Change log for apache2 package in Debian
Superseded in experimental-release
apache2 (2.4.2-2) experimental; urgency=low

  [ Stefan Fritsch ]
  * Explicitly enable mod_authz_core on upgrades. It can happen that it is not pulled in by any of the enabled modules, but we need it in any case for apache2.conf. Closes: #669876
  * Don't ship the changelogs in the apache2-mpm-itk transitional package.

  [ Arno Töll ]
  * Add mode lines to various configuration files and scripts. Reformat configuration files for consistency.
  * Fix "Fix typographic errors in configuration file comments": Thanks to Oxan van Leeuwen for providing a patch (Closes: #669269)
  * Formulate several clarifications in PACKAGING, start versioning this document and add normative read hints. Moreover, document the -m switch for a2enmod.
  * Merge spelling and grammar fixes provided by Justin B Rye. Much appreciated!
  * Change various state and run directories used by Apache from /var/run/<basename> to /var/run/apache2/<basename>. This might change again for Wheezy+1 to adopt /run.
  * Use more exit status codes for a2query which allows to tell apart why a module was disabled, also make its output more readable.
  * Changes in apache2-maintscript-helper:
    + Finally apache2_invoke may behave correctly and catch all cases including upgrades from Squeeze.
    + apache2_invoke: accepts a third argument to override the rc.d-action now
    + support APACHE2_MAINTSCRIPT_DEBUG: When defined in the environment or in /etc/apache2/envvars, debug output is displayed.
  * Implement a -r switch for dh_apache2 which allows to force a reload of the web server if required.

 -- Arno Töll <email address hidden>  Mon, 28 May 2012 17:36:03 +0200
Superseded in squeeze-release
apache2 (2.2.16-6+squeeze7) squeeze-security; urgency=high

  * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual hosts' config files. If scripting modules like mod_php or mod_rivet are enabled on systems where either 1) some frontend server forwards connections to an apache2 backend server on the localhost address, or 2) the machine running apache2 is also used for web browsing, this could allow a remote attacker to execute example scripts stored under /usr/share/doc. Depending on the installed packages, this could lead to issues like cross site scripting, code execution, or leakage of sensitive data.

 -- Stefan Fritsch <email address hidden>  Sun, 01 Apr 2012 00:20:48 +0200
apache2 (2.2.22-5) unstable; urgency=low

  * Make LoadFile and LoadModule look in the standard search paths if the dso file name is given as a pure filename. This helps with the multi-arch transition.

 -- Stefan Fritsch <email address hidden>  Mon, 30 Apr 2012 23:38:33 +0200
apache2 (2.2.22-4) unstable; urgency=high

  * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual hosts' config files. If scripting modules like mod_php or mod_rivet are enabled on systems where either 1) some frontend server forwards connections to an apache2 backend server on the localhost address, or 2) the machine running apache2 is also used for web browsing, this could allow a remote attacker to execute example scripts stored under /usr/share/doc. Depending on the installed packages, this could lead to issues like cross site scripting, code execution, or leakage of sensitive data.

 -- Stefan Fritsch <email address hidden>  Sun, 15 Apr 2012 23:41:43 +0200
Superseded in experimental-release
apache2 (2.4.2-1) experimental; urgency=low

  * New upstream release

  [ Arno Töll ]
  * Drop update-alternative call in postrm. Our prerm script catches them already anyway.
  * Update my mail address.
  * Fix "dh_apache2 does not set "x" bits on /usr/lib/apache2/modules/": Set directory permissions to 755 by default (Closes: #666875). Thanks Axel Beckert for the hint.
  * Add /usr/share/doc/apache2/migrate-sites.pl, a script to assist users to give sites a .conf suffix, add a hint to the NEWS file.
  * Do stateful configuration handling by remembering who enabled when a particular piece of configuration. That way it can be told under which circumstances for example modules should be re-enabled. Thanks to Filip M. Nowak who was providing a patch where my changes are built upon.
  * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible to override LDFLAGS at compile time by defining LDFLAGS in the environment, just like it is possible for CFLAGS. This also means, config_vars.mk now exports hardening build flags by default.
  * Provide the virtual packages httpd and httpd-cgi again.

  [ Stefan Fritsch ]
  * Change default config to deny access to / in the file system and only allow access to /var/www, /usr/share, and /usr/lib/cgi-bin. Closes: #341022
  * Disable MultiViews in the default config.
  * Update ssl default cipher config, add alternative speed optimized config. Closes: #649020
  * Move the configuration of /usr/lib/cgi-bin into a separate config file. Closes: #589638
  * Comment out per-vhost loglevel.
  * Add section to security.conf that shows how to forbid access to VCS directories. Closes: #548213
  * Change the compiled in default of DocumentRoot to /var/www by updating fhs_compliance.patch
  * Re-add mpm_itk (version 2.4.1-pre01). This is still very experimental!

 -- Stefan Fritsch <email address hidden>  Sun, 15 Apr 2012 20:50:28 +0200
apache2 (2.2.22-3) unstable; urgency=low

  * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch': No such file or directory". Do not use internal rules targets which clash with build target names ... (Closes: #667069)
  * Drop apache2-dev virtual package. This had virtually no users but breaks our experimental package in some cases (e.g. #666793)
  * Push Standards version - no further changes
  * Update my maintainer address

 -- Arno Töll <email address hidden>  Thu, 05 Apr 2012 13:21:42 +0200
Superseded in experimental-release
apache2 (2.4.1-3) experimental; urgency=low

  [ Arno Töll ]
  * apache2-suexec-{custom,pristine}: Fix argument order when removing alternatives, do not remove alternatives on upgrades. Thanks Andreas Beckmann for spotting the issue (Closes: #665002)
  * Install suexec(8) link to /usr/share/man/man8/...
  * Enable mod_version statically, drop associated module load file.
  * Update PACKAGING hints and cope several questions raised among the discussions with packagers. Thus, invocation of apache2-maintscript-helper in maintainer scripts is covered now.
  * Changes in dh_apache2:
    + Invoke the maintscript helper postrm action for simple package removals, too.
    + Fix a bug which accidentally called "en{mod,site,conf}" instead of "di{mod,site,conf}"
    + Set the default conditional back to "true", now the maintainer script is expected to cope itself with upgrades correctly
  * Changes in apache2_maintscript_helper:
    + Provide apache2_action_needed, apache2_msg
    + Parse maintainer script arguments to find out which script called us
    + Support APACHE2_MAINTSCRIPT_HELPER_QUIET which, when set, omits any visible output
    + Break APIs: apache2_invoke accepts a single configuration file argument only now. However, other than dh_apache2 no users of this feature were known.
  * Build the apache2.2-bin transitional package again, without it updates from Squeeze are broken for some use cases
  * Remove 2.2's postrm script only if we're actually upgrading. This previously didn't have bad side-effects, but caused a disturbing warning.

