Change log for apache2 package in Debian

175 of 211 results
Published in sid-release
apache2 (2.4.59-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Remove old transitional packages libapache2-mod-md and
    libapache2-mod-proxy-uwsgi. Closes: #1032628

  [ Yadd ]
  * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564)
  * Refresh patches
  * New upstream version 2.4.59
  * Refresh patches
  * Update patches
  * Update test framework

 -- Yadd <email address hidden>  Fri, 05 Apr 2024 08:08:11 +0400
Superseded in sid-release
apache2 (2.4.58-1) unstable; urgency=medium

  [ Bas Couwenberg ]
  * Provide dh-sequence-apache2 (Closes: #1050870)

  [ Yadd ]
  * Drop dependency to obsolete lsb-base
  * New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622,
    CVE-2023-45802)
  * Refresh patches

 -- Yadd <email address hidden>  Thu, 19 Oct 2023 14:56:29 +0400
Superseded in sid-release
apache2 (2.4.57-3) unstable; urgency=medium

  * Update a2enmod to drop given/when (Closes: #1050458)
  * Restore changes not included in Bookworm (set -e in apache2ctl)

 -- Yadd <email address hidden>  Tue, 29 Aug 2023 11:39:32 +0400
Published in bullseye-release
apache2 (2.4.56-1~deb11u2) bullseye; urgency=medium

  [ Hendrik Jäger ]
  * Don't automatically enable apache2-doc.conf (Closes: #1018718)

  [ Yadd ]
  * Fix regression in mod_rewrite introduced in version 2.4.56
    (Closes: #1033284)
  * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408)

 -- Yadd <email address hidden>  Sun, 02 Apr 2023 07:06:01 +0400
Published in bookworm-release
Superseded in sid-release
apache2 (2.4.57-2) unstable; urgency=medium

  * Revert debian/* changes (Bookworm freeze)

 -- Yadd <email address hidden>  Thu, 13 Apr 2023 07:26:51 +0400
Superseded in sid-release
apache2 (2.4.57-1) unstable; urgency=medium

  * New upstream version 2.4.57
  * Drop 2.4.56-regression patches

 -- Yadd <email address hidden>  Sat, 08 Apr 2023 06:57:16 +0400
Superseded in sid-release
apache2 (2.4.56-2) unstable; urgency=medium

  * Fix regression in mod_rewrite introduced in version 2.4.56
    (Closes: #1033284)
  * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408)

 -- Yadd <email address hidden>  Sun, 02 Apr 2023 06:54:25 +0400
Superseded in sid-release
apache2 (2.4.56-1) unstable; urgency=medium

  * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)

 -- Yadd <email address hidden>  Wed, 08 Mar 2023 06:44:05 +0400
Superseded in sid-release
apache2 (2.4.55-1) unstable; urgency=medium

  [ Hendrik Jäger ]
  * disable ssl session tickets
  * redundant example as already enabled in the default config
  * logrotate indentation
  * Update example how to prevent access to VCS directories

  [ lintian-brush ]
  * Update lintian override info to new format:
    + debian/source/lintian-overrides: line 2, 4-5, 8
    + debian/apache2-data.lintian-overrides: line 2-5
    + debian/apache2-bin.lintian-overrides: line 3
    + debian/apache2-doc.lintian-overrides: line 2
    + debian/apache2.lintian-overrides: line 6
  * Set upstream metadata fields: Repository-Browse.
  * Update standards version to 4.6.2, no changes needed.

  [ Yadd ]
  * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436)

 -- Yadd <email address hidden>  Wed, 18 Jan 2023 07:41:55 +0400
Superseded in sid-release
apache2 (2.4.54-5) unstable; urgency=medium

  [ Hendrik Jäger ]
  * fix: one oom-killed thread should not take down the whole service
  * fix: remove modelines
  * fix: update clickjacking protection example
  * fix: use tab for indentation, even in commented examples

  [ Yadd ]
  * Revert "Fix: confusing and impractical naming" (unbreak squid and haproxy
    tests)

 -- Yadd <email address hidden>  Tue, 29 Nov 2022 15:56:10 +0100
Superseded in sid-release
apache2 (2.4.54-4) unstable; urgency=medium

  [ Charles Plessy ]
  * Replace mime-support transition package with media-types (Closes: #980275)

