Change log for apache2 package in Ubuntu
Deleted in xenial-proposed (Reason: requested by rbasak: It's an SRU verification failure and ...)
apache2 (2.4.18-2ubuntu3.6) xenial; urgency=medium

  * d/p/apache2-bug-1466926-scoreboard-full-[123]-3.patch: backport of upstream fixes to avoid issues of workers in graceful shutdown blocking new requests (LP: #1466926)

 -- Christian Ehrhardt <email address hidden>  Tue, 14 Nov 2017 15:19:49 +0100
apache2 (2.4.29-1ubuntu3) bionic; urgency=medium

  * Switch back to OpenSSL 1.1.

 -- Dimitri John Ledkov <email address hidden>  Tue, 06 Feb 2018 11:57:20 +0000
apache2 (2.4.29-1ubuntu2) bionic; urgency=medium

  * enable http2 (LP: #1687454) by stopping to disable it
    - debian/control: no more removed libnghttp2-dev Build-Depends (in universe).
    - debian/config-dir/mods-available/http2.load: no more removed.
    - debian/rules: no more removed proxy_http2 from configure.
  * d/t/control, d/t/check-http2: add basic test for http2 support

 -- Christian Ehrhardt <email address hidden>  Tue, 05 Dec 2017 17:25:39 +0100
apache2 (2.4.29-1ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - Correct systemd-sysv-generator behavior by customizing some parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd unit (type=Forking and RemainsAfterExit=no), this allows a correct state synchronisation between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the correct location.
    - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
  * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
    - debian/control: switch BuildDepends to libssl1.0-dev
    - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
    - debian/rules: remove openssl virtual package and logic
Available diffs
- diff from 2.4.27-2ubuntu3 to 2.4.29-1ubuntu1 (121.4 KiB)
Superseded in bionic-release
Obsolete in artful-release
Deleted in artful-proposed (Reason: moved to release)
apache2 (2.4.27-2ubuntu3) artful; urgency=medium

  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration at run time in server/core.c.
    - CVE-2017-9798

 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2017 11:05:48 -0400
Available diffs
- diff from 2.4.27-2ubuntu2 to 2.4.27-2ubuntu3 (1018 bytes)
apache2 (2.4.7-1ubuntu4.18) trusty-security; urgency=medium

  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration at run time in server/core.c.
    - CVE-2017-9798

 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2017 11:10:30 -0400
Available diffs
- diff from 2.4.7-1ubuntu4.17 to 2.4.7-1ubuntu4.18 (1008 bytes)
apache2 (2.4.18-2ubuntu3.5) xenial-security; urgency=medium

  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration at run time in server/core.c.
    - CVE-2017-9798

 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2017 11:09:02 -0400
Available diffs
- diff from 2.4.18-2ubuntu3.4 to 2.4.18-2ubuntu3.5 (1019 bytes)
apache2 (2.4.25-3ubuntu2.3) zesty-security; urgency=medium

  * SECURITY UPDATE: optionsbleed information leak
    - debian/patches/CVE-2017-9798.patch: disallow method registration at run time in server/core.c.
    - CVE-2017-9798

 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2017 11:08:28 -0400
apache2 (2.4.27-2ubuntu2) artful; urgency=medium

  * Undrop (LP 1658469):
    - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.

 -- Marc Deslauriers <email address hidden>  Wed, 02 Aug 2017 13:04:45 -0400
Available diffs
- diff from 2.4.25-3ubuntu2 to 2.4.27-2ubuntu2 (564.5 KiB)
- diff from 2.4.27-2ubuntu1 to 2.4.27-2ubuntu2 (1023 bytes)
Superseded in artful-proposed
apache2 (2.4.27-2ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1702582). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - Correct systemd-sysv-generator behavior by customizing some parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd unit (type=Forking and RemainsAfterExit=no), this allows a correct state synchronisation between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the correct location.

