Change logs for apache2 source package in Wily

  • apache2 (2.4.12-2ubuntu2.1) wily-security; urgency=medium
    
      * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
        - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
          server/util_script.c.
        - CVE-2016-5387
    
     -- Marc Deslauriers <email address hidden>  Thu, 14 Jul 2016 08:39:28 -0400
  • apache2 (2.4.12-2ubuntu2) wily; urgency=medium
    
      * SECURITY UPDATE: request smuggling via chunked transfer encoding
        - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
          modules/http/http_filters.c.
        - CVE-2015-3183
      * SECURITY UPDATE: access restriction bypass via deprecated API
        - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
          in include/http_request.h, server/request.c.
        - CVE-2015-3185
    
     -- Marc Deslauriers <email address hidden>  Fri, 24 Jul 2015 09:56:09 -0400
  • apache2 (2.4.12-2ubuntu1) wily; urgency=medium
    
      * Merge from Debian unstable. Remaining changes:
        - debian/{control, apache2.install, apache2-utils.ufw.profile,
          apache2.dirs}: Add ufw profiles.
        - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
        - Add dep8 tests.
        - debian/rules: Fix cross-building by passing
          DEB_{HOST,BUILD}_GNU_TYPE to configure.
        - debian/patches/086_svn_cross_compiles: Backport several cross
          fixes from upstream
        - d/index.html: replace Debian with Ubuntu on default page.
        - Allow "triggers-awaited" and "triggers-pending" states in addition
          to "installed" when determining whether to defer actions or
          process deferred actions.
      * Drop patches (applied upstream):
        - d/p/split-logfile.patch
        - d/p/CVE-2015-0228.patch
      * Drop changes (superseded in Debian):
        - Cherry-pick versioned build-depend on dpkg from Debian for correct
          dpkg-maintscript-helper symlink_to_dir support.
      * Drop changes (adopted in Debian):
        - d/control, d/config-dir/mods-available/ssl.conf,
          d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
          dialog program ask-for-passphrase.
      * Fix cross-building configure line in d/rules, which had bit-rotted in
        previous merges.
    
    apache2 (2.4.12-2) unstable; urgency=medium
    
      [ Jean-Michel Nirgal Vourgère ]
      * d/control:
        + Update Vcs-Browser.
      * d/copyright:
        + Change d/debhelper/dh_apache2 to dh_apache2.in.
        + Drop paragraph about inexistent itk patches.
    
      [ Stefan Fritsch ]
      * Remove all the transitional packages:
        apache2-mpm-worker, apache2-mpm-prefork, apache2-mpm-event,
        apache2-mpm-itk, apache2.2-bin, apache2.2-common,
        libapache2-mod-proxy-html, libapache2-mod-macro, apache2-suexec
        This also fixes the dependency problems caused by a recent version
        of debhelper (see #784803).
    
    apache2 (2.4.12-1) unstable; urgency=medium
    
      * New upstream version
      * Add a patch for CVE-2015-0253 which was introduced in 2.4.11 which
        was never shipped in Debian.
      * Ship mod_proxy_html's default config file. Closes: #782022
      * Fix typo in dh_apache2 man page. Closes: #781032
    
    apache2 (2.4.10-11) unstable; urgency=medium
    
      * core: Fix -D[efined] or <Define>[d] variables lifetime across restarts.
        This could cause all kinds of strange behavior. PR 56008. PR 57328
      * mpm_event: Fix process deadlock when shutting down a worker. PR 56960
      * mpm_event: Fix crashes due to various race conditions. Closes: #779078
    
    apache2 (2.4.10-10) unstable; urgency=medium
    
      * CVE-2015-0228: mod_lua: Fix denial of service vulnerability in
        wsupgrade().
      * Fix setup-instance example script to handle a2enconf/a2disconf.
        LP: #1430936
      * Tweak mention of mod_access_compat in NEWS.Debian. The module does
        not really work in practice.
    
     -- Robie Basak <email address hidden>  Thu, 28 May 2015 16:34:00 +0000
  • apache2 (2.4.10-9ubuntu1) vivid; urgency=medium
    
      * Merge from Debian unstable. Remaining changes:
        - debian/{control, apache2.install, apache2-utils.ufw.profile,
          apache2.dirs}: Add ufw profiles.
        - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
        - d/control, d/config-dir/mods-available/ssl.conf,
        - Add dep8 tests.
        - debian/rules: Fix cross-building by passing
          DEB_{HOST,BUILD}_GNU_TYPE to configure.
        - debian/patches/086_svn_cross_compiles: Backport several cross
          fixes from upstream
        - d/index.html: replace Debian with Ubuntu on default page.
        - d/p/split-logfile.patch: fix completely broken split-logfile
          command.
        - d/p/CVE-2015-0228.patch: fix logic in modules/lua/lua_request.c to fix a
          denial of service in mod_lua via websockets PING
      * debian/tests/ssl-passphrase: Add password responder for
        systemd-ask-passphrase.
    
    apache2 (2.4.10-9) unstable; urgency=medium
    
      * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
        LuaAuthzProvider is used in multiple Require directives with different
        arguments.
      * Include ask-for-passphrase script from Ubuntu with some tweaks. This
        fixes asking for certificate passphrases if started via systemd.
        Closes: #773405
      * Fix init script to not wait 20s if passphrase was wrong.
      * Also bump debhelper build-depends to get dh_installdeb with support for
        symlink_to_dir. Closes: #770421

     -- Martin Pitt <email address hidden>  Mon, 09 Mar 2015 12:03:16 +0100