Change log for apache2 package in Ubuntu

175 of 432 results
Published in oracular-release
Deleted in oracular-proposed (Reason: Moved to oracular)
apache2 (2.4.62-1ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2077060). Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/source/include-binaries, d/t/check-ubuntu-branding: Replace
      Debian with Ubuntu on default homepage.
      (LP #1966004, LP #1947459)
    - d/apache2.py, d/apache2-bin.install: Add apport hook
      (LP #609177)
    - d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
      dolphin and Konqueror/5 careful redirection so that directories can be
      deleted via webdav.
      (LP #1927742)
    - d/debhelper/apache2-maintscript-helper: Allow execution when called from a
      postinst script through a trigger (i.e., postinst triggered).
      Thanks to Roel van Meer. (Closes: #1060450)
      (LP #2038912)
    - d/index.html, d/apache2.postrm: Fix https link to apache
      documentation.
      (LP #2045055)
  * Dropped:
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
      d/apache2.dirs: Add ufw profiles
      (LP #261198)
      [Included in Debian 2.4.60-1]
    - d/control: Upgrade lua build dependency to 5.4
      (LP #1910372)
      [Included in Debian 2.4.60-1]

Available diffs

Published in noble-updates
Published in noble-security
apache2 (2.4.58-1ubuntu8.4) noble-security; urgency=medium

  * SECURITY UPDATE: source code disclosure with handlers configured via
    AddType
    - debian/patches/CVE-2024-40725.patch: copy the trusted flag from the
      subrequest in modules/http/http_request.c.
    - CVE-2024-40725

 -- Marc Deslauriers <email address hidden>  Wed, 17 Jul 2024 14:55:23 -0400
Published in jammy-updates
Published in jammy-security
apache2 (2.4.52-1ubuntu4.12) jammy-security; urgency=medium

  * SECURITY UPDATE: source code disclosure with handlers configured via
    AddType
    - debian/patches/CVE-2024-40725.patch: copy the trusted flag from the
      subrequest in modules/http/http_request.c.
    - CVE-2024-40725

 -- Marc Deslauriers <email address hidden>  Wed, 17 Jul 2024 14:57:26 -0400
Published in focal-updates
Published in focal-security
apache2 (2.4.41-4ubuntu3.21) focal-security; urgency=medium

  * SECURITY UPDATE: source code disclosure with handlers configured via
    AddType
    - debian/patches/CVE-2024-40725.patch: copy the trusted flag from the
      subrequest in modules/http/http_request.c.
    - CVE-2024-40725

 -- Marc Deslauriers <email address hidden>  Wed, 17 Jul 2024 14:58:09 -0400
Superseded in noble-updates
Superseded in noble-security
apache2 (2.4.58-1ubuntu8.3) noble-security; urgency=medium

  * SECURITY REGRESSION: regression when proxying http2 (LP: #2072648)
    - debian/patches/CVE-2024-38477-2.patch: restart from the original URL
      on reconnect in modules/http2/mod_proxy_http2.c.

 -- Marc Deslauriers <email address hidden>  Thu, 11 Jul 2024 10:41:54 -0400
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.20) focal-security; urgency=medium

  * SECURITY REGRESSION: regression when proxying http2 (LP: #2072648)
    - debian/patches/CVE-2024-38477-2.patch: restart from the original URL
      on reconnect in modules/http2/mod_proxy_http2.c.

 -- Marc Deslauriers <email address hidden>  Thu, 11 Jul 2024 10:39:23 -0400
Superseded in jammy-updates
Superseded in jammy-security
apache2 (2.4.52-1ubuntu4.11) jammy-security; urgency=medium

  * SECURITY REGRESSION: regression when proxying http2 (LP: #2072648)
    - debian/patches/CVE-2024-38477-2.patch: restart from the original URL
      on reconnect in modules/http2/mod_proxy_http2.c.

 -- Marc Deslauriers <email address hidden>  Thu, 11 Jul 2024 08:20:46 -0400
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.19) focal-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference when serving WebSocket
    protocol upgrades over a HTTP/2
    - debian/patches/CVE-2024-36387.patch: early exit if bb is null in
      modules/http2/h2_c2.c.
    - CVE-2024-36387
  * SECURITY UPDATE: encoding problem in mod_proxy
    - debian/patches/CVE-2024-38473-1.patch: escape for non-proxypass
      configuration in modules/proxy/mod_proxy.c.
    - debian/patches/CVE-2024-38473-2.patch: fixup UDS filename for
      mod_proxy called through r->handler in modules/proxy/mod_proxy.c,
      modules/proxy/mod_proxy.h, modules/proxy/proxy_util.c.
    - debian/patches/CVE-2024-38473-3.patch: block inadvertent subst of
      special filenames in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2024-38473-4.patch: fix comparison of local path
      on Windows in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2024-38473-5.patch: factor out IS_SLASH, perdir
      fix in include/httpd.h, modules/mappers/mod_rewrite.c, server/util.c.
    - CVE-2024-38473
  * SECURITY UPDATE: Substitution encoding issue in mod_rewrite
    - debian/patches/CVE-2024-38474_5.patch: tighten up prefix_stat and %3f
      handling in modules/mappers/mod_rewrite.c.
    - CVE-2024-38474
  * SECURITY UPDATE: Improper escaping of output in mod_rewrite
    - Included in CVE-2024-38474_5.patch.
    - CVE-2024-38475
  * SECURITY UPDATE: information disclosure, SSRF or local script execution
    - debian/patches/CVE-2024-38476-pre1.patch: add concept of binary notes
      to request_rec in include/httpd.h.
    - debian/patches/CVE-2024-38476.patch: add ap_set_content_type_ex to
      differentiate trusted sources in include/http_protocol.h,
      include/httpd.h, modules/http/http_protocol.c,
      modules/http/mod_mime.c, modules/mappers/mod_actions.c,
      modules/mappers/mod_negotiation.c, modules/mappers/mod_rewrite.c,
      modules/metadata/mod_headers.c, modules/metadata/mod_mime_magic.c,
      server/config.c, server/core.c.
    - CVE-2024-38476
  * SECURITY UPDATE: null pointer dereference in mod_proxy
    - debian/patches/CVE-2024-38477.patch: validate hostname in
      modules/proxy/proxy_util.c.
    - CVE-2024-38477
  * SECURITY UPDATE: Potential SSRF in mod_rewrite
    - Fixed by patches in previous CVEs.
    - CVE-2024-39573
  * SECURITY UPDATE: source code disclosure with handlers configured via
    AddType
    - debian/patches/CVE-2024-39884.patch: maintain trusted flag in
      modules/cluster/mod_heartmonitor.c, modules/dav/main/mod_dav.c,
      modules/examples/mod_example_hooks.c, modules/filters/mod_data.c,
      modules/filters/mod_include.c, modules/filters/mod_proxy_html.c,
      modules/generators/mod_cgi.c, modules/generators/mod_cgid.c,
      modules/generators/mod_info.c, modules/generators/mod_status.c,
      modules/http/http_filters.c, modules/http/http_protocol.c,
      modules/http/http_request.c, modules/ldap/util_ldap.c,
      modules/mappers/mod_imagemap.c, modules/proxy/mod_proxy_balancer.c.
    - CVE-2024-39884

 -- Marc Deslauriers <email address hidden>  Thu, 04 Jul 2024 08:31:12 -0400
Published in mantic-updates
Published in mantic-security
apache2 (2.4.57-2ubuntu2.5) mantic-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference when serving WebSocket
    protocol upgrades over a HTTP/2
    - debian/patches/CVE-2024-36387.patch: early exit if bb is null in
      modules/http2/h2_c2.c.
    - CVE-2024-36387
  * SECURITY UPDATE: encoding problem in mod_proxy
    - debian/patches/CVE-2024-38473-1.patch: escape for non-proxypass
      configuration in modules/proxy/mod_proxy.c.
    - debian/patches/CVE-2024-38473-2.patch: fixup UDS filename for
      mod_proxy called through r->handler in modules/proxy/mod_proxy.c,
      modules/proxy/mod_proxy.h, modules/proxy/proxy_util.c.
    - debian/patches/CVE-2024-38473-3.patch: block inadvertent subst of
      special filenames in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2024-38473-4.patch: fix comparison of local path
      on Windows in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2024-38473-5.patch: factor out IS_SLASH, perdir
      fix in include/httpd.h, modules/mappers/mod_rewrite.c, server/util.c.
    - CVE-2024-38473
  * SECURITY UPDATE: Substitution encoding issue in mod_rewrite
    - debian/patches/CVE-2024-38474_5.patch: tighten up prefix_stat and %3f
      handling in modules/mappers/mod_rewrite.c.
    - CVE-2024-38474
  * SECURITY UPDATE: Improper escaping of output in mod_rewrite
    - Included in CVE-2024-38474_5.patch.
    - CVE-2024-38475
  * SECURITY UPDATE: information disclosure, SSRF or local script execution
    - debian/patches/CVE-2024-38476.patch: add ap_set_content_type_ex to
      differentiate trusted sources in include/http_protocol.h,
      include/httpd.h, modules/http/http_protocol.c,
      modules/http/mod_mime.c, modules/mappers/mod_actions.c,
      modules/mappers/mod_negotiation.c, modules/mappers/mod_rewrite.c,
      modules/metadata/mod_headers.c, modules/metadata/mod_mime_magic.c,
      server/config.c, server/core.c.
    - CVE-2024-38476
  * SECURITY UPDATE: null pointer dereference in mod_proxy
    - debian/patches/CVE-2024-38477.patch: validate hostname in
      modules/proxy/proxy_util.c.
    - CVE-2024-38477
  * SECURITY UPDATE: Potential SSRF in mod_rewrite
    - Fixed by patches in previous CVEs.
    - CVE-2024-39573
  * SECURITY UPDATE: source code disclosure with handlers configured via
    AddType
    - debian/patches/CVE-2024-39884.patch: maintain trusted flag in
      modules/cluster/mod_heartmonitor.c, modules/dav/main/mod_dav.c,
      modules/examples/mod_example_hooks.c, modules/filters/mod_data.c,
      modules/filters/mod_include.c, modules/filters/mod_proxy_html.c,
      modules/generators/mod_cgi.c, modules/generators/mod_cgid.c,
      modules/generators/mod_info.c, modules/generators/mod_status.c,
      modules/http/http_filters.c, modules/http/http_protocol.c,
      modules/http/http_request.c, modules/ldap/util_ldap.c,
      modules/mappers/mod_imagemap.c, modules/proxy/mod_proxy_balancer.c.
    - CVE-2024-39884

 -- Marc Deslauriers <email address hidden>  Thu, 04 Jul 2024 07:51:13 -0400
Superseded in jammy-updates
Superseded in jammy-security
apache2 (2.4.52-1ubuntu4.10) jammy-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference when serving WebSocket
    protocol upgrades over a HTTP/2
    - debian/patches/CVE-2024-36387.patch: early exit if bb is null in
      modules/http2/h2_c2.c.
    - CVE-2024-36387
  * SECURITY UPDATE: encoding problem in mod_proxy
    - debian/patches/CVE-2024-38473-1.patch: escape for non-proxypass
      configuration in modules/proxy/mod_proxy.c.
    - debian/patches/CVE-2024-38473-2.patch: fixup UDS filename for
      mod_proxy called through r->handler in modules/proxy/mod_proxy.c,
      modules/proxy/mod_proxy.h, modules/proxy/proxy_util.c.
    - debian/patches/CVE-2024-38473-3.patch: block inadvertent subst of
      special filenames in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2024-38473-4.patch: fix comparison of local path
      on Windows in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2024-38473-5.patch: factor out IS_SLASH, perdir
      fix in include/httpd.h, modules/mappers/mod_rewrite.c, server/util.c.
    - CVE-2024-38473
  * SECURITY UPDATE: Substitution encoding issue in mod_rewrite
    - debian/patches/CVE-2024-38474_5.patch: tighten up prefix_stat and %3f
      handling in modules/mappers/mod_rewrite.c.
    - CVE-2024-38474
  * SECURITY UPDATE: Improper escaping of output in mod_rewrite
    - Included in CVE-2024-38474_5.patch.
    - CVE-2024-38475
  * SECURITY UPDATE: information disclosure, SSRF or local script execution
    - debian/patches/CVE-2024-38476.patch: add ap_set_content_type_ex to
      differentiate trusted sources in include/http_protocol.h,
      include/httpd.h, modules/http/http_protocol.c,
      modules/http/mod_mime.c, modules/mappers/mod_actions.c,
      modules/mappers/mod_negotiation.c, modules/mappers/mod_rewrite.c,
      modules/metadata/mod_headers.c, modules/metadata/mod_mime_magic.c,
      server/config.c, server/core.c.
    - CVE-2024-38476
  * SECURITY UPDATE: null pointer dereference in mod_proxy
    - debian/patches/CVE-2024-38477.patch: validate hostname in
      modules/proxy/proxy_util.c.
    - CVE-2024-38477
  * SECURITY UPDATE: Potential SSRF in mod_rewrite
    - Fixed by patches in previous CVEs.
    - CVE-2024-39573
  * SECURITY UPDATE: source code disclosure with handlers configured via
    AddType
    - debian/patches/CVE-2024-39884.patch: maintain trusted flag in
      modules/cluster/mod_heartmonitor.c, modules/dav/main/mod_dav.c,
      modules/examples/mod_example_hooks.c, modules/filters/mod_data.c,
      modules/filters/mod_include.c, modules/filters/mod_proxy_html.c,
      modules/generators/mod_cgi.c, modules/generators/mod_cgid.c,
      modules/generators/mod_info.c, modules/generators/mod_status.c,
      modules/http/http_filters.c, modules/http/http_protocol.c,
      modules/http/http_request.c, modules/ldap/util_ldap.c,
      modules/mappers/mod_imagemap.c, modules/proxy/mod_proxy_balancer.c.
    - CVE-2024-39884

 -- Marc Deslauriers <email address hidden>  Thu, 04 Jul 2024 07:56:21 -0400
Superseded in noble-updates
Superseded in noble-security
apache2 (2.4.58-1ubuntu8.2) noble-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference when serving WebSocket
    protocol upgrades over a HTTP/2
    - debian/patches/CVE-2024-36387.patch: early exit if bb is null in
      modules/http2/h2_c2.c.
    - CVE-2024-36387
  * SECURITY UPDATE: encoding problem in mod_proxy
    - debian/patches/CVE-2024-38473-1.patch: escape for non-proxypass
      configuration in modules/proxy/mod_proxy.c.
    - debian/patches/CVE-2024-38473-2.patch: fixup UDS filename for
      mod_proxy called through r->handler in modules/proxy/mod_proxy.c,
      modules/proxy/mod_proxy.h, modules/proxy/proxy_util.c.
    - debian/patches/CVE-2024-38473-3.patch: block inadvertent subst of
      special filenames in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2024-38473-4.patch: fix comparison of local path
      on Windows in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2024-38473-5.patch: factor out IS_SLASH, perdir
      fix in include/httpd.h, modules/mappers/mod_rewrite.c, server/util.c.
    - CVE-2024-38473
  * SECURITY UPDATE: Substitution encoding issue in mod_rewrite
    - debian/patches/CVE-2024-38474_5.patch: tighten up prefix_stat and %3f
      handling in modules/mappers/mod_rewrite.c.
    - CVE-2024-38474
  * SECURITY UPDATE: Improper escaping of output in mod_rewrite
    - Included in CVE-2024-38474_5.patch.
    - CVE-2024-38475
  * SECURITY UPDATE: information disclosure, SSRF or local script execution
    - debian/patches/CVE-2024-38476.patch: add ap_set_content_type_ex to
      differentiate trusted sources in include/http_protocol.h,
      include/httpd.h, modules/http/http_protocol.c,
      modules/http/mod_mime.c, modules/mappers/mod_actions.c,
      modules/mappers/mod_negotiation.c, modules/mappers/mod_rewrite.c,
      modules/metadata/mod_headers.c, modules/metadata/mod_mime_magic.c,
      server/config.c, server/core.c.
    - CVE-2024-38476
  * SECURITY UPDATE: null pointer dereference in mod_proxy
    - debian/patches/CVE-2024-38477.patch: validate hostname in
      modules/proxy/proxy_util.c.
    - CVE-2024-38477
  * SECURITY UPDATE: Potential SSRF in mod_rewrite
    - Fixed by patches in previous CVEs.
    - CVE-2024-39573
  * SECURITY UPDATE: source code disclosure with handlers configured via
    AddType
    - debian/patches/CVE-2024-39884.patch: maintain trusted flag in
      modules/cluster/mod_heartmonitor.c, modules/dav/main/mod_dav.c,
      modules/examples/mod_example_hooks.c, modules/filters/mod_data.c,
      modules/filters/mod_include.c, modules/filters/mod_proxy_html.c,
      modules/generators/mod_cgi.c, modules/generators/mod_cgid.c,
      modules/generators/mod_info.c, modules/generators/mod_status.c,
      modules/http/http_filters.c, modules/http/http_protocol.c,
      modules/http/http_request.c, modules/ldap/util_ldap.c,
      modules/mappers/mod_imagemap.c, modules/proxy/mod_proxy_balancer.c.
    - CVE-2024-39884

 -- Marc Deslauriers <email address hidden>  Thu, 04 Jul 2024 07:15:14 -0400
Superseded in oracular-release
Deleted in oracular-proposed (Reason: Moved to oracular)
apache2 (2.4.59-2ubuntu2) oracular; urgency=medium

  * d/index.html, d/apache2.postrm: Fix https link to apache documentation.
    (LP: #2045055)

Superseded in oracular-proposed
apache2 (2.4.59-2ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2064378). Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/source/include-binaries, d/t/check-ubuntu-branding: Replace
      Debian with Ubuntu on default homepage.
      (LP #1966004, LP #1947459)
    - d/apache2.py, d/apache2-bin.install: Add apport hook
      (LP #609177)
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
      d/apache2.dirs: Add ufw profiles
      (LP #261198)
    - d/control: Upgrade lua build dependency to 5.4
      (LP #1910372)
    - d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
      dolphin and Konqueror/5 careful redirection so that directories can be
      deleted via webdav.
      (LP #1927742)
    - d/debhelper/apache2-maintscript-helper: Allow execution when called from a
      postinst script through a trigger (i.e., postinst triggered).
      Thanks to Roel van Meer. (Closes: #1060450)
      (LP #2038912)
  * Dropped:
    - d/p/CVE-2023-38709.patch: header validation after
      content-* are eval'ed in modules/http/http_filters.c.
      [Included in 2.4.59]
    - HTTP Response Splitting in multiple modules
      + d/p/CVE-2024-24795.patch: let httpd handle CL/TE for
        non-http handlers in include/util_script.h,
        modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
        modules/generators/mod_cgid.c, modules/http/http_filters.c,
        modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
        modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
      [Included in 2.4.59]
    - HTTP/2 DoS by memory exhaustion on endless continuation frames
      + d/p/CVE-2024-27316.patch: bail after too many failed reads
        in modules/http2/h2_session.c, modules/http2/h2_stream.c,
        modules/http2/h2_stream.h.
      [Included in 2.4.59]

Superseded in oracular-release
Deleted in oracular-proposed (Reason: Moved to oracular)
Superseded in oracular-proposed
Superseded in noble-updates
Superseded in noble-security
apache2 (2.4.58-1ubuntu8.1) noble-security; urgency=medium

  * SECURITY UPDATE: HTTP response splitting
    - debian/patches/CVE-2023-38709.patch: header validation after
      content-* are eval'ed in modules/http/http_filters.c.
    - CVE-2023-38709
  * SECURITY UPDATE: HTTP Response Splitting in multiple modules
    - debian/patches/CVE-2024-24795.patch: let httpd handle CL/TE for
      non-http handlers in include/util_script.h,
      modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
      modules/generators/mod_cgid.c, modules/http/http_filters.c,
      modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
      modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2024-24795
  * SECURITY UPDATE: HTTP/2 DoS by memory exhaustion on endless
    continuation frames
    - debian/patches/CVE-2024-27316.patch: bail after too many failed reads
      in modules/http2/h2_session.c, modules/http2/h2_stream.c,
      modules/http2/h2_stream.h.
    - CVE-2024-27316

 -- Marc Deslauriers <email address hidden>  Thu, 18 Apr 2024 11:13:41 -0400
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.17) focal-security; urgency=medium

  * SECURITY UPDATE: HTTP response splitting
    - debian/patches/CVE-2023-38709.patch: header validation after
      content-* are eval'ed in modules/http/http_filters.c.
    - CVE-2023-38709
  * SECURITY UPDATE: HTTP Response Splitting in multiple modules
    - debian/patches/CVE-2024-24795.patch: let httpd handle CL/TE for
      non-http handlers in include/util_script.h,
      modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
      modules/generators/mod_cgid.c, modules/http/http_filters.c,
      modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
      modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2024-24795
  * SECURITY UPDATE: HTTP/2 DoS by memory exhaustion on endless
    continuation frames
    - debian/patches/CVE-2024-27316.patch: bail after too many failed reads
      in modules/http2/h2_session.c, modules/http2/h2_stream.c,
      modules/http2/h2_stream.h.
    - CVE-2024-27316

 -- Marc Deslauriers <email address hidden>  Wed, 10 Apr 2024 13:46:26 -0400
Superseded in mantic-updates
Superseded in mantic-security
apache2 (2.4.57-2ubuntu2.4) mantic-security; urgency=medium

  * SECURITY UPDATE: HTTP response splitting
    - debian/patches/CVE-2023-38709.patch: header validation after
      content-* are eval'ed in modules/http/http_filters.c.
    - CVE-2023-38709
  * SECURITY UPDATE: HTTP Response Splitting in multiple modules
    - debian/patches/CVE-2024-24795.patch: let httpd handle CL/TE for
      non-http handlers in include/util_script.h,
      modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
      modules/generators/mod_cgid.c, modules/http/http_filters.c,
      modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
      modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2024-24795
  * SECURITY UPDATE: HTTP/2 DoS by memory exhaustion on endless
    continuation frames
    - debian/patches/CVE-2024-27316.patch: bail after too many failed reads
      in modules/http2/h2_session.c, modules/http2/h2_stream.c,
      modules/http2/h2_stream.h.
    - CVE-2024-27316

 -- Marc Deslauriers <email address hidden>  Wed, 10 Apr 2024 13:41:02 -0400
Superseded in jammy-updates
Superseded in jammy-security
apache2 (2.4.52-1ubuntu4.9) jammy-security; urgency=medium

  * SECURITY UPDATE: HTTP response splitting
    - debian/patches/CVE-2023-38709.patch: header validation after
      content-* are eval'ed in modules/http/http_filters.c.
    - CVE-2023-38709
  * SECURITY UPDATE: HTTP Response Splitting in multiple modules
    - debian/patches/CVE-2024-24795.patch: let httpd handle CL/TE for
      non-http handlers in include/util_script.h,
      modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
      modules/generators/mod_cgid.c, modules/http/http_filters.c,
      modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
      modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2024-24795
  * SECURITY UPDATE: HTTP/2 DoS by memory exhaustion on endless
    continuation frames
    - debian/patches/CVE-2024-27316.patch: bail after too many failed reads
      in modules/http2/h2_session.c, modules/http2/h2_stream.c,
      modules/http2/h2_stream.h.
    - CVE-2024-27316

 -- Marc Deslauriers <email address hidden>  Wed, 10 Apr 2024 13:45:18 -0400
Superseded in oracular-release
Published in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
apache2 (2.4.58-1ubuntu8) noble; urgency=medium

  * No-change rebuild against libapr1t64

 -- Steve Langasek <email address hidden>  Sun, 07 Apr 2024 07:02:29 +0000

Available diffs

Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
apache2 (2.4.58-1ubuntu7) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <email address hidden>  Sun, 31 Mar 2024 08:37:28 +0000

Available diffs

Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
apache2 (2.4.58-1ubuntu6) noble; urgency=medium

  * d/debhelper/apache2-maintscript-helper: Allow execution when called from a
    postinst script through a trigger (i.e., postinst triggered).
    Thanks to Roel van Meer. (LP: #2038912) (Closes: #1060450)

 -- Athos Ribeiro <email address hidden>  Mon, 18 Mar 2024 09:35:36 -0300
Superseded in noble-proposed
apache2 (2.4.58-1ubuntu5) noble; urgency=medium

  * No-change rebuild against libcurl4t64

 -- Steve Langasek <email address hidden>  Sat, 16 Mar 2024 06:05:04 +0000
Superseded in noble-proposed
apache2 (2.4.58-1ubuntu4) noble; urgency=medium

  * No-change rebuild against libaprutil1t64

 -- Zixing Liu <email address hidden>  Sat, 09 Mar 2024 23:05:43 -0700
Superseded in noble-proposed
apache2 (2.4.58-1ubuntu3) noble; urgency=medium

  * No-change rebuild against libssl3t64

 -- Steve Langasek <email address hidden>  Mon, 04 Mar 2024 17:21:46 +0000

Available diffs

Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
apache2 (2.4.41-4ubuntu3.16) focal; urgency=medium

  * d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
    dolphin and Konqueror/5 careful redirection so that directories can be
    deleted via webdav.
    (LP: #1927742)

 -- Bryce Harrington <email address hidden>  Tue, 16 Jan 2024 19:00:27 -0800
Superseded in mantic-updates
Deleted in mantic-proposed (Reason: moved to -updates)
apache2 (2.4.57-2ubuntu2.3) mantic; urgency=medium

  * d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
    dolphin and Konqueror/5 careful redirection so that directories can be
    deleted via webdav.
    (LP: #1927742)

Superseded in jammy-updates
Deleted in jammy-proposed (Reason: moved to -updates)
apache2 (2.4.52-1ubuntu4.8) jammy; urgency=medium

  * d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
    dolphin and Konqueror/5 careful redirection so that directories can be
    deleted via webdav.
    (LP: #1927742)

 -- Bryce Harrington <email address hidden>  Tue, 16 Jan 2024 19:00:18 -0800
Deleted in noble-updates (Reason: superseded by release)
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
apache2 (2.4.58-1ubuntu2) noble; urgency=medium

  * d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
    dolphin and Konqueror/5 careful redirection so that directories can be
    deleted via webdav.
    (LP: #1927742)

 -- Bryce Harrington <email address hidden>  Wed, 24 Jan 2024 14:00:03 -0800

Available diffs

Superseded in mantic-proposed
apache2 (2.4.57-2ubuntu2.2) mantic; urgency=medium

  * d/icons/ubuntu-logo.png: add Ubuntu image for welcome page (LP: #1947459).

 -- Mitchell Dzurick <email address hidden>  Fri, 05 Jan 2024 14:39:55 -0700
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
apache2 (2.4.58-1ubuntu1) noble; urgency=medium

  * Merge with Debian unstable (LP: #2040357). Remaining changes:

    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/source/include-binaries, d/t/check-ubuntu-branding: Replace
      Debian with Ubuntu on default homepage.
      (LP #1966004, LP #1947459)
    - d/apache2.py, d/apache2-bin.install: Add apport hook
      (LP #609177)
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
      d/apache2.dirs: Add ufw profiles
      (LP #261198)
    - d/control: Upgrade lua build dependency to 5.4

 -- Bryce Harrington <email address hidden>  Thu, 14 Dec 2023 23:52:39 -0800

Available diffs

Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
apache2 (2.4.57-2ubuntu3) noble; urgency=medium

  * d/icons/ubuntu-logo.png: add Ubuntu image for welcome page (LP: #1947459).
  * d/t/check-ubuntu-branding: add check for ubuntu branding.

