Change log for apache2 package in Ubuntu
apache2 (2.4.57-2ubuntu2) mantic; urgency=medium * d/control: Upgrade lua build dependency to 5.4 -- Lena Voytek <email address hidden> Fri, 21 Jul 2023 14:17:42 -0700
Available diffs
- diff from 2.4.57-2ubuntu1 to 2.4.57-2ubuntu2 (434 bytes)
Published in kinetic-proposed |
apache2 (2.4.54-2ubuntu1.5) kinetic; urgency=medium * d/p/reenable-workers-in-standard-error-state-kinetic-apache2.patch: fix the value discrepancy of MODULE_MAGIC_NUMBER_MINOR. (LP: #2003189) -- Michal Maloszewski <email address hidden> Wed, 21 Jun 2023 17:41:40 +0200
apache2 (2.4.57-2ubuntu1) mantic; urgency=medium
  * Merge from Debian unstable. Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage.
    - d/apache2.py, d/apache2-bin.install: Add apport hook
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles
  * Dropped changes included in new version:
    - debian/patches/CVE-2023-25690-1.patch
    - debian/patches/CVE-2023-25690-2.patch
    - debian/patches/CVE-2023-27522.patch
Available diffs
- diff from 2.4.55-1ubuntu2 to 2.4.57-2ubuntu1 (89.9 KiB)
Superseded in kinetic-proposed |
apache2 (2.4.54-2ubuntu1.4) kinetic; urgency=medium * d/p/reenable-workers-in-standard-error-state-kinetic-apache2.patch: fix issue with workers in apache2 which could not recover from its error state (LP: #2003189) -- Michal Maloszewski <email address hidden> Wed, 03 May 2023 21:41:59 +0200
apache2 (2.4.52-1ubuntu4.6) jammy; urgency=medium * d/p/reenable-workers-in-standard-error-state-jammy-apache2.patch: fix issue with workers in apache2 which could not recover from its error state (LP: #2003189) -- Michal Maloszewski <email address hidden> Wed, 03 May 2023 22:02:51 +0200
apache2 (2.4.54-2ubuntu1.3) kinetic; urgency=medium * d/p/mod_proxy_hcheck_kinetic_fix_to_detect_support.patch: Fix issue where enabling mod_proxy_hcheck results in error (LP: #1998311) -- Michal Maloszewski <email address hidden> Thu, 02 Mar 2023 00:01:26 +0100
apache2 (2.4.52-1ubuntu4.5) jammy; urgency=medium * d/p/mod_proxy_hcheck_jammy_fix_to_detect_support.patch: Fix issue where enabling mod_proxy_hcheck results in error (LP: #1998311) -- Michal Maloszewski <email address hidden> Wed, 01 Mar 2023 23:43:55 +0100
apache2 (2.4.52-1ubuntu4.4) jammy-security; urgency=medium
  * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
    - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c.
    - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c.
    - CVE-2023-25690
  * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
    - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2023-27522
 -- Marc Deslauriers <email address hidden> Wed, 08 Mar 2023 12:32:01 -0500
apache2 (2.4.41-4ubuntu3.14) focal-security; urgency=medium
  * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
    - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c.
    - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c.
    - CVE-2023-25690
  * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
    - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2023-27522
 -- Marc Deslauriers <email address hidden> Wed, 08 Mar 2023 12:32:54 -0500
apache2 (2.4.54-2ubuntu1.2) kinetic-security; urgency=medium
  * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
    - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c.
    - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c.
    - CVE-2023-25690
  * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
    - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2023-27522
 -- Marc Deslauriers <email address hidden> Wed, 08 Mar 2023 12:31:20 -0500
apache2 (2.4.29-1ubuntu4.27) bionic-security; urgency=medium
  * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
    - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c.
    - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c.
    - CVE-2023-25690
 -- Marc Deslauriers <email address hidden> Wed, 08 Mar 2023 12:34:33 -0500
Superseded in mantic-release |
Published in lunar-release |
Deleted in lunar-proposed (Reason: Moved to lunar) |
apache2 (2.4.55-1ubuntu2) lunar; urgency=medium
  * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
    - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c.
    - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c.
    - CVE-2023-25690
  * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
    - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2023-27522
 -- Marc Deslauriers <email address hidden> Wed, 08 Mar 2023 11:32:34 -0500
apache2 (2.4.29-1ubuntu4.26) bionic-security; urgency=medium
  * SECURITY UPDATE: DoS via crafted If header in mod_dav
    - debian/patches/CVE-2006-20001.patch: fix error path for "Not" prefix parsing in modules/dav/main/util.c.
    - CVE-2006-20001
  * SECURITY UPDATE: request smuggling in mod_proxy_ajp
    - debian/patches/CVE-2022-36760.patch: cleanup on error in modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-36760
  * SECURITY UPDATE: response header truncation issue
    - debian/patches/CVE-2022-37436.patch: fail on bad header in modules/proxy/mod_proxy_http.c.
    - CVE-2022-37436
 -- Marc Deslauriers <email address hidden> Tue, 31 Jan 2023 09:01:53 -0500
apache2 (2.4.41-4ubuntu3.13) focal-security; urgency=medium
  * SECURITY UPDATE: DoS via crafted If header in mod_dav
    - debian/patches/CVE-2006-20001.patch: fix error path for "Not" prefix parsing in modules/dav/main/util.c.
    - CVE-2006-20001
  * SECURITY UPDATE: request smuggling in mod_proxy_ajp
    - debian/patches/CVE-2022-36760.patch: cleanup on error in modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-36760
  * SECURITY UPDATE: response header truncation issue
    - debian/patches/CVE-2022-37436.patch: fail on bad header in modules/proxy/mod_proxy_http.c, server/protocol.c.
    - CVE-2022-37436
 -- Marc Deslauriers <email address hidden> Mon, 23 Jan 2023 13:36:09 -0500
apache2 (2.4.52-1ubuntu4.3) jammy-security; urgency=medium
  * SECURITY UPDATE: DoS via crafted If header in mod_dav
    - debian/patches/CVE-2006-20001.patch: fix error path for "Not" prefix parsing in modules/dav/main/util.c.
    - CVE-2006-20001
  * SECURITY UPDATE: request smuggling in mod_proxy_ajp
    - debian/patches/CVE-2022-36760.patch: cleanup on error in modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-36760
  * SECURITY UPDATE: response header truncation issue
    - debian/patches/CVE-2022-37436.patch: fail on bad header in modules/proxy/mod_proxy_http.c, server/protocol.c.
