This bug was fixed in the package apache2 - 2.4.33-3ubuntu2 --------------- apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and libapache2-mod-md until we figure out their transitions. libapache2-mod-md in particular is problematic because that makes apache2-bin pull in libcurl4 which cannot be coinstalled with libcurl3. That situation breaks the installation of libapache2-mod-shib2. See https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1 for details. - Don't ship md.load and remove build-requires that were added because of mod-md (see https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf) - Remove proxy_uwsgi.load as we are not building it for now (see https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9) apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium * Merge with Debian unstable (LP: #1770242). Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace Debian with Ubuntu on default page. + d/source/include-binaries: add Ubuntu icon file - d/t/control, d/t/check-http2: add basic test for http2 support * Drop: - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig + debian/patches/CVE-2017-15710.patch: fix language long names detection as short name in modules/aaa/mod_authnz_ldap.c. + CVE-2017-15710 - SECURITY UPDATE: incorrect matching + debian/patches/CVE-2017-15715.patch: allow to configure global/default options for regexes, like caseless matching or extended format in include/ap_regex.h, server/core.c, server/util_pcre.c. + CVE-2017-15715 - SECURITY UPDATE: mod_session header manipulation + debian/patches/CVE-2018-1283.patch: strip Session header when SessionEnv is on in modules/session/mod_session.c. + CVE-2018-1283 - SECURITY UPDATE: DoS via specially-crafted request + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL terminated on any error, not only on buffer full in server/protocol.c. + CVE-2018-1301 - SECURITY UPDATE: mod_cache_socache DoS + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up to carriage return in modules/cache/mod_cache_socache.c. + CVE-2018-1303 - SECURITY UPDATE: insecure nonce generation + debian/patches/CVE-2018-1312.patch: actually use the secret when generating nonces in modules/aaa/mod_auth_digest.c. + CVE-2018-1312 - Correct systemd-sysv-generator behavior by customizing some parameters: + d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation between systemctl status and actual state of apache2 daemon. + d/apache2.install: place the apache2-systemd.conf file in the correct location. [type=Forking already in the base systemd service file, and RemainsAfterExit=no is the default value, so no need to customize these anymore.] - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683) + added debian/patches/util_ldap_cache_lock_fix.patch [Already applied upstream] apache2 (2.4.33-3) unstable; urgency=medium * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too. Closes: #894785 * mod_http2: Avoid high memory usage with large files, causing crashes on 32bit archs. Closes: #897218 * Migrate from alioth to salsa. apache2 (2.4.33-2) unstable; urgency=medium * Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi and libapache2-mod-md. Closes: #894760, #894761, #894785 apache2 (2.4.33-1) unstable; urgency=medium * New upstream version. Security fixes: - CVE-2017-15710 Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled - CVE-2018-1283 mod_session: CGI-like applications that intend to read from mod_session's 'SessionEnv ON' could be fooled into reading user-supplied data instead. - CVE-2018-1303 mod_cache_socache: Fix request headers parsing to avoid a possible crash with specially crafted input data. - CVE-2018-1301 core: Possible crash with excessively long HTTP request headers. Impractical to exploit with a production build and production LogLevel. - CVE-2017-15715 core: Configure the regular expression engine to match '$' to the end of the input string only, excluding matching the end of any embedded newline characters. Behavior can be changed with new directive 'RegexDefaultOptions'. - CVE-2018-1312 mod_auth_digest: Fix generation of nonce values to prevent replay attacks across servers using a common Digest domain. This change may cause problems if used with round robin load balancers. PR 54637 - CVE-2018-1302 mod_http2: Potential crash w/ mod_http2. - mod_proxy_uwsgi: New UWSGI proxy submodule. - mod_md: New experimental module for managing domains across virtual hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and renew certificates. - core: silently ignore a not existent file path when IncludeOptional is used. Closes: #878920 - mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980 * Fix lintian warnings: - Include SupportApache-small.png in apache2-doc package instead of linking to apache.org, to avoid privacy issues. - Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE - Remove deprecated use of autotools_dev with dh. - Add some overrides * Bump standards-version to 4.1.2 (no changes) apache2 (2.4.29-2) unstable; urgency=medium * Add myself to Uploaders * Bump required version of apr/apr-util to 1.6.0 (Closes: #879634) * Run wrap-and-sort -a to canonicalize the debian/ directory * Add Build-Depends on libbrotli-dev and enable brotli module -- Andreas Hasenack