[ubuntu/cosmic-proposed] apache2 2.4.33-3ubuntu1 (Accepted)
Andreas Hasenack
andreas at canonical.com
Tue May 15 17:52:14 UTC 2018

apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable (LP: #1770242). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
  * Drop:
    - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
      + debian/patches/CVE-2017-15710.patch: fix language long names
        detection as short name in modules/aaa/mod_authnz_ldap.c.
      + CVE-2017-15710
    - SECURITY UPDATE: incorrect <FilesMatch> matching
      + debian/patches/CVE-2017-15715.patch: allow to configure
        global/default options for regexes, like caseless matching or
        extended format in include/ap_regex.h, server/core.c,
        server/util_pcre.c.
      + CVE-2017-15715
    - SECURITY UPDATE: mod_session header manipulation
      + debian/patches/CVE-2018-1283.patch: strip Session header when
        SessionEnv is on in modules/session/mod_session.c.
      + CVE-2018-1283
    - SECURITY UPDATE: DoS via specially-crafted request
      + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
        terminated on any error, not only on buffer full in
        server/protocol.c.
      + CVE-2018-1301
    - SECURITY UPDATE: mod_cache_socache DoS
      + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
        to carriage return in modules/cache/mod_cache_socache.c.
      + CVE-2018-1303
    - SECURITY UPDATE: insecure nonce generation
      + debian/patches/CVE-2018-1312.patch: actually use the secret when
        generating nonces in modules/aaa/mod_auth_digest.c.
      + CVE-2018-1312
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allows a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.
      [type=Forking already in the base systemd service file, and
      RemainsAfterExit=no is the default value, so no need to
      customize these anymore.]
    - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
      + added debian/patches/util_ldap_cache_lock_fix.patch
      [Already applied upstream]

apache2 (2.4.33-3) unstable; urgency=medium

  * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
    Closes: #894785
  * mod_http2: Avoid high memory usage with large files, causing crashes on
    32bit archs. Closes: #897218
  * Migrate from alioth to salsa.

apache2 (2.4.33-2) unstable; urgency=medium

  * Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi
    and libapache2-mod-md.
    Closes: #894760, #894761, #894785

apache2 (2.4.33-1) unstable; urgency=medium

  * New upstream version.
    Security fixes:
    - CVE-2017-15710
      Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
    - CVE-2018-1283
      mod_session: CGI-like applications that intend to read from mod_session's
      'SessionEnv ON' could be fooled into reading user-supplied data instead.
    - CVE-2018-1303
      mod_cache_socache: Fix request headers parsing to avoid a possible crash
      with specially crafted input data.
    - CVE-2018-1301
      core: Possible crash with excessively long HTTP request headers.
      Impractical to exploit with a production build and production LogLevel.
    - CVE-2017-15715
      core: Configure the regular expression engine to match '$' to the end of
      the input string only, excluding matching the end of any embedded
      newline characters. Behavior can be changed with new directive
      'RegexDefaultOptions'.
    - CVE-2018-1312
      mod_auth_digest: Fix generation of nonce values to prevent replay
      attacks across servers using a common Digest domain. This change
      may cause problems if used with round robin load balancers. PR 54637
    - CVE-2018-1302
      mod_http2: Potential crash w/ mod_http2.

    - mod_proxy_uwsgi: New UWSGI proxy submodule.
    - mod_md: New experimental module for managing domains across virtual
      hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
      renew certificates.
    - core: silently ignore a non-existent file path when IncludeOptional
      is used. Closes: #878920
    - mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980

  * Fix lintian warnings:
    - Include SupportApache-small.png in apache2-doc package instead of
      linking to apache.org, to avoid privacy issues.
    - Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
    - Remove deprecated use of autotools_dev with dh.
    - Add some overrides
  * Bump standards-version to 4.1.2 (no changes)

apache2 (2.4.29-2) unstable; urgency=medium

  * Add myself to Uploaders
  * Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
  * Run wrap-and-sort -a to canonicalize the debian/ directory
  * Add Build-Depends on libbrotli-dev and enable brotli module

Date: Tue, 15 May 2018 11:03:34 -0300
Changed-By: Andreas Hasenack <andreas at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.33-3ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 15 May 2018 11:03:34 -0300
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg libapache2-mod-md libapache2-mod-proxy-uwsgi
Architecture: source
Version: 2.4.33-3ubuntu1
Distribution: cosmic
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Andreas Hasenack <andreas at canonical.com>
Description:
apache2 - Apache HTTP Server
apache2-bin - Apache HTTP Server (modules and other binary files)
apache2-data - Apache HTTP Server (common files)
apache2-dbg - Apache debugging symbols
apache2-dev - Apache HTTP Server (development headers)
apache2-doc - Apache HTTP Server (on-site documentation)
apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
apache2-utils - Apache HTTP Server (utility programs for web servers)
libapache2-mod-md - transitional package
libapache2-mod-proxy-uwsgi - transitional package
Closes: 814980 878920 879634 894760 894761 894785 897218
Launchpad-Bugs-Fixed: 1770242
Checksums-Sha1:
746963896e5fa291f2075f4b02899d823dde23ae 3391 apache2_2.4.33-3ubuntu1.dsc
9e56042515793a6992adc4b9f3a0345a0cb98176 6934765 apache2_2.4.33.orig.tar.bz2
48267c3dfe0775847b2ee39f6a4b354e562dc647 800756 apache2_2.4.33-3ubuntu1.debian.tar.xz
5df328b4a09bca1404a77b09460da19eaadcbd11 8132 apache2_2.4.33-3ubuntu1_source.buildinfo
Checksums-Sha256:
9c12e250286ded84185713b4aa07083bce698f56097c9e7d3d00a6c0d055fa39 3391 apache2_2.4.33-3ubuntu1.dsc
de02511859b00d17845b9abdd1f975d5ccb5d0b280c567da5bf2ad4b70846f05 6934765 apache2_2.4.33.orig.tar.bz2
41553d57169e6a49eb68ec62cf9dbb2b10d70a0a3c11e0a3eea75eff7f3132bc 800756 apache2_2.4.33-3ubuntu1.debian.tar.xz
7c7d7301ceb1469a0f875efe2e6e147f0837122b952c75f859dca2f5dd7dd9f4 8132 apache2_2.4.33-3ubuntu1_source.buildinfo
Files:
9cc75aa169446d7a67d4d1accf965679 3391 httpd optional apache2_2.4.33-3ubuntu1.dsc
6ef469d3f16fffeb688bc6e0346823e5 6934765 httpd optional apache2_2.4.33.orig.tar.bz2
53699b8d857a356eefb6c653bba3152e 800756 httpd optional apache2_2.4.33-3ubuntu1.debian.tar.xz
cb5d420a84f94557ab1275d6671ca384 8132 httpd optional apache2_2.4.33-3ubuntu1_source.buildinfo
Original-Maintainer: Debian Apache Maintainers <debian-apache at lists.debian.org>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----