-
apache2 (2.4.46-1ubuntu1.2) groovy-security; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641
  * This update does _not_ include the changes from 2.4.46-1ubuntu1.1 in
    groovy-proposed.

 -- Marc Deslauriers <email address hidden>  Thu, 17 Jun 2021 13:45:11 -0400
-
apache2 (2.4.46-1ubuntu1.1) groovy; urgency=medium

  * d/apache2ctl: Also use systemd for graceful if it is in use.
    (LP: #1832182)
    - This extends an earlier fix for the start command to behave
      similarly for restart / graceful. Fixes service failures on
      unattended upgrade.

 -- Bryce Harrington <email address hidden>  Fri, 13 Nov 2020 01:36:38 +0000
-
apache2 (2.4.46-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes #921024)
    - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
      issue reading error log too quickly after request, by adding a sleep.
      (LP #1890302)
  * Dropped:
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
      [Unclear if it's still necessary, and upstream hasn't made a
      release with it yet]

apache2 (2.4.46-1) unstable; urgency=medium

  [ Xavier Guimard ]
  * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md

  [ Timo Tijhof ]
  * Compress text/javascript with mod_deflate by default (Closes: #959195)

  [ Xavier Guimard ]
  * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md
  * Update upstream keys
  * New upstream version 2.4.46 (Closes: CVE-2020-11984, CVE-2020-11993,
    CVE-2020-9490)

 -- Andreas Hasenack <email address hidden>  Tue, 25 Aug 2020 09:13:38 -0300
-
apache2 (2.4.43-1ubuntu2) groovy; urgency=medium

  * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
    issue reading error log too quickly after request, by adding a sleep.
    (LP: #1890302)

 -- Bryce Harrington <email address hidden>  Wed, 05 Aug 2020 12:44:59 -0700
-
apache2 (2.4.43-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes #921024)
  * Dropped:
    - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
      parameter to mod_proxy_ajp (LP #1865340)
      [Fixed upstream]
    - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
      mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
      Closes #955348, LP #1872478
      [In 2.4.43-1]

apache2 (2.4.43-1) unstable; urgency=medium

  [ Timo Aaltonen ]
  * mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST
    requests (Closes: #955348)

  [ Moritz Schlarb ]
  * Fix logrotate script for multi-instance (Closes: #914606)

  [ Xavier Guimard ]
  * New upstream version 2.4.43
  * Refresh patches

apache2 (2.4.41-5) unstable; urgency=medium

  [ Xavier Guimard ]
  * Avoid double mod_dav load (Closes: #951753)

  [ Timo Aaltonen ]
  * mod_proxy_ajp-add-secret-parameter.diff: Apply a patch from 2.4.x to fix
    AJP with current tomcat.
    (Closes: #954201)

 -- Andreas Hasenack <email address hidden>  Tue, 21 Jul 2020 10:22:42 -0300
-
apache2 (2.4.41-4ubuntu3) focal; urgency=medium

  [ Timo Aaltonen ]
  * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
    mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
    Closes: #955348, LP: #1872478

 -- Andreas Hasenack <email address hidden>  Mon, 13 Apr 2020 14:19:17 -0300