apache2 2.4.33-3ubuntu2 source package in Ubuntu
Changelog
apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium
* d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
libapache2-mod-md until we figure out their transitions. libapache2-mod-md
in particular is problematic because that makes apache2-bin pull in
libcurl4 which cannot be coinstalled with libcurl3. That situation breaks
the installation of libapache2-mod-shib2. See
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
for details.
- Don't ship md.load and remove build-requires that were added because of
mod-md (see
https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
- Remove proxy_uwsgi.load as we are not building it for now (see
https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)
apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium
* Merge with Debian unstable (LP: #1770242). Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- d/t/control, d/t/check-http2: add basic test for http2 support
* Drop:
- SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
+ debian/patches/CVE-2017-15710.patch: fix language long names
detection as short name in modules/aaa/mod_authnz_ldap.c.
+ CVE-2017-15710
- SECURITY UPDATE: incorrect <FilesMatch> matching
+ debian/patches/CVE-2017-15715.patch: allow to configure
global/default options for regexes, like caseless matching or
extended format in include/ap_regex.h, server/core.c,
server/util_pcre.c.
+ CVE-2017-15715
- SECURITY UPDATE: mod_session header manipulation
+ debian/patches/CVE-2018-1283.patch: strip Session header when
SessionEnv is on in modules/session/mod_session.c.
+ CVE-2018-1283
- SECURITY UPDATE: DoS via specially-crafted request
+ debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
terminated on any error, not only on buffer full in
server/protocol.c.
+ CVE-2018-1301
- SECURITY UPDATE: mod_cache_socache DoS
+ debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
to carriage return in modules/cache/mod_cache_socache.c.
+ CVE-2018-1303
- SECURITY UPDATE: insecure nonce generation
+ debian/patches/CVE-2018-1312.patch: actually use the secret when
generating nonces in modules/aaa/mod_auth_digest.c.
+ CVE-2018-1312
- Correct systemd-sysv-generator behavior by customizing some
parameters:
+ d/apache2-systemd.conf: add a drop-in file to specify some
parameters for the systemd unit (type=Forking and
RemainsAfterExit=no), this allow a correct state synchronisation
between systemctl status and actual state of apache2 daemon.
+ d/apache2.install: place the apache2-systemd.conf file in the
correct location.
[type=Forking already in the base systemd service file, and
RemainsAfterExit=no is the default value, so no need to
customize these anymore.]
- Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683)
+ added debian/patches/util_ldap_cache_lock_fix.patch
[Already applied upstream]
apache2 (2.4.33-3) unstable; urgency=medium
* Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
Closes: #894785
* mod_http2: Avoid high memory usage with large files, causing crashes on
32bit archs. Closes: #897218
* Migrate from alioth to salsa.
apache2 (2.4.33-2) unstable; urgency=medium
* Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi
and libapache2-mod-md.
Closes: #894760, #894761, #894785
apache2 (2.4.33-1) unstable; urgency=medium
* New upstream version.
Security fixes:
- CVE-2017-15710
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
- CVE-2018-1283
mod_session: CGI-like applications that intend to read from mod_session's
'SessionEnv ON' could be fooled into reading user-supplied data instead.
- CVE-2018-1303
mod_cache_socache: Fix request headers parsing to avoid a possible crash
with specially crafted input data.
- CVE-2018-1301
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel.
- CVE-2017-15715
core: Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'.
- CVE-2018-1312
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
may cause problems if used with round robin load balancers. PR 54637
- CVE-2018-1302
mod_http2: Potential crash w/ mod_http2.
- mod_proxy_uwsgi: New UWSGI proxy submodule.
- mod_md: New experimental module for managing domains across virtual
hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
renew certificates.
- core: silently ignore a not existent file path when IncludeOptional
is used. Closes: #878920
- mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980
* Fix lintian warnings:
- Include SupportApache-small.png in apache2-doc package instead of
linking to apache.org, to avoid privacy issues.
- Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
- Remove deprecated use of autotools_dev with dh.
