Change log for modsecurity-apache package in Ubuntu

modsecurity-apache (2.9.7-1build3) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <email address hidden>  Sun, 31 Mar 2024 20:08:03 +0000

Available diffs

• diff from 2.9.7-1build2 to 2.9.7-1build3 (337 bytes)

modsecurity-apache (2.9.7-1build2) noble; urgency=high

  * No change rebuild against libcurl3t64-gnutls.

 -- Julian Andres Klode <email address hidden>  Fri, 22 Mar 2024 18:18:11 +0100

Available diffs

• diff from 2.9.7-1 (in Debian) to 2.9.7-1build2 (673 bytes)
• diff from 2.9.7-1build1 to 2.9.7-1build2 (633 bytes)

modsecurity-apache (2.9.7-1build1) noble; urgency=medium

  * No-change rebuild against libaprutil t64.

 -- Matthias Klose <email address hidden>  Fri, 15 Mar 2024 22:27:39 +0100

Available diffs

• diff from 2.9.7-1 (in Debian) to 2.9.7-1build1 (331 bytes)

modsecurity-apache (2.9.3-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2021-42717.patch: added support for configurable
      limit on depth of JSON parsing.
  * SECURITY UPDATE: firewall failure
    - debian/patches/CVE-2022-48279.patch: fixed HTTP multipart parsing
      and added and new MULTIPART_PART_HEADERS collection.
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2023-24021.patch: fixed incomplete content in
      FILES_TMP_CONTENT.

 -- Allen Huang <email address hidden>  Wed, 13 Sep 2023 12:12:51 +0100

Available diffs

• diff from 2.9.3-1 (in Debian) to 2.9.3-1ubuntu0.1 (7.3 KiB)

modsecurity-apache (2.9.7-1) unstable; urgency=medium

  * New upstream version 2.9.7
  * Fixes CVE-2022-48279
  * Switched from old PCRE to PCRE2
    https://lists.debian.org/debian-devel/2021/11/msg00176.html
  * Bumped minimum version of libxml2-dev

 -- Ervin Hegedüs <email address hidden>  Mon, 23 Jan 2023 11:39:50 +0100

Available diffs

• diff from 2.9.6-1 to 2.9.7-1 (17.9 KiB)

modsecurity-apache (2.9.6-1) unstable; urgency=medium

  * New upstream version 2.9.6
  * Bump Standards-Version to 4.6.1

 -- Ervin Hegedus <email address hidden>  Fri, 09 Sep 2022 09:09:04 +0200

Available diffs

• diff from 2.9.5-1 to 2.9.6-1 (9.2 KiB)

modsecurity-apache (2.9.5-1) unstable; urgency=medium

  [ Ervin Hegedüs ]
  * New upstream version 2.9.5
  * Fixes CVE-2021-2021-42727
  * Removed d/patches/970833_fix.patch; upstream contains it
  * Added Ervin Hegedus <email address hidden> to Uploaders in d/control
  * Changed Homepage field in d/changelog
  * Added Vcs-Browser to d/changelog
  * Bump Standards-Versio to 4.6.0
  * Bump compat to 13
  * Aligned d/watch - old URI is no longer available

 -- Ervin Hegedus <email address hidden>  Tue, 23 Nov 2021 13:25:57 +0100

Available diffs

• diff from 2.9.3-3 to 2.9.5-1 (16.2 KiB)

modsecurity-apache (2.9.3-3) unstable; urgency=medium

  * Add upstream patch to fix Segfault when using SecRemoteRules.
    (Closes: #970833)

 -- Alberto Gonzalez Iniesta <email address hidden>  Thu, 10 Dec 2020 19:14:15 +0100

Available diffs

• diff from 2.9.3-2 to 2.9.3-3 (1.2 KiB)

modsecurity-apache (2.9.3-2) unstable; urgency=medium

  * Added `--enable-pcre-jit` option to configure script

 -- Ervin Hegedus <email address hidden>  Sun, 17 May 2020 19:47:56 +0000

Available diffs

• diff from 2.9.3-1 to 2.9.3-2 (585 bytes)

modsecurity-apache (2.9.3-1) unstable; urgency=medium

  * New upstream release.
  * Bumped to debhelper compatibility level 11, removed build-dep on
    dh-autoreconf.
  * Bumped Standards-Version to 4.2.1

