Change log for apache2 package in Ubuntu

Published in xenial-proposed on 2018-06-13
apache2 (2.4.18-2ubuntu3.9) xenial; urgency=medium

  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a non-existent file path with IncludeOptional.  Closes LP:
    #1766186.

 -- Andreas Hasenack <email address hidden>  Thu, 07 Jun 2018 16:43:03 -0300
Published in artful-proposed on 2018-06-13
apache2 (2.4.27-2ubuntu4.2) artful; urgency=medium

  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a non-existent file path with IncludeOptional.  Closes LP:
    #1766186.

 -- Andreas Hasenack <email address hidden>  Thu, 07 Jun 2018 17:53:23 -0300
Published in bionic-proposed on 2018-06-13
apache2 (2.4.29-1ubuntu4.2) bionic; urgency=medium

  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a non-existent file path with IncludeOptional.  Closes LP:
    #1766186.

 -- Andreas Hasenack <email address hidden>  Thu, 07 Jun 2018 18:10:10 -0300
Published in cosmic-release on 2018-05-23
Deleted in cosmic-proposed (Reason: moved to release)
apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium

  * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
    libapache2-mod-md until we figure out their transitions.  libapache2-mod-md
    in particular is problematic because that makes apache2-bin pull in
    libcurl4 which cannot be coinstalled with libcurl3.  That situation breaks
    the installation of libapache2-mod-shib2.  See
    https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
    for details.
    - Don't ship md.load and remove build-requires that were added because of
      mod-md (see
      https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
    - Remove proxy_uwsgi.load as we are not building it for now (see
      https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)

Deleted in cosmic-proposed on 2018-05-23 (Reason: NBS)
apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable (LP: #1770242). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
  * Drop:
    - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
      + debian/patches/CVE-2017-15710.patch: fix language long names
        detection as short name in modules/aaa/mod_authnz_ldap.c.
      + CVE-2017-15710
    - SECURITY UPDATE: incorrect <FilesMatch> matching
      + debian/patches/CVE-2017-15715.patch: allow to configure
        global/default options for regexes, like caseless matching or
        extended format in include/ap_regex.h, server/core.c,
        server/util_pcre.c.
      + CVE-2017-15715
    - SECURITY UPDATE: mod_session header manipulation
      + debian/patches/CVE-2018-1283.patch: strip Session header when
        SessionEnv is on in modules/session/mod_session.c.
      + CVE-2018-1283
    - SECURITY UPDATE: DoS via specially-crafted request
      + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
        terminated on any error, not only on buffer full in
        server/protocol.c.
      + CVE-2018-1301
    - SECURITY UPDATE: mod_cache_socache DoS
      + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
        to carriage return in modules/cache/mod_cache_socache.c.
      + CVE-2018-1303
    - SECURITY UPDATE: insecure nonce generation
      + debian/patches/CVE-2018-1312.patch: actually use the secret when
        generating nonces in modules/aaa/mod_auth_digest.c.
      + CVE-2018-1312
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allows a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.
      [type=Forking already in the base systemd service file, and
       RemainsAfterExit=no is the default value, so no need to
       customize these anymore.]
    - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
      + added debian/patches/util_ldap_cache_lock_fix.patch
      [Already applied upstream]

Superseded in cosmic-release on 2018-05-23
Deleted in cosmic-proposed (Reason: moved to release)
Published in bionic-updates on 2018-04-30
Published in bionic-security on 2018-04-30
apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: incorrect <FilesMatch> matching
    - debian/patches/CVE-2017-15715.patch: allow to configure
      global/default options for regexes, like caseless matching or
      extended format in include/ap_regex.h, server/core.c,
      server/util_pcre.c.
    - CVE-2017-15715
  * SECURITY UPDATE: mod_session header manipulation
    - debian/patches/CVE-2018-1283.patch: strip Session header when
      SessionEnv is on in modules/session/mod_session.c.
    - CVE-2018-1283
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: mod_cache_socache DoS
    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
      to carriage return in modules/cache/mod_cache_socache.c.
    - CVE-2018-1303
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