  [ Hendrik Jäger ]
  * fix mislead safety precautions: don't hide errors when enabling a module.
    MR !20
  * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22
  * Fix confusing and impractical naming: rename default-ssl.conf into
    000-default-ssl.conf. MR !23
  * Fix confusing keyword: replace _default_ by *. MR !24

 -- Yadd <email address hidden>  Thu, 24 Nov 2022 10:45:00 +0100
Superseded in sid-release
apache2 (2.4.54-3) unstable; urgency=medium

  [ Hendrik Jäger ]
  * Do not enable global alias /manual
  * mention not enabling /manual for the docs in the NEWS

 -- Yadd <email address hidden>  Wed, 12 Oct 2022 09:20:52 +0200
Published in buster-release
apache2 (2.4.38-3+deb10u8) buster; urgency=medium

  * Non-maintainer upload.
  * CVE-2022-22719: denial of service in mod_lua via crafted request body.
  * CVE-2022-22720: HTTP request smuggling.
  * CVE-2022-22721: integer overflow leading to buffer overflow write.
  * CVE-2022-23943: heap memory overwrite via crafted data in mod_sed.
  * CVE-2022-26377: mod_proxy_ajp: Possible request smuggling.
  * CVE-2022-28614: read beyond bounds via ap_rwrite().
  * CVE-2022-28615: Read beyond bounds in ap_strcmp_match().
  * CVE-2022-29404: Denial of service in mod_lua r:parsebody.
  * CVE-2022-30522: mod_sed denial of service.
  * CVE-2022-30556: Information Disclosure in mod_lua with websockets.
  * CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism.

 -- Roberto C. Sánchez <email address hidden>  Mon, 20 Jun 2022 15:03:00 -0400
Superseded in bullseye-release
apache2 (2.4.54-1~deb11u1) bullseye; urgency=medium

  [ Yadd ]
  * Fix htcacheclean doc (Closes: #1010455)

  [ Yadd ]
  * New upstream version 2.4.54 (closes: #1012513, CVE-2022-31813,
    CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404,
    CVE-2022-30522, CVE-2022-30556, CVE-2022-28330)

 -- Yadd <email address hidden>  Thu, 09 Jun 2022 06:26:43 +0200
Superseded in sid-release
apache2 (2.4.54-2) unstable; urgency=medium

  * Move cgid socket into a writeable directory (Closes: #1014056)
  * Update lintian overrides
  * Declare compliance with policy 4.6.1
  * Install NOTICE in each package

 -- Yadd <email address hidden>  Tue, 05 Jul 2022 15:49:58 +0200
Superseded in sid-release
apache2 (2.4.54-1) unstable; urgency=medium

  [ Simon Deziel ]
  * Escape literal "." for BrowserMatch directives in setenvif.conf
  * Use non-capturing regex with FilesMatch directive in default-ssl.conf

  [ Ondřej Surý ]
  * New upstream version 2.4.54 (Closes: #1012513, CVE-2022-31813,
    CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404,
    CVE-2022-30522, CVE-2022-30556, CVE-2022-28330)

  [ Yadd ]
  * Fix htcacheclean doc (Closes: #1010455)
  * New upstream version 2.4.54

 -- Yadd <email address hidden>  Thu, 09 Jun 2022 06:33:53 +0200
Superseded in buster-release
apache2 (2.4.38-3+deb10u7) buster-security; urgency=medium

  * Fix possible NULL dereference or SSRF in forward proxy configurations
    (CVE-2021-44224)
  * lua: improve error handling (Closes: CVE-2021-44790)
  * mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO
    (relaxes the behaviour introduced by the CVE-2021-36160 fix)

 -- Yadd <email address hidden>  Tue, 21 Dec 2021 17:50:43 +0100
Superseded in bullseye-release
apache2 (2.4.53-1~deb11u1) bullseye; urgency=medium

  * New upstream version 2.4.53 (Closes: CVE-2022-22719,
    CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)
  * Update copyright
  * Drop fix-2.4.52-regression.patch, now included in upstream
  * Refresh fhs_compliance.patch
  * Update test framework (fixes autopkgtest)

 -- Yadd <email address hidden>  Mon, 14 Mar 2022 17:28:35 +0100
Superseded in sid-release
apache2 (2.4.53-2) unstable; urgency=medium

  * Clean useless Conflicts/Replace
  * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254)

 -- Yadd <email address hidden>  Tue, 15 Mar 2022 15:27:39 +0100
Superseded in sid-release
apache2 (2.4.53-1) unstable; urgency=medium

