Change log for apache2 package in Ubuntu

Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.6) focal-security; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <email address hidden>  Tue, 28 Sep 2021 07:00:45 -0400
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.5) focal-security; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193-pre1.patch: process early errors via a
      dummy HTTP/1.1 request as well in modules/http2/h2.h,
      modules/http2/h2_request.c, modules/http2/h2_session.c,
      modules/http2/h2_stream.c.
    - debian/patches/CVE-2021-33193-pre2.patch: sync with github standalone
      version 1.15.17 in modules/http2/h2_bucket_beam.c,
      modules/http2/h2_config.c, modules/http2/h2_config.h,
      modules/http2/h2_h2.c, modules/http2/h2_headers.c,
      modules/http2/h2_headers.h, modules/http2/h2_mplx.c,
      modules/http2/h2_request.c, modules/http2/h2_stream.h,
      modules/http2/h2_task.c, modules/http2/h2_task.h,
      modules/http2/h2_version.h.
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: DoS in mod_proxy_uwsgi
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
      generic worker in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2021-36160
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438

 -- Marc Deslauriers <email address hidden>  Thu, 23 Sep 2021 12:58:57 -0400
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.17) bionic-security; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193-pre1.patch: process early errors via a
      dummy HTTP/1.1 request as well in modules/http2/h2.h,
      modules/http2/h2_request.c, modules/http2/h2_session.c,
      modules/http2/h2_stream.c.
    - debian/patches/CVE-2021-33193-pre2.patch: sync with github standalone
      version 1.15.17 in modules/http2/h2_bucket_beam.c,
      modules/http2/h2_config.c, modules/http2/h2_config.h,
      modules/http2/h2_h2.c, modules/http2/h2_headers.c,
      modules/http2/h2_headers.h, modules/http2/h2_mplx.c,
      modules/http2/h2_request.c, modules/http2/h2_stream.h,
      modules/http2/h2_task.c, modules/http2/h2_task.h,
      modules/http2/h2_version.h.
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438

 -- Marc Deslauriers <email address hidden>  Thu, 23 Sep 2021 13:01:10 -0400
Superseded in hirsute-updates
Superseded in hirsute-security
apache2 (2.4.46-4ubuntu1.2) hirsute-security; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193-pre1.patch: process early errors via a
      dummy HTTP/1.1 request as well in modules/http2/h2.h,
      modules/http2/h2_request.c, modules/http2/h2_session.c,
      modules/http2/h2_stream.c.
    - debian/patches/CVE-2021-33193-pre2.patch: sync with github standalone
      version 1.15.17 in modules/http2/h2_bucket_beam.c,
      modules/http2/h2_config.c, modules/http2/h2_config.h,
      modules/http2/h2_h2.c, modules/http2/h2_headers.c,
      modules/http2/h2_headers.h, modules/http2/h2_mplx.c,
      modules/http2/h2_request.c, modules/http2/h2_stream.h,
      modules/http2/h2_task.c, modules/http2/h2_task.h,
      modules/http2/h2_version.h.
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: DoS in mod_proxy_uwsgi
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
      generic worker in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2021-36160
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438

 -- Marc Deslauriers <email address hidden>  Thu, 23 Sep 2021 12:57:50 -0400
Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: DoS in mod_proxy_uwsgi
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
      generic worker in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2021-36160
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438

 -- Marc Deslauriers <email address hidden>  Thu, 23 Sep 2021 12:51:16 -0400
Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles. (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.  (LP 1288690)
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.  (LP 1832182)
    - d/apache2ctl: Also use /run/systemd to check for systemd usage
      (LP 1918209)

 -- Bryce Harrington <email address hidden>  Wed, 11 Aug 2021 20:03:24 -0700
Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
apache2 (2.4.48-3ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles. (LP: 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP: 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.  (LP: 1288690)
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.  (LP: 1832182)
    - d/apache2ctl: Also use /run/systemd to check for systemd usage
      (LP: 1918209)
  * Dropped:
    - d/t/control, d/t/check-http2: add basic test for http2 support
      [Fixed in 2.4.48-2]
    - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
      [Fixed in 2.4.48-1]
    - d/p/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
      [Fixed in 2.4.48 upstream]
    - d/p/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
      [Fixed in 2.4.48 upstream]
    - d/p/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
      [Fixed in 2.4.48 upstream]
    - d/p/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
      [Fixed in 2.4.48 upstream]
    - d/p/CVE-2021-30641.patch: change default behavior in
      server/request.c.
      [Fixed in 2.4.48 upstream]

 -- Bryce Harrington <email address hidden>  Thu, 08 Jul 2021 03:20:46 +0000
Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
apache2 (2.4.41-4ubuntu3.4) focal; urgency=medium

  * d/p/lp-1930430-Backport-r1865740.patch: fix OCSP in proxy mode
    (LP: #1930430)

 -- Christian Ehrhardt <email address hidden>  Mon, 05 Jul 2021 09:16:56 +0200
Superseded in impish-proposed
apache2 (2.4.46-4ubuntu3) impish; urgency=medium

  * No-change rebuild due to OpenLDAP soname bump.