  [ Stefan Fritsch ]
  * Import lots of bug fixes from upstream svn: All code changes from branch 2.4.x up to r1307835, plus r1294306 and r1307067 from trunk.
  * Remove /usr/share/doc alias from default virtual hosts' configs.
  * Add 'Multi-Arch: foreign' to apache2-utils
  * Make a2enconf and a2ensite warn if dependencies are not fulfilled.

 -- Stefan Fritsch <email address hidden>  Sun, 01 Apr 2012 21:11:51 +0200
Superseded in experimental-release
apache2 (2.4.1-2) experimental; urgency=low

  [ Arno Töll ]
  * Shift convert_docs script to an arch-indep target only. Debhelper does not build apache2-doc on binary only builds causing a FTBFS on binary-only (-B) builds
  * Raise debhelper build-dependency to 8.9.7~ due to the use of arch-indep targets

  [ Stefan Fritsch ]
  * dh_apache2: Make autoscripts only run on upgrades by default. Bump debhelper dependency of apache2-dev. Escape slashes in conditionals.

 -- Stefan Fritsch <email address hidden>  Tue, 20 Mar 2012 21:32:43 +0100
Superseded in experimental-release
apache2 (2.4.1-1) experimental; urgency=low

  * Package the coming up 2.4 branch of Apache by packaging the current GA release 2.4.1.
    + Fix "IndexIgnore only allows to add in vhost context, not replace" (Closes: #296886)
    + Fix "mod_status stats are wrong." (Closes: #519322)
    + Fix "PNG DirectoryIndex icons transparency messed up" (Closes: #233047)
    + Fix "apache2-common: there should be a possibility to access the parsed configuration" (Closes: #350285)
    + Fix "AddOutputFilterByType is deprecated but used in deflate.conf" (Closes: #601033)
    + Fixes "Renegotiation on POST request fails intermittently" (Closes: #601606)
    + Allows configuring source address for proxy requests. (Closes: #465283)
    + Supports CONNECT request through https. (Closes: #307298)
    + New Upstream (2.4). (Closes: #662115)
  * Refresh patches but leave all hunks unchanged where possible. Give all patches a ".patch" suffix, drop sequence numbers as they are not needed when using quilt. Notable changes are:
    + [AT] 202_suexec-custom: Keep functionality as is, but rewrite smaller parts of the patch to build two binaries: suexec-pristine and suexec-custom (see below)
    + [AT] 201_build_suexec-custom: Patch the makefile to build "suexec-pristine" instead. Aside of that, refresh hunks.
    + [AT] 010_fhs_compliance: Drop config.layout patches. These have been applied upstream
    + [JMV] Drop patches:
      + 004_usr_bin_perl_0wnz_j00: printenv example doesn't refer to /usr/local/bin/perl anymore
      + 008_make_include_safe: Include doesn't support directory anymore. Include dir/*.conf must be used.
      + 009_apache2_has_dso: Upstream is no longer testing DSO is available. So we don't need to remove that test anymore.
    + [AT] customize_apxs.patch: Aggregate changes from various apxs2 patches, drop obsolete hunks

