Change logs for apache2 source package in Sid

  • apache2 (2.4.59-2) unstable; urgency=medium
    
      * Breaks against fossil due to CVE-2024-24795 follow-ups
    
     -- Bastien Roucariès <email address hidden>  Mon, 29 Apr 2024 21:55:28 +0000
  • apache2 (2.4.59-1) unstable; urgency=medium
    
      [ Stefan Fritsch ]
      * Remove old transitional packages libapache2-mod-md and
        libapache2-mod-proxy-uwsgi. Closes: #1032628
    
      [ Yadd ]
      * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564)
      * Refresh patches
      * New upstream version 2.4.59
      * Refresh patches
      * Update patches
      * Update test framework
    
     -- Yadd <email address hidden>  Fri, 05 Apr 2024 08:08:11 +0400
  • apache2 (2.4.58-1) unstable; urgency=medium
    
      [ Bas Couwenberg ]
      * Provide dh-sequence-apache2 (Closes: #1050870)
    
      [ Yadd ]
      * Drop dependency to obsolete lsb-base
      * New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622,
        CVE-2023-45802)
      * Refresh patches
    
     -- Yadd <email address hidden>  Thu, 19 Oct 2023 14:56:29 +0400
  • apache2 (2.4.57-3) unstable; urgency=medium
    
      * Update a2enmod to drop given/when (Closes: #1050458)
      * Restore changes not included in Bookworm (set -e in apache2ctl)
    
     -- Yadd <email address hidden>  Tue, 29 Aug 2023 11:39:32 +0400
  • apache2 (2.4.57-2) unstable; urgency=medium
    
      * Revert debian/* changes (Bookworm freeze)
    
     -- Yadd <email address hidden>  Thu, 13 Apr 2023 07:26:51 +0400
  • apache2 (2.4.57-1) unstable; urgency=medium
    
      * New upstream version 2.4.57
      * Drop 2.4.56-regression patches
    
     -- Yadd <email address hidden>  Sat, 08 Apr 2023 06:57:16 +0400
  • apache2 (2.4.56-2) unstable; urgency=medium
    
      * Fix regression in mod_rewrite introduced in version 2.4.56
        (Closes: #1033284)
      * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408)
    
     -- Yadd <email address hidden>  Sun, 02 Apr 2023 06:54:25 +0400
  • apache2 (2.4.56-1) unstable; urgency=medium
    
      * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)
    
     -- Yadd <email address hidden>  Wed, 08 Mar 2023 06:44:05 +0400
  • apache2 (2.4.55-1) unstable; urgency=medium
    
      [ Hendrik Jäger ]
      * disable ssl session tickets
      * redundant example as already enabled in the default config
      * logrotate indentation
      * Update example how to prevent access to VCS directories
    
      [ lintian-brush ]
      * Update lintian override info to new format:
        + debian/source/lintian-overrides: line 2, 4-5, 8
        + debian/apache2-data.lintian-overrides: line 2-5
        + debian/apache2-bin.lintian-overrides: line 3
        + debian/apache2-doc.lintian-overrides: line 2
        + debian/apache2.lintian-overrides: line 6
      * Set upstream metadata fields: Repository-Browse.
      * Update standards version to 4.6.2, no changes needed.
    
      [ Yadd ]
      * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436)
    
     -- Yadd <email address hidden>  Wed, 18 Jan 2023 07:41:55 +0400
  • apache2 (2.4.54-5) unstable; urgency=medium
    
      [ Hendrik Jäger ]
      * fix: one oom-killed thread should not take down the whole service
      * fix: remove modelines
      * fix: update clickjacking protection example
      * fix: use tab for indentation, even in commented examples
    
      [ Yadd ]
      * Revert "Fix: confusing and impractical naming" (unbreak squid and haproxy
        tests)
    
     -- Yadd <email address hidden>  Tue, 29 Nov 2022 15:56:10 +0100
  • apache2 (2.4.54-4) unstable; urgency=medium
    
      [ Charles Plessy ]
      * Replace mime-support transition package with media-types (Closes: #980275)
    
      [ Hendrik Jäger ]
      * fix misleading safety precautions: don't hide errors when enabling a module.
        MR !20
      * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22
      * Fix confusing and impractical naming: rename default-ssl.conf into
        000-default-ssl.conf. MR !23
      * Fix confusing keyword: replace _default_ by *. MR !24
    
     -- Yadd <email address hidden>  Thu, 24 Nov 2022 10:45:00 +0100
  • apache2 (2.4.54-3) unstable; urgency=medium
    
      [ Hendrik Jäger ]
      * Do not enable global alias /manual
      * mention not enabling /manual for the docs in the NEWS
    
     -- Yadd <email address hidden>  Wed, 12 Oct 2022 09:20:52 +0200
  • apache2 (2.4.54-2) unstable; urgency=medium
    
      * Move cgid socket into a writeable directory (Closes: #1014056)
      * Update lintian overrides
      * Declare compliance with policy 4.6.1
      * Install NOTICE in each package
    
     -- Yadd <email address hidden>  Tue, 05 Jul 2022 15:49:58 +0200
  • apache2 (2.4.54-1) unstable; urgency=medium
    
      [ Simon Deziel ]
      * Escape literal "." for BrowserMatch directives in setenvif.conf
      * Use non-capturing regex with FilesMatch directive in default-ssl.conf
    
      [ Ondřej Surý ]
      * New upstream version 2.4.54 (Closes: #1012513, CVE-2022-31813,
        CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404,
        CVE-2022-30522, CVE-2022-30556, CVE-2022-28330)
    
      [ Yadd ]
      * Fix htcacheclean doc (Closes: #1010455)
      * New upstream version 2.4.54
    
     -- Yadd <email address hidden>  Thu, 09 Jun 2022 06:33:53 +0200
  • apache2 (2.4.53-2) unstable; urgency=medium
    
      * Clean useless Conflicts/Replace
      * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254)
    
     -- Yadd <email address hidden>  Tue, 15 Mar 2022 15:27:39 +0100
  • apache2 (2.4.53-1) unstable; urgency=medium
    
      * New upstream version 2.4.53 (Closes: CVE-2022-22719,
        CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)
      * Update copyright
      * Patches:
        + Drop fix-2.4.52-regression.patch, now included in upstream
        + Refresh fhs_compliance.patch
        + Update and disable child_processes_fail_to_start.patch
      * Update test framework
      * Back to unstable
    
     -- Yadd <email address hidden>  Mon, 14 Mar 2022 17:10:39 +0100
  • apache2 (2.4.52-1) unstable; urgency=medium
    
      * Refresh suexec-custom.patch
      * Update lintian overrides
      * Wrap long lines in changelog entries: 2.4.51-2.
      * New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790)
      * Refresh patches
    
     -- Yadd <email address hidden>  Mon, 20 Dec 2021 18:42:09 +0100
  • apache2 (2.4.51-2) unstable; urgency=medium
    
      * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting parameters
    
     -- Yadd <email address hidden>  Mon, 25 Oct 2021 18:37:03 +0200
  • apache2 (2.4.51-1) unstable; urgency=medium
    
      * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013)
      * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659)
    
     -- Yadd <email address hidden>  Thu, 07 Oct 2021 20:35:33 +0200
  • apache2 (2.4.50-1) unstable; urgency=high
    
      * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524)
      * Remove patches already merged upstream
    
     -- Ondřej Surý <email address hidden>  Tue, 05 Oct 2021 13:25:23 +0200
  • apache2 (2.4.49-4) unstable; urgency=medium
    
      [ Ondřej Surý ]
      * Add upstream patch to fix crash in 2.4.49
    
     -- Yadd <email address hidden>  Fri, 01 Oct 2021 11:34:24 +0200
  • apache2 (2.4.49-3) unstable; urgency=medium
    
      [ Yadd ]
      * Re-export upstream signing key without extra signatures.
      * Drop transition for old debug package migration.
    
      [ Moritz Muehlenhoff ]
      * Fix CVE-2021-40438 regression
    
     -- Yadd <email address hidden>  Thu, 30 Sep 2021 06:00:06 +0200
  • apache2 (2.4.49-2) unstable; urgency=medium
    
      [ Michiel Hazelhof ]
      * Fix multi instance issue (Closes: #868861)
    
      [ Philippe Ombredanne ]
      * Fix GPL version typo in copyright file
    
     -- Yadd <email address hidden>  Thu, 23 Sep 2021 13:55:55 +0200
  • apache2 (2.4.49-1) unstable; urgency=medium
    
      * Update upstream GPG keys
      * New upstream version 2.4.49
      * Refresh patches
    
     -- Yadd <email address hidden>  Thu, 16 Sep 2021 06:22:23 +0200
  • apache2 (2.4.48-4) unstable; urgency=medium
    
      * Fix mod_proxy HTTP2 request line injection (Closes: CVE-2021-33193)
    
     -- Yadd <email address hidden>  Thu, 12 Aug 2021 11:37:43 +0200
  • apache2 (2.4.48-3.1) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Direct init script reload output from logrotate to syslog, to
        avoid mail-spamming the local admin (Closes: #990580)
    
     -- Thorsten Glaser <email address hidden>  Sat, 10 Jul 2021 23:31:28 +0200
  • apache2 (2.4.48-3) unstable; urgency=medium
    
      * Fix debian/changelog
    
     -- Yadd <email address hidden>  Sun, 20 Jun 2021 16:39:33 +0200
  • apache2 (2.4.48-2) unstable; urgency=medium
    
      * Back to unstable: Apache2 will follow upstream changes for Bullseye
    
      [ Christian Ehrhardt ]
      * d/t/control, d/t/check-http2: basic test for http2 (Closes: #884068)
    
     -- Yadd <email address hidden>  Sat, 19 Jun 2021 17:50:29 +0200
  • apache2 (2.4.46-6) unstable; urgency=medium
    
      * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452,
        CVE-2021-26690, CVE-2021-26691, CVE-2021-30641)
    
     -- Yadd <email address hidden>  Thu, 10 Jun 2021 13:40:11 +0200
  • apache2 (2.4.46-5) unstable; urgency=medium
    
      * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
        (Closes: #989562, CVE-2021-31618)
    
     -- Yadd <email address hidden>  Thu, 10 Jun 2021 11:57:38 +0200
  • apache2 (2.4.46-4) unstable; urgency=medium
    
      * Ignore other random test failures (Closes: #979664)
    
     -- Xavier Guimard <email address hidden>  Mon, 11 Jan 2021 11:58:23 +0100
  • apache2 (2.4.46-3) unstable; urgency=medium
    
      * Remove postinst/preinst hooks concerning old versions
      * Clean include-binaries
      * Enable verbose test output during autopkgtest
      * Declare compliance with policy 4.5.1
      * Add debian/gbp.conf
      * Temporarily disable 3 subtests (Closes: #979664)
    
     -- Xavier Guimard <email address hidden>  Sun, 10 Jan 2021 22:43:21 +0100
  • apache2 (2.4.46-2) unstable; urgency=medium
    
      [ Jean-Michel Vourgère ]
      * Man: Add missing options and see also in a2en*(8)
    
      [ Xavier Guimard ]
      * Bump debhelper compatibility level to 13
        + Set debhelper-compat version in Build-Depends.
      * Use dh_installsystemd rather than deprecated dh_systemd_enable
      * Add extension .da for Danish language in mime.conf (Closes: #972398)
      * Automatically deflate application/wasm files (Closes: #972400)
      * Use "graceful-stop" in systemd ExecStop (Closes: #974665)
      * Re-export upstream signing key without extra signatures.
      * Ignore lintian's national-encoding tag in test framework
      * Add ${misc:Pre-Depends} in apache2 package
      * Update lintian overrides
      * Refresh patches
      * Fix little spelling errors
    
     -- Xavier Guimard <email address hidden>  Fri, 13 Nov 2020 16:59:01 +0100
  • apache2 (2.4.46-1) unstable; urgency=medium
    
