[ubuntu/disco-proposed] apache2 2.4.38-2ubuntu1 (Accepted)

Andreas Hasenack andreas at canonical.com
Tue Feb 5 12:36:12 UTC 2019


apache2 (2.4.38-2ubuntu1) disco; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
   - debian/patches/086_svn_cross_compiles: Backport several cross
     fixes from upstream
     [Removed configure chunk, not needed since configure.in is being
      patched.]
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
  * Dropped:
    - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
      libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
      cannot be coinstalled with libcurl3. That situation breaks the
      installation of libapache2-mod-shib2.  See
      https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
      for details.
      [This has been resolved in Disco, where libxmltooling8 is built with
      openssl 1.1]
    - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
      + debian/patches/CVE-2018-11763.patch: rework connection IO event
        handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
        modules/http2/h2_version.h.
        - CVE-2018-11763
        [Fixed in 2.4.35]

apache2 (2.4.38-2) unstable; urgency=medium

  * Disable "reset" test in allowmethods.t (Closes: #921024)

apache2 (2.4.38-1) unstable; urgency=medium

  [ Jelmer Vernooń≥ ]
  * Reverted for now: Transition to automatic debug package (from: apache2-dbg)
  * Trim trailing whitespace
  * Use secure copyright file specification URI

  [ Niels Thykier ]
  * Add Rules-Requires-Root: binary-targets

  [ Xavier Guimard ]
  * Convert signing-key.pgp into signing-key.asc
  * Add http2.conf (Closes: #880993)
  * Remove unnecessary greater-than versioned dependency to dpkg-dev,
    libbrotli-dev and libapache2-mod-md
  * Declare compliance with policy 4.2.1
  * Add spelling errors patch (reported)
  * Fix some spelling errors in debian files
  * Add myself to uploaders
  * Refresh patches
  * Bump debhelper compatibility level to 10
  * debian/rules:
    - Remove unnecessary dh argument --parallel
    - use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog
  * Add upstream/metadata
  * Replace MIT by Expat in debian/copyright
  * debian/watch: use https url
  * Add documentation links in systemd service files
  * Team upload

  [ Cyrille Bollu ]
  * Put HTTP2 configuration within <IfModule !mpm_prefork></IfModule> tags as
    it gets automatically de-activated upon apache 'startup when using
    mpm_prefork.
  * Updated http2.conf to inform user that they may want to change their
    LogFormat directives.

  [ Xavier Guimard ]
  * New upstream version 2.4.38 (Closes: #920220, #920302, #920303)
  * Refresh patches
  * Remove setenvifexpr.diff patch now included in upstream
  * Replace libapache2-mod-proxy-uwsgi.{post*,prerm} by a maintscript
  * Add a "sleep" in debian/tests/htcacheclean and skip result if "stop" failed
  * Declare compliance with policy 4.3.0
  * Fix homepage to https
  * Update debian/copyright

apache2 (2.4.37-1) unstable; urgency=medium

  * New upstream version
    - mod_ssl: Add support for TLSv1.3
  * Add docs symlink for libapache2-mod-proxy-uwsgi.  Closes: #910218
  * Update test-framework to r1845652
  * Fix test suite to actually run by creating a test user. It turns out
    the test suite refuses to run as root but returns true even in that
    case. It seems this has been broken since 2.4.27-4, where the test suite
    had been updated and the debci test duration dropped from 15min to
    3min. Also, don't rely on the exit status anymore but parse the test
    output.
  * Backport a fix from trunk for SetEnvIfExpr. This fixes a test failure.

apache2 (2.4.35-1) unstable; urgency=medium

  * New upstream version 2.4.35
    Security fix:
    - CVE-2018-11763: DoS for HTTP/2 connections by continuous SETTINGS
      Closes: #909591
  * Fix lintian warning: Don't force xz in builddeb override.

