Change log for apache2 package in Debian
| 151 → 211 of 211 results | First • Previous • Next • Last |
| Superseded in experimental-release |
apache2 (2.4.2-2) experimental; urgency=low
[ Stefan Fritsch ]
* Explicitly enable mod_authz_core on upgrades. It can happen that it is
not pulled in by any of the enabled modules, but we need it in any case
for apache2.conf. Closes: #669876
* Don't ship the changelogs in the apache2-mpm-itk transitional package.
[ Arno Töll ]
* Add mode lines to various configuration files and scripts. Reformat
configuration files for consitency.
* Fix "Fix typographic errors in configuration file comments": Thanks to Oxan
van Leeuwen for providing a patch (Closes: #669269)
* Formulate several clarifications in PACKAGING, start versioning this document
and add normative read hints. Moreover, document the -m switch for a2enmod.
* Merge spelling and grammar fixes provided by Justin B Rye. Much appreciated!
* Change various state and run directories used by Apache from
/var/run/<basename> to /var/run/apache2/<basename>. This might change again
for Wheezy+1 to adopt /run.
* Use more exit status codes for a2query which allows to tell apart why a
module was disabled, also make its output more readable.
* Changes in apache2-maintscript-helper:
+ Finally apache2_invoke may behave correctly and catch all cases
including upgrades from Squeeze.
+ apache2_invoke: accepts a third argument to override the rc.d-action now
+ support APACHE2_MAINTSCRIPT_DEBUG: When defined in the environment or in
/etc/apache2/envvars, debug output is displayed.
* Implement a -r switch for dh_apache2 which allows to force a reload of the
web server if required.
-- Arno Töll <email address hidden> Mon, 28 May 2012 17:36:03 +0200
| Superseded in squeeze-release |
apache2 (2.2.16-6+squeeze7) squeeze-security; urgency=high
* CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
hosts' config files.
If scripting modules like mod_php or mod_rivet are enabled on systems
where either 1) some frontend server forwards connections to an apache2
backend server on the localhost address, or 2) the machine running
apache2 is also used for web browsing, this could allow a remote
attacker to execute example scripts stored under /usr/share/doc.
Depending on the installed packages, this could lead to issues like cross
site scripting, code execution, or leakage of sensitive data.
-- Stefan Fritsch <email address hidden> Sun, 01 Apr 2012 00:20:48 +0200
apache2 (2.2.22-5) unstable; urgency=low
* Make LoadFile and LoadModule look in the standard search paths if the
dso file name is given as a pure filename. This helps with the multi-arch
transition.
-- Stefan Fritsch <email address hidden> Mon, 30 Apr 2012 23:38:33 +0200
apache2 (2.2.22-4) unstable; urgency=high
* CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
hosts' config files.
If scripting modules like mod_php or mod_rivet are enabled on systems
where either 1) some frontend server forwards connections to an apache2
backend server on the localhost address, or 2) the machine running
apache2 is also used for web browsing, this could allow a remote
attacker to execute example scripts stored under /usr/share/doc.
Depending on the installed packages, this could lead to issues like cross
site scripting, code execution, or leakage of sensitive data.
-- Stefan Fritsch <email address hidden> Sun, 15 Apr 2012 23:41:43 +0200
| Superseded in experimental-release |
apache2 (2.4.2-1) experimental; urgency=low
* New upstream release
[ Arno Töll ]
* Drop update-alternative call in postrm. Our prerm script catches them
already anyway.
* Update my mail address.
* Fix "dh_apache2 does not set "x" bits on /usr/lib/apache2/modules/"
Set directory permissions to 755 by default (Closes: #666875). Thanks Axel
Beckert for the hint.
* Add /usr/share/doc/apache2/migrate-sites.pl, a script to assist users to
give sites a .conf suffix, add a hint to the NEWS file.
* Do stateful configuration handling by remembering who enabled when a
particular piece of configuration. That way in can be told under which
circumstances for example modules should be re-enabled. Thanks to Filip M.
Nowak who was providing a patch where my changes are built upon.
* Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
to override LDFLAGS at compile time by defining LDLAGS in the environment,
just like it is possible for CFLAGS. This also means, config_vars.mk now
exports hardening build flags by default.
* Provide the virtual packages httpd and httpd-cgi again.
[ Stefan Fritsch ]
* Change default config to deny access to / in the file system and only
allow access to /var/www, /usr/share, and /usr/lib/cgi-bin. Closes: #341022
* Disable MultiViews in the default config.
* Update ssl default cipher config, add alternative speed optimized config.
Closes: #649020
* Move the configuration of /usr/lib/cgi-bin into a separate config file.
Closes: #589638
* Comment out per-vhost loglevel.
* Add section to security.conf that shows how to forbid access to VCS
directories. Closes: #548213
* Change the compiled in default of DocumentRoot to /var/www by updating
fhs_compliance.patch
* Re-add mpm_itk (version 2.4.1-pre01). This is still very experimental!
-- Stefan Fritsch <email address hidden> Sun, 15 Apr 2012 20:50:28 +0200
apache2 (2.2.22-3) unstable; urgency=low
* Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
No such file or directory". Do not use internal rules targets which clash
with build target names ... (Closes: #667069)
* Drop apache2-dev virtual package. This had virtually no users but breaks our
experimental package in some cases (e.g. #666793)
* Push Standards version - no further changes
* Update my maintainer address
-- Arno Töll <email address hidden> Thu, 05 Apr 2012 13:21:42 +0200
| Superseded in experimental-release |
apache2 (2.4.1-3) experimental; urgency=low
[ Arno Töll ]
* apache2-suexec-{custom,pristine}: Fix argument order when removing
alternatives, do not remove alternatives on upgrades. Thanks Andreas
Beckmann for spotting the issue (Closes: #665002)
* Install suexec(8) link to /usr/share/man/man8/...
* Enable mod_version statically, drop associated module load file.
* Update PACKAGING hints and cope several questions raised among the
discussions with packagers. Thus, invokation of apache2-maintscript-helper
in maintainer scripts are covered now.
* Changes in dh_apache2:
+ Invoke the maintscript helper postrm action for simple package removals,
too.
+ Fix a bug which accidentally called "en{mod,site,conf}" instead of
"di{mod,site,conf}"
+ Set the default conditional back to "true", now the maintainer script is
expected to cope itself with upgrades correctly
* Changes in apache2_maintscript_helper
+ Provide apache2_action_needed, apache2_msg
+ Parse maintainer script arguments to find out which script called us
+ Support APACHE2_MAINTSCRIPT_HELPER_QUIET which, when set, omits any
visible output
+ Break APIs: apache2_invoke accepts a single configuration file argument
only now. However, other than dh_apache2 no users of this feature were
known.
* Build the apache2.2-bin transitional package again, without it updates from
Squeeze are broken from some use cases
* Remove 2.2's postrm script only if we're actually upgrading.
This previously didn't have bad side-effects, but caused a disturbing
warning.
[ Stefan Fritsch ]
* Import lots of bug fixes from upstream svn: All code changes from branch
2.4.x up to r1307835, plus r1294306 and r1307067 from trunk.
* Remove /usr/share/doc alias from default virtual hosts' configs.
* Add 'Multi-Arch: foreign' to apache2-utils
* Make a2enconf and a2ensite warn if dependencies are not fullfilled.
-- Stefan Fritsch <email address hidden> Sun, 01 Apr 2012 21:11:51 +0200
| Superseded in experimental-release |
apache2 (2.4.1-2) experimental; urgency=low
[ Arno Töll ]
* Shift convert_docs script to a arch-indep target only. Debhelper does not
build apache2-doc on binary only builds causing a FTBS on binary-only (-B)
builds
* Raise debhelper build-dependency to 8.9.7~ due to the use of arch-indep
targets
[ Stefan Fritsch ]
* dh_apache2: Make autoscripts only run on upgrades by default. Bump
debhelper dependency of apache2-dev. Escape slashes in conditionals.
-- Stefan Fritsch <email address hidden> Tue, 20 Mar 2012 21:32:43 +0100
| Superseded in experimental-release |
apache2 (2.4.1-1) experimental; urgency=low
* Package the coming up 2.4 branch of Apache by packaging the current
GA release 2.4.1.
+ Fix "IndexIgnore only allowes to add in vhost context, not replace"
(Closes: #296886)
+ Fix "mod_status stats are wrong." (Closes: #519322)
+ Fix "PNG DirectoryIndex icons transparancy messed up" (Closes: #233047)
+ Fix "apache2-common: there should be a possibility to access the
parsed configuration" (Closes: #350285)
+ Fix "AddOutputFilterByType is deprecated but used in deflate.conf"
(Closes: #601033)
+ Fixes "Renegotiation on POST request fails intermittently"
(Closes: #601606)
+ Allows configuring source address for proxy requests. (Closes: #465283)
+ Supports CONNECT request through https. (Closes: #307298)
+ New Upstream (2.4). (Closes: #662115)
* Refresh patches but leave all hunks unchanged where possible. Give all
* patches a ".patch" suffix, drop sequence numbers as they are not needed when
* using quilt. Notable changes are.
+ [AT] 202_suexec-custom: Keep functionality as is, but rewrite smaller
parts of the patch to build two binaries: suexec-pristine and
suexec-custom (see below)
+ [AT] 201_build_suexec-custom: Patch the makefile to build
"suexec-pristine" instead. Aside of that, refresh hunks.
+ [AT] 010_fhs_compliance: Drop config.layout patches. These have been
applied upstream
+ [JMV] Drop patches:
+ 004_usr_bin_perl_0wnz_j00: printenv exemple doesn't refer to
/usr/local/bin/perl anymore
+ 008_make_include_safe: Include doesn't support directory anymore.
Include dir/*.conf must be used.
+ 009_apache2_has_dso: Upstream is no longer testing DSO is available. So
we don't need to remove that test anymore.
+ [AT] customize_apxs.patch: Aggregate changes from various apxs2 patches,
drop obsolete hunks
[ Arno Töll ]
* Rewrite most parts of debian/rules / debhelper configuration.
+ move cronjob and init script to debhelper configuration files
(apache2.cron.daily and apache2.init respectively)
+ move man pages to debian/manpages
+ Remove Ubuntu hacks in debian/rules, we expect them to carry Ubuntu
specifics in their own patch set, as it diverges already anyway.
+ shake-up files installed in different packages
+ Do not copy the source tree anymore, build package in place.
* Push standards version to 3.9.3 - no special changes required
* Refactor binary packages, now as things simplified. MPMs are simple
modules now, they can be bundled into the same binary package which do not
need to conflict with each other. Thus, Apache now primarily consists of the
following packages:
+ apache2 - configuration files and init scripts, Debian specific helper
scripts
+ apache2-bin - binaries and modules
+ apache2-data - error pages and images
* Drop the ITK MPM entirely for now
* Consolidate development packages. As MPM packages are gone, we do not need
specific development packages either. Thus, drop all MPM specific apache2
development packages and provide a single apache2-dev package instead.
(Closes: #428095)
* Drop debian/source/options again: We do not need to ignore .svn directories
anymore since the new package management system is based on git and includes
the full source
* Rework the suexec mechanism. Now there are two suexec packages providing
alternatives through the update-alternatives mechanism. The untouched
upstream "suexec" binary is provided by the apache2-suexec-pristine package,
whereas the configurable suexec can be found in the apache2-suexec-custom
package. Both are providing the "suexec" binary which are managed by the
update-alternatives(9) mechanism.
This change is transparent to users at runtime and does not need any
configuration changes.
* Remove obsolete README.source file.
* Update doc-base metadata for the apache2-doc package
* Changes in the default configuration (not specific modules):
+ On the head of the apache2.conf configuration file, give a short summary
how configuration of the Apache web server works in Debian.
+ Drop NameVirtualHost entirely. It is deprecated (Closes: #511594)
+ Remove DefaultType. It is deprecated.
+ Replace Allow/Deny directives in the default configuration by using the
new Require directive. Load mod_access_compat if you rely on the old
syntax
+ Replace LockFile by Mutex which consolidates all lock file
synchronization files among modules
+ Update configuration to use the new IncludeOptional syntax
+ Enable these modules by default: authz_core authz_host alias cgi dir
+ Move MPM specific configuration to their respective configuration files.
Users can just load and unload MPMs like other modules, enable the worker
MPM by default
+ Move per-site global configuration from conf.d to conf-available and
manage it similar to modules and sites. To do so, the new tools
"a2enconf" and "a2disconf" are provided. Moreover, such configuration
files need to have a .conf suffix now. The following configuration
files are enabled by default: charset localized-error-pages
other-vhosts-access-log security. These were enabled by default
previously, too (Closes: #620347, Closes: #605227).
This holds for apache2-doc as well, which is still enabled by default but
can be disabled easily anytime by using a2disconf (Closes: #604980).
+ Give site configuration a .conf suffix, too. For example the default vhost
is called default.conf. Moreover, files without .conf suffix are ignored
upon startup. Please update your site links and confs. Also rename the
default vhost to 000-default.conf and don't do hacky things in a2enmod
anymore.
* Changes in a2enmod:
+ Parse "Conflicts: " header to denote conflicts between modules which
cannot be loaded into the same Apache server.
+ Remove dangling "module.conf" files, too. They were forgotten previously
if they existed and only the "module.load" file was removed.
+ Extend the tool to support conf-available/conf-enabled directories (see
also configuration changes).
+ Expect a .conf suffix for sites-enabled/sites-available configurations.
+ Remove the default vhost special handling. Instead, we expect the default
host to be named appropripriately (for example 000-default.conf;
Closes: #605535).
* The following modules and associated configuration files were removed:
+ mod_authz_default and mod_authn_default: Please use a proper
authentication module instead
+ mod_mem_cache: Use mod_cache_disk instead
* The following modules and associated configuration files are provided (but
not enabled by default):
access_compat, allowmethods, authz_dbd, cache_disk, data, log_debug, lua
proxy_express, proxy_fcgi, proxy_fdpass, proxy_html, ratelimit, reflector
remoteip, request, session, session_cookie, session_crypto, session_dbd
(Closes: #400881)
* Provide a dh_apache2 debhelper which can be used by reverse dependencies to
install modules, module configuration files, site configuration files and
global configuration files which need to be registered to the Apache web
server.
Thus, dh_apache2 can be used for Apache web server modules and web
applications providing configuration files for Apache.
* Write apache2-maintscript-helper which packagers can use to interface in a
reliable way with the Apache 2 web server in maintainer scripts
* Document programming hints how to interface with the Apache 2 web server for
* packagers of web applications and module maintainer in
/usr/share/doc/apache2/PACKAGING.gz.
* Fix the watch file, thanks to Jean-Michel Vourgère for pointing out the
problem.
* Update debian/copyright and switch it to the copyright-format 1.0 (formerly
known as DEP5)
[ Stefan Fritsch ]
* Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
* Only include conf.d/*.conf, not conf.d/*.
* Don't create httpd.conf anymore. Also, do a proper transition of existing
httpd.conf files to /etc/apache2/conf-available (Closes: #639383)
* Add "AddCharset" for .brf files in default mod_mime config.
(Closes: #402567)
* Update the README.Debian file
[ Jean-Michel Vourgère ]
* Update bash completion functions to reflect the new site setup. (Closes:
#657492)
* Migrate patches to DEP-3 format. For particular changes see the summary
above.
-- Stefan Fritsch <email address hidden> Mon, 19 Mar 2012 10:46:02 +0100
apache2 (2.2.22-2) unstable; urgency=low
[ Arno Töll ]
* Fix "Incorrect debhelper build dependency" by raising the build-dependency
of debhelper to 8.9.7 (Closes: #659148)
-- Stefan Fritsch <email address hidden> Thu, 15 Mar 2012 00:02:31 +0100
| Published in lenny-release |
apache2 (2.2.9-10+lenny12) lenny-security; urgency=high
* Prevent unintended pattern expansion in some reverse proxy
configurations by strictly validating the request-URI. Fixes
CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
* CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local
privilege escalation.
* CVE-2012-0031: Fix client process being able to crash parent process
during shutdown.
* CVE-2012-0053: Fix an issue in code 400 error responses that could expose
"httpOnly" cookies.
-- Stefan Fritsch <email address hidden> Sun, 05 Feb 2012 21:56:02 +0100
apache2 (2.2.22-1) unstable; urgency=medium
[ Stefan Fritsch ]
* New upstream release, urgency medium due to security fixes:
- Fix CVE-2012-0021: mod_log_config: DoS with '%{cookiename}C' log format
- Fix CVE-2012-0031: Unprivileged child process could cause the parent to
crash at shutdown
- Fix CVE-2012-0053: Exposure of "httpOnly" cookies in code 400 error
message.
* Move httxt2dbm to apache2-utils
* Adjust debian/control to point to new git repository.
[ Arno Töll ]
* Fix "typo in /etc/apache2/apache2.conf" (Closes: #653801)
-- Stefan Fritsch <email address hidden> Wed, 01 Feb 2012 21:49:04 +0100
apache2 (2.2.21-5) unstable; urgency=low
[ Arno Töll ]
* Fix build failures introduced as regregression by the previous build. Debian
buildds aren't rebuilding arch:all packages which caused problems for our
unconditional copying into binary package. I was warned.
-- Stefan Fritsch <email address hidden> Thu, 29 Dec 2011 17:36:41 +0100
apache2 (2.2.21-4) unstable; urgency=low
[ Stefan Fritsch ]
* Security: Fix broken patch for CVE-2011-3607 (Integer overflow in
ap_pregsub).
* Optimize debian/rules again to improve build time by doing most work in a
single parallelized "build-%" target.
[ Arno Töll ]
* Fix "Suggest removing DefaultType from apache2.conf" change the DefaultType
from text/plain to None. This lets the browser guess a proper MIME type
instead of being forced to treat a given file according to our default type
(Closes: #440058)
* Fix "add pre-rotate hook to logrotate script" execute scripts in
/etc/logrotate.d/httpd-prerotate if available (Closes: #590096).
* Fix "Hide /icons index" Disables indexes on the icon directory. By upgrading
to Debian's 3.0/quilt source format also images don't need to be generated
at build time anymore. Hence, the icon date can no longer lead to
information disclosure (Closes: #649888).
* Upgrade package to 3.0/quilt.
+ Remove uuencoded images, keep them in their binary format in debian/icons
+ Upgrade to quilt from dpatch and refresh all patches by keeping all hunks
unchanged. Remove the `001_branding' patch by supplying -DPLATFORM at
build time where needed Move the 200_cp_suexec.dpatch patch and
202_suexec-custom.dpatch patch to debian/rules. 200_cp_suexec.dpatch was a
script, not a patch which is not supported by quilt.
* Rewrite debian/rules and base it on dh(1).
+ use overrides where possible, replace some debhelper calls by our own
implementation where needed. That's required since the Apache package is
compiled in parts several times for each MPM once.
+ move some install operations to the their respective .install files
+ Support dpkg-buildflags now, which also enables by default hardening
flags. Thus, remove them from their explicit appearance in debian/rules
+ Remove DEB_BUILD_OPTIONS legacy support. It comes for free when using
dh(1)/dpkg-buildflags(1).
* Push debhelper compatibility to 8
* Remove unused Lintian overrides for the Debian source package remove and
redundant priorities in debian/control.
* Add myself to Uploaders
-- Stefan Fritsch <email address hidden> Thu, 29 Dec 2011 12:09:14 +0100
apache2 (2.2.21-3) unstable; urgency=medium
* Fix CVE-2011-4317: Prevent unintended pattern expansion in some
reverse proxy configurations. (Similar to CVE-2011-3368, but different
attack vector.)
* Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
via malicious .htaccess.
* Mention dpkg-statoverride for changing permissions of suexec. LP: #897120
* Fix broken link in docs. Closes: #650528
* Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders.
Thanks for your work in the past.
-- Stefan Fritsch <email address hidden> Sat, 03 Dec 2011 18:54:03 +0100
apache2 (2.2.21-2) unstable; urgency=high
* Fix CVE-2011-3368: Prevent unintended pattern expansion in some
reverse proxy configurations by strictly validating the request-URI.
* Correctly set permissions of suexec.load even if umask is 0002 during
build. LP: #872000
-- Stefan Fritsch <email address hidden> Tue, 11 Oct 2011 22:54:47 +0200
| Superseded in squeeze-release |
apache2 (2.2.16-6+squeeze4) squeeze; urgency=low
* Fix CVE-2011-3348: Possible denial of service in mod_proxy_ajp
if combined with mod_proxy_balancer.
* Make exit code of '/etc/init.d/apache2 status' more LSB compatible.
Closes: #613969
* Fix typo in init script. Closes: #615866
* For multiple instance setups, correctly determine the config dir in the
init script if it is called via a start/stop link. Closes: #627061
* Add hint in README.Debian about 403 error with mod_dav PUT.
Closes: #613438
* Add hint in README.Debian about how to increase max number of open
files. Closes: #615632
* Make it clear in README.multiple-instances that the MPMs are shipped
in the apache2.2-bin package.
* Tweak patch header to fix "dpatch unapply" with unstable's patch/dpatch.
-- Stefan Fritsch <email address hidden> Mon, 26 Sep 2011 00:12:23 +0200
| Superseded in lenny-release |
apache2 (2.2.9-10+lenny11) lenny-security; urgency=high
* Fix regressions related to range requests introduced by 2.2.9-10+lenny10.
Closes: #639825
-- Stefan Fritsch <email address hidden> Sun, 04 Sep 2011 22:09:38 +0200
apache2 (2.2.21-1) unstable; urgency=low
* New upstream release.
- Fixes CVE-2011-3348: Possible denial of service in mod_proxy_ajp
if combined with mod_proxy_balancer
-- Stefan Fritsch <email address hidden> Mon, 26 Sep 2011 18:16:11 +0200
apache2 (2.2.20-1) unstable; urgency=low
* New upstream release.
* Fix some regressions related to Range requests caused by the CVE-2011-3192
fix. Closes: #639825
* Add build-arch and build-indep rules targets to make Lintian happy.
* Bump Standards-Version (no changes).
-- Stefan Fritsch <email address hidden> Sun, 04 Sep 2011 21:50:22 +0200
apache2 (2.2.19-2) unstable; urgency=high
* Fix CVE-2011-3192: DoS by high memory usage for a large number of
overlapping ranges.
* Reduce default KeepAliveTimeout from 15 to 5 seconds.
* Use "linux-any" in build-deps. Closes: #634709
* Improve reload message of a2enmod. Closes: #639291
* Improve description of the prefork MPM. Closes: #634242
* Mention .conf files in a2enmod man page. Closes: #634834
-- Stefan Fritsch <email address hidden> Mon, 29 Aug 2011 17:08:17 +0200
| Superseded in squeeze-release |
apache2 (2.2.16-6+squeeze1) stable-security; urgency=high * Fix CVE-2011-1176 in apache2-mpm-itk: If NiceValue was set, the default with no AssignUserID was to run as root:root instead of the default Apache user and group. Closes: #618857 -- Stefan Fritsch <email address hidden> Tue, 22 Mar 2011 21:44:39 +0100
apache2 (2.2.19-1) unstable; urgency=low * New upstream release. - Makes apr-md5 the default algorithm for htpasswd, removing the 8 character limit of the crypt()-algorithm. Closes: #539246 - Fixes merging of IndexOptions. Closes: #394688 - Documents why order of ProxyPass and <Proxy> blocks matters in the configuration. See "Workers" section in the mod_proxy documentation. Closes: #560020 * For multiple instance setups, correctly determine the config dir in the init script if it is called via a start/stop link. Closes: #627061 * Make a2enmod's restart hint more cut'n'paste friendly. LP: #770204 * Make it clear in README.multiple-instances that the MPMs are shipped in the apache2.2-bin package. -- Stefan Fritsch <email address hidden> Sun, 22 May 2011 10:21:21 +0200
apache2 (2.2.17-3) unstable; urgency=low * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049 * Fix link errors with -no-add-needed/--no-copy-dt-needed-entries in htpasswd/htdbm. -- Stefan Fritsch <email address hidden> Sun, 10 Apr 2011 20:43:55 +0200
apache2 (2.2.17-2) unstable; urgency=high * New mpm_itk upstream version 2.2.17-01: - Fix CVE-2011-1176: If NiceValue was set, the default with no AssignUserID was to run as root:root instead of the default Apache user and group, due to the configuration merger having an incorrect default configuration. Closes: #618857 * Make exit code of '/etc/init.d/apache2 status' more LSB compatible. Closes: #613969 * Set the default file descriptor limit to 8192 instead of whatever the current limit is (usually 1024). Document how to change it in /etc/apache2/envvars . Closes: #615632 * Fix typo in init script. Closes: #615866 * Add hint in README.Debian about 403 error with mod_dav PUT. Closes: #613438 * Remove some obsolete Depends and Replaces. -- Stefan Fritsch <email address hidden> Mon, 21 Mar 2011 23:01:17 +0100
apache2 (2.2.17-1) unstable; urgency=low * New upstream version * Disable md5 in mod_ssl default cipher suite. Closes: #609126 * Fix order of comments in "worker" section in apache2.conf. Closes: #608488 -- Stefan Fritsch <email address hidden> Tue, 15 Feb 2011 23:30:18 +0100
| Superseded in lenny-release |
apache2 (2.2.9-10+lenny9) stable-security; urgency=high * Add the new SSLInsecureRenegotiation directive to configure if clients that have not been patched to support secure renegotiation (RFC 5746) are allowed to connect (CVE-2009-3555). Together with the recent openssl upgrade, this closes: #587037 This upgrade also adds support for the SSL_SECURE_RENEG variable, to allow testing if secure renegotiation is supported by the client. -- Stefan Fritsch <email address hidden> Sat, 11 Dec 2010 19:45:28 +0100
apache2 (2.2.16-6) unstable; urgency=low * Also add $named to the secondary-init-script example. -- Stefan Fritsch <email address hidden> Sat, 01 Jan 2011 22:55:15 +0100
apache2 (2.2.16-5) unstable; urgency=medium * Add $named to the init script dependency header, since apache depends on DNS in some configurations. Closes: #608437 * Update outdated description of /etc/apache2/magic in README.Debian. Closes: #603586 -- Stefan Fritsch <email address hidden> Fri, 31 Dec 2010 01:22:19 +0100
apache2 (2.2.16-4) unstable; urgency=medium
* Increase the mod_reqtimeout default timeouts to avoid potential problems
with CRL-requesting browsers. Also extend the comments in reqtimeout.conf.
* Remove bogus comment in conf.d/security about default in the "release
after Lenny".
* Clarify comments in suexec-custom's default config file. LP: #673289
-- Stefan Fritsch <email address hidden> Sun, 14 Nov 2010 19:05:55 +0100
apache2 (2.2.16-3) unstable; urgency=high
* CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
* Fix "Could not reliably determine the server's ..." error message in
README.Debian, to make it easier to search for it. Closes: #590528
-- Stefan Fritsch <email address hidden> Sat, 09 Oct 2010 20:59:34 +0200
apache2 (2.2.16-2) unstable; urgency=low
* Force -j1 for 'make install' to fix occasional FTBFS. Closes: #593036
* Add a note about the new behaviour of SSL/TLS renegotiation and the new
directive SSLInsecureRenegotiation to NEWS.Debian. Closes: #593334
* Support 'graceful' as alias for 'reload' in the init script.
* In README.Debian, suggest an Apache configuration change to get rid of the
"Could not reliably determine the server's fully qualified domain name"
warning, as alternative to changing DNS or /etc/hosts. Closes: #590528
* Add notes to README.Debian on how to reduce memory usage.
* Bump Standards-Version (no changes).
-- Stefan Fritsch <email address hidden> Sun, 29 Aug 2010 15:29:21 +0200
apache2 (2.2.16-1) unstable; urgency=medium
* Urgency medium for security fix.
* New upstream release:
- CVE-2010-1452: mod_dav, mod_cache: Fix denial of service vulnerability
due to incorrect handling of requests without a path segment.
- mod_dir: add FallbackResource directive, to enable admin to specify
an action to happen when a URL maps to no file, without resorting
to ErrorDocument or mod_rewrite
* Fix mod_ssl header line corruption because of using memcpy for overlapping
buffers. PR 45444. LP: #609290, #589611, #595116
-- Stefan Fritsch <email address hidden> Sat, 24 Jul 2010 22:18:43 +0200
apache2 (2.2.15-6) unstable; urgency=low
* Fix init script not correctly killing htcacheclean. Closes: #580971
* Add a separate entry in README.Debian about the need to use apache2ctl
for starting instead of calling apache2 directly. Closes: #580445
* Fix debug info to allow gdb loading it automatically. Closes: #581514
* Fix install target in Makefile created by apxs2 -n. Closes: #588787
* Fix ab sending more requests than specified by the -n parameter.
Closes: #541158
* Add apache2 monit configuration to apache2.2-commons examples dir.
Closes: #583127
* Build as PIE, since gdb in squeeze now supports it.
* Update the postrm script to also purge the version of /var/www/index.html
introduced in 2.2.11-7.
* Bump Standards-Version (no changes).
-- Stefan Fritsch <email address hidden> Fri, 16 Jul 2010 23:41:08 +0200
| Superseded in lenny-release |
apache2 (2.2.9-10+lenny8) stable; urgency=low
* Add missing psmisc dependency for killall used in the init script.
Closes: #568542
* Fix potential memory leaks related to the usage of apr_brigade_destroy().
-- Stefan Fritsch <email address hidden> Mon, 19 Apr 2010 21:17:33 +0200
apache2 (2.2.15-5) unstable; urgency=low
* Conflict with apache package as we now include apachectl. Closes: #579065
* Remove conflicts with old apache 2.0 modules. The conflicts are not
necessary anymore as skipping a stable release is not supported anyway.
* Silence the grep in preinst.
-- Stefan Fritsch <email address hidden> Sun, 25 Apr 2010 10:46:09 +0200
apache2 (2.2.15-3) unstable; urgency=low
* mod_reqtimeout: backport bugfixes from upstream trunk up to r928881,
including a fix for mod_proxy CONNECT requests.
* mod_dav_fs: Use correct permissions when creating new files. LP: #540747
-- Stefan Fritsch <email address hidden> Mon, 29 Mar 2010 22:16:24 +0200
apache2 (2.2.15-2) unstable; urgency=low
* Make the Files ~ "^\.ht" block in apache2.conf more secure by adding
Satisfy all. Closes: #572075
* mod_reqtimeout: Various bug fixes, including:
- Don't mess up timeouts of mod_proxy's backend connections.
Closes: #573163
-- Stefan Fritsch <email address hidden> Wed, 10 Mar 2010 21:06:06 +0100
apache2 (2.2.15-1) unstable; urgency=low
* New upstream version:
- CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability
- CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol
prefix injection attack.
- CVE-2010-0434: mod_headers: Fix potential information leak with threaded
MPMs.
- mod_reqtimeout: New module limiting the time waiting for receiving
a request from the client. This is a (partial) mitigation against
slowloris-type resource exhaustion attacks. The module is enabled by
default. Closes: #533661
- mod_ssl: Add SSLInsecureRenegotiation directive to allows insecure
renegotiation with clients which do not yet support the secure
renegotiation protocol. As this requires openssl 0.9.8m, bump
build dependency accordingly.
* Fix bash completion for a2ensite if the site name contains 'conf' or
'load'. Closes: #572232
* Do a configcheck in the init script before doing a non-graceful restart.
Closes: #571461
-- Stefan Fritsch <email address hidden> Sun, 07 Mar 2010 23:22:56 +0100
apache2 (2.2.14-7) unstable; urgency=low
* Fix potential memory leaks related to the usage of apr_brigade_destroy().
* Add hints about correct mod_dav_fs configuration to README.Debian.
Closes: #257945
* Fix error in Polish translation of 404 error page. Closes: #570228
* Document ThreadLimit in apache2.conf's comments.
-- Stefan Fritsch <email address hidden> Sat, 20 Feb 2010 12:38:30 +0100
apache2 (2.2.14-6) unstable; urgency=low
* Use environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR, and
APACHE_LOG_DIR in the default configuration. If you have modified
/etc/apache2/envvars, make sure that these variables are set and exported.
* Add support for multiple apache2 instances to initscript and apache2ctl.
See /usr/share/doc/apache2.2-common/README.multiple-instances for details.
Closes: #353450
* Set default compiled-in ServerRoot to /etc/apache2 and make paths in
apache2.conf relative to ServerRoot.
* Move ab and logresolve from /usr/sbin to /usr/bin. Closes: #351450, #564061
* Fix symlinks in apache2-dbg package. Closes: #567076
* Fix mod_cache CacheIgnoreURLSessionIdentifiers handling. Closes: #556383
* Add new init script action graceful-stop (LP: #456381)
* Add more languages to mime.conf. To limit this to useful entries, we only
add those for which a translation of the Debian intaller exists. LP: #217964
* Unset $HOME in /etc/apache2/envvars.
* Change default config of mod_info and mod_status to use IP addresses
instead of hostnames. Otherwise the hostname is sometimes logged even with
'HostnameLookup Off'. Closes: #568409
* Add a hook to apache2.2-common's postrm script that may come in handy
when upgrading to 2.4.
* Make bug script also display php extensions.
* Bump Standards-Version (no changes).
* Remove Adam Conrad from Uploaders. Thanks for your work in the past.
-- Stefan Fritsch <email address hidden> Sun, 07 Feb 2010 17:29:45 +0100
| Superseded in lenny-release |
apache2 (2.2.9-10+lenny6) stable-security; urgency=high
* Security:
- Reject any client-initiated SSL/TLS renegotiations. This is a partial fix
for the TLS renegotiation prefix injection attack (CVE-2009-3555).
Any configuration which requires renegotiation for per-directory/location
access control or uses "SSLVerifyClient optional" is still vulnerable.
-- Stefan Fritsch <email address hidden> Sat, 14 Nov 2009 21:10:47 +0100
apache2 (2.2.14-5) unstable; urgency=low
* Security: Further mitigation for the TLS renegotation attack
(CVE-2009-3555): Disable keep-alive if parts of the next request have
already been received when doing a renegotiation. This defends against
some request splicing attacks.
* Print a useful error message if 'apache2ctl status' fails. Add a comment
to /etc/apache2/envvars on how to change the options for www-browser.
Closes: #561496, #272069
* Improve function to detect apache2 pid in init-script (closes: #562583).
* Add hint README.Debian on how to pass auth info to CGI scripts.
Closes: #483219
* Re-introduce objcopy magic to avoid dangling symlinks to the debug info
in the mpm packages. Closes: #563278
* Make apxs2 use a2enmod and /etc/apache2/mods-available. Closes: #470178,
LP: #500703
* Point to README.backtrace in apache2-dbg's description.
* Use more debhelper functions to simplify debian/rules.
* Add misc-depends to various packages to make lintian happy.
* Change build-dep from libcap2-dev to libcap-dev because of package rename.
-- Stefan Fritsch <email address hidden> Sat, 02 Jan 2010 22:44:15 +0100
apache2 (2.2.14-4) unstable; urgency=low
* Disable localized error pages again by default because they break
configurations with "<Location /> SetHandler ...". A workaround is
described in the comments in /etc/apache2/conf.d/localized-error-pages
(closes: #543333).
