-
apache2 (2.4.10-10+deb8u12) jessie-security; urgency=medium
* CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap
when using too small Accept-Language values.
* CVE-2017-15715: <FilesMatch> bypass with a trailing newline in the file
name.
Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'.
* CVE-2018-1283: Tampering of mod_session data for CGI applications.
* CVE-2018-1301: Possible out of bound access after failure in reading the
HTTP request
* CVE-2018-1303: Possible out of bound read in mod_cache_socache
* CVE-2018-1312: mod_auth_digest: Weak Digest auth nonce generation
-- Stefan Fritsch <email address hidden> Sat, 31 Mar 2018 11:31:57 +0200
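The CVE-2017-15715 entry above turns on a regex engine behaviour that is easy to overlook: by default, '$' also matches just before a single trailing newline, so a rule anchored with '$' can select a file name that ends in "\n". The following added example (not Apache code; the `filesmatch` helper and the sample rules are hypothetical stand-ins for a `<FilesMatch>` test) shows the effect in Python's `re`, which shares PCRE's default '$' semantics, and the effect of pinning '$' to the true end of the subject, which is what the changelog describes for the new default:

```python
import re


def trailing_dollar_is_anchor(pattern: str) -> bool:
    """True if PATTERN ends in an unescaped '$', i.e. an end anchor."""
    if not pattern.endswith("$"):
        return False
    body = pattern[:-1]
    backslashes = len(body) - len(body.rstrip("\\"))
    return backslashes % 2 == 0  # an even run of '\' leaves the '$' unescaped


def dollar_end_only(pattern: str) -> str:
    """Rewrite a trailing '$' anchor to '\\Z', which matches only at the very
    end of the subject.  This mirrors PCRE's DOLLAR_ENDONLY behaviour that the
    changelog entry says is now the default; plain '$' also matches just
    before one final newline."""
    if trailing_dollar_is_anchor(pattern):
        return pattern[:-1] + r"\Z"
    return pattern


def filesmatch(pattern: str, filename: str, end_only: bool = False) -> bool:
    """Hypothetical stand-in for a <FilesMatch> test: does PATTERN select
    FILENAME?  With end_only=False the '$' anchor keeps its default meaning."""
    effective = dollar_end_only(pattern) if end_only else pattern
    return re.search(effective, filename) is not None


def affected_by_trailing_newline(patterns, filename):
    """Audit helper: the patterns whose verdict on FILENAME changes once '$'
    is pinned to the true end of the string."""
    return [p for p in patterns
            if filesmatch(p, filename) != filesmatch(p, filename, end_only=True)]


# Constructed sample rules and file names; not taken from the changelog.
RULES = [r"\.php$", r"\.ph(p[3-5]?|tml)$", r"^\.ht", r"price\$"]

if __name__ == "__main__":
    for name in ("upload.php", "upload.php\n", ".htaccess", "upload.php\nx"):
        print(repr(name), affected_by_trailing_newline(RULES, name))
```

Only a single final newline is special: "upload.php\n\n" is not selected by `\.php$` even in default mode, which is why the audit helper compares both modes per file name rather than guessing from the pattern alone.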
-
apache2 (2.4.10-10+deb8u11) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
* CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
(Closes: #876109)
-- Salvatore Bonaccorso <email address hidden> Tue, 19 Sep 2017 21:08:12 +0200
-
apache2 (2.4.10-10+deb8u9) jessie-security; urgency=medium
* CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
* CVE-2017-3169: mod_ssl NULL pointer dereference
* CVE-2017-7668: Buffer overrun in ap_find_token()
* CVE-2017-7679: mod_mime buffer overread
-- Stefan Fritsch <email address hidden> Tue, 20 Jun 2017 21:02:39 +0200
-
apache2 (2.4.10-10+deb8u8) jessie-security; urgency=medium
* CVE-2016-8743: Enforce more HTTP conformance for request lines and
request headers, to prevent response splitting and cache pollution
by malicious clients or downstream proxies.
If this causes problems with non-conforming clients, some checks can
be relaxed by adding the new directive 'HttpProtocolOptions unsafe'
to the configuration.
Unlike the upstream 2.4.25 release, which will also be in the
Debian 9 (stretch) release, this update for Debian 8 (jessie) accepts
underscores in host and domain names even while 'HttpProtocolOptions
strict' is in effect.
More information is available at
http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions
* CVE-2016-0736: mod_session_crypto: Prevent padding oracle attack.
* CVE-2016-2161: mod_auth_digest: Prevent segfaults when the shared memory
space is exhausted.
* Activate mod_reqtimeout in new installs and during updates from
before 2.4.10-10+deb8u8. It was wrongly not activated in new installs
since jessie. This made the default installation vulnerable to some
DoS attacks.
* Don't run 2.2 to 2.4 upgrade logic again when upgrading from
2.4.10-10+deb8u*. Closes: #836818
-- Stefan Fritsch <email address hidden> Fri, 24 Feb 2017 19:36:41 +0100
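The CVE-2016-8743 entry above tightens request-line and header-field conformance so that malformed heads cannot be interpreted differently by httpd and by a proxy or cache in front of it. The added example below is not httpd's parser; it is a small validator written for this page that applies RFC 7230's token grammar to the method and header field names, requires CRLF line endings and a Host header for HTTP/1.1, and, like the jessie build described above, still accepts '_' in host names. The `strict` flag stands in for 'HttpProtocolOptions strict' versus 'unsafe', and all sample requests are constructed:

```python
import re

# RFC 7230 "tchar": the characters allowed in a method or header field name.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# '\Z' rather than '$' so a stray newline can never satisfy the anchor.
REQUEST_LINE = re.compile(rf"^({TOKEN}) (\S+) HTTP/([0-9])\.([0-9])\Z")
FIELD_NAME = re.compile(rf"^{TOKEN}\Z")
# reg-name or bracketed IPv6 literal plus optional port.  '_' is kept in the
# class to mirror the jessie relaxation described in the changelog entry.
HOST = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._-]+)(:[0-9]{1,5})?\Z")


def check_request_head(raw: bytes, strict: bool = True) -> list[str]:
    """Return the conformance problems found in a raw request head.
    An empty list means the head is accepted in the selected mode."""
    problems = []
    text = raw.decode("latin-1")
    if strict and "\n" in text.replace("\r\n", ""):
        problems.append("line ending is not CRLF")
    lines = text.replace("\r\n", "\n").rstrip("\n").split("\n")
    if not lines or not lines[0]:
        return ["empty request line"]

    m = REQUEST_LINE.match(lines[0])
    if strict and m is None:
        problems.append(f"malformed request line: {lines[0]!r}")
    elif not strict and len(lines[0].split()) != 3:
        problems.append(f"request line does not have three parts: {lines[0]!r}")

    host_seen = False
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):           # obs-fold continuation line
            if strict:
                problems.append(f"obsolete line folding: {line!r}")
            continue
        name, sep, value = line.partition(":")
        if not sep:
            problems.append(f"header without colon: {line!r}")
            continue
        # Whitespace before the colon fails the token test, which is exactly
        # the ambiguity (is it a name or not?) that downstream parsers disagree on.
        if strict and FIELD_NAME.match(name) is None:
            problems.append(f"invalid header field name: {name!r}")
        if name.strip().lower() == "host":
            host_seen = True
            if strict and HOST.match(value.strip()) is None:
                problems.append(f"invalid Host value: {value.strip()!r}")

    if strict and not host_seen and m is not None and m.group(3, 4) == ("1", "1"):
        problems.append("HTTP/1.1 request without Host header")
    return problems


# Constructed sample request heads (not captured traffic).
CLEAN = (b"GET /index.html HTTP/1.1\r\n"
         b"Host: www.example\r\n"
         b"User-Agent: constructed-sample/1.0\r\n\r\n")
SPACE_IN_NAME = (b"GET /index.html HTTP/1.1\r\n"
                 b"Host: www.example\r\n"
                 b"X-Forwarded For : 10.0.0.1\r\n\r\n")
UNDERSCORE_HOST = b"GET / HTTP/1.1\r\nHost: my_host.example\r\n\r\n"
BARE_LF = b"GET / HTTP/1.1\nHost: www.example\n\n"
NO_HOST = b"GET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for label, head in [("clean", CLEAN), ("space in name", SPACE_IN_NAME),
                        ("underscore host", UNDERSCORE_HOST),
                        ("bare LF", BARE_LF), ("no Host", NO_HOST)]:
        print(f"{label:16} strict={check_request_head(head)} "
              f"unsafe={check_request_head(head, strict=False)}")
```

Running it shows the trade-off the changelog describes: every sample passes in unsafe mode, while strict mode rejects the space-in-name header, the bare-LF head and the missing Host, and still accepts the underscore host.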
-
apache2 (2.4.10-10+deb8u7) jessie; urgency=medium
* Fix installation of /lib/systemd/system/apache2.service.d/forking.conf.
-- Julien Cristau <email address hidden> Thu, 15 Sep 2016 22:42:19 +0200
-
apache2 (2.4.10-10+deb8u4) jessie; urgency=medium
* Add versioned replaces/breaks for libapache2-mod-macro to apache2,
for the config files in /etc. Closes: #806326
* Fix split-logfile to work with current perl. Closes: #803472
* Fix tests on deferred mpm switch. Add special casing for mpm_itk,
which is not an mpm anymore, despite the name. Closes: #789914
Closes: #791902
* Fix secondary-init-script to not source the main init script with 'set -e'.
Closes: #803177
-- Stefan Fritsch <email address hidden> Sat, 28 Nov 2015 15:02:23 +0100
-
apache2 (2.4.10-10+deb8u3) jessie; urgency=medium
* Revert fix for deferred mpm switch for now, because it is at least not
complete or maybe causes regressions (see #791902). Re-opens #789914
-- Stefan Fritsch <email address hidden> Fri, 28 Aug 2015 18:24:17 +0200
-
apache2 (2.4.10-10) unstable; urgency=medium
* CVE-2015-0228: mod_lua: Fix denial of service vulnerability in
wsupgrade().
* Fix setup-instance example script to handle a2enconf/a2disconf.
LP: #1430936
* Tweak mention of mod_access_compat in NEWS.Debian. The module does
not really work in practice.
-- Stefan Fritsch <email address hidden> Sun, 15 Mar 2015 10:47:36 +0100
-
apache2 (2.4.10-9) unstable; urgency=medium
* CVE-2014-8109: mod_lua: Fix handling of the Require line when a
LuaAuthzProvider is used in multiple Require directives with different
arguments.
* Include ask-for-passphrase script from Ubuntu with some tweaks. This
fixes asking for certificate passphrases if started via systemd.
Closes: #773405
* Fix init script to not wait 20s if passphrase was wrong.
* Also bump debhelper build-depends to get dh_installdeb with support for
symlink_to_dir. Closes: #770421
-- Stefan Fritsch <email address hidden> Mon, 22 Dec 2014 20:24:36 +0100
-
apache2 (2.4.10-8) unstable; urgency=medium
* Bump dpkg Pre-Depends to version that supports relative symlinks in
dpkg-maintscript-helper's symlink_to_dir. Closes: #769821
* mod_proxy_fcgi: Fix potential denial of service by malicious fcgi
script (CVE-2014-3583). Fix a similar bug in mod_authnz_fcgi even
though it does not seem to be exploitable.
* mpm_event: Fix use-after-free that may lead to a server crash.
* mod_ssl: Fix memory leak on graceful restart. Closes: #754492
* mod_ssl: Avoid crashes during startup or graceful restart due to
openssl using a callback to invalid memory. LP: #1366174
-- Stefan Fritsch <email address hidden> Tue, 18 Nov 2014 15:18:18 +0100
-
apache2 (2.4.10-7) unstable; urgency=medium
* Handle transitions of doc dirs and symlinks correctly during upgrade.
Use dpkg-maintscript-helper for this and remove existing explicit logic.
Closes: #767850
* Remove obsolete conffiles in apache2.2-common, instead doing this only in
apache2. This partially fixes #768815
-- Stefan Fritsch <email address hidden> Sun, 09 Nov 2014 19:03:30 +0100
-
apache2 (2.4.10-6) unstable; urgency=medium
* Disable SSLv3 in default config. Closes: #765347
* Pull changes from upstream 2.4.x branch up to r1632831
- Fixes an LDAP regression in 2.4.10
- mod_cache: Avoid sending 304 responses during failed revalidations.
PR 56881
- mod_status: Honor client IP address using mod_remoteip. PR 55886
* Fix typo in package description. Closes: #765500
-- Stefan Fritsch <email address hidden> Tue, 21 Oct 2014 22:42:06 +0200
-
apache2 (2.4.10-5) unstable; urgency=medium
* Remove one forgotten instance of ident.load in the preinst.
-- Stefan Fritsch <email address hidden> Fri, 10 Oct 2014 00:20:09 +0200
-
apache2 (2.4.10-3) unstable; urgency=medium
* CVE-2014-3581: Fix a DoS in mod_cache.
* If apache2 is not configured yet, defer actions executed via
apache2-maintscript-helper. This fixes installation failures if a
module package is configured first. Closes: #745834
* Don't use a2query in preinst, as it may not be available yet.
Closes: #745812
* Include mod_authnz_fcgi. Closes: #762908
* Add some comments about SSLHonorCipherOrder in ssl.conf. Closes: #746359
* Remove misleading sentence in apache2-bin's description. Closes: #762645
* Remove trailing space in apache2/suexec/www-data. Closes: #719930
* Add NEWS entry for the logrotate change in 2.4.10-2.
* Bump Standards-version (no changes).
* Fix lintian warning: Tweak licence short names in copyright file.
-- Stefan Fritsch <email address hidden> Sun, 28 Sep 2014 22:37:02 +0200
-
apache2 (2.4.10-2) unstable; urgency=medium
* Pull changes from upstream 2.4.x branch up to r1626207
+ Security Fix for CVE-2013-5704: HTTP trailers could be used to
replace HTTP headers late during request processing, potentially
undoing or otherwise confusing modules that examined or modified
request headers earlier.
Adds "MergeTrailers" directive to restore legacy behavior.
* Switch to apache2 providing the httpd and httpd-cgi virtual packages.
The previously providing apache2-bin package lacks the configuration
files. Closes: #756361
* Keep fewer logs by default. Instead of 52 weekly logs, keep 14 daily
logs. The daily graceful restart also has the advantage of regenerating
things like TLS session ticket keys more often. Closes: #759382
* Clarify description of apache2 package. Closes: #755976
* In the maintainer script helper, print out Apache's error message if
the config check fails.
* Re-add mod_ident. It has still at least one user. LP: #1333388
-- Stefan Fritsch <email address hidden> Sun, 21 Sep 2014 22:58:33 +0200
-
apache2 (2.4.10-1) unstable; urgency=medium
[ Arno Töll ]
* New upstream version
+ Refresh debian/patches/fhs_compliance.patch
+ Security Fixes:
- CVE-2014-0117 mod_proxy: Fix DoS that could cause a crash
- CVE-2014-0226 Fix a race condition resulting in a heap overflow in
scoreboard handling
- CVE-2014-0118 mod_deflate: The DEFLATE input filter now limits the
length and compression ratio of inflated requests to mitigate a
possible DoS
- CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts
+ Fixes SNI with certificate defined in global scope. (Closes: #751361)
* Warn users if they try to disable modules that we consider essential for
operation of the Apache web server (Closes: #709461)
* Drop libcap from our build-dependencies. That was needed for itk, which we
split out into its own package again.
* Provide apache2.2-common package to avoid upgrading problems for people
using --purge (apt) or --purge-unused (aptitude) even though that's
clearly discouraged. This caused conffiles to disappear because we move
them from apache2.2-common to apache2 during the upgrade. Ugh. This was
not a bug in our packaging, but unfortunately people blame us
nonetheless even though it's not all our fault. This alternative helps
those people, but at the same time means that incompatible modules aren't
force-removed by dpkg during the upgrade. Hopefully we catch all of them
with the Breaks relation coming along (Closes: #716880, #752922, #711925)
-- Stefan Fritsch <email address hidden> Tue, 22 Jul 2014 23:16:20 +0200
-
apache2 (2.4.9-2) unstable; urgency=medium
* Fix logic in postinst to detect existing index.* files in both
DocumentRoots, the old /var/www and the new /var/www/html. Also
change the compiled in default DocumentRoot to /var/www/html.
Closes: #743915
* Fix buffer overflows in suexec with very long (unix) usernames. Not
exploitable due to FORTIFY_SOURCE. And creating users usually requires
root privileges, anyway. Thanks to Luca Bruno for the report.
* Remove conflicts of mpm modules with mpm_itk, which isn't an mpm
anymore. Fixes a part of: #734865. libapache2-mpm-itk needs a fix, too.
* Remove obsolete warning in a2enmod about mpm-itk.
* Fix lintian warning: Remove image ref to w3.org, which is a privacy
breach.
-- Stefan Fritsch <email address hidden> Sun, 08 Jun 2014 10:38:04 +0200
-
apache2 (2.4.9-1) unstable; urgency=medium
* New upstream version.
Security fixes:
- CVE-2013-6438: mod_dav: Fix DoS from crafted DAV WRITE requests.
- CVE-2014-0098: mod_log_config: Fix segfaults when logging truncated
cookies.
Notable new features:
- Support named groups and backreferences within the LocationMatch,
DirectoryMatch, FilesMatch and ProxyMatch directives.
- mod_proxy: Added support for unix domain sockets as the backend server
endpoint.
- mod_ssl: Add support for OpenSSL configuration commands by introducing
the SSLOpenSSLConfCmd directive.
- mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
require directives.
- mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
and IgnoreInherit.
- Bugfix in the build system to avoid problems with patched config.m4
files as in LP #1251939.
* Make default cipher list in ssl.conf more secure:
- Remove 'MEDIUM'. This disables RC4 and SEED. Also remove '!MD5' because
'HIGH' does not include MD5.
- Remove the 'Speed-optimized SSL Cipher' configuration example because
it depends on RC4, which is considered insecure.
* Change init script short description to describe the service, not the
script. Closes: #738315
* Bump Standards-Version (no changes).
-- Stefan Fritsch <email address hidden> Sat, 29 Mar 2014 22:50:32 +0100
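The ssl.conf change above (dropping 'MEDIUM' to lose RC4 and SEED, and dropping the redundant '!MD5') is the kind of edit worth verifying by expanding the cipher string rather than reading it. The added example below is not Apache code: it uses Python's `ssl` module to expand an OpenSSL cipher string the way `SSLCipherSuite` would and to report any selected cipher whose name carries one of the markers the entry wants gone. The marker list is constructed for this page, and the concrete expansion depends on the OpenSSL build the interpreter is linked against:

```python
import ssl

# Name fragments that identify ciphers the changelog entry removes from the
# default list, plus the null/export families nobody wants (constructed list).
UNWANTED = ("RC4", "SEED", "MD5", "NULL", "EXP")


def expand_cipher_string(cipher_string: str) -> list[str]:
    """Expand an OpenSSL cipher string into the cipher names it selects, in
    preference order, using the OpenSSL this interpreter is linked with.
    Raises ssl.SSLError if the string selects nothing or cannot be parsed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def unwanted_ciphers(cipher_string: str) -> list[str]:
    """The selected ciphers whose names match one of the UNWANTED markers."""
    return [name for name in expand_cipher_string(cipher_string)
            if any(marker in name for marker in UNWANTED)]


def cipher_string_is_clean(cipher_string: str) -> bool:
    """True if the string selects at least one cipher and none are unwanted."""
    try:
        names = expand_cipher_string(cipher_string)
    except ssl.SSLError:
        return False
    return bool(names) and not any(m in n for n in names for m in UNWANTED)


if __name__ == "__main__":
    for candidate in ("HIGH:!aNULL", "HIGH:MEDIUM:!aNULL", "HIGH:!aNULL:!MD5"):
        print(f"{candidate:22} clean={cipher_string_is_clean(candidate)} "
              f"unwanted={unwanted_ciphers(candidate)}")
```

On an OpenSSL that still ships RC4 or SEED, the 'HIGH:MEDIUM' candidate lists them under `unwanted`; on a current build they are simply absent, which is itself useful to know before copying a cipher string between hosts.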
-
apache2 (2.4.7-1) unstable; urgency=low
* New upstream version
[ Stefan Fritsch ]
* In logrotate and init script, don't hardcode path to htcacheclean.
Instead, put sbin directories in PATH. Also fix one missed reference
to disk_cache.load, missed in 2.4.6-3. Really closes: #718909
* Remove possibility to override path to apache2 executable via envvars.
This is no longer necessary with MPMs as modules.
* Fix typo in serve-cgi-bin.conf. Closes: #723196
* Bump Build-Depends. 2.4.7 requires apr 1.5.
[ Arno Töll ]
* Fix "No default site enabled after fresh install if /etc/apache2
exists" by using a condition in preinst which actually works as expected.
Thanks to Jean-Michel Vourgère for triaging the issue and providing a
patch (Closes: #711493).
* Leave a2disconf with rc=0 when purging a configuration which does not
exist. (Closes: #718166)
* Explicitly express the dependency for mod_access_compat depending on
authn_core. Thanks Jean-Michel Vourgère for providing a patch (Closes:
#710412)
* Allow "apache2_invoke disconf" in postinst/preinst (Closes: #717693)
* Rework the default index.html file. Instead of a blank, minimalistic page
give a quick start guide, since nobody seems to read our docs. This site
hopefully explains the most important questions.
* Add a virtual provides line to the itk/worker/event/prefork transitional
packages so that people with an unusual (unsupported) Apache setup
can upgrade seamlessly in some corner cases (Closes: #728937)
* Drop the Apache ITK patches. The Apache ITK MPM is a standalone package
now and will be provided by libapache2-mpm-itk in future. The
apache2-mpm-itk package depends on this package from now on. Users of itk
are advised to consult the itk manual.
This also resolves a build-system problem that caused mod_unixd to be
initialized twice. (LP: #1251939)
* Remove Steinar H. Gunderson from uploaders, he will continue to support
itk in his own package in future. The remaining Apache team thanks Steinar
for all the work in the past.
* Change the Default Document root directory where files are served from
(Closes: #730372).
* Add GPG support to our watch file. Thanks to Daniel Kahn Gillmor
for this suggestion and for providing a patch (Closes: #732450)
* Refresh suexec-custom.patch.
-- Arno Töll <email address hidden> Thu, 02 Jan 2014 00:17:56 -1100
-
apache2 (2.4.6-3) unstable; urgency=low
* Fix 'implicit declaration' compiler warnings.
* Fix module dependencies in lbmethod_*.load files. Closes: #717910
LP: #1205314
* Mark apache2-data as Multi-Arch: foreign. Closes: #718387
* Backport open_htaccess hook from upstream 2.4.x branch to allow
building mpm-itk as separate package.
* Improve comment for LogLevel in apache2.conf. Closes: #718677
* Fix comment in ports.conf. Closes: #718650
* Fix htcacheclean path and function name in init script. Closes: #718909
* Enable bindnow hardening compiler option, patch by Felix Geyer.
Closes: #714872
-- Stefan Fritsch <email address hidden> Mon, 12 Aug 2013 20:15:38 +0200
-
apache2 (2.4.6-2) unstable; urgency=low
[ Stefan Fritsch ]
* Fix watch file
* Don't pass --silent to libtool, allowing blhc to check the compiler
options in the build logs.
[ Arno Töll ]
* Allow third party packages to use triggers if they use them in a
maintainer script invoking apache2-maintscript-helper (Closes: #717610)
-- Arno Töll <email address hidden> Tue, 23 Jul 2013 13:25:30 +0200
-
apache2 (2.2.22-13) unstable; urgency=medium
[ Stefan Fritsch ]
* Urgency medium for security fixes.
* CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
* CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.
* mod_log_forensic: Fix spurious '-' characters being logged, causing
false positives. Closes: #693292
[ Arno Töll ]
* Document APACHE_ARGUMENTS in envvars (Closes: #693299)
-- Stefan Fritsch <email address hidden> Mon, 04 Mar 2013 22:21:05 +0100