Activity log for bug #1946831

Date Who What changed Old value New value Message
2021-10-13 04:01:11 Bryce Harrington bug added bug
2021-10-13 04:01:13 Bryce Harrington bug added subscriber Canonical Server Team
2021-10-13 04:14:37 Bryce Harrington apache2 (Ubuntu): assignee Bryce Harrington (bryce)
2021-10-19 02:39:26 Bryce Harrington description

Old value:

Scheduled-For: 23.01
Upstream: 2.4.51
Debian: 2.4.51-1
Ubuntu: 2.4.48-3.1ubuntu3

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.

### New Debian Changes ###

apache2 (2.4.51-1) unstable; urgency=medium

  * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013)
  * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659)

 -- Yadd <yadd@debian.org> Thu, 07 Oct 2021 20:35:33 +0200

apache2 (2.4.50-1) unstable; urgency=high

  * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524)
  * Remove patches already merged upstream

 -- Ondřej Surý <ondrej@debian.org> Tue, 05 Oct 2021 13:25:23 +0200

apache2 (2.4.49-4) unstable; urgency=medium

  [ Ondřej Surý ]
  * Add upstream patch to fix crash in 2.4.49

 -- Yadd <yadd@debian.org> Fri, 01 Oct 2021 11:34:24 +0200

apache2 (2.4.49-3) unstable; urgency=medium

  [ Yadd ]
  * Re-export upstream signing key without extra signatures.
  * Drop transition for old debug package migration.

  [ Moritz Muehlenhoff ]
  * Fix CVE-2021-40438 regression

 -- Yadd <yadd@debian.org> Thu, 30 Sep 2021 06:00:06 +0200

apache2 (2.4.49-2) unstable; urgency=medium

  [ Michiel Hazelhof ]
  * Fix multi instance issue (Closes: #868861)

  [ Philippe Ombredanne ]
  * Fix GPL version typo in copyright file

 -- Yadd <yadd@debian.org> Thu, 23 Sep 2021 13:55:55 +0200

apache2 (2.4.49-1) unstable; urgency=medium

  * Update upstream GPG keys
  * New upstream version 2.4.49 (Closes: CVE-2021-34798, CVE-2021-36160,
    CVE-2021-39275, CVE-2021-40438)
  * Refresh patches

 -- Yadd <yadd@debian.org> Thu, 16 Sep 2021 06:22:23 +0200

apache2 (2.4.48-4) unstable; urgency=medium

  * Fix mod_proxy HTTP2 request line injection (Closes: CVE-2021-33193)

 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200

apache2 (2.4.48-3.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Direct init script reload output from logrotate to syslog, to
    avoid mail-spamming the local admin (Closes: #990580)

 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200

apache2 (2.4.48-3) unstable; urgency=medium

  * Fix debian/changelog

 -- Yadd <yadd@debian.org> Sun, 20 Jun 2021 16:39:33 +0200

apache2 (2.4.48-2) unstable; urgency=medium

  * Back to unstable: Apache2 will follow upstream changes for Bullseye

  [ Christian Ehrhardt ]
  * d/t/control, d/t/check-http2: basic test for http2 (Closes: #884068)

 -- Yadd <yadd@debian.org> Sat, 19 Jun 2021 17:50:29 +0200

apache2 (2.4.48-1) experimental; urgency=medium

  [ Daniel Lewart ]
  * Update apache2.logrotate (Closes: #979813)

  [ Andreas Hasenack ]
  * Avoid test suite failure (Closes: #985012)

  [ Yadd ]
  * Update lintian overrides
  * Re-export upstream signing key without extra signatures.

  [ Ondřej Surý ]
  * New upstream version 2.4.48 (Closes: CVE-2019-17567, CVE-2020-13938,
    CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691,
    CVE-2021-30641, CVE-2021-31618)

 -- Ondřej Surý <ondrej@debian.org> Tue, 08 Jun 2021 08:29:35 +0200

apache2 (2.4.47-1) experimental; urgency=medium

### Old Ubuntu Delta ###

apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Sep 2021 08:52:26 -0400

apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: DoS in mod_proxy_uwsgi
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
      generic worker in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2021-36160
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the 'proxy:' URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Sep 2021 12:51:16 -0400

apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles. (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file. (LP 1288690)
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      This extends an earlier fix for the start command to behave
      similarly for restart / graceful. Fixes service failures on
      unattended upgrade. (LP 1832182)
    - d/apache2ctl: Also use /run/systemd to check for systemd usage
      (LP 1918209)

 -- Bryce Harrington <bryce@canonical.com> Wed, 11 Aug 2021 20:03:24 -0700

New value:

Upstream: 2.4.51
Debian: 2.4.51-1
Ubuntu: 2.4.48-3.1ubuntu3

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.