 -- Alberto Gonzalez Iniesta <email address hidden>  Mon, 10 Dec 2018 20:21:48 +0100

Available diffs

• diff from 2.9.2-2 to 2.9.3-1 (60.6 KiB)

modsecurity-apache (2.9.2-2) unstable; urgency=medium

  * Change CRS IncludeOptional to wildcard to get the desired behaviour (not
    failing when CRS not present). Thanks Walter Kleynscheldt for pointing
    this out. (Closes: #874542)

 -- Alberto Gonzalez Iniesta <email address hidden>  Mon, 17 Sep 2018 09:11:12 +0200

Available diffs

• diff from 2.9.2-1 to 2.9.2-2 (576 bytes)

modsecurity-apache (2.9.2-1) unstable; urgency=medium

  * New upstream release. Remove logging patch.
  * Removed no longer needed libapache2-modsecurity transitional package.

 -- Alberto Gonzalez Iniesta <email address hidden>  Wed, 11 Oct 2017 12:53:50 +0200

Available diffs

• diff from 2.9.1-3 to 2.9.2-1 (447.3 KiB)

modsecurity-apache (2.9.1-3) unstable; urgency=medium

  * Apply upstream (#1216) patch to fix errors on logging.

 -- Alberto Gonzalez Iniesta <email address hidden>  Thu, 29 Jun 2017 11:19:57 +0200

Available diffs

• diff from 2.9.1-2 to 2.9.1-3 (945 bytes)

modsecurity-apache (2.9.1-2) unstable; urgency=medium

  * security2.load: Remove no longer needed load of libxml2.so.2
  * improve_defaults.patch: Increase PCRE limits, reorder SecAuditLogParts
    Thanks Christian Folini for the suggestions!
  * Add IncludeOptional directive for modsecurity-crs package.

 -- Alberto Gonzalez Iniesta <email address hidden>  Tue, 20 Dec 2016 17:14:15 +0100

Available diffs

• diff from 2.9.1-1 to 2.9.1-2 (1.2 KiB)

modsecurity-apache (2.9.1-1) unstable; urgency=medium

  * New upstream release.

 -- Alberto Gonzalez Iniesta <email address hidden>  Mon, 19 Sep 2016 19:04:01 +0200

Available diffs

• diff from 2.9.0-1 to 2.9.1-1 (28.5 KiB)

modsecurity-apache (2.9.0-1) unstable; urgency=medium

  * New upstream release. (Closes: #790116)
  * Removed mlogc_TLS1.2.patch, not needed anymore.
  * Remove old (no longer applied) patches from debian/patches

 -- Alberto Gonzalez Iniesta <email address hidden>  Tue, 07 Jul 2015 12:26:36 +0200

Available diffs

• diff from 2.8.0-4 to 2.9.0-1 (348.4 KiB)

modsecurity-apache (2.8.0-4) unstable; urgency=medium


  * Apply upstream patch to make mlogc use TLS 1.2 instead of SSL v3.
  * Add support for JSON. (Closes: #765605)

 -- Alberto Gonzalez Iniesta <email address hidden>  Tue, 04 Nov 2014 12:54:04 +0100

Available diffs

• diff from 2.8.0-3 to 2.8.0-4 (1.4 KiB)

modsecurity-apache (2.8.0-3) unstable; urgency=medium


  * Add explicit Build-Dep on libpcre3-dev since libaprutil1-dev no longer
    does. (Closes: #765122)
  * Add pkg-config to Build-Dep so that lua support is picked up correctly.

 -- Alberto Gonzalez Iniesta <email address hidden>  Mon, 13 Oct 2014 20:19:23 +0200

Available diffs

• diff from 2.8.0-1 to 2.8.0-3 (1.2 KiB)

modsecurity-apache (2.8.0-1) unstable; urgency=medium


  * New upstream version

 -- Alberto Gonzalez Iniesta <email address hidden>  Mon, 21 Apr 2014 18:35:38 +0200

Available diffs

• diff from 2.7.7-2 to 2.8.0-1 (146.7 KiB)

modsecurity-apache (2.7.7-2) unstable; urgency=medium


  * Use dh-autoreconf to fix FTBFS on ppc64el. (Closes: #734573)
    Thanks Logan Rosen for the patch.