      [ Xavier Guimard ]
      * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md
    
      [ Timo Tijhof ]
      * Compress text/javascript with mod_deflate by default (Closes: #959195)
    
      [ Xavier Guimard ]
      * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md
      * Update upstream keys
      * New upstream version 2.4.46 (Closes: CVE-2020-11984, CVE-2020-11993,
        CVE-2020-9490)
    
     -- Xavier Guimard <email address hidden>  Sat, 08 Aug 2020 08:33:36 +0200
  • apache2 (2.4.43-1) unstable; urgency=medium
    
      [ Timo Aaltonen ]
      * mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST
        requests (Closes: #955348)
    
      [ Moritz Schlarb ]
      * Fix logrotate script for multi-instance (Closes: #914606)
    
      [ Xavier Guimard ]
      * New upstream version 2.4.43
      * Refresh patches
    
     -- Xavier Guimard <email address hidden>  Tue, 31 Mar 2020 08:02:12 +0200
  • apache2 (2.4.41-5) unstable; urgency=medium
    
      [ Xavier Guimard ]
      * Avoid double mod_dav load (Closes: #951753)
    
      [ Timo Aaltonen ]
      * mod_proxy_ajp-add-secret-parameter.diff: Apply a patch from 2.4.x to fix
        AJP with current tomcat.
        (Closes: #954201)
    
     -- Xavier Guimard <email address hidden>  Wed, 18 Mar 2020 21:06:49 +0100
  • apache2 (2.4.41-4) unstable; urgency=medium
    
      * Add gcc in chroot autopkgtest (fixes debci)
    
     -- Xavier Guimard <email address hidden>  Fri, 07 Feb 2020 06:14:33 +0100
  • apache2 (2.4.41-3) unstable; urgency=medium
    
      * Don't use hardcoded libgcc_s.so.1 path in autopkgtest files. Thanks to
        Aurelien Jarno (Closes: #950711)
    
     -- Xavier Guimard <email address hidden>  Wed, 05 Feb 2020 13:18:04 +0100
  • apache2 (2.4.41-2) unstable; urgency=medium
    
      [ Stefan Fritsch ]
      * Add *.load file for mod_socache_redis
    
      [ Vagrant Cascadian ]
      * Embeds path to EGREP in config_vars.mk (Closes: #948757)
      * Sanitize CXXFLAGS/-ffile-prefix-map in config_vars.mk (Closes: #948759)
    
     -- Xavier Guimard <email address hidden>  Mon, 13 Jan 2020 06:14:45 +0100
  • apache2 (2.4.41-1) unstable; urgency=medium
    
      * New upstream version 2.4.41
      * Update lintian overrides
      * Remove README in usr/share/apache2
      * Move httxt2dbm manpage in section 8
      * Update test framework
    
     -- Xavier Guimard <email address hidden>  Wed, 14 Aug 2019 06:42:29 +0200
  • apache2 (2.4.39-2) unstable; urgency=medium
    
      * Fix bad call of dh_link. Thanks to Daniel Baumann (Closes: #934640)
    
     -- Xavier Guimard <email address hidden>  Mon, 12 Aug 2019 22:52:47 +0200
  • apache2 (2.4.39-1) unstable; urgency=medium
    
      [ Helmut Grohne ]
      * Do not install /usr/share/apache2/build/config.nice (Closes: #929510)
    
      [ Xavier Guimard ]
      * New upstream version 2.4.39
      * Refresh patches
      * Remove patches now included in upstream
      * Replace duplicate doc files by links using jdupes
      * Add bison in build dependencies
    
     -- Xavier Guimard <email address hidden>  Mon, 12 Aug 2019 21:30:33 +0200
  • apache2 (2.4.38-3) unstable; urgency=high
    
      [ Marc Deslauriers ]
      * SECURITY UPDATE: read-after-free on a string compare in mod_http2
        - debian/patches/CVE-2019-0196.patch: disentanglement of stream and
          request method in modules/http2/h2_request.c.
        - CVE-2019-0196
      * SECURITY UPDATE: privilege escalation from modules' scripts
        - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
          child to its slot number in include/scoreboard.h,
          server/mpm/event/event.c, server/mpm/prefork/prefork.c,
          server/mpm/worker/worker.c.
        - CVE-2019-0211
      * SECURITY UPDATE: mod_ssl access control bypass
        - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
          PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
        - CVE-2019-0215
      * SECURITY UPDATE: mod_auth_digest access control bypass
        - debian/patches/CVE-2019-0217.patch: fix a race condition in
          modules/aaa/mod_auth_digest.c.
        - CVE-2019-0217
      * SECURITY UPDATE: URL normalization inconsistency
        - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
          the path in include/http_core.h, include/httpd.h, server/core.c,
          server/request.c, server/util.c.
        - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
          in server/request.c, server/util.c.
        - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
          server/util.c.
        - CVE-2019-0220
    
      [ Stefan Fritsch ]
      * Pull security fixes from 2.4.39 via Ubuntu
      * CVE-2019-0197: mod_http2: Fix possible crash on late upgrade
    
     -- Stefan Fritsch <email address hidden>  Sun, 07 Apr 2019 20:15:40 +0200
  • apache2 (2.4.38-2) unstable; urgency=medium
    
      * Disable "reset" test in allowmethods.t (Closes: #921024)
    
     -- Xavier Guimard <email address hidden>  Thu, 31 Jan 2019 21:54:05 +0100
  • apache2 (2.4.38-1) unstable; urgency=medium
    
      [ Jelmer Vernooij ]
      * Reverted for now: Transition to automatic debug package (from: apache2-dbg)
      * Trim trailing whitespace
      * Use secure copyright file specification URI
    
      [ Niels Thykier ]
      * Add Rules-Requires-Root: binary-targets
    
      [ Xavier Guimard ]
      * Convert signing-key.pgp into signing-key.asc
      * Add http2.conf (Closes: #880993)
      * Remove unnecessary greater-than versioned dependency to dpkg-dev,
        libbrotli-dev and libapache2-mod-md
      * Declare compliance with policy 4.2.1
      * Add spelling errors patch (reported)
      * Fix some spelling errors in debian files
      * Add myself to uploaders
      * Refresh patches
      * Bump debhelper compatibility level to 10
      * debian/rules:
        - Remove unnecessary dh argument --parallel
        - use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog
      * Add upstream/metadata
      * Replace MIT by Expat in debian/copyright
      * debian/watch: use https url
      * Add documentation links in systemd service files
      * Team upload
    
      [ Cyrille Bollu ]
      * Put HTTP2 configuration within <IfModule !mpm_prefork></IfModule> tags as
        it gets automatically de-activated upon apache startup when using
        mpm_prefork.
      * Updated http2.conf to inform user that they may want to change their
        LogFormat directives.
    
      [ Xavier Guimard ]
      * New upstream version 2.4.38 (Closes: #920220, #920302, #920303)
      * Refresh patches
      * Remove setenvifexpr.diff patch now included in upstream
      * Replace libapache2-mod-proxy-uwsgi.{post*,prerm} by a maintscript
      * Add a "sleep" in debian/tests/htcacheclean and skip result if "stop" failed
      * Declare compliance with policy 4.3.0
      * Fix homepage to https
      * Update debian/copyright
    
     -- Xavier Guimard <email address hidden>  Tue, 29 Jan 2019 23:49:49 +0100
  • apache2 (2.4.37-1) unstable; urgency=medium
    
      * New upstream version
        - mod_ssl: Add support for TLSv1.3
      * Add docs symlink for libapache2-mod-proxy-uwsgi.  Closes: #910218
      * Update test-framework to r1845652
      * Fix test suite to actually run by creating a test user. It turns out
        the test suite refuses to run as root but returns true even in that
        case. It seems this has been broken since 2.4.27-4, where the test suite
        had been updated and the debci test duration dropped from 15min to
        3min. Also, don't rely on the exit status anymore but parse the test
        output.
      * Backport a fix from trunk for SetEnvIfExpr. This fixes a test failure.
    
     -- Stefan Fritsch <email address hidden>  Sat, 03 Nov 2018 14:26:31 +0100
  • apache2 (2.4.35-1) unstable; urgency=medium
    
      * New upstream version 2.4.35
        Security fix:
        - CVE-2018-11763: DoS for HTTP/2 connections by continuous SETTINGS
          Closes: #909591
      * Fix lintian warning: Don't force xz in builddeb override.
    
     -- Stefan Fritsch <email address hidden>  Sun, 07 Oct 2018 12:54:58 +0200
  • apache2 (2.4.34-1) unstable; urgency=medium
    
      [ Ondřej Surý ]
      * New upstream version 2.4.34
        Security fixes:
        - CVE-2018-1333: Denial of service in mod_http2. Closes: #904106
        - CVE-2018-8011: Denial of service in mod_md. Closes: #904107
      * Refresh patches for Apache2 2.4.34 release
      * Update the suexec-custom.patch for 2.4.34 release
    
      [ Stefan Fritsch ]
      * Remove load order dependency introduced in mod_lbmethod_* in 2.4.34
      * Remove debian/gbp.conf. Closes: #904641
      * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
        Closes: #904150
    
     -- Stefan Fritsch <email address hidden>  Fri, 27 Jul 2018 21:37:37 +0200
  • apache2 (2.4.33-3) unstable; urgency=medium
    
      * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
        Closes: #894785
      * mod_http2: Avoid high memory usage with large files, causing crashes on
        32bit archs. Closes: #897218
      * Migrate from alioth to salsa.
    
     -- Stefan Fritsch <email address hidden>  Sat, 05 May 2018 11:34:47 +0200
  • apache2 (2.4.33-2) unstable; urgency=medium
    
      * Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi
        and libapache2-mod-md.
        Closes: #894760, #894761, #894785
    
     -- Stefan Fritsch <email address hidden>  Sun, 22 Apr 2018 11:14:19 +0200
  • apache2 (2.4.33-1) unstable; urgency=medium
    
      * New upstream version.
        Security fixes:
        - CVE-2017-15710
          Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
        - CVE-2018-1283
          mod_session: CGI-like applications that intend to read from mod_session's
          'SessionEnv ON' could be fooled into reading user-supplied data instead.
        - CVE-2018-1303
          mod_cache_socache: Fix request headers parsing to avoid a possible crash
          with specially crafted input data.
        - CVE-2018-1301
          core: Possible crash with excessively long HTTP request headers.
          Impractical to exploit with a production build and production LogLevel.
        - CVE-2017-15715
          core: Configure the regular expression engine to match '$' to the end of
          the input string only, excluding matching the end of any embedded
          newline characters. Behavior can be changed with new directive
          'RegexDefaultOptions'.
        - CVE-2018-1312
          mod_auth_digest: Fix generation of nonce values to prevent replay
          attacks across servers using a common Digest domain. This change
          may cause problems if used with round robin load balancers. PR 54637
        - CVE-2018-1302
          mod_http2: Potential crash w/ mod_http2.
    
        - mod_proxy_uwsgi: New UWSGI proxy submodule.
        - mod_md: New experimental module for managing domains across virtual
          hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
          renew certificates.
        - core: silently ignore a non-existent file path when IncludeOptional
          is used. Closes: #878920
        - mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980
    
      * Fix lintian warnings:
        - Include SupportApache-small.png in apache2-doc package instead of
          linking to apache.org, to avoid privacy issues.
        - Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
        - Remove deprecated use of autotools_dev with dh.
        - Add some overrides
      * Bump standards-version to 4.1.2 (no changes)
    
     -- Stefan Fritsch <email address hidden>  Fri, 30 Mar 2018 22:53:13 +0200
  • apache2 (2.4.29-2) unstable; urgency=medium
    
      * Add myself to Uploaders
      * Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
      * Run wrap-and-sort -a to canonicalize the debian/ directory
      * Add Build-Depends on libbrotli-dev and enable brotli module
    
     -- Ondřej Surý <email address hidden>  Sun, 14 Jan 2018 11:01:58 +0000
  • apache2 (2.4.29-1) unstable; urgency=medium
    
      [ Stefan Fritsch ]
      * Replace outdated dependency on dh-systemd
    
      [ Ondřej Surý ]
      * New upstream version 2.4.29
      * Refresh quilt patches
      * Add mod_ssl_md patch needed for libapache2-mod-md (Closes: #877343)
      * Refresh patches on top of upstream release 2.4.29
      * Fix Apache crash on restarts (ASF Bug 61558)
      * Add deconfigure to the list of recognized scripts (Closes: #877524)
    
     -- Ondřej Surý <email address hidden>  Mon, 23 Oct 2017 14:46:55 +0000
  • apache2 (2.4.27-6) unstable; urgency=high
    
      * CVE-2017-9798: Don't allow new methods to be registered in .htaccess files
        which could result in HTTP OPTIONS method leaking Apache's server memory.
        Closes: #876109
      * Fix argument escaping in apachectl. Closes: #876384
    
     -- Stefan Fritsch <email address hidden>  Sun, 24 Sep 2017 00:08:01 +0200
  • apache2 (2.4.27-5) unstable; urgency=medium
    
      * Upload to unstable.
      * Update "Breaks:" for openssl transition.
      * Bump Standards-Version to 4.1.0. No changes needed.
    
     -- Stefan Fritsch <email address hidden>  Sun, 03 Sep 2017 17:18:57 +0200
  • apache2 (2.4.27-2) unstable; urgency=medium
    
      * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
        work and should go into experimental, first. Reopens: #851094
    
     -- Stefan Fritsch <email address hidden>  Sun, 16 Jul 2017 23:01:10 +0200
  • apache2 (2.4.27-1) unstable; urgency=medium
    
      [ New upstream release ]
      * Fix CVE-2017-9788: mod_auth_digest: Uninitialized memory reflection
        Closes: #868467
    
      [ Stefan Fritsch ]
      * Switch to openssl 1.1. Closes: #851094
    
     -- Stefan Fritsch <email address hidden>  Sun, 16 Jul 2017 10:39:15 +0200
  • apache2 (2.4.25-4) unstable; urgency=high
    
      * Backport security fixes from 2.4.26:
      * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
      * CVE-2017-3169: mod_ssl NULL pointer dereference
      * CVE-2017-7668: Buffer overrun in ap_find_token()
      * CVE-2017-7679: mod_mime buffer overread
      * CVE-2017-7659: mod_http2 NULL pointer dereference
    
     -- Stefan Fritsch <email address hidden>  Tue, 20 Jun 2017 21:31:51 +0200
  • apache2 (2.4.25-3) unstable; urgency=medium
    
      * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
        Closes: #852543
      * Compile mod_bucketeer mod_case_filter mod_case_filter_in for benefit of
        the test suite, but don't add *.load files because they don't have any
        real-world use.
      * Include the upstream test suite and a corresponding autopkgtest. This
        is quite a hack but it may help quite a bit with security updates,
        especially if stretch gets LTS support, too.
    
     -- Stefan Fritsch <email address hidden>  Wed, 25 Jan 2017 23:59:26 +0100
  • apache2 (2.4.25-2) unstable; urgency=medium
    
      * Activate mod_reqtimeout in new installs and during updates from
        before 2.4.25-2. It was wrongly not activated in new installs since
        jessie. This made the default installation vulnerable to some DoS
        attacks.
      * Restart htcacheclean on updates and tighten dependency on apache2-utils
        to ensure that apache2-utils cannot be upgraded without apache2.
        Closes: #851122
      * When running on systems with systemd, make 'apache2ctl start' invoke
        systemctl instead. Otherwise systemd will think apache2 is not running
        and ignore further commands like reload. Closes: #839227
      * Avoid segfault in mpm_event if a signal is received too soon after start.
        PR 60487
      * Add test for some modules to be enabled.
      * Remove mention of CVE-2016-5387 in 2.4.25-1 changelog. It was already
        fixed in 2.4.23-2.
    
     -- Stefan Fritsch <email address hidden>  Sat, 14 Jan 2017 19:27:34 +0100
  • apache2 (2.4.25-1) unstable; urgency=medium
    
      [ New upstream release ]
      * Security: CVE-2016-0736:
        mod_session_crypto: Authenticate the session data/cookie with a MAC to
        prevent deciphering or tampering with a padding oracle attack.
      * Security: CVE-2016-2161:
        mod_auth_digest: Prevent segfaults during client entry allocation when the
        shared memory space is exhausted.
      * Security: CVE-2016-5387:
        Mitigate [f]cgi "httpoxy" issues.
      * Security: CVE-2016-8740:
        mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
        Closes: #847124
      * Security: CVE-2016-8743:
        Enforce HTTP request grammar corresponding to RFC7230 for request lines
        and request headers, to prevent response splitting and cache pollution by
        malicious clients or downstream proxies.
      * The stricter HTTP enforcement may cause compatibility problems with
        non-conforming clients. Fine-tuning is possible with the new
        HttpProtocolOptions directive.
      * mpm_event: Fix "scoreboard full" errors. Closes: #834708 LP: #1466926
      * mod_http2: Many fixes and support for early pushes using the new
        H2PushResource directive.
    
      [ Stefan Fritsch ]
      * Switch to debhelper compatibility level 9.
    
     -- Stefan Fritsch <email address hidden>  Wed, 21 Dec 2016 23:46:06 +0100
  • apache2 (2.4.23-8) unstable; urgency=medium
    
      * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
        new package apache2-ssl-dev.  Packages that interface with openssl
        state from mod_ssl must build-depend on this new package.
        This will help to disentangle the build-deps in the openssl transition.
        Closes: #845033
    
     -- Stefan Fritsch <email address hidden>  Sun, 20 Nov 2016 00:33:13 +0100
  • apache2 (2.4.23-7) unstable; urgency=medium
    
      * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
      * Move DefaultRuntimeDir and pid file for multi-instances to
        /var/run/apache2-xxx. Thanks to Horst Platz for the debugging.
        Closes: #838932 LP: #1627339
      * Fix systemd unit naming for multi-instances.
      * Tweak embedded .tar.gz some more to build reproducibly.
    
     -- Stefan Fritsch <email address hidden>  Sun, 13 Nov 2016 13:08:28 +0100
  • apache2 (2.4.23-6) unstable; urgency=medium
    
      * One more tweak for reproducible build. Thanks to Daniel Shahaf for the
        patch. Closes: #839977
      * Avoid building with openssl 1.1 for now. See #828236
    
     -- Stefan Fritsch <email address hidden>  Wed, 09 Nov 2016 23:51:25 +0100
  • apache2 (2.4.23-5) unstable; urgency=low
    
      * Team upload.
    
      [ Stefan Fritsch ]
      * Tweak creation of .tar.gz embedded in preinst to get reproducible
        build.
    
      [ Raphaël Hertzog ]
      * Add systemd unit files. Closes: #798430
      * Improve a2enmod to enable apache-htcacheclean with systemctl and let
        it enable '<email address hidden>' for multi-instance
        support.
      * Improve setup-instance to rely on the systemd <email address hidden> for
        multi-instance support.
      * Drop /lib/systemd/system/apache2.service.d/forking.conf now that we have
        proper native systemd support.
      * Modify handling of /etc/init.d/apache-htcacheclean to have a usual
        Default-Start value but instead we disable it manually in the postinst.
        That way "systemctl enable apache-htcacheclean" works.
      * Add some lintian overrides for non-problems (two update-rc.d calls in
        postinst, and a .js file with a very long line).
    
     -- Raphaël Hertzog <email address hidden>  Thu, 29 Sep 2016 12:03:31 +0200
  • apache2 (2.4.23-4) unstable; urgency=medium
    
      * Fix pre-inst script for new installations. Closes: #834169
    
     -- Stefan Fritsch <email address hidden>  Fri, 12 Aug 2016 21:44:31 +0200
  • apache2 (2.4.23-3) unstable; urgency=low
    
      * Fix conffiles that may have got the wrong content during upgrade from
        wheezy to early jessie versions. Closes: #794933
      * Also restore re-introduced *.load files for mod_ident, mod_imagemap, and
        mod_cern_meta. These may have gone missing due to dpkg thinking they still
        belong to apache2.2-common. Reported by Markus Waldeck.
      * apache2-maintscript-helper: Make apache2_switch_mpm do nothing if the
        local admin has disabled the requested mpm manually.
        Closes: #827446, #799630
      * Make mod_proxy_html depend on mod_xml2enc.
      * dh_apache2: Make versioned recommends on apache2 less strict. There is
        no advantage in recommending the current version. Closes: #784290
    
     -- Stefan Fritsch <email address hidden>  Thu, 11 Aug 2016 21:40:35 +0200
  • apache2 (2.4.23-2) unstable; urgency=high
    
      * CVE-2016-5387: Sets environmental variable based on user supplied Proxy
        request header.
        Don't pass through HTTP_PROXY in server/util_script.c
    
     -- Stefan Fritsch <email address hidden>  Thu, 21 Jul 2016 23:21:37 +0200
  • apache2 (2.4.23-1) unstable; urgency=high
    
      * New upstream release
        - Security: CVE-2016-4979: Fix bypass of TLS client certificate
          verification in mod_http2.
        - new modules mod_proxy_http2 (experimental) and mod_proxy_hcheck
      * Re-introduce mod_imagemap and mod_cern_meta. Closes: #786657
      * Set SHELL=/bin/bash during configure to get reproducible builds regardless
        of where /bin/sh points to.
      * Use 'Require method' instead of Limit/LimitExcept in userdir.conf.
    
     -- Stefan Fritsch <email address hidden>  Tue, 05 Jul 2016 23:57:25 +0200
  • apache2 (2.4.20-2) unstable; urgency=medium
    
      * Fix crash in ap_get_useragent_host() triggered by mod_perl test.
        Closes: #820824
      * Fix race condition and logical error in init script. Thanks to Thomas
        Stangner for the patch. Closes: #822144
      * Remove links to manpages.debian.org in default index.html to avoid
        broken robots doing a DoS on the site. Closes: #821313
      * Fix a2enmod to run on perl 5.14 to simplify backports. Closes: #821956
      * Bump Standards-Version (no changes necessary).
      * Fix segfault with logresolve -c. Closes: #823259
    
     -- Stefan Fritsch <email address hidden>  Sat, 28 May 2016 16:14:09 +0200
  • apache2 (2.4.20-1) unstable; urgency=medium
    
      * New upstream release
        - mostly bugfixes and HTTP/2 improvements
      * Build against lua 5.2 instead of 5.1. Closes: #820243
      * Correct systemd-sysv-generator behavior by customizing some parameters.
        This fixes 'systemctl status' returning incorrect results. Thanks to
        Pierre-André MOREY for the patch. LP: #1488962
      * On Linux, use pthread mutexes. On kfreebsd/hurd, continue using fcntl
        because they lack robust pthread mutexes. LP: #1565744, #1527044
    
     -- Stefan Fritsch <email address hidden>  Sun, 10 Apr 2016 14:03:41 +0200
  • apache2 (2.4.18-2) unstable; urgency=low
    
      * htcacheclean:
        - split starting/stopping into separate init script 'apache-htcacheclean'
        - move config from /etc/default/apache2 to /etc/default/apache-htcacheclean
        - make a2enmod/a2dismod enable/disable htcacheclean with mod_cache_disk
        - start htcacheclean as the apache2 run user/group
      * Fix a2query -M not returning output if apache2 config is broken.
        Fix missing quotes in apache2-maintscript-helper. Closes: #810500
      * README.backtrace: Note that coredump directory needs to be owned by
        www-data. Closes: #806697
      * Remove ssl work-arounds for MSIE. Newer versions of IE work without them
        and older versions are no longer supported by MS. Closes: #815852
      * Give a hint about systemd in README.multiple-instances. Closes: #818904
      * Don't treat mod_access_compat as essential. It's essentially broken,
        anyway.
      * Merge cross-compile tweaks for debian/rules from ubuntu.
      * Merge autopkgtests from Ubuntu. Many thanks to Robie Basak.
        Closes: #719245
      * Fix duplicate-module-load test and make sure it fails if it cannot execute
        apache2ctl.
      * Bump Standards-Version (no changes necessary).
    
     -- Stefan Fritsch <email address hidden>  Mon, 28 Mar 2016 21:58:54 +0200
  • apache2 (2.4.18-1) unstable; urgency=medium
    
      * New upstream release:
        - mostly HTTP/2 improvements
    
     -- Stefan Fritsch <email address hidden>  Sat, 19 Dec 2015 09:26:14 +0100
  • apache2 (2.4.17-3) unstable; urgency=medium
    
      * mpm_prefork: Fix segfault if started with -X. Closes: #805737
    
     -- Stefan Fritsch <email address hidden>  Mon, 23 Nov 2015 19:52:09 +0100
  • apache2 (2.4.17-2) unstable; urgency=medium
    
      * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
        lots of web-apps. Closes: #803353
      * Fix secondary-init-script to not source the main init script with 'set -e'.
        Closes: #803177
      * mod_http2: Write HTTP/2 into THE_REQUEST and the access log.
    
     -- Stefan Fritsch <email address hidden>  Sat, 31 Oct 2015 23:17:11 +0100
  • apache2 (2.4.17-1) unstable; urgency=medium
    
      [ Stefan Fritsch ]
      * New upstream release:
        - New experimental http2 module
      * reproducible build: Make symbol sorting consistent over different locales
      * Conflict with apache2.2-common and apache2.2-bin to get the transitional
        packages removed. Closes: #768815
      * Don't treat mpm_itk as MPM module in a2query. Closes: #791902
      * Don't treat mpm_itk as MPM module in deferred actions in postinst.
        Hopefully really closes: #789914
      * Don't treat mpm_itk as MPM module in a2enmod.
    
      [ Jean-Michel Vourgère ]
      * Updated upstream keyring used to check source authenticity.
    
     -- Stefan Fritsch <email address hidden>  Sat, 24 Oct 2015 22:14:32 +0200
  • apache2 (2.4.16-3) unstable; urgency=medium
    
      [ Jean-Michel Vourgère ]
      * Have apache2.postrm remove the content of /var/lib/apache2, not the
        directory itself. Closes: #793862
      * d/p/reproducible_builds.diff: Sort exported symbols list.
    
      [ Stefan Fritsch ]
      * apxs: Don't pass --silent to libtool. Closes: #795820
      * Remove default /var/www/html/index.html on package purge.
    
     -- Stefan Fritsch <email address hidden>  Tue, 18 Aug 2015 13:49:09 +0200
  • apache2 (2.4.16-2) unstable; urgency=medium
    
      * Make dh_apache2 add a versioned dependency on apache2-bin, for the
        new symbols required for the CVE-2015-3185 fix.
    
     -- Stefan Fritsch <email address hidden>  Fri, 07 Aug 2015 23:43:16 +0200
  • apache2 (2.4.16-1) unstable; urgency=medium
    
      [ Stefan Fritsch ]
      * New upstream version, fixing the following security issues:
        + CVE-2015-3183: Fix chunk header parsing defect.
        + CVE-2015-3185: ap_some_auth_required() broken in apache 2.4 in an
          unfixable way. Add a new replacement API ap_some_authn_required()
          and ap_force_authn hook.
    
      [ Jean-Michel Vourgère ]
      * Allow "triggers-awaited" and "triggers-pending" states in addition to
        "installed" when determining whether to defer actions or process
        deferred actions. Thanks Colin Watson. Closes: #787103
      * Allow a2dismod cgi on threaded mpms. Thanks Raul Dias. Closes:
        #733979
      * Remove pre-Jessie transition scripts, and remaining breaks.
      * Made builds reproducible: d/rules set the date from the changelog in
        CPPFLAGS, new reproducible_builds.diff patch to use it.
      * Moved bash_completion from /etc to /usr/share/bash_completion. Added
        links there for dynamic loading.
      * Upgrade security.conf comments to 2.4 auth format. Thanks Werner
        Detter. Closes: #789788
      * apache2.postinst: Fixed tests on deferred mpm switch. Closes:
        #789914
    
     -- Stefan Fritsch <email address hidden>  Sun, 02 Aug 2015 00:44:07 +0200
  • apache2 (2.4.12-2) unstable; urgency=medium
    
      [ Jean-Michel Nirgal Vourgère ]
      * d/control:
        + Update Vcs-Browser.
      * d/copyright:
        + Change d/debhelper/dh_apache2 to dh_apache2.in.
        + Drop paragraph about nonexistent itk patches.
    
      [ Stefan Fritsch ]
      * Remove all the transitional packages:
        apache2-mpm-worker, apache2-mpm-prefork, apache2-mpm-event,
        apache2-mpm-itk, apache2.2-bin, apache2.2-common,
        libapache2-mod-proxy-html, libapache2-mod-macro, apache2-suexec
        This also fixes the dependency problems caused by a recent version
        of debhelper (see #784803).
    
     -- Stefan Fritsch <email address hidden>  Mon, 11 May 2015 22:07:26 +0200
  • apache2 (2.4.12-1) unstable; urgency=medium
    
      * New upstream version
      * Add a patch for CVE-2015-0253 which was introduced in 2.4.11 which
        was never shipped in Debian.
      * Ship mod_proxy_html's default config file. Closes: #782022
      * Fix typo in dh_apache2 man page. Closes: #781032
    
     -- Stefan Fritsch <email address hidden>  Tue, 28 Apr 2015 22:54:41 +0200
  • apache2 (2.4.10-11) unstable; urgency=medium
    
      * core: Fix -D[efined] or <Define>[d] variables lifetime across restarts.
        This could cause all kinds of strange behavior. PR 56008. PR 57328
      * mpm_event: Fix process deadlock when shutting down a worker. PR 56960
      * mpm_event: Fix crashes due to various race conditions. Closes: #779078
    
     -- Stefan Fritsch <email address hidden>  Tue, 31 Mar 2015 22:27:16 +0200
  • apache2 (2.4.10-10) unstable; urgency=medium
    
      * CVE-2015-0228: mod_lua: Fix denial of service vulnerability in
        wsupgrade().
      * Fix setup-instance example script to handle a2enconf/a2disconf.
        LP: #1430936
      * Tweak mention of mod_access_compat in NEWS.Debian. The module does
        not really work in practice.
    
     -- Stefan Fritsch <email address hidden>  Sun, 15 Mar 2015 10:47:36 +0100
  • apache2 (2.4.10-9) unstable; urgency=medium
    
      * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
        LuaAuthzProvider is used in multiple Require directives with different
        arguments.
      * Include ask-for-passphrase script from Ubuntu with some tweaks. This
        fixes asking for certificate passphrases if started via systemd.
        Closes: #773405
      * Fix init script to not wait 20s if passphrase was wrong.
      * Also bump debhelper build-depends to get dh_installdeb with support for
        symlink_to_dir. Closes: #770421
    
     -- Stefan Fritsch <email address hidden>  Mon, 22 Dec 2014 20:24:36 +0100
  • apache2 (2.4.10-8) unstable; urgency=medium
    
      * Bump dpkg Pre-Depends to version that supports relative symlinks in
        dpkg-maintscript-helper's symlink_to_dir. Closes: #769821
      * mod_proxy_fcgi: Fix potential denial of service by malicious fcgi
        script. (CVE-2014-3583). Fix similar bug in mod_authnz_fcgi even
        though it does not seem to be exploitable.
      * mpm_event: Fix use-after-free that may lead to a server crash.
      * mod_ssl: Fix memory leak on graceful restart. Closes: #754492
      * mod_ssl: Avoid crashes during startup or graceful restart due to
        openssl using a callback to invalid memory. LP: #1366174
    
     -- Stefan Fritsch <email address hidden>  Tue, 18 Nov 2014 15:18:18 +0100
  • apache2 (2.4.10-7) unstable; urgency=medium
    
      * Handle transitions of doc dirs and symlinks correctly during upgrade.
        Use dpkg-maintscript-helper for this and remove existing explicit logic.
        Closes: #767850
      * Remove obsolete conffiles in apache2.2-common, instead doing this only in
        apache2. This partially fixes #768815
    
     -- Stefan Fritsch <email address hidden>  Sun, 09 Nov 2014 19:03:30 +0100
  • apache2 (2.4.10-6) unstable; urgency=medium
    
      * Disable SSLv3 in default config. Closes: #765347
      * Pull changes from upstream 2.4.x branch up to r1632831
        - Fixes an LDAP regression in 2.4.10
        - mod_cache: Avoid sending 304 responses during failed revalidations.
          PR 56881
        - mod_status: Honor client IP address using mod_remoteip. PR 55886
      * Fix typo in package description. Closes: #765500
    
     -- Stefan Fritsch <email address hidden>  Tue, 21 Oct 2014 22:42:06 +0200
  • apache2 (2.4.10-5) unstable; urgency=medium
    
      * Remove one forgotten instance of ident.load in the preinst.
    
     -- Stefan Fritsch <email address hidden>  Fri, 10 Oct 2014 00:20:09 +0200
  • apache2 (2.4.10-3) unstable; urgency=medium
    
      * CVE-2014-3581: Fix a DoS in mod_cache.
      * If apache2 is not configured yet, defer actions executed via
        apache2-maintscript-helper. This fixes installation failures if a
        module package is configured first. Closes: #745834
      * Don't use a2query in preinst, as it may not be available yet.
        Closes: #745812
      * Include mod_authnz_fcgi. Closes: #762908
      * Add some comments about SSLHonorCipherOrder in ssl.conf. Closes: #746359
      * Remove misleading sentence in apache2-bin's description. Closes: #762645
      * Remove trailing space in apache2/suexec/www-data. Closes: #719930
      * Add NEWS entry for the logrotate change in 2.4.10-2.
      * Bump Standards-version (no changes).
      * Fix lintian warning: Tweak licence short names in copyright file.
    
     -- Stefan Fritsch <email address hidden>  Sun, 28 Sep 2014 22:37:02 +0200
  • apache2 (2.4.10-2) unstable; urgency=medium
    
      * Pull changes from upstream 2.4.x branch up to r1626207
        + Security Fix for CVE-2013-5704: HTTP trailers could be used to
          replace HTTP headers late during request processing, potentially
          undoing or otherwise confusing modules that examined or modified
          request headers earlier.
          Adds "MergeTrailers" directive to restore legacy behavior.
    
