Merge apache2 from Debian unstable for oracular
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apache2 (Ubuntu) | Fix Released | Undecided | Bryce Harrington | |
Bug Description
Upstream: 2.4.59
Debian: 2.4.59-2
Ubuntu: 2.4.58-1ubuntu8
Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.
If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.
If this merge pulls in a new upstream version, also consider adding an entry to the Oracular Release Notes: https:/
### New Debian Changes ###
apache2 (2.4.59-2) unstable; urgency=medium
* Breaks against fossil due to CVE-2024-24795 follows up
-- Bastien Roucariès <email address hidden> Mon, 29 Apr 2024 21:55:28 +0000
apache2 (2.4.59-1) unstable; urgency=medium
[ Stefan Fritsch ]
* Remove old transitional packages libapache2-mod-md and
libapache2-
[ Yadd ]
* mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564)
* Refresh patches
* New upstream version 2.4.59
(Closes: #1068412 CVE-2024-27316 CVE-2024-24795 CVE-2023-38709)
* Refresh patches
* Update patches
* Update test framework
-- Yadd <email address hidden> Fri, 05 Apr 2024 08:08:11 +0400
apache2 (2.4.58-1) unstable; urgency=medium
[ Bas Couwenberg ]
* Provide dh-sequence-apache2 (Closes: #1050870)
[ Yadd ]
* Drop dependency to obsolete lsb-base
* New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622,
CVE-2023-45802)
* Refresh patches
-- Yadd <email address hidden> Thu, 19 Oct 2023 14:56:29 +0400
apache2 (2.4.57-3) unstable; urgency=medium
* Update a2enmod to drop given/when (Closes: #1050458)
* Restore changes not included in Bookworm (set -e in apache2ctl)
-- Yadd <email address hidden> Tue, 29 Aug 2023 11:39:32 +0400
apache2 (2.4.57-2) unstable; urgency=medium
* Revert debian/* changes (Bookworm freeze)
-- Yadd <email address hidden> Thu, 13 Apr 2023 07:26:51 +0400
apache2 (2.4.57-1) unstable; urgency=medium
* New upstream version 2.4.57
* Drop 2.4.56-regression patches
-- Yadd <email address hidden> Sat, 08 Apr 2023 06:57:16 +0400
apache2 (2.4.56-2) unstable; urgency=medium
* Fix regression in mod_rewrite introduced in version 2.4.56
(Closes: #1033284)
* Fix regression in http2 introduced by 2.4.56 (Closes: #1033408)
-- Yadd <email address hidden> Sun, 02 Apr 2023 06:54:25 +0400
apache2 (2.4.56-1) unstable; urgency=medium
* New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)
-- Yadd <email address hidden> Wed, 08 Mar 2023 06:44:05 +0400
apache2 (2.4.55-1) unstable; urgency=medium
[ Hendrik Jäger ]
* disable ssl session tickets
* redundant example as already enabled in the default config
* logrotate indentation
* Update example how to prevent access to VCS directories
[ lintian-brush ]
* Update lintian override info to new format:
+ debian/
+ debian/
+ debian/
+ debian/
+ debian/
* Set upstream metadata fields: Repository-Browse.
* Update standards version to 4.6.2, no changes needed.
[ Yadd ]
* New upstream version (Closes: CVE-2006-20001, CVE-2022-36760,
CVE-2022-37436)
-- Yadd <email address hidden> Wed, 18 Jan 2023 07:41:55 +0400
apache2 (2.4.54-5) unstable; urgency=medium
[ Hendrik Jäger ]
* fix: one oom-killed thread should not take down the whole service
* fix: remove modelines
* fix: update clickjacking protection example
### Old Ubuntu Delta ###
apache2 (2.4.58-1ubuntu8) noble; urgency=medium
* No-change rebuild against libapr1t64
-- Steve Langasek <email address hidden> Sun, 07 Apr 2024 07:02:29 +0000
apache2 (2.4.58-1ubuntu7) noble; urgency=medium
* No-change rebuild for CVE-2024-3094
-- Steve Langasek <email address hidden> Sun, 31 Mar 2024 08:37:28 +0000
apache2 (2.4.58-1ubuntu6) noble; urgency=medium
* d/debhelper/
postinst script through a trigger (i.e., postinst triggered).
Thanks to Roel van Meer. (LP: #2038912) (Closes: #1060450)
-- Athos Ribeiro <email address hidden> Mon, 18 Mar 2024 09:35:36 -0300
apache2 (2.4.58-1ubuntu5) noble; urgency=medium
* No-change rebuild against libcurl4t64
-- Steve Langasek <email address hidden> Sat, 16 Mar 2024 06:05:04 +0000
apache2 (2.4.58-1ubuntu4) noble; urgency=medium
* No-change rebuild against libaprutil1t64
-- Zixing Liu <email address hidden> Sat, 09 Mar 2024 23:05:43 -0700
apache2 (2.4.58-1ubuntu3) noble; urgency=medium
* No-change rebuild against libssl3t64
-- Steve Langasek <email address hidden> Mon, 04 Mar 2024 17:21:46 +0000
apache2 (2.4.58-1ubuntu2) noble; urgency=medium
* d/c/m/setenvif.
dolphin and Konqueror/5 careful redirection so that directories can be
deleted via webdav.
(LP: #1927742)
-- Bryce Harrington <email address hidden> Wed, 24 Jan 2024 14:00:03 -0800
apache2 (2.4.58-1ubuntu1) noble; urgency=medium
* Merge with Debian unstable (LP: #2040357). Remaining changes:
- d/index.html, d/icons/
d/
Debian with Ubuntu on default homepage.
(LP #1966004, LP #1947459)
- d/apache2.py, d/apache2-
(LP #609177)
- d/control, d/apache2.install, d/apache2-
d/
(LP #261198)
- d/control: Upgrade lua build dependency to 5.4
-- Bryce Harrington <email address hidden> Thu, 14 Dec 2023 23:52:39 -0800
Related branches
- git-ubuntu bot: Approve
- Andreas Hasenack: Approve
- Canonical Server packageset reviewers: Pending requested
- Canonical Server Reporter: Pending requested
- Canonical Server Core Reviewers: Pending requested
Diff: 3212 lines (+2410/-62)
16 files modified
debian/apache2-bin.install (+1/-0)
debian/apache2-utils.ufw.profile (+14/-0)
debian/apache2.dirs (+1/-0)
debian/apache2.install (+1/-0)
debian/apache2.postrm (+2/-0)
debian/apache2.py (+48/-0)
debian/changelog (+2230/-2)
debian/config-dir/mods-available/setenvif.conf (+2/-0)
debian/control (+5/-3)
debian/debhelper/apache2-maintscript-helper (+4/-0)
debian/index.html (+52/-57)
debian/patches/fix-dolphin-to-delete-webdav-dirs.patch (+16/-0)
debian/patches/series (+1/-0)
debian/source/include-binaries (+1/-0)
debian/tests/check-ubuntu-branding (+28/-0)
debian/tests/control (+4/-0)
Changed in apache2 (Ubuntu):
milestone: none → ubuntu-24.07
Changed in apache2 (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
Changed in apache2 (Ubuntu):
milestone: ubuntu-24.07 → ubuntu-24.06
Changed in apache2 (Ubuntu):
milestone: ubuntu-24.06 → ubuntu-24.05
Changed in apache2 (Ubuntu):
status: New → In Progress
Changed in apache2 (Ubuntu):
milestone: ubuntu-24.05 → ubuntu-24.06
Changed in apache2 (Ubuntu):
status: In Progress → Fix Committed
This bug was fixed in the package apache2 - 2.4.59-2ubuntu2
---------------
apache2 (2.4.59-2ubuntu2) oracular; urgency=medium
* d/index.html, d/apache2.postrm: Fix https link to apache documentation.
(LP: #2045055)
apache2 (2.4.59-2ubuntu1) oracular; urgency=medium
* Merge with Debian unstable (LP: #2064378). Remaining changes:
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/source/include-binaries, d/t/check-ubuntu-branding: Replace
Debian with Ubuntu on default homepage.
(LP #1966004, LP #1947459)
- d/apache2.py, d/apache2-bin.install: Add apport hook
(LP #609177)
- d/control, d/apache2.install, d/apache2-utils.ufw.profile,
d/apache2.dirs: Add ufw profiles
(LP #261198)
- d/control: Upgrade lua build dependency to 5.4
(LP #1910372)
- d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
dolphin and Konqueror/5 careful redirection so that directories can be
deleted via webdav.
(LP #1927742)
- d/debhelper/apache2-maintscript-helper: Allow execution when called from a
postinst script through a trigger (i.e., postinst triggered).
Thanks to Roel van Meer. (Closes: #1060450)
(LP #2038912)
* Dropped:
- d/p/CVE-2023-38709.patch: header validation after
content-* are eval'ed in modules/http/http_filters.c.
[Included in 2.4.59]
- HTTP Response Splitting in multiple modules
+ d/p/CVE-2024-24795.patch: let httpd handle CL/TE for
non-http handlers in include/util_script.h,
modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
modules/generators/mod_cgid.c, modules/http/http_filters.c,
modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
[Included in 2.4.59]
- HTTP/2 DoS by memory exhaustion on endless continuation frames
+ d/p/CVE-2024-27316.patch: bail after too many failed reads
in modules/http2/h2_session.c, modules/http2/h2_stream.c,
modules/http2/h2_stream.h.
[Included in 2.4.59]
apache2 (2.4.59-2) unstable; urgency=medium
* Breaks against fossil due to CVE-2024-24795 follows up
apache2 (2.4.59-1) unstable; urgency=medium
[ Stefan Fritsch ]
* Remove old transitional packages libapache2-mod-md and
libapache2-mod-proxy-uwsgi. Closes: #1032628
[ Yadd ]
* mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564)
* Refresh patches
* New upstream version 2.4.59
(Closes: #1068412 CVE-2024-27316 CVE-2024-24795 CVE-2023-38709)
* Refresh patches
* Update patches
* Update test framework
-- Bryce Harrington <email address hidden> Mon, 10 Jun 2024 23:04:49 +0000