-
apache2 (2.4.25-3+deb9u9) stretch-security; urgency=medium
[ Xavier Guimard ]
* Use correct patch for CVE-2019-10092. This fixes a regression in
mod_proxy_balancer (Closes: #941202)
-- Stefan Fritsch <email address hidden> Sun, 13 Oct 2019 17:43:54 +0200
-
apache2 (2.4.25-3+deb9u8) stretch-security; urgency=high
[ Xavier Guimard ]
* Add patch to limit cross-site scripting in mod_proxy (Closes: CVE-2019-10092)
* Import http2 modules from 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10082, CVE-2019-10081)
* Add patch to set PCRE_DOTALL by default (Closes: CVE-2019-10098)
[ Stefan Fritsch ]
* Add -Werror=implicit-function-declaration to compile options to catch
problems with backports.
-- Stefan Fritsch <email address hidden> Mon, 19 Aug 2019 21:25:31 +0200
-
apache2 (2.4.25-3+deb9u7) stretch-security; urgency=medium
[ Xavier Guimard ]
* CVE-2018-17199: mod_session: Fix missing check for session expiry time.
Closes: #920303
[ Stefan Fritsch ]
* mod_http2: Fix keepalive timeout behavior. This fixes a regression with
Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103
* Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
Closes: #904150
* CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies.
Closes: #920302
* CVE-2019-0196: mod_http2: Fix read after free
* CVE-2019-0211: All MPMs: privilege escalation from www-data user to root.
* CVE-2019-0217: mod_auth_digest: Access control bypass
* CVE-2019-0220: URL normalization inconsistency.
Consecutive slashes in URLs are now merged before use in LocationMatch
and RewriteRule. The old behavior can be restored with the new directive
"MergeSlashes off".
-- Stefan Fritsch <email address hidden> Tue, 02 Apr 2019 21:05:13 +0200
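To make the CVE-2019-0220 item concrete, here is an added configuration example showing what changes for a LocationMatch restriction; it is not part of the Debian changelog or of the Apache project's documentation, and the /admin/secret path and the 10.0.0.0/8 network are hypothetical.

```apache
# Added example, not from the changelog. Path and network are hypothetical.
<LocationMatch "^/admin/secret">
    Require ip 10.0.0.0/8
</LocationMatch>

# Before 2.4.25-3+deb9u7 the regex saw the raw request path, so a request
# for /admin//secret did not match "^/admin/secret" while other parts of
# request processing implicitly collapsed the doubled slash and served the
# same resource, bypassing the Require. The update collapses runs of
# slashes before LocationMatch and RewriteRule are evaluated; that is the
# new default and equivalent to:
MergeSlashes on

# Only restore the old behaviour if an application really distinguishes
# /a//b from /a/b, and then write every regex to tolerate repeated slashes:
#   MergeSlashes off
#   <LocationMatch "^/+admin/+secret">
```

After changing the setting, run `apache2ctl configtest` (MergeSlashes is only recognised from this package version on) and re-request both `/admin/secret` and `/admin//secret` from a host outside the allowed network; both should now be refused.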
-
apache2 (2.4.25-3+deb9u6) stretch; urgency=medium
* CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106
* CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS.
Closes: #909591
* mod_proxy_fcgi: Fix segfault. Closes: #902906
-- Stefan Fritsch <email address hidden> Sat, 03 Nov 2018 19:46:19 +0100
-
apache2 (2.4.25-3+deb9u5) stretch; urgency=medium
* Upgrade mod_http2 and mod_proxy_http2 to the versions from 2.4.33. This
fixes
- CVE-2018-1302: mod_http2: Potential crash w/ mod_http2
- Segfaults in mod_http2 (Closes: #873945)
- mod_http2 issue with option "Indexes" and directive "HeaderName"
(Closes: #850947)
Unfortunately, this also removes support for http2 when running on
mpm_prefork.
* mod_http2: Avoid high memory usage with large files, causing crashes on
32bit archs. Closes: #897218
* Make the apache-htcacheclean init script actually look into
/etc/default/apache-htcacheclean for its config. Closes: #898563
-- Stefan Fritsch <email address hidden> Sat, 02 Jun 2018 10:01:13 +0200
-
apache2 (2.4.25-3+deb9u3) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
(Closes: #876109)
-- Salvatore Bonaccorso <email address hidden> Tue, 19 Sep 2017 20:58:57 +0200
-
apache2 (2.4.25-3+deb9u1) stretch-security; urgency=high
* Backport security fixes from 2.4.26:
* CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
* CVE-2017-3169: mod_ssl NULL pointer dereference
* CVE-2017-7668: Buffer overrun in ap_find_token()
* CVE-2017-7679: mod_mime buffer overread
* CVE-2017-7659: mod_http2 NULL pointer dereference
-- Stefan Fritsch <email address hidden> Tue, 20 Jun 2017 21:29:11 +0200
-
apache2 (2.4.25-3) unstable; urgency=medium
* Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
Closes: #852543
* Compile mod_bucketeer mod_case_filter mod_case_filter_in for benefit of
the test suite, but don't add *.load files because they don't have any
real-world use.
* Include the upstream test suite and a corresponding autopkgtest. This
is quite a hack but it may help quite a bit with security updates,
especially if stretch gets LTS support, too.
-- Stefan Fritsch <email address hidden> Wed, 25 Jan 2017 23:59:26 +0100
-
apache2 (2.4.25-2) unstable; urgency=medium
* Activate mod_reqtimeout in new installs and during updates from
before 2.4.25-2. It was wrongly not activated in new installs since
jessie. This made the default installation vulnerable to some DoS
attacks.
* Restart htcacheclean on updates and tighten dependency on apache2-utils
to ensure that apache2-utils cannot be upgraded without apache2.
Closes: #851122
* When running on systems with systemd, make 'apache2ctl start' invoke
systemctl instead. Otherwise systemd will think apache2 is not running
and ignore further commands like reload. Closes: #839227
* Avoid segfault in mpm_event if a signal is received too soon after start.
PR 60487
* Add test for some modules to be enabled.
* Remove mention of CVE-2016-5387 in 2.4.25-1 changelog. It was already
fixed in 2.4.23-2.
-- Stefan Fritsch <email address hidden> Sat, 14 Jan 2017 19:27:34 +0100
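The mod_reqtimeout item above is easier to act on with the directive spelled out. The following is an added example, not text from the changelog; the timeout values are assumed to match what Debian ships in /etc/apache2/mods-available/reqtimeout.conf, so compare them against the file on your host.

```apache
# Added example, not from the changelog. Values are assumed; compare with
# /etc/apache2/mods-available/reqtimeout.conf on the host.
<IfModule reqtimeout_module>
    # header=20-40,MinRate=500: a client gets 20 s to finish sending the
    # request header, extended up to 40 s in total as long as it keeps
    # sending at least 500 bytes/s.
    # body=20,MinRate=500: 20 s for the request body, likewise extended
    # while data keeps arriving at 500 bytes/s.
    # Clients that trickle headers or bodies (slowloris-style) are dropped
    # instead of holding a worker indefinitely.
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

The fix in this package only turns the module on; the directive itself does nothing unless the module is loaded, so check with `a2query -m reqtimeout` and, if it reports the module disabled, enable it with `a2enmod reqtimeout` followed by a reload.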
-
apache2 (2.4.25-1) unstable; urgency=medium
[ New upstream release ]
* Security: CVE-2016-0736:
mod_session_crypto: Authenticate the session data/cookie with a MAC to
prevent deciphering or tampering with a padding oracle attack.
* Security: CVE-2016-2161:
mod_auth_digest: Prevent segfaults during client entry allocation when the
shared memory space is exhausted.
* Security: CVE-2016-5387:
Mitigate [f]cgi "httpoxy" issues.
* Security: CVE-2016-8740:
mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
Closes: #847124
* Security: CVE-2016-8743:
Enforce HTTP request grammar corresponding to RFC7230 for request lines
and request headers, to prevent response splitting and cache pollution by
malicious clients or downstream proxies.
* The stricter HTTP enforcement may cause compatibility problems with
non-conforming clients. Fine-tuning is possible with the new
HttpProtocolOptions directive.
* mpm_event: Fix "scoreboard full" errors. Closes: #834708 LP: #1466926
* mod_http2: Many fixes and support for early pushes using the new
H2PushResource directive.
[ Stefan Fritsch ]
* Switch to debhelper compatibility level 9.
-- Stefan Fritsch <email address hidden> Wed, 21 Dec 2016 23:46:06 +0100
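The HttpProtocolOptions directive mentioned above for CVE-2016-8743 has three independent switches, and the usual mistake is to relax all of them server-wide for one misbehaving client. The following is an added example, not text from the changelog or the Apache documentation; the *:8080 virtual host is hypothetical.

```apache
# Added example, not from the changelog. The *:8080 vhost is hypothetical.
# Default since 2.4.25: request lines and header fields must follow the
# RFC 7230 grammar. A request that violates it is answered with 400 instead
# of being forwarded to a backend or stored by a cache under a differently
# parsed meaning (the response-splitting / cache-pollution case).
HttpProtocolOptions Strict LenientMethods Allow0.9

# Tighten further where nothing needs HTTP/0.9 or unregistered methods:
#   HttpProtocolOptions Strict RegisteredMethods Require1.0

# If one legacy client cannot be fixed, relax only the vhost that serves
# it rather than the whole server. "Unsafe" restores the pre-2.4.25 parser.
<VirtualHost *:8080>
    HttpProtocolOptions Unsafe LenientMethods Allow0.9
</VirtualHost>
```

A quick check that the strict parser is active on the default vhost: send a header line with a space before the colon, e.g. `printf 'GET / HTTP/1.1\r\nHost: localhost\r\nX-Bad : 1\r\n\r\n' | nc localhost 80`, and expect a 400 response.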
-
apache2 (2.4.23-8) unstable; urgency=medium
* Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
new package apache2-ssl-dev. Packages that interface with openssl
state from mod_ssl must build-depend on this new package.
This will help to disentangle the build-deps in the openssl transition.
Closes: #845033
-- Stefan Fritsch <email address hidden> Sun, 20 Nov 2016 00:33:13 +0100
-
apache2 (2.4.23-7) unstable; urgency=medium
* Make apache2-dev depend on openssl 1.0, too. Closes: #844160
* Move DefaultRuntimeDir and pid file for multi-instances to
/var/run/apache2-xxx. Thanks to Horst Platz for the debugging.
Closes: #838932 LP: #1627339
* Fix systemd unit naming for multi-instances.
* Tweak embedded .tar.gz some more to build reproducibly.
-- Stefan Fritsch <email address hidden> Sun, 13 Nov 2016 13:08:28 +0100
-
apache2 (2.4.23-5) unstable; urgency=low
* Team upload.
[ Stefan Fritsch ]
* Tweak creation of .tar.gz embedded in preinst to get reproducible
build.
[ Raphaël Hertzog ]
* Add systemd unit files. Closes: #798430
* Improve a2enmod to enable apache-htcacheclean with systemctl and let
it enable '<email address hidden>' for multi-instance
support.
* Improve setup-instance to rely on the systemd <email address hidden> for
multi-instance support.
* Drop /lib/systemd/system/apache2.service.d/forking.conf now that we have
proper native systemd support.
* Modify handling of /etc/init.d/apache-htcacheclean to have a usual
Default-Start value but instead we disable it manually in the postinst.
That way "systemctl enable apache-htcacheclean" works.
* Add some lintian overrides for non-problems (two update-rc.d calls in
postinst, and a .js file with a very long line).
-- Raphaël Hertzog <email address hidden> Thu, 29 Sep 2016 12:03:31 +0200
-
apache2 (2.4.23-4) unstable; urgency=medium
* Fix pre-inst script for new installations. Closes: #834169
-- Stefan Fritsch <email address hidden> Fri, 12 Aug 2016 21:44:31 +0200
-
apache2 (2.4.23-2) unstable; urgency=high
* CVE-2016-5387: Sets environmental variable based on user supplied Proxy
request header.
Don't pass through HTTP_PROXY in server/util_script.c
-- Stefan Fritsch <email address hidden> Thu, 21 Jul 2016 23:21:37 +0200
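The httpoxy item above concerns the CGI convention that turns any `Proxy:` request header into the `HTTP_PROXY` environment variable, which many HTTP client libraries then honour as their outbound proxy. The upstream fix stops util_script.c from exporting that variable; the snippet below is an added defence-in-depth measure, not text from the changelog, for hosts that run CGI or FastCGI backends and cannot take the fixed build immediately. It assumes mod_headers is enabled.

```apache
# Added example, not from the changelog. Assumes mod_headers is enabled
# (a2enmod headers).
<IfModule mod_headers.c>
    # "early" applies the unset before the request reaches the CGI handler,
    # so a client-supplied "Proxy: attacker.example:8080" is discarded and
    # never becomes HTTP_PROXY in the script's environment, even on a build
    # that still passes the header through.
    RequestHeader unset Proxy early
</IfModule>
```

To verify, point a request with a `Proxy:` header at any CGI script that prints its environment and confirm that `HTTP_PROXY` is absent from the output; after upgrading to this package version the variable should be absent even without the header rule.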
-
apache2 (2.4.23-1) unstable; urgency=high
* New upstream release
- Security: CVE-2016-4979: Fix bypass of TLS client certificate
verification in mod_http2.
- new modules mod_proxy_http2 (experimental) and mod_proxy_hcheck
* Re-introduce mod_imagemap and mod_cern_meta. Closes: #786657
* Set SHELL=/bin/bash during configure to get reproducible builds regardless
of where /bin/sh points to.
* Use 'Require method' instead of Limit/LimitExcept in userdir.conf.
-- Stefan Fritsch <email address hidden> Tue, 05 Jul 2016 23:57:25 +0200
-
apache2 (2.4.20-2) unstable; urgency=medium
* Fix crash in ap_get_useragent_host() triggered by mod_perl test.
Closes: #820824
* Fix race condition and logical error in init script. Thanks to Thomas
Stangner for the patch. Closes: #822144
* Remove links to manpages.debian.org in default index.html to avoid
broken robots doing a DoS on the site. Closes: #821313
* Fix a2enmod to run on perl 5.14 to simplify backports. Closes: #821956
* Bump Standards-Version (no changes necessary).
* Fix segfault with logresolve -c. Closes: #823259
-- Stefan Fritsch <email address hidden> Sat, 28 May 2016 16:14:09 +0200
-
apache2 (2.4.18-2) unstable; urgency=low
* htcacheclean:
- split starting/stopping into separate init script 'apache-htcacheclean'
- move config from /etc/default/apache2 to /etc/default/apache-htcacheclean
- make a2enmod/a2dismod enable/disable htcacheclean with mod_cache_disk
- start htcacheclean as the apache2 run user/group
* Fix a2query -M not returning output if apache2 config is broken.
Fix missing quotes in apache2-maintscript-helper. Closes: #810500
* README.backtrace: Note that coredump directory needs to be owned by
www-data. Closes: #806697
* Remove ssl work-arounds for MSIE. Newer versions of IE work without them
and older versions are no longer supported by MS. Closes: #815852
* Give a hint about systemd in README.multiple-instances. Closes: #818904
* Don't treat mod_access_compat as essential. It's essentially broken,
anyway.
* Merge cross-compile tweaks for debian/rules from ubuntu.
* Merge autopkgtests from Ubuntu. Many thanks to Robie Basak.
Closes: #719245
* Fix duplicate-module-load test and make sure it fails if it cannot execute
apache2ctl.
* Bump Standards-Version (no changes necessary).
-- Stefan Fritsch <email address hidden> Mon, 28 Mar 2016 21:58:54 +0200
-
apache2 (2.4.18-1) unstable; urgency=medium
* New upstream release:
- mostly HTTP/2 improvements
-- Stefan Fritsch <email address hidden> Sat, 19 Dec 2015 09:26:14 +0100
-
apache2 (2.4.17-3) unstable; urgency=medium
* mpm_prefork: Fix segfault if started with -X. Closes: #805737
-- Stefan Fritsch <email address hidden> Mon, 23 Nov 2015 19:52:09 +0100
-
apache2 (2.4.17-2) unstable; urgency=medium
* Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
lots of web-apps. Closes: #803353
* Fix secondary-init-script to not source the main init script with 'set -e'.
Closes: #803177
* mod_http2: Write HTTP/2 into THE_REQUEST and the access log.
-- Stefan Fritsch <email address hidden> Sat, 31 Oct 2015 23:17:11 +0100
-
apache2 (2.4.17-1) unstable; urgency=medium
[ Stefan Fritsch ]
* New upstream release:
- New experimental http2 module
* reproducible build: Make symbol sorting consistent over different locales
* Conflict with apache2.2-common and apache2.2-bin to get the transitional
packages removed. Closes: #768815
* Don't treat mpm_itk as MPM module in a2query. Closes: #791902
* Don't treat mpm_itk as MPM module in deferred actions in postinst.
Hopefully really closes: #789914
* Don't treat mpm_itk as MPM module in a2enmod.
[ Jean-Michel Vourgère ]
* Updated upstream keyring used to check source authenticity.
-- Stefan Fritsch <email address hidden> Sat, 24 Oct 2015 22:14:32 +0200
-
apache2 (2.4.16-3) unstable; urgency=medium
[ Jean-Michel Vourgère ]
* Have apache2.postrm remove the content of /var/lib/apache2, not the
directory itself. Closes: #793862
* d/p/reproducible_builds.diff: Sort exported symbols list.
[ Stefan Fritsch ]
* apxs: Don't pass --silent to libtool. Closes: #795820
* Remove default /var/www/html/index.html on package purge.
-- Stefan Fritsch <email address hidden> Tue, 18 Aug 2015 13:49:09 +0200
-
apache2 (2.4.16-2) unstable; urgency=medium
* Make dh_apache2 add a versioned dependency on apache2-bin, for the
new symbols required for the CVE-2015-3185 fix.
-- Stefan Fritsch <email address hidden> Fri, 07 Aug 2015 23:43:16 +0200
-
apache2 (2.4.16-1) unstable; urgency=medium
[ Stefan Fritsch ]
* New upstream version, fixing the following security issues:
+ CVE-2015-3183: Fix chunk header parsing defect.
+ CVE-2015-3185: ap_some_auth_required() broken in apache 2.4 in an
unfixable way. Add a new replacement API ap_some_authn_required()
and ap_force_authn hook.
[ Jean-Michel Vourgère ]
* Allow "triggers-awaited" and "triggers-pending" states in addition to
"installed" when determining whether to defer actions or process
deferred actions. Thanks Colin Watson. Closes: #787103
* Allow a2dismod cgi on threaded mpms. Thanks Raul Dias. Closes:
#733979
* Remove pre-Jessie transition scripts, and remaining breaks.
* Made builds reproducible: d/rules set the date from the changelog in
CPPFLAGS, new reproducible_builds.diff patch to use it.
* Moved bash_completion from /etc to /usr/share/bash_completion. Added
links there for dynamic loading.
* Upgrade security.conf comments to 2.4 auth format. Thanks Werner
Detter. Closes: #789788
* apache2.postinst: Fixed tests on deferred mpm switch. Closes:
#789914
-- Stefan Fritsch <email address hidden> Sun, 02 Aug 2015 00:44:07 +0200
-
apache2 (2.4.12-2) unstable; urgency=medium
[ Jean-Michel Nirgal Vourgère ]
* d/control:
+ Update Vcs-Browser.
* d/copyright:
+ Change d/debhelper/dh_apache2 to dh_apache2.in.
+ Drop paragraph about nonexistent itk patches.
[ Stefan Fritsch ]
* Remove all the transitional packages:
apache2-mpm-worker, apache2-mpm-prefork, apache2-mpm-event,
apache2-mpm-itk, apache2.2-bin, apache2.2-common,
libapache2-mod-proxy-html, libapache2-mod-macro, apache2-suexec
This also fixes the dependency problems caused by a recent version
of debhelper (see #784803).
-- Stefan Fritsch <email address hidden> Mon, 11 May 2015 22:07:26 +0200
-
apache2 (2.4.10-11) unstable; urgency=medium
* core: Fix -D[efined] or <Define>[d] variables lifetime across restarts.
This could cause all kinds of strange behavior. PR 56008. PR 57328
* mpm_event: Fix process deadlock when shutting down a worker. PR 56960
* mpm_event: Fix crashes due to various race conditions. Closes: #779078
-- Stefan Fritsch <email address hidden> Tue, 31 Mar 2015 22:27:16 +0200