 -- Alberto Gonzalez Iniesta <email address hidden>  Wed, 15 Jan 2014 10:18:58 +0100

Available diffs

• diff from 2.7.7-1ubuntu1 (in Ubuntu) to 2.7.7-2 (692 bytes)

modsecurity-apache (2.7.7-1ubuntu1) trusty; urgency=medium

  * Use dh-autoreconf to get new libtool macros for ppc64el.
 -- Logan Rosen <email address hidden>   Sat, 04 Jan 2014 20:17:37 -0500

Available diffs

• diff from 2.7.7-1 (in Debian) to 2.7.7-1ubuntu1 (962 bytes)

modsecurity-apache (2.7.7-1) unstable; urgency=low


  * New upstream version
  * Bumped Standards-Version to 3.9.5
  * Renamed binary package so that it follows naming standards

 -- Alberto Gonzalez Iniesta <email address hidden>  Thu, 19 Dec 2013 17:09:28 +0100

Available diffs

• diff from 2.7.5-1 to 2.7.7-1 (406.2 KiB)

modsecurity-apache (2.7.5-1) unstable; urgency=low


  * New upstream version

 -- Alberto Gonzalez Iniesta <email address hidden>  Fri, 11 Oct 2013 11:24:43 +0200

Available diffs

• diff from 2.7.4-1 to 2.7.5-1 (77.2 KiB)

modsecurity-apache (2.7.4-1) unstable; urgency=low


  * New upstream version.
  * Remove doc-base since doc files were removed upstream.

 -- Alberto Gonzalez Iniesta <email address hidden>  Mon, 01 Jul 2013 17:14:29 +0200

Available diffs

• diff from 2.6.6-6 to 2.7.4-1 (404.4 KiB)
• diff from 2.6.6-9 to 2.7.4-1 (402.5 KiB)

modsecurity-apache (2.6.6-9) unstable; urgency=high


  * Applied upstream patch to fix NULL pointer dereference.
    CVE-2013-2765. (Closes: #710217)

 -- Alberto Gonzalez Iniesta <email address hidden>  Tue, 04 Jun 2013 09:34:41 +0200

Available diffs

• diff from 2.6.6-8 to 2.6.6-9 (769 bytes)

modsecurity-apache (2.6.6-8) unstable; urgency=low


  * Upload to unstable.

 -- Alberto Gonzalez Iniesta <email address hidden>  Tue, 28 May 2013 18:20:39 +0200

modsecurity-apache (2.6.6-6) unstable; urgency=high


  * Applied upstream patch to fix XXE attacks. CVE-2013-1915
    Thanks Thomas Goirand for backporting the patch.
    (Closes: #704625)
    Adds new SecXmlExternalEntity option which by default (Off) disables
    the external entity load task executed by libxml2.

 -- Alberto Gonzalez Iniesta <email address hidden>  Sat, 06 Apr 2013 11:09:12 +0200

Available diffs

• diff from 2.6.6-5 to 2.6.6-6 (1.9 KiB)

modsecurity-apache (2.6.6-5) unstable; urgency=high


  * Applied upstream patch to fix multipart/invalid part
    ruleset bypass. CVE-2012-4528. (Closes: #691146)

 -- Alberto Gonzalez Iniesta <email address hidden>  Mon, 22 Oct 2012 16:23:19 +0200

Available diffs

• diff from 2.6.6-3 to 2.6.6-5 (2.1 KiB)

modsecurity-apache (2.6.3-1ubuntu0.2) precise-proposed; urgency=low

  * debian/mod-security.load: revert previous change, since an alternate
    solution has been agreed in the bug.
  * debian/mod-security.load: drop LoadFile directive entirely, and rely on
    the loader to resolve all required dependencies. This avoids the
    hardcoded path which fails on multiarch-enabled systems (LP: #988819).

Available diffs

• diff from 2.6.3-1ubuntu0.1 to 2.6.3-1ubuntu0.2 (597 bytes)

modsecurity-apache (2.6.6-3) unstable; urgency=low


  * Relicense debian/* files to ASLv2 to avoid conflicts with upstream
    license.

