enterprise-support team mailing list archive

Thread
Date
[Bug 2018044] [NEW] Merge apache2 from Debian unstable for mantic

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: Bryce Harrington <2018044@xxxxxxxxxxxxxxxxxx>
Date: Fri, 28 Apr 2023 22:07:38 -0000
Reply-to: Bug 2018044 <2018044@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Public bug reported:

Upstream: 2.4.57
Debian:   2.4.57-2    
Ubuntu:   2.4.55-1ubuntu2


Debian does new releases regularly, so it's likely there will be newer
versions available before FF that we can pick up if this merge is done
later in the cycle.

If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.


### New Debian Changes ###

apache2 (2.4.57-2) unstable; urgency=medium

  * Revert debian/* changes (Bookworm freeze)

 -- Yadd <yadd@xxxxxxxxxx>  Thu, 13 Apr 2023 07:26:51 +0400

apache2 (2.4.57-1) unstable; urgency=medium

  * New upstream version 2.4.57
  * Drop 2.4.56-regression patches

 -- Yadd <yadd@xxxxxxxxxx>  Sat, 08 Apr 2023 06:57:16 +0400

apache2 (2.4.56-2) unstable; urgency=medium

  * Fix regression in mod_rewrite introduced in version 2.4.56
    (Closes: #1033284)
  * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408)

 -- Yadd <yadd@xxxxxxxxxx>  Sun, 02 Apr 2023 06:54:25 +0400

apache2 (2.4.56-1) unstable; urgency=medium

  * New upstream version (Closes: #1032476, CVE-2023-27522,
CVE-2023-25690)

 -- Yadd <yadd@xxxxxxxxxx>  Wed, 08 Mar 2023 06:44:05 +0400

apache2 (2.4.55-1) unstable; urgency=medium

  [ Hendrik Jäger ]
  * disable ssl session tickets
  * redundant example as already enabled in the default config
  * logrotate indentation
  * Update example how to prevent access to VCS directories

  [ lintian-brush ]
  * Update lintian override info to new format:
    + debian/source/lintian-overrides: line 2, 4-5, 8
    + debian/apache2-data.lintian-overrides: line 2-5
    + debian/apache2-bin.lintian-overrides: line 3
    + debian/apache2-doc.lintian-overrides: line 2
    + debian/apache2.lintian-overrides: line 6
  * Set upstream metadata fields: Repository-Browse.
  * Update standards version to 4.6.2, no changes needed.

  [ Yadd ]
  * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760,
    CVE-2022-37436)

 -- Yadd <yadd@xxxxxxxxxx>  Wed, 18 Jan 2023 07:41:55 +0400

apache2 (2.4.54-5) unstable; urgency=medium

  [ Hendrik Jäger ]
  * fix: one oom-killed thread should not take down the whole service
  * fix: remove modelines
  * fix: update clickjacking protection example
  * fix: use tab for indentation, even in commented examples

  [ Yadd ]
  * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy
    tests)

 -- Yadd <yadd@xxxxxxxxxx>  Tue, 29 Nov 2022 15:56:10 +0100

apache2 (2.4.54-4) unstable; urgency=medium

  [ Charles Plessy ]
  * Replace mime-support transition package with media-types (Closes: #980275)

  [ Hendrik Jäger ]
  * fix mislead safety precautions: don't hide errors when enabling a module.
    MR !20
  * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22
  * Fix confusing and impractical naming: rename default-ssl.conf into
    000-default-ssl.conf. MR !23
  * Fix confusing keyword: replace _default_ by *. MR !24

 -- Yadd <yadd@xxxxxxxxxx>  Thu, 24 Nov 2022 10:45:00 +0100

apache2 (2.4.54-3) unstable; urgency=medium

  [ Hendrik Jäger ]
  * Do not enable global alias /manual
  * mention not enabling /manual for the docs in the NEWS

 -- Yadd <yadd@xxxxxxxxxx>  Wed, 12 Oct 2022 09:20:52 +0200

apache2 (2.4.54-2) unstable; urgency=medium

  * Move cgid socket into a writeable directory (Closes: #1014056)
  * Update lintian overrides
  * Declare compliance with policy 4.6.1
  * Install NOTICE in each package

 -- Yadd <yadd@xxxxxxxxxx>  Tue, 05 Jul 2022 15:49:58 +0200

apache2 (2.4.54-1) unstable; urgency=medium

  [ Simon Deziel ]


### Old Ubuntu Delta ###

apache2 (2.4.55-1ubuntu2) lunar; urgency=medium

  * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
    - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query
      strings in modules/http2/mod_proxy_http2.c,
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c,
      modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c,
      modules/proxy/mod_proxy_wstunnel.c.
    - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in
      modules/http2/mod_proxy_http2.c.
    - CVE-2023-25690
  * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
    - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response
      parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2023-27522

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Wed, 08 Mar 2023
11:32:34 -0500

apache2 (2.4.55-1ubuntu1) lunar; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/source/include-binaries: Replace Debian with Ubuntu on default
      homepage.
    - d/apache2.py, d/apache2-bin.install: Add apport hook
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
      d/apache2.dirs: Add ufw profiles

 -- Steve Langasek <steve.langasek@xxxxxxxxxx>  Tue, 24 Jan 2023
13:31:02 -0800

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: Invalid


** Tags: needs-merge upgrade-software-version

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2018044

Title:
  Merge apache2 from Debian unstable for mantic

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2018044/+subscriptions
Follow ups

[Bug 2018044] Re: Merge apache2 from Debian unstable for mantic
From: Bryce Harrington, 2023-04-28