apache2 (2.4.18-2ubuntu3.18) xenial; urgency=medium
* d/apache2ctl: Use systemd for start and graceful if in use.
(LP: #1832182)
* d/apache2.install: List confdir contents explicitly. Avoids
installing *.in templates.
(LP: #1899611)
-- Bryce Harrington <email address hidden> Fri, 13 Nov 2020 01:36:15 +0000
apache2 (2.4.18-2ubuntu3.17) xenial-security; urgency=medium
* SECURITY UPDATE: mod_rewrite redirect issue
- debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
in include/ap_regex.h, server/core.c, server/util_pcre.c.
- debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
opt-out of pcre defaults in include/ap_regex.h,
modules/filters/mod_substitute.c, server/util_pcre.c,
server/util_regex.c.
- CVE-2020-1927
* SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
- debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
modules/proxy/mod_proxy_ftp.c.
- CVE-2020-1934
-- Marc Deslauriers <email address hidden> Wed, 12 Aug 2020 17:35:50 -0400
apache2 (2.4.18-2ubuntu3.16) xenial; urgency=medium
* On Linux, use pthread mutexes. On kfreebsd/hurd, continue using
fcntl because they lack robust pthread mutexes.
(LP: #1565744)
-- Bryce Harrington <email address hidden> Thu, 16 Jul 2020 00:20:55 +0000
apache2 (2.4.18-2ubuntu3.15) xenial; urgency=medium
* d/p/lp-1875299-Merge-r1688399-from-trunk.patch: use r_useragent_addr as
the root trusted address (LP: #1875299)
-- Christian Ehrhardt <email address hidden> Mon, 15 Jun 2020 16:09:55 +0200
apache2 (2.4.18-2ubuntu3.14) xenial; urgency=medium
* Backport mod_reqtimeout with handshake support (LP: #1846138)
- d/p/0001-mod-reqtimeout-revent-long-response-times.patch
- d/p/0002-mod_reqtimeout-fix-body-timeout-disabling-for-CONNECT-request.patch
- d/p/0003-mod_reqtimeout-Merge-r1853901-r1853906-r1853908-r1853929-r1853935-r.patch
-- Jesse Williamson <email address hidden> Tue, 08 Oct 2019 13:31:25 +0000
apache2 (2.4.18-2ubuntu3.13) xenial-security; urgency=medium
* SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
browsers which change case in headers and broke balancer
loading in some configurations (LP: #1842701)
- drop d/p/CVE-2019-10092-3.patch
-- Steve Beattie <email address hidden> Mon, 16 Sep 2019 06:13:53 -0700
apache2 (2.4.18-2ubuntu3.12) xenial-security; urgency=medium
* SECURITY UPDATE: Limited cross-site scripting in mod_proxy
error page.
- d/p/CVE-2019-10092-1.patch: Remove request details from built-in
error documents.
- d/p/CVE-2019-10092-2.patch: Add missing log numbers.
- d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
protection.
- CVE-2019-10092
* SECURITY UPDATE: mod_rewrite potential open redirect.
- d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
- CVE-2019-10098
-- Steve Beattie <email address hidden> Mon, 26 Aug 2019 06:43:29 -0700
apache2 (2.4.18-2ubuntu3.10) xenial-security; urgency=medium
* SECURITY UPDATE: mod_session expiry time issue
- debian/patches/CVE-2018-17199.patch: always decode session attributes
early in modules/session/mod_session.c.
- CVE-2018-17199
* SECURITY UPDATE: privilege escalation from modules' scripts
- debian/patches/CVE-2019-0211.patch: bind the bucket number of each
child to its slot number in include/scoreboard.h,
server/mpm/event/event.c, server/mpm/prefork/prefork.c,
server/mpm/worker/worker.c.
- CVE-2019-0211
* SECURITY UPDATE: mod_auth_digest access control bypass
- debian/patches/CVE-2019-0217.patch: fix a race condition in
modules/aaa/mod_auth_digest.c.
- CVE-2019-0217
* SECURITY UPDATE: URL normalization inconsistency
- debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
the path in include/http_core.h, include/httpd.h, server/core.c,
server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
in server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
server/util.c.
- CVE-2019-0220
-- Marc Deslauriers <email address hidden> Wed, 03 Apr 2019 09:34:47 -0400
apache2 (2.4.18-2ubuntu3.9) xenial; urgency=medium
* debian/patches/includeoptional-ignore-non-existent.patch: silently
ignore a non-existent file path with IncludeOptional. Closes LP:
#1766186.
-- Andreas Hasenack <email address hidden> Thu, 07 Jun 2018 16:43:03 -0300
apache2 (2.4.18-2ubuntu3.8) xenial-security; urgency=medium
* SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
- debian/patches/CVE-2017-15710.patch: fix language long names
detection as short name in modules/aaa/mod_authnz_ldap.c.
- CVE-2017-15710
* SECURITY UPDATE: incorrect <FilesMatch> matching
- debian/patches/CVE-2017-15715-pre.patch: add ap_cstr_casecmp[n]() to
include/httpd.h, server/util.c.
- debian/patches/CVE-2017-15715.patch: allow to configure
global/default options for regexes, like caseless matching or
extended format in include/ap_regex.h, server/core.c,
server/util_pcre.c.
- CVE-2017-15715
* SECURITY UPDATE: mod_session header manipulation
- debian/patches/CVE-2018-1283.patch: strip Session header when
SessionEnv is on in modules/session/mod_session.c.
- CVE-2018-1283
* SECURITY UPDATE: DoS via specially-crafted request
- debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
terminated on any error, not only on buffer full in
server/protocol.c.
- CVE-2018-1301
* SECURITY UPDATE: mod_cache_socache DoS
- debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
to carriage return in modules/cache/mod_cache_socache.c.
- CVE-2018-1303
* SECURITY UPDATE: insecure nonce generation
- debian/patches/CVE-2018-1312.patch: actually use the secret when
generating nonces in modules/aaa/mod_auth_digest.c.
- CVE-2018-1312
-- Marc Deslauriers <email address hidden> Wed, 18 Apr 2018 10:53:04 -0400
apache2 (2.4.18-2ubuntu3.7) xenial; urgency=medium
* Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
- added debian/patches/util_ldap_cache_lock_fix.patch
-- Rafael David Tinoco <email address hidden> Thu, 01 Mar 2018 18:29:12 +0000
apache2 (2.4.18-2ubuntu3.6) xenial; urgency=medium
* d/p/apache2-bug-1466926-scoreboard-full-[123]-3.patch: backport of upstream
fixes to avoid issues of workers in graceful shutdown blocking new
requests (LP: #1466926)
-- Christian Ehrhardt <email address hidden> Tue, 14 Nov 2017 15:19:49 +0100
apache2 (2.4.18-2ubuntu3.5) xenial-security; urgency=medium
* SECURITY UPDATE: optionsbleed information leak
- debian/patches/CVE-2017-9798.patch: disallow method registration
at run time in server/core.c.
- CVE-2017-9798
-- Marc Deslauriers <email address hidden> Mon, 18 Sep 2017 11:09:02 -0400
apache2 (2.4.18-2ubuntu3.4) xenial-security; urgency=medium
* SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
- debian/patches/CVE-2017-9788.patch: correct string scope in
modules/aaa/mod_auth_digest.c.
- CVE-2017-9788
-- Marc Deslauriers <email address hidden> Thu, 27 Jul 2017 10:34:01 -0400
apache2 (2.4.18-2ubuntu3.3) xenial-security; urgency=medium
* SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
- debian/patches/CVE-2017-3167.patch: deprecate and replace
ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
server/protocol.c, server/request.c.
- CVE-2017-3167
* SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
- debian/patches/CVE-2017-3169.patch: fix ctx passed to
ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
- CVE-2017-3169
* SECURITY UPDATE: denial of service and possible incorrect value return
in HTTP strict parsing changes
- debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
server/util.c.
- CVE-2017-7668
* SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
- debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
modules/http/mod_mime.c.
- CVE-2017-7679
-- Marc Deslauriers <email address hidden> Mon, 26 Jun 2017 07:58:04 -0400
apache2 (2.4.18-2ubuntu3.2) xenial-security; urgency=medium
* SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
- debian/patches/CVE-2016-0736.patch: authenticate the session
data/cookie with a MAC in modules/session/mod_session_crypto.c.
- CVE-2016-0736
* SECURITY UPDATE: denial of service via malicious mod_auth_digest input
- debian/patches/CVE-2016-2161.patch: improve memory handling in
modules/aaa/mod_auth_digest.c.
- CVE-2016-2161
* SECURITY UPDATE: response splitting and cache pollution issue via
incomplete RFC7230 HTTP request grammar enforcing
- debian/patches/CVE-2016-8743.patch: enforce stricter parsing in
include/http_core.h, include/http_protocol.h, include/httpd.h,
modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
server/protocol.c, server/util.c, server/vhost.c.
- debian/patches/hostnames_with_underscores.diff: relax hostname
restrictions in server/vhost.c.
- CVE-2016-8743
* WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
may introduce compatibility issues with clients that do not strictly
follow specifications. A new configuration directive,
"HttpProtocolOptions Unsafe" can be used to re-enable some of the less
strict parsing restrictions, at the expense of security.
-- Marc Deslauriers <email address hidden> Fri, 05 May 2017 12:32:00 -0400
apache2 (2.4.18-2ubuntu3.1) xenial-security; urgency=medium
* SECURITY UPDATE: proxy request header vulnerability (httpoxy)
- debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
server/util_script.c.
- CVE-2016-5387
-- Marc Deslauriers <email address hidden> Thu, 14 Jul 2016 08:32:26 -0400
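The httpoxy entry above says only that HTTP_PROXY is no longer passed through in server/util_script.c. The following is an added example, not code from this changelog or from httpd itself: it models the RFC 3875 header-to-meta-variable mapping that CGI front ends perform, shows why a request header named "Proxy" lands in the child's environment as HTTP_PROXY (the variable many HTTP client libraries read for their outbound proxy), and places the pre-fix builder beside a hardened one that drops the header, which is the effect the CVE-2016-5387 patch has. The function names, the sample headers and the RFC 5737 address are all constructed for the example.

```python
# Added example (not httpd code): CGI meta-variable mapping and the
# httpoxy (CVE-2016-5387) header drop, in the vulnerable and hardened forms.


def cgi_meta_variable_name(header_name: str) -> str:
    """RFC 3875 mapping: 'User-Agent' -> 'HTTP_USER_AGENT'."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


# Request headers that must never reach the CGI environment as HTTP_*.
# Compared lower-cased because header names are case-insensitive:
# "Proxy", "PROXY" and "proxy" all collapse to HTTP_PROXY after mapping.
BLOCKED_CGI_HEADERS = frozenset({"proxy"})


def vulnerable_build_cgi_environment(headers, base_env=None):
    """Pre-fix behaviour: every request header is copied into the child's
    environment, so a client-supplied 'Proxy' header creates HTTP_PROXY."""
    env = dict(base_env or {})
    for name, value in headers:
        env[cgi_meta_variable_name(name)] = value
    return env


def build_cgi_environment(headers, base_env=None):
    """Hardened builder: blocked header names are skipped before mapping,
    so the child never sees a request-controlled HTTP_PROXY."""
    env = dict(base_env or {})
    for name, value in headers:
        if name.strip().lower() in BLOCKED_CGI_HEADERS:
            continue
        env[cgi_meta_variable_name(name)] = value
    return env


def has_request_controlled_proxy(env) -> bool:
    """Audit check for an environment a CGI child actually received: the
    server sets its own proxy configuration without the HTTP_ prefix, so an
    HTTP_PROXY variable can only have come from a request header."""
    return "HTTP_PROXY" in env


if __name__ == "__main__":
    # Constructed sample request: ordinary headers plus a "Proxy" header,
    # which no browser sends on its own.
    sample_headers = [
        ("Host", "www.example.com"),
        ("User-Agent", "curl/7.47.0"),
        ("Proxy", "http://198.51.100.7:8080"),  # constructed, RFC 5737 range
    ]
    server_env = {"SERVER_NAME": "www.example.com", "GATEWAY_INTERFACE": "CGI/1.1"}
    before = vulnerable_build_cgi_environment(sample_headers, server_env)
    after = build_cgi_environment(sample_headers, server_env)
    print("unpatched child sees HTTP_PROXY:", has_request_controlled_proxy(before))
    print("patched   child sees HTTP_PROXY:", has_request_controlled_proxy(after))
```

The drop has to happen on the header name before the HTTP_ mapping, and the comparison has to be case-insensitive; filtering on the mapped variable name alone would also work here, but only because the mapping itself upper-cases. Applications that run behind a CGI or FastCGI gateway which predates the fix can apply the same check on their side, or clear HTTP_PROXY before creating any outbound HTTP client.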
apache2 (2.4.18-2ubuntu3) xenial; urgency=medium
[ Ryan Harper ]
* Drop /etc/apache2/mods-available/http2.load. This was inadvertently
introduced in 2.4.18-2ubuntu1. The intention is to not carry this at
all, since http2 support is intentionally disabled (see LP 1531864).
* d/apache2.maintscript: handle removal of http2.load conffile.
[ Robie Basak ]
* Re-write Ryan's changelog entry.
-- Robie Basak <email address hidden> Fri, 15 Apr 2016 18:00:57 +0000
apache2 (2.4.18-2ubuntu2) xenial; urgency=medium
* Correct systemd-sysv-generator behavior by customizing some parameters (LP: #1488962)
- d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd
unit (Type=forking and RemainAfterExit=no); this allows a correct state synchronisation
between systemctl status and the actual state of the apache2 daemon.
- d/apache2.install: place the apache2-systemd.conf file in the correct location.
-- Pierre-André MOREY <email address hidden> Fri, 08 Apr 2016 11:48:00 +0200
apache2 (2.4.18-2ubuntu1) xenial; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html: replace Debian with Ubuntu on default page.
- Don't build experimental http2 module for LTS:
+ debian/control: removed libnghttp2-dev Build-Depends (in universe).
+ debian/config-dir/mods-available/http2.load: removed.
apache2 (2.4.18-2) unstable; urgency=low
* htcacheclean:
- split starting/stopping into separate init script 'apache-htcacheclean'
- move config from /etc/default/apache2 to /etc/default/apache-htcacheclean
- make a2enmod/a2dismod enable/disable htcacheclean with mod_cache_disk
- start htcacheclean as the apache2 run user/group
* Fix a2query -M not returning output if apache2 config is broken.
Fix missing quotes in apache2-maintscript-helper. Closes: #810500
* README.backtrace: Note that coredump directory needs to be owned by
www-data. Closes: #806697
* Remove ssl work-arounds for MSIE. Newer versions of IE work without them
and older versions are no longer supported by MS. Closes: #815852
* Give a hint about systemd in README.multiple-instances. Closes: #818904
* Don't treat mod_access_compat as essential. It's essentially broken,
anyway.
* Merge cross-compile tweaks for debian/rules from ubuntu.
* Merge autopkgtests from Ubuntu. Many thanks to Robie Basak.
Closes: #719245
* Fix duplicate-module-load test and make sure it fails if it cannot execute
apache2ctl.
* Bump Standards-Version (no changes necessary).
-- Timo Aaltonen <email address hidden> Wed, 06 Apr 2016 00:18:31 +0300
apache2 (2.4.18-1ubuntu1) xenial; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- Add dep8 tests.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html: replace Debian with Ubuntu on default page.
- Don't build experimental http2 module for LTS:
+ debian/control: removed libnghttp2-dev Build-Depends (in universe).
+ debian/config-dir/mods-available/http2.load: removed.
apache2 (2.4.18-1) unstable; urgency=medium
* New upstream release:
- mostly HTTP/2 improvements
-- Marc Deslauriers <email address hidden> Thu, 21 Jan 2016 15:15:22 -0500
apache2 (2.4.17-3ubuntu1) xenial; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- Add dep8 tests.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html: replace Debian with Ubuntu on default page.
- Don't build experimental http2 module for LTS:
+ debian/control: removed libnghttp2-dev Build-Depends (in universe).
+ debian/config-dir/mods-available/http2.load: removed.
apache2 (2.4.17-3) unstable; urgency=medium
* mpm_prefork: Fix segfault if started with -X. Closes: #805737
-- Marc Deslauriers <email address hidden> Thu, 03 Dec 2015 10:07:35 -0500
apache2 (2.4.17-2ubuntu1) xenial; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- Add dep8 tests.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html: replace Debian with Ubuntu on default page.
- Don't build experimental http2 module for LTS:
+ debian/control: removed libnghttp2-dev Build-Depends (in universe).
+ debian/config-dir/mods-available/http2.load: removed.
apache2 (2.4.17-2) unstable; urgency=medium
* Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
lots of web-apps. Closes: #803353
* Fix secondary-init-script to not source the main init script with 'set -e'.
Closes: #803177
* mod_http2: Write HTTP/2 into THE_REQUEST and the access log.
-- Marc Deslauriers <email address hidden> Fri, 20 Nov 2015 09:11:52 -0500
apache2 (2.4.17-1ubuntu1) xenial; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- Add dep8 tests.
- debian/rules: Fix cross-building by passing
DEB_{HOST,BUILD}_GNU_TYPE to configure.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html: replace Debian with Ubuntu on default page.
* Drop patches (applied upstream):
- debian/patches/CVE-2015-3183.patch
- debian/patches/CVE-2015-3185.patch
* Drop changes (adopted in Debian):
- Allow "triggers-awaited" and "triggers-pending" states in addition
to "installed" when determining whether to defer actions or
process deferred actions.
* Don't build experimental http2 module for LTS
- debian/control: removed libnghttp2-dev Build-Depends (in universe).
- debian/config-dir/mods-available/http2.load: removed.
apache2 (2.4.17-1) unstable; urgency=medium
[ Stefan Fritsch ]
* New upstream release:
- New experimental http2 module
* reproducible build: Make symbol sorting consistent over different locales
* Conflict with apache2.2-common and apache2.2-bin to get the transitional
packages removed. Closes: #768815
* Don't treat mpm_itk as MPM module in a2query. Closes: #791902
* Don't treat mpm_itk as MPM module in deferred actions in postinst.
Hopefully really closes: #789914
* Don't treat mpm_itk as MPM module in a2enmod.
[ Jean-Michel Vourgère ]
* Updated upstream keyring used to check source authenticity.
apache2 (2.4.16-3) unstable; urgency=medium
[ Jean-Michel Vourgère ]
* Have apache2.postrm remove the content of /var/lib/apache2, not the
directory itself. Closes: #793862
* d/p/reproducible_builds.diff: Sort exported symbols list.
[ Stefan Fritsch ]
* apxs: Don't pass --silent to libtool. Closes: #795820
* Remove default /var/www/html/index.html on package purge.
apache2 (2.4.16-2) unstable; urgency=medium
* Make dh_apache2 add a versioned dependency on apache2-bin, for the
new symbols required for the CVE-2015-3185 fix.
apache2 (2.4.16-1) unstable; urgency=medium
[ Stefan Fritsch ]
* New upstream version, fixing the following security issues:
+ CVE-2015-3183: Fix chunk header parsing defect.
+ CVE-2015-3185: ap_some_auth_required() broken in apache 2.4 in an
unfixable way. Add a new replacement API ap_some_authn_required()
and ap_force_authn hook.
[ Jean-Michel Vourgère ]
* Allow "triggers-awaited" and "triggers-pending" states in addition to
"installed" when determining whether to defer actions or process
deferred actions. Thanks Colin Watson. Closes: #787103
* Allow a2dismod cgi on threaded mpms. Thanks Raul Dias. Closes:
#733979
* Remove pre-Jessie transition scripts, and remaining breaks.
* Made builds reproducible: d/rules set the date from the changelog in
CPPFLAGS, new reproducible_builds.diff patch to use it.
* Moved bash_completion from /etc to /usr/share/bash_completion. Added
links there for dynamic loading.
* Upgrade security.conf comments to 2.4 auth format. Thanks Werner
Detter. Closes: #789788
* apache2.postinst: Fixed tests on deferred mpm switch. Closes:
#789914
-- Marc Deslauriers <email address hidden> Fri, 30 Oct 2015 09:35:46 -0400
apache2 (2.4.12-2ubuntu2) wily; urgency=medium
* SECURITY UPDATE: request smuggling via chunked transfer encoding
- debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
modules/http/http_filters.c.
- CVE-2015-3183
* SECURITY UPDATE: access restriction bypass via deprecated API
- debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
in include/http_request.h, server/request.c.
- CVE-2015-3185
-- Marc Deslauriers <email address hidden> Fri, 24 Jul 2015 09:56:09 -0400