 -- Nishanth Aravamudan <email address hidden>  Thu, 27 Jul 2017 13:38:39 -0700
Available diffs
- diff from 2.4.25-3ubuntu3 to 2.4.27-2ubuntu1 (564.1 KiB)
apache2 (2.4.7-1ubuntu4.17) trusty-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in modules/aaa/mod_auth_digest.c.
    - CVE-2017-9788

 -- Marc Deslauriers <email address hidden>  Thu, 27 Jul 2017 10:34:31 -0400
apache2 (2.4.18-2ubuntu3.4) xenial-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in modules/aaa/mod_auth_digest.c.
    - CVE-2017-9788

 -- Marc Deslauriers <email address hidden>  Thu, 27 Jul 2017 10:34:01 -0400
apache2 (2.4.25-3ubuntu2.2) zesty-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in modules/aaa/mod_auth_digest.c.
    - CVE-2017-9788

 -- Marc Deslauriers <email address hidden>  Thu, 27 Jul 2017 10:32:31 -0400
apache2 (2.4.7-1ubuntu4.16) trusty-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h, server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in modules/http/mod_mime.c.
    - CVE-2017-7679

 -- Marc Deslauriers <email address hidden>  Mon, 26 Jun 2017 08:04:58 -0400
apache2 (2.4.18-2ubuntu4.2) yakkety-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h, server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in modules/http/mod_mime.c.
    - CVE-2017-7679

 -- Marc Deslauriers <email address hidden>  Mon, 26 Jun 2017 07:57:04 -0400
apache2 (2.4.25-3ubuntu2.1) zesty-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h, server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in modules/http/mod_mime.c.
    - CVE-2017-7679

 -- Marc Deslauriers <email address hidden>  Mon, 26 Jun 2017 07:50:10 -0400
apache2 (2.4.18-2ubuntu3.3) xenial-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h, server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in modules/http/mod_mime.c.
    - CVE-2017-7679

 -- Marc Deslauriers <email address hidden>  Mon, 26 Jun 2017 07:58:04 -0400
apache2 (2.4.7-1ubuntu4.15) trusty-security; urgency=medium

  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in include/http_core.h, include/http_protocol.h, include/httpd.h, modules/http/http_filters.c, server/core.c, server/gen_test_char.c, server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and may introduce compatibility issues with clients that do not strictly follow specifications. A new configuration directive, "HttpProtocolOptions Unsafe" can be used to re-enable some of the less strict parsing restrictions, at the expense of security.

 -- Marc Deslauriers <email address hidden>  Fri, 05 May 2017 12:52:21 -0400
apache2 (2.4.18-2ubuntu3.2) xenial-security; urgency=medium

  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in include/http_core.h, include/http_protocol.h, include/httpd.h, modules/http/http_filters.c, server/core.c, server/gen_test_char.c, server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and may introduce compatibility issues with clients that do not strictly follow specifications. A new configuration directive, "HttpProtocolOptions Unsafe" can be used to re-enable some of the less strict parsing restrictions, at the expense of security.

 -- Marc Deslauriers <email address hidden>  Fri, 05 May 2017 12:32:00 -0400
apache2 (2.4.18-2ubuntu4.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in include/http_core.h, include/http_protocol.h, include/httpd.h, modules/http/http_filters.c, server/core.c, server/gen_test_char.c, server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and may introduce compatibility issues with clients that do not strictly follow specifications. A new configuration directive, "HttpProtocolOptions Unsafe" can be used to re-enable some of the less strict parsing restrictions, at the expense of security.

 -- Marc Deslauriers <email address hidden>  Fri, 05 May 2017 10:51:32 -0400
Superseded in artful-proposed
apache2 (2.4.25-3ubuntu3) artful; urgency=medium

  * Re-Drop (LP: #1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

 -- Nishanth Aravamudan <email address hidden>  Mon, 01 May 2017 09:55:11 -0700
Superseded in artful-release
Obsolete in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
apache2 (2.4.25-3ubuntu2) zesty; urgency=medium

  * Undrop (LP 1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

 -- Nishanth Aravamudan <email address hidden>  Fri, 10 Feb 2017 08:53:43 -0800
Available diffs
- diff from 2.4.23-8ubuntu1 to 2.4.25-3ubuntu2 (683.8 KiB)
- diff from 2.4.25-3ubuntu1 to 2.4.25-3ubuntu2 (1.2 KiB)
Superseded in zesty-proposed
apache2 (2.4.25-3ubuntu1) zesty; urgency=medium

  * Merge from Debian unstable (LP: #1663425). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - Correct systemd-sysv-generator behavior by customizing some parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd unit (type=Forking and RemainsAfterExit=no), this allows a correct state synchronisation between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the correct location.
  * Drop (LP: #1658469):
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile.

 -- Nishanth Aravamudan <email address hidden>  Thu, 09 Feb 2017 15:48:28 -0800
Available diffs
- diff from 2.4.23-8ubuntu1 to 2.4.25-3ubuntu1 (684.1 KiB)
apache2 (2.4.23-8ubuntu1) zesty; urgency=medium

  * Merge from Debian unstable (LP: #). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: replace Debian with Ubuntu on default page. [ include-binaries change previously undocumented ]
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
      + debian/apache2.maintscript: remove http2 conffile. [ Previously undocumented ]
    - Correct systemd-sysv-generator behavior by customizing some parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd unit (type=Forking and RemainsAfterExit=no), this allows a correct state synchronisation between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the correct location.
  * Drop:
    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure. [ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]

 -- Nishanth Aravamudan <email address hidden>  Fri, 09 Dec 2016 11:02:38 +0100
apache2 (2.4.23-7ubuntu1) zesty; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
    - Correct systemd-sysv-generator behavior by customizing some parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd unit (type=Forking and RemainsAfterExit=no), this allows a correct state synchronisation between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the correct location.
Available diffs
- diff from 2.4.18-2ubuntu4 to 2.4.23-7ubuntu1 (914.6 KiB)
Published in trusty-backports
apache2 (2.4.10-1ubuntu1.1~ubuntu14.04.2) trusty-backports; urgency=medium

  * CVE-2016-5387 (LP: #1604209)

 -- Mike Gerow <email address hidden>  Thu, 21 Jul 2016 14:53:00 -0700
Deleted in trusty-proposed (Reason: The package was removed due to its SRU bug(s) not being v...)
apache2 (2.4.7-1ubuntu4.14) trusty; urgency=medium

  * d/p/fix_aliasmatch_long_uri.patch: Fix handling memory allocation for very long uri in alias match (LP: #1534538)

 -- Wesley Wiedenmeier <email address hidden>  Wed, 20 Jul 2016 19:07:41 -0500
Superseded in zesty-release
Obsolete in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in server/util_script.c.
    - CVE-2016-5387

 -- Marc Deslauriers <email address hidden>  Mon, 18 Jul 2016 14:32:02 -0400
Available diffs
- diff from 2.4.18-2ubuntu3 to 2.4.18-2ubuntu4 (803 bytes)
apache2 (2.4.7-1ubuntu4.13) trusty-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in trusty-proposed.

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jul 2016 08:40:55 -0400
apache2 (2.2.22-1ubuntu1.11) precise-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in trusty-proposed.

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jul 2016 08:50:27 -0400
apache2 (2.4.18-2ubuntu3.1) xenial-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in server/util_script.c.
    - CVE-2016-5387

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jul 2016 08:32:26 -0400
apache2 (2.4.12-2ubuntu2.1) wily-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in server/util_script.c.
    - CVE-2016-5387

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jul 2016 08:39:28 -0400
Deleted in trusty-proposed (Reason: moved to -updates)
apache2 (2.4.7-1ubuntu4.12) trusty; urgency=medium

  * d/p/fix_aliasmatch_long_uri.patch: Fix handling memory allocation for very long uri in alias match (LP: #1534538)

 -- Wesley Wiedenmeier <email address hidden>  Tue, 28 Jun 2016 09:55:36 -0500
Available diffs
- diff from 2.4.7-1ubuntu4.11 to 2.4.7-1ubuntu4.12 (1002 bytes)
apache2 (2.4.7-1ubuntu4.11) trusty; urgency=medium

  * Fix hang until proxy timeout for Proxy responses with error status and "ProxyErrorOverride On" being set (LP: #1495988).

 -- Christian Ehrhardt <email address hidden>  Tue, 07 Jun 2016 16:28:05 +0200
Superseded in trusty-backports
apache2 (2.4.10-1ubuntu1.1~ubuntu14.04.1) trusty-backports; urgency=medium

  * No-change backport to trusty (LP: #1335068)
apache2 (2.4.7-1ubuntu4.10) trusty; urgency=medium

  * Add apache2 specific modification needed along with fix to libapache2-mpm-itk so it becomes installable again (LP: #1286882):
    - Removes warning on mpm_itk use
    - Removes conflicts on mpm_itk

 -- Louis Bouchard <email address hidden>  Wed, 20 Apr 2016 16:21:03 +0200
Available diffs
- diff from 2.4.7-1ubuntu4.9 to 2.4.7-1ubuntu4.10 (927 bytes)
Superseded in yakkety-release
Published in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
apache2 (2.4.18-2ubuntu3) xenial; urgency=medium

  [ Ryan Harper ]
  * Drop /etc/apache2/mods-available/http2.load. This was inadvertently introduced in 2.4.18-2ubuntu1. The intention is to not carry this at all, since http2 support is intentionally disabled (see LP 1531864).
  * d/apache2.maintscript: handle removal of http2.load conffile.

  [ Robie Basak ]
  * Re-write Ryan's changelog entry.

 -- Robie Basak <email address hidden>  Fri, 15 Apr 2016 18:00:57 +0000
Available diffs
- diff from 2.4.18-2ubuntu2 to 2.4.18-2ubuntu3 (726 bytes)
apache2 (2.4.18-2ubuntu2) xenial; urgency=medium

  * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
    - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd unit (type=Forking and RemainsAfterExit=no), this allows a correct state synchronisation between systemctl status and actual state of apache2 daemon.
    - d/apache2.install: place the apache2-systemd.conf file in the correct location.

 -- Pierre-André MOREY <email address hidden>  Fri, 08 Apr 2016 11:48:00 +0200
Available diffs
- diff from 2.4.18-2ubuntu1 to 2.4.18-2ubuntu2 (738 bytes)
apache2 (2.4.18-2ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
apache2 (2.4.18-1ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
Available diffs
- diff from 2.4.17-3ubuntu1 to 2.4.18-1ubuntu1 (228.2 KiB)
apache2 (2.4.7-1ubuntu4.9) trusty; urgency=medium

  * Force disablereuse on for mod_proxy_wstunnel. Fixes "Unable to connect to: ws://<maas IP>:/MAAS/ws" errors with maas, and other proxy applications. https://bz.apache.org/bugzilla/show_bug.cgi?id=55890 (LP: #1484696).

 -- Dave Chiluk <email address hidden>  Wed, 13 Jan 2016 15:34:51 -0600
apache2 (2.4.17-3ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
apache2 (2.4.17-2ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - Don't build experimental http2 module for LTS:
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
apache2 (2.4.17-1ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
  * Drop patches (applied upstream):
    - debian/patches/CVE-2015-3183.patch
    - debian/patches/CVE-2015-3185.patch
  * Drop changes (adopted in Debian):
    - Allow "triggers-awaited" and "triggers-pending" states in addition to "installed" when determining whether to defer actions or process deferred actions.
  * Don't build experimental http2 module for LTS
    - debian/control: removed libnghttp2-dev Build-Depends (in universe).
    - debian/config-dir/mods-available/http2.load: removed.
Available diffs
- diff from 2.4.12-2ubuntu2 to 2.4.17-1ubuntu1 (731.0 KiB)
apache2 (2.4.7-1ubuntu4.8) trusty; urgency=medium

  * Fix -D[efined] or <Define>[d] variables lifetime across restarts. This fixes incorrect processing of configuration files on reload (LP: #1504354).

 -- Jeffrey Hutzelman <email address hidden>  Thu, 08 Oct 2015 19:30:10 -0400
Available diffs
- diff from 2.4.7-1ubuntu4.7 to 2.4.7-1ubuntu4.8 (921 bytes)
apache2 (2.4.7-1ubuntu4.7) trusty; urgency=medium

  * d/p/wstunnel-ssl.patch: mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:" scheme. PR55320. LP: #1445914 Submitted by: Alex Liu <alex.leo.ca gmail.com>

 -- Jeffrey Hutzelman <email address hidden>  Thu, 10 Sep 2015 12:50:00 -0400
Available diffs
- diff from 2.4.7-1ubuntu4.6 to 2.4.7-1ubuntu4.7 (947 bytes)
apache2 (2.4.7-1ubuntu4.6) trusty; urgency=medium

  * d/p/fix_rewrite_rule.patch: Add a configurable option to keep mod_dir from running when another handler is set. This makes default behavior consistent with 2.2, and fixes (LP: #1394403)
    - This adds the configuration option "DirectoryCheckHandler" which is present in apache 2.4.8 and later versions. The default value is "DirectoryCheckHandler Off".
    - This will change default behavior. Instead of mod_dir running even if other rules are being run, mod_dir will only run when no other rules have been processed by default. This is the expected behavior of mod_dir, and is consistent with the behavior of mod_dir in apache versions < 2.4 and > 2.4.8, and so the default value of this configuration option will correct the bug.
    - The current default behavior, which is considered to be a bug, can be kept by setting "DirectoryCheckHandler On".

