diff -Nru apache2-2.4.7/debian/a2enmod apache2-2.4.7/debian/a2enmod --- apache2-2.4.7/debian/a2enmod 2014-01-07 13:23:42.000000000 +0000 +++ apache2-2.4.7/debian/a2enmod 2016-04-20 14:20:56.000000000 +0000 @@ -177,11 +177,6 @@ # handle module dependencies if ( $obj eq 'module' ) { if ( $act eq 'enable' ) { - if ( $acton eq 'mpm_itk' ) { - warning( "MPM_ITK is a third party module that is not part " - . "of the official Apache HTTPD. It has seen less " - . "testing than the official MPM modules." ); - } my @depends = get_deps("$availdir/$acton.load"); do_deps( $acton, @depends ) or return 0; diff -Nru apache2-2.4.7/debian/changelog apache2-2.4.7/debian/changelog --- apache2-2.4.7/debian/changelog 2015-07-24 16:44:37.000000000 +0000 +++ apache2-2.4.7/debian/changelog 2016-07-14 12:41:21.000000000 +0000 @@ -1,3 +1,74 @@ +apache2 (2.4.7-1ubuntu4.13) trusty-security; urgency=medium + + * SECURITY UPDATE: proxy request header vulnerability (httpoxy) + - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in + server/util_script.c. + - CVE-2016-5387 + * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in + trusty-proposed. + + -- Marc Deslauriers Thu, 14 Jul 2016 08:40:55 -0400 + +apache2 (2.4.7-1ubuntu4.11) trusty; urgency=medium + + * Fix hang until proxy timeout for Proxy responses with error status and + "ProxyErrorOverride On" being set (LP: #1495988). + + -- Christian Ehrhardt Tue, 07 Jun 2016 16:28:05 +0200 + +apache2 (2.4.7-1ubuntu4.10) trusty; urgency=medium + + * Add apache2 specific modification needed along with fix to + libapache2-mpm-itk so it becomes installable again (LP: #1286882): + - Removes warning on mpm_itk use + - Removes conflicts on mpm_itk + + -- Louis Bouchard Wed, 20 Apr 2016 16:21:03 +0200 + +apache2 (2.4.7-1ubuntu4.9) trusty; urgency=medium + + * Force disablereuse on for mod_proxy_wstunnel. Fixes "Unable to connect to: + ws://:/MAAS/ws" errors with maas, and other proxy applications. + https://bz.apache.org/bugzilla/show_bug.cgi?id=55890 + (LP: #1484696). + + -- Dave Chiluk Wed, 13 Jan 2016 15:34:51 -0600 + +apache2 (2.4.7-1ubuntu4.8) trusty; urgency=medium + + * Fix -D[efined] or [d] variables lifetime across restarts. + This fixes incorrect processing of configuration files on reload + (LP: #1504354). + + -- Jeffrey Hutzelman Thu, 08 Oct 2015 19:30:10 -0400 + +apache2 (2.4.7-1ubuntu4.7) trusty; urgency=medium + + * d/p/wstunnel-ssl.patch: mod_proxy_wstunnel: Fix the use of SSL + connections with the "wss:" scheme. PR55320. LP: #1445914 + Submitted by: Alex Liu + + -- Jeffrey Hutzelman Thu, 10 Sep 2015 12:50:00 -0400 + +apache2 (2.4.7-1ubuntu4.6) trusty; urgency=medium + + * d/p/fix_rewrite_rule.patch: Add a configurable option to keep mod_dir from + running when another handler is set. This makes default behavior + consistant with 2.2, and fixes (LP: #1394403) + - This adds the configuration option "DirectoryCheckHandler" which is + present in apache 2.4.8 and later versions. The default value is + "DirectoryCheckHandler Off". + - This will change default behavior. Instead of mod_dir running even if + other rules are being run, mod_dir will only run when no other rules + have been processed by default. This is the expected behavior of + mod_dir, and is consistant with the behavior of mod_dir in apache + versions < 2.4 and > 2.4.8, and so the default value of this + configuration option will