[ubuntu/cosmic-proposed] apache2 2.4.33-3ubuntu2 (Accepted)
Andreas Hasenack
andreas at canonical.com
Tue May 22 14:25:13 UTC 2018
apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
* d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
libapache2-mod-md until we figure out their transitions. libapache2-mod-md
in particular is problematic because that makes apache2-bin pull in
libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
the installation of libapache2-mod-shib2. See
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
for details.
- Don't ship md.load and remove build-requires that were added because of
mod-md (see
https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
- Remove proxy_uwsgi.load as we are not building it for now (see
https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
* Merge with Debian unstable (LP: #1770242). Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- d/t/control, d/t/check-http2: add basic test for http2 support
* Drop:
- SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
+ debian/patches/CVE-2017-15710.patch: fix language long names
detection as short name in modules/aaa/mod_authnz_ldap.c.
+ CVE-2017-15710
- SECURITY UPDATE: incorrect <FilesMatch> matching
+ debian/patches/CVE-2017-15715.patch: allow to configure
global/default options for regexes, like caseless matching or
extended format in include/ap_regex.h, server/core.c,
server/util_pcre.c.
+ CVE-2017-15715
- SECURITY UPDATE: mod_session header manipulation
+ debian/patches/CVE-2018-1283.patch: strip Session header when
SessionEnv is on in modules/session/mod_session.c.
+ CVE-2018-1283
- SECURITY UPDATE: DoS via specially-crafted request
+ debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
terminated on any error, not only on buffer full in
server/protocol.c.
+ CVE-2018-1301
- SECURITY UPDATE: mod_cache_socache DoS
+ debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
to carriage return in modules/cache/mod_cache_socache.c.
+ CVE-2018-1303
- SECURITY UPDATE: insecure nonce generation
+ debian/patches/CVE-2018-1312.patch: actually use the secret when
generating nonces in modules/aaa/mod_auth_digest.c.
+ CVE-2018-1312
- Correct systemd-sysv-generator behavior by customizing some
parameters:
+ d/apache2-systemd.conf: add a drop-in file to specify some
parameters for the systemd unit (type=Forking and
RemainsAfterExit=no), this allow a correct state synchronisation
between systemctl status and actual state of apache2 daemon.
+ d/apache2.install: place the apache2-systemd.conf file in the
correct location.
[type=Forking already in the base systemd service file, and
RemainsAfterExit=no is the default value, so no need to
customize these anymore.]
- Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
+ added debian/patches/util_ldap_cache_lock_fix.patch
[Already applied upstream]
apache2 (2.4.33-3) unstable; urgency=medium
* Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
Closes: #894785
* mod_http2: Avoid high memory usage with large files, causing crashes on
32bit archs. Closes: #897218
* Migrate from alioth to salsa.
apache2 (2.4.33-2) unstable; urgency=medium
* Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi
and libapache2-mod-md.
Closes: #894760, #894761, #894785
apache2 (2.4.33-1) unstable; urgency=medium
* New upstream version.
Security fixes:
- CVE-2017-15710
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
- CVE-2018-1283
mod_session: CGI-like applications that intend to read from mod_session's
'SessionEnv ON' could be fooled into reading user-supplied data instead.
- CVE-2018-1303
mod_cache_socache: Fix request headers parsing to avoid a possible crash
with specially crafted input data.
- CVE-2018-1301
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel.
- CVE-2017-15715
core: Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'.
- CVE-2018-1312
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
may cause problems if used with round robin load balancers. PR 54637
- CVE-2018-1302
mod_http2: Potential crash w/ mod_http2.
- mod_proxy_uwsgi: New UWSGI proxy submodule.
- mod_md: New experimental module for managing domains across virtual
hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
renew certificates.
- core: silently ignore a not existent file path when IncludeOptional
is used. Closes: #878920
- mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980
* Fix lintian warnings:
- Include SupportApache-small.png in apache2-doc package instead of
linking to apache.org, to avoid privacy issues.
- Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
- Remove deprecated use of autotools_dev with dh.
- Add some overrides
* Bump standards-version to 4.1.2 (no changes)
apache2 (2.4.29-2) unstable; urgency=medium
* Add myself to Uploaders
* Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
* Run wrap-and-sort -a to canonicalize the debian/ directory
* Add Build-Depends on libbrotli-dev and enable brotli module
Date: Thu, 17 May 2018 14:46:19 +0000
Changed-By: Andreas Hasenack <andreas at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.33-3ubuntu2
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 17 May 2018 14:46:19 +0000
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: source
Version: 2.4.33-3ubuntu2
Distribution: cosmic
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Andreas Hasenack <andreas at canonical.com>
Description:
apache2 - Apache HTTP Server
apache2-bin - Apache HTTP Server (modules and other binary files)
apache2-data - Apache HTTP Server (common files)
apache2-dbg - Apache debugging symbols
apache2-dev - Apache HTTP Server (development headers)
apache2-doc - Apache HTTP Server (on-site documentation)
apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
apache2-utils - Apache HTTP Server (utility programs for web servers)
Closes: 814980 878920 879634 894760 894761 894785 897218
Launchpad-Bugs-Fixed: 1770242
Changes:
apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
.
* d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
libapache2-mod-md until we figure out their transitions. libapache2-mod-md
in particular is problematic because that makes apache2-bin pull in
libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
the installation of libapache2-mod-shib2. See
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
for details.
- Don't ship md.load and remove build-requires that were added because of
mod-md (see
https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
- Remove proxy_uwsgi.load as we are not building it for now (see
https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
.
apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
.
* Merge with Debian unstable (LP: #1770242). Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- d/t/control, d/t/check-http2: add basic test for http2 support
* Drop:
- SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
+ debian/patches/CVE-2017-15710.patch: fix language long names
detection as short name in modules/aaa/mod_authnz_ldap.c.
+ CVE-2017-15710
- SECURITY UPDATE: incorrect <FilesMatch> matching
+ debian/patches/CVE-2017-15715.patch: allow to configure
global/default options for regexes, like caseless matching or
extended format in include/ap_regex.h, server/core.c,
server/util_pcre.c.
+ CVE-2017-15715
- SECURITY UPDATE: mod_session header manipulation
+ debian/patches/CVE-2018-1283.patch: strip Session header when
SessionEnv is on in modules/session/mod_session.c.
+ CVE-2018-1283
- SECURITY UPDATE: DoS via specially-crafted request
+ debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
terminated on any error, not only on buffer full in
server/protocol.c.
+ CVE-2018-1301
- SECURITY UPDATE: mod_cache_socache DoS
+ debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
to carriage return in modules/cache/mod_cache_socache.c.
+ CVE-2018-1303
- SECURITY UPDATE: insecure nonce generation
+ debian/patches/CVE-2018-1312.patch: actually use the secret when
generating nonces in modules/aaa/mod_auth_digest.c.
+ CVE-2018-1312
- Correct systemd-sysv-generator behavior by customizing some
parameters:
+ d/apache2-systemd.conf: add a drop-in file to specify some
parameters for the systemd unit (type=Forking and
RemainsAfterExit=no), this allow a correct state synchronisation
between systemctl status and actual state of apache2 daemon.
+ d/apache2.install: place the apache2-systemd.conf file in the
correct location.
[type=Forking already in the base systemd service file, and
RemainsAfterExit=no is the default value, so no need to
customize these anymore.]
- Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
+ added debian/patches/util_ldap_cache_lock_fix.patch
[Already applied upstream]
.
apache2 (2.4.33-3) unstable; urgency=medium
.
* Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
Closes: #894785
* mod_http2: Avoid high memory usage with large files, causing crashes on
32bit archs. Closes: #897218
* Migrate from alioth to salsa.
.
apache2 (2.4.33-2) unstable; urgency=medium
.
* Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi
and libapache2-mod-md.
Closes: #894760, #894761, #894785
.
apache2 (2.4.33-1) unstable; urgency=medium
.
* New upstream version.
Security fixes:
- CVE-2017-15710
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
- CVE-2018-1283
mod_session: CGI-like applications that intend to read from mod_session's
'SessionEnv ON' could be fooled into reading user-supplied data instead.
- CVE-2018-1303
mod_cache_socache: Fix request headers parsing to avoid a possible crash
with specially crafted input data.
- CVE-2018-1301
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel.
- CVE-2017-15715
core: Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'.
- CVE-2018-1312
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
may cause problems if used with round robin load balancers. PR 54637
- CVE-2018-1302
mod_http2: Potential crash w/ mod_http2.
.
- mod_proxy_uwsgi: New UWSGI proxy submodule.
- mod_md: New experimental module for managing domains across virtual
hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
renew certificates.
- core: silently ignore a not existent file path when IncludeOptional
is used. Closes: #878920
- mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980
.
* Fix lintian warnings:
- Include SupportApache-small.png in apache2-doc package instead of
linking to apache.org, to avoid privacy issues.
- Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
- Remove deprecated use of autotools_dev with dh.
- Add some overrides
* Bump standards-version to 4.1.2 (no changes)
.
apache2 (2.4.29-2) unstable; urgency=medium
.
* Add myself to Uploaders
* Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
* Run wrap-and-sort -a to canonicalize the debian/ directory
* Add Build-Depends on libbrotli-dev and enable brotli module
Checksums-Sha1:
8444ec402816b3b319710bea1d0676607382da0c 3184 apache2_2.4.33-3ubuntu2.dsc
c241f028c608abd8b8f85b1c1e5a4bfad18cc34f 800992 apache2_2.4.33-3ubuntu2.debian.tar.xz
0eed6b1265fb0e198b06f7e9d7d69a6226a23096 7700 apache2_2.4.33-3ubuntu2_source.buildinfo
Checksums-Sha256:
8c0e1888f4ffbb261e791368bbf710a33d89607305838910a733304ad4cfb979 3184 apache2_2.4.33-3ubuntu2.dsc
d1da52ea3bcf5c8b06eea8bd34fe488f7e65d7ac5b019a95ddfee549c08d1d90 800992 apache2_2.4.33-3ubuntu2.debian.tar.xz
1e7a0ade8cb40e376893fdeea050d80b9e0f7204144128afebbbb6d59f54cd4d 7700 apache2_2.4.33-3ubuntu2_source.buildinfo
Files:
9d9e009dddfbe35341a343fb9ffcf06b 3184 httpd optional apache2_2.4.33-3ubuntu2.dsc
ec486cc58c4c2de57124cd6ae461e4c0 800992 httpd optional apache2_2.4.33-3ubuntu2.debian.tar.xz
ea312880960666004420d75c94f63ea5 7700 httpd optional apache2_2.4.33-3ubuntu2_source.buildinfo
Original-Maintainer: Debian Apache Maintainers <debian-apache at lists.debian.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEiGZB1jWM2kalbBxyrJg+tb9ry6kFAlsEJwsACgkQrJg+tb9r
y6kczxAAzG7N9b86dlo4qrwXnbyZvy3wppMZ0elFJNea2wyq8DGhSJggeppBlVSa
EUHZr14Un92oEgibpuuYPDOGqeMzpvIT+ZuHGHPzcvhCkKXXGebMVERFRCsnJ+7x
RSl+pXJLLD1u8tCDi8R5LONbsEl1cGU15BEj6h9kuPuzGftbaHO8V6D+Sh+8h39p
XGfCCHUPEF8932QLquNns+Le01fFaAOpGjXL/B0ly/hEQiSChkrFJjCdOkrKZMJ9
JU03uZCYZasIUiCIiLfL1DUkHvrkc9n8dFcCISwg9+xY1MpX5ll6C1R/HO4zRFh4
UcMK1fsdkr8GznigmfXtxRDl4It88x1FBj3MZ6aK8Gc5MxdU95HW+LIYRzJdjGYk
j3v24AnfT22ANzy7oud1cipKcMh8v5Vxv0bb7CN3E9Ono4/k4lBTqzr0FK24hJO4
5oaNceceVUKHzbDX0GCU3T8T+kFyhjAzun4cCUnFvH8FSUxGXL90FlApiY0wsGvf
5EpZf7owWD11Gi/sFzqH2et0Q9Sk/3ckUi2iDFT9hFNz3soHBwnELiC7SU5/KVn/
hb6IkCqsh1DOvjOFndwLdQGF8e50f3hhS2g2KKFtr6TFxcMCWF9BDLhaKIbm1K0m
jIy6IPbEH/5RR1YzDp1pSfIP9m+nEgmTq+AHmMa+51QnMhXly+U=
=4Ghh
-----END PGP SIGNATURE-----
More information about the Cosmic-changes
mailing list