Change log for apache2 package in Debian
1 → 75 of 217 results
apache2 (2.4.62-1) unstable; urgency=medium * New upstream version 2.4.62 (Closes: CVE-2024-40725, CVE-2024-40898) -- Yadd <email address hidden> Thu, 18 Jul 2024 06:56:52 +0400
apache2 (2.4.61-1) unstable; urgency=medium * New upstream version 2.4.61 -- Yadd <email address hidden> Wed, 03 Jul 2024 19:22:29 +0400
apache2 (2.4.60-1) unstable; urgency=medium

  [ Bastien Roucariès ]
  * Forward port CVE-2023-25690 uwsgi tests
  * Fix depends of uwsgi test
  * Use python3 uwsgi plugin
  * Encode bytes for uwsgi test

  [ Bryce Harrington ]
  * Add UFW profile integration (Closes: #1071705)

  [ Chris Murray ]
  * Use https instead of http in doc (LP: #2045055)

  [ Yadd ]
  * Bump liblua from liblua5.3-dev to liblua5.4-dev (Closes: #1071701)
  * Update test framework
  * releasing package apache2 version 2.4.59-1~deb12u1
  * New upstream version (Closes: CVE-2024-36387, CVE-2024-38472,
    CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476,
    CVE-2024-38477, CVE-2024-39573)
  * Unfuzz patches

 -- Yadd <email address hidden>  Mon, 01 Jul 2024 18:04:08 +0400
Published in bullseye-release
apache2 (2.4.59-1~deb11u1) bullseye-security; urgency=medium * New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622, CVE-2023-45802) * Drop 2.4.56-regression patches * New upstream version 2.4.59 (Closes: #1068412 CVE-2024-27316 CVE-2024-24795 CVE-2023-38709) * Install NOTICE files * Update test framework * Refresh patches -- Yadd <email address hidden> Fri, 05 Apr 2024 16:08:04 +0400
Published in bookworm-release
apache2 (2.4.59-1~deb12u1) bookworm-security; urgency=medium * New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622, CVE-2023-45802) * New upstream version 2.4.59 (Closes: #1068412 CVE-2024-27316 CVE-2024-24795 CVE-2023-38709) * Refresh patches * Update test framework -- Yadd <email address hidden> Fri, 05 Apr 2024 16:02:26 +0400
apache2 (2.4.59-2) unstable; urgency=medium * Breaks against fossil due to CVE-2024-24795 follows up -- Bastien Roucariès <email address hidden> Mon, 29 Apr 2024 21:55:28 +0000
apache2 (2.4.59-1) unstable; urgency=medium [ Stefan Fritsch ] * Remove old transitional packages libapache2-mod-md and libapache2-mod-proxy-uwsgi. Closes: #1032628 [ Yadd ] * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564) * Refresh patches * New upstream version 2.4.59 * Refresh patches * Update patches * Update test framework -- Yadd <email address hidden> Fri, 05 Apr 2024 08:08:11 +0400
apache2 (2.4.58-1) unstable; urgency=medium [ Bas Couwenberg ] * Provide dh-sequence-apache2 (Closes: #1050870) [ Yadd ] * Drop dependency to obsolete lsb-base * New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622, CVE-2023-45802) * Refresh patches -- Yadd <email address hidden> Thu, 19 Oct 2023 14:56:29 +0400
apache2 (2.4.57-3) unstable; urgency=medium * Update a2enmod to drop given/when (Closes: #1050458) * Restore changes not included in Bookworm (set -e in apache2ctl) -- Yadd <email address hidden> Tue, 29 Aug 2023 11:39:32 +0400
Superseded in bullseye-release
apache2 (2.4.56-1~deb11u2) bullseye; urgency=medium [ Hendrik Jäger ] * Don't automatically enable apache2-doc.conf (Closes: #1018718) [ Yadd ] * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd <email address hidden> Sun, 02 Apr 2023 07:06:01 +0400
apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd <email address hidden> Thu, 13 Apr 2023 07:26:51 +0400
apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd <email address hidden> Sat, 08 Apr 2023 06:57:16 +0400
apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd <email address hidden> Sun, 02 Apr 2023 06:54:25 +0400
apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd <email address hidden> Wed, 08 Mar 2023 06:44:05 +0400
apache2 (2.4.55-1) unstable; urgency=medium

  [ Hendrik Jäger ]
  * disable ssl session tickets
  * redundant example as already enabled in the default config
  * logrotate indentation
  * Update example how to prevent access to VCS directories

  [ lintian-brush ]
  * Update lintian override info to new format:
    + debian/source/lintian-overrides: line 2, 4-5, 8
    + debian/apache2-data.lintian-overrides: line 2-5
    + debian/apache2-bin.lintian-overrides: line 3
    + debian/apache2-doc.lintian-overrides: line 2
    + debian/apache2.lintian-overrides: line 6
  * Set upstream metadata fields: Repository-Browse.
  * Update standards version to 4.6.2, no changes needed.

  [ Yadd ]
  * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760,
    CVE-2022-37436)

 -- Yadd <email address hidden>  Wed, 18 Jan 2023 07:41:55 +0400
apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert "Fix: confusing and impractical naming" (unbreak squid and haproxy tests) -- Yadd <email address hidden> Tue, 29 Nov 2022 15:56:10 +0100
apache2 (2.4.54-4) unstable; urgency=medium

  [ Charles Plessy ]
  * Replace mime-support transition package with media-types
    (Closes: #980275)

  [ Hendrik Jäger ]
  * fix mislead safety precautions: don't hide errors when enabling a
    module. MR !20
  * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22
  * Fix confusing and impractical naming: rename default-ssl.conf into
    000-default-ssl.conf. MR !23
  * Fix confusing keyword: replace _default_ by *. MR !24

 -- Yadd <email address hidden>  Thu, 24 Nov 2022 10:45:00 +0100
apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd <email address hidden> Wed, 12 Oct 2022 09:20:52 +0200
Published in buster-release
apache2 (2.4.38-3+deb10u8) buster; urgency=medium

  * Non-maintainer upload.
  * CVE-2022-22719: denial of service in mod_lua via crafted request body.
  * CVE-2022-22720: HTTP request smuggling.
  * CVE-2022-22721: integer overflow leading to buffer overflow write.
  * CVE-2022-23943: heap memory overwrite via crafted data in mod_sed.
  * CVE-2022-26377: mod_proxy_ajp: Possible request smuggling.
  * CVE-2022-28614: read beyond bounds via ap_rwrite().
  * CVE-2022-28615: Read beyond bounds in ap_strcmp_match().
  * CVE-2022-29404: Denial of service in mod_lua r:parsebody.
  * CVE-2022-30522: mod_sed denial of service.
  * CVE-2022-30556: Information Disclosure in mod_lua with websockets.
  * CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop
    mechanism.

 -- Roberto C. Sánchez <email address hidden>  Mon, 20 Jun 2022 15:03:00 -0400
Superseded in bullseye-release
apache2 (2.4.54-1~deb11u1) bullseye; urgency=medium [ Yadd ] * Fix htcacheclean doc (Closes: #1010455) [ Yadd ] * New upstream version 2.4.54 (closes: #1012513, CVE-2022-31813, CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-28330) -- Yadd <email address hidden> Thu, 09 Jun 2022 06:26:43 +0200
apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd <email address hidden> Tue, 05 Jul 2022 15:49:58 +0200
apache2 (2.4.54-1) unstable; urgency=medium

  [ Simon Deziel ]
  * Escape literal "." for BrowserMatch directives in setenvif.conf
  * Use non-capturing regex with FilesMatch directive in default-ssl.conf

  [ Ondřej Surý ]
  * New upstream version 2.4.54 (Closes: #1012513, CVE-2022-31813,
    CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404,
    CVE-2022-30522, CVE-2022-30556, CVE-2022-28330)

  [ Yadd ]
  * Fix htcacheclean doc (Closes: #1010455)
  * New upstream version 2.4.54

