diff -u apache2-2.2.14/debian/rules apache2-2.2.14/debian/rules --- apache2-2.2.14/debian/rules +++ apache2-2.2.14/debian/rules @@ -3,6 +3,7 @@ # Code for httpd 2.1, based on apache2 and others. # Copyright (C) Canonical Ltd, 2005 +export DEB_BUILD_HARDENING=1 export DEB_BUILD_OPTIONS export DH_OPTIONS @@ -34,7 +35,8 @@ --enable-log-config=static --enable-logio=static \ --with-apr=/usr/bin/apr-1-config \ --with-apr-util=/usr/bin/apu-1-config \ - --with-pcre=yes + --with-pcre=yes \ + --enable-pie AP2_MODS_CONFARGS = --enable-authn-alias=shared --enable-authnz-ldap=shared \ --enable-disk-cache=shared --enable-cache=shared \ @@ -222,6 +224,7 @@ dh_install --list-missing cp debian/bash_completion debian/apache2.2-common/etc/bash_completion.d/apache2.2-common + install -m644 debian/apache2.2-common.ufw.profile debian/apache2.2-common/etc/ufw/applications.d/apache2.2-common # standard suexec chmod 4754 debian/apache2-suexec/usr/lib/apache2/suexec diff -u apache2-2.2.14/debian/apache2.2-common.dirs apache2-2.2.14/debian/apache2.2-common.dirs --- apache2-2.2.14/debian/apache2.2-common.dirs +++ apache2-2.2.14/debian/apache2.2-common.dirs @@ -14,0 +15 @@ +etc/ufw/applications.d diff -u apache2-2.2.14/debian/changelog apache2-2.2.14/debian/changelog --- apache2-2.2.14/debian/changelog +++ apache2-2.2.14/debian/changelog @@ -1,3 +1,12 @@ +apache2 (2.2.14-5ubuntu1) lucid; urgency=low + + * Merge from debian testing. Remaining changes: LP: #506862 + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree. + + -- Bhavani Shankar Wed, 13 Jan 2010 14:28:41 +0530 + apache2 (2.2.14-5) unstable; urgency=low * Security: Further mitigation for the TLS renegotation attack @@ -21,6 +30,15 @@ -- Stefan Fritsch Sat, 02 Jan 2010 22:44:15 +0100 +apache2 (2.2.14-4ubuntu1) lucid; urgency=low + + * Resynchronzie with Debian, remaining changes are: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree. + + -- Chuck Short Wed, 23 Dec 2009 14:44:51 -0500 + apache2 (2.2.14-4) unstable; urgency=low * Disable localized error pages again by default because they break @@ -71,6 +89,17 @@ -- Stefan Fritsch Sat, 07 Nov 2009 14:37:37 +0100 +apache2 (2.2.14-1ubuntu1) lucid; urgency=low + + * Merge from debian testing, remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles. + - debian/conrol: Add bzr tag and point it to our tree. + - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch: + Already applied upstream. + + -- Chuck Short Fri, 06 Nov 2009 00:29:03 +0000 + apache2 (2.2.14-1) unstable; urgency=low * New upstream version: @@ -105,6 +134,24 @@ -- Stefan Fritsch Mon, 31 Aug 2009 20:28:56 +0200 +apache2 (2.2.12-1ubuntu2) karmic; urgency=low + + * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch: + - Fix potential segfaults with the use of the legacy ap_rputs() etc + interfaces, in cases where an output filter fails. This happens + frequently after CVE-2009-1891 got fixed. (LP: #409987) + + -- Marc Deslauriers Mon, 17 Aug 2009 15:38:47 -0400 + +apache2 (2.2.12-1ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch. + + -- Chuck Short Tue, 04 Aug 2009 20:04:24 +0100 + apache2 (2.2.12-1) unstable; urgency=low * New upstream release: @@ -152,6 +199,16 @@ -- Stefan Fritsch Tue, 04 Aug 2009 11:02:34 +0200 +apache2 (2.2.11-7ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: LP: #398130 + - debian/patches/203_fix-ssl-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Bhavani Shankar Sat, 11 Jul 2009 16:34:32 +0530 + apache2 (2.2.11-7) unstable; urgency=low * Security fixes: @@ -166,6 +223,16 @@ -- Stefan Fritsch Fri, 10 Jul 2009 22:42:57 +0200 +apache2 (2.2.11-6ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/patches/203_fix-ssl-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Tue, 09 Jun 2009 01:01:23 +0100 + apache2 (2.2.11-6) unstable; urgency=high * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server @@ -174,6 +241,16 @@ -- Stefan Fritsch Mon, 08 Jun 2009 19:22:58 +0200 +apache2 (2.2.11-5ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/patches/203_fix-ssi-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Andrew Mitchell Wed, 03 Jun 2009 14:10:54 +1200 + apache2 (2.2.11-5) unstable; urgency=low * Move all binaries into a new package apache2.2-bin and make @@ -222,6 +299,16 @@ -- Stefan Fritsch Tue, 19 May 2009 22:55:27 +0200 +apache2 (2.2.11-3ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/patches/203_fix-ssi-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Andrew Mitchell Tue, 12 May 2009 16:15:34 +1200 + apache2 (2.2.11-3) unstable; urgency=low * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap @@ -230,6 +317,21 @@ -- Stefan Fritsch Tue, 31 Mar 2009 21:07:26 +0200 +apache2 (2.2.11-2ubuntu2) jaunty; urgency=low + + * debian/patches/203_fix-ssi-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + + -- Chuck Short Wed, 01 Apr 2009 11:39:17 -0400 + +apache2 (2.2.11-2ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{contro,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Sat, 17 Jan 2009 00:02:55 +0000 + apache2 (2.2.11-2) unstable; urgency=low * Report an error instead instead of segfaulting when apr_pollset_create @@ -239,6 +341,14 @@ -- Stefan Fritsch Fri, 16 Jan 2009 19:01:59 +0100 +apache2 (2.2.11-1ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control, rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Mon, 15 Dec 2008 00:06:50 +0000 + apache2 (2.2.11-1) unstable; urgency=low [Thom May] @@ -253,6 +363,14 @@ -- Stefan Fritsch Sun, 14 Dec 2008 09:34:24 +0100 +apache2 (2.2.9-11ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: (LP: #303375) + - debian/{control, rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Bhavani Shankar Sat, 29 Nov 2008 14:02:31 +0530 + apache2 (2.2.9-11) unstable; urgency=low * Regression fix from upstream svn for mod_proxy: @@ -267,6 +385,14 @@ -- Stefan Fritsch Wed, 26 Nov 2008 23:10:22 +0100 +apache2 (2.2.9-10ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control, rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Wed, 05 Nov 2008 02:23:18 -0400 + apache2 (2.2.9-10) unstable; urgency=low * Regression fix from upstream svn for mod_proxy_http: @@ -297,6 +423,27 @@ -- Stefan Fritsch Thu, 11 Sep 2008 09:17:33 +0200 +apache2 (2.2.9-7ubuntu3) intrepid; urgency=low + + * Revert logrotate change since it will break it for everyone. + + -- Chuck Short Fri, 19 Sep 2008 09:32:01 -0400 + +apache2 (2.2.9-7ubuntu2) intrepid; urgency=low + + * debian/logrotate: Restart rather than reload for busy websites. + (LP: #270899) + + -- Chuck Short Thu, 18 Sep 2008 08:42:22 -0400 + +apache2 (2.2.9-7ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control,rules}: enable PIE hardening. + - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles. + + -- Kees Cook Thu, 28 Aug 2008 08:10:59 -0700 + apache2 (2.2.9-7) unstable; urgency=low * Fix XSS in mod_proxy_ftp (CVE-2008-2939). @@ -339,6 +486,23 @@ -- Stefan