 -- Sergio Durigan Junior <email address hidden>  Mon, 21 Jun 2021 17:43:48 -0400
Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
apache2 (2.4.46-4ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641

 -- Marc Deslauriers <email address hidden>  Thu, 17 Jun 2021 13:09:41 -0400
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.3) focal-security; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641
  * This update does _not_ include the changes from 2.4.41-4ubuntu3.2 in
    focal-proposed.

 -- Marc Deslauriers <email address hidden>  Thu, 17 Jun 2021 14:27:53 -0400
Superseded in hirsute-updates
Superseded in hirsute-security
apache2 (2.4.46-4ubuntu1.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641

 -- Marc Deslauriers <email address hidden>  Thu, 17 Jun 2021 13:09:41 -0400
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.16) bionic-security; urgency=medium

  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641
  * This update does _not_ include the changes from 2.4.29-1ubuntu4.15 in
    bionic-proposed.

 -- Marc Deslauriers <email address hidden>  Fri, 18 Jun 2021 07:06:22 -0400
Obsolete in groovy-updates
Obsolete in groovy-security
apache2 (2.4.46-1ubuntu1.2) groovy-security; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641
  * This update does _not_ include the changes from 2.4.46-1ubuntu1.1 in
    groovy-proposed.

 -- Marc Deslauriers <email address hidden>  Thu, 17 Jun 2021 13:45:11 -0400
Superseded in impish-release
Obsolete in hirsute-release
Deleted in hirsute-proposed (Reason: Moved to hirsute)
apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium

  * Merge with Debian unstable, to allow moving from lua5.2 to
    lua5.3 (LP: #1910372). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
      issue reading error log too quickly after request, by adding a sleep.
      (LP #1890302)
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.
  * Drop:
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes #921024)
      [Included in Debian 2.4.46-3]
  * d/apache2ctl: Also use /run/systemd to check for systemd usage
    (LP: #1918209)

 -- Bryce Harrington <email address hidden>  Tue, 09 Mar 2021 00:45:35 +0000
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes #921024)
    - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
      issue reading error log too quickly after request, by adding a sleep.
      (LP #1890302)
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.

Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium

  * d/apache2ctl: Also use systemd for graceful if it is in use.
    (LP: #1832182)
    - This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.

 -- Bryce Harrington <email address hidden>  Mon, 05 Oct 2020 16:06:32 -0700
Deleted in groovy-proposed (Reason: moved to -updates)
apache2 (2.4.46-1ubuntu1.1) groovy; urgency=medium

  * d/apache2ctl: Also use systemd for graceful if it is in use.
    (LP: #1832182)
    - This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.

 -- Bryce Harrington <email address hidden>  Fri, 13 Nov 2020 01:36:38 +0000
Deleted in focal-proposed (Reason: moved to -updates)
apache2 (2.4.41-4ubuntu3.2) focal; urgency=medium

  * d/apache2ctl: Also use systemd for graceful if it is in use.
    (LP: #1832182)
    - This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.

 -- Bryce Harrington <email address hidden>  Fri, 13 Nov 2020 01:36:32 +0000
Deleted in bionic-proposed (Reason: moved to -updates)
apache2 (2.4.29-1ubuntu4.15) bionic; urgency=medium

  * d/apache2ctl: Also use systemd for graceful if it is in use.
    (LP: #1832182)
    - This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.

 -- Bryce Harrington <email address hidden>  Fri, 13 Nov 2020 01:36:35 +0000
Deleted in xenial-proposed (Reason: SRU failed (regression))
apache2 (2.4.18-2ubuntu3.18) xenial; urgency=medium

  * d/apache2ctl: Use systemd for start and graceful if in use.
    (LP: #1832182)
  * d/apache2.install: List confdir contents explicitly. Avoids
    installing *.in templates.
    (LP: #1899611)

 -- Bryce Harrington <email address hidden>  Fri, 13 Nov 2020 01:36:15 +0000
Superseded in hirsute-release
Obsolete in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
apache2 (2.4.46-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes #921024)
    - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
      issue reading error log too quickly after request, by adding a sleep.
      (LP #1890302)
  * Dropped:
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
      [Unclear if it's still necessary, and upstream hasn't made a
      release with it yet]

Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.14) bionic-security; urgency=medium

  * SECURITY UPDATE: mod_rewrite redirect issue
    - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
      in include/ap_regex.h, server/core.c, server/util_pcre.c.
    - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
      opt-out of pcre defaults in include/ap_regex.h,
      modules/filters/mod_substitute.c, server/util_pcre.c,
      server/util_regex.c.
    - CVE-2020-1927
  * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
    - debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
      modules/proxy/mod_proxy_ftp.c.
    - CVE-2020-1934
  * SECURITY UPDATE: DoS via invalid Cache-Digest header
    - debian/patches/CVE-2020-9490.patch: remove support for abandoned
      http-wg draft in modules/http2/h2_push.c, modules/http2/h2_push.h.
    - CVE-2020-9490
  * SECURITY UPDATE: concurrent use of memory pools in HTTP/2 module
    - debian/patches/CVE-2020-11993-pre1.patch: fixed rare cases where a h2
      worker could deadlock the main connection in modules/http2/*.
    - debian/patches/CVE-2020-11993.patch: fix logging and rename
      terminology in modules/http2/*.
    - CVE-2020-11993

 -- Marc Deslauriers <email address hidden>  Wed, 12 Aug 2020 17:33:25 -0400
Superseded in focal-updates
Superseded in focal-security
apache2 (2.4.41-4ubuntu3.1) focal-security; urgency=medium

  * SECURITY UPDATE: mod_rewrite redirect issue
    - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
      in include/ap_regex.h, server/core.c, server/util_pcre.c.
    - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
      opt-out of pcre defaults in include/ap_regex.h,
      modules/filters/mod_substitute.c, server/util_pcre.c,
      server/util_regex.c.
    - CVE-2020-1927
  * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
    - debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
      modules/proxy/mod_proxy_ftp.c.
    - CVE-2020-1934
  * SECURITY UPDATE: DoS via invalid Cache-Digest header
    - debian/patches/CVE-2020-9490.patch: remove support for abandoned
      http-wg draft in modules/http2/h2_push.c, modules/http2/h2_push.h.
    - CVE-2020-9490
  * SECURITY UPDATE: mod_proxy_uwsgi info disclosure and possible RCE
    - debian/patches/CVE-2020-11984.patch: error out on HTTP header larger
      than 16K in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2020-11984
  * SECURITY UPDATE: concurrent use of memory pools in HTTP/2 module
    - debian/patches/CVE-2020-11993-pre1.patch: fixed rare cases where a h2
      worker could deadlock the main connection in modules/http2/*.
    - debian/patches/CVE-2020-11993.patch: fix logging and rename
      terminology in modules/http2/*.
    - CVE-2020-11993

 -- Marc Deslauriers <email address hidden>  Wed, 12 Aug 2020 15:46:17 -0400
Published in xenial-updates
Published in xenial-security
apache2 (2.4.18-2ubuntu3.17) xenial-security; urgency=medium

  * SECURITY UPDATE: mod_rewrite redirect issue
    - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
      in include/ap_regex.h, server/core.c, server/util_pcre.c.
    - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
      opt-out of pcre defaults in include/ap_regex.h,
      modules/filters/mod_substitute.c, server/util_pcre.c,
      server/util_regex.c.
    - CVE-2020-1927
  * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
    - debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
      modules/proxy/mod_proxy_ftp.c.
    - CVE-2020-1934

 -- Marc Deslauriers <email address hidden>  Wed, 12 Aug 2020 17:35:50 -0400
Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
apache2 (2.4.43-1ubuntu2) groovy; urgency=medium

  * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
    issue reading error log too quickly after request, by adding a sleep.
    (LP: #1890302)

 -- Bryce Harrington <email address hidden>  Wed, 05 Aug 2020 12:44:59 -0700
Deleted in xenial-proposed (Reason: moved to -updates)
apache2 (2.4.18-2ubuntu3.16) xenial; urgency=medium

  * On Linux, use pthread mutexes. On kfreebsd/hurd, continue using
    fcntl because they lack robust pthread mutexes.
    (LP: #1565744)

 -- Bryce Harrington <email address hidden>  Thu, 16 Jul 2020 00:20:55 +0000
Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
apache2 (2.4.43-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes #921024)
  * Dropped:
    - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
      parameter to mod_proxy_ajp (LP #1865340)
      [Fixed upstream]
    - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
      mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
      Closes #955348, LP #1872478
      [In 2.4.43-1]

Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
apache2 (2.4.18-2ubuntu3.15) xenial; urgency=medium

  * d/p/lp-1875299-Merge-r1688399-from-trunk.patch: use r_useragent_addr as
    the root trusted address (LP: #1875299)

 -- Christian Ehrhardt <email address hidden>  Mon, 15 Jun 2020 16:09:55 +0200
Superseded in groovy-release
Published in focal-release
Deleted in focal-proposed (Reason: moved to Release)
apache2 (2.4.41-4ubuntu3) focal; urgency=medium

  [ Timo Aaltonen ]
  * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
    mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
    Closes: #955348, LP: #1872478

 -- Andreas Hasenack <email address hidden>  Mon, 13 Apr 2020 14:19:17 -0300
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.13) bionic-security; urgency=medium

  * Add additional missing commits to TLSv1.3 support. (LP: #1867223)
    - debian/patches/tlsv1.3-support-2.patch: fix whitespace and copy/paste
      typos in modules/ssl/ssl_engine_kernel.c.
    - debian/patches/tlsv1.3-support-3.patch: fail with 403 if
      SSL_verify_client_post_handshake fails in
      modules/ssl/ssl_engine_kernel.c.
    - debian/patches/tlsv1.3-support-4.patch: disable AUTO_RETRY mode for
      OpenSSL 1.1.1, which fixes post-handshake authentication in
      modules/ssl/ssl_engine_init.c.
    - debian/patches/tlsv1.3-support-5.patch: retrieve and set
      sslconn->client_cert here for both "modern" and classic access
      control in modules/ssl/ssl_engine_kernel.c.

 -- Marc Deslauriers <email address hidden>  Fri, 13 Mar 2020 08:26:16 -0400
Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
Deleted in focal-release (Reason: back out libxcrypt vs glibc breakage from the release pocket)
Deleted in focal-proposed (Reason: moved to Release)
apache2 (2.4.41-4ubuntu2) focal; urgency=medium

  * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
    parameter to mod_proxy_ajp (LP: #1865340)

 -- Andreas Hasenack <email address hidden>  Thu, 05 Mar 2020 15:51:00 -0300
Superseded in focal-release
Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
apache2 (2.4.41-4ubuntu1) focal; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes: #921024)

Superseded in bionic-updates
Deleted in bionic-proposed (Reason: moved to -updates)
apache2 (2.4.29-1ubuntu4.12) bionic; urgency=medium

  * Add TLSv1.3 support. (LP: #1845263)
    - debian/patches/tlsv1.3-support.patch: backport upstream 2.4 commit
      which introduced TLSv1.3 support.

 -- Marc Deslauriers <email address hidden>  Tue, 03 Dec 2019 10:55:03 -0500
Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
apache2 (2.4.18-2ubuntu3.14) xenial; urgency=medium

  * Backport mod_reqtimeout with handshake support (LP: #1846138)
    - d/p/0001-mod-reqtimeout-revent-long-response-times.patch
    - d/p/0002-mod_reqtimeout-fix-body-timeout-disabling-for-CONNECT-request.patch
    - d/p/0003-mod_reqtimeout-Merge-r1853901-r1853906-r1853908-r1853929-r1853935-r.patch

 -- Jesse Williamson <email address hidden>  Tue, 08 Oct 2019 13:31:25 +0000
Superseded in xenial-updates
Superseded in xenial-security
apache2 (2.4.18-2ubuntu3.13) xenial-security; urgency=medium

  * SECURITY REGRESSION:  mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

 -- Steve Beattie <email address hidden>  Mon, 16 Sep 2019 06:13:53 -0700
Obsolete in disco-updates
Obsolete in disco-security
apache2 (2.4.38-2ubuntu2.3) disco-security; urgency=medium

  * SECURITY REGRESSION:  mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

 -- Steve Beattie <email address hidden>  Mon, 16 Sep 2019 05:36:25 -0700
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.11) bionic-security; urgency=medium

  * SECURITY REGRESSION:  mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

 -- Steve Beattie <email address hidden>  Mon, 16 Sep 2019 05:58:48 -0700
Superseded in disco-updates
Superseded in disco-security
apache2 (2.4.38-2ubuntu2.2) disco-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0001-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: mod_remoteip: Stack buffer overflow and NULL
    pointer dereference.
    - d/p/CVE-2019-10097.patch: add better sanity checks.
    - CVE-2019-10097
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092
  * SECURITY UPDATE: mod_rewrite potential open redirect
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches

 -- Steve Beattie <email address hidden>  Mon, 26 Aug 2019 06:31:40 -0700
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.10) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092
  * SECURITY UPDATE: mod_rewrite potential open redirect.
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches
    - dropped the following patches included above:
      + d/p/CVE-2018-1302.patch
      + d/p/CVE-2018-1333.patch
      + d/p/CVE-2018-11763.patch
      + d/p/CVE-2018-17189.patch
      + d/p/CVE-2019-0196.patch