correct the bug. + - The current default behavior, which is considered to be a bug, can be + kept by setting "DirectoryCheckHandler On". + + -- Wesley Wiedenmeier Tue, 18 Aug 2015 09:36:21 -0500 + apache2 (2.4.7-1ubuntu4.5) trusty-security; urgency=medium * SECURITY UPDATE: request smuggling via chunked transfer encoding diff -Nru apache2-2.4.7/debian/config-dir/mods-available/mpm_event.load apache2-2.4.7/debian/config-dir/mods-available/mpm_event.load --- apache2-2.4.7/debian/config-dir/mods-available/mpm_event.load 2014-01-03 14:48:41.000000000 +0000 +++ apache2-2.4.7/debian/config-dir/mods-available/mpm_event.load 2016-04-20 14:20:56.000000000 +0000 @@ -1,2 +1,2 @@ -# Conflicts: mpm_worker mpm_prefork mpm_itk +# Conflicts: mpm_worker mpm_prefork LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so diff -Nru apache2-2.4.7/debian/config-dir/mods-available/mpm_prefork.load apache2-2.4.7/debian/config-dir/mods-available/mpm_prefork.load --- apache2-2.4.7/debian/config-dir/mods-available/mpm_prefork.load 2014-01-03 14:48:41.000000000 +0000 +++ apache2-2.4.7/debian/config-dir/mods-available/mpm_prefork.load 2016-04-20 14:20:56.000000000 +0000 @@ -1,2 +1,2 @@ -# Conflicts: mpm_event mpm_worker mpm_itk +# Conflicts: mpm_event mpm_worker LoadModule mpm_prefork_module /usr/lib/apache2/modules/mod_mpm_prefork.so diff -Nru apache2-2.4.7/debian/config-dir/mods-available/mpm_worker.load apache2-2.4.7/debian/config-dir/mods-available/mpm_worker.load --- apache2-2.4.7/debian/config-dir/mods-available/mpm_worker.load 2014-01-03 14:48:41.000000000 +0000 +++ apache2-2.4.7/debian/config-dir/mods-available/mpm_worker.load 2016-04-20 14:20:56.000000000 +0000 @@ -1,2 +1,2 @@ -# Conflicts: mpm_event mpm_prefork mpm_itk +# Conflicts: mpm_event mpm_prefork LoadModule mpm_worker_module /usr/lib/apache2/modules/mod_mpm_worker.so diff -Nru apache2-2.4.7/debian/patches/CVE-2016-5387.patch apache2-2.4.7/debian/patches/CVE-2016-5387.patch --- apache2-2.4.7/debian/patches/CVE-2016-5387.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.7/debian/patches/CVE-2016-5387.patch 2016-07-14 12:40:50.000000000 +0000 @@ -0,0 +1,18 @@ +Description: fix proxy request header vulnerability (httpoxy) +Origin: based on patch provided by Kurt Seifried + +Index: apache2-2.4.12/server/util_script.c +=================================================================== +--- apache2-2.4.12.orig/server/util_script.c 2016-07-14 08:38:24.893558792 -0400 ++++ apache2-2.4.12/server/util_script.c 2016-07-14 08:38:24.893558792 -0400 +@@ -191,6 +191,10 @@ + continue; + } + #endif ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ /* Don't pass through HTTP_PROXY */ ++ continue; ++ } + else + add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val); + } diff -Nru apache2-2.4.7/debian/patches/fix_mod_proxy_wstunnel.patch apache2-2.4.7/debian/patches/fix_mod_proxy_wstunnel.patch --- apache2-2.4.7/debian/patches/fix_mod_proxy_wstunnel.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.7/debian/patches/fix_mod_proxy_wstunnel.patch 2016-01-13 21:34:48.000000000 +0000 @@ -0,0 +1,40 @@ +Description: Don't reuse socket in proxy_wstunnel +Reusing sockets causes issue for ssl connections while proxying. +Initial commit 0c3795fee530e0e40243f723d2750cdfed909045 is reverted and reimplemented by +53038bd5b1e9f072460e6aeac2ae433c4854f2ad. This was due to the socket being closed too early in +the connection. +Author: Eric Covener +Reviewed-by: Dave Chiluk +Origin: upstream, https://github.com/apache/httpd/commit/0c3795fee530e0e40243f723d2750cdfed909045 +Origin: upstream, https://github.com/apache/httpd/commit/53038bd5b1e9f072460e6aeac2ae433c4854f2ad +Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=55890 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: apache2-2.4.7/CHANGES +=================================================================== +--- apache2-2.4.7.orig/CHANGES 2016-01-13 14:05:14.080105323 -0600 ++++ apache2-2.4.7/CHANGES 2016-01-13 14:05:14.076105304 -0600 +@@ -2,6 +2,10 @@ + + Changes with Apache 2.4.7 + ++ *) mod_proxy_wstunnel: Don't pool backend websockets connections, ++ because we need to handshake every time. PR 55890. ++ [Eric Covener] ++ + *) APR 1.5.0 or later is now required for the event MPM. + + *) slotmem_shm: Error detection. [Jim Jagielski] +Index: apache2-2.4.7/modules/proxy/mod_proxy_wstunnel.c +=================================================================== +--- apache2-2.4.7.orig/modules/proxy/mod_proxy_wstunnel.c 2016-01-13 14:05:14.080105323 -0600 ++++ apache2-2.4.7/modules/proxy/mod_proxy_wstunnel.c 2016-01-13 14:06:19.544395119 -0600 +@@ -373,6 +373,8 @@ + break; + } + ++ backend->close = 1; /* must be after ap_proxy_determine_connection */ ++ + /* Step Three: Process the Request */ + status = ap_proxy_wstunnel_request(p, r, backend, worker, conf, uri, locurl, + server_portstr); diff -Nru apache2-2.4.7/debian/patches/fix-proxy-error-overwrite-timeout.patch apache2-2.4.7/debian/patches/fix-proxy-error-overwrite-timeout.patch --- apache2-2.4.7/debian/patches/fix-proxy-error-overwrite-timeout.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.7/debian/patches/fix-proxy-error-overwrite-timeout.patch 2016-06-27 12:29:02.000000000 +0000 @@ -0,0 +1,54 @@ +Description: Fix Proxy responses with error status and "ProxyErrorOverride On" + +PR53420: Proxy responses with error status and +"ProxyErrorOverride On" hang until proxy timeout. + +Regression from 2.2. It was introduced by r912063 +in order to fix PR41646. + +Switch preference for headers, Transfer-Encoding +first, Content-Length second. + +Author: Jim Jagielski +Reviewed-by: Christian Ehrhardt +Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1621601 +Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=53420 +Bug-Ubuntu: https://launchpad.net/bugs/1495988 +Index: apache2-2.4.7/CHANGES +=================================================================== +--- apache2-2.4.7.orig/CHANGES ++++ apache2-2.4.7/CHANGES +@@ -2,6 +2,10 @@ + + Changes with Apache 2.4.7 + ++ *) mod_proxy_http: Proxy responses with error status and ++ "ProxyErrorOverride On" hang until proxy timeout. ++ PR53420 [Rainer Jung] ++ + *) mod_proxy_wstunnel: Don't pool backend websockets connections, + because we need to handshake every time. PR 55890. + [Eric Covener] +Index: apache2-2.4.7/modules/proxy/mod_proxy_http.c +=================================================================== +--- apache2-2.4.7.orig/modules/proxy/mod_proxy_http.c ++++ apache2-2.4.7/modules/proxy/mod_proxy_http.c +@@ -1635,6 +1635,18 @@ apr_status_t ap_proxy_http_process_respo + if (!r->header_only && /* not HEAD request */ + (proxy_status != HTTP_NO_CONTENT) && /* not 204 */ + (proxy_status != HTTP_NOT_MODIFIED)) { /* not 304 */ ++ const char *tmp; ++ /* Add minimal headers needed to allow http_in filter ++ * detecting end of body without waiting for a timeout. */ ++ if ((tmp = apr_table_get(r->headers_out, "Transfer-Encoding"))) { ++ apr_table_set(backend->r->headers_in, "Transfer-Encoding", tmp); ++ } ++ else if ((tmp = apr_table_get(r->headers_out, "Content-Length"))) { ++ apr_table_set(backend->r->headers_in, "Content-Length", tmp); ++ } ++ else if (te) { ++ apr_table_set(backend->r->headers_in, "Transfer-Encoding", te); ++ } + ap_discard_request_body(backend->r); + } + return proxy_status; diff -Nru apache2-2.4.7/debian/patches/fix_rewrite_rule.patch apache2-2.4.7/debian/patches/fix_rewrite_rule.patch --- apache2-2.4.7/debian/patches/fix_rewrite_rule.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.7/debian/patches/fix_rewrite_rule.patch 2015-09-01 10:45:06.000000000 +0000 @@ -0,0 +1,92 @@ +Description: Add DirectoryCheckHandler to allow a 2.2-like behavior, + skipping execution when handler is already set. +Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=53929#c10 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1394403 +Origin: upstream, https://github.com/apache/httpd/commit/f0529e54b8d889322b5113eb623e263556bfa28e +Last-Update: 2015-08-18 + +Index: apache2-2.4.7/modules/mappers/mod_dir.c +=================================================================== +--- apache2-2.4.7.orig/modules/mappers/mod_dir.c ++++ apache2-2.4.7/modules/mappers/mod_dir.c +@@ -33,17 +33,18 @@ + module AP_MODULE_DECLARE_DATA dir_module; + + typedef enum { +- SLASH_OFF = 0, +- SLASH_ON, +- SLASH_UNSET +-} slash_cfg; ++ MODDIR_OFF = 0, ++ MODDIR_ON, ++ MODDIR_UNSET ++} moddir_cfg; + + #define REDIRECT_OFF 0 + #define REDIRECT_UNSET 1 + + typedef struct dir_config_struct { + apr_array_header_t *index_names; +- slash_cfg do_slash; ++ moddir_cfg do_slash; ++ moddir_cfg checkhandler; + int redirect_index; + const char *dflt; + } dir_config_rec; +@@ -83,7 +84,14 @@ static const char *configure_slash(cmd_p + { + dir_config_rec *d = d_; + +- d->do_slash = arg ? SLASH_ON : SLASH_OFF; ++ d->do_slash = arg ? MODDIR_ON : MODDIR_OFF; ++ return NULL; ++} ++static const char *configure_checkhandler(cmd_parms *cmd, void *d_, int arg) ++{ ++ dir_config_rec *d = d_; ++ ++ d->checkhandler = arg ? MODDIR_ON : MODDIR_OFF; + return NULL; + } + static const char *configure_redirect(cmd_parms *cmd, void *d_, const char *arg1) +@@ -123,6 +131,8 @@ static const command_rec dir_cmds[] = + "a list of file names"), + AP_INIT_FLAG("DirectorySlash", configure_slash, NULL, DIR_CMD_PERMS, + "On or Off"), ++ AP_INIT_FLAG("DirectoryCheckHandler", configure_checkhandler, NULL, DIR_CMD_PERMS, ++ "On or Off"), + AP_INIT_TAKE1("DirectoryIndexRedirect", configure_redirect, + NULL, DIR_CMD_PERMS, "On, Off, or a 3xx status code."), + +@@ -134,7 +144,8 @@ static void *create_dir_config(apr_pool_ + dir_config_rec *new = apr_pcalloc(p, sizeof(dir_config_rec)); + + new->index_names = NULL; +- new->do_slash = SLASH_UNSET; ++ new->do_slash = MODDIR_UNSET; ++ new->checkhandler = MODDIR_UNSET; + new->redirect_index = REDIRECT_UNSET; + return (void *) new; + } +@@ -147,7 +158,9 @@ static void *merge_dir_configs(apr_pool_ + + new->index_names = add->index_names ? add->index_names : base->index_names; + new->do_slash = +- (add->do_slash == SLASH_UNSET) ? base->do_slash : add->do_slash; ++ (add->do_slash == MODDIR_UNSET) ? base->do_slash : add->do_slash; ++ new->checkhandler = ++ (add->checkhandler == MODDIR_UNSET) ? base->checkhandler : add->checkhandler; + new->redirect_index= + (add->redirect_index == REDIRECT_UNSET) ? base->redirect_index : add->redirect_index; + new->dflt = add->dflt ? add->dflt : base->dflt; +@@ -260,6 +273,10 @@ static int fixup_dir(request_rec *r) + return HTTP_MOVED_PERMANENTLY; + } + ++ if (d->checkhandler == MODDIR_ON && strcmp(r->handler, DIR_MAGIC_TYPE)) { ++ return DECLINED; ++ } ++ + if (d->index_names) { + names_ptr = (char **)d->index_names->elts; + num_names = d->index_names->nelts; diff -Nru apache2-2.4.7/debian/patches/series apache2-2.4.7/debian/patches/series --- apache2-2.4.7/debian/patches/series 2015-07-24 16:44:02.000000000 +0000 +++ apache2-2.4.7/debian/patches/series 2016-07-14 12:40:50.000000000 +0000 @@ -20,3 +20,9 @@ CVE-2014-3581.patch CVE-2015-3183.patch CVE-2015-3185.patch +fix_rewrite_rule.patch +wstunnel-ssl.patch +server_config_defines.patch +fix_mod_proxy_wstunnel.patch +fix-proxy-error-overwrite-timeout.patch +CVE-2016-5387.patch diff -Nru apache2-2.4.7/debian/patches/server_config_defines.patch apache2-2.4.7/debian/patches/server_config_defines.patch --- apache2-2.4.7/debian/patches/server_config_defines.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.7/debian/patches/server_config_defines.patch 2015-10-13 10:53:58.000000000 +0000 @@ -0,0 +1,18 @@ +Description: core: Fix -D[efined] or [d] variables lifetime accross restarts. + This could cause all kinds of strange behavior. PR 56008. PR 57328. +Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1651083 +Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=57328 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1504354 +Last-Update: 2015-10-08 +Index: apache2-2.4.7/server/core.c +=================================================================== +--- apache2-2.4.7.orig/server/core.c 2015-10-08 19:14:34.103217971 -0400 ++++ apache2-2.4.7/server/core.c 2015-10-08 19:14:34.099217896 -0400 +@@ -1270,6 +1270,7 @@ + static int reset_config_defines(void *dummy) + { + ap_server_config_defines = saved_server_config_defines; ++ saved_server_config_defines = NULL; + server_config_defined_vars = NULL; + return OK; + } diff -Nru apache2-2.4.7/debian/patches/wstunnel-ssl.patch apache2-2.4.7/debian/patches/wstunnel-ssl.patch --- apache2-2.4.7/debian/patches/wstunnel-ssl.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.7/debian/patches/wstunnel-ssl.patch 2015-09-18 05:29:49.000000000 +0000 @@ -0,0 +1,28 @@ +Description: mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:" scheme. PR55320. +Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1594625 +Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=55320 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1445914 +Last-Update: 2015-11-15 +--- ./modules/proxy/mod_proxy_wstunnel.c 2013-06-13 10:09:31.000000000 -0500 ++++ ./modules/proxy/mod_proxy_wstunnel.c 2013-11-11 15:58:51.000000000 -0600 +@@ -315,9 +315,11 @@ + conn_rec *c = r->connection; + apr_pool_t *p = r->pool; + apr_uri_t *uri; ++ int is_ssl = 0; + + if (strncasecmp(url, "wss:", 4) == 0) { + scheme = "WSS"; ++ is_ssl = 1; + } + else if (strncasecmp(url, "ws:", 3) == 0) { + scheme = "WS"; +@@ -341,7 +343,7 @@ + return status; + } + +- backend->is_ssl = 0; ++ backend->is_ssl = is_ssl; + backend->close = 0; + + retry = 0;