 -- Mitchell Dzurick <email address hidden>  Mon, 13 Nov 2023 10:49:48 -0700
Published in lunar-updates
Published in lunar-security
apache2 (2.4.55-1ubuntu2.1) lunar-security; urgency=medium

  * SECURITY UPDATE: mod_macro buffer over-read
    - debian/patches/CVE-2023-31122.patch: fix length in
      modules/core/mod_macro.c.
    - CVE-2023-31122
  * SECURITY UPDATE: Multiple issues in HTTP/2
    - CVE-2023-43622: DoS in HTTP/2 with initial windows size 0
    - CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST
    - debian/patches/update_http2.patch: backport version 2.0.22 of
      mod_http2 from httpd 2.4.58.
    - CVE-2023-43622
    - CVE-2023-45802

 -- Marc Deslauriers <email address hidden>  Thu, 26 Oct 2023 09:37:01 -0400
Superseded in jammy-updates
Superseded in jammy-security
apache2 (2.4.52-1ubuntu4.7) jammy-security; urgency=medium

  * SECURITY UPDATE: mod_macro buffer over-read
    - debian/patches/CVE-2023-31122.patch: fix length in
      modules/core/mod_macro.c.
    - CVE-2023-31122
  * SECURITY UPDATE: Multiple issues in HTTP/2
    - CVE-2023-43622: DoS in HTTP/2 with initial windows size 0
    - CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST
    - debian/patches/update_http2.patch: backport version 2.0.22 of
      mod_http2 from httpd 2.4.58.
    - CVE-2023-43622
    - CVE-2023-45802

 -- Marc Deslauriers <email address hidden>  Thu, 26 Oct 2023 09:44:44 -0400
Superseded in mantic-updates
Superseded in mantic-security
apache2 (2.4.57-2ubuntu2.1) mantic-security; urgency=medium

  * SECURITY UPDATE: mod_macro buffer over-read
    - debian/patches/CVE-2023-31122.patch: fix length in
      modules/core/mod_macro.c.
    - CVE-2023-31122
  * SECURITY UPDATE: Multiple issues in HTTP/2
    - CVE-2023-43622: DoS in HTTP/2 with initial windows size 0
    - CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST
    - debian/patches/update_http2.patch: backport version 2.0.22 of
      mod_http2 from httpd 2.4.58.
    - CVE-2023-43622
    - CVE-2023-45802

 -- Marc Deslauriers <email address hidden>  Thu, 26 Oct 2023 09:28:30 -0400
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.15) focal-security; urgency=medium

  * SECURITY UPDATE: mod_macro buffer over-read
    - debian/patches/CVE-2023-31122.patch: fix length in
      modules/core/mod_macro.c.
    - CVE-2023-31122
  * SECURITY UPDATE: Multiple issues in HTTP/2
    - CVE-2023-43622: DoS in HTTP/2 with initial windows size 0
    - CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST
    - debian/tests/run-test-suite: run with HARNESS_VERBOSE=1.
    - debian/patches/update_tests.patch: backport tests from jammy's
      2.4.52 to improve test coverage.
    - debian/patches/update_http2.patch: backport version 2.0.22 of
      mod_http2 from httpd 2.4.58.
    - CVE-2023-43622
    - CVE-2023-45802

 -- Marc Deslauriers <email address hidden>  Thu, 26 Oct 2023 09:54:09 -0400
Superseded in noble-release
Published in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
apache2 (2.4.57-2ubuntu2) mantic; urgency=medium

  * d/control: Upgrade lua build dependency to 5.4

 -- Lena Voytek <email address hidden>  Fri, 21 Jul 2023 14:17:42 -0700

Available diffs

Obsolete in kinetic-proposed
apache2 (2.4.54-2ubuntu1.5) kinetic; urgency=medium

  * d/p/reenable-workers-in-standard-error-state-kinetic-apache2.patch:
    fix the value discrepancy of MODULE_MAGIC_NUMBER_MINOR.
    (LP: #2003189)

 -- Michal Maloszewski <email address hidden>  Wed, 21 Jun 2023 17:41:40 +0200
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
apache2 (2.4.57-2ubuntu1) mantic; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/source/include-binaries: Replace Debian with Ubuntu on default
      homepage.
    - d/apache2.py, d/apache2-bin.install: Add apport hook
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
      d/apache2.dirs: Add ufw profiles
  * Dropped changes included in new version:
    - debian/patches/CVE-2023-25690-1.patch
    - debian/patches/CVE-2023-25690-2.patch
    - debian/patches/CVE-2023-27522.patch

Superseded in kinetic-proposed
apache2 (2.4.54-2ubuntu1.4) kinetic; urgency=medium

  * d/p/reenable-workers-in-standard-error-state-kinetic-apache2.patch:
    fix issue with workers in apache2 which could not recover from its
    error state (LP: #2003189)

 -- Michal Maloszewski <email address hidden>  Wed, 03 May 2023 21:41:59 +0200
Superseded in jammy-updates
Deleted in jammy-proposed (Reason: moved to -updates)
apache2 (2.4.52-1ubuntu4.6) jammy; urgency=medium

  * d/p/reenable-workers-in-standard-error-state-jammy-apache2.patch:
    fix issue with workers in apache2 which could not recover from its
    error state (LP: #2003189)

 -- Michal Maloszewski <email address hidden>  Wed, 03 May 2023 22:02:51 +0200
Obsolete in kinetic-updates
Deleted in kinetic-proposed (Reason: moved to -updates)
apache2 (2.4.54-2ubuntu1.3) kinetic; urgency=medium

  * d/p/mod_proxy_hcheck_kinetic_fix_to_detect_support.patch: Fix issue
    where enabling mod_proxy_hcheck results in error (LP: #1998311)

 -- Michal Maloszewski <email address hidden>  Thu, 02 Mar 2023 00:01:26 +0100
Superseded in jammy-updates
Deleted in jammy-proposed (Reason: moved to -updates)
apache2 (2.4.52-1ubuntu4.5) jammy; urgency=medium

  * d/p/mod_proxy_hcheck_jammy_fix_to_detect_support.patch: Fix issue
    where enabling mod_proxy_hcheck results in error (LP: #1998311)

 -- Michal Maloszewski <email address hidden>  Wed, 01 Mar 2023 23:43:55 +0100
Superseded in jammy-updates
Superseded in jammy-security
apache2 (2.4.52-1ubuntu4.4) jammy-security; urgency=medium

  * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
    - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query
      strings in modules/http2/mod_proxy_http2.c,
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c,
      modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c,
      modules/proxy/mod_proxy_wstunnel.c.
    - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in
      modules/http2/mod_proxy_http2.c.
    - CVE-2023-25690
  * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
    - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response
      parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2023-27522