 -- Wesley Wiedenmeier <email address hidden>  Tue, 18 Aug 2015 09:36:21 -0500
apache2 (2.2.22-1ubuntu1.10) precise-security; urgency=medium

  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in modules/http/http_filters.c.
    - CVE-2015-3183

 -- Marc Deslauriers <email address hidden>  Fri, 24 Jul 2015 13:06:25 -0400
apache2 (2.4.7-1ubuntu4.5) trusty-security; urgency=medium

  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one in include/http_request.h, server/request.c.
    - CVE-2015-3185

 -- Marc Deslauriers <email address hidden>  Fri, 24 Jul 2015 12:44:36 -0400
apache2 (2.4.10-9ubuntu1.1) vivid-security; urgency=medium

  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one in include/http_request.h, server/request.c.
    - CVE-2015-3185

 -- Marc Deslauriers <email address hidden>  Fri, 24 Jul 2015 12:25:41 -0400
Superseded in xenial-release |
Obsolete in wily-release |
Deleted in wily-proposed (Reason: moved to release) |
apache2 (2.4.12-2ubuntu2) wily; urgency=medium * SECURITY UPDATE: request smuggling via chunked transfer encoding - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in modules/http/http_filters.c. - CVE-2015-3183 * SECURITY UPDATE: access restriction bypass via deprecated API - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one in include/http_request.h, server/request.c. - CVE-2015-3185 -- Marc Deslauriers <email address hidden> Fri, 24 Jul 2015 09:56:09 -0400
apache2 (2.4.12-2ubuntu1) wily; urgency=medium * Merge from Debian unstable. Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - Add dep8 tests. - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure. - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream - d/index.html: replace Debian with Ubuntu on default page. - Allow "triggers-awaited" and "triggers-pending" states in addition to "installed" when determining whether to defer actions or process deferred actions. * Drop patches (applied upstream): - d/p/split-logfile.patch - d/p/CVE-2015-0228.patch * Drop changes (superseded in Debian): - Cherry-pick versioned build-depend on dpkg from Debian for correct dpkg-maintscript-helper symlink_to_dir support. * Drop changes (adopted in Debian): - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase dialog program ask-for-passphrase. * Fix cross-building configure line in d/rules, which had bit-rotted in previous merges.
Available diffs
- diff from 2.4.10-9ubuntu1 to 2.4.12-2ubuntu1 (558.5 KiB)
apache2 (2.2.22-1ubuntu1.9) precise-security; urgency=medium * SECURITY IMPROVEMENT: add support for ECC keys and ECDH ciphers (LP: #1197884) - debian/patches/ecc_support.patch: add support to modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h, modules/ssl/ssl_toolkit_compat.h, modules/ssl/ssl_util.c, * SECURITY IMPROVEMENT: add TLSv1.x options to SSLProtocol (LP: #1400473) - debian/patches/tls_options.patch: allow specifying later TLSv1.x options in modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c, modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h. * SECURITY IMPROVEMENT: improve ephemeral key handling, including allowing DH parameters to be loaded from SSLCertificateFile and disabling EXPORT ciphers. - debian/patches/ephemeral_key_handling.patch: numerous improvements to modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c, modules/ssl/ssl_engine_dh.c, modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h, modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h. -- Marc Deslauriers <email address hidden> Thu, 28 May 2015 12:26:50 -0400
apache2 (2.4.7-1ubuntu4.4) trusty-security; urgency=medium * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141) - debian/patches/CVE-2013-5704.patch: don't merge trailers by default and add a "MergeTrailers" directive to revert to previous behaviour to include/http_core.h, include/httpd.h, modules/http/http_filters.c, modules/http/http_request.c, modules/loggers/mod_log_config.c, modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c. - CVE-2013-5704 * SECURITY UPDATE: mod_cache denial of service via empty HTTP Content-Type header - debian/patches/CVE-2014-3581.patch: check for NULL in modules/cache/cache_util.c. - CVE-2014-3581 -- Marc Deslauriers <email address hidden> Tue, 10 Mar 2015 07:42:50 -0400
Superseded in wily-release |
Obsolete in vivid-release |
Deleted in vivid-proposed (Reason: moved to release) |
apache2 (2.4.10-9ubuntu1) vivid; urgency=medium * Merge from Debian unstable. Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - d/control, d/config-dir/mods-available/ssl.conf, - Add dep8 tests. - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure. - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream - d/index.html: replace Debian with Ubuntu on default page. - d/p/split-logfile.patch: fix completely broken split-logfile command. - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a denial of service in mod_lua via websockets PING * debian/tests/ssl-passphrase: Add password responder for systemd-ask-passphrase.
apache2 (2.4.10-1ubuntu1.1) utopic-security; urgency=medium * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141) - debian/patches/CVE-2013-5704.patch: don't merge trailers by default and add a "MergeTrailers" directive to revert to previous behaviour to include/http_core.h, include/httpd.h, modules/http/http_filters.c, modules/http/http_request.c, modules/loggers/mod_log_config.c, modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c. - CVE-2013-5704 * SECURITY UPDATE: mod_cache denial of service via empty HTTP Content-Type header - debian/patches/CVE-2014-3581.patch: check for NULL in modules/cache/cache_util.c. - CVE-2014-3581 * SECURITY UPDATE: mod_proxy_fcgi denial of service via long response headers - debian/patches/CVE-2014-3583.patch: properly handle length in modules/aaa/mod_authnz_fcgi.c, modules/proxy/mod_proxy_fcgi.c. - CVE-2014-3583 * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require directives - debian/patches/CVE-2014-8109.patch: handle multiple Require directives with different arguments in modules/lua/mod_lua.c. - CVE-2014-8109 * SECURITY UPDATE: denial of service in mod_lua via websockets PING - debian/patches/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c. - CVE-2015-0228 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2015 12:05:47 -0500
apache2 (2.2.22-1ubuntu1.8) precise-security; urgency=medium * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141) - debian/patches/CVE-2013-5704.patch: don't merge trailers by default and add a "MergeTrailers" directive to revert to previous behaviour to include/http_core.h, include/httpd.h, modules/http/http_filters.c, modules/http/http_request.c, modules/loggers/mod_log_config.c, modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c, server/core.c, server/protocol.c. - CVE-2013-5704 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2015 12:40:00 -0500
apache2 (2.2.14-5ubuntu8.15) lucid-security; urgency=medium * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141) - debian/patches/CVE-2013-5704.dpatch: don't merge trailers by default and add a "MergeTrailers" directive to revert to previous behaviour to include/http_core.h, include/httpd.h, modules/http/http_filters.c, modules/http/http_request.c, modules/loggers/mod_log_config.c, modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c, server/core.c, server/protocol.c. - CVE-2013-5704 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2015 12:45:09 -0500
Superseded in vivid-proposed |
apache2 (2.4.10-8ubuntu3) vivid; urgency=medium * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require directives - debian/patches/CVE-2014-8109.patch: handle multiple Require directives with different arguments in modules/lua/mod_lua.c. - CVE-2014-8109 * SECURITY UPDATE: denial of service in mod_lua via websockets PING - debian/patches/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c. - CVE-2015-0228 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2015 10:56:34 -0500
Deleted in trusty-proposed (Reason: moved to -updates) |
apache2 (2.4.7-1ubuntu4.2) trusty; urgency=medium * d/p/ocsp-stapling-memory-corruption.patch: fix crash on startup due to memory corruption while modules are reloaded (LP: #1366174). Thanks to Alex Bligh for reporting, debugging, fixing upstream, backporting and driving this fix through to Trusty. -- Robie Basak <email address hidden> Thu, 26 Feb 2015 18:11:56 +0000
apache2 (2.4.10-8ubuntu2) vivid; urgency=medium * Allow "triggers-awaited" and "triggers-pending" states in addition to "installed" when determining whether to defer actions or process deferred actions (LP: #1393832). -- Colin Watson <email address hidden> Wed, 26 Nov 2014 11:31:44 +0000
Available diffs
- diff from 2.4.10-1ubuntu1 to 2.4.10-8ubuntu2 (198.4 KiB)
- diff from 2.4.10-8ubuntu1 to 2.4.10-8ubuntu2 (792 bytes)
Superseded in vivid-proposed |
apache2 (2.4.10-8ubuntu1) vivid; urgency=medium * Merge from Debian unstable. Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase dialog program ask-for-passphrase. - Add dep8 tests. - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure. - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream - d/index.html: replace Debian with Ubuntu on default page. - d/p/split-logfile.patch: fix completely broken split-logfile command. * Fixes from Debian included in merge: - Crash caused by OCSP stapling code; this was erroneously attributed to Debian in my previous merge, but actually only appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174). * Cherry-pick versioned build-depend on dpkg from Debian for correct dpkg-maintscript-helper symlink_to_dir support.
Superseded in vivid-proposed |
apache2 (2.4.10-7ubuntu1) vivid; urgency=medium * Merge from Debian unstable. Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase dialog program ask-for-passphrase. - Add dep8 tests. - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure. - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream - d/index.html: replace Debian with Ubuntu on default page. - d/p/split-logfile.patch: fix completely broken split-logfile command. * Fixes from Debian included in merge: - Don't use a2query in preinst, as it may not be available yet (LP: #1312533). - Crash caused by OCSP stapling code (LP: #1366174). - Disable SSLv3 in default config (LP: #1358305). - If apache2 is not configured yet, defer actions executed via apache2-maintscript-helper. This fixes installation failures if a module package is configured first (LP: #1312854).
Available diffs
- diff from 2.4.10-1ubuntu1 to 2.4.10-7ubuntu1 (192.5 KiB)
Superseded in vivid-release |
Obsolete in utopic-release |
Deleted in utopic-proposed (Reason: moved to release) |
apache2 (2.4.10-1ubuntu1) utopic; urgency=medium * Merge from Debian unstable. Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase dialog program ask-for-passphrase. - Add dep8 tests. - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure. - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream - d/index.html: replace Debian with Ubuntu on default page. - d/p/split-logfile.patch: fix completely broken split-logfile command.
Available diffs
- diff from 2.4.9-1ubuntu2 to 2.4.10-1ubuntu1 (294.5 KiB)
apache2 (2.4.7-1ubuntu4.1) trusty-security; urgency=medium * SECURITY UPDATE: denial of service in mod_proxy - debian/patches/CVE-2014-0117.patch: also skip over semicolons in modules/proxy/proxy_util.c. - CVE-2014-0117 * SECURITY UPDATE: resource consumption via mod_deflate body decompression - debian/patches/CVE-2014-0118.patch: added new configuration options DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst in modules/filters/mod_deflate.c. - CVE-2014-0118 * SECURITY UPDATE: denial of service via race in mod_status - debian/patches/CVE-2014-0226.patch: fix race by adding ap_copy_scoreboard_worker() to include/scoreboard.h, modules/generators/mod_status.c, modules/lua/lua_request.c, server/scoreboard.c. - CVE-2014-0226 * SECURITY UPDATE: denial of service in mod_cgid - debian/patches/CVE-2014-0231.patch: added new configuration option CGIDScriptTimeout in modules/generators/mod_cgid.c. - CVE-2014-0231 -- Marc Deslauriers <email address hidden> Mon, 21 Jul 2014 15:46:10 -0400
apache2 (2.2.22-1ubuntu1.7) precise-security; urgency=medium * SECURITY UPDATE: resource consumption via mod_deflate body decompression - debian/patches/CVE-2014-0118.patch: added new configuration options DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst in modules/filters/mod_deflate.c. - CVE-2014-0118 * SECURITY UPDATE: denial of service via race in mod_status - debian/patches/CVE-2014-0226.patch: fix race by adding ap_copy_scoreboard_worker() to include/scoreboard.h, modules/generators/mod_status.c, server/scoreboard.c. - CVE-2014-0226 * SECURITY UPDATE: denial of service in mod_cgid - debian/patches/CVE-2014-0231.patch: added new configuration option CGIDScriptTimeout in modules/generators/mod_cgid.c. - CVE-2014-0231 -- Marc Deslauriers <email address hidden> Tue, 22 Jul 2014 09:53:35 -0400
