Public bug reported:

Scheduled-For: 23.01
Upstream: 2.4.51
Debian: 2.4.51-1
Ubuntu: 2.4.48-3.1ubuntu3

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.

### New Debian Changes ###

apache2 (2.4.51-1) unstable; urgency=medium

  * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013)
  * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659)

 -- Yadd <[email protected]>  Thu, 07 Oct 2021 20:35:33 +0200

apache2 (2.4.50-1) unstable; urgency=high

  * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524)
  * Remove patches already merged upstream

 -- Ondřej Surý <[email protected]>  Tue, 05 Oct 2021 13:25:23 +0200

apache2 (2.4.49-4) unstable; urgency=medium

  [ Ondřej Surý ]
  * Add upstream patch to fix crash in 2.4.49

 -- Yadd <[email protected]>  Fri, 01 Oct 2021 11:34:24 +0200

apache2 (2.4.49-3) unstable; urgency=medium

  [ Yadd ]
  * Re-export upstream signing key without extra signatures.
  * Drop transition for old debug package migration.

  [ Moritz Muehlenhoff ]
  * Fix CVE-2021-40438 regression

 -- Yadd <[email protected]>  Thu, 30 Sep 2021 06:00:06 +0200

apache2 (2.4.49-2) unstable; urgency=medium

  [ Michiel Hazelhof ]
  * Fix multi instance issue (Closes: #868861)

  [ Philippe Ombredanne ]
  * Fix GPL version typo in copyright file

 -- Yadd <[email protected]>  Thu, 23 Sep 2021 13:55:55 +0200

apache2 (2.4.49-1) unstable; urgency=medium

  * Update upstream GPG keys
  * New upstream version 2.4.49 (Closes: CVE-2021-34798, CVE-2021-36160,
    CVE-2021-39275, CVE-2021-40438)
  * Refresh patches

 -- Yadd <[email protected]>  Thu, 16 Sep 2021 06:22:23 +0200

apache2 (2.4.48-4) unstable; urgency=medium

  * Fix mod_proxy HTTP2 request line injection (Closes: CVE-2021-33193)

 -- Yadd <[email protected]>  Thu, 12 Aug 2021 11:37:43 +0200

apache2 (2.4.48-3.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Direct init script reload output from logrotate to syslog, to avoid
    mail-spamming the local admin (Closes: #990580)

 -- Thorsten Glaser <[email protected]>  Sat, 10 Jul 2021 23:31:28 +0200

apache2 (2.4.48-3) unstable; urgency=medium

  * Fix debian/changelog

 -- Yadd <[email protected]>  Sun, 20 Jun 2021 16:39:33 +0200

apache2 (2.4.48-2) unstable; urgency=medium

  * Back to unstable: Apache2 will follow upstream changes for Bullseye

  [ Christian Ehrhardt ]
  * d/t/control, d/t/check-http2: basic test for http2 (Closes: #884068)

 -- Yadd <[email protected]>  Sat, 19 Jun 2021 17:50:29 +0200

apache2 (2.4.48-1) experimental; urgency=medium

  [ Daniel Lewart ]
  * Update apache2.logrotate (Closes: #979813)

  [ Andreas Hasenack ]
  * Avoid test suite failure (Closes: #985012)

  [ Yadd ]
  * Update lintian overrides
  * Re-export upstream signing key without extra signatures.

  [ Ondřej Surý ]
  * New upstream version 2.4.48 (Closes: CVE-2019-17567, CVE-2020-13938,
    CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691,
    CVE-2021-30641, CVE-2021-31618)

 -- Ondřej Surý <[email protected]>  Tue, 08 Jun 2021 08:29:35 +0200

apache2 (2.4.47-1) experimental; urgency=medium

### Old Ubuntu Delta ###

apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <[email protected]>  Tue, 28 Sep 2021 08:52:26 -0400

apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: DoS in mod_proxy_uwsgi
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
      generic worker in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2021-36160
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the 'proxy:' URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438

 -- Marc Deslauriers <[email protected]>  Thu, 23 Sep 2021 12:51:16 -0400

apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles. (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default page
      and add Ubuntu icon file. (LP 1288690)
    - d/apache2ctl: Also use systemd for graceful if it is in use. This
      extends an earlier fix for the start command to behave similarly
      for restart / graceful. Fixes service failures on unattended
      upgrade. (LP 1832182)
    - d/apache2ctl: Also use /run/systemd to check for systemd usage
      (LP 1918209)

 -- Bryce Harrington <[email protected]>  Wed, 11 Aug 2021 20:03:24 -0700

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: needs-merge

-- 
You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1946831

Title:
  Merge apache2 from Debian unstable for 22.04