 -- Marc Deslauriers <email address hidden>  Wed, 25 Apr 2018 07:38:24 -0400
Published in trusty-updates on 2018-04-19
Published in trusty-security on 2018-04-19
apache2 (2.4.7-1ubuntu4.20) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: incorrect <FilesMatch> matching
    - debian/patches/CVE-2017-15715-pre.patch: add ap_cstr_casecmp[n]() to
      include/httpd.h, server/util.c.
    - debian/patches/CVE-2017-15715.patch: allow to configure
      global/default options for regexes, like caseless matching or
      extended format in include/ap_regex.h, server/core.c,
      server/util_pcre.c.
    - CVE-2017-15715
  * SECURITY UPDATE: mod_session header manipulation
    - debian/patches/CVE-2018-1283.patch: strip Session header when
      SessionEnv is on in modules/session/mod_session.c.
    - CVE-2018-1283
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: mod_cache_socache DoS
    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
      to carriage return in modules/cache/mod_cache_socache.c.
    - CVE-2018-1303
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

 -- Marc Deslauriers <email address hidden>  Wed, 18 Apr 2018 11:13:36 -0400
Published in xenial-updates on 2018-04-19
Published in xenial-security on 2018-04-19
apache2 (2.4.18-2ubuntu3.8) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: incorrect <FilesMatch> matching
    - debian/patches/CVE-2017-15715-pre.patch: add ap_cstr_casecmp[n]() to
      include/httpd.h, server/util.c.
    - debian/patches/CVE-2017-15715.patch: allow to configure
      global/default options for regexes, like caseless matching or
      extended format in include/ap_regex.h, server/core.c,
      server/util_pcre.c.
    - CVE-2017-15715
  * SECURITY UPDATE: mod_session header manipulation
    - debian/patches/CVE-2018-1283.patch: strip Session header when
      SessionEnv is on in modules/session/mod_session.c.
    - CVE-2018-1283
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: mod_cache_socache DoS
    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
      to carriage return in modules/cache/mod_cache_socache.c.
    - CVE-2018-1303
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

 -- Marc Deslauriers <email address hidden>  Wed, 18 Apr 2018 10:53:04 -0400
Published in artful-updates on 2018-04-19
Published in artful-security on 2018-04-19
apache2 (2.4.27-2ubuntu4.1) artful-security; urgency=medium

  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: incorrect <FilesMatch> matching
    - debian/patches/CVE-2017-15715.patch: allow to configure
      global/default options for regexes, like caseless matching or
      extended format in include/ap_regex.h, server/core.c,
      server/util_pcre.c.
    - CVE-2017-15715
  * SECURITY UPDATE: mod_session header manipulation
    - debian/patches/CVE-2018-1283.patch: strip Session header when
      SessionEnv is on in modules/session/mod_session.c.
    - CVE-2018-1283
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: mod_cache_socache DoS
    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
      to carriage return in modules/cache/mod_cache_socache.c.
    - CVE-2018-1303
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

 -- Marc Deslauriers <email address hidden>  Wed, 18 Apr 2018 10:20:05 -0400
Superseded in trusty-updates on 2018-04-19
Deleted in trusty-proposed on 2018-04-20 (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.19) trusty; urgency=medium

  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

 -- Rafael David Tinoco <email address hidden>  Fri, 02 Mar 2018 01:48:33 +0000
Superseded in xenial-updates on 2018-04-19
Deleted in xenial-proposed on 2018-04-20 (Reason: moved to -updates)
apache2 (2.4.18-2ubuntu3.7) xenial; urgency=medium

  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

 -- Rafael David Tinoco <email address hidden>  Thu, 01 Mar 2018 18:29:12 +0000
Superseded in artful-updates on 2018-04-19
Deleted in artful-proposed on 2018-04-20 (Reason: moved to -updates)
apache2 (2.4.27-2ubuntu4) artful; urgency=medium

  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

 -- Rafael David Tinoco <email address hidden>  Fri, 02 Mar 2018 02:14:42 +0000
Superseded in cosmic-release on 2018-05-03
Published in bionic-release on 2018-03-29
Deleted in bionic-proposed (Reason: moved to release)
apache2 (2.4.29-1ubuntu4) bionic; urgency=medium

  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

 -- Rafael David Tinoco <email address hidden>  Fri, 02 Mar 2018 02:19:31 +0000
Deleted in xenial-proposed on 2018-04-03 (Reason: requested by rbasak: It's an SRU verification failure and ...)
apache2 (2.4.18-2ubuntu3.6) xenial; urgency=medium

  * d/p/apache2-bug-1466926-scoreboard-full-[123]-3.patch: backport of upstream
    fixes to avoid issues of workers in graceful shutdown blocking new
    requests (LP: #1466926)

 -- Christian Ehrhardt <email address hidden>  Tue, 14 Nov 2017 15:19:49 +0100
Superseded in bionic-release on 2018-03-29
Deleted in bionic-proposed on 2018-03-30 (Reason: moved to release)
apache2 (2.4.29-1ubuntu3) bionic; urgency=medium

  * Switch back to OpenSSL 1.1.

