Change log for apache2 package in Ubuntu

175 of 371 results
Published in impish-proposed
apache2 (2.4.48-3.1ubuntu3.4) impish; urgency=medium

  * d/p/mod_http2-Don-t-send-GOAWAY-too-early-when-MaxReques.patch:
    Don't send GOAWAY too early on new connections when
    MaxRequestsPerChild has been reached.  (LP: #1969629)

 -- Sergio Durigan Junior <email address hidden>  Tue, 26 Apr 2022 15:55:37 -0400
Published in focal-proposed
apache2 (2.4.41-4ubuntu3.11) focal; urgency=medium

  * d/p/mod_http2-Don-t-send-GOAWAY-too-early-when-MaxReques.patch:
    Don't send GOAWAY too early on new connections when
    MaxRequestsPerChild has been reached.  (LP: #1969629)

 -- Sergio Durigan Junior <email address hidden>  Tue, 26 Apr 2022 14:02:11 -0400
Published in bionic-proposed
apache2 (2.4.29-1ubuntu4.23) bionic; urgency=medium

  * d/p/mod_http2-Don-t-send-GOAWAY-too-early-when-MaxReques.patch:
    Don't send GOAWAY too early on new connections when
    MaxRequestsPerChild has been reached.  (LP: #1969629)

 -- Sergio Durigan Junior <email address hidden>  Mon, 25 Apr 2022 20:46:43 -0400
Published in kinetic-release
Published in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
apache2 (2.4.52-1ubuntu4) jammy; urgency=medium

  * d/apache2.postrm: Include md5 sum for updated index.html

 -- Bryce Harrington <email address hidden>  Thu, 24 Mar 2022 17:35:40 -0700
Superseded in jammy-proposed
apache2 (2.4.52-1ubuntu3) jammy; urgency=medium

  * d/index.html:
    - Redesign page's heading for the new logo
    - Use the Ubuntu font where available
    - Update service management directions
    - Copyedit grammar
    - Light reformatting and whitespace cleanup
  * d/icons/ubuntu-logo.png: Refresh ubuntu logo
    (LP: #1966004)

 -- Bryce Harrington <email address hidden>  Wed, 23 Mar 2022 16:18:11 -0700
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
apache2 (2.4.52-1ubuntu2) jammy; urgency=medium

  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
      lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
    request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic
      if discarding the request body fails in modules/http/http_filters.c,
      server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that
      LimitXMLRequestBody fits in system memory in server/core.c,
      server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
      buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
      modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
      modules/filters/mod_sed.c.
    - CVE-2022-23943

 -- Marc Deslauriers <email address hidden>  Thu, 17 Mar 2022 09:39:54 -0400
Published in focal-updates
Published in focal-security
apache2 (2.4.41-4ubuntu3.10) focal-security; urgency=medium

  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
      lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
    request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic
      if discarding the request body fails in modules/http/http_filters.c,
      server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that
      LimitXMLRequestBody fits in system memory in server/core.c,
      server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
      buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
      modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
      modules/filters/mod_sed.c.
    - CVE-2022-23943

 -- Marc Deslauriers <email address hidden>  Wed, 16 Mar 2022 12:52:53 -0400
Published in bionic-updates
Published in bionic-security
apache2 (2.4.29-1ubuntu4.22) bionic-security; urgency=medium

  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
      lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
    request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic
      if discarding the request body fails in modules/http/http_filters.c,
      server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that
      LimitXMLRequestBody fits in system memory in server/core.c,
      server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
      buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
      modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
      modules/filters/mod_sed.c.
    - CVE-2022-23943

 -- Marc Deslauriers <email address hidden>  Wed, 16 Mar 2022 12:53:42 -0400
Published in impish-updates
Published in impish-security
apache2 (2.4.48-3.1ubuntu3.3) impish-security; urgency=medium

  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
      lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
    request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic
      if discarding the request body fails in modules/http/http_filters.c,
      server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that
      LimitXMLRequestBody fits in system memory in server/core.c,
      server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
      buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
      modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
      modules/filters/mod_sed.c.
    - CVE-2022-23943

 -- Marc Deslauriers <email address hidden>  Wed, 16 Mar 2022 12:46:16 -0400
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
apache2 (2.4.52-1ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable (LP: #1959924). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
      (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.
      (LP 1288690)
  * Dropped:
    - d/p/support-openssl3-*.patch: Backport various patches from
      https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
      failure to load when using OpenSSL 3.
      (LP #1951476)
      [Included in upstream release 2.4.52]
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      (LP 1832182)
      [This introduced a performance regression.]
    - d/apache2ctl: Also use /run/systemd to check for systemd usage.
      (LP 1918209)
      [Not needed]

 -- Bryce Harrington <email address hidden>  Thu, 03 Feb 2022 10:25:47 -0800

Available diffs

Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.21) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
      uri-paths not to be forward-proxied have an http(s) scheme, and that
      the ones to be forward proxied have a hostname in
      include/http_protocol.h, modules/http/http_request.c,
      modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
      w/ no hostname in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in
      modules/lua/lua_request.c.
    - CVE-2021-44790

 -- Marc Deslauriers <email address hidden>  Wed, 05 Jan 2022 09:50:41 -0500
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.9) focal-security; urgency=medium

  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
      uri-paths not to be forward-proxied have an http(s) scheme, and that
      the ones to be forward proxied have a hostname in
      include/http_protocol.h, modules/http/http_request.c,
      modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
      w/ no hostname in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in
      modules/lua/lua_request.c.
    - CVE-2021-44790

 -- Marc Deslauriers <email address hidden>  Wed, 05 Jan 2022 09:49:56 -0500
Published in hirsute-updates
Published in hirsute-security
apache2 (2.4.46-4ubuntu1.5) hirsute-security; urgency=medium

  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
      uri-paths not to be forward-proxied have an http(s) scheme, and that
      the ones to be forward proxied have a hostname in
      include/http_protocol.h, modules/http/http_request.c,
      modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
      w/ no hostname in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in
      modules/lua/lua_request.c.
    - CVE-2021-44790

 -- Marc Deslauriers <email address hidden>  Wed, 05 Jan 2022 09:38:48 -0500
Superseded in impish-updates
Superseded in impish-security
apache2 (2.4.48-3.1ubuntu3.2) impish-security; urgency=medium

  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
      uri-paths not to be forward-proxied have an http(s) scheme, and that
      the ones to be forward proxied have a hostname in
      include/http_protocol.h, modules/http/http_request.c,
      modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
      w/ no hostname in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in
      modules/lua/lua_request.c.
    - CVE-2021-44790

 -- Marc Deslauriers <email address hidden>  Wed, 05 Jan 2022 09:29:15 -0500
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
apache2 (2.4.51-2ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
      (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.
      (LP 1288690)
    - d/p/support-openssl3-*.patch: Backport various patches from
      https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
      failure to load when using OpenSSL 3.
      (LP #1951476)
  * Dropped:
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      (LP: 1832182)
      [This introduced a performance regression.]
    - d/apache2ctl: Also use /run/systemd to check for systemd usage.
      (LP 1918209)
      [Not needed]
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
      [Fixed in 2.4.48-4]
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
      [Fixed in 2.4.49-1]
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
      generic worker in modules/proxy/mod_proxy_uwsgi.c.
      [Fixed in 2.4.49-1]
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
      [Fixed in 2.4.49-1]
    - arbitrary origin server via crafted request uri-path
      + debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
        parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
        modules/proxy/proxy_util.c.
      + debian/patches/CVE-2021-40438.patch: add sanity checks on the
        configured UDS path in modules/proxy/proxy_util.c.
      [Fixed in 2.4.49-3]
    - SECURITY REGRESSION: Issues in UDS URIs.  (LP #1945311)
      + debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
        rules in modules/mappers/mod_rewrite.c.
      + debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
        hostname in modules/mappers/mod_rewrite.c,
        modules/proxy/proxy_util.c.
      [Fixed in 2.4.49-3]

 -- Bryce Harrington <email address hidden>  Thu, 16 Dec 2021 14:09:26 -0800
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium

  * d/p/support-openssl3-*.patch: Backport various patches from
    https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
    failure to load when using OpenSSL 3.  (LP: #1951476)

 -- Sergio Durigan Junior <email address hidden>  Fri, 26 Nov 2021 16:07:56 -0500
Superseded in impish-updates
Deleted in impish-proposed (Reason: moved to -updates)
apache2 (2.4.48-3.1ubuntu3.1) impish; urgency=medium

  * Revert fix from 2.4.46-1ubuntu2, due to performance regression.
    (LP 1832182)