Fritsch Sun, 06 Jul 2008 10:38:37 +0200 +apache2 (2.2.9-3ubuntu2) intrepid; urgency=low + + * add ufw integration (see + https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages) + (LP: #261198) + - debian/control: suggest ufw for apache2.2-common + - add apache2.2-common.ufw.profile with 3 profiles and install it to + /etc/ufw/applications.d/apache2.2-common + + -- Didier Roche Tue, 26 Aug 2008 19:03:42 +0200 + +apache2 (2.2.9-3ubuntu1) intrepid; urgency=low + + * debian/{control,rules}: enable PIE hardening + + -- Kees Cook Wed, 20 Aug 2008 15:45:00 -0700 + apache2 (2.2.9-3) unstable; urgency=low [ Stefan Fritsch ] + diff -u apache2-2.2.14/debian/control apache2-2.2.14/debian/control --- apache2-2.2.14/debian/control +++ apache2-2.2.14/debian/control @@ -1,20 +1,22 @@ Source: apache2 Section: httpd Priority: optional -Maintainer: Debian Apache Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Apache Maintainers Uploaders: Tollef Fog Heen , Thom May , Adam Conrad , Peter Samuelson , Stefan Fritsch , Steinar H. Gunderson -Build-Depends: debhelper (>= 7.4.3), dpatch, lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev (>= 1.2.7-6), openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev, sharutils, libcap-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], autoconf +Build-Depends: debhelper (>= 7.4.3), dpatch, lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev (>= 1.2.7-6), openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev, sharutils, libcap-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], autoconf,hardening-wrapper Build-Conflicts: autoconf2.13 Standards-Version: 3.8.3 -Vcs-Browser: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2 -Vcs-svn: svn://svn.debian.org/pkg-apache/trunk/apache2 +Vcs-Bzr: http://code.launchpad.net/ubuntu/+source/apache2 +XSBC-Original-Vcs-Browser: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2 +XSBC-Original-Vcs-svn: svn://svn.debian.org/pkg-apache/trunk/apache2 Homepage: http://httpd.apache.org/ Package: apache2.2-common Architecture: any Depends: ${misc:Depends}, apache2.2-bin (= ${binary:Version}), apache2-utils, libmagic1, mime-support, lsb-base, procps [!hurd-i386], perl Recommends: ssl-cert -Suggests: www-browser, apache2-doc, apache2-suexec | apache2-suexec-custom +Suggests: www-browser, apache2-doc, apache2-suexec | apache2-suexec-custom, ufw Conflicts: apache2-common, libapache2-mod-php5 (<= 5.1.6-3), libapache2-mod-php4 (<= 4:4.4.4-2), libapache2-mod-mime-xattr (<= 0.3-2), libapache2-mod-mono (<= 1.1.17-3), libapache2-mod-proxy-html (<= 2.4.3-2), libapache2-mod-scgi (<= 1.11-1), libapache2-mod-speedycgi (<= 2.22-3), libapache2-modxslt (<= 2005072700-1), libapache2-redirtoservername (<= 0.1-1), libapache2-webauth (<= 3.5.3-1), libapache2-webkdc (<= 3.5.3-1) Replaces: apache2-common Description: Apache HTTP Server common files only in patch2: unchanged: --- apache2-2.2.14.orig/debian/apache2.2-common.ufw.profile +++ apache2-2.2.14/debian/apache2.2-common.ufw.profile @@ -0,0 +1,14 @@ +[Apache] +title=Web Server +description=Apache v2 is the next generation of the omnipresent Apache web server. +ports=80/tcp + +[Apache Secure] +title=Web Server (HTTPS) +description=Apache v2 is the next generation of the omnipresent Apache web server. +ports=443/tcp + +[Apache Full] +title=Web Server (HTTP,HTTPS) +description=Apache v2 is the next generation of the omnipresent Apache web server. +ports=80,443/tcp