  * New upstream version 2.4.53 (Closes: CVE-2022-22719,
    CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)
  * Update copyright
  * Patches:
    + Drop fix-2.4.52-regression.patch, now included in upstream
    + Refresh fhs_compliance.patch
    + Update and disable child_processes_fail_to_start.patch
  * Update test framework
  * Back to unstable

 -- Yadd <email address hidden>  Mon, 14 Mar 2022 17:10:39 +0100
Deleted in experimental-release (Reason: None provided.)
apache2 (2.4.52-3) experimental; urgency=medium

  * Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL
    error)
  * Set hardening=+all instead of hardening=+bindnow

 -- Yadd <email address hidden>  Tue, 28 Dec 2021 21:20:05 +0100
Superseded in experimental-release
apache2 (2.4.52-2) experimental; urgency=medium

  * Build with pcre2 (Closes: #1000114)

 -- Yadd <email address hidden>  Tue, 28 Dec 2021 20:01:43 +0100
Superseded in sid-release
apache2 (2.4.52-1) unstable; urgency=medium

  * Refresh suexec-custom.patch
  * Update lintian overrides
  * Wrap long lines in changelog entries: 2.4.51-2.
  * New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790)
  * Refresh patches

 -- Yadd <email address hidden>  Mon, 20 Dec 2021 18:42:09 +0100
Superseded in bullseye-release
apache2 (2.4.51-1~deb11u1) bullseye-security; urgency=medium

  * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013)
  * Refresh patches

 -- Yadd <email address hidden>  Thu, 07 Oct 2021 19:49:44 +0200
Superseded in sid-release
apache2 (2.4.51-2) unstable; urgency=medium

  * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting parameters

 -- Yadd <email address hidden>  Mon, 25 Oct 2021 18:37:03 +0200
Superseded in buster-release
apache2 (2.4.38-3+deb10u5) buster-security; urgency=medium

  * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
    (Closes: #989562, CVE-2021-31618)
  * Fix various low security issues (Closes: CVE-2020-35452, CVE-2021-26690,
    CVE-2021-26691, CVE-2021-30641) and fix related test

 -- Yadd <email address hidden>  Thu, 10 Jun 2021 12:13:06 +0200
Superseded in bullseye-release
apache2 (2.4.48-3.1+deb11u1) bullseye-security; urgency=medium

  * Fix mod_proxy HTTP2 request line injection (Closes: CVE-2021-33193)

 -- Yadd <email address hidden>  Thu, 12 Aug 2021 13:51:47 +0200
Superseded in sid-release
apache2 (2.4.51-1) unstable; urgency=medium

  * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013)
  * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659)

 -- Yadd <email address hidden>  Thu, 07 Oct 2021 20:35:33 +0200
Superseded in sid-release
apache2 (2.4.50-1) unstable; urgency=high

  * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524)
  * Remove patches already merged upstream

 -- Ondřej Surý <email address hidden>  Tue, 05 Oct 2021 13:25:23 +0200
Superseded in sid-release
apache2 (2.4.49-4) unstable; urgency=medium

  [ Ondřej Surý ]
  * Add upstream patch to fix crash in 2.4.49

 -- Yadd <email address hidden>  Fri, 01 Oct 2021 11:34:24 +0200
Superseded in sid-release
apache2 (2.4.49-3) unstable; urgency=medium

  [ Yadd ]
  * Re-export upstream signing key without extra signatures.
  * Drop transition for old debug package migration.

  [ Moritz Muehlenhoff ]
  * Fix CVE-2021-40438 regression

 -- Yadd <email address hidden>  Thu, 30 Sep 2021 06:00:06 +0200
Superseded in sid-release
apache2 (2.4.49-2) unstable; urgency=medium

  [ Michiel Hazelhof ]
  * Fix multi instance issue (Closes: #868861)

  [ Philippe Ombredanne ]
  * Fix GPL version typo in copyright file

 -- Yadd <email address hidden>  Thu, 23 Sep 2021 13:55:55 +0200
Superseded in sid-release
apache2 (2.4.49-1) unstable; urgency=medium

  * Update upstream GPG keys
  * New upstream version 2.4.49
  * Refresh patches

 -- Yadd <email address hidden>  Thu, 16 Sep 2021 06:22:23 +0200
Superseded in sid-release
apache2 (2.4.48-4) unstable; urgency=medium

  * Fix mod_proxy HTTP2 request line injection (Closes: CVE-2021-33193)