 -- Steve Beattie <email address hidden>  Mon, 26 Aug 2019 06:41:23 -0700
Superseded in xenial-updates
Superseded in xenial-security
apache2 (2.4.18-2ubuntu3.12) xenial-security; urgency=medium

  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092
  * SECURITY UPDATE: mod_rewrite potential open redirect.
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098

 -- Steve Beattie <email address hidden>  Mon, 26 Aug 2019 06:43:29 -0700
Superseded in focal-release
Obsolete in eoan-release
Deleted in eoan-proposed (Reason: moved to release)
apache2 (2.4.41-1ubuntu1) eoan; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
  * Dropped:
    - Cherrypick upstream testsuite fix:
      + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
      + Similarly use TLSv1.2 for pr12355 and pr43738.
        [Test suite updated in 2.4.41-1]
    - Cherrypick upstream test suite fix for buffer.
      [Included in 2.4.41-1]
    - d/p/spelling-errors.patch: removed hunks already fixed upstream
      [Included in 2.4.39-1]
    - Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
      + d/p/CVE-2019-0196.patch
      + d/p/CVE-2019-0211.patch
      + d/p/CVE-2019-0215.patch
      + d/p/CVE-2019-0217.patch
      + d/p/CVE-2019-0220-*.patch
      + d/p/CVE-2019-0197.patch
  * Added:
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes: #921024)

Superseded in eoan-release
Deleted in eoan-proposed (Reason: moved to release)
apache2 (2.4.39-0ubuntu1) eoan; urgency=medium

  * New upstream version: 2.4.39
  * d/p/spelling-errors.patch: removed hunks already fixed upstream
  * Remaining changes:
    - Cherrypick upstream test suite fix for buffer.
    - Cherrypick upstream testsuite fix:
      + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
    - Similarly use TLSv1.2 for pr12355 and pr43738.
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
  * Dropped patches (fixed upstream):
    - d/p/CVE-2019-0196.patch
    - d/p/CVE-2019-0211.patch
    - d/p/CVE-2019-0215.patch
    - d/p/CVE-2019-0217.patch
    - d/p/CVE-2019-0220-*.patch
    - d/p/CVE-2019-0197.patch

 -- Andreas Hasenack <email address hidden>  Mon, 05 Aug 2019 18:09:08 -0300

Obsolete in cosmic-updates
Deleted in cosmic-proposed (Reason: moved to -updates)
apache2 (2.4.34-1ubuntu2.3) cosmic; urgency=medium

  * d/p/ssl-read-rc-value-openssl-1.1.1.patch: Handle SSL_read() return code 0
    similarly to <0 with openssl 1.1.1
  * d/p/clear-retry-flags-before-abort.patch: clear retry flags before
    aborting on client-initiated reneg (LP: #1836329)

 -- Andreas Hasenack <email address hidden>  Tue, 16 Jul 2019 17:27:06 -0300
Superseded in bionic-updates
Deleted in bionic-proposed (Reason: moved to -updates)
apache2 (2.4.29-1ubuntu4.8) bionic; urgency=medium

  * d/p/ssl-read-rc-value-openssl-1.1.1.patch: Handle SSL_read() return code 0
    similarly to <0 with openssl 1.1.1
  * d/p/clear-retry-flags-before-abort.patch: clear retry flags before
    aborting on client-initiated reneg (LP: #1836329)

 -- Andreas Hasenack <email address hidden>  Tue, 16 Jul 2019 15:14:45 -0300
Superseded in cosmic-updates
Deleted in cosmic-proposed (Reason: moved to -updates)
apache2 (2.4.34-1ubuntu2.2) cosmic; urgency=medium

  * d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
    authentication when built with openssl 1.1.1 (LP: #1833039)

 -- Andreas Hasenack <email address hidden>  Fri, 28 Jun 2019 17:41:48 -0300
Superseded in bionic-updates
Deleted in bionic-proposed (Reason: moved to -updates)
apache2 (2.4.29-1ubuntu4.7) bionic; urgency=medium

  * d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
    authentication when built with openssl 1.1.1 (LP: #1833039)

 -- Andreas Hasenack <email address hidden>  Fri, 28 Jun 2019 13:49:35 -0300
Superseded in eoan-release
Deleted in eoan-proposed (Reason: moved to release)
apache2 (2.4.38-3ubuntu2) eoan; urgency=medium

  * Cherrypick upstream test suite fix for buffer.

 -- Dimitri John Ledkov <email address hidden>  Thu, 13 Jun 2019 11:08:24 +0100
Superseded in eoan-proposed
apache2 (2.4.38-3ubuntu1) eoan; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Cherrypick upstream testsuite fix:
      + r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
    - Similarly use TLSv1.2 for pr12355 and pr43738.
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
      [Removed configure chunk, not needed since configure.in is being
       patched.]
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support

Superseded in eoan-release
Deleted in eoan-proposed (Reason: moved to release)
apache2 (2.4.38-2ubuntu3) eoan; urgency=medium

  * Cherrypick upstream testsuite fix:
    - r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
      as such).
  * Similarly use TLSv1.2 for pr12355 and pr43738.

 -- Dimitri John Ledkov <email address hidden>  Tue, 07 May 2019 10:39:47 +0100

Published in precise-updates
Published in precise-security
apache2 (2.2.22-1ubuntu1.15) precise-security; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312-*.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217

 -- <email address hidden> (Leonidas S. Barbosa)  Tue, 09 Apr 2019 12:48:30 -0300
Superseded in eoan-release
Obsolete in disco-release
Deleted in disco-proposed (Reason: moved to release)
apache2 (2.4.38-2ubuntu2) disco; urgency=medium

  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentanglement of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistency
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

 -- Marc Deslauriers <email address hidden>  Wed, 03 Apr 2019 14:31:46 -0400
Published in trusty-updates
Published in trusty-security
apache2 (2.4.7-1ubuntu4.22) trusty-security; urgency=medium

  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199-pre1.patch: properly handle sessions
      that could not be decoded in modules/session/mod_session.c.
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistency
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

 -- Marc Deslauriers <email address hidden>  Wed, 03 Apr 2019 10:37:52 -0400
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.6) bionic-security; urgency=medium

  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentanglement of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistency
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

 -- Marc Deslauriers <email address hidden>  Wed, 03 Apr 2019 09:22:37 -0400
Superseded in xenial-updates
Superseded in xenial-security
apache2 (2.4.18-2ubuntu3.10) xenial-security; urgency=medium

  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistency
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

 -- Marc Deslauriers <email address hidden>  Wed, 03 Apr 2019 09:34:47 -0400
Superseded in cosmic-updates
Obsolete in cosmic-security
apache2 (2.4.34-1ubuntu2.1) cosmic-security; urgency=medium

  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentanglement of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistency
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

 -- Marc Deslauriers <email address hidden>  Wed, 03 Apr 2019 08:50:09 -0400
Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
apache2 (2.4.38-2ubuntu1) disco; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
      [Removed configure chunk, not needed since configure.in is being
       patched.]
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
  * Dropped:
    - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
      libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
      cannot be coinstalled with libcurl3. That situation breaks the
      installation of libapache2-mod-shib2.  See
      https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
      for details.
      [This has been resolved in Disco, where libxmltooling8 is built with
      openssl 1.1]
    - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
      + debian/patches/CVE-2018-11763.patch: rework connection IO event
        handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
        modules/http2/h2_version.h.
        - CVE-2018-11763
        [Fixed in 2.4.35]

Superseded in trusty-updates
Deleted in trusty-proposed (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.21) trusty; urgency=medium

  * d/p/AuthzProviderAlias-visibility.patch: Allow <AuthzProviderAlias>'es
    to be seen from auth stanzas under virtual hosts (LP: #1529355)

 -- Andreas Hasenack <email address hidden>  Fri, 23 Nov 2018 17:45:20 -0200
Superseded in bionic-updates
Deleted in bionic-proposed (Reason: moved to -updates)
apache2 (2.4.29-1ubuntu4.5) bionic; urgency=medium

  * d/debhelper/apache2-maintscript-helper: fix typo in apache2_switch_mpm()'s
    a2query call. (LP: #1782806)

 -- Andreas Hasenack <email address hidden>  Wed, 10 Oct 2018 15:59:25 -0300
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.4) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS in HTTP/2 via NULL pointer
    - debian/patches/CVE-2018-1302.patch: remove obsolete stream detach
      code in modules/http2/h2_bucket_beam.c, modules/http2/h2_stream.c,
      modules/http2/h2_stream.h.
    - CVE-2018-1302
  * SECURITY UPDATE: DoS in HTTP/2 via worker exhaustion
    - debian/patches/CVE-2018-1333.patch: always wake up any conditional
      waits when streams are aborted in modules/http2/h2_bucket_beam.c.
    - CVE-2018-1333
  * SECURITY UPDATE: DoS in HTTP/2 via large SETTINGS frames
    - debian/patches/CVE-2018-11763.patch: rework connection IO event
      handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
      modules/http2/h2_version.h.
    - CVE-2018-11763

 -- Marc Deslauriers <email address hidden>  Wed, 03 Oct 2018 10:41:08 -0400
Superseded in disco-release
Obsolete in cosmic-release
Deleted in cosmic-proposed (Reason: moved to release)
apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium

  * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
    - debian/patches/CVE-2018-11763.patch: rework connection IO event
      handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
      modules/http2/h2_version.h.
    - CVE-2018-11763

 -- Marc Deslauriers <email address hidden>  Wed, 03 Oct 2018 09:57:22 -0400
Superseded in cosmic-release
Deleted in cosmic-proposed (Reason: moved to release)
apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
      libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
      cannot be coinstalled with libcurl3. That situation breaks the
      installation of libapache2-mod-shib2.  See
      https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
      for details.

Superseded in bionic-updates
Deleted in bionic-proposed (Reason: moved to -updates)
apache2 (2.4.29-1ubuntu4.3) bionic; urgency=medium

  * d/p/balance-member-long-hostname-part{1,2}.patch: Provide an RFC1035
    compliant version of the hostname in the
    proxy_worker_shared structure. A hostname that is too long is no longer a
    fatal error. (LP: #1750356)

 -- Andreas Hasenack <email address hidden>  Wed, 27 Jun 2018 14:05:04 -0300
Superseded in cosmic-release
Deleted in cosmic-proposed (Reason: moved to release)
apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium

  * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load:
    re-enable proxy_uwsgi, as the uwsgi source no longer builds this module.

 -- Andreas Hasenack <email address hidden>  Thu, 28 Jun 2018 10:07:06 -0300
Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
apache2 (2.4.18-2ubuntu3.9) xenial; urgency=medium

  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a non-existent file path with IncludeOptional. Closes LP:
    #1766186.

 -- Andreas Hasenack <email address hidden>  Thu, 07 Jun 2018 16:43:03 -0300
Obsolete in artful-updates
Deleted in artful-proposed (Reason: moved to -updates)
apache2 (2.4.27-2ubuntu4.2) artful; urgency=medium

  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a non-existent file path with IncludeOptional. Closes LP:
    #1766186.

 -- Andreas Hasenack <email address hidden>  Thu, 07 Jun 2018 17:53:23 -0300
Superseded in bionic-updates
Deleted in bionic-proposed (Reason: moved to -updates)
apache2 (2.4.29-1ubuntu4.2) bionic; urgency=medium

  * debian/patches/includeoptional-ignore-non-existent.patch: silently
    ignore a non-existent file path with IncludeOptional. Closes LP:
    #1766186.

 -- Andreas Hasenack <email address hidden>  Thu, 07 Jun 2018 18:10:10 -0300
Superseded in cosmic-release
Deleted in cosmic-proposed (Reason: moved to release)
apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium

  * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
    libapache2-mod-md until we figure out their transitions.  libapache2-mod-md
    in particular is problematic because that makes apache2-bin pull in
    libcurl4 which cannot be coinstalled with libcurl3.  That situation breaks
    the installation of libapache2-mod-shib2.  See
    https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
    for details.
    - Don't ship md.load and remove build-requires that were added because of
      mod-md (see
      https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
    - Remove proxy_uwsgi.load as we are not building it for now (see
      https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)

Deleted in cosmic-proposed (Reason: NBS)
apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable (LP: #1770242). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
  * Drop:
    - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
      + debian/patches/CVE-2017-15710.patch: fix language long names
        detection as short name in modules/aaa/mod_authnz_ldap.c.
      + CVE-2017-15710
    - SECURITY UPDATE: incorrect <FilesMatch> matching
      + debian/patches/CVE-2017-15715.patch: allow to configure
        global/default options for regexes, like caseless matching or
        extended format in include/ap_regex.h, server/core.c,
        server/util_pcre.c.
      + CVE-2017-15715
    - SECURITY UPDATE: mod_session header manipulation
      + debian/patches/CVE-2018-1283.patch: strip Session header when
        SessionEnv is on in modules/session/mod_session.c.
      + CVE-2018-1283
    - SECURITY UPDATE: DoS via specially-crafted request
      + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
        terminated on any error, not only on buffer full in
        server/protocol.c.
      + CVE-2018-1301
    - SECURITY UPDATE: mod_cache_socache DoS
      + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
        to carriage return in modules/cache/mod_cache_socache.c.
      + CVE-2018-1303
    - SECURITY UPDATE: insecure nonce generation
      + debian/patches/CVE-2018-1312.patch: actually use the secret when
        generating nonces in modules/aaa/mod_auth_digest.c.
      + CVE-2018-1312
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allow a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.
      [type=Forking already in the base systemd service file, and
       RemainsAfterExit=no is the default value, so no need to
       customize these anymore.]
    - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
      + added debian/patches/util_ldap_cache_lock_fix.patch
      [Already applied upstream]

Superseded in cosmic-release
Deleted in cosmic-proposed (Reason: moved to release)
Superseded in bionic-updates
Superseded in bionic-security
apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: incorrect <FilesMatch> matching
    - debian/patches/CVE-2017-15715.patch: allow to configure
      global/default options for regexes, like caseless matching or
      extended format in include/ap_regex.h, server/core.c,
      server/util_pcre.c.
    - CVE-2017-15715
  * SECURITY UPDATE: mod_session header manipulation
    - debian/patches/CVE-2018-1283.patch: strip Session header when
      SessionEnv is on in modules/session/mod_session.c.
    - CVE-2018-1283
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: mod_cache_socache DoS
    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
      to carriage return in modules/cache/mod_cache_socache.c.
    - CVE-2018-1303
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

 -- Marc Deslauriers <email address hidden>  Wed, 25 Apr 2018 07:38:24 -0400
Superseded in trusty-updates
Superseded in trusty-security
apache2 (2.4.7-1ubuntu4.20) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: incorrect <FilesMatch> matching
    - debian/patches/CVE-2017-15715-pre.patch: add ap_cstr_casecmp[n]() to
      include/httpd.h, server/util.c.
    - debian/patches/CVE-2017-15715.patch: allow to configure
      global/default options for regexes, like caseless matching or
      extended format in include/ap_regex.h, server/core.c,
      server/util_pcre.c.
    - CVE-2017-15715
  * SECURITY UPDATE: mod_session header manipulation
    - debian/patches/CVE-2018-1283.patch: strip Session header when
      SessionEnv is on in modules/session/mod_session.c.
    - CVE-2018-1283
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: mod_cache_socache DoS
    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
      to carriage return in modules/cache/mod_cache_socache.c.
    - CVE-2018-1303
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

 -- Marc Deslauriers <email address hidden>  Wed, 18 Apr 2018 11:13:36 -0400
Superseded in xenial-updates
Superseded in xenial-security
apache2 (2.4.18-2ubuntu3.8) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: incorrect <FilesMatch> matching
    - debian/patches/CVE-2017-15715-pre.patch: add ap_cstr_casecmp[n]() to
      include/httpd.h, server/util.c.
    - debian/patches/CVE-2017-15715.patch: allow to configure
      global/default options for regexes, like caseless matching or
      extended format in include/ap_regex.h, server/core.c,
      server/util_pcre.c.
    - CVE-2017-15715
  * SECURITY UPDATE: mod_session header manipulation
    - debian/patches/CVE-2018-1283.patch: strip Session header when
      SessionEnv is on in modules/session/mod_session.c.
    - CVE-2018-1283
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: mod_cache_socache DoS
    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
      to carriage return in modules/cache/mod_cache_socache.c.
    - CVE-2018-1303
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

 -- Marc Deslauriers <email address hidden>  Wed, 18 Apr 2018 10:53:04 -0400
Superseded in artful-updates
Obsolete in artful-security
apache2 (2.4.27-2ubuntu4.1) artful-security; urgency=medium

  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: incorrect <FilesMatch> matching
    - debian/patches/CVE-2017-15715.patch: allow to configure
      global/default options for regexes, like caseless matching or
      extended format in include/ap_regex.h, server/core.c,
      server/util_pcre.c.
    - CVE-2017-15715
  * SECURITY UPDATE: mod_session header manipulation
    - debian/patches/CVE-2018-1283.patch: strip Session header when
      SessionEnv is on in modules/session/mod_session.c.
    - CVE-2018-1283
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: mod_cache_socache DoS
    - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
      to carriage return in modules/cache/mod_cache_socache.c.
    - CVE-2018-1303
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

 -- Marc Deslauriers <email address hidden>  Wed, 18 Apr 2018 10:20:05 -0400
Superseded in trusty-updates
Deleted in trusty-proposed (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.19) trusty; urgency=medium

  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

 -- Rafael David Tinoco <email address hidden>  Fri, 02 Mar 2018 01:48:33 +0000
Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
apache2 (2.4.18-2ubuntu3.7) xenial; urgency=medium

  * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
    - added debian/patches/util_ldap_cache_lock_fix.patch

 -- Rafael David Tinoco <email address hidden>  Thu, 01 Mar 2018 18:29:12 +0000