Change log for apache2 package in Debian

Superseded in sid-release on 2013-07-22
apache2 (2.4.4-6) unstable; urgency=low


  * Denote exact versions breaking gnome-user-share now that Gnome maintainers
    have a fixed version in the works. That makes Gnome installable again.
  * Update our gbp.conf for our big merge next -> master. The eagle has
    landed, 2.4 is here.
  * Push Standards version to 3.9.4 - no changes needed.
  * Fix spelling errors in man pages.
  * Update the git VCS pointer to its canonical location for anonymous
    checkouts.
  * Boost the description for the LSB init script to appease Lintian.
  * Fix spurious warnings in the Apache2 bug report script (Closes: #711121,
    #711480)
  * Strip off file extensions from arguments to a2(en|dis)(site|conf|mod) so
    that "a2ensite 000-default.conf" works, as well as "a2ensite 000-default"
    (Closes: #711494)
  * Fix "apache2-dev: dh-apache2 does not strip .conf extension" for modules
    relying on the install heuristic, instead of writing an *.apache2 conf
    file (Closes: #711483)
  * Apply patch submitted by Robert Luberda and redirect all output of
    apache2-maintscript-helper to stderr (Closes: #711478)
  * Tell about essential operations in the init script (Closes: #711120)
  * Fix indentation mess in the init script, and add modelines
  * Make sure /etc/init.d/apache2 reload does not always return. Thanks to
    Thorsten Glaser for suggesting a patch (Closes: #711117)
  * Make apache2-maintscript-helper usable when sourced from weird
    environments (e.g. Perl maintainer scripts). Thanks to Robert Luberda
    for doing unexpected things, and providing patches for it, and to Axel
    Beckert for demangling shell specifics (Closes: #711479)
  * Fix "copyright file missing after upgrade (policy 12.5)" and add these for
    MPM transitional packages (Closes: #710914)
  * Fix "apache2.2-bin transitional package (binaries only) should not
    depend on apache2 package (which runs a system daemon)". This happened by
    accident, added by debhelper since we are linking docs. We do so to
    apache2-bin instead (Closes: #711127)
  * Refresh "upstream-fixes" patch
  * Fix "Disabling strtoul violates C89 and C99 and is unnecessary" by
    removing the symbol override in httpd.h (Closes: #711534)

 -- Arno Töll <email address hidden>  Fri, 07 Jun 2013 19:14:36 +0200
Superseded in sid-release on 2013-06-10
apache2 (2.4.4-5) unstable; urgency=low


  [ Arno Töll ]
  * Fix compile issue on kfreebsd.

 -- Stefan Fritsch <email address hidden>  Fri, 31 May 2013 10:19:18 +0200
Superseded in sid-release on 2013-05-31
apache2 (2.4.4-4) unstable; urgency=low


  [ Stefan Fritsch ]
  * Upload to unstable.
  * Fix FTBFS on hurd caused by mpm-itk linking fix.
  * Fix some lintian warnings:
    - fix pod error
    - add overrides for hardening-no-fortify-functions
    - don't use /lib/init/vars.sh in init script
  * Add note to README.Debian about CVE-2013-0966 if the document root is
    on HFS+ or on ZFS with filename normalization.
  * Add a note to README.Debian about how to change the max file limit.
    Make apache2ctl print a message pointing to README.Debian if setting
    the limit fails. (Closes: #706822)

  [ Arno Töll ]
  * Correct maintainer scripts by removing forgotten left-overs of our Squeeze
    -> Wheezy renaming

 -- Stefan Fritsch <email address hidden>  Thu, 30 May 2013 17:25:09 +0200
Deleted in experimental-release (Reason: None provided.)
apache2 (2.4.4-3) experimental; urgency=low


  [ Arno Töll ]
  * libapache2-mod-proxy-html is included in Apache 2.4 and not packaged
    separately anymore. Thus, we are using the most recent version available
    now (Closes: #695482).
  * Fix "typo in mpm_event.load" by applying the patch provided by Bastian
    Triller. Thanks (Closes: #704639)
  * Replace some occurrences of "Squeeze" in our scripts. It's Wheezy time.
  * Changes in dh_apache2:
    + Add -e|--noenable option to dh_apache2 (Closes: #681544)
    + Disable scripts in prerm, not postrm (Closes: #681546)
    + However, still hook into postrm and purge state when required
    + Call the postinst code always, not only during configure
      (Closes: #681545)
    + Fix "dh_apache2 postinst code needs to reload more" and reload the
      web-server in postinst when upgrading (Closes: #702929)
  * Let a2enmod purge state when calling -p for already disabled
    configurations.
  * Fix "don't assume apache2 is running 24 hours a day when rotating
    logs": Only restart the webserver when it was previously running
    (Closes: #707892)
  * Properly return the conf/site configuration fragments enabled for Apache
    when queried from a2query (Closes: #683212)
  * Fix "/etc/init.d/apache2 start and restart need to wait until really
    started" (Closes: #645460)
  * Fix "apxs2 outputs "uninitialized value" warnings" by removing the double
    declaration of variables in apxs. This problem was harmless, but noisy
    (Closes: #707109)
  * Make the DEBIAN_VERSION parsing in debian/rules more robust. Thanks to
    Ondřej Surý for noticing and providing a patch.
  * Fix "copyright file missing after upgrade (policy 12.5)" by linking to the
    apache2 doc-dir when upgrading (Closes: #707795)

  [ Stefan Fritsch ]
  * Backport various fixes from upstream svn branch '2.4.x'. 
  * Remove paragraph about MaxMemFree in README.Debian. The issue should be
    fixed in 2.4.
  * Enable mod_authn_core when upgrading from wheezy (Closes: #702866)
  * Bump libaprutil1-dev build dependency to get support for bcrypt password
    hashes.
  * Fix mod_mpm_itk.so not being linked to libcap.so (Closes: #702475)
  * Make apache2-dev not depend on apache2.

 -- Stefan Fritsch <email address hidden>  Tue, 28 May 2013 22:47:26 +0200
Deleted in experimental-release (Reason: None provided.)
apache2 (2.4.4-2) experimental; urgency=low


  * The "let's shorten up this discussion" release, and strip changelogs which
    are not a direct ancestor of the 2.4 branch.
  * Restart the server on upgrades. We need to make sure the new binary is
    loading all symbols from the core again, to make sure upgrades don't break
    the server.

 -- Arno Töll <email address hidden>  Sat, 09 Mar 2013 02:02:08 +0100
Superseded in experimental-release on 2013-03-10
apache2 (2.4.4-1) experimental; urgency=low


  * New upstream release
    - Fixes mod_log_forensic logging spurious '-' characters. Closes: #693292
    - Responds with HTTP/1.0 when talking http to https port. Closes: #701117
    - Fix various XSS flaws in modules (CVE-2012-3499, CVE-2012-4558)

  [ Stefan Fritsch ]
  * Add examples for X-Content-Type-Options and X-Frame-Options to
    security.conf.
  * Make dh_apache2 only accept shell function names as conditional, to avoid
    problems with shell and sed special characters.
  * Add Replaces for the old mpm packages to apache2-bin. Closes: #671683
  * Add transitional package for libapache2-mod-proxy-html. Closes: #666816
    - Override dh_gencontrol so that the package's version sorts later than
      the existing version in Wheezy.
  * Don't ship changelogs in the apache2.2-bin transitional package.
  * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2

  [ Arno Töll ]
  * Rewrite most parts of the init script to make it more readable and improve
    visual feedback when fancy output is in use.
  * Drop the dbmanage tool from apache2-utils. It is mostly unmaintained and
    outdated. Users of mod_authn_dbm should use htdbm instead.
  * Fix "Default /etc/apache2/mods-available/disk_cache.conf is incompatible
    with ext3" by changing the default to more moderate values. Note, some file
    systems have a hard limit of supported subdirectories (Closes: #682840).
    Ported from our 2.2 tree targeted for Wheezy.
  * Properly check return code of a2query in the apache2_invoke library
    function. This caused reverse dependencies to fail for newly installed
    modules previously.
  * Implement -q (quiet) option for a2query (Closes: #681541).
  * Properly honor -p/-N options as understood by debhelper (Closes: #681542).
    Thanks Russ Allbery for the hint.
  * Be more careful regarding link attacks when purging the cache disk
    directory.
  * Compress the data.tar in binary packages using xz to save some space on
    installation medias (Debian only).
  * Fix "invoke-rc.d apache2 status fails" by merging patch of Jean-Michel
    Vourgère. Thanks! (Closes: #691365)
  * Fix "copyright file missing after upgrade (policy 12.5)" - add link
    manually when necessary in postinst (Closes: #691440)
  * Document APACHE_ARGUMENTS in envvars (ported from our 2.2 branch, reported as #693299)
  * Don't croak about lacking permissions in apache2ctl when the script is
    executed as a non-privileged user

  [ Bernhard R. Link ]

  * Rearrange patches: Move all the patches or parts of patches touching non-itk
    specific files (i.e. those from the upstream tarball) directly into
    debian/patches/series. While this separates the itk patches into two
    heaps, it makes it more visible what changes happen to the general code (and
    thus are also done to the other servers generated).

 -- Arno Töll <email address hidden>  Thu, 07 Mar 2013 01:24:51 +0100
Superseded in jessie-release on 2013-08-02
Superseded in wheezy-release on 2014-02-08
Superseded in sid-release on 2013-07-24
apache2 (2.2.22-13) unstable; urgency=medium


  [ Stefan Fritsch ]
  * Urgency medium for security fixes.
  * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
  * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.
  * mod_log_forensic: Fix spurious '-' characters being logged, causing
    false positives. Closes: #693292

  [ Arno Töll ]
  * Document APACHE_ARGUMENTS in envvars (Closes: #693299)

 -- Stefan Fritsch <email address hidden>  Mon, 04 Mar 2013 22:21:05 +0100

Superseded in squeeze-release on 2013-10-19
apache2 (2.2.16-6+squeeze10) squeeze-security; urgency=low


  [ Arno Töll ]
  * Backport disable-ssl-compression.patch from Wheezy. This patch disabled
    SSL compression upon request by introducing a "Compression on|off"
    directive to mod_ssl. This is to mitigate impact of CRIME attacks to SSL -
    which is a browser issue, however.
    See also Debian bug #674142 and #689936.

  [ Stefan Fritsch ]
  * CVE-2012-4557: mod_proxy_ajp: Remote denial of service (temporary, until
    mod_proxy_ajp's retry timeout expired).

 -- Stefan Fritsch <email address hidden>  Fri, 30 Nov 2012 09:26:36 +0100
Superseded in wheezy-release on 2013-03-10
Superseded in sid-release on 2013-03-05
apache2 (2.2.22-12) unstable; urgency=low


  * Backport mod_ssl "SSLCompression on|off" flag from upstream. The default is
    "off". This mitigates impact of CRIME attacks. Fixes:
    - "handling the CRIME attack" (Closes: #689936)
    - "make it possible to disable ssl compression in apache2 mod_ssl"
      (Closes: #674142)

 -- Arno Töll <email address hidden>  Wed, 31 Oct 2012 00:23:59 +0100
Superseded in squeeze-release on 2013-02-23
apache2 (2.2.16-6+squeeze8) squeeze; urgency=low


  * CVE-2012-2687: mod_negotiation: Escape filenames in variant list to
    prevent a possible XSS vulnerability for a site where untrusted users
    can upload files to a location with MultiViews enabled.
  * Send 408 status instead of 400 if reading of a request fails with a
    timeout. This allows browsers to retry. Closes: #677086
  * mod_cache: Prevent Partial Content responses from being cached and served
    as normal response. Closes: #671204
  * mpm_itk: Fix an issue where users can sometimes get spurious 403s on
    persistent connections. Closes: #672333

 -- Stefan Fritsch <email address hidden>  Sun, 09 Sep 2012 23:08:04 +0200
Superseded in wheezy-release on 2012-11-10
Superseded in sid-release on 2012-10-31
apache2 (2.2.22-11) unstable; urgency=low


  * Be more careful regarding link attacks when purging the cache disk
    directory.
  * Change file ownership of /var/cache/apache2/ to root.
  * Compress the data.tar in binary packages using xz to save some space on
    installation medias (Debian only).

 -- Arno Töll <email address hidden>  Fri, 03 Aug 2012 23:20:50 +0200

Superseded in sid-release on 2012-08-04
apache2 (2.2.22-10) unstable; urgency=low


  [ Arno Töll ]
  * Fix "dbmmanage: please use Digest::SHA instead of Digest::SHA1" by changing
    perl module imports to make use of Digest::SHA shipped with perl 5.10 (Closes:
    #682401)
  * Fix "Default /etc/apache2/mods-available/disk_cache.conf is incompatible
    with ext3" by changing the default to more moderate values. Some file
    systems have a hard limit for the number of subdirectories in a single
    directory. This change requires the cache directory to be purged.
    (Closes: #682840)

  [ Stefan Fritsch ]
  * Add support for TLSv1.0 and TLSv1.1 to SSLProtocol and SSLProxyProtocol
    directives. Closes: #682897

 -- Stefan Fritsch <email address hidden>  Mon, 30 Jul 2012 22:23:02 +0200
Superseded in wheezy-release on 2012-08-14
Superseded in sid-release on 2012-07-31
apache2 (2.2.22-9) unstable; urgency=low


  * Fix typo in conf.d/security comment. Closes: #678740

 -- Stefan Fritsch <email address hidden>  Sun, 24 Jun 2012 20:10:27 +0200
Superseded in sid-release on 2012-06-26
apache2 (2.2.22-8) unstable; urgency=medium


  [ Stefan Fritsch ]
  * CVE-2012-2687: mod_negotiation: Escape filenames in variant list to prevent
    a possible XSS for a site where untrusted users can upload files to a
    location with MultiViews enabled.
  * Add example for X-XSS-Protection to conf.d/security.

  [ Arno Töll ]
  * Fix "contradictory comment in /etc/apache2/apache2.conf about the
    .load suffix" (Closes: #676975). Hopefully you are now happy, Vincent. :-)

 -- Stefan Fritsch <email address hidden>  Sat, 23 Jun 2012 17:50:47 +0200
Superseded in wheezy-release on 2012-06-30
Superseded in sid-release on 2012-06-24
apache2 (2.2.22-7) unstable; urgency=low


  [ Arno Töll ]
  * Fix "ambiguous comment in /etc/apache2/apache2.conf" by clarifying
    contradicting statements. (Closes: #675184)

  [ Stefan Fritsch ]
  * Allow colons in filenames when using wildcards with "Include".
    Closes: #676610
  * Add examples for X-Content-Type-Options and X-Frame-Options to
    conf.d/security.
  * Fix the VCS dir example in conf.d/security.
  * Pick some bug fixes from upstream trunk:
    - core/mod_cgi: Fix script logging in error case
    - mod_dumpio: Fix possible loop in input filter.
    - mod_proxy_ajp: Reduce memory usage in case of many requests on one
      connection

 -- Stefan Fritsch <email address hidden>  Sun, 10 Jun 2012 12:27:02 +0200
Superseded in wheezy-release on 2012-06-21
Superseded in sid-release on 2012-06-11
apache2 (2.2.22-6) unstable; urgency=low


  [ Stefan Fritsch ]
  * Fix regression causing apache2 to cache "206 partial content" responses,
    and then serving these partial responses when replying to normal requests.
    Closes: #671204
  * Add section to security.conf that shows how to forbid access to VCS
    directories. Closes: #548213
  * Update ssl default cipher config, add alternative speed optimized config.
    Closes: #649020
  * Add "AddCharset" for .brf files in default mod_mime config.
    Closes: #402567
  * Don't create httpd.conf anymore and don't include it in apache2.conf. If
    it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
  * Port some of the comments in apache2.conf from the 2.4 package.
  * Compile mod_version statically, drop associated module load file.
  * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
    configtest.
  * Note in README.Debian that future versions of the package will have the
    include statements changed to include only *.conf.
  * Change compiled-in document root to /var/www, to avoid strange error
    messages.
  * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.

  [ Arno Töll ]
  * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
    to override LDFLAGS at compile time by defining LDFLAGS in the environment,
    just like it is possible for CFLAGS. This also means, config_vars.mk now
    exports hardening build flags by default.
  * Update doc-base metadata for the apache2-doc package.

 -- Stefan Fritsch <email address hidden>  Tue, 29 May 2012 22:05:48 +0200
Superseded in experimental-release on 2013-03-07
apache2 (2.4.2-2) experimental; urgency=low


  [ Stefan Fritsch ]
  * Explicitly enable mod_authz_core on upgrades. It can happen that it is
    not pulled in by any of the enabled modules, but we need it in any case
    for apache2.conf. Closes: #669876
  * Don't ship the changelogs in the apache2-mpm-itk transitional package.

  [ Arno Töll ]
  * Add mode lines to various configuration files and scripts. Reformat
    configuration files for consistency.
  * Fix "Fix typographic errors in configuration file comments": Thanks to Oxan
    van Leeuwen for providing a patch (Closes: #669269)
  * Formulate several clarifications in PACKAGING, start versioning this document
    and add normative read hints. Moreover, document the -m switch for a2enmod.
  * Merge spelling and grammar fixes provided by Justin B Rye. Much appreciated!
  * Change various state and run directories used by Apache from
    /var/run/<basename> to /var/run/apache2/<basename>. This might change again
    for Wheezy+1 to adopt /run.
  * Use more exit status codes for a2query which allows to tell apart why a
    module was disabled, also make its output more readable.
  * Changes in apache2-maintscript-helper:
    + Finally apache2_invoke may behave correctly and catch all cases
      including upgrades from Squeeze.
    + apache2_invoke: accepts a third argument to override the rc.d-action now
    + support APACHE2_MAINTSCRIPT_DEBUG: When defined in the environment or in
      /etc/apache2/envvars, debug output is displayed.
  * Implement a -r switch for dh_apache2 which allows to force a reload of the
    web server if required.

 -- Arno Töll <email address hidden>  Mon, 28 May 2012 17:36:03 +0200
Superseded in squeeze-release on 2012-09-29
apache2 (2.2.16-6+squeeze7) squeeze-security; urgency=high


  * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
    hosts' config files.
    If scripting modules like mod_php or mod_rivet are enabled on systems
    where either 1) some frontend server forwards connections to an apache2
    backend server on the localhost address, or 2) the machine running
    apache2 is also used for web browsing, this could allow a remote
    attacker to execute example scripts stored under /usr/share/doc.
    Depending on the installed packages, this could lead to issues like cross
    site scripting, code execution, or leakage of sensitive data.

 -- Stefan Fritsch <email address hidden>  Sun, 01 Apr 2012 00:20:48 +0200
Superseded in wheezy-release on 2012-06-09
Superseded in sid-release on 2012-05-31
apache2 (2.2.22-5) unstable; urgency=low


  * Make LoadFile and LoadModule look in the standard search paths if the
    dso file name is given as a pure filename. This helps with the multi-arch
    transition.

 -- Stefan Fritsch <email address hidden>  Mon, 30 Apr 2012 23:38:33 +0200
Superseded in wheezy-release on 2012-05-12
Superseded in sid-release on 2012-05-06
apache2 (2.2.22-4) unstable; urgency=high


  * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
    hosts' config files.
    If scripting modules like mod_php or mod_rivet are enabled on systems
    where either 1) some frontend server forwards connections to an apache2
    backend server on the localhost address, or 2) the machine running
    apache2 is also used for web browsing, this could allow a remote
    attacker to execute example scripts stored under /usr/share/doc.
    Depending on the installed packages, this could lead to issues like cross
    site scripting, code execution, or leakage of sensitive data.

 -- Stefan Fritsch <email address hidden>  Sun, 15 Apr 2012 23:41:43 +0200
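The CVE-2012-0216 entries above (2.2.16-6+squeeze7 and 2.2.22-4) describe why an "Alias /doc /usr/share/doc" in a default vhost is dangerous. As an added illustration, not code from the Debian package or this changelog, the following audit script scans Apache configuration text for Alias-style directives that expose that tree; the function names and the sample vhost are constructed for the example.

```python
"""Audit Apache configuration text for the CVE-2012-0216 pattern:
an Alias-style directive that serves /usr/share/doc over HTTP.

Added example, not part of the Debian apache2 package.
"""
import shlex
from os.path import normpath

# Directives that map a URL prefix onto a filesystem path.
ALIAS_DIRECTIVES = {"alias", "scriptalias", "aliasmatch", "scriptaliasmatch"}

# The tree CVE-2012-0216 is about: every installed package's documentation and
# example scripts live here, so exposing the whole tree is the dangerous case.
DOC_TREE = "/usr/share/doc"


def classify_target(fs_path):
    """Return "high" if fs_path is the whole /usr/share/doc tree, "review" if it
    is a sub-directory of it (e.g. one package's manual), else None."""
    p = normpath(fs_path)  # folds trailing slashes and ".." components
    if p == DOC_TREE:
        return "high"
    if p.startswith(DOC_TREE + "/"):
        return "review"
    return None


def find_doc_aliases(config_text):
    """Scan Apache configuration text and return a list of
    (line_no, directive, url_path, fs_path, severity) tuples for every
    Alias-style directive whose filesystem target lies under /usr/share/doc.
    Blank lines and comment lines are skipped; quoted arguments are honoured."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: not a directive we can judge
        if len(tokens) < 3 or tokens[0].lower() not in ALIAS_DIRECTIVES:
            continue
        url_path, fs_path = tokens[1], tokens[2]
        if not fs_path.startswith("/"):
            continue  # relative targets resolve against ServerRoot; out of scope
        severity = classify_target(fs_path)
        if severity is not None:
            findings.append((line_no, tokens[0], url_path, fs_path, severity))
    return findings


# Constructed sample modelled on the pre-fix Debian default vhost (not the
# actual shipped file).
SAMPLE_VHOST = """\
# constructed sample vhost
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    # Alias /doc /usr/share/doc      (commented out, so not active)
    Alias /doc/ "/usr/share/doc/"
    Alias /manual /usr/share/doc/apache2-doc/manual
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, directive, url, target, severity in find_doc_aliases(SAMPLE_VHOST):
        print(f"line {line_no}: {directive} {url} -> {target} [{severity}]")
```

On the sample, only the active "Alias /doc/" is reported as high; the apache2-doc manual alias is listed for review because it exposes a single package's documentation rather than the whole tree.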
Superseded in experimental-release on 2012-06-19
apache2 (2.4.2-1) experimental; urgency=low


  * New upstream release

  [ Arno Töll ]
  * Drop update-alternative call in postrm. Our prerm script catches them
    already anyway.
  * Update my mail address.
  * Fix "dh_apache2 does not set "x" bits on /usr/lib/apache2/modules/"
    Set directory permissions to 755 by default (Closes: #666875). Thanks Axel
    Beckert for the hint.
  * Add /usr/share/doc/apache2/migrate-sites.pl, a script to assist users to
    give sites a .conf suffix, add a hint to the NEWS file.
  * Do stateful configuration handling by remembering who enabled when a
    particular piece of configuration. That way it can be told under which
    circumstances for example modules should be re-enabled. Thanks to Filip M.
    Nowak, who provided a patch upon which my changes are built.
  * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
    to override LDFLAGS at compile time by defining LDFLAGS in the environment,
    just like it is possible for CFLAGS. This also means, config_vars.mk now
    exports hardening build flags by default.
  * Provide the virtual packages httpd and httpd-cgi again.


  [ Stefan Fritsch ]
  * Change default config to deny access to / in the file system and only
    allow access to /var/www, /usr/share, and /usr/lib/cgi-bin. Closes: #341022
  * Disable MultiViews in the default config.
  * Update ssl default cipher config, add alternative speed optimized config.
    Closes: #649020
  * Move the configuration of /usr/lib/cgi-bin into a separate config file.
    Closes: #589638
  * Comment out per-vhost loglevel.
  * Add section to security.conf that shows how to forbid access to VCS
    directories. Closes: #548213
  * Change the compiled in default of DocumentRoot to /var/www by updating
    fhs_compliance.patch
  * Re-add mpm_itk (version 2.4.1-pre01). This is still very experimental!

 -- Stefan Fritsch <email address hidden>  Sun, 15 Apr 2012 20:50:28 +0200
Superseded in wheezy-release on 2012-04-23
Superseded in sid-release on 2012-04-22
apache2 (2.2.22-3) unstable; urgency=low


  * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
    No such file or directory". Do not use internal rules targets which clash
    with build target names ... (Closes: #667069)
  * Drop apache2-dev virtual package. This had virtually no users but breaks our
    experimental package in some cases (e.g. #666793)
  * Push Standards version - no further changes
  * Update my maintainer address

 -- Arno Töll <email address hidden>  Thu, 05 Apr 2012 13:21:42 +0200
Superseded in experimental-release on 2012-04-17
apache2 (2.4.1-3) experimental; urgency=low


  [ Arno Töll ]
  * apache2-suexec-{custom,pristine}: Fix argument order when removing
    alternatives, do not remove alternatives on upgrades. Thanks Andreas
    Beckmann for spotting the issue (Closes: #665002)
  * Install suexec(8) link to /usr/share/man/man8/...
  * Enable mod_version statically, drop associated module load file.
  * Update PACKAGING hints and cope with several questions raised in the
    discussions with packagers. Thus, invocation of apache2-maintscript-helper
    in maintainer scripts is covered now.
  * Changes in dh_apache2:
    + Invoke the maintscript helper postrm action for simple package removals,
      too.
    + Fix a bug which accidentally called "en{mod,site,conf}" instead of
      "di{mod,site,conf}"
    + Set the default conditional back to "true", now the maintainer script is
      expected to cope itself with upgrades correctly
  * Changes in apache2_maintscript_helper
    + Provide apache2_action_needed, apache2_msg
    + Parse maintainer script arguments to find out which script called us
    + Support APACHE2_MAINTSCRIPT_HELPER_QUIET which, when set, omits any
      visible output
    + Break APIs: apache2_invoke accepts a single configuration file argument
      only now. However, other than dh_apache2 no users of this feature were
      known.
  * Build the apache2.2-bin transitional package again, without it updates from
    Squeeze are broken for some use cases
  * Remove 2.2's postrm script only if we're actually upgrading.
    This previously didn't have bad side-effects, but caused a disturbing
    warning.

  [ Stefan Fritsch ]
  * Import lots of bug fixes from upstream svn: All code changes from branch
    2.4.x up to r1307835, plus r1294306 and r1307067 from trunk.
  * Remove /usr/share/doc alias from default virtual hosts' configs.
  * Add 'Multi-Arch: foreign' to apache2-utils
  * Make a2enconf and a2ensite warn if dependencies are not fulfilled.

 -- Stefan Fritsch <email address hidden>  Sun, 01 Apr 2012 21:11:51 +0200
Superseded in experimental-release on 2012-04-02
apache2 (2.4.1-2) experimental; urgency=low


  [ Arno Töll ]
  * Shift convert_docs script to an arch-indep target only. Debhelper does not
    build apache2-doc on binary only builds causing a FTBFS on binary-only (-B)
    builds
  * Raise debhelper build-dependency to 8.9.7~ due to the use of arch-indep
    targets

  [ Stefan Fritsch ]
  * dh_apache2: Make autoscripts only run on upgrades by default. Bump
    debhelper dependency of apache2-dev. Escape slashes in conditionals.

 -- Stefan Fritsch <email address hidden>  Tue, 20 Mar 2012 21:32:43 +0100
Superseded in experimental-release on 2012-03-21
apache2 (2.4.1-1) experimental; urgency=low


  * Package the upcoming 2.4 branch of Apache by packaging the current
    GA release 2.4.1.
    + Fix "IndexIgnore only allows to add in vhost context, not replace"
      (Closes: #296886)
    + Fix "mod_status stats are wrong." (Closes: #519322)
    + Fix "PNG DirectoryIndex icons transparency messed up" (Closes: #233047)
    + Fix "apache2-common: there should be a possibility to access the
      parsed configuration" (Closes: #350285)
    + Fix "AddOutputFilterByType is deprecated but used in deflate.conf"
      (Closes: #601033)
    + Fixes "Renegotiation on POST request fails intermittently"
      (Closes: #601606)
    + Allows configuring source address for proxy requests. (Closes: #465283)
    + Supports CONNECT request through https. (Closes: #307298)
    + New Upstream (2.4). (Closes: #662115)

  * Refresh patches but leave all hunks unchanged where possible. Give all
    patches a ".patch" suffix, drop sequence numbers as they are not needed when
    using quilt. Notable changes are:
    + [AT] 202_suexec-custom: Keep functionality as is, but rewrite smaller
      parts of the patch to build two binaries: suexec-pristine and
      suexec-custom (see below)
    + [AT] 201_build_suexec-custom: Patch the makefile to build
      "suexec-pristine" instead. Aside of that, refresh hunks.
    + [AT] 010_fhs_compliance: Drop config.layout patches. These have been
      applied upstream
    + [JMV] Drop patches:
      + 004_usr_bin_perl_0wnz_j00: printenv example doesn't refer to
        /usr/local/bin/perl anymore
      + 008_make_include_safe: Include doesn't support directory anymore.
        Include dir/*.conf must be used.
      + 009_apache2_has_dso: Upstream is no longer testing DSO is available. So
        we don't need to remove that test anymore.
    + [AT] customize_apxs.patch: Aggregate changes from various apxs2 patches,
      drop obsolete hunks

  [ Arno Töll ]

  * Rewrite most parts of debian/rules / debhelper configuration.
    + move cronjob and init script to debhelper configuration files
      (apache2.cron.daily and apache2.init respectively)
    + move man pages to debian/manpages
    + Remove Ubuntu hacks in debian/rules, we expect them to carry Ubuntu
      specifics in their own patch set, as it diverges already anyway.
    + shake-up files installed in different packages
    + Do not copy the source tree anymore, build package in place.
  * Push standards version to 3.9.3 - no special changes required
  * Refactor binary packages, now that things have been simplified. MPMs are
    simple modules now; they can be bundled into the same binary package and do
    not need to conflict with each other. Thus, Apache now primarily consists of
    the following packages:
    + apache2 - configuration files and init scripts, Debian specific helper
      scripts
    + apache2-bin - binaries and modules
    + apache2-data - error pages and images
  * Drop the ITK MPM entirely for now
  * Consolidate development packages. As MPM packages are gone, we do not need
    specific development packages either. Thus, drop all MPM specific apache2
    development packages and provide a single apache2-dev package instead.
    (Closes: #428095)
  * Drop debian/source/options again: We do not need to ignore .svn directories
    anymore since the new package management system is based on git and includes
    the full source
  * Rework the suexec mechanism. Now there are two suexec packages providing
    alternatives through the update-alternatives mechanism. The untouched
    upstream "suexec" binary is provided by the apache2-suexec-pristine package,
    whereas the configurable suexec can be found in the apache2-suexec-custom
    package. Both are providing the "suexec" binary which are managed by the
    update-alternatives(9) mechanism.
    This change is transparent to users at runtime and does not need any
    configuration changes.
  * Remove obsolete README.source file.
  * Update doc-base metadata for the apache2-doc package
  * Changes in the default configuration (not specific modules):
    + On the head of the apache2.conf configuration file, give a short summary
      how configuration of the Apache web server works in Debian.
    + Drop NameVirtualHost entirely. It is deprecated (Closes: #511594)
    + Remove DefaultType. It is deprecated.
    + Replace Allow/Deny directives in the default configuration by using the
      new Require directive. Load mod_access_compat if you rely on the old
      syntax
    + Replace LockFile by Mutex which consolidates all lock file
      synchronization files among modules
    + Update configuration to use the new IncludeOptional syntax
    + Enable these modules by default: authz_core authz_host alias cgi dir
    + Move MPM specific configuration to their respective configuration files.
      Users can just load and unload MPMs like other modules, enable the worker
      MPM by default
    + Move per-site global configuration from conf.d to conf-available and
      manage it similar to modules and sites. To do so, the new tools
      "a2enconf" and "a2disconf" are provided. Moreover, such configuration
      files need to have a .conf suffix now. The following configuration
      files are enabled by default: charset localized-error-pages
      other-vhosts-access-log security. These were enabled by default
      previously, too (Closes: #620347, Closes: #605227).
      This holds for apache2-doc as well, which is still enabled by default but
      can be disabled easily anytime by using a2disconf (Closes: #604980).
    + Give site configuration a .conf suffix, too. For example the default vhost
      is called default.conf. Moreover, files without .conf suffix are ignored
      upon startup. Please update your site links and confs. Also rename the
      default vhost to 000-default.conf and don't do hacky things in a2enmod
      anymore.
  * Changes in a2enmod:
    + Parse "Conflicts: " header to denote conflicts between modules which
      cannot be loaded into the same Apache server.
    + Remove dangling "module.conf" files, too. They were forgotten previously
      if they existed and only the "module.load" file was removed.
    + Extend the tool to support conf-available/conf-enabled directories (see
      also configuration changes).
    + Expect a .conf suffix for sites-enabled/sites-available configurations.
    + Remove the default vhost special handling. Instead, we expect the default
      host to be named appropriately (for example 000-default.conf;
      Closes: #605535).
  * The following modules and associated configuration files were removed:
    + mod_authz_default and mod_authn_default: Please use a proper
      authentication module instead
    + mod_mem_cache: Use mod_cache_disk instead
  * The following modules and associated configuration files are provided (but
    not enabled by default):
    access_compat, allowmethods, authz_dbd, cache_disk, data, log_debug, lua
    proxy_express, proxy_fcgi, proxy_fdpass, proxy_html, ratelimit, reflector
    remoteip, request, session, session_cookie, session_crypto, session_dbd
    (Closes: #400881)
  * Provide a dh_apache2 debhelper which can be used by reverse dependencies to
    install modules, module configuration files, site configuration files and
    global configuration files which need to be registered to the Apache web
    server.
    Thus, dh_apache2 can be used for Apache web server modules and web
    applications providing configuration files for Apache.
  * Write apache2-maintscript-helper which packagers can use to interface in a
    reliable way with the Apache 2 web server in maintainer scripts
  * Document programming hints on how to interface with the Apache 2 web server
    for packagers of web applications and module maintainers in
    /usr/share/doc/apache2/PACKAGING.gz.
  * Fix the watch file, thanks to Jean-Michel Vourgère for pointing out the
    problem.
  * Update debian/copyright and switch it to the copyright-format 1.0 (formerly
    known as DEP5)

  [ Stefan Fritsch ]

  * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
  * Only include conf.d/*.conf, not conf.d/*.
  * Don't create httpd.conf anymore. Also, do a proper transition of existing
    httpd.conf files to /etc/apache2/conf-available (Closes: #639383)
  * Add "AddCharset" for .brf files in default mod_mime config.
    (Closes: #402567)
  * Update the README.Debian file

  [ Jean-Michel Vourgère ]

  * Update bash completion functions to reflect the new site setup. (Closes:
    #657492)
  * Migrate patches to DEP-3 format. For particular changes see the summary
    above.

 -- Stefan Fritsch <email address hidden>  Mon, 19 Mar 2012 10:46:02 +0100
Superseded in wheezy-release on 2012-04-16
Superseded in sid-release on 2012-04-07
apache2 (2.2.22-2) unstable; urgency=low


  [ Arno Töll ]
  * Fix "Incorrect debhelper build dependency" by raising the build-dependency
    of debhelper to 8.9.7 (Closes: #659148)

 -- Stefan Fritsch <email address hidden>  Thu, 15 Mar 2012 00:02:31 +0100
Published in lenny-release on 2012-03-10
apache2 (2.2.9-10+lenny12) lenny-security; urgency=high


  * Prevent unintended pattern expansion in some reverse proxy
    configurations by strictly validating the request-URI. Fixes
    CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
  * CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local
    privilege escalation.
  * CVE-2012-0031: Fix client process being able to crash parent process
    during shutdown.
  * CVE-2012-0053: Fix an issue in code 400 error responses that could expose
    "httpOnly" cookies.

 -- Stefan Fritsch <email address hidden>  Sun, 05 Feb 2012 21:56:02 +0100
Superseded in wheezy-release on 2012-03-25
Superseded in sid-release on 2012-03-16
apache2 (2.2.22-1) unstable; urgency=medium


  [ Stefan Fritsch ]
  * New upstream release, urgency medium due to security fixes:
    - Fix CVE-2012-0021: mod_log_config: DoS with '%{cookiename}C' log format
    - Fix CVE-2012-0031: Unprivileged child process could cause the parent to
      crash at shutdown
    - Fix CVE-2012-0053: Exposure of "httpOnly" cookies in code 400 error
      message.
  * Move httxt2dbm to apache2-utils
  * Adjust debian/control to point to new git repository.

  [ Arno Töll ]
  * Fix "typo in /etc/apache2/apache2.conf" (Closes: #653801)

 -- Stefan Fritsch <email address hidden>  Wed, 01 Feb 2012 21:49:04 +0100
Superseded in wheezy-release on 2012-02-07
Superseded in sid-release on 2012-02-04
apache2 (2.2.21-5) unstable; urgency=low


  [ Arno Töll ]
  * Fix build failures introduced as regression by the previous build. Debian
    buildds aren't rebuilding arch:all packages which caused problems for our
    unconditional copying into binary package. I was warned.

 -- Stefan Fritsch <email address hidden>  Thu, 29 Dec 2011 17:36:41 +0100
Superseded in sid-release on 2011-12-30
apache2 (2.2.21-4) unstable; urgency=low


  [ Stefan Fritsch ]

  * Security: Fix broken patch for CVE-2011-3607 (Integer overflow in
    ap_pregsub).
  * Optimize debian/rules again to improve build time by doing most work in a
    single parallelized "build-%" target.

  [ Arno Töll ]

  * Fix "Suggest removing DefaultType from apache2.conf" change the DefaultType
    from text/plain to None. This lets the browser guess a proper MIME type
    instead of being forced to treat a given file according to our default type
    (Closes: #440058)
  * Fix "add pre-rotate hook to logrotate script" execute scripts in
    /etc/logrotate.d/httpd-prerotate if available (Closes: #590096).
  * Fix "Hide /icons index" Disables indexes on the icon directory. By upgrading
    to Debian's 3.0/quilt source format also images don't need to be generated
    at build time anymore. Hence, the icon date can no longer lead to
    information disclosure (Closes: #649888).
  * Upgrade package to 3.0/quilt.
    + Remove uuencoded images, keep them in their binary format in debian/icons
    + Upgrade to quilt from dpatch and refresh all patches by keeping all hunks
      unchanged. Remove the `001_branding' patch by supplying -DPLATFORM at
      build time where needed. Move the 200_cp_suexec.dpatch patch and
      202_suexec-custom.dpatch patch to debian/rules. 200_cp_suexec.dpatch was a
      script, not a patch, which is not supported by quilt.
  * Rewrite debian/rules and base it on dh(1).
    + use overrides where possible, replace some debhelper calls by our own
      implementation where needed. That's required since the Apache package is
      compiled in parts several times for each MPM once.
    + move some install operations to their respective .install files
    + Support dpkg-buildflags now, which also enables by default hardening
      flags. Thus, remove them from their explicit appearance in debian/rules
    + Remove DEB_BUILD_OPTIONS legacy support. It comes for free when using
      dh(1)/dpkg-buildflags(1).
  * Push debhelper compatibility to 8
  * Remove unused Lintian overrides for the Debian source package remove and
    redundant priorities in debian/control.
  * Add myself to Uploaders

 -- Stefan Fritsch <email address hidden>  Thu, 29 Dec 2011 12:09:14 +0100
Superseded in wheezy-release on 2012-01-09
Superseded in sid-release on 2011-12-31
apache2 (2.2.21-3) unstable; urgency=medium


  * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
    reverse proxy configurations. (Similar to CVE-2011-3368, but different
    attack vector.)
  * Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
    via malicious .htaccess.
  * Mention dpkg-statoverride for changing permissions of suexec. LP: #897120
  * Fix broken link in docs. Closes: #650528
  * Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders.
    Thanks for your work in the past.

 -- Stefan Fritsch <email address hidden>  Sat, 03 Dec 2011 18:54:03 +0100
Superseded in wheezy-release on 2011-12-09
Superseded in sid-release on 2011-12-08
apache2 (2.2.21-2) unstable; urgency=high


  * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
    reverse proxy configurations by strictly validating the request-URI.
  * Correctly set permissions of suexec.load even if umask is 0002 during
    build. LP: #872000

 -- Stefan Fritsch <email address hidden>  Tue, 11 Oct 2011 22:54:47 +0200
Superseded in squeeze-release on 2012-05-12
apache2 (2.2.16-6+squeeze4) squeeze; urgency=low


  * Fix CVE-2011-3348: Possible denial of service in mod_proxy_ajp
    if combined with mod_proxy_balancer.
  * Make exit code of '/etc/init.d/apache2 status' more LSB compatible.
    Closes: #613969
  * Fix typo in init script. Closes: #615866
  * For multiple instance setups, correctly determine the config dir in the
    init script if it is called via a start/stop link. Closes: #627061
  * Add hint in README.Debian about 403 error with mod_dav PUT.
    Closes: #613438
  * Add hint in README.Debian about how to increase max number of open
    files. Closes: #615632
  * Make it clear in README.multiple-instances that the MPMs are shipped
    in the apache2.2-bin package.
  * Tweak patch header to fix "dpatch unapply" with unstable's patch/dpatch.

 -- Stefan Fritsch <email address hidden>  Mon, 26 Sep 2011 00:12:23 +0200
Superseded in lenny-release on 2012-03-10
apache2 (2.2.9-10+lenny11) lenny-security; urgency=high


  * Fix regressions related to range requests introduced by 2.2.9-10+lenny10.
    Closes: #639825

 -- Stefan Fritsch <email address hidden>  Sun, 04 Sep 2011 22:09:38 +0200
Superseded in wheezy-release on 2011-10-14
Superseded in sid-release on 2011-10-12
apache2 (2.2.21-1) unstable; urgency=low


  * New upstream release.
    - Fixes CVE-2011-3348: Possible denial of service in mod_proxy_ajp
      if combined with mod_proxy_balancer

 -- Stefan Fritsch <email address hidden>  Mon, 26 Sep 2011 18:16:11 +0200
Superseded in wheezy-release on 2011-10-07
Superseded in sid-release on 2011-09-27
apache2 (2.2.20-1) unstable; urgency=low


  * New upstream release.
  * Fix some regressions related to Range requests caused by the CVE-2011-3192
    fix. Closes: #639825
  * Add build-arch and build-indep rules targets to make Lintian happy.
  * Bump Standards-Version (no changes).

 -- Stefan Fritsch <email address hidden>  Sun, 04 Sep 2011 21:50:22 +0200
Superseded in wheezy-release on 2011-09-21
Superseded in sid-release on 2011-09-20
apache2 (2.2.19-2) unstable; urgency=high


  * Fix CVE-2011-3192: DoS by high memory usage for a large number of
    overlapping ranges.
  * Reduce default KeepAliveTimeout from 15 to 5 seconds.
  * Use "linux-any" in build-deps. Closes: #634709
  * Improve reload message of a2enmod. Closes: #639291
  * Improve description of the prefork MPM. Closes: #634242
  * Mention .conf files in a2enmod man page. Closes: #634834

 -- Stefan Fritsch <email address hidden>  Mon, 29 Aug 2011 17:08:17 +0200
Superseded in squeeze-release on 2011-10-08
apache2 (2.2.16-6+squeeze1) stable-security; urgency=high


  * Fix CVE-2011-1176 in apache2-mpm-itk: If NiceValue was set, the default
    with no AssignUserID was to run as root:root instead of the default Apache
    user and group. Closes: #618857

 -- Stefan Fritsch <email address hidden>  Tue, 22 Mar 2011 21:44:39 +0100
Superseded in wheezy-release on 2011-09-21
Superseded in sid-release on 2011-09-20
apache2 (2.2.19-1) unstable; urgency=low


  * New upstream release.
    - Makes apr-md5 the default algorithm for htpasswd, removing the 8
      character limit of the crypt()-algorithm. Closes: #539246
    - Fixes merging of IndexOptions. Closes: #394688
    - Documents why order of ProxyPass and <Proxy> blocks matters in the
      configuration. See "Workers" section in the mod_proxy documentation.
      Closes: #560020
  * For multiple instance setups, correctly determine the config dir in the
    init script if it is called via a start/stop link. Closes: #627061
  * Make a2enmod's restart hint more cut'n'paste friendly. LP: #770204
  * Make it clear in README.multiple-instances that the MPMs are shipped
    in the apache2.2-bin package.

 -- Stefan Fritsch <email address hidden>  Sun, 22 May 2011 10:21:21 +0200
Superseded in wheezy-release on 2011-09-21
Superseded in sid-release on 2011-09-20
apache2 (2.2.17-3) unstable; urgency=low


  * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
  * Fix link errors with -no-add-needed/--no-copy-dt-needed-entries in
    htpasswd/htdbm.

 -- Stefan Fritsch <email address hidden>  Sun, 10 Apr 2011 20:43:55 +0200
Superseded in wheezy-release on 2011-09-21
Superseded in sid-release on 2011-09-20
apache2 (2.2.17-2) unstable; urgency=high


  * New mpm_itk upstream version 2.2.17-01:
    - Fix CVE-2011-1176: If NiceValue was set, the default with no
      AssignUserID was to run as root:root instead of the default Apache user
      and group, due to the configuration merger having an incorrect default
      configuration. Closes: #618857
  * Make exit code of '/etc/init.d/apache2 status' more LSB compatible.
    Closes: #613969
  * Set the default file descriptor limit to 8192 instead of whatever the
    current limit is (usually 1024). Document how to change it in
    /etc/apache2/envvars . Closes: #615632
  * Fix typo in init script. Closes: #615866
  * Add hint in README.Debian about 403 error with mod_dav PUT. Closes: #613438
  * Remove some obsolete Depends and Replaces.

 -- Stefan Fritsch <email address hidden>  Mon, 21 Mar 2011 23:01:17 +0100
Superseded in wheezy-release on 2011-09-21
Superseded in sid-release on 2011-09-20
apache2 (2.2.17-1) unstable; urgency=low


  * New upstream version
  * Disable md5 in mod_ssl default cipher suite. Closes: #609126
  * Fix order of comments in "worker" section in apache2.conf. Closes: #608488

 -- Stefan Fritsch <email address hidden>  Tue, 15 Feb 2011 23:30:18 +0100
Superseded in lenny-release on 2011-10-01
apache2 (2.2.9-10+lenny9) stable-security; urgency=high


  * Add the new SSLInsecureRenegotiation directive to configure if clients
    that have not been patched to support secure renegotiation (RFC 5746)
    are allowed to connect (CVE-2009-3555).
    Together with the recent openssl upgrade, this closes: #587037
    This upgrade also adds support for the SSL_SECURE_RENEG variable, to
    allow testing if secure renegotiation is supported by the client.

 -- Stefan Fritsch <email address hidden>  Sat, 11 Dec 2010 19:45:28 +0100
Superseded in wheezy-release on 2011-09-21
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.16-6) unstable; urgency=low


  * Also add $named to the secondary-init-script example.

 -- Stefan Fritsch <email address hidden>  Sat, 01 Jan 2011 22:55:15 +0100
Superseded in sid-release on 2011-09-20
apache2 (2.2.16-5) unstable; urgency=medium


  * Add $named to the init script dependency header, since apache depends on
    DNS in some configurations. Closes: #608437
  * Update outdated description of /etc/apache2/magic in README.Debian.
    Closes: #603586

 -- Stefan Fritsch <email address hidden>  Fri, 31 Dec 2010 01:22:19 +0100
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.16-4) unstable; urgency=medium


  * Increase the mod_reqtimeout default timeouts to avoid potential problems
    with CRL-requesting browsers. Also extend the comments in reqtimeout.conf.
  * Remove bogus comment in conf.d/security about default in the "release
    after Lenny".
  * Clarify comments in suexec-custom's default config file. LP: #673289

 -- Stefan Fritsch <email address hidden>  Sun, 14 Nov 2010 19:05:55 +0100
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.16-3) unstable; urgency=high


  * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
  * Fix "Could not reliably determine the server's ..." error message in
    README.Debian, to make it easier to search for it.  Closes: #590528

 -- Stefan Fritsch <email address hidden>  Sat, 09 Oct 2010 20:59:34 +0200
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.16-2) unstable; urgency=low


  * Force -j1 for 'make install' to fix occasional FTBFS. Closes: #593036
  * Add a note about the new behaviour of SSL/TLS renegotiation and the new
    directive SSLInsecureRenegotiation to NEWS.Debian. Closes: #593334
  * Support 'graceful' as alias for 'reload' in the init script.
  * In README.Debian, suggest an Apache configuration change to get rid of the
    "Could not reliably determine the server's fully qualified domain name"
    warning, as alternative to changing DNS or /etc/hosts.  Closes: #590528
  * Add notes to README.Debian on how to reduce memory usage.
  * Bump Standards-Version (no changes).

 -- Stefan Fritsch <email address hidden>  Sun, 29 Aug 2010 15:29:21 +0200
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.16-1) unstable; urgency=medium


  * Urgency medium for security fix.
  * New upstream release:
    - CVE-2010-1452: mod_dav, mod_cache: Fix denial of service vulnerability
      due to incorrect handling of requests without a path segment.
    - mod_dir: add FallbackResource directive, to enable admin to specify
      an action to happen when a URL maps to no file, without resorting
      to ErrorDocument or mod_rewrite
  * Fix mod_ssl header line corruption because of using memcpy for overlapping
    buffers. PR 45444. LP: #609290, #589611, #595116

 -- Stefan Fritsch <email address hidden>  Sat, 24 Jul 2010 22:18:43 +0200
Superseded in sid-release on 2011-09-20
apache2 (2.2.15-6) unstable; urgency=low


  * Fix init script not correctly killing htcacheclean. Closes: #580971
  * Add a separate entry in README.Debian about the need to use apache2ctl
    for starting instead of calling apache2 directly. Closes: #580445
  * Fix debug info to allow gdb loading it automatically. Closes: #581514
  * Fix install target in Makefile created by apxs2 -n. Closes: #588787
  * Fix ab sending more requests than specified by the -n parameter.
    Closes: #541158
  * Add apache2 monit configuration to apache2.2-commons examples dir.
    Closes: #583127
  * Build as PIE, since gdb in squeeze now supports it.
  * Update the postrm script to also purge the version of /var/www/index.html
    introduced in 2.2.11-7.
  * Bump Standards-Version (no changes).

 -- Stefan Fritsch <email address hidden>  Fri, 16 Jul 2010 23:41:08 +0200
Superseded in lenny-release on 2011-09-13
apache2 (2.2.9-10+lenny8) stable; urgency=low


  * Add missing psmisc dependency for killall used in the init script.
    Closes: #568542
  * Fix potential memory leaks related to the usage of apr_brigade_destroy().

 -- Stefan Fritsch <email address hidden>  Mon, 19 Apr 2010 21:17:33 +0200
Superseded in sid-release on 2011-09-20
Superseded in squeeze-release on 2011-09-13
apache2 (2.2.15-5) unstable; urgency=low


  * Conflict with apache package as we now include apachectl. Closes: #579065
  * Remove conflicts with old apache 2.0 modules. The conflicts are not
    necessary anymore as skipping a stable release is not supported anyway.
  * Silence the grep in preinst.

 -- Stefan Fritsch <email address hidden>  Sun, 25 Apr 2010 10:46:09 +0200
Superseded in sid-release on 2011-09-20
apache2 (2.2.15-3) unstable; urgency=low


  * mod_reqtimeout: backport bugfixes from upstream trunk up to r928881,
    including a fix for mod_proxy CONNECT requests.
  * mod_dav_fs: Use correct permissions when creating new files. LP: #540747

 -- Stefan Fritsch <email address hidden>  Mon, 29 Mar 2010 22:16:24 +0200
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.15-2) unstable; urgency=low


  * Make the Files ~ "^\.ht" block in apache2.conf more secure by adding
    Satisfy all. Closes: #572075
  * mod_reqtimeout: Various bug fixes, including:
    - Don't mess up timeouts of mod_proxy's backend connections.
      Closes: #573163

 -- Stefan Fritsch <email address hidden>  Wed, 10 Mar 2010 21:06:06 +0100
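Two entries on this page change how the same access-control intent is written: the 2.2.15-2 entry above adds "Satisfy all" to the Files ~ "^\.ht" block, and the 2.4 transition entry earlier on this page (dated 19 Mar 2012) replaces Allow/Deny with Require and moves the old syntax into mod_access_compat. The following is an added configuration example, not Debian's shipped apache2.conf; the /srv/www/admin path and the 192.0.2.0/24 network are constructed sample values.

```apache
# Added example, not Debian's shipped configuration. The same two rules are
# written first in the Apache 2.2 syntax, then in the Apache 2.4 syntax.
# /srv/www/admin and 192.0.2.0/24 are constructed sample values.

# ---- Apache 2.2 style: Order / Allow / Deny / Satisfy ----

# Keep .htaccess and .htpasswd from being served. "Satisfy all" requires the
# host-based check AND any user authentication to pass; without it, a
# "Satisfy any" inherited from an enclosing context (common with Basic auth)
# would let an authenticated user bypass "Deny from all" and fetch the file.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

# Host-based restriction: only the sample network may reach the admin tree.
<Directory /srv/www/admin>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
</Directory>

# ---- Apache 2.4 style: mod_authz_core "Require" ----

# "Require all denied" is absolute for this match; Satisfy no longer applies
# in 2.4 (it survives only in mod_access_compat), so the bypass above cannot
# occur. Host and user conditions are combined with RequireAll/RequireAny.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# The deny-all-then-allow-network pair collapses into a single directive.
<Directory /srv/www/admin>
    Require ip 192.0.2.0/24
</Directory>

# Only if legacy site files still contain Order/Allow/Deny: enable the
# compatibility module with "a2enmod access_compat". Upstream discourages
# mixing those directives with Require in the same section; migrate the
# section instead of layering the two syntaxes.
```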
Superseded in sid-release on 2011-09-20
apache2 (2.2.15-1) unstable; urgency=low


  * New upstream version:
    - CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability
    - CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol
      prefix injection attack.
    - CVE-2010-0434: mod_headers: Fix potential information leak with threaded
      MPMs.
    - mod_reqtimeout: New module limiting the time waiting for receiving
      a request from the client. This is a (partial) mitigation against
      slowloris-type resource exhaustion attacks. The module is enabled by
      default. Closes: #533661
    - mod_ssl: Add SSLInsecureRenegotiation directive to allow insecure
      renegotiation with clients which do not yet support the secure
      renegotiation protocol. As this requires openssl 0.9.8m, bump
      build dependency accordingly.
  * Fix bash completion for a2ensite if the site name contains 'conf' or
    'load'. Closes: #572232
  * Do a configcheck in the init script before doing a non-graceful restart.
    Closes: #571461

 -- Stefan Fritsch <email address hidden>  Sun, 07 Mar 2010 23:22:56 +0100
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.14-7) unstable; urgency=low


  * Fix potential memory leaks related to the usage of apr_brigade_destroy().
  * Add hints about correct mod_dav_fs configuration to README.Debian.
    Closes: #257945
  * Fix error in Polish translation of 404 error page. Closes: #570228
  * Document ThreadLimit in apache2.conf's comments.

 -- Stefan Fritsch <email address hidden>  Sat, 20 Feb 2010 12:38:30 +0100
Superseded in sid-release on 2011-09-20
apache2 (2.2.14-6) unstable; urgency=low


  * Use environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR, and
    APACHE_LOG_DIR in the default configuration. If you have modified
    /etc/apache2/envvars, make sure that these variables are set and exported.
  * Add support for multiple apache2 instances to initscript and apache2ctl.
    See /usr/share/doc/apache2.2-common/README.multiple-instances for details.
    Closes: #353450
  * Set default compiled-in ServerRoot to /etc/apache2 and make paths in
    apache2.conf relative to ServerRoot.
  * Move ab and logresolve from /usr/sbin to /usr/bin. Closes: #351450, #564061
  * Fix symlinks in apache2-dbg package. Closes: #567076
  * Fix mod_cache CacheIgnoreURLSessionIdentifiers handling. Closes: #556383
  * Add new init script action graceful-stop (LP: #456381)
  * Add more languages to mime.conf. To limit this to useful entries, we only
    add those for which a translation of the Debian installer exists. LP: #217964
  * Unset $HOME in /etc/apache2/envvars.
  * Change default config of mod_info and mod_status to use IP addresses
    instead of hostnames. Otherwise the hostname is sometimes logged even with
    'HostnameLookup Off'. Closes: #568409
  * Add a hook to apache2.2-common's postrm script that may come in handy
    when upgrading to 2.4.
  * Make bug script also display php extensions.
  * Bump Standards-Version (no changes).
  * Remove Adam Conrad from Uploaders. Thanks for your work in the past.

 -- Stefan Fritsch <email address hidden>  Sun, 07 Feb 2010 17:29:45 +0100
Superseded in lenny-release on 2011-09-13
apache2 (2.2.9-10+lenny6) stable-security; urgency=high


  * Security:
    - Reject any client-initiated SSL/TLS renegotiations. This is a partial fix
      for the TLS renegotiation prefix injection attack (CVE-2009-3555).
      Any configuration which requires renegotiation for per-directory/location
      access control or uses "SSLVerifyClient optional" is still vulnerable.

 -- Stefan Fritsch <email address hidden>  Sat, 14 Nov 2009 21:10:47 +0100
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.14-5) unstable; urgency=low


  * Security: Further mitigation for the TLS renegotiation attack
    (CVE-2009-3555): Disable keep-alive if parts of the next request have
    already been received when doing a renegotiation. This defends against
    some request splicing attacks.
  * Print a useful error message if 'apache2ctl status' fails. Add a comment
    to /etc/apache2/envvars on how to change the options for www-browser.
    Closes: #561496, #272069
  * Improve function to detect apache2 pid in init-script (closes: #562583).
  * Add hint README.Debian on how to pass auth info to CGI scripts.
    Closes: #483219
  * Re-introduce objcopy magic to avoid dangling symlinks to the debug info
    in the mpm packages. Closes: #563278
  * Make apxs2 use a2enmod and /etc/apache2/mods-available. Closes: #470178,
    LP: #500703
  * Point to README.backtrace in apache2-dbg's description.
  * Use more debhelper functions to simplify debian/rules.
  * Add misc-depends to various packages to make lintian happy.
  * Change build-dep from libcap2-dev to libcap-dev because of package rename.

 -- Stefan Fritsch <email address hidden>  Sat, 02 Jan 2010 22:44:15 +0100
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.14-4) unstable; urgency=low


  * Disable localized error pages again by default because they break
    configurations with "<Location /> SetHandler ...". A workaround is
    described in the comments in /etc/apache2/conf.d/localized-error-pages
    (closes: #543333).
  * mod_rewrite: Fix URLs in redirects with literal IPv6 hosts
    (closes: #557015).
  * Automatically listen on port 443 if mod_gnutls is loaded (closes: #558234).
  * Add man page for split-logfile.
  * Link with -lcrypt where necessary to fix a FTBFS with binutils-gold
    (closes: #553946).

 -- Stefan Fritsch <email address hidden>  Sun, 13 Dec 2009 20:05:37 +0100
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.14-3) unstable; urgency=low


  * Backport various mod_dav/mod_dav_fs fixes from upstream trunk svn. This
    includes:
    - Make PUT replace files atomically (closes: #525137).
    - Make MOVE not delete the destination if the source file disappeared in
      the meantime (closes: #273476).
    NOTE: The format of the DavLockDB has changed. The default DavLockDB will
    be deleted on upgrade. Non-default DavLockDBs should be deleted manually.
  * Fix output of "/etc/init.d/apache2 status" (closes: #555687).
  * Update the comment about SNI in ports.conf (closes: #556932).
  * Set redirect-carefully for Konqueror/4.

 -- Stefan Fritsch <email address hidden>  Sat, 21 Nov 2009 10:20:54 +0100
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.14-2) unstable; urgency=medium


  * Security:
    Reject any client-initiated SSL/TLS renegotiations. This is a partial fix
    for the TLS renegotiation prefix injection attack (CVE-2009-3555).
    Any configuration which requires renegotiation for per-directory/location
    access control is still vulnerable.
  * Allow RemoveType to override the types from /etc/mime.types. This allows
    using .es and .tr for Spanish and Turkish files in mod_negotiation.
    Closes: #496080
  * Fix 'CacheEnable disk http://'. Closes: #442266
  * Fix missing dependency by changing killall to pkill in the init script.
    LP: #460692
  * Add X-Interactive header to init script as it may ask for the ssl key
    passphrase. Closes: #554824
  * Move httxt2dbm man page into apache2.2-bin, which includes httxt2dbm, too.
  * Enable keepalive for MSIE 7 and newer in default-ssl site and README.Debian

 -- Stefan Fritsch <email address hidden>  Sat, 07 Nov 2009 14:37:37 +0100
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.14-1) unstable; urgency=low


  * New upstream version:
    - new module mod_proxy_scgi
  * Disable hardening option -pie again, as gdb in Debian does not support
    it properly and it is broken on mips*.

 -- Stefan Fritsch <email address hidden>  Tue, 29 Sep 2009 20:55:05 +0200
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.13-2) unstable; urgency=high


  * mod_proxy_ftp security fixes (closes: #545951):
    - DoS by malicious ftp server (CVE-2009-3094)
    - missing input sanitization: a user could execute arbitrary ftp commands
      on the backend ftp server (CVE-2009-3095)
  * Add entries to NEWS.Debian and README.Debian about Apache being stricter
    about certain misconfigurations involving name based SSL virtual hosts.
    Also make Apache print the location of the misconfigured VirtualHost when
    it complains about a missing SSLCertificateFile statement. Closes: #541607
  * Add Build-Conflicts: autoconf2.13 (closes: #541536).
  * Adjust priority of apache2-mpm-itk to extra.
  * Switch apache2.2-common and the four mpm packages from architecture all to
    any. This is stupid but makes apache2 binNMUable again (closes: #544509).
  * Bump Standards-Version (no changes).

 -- Stefan Fritsch <email address hidden>  Wed, 16 Sep 2009 20:55:02 +0200
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.13-1) unstable; urgency=low


  * New upstream release:
    - Fixes segfault with mod_deflate and mod_php (closes: #542623).

 -- Stefan Fritsch <email address hidden>  Mon, 31 Aug 2009 20:28:56 +0200
Superseded in lenny-release on 2011-09-13
apache2 (2.2.9-10+lenny4) stable-security; urgency=high


  * Security fixes:
    - CVE-2009-1890: denial of service in mod_proxy (closes: #536718)
    - CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
      Also prevent compressing the content for HEAD requests.

 -- Stefan Fritsch <email address hidden>  Tue, 14 Jul 2009 21:53:01 +0200
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.12-1) unstable; urgency=low


  * New upstream release:
    - Adds support for TLS Server Name Indication (closes: #461917 LP: #184131).
      (The Debian default configuration will be changed to use SNI in a later
      version.)
    - Fixes timefmt config in SSI (closes: #363964).
    - mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
      to enable stricter checking of remote server certificates.
  * Make mod_deflate not compress the content for HEAD requests. This is a
    similar issue as CVE-2009-1891.
  * Enable hardening compile options.
  * Switch default LogFormat from %b (size of file sent) to %O (bytes actually
    sent) (closes: #272476 LP: #255124)
  * Add the default LANG=C to /etc/apache2/envvars and document it in
    README.Debian (closes: #511878).
  * Enable localized error pages by default if the necessary modules are
    loaded. Move the config for it from apache2.conf to
    /etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the
    required order of the aliases in the comment (closes: #196795).
  * Change default for ServerTokens to 'OS', to not announce the exact module
    versions to the world (LP: #205996)
  * Make a2ensite and friends ignore the same filenames as apache does for
    included config files, even if LANG is not C.
  * Merge source packages apache2 and apache2-mpm-itk (current itk version is
    2.2.11-02). This removes the binNMU mess necessary for every apache2 upload
    (closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src
    package, which is no longer necessary.
  * Ship our own version of the magic config file (taken from file 4.17-5etch3)
    which is still compatible with mod_mime_magic (closes: #483111).
  * Add ThreadLimit to the default config and put ThreadsPerChild and
    MaxClients into the correct order so that Apache does not complain
    (closes: #495656).
    Also add a configuration block for the event MPM in apache2.conf.
  * Fix HTTP PUT with mod_dav failing to detect an aborted connection
    (closes: #451563).
  * Change references to httpd.conf in apache2-doc to apache2.conf
    (closes: #465393).
  * Clarify the recommended permissions for SSL certificates in README.Debian
    (closes: #512778).
  * Document in README.Debian how to name files in conf.d to avoid conflicts
    with packages (closes: #493252)
  * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
  * Remove other_vhosts_access.log on package purge.

 -- Stefan Fritsch <email address hidden>  Tue, 04 Aug 2009 11:02:34 +0200
Superseded in sid-release on 2011-09-20
apache2 (2.2.11-7) unstable; urgency=low


  * Security fixes:
    - CVE-2009-1890: denial of service in mod_proxy
    - CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
  * Add symlinks for the debug info to the mpm packages.
  * Be slightly more informative in the default index.html without pointing
    to Apache or Debian (LP: #89364)
  * Remove dependency on net-tools, which is no longer necessary
    (closes: #535849)
  * Bump Standards-Version (no changes)

 -- Stefan Fritsch <email address hidden>  Fri, 10 Jul 2009 22:42:57 +0200
Superseded in squeeze-release on 2011-09-13
apache2 (2.2.11-6) unstable; urgency=high


  * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
    Side Includes (closes: #530834).
  * Fix postinst scripts (closes: #532278).

 -- Stefan Fritsch <email address hidden>  Mon, 08 Jun 2009 19:22:58 +0200
Superseded in sid-release on 2011-09-20
apache2 (2.2.11-4) unstable; urgency=low


  [ Stefan Fritsch ]
  * Disable TRACE method by default (closes: #492130).
  * Compress some more mime types with mod_deflate by default. This may cause
    problems with MSIE 6, but that browser should now be considered obsolete.
    Closes: #397526, #521209
  * Various backports from upstream svn branches/2.2.x:
    - CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous
      request which failed to send a request body
    - Fix FollowSymlinks / SymlinksIfOwnerMatch ignored with
      server-side-includes PR 45959 (closes: #524474)
    - Fix mod_rewrite "B" flag breakage PR 45529 (closes: #524268)
    - Fix mod_deflate etag handling PR 45023 (LP: #358314)
    - Fix mod_ldap segfault if LDAP initialization failed PR 45994
  * Allow apache2-mpm-itk as alternate dependency in apache2 meta package
    (closes: #527225).
  * Fix some misuse of command substitution in the init script. Thanks to
    Jari Aalto for the patch. (Closes: #523398)
  * Extend the gnome-vfs DAV workaround to gvfs (closes: #522845).
  * Add more info to check_forensic man page (closes: #528424).
  * Make "apache2ctl help" point to help on apache2 args (closes: #528425).
  * Lintian warnings:
    - fix spelling error in apache2-utils description
    - tweak debian/copyright to make lintian not complain about pointers to GPL
    - bump standards-version (no changes)

  [ Peter Samuelson ]
  * Adjust sections to match recent ftpmaster overrides.

 -- Stefan Fritsch <email address hidden>  Tue, 19 May 2009 22:55:27 +0200
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
apache2 (2.2.11-3) unstable; urgency=low


  * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
    (see #521899). This also creates the dependencies on the new external
    libaprutil1-dbd-* and libaprutil1-ldap packages.

 -- Stefan Fritsch <email address hidden>  Tue, 31 Mar 2009 21:07:26 +0200
Superseded in lenny-release on 2011-09-13
apache2 (2.2.9-10+lenny2) testing-proposed-updates; urgency=low


  * Report an error instead of segfaulting when apr_pollset_create
    fails (PR 46467). On Linux kernels since 2.6.27.8, the value in
    /proc/sys/fs/epoll/max_user_instances needs to be larger than twice the
    value of MaxClients in the Apache configuration. Closes: #511103

 -- Stefan Fritsch <email address hidden>  Tue, 20 Jan 2009 18:17:27 +0100
Superseded in sid-release on 2011-09-20
Superseded in squeeze-release on 2011-09-13
apache2 (2.2.11-2) unstable; urgency=low


  * Report an error instead of segfaulting when apr_pollset_create
    fails (PR 46467). On Linux kernels since 2.6.27.8, the value in
    /proc/sys/fs/epoll/max_user_instances needs to be larger than twice the
    value of MaxClients in the Apache configuration. Closes: #511103

 -- Stefan Fritsch <email address hidden>  Fri, 16 Jan 2009 19:01:59 +0100
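Several entries above change configuration defaults for security or correctness reasons: ServerTokens lowered to OS so module versions are not announced, the TRACE method disabled, the access LogFormat moved from %b to %O, and the kernel rule that /proc/sys/fs/epoll/max_user_instances must exceed twice MaxClients or apr_pollset_create fails. The following audit script is an added example, not code from the Debian apache2 package; it checks a configuration for those four points. The sample configuration, the function names and the `mpm_worker_module` section name it looks in are assumptions made for the example, and the epoll limit is passed in as a number (in production it would be read from /proc) so the script runs offline.

```python
"""Audit an Apache 2.2-style configuration for the defaults discussed in the
changelog entries above.  Added example; not part of the apache2 package."""
import re

# Constructed sample, not a real Debian apache2.conf.  It deliberately carries the
# pre-hardening values so that every check below produces a finding.
SAMPLE_CONF = """\
# Global settings
ServerTokens Full
TraceEnable On
<IfModule mpm_worker_module>
    StartServers          2
    MaxClients          150
    ThreadsPerChild      25
</IfModule>
LogFormat "%h %l %u %t \\"%r\\" %>s %b" common
"""

_OPEN = re.compile(r'<(\w+)\s+(.*?)\s*>$')


def parse_directives(text):
    """Return (section, name, args) tuples in file order.  `section` is the
    argument of the innermost enclosing container (e.g. 'mpm_worker_module'
    for <IfModule mpm_worker_module>) or None at top level.  Only full-line
    comments are comments in Apache syntax, so a '#' inside a quoted
    LogFormat string is preserved."""
    directives = []
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('</'):
            if stack:
                stack.pop()
            continue
        opened = _OPEN.match(line)
        if opened:
            stack.append(opened.group(2))
            continue
        parts = line.split(None, 1)
        args = parts[1].strip() if len(parts) > 1 else ''
        directives.append((stack[-1] if stack else None, parts[0], args))
    return directives


def last_value(directives, name, section=None):
    """Apache applies the last occurrence of a directive, so return that one."""
    hits = [args for sec, n, args in directives
            if n.lower() == name.lower() and (section is None or sec == section)]
    return hits[-1] if hits else None


def epoll_limit_sufficient(max_user_instances, max_clients):
    """Rule from the changelog: on Linux kernels since 2.6.27.8 the value of
    fs.epoll.max_user_instances must be larger than twice MaxClients."""
    return max_user_instances > 2 * max_clients


def audit(conf_text, mpm='mpm_worker_module', epoll_max_user_instances=None):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(conf_text)
    findings = []

    # Apache's built-in default is Full; the Debian default became OS.
    tokens = last_value(d, 'ServerTokens')
    if tokens is None or tokens.lower() == 'full':
        findings.append(f'ServerTokens is {tokens or "unset (Full)"}; set it to OS or Prod')

    # Apache's built-in default is On; the Debian default became Off.
    trace = last_value(d, 'TraceEnable')
    if trace is None or trace.lower() != 'off':
        findings.append(f'TraceEnable is {trace or "unset (On)"}; set it to Off')

    # %b logs the size of the file sent, %O (mod_logio) the bytes actually sent.
    for _sec, name, args in d:
        if name.lower() != 'logformat':
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"\s*(\S*)', args)
        if not m:
            continue
        fmt, nick = m.group(1), m.group(2) or '(unnamed)'
        if '%b' in fmt and '%O' not in fmt:
            findings.append(f'LogFormat {nick} uses %b; use %O for bytes actually sent')

    max_clients = last_value(d, 'MaxClients', section=mpm)
    if max_clients is not None and epoll_max_user_instances is not None:
        mc = int(max_clients)
        if not epoll_limit_sufficient(epoll_max_user_instances, mc):
            findings.append(f'fs.epoll.max_user_instances={epoll_max_user_instances} '
                            f'is not above 2*MaxClients={2 * mc}; apr_pollset_create may fail')
    return findings


if __name__ == '__main__':
    # 128 is a constructed sysctl value, chosen to be below 2*150.
    for finding in audit(SAMPLE_CONF, epoll_max_user_instances=128):
        print('WARN:', finding)
```

Run against the sample it reports all four problems; once ServerTokens is set to OS, TraceEnable to Off, the format switched to %O and the sysctl raised above 300, `audit` returns an empty list.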
Superseded in sid-release on 2011-09-20
apache2 (2.2.11-1) unstable; urgency=low


  [Thom May]
  * New Upstream Version (Closes: #508186, LP: #307397)
    - Contains rewritten shmcb code which should fix alignment problems on
      alpha (Closes: #419720).
    - Notable new features: chroot support, mod_proxy improvements.

  [Ryan Niebur]
  * fix segfault in ab when being verbose on ssl sites (Closes: #495982)
  * remove trailing slash for DocumentRoot (Closes: #495110)

 -- Stefan Fritsch <email address hidden>  Sun, 14 Dec 2008 09:34:24 +0100
Superseded in lenny-release on 2011-09-13
apache2 (2.2.9-10+lenny1) testing-proposed-updates; urgency=low


  * Regression fix from upstream svn for mod_proxy:
    Prevent segmentation faults by correctly adjusting the lifetime of the
    buckets read from the proxy backend. PR 45792
  * Fix from upstream svn for mpm_worker:
    Crosscheck that idle workers are still available before using them and
    thus preventing an overflow of the worker queue which causes a SegFault.
    PR 45605
  * Add a comment to ports.conf to point to NEWS.Debian.gz in case of
    upgrading problems.

 -- Stefan Fritsch <email address hidden>  Tue, 02 Dec 2008 22:00:50 +0100