apache2 2.4.33-3ubuntu2 source package in Ubuntu
Changelog
apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and libapache2-mod-md until we figure out their transitions. libapache2-mod-md in particular is problematic because that makes apache2-bin pull in libcurl4 which cannot be coinstalled with libcurl3. That situation breaks the installation of libapache2-mod-shib2. See https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1 for details. - Don't ship md.load and remove build-requires that were added because of mod-md (see https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf) - Remove proxy_uwsgi.load as we are not building it for now (see https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9) apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium * Merge with Debian unstable (LP: #1770242). Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace Debian with Ubuntu on default page. + d/source/include-binaries: add Ubuntu icon file - d/t/control, d/t/check-http2: add basic test for http2 support * Drop: - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig + debian/patches/CVE-2017-15710.patch: fix language long names detection as short name in modules/aaa/mod_authnz_ldap.c. + CVE-2017-15710 - SECURITY UPDATE: incorrect <FilesMatch> matching + debian/patches/CVE-2017-15715.patch: allow to configure global/default options for regexes, like caseless matching or extended format in include/ap_regex.h, server/core.c, server/util_pcre.c. + CVE-2017-15715 - SECURITY UPDATE: mod_session header manipulation + debian/patches/CVE-2018-1283.patch: strip Session header when SessionEnv is on in modules/session/mod_session.c. + CVE-2018-1283 - SECURITY UPDATE: DoS via specially-crafted request + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL terminated on any error, not only on buffer full in server/protocol.c. + CVE-2018-1301 - SECURITY UPDATE: mod_cache_socache DoS + debian/patches/CVE-2018-1303.patch: fix caching of empty headers up to carriage return in modules/cache/mod_cache_socache.c. + CVE-2018-1303 - SECURITY UPDATE: insecure nonce generation + debian/patches/CVE-2018-1312.patch: actually use the secret when generating nonces in modules/aaa/mod_auth_digest.c. + CVE-2018-1312 - Correct systemd-sysv-generator behavior by customizing some parameters: + d/apache2-systemd.conf: add a drop-in file to specify some parameters for the systemd unit (type=Forking and RemainsAfterExit=no), this allow a correct state synchronisation between systemctl status and actual state of apache2 daemon. + d/apache2.install: place the apache2-systemd.conf file in the correct location. [type=Forking already in the base systemd service file, and RemainsAfterExit=no is the default value, so no need to customize these anymore.] - Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP #1752683) + added debian/patches/util_ldap_cache_lock_fix.patch [Already applied upstream] apache2 (2.4.33-3) unstable; urgency=medium * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too. Closes: #894785 * mod_http2: Avoid high memory usage with large files, causing crashes on 32bit archs. Closes: #897218 * Migrate from alioth to salsa. apache2 (2.4.33-2) unstable; urgency=medium * Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi and libapache2-mod-md. Closes: #894760, #894761, #894785 apache2 (2.4.33-1) unstable; urgency=medium * New upstream version. Security fixes: - CVE-2017-15710 Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled - CVE-2018-1283 mod_session: CGI-like applications that intend to read from mod_session's 'SessionEnv ON' could be fooled into reading user-supplied data instead. - CVE-2018-1303 mod_cache_socache: Fix request headers parsing to avoid a possible crash with specially crafted input data. - CVE-2018-1301 core: Possible crash with excessively long HTTP request headers. Impractical to exploit with a production build and production LogLevel. - CVE-2017-15715 core: Configure the regular expression engine to match '$' to the end of the input string only, excluding matching the end of any embedded newline characters. Behavior can be changed with new directive 'RegexDefaultOptions'. - CVE-2018-1312 mod_auth_digest: Fix generation of nonce values to prevent replay attacks across servers using a common Digest domain. This change may cause problems if used with round robin load balancers. PR 54637 - CVE-2018-1302 mod_http2: Potential crash w/ mod_http2. - mod_proxy_uwsgi: New UWSGI proxy submodule. - mod_md: New experimental module for managing domains across virtual hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and renew certificates. - core: silently ignore a not existent file path when IncludeOptional is used. Closes: #878920 - mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980 * Fix lintian warnings: - Include SupportApache-small.png in apache2-doc package instead of linking to apache.org, to avoid privacy issues. - Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE - Remove deprecated use of autotools_dev with dh. - Add some overrides * Bump standards-version to 4.1.2 (no changes) apache2 (2.4.29-2) unstable; urgency=medium * Add myself to Uploaders * Bump required version of apr/apr-util to 1.6.0 (Closes: #879634) * Run wrap-and-sort -a to canonicalize the debian/ directory * Add Build-Depends on libbrotli-dev and enable brotli module -- Andreas Hasenack <email address hidden> Thu, 17 May 2018 14:46:19 +0000