 -- Bryce Harrington <email address hidden>  Sun, 14 Nov 2021 23:49:31 +0000
Superseded in hirsute-updates
Deleted in hirsute-proposed (Reason: moved to -updates)
apache2 (2.4.46-4ubuntu1.4) hirsute; urgency=medium

  * Revert fix from 2.4.46-1ubuntu2, due to performance regression.
    (LP 1832182)

 -- Bryce Harrington <email address hidden>  Sun, 14 Nov 2021 23:50:00 +0000
Superseded in bionic-updates
Deleted in bionic-proposed (Reason: moved to -updates)
apache2 (2.4.29-1ubuntu4.20) bionic; urgency=medium

  * Revert fix from 2.4.29-1ubuntu4.19, due to performance regression.
    (LP 1832182)

 -- Bryce Harrington <email address hidden>  Sun, 14 Nov 2021 23:52:18 +0000
Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
apache2 (2.4.41-4ubuntu3.8) focal; urgency=medium

  * Revert fix from 2.4.41-4ubuntu3.7, due to performance regression.
    (LP 1832182)

 -- Bryce Harrington <email address hidden>  Thu, 14 Oct 2021 09:24:43 -0700
Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
apache2 (2.4.41-4ubuntu3.7) focal; urgency=medium

  * d/apache2ctl: Also use systemd for graceful if it is in use.
    (LP: #1832182)
    - This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.

 -- Bryce Harrington <email address hidden>  Tue, 28 Sep 2021 22:28:10 +0000
Superseded in bionic-updates
Deleted in bionic-proposed (Reason: moved to -updates)
apache2 (2.4.29-1ubuntu4.19) bionic; urgency=medium

  * d/apache2ctl: Also use systemd for graceful if it is in use.
    (LP: #1832182)
    - This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.

 -- Bryce Harrington <email address hidden>  Tue, 28 Sep 2021 22:27:27 +0000
Superseded in jammy-release
Published in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <email address hidden>  Tue, 28 Sep 2021 08:52:26 -0400
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.18) bionic-security; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <email address hidden>  Tue, 28 Sep 2021 07:01:16 -0400
Superseded in hirsute-updates
Superseded in hirsute-security
apache2 (2.4.46-4ubuntu1.3) hirsute-security; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <email address hidden>  Tue, 28 Sep 2021 06:57:42 -0400
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.6) focal-security; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <email address hidden>  Tue, 28 Sep 2021 07:00:45 -0400
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.5) focal-security; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193-pre1.patch: process early errors via a
      dummy HTTP/1.1 request as well in modules/http2/h2.h,
      modules/http2/h2_request.c, modules/http2/h2_session.c,
      modules/http2/h2_stream.c.
    - debian/patches/CVE-2021-33193-pre2.patch: sync with github standalone
      version 1.15.17 in modules/http2/h2_bucket_beam.c,
      modules/http2/h2_config.c, modules/http2/h2_config.h,
      modules/http2/h2_h2.c, modules/http2/h2_headers.c,
      modules/http2/h2_headers.h, modules/http2/h2_mplx.c,
      modules/http2/h2_request.c, modules/http2/h2_stream.h,
      modules/http2/h2_task.c, modules/http2/h2_task.h,
      modules/http2/h2_version.h.
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: DoS in mod_proxy_uwsgi
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
      generic worker in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2021-36160
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438

 -- Marc Deslauriers <email address hidden>  Thu, 23 Sep 2021 12:58:57 -0400
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.17) bionic-security; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193-pre1.patch: process early errors via a
      dummy HTTP/1.1 request as well in modules/http2/h2.h,
      modules/http2/h2_request.c, modules/http2/h2_session.c,
      modules/http2/h2_stream.c.
    - debian/patches/CVE-2021-33193-pre2.patch: sync with github standalone
      version 1.15.17 in modules/http2/h2_bucket_beam.c,
      modules/http2/h2_config.c, modules/http2/h2_config.h,
      modules/http2/h2_h2.c, modules/http2/h2_headers.c,
      modules/http2/h2_headers.h, modules/http2/h2_mplx.c,
      modules/http2/h2_request.c, modules/http2/h2_stream.h,
      modules/http2/h2_task.c, modules/http2/h2_task.h,
      modules/http2/h2_version.h.
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438

