← Back to team overview

enterprise-support team mailing list archive

[Bug 1971237] [NEW] Merge apache2 from Debian unstable for kinetic

 

Public bug reported:

Upstream: 2.4.53
Debian:   2.4.53-2    
Ubuntu:   2.4.52-1ubuntu4


Debian does new releases regularly, so it's likely there will be newer
versions available before FF that we can pick up if this merge is done
later in the cycle.


### New Debian Changes ###

apache2 (2.4.53-2) unstable; urgency=medium

  * Clean useless Conflicts/Replace
  * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254)

 -- Yadd <yadd@xxxxxxxxxx>  Tue, 15 Mar 2022 15:27:39 +0100

apache2 (2.4.53-1) unstable; urgency=medium

  * New upstream version 2.4.53 (Closes: CVE-2022-22719,
    CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)
  * Update copyright
  * Patches:
    + Drop fix-2.4.52-regression.patch, now included in upstream
    + Refresh fhs_compliance.patch
    + Update and disable child_processes_fail_to_start.patch
  * Update test framework
  * Back to unstable

 -- Yadd <yadd@xxxxxxxxxx>  Mon, 14 Mar 2022 17:10:39 +0100

apache2 (2.4.52-3) experimental; urgency=medium

  * Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL
    error)
  * Set hardening=+all instead of hardening=+bindnow

 -- Yadd <yadd@xxxxxxxxxx>  Tue, 28 Dec 2021 21:20:05 +0100

apache2 (2.4.52-2) experimental; urgency=medium

  * Build with pcre2 (Closes: #1000114)

 -- Yadd <yadd@xxxxxxxxxx>  Tue, 28 Dec 2021 20:01:43 +0100

apache2 (2.4.52-1) unstable; urgency=medium

  * Refresh suexec-custom.patch
  * Update lintian overrides
  * Wrap long lines in changelog entries: 2.4.51-2.
  * New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790)
  * Refresh patches

 -- Yadd <yadd@xxxxxxxxxx>  Mon, 20 Dec 2021 18:42:09 +0100

apache2 (2.4.51-2) unstable; urgency=medium

  * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting
    parameters

 -- Yadd <yadd@xxxxxxxxxx>  Mon, 25 Oct 2021 18:37:03 +0200

apache2 (2.4.51-1) unstable; urgency=medium

  * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013)
  * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659)

 -- Yadd <yadd@xxxxxxxxxx>  Thu, 07 Oct 2021 20:35:33 +0200

apache2 (2.4.50-1) unstable; urgency=high

  * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524)
  * Remove patches already merged upstream

 -- Ondřej Surý <ondrej@xxxxxxxxxx>  Tue, 05 Oct 2021 13:25:23 +0200

apache2 (2.4.49-4) unstable; urgency=medium

  [ Ondřej Surý ]
  * Add upstream patch to fix crash in 2.4.49

 -- Yadd <yadd@xxxxxxxxxx>  Fri, 01 Oct 2021 11:34:24 +0200

apache2 (2.4.49-3) unstable; urgency=medium

  [ Yadd ]
  * Re-export upstream signing key without extra signatures.
  * Drop transition for old debug package migration.

  [ Moritz Muehlenhoff ]
  * Fix CVE-2021-40438 regression

 -- Yadd <yadd@xxxxxxxxxx>  Thu, 30 Sep 2021 06:00:06 +0200

apache2 (2.4.49-2) unstable; urgency=medium

  [ Michiel Hazelhof ]
  * Fix multi instance issue (Closes: #868861)

  [ Philippe Ombredanne ]
  * Fix GPL version typo in copyright file

 -- Yadd <yadd@xxxxxxxxxx>  Thu, 23 Sep 2021 13:55:55 +0200

apache2 (2.4.49-1) unstable; urgency=medium

  * Update upstream GPG keys
  * New upstream version 2.4.51. Closes: CVE-2021-33193, CVE-2021-34798,
    CVE-2021-36160, CVE-2021-39275, CVE-2021-40438, CVE-2021-41524,
    CVE-2021-41773, CVE-2021-42013)


### Old Ubuntu Delta ###

apache2 (2.4.52-1ubuntu4) jammy; urgency=medium

  * d/apache2.postrm: Include md5 sum for updated index.html

 -- Bryce Harrington <bryce@xxxxxxxxxxxxx>  Thu, 24 Mar 2022 17:35:40
-0700

apache2 (2.4.52-1ubuntu3) jammy; urgency=medium

  * d/index.html:
    - Redesign page's heading for the new logo
    - Use the Ubuntu font where available
    - Update service management directions
    - Copyedit grammar
    - Light reformatting and whitespace cleanup
  * d/icons/ubuntu-logo.png: Refresh ubuntu logo
    (LP: #1966004)

 -- Bryce Harrington <bryce@xxxxxxxxxxxxx>  Wed, 23 Mar 2022 16:18:11
-0700

apache2 (2.4.52-1ubuntu2) jammy; urgency=medium

  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
      lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
    request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic
      if discarding the request body fails in modules/http/http_filters.c,
      server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that
      LimitXMLRequestBody fits in system memory in server/core.c,
      server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
      buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
      modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
      modules/filters/mod_sed.c.
    - CVE-2022-23943

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Thu, 17 Mar 2022
09:39:54 -0400

apache2 (2.4.52-1ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable (LP: #1959924). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
      (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.
      (LP 1288690)
  * Dropped:
    - d/p/support-openssl3-*.patch: Backport various patches from
      https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
      failure to load when using OpenSSL 3.
      (LP #1951476)
      [Included in upstream release 2.4.52]
    - d/apache2ctl: Also use systemd for graceful if it is in use.
      (LP 1832182)
      [This introduced a performance regression.]
    - d/apache2ctl: Also use /run/systemd to check for systemd usage.
      (LP 1918209)
      [Not needed]

 -- Bryce Harrington <bryce@xxxxxxxxxxxxx>  Thu, 03 Feb 2022 10:25:47
-0800

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: Invalid


** Tags: needs-merge upgrade-software-version

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1971237

Title:
  Merge apache2 from Debian unstable for kinetic

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1971237/+subscriptions



Follow ups