 -- Marc Deslauriers <email address hidden>  Wed, 08 Mar 2023 12:32:01 -0500
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.14) focal-security; urgency=medium

  * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
    - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query
      strings in modules/http2/mod_proxy_http2.c,
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c,
      modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c,
      modules/proxy/mod_proxy_wstunnel.c.
    - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in
      modules/http2/mod_proxy_http2.c.
    - CVE-2023-25690
  * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
    - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response
      parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2023-27522

 -- Marc Deslauriers <email address hidden>  Wed, 08 Mar 2023 12:32:54 -0500
Superseded in kinetic-updates
Obsolete in kinetic-security
apache2 (2.4.54-2ubuntu1.2) kinetic-security; urgency=medium

  * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
    - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query
      strings in modules/http2/mod_proxy_http2.c,
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c,
      modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c,
      modules/proxy/mod_proxy_wstunnel.c.
    - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in
      modules/http2/mod_proxy_http2.c.
    - CVE-2023-25690
  * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
    - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response
      parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2023-27522

 -- Marc Deslauriers <email address hidden>  Wed, 08 Mar 2023 12:31:20 -0500
Published in bionic-updates
Published in bionic-security
apache2 (2.4.29-1ubuntu4.27) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
    - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query
      strings in modules/http2/mod_proxy_http2.c,
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c,
      modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c,
      modules/proxy/mod_proxy_wstunnel.c.
    - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in
      modules/http2/mod_proxy_http2.c.
    - CVE-2023-25690

 -- Marc Deslauriers <email address hidden>  Wed, 08 Mar 2023 12:34:33 -0500
Superseded in mantic-release
Published in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
apache2 (2.4.55-1ubuntu2) lunar; urgency=medium

  * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
    - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query
      strings in modules/http2/mod_proxy_http2.c,
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c,
      modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c,
      modules/proxy/mod_proxy_wstunnel.c.
    - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in
      modules/http2/mod_proxy_http2.c.
    - CVE-2023-25690
  * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
    - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response
      parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2023-27522

 -- Marc Deslauriers <email address hidden>  Wed, 08 Mar 2023 11:32:34 -0500
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.26) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS via crafted If header in mod_dav
    - debian/patches/CVE-2006-20001.patch: fix error path for "Not" prefix
      parsing in modules/dav/main/util.c.
    - CVE-2006-20001
  * SECURITY UPDATE: request smuggling in mod_proxy_ajp
    - debian/patches/CVE-2022-36760.patch: cleanup on error in
      modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-36760
  * SECURITY UPDATE: response header truncation issue
    - debian/patches/CVE-2022-37436.patch: fail on bad header in
      modules/proxy/mod_proxy_http.c.
    - CVE-2022-37436

 -- Marc Deslauriers <email address hidden>  Tue, 31 Jan 2023 09:01:53 -0500
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.13) focal-security; urgency=medium

  * SECURITY UPDATE: DoS via crafted If header in mod_dav
    - debian/patches/CVE-2006-20001.patch: fix error path for "Not" prefix
      parsing in modules/dav/main/util.c.
    - CVE-2006-20001
  * SECURITY UPDATE: request smuggling in mod_proxy_ajp
    - debian/patches/CVE-2022-36760.patch: cleanup on error in
      modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-36760
  * SECURITY UPDATE: response header truncation issue
    - debian/patches/CVE-2022-37436.patch: fail on bad header in
      modules/proxy/mod_proxy_http.c, server/protocol.c.
    - CVE-2022-37436

 -- Marc Deslauriers <email address hidden>  Mon, 23 Jan 2023 13:36:09 -0500
Superseded in jammy-updates
Superseded in jammy-security
apache2 (2.4.52-1ubuntu4.3) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS via crafted If header in mod_dav
    - debian/patches/CVE-2006-20001.patch: fix error path for "Not" prefix
      parsing in modules/dav/main/util.c.
    - CVE-2006-20001
  * SECURITY UPDATE: request smuggling in mod_proxy_ajp
    - debian/patches/CVE-2022-36760.patch: cleanup on error in
      modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-36760
  * SECURITY UPDATE: response header truncation issue
    - debian/patches/CVE-2022-37436.patch: fail on bad header in
      modules/proxy/mod_proxy_http.c, server/protocol.c.
    - CVE-2022-37436

 -- Marc Deslauriers <email address hidden>  Mon, 23 Jan 2023 13:34:42 -0500
Superseded in kinetic-updates
Superseded in kinetic-security
apache2 (2.4.54-2ubuntu1.1) kinetic-security; urgency=medium

  * SECURITY UPDATE: DoS via crafted If header in mod_dav
    - debian/patches/CVE-2006-20001.patch: fix error path for "Not" prefix
      parsing in modules/dav/main/util.c.
    - CVE-2006-20001
  * SECURITY UPDATE: request smuggling in mod_proxy_ajp
    - debian/patches/CVE-2022-36760.patch: cleanup on error in
      modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-36760
  * SECURITY UPDATE: response header truncation issue
    - debian/patches/CVE-2022-37436.patch: fail on bad header in
      modules/proxy/mod_proxy_http.c, server/protocol.c.
    - CVE-2022-37436

 -- Marc Deslauriers <email address hidden>  Mon, 23 Jan 2023 13:25:54 -0500
Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
apache2 (2.4.55-1ubuntu1) lunar; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/source/include-binaries: Replace Debian with Ubuntu on default
      homepage.
    - d/apache2.py, d/apache2-bin.install: Add apport hook
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
      d/apache2.dirs: Add ufw profiles

Available diffs

Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
apache2 (2.4.54-3ubuntu2) lunar; urgency=medium

  * No-change rebuild against libldap-2

 -- Steve Langasek <email address hidden>  Thu, 15 Dec 2022 19:42:31 +0000

Available diffs

Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
apache2 (2.4.54-3ubuntu1) lunar; urgency=medium

  * Merge with Debian unstable (LP: #1993373). Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/source/include-binaries: Replace Debian with Ubuntu on default
      homepage.
      (LP #1966004)
    - d/apache2.py, d/apache2-bin.install: Add apport hook
      (LP #609177)
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
      d/apache2.dirs: Add ufw profiles
      (LP #261198)

 -- Bryce Harrington <email address hidden>  Wed, 16 Nov 2022 16:44:44 -0800
Superseded in jammy-updates
Deleted in jammy-proposed (Reason: moved to -updates)
apache2 (2.4.52-1ubuntu4.2) jammy; urgency=medium

  * d/p/fix-a-possible-listener-deadlock.patch,
    d/p/handle-children-killed-pathologically.patch:  Fix situation
    where Apache fails to start its child processes after a certain
    number of requests, causing requests for new pages to hang.
    (LP: #1988224)
  * d/perl-framework/t/ssl/ocsp.t: Update test framework
    - Cherry pick from Debian 2.4.53-1

 -- Bryce Harrington <email address hidden>  Thu, 29 Sep 2022 21:09:50 -0700
Superseded in lunar-release
Obsolete in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
apache2 (2.4.54-2ubuntu1) kinetic; urgency=medium

  * Merge with Debian unstable (LP: #1982048). Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/source/include-binaries: Replace Debian with Ubuntu on default
      homepage.
      (LP #1966004)
    - d/apache2.py, d/apache2-bin.install: Add apport hook
      (LP #609177)
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
      d/apache2.dirs: Add ufw profiles
      (LP #261198)

 -- Bryce Harrington <email address hidden>  Thu, 21 Jul 2022 19:38:00 +0000

Available diffs

Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.25) bionic-security; urgency=medium

  * SECURITY REGRESSION: Previous fix for CVE-2022-30522 caused
    a regression
    - debian/patches/CVE-2022-30522.patch: removing line should be removed
      at the backport but was missing in modules/filters/sed1.c (LP: #1979641)

 -- Leonidas Da Silva Barbosa <email address hidden>  Thu, 23 Jun 2022 09:51:37 -0300
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.24) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP Request Smuggling
    - debian/patches/CVE-2022-26377.patch: changing
      precedence between T-E and C-L in modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-26377
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28614.patch: handle large
      writes in ap_rputs.
      in server/util.c.
    - CVE-2022-28614
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28615.patch: fix types
      in server/util.c.
    - CVE-2022-28615
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-29404.patch: cast first
      in modules/lua/lua_request.c.
    - CVE-2022-29404
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-30522.patch: limit mod_sed
      memory use in modules/filters/mod_sec.c,
      modules/filters/sed1.c.
    - CVE-2022-30522
  * SECURITY UPDATE: Returning point past of the buffer
    - debian/patches/CVE-2022-30556.patch: use filters consistently
      in modules/lua/lua_request.c.
    - CVE-2022-30556
  * SECURITY UPDATE: Bypass IP authentication
    - debian/patches/CVE-2022-31813.patch: to clear
      hop-by-hop first and fixup last in modules/proxy/proxy_util.c.
    - CVE-2022-31813

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 14 Jun 2022 14:52:48 -0300
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.12) focal-security; urgency=medium

  * SECURITY UPDATE: HTTP Request Smuggling
    - debian/patches/CVE-2022-26377.patch: changing
      precedence between T-E and C-L in modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-26377
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28614.patch: handle large
      writes in ap_rputs.
      in server/util.c.
    - CVE-2022-28614
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28615.patch: fix types
      in server/util.c.
    - CVE-2022-28615
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-29404.patch: cast first
      in modules/lua/lua_request.c.
    - CVE-2022-29404
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-30522.patch: limit mod_sed
      memory use in modules/filters/mod_sec.c,
      modules/filters/sed1.c.
    - CVE-2022-30522
  * SECURITY UPDATE: Returning point past of the buffer
    - debian/patches/CVE-2022-30556.patch: use filters consistently
      in modules/lua/lua_request.c.
    - CVE-2022-30556
  * SECURITY UPDATE: Bypass IP authentication
    - debian/patches/CVE-2022-31813.patch: to clear
      hop-by-hop first and fixup last in modules/proxy/proxy_util.c.
    - CVE-2022-31813

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 14 Jun 2022 10:30:55 -0300
Superseded in jammy-updates
Superseded in jammy-security
apache2 (2.4.52-1ubuntu4.1) jammy-security; urgency=medium

  * SECURITY UPDATE: HTTP Request Smuggling
    - debian/patches/CVE-2022-26377.patch: changing
      precedence between T-E and C-L in modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-26377
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28614.patch: handle large
      writes in ap_rputs.
      in server/util.c.
    - CVE-2022-28614
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28615.patch: fix types
      in server/util.c.
    - CVE-2022-28615
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-29404.patch: cast first
      in modules/lua/lua_request.c.
    - CVE-2022-29404
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-30522.patch: limit mod_sed
      memory use in modules/filters/mod_sec.c,
      modules/filters/sed1.c.
    - CVE-2022-30522
  * SECURITY UPDATE: Returning point past of the buffer
    - debian/patches/CVE-2022-30556.patch: use filters consitently
      in modules/lua/lua_request.c.
    - CVE-2022-30556
  * SECURITY UPDATE: Bypass IP authentication
    - debian/patches/CVE-2022-31813.patch: to clear
      hop-by-hop first and fixup last in modules/proxy/proxy_util.c.
    - CVE-2022-31813

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 14 Jun 2022 09:30:21 -0300
Obsolete in impish-updates
Obsolete in impish-security
apache2 (2.4.48-3.1ubuntu3.5) impish-security; urgency=medium

  * SECURITY UPDATE: HTTP Request Smuggling
    - debian/patches/CVE-2022-26377.patch: changing
      precedence between T-E and C-L in modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-26377
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28614.patch: handle large
      writes in ap_rputs.
      in server/util.c.
    - CVE-2022-28614
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28615.patch: fix types
      in server/util.c.
    - CVE-2022-28615
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-29404.patch: cast first
      in modules/lua/lua_request.c.
    - CVE-2022-29404
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-30522.patch: limit mod_sed
      memory use in modules/filters/mod_sec.c,
      modules/filters/sed1.c.
    - CVE-2022-30522
  * SECURITY UPDATE: Returning point past of the buffer
    - debian/patches/CVE-2022-30556.patch: use filters consitently
      in modules/lua/lua_request.c.
    - CVE-2022-30556
  * SECURITY UPDATE: Bypass IP authentication
    - debian/patches/CVE-2022-31813.patch: to clear
      hop-by-hop first and fixup last in modules/proxy/proxy_util.c.
    - CVE-2022-31813

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 14 Jun 2022 09:33:28 -0300
Superseded in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium

  * Merge with Debian unstable (LP: #1971248). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
      (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.
      (LP 1288690)
    - d/index.html, d/icons/ubuntu-logo.png:  Refresh page design and
      new logo
      (LP 1966004)
    - d/apache2.postrm: Include md5 sum for updated index.html
  * Dropped:
    - OOB read in mod_lua via crafted request body
      + d/p/CVE-2022-22719.patch: error out if lua_read_body() or
        lua_write_body() fail in modules/lua/lua_request.c.
      [Fixed in 2.4.53 upstream]
    - HTTP Request Smuggling via error discarding the
      request body
      + d/p/CVE-2022-22720.patch: simpler connection close logic
        if discarding the request body fails in modules/http/http_filters.c,
        server/protocol.c.
      [Fixed in 2.4.53 upstream]
    - overflow via large LimitXMLRequestBody
      + d/p/CVE-2022-22721.patch: make sure and check that
        LimitXMLRequestBody fits in system memory in server/core.c,
        server/util.c, server/util_xml.c.
      [Fixed in 2.4.53 upstream]
    - out-of-bounds write in mod_sed
      + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger
        buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
        modules/filters/mod_sed.c, modules/filters/sed1.c.
      + d/p/CVE-2022-23943-2.patch: improve the logic flow in
        modules/filters/mod_sed.c.
      [Fixed in 2.4.53 upstream]