Upload details
- Uploaded by:
- Andreas Hasenack on 2018-05-22
- Uploaded to:
- Cosmic
- Original maintainer:
- Ubuntu Developers
- Architectures:
- any all
- Section:
- web
- Urgency:
- Medium Urgency
See full publishing history Publishing
Series | Published | Component | Section |
---|
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
apache2_2.4.33.orig.tar.bz2 | 6.6 MiB | de02511859b00d17845b9abdd1f975d5ccb5d0b280c567da5bf2ad4b70846f05 |
apache2_2.4.33-3ubuntu2.debian.tar.xz | 782.2 KiB | d1da52ea3bcf5c8b06eea8bd34fe488f7e65d7ac5b019a95ddfee549c08d1d90 |
apache2_2.4.33-3ubuntu2.dsc | 3.1 KiB | 8c0e1888f4ffbb261e791368bbf710a33d89607305838910a733304ad4cfb979 |
Available diffs
Binary packages built by this source
- apache2: Apache HTTP Server
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
Installing this package results in a full installation, including the
configuration files, init scripts and support scripts.
- apache2-bin: Apache HTTP Server (modules and other binary files)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package contains the binaries only and does not set up a working
web-server instance. Install the "apache2" package to get a fully working
instance.
- apache2-data: Apache HTTP Server (common files)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package contains architecture-independent common files such as icons,
error pages and static index files.
- apache2-dbg: Apache debugging symbols
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package includes the debugging symbols. It can be used to debug
crashing server instances and modules. See
/usr/share/doc/apache2/ README. backtrace for more information.
- apache2-dev: Apache HTTP Server (development headers)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package provides development headers and the apxs2 binary for the Apache
2 HTTP server, useful to develop and link third party additions to the Debian
Apache HTTP server package.
.
It also provides dh_apache2 and dh sequence addons useful to install various
Debian Apache2 extensions with debhelper. It supports
- Apache 2 module configurations and shared objects
- Site configuration files
- Global configuration files
- apache2-doc: Apache HTTP Server (on-site documentation)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package provides the documentation for the Apache 2 HTTP server. The
documentation is shipped in HTML format and can be accessed from a local
running Apache HTTP server instance or by browsing the file system directly.
- apache2-ssl-dev: Apache HTTP Server (mod_ssl development headers)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package provides the development header and the dependencies for
modules that interact with mod_ssl's internal openssl state.
- apache2-suexec-custom: Apache HTTP Server configurable suexec program for mod_suexec
Provides a customizable version of the suexec helper program for mod_suexec.
This is not the version from upstream, but can be configured with a
configuration file.
.
If you do not need non-standard document root or userdir settings, it is
recommended that you use the standard suexec helper program from the
apache2-suexec- pristine package instead.
- apache2-suexec-pristine: Apache HTTP Server standard suexec program for mod_suexec
Provides the standard suexec helper program for mod_suexec. This version is
compiled with document root /var/www and userdir suffix public_html. If you
need different settings, use the package apache2-suexec- custom.
- apache2-utils: Apache HTTP Server (utility programs for web servers)
Provides some add-on programs useful for any web server. These include:
- ab (Apache benchmark tool)
- fcgistarter (Start a FastCGI program)
- logresolve (Resolve IP addresses to hostnames in logfiles)
- htpasswd (Manipulate basic authentication files)
- htdigest (Manipulate digest authentication files)
- htdbm (Manipulate basic authentication files in DBM format, using APR)
- htcacheclean (Clean up the disk cache)
- rotatelogs (Periodically stop writing to a logfile and open a new one)
- split-logfile (Split a single log including multiple vhosts)
- checkgid (Checks whether the caller can setgid to the specified group)
- check_forensic (Extract mod_log_forensic output from Apache log files)
- httxt2dbm (Generate dbm files for use with RewriteMap)