Change log for apache2 package in Debian

Superseded in buster-release
Superseded in sid-release
apache2 (2.4.27-6) unstable; urgency=high

  * CVE-2017-9798: Don't allow new methods to be registered in .htaccess files
    which could result in HTTP OPTIONS method leaking Apache's server memory.
    Closes: #876109
  * Fix argument escaping in apachectl. Closes: #876384

 -- Stefan Fritsch <email address hidden>  Sun, 24 Sep 2017 00:08:01 +0200
Superseded in buster-release
Superseded in sid-release
apache2 (2.4.27-5) unstable; urgency=medium

  * Upload to unstable.
  * Update "Breaks:" for openssl transition.
  * Bump Standards-Version to 4.1.0. No changes needed.

 -- Stefan Fritsch <email address hidden>  Sun, 03 Sep 2017 17:18:57 +0200
Deleted in experimental-release (Reason: None provided.)
apache2 (2.4.27-4) experimental; urgency=medium

  * Use 'invoke-rc.d' instead of init script in logrotate script.
    Closes: #857607
  * Make the apache-htcacheclean init script actually look into
    /etc/default/apache-htcacheclean for its config. LP: #1691495
  * mime.conf: Guard AddOutputFilter INCLUDES with proper <IfModule>.
    LP: #1675184
  * Use 'service' instead of init script in monit example config.
  * Bump Standards-Version to 4.0.1. Other changes:
    - change package priorities from extra to optional
  * Use libprotocol-http2-perl in autopkgtest.
  * Update test suite to svn r1804214.
  * Various tweaks to the test suite autopkgtest to avoid having to skip
    any test.
  * Also remove -DBUILD_DATETIME and -fdebug-prefix-map from config_vars.mk
    to avoid them being used by apxs.
  * deflate.conf: Remove mention of MSIE6

 -- Stefan Fritsch <email address hidden>  Tue, 08 Aug 2017 21:59:37 +0200
Superseded in jessie-release
apache2 (2.4.10-10+deb8u9) jessie-security; urgency=medium

  * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
  * CVE-2017-3169: mod_ssl NULL pointer dereference
  * CVE-2017-7668: Buffer overrun in ap_find_token()
  * CVE-2017-7679: mod_mime buffer overread

 -- Stefan Fritsch <email address hidden>  Tue, 20 Jun 2017 21:02:39 +0200
Superseded in stretch-release
apache2 (2.4.25-3+deb9u1) stretch-security; urgency=high

  * Backport security fixes from 2.4.26:
  * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
  * CVE-2017-3169: mod_ssl NULL pointer dereference
  * CVE-2017-7668: Buffer overrun in ap_find_token()
  * CVE-2017-7679: mod_mime buffer overread
  * CVE-2017-7659: mod_http2 NULL pointer dereference

 -- Stefan Fritsch <email address hidden>  Tue, 20 Jun 2017 21:29:11 +0200
Superseded in buster-release
Superseded in sid-release
apache2 (2.4.27-2) unstable; urgency=medium

  * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
    work and should go into experimental, first. Reopens: #851094

 -- Stefan Fritsch <email address hidden>  Sun, 16 Jul 2017 23:01:10 +0200
Superseded in experimental-release
apache2 (2.4.27-3) experimental; urgency=medium

  * Switch to openssl 1.1. Again closes: #851094
  * Add versioned breaks for gridsite, libapache2-mod-dacs because of
    openssl transition.
  * Provide new apache2-api-20120211-openssl1.1 virtual package and make
    dh_apache2 generate a dependency on it if there is a build-dep on
    apache2-ssl-dev.

 -- Stefan Fritsch <email address hidden>  Sun, 16 Jul 2017 23:11:07 +0200
Superseded in sid-release
apache2 (2.4.27-1) unstable; urgency=medium

  [ New upstream release ]
  * Fix CVE-2017-9788: mod_auth_digest: Uninitialized memory reflection
    Closes: #868467

  [ Stefan Fritsch ]
  * Switch to openssl 1.1. Closes: #851094

 -- Stefan Fritsch <email address hidden>  Sun, 16 Jul 2017 10:39:15 +0200
Superseded in buster-release
Superseded in sid-release
apache2 (2.4.25-4) unstable; urgency=high

  * Backport security fixes from 2.4.26:
  * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
  * CVE-2017-3169: mod_ssl NULL pointer dereference
  * CVE-2017-7668: Buffer overrun in ap_find_token()
  * CVE-2017-7679: mod_mime buffer overread
  * CVE-2017-7659: mod_http2 NULL pointer dereference

 -- Stefan Fritsch <email address hidden>  Tue, 20 Jun 2017 21:31:51 +0200
Superseded in jessie-release
apache2 (2.4.10-10+deb8u8) jessie-security; urgency=medium

  * CVE-2016-8743: Enforce more HTTP conformance for request lines and
    request headers, to prevent response splitting and cache pollution
    by malicious clients or downstream proxies.
    If this causes problems with non-conforming clients, some checks can
    be relaxed by adding the new directive 'HttpProtocolOptions unsafe'
    to the configuration.
    Differently than the upstream 2.4.25 release which will also be in the
    Debian 9 (stretch) release, this update for Debian 8 (jessie) accepts
    underscores in host and domain names even while 'HttpProtocolOptions
    strict' is in effect.
    More information is available at
    http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions
  * CVE-2016-0736: mod_session_crypto: Prevent padding oracle attack.
  * CVE-2016-2161: mod_auth_digest: Prevent segfaults when the shared memory
    space is exhausted.
  * Activate mod_reqtimeout in new installs and during updates from
    before 2.4.10-10+deb8u8. It was wrongly not activated in new installs
    since jessie. This made the default installation vulnerable to some
    DoS attacks.
  * Don't run 2.2 to 2.4 upgrade logic again when upgrading from
    2.4.10-10+deb8u*. Closes: #836818

 -- Stefan Fritsch <email address hidden>  Fri, 24 Feb 2017 19:36:41 +0100
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.25-3) unstable; urgency=medium

  * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
    Closes: #852543
  * Compile mod_bucketeer mod_case_filter mod_case_filter_in for benefit of
    the test suite, but don't add *.load files because they don't have any
    real-world use.
  * Include the upstream test suite and a corresponding autopkgtest. This
    is quite a hack but it may help quite a bit with security updates,
    especially if stretch gets LTS support, too.

 -- Stefan Fritsch <email address hidden>  Wed, 25 Jan 2017 23:59:26 +0100
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.25-2) unstable; urgency=medium

  * Activate mod_reqtimeout in new installs and during updates from
    before 2.4.25-2. It was wrongly not activated in new installs since
    jessie. This made the default installation vulnerable to some DoS
    attacks.
  * Restart htcacheclean on updates and tighten dependency on apache2-utils
    to ensure that apache2-utils cannot be upgraded without apache2.
    Closes: #851122
  * When running on systems with systemd, make 'apache2ctl start' invoke
    systemctl instead. Otherwise systemd will think apache2 is not running
    and ignore further commands like reload. Closes: #839227
  * Avoid segfault in mpm_event if a signal is received too soon after start.
    PR 60487
  * Add test for some modules to be enabled.
  * Remove mention of CVE-2016-5387 in 2.4.25-1 changelog. It was already
    fixed in 2.4.23-2.

 -- Stefan Fritsch <email address hidden>  Sat, 14 Jan 2017 19:27:34 +0100
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.25-1) unstable; urgency=medium

  [ New upstream release ]
  * Security: CVE-2016-0736:
    mod_session_crypto: Authenticate the session data/cookie with a MAC to
    prevent deciphering or tampering with a padding oracle attack.
  * Security: CVE-2016-2161:
    mod_auth_digest: Prevent segfaults during client entry allocation when the
    shared memory space is exhausted.
  * Security: CVE-2016-5387:
    Mitigate [f]cgi "httpoxy" issues.
  * Security: CVE-2016-8740:
    mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
    Closes: #847124
  * Security: CVE-2016-8743:
    Enforce HTTP request grammar corresponding to RFC7230 for request lines
    and request headers, to prevent response splitting and cache pollution by
    malicious clients or downstream proxies.
  * The stricter HTTP enforcement may cause compatibility problems with
    non-conforming clients. Fine-tuning is possible with the new
    HttpProtocolOptions directive.
  * mpm_event: Fix "scoreboard full" errors. Closes: #834708 LP: #1466926
  * mod_http2: Many fixes and support for early pushes using the new
    H2PushResource directive.

  [ Stefan Fritsch ]
  * Switch to debhelper compatibility level 9.

 -- Stefan Fritsch <email address hidden>  Wed, 21 Dec 2016 23:46:06 +0100
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.23-8) unstable; urgency=medium

  * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
    new package apache2-ssl-dev.  Packages that interface with openssl
    state from mod_ssl must build-depend on this new package.
    This will help to disentangle the build-deps in the openssl transition.
    Closes: #845033

 -- Stefan Fritsch <email address hidden>  Sun, 20 Nov 2016 00:33:13 +0100
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.23-7) unstable; urgency=medium

  * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
  * Move DefaultRuntimeDir and pid file for multi-instances to
    /var/run/apache2-xxx. Thanks to Horst Platz for the debugging.
    Closes: #838932 LP: #1627339
  * Fix systemd unit naming for multi-instances.
  * Tweak embedded .tar.gz some more to build reproducibly.

 -- Stefan Fritsch <email address hidden>  Sun, 13 Nov 2016 13:08:28 +0100
Superseded in sid-release
apache2 (2.4.23-6) unstable; urgency=medium

  * One more tweak for reproducible build. Thanks to Daniel Shahaf for the
    patch. Closes: #839977
  * Avoid building with openssl 1.1 for now. See #828236

 -- Stefan Fritsch <email address hidden>  Wed, 09 Nov 2016 23:51:25 +0100
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.23-5) unstable; urgency=low

  * Team upload.

  [ Stefan Fritsch ]
  * Tweak creation of .tar.gz embedded in preinst to get reproducible
    build.

  [ Raphaël Hertzog ]
  * Add systemd unit files. Closes: #798430
  * Improve a2enmod to enable apache-htcacheclean with systemctl and let
    it enable '<email address hidden>' for multi-instance
    support.
  * Improve setup-instance to rely on the systemd <email address hidden> for
    multi-instance support.
  * Drop /lib/systemd/system/apache2.service.d/forking.conf now that we have
    proper native systemd support.
  * Modify handling of /etc/init.d/apache-htcacheclean to have a usual
    Default-Start value but instead we disable it manually in the postinst.
    That way "systemctl enable apache-htcacheclean" works.
  * Add some lintian overrides for non-problems (two update-rc.d calls in
    postinst, and a .js file with a very long line).

 -- Raphaël Hertzog <email address hidden>  Thu, 29 Sep 2016 12:03:31 +0200
Superseded in jessie-release
apache2 (2.4.10-10+deb8u7) jessie; urgency=medium

  * Fix installation of /lib/systemd/system/apache2.service.d/forking.conf.

 -- Julien Cristau <email address hidden>  Thu, 15 Sep 2016 22:42:19 +0200
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.23-4) unstable; urgency=medium

  * Fix pre-inst script for new installations. Closes: #834169

 -- Stefan Fritsch <email address hidden>  Fri, 12 Aug 2016 21:44:31 +0200
Superseded in sid-release
apache2 (2.4.23-3) unstable; urgency=low

  * Fix conffiles that may have got the wrong content during upgrade from
    wheezy to early jessie versions. Closes: #794933
  * Also restore re-introduced *.load files for mod_ident, mod_imagemap, and
    mod_cern_meta. These may have gone missing due to dpkg thinking they still
    belong to apache2.2-common. Reported by Markus Waldeck.
  * apache2-maintscript-helper: Make apache2_switch_mpm do nothing if the
    local admin has disabled the requested mpm manually.
    Closes: #827446, #799630
  * Make mod_proxy_html depend on mod_xml2enc.
  * dh_apache2: Make versioned recommends on apache2 less strict. There is
    no advantage in recommending the current version. Closes: #784290

 -- Stefan Fritsch <email address hidden>  Thu, 11 Aug 2016 21:40:35 +0200
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.23-2) unstable; urgency=high

  * CVE-2016-5387: Sets environmental variable based on user supplied Proxy
    request header.
    Don't pass through HTTP_PROXY in server/util_script.c

 -- Stefan Fritsch <email address hidden>  Thu, 21 Jul 2016 23:21:37 +0200
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.23-1) unstable; urgency=high

  * New upstream release
    - Security: CVE-2016-4979: Fix bypass of TLS client certificate
      verification in mod_http2.
    - new modules mod_proxy_http2 (experimental) and mod_proxy_hcheck
  * Re-introduce mod_imagemap and mod_cern_meta. Closes: #786657
  * Set SHELL=/bin/bash during configure to get reproducible builds regardless
    of where /bin/sh points to.
  * Use 'Require method' instead of Limit/LimitExcept in userdir.conf.

 -- Stefan Fritsch <email address hidden>  Tue, 05 Jul 2016 23:57:25 +0200
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.20-2) unstable; urgency=medium

  * Fix crash in ap_get_useragent_host() triggered by mod_perl test.
    Closes: #820824
  * Fix race condition and logical error in init script. Thanks to Thomas
    Stangner for the patch. Closes: #822144
  * Remove links to manpages.debian.org in default index.html to avoid
    broken robots doing a DoS on the site. Closes: #821313
  * Fix a2enmod to run on perl 5.14 to simplify backports. Closes: #821956
  * Bump Standards-Version (no changes necessary).
  * Fix segfault with logresolve -c. Closes: #823259

 -- Stefan Fritsch <email address hidden>  Sat, 28 May 2016 16:14:09 +0200
Superseded in sid-release
apache2 (2.4.20-1) unstable; urgency=medium

  * New upstream release
    - mostly bugfixes and HTTP/2 improvements
  * Build against lua 5.2 instead of 5.1. Closes: #820243
  * Correct systemd-sysv-generator behavior by customizing some parameters.
    This fixes 'systemctl status' returning incorrect results. Thanks to
    Pierre-André MOREY for the patch. LP: #1488962
  * On Linux, use pthread mutexes. On kfreebsd/hurd, continue using fcntl
    because they lack robust pthread mutexes. LP: #1565744, #1527044

 -- Stefan Fritsch <email address hidden>  Sun, 10 Apr 2016 14:03:41 +0200
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.18-2) unstable; urgency=low

  * htcacheclean:
    - split starting/stopping into separate init script 'apache-htcacheclean'
    - move config from /etc/default/apache2 to /etc/default/apache-htcacheclean
    - make a2enmod/a2dismod enable/disable htcacheclean with mod_cache_disk
    - start htcacheclean as the apache2 run user/group
  * Fix a2query -M not returning output if apache2 config is broken.
    Fix missing quotes in apache2-maintscript-helper. Closes: #810500
  * README.backtrace: Note that coredump directory needs to be owned by
    www-data. Closes: #806697
  * Remove ssl work-arounds for MSIE. Newer versions of IE work without them
    and older versions are no longer supported by MS. Closes: #815852
  * Give a hint about systemd in README.multiple-instances. Closes: #818904
  * Don't treat mod_access_compat as essential. It's essentially broken,
    anyway.
  * Merge cross-compile tweaks for debian/rules from ubuntu.
  * Merge autopkgtests from Ubuntu. Many thanks to Robie Basak.
    Closes: #719245
  * Fix duplicate-module-load test and make sure it fails if it cannot execute
    apache2ctl.
  * Bump Standards-Version (no changes necessary).

 -- Stefan Fritsch <email address hidden>  Mon, 28 Mar 2016 21:58:54 +0200
Superseded in jessie-release
apache2 (2.4.10-10+deb8u4) jessie; urgency=medium

  * Add versioned replaces/breaks for libapache2-mod-macro to apache2,
    for the config files in /etc. Closes: #806326
  * Fix split-logfile to work with current perl. Closes: #803472
  * Fix tests on deferred mpm switch. Add special casing for mpm_itk,
    which is not an mpm anymore, despite the name. Closes: #789914
    Closes: #791902
  * Fix secondary-init-script to not source the main init script with 'set -e'.
    Closes: #803177

 -- Stefan Fritsch <email address hidden>  Sat, 28 Nov 2015 15:02:23 +0100
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.18-1) unstable; urgency=medium

  * New upstream release:
    - mostly HTTP/2 improvements

 -- Stefan Fritsch <email address hidden>  Sat, 19 Dec 2015 09:26:14 +0100
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.17-3) unstable; urgency=medium

  * mpm_prefork: Fix segfault if started with -X. Closes: #805737

 -- Stefan Fritsch <email address hidden>  Mon, 23 Nov 2015 19:52:09 +0100
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.17-2) unstable; urgency=medium

  * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
    lots of web-apps. Closes: #803353
  * Fix secondary-init-script to not source the main init script with 'set -e'.
    Closes: #803177
  * mod_http2: Write HTTP/2 into THE_REQUEST and the access log.

 -- Stefan Fritsch <email address hidden>  Sat, 31 Oct 2015 23:17:11 +0100
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.17-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * New upstream release:
    - New experimental http2 module
  * reproducible build: Make symbol sorting consistent over different locales
  * Conflict with apache2.2-common and apache2.2-bin to get the transitional
    packages removed. Closes: #768815
  * Don't treat mpm_itk as MPM module in a2query. Closes: #791902
  * Don't treat mpm_itk as MPM module in deferred actions in postinst.
    Hopefully really closes: #789914
  * Don't treat mpm_itk as MPM module in a2enmod.

  [ Jean-Michel Vourgère ]
  * Updated upstream keyring used to check source authenticity.

 -- Stefan Fritsch <email address hidden>  Sat, 24 Oct 2015 22:14:32 +0200
Published in wheezy-release
apache2 (2.2.22-13+deb7u6) wheezy-security; urgency=medium

  * Fix regression causing spurious errors when loading certificate chain.
    Closes: #794383

 -- Stefan Fritsch <email address hidden>  Tue, 18 Aug 2015 11:41:11 +0200
Superseded in jessie-release
apache2 (2.4.10-10+deb8u3) jessie; urgency=medium

  * Revert fix for deferred mpm switch for now, because it is at least not
    complete or maybe causes regressions (see #791902). Re-opens #789914

 -- Stefan Fritsch <email address hidden>  Fri, 28 Aug 2015 18:24:17 +0200
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.16-3) unstable; urgency=medium

  [ Jean-Michel Vourgère ]
  * Have apache2.postrm remove the content of /var/lib/apache2, not the
    directory itself. Closes: #793862
  * d/p/reproducible_builds.diff: Sort exported symbols list.

  [ Stefan Fritsch ]
  * apxs: Don't pass --silent to libtool. Closes: #795820
  * Remove default /var/www/html/index.html on package purge.

 -- Stefan Fritsch <email address hidden>  Tue, 18 Aug 2015 13:49:09 +0200
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.16-2) unstable; urgency=medium

  * Make dh_apache2 add a versioned dependency on apache2-bin, for the
    new symbols required for the CVE-2015-3185 fix.

 -- Stefan Fritsch <email address hidden>  Fri, 07 Aug 2015 23:43:16 +0200
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.16-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * New upstream version, fixing the following security issues:
    + CVE-2015-3183: Fix chunk header parsing defect.
    + CVE-2015-3185: ap_some_auth_required() broken in apache 2.4 in an
      unfixable way. Add a new replacement API ap_some_authn_required()
      and ap_force_authn hook.

  [ Jean-Michel Vourgère ]
  * Allow "triggers-awaited" and "triggers-pending" states in addition to
    "installed" when determining whether to defer actions or process
    deferred actions. Thanks Colin Watson. Closes: #787103
  * Allow a2dismod cgi on threaded mpms. Thanks Raul Dias. Closes:
    #733979
  * Remove pre-Jessie transition scripts, and remaining breaks.
  * Made builds reproducible: d/rules set the date from the changelog in
    CPPFLAGS, new reproducible_builds.diff patch to use it.
  * Moved bash_completion from /etc to /usr/share/bash_completion. Added
    links there for dynamic loading.
  * Upgrade security.conf comments to 2.4 auth format. Thanks Werner
    Detter. Closes: #789788
  * apache2.postinst: Fixed tests on deferred mpm switch. Closes:
    #789914

 -- Stefan Fritsch <email address hidden>  Sun, 02 Aug 2015 00:44:07 +0200
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.12-2) unstable; urgency=medium

  [ Jean-Michel Nirgal Vourgère ]
  * d/control:
    + Update Vcs-Browser.
  * d/copyright:
    + Change d/debhelper/dh_apache2 to dh_apache2.in.
    + Drop paragraph about inexistent itk patches.

  [ Stefan Fritsch ]
  * Remove all the transitional packages:
    apache2-mpm-worker, apache2-mpm-prefork, apache2-mpm-event,
    apache2-mpm-itk, apache2.2-bin, apache2.2-common,
    libapache2-mod-proxy-html, libapache2-mod-macro, apache2-suexec
    This also fixes the dependency problems caused by a recent version
    of debhelper (see #784803).

 -- Stefan Fritsch <email address hidden>  Mon, 11 May 2015 22:07:26 +0200
Superseded in sid-release
apache2 (2.4.12-1) unstable; urgency=medium

  * New upstream version
  * Add a patch for CVE-2015-0253 which was introduced in 2.4.11 which
    was never shipped in Debian.
  * Ship mod_proxy_html's default config file. Closes: #782022
  * Fix typo in dh_apache2 man page. Closes: #781032

 -- Stefan Fritsch <email address hidden>  Tue, 28 Apr 2015 22:54:41 +0200
Superseded in stretch-release
Superseded in sid-release
apache2 (2.4.10-11) unstable; urgency=medium

  * core: Fix -D[efined] or <Define>[d] variables lifetime across restarts.
    This could cause all kinds of strange behavior. PR 56008. PR 57328
  * mpm_event: Fix process deadlock when shutting down a worker. PR 56960
  * mpm_event: Fix crashes due to various race conditions. Closes: #779078

 -- Stefan Fritsch <email address hidden>  Tue, 31 Mar 2015 22:27:16 +0200
Superseded in jessie-release
Superseded in sid-release
apache2 (2.4.10-10) unstable; urgency=medium

  * CVE-2015-0228: mod_lua: Fix denial of service vulnerability in
    wsupgrade().
  * Fix setup-instance example script to handle a2enconf/a2disconf.
    LP: #1430936
  * Tweak mention of mod_access_compat in NEWS.Debian. The module does
    not really work in practice.

 -- Stefan Fritsch <email address hidden>  Sun, 15 Mar 2015 10:47:36 +0100
Superseded in wheezy-release
apache2 (2.2.22-13+deb7u4) wheezy; urgency=medium

  * CVE-2013-5704: Fix handling of chunk trailers. A remote attacker could
    use this flaw to bypass intended mod_headers restrictions, allowing
    them to send requests to applications that include headers that should
    have been removed by mod_headers.
    The new behavior is to not merge trailers into the headers automatically.
    A new directive "MergeTrailers" is introduced to restore the old
    behavior.
  * Fix hostname comparison with SNI to be case insensitive. Closes: #771199
  * Fix value of SSL_CLIENT_S_DN_UID in mod_ssl (broken in 2.2.15).
    Closes: #773841
  * Add paragraph about session ticket key life-time and forward secrecy to
    README.Debian. Closes: #762619

 -- Stefan Fritsch <email address hidden>  Tue, 23 Dec 2014 23:44:24 +0100
Superseded in jessie-release
Superseded in sid-release
apache2 (2.4.10-9) unstable; urgency=medium

  * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
    LuaAuthzProvider is used in multiple Require directives with different
    arguments.
  * Include ask-for-passphrase script from Ubuntu with some tweaks. This
    fixes asking for certificate passphrases if started via systemd.
    Closes: #773405
  * Fix init script to not wait 20s if passphrase was wrong.
  * Also bump debhelper build-depends to get dh_installdeb with support for
    symlink_to_dir. Closes: #770421

 -- Stefan Fritsch <email address hidden>  Mon, 22 Dec 2014 20:24:36 +0100
Superseded in jessie-release
Superseded in sid-release
apache2 (2.4.10-8) unstable; urgency=medium

  * Bump dpkg Pre-Depends to version that supports relative symlinks in
    dpkg-maintscript-helper's symlink_to_dir. Closes: #769821
  * mod_proxy_fcgi: Fix potential denial of service by malicious fcgi
    script. (CVE-2014-3583). Fix similar bug in mod_authnz_fcgi even
    though it does not seem to be exploitable.
  * mpm_event: Fix use-after-free that may lead to a server crash.
  * mod_ssl: Fix memory leak on graceful restart. Closes: #754492
  * mod_ssl: Avoid crashes during startup or graceful restart due to
    openssl using a callback to invalid memory. LP: #1366174

 -- Stefan Fritsch <email address hidden>  Tue, 18 Nov 2014 15:18:18 +0100
Superseded in jessie-release
Superseded in sid-release
apache2 (2.4.10-7) unstable; urgency=medium

  * Handle transitions of doc dirs and symlinks correctly during upgrade.
    Use dpkg-maintscript-helper for this and remove existing explicit logic.
    Closes: #767850
  * Remove obsolete conffiles in apache2.2-common, instead doing this only in
    apache2. This partially fixes #768815

 -- Stefan Fritsch <email address hidden>  Sun, 09 Nov 2014 19:03:30 +0100
Superseded in jessie-release
Superseded in sid-release
apache2 (2.4.10-6) unstable; urgency=medium

  * Disable SSLv3 in default config. Closes: #765347
  * Pull changes from upstream 2.4.x branch up to r1632831
    - Fixes an LDAP regression in 2.4.10
    - mod_cache: Avoid sending 304 responses during failed revalidations.
      PR 56881
    - mod_status: Honor client IP address using mod_remoteip. PR 55886
  * Fix typo in package description. Closes: #765500

 -- Stefan Fritsch <email address hidden>  Tue, 21 Oct 2014 22:42:06 +0200
Superseded in wheezy-release
apache2 (2.2.22-13+deb7u3) wheezy-security; urgency=high

  * CVE-2014-0226: Fix a race condition in scoreboard handling,
    which could lead to a heap buffer overflow.
  * CVE-2014-0231: mod_cgid: Fix a denial of service against CGI scripts
    that do not consume stdin that could lead to lingering HTTPD child
    processes filling up the scoreboard and eventually hanging the server.
    By default, the client I/O timeout (Timeout directive) now applies to
    communication with scripts.  The CGIDScriptTimeout directive can be
    used to set a different timeout for communication with scripts.
  * CVE-2014-0118: mod_deflate: The DEFLATE input filter (inflates request
    bodies) now limits the length and compression ratio of inflated request
    bodies to avoid denial of service via highly compressed bodies.
    By default, LimitRequestBody is applied after decompression. Fine-tuning
    is possible with the new directives DeflateInflateLimitRequestBody,
    DeflateInflateRatioLimit, and DeflateInflateRatioBurst.

 -- Stefan Fritsch <email address hidden>  Wed, 23 Jul 2014 23:53:24 +0200
Superseded in jessie-release
Superseded in sid-release
apache2 (2.4.10-5) unstable; urgency=medium

  * Remove one forgotten instance of ident.load in the preinst.

 -- Stefan Fritsch <email address hidden>  Fri, 10 Oct 2014 00:20:09 +0200
Superseded in jessie-release
Superseded in sid-release
apache2 (2.4.10-3) unstable; urgency=medium

  * CVE-2014-3581: Fix a DoS in mod_cache.
  * If apache2 is not configured yet, defer actions executed via
    apache2-maintscript-helper. This fixes installation failures if a
    module package is configured first. Closes: #745834
  * Don't use a2query in preinst, as it may not be available yet.
    Closes: #745812
  * Include mod_authnz_fcgi. Closes: #762908
  * Add some comments about SSLHonorCipherOrder in ssl.conf. Closes: #746359
  * Remove misleading sentence in apache2-bin's description. Closes: #762645
  * Remove trailing space in apache2/suexec/www-data. Closes: #719930
  * Add NEWS entry for the logrotate change in 2.4.10-2.
  * Bump Standards-version (no changes).
  * Fix lintian warning: Tweak licence short names in copyright file.

 -- Stefan Fritsch <email address hidden>  Sun, 28 Sep 2014 22:37:02 +0200
Superseded in jessie-release
Superseded in sid-release
apache2 (2.4.10-2) unstable; urgency=medium

  * Pull changes from upstream 2.4.x branch up to r1626207
    + Security Fix for CVE-2013-5704: HTTP trailers could be used to
      replace HTTP headers late during request processing, potentially
      undoing or otherwise confusing modules that examined or modified
      request headers earlier.
      Adds "MergeTrailers" directive to restore legacy behavior.

  * Switch to apache2 providing the httpd and httpd-cgi virtual packages.
    The previously providing apache2-bin package lacks the configuration
    files. Closes: #756361
  * Keep fewer logs by default. Instead of 52 weekly logs, keep 14 daily
    logs. The daily graceful restart also has the advantage of regenerating
    things like TLS session ticket keys more often. Closes: #759382
  * Clarify description of apache2 package. Closes: #755976
  * In the maintainer script helper, print out Apache's error message if
    the config check fails.
  * Re-add mod_ident. It has still at least one user. LP: #1333388

 -- Stefan Fritsch <email address hidden>  Sun, 21 Sep 2014 22:58:33 +0200
Superseded in jessie-release
Superseded in sid-release
apache2 (2.4.10-1) unstable; urgency=medium

  [ Arno Töll ]
  * New upstream version
    + Refresh debian/patches/fhs_compliance.patch
    + Security Fixes:
      - CVE-2014-0117 mod_proxy: Fix DoS that could cause a crash
      - CVE-2014-0226 Fix a race condition resulting in a heap overflow in
        scoreboard handling
      - CVE-2014-0118 mod_deflate: The DEFLATE input filter now limits the
        length and compression ratio of inflated request to mitigate a
        possible DoS
      - CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts
    + Fixes SNI with certificate defined in global scope. (Closes: #751361)
  * Warn users if they try to disable modules that we consider essential for
    operation of the Apache web server (Closes: #709461)
  * Drop libcap from our build-dependencies. That was needed for itk which we
    gave source out to its own package again.
  * Provide apache2.2-common package to avoid upgrading problems for people
    using --purge (apt) or --purge-unused (aptitude) even though that's
    clearly discouraged. This caused disappearing of conffiles because we move
    them from apache2.2-common to apache2 during the upgrade. Ugh. This was
    not a bug in our packaging, but unfortunately people blame us
    nonetheless even though it's not all our fault. This alternative helps
    those people, but at the same time means that incompatible modules aren't
    force-removed by dpkg during the upgrade. Hopefully we catch all of them
    with the Breaks relation coming along (Closes: #716880, #752922, #711925)

 -- Stefan Fritsch <email address hidden>  Tue, 22 Jul 2014 23:16:20 +0200
Superseded in wheezy-release
apache2 (2.2.22-13+deb7u2) wheezy; urgency=medium

  * Backport support for SSL ECC keys and ECDH ciphers.

    Bump build-dependency for libssl-dev to 1.0.1e-2+deb7u8 to get the
    compatibility fix for older Safari browsers. Apache2 will still
    run with older libssl-1.0.0 but without the compatibility fix.

    In case of problems, see README.Debian.

  * CVE-2013-6438: mod_dav: Fix potential denial of service from
    specifically crafted DAV WRITE requests.

  * mod_log_config: Fix a bug that cookies whose values contain '=' would
    only be logged partially. This is related to CVE-2014-0098, but Apache
    2.2.22 is not vulnerable to this issue.

  * mod_proxy: Fix crashes under high load with threaded mpms.
    https://issues.apache.org/bugzilla/show_bug.cgi?id=50335

 -- Stefan Fritsch <email address hidden>  Sun, 25 May 2014 17:35:34 +0200
Superseded in jessie-release
Superseded in sid-release
apache2 (2.4.9-2) unstable; urgency=medium


  * Fix logic in postinst to detect existing index.* files in both
    DocumentRoots, the old /var/www and the new /var/www/html. Also
    change the compiled in default DocumentRoot to /var/www/html.
    Closes: #743915
  * Fix buffer overflows in suexec with very long (unix) usernames. Not
    exploitable due to FORTIFY_SOURCE. And creating users usually requires
    root privileges, anyway. Thanks to Luca Bruno for the report.
  * Remove conflicts of mpm modules with mpm_itk, which isn't an mpm
    anymore. Fixes a part of: #734865. libapache2-mpm-itk needs a fix, too.
  * Remove obsolete warning in a2enmod about mpm-itk.
  * Fix lintian warning: Remove image ref to w3.org, which is a privacy
    breach.

 -- Stefan Fritsch <email address hidden>  Sun, 08 Jun 2014 10:38:04 +0200
Superseded in jessie-release
Superseded in sid-release
apache2 (2.4.9-1) unstable; urgency=medium


  * New upstream version.
    Security fixes:
    - CVE-2013-6438: mod_dav: Fix DoS from crafted DAV WRITE requests.
    - CVE-2014-0098: mod_log_config: Fix segfaults when logging truncated
                     cookies.
    Notable new features:
    - Support named groups and backreferences within the LocationMatch,
      DirectoryMatch, FilesMatch and ProxyMatch directives.
    - mod_proxy: Added support for unix domain sockets as the backend server
      endpoint.
    - mod_ssl: Add support for OpenSSL configuration commands by introducing
      the SSLOpenSSLConfCmd directive.
    - mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
      mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
      require directives.
    - mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
      and IgnoreInherit.
    - Bugfix in the build system to avoid problems with patched config.m4
      files as in LP #1251939.
  * Make default cipher list in ssl.conf more secure:
    - Remove 'MEDIUM'. This disables RC4 and SEED. Also remove '!MD5' because
      'HIGH' does not include MD5.
    - Remove the 'Speed-optimized SSL Cipher' configuration example because
      it depends on RC4, which is considered insecure.
  * Change init script short description to describe the service, not the
    script.  Closes: #738315
  * Bump Standards-Version (no changes).

 -- Stefan Fritsch <email address hidden>  Sat, 29 Mar 2014 22:50:32 +0100
Published in squeeze-release
apache2 (2.2.16-6+squeeze12) squeeze; urgency=medium


  * Security: CVE-2013-1862: mod_rewrite: Ensure that client data written to
    the RewriteLog is escaped to prevent terminal escape sequences from
    entering the log file. Closes: #722333
  * Security: CVE-2013-1896: mod_dav: denial of service via MERGE request.
    Closes: #717272
  * mod_dav: Fix segfaults in certain error conditions.
    https://issues.apache.org/bugzilla/show_bug.cgi?id=52559

 -- Stefan Fritsch <email address hidden>  Tue, 28 Jan 2014 22:48:05 +0100
Superseded in wheezy-release
apache2 (2.2.22-13+deb7u1) wheezy; urgency=medium


  Low impact security fixes:
  * CVE-2013-1862: mod_rewrite: Ensure that client data written to the
    RewriteLog is escaped to prevent terminal escape sequences from entering
    the log file. Closes: #722333
  * CVE-2013-1896: mod_dav: denial of service via MERGE request.
    Closes: #717272
  * mod_dav: Fix segfaults in certain error conditions.
    https://issues.apache.org/bugzilla/show_bug.cgi?id=52559

  * Make apache2ctl create the necessary directories even if started with
    special options for apache2. Closes: #731531
  * Adjust paragraph in README.Debian about MaxMemFree not working properly.
    The issue has been fixed with apr 1.4.5-1.

 -- Stefan Fritsch <email address hidden>  Fri, 31 Jan 2014 19:43:07 +0100
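A defender-side illustration of the CVE-2013-1862 class of fix named in the entry above, written as an added example rather than Apache's own ap_escape_logitem(): untrusted request data is escaped before it is written to a log line, so a terminal that later displays the log cannot be driven by embedded escape sequences. The function names, the log line format and the sample request target are constructed for this example.

```python
"""Escape untrusted client data before it reaches a text log file.

Added example, not Apache's own code. Raw control characters (ESC, CSI, BEL,
newline) in a request target can otherwise reach the log verbatim and be
interpreted by a terminal or log viewer (CVE-2013-1862 in mod_rewrite).
"""

import re

# A few control characters get readable named escapes; backslash and double
# quote are escaped too, so an escaped value can never be mistaken for a raw one.
_NAMED = {"\n": "\\n", "\r": "\\r", "\t": "\\t", "\\": "\\\\", '"': '\\"'}


def escape_logitem(s: str) -> str:
    """Return s with every C0 control (0x00-0x1f), DEL (0x7f) and C1 control
    (0x80-0x9f) replaced by \\xNN, and backslash/quote escaped.

    ESC (0x1b) and the 8-bit CSI (0x9b) fall in these ranges, so no ANSI/VT
    escape sequence survives intact."""
    out = []
    for ch in s:
        code = ord(ch)
        if ch in _NAMED:
            out.append(_NAMED[ch])
        elif code < 0x20 or 0x7F <= code <= 0x9F:
            out.append("\\x%02x" % code)
        else:
            out.append(ch)
    return "".join(out)


def contains_terminal_escape(s: str) -> bool:
    """Detection helper: True if s still carries a raw ESC or 8-bit CSI byte,
    i.e. something a terminal would interpret rather than print."""
    return re.search("[\x1b\x9b]", s) is not None


# Constructed sample: a request target carrying a clear-screen sequence
# (ESC [ 2 J) and an OSC title-set sequence terminated by BEL (0x07).
SAMPLE_TARGET = "/index.html?q=\x1b[2J\x1b]0;owned\x07"


def rewrite_log_line(client_ip: str, target: str) -> str:
    """Build a RewriteLog-style line (format constructed for this example) with
    the client-controlled part escaped."""
    return '%s - - [rewrite] "%s"' % (client_ip, escape_logitem(target))


if __name__ == "__main__":
    print(rewrite_log_line("192.0.2.10", SAMPLE_TARGET))
```

A log line built this way contains only printable ASCII and backslash escapes, so `grep` or `cat` on the log cannot clear the screen or retitle the terminal.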
Superseded in jessie-release
Superseded in sid-release
apache2 (2.4.7-1) unstable; urgency=low


  New upstream version

  [ Stefan Fritsch ]
  * In logrotate and init script, don't hardcode path to htcacheclean.
    Instead, put sbin directories in PATH. Also fix one missed reference
    to disk_cache.load, missed in 2.4.6-3. Really closes: #718909
  * Remove possibility to override path to apache2 executable via envvars.
    This is no longer necessary with MPMs as modules.
  * Fix typo in serve-cgi-bin.conf. Closes: #723196
  * Bump Build-Depends. 2.4.7 requires apr 1.5.

  [ Arno Töll ]
  * Fix "No default site enabled after fresh install if /etc/apache2
    exists" by using a condition in preinst which actually works as expected.
    Thanks to Jean-Michel Vourgère for triaging the issue and providing a
    patch (Closes: #711493).
  * Leave a2disconf with rc=0 when purging a configuration which does not
    exist. (Closes: #718166)
  * Explicitly express the dependency for mod_access_compat depending on
    authn_core. Thanks Jean-Michel Vourgère for providing a patch (Closes:
    #710412)
  * Allow "apache2_invoke disconf" in postinst/preinst (Closes: #717693)
  * Rework the default index.html file. Instead of a blank, minimalistic page
    give a quick start guide, since nobody seems to read our docs. This site
    is hopefully explaining the most important questions.
  * Add a virtual provides line to the itk/worker/event/prefork transitional
    packages so that people with an unusual (unsupported) Apache setup
    can upgrade seamlessly in some corner cases (Closes: #728937)
  * Drop the Apache ITK patches. The Apache ITK MPM is a standalone package
    now and will be provided by libapache2-mpm-itk in future. The
    apache2-mpm-itk package depends on this package from now on. Users of itk
    are advised to consult the itk manual.
    This also resolves a build-system problem that caused mod_unixd to be
    initialized twice. (LP: #1251939)
  * Remove Steinar H. Gunderson from uploaders, he will continue to support
    itk in his own package in future. The remaining Apache team thanks Steinar
    for all the work in the past.
  * Change the Default Document root directory where files are served from
    (Closes: #730372).
  * Add GPG support to our watch file. Thanks to Daniel Kahn Gillmor
    for this suggestion and for providing a patch (Closes: #732450)
  * Refresh suexec-custom.patch.

 -- Arno Töll <email address hidden>  Thu, 02 Jan 2014 00:17:56 -1100
Superseded in squeeze-release
apache2 (2.2.16-6+squeeze11) squeeze-security; urgency=high


  * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
  * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.

 -- Stefan Fritsch <email address hidden>  Sun, 03 Mar 2013 12:25:22 +0100
Superseded in jessie-release
Superseded in sid-release
apache2 (2.4.6-3) unstable; urgency=low


  * Fix 'implicit declaration' compiler warnings.
  * Fix module dependencies in lbmethod_*.load files. Closes: #717910
    LP: #1205314
  * Mark apache2-data as Multi-Arch: foreign. Closes: #718387
  * Backport open_htaccess hook from upstream 2.4.x branch to allow
    building mpm-itk as separate package.
  * Improve comment for LogLevel in apache2.conf. Closes: #718677
  * Fix comment in ports.conf. Closes: #718650
  * Fix htcacheclean path and function name in init script. Closes: #718909
  * Enable bindnow hardening compiler option, patch by Felix Geyer.
    Closes: #714872

 -- Stefan Fritsch <email address hidden>  Mon, 12 Aug 2013 20:15:38 +0200
Superseded in jessie-release
Superseded in sid-release
apache2 (2.4.6-2) unstable; urgency=low


  [ Stefan Fritsch ]
  * Fix watch file
  * Don't pass --silent to libtool, allowing blhc to check the compiler
    options in the build logs.

  [ Arno Töll ]
  * Allow third party packages to use triggers if they use them in a
    maintainer script invoking apache2-maintscript-helper (Closes: #717610)

 -- Arno Töll <email address hidden>  Tue, 23 Jul 2013 13:25:30 +0200
Superseded in sid-release
apache2 (2.4.6-1) unstable; urgency=low


  New upstream release:
  * CVE-2013-1896: mod_dav: Fix a denial of service via MERGE request
    (Closes: #717272)
  * New modules mod_cache_socache, mod_proxy_wstunnel.
  * mod_ssl: Add support for subjectAltName-based host name checking in proxy
    mode (SSLProxyCheckPeerName).
  * mod_lua: Many new functions.
  * mod_auth_basic: Add a generic mechanism to fake basic authentication
    using the ap_expr parser (AuthBasicFake).
  * mod_proxy: New BalancerInherit and ProxyPassInherit options.
  * mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind password.

  [ Arno Töll ]
  * Document our security model in our NEWS file and highlight we do not allow
    access to /srv. Thanks to joeyh for pointing this out.
  * Allow the use of apache2-maintscript-helper from a sub-function. We rely
    on dpkg's arguments supplied in $1, $2 etc. This clashes with function
    arguments supplied to the sh sub-function. Allow manual override in such
    cases.
  * Mention that the dh_apache2 conditional must be present in postrm too
    (Closes: #716694)
  * Fix "dh_apache2 ignores alternative httpd on conf files" by correctly
    checking the supplied arguments, we were off by one (Closes: #717299).
  * Reinstall index.html also on upgrades as it is removed during upgrades.
  * Add mod_macro transitional package as it was promoted to core and does not
    exist as individual package anymore (Closes: #706962)

  [ Stefan Fritsch ]
  * Don't fail package upgrade or removal just because the configuration is in
    an inconsistent state (Closes: #716921, #717343, LP: #1202653).
  * Improve error output of init script.
  * Fix broken dependency information in several *.load files.
  * Add mod_authn_core as dependency of the mod_auth_* modules.
    (Closes: #717448)

 -- Arno Töll <email address hidden>  Sun, 21 Jul 2013 18:44:42 +0200
Superseded in sid-release
apache2 (2.4.4-6) unstable; urgency=low


  * Denote exact versions breaking gnome-user-share now that Gnome maintainers
    have a fixed version in the works. That makes Gnome installable again.
  * Update our gbp.conf for our big merge next -> master. The eagle has
    landed, 2.4 is here.
  * Push Standards version to 3.9.4 - no changes needed.
  * Fix spelling errors in man pages.
  * Update the git VCS pointer to its canonical location for anonymous
    checkouts.
  * Boost the description for the LSB init script to appease Lintian.
  * Fix spurious warnings in the Apache2 bug report script (Closes: #711121,
    #711480)
  * Strip off file extensions from arguments to a2(en|dis)(site|conf|mod) so
    that "a2ensite 000-default.conf" works, as well as "a2ensite 000-default"
    (Closes: #711494)
  * Fix "apache2-dev: dh-apache2 does not strip .conf extension" for modules
    relying on the install heuristic, instead of writing an *.apache2 conf
    file (Closes: #711483)
  * Apply patch submitted by Robert Luberda and redirect all output of
    apache2-maintscript-helper to stderr (Closes: #711478)
  * Tell about essential operations in the init script (Closes: #711120)
  * Fix indentation mess in the init script, and add modelines
  * Make sure /etc/init.d/apache2 reload does not always return. Thanks to
    Thorsten Glaser for suggesting a patch (Closes: #711117)
  * Make apache2-maintscript-helper usable when sourced from weird
    environments (e.g. Perl maintainer scripts). Thanks to Robert Luberda
    for doing unexpected things, and providing patches for it, and to Axel
    Beckert for demangling shell specifics (Closes: #711479)
  * Fix "copyright file missing after upgrade (policy 12.5)" and add these for
    MPM transitional packages (Closes: #710914)
  * Fix "apache2.2-bin transitional package (binaries only) should not
    depend on apache2 package (which runs a system daemon)". This happened by
    accident, added by debhelper since we are linking docs. We do this to
    apache2-bin instead (Closes: #711127)
  * Refresh "upstream-fixes" patch
  * Fix "Disabling strtoul violates C89 and C99 and is unnecessary" by
    removing the symbol override in httpd.h (Closes: #711534)

 -- Arno Töll <email address hidden>  Fri, 07 Jun 2013 19:14:36 +0200
Superseded in sid-release
apache2 (2.4.4-5) unstable; urgency=low


  [ Arno Töll ]
  * Fix compile issue on kfreebsd.

 -- Stefan Fritsch <email address hidden>  Fri, 31 May 2013 10:19:18 +0200
Superseded in sid-release
apache2 (2.4.4-4) unstable; urgency=low


  [ Stefan Fritsch ]
  * Upload to unstable.
  * Fix FTBFS on hurd caused by mpm-itk linking fix.
  * Fix some lintian warnings:
    - fix pod error
    - add overrides for hardening-no-fortify-functions
    - don't use /lib/init/vars.sh in init script
  * Add note to README.Debian about CVE-2013-0966 if the document root is
    on HFS+ or on ZFS with filename normalization.
  * Add a note to README.Debian about how to change the max file limit.
    Make apache2ctl print a message pointing to README.Debian if setting
    the limit fails. (Closes: #706822)

  [ Arno Töll ]
  * Correct maintainer scripts by removing forgotten left-overs of our Squeeze
    -> Wheezy renaming

 -- Stefan Fritsch <email address hidden>  Thu, 30 May 2013 17:25:09 +0200
Deleted in experimental-release (Reason: None provided.)
apache2 (2.4.4-3) experimental; urgency=low


  [ Arno Töll ]
  * libapache2-mod-proxy-html is included in Apache 2.4 and not packaged
    separately anymore. Thus, we are using the most recent version available
    now (Closes: #695482).
  * Fix "typo in mpm_event.load" by applying the patch provided by Bastian
    Triller. Thanks (Closes: #704639)
  * Replace some occurrences of "Squeeze" in our scripts. It's Wheezy time.
  * Changes in dh_apache2:
    + Add -e|--noenable option to dh_apache2 (Closes: #681544)
    + Disable scripts in prerm, not postrm (Closes: #681546)
    + However, still hook into postrm and purge state when required
    + Call the postinst code always, not only during configure
      (Closes: #681545)
    + Fix "dh_apache2 postinst code needs to reload more" and reload the
      web-server in postinst when upgrading (Closes: #702929)
  * Let a2enmod purge state when calling -p for already disabled
    configurations.
  * Fix "don't assume apache2 is running 24 hours a day when rotating
    logs": Only restart the webserver when it was previously running
    (Closes: #707892)
  * Properly return the conf/site configuration fragments enabled for Apache
    when queried from a2query (Closes: #683212)
  * Fix "/etc/init.d/apache2 start and restart need to wait until really
    started" (Closes: #645460)
  * Fix "apxs2 outputs "uninitialized value" warnings" by removing the double
    declaration of variables in apxs. This problem was harmless, but noisy
    (Closes: #707109)
  * Make the DEBIAN_VERSION parsing in debian/rules more robust. Thanks to
    Ondřej Surý for noticing and providing a patch.
  * Fix "copyright file missing after upgrade (policy 12.5)" by linking to the
    apache2 doc-dir when upgrading (Closes: #707795)

  [ Stefan Fritsch ]
  * Backport various fixes from upstream svn branch '2.4.x'. 
  * Remove paragraph about MaxMemFree in README.Debian. The issue should be
    fixed in 2.4.
  * Enable mod_authn_core when upgrading from wheezy (Closes: #702866)
  * Bump libaprutil1-dev build dependency to get support for bcrypt password
    hashes.
  * Fix mod_mpm_itk.so not being linked to libcap.so (Closes: #702475)
  * Make apache2-dev not depend on apache2.

 -- Stefan Fritsch <email address hidden>  Tue, 28 May 2013 22:47:26 +0200
Deleted in experimental-release (Reason: None provided.)
apache2 (2.4.4-2) experimental; urgency=low


  * The "let's shorten up this discussion" release, and strip changelogs which
    are not a direct ancestor of the 2.4 branch.
  * Restart the server on upgrades. We need to make sure the new binary is
    loading all symbols from the core again to make sure upgrades don't break
    the server.

 -- Arno Töll <email address hidden>  Sat, 09 Mar 2013 02:02:08 +0100
Superseded in experimental-release
apache2 (2.4.4-1) experimental; urgency=low


  * New upstream release
    - Fixes mod_log_forensic logging spurious '-' characters. Closes: #693292
    - Responds with HTTP/1.0 when talking http to https port. Closes: #701117
    - Fix various XSS flaws in modules (CVE-2012-3499, CVE-2012-4558)

  [ Stefan Fritsch ]
  * Add examples for X-Content-Type-Options and X-Frame-Options to
    security.conf.
  * Make dh_apache2 only accept shell function names as conditional, to avoid
    problems with shell and sed special characters.
  * Add Replaces for the old mpm packages to apache2-bin. Closes: #671683
  * Add transitional package for libapache2-mod-proxy-html. Closes: #666816
    - Override dh_gencontrol so that the package's version sorts later than
      the existing version in Wheezy.
  * Don't ship changelogs in the apache2.2-bin transitional package.
  * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2

  [ Arno Töll ]
  * Rewrite most parts of the init script to make it more readable and improve
    visual feedback when fancy output is in use.
  * Drop the dbmanage tool from apache2-utils. It is mostly unmaintained and
    outdated. Users of mod_authn_dbm should use htdbm instead.
  * Fix "Default /etc/apache2/mods-available/disk_cache.conf is incompatible
    with ext3" by changing the default to more moderate values. Note, some file
    systems have a hard limit of supported subdirectories (Closes: #682840).
    Ported from our 2.2 tree targeted for Wheezy.
  * Properly check return code of a2query in the apache2_invoke library
    function. This caused reverse dependencies to fail for newly installed
    modules previously.
  * Implement -q (quiet) option for a2query (Closes: #681541).
  * Properly honor -p/-N options as understood by debhelper (Closes: #681542).
    Thanks Russ Allbery for the hint.
  * Be more careful regarding link attacks when purging the cache disk
    directory.
  * Compress the data.tar in binary packages using xz to save some space on
    installation media (Debian only).
  * Fix "invoke-rc.d apache2 status fails" by merging patch of Jean-Michel
    Vourgère. Thanks! (Closes: #691365)
  * Fix "copyright file missing after upgrade (policy 12.5)" - add link
    manually when necessary in postinst (Closes: #691440)
  * Document APACHE_ARGUMENTS in envvars (ported from our 2.2 branch, reported as #693299)
  * Don't croak about lacking permissions in apache2ctl when the script is
    executed as a non-privileged user

  [ Bernhard R. Link ]

  * Rearrange patches: Move all the patches or parts of patches touching non-itk
    specific files (i.e. those from the upstream tarball) directly into the
    debian/patches/series series.  While this separates the itk patches into two
    heaps, it makes more visible what changes happen to the general code (and
    thus are also done to the other servers generated).

 -- Arno Töll <email address hidden>  Thu, 07 Mar 2013 01:24:51 +0100
Superseded in jessie-release
Superseded in wheezy-release
Superseded in sid-release
apache2 (2.2.22-13) unstable; urgency=medium


  [ Stefan Fritsch ]
  * Urgency medium for security fixes.
  * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
  * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.
  * mod_log_forensic: Fix spurious '-' characters being logged, causing
    false positives. Closes: #693292

  [ Arno Töll ]
  * Document APACHE_ARGUMENTS in envvars (Closes: #693299)

 -- Stefan Fritsch <email address hidden>  Mon, 04 Mar 2013 22:21:05 +0100
Superseded in squeeze-release
apache2 (2.2.16-6+squeeze10) squeeze-security; urgency=low


  [ Arno Töll ]
  * Backport disable-ssl-compression.patch from Wheezy. This patch disabled
    SSL compression upon request by introducing a "Compression on|off"
    directive to mod_ssl. This is to mitigate impact of CRIME attacks to SSL -
    which is a browser issue, however.
    See also Debian bug #674142 and #689936.

  [ Stefan Fritsch ]
  * CVE-2012-4557: mod_proxy_ajp: Remote denial of service (temporary, until
    mod_proxy_ajp's retry timeout expired).

 -- Stefan Fritsch <email address hidden>  Fri, 30 Nov 2012 09:26:36 +0100
Superseded in wheezy-release
Superseded in sid-release
apache2 (2.2.22-12) unstable; urgency=low


  * Backport mod_ssl "SSLCompression on|off" flag from upstream. The default is
    "off". This mitigates impact of CRIME attacks. Fixes:
    - "handling the CRIME attack" (Closes: #689936)
    - "make it possible to disable ssl compression in apache2 mod_ssl"
      (Closes: #674142)

 -- Arno Töll <email address hidden>  Wed, 31 Oct 2012 00:23:59 +0100
Superseded in squeeze-release
apache2 (2.2.16-6+squeeze8) squeeze; urgency=low


  * CVE-2012-2687: mod_negotiation: Escape filenames in variant list to
    prevent a possible XSS vulnerability for a site where untrusted users
    can upload files to a location with MultiViews enabled.
  * Send 408 status instead of 400 if reading of a request fails with a
    timeout. This allows browsers to retry. Closes: #677086
  * mod_cache: Prevent Partial Content responses from being cached and served
    as normal response. Closes: #671204
  * mpm_itk: Fix an issue where users can sometimes get spurious 403s on
    persistent connections. Closes: #672333

 -- Stefan Fritsch <email address hidden>  Sun, 09 Sep 2012 23:08:04 +0200
Superseded in wheezy-release
Superseded in sid-release
apache2 (2.2.22-11) unstable; urgency=low


  * Be more careful regarding link attacks when purging the cache disk
    directory.
  * Change file ownership of /var/cache/apache2/ to root.
  * Compress the data.tar in binary packages using xz to save some space on
    installation media (Debian only).

 -- Arno Töll <email address hidden>  Fri, 03 Aug 2012 23:20:50 +0200
Superseded in sid-release
apache2 (2.2.22-10) unstable; urgency=low


  [ Arno Töll ]
  * Fix "dbmmanage: please use Digest::SHA instead of Digest::SHA1" by changing
    perl module imports to make use Digest::SHA shipped with perl 5.10 (Closes:
    #682401)
  * Fix "Default /etc/apache2/mods-available/disk_cache.conf is incompatible
    with ext3" by changing the default to more moderate values. Some file
    systems have a hard limit for the number of subdirectories in a single
    directory. This change requires the cache directory to be purged.
    (Closes: #682840)

  [ Stefan Fritsch ]
  * Add support for TLSv1.0 and TLSv1.1 to SSLProtocol and SSLProxyProtocol
    directives. Closes: #682897

 -- Stefan Fritsch <email address hidden>  Mon, 30 Jul 2012 22:23:02 +0200
Superseded in wheezy-release
Superseded in sid-release
apache2 (2.2.22-9) unstable; urgency=low


  * Fix typo in conf.d/security comment. Closes: #678740

 -- Stefan Fritsch <email address hidden>  Sun, 24 Jun 2012 20:10:27 +0200
Superseded in sid-release
apache2 (2.2.22-8) unstable; urgency=medium


  [ Stefan Fritsch ]
  * CVE-2012-2687: mod_negotiation: Escape filenames in variant list to prevent
    a possible XSS for a site where untrusted users can upload files to a
    location with MultiViews enabled.
  * Add example for X-XSS-Protection to conf.d/security.

  [ Arno Töll ]
  * Fix "contradictory comment in /etc/apache2/apache2.conf about the
    .load suffix" (Closes: #676975). Hopefully you are now happy, Vincent. :-)

 -- Stefan Fritsch <email address hidden>  Sat, 23 Jun 2012 17:50:47 +0200
Superseded in wheezy-release
Superseded in sid-release
apache2 (2.2.22-7) unstable; urgency=low


  [ Arno Töll ]
  * Fix "ambiguous comment in /etc/apache2/apache2.conf" by clarifying
    contradicting statements. (Closes: #675184)

  [ Stefan Fritsch ]
  * Allow colons in filenames when using wildcards with "Include".
    Closes: #676610
  * Add examples for X-Content-Type-Options and X-Frame-Options to
    conf.d/security.
  * Fix the VCS dir example in conf.d/security.
  * Pick some bug fixes from upstream trunk:
    - core/mod_cgi: Fix script logging in error case
    - mod_dumpio: Fix possible loop in input filter.
    - mod_proxy_ajp: Reduce memory usage in case of many requests on one
      connection

 -- Stefan Fritsch <email address hidden>  Sun, 10 Jun 2012 12:27:02 +0200
Superseded in wheezy-release
Superseded in sid-release
apache2 (2.2.22-6) unstable; urgency=low


  [ Stefan Fritsch ]
  * Fix regression causing apache2 to cache "206 partial content" responses,
    and then serving these partial responses when replying to normal requests.
    Closes: #671204
  * Add section to security.conf that shows how to forbid access to VCS
    directories. Closes: #548213
  * Update ssl default cipher config, add alternative speed optimized config.
    Closes: #649020
  * Add "AddCharset" for .brf files in default mod_mime config.
    Closes: #402567
  * Don't create httpd.conf anymore and don't include it in apache2.conf. If
    it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
  * Port some of the comments in apache2.conf from the 2.4 package.
  * Compile mod_version statically, drop associated module load file.
  * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
    configtest.
  * Note in README.Debian that future versions of the package will have the
    include statements changed to include only *.conf.
  * Change compiled-in document root to /var/www, to avoid strange error
    messages.
  * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.

  [ Arno Töll ]
  * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
    to override LDFLAGS at compile time by defining LDFLAGS in the environment,
    just like it is possible for CFLAGS. This also means config_vars.mk now
    exports hardening build flags by default.
  * Update doc-base metadata for the apache2-doc package.

 -- Stefan Fritsch <email address hidden>  Tue, 29 May 2012 22:05:48 +0200