Changelog
apache2 (2.4.33-1) unstable; urgency=medium
* New upstream version.
Security fixes:
- CVE-2017-15710
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
- CVE-2018-1283
mod_session: CGI-like applications that intend to read from mod_session's
'SessionEnv ON' could be fooled into reading user-supplied data instead.
- CVE-2018-1303
mod_cache_socache: Fix request headers parsing to avoid a possible crash
with specially crafted input data.
- CVE-2018-1301
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel.
- CVE-2017-15715
core: Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'.
- CVE-2018-1312
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
may cause problems if used with round robin load balancers. PR 54637
- CVE-2018-1302
mod_http2: Potential crash w/ mod_http2.
- mod_proxy_uwsgi: New UWSGI proxy submodule.
- mod_md: New experimental module for managing domains across virtual
hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
renew certificates.
- core: silently ignore a not existent file path when IncludeOptional
is used. Closes: #878920
- mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980
* Fix lintian warnings:
- Include SupportApache-small.png in apache2-doc package instead of
linking to apache.org, to avoid privacy issues.
- Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
- Remove deprecated use of autotools_dev with dh.
- Add some overrides
* Bump standards-version to 4.1.2 (no changes)
-- Stefan Fritsch <email address hidden> Fri, 30 Mar 2018 22:53:13 +0200