Merge apache2 from Debian unstable for plucky

Bug #2085206 reported by Bryce Harrington
This bug affects 1 person
Affects: apache2 (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Bryce Harrington

Bug Description

Upstream: 2.4.62
Debian: 2.4.62-3 2.4.62-4
Ubuntu: 2.4.62-1ubuntu1

Debian new has 2.4.62-4, which may be available for merge soon.

If this merge pulls in a new upstream version, also consider adding an entry to the Plucky Release Notes: https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

apache2 (2.4.62-3) unstable; urgency=medium

  * Fix debian/changelog

 -- Bastien Roucariès <email address hidden> Fri, 04 Oct 2024 13:35:02 +0000

apache2 (2.4.62-2) unstable; urgency=medium

  * Add myself as maintainer with yadd agreement.
  * Fix CVE-2024-38474 regression:
    Better question mark tracking to avoid UnsafeAllow3F
    (Closes: #1079172)
  * Fix CVE-2024-39884 regression:
    Trust strings from configuration in mod_proxy
    (Closes: #1079206)

 -- Bastien Roucariès <email address hidden> Sun, 29 Sep 2024 18:47:03 +0000

apache2 (2.4.62-1) unstable; urgency=medium

  * New upstream version 2.4.62 (Closes: CVE-2024-40725, CVE-2024-40898)

 -- Yadd <email address hidden> Thu, 18 Jul 2024 06:56:52 +0400

apache2 (2.4.61-1) unstable; urgency=medium

  * New upstream version 2.4.61 (Closes: CVE-2024-39884)

 -- Yadd <email address hidden> Wed, 03 Jul 2024 19:22:29 +0400

apache2 (2.4.60-1) unstable; urgency=medium

  [ Bastien Roucariès ]
  * Forward port CVE-2023-25690 uwsgi tests
  * Fix depends of uwsgi test
  * Use python3 uwsgi plugin
  * Encode bytes for uwsgi test

  [ Bryce Harrington ]
  * Add UFW profile integration (Closes: #1071705)

  [Chris Murray]
  * Use https instead of http in doc (LP: #2045055)

  [ Yadd ]
  * Bump liblua from liblua5.3-dev to liblua5.4-dev (Closes: #1071701)
  * Update test framework
  * releasing package apache2 version 2.4.59-1~deb12u1
  * New upstream version (CLoses: CVE-2024-36387, CVE-2024-38472,
    CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476,
    CVE-2024-38477, CVE-2024-39573)
  * Unfuzz patches

 -- Yadd <email address hidden> Mon, 01 Jul 2024 18:04:08 +0400

apache2 (2.4.59-2) unstable; urgency=medium

  * Breaks against fossil due to CVE-2024-24795 follows up

 -- Bastien Roucariès <email address hidden> Mon, 29 Apr 2024 21:55:28 +0000

apache2 (2.4.59-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Remove old transitional packages libapache2-mod-md and
    libapache2-mod-proxy-uwsgi. Closes: #1032628

  [ Yadd ]
  * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564)
  * Refresh patches
  * New upstream version 2.4.59
    (Closes: #1068412 CVE-2024-27316 CVE-2024-24795 CVE-2023-38709)
  * Refresh patches
  * Update patches
  * Update test framework

 -- Yadd <email address hidden> Fri, 05 Apr 2024 08:08:11 +0400

apache2 (2.4.58-1) unstable; urgency=medium

  [ Bas Couwenberg ]
  * Provide dh-sequence-apache2 (Closes: #1050870)

  [ Yadd ]
  * Drop dependency to obsolete lsb-base
  * New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622,
    CVE-2023-45802)
  * Refresh patches

 -- Yadd <email address hidden> Thu, 19 Oct 2023 14:56:29 +0400

apache2 (2.4.57-3) unstable; urgency=medium

  * Update a2enmod to drop given/when (Closes: #1050458)
  * Restore changes not included in Bookworm (set -e in apache2ctl)

 -- Yadd <email address hidden> Tue, 29 Aug 2023 11:39:32 +0400

apache2 (2.4.57-2) unstable; urgency=medium

### Old Ubuntu Delta ###

apache2 (2.4.62-1ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2077060). Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/source/include-binaries, d/t/check-ubuntu-branding: Replace
      Debian with Ubuntu on default homepage.
      (LP #1966004, LP #1947459)
    - d/apache2.py, d/apache2-bin.install: Add apport hook
      (LP #609177)
    - d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
      dolphin and Konqueror/5 careful redirection so that directories can be
      deleted via webdav.
      (LP #1927742)
    - d/debhelper/apache2-maintscript-helper: Allow execution when called from a
      postinst script through a trigger (i.e., postinst triggered).
      Thanks to Roel van Meer. (Closes: #1060450)
      (LP #2038912)
    - d/index.html, d/apache2.postrm: Fix https link to apache
      documentation.
      (LP #2045055)
  * Dropped:
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
      d/apache2.dirs: Add ufw profiles
      (LP #261198)
      [Included in Debian 2.4.60-1]
    - d/control: Upgrade lua build dependency to 5.4
      (LP #1910372)
      [Included in Debian 2.4.60-1]

 -- Bryce Harrington <email address hidden> Thu, 15 Aug 2024 00:32:14 -0700

Bryce Harrington (bryce)
Changed in apache2 (Ubuntu):
milestone: none → ubuntu-24.12
Bryce Harrington (bryce)
summary: - Merge apache2 from Debian unstable for jammy
+ Merge apache2 from Debian unstable for plucky
Bryce Harrington (bryce)
Changed in apache2 (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
description: updated
description: updated
Bryce Harrington (bryce)
Changed in apache2 (Ubuntu):
status: New → In Progress
importance: Undecided → High
Bryce Harrington (bryce)
Changed in apache2 (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.62-3ubuntu1

---------------
apache2 (2.4.62-3ubuntu1) plucky; urgency=medium

  * Merge with Debian unstable (LP: #2085206). Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/source/include-binaries, d/t/check-ubuntu-branding: Replace
      Debian with Ubuntu on default homepage.
      (LP #1966004, LP #1947459)
    - d/apache2.py, d/apache2-bin.install: Add apport hook
      (LP #609177)
    - d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
      dolphin and Konqueror/5 careful redirection so that directories can be
      deleted via webdav.
      (LP #1927742)
    - d/debhelper/apache2-maintscript-helper: Allow execution when called from a
      postinst script through a trigger (i.e., postinst triggered).
      Thanks to Roel van Meer. (Closes: #1060450)
      (LP #2038912)
    - d/index.html, d/apache2.postrm: Fix https link to apache
      documentation.
      (LP #2045055)

apache2 (2.4.62-3) unstable; urgency=medium

  * Fix debian/changelog

apache2 (2.4.62-2) unstable; urgency=medium

  * Add myself as maintainer with yadd agreement.
  * Fix CVE-2024-38474 regression:
    Better question mark tracking to avoid UnsafeAllow3F
    (Closes: #1079172)
  * Fix CVE-2024-39884 regression:
    Trust strings from configuration in mod_proxy
    (Closes: #1079206)

 -- Bryce Harrington <email address hidden> Thu, 21 Nov 2024 13:36:30 -0800

Changed in apache2 (Ubuntu):
status: Fix Committed → Fix Released