    - CVE-2022-37436
 -- Marc Deslauriers <email address hidden> Mon, 23 Jan 2023 13:34:42 -0500
apache2 (2.4.54-2ubuntu1.1) kinetic-security; urgency=medium
  * SECURITY UPDATE: DoS via crafted If header in mod_dav
    - debian/patches/CVE-2006-20001.patch: fix error path for "Not" prefix parsing in modules/dav/main/util.c.
    - CVE-2006-20001
  * SECURITY UPDATE: request smuggling in mod_proxy_ajp
    - debian/patches/CVE-2022-36760.patch: cleanup on error in modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-36760
  * SECURITY UPDATE: response header truncation issue
    - debian/patches/CVE-2022-37436.patch: fail on bad header in modules/proxy/mod_proxy_http.c, server/protocol.c.
    - CVE-2022-37436
 -- Marc Deslauriers <email address hidden> Mon, 23 Jan 2023 13:25:54 -0500
apache2 (2.4.55-1ubuntu1) lunar; urgency=low
  * Merge from Debian unstable. Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage.
    - d/apache2.py, d/apache2-bin.install: Add apport hook
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles
Available diffs
- diff from 2.4.54-3ubuntu2 to 2.4.55-1ubuntu1 (484.3 KiB)
apache2 (2.4.54-3ubuntu2) lunar; urgency=medium * No-change rebuild against libldap-2 -- Steve Langasek <email address hidden> Thu, 15 Dec 2022 19:42:31 +0000
Available diffs
- diff from 2.4.54-3ubuntu1 to 2.4.54-3ubuntu2 (338 bytes)
apache2 (2.4.54-3ubuntu1) lunar; urgency=medium
  * Merge with Debian unstable (LP: #1993373). Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. (LP #1966004)
    - d/apache2.py, d/apache2-bin.install: Add apport hook (LP #609177)
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles (LP #261198)
 -- Bryce Harrington <email address hidden> Wed, 16 Nov 2022 16:44:44 -0800
apache2 (2.4.52-1ubuntu4.2) jammy; urgency=medium
  * d/p/fix-a-possible-listener-deadlock.patch, d/p/handle-children-killed-pathologically.patch: Fix situation where Apache fails to start its child processes after a certain number of requests, causing requests for new pages to hang. (LP: #1988224)
  * d/perl-framework/t/ssl/ocsp.t: Update test framework
    - Cherry pick from Debian 2.4.53-1
 -- Bryce Harrington <email address hidden> Thu, 29 Sep 2022 21:09:50 -0700
Superseded in lunar-release |
Published in kinetic-release |
Deleted in kinetic-proposed (Reason: Moved to kinetic) |
apache2 (2.4.54-2ubuntu1) kinetic; urgency=medium
  * Merge with Debian unstable (LP: #1982048). Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. (LP #1966004)
    - d/apache2.py, d/apache2-bin.install: Add apport hook (LP #609177)
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles (LP #261198)
 -- Bryce Harrington <email address hidden> Thu, 21 Jul 2022 19:38:00 +0000
Available diffs
- diff from 2.4.53-2ubuntu1 to 2.4.54-2ubuntu1 (123.8 KiB)
apache2 (2.4.29-1ubuntu4.25) bionic-security; urgency=medium
  * SECURITY REGRESSION: Previous fix for CVE-2022-30522 caused a regression
    - debian/patches/CVE-2022-30522.patch: removing line should be removed at the backport but was missing in modules/filters/sed1.c (LP: #1979641)
 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 23 Jun 2022 09:51:37 -0300
apache2 (2.4.29-1ubuntu4.24) bionic-security; urgency=medium
  * SECURITY UPDATE: HTTP Request Smuggling
    - debian/patches/CVE-2022-26377.patch: changing precedence between T-E and C-L in modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-26377
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28614.patch: handle large writes in ap_rputs. in server/util.c.
    - CVE-2022-28614
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28615.patch: fix types in server/util.c.
    - CVE-2022-28615
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-29404.patch: cast first in modules/lua/lua_request.c.
    - CVE-2022-29404
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-30522.patch: limit mod_sed memory use in modules/filters/mod_sec.c, modules/filters/sed1.c.
    - CVE-2022-30522
  * SECURITY UPDATE: Returning point past of the buffer
    - debian/patches/CVE-2022-30556.patch: use filters consistently in modules/lua/lua_request.c.
    - CVE-2022-30556
  * SECURITY UPDATE: Bypass IP authentication
    - debian/patches/CVE-2022-31813.patch: to clear hop-by-hop first and fixup last in modules/proxy/proxy_util.c.
    - CVE-2022-31813
 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 14 Jun 2022 14:52:48 -0300
apache2 (2.4.41-4ubuntu3.12) focal-security; urgency=medium
  * SECURITY UPDATE: HTTP Request Smuggling
    - debian/patches/CVE-2022-26377.patch: changing precedence between T-E and C-L in modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-26377
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28614.patch: handle large writes in ap_rputs. in server/util.c.
    - CVE-2022-28614
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28615.patch: fix types in server/util.c.
    - CVE-2022-28615
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-29404.patch: cast first in modules/lua/lua_request.c.
    - CVE-2022-29404
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-30522.patch: limit mod_sed memory use in modules/filters/mod_sec.c, modules/filters/sed1.c.
    - CVE-2022-30522
  * SECURITY UPDATE: Returning point past of the buffer
    - debian/patches/CVE-2022-30556.patch: use filters consistently in modules/lua/lua_request.c.
    - CVE-2022-30556
  * SECURITY UPDATE: Bypass IP authentication
    - debian/patches/CVE-2022-31813.patch: to clear hop-by-hop first and fixup last in modules/proxy/proxy_util.c.
    - CVE-2022-31813
 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 14 Jun 2022 10:30:55 -0300
apache2 (2.4.52-1ubuntu4.1) jammy-security; urgency=medium
  * SECURITY UPDATE: HTTP Request Smuggling
    - debian/patches/CVE-2022-26377.patch: changing precedence between T-E and C-L in modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-26377
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28614.patch: handle large writes in ap_rputs. in server/util.c.
    - CVE-2022-28614
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28615.patch: fix types in server/util.c.
    - CVE-2022-28615
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-29404.patch: cast first in modules/lua/lua_request.c.
    - CVE-2022-29404
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-30522.patch: limit mod_sed memory use in modules/filters/mod_sec.c, modules/filters/sed1.c.
    - CVE-2022-30522
  * SECURITY UPDATE: Returning point past of the buffer
    - debian/patches/CVE-2022-30556.patch: use filters consistently in modules/lua/lua_request.c.
    - CVE-2022-30556
  * SECURITY UPDATE: Bypass IP authentication
    - debian/patches/CVE-2022-31813.patch: to clear hop-by-hop first and fixup last in modules/proxy/proxy_util.c.
    - CVE-2022-31813
 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 14 Jun 2022 09:30:21 -0300
apache2 (2.4.48-3.1ubuntu3.5) impish-security; urgency=medium
  * SECURITY UPDATE: HTTP Request Smuggling
    - debian/patches/CVE-2022-26377.patch: changing precedence between T-E and C-L in modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-26377
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28614.patch: handle large writes in ap_rputs. in server/util.c.
    - CVE-2022-28614
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28615.patch: fix types in server/util.c.
    - CVE-2022-28615
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-29404.patch: cast first in modules/lua/lua_request.c.
    - CVE-2022-29404
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-30522.patch: limit mod_sed memory use in modules/filters/mod_sec.c, modules/filters/sed1.c.
    - CVE-2022-30522
  * SECURITY UPDATE: Returning point past of the buffer
    - debian/patches/CVE-2022-30556.patch: use filters consistently in modules/lua/lua_request.c.
    - CVE-2022-30556
  * SECURITY UPDATE: Bypass IP authentication
    - debian/patches/CVE-2022-31813.patch: to clear hop-by-hop first and fixup last in modules/proxy/proxy_util.c.
    - CVE-2022-31813
 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 14 Jun 2022 09:33:28 -0300
apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium
  * Merge with Debian unstable (LP: #1971248). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook. (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/s/include-binaries: replace Debian with Ubuntu on default page and add Ubuntu icon file. (LP 1288690)
    - d/index.html, d/icons/ubuntu-logo.png: Refresh page design and new logo (LP 1966004)
    - d/apache2.postrm: Include md5 sum for updated index.html
  * Dropped:
    - OOB read in mod_lua via crafted request body
      + d/p/CVE-2022-22719.patch: error out if lua_read_body() or lua_write_body() fail in modules/lua/lua_request.c.
      [Fixed in 2.4.53 upstream]
    - HTTP Request Smuggling via error discarding the request body
      + d/p/CVE-2022-22720.patch: simpler connection close logic if discarding the request body fails in modules/http/http_filters.c, server/protocol.c.
      [Fixed in 2.4.53 upstream]
    - overflow via large LimitXMLRequestBody
      + d/p/CVE-2022-22721.patch: make sure and check that LimitXMLRequestBody fits in system memory in server/core.c, server/util.c, server/util_xml.c.
      [Fixed in 2.4.53 upstream]
    - out-of-bounds write in mod_sed
      + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger buffer sizes and unsigned arithmetics in modules/filters/libsed.h, modules/filters/mod_sed.c, modules/filters/sed1.c.
      + d/p/CVE-2022-23943-2.patch: improve the logic flow in modules/filters/mod_sed.c.
      [Fixed in 2.4.53 upstream]
 -- Bryce Harrington <email address hidden> Mon, 23 May 2022 19:34:18 -0700
Available diffs
- diff from 2.4.52-1ubuntu4 to 2.4.53-2ubuntu1 (297.9 KiB)
apache2 (2.4.48-3.1ubuntu3.4) impish; urgency=medium * d/p/mod_http2-Don-t-send-GOAWAY-too-early-when-MaxReques.patch: Don't send GOAWAY too early on new connections when MaxRequestsPerChild has been reached. (LP: #1969629) -- Sergio Durigan Junior <email address hidden> Tue, 26 Apr 2022 15:55:37 -0400
apache2 (2.4.41-4ubuntu3.11) focal; urgency=medium * d/p/mod_http2-Don-t-send-GOAWAY-too-early-when-MaxReques.patch: Don't send GOAWAY too early on new connections when MaxRequestsPerChild has been reached. (LP: #1969629) -- Sergio Durigan Junior <email address hidden> Tue, 26 Apr 2022 14:02:11 -0400
apache2 (2.4.29-1ubuntu4.23) bionic; urgency=medium * d/p/mod_http2-Don-t-send-GOAWAY-too-early-when-MaxReques.patch: Don't send GOAWAY too early on new connections when MaxRequestsPerChild has been reached. (LP: #1969629) -- Sergio Durigan Junior <email address hidden> Mon, 25 Apr 2022 20:46:43 -0400
Superseded in kinetic-release |
Published in jammy-release |
Deleted in jammy-proposed (Reason: Moved to jammy) |
apache2 (2.4.52-1ubuntu4) jammy; urgency=medium * d/apache2.postrm: Include md5 sum for updated index.html -- Bryce Harrington <email address hidden> Thu, 24 Mar 2022 17:35:40 -0700
Available diffs
- diff from 2.4.52-1ubuntu2 to 2.4.52-1ubuntu4 (2.8 KiB)
- diff from 2.4.52-1ubuntu3 to 2.4.52-1ubuntu4 (467 bytes)
Superseded in jammy-proposed |
apache2 (2.4.52-1ubuntu3) jammy; urgency=medium
  * d/index.html:
    - Redesign page's heading for the new logo
    - Use the Ubuntu font where available
    - Update service management directions
    - Copyedit grammar
    - Light reformatting and whitespace cleanup
  * d/icons/ubuntu-logo.png: Refresh ubuntu logo (LP: #1966004)
 -- Bryce Harrington <email address hidden> Wed, 23 Mar 2022 16:18:11 -0700
apache2 (2.4.52-1ubuntu2) jammy; urgency=medium
  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic if discarding the request body fails in modules/http/http_filters.c, server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that LimitXMLRequestBody fits in system memory in server/core.c, server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger buffer sizes and unsigned arithmetics in modules/filters/libsed.h, modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in modules/filters/mod_sed.c.
    - CVE-2022-23943
 -- Marc Deslauriers <email address hidden> Thu, 17 Mar 2022 09:39:54 -0400
apache2 (2.4.41-4ubuntu3.10) focal-security; urgency=medium
  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic if discarding the request body fails in modules/http/http_filters.c, server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that LimitXMLRequestBody fits in system memory in server/core.c, server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger buffer sizes and unsigned arithmetics in modules/filters/libsed.h, modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in modules/filters/mod_sed.c.
