apache2 (2.4.58-1ubuntu8.8) noble-security; urgency=medium
* SECURITY REGRESSION: Removing duplicated lines
- debian/patches/CVE-2024-38474-regression.patch: (LP: #2119395)
-- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Mon, 11 Aug 2025 08:10:09 -0300
apache2 (2.4.58-1ubuntu8.7) noble-security; urgency=medium
* SECURITY UPDATE: HTTP response splitting
- debian/patches/CVE-2024-42516.patch: fix header merging in
modules/http/http_filters.c.
- CVE-2024-42516
* SECURITY UPDATE: SSRF with mod_headers setting Content-Type header
- debian/patches/CVE-2024-43204-pre1.patch: avoid ap_set_content_type
when processing a _Request_Header set|edit|unset Content-Type in
modules/metadata/mod_headers.c.
- debian/patches/CVE-2024-43204.patch: use header only in
modules/metadata/mod_headers.c.
- CVE-2024-43204
* SECURITY UPDATE: mod_ssl error log variable escaping
- debian/patches/CVE-2024-47252.patch: escape ssl vars in
modules/ssl/ssl_engine_vars.c.
- CVE-2024-47252
* SECURITY UPDATE: mod_ssl access control bypass with session resumption
- debian/patches/CVE-2025-23048.patch: update SNI validation in
modules/ssl/ssl_engine_kernel.c.
- CVE-2025-23048
* SECURITY UPDATE: mod_proxy_http2 denial of service
- debian/patches/CVE-2025-49630.patch: tolerate missing host header in
h2 proxy in modules/http2/h2_proxy_session.c.
- CVE-2025-49630
* SECURITY UPDATE: mod_ssl TLS upgrade attack
- debian/patches/CVE-2025-49812.patch: remove antiquated 'SSLEngine
optional' TLS upgrade in modules/ssl/ssl_engine_config.c,
modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
modules/ssl/ssl_private.h.
- CVE-2025-49812
* SECURITY UPDATE:
- debian/patches/CVE-2025-53020.patch: improve h2 header error handling
in modules/http2/h2_request.c, modules/http2/h2_request.h,
modules/http2/h2_session.c, modules/http2/h2_session.h,
modules/http2/h2_stream.c, modules/http2/h2_util.c,
modules/http2/h2_util.h,
test/modules/http2/test_200_header_invalid.py.
- CVE-2025-53020
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Jul 2025 12:22:22 -0400
apache2 (2.4.58-1ubuntu8.6) noble-security; urgency=medium
* SECURITY REGRESSION: Better question mark tracking
- debian/patches/CVE-2024-38474-regression.patch: improve
previous patch allowing to avoid [UnsafeAllow3F] for most
cases in modules/mappers/mod_rewrite.c (LP: #2103723).
-- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Thu, 03 Apr 2025 11:36:49 -0300
apache2 (2.4.58-1ubuntu8.5) noble; urgency=medium
* SRU: LP: #2083480: No-change rebuild to disable frame pointers on
ppc64el and s390x.
-- Matthias Klose <doko@ubuntu.com> Wed, 02 Oct 2024 14:40:51 +0200
apache2 (2.4.58-1ubuntu8.4) noble-security; urgency=medium
* SECURITY UPDATE: source code disclosure with handlers configured via
AddType
- debian/patches/CVE-2024-40725.patch: copy the trusted flag from the
subrequest in modules/http/http_request.c.
- CVE-2024-40725
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 17 Jul 2024 14:55:23 -0400
apache2 (2.4.58-1ubuntu8.3) noble-security; urgency=medium
* SECURITY REGRESSION: regression when proxying http2 (LP: #2072648)
- debian/patches/CVE-2024-38477-2.patch: restart from the original URL
on reconnect in modules/http2/mod_proxy_http2.c.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 11 Jul 2024 10:41:54 -0400
apache2 (2.4.58-1ubuntu8.2) noble-security; urgency=medium
* SECURITY UPDATE: null pointer dereference when serving WebSocket
protocol upgrades over HTTP/2
- debian/patches/CVE-2024-36387.patch: early exit if bb is null in
modules/http2/h2_c2.c.
- CVE-2024-36387
* SECURITY UPDATE: encoding problem in mod_proxy
- debian/patches/CVE-2024-38473-1.patch: escape for non-proxypass
configuration in modules/proxy/mod_proxy.c.
- debian/patches/CVE-2024-38473-2.patch: fixup UDS filename for
mod_proxy called through r->handler in modules/proxy/mod_proxy.c,
modules/proxy/mod_proxy.h, modules/proxy/proxy_util.c.
- debian/patches/CVE-2024-38473-3.patch: block inadvertent subst of
special filenames in modules/mappers/mod_rewrite.c.
- debian/patches/CVE-2024-38473-4.patch: fix comparison of local path
on Windows in modules/mappers/mod_rewrite.c.
- debian/patches/CVE-2024-38473-5.patch: factor out IS_SLASH, perdir
fix in include/httpd.h, modules/mappers/mod_rewrite.c, server/util.c.
- CVE-2024-38473
* SECURITY UPDATE: Substitution encoding issue in mod_rewrite
- debian/patches/CVE-2024-38474_5.patch: tighten up prefix_stat and %3f
handling in modules/mappers/mod_rewrite.c.
- CVE-2024-38474
* SECURITY UPDATE: Improper escaping of output in mod_rewrite
- Included in CVE-2024-38474_5.patch.
- CVE-2024-38475
* SECURITY UPDATE: information disclosure, SSRF or local script execution
- debian/patches/CVE-2024-38476.patch: add ap_set_content_type_ex to
differentiate trusted sources in include/http_protocol.h,
include/httpd.h, modules/http/http_protocol.c,
modules/http/mod_mime.c, modules/mappers/mod_actions.c,
modules/mappers/mod_negotiation.c, modules/mappers/mod_rewrite.c,
modules/metadata/mod_headers.c, modules/metadata/mod_mime_magic.c,
server/config.c, server/core.c.
- CVE-2024-38476
* SECURITY UPDATE: null pointer dereference in mod_proxy
- debian/patches/CVE-2024-38477.patch: validate hostname in
modules/proxy/proxy_util.c.
- CVE-2024-38477
* SECURITY UPDATE: Potential SSRF in mod_rewrite
- Fixed by patches in previous CVEs.
- CVE-2024-39573
* SECURITY UPDATE: source code disclosure with handlers configured via
AddType
- debian/patches/CVE-2024-39884.patch: maintain trusted flag in
modules/cluster/mod_heartmonitor.c, modules/dav/main/mod_dav.c,
modules/examples/mod_example_hooks.c, modules/filters/mod_data.c,
modules/filters/mod_include.c, modules/filters/mod_proxy_html.c,
modules/generators/mod_cgi.c, modules/generators/mod_cgid.c,
modules/generators/mod_info.c, modules/generators/mod_status.c,
modules/http/http_filters.c, modules/http/http_protocol.c,
modules/http/http_request.c, modules/ldap/util_ldap.c,
modules/mappers/mod_imagemap.c, modules/proxy/mod_proxy_balancer.c.
- CVE-2024-39884
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 04 Jul 2024 07:15:14 -0400
apache2 (2.4.58-1ubuntu8.1) noble-security; urgency=medium
* SECURITY UPDATE: HTTP response splitting
- debian/patches/CVE-2023-38709.patch: header validation after
content-* are eval'ed in modules/http/http_filters.c.
- CVE-2023-38709
* SECURITY UPDATE: HTTP Response Splitting in multiple modules
- debian/patches/CVE-2024-24795.patch: let httpd handle CL/TE for
non-http handlers in include/util_script.h,
modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
modules/generators/mod_cgid.c, modules/http/http_filters.c,
modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
- CVE-2024-24795
* SECURITY UPDATE: HTTP/2 DoS by memory exhaustion on endless
continuation frames
- debian/patches/CVE-2024-27316.patch: bail after too many failed reads
in modules/http2/h2_session.c, modules/http2/h2_stream.c,
modules/http2/h2_stream.h.
- CVE-2024-27316
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Apr 2024 11:13:41 -0400
apache2 (2.4.58-1ubuntu8) noble; urgency=medium
* No-change rebuild against libapr1t64
-- Steve Langasek <steve.langasek@ubuntu.com> Sun, 07 Apr 2024 07:02:29 +0000
apache2 (2.4.58-1ubuntu7) noble; urgency=medium
* No-change rebuild for CVE-2024-3094
-- Steve Langasek <steve.langasek@ubuntu.com> Sun, 31 Mar 2024 08:37:28 +0000
apache2 (2.4.58-1ubuntu6) noble; urgency=medium
* d/debhelper/apache2-maintscript-helper: Allow execution when called from a
postinst script through a trigger (i.e., postinst triggered).
Thanks to Roel van Meer. (LP: #2038912) (Closes: #1060450)
-- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 18 Mar 2024 09:35:36 -0300
apache2 (2.4.58-1ubuntu5) noble; urgency=medium
* No-change rebuild against libcurl4t64
-- Steve Langasek <steve.langasek@ubuntu.com> Sat, 16 Mar 2024 06:05:04 +0000
apache2 (2.4.58-1ubuntu4) noble; urgency=medium
* No-change rebuild against libaprutil1t64
-- Zixing Liu <zixing.liu@canonical.com> Sat, 09 Mar 2024 23:05:43 -0700
apache2 (2.4.58-1ubuntu3) noble; urgency=medium
* No-change rebuild against libssl3t64
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Mar 2024 17:21:46 +0000
apache2 (2.4.58-1ubuntu2) noble; urgency=medium
* d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
dolphin and Konqueror/5 careful redirection so that directories can be
deleted via webdav.
(LP: #1927742)
-- Bryce Harrington <bryce@canonical.com> Wed, 24 Jan 2024 14:00:03 -0800
apache2 (2.4.58-1ubuntu1) noble; urgency=medium
* Merge with Debian unstable (LP: #2040357). Remaining changes:
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/source/include-binaries, d/t/check-ubuntu-branding: Replace
Debian with Ubuntu on default homepage.
(LP #1966004, LP #1947459)
- d/apache2.py, d/apache2-bin.install: Add apport hook
(LP #609177)
- d/control, d/apache2.install, d/apache2-utils.ufw.profile,
d/apache2.dirs: Add ufw profiles
(LP #261198)
- d/control: Upgrade lua build dependency to 5.4
-- Bryce Harrington <bryce@canonical.com> Thu, 14 Dec 2023 23:52:39 -0800
apache2 (2.4.58-1) unstable; urgency=medium
[ Bas Couwenberg ]
* Provide dh-sequence-apache2 (Closes: #1050870)
[ Yadd ]
* Drop dependency to obsolete lsb-base
* New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622,
CVE-2023-45802)
* Refresh patches
-- Yadd <yadd@debian.org> Thu, 19 Oct 2023 14:56:29 +0400
apache2 (2.4.57-3) unstable; urgency=medium
* Update a2enmod to drop given/when (Closes: #1050458)
* Restore changes not included in Bookworm (set -e in apache2ctl)
-- Yadd <yadd@debian.org> Tue, 29 Aug 2023 11:39:32 +0400
apache2 (2.4.57-2ubuntu3) noble; urgency=medium
* d/icons/ubuntu-logo.png: add Ubuntu image for welcome page (LP: #1947459).
* d/t/check-ubuntu-branding: add check for ubuntu branding.
-- Mitchell Dzurick <mitchell.dzurick@canonical.com> Mon, 13 Nov 2023 10:49:48 -0700
apache2 (2.4.57-2ubuntu2) mantic; urgency=medium
* d/control: Upgrade lua build dependency to 5.4
-- Lena Voytek <lena.voytek@canonical.com> Fri, 21 Jul 2023 14:17:42 -0700
apache2 (2.4.57-2ubuntu1) mantic; urgency=medium
* Merge from Debian unstable. Remaining changes:
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/source/include-binaries: Replace Debian with Ubuntu on default
homepage.
- d/apache2.py, d/apache2-bin.install: Add apport hook
- d/control, d/apache2.install, d/apache2-utils.ufw.profile,
d/apache2.dirs: Add ufw profiles
* Dropped changes included in new version:
- debian/patches/CVE-2023-25690-1.patch
- debian/patches/CVE-2023-25690-2.patch
- debian/patches/CVE-2023-27522.patch
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Jun 2023 14:02:48 -0400
apache2 (2.4.57-2) unstable; urgency=medium
* Revert debian/* changes (Bookworm freeze)
-- Yadd <yadd@debian.org> Thu, 13 Apr 2023 07:26:51 +0400
apache2 (2.4.57-1) unstable; urgency=medium
* New upstream version 2.4.57
* Drop 2.4.56-regression patches
-- Yadd <yadd@debian.org> Sat, 08 Apr 2023 06:57:16 +0400
apache2 (2.4.56-2) unstable; urgency=medium
* Fix regression in mod_rewrite introduced in version 2.4.56
(Closes: #1033284)
* Fix regression in http2 introduced by 2.4.56 (Closes: #1033408)
-- Yadd <yadd@debian.org> Sun, 02 Apr 2023 06:54:25 +0400
apache2 (2.4.56-1) unstable; urgency=medium
* New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)
-- Yadd <yadd@debian.org> Wed, 08 Mar 2023 06:44:05 +0400
apache2 (2.4.55-1ubuntu2) lunar; urgency=medium
* SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
- debian/patches/CVE-2023-25690-1.patch: don't forward invalid query
strings in modules/http2/mod_proxy_http2.c,
modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c,
modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c,
modules/proxy/mod_proxy_wstunnel.c.
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in
modules/http2/mod_proxy_http2.c.
- CVE-2023-25690
* SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
- debian/patches/CVE-2023-27522.patch: stricter backend HTTP response
parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
- CVE-2023-27522
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 08 Mar 2023 11:32:34 -0500
apache2 (2.4.55-1ubuntu1) lunar; urgency=low
* Merge from Debian unstable. Remaining changes:
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/source/include-binaries: Replace Debian with Ubuntu on default
homepage.
- d/apache2.py, d/apache2-bin.install: Add apport hook
- d/control, d/apache2.install, d/apache2-utils.ufw.profile,
d/apache2.dirs: Add ufw profiles
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 24 Jan 2023 13:31:02 -0800
apache2 (2.4.55-1) unstable; urgency=medium
[ Hendrik Jäger ]
* disable ssl session tickets
* redundant example as already enabled in the default config
* logrotate indentation
* Update example how to prevent access to VCS directories
[ lintian-brush ]
* Update lintian override info to new format:
+ debian/source/lintian-overrides: line 2, 4-5, 8
+ debian/apache2-data.lintian-overrides: line 2-5
+ debian/apache2-bin.lintian-overrides: line 3
+ debian/apache2-doc.lintian-overrides: line 2
+ debian/apache2.lintian-overrides: line 6
* Set upstream metadata fields: Repository-Browse.
* Update standards version to 4.6.2, no changes needed.
[ Yadd ]
* New upstream version (Closes: CVE-2006-20001, CVE-2022-36760,
CVE-2022-37436)
-- Yadd <yadd@debian.org> Wed, 18 Jan 2023 07:41:55 +0400
apache2 (2.4.54-5) unstable; urgency=medium
[ Hendrik Jäger ]
* fix: one oom-killed thread should not take down the whole service
* fix: remove modelines
* fix: update clickjacking protection example
* fix: use tab for indentation, even in commented examples
[ Yadd ]
* Revert "Fix: confusing and impractical naming" (unbreak squid and haproxy
tests)
-- Yadd <yadd@debian.org> Tue, 29 Nov 2022 15:56:10 +0100
apache2 (2.4.54-4) unstable; urgency=medium
[ Charles Plessy ]
* Replace mime-support transition package with media-types (Closes: #980275)
[ Hendrik Jäger ]
* fix misleading safety precautions: don't hide errors when enabling a module.
MR !20
* fix trailing spaces and indentation inconsistencies. MR !19 !21 !22
* Fix confusing and impractical naming: rename default-ssl.conf into
000-default-ssl.conf. MR !23
* Fix confusing keyword: replace _default_ by *. MR !24
-- Yadd <yadd@debian.org> Thu, 24 Nov 2022 10:45:00 +0100
apache2 (2.4.54-3ubuntu2) lunar; urgency=medium
* No-change rebuild against libldap-2
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 15 Dec 2022 19:42:31 +0000
apache2 (2.4.54-3ubuntu1) lunar; urgency=medium
* Merge with Debian unstable (LP: #1993373). Remaining changes:
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/source/include-binaries: Replace Debian with Ubuntu on default
homepage.
(LP #1966004)
- d/apache2.py, d/apache2-bin.install: Add apport hook
(LP #609177)
- d/control, d/apache2.install, d/apache2-utils.ufw.profile,
d/apache2.dirs: Add ufw profiles
(LP #261198)
-- Bryce Harrington <bryce@canonical.com> Wed, 16 Nov 2022 16:44:44 -0800
apache2 (2.4.54-3) unstable; urgency=medium
[ Hendrik Jäger ]
* Do not enable global alias /manual
* mention not enabling /manual for the docs in the NEWS
-- Yadd <yadd@debian.org> Wed, 12 Oct 2022 09:20:52 +0200
apache2 (2.4.54-2ubuntu1) kinetic; urgency=medium
* Merge with Debian unstable (LP: #1982048). Remaining changes:
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/source/include-binaries: Replace Debian with Ubuntu on default
homepage.
(LP #1966004)
- d/apache2.py, d/apache2-bin.install: Add apport hook
(LP #609177)
- d/control, d/apache2.install, d/apache2-utils.ufw.profile,
d/apache2.dirs: Add ufw profiles
(LP #261198)
-- Bryce Harrington <bryce@canonical.com> Thu, 21 Jul 2022 19:38:00 +0000
apache2 (2.4.54-2) unstable; urgency=medium
* Move cgid socket into a writeable directory (Closes: #1014056)
* Update lintian overrides
* Declare compliance with policy 4.6.1
* Install NOTICE in each package
-- Yadd <yadd@debian.org> Tue, 05 Jul 2022 15:49:58 +0200
apache2 (2.4.54-1) unstable; urgency=medium
[ Simon Deziel ]
* Escape literal "." for BrowserMatch directives in setenvif.conf
* Use non-capturing regex with FilesMatch directive in default-ssl.conf
[ Ondřej Surý ]
* New upstream version 2.4.54 (Closes: #1012513, CVE-2022-31813,
CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404,
CVE-2022-30522, CVE-2022-30556, CVE-2022-28330)
[ Yadd ]
* Fix htcacheclean doc (Closes: #1010455)
* New upstream version 2.4.54
-- Yadd <yadd@debian.org> Thu, 09 Jun 2022 06:33:53 +0200
apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium
* Merge with Debian unstable (LP: #1971248). Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
(LP 261198)
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
(LP 609177)
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/s/include-binaries: replace Debian with Ubuntu on default
page and add Ubuntu icon file.
(LP 1288690)
- d/index.html, d/icons/ubuntu-logo.png: Refresh page design and
new logo
(LP 1966004)
- d/apache2.postrm: Include md5 sum for updated index.html
* Dropped:
- OOB read in mod_lua via crafted request body
+ d/p/CVE-2022-22719.patch: error out if lua_read_body() or
lua_write_body() fail in modules/lua/lua_request.c.
[Fixed in 2.4.53 upstream]
- HTTP Request Smuggling via error discarding the
request body
+ d/p/CVE-2022-22720.patch: simpler connection close logic
if discarding the request body fails in modules/http/http_filters.c,
server/protocol.c.
[Fixed in 2.4.53 upstream]
- overflow via large LimitXMLRequestBody
+ d/p/CVE-2022-22721.patch: make sure and check that
LimitXMLRequestBody fits in system memory in server/core.c,
server/util.c, server/util_xml.c.
[Fixed in 2.4.53 upstream]
- out-of-bounds write in mod_sed
+ d/p/CVE-2022-23943-1.patch: use size_t to allow for larger
buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
modules/filters/mod_sed.c, modules/filters/sed1.c.
+ d/p/CVE-2022-23943-2.patch: improve the logic flow in
modules/filters/mod_sed.c.
[Fixed in 2.4.53 upstream]
-- Bryce Harrington <bryce@canonical.com> Mon, 23 May 2022 19:34:18 -0700
apache2 (2.4.53-2) unstable; urgency=medium
* Clean useless Conflicts/Replace
* apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254)
-- Yadd <yadd@debian.org> Tue, 15 Mar 2022 15:27:39 +0100
apache2 (2.4.53-1) unstable; urgency=medium
* New upstream version 2.4.53 (Closes: CVE-2022-22719,
CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)
* Update copyright
* Patches:
+ Drop fix-2.4.52-regression.patch, now included in upstream
+ Refresh fhs_compliance.patch
+ Update and disable child_processes_fail_to_start.patch
* Update test framework
* Back to unstable
-- Yadd <yadd@debian.org> Mon, 14 Mar 2022 17:10:39 +0100
apache2 (2.4.52-3) experimental; urgency=medium
* Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL
error)
* Set hardening=+all instead of hardening=+bindnow
-- Yadd <yadd@debian.org> Tue, 28 Dec 2021 21:20:05 +0100
apache2 (2.4.52-2) experimental; urgency=medium
* Build with pcre2 (Closes: #1000114)
-- Yadd <yadd@debian.org> Tue, 28 Dec 2021 20:01:43 +0100
apache2 (2.4.52-1ubuntu4) jammy; urgency=medium
* d/apache2.postrm: Include md5 sum for updated index.html
-- Bryce Harrington <bryce@canonical.com> Thu, 24 Mar 2022 17:35:40 -0700
apache2 (2.4.52-1ubuntu3) jammy; urgency=medium
* d/index.html:
- Redesign page's heading for the new logo
- Use the Ubuntu font where available
- Update service management directions
- Copyedit grammar
- Light reformatting and whitespace cleanup
* d/icons/ubuntu-logo.png: Refresh ubuntu logo
(LP: #1966004)
-- Bryce Harrington <bryce@canonical.com> Wed, 23 Mar 2022 16:18:11 -0700
apache2 (2.4.52-1ubuntu2) jammy; urgency=medium
* SECURITY UPDATE: OOB read in mod_lua via crafted request body
- debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
lua_write_body() fail in modules/lua/lua_request.c.
- CVE-2022-22719
* SECURITY UPDATE: HTTP Request Smuggling via error discarding the
request body
- debian/patches/CVE-2022-22720.patch: simpler connection close logic
if discarding the request body fails in modules/http/http_filters.c,
server/protocol.c.
- CVE-2022-22720
* SECURITY UPDATE: overflow via large LimitXMLRequestBody
- debian/patches/CVE-2022-22721.patch: make sure and check that
LimitXMLRequestBody fits in system memory in server/core.c,
server/util.c, server/util_xml.c.
- CVE-2022-22721
* SECURITY UPDATE: out-of-bounds write in mod_sed
- debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
modules/filters/mod_sed.c, modules/filters/sed1.c.
- debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
modules/filters/mod_sed.c.
- CVE-2022-23943
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Mar 2022 09:39:54 -0400
apache2 (2.4.52-1ubuntu1) jammy; urgency=medium
* Merge with Debian unstable (LP: #1959924). Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
(LP 261198)
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
(LP 609177)
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/s/include-binaries: replace Debian with Ubuntu on default
page and add Ubuntu icon file.
(LP 1288690)
* Dropped:
- d/p/support-openssl3-*.patch: Backport various patches from
https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
failure to load when using OpenSSL 3.
(LP #1951476)
[Included in upstream release 2.4.52]
- d/apache2ctl: Also use systemd for graceful if it is in use.
(LP 1832182)
[This introduced a performance regression.]
- d/apache2ctl: Also use /run/systemd to check for systemd usage.
(LP 1918209)
[Not needed]
-- Bryce Harrington <bryce@canonical.com> Thu, 03 Feb 2022 10:25:47 -0800
apache2 (2.4.52-1) unstable; urgency=medium
* Refresh suexec-custom.patch
* Update lintian overrides
* Wrap long lines in changelog entries: 2.4.51-2.
* New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790)
* Refresh patches
-- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +0100
apache2 (2.4.51-2ubuntu1) jammy; urgency=medium
* Merge with Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
(LP 261198)
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
(LP 609177)
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/s/include-binaries: replace Debian with Ubuntu on default
page and add Ubuntu icon file.
(LP 1288690)
- d/p/support-openssl3-*.patch: Backport various patches from
https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
failure to load when using OpenSSL 3.
(LP #1951476)
* Dropped:
- d/apache2ctl: Also use systemd for graceful if it is in use.
(LP: 1832182)
[This introduced a performance regression.]
- d/apache2ctl: Also use /run/systemd to check for systemd usage.
(LP 1918209)
[Not needed]
- debian/patches/CVE-2021-33193.patch: refactor request parsing in
include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
server/core_filters.c, server/protocol.c, server/vhost.c.
[Fixed in 2.4.48-4]
- debian/patches/CVE-2021-34798.patch: add NULL check in
server/scoreboard.c.
[Fixed in 2.4.49-1]
- debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
generic worker in modules/proxy/mod_proxy_uwsgi.c.
[Fixed in 2.4.49-1]
- debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
substitution logic in server/util.c.
[Fixed in 2.4.49-1]
- arbitrary origin server via crafted request uri-path
+ debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
modules/proxy/proxy_util.c.
+ debian/patches/CVE-2021-40438.patch: add sanity checks on the
configured UDS path in modules/proxy/proxy_util.c.
[Fixed in 2.4.49-3]
- SECURITY REGRESSION: Issues in UDS URIs. (LP #1945311)
+ debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
rules in modules/mappers/mod_rewrite.c.
+ debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
hostname in modules/mappers/mod_rewrite.c,
modules/proxy/proxy_util.c.
[Fixed in 2.4.49-3]
-- Bryce Harrington <bryce@canonical.com> Thu, 16 Dec 2021 14:09:26 -0800
apache2 (2.4.51-2) unstable; urgency=medium
* Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting
parameters
-- Yadd <yadd@debian.org> Mon, 25 Oct 2021 18:37:03 +0200
apache2 (2.4.51-1) unstable; urgency=medium
* New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013)
* Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659)
-- Yadd <yadd@debian.org> Thu, 07 Oct 2021 20:35:33 +0200
apache2 (2.4.50-1) unstable; urgency=high
* New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524)
* Remove patches already merged upstream
-- Ondřej Surý <ondrej@debian.org> Tue, 05 Oct 2021 13:25:23 +0200
apache2 (2.4.49-4) unstable; urgency=medium
[ Ondřej Surý ]
* Add upstream patch to fix crash in 2.4.49
-- Yadd <yadd@debian.org> Fri, 01 Oct 2021 11:34:24 +0200
apache2 (2.4.49-3) unstable; urgency=medium
[ Yadd ]
* Re-export upstream signing key without extra signatures.
* Drop transition for old debug package migration.
[ Moritz Muehlenhoff ]
* Fix CVE-2021-40438 regression
-- Yadd <yadd@debian.org> Thu, 30 Sep 2021 06:00:06 +0200
apache2 (2.4.49-2) unstable; urgency=medium
[ Michiel Hazelhof ]
* Fix multi instance issue (Closes: #868861)
[ Philippe Ombredanne ]
* Fix GPL version typo in copyright file
-- Yadd <yadd@debian.org> Thu, 23 Sep 2021 13:55:55 +0200
apache2 (2.4.49-1) unstable; urgency=medium
* Update upstream GPG keys
* New upstream version 2.4.51 (Closes: CVE-2021-33193, CVE-2021-34798,
CVE-2021-36160, CVE-2021-39275, CVE-2021-40438, CVE-2021-41524,
CVE-2021-41773, CVE-2021-42013)
* Refresh patches
-- Yadd <yadd@debian.org> Thu, 16 Sep 2021 06:22:23 +0200
apache2 (2.4.48-4) unstable; urgency=medium
* Fix mod_proxy HTTP2 request line injection (Closes: CVE-2021-33193)
-- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200
apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium
* d/p/support-openssl3-*.patch: Backport various patches from
https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
failure to load when using OpenSSL 3. (LP: #1951476)
-- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 26 Nov 2021 16:07:56 -0500
apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
* SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
- debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
rules in modules/mappers/mod_rewrite.c.
- debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
hostname in modules/mappers/mod_rewrite.c,
modules/proxy/proxy_util.c.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Sep 2021 08:52:26 -0400
apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium
* SECURITY UPDATE: request splitting over HTTP/2
- debian/patches/CVE-2021-33193.patch: refactor request parsing in
include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
server/core_filters.c, server/protocol.c, server/vhost.c.
- CVE-2021-33193
* SECURITY UPDATE: NULL deref via malformed requests
- debian/patches/CVE-2021-34798.patch: add NULL check in
server/scoreboard.c.
- CVE-2021-34798
* SECURITY UPDATE: DoS in mod_proxy_uwsgi
- debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
generic worker in modules/proxy/mod_proxy_uwsgi.c.
- CVE-2021-36160
* SECURITY UPDATE: buffer overflow in ap_escape_quotes
- debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
substitution logic in server/util.c.
- CVE-2021-39275
* SECURITY UPDATE: arbitrary origin server via crafted request uri-path
- debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
modules/proxy/proxy_util.c.
- debian/patches/CVE-2021-40438.patch: add sanity checks on the
configured UDS path in modules/proxy/proxy_util.c.
- CVE-2021-40438
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Sep 2021 12:51:16 -0400
apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium
* Merge with Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles. (LP 261198)
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
(LP 609177)
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/s/include-binaries: replace Debian with Ubuntu on default
page and add Ubuntu icon file. (LP 1288690)
- d/apache2ctl: Also use systemd for graceful if it is in use.
This extends an earlier fix for the start command to behave
similarly for restart / graceful. Fixes service failures on
unattended upgrade. (LP 1832182)
- d/apache2ctl: Also use /run/systemd to check for systemd usage
(LP 1918209)
-- Bryce Harrington <bryce@canonical.com> Wed, 11 Aug 2021 20:03:24 -0700
apache2 (2.4.48-3.1) unstable; urgency=medium
* Non-maintainer upload.
* Direct init script reload output from logrotate to syslog, to
avoid mail-spamming the local admin (Closes: #990580)
-- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200
apache2 (2.4.48-3ubuntu1) impish; urgency=medium
* Merge with Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles. (LP: 261198)
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
(LP: 609177)
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/s/include-binaries: replace Debian with Ubuntu on default
page and add Ubuntu icon file. (LP: 1288690)
- d/apache2ctl: Also use systemd for graceful if it is in use.
This extends an earlier fix for the start command to behave
similarly for restart / graceful. Fixes service failures on
unattended upgrade. (LP: 1832182)
- d/apache2ctl: Also use /run/systemd to check for systemd usage
(LP: 1918209)
* Dropped:
- d/t/control, d/t/check-http2: add basic test for http2 support
[Fixed in 2.4.48-2]
- d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
[Fixed in 2.4.48-1]
- d/p/CVE-2020-13950.patch: don't dereference NULL proxy
connection in modules/proxy/mod_proxy_http.c.
[Fixed in 2.4.48 upstream]
- d/p/CVE-2020-35452.patch: fast validation of the nonce's
base64 to fail early if the format can't match anyway in
modules/aaa/mod_auth_digest.c.
[Fixed in 2.4.48 upstream]
- d/p/CVE-2021-26690.patch: save one apr_strtok() in
session_identity_decode() in modules/session/mod_session.c.
[Fixed in 2.4.48 upstream]
- d/p/CVE-2021-26691.patch: account for the '&' in
identity_concat() in modules/session/mod_session.c.
[Fixed in 2.4.48 upstream]
- d/p/CVE-2021-30641.patch: change default behavior in
server/request.c.
[Fixed in 2.4.48 upstream]
-- Bryce Harrington <bryce@canonical.com> Thu, 08 Jul 2021 03:20:46 +0000
apache2 (2.4.48-3) unstable; urgency=medium
* Fix debian/changelog
-- Yadd <yadd@debian.org> Sun, 20 Jun 2021 16:39:33 +0200
apache2 (2.4.48-2) unstable; urgency=medium
* Back to unstable: Apache2 will follow upstream changes for Bullseye
[ Christian Ehrhardt ]
* d/t/control, d/t/check-http2: basic test for http2 (Closes: #884068)
-- Yadd <yadd@debian.org> Sat, 19 Jun 2021 17:50:29 +0200
apache2 (2.4.48-1) experimental; urgency=medium
[ Daniel Lewart ]
* Update apache2.logrotate (Closes: #979813)
[ Andreas Hasenack ]
* Avoid test suite failure (Closes: #985012)
[ Yadd ]
* Update lintian overrides
* Re-export upstream signing key without extra signatures.
[ Ondřej Surý ]
* New upstream version 2.4.48 (Closes: CVE-2019-17567, CVE-2020-13938,
CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691,
CVE-2021-30641, CVE-2021-31618)
-- Ondřej Surý <ondrej@debian.org> Tue, 08 Jun 2021 08:29:35 +0200
apache2 (2.4.47-1) experimental; urgency=medium
* Update upstream keys file
* New upstream version 2.4.47
* Refresh patches
-- Yadd <yadd@debian.org> Thu, 29 Apr 2021 08:03:33 +0200
apache2 (2.4.46-6) unstable; urgency=medium
* Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452,
CVE-2021-26690, CVE-2021-26691, CVE-2021-30641)
-- Yadd <yadd@debian.org> Thu, 10 Jun 2021 13:40:11 +0200
apache2 (2.4.46-5) unstable; urgency=medium
* Fix "NULL pointer dereference on specially crafted HTTP/2 request"
(Closes: #989562, CVE-2021-31618)
-- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200
apache2 (2.4.46-4ubuntu3) impish; urgency=medium
* No-change rebuild due to OpenLDAP soname bump.
-- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 17:43:48 -0400
apache2 (2.4.46-4ubuntu2) impish; urgency=medium
* SECURITY UPDATE: mod_proxy_http denial of service.
- debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
connection in modules/proxy/mod_proxy_http.c.
- CVE-2020-13950
* SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
- debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
base64 to fail early if the format can't match anyway in
modules/aaa/mod_auth_digest.c.
- CVE-2020-35452
* SECURITY UPDATE: DoS via cookie header in mod_session
- debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
session_identity_decode() in modules/session/mod_session.c.
- CVE-2021-26690
* SECURITY UPDATE: heap overflow via SessionHeader
- debian/patches/CVE-2021-26691.patch: account for the '&' in
identity_concat() in modules/session/mod_session.c.
- CVE-2021-26691
* SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
- debian/patches/CVE-2021-30641.patch: change default behavior in
server/request.c.
- CVE-2021-30641
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Jun 2021 13:09:41 -0400
apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium
* Merge with Debian unstable, to allow moving from lua5.2 to
lua5.3 (LP: #1910372). Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- d/t/control, d/t/check-http2: add basic test for http2 support
- d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
issue reading error log too quickly after request, by adding a sleep.
(LP #1890302)
- d/apache2ctl: Also use systemd for graceful if it is in use.
This extends an earlier fix for the start command to behave
similarly for restart / graceful. Fixes service failures on
unattended upgrade.
* Drop:
- d/perl-framework/t/modules/allowmethods.t: disable reset test. This
was re-added by mistake in 2.4.41-1 (Closes #921024)
[Included in Debian 2.4.46-3]
* d/apache2ctl: Also use /run/systemd to check for systemd usage
(LP: #1918209)
-- Bryce Harrington <bryce@canonical.com> Tue, 09 Mar 2021 00:45:35 +0000
apache2 (2.4.46-4) unstable; urgency=medium
* Ignore other random test failures (Closes: #979664)
-- Xavier Guimard <yadd@debian.org> Mon, 11 Jan 2021 11:58:23 +0100
apache2 (2.4.46-3) unstable; urgency=medium
* Remove postinst/preinst hooks concerning old versions
* Clean include-binaries
* Enable verbose test output during autopkgtest
* Declare compliance with policy 4.5.1
* Add debian/gbp.conf
* Temporarily disable 3 subtests (Closes: #979664)
-- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100
apache2 (2.4.46-2ubuntu1) hirsute; urgency=medium
* Merge with Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- d/t/control, d/t/check-http2: add basic test for http2 support
- d/perl-framework/t/modules/allowmethods.t: disable reset test. This
was re-added by mistake in 2.4.41-1 (Closes #921024)
- d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
issue reading error log too quickly after request, by adding a sleep.
(LP #1890302)
- d/apache2ctl: Also use systemd for graceful if it is in use.
This extends an earlier fix for the start command to behave
similarly for restart / graceful. Fixes service failures on
unattended upgrade.
-- Paride Legovini <paride.legovini@canonical.com> Mon, 14 Dec 2020 18:12:15 +0100
apache2 (2.4.46-2) unstable; urgency=medium
[ Jean-Michel Vourgère ]
* Man: Add missing options and see also in a2en*(8)
[ Xavier Guimard ]
* Bump debhelper compatibility level to 13
+ Set debhelper-compat version in Build-Depends.
* Use dh_installsystemd rather than deprecated dh_systemd_enable
* Add extension .da for danish language in mime.conf (Closes: #972398)
* Automatically deflate application/wasm files (Closes: #972400)
* Use "graceful-stop" in systemd ExecStop (Closes: #974665)
* Re-export upstream signing key without extra signatures.
* Ignore lintian's national-encoding tag in test framework
* Add ${misc:Pre-Depends} in apache2 package
* Update lintian overrides
* Refresh patches
* Fix little spelling errors
-- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100
apache2 (2.4.46-1ubuntu2) hirsute; urgency=medium
* d/apache2ctl: Also use systemd for graceful if it is in use.
(LP: #1832182)
- This extends an earlier fix for the start command to behave
similarly for restart / graceful. Fixes service failures on
unattended upgrade.
-- Bryce Harrington <bryce@canonical.com> Mon, 05 Oct 2020 16:06:32 -0700
apache2 (2.4.46-1ubuntu1) groovy; urgency=medium
* Merge with Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- d/t/control, d/t/check-http2: add basic test for http2 support
- d/perl-framework/t/modules/allowmethods.t: disable reset test. This
was re-added by mistake in 2.4.41-1 (Closes #921024)
- d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
issue reading error log too quickly after request, by adding a sleep.
(LP #1890302)
* Dropped:
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
[Unclear if it's still necessary, and upstream hasn't made a
release with it yet]
-- Andreas Hasenack <andreas@canonical.com> Tue, 25 Aug 2020 09:13:38 -0300
apache2 (2.4.46-1) unstable; urgency=medium
[ Xavier Guimard ]
* Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md
[ Timo Tijhof ]
* Compress text/javascript with mod_deflate by default (Closes: #959195)
[ Xavier Guimard ]
* Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md
* Update upstream keys
* New upstream version 2.4.46 (Closes: CVE-2020-11984, CVE-2020-11993,
CVE-2020-9490)
-- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200
apache2 (2.4.43-1ubuntu2) groovy; urgency=medium
* d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
issue reading error log too quickly after request, by adding a sleep.