 -- Dimitri John Ledkov <email address hidden>  Tue, 06 Feb 2018 11:57:20 +0000
Superseded in bionic-release on 2018-02-10
Deleted in bionic-proposed on 2018-02-11 (Reason: moved to release)
apache2 (2.4.29-1ubuntu2) bionic; urgency=medium

  * enable http2 (LP: #1687454) by stopping to disable it
    - debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
    - debian/config-dir/mods-available/http2.load: no more removed.
    - debian/rules: no more removed proxy_http2 from configure.
  * d/t/control, d/t/check-http2: add basic test for http2 support

 -- Christian Ehrhardt <email address hidden>  Tue, 05 Dec 2017 17:25:39 +0100
Superseded in bionic-release on 2017-12-09
Deleted in bionic-proposed on 2017-12-10 (Reason: moved to release)
apache2 (2.4.29-1ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allows a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.
    - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
  * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
    - debian/control: switch BuildDepends to libssl1.0-dev
    - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
    - debian/rules: remove openssl virtual package and logic

Superseded in bionic-release on 2017-11-14
Published in artful-release on 2017-09-21
Deleted in artful-proposed (Reason: moved to release)
apache2 (2.4.27-2ubuntu3) artful; urgency=medium

  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2017 11:05:48 -0400

Superseded in trusty-updates on 2018-04-19
Superseded in trusty-security on 2018-04-19
apache2 (2.4.7-1ubuntu4.18) trusty-security; urgency=medium

  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2017 11:10:30 -0400
Superseded in xenial-updates on 2018-04-19
Superseded in xenial-security on 2018-04-19
apache2 (2.4.18-2ubuntu3.5) xenial-security; urgency=medium

  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2017 11:09:02 -0400
Published in zesty-updates on 2017-09-19
Published in zesty-security on 2017-09-19
apache2 (2.4.25-3ubuntu2.3) zesty-security; urgency=medium

  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2017 11:08:28 -0400
Superseded in artful-release on 2017-09-21
Deleted in artful-proposed on 2017-09-23 (Reason: moved to release)
apache2 (2.4.27-2ubuntu2) artful; urgency=medium

  * Undrop (LP 1658469):
    - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.

 -- Marc Deslauriers <email address hidden>  Wed, 02 Aug 2017 13:04:45 -0400
Superseded in artful-proposed on 2017-08-02
apache2 (2.4.27-2ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1702582). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allows a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.

 -- Nishanth Aravamudan <email address hidden>  Thu, 27 Jul 2017 13:38:39 -0700

Superseded in trusty-updates on 2017-09-19
Superseded in trusty-security on 2017-09-19
apache2 (2.4.7-1ubuntu4.17) trusty-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in
      modules/aaa/mod_auth_digest.c.
    - CVE-2017-9788

 -- Marc Deslauriers <email address hidden>  Thu, 27 Jul 2017 10:34:31 -0400
Superseded in xenial-updates on 2017-09-19
Superseded in xenial-security on 2017-09-19
apache2 (2.4.18-2ubuntu3.4) xenial-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in
      modules/aaa/mod_auth_digest.c.
    - CVE-2017-9788

 -- Marc Deslauriers <email address hidden>  Thu, 27 Jul 2017 10:34:01 -0400
Superseded in zesty-updates on 2017-09-19
Superseded in zesty-security on 2017-09-19
apache2 (2.4.25-3ubuntu2.2) zesty-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in
      modules/aaa/mod_auth_digest.c.
    - CVE-2017-9788

 -- Marc Deslauriers <email address hidden>  Thu, 27 Jul 2017 10:32:31 -0400
Superseded in trusty-updates on 2017-07-27
Superseded in trusty-security on 2017-07-27
apache2 (2.4.7-1ubuntu4.16) trusty-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

 -- Marc Deslauriers <email address hidden>  Mon, 26 Jun 2017 08:04:58 -0400
Obsolete in yakkety-updates on 2018-01-23
Obsolete in yakkety-security on 2018-01-23
apache2 (2.4.18-2ubuntu4.2) yakkety-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

 -- Marc Deslauriers <email address hidden>  Mon, 26 Jun 2017 07:57:04 -0400
Superseded in zesty-updates on 2017-07-27
Superseded in zesty-security on 2017-07-27
apache2 (2.4.25-3ubuntu2.1) zesty-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

 -- Marc Deslauriers <email address hidden>  Mon, 26 Jun 2017 07:50:10 -0400
Superseded in xenial-updates on 2017-07-27
Superseded in xenial-security on 2017-07-27
apache2 (2.4.18-2ubuntu3.3) xenial-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

 -- Marc Deslauriers <email address hidden>  Mon, 26 Jun 2017 07:58:04 -0400
Superseded in trusty-updates on 2017-06-26
Superseded in trusty-security on 2017-06-26
apache2 (2.4.7-1ubuntu4.15) trusty-security; urgency=medium

  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session
      data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in
      modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via
    incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in
      include/http_core.h, include/http_protocol.h, include/httpd.h,
      modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
      server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname
      restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
    may introduce compatibility issues with clients that do not strictly
    follow specifications. A new configuration directive,
    "HttpProtocolOptions Unsafe" can be used to re-enable some of the less
    strict parsing restrictions, at the expense of security.

 -- Marc Deslauriers <email address hidden>  Fri, 05 May 2017 12:52:21 -0400
Superseded in xenial-updates on 2017-06-26
Superseded in xenial-security on 2017-06-26
apache2 (2.4.18-2ubuntu3.2) xenial-security; urgency=medium

  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session
      data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in
      modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via
    incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in
      include/http_core.h, include/http_protocol.h, include/httpd.h,
      modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
      server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname
      restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
    may introduce compatibility issues with clients that do not strictly
    follow specifications. A new configuration directive,
    "HttpProtocolOptions Unsafe" can be used to re-enable some of the less
    strict parsing restrictions, at the expense of security.

 -- Marc Deslauriers <email address hidden>  Fri, 05 May 2017 12:32:00 -0400
Superseded in yakkety-updates on 2017-06-26
Superseded in yakkety-security on 2017-06-26
apache2 (2.4.18-2ubuntu4.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session
      data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in
      modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via
    incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in
      include/http_core.h, include/http_protocol.h, include/httpd.h,
      modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
      server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname
      restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
    may introduce compatibility issues with clients that do not strictly
    follow specifications. A new configuration directive,
    "HttpProtocolOptions Unsafe" can be used to re-enable some of the less
    strict parsing restrictions, at the expense of security.

 -- Marc Deslauriers <email address hidden>  Fri, 05 May 2017 10:51:32 -0400
Superseded in artful-proposed on 2017-07-28
apache2 (2.4.25-3ubuntu3) artful; urgency=medium

  * Re-Drop (LP: #1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

 -- Nishanth Aravamudan <email address hidden>  Mon, 01 May 2017 09:55:11 -0700
Superseded in artful-release on 2017-08-03
Published in zesty-release on 2017-02-22
Deleted in zesty-proposed (Reason: moved to release)
apache2 (2.4.25-3ubuntu2) zesty; urgency=medium

  * Undrop (LP 1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

 -- Nishanth Aravamudan <email address hidden>  Fri, 10 Feb 2017 08:53:43 -0800
Superseded in zesty-proposed on 2017-02-10
apache2 (2.4.25-3ubuntu1) zesty; urgency=medium

  * Merge from Debian unstable (LP: #1663425). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allows a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.
  * Drop (LP: #1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

 -- Nishanth Aravamudan <email address hidden>  Thu, 09 Feb 2017 15:48:28 -0800

Superseded in zesty-release on 2017-02-22
Deleted in zesty-proposed on 2017-02-23 (Reason: moved to release)
apache2 (2.4.23-8ubuntu1) zesty; urgency=medium

  * Merge from Debian unstable (LP: #). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/source/include-binaries: replace Debian with Ubuntu on default
      page.
      [ include-binaries change previously undocumented ]
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.
        [ Previously undocumented ]
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allows a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.
  * Drop:
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]

 -- Nishanth Aravamudan <email address hidden>  Fri, 09 Dec 2016 11:02:38 +0100
Superseded in zesty-release on 2017-02-10
Deleted in zesty-proposed on 2017-02-11 (Reason: moved to release)
apache2 (2.4.23-7ubuntu1) zesty; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allows a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.

Published in trusty-backports on 2016-08-31
apache2 (2.4.10-1ubuntu1.1~ubuntu14.04.2) trusty-backports; urgency=medium

  * CVE-2016-5387 (LP: #1604209)

 -- Mike Gerow <email address hidden>  Thu, 21 Jul 2016 14:53:00 -0700
Deleted in trusty-proposed on 2016-11-21 (Reason: The package was removed due to its SRU bug(s) not being v...)
apache2 (2.4.7-1ubuntu4.14) trusty; urgency=medium

  * d/p/fix_aliasmatch_long_uri.patch: Fix handling memory allocation for very
    long uri in alias match (LP: #1534538)

 -- Wesley Wiedenmeier <email address hidden>  Wed, 20 Jul 2016 19:07:41 -0500
Superseded in zesty-release on 2016-11-16
Obsolete in yakkety-release on 2018-01-23
Deleted in yakkety-proposed on 2018-01-23 (Reason: moved to release)
apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

 -- Marc Deslauriers <email address hidden>  Mon, 18 Jul 2016 14:32:02 -0400

Superseded in trusty-updates on 2017-05-09
Superseded in trusty-security on 2017-05-09
apache2 (2.4.7-1ubuntu4.13) trusty-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jul 2016 08:40:55 -0400
Published in precise-updates on 2016-07-18
Published in precise-security on 2016-07-18
apache2 (2.2.22-1ubuntu1.11) precise-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jul 2016 08:50:27 -0400
Superseded in xenial-updates on 2017-05-09
Superseded in xenial-security on 2017-05-09
apache2 (2.4.18-2ubuntu3.1) xenial-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jul 2016 08:32:26 -0400
Obsolete in wily-updates on 2018-01-22
Obsolete in wily-security on 2018-01-22
apache2 (2.4.12-2ubuntu2.1) wily-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jul 2016 08:39:28 -0400
Deleted in trusty-proposed on 2016-07-19 (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.12) trusty; urgency=medium

  * d/p/fix_aliasmatch_long_uri.patch: Fix handling memory allocation for very
    long uri in alias match (LP: #1534538)

 -- Wesley Wiedenmeier <email address hidden>  Tue, 28 Jun 2016 09:55:36 -0500
Superseded in trusty-updates on 2016-07-18
Deleted in trusty-proposed on 2016-07-20 (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.11) trusty; urgency=medium

  * Fix hang until proxy timeout for Proxy responses with error status and
    "ProxyErrorOverride On" being set (LP: #1495988).

 -- Christian Ehrhardt <email address hidden>  Tue, 07 Jun 2016 16:28:05 +0200
Superseded in trusty-backports on 2016-08-31
apache2 (2.4.10-1ubuntu1.1~ubuntu14.04.1) trusty-backports; urgency=medium

  * No-change backport to trusty (LP: #1335068)

Superseded in trusty-updates on 2016-07-12
Deleted in trusty-proposed on 2016-07-13 (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.10) trusty; urgency=medium

  * Add apache2 specific modification needed along with fix to
    libapache2-mpm-itk so it becomes installable again (LP: #1286882):
    - Removes warning on mpm_itk use
    - Removes conflicts on mpm_itk

 -- Louis Bouchard <email address hidden>  Wed, 20 Apr 2016 16:21:03 +0200
Superseded in yakkety-release on 2016-07-28
Published in xenial-release on 2016-04-16
Deleted in xenial-proposed (Reason: moved to release)
apache2 (2.4.18-2ubuntu3) xenial; urgency=medium

  [ Ryan Harper ]
  * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
    introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
    all, since http2 support is intentionally disabled (see LP 1531864).
  * d/apache2.maintscript: handle removal of http2.load conffile.

  [ Robie Basak ]
  * Re-write Ryan's changelog entry.

 -- Robie Basak <email address hidden>  Fri, 15 Apr 2016 18:00:57 +0000

Superseded in xenial-release on 2016-04-16
Deleted in xenial-proposed on 2016-04-17 (Reason: moved to release)
apache2 (2.4.18-2ubuntu2) xenial; urgency=medium

  * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
    - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
      unit (type=Forking and RemainsAfterExit=no), this allows a correct state synchronisation
      between systemctl status and actual state of apache2 daemon.
    - d/apache2.install: place the apache2-systemd.conf file in the correct location.

 -- Pierre-André MOREY <email address hidden>  Fri, 08 Apr 2016 11:48:00 +0200

Superseded in xenial-release on 2016-04-12
Deleted in xenial-proposed on 2016-04-13 (Reason: moved to release)
apache2 (2.4.18-2ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.

Superseded in xenial-release on 2016-04-06
Deleted in xenial-proposed on 2016-04-07 (Reason: moved to release)
apache2 (2.4.18-1ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.

Superseded in trusty-updates on 2016-06-23
Deleted in trusty-proposed on 2016-06-25 (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.9) trusty; urgency=medium

  * Force disablereuse on for mod_proxy_wstunnel. Fixes "Unable to connect to:
    ws://<maas IP>:/MAAS/ws" errors with maas, and other proxy applications.
    https://bz.apache.org/bugzilla/show_bug.cgi?id=55890
    (LP: #1484696).

 -- Dave Chiluk <email address hidden>  Wed, 13 Jan 2016 15:34:51 -0600
Superseded in xenial-release on 2016-01-22
Deleted in xenial-proposed on 2016-01-23 (Reason: moved to release)
apache2 (2.4.17-3ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.

Superseded in xenial-release on 2015-12-07
Deleted in xenial-proposed on 2015-12-08 (Reason: moved to release)
apache2 (2.4.17-2ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.

Superseded in xenial-release on 2015-11-20
Deleted in xenial-proposed on 2015-11-22 (Reason: moved to release)
apache2 (2.4.17-1ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
  * Drop patches (applied upstream):
    - debian/patches/CVE-2015-3183.patch
    - debian/patches/CVE-2015-3185.patch
  * Drop changes (adopted in Debian):
    - Allow "triggers-awaited" and "triggers-pending" states in addition
      to "installed" when determining whether to defer actions or
      process deferred actions.
  * Don't build experimental http2 module for LTS
    - debian/control: removed libnghttp2-dev Build-Depends (in universe).
    - debian/config-dir/mods-available/http2.load: removed.

Superseded in trusty-updates on 2016-01-27
Deleted in trusty-proposed on 2016-01-28 (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.8) trusty; urgency=medium

  * Fix -D[efined] or <Define>[d] variables lifetime across restarts.
    This fixes incorrect processing of configuration files on reload
    (LP: #1504354).

 -- Jeffrey Hutzelman <email address hidden>  Thu, 08 Oct 2015 19:30:10 -0400
Superseded in trusty-updates on 2015-10-21
Superseded in trusty-proposed on 2015-10-14
apache2 (2.4.7-1ubuntu4.7) trusty; urgency=medium

  * d/p/wstunnel-ssl.patch: mod_proxy_wstunnel: Fix the use of SSL
    connections with the "wss:" scheme.  PR55320.  LP: #1445914
    Submitted by: Alex Liu <alex.leo.ca gmail.com>

 -- Jeffrey Hutzelman <email address hidden>  Thu, 10 Sep 2015 12:50:00 -0400
Superseded in trusty-updates on 2015-10-14
Superseded in trusty-proposed on 2015-09-23
apache2 (2.4.7-1ubuntu4.6) trusty; urgency=medium

  * d/p/fix_rewrite_rule.patch: Add a configurable option to keep mod_dir from
    running when another handler is set. This makes default behavior
    consistent with 2.2, and fixes (LP: #1394403)
    - This adds the configuration option "DirectoryCheckHandler" which is
      present in apache 2.4.8 and later versions. The default value is
      "DirectoryCheckHandler Off".
    - This will change default behavior. Instead of mod_dir running even if
      other rules are being run, mod_dir will only run when no other rules
      have been processed by default. This is the expected behavior of
      mod_dir, and is consistent with the behavior of mod_dir in apache
      versions < 2.4 and > 2.4.8, and so the default value of this
      configuration option will correct the bug.
    - The current default behavior, which is considered to be a bug, can be
      kept by setting "DirectoryCheckHandler On".

