Change logs for apache2 source package in Kinetic

  • apache2 (2.4.54-2ubuntu1.5) kinetic; urgency=medium
    
      * d/p/reenable-workers-in-standard-error-state-kinetic-apache2.patch:
        fix the value discrepancy of MODULE_MAGIC_NUMBER_MINOR.
        (LP: #2003189)
    
     -- Michal Maloszewski <email address hidden>  Wed, 21 Jun 2023 17:41:40 +0200
  • apache2 (2.4.54-2ubuntu1.4) kinetic; urgency=medium
    
      * d/p/reenable-workers-in-standard-error-state-kinetic-apache2.patch:
        fix issue with workers in apache2 which could not recover from their
        error state (LP: #2003189)
    
     -- Michal Maloszewski <email address hidden>  Wed, 03 May 2023 21:41:59 +0200
  • apache2 (2.4.54-2ubuntu1.3) kinetic; urgency=medium
    
      * d/p/mod_proxy_hcheck_kinetic_fix_to_detect_support.patch: Fix issue
        where enabling mod_proxy_hcheck results in error (LP: #1998311)
    
     -- Michal Maloszewski <email address hidden>  Thu, 02 Mar 2023 00:01:26 +0100
  • apache2 (2.4.54-2ubuntu1.2) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
        - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query
          strings in modules/http2/mod_proxy_http2.c,
          modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c,
          modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c,
          modules/proxy/mod_proxy_wstunnel.c.
        - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in
          modules/http2/mod_proxy_http2.c.
        - CVE-2023-25690
      * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
        - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response
          parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
        - CVE-2023-27522
    
     -- Marc Deslauriers <email address hidden>  Wed, 08 Mar 2023 12:31:20 -0500
  • apache2 (2.4.54-2ubuntu1.1) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: DoS via crafted If header in mod_dav
        - debian/patches/CVE-2006-20001.patch: fix error path for "Not" prefix
          parsing in modules/dav/main/util.c.
        - CVE-2006-20001
      * SECURITY UPDATE: request smuggling in mod_proxy_ajp
        - debian/patches/CVE-2022-36760.patch: cleanup on error in
          modules/proxy/mod_proxy_ajp.c.
        - CVE-2022-36760
      * SECURITY UPDATE: response header truncation issue
        - debian/patches/CVE-2022-37436.patch: fail on bad header in
          modules/proxy/mod_proxy_http.c, server/protocol.c.
        - CVE-2022-37436
    
     -- Marc Deslauriers <email address hidden>  Mon, 23 Jan 2023 13:25:54 -0500
  • apache2 (2.4.54-2ubuntu1) kinetic; urgency=medium
    
      * Merge with Debian unstable (LP: #1982048). Remaining changes:
        - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
          d/source/include-binaries: Replace Debian with Ubuntu on default
          homepage.
          (LP #1966004)
        - d/apache2.py, d/apache2-bin.install: Add apport hook
          (LP #609177)
        - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
          d/apache2.dirs: Add ufw profiles
          (LP #261198)
    
     -- Bryce Harrington <email address hidden>  Thu, 21 Jul 2022 19:38:00 +0000
  • apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium
    
      * Merge with Debian unstable (LP: #1971248). Remaining changes:
        - debian/{control, apache2.install, apache2-utils.ufw.profile,
          apache2.dirs}: Add ufw profiles.
          (LP 261198)
        - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
          (LP 609177)
        - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
          d/s/include-binaries: replace Debian with Ubuntu on default
          page and add Ubuntu icon file.
          (LP 1288690)
        - d/index.html, d/icons/ubuntu-logo.png: Refresh page design and
          new logo
          (LP 1966004)
        - d/apache2.postrm: Include md5 sum for updated index.html
      * Dropped:
        - OOB read in mod_lua via crafted request body
          + d/p/CVE-2022-22719.patch: error out if lua_read_body() or
            lua_write_body() fail in modules/lua/lua_request.c.
          [Fixed in 2.4.53 upstream]
        - HTTP Request Smuggling via error discarding the
          request body
          + d/p/CVE-2022-22720.patch: simpler connection close logic
            if discarding the request body fails in modules/http/http_filters.c,
            server/protocol.c.
          [Fixed in 2.4.53 upstream]
        - overflow via large LimitXMLRequestBody
          + d/p/CVE-2022-22721.patch: make sure and check that
            LimitXMLRequestBody fits in system memory in server/core.c,
            server/util.c, server/util_xml.c.
          [Fixed in 2.4.53 upstream]
        - out-of-bounds write in mod_sed
          + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger
            buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
            modules/filters/mod_sed.c, modules/filters/sed1.c.
          + d/p/CVE-2022-23943-2.patch: improve the logic flow in
            modules/filters/mod_sed.c.
          [Fixed in 2.4.53 upstream]
    
     -- Bryce Harrington <email address hidden>  Mon, 23 May 2022 19:34:18 -0700
  • apache2 (2.4.52-1ubuntu4) jammy; urgency=medium
    
      * d/apache2.postrm: Include md5 sum for updated index.html
    
     -- Bryce Harrington <email address hidden>  Thu, 24 Mar 2022 17:35:40 -0700