Format: 1.8
Date: Tue, 11 Oct 2022 19:03:32 +0100
Source: apache2
Built-For-Profiles: noudeb
Architecture: source
Version: 2.4.54-2ubuntu1~bpo22.04.1~ppa1
Distribution: jammy
Urgency: medium
Maintainer: Ubuntu Developers
Changed-By: Grant Slater
Closes: 1000114 1007254 1010455 1012513 1014056
Launchpad-Bugs-Fixed: 1971248 1982048
Changes:
 apache2 (2.4.54-2ubuntu1~bpo22.04.1~ppa1) jammy; urgency=medium
 .
   * No-change backport to jammy.
 .
 apache2 (2.4.54-2ubuntu1) kinetic; urgency=medium
 .
   * Merge with Debian unstable (LP: #1982048). Remaining changes:
     - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
       d/source/include-binaries: Replace Debian with Ubuntu on default
       homepage.
       (LP #1966004)
     - d/apache2.py, d/apache2-bin.install: Add apport hook (LP #609177)
     - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
       d/apache2.dirs: Add ufw profiles (LP #261198)
 .
 apache2 (2.4.54-2) unstable; urgency=medium
 .
   * Move cgid socket into a writeable directory (Closes: #1014056)
   * Update lintian overrides
   * Declare compliance with policy 4.6.1
   * Install NOTICE in each package
 .
 apache2 (2.4.54-1) unstable; urgency=medium
 .
   [ Simon Deziel ]
   * Escape literal "." for BrowserMatch directives in setenvif.conf
   * Use non-capturing regex with FilesMatch directive in default-ssl.conf
 .
   [ Ondřej Surý ]
   * New upstream version 2.4.54 (Closes: #1012513, CVE-2022-31813,
     CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404,
     CVE-2022-30522, CVE-2022-30556, CVE-2022-28330)
 .
   [ Yadd ]
   * Fix htcacheclean doc (Closes: #1010455)
   * New upstream version 2.4.54
 .
 apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium
 .
   * Merge with Debian unstable (LP: #1971248). Remaining changes:
     - debian/{control, apache2.install, apache2-utils.ufw.profile,
       apache2.dirs}: Add ufw profiles.
       (LP 261198)
     - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
       (LP 609177)
     - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
       d/s/include-binaries: replace Debian with Ubuntu on default
       page and add Ubuntu icon file.
       (LP 1288690)
     - d/index.html, d/icons/ubuntu-logo.png: Refresh page design and
       new logo (LP 1966004)
     - d/apache2.postrm: Include md5 sum for updated index.html
   * Dropped:
     - OOB read in mod_lua via crafted request body
       + d/p/CVE-2022-22719.patch: error out if lua_read_body() or
         lua_write_body() fail in modules/lua/lua_request.c.
       [Fixed in 2.4.53 upstream]
     - HTTP Request Smuggling via error discarding the request body
       + d/p/CVE-2022-22720.patch: simpler connection close logic if
         discarding the request body fails in
         modules/http/http_filters.c, server/protocol.c.
       [Fixed in 2.4.53 upstream]
     - overflow via large LimitXMLRequestBody
       + d/p/CVE-2022-22721.patch: make sure and check that
         LimitXMLRequestBody fits in system memory in server/core.c,
         server/util.c, server/util_xml.c.
       [Fixed in 2.4.53 upstream]
     - out-of-bounds write in mod_sed
       + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger
         buffer sizes and unsigned arithmetics in
         modules/filters/libsed.h, modules/filters/mod_sed.c,
         modules/filters/sed1.c.
       + d/p/CVE-2022-23943-2.patch: improve the logic flow in
         modules/filters/mod_sed.c.
       [Fixed in 2.4.53 upstream]
 .
 apache2 (2.4.53-2) unstable; urgency=medium
 .
   * Clean useless Conflicts/Replace
   * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254)
 .
 apache2 (2.4.53-1) unstable; urgency=medium
 .
   * New upstream version 2.4.53
     (Closes: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)
   * Update copyright
   * Patches:
     + Drop fix-2.4.52-regression.patch, now included in upstream
     + Refresh fhs_compliance.patch
     + Update and disable child_processes_fail_to_start.patch
   * Update test framework
   * Back to unstable
 .
 apache2 (2.4.52-3) experimental; urgency=medium
 .
   * Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL
     error)
   * Set hardening=+all instead of hardening=+bindnow
 .
 apache2 (2.4.52-2) experimental; urgency=medium
 .
   * Build with pcre2 (Closes: #1000114)
Checksums-Sha1:
 da34d4a037b71d819d55c698e41f3a4fd0df0b75 3095 apache2_2.4.54-2ubuntu1~bpo22.04.1~ppa1.dsc
 5121eed65951d525db5bde8c8997dffa6daa613a 9743277 apache2_2.4.54.orig.tar.gz
 1ed1a8255a5ff8279f10e2274616506c99e41a7c 918912 apache2_2.4.54-2ubuntu1~bpo22.04.1~ppa1.debian.tar.xz
 628270ac2b290d7bce17739339f1dcf0d2d3a66b 8317 apache2_2.4.54-2ubuntu1~bpo22.04.1~ppa1_source.buildinfo
Checksums-Sha256:
 ec8f94eab9a54e42d20bb733449a3bbf7fa61638f1a978ca2ae821c373903990 3095 apache2_2.4.54-2ubuntu1~bpo22.04.1~ppa1.dsc
 c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb 9743277 apache2_2.4.54.orig.tar.gz
 531d100a3ebdd3d449c1c85d8928ac9f84a5ef8ec21d6f54415ee624ea178d4a 918912 apache2_2.4.54-2ubuntu1~bpo22.04.1~ppa1.debian.tar.xz
 b0cbdd90f7bc74c1e59bb71350ec1891603a01a49abc4dbb5d5e403193461545 8317 apache2_2.4.54-2ubuntu1~bpo22.04.1~ppa1_source.buildinfo
Files:
 7b80eaa2adb4c9605432d9c50f48c8e9 3095 httpd optional apache2_2.4.54-2ubuntu1~bpo22.04.1~ppa1.dsc
 5830f69aeed1f4a00a563862aaf2c67d 9743277 httpd optional apache2_2.4.54.orig.tar.gz
 3efc13acddc07d0d237de442ac39fa32 918912 httpd optional apache2_2.4.54-2ubuntu1~bpo22.04.1~ppa1.debian.tar.xz
 2033bacc6a1f8ce012380c354e5c42d0 8317 httpd optional apache2_2.4.54-2ubuntu1~bpo22.04.1~ppa1_source.buildinfo
Original-Maintainer: Debian Apache Maintainers