    - CVE-2022-23943
 -- Marc Deslauriers <email address hidden> Wed, 16 Mar 2022 12:52:53 -0400
apache2 (2.4.29-1ubuntu4.22) bionic-security; urgency=medium
  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic if discarding the request body fails in modules/http/http_filters.c, server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that LimitXMLRequestBody fits in system memory in server/core.c, server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger buffer sizes and unsigned arithmetics in modules/filters/libsed.h, modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in modules/filters/mod_sed.c.
    - CVE-2022-23943
 -- Marc Deslauriers <email address hidden> Wed, 16 Mar 2022 12:53:42 -0400
apache2 (2.4.48-3.1ubuntu3.3) impish-security; urgency=medium
  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic if discarding the request body fails in modules/http/http_filters.c, server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that LimitXMLRequestBody fits in system memory in server/core.c, server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger buffer sizes and unsigned arithmetics in modules/filters/libsed.h, modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in modules/filters/mod_sed.c.
    - CVE-2022-23943
 -- Marc Deslauriers <email address hidden> Wed, 16 Mar 2022 12:46:16 -0400
apache2 (2.4.52-1ubuntu1) jammy; urgency=medium
  * Merge with Debian unstable (LP: #1959924). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook. (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/s/include-binaries: replace Debian with Ubuntu on default page and add Ubuntu icon file. (LP 1288690)
  * Dropped:
    - d/p/support-openssl3-*.patch: Backport various patches from https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's failure to load when using OpenSSL 3. (LP #1951476)
      [Included in upstream release 2.4.52]
    - d/apache2ctl: Also use systemd for graceful if it is in use. (LP 1832182)
      [This introduced a performance regression.]
    - d/apache2ctl: Also use /run/systemd to check for systemd usage. (LP 1918209)
      [Not needed]
 -- Bryce Harrington <email address hidden> Thu, 03 Feb 2022 10:25:47 -0800
Available diffs
- diff from 2.4.51-2ubuntu1 to 2.4.52-1ubuntu1 (714.5 KiB)
apache2 (2.4.29-1ubuntu4.21) bionic-security; urgency=medium
  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified uri-paths not to be forward-proxied have an http(s) scheme, and that the ones to be forward proxied have a hostname in include/http_protocol.h, modules/http/http_request.c, modules/http2/h2_request.c, modules/proxy/mod_proxy.c, modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs w/ no hostname in modules/proxy/mod_proxy.c, modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in modules/lua/lua_request.c.
    - CVE-2021-44790
 -- Marc Deslauriers <email address hidden> Wed, 05 Jan 2022 09:50:41 -0500
apache2 (2.4.41-4ubuntu3.9) focal-security; urgency=medium
  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified uri-paths not to be forward-proxied have an http(s) scheme, and that the ones to be forward proxied have a hostname in include/http_protocol.h, modules/http/http_request.c, modules/http2/h2_request.c, modules/proxy/mod_proxy.c, modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs w/ no hostname in modules/proxy/mod_proxy.c, modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in modules/lua/lua_request.c.
    - CVE-2021-44790
 -- Marc Deslauriers <email address hidden> Wed, 05 Jan 2022 09:49:56 -0500
apache2 (2.4.46-4ubuntu1.5) hirsute-security; urgency=medium
  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified uri-paths not to be forward-proxied have an http(s) scheme, and that the ones to be forward proxied have a hostname in include/http_protocol.h, modules/http/http_request.c, modules/http2/h2_request.c, modules/proxy/mod_proxy.c, modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs w/ no hostname in modules/proxy/mod_proxy.c, modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in modules/lua/lua_request.c.
    - CVE-2021-44790
 -- Marc Deslauriers <email address hidden> Wed, 05 Jan 2022 09:38:48 -0500
apache2 (2.4.48-3.1ubuntu3.2) impish-security; urgency=medium
  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified uri-paths not to be forward-proxied have an http(s) scheme, and that the ones to be forward proxied have a hostname in include/http_protocol.h, modules/http/http_request.c, modules/http2/h2_request.c, modules/proxy/mod_proxy.c, modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs w/ no hostname in modules/proxy/mod_proxy.c, modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in modules/lua/lua_request.c.
    - CVE-2021-44790
 -- Marc Deslauriers <email address hidden> Wed, 05 Jan 2022 09:29:15 -0500
apache2 (2.4.51-2ubuntu1) jammy; urgency=medium
  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook. (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/s/include-binaries: replace Debian with Ubuntu on default page and add Ubuntu icon file. (LP 1288690)
    - d/p/support-openssl3-*.patch: Backport various patches from https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's failure to load when using OpenSSL 3. (LP #1951476)
  * Dropped:
    - d/apache2ctl: Also use systemd for graceful if it is in use. (LP: 1832182)
      [This introduced a performance regression.]
    - d/apache2ctl: Also use /run/systemd to check for systemd usage. (LP 1918209)
      [Not needed]
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in include/ap_mmn.h, include/http_core.h, include/http_protocol.h, include/http_vhost.h, modules/http2/h2_request.c, server/core.c, server/core_filters.c, server/protocol.c, server/vhost.c.
      [Fixed in 2.4.48-4]
    - debian/patches/CVE-2021-34798.patch: add NULL check in server/scoreboard.c.
      [Fixed in 2.4.49-1]
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for generic worker in modules/proxy/mod_proxy_uwsgi.c.
      [Fixed in 2.4.49-1]
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes substitution logic in server/util.c.
      [Fixed in 2.4.49-1]
    - arbitrary origin server via crafted request uri-path
      + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path parsing in the "proxy:" URL in modules/proxy/mod_proxy.c, modules/proxy/proxy_util.c.
      + debian/patches/CVE-2021-40438.patch: add sanity checks on the configured UDS path in modules/proxy/proxy_util.c.
      [Fixed in 2.4.49-3]
    - SECURITY REGRESSION: Issues in UDS URIs. (LP #1945311)
      + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P rules in modules/mappers/mod_rewrite.c.
      + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty hostname in modules/mappers/mod_rewrite.c, modules/proxy/proxy_util.c.
      [Fixed in 2.4.49-3]
 -- Bryce Harrington <email address hidden> Thu, 16 Dec 2021 14:09:26 -0800
Available diffs
- diff from 2.4.48-3.1ubuntu4 to 2.4.51-2ubuntu1 (570.8 KiB)
apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium * d/p/support-openssl3-*.patch: Backport various patches from https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's failure to load when using OpenSSL 3. (LP: #1951476) -- Sergio Durigan Junior <email address hidden> Fri, 26 Nov 2021 16:07:56 -0500
apache2 (2.4.48-3.1ubuntu3.1) impish; urgency=medium * Revert fix from 2.4.46-1ubuntu2, due to performance regression. (LP 1832182) -- Bryce Harrington <email address hidden> Sun, 14 Nov 2021 23:49:31 +0000
apache2 (2.4.46-4ubuntu1.4) hirsute; urgency=medium * Revert fix from 2.4.46-1ubuntu2, due to performance regression. (LP 1832182) -- Bryce Harrington <email address hidden> Sun, 14 Nov 2021 23:50:00 +0000
apache2 (2.4.29-1ubuntu4.20) bionic; urgency=medium * Revert fix from 2.4.29-1ubuntu4.19, due to performance regression. (LP 1832182) -- Bryce Harrington <email address hidden> Sun, 14 Nov 2021 23:52:18 +0000
apache2 (2.4.41-4ubuntu3.8) focal; urgency=medium * Revert fix from 2.4.41-4ubuntu3.7, due to performance regression. (LP 1832182) -- Bryce Harrington <email address hidden> Thu, 14 Oct 2021 09:24:43 -0700
apache2 (2.4.41-4ubuntu3.7) focal; urgency=medium * d/apache2ctl: Also use systemd for graceful if it is in use. (LP: #1832182) - This extends an earlier fix for the start command to behave similarly for restart / graceful. Fixes service failures on unattended upgrade. -- Bryce Harrington <email address hidden> Tue, 28 Sep 2021 22:28:10 +0000
apache2 (2.4.29-1ubuntu4.19) bionic; urgency=medium * d/apache2ctl: Also use systemd for graceful if it is in use. (LP: #1832182) - This extends an earlier fix for the start command to behave similarly for restart / graceful. Fixes service failures on unattended upgrade. -- Bryce Harrington <email address hidden> Tue, 28 Sep 2021 22:27:27 +0000
Superseded in jammy-release |
Obsolete in impish-release |
Deleted in impish-proposed (Reason: Moved to impish) |
apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311) - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P rules in modules/mappers/mod_rewrite.c. - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty hostname in modules/mappers/mod_rewrite.c, modules/proxy/proxy_util.c. -- Marc Deslauriers <email address hidden> Tue, 28 Sep 2021 08:52:26 -0400
apache2 (2.4.29-1ubuntu4.18) bionic-security; urgency=medium * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311) - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P rules in modules/mappers/mod_rewrite.c. - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty hostname in modules/mappers/mod_rewrite.c, modules/proxy/proxy_util.c. -- Marc Deslauriers <email address hidden> Tue, 28 Sep 2021 07:01:16 -0400
apache2 (2.4.46-4ubuntu1.3) hirsute-security; urgency=medium * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311) - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P rules in modules/mappers/mod_rewrite.c. - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty hostname in modules/mappers/mod_rewrite.c, modules/proxy/proxy_util.c. -- Marc Deslauriers <email address hidden> Tue, 28 Sep 2021 06:57:42 -0400
apache2 (2.4.41-4ubuntu3.6) focal-security; urgency=medium * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311) - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P rules in modules/mappers/mod_rewrite.c. - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty hostname in modules/mappers/mod_rewrite.c, modules/proxy/proxy_util.c. -- Marc Deslauriers <email address hidden> Tue, 28 Sep 2021 07:00:45 -0400
apache2 (2.4.41-4ubuntu3.5) focal-security; urgency=medium * SECURITY UPDATE: request splitting over HTTP/2 - debian/patches/CVE-2021-33193-pre1.patch: process early errors via a dummy HTTP/1.1 request as well in modules/http2/h2.h, modules/http2/h2_request.c, modules/http2/h2_session.c, modules/http2/h2_stream.c. - debian/patches/CVE-2021-33193-pre2.patch: sync with github standalone version 1.15.17 in modules/http2/h2_bucket_beam.c, modules/http2/h2_config.c, modules/http2/h2_config.h, modules/http2/h2_h2.c, modules/http2/h2_headers.c, modules/http2/h2_headers.h, modules/http2/h2_mplx.c, modules/http2/h2_request.c, modules/http2/h2_stream.h, modules/http2/h2_task.c, modules/http2/h2_task.h, modules/http2/h2_version.h. - debian/patches/CVE-2021-33193.patch: refactor request parsing in include/ap_mmn.h, include/http_core.h, include/http_protocol.h, include/http_vhost.h, modules/http2/h2_request.c, server/core.c, server/core_filters.c, server/protocol.c, server/vhost.c. - CVE-2021-33193 * SECURITY UPDATE: NULL deref via malformed requests - debian/patches/CVE-2021-34798.patch: add NULL check in server/scoreboard.c. - CVE-2021-34798 * SECURITY UPDATE: DoS in mod_proxy_uwsgi - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for generic worker in modules/proxy/mod_proxy_uwsgi.c. - CVE-2021-36160 * SECURITY UPDATE: buffer overflow in ap_escape_quotes - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes substitution logic in server/util.c. - CVE-2021-39275 * SECURITY UPDATE: arbitrary origin server via crafted request uri-path - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path parsing in the "proxy:" URL in modules/proxy/mod_proxy.c, modules/proxy/proxy_util.c. - debian/patches/CVE-2021-40438.patch: add sanity checks on the configured UDS path in modules/proxy/proxy_util.c. - CVE-2021-40438 -- Marc Deslauriers <email address hidden> Thu, 23 Sep 2021 12:58:57 -0400
apache2 (2.4.29-1ubuntu4.17) bionic-security; urgency=medium * SECURITY UPDATE: request splitting over HTTP/2 - debian/patches/CVE-2021-33193-pre1.patch: process early errors via a dummy HTTP/1.1 request as well in modules/http2/h2.h, modules/http2/h2_request.c, modules/http2/h2_session.c, modules/http2/h2_stream.c. - debian/patches/CVE-2021-33193-pre2.patch: sync with github standalone version 1.15.17 in modules/http2/h2_bucket_beam.c, modules/http2/h2_config.c, modules/http2/h2_config.h, modules/http2/h2_h2.c, modules/http2/h2_headers.c, modules/http2/h2_headers.h, modules/http2/h2_mplx.c, modules/http2/h2_request.c, modules/http2/h2_stream.h, modules/http2/h2_task.c, modules/http2/h2_task.h, modules/http2/h2_version.h. - debian/patches/CVE-2021-33193.patch: refactor request parsing in include/ap_mmn.h, include/http_core.h, include/http_protocol.h, include/http_vhost.h, modules/http2/h2_request.c, server/core.c, server/core_filters.c, server/protocol.c, server/vhost.c. - CVE-2021-33193 * SECURITY UPDATE: NULL deref via malformed requests - debian/patches/CVE-2021-34798.patch: add NULL check in server/scoreboard.c. - CVE-2021-34798 * SECURITY UPDATE: buffer overflow in ap_escape_quotes - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes substitution logic in server/util.c. - CVE-2021-39275 * SECURITY UPDATE: arbitrary origin server via crafted request uri-path - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path parsing in the "proxy:" URL in modules/proxy/mod_proxy.c, modules/proxy/proxy_util.c. - debian/patches/CVE-2021-40438.patch: add sanity checks on the configured UDS path in modules/proxy/proxy_util.c. - CVE-2021-40438 -- Marc Deslauriers <email address hidden> Thu, 23 Sep 2021 13:01:10 -0400
apache2 (2.4.46-4ubuntu1.2) hirsute-security; urgency=medium * SECURITY UPDATE: request splitting over HTTP/2 - debian/patches/CVE-2021-33193-pre1.patch: process early errors via a dummy HTTP/1.1 request as well in modules/http2/h2.h, modules/http2/h2_request.c, modules/http2/h2_session.c, modules/http2/h2_stream.c. - debian/patches/CVE-2021-33193-pre2.patch: sync with github standalone version 1.15.17 in modules/http2/h2_bucket_beam.c, modules/http2/h2_config.c, modules/http2/h2_config.h, modules/http2/h2_h2.c, modules/http2/h2_headers.c, modules/http2/h2_headers.h, modules/http2/h2_mplx.c, modules/http2/h2_request.c, modules/http2/h2_stream.h, modules/http2/h2_task.c, modules/http2/h2_task.h, modules/http2/h2_version.h. - debian/patches/CVE-2021-33193.patch: refactor request parsing in include/ap_mmn.h, include/http_core.h, include/http_protocol.h, include/http_vhost.h, modules/http2/h2_request.c, server/core.c, server/core_filters.c, server/protocol.c, server/vhost.c. - CVE-2021-33193 * SECURITY UPDATE: NULL deref via malformed requests - debian/patches/CVE-2021-34798.patch: add NULL check in server/scoreboard.c. - CVE-2021-34798 * SECURITY UPDATE: DoS in mod_proxy_uwsgi - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for generic worker in modules/proxy/mod_proxy_uwsgi.c. - CVE-2021-36160 * SECURITY UPDATE: buffer overflow in ap_escape_quotes - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes substitution logic in server/util.c. - CVE-2021-39275 * SECURITY UPDATE: arbitrary origin server via crafted request uri-path - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path parsing in the "proxy:" URL in modules/proxy/mod_proxy.c, modules/proxy/proxy_util.c. - debian/patches/CVE-2021-40438.patch: add sanity checks on the configured UDS path in modules/proxy/proxy_util.c. - CVE-2021-40438 -- Marc Deslauriers <email address hidden> Thu, 23 Sep 2021 12:57:50 -0400
apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium * SECURITY UPDATE: request splitting over HTTP/2 - debian/patches/CVE-2021-33193.patch: refactor request parsing in include/ap_mmn.h, include/http_core.h, include/http_protocol.h, include/http_vhost.h, modules/http2/h2_request.c, server/core.c, server/core_filters.c, server/protocol.c, server/vhost.c. - CVE-2021-33193 * SECURITY UPDATE: NULL deref via malformed requests - debian/patches/CVE-2021-34798.patch: add NULL check in server/scoreboard.c. - CVE-2021-34798 * SECURITY UPDATE: DoS in mod_proxy_uwsgi - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for generic worker in modules/proxy/mod_proxy_uwsgi.c. - CVE-2021-36160 * SECURITY UPDATE: buffer overflow in ap_escape_quotes - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes substitution logic in server/util.c. - CVE-2021-39275 * SECURITY UPDATE: arbitrary origin server via crafted request uri-path - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path parsing in the "proxy:" URL in modules/proxy/mod_proxy.c, modules/proxy/proxy_util.c. - debian/patches/CVE-2021-40438.patch: add sanity checks on the configured UDS path in modules/proxy/proxy_util.c. - CVE-2021-40438 -- Marc Deslauriers <email address hidden> Thu, 23 Sep 2021 12:51:16 -0400
apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium * Merge with Debian unstable. Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. (LP 261198) - debian/apache2.py, debian/apache2-bin.install: Add apport hook. (LP 609177) - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/s/include-binaries: replace Debian with Ubuntu on default page and add Ubuntu icon file. (LP 1288690) - d/apache2ctl: Also use systemd for graceful if it is in use. This extends an earlier fix for the start command to behave similarly for restart / graceful. Fixes service failures on unattended upgrade. (LP 1832182) - d/apache2ctl: Also use /run/systemd to check for systemd usage (LP 1918209) -- Bryce Harrington <email address hidden> Wed, 11 Aug 2021 20:03:24 -0700
Available diffs
- diff from 2.4.48-3ubuntu1 to 2.4.48-3.1ubuntu1 (944 bytes)
apache2 (2.4.48-3ubuntu1) impish; urgency=medium * Merge with Debian unstable. Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. (LP: 261198) - debian/apache2.py, debian/apache2-bin.install: Add apport hook. (LP: 609177) - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/s/include-binaries: replace Debian with Ubuntu on default page and add Ubuntu icon file. (LP: 1288690) - d/apache2ctl: Also use systemd for graceful if it is in use. This extends an earlier fix for the start command to behave similarly for restart / graceful. Fixes service failures on unattended upgrade. (LP: 1832182) - d/apache2ctl: Also use /run/systemd to check for systemd usage (LP: 1918209) * Dropped: - d/t/control, d/t/check-http2: add basic test for http2 support [Fixed in 2.4.48-2] - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing [Fixed in 2.4.48-1] - d/p/CVE-2020-13950.patch: don't dereference NULL proxy connection in modules/proxy/mod_proxy_http.c. [Fixed in 2.4.48 upstream] - d/p/CVE-2020-35452.patch: fast validation of the nonce's base64 to fail early if the format can't match anyway in modules/aaa/mod_auth_digest.c. [Fixed in 2.4.48 upstream] - d/p/CVE-2021-26690.patch: save one apr_strtok() in session_identity_decode() in modules/session/mod_session.c. [Fixed in 2.4.48 upstream] - d/p/CVE-2021-26691.patch: account for the '&' in identity_concat() in modules/session/mod_session.c. [Fixed in 2.4.48 upstream] - d/p/CVE-2021-30641.patch: change default behavior in server/request.c. [Fixed in 2.4.48 upstream] -- Bryce Harrington <email address hidden> Thu, 08 Jul 2021 03:20:46 +0000
Available diffs
- diff from 2.4.46-4ubuntu2 to 2.4.48-3ubuntu1 (533.9 KiB)
- diff from 2.4.46-4ubuntu3 to 2.4.48-3ubuntu1 (533.9 KiB)
apache2 (2.4.41-4ubuntu3.4) focal; urgency=medium * d/p/lp-1930430-Backport-r1865740.patch: fix OCSP in proxy mode (LP: #1930430) -- Christian Ehrhardt <email address hidden> Mon, 05 Jul 2021 09:16:56 +0200
Superseded in impish-proposed |
apache2 (2.4.46-4ubuntu3) impish; urgency=medium * No-change rebuild due to OpenLDAP soname bump. -- Sergio Durigan Junior <email address hidden> Mon, 21 Jun 2021 17:43:48 -0400
Available diffs
- diff from 2.4.46-4ubuntu2 to 2.4.46-4ubuntu3 (362 bytes)
apache2 (2.4.46-4ubuntu2) impish; urgency=medium * SECURITY UPDATE: mod_proxy_http denial of service. - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy connection in modules/proxy/mod_proxy_http.c. - CVE-2020-13950 * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's base64 to fail early if the format can't match anyway in modules/aaa/mod_auth_digest.c. - CVE-2020-35452 * SECURITY UPDATE: DoS via cookie header in mod_session - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in session_identity_decode() in modules/session/mod_session.c. - CVE-2021-26690 * SECURITY UPDATE: heap overflow via SessionHeader - debian/patches/CVE-2021-26691.patch: account for the '&' in identity_concat() in modules/session/mod_session.c. - CVE-2021-26691 * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF' - debian/patches/CVE-2021-30641.patch: change default behavior in server/request.c. - CVE-2021-30641 -- Marc Deslauriers <email address hidden> Thu, 17 Jun 2021 13:09:41 -0400
apache2 (2.4.41-4ubuntu3.3) focal-security; urgency=medium * SECURITY UPDATE: mod_proxy_http denial of service. - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy connection in modules/proxy/mod_proxy_http.c. - CVE-2020-13950 * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's base64 to fail early if the format can't match anyway in modules/aaa/mod_auth_digest.c. - CVE-2020-35452 * SECURITY UPDATE: DoS via cookie header in mod_session - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in session_identity_decode() in modules/session/mod_session.c. - CVE-2021-26690 * SECURITY UPDATE: heap overflow via SessionHeader - debian/patches/CVE-2021-26691.patch: account for the '&' in identity_concat() in modules/session/mod_session.c. - CVE-2021-26691 * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF' - debian/patches/CVE-2021-30641.patch: change default behavior in server/request.c. - CVE-2021-30641 * This update does _not_ include the changes from 2.4.41-4ubuntu3.2 in focal-proposed. -- Marc Deslauriers <email address hidden> Thu, 17 Jun 2021 14:27:53 -0400
apache2 (2.4.46-4ubuntu1.1) hirsute-security; urgency=medium * SECURITY UPDATE: mod_proxy_http denial of service. - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy connection in modules/proxy/mod_proxy_http.c. - CVE-2020-13950 * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's base64 to fail early if the format can't match anyway in modules/aaa/mod_auth_digest.c. - CVE-2020-35452 * SECURITY UPDATE: DoS via cookie header in mod_session - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in session_identity_decode() in modules/session/mod_session.c. - CVE-2021-26690 * SECURITY UPDATE: heap overflow via SessionHeader - debian/patches/CVE-2021-26691.patch: account for the '&' in identity_concat() in modules/session/mod_session.c. - CVE-2021-26691 * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF' - debian/patches/CVE-2021-30641.patch: change default behavior in server/request.c. - CVE-2021-30641 -- Marc Deslauriers <email address hidden> Thu, 17 Jun 2021 13:09:41 -0400
apache2 (2.4.29-1ubuntu4.16) bionic-security; urgency=medium * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's base64 to fail early if the format can't match anyway in modules/aaa/mod_auth_digest.c. - CVE-2020-35452 * SECURITY UPDATE: DoS via cookie header in mod_session - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in session_identity_decode() in modules/session/mod_session.c. - CVE-2021-26690 * SECURITY UPDATE: heap overflow via SessionHeader - debian/patches/CVE-2021-26691.patch: account for the '&' in identity_concat() in modules/session/mod_session.c. - CVE-2021-26691 * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF' - debian/patches/CVE-2021-30641.patch: change default behavior in server/request.c. - CVE-2021-30641 * This update does _not_ include the changes from 2.4.29-1ubuntu4.15 in bionic-proposed. -- Marc Deslauriers <email address hidden> Fri, 18 Jun 2021 07:06:22 -0400
apache2 (2.4.46-1ubuntu1.2) groovy-security; urgency=medium * SECURITY UPDATE: mod_proxy_http denial of service. - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy connection in modules/proxy/mod_proxy_http.c. - CVE-2020-13950 * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's base64 to fail early if the format can't match anyway in modules/aaa/mod_auth_digest.c. - CVE-2020-35452 * SECURITY UPDATE: DoS via cookie header in mod_session - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in session_identity_decode() in modules/session/mod_session.c. - CVE-2021-26690 * SECURITY UPDATE: heap overflow via SessionHeader - debian/patches/CVE-2021-26691.patch: account for the '&' in identity_concat() in modules/session/mod_session.c. - CVE-2021-26691 * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF' - debian/patches/CVE-2021-30641.patch: change default behavior in server/request.c. - CVE-2021-30641 * This update does _not_ include the changes from 2.4.46-1ubuntu1.1 in groovy-proposed. -- Marc Deslauriers <email address hidden> Thu, 17 Jun 2021 13:45:11 -0400
