apache2 2.4.33-3ubuntu2 source package in Ubuntu

Changelog

apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium

  * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
    libapache2-mod-md until we figure out their transitions.  libapache2-mod-md
    in particular is problematic because that makes apache2-bin pull in
    libcurl4 which cannot be coinstalled with libcurl3.  That situation breaks
    the installation of libapache2-mod-shib2.  See
    https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
    for details.
    - Don't ship md.load and remove build-requires that were added because of
      mod-md (see
      https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
    - Remove proxy_uwsgi.load as we are not building it for now (see
      https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)

apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable (LP: #1770242). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
  * Drop:
    - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
      + debian/patches/CVE-2017-15710.patch: fix language long names
        detection as short name in modules/aaa/mod_authnz_ldap.c.
      + CVE-2017-15710
    - SECURITY UPDATE: incorrect <FilesMatch> matching
      + debian/patches/CVE-2017-15715.patch: allow to configure
        global/default options for regexes, like caseless matching or
        extended format in include/ap_regex.h, server/core.c,
        server/util_pcre.c.
      + CVE-2017-15715
    - SECURITY UPDATE: mod_session header manipulation
      + debian/patches/CVE-2018-1283.patch: strip Session header when
        SessionEnv is on in modules/session/mod_session.c.
      + CVE-2018-1283
    - SECURITY UPDATE: DoS via specially-crafted request
      + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
        terminated on any error, not only on buffer full in
        server/protocol.c.
      + CVE-2018-1301
    - SECURITY UPDATE: mod_cache_socache DoS
      + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
        to carriage return in modules/cache/mod_cache_socache.c.
      + CVE-2018-1303
    - SECURITY UPDATE: insecure nonce generation
      + debian/patches/CVE-2018-1312.patch: actually use the secret when
        generating nonces in modules/aaa/mod_auth_digest.c.
      + CVE-2018-1312
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allow a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.
      [type=Forking already in the base systemd service file, and
       RemainsAfterExit=no is the default value, so no need to
       customize these anymore.]
    - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
      + added debian/patches/util_ldap_cache_lock_fix.patch
      [Already applied upstream]

apache2 (2.4.33-3) unstable; urgency=medium

  * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
    Closes: #894785
  * mod_http2: Avoid high memory usage with large files, causing crashes on
    32bit archs. Closes: #897218
  * Migrate from alioth to salsa.

apache2 (2.4.33-2) unstable; urgency=medium

  * Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi
    and libapache2-mod-md.
    Closes: #894760, #894761, #894785

apache2 (2.4.33-1) unstable; urgency=medium

  * New upstream version.
    Security fixes:
    - CVE-2017-15710
      Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
    - CVE-2018-1283
      mod_session: CGI-like applications that intend to read from mod_session's
      'SessionEnv ON' could be fooled into reading user-supplied data instead.
    - CVE-2018-1303
      mod_cache_socache: Fix request headers parsing to avoid a possible crash
      with specially crafted input data.
    - CVE-2018-1301
      core: Possible crash with excessively long HTTP request headers.
      Impractical to exploit with a production build and production LogLevel.
    - CVE-2017-15715
      core: Configure the regular expression engine to match '$' to the end of
      the input string only, excluding matching the end of any embedded
      newline characters. Behavior can be changed with new directive
      'RegexDefaultOptions'.
    - CVE-2018-1312
      mod_auth_digest: Fix generation of nonce values to prevent replay
      attacks across servers using a common Digest domain. This change
      may cause problems if used with round robin load balancers. PR 54637
    - CVE-2018-1302
      mod_http2: Potential crash w/ mod_http2.

    - mod_proxy_uwsgi: New UWSGI proxy submodule.
    - mod_md: New experimental module for managing domains across virtual
      hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
      renew certificates.
    - core: silently ignore a not existent file path when IncludeOptional
      is used. Closes: #878920
    - mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980

  * Fix lintian warnings:
    - Include SupportApache-small.png in apache2-doc package instead of
      linking to apache.org, to avoid privacy issues.
    - Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
    - Remove deprecated use of autotools_dev with dh.
    - Add some overrides
  * Bump standards-version to 4.1.2 (no changes)

apache2 (2.4.29-2) unstable; urgency=medium

  * Add myself to Uploaders
  * Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
  * Run wrap-and-sort -a to canonicalize the debian/ directory
  * Add Build-Depends on libbrotli-dev and enable brotli module

 -- Andreas Hasenack <email address hidden>  Thu, 17 May 2018 14:46:19 +0000

Upload details

Uploaded by:
Andreas Hasenack on 2018-05-22
Uploaded to:
Cosmic
Original maintainer:
Ubuntu Developers
Architectures:
any all
Section:
web
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section
Cosmic release on 2018-05-23 main web

Downloads

File Size SHA-256 Checksum
apache2_2.4.33.orig.tar.bz2 6.6 MiB de02511859b00d17845b9abdd1f975d5ccb5d0b280c567da5bf2ad4b70846f05
apache2_2.4.33-3ubuntu2.debian.tar.xz 782.2 KiB d1da52ea3bcf5c8b06eea8bd34fe488f7e65d7ac5b019a95ddfee549c08d1d90
apache2_2.4.33-3ubuntu2.dsc 3.1 KiB 8c0e1888f4ffbb261e791368bbf710a33d89607305838910a733304ad4cfb979

View changes file

Binary packages built by this source

apache2: Apache HTTP Server

 The Apache HTTP Server Project's goal is to build a secure, efficient and
 extensible HTTP server as standards-compliant open source software. The
 result has long been the number one web server on the Internet.
 .
 Installing this package results in a full installation, including the
 configuration files, init scripts and support scripts.

apache2-bin: Apache HTTP Server (modules and other binary files)

 The Apache HTTP Server Project's goal is to build a secure, efficient and
 extensible HTTP server as standards-compliant open source software. The
 result has long been the number one web server on the Internet.
 .
 This package contains the binaries only and does not set up a working
 web-server instance. Install the "apache2" package to get a fully working
 instance.

apache2-data: Apache HTTP Server (common files)

 The Apache HTTP Server Project's goal is to build a secure, efficient and
 extensible HTTP server as standards-compliant open source software. The
 result has long been the number one web server on the Internet.
 .
 This package contains architecture-independent common files such as icons,
 error pages and static index files.

apache2-dbg: Apache debugging symbols

 The Apache HTTP Server Project's goal is to build a secure, efficient and
 extensible HTTP server as standards-compliant open source software. The
 result has long been the number one web server on the Internet.
 .
 This package includes the debugging symbols. It can be used to debug
 crashing server instances and modules. See
 /usr/share/doc/apache2/README.backtrace for more information.

apache2-dev: Apache HTTP Server (development headers)

 The Apache HTTP Server Project's goal is to build a secure, efficient and
 extensible HTTP server as standards-compliant open source software. The
 result has long been the number one web server on the Internet.
 .
 This package provides development headers and the apxs2 binary for the Apache
 2 HTTP server, useful to develop and link third party additions to the Debian
 Apache HTTP server package.
 .
 It also provides dh_apache2 and dh sequence addons useful to install various
 Debian Apache2 extensions with debhelper. It supports
  - Apache 2 module configurations and shared objects
  - Site configuration files
  - Global configuration files

apache2-doc: Apache HTTP Server (on-site documentation)

 The Apache HTTP Server Project's goal is to build a secure, efficient and
 extensible HTTP server as standards-compliant open source software. The
 result has long been the number one web server on the Internet.
 .
 This package provides the documentation for the Apache 2 HTTP server. The
 documentation is shipped in HTML format and can be accessed from a local
 running Apache HTTP server instance or by browsing the file system directly.

apache2-ssl-dev: Apache HTTP Server (mod_ssl development headers)

 The Apache HTTP Server Project's goal is to build a secure, efficient and
 extensible HTTP server as standards-compliant open source software. The
 result has long been the number one web server on the Internet.
 .
 This package provides the development header and the dependencies for
 modules that interact with mod_ssl's internal openssl state.

apache2-suexec-custom: Apache HTTP Server configurable suexec program for mod_suexec

 Provides a customizable version of the suexec helper program for mod_suexec.
 This is not the version from upstream, but can be configured with a
 configuration file.
 .
 If you do not need non-standard document root or userdir settings, it is
 recommended that you use the standard suexec helper program from the
 apache2-suexec-pristine package instead.

apache2-suexec-pristine: Apache HTTP Server standard suexec program for mod_suexec

 Provides the standard suexec helper program for mod_suexec. This version is
 compiled with document root /var/www and userdir suffix public_html. If you
 need different settings, use the package apache2-suexec-custom.

apache2-utils: Apache HTTP Server (utility programs for web servers)

 Provides some add-on programs useful for any web server. These include:
  - ab (Apache benchmark tool)
  - fcgistarter (Start a FastCGI program)
  - logresolve (Resolve IP addresses to hostnames in logfiles)
  - htpasswd (Manipulate basic authentication files)
  - htdigest (Manipulate digest authentication files)
  - htdbm (Manipulate basic authentication files in DBM format, using APR)
  - htcacheclean (Clean up the disk cache)
  - rotatelogs (Periodically stop writing to a logfile and open a new one)
  - split-logfile (Split a single log including multiple vhosts)
  - checkgid (Checks whether the caller can setgid to the specified group)
  - check_forensic (Extract mod_log_forensic output from Apache log files)
  - httxt2dbm (Generate dbm files for use with RewriteMap)