-
apache2 (2.4.57-2ubuntu2.4) mantic-security; urgency=medium
* SECURITY UPDATE: HTTP response splitting
- debian/patches/CVE-2023-38709.patch: header validation after
content-* are eval'ed in modules/http/http_filters.c.
- CVE-2023-38709
* SECURITY UPDATE: HTTP Response Splitting in multiple modules
- debian/patches/CVE-2024-24795.patch: let httpd handle CL/TE for
non-http handlers in include/util_script.h,
modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
modules/generators/mod_cgid.c, modules/http/http_filters.c,
modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
- CVE-2024-24795
* SECURITY UPDATE: HTTP/2 DoS by memory exhaustion on endless
continuation frames
- debian/patches/CVE-2024-27316.patch: bail after too many failed reads
in modules/http2/h2_session.c, modules/http2/h2_stream.c,
modules/http2/h2_stream.h.
- CVE-2024-27316
-- Marc Deslauriers <email address hidden> Wed, 10 Apr 2024 13:41:02 -0400
-
apache2 (2.4.57-2ubuntu2.3) mantic; urgency=medium
* d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
dolphin and Konqueror/5 careful redirection so that directories can be
deleted via webdav.
(LP: #1927742)
apache2 (2.4.57-2ubuntu2.2) mantic; urgency=medium
* d/icons/ubuntu-logo.png: add Ubuntu image for welcome page (LP: #1947459).
-- Bryce Harrington <email address hidden> Wed, 24 Jan 2024 22:51:25 -0800
-
apache2 (2.4.57-2ubuntu2.2) mantic; urgency=medium
* d/icons/ubuntu-logo.png: add Ubuntu image for welcome page (LP: #1947459).
-- Mitchell Dzurick <email address hidden> Fri, 05 Jan 2024 14:39:55 -0700
-
apache2 (2.4.57-2ubuntu2.1) mantic-security; urgency=medium
* SECURITY UPDATE: mod_macro buffer over-read
- debian/patches/CVE-2023-31122.patch: fix length in
modules/core/mod_macro.c.
- CVE-2023-31122
* SECURITY UPDATE: Multiple issues in HTTP/2
- CVE-2023-43622: DoS in HTTP/2 with initial windows size 0
- CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST
- debian/patches/update_http2.patch: backport version 2.0.22 of
mod_http2 from httpd 2.4.58.
- CVE-2023-43622
- CVE-2023-45802
-- Marc Deslauriers <email address hidden> Thu, 26 Oct 2023 09:28:30 -0400
-
apache2 (2.4.57-2ubuntu2) mantic; urgency=medium
* d/control: Upgrade lua build dependency to 5.4
-- Lena Voytek <email address hidden> Fri, 21 Jul 2023 14:17:42 -0700
-
apache2 (2.4.57-2ubuntu1) mantic; urgency=medium
* Merge from Debian unstable. Remaining changes:
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/source/include-binaries: Replace Debian with Ubuntu on default
homepage.
- d/apache2.py, d/apache2-bin.install: Add apport hook
- d/control, d/apache2.install, d/apache2-utils.ufw.profile,
d/apache2.dirs: Add ufw profiles
* Dropped changes included in new version:
- debian/patches/CVE-2023-25690-1.patch
- debian/patches/CVE-2023-25690-2.patch
- debian/patches/CVE-2023-27522.patch
apache2 (2.4.57-2) unstable; urgency=medium
* Revert debian/* changes (Bookworm freeze)
apache2 (2.4.57-1) unstable; urgency=medium
* New upstream version 2.4.57
* Drop 2.4.56-regression patches
apache2 (2.4.56-2) unstable; urgency=medium
* Fix regression in mod_rewrite introduced in version 2.4.56
(Closes: #1033284)
* Fix regression in http2 introduced by 2.4.56 (Closes: #1033408)
apache2 (2.4.56-1) unstable; urgency=medium
* New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)
-- Marc Deslauriers <email address hidden> Wed, 07 Jun 2023 14:02:48 -0400
-
apache2 (2.4.55-1ubuntu2) lunar; urgency=medium
* SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
- debian/patches/CVE-2023-25690-1.patch: don't forward invalid query
strings in modules/http2/mod_proxy_http2.c,
modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c,
modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c,
modules/proxy/mod_proxy_wstunnel.c.
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in
modules/http2/mod_proxy_http2.c.
- CVE-2023-25690
* SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
- debian/patches/CVE-2023-27522.patch: stricter backend HTTP response
parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
- CVE-2023-27522
-- Marc Deslauriers <email address hidden> Wed, 08 Mar 2023 11:32:34 -0500
