Change logs for apache2 source package in Cosmic

  • apache2 (2.4.34-1ubuntu2.3) cosmic; urgency=medium
    
      * d/p/ssl-read-rc-value-openssl-1.1.1.patch: Handle SSL_read() return code 0
        similarly to <0 with openssl 1.1.1
      * d/p/clear-retry-flags-before-abort.patch: clear retry flags before
        aborting on client-initiated reneg (LP: #1836329)
    
     -- Andreas Hasenack <email address hidden>  Tue, 16 Jul 2019 17:27:06 -0300
  • apache2 (2.4.34-1ubuntu2.2) cosmic; urgency=medium
    
      * d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
        authentication when built with openssl 1.1.1 (LP: #1833039)
    
     -- Andreas Hasenack <email address hidden>  Fri, 28 Jun 2019 17:41:48 -0300
  • apache2 (2.4.34-1ubuntu2.1) cosmic-security; urgency=medium
    
      * SECURITY UPDATE: slowloris DoS in mod_http2
        - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
          slave connections in modules/http2/h2_conn.c.
        - CVE-2018-17189
      * SECURITY UPDATE: mod_session expiry time issue
        - debian/patches/CVE-2018-17199.patch: always decode session attributes
          early in modules/session/mod_session.c.
        - CVE-2018-17199
      * SECURITY UPDATE: read-after-free on a string compare in mod_http2
        - debian/patches/CVE-2019-0196.patch: disentanglement of stream and
          request method in modules/http2/h2_request.c.
        - CVE-2019-0196
      * SECURITY UPDATE: privilege escalation from modules' scripts
        - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
          child to its slot number in include/scoreboard.h,
          server/mpm/event/event.c, server/mpm/prefork/prefork.c,
          server/mpm/worker/worker.c.
        - CVE-2019-0211
      * SECURITY UPDATE: mod_auth_digest access control bypass
        - debian/patches/CVE-2019-0217.patch: fix a race condition in
          modules/aaa/mod_auth_digest.c.
        - CVE-2019-0217
      * SECURITY UPDATE: URL normalization inconsistency
        - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
          the path in include/http_core.h, include/httpd.h, server/core.c,
          server/request.c, server/util.c.
        - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
          in server/request.c, server/util.c.
        - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
          server/util.c.
        - CVE-2019-0220
    
     -- Marc Deslauriers <email address hidden>  Wed, 03 Apr 2019 08:50:09 -0400
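The entries above give, per upload, the CVEs each version addresses, which is the data a practitioner needs to answer "does my installed apache2 already carry the fix for CVE-2019-0211?". The following is an added example, not code from the changelog or from the apache2 package: it parses the changelog entry format into a CVE-to-version table and compares an installed version string against it using dpkg's ordering rules (epoch, then upstream version, then Debian revision; a `~` sorts before the empty string and digit runs are compared numerically, so 2.4.34-1ubuntu2.1 sorts after 2.4.34-1ubuntu2, which sorts after 2.4.34-1ubuntu2~ppa1). The sample changelog text is a constructed abridgement of two entries on this page. The table treats the lowest version whose entry names a CVE as the fixing version; that holds for the SECURITY UPDATE entries but not for the "Drop:" list of 2.4.33-3ubuntu1 further down, where CVEs are named because the Ubuntu patches became redundant after the upstream release, so feed it security entries only.

```python
"""Map CVE ids in a Debian/Ubuntu changelog to the first version naming them
and check an installed version against that table with dpkg's version order.
Added example; not part of the changelog or the apache2 package."""
import re

# Constructed sample: two entries abridged from the changelog on this page.
SAMPLE_CHANGELOG = """\
apache2 (2.4.34-1ubuntu2.1) cosmic-security; urgency=medium

  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - CVE-2019-0217

 -- Marc Deslauriers <email address hidden>  Wed, 03 Apr 2019 08:50:09 -0400

apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium

  * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
    - CVE-2018-11763

 -- Marc Deslauriers <email address hidden>  Wed, 03 Oct 2018 09:57:22 -0400
"""

HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) \S+; urgency=")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _order(c: str) -> int:
    """dpkg's weight for a character inside a non-digit run."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's comparison of one component (upstream version or revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights; an exhausted side counts
        # as weight 0, so '~' (weight -1) sorts below the end of the string.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _order(a[i]) if i < len(a) else 0
            ob = _order(b[j]) if j < len(b) else 0
            if oa != ob:
                return oa - ob
            i += 1
            j += 1
        # Digit run: strip leading zeros, the longer run wins, otherwise the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 sorts before, equal to, or after v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def fixed_in(changelog: str) -> dict:
    """CVE id -> lowest version whose changelog entry names it."""
    table, version = {}, None
    for line in changelog.splitlines():
        m = HEADER_RE.match(line)
        if m:
            version = m.group(2)
            continue
        if version is None:
            continue
        for cve in CVE_RE.findall(line):
            if cve not in table or compare_versions(version, table[cve]) < 0:
                table[cve] = version
    return table


def is_fixed(installed: str, cve: str, table: dict) -> bool:
    """True when the installed version is at or above the fixing version."""
    return compare_versions(installed, table[cve]) >= 0


if __name__ == "__main__":
    table = fixed_in(SAMPLE_CHANGELOG)
    for cve in sorted(table):
        print(cve, "fixed in", table[cve], "- present in 2.4.34-1ubuntu2:",
              is_fixed("2.4.34-1ubuntu2", cve, table))
```

On a real host the installed version comes from `dpkg-query -W -f='${Version}' apache2`, and the full changelog from `/usr/share/doc/apache2/changelog.Debian.gz`; the comparison logic is the same.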
  • apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium
    
      * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
        - debian/patches/CVE-2018-11763.patch: rework connection IO event
          handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
          modules/http2/h2_version.h.
        - CVE-2018-11763
    
     -- Marc Deslauriers <email address hidden>  Wed, 03 Oct 2018 09:57:22 -0400
  • apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - debian/{control, apache2.install, apache2-utils.ufw.profile,
          apache2.dirs}: Add ufw profiles.
        - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
        - debian/patches/086_svn_cross_compiles: Backport several cross
          fixes from upstream
        - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
          Debian with Ubuntu on default page.
          + d/source/include-binaries: add Ubuntu icon file
        - d/t/control, d/t/check-http2: add basic test for http2 support
        - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
          libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
          cannot be coinstalled with libcurl3. That situation breaks the
          installation of libapache2-mod-shib2.  See
          https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
          for details.
    
    apache2 (2.4.34-1) unstable; urgency=medium
    
      [ Ondřej Surý ]
      * New upstream version 2.4.34
        Security fixes:
        - CVE-2018-1333: Denial of service in mod_http2. Closes: #904106
        - CVE-2018-8011: Denial of service in mod_md. Closes: #904107
      * Refresh patches for Apache2 2.4.34 release
      * Update the suexec-custom.patch for 2.4.34 release
    
      [ Stefan Fritsch ]
      * Remove load order dependency introduced in mod_lbmethod_* in 2.4.34
      * Remove debian/gbp.conf. Closes: #904641
      * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
        Closes: #904150
    
     -- Andreas Hasenack <email address hidden>  Fri, 03 Aug 2018 17:09:27 -0300
  • apache2 (2.4.33-3ubuntu3) cosmic; urgency=medium
    
      * d/control, d/rules, d/config-dir/mods-available/proxy_uwsgi.load:
        re-enable proxy_uwsgi, as the uwsgi source no longer builds this module.
    
     -- Andreas Hasenack <email address hidden>  Thu, 28 Jun 2018 10:07:06 -0300
  • apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
    
      * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
        libapache2-mod-md until we figure out their transitions.  libapache2-mod-md
        in particular is problematic because that makes apache2-bin pull in
        libcurl4 which cannot be coinstalled with libcurl3.  That situation breaks
        the installation of libapache2-mod-shib2.  See
        https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
        for details.
        - Don't ship md.load and remove build-requires that were added because of
          mod-md (see
          https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
        - Remove proxy_uwsgi.load as we are not building it for now (see
          https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
    
     -- Andreas Hasenack <email address hidden>  Thu, 17 May 2018 14:46:19 +0000
  • apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
    
      * Merge with Debian unstable (LP: #1770242). Remaining changes:
        - debian/{control, apache2.install, apache2-utils.ufw.profile,
          apache2.dirs}: Add ufw profiles.
        - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
        - debian/patches/086_svn_cross_compiles: Backport several cross
          fixes from upstream
        - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
          Debian with Ubuntu on default page.
          + d/source/include-binaries: add Ubuntu icon file
        - d/t/control, d/t/check-http2: add basic test for http2 support
      * Drop:
        - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
          + debian/patches/CVE-2017-15710.patch: fix language long names
            detection as short name in modules/aaa/mod_authnz_ldap.c.
          + CVE-2017-15710
        - SECURITY UPDATE: incorrect <FilesMatch> matching
          + debian/patches/CVE-2017-15715.patch: allow to configure
            global/default options for regexes, like caseless matching or
            extended format in include/ap_regex.h, server/core.c,
            server/util_pcre.c.
          + CVE-2017-15715
        - SECURITY UPDATE: mod_session header manipulation
          + debian/patches/CVE-2018-1283.patch: strip Session header when
            SessionEnv is on in modules/session/mod_session.c.
          + CVE-2018-1283
        - SECURITY UPDATE: DoS via specially-crafted request
          + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
            terminated on any error, not only on buffer full in
            server/protocol.c.
          + CVE-2018-1301
        - SECURITY UPDATE: mod_cache_socache DoS
          + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
            to carriage return in modules/cache/mod_cache_socache.c.
          + CVE-2018-1303
        - SECURITY UPDATE: insecure nonce generation
          + debian/patches/CVE-2018-1312.patch: actually use the secret when
            generating nonces in modules/aaa/mod_auth_digest.c.
          + CVE-2018-1312
        - Correct systemd-sysv-generator behavior by customizing some
          parameters:
          + d/apache2-systemd.conf: add a drop-in file to specify some
            parameters for the systemd unit (type=Forking and
            RemainsAfterExit=no), this allows a correct state synchronisation
            between systemctl status and actual state of apache2 daemon.
          + d/apache2.install: place the apache2-systemd.conf file in the
            correct location.
          [type=Forking already in the base systemd service file, and
           RemainsAfterExit=no is the default value, so no need to
           customize these anymore.]
        - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
          + added debian/patches/util_ldap_cache_lock_fix.patch
          [Already applied upstream]
    
    apache2 (2.4.33-3) unstable; urgency=medium
    
      * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
        Closes: #894785
      * mod_http2: Avoid high memory usage with large files, causing crashes on
        32bit archs. Closes: #897218
      * Migrate from alioth to salsa.
    
    apache2 (2.4.33-2) unstable; urgency=medium
    
      * Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi
        and libapache2-mod-md.
        Closes: #894760, #894761, #894785
    
    apache2 (2.4.33-1) unstable; urgency=medium
    
      * New upstream version.
        Security fixes:
        - CVE-2017-15710
          Out-of-bounds write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
        - CVE-2018-1283
          mod_session: CGI-like applications that intend to read from mod_session's
          'SessionEnv ON' could be fooled into reading user-supplied data instead.
        - CVE-2018-1303
          mod_cache_socache: Fix request headers parsing to avoid a possible crash
          with specially crafted input data.
        - CVE-2018-1301
          core: Possible crash with excessively long HTTP request headers.
          Impractical to exploit with a production build and production LogLevel.
        - CVE-2017-15715
          core: Configure the regular expression engine to match '$' to the end of
          the input string only, excluding matching the end of any embedded
          newline characters. Behavior can be changed with new directive
          'RegexDefaultOptions'.
        - CVE-2018-1312
          mod_auth_digest: Fix generation of nonce values to prevent replay
          attacks across servers using a common Digest domain. This change
          may cause problems if used with round robin load balancers. PR 54637
        - CVE-2018-1302
          mod_http2: Potential crash w/ mod_http2.
    
        - mod_proxy_uwsgi: New UWSGI proxy submodule.
        - mod_md: New experimental module for managing domains across virtual
          hosts, implementing the Let's Encrypt ACMEv1 protocol to sign up and
          renew certificates.
        - core: silently ignore a non-existent file path when IncludeOptional
          is used. Closes: #878920
        - mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980
    
      * Fix lintian warnings:
        - Include SupportApache-small.png in apache2-doc package instead of
          linking to apache.org, to avoid privacy issues.
        - Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
        - Remove deprecated use of autotools_dev with dh.
        - Add some overrides
      * Bump standards-version to 4.1.2 (no changes)
    
    apache2 (2.4.29-2) unstable; urgency=medium
    
      * Add myself to Uploaders
      * Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
      * Run wrap-and-sort -a to canonicalize the debian/ directory
      * Add Build-Depends on libbrotli-dev and enable brotli module
    
     -- Andreas Hasenack <email address hidden>  Tue, 15 May 2018 11:03:34 -0300
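The CVE-2017-15715 item above describes the fix as making `$` match the end of the input only. The anchoring rule it refers to is easy to see outside httpd: Python's `re` and PCRE without DOLLAR_ENDONLY both let `$` match just before a final newline, so a pattern written as `\.php$` also matches a name ending in a newline character, and a deny rule and a handler rule that both use `$` can disagree about the same filename. The block below is an added example, not code from the changelog or from httpd; the file names and the allow-list pattern are constructed, and the post-fix behaviour is emulated by rewriting a trailing `$` to `\Z` (the real server-side knob is the RegexDefaultOptions directive named above, which is not emulated here).

```python
"""Why '$' is not 'end of string': the regex anchoring behind CVE-2017-15715.
Added example, not code from the changelog or from httpd."""
import re

# Constructed inputs: a normal upload name and one carrying a trailing newline.
CLEAN_NAME = "avatar.jpg"
NEWLINE_NAME = "avatar.jpg\n"
# Constructed allow-list pattern in the style of a <FilesMatch> argument.
IMAGE_PATTERN = r"\.(?:jpe?g|png|gif)$"


def _dollar_end_only(pattern: str) -> str:
    """Rewrite an unescaped trailing '$' so it anchors only at the true end,
    standing in for PCRE's DOLLAR_ENDONLY option."""
    if pattern.endswith("$") and not pattern.endswith(r"\$"):
        return pattern[:-1] + r"\Z"
    return pattern


def matches_default(pattern: str, name: str) -> bool:
    """Pre-fix semantics: '$' also matches just before a final newline."""
    return re.search(pattern, name) is not None


def matches_end_only(pattern: str, name: str) -> bool:
    """Post-fix semantics: '$' matches at the end of the input only."""
    return re.search(_dollar_end_only(pattern), name) is not None


def disagreements(pattern: str, names) -> list:
    """Names the two semantics classify differently; these are the inputs on
    which two directives written with '$' can reach opposite decisions."""
    return [n for n in names
            if matches_default(pattern, n) != matches_end_only(pattern, n)]


if __name__ == "__main__":
    for name in (CLEAN_NAME, NEWLINE_NAME):
        print(repr(name), "default:", matches_default(IMAGE_PATTERN, name),
              "end-only:", matches_end_only(IMAGE_PATTERN, name))
    print("disagree:", disagreements(IMAGE_PATTERN, [CLEAN_NAME, NEWLINE_NAME, "notes.txt"]))
```

The practical check is the `disagreements` list: any filename it returns is one that a pre-fix server would classify differently from the intent of the pattern author, and the trailing-newline case is the one the changelog entry is about.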
  • apache2 (2.4.29-1ubuntu4.1) bionic-security; urgency=medium
    
      * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
        - debian/patches/CVE-2017-15710.patch: fix language long names
          detection as short name in modules/aaa/mod_authnz_ldap.c.
        - CVE-2017-15710
      * SECURITY UPDATE: incorrect <FilesMatch> matching
        - debian/patches/CVE-2017-15715.patch: allow to configure
          global/default options for regexes, like caseless matching or
          extended format in include/ap_regex.h, server/core.c,
          server/util_pcre.c.
        - CVE-2017-15715
      * SECURITY UPDATE: mod_session header manipulation
        - debian/patches/CVE-2018-1283.patch: strip Session header when
          SessionEnv is on in modules/session/mod_session.c.
        - CVE-2018-1283
      * SECURITY UPDATE: DoS via specially-crafted request
        - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
          terminated on any error, not only on buffer full in
          server/protocol.c.
        - CVE-2018-1301
      * SECURITY UPDATE: mod_cache_socache DoS
        - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
          to carriage return in modules/cache/mod_cache_socache.c.
        - CVE-2018-1303
      * SECURITY UPDATE: insecure nonce generation
        - debian/patches/CVE-2018-1312.patch: actually use the secret when
          generating nonces in modules/aaa/mod_auth_digest.c.
        - CVE-2018-1312
    
     -- Marc Deslauriers <email address hidden>  Wed, 25 Apr 2018 07:38:24 -0400
  • apache2 (2.4.29-1ubuntu4) bionic; urgency=medium
    
      * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
        - added debian/patches/util_ldap_cache_lock_fix.patch
    
     -- Rafael David Tinoco <email address hidden>  Fri, 02 Mar 2018 02:19:31 +0000