[Enterprise-support] [Bug 2064466] [NEW] Merge squid from Debian unstable for oracular
Public bug reported:

Upstream: tbd
Debian: 6.9-1
Ubuntu: 6.6-1ubuntu5

Debian does new releases regularly, so it's likely there will be newer
versions available before FF that we can pick up if this merge is done
later in the cycle.

If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.

If this merge pulls in a new upstream version, also consider adding an
entry to the Oracular Release Notes:
https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

squid (6.9-1) unstable; urgency=medium

  [ Amos Jeffries ]
  * New Upstream Release 6.9

 -- Luigi Gangitano  Tue, 9 Apr 2024 15:04:20 +0200

squid (6.8-1) unstable; urgency=high

  [ Amos Jeffries ]
  * New Upstream Release 6.8
    Fixes: CVE-2024-25111. SQUID-2024:1

  [ Luigi Gangitano ]
  * debian/control
    - Migrate from pkg-config to pkgconf

 -- Luigi Gangitano  Mon, 4 Mar 2024 18:04:20 +0100

squid (6.6-1) unstable; urgency=high

  [ Amos Jeffries ]
  * New Upstream Release 6.6
    Fixes: CVE-2023-50269. SQUID-2023:10 (Closes: #1058721)
    Fixes: CVE-2024-23638. SQUID-2023:11

  [ Luigi Gangitano ]
  * debian/patches/
    - Refreshed patches
  * debian/squid-openssl.dirs
    - Stop creating empty /lib/systemd/system directory (Closes: #1058860)
  * debian/changelog
    - Fixed typo in CVE reference

 -- Luigi Gangitano  Thu, 18 Jan 2024 13:04:20 +0100

squid (6.5-1) unstable; urgency=high

  [ Amos Jeffries ]
  * New Upstream Release 6.5
    Fixes: CVE-2023-46846. SQUID-2023:1 (Closes: #1054537)
    Fixes: CVE-2023-5824. SQUID-2023:2 (Closes: #1055249)
    Fixes: CVE-2023-46847. SQUID-2023:3 (Closes: #1055250)
    Fixes: CVE-2023-46724. SQUID-2023:4 (Closes: #1055252)
    Fixes: CVE-2023-46848. SQUID-2023:5 (Closes: #1055251)
    Fixes: CVE-2019-18860. SQUID-2023:6
    Fixes: CVE-2023-49285. SQUID-2023:7
    Fixes: CVE-2023-49286. SQUID-2023:8
    Fixes: CVE-2024-25617. SQUID-2024:2
  * Update debian/tests/upstream-test-suite for new version
    (Closes: #1053557)

 -- Luigi Gangitano  Thu, 9 Nov 2023 15:04:20 +0100

squid (6.3-1) unstable; urgency=medium

  [ Amos Jeffries ]
  * New Upstream version 6.3 (Closes: #1049926, #1043505)
  * debian/patches/
    - remove 0007-ftbfs-gnu-hurd.patch integrated upstream

 -- Luigi Gangitano  Thu, 28 Sep 2023 16:04:20 +0200

squid (6.1-2) unstable; urgency=low

  [ Amos Jeffries ]
  * debian/patches/
    - add 0007-ftbfs-gnu-hurd.patch to fix GNU/Hurd build

 -- Luigi Gangitano  Thu, 13 Jul 2023 13:04:20 +0200

squid (6.1-1) unstable; urgency=medium

  [ Amos Jeffries ]
  * debian/{control,watch}
    - New Upstream Release
  * debian/patches/
    - refresh for new upstream version
    - add 0006-upstream-807ae4df2164defbb5f59b99282e24010b4a0b85.patch
    - remove 0003-installed-binary-for-debian-ci.patch integrated upstream
    - remove 1f13f721263a4cc75e4b798a230022561047899c.patch integrated
      upstream
    - remove edad3f150de8af0aeb2f629508be3219b83369b9.patch integrated
      upstream

  [ Luigi Gangitano ]
  * debian/patches/
    - add Forwarded tag
  * debian/control
    - Bumped Standards-Version to 4.6.2, no change needed

 -- Luigi Gangitano  Mon, 10 Jul 2023 11:04:20 +0200

squid (5.7-2) unstable; urgency=medium

  * Add a couple of upstream picked patches to fix some issues on 5.7 that
    upstream has fixed on 5.8.

### Old Ubuntu Delta ###

squid (6.6-1ubuntu5) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- William Grant  Mon, 01 Apr 2024 19:03:50 +1100

squid (6.6-1ubuntu4) noble; urgency=medium

  * SECURITY UPDATE: DoS via chunked decoder uncontrolled recursion bug
    - debian/patches/CVE-2024-25111.patch: fix infinite recursion in
      src/http.cc, src/http.h.
    - CVE-2024-25111

 -- Marc Deslauriers  Thu, 14 Mar 2024 10:36:04 -0400

squid (6.6-1ubuntu3) noble; urgency=medium

  * No-change rebuild against libcom-err2

 -- Steve Langasek  Tue, 12 Mar 2024 20:34:17 +

squid (6.6-1ubuntu2) noble; urgency=medium

  * No-change rebuild against libssl3t64

 -- Steve Langasek  Mon, 04 Mar 2024 21:25:34 +

squid (6.6-1ubuntu1) noble; urgency=medium

  * Merge with Debian unstable (LP: #2055179). Remaining changes:
    - d/usr.sbin.squid: Add sections for squid-deb-proxy and squidguard
    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb packaging
    - Use snakeoil certificates:
      + d/control: add ssl-cert to dependencies
      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to the
        default config file
    - d/NEWS: drop the NIS basic auth helper (LP #1895694)
    - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch: Fix
      FTBFS due to -Werror=alloc-size-larger-than on GCC 12.
    - d/rules: halt build upon test failures.
    - d/rules: do not include additional configuration files during build
      time tests. This would lead to test failures due to missing
[Enterprise-support] [Bug 2064434] [NEW] Merge openldap from Debian unstable for oracular
Public bug reported:

Upstream: tbd
Debian: 2.5.17+dfsg-1    2.6.7+dfsg-1~exp1
Ubuntu: 2.6.7+dfsg-1~exp1ubuntu8

Debian new has 2.6.7+dfsg-1~exp1, which may be available for merge soon.

If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.

If this merge pulls in a new upstream version, also consider adding an
entry to the Oracular Release Notes:
https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

openldap (2.5.17+dfsg-1) unstable; urgency=medium

  * New upstream release.
    - fixed slapo-dynlist so it can't be global (ITS#10091)
      (Closes: #1040382)
  * debian/copyright: Exclude doc/guide/admin/guide.html from the upstream
    source, because the tool required to build it from source is not
    packaged in Debian. Fixes a Lintian error (source-is-missing).
  * Update Swedish debconf translation. (Closes: #1056955)
    Thanks to Martin Bagge and Anders Jonsson.
  * debian/salsa-ci.yml: Enable Salsa CI pipeline.

 -- Ryan Tandy  Fri, 26 Apr 2024 16:09:29 -0700

openldap (2.5.16+dfsg-2) unstable; urgency=medium

  * debian/patches/64-bit-time-t-compat: handle sizeof(time_t) >
    sizeof(long) in format strings.

 -- Steve Langasek  Tue, 12 Mar 2024 06:26:07 +

openldap (2.5.16+dfsg-1) unstable; urgency=medium

  [ Ryan Tandy ]
  * New upstream release.
    - fixed possible null pointer dereferences if strdup fails (ITS#9904)
      (Closes: #1036995, CVE-2023-2953)
    - fixed unaligned accesses in LMDB on sparc64 (ITS#9916)
      (Closes: #1020319)
  * Update Turkish debconf translation. (Closes: #1029758)
    Thanks to Atila KOÇ.
  * Add Romanian debconf translation. (Closes: #1033177)
    Thanks to Remus-Gabriel Chelu.
  * Create an autopkgtest covering basic TLS functionality.
    Thanks to John Scott.
  * Drop transitional package slapd-smbk5pwd. (Closes: #1032742)
  * Drop dbgsym migration for slapd-dbg.
  * Build and install the ppm module in slapd-contrib. (Closes: #1039740)
  * Fix implicit declaration of kadm5_s_init_with_password_ctx.
    (Closes: #1065633)

  [ Sergio Durigan Junior ]
  * d/control: Bump Standards-Version to 4.6.2; no changes needed.
  * d/control: Bump debhelper-compat to 13.
  * d/control: Drop lsb-base from slapd's Depends.
  * Enable SASL/GSSAPI tests.
    Thanks to Andreas Hasenack

 -- Ryan Tandy  Fri, 08 Mar 2024 21:46:26 -0800

openldap (2.5.13+dfsg-5) unstable; urgency=medium

  * Fix sha2-contrib autopkgtest failure. Call slappasswd using its full
    path. (Closes: #1030814)
  * Disable flaky test test069-delta-multiprovider-starttls.

 -- Ryan Tandy  Tue, 07 Feb 2023 17:56:12 -0800

openldap (2.5.13+dfsg-4) unstable; urgency=medium

  [ Andreas Hasenack ]
  * d/rules: Fix passwd/sha2 build (Closes: #1030716, LP: #2000817)
  * d/t/sha2-contrib: add test for sha2 module

 -- Ryan Tandy  Mon, 06 Feb 2023 19:21:05 -0800

openldap (2.5.13+dfsg-3) unstable; urgency=medium

  [ Ryan Tandy ]
  * Disable flaky test test063-delta-multiprovider. Mitigates #1010608.

  [ Gioele Barabucci ]
  * slapd.scripts-common: Avoid double-UTF8-encoding org name
    (Closes: #1016185)
  * d/slapd.scripts-common: Remove outdated `migrate_to_slapd_d_style`
  * d/slapd.postinst: Remove test for ancient version
  * slapd.scripts-common: Remove unused `normalize_ldif`
  * d/slapd.scripts-common: Use sed instead of perl in
    `release_diagnostics`

 -- Ryan Tandy  Fri, 13 Jan 2023 16:29:59 -0800

openldap (2.5.13+dfsg-2) unstable; urgency=medium

  * d/tests/smbk5pwd: Grant slapd access to /var/lib/heimdal-kdc. Fixes the
    autopkgtest failure due to heimdal setting mode 700 on this directory.
    (Closes: #1020442)
  * d/source/lintian-overrides: Add wildcards to make overrides compatible
    with both older and newer versions of lintian.
  * d/slapd-contrib.lintian-overrides: Remove unused
    custom-library-search-path override now that krb5-config no longer
    sets -rpath.

 -- Ryan Tandy  Sat, 24 Sep 2022 12:40:21 -0700

openldap (2.5.13+dfsg-1) unstable; urgency=medium

  * d/rules: Remove get-orig-source, now unnecessary.
  * Check PGP signature when running uscan.
  * d/watch: Modernize watch file; use repacksuffix.
  * d/copyright: Update according to DEP-5.
  * d/control: Add myself to Uploaders.
  * New upstream release.

### Old Ubuntu Delta ###

openldap (2.6.7+dfsg-1~exp1ubuntu8) noble; urgency=medium

  * Fix implicit declaration of kadm5_s_init_with_password_ctx.
    (Closes: #1065633)

 -- Matthias Klose  Wed, 03 Apr 2024 20:47:41 +0200

openldap (2.6.7+dfsg-1~exp1ubuntu7) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek  Sun, 31 Mar 2024 06:41:33 +

openldap (2.6.7+dfsg-1~exp1ubuntu6) noble; urgency=medium

  * Revert change to ignore test failures.
  * debian/patches/64-bit-time-t-compat.patch: handle sizeof(time_t) >
    sizeof(long) in format strings.

 -- Steve Langasek  Tue, 12 Mar 2024 07:32:43 +
[Enterprise-support] [Bug 2064411] [NEW] Merge krb5 from Debian unstable for oracular
Public bug reported:

Scheduled-For: Backlog
Upstream: tbd
Debian: 1.20.1-6
Ubuntu: 1.20.1-6ubuntu2

There is nothing yet to merge for krb5 currently, but this ticket is
filed prospectively for tracking purposes in case a merge does become
available later this cycle.

If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.

If this merge pulls in a new upstream version, also consider adding an
entry to the Oracular Release Notes:
https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

krb5 (1.20.1-6) unstable; urgency=medium

  * Fix up libverto1*->libverto1*t64, Closes: #1065702

 -- Sam Hartman  Sun, 10 Mar 2024 19:36:33 -0600

krb5 (1.20.1-5.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Rename libraries for 64-bit time_t transition. Closes: #1064164

 -- Lukas Märdian  Wed, 28 Feb 2024 15:25:37 +

krb5 (1.20.1-5) unstable; urgency=medium

  [ Helmut Grohne ]
  * Annotate test dependencies . (Closes: #1054461)

  [ Sam Hartman ]
  * Fix keyutils to be linux-any

 -- Helmut Grohne  Tue, 24 Oct 2023 07:17:27 +0200

krb5 (1.20.1-4) unstable; urgency=low

  [ Steve Langasek ]
  * libkrb5support0: require strict binary dependency to deal with glibc
    2.38, Closes: #1043184

  [ Jelmer Vernooij ]
  * krb5-user: Use alternatives for kinit, klist, kswitch, ksu, kpasswd,
    kdestroy, kadmin and ktutil. This allows installation together with
    heimdal-clients. Closes: #213316, #751203

  [ Sam Hartman ]
  * Enable build-time tests, Thanks Andreas Hasenack, Closes: #1017763
  * Work around doxygen change that breaks doc build, Thanks Greg Hudson,
    Closes: #1051523

 -- Sam Hartman  Mon, 11 Sep 2023 11:06:57 -0600

krb5 (1.20.1-3) unstable; urgency=high

  * Fixes CVE-2023-36054: a remote authenticated attacker can cause
    kadmind to free an uninitialized pointer. Upstream believes remote
    code execution is unlikely, Closes: #1043431

 -- Sam Hartman  Mon, 14 Aug 2023 14:06:53 -0600

krb5 (1.20.1-2) unstable; urgency=medium

  * Tighten dependencies on libkrb5support0. This means that the entire
    upgrade from bullseye to bookworm needs to be lockstep, but it appears
    that's what is required, Closes: #1036055

 -- Sam Hartman  Mon, 15 May 2023 17:44:41 -0600

krb5 (1.20.1-1) unstable; urgency=high

  [ Bastian Germann ]
  * Sync debian/copyright with NOTICE from upstream

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Strip unusual field spacing from debian/control.
  * Use secure URI in Homepage field.
  * Merge upstream signing key files.
  * Update renamed lintian tag names in lintian overrides.
  * Update standards version to 4.6.1, no changes needed.
  * Remove field Section on binary package krb5-gss-samples that
    duplicates source.
  * Fix field name cases in debian/control (VCS-Browser => Vcs-Browser,
    VCS-Git => Vcs-Git).

  [ Sam Hartman ]
  * New upstream release
    - Integer overflows in PAC parsing; potentially critical for 32-bit
      KDCs or when cross-realm acts maliciously; DOS in other conditions;
      CVE-2022-42898, Closes: #1024267
  * Tighten version dependencies around crypto library, Closes: 1020424
  * krb5-user recommends rather than Depends on krb5-config. This avoids
    a hard dependency on bind9-host, but also supports cases where
    krb5-config is externally managed, Closes: #1005821

 -- Sam Hartman  Thu, 17 Nov 2022 10:34:28 -0700

krb5 (1.20-1) unstable; urgency=medium

  * New Upstream Version
  * Do not specify master key type to avoid weak crypto, Closes: #1009927

 -- Sam Hartman  Fri, 22 Jul 2022 16:32:38 -0600

krb5 (1.20~beta1-1) experimental; urgency=medium

  * New Upstream version

 -- Sam Hartman  Thu, 07 Apr 2022 11:57:27 -0600

krb5 (1.19.2-2) unstable; urgency=medium

### Old Ubuntu Delta ###

krb5 (1.20.1-6ubuntu2) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek  Sun, 31 Mar 2024 07:42:10 +

krb5 (1.20.1-6ubuntu1) noble; urgency=medium

  * Fix tests with Python 3.12.

 -- Matthias Klose  Sun, 24 Mar 2024 12:51:41 +0100

** Affects: krb5 (Ubuntu)
     Importance: Undecided
         Status: Incomplete

** Tags: needs-merge upgrade-software-version

** Changed in: krb5 (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to krb5 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2064411

Title:
  Merge krb5 from Debian unstable for oracular

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/2064411/+subscriptions

--
Mailing list: https://launchpad.net/~enterprise-support
Post to     : enterprise-support@lists.launchpad.net
Unsubscribe : https://launchpad.net/~enterprise-support
More help   : https://help.launchpad.net/ListHelp
[Enterprise-support] [Bug 2064373] Re: Merge apache2 from Debian unstable for oracular
** Changed in: apache2 (Ubuntu)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/2064373
[Enterprise-support] [Bug 2064376] [NEW] Merge apache2 from Debian unstable for oracular
Public bug reported:

Upstream: 2.4.59
Debian: 2.4.59-2
Ubuntu: 2.4.58-1ubuntu8

Debian does new releases regularly, so it's likely there will be newer
versions available before FF that we can pick up if this merge is done
later in the cycle.

If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.

If this merge pulls in a new upstream version, also consider adding an
entry to the Oracular Release Notes:
https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

apache2 (2.4.59-2) unstable; urgency=medium

  * Breaks against fossil due to CVE-2024-24795 follows up

 -- Bastien Roucariès  Mon, 29 Apr 2024 21:55:28 +

apache2 (2.4.59-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Remove old transitional packages libapache2-mod-md and
    libapache2-mod-proxy-uwsgi. Closes: #1032628

  [ Yadd ]
  * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564)
  * Refresh patches
  * New upstream version 2.4.59 (Closes: #1068412 CVE-2024-27316
    CVE-2024-24795 CVE-2023-38709)
  * Refresh patches
  * Update patches
  * Update test framework

 -- Yadd  Fri, 05 Apr 2024 08:08:11 +0400

apache2 (2.4.58-1) unstable; urgency=medium

  [ Bas Couwenberg ]
  * Provide dh-sequence-apache2 (Closes: #1050870)

  [ Yadd ]
  * Drop dependency to obsolete lsb-base
  * New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622,
    CVE-2023-45802)
  * Refresh patches

 -- Yadd  Thu, 19 Oct 2023 14:56:29 +0400

apache2 (2.4.57-3) unstable; urgency=medium

  * Update a2enmod to drop given/when (Closes: #1050458)
  * Restore changes not included in Bookworm (set -e in apache2ctl)

 -- Yadd  Tue, 29 Aug 2023 11:39:32 +0400

apache2 (2.4.57-2) unstable; urgency=medium

  * Revert debian/* changes (Bookworm freeze)

 -- Yadd  Thu, 13 Apr 2023 07:26:51 +0400

apache2 (2.4.57-1) unstable; urgency=medium

  * New upstream version 2.4.57
  * Drop 2.4.56-regression patches

 -- Yadd  Sat, 08 Apr 2023 06:57:16 +0400

apache2 (2.4.56-2) unstable; urgency=medium

  * Fix regression in mod_rewrite introduced in version 2.4.56
    (Closes: #1033284)
  * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408)

 -- Yadd  Sun, 02 Apr 2023 06:54:25 +0400

apache2 (2.4.56-1) unstable; urgency=medium

  * New upstream version (Closes: #1032476, CVE-2023-27522,
    CVE-2023-25690)

 -- Yadd  Wed, 08 Mar 2023 06:44:05 +0400

apache2 (2.4.55-1) unstable; urgency=medium

  [ Hendrik Jäger ]
  * disable ssl session tickets
  * redundant example as already enabled in the default config
  * logrotate indentation
  * Update example how to prevent access to VCS directories

  [ lintian-brush ]
  * Update lintian override info to new format:
    + debian/source/lintian-overrides: line 2, 4-5, 8
    + debian/apache2-data.lintian-overrides: line 2-5
    + debian/apache2-bin.lintian-overrides: line 3
    + debian/apache2-doc.lintian-overrides: line 2
    + debian/apache2.lintian-overrides: line 6
  * Set upstream metadata fields: Repository-Browse.
  * Update standards version to 4.6.2, no changes needed.

  [ Yadd ]
  * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760,
    CVE-2022-37436)

 -- Yadd  Wed, 18 Jan 2023 07:41:55 +0400

apache2 (2.4.54-5) unstable; urgency=medium

  [ Hendrik Jäger ]
  * fix: one oom-killed thread should not take down the whole service
  * fix: remove modelines
  * fix: update clickjacking protection example

### Old Ubuntu Delta ###

apache2 (2.4.58-1ubuntu8) noble; urgency=medium

  * No-change rebuild against libapr1t64

 -- Steve Langasek  Sun, 07 Apr 2024 07:02:29 +

apache2 (2.4.58-1ubuntu7) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek  Sun, 31 Mar 2024 08:37:28 +

apache2 (2.4.58-1ubuntu6) noble; urgency=medium

  * d/debhelper/apache2-maintscript-helper: Allow execution when called
    from a postinst script through a trigger (i.e., postinst triggered).
    Thanks to Roel van Meer. (LP: #2038912) (Closes: #1060450)

 -- Athos Ribeiro  Mon, 18 Mar 2024 09:35:36 -0300

apache2 (2.4.58-1ubuntu5) noble; urgency=medium

  * No-change rebuild against libcurl4t64

 -- Steve Langasek  Sat, 16 Mar 2024 06:05:04 +

apache2 (2.4.58-1ubuntu4) noble; urgency=medium

  * No-change rebuild against libaprutil1t64

 -- Zixing Liu  Sat, 09 Mar 2024 23:05:43 -0700

apache2 (2.4.58-1ubuntu3) noble; urgency=medium

  * No-change rebuild against libssl3t64

 -- Steve Langasek  Mon, 04 Mar 2024 17:21:46 +

apache2 (2.4.58-1ubuntu2) noble; urgency=medium

  * d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
    dolphin and Konqueror/5 careful redirection so that directories can be
    deleted via webdav. (LP: #1927742)

 -- Bryce Harrington  Wed, 24 Jan 2024 14:00:03 -0800

apache2 (2.4.58-1ubuntu1) noble; urgency=medium

  * Merge with Debian unstable (LP: #2040357). Remaining changes
[Enterprise-support] [Bug 2064358] Re: Merge apache2 from Debian unstable for oracular
** Changed in: apache2 (Ubuntu)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/2064358
[Enterprise-support] [Bug 2064375] Re: Merge apache2 from Debian unstable for oracular
** Changed in: apache2 (Ubuntu)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/2064375
[Enterprise-support] [Bug 2064378] [NEW] Merge apache2 from Debian unstable for oracular
[Enterprise-support] [Bug 2064377] [NEW] Merge apache2 from Debian unstable for oracular
[Enterprise-support] [Bug 2064384] [NEW] Merge samba from Debian unstable for oracular
Public bug reported:

Upstream: 4.19.6
Debian: 2:4.19.6+dfsg-1    2:4.20.0+dfsg-1~exp2
Ubuntu: 2:4.19.5+dfsg-4ubuntu9

Debian new has 2:4.20.0+dfsg-1~exp2, which may be available for merge
soon.

If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.

If this merge pulls in a new upstream version, also consider adding an
entry to the Oracular Release Notes:
https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

samba (2:4.19.6+dfsg-1) unstable; urgency=medium

  * new upstream stable/bugfix release:
    - https://bugzilla.samba.org/show_bug.cgi?id=15527
      fd_handle_destructor() panics within an smbd_smb2_close() if
      vfs_stat_fsp() fails in fd_close()
    - https://bugzilla.samba.org/show_bug.cgi?id=15580
      Packet marshalling push support missing for
      CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
      CTDB_CONTROL_TCP_CLIENT_PASSED
    - https://bugzilla.samba.org/show_bug.cgi?id=15588
      samba-gpupdate: Correctly implement site support
    - https://bugzilla.samba.org/show_bug.cgi?id=15599
      libgpo: Segfault in python bindings
  * revert d/rules: remove Debian/Ubuntu 'branding'

 -- Michael Tokarev  Mon, 08 Apr 2024 11:18:38 +0300

samba (2:4.19.5+dfsg-5) unstable; urgency=medium

  * implement pkg.samba.before-trixie build profile
    (undo t64 changes and drop build-dep)
  * d/rules: remove Debian/Ubuntu 'branding', no need in that
  * d/control: samba-dsdb-modules: drop hardcoded dependency on libgpgme11
    (Closes: #1068526)

 -- Michael Tokarev  Sun, 07 Apr 2024 16:04:30 +0300

samba (2:4.19.5+dfsg-4) unstable; urgency=medium

  * stop shipping python3/dist-packages/samba/tests
    (Closes: #1064512, #1063149)
  * add Debian-Specific tag to debian-specific patches
  * d/genshlibs: run dh_makeshlibs on libsmbclient0 (Closes: #1065349)

 -- Michael Tokarev  Sun, 03 Mar 2024 15:37:16 +0300

samba (2:4.19.5+dfsg-3) unstable; urgency=medium

  * d/control: add versioned depends on dpkg-dev to avoid accidental build
    of time64_t packages on older systems
  * +lower-dns-lookup-mismatch-messages.patch (reduce log noise)
  * d/control: add libtirpc-dev and rpcsvc-proto to Build-Depends-Arch
    (Closes: #1065188)

 -- Michael Tokarev  Fri, 01 Mar 2024 19:18:35 +0300

samba (2:4.19.5+dfsg-2) unstable; urgency=medium

  * rename libsmbclient => libsmbclient0 for 64-bit time_t transition
    Closes: #1064337
  * d/libsmbclient.lintian-overrides: remove, soname now = package name
  * add Breaks: of sssd packages to samba-libs
  * +passchange-error-message.patch - fix password change error message
  * +edns0.patch: enable EDNS0 support in internal UDP-only DNS client
    https://bugzilla.samba.org/show_bug.cgi?id=15536

 -- Michael Tokarev  Wed, 28 Feb 2024 19:38:48 +0300

samba (2:4.19.5+dfsg-1) unstable; urgency=medium

  * new upstream stable/bugfix release (4.19.5)
  * reformat previous changelog entry to fit in 80cols
  * d/winbind.postrm: stop recursively removing plain files
  * d/winbind.postrm: winbindd_cache.tdb is in /var/lib now, not in
    /var/cache
  * d/control: RulesRequiresRoot:no
  * d/*.symbols: use #PACKAGE# placeholders where appropriate
    (or add comments where it is not)
  * +silence-can-not-convert-group-sid.diff - make another log message
    less annoying
  * -python-fix-invalid-escape-sequences.patch (applied upstream)
  * d/control: replace pkg-config=>pkgconf in Build-Depends, remove
    pkg-config from Depends of libldb-dev and python3-ldb-dev
  * d/samba-libs.symbols, d/control: make libsmbldapN a virtual package
    provided by samba-libs too, like libndrN

 -- Michael Tokarev  Mon, 19 Feb 2024 15:21:14 +0300

samba (2:4.19.4+dfsg-3) unstable; urgency=medium

  * samba,winbind: remove logrotate scripts
    samba does its own log rotation (max log size (=5000 by default) and
    renaming to .old). The two clash with each other in an interesting
    way.
  * d/samba-libs.symbols, d/control: make libndrN a virtual package to
    ensure rdeps pick the right dependency

 -- Michael Tokarev  Tue, 30 Jan 2024 12:12:42 +0300

samba (2:4.19.4+dfsg-2) unstable; urgency=medium

  * d/samba.smbd.service, d/samba.nmbd.service: expand forgotten @BINDIR@

 -- Michael Tokarev  Mon, 08 Jan 2024 20:44:51 +0300

samba (2:4.19.4+dfsg-1) unstable; urgency=medium

  * new upstream stable/bugfix release. See WHATSNEW.txt for details.
  * d/control: drop pkg.samba.nouring build profile: was needed for focal
    which we do not support anymore
  * remove /etc/cron.daily/samba: there's no reason to keep backing it up,

### Old Ubuntu Delta ###

samba (2:4.19.5+dfsg-4ubuntu9) noble; urgency=high

  * No change rebuild against libgpgme11t64.

 -- Julian Andres Klode  Mon, 08 Apr 2024 16:49:25 +0200

samba (2:4.19.5+dfsg-4ubuntu8) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek  Sun, 31 Mar 2024 08:22:04 +

samba
[Enterprise-support] [Bug 2064375] [NEW] Merge apache2 from Debian unstable for oracular
Public bug reported: Upstream: 2.4.59 Debian: 2.4.59-2 Ubuntu: 2.4.58-1ubuntu8 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. If this merge pulls in a new upstream version, also consider adding an entry to the Oracular Release Notes: https://discourse.ubuntu.com/c/release/38 ### New Debian Changes ### apache2 (2.4.59-2) unstable; urgency=medium * Breaks against fossil due to CVE-2024-24795 follows up -- Bastien Roucariès Mon, 29 Apr 2024 21:55:28 + apache2 (2.4.59-1) unstable; urgency=medium [ Stefan Fritsch ] * Remove old transitional packages libapache2-mod-md and libapache2-mod-proxy-uwsgi. Closes: #1032628 [ Yadd ] * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564) * Refresh patches * New upstream version 2.4.59 (Closes: #1068412 CVE-2024-27316 CVE-2024-24795 CVE-2023-38709) * Refresh patches * Update patches * Update test framework -- Yadd Fri, 05 Apr 2024 08:08:11 +0400 apache2 (2.4.58-1) unstable; urgency=medium [ Bas Couwenberg ] * Provide dh-sequence-apache2 (Closes: #1050870) [ Yadd ] * Drop dependency to obsolete lsb-base * New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622, CVE-2023-45802) * Refresh patches -- Yadd Thu, 19 Oct 2023 14:56:29 +0400 apache2 (2.4.57-3) unstable; urgency=medium * Update a2enmod to drop given/when (Closes: #1050458) * Restore changes not included in Bookworm (set -e in apache2ctl) -- Yadd Tue, 29 Aug 2023 11:39:32 +0400 apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; 
urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. [ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example ### Old Ubuntu Delta ### apache2 (2.4.58-1ubuntu8) noble; urgency=medium * No-change rebuild against libapr1t64 -- Steve Langasek Sun, 07 Apr 2024 07:02:29 + apache2 (2.4.58-1ubuntu7) noble; urgency=medium * No-change rebuild for CVE-2024-3094 -- Steve Langasek Sun, 31 Mar 2024 08:37:28 + apache2 (2.4.58-1ubuntu6) noble; urgency=medium * d/debhelper/apache2-maintscript-helper: Allow execution when called from a postinst script through a trigger (i.e., postinst triggered). Thanks to Roel van Meer. 
(LP: #2038912) (Closes: #1060450) -- Athos Ribeiro Mon, 18 Mar 2024 09:35:36 -0300 apache2 (2.4.58-1ubuntu5) noble; urgency=medium * No-change rebuild against libcurl4t64 -- Steve Langasek Sat, 16 Mar 2024 06:05:04 + apache2 (2.4.58-1ubuntu4) noble; urgency=medium * No-change rebuild against libaprutil1t64 -- Zixing Liu Sat, 09 Mar 2024 23:05:43 -0700 apache2 (2.4.58-1ubuntu3) noble; urgency=medium * No-change rebuild against libssl3t64 -- Steve Langasek Mon, 04 Mar 2024 17:21:46 + apache2 (2.4.58-1ubuntu2) noble; urgency=medium * d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add dolphin and Konqueror/5 careful redirection so that directories can be deleted via webdav. (LP: #1927742) -- Bryce Harrington Wed, 24 Jan 2024 14:00:03 -0800 apache2 (2.4.58-1ubuntu1) noble; urgency=medium * Merge with Debian unstable (LP: #2040357). Remaining changes
[Enterprise-support] [Bug 2064373] [NEW] Merge apache2 from Debian unstable for oracular
Public bug reported: Scheduled-For: 24.07 Upstream: 2.4.59 Debian: 2.4.59-2 Ubuntu: 2.4.58-1ubuntu8 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. If this merge pulls in a new upstream version, also consider adding an entry to the Oracular Release Notes: https://discourse.ubuntu.com/c/release/38 ### New Debian Changes ### apache2 (2.4.59-2) unstable; urgency=medium * Breaks against fossil due to CVE-2024-24795 follows up -- Bastien Roucariès Mon, 29 Apr 2024 21:55:28 + apache2 (2.4.59-1) unstable; urgency=medium [ Stefan Fritsch ] * Remove old transitional packages libapache2-mod-md and libapache2-mod-proxy-uwsgi. Closes: #1032628 [ Yadd ] * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564) * Refresh patches * New upstream version 2.4.59 (Closes: #1068412 CVE-2024-27316 CVE-2024-24795 CVE-2023-38709) * Refresh patches * Update patches * Update test framework -- Yadd Fri, 05 Apr 2024 08:08:11 +0400 apache2 (2.4.58-1) unstable; urgency=medium [ Bas Couwenberg ] * Provide dh-sequence-apache2 (Closes: #1050870) [ Yadd ] * Drop dependency to obsolete lsb-base * New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622, CVE-2023-45802) * Refresh patches -- Yadd Thu, 19 Oct 2023 14:56:29 +0400 apache2 (2.4.57-3) unstable; urgency=medium * Update a2enmod to drop given/when (Closes: #1050458) * Restore changes not included in Bookworm (set -e in apache2ctl) -- Yadd Tue, 29 Aug 2023 11:39:32 +0400 apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 
(2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. [ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example ### Old Ubuntu Delta ### apache2 (2.4.58-1ubuntu8) noble; urgency=medium * No-change rebuild against libapr1t64 -- Steve Langasek Sun, 07 Apr 2024 07:02:29 + apache2 (2.4.58-1ubuntu7) noble; urgency=medium * No-change rebuild for CVE-2024-3094 -- Steve Langasek Sun, 31 Mar 2024 08:37:28 + apache2 (2.4.58-1ubuntu6) noble; urgency=medium * d/debhelper/apache2-maintscript-helper: Allow execution when called from a postinst script through a trigger (i.e., postinst triggered). Thanks to Roel van Meer. 
(LP: #2038912) (Closes: #1060450) -- Athos Ribeiro Mon, 18 Mar 2024 09:35:36 -0300 apache2 (2.4.58-1ubuntu5) noble; urgency=medium * No-change rebuild against libcurl4t64 -- Steve Langasek Sat, 16 Mar 2024 06:05:04 + apache2 (2.4.58-1ubuntu4) noble; urgency=medium * No-change rebuild against libaprutil1t64 -- Zixing Liu Sat, 09 Mar 2024 23:05:43 -0700 apache2 (2.4.58-1ubuntu3) noble; urgency=medium * No-change rebuild against libssl3t64 -- Steve Langasek Mon, 04 Mar 2024 17:21:46 + apache2 (2.4.58-1ubuntu2) noble; urgency=medium * d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add dolphin and Konqueror/5 careful redirection so that directories can be deleted via webdav. (LP: #1927742) -- Bryce Harrington Wed, 24 Jan 2024 14:00:03 -0800 apache2 (2.4.58-1ubuntu1) noble; urgency=medium * Merge with Debian unstable (LP: #2040357
[Enterprise-support] [Bug 2064358] [NEW] Merge apache2 from Debian unstable for oracular
Public bug reported: Scheduled-For: 24.07 Upstream: 2.4.59 Debian: 2.4.59-1 Ubuntu: 2.4.58-1ubuntu8 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.59-1) unstable; urgency=medium [ Stefan Fritsch ] * Remove old transitional packages libapache2-mod-md and libapache2-mod-proxy-uwsgi. Closes: #1032628 [ Yadd ] * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564) * Refresh patches * New upstream version 2.4.59 * Refresh patches * Update patches * Update test framework -- Yadd Fri, 05 Apr 2024 08:08:11 +0400 apache2 (2.4.58-1) unstable; urgency=medium [ Bas Couwenberg ] * Provide dh-sequence-apache2 (Closes: #1050870) [ Yadd ] * Drop dependency to obsolete lsb-base * New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622, CVE-2023-45802) * Refresh patches -- Yadd Thu, 19 Oct 2023 14:56:29 +0400 apache2 (2.4.57-3) unstable; urgency=medium * Update a2enmod to drop given/when (Closes: #1050458) * Restore changes not included in Bookworm (set -e in apache2ctl) -- Yadd Tue, 29 Aug 2023 11:39:32 +0400 apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 
06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. [ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 ### Old Ubuntu Delta ### apache2 (2.4.58-1ubuntu8) noble; urgency=medium * No-change rebuild against libapr1t64 -- Steve Langasek Sun, 07 Apr 2024 07:02:29 + apache2 (2.4.58-1ubuntu7) noble; urgency=medium * No-change rebuild for CVE-2024-3094 -- Steve Langasek Sun, 31 Mar 2024 08:37:28 + apache2 (2.4.58-1ubuntu6) noble; urgency=medium * d/debhelper/apache2-maintscript-helper: Allow execution when called from a postinst script through a trigger (i.e., postinst triggered). Thanks to Roel van Meer. 
(LP: #2038912) (Closes: #1060450) -- Athos Ribeiro Mon, 18 Mar 2024 09:35:36 -0300 apache2 (2.4.58-1ubuntu5) noble; urgency=medium * No-change rebuild against libcurl4t64 -- Steve Langasek Sat, 16 Mar 2024 06:05:04 + apache2 (2.4.58-1ubuntu4) noble; urgency=medium * No-change rebuild against libaprutil1t64 -- Zixing Liu Sat, 09 Mar 2024 23:05:43 -0700 apache2 (2.4.58-1ubuntu3) noble; urgency=medium * No-change rebuild against libssl3t64 -- Steve Langasek Mon, 04 Mar 2024 17:21:46 + apache2 (2.4.58-1ubuntu2) noble; urgency=medium * d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add dolphin and Konqueror/5 careful redirection so that directories can be deleted via webdav. (LP: #1927742) -- Bryce Harrington Wed, 24 Jan 2024 14:00:03 -0800 apache2 (2.4.58-1ubuntu1) noble; urgency=medium * Merge with Debian unstable (LP: #2040357). Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries, d/t/check-ubuntu-branding: Replace Debian
[Enterprise-support] [Bug 2055414] Re: Merge samba 4.19.5-2 from debian
** Changed in: samba (Ubuntu) Status: In Progress => Fix Released ** Changed in: samba (Ubuntu) Status: Fix Released => Fix Committed -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to samba in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2055414 Title: Merge samba 4.19.5-2 from debian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2055414/+subscriptions -- Mailing list: https://launchpad.net/~enterprise-support Post to : enterprise-support@lists.launchpad.net Unsubscribe : https://launchpad.net/~enterprise-support More help : https://help.launchpad.net/ListHelp
[Enterprise-support] [Bug 1927742] Re: dolphin in focal can't delete webdav directories running on focal's apache
** Changed in: apache2 (Ubuntu Lunar) Status: In Progress => Won't Fix -- https://bugs.launchpad.net/bugs/1927742
[Enterprise-support] [Bug 2046994] Re: Spotlight search function broken with macOS Ventura and later client
** Bug watch added: Samba Bugzilla #15299 https://bugzilla.samba.org/show_bug.cgi?id=15299 ** Also affects: samba via https://bugzilla.samba.org/show_bug.cgi?id=15299 Importance: Unknown Status: Unknown -- https://bugs.launchpad.net/bugs/2046994
[Enterprise-support] [Bug 1927742] Re: dolphin in focal can't delete webdav directories running on focal's apache
** Also affects: apache2 (Ubuntu Mantic) Importance: Undecided Status: New ** Also affects: apache2 (Ubuntu Noble) Importance: Low Assignee: Bryce Harrington (bryce) Status: In Progress ** Changed in: apache2 (Ubuntu Mantic) Status: New => In Progress ** Changed in: apache2 (Ubuntu Mantic) Importance: Undecided => Low ** Changed in: apache2 (Ubuntu Noble) Importance: Low => High ** Changed in: apache2 (Ubuntu Mantic) Assignee: (unassigned) => Bryce Harrington (bryce) -- https://bugs.launchpad.net/bugs/1927742
[Enterprise-support] [Bug 1927742] Re: dolphin in focal can't delete webdav directories running on focal's apache
** Also affects: apache2 via https://bz.apache.org/bugzilla/show_bug.cgi?id=67039 Importance: Unknown Status: Unknown -- https://bugs.launchpad.net/bugs/1927742
[Enterprise-support] [Bug 2040465] [NEW] MRE updates of openldap for noble
Public bug reported: Backport openldap as MRE to noble once the update for noble has been completed. [Impact] TBD [Major Changes] TBD [Test Plan] TBD [Regression Potential] Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters. ** Affects: openldap (Ubuntu) Importance: Undecided Status: New ** Affects: openldap (Ubuntu Noble) Importance: Undecided Status: New ** Tags: needs-mre-backport ** Changed in: openldap (Ubuntu) Milestone: None => ubuntu-24.02 ** Also affects: openldap (Ubuntu Noble) Importance: Undecided Status: New -- https://bugs.launchpad.net/bugs/2040465
[Enterprise-support] [Bug 2040470] [NEW] MRE updates of squid for noble
Public bug reported: Backport squid as MRE to noble once the update for noble has been completed. [Impact] TBD [Major Changes] TBD [Test Plan] TBD [Regression Potential] Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters. ** Affects: squid (Ubuntu) Importance: Undecided Status: New ** Affects: squid (Ubuntu Noble) Importance: Undecided Status: New ** Tags: needs-mre-backport ** Changed in: squid (Ubuntu) Milestone: None => ubuntu-24.02 ** Also affects: squid (Ubuntu Noble) Importance: Undecided Status: New -- https://bugs.launchpad.net/bugs/2040470
[Enterprise-support] [Bug 2040405] [NEW] Merge openldap from Debian unstable for noble
Public bug reported: Upstream: tbd Debian: 2.5.13+dfsg-52.6.6+dfsg-1~exp2 Ubuntu: 2.6.6+dfsg-1~exp1ubuntu1 Debian new has 2.6.6+dfsg-1~exp2, which may be available for merge soon. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### openldap (2.5.13+dfsg-5) unstable; urgency=medium * Fix sha2-contrib autopkgtest failure. Call slappasswd using its full path. (Closes: #1030814) * Disable flaky test test069-delta-multiprovider-starttls. -- Ryan Tandy Tue, 07 Feb 2023 17:56:12 -0800 openldap (2.5.13+dfsg-4) unstable; urgency=medium [ Andreas Hasenack ] * d/rules: Fix passwd/sha2 build (Closes: #1030716, LP: #2000817) * d/t/sha2-contrib: add test for sha2 module -- Ryan Tandy Mon, 06 Feb 2023 19:21:05 -0800 openldap (2.5.13+dfsg-3) unstable; urgency=medium [ Ryan Tandy ] * Disable flaky test test063-delta-multiprovider. Mitigates #1010608. [ Gioele Barabucci ] * slapd.scripts-common: Avoid double-UTF8-encoding org name (Closes: #1016185) * d/slapd.scripts-common: Remove outdated `migrate_to_slapd_d_style` * d/slapd.postinst: Remove test for ancient version * slapd.scripts-common: Remove unused `normalize_ldif` * d/slapd.scripts-common: Use sed instead of perl in `release_diagnostics` -- Ryan Tandy Fri, 13 Jan 2023 16:29:59 -0800 openldap (2.5.13+dfsg-2) unstable; urgency=medium * d/tests/smbk5pwd: Grant slapd access to /var/lib/heimdal-kdc. Fixes the autopkgtest failure due to heimdal setting mode 700 on this directory. (Closes: #1020442) * d/source/lintian-overrides: Add wildcards to make overrides compatible with both older and newer versions of lintian. * d/slapd-contrib.lintian-overrides: Remove unused custom-library-search-path override now that krb5-config no longer sets -rpath. -- Ryan Tandy Sat, 24 Sep 2022 12:40:21 -0700 openldap (2.5.13+dfsg-1) unstable; urgency=medium * d/rules: Remove get-orig-source, now unnecessary. 
* Check PGP signature when running uscan. * d/watch: Modernize watch file; use repacksuffix. * d/copyright: Update according to DEP-5. * d/control: Add myself to Uploaders. * New upstream release. -- Sergio Durigan Junior Sun, 18 Sep 2022 18:29:46 -0400 openldap (2.5.12+dfsg-2) unstable; urgency=medium * Stop slapd explicitly in prerm as a workaround for #1006147, which caused dpkg-reconfigure to not restart the service, so the new configuration was not applied. See also #994204. (Closes: #1010971) -- Ryan Tandy Mon, 23 May 2022 10:14:53 -0700 openldap (2.5.12+dfsg-1) unstable; urgency=medium * New upstream release. - Fixed SQL injection in back-sql (ITS#9815) (CVE-2022-29155) * Update debconf translations: - German, thanks to Helge Kreutzmann. (Closes: #1007728) - Spanish, thanks to Camaleón. (Closes: #1008529) - Dutch, thanks to Frans Spiesschaert. (Closes: #1010034) -- Ryan Tandy Wed, 04 May 2022 18:00:16 -0700 openldap (2.5.11+dfsg-1) unstable; urgency=medium * Upload to unstable. -- Ryan Tandy Fri, 11 Mar 2022 19:38:02 -0800 openldap (2.5.11+dfsg-1~exp1) experimental; urgency=medium * New upstream release. * Add openssl to Build-Depends to enable more checks in test067-tls. * Update slapd-contrib's custom-library-search-path override to work with current Lintian. -- Ryan Tandy Sun, 23 Jan 2022 17:16:05 -0800 openldap (2.5.8+dfsg-1~exp1) experimental; urgency=medium * New upstream release. * Update slapd-contrib's custom-library-search-path override to work with Lintian 2.108.0. -- Ryan Tandy Wed, 13 Oct 2021 18:42:55 -0700 openldap (2.5.7+dfsg-1~exp1) experimental; urgency=medium * New upstream release. * Don't run autoreconf in contrib/ldapc++. We don't build it, and it is not ### Old Ubuntu Delta ### openldap (2.6.6+dfsg-1~exp1ubuntu1) mantic; urgency=medium * Merge with Debian unstable (LP: #2028721). 
Remaining changes: - Enable AppArmor support: + d/apparmor-profile: add AppArmor profile + d/rules: use dh_apparmor + d/control: Build-Depends on dh-apparmor + d/slapd.README.Debian: add note about AppArmor - Enable ufw support: + d/control: suggest ufw. + d/rules: install ufw profile. + d/slapd.ufw.profile: add ufw profile. - d/{rules,slapd.py}: Add apport hook. - d/rules: better regexp to match the Maintainer tag in d/control, needed in the Ubuntu case because of XSBC-Original-Maintainer (Closes #960448, LP #1875697) - d/t/smbk5pwd: Allow the openldap user to read the Heimdal master key in the smbk5pwd DEP8 test (LP #2004560) [ Partially incorporated by Debian. ] -- Sergio Durigan Junior Wed, 02 Aug 2023 19:53:17 -0400 ** Affects: openldap (Ubuntu) Importance: Undecided Status: New ** Tags: needs-merge upgrade-software-version ** Changed in:
[Enterprise-support] [Bug 2040426] [NEW] Merge squid from Debian unstable for noble
Public bug reported: Upstream: tbd Debian: 6.3-1 Ubuntu: 6.1-2ubuntu1 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### squid (6.3-1) unstable; urgency=medium [ Amos Jeffries ] * New Upstream version 6.3 (Closes: #1049926, #1043505) * debian/patches/ - remove 0007-ftbfs-gnu-hurd.patch integrated upstream -- Luigi Gangitano Thu, 28 Sep 2023 16:04:20 +0200 squid (6.1-2) unstable; urgency=low [ Amos Jeffries ] * debian/patches/ - add 0007-ftbfs-gnu-hurd.patch to fix GNU/Hurd build -- Luigi Gangitano Thu, 13 Jul 2023 13:04:20 +0200 squid (6.1-1) unstable; urgency=medium [ Amos Jeffries ] * debian/{control,watch} - New Upstream Release * debian/patches/ - refresh for new upstream version - add 0006-upstream-807ae4df2164defbb5f59b99282e24010b4a0b85.patch - remove 0003-installed-binary-for-debian-ci.patch integrated upstream - remove 1f13f721263a4cc75e4b798a230022561047899c.patch integrated upstream - remove edad3f150de8af0aeb2f629508be3219b83369b9.patch integrated upstream [ Luigi Gangitano ] * debian/patches/ - add Fordwarded tag * debian/control - Bumped Standards-Version to 4.6.2, no change needed -- Luigi Gangitano Mon, 10 Jul 2023 11:04:20 +0200 squid (5.7-2) unstable; urgency=medium * Add a couple of upstream picked patches to fix some issues on 5.7 that upstream has fixed on 5.8. 
-- Santiago Garcia Mantinan Fri, 28 Apr 2023 08:35:27 +0200 squid (5.7-1) unstable; urgency=medium * Urgency high due to security fixes [ Luigi Gangitano ] * New upstream version 5.7 * Exposure of Sensitive Information in Cache Manager (CVE-2022-41317) (Closes: #1020587) * Buffer Over Read in SSPI and SMB Authentication (CVE-2022-41318) (Closes: #1020586) * debian/patches/ - Removed 0006-Fix-build-against-OpenSSL-3-0.patch integrated upstream * debian/control - Bumped Standards-Version to 4.6.1, no change needed * Using new DH level format. Consequently: - debian/compat: removed. - debian/control: - Changed from 'debhelper' to 'debhelper-compat' in Build-Depends field and bumped level to 13. - debian/rules: - Disable dh_missing - Dropped unnecessary dependencies in Build-Depends field. * debian/salsa-ci.yml - Added to provide CI tests for Salsa * debian/upstream/metadata - Created upstream metadata file * debian/upstream/signing-key.asc - Strip extra signatures from upstream key -- Luigi Gangitano Tue, 4 Oct 2022 11:04:20 +0200 squid (5.6-1) unstable; urgency=high * Urgency high due to security fixes [ Amos Jeffries ] * New Upstream Release Fixes: CVE-2021-46784. Denial of Service in Gopher Processing -- Luigi Gangitano Sun, 19 Jun 2022 13:39:54 +0200 squid (5.5-1.1) unstable; urgency=medium * Non-maintainer upload. ### Old Ubuntu Delta ### squid (6.1-2ubuntu1) mantic; urgency=medium * Merge with Debian unstable (LP: #2018110). Remaining changes: - d/usr.sbin.squid: Add sections for squid-deb-proxy and squidguard - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb packaging - Use snakeoil certificates: + d/control: add ssl-cert to dependencies + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to the default config file - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694) - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch: Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12. - d/rules: halt build upon test failures. 
- d/rules: do not include additional configuration files during build time tests. This would lead to test failures due to missing paths. - d/t/upstream-test-suite: use installed squid binary for autopkgtest config file checks. * Drop changes: - d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch: Adjust MAX_PKT{4,6}_SZ to account for icmpEchoData padding, fixing FTBFS with GCC 11 (LP #1939352). [ Applied upstream in 6.0.1 ] - d/p/series: do not rely on installed binaries for build time tests. [ Applied in 6.1-1 ] - d/rules: disable LTO related compilation errors for s390x builds. [ Fixed in 6.1-1 ] * New changes: - d/p/0010-Fix-Werror-sign-compare-on-GCC-13.patch: fix comparison between signed and unsigned values. - d/p/0011-Fix-ftp-support.patch: Fix pure virtual call in Ftp::Client constructor leading to problems in FTP support. - d/rules: disable LTO related compilation errors for ppc64el builds. - d/t/upstream-test-suite: make missing targets for squid 6. --
[Enterprise-support] [Bug 2040363] [NEW] Merge samba from Debian unstable for noble
Public bug reported: Upstream: 4.18.8 Debian: 2:4.19.2+dfsg-1 Ubuntu: 2:4.18.6+dfsg-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### samba (2:4.19.2+dfsg-1) unstable; urgency=medium * new upstream stable/bugfix release: - https://bugzilla.samba.org/show_bug.cgi?id=15423 Use-after-free in aio_del_req_from_fsp during smbd shutdown after failed IPC FSCTL_PIPE_TRANSCEIVE - https://bugzilla.samba.org/show_bug.cgi?id=15426 clidfs.c do_connect() missing a 'return' after a cli_shutdown() call - https://bugzilla.samba.org/show_bug.cgi?id=15463 macOS mdfind returns only 50 results - https://bugzilla.samba.org/show_bug.cgi?id=15481 GETREALFILENAME_CACHE can modify incoming new filename with previous cache entry value - https://bugzilla.samba.org/show_bug.cgi?id=15464 libnss_winbind causes memory corruption since samba-4.18, impacts sendmail, zabbix, potentially more - https://bugzilla.samba.org/show_bug.cgi?id=15479 ctdbd: setproctitle not initialized messages flooding logs - https://bugzilla.samba.org/show_bug.cgi?id=15491 CVE-2023-5568 Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19 - https://bugzilla.samba.org/show_bug.cgi?id=15477 The heimdal KDC doesn't detect s4u2self correctly when fast is in use * d/samba-common.maintscript: remove obsolete conffile /etc/dhcp/dhclient-enter-hooks.d/samba conffile (Closes: #1053780) -- Michael Tokarev Mon, 16 Oct 2023 18:26:31 +0300 samba (2:4.19.1+dfsg-4) unstable; urgency=medium * d/samba-common.postinst: restore installing of smb.conf using ucf -- Michael Tokarev Tue, 10 Oct 2023 22:33:32 +0300 samba (2:4.19.1+dfsg-3) unstable; urgency=medium * d/ctdb.install: sync ceph arch list * d/control: mention other 
places where ceph arch list is used -- Michael Tokarev Tue, 10 Oct 2023 20:12:20 +0300 samba (2:4.19.1+dfsg-2) unstable; urgency=medium * d/rules: sync with-ceph arch list from d/control -- Michael Tokarev Tue, 10 Oct 2023 19:03:42 +0300 samba (2:4.19.1+dfsg-1) unstable; urgency=medium * new stable security bugfix release: o CVE-2023-3961: https://www.samba.org/samba/security/CVE-2023-3961.html Unsanitized pipe names allow SMB clients to connect as root to existing unix domain sockets on the file system. o CVE-2023-4091: https://www.samba.org/samba/security/CVE-2023-4091.html SMB client can truncate files to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting 'acl_xattr:ignore system acls = yes' o CVE-2023-4154: https://www.samba.org/samba/security/CVE-2023-4154.html An RODC and a user with the GET_CHANGES right can view all attributes, including secrets and passwords. Additionally, the access check fails open on error conditions. o CVE-2023-42669: https://www.samba.org/samba/security/CVE-2023-42669.html Calls to the rpcecho server on the AD DC can request that the server block for a user-defined amount of time, denying service. o CVE-2023-42670: https://www.samba.org/samba/security/CVE-2023-42670.html Samba can be made to start multiple incompatible RPC listeners, disrupting service on the AD DC. * remove debconf questions and wins dhcp hooks together with po files (wins is not relevant today anymore) * d/control: bump mit-krb5 build-dep (on mitkrb5 profile) to 1.20 * d/control: disable ceph (libcephfs-dev, librados-dev) on 32bit architectures (Closes: #1053202) * d/control: enable rados on riscv64 once it's available there * d/control: samba-libs: depend on libldb of the same version since libldb symbols might appear during previous stable series but they don't propagate to next releases with previous minor version numbers. 
This is ABI breakage but the symbols are mostly internal to samba itself * debian/libldb2.symbols: update * drop attempts to keep ldb ABI versioning -- Michael Tokarev Tue, 10 Oct 2023 18:02:05 +0300 samba (2:4.19.0+dfsg-1) unstable; urgency=medium * new upstream release. Some highlights: o changed command-line interface of smbget utility o improved winbindd logging o AD database prepared to FL 2016 standards for new domains o initial, partial implementation of AD FL 2012, 2012R2 and 2016 o samba-tool support for silos, claims, sites and subnets o updated Heimdal import o other improvements and changes, see WHATSNEW.txt file for details. * d/patches: remove patches applied upstream, refresh patches * d/control: update talloc/tevent/tdb build-deps *
[Enterprise-support] [Bug 2040386] [NEW] Merge krb5 from Debian unstable for noble
Public bug reported: Upstream: tbd Debian: 1.20.1-5 Ubuntu: 1.20.1-3ubuntu1 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### krb5 (1.20.1-5) unstable; urgency=medium [ Helmut Grohne ] * Annotate test dependencies . (Closes: #1054461) [ Sam Hartman ] * Fix keyutils to be linux-any -- Helmut Grohne Tue, 24 Oct 2023 07:17:27 +0200 krb5 (1.20.1-4) unstable; urgency=low [ Steve Langasek ] * libkrb5support0: require strict binary dependency to deal with glibc 2.38, Closes: #1043184 [Jelmer Vernooij] * krb5-user: Use alternatives for kinit, klist, kswitch, ksu, kpasswd, kdestroy, kadmin and ktutil. This allows installation together with heimdal-clients. Closes: #213316, #751203 [ Sam Hartman ] * Enable build-time tests, Thanks Andreas Hasenack, Closes: #1017763 * Work around doxygen change that breaks doc build, Thanks Greg Hudson, Closes: #1051523 -- Sam Hartman Mon, 11 Sep 2023 11:06:57 -0600 krb5 (1.20.1-3) unstable; urgency=high * Fixes CVE-2023-36054: a remote authenticated attacker can cause kadmind to free an uninitialized pointer. Upstream believes remote code execusion is unlikely, Closes: #1043431 -- Sam Hartman Mon, 14 Aug 2023 14:06:53 -0600 krb5 (1.20.1-2) unstable; urgency=medium * Tighten dependencies on libkrb5support0. This means that the entire upgrade from bullseye to bookworm needs to be lockstep, but it appears that's what is required, Closes: #1036055 -- Sam Hartman Mon, 15 May 2023 17:44:41 -0600 krb5 (1.20.1-1) unstable; urgency=high [ Bastian Germann ] * Sync debian/copyright with NOTICE from upstream [ Debian Janitor ] * Trim trailing whitespace. * Strip unusual field spacing from debian/control. * Use secure URI in Homepage field. 
* Merge upstream signing key files. * Update renamed lintian tag names in lintian overrides. * Update standards version to 4.6.1, no changes needed. * Remove field Section on binary package krb5-gss-samples that duplicates source. * Fix field name cases in debian/control (VCS-Browser => Vcs-Browser, VCS-Git => Vcs-Git). [ Sam Hartman ] * New upstream release - Integer overflows in PAC parsing; potentially critical for 32-bit KDCs or when cross-realm acts maliciously; DOS in other conditions; CVE-2022-42898, Closes: #1024267 * Tighten version dependencies around crypto library, Closes: 1020424 * krb5-user reccomends rather than Depends on krb5-config. This avoids a hard dependency on bind9-host, but also supports cases where krb5-config is externally managed, Closes: #1005821 -- Sam Hartman Thu, 17 Nov 2022 10:34:28 -0700 krb5 (1.20-1) unstable; urgency=medium * New Upstream Version * Do not specify master key type to avoid weak crypto, Closes: #1009927 -- Sam Hartman Fri, 22 Jul 2022 16:32:38 -0600 krb5 (1.20~beta1-1) experimental; urgency=medium * New Upstream version -- Sam Hartman Thu, 07 Apr 2022 11:57:27 -0600 krb5 (1.19.2-2) unstable; urgency=medium * Standards version 4.6.0; no change * kpropd: run after network.target, Closes: #948820 * krb5-kdc: Remove /var from PidFile, Closes: #982009 -- Sam Hartman Mon, 21 Feb 2022 13:05:20 -0700 krb5 (1.19.2-1) experimental; urgency=medium * New Upstream version * Include patch to work with OpenSSL 3.0, Closes: #995152 * Depend on tex-gyre, Closes: #997407 ### Old Ubuntu Delta ### krb5 (1.20.1-3ubuntu1) mantic; urgency=medium * Make krb5int_strl(cat|copy) optional symbols, since they are not needed when built against glibc 2.38. Closes: #1043184. * Declare Breaks: against older packages using these symbols. * Make dependencies on libkrb5support0 strict to avoid future symbol skew. 
-- Steve Langasek Thu, 24 Aug 2023 18:07:33 + ** Affects: krb5 (Ubuntu) Importance: Undecided Status: New ** Tags: needs-merge upgrade-software-version ** Changed in: krb5 (Ubuntu) Milestone: None => ubuntu-24.01 -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to krb5 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2040386 Title: Merge krb5 from Debian unstable for noble To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/2040386/+subscriptions -- Mailing list: https://launchpad.net/~enterprise-support Post to : enterprise-support@lists.launchpad.net Unsubscribe : https://launchpad.net/~enterprise-support More help : https://help.launchpad.net/ListHelp
[Enterprise-support] [Bug 2040355] [NEW] Merge apache2 from Debian unstable for noble
Public bug reported: Scheduled-For: 24.01 Upstream: 2.4.58 Debian: 2.4.58-1 Ubuntu: 2.4.57-2ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.58-1) unstable; urgency=medium [ Bas Couwenberg ] * Provide dh-sequence-apache2 (Closes: #1050870) [ Yadd ] * Drop dependency to obsolete lsb-base * New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622, CVE-2023-45802) * Refresh patches -- Yadd Thu, 19 Oct 2023 14:56:29 +0400 apache2 (2.4.57-3) unstable; urgency=medium * Update a2enmod to drop given/when (Closes: #1050458) * Restore changes not included in Bookworm (set -e in apache2ctl) -- Yadd Tue, 29 Aug 2023 11:39:32 +0400 apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + 
debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. [ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 ### Old Ubuntu Delta ### apache2 (2.4.57-2ubuntu2) mantic; urgency=medium * d/control: Upgrade lua build dependency to 5.4 -- Lena Voytek Fri, 21 Jul 2023 14:17:42 -0700 apache2 (2.4.57-2ubuntu1) mantic; urgency=medium * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. 
- d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles * Dropped changes included in new version: - debian/patches/CVE-2023-25690-1.patch - debian/patches/CVE-2023-25690-2.patch - debian/patches/CVE-2023-27522.patch -- Marc Deslauriers Wed, 07 Jun 2023 14:02:48 -0400 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: Invalid ** Tags: needs-merge upgrade-software-version ** Changed in: apache2 (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2040355 Title: Merge apache2 from Debian unstable for noble To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2040355/+subscriptions
[Enterprise-support] [Bug 2040357] [NEW] Merge apache2 from Debian unstable for noble
Public bug reported: Upstream: 2.4.58 Debian: 2.4.58-1 Ubuntu: 2.4.57-2ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.58-1) unstable; urgency=medium [ Bas Couwenberg ] * Provide dh-sequence-apache2 (Closes: #1050870) [ Yadd ] * Drop dependency to obsolete lsb-base * New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622, CVE-2023-45802) * Refresh patches -- Yadd Thu, 19 Oct 2023 14:56:29 +0400 apache2 (2.4.57-3) unstable; urgency=medium * Update a2enmod to drop given/when (Closes: #1050458) * Restore changes not included in Bookworm (set -e in apache2ctl) -- Yadd Tue, 29 Aug 2023 11:39:32 +0400 apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + 
debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. [ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 ### Old Ubuntu Delta ### apache2 (2.4.57-2ubuntu2) mantic; urgency=medium * d/control: Upgrade lua build dependency to 5.4 -- Lena Voytek Fri, 21 Jul 2023 14:17:42 -0700 apache2 (2.4.57-2ubuntu1) mantic; urgency=medium * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. 
- d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles * Dropped changes included in new version: - debian/patches/CVE-2023-25690-1.patch - debian/patches/CVE-2023-25690-2.patch - debian/patches/CVE-2023-27522.patch -- Marc Deslauriers Wed, 07 Jun 2023 14:02:48 -0400 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: New ** Tags: needs-merge upgrade-software-version ** Changed in: apache2 (Ubuntu) Milestone: None => ubuntu-24.01 -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2040357 Title: Merge apache2 from Debian unstable for noble To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2040357/+subscriptions
[Enterprise-support] [Bug 2040356] [NEW] Merge apache2 from Debian unstable for noble
Public bug reported: Upstream: 2.4.58 Debian: 2.4.58-1 Ubuntu: 2.4.57-2ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.58-1) unstable; urgency=medium [ Bas Couwenberg ] * Provide dh-sequence-apache2 (Closes: #1050870) [ Yadd ] * Drop dependency to obsolete lsb-base * New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622, CVE-2023-45802) * Refresh patches -- Yadd Thu, 19 Oct 2023 14:56:29 +0400 apache2 (2.4.57-3) unstable; urgency=medium * Update a2enmod to drop given/when (Closes: #1050458) * Restore changes not included in Bookworm (set -e in apache2ctl) -- Yadd Tue, 29 Aug 2023 11:39:32 +0400 apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + 
debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. [ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 ### Old Ubuntu Delta ### apache2 (2.4.57-2ubuntu2) mantic; urgency=medium * d/control: Upgrade lua build dependency to 5.4 -- Lena Voytek Fri, 21 Jul 2023 14:17:42 -0700 apache2 (2.4.57-2ubuntu1) mantic; urgency=medium * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. 
- d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles * Dropped changes included in new version: - debian/patches/CVE-2023-25690-1.patch - debian/patches/CVE-2023-25690-2.patch - debian/patches/CVE-2023-27522.patch -- Marc Deslauriers Wed, 07 Jun 2023 14:02:48 -0400 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: Invalid ** Tags: needs-merge upgrade-software-version ** Changed in: apache2 (Ubuntu) Milestone: None => ubuntu-24.01 ** Changed in: apache2 (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2040356 Title: Merge apache2 from Debian unstable for noble To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2040356/+subscriptions
[Enterprise-support] [Bug 2028354] Re: Code Review- Int- Login mechanism of schedule services
Sorry, there is not enough detail in this bug report to understand what the problem is or what action is being requested. ** Changed in: apache2 (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2028354 Title: Code Review- Int- Login mechanism of schedule services To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2028354/+subscriptions
[Enterprise-support] [Bug 2028427] [NEW] MRE updates of squid for focal, jammy and lunar
Public bug reported: Backport squid as MRE to focal, jammy and lunar once the update for mantic has been completed. [Impact] TBD [Major Changes] TBD [Test Plan] TBD [Regression Potential] Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters. ** Affects: squid (Ubuntu) Importance: Undecided Status: New ** Affects: squid (Ubuntu Focal) Importance: Undecided Status: New ** Affects: squid (Ubuntu Jammy) Importance: Undecided Status: New ** Affects: squid (Ubuntu Lunar) Importance: Undecided Status: New ** Tags: needs-mre-backport ** Changed in: squid (Ubuntu) Milestone: None => ubuntu-23.08 ** Also affects: squid (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: squid (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: squid (Ubuntu Lunar) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to squid in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2028427 Title: MRE updates of squid for focal, jammy and lunar To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/2028427/+subscriptions
[Enterprise-support] [Bug 2028419] [NEW] MRE updates of openldap for focal, jammy and lunar
Public bug reported: Backport openldap as MRE to focal, jammy and lunar once the update for mantic has been completed. [Impact] TBD [Major Changes] TBD [Test Plan] TBD [Regression Potential] Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters. ** Affects: openldap (Ubuntu) Importance: Undecided Status: New ** Affects: openldap (Ubuntu Focal) Importance: Undecided Status: New ** Affects: openldap (Ubuntu Jammy) Importance: Undecided Status: New ** Affects: openldap (Ubuntu Lunar) Importance: Undecided Status: New ** Tags: needs-mre-backport ** Changed in: openldap (Ubuntu) Milestone: None => ubuntu-23.08 ** Also affects: openldap (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: openldap (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: openldap (Ubuntu Lunar) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to openldap in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2028419 Title: MRE updates of openldap for focal, jammy and lunar To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2028419/+subscriptions
[Enterprise-support] [Bug 2023704] Re: proposed-migration for apache2 False
** Changed in: apache2 (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2023704 Title: proposed-migration for apache2 False To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2023704/+subscriptions
[Enterprise-support] [Bug 2023704] [NEW] proposed-migration for apache2 False
Public bug reported: apache2 False is stuck in -proposed. ** Affects: apache2 (Ubuntu) Importance: Undecided Assignee: Bryce Harrington (bryce) Status: New ** Tags: update-excuse ** Changed in: apache2 (Ubuntu) Assignee: (unassigned) => Bryce Harrington (bryce) -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2023704 Title: proposed-migration for apache2 False To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2023704/+subscriptions
[Enterprise-support] [Bug 2018048] Re: Merge apache2 from Debian unstable for mantic
### Debian ### apache2 | 2.4.57-2 | sid ### Ubuntu ### apache2 | 2.4.55-1ubuntu2| lunar apache2 | 2.4.57-2ubuntu1| mantic apache2 (2.4.57-2ubuntu1) mantic; urgency=medium * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles * Dropped changes included in new version: - debian/patches/CVE-2023-25690-1.patch - debian/patches/CVE-2023-25690-2.patch - debian/patches/CVE-2023-27522.patch -- Marc Deslauriers Wed, 07 Jun 2023 14:02:48 -0400 ** Changed in: apache2 (Ubuntu) Status: New => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-25690 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-27522 -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2018048 Title: Merge apache2 from Debian unstable for mantic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2018048/+subscriptions
[Enterprise-support] [Bug 2018034] Re: Merge apache2 from Debian unstable for mantic
** Changed in: apache2 (Ubuntu) Status: New => Invalid
[Enterprise-support] [Bug 2018040] Re: Merge apache2 from Debian unstable for mantic
** Changed in: apache2 (Ubuntu) Status: New => Invalid
[Enterprise-support] [Bug 2018041] Re: Merge apache2 from Debian unstable for mantic
** Changed in: apache2 (Ubuntu) Status: New => Invalid
[Enterprise-support] [Bug 2018093] [NEW] Merge openldap from Debian unstable for mantic
Public bug reported: Upstream: tbd Debian: 2.5.13+dfsg-5 2.6.4+dfsg-1~exp1 Ubuntu: 2.6.3+dfsg-1~exp1ubuntu2 Debian new has 2.6.4+dfsg-1~exp1, which may be available for merge soon. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### openldap (2.5.13+dfsg-5) unstable; urgency=medium * Fix sha2-contrib autopkgtest failure. Call slappasswd using its full path. (Closes: #1030814) * Disable flaky test test069-delta-multiprovider-starttls. -- Ryan Tandy Tue, 07 Feb 2023 17:56:12 -0800 openldap (2.5.13+dfsg-4) unstable; urgency=medium [ Andreas Hasenack ] * d/rules: Fix passwd/sha2 build (Closes: #1030716, LP: #2000817) * d/t/sha2-contrib: add test for sha2 module -- Ryan Tandy Mon, 06 Feb 2023 19:21:05 -0800 openldap (2.5.13+dfsg-3) unstable; urgency=medium [ Ryan Tandy ] * Disable flaky test test063-delta-multiprovider. Mitigates #1010608. [ Gioele Barabucci ] * slapd.scripts-common: Avoid double-UTF8-encoding org name (Closes: #1016185) * d/slapd.scripts-common: Remove outdated `migrate_to_slapd_d_style` * d/slapd.postinst: Remove test for ancient version * slapd.scripts-common: Remove unused `normalize_ldif` * d/slapd.scripts-common: Use sed instead of perl in `release_diagnostics` -- Ryan Tandy Fri, 13 Jan 2023 16:29:59 -0800 openldap (2.5.13+dfsg-2) unstable; urgency=medium * d/tests/smbk5pwd: Grant slapd access to /var/lib/heimdal-kdc. Fixes the autopkgtest failure due to heimdal setting mode 700 on this directory. (Closes: #1020442) * d/source/lintian-overrides: Add wildcards to make overrides compatible with both older and newer versions of lintian. * d/slapd-contrib.lintian-overrides: Remove unused custom-library-search-path override now that krb5-config no longer sets -rpath. -- Ryan Tandy Sat, 24 Sep 2022 12:40:21 -0700 openldap (2.5.13+dfsg-1) unstable; urgency=medium * d/rules: Remove get-orig-source, now unnecessary.
* Check PGP signature when running uscan. * d/watch: Modernize watch file; use repacksuffix. * d/copyright: Update according to DEP-5. * d/control: Add myself to Uploaders. * New upstream release. -- Sergio Durigan Junior Sun, 18 Sep 2022 18:29:46 -0400 openldap (2.5.12+dfsg-2) unstable; urgency=medium * Stop slapd explicitly in prerm as a workaround for #1006147, which caused dpkg-reconfigure to not restart the service, so the new configuration was not applied. See also #994204. (Closes: #1010971) -- Ryan Tandy Mon, 23 May 2022 10:14:53 -0700 openldap (2.5.12+dfsg-1) unstable; urgency=medium * New upstream release. - Fixed SQL injection in back-sql (ITS#9815) (CVE-2022-29155) * Update debconf translations: - German, thanks to Helge Kreutzmann. (Closes: #1007728) - Spanish, thanks to Camaleón. (Closes: #1008529) - Dutch, thanks to Frans Spiesschaert. (Closes: #1010034) -- Ryan Tandy Wed, 04 May 2022 18:00:16 -0700 openldap (2.5.11+dfsg-1) unstable; urgency=medium * Upload to unstable. -- Ryan Tandy Fri, 11 Mar 2022 19:38:02 -0800 openldap (2.5.11+dfsg-1~exp1) experimental; urgency=medium * New upstream release. * Add openssl to Build-Depends to enable more checks in test067-tls. * Update slapd-contrib's custom-library-search-path override to work with current Lintian. -- Ryan Tandy Sun, 23 Jan 2022 17:16:05 -0800 openldap (2.5.8+dfsg-1~exp1) experimental; urgency=medium * New upstream release. * Update slapd-contrib's custom-library-search-path override to work with Lintian 2.108.0. -- Ryan Tandy Wed, 13 Oct 2021 18:42:55 -0700 openldap (2.5.7+dfsg-1~exp1) experimental; urgency=medium * New upstream release. * Don't run autoreconf in contrib/ldapc++. 
We don't build it, and it is not ### Old Ubuntu Delta ### openldap (2.6.3+dfsg-1~exp1ubuntu2) lunar; urgency=medium * Build the passwd/sha2 contrib module with -fno-strict-aliasing to avoid computing an incorrect SHA256 hash with some versions of the compiler (LP: #2000817): - d/t/{control,sha2-contrib}: test to verify the SHA256 hash produced by passwd/sha2 - d/rules: set -fno-strict-aliasing only when building the passwd/sha2 contrib module * d/t/smbk5pwd: Allow the openldap user to read the Heimdal master key in the smbk5pwd DEP8 test (LP: #2004560) -- Andreas Hasenack Fri, 03 Feb 2023 09:33:14 -0300 openldap (2.6.3+dfsg-1~exp1ubuntu1) lunar; urgency=medium * Merge with Debian unstable (LP: #1993426). Remaining changes: - Enable AppArmor support: + d/apparmor-profile: add AppArmor profile + d/rules: use dh_apparmor + d/control: Build-Depends on dh-apparmor + d/slapd.README.Debian: add note about AppArmor - Enable ufw support: + d/control: suggest ufw. + d/rules: install ufw profile. + d/slapd.ufw.profile: add ufw
[Enterprise-support] [Bug 2018048] [NEW] Merge apache2 from Debian unstable for mantic
Public bug reported: Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: New ** Tags: needs-merge upgrade-software-version ** Changed in: apache2 (Ubuntu) Milestone: None => ubuntu-23.07
[Enterprise-support] [Bug 2018054] [NEW] Merge samba from Debian unstable for mantic
Public bug reported: Upstream: 4.17.7 Debian: 2:4.17.7+dfsg-1 2:4.18.2+dfsg-1 Ubuntu: 2:4.17.7+dfsg-1ubuntu1 Debian new has 2:4.18.2+dfsg-1, which may be available for merge soon. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### samba (2:4.17.7+dfsg-1) unstable; urgency=high * upstream stable/security/bugfix release, fixing the following issues: o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory. https://www.samba.org/samba/security/CVE-2023-0225.html o CVE-2023-0922: The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection. https://www.samba.org/samba/security/CVE-2023-0922.html o CVE-2023-0614: Fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assume they have been obtained and need replacing. https://www.samba.org/samba/security/CVE-2023-0614.html Closes: CVE-2023-0225 CVE-2023-0922 CVE-2023-0614 * update libldb symbols and versions -- Michael Tokarev Wed, 29 Mar 2023 17:59:17 +0300 samba (2:4.17.6+dfsg-1) unstable; urgency=medium * new upstream stable/bugfix release 4.17.6: * https://bugzilla.samba.org/show_bug.cgi?id=15314 streams_xattr is creating unexpected locks on folders. * https://bugzilla.samba.org/show_bug.cgi?id=10635 Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment.
* https://bugzilla.samba.org/show_bug.cgi?id=15299 Spotlight doesn't work with latest macOS Ventura. * https://bugzilla.samba.org/show_bug.cgi?id=15310 New samba-dcerpc architecture does not scale gracefully. * https://bugzilla.samba.org/show_bug.cgi?id=15307 vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat. * https://bugzilla.samba.org/show_bug.cgi?id=15293 With clustering enabled samba-bgqd can core dump due to use after free. * https://bugzilla.samba.org/show_bug.cgi?id=15311 fd_load() function implicitly closes the fd where it should not. * debian/po/ro.po update from Remus-Gabriel Chelu * s3-smbd-open.c-smbd_calculate_access_mask_fsp-lower-.patch makes smbd a bit less spammy in logs * d/control: clarify some package descriptions (Closes: #1031922) -- Michael Tokarev Thu, 09 Mar 2023 12:52:14 +0300 samba (2:4.17.5+dfsg-2) unstable; urgency=medium * d/control: samba: depends on exact version of python3-samba * d/control: fix typo * more tweaks for foreign/cross build * d/control: work around autodep8 #904999 again * introduce upstream-like aliases for debian .service names, add rationale -- Michael Tokarev Sat, 04 Feb 2023 17:15:40 +0300 samba (2:4.17.5+dfsg-1) unstable; urgency=medium * new upstream stable/bugfix release. From WHATSNEW.txt: * BUG 14808: smbc_getxattr() return value is incorrect. * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly. * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors. * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an record for the DC in DNS (Closes: #1023606). * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle. * BUG 15277: DFS links don't work anymore on Mac clients since 4.17. * BUG 15283: vfs_virusfilter segfault on access, directory edgecase (accessing NULL value). 
* BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes). * BUG 15243: %U for include directive doesn't work for share listing (netshareenum) (the fix was in debian before). * BUG 15266: Shares missing from netshareenum response in samba 4.17.4 (the fix was in debian before). * BUG 15269: ctdb: use-after-free in run_proc. * BUG 15280: irpc_destructor may crash during shutdown. * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo. * BUG 15268: smbclient segfaults with use after free on an optimized build * BUG 15282: smbstatus leaking files in msg.sock and msg.lock. * BUG 15164: Leak in wbcCtxPingDc2. * BUG 15265: Access based share enum does not work in Samba 4.16+. * BUG 15267: Crash during share enumeration. * BUG 15271: rep_listxattr on FreeBSD does not
[Enterprise-support] [Bug 2018044] Re: Merge apache2 from Debian unstable for mantic
** Changed in: apache2 (Ubuntu) Status: New => Invalid
[Enterprise-support] [Bug 2018045] [NEW] Merge apache2 from Debian unstable for mantic
Public bug reported: Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: Invalid ** Tags: needs-merge upgrade-software-version ** Changed in: apache2 (Ubuntu) Status: New => Invalid
[Enterprise-support] [Bug 2018046] [NEW] Merge apache2 from Debian unstable for mantic
Public bug reported: Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Wishlist Status: Invalid ** Tags: needs-merge upgrade-software-version ** Changed in: apache2 (Ubuntu) Importance: Undecided => Wishlist ** Changed in: apache2
[Enterprise-support] [Bug 2018047] [NEW] Merge apache2 from Debian unstable for mantic
Public bug reported: Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Wishlist Status: Invalid ** Tags: needs-merge upgrade-software-version ** Changed in: apache2 (Ubuntu) Importance: Undecided => Wishlist ** Changed in: apache2
[Enterprise-support] [Bug 2018036] [NEW] Merge apache2 from Debian unstable for mantic
Public bug reported: Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: Invalid ** Tags: needs-merge upgrade-software-version ** Changed in: apache2 (Ubuntu) Milestone: None => ubuntu-23.07 ** Changed in: apache2
[Enterprise-support] [Bug 2018038] Re: Merge apache2 from Debian unstable for mantic
** Changed in: apache2 (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2018038 Title: Merge apache2 from Debian unstable for mantic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2018038/+subscriptions -- Mailing list: https://launchpad.net/~enterprise-support Post to : enterprise-support@lists.launchpad.net Unsubscribe : https://launchpad.net/~enterprise-support More help : https://help.launchpad.net/ListHelp
[Enterprise-support] [Bug 2018041] [NEW] Merge apache2 from Debian unstable for mantic
Public bug reported: Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: New ** Tags: needs-merge upgrade-software-version
[Enterprise-support] [Bug 2018042] [NEW] Merge apache2 from Debian unstable for mantic
Public bug reported: Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: Invalid ** Tags: needs-merge upgrade-software-version ** Changed in: apache2 (Ubuntu) Status: New => Invalid
[Enterprise-support] [Bug 2018044] [NEW] Merge apache2 from Debian unstable for mantic
Public bug reported: Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: Invalid ** Tags: needs-merge upgrade-software-version
[Enterprise-support] [Bug 2018035] [NEW] Merge apache2 from Debian unstable for mantic
Public bug reported: Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: Invalid ** Tags: needs-merge upgrade-software-version ** Changed in: apache2 (Ubuntu) Status: New => Invalid
[Enterprise-support] [Bug 2018038] [NEW] Merge apache2 from Debian unstable for mantic
Public bug reported: Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: Invalid ** Tags: needs-merge upgrade-software-version
[Enterprise-support] [Bug 2018040] [NEW] Merge apache2 from Debian unstable for mantic
Public bug reported: Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: New ** Tags: needs-merge upgrade-software-version
[Enterprise-support] [Bug 2018031] Re: Merge apache2 from Debian unstable for mantic
** Changed in: apache2 (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2018031 Title: Merge apache2 from Debian unstable for mantic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2018031/+subscriptions -- Mailing list: https://launchpad.net/~enterprise-support Post to : enterprise-support@lists.launchpad.net Unsubscribe : https://launchpad.net/~enterprise-support More help : https://help.launchpad.net/ListHelp
[Enterprise-support] [Bug 2018032] [NEW] Merge apache2 from Debian unstable for mantic
Public bug reported: Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: Invalid ** Tags: needs-merge upgrade-software-version ** Changed in: apache2 (Ubuntu) Status: New => Invalid -- You received this bug
[Enterprise-support] [Bug 2018034] [NEW] Merge apache2 from Debian unstable for mantic
Public bug reported: Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: New ** Tags: needs-merge upgrade-software-version -- You received this bug notification because you are a member of Ubuntu Server/Client Support
[Enterprise-support] [Bug 2018031] [NEW] Merge apache2 from Debian unstable for mantic
Public bug reported: Scheduled-For: 23.07 Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: Invalid ** Tags: needs-merge upgrade-software-version -- You received this bug notification because you are a member of
[Enterprise-support] [Bug 2017622] Re: Merge apache2 from Debian unstable for 23.10
** Changed in: apache2 (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2017622 Title: Merge apache2 from Debian unstable for 23.10 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2017622/+subscriptions
[Enterprise-support] [Bug 2017619] Re: Merge apache2 from Debian unstable for mseries
** Changed in: apache2 (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2017619 Title: Merge apache2 from Debian unstable for mseries To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2017619/+subscriptions
[Enterprise-support] [Bug 2017622] [NEW] Merge apache2 from Debian unstable for 23.10
Public bug reported: Scheduled-For: 23.07 Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: New ** Tags: needs-merge upgrade-software-version -- You received this bug notification because you are a member of Ubuntu
[Enterprise-support] [Bug 2017619] [NEW] Merge apache2 from Debian unstable for mseries
Public bug reported: Scheduled-For: 23.07 Upstream: 2.4.57 Debian: 2.4.57-2 Ubuntu: 2.4.55-1ubuntu2 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. ### New Debian Changes ### apache2 (2.4.57-2) unstable; urgency=medium * Revert debian/* changes (Bookworm freeze) -- Yadd Thu, 13 Apr 2023 07:26:51 +0400 apache2 (2.4.57-1) unstable; urgency=medium * New upstream version 2.4.57 * Drop 2.4.56-regression patches -- Yadd Sat, 08 Apr 2023 06:57:16 +0400 apache2 (2.4.56-2) unstable; urgency=medium * Fix regression in mod_rewrite introduced in version 2.4.56 (Closes: #1033284) * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) -- Yadd Sun, 02 Apr 2023 06:54:25 +0400 apache2 (2.4.56-1) unstable; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) -- Yadd Wed, 08 Mar 2023 06:44:05 +0400 apache2 (2.4.55-1) unstable; urgency=medium [ Hendrik Jäger ] * disable ssl session tickets * redundant example as already enabled in the default config * logrotate indentation * Update example how to prevent access to VCS directories [ lintian-brush ] * Update lintian override info to new format: + debian/source/lintian-overrides: line 2, 4-5, 8 + debian/apache2-data.lintian-overrides: line 2-5 + debian/apache2-bin.lintian-overrides: line 3 + debian/apache2-doc.lintian-overrides: line 2 + debian/apache2.lintian-overrides: line 6 * Set upstream metadata fields: Repository-Browse. * Update standards version to 4.6.2, no changes needed. 
[ Yadd ] * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) -- Yadd Wed, 18 Jan 2023 07:41:55 +0400 apache2 (2.4.54-5) unstable; urgency=medium [ Hendrik Jäger ] * fix: one oom-killed thread should not take down the whole service * fix: remove modelines * fix: update clickjacking protection example * fix: use tab for indentation, even in commented examples [ Yadd ] * Revert 'Fix: confusing and impractical naming' (unbreak squid and haproxy tests) -- Yadd Tue, 29 Nov 2022 15:56:10 +0100 apache2 (2.4.54-4) unstable; urgency=medium [ Charles Plessy ] * Replace mime-support transition package with media-types (Closes: #980275) [ Hendrik Jäger ] * fix mislead safety precautions: don't hide errors when enabling a module. MR !20 * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 * Fix confusing and impractical naming: rename default-ssl.conf into 000-default-ssl.conf. MR !23 * Fix confusing keyword: replace _default_ by *. MR !24 -- Yadd Thu, 24 Nov 2022 10:45:00 +0100 apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] ### Old Ubuntu Delta ### apache2 (2.4.55-1ubuntu2) lunar; urgency=medium * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query strings in modules/http2/mod_proxy_http2.c, modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c, modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c, modules/proxy/mod_proxy_wstunnel.c. 
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in modules/http2/mod_proxy_http2.c. - CVE-2023-25690 * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response parsing/validation in modules/proxy/mod_proxy_uwsgi.c. - CVE-2023-27522 -- Marc Deslauriers Wed, 08 Mar 2023 11:32:34 -0500 apache2 (2.4.55-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. - d/apache2.py, d/apache2-bin.install: Add apport hook - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles -- Steve Langasek Tue, 24 Jan 2023 13:31:02 -0800 ** Affects: apache2 (Ubuntu) Importance: Undecided Status: New ** Tags: needs-merge upgrade-software-version -- You received this bug notification because you are a member of Ubuntu
[Enterprise-support] [Bug 2016776] [NEW] Samba apport hook - AttributeError: 'NoneType' object has no attribute 'information'
Public bug reported:

Forwarding for Johan van Dijk, that hit this when reporting LP: #2015666

"""
when I run "ubuntu-bug /var/crash/_usr_sbin_smbd.0.crash" I get an error:

ERROR: hook /usr/share/apport/package-hooks/source_samba.py crashed:
...Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apport/report.py", line 228, in _run_hook
    symb['add_info'](report, ui)
.. File "/usr/share/apport/package-hooks/source_samba.py", line 93, in add_info
    ui.information("As a part of the bug reporting process, you'll be asked as series of questions to help provide a more descriptive bug report. Please answer the following questions to the best of your abilities. Afterwards, a browser will be opened to finish filing this as a bug in the Launchpad bug tracking system.")
.AttributeError: 'NoneType' object has no attribute 'information'
"""

I was not able to reproduce this filing from my own computer using his _usr_sbin_smdb.0.crash file, however in looking at the source code, it looks like add_info(report, ui) uses the ui parameter without first checking if it's defined. So the fix would be to add a check and take appropriate action, for example:

    if not ui:
        raise StopIteration  # no GUI available for interacting with user

However, possibly this use case includes reporting bugs from headless servers, which might be why ui is undefined. That's probably a use case we want to support. So in this case, instead of refusing to file a bug report, it may be better to make some informed assumptions regarding the files and logs to collect, and JFDI.

** Affects: samba (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to samba in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2016776 Title: Samba apport hook - AttributeError: 'NoneType' object has no attribute 'information' To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2016776/+subscriptions
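The headless alternative raised in the bug report above, as an added example that is not the Samba hook's own code: an add_info that treats ui=None as a non-interactive run and collects a fixed allowlist instead of crashing, shown next to the unguarded call that produces the AttributeError. The report is a plain dict, and FakeUI, DEFAULT_FILES, MAX_BYTES, the HookInteractive key and attach_if_exists are hypothetical stand-ins so the block runs without apport installed.

```python
"""Added example: an apport-style hook that tolerates ui=None (headless run)."""
import os
import tempfile

INTRO = "As a part of the bug reporting process, you'll be asked a series of questions."

# Hypothetical allowlist (report key -> path relative to a root directory).
# With no user present to consent, only these files are ever collected.
DEFAULT_FILES = {
    "SmbConf": "etc/samba/smb.conf",
    "SmbLog": "var/log/samba/log.smbd",
}
MAX_BYTES = 64 * 1024  # cap per attachment so a huge log cannot bloat the report


class FakeUI:
    """Stand-in for the interactive ui object a hook receives (constructed)."""

    def __init__(self, answers):
        self.answers = list(answers)
        self.shown = []

    def information(self, text):
        self.shown.append(text)

    def yesno(self, text):
        return self.answers.pop(0)


def attach_if_exists(report, path, key):
    """Attach at most MAX_BYTES of a file; a missing file is silently skipped."""
    if os.path.isfile(path):
        with open(path, "r", errors="replace") as fh:
            report[key] = fh.read(MAX_BYTES)


def add_info_unguarded(report, ui):
    """Same shape as the failing call in the traceback: ui is used unchecked."""
    ui.information(INTRO)  # AttributeError when ui is None


def add_info(report, ui=None, root="/"):
    """Guarded hook: ask when a ui exists, fall back to the allowlist when not."""
    if ui is None:
        # Headless: nobody can answer questions, so record that fact in the
        # report and collect the conservative default set.
        report["HookInteractive"] = "no"
        wanted = list(DEFAULT_FILES)
    else:
        report["HookInteractive"] = "yes"
        ui.information(INTRO)
        wanted = [key for key, rel in DEFAULT_FILES.items()
                  if ui.yesno("Attach %s?" % rel)]
    for key in wanted:
        attach_if_exists(report, os.path.join(root, DEFAULT_FILES[key]), key)
    return report


def demo():
    """Run both variants against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc/samba"))
        with open(os.path.join(root, "etc/samba/smb.conf"), "w") as fh:
            fh.write("[global]\nworkgroup = EXAMPLE\n")  # constructed sample

        try:
            add_info_unguarded({}, None)
            crashed = False
        except AttributeError:
            crashed = True

        headless = add_info({}, None, root)
        # The user declines smb.conf and accepts the log, which does not exist.
        interactive = add_info({}, FakeUI([False, True]), root)
    return crashed, headless, interactive


if __name__ == "__main__":
    print(demo())
```

In a real hook, apport.hookutils.attach_file_if_exists covers the attachment step; the point here is that the headless branch records that no questions were asked and never collects more than the allowlist.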
[Enterprise-support] [Bug 1998662] Re: failed to mount windows share invalid argument, Ubuntu 22.04, samba client Version 4.15.9
Hi clintcli, sorry you're having trouble. From the limited information you have given us, this does not appear to be a bug report so we are closing it and converting it to a question in the support tracker. We understand the difficulties you are facing, but it is better to raise problems you are having in the support tracker at https://answers.launchpad.net/ubuntu if you are uncertain if they are bugs. If you would prefer live chat support, you can find an IRC support channel for your flavor of Ubuntu here: https://wiki.ubuntu.com/IRC/ChannelList. You can also find help with your problem in the support forum of your local Ubuntu community http://loco.ubuntu.com/ or asking at https://askubuntu.com or https://ubuntuforums.org. For help on reporting bugs, see https://help.ubuntu.com/community/ReportingBugs. For Samba issues specifically, you may also find https://wiki.ubuntu.com/DebuggingSamba of some use. ** Changed in: samba (Ubuntu) Status: New => Invalid ** Converted to question: https://answers.launchpad.net/ubuntu/+source/samba/+question/704039 -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to samba in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1998662 Title: failed to mount windows share invalid argument,Ubuntu 22.04,samba client Version 4.15.9 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1998662/+subscriptions
Re: [Enterprise-support] [Question #704039]: failed to mount windows share invalid argument, Ubuntu 22.04, samba client Version 4.15.9
Question #704039 on samba in Ubuntu changed: https://answers.launchpad.net/ubuntu/+source/samba/+question/704039 Bryce Harrington posted a new comment: Hi clintcli, sorry you're having trouble. From the limited information you have given us, this does not appear to be a bug report so we are closing it and converting it to a question in the support tracker. We understand the difficulties you are facing, but it is better to raise problems you are having in the support tracker at https://answers.launchpad.net/ubuntu if you are uncertain if they are bugs. If you would prefer live chat support, you can find an IRC support channel for your flavor of Ubuntu here: https://wiki.ubuntu.com/IRC/ChannelList. You can also find help with your problem in the support forum of your local Ubuntu community http://loco.ubuntu.com/ or asking at https://askubuntu.com or https://ubuntuforums.org. For help on reporting bugs, see https://help.ubuntu.com/community/ReportingBugs. For Samba issues specifically, you may also find https://wiki.ubuntu.com/DebuggingSamba of some use. -- You received this question notification because your team Ubuntu Server/Client Support Team is an answer contact for samba in Ubuntu.
[Enterprise-support] [Bug 1993426] [NEW] Merge openldap from Debian unstable for l-series
Public bug reported: Scheduled-For: ubuntu-22.12 Upstream: tbd Debian: 2.5.13+dfsg-22.6.3+dfsg-1~exp1 Ubuntu: 2.5.13+dfsg-1ubuntu1 Debian new has 2.6.3+dfsg-1~exp1 ### New Debian Changes ### openldap (2.5.13+dfsg-2) unstable; urgency=medium * d/tests/smbk5pwd: Grant slapd access to /var/lib/heimdal-kdc. Fixes the autopkgtest failure due to heimdal setting mode 700 on this directory. (Closes: #1020442) * d/source/lintian-overrides: Add wildcards to make overrides compatible with both older and newer versions of lintian. * d/slapd-contrib.lintian-overrides: Remove unused custom-library-search-path override now that krb5-config no longer sets -rpath. -- Ryan Tandy Sat, 24 Sep 2022 12:40:21 -0700 openldap (2.5.13+dfsg-1) unstable; urgency=medium * d/rules: Remove get-orig-source, now unnecessary. * Check PGP signature when running uscan. * d/watch: Modernize watch file; use repacksuffix. * d/copyright: Update according to DEP-5. * d/control: Add myself to Uploaders. * New upstream release. -- Sergio Durigan Junior Sun, 18 Sep 2022 18:29:46 -0400 openldap (2.5.12+dfsg-2) unstable; urgency=medium * Stop slapd explicitly in prerm as a workaround for #1006147, which caused dpkg-reconfigure to not restart the service, so the new configuration was not applied. See also #994204. (Closes: #1010971) -- Ryan Tandy Mon, 23 May 2022 10:14:53 -0700 openldap (2.5.12+dfsg-1) unstable; urgency=medium * New upstream release. - Fixed SQL injection in back-sql (ITS#9815) (CVE-2022-29155) * Update debconf translations: - German, thanks to Helge Kreutzmann. (Closes: #1007728) - Spanish, thanks to Camaleón. (Closes: #1008529) - Dutch, thanks to Frans Spiesschaert. (Closes: #1010034) -- Ryan Tandy Wed, 04 May 2022 18:00:16 -0700 openldap (2.5.11+dfsg-1) unstable; urgency=medium * Upload to unstable. -- Ryan Tandy Fri, 11 Mar 2022 19:38:02 -0800 openldap (2.5.11+dfsg-1~exp1) experimental; urgency=medium * New upstream release. 
* Add openssl to Build-Depends to enable more checks in test067-tls. * Update slapd-contrib's custom-library-search-path override to work with current Lintian. -- Ryan Tandy Sun, 23 Jan 2022 17:16:05 -0800 openldap (2.5.8+dfsg-1~exp1) experimental; urgency=medium * New upstream release. * Update slapd-contrib's custom-library-search-path override to work with Lintian 2.108.0. -- Ryan Tandy Wed, 13 Oct 2021 18:42:55 -0700 openldap (2.5.7+dfsg-1~exp1) experimental; urgency=medium * New upstream release. * Don't run autoreconf in contrib/ldapc++. We don't build it, and it is not yet compatible with autoconf 2.71. (Closes: #993032) * Stop disabling automake in debian/rules now that upstream removed the AM_INIT_AUTOMAKE invocation. * Drop custom config.{guess,sub} handling. dh_update_autotools_config does the right thing for us. * Update Standards-Version to 4.6.0; no changes required. * debian/not-installed: Add the ldapvc.1 man page. -- Ryan Tandy Mon, 30 Aug 2021 18:54:25 -0700 openldap (2.5.6+dfsg-1~exp1) experimental; urgency=medium [ Ryan Tandy ] * New upstream release. * Export the cn=config database to LDIF format before upgrading from 2.4. * slapd.README.Debian: - Remove text about the dropped evolution-ntlm patch. - Add guidance for recovering from upgrade failures. * Remove the debconf warning and README text about the unsafe ACL configured by default in versions before jessie. * Remove upgrade code for adding the pwdMaxRecordedFailure attribute to the ppolicy schema. It's obsolete since the schema has been internalized. [ Sergio Durigan Junior ] * Implement the 'escape hatch' mechanism. - d/po/*.po: Update PO files given the new template note. - d/po/templates.pot: Update file. - d/slapd.templates: Add note warning user about a postinst failure, its possible cause and what to do. 
- d/slapd.postinst: Make certain upgrade functions return failure ### Old Ubuntu Delta ### openldap (2.5.13+dfsg-1ubuntu1) kinetic; urgency=medium * Merge with Debian unstable (LP: #1983618). Remaining changes: - Enable AppArmor support: + d/apparmor-profile: add AppArmor profile + d/rules: use dh_apparmor + d/control: Build-Depends on dh-apparmor + d/slapd.README.Debian: add note about AppArmor - Enable ufw support: + d/control: suggest ufw. + d/rules: install ufw profile. + d/slapd.ufw.profile: add ufw profile. - d/{rules,slapd.py}: Add apport hook. - d/rules: better regexp to match the Maintainer tag in d/control, needed in the Ubuntu case because of XSBC-Original-Maintainer (Closes #960448, LP #1875697) - Enable SASL/GSSAPI tests. (LP #1976508) + d/control: Update B-D to include required dependencies needed to run SASL/GSSAPI tests during build time, and mark them '!nocheck'. Thanks: Andreas Hasenack
[Enterprise-support] [Bug 1993446] [NEW] Merge squid from Debian unstable for l-series
Public bug reported: Scheduled-For: ubuntu-23.01 Upstream: tbd Debian: 5.7-1 Ubuntu: 5.6-1ubuntu3 ### New Debian Changes ### squid (5.7-1) unstable; urgency=medium * Urgency high due to security fixes [ Luigi Gangitano ] * New upstream version 5.7 * Exposure of Sensitive Information in Cache Manager (CVE-2022-41317) (Closes: #1020587) * Buffer Over Read in SSPI and SMB Authentication (CVE-2022-41318) (Closes: #1020586) * debian/patches/ - Removed 0006-Fix-build-against-OpenSSL-3-0.patch integrated upstream * debian/control - Bumped Standards-Version to 4.6.1, no change needed * Using new DH level format. Consequently: - debian/compat: removed. - debian/control: - Changed from 'debhelper' to 'debhelper-compat' in Build-Depends field and bumped level to 13. - debian/rules: - Disable dh_missing - Dropped unnecessary dependencies in Build-Depends field. * debian/salsa-ci.yml - Added to provide CI tests for Salsa * debian/upstream/metadata - Created upstream metadata file * debian/upstream/signing-key.asc - Strip extra signatures from upstream key -- Luigi Gangitano Tue, 4 Oct 2022 11:04:20 +0200 squid (5.6-1) unstable; urgency=high * Urgency high due to security fixes [ Amos Jeffries ] * New Upstream Release Fixes: CVE-2021-46784. Denial of Service in Gopher Processing -- Luigi Gangitano Sun, 19 Jun 2022 13:39:54 +0200 squid (5.5-1.1) unstable; urgency=medium * Non-maintainer upload. [ Nicholas Guriev ] * Fixing build against OpenSSL 3.0 (Closes: #1005650, LP: #1946205) * debian/rules - Do not fail on errors about deprecated declarations from OpenSSL. - Remove -Wall in CFLAGS from the debian/rules file since upstream build scripts already pass this flag. 
* debian/patches/ - New 0006-Fix-build-against-OpenSSL-3-0.patch [ Simon Deziel ] * apparmor: allow reading /etc/ssl/openssl.cnf -- Nicholas Guriev Tue, 31 May 2022 23:13:38 +0300 squid (5.5-1) unstable; urgency=medium [ Amos Jeffries ] * New Upstream Release * debian/patches/ - remove upstreamed 0004-Change-default-Makefiles-for-debian.patch -- Luigi Gangitano Fri, 15 Apr 2022 14:39:54 +0200 squid (5.2-1) unstable; urgency=medium [ Amos Jeffries ] * New Upstream Release (Closes: #986804, #976131) Fixes: CVE-2021-28116. Out-Of-Bounds memory access in WCCPv2 Fixes: CVE-2021-41611. Improper Certificate Validation of TLS server certificates [ L.P.H. van Belle ] * debian/rules - polish override_dh_installsystemd action to match other sequences * debian/NEWS - bump version number to make Lintian happy -- Luigi Gangitano Sat, 9 Oct 2021 17:03:54 +0200 squid (5.1-2) unstable; urgency=medium [ Amos Jeffries ] * New Upstream Release (Closes: #984351, #943692) ### Old Ubuntu Delta ### squid (5.6-1ubuntu3) kinetic; urgency=medium * SECURITY UPDATE: Exposure of Sensitive Information in Cache Manager - debian/patches/CVE-2022-41317.patch: fix typo in ACL in src/cf.data.pre. - CVE-2022-41317 * SECURITY UPDATE: Buffer Over Read in SSPI and SMB Authentication - debian/patches/CVE-2022-41318.patch: improve checks in lib/ntlmauth/ntlmauth.cc. - CVE-2022-41318 -- Marc Deslauriers Fri, 23 Sep 2022 08:02:41 -0400 squid (5.6-1ubuntu2) kinetic; urgency=medium * d/t/upstream-test-suite: Also export DEB_*_MAINT_APPEND variables here. (LP: #1988217) -- Sergio Durigan Junior Tue, 30 Aug 2022 19:32:59 -0400 squid (5.6-1ubuntu1) kinetic; urgency=medium * Merge with Debian unstable (LP: #1971325). 
Remaining changes: - d/usr.sbin.squid: Add sections for squid-deb-proxy and squidguard - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb packaging - Use snakeoil certificates: + d/control: add ssl-cert to dependencies + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl to the default config file - d/rules, d/NEWS: drop the NIS basic auth helper (LP #1895694) - Fix FTBFS with GCC 11 (LP #1939352) + d/p/fix-max-pkt-sz-for-icmpEchoData-padding.patch: Fix MAX_PKT{4,6}_SZ to account for icmpEchoData padding. * Drop changes: - Fix FTBFS with OpenSSL 3.0 (LP #1946205). The following new patches have been added: + d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch. + d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. + d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch. + d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch. + d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch. + d/p/openssl3-Remove-stale-TODO-and-comment.patch. + d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch. + d/p/openssl3-Switch-to-BN_rand.patch. + d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch. +
[Enterprise-support] [Bug 1993373] [NEW] Merge apache2 from Debian unstable for l-series
Public bug reported: Scheduled-For: ubuntu-23.01 Upstream: 2.4.54 Debian: 2.4.54-3 Ubuntu: 2.4.54-2ubuntu1 ### New Debian Changes ### apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] * Escape literal '.' for BrowserMatch directives in setenvif.conf * Use non-capturing regex with FilesMatch directive in default-ssl.conf [ Ondřej Surý ] * New upstream version 2.4.54 (Closes: #1012513, CVE-2022-31813, CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-28330) [ Yadd ] * Fix htcacheclean doc (Closes: #1010455) * New upstream version 2.4.54 -- Yadd Thu, 09 Jun 2022 06:33:53 +0200 apache2 (2.4.53-2) unstable; urgency=medium * Clean useless Conflicts/Replace * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254) -- Yadd Tue, 15 Mar 2022 15:27:39 +0100 apache2 (2.4.53-1) unstable; urgency=medium * New upstream version 2.4.53 (Closes: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943) * Update copyright * Patches: + Drop fix-2.4.52-regression.patch, now included in upstream + Refresh fhs_compliance.patch + Update and disable child_processes_fail_to_start.patch * Update test framework * Back to unstable -- Yadd Mon, 14 Mar 2022 17:10:39 +0100 apache2 (2.4.52-3) experimental; urgency=medium * Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL error) * Set hardening=+all instead of hardening=+bindnow -- Yadd Tue, 28 Dec 2021 21:20:05 +0100 apache2 (2.4.52-2) experimental; urgency=medium * Build with pcre2 (Closes: #1000114) -- 
Yadd Tue, 28 Dec 2021 20:01:43 +0100 apache2 (2.4.52-1) unstable; urgency=medium * Refresh suexec-custom.patch * Update lintian overrides * Wrap long lines in changelog entries: 2.4.51-2. * New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790) * Refresh patches -- Yadd Mon, 20 Dec 2021 18:42:09 +0100 apache2 (2.4.51-2) unstable; urgency=medium * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting parameters -- Yadd Mon, 25 Oct 2021 18:37:03 +0200 apache2 (2.4.51-1) unstable; urgency=medium * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013) * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659) -- Yadd Thu, 07 Oct 2021 20:35:33 +0200 apache2 (2.4.50-1) unstable; urgency=high * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524) * Remove patches already merged upstream -- Ondřej Surý Tue, 05 Oct 2021 13:25:23 +0200 ### Old Ubuntu Delta ### apache2 (2.4.54-2ubuntu1) kinetic; urgency=medium * Merge with Debian unstable (LP: #1982048). Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. (LP #1966004) - d/apache2.py, d/apache2-bin.install: Add apport hook (LP #609177) - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles (LP #261198) -- Bryce Harrington Thu, 21 Jul 2022 19:38:00 + ** Affects: apache2 (Ubuntu) Importance: Undecided Status: New ** Tags: needs-merge upgrade-software-version -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. 
Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1993373 Title: Merge apache2 from Debian unstable for l-series To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1993373/+subscriptions
[Enterprise-support] [Bug 1993380] [NEW] Merge samba from Debian unstable for l-series
Public bug reported: Scheduled-For: ubuntu-22.12 Upstream: 4.16.5 Debian: 2:4.16.5+dfsg-22:4.17.0+dfsg-2 Ubuntu: 2:4.16.4+dfsg-2ubuntu1 Debian new has 2:4.17.0+dfsg-2 ### New Debian Changes ### samba (2:4.16.5+dfsg-2) unstable; urgency=medium [ Michael Tokarev ] * d/tests/util: use printf for formatting password for smbpasswd, not non-standard echo /n (mr !60) * introduce LDB_2.4.4 version symbol (Closes: #1021371) Create an empty ABI file just to make the scripts run during the build stage to introduce LDB_2.4.4 version symbol into libldb.so, and remove this empty file in the clean target. It is a bit hackish but works fine. This is only needed to upgrade from bullseye to bookworm, from 4.13.13+dfsg-1~deb11u5+ to the next release, 4.16+. Remove this for bookworm+. * dont-ignore-errors-in-random-number-generation-CVE-2022-1615.patch: GnuTLS gnutls_rnd() can fail and give predictable random values. Closes: #1021024, CVE-2022-1615 [ John Paul Adrian Glaubitz ] * disable ceph support on ppc64 and x32 (Closes: #1020781, #1012165) -- Michael Tokarev Sat, 08 Oct 2022 15:11:15 +0300 samba (2:4.16.5+dfsg-1) unstable; urgency=medium * new (minor) upstream release 4.16.5 * removed fix-samba-tool-domain-join-segfault.patch (included upstream) * d/gbp.conf: no need to filter orig.tar: uscan already does that -- Michael Tokarev Thu, 08 Sep 2022 12:44:38 +0300 samba (2:4.16.4+dfsg-2) unstable; urgency=medium * d/libldb2.symbols: include newly added symbols -- Michael Tokarev Mon, 01 Aug 2022 15:43:11 +0300 samba (2:4.16.4+dfsg-1) unstable; urgency=high * new upstream security release fixing: o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with changing passwords. https://www.samba.org/samba/security/CVE-2022-2031.html o CVE-2022-32742: Server memory information leak via SMB1. https://www.samba.org/samba/security/CVE-2022-32742.html o CVE-2022-32744: Samba AD users can forge password change requests for any user. 
https://www.samba.org/samba/security/CVE-2022-32744.html o