  [ Arno Töll ]
  * Rewrite most parts of debian/rules / debhelper configuration.
    + move cronjob and init script to debhelper configuration files (apache2.cron.daily and apache2.init respectively)
    + move man pages to debian/manpages
    + Remove Ubuntu hacks in debian/rules, we expect them to carry Ubuntu specifics in their own patch set, as it diverges already anyway.
    + shake-up files installed in different packages
    + Do not copy the source tree anymore, build package in place.
  * Push standards version to 3.9.3 - no special changes required
  * Refactor binary packages, now as things simplified. MPMs are simple modules now, they can be bundled into the same binary package which do not need to conflict with each other. Thus, Apache now primarily consists of the following packages:
    + apache2 - configuration files and init scripts, Debian specific helper scripts
    + apache2-bin - binaries and modules
    + apache2-data - error pages and images
  * Drop the ITK MPM entirely for now
  * Consolidate development packages. As MPM packages are gone, we do not need specific development packages either. Thus, drop all MPM specific apache2 development packages and provide a single apache2-dev package instead. (Closes: #428095)
  * Drop debian/source/options again: We do not need to ignore .svn directories anymore since the new package management system is based on git and includes the full source
  * Rework the suexec mechanism. Now there are two suexec packages providing alternatives through the update-alternatives mechanism. The untouched upstream "suexec" binary is provided by the apache2-suexec-pristine package, whereas the configurable suexec can be found in the apache2-suexec-custom package. Both are providing the "suexec" binary which are managed by the update-alternatives(9) mechanism. This change is transparent to users at runtime and does not need any configuration changes.
  * Remove obsolete README.source file.
  * Update doc-base metadata for the apache2-doc package
  * Changes in the default configuration (not specific modules):
    + On the head of the apache2.conf configuration file, give a short summary how configuration of the Apache web server works in Debian.
    + Drop NameVirtualHost entirely. It is deprecated (Closes: #511594)
    + Remove DefaultType. It is deprecated.
    + Replace Allow/Deny directives in the default configuration by using the new Require directive. Load mod_access_compat if you rely on the old syntax
    + Replace LockFile by Mutex which consolidates all lock file synchronization files among modules
    + Update configuration to use the new IncludeOptional syntax
    + Enable these modules by default: authz_core authz_host alias cgi dir
    + Move MPM specific configuration to their respective configuration files. Users can just load and unload MPMs like other modules, enable the worker MPM by default
    + Move per-site global configuration from conf.d to conf-available and manage it similar to modules and sites. To do so, the new tools "a2enconf" and "a2disconf" are provided. Moreover, such configuration files need to have a .conf suffix now. The following configuration files are enabled by default: charset localized-error-pages other-vhosts-access-log security. These were enabled by default previously, too (Closes: #620347, Closes: #605227). This holds for apache2-doc as well, which is still enabled by default but can be disabled easily anytime by using a2disconf (Closes: #604980).
    + Give site configuration a .conf suffix, too. For example the default vhost is called default.conf. Moreover, files without .conf suffix are ignored upon startup. Please update your site links and confs. Also rename the default vhost to 000-default.conf and don't do hacky things in a2enmod anymore.
  * Changes in a2enmod:
    + Parse "Conflicts: " header to denote conflicts between modules which cannot be loaded into the same Apache server.
    + Remove dangling "module.conf" files, too. They were forgotten previously if they existed and only the "module.load" file was removed.
    + Extend the tool to support conf-available/conf-enabled directories (see also configuration changes).
    + Expect a .conf suffix for sites-enabled/sites-available configurations.
    + Remove the default vhost special handling. Instead, we expect the default host to be named appropriately (for example 000-default.conf; Closes: #605535).
  * The following modules and associated configuration files were removed:
    + mod_authz_default and mod_authn_default: Please use a proper authentication module instead
    + mod_mem_cache: Use mod_cache_disk instead
  * The following modules and associated configuration files are provided (but not enabled by default): access_compat, allowmethods, authz_dbd, cache_disk, data, log_debug, lua, proxy_express, proxy_fcgi, proxy_fdpass, proxy_html, ratelimit, reflector, remoteip, request, session, session_cookie, session_crypto, session_dbd (Closes: #400881)
  * Provide a dh_apache2 debhelper which can be used by reverse dependencies to install modules, module configuration files, site configuration files and global configuration files which need to be registered to the Apache web server. Thus, dh_apache2 can be used for Apache web server modules and web applications providing configuration files for Apache.
  * Write apache2-maintscript-helper which packagers can use to interface in a reliable way with the Apache 2 web server in maintainer scripts
  * Document programming hints how to interface with the Apache 2 web server for packagers of web applications and module maintainers in /usr/share/doc/apache2/PACKAGING.gz.
  * Fix the watch file, thanks to Jean-Michel Vourgère for pointing out the problem.
  * Update debian/copyright and switch it to the copyright-format 1.0 (formerly known as DEP5)

  [ Stefan Fritsch ]
  * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
  * Only include conf.d/*.conf, not conf.d/*.
  * Don't create httpd.conf anymore. Also, do a proper transition of existing httpd.conf files to /etc/apache2/conf-available (Closes: #639383)
  * Add "AddCharset" for .brf files in default mod_mime config. (Closes: #402567)
  * Update the README.Debian file

  [ Jean-Michel Vourgère ]
  * Update bash completion functions to reflect the new site setup. (Closes: #657492)
  * Migrate patches to DEP-3 format. For particular changes see the summary above.

 -- Stefan Fritsch <email address hidden>  Mon, 19 Mar 2012 10:46:02 +0100
apache2 (2.2.22-2) unstable; urgency=low

  [ Arno Töll ]
  * Fix "Incorrect debhelper build dependency" by raising the build-dependency of debhelper to 8.9.7 (Closes: #659148)

 -- Stefan Fritsch <email address hidden>  Thu, 15 Mar 2012 00:02:31 +0100
Published in lenny-release
apache2 (2.2.9-10+lenny12) lenny-security; urgency=high

  * Prevent unintended pattern expansion in some reverse proxy configurations by strictly validating the request-URI. Fixes CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
  * CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local privilege escalation.
  * CVE-2012-0031: Fix client process being able to crash parent process during shutdown.
  * CVE-2012-0053: Fix an issue in code 400 error responses that could expose "httpOnly" cookies.

 -- Stefan Fritsch <email address hidden>  Sun, 05 Feb 2012 21:56:02 +0100
apache2 (2.2.22-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * New upstream release, urgency medium due to security fixes:
    - Fix CVE-2012-0021: mod_log_config: DoS with '%{cookiename}C' log format
    - Fix CVE-2012-0031: Unprivileged child process could cause the parent to crash at shutdown
    - Fix CVE-2012-0053: Exposure of "httpOnly" cookies in code 400 error message.
  * Move httxt2dbm to apache2-utils
  * Adjust debian/control to point to new git repository.

  [ Arno Töll ]
  * Fix "typo in /etc/apache2/apache2.conf" (Closes: #653801)

 -- Stefan Fritsch <email address hidden>  Wed, 01 Feb 2012 21:49:04 +0100
apache2 (2.2.21-5) unstable; urgency=low

  [ Arno Töll ]
  * Fix build failures introduced as regression by the previous build. Debian buildds aren't rebuilding arch:all packages which caused problems for our unconditional copying into binary package. I was warned.

 -- Stefan Fritsch <email address hidden>  Thu, 29 Dec 2011 17:36:41 +0100
apache2 (2.2.21-4) unstable; urgency=low

  [ Stefan Fritsch ]
  * Security: Fix broken patch for CVE-2011-3607 (Integer overflow in ap_pregsub).
  * Optimize debian/rules again to improve build time by doing most work in a single parallelized "build-%" target.

  [ Arno Töll ]
  * Fix "Suggest removing DefaultType from apache2.conf": change the DefaultType from text/plain to None. This lets the browser guess a proper MIME type instead of being forced to treat a given file according to our default type (Closes: #440058)
  * Fix "add pre-rotate hook to logrotate script": execute scripts in /etc/logrotate.d/httpd-prerotate if available (Closes: #590096).
  * Fix "Hide /icons index": Disables indexes on the icon directory. By upgrading to Debian's 3.0/quilt source format also images don't need to be generated at build time anymore. Hence, the icon date can no longer lead to information disclosure (Closes: #649888).
  * Upgrade package to 3.0/quilt.
    + Remove uuencoded images, keep them in their binary format in debian/icons
    + Upgrade to quilt from dpatch and refresh all patches by keeping all hunks unchanged. Remove the `001_branding' patch by supplying -DPLATFORM at build time where needed. Move the 200_cp_suexec.dpatch patch and 202_suexec-custom.dpatch patch to debian/rules. 200_cp_suexec.dpatch was a script, not a patch, which is not supported by quilt.
  * Rewrite debian/rules and base it on dh(1).
    + use overrides where possible, replace some debhelper calls by our own implementation where needed. That's required since the Apache package is compiled in parts several times, once for each MPM.
    + move some install operations to their respective .install files
    + Support dpkg-buildflags now, which also enables hardening flags by default. Thus, remove them from their explicit appearance in debian/rules
    + Remove DEB_BUILD_OPTIONS legacy support. It comes for free when using dh(1)/dpkg-buildflags(1).
  * Push debhelper compatibility to 8
  * Remove unused Lintian overrides for the Debian source package and remove redundant priorities in debian/control.
  * Add myself to Uploaders

 -- Stefan Fritsch <email address hidden>  Thu, 29 Dec 2011 12:09:14 +0100
apache2 (2.2.21-3) unstable; urgency=medium

  * Fix CVE-2011-4317: Prevent unintended pattern expansion in some reverse proxy configurations. (Similar to CVE-2011-3368, but different attack vector.)
  * Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault via malicious .htaccess.
  * Mention dpkg-statoverride for changing permissions of suexec. LP: #897120
  * Fix broken link in docs. Closes: #650528
  * Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders. Thanks for your work in the past.

 -- Stefan Fritsch <email address hidden>  Sat, 03 Dec 2011 18:54:03 +0100
apache2 (2.2.21-2) unstable; urgency=high

  * Fix CVE-2011-3368: Prevent unintended pattern expansion in some reverse proxy configurations by strictly validating the request-URI.
  * Correctly set permissions of suexec.load even if umask is 0002 during build. LP: #872000

 -- Stefan Fritsch <email address hidden>  Tue, 11 Oct 2011 22:54:47 +0200
Superseded in squeeze-release
apache2 (2.2.16-6+squeeze4) squeeze; urgency=low

  * Fix CVE-2011-3348: Possible denial of service in mod_proxy_ajp if combined with mod_proxy_balancer.
  * Make exit code of '/etc/init.d/apache2 status' more LSB compatible. Closes: #613969
  * Fix typo in init script. Closes: #615866
  * For multiple instance setups, correctly determine the config dir in the init script if it is called via a start/stop link. Closes: #627061
  * Add hint in README.Debian about 403 error with mod_dav PUT. Closes: #613438
  * Add hint in README.Debian about how to increase max number of open files. Closes: #615632
  * Make it clear in README.multiple-instances that the MPMs are shipped in the apache2.2-bin package.
  * Tweak patch header to fix "dpatch unapply" with unstable's patch/dpatch.

 -- Stefan Fritsch <email address hidden>  Mon, 26 Sep 2011 00:12:23 +0200
Superseded in lenny-release
apache2 (2.2.9-10+lenny11) lenny-security; urgency=high

  * Fix regressions related to range requests introduced by 2.2.9-10+lenny10. Closes: #639825

 -- Stefan Fritsch <email address hidden>  Sun, 04 Sep 2011 22:09:38 +0200
apache2 (2.2.21-1) unstable; urgency=low

  * New upstream release.
    - Fixes CVE-2011-3348: Possible denial of service in mod_proxy_ajp if combined with mod_proxy_balancer

 -- Stefan Fritsch <email address hidden>  Mon, 26 Sep 2011 18:16:11 +0200
apache2 (2.2.20-1) unstable; urgency=low

  * New upstream release.
  * Fix some regressions related to Range requests caused by the CVE-2011-3192 fix. Closes: #639825
  * Add build-arch and build-indep rules targets to make Lintian happy.
  * Bump Standards-Version (no changes).

 -- Stefan Fritsch <email address hidden>  Sun, 04 Sep 2011 21:50:22 +0200
apache2 (2.2.19-2) unstable; urgency=high

  * Fix CVE-2011-3192: DoS by high memory usage for a large number of overlapping ranges.
  * Reduce default KeepAliveTimeout from 15 to 5 seconds.
  * Use "linux-any" in build-deps. Closes: #634709
  * Improve reload message of a2enmod. Closes: #639291
  * Improve description of the prefork MPM. Closes: #634242
  * Mention .conf files in a2enmod man page. Closes: #634834

 -- Stefan Fritsch <email address hidden>  Mon, 29 Aug 2011 17:08:17 +0200
Superseded in squeeze-release
apache2 (2.2.16-6+squeeze1) stable-security; urgency=high

  * Fix CVE-2011-1176 in apache2-mpm-itk: If NiceValue was set, the default with no AssignUserID was to run as root:root instead of the default Apache user and group. Closes: #618857

 -- Stefan Fritsch <email address hidden>  Tue, 22 Mar 2011 21:44:39 +0100
apache2 (2.2.19-1) unstable; urgency=low

  * New upstream release.
    - Makes apr-md5 the default algorithm for htpasswd, removing the 8 character limit of the crypt()-algorithm. Closes: #539246
    - Fixes merging of IndexOptions. Closes: #394688
    - Documents why order of ProxyPass and <Proxy> blocks matters in the configuration. See "Workers" section in the mod_proxy documentation. Closes: #560020
  * For multiple instance setups, correctly determine the config dir in the init script if it is called via a start/stop link. Closes: #627061
  * Make a2enmod's restart hint more cut'n'paste friendly. LP: #770204
  * Make it clear in README.multiple-instances that the MPMs are shipped in the apache2.2-bin package.

