-
apache2 (2.4.10-1ubuntu1.1) utopic-security; urgency=medium
* SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
- debian/patches/CVE-2013-5704.patch: don't merge trailers by default
and add a "MergeTrailers" directive to revert to previous behaviour
to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
modules/http/http_request.c, modules/loggers/mod_log_config.c,
modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c.
- CVE-2013-5704
* SECURITY UPDATE: mod_cache denial of service via empty HTTP
Content-Type header
- debian/patches/CVE-2014-3581.patch: check for NULL in
modules/cache/cache_util.c.
- CVE-2014-3581
* SECURITY UPDATE: mod_proxy_fcgi deial of service via long response
headers
- debian/patches/CVE-2014-3583.patch: properly handle length in
modules/aaa/mod_authnz_fcgi.c, modules/proxy/mod_proxy_fcgi.c.
- CVE-2014-3583
* SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
directives
- debian/patches/CVE-2014-8109.patch: handle multiple Require
directives with different arguments in modules/lua/mod_lua.c.
- CVE-2014-8109
* SECURITY UPDATE: denial of service in mod_lua via websockets PING
- debian/patches/CVE-2015-0228.patch: fix logic in
modules/lua/lua_request.c.
- CVE-2015-0228
-- Marc Deslauriers <email address hidden> Thu, 05 Mar 2015 12:05:47 -0500
-
apache2 (2.4.10-1ubuntu1) utopic; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
d/apache2.install: Plymouth aware passphrase dialog program
ask-for-passphrase.
- Add dep8 tests.
- debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
configure.
- debian/patches/086_svn_cross_compiles: Backport several cross fixes from
upstream
- d/index.html: replace Debian with Ubuntu on default page.
- d/p/split-logfile.patch: fix completely broken split-logfile command.
apache2 (2.4.10-1) unstable; urgency=medium
[ Arno Töll ]
* New upstream version
+ Refresh debian/patches/fhs_compliance.patch
+ Security Fixes:
- CVE-2014-0117 mod_proxy: Fix DoS that could cause a crash
- CVE-2014-0226 Fix a race condition resulting in a heap overflow in
scoreboard handling
- CVE-2014-0118 mod_deflate: The DEFLATE input filter now limits the
length and compression ratio of inflated request to mitigate a
possible DoS
- CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts
+ Fixes SNI with certificate defined in global scope. (Closes: #751361)
* Warn users if they try to disable modules that we consider essential for
operation of the Apache web server (Closes: #709461)
* Drop libcap from our build-dependencies. That was needed for itk which we
gave source out to it's own package again.
* Provide apache2.2-common package to avoid upgrading problems for people
using --purge (apt) or --purge-unused (aptitude) even though that's
clearly discouraged. This caused disappearing of conffiles because we move
them from apache2.2-common to apache2 during the upgrade. Ugh. This was
not a bug in our packaging, but an unfortunately people blame us
nonetheless even though it's not all our fault. This alternative helps
those people, but at the same time means that incompatible modules aren't
force-removed by dpkg during the upgrade. Hopefully we catch all of them
with the Breaks relation coming along (Closes: #716880, #752922, #711925)
apache2 (2.4.9-2) unstable; urgency=medium
* Fix logic in postinst to detect existing index.* files in both
DocumentRoots, the old /var/www and the new /var/www/html. Also
change the compiled in default DocumentRoot to /var/www/html.
Closes: #743915
* Fix buffer overflows in suexec with very long (unix) usernames. Not
exploitable due to FORTIFY_SOURCE. And creating users usually requires
root privileges, anyway. Thanks to Luca Bruno for the report.
* Remove conflicts of mpm modules with mpm_itk, which isn't an mpm
anymore. Fixes a part of: #734865. libapache2-mpm-itk needs a fix, too.
* Remove obsolete warning in a2enmod about mpm-itk.
* Fix lintian warning: Remove image ref to w3.org, which is a privacy
breach.
-- Robie Basak <email address hidden> Thu, 24 Jul 2014 15:13:16 +0000
-
apache2 (2.4.9-1ubuntu2) utopic; urgency=medium
* Revert 2.4.4-6ubuntu3 and build against lua 5.1 again, since Apache doesn't
yet support building against lua 5.2 (LP: #1323930).
-- Robie Basak <email address hidden> Wed, 28 May 2014 08:55:25 +0000
-
apache2 (2.4.9-1ubuntu1) utopic; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase,
d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase
dialog program ask-for-passphrase.
- debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to
configure.
- debian/patches/086_svn_cross_compiles: Backport several cross fixes from
upstream
- Build using lua5.2.
- d/tests/chroot: dep8 test for ChrootDir case.
- d/tests/ssl-passphrase: update for new default path /var/www/html.
- d/tests/duplicate-module-load: check for duplicate module loads.
- d/index.html: replace Debian with Ubuntu on default page (LP: #1288690).
- d/p/split-logfile.patch: fix completely broken split-logfile command
(LP: #1299162). Thanks to Holger Mauermann.
* Drop changes (upstreamed):
- d/p/ignore-quilt-dir: adjust build system so that it does not use
files find inside the .pc directory. This stops a double module load
causing later havoc, including "ChrootDir" directive failure.
- debian/patches/CVE-2013-6438.patch: properly calculate correct length
in modules/dav/main/util.c.
- debian/patches/CVE-2014-0098.patch: properly parse tokens in
modules/loggers/mod_log_config.c.
* d/tests/control: adjust dep8 tests for new "breaks-testbed" facility.
apache2 (2.4.9-1) unstable; urgency=medium
* New upstream version.
Security fixes:
- CVE-2013-6438: mod_dav: Fix DoS from crafted DAV WRITE requests.
- CVE-2014-0098: mod_log_config: Fix segfaults when logging truncated
cookies.
Notable new features:
- Support named groups and backreferences within the LocationMatch,
DirectoryMatch, FilesMatch and ProxyMatch directives.
- mod_proxy: Added support for unix domain sockets as the backend server
endpoint.
- mod_ssl: Add support for OpenSSL configuration commands by introducing
the SSLOpenSSLConfCmd directive.
- mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
require directives.
- mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
and IgnoreInherit.
- Bugfix in the build system to avoid problems with patched config.m4
files as in LP #1251939.
* Make default cipher list in ssl.conf more secure:
- Remove 'MEDIUM'. This disables RC4 and SEED. Also remove '!MD5' because
'HIGH' does not include MD5.
- Remove the 'Speed-optimized SSL Cipher' configuration example because
it depends on RC4, which is considered insecure.
* Change init script short description to describe the service, not the
script. Closes: #738315
* Bump Standards-Version (no changes).
-- Robie Basak <email address hidden> Fri, 09 May 2014 19:30:04 +0000
-
apache2 (2.4.7-1ubuntu4) trusty; urgency=medium
* d/p/split-logfile.patch: fix completely broken split-logfile command
(LP: #1299162). Thanks to Holger Mauermann.
-- Robie Basak <email address hidden> Thu, 03 Apr 2014 11:21:22 +0000