### New Debian Changes ###

apache2 (2.4.51-1) unstable; urgency=medium

  * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013)
  * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659)

 -- Yadd <yadd@debian.org> Thu, 07 Oct 2021 20:35:33 +0200

apache2 (2.4.50-1) unstable; urgency=high

  * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524)
  * Remove patches already merged upstream

 -- Ondřej Surý <ondrej@debian.org> Tue, 05 Oct 2021 13:25:23 +0200

apache2 (2.4.49-4) unstable; urgency=medium

  [ Ondřej Surý ]
  * Add upstream patch to fix crash in 2.4.49

 -- Yadd <yadd@debian.org> Fri, 01 Oct 2021 11:34:24 +0200

apache2 (2.4.49-3) unstable; urgency=medium

  [ Yadd ]
  * Re-export upstream signing key without extra signatures.
  * Drop transition for old debug package migration.

  [ Moritz Muehlenhoff ]
  * Fix CVE-2021-40438 regression

 -- Yadd <yadd@debian.org> Thu, 30 Sep 2021 06:00:06 +0200

apache2 (2.4.49-2) unstable; urgency=medium

  [ Michiel Hazelhof ]
  * Fix multi instance issue (Closes: #868861)

  [ Philippe Ombredanne ]
  * Fix GPL version typo in copyright file

 -- Yadd <yadd@debian.org> Thu, 23 Sep 2021 13:55:55 +0200

apache2 (2.4.49-1) unstable; urgency=medium

  * Update upstream GPG keys
  * New upstream version 2.4.49 (Closes: CVE-2021-34798, CVE-2021-36160,
    CVE-2021-39275, CVE-2021-40438)
  * Refresh patches

 -- Yadd <yadd@debian.org> Thu, 16 Sep 2021 06:22:23 +0200

apache2 (2.4.48-4) unstable; urgency=medium

  * Fix mod_proxy HTTP2 request line injection (Closes: CVE-2021-33193)

 -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200

apache2 (2.4.48-3.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Direct init script reload output from logrotate to syslog, to
    avoid mail-spamming the local admin (Closes: #990580)

 -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200

apache2 (2.4.48-3) unstable; urgency=medium

  * Fix debian/changelog

 -- Yadd <yadd@debian.org> Sun, 20 Jun 2021 16:39:33 +0200

apache2 (2.4.48-2) unstable; urgency=medium

  * Back to unstable: Apache2 will follow upstream changes for Bullseye

  [ Christian Ehrhardt ]
  * d/t/control, d/t/check-http2: basic test for http2 (Closes: #884068)

 -- Yadd <yadd@debian.org> Sat, 19 Jun 2021 17:50:29 +0200

apache2 (2.4.48-1) experimental; urgency=medium

  [ Daniel Lewart ]
  * Update apache2.logrotate (Closes: #979813)

  [ Andreas Hasenack ]
  * Avoid test suite failure (Closes: #985012)

  [ Yadd ]
  * Update lintian overrides
  * Re-export upstream signing key without extra signatures.

  [ Ondřej Surý ]
  * New upstream version 2.4.48 (Closes: CVE-2019-17567, CVE-2020-13938,
    CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691,
    CVE-2021-30641, CVE-2021-31618)

 -- Ondřej Surý <ondrej@debian.org> Tue, 08 Jun 2021 08:29:35 +0200

apache2 (2.4.47-1) experimental; urgency=medium

### Old Ubuntu Delta ###

apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Sep 2021 08:52:26 -0400

apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: DoS in mod_proxy_uwsgi
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
      generic worker in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2021-36160
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the 'proxy:' URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Sep 2021 12:51:16 -0400

apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles. (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file. (LP 1288690)
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      This extends an earlier fix for the start command to behave
      similarly for restart / graceful. Fixes service failures on
      unattended upgrade. (LP 1832182)
    - d/apache2ctl: Also use /run/systemd to check for systemd usage
      (LP 1918209)

 -- Bryce Harrington <bryce@canonical.com> Wed, 11 Aug 2021 20:03:24 -0700

2021-10-19 02:39:35 Bryce Harrington apache2 (Ubuntu): milestone ubuntu-22.01
2021-12-01 01:34:56 Bryce Harrington apache2 (Ubuntu): milestone ubuntu-22.01 ubuntu-21.12
2021-12-03 07:28:26 Bryce Harrington apache2 (Ubuntu): status New In Progress
2021-12-17 22:38:10 Bryce Harrington apache2 (Ubuntu): status In Progress Fix Committed
2022-01-05 08:44:18 Bryce Harrington apache2 (Ubuntu): status Fix Committed Fix Released