(LP: #1890302)
-- Bryce Harrington <bryce@canonical.com> Wed, 05 Aug 2020 12:44:59 -0700
apache2 (2.4.43-1ubuntu1) groovy; urgency=medium
* Merge with Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- d/t/control, d/t/check-http2: add basic test for http2 support
- d/perl-framework/t/modules/allowmethods.t: disable reset test. This
was re-added by mistake in 2.4.41-1 (Closes #921024)
* Dropped:
- d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
parameter to mod_proxy_ajp (LP #1865340)
[Fixed upstream]
- d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
Closes #955348, LP #1872478
[In 2.4.43-1]
-- Andreas Hasenack <andreas@canonical.com> Tue, 21 Jul 2020 10:22:42 -0300
apache2 (2.4.43-1) unstable; urgency=medium
[ Timo Aaltonen ]
* mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST
requests (Closes: #955348)
[ Moritz Schlarb ]
* Fix logrotate script for multi-instance (Closes: #914606)
[ Xavier Guimard ]
* New upstream version 2.4.43 (Closes: CVE-2020-1927, CVE-2020-1934)
* Refresh patches
-- Xavier Guimard <yadd@debian.org> Tue, 31 Mar 2020 08:02:12 +0200
apache2 (2.4.41-5) unstable; urgency=medium
[ Xavier Guimard ]
* Avoid double mod_dav load (Closes: #951753)
[ Timo Aaltonen ]
* mod_proxy_ajp-add-secret-parameter.diff: Apply a patch from 2.4.x to fix
AJP with current tomcat.
(Closes: #954201)
-- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100
apache2 (2.4.41-4ubuntu3) focal; urgency=medium
[ Timo Aaltonen ]
* d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
Closes: #955348, LP: #1872478
-- Andreas Hasenack <andreas@canonical.com> Mon, 13 Apr 2020 14:19:17 -0300
apache2 (2.4.41-4ubuntu2) focal; urgency=medium
* d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
parameter to mod_proxy_ajp (LP: #1865340)
-- Andreas Hasenack <andreas@canonical.com> Thu, 05 Mar 2020 15:51:00 -0300
apache2 (2.4.41-4ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- d/t/control, d/t/check-http2: add basic test for http2 support
- d/perl-framework/t/modules/allowmethods.t: disable reset test. This
was re-added by mistake in 2.4.41-1 (Closes #921024)
-- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 10:36:13 -0300
apache2 (2.4.41-4) unstable; urgency=medium
* Add gcc in chroot autopkgtest (fixes debci)
-- Xavier Guimard <yadd@debian.org> Fri, 07 Feb 2020 06:14:33 +0100
apache2 (2.4.41-3) unstable; urgency=medium
* Don't use hardcoded libgcc_s.so.1 path in autopkgtest files. Thanks to
Aurelien Jarno (Closes: #950711)
-- Xavier Guimard <yadd@debian.org> Wed, 05 Feb 2020 13:18:04 +0100
apache2 (2.4.41-2) unstable; urgency=medium
[ Stefan Fritsch ]
* Add *.load file for mod_socache_redis
[ Vagrant Cascadian ]
* Embeds path to EGREP in config_vars.mk (Closes: #948757)
* Sanitize CXXFLAGS/-ffile-prefix-map in config_vars.mk (Closes: #948759)
-- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100
apache2 (2.4.41-1ubuntu1) eoan; urgency=medium
* Merge with Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- d/t/control, d/t/check-http2: add basic test for http2 support
* Dropped:
- Cherrypick upstream testsuite fix:
+ r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
as such).
+ Similarly use TLSv1.2 for pr12355 and pr43738.
[Test suite updated in 2.4.41-1]
- Cherrypick upstream test suite fix for buffer.
[Included in 2.4.41-1]
- d/p/spelling-errors.patch: removed hunks already fixed upstream
[Included in 2.4.39-1]
- Dropped from Ubuntu delta now (removed from Debian since 2.4.39-1):
+ d/p/CVE-2019-0196.patch
+ d/p/CVE-2019-0211.patch
+ d/p/CVE-2019-0215.patch
+ d/p/CVE-2019-0217.patch
+ d/p/CVE-2019-0220-*.patch
+ d/p/CVE-2019-0197.patch
* Added:
- d/perl-framework/t/modules/allowmethods.t: disable reset test. This
was re-added by mistake in 2.4.41-1 (Closes: #921024)
-- Andreas Hasenack <andreas@canonical.com> Wed, 14 Aug 2019 11:36:32 -0300
apache2 (2.4.41-1) unstable; urgency=medium
* New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,
CVE-2019-10082, CVE-2019-10092, CVE-2019-10098)
* Update lintian overrides
* Remove README in usr/share/apache2
* Move httxt2dbm manpage to section 8
* Update test framework
-- Xavier Guimard <yadd@debian.org> Wed, 14 Aug 2019 06:42:29 +0200
apache2 (2.4.39-2) unstable; urgency=medium
* Fix bad call of dh_link. Thanks to Daniel Baumann (Closes: #934640)
-- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 22:52:47 +0200
apache2 (2.4.39-1) unstable; urgency=medium
[ Helmut Grohne ]
* Do not install /usr/share/apache2/build/config.nice (Closes: #929510)
[ Xavier Guimard ]
* New upstream version 2.4.39 (Closes: CVE-2019-0196, CVE-2019-0197,
CVE-2019-0211, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220)
* Refresh patches
* Remove patches now included in upstream
* Replace duplicate doc files by links using jdupes
* Add bison in build dependencies
-- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200
apache2 (2.4.39-0ubuntu1) eoan; urgency=medium
* New upstream version: 2.4.39
* d/p/spelling-errors.patch: removed hunks already fixed upstream
* Remaining changes:
- Cherrypick upstream test suite fix for buffer.
- Cherrypick upstream testsuite fix:
+ r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
as such).
- Similarly use TLSv1.2 for pr12355 and pr43738.
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- d/t/control, d/t/check-http2: add basic test for http2 support
* Dropped patches (fixed upstream):
- d/p/CVE-2019-0196.patch
- d/p/CVE-2019-0211.patch
- d/p/CVE-2019-0215.patch
- d/p/CVE-2019-0217.patch
- d/p/CVE-2019-0220-*.patch
- d/p/CVE-2019-0197.patch
-- Andreas Hasenack <andreas@canonical.com> Mon, 05 Aug 2019 18:09:08 -0300
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog apache2-doc`.