 -- Yadd <email address hidden>  Thu, 09 Jun 2022 06:33:53 +0200
Superseded in buster-release
apache2 (2.4.38-3+deb10u7) buster-security; urgency=medium * Fix possible NULL dereference or SSRF in forward proxy configurations (CVE-2021-44224) * lua: improve error handling (Closes: CVE-2021-44790) * mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO (relaxes the behaviour introduced by the CVE-2021-36160 fix) -- Yadd <email address hidden> Tue, 21 Dec 2021 17:50:43 +0100
Superseded in bullseye-release
apache2 (2.4.53-1~deb11u1) bullseye; urgency=medium * New upstream version 2.4.53 (Closes: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943) * Update copyright * Drop fix-2.4.52-regression.patch, now included in upstream * Refresh fhs_compliance.patch * Update test framework (fixes autopkgtest) -- Yadd <email address hidden> Mon, 14 Mar 2022 17:28:35 +0100
apache2 (2.4.53-2) unstable; urgency=medium * Clean useless Conflicts/Replace * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254) -- Yadd <email address hidden> Tue, 15 Mar 2022 15:27:39 +0100
apache2 (2.4.53-1) unstable; urgency=medium * New upstream version 2.4.53 (Closes: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943) * Update copyright * Patches: + Drop fix-2.4.52-regression.patch, now included in upstream + Refresh fhs_compliance.patch + Update and disable child_processes_fail_to_start.patch * Update test framework * Back to unstable -- Yadd <email address hidden> Mon, 14 Mar 2022 17:10:39 +0100
Deleted in experimental-release (Reason: None provided.)
apache2 (2.4.52-3) experimental; urgency=medium * Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL error) * Set hardening=+all instead of hardening=+bindnow -- Yadd <email address hidden> Tue, 28 Dec 2021 21:20:05 +0100
Superseded in experimental-release
apache2 (2.4.52-2) experimental; urgency=medium * Build with pcre2 (Closes: #1000114) -- Yadd <email address hidden> Tue, 28 Dec 2021 20:01:43 +0100
apache2 (2.4.52-1) unstable; urgency=medium * Refresh suexec-custom.patch * Update lintian overrides * Wrap long lines in changelog entries: 2.4.51-2. * New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790) * Refresh patches -- Yadd <email address hidden> Mon, 20 Dec 2021 18:42:09 +0100
Superseded in bullseye-release
apache2 (2.4.51-1~deb11u1) bullseye-security; urgency=medium * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013) * Refresh patches -- Yadd <email address hidden> Thu, 07 Oct 2021 19:49:44 +0200
apache2 (2.4.51-2) unstable; urgency=medium * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting parameters -- Yadd <email address hidden> Mon, 25 Oct 2021 18:37:03 +0200
Superseded in buster-release
apache2 (2.4.38-3+deb10u5) buster-security; urgency=medium * Fix "NULL pointer dereference on specially crafted HTTP/2 request" (Closes: #989562, CVE-2021-31618) * Fix various low security issues (Closes: CVE-2020-35452, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641) and fix related test -- Yadd <email address hidden> Thu, 10 Jun 2021 12:13:06 +0200
Superseded in bullseye-release
apache2 (2.4.48-3.1+deb11u1) bullseye-security; urgency=medium * Fix mod_proxy HTTP2 request line injection (Closes: CVE-2021-33193) -- Yadd <email address hidden> Thu, 12 Aug 2021 13:51:47 +0200
apache2 (2.4.51-1) unstable; urgency=medium * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013) * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659) -- Yadd <email address hidden> Thu, 07 Oct 2021 20:35:33 +0200
apache2 (2.4.50-1) unstable; urgency=high * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524) * Remove patches already merged upstream -- Ondřej Surý <email address hidden> Tue, 05 Oct 2021 13:25:23 +0200
apache2 (2.4.49-4) unstable; urgency=medium [ Ondřej Surý ] * Add upstream patch to fix crash in 2.4.49 -- Yadd <email address hidden> Fri, 01 Oct 2021 11:34:24 +0200
apache2 (2.4.49-3) unstable; urgency=medium [ Yadd ] * Re-export upstream signing key without extra signatures. * Drop transition for old debug package migration. [ Moritz Muehlenhoff ] * Fix CVE-2021-40438 regression -- Yadd <email address hidden> Thu, 30 Sep 2021 06:00:06 +0200
apache2 (2.4.49-2) unstable; urgency=medium [ Michiel Hazelhof ] * Fix multi instance issue (Closes: #868861) [ Philippe Ombredanne ] * Fix GPL version typo in copyright file -- Yadd <email address hidden> Thu, 23 Sep 2021 13:55:55 +0200
apache2 (2.4.49-1) unstable; urgency=medium * Update upstream GPG keys * New upstream version 2.4.49 * Refresh patches -- Yadd <email address hidden> Thu, 16 Sep 2021 06:22:23 +0200
apache2 (2.4.48-4) unstable; urgency=medium * Fix mod_proxy HTTP2 request line injection (Closes: CVE-2021-33193) -- Yadd <email address hidden> Thu, 12 Aug 2021 11:37:43 +0200
apache2 (2.4.48-3.1) unstable; urgency=medium * Non-maintainer upload. * Direct init script reload output from logrotate to syslog, to avoid mail-spamming the local admin (Closes: #990580) -- Thorsten Glaser <email address hidden> Sat, 10 Jul 2021 23:31:28 +0200
apache2 (2.4.48-3) unstable; urgency=medium * Fix debian/changelog -- Yadd <email address hidden> Sun, 20 Jun 2021 16:39:33 +0200
apache2 (2.4.48-2) unstable; urgency=medium * Back to unstable: Apache2 will follow upstream changes for Bullseye [ Christian Ehrhardt ] * d/t/control, d/t/check-http2: basic test for http2 (Closes: #884068) -- Yadd <email address hidden> Sat, 19 Jun 2021 17:50:29 +0200
apache2 (2.4.46-6) unstable; urgency=medium * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641) -- Yadd <email address hidden> Thu, 10 Jun 2021 13:40:11 +0200
apache2 (2.4.46-5) unstable; urgency=medium * Fix "NULL pointer dereference on specially crafted HTTP/2 request" (Closes: #989562, CVE-2021-31618) -- Yadd <email address hidden> Thu, 10 Jun 2021 11:57:38 +0200
Deleted in experimental-release (Reason: None provided.)
apache2 (2.4.48-1) experimental; urgency=medium [ Daniel Lewart ] * Update apache2.logrotate (Closes: #979813) [ Andreas Hasenack ] * Avoid test suite failure (Closes: #985012) [ Yadd ] * Update lintian overrides * Re-export upstream signing key without extra signatures. [ Ondřej Surý ] * New upstream version 2.4.48 (Closes: CVE-2021-31618) -- Ondřej Surý <email address hidden> Tue, 08 Jun 2021 08:29:35 +0200
Superseded in experimental-release
apache2 (2.4.47-1) experimental; urgency=medium * Update upstream keys file * New upstream version 2.4.47 * Refresh patches -- Yadd <email address hidden> Thu, 29 Apr 2021 08:03:33 +0200
apache2 (2.4.46-4) unstable; urgency=medium * Ignore other random another test failures (Closes: #979664) -- Xavier Guimard <email address hidden> Mon, 11 Jan 2021 11:58:23 +0100
apache2 (2.4.46-3) unstable; urgency=medium * Remove postinst/preinst hooks concerning old versions * Clean include-binaries * Enable verbose test output during autopkgtest * Declare compliance with policy 4.5.1 * Add debian/gbp.conf * Disable temporary 3 subtests (Closes: #979664) -- Xavier Guimard <email address hidden> Sun, 10 Jan 2021 22:43:21 +0100
apache2 (2.4.46-2) unstable; urgency=medium

  [ Jean-Michel Vourgère ]
  * Man: Add missing options and see also in a2en*(8)

  [ Xavier Guimard ]
  * Bump debhelper compatibility level to 13
    + Set debhelper-compat version in Build-Depends.
  * Use dh_installsystemd rather than deprecated dh_systemd_enable
  * Add extension .da for danish language in mime.conf (Closes: #972398)
  * Automatically deflate application/wasm files (Closes: #972400)
  * Use "graceful-stop" in systemd ExecStop (Closes: #974665)
  * Re-export upstream signing key without extra signatures.
  * Ignore lintian's national-encoding tag in test framework
  * Add ${misc:Pre-Depends} in apache2 package
  * Update lintian overrides
  * Refresh patches
  * Fix little spelling errors

 -- Xavier Guimard <email address hidden>  Fri, 13 Nov 2020 16:59:01 +0100
Superseded in buster-release
apache2 (2.4.38-3+deb10u4) buster-security; urgency=high

  * Import http2 modules from 2.4.46 (Closes: CVE-2020-9490,
    CVE-2020-11993)
  * Fix error out on HTTP header larger than 16K (Closes: CVE-2020-11984)
  * Fix bad regexp in mod_rewrite (Closes: CVE-2020-1927)
  * Fix uninitialized memory when proxying to a malicious FTP server
    (Closes: CVE-2020-1934)

 -- Xavier Guimard <email address hidden>  Tue, 25 Aug 2020 22:08:29 +0200
apache2 (2.4.46-1) unstable; urgency=medium [ Xavier Guimard ] * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md [ Timo Tijhof ] * Compress text/javascript with mod_deflate by default (Closes: #959195) [ Xavier Guimard ] * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md * Update upstream keys * New upstream version 2.4.46 (Closes: CVE-2020-11984, CVE-2020-11993, CVE-2020-9490) -- Xavier Guimard <email address hidden> Sat, 08 Aug 2020 08:33:36 +0200
apache2 (2.4.43-1) unstable; urgency=medium [ Timo Aaltonen ] * mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests (Closes: #955348) [ Moritz Schlarb ] * Fix logrotate script for multi-instance (Closes: #914606) [ Xavier Guimard ] * New upstream version 2.4.43 * Refresh patches -- Xavier Guimard <email address hidden> Tue, 31 Mar 2020 08:02:12 +0200
apache2 (2.4.41-5) unstable; urgency=medium [ Xavier Guimard ] * Avoid double mod_dav load (Closes: #951753) [ Timo Aaltonen ] * mod_proxy_ajp-add-secret-parameter.diff: Apply a patch from 2.4.x to fix AJP with current tomcat. (Closes: #954201) -- Xavier Guimard <email address hidden> Wed, 18 Mar 2020 21:06:49 +0100
Published in stretch-release
apache2 (2.4.25-3+deb9u9) stretch-security; urgency=medium [ Xavier Guimard ] * Use correct patch for CVE-2019-10092. This fixes a regression in mod_proxy_balancer (Closes: #941202) -- Stefan Fritsch <email address hidden> Sun, 13 Oct 2019 17:43:54 +0200
apache2 (2.4.41-4) unstable; urgency=medium * Add gcc in chroot autopkgtest (fixes debci) -- Xavier Guimard <email address hidden> Fri, 07 Feb 2020 06:14:33 +0100
apache2 (2.4.41-3) unstable; urgency=medium * Don't use hardcoded libgcc_s.so.1 path in autopkgtest files. Thanks to Aurelien Jarno (Closes: #950711) -- Xavier Guimard <email address hidden> Wed, 05 Feb 2020 13:18:04 +0100
apache2 (2.4.41-2) unstable; urgency=medium [ Stefan Fritsch ] * Add *.load file for mod_socache_redis [ Vagrant Cascadian ] * Embeds path to EGREP in config_vars.mk (Closes: #948757) * Sanitize CXXFLAGS/-ffile-prefix-map in config_vars.mk (Closes: #948759) -- Xavier Guimard <email address hidden> Mon, 13 Jan 2020 06:14:45 +0100
Superseded in buster-release
apache2 (2.4.38-3+deb10u3) buster-security; urgency=high * Non-maintainer upload by the Security Team. * Annotate patch for CVE-2019-10092: Add missing APLOGNO's in modules/proxy/mod_proxy.c and modules/proxy/mod_proxy_ftp.c -- Salvatore Bonaccorso <email address hidden> Tue, 15 Oct 2019 21:53:42 +0200
Superseded in stretch-release
apache2 (2.4.25-3+deb9u8) stretch-security; urgency=high

  [ Xavier Guimard ]
  * Add patch to limit cross-site scripting in mod_proxy
    (Closes: CVE-2019-10092)
  * Import http2 modules from 2.4.41 (Closes: CVE-2019-9517,
    CVE-2019-10082, CVE-2019-10081)
  * Add patch to set PCRE_DOTALL by default (Closes: CVE-2019-10098)

  [ Stefan Fritsch ]
  * Add -Werror=implicit-function-declaration to compile options to catch
    problems with backports.

 -- Stefan Fritsch <email address hidden>  Mon, 19 Aug 2019 21:25:31 +0200
Superseded in buster-release
apache2 (2.4.38-3+deb10u1) buster-security; urgency=high

  * Add patch to limit cross-site scripting in mod_proxy
    (Closes: CVE-2019-10092)
  * Add patch to fix stack buffer overflow and NULL pointer dereference in
    mod_remoteip (Closes: CVE-2019-10097)
  * Import http2 modules from 2.4.41 (Closes: CVE-2019-9517,
    CVE-2019-10082 and CVE-2019-10081)
  * Add patch to set PCRE_DOTALL by default (Closes: CVE-2019-10098)

 -- Xavier Guimard <email address hidden>  Sun, 18 Aug 2019 15:34:20 +0200
apache2 (2.4.41-1) unstable; urgency=medium * New upstream version 2.4.41 * Update lintian overrides * Remove README in usr/share/apache2 * Move httxt2dbm manpage in section 8 * Update test framework -- Xavier Guimard <email address hidden> Wed, 14 Aug 2019 06:42:29 +0200
apache2 (2.4.39-2) unstable; urgency=medium * Fix bad call of dh_link. Thanks to Daniel Baumann (Closes: #934640) -- Xavier Guimard <email address hidden> Mon, 12 Aug 2019 22:52:47 +0200
apache2 (2.4.39-1) unstable; urgency=medium [ Helmut Grohne ] * Do not install /usr/share/apache2/build/config.nice (Closes: #929510) [ Xavier Guimard ] * New upstream version 2.4.39 * Refresh patches * Remove patches now included in upstream * Replace duplicate doc files by links using jdupes * Add bison in build dependencies -- Xavier Guimard <email address hidden> Mon, 12 Aug 2019 21:30:33 +0200
Superseded in stretch-release
apache2 (2.4.25-3+deb9u7) stretch-security; urgency=medium

  [ Xavier Guimard ]
  * CVE-2018-17199: mod_session: Fix missing check for session expiry time.
    Closes: #920303

  [ Stefan Fritsch ]
  * mod_http2: Fix keepalive timeout behavior. This fixes a regression with
    Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103
  * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
    Closes: #904150
  * CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies.
    Closes: #920302
  * CVE-2019-0196: mod_http2: Fix read after free
  * CVE-2019-0211: All MPMs: privilege escalation from www-data user to
    root.
  * CVE-2019-0217: mod_auth_digest: Access control bypass
  * CVE-2019-0220: URL normalization inconsistency. Consecutive slashes in
    URL's are now merged before use in LocationMatch and RewriteRule. The
    old behavior can be restored with the new directive "MergeSlashes off".

 -- Stefan Fritsch <email address hidden>  Tue, 02 Apr 2019 21:05:13 +0200
apache2 (2.4.38-3) unstable; urgency=high

  [ Marc Deslauriers ]
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentanglement of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistency
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

  [ Stefan Fritsch ]
  * Pull security fixes from 2.4.39 via Ubuntu
  * CVE-2019-0197: mod_http2: Fix possible crash on late upgrade

 -- Stefan Fritsch <email address hidden>  Sun, 07 Apr 2019 20:15:40 +0200
apache2 (2.4.38-2) unstable; urgency=medium * Disable "reset" test in allowmethods.t (Closes: #921024) -- Xavier Guimard <email address hidden> Thu, 31 Jan 2019 21:54:05 +0100
apache2 (2.4.38-1) unstable; urgency=medium

  [ Jelmer Vernooij ]
  * Reverted for now: Transition to automatic debug package (from:
    apache2-dbg)
  * Trim trailing whitespace
  * Use secure copyright file specification URI

  [ Niels Thykier ]
  * Add Rules-Requires-Root: binary-targets

  [ Xavier Guimard ]
  * Convert signing-key.pgp into signing-key.asc
  * Add http2.conf (Closes: #880993)
  * Remove unnecessary greater-than versioned dependency to dpkg-dev,
    libbrotli-dev and libapache2-mod-md
  * Declare compliance with policy 4.2.1
  * Add spelling errors patch (reported)
  * Fix some spelling errors in debian files
  * Add myself to uploaders
  * Refresh patches
  * Bump debhelper compatibility level to 10
  * debian/rules:
    - Remove unnecessary dh argument --parallel
    - use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog
  * Add upstream/metadata
  * Replace MIT by Expat in debian/copyright
  * debian/watch: use https url
  * Add documentation links in systemd service files
  * Team upload

  [ Cyrille Bollu ]
  * Put HTTP2 configuration within <IfModule !mpm_prefork></IfModule> tags
    as it gets automatically de-activated upon apache startup when using
    mpm_prefork.
  * Updated http2.conf to inform user that they may want to change their
    LogFormat directives.

  [ Xavier Guimard ]
  * New upstream version 2.4.38 (Closes: #920220, #920302, #920303)
  * Refresh patches
  * Remove setenvifexpr.diff patch now included in upstream
  * Replace libapache2-mod-proxy-uwsgi.{post*,prerm} by a maintscript
  * Add a "sleep" in debian/tests/htcacheclean and skip result if "stop"
    failed
  * Declare compliance with policy 4.3.0
  * Fix homepage to https
  * Update debian/copyright

 -- Xavier Guimard <email address hidden>  Tue, 29 Jan 2019 23:49:49 +0100
Superseded in stretch-release
apache2 (2.4.25-3+deb9u6) stretch; urgency=medium * CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106 * CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS. Closes: #909591 * mod_proxy_fcgi: Fix segfault. Closes: #902906 -- Stefan Fritsch <email address hidden> Sat, 03 Nov 2018 19:46:19 +0100
apache2 (2.4.37-1) unstable; urgency=medium

  * New upstream version
    - mod_ssl: Add support for TLSv1.3
  * Add docs symlink for libapache2-mod-proxy-uwsgi. Closes: #910218
  * Update test-framework to r1845652
  * Fix test suite to actually run by creating a test user. It turns out
    the test suite refuses to run as root but returns true even in that
    case. It seems this has been broken since 2.4.27-4, where the test
    suite had been updated and the debci test duration dropped from 15min
    to 3min. Also, don't rely on the exit status anymore but parse the
    test output.
  * Backport a fix from trunk for SetEnvIfExpr. This fixes a test failure.

 -- Stefan Fritsch <email address hidden>  Sat, 03 Nov 2018 14:26:31 +0100
apache2 (2.4.35-1) unstable; urgency=medium * New upstream version 2.4.35 Security fix: - CVE-2018-11763: DoS for HTTP/2 connections by continuous SETTINGS Closes: #909591 * Fix lintian warning: Don't force xz in builddeb override. -- Stefan Fritsch <email address hidden> Sun, 07 Oct 2018 12:54:58 +0200
apache2 (2.4.34-1) unstable; urgency=medium

  [ Ondřej Surý ]
  * New upstream version 2.4.34
    Security fixes:
    - CVE-2018-1333: Denial of service in mod_http2. Closes: #904106
    - CVE-2018-8011: Denial of service in mod_md. Closes: #904107
  * Refresh patches for Apache2 2.4.34 release
  * Update the suexec-custom.patch for 2.4.34 release

  [ Stefan Fritsch ]
  * Remove load order dependency introduced in mod_lbmethod_* in 2.4.34
  * Remove debian/gbp.conf. Closes: #904641
  * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
    Closes: #904150

 -- Stefan Fritsch <email address hidden>  Fri, 27 Jul 2018 21:37:37 +0200
Superseded in stretch-release
apache2 (2.4.25-3+deb9u5) stretch; urgency=medium

  * Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This
    fixes
    - CVE-2018-1302: mod_http2: Potential crash w/ mod_http2
    - Segfaults in mod_http2 (Closes: #873945)
    - mod_http2 issue with option "Indexes" and directive "HeaderName"
      (Closes: #850947)
    Unfortunately, this also removes support for http2 when running on
    mpm_prefork.
  * mod_http2: Avoid high memory usage with large files, causing crashes on
    32bit archs. Closes: #897218
  * Make the apache-htcacheclean init script actually look into
    /etc/default/apache-htcacheclean for its config. Closes: #898563

 -- Stefan Fritsch <email address hidden>  Sat, 02 Jun 2018 10:01:13 +0200
Published in jessie-release
apache2 (2.4.10-10+deb8u12) jessie-security; urgency=medium

  * CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap
    when using too small Accept-Language values.
  * CVE-2017-15715: <FilesMatch> bypass with a trailing newline in the file
    name. Configure the regular expression engine to match '$' to the end
    of the input string only, excluding matching the end of any embedded
    newline characters. Behavior can be changed with new directive
    'RegexDefaultOptions'.
  * CVE-2018-1283: Tampering of mod_session data for CGI applications.
  * CVE-2018-1301: Possible out of bound access after failure in reading
    the HTTP request
  * CVE-2018-1303: Possible out of bound read in mod_cache_socache
  * CVE-2018-1312: mod_auth_digest: Weak Digest auth nonce generation

 -- Stefan Fritsch <email address hidden>  Sat, 31 Mar 2018 11:31:57 +0200
apache2 (2.4.33-3) unstable; urgency=medium * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too. Closes: #894785 * mod_http2: Avoid high memory usage with large files, causing crashes on 32bit archs. Closes: #897218 * Migrate from alioth to salsa. -- Stefan Fritsch <email address hidden> Sat, 05 May 2018 11:34:47 +0200