 -- Marc Deslauriers <email address hidden>  Thu, 23 Sep 2021 13:01:10 -0400
Superseded in hirsute-updates
Superseded in hirsute-security
apache2 (2.4.46-4ubuntu1.2) hirsute-security; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193-pre1.patch: process early errors via a
      dummy HTTP/1.1 request as well in modules/http2/h2.h,
      modules/http2/h2_request.c, modules/http2/h2_session.c,
      modules/http2/h2_stream.c.
    - debian/patches/CVE-2021-33193-pre2.patch: sync with github standalone
      version 1.15.17 in modules/http2/h2_bucket_beam.c,
      modules/http2/h2_config.c, modules/http2/h2_config.h,
      modules/http2/h2_h2.c, modules/http2/h2_headers.c,
      modules/http2/h2_headers.h, modules/http2/h2_mplx.c,
      modules/http2/h2_request.c, modules/http2/h2_stream.h,
      modules/http2/h2_task.c, modules/http2/h2_task.h,
      modules/http2/h2_version.h.
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: DoS in mod_proxy_uwsgi
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
      generic worker in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2021-36160
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438

 -- Marc Deslauriers <email address hidden>  Thu, 23 Sep 2021 12:57:50 -0400
Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: DoS in mod_proxy_uwsgi
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
      generic worker in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2021-36160
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438

 -- Marc Deslauriers <email address hidden>  Thu, 23 Sep 2021 12:51:16 -0400
Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles. (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.  (LP 1288690)
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.  (LP 1832182)
    - d/apache2ctl: Also use /run/systemd to check for systemd usage
      (LP 1918209)

 -- Bryce Harrington <email address hidden>  Wed, 11 Aug 2021 20:03:24 -0700
Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
apache2 (2.4.48-3ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles. (LP: 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP: 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.  (LP: 1288690)
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.  (LP: 1832182)
    - d/apache2ctl: Also use /run/systemd to check for systemd usage
      (LP: 1918209)
  * Dropped:
    - d/t/control, d/t/check-http2: add basic test for http2 support
      [Fixed in 2.4.48-2]
    - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
      [Fixed in 2.4.48-1]
    - d/p/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
      [Fixed in 2.4.48 upstream]
    - d/p/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
      [Fixed in 2.4.48 upstream]
    - d/p/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
      [Fixed in 2.4.48 upstream]
    - d/p/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
      [Fixed in 2.4.48 upstream]
    - d/p/CVE-2021-30641.patch: change default behavior in
      server/request.c.
      [Fixed in 2.4.48 upstream]

 -- Bryce Harrington <email address hidden>  Thu, 08 Jul 2021 03:20:46 +0000
Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
apache2 (2.4.41-4ubuntu3.4) focal; urgency=medium

  * d/p/lp-1930430-Backport-r1865740.patch: fix OCSP in proxy mode
    (LP: #1930430)

 -- Christian Ehrhardt <email address hidden>  Mon, 05 Jul 2021 09:16:56 +0200
Superseded in impish-proposed
apache2 (2.4.46-4ubuntu3) impish; urgency=medium

  * No-change rebuild due to OpenLDAP soname bump.

 -- Sergio Durigan Junior <email address hidden>  Mon, 21 Jun 2021 17:43:48 -0400

Available diffs

Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
apache2 (2.4.46-4ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641

 -- Marc Deslauriers <email address hidden>  Thu, 17 Jun 2021 13:09:41 -0400
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.3) focal-security; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641
  * This update does _not_ include the changes from 2.4.41-4ubuntu3.2 in
    focal-proposed.

 -- Marc Deslauriers <email address hidden>  Thu, 17 Jun 2021 14:27:53 -0400
Superseded in hirsute-updates
Superseded in hirsute-security
apache2 (2.4.46-4ubuntu1.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641

 -- Marc Deslauriers <email address hidden>  Thu, 17 Jun 2021 13:09:41 -0400
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.16) bionic-security; urgency=medium

  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641
  * This update does _not_ include the changes from 2.4.29-1ubuntu4.15 in
    bionic-proposed.

 -- Marc Deslauriers <email address hidden>  Fri, 18 Jun 2021 07:06:22 -0400
Obsolete in groovy-updates
Obsolete in groovy-security
apache2 (2.4.46-1ubuntu1.2) groovy-security; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641
  * This update does _not_ include the changes from 2.4.46-1ubuntu1.1 in
    groovy-proposed.

