Merge apache2 from Debian unstable for 22.04

Bug #1946831 reported by Bryce Harrington
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Undecided
Bryce Harrington

Bug Description

Upstream: 2.4.51
Debian: 2.4.51-1
Ubuntu: 2.4.48-3.1ubuntu3

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.

### New Debian Changes ###

apache2 (2.4.51-1) unstable; urgency=medium

  * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013)
  * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659)

 -- Yadd <email address hidden> Thu, 07 Oct 2021 20:35:33 +0200

apache2 (2.4.50-1) unstable; urgency=high

  * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524)
  * Remove patches already merged upstream

 -- Ondřej Surý <email address hidden> Tue, 05 Oct 2021 13:25:23 +0200

apache2 (2.4.49-4) unstable; urgency=medium

  [ Ondřej Surý ]
  * Add upstream patch to fix crash in 2.4.49

 -- Yadd <email address hidden> Fri, 01 Oct 2021 11:34:24 +0200

apache2 (2.4.49-3) unstable; urgency=medium

  [ Yadd ]
  * Re-export upstream signing key without extra signatures.
  * Drop transition for old debug package migration.

  [ Moritz Muehlenhoff ]
  * Fix CVE-2021-40438 regression

 -- Yadd <email address hidden> Thu, 30 Sep 2021 06:00:06 +0200

apache2 (2.4.49-2) unstable; urgency=medium

  [ Michiel Hazelhof ]
  * Fix multi instance issue (Closes: #868861)

  [ Philippe Ombredanne ]
  * Fix GPL version typo in copyright file

 -- Yadd <email address hidden> Thu, 23 Sep 2021 13:55:55 +0200

apache2 (2.4.49-1) unstable; urgency=medium

  * Update upstream GPG keys
  * New upstream version 2.4.49 (Closes: CVE-2021-34798, CVE-2021-36160,
    CVE-2021-39275, CVE-2021-40438)
  * Refresh patches

 -- Yadd <email address hidden> Thu, 16 Sep 2021 06:22:23 +0200

apache2 (2.4.48-4) unstable; urgency=medium

  * Fix mod_proxy HTTP2 request line injection (Closes: CVE-2021-33193)

 -- Yadd <email address hidden> Thu, 12 Aug 2021 11:37:43 +0200

apache2 (2.4.48-3.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Direct init script reload output from logrotate to syslog, to
    avoid mail-spamming the local admin (Closes: #990580)

 -- Thorsten Glaser <email address hidden> Sat, 10 Jul 2021 23:31:28 +0200

apache2 (2.4.48-3) unstable; urgency=medium

  * Fix debian/changelog

 -- Yadd <email address hidden> Sun, 20 Jun 2021 16:39:33 +0200

apache2 (2.4.48-2) unstable; urgency=medium

  * Back to unstable: Apache2 will follow upstream changes for Bullseye

  [ Christian Ehrhardt ]
  * d/t/control, d/t/check-http2: basic test for http2 (Closes: #884068)

 -- Yadd <email address hidden> Sat, 19 Jun 2021 17:50:29 +0200

apache2 (2.4.48-1) experimental; urgency=medium

  [ Daniel Lewart ]
  * Update apache2.logrotate (Closes: #979813)

  [ Andreas Hasenack ]
  * Avoid test suite failure (Closes: #985012)

  [ Yadd ]
  * Update lintian overrides
  * Re-export upstream signing key without extra signatures.

  [ Ondřej Surý ]
  * New upstream version 2.4.48 (Closes: CVE-2019-17567, CVE-2020-13938,
    CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691,
    CVE-2021-30641, CVE-2021-31618)

 -- Ondřej Surý <email address hidden> Tue, 08 Jun 2021 08:29:35 +0200

apache2 (2.4.47-1) experimental; urgency=medium

### Old Ubuntu Delta ###

apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <email address hidden> Tue, 28 Sep 2021 08:52:26 -0400

apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: DoS in mod_proxy_uwsgi
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
      generic worker in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2021-36160
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the 'proxy:' URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438

 -- Marc Deslauriers <email address hidden> Thu, 23 Sep 2021 12:51:16 -0400

apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles. (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file. (LP 1288690)
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      This extends an earlier fix for the start command to behave
      similarly for restart / graceful. Fixes service failures on
      unattended upgrade. (LP 1832182)
    - d/apache2ctl: Also use /run/systemd to check for systemd usage
      (LP 1918209)

 -- Bryce Harrington <email address hidden> Wed, 11 Aug 2021 20:03:24 -0700

Bryce Harrington (bryce)
Changed in apache2 (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
description: updated
Changed in apache2 (Ubuntu):
milestone: none → ubuntu-22.01
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers