Change log for apache2 package in Debian

Published in buster-release on 2019-02-03
Published in sid-release on 2019-02-01
apache2 (2.4.38-2) unstable; urgency=medium

  * Disable "reset" test in allowmethods.t (Closes: #921024)

 -- Xavier Guimard <email address hidden>  Thu, 31 Jan 2019 21:54:05 +0100
Superseded in sid-release on 2019-02-01
apache2 (2.4.38-1) unstable; urgency=medium

  [ Jelmer Vernooij ]
  * Reverted for now: Transition to automatic debug package (from: apache2-dbg)
  * Trim trailing whitespace
  * Use secure copyright file specification URI

  [ Niels Thykier ]
  * Add Rules-Requires-Root: binary-targets

  [ Xavier Guimard ]
  * Convert signing-key.pgp into signing-key.asc
  * Add http2.conf (Closes: #880993)
  * Remove unnecessary greater-than versioned dependency to dpkg-dev,
    libbrotli-dev and libapache2-mod-md
  * Declare compliance with policy 4.2.1
  * Add spelling errors patch (reported)
  * Fix some spelling errors in debian files
  * Add myself to uploaders
  * Refresh patches
  * Bump debhelper compatibility level to 10
  * debian/rules:
    - Remove unnecessary dh argument --parallel
    - use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog
  * Add upstream/metadata
  * Replace MIT by Expat in debian/copyright
  * debian/watch: use https url
  * Add documentation links in systemd service files
  * Team upload

  [ Cyrille Bollu ]
  * Put HTTP2 configuration within <IfModule !mpm_prefork></IfModule> tags as
    it gets automatically de-activated upon apache's startup when using
    mpm_prefork.
  * Updated http2.conf to inform user that they may want to change their
    LogFormat directives.

  [ Xavier Guimard ]
  * New upstream version 2.4.38 (Closes: #920220, #920302, #920303)
  * Refresh patches
  * Remove setenvifexpr.diff patch now included in upstream
  * Replace libapache2-mod-proxy-uwsgi.{post*,prerm} by a maintscript
  * Add a "sleep" in debian/tests/htcacheclean and skip result if "stop" failed
  * Declare compliance with policy 4.3.0
  * Fix homepage to https
  * Update debian/copyright

 -- Xavier Guimard <email address hidden>  Tue, 29 Jan 2019 23:49:49 +0100
Published in stretch-release on 2018-11-10
apache2 (2.4.25-3+deb9u6) stretch; urgency=medium

  * CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106
  * CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS.
    Closes: #909591
  * mod_proxy_fcgi: Fix segfault. Closes: #902906

 -- Stefan Fritsch <email address hidden>  Sat, 03 Nov 2018 19:46:19 +0100
Superseded in buster-release on 2019-02-03
Superseded in sid-release on 2019-02-02
apache2 (2.4.37-1) unstable; urgency=medium

  * New upstream version
    - mod_ssl: Add support for TLSv1.3
  * Add docs symlink for libapache2-mod-proxy-uwsgi.  Closes: #910218
  * Update test-framework to r1845652
  * Fix test suite to actually run by creating a test user. It turns out
    the test suite refuses to run as root but returns true even in that
    case. It seems this has been broken since 2.4.27-4, where the test suite
    had been updated and the debci test duration dropped from 15min to
    3min. Also, don't rely on the exit status anymore but parse the test
    output.
  * Backport a fix from trunk for SetEnvIfExpr. This fixes a test failure.

 -- Stefan Fritsch <email address hidden>  Sat, 03 Nov 2018 14:26:31 +0100
Superseded in buster-release on 2018-11-06
Superseded in sid-release on 2018-11-04
apache2 (2.4.35-1) unstable; urgency=medium

  * New upstream version 2.4.35
    Security fix:
    - CVE-2018-11763: DoS for HTTP/2 connections by continuous SETTINGS
      Closes: #909591
  * Fix lintian warning: Don't force xz in builddeb override.

 -- Stefan Fritsch <email address hidden>  Sun, 07 Oct 2018 12:54:58 +0200
Superseded in buster-release on 2018-10-26
Superseded in sid-release on 2018-10-11
apache2 (2.4.34-1) unstable; urgency=medium

  [ Ondřej Surý ]
  * New upstream version 2.4.34
    Security fixes:
    - CVE-2018-1333: Denial of service in mod_http2. Closes: #904106
    - CVE-2018-8011: Denial of service in mod_md. Closes: #904107
  * Refresh patches for Apache2 2.4.34 release
  * Update the suexec-custom.patch for 2.4.34 release

  [ Stefan Fritsch ]
  * Remove load order dependency introduced in mod_lbmethod_* in 2.4.34
  * Remove debian/gbp.conf. Closes: #904641
  * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
    Closes: #904150

 -- Stefan Fritsch <email address hidden>  Fri, 27 Jul 2018 21:37:37 +0200
Superseded in stretch-release on 2018-11-10
apache2 (2.4.25-3+deb9u5) stretch; urgency=medium

  * Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This
    fixes
    - CVE-2018-1302: mod_http2: Potential crash w/ mod_http2
    - Segfaults in mod_http2 (Closes: #873945)
    - mod_http2 issue with option "Indexes" and directive "HeaderName"
      (Closes: #850947)
    Unfortunately, this also removes support for http2 when running on
    mpm_prefork.
  * mod_http2: Avoid high memory usage with large files, causing crashes on
    32bit archs. Closes: #897218
  * Make the apache-htcacheclean init script actually look into
    /etc/default/apache-htcacheclean for its config. Closes: #898563

 -- Stefan Fritsch <email address hidden>  Sat, 02 Jun 2018 10:01:13 +0200
Published in jessie-release on 2018-06-23
apache2 (2.4.10-10+deb8u12) jessie-security; urgency=medium

  * CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap
    when using too small Accept-Language values.
  * CVE-2017-15715: <FilesMatch> bypass with a trailing newline in the file
    name.
    Configure the regular expression engine to match '$' to the end of
    the input string only, excluding matching the end of any embedded
    newline characters. Behavior can be changed with new directive
    'RegexDefaultOptions'.
  * CVE-2018-1283: Tampering of mod_session data for CGI applications.
  * CVE-2018-1301: Possible out of bound access after failure in reading the
    HTTP request
  * CVE-2018-1303: Possible out of bound read in mod_cache_socache
  * CVE-2018-1312: mod_auth_digest: Weak Digest auth nonce generation

 -- Stefan Fritsch <email address hidden>  Sat, 31 Mar 2018 11:31:57 +0200
Superseded in buster-release on 2018-07-30
Superseded in sid-release on 2018-07-31
apache2 (2.4.33-3) unstable; urgency=medium

  * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
    Closes: #894785
  * mod_http2: Avoid high memory usage with large files, causing crashes on
    32bit archs. Closes: #897218
  * Migrate from alioth to salsa.

 -- Stefan Fritsch <email address hidden>  Sat, 05 May 2018 11:34:47 +0200
Superseded in sid-release on 2018-05-06
apache2 (2.4.33-2) unstable; urgency=medium

  * Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi
    and libapache2-mod-md.
    Closes: #894760, #894761, #894785

 -- Stefan Fritsch <email address hidden>  Sun, 22 Apr 2018 11:14:19 +0200
Superseded in sid-release on 2018-04-22
apache2 (2.4.33-1) unstable; urgency=medium

  * New upstream version.
    Security fixes:
    - CVE-2017-15710
      Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
    - CVE-2018-1283
      mod_session: CGI-like applications that intend to read from mod_session's
      'SessionEnv ON' could be fooled into reading user-supplied data instead.
    - CVE-2018-1303
      mod_cache_socache: Fix request headers parsing to avoid a possible crash
      with specially crafted input data.
    - CVE-2018-1301
      core: Possible crash with excessively long HTTP request headers.
      Impractical to exploit with a production build and production LogLevel.
    - CVE-2017-15715
      core: Configure the regular expression engine to match '$' to the end of
      the input string only, excluding matching the end of any embedded
      newline characters. Behavior can be changed with new directive
      'RegexDefaultOptions'.
    - CVE-2018-1312
      mod_auth_digest: Fix generation of nonce values to prevent replay
      attacks across servers using a common Digest domain. This change
      may cause problems if used with round robin load balancers. PR 54637
    - CVE-2018-1302
      mod_http2: Potential crash w/ mod_http2.

    - mod_proxy_uwsgi: New UWSGI proxy submodule.
    - mod_md: New experimental module for managing domains across virtual
      hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
      renew certificates.
    - core: silently ignore a non-existent file path when IncludeOptional
      is used. Closes: #878920
    - mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980

  * Fix lintian warnings:
    - Include SupportApache-small.png in apache2-doc package instead of
      linking to apache.org, to avoid privacy issues.
    - Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
    - Remove deprecated use of autotools_dev with dh.
    - Add some overrides
  * Bump standards-version to 4.1.2 (no changes)

 -- Stefan Fritsch <email address hidden>  Fri, 30 Mar 2018 22:53:13 +0200
Superseded in buster-release on 2018-05-26
Superseded in sid-release on 2018-04-01
apache2 (2.4.29-2) unstable; urgency=medium

  * Add myself to Uploaders
  * Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
  * Run wrap-and-sort -a to canonicalize the debian/ directory
  * Add Build-Depends on libbrotli-dev and enable brotli module

 -- Ondřej Surý <email address hidden>  Sun, 14 Jan 2018 11:01:58 +0000
Superseded in jessie-release on 2018-06-23
apache2 (2.4.10-10+deb8u11) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
    (Closes: #876109)

 -- Salvatore Bonaccorso <email address hidden>  Tue, 19 Sep 2017 21:08:12 +0200
Superseded in buster-release on 2018-01-19
Superseded in sid-release on 2018-07-10
apache2 (2.4.29-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Replace outdated dependency on dh-systemd

  [ Ondřej Surý ]
  * New upstream version 2.4.29
  * Refresh quilt patches
  * Add mod_ssl_md patch needed for libapache2-mod-md (Closes: #877343)
  * Refresh patches on top of upstream release 2.4.29
  * Fix Apache crash on restarts (ASF Bug 61558)
  * Add deconfigure to the list of recognized scripts (Closes: #877524)

 -- Ondřej Surý <email address hidden>  Mon, 23 Oct 2017 14:46:55 +0000
Superseded in stretch-release on 2018-07-14
apache2 (2.4.25-3+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
    (Closes: #876109)

 -- Salvatore Bonaccorso <email address hidden>  Tue, 19 Sep 2017 20:58:57 +0200
Superseded in buster-release on 2017-10-29
Superseded in sid-release on 2017-10-24
apache2 (2.4.27-6) unstable; urgency=high

  * CVE-2017-9798: Don't allow new methods to be registered in .htaccess files
    which could result in HTTP OPTIONS method leaking Apache's server memory.
    Closes: #876109
  * Fix argument escaping in apachectl. Closes: #876384

 -- Stefan Fritsch <email address hidden>  Sun, 24 Sep 2017 00:08:01 +0200
Superseded in buster-release on 2017-09-26
Superseded in sid-release on 2017-09-24
apache2 (2.4.27-5) unstable; urgency=medium

  * Upload to unstable.
  * Update "Breaks:" for openssl transition.
  * Bump Standards-Version to 4.1.0. No changes needed.

 -- Stefan Fritsch <email address hidden>  Sun, 03 Sep 2017 17:18:57 +0200
Deleted in experimental-release (Reason: None provided.)
apache2 (2.4.27-4) experimental; urgency=medium

  * Use 'invoke-rc.d' instead of init script in logrotate script.
    Closes: #857607
  * Make the apache-htcacheclean init script actually look into
    /etc/default/apache-htcacheclean for its config. LP: #1691495
  * mime.conf: Guard AddOutputFilter INCLUDES with proper <IfModule>.
    LP: #1675184
  * Use 'service' instead of init script in monit example config.
  * Bump Standards-Version to 4.0.1. Other changes:
    - change package priorities from extra to optional
  * Use libprotocol-http2-perl in autopkgtest.
  * Update test suite to svn r1804214.
  * Various tweaks to the test suite autopkgtest to avoid having to skip
    any test.
  * Also remove -DBUILD_DATETIME and -fdebug-prefix-map from config_vars.mk
    to avoid them being used by apxs.
  * deflate.conf: Remove mention of MSIE6

 -- Stefan Fritsch <email address hidden>  Tue, 08 Aug 2017 21:59:37 +0200
Superseded in jessie-release on 2017-12-09
apache2 (2.4.10-10+deb8u9) jessie-security; urgency=medium

  * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
  * CVE-2017-3169: mod_ssl NULL pointer dereference
  * CVE-2017-7668: Buffer overrun in ap_find_token()
  * CVE-2017-7679: mod_mime buffer overread

 -- Stefan Fritsch <email address hidden>  Tue, 20 Jun 2017 21:02:39 +0200
Superseded in stretch-release on 2017-10-07
apache2 (2.4.25-3+deb9u1) stretch-security; urgency=high

  * Backport security fixes from 2.4.26:
  * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
  * CVE-2017-3169: mod_ssl NULL pointer dereference
  * CVE-2017-7668: Buffer overrun in ap_find_token()
  * CVE-2017-7679: mod_mime buffer overread
  * CVE-2017-7659: mod_http2 NULL pointer dereference

 -- Stefan Fritsch <email address hidden>  Tue, 20 Jun 2017 21:29:11 +0200
Superseded in buster-release on 2017-09-09
Superseded in sid-release on 2017-09-04
apache2 (2.4.27-2) unstable; urgency=medium

  * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
    work and should go into experimental, first. Reopens: #851094

 -- Stefan Fritsch <email address hidden>  Sun, 16 Jul 2017 23:01:10 +0200
Superseded in experimental-release on 2017-08-09
apache2 (2.4.27-3) experimental; urgency=medium

  * Switch to openssl 1.1. Again closes: #851094
  * Add versioned breaks for gridsite, libapache2-mod-dacs because of
    openssl transition.
  * Provide new apache2-api-20120211-openssl1.1 virtual package and make
    dh_apache2 generate a dependency on it if there is a build-dep on
    apache2-ssl-dev.

