[ubuntu/vivid-proposed] apache2 2.4.10-8ubuntu1 (Accepted)
Robie Basak
robie.basak at ubuntu.com
Fri Nov 21 15:35:15 UTC 2014
apache2 (2.4.10-8ubuntu1) vivid; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/control, d/config-dir/mods-available/ssl.conf,
      d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
      dialog program ask-for-passphrase.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - d/p/split-logfile.patch: fix completely broken split-logfile
      command.
  * Fixes from Debian included in merge:
    - Crash caused by OCSP stapling code; this was erroneously
      attributed to Debian in my previous merge, but actually only
      appears in 2.4.10-8; with thanks to Stefan Fritsch (LP: #1366174).
  * Cherry-pick versioned build-depend on dpkg from Debian for correct
    dpkg-maintscript-helper symlink_to_dir support.

apache2 (2.4.10-8) unstable; urgency=medium

  * Bump dpkg Pre-Depends to version that supports relative symlinks in
    dpkg-maintscript-helper's symlink_to_dir. Closes: #769821
  * mod_proxy_fcgi: Fix potential denial of service by malicious fcgi
    script. (CVE-2014-3583). Fix similar bug in mod_authnz_fcgi even
    though it does not seem to be exploitable.
  * mpm_event: Fix use-after-free that may lead to a server crash.
  * mod_ssl: Fix memory leak on graceful restart. Closes: #754492
  * mod_ssl: Avoid crashes during startup or graceful restart due to
    openssl using a callback to invalid memory. LP: #1366174

apache2 (2.4.10-7ubuntu1) vivid; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - d/control, d/config-dir/mods-available/ssl.conf,
      d/ask-for-passphrase, d/apache2.install: Plymouth aware passphrase
      dialog program ask-for-passphrase.
    - Add dep8 tests.
    - debian/rules: Fix cross-building by passing
      DEB_{HOST,BUILD}_GNU_TYPE to configure.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html: replace Debian with Ubuntu on default page.
    - d/p/split-logfile.patch: fix completely broken split-logfile command.
  * Fixes from Debian included in merge:
    - Don't use a2query in preinst, as it may not be available yet
      (LP: #1312533).
    - Crash caused by OCSP stapling code (LP: #1366174).
    - Disable SSLv3 in default config (LP: #1358305).
    - If apache2 is not configured yet, defer actions executed via
      apache2-maintscript-helper. This fixes installation failures if a
      module package is configured first (LP: #1312854).

apache2 (2.4.10-7) unstable; urgency=medium

  * Handle transitions of doc dirs and symlinks correctly during upgrade.
    Use dpkg-maintscript-helper for this and remove existing explicit logic.
    Closes: #767850
  * Remove obsolete conffiles in apache2.2-common, instead doing this only in
    apache2. This partially fixes #768815

apache2 (2.4.10-6) unstable; urgency=medium

  * Disable SSLv3 in default config. Closes: #765347
  * Pull changes from upstream 2.4.x branch up to r1632831
    - Fixes an LDAP regression in 2.4.10
    - mod_cache: Avoid sending 304 responses during failed revalidations.
      PR 56881
    - mod_status: Honor client IP address using mod_remoteip. PR 55886
  * Fix typo in package description. Closes: #765500

apache2 (2.4.10-5) unstable; urgency=medium

  * Remove one forgotten instance of ident.load in the preinst.

apache2 (2.4.10-4) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Make apache2 depend on apache2-utils. This got lost somewhere in the
    2.4 update.
  * Fix possible installation failure because of broken preinst script.
    Closes: #764498
  * Improve package descriptions. Closes: #763676

  [ Arno Töll ]
  * Add proper return codes to fail() conditions in a2query. Thanks to Ondřej
    Surý for providing a patch.

apache2 (2.4.10-3) unstable; urgency=medium

  * CVE-2014-3581: Fix a DoS in mod_cache.
  * If apache2 is not configured yet, defer actions executed via
    apache2-maintscript-helper. This fixes installation failures if a
    module package is configured first. Closes: #745834
  * Don't use a2query in preinst, as it may not be available yet.
    Closes: #745812
  * Include mod_authnz_fcgi. Closes: #762908
  * Add some comments about SSLHonorCipherOrder in ssl.conf. Closes: #746359
  * Remove misleading sentence in apache2-bin's description. Closes: #762645
  * Remove trailing space in apache2/suexec/www-data. Closes: #719930
  * Add NEWS entry for the logrotate change in 2.4.10-2.
  * Bump Standards-version (no changes).
  * Fix lintian warning: Tweak licence short names in copyright file.

apache2 (2.4.10-2) unstable; urgency=medium

  * Pull changes from upstream 2.4.x branch up to r1626207
    + Security Fix for CVE-2013-5704: HTTP trailers could be used to
      replace HTTP headers late during request processing, potentially
      undoing or otherwise confusing modules that examined or modified
      request headers earlier.
      Adds "MergeTrailers" directive to restore legacy behavior.

  * Switch to apache2 providing the httpd and httpd-cgi virtual packages.
    The previously providing apache2-bin package lacks the configuration
    files. Closes: #756361
  * Keep fewer logs by default. Instead of 52 weekly logs, keep 14 daily
    logs. The daily graceful restart also has the advantage of regenerating
    things like TLS session ticket keys more often. Closes: #759382
  * Clarify description of apache2 package. Closes: #755976
  * In the maintainer script helper, print out Apache's error message if
    the config check fails.
  * Re-add mod_ident. It has still at least one user. LP: #1333388

Date: Fri, 21 Nov 2014 15:15:58 +0000
Changed-By: Robie Basak <robie.basak at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.10-8ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 21 Nov 2014 15:15:58 +0000
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2.2-bin apache2.2-common libapache2-mod-proxy-html libapache2-mod-macro apache2-utils apache2-suexec apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-dbg
Architecture: source
Version: 2.4.10-8ubuntu1
Distribution: vivid
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Robie Basak <robie.basak at ubuntu.com>
Description:
apache2 - Apache HTTP Server
apache2-bin - Apache HTTP Server (modules and other binary files)
apache2-data - Apache HTTP Server (common files)
apache2-dbg - Apache debugging symbols
apache2-dev - Apache HTTP Server (development headers)
apache2-doc - Apache HTTP Server (on-site documentation)
apache2-mpm-event - transitional event MPM package for apache2
apache2-mpm-itk - transitional itk MPM package for apache2
apache2-mpm-prefork - transitional prefork MPM package for apache2
apache2-mpm-worker - transitional worker MPM package for apache2
apache2-suexec - transitional package for apache2-suexec-pristine
apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
apache2-utils - Apache HTTP Server (utility programs for web servers)
apache2.2-bin - Transitional package for apache2-bin
apache2.2-common - Transitional package for apache2
libapache2-mod-macro - Transitional package for apache2-bin
libapache2-mod-proxy-html - Transitional package for apache2-bin
Closes: 719930 745812 745834 746359 754492 755976 756361 759382 762645 762908 763676 764498 765347 765500 767850 769821
Launchpad-Bugs-Fixed: 1312533 1312854 1333388 1358305 1366174
Original-Maintainer: Debian Apache Maintainers <debian-apache at lists.debian.org>