Change log for apache2 package in Ubuntu

Published in bionic-release on 2017-11-14
Deleted in bionic-proposed (Reason: moved to release)
apache2 (2.4.29-1ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allows a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.
    - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
  * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
    - debian/control: switch BuildDepends to libssl1.0-dev
    - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
    - debian/rules: remove openssl virtual package and logic

Superseded in bionic-release on 2017-11-14
Published in artful-release on 2017-09-21
Deleted in artful-proposed (Reason: moved to release)
apache2 (2.4.27-2ubuntu3) artful; urgency=medium

  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2017 11:05:48 -0400

Published in trusty-updates on 2017-09-19
Published in trusty-security on 2017-09-19
apache2 (2.4.7-1ubuntu4.18) trusty-security; urgency=medium

  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2017 11:10:30 -0400
Published in xenial-updates on 2017-09-19
Published in xenial-security on 2017-09-19
apache2 (2.4.18-2ubuntu3.5) xenial-security; urgency=medium

  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2017 11:09:02 -0400
Published in zesty-updates on 2017-09-19
Published in zesty-security on 2017-09-19
apache2 (2.4.25-3ubuntu2.3) zesty-security; urgency=medium

  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration
      at run time in server/core.c.
    - CVE-2017-9798

 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2017 11:08:28 -0400
Superseded in artful-release on 2017-09-21
Deleted in artful-proposed on 2017-09-23 (Reason: moved to release)
apache2 (2.4.27-2ubuntu2) artful; urgency=medium

  * Undrop (LP 1658469):
    - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.

 -- Marc Deslauriers <email address hidden>  Wed, 02 Aug 2017 13:04:45 -0400
Superseded in artful-proposed on 2017-08-02
apache2 (2.4.27-2ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1702582). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allows a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.

 -- Nishanth Aravamudan <email address hidden>  Thu, 27 Jul 2017 13:38:39 -0700

Superseded in trusty-updates on 2017-09-19
Superseded in trusty-security on 2017-09-19
apache2 (2.4.7-1ubuntu4.17) trusty-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in
      modules/aaa/mod_auth_digest.c.
    - CVE-2017-9788

 -- Marc Deslauriers <email address hidden>  Thu, 27 Jul 2017 10:34:31 -0400
Superseded in xenial-updates on 2017-09-19
Superseded in xenial-security on 2017-09-19
apache2 (2.4.18-2ubuntu3.4) xenial-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in
      modules/aaa/mod_auth_digest.c.
    - CVE-2017-9788

 -- Marc Deslauriers <email address hidden>  Thu, 27 Jul 2017 10:34:01 -0400
Superseded in zesty-updates on 2017-09-19
Superseded in zesty-security on 2017-09-19
apache2 (2.4.25-3ubuntu2.2) zesty-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in
      modules/aaa/mod_auth_digest.c.
    - CVE-2017-9788

 -- Marc Deslauriers <email address hidden>  Thu, 27 Jul 2017 10:32:31 -0400
Superseded in trusty-updates on 2017-07-27
Superseded in trusty-security on 2017-07-27
apache2 (2.4.7-1ubuntu4.16) trusty-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

 -- Marc Deslauriers <email address hidden>  Mon, 26 Jun 2017 08:04:58 -0400
Published in yakkety-updates on 2017-06-26
Published in yakkety-security on 2017-06-26
apache2 (2.4.18-2ubuntu4.2) yakkety-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

 -- Marc Deslauriers <email address hidden>  Mon, 26 Jun 2017 07:57:04 -0400
Superseded in zesty-updates on 2017-07-27
Superseded in zesty-security on 2017-07-27
apache2 (2.4.25-3ubuntu2.1) zesty-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

 -- Marc Deslauriers <email address hidden>  Mon, 26 Jun 2017 07:50:10 -0400
Superseded in xenial-updates on 2017-07-27
Superseded in xenial-security on 2017-07-27
apache2 (2.4.18-2ubuntu3.3) xenial-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

 -- Marc Deslauriers <email address hidden>  Mon, 26 Jun 2017 07:58:04 -0400
Superseded in trusty-updates on 2017-06-26
Superseded in trusty-security on 2017-06-26
apache2 (2.4.7-1ubuntu4.15) trusty-security; urgency=medium

  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session
      data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in
      modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via
    incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in
      include/http_core.h, include/http_protocol.h, include/httpd.h,
      modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
      server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname
      restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
    may introduce compatibility issues with clients that do not strictly
    follow specifications. A new configuration directive,
    "HttpProtocolOptions Unsafe" can be used to re-enable some of the less
    strict parsing restrictions, at the expense of security.

 -- Marc Deslauriers <email address hidden>  Fri, 05 May 2017 12:52:21 -0400
Superseded in xenial-updates on 2017-06-26
Superseded in xenial-security on 2017-06-26
apache2 (2.4.18-2ubuntu3.2) xenial-security; urgency=medium

  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session
      data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in
      modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via
    incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in
      include/http_core.h, include/http_protocol.h, include/httpd.h,
      modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
      server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname
      restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
    may introduce compatibility issues with clients that do not strictly
    follow specifications. A new configuration directive,
    "HttpProtocolOptions Unsafe" can be used to re-enable some of the less
    strict parsing restrictions, at the expense of security.

 -- Marc Deslauriers <email address hidden>  Fri, 05 May 2017 12:32:00 -0400
Superseded in yakkety-updates on 2017-06-26
Superseded in yakkety-security on 2017-06-26
apache2 (2.4.18-2ubuntu4.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session
      data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in
      modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via
    incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in
      include/http_core.h, include/http_protocol.h, include/httpd.h,
      modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
      server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname
      restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
    may introduce compatibility issues with clients that do not strictly
    follow specifications. A new configuration directive,
    "HttpProtocolOptions Unsafe" can be used to re-enable some of the less
    strict parsing restrictions, at the expense of security.

 -- Marc Deslauriers <email address hidden>  Fri, 05 May 2017 10:51:32 -0400
Superseded in artful-proposed on 2017-07-28
apache2 (2.4.25-3ubuntu3) artful; urgency=medium

  * Re-Drop (LP: #1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

 -- Nishanth Aravamudan <email address hidden>  Mon, 01 May 2017 09:55:11 -0700
Superseded in artful-release on 2017-08-03
Published in zesty-release on 2017-02-22
Deleted in zesty-proposed (Reason: moved to release)
apache2 (2.4.25-3ubuntu2) zesty; urgency=medium

  * Undrop (LP 1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

 -- Nishanth Aravamudan <email address hidden>  Fri, 10 Feb 2017 08:53:43 -0800
Superseded in zesty-proposed on 2017-02-10
apache2 (2.4.25-3ubuntu1) zesty; urgency=medium

  * Merge from Debian unstable (LP: #1663425). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allows a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.
  * Drop (LP: #1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

 -- Nishanth Aravamudan <email address hidden>  Thu, 09 Feb 2017 15:48:28 -0800

Superseded in zesty-release on 2017-02-22
Deleted in zesty-proposed on 2017-02-23 (Reason: moved to release)
apache2 (2.4.23-8ubuntu1) zesty; urgency=medium

  * Merge from Debian unstable (LP: #). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/source/include-binaries: replace Debian with Ubuntu on default
      page.
      [ include-binaries change previously undocumented ]
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.
        [ Previously undocumented ]
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allows a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.
  * Drop:
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]

 -- Nishanth Aravamudan <email address hidden>  Fri, 09 Dec 2016 11:02:38 +0100
Superseded in zesty-release on 2017-02-10
Deleted in zesty-proposed on 2017-02-11 (Reason: moved to release)
apache2 (2.4.23-7ubuntu1) zesty; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allows a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.

Published in trusty-backports on 2016-08-31
apache2 (2.4.10-1ubuntu1.1~ubuntu14.04.2) trusty-backports; urgency=medium

  * CVE-2016-5387 (LP: #1604209)

 -- Mike Gerow <email address hidden>  Thu, 21 Jul 2016 14:53:00 -0700
Deleted in trusty-proposed on 2016-11-21 (Reason: The package was removed due to its SRU bug(s) not being v...)
apache2 (2.4.7-1ubuntu4.14) trusty; urgency=medium

  * d/p/fix_aliasmatch_long_uri.patch: Fix handling memory allocation for very
    long uri in alias match (LP: #1534538)

 -- Wesley Wiedenmeier <email address hidden>  Wed, 20 Jul 2016 19:07:41 -0500
Superseded in zesty-release on 2016-11-16
Published in yakkety-release on 2016-07-28
Deleted in yakkety-proposed (Reason: moved to release)
apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

 -- Marc Deslauriers <email address hidden>  Mon, 18 Jul 2016 14:32:02 -0400

Superseded in trusty-updates on 2017-05-09
Superseded in trusty-security on 2017-05-09
apache2 (2.4.7-1ubuntu4.13) trusty-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jul 2016 08:40:55 -0400
Published in precise-updates on 2016-07-18
Published in precise-security on 2016-07-18
apache2 (2.2.22-1ubuntu1.11) precise-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jul 2016 08:50:27 -0400
Superseded in xenial-updates on 2017-05-09
Superseded in xenial-security on 2017-05-09
apache2 (2.4.18-2ubuntu3.1) xenial-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jul 2016 08:32:26 -0400
Published in wily-updates on 2016-07-18
Published in wily-security on 2016-07-18
apache2 (2.4.12-2ubuntu2.1) wily-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jul 2016 08:39:28 -0400
Deleted in trusty-proposed on 2016-07-19 (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.12) trusty; urgency=medium

  * d/p/fix_aliasmatch_long_uri.patch: Fix handling memory allocation for very
    long uri in alias match (LP: #1534538)

 -- Wesley Wiedenmeier <email address hidden>  Tue, 28 Jun 2016 09:55:36 -0500
Superseded in trusty-updates on 2016-07-18
Deleted in trusty-proposed on 2016-07-20 (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.11) trusty; urgency=medium

  * Fix hang until proxy timeout for Proxy responses with error status and
    "ProxyErrorOverride On" being set (LP: #1495988).

 -- Christian Ehrhardt <email address hidden>  Tue, 07 Jun 2016 16:28:05 +0200
Superseded in trusty-backports on 2016-08-31
apache2 (2.4.10-1ubuntu1.1~ubuntu14.04.1) trusty-backports; urgency=medium

  * No-change backport to trusty (LP: #1335068)

Superseded in trusty-updates on 2016-07-12
Deleted in trusty-proposed on 2016-07-13 (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.10) trusty; urgency=medium

  * Add apache2 specific modification needed along with fix to
    libapache2-mpm-itk so it becomes installable again (LP: #1286882):
    - Removes warning on mpm_itk use
    - Removes conflicts on mpm_itk

 -- Louis Bouchard <email address hidden>  Wed, 20 Apr 2016 16:21:03 +0200
Superseded in yakkety-release on 2016-07-28
Published in xenial-release on 2016-04-16
Deleted in xenial-proposed (Reason: moved to release)
apache2 (2.4.18-2ubuntu3) xenial; urgency=medium

  [ Ryan Harper ]
  * Drop /etc/apache2/mods-available/http2.load. This was inadvertently
    introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
    all, since http2 support is intentionally disabled (see LP 1531864).
  * d/apache2.maintscript: handle removal of http2.load conffile.

  [ Robie Basak ]
  * Re-write Ryan's changelog entry.

 -- Robie Basak <email address hidden>  Fri, 15 Apr 2016 18:00:57 +0000

Superseded in xenial-release on 2016-04-16
Deleted in xenial-proposed on 2016-04-17 (Reason: moved to release)
apache2 (2.4.18-2ubuntu2) xenial; urgency=medium

  * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
    - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
      unit (type=Forking and RemainsAfterExit=no), this allows a correct state synchronisation
      between systemctl status and actual state of apache2 daemon.
    - d/apache2.install: place the apache2-systemd.conf file in the correct location.

 -- Pierre-André MOREY <email address hidden>  Fri, 08 Apr 2016 11:48:00 +0200

Superseded in xenial-release on 2016-04-12
Deleted in xenial-proposed on 2016-04-13 (Reason: moved to release)
apache2 (2.4.18-2ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.

Superseded in xenial-release on 2016-04-06
Deleted in xenial-proposed on 2016-04-07 (Reason: moved to release)
apache2 (2.4.18-1ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.

Superseded in trusty-updates on 2016-06-23
Deleted in trusty-proposed on 2016-06-25 (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.9) trusty; urgency=medium

  * Force disablereuse on for mod_proxy_wstunnel. Fixes "Unable to connect to:
    ws://<maas IP>:/MAAS/ws" errors with maas, and other proxy applications.
    https://bz.apache.org/bugzilla/show_bug.cgi?id=55890
    (LP: #1484696).

 -- Dave Chiluk <email address hidden>  Wed, 13 Jan 2016 15:34:51 -0600
Superseded in xenial-release on 2016-01-22
Deleted in xenial-proposed on 2016-01-23 (Reason: moved to release)
apache2 (2.4.17-3ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.

Superseded in xenial-release on 2015-12-07
Deleted in xenial-proposed on 2015-12-08 (Reason: moved to release)
apache2 (2.4.17-2ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.

Superseded in xenial-release on 2015-11-20
Deleted in xenial-proposed on 2015-11-22 (Reason: moved to release)
apache2 (2.4.17-1ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
  * Drop patches (applied upstream):
    - debian/patches/CVE-2015-3183.patch
    - debian/patches/CVE-2015-3185.patch
  * Drop changes (adopted in Debian):
    - Allow "triggers-awaited" and "triggers-pending" states in addition
      to "installed" when determining whether to defer actions or
      process deferred actions.
  * Don't build experimental http2 module for LTS
    - debian/control: removed libnghttp2-dev Build-Depends (in universe).
    - debian/config-dir/mods-available/http2.load: removed.

Superseded in trusty-updates on 2016-01-27
Deleted in trusty-proposed on 2016-01-28 (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.8) trusty; urgency=medium

  * Fix -D[efined] or <Define>[d] variables lifetime across restarts.
    This fixes incorrect processing of configuration files on reload
    (LP: #1504354).

 -- Jeffrey Hutzelman <email address hidden>  Thu, 08 Oct 2015 19:30:10 -0400
Superseded in trusty-updates on 2015-10-21
Superseded in trusty-proposed on 2015-10-14
apache2 (2.4.7-1ubuntu4.7) trusty; urgency=medium

  * d/p/wstunnel-ssl.patch: mod_proxy_wstunnel: Fix the use of SSL
    connections with the "wss:" scheme.  PR55320.  LP: #1445914
    Submitted by: Alex Liu <alex.leo.ca gmail.com>

 -- Jeffrey Hutzelman <email address hidden>  Thu, 10 Sep 2015 12:50:00 -0400
Superseded in trusty-updates on 2015-10-14
Superseded in trusty-proposed on 2015-09-23
apache2 (2.4.7-1ubuntu4.6) trusty; urgency=medium

  * d/p/fix_rewrite_rule.patch: Add a configurable option to keep mod_dir from
    running when another handler is set. This makes default behavior
    consistent with 2.2, and fixes (LP: #1394403)
    - This adds the configuration option "DirectoryCheckHandler" which is
      present in apache 2.4.8 and later versions. The default value is
      "DirectoryCheckHandler Off".
    - This will change default behavior. Instead of mod_dir running even if
      other rules are being run, mod_dir will only run when no other rules
      have been processed by default. This is the expected behavior of
      mod_dir, and is consistent with the behavior of mod_dir in apache
      versions < 2.4 and > 2.4.8, and so the default value of this
      configuration option will correct the bug.
    - The current default behavior, which is considered to be a bug, can be
      kept by setting "DirectoryCheckHandler On".

 -- Wesley Wiedenmeier <email address hidden>  Tue, 18 Aug 2015 09:36:21 -0500
Superseded in precise-updates on 2016-07-18
Superseded in precise-security on 2016-07-18
apache2 (2.2.22-1ubuntu1.10) precise-security; urgency=medium

  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183

 -- Marc Deslauriers <email address hidden>  Fri, 24 Jul 2015 13:06:25 -0400
Superseded in trusty-updates on 2015-09-23
Superseded in trusty-security on 2016-07-18
apache2 (2.4.7-1ubuntu4.5) trusty-security; urgency=medium

  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

 -- Marc Deslauriers <email address hidden>  Fri, 24 Jul 2015 12:44:36 -0400
Published in vivid-updates on 2015-07-27
Published in vivid-security on 2015-07-27
apache2 (2.4.10-9ubuntu1.1) vivid-security; urgency=medium

  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

 -- Marc Deslauriers <email address hidden>  Fri, 24 Jul 2015 12:25:41 -0400
Superseded in xenial-release on 2015-11-04
Published in wily-release on 2015-07-28
Deleted in wily-proposed (Reason: moved to release)
apache2 (2.4.12-2ubuntu2) wily; urgency=medium

  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

 -- Marc Deslauriers <email address hidden>  Fri, 24 Jul 2015 09:56:09 -0400
Superseded in wily-release on 2015-07-28
Deleted in wily-proposed on 2015-07-29 (Reason: moved to release)
apache2 (2.4.12-2ubuntu1) wily; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Allow "triggers-awaited" and "triggers-pending" states in addition
      to "installed" when determining whether to defer actions or
      process deferred actions.
  * Drop patches (applied upstream):
    - d/p/split-logfile.patch
    - d/p/CVE-2015-0228.patch
  * Drop changes (superseded in Debian):
    - Cherry-pick versioned build-depend on dpkg from Debian for correct
      dpkg-maintscript-helper symlink_to_dir support.
  * Drop changes (adopted in Debian):
    - d/control, d/config-dir/mods-available/ssl.conf,
      d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
      dialog program ask-for-passphrase.
  * Fix cross-building configure line in d/rules, which had bit-rotted in
    previous merges.