 -- Bryce Harrington <email address hidden>  Mon, 23 May 2022 19:34:18 -0700

Available diffs

Superseded in impish-updates
Deleted in impish-proposed (Reason: moved to -updates)
apache2 (2.4.48-3.1ubuntu3.4) impish; urgency=medium

  * d/p/mod_http2-Don-t-send-GOAWAY-too-early-when-MaxReques.patch:
    Don't send GOAWAY too early on new connections when
    MaxRequestsPerChild has been reached.  (LP: #1969629)

 -- Sergio Durigan Junior <email address hidden>  Tue, 26 Apr 2022 15:55:37 -0400
Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
apache2 (2.4.41-4ubuntu3.11) focal; urgency=medium

  * d/p/mod_http2-Don-t-send-GOAWAY-too-early-when-MaxReques.patch:
    Don't send GOAWAY too early on new connections when
    MaxRequestsPerChild has been reached.  (LP: #1969629)

 -- Sergio Durigan Junior <email address hidden>  Tue, 26 Apr 2022 14:02:11 -0400
Superseded in bionic-updates
Deleted in bionic-proposed (Reason: moved to -updates)
apache2 (2.4.29-1ubuntu4.23) bionic; urgency=medium

  * d/p/mod_http2-Don-t-send-GOAWAY-too-early-when-MaxReques.patch:
    Don't send GOAWAY too early on new connections when
    MaxRequestsPerChild has been reached.  (LP: #1969629)

 -- Sergio Durigan Junior <email address hidden>  Mon, 25 Apr 2022 20:46:43 -0400
Superseded in kinetic-release
Published in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
apache2 (2.4.52-1ubuntu4) jammy; urgency=medium

  * d/apache2.postrm: Include md5 sum for updated index.html

 -- Bryce Harrington <email address hidden>  Thu, 24 Mar 2022 17:35:40 -0700
Superseded in jammy-proposed
apache2 (2.4.52-1ubuntu3) jammy; urgency=medium

  * d/index.html:
    - Redesign page's heading for the new logo
    - Use the Ubuntu font where available
    - Update service management directions
    - Copyedit grammar
    - Light reformatting and whitespace cleanup
  * d/icons/ubuntu-logo.png: Refresh ubuntu logo
    (LP: #1966004)

 -- Bryce Harrington <email address hidden>  Wed, 23 Mar 2022 16:18:11 -0700
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
apache2 (2.4.52-1ubuntu2) jammy; urgency=medium

  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
      lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
    request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic
      if discarding the request body fails in modules/http/http_filters.c,
      server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that
      LimitXMLRequestBody fits in system memory in server/core.c,
      server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
      buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
      modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
      modules/filters/mod_sed.c.
    - CVE-2022-23943

 -- Marc Deslauriers <email address hidden>  Thu, 17 Mar 2022 09:39:54 -0400
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.10) focal-security; urgency=medium

  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
      lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
    request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic
      if discarding the request body fails in modules/http/http_filters.c,
      server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that
      LimitXMLRequestBody fits in system memory in server/core.c,
      server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
      buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
      modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
      modules/filters/mod_sed.c.
    - CVE-2022-23943

 -- Marc Deslauriers <email address hidden>  Wed, 16 Mar 2022 12:52:53 -0400
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.22) bionic-security; urgency=medium

  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
      lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
    request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic
      if discarding the request body fails in modules/http/http_filters.c,
      server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that
      LimitXMLRequestBody fits in system memory in server/core.c,
      server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
      buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
      modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
      modules/filters/mod_sed.c.
    - CVE-2022-23943

 -- Marc Deslauriers <email address hidden>  Wed, 16 Mar 2022 12:53:42 -0400
Superseded in impish-updates
Superseded in impish-security
apache2 (2.4.48-3.1ubuntu3.3) impish-security; urgency=medium

  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
      lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
    request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic
      if discarding the request body fails in modules/http/http_filters.c,
      server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that
      LimitXMLRequestBody fits in system memory in server/core.c,
      server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
      buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
      modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
      modules/filters/mod_sed.c.
    - CVE-2022-23943

 -- Marc Deslauriers <email address hidden>  Wed, 16 Mar 2022 12:46:16 -0400
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
apache2 (2.4.52-1ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable (LP: #1959924). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
      (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.
      (LP 1288690)
  * Dropped:
    - d/p/support-openssl3-*.patch: Backport various patches from
      https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
      failure to load when using OpenSSL 3.
      (LP #1951476)
      [Included in upstream release 2.4.52]
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      (LP 1832182)
      [This introduced a performance regression.]
    - d/apache2ctl: Also use /run/systemd to check for systemd usage.
      (LP 1918209)
      [Not needed]

 -- Bryce Harrington <email address hidden>  Thu, 03 Feb 2022 10:25:47 -0800

Available diffs

Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.21) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
      uri-paths not to be forward-proxied have an http(s) scheme, and that
      the ones to be forward proxied have a hostname in
      include/http_protocol.h, modules/http/http_request.c,
      modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
      w/ no hostname in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in
      modules/lua/lua_request.c.
    - CVE-2021-44790

 -- Marc Deslauriers <email address hidden>  Wed, 05 Jan 2022 09:50:41 -0500
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.9) focal-security; urgency=medium

  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
      uri-paths not to be forward-proxied have an http(s) scheme, and that
      the ones to be forward proxied have a hostname in
      include/http_protocol.h, modules/http/http_request.c,
      modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
      w/ no hostname in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in
      modules/lua/lua_request.c.
    - CVE-2021-44790

 -- Marc Deslauriers <email address hidden>  Wed, 05 Jan 2022 09:49:56 -0500
Obsolete in hirsute-updates
Obsolete in hirsute-security
apache2 (2.4.46-4ubuntu1.5) hirsute-security; urgency=medium

  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
      uri-paths not to be forward-proxied have an http(s) scheme, and that
      the ones to be forward proxied have a hostname in
      include/http_protocol.h, modules/http/http_request.c,
      modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
      w/ no hostname in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in
      modules/lua/lua_request.c.
    - CVE-2021-44790

 -- Marc Deslauriers <email address hidden>  Wed, 05 Jan 2022 09:38:48 -0500
Superseded in impish-updates
Superseded in impish-security
apache2 (2.4.48-3.1ubuntu3.2) impish-security; urgency=medium

  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
      uri-paths not to be forward-proxied have an http(s) scheme, and that
      the ones to be forward proxied have a hostname in
      include/http_protocol.h, modules/http/http_request.c,
      modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
      w/ no hostname in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in
      modules/lua/lua_request.c.
    - CVE-2021-44790

 -- Marc Deslauriers <email address hidden>  Wed, 05 Jan 2022 09:29:15 -0500
175 of 432 results