Please merge from debian 2.4.33

Bug #1770242 reported by Andreas Hasenack on 2018-05-09
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)

Bug Description


please merge apache 2.4.33 from debian

Related branches

Changed in apache2 (Ubuntu):
assignee: Andreas Hasenack (ahasenack) → nobody
status: In Progress → New
Andreas Hasenack (ahasenack) wrote :

I'm dropping this because of a complicated chain of dependencies in the archive. It's even hard to explain, but let's try, so that others who stumble across this will have some context.

From excuses:
trying: apache2
skipped: apache2 (0, 56, 7)
    got: 15+0: a-8:a-1:a-1:i-1:p-3:s-1
    * ppc64el: libapache2-mod-proxy-uwsgi-dbg, libapache2-mod-shib2

IRC discussion started here:

 <slangasek> ahasenack: in cosmic, libapache2-mod-shib2 is installable (though not coinstallable with other things)
 <slangasek> ahasenack: in cosmic-proposed, it is not installable because apache2-bin now depends on libcurl4 where it did not previously

So apache2-bin now ships a new module called mod-mo ( This module we (and debian) have been carrying in the archive as its own source. In the apache build it links with libcurl4, which is fine and good. But it does add a libcurl4 dependency to apache2-bin which wasn't there before.

Cue in libapache2-mod-shib2, from the shibboleth-sp2 source. It requires libxmltooling7, which in the archive is built with libcurl-openssl1.0-dev that is provided by a special curl3 source linked with openssl 1.0. That brings in libcurl3, which cannot be coinstalled with libcurl4. The curl package is a bit weird, because even though it's called libcurl3, it does not ship libcurl3:

$ apt-file search
libcurl3: /usr/lib/x86_64-linux-gnu/
libcurl3: /usr/lib/x86_64-linux-gnu/
libcurl4: /usr/lib/x86_64-linux-gnu/
libcurl4: /usr/lib/x86_64-linux-gnu/

And we have explicit conflicts between libcurl3 and libcurl4.

I don't know how to solve this, so I'm unassigning myself from the bug.

Andreas Hasenack (ahasenack) wrote :

Even in current cosmic this doesn't work:
# apt install apache2 libapache2-mod-shib2 libapache2-mod-md

It's because it tries to pull in libcurl3, and that removes curl libcurl4 pollinate ubuntu-server.

So to install shib2 and mod-md in cosmic, *before* this upload of 2.4.33, one has to:
root@cosmic-apache-fix-migration:~# apt install apache2 libapache2-mod-shib2 libapache2-mod-md libcurl3
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
  apache2-bin apache2-data apache2-utils libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libfcgi-bin libfcgi0ldbl libjansson4 liblog4shib1v5 libltdl7 liblua5.2-0 libmemcached11 libodbc1 libsaml9
  libshibsp-plugins libshibsp7 libxerces-c3.2 libxml-security-c17v5 libxmltooling7 opensaml2-schemas shibboleth-sp2-common shibboleth-sp2-utils ssl-cert xmltooling-schemas
Suggested packages:
  www-browser apache2-doc apache2-suexec-pristine | apache2-suexec-custom libmyodbc odbc-postgresql tdsodbc unixodbc-bin openssl-blacklist
The following packages will be REMOVED:
  curl libcurl4 pollinate ubuntu-server
The following NEW packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils libapache2-mod-md libapache2-mod-shib2 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libcurl3 libfcgi-bin libfcgi0ldbl libjansson4 liblog4shib1v5
  libltdl7 liblua5.2-0 libmemcached11 libodbc1 libsaml9 libshibsp-plugins libshibsp7 libxerces-c3.2 libxml-security-c17v5 libxmltooling7 opensaml2-schemas shibboleth-sp2-common shibboleth-sp2-utils ssl-cert
0 upgraded, 30 newly installed, 4 to remove and 0 not upgraded.
Need to get 6356 kB of archives.
After this operation, 33.0 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Emphasis on the REMOVED bits:
The following packages will be REMOVED:
  curl libcurl4 pollinate ubuntu-server

Launchpad Janitor (janitor) wrote :
Download full text (6.4 KiB)

This bug was fixed in the package apache2 - 2.4.33-3ubuntu2

apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium

  * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
    libapache2-mod-md until we figure out their transitions. libapache2-mod-md
    in particular is problematic because that makes apache2-bin pull in
    libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
    the installation of libapache2-mod-shib2. See
    for details.
    - Don't ship md.load and remove build-requires that were added because of
      mod-md (see
    - Remove proxy_uwsgi.load as we are not building it for now (see

apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable (LP: #1770242). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
  * Drop:
    - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
      + debian/patches/CVE-2017-15710.patch: fix language long names
        detection as short name in modules/aaa/mod_authnz_ldap.c.
      + CVE-2017-15710
    - SECURITY UPDATE: incorrect <FilesMatch> matching
      + debian/patches/CVE-2017-15715.patch: allow to configure
        global/default options for regexes, like caseless matching or
        extended format in include/ap_regex.h, server/core.c,
      + CVE-2017-15715
    - SECURITY UPDATE: mod_session header manipulation
      + debian/patches/CVE-2018-1283.patch: strip Session header when
        SessionEnv is on in modules/session/mod_session.c.
      + CVE-2018-1283
    - SECURITY UPDATE: DoS via specially-crafted request
      + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
        terminated on any error, not only on buffer full in
      + CVE-2018-1301
    - SECURITY UPDATE: mod_cache_socache DoS
      + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
        to carriage return in modules/cache/mod_cache_socache.c.
      + CVE-2018-1303
    - SECURITY UPDATE: insecure nonce generation
      + debian/patches/CVE-2018-1312.patch: actually use the secret when
        generating nonces in modules/aaa/mod_auth_digest.c.
      + CVE-2018-1312
    - Correct systemd-sysv-generator behavior by customizing some
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allow a correct state synchronisati...


Changed in apache2 (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers