enterprise-support team mailing list archive

[Bug 1946270] [NEW] Merge apache2 from Debian unstable for j-series

 

Public bug reported:

Scheduled-For: 21.01
Upstream: 2.4.50
Debian:   2.4.50-1    
Ubuntu:   2.4.48-3.1ubuntu2


Debian does new releases regularly, so it's likely there will be newer
versions available before FF that we can pick up if this merge is done
later in the cycle.


### New Debian Changes ###

apache2
apache2 (2.4.50-1) unstable; urgency=high

  * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524)
  * Remove patches already merged upstream

 -- Ondřej Surý <ondrej@xxxxxxxxxx>  Tue, 05 Oct 2021 13:25:23 +0200

apache2 (2.4.49-4) unstable; urgency=medium

  [ Ondřej Surý ]
  * Add upstream patch to fix crash in 2.4.49

 -- Yadd <yadd@xxxxxxxxxx>  Fri, 01 Oct 2021 11:34:24 +0200

apache2 (2.4.49-3) unstable; urgency=medium

  [ Yadd ]
  * Re-export upstream signing key without extra signatures.
  * Drop transition for old debug package migration.

  [ Moritz Muehlenhoff ]
  * Fix CVE-2021-40438 regression

 -- Yadd <yadd@xxxxxxxxxx>  Thu, 30 Sep 2021 06:00:06 +0200

apache2 (2.4.49-2) unstable; urgency=medium

  [ Michiel Hazelhof ]
  * Fix multi instance issue (Closes: #868861)

  [ Philippe Ombredanne ]
  * Fix GPL version typo in copyright file

 -- Yadd <yadd@xxxxxxxxxx>  Thu, 23 Sep 2021 13:55:55 +0200

apache2 (2.4.49-1) unstable; urgency=medium

  * Update upstream GPG keys
  * New upstream version 2.4.49 (Closes: CVE-2021-34798, CVE-2021-36160,
    CVE-2021-39275, CVE-2021-40438)
  * Refresh patches

 -- Yadd <yadd@xxxxxxxxxx>  Thu, 16 Sep 2021 06:22:23 +0200

apache2 (2.4.48-4) unstable; urgency=medium

  * Fix mod_proxy HTTP2 request line injection (Closes: CVE-2021-33193)

 -- Yadd <yadd@xxxxxxxxxx>  Thu, 12 Aug 2021 11:37:43 +0200

apache2 (2.4.48-3.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Direct init script reload output from logrotate to syslog, to
    avoid mail-spamming the local admin (Closes: #990580)

 -- Thorsten Glaser <tg@xxxxxxxxx>  Sat, 10 Jul 2021 23:31:28 +0200

apache2 (2.4.48-3) unstable; urgency=medium

  * Fix debian/changelog

 -- Yadd <yadd@xxxxxxxxxx>  Sun, 20 Jun 2021 16:39:33 +0200

apache2 (2.4.48-2) unstable; urgency=medium

  * Back to unstable: Apache2 will follow upstream changes for Bullseye

  [ Christian Ehrhardt ]
  * d/t/control, d/t/check-http2: basic test for http2 (Closes: #884068)

 -- Yadd <yadd@xxxxxxxxxx>  Sat, 19 Jun 2021 17:50:29 +0200

apache2 (2.4.48-1) experimental; urgency=medium

  [ Daniel Lewart ]
  * Update apache2.logrotate (Closes: #979813)

  [ Andreas Hasenack ]
  * Avoid test suite failure (Closes: #985012)

  [ Yadd ]
  * Update lintian overrides
  * Re-export upstream signing key without extra signatures.

  [ Ondřej Surý ]
  * New upstream version 2.4.48 (Closes: CVE-2019-17567, CVE-2020-13938,
    CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691,
    CVE-2021-30641, CVE-2021-31618)

 -- Ondřej Surý <ondrej@xxxxxxxxxx>  Tue, 08 Jun 2021 08:29:35 +0200

apache2 (2.4.47-1) experimental; urgency=medium

  * Update upstream keys file
  * New upstream version 2.4.47
  * Refresh patches

 -- Yadd <yadd@xxxxxxxxxx>  Thu, 29 Apr 2021 08:03:33 +0200


### Old Ubuntu Delta ###

apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: DoS in mod_proxy_uwsgi
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
      generic worker in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2021-36160
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the 'proxy:' URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Thu, 23 Sep 2021 12:51:16 -0400

apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles. (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.  (LP 1288690)
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.  (LP 1832182)
    - d/apache2ctl: Also use /run/systemd to check for systemd usage
      (LP 1918209)

 -- Bryce Harrington <bryce@xxxxxxxxxxxxx>  Wed, 11 Aug 2021 20:03:24 -0700

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: Invalid

** Changed in: apache2 (Ubuntu)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/1946270