Superseded in impish-release |
Obsolete in hirsute-release |
Deleted in hirsute-proposed (Reason: Moved to hirsute) |
apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium * Merge with Debian unstable, to allow moving from lua5.2 to lua5.3 (LP: #1910372). Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace Debian with Ubuntu on default page. + d/source/include-binaries: add Ubuntu icon file - d/t/control, d/t/check-http2: add basic test for http2 support - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing issue reading error log too quickly after request, by adding a sleep. (LP #1890302) - d/apache2ctl: Also use systemd for graceful if it is in use. This extends an earlier fix for the start command to behave similarly for restart / graceful. Fixes service failures on unattended upgrade. * Drop: - d/perl-framework/t/modules/allowmethods.t: disable reset test. This was re-added by mistake in 2.4.41-1 (Closes #921024) [Included in Debian 2.4.46-3] * d/apache2ctl: Also use /run/systemd to check for systemd usage (LP: #1918209) -- Bryce Harrington <email address hidden> Tue, 09 Mar 2021 00:45:35 +0000
Available diffs
- diff from 2.4.46-2ubuntu1 to 2.4.46-4ubuntu1 (87.1 KiB)
apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium * Merge with Debian unstable. Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace Debian with Ubuntu on default page. + d/source/include-binaries: add Ubuntu icon file - d/t/control, d/t/check-http2: add basic test for http2 support - d/perl-framework/t/modules/allowmethods.t: disable reset test. This was re-added by mistake in 2.4.41-1 (Closes #921024) - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing issue reading error log too quickly after request, by adding a sleep. (LP #1890302) - d/apache2ctl: Also use systemd for graceful if it is in use. This extends an earlier fix for the start command to behave similarly for restart / graceful. Fixes service failures on unattended upgrade.
Available diffs
- diff from 2.4.46-1ubuntu2 to 2.4.46-2ubuntu1 (327.9 KiB)
apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium * d/apache2ctl: Also use systemd for graceful if it is in use. (LP: #1832182) - This extends an earlier fix for the start command to behave similarly for restart / graceful. Fixes service failures on unattended upgrade. -- Bryce Harrington <email address hidden> Mon, 05 Oct 2020 16:06:32 -0700
Deleted in groovy-proposed (Reason: moved to -updates) |
apache2 (2.4.46-1ubuntu1.1) groovy; urgency=medium * d/apache2ctl: Also use systemd for graceful if it is in use. (LP: #1832182) - This extends an earlier fix for the start command to behave similarly for restart / graceful. Fixes service failures on unattended upgrade. -- Bryce Harrington <email address hidden> Fri, 13 Nov 2020 01:36:38 +0000
Deleted in focal-proposed (Reason: moved to -updates) |
apache2 (2.4.41-4ubuntu3.2) focal; urgency=medium * d/apache2ctl: Also use systemd for graceful if it is in use. (LP: #1832182) - This extends an earlier fix for the start command to behave similarly for restart / graceful. Fixes service failures on unattended upgrade. -- Bryce Harrington <email address hidden> Fri, 13 Nov 2020 01:36:32 +0000
Deleted in bionic-proposed (Reason: moved to -updates) |
apache2 (2.4.29-1ubuntu4.15) bionic; urgency=medium * d/apache2ctl: Also use systemd for graceful if it is in use. (LP: #1832182) - This extends an earlier fix for the start command to behave similarly for restart / graceful. Fixes service failures on unattended upgrade. -- Bryce Harrington <email address hidden> Fri, 13 Nov 2020 01:36:35 +0000
Deleted in xenial-proposed (Reason: SRU failed (regression)) |
apache2 (2.4.18-2ubuntu3.18) xenial; urgency=medium * d/apache2ctl: Use systemd for start and graceful if in use. (LP: #1832182) * d/apache2.install: List confdir contents explicitly. Avoids installing *.in templates. (LP: #1899611) -- Bryce Harrington <email address hidden> Fri, 13 Nov 2020 01:36:15 +0000
Superseded in hirsute-release |
Obsolete in groovy-release |
Deleted in groovy-proposed (Reason: moved to Release) |
apache2 (2.4.46-1ubuntu1) groovy; urgency=medium * Merge with Debian unstable. Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace Debian with Ubuntu on default page. + d/source/include-binaries: add Ubuntu icon file - d/t/control, d/t/check-http2: add basic test for http2 support - d/perl-framework/t/modules/allowmethods.t: disable reset test. This was re-added by mistake in 2.4.41-1 (Closes #921024) - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing issue reading error log too quickly after request, by adding a sleep. (LP #1890302) * Dropped: - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream [Unclear if it's still necessary, and upstream hasn't made a release with it yet]
Available diffs
- diff from 2.4.43-1ubuntu2 to 2.4.46-1ubuntu1 (430.1 KiB)
apache2 (2.4.29-1ubuntu4.14) bionic-security; urgency=medium * SECURITY UPDATE: mod_rewrite redirect issue - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags in include/ap_regex.h, server/core.c, server/util_pcre.c. - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow opt-out of pcre defaults in include/ap_regex.h, modules/filters/mod_substitute.c, server/util_pcre.c, server/util_regex.c. - CVE-2020-1927 * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue - debian/patches/CVE-2020-1934.patch: trap bad FTP responses in modules/proxy/mod_proxy_ftp.c. - CVE-2020-1934 * SECURITY UPDATE: DoS via invalid Cache-Digest header - debian/patches/CVE-2020-9490.patch: remove support for abandoned http-wg draft in modules/http2/h2_push.c, modules/http2/h2_push.h. - CVE-2020-9490 * SECURITY UPDATE: concurrent use of memory pools in HTTP/2 module - debian/patches/CVE-2020-11993-pre1.patch: fixed rare cases where a h2 worker could deadlock the main connection in modules/http2/*. - debian/patches/CVE-2020-11993.patch: fix logging and rename terminology in modules/http2/*. - CVE-2020-11993 -- Marc Deslauriers <email address hidden> Wed, 12 Aug 2020 17:33:25 -0400