- Add some overrides
* Bump standards-version to 4.1.2 (no changes)
apache2 (2.4.29-2) unstable; urgency=medium
* Add myself to Uploaders
* Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
* Run wrap-and-sort -a to canonicalize the debian/ directory
* Add Build-Depends on libbrotli-dev and enable brotli module
-- Andreas Hasenack <email address hidden> Thu, 17 May 2018 14:46:19 +0000
Upload details
- Uploaded by:
- Andreas Hasenack on 2018-05-22
- Uploaded to:
- Cosmic
- Original maintainer:
- Ubuntu Developers
- Architectures:
- any all
- Section:
- web
- Urgency:
- Medium Urgency
See full publishing history Publishing
| Series | Published | Component | Section | |
|---|---|---|---|---|
| Cosmic | release | on 2018-05-23 | main | web |
Downloads
| File | Size | SHA-256 Checksum |
|---|---|---|
| apache2_2.4.33.orig.tar.bz2 | 6.6 MiB | de02511859b00d17845b9abdd1f975d5ccb5d0b280c567da5bf2ad4b70846f05 |
| apache2_2.4.33-3ubuntu2.debian.tar.xz | 782.2 KiB | d1da52ea3bcf5c8b06eea8bd34fe488f7e65d7ac5b019a95ddfee549c08d1d90 |
| apache2_2.4.33-3ubuntu2.dsc | 3.1 KiB | 8c0e1888f4ffbb261e791368bbf710a33d89607305838910a733304ad4cfb979 |
Available diffs
Binary packages built by this source
- apache2: Apache HTTP Server
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
Installing this package results in a full installation, including the
configuration files, init scripts and support scripts.
- apache2-bin: Apache HTTP Server (modules and other binary files)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package contains the binaries only and does not set up a working
web-server instance. Install the "apache2" package to get a fully working
instance.
- apache2-data: Apache HTTP Server (common files)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package contains architecture-independent common files such as icons,
error pages and static index files.
- apache2-dbg: Apache debugging symbols
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package includes the debugging symbols. It can be used to debug
crashing server instances and modules. See
/usr/share/doc/apache2/ README. backtrace for more information.
- apache2-dev: Apache HTTP Server (development headers)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package provides development headers and the apxs2 binary for the Apache
2 HTTP server, useful to develop and link third party additions to the Debian
Apache HTTP server package.
.
It also provides dh_apache2 and dh sequence addons useful to install various
Debian Apache2 extensions with debhelper. It supports
- Apache 2 module configurations and shared objects
- Site configuration files
- Global configuration files
- apache2-doc: Apache HTTP Server (on-site documentation)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package provides the documentation for the Apache 2 HTTP server. The
documentation is shipped in HTML format and can be accessed from a local
running Apache HTTP server instance or by browsing the file system directly.
- apache2-ssl-dev: Apache HTTP Server (mod_ssl development headers)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package provides the development header and the dependencies for
modules that interact with mod_ssl's internal openssl state.
- apache2-suexec-custom: Apache HTTP Server configurable suexec program for mod_suexec
Provides a customizable version of the suexec helper program for mod_suexec.
This is not the version from upstream, but can be configured with a
configuration file.
.
If you do not need non-standard document root or userdir settings, it is
recommended that you use the standard suexec helper program from the
apache2-suexec- pristine package instead.
- apache2-suexec-pristine: Apache HTTP Server standard suexec program for mod_suexec
Provides the standard suexec helper program for mod_suexec. This version is
compiled with document root /var/www and userdir suffix public_html. If you
need different settings, use the package apache2-suexec- custom.
- apache2-utils: Apache HTTP Server (utility programs for web servers)
Provides some add-on programs useful for any web server. These include:
- ab (Apache benchmark tool)
- fcgistarter (Start a FastCGI program)
- logresolve (Resolve IP addresses to hostnames in logfiles)
- htpasswd (Manipulate basic authentication files)
- htdigest (Manipulate digest authentication files)
- htdbm (Manipulate basic authentication files in DBM format, using APR)
- htcacheclean (Clean up the disk cache)
- rotatelogs (Periodically stop writing to a logfile and open a new one)
- split-logfile (Split a single log including multiple vhosts)
- checkgid (Checks whether the caller can setgid to the specified group)
- check_forensic (Extract mod_log_forensic output from Apache log files)
- httxt2dbm (Generate dbm files for use with RewriteMap)