 -- Stefan Fritsch <email address hidden>  Sun, 22 May 2011 10:21:21 +0200
apache2 (2.2.17-3) unstable; urgency=low

  * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
  * Fix link errors with -no-add-needed/--no-copy-dt-needed-entries in htpasswd/htdbm.

 -- Stefan Fritsch <email address hidden>  Sun, 10 Apr 2011 20:43:55 +0200
apache2 (2.2.17-2) unstable; urgency=high

  * New mpm_itk upstream version 2.2.17-01:
    - Fix CVE-2011-1176: If NiceValue was set, the default with no AssignUserID was to run as root:root instead of the default Apache user and group, due to the configuration merger having an incorrect default configuration. Closes: #618857
  * Make exit code of '/etc/init.d/apache2 status' more LSB compatible. Closes: #613969
  * Set the default file descriptor limit to 8192 instead of whatever the current limit is (usually 1024). Document how to change it in /etc/apache2/envvars. Closes: #615632
  * Fix typo in init script. Closes: #615866
  * Add hint in README.Debian about 403 error with mod_dav PUT. Closes: #613438
  * Remove some obsolete Depends and Replaces.

 -- Stefan Fritsch <email address hidden>  Mon, 21 Mar 2011 23:01:17 +0100
apache2 (2.2.17-1) unstable; urgency=low

  * New upstream version
  * Disable md5 in mod_ssl default cipher suite. Closes: #609126
  * Fix order of comments in "worker" section in apache2.conf. Closes: #608488

 -- Stefan Fritsch <email address hidden>  Tue, 15 Feb 2011 23:30:18 +0100
Superseded in lenny-release
apache2 (2.2.9-10+lenny9) stable-security; urgency=high

  * Add the new SSLInsecureRenegotiation directive to configure if clients that have not been patched to support secure renegotiation (RFC 5746) are allowed to connect (CVE-2009-3555). Together with the recent openssl upgrade, this closes: #587037. This upgrade also adds support for the SSL_SECURE_RENEG variable, to allow testing if secure renegotiation is supported by the client.

 -- Stefan Fritsch <email address hidden>  Sat, 11 Dec 2010 19:45:28 +0100
apache2 (2.2.16-6) unstable; urgency=low

  * Also add $named to the secondary-init-script example.

 -- Stefan Fritsch <email address hidden>  Sat, 01 Jan 2011 22:55:15 +0100
apache2 (2.2.16-5) unstable; urgency=medium

  * Add $named to the init script dependency header, since apache depends on DNS in some configurations. Closes: #608437
  * Update outdated description of /etc/apache2/magic in README.Debian. Closes: #603586

 -- Stefan Fritsch <email address hidden>  Fri, 31 Dec 2010 01:22:19 +0100
apache2 (2.2.16-4) unstable; urgency=medium

  * Increase the mod_reqtimeout default timeouts to avoid potential problems with CRL-requesting browsers. Also extend the comments in reqtimeout.conf.
  * Remove bogus comment in conf.d/security about default in the "release after Lenny".
  * Clarify comments in suexec-custom's default config file. LP: #673289

 -- Stefan Fritsch <email address hidden>  Sun, 14 Nov 2010 19:05:55 +0100
apache2 (2.2.16-3) unstable; urgency=high

  * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
  * Fix "Could not reliably determine the server's ..." error message in README.Debian, to make it easier to search for it. Closes: #590528

 -- Stefan Fritsch <email address hidden>  Sat, 09 Oct 2010 20:59:34 +0200
apache2 (2.2.16-2) unstable; urgency=low

  * Force -j1 for 'make install' to fix occasional FTBFS. Closes: #593036
  * Add a note about the new behaviour of SSL/TLS renegotiation and the new directive SSLInsecureRenegotiation to NEWS.Debian. Closes: #593334
  * Support 'graceful' as alias for 'reload' in the init script.
  * In README.Debian, suggest an Apache configuration change to get rid of the "Could not reliably determine the server's fully qualified domain name" warning, as alternative to changing DNS or /etc/hosts. Closes: #590528
  * Add notes to README.Debian on how to reduce memory usage.
  * Bump Standards-Version (no changes).

 -- Stefan Fritsch <email address hidden>  Sun, 29 Aug 2010 15:29:21 +0200
apache2 (2.2.16-1) unstable; urgency=medium

  * Urgency medium for security fix.
  * New upstream release:
    - CVE-2010-1452: mod_dav, mod_cache: Fix denial of service vulnerability due to incorrect handling of requests without a path segment.
    - mod_dir: add FallbackResource directive, to enable admin to specify an action to happen when a URL maps to no file, without resorting to ErrorDocument or mod_rewrite
  * Fix mod_ssl header line corruption because of using memcpy for overlapping buffers. PR 45444. LP: #609290, #589611, #595116

 -- Stefan Fritsch <email address hidden>  Sat, 24 Jul 2010 22:18:43 +0200
apache2 (2.2.15-6) unstable; urgency=low

  * Fix init script not correctly killing htcacheclean. Closes: #580971
  * Add a separate entry in README.Debian about the need to use apache2ctl for starting instead of calling apache2 directly. Closes: #580445
  * Fix debug info to allow gdb loading it automatically. Closes: #581514
  * Fix install target in Makefile created by apxs2 -n. Closes: #588787
  * Fix ab sending more requests than specified by the -n parameter. Closes: #541158
  * Add apache2 monit configuration to apache2.2-commons examples dir. Closes: #583127
  * Build as PIE, since gdb in squeeze now supports it.
  * Update the postrm script to also purge the version of /var/www/index.html introduced in 2.2.11-7.
  * Bump Standards-Version (no changes).

 -- Stefan Fritsch <email address hidden>  Fri, 16 Jul 2010 23:41:08 +0200
Superseded in lenny-release
apache2 (2.2.9-10+lenny8) stable; urgency=low

  * Add missing psmisc dependency for killall used in the init script. Closes: #568542
  * Fix potential memory leaks related to the usage of apr_brigade_destroy().

 -- Stefan Fritsch <email address hidden>  Mon, 19 Apr 2010 21:17:33 +0200
apache2 (2.2.15-5) unstable; urgency=low

  * Conflict with apache package as we now include apachectl. Closes: #579065
  * Remove conflicts with old apache 2.0 modules. The conflicts are not necessary anymore as skipping a stable release is not supported anyway.
  * Silence the grep in preinst.

 -- Stefan Fritsch <email address hidden>  Sun, 25 Apr 2010 10:46:09 +0200
apache2 (2.2.15-3) unstable; urgency=low

  * mod_reqtimeout: backport bugfixes from upstream trunk up to r928881, including a fix for mod_proxy CONNECT requests.
  * mod_dav_fs: Use correct permissions when creating new files. LP: #540747

 -- Stefan Fritsch <email address hidden>  Mon, 29 Mar 2010 22:16:24 +0200
apache2 (2.2.15-2) unstable; urgency=low

  * Make the Files ~ "^\.ht" block in apache2.conf more secure by adding Satisfy all. Closes: #572075
  * mod_reqtimeout: Various bug fixes, including:
    - Don't mess up timeouts of mod_proxy's backend connections. Closes: #573163

 -- Stefan Fritsch <email address hidden>  Wed, 10 Mar 2010 21:06:06 +0100
apache2 (2.2.15-1) unstable; urgency=low

  * New upstream version:
    - CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability
    - CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol prefix injection attack.
    - CVE-2010-0434: mod_headers: Fix potential information leak with threaded MPMs.
    - mod_reqtimeout: New module limiting the time waiting for receiving a request from the client. This is a (partial) mitigation against slowloris-type resource exhaustion attacks. The module is enabled by default. Closes: #533661
    - mod_ssl: Add SSLInsecureRenegotiation directive to allow insecure renegotiation with clients which do not yet support the secure renegotiation protocol. As this requires openssl 0.9.8m, bump build dependency accordingly.
  * Fix bash completion for a2ensite if the site name contains 'conf' or 'load'. Closes: #572232
  * Do a configcheck in the init script before doing a non-graceful restart. Closes: #571461

 -- Stefan Fritsch <email address hidden>  Sun, 07 Mar 2010 23:22:56 +0100
apache2 (2.2.14-7) unstable; urgency=low

  * Fix potential memory leaks related to the usage of apr_brigade_destroy().
  * Add hints about correct mod_dav_fs configuration to README.Debian. Closes: #257945
  * Fix error in Polish translation of 404 error page. Closes: #570228
  * Document ThreadLimit in apache2.conf's comments.

 -- Stefan Fritsch <email address hidden>  Sat, 20 Feb 2010 12:38:30 +0100
apache2 (2.2.14-6) unstable; urgency=low

  * Use environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR, and APACHE_LOG_DIR in the default configuration. If you have modified /etc/apache2/envvars, make sure that these variables are set and exported.
  * Add support for multiple apache2 instances to initscript and apache2ctl. See /usr/share/doc/apache2.2-common/README.multiple-instances for details. Closes: #353450
  * Set default compiled-in ServerRoot to /etc/apache2 and make paths in apache2.conf relative to ServerRoot.
  * Move ab and logresolve from /usr/sbin to /usr/bin. Closes: #351450, #564061
  * Fix symlinks in apache2-dbg package. Closes: #567076
  * Fix mod_cache CacheIgnoreURLSessionIdentifiers handling. Closes: #556383
  * Add new init script action graceful-stop (LP: #456381)
  * Add more languages to mime.conf. To limit this to useful entries, we only add those for which a translation of the Debian installer exists. LP: #217964
  * Unset $HOME in /etc/apache2/envvars.
  * Change default config of mod_info and mod_status to use IP addresses instead of hostnames. Otherwise the hostname is sometimes logged even with 'HostnameLookup Off'. Closes: #568409
  * Add a hook to apache2.2-common's postrm script that may come in handy when upgrading to 2.4.
  * Make bug script also display php extensions.
  * Bump Standards-Version (no changes).
  * Remove Adam Conrad from Uploaders. Thanks for your work in the past.

 -- Stefan Fritsch <email address hidden>  Sun, 07 Feb 2010 17:29:45 +0100
Superseded in lenny-release |
apache2 (2.2.9-10+lenny6) stable-security; urgency=high

  * Security:
    - Reject any client-initiated SSL/TLS renegotiations. This is a partial fix for the TLS renegotiation prefix injection attack (CVE-2009-3555). Any configuration which requires renegotiation for per-directory/location access control or uses "SSLVerifyClient optional" is still vulnerable.

 -- Stefan Fritsch <email address hidden>  Sat, 14 Nov 2009 21:10:47 +0100
apache2 (2.2.14-5) unstable; urgency=low

  * Security: Further mitigation for the TLS renegotiation attack (CVE-2009-3555): Disable keep-alive if parts of the next request have already been received when doing a renegotiation. This defends against some request splicing attacks.
  * Print a useful error message if 'apache2ctl status' fails. Add a comment to /etc/apache2/envvars on how to change the options for www-browser. Closes: #561496, #272069
  * Improve function to detect apache2 pid in init-script (closes: #562583).
  * Add hint to README.Debian on how to pass auth info to CGI scripts. Closes: #483219
  * Re-introduce objcopy magic to avoid dangling symlinks to the debug info in the mpm packages. Closes: #563278
  * Make apxs2 use a2enmod and /etc/apache2/mods-available. Closes: #470178, LP: #500703
  * Point to README.backtrace in apache2-dbg's description.
  * Use more debhelper functions to simplify debian/rules.
  * Add misc-depends to various packages to make lintian happy.
  * Change build-dep from libcap2-dev to libcap-dev because of package rename.

 -- Stefan Fritsch <email address hidden>  Sat, 02 Jan 2010 22:44:15 +0100
apache2 (2.2.14-4) unstable; urgency=low

  * Disable localized error pages again by default because they break configurations with "<Location /> SetHandler ...". A workaround is described in the comments in /etc/apache2/conf.d/localized-error-pages (closes: #543333).
  * mod_rewrite: Fix URLs in redirects with literal IPv6 hosts (closes: #557015).
  * Automatically listen on port 443 if mod_gnutls is loaded (closes: #558234).
  * Add man page for split-logfile.
  * Link with -lcrypt where necessary to fix a FTBFS with binutils-gold (closes: #553946).

 -- Stefan Fritsch <email address hidden>  Sun, 13 Dec 2009 20:05:37 +0100
apache2 (2.2.14-3) unstable; urgency=low

  * Backport various mod_dav/mod_dav_fs fixes from upstream trunk svn. This includes:
    - Make PUT replace files atomically (closes: #525137).
    - Make MOVE not delete the destination if the source file disappeared in the meantime (closes: #273476).
    NOTE: The format of the DavLockDB has changed. The default DavLockDB will be deleted on upgrade. Non-default DavLockDBs should be deleted manually.
  * Fix output of "/etc/init.d/apache2 status" (closes: #555687).
  * Update the comment about SNI in ports.conf (closes: #556932).
  * Set redirect-carefully for Konqueror/4.

 -- Stefan Fritsch <email address hidden>  Sat, 21 Nov 2009 10:20:54 +0100
apache2 (2.2.14-2) unstable; urgency=medium

  * Security: Reject any client-initiated SSL/TLS renegotiations. This is a partial fix for the TLS renegotiation prefix injection attack (CVE-2009-3555). Any configuration which requires renegotiation for per-directory/location access control is still vulnerable.
  * Allow RemoveType to override the types from /etc/mime.types. This allows using .es and .tr for Spanish and Turkish files in mod_negotiation. Closes: #496080
  * Fix 'CacheEnable disk http://'. Closes: #442266
  * Fix missing dependency by changing killall to pkill in the init script. LP: #460692
  * Add X-Interactive header to init script as it may ask for the ssl key passphrase. Closes: #554824
  * Move httxt2dbm man page into apache2.2-bin, which includes httxt2dbm, too.
  * Enable keepalive for MSIE 7 and newer in default-ssl site and README.Debian.

 -- Stefan Fritsch <email address hidden>  Sat, 07 Nov 2009 14:37:37 +0100
apache2 (2.2.14-1) unstable; urgency=low

  * New upstream version:
    - new module mod_proxy_scgi
  * Disable hardening option -pie again, as gdb in Debian does not support it properly and it is broken on mips*.

 -- Stefan Fritsch <email address hidden>  Tue, 29 Sep 2009 20:55:05 +0200
apache2 (2.2.13-2) unstable; urgency=high

  * mod_proxy_ftp security fixes (closes: #545951):
    - DoS by malicious ftp server (CVE-2009-3094)
    - missing input sanitization: a user could execute arbitrary ftp commands on the backend ftp server (CVE-2009-3095)
  * Add entries to NEWS.Debian and README.Debian about Apache being stricter about certain misconfigurations involving name based SSL virtual hosts. Also make Apache print the location of the misconfigured VirtualHost when it complains about a missing SSLCertificateFile statement. Closes: #541607
  * Add Build-Conflicts: autoconf2.13 (closes: #541536).
  * Adjust priority of apache2-mpm-itk to extra.
  * Switch apache2.2-common and the four mpm packages from architecture all to any. This is stupid but makes apache2 binNMUable again (closes: #544509).
  * Bump Standards-Version (no changes).

 -- Stefan Fritsch <email address hidden>  Wed, 16 Sep 2009 20:55:02 +0200
apache2 (2.2.13-1) unstable; urgency=low

  * New upstream release:
    - Fixes segfault with mod_deflate and mod_php (closes: #542623).

 -- Stefan Fritsch <email address hidden>  Mon, 31 Aug 2009 20:28:56 +0200
Superseded in lenny-release |
apache2 (2.2.9-10+lenny4) stable-security; urgency=high

  * Security fixes:
    - CVE-2009-1890: denial of service in mod_proxy (closes: #536718)
    - CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
      Also prevent compressing the content for HEAD requests.

 -- Stefan Fritsch <email address hidden>  Tue, 14 Jul 2009 21:53:01 +0200
apache2 (2.2.12-1) unstable; urgency=low

  * New upstream release:
    - Adds support for TLS Server Name Indication (closes: #461917 LP: #184131). (The Debian default configuration will be changed to use SNI in a later version.)
    - Fixes timefmt config in SSI (closes: #363964).
    - mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable stricter checking of remote server certificates.
  * Make mod_deflate not compress the content for HEAD requests. This is a similar issue as CVE-2009-1891.
  * Enable hardening compile options.
  * Switch default LogFormat from %b (size of file sent) to %O (bytes actually sent) (closes: #272476 LP: #255124)
  * Add the default LANG=C to /etc/apache2/envvars and document it in README.Debian (closes: #511878).
  * Enable localized error pages by default if the necessary modules are loaded. Move the config for it from apache2.conf to /etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the required order of the aliases in the comment (closes: #196795).
  * Change default for ServerTokens to 'OS', to not announce the exact module versions to the world (LP: #205996)
  * Make a2ensite and friends ignore the same filenames as apache does for included config files, even if LANG is not C.
  * Merge source packages apache2 and apache2-mpm-itk (current itk version is 2.2.11-02). This removes the binNMU mess necessary for every apache2 upload (closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src package, which is no longer necessary.
  * Ship our own version of the magic config file (taken from file 4.17-5etch3) which is still compatible with mod_mime_magic (closes: #483111).
  * Add ThreadLimit to the default config and put ThreadsPerChild and MaxClients into the correct order so that Apache does not complain (closes: #495656). Also add a configuration block for the event MPM in apache2.conf.
  * Fix HTTP PUT with mod_dav failing to detect an aborted connection (closes: #451563).
  * Change references to httpd.conf in apache2-doc to apache2.conf (closes: #465393).
  * Clarify the recommended permissions for SSL certificates in README.Debian (closes: #512778).
  * Document in README.Debian how to name files in conf.d to avoid conflicts with packages (closes: #493252)
  * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
  * Remove other_vhosts_access.log on package purge.

 -- Stefan Fritsch <email address hidden>  Tue, 04 Aug 2009 11:02:34 +0200
apache2 (2.2.11-7) unstable; urgency=low

  * Security fixes:
    - CVE-2009-1890: denial of service in mod_proxy
    - CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
  * Add symlinks for the debug info to the mpm packages.
  * Be slightly more informative in the default index.html without pointing to Apache or Debian (LP: #89364)
  * Remove dependency on net-tools, which is no longer necessary (closes: #535849)
  * Bump Standards-Version (no changes)

 -- Stefan Fritsch <email address hidden>  Fri, 10 Jul 2009 22:42:57 +0200
apache2 (2.2.11-6) unstable; urgency=high

  * CVE-2009-1195: mod_include allowed bypassing IncludesNoExec for Server Side Includes (closes: #530834).
  * Fix postinst scripts (closes: #532278).

 -- Stefan Fritsch <email address hidden>  Mon, 08 Jun 2009 19:22:58 +0200
apache2 (2.2.11-4) unstable; urgency=low

  [ Stefan Fritsch ]
  * Disable TRACE method by default (closes: #492130).
  * Compress some more mime types with mod_deflate by default. This may cause problems with MSIE 6, but that browser should now be considered obsolete. Closes: #397526, #521209
  * Various backports from upstream svn branches/2.2.x:
    - CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body
    - Fix FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes PR 45959 (closes: #524474)
    - Fix mod_rewrite "B" flag breakage PR 45529 (closes: #524268)
    - Fix mod_deflate etag handling PR 45023 (LP: #358314)
    - Fix mod_ldap segfault if LDAP initialization failed PR 45994
  * Allow apache2-mpm-itk as alternate dependency in apache2 meta package (closes: #527225).
  * Fix some misuse of command substitution in the init script. Thanks to Jari Aalto for the patch. (Closes: #523398)
  * Extend the gnome-vfs DAV workaround to gvfs (closes: #522845).
  * Add more info to check_forensic man page (closes: #528424).
  * Make "apache2ctl help" point to help on apache2 args (closes: #528425).
  * Lintian warnings:
    - fix spelling error in apache2-utils description
    - tweak debian/copyright to make lintian not complain about pointers to GPL
    - bump standards-version (no changes)

  [ Peter Samuelson ]
  * Adjust sections to match recent ftpmaster overrides.

 -- Stefan Fritsch <email address hidden>  Tue, 19 May 2009 22:55:27 +0200
apache2 (2.2.11-3) unstable; urgency=low

  * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap (see #521899). This also creates the dependencies on the new external libaprutil1-dbd-* and libaprutil1-ldap packages.

 -- Stefan Fritsch <email address hidden>  Tue, 31 Mar 2009 21:07:26 +0200
Superseded in lenny-release |
apache2 (2.2.9-10+lenny2) testing-proposed-updates; urgency=low

  * Report an error instead of segfaulting when apr_pollset_create fails (PR 46467). On Linux kernels since 2.6.27.8, the value in /proc/sys/fs/epoll/max_user_instances needs to be larger than twice the value of MaxClients in the Apache configuration. Closes: #511103

 -- Stefan Fritsch <email address hidden>  Tue, 20 Jan 2009 18:17:27 +0100
Superseded in sid-release |
apache2 (2.2.11-2) unstable; urgency=low

  * Report an error instead of segfaulting when apr_pollset_create fails (PR 46467). On Linux kernels since 2.6.27.8, the value in /proc/sys/fs/epoll/max_user_instances needs to be larger than twice the value of MaxClients in the Apache configuration. Closes: #511103

 -- Stefan Fritsch <email address hidden>  Fri, 16 Jan 2009 19:01:59 +0100
apache2 (2.2.11-1) unstable; urgency=low

  [ Thom May ]
  * New Upstream Version (Closes: #508186, LP: #307397)
    - Contains rewritten shmcb code which should fix alignment problems on alpha (Closes: #419720).
    - Notable new features: chroot support, mod_proxy improvements.

  [ Ryan Niebur ]
  * fix segfault in ab when being verbose on ssl sites (Closes: #495982)
  * remove trailing slash for DocumentRoot (Closes: #495110)

 -- Stefan Fritsch <email address hidden>  Sun, 14 Dec 2008 09:34:24 +0100
apache2 (2.2.9-10+lenny1) testing-proposed-updates; urgency=low

  * Regression fix from upstream svn for mod_proxy: Prevent segmentation faults by correctly adjusting the lifetime of the buckets read from the proxy backend. PR 45792
  * Fix from upstream svn for mpm_worker: Crosscheck that idle workers are still available before using them and thus preventing an overflow of the worker queue which causes a SegFault. PR 45605
  * Add a comment to ports.conf to point to NEWS.Debian.gz in case of upgrading problems.

 -- Stefan Fritsch <email address hidden>  Tue, 02 Dec 2008 22:00:50 +0100
apache2 (2.2.9-11) unstable; urgency=low

  * Regression fix from upstream svn for mod_proxy: Prevent segmentation faults by correctly adjusting the lifetime of the buckets read from the proxy backend. PR 45792
  * Fix from upstream svn for mpm_worker: Crosscheck that idle workers are still available before using them and thus preventing an overflow of the worker queue which causes a SegFault. PR 45605
  * Add a comment to ports.conf to point to NEWS.Debian.gz in case of upgrading problems.

 -- Stefan Fritsch <email address hidden>  Wed, 26 Nov 2008 23:10:22 +0100
apache2 (2.2.9-10) unstable; urgency=low

  * Regression fix from upstream svn for mod_proxy_http: Don't trigger a retry by the client if a failure to read the response line was the result of a timeout.

 -- Stefan Fritsch <email address hidden>  Wed, 01 Oct 2008 11:50:18 +0200