 -- Yadd <email address hidden>  Thu, 12 Aug 2021 11:37:43 +0200
Superseded in bullseye-release
Superseded in sid-release
apache2 (2.4.48-3.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Direct init script reload output from logrotate to syslog, to
    avoid mail-spamming the local admin (Closes: #990580)

 -- Thorsten Glaser <email address hidden>  Sat, 10 Jul 2021 23:31:28 +0200
Superseded in sid-release
apache2 (2.4.48-3) unstable; urgency=medium

  * Fix debian/changelog

 -- Yadd <email address hidden>  Sun, 20 Jun 2021 16:39:33 +0200
Superseded in sid-release
apache2 (2.4.48-2) unstable; urgency=medium

  * Back to unstable: Apache2 will follow upstream changes for Bullseye

  [ Christian Ehrhardt ]
  * d/t/control, d/t/check-http2: basic test for http2 (Closes: #884068)

 -- Yadd <email address hidden>  Sat, 19 Jun 2021 17:50:29 +0200
Superseded in sid-release
apache2 (2.4.46-6) unstable; urgency=medium

  * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452,
    CVE-2021-26690, CVE-2021-26691, CVE-2021-30641)

 -- Yadd <email address hidden>  Thu, 10 Jun 2021 13:40:11 +0200
Superseded in sid-release
apache2 (2.4.46-5) unstable; urgency=medium

  * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
    (Closes: #989562, CVE-2021-31618)

 -- Yadd <email address hidden>  Thu, 10 Jun 2021 11:57:38 +0200
Deleted in experimental-release (Reason: None provided.)
apache2 (2.4.48-1) experimental; urgency=medium

  [ Daniel Lewart ]
  * Update apache2.logrotate (Closes: #979813)

  [ Andreas Hasenack ]
  * Avoid test suite failure (Closes: #985012)

  [ Yadd ]
  * Update lintian overrides
  * Re-export upstream signing key without extra signatures.

  [ Ondřej Surý ]
  * New upstream version 2.4.48 (Closes: CVE-2021-31618)

 -- Ondřej Surý <email address hidden>  Tue, 08 Jun 2021 08:29:35 +0200
Superseded in experimental-release
apache2 (2.4.47-1) experimental; urgency=medium

  * Update upstream keys file
  * New upstream version 2.4.47
  * Refresh patches

 -- Yadd <email address hidden>  Thu, 29 Apr 2021 08:03:33 +0200
Superseded in sid-release
apache2 (2.4.46-4) unstable; urgency=medium

  * Ignore other random test failures (Closes: #979664)

 -- Xavier Guimard <email address hidden>  Mon, 11 Jan 2021 11:58:23 +0100
Superseded in sid-release
apache2 (2.4.46-3) unstable; urgency=medium

  * Remove postinst/preinst hooks concerning old versions
  * Clean include-binaries
  * Enable verbose test output during autopkgtest
  * Declare compliance with policy 4.5.1
  * Add debian/gbp.conf
  * Disable temporary 3 subtests (Closes: #979664)

 -- Xavier Guimard <email address hidden>  Sun, 10 Jan 2021 22:43:21 +0100
Superseded in sid-release
apache2 (2.4.46-2) unstable; urgency=medium

  [ Jean-Michel Vourgère ]
  * Man: Add missing options and see also in a2en*(8)

  [ Xavier Guimard ]
  * Bump debhelper compatibility level to 13
    + Set debhelper-compat version in Build-Depends.
  * Use dh_installsystemd rather than deprecated dh_systemd_enable
  * Add extension .da for danish language in mime.conf (Closes: #972398)
  * Automatically deflate application/wasm files (Closes: #972400)
  * Use "graceful-stop" in systemd ExecStop (Closes: #974665)
  * Re-export upstream signing key without extra signatures.
  * Ignore lintian's national-encoding tag in test framework
  * Add ${misc:Pre-Depends} in apache2 package
  * Update lintian overrides
  * Refresh patches
  * Fix little spelling errors

 -- Xavier Guimard <email address hidden>  Fri, 13 Nov 2020 16:59:01 +0100
Superseded in buster-release
apache2 (2.4.38-3+deb10u4) buster-security; urgency=high

  * Import http2 modules from 2.4.46 (Closes: CVE-2020-9490, CVE-2020-11993)
  * Fix error out on HTTP header larger than 16K (Closes: CVE-2020-11984)
  * Fix bad regexp in mod_rewrite (Closes: CVE-2020-1927)
  * Fix uninitialized memory when proxying to a malicious FTP server
    (Closes: CVE-2020-1934)

 -- Xavier Guimard <email address hidden>  Tue, 25 Aug 2020 22:08:29 +0200
Superseded in sid-release
apache2 (2.4.46-1) unstable; urgency=medium

  [ Xavier Guimard ]
  * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md

  [ Timo Tijhof ]
  * Compress text/javascript with mod_deflate by default (Closes: #959195)

  [ Xavier Guimard ]
  * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md
  * Update upstream keys
  * New upstream version 2.4.46 (Closes: CVE-2020-11984, CVE-2020-11993,
    CVE-2020-9490)

 -- Xavier Guimard <email address hidden>  Sat, 08 Aug 2020 08:33:36 +0200
Superseded in sid-release
apache2 (2.4.43-1) unstable; urgency=medium

  [ Timo Aaltonen ]
  * mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST
    requests (Closes: #955348)

  [ Moritz Schlarb ]
  * Fix logrotate script for multi-instance (Closes: #914606)

  [ Xavier Guimard ]
  * New upstream version 2.4.43
  * Refresh patches

 -- Xavier Guimard <email address hidden>  Tue, 31 Mar 2020 08:02:12 +0200
Superseded in sid-release
apache2 (2.4.41-5) unstable; urgency=medium

  [ Xavier Guimard ]
  * Avoid double mod_dav load (Closes: #951753)

  [ Timo Aaltonen ]
  * mod_proxy_ajp-add-secret-parameter.diff: Apply a patch from 2.4.x to fix
    AJP with current tomcat.
    (Closes: #954201)

 -- Xavier Guimard <email address hidden>  Wed, 18 Mar 2020 21:06:49 +0100
Published in stretch-release
apache2 (2.4.25-3+deb9u9) stretch-security; urgency=medium

  [ Xavier Guimard ]
  * Use correct patch for CVE-2019-10092. This fixes a regression in
    mod_proxy_balancer (Closes: #941202)

 -- Stefan Fritsch <email address hidden>  Sun, 13 Oct 2019 17:43:54 +0200
Superseded in sid-release
apache2 (2.4.41-4) unstable; urgency=medium

  * Add gcc in chroot autopkgtest (fixes debci)

 -- Xavier Guimard <email address hidden>  Fri, 07 Feb 2020 06:14:33 +0100
Superseded in sid-release
apache2 (2.4.41-3) unstable; urgency=medium

  * Don't use hardcoded libgcc_s.so.1 path in autopkgtest files. Thanks to
    Aurelien Jarno (Closes: #950711)

 -- Xavier Guimard <email address hidden>  Wed, 05 Feb 2020 13:18:04 +0100
Superseded in sid-release
apache2 (2.4.41-2) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Add *.load file for mod_socache_redis

  [ Vagrant Cascadian ]
  * Embeds path to EGREP in config_vars.mk (Closes: #948757)
  * Sanitize CXXFLAGS/-ffile-prefix-map in config_vars.mk (Closes: #948759)

 -- Xavier Guimard <email address hidden>  Mon, 13 Jan 2020 06:14:45 +0100
Superseded in buster-release
apache2 (2.4.38-3+deb10u3) buster-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Annotate patch for CVE-2019-10092: Add missing APLOGNO's in
    modules/proxy/mod_proxy.c and modules/proxy/mod_proxy_ftp.c

 -- Salvatore Bonaccorso <email address hidden>  Tue, 15 Oct 2019 21:53:42 +0200
Superseded in stretch-release
apache2 (2.4.25-3+deb9u8) stretch-security; urgency=high

  [ Xavier Guimard ]
  * Add patch to limit cross-site scripting in mod_proxy (Closes: CVE-2019-10092)
  * Import http2 modules from 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10082, CVE-2019-10081)
  * Add patch to set PCRE_DOTALL by default (Closes: CVE-2019-10098)

  [ Stefan Fritsch ]
  * Add -Werror=implicit-function-declaration to compile options to catch
    problems with backports.

 -- Stefan Fritsch <email address hidden>  Mon, 19 Aug 2019 21:25:31 +0200
Superseded in buster-release
apache2 (2.4.38-3+deb10u1) buster-security; urgency=high

  * Add patch to limit cross-site scripting in mod_proxy (Closes: CVE-2019-10092)
  * Add patch to fix stack buffer overflow and NULL pointer dereference in
    mod_remoteip (Closes: CVE-2019-10097)
  * Import http2 modules from 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10082 and
    CVE-2019-10081)
  * Add patch to set PCRE_DOTALL by default (Closes: CVE-2019-10098)

 -- Xavier Guimard <email address hidden>  Sun, 18 Aug 2019 15:34:20 +0200
Superseded in sid-release
apache2 (2.4.41-1) unstable; urgency=medium

  * New upstream version 2.4.41
  * Update lintian overrides
  * Remove README in usr/share/apache2
  * Move httxt2dbm manpage in section 8
  * Update test framework

 -- Xavier Guimard <email address hidden>  Wed, 14 Aug 2019 06:42:29 +0200
Superseded in sid-release
apache2 (2.4.39-2) unstable; urgency=medium

  * Fix bad call of dh_link. Thanks to Daniel Baumann (Closes: #934640)

 -- Xavier Guimard <email address hidden>  Mon, 12 Aug 2019 22:52:47 +0200
Superseded in sid-release
apache2 (2.4.39-1) unstable; urgency=medium

  [ Helmut Grohne ]
  * Do not install /usr/share/apache2/build/config.nice (Closes: #929510)

  [ Xavier Guimard ]
  * New upstream version 2.4.39
  * Refresh patches
  * Remove patches now included in upstream
  * Replace duplicate doc files by links using jdupes
  * Add bison in build dependencies

 -- Xavier Guimard <email address hidden>  Mon, 12 Aug 2019 21:30:33 +0200
Superseded in stretch-release
apache2 (2.4.25-3+deb9u7) stretch-security; urgency=medium

  [ Xavier Guimard ]
  * CVE-2018-17199: mod_session: Fix missing check for session expiry time.
    Closes: #920303

  [ Stefan Fritsch ]
  * mod_http2: Fix keepalive timeout behavior. This fixes a regression with
    Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103
  * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
    Closes: #904150
  * CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies.
    Closes: #920302
  * CVE-2019-0196: mod_http2: Fix read after free
  * CVE-2019-0211: All MPMs: privilege escalation from www-data user to root.
  * CVE-2019-0217: mod_auth_digest: Access control bypass
  * CVE-2019-0220: URL normalization inconsistency.
    Consecutive slashes in URL's are now merged before use in LocationMatch
    and RewriteRule. The old behavior can be restored with the new directive
    "MergeSlashes off".

 -- Stefan Fritsch <email address hidden>  Tue, 02 Apr 2019 21:05:13 +0200
Superseded in buster-release
Superseded in sid-release
apache2 (2.4.38-3) unstable; urgency=high

  [ Marc Deslauriers ]
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentanglement of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistency
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

  [ Stefan Fritsch ]
  * Pull security fixes from 2.4.39 via Ubuntu
  * CVE-2019-0197: mod_http2: Fix possible crash on late upgrade

 -- Stefan Fritsch <email address hidden>  Sun, 07 Apr 2019 20:15:40 +0200
Superseded in buster-release
Superseded in sid-release
apache2 (2.4.38-2) unstable; urgency=medium

  * Disable "reset" test in allowmethods.t (Closes: #921024)

 -- Xavier Guimard <email address hidden>  Thu, 31 Jan 2019 21:54:05 +0100
Superseded in sid-release
apache2 (2.4.38-1) unstable; urgency=medium

  [ Jelmer Vernooij ]
  * Reverted for now: Transition to automatic debug package (from: apache2-dbg)
  * Trim trailing whitespace
  * Use secure copyright file specification URI

  [ Niels Thykier ]
  * Add Rules-Requires-Root: binary-targets

  [ Xavier Guimard ]
  * Convert signing-key.pgp into signing-key.asc
  * Add http2.conf (Closes: #880993)
  * Remove unnecessary greater-than versioned dependency to dpkg-dev,
    libbrotli-dev and libapache2-mod-md
  * Declare compliance with policy 4.2.1
  * Add spelling errors patch (reported)
  * Fix some spelling errors in debian files
  * Add myself to uploaders
  * Refresh patches
  * Bump debhelper compatibility level to 10
  * debian/rules:
    - Remove unnecessary dh argument --parallel
    - use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog
  * Add upstream/metadata
  * Replace MIT by Expat in debian/copyright
  * debian/watch: use https url
  * Add documentation links in systemd service files
  * Team upload

  [ Cyrille Bollu ]
  * Put HTTP2 configuration within <IfModule !mpm_prefork></IfModule> tags as
    it gets automatically de-activated upon apache startup when using
    mpm_prefork.
  * Updated http2.conf to inform user that they may want to change their
    LogFormat directives.

  [ Xavier Guimard ]
  * New upstream version 2.4.38 (Closes: #920220, #920302, #920303)
  * Refresh patches
  * Remove setenvifexpr.diff patch now included in upstream
  * Replace libapache2-mod-proxy-uwsgi.{post*,prerm} by a maintscript
  * Add a "sleep" in debian/tests/htcacheclean and skip result if "stop" failed
  * Declare compliance with policy 4.3.0
  * Fix homepage to https
  * Update debian/copyright

 -- Xavier Guimard <email address hidden>  Tue, 29 Jan 2019 23:49:49 +0100
Superseded in stretch-release
apache2 (2.4.25-3+deb9u6) stretch; urgency=medium

  * CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106
  * CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS.
    Closes: #909591
  * mod_proxy_fcgi: Fix segfault. Closes: #902906

 -- Stefan Fritsch <email address hidden>  Sat, 03 Nov 2018 19:46:19 +0100
Superseded in buster-release
Superseded in sid-release
apache2 (2.4.37-1) unstable; urgency=medium

  * New upstream version
    - mod_ssl: Add support for TLSv1.3
  * Add docs symlink for libapache2-mod-proxy-uwsgi.  Closes: #910218
  * Update test-framework to r1845652
  * Fix test suite to actually run by creating a test user. It turns out
    the test suite refuses to run as root but returns true even in that
    case. It seems this has been broken since 2.4.27-4, where the test suite
    had been updated and the debci test duration dropped from 15min to
    3min. Also, don't rely on the exit status anymore but parse the test
    output.
  * Backport a fix from trunk for SetEnvIfExpr. This fixes a test failure.

 -- Stefan Fritsch <email address hidden>  Sat, 03 Nov 2018 14:26:31 +0100
Superseded in buster-release
Superseded in sid-release
apache2 (2.4.35-1) unstable; urgency=medium

  * New upstream version 2.4.35
    Security fix:
    - CVE-2018-11763: DoS for HTTP/2 connections by continuous SETTINGS
      Closes: #909591
  * Fix lintian warning: Don't force xz in builddeb override.

 -- Stefan Fritsch <email address hidden>  Sun, 07 Oct 2018 12:54:58 +0200
Superseded in buster-release
Superseded in sid-release
apache2 (2.4.34-1) unstable; urgency=medium

  [ Ondřej Surý ]
  * New upstream version 2.4.34
    Security fixes:
    - CVE-2018-1333: Denial of service in mod_http2. Closes: #904106
    - CVE-2018-8011: Denial of service in mod_md. Closes: #904107
  * Refresh patches for Apache2 2.4.34 release
  * Update the suexec-custom.patch for 2.4.34 release

  [ Stefan Fritsch ]
  * Remove load order dependency introduced in mod_lbmethod_* in 2.4.34
  * Remove debian/gbp.conf. Closes: #904641
  * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
    Closes: #904150

 -- Stefan Fritsch <email address hidden>  Fri, 27 Jul 2018 21:37:37 +0200
Superseded in stretch-release
apache2 (2.4.25-3+deb9u5) stretch; urgency=medium

  * Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This
    fixes
    - CVE-2018-1302: mod_http2: Potential crash w/ mod_http2
    - Segfaults in mod_http2 (Closes: #873945)
    - mod_http2 issue with option "Indexes" and directive "HeaderName"
      (Closes: #850947)
    Unfortunately, this also removes support for http2 when running on
    mpm_prefork.
  * mod_http2: Avoid high memory usage with large files, causing crashes on
    32bit archs. Closes: #897218
  * Make the apache-htcacheclean init script actually look into
    /etc/default/apache-htcacheclean for its config. Closes: #898563

 -- Stefan Fritsch <email address hidden>  Sat, 02 Jun 2018 10:01:13 +0200
Published in jessie-release
apache2 (2.4.10-10+deb8u12) jessie-security; urgency=medium

  * CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap
    when using too small Accept-Language values.
  * CVE-2017-15715: <FilesMatch> bypass with a trailing newline in the file
    name.
    Configure the regular expression engine to match '$' to the end of
    the input string only, excluding matching the end of any embedded
    newline characters. Behavior can be changed with new directive
    'RegexDefaultOptions'.
  * CVE-2018-1283: Tampering of mod_session data for CGI applications.
  * CVE-2018-1301: Possible out of bound access after failure in reading the
    HTTP request
  * CVE-2018-1303: Possible out of bound read in mod_cache_socache
  * CVE-2018-1312: mod_auth_digest: Weak Digest auth nonce generation

 -- Stefan Fritsch <email address hidden>  Sat, 31 Mar 2018 11:31:57 +0200
Superseded in buster-release
Superseded in sid-release
apache2 (2.4.33-3) unstable; urgency=medium

  * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
    Closes: #894785
  * mod_http2: Avoid high memory usage with large files, causing crashes on
    32bit archs. Closes: #897218
  * Migrate from alioth to salsa.

 -- Stefan Fritsch <email address hidden>  Sat, 05 May 2018 11:34:47 +0200
Superseded in sid-release
apache2 (2.4.33-2) unstable; urgency=medium

  * Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi
    and libapache2-mod-md.
    Closes: #894760, #894761, #894785

 -- Stefan Fritsch <email address hidden>  Sun, 22 Apr 2018 11:14:19 +0200
Superseded in sid-release
apache2 (2.4.33-1) unstable; urgency=medium

  * New upstream version.
    Security fixes:
    - CVE-2017-15710
      Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
    - CVE-2018-1283
      mod_session: CGI-like applications that intend to read from mod_session's
      'SessionEnv ON' could be fooled into reading user-supplied data instead.
    - CVE-2018-1303
      mod_cache_socache: Fix request headers parsing to avoid a possible crash
      with specially crafted input data.
    - CVE-2018-1301
      core: Possible crash with excessively long HTTP request headers.
      Impractical to exploit with a production build and production LogLevel.
    - CVE-2017-15715
      core: Configure the regular expression engine to match '$' to the end of
      the input string only, excluding matching the end of any embedded
      newline characters. Behavior can be changed with new directive
      'RegexDefaultOptions'.
    - CVE-2018-1312
      mod_auth_digest: Fix generation of nonce values to prevent replay
      attacks across servers using a common Digest domain. This change
      may cause problems if used with round robin load balancers. PR 54637
    - CVE-2018-1302
      mod_http2: Potential crash w/ mod_http2.

    - mod_proxy_uwsgi: New UWSGI proxy submodule.
    - mod_md: New experimental module for managing domains across virtual
      hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
      renew certificates.
    - core: silently ignore a not existent file path when IncludeOptional
      is used. Closes: #878920
    - mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980

  * Fix lintian warnings:
    - Include SupportApache-small.png in apache2-doc package instead of
      linking to apache.org, to avoid privacy issues.
    - Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
    - Remove deprecated use of autotools_dev with dh.
    - Add some overrides
  * Bump standards-version to 4.1.2 (no changes)

 -- Stefan Fritsch <email address hidden>  Fri, 30 Mar 2018 22:53:13 +0200
Superseded in buster-release
Superseded in sid-release
apache2 (2.4.29-2) unstable; urgency=medium

  * Add myself to Uploaders
  * Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
  * Run wrap-and-sort -a to canonicalize the debian/ directory
  * Add Build-Depends on libbrotli-dev and enable brotli module

 -- Ondřej Surý <email address hidden>  Sun, 14 Jan 2018 11:01:58 +0000
Superseded in jessie-release
apache2 (2.4.10-10+deb8u11) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
    (Closes: #876109)

 -- Salvatore Bonaccorso <email address hidden>  Tue, 19 Sep 2017 21:08:12 +0200
Superseded in buster-release
Superseded in sid-release
apache2 (2.4.29-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Replace outdated dependency on dh-systemd

  [ Ondřej Surý ]
  * New upstream version 2.4.29
  * Refresh quilt patches
  * Add mod_ssl_md patch needed for libapache2-mod-md (Closes: #877343)
  * Refresh patches on top of upstream release 2.4.29
  * Fix Apache crash on restarts (ASF Bug 61558)
  * Add deconfigure to the list of recognized scripts (Closes: #877524)

 -- Ondřej Surý <email address hidden>  Mon, 23 Oct 2017 14:46:55 +0000
Superseded in stretch-release
apache2 (2.4.25-3+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
    (Closes: #876109)

 -- Salvatore Bonaccorso <email address hidden>  Tue, 19 Sep 2017 20:58:57 +0200