 -- Stefan Fritsch <email address hidden>  Sun, 16 Jul 2017 23:11:07 +0200
Superseded in sid-release on 2017-07-17
apache2 (2.4.27-1) unstable; urgency=medium

  [ New upstream release ]
  * Fix CVE-2017-9788: mod_auth_digest: Uninitialized memory reflection
    Closes: #868467

  [ Stefan Fritsch ]
  * Switch to openssl 1.1. Closes: #851094

 -- Stefan Fritsch <email address hidden>  Sun, 16 Jul 2017 10:39:15 +0200
Superseded in buster-release on 2017-07-22
Superseded in sid-release on 2017-07-16
apache2 (2.4.25-4) unstable; urgency=high

  * Backport security fixes from 2.4.26:
  * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
  * CVE-2017-3169: mod_ssl NULL pointer dereference
  * CVE-2017-7668: Buffer overrun in ap_find_token()
  * CVE-2017-7679: mod_mime buffer overread
  * CVE-2017-7659: mod_http2 NULL pointer dereference

 -- Stefan Fritsch <email address hidden>  Tue, 20 Jun 2017 21:31:51 +0200
Superseded in jessie-release on 2017-07-22
apache2 (2.4.10-10+deb8u8) jessie-security; urgency=medium

  * CVE-2016-8743: Enforce more HTTP conformance for request lines and
    request headers, to prevent response splitting and cache pollution
    by malicious clients or downstream proxies.
    If this causes problems with non-conforming clients, some checks can
    be relaxed by adding the new directive 'HttpProtocolOptions unsafe'
    to the configuration.
    Differently than the upstream 2.4.25 release which will also be in the
    Debian 9 (stretch) release, this update for Debian 8 (jessie) accepts
    underscores in host and domain names even while 'HttpProtocolOptions
    strict' is in effect.
    More information is available at
    http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions
  * CVE-2016-0736: mod_session_crypto: Prevent padding oracle attack.
  * CVE-2016-2161: mod_auth_digest: Prevent segfaults when the shared memory
    space is exhausted.
  * Activate mod_reqtimeout in new installs and during updates from
    before 2.4.10-10+deb8u8. It was wrongly not activated in new installs
    since jessie. This made the default installation vulnerable to some
    DoS attacks.
  * Don't run 2.2 to 2.4 upgrade logic again when upgrading from
    2.4.10-10+deb8u*. Closes: #836818

 -- Stefan Fritsch <email address hidden>  Fri, 24 Feb 2017 19:36:41 +0100
Superseded in stretch-release on 2017-07-22
Superseded in sid-release on 2017-06-22
apache2 (2.4.25-3) unstable; urgency=medium

  * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
    Closes: #852543
  * Compile mod_bucketeer mod_case_filter mod_case_filter_in for benefit of
    the test suite, but don't add *.load files because they don't have any
    real-world use.
  * Include the upstream test suite and a corresponding autopkgtest. This
    is quite a hack but it may help quite a bit with security updates,
    especially if stretch gets LTS support, too.

 -- Stefan Fritsch <email address hidden>  Wed, 25 Jan 2017 23:59:26 +0100

Superseded in stretch-release on 2017-01-31
Superseded in sid-release on 2017-01-27
apache2 (2.4.25-2) unstable; urgency=medium

  * Activate mod_reqtimeout in new installs and during updates from
    before 2.4.25-2. It was wrongly not activated in new installs since
    jessie. This made the default installation vulnerable to some DoS
    attacks.
  * Restart htcacheclean on updates and tighten dependency on apache2-utils
    to ensure that apache2-utils cannot be upgraded without apache2.
    Closes: #851122
  * When running on systems with systemd, make 'apache2ctl start' invoke
    systemctl instead. Otherwise systemd will think apache2 is not running
    and ignore further commands like reload. Closes: #839227
  * Avoid segfault in mpm_event if a signal is received too soon after start.
    PR 60487
  * Add test for some modules to be enabled.
  * Remove mention of CVE-2016-5387 in 2.4.25-1 changelog. It was already
    fixed in 2.4.23-2.

 -- Stefan Fritsch <email address hidden>  Sat, 14 Jan 2017 19:27:34 +0100
Superseded in stretch-release on 2017-01-25
Superseded in sid-release on 2017-01-15
apache2 (2.4.25-1) unstable; urgency=medium

  [ New upstream release ]
  * Security: CVE-2016-0736:
    mod_session_crypto: Authenticate the session data/cookie with a MAC to
    prevent deciphering or tampering with a padding oracle attack.
  * Security: CVE-2016-2161:
    mod_auth_digest: Prevent segfaults during client entry allocation when the
    shared memory space is exhausted.
  * Security: CVE-2016-5387:
    Mitigate [f]cgi "httpoxy" issues.
  * Security: CVE-2016-8740:
    mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
    Closes: #847124
  * Security: CVE-2016-8743:
    Enforce HTTP request grammar corresponding to RFC7230 for request lines
    and request headers, to prevent response splitting and cache pollution by
    malicious clients or downstream proxies.
  * The stricter HTTP enforcement may cause compatibility problems with
    non-conforming clients. Fine-tuning is possible with the new
    HttpProtocolOptions directive.
  * mpm_event: Fix "scoreboard full" errors. Closes: #834708 LP: #1466926
  * mod_http2: Many fixes and support for early pushes using the new
    H2PushResource directive.

  [ Stefan Fritsch ]
  * Switch to debhelper compatibility level 9.

 -- Stefan Fritsch <email address hidden>  Wed, 21 Dec 2016 23:46:06 +0100
Superseded in stretch-release on 2017-01-01
Superseded in sid-release on 2016-12-22
apache2 (2.4.23-8) unstable; urgency=medium

  * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
    new package apache2-ssl-dev.  Packages that interface with openssl
    state from mod_ssl must build-depend on this new package.
    This will help to disentangle the build-deps in the openssl transition.
    Closes: #845033

 -- Stefan Fritsch <email address hidden>  Sun, 20 Nov 2016 00:33:13 +0100
Superseded in stretch-release on 2016-11-28
Superseded in sid-release on 2016-11-23
apache2 (2.4.23-7) unstable; urgency=medium

  * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
  * Move DefaultRuntimeDir and pid file for multi-instances to
    /var/run/apache2-xxx. Thanks to Horst Platz for the debugging.
    Closes: #838932 LP: #1627339
  * Fix systemd unit naming for multi-instances.
  * Tweak embedded .tar.gz some more to build reproducibly.

 -- Stefan Fritsch <email address hidden>  Sun, 13 Nov 2016 13:08:28 +0100
Superseded in sid-release on 2016-11-14
apache2 (2.4.23-6) unstable; urgency=medium

  * One more tweak for reproducible build. Thanks to Daniel Shahaf for the
    patch. Closes: #839977
  * Avoid building with openssl 1.1 for now. See #828236

 -- Stefan Fritsch <email address hidden>  Wed, 09 Nov 2016 23:51:25 +0100
Superseded in stretch-release on 2016-11-19
Superseded in sid-release on 2016-11-10
apache2 (2.4.23-5) unstable; urgency=low

  * Team upload.

  [ Stefan Fritsch ]
  * Tweak creation of .tar.gz embedded in preinst to get reproducible
    build.

  [ Raphaël Hertzog ]
  * Add systemd unit files. Closes: #798430
  * Improve a2enmod to enable apache-htcacheclean with systemctl and let
    it enable '<email address hidden>' for multi-instance
    support.
  * Improve setup-instance to rely on the systemd <email address hidden> for
    multi-instance support.
  * Drop /lib/systemd/system/apache2.service.d/forking.conf now that we have
    proper native systemd support.
  * Modify handling of /etc/init.d/apache-htcacheclean to have a usual
    Default-Start value but instead we disable it manually in the postinst.
    That way "systemctl enable apache-htcacheclean" works.
  * Add some lintian overrides for non-problems (two update-rc.d calls in
    postinst, and a .js file with a very long line).

 -- Raphaël Hertzog <email address hidden>  Thu, 29 Sep 2016 12:03:31 +0200
Superseded in jessie-release on 2017-05-07
apache2 (2.4.10-10+deb8u7) jessie; urgency=medium

  * Fix installation of /lib/systemd/system/apache2.service.d/forking.conf.

 -- Julien Cristau <email address hidden>  Thu, 15 Sep 2016 22:42:19 +0200
Superseded in stretch-release on 2016-10-10
Superseded in sid-release on 2016-09-30
apache2 (2.4.23-4) unstable; urgency=medium

  * Fix pre-inst script for new installations. Closes: #834169

 -- Stefan Fritsch <email address hidden>  Fri, 12 Aug 2016 21:44:31 +0200
Superseded in sid-release on 2016-08-15
apache2 (2.4.23-3) unstable; urgency=low

  * Fix conffiles that may have got the wrong content during upgrade from
    wheezy to early jessie versions. Closes: #794933
  * Also restore re-introduced *.load files for mod_ident, mod_imagemap, and
    mod_cern_meta. These may have gone missing due to dpkg thinking they still
    belong to apache2.2-common. Reported by Markus Waldeck.
  * apache2-maintscript-helper: Make apache2_switch_mpm do nothing if the
    local admin has disabled the requested mpm manually.
    Closes: #827446, #799630
  * Make mod_proxy_html depend on mod_xml2enc.
  * dh_apache2: Make versioned recommends on apache2 less strict. There is
    no advantage in recommending the current version. Closes: #784290

 -- Stefan Fritsch <email address hidden>  Thu, 11 Aug 2016 21:40:35 +0200
Superseded in stretch-release on 2016-08-18
Superseded in sid-release on 2016-08-12
apache2 (2.4.23-2) unstable; urgency=high

  * CVE-2016-5387: Sets environmental variable based on user supplied Proxy
    request header.
    Don't pass through HTTP_PROXY in server/util_script.c

 -- Stefan Fritsch <email address hidden>  Thu, 21 Jul 2016 23:21:37 +0200
Superseded in stretch-release on 2016-07-24
Superseded in sid-release on 2016-07-22
apache2 (2.4.23-1) unstable; urgency=high

  * New upstream release
    - Security: CVE-2016-4979: Fix bypass of TLS client certificate
      verification in mod_http2.
    - new modules mod_proxy_http2 (experimental) and mod_proxy_hcheck
  * Re-introduce mod_imagemap and mod_cern_meta. Closes: #786657
  * Set SHELL=/bin/bash during configure to get reproducible builds regardless
    of where /bin/sh points to.
  * Use 'Require method' instead of Limit/LimitExcept in userdir.conf.

 -- Stefan Fritsch <email address hidden>  Tue, 05 Jul 2016 23:57:25 +0200
Superseded in stretch-release on 2016-07-08
Superseded in sid-release on 2016-07-06
apache2 (2.4.20-2) unstable; urgency=medium

  * Fix crash in ap_get_useragent_host() triggered by mod_perl test.
    Closes: #820824
  * Fix race condition and logical error in init script. Thanks to Thomas
    Stangner for the patch. Closes: #822144
  * Remove links to manpages.debian.org in default index.html to avoid
    broken robots doing a DoS on the site. Closes: #821313
  * Fix a2enmod to run on perl 5.14 to simplify backports. Closes: #821956
  * Bump Standards-Version (no changes necessary).
  * Fix segfault with logresolve -c. Closes: #823259

 -- Stefan Fritsch <email address hidden>  Sat, 28 May 2016 16:14:09 +0200
Superseded in sid-release on 2017-09-03
apache2 (2.4.20-1) unstable; urgency=medium

  * New upstream release
    - mostly bugfixes and HTTP/2 improvements
  * Build against lua 5.2 instead of 5.1. Closes: #820243
  * Correct systemd-sysv-generator behavior by customizing some parameters.
    This fixes 'systemctl status' returning incorrect results. Thanks to
    Pierre-André MOREY for the patch. LP: #1488962
  * On Linux, use pthread mutexes. On kfreebsd/hurd, continue using fcntl
    because they lack robust pthread mutexes. LP: #1565744, #1527044

 -- Stefan Fritsch <email address hidden>  Sun, 10 Apr 2016 14:03:41 +0200
Superseded in stretch-release on 2016-06-03
Superseded in sid-release on 2016-04-11
apache2 (2.4.18-2) unstable; urgency=low

  * htcacheclean:
    - split starting/stopping into separate init script 'apache-htcacheclean'
    - move config from /etc/default/apache2 to /etc/default/apache-htcacheclean
    - make a2enmod/a2dismod enable/disable htcacheclean with mod_cache_disk
    - start htcacheclean as the apache2 run user/group
  * Fix a2query -M not returning output if apache2 config is broken.
    Fix missing quotes in apache2-maintscript-helper. Closes: #810500
  * README.backtrace: Note that coredump directory needs to be owned by
    www-data. Closes: #806697
  * Remove ssl work-arounds for MSIE. Newer versions of IE work without them
    and older versions are no longer supported by MS. Closes: #815852
  * Give a hint about systemd in README.multiple-instances. Closes: #818904
  * Don't treat mod_access_compat as essential. It's essentially broken,
    anyway.
  * Merge cross-compile tweaks for debian/rules from ubuntu.
  * Merge autopkgtests from Ubuntu. Many thanks to Robie Basak.
    Closes: #719245
  * Fix duplicate-module-load test and make sure it fails if it cannot execute
    apache2ctl.
  * Bump Standards-Version (no changes necessary).

 -- Stefan Fritsch <email address hidden>  Mon, 28 Mar 2016 21:58:54 +0200
Superseded in jessie-release on 2016-09-17
apache2 (2.4.10-10+deb8u4) jessie; urgency=medium

  * Add versioned replaces/breaks for libapache2-mod-macro to apache2,
    for the config files in /etc. Closes: #806326
  * Fix split-logfile to work with current perl. Closes: #803472
  * Fix tests on deferred mpm switch. Add special casing for mpm_itk,
    which is not an mpm anymore, despite the name. Closes: #789914
    Closes: #791902
  * Fix secondary-init-script to not source the main init script with 'set -e'.
    Closes: #803177

 -- Stefan Fritsch <email address hidden>  Sat, 28 Nov 2015 15:02:23 +0100
Superseded in stretch-release on 2016-04-08
Superseded in sid-release on 2016-03-30
apache2 (2.4.18-1) unstable; urgency=medium

  * New upstream release:
    - mostly HTTP/2 improvements

 -- Stefan Fritsch <email address hidden>  Sat, 19 Dec 2015 09:26:14 +0100
Superseded in stretch-release on 2015-12-25
Superseded in sid-release on 2015-12-20
apache2 (2.4.17-3) unstable; urgency=medium

  * mpm_prefork: Fix segfault if started with -X. Closes: #805737

 -- Stefan Fritsch <email address hidden>  Mon, 23 Nov 2015 19:52:09 +0100
Superseded in stretch-release on 2015-11-29
Superseded in sid-release on 2015-11-25
apache2 (2.4.17-2) unstable; urgency=medium

  * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
    lots of web-apps. Closes: #803353
  * Fix secondary-init-script to not source the main init script with 'set -e'.
    Closes: #803177
  * mod_http2: Write HTTP/2 into THE_REQUEST and the access log.

 -- Stefan Fritsch <email address hidden>  Sat, 31 Oct 2015 23:17:11 +0100
Superseded in stretch-release on 2015-11-07
Superseded in sid-release on 2015-11-02
apache2 (2.4.17-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * New upstream release:
    - New experimental http2 module
  * reproducible build: Make symbol sorting consistent over different locales
  * Conflict with apache2.2-common and apache2.2-bin to get the transitional
    packages removed. Closes: #768815
  * Don't treat mpm_itk as MPM module in a2query. Closes: #791902
  * Don't treat mpm_itk as MPM module in deferred actions in postinst.
    Hopefully really closes: #789914
  * Don't treat mpm_itk as MPM module in a2enmod.

  [ Jean-Michel Vourgère ]
  * Updated upstream keyring used to check source authenticity.

 -- Stefan Fritsch <email address hidden>  Sat, 24 Oct 2015 22:14:32 +0200
Published in wheezy-release on 2015-09-05
apache2 (2.2.22-13+deb7u6) wheezy-security; urgency=medium

  * Fix regression causing spurious errors when loading certificate chain.
    Closes: #794383

 -- Stefan Fritsch <email address hidden>  Tue, 18 Aug 2015 11:41:11 +0200
Superseded in jessie-release on 2016-01-23
apache2 (2.4.10-10+deb8u3) jessie; urgency=medium

  * Revert fix for deferred mpm switch for now, because it is at least not
    complete or maybe causes regressions (see #791902). Re-opens #789914

 -- Stefan Fritsch <email address hidden>  Fri, 28 Aug 2015 18:24:17 +0200
Superseded in stretch-release on 2015-10-30
Superseded in sid-release on 2015-11-01
apache2 (2.4.16-3) unstable; urgency=medium

  [ Jean-Michel Vourgère ]
  * Have apache2.postrm remove content of /var/lib/apache2, not the
    directory itself. Closes: #793862
  * d/p/reproducible_builds.diff: Sort exported symbols list.

  [ Stefan Fritsch ]
  * apxs: Don't pass --silent to libtool. Closes: #795820
  * Remove default /var/www/html/index.html on package purge.

 -- Stefan Fritsch <email address hidden>  Tue, 18 Aug 2015 13:49:09 +0200
Superseded in stretch-release on 2015-08-24
Superseded in sid-release on 2015-08-18
apache2 (2.4.16-2) unstable; urgency=medium

  * Make dh_apache2 add a versioned dependency on apache2-bin, for the
    new symbols required for the CVE-2015-3185 fix.

 -- Stefan Fritsch <email address hidden>  Fri, 07 Aug 2015 23:43:16 +0200
Superseded in stretch-release on 2015-08-13
Superseded in sid-release on 2015-08-08
apache2 (2.4.16-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * New upstream version, fixing the following security issues:
    + CVE-2015-3183: Fix chunk header parsing defect.
    + CVE-2015-3185: ap_some_auth_required() broken in apache 2.4 in an
      unfixable way. Add a new replacement API ap_some_authn_required()
      and ap_force_authn hook.

  [ Jean-Michel Vourgère ]
  * Allow "triggers-awaited" and "triggers-pending" states in addition to
    "installed" when determining whether to defer actions or process
    deferred actions. Thanks Colin Watson. Closes: #787103
  * Allow a2dismod cgi on threaded mpms. Thanks Raul Dias. Closes:
    #733979
  * Remove pre-Jessie transition scripts, and remaining breaks.
  * Made builds reproducible: d/rules set the date from the changelog in
    CPPFLAGS, new reproducible_builds.diff patch to use it.
  * Moved bash_completion from /etc to /usr/share/bash_completion. Added
    links there for dynamic loading.
  * Upgrade security.conf comments to 2.4 auth format. Thanks Werner
    Detter. Closes: #789788
  * apache2.postinst: Fixed tests on deferred mpm switch. Closes:
    #789914

 -- Stefan Fritsch <email address hidden>  Sun, 02 Aug 2015 00:44:07 +0200
Superseded in stretch-release on 2015-08-07
Superseded in sid-release on 2015-08-03
apache2 (2.4.12-2) unstable; urgency=medium

  [ Jean-Michel Nirgal Vourgère ]
  * d/control:
    + Update Vcs-Browser.
  * d/copyright:
    + Change d/debhelper/dh_apache2 to dh_apache2.in.
    + Drop paragraph about inexistent itk patches.

  [ Stefan Fritsch ]
  * Remove all the transitional packages:
    apache2-mpm-worker, apache2-mpm-prefork, apache2-mpm-event,
    apache2-mpm-itk, apache2.2-bin, apache2.2-common,
    libapache2-mod-proxy-html, libapache2-mod-macro, apache2-suexec
    This also fixes the dependency problems caused by a recent version
    of debhelper (see #784803).

 -- Stefan Fritsch <email address hidden>  Mon, 11 May 2015 22:07:26 +0200
Superseded in sid-release on 2015-07-05
apache2 (2.4.12-1) unstable; urgency=medium

  * New upstream version
  * Add a patch for CVE-2015-0253 which was introduced in 2.4.11 which
    was never shipped in Debian.
  * Ship mod_proxy_html's default config file. Closes: #782022
  * Fix typo in dh_apache2 man page. Closes: #781032

 -- Stefan Fritsch <email address hidden>  Tue, 28 Apr 2015 22:54:41 +0200
Superseded in stretch-release on 2015-07-15
Superseded in sid-release on 2015-05-08
apache2 (2.4.10-11) unstable; urgency=medium


  * core: Fix -D[efined] or <Define>[d] variables lifetime across restarts.
    This could cause all kinds of strange behavior. PR 56008. PR 57328
  * mpm_event: Fix process deadlock when shutting down a worker. PR 56960
  * mpm_event: Fix crashes due to various race conditions. Closes: #779078

 -- Stefan Fritsch <email address hidden>  Tue, 31 Mar 2015 22:27:16 +0200
Superseded in jessie-release on 2015-09-05
Superseded in sid-release on 2015-04-01
apache2 (2.4.10-10) unstable; urgency=medium


  * CVE-2015-0228: mod_lua: Fix denial of service vulnerability in
    wsupgrade().
  * Fix setup-instance example script to handle a2enconf/a2disconf.
    LP: #1430936
  * Tweak mention of mod_access_compat in NEWS.Debian. The module does
    not really work in practice.

 -- Stefan Fritsch <email address hidden>  Sun, 15 Mar 2015 10:47:36 +0100
Superseded in wheezy-release on 2015-09-05
apache2 (2.2.22-13+deb7u4) wheezy; urgency=medium


  * CVE-2013-5704: Fix handling of chunk trailers. A remote attacker could
    use this flaw to bypass intended mod_headers restrictions, allowing
    them to send requests to applications that include headers that should
    have been removed by mod_headers.
    The new behavior is to not merge trailers into the headers automatically.
    A new directive "MergeTrailers" is introduced to restore the old
    behavior.
  * Fix hostname comparison with SNI to be case insensitive. Closes: #771199
  * Fix value of SSL_CLIENT_S_DN_UID in mod_ssl (broken in 2.2.15).
    Closes: #773841
  * Add paragraph about session ticket key life-time and forward secrecy to
    README.Debian. Closes: #762619

 -- Stefan Fritsch <email address hidden>  Tue, 23 Dec 2014 23:44:24 +0100
Superseded in jessie-release on 2015-03-23
Superseded in sid-release on 2015-03-16
apache2 (2.4.10-9) unstable; urgency=medium


  * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
    LuaAuthzProvider is used in multiple Require directives with different
    arguments.
  * Include ask-for-passphrase script from Ubuntu with some tweaks. This
    fixes asking for certificate passphrases if started via systemd.
    Closes: #773405
  * Fix init script to not wait 20s if passphrase was wrong.
  * Also bump debhelper build-depends to get dh_installdeb with support for
    symlink_to_dir. Closes: #770421

 -- Stefan Fritsch <email address hidden>  Mon, 22 Dec 2014 20:24:36 +0100
Superseded in jessie-release on 2015-01-01
Superseded in sid-release on 2014-12-23
apache2 (2.4.10-8) unstable; urgency=medium


  * Bump dpkg Pre-Depends to version that supports relative symlinks in
    dpkg-maintscript-helper's symlink_to_dir. Closes: #769821
  * mod_proxy_fcgi: Fix potential denial of service by malicious fcgi
    script. (CVE-2014-3583). Fix similar bug in mod_authnz_fcgi even
    though it does not seem to be exploitable.
  * mpm_event: Fix use-after-free that may lead to a server crash.
  * mod_ssl: Fix memory leak on graceful restart. Closes: #754492
  * mod_ssl: Avoid crashes during startup or graceful restart due to
    openssl using a callback to invalid memory. LP: #1366174

 -- Stefan Fritsch <email address hidden>  Tue, 18 Nov 2014 15:18:18 +0100
Superseded in jessie-release on 2014-11-24
Superseded in sid-release on 2014-11-19
apache2 (2.4.10-7) unstable; urgency=medium


  * Handle transitions of doc dirs and symlinks correctly during upgrade.
    Use dpkg-maintscript-helper for this and remove existing explicit logic.
    Closes: #767850
  * Remove obsolete conffiles in apache2.2-common, instead doing this only in
    apache2. This partially fixes #768815

 -- Stefan Fritsch <email address hidden>  Sun, 09 Nov 2014 19:03:30 +0100
Superseded in jessie-release on 2014-11-15
Superseded in sid-release on 2014-11-10
apache2 (2.4.10-6) unstable; urgency=medium


  * Disable SSLv3 in default config. Closes: #765347
  * Pull changes from upstream 2.4.x branch up to r1632831
    - Fixes an LDAP regression in 2.4.10
    - mod_cache: Avoid sending 304 responses during failed revalidations.
      PR 56881
    - mod_status: Honor client IP address using mod_remoteip. PR 55886
  * Fix typo in package description. Closes: #765500

 -- Stefan Fritsch <email address hidden>  Tue, 21 Oct 2014 22:42:06 +0200
Superseded in wheezy-release on 2015-01-10
apache2 (2.2.22-13+deb7u3) wheezy-security; urgency=high


  * CVE-2014-0226: Fix a race condition in scoreboard handling,
    which could lead to a heap buffer overflow.
  * CVE-2014-0231: mod_cgid: Fix a denial of service against CGI scripts
    that do not consume stdin that could lead to lingering HTTPD child
    processes filling up the scoreboard and eventually hanging the server.
    By default, the client I/O timeout (Timeout directive) now applies to
    communication with scripts.  The CGIDScriptTimeout directive can be
    used to set a different timeout for communication with scripts.
  * CVE-2014-0118: mod_deflate: The DEFLATE input filter (inflates request
    bodies) now limits the length and compression ratio of inflated request
    bodies to avoid denial of service via highly compressed bodies.
    By default, LimitRequestBody is applied after decompression. Fine-tuning
    is possible with the new directives DeflateInflateLimitRequestBody,
    DeflateInflateRatioLimit, and DeflateInflateRatioBurst.

 -- Stefan Fritsch <email address hidden>  Wed, 23 Jul 2014 23:53:24 +0200
Superseded in jessie-release on 2014-11-01
Superseded in sid-release on 2014-10-25
apache2 (2.4.10-5) unstable; urgency=medium


  * Remove one forgotten instance of ident.load in the preinst.

 -- Stefan Fritsch <email address hidden>  Fri, 10 Oct 2014 00:20:09 +0200
Superseded in jessie-release on 2014-10-20
Superseded in sid-release on 2014-10-10
apache2 (2.4.10-3) unstable; urgency=medium


  * CVE-2014-3581: Fix a DoS in mod_cache.
  * If apache2 is not configured yet, defer actions executed via
    apache2-maintscript-helper. This fixes installation failures if a
    module package is configured first. Closes: #745834
  * Don't use a2query in preinst, as it may not be available yet.
    Closes: #745812
  * Include mod_authnz_fcgi. Closes: #762908
  * Add some comments about SSLHonorCipherOrder in ssl.conf. Closes: #746359
  * Remove misleading sentence in apache2-bin's description. Closes: #762645
  * Remove trailing space in apache2/suexec/www-data. Closes: #719930
  * Add NEWS entry for the logrotate change in 2.4.10-2.
  * Bump Standards-version (no changes).
  * Fix lintian warning: Tweak licence short names in copyright file.

 -- Stefan Fritsch <email address hidden>  Sun, 28 Sep 2014 22:37:02 +0200
Superseded in jessie-release on 2014-10-04
Superseded in sid-release on 2014-09-30
apache2 (2.4.10-2) unstable; urgency=medium


  * Pull changes from upstream 2.4.x branch up to r1626207
    + Security Fix for CVE-2013-5704: HTTP trailers could be used to
      replace HTTP headers late during request processing, potentially
      undoing or otherwise confusing modules that examined or modified
      request headers earlier.
      Adds "MergeTrailers" directive to restore legacy behavior.