 -- Alberto Gonzalez Iniesta <email address hidden>  Thu, 12 Jul 2012 13:05:20 +0200

Available diffs

• diff from 2.6.6-2 to 2.6.6-3 (998 bytes)

modsecurity-apache (2.6.6-2) unstable; urgency=low


  * Updated debian/copyright with right license.

 -- Alberto Gonzalez Iniesta <email address hidden>  Mon, 02 Jul 2012 17:23:08 +0200

Available diffs

• diff from 2.6.6-1 to 2.6.6-2 (3.2 KiB)

modsecurity-apache (2.6.6-1) unstable; urgency=low


  * New upstream release.
  * Remove patches/fix_non_linux.patch. Applied upstream.
  * debian/rules: cleanup.
  * Add hardening flags to build process.

 -- Alberto Gonzalez Iniesta <email address hidden>  Fri, 15 Jun 2012 12:34:20 +0200

Available diffs

• diff from 2.6.5-2 to 2.6.6-1 (31.4 KiB)

modsecurity-apache (2.6.3-1ubuntu0.1) precise-proposed; urgency=low

  * debian/mod-security.load: remove libxml2.so.2 path, since with
    multiarch it is always incorrect on i386 and amd64. Use no path and
    a corresponding apache2 change to use the standard dlopen search
    path in this case to allow the library to be found (LP: #988819).
 -- Robie Basak <email address hidden>   Fri, 08 Jun 2012 15:40:04 +0100

Available diffs

• diff from 2.6.3-1 (in Debian) to 2.6.3-1ubuntu0.1 (866 bytes)

modsecurity-apache (2.6.5-2) unstable; urgency=low


  * mod-security.load: removed /usr/lib/ from libxml2's LoadFile path.
    (Closes: #670247)
  * README.Debian: Fix name of example configuration file. 
    (Closes: #668938, #659858)
  * debian/control: Remove mention to modsecurity-common.
    (Closes: #662862)

 -- Alberto Gonzalez Iniesta <email address hidden>  Thu, 03 May 2012 17:36:01 +0200

Available diffs

• diff from 2.6.5-1 to 2.6.5-2 (1.1 KiB)

modsecurity-apache (2.6.5-1) unstable; urgency=low


  * New upstream release

 -- Alberto Gonzalez Iniesta <email address hidden>  Tue, 20 Mar 2012 20:05:09 +0100

Available diffs

• diff from 2.6.3-1 to 2.6.5-1 (34.1 KiB)

modsecurity-apache (2.6.3-1) unstable; urgency=low


  * New upstream release
  * Include mlogc (still missing manpage). (Closes: #645875)
  * postinst: changed force-reload to restart to avoid apache from segfaulting
    when upgrading modsecurity module (Closes: #574376)

 -- Alberto Gonzalez Iniesta <email address hidden>  Wed, 28 Dec 2011 16:51:11 +0100

Available diffs

• diff from 2.6.0-1 (in Ubuntu) to 2.6.3-1 (491.4 KiB)

modsecurity-apache (2.6.0-1) unstable; urgency=low

  * New upstream release (Closes: #627858, #607763)
  * Bumped Standards-Version to 3.9.2
 -- Ubuntu Archive Auto-Sync <email address hidden>   Thu,  16 Jun 2011 22:57:36 +0000

Available diffs

• diff from 2.5.13-1 to 2.6.0-1 (2.0 MiB)

modsecurity-apache (2.5.13-1) unstable; urgency=low

  * The "Rename the whole thing" release
    Move to libapache2- for the binary package to match the rest of
    Apache 2.x modules.
    Rename the source package to its current name, modsecurity-apache,
    since the former source name came from very old versions (1.x).
    Also allowing the future modsecurity-crs to have a more related source
    name.  (Closes: #516540)
  * Merge documentation in libapache2-modsecurity temporarily.
    mod-security-common is going away. modsecurity-crs will soon come.
  * New upstream release
  * debian/control:
    - Added Homepage field
    - Bumped Standards-Version to 3.9.1
  * Added watch file