 -- Marc Deslauriers <email address hidden>  Thu, 17 Jun 2021 13:45:11 -0400
Superseded in impish-release
Published in hirsute-release
Deleted in hirsute-proposed (Reason: Moved to hirsute)
apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium

  * Merge with Debian unstable, to allow moving from lua5.2 to
    lua5.3 (LP: #1910372). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
      issue reading error log too quickly after request, by adding a sleep.
      (LP #1890302)
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.
  * Drop:
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes #921024)
      [Included in Debian 2.4.46-3]
  * d/apache2ctl: Also use /run/systemd to check for systemd usage
    (LP: #1918209)

 -- Bryce Harrington <email address hidden>  Tue, 09 Mar 2021 00:45:35 +0000
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes #921024)
    - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
      issue reading error log too quickly after request, by adding a sleep.
      (LP #1890302)
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.

Available diffs

Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium

  * d/apache2ctl: Also use systemd for graceful if it is in use.
    (LP: #1832182)
    - This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.

 -- Bryce Harrington <email address hidden>  Mon, 05 Oct 2020 16:06:32 -0700
Deleted in groovy-proposed (Reason: moved to -updates)
apache2 (2.4.46-1ubuntu1.1) groovy; urgency=medium

  * d/apache2ctl: Also use systemd for graceful if it is in use.
    (LP: #1832182)
    - This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.

 -- Bryce Harrington <email address hidden>  Fri, 13 Nov 2020 01:36:38 +0000
Deleted in focal-proposed (Reason: moved to -updates)
apache2 (2.4.41-4ubuntu3.2) focal; urgency=medium

  * d/apache2ctl: Also use systemd for graceful if it is in use.
    (LP: #1832182)
    - This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.

 -- Bryce Harrington <email address hidden>  Fri, 13 Nov 2020 01:36:32 +0000
Deleted in bionic-proposed (Reason: moved to -updates)
apache2 (2.4.29-1ubuntu4.15) bionic; urgency=medium

  * d/apache2ctl: Also use systemd for graceful if it is in use.
    (LP: #1832182)
    - This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.

 -- Bryce Harrington <email address hidden>  Fri, 13 Nov 2020 01:36:35 +0000
Deleted in xenial-proposed (Reason: SRU failed (regression))
apache2 (2.4.18-2ubuntu3.18) xenial; urgency=medium

  * d/apache2ctl: Use systemd for start and graceful if in use.
    (LP: #1832182)
  * d/apache2.install: List confdir contents explicitly. Avoids
    installing *.in templates.
    (LP: #1899611)

 -- Bryce Harrington <email address hidden>  Fri, 13 Nov 2020 01:36:15 +0000
Superseded in hirsute-release
Obsolete in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
apache2 (2.4.46-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes #921024)
    - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
      issue reading error log too quickly after request, by adding a sleep.
      (LP #1890302)
  * Dropped:
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
      [Unclear if it's still necessary, and upstream hasn't made a
      release with it yet]

Available diffs

Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.14) bionic-security; urgency=medium

  * SECURITY UPDATE: mod_rewrite redirect issue
    - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
      in include/ap_regex.h, server/core.c, server/util_pcre.c.
    - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
      opt-out of pcre defaults in include/ap_regex.h,
      modules/filters/mod_substitute.c, server/util_pcre.c,
      server/util_regex.c.
    - CVE-2020-1927
  * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
    - debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
      modules/proxy/mod_proxy_ftp.c.
    - CVE-2020-1934
  * SECURITY UPDATE: DoS via invalid Cache-Digest header
    - debian/patches/CVE-2020-9490.patch: remove support for abandoned
      http-wg draft in modules/http2/h2_push.c, modules/http2/h2_push.h.
    - CVE-2020-9490
  * SECURITY UPDATE: concurrent use of memory pools in HTTP/2 module
    - debian/patches/CVE-2020-11993-pre1.patch: fixed rare cases where a h2
      worker could deadlock the main connection in modules/http2/*.
    - debian/patches/CVE-2020-11993.patch: fix logging and rename
      terminology in modules/http2/*.
    - CVE-2020-11993

 -- Marc Deslauriers <email address hidden>  Wed, 12 Aug 2020 17:33:25 -0400
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.1) focal-security; urgency=medium

  * SECURITY UPDATE: mod_rewrite redirect issue
    - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
      in include/ap_regex.h, server/core.c, server/util_pcre.c.
    - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
      opt-out of pcre defaults in include/ap_regex.h,
      modules/filters/mod_substitute.c, server/util_pcre.c,
      server/util_regex.c.
    - CVE-2020-1927
  * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
    - debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
      modules/proxy/mod_proxy_ftp.c.
    - CVE-2020-1934
  * SECURITY UPDATE: DoS via invalid Cache-Digest header
    - debian/patches/CVE-2020-9490.patch: remove support for abandoned
      http-wg draft in modules/http2/h2_push.c, modules/http2/h2_push.h.
    - CVE-2020-9490
  * SECURITY UPDATE: mod_proxy_uwsgi info disclosure and possible RCE
    - debian/patches/CVE-2020-11984.patch: error out on HTTP header larger
      than 16K in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2020-11984
  * SECURITY UPDATE: concurrent use of memory pools in HTTP/2 module
    - debian/patches/CVE-2020-11993-pre1.patch: fixed rare cases where a h2
      worker could deadlock the main connection in modules/http2/*.
    - debian/patches/CVE-2020-11993.patch: fix logging and rename
      terminology in modules/http2/*.
    - CVE-2020-11993

 -- Marc Deslauriers <email address hidden>  Wed, 12 Aug 2020 15:46:17 -0400
Published in xenial-updates
Published in xenial-security
apache2 (2.4.18-2ubuntu3.17) xenial-security; urgency=medium

  * SECURITY UPDATE: mod_rewrite redirect issue
    - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
      in include/ap_regex.h, server/core.c, server/util_pcre.c.
    - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
      opt-out of pcre defaults in include/ap_regex.h,
      modules/filters/mod_substitute.c, server/util_pcre.c,
      server/util_regex.c.
    - CVE-2020-1927
  * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
    - debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
      modules/proxy/mod_proxy_ftp.c.
    - CVE-2020-1934

 -- Marc Deslauriers <email address hidden>  Wed, 12 Aug 2020 17:35:50 -0400

Available diffs

Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
apache2 (2.4.43-1ubuntu2) groovy; urgency=medium

  * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
    issue reading error log too quickly after request, by adding a sleep.
    (LP: #1890302)

 -- Bryce Harrington <email address hidden>  Wed, 05 Aug 2020 12:44:59 -0700

Available diffs

Deleted in xenial-proposed (Reason: moved to -updates)
apache2 (2.4.18-2ubuntu3.16) xenial; urgency=medium

  * On Linux, use pthread mutexes. On kfreebsd/hurd, continue using
    fctnl because they lack robust pthread mutexes.
    (LP: #1565744)

 -- Bryce Harrington <email address hidden>  Thu, 16 Jul 2020 00:20:55 +0000
Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
apache2 (2.4.43-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes #921024)
  * Dropped:
    - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
      parameter to mod_proxy_ajp (LP #1865340)
      [Fixed upstream]
    - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
      mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
      Closes #955348, LP #1872478
      [In 2.4.43-1]

Available diffs

Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
apache2 (2.4.18-2ubuntu3.15) xenial; urgency=medium

  * d/p/lp-1875299-Merge-r1688399-from-trunk.patch: use r_useragent_addr as
    the root trusted address (LP: #1875299)

 -- Christian Ehrhardt <email address hidden>  Mon, 15 Jun 2020 16:09:55 +0200
Superseded in groovy-release
Published in focal-release
Deleted in focal-proposed (Reason: moved to Release)
apache2 (2.4.41-4ubuntu3) focal; urgency=medium

  [ Timo Aaltonen ]
  * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
    mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
    Closes: #955348, LP: #1872478

 -- Andreas Hasenack <email address hidden>  Mon, 13 Apr 2020 14:19:17 -0300
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.13) bionic-security; urgency=medium

  * Add additional missing commits to TLSv1.3 support. (LP: #1867223)
    - debian/patches/tlsv1.3-support-2.patch: fix whitespace and copy/paste
      typos in modules/ssl/ssl_engine_kernel.c.
    - debian/patches/tlsv1.3-support-3.patch: fail with 403 if
      SSL_verify_client_post_handshake fails in
      modules/ssl/ssl_engine_kernel.c.
    - debian/patches/tlsv1.3-support-4.patch: disable AUTO_RETRY mode for
      OpenSSL 1.1.1, which fixes post-handshake authentication in
      modules/ssl/ssl_engine_init.c.
    - debian/patches/tlsv1.3-support-5.patch: retrieve and set
      sslconn->client_cert here for both "modern" and classic access
      control in modules/ssl/ssl_engine_kernel.c.