Superseded in precise-updates on 2015-07-27
Superseded in precise-security on 2015-07-27
apache2 (2.2.22-1ubuntu1.9) precise-security; urgency=medium

  * SECURITY IMPROVEMENT: add support for ECC keys and ECDH ciphers
    (LP: #1197884)
    - debian/patches/ecc_support.patch: add support to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_toolkit_compat.h, modules/ssl/ssl_util.c,
  * SECURITY IMPROVEMENT: add TLSv1.x options to SSLProtocol (LP: #1400473)
    - debian/patches/tls_options.patch: allow specifying later TLSv1.x
      options in modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
      modules/ssl/ssl_private.h.
  * SECURITY IMPROVEMENT: improve ephemeral key handling, including
    allowing DH parameters to be loaded from SSLCertificateFile and
    disabling EXPORT ciphers.
    - debian/patches/ephemeral_key_handling.patch: numerous improvements to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_dh.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h.

 -- Marc Deslauriers <email address hidden>  Thu, 28 May 2015 12:26:50 -0400
Superseded in trusty-updates on 2015-07-27
Superseded in trusty-security on 2015-07-27
apache2 (2.4.7-1ubuntu4.4) trusty-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c.
    - CVE-2013-5704
  * SECURITY UPDATE: mod_cache denial of service via empty HTTP
    Content-Type header
    - debian/patches/CVE-2014-3581.patch: check for NULL in
      modules/cache/cache_util.c.
    - CVE-2014-3581
 -- Marc Deslauriers <email address hidden>   Tue, 10 Mar 2015 07:42:50 -0400
Superseded in wily-release on 2015-07-20
Published in vivid-release on 2015-03-09
Deleted in vivid-proposed (Reason: moved to release)
apache2 (2.4.10-9ubuntu1) vivid; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/control, d/config-dir/mods-available/ssl.conf,
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - d/p/split-logfile.patch: fix completely broken split-logfile
      command.
    - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
      denial of service in mod_lua via websockets PING
  * debian/tests/ssl-passphrase: Add password responder for
    systemd-ask-passphrase.

Obsolete in utopic-updates on 2016-11-03
Obsolete in utopic-security on 2016-11-03
apache2 (2.4.10-1ubuntu1.1) utopic-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c.
    - CVE-2013-5704
  * SECURITY UPDATE: mod_cache denial of service via empty HTTP
    Content-Type header
    - debian/patches/CVE-2014-3581.patch: check for NULL in
      modules/cache/cache_util.c.
    - CVE-2014-3581
  * SECURITY UPDATE: mod_proxy_fcgi denial of service via long response
    headers
    - debian/patches/CVE-2014-3583.patch: properly handle length in
      modules/aaa/mod_authnz_fcgi.c, modules/proxy/mod_proxy_fcgi.c.
    - CVE-2014-3583
  * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
    directives
    - debian/patches/CVE-2014-8109.patch: handle multiple Require
      directives with different arguments in modules/lua/mod_lua.c.
    - CVE-2014-8109
  * SECURITY UPDATE: denial of service in mod_lua via websockets PING
    - debian/patches/CVE-2015-0228.patch: fix logic in
      modules/lua/lua_request.c.
    - CVE-2015-0228
 -- Marc Deslauriers <email address hidden>   Thu, 05 Mar 2015 12:05:47 -0500
Superseded in precise-updates on 2015-06-02
Superseded in precise-security on 2015-06-02
apache2 (2.2.22-1ubuntu1.8) precise-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c,
      server/core.c, server/protocol.c.
    - CVE-2013-5704
 -- Marc Deslauriers <email address hidden>   Thu, 05 Mar 2015 12:40:00 -0500
Obsolete in lucid-updates on 2016-10-26
Obsolete in lucid-security on 2016-10-26
apache2 (2.2.14-5ubuntu8.15) lucid-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.dpatch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c,
      server/core.c, server/protocol.c.
    - CVE-2013-5704
 -- Marc Deslauriers <email address hidden>   Thu, 05 Mar 2015 12:45:09 -0500
Superseded in vivid-proposed on 2015-03-09
apache2 (2.4.10-8ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
    directives
    - debian/patches/CVE-2014-8109.patch: handle multiple Require
      directives with different arguments in modules/lua/mod_lua.c.
    - CVE-2014-8109
  * SECURITY UPDATE: denial of service in mod_lua via websockets PING
    - debian/patches/CVE-2015-0228.patch: fix logic in
      modules/lua/lua_request.c.
    - CVE-2015-0228
 -- Marc Deslauriers <email address hidden>   Thu, 05 Mar 2015 10:56:34 -0500
Deleted in trusty-proposed on 2015-03-12 (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.2) trusty; urgency=medium

  * d/p/ocsp-stapling-memory-corruption.patch: fix crash on startup due
    to memory corruption while modules are reloaded (LP: #1366174).
    Thanks to Alex Bligh for reporting, debugging, fixing upstream,
    backporting and driving this fix through to Trusty.
 -- Robie Basak <email address hidden>   Thu, 26 Feb 2015 18:11:56 +0000
Superseded in vivid-release on 2015-03-09
Deleted in vivid-proposed on 2015-03-10 (Reason: moved to release)
apache2 (2.4.10-8ubuntu2) vivid; urgency=medium

  * Allow "triggers-awaited" and "triggers-pending" states in addition to
    "installed" when determining whether to defer actions or process
    deferred actions (LP: #1393832).
 -- Colin Watson <email address hidden>   Wed, 26 Nov 2014 11:31:44 +0000
Superseded in vivid-proposed on 2014-11-26
apache2 (2.4.10-8ubuntu1) vivid; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/control, d/config-dir/mods-available/ssl.conf,
      d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
      dialog program ask-for-passphrase.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - d/p/split-logfile.patch: fix completely broken split-logfile
      command.
  * Fixes from Debian included in merge:
    - Crash caused by OCSP stapling code; this was erroneously
      attributed to Debian in my previous merge, but actually only
      appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
  * Cherry-pick versioned build-depend on dpkg from Debian for correct
    dpkg-maintscript-helper symlink_to_dir support.

Superseded in vivid-proposed on 2014-11-21
apache2 (2.4.10-7ubuntu1) vivid; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/control, d/config-dir/mods-available/ssl.conf,
      d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
      dialog program ask-for-passphrase.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - d/p/split-logfile.patch: fix completely broken split-logfile command.
  * Fixes from Debian included in merge:
    - Don't use a2query in preinst, as it may not be available yet
      (LP: #1312533).
    - Crash caused by OCSP stapling code (LP: #1366174).
    - Disable SSLv3 in default config (LP: #1358305).
    - If apache2 is not configured yet, defer actions executed via
      apache2-maintscript-helper. This fixes installation failures if a
      module package is configured first (LP: #1312854).

Superseded in vivid-release on 2014-11-26
Obsolete in utopic-release on 2016-11-03
Deleted in utopic-proposed on 2016-11-03 (Reason: moved to release)
apache2 (2.4.10-1ubuntu1) utopic; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
      d/apache2.install: Plymouth aware passphrase dialog program
      ask-for-passphrase.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
      configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
      upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - d/p/split-logfile.patch: fix completely broken split-logfile command.

Superseded in trusty-updates on 2015-03-10
Superseded in trusty-security on 2015-03-10
apache2 (2.4.7-1ubuntu4.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service in mod_proxy
    - debian/patches/CVE-2014-0117.patch: also skip over semicolons in
      modules/proxy/proxy_util.c.
    - CVE-2014-0117
  * SECURITY UPDATE: resource consumption via mod_deflate body
    decompression
    - debian/patches/CVE-2014-0118.patch: added new configuration options
      DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and
      DeflateInflateRatioBurst in modules/filters/mod_deflate.c.
    - CVE-2014-0118
  * SECURITY UPDATE: denial of service via race in mod_status
    - debian/patches/CVE-2014-0226.patch: fix race by adding
      ap_copy_scoreboard_worker() to include/scoreboard.h,
      modules/generators/mod_status.c, modules/lua/lua_request.c,
      server/scoreboard.c.
    - CVE-2014-0226
  * SECURITY UPDATE: denial of service in mod_cgid
    - debian/patches/CVE-2014-0231.patch: added new configuration option
      CGIDScriptTimeout in modules/generators/mod_cgid.c.
    - CVE-2014-0231
 -- Marc Deslauriers <email address hidden>   Mon, 21 Jul 2014 15:46:10 -0400
Superseded in precise-updates on 2015-03-10
Superseded in precise-security on 2015-03-10
apache2 (2.2.22-1ubuntu1.7) precise-security; urgency=medium

