Merge apache2 from Debian unstable for k-series

Bug #1971229 reported by Bryce Harrington
Affects: apache2 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Scheduled-For: 00.07
Upstream: 2.4.53
Debian: 2.4.53-2
Ubuntu: 2.4.52-1ubuntu4

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.

### New Debian Changes ###

apache2 (2.4.53-2) unstable; urgency=medium

  * Clean useless Conflicts/Replace
  * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254)

 -- Yadd <email address hidden> Tue, 15 Mar 2022 15:27:39 +0100

apache2 (2.4.53-1) unstable; urgency=medium

  * New upstream version 2.4.53 (Closes: CVE-2022-22719,
    CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)
  * Update copyright
  * Patches:
    + Drop fix-2.4.52-regression.patch, now included in upstream
    + Refresh fhs_compliance.patch
    + Update and disable child_processes_fail_to_start.patch
  * Update test framework
  * Back to unstable

 -- Yadd <email address hidden> Mon, 14 Mar 2022 17:10:39 +0100

apache2 (2.4.52-3) experimental; urgency=medium

  * Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL
    error)
  * Set hardening=+all instead of hardening=+bindnow

 -- Yadd <email address hidden> Tue, 28 Dec 2021 21:20:05 +0100

apache2 (2.4.52-2) experimental; urgency=medium

  * Build with pcre2 (Closes: #1000114)

 -- Yadd <email address hidden> Tue, 28 Dec 2021 20:01:43 +0100

apache2 (2.4.52-1) unstable; urgency=medium

  * Refresh suexec-custom.patch
  * Update lintian overrides
  * Wrap long lines in changelog entries: 2.4.51-2.
  * New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790)
  * Refresh patches

 -- Yadd <email address hidden> Mon, 20 Dec 2021 18:42:09 +0100

apache2 (2.4.51-2) unstable; urgency=medium

  * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting
    parameters

 -- Yadd <email address hidden> Mon, 25 Oct 2021 18:37:03 +0200

apache2 (2.4.51-1) unstable; urgency=medium

  * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013)
  * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659)

 -- Yadd <email address hidden> Thu, 07 Oct 2021 20:35:33 +0200

apache2 (2.4.50-1) unstable; urgency=high

  * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524)
  * Remove patches already merged upstream

 -- Ondřej Surý <email address hidden> Tue, 05 Oct 2021 13:25:23 +0200

apache2 (2.4.49-4) unstable; urgency=medium

  [ Ondřej Surý ]
  * Add upstream patch to fix crash in 2.4.49

 -- Yadd <email address hidden> Fri, 01 Oct 2021 11:34:24 +0200

apache2 (2.4.49-3) unstable; urgency=medium

  [ Yadd ]
  * Re-export upstream signing key without extra signatures.
  * Drop transition for old debug package migration.

  [ Moritz Muehlenhoff ]
  * Fix CVE-2021-40438 regression

 -- Yadd <email address hidden> Thu, 30 Sep 2021 06:00:06 +0200

apache2 (2.4.49-2) unstable; urgency=medium

  [ Michiel Hazelhof ]
  * Fix multi instance issue (Closes: #868861)

  [ Philippe Ombredanne ]
  * Fix GPL version typo in copyright file

 -- Yadd <email address hidden> Thu, 23 Sep 2021 13:55:55 +0200

apache2 (2.4.49-1) unstable; urgency=medium

  * Update upstream GPG keys
  * New upstream version 2.4.51. Closes: CVE-2021-33193, CVE-2021-34798,
    CVE-2021-36160, CVE-2021-39275, CVE-2021-40438, CVE-2021-41524,
    CVE-2021-41773, CVE-2021-42013)

### Old Ubuntu Delta ###

apache2 (2.4.52-1ubuntu4) jammy; urgency=medium

  * d/apache2.postrm: Include md5 sum for updated index.html

 -- Bryce Harrington <email address hidden> Thu, 24 Mar 2022 17:35:40 -0700

apache2 (2.4.52-1ubuntu3) jammy; urgency=medium

  * d/index.html:
    - Redesign page's heading for the new logo
    - Use the Ubuntu font where available
    - Update service management directions
    - Copyedit grammar
    - Light reformatting and whitespace cleanup
  * d/icons/ubuntu-logo.png: Refresh ubuntu logo
    (LP: #1966004)

 -- Bryce Harrington <email address hidden> Wed, 23 Mar 2022 16:18:11 -0700

apache2 (2.4.52-1ubuntu2) jammy; urgency=medium

  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
      lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
    request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic
      if discarding the request body fails in modules/http/http_filters.c,
      server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that
      LimitXMLRequestBody fits in system memory in server/core.c,
      server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
      buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
      modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
      modules/filters/mod_sed.c.
    - CVE-2022-23943

 -- Marc Deslauriers <email address hidden> Thu, 17 Mar 2022 09:39:54 -0400

apache2 (2.4.52-1ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable (LP: #1959924). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
      (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.
      (LP 1288690)
  * Dropped:
    - d/p/support-openssl3-*.patch: Backport various patches from
      https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
      failure to load when using OpenSSL 3.
      (LP #1951476)
      [Included in upstream release 2.4.52]
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      (LP 1832182)
      [This introduced a performance regression.]
    - d/apache2ctl: Also use /run/systemd to check for systemd usage.
      (LP 1918209)
      [Not needed]

 -- Bryce Harrington <email address hidden> Thu, 03 Feb 2022 10:25:47 -0800

Bryce Harrington (bryce) wrote :

(JUST TESTING)

Changed in apache2 (Ubuntu):
status: New → Invalid