      * Switch to apache2 providing the httpd and httpd-cgi virtual packages.
        The previously providing apache2-bin package lacks the configuration
        files. Closes: #756361
      * Keep fewer logs by default. Instead of 52 weekly logs, keep 14 daily
        logs. The daily graceful restart also has the advantage of regenerating
        things like TLS session ticket keys more often. Closes: #759382
      * Clarify description of apache2 package. Closes: #755976
      * In the maintainer script helper, print out Apache's error message if
        the config check fails.
      * Re-add mod_ident. It has still at least one user. LP: #1333388
    
     -- Stefan Fritsch <email address hidden>  Sun, 21 Sep 2014 22:58:33 +0200
  • apache2 (2.4.10-1) unstable; urgency=medium
    
      [ Arno Töll ]
      * New upstream version
        + Refresh debian/patches/fhs_compliance.patch
        + Security Fixes:
          - CVE-2014-0117 mod_proxy: Fix DoS that could cause a crash
          - CVE-2014-0226 Fix a race condition resulting in a heap overflow in
            scoreboard handling
          - CVE-2014-0118 mod_deflate: The DEFLATE input filter now limits the
            length and compression ratio of inflated request to mitigate a
            possible DoS
          - CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts
        + Fixes SNI with certificate defined in global scope. (Closes: #751361)
      * Warn users if they try to disable modules that we consider essential for
        operation of the Apache web server (Closes: #709461)
      * Drop libcap from our build-dependencies. That was needed for itk which we
        gave source out to its own package again.
      * Provide apache2.2-common package to avoid upgrading problems for people
        using --purge (apt) or --purge-unused (aptitude) even though that's
        clearly discouraged. This caused disappearing of conffiles because we move
        them from apache2.2-common to apache2 during the upgrade. Ugh. This was
        not a bug in our packaging, but unfortunately people blame us
        nonetheless even though it's not all our fault. This alternative helps
        those people, but at the same time means that incompatible modules aren't
        force-removed by dpkg during the upgrade. Hopefully we catch all of them
        with the Breaks relation coming along (Closes: #716880, #752922, #711925)
    
     -- Stefan Fritsch <email address hidden>  Tue, 22 Jul 2014 23:16:20 +0200
  • apache2 (2.4.9-2) unstable; urgency=medium
    
      * Fix logic in postinst to detect existing index.* files in both
        DocumentRoots, the old /var/www and the new /var/www/html. Also
        change the compiled in default DocumentRoot to /var/www/html.
        Closes: #743915
      * Fix buffer overflows in suexec with very long (unix) usernames. Not
        exploitable due to FORTIFY_SOURCE. And creating users usually requires
        root privileges, anyway. Thanks to Luca Bruno for the report.
      * Remove conflicts of mpm modules with mpm_itk, which isn't an mpm
        anymore. Fixes a part of: #734865. libapache2-mpm-itk needs a fix, too.
      * Remove obsolete warning in a2enmod about mpm-itk.
      * Fix lintian warning: Remove image ref to w3.org, which is a privacy
        breach.
    
     -- Stefan Fritsch <email address hidden>  Sun, 08 Jun 2014 10:38:04 +0200
  • apache2 (2.4.9-1) unstable; urgency=medium
    
      * New upstream version.
        Security fixes:
        - CVE-2013-6438: mod_dav: Fix DoS from crafted DAV WRITE requests.
        - CVE-2014-0098: mod_log_config: Fix segfaults when logging truncated
                         cookies.
        Notable new features:
        - Support named groups and backreferences within the LocationMatch,
          DirectoryMatch, FilesMatch and ProxyMatch directives.
        - mod_proxy: Added support for unix domain sockets as the backend server
          endpoint.
        - mod_ssl: Add support for OpenSSL configuration commands by introducing
          the SSLOpenSSLConfCmd directive.
        - mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
          mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
          require directives.
        - mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
          and IgnoreInherit.
        - Bugfix in the build system to avoid problems with patched config.m4
          files as in LP #1251939.
      * Make default cipher list in ssl.conf more secure:
        - Remove 'MEDIUM'. This disables RC4 and SEED. Also remove '!MD5' because
          'HIGH' does not include MD5.
        - Remove the 'Speed-optimized SSL Cipher' configuration example because
          it depends on RC4, which is considered insecure.
      * Change init script short description to describe the service, not the
        script.  Closes: #738315
      * Bump Standards-Version (no changes).
    
     -- Stefan Fritsch <email address hidden>  Sat, 29 Mar 2014 22:50:32 +0100
  • apache2 (2.4.7-1) unstable; urgency=low
    
      New upstream version
    
      [ Stefan Fritsch ]
      * In logrotate and init script, don't hardcode path to htcacheclean.
        Instead, put sbin directories in PATH. Also fix one missed reference
        to disk_cache.load, missed in 2.4.6-3. Really closes: #718909
      * Remove possibility to override path to apache2 executable via envvars.
        This is no longer necessary with MPMs as modules.
      * Fix typo in serve-cgi-bin.conf. Closes: #723196
      * Bump Build-Depends. 2.4.7 requires apr 1.5.
    
      [ Arno Töll ]
      * Fix "No default site enabled after fresh install if /etc/apache2
        exists" by using a condition in preinst which actually works as expected.
        Thanks to Jean-Michel Vourgère for triaging the issue and providing a
        patch (Closes: #711493).
      * Leave a2disconf with rc=0 when purging a configuration which does not
        exist. (Closes: #718166)
      * Explicitly express the dependency for mod_access_compat depending on
        authn_core. Thanks Jean-Michel Vourgère for providing a patch (Closes:
        #710412)
      * Allow "apache2_invoke disconf" in postinst/preinst (Closes: #717693)
      * Rework the default index.html file. Instead of a blank, minimalistic page
        give a quick start guide, since nobody seems to read our docs. This site
        is hopefully explaining the most important questions.
      * Add a virtual provides line to the itk/worker/event/prefork transitional
        packages so that people with an unusual (unsupported) Apache setup
        can upgrade seamlessly in some corner cases (Closes: #728937)
      * Drop the Apache ITK patches. The Apache ITK MPM is a standalone package
        now and will be provided by libapache2-mpm-itk in future. The
        apache2-mpm-itk package depends on this package from now on. Users of itk
        are advised to consult the itk manual.
        This also resolves a build-system problem that caused mod_unixd to be
        initialized twice. (LP: #1251939)
      * Remove Steinar H. Gunderson from uploaders, he will continue to support
        itk in his own package in future. The remaining Apache team thanks Steinar
        for all the work in the past.
      * Change the Default Document root directory where files are served from
        (Closes: #730372).
      * Add GPG support to our watch file. Thanks to Daniel Kahn Gillmor
        for this suggestion and for providing a patch (Closes: #732450)
      * Refresh suexec-custom.patch.
    
     -- Arno Töll <email address hidden>  Thu, 02 Jan 2014 00:17:56 -1100
  • apache2 (2.4.6-3) unstable; urgency=low
    
      * Fix 'implicit declaration' compiler warnings.
      * Fix module dependencies in lbmethod_*.load files. Closes: #717910
        LP: #1205314
      * Mark apache2-data as Multi-Arch: foreign. Closes: #718387
      * Backport open_htaccess hook from upstream 2.4.x branch to allow
        building mpm-itk as separate package.
      * Improve comment for LogLevel in apache2.conf. Closes: #718677
      * Fix comment in ports.conf. Closes: #718650
      * Fix htcacheclean path and function name in init script. Closes: #718909
      * Enable bindnow hardening compiler option, patch by Felix Geyer.
        Closes: #714872
    
     -- Stefan Fritsch <email address hidden>  Mon, 12 Aug 2013 20:15:38 +0200
  • apache2 (2.4.6-2) unstable; urgency=low
    
      [ Stefan Fritsch ]
      * Fix watch file
      * Don't pass --silent to libtool, allowing blhc to check the compiler
        options in the build logs.
    
      [ Arno Töll ]
      * Allow third party packages to use triggers if they use them in a
        maintainer script invoking apache2-maintscript-helper (Closes: #717610)
    
     -- Arno Töll <email address hidden>  Tue, 23 Jul 2013 13:25:30 +0200
  • apache2 (2.4.6-1) unstable; urgency=low
    
      New upstream release:
      * CVE-2013-1896: mod_dav: Fix a denial of service via MERGE request
        (Closes: #717272)
      * New modules mod_cache_socache, mod_proxy_wstunnel.
      * mod_ssl: Add support for subjectAltName-based host name checking in proxy
        mode (SSLProxyCheckPeerName).
      * mod_lua: Many new functions.
      * mod_auth_basic: Add a generic mechanism to fake basic authentication
        using the ap_expr parser (AuthBasicFake).
      * mod_proxy: New BalancerInherit and ProxyPassInherit options.
      * mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind password.
    
      [ Arno Töll ]
      * Document our security model in our NEWS file and highlight we do not allow
        access to /srv. Thanks to joeyh for pointing this out.
      * Allow the use of apache2-maintscript-helper from a sub-function. We rely
        on dpkg's arguments supplied in $1, $2 etc. This clashes with function
        arguments supplied to the sh sub-function. Allow manual override in such
        cases.
      * Mention that the dh_apache2 conditional must be present in postrm too
        (Closes: #716694)
      * Fix "dh_apache2 ignores alternative httpd on conf files" by correctly
        checking the supplied arguments, we were off by one (Closes: #717299).
      * Reinstall index.html also on upgrades as it is removed during upgrades.
      * Add mod_macro transitional package as it was promoted to core and does not
        exist as individual package anymore (Closes: #706962)
    
      [ Stefan Fritsch ]
      * Don't fail package upgrade or removal just because the configuration is in
        an inconsistent state (Closes: #716921, #717343, LP: #1202653).
      * Improve error output of init script.
      * Fix broken dependency information in several *.load files.
      * Add mod_authn_core as dependency of the mod_auth_* modules.
        (Closes: #717448)
    
     -- Arno Töll <email address hidden>  Sun, 21 Jul 2013 18:44:42 +0200
  • apache2 (2.4.4-6) unstable; urgency=low
    
      * Denote exact versions breaking gnome-user-share now that Gnome maintainers
        have a fixed version in the works. That makes Gnome installable again.
      * Update our gbp.conf for our big merge next -> master. The eagle has
        landed, 2.4 is here.
      * Push Standards version to 3.9.4 - no changes needed.
      * Fix spelling errors in man pages.
      * Update the git VCS pointer to its canonical location for anonymous
        checkouts.
      * Boost the description for the LSB init script to appease Lintian.
      * Fix spurious warnings in the Apache2 bug report script (Closes: #711121,
        #711480)
      * Strip off file extensions from arguments to a2(en|dis)(site|conf|mod) so
        that "a2ensite 000-default.conf" works, as well as "a2ensite 000-default"
        (Closes: #711494)
      * Fix "apache2-dev: dh-apache2 does not strip .conf extension" for modules
        relying on the install heuristic, instead of writing an *.apache2 conf
        file (Closes: #711483)
      * Apply patch submitted by Robert Luberda and redirect all output of
        apache2-maintscript-helper to stderr (Closes: #711478)
      * Tell about essential operations in the init script (Closes: #711120)
      * Fix indentation mess in the init script, and add modelines
      * Make sure /etc/init.d/apache2 reload does not always return. Thanks to
        Thorsten Glaser for suggesting a patch (Closes: #711117)
      * Make apache2-maintscript-helper usable when sourced from weird
        environments (e.g. Perl maintainer scripts). Thanks to Robert Luberda
        for doing unexpected things, and providing patches for it, and to Axel
        Beckert for demangling shell specifics (Closes: #711479)
      * Fix "copyright file missing after upgrade (policy 12.5)" and add these for
        MPM transitional packages (Closes: #710914)
      * Fix "apache2.2-bin transitional package (binaries only) should not
        depend on apache2 package (which runs a system daemon)". This happened by
        accident added by debhelper since we are linking docs. We do to
        apache2-bin instead (Closes: #711127)
      * Refresh "upstream-fixes" patch
      * Fix "Disabling strtoul violates C89 and C99 and is unnecessary" by
        removing the symbol override in httpd.h (Closes: #711534)
    
     -- Arno Töll <email address hidden>  Fri, 07 Jun 2013 19:14:36 +0200
  • apache2 (2.4.4-5) unstable; urgency=low
    
      [ Arno Töll ]
      * Fix compile issue on kfreebsd.
    
     -- Stefan Fritsch <email address hidden>  Fri, 31 May 2013 10:19:18 +0200
  • apache2 (2.4.4-4) unstable; urgency=low
    
      [ Stefan Fritsch ]
      * Upload to unstable.
      * Fix FTBFS on hurd caused by mpm-itk linking fix.
      * Fix some lintian warnings:
        - fix pod error
        - add overrides for hardening-no-fortify-functions
        - don't use /lib/init/vars.sh in init script
      * Add note to README.Debian about CVE-2013-0966 if the document root is
        on HFS+ or on ZFS with filename normalization.
      * Add a note to README.Debian about how to change the max file limit.
        Make apache2ctl print a message pointing to README.Debian if setting
        the limit fails. (Closes: #706822)
    
      [ Arno Töll ]
      * Correct maintainer scripts by removing forgotten left-overs of our Squeeze
        -> Wheezy renaming
    
     -- Stefan Fritsch <email address hidden>  Thu, 30 May 2013 17:25:09 +0200
  • apache2 (2.2.22-13) unstable; urgency=medium
    
      [ Stefan Fritsch ]
      * Urgency medium for security fixes.
      * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
      * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.
      * mod_log_forensic: Fix spurious '-' characters being logged, causing
        false positives. Closes: #693292
    
      [ Arno Töll ]
      * Document APACHE_ARGUMENTS in envvars (Closes: #693299)
    
     -- Stefan Fritsch <email address hidden>  Mon, 04 Mar 2013 22:21:05 +0100
  • apache2 (2.2.22-12) unstable; urgency=low
    
      * Backport mod_ssl "SSLCompression on|off" flag from upstream. The default is
        "off". This mitigates impact of CRIME attacks. Fixes:
        - "handling the CRIME attack" (Closes: #689936)
        - "make it possible to disable ssl compression in apache2 mod_ssl"
          (Closes: #674142)
    
     -- Arno Töll <email address hidden>  Wed, 31 Oct 2012 00:23:59 +0100
  • apache2 (2.2.22-11) unstable; urgency=low
    
      * Be more careful regarding link attacks when purging the cache disk
        directory.
      * Change file ownership of /var/cache/apache2/ to root.
      * Compress the data.tar in binary packages using xz to save some space on
        installation media (Debian only).
    
     -- Arno Töll <email address hidden>  Fri, 03 Aug 2012 23:20:50 +0200
  • apache2 (2.2.22-10) unstable; urgency=low
    
      [ Arno Töll ]
      * Fix "dbmmanage: please use Digest::SHA instead of Digest::SHA1" by changing
        perl module imports to make use of Digest::SHA shipped with perl 5.10 (Closes:
        #682401)
      * Fix "Default /etc/apache2/mods-available/disk_cache.conf is incompatible
        with ext3" by changing the default to more moderate values. Some file
        systems have a hard limit for the number of subdirectories in a single
        directory. This change requires the cache directory to be purged.
        (Closes: #682840)
    
      [ Stefan Fritsch ]
      * Add support for TLSv1.0 and TLSv1.1 to SSLProtocol and SSLProxyProtocol
        directives. Closes: #682897
    
     -- Stefan Fritsch <email address hidden>  Mon, 30 Jul 2012 22:23:02 +0200
  • apache2 (2.2.22-9) unstable; urgency=low
    
      * Fix typo in conf.d/security comment. Closes: #678740
    
     -- Stefan Fritsch <email address hidden>  Sun, 24 Jun 2012 20:10:27 +0200
  • apache2 (2.2.22-8) unstable; urgency=medium
    
      [ Stefan Fritsch ]
      * CVE-2012-2687: mod_negotiation: Escape filenames in variant list to prevent
        a possible XSS for a site where untrusted users can upload files to a
        location with MultiViews enabled.
      * Add example for X-XSS-Protection to conf.d/security.
    
      [ Arno Töll ]
      * Fix "contradictory comment in /etc/apache2/apache2.conf about the
        .load suffix" (Closes: #676975). Hopefully you are now happy, Vincent. :-)
    
     -- Stefan Fritsch <email address hidden>  Sat, 23 Jun 2012 17:50:47 +0200
  • apache2 (2.2.22-7) unstable; urgency=low
    
      [ Arno Töll ]
      * Fix "ambiguous comment in /etc/apache2/apache2.conf" by clarifying
        contradicting statements. (Closes: #675184)
    
      [ Stefan Fritsch ]
      * Allow colons in filenames when using wildcards with "Include".
        Closes: #676610
      * Add examples for X-Content-Type-Options and X-Frame-Options to
        conf.d/security.
      * Fix the VCS dir example in conf.d/security.
      * Pick some bug fixes from upstream trunk:
        - core/mod_cgi: Fix script logging in error case
        - mod_dumpio: Fix possible loop in input filter.
        - mod_proxy_ajp: Reduce memory usage in case of many requests on one
          connection
    
     -- Stefan Fritsch <email address hidden>  Sun, 10 Jun 2012 12:27:02 +0200
  • apache2 (2.2.22-6) unstable; urgency=low
    
    
      [ Stefan Fritsch ]
      * Fix regression causing apache2 to cache "206 partial content" responses,
        and then serving these partial responses when replying to normal requests.
        Closes: #671204
      * Add section to security.conf that shows how to forbid access to VCS
        directories. Closes: #548213
      * Update ssl default cipher config, add alternative speed optimized config.
        Closes: #649020
      * Add "AddCharset" for .brf files in default mod_mime config.
        Closes: #402567
      * Don't create httpd.conf anymore and don't include it in apache2.conf. If
        it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
      * Port some of the comments in apache2.conf from the 2.4 package.
      * Compile mod_version statically, drop associated module load file.
      * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
        configtest.
      * Note in README.Debian that future versions of the package will have the
        include statements changed to include only *.conf.
      * Change compiled-in document root to /var/www, to avoid strange error
        messages.
      * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
    
      [ Arno Töll ]
      * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
        to override LDFLAGS at compile time by defining LDFLAGS in the environment,
        just like it is possible for CFLAGS. This also means config_vars.mk now
        exports hardening build flags by default.
      * Update doc-base metadata for the apache2-doc package.
    
     -- Stefan Fritsch <email address hidden>  Tue, 29 May 2012 22:05:48 +0200
  • apache2 (2.2.22-5) unstable; urgency=low
    
    
      * Make LoadFile and LoadModule look in the standard search paths if the
        dso file name is given as a pure filename. This helps with the multi-arch
        transition.
    
     -- Stefan Fritsch <email address hidden>  Mon, 30 Apr 2012 23:38:33 +0200
  • apache2 (2.2.22-4) unstable; urgency=high
    
    
      * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
        hosts' config files.
        If scripting modules like mod_php or mod_rivet are enabled on systems
        where either 1) some frontend server forwards connections to an apache2
        backend server on the localhost address, or 2) the machine running
        apache2 is also used for web browsing, this could allow a remote
        attacker to execute example scripts stored under /usr/share/doc.
        Depending on the installed packages, this could lead to issues like cross
        site scripting, code execution, or leakage of sensitive data.
    
     -- Stefan Fritsch <email address hidden>  Sun, 15 Apr 2012 23:41:43 +0200
  • apache2 (2.2.22-3) unstable; urgency=low
    
    
      * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
        No such file or directory". Do not use internal rules targets which clash
        with build target names ... (Closes: #667069)
      * Drop apache2-dev virtual package. This had virtually no users but breaks our
        experimental package in some cases (e.g. #666793)
      * Push Standards version - no further changes
      * Update my maintainer address
    
     -- Arno Töll <email address hidden>  Thu, 05 Apr 2012 13:21:42 +0200
  • apache2 (2.2.22-2) unstable; urgency=low
    
    
      [ Arno Töll ]
      * Fix "Incorrect debhelper build dependency" by raising the build-dependency
        of debhelper to 8.9.7  (Closes: #659148)
    
     -- Stefan Fritsch <email address hidden>  Thu, 15 Mar 2012 00:02:31 +0100
  • apache2 (2.2.22-1) unstable; urgency=medium
    
    
      [ Stefan Fritsch ]
      * New upstream release, urgency medium due to security fixes:
        - Fix CVE-2012-0021: mod_log_config: DoS with '%{cookiename}C' log format
        - Fix CVE-2012-0031: Unprivileged child process could cause the parent to
          crash at shutdown
        - Fix CVE-2012-0053: Exposure of "httpOnly" cookies in code 400 error
          message.
      * Move httxt2dbm to apache2-utils
      * Adjust debian/control to point to new git repository.
    
      [ Arno Töll ]
      * Fix "typo in /etc/apache2/apache2.conf" (Closes: #653801)
    
     -- Stefan Fritsch <email address hidden>  Wed, 01 Feb 2012 21:49:04 +0100
  • apache2 (2.2.21-5) unstable; urgency=low
    
    
      [ Arno Töll ]
      * Fix build failures introduced as regression by the previous build. Debian
        buildds aren't rebuilding arch:all packages which caused problems for our
        unconditional copying into binary package. I was warned.
    
     -- Stefan Fritsch <email address hidden>  Thu, 29 Dec 2011 17:36:41 +0100
  • apache2 (2.2.21-4) unstable; urgency=low
    
    
      [ Stefan Fritsch ]
    
      * Security: Fix broken patch for CVE-2011-3607 (Integer overflow in
        ap_pregsub).
      * Optimize debian/rules again to improve build time by doing most work in a
        single parallelized "build-%" target.
    
      [ Arno Töll ]
    
      * Fix "Suggest removing DefaultType from apache2.conf": change the DefaultType
        from text/plain to None. This lets the browser guess a proper MIME type
        instead of being forced to treat a given file according to our default type
        (Closes: #440058)
      * Fix "add pre-rotate hook to logrotate script": execute scripts in
        /etc/logrotate.d/httpd-prerotate if available (Closes: #590096).
      * Fix "Hide /icons index": disable indexes on the icon directory. By upgrading
        to Debian's 3.0/quilt source format also images don't need to be generated
        at build time anymore. Hence, the icon date can no longer lead to
        information disclosure (Closes: #649888).
      * Upgrade package to 3.0/quilt.
        + Remove uuencoded images, keep them in their binary format in debian/icons
        + Upgrade to quilt from dpatch and refresh all patches by keeping all hunks
          unchanged. Remove the `001_branding' patch by supplying -DPLATFORM at
          build time where needed. Move the 200_cp_suexec.dpatch patch and
          202_suexec-custom.dpatch patch to debian/rules. 200_cp_suexec.dpatch was a
          script, not a patch, which is not supported by quilt.
      * Rewrite debian/rules and base it on dh(1).
        + use overrides where possible, replace some debhelper calls by our own
          implementation where needed. That's required since the Apache package is
          compiled in parts several times for each MPM once.
        + move some install operations to their respective .install files
        + Support dpkg-buildflags now, which also enables by default hardening
          flags. Thus, remove them from their explicit appearance in debian/rules
        + Remove DEB_BUILD_OPTIONS legacy support. It comes for free when using
          dh(1)/dpkg-buildflags(1).
      * Push debhelper compatibility to 8
      * Remove unused Lintian overrides for the Debian source package and remove
        redundant priorities in debian/control.
      * Add myself to Uploaders
    
     -- Stefan Fritsch <email address hidden>  Thu, 29 Dec 2011 12:09:14 +0100
  • apache2 (2.2.21-3) unstable; urgency=medium
    
    
      * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
        reverse proxy configurations. (Similar to CVE-2011-3368, but different
        attack vector.)
      * Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
        via malicious .htaccess. 
      * Mention dpkg-statoverride for changing permissions of suexec. LP: #897120
      * Fix broken link in docs. Closes: #650528
      * Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders.
        Thanks for your work in the past.
    
     -- Stefan Fritsch <email address hidden>  Sat, 03 Dec 2011 18:54:03 +0100
  • apache2 (2.2.21-2) unstable; urgency=high
    
    
      * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
        reverse proxy configurations by strictly validating the request-URI.
      * Correctly set permissions of suexec.load even if umask is 0002 during
        build. LP: #872000
    
     -- Stefan Fritsch <email address hidden>  Tue, 11 Oct 2011 22:54:47 +0200
  • apache2 (2.2.21-1) unstable; urgency=low
    
    
      * New upstream release.
        - Fixes CVE-2011-3348: Possible denial of service in mod_proxy_ajp
          if combined with mod_proxy_balancer
    
     -- Stefan Fritsch <email address hidden>  Mon, 26 Sep 2011 18:16:11 +0200
  • apache2 (2.2.20-1) unstable; urgency=low
    
    
      * New upstream release.
      * Fix some regressions related to Range requests caused by the CVE-2011-3192
        fix. Closes: #639825
      * Add build-arch and build-indep rules targets to make Lintian happy.
      * Bump Standards-Version (no changes).
    
     -- Stefan Fritsch <email address hidden>  Sun, 04 Sep 2011 21:50:22 +0200
  • apache2 (2.2.19-2) unstable; urgency=high
    
    
      * Fix CVE-2011-3192: DoS by high memory usage for a large number of
        overlapping ranges.
      * Reduce default KeepAliveTimeout from 15 to 5 seconds. 
      * Use "linux-any" in build-deps. Closes: #634709
      * Improve reload message of a2enmod. Closes: #639291
      * Improve description of the prefork MPM. Closes: #634242
      * Mention .conf files in a2enmod man page. Closes: #634834
    
     -- Stefan Fritsch <email address hidden>  Mon, 29 Aug 2011 17:08:17 +0200
  • apache2 (2.2.19-1) unstable; urgency=low
    
    
      * New upstream release.
        - Makes apr-md5 the default algorithm for htpasswd, removing the 8
          character limit of the crypt()-algorithm. Closes: #539246
        - Fixes merging of IndexOptions. Closes: #394688
        - Documents why order of ProxyPass and <Proxy> blocks matters in the
          configuration. See "Workers" section in the mod_proxy documentation.
          Closes: #560020
      * For multiple instance setups, correctly determine the config dir in the
        init script if it is called via a start/stop link. Closes: #627061
      * Make a2enmod's restart hint more cut'n'paste friendly. LP: #770204
      * Make it clear in README.multiple-instances that the MPMs are shipped
        in the apache2.2-bin package.
    
     -- Stefan Fritsch <email address hidden>  Sun, 22 May 2011 10:21:21 +0200
  • apache2 (2.2.17-3) unstable; urgency=low
    
    
      * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
      * Fix link errors with -no-add-needed/--no-copy-dt-needed-entries in
        htpasswd/htdbm.
    
     -- Stefan Fritsch <email address hidden>  Sun, 10 Apr 2011 20:43:55 +0200
  • apache2 (2.2.17-2) unstable; urgency=high
    
    
      * New mpm_itk upstream version 2.2.17-01:
        - Fix CVE-2011-1176: If NiceValue was set, the default with no
          AssignUserID was to run as root:root instead of the default Apache user
          and group, due to the configuration merger having an incorrect default
          configuration. Closes: #618857
      * Make exit code of '/etc/init.d/apache2 status' more LSB compatible.
        Closes: #613969
      * Set the default file descriptor limit to 8192 instead of whatever the
        current limit is (usually 1024). Document how to change it in
        /etc/apache2/envvars . Closes: #615632
      * Fix typo in init script. Closes: #615866
      * Add hint in README.Debian about 403 error with mod_dav PUT. Closes: #613438
      * Remove some obsolete Depends and Replaces.
    
     -- Stefan Fritsch <email address hidden>  Mon, 21 Mar 2011 23:01:17 +0100
  • apache2 (2.2.17-1) unstable; urgency=low
    
    
      * New upstream version
      * Disable md5 in mod_ssl default cipher suite. Closes: #609126
      * Fix order of comments in "worker" section in apache2.conf. Closes: #608488
    
     -- Stefan Fritsch <email address hidden>  Tue, 15 Feb 2011 23:30:18 +0100
  • apache2 (2.2.16-6) unstable; urgency=low
    
    
      * Also add $named to the secondary-init-script example.
    
     -- Stefan Fritsch <email address hidden>  Sat, 01 Jan 2011 22:55:15 +0100
  • apache2 (2.2.16-5) unstable; urgency=medium
    
    
      * Add $named to the init script dependency header, since apache depends on
        DNS in some configurations. Closes: #608437
      * Update outdated description of /etc/apache2/magic in README.Debian.
        Closes: #603586
    
     -- Stefan Fritsch <email address hidden>  Fri, 31 Dec 2010 01:22:19 +0100
  • apache2 (2.2.16-4) unstable; urgency=medium
    
    
      * Increase the mod_reqtimeout default timeouts to avoid potential problems
        with CRL-requesting browsers. Also extend the comments in reqtimeout.conf.
      * Remove bogus comment in conf.d/security about default in the "release
        after Lenny".
      * Clarify comments in suexec-custom's default config file. LP: #673289
    
     -- Stefan Fritsch <email address hidden>  Sun, 14 Nov 2010 19:05:55 +0100
  • apache2 (2.2.16-3) unstable; urgency=high
    
    
      * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
      * Fix "Could not reliably determine the server's ..." error message in
        README.Debian, to make it easier to search for it.  Closes: #590528
    
     -- Stefan Fritsch <email address hidden>  Sat, 09 Oct 2010 20:59:34 +0200
  • apache2 (2.2.16-2) unstable; urgency=low
    
    
      * Force -j1 for 'make install' to fix occasional FTBFS. Closes: #593036
      * Add a note about the new behaviour of SSL/TLS renegotiation and the new
        directive SSLInsecureRenegotiation to NEWS.Debian. Closes: #593334
      * Support 'graceful' as alias for 'reload' in the init script.
      * In README.Debian, suggest an Apache configuration change to get rid of the
        "Could not reliably determine the server's fully qualified domain name"
        warning, as alternative to changing DNS or /etc/hosts.  Closes: #590528
      * Add notes to README.Debian on how to reduce memory usage.
      * Bump Standards-Version (no changes).
    
     -- Stefan Fritsch <email address hidden>  Sun, 29 Aug 2010 15:29:21 +0200
  • apache2 (2.2.16-1) unstable; urgency=medium
    
    
      * Urgency medium for security fix.
      * New upstream release:
        - CVE-2010-1452: mod_dav, mod_cache: Fix denial of service vulnerability
          due to incorrect handling of requests without a path segment.
        - mod_dir: add FallbackResource directive, to enable admin to specify
          an action to happen when a URL maps to no file, without resorting
          to ErrorDocument or mod_rewrite
      * Fix mod_ssl header line corruption because of using memcpy for overlapping
        buffers. PR 45444. LP: #609290, #589611, #595116
    
     -- Stefan Fritsch <email address hidden>  Sat, 24 Jul 2010 22:18:43 +0200
  • apache2 (2.2.15-6) unstable; urgency=low
    
    
      * Fix init script not correctly killing htcacheclean. Closes: #580971
      * Add a separate entry in README.Debian about the need to use apache2ctl
        for starting instead of calling apache2 directly. Closes: #580445
      * Fix debug info to allow gdb loading it automatically. Closes: #581514
      * Fix install target in Makefile created by apxs2 -n. Closes: #588787
      * Fix ab sending more requests than specified by the -n parameter.
        Closes: #541158
      * Add apache2 monit configuration to apache2.2-commons examples dir.
        Closes: #583127
      * Build as PIE, since gdb in squeeze now supports it.
      * Update the postrm script to also purge the version of /var/www/index.html
        introduced in 2.2.11-7.
      * Bump Standards-Version (no changes).
    
     -- Stefan Fritsch <email address hidden>  Fri, 16 Jul 2010 23:41:08 +0200
  • apache2 (2.2.15-5) unstable; urgency=low
    
    
      * Conflict with apache package as we now include apachectl. Closes: #579065
      * Remove conflicts with old apache 2.0 modules. The conflicts are not
        necessary anymore as skipping a stable release is not supported anyway.
      * Silence the grep in preinst.
    
     -- Stefan Fritsch <email address hidden>  Sun, 25 Apr 2010 10:46:09 +0200
  • apache2 (2.2.15-3) unstable; urgency=low
    
    
      * mod_reqtimeout: backport bugfixes from upstream trunk up to r928881,
        including a fix for mod_proxy CONNECT requests.
      * mod_dav_fs: Use correct permissions when creating new files. LP: #540747
    
     -- Stefan Fritsch <email address hidden>  Mon, 29 Mar 2010 22:16:24 +0200
  • apache2 (2.2.15-2) unstable; urgency=low
    
    
      * Make the Files ~ "^\.ht" block in apache2.conf more secure by adding
        Satisfy all. Closes: #572075
      * mod_reqtimeout: Various bug fixes, including:
        - Don't mess up timeouts of mod_proxy's backend connections.
          Closes: #573163
    
     -- Stefan Fritsch <email address hidden>  Wed, 10 Mar 2010 21:06:06 +0100
  • apache2 (2.2.15-1) unstable; urgency=low
    
    
      * New upstream version:
        - CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability
        - CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol
          prefix injection attack.
        - CVE-2010-0434: mod_headers: Fix potential information leak with threaded
          MPMs.
        - mod_reqtimeout: New module limiting the time waiting for receiving
          a request from the client. This is a (partial) mitigation against
          slowloris-type resource exhaustion attacks. The module is enabled by
          default. Closes: #533661
        - mod_ssl: Add SSLInsecureRenegotiation directive to allow insecure
          renegotiation with clients which do not yet support the secure
          renegotiation protocol. As this requires openssl 0.9.8m, bump
          build dependency accordingly.
      * Fix bash completion for a2ensite if the site name contains 'conf' or
        'load'. Closes: #572232
      * Do a configcheck in the init script before doing a non-graceful restart.
        Closes: #571461
    
     -- Stefan Fritsch <email address hidden>  Sun, 07 Mar 2010 23:22:56 +0100
  • apache2 (2.2.14-7) unstable; urgency=low
    
    
      * Fix potential memory leaks related to the usage of apr_brigade_destroy().
      * Add hints about correct mod_dav_fs configuration to README.Debian.
        Closes: #257945
      * Fix error in Polish translation of 404 error page. Closes: #570228
      * Document ThreadLimit in apache2.conf's comments.
    
     -- Stefan Fritsch <email address hidden>  Sat, 20 Feb 2010 12:38:30 +0100
  • apache2 (2.2.14-6) unstable; urgency=low
    
    
      * Use environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR, and
        APACHE_LOG_DIR in the default configuration. If you have modified
        /etc/apache2/envvars, make sure that these variables are set and exported.
      * Add support for multiple apache2 instances to initscript and apache2ctl.
        See /usr/share/doc/apache2.2-common/README.multiple-instances for details.
        Closes: #353450
      * Set default compiled-in ServerRoot to /etc/apache2 and make paths in
        apache2.conf relative to ServerRoot.
      * Move ab and logresolve from /usr/sbin to /usr/bin. Closes: #351450, #564061
      * Fix symlinks in apache2-dbg package. Closes: #567076
      * Fix mod_cache CacheIgnoreURLSessionIdentifiers handling. Closes: #556383
      * Add new init script action graceful-stop (LP: #456381)
      * Add more languages to mime.conf. To limit this to useful entries, we only
        add those for which a translation of the Debian installer exists. LP: #217964
      * Unset $HOME in /etc/apache2/envvars.
      * Change default config of mod_info and mod_status to use IP addresses
        instead of hostnames. Otherwise the hostname is sometimes logged even with
        'HostnameLookup Off'. Closes: #568409
      * Add a hook to apache2.2-common's postrm script that may come in handy
        when upgrading to 2.4.
      * Make bug script also display php extensions.
      * Bump Standards-Version (no changes).
      * Remove Adam Conrad from Uploaders. Thanks for your work in the past.
    
     -- Stefan Fritsch <email address hidden>  Sun, 07 Feb 2010 17:29:45 +0100
  • apache2 (2.2.14-5) unstable; urgency=low
    
    
      * Security: Further mitigation for the TLS renegotiation attack
        (CVE-2009-3555): Disable keep-alive if parts of the next request have
        already been received when doing a renegotiation. This defends against
        some request splicing attacks.
      * Print a useful error message if 'apache2ctl status' fails. Add a comment
        to /etc/apache2/envvars on how to change the options for www-browser.
        Closes: #561496, #272069
      * Improve function to detect apache2 pid in init-script (closes: #562583).
      * Add hint README.Debian on how to pass auth info to CGI scripts.
        Closes: #483219
      * Re-introduce objcopy magic to avoid dangling symlinks to the debug info
        in the mpm packages. Closes: #563278
      * Make apxs2 use a2enmod and /etc/apache2/mods-available. Closes: #470178,
        LP: #500703
      * Point to README.backtrace in apache2-dbg's description.
      * Use more debhelper functions to simplify debian/rules.
      * Add misc-depends to various packages to make lintian happy.
      * Change build-dep from libcap2-dev to libcap-dev because of package rename.
    
     -- Stefan Fritsch <email address hidden>  Sat, 02 Jan 2010 22:44:15 +0100
  • apache2 (2.2.14-4) unstable; urgency=low
    
    
      * Disable localized error pages again by default because they break
        configurations with "<Location /> SetHandler ...". A workaround is
        described in the comments in /etc/apache2/conf.d/localized-error-pages
        (closes: #543333).
      * mod_rewrite: Fix URLs in redirects with literal IPv6 hosts
        (closes: #557015).
      * Automatically listen on port 443 if mod_gnutls is loaded (closes: #558234).
      * Add man page for split-logfile.
      * Link with -lcrypt where necessary to fix a FTBFS with binutils-gold
        (closes: #553946).
    
     -- Stefan Fritsch <email address hidden>  Sun, 13 Dec 2009 20:05:37 +0100
  • apache2 (2.2.14-3) unstable; urgency=low
    
    
      * Backport various mod_dav/mod_dav_fs fixes from upstream trunk svn. This
        includes:
        - Make PUT replace files atomically (closes: #525137).
        - Make MOVE not delete the destination if the source file disappeared in
          the meantime (closes: #273476).
        NOTE: The format of the DavLockDB has changed. The default DavLockDB will
        be deleted on upgrade. Non-default DavLockDBs should be deleted manually.
      * Fix output of "/etc/init.d/apache2 status" (closes: #555687).
      * Update the comment about SNI in ports.conf (closes: #556932).
      * Set redirect-carefully for Konqueror/4.
    
     -- Stefan Fritsch <email address hidden>  Sat, 21 Nov 2009 10:20:54 +0100
  • apache2 (2.2.14-2) unstable; urgency=medium
    
    
      * Security:
        Reject any client-initiated SSL/TLS renegotiations. This is a partial fix
        for the TLS renegotiation prefix injection attack (CVE-2009-3555).
        Any configuration which requires renegotiation for per-directory/location
        access control is still vulnerable.
      * Allow RemoveType to override the types from /etc/mime.types. This allows
        using .es and .tr for Spanish and Turkish files in mod_negotiation.
        Closes: #496080
      * Fix 'CacheEnable disk http://'. Closes: #442266
      * Fix missing dependency by changing killall to pkill in the init script.
        LP: #460692
      * Add X-Interactive header to init script as it may ask for the ssl key
        passphrase. Closes: #554824
      * Move httxt2dbm man page into apache2.2-bin, which includes httxt2dbm, too.
      * Enable keepalive for MSIE 7 and newer in default-ssl site and README.Debian
    
     -- Stefan Fritsch <email address hidden>  Sat, 07 Nov 2009 14:37:37 +0100
  • apache2 (2.2.14-1) unstable; urgency=low
    
    
      * New upstream version:
        - new module mod_proxy_scgi
      * Disable hardening option -pie again, as gdb in Debian does not support
        it properly and it is broken on mips*.
    
     -- Stefan Fritsch <email address hidden>  Tue, 29 Sep 2009 20:55:05 +0200
  • apache2 (2.2.13-2) unstable; urgency=high
    
    
      * mod_proxy_ftp security fixes (closes: #545951):
        - DoS by malicious ftp server (CVE-2009-3094) 
        - missing input sanitization: a user could execute arbitrary ftp commands
          on the backend ftp server (CVE-2009-3095)
      * Add entries to NEWS.Debian and README.Debian about Apache being stricter
        about certain misconfigurations involving name based SSL virtual hosts.
        Also make Apache print the location of the misconfigured VirtualHost when
        it complains about a missing SSLCertificateFile statement. Closes: #541607
      * Add Build-Conflicts: autoconf2.13 (closes: #541536).
      * Adjust priority of apache2-mpm-itk to extra.
      * Switch apache2.2-common and the four mpm packages from architecture all to
        any. This is stupid but makes apache2 binNMUable again (closes: #544509).
      * Bump Standards-Version (no changes).
    
     -- Stefan Fritsch <email address hidden>  Wed, 16 Sep 2009 20:55:02 +0200
  • apache2 (2.2.13-1) unstable; urgency=low
    
    
      * New upstream release:
        - Fixes segfault with mod_deflate and mod_php (closes: #542623).
    
     -- Stefan Fritsch <email address hidden>  Mon, 31 Aug 2009 20:28:56 +0200
  • apache2 (2.2.12-1) unstable; urgency=low
    
    
      * New upstream release:
        - Adds support for TLS Server Name Indication (closes: #461917 LP: #184131).
          (The Debian default configuration will be changed to use SNI in a later
          version.)
        - Fixes timefmt config in SSI (closes: #363964).
        - mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
          to enable stricter checking of remote server certificates.
      * Make mod_deflate not compress the content for HEAD requests. This is a
        similar issue as CVE-2009-1891.
      * Enable hardening compile options.
      * Switch default LogFormat from %b (size of file sent) to %O (bytes actually
        sent) (closes: #272476 LP: #255124)
      * Add the default LANG=C to /etc/apache2/envvars and document it in
        README.Debian (closes: #511878).
      * Enable localized error pages by default if the necessary modules are
        loaded. Move the config for it from apache2.conf to
        /etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the
        required order of the aliases in the comment (closes: #196795).
      * Change default for ServerTokens to 'OS', to not announce the exact module
        versions to the world (LP: #205996)
      * Make a2ensite and friends ignore the same filenames as apache does for
        included config files, even if LANG is not C.
      * Merge source packages apache2 and apache2-mpm-itk (current itk version is
        2.2.11-02). This removes the binNMU mess necessary for every apache2 upload
        (closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src
        package, which is no longer necessary.
      * Ship our own version of the magic config file (taken from file 4.17-5etch3)
        which is still compatible with mod_mime_magic (closes: #483111).
      * Add ThreadLimit to the default config and put ThreadsPerChild and
        MaxClients into the correct order so that Apache does not complain
        (closes: #495656).
        Also add a configuration block for the event MPM in apache2.conf.
      * Fix HTTP PUT with mod_dav failing to detect an aborted connection
        (closes: #451563).
      * Change references to httpd.conf in apache2-doc to apache2.conf
        (closes: #465393).
      * Clarify the recommended permissions for SSL certificates in README.Debian
        (closes: #512778).
      * Document in README.Debian how to name files in conf.d to avoid conflicts
        with packages (closes: #493252)
      * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
      * Remove other_vhosts_access.log on package purge.
    
     -- Stefan Fritsch <email address hidden>  Tue, 04 Aug 2009 11:02:34 +0200
  • apache2 (2.2.11-7) unstable; urgency=low
    
    
      * Security fixes:
        - CVE-2009-1890: denial of service in mod_proxy
        - CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
      * Add symlinks for the debug info to the mpm packages.
      * Be slightly more informative in the default index.html without pointing
        to Apache or Debian (LP: #89364)
      * Remove dependency on net-tools, which is no longer necessary 
        (closes: #535849)
      * Bump Standards-Version (no changes)
    
     -- Stefan Fritsch <email address hidden>  Fri, 10 Jul 2009 22:42:57 +0200
  • apache2 (2.2.11-4) unstable; urgency=low
    
    
      [ Stefan Fritsch ]
      * Disable TRACE method by default (closes: #492130).
      * Compress some more mime types with mod_deflate by default. This may cause
        problems with MSIE 6, but that browser should now be considered obsolete.
        Closes: #397526, #521209
      * Various backports from upstream svn branches/2.2.x:
        - CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous
          request which failed to send a request body
        - Fix FollowSymlinks / SymlinksIfOwnerMatch ignored with
          server-side-includes PR 45959 (closes: #524474)
        - Fix mod_rewrite "B" flag breakage PR 45529 (closes: #524268)
        - Fix mod_deflate etag handling PR 45023 (LP: #358314)
        - Fix mod_ldap segfault if LDAP initialization failed PR 45994
      * Allow apache2-mpm-itk as alternate dependency in apache2 meta package
        (closes: #527225).
      * Fix some misuse of command substitution in the init script. Thanks to
        Jari Aalto for the patch. (Closes: #523398)
      * Extend the gnome-vfs DAV workaround to gvfs (closes: #522845).
      * Add more info to check_forensic man page (closes: #528424).
      * Make "apache2ctl help" point to help on apache2 args (closes: #528425).
      * Lintian warnings:
        - fix spelling error in apache2-utils description
        - tweak debian/copyright to make lintian not complain about pointers to GPL
        - bump standards-version (no changes)
    
      [ Peter Samuelson ]
      * Adjust sections to match recent ftpmaster overrides.
    
     -- Stefan Fritsch <email address hidden>  Tue, 19 May 2009 22:55:27 +0200
  • apache2 (2.2.11-3) unstable; urgency=low
    
    
      * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
        (see #521899). This also creates the dependencies on the new external
        libaprutil1-dbd-* and libaprutil1-ldap packages.
    
     -- Stefan Fritsch <email address hidden>  Tue, 31 Mar 2009 21:07:26 +0200
  • apache2 (2.2.11-2) unstable; urgency=low
    
    
      * Report an error instead of segfaulting when apr_pollset_create
        fails (PR 46467). On Linux kernels since 2.6.27.8, the value in
        /proc/sys/fs/epoll/max_user_instances needs to be larger than twice the
        value of MaxClients in the Apache configuration. Closes: #511103
    
     -- Stefan Fritsch <email address hidden>  Fri, 16 Jan 2009 19:01:59 +0100
  • apache2 (2.2.11-1) unstable; urgency=low
    
    
      [Thom May]
      * New Upstream Version (Closes: #508186, LP: #307397)
        - Contains rewritten shmcb code which should fix alignment problems on
          alpha (Closes: #419720).
        - Notable new features: chroot support, mod_proxy improvements.
    
      [Ryan Niebur]
      * fix segfault in ab when being verbose on ssl sites (Closes: #495982)
      * remove trailing slash for DocumentRoot (Closes: #495110)
    
     -- Stefan Fritsch <email address hidden>  Sun, 14 Dec 2008 09:34:24 +0100
  • apache2 (2.2.9-11) unstable; urgency=low
    
    
      * Regression fix from upstream svn for mod_proxy:
        Prevent segmentation faults by correctly adjusting the lifetime of the
        buckets read from the proxy backend. PR 45792
      * Fix from upstream svn for mpm_worker:
        Crosscheck that idle workers are still available before using them and
        thus preventing an overflow of the worker queue which causes a SegFault.
        PR 45605
      * Add a comment to ports.conf to point to NEWS.Debian.gz in case of
        upgrading problems.
    
     -- Stefan Fritsch <email address hidden>  Wed, 26 Nov 2008 23:10:22 +0100
  • apache2 (2.2.9-10) unstable; urgency=low
    
    
      * Regression fix from upstream svn for mod_proxy_http:
        Don't trigger a retry by the client if a failure to read the response line
        was the result of a timeout.
    
     -- Stefan Fritsch <email address hidden>  Wed, 01 Oct 2008 11:50:18 +0200