  * Switch to apache2 providing the httpd and httpd-cgi virtual packages.
    The previously providing apache2-bin package lacks the configuration
    files. Closes: #756361
  * Keep fewer logs by default. Instead of 52 weekly logs, keep 14 daily
    logs. The daily graceful restart also has the advantage of regenerating
    things like TLS session ticket keys more often. Closes: #759382
  * Clarify description of apache2 package. Closes: #755976
  * In the maintainer script helper, print out Apache's error message if
    the config check fails.
  * Re-add mod_ident. It has still at least one user. LP: #1333388

 -- Stefan Fritsch <email address hidden>  Sun, 21 Sep 2014 22:58:33 +0200
Superseded in jessie-release on 2014-09-27
Superseded in sid-release on 2014-09-22
apache2 (2.4.10-1) unstable; urgency=medium


  [ Arno Töll ]
  * New upstream version
    + Refresh debian/patches/fhs_compliance.patch
    + Security Fixes:
      - CVE-2014-0117 mod_proxy: Fix DoS that could cause a crash
      - CVE-2014-0226 Fix a race condition resulting in a heap overflow in
        scoreboard handling
      - CVE-2014-0118 mod_deflate: The DEFLATE input filter now limits the
        length and compression ratio of inflated request to mitigate a
        possible DoS
      - CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts
    + Fixes SNI with certificate defined in global scope. (Closes: #751361)
  * Warn users if they try to disable modules that we consider essential for
    operation of the Apache web server (Closes: #709461)
  * Drop libcap from our build-dependencies. That was needed for itk which we
    gave source out to its own package again.
  * Provide apache2.2-common package to avoid upgrading problems for people
    using --purge (apt) or --purge-unused (aptitude) even though that's
    clearly discouraged. This caused disappearing of conffiles because we move
    them from apache2.2-common to apache2 during the upgrade. Ugh. This was
    not a bug in our packaging, but unfortunately people blame us
    nonetheless even though it's not all our fault. This alternative helps
    those people, but at the same time means that incompatible modules aren't
    force-removed by dpkg during the upgrade. Hopefully we catch all of them
    with the Breaks relation coming along (Closes: #716880, #752922, #711925)

 -- Stefan Fritsch <email address hidden>  Tue, 22 Jul 2014 23:16:20 +0200
Superseded in wheezy-release on 2014-10-18
apache2 (2.2.22-13+deb7u2) wheezy; urgency=medium


  * Backport support for SSL ECC keys and ECDH ciphers.

    Bump build-dependency for libssl-dev to 1.0.1e-2+deb7u8 to get the
    compatibility fix for older Safari browsers. Apache2 will still
    run with older libssl-1.0.0 but without the compatibility fix.

    In case of problems, see README.Debian.

  * CVE-2013-6438: mod_dav: Fix potential denial of service from
    specifically crafted DAV WRITE requests.

  * mod_log_config: Fix a bug that cookies whose values contain '=' would
    only be logged partially. This is related to CVE-2014-0098, but Apache
    2.2.22 is not vulnerable to this issue.

  * mod_proxy: Fix crashes under high load with threaded mpms.
    https://issues.apache.org/bugzilla/show_bug.cgi?id=50335

 -- Stefan Fritsch <email address hidden>  Sun, 25 May 2014 17:35:34 +0200
Superseded in jessie-release on 2014-07-29
Superseded in sid-release on 2014-07-24
apache2 (2.4.9-2) unstable; urgency=medium


  * Fix logic in postinst to detect existing index.* files in both
    DocumentRoots, the old /var/www and the new /var/www/html. Also
    change the compiled in default DocumentRoot to /var/www/html.
    Closes: #743915
  * Fix buffer overflows in suexec with very long (unix) usernames. Not
    exploitable due to FORTIFY_SOURCE. And creating users usually requires
    root privileges, anyway. Thanks to Luca Bruno for the report.
  * Remove conflicts of mpm modules with mpm_itk, which isn't an mpm
    anymore. Fixes a part of: #734865. libapache2-mpm-itk needs a fix, too.
  * Remove obsolete warning in a2enmod about mpm-itk.
  * Fix lintian warning: Remove image ref to w3.org, which is a privacy
    breach.

 -- Stefan Fritsch <email address hidden>  Sun, 08 Jun 2014 10:38:04 +0200
Superseded in jessie-release on 2014-06-14
Superseded in sid-release on 2014-06-09
apache2 (2.4.9-1) unstable; urgency=medium


  * New upstream version.
    Security fixes:
    - CVE-2013-6438: mod_dav: Fix DoS from crafted DAV WRITE requests.
    - CVE-2014-0098: mod_log_config: Fix segfaults when logging truncated
                     cookies.
    Notable new features:
    - Support named groups and backreferences within the LocationMatch,
      DirectoryMatch, FilesMatch and ProxyMatch directives.
    - mod_proxy: Added support for unix domain sockets as the backend server
      endpoint.
    - mod_ssl: Add support for OpenSSL configuration commands by introducing
      the SSLOpenSSLConfCmd directive.
    - mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
      mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
      require directives.
    - mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
      and IgnoreInherit.
    - Bugfix in the build system to avoid problems with patched config.m4
      files as in LP #1251939.
  * Make default cipher list in ssl.conf more secure:
    - Remove 'MEDIUM'. This disables RC4 and SEED. Also remove '!MD5' because
      'HIGH' does not include MD5.
    - Remove the 'Speed-optimized SSL Cipher' configuration example because
      it depends on RC4, which is considered insecure.
  * Change init script short description to describe the service, not the
    script.  Closes: #738315
  * Bump Standards-Version (no changes).

 -- Stefan Fritsch <email address hidden>  Sat, 29 Mar 2014 22:50:32 +0100
Published in squeeze-release on 2014-02-15
apache2 (2.2.16-6+squeeze12) squeeze; urgency=medium


  * Security: CVE-2013-1862: mod_rewrite: Ensure that client data written to
    the RewriteLog is escaped to prevent terminal escape sequences from
    entering the log file. Closes: #722333
  * Security: CVE-2013-1896: mod_dav: denial of service via MERGE request.
    Closes: #717272
  * mod_dav: Fix segfaults in certain error conditions.
    https://issues.apache.org/bugzilla/show_bug.cgi?id=52559

 -- Stefan Fritsch <email address hidden>  Tue, 28 Jan 2014 22:48:05 +0100
Superseded in wheezy-release on 2014-07-12
apache2 (2.2.22-13+deb7u1) wheezy; urgency=medium


  Low impact security fixes:
  * CVE-2013-1862: mod_rewrite: Ensure that client data written to the
    RewriteLog is escaped to prevent terminal escape sequences from entering
    the log file. Closes: #722333
  * CVE-2013-1896: mod_dav: denial of service via MERGE request.
    Closes: #717272
  * mod_dav: Fix segfaults in certain error conditions.
    https://issues.apache.org/bugzilla/show_bug.cgi?id=52559

  * Make apache2ctl create the necessary directories even if started with
    special options for apache2. Closes: #731531
  * Adjust paragraph in README.Debian about MaxMemFree not working properly.
    The issue has been fixed with apr 1.4.5-1.

 -- Stefan Fritsch <email address hidden>  Fri, 31 Jan 2014 19:43:07 +0100
Superseded in jessie-release on 2014-04-04
Superseded in sid-release on 2014-03-30
apache2 (2.4.7-1) unstable; urgency=low


  New upstream version

  [ Stefan Fritsch ]
  * In logrotate and init script, don't hardcode path to htcacheclean.
    Instead, put sbin directories in PATH. Also fix one missed reference
    to disk_cache.load, missed in 2.4.6-3. Really closes: #718909
  * Remove possibility to override path to apache2 executable via envvars.
    This is no longer necessary with MPMs as modules.
  * Fix typo in serve-cgi-bin.conf. Closes: #723196
  * Bump Build-Depends. 2.4.7 requires apr 1.5.

