Change log for apache2 package in Ubuntu
| 151 → 225 of 419 results | First • Previous • Next • Last |
| Deleted in xenial-proposed (Reason: requestd by rbasak: It's an SRU verification failure and ...) |
apache2 (2.4.18-2ubuntu3.6) xenial; urgency=medium
* d/p/apache2-bug-1466926-scoreboard-full-[123]-3.patch: backport of upstream
fixes to avoid issues of workers in graceful shutdown blocking new
requests (LP: #1466926)
-- Christian Ehrhardt <email address hidden> Tue, 14 Nov 2017 15:19:49 +0100
Available diffs
apache2 (2.4.29-1ubuntu3) bionic; urgency=medium * Switch back to OpenSSL 1.1. -- Dimitri John Ledkov <email address hidden> Tue, 06 Feb 2018 11:57:20 +0000
Available diffs
apache2 (2.4.29-1ubuntu2) bionic; urgency=medium * enable http2 (LP: #1687454) by stopping to disable it - debian/control: no more removed libnghttp2-dev Build-Depends (in universe). - debian/config-dir/mods-available/http2.load: no more removed. - debian/rules: no more removed proxy_http2 from configure. * d/t/control, d/t/check-http2: add basic test for http2 support -- Christian Ehrhardt <email address hidden> Tue, 05 Dec 2017 17:25:39 +0100
Available diffs
apache2 (2.4.29-1ubuntu1) bionic; urgency=medium
* Merge with Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- Correct systemd-sysv-generator behavior by customizing some
parameters:
+ d/apache2-systemd.conf: add a drop-in file to specify some
parameters for the systemd unit (type=Forking and
RemainsAfterExit=no), this allow a correct state synchronisation
between systemctl status and actual state of apache2 daemon.
+ d/apache2.install: place the apache2-systemd.conf file in the
correct location.
- Don't build http2 module (nghttp2 still not in main) (LP 1687454)
+ debian/control: removed libnghttp2-dev Build-Depends (in universe).
+ debian/config-dir/mods-available/http2.load: removed.
+ debian/rules: removed proxy_http2 from configure.
* Switch back to OpenSSL 1.0 as we don't yet have 1.1:
- debian/control: switch BuildDepends to libssl1.0-dev
- debian/control: remove Breaks on gridsite and libapache2-mod-dacs
- debian/rules: remove openssl virtual package and logic
Available diffs
- diff from 2.4.27-2ubuntu3 to 2.4.29-1ubuntu1 (121.4 KiB)
| Superseded in bionic-release |
| Obsolete in artful-release |
| Deleted in artful-proposed (Reason: moved to release) |
apache2 (2.4.27-2ubuntu3) artful; urgency=medium
* SECURITY UPDATE: optionsbleed information leak
- debian/patches/CVE-2017-9798.patch: disallow method registration
at run time in server/core.c.
- CVE-2017-9798
-- Marc Deslauriers <email address hidden> Mon, 18 Sep 2017 11:05:48 -0400
Available diffs
- diff from 2.4.27-2ubuntu2 to 2.4.27-2ubuntu3 (1018 bytes)
apache2 (2.4.7-1ubuntu4.18) trusty-security; urgency=medium
* SECURITY UPDATE: optionsbleed information leak
- debian/patches/CVE-2017-9798.patch: disallow method registration
at run time in server/core.c.
- CVE-2017-9798
-- Marc Deslauriers <email address hidden> Mon, 18 Sep 2017 11:10:30 -0400
Available diffs
- diff from 2.4.7-1ubuntu4.17 to 2.4.7-1ubuntu4.18 (1008 bytes)
apache2 (2.4.18-2ubuntu3.5) xenial-security; urgency=medium
* SECURITY UPDATE: optionsbleed information leak
- debian/patches/CVE-2017-9798.patch: disallow method registration
at run time in server/core.c.
- CVE-2017-9798
-- Marc Deslauriers <email address hidden> Mon, 18 Sep 2017 11:09:02 -0400
Available diffs
- diff from 2.4.18-2ubuntu3.4 to 2.4.18-2ubuntu3.5 (1019 bytes)
apache2 (2.4.25-3ubuntu2.3) zesty-security; urgency=medium
* SECURITY UPDATE: optionsbleed information leak
- debian/patches/CVE-2017-9798.patch: disallow method registration
at run time in server/core.c.
- CVE-2017-9798
-- Marc Deslauriers <email address hidden> Mon, 18 Sep 2017 11:08:28 -0400
Available diffs
apache2 (2.4.27-2ubuntu2) artful; urgency=medium
* Undrop (LP 1658469):
- Don't build http2 module (nghttp2 still not in main) (LP 1687454)
+ debian/control: removed libnghttp2-dev Build-Depends (in universe).
+ debian/config-dir/mods-available/http2.load: removed.
+ debian/rules: removed proxy_http2 from configure.
-- Marc Deslauriers <email address hidden> Wed, 02 Aug 2017 13:04:45 -0400
Available diffs
- diff from 2.4.25-3ubuntu2 to 2.4.27-2ubuntu2 (564.5 KiB)
- diff from 2.4.27-2ubuntu1 to 2.4.27-2ubuntu2 (1023 bytes)
| Superseded in artful-proposed |
apache2 (2.4.27-2ubuntu1) artful; urgency=medium * Merge with Debian unstable (LP: #1702582). Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace Debian with Ubuntu on default page. + d/source/include-binaries: add Ubuntu icon file - Correct systemd-sysv-generator behavior by customizing some parameters: + d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation between systemctl status and actual state of apache2 daemon. + d/apache2.install: place the apache2-systemd.conf file in the correct location. -- Nishanth Aravamudan <email address hidden> Thu, 27 Jul 2017 13:38:39 -0700
Available diffs
- diff from 2.4.25-3ubuntu3 to 2.4.27-2ubuntu1 (564.1 KiB)
apache2 (2.4.7-1ubuntu4.17) trusty-security; urgency=medium
* SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
- debian/patches/CVE-2017-9788.patch: correct string scope in
modules/aaa/mod_auth_digest.c.
- CVE-2017-9788
-- Marc Deslauriers <email address hidden> Thu, 27 Jul 2017 10:34:31 -0400
Available diffs
apache2 (2.4.18-2ubuntu3.4) xenial-security; urgency=medium
* SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
- debian/patches/CVE-2017-9788.patch: correct string scope in
modules/aaa/mod_auth_digest.c.
- CVE-2017-9788
-- Marc Deslauriers <email address hidden> Thu, 27 Jul 2017 10:34:01 -0400
Available diffs
apache2 (2.4.25-3ubuntu2.2) zesty-security; urgency=medium
* SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
- debian/patches/CVE-2017-9788.patch: correct string scope in
modules/aaa/mod_auth_digest.c.
- CVE-2017-9788
-- Marc Deslauriers <email address hidden> Thu, 27 Jul 2017 10:32:31 -0400
Available diffs
apache2 (2.4.7-1ubuntu4.16) trusty-security; urgency=medium
* SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
- debian/patches/CVE-2017-3167.patch: deprecate and replace
ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
server/protocol.c, server/request.c.
- CVE-2017-3167
* SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
- debian/patches/CVE-2017-3169.patch: fix ctx passed to
ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
- CVE-2017-3169
* SECURITY UPDATE: denial of service and possible incorrect value return
in HTTP strict parsing changes
- debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
server/util.c.
- CVE-2017-7668
* SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
- debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
modules/http/mod_mime.c.
- CVE-2017-7679
-- Marc Deslauriers <email address hidden> Mon, 26 Jun 2017 08:04:58 -0400
Available diffs
apache2 (2.4.18-2ubuntu4.2) yakkety-security; urgency=medium
* SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
- debian/patches/CVE-2017-3167.patch: deprecate and replace
ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
server/protocol.c, server/request.c.
- CVE-2017-3167
* SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
- debian/patches/CVE-2017-3169.patch: fix ctx passed to
ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
- CVE-2017-3169
* SECURITY UPDATE: denial of service and possible incorrect value return
in HTTP strict parsing changes
- debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
server/util.c.
- CVE-2017-7668
* SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
- debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
modules/http/mod_mime.c.
- CVE-2017-7679
-- Marc Deslauriers <email address hidden> Mon, 26 Jun 2017 07:57:04 -0400
Available diffs
apache2 (2.4.25-3ubuntu2.1) zesty-security; urgency=medium
* SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
- debian/patches/CVE-2017-3167.patch: deprecate and replace
ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
server/protocol.c, server/request.c.
- CVE-2017-3167
* SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
- debian/patches/CVE-2017-3169.patch: fix ctx passed to
ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
- CVE-2017-3169
* SECURITY UPDATE: denial of service and possible incorrect value return
in HTTP strict parsing changes
- debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
server/util.c.
- CVE-2017-7668
* SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
- debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
modules/http/mod_mime.c.
- CVE-2017-7679
-- Marc Deslauriers <email address hidden> Mon, 26 Jun 2017 07:50:10 -0400
Available diffs
apache2 (2.4.18-2ubuntu3.3) xenial-security; urgency=medium
* SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
- debian/patches/CVE-2017-3167.patch: deprecate and replace
ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
server/protocol.c, server/request.c.
- CVE-2017-3167
* SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
- debian/patches/CVE-2017-3169.patch: fix ctx passed to
ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
- CVE-2017-3169
* SECURITY UPDATE: denial of service and possible incorrect value return
in HTTP strict parsing changes
- debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
server/util.c.
- CVE-2017-7668
* SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
- debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
modules/http/mod_mime.c.
- CVE-2017-7679
-- Marc Deslauriers <email address hidden> Mon, 26 Jun 2017 07:58:04 -0400
Available diffs
apache2 (2.4.7-1ubuntu4.15) trusty-security; urgency=medium
* SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
- debian/patches/CVE-2016-0736.patch: authenticate the session
data/cookie with a MAC in modules/session/mod_session_crypto.c.
- CVE-2016-0736
* SECURITY UPDATE: denial of service via malicious mod_auth_digest input
- debian/patches/CVE-2016-2161.patch: improve memory handling in
modules/aaa/mod_auth_digest.c.
- CVE-2016-2161
* SECURITY UPDATE: response splitting and cache pollution issue via
incomplete RFC7230 HTTP request grammar enforcing
- debian/patches/CVE-2016-8743.patch: enfore stricter parsing in
include/http_core.h, include/http_protocol.h, include/httpd.h,
modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
server/protocol.c, server/util.c, server/vhost.c.
- debian/patches/hostnames_with_underscores.diff: relax hostname
restrictions in server/vhost.c.
- CVE-2016-8743
* WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
may introduce compatibility issues with clients that do not strictly
follow specifications. A new configuration directive,
"HttpProtocolOptions Unsafe" can be used to re-enable some of the less
strict parsing restrictions, at the expense of security.
-- Marc Deslauriers <email address hidden> Fri, 05 May 2017 12:52:21 -0400
Available diffs
apache2 (2.4.18-2ubuntu3.2) xenial-security; urgency=medium
* SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
- debian/patches/CVE-2016-0736.patch: authenticate the session
data/cookie with a MAC in modules/session/mod_session_crypto.c.
- CVE-2016-0736
* SECURITY UPDATE: denial of service via malicious mod_auth_digest input
- debian/patches/CVE-2016-2161.patch: improve memory handling in
modules/aaa/mod_auth_digest.c.
- CVE-2016-2161
* SECURITY UPDATE: response splitting and cache pollution issue via
incomplete RFC7230 HTTP request grammar enforcing
- debian/patches/CVE-2016-8743.patch: enfore stricter parsing in
include/http_core.h, include/http_protocol.h, include/httpd.h,
modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
server/protocol.c, server/util.c, server/vhost.c.
- debian/patches/hostnames_with_underscores.diff: relax hostname
restrictions in server/vhost.c.
- CVE-2016-8743
* WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
may introduce compatibility issues with clients that do not strictly
follow specifications. A new configuration directive,
"HttpProtocolOptions Unsafe" can be used to re-enable some of the less
strict parsing restrictions, at the expense of security.
-- Marc Deslauriers <email address hidden> Fri, 05 May 2017 12:32:00 -0400
Available diffs
apache2 (2.4.18-2ubuntu4.1) yakkety-security; urgency=medium
* SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
- debian/patches/CVE-2016-0736.patch: authenticate the session
data/cookie with a MAC in modules/session/mod_session_crypto.c.
- CVE-2016-0736
* SECURITY UPDATE: denial of service via malicious mod_auth_digest input
- debian/patches/CVE-2016-2161.patch: improve memory handling in
modules/aaa/mod_auth_digest.c.
- CVE-2016-2161
* SECURITY UPDATE: response splitting and cache pollution issue via
incomplete RFC7230 HTTP request grammar enforcing
- debian/patches/CVE-2016-8743.patch: enfore stricter parsing in
include/http_core.h, include/http_protocol.h, include/httpd.h,
modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
server/protocol.c, server/util.c, server/vhost.c.
- debian/patches/hostnames_with_underscores.diff: relax hostname
restrictions in server/vhost.c.
- CVE-2016-8743
* WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
may introduce compatibility issues with clients that do not strictly
follow specifications. A new configuration directive,
"HttpProtocolOptions Unsafe" can be used to re-enable some of the less
strict parsing restrictions, at the expense of security.
-- Marc Deslauriers <email address hidden> Fri, 05 May 2017 10:51:32 -0400
Available diffs
| Superseded in artful-proposed |
apache2 (2.4.25-3ubuntu3) artful; urgency=medium * Re-Drop (LP: #1658469): - Don't build experimental http2 module for LTS: + debian/control: removed libnghttp2-dev Build-Depends (in universe). + debian/config-dir/mods-available/http2.load: removed. + debian/rules: removed proxy_http2 from configure. + debian/apache2.maintscript: remove http2 conffile. -- Nishanth Aravamudan <email address hidden> Mon, 01 May 2017 09:55:11 -0700
Available diffs
| Superseded in artful-release |
| Obsolete in zesty-release |
| Deleted in zesty-proposed (Reason: moved to release) |
apache2 (2.4.25-3ubuntu2) zesty; urgency=medium
* Undrop (LP 1658469):
- Don't build experimental http2 module for LTS:
+ debian/control: removed libnghttp2-dev Build-Depends (in universe).
+ debian/config-dir/mods-available/http2.load: removed.
+ debian/rules: removed proxy_http2 from configure.
+ debian/apache2.maintscript: remove http2 conffile.
-- Nishanth Aravamudan <email address hidden> Fri, 10 Feb 2017 08:53:43 -0800
Available diffs
- diff from 2.4.23-8ubuntu1 to 2.4.25-3ubuntu2 (683.8 KiB)
- diff from 2.4.25-3ubuntu1 to 2.4.25-3ubuntu2 (1.2 KiB)
| Superseded in zesty-proposed |
apache2 (2.4.25-3ubuntu1) zesty; urgency=medium * Merge from Debian unstable (LP: #1663425). Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace Debian with Ubuntu on default page. + d/source/include-binaries: add Ubuntu icon file - Correct systemd-sysv-generator behavior by customizing some parameters: + d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation between systemctl status and actual state of apache2 daemon. + d/apache2.install: place the apache2-systemd.conf file in the correct location. * Drop (LP: #1658469): - Don't build experimental http2 module for LTS: + debian/control: removed libnghttp2-dev Build-Depends (in universe). + debian/config-dir/mods-available/http2.load: removed. + debian/rules: removed proxy_http2 from configure. + debian/apache2.maintscript: remove http2 conffile. -- Nishanth Aravamudan <email address hidden> Thu, 09 Feb 2017 15:48:28 -0800
Available diffs
- diff from 2.4.23-8ubuntu1 to 2.4.25-3ubuntu1 (684.1 KiB)
apache2 (2.4.23-8ubuntu1) zesty; urgency=medium
* Merge from Debian unstable (LP: #). Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/source/include-binaries: replace Debian with Ubuntu on default
page.
[ include-binaries change previously undocumented ]
- Don't build experimental http2 module for LTS:
+ debian/control: removed libnghttp2-dev Build-Depends (in universe).
+ debian/config-dir/mods-available/http2.load: removed.
+ debian/rules: removed proxy_http2 from configure.
+ debian/apache2.maintscript: remove http2 conffile.
[ Previously undocumented ]
- Correct systemd-sysv-generator behavior by customizing some
parameters:
+ d/apache2-systemd.conf: add a drop-in file to specify some
parameters for the systemd unit (type=Forking and
RemainsAfterExit=no), this allow a correct state synchronisation
between systemctl status and actual state of apache2 daemon.
+ d/apache2.install: place the apache2-systemd.conf file in the
correct location.
* Drop:
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
[ Incorrectly indicated as delta, fixed by Debian in 2.4.18-2 ]
-- Nishanth Aravamudan <email address hidden> Fri, 09 Dec 2016 11:02:38 +0100
Available diffs
apache2 (2.4.23-7ubuntu1) zesty; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
- Don't build experimental http2 module for LTS:
+ debian/control: removed libnghttp2-dev Build-Depends (in universe).
+ debian/config-dir/mods-available/http2.load: removed.
+ debian/rules: removed proxy_http2 from configure.
- Correct systemd-sysv-generator behavior by customizing some
parameters:
+ d/apache2-systemd.conf: add a drop-in file to specify some
parameters for the systemd unit (type=Forking and
RemainsAfterExit=no), this allow a correct state synchronisation
between systemctl status and actual state of apache2 daemon.
+ d/apache2.install: place the apache2-systemd.conf file in the
correct location.
Available diffs
- diff from 2.4.18-2ubuntu4 to 2.4.23-7ubuntu1 (914.6 KiB)
| Published in trusty-backports |
apache2 (2.4.10-1ubuntu1.1~ubuntu14.04.2) trusty-backports; urgency=medium * CVE-2016-5387 (LP: #1604209) -- Mike Gerow <email address hidden> Thu, 21 Jul 2016 14:53:00 -0700
Available diffs
| Deleted in trusty-proposed (Reason: The package was removed due to its SRU bug(s) not being v...) |
apache2 (2.4.7-1ubuntu4.14) trusty; urgency=medium
* d/p/fix_aliasmatch_long_uri.patch: Fix handling memory allocation for very
long uri in alias match (LP: #1534538)
-- Wesley Wiedenmeier <email address hidden> Wed, 20 Jul 2016 19:07:41 -0500
Available diffs
| Superseded in zesty-release |
| Obsolete in yakkety-release |
| Deleted in yakkety-proposed (Reason: moved to release) |
apache2 (2.4.18-2ubuntu4) yakkety; urgency=medium
* SECURITY UPDATE: proxy request header vulnerability (httpoxy)
- debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
server/util_script.c.
- CVE-2016-5387
-- Marc Deslauriers <email address hidden> Mon, 18 Jul 2016 14:32:02 -0400
Available diffs
- diff from 2.4.18-2ubuntu3 to 2.4.18-2ubuntu4 (803 bytes)
apache2 (2.4.7-1ubuntu4.13) trusty-security; urgency=medium
* SECURITY UPDATE: proxy request header vulnerability (httpoxy)
- debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
server/util_script.c.
- CVE-2016-5387
* This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
trusty-proposed.
-- Marc Deslauriers <email address hidden> Thu, 14 Jul 2016 08:40:55 -0400
Available diffs
apache2 (2.2.22-1ubuntu1.11) precise-security; urgency=medium
* SECURITY UPDATE: proxy request header vulnerability (httpoxy)
- debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
server/util_script.c.
- CVE-2016-5387
* This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
trusty-proposed.
-- Marc Deslauriers <email address hidden> Thu, 14 Jul 2016 08:50:27 -0400
Available diffs
apache2 (2.4.18-2ubuntu3.1) xenial-security; urgency=medium
* SECURITY UPDATE: proxy request header vulnerability (httpoxy)
- debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
server/util_script.c.
- CVE-2016-5387
-- Marc Deslauriers <email address hidden> Thu, 14 Jul 2016 08:32:26 -0400
Available diffs
apache2 (2.4.12-2ubuntu2.1) wily-security; urgency=medium
* SECURITY UPDATE: proxy request header vulnerability (httpoxy)
- debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
server/util_script.c.
- CVE-2016-5387
-- Marc Deslauriers <email address hidden> Thu, 14 Jul 2016 08:39:28 -0400
Available diffs
| Deleted in trusty-proposed (Reason: moved to -updates) |
apache2 (2.4.7-1ubuntu4.12) trusty; urgency=medium
* d/p/fix_aliasmatch_long_uri.patch: Fix handling memory allocation for very
long uri in alias match (LP: #1534538)
-- Wesley Wiedenmeier <email address hidden> Tue, 28 Jun 2016 09:55:36 -0500
Available diffs
- diff from 2.4.7-1ubuntu4.11 to 2.4.7-1ubuntu4.12 (1002 bytes)
apache2 (2.4.7-1ubuntu4.11) trusty; urgency=medium
* Fix hang until proxy timeout for Proxy responses with error status and
"ProxyErrorOverride On" being set (LP: #1495988).
-- Christian Ehrhardt <email address hidden> Tue, 07 Jun 2016 16:28:05 +0200
Available diffs
| Superseded in trusty-backports |
apache2 (2.4.10-1ubuntu1.1~ubuntu14.04.1) trusty-backports; urgency=medium * No-change backport to trusty (LP: #1335068)
Available diffs
apache2 (2.4.7-1ubuntu4.10) trusty; urgency=medium
* Add apache2 specific modification needed along with fix to
libapache2-mpm-itk so it becomes installable again (LP: #1286882):
- Removes warning on mpm_itk use
- Removes conflicts on mpm_itk
-- Louis Bouchard <email address hidden> Wed, 20 Apr 2016 16:21:03 +0200
Available diffs
- diff from 2.4.7-1ubuntu4.9 to 2.4.7-1ubuntu4.10 (927 bytes)
| Superseded in yakkety-release |
| Published in xenial-release |
| Deleted in xenial-proposed (Reason: moved to release) |
apache2 (2.4.18-2ubuntu3) xenial; urgency=medium
[ Ryan Harper ]
* Drop /etc/apache2/mods-available/http2.load. This was inadvertently
introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
all, since http2 support is intentionally disabled (see LP 1531864).
* d/apache2.maintscript: handle removal of http2.load conffile.
[ Robie Basak ]
* Re-write Ryan's changelog entry.
-- Robie Basak <email address hidden> Fri, 15 Apr 2016 18:00:57 +0000
Available diffs
- diff from 2.4.18-2ubuntu2 to 2.4.18-2ubuntu3 (726 bytes)
apache2 (2.4.18-2ubuntu2) xenial; urgency=medium * Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962) - d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation between systemctl status and actual state of apache2 daemon. - d/apache2.install: place the apache2-systemd.conf file in the correct location. -- Pierre-André MOREY <email address hidden> Fri, 08 Apr 2016 11:48:00 +0200
Available diffs
- diff from 2.4.18-2ubuntu1 to 2.4.18-2ubuntu2 (738 bytes)
apache2 (2.4.18-2ubuntu1) xenial; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html: replace Debian with Ubuntu on default page.
- Don't build experimental http2 module for LTS:
+ debian/control: removed libnghttp2-dev Build-Depends (in universe).
+ debian/config-dir/mods-available/http2.load: removed.
Available diffs
apache2 (2.4.18-1ubuntu1) xenial; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- Add dep8 tests.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html: replace Debian with Ubuntu on default page.
- Don't build experimental http2 module for LTS:
+ debian/control: removed libnghttp2-dev Build-Depends (in universe).
+ debian/config-dir/mods-available/http2.load: removed.
Available diffs
- diff from 2.4.17-3ubuntu1 to 2.4.18-1ubuntu1 (228.2 KiB)
apache2 (2.4.7-1ubuntu4.9) trusty; urgency=medium
* Force disablereuse on for mod_proxy_wstunnel. Fixes "Unable to connect to:
ws://<maas IP>:/MAAS/ws" errors with maas, and other proxy applications.
https://bz.apache.org/bugzilla/show_bug.cgi?id=55890
(LP: #1484696).
-- Dave Chiluk <email address hidden> Wed, 13 Jan 2016 15:34:51 -0600
Available diffs
apache2 (2.4.17-3ubuntu1) xenial; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- Add dep8 tests.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html: replace Debian with Ubuntu on default page.
- Don't build experimental http2 module for LTS:
+ debian/control: removed libnghttp2-dev Build-Depends (in universe).
+ debian/config-dir/mods-available/http2.load: removed.
Available diffs
apache2 (2.4.17-2ubuntu1) xenial; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- Add dep8 tests.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html: replace Debian with Ubuntu on default page.
- Don't build experimental http2 module for LTS:
+ debian/control: removed libnghttp2-dev Build-Depends (in universe).
+ debian/config-dir/mods-available/http2.load: removed.
Available diffs
apache2 (2.4.17-1ubuntu1) xenial; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- Add dep8 tests.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html: replace Debian with Ubuntu on default page.
* Drop patches (applied upstream):
- debian/patches/CVE-2015-3183.patch
- debian/patches/CVE-2015-3185.patch
* Drop changes (adopted in Debian):
- Allow "triggers-awaited" and "triggers-pending" states in addition
to "installed" when determining whether to defer actions or
process deferred actions.
* Don't build experimental http2 module for LTS
- debian/control: removed libnghttp2-dev Build-Depends (in universe).
- debian/config-dir/mods-available/http2.load: removed.
Available diffs
- diff from 2.4.12-2ubuntu2 to 2.4.17-1ubuntu1 (731.0 KiB)
apache2 (2.4.7-1ubuntu4.8) trusty; urgency=medium
* Fix -D[efined] or <Define>[d] variables lifetime across restarts.
This fixes incorrect processing of configuration files on reload
(LP: #1504354).
-- Jeffrey Hutzelman <email address hidden> Thu, 08 Oct 2015 19:30:10 -0400
Available diffs
- diff from 2.4.7-1ubuntu4.7 to 2.4.7-1ubuntu4.8 (921 bytes)
apache2 (2.4.7-1ubuntu4.7) trusty; urgency=medium
* d/p/wstunnel-ssl.patch: mod_proxy_wstunnel: Fix the use of SSL
connections with the "wss:" scheme. PR55320. LP: #1445914
Submitted by: Alex Liu <alex.leo.ca gmail.com>
-- Jeffrey Hutzelman <email address hidden> Thu, 10 Sep 2015 12:50:00 -0400
Available diffs
- diff from 2.4.7-1ubuntu4.6 to 2.4.7-1ubuntu4.7 (947 bytes)
apache2 (2.4.7-1ubuntu4.6) trusty; urgency=medium
* d/p/fix_rewrite_rule.patch: Add a configurable option to keep mod_dir from
running when another handler is set. This makes default behavior
consistant with 2.2, and fixes (LP: #1394403)
- This adds the configuration option "DirectoryCheckHandler" which is
present in apache 2.4.8 and later versions. The default value is
"DirectoryCheckHandler Off".
- This will change default behavior. Instead of mod_dir running even if
other rules are being run, mod_dir will only run when no other rules
have been processed by default. This is the expected behavior of
mod_dir, and is consistant with the behavior of mod_dir in apache
versions < 2.4 and > 2.4.8, and so the default value of this
configuration option will correct the bug.
- The current default behavior, which is considered to be a bug, can be
kept by setting "DirectoryCheckHandler On".
-- Wesley Wiedenmeier <email address hidden> Tue, 18 Aug 2015 09:36:21 -0500
Available diffs
apache2 (2.2.22-1ubuntu1.10) precise-security; urgency=medium
* SECURITY UPDATE: request smuggling via chunked transfer encoding
- debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
modules/http/http_filters.c.
- CVE-2015-3183
-- Marc Deslauriers <email address hidden> Fri, 24 Jul 2015 13:06:25 -0400
Available diffs
apache2 (2.4.7-1ubuntu4.5) trusty-security; urgency=medium
* SECURITY UPDATE: request smuggling via chunked transfer encoding
- debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
modules/http/http_filters.c.
- CVE-2015-3183
* SECURITY UPDATE: access restriction bypass via deprecated API
- debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
in include/http_request.h, server/request.c.
- CVE-2015-3185
-- Marc Deslauriers <email address hidden> Fri, 24 Jul 2015 12:44:36 -0400
Available diffs
apache2 (2.4.10-9ubuntu1.1) vivid-security; urgency=medium
* SECURITY UPDATE: request smuggling via chunked transfer encoding
- debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
modules/http/http_filters.c.
- CVE-2015-3183
* SECURITY UPDATE: access restriction bypass via deprecated API
- debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
in include/http_request.h, server/request.c.
- CVE-2015-3185
-- Marc Deslauriers <email address hidden> Fri, 24 Jul 2015 12:25:41 -0400
Available diffs
| Superseded in xenial-release |
| Obsolete in wily-release |
| Deleted in wily-proposed (Reason: moved to release) |
apache2 (2.4.12-2ubuntu2) wily; urgency=medium
* SECURITY UPDATE: request smuggling via chunked transfer encoding
- debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
modules/http/http_filters.c.
- CVE-2015-3183
* SECURITY UPDATE: access restriction bypass via deprecated API
- debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
in include/http_request.h, server/request.c.
- CVE-2015-3185
-- Marc Deslauriers <email address hidden> Fri, 24 Jul 2015 09:56:09 -0400
Available diffs
apache2 (2.4.12-2ubuntu1) wily; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- Add dep8 tests.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html: replace Debian with Ubuntu on default page.
- Allow "triggers-awaited" and "triggers-pending" states in addition
to "installed" when determining whether to defer actions or
process deferred actions.
* Drop patches (applied upstream):
- d/p/split-logfile.patch
- d/p/CVE-2015-0228.patch
* Drop changes (superceded in Debian):
- Cherry-pick versioned build-depend on dpkg from Debian for correct
dpkg-maintscript-helper symlink_to_dir support.
* Drop changes (adopted in Debian):
- d/control, d/config-dir/mods-available/ssl.conf,
d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
dialog program ask-for-passphrase.
* Fix cross-building configure line in d/rules, which had bit-rotted in
previous merges.
Available diffs
- diff from 2.4.10-9ubuntu1 to 2.4.12-2ubuntu1 (558.5 KiB)
apache2 (2.2.22-1ubuntu1.9) precise-security; urgency=medium
* SECURITY IMPROVEMENT: add support for ECC keys and ECDH ciphers
(LP: #1197884)
- debian/patches/ecc_support.patch: add support to
modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_init.c,
modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
modules/ssl/ssl_toolkit_compat.h, modules/ssl/ssl_util.c,
* SECURITY IMPROVEMENT: add TLSv1.x options to SSLProtocol (LP: #1400473)
- debian/patches/tls_options.patch: allow specifying later TLSv1.x
options in modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
modules/ssl/ssl_private.h.
* SECURITY IMPROVEMENT: improve ephemeral key handling, including
allowing DH parameters to be loaded from SSLCertificateFile and
disabling EXPORT ciphers.
- debian/patches/ephemeral_key_handling.patch: numerous improvements to
modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
modules/ssl/ssl_engine_dh.c, modules/ssl/ssl_engine_init.c,
modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h.
-- Marc Deslauriers <email address hidden> Thu, 28 May 2015 12:26:50 -0400
Available diffs
apache2 (2.4.7-1ubuntu4.4) trusty-security; urgency=medium * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141) - debian/patches/CVE-2013-5704.patch: don't merge trailers by default and add a "MergeTrailers" directive to revert to previous behaviour to include/http_core.h, include/httpd.h, modules/http/http_filters.c, modules/http/http_request.c, modules/loggers/mod_log_config.c, modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c. - CVE-2013-5704 * SECURITY UPDATE: mod_cache denial of service via empty HTTP Content-Type header - debian/patches/CVE-2014-3581.patch: check for NULL in modules/cache/cache_util.c. - CVE-2014-3581 -- Marc Deslauriers <email address hidden> Tue, 10 Mar 2015 07:42:50 -0400
Available diffs
| Superseded in wily-release |
| Obsolete in vivid-release |
| Deleted in vivid-proposed (Reason: moved to release) |
apache2 (2.4.10-9ubuntu1) vivid; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- d/control, d/config-dir/mods-available/ssl.conf,
- Add dep8 tests.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html: replace Debian with Ubuntu on default page.
- d/p/split-logfile.patch: fix completely broken split-logfile
command.
- d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
denial of service in mod_lua via websockets PING
* debian/tests/ssl-passphrase: Add password responder for
systemd-ask-passphrase.
Available diffs
apache2 (2.4.10-1ubuntu1.1) utopic-security; urgency=medium * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141) - debian/patches/CVE-2013-5704.patch: don't merge trailers by default and add a "MergeTrailers" directive to revert to previous behaviour to include/http_core.h, include/httpd.h, modules/http/http_filters.c, modules/http/http_request.c, modules/loggers/mod_log_config.c, modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c. - CVE-2013-5704 * SECURITY UPDATE: mod_cache denial of service via empty HTTP Content-Type header - debian/patches/CVE-2014-3581.patch: check for NULL in modules/cache/cache_util.c. - CVE-2014-3581 * SECURITY UPDATE: mod_proxy_fcgi deial of service via long response headers - debian/patches/CVE-2014-3583.patch: properly handle length in modules/aaa/mod_authnz_fcgi.c, modules/proxy/mod_proxy_fcgi.c. - CVE-2014-3583 * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require directives - debian/patches/CVE-2014-8109.patch: handle multiple Require directives with different arguments in modules/lua/mod_lua.c. - CVE-2014-8109 * SECURITY UPDATE: denial of service in mod_lua via websockets PING - debian/patches/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c. - CVE-2015-0228 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2015 12:05:47 -0500
Available diffs
apache2 (2.2.22-1ubuntu1.8) precise-security; urgency=medium * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141) - debian/patches/CVE-2013-5704.patch: don't merge trailers by default and add a "MergeTrailers" directive to revert to previous behaviour to include/http_core.h, include/httpd.h, modules/http/http_filters.c, modules/http/http_request.c, modules/loggers/mod_log_config.c, modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c, server/core.c, server/protocol.c. - CVE-2013-5704 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2015 12:40:00 -0500
Available diffs
apache2 (2.2.14-5ubuntu8.15) lucid-security; urgency=medium * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141) - debian/patches/CVE-2013-5704.dpatch: don't merge trailers by default and add a "MergeTrailers" directive to revert to previous behaviour to include/http_core.h, include/httpd.h, modules/http/http_filters.c, modules/http/http_request.c, modules/loggers/mod_log_config.c, modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c, server/core.c, server/protocol.c. - CVE-2013-5704 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2015 12:45:09 -0500
Available diffs
| Superseded in vivid-proposed |
apache2 (2.4.10-8ubuntu3) vivid; urgency=medium
* SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
directives
- debian/patches/CVE-2014-8109.patch: handle multiple Require
directives with different arguments in modules/lua/mod_lua.c.
- CVE-2014-8109
* SECURITY UPDATE: denial of service in mod_lua via websockets PING
- debian/patches/CVE-2015-0228.patch: fix logic in
modules/lua/lua_request.c.
- CVE-2015-0228
-- Marc Deslauriers <email address hidden> Thu, 05 Mar 2015 10:56:34 -0500
Available diffs
| Deleted in trusty-proposed (Reason: moved to -updates) |
apache2 (2.4.7-1ubuntu4.2) trusty; urgency=medium
* d/p/ocsp-stapling-memory-corruption.patch: fix crash on startup due
to memory corruption while modules are reloaded (LP: #1366174).
Thanks to Alex Bligh for reporting, debugging, fixing upstream,
backporting and driving this fix through to Trusty.
-- Robie Basak <email address hidden> Thu, 26 Feb 2015 18:11:56 +0000
Available diffs
apache2 (2.4.10-8ubuntu2) vivid; urgency=medium
* Allow "triggers-awaited" and "triggers-pending" states in addition to
"installed" when determining whether to defer actions or process
deferred actions (LP: #1393832).
-- Colin Watson <email address hidden> Wed, 26 Nov 2014 11:31:44 +0000
Available diffs
- diff from 2.4.10-1ubuntu1 to 2.4.10-8ubuntu2 (198.4 KiB)
- diff from 2.4.10-8ubuntu1 to 2.4.10-8ubuntu2 (792 bytes)
| Superseded in vivid-proposed |
apache2 (2.4.10-8ubuntu1) vivid; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- d/control, d/config-dir/mods-available/ssl.conf,
d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
dialog program ask-for-passphrase.
- Add dep8 tests.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html: replace Debian with Ubuntu on default page.
- d/p/split-logfile.patch: fix completely broken split-logfile
command.
* Fixes from Debian included in merge:
- Crash caused by OCSP stapling code; this was erroneously
attributed to Debian in my previous merge, but actually only
appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
* Cherry-pick versioned build-depend on dpkg from Debian for correct
dpkg-maintscript-helper symlink_to_dir support.
Available diffs
| Superseded in vivid-proposed |
apache2 (2.4.10-7ubuntu1) vivid; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- d/control, d/config-dir/mods-available/ssl.conf,
d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
dialog program ask-for-passphrase.
- Add dep8 tests.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html: replace Debian with Ubuntu on default page.
- d/p/split-logfile.patch: fix completely broken split-logfile command.
* Fixes from Debian included in merge:
- Don't use a2query in preinst, as it may not be available yet
(LP: #1312533).
- Crash caused by OCSP stapling code (LP: #1366174).
- Disable SSLv3 in default config (LP: #1358305).
- If apache2 is not configured yet, defer actions executed via
apache2-maintscript-helper. This fixes installation failures if a
module package is configured first (LP: #1312854).
Available diffs
- diff from 2.4.10-1ubuntu1 to 2.4.10-7ubuntu1 (192.5 KiB)
| Superseded in vivid-release |
| Obsolete in utopic-release |
| Deleted in utopic-proposed (Reason: moved to release) |
apache2 (2.4.10-1ubuntu1) utopic; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
d/apache2.install: Plymouth aware passphrase dialog program
ask-for-passphrase.
- Add dep8 tests.
- debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
configure.
- debian/patches/086_svn_cross_compiles: Backport several cross fixes from
upstream
- d/index.html: replace Debian with Ubuntu on default page.
- d/p/split-logfile.patch: fix completely broken split-logfile command.
Available diffs
- diff from 2.4.9-1ubuntu2 to 2.4.10-1ubuntu1 (294.5 KiB)
apache2 (2.4.7-1ubuntu4.1) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service in mod_proxy
- debian/patches/CVE-2014-0117.patch: also skip over semicolons in
modules/proxy/proxy_util.c.
- CVE-2014-0117
* SECURITY UPDATE: resource consumption via mod_deflate body
decompression
- debian/patches/CVE-2014-0118.patch: added new configuration options
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and
DeflateInflateRatioBurst in modules/filters/mod_deflate.c.
- CVE-2014-0118
* SECURITY UPDATE: denial of service via race in mod_status
- debian/patches/CVE-2014-0226.patch: fix race by adding
ap_copy_scoreboard_worker() to include/scoreboard.h,
modules/generators/mod_status.c, modules/lua/lua_request.c,
server/scoreboard.c.
- CVE-2014-0226
* SECURITY UPDATE: denial of service in mod_cgid
- debian/patches/CVE-2014-0231.patch: added new configuration option
CGIDScriptTimeout in modules/generators/mod_cgid.c.
- CVE-2014-0231
-- Marc Deslauriers <email address hidden> Mon, 21 Jul 2014 15:46:10 -0400
Available diffs
apache2 (2.2.22-1ubuntu1.7) precise-security; urgency=medium
* SECURITY UPDATE: resource consumption via mod_deflate body
decompression
- debian/patches/CVE-2014-0118.patch: added new configuration options
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and
DeflateInflateRatioBurst in modules/filters/mod_deflate.c.
- CVE-2014-0118
* SECURITY UPDATE: denial of service via race in mod_status
- debian/patches/CVE-2014-0226.patch: fix race by adding
ap_copy_scoreboard_worker() to include/scoreboard.h,
modules/generators/mod_status.c, server/scoreboard.c.
- CVE-2014-0226
* SECURITY UPDATE: denial of service in mod_cgid
- debian/patches/CVE-2014-0231.patch: added new configuration option
CGIDScriptTimeout in modules/generators/mod_cgid.c.
- CVE-2014-0231
-- Marc Deslauriers <email address hidden> Tue, 22 Jul 2014 09:53:35 -0400
Available diffs
apache2 (2.2.14-5ubuntu8.14) lucid-security; urgency=medium
* SECURITY UPDATE: resource consumption via mod_deflate body
decompression
- debian/patches/CVE-2014-0118.dpatch: added new configuration options
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and
DeflateInflateRatioBurst in modules/filters/mod_deflate.c.
- CVE-2014-0118
* SECURITY UPDATE: denial of service via race in mod_status
- debian/patches/CVE-2014-0226.dpatch: fix race by adding
ap_copy_scoreboard_worker() to include/scoreboard.h,
modules/generators/mod_status.c, server/scoreboard.c.
- CVE-2014-0226
* SECURITY UPDATE: denial of service in mod_cgid
- debian/patches/CVE-2014-0231.dpatch: added new configuration option
CGIDScriptTimeout in modules/generators/mod_cgid.c.
- CVE-2014-0231
-- Marc Deslauriers <email address hidden> Tue, 22 Jul 2014 10:03:41 -0400
Available diffs
apache2 (2.4.9-1ubuntu2) utopic; urgency=medium
* Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
yet support building against lua 5.2 (LP: #1323930).
-- Robie Basak <email address hidden> Wed, 28 May 2014 08:55:25 +0000
Available diffs
- diff from 2.4.9-1ubuntu1 to 2.4.9-1ubuntu2 (657 bytes)
apache2 (2.4.9-1ubuntu1) utopic; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
dialog program ask-for-passphrase.
- debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
configure.
- debian/patches/086_svn_cross_compiles: Backport several cross fixes from
upstream
- Build using lua5.2.
- d/tests/chroot: dep8 test for ChrootDir case.
- d/tests/ssl-passphrase: update for new default path /var/www/html.
- d/tests/duplicate-module-load: check for duplicate module loads.
- d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
- d/p/split-logfile.patch: fix completely broken split-logfile command
(LP: #1299162). Thanks to Holger Mauermann.
* Drop changes (upstreamed):
- d/p/ignore-quilt-dir: adjust build system so that it does not use
files find inside the .pc directory. This stops a double module load
causing later havoc, including "ChrootDir" directive failure.
- debian/patches/CVE-2013-6438.patch: properly calculate correct length
in modules/dav/main/util.c.
- debian/patches/CVE-2014-0098.patch: properly parse tokens in
modules/loggers/mod_log_config.c.
* d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
Available diffs
- diff from 2.4.7-1ubuntu4 to 2.4.9-1ubuntu1 (685.2 KiB)
| Superseded in utopic-release |
| Published in trusty-release |
| Deleted in trusty-proposed (Reason: moved to release) |
apache2 (2.4.7-1ubuntu4) trusty; urgency=medium
* d/p/split-logfile.patch: fix completely broken split-logfile command
(LP: #1299162). Thanks to Holger Mauermann.
-- Robie Basak <email address hidden> Thu, 03 Apr 2014 11:21:22 +0000
Available diffs
apache2 (2.2.22-1ubuntu1.6) precise; urgency=low
* debian/patches/sni.patch:
- apache2 doesn't compare SNI hostname against Host header
case-insensitively (lp: #1298273)
-- Ritesh Khadgaray <email address hidden> Thu, 27 Mar 2014 15:06:16 +0530
Available diffs
apache2 (2.4.7-1ubuntu3) trusty; urgency=medium
* SECURITY UPDATE: denial of service via mod_dav incorrect end of string
calculation
- debian/patches/CVE-2013-6438.patch: properly calculate correct length
in modules/dav/main/util.c.
- CVE-2013-6438
* SECURITY UPDATE: denial of service via truncated cookie and
mod_log_config
- debian/patches/CVE-2014-0098.patch: properly parse tokens in
modules/loggers/mod_log_config.c.
- CVE-2014-0098
-- Marc Deslauriers <email address hidden> Thu, 20 Mar 2014 08:34:10 -0400
Available diffs
apache2 (2.2.14-5ubuntu8.13) lucid-security; urgency=medium
* SECURITY UPDATE: denial of service via mod_dav incorrect end of string
calculation
- debian/patches/CVE-2013-6438.dpatch: properly calculate correct length
in modules/dav/main/util.c.
- CVE-2013-6438
-- Marc Deslauriers <email address hidden> Wed, 19 Mar 2014 15:51:06 -0400
Available diffs
apache2 (2.2.22-6ubuntu2.4) quantal-security; urgency=medium
* SECURITY UPDATE: denial of service via mod_dav incorrect end of string
calculation
- debian/patches/CVE-2013-6438.patch: properly calculate correct length
in modules/dav/main/util.c.
- CVE-2013-6438
* SECURITY UPDATE: denial of service via truncated cookie and
mod_log_config
- debian/patches/CVE-2014-0098.patch: properly parse tokens in
modules/loggers/mod_log_config.c.
- CVE-2014-0098
-- Marc Deslauriers <email address hidden> Wed, 19 Mar 2014 15:38:47 -0400
Available diffs
apache2 (2.2.22-1ubuntu1.5) precise-security; urgency=medium
* SECURITY UPDATE: denial of service via mod_dav incorrect end of string
calculation
- debian/patches/CVE-2013-6438.patch: properly calculate correct length
in modules/dav/main/util.c.
- CVE-2013-6438
* SECURITY UPDATE: denial of service via truncated cookie and
mod_log_config
- debian/patches/CVE-2014-0098.patch: properly parse tokens in
modules/loggers/mod_log_config.c.
- CVE-2014-0098
-- Marc Deslauriers <email address hidden> Wed, 19 Mar 2014 15:42:46 -0400
Available diffs
| 151 → 225 of 419 results | First • Previous • Next • Last |
