl.conf, + debian/ask-for-passphrase, debian/apache2.install: Plymouth aware + passphrase dialog program ask-for-passphrase. + - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE + to configure. + - debian/patches/086_svn_cross_compiles: Backport several cross fixes + from upstream + * Dropped changes: + - debian/patches/CVE-2013-1896.patch: upstream + * Fixed module dependencies (LP: #1205314) + - debian/config-dir/mods-available/lbmethod_*: properly specify + proxy_balancer, not mod_proxy_balancer. + + -- Marc Deslauriers Fri, 26 Jul 2013 08:31:33 -0400 + apache2 (2.4.6-2) unstable; urgency=low [ Stefan Fritsch ] @@ -1228,6 +2584,56 @@ apache2 (2.4.6-1) unstable; urgency=low -- Arno Töll Sun, 21 Jul 2013 18:44:42 +0200 +apache2 (2.4.4-6ubuntu5) saucy; urgency=low + + * SECURITY UPDATE: denial of service via MERGE request + - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI + in modules/dav/main/mod_dav.c. + - CVE-2013-1896 + + -- Marc Deslauriers Thu, 18 Jul 2013 11:20:47 -0400 + +apache2 (2.4.4-6ubuntu4) saucy; urgency=low + + * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to + apache2-bin. apache2-utils is only suggested by apache2, so may not + always be installed by bug reporters. However, apache2-bin will always + need to be installed for Apache to be functional, so this is a better + place for the apport hook. apache2-bin already Conflicts/Replaces + apache2.2-common, so this also fixes (LP: #1199318). + * d/apache2.py: adjust apport hook for new location of configuration + files in apache2 >= 2.4: they have moved from apache2.2-common to + apache2. + + -- Robie Basak Wed, 17 Jul 2013 17:54:22 +0000 + +apache2 (2.4.4-6ubuntu3) saucy; urgency=low + + * Build using lua5.2. + + -- Matthias Klose Wed, 17 Jul 2013 14:24:42 +0200 + +apache2 (2.4.4-6ubuntu2) saucy; urgency=low + + * debian/rules: Fix FTBFS while installing ufw. + + -- Chuck Short Tue, 02 Jul 2013 10:10:14 -0500 + +apache2 (2.4.4-6ubuntu1) saucy; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: + Plymouth aware passphrase dialog program ask-for-passphrase. + * Dropped changes: + - debian/patches/CVE-2012-2687.patch: Dropped no longer needed. + - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed. + - debian/patches/CVE-2012-4929.patch: Dropped no longer needed. + + -- Chuck Short Tue, 02 Jul 2013 08:34:01 -0500 + apache2 (2.4.4-6) unstable; urgency=low * Denote exact versions breaking gnome-user-share now that Gnome maintainers @@ -1699,6 +3105,122 @@ apache2 (2.4.1-1) experimental; urgency= -- Stefan Fritsch Mon, 19 Mar 2012 10:46:02 +0100 +apache2 (2.2.22-6ubuntu5) raring; urgency=low + + * SECURITY UPDATE: multiple cross-site scripting issues + - debian/patches/CVE-2012-3499_4558.patch: properly escape html in + modules/generators/{mod_info.c,mod_status.c}, + modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c, + modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}. + - CVE-2012-3499 + - CVE-2012-4558 + * SECURITY UPDATE: symlink attack in apache2ctl script + - debian/apache2ctl: introduce and use a safer mkdir_chown() function. + - Thanks to Stefan Fritsch for the fix. + - CVE-2013-1048 + + -- Marc Deslauriers Fri, 15 Mar 2013 07:59:58 -0400 + +apache2 (2.2.22-6ubuntu4) raring; urgency=low + + * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure. + * Skip module sanity check between MPMs if cross-building without the + kernel/binfmt support to run our target binaries on the build system. + * Backport several cross fixes from upstream as 086_svn_cross_compiles. + + -- Adam Conrad Wed, 05 Dec 2012 02:21:46 -0700 + +apache2 (2.2.22-6ubuntu3) raring; urgency=low + + * SECURITY UPDATE: XSS vulnerability in mod_negotiation + - debian/patches/CVE-2012-2687.patch: escape filenames in + modules/mappers/mod_negotiation.c. + - CVE-2012-2687 + * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854) + - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off + directive. Defaults to off as enabling compression enables the CRIME + attack. + - CVE-2012-4929 + + -- Marc Deslauriers Thu, 08 Nov 2012 17:56:24 -0500 + +apache2 (2.2.22-6ubuntu2) quantal; urgency=low + + * debian/apache2.py + - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171) + - Check if this directory exists: /etc/apache2/sites-enabled/ + + -- Matthieu Baerts (matttbe) Mon, 16 Jul 2012 10:02:18 +0200 + +apache2 (2.2.22-6ubuntu1) quantal; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: + Plymouth aware passphrase dialog program ask-for-passphrase. + * Dropped changes: + - debian/control: Add bzr tag and point it to our tree; this is not + really required and just increases the delta. + + -- Robie Basak Fri, 08 Jun 2012 11:37:31 +0100 + +apache2 (2.2.22-6) unstable; urgency=low + + [ Stefan Fritsch ] + * Fix regression causing apache2 to cache "206 partial content" responses, + and then serving these partial responses when replying to normal requests. + Closes: #671204 + * Add section to security.conf that shows how to forbid access to VCS + directories. Closes: #548213 + * Update ssl default cipher config, add alternative speed optimized config. + Closes: #649020 + * Add "AddCharset" for .brf files in default mod_mime config. + Closes: #402567 + * Don't create httpd.conf anymore and don't include it in apache2.conf. If + it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf + * Port some of the comments in apache2.conf from the 2.4 package. + * Compile mod_version statically, drop associated module load file. + * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the + configtest. + * Note in README.Debian that future versions of the package will have the + include statements changed to include only *.conf. + * Change compiled-in document root to /var/www, to avoid strange error + messages. + * Use "dh --with autotools_dev" instead of patching config.sub/config.guess. + + [ Arno Töll ] + * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible + to override LDFLAGS at compile time by defining LDLAGS in the environment, + just like it is possible for CFLAGS. This also means, config_vars.mk now + exports hardening build flags by default. + * Update doc-base metadata for the apache2-doc package. + + -- Stefan Fritsch Tue, 29 May 2012 22:05:48 +0200 + +apache2 (2.2.22-5) unstable; urgency=low + + * Make LoadFile and LoadModule look in the standard search paths if the + dso file name is given as a pure filename. This helps with the multi-arch + transition. + + -- Stefan Fritsch Mon, 30 Apr 2012 23:38:33 +0200 + +apache2 (2.2.22-4) unstable; urgency=high + + * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual + hosts' config files. + If scripting modules like mod_php or mod_rivet are enabled on systems + where either 1) some frontend server forwards connections to an apache2 + backend server on the localhost address, or 2) the machine running + apache2 is also used for web browsing, this could allow a remote + attacker to execute example scripts stored under /usr/share/doc. + Depending on the installed packages, this could lead to issues like cross + site scripting, code execution, or leakage of sensitive data. + + -- Stefan Fritsch Sun, 15 Apr 2012 23:41:43 +0200 + apache2 (2.2.22-3) unstable; urgency=low * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch': @@ -1719,6 +3241,18 @@ apache2 (2.2.22-2) unstable; urgency=low -- Stefan Fritsch Thu, 15 Mar 2012 00:02:31 +0100 +apache2 (2.2.22-1ubuntu1) precise; urgency=low + + * Merge from Debian testing. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: + Plymouth aware passphrase dialog program ask-for-passphrase. + + -- Chuck Short Sun, 12 Feb 2012 20:06:35 -0500 + apache2 (2.2.22-1) unstable; urgency=low [ Stefan Fritsch ] @@ -1736,6 +3270,18 @@ apache2 (2.2.22-1) unstable; urgency=low -- Stefan Fritsch Wed, 01 Feb 2012 21:49:04 +0100 +apache2 (2.2.21-5ubuntu1) precise; urgency=low + + * Merge from Debian testing. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: + Plymouth aware passphrase dialog program ask-for-passphrase. + + -- Chuck Short Mon, 09 Jan 2012 06:26:31 +0000 + apache2 (2.2.21-5) unstable; urgency=low [ Arno Töll ] @@ -1789,6 +3335,26 @@ apache2 (2.2.21-4) unstable; urgency=low -- Stefan Fritsch Thu, 29 Dec 2011 12:09:14 +0100 +apache2 (2.2.21-3ubuntu2) precise; urgency=low + + * d/ask-for-passphrase: Flip the logic of this script so that it checks + first to see if apache is being started from a TTY, and then if not, + tries plymouth. (LP: #887410) + + -- Clint Byrum Tue, 06 Dec 2011 16:49:33 -0800 + +apache2 (2.2.21-3ubuntu1) precise; urgency=low + + * Merge from Debian testing. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: + Plymouth aware passphrase dialog program ask-for-passphrase. + + -- Chuck Short Fri, 09 Dec 2011 05:20:43 +0000 + apache2 (2.2.21-3) unstable; urgency=medium * Fix CVE-2011-4317: Prevent unintended pattern expansion in some @@ -1803,6 +3369,24 @@ apache2 (2.2.21-3) unstable; urgency=med -- Stefan Fritsch Sat, 03 Dec 2011 18:54:03 +0100 +apache2 (2.2.21-2ubuntu2) precise; urgency=low + + * No-change rebuild to drop spurious libsfgcc1 dependency on armhf. + + -- Adam Conrad Fri, 02 Dec 2011 17:36:28 -0700 + +apache2 (2.2.21-2ubuntu1) precise; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: + Plymouth aware passphrase dialog program ask-for-passphrase. + + -- Chuck Short Fri, 14 Oct 2011 16:01:29 +0000 + apache2 (2.2.21-2) unstable; urgency=high * Fix CVE-2011-3368: Prevent unintended pattern expansion in some @@ -1820,6 +3404,19 @@ apache2 (2.2.21-1) unstable; urgency=low -- Stefan Fritsch Mon, 26 Sep 2011 18:16:11 +0200 +apache2 (2.2.20-1ubuntu1) oneiric; urgency=low + + * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991). + Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: + Plymouth aware passphrase dialog program ask-for-passphrase. + + -- Steve Beattie Tue, 06 Sep 2011 01:17:15 -0700 + apache2 (2.2.20-1) unstable; urgency=low * New upstream release. @@ -1842,6 +3439,18 @@ apache2 (2.2.19-2) unstable; urgency=hig -- Stefan Fritsch Mon, 29 Aug 2011 17:08:17 +0200 +apache2 (2.2.19-1ubuntu1) oneiric; urgency=low + + * Merge from debian unstable (LP: #787013). Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree + - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: + Plymouth aware passphrase dialog program ask-for-passphrase. + + -- Andres Rodriguez Mon, 23 May 2011 10:16:09 -0400 + apache2 (2.2.19-1) unstable; urgency=low * New upstream release. @@ -1859,6 +3468,18 @@ apache2 (2.2.19-1) unstable; urgency=low -- Stefan Fritsch Sun, 22 May 2011 10:21:21 +0200 +apache2 (2.2.17-3ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree + - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook. + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: + Plymouth aware passphrase dialog program ask-for-passphrase. + + -- Chuck Short Mon, 11 Apr 2011 02:13:30 +0100 + apache2 (2.2.17-3) unstable; urgency=low * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049 @@ -1885,6 +3506,18 @@ apache2 (2.2.17-2) unstable; urgency=hig -- Stefan Fritsch Mon, 21 Mar 2011 23:01:17 +0100 +apache2 (2.2.17-1ubuntu1) natty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree + - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook. + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: + Plymouth aware passphrase dialog program ask-for-passphrase. + + -- Chuck Short Tue, 22 Feb 2011 13:02:08 -0500 + apache2 (2.2.17-1) unstable; urgency=low * New upstream version @@ -1893,6 +3526,32 @@ apache2 (2.2.17-1) unstable; urgency=low -- Stefan Fritsch Tue, 15 Feb 2011 23:30:18 +0100 +apache2 (2.2.16-6ubuntu3) natty; urgency=low + + * debian/rules: Don't use "-fno-strict-aliasing" since it causes + apache FTBFS on amd64. (LP: #711293) + + -- Chuck Short Tue, 01 Feb 2011 10:19:55 -0500 + +apache2 (2.2.16-6ubuntu2) natty; urgency=low + + * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug. + (LP: #697105) + + -- Chuck Short Tue, 25 Jan 2011 11:14:58 -0500 + +apache2 (2.2.16-6ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree + - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook. + - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: + Plymouth aware passphrase dialog program ask-for-passphrase. + + -- Chuck Short Sun, 02 Jan 2011 06:05:51 +0000 + apache2 (2.2.16-6) unstable; urgency=low * Also add $named to the secondary-init-script example. @@ -1908,6 +3567,30 @@ apache2 (2.2.16-5) unstable; urgency=med -- Stefan Fritsch Fri, 31 Dec 2010 01:22:19 +0100 +apache2 (2.2.16-4ubuntu2) natty; urgency=low + + [Clint Byrum] + * Adding plymouth aware passphrase dialog program ask-for-passphrase. + (LP: #582963) + + debian/control: apache2.2-common depends on bash for ask-for-passphrase + + debian/config-dir/mods-available/ssl.conf: + - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase + + [Chuck Short] + * Add apport hook. (LP: #609177) + + debian/apache2.py, debian/apache2.2-common.install + + -- Chuck Short Mon, 22 Nov 2010 09:43:43 -0500 + +apache2 (2.2.16-4ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree + + -- Chuck Short Mon, 22 Nov 2010 09:43:41 -0500 + apache2 (2.2.16-4) unstable; urgency=medium * Increase the mod_reqtimeout default timeouts to avoid potential problems @@ -1918,6 +3601,15 @@ apache2 (2.2.16-4) unstable; urgency=med -- Stefan Fritsch Sun, 14 Nov 2010 19:05:55 +0100 +apache2 (2.2.16-3ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree. + + -- Chuck Short Tue, 12 Oct 2010 11:54:48 +0100 + apache2 (2.2.16-3) unstable; urgency=high * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage. @@ -1940,6 +3632,30 @@ apache2 (2.2.16-2) unstable; urgency=low -- Stefan Fritsch Sun, 29 Aug 2010 15:29:21 +0200 +apache2 (2.2.16-1ubuntu3) maverick; urgency=low + + * Revert "stty sane" to unbreak apache starting, this will have to be + fixed a different way. (LP: #626723) + + -- Chuck Short Wed, 08 Sep 2010 08:33:17 -0400 + +apache2 (2.2.16-1ubuntu2) maverick; urgency=low + + * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a + password prompt when using apache-ssl. (LP: #582963) + + -- Chuck Short Wed, 25 Aug 2010 09:25:05 -0400 + +apache2 (2.2.16-1ubuntu1) maverick; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree. + - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381) + + -- Chuck Short Mon, 26 Jul 2010 20:21:37 +0100 + apache2 (2.2.16-1) unstable; urgency=medium * Urgency medium for security fix. @@ -1972,6 +3688,24 @@ apache2 (2.2.15-6) unstable; urgency=low -- Stefan Fritsch Fri, 16 Jul 2010 23:41:08 +0200 +apache2 (2.2.15-5ubuntu1) maverick; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree. + - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381) + + Dropped: + - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed. + - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed. + - debian/config-dir/apache2.conf: Merged back from debian. + - mod-reqtimeout functionality: Merge back from debian. + - debian/patches/204_CVE-2010-0408.dpatch: No longer needed. + - debian/patches/205_CVE-2010-0434.dpatch: No longer needed. + - debian/patches/203_fix-ab-segfault.dpatch: No longer needed. + + -- Chuck Short Wed, 05 May 2010 01:28:04 +0100 + apache2 (2.2.15-5) unstable; urgency=low * Conflict with apache package as we now include apachectl. Closes: #579065 @@ -2092,6 +3826,80 @@ apache2 (2.2.14-6) unstable; urgency=low -- Stefan Fritsch Sun, 07 Feb 2010 17:29:45 +0100 +apache2 (2.2.14-5ubuntu8) lucid; urgency=low + + * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so + (LP: #562370) + + -- Chuck Short Tue, 13 Apr 2010 15:09:57 -0400 + +apache2 (2.2.14-5ubuntu7) lucid; urgency=low + + * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory + leaks by making sure to not destroy bucket brigades that have been created + by earlier filters. Backported from 2.2.15. + * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server + has reached MaxClients until it has. Backported from 2.2.15 + * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf + more secure by adding Satisfy all. (Debian bug: #572075) + * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch, + debian/config2-dir/mods-available/reqtimeout.load, + debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the + mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris + bug in apache. Enable it by default. (LP: #392759) + + -- Chuck Short Mon, 05 Apr 2010 09:53:35 -0400 + +apache2 (2.2.14-5ubuntu6) lucid; urgency=low + + * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681) + + -- Chuck Short Tue, 30 Mar 2010 09:41:11 -0400 + +apache2 (2.2.14-5ubuntu5) lucid; urgency=low + + * Revert 99-fix-mod-dav-permissions.dpatch + + -- Chuck Short Tue, 30 Mar 2010 07:55:46 -0400 + +apache2 (2.2.14-5ubuntu4) lucid; urgency=low + + * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when + downloading files from webdav (LP: #540747) + * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381) + + -- Chuck Short Mon, 29 Mar 2010 13:37:39 -0400 + +apache2 (2.2.14-5ubuntu3) lucid; urgency=low + + * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp + - debian/patches/204_CVE-2010-0408.dpatch: return the right error code + in modules/proxy/mod_proxy_ajp.c. + - CVE-2010-0408 + * SECURITY UPDATE: information disclosure via improper handling of + headers in subrequests + - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in + in server/protocol.c. + - CVE-2010-0434 + + -- Marc Deslauriers Wed, 10 Mar 2010 14:48:48 -0500 + +apache2 (2.2.14-5ubuntu2) lucid; urgency=low + + * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really + wacky options. (LP: #450501) + + -- Chuck Short Mon, 08 Mar 2010 14:53:17 -0500 + +apache2 (2.2.14-5ubuntu1) lucid; urgency=low + + * Merge from debian testing. Remaining changes: LP: #506862 + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree. + + -- Bhavani Shankar Wed, 13 Jan 2010 14:28:41 +0530 + apache2 (2.2.14-5) unstable; urgency=low * Security: Further mitigation for the TLS renegotation attack @@ -2115,6 +3923,15 @@ apache2 (2.2.14-5) unstable; urgency=low -- Stefan Fritsch Sat, 02 Jan 2010 22:44:15 +0100 +apache2 (2.2.14-4ubuntu1) lucid; urgency=low + + * Resynchronzie with Debian, remaining changes are: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree. + + -- Chuck Short Wed, 23 Dec 2009 14:44:51 -0500 + apache2 (2.2.14-4) unstable; urgency=low * Disable localized error pages again by default because they break @@ -2165,6 +3982,17 @@ apache2 (2.2.14-2) unstable; urgency=med -- Stefan Fritsch Sat, 07 Nov 2009 14:37:37 +0100 +apache2 (2.2.14-1ubuntu1) lucid; urgency=low + + * Merge from debian testing, remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles. + - debian/conrol: Add bzr tag and point it to our tree. + - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch: + Already applied upstream. + + -- Chuck Short Fri, 06 Nov 2009 00:29:03 +0000 + apache2 (2.2.14-1) unstable; urgency=low * New upstream version: @@ -2199,6 +4027,24 @@ apache2 (2.2.13-1) unstable; urgency=low -- Stefan Fritsch Mon, 31 Aug 2009 20:28:56 +0200 +apache2 (2.2.12-1ubuntu2) karmic; urgency=low + + * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch: + - Fix potential segfaults with the use of the legacy ap_rputs() etc + interfaces, in cases where an output filter fails. This happens + frequently after CVE-2009-1891 got fixed. (LP: #409987) + + -- Marc Deslauriers Mon, 17 Aug 2009 15:38:47 -0400 + +apache2 (2.2.12-1ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch. + + -- Chuck Short Tue, 04 Aug 2009 20:04:24 +0100 + apache2 (2.2.12-1) unstable; urgency=low * New upstream release: @@ -2246,6 +4092,16 @@ apache2 (2.2.12-1) unstable; urgency=low -- Stefan Fritsch Tue, 04 Aug 2009 11:02:34 +0200 +apache2 (2.2.11-7ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: LP: #398130 + - debian/patches/203_fix-ssl-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Bhavani Shankar Sat, 11 Jul 2009 16:34:32 +0530 + apache2 (2.2.11-7) unstable; urgency=low * Security fixes: @@ -2260,6 +4116,16 @@ apache2 (2.2.11-7) unstable; urgency=low -- Stefan Fritsch Fri, 10 Jul 2009 22:42:57 +0200 +apache2 (2.2.11-6ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/patches/203_fix-ssl-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Tue, 09 Jun 2009 01:01:23 +0100 + apache2 (2.2.11-6) unstable; urgency=high * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server @@ -2268,6 +4134,16 @@ apache2 (2.2.11-6) unstable; urgency=hig -- Stefan Fritsch Mon, 08 Jun 2009 19:22:58 +0200 +apache2 (2.2.11-5ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/patches/203_fix-ssi-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Andrew Mitchell Wed, 03 Jun 2009 14:10:54 +1200 + apache2 (2.2.11-5) unstable; urgency=low * Move all binaries into a new package apache2.2-bin and make @@ -2316,6 +4192,16 @@ apache2 (2.2.11-4) unstable; urgency=low -- Stefan Fritsch Tue, 19 May 2009 22:55:27 +0200 +apache2 (2.2.11-3ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/patches/203_fix-ssi-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Andrew Mitchell Tue, 12 May 2009 16:15:34 +1200 + apache2 (2.2.11-3) unstable; urgency=low * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap @@ -2324,6 +4210,21 @@ apache2 (2.2.11-3) unstable; urgency=low -- Stefan Fritsch Tue, 31 Mar 2009 21:07:26 +0200 +apache2 (2.2.11-2ubuntu2) jaunty; urgency=low + + * debian/patches/203_fix-ssi-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + + -- Chuck Short Wed, 01 Apr 2009 11:39:17 -0400 + +apache2 (2.2.11-2ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{contro,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Sat, 17 Jan 2009 00:02:55 +0000 + apache2 (2.2.11-2) unstable; urgency=low * Report an error instead instead of segfaulting when apr_pollset_create @@ -2333,6 +4234,14 @@ apache2 (2.2.11-2) unstable; urgency=low -- Stefan Fritsch Fri, 16 Jan 2009 19:01:59 +0100 +apache2 (2.2.11-1ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control, rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Mon, 15 Dec 2008 00:06:50 +0000 + apache2 (2.2.11-1) unstable; urgency=low [Thom May] @@ -2347,6 +4256,14 @@ apache2 (2.2.11-1) unstable; urgency=low -- Stefan Fritsch Sun, 14 Dec 2008 09:34:24 +0100 +apache2 (2.2.9-11ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: (LP: #303375) + - debian/{control, rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Bhavani Shankar Sat, 29 Nov 2008 14:02:31 +0530 + apache2 (2.2.9-11) unstable; urgency=low * Regression fix from upstream svn for mod_proxy: @@ -2361,6 +4278,14 @@ apache2 (2.2.9-11) unstable; urgency=low -- Stefan Fritsch Wed, 26 Nov 2008 23:10:22 +0100 +apache2 (2.2.9-10ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control, rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Wed, 05 Nov 2008 02:23:18 -0400 + apache2 (2.2.9-10) unstable; urgency=low * Regression fix from upstream svn for mod_proxy_http: @@ -2391,6 +4316,27 @@ apache2 (2.2.9-8) unstable; urgency=low -- Stefan Fritsch Thu, 11 Sep 2008 09:17:33 +0200 +apache2 (2.2.9-7ubuntu3) intrepid; urgency=low + + * Revert logrotate change since it will break it for everyone. + + -- Chuck Short Fri, 19 Sep 2008 09:32:01 -0400 + +apache2 (2.2.9-7ubuntu2) intrepid; urgency=low + + * debian/logrotate: Restart rather than reload for busy websites. + (LP: #270899) + + -- Chuck Short Thu, 18 Sep 2008 08:42:22 -0400 + +apache2 (2.2.9-7ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control,rules}: enable PIE hardening. + - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles. + + -- Kees Cook Thu, 28 Aug 2008 08:10:59 -0700 + apache2 (2.2.9-7) unstable; urgency=low * Fix XSS in mod_proxy_ftp (CVE-2008-2939). @@ -2433,6 +4379,23 @@ apache2 (2.2.9-4) unstable; urgency=low -- Stefan Fritsch Sun, 06 Jul 2008 10:38:37 +0200 +apache2 (2.2.9-3ubuntu2) intrepid; urgency=low + + * add ufw integration (see + https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages) + (LP: #261198) + - debian/control: suggest ufw for apache2.2-common + - add apache2.2-common.ufw.profile with 3 profiles and install it to + /etc/ufw/applications.d/apache2.2-common + + -- Didier Roche Tue, 26 Aug 2008 19:03:42 +0200 + +apache2 (2.2.9-3ubuntu1) intrepid; urgency=low + + * debian/{control,rules}: enable PIE hardening + + -- Kees Cook Wed, 20 Aug 2008 15:45:00 -0700 + apache2 (2.2.9-3) unstable; urgency=low [ Stefan Fritsch ] @@ -4003,9 +5966,7 @@ apache2 (2.0.37-1) unstable; urgency=low -- Thom May Thu, 13 Jun 2002 17:47:12 +0100 apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low - * New upstream release - -- Thom May Wed, 5 Jun 2002 12:42:34 +0100 apache2 (2.0.36-2) unstable; urgency=low @@ -4513,3 +6474,4 @@ apache2 (2.0.18-1) unstable; urgency=low * Initial Release. -- Daniel Stone Wed, 4 Jul 2001 21:29:29 +1000 + diff -pruN 2.4.52-1/debian/control 2.4.52-1ubuntu4/debian/control --- 2.4.52-1/debian/control 2021-12-20 17:42:02.000000000 +0000 +++ 2.4.52-1ubuntu4/debian/control 2022-03-23 02:00:46.000000000 +0000 @@ -1,5 +1,6 @@ Source: apache2 -Maintainer: Debian Apache Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Apache Maintainers Uploaders: Stefan Fritsch , Arno Töll , Ondřej Surý , @@ -44,7 +45,8 @@ Depends: apache2-bin (= ${binary:Version Recommends: ssl-cert Suggests: apache2-doc, apache2-suexec-pristine | apache2-suexec-custom, - www-browser + www-browser, + ufw Pre-Depends: ${misc:Pre-Depends} Conflicts: apache2.2-bin, apache2.2-common Binary files 2.4.52-1/debian/icons/ubuntu-logo.png and 2.4.52-1ubuntu4/debian/icons/ubuntu-logo.png differ diff -pruN 2.4.52-1/debian/index.html 2.4.52-1ubuntu4/debian/index.html --- 2.4.52-1/debian/index.html 2020-08-08 07:47:06.000000000 +0000 +++ 2.4.52-1ubuntu4/debian/index.html 2022-03-25 00:18:20.000000000 +0000 @@ -1,9 +1,13 @@ - + - Apache2 Debian Default Page: It works + Apache2 Ubuntu Default Page: It works