 -- Marc Deslauriers <email address hidden>  Fri, 13 Mar 2020 08:26:16 -0400

Available diffs

Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
Deleted in focal-release (Reason: back out libxcrypt vs glibc breakage from the release pocket)
Deleted in focal-proposed (Reason: moved to Release)
apache2 (2.4.41-4ubuntu2) focal; urgency=medium

  * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
    parameter to mod_proxy_ajp (LP: #1865340)

 -- Andreas Hasenack <email address hidden>  Thu, 05 Mar 2020 15:51:00 -0300
Superseded in focal-release
Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
apache2 (2.4.41-4ubuntu1) focal; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes #921024)

Superseded in bionic-updates
Deleted in bionic-proposed (Reason: moved to -updates)
apache2 (2.4.29-1ubuntu4.12) bionic; urgency=medium

  * Add TLSv1.3 support. (LP: #1845263)
    - debian/patches/tlsv1.3-support.patch: backport upstream 2.4 commit
      which introduced TLSv1.3 support.

 -- Marc Deslauriers <email address hidden>  Tue, 03 Dec 2019 10:55:03 -0500
Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
apache2 (2.4.18-2ubuntu3.14) xenial; urgency=medium

  * Backport mod_reqtimeout with handshake support (LP: #1846138)
    - d/p/0001-mod-reqtimeout-revent-long-response-times.patch
    - d/p/0002-mod_reqtimeout-fix-body-timeout-disabling-for-CONNECT-request.patch
    - d/p/0003-mod_reqtimeout-Merge-r1853901-r1853906-r1853908-r1853929-r1853935-r.patch

 -- Jesse Williamson <email address hidden>  Tue, 08 Oct 2019 13:31:25 +0000
Superseded in xenial-updates
Superseded in xenial-security
apache2 (2.4.18-2ubuntu3.13) xenial-security; urgency=medium

  * SECURITY REGRESSION:  mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

 -- Steve Beattie <email address hidden>  Mon, 16 Sep 2019 06:13:53 -0700
Obsolete in disco-updates
Obsolete in disco-security
apache2 (2.4.38-2ubuntu2.3) disco-security; urgency=medium

  * SECURITY REGRESSION:  mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

 -- Steve Beattie <email address hidden>  Mon, 16 Sep 2019 05:36:25 -0700
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.11) bionic-security; urgency=medium

  * SECURITY REGRESSION:  mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

 -- Steve Beattie <email address hidden>  Mon, 16 Sep 2019 05:58:48 -0700
Superseded in disco-updates
Superseded in disco-security
apache2 (2.4.38-2ubuntu2.2) disco-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0001-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: mod_remoteip: Stack buffer overflow and NULL
    pointer dereference.
    - d/p/CVE-2019-10097.patch: add better sanity checks.
    - CVE-2019-10097
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092-1
  * SECURITY UPDATE: mod_rewrite potential open redirect
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches

 -- Steve Beattie <email address hidden>  Mon, 26 Aug 2019 06:31:40 -0700
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.10) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092-1
  * SECURITY UPDATE: mod_rewrite potential open redirect.
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches
    - dropped the following patches included above:
      + d/p/CVE-2018-1302.patch
      + d/p/CVE-2018-1333.patch
      + d/p/CVE-2018-11763.patch
      + d/p/CVE-2018-17189.patch
      + d/p/CVE-2019-0196.patch

 -- Steve Beattie <email address hidden>  Mon, 26 Aug 2019 06:41:23 -0700
Superseded in xenial-updates
Superseded in xenial-security
apache2 (2.4.18-2ubuntu3.12) xenial-security; urgency=medium

  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092
  * SECURITY UPDATE: mod_rewrite potential open redirect.
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098

 -- Steve Beattie <email address hidden>  Mon, 26 Aug 2019 06:43:29 -0700
Superseded in focal-release
Obsolete in eoan-release
Deleted in eoan-proposed (Reason: moved to release)
apache2 (2.4.41-1ubuntu1) eoan; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
  * Dropped:
    - Cherrypick upstream testsuite fix:
      + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
      + Similarly use TLSv1.2 for pr12355 and pr43738.
        [Test suite updated in 2.4.41-1]
    - Cherrypick upstream test suite fix for buffer.
      [Included in 2.4.41-1]
    - d/p/spelling-errors.patch: removed hunks already fixed upstream
      [Included in 2.4.39-1]
    - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
      + d/p/CVE-2019-0196.patch
      + d/p/CVE-2019-0211.patch
      + d/p/CVE-2019-0215.patch
      + d/p/CVE-2019-0217.patch
      + d/p/CVE-2019-0220-*.patch
      + d/p/CVE-2019-0197.patch
  * Added:
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes: #921024)