apache2 (2.2.14-5ubuntu8.14) lucid-security; urgency=medium * SECURITY UPDATE: resource consumption via mod_deflate body decompression - debian/patches/CVE-2014-0118.dpatch: added new configuration options DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst in modules/filters/mod_deflate.c. - CVE-2014-0118 * SECURITY UPDATE: denial of service via race in mod_status - debian/patches/CVE-2014-0226.dpatch: fix race by adding ap_copy_scoreboard_worker() to include/scoreboard.h, modules/generators/mod_status.c, server/scoreboard.c. - CVE-2014-0226 * SECURITY UPDATE: denial of service in mod_cgid - debian/patches/CVE-2014-0231.dpatch: added new configuration option CGIDScriptTimeout in modules/generators/mod_cgid.c. - CVE-2014-0231 -- Marc Deslauriers <email address hidden> Tue, 22 Jul 2014 10:03:41 -0400
apache2 (2.4.9-1ubuntu2) utopic; urgency=medium * Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't yet support building against lua 5.2 (LP: #1323930). -- Robie Basak <email address hidden> Wed, 28 May 2014 08:55:25 +0000
Available diffs
- diff from 2.4.9-1ubuntu1 to 2.4.9-1ubuntu2 (657 bytes)
apache2 (2.4.9-1ubuntu1) utopic; urgency=medium * Merge from Debian unstable. Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase dialog program ask-for-passphrase. - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure. - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream - Build using lua5.2. - d/tests/chroot: dep8 test for ChrootDir case. - d/tests/ssl-passphrase: update for new default path /var/www/html. - d/tests/duplicate-module-load: check for duplicate module loads. - d/index.html: replace Debian with Ubuntu on default page (LP: #1288690). - d/p/split-logfile.patch: fix completely broken split-logfile command (LP: #1299162). Thanks to Holger Mauermann. * Drop changes (upstreamed): - d/p/ignore-quilt-dir: adjust build system so that it does not use files found inside the .pc directory. This stops a double module load causing later havoc, including "ChrootDir" directive failure. - debian/patches/CVE-2013-6438.patch: properly calculate correct length in modules/dav/main/util.c. - debian/patches/CVE-2014-0098.patch: properly parse tokens in modules/loggers/mod_log_config.c. * d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
Available diffs
- diff from 2.4.7-1ubuntu4 to 2.4.9-1ubuntu1 (685.2 KiB)
Superseded in utopic-release |
Published in trusty-release |
Deleted in trusty-proposed (Reason: moved to release) |
apache2 (2.4.7-1ubuntu4) trusty; urgency=medium * d/p/split-logfile.patch: fix completely broken split-logfile command (LP: #1299162). Thanks to Holger Mauermann. -- Robie Basak <email address hidden> Thu, 03 Apr 2014 11:21:22 +0000
apache2 (2.2.22-1ubuntu1.6) precise; urgency=low * debian/patches/sni.patch: - apache2 doesn't compare SNI hostname against Host header case-insensitively (lp: #1298273) -- Ritesh Khadgaray <email address hidden> Thu, 27 Mar 2014 15:06:16 +0530
apache2 (2.4.7-1ubuntu3) trusty; urgency=medium * SECURITY UPDATE: denial of service via mod_dav incorrect end of string calculation - debian/patches/CVE-2013-6438.patch: properly calculate correct length in modules/dav/main/util.c. - CVE-2013-6438 * SECURITY UPDATE: denial of service via truncated cookie and mod_log_config - debian/patches/CVE-2014-0098.patch: properly parse tokens in modules/loggers/mod_log_config.c. - CVE-2014-0098 -- Marc Deslauriers <email address hidden> Thu, 20 Mar 2014 08:34:10 -0400
apache2 (2.2.14-5ubuntu8.13) lucid-security; urgency=medium * SECURITY UPDATE: denial of service via mod_dav incorrect end of string calculation - debian/patches/CVE-2013-6438.dpatch: properly calculate correct length in modules/dav/main/util.c. - CVE-2013-6438 -- Marc Deslauriers <email address hidden> Wed, 19 Mar 2014 15:51:06 -0400
apache2 (2.2.22-6ubuntu2.4) quantal-security; urgency=medium * SECURITY UPDATE: denial of service via mod_dav incorrect end of string calculation - debian/patches/CVE-2013-6438.patch: properly calculate correct length in modules/dav/main/util.c. - CVE-2013-6438 * SECURITY UPDATE: denial of service via truncated cookie and mod_log_config - debian/patches/CVE-2014-0098.patch: properly parse tokens in modules/loggers/mod_log_config.c. - CVE-2014-0098 -- Marc Deslauriers <email address hidden> Wed, 19 Mar 2014 15:38:47 -0400
apache2 (2.2.22-1ubuntu1.5) precise-security; urgency=medium * SECURITY UPDATE: denial of service via mod_dav incorrect end of string calculation - debian/patches/CVE-2013-6438.patch: properly calculate correct length in modules/dav/main/util.c. - CVE-2013-6438 * SECURITY UPDATE: denial of service via truncated cookie and mod_log_config - debian/patches/CVE-2014-0098.patch: properly parse tokens in modules/loggers/mod_log_config.c. - CVE-2014-0098 -- Marc Deslauriers <email address hidden> Wed, 19 Mar 2014 15:42:46 -0400