  [ Arno Töll ]
  * Fix "No default site enabled after fresh install if /etc/apache2
    exists" by using a condition in preinst which actually works as expected.
    Thanks to Jean-Michel Vourgère for triaging the issue and providing a
    patch (Closes: #711493).
  * Leave a2disconf with rc=0 when purging a configuration which does not
    exist. (Closes: #718166)
  * Explicitly express the dependency for mod_access_compat depending on
    authn_core. Thanks Jean-Michel Vourgère for providing a patch (Closes:
    #710412)
  * Allow "apache2_invoke disconf" in postinst/preinst (Closes: #717693)
  * Rework the default index.html file. Instead of a blank, minimalistic page
    give a quick start guide, since nobody seems to read our docs. This site
    is hopefully explaining the most important questions.
  * Add a virtual provides line to the itk/worker/event/prefork transitional
    packages so that people with an unusual (unsupported) Apache setup
    can upgrade neatless in some corner cases (Closes: #728937)
  * Drop the Apache ITK patches. The Apache ITK MPM is a standalone package
    now and will be provided by libapache2-mpm-itk in future. The
    apache2-mpm-itk package depends on this package from now on. Users of itk
    are advised to consult the itk manual.
    This also resolves a build-system problem that caused mod_unixd to be
    initialized twice. (LP: #1251939)
  * Remove Steinar H. Gunderson from uploaders, he will continue to support
    itk in his own package in future. The remaining Apache team thanks Steinar
    for all the work in the past.
  * Change the Default Document root directory where files are served from
    (Closes: #730372).
  * Add GPG support to our watch file. Thanks to Daniel Kahn Gillmor
    for this suggestion and for providing a patch (Closes: #732450)
  * Refresh suexec-custom.patch.

 -- Arno Töll <email address hidden>  Thu, 02 Jan 2014 00:17:56 -1100
Superseded in squeeze-release on 2014-02-15
apache2 (2.2.16-6+squeeze11) squeeze-security; urgency=high


  * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
  * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.

 -- Stefan Fritsch <email address hidden>  Sun, 03 Mar 2013 12:25:22 +0100
Superseded in jessie-release on 2014-02-04
Superseded in sid-release on 2014-01-03
apache2 (2.4.6-3) unstable; urgency=low


  * Fix 'implicit declaration' compiler warnings.
  * Fix module dependencies in lbmethod_*.load files. Closes: #717910
    LP: #1205314
  * Mark apache2-data as Multi-Arch: foreign. Closes: #718387
  * Backport open_htaccess hook from upstream 2.4.x branch to allow
    building mpm-itk as separate package.
  * Improve comment for LogLevel in apache2.conf. Closes: #718677
  * Fix comment in ports.conf. Closes: #718650
  * Fix htcacheclean path and function name in init script. Closes: #718909
  * Enable bindnow hardening compiler option, patch by Felix Geyer.
    Closes: #714872

 -- Stefan Fritsch <email address hidden>  Mon, 12 Aug 2013 20:15:38 +0200
Superseded in jessie-release on 2013-08-23
Superseded in sid-release on 2013-08-13
apache2 (2.4.6-2) unstable; urgency=low


  [ Stefan Fritsch ]
  * Fix watch file
  * Don't pass --silent to libtool, allowing blhc to check the compiler
    options in the build logs.

  [ Arno Töll ]
  * Allow third party packages to use triggers if they use them in a
    maintainer script invoking apache2-maintscript-helper (Closes: #717610)

 -- Arno Töll <email address hidden>  Tue, 23 Jul 2013 13:25:30 +0200
Superseded in sid-release on 2013-07-24
apache2 (2.4.6-1) unstable; urgency=low


  New upstream release:
  * CVE-2013-1896: mod_dav: Fix a denial of service via MERGE request
    (Closes: #717272)
  * New modules mod_cache_socache, mod_proxy_wstunnel.
  * mod_ssl: Add support for subjectAltName-based host name checking in proxy
    mode (SSLProxyCheckPeerName).
  * mod_lua: Many new functions.
  * mod_auth_basic: Add a generic mechanism to fake basic authentication
    using the ap_expr parser (AuthBasicFake).
  * mod_proxy: New BalancerInherit and ProxyPassInherit options.
  * mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind password.

  [ Arno Töll ]
  * Document our security model in our NEWS file and highlight we do not allow
    access to /srv. Thanks to joeyh for pointing this out.
  * Allow the use of apache2-maintscript-helper from a sub-function. We rely
    on dpkg's arguments supplied in $1, $2 etc. This clashes with function
    arguments supplied to sh sub-function. Allow manual override in such
    cases.
  * Mention that the dh_apache2 conditional must be present in postrm too
    (Closes: #716694)
  * Fix "dh_apache2 ignores alternative httpd on conf files" by correctly
    checking the supplied arguments, we were off by one (Closes: #717299).
  * Reinstall index.html also on upgrades as it is removed during upgrades.
  * Add mod_macro transitional package as it was promoted to core and does not
    exist as individual package anymore (Closes: #706962)

  [ Stefan Fritsch ]
  * Don't fail package upgrade or removal just because the configuration is in
    an inconsistent state (Closes: #716921, #717343, LP: #1202653).
  * Improve error output of init script.
  * Fix broken dependency information in several *.load files.
  * Add mod_authn_core as dependency of the mod_auth_* modules.
    (Closes: #717448)

 -- Arno Töll <email address hidden>  Sun, 21 Jul 2013 18:44:42 +0200
Superseded in sid-release on 2013-07-22
apache2 (2.4.4-6) unstable; urgency=low


  * Denote exact versions breaking gnome-user-share now that Gnome maintainers
    have a fixed version in the works. That makes Gnome installable again.
  * Update our gbp.conf for our big merge next -> master. The eagle has
    landed, 2.4 is here.
  * Push Standards version to 3.9.4 - no changes needed.
  * Fix spelling errors in man pages.
  * Update the git VCS pointer to its canonical location for anonymous
    checkouts.
  * Boost the description for the LSB init script to appease Lintian.
  * Fix spurious warnings in the Apache2 bug report script (Closes: #711121,
    #711480)
  * Strip off file extensions from arguments to a2(en|dis)(site|conf|mod) so
    that "a2ensite 000-default.conf" works, as well as "a2ensite 000-default"
    (Closes: #711494)
  * Fix "apache2-dev: dh-apache2 does not strip .conf extension" for modules
    relying on the install heuristic, instead of writing an *.apache2 conf
    file (Closes: #711483)
  * Apply patch submitted by Robert Luberda and redirect all output of
    apache2-maintscript-helper to stderr (Closes: #711478)
  * Tell about essential operations in the init script (Closes: #711120)
  * Fix indentation mess in the init script, and add modelines
  * Make sure /etc/init.d/apache2 reload does not always return. Thanks to
    Thorsten Glaser for suggesting a patch (Closes: #711117)
  * Make apache2-maintscript-helper usable when sourced from weird
    environments (e.g. Perl maintainer scripts). Thanks to Robert Luberda
    for doing unexpected things, and providing patches for it, and to Axel
    Beckert for demangling shell specifics (Closes: #711479)
  * Fix "copyright file missing after upgrade (policy 12.5)" and add these for
    MPM transitional packages (Closes: #710914)
  * Fix "apache2.2-bin transitional package (binaries only) should not
    depend on apache2 package (which runs a system daemon)". This happened by
    accident added by debhelper since we are linking docs. We do to
    apache2-bin instead (Closes: #711127)
  * Refresh "upstream-fixes" patch
  * Fix "Disabling strtoul violates C89 and C99 and is unnecessary" by
    removing the symbol override in httpd.h (Closes: #711534)

 -- Arno Töll <email address hidden>  Fri, 07 Jun 2013 19:14:36 +0200