Date: Sun, 03 Feb 2019 14:57:13 -0200
Changed-By: Andreas Hasenack <andreas at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.38-2ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Feb 2019 14:57:13 -0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev libapache2-mod-md libapache2-mod-proxy-uwsgi
Architecture: source
Version: 2.4.38-2ubuntu1
Distribution: disco
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Andreas Hasenack <andreas at canonical.com>
Description:
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
 libapache2-mod-md - transitional package
 libapache2-mod-proxy-uwsgi - transitional package
Closes: 880993 909591 910218 920220 920302 920303 921024
Changes:
 apache2 (2.4.38-2ubuntu1) disco; urgency=medium
 .
   * Merge with Debian unstable. Remaining changes:
     - debian/{control, apache2.install, apache2-utils.ufw.profile,
       apache2.dirs}: Add ufw profiles.
     - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
      [Removed configure chunk, not needed since configure.in is being
       patched.]
     - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
       Debian with Ubuntu on default page.
       + d/source/include-binaries: add Ubuntu icon file
     - d/t/control, d/t/check-http2: add basic test for http2 support
   * Dropped:
     - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
       libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
       cannot be coinstalled with libcurl3. That situation breaks the
       installation of libapache2-mod-shib2.  See
       https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
       for details.
       [This has been resolved in Disco, where libxmltooling8 is built with
       openssl 1.1]
     - SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
       + debian/patches/CVE-2018-11763.patch: rework connection IO event
         handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
         modules/http2/h2_version.h.
         - CVE-2018-11763
         [Fixed in 2.4.35]
 .
 apache2 (2.4.38-2) unstable; urgency=medium
 .
   * Disable "reset" test in allowmethods.t (Closes: #921024)
 .
 apache2 (2.4.38-1) unstable; urgency=medium
 .
   [ Jelmer Vernooń≥ ]
   * Reverted for now: Transition to automatic debug package (from: apache2-dbg)
   * Trim trailing whitespace
   * Use secure copyright file specification URI
 .
   [ Niels Thykier ]
   * Add Rules-Requires-Root: binary-targets
 .
   [ Xavier Guimard ]
   * Convert signing-key.pgp into signing-key.asc
   * Add http2.conf (Closes: #880993)
   * Remove unnecessary greater-than versioned dependency to dpkg-dev,
     libbrotli-dev and libapache2-mod-md
   * Declare compliance with policy 4.2.1
   * Add spelling errors patch (reported)
   * Fix some spelling errors in debian files
   * Add myself to uploaders
   * Refresh patches
   * Bump debhelper compatibility level to 10
   * debian/rules:
     - Remove unnecessary dh argument --parallel
     - use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog
   * Add upstream/metadata
   * Replace MIT by Expat in debian/copyright
   * debian/watch: use https url
   * Add documentation links in systemd service files
   * Team upload
 .
   [ Cyrille Bollu ]
   * Put HTTP2 configuration within <IfModule !mpm_prefork></IfModule> tags as
     it gets automatically de-activated upon apache 'startup when using
     mpm_prefork.
   * Updated http2.conf to inform user that they may want to change their
     LogFormat directives.
 .
   [ Xavier Guimard ]
   * New upstream version 2.4.38 (Closes: #920220, #920302, #920303)
   * Refresh patches
   * Remove setenvifexpr.diff patch now included in upstream
   * Replace libapache2-mod-proxy-uwsgi.{post*,prerm} by a maintscript
   * Add a "sleep" in debian/tests/htcacheclean and skip result if "stop" failed
   * Declare compliance with policy 4.3.0
   * Fix homepage to https
   * Update debian/copyright
 .
 apache2 (2.4.37-1) unstable; urgency=medium
 .
   * New upstream version
     - mod_ssl: Add support for TLSv1.3
   * Add docs symlink for libapache2-mod-proxy-uwsgi.  Closes: #910218
   * Update test-framework to r1845652
   * Fix test suite to actually run by creating a test user. It turns out
     the test suite refuses to run as root but returns true even in that
     case. It seems this has been broken since 2.4.27-4, where the test suite
     had been updated and the debci test duration dropped from 15min to
     3min. Also, don't rely on the exit status anymore but parse the test
     output.
   * Backport a fix from trunk for SetEnvIfExpr. This fixes a test failure.
 .
 apache2 (2.4.35-1) unstable; urgency=medium
 .
   * New upstream version 2.4.35
     Security fix:
     - CVE-2018-11763: DoS for HTTP/2 connections by continuous SETTINGS
       Closes: #909591
   * Fix lintian warning: Don't force xz in builddeb override.
Checksums-Sha1:
 1a0ae8c0f21dba57aa8b966ead075db2f09284c5 3354 apache2_2.4.38-2ubuntu1.dsc
 6ee19a7b936a6ddbbf81b313c4a8b38bf232b40e 9187294 apache2_2.4.38.orig.tar.gz
 173cabbe6666974fc29ceeab939a7d3dd09ef1c4 1026972 apache2_2.4.38-2ubuntu1.debian.tar.xz
 bdc33d40b9b982f9838f757f2bdd503b924b9681 7278 apache2_2.4.38-2ubuntu1_source.buildinfo
Checksums-Sha256:
 73870d369b2177baa47f6c94fd42842bbe34340f66e0daffb3e17a72ed4b4731 3354 apache2_2.4.38-2ubuntu1.dsc
 38d0b73aa313c28065bf58faf64cec12bf7c7d5196146107df2ad07541aa26a6 9187294 apache2_2.4.38.orig.tar.gz
 378f1646b15c2ac272335b0b8569091cefe969f1b4fdf0d43360038f9007efb9 1026972 apache2_2.4.38-2ubuntu1.debian.tar.xz
 10cbbcbe414de9195a8ae7a180e8107f352847fe20e2fe07ff5edfd2f02d27a6 7278 apache2_2.4.38-2ubuntu1_source.buildinfo
Files:
 656236a876e36c60355f6214291db4b2 3354 httpd optional apache2_2.4.38-2ubuntu1.dsc
 626083caac6d85a048abac6d5ea61e5b 9187294 httpd optional apache2_2.4.38.orig.tar.gz
 5a077bb14861bdb2fd3220f198d1300a 1026972 httpd optional apache2_2.4.38-2ubuntu1.debian.tar.xz
 5126d46362290f780610865846ff6f60 7278 httpd optional apache2_2.4.38-2ubuntu1_source.buildinfo
Original-Maintainer: Debian Apache Maintainers <debian-apache at lists.debian.org>

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEiGZB1jWM2kalbBxyrJg+tb9ry6kFAlxZgZ8ACgkQrJg+tb9r
y6l6ug//eHiNhEOY7H89RA9VdVwU/uIvwMDemWFYmJxBBeBDhJxwr7SsW/OdNXc8
4TVDxpCK2DTaePh98IJgcHbJAaDMc7xO3ULIhLR7hfZlDyLyteLjmqQ3Kx1ZChqc
6/1JgxGhqwaAu+8j72ZJxrfJDhNGpes3kgwljSJz6E5NAK+EQ9DMcNCCFFukHNUh
4soGG3heT+kG6G3cRwl/GejgNHop2glQRr2E+OSvQjs3CXNqWcDrZS3CTlibzG4y
MGyfN6QrXxsAdd2AaOuNHTMikkqaxLHjme26qjb6wxRrccAjxiqCago50DWYTfq4
nYid03U2rDp/ecs8CwvysvXX9i+6vOCz5YFisSKujs4/LiU914p+f4QETDmnZrEi
thTB52sg8nPQIEVFSkOvhl1njyOraC1VfwvLzxMm/cHcK/5qOsfmN0q6s5R+1zVZ
z9TZZYSVX10YoHQZ3p+vZZLTURnwaXy6szyb4rBTV47N5a6kOt8YEGZzCWs+WHub
DNJFJKVaTCqlvOUItssUVTgim8/n/yAbZDwWY6OfrD6l73fE+gF/PVwNRz1Dgk1s
U9imrBkWekpgFF9c6oDIxwZ3ug0CyG0+OuKteNuZCTS7XWihsJZMy+/401stkbDj
3Ijb5ZGW5gIFCjI+to+8+7V6e/CC9iyWnSxQ6fi+TKcb0wEb9p4=
=Oo6z
-----END PGP SIGNATURE-----


More information about the Disco-changes mailing list