* mod_rewrite: Fix URLs in redirects with literal IPv6 hosts
(closes: #557015).
* Automatically listen on port 443 if mod_gnutls is loaded (closes: #558234).
* Add man page for split-logfile.
* Link with -lcrypt where necessary to fix a FTBFS with binutils-gold
(closes: #553946).
-- Stefan Fritsch <email address hidden> Sun, 13 Dec 2009 20:05:37 +0100
apache2 (2.2.14-3) unstable; urgency=low
* Backport various mod_dav/mod_dav_fs fixes from upstream trunk svn. This
includes:
- Make PUT replace files atomically (closes: #525137).
- Make MOVE not delete the destination if the source file disappeared in
the meantime (closes: #273476).
NOTE: The format of the DavLockDB has changed. The default DavLockDB will
be deleted on upgrade. Non-default DavLockDBs should be deleted manually.
* Fix output of "/etc/init.d/apache2 status" (closes: #555687).
* Update the comment about SNI in ports.conf (closes: #556932).
* Set redirect-carefully for Konqueror/4.
-- Stefan Fritsch <email address hidden> Sat, 21 Nov 2009 10:20:54 +0100
apache2 (2.2.14-2) unstable; urgency=medium
* Security:
Reject any client-initiated SSL/TLS renegotiations. This is a partial fix
for the TLS renegotiation prefix injection attack (CVE-2009-3555).
Any configuration which requires renegotiation for per-directory/location
access control is still vulnerable.
* Allow RemoveType to override the types from /etc/mime.types. This allows
to use .es and .tr for Spanish and Turkish files in mod_negotiation.
Closes: #496080
* Fix 'CacheEnable disk http://'. Closes: #442266
* Fix missing dependency by changing killall to pkill in the init script.
LP: #460692
* Add X-Interactive header to init script as it may ask for the ssl key
passphrase. Closes: #554824
* Move httxt2dbm man page into apache2.2-bin, which includes httxt2dbm, too.
* Enable keepalive for MSIE 7 and newer in default-ssl site and README.Debian
-- Stefan Fritsch <email address hidden> Sat, 07 Nov 2009 14:37:37 +0100
apache2 (2.2.14-1) unstable; urgency=low
* New upstream version:
- new module mod_proxy_scgi
* Disable hardening option -pie again, as gdb in Debian does not support
it properly and it is broken on mips*.
-- Stefan Fritsch <email address hidden> Tue, 29 Sep 2009 20:55:05 +0200
apache2 (2.2.13-2) unstable; urgency=high
* mod_proxy_ftp security fixes (closes: #545951):
- DoS by malicious ftp server (CVE-2009-3094)
- missing input sanitization: a user could execute arbitrary ftp commands
on the backend ftp server (CVE-2009-3095)
* Add entries to NEWS.Debian and README.Debian about Apache being stricter
about certain misconfigurations involving name based SSL virtual hosts.
Also make Apache print the location of the misconfigured VirtualHost when
it complains about a missing SSLCertificateFile statement. Closes: #541607
* Add Build-Conflicts: autoconf2.13 (closes: #541536).
* Adjust priority of apache2-mpm-itk to extra.
* Switch apache2.2-common and the four mpm packages from architecture all to
any. This is stupid but makes apache2 binNMUable again (closes: #544509).
* Bump Standards-Version (no changes).
-- Stefan Fritsch <email address hidden> Wed, 16 Sep 2009 20:55:02 +0200
apache2 (2.2.13-1) unstable; urgency=low
* New upstream release:
- Fixes segfault with mod_deflate and mod_php (closes: #542623).
-- Stefan Fritsch <email address hidden> Mon, 31 Aug 2009 20:28:56 +0200
| Superseded in lenny-release |
apache2 (2.2.9-10+lenny4) stable-security; urgency=high
* Security fixes:
- CVE-2009-1890: denial of service in mod_proxy (closes: #536718)
- CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
Also prevent compressing the content for HEAD requests.
-- Stefan Fritsch <email address hidden> Tue, 14 Jul 2009 21:53:01 +0200
apache2 (2.2.12-1) unstable; urgency=low
* New upstream release:
- Adds support for TLS Server Name Indication (closes: #461917 LP: #184131).
(The Debian default configuration will be changed to use SNI in a later
version.)
- Fixes timefmt config in SSI (closes: #363964).
- mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
to enable stricter checking of remote server certificates.
* Make mod_deflate not compress the content for HEAD requests. This is a
similar issue as CVE-2009-1891.
* Enable hardening compile options.
* Switch default LogFormat from %b (size of file sent) to %O (bytes actually
sent) (closes: #272476 LP: #255124)
* Add the default LANG=C to /etc/apache2/envvars and document it in
README.Debian (closes: #511878).
* Enable localized error pages by default if the necessary modules are
loaded. Move the config for it from apache2.conf to
/etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the
required order of the aliases in the comment (closes: #196795).
* Change default for ServerTokens to 'OS', to not announce the exact module
versions to the world (LP: #205996)
* Make a2ensite and friends ignore the same filenames as apache does for
included config files, even if LANG is not C.
* Merge source packages apache2 and apache2-mpm-itk (current itk version is
2.2.11-02). This removes the binNMU mess necessary for every apache2 upload
(closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src
package, which is no longer necessary.
* Ship our own version of the magic config file (taken from file 4.17-5etch3)
which is still compatible with mod_mime_magic (closes: #483111).
* Add ThreadLimit to the default config and put ThreadsPerChild and
MaxClients into the correct order so that Apache does not complain
(closes: #495656).
Also add a configuration block for the event MPM in apache2.conf.
* Fix HTTP PUT with mod_dav failing to detect an aborted connection
(closes: #451563).
* Change references to httpd.conf in apache2-doc to apache2.conf
(closes: #465393).
* Clarify the recommended permissions for SSL certificates in README.Debian
(closes: #512778).
* Document in README.Debian how to name files in conf.d to avoid conflicts
with packages (closes: #493252)
* Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
* Remove other_vhosts_access.log on package purge.
-- Stefan Fritsch <email address hidden> Tue, 04 Aug 2009 11:02:34 +0200
apache2 (2.2.11-7) unstable; urgency=low
* Security fixes:
- CVE-2009-1890: denial of service in mod_proxy
- CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
* Add symlinks for the debug info to the mpm packages.
* Be slightly more informative in the default index.html without pointing
to Apache or Debian (LP: #89364)
* Remove dependency on net-tools, which is no longer necessary
(closes: #535849)
* Bump Standards-Version (no changes)
-- Stefan Fritsch <email address hidden> Fri, 10 Jul 2009 22:42:57 +0200
apache2 (2.2.11-6) unstable; urgency=high
* CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
Side Includes (closes: #530834).
* Fix postinst scripts (closes: #532278).
-- Stefan Fritsch <email address hidden> Mon, 08 Jun 2009 19:22:58 +0200
apache2 (2.2.11-4) unstable; urgency=low
[ Stefan Fritsch ]
* Disable TRACE method by default (closes: #492130).
* Compress some more mime types with mod_deflate by default. This may cause
problems with MSIE 6, but that browser should now be considered obsolete.
Closes: #397526, #521209
* Various backports from upstream svn branches/2.2.x:
- CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous
request which failed to send a request body
- Fix FollowSymlinks / SymlinksIfOwnerMatch ignored with
server-side-includes PR 45959 (closes: #524474)
- Fix mod_rewrite "B" flag breakage PR 45529 (closes: #524268)
- Fix mod_deflate etag handling PR 45023 (LP: #358314)
- Fix mod_ldap segfault if LDAP initialization failed PR 45994
* Allow apache2-mpm-itk as alternate dependency in apache2 meta package
(closes: #527225).
* Fix some misuse of command substitution in the init script. Thanks to
Jari Aalto for the patch. (Closes: #523398)
* Extend the gnome-vfs DAV workaround to gvfs (closes: #522845).
* Add more info to check_forensic man page (closes: #528424).
* Make "apache2ctl help" point to help on apache2 args (closes: #528425).
* Lintian warnings:
- fix spelling error in apache2-utils description
- tweak debian/copyright to make lintian not complain about pointers to GPL
- bump standards-version (no changes)
[ Peter Samuelson ]
* Adjust sections to match recent ftpmaster overrides.
-- Stefan Fritsch <email address hidden> Tue, 19 May 2009 22:55:27 +0200
apache2 (2.2.11-3) unstable; urgency=low
* Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
(see #521899). This also creates the dependencies on the new external
libaprutil1-dbd-* and libaprutil1-ldap packages.
-- Stefan Fritsch <email address hidden> Tue, 31 Mar 2009 21:07:26 +0200
| Superseded in lenny-release |
apache2 (2.2.9-10+lenny2) testing-proposed-updates; urgency=low
* Report an error instead instead of segfaulting when apr_pollset_create
fails (PR 46467). On Linux kernels since 2.6.27.8, the value in
/proc/sys/fs/epoll/max_user_instances needs to be larger than twice the
value of MaxClients in the Apache configuration. Closes: #511103
-- Stefan Fritsch <email address hidden> Tue, 20 Jan 2009 18:17:27 +0100
| Superseded in sid-release |
| Superseded in squeeze-release |
| Superseded in squeeze-release |
| Superseded in sid-release |
apache2 (2.2.11-2) unstable; urgency=low
* Report an error instead instead of segfaulting when apr_pollset_create
fails (PR 46467). On Linux kernels since 2.6.27.8, the value in
/proc/sys/fs/epoll/max_user_instances needs to be larger than twice the
value of MaxClients in the Apache configuration. Closes: #511103
-- Stefan Fritsch <email address hidden> Fri, 16 Jan 2009 19:01:59 +0100
apache2 (2.2.11-1) unstable; urgency=low [Thom May] * New Upstream Version (Closes: #508186, LP: #307397) - Contains rewritten shmcb code which should fix alignment problems on alpha (Closes: #419720). - Notable new features: chroot support, mod_proxy improvements. [Ryan Niebur] * fix segfault in ab when being verbose on ssl sites (Closes: #495982) * remove trailing slash for DocumentRoot (Closes: #495110) -- Stefan Fritsch <email address hidden> Sun, 14 Dec 2008 09:34:24 +0100
apache2 (2.2.9-10+lenny1) testing-proposed-updates; urgency=low
* Regression fix from upstream svn for mod_proxy:
Prevent segmentation faults by correctly adjusting the lifetime of the
buckets read from the proxy backend. PR 45792
* Fix from upstream svn for mpm_worker:
Crosscheck that idle workers are still available before using them and
thus preventing an overflow of the worker queue which causes a SegFault.
PR 45605
* Add a comment to ports.conf to point to NEWS.Debian.gz in case of
upgrading problems.
-- Stefan Fritsch <email address hidden> Tue, 02 Dec 2008 22:00:50 +0100
apache2 (2.2.9-11) unstable; urgency=low
* Regression fix from upstream svn for mod_proxy:
Prevent segmentation faults by correctly adjusting the lifetime of the
buckets read from the proxy backend. PR 45792
* Fix from upstream svn for mpm_worker:
Crosscheck that idle workers are still available before using them and
thus preventing an overflow of the worker queue which causes a SegFault.
PR 45605
* Add a comment to ports.conf to point to NEWS.Debian.gz in case of
upgrading problems.
-- Stefan Fritsch <email address hidden> Wed, 26 Nov 2008 23:10:22 +0100
apache2 (2.2.9-10) unstable; urgency=low
* Regression fix from upstream svn for mod_proxy_http:
Don't trigger a retry by the client if a failure to read the response line
was the result of a timeout.
-- Stefan Fritsch <email address hidden> Wed, 01 Oct 2008 11:50:18 +0200
| 151 → 211 of 211 results | First • Previous • Next • Last |
