Change logs for apache2 source package in Groovy

apache2 (2.4.46-1ubuntu1.2) groovy-security; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641
  * This update does _not_ include the changes from 2.4.46-1ubuntu1.1 in
    groovy-proposed.

 -- Marc Deslauriers <email address hidden>  Thu, 17 Jun 2021 13:45:11 -0400

apache2 (2.4.46-1ubuntu1.1) groovy; urgency=medium

  * d/apache2ctl: Also use systemd for graceful if it is in use.
    (LP: #1832182)
    - This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.

 -- Bryce Harrington <email address hidden>  Fri, 13 Nov 2020 01:36:38 +0000

apache2 (2.4.46-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes #921024)
    - d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
      issue reading error log too quickly after request, by adding a sleep.
      (LP #1890302)
  * Dropped:
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
      [Unclear if it's still necessary, and upstream hasn't made a
      release with it yet]

apache2 (2.4.46-1) unstable; urgency=medium

  [ Xavier Guimard ]
  * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md

  [ Timo Tijhof ]
  * Compress text/javascript with mod_deflate by default (Closes: #959195)

  [ Xavier Guimard ]
  * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md
  * Update upstream keys
  * New upstream version 2.4.46 (Closes: CVE-2020-11984, CVE-2020-11993,
    CVE-2020-9490)

 -- Andreas Hasenack <email address hidden>  Tue, 25 Aug 2020 09:13:38 -0300

apache2 (2.4.43-1ubuntu2) groovy; urgency=medium

  * d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
    issue reading error log too quickly after request, by adding a sleep.
    (LP: #1890302)

 -- Bryce Harrington <email address hidden>  Wed, 05 Aug 2020 12:44:59 -0700

apache2 (2.4.43-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/perl-framework/t/modules/allowmethods.t: disable reset test. This
      was re-added by mistake in 2.4.41-1 (Closes #921024)
  * Dropped:
    - d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
      parameter to mod_proxy_ajp (LP #1865340)
      [Fixed upstream]
    - d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
      mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
      Closes #955348, LP #1872478
      [In 2.4.43-1]

apache2 (2.4.43-1) unstable; urgency=medium

  [ Timo Aaltonen ]
  * mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST
    requests (Closes: #955348)

  [ Moritz Schlarb ]
  * Fix logrotate script for multi-instance (Closes: #914606)

  [ Xavier Guimard ]
  * New upstream version 2.4.43
  * Refresh patches

apache2 (2.4.41-5) unstable; urgency=medium

  [ Xavier Guimard ]
  * Avoid double mod_dav load (Closes: #951753)

  [ Timo Aaltonen ]
  * mod_proxy_ajp-add-secret-parameter.diff: Apply a patch from 2.4.x to fix
    AJP with current tomcat.
    (Closes: #954201)

 -- Andreas Hasenack <email address hidden>  Tue, 21 Jul 2020 10:22:42 -0300

apache2 (2.4.41-4ubuntu3) focal; urgency=medium

  [ Timo Aaltonen ]
  * d/p/buffer-http-request-bodies-for-tlsv13.diff, d/p/tlsv13-add-logno.diff:
    mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST requests.
    Closes: #955348, LP: #1872478

 -- Andreas Hasenack <email address hidden>  Mon, 13 Apr 2020 14:19:17 -0300