Publishing details

Changelog

apache2 (2.4.46-2+ubuntu16.04.1+deb.sury.org+3) xenial; urgency=medium

  [ Jean-Michel Vourgère ]
  * Man: Add missing options and see also in a2en*(8)

  [ Xavier Guimard ]
  * Bump debhelper compatibility level to 13
  * Declare compliance with policy 4.5.0

  [ Ondřej Surý ]
  * No-change backport to xenial

apache2 (2.4.46-1) unstable; urgency=medium

  [ Xavier Guimard ]
  * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md

  [ Timo Tijhof ]
  * Compress text/javascript with mod_deflate by default (Closes: #959195)

  [ Xavier Guimard ]
  * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md
  * Update upstream keys
  * New upstream version 2.4.46 (Closes: CVE-2020-11984, CVE-2020-11993,
    CVE-2020-9490)

apache2 (2.4.43-1) unstable; urgency=medium

  [ Timo Aaltonen ]
  * mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST
    requests (Closes: #955348)

  [ Moritz Schlarb ]
  * Fix logrotate script for multi-instance (Closes: #914606)

  [ Xavier Guimard ]
  * New upstream version 2.4.43
  * Refresh patches

apache2 (2.4.41-5) unstable; urgency=medium

  [ Xavier Guimard ]
  * Avoid double mod_dav load (Closes: #951753)

  [ Timo Aaltonen ]
  * mod_proxy_ajp-add-secret-parameter.diff: Apply a patch from 2.4.x to fix
    AJP with current tomcat.
    (Closes: #954201)

apache2 (2.4.41-4) unstable; urgency=medium

  * Add gcc in chroot autopkgtest (fixes debci)

apache2 (2.4.41-3) unstable; urgency=medium

  * Don't use hardcoded libgcc_s.so.1 path in autopkgtest files. Thanks to
    Aurelien Jarno (Closes: #950711)

apache2 (2.4.41-2) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Add *.load file for mod_socache_redis

  [ Vagrant Cascadian ]
  * Embeds path to EGREP in config_vars.mk (Closes: #948757)
  * Sanitize CXXFLAGS/-ffile-prefix-map in config_vars.mk (Closes: #948759)

apache2 (2.4.41-1) unstable; urgency=medium

  * New upstream version 2.4.41
  * Update lintian overrides
  * Remove README in usr/share/apache2
  * Move httxt2dbm manpage in section 8
  * Update test framework

apache2 (2.4.39-2) unstable; urgency=medium

  * Fix bad call of dh_link. Thanks to Daniel Baumann (Closes: #934640)

apache2 (2.4.39-1) unstable; urgency=medium

  [ Helmut Grohne ]
  * Do not install /usr/share/apache2/build/config.nice (Closes: #929510)

  [ Xavier Guimard ]
  * New upstream version 2.4.39
  * Refresh patches
  * Remove patches now included in upstream
  * Replace duplicate doc files by links using jdupes
  * Add bison in build dependencies

apache2 (2.4.38-3) unstable; urgency=high

  [ Marc Deslauriers ]
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentanglement of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistency
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

  [ Stefan Fritsch ]
  * Pull security fixes from 2.4.39 via Ubuntu
  * CVE-2019-0197: mod_http2: Fix possible crash on late upgrade

apache2 (2.4.38-2) unstable; urgency=medium

  * Disable "reset" test in allowmethods.t (Closes: #921024)

apache2 (2.4.38-1) unstable; urgency=medium

  [ Jelmer Vernooij ]
  * Reverted for now: Transition to automatic debug package (from: apache2-dbg)
  * Trim trailing whitespace
  * Use secure copyright file specification URI

  [ Niels Thykier ]
  * Add Rules-Requires-Root: binary-targets

  [ Xavier Guimard ]
  * Convert signing-key.pgp into signing-key.asc
  * Add http2.conf (Closes: #880993)
  * Remove unnecessary greater-than versioned dependency to dpkg-dev,
    libbrotli-dev and libapache2-mod-md
  * Declare compliance with policy 4.2.1
  * Add spelling errors patch (reported)
  * Fix some spelling errors in debian files
  * Add myself to uploaders
  * Refresh patches
  * Bump debhelper compatibility level to 10
  * debian/rules:
    - Remove unnecessary dh argument --parallel
    - use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog
  * Add upstream/metadata
  * Replace MIT by Expat in debian/copyright
  * debian/watch: use https url
  * Add documentation links in systemd service files
  * Team upload

  [ Cyrille Bollu ]
  * Put HTTP2 configuration within <IfModule !mpm_prefork></IfModule> tags as
    it gets automatically de-activated upon apache startup when using
    mpm_prefork.
  * Updated http2.conf to inform users that they may want to change their
    LogFormat directives.

  [ Xavier Guimard ]
  * New upstream version 2.4.38 (Closes: #920220, #920302, #920303)
  * Refresh patches
  * Remove setenvifexpr.diff patch now included in upstream
  * Replace libapache2-mod-proxy-uwsgi.{post*,prerm} by a maintscript
  * Add a "sleep" in debian/tests/htcacheclean and skip result if "stop" failed
  * Declare compliance with policy 4.3.0
  * Fix homepage to https
  * Update debian/copyright

apache2 (2.4.37-1) unstable; urgency=medium

  * New upstream version
    - mod_ssl: Add support for TLSv1.3
  * Add docs symlink for libapache2-mod-proxy-uwsgi.  Closes: #910218
  * Update test-framework to r1845652
  * Fix test suite to actually run by creating a test user. It turns out
    the test suite refuses to run as root but returns true even in that
    case. It seems this has been broken since 2.4.27-4, where the test suite
    had been updated and the debci test duration dropped from 15min to
    3min. Also, don't rely on the exit status anymore but parse the test
    output.
  * Backport a fix from trunk for SetEnvIfExpr. This fixes a test failure.

apache2 (2.4.35-1) unstable; urgency=medium

  * New upstream version 2.4.35
    Security fix:
    - CVE-2018-11763: DoS for HTTP/2 connections by continuous SETTINGS
      Closes: #909591
  * Fix lintian warning: Don't force xz in builddeb override.

apache2 (2.4.34-1) unstable; urgency=medium

  [ Ondřej Surý ]
  * New upstream version 2.4.34
    Security fixes:
    - CVE-2018-1333: Denial of service in mod_http2. Closes: #904106
    - CVE-2018-8011: Denial of service in mod_md. Closes: #904107
  * Refresh patches for Apache2 2.4.34 release
  * Update the suexec-custom.patch for 2.4.34 release

  [ Stefan Fritsch ]
  * Remove load order dependency introduced in mod_lbmethod_* in 2.4.34
  * Remove debian/gbp.conf. Closes: #904641
  * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
    Closes: #904150

apache2 (2.4.33-3) unstable; urgency=medium

  * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
    Closes: #894785
  * mod_http2: Avoid high memory usage with large files, causing crashes on
    32bit archs. Closes: #897218
  * Migrate from alioth to salsa.

apache2 (2.4.33-2) unstable; urgency=medium

  * Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi
    and libapache2-mod-md.
    Closes: #894760, #894761, #894785

apache2 (2.4.33-1) unstable; urgency=medium

  * New upstream version.
    Security fixes:
    - CVE-2017-15710
      Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
    - CVE-2018-1283
      mod_session: CGI-like applications that intend to read from mod_session's
      'SessionEnv ON' could be fooled into reading user-supplied data instead.
    - CVE-2018-1303
      mod_cache_socache: Fix request headers parsing to avoid a possible crash
      with specially crafted input data.
    - CVE-2018-1301
      core: Possible crash with excessively long HTTP request headers.
      Impractical to exploit with a production build and production LogLevel.
    - CVE-2017-15715
      core: Configure the regular expression engine to match '$' to the end of
      the input string only, excluding matching the end of any embedded
      newline characters. Behavior can be changed with new directive
      'RegexDefaultOptions'.
    - CVE-2018-1312
      mod_auth_digest: Fix generation of nonce values to prevent replay
      attacks across servers using a common Digest domain. This change
      may cause problems if used with round robin load balancers. PR 54637
    - CVE-2018-1302
      mod_http2: Potential crash w/ mod_http2.

    - mod_proxy_uwsgi: New UWSGI proxy submodule.
    - mod_md: New experimental module for managing domains across virtual
      hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
      renew certificates.
    - core: silently ignore a non-existent file path when IncludeOptional
      is used. Closes: #878920
    - mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980

  * Fix lintian warnings:
    - Include SupportApache-small.png in apache2-doc package instead of
      linking to apache.org, to avoid privacy issues.
    - Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
    - Remove deprecated use of autotools_dev with dh.
    - Add some overrides
  * Bump standards-version to 4.1.2 (no changes)
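The CVE-2017-15715 item above concerns a regex anchoring subtlety: in PCRE (and in Python's `re`), a bare `$` also matches just before a trailing newline, so a pattern such as `\.php$` accepts a filename that ends in `.php\n`. The following is an added illustration in Python, not Apache code and not from this changelog; the filenames are constructed samples, and the `php_files_*` helpers are hypothetical names chosen for the demonstration.

```python
"""Added example (not part of the apache2 package): why '$' is a weaker
end-of-string anchor than it looks, and what a fix that pins '$' to the
true end of input changes.

Python's re module has the same default as PCRE: without MULTILINE, '$'
matches at the end of the string OR immediately before a final newline.
'\\Z' matches only at the very end, which is the behaviour Apache 2.4.33
adopted for its own regexes by default.
"""
import re

# Constructed sample names; the second one carries a trailing newline,
# the kind of name an upload or path-normalisation bug can produce.
SAMPLE_NAMES = ["index.php", "index.php\n", "index.phps", "notes.txt"]

LOOSE_PHP = re.compile(r"\.php$")    # how a '$' rule behaved before the fix
STRICT_PHP = re.compile(r"\.php\Z")  # end-only anchoring


def php_files_loose(names):
    """Names the loose '$' rule would treat as PHP scripts."""
    return [n for n in names if LOOSE_PHP.search(n)]


def php_files_strict(names):
    """Names the end-only rule treats as PHP scripts."""
    return [n for n in names if STRICT_PHP.search(n)]


def only_loose_matches(names):
    """Names accepted by the loose rule but rejected by the strict one:
    exactly the gap that end-only anchoring closes."""
    strict = set(php_files_strict(names))
    return [n for n in php_files_loose(names) if n not in strict]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name), "loose:", bool(LOOSE_PHP.search(name)),
              "strict:", bool(STRICT_PHP.search(name)))
    print("only the loose rule accepts:", only_loose_matches(SAMPLE_NAMES))
```

The same gap applies to any `<FilesMatch>`, `<LocationMatch>` or `RewriteRule` pattern that relies on `$` to pin a suffix; after 2.4.33 Apache compiles such patterns end-only, and the `RegexDefaultOptions` directive named in the entry is the place to audit if a configuration has deliberately relaxed that again.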

apache2 (2.4.29-2) unstable; urgency=medium

  * Add myself to Uploaders
  * Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
  * Run wrap-and-sort -a to canonicalize the debian/ directory
  * Add Build-Depends on libbrotli-dev and enable brotli module

apache2 (2.4.29-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Replace outdated dependency on dh-systemd

  [ Ondřej Surý ]
  * New upstream version 2.4.29
  * Refresh quilt patches
  * Add mod_ssl_md patch needed for libapache2-mod-md (Closes: #877343)
  * Refresh patches on top of upstream release 2.4.29
  * Fix Apache crash on restarts (ASF Bug 61558)
  * Add deconfigure to the list of recognized scripts (Closes: #877524)

apache2 (2.4.27-6) unstable; urgency=high

  * CVE-2017-9798: Don't allow new methods to be registered in .htaccess files
    which could result in HTTP OPTIONS method leaking Apache's server memory.
    Closes: #876109
  * Fix argument escaping in apachectl. Closes: #876384

apache2 (2.4.27-5) unstable; urgency=medium

  * Upload to unstable.
  * Update "Breaks:" for openssl transition.
  * Bump Standards-Version to 4.1.0. No changes needed.

apache2 (2.4.27-4) experimental; urgency=medium

  * Use 'invoke-rc.d' instead of init script in logrotate script.
    Closes: #857607
  * Make the apache-htcacheclean init script actually look into
    /etc/default/apache-htcacheclean for its config. LP: #1691495
  * mime.conf: Guard AddOutputFilter INCLUDES with proper <IfModule>.
    LP: #1675184
  * Use 'service' instead of init script in monit example config.
  * Bump Standards-Version to 4.0.1. Other changes:
    - change package priorities from extra to optional
  * Use libprotocol-http2-perl in autopkgtest.
  * Update test suite to svn r1804214.
  * Various tweaks to the test suite autopkgtest to avoid having to skip
    any test.
  * Also remove -DBUILD_DATETIME and -fdebug-prefix-map from config_vars.mk
    to avoid them being used by apxs.
  * deflate.conf: Remove mention of MSIE6

apache2 (2.4.27-3) experimental; urgency=medium

  * Switch to openssl 1.1. Again closes: #851094
  * Add versioned breaks for gridsite, libapache2-mod-dacs because of
    openssl transition.
  * Provide new apache2-api-20120211-openssl1.1 virtual package and make
    dh_apache2 generate a dependency on it if there is a build-dep on
    apache2-ssl-dev.

apache2 (2.4.27-2) unstable; urgency=medium

  * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
    work and should go into experimental, first. Reopens: #851094

apache2 (2.4.27-1) unstable; urgency=medium

  [ New upstream release ]
  * Fix CVE-2017-9788: mod_auth_digest: Uninitialized memory reflection
    Closes: #868467

  [ Stefan Fritsch ]
  * Switch to openssl 1.1. Closes: #851094

apache2 (2.4.25-4) unstable; urgency=high

  * Backport security fixes from 2.4.26:
  * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
  * CVE-2017-3169: mod_ssl NULL pointer dereference
  * CVE-2017-7668: Buffer overrun in ap_find_token()
  * CVE-2017-7679: mod_mime buffer overread
  * CVE-2017-7659: mod_http2 NULL pointer dereference

apache2 (2.4.25-3) unstable; urgency=medium

  * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
    Closes: #852543
  * Compile mod_bucketeer mod_case_filter mod_case_filter_in for benefit of
    the test suite, but don't add *.load files because they don't have any
    real-world use.
  * Include the upstream test suite and a corresponding autopkgtest. This
    is quite a hack but it may help quite a bit with security updates,
    especially if stretch gets LTS support, too.

apache2 (2.4.25-2) unstable; urgency=medium

  * Activate mod_reqtimeout in new installs and during updates from
    before 2.4.25-2. It was wrongly not activated in new installs since
    jessie. This made the default installation vulnerable to some DoS
    attacks.
  * Restart htcacheclean on updates and tighten dependency on apache2-utils
    to ensure that apache2-utils cannot be upgraded without apache2.
    Closes: #851122
  * When running on systems with systemd, make 'apache2ctl start' invoke
    systemctl instead. Otherwise systemd will think apache2 is not running
    and ignore further commands like reload. Closes: #839227
  * Avoid segfault in mpm_event if a signal is received too soon after start.
    PR 60487
  * Add test for some modules to be enabled.
  * Remove mention of CVE-2016-5387 in 2.4.25-1 changelog. It was already
    fixed in 2.4.23-2.

apache2 (2.4.25-1) unstable; urgency=medium

  [ New upstream release ]
  * Security: CVE-2016-0736:
    mod_session_crypto: Authenticate the session data/cookie with a MAC to
    prevent deciphering or tampering with a padding oracle attack.
  * Security: CVE-2016-2161:
    mod_auth_digest: Prevent segfaults during client entry allocation when the
    shared memory space is exhausted.
  * Security: CVE-2016-8740:
    mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
    Closes: #847124
  * Security: CVE-2016-8743:
    Enforce HTTP request grammar corresponding to RFC7230 for request lines
    and request headers, to prevent response splitting and cache pollution by
    malicious clients or downstream proxies.
  * The stricter HTTP enforcement may cause compatibility problems with
    non-conforming clients. Fine-tuning is possible with the new
    HttpProtocolOptions directive.
  * mpm_event: Fix "scoreboard full" errors. Closes: #834708 LP: #1466926
  * mod_http2: Many fixes and support for early pushes using the new
    H2PushResource directive.

  [ Stefan Fritsch ]
  * Switch to debhelper compatibility level 9.
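The CVE-2016-8743 item above says Apache now enforces RFC 7230 request grammar to stop response splitting and cache pollution. The following is an added example in Python, not Apache's parser and not from this changelog, showing what a strict request-head validator rejects: bare CR or LF inside a line, whitespace between a header name and its colon, non-token characters in method or field names, and malformed version strings. The sample requests are constructed, and the function names are hypothetical.

```python
"""Added example (not Apache code): a strict RFC 7230 request-head parser.
Rejecting these malformed heads is what keeps a proxy or cache from being
tricked into treating one request as two."""
import re

# RFC 7230 token characters (field names and methods must consist of these)
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN_RE = re.compile(rf"^{TCHAR}+\Z")
# field-value: VCHAR, SP, HTAB and obs-text; never CR, LF or other controls
FIELD_VALUE_RE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*\Z")
# request-line = method SP request-target SP HTTP-version (single spaces only)
REQUEST_LINE_RE = re.compile(rf"^({TCHAR}+) (\S+) (HTTP/[0-9]\.[0-9])\Z")


class BadRequest(ValueError):
    """Raised for any head outside the strict grammar (a 400 in practice)."""


def parse_request_head(raw: bytes):
    """Return (method, target, version, [(name, value), ...]) or raise."""
    if not raw.endswith(b"\r\n\r\n"):
        raise BadRequest("head must terminate with CRLF CRLF")
    lines = raw[:-4].split(b"\r\n")
    for line in lines:
        # a bare LF or CR that survived the CRLF split is exactly what
        # lenient parsers accept and splitting attacks depend on
        if b"\n" in line or b"\r" in line:
            raise BadRequest("bare CR or LF inside a line")
    text = [line.decode("latin-1") for line in lines]  # obs-text allowed
    m = REQUEST_LINE_RE.match(text[0])
    if not m:
        raise BadRequest("malformed request line")
    headers = []
    for line in text[1:]:
        if line[:1] in (" ", "\t"):
            raise BadRequest("obsolete line folding is not accepted")
        name, sep, value = line.partition(":")
        if not sep:
            raise BadRequest("header line without colon")
        if not TOKEN_RE.match(name):  # also rejects 'Host :' (space before colon)
            raise BadRequest(f"invalid field name {name!r}")
        value = value.strip(" \t")    # OWS around the value is permitted
        if not FIELD_VALUE_RE.match(value):
            raise BadRequest(f"invalid field value for {name}")
        headers.append((name, value))
    return m.group(1), m.group(2), m.group(3), headers


def is_well_formed(raw: bytes) -> bool:
    try:
        parse_request_head(raw)
        return True
    except BadRequest:
        return False


# Constructed samples: one conforming head and several that strict mode rejects.
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nAccept: */*\r\n\r\n"
BAD_REQUESTS = [
    ("space before colon", b"GET / HTTP/1.1\r\nHost : www.example.test\r\n\r\n"),
    ("bare LF in request line", b"GET / HTTP/1.1\nHost: www.example.test\r\n\r\n"),
    ("non-token field name", b"GET / HTTP/1.1\r\nX-Foo{bar}: 1\r\n\r\n"),
    ("bad version", b"GET / HTTP/1.10\r\nHost: www.example.test\r\n\r\n"),
    ("two spaces in request line", b"GET  / HTTP/1.1\r\nHost: a\r\n\r\n"),
    ("control char in value", b"GET / HTTP/1.1\r\nHost: a\x01b\r\n\r\n"),
]

if __name__ == "__main__":
    print("good:", parse_request_head(GOOD_REQUEST))
    for label, raw in BAD_REQUESTS:
        print(f"{label}: rejected={not is_well_formed(raw)}")
```

This is the same class of checks the changelog's `HttpProtocolOptions` directive controls; its `Unsafe` mode relaxes them for non-conforming clients, so a deployment that sets it is trading back part of the CVE-2016-8743 protection and deserves a note in the change record.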

apache2 (2.4.23-8) unstable; urgency=medium

  * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
    new package apache2-ssl-dev.  Packages that interface with openssl
    state from mod_ssl must build-depend on this new package.
    This will help to disentangle the build-deps in the openssl transition.
    Closes: #845033

apache2 (2.4.23-7) unstable; urgency=medium

  * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
  * Move DefaultRuntimeDir and pid file for multi-instances to
    /var/run/apache2-xxx. Thanks to Horst Platz for the debugging.
    Closes: #838932 LP: #1627339
  * Fix systemd unit naming for multi-instances.
  * Tweak embedded .tar.gz some more to build reproducibly.

apache2 (2.4.23-6) unstable; urgency=medium

  * One more tweak for reproducible build. Thanks to Daniel Shahaf for the
    patch. Closes: #839977
  * Avoid building with openssl 1.1 for now. See #828236

apache2 (2.4.23-5) unstable; urgency=low

  * Team upload.

  [ Stefan Fritsch ]
  * Tweak creation of .tar.gz embedded in preinst to get reproducible
    build.

  [ Raphaël Hertzog ]
  * Add systemd unit files. Closes: #798430
  * Improve a2enmod to enable apache-htcacheclean with systemctl and let
    it enable '<email address hidden>' for multi-instance
    support.
  * Improve setup-instance to rely on the systemd <email address hidden> for
    multi-instance support.
  * Drop /lib/systemd/system/apache2.service.d/forking.conf now that we have
    proper native systemd support.
  * Modify handling of /etc/init.d/apache-htcacheclean to have a usual
    Default-Start value but instead we disable it manually in the postinst.
    That way "systemctl enable apache-htcacheclean" works.
  * Add some lintian overrides for non-problems (two update-rc.d calls in
    postinst, and a .js file with a very long line).

apache2 (2.4.23-4) unstable; urgency=medium

  * Fix pre-inst script for new installations. Closes: #834169

apache2 (2.4.23-3) unstable; urgency=low

  * Fix conffiles that may have got the wrong content during upgrade from
    wheezy to early jessie versions. Closes: #794933
  * Also restore re-introduced *.load files for mod_ident, mod_imagemap, and
    mod_cern_meta. These may have gone missing due to dpkg thinking they still
    belong to apache2.2-common. Reported by Markus Waldeck.
  * apache2-maintscript-helper: Make apache2_switch_mpm do nothing if the
    local admin has disabled the requested mpm manually.
    Closes: #827446, #799630
  * Make mod_proxy_html depend on mod_xml2enc.
  * dh_apache2: Make versioned recommends on apache2 less strict. There is
    no advantage in recommending the current version. Closes: #784290

apache2 (2.4.23-2) unstable; urgency=high

  * CVE-2016-5387: Sets environmental variable based on user supplied Proxy
    request header.
    Don't pass through HTTP_PROXY in server/util_script.c
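The CVE-2016-5387 entry above is terse about the mechanism it fixes. The following is an added Python illustration, not Apache's `util_script.c` and not from this changelog: it reproduces the CGI convention that maps each request header `Foo-Bar` to the environment variable `HTTP_FOO_BAR`, shows how a client-supplied `Proxy:` header therefore lands in `HTTP_PROXY`, and applies the fix of refusing to forward that one header. The request headers and proxy host are constructed placeholders, and the function names are hypothetical.

```python
"""Added example (not Apache code): CGI header-to-environment mapping and
the CVE-2016-5387 fix. RFC 3875 turns every request header into an HTTP_*
variable, and many HTTP client libraries honour HTTP_PROXY as their
outbound proxy setting, so a client must never be allowed to set it."""


def header_to_cgi_name(name: str) -> str:
    """RFC 3875 mapping: upper-case, '-' becomes '_', prefix HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_env_vulnerable(headers):
    """Pre-fix behaviour: every request header is forwarded, Proxy included."""
    return {header_to_cgi_name(name): value for name, value in headers}


def build_cgi_env_fixed(headers):
    """Post-fix behaviour: drop any header that would become HTTP_PROXY,
    whatever its letter case on the wire."""
    env = {}
    for name, value in headers:
        if name.lower() == "proxy":
            continue  # the server, not the client, decides the script's proxy
        env[header_to_cgi_name(name)] = value
    return env


def outbound_proxy_for(env):
    """What a proxy-aware HTTP client running inside the CGI script would
    pick up from its environment (None means 'connect directly')."""
    return env.get("HTTP_PROXY")


# Constructed sample headers; the Proxy value is a placeholder, not a real host.
SAMPLE_HEADERS = [
    ("Host", "www.example.test"),
    ("User-Agent", "curl/7.64.0"),
    ("Proxy", "http://proxy-placeholder.invalid:8080"),
]

if __name__ == "__main__":
    print("vulnerable HTTP_PROXY:", outbound_proxy_for(build_cgi_env_vulnerable(SAMPLE_HEADERS)))
    print("fixed HTTP_PROXY:     ", outbound_proxy_for(build_cgi_env_fixed(SAMPLE_HEADERS)))
```

For an instance that cannot take the patched package immediately, the mitigation Apache published alongside the fix is to strip the header at the front door with `RequestHeader unset Proxy early` (mod_headers), which removes it before any CGI environment is built.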

apache2 (2.4.23-1) unstable; urgency=high

  * New upstream release
    - Security: CVE-2016-4979: Fix bypass of TLS client certificate
      verification in mod_http2.
    - new modules mod_proxy_http2 (experimental) and mod_proxy_hcheck
  * Re-introduce mod_imagemap and mod_cern_meta. Closes: #786657
  * Set SHELL=/bin/bash during configure to get reproducible builds regardless
    of where /bin/sh points to.
  * Use 'Require method' instead of Limit/LimitExcept in userdir.conf.

apache2 (2.4.20-2) unstable; urgency=medium

  * Fix crash in ap_get_useragent_host() triggered by mod_perl test.
    Closes: #820824
  * Fix race condition and logical error in init script. Thanks to Thomas
    Stangner for the patch. Closes: #822144
  * Remove links to manpages.debian.org in default index.html to avoid
    broken robots doing a DoS on the site. Closes: #821313
  * Fix a2enmod to run on perl 5.14 to simplify backports. Closes: #821956
  * Bump Standards-Version (no changes necessary).
  * Fix segfault with logresolve -c. Closes: #823259

apache2 (2.4.20-1) unstable; urgency=medium

  * New upstream release
    - mostly bugfixes and HTTP/2 improvements
  * Build against lua 5.2 instead of 5.1. Closes: #820243
  * Correct systemd-sysv-generator behavior by customizing some parameters.
    This fixes 'systemctl status' returning incorrect results. Thanks to
    Pierre-André MOREY for the patch. LP: #1488962
  * On Linux, use pthread mutexes. On kfreebsd/hurd, continue using fcntl
    because they lack robust pthread mutexes. LP: #1565744, #1527044

 -- Ondřej Surý <email address hidden>  Tue, 08 Sep 2020 12:12:22 +0200