  * SECURITY UPDATE: resource consumption via mod_deflate body
    decompression
    - debian/patches/CVE-2014-0118.patch: added new configuration options
      DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and
      DeflateInflateRatioBurst in modules/filters/mod_deflate.c.
    - CVE-2014-0118
  * SECURITY UPDATE: denial of service via race in mod_status
    - debian/patches/CVE-2014-0226.patch: fix race by adding
      ap_copy_scoreboard_worker() to include/scoreboard.h,
      modules/generators/mod_status.c, server/scoreboard.c.
    - CVE-2014-0226
  * SECURITY UPDATE: denial of service in mod_cgid
    - debian/patches/CVE-2014-0231.patch: added new configuration option
      CGIDScriptTimeout in modules/generators/mod_cgid.c.
    - CVE-2014-0231
 -- Marc Deslauriers <email address hidden>   Tue, 22 Jul 2014 09:53:35 -0400
Superseded in lucid-updates on 2015-03-10
Superseded in lucid-security on 2015-03-10
apache2 (2.2.14-5ubuntu8.14) lucid-security; urgency=medium

  * SECURITY UPDATE: resource consumption via mod_deflate body
    decompression
    - debian/patches/CVE-2014-0118.dpatch: added new configuration options
      DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and
      DeflateInflateRatioBurst in modules/filters/mod_deflate.c.
    - CVE-2014-0118
  * SECURITY UPDATE: denial of service via race in mod_status
    - debian/patches/CVE-2014-0226.dpatch: fix race by adding
      ap_copy_scoreboard_worker() to include/scoreboard.h,
      modules/generators/mod_status.c, server/scoreboard.c.
    - CVE-2014-0226
  * SECURITY UPDATE: denial of service in mod_cgid
    - debian/patches/CVE-2014-0231.dpatch: added new configuration option
      CGIDScriptTimeout in modules/generators/mod_cgid.c.
    - CVE-2014-0231
 -- Marc Deslauriers <email address hidden>   Tue, 22 Jul 2014 10:03:41 -0400
Superseded in utopic-release on 2014-07-25
Deleted in utopic-proposed on 2014-07-26 (Reason: moved to release)
apache2 (2.4.9-1ubuntu2) utopic; urgency=medium

  * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
    yet support building against lua 5.2 (LP: #1323930).
 -- Robie Basak <email address hidden>   Wed, 28 May 2014 08:55:25 +0000

Superseded in utopic-release on 2014-05-28
Deleted in utopic-proposed on 2014-05-29 (Reason: moved to release)
apache2 (2.4.9-1ubuntu1) utopic; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
      d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
      dialog program ask-for-passphrase.
    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
      configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from
      upstream
    - Build using lua5.2.
    - d/tests/chroot: dep8 test for ChrootDir case.
    - d/tests/ssl-passphrase: update for new default path /var/www/html.
    - d/tests/duplicate-module-load: check for duplicate module loads.
    - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
    - d/p/split-logfile.patch: fix completely broken split-logfile command
      (LP: #1299162). Thanks to Holger Mauermann.
  * Drop changes (upstreamed):
    - d/p/ignore-quilt-dir: adjust build system so that it does not use
      files found inside the .pc directory. This stops a double module load
      causing later havoc, including "ChrootDir" directive failure.
    - debian/patches/CVE-2013-6438.patch: properly calculate correct length
      in modules/dav/main/util.c.
    - debian/patches/CVE-2014-0098.patch: properly parse tokens in
      modules/loggers/mod_log_config.c.
  * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.

Superseded in utopic-release on 2014-05-09
Published in trusty-release on 2014-04-03
Deleted in trusty-proposed (Reason: moved to release)
apache2 (2.4.7-1ubuntu4) trusty; urgency=medium

  * d/p/split-logfile.patch: fix completely broken split-logfile command
    (LP: #1299162). Thanks to Holger Mauermann.
 -- Robie Basak <email address hidden>   Thu, 03 Apr 2014 11:21:22 +0000

Superseded in precise-updates on 2014-07-23
Deleted in precise-proposed on 2014-07-25 (Reason: moved to -updates)
apache2 (2.2.22-1ubuntu1.6) precise; urgency=low

  * debian/patches/sni.patch:
    - apache2 doesn't compare SNI hostname against Host header
      case-insensitively (lp: #1298273)
 -- Ritesh Khadgaray <email address hidden>   Thu, 27 Mar 2014 15:06:16 +0530
Superseded in trusty-release on 2014-04-03
Deleted in trusty-proposed on 2014-04-04 (Reason: moved to release)
apache2 (2.4.7-1ubuntu3) trusty; urgency=medium

  * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
    calculation
    - debian/patches/CVE-2013-6438.patch: properly calculate correct length
      in modules/dav/main/util.c.
    - CVE-2013-6438
  * SECURITY UPDATE: denial of service via truncated cookie and
    mod_log_config
    - debian/patches/CVE-2014-0098.patch: properly parse tokens in
      modules/loggers/mod_log_config.c.
    - CVE-2014-0098
 -- Marc Deslauriers <email address hidden>   Thu, 20 Mar 2014 08:34:10 -0400

Superseded in lucid-updates on 2014-07-23
Superseded in lucid-security on 2014-07-23
apache2 (2.2.14-5ubuntu8.13) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
    calculation
    - debian/patches/CVE-2013-6438.dpatch: properly calculate correct length
      in modules/dav/main/util.c.
    - CVE-2013-6438
 -- Marc Deslauriers <email address hidden>   Wed, 19 Mar 2014 15:51:06 -0400
Obsolete in quantal-updates on 2015-04-24
Obsolete in quantal-security on 2015-04-24
apache2 (2.2.22-6ubuntu2.4) quantal-security; urgency=medium

  * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
    calculation
    - debian/patches/CVE-2013-6438.patch: properly calculate correct length
      in modules/dav/main/util.c.
    - CVE-2013-6438
  * SECURITY UPDATE: denial of service via truncated cookie and
    mod_log_config
    - debian/patches/CVE-2014-0098.patch: properly parse tokens in
      modules/loggers/mod_log_config.c.
    - CVE-2014-0098
 -- Marc Deslauriers <email address hidden>   Wed, 19 Mar 2014 15:38:47 -0400
Superseded in precise-updates on 2014-05-08
Superseded in precise-security on 2014-07-23
apache2 (2.2.22-1ubuntu1.5) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
    calculation
    - debian/patches/CVE-2013-6438.patch: properly calculate correct length
      in modules/dav/main/util.c.
    - CVE-2013-6438
  * SECURITY UPDATE: denial of service via truncated cookie and
    mod_log_config
    - debian/patches/CVE-2014-0098.patch: properly parse tokens in
      modules/loggers/mod_log_config.c.
    - CVE-2014-0098
 -- Marc Deslauriers <email address hidden>   Wed, 19 Mar 2014 15:42:46 -0400
Obsolete in saucy-updates on 2015-04-24
Obsolete in saucy-security on 2015-04-24
apache2 (2.4.6-2ubuntu2.2) saucy-security; urgency=medium

  * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
    calculation
    - debian/patches/CVE-2013-6438.patch: properly calculate correct length
      in modules/dav/main/util.c.
    - CVE-2013-6438
  * SECURITY UPDATE: denial of service via truncated cookie and
    mod_log_config
    - debian/patches/CVE-2014-0098.patch: properly parse tokens in
      modules/loggers/mod_log_config.c.
    - CVE-2014-0098
 -- Marc Deslauriers <email address hidden>   Wed, 19 Mar 2014 15:32:18 -0400
Superseded in trusty-release on 2014-03-20
Deleted in trusty-proposed on 2014-03-21 (Reason: moved to release)
apache2 (2.4.7-1ubuntu2) trusty; urgency=medium

  * d/index.html: replace Debian with Ubuntu on default page
    (LP: #1288690).
 -- Robie Basak <email address hidden>   Wed, 19 Mar 2014 11:04:21 +0000

Superseded in trusty-release on 2014-03-19
Deleted in trusty-proposed on 2014-03-20 (Reason: moved to release)
apache2 (2.4.7-1ubuntu1) trusty; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/control, d/config-dir/mods-available/ssl.conf,
      d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase:
      Plymouth aware passphrase dialog program ask-for-passphrase.
    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE
      to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes
      from upstream
    - Build using lua5.2.
    - d/tests/chroot: dep8 test for ChrootDir case.
    - d/p/ignore-quilt-dir: adjust build system so that it does not use
      files found inside the .pc directory. This stops a double module load
      causing later havoc, including "ChrootDir" directive failure.
  * Drop changes:
    - debian/{control, rules}: Enable PIE hardening: no longer required;
      2.4.7-1 is already hardened.
    - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved
      out of this package.
  * d/tests/ssl-passphrase: update for new default path /var/www/html.
  * d/tests/duplicate-module-load: check for duplicate module loads.
 -- Robie Basak <email address hidden>   Tue, 14 Jan 2014 17:23:47 +0000
