Merge apache2 from Debian unstable for kinetic

Bug #1971248 reported by Bryce Harrington
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Fix Released
Undecided
Bryce Harrington

Bug Description

Upstream: 2.4.53
Debian: 2.4.53-2
Ubuntu: 2.4.52-1ubuntu4

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.

### New Debian Changes ###

apache2 (2.4.53-2) unstable; urgency=medium

  * Clean useless Conflicts/Replace
  * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254)

 -- Yadd <email address hidden> Tue, 15 Mar 2022 15:27:39 +0100

apache2 (2.4.53-1) unstable; urgency=medium

  * New upstream version 2.4.53 (Closes: CVE-2022-22719,
    CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)
  * Update copyright
  * Patches:
    + Drop fix-2.4.52-regression.patch, now included in upstream
    + Refresh fhs_compliance.patch
    + Update and disable child_processes_fail_to_start.patch
  * Update test framework
  * Back to unstable

 -- Yadd <email address hidden> Mon, 14 Mar 2022 17:10:39 +0100

apache2 (2.4.52-3) experimental; urgency=medium

  * Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL
    error)
  * Set hardening=+all instead of hardening=+bindnow

 -- Yadd <email address hidden> Tue, 28 Dec 2021 21:20:05 +0100

apache2 (2.4.52-2) experimental; urgency=medium

  * Build with pcre2 (Closes: #1000114)

 -- Yadd <email address hidden> Tue, 28 Dec 2021 20:01:43 +0100

apache2 (2.4.52-1) unstable; urgency=medium

  * Refresh suexec-custom.patch
  * Update lintian overrides
  * Wrap long lines in changelog entries: 2.4.51-2.
  * New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790)
  * Refresh patches

 -- Yadd <email address hidden> Mon, 20 Dec 2021 18:42:09 +0100

apache2 (2.4.51-2) unstable; urgency=medium

  * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting
    parameters

 -- Yadd <email address hidden> Mon, 25 Oct 2021 18:37:03 +0200

apache2 (2.4.51-1) unstable; urgency=medium

  * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013)
  * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659)

 -- Yadd <email address hidden> Thu, 07 Oct 2021 20:35:33 +0200

apache2 (2.4.50-1) unstable; urgency=high

  * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524)
  * Remove patches already merged upstream

 -- Ondřej Surý <email address hidden> Tue, 05 Oct 2021 13:25:23 +0200

apache2 (2.4.49-4) unstable; urgency=medium

  [ Ondřej Surý ]
  * Add upstream patch to fix crash in 2.4.49

 -- Yadd <email address hidden> Fri, 01 Oct 2021 11:34:24 +0200

apache2 (2.4.49-3) unstable; urgency=medium

  [ Yadd ]
  * Re-export upstream signing key without extra signatures.
  * Drop transition for old debug package migration.

  [ Moritz Muehlenhoff ]
  * Fix CVE-2021-40438 regression

 -- Yadd <email address hidden> Thu, 30 Sep 2021 06:00:06 +0200

apache2 (2.4.49-2) unstable; urgency=medium

  [ Michiel Hazelhof ]
  * Fix multi instance issue (Closes: #868861)

  [ Philippe Ombredanne ]
  * Fix GPL version typo in copyright file

 -- Yadd <email address hidden> Thu, 23 Sep 2021 13:55:55 +0200

apache2 (2.4.49-1) unstable; urgency=medium

  * Update upstream GPG keys
  * New upstream version 2.4.51. Closes: CVE-2021-33193, CVE-2021-34798,
    CVE-2021-36160, CVE-2021-39275, CVE-2021-40438, CVE-2021-41524,
    CVE-2021-41773, CVE-2021-42013)

### Old Ubuntu Delta ###

apache2 (2.4.52-1ubuntu4) jammy; urgency=medium

  * d/apache2.postrm: Include md5 sum for updated index.html

 -- Bryce Harrington <email address hidden> Thu, 24 Mar 2022 17:35:40 -0700

apache2 (2.4.52-1ubuntu3) jammy; urgency=medium

  * d/index.html:
    - Redesign page's heading for the new logo
    - Use the Ubuntu font where available
    - Update service management directions
    - Copyedit grammar
    - Light reformatting and whitespace cleanup
  * d/icons/ubuntu-logo.png: Refresh ubuntu logo
    (LP: #1966004)

 -- Bryce Harrington <email address hidden> Wed, 23 Mar 2022 16:18:11 -0700

apache2 (2.4.52-1ubuntu2) jammy; urgency=medium

  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
      lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
    request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic
      if discarding the request body fails in modules/http/http_filters.c,
      server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that
      LimitXMLRequestBody fits in system memory in server/core.c,
      server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
      buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
      modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
      modules/filters/mod_sed.c.
    - CVE-2022-23943

 -- Marc Deslauriers <email address hidden> Thu, 17 Mar 2022 09:39:54 -0400

apache2 (2.4.52-1ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable (LP: #1959924). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
      (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.
      (LP 1288690)
  * Dropped:
    - d/p/support-openssl3-*.patch: Backport various patches from
      https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
      failure to load when using OpenSSL 3.
      (LP #1951476)
      [Included in upstream release 2.4.52]
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      (LP 1832182)
      [This introduced a performance regression.]
    - d/apache2ctl: Also use /run/systemd to check for systemd usage.
      (LP 1918209)
      [Not needed]

 -- Bryce Harrington <email address hidden> Thu, 03 Feb 2022 10:25:47 -0800

Related branches

Bryce Harrington (bryce)
Changed in apache2 (Ubuntu):
milestone: none → ubuntu-22.07
assignee: nobody → Bryce Harrington (bryce)
Bryce Harrington (bryce)
Changed in apache2 (Ubuntu):
status: New → In Progress
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

According to the user report, the following bug is fixed in version 2.4.53:

https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1974251

Let's keep that in mind when finishing up the merge.

Revision history for this message
Bryce Harrington (bryce) wrote :

I considered including mention of lp 1974251 as fixed with the release, however more recent comments there leave the situation a bit ambiguous so I decided to omit mention of that for now.

Changed in apache2 (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.53-2ubuntu1

---------------
apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium

  * Merge with Debian unstable (LP: #1971248). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
      (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.
      (LP 1288690)
    - d/index.html, d/icons/ubuntu-logo.png: Refresh page design and
      new logo
      (LP 1966004)
    - d/apache2.postrm: Include md5 sum for updated index.html
  * Dropped:
    - OOB read in mod_lua via crafted request body
      + d/p/CVE-2022-22719.patch: error out if lua_read_body() or
        lua_write_body() fail in modules/lua/lua_request.c.
      [Fixed in 2.4.53 upstream]
    - HTTP Request Smuggling via error discarding the
      request body
      + d/p/CVE-2022-22720.patch: simpler connection close logic
        if discarding the request body fails in modules/http/http_filters.c,
        server/protocol.c.
      [Fixed in 2.4.53 upstream]
    - overflow via large LimitXMLRequestBody
      + d/p/CVE-2022-22721.patch: make sure and check that
        LimitXMLRequestBody fits in system memory in server/core.c,
        server/util.c, server/util_xml.c.
      [Fixed in 2.4.53 upstream]
    - out-of-bounds write in mod_sed
      + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger
        buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
        modules/filters/mod_sed.c, modules/filters/sed1.c.
      + d/p/CVE-2022-23943-2.patch: improve the logic flow in
        modules/filters/mod_sed.c.
      [Fixed in 2.4.53 upstream]

 -- Bryce Harrington <email address hidden> Mon, 23 May 2022 19:34:18 -0700

Changed in apache2 (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers