[ubuntu/oracular-proposed] apache2 2.4.59-2ubuntu1 (Accepted)

Bryce Harrington bryce at canonical.com
Mon Jun 10 18:27:14 UTC 2024


apache2 (2.4.59-2ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2064378). Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/source/include-binaries, d/t/check-ubuntu-branding: Replace
      Debian with Ubuntu on default homepage.
      (LP #1966004, LP #1947459)
    - d/apache2.py, d/apache2-bin.install: Add apport hook
      (LP #609177)
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
      d/apache2.dirs: Add ufw profiles
      (LP #261198)
    - d/control: Upgrade lua build dependency to 5.4
      (LP #1910372)
    - d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
      dolphin and Konqueror/5 careful redirection so that directories can be
      deleted via webdav.
      (LP #1927742)
    - d/debhelper/apache2-maintscript-helper: Allow execution when called from a
      postinst script through a trigger (i.e., postinst triggered).
      Thanks to Roel van Meer. (Closes: #1060450)
      (LP #2038912)
  * Dropped:
    - d/p/CVE-2023-38709.patch: header validation after
      content-* are eval'ed in modules/http/http_filters.c.
      [Included in 2.4.59]
    - HTTP Response Splitting in multiple modules
      + d/p/CVE-2024-24795.patch: let httpd handle CL/TE for
        non-http handlers in include/util_script.h,
        modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
        modules/generators/mod_cgid.c, modules/http/http_filters.c,
        modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
        modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
      [Included in 2.4.59]
    - HTTP/2 DoS by memory exhaustion on endless continuation frames
      + d/p/CVE-2024-27316.patch: bail after too many failed reads
        in modules/http2/h2_session.c, modules/http2/h2_stream.c,
        modules/http2/h2_stream.h.
      [Included in 2.4.59]

apache2 (2.4.59-2) unstable; urgency=medium

  * Breaks against fossil due to CVE-2024-24795 follows up

apache2 (2.4.59-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Remove old transitional packages libapache2-mod-md and
    libapache2-mod-proxy-uwsgi. Closes: #1032628

  [ Yadd ]
  * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564)
  * Refresh patches
  * New upstream version 2.4.59
    (Closes: #1068412 CVE-2024-27316 CVE-2024-24795 CVE-2023-38709)
  * Refresh patches
  * Update patches
  * Update test framework

Date: Thu, 23 May 2024 13:30:30 -0700
Changed-By: Bryce Harrington <bryce at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.59-2ubuntu1
-------------- next part --------------
Format: 1.8
Date: Thu, 23 May 2024 13:30:30 -0700
Source: apache2
Built-For-Profiles: noudeb
Architecture: source
Version: 2.4.59-2ubuntu1
Distribution: oracular
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Bryce Harrington <bryce at canonical.com>
Closes: 1032628 1054564 1060450 1068412
Launchpad-Bugs-Fixed: 2064378
Original-Maintainer: Debian Apache Maintainers <debian-apache at lists.debian.org>
Vcs-Git: https://git.launchpad.net/~bryce/ubuntu/+source/apache2
Vcs-Git-Commit: bc488d2eb57f4abdeec73735df5ff2d1806ae1fc
Vcs-Git-Ref: refs/heads/merge-v2.4.59-2-oracular