Available diffs

Superseded in eoan-release
Deleted in eoan-proposed (Reason: moved to release)
apache2 (2.4.39-0ubuntu1) eoan; urgency=medium

  * New upstream version: 2.4.39
  * d/p/spelling-errors.patch: removed hunks already fixed upstream
  * Remaining changes:
    - Cherrypick upstream test suite fix for buffer.
    - Cherrypick upstream testsuite fix:
      + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
    - Similarly use TLSv1.2 for pr12355 and pr43738.
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
  * Dropped patches (fixed upstream):
    - d/p/CVE-2019-0196.patch
    - d/p/CVE-2019-0211.patch
    - d/p/CVE-2019-0215.patch
    - d/p/CVE-2019-0217.patch
    - d/p/CVE-2019-0220-*.patch
    - d/p/CVE-2019-0197.patch

 -- Andreas Hasenack <email address hidden>  Mon, 05 Aug 2019 18:09:08 -0300

Available diffs

Obsolete in cosmic-updates
Deleted in cosmic-proposed (Reason: moved to -updates)
apache2 (2.4.34-1ubuntu2.3) cosmic; urgency=medium

  * d/p/ssl-read-rc-value-openssl-1.1.1.patch: Handle SSL_read() return code 0
    similarly to <0 with openssl 1.1.1
  * d/p/clear-retry-flags-before-abort.patch: clear retry flags before
    aborting on client-initiated reneg (LP: #1836329)

 -- Andreas Hasenack <email address hidden>  Tue, 16 Jul 2019 17:27:06 -0300
Superseded in bionic-updates
Deleted in bionic-proposed (Reason: moved to -updates)
apache2 (2.4.29-1ubuntu4.8) bionic; urgency=medium

  * d/p/ssl-read-rc-value-openssl-1.1.1.patch: Handle SSL_read() return code 0
    similarly to <0 with openssl 1.1.1
  * d/p/clear-retry-flags-before-abort.patch: clear retry flags before
    aborting on client-initiated reneg (LP: #1836329)

 -- Andreas Hasenack <email address hidden>  Tue, 16 Jul 2019 15:14:45 -0300
Superseded in cosmic-updates
Deleted in cosmic-proposed (Reason: moved to -updates)
apache2 (2.4.34-1ubuntu2.2) cosmic; urgency=medium

  * d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
    authentication when built with openssl 1.1.1 (LP: #1833039)

 -- Andreas Hasenack <email address hidden>  Fri, 28 Jun 2019 17:41:48 -0300
Superseded in bionic-updates
Deleted in bionic-proposed (Reason: moved to -updates)
apache2 (2.4.29-1ubuntu4.7) bionic; urgency=medium

  * d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
    authentication when built with openssl 1.1.1 (LP: #1833039)

 -- Andreas Hasenack <email address hidden>  Fri, 28 Jun 2019 13:49:35 -0300
Superseded in eoan-release
Deleted in eoan-proposed (Reason: moved to release)
apache2 (2.4.38-3ubuntu2) eoan; urgency=medium

  * Cherrypick upstream test suite fix for buffer.

 -- Dimitri John Ledkov <email address hidden>  Thu, 13 Jun 2019 11:08:24 +0100
Superseded in eoan-proposed
apache2 (2.4.38-3ubuntu1) eoan; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Cherrypick upstream testsuite fix:
      + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
    - Similarly use TLSv1.2 for pr12355 and pr43738.
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
      [Removed configure chunk, not needed since configure.in is being
       patched.]
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support

Superseded in eoan-release
Deleted in eoan-proposed (Reason: moved to release)
apache2 (2.4.38-2ubuntu3) eoan; urgency=medium

  * Cherrypick upstream testsuite fix:
    - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
  * Similarly use TLSv1.2 for pr12355 and pr43738.

 -- Dimitri John Ledkov <email address hidden>  Tue, 07 May 2019 10:39:47 +0100

Available diffs

175 of 371 results