 -- Wesley Wiedenmeier <email address hidden>  Tue, 18 Aug 2015 09:36:21 -0500
Superseded in precise-updates on 2016-07-18
Superseded in precise-security on 2016-07-18
apache2 (2.2.22-1ubuntu1.10) precise-security; urgency=medium

  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183

 -- Marc Deslauriers <email address hidden>  Fri, 24 Jul 2015 13:06:25 -0400
Superseded in trusty-updates on 2015-09-23
Superseded in trusty-security on 2016-07-18
apache2 (2.4.7-1ubuntu4.5) trusty-security; urgency=medium

  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

 -- Marc Deslauriers <email address hidden>  Fri, 24 Jul 2015 12:44:36 -0400
Obsolete in vivid-updates on 2018-01-18
Obsolete in vivid-security on 2018-01-18
apache2 (2.4.10-9ubuntu1.1) vivid-security; urgency=medium

  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

 -- Marc Deslauriers <email address hidden>  Fri, 24 Jul 2015 12:25:41 -0400
Superseded in xenial-release on 2015-11-04
Obsolete in wily-release on 2018-01-22
Deleted in wily-proposed on 2018-01-22 (Reason: moved to release)
apache2 (2.4.12-2ubuntu2) wily; urgency=medium

  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

 -- Marc Deslauriers <email address hidden>  Fri, 24 Jul 2015 09:56:09 -0400
Superseded in wily-release on 2015-07-28
Deleted in wily-proposed on 2015-07-29 (Reason: moved to release)
apache2 (2.4.12-2ubuntu1) wily; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Allow "triggers-awaited" and "triggers-pending" states in addition
      to "installed" when determining whether to defer actions or
      process deferred actions.
  * Drop patches (applied upstream):
    - d/p/split-logfile.patch
    - d/p/CVE-2015-0228.patch
  * Drop changes (superseded in Debian):
    - Cherry-pick versioned build-depend on dpkg from Debian for correct
      dpkg-maintscript-helper symlink_to_dir support.
  * Drop changes (adopted in Debian):
    - d/control, d/config-dir/mods-available/ssl.conf,
      d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
      dialog program ask-for-passphrase.
  * Fix cross-building configure line in d/rules, which had bit-rotted in
    previous merges.

Superseded in precise-updates on 2015-07-27
Superseded in precise-security on 2015-07-27
apache2 (2.2.22-1ubuntu1.9) precise-security; urgency=medium

  * SECURITY IMPROVEMENT: add support for ECC keys and ECDH ciphers
    (LP: #1197884)
    - debian/patches/ecc_support.patch: add support to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_toolkit_compat.h, modules/ssl/ssl_util.c,
  * SECURITY IMPROVEMENT: add TLSv1.x options to SSLProtocol (LP: #1400473)
    - debian/patches/tls_options.patch: allow specifying later TLSv1.x
      options in modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
      modules/ssl/ssl_private.h.
  * SECURITY IMPROVEMENT: improve ephemeral key handling, including
    allowing DH parameters to be loaded from SSLCertificateFile and
    disabling EXPORT ciphers.
    - debian/patches/ephemeral_key_handling.patch: numerous improvements to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_dh.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h.

 -- Marc Deslauriers <email address hidden>  Thu, 28 May 2015 12:26:50 -0400
Superseded in trusty-updates on 2015-07-27
Superseded in trusty-security on 2015-07-27
apache2 (2.4.7-1ubuntu4.4) trusty-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c.
    - CVE-2013-5704
  * SECURITY UPDATE: mod_cache denial of service via empty HTTP
    Content-Type header
    - debian/patches/CVE-2014-3581.patch: check for NULL in
      modules/cache/cache_util.c.
    - CVE-2014-3581
 -- Marc Deslauriers <email address hidden>   Tue, 10 Mar 2015 07:42:50 -0400
Superseded in wily-release on 2015-07-20
Obsolete in vivid-release on 2018-01-18
Deleted in vivid-proposed on 2018-01-19 (Reason: moved to release)
apache2 (2.4.10-9ubuntu1) vivid; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/control, d/config-dir/mods-available/ssl.conf,
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - d/p/split-logfile.patch: fix completely broken split-logfile
      command.
    - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
      denial of service in mod_lua via websockets PING
  * debian/tests/ssl-passphrase: Add password responder for
    systemd-ask-passphrase.

Obsolete in utopic-updates on 2016-11-03
Obsolete in utopic-security on 2016-11-03
apache2 (2.4.10-1ubuntu1.1) utopic-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c.
    - CVE-2013-5704
  * SECURITY UPDATE: mod_cache denial of service via empty HTTP
    Content-Type header
    - debian/patches/CVE-2014-3581.patch: check for NULL in
      modules/cache/cache_util.c.
    - CVE-2014-3581
  * SECURITY UPDATE: mod_proxy_fcgi denial of service via long response
    headers
    - debian/patches/CVE-2014-3583.patch: properly handle length in
      modules/aaa/mod_authnz_fcgi.c, modules/proxy/mod_proxy_fcgi.c.
    - CVE-2014-3583
  * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
    directives
    - debian/patches/CVE-2014-8109.patch: handle multiple Require
      directives with different arguments in modules/lua/mod_lua.c.
    - CVE-2014-8109
  * SECURITY UPDATE: denial of service in mod_lua via websockets PING
    - debian/patches/CVE-2015-0228.patch: fix logic in
      modules/lua/lua_request.c.
    - CVE-2015-0228
 -- Marc Deslauriers <email address hidden>   Thu, 05 Mar 2015 12:05:47 -0500
Superseded in precise-updates on 2015-06-02
Superseded in precise-security on 2015-06-02
apache2 (2.2.22-1ubuntu1.8) precise-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c,
      server/core.c, server/protocol.c.
    - CVE-2013-5704
 -- Marc Deslauriers <email address hidden>   Thu, 05 Mar 2015 12:40:00 -0500
Obsolete in lucid-updates on 2016-10-26
Obsolete in lucid-security on 2016-10-26
apache2 (2.2.14-5ubuntu8.15) lucid-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.dpatch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c,
      server/core.c, server/protocol.c.
    - CVE-2013-5704
 -- Marc Deslauriers <email address hidden>   Thu, 05 Mar 2015 12:45:09 -0500
Superseded in vivid-proposed on 2015-03-09
apache2 (2.4.10-8ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
    directives
    - debian/patches/CVE-2014-8109.patch: handle multiple Require
      directives with different arguments in modules/lua/mod_lua.c.
    - CVE-2014-8109
  * SECURITY UPDATE: denial of service in mod_lua via websockets PING
    - debian/patches/CVE-2015-0228.patch: fix logic in
      modules/lua/lua_request.c.
    - CVE-2015-0228
 -- Marc Deslauriers <email address hidden>   Thu, 05 Mar 2015 10:56:34 -0500
Deleted in trusty-proposed on 2015-03-12 (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.2) trusty; urgency=medium

  * d/p/ocsp-stapling-memory-corruption.patch: fix crash on startup due
    to memory corruption while modules are reloaded (LP: #1366174).
    Thanks to Alex Bligh for reporting, debugging, fixing upstream,
    backporting and driving this fix through to Trusty.
 -- Robie Basak <email address hidden>   Thu, 26 Feb 2015 18:11:56 +0000
Superseded in vivid-release on 2015-03-09
Deleted in vivid-proposed on 2015-03-10 (Reason: moved to release)
apache2 (2.4.10-8ubuntu2) vivid; urgency=medium

  * Allow "triggers-awaited" and "triggers-pending" states in addition to
    "installed" when determining whether to defer actions or process
    deferred actions (LP: #1393832).
 -- Colin Watson <email address hidden>   Wed, 26 Nov 2014 11:31:44 +0000
Superseded in vivid-proposed on 2014-11-26
apache2 (2.4.10-8ubuntu1) vivid; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/control, d/config-dir/mods-available/ssl.conf,
      d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
      dialog program ask-for-passphrase.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - d/p/split-logfile.patch: fix completely broken split-logfile
      command.
  * Fixes from Debian included in merge:
    - Crash caused by OCSP stapling code; this was erroneously
      attributed to Debian in my previous merge, but actually only
      appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
  * Cherry-pick versioned build-depend on dpkg from Debian for correct
    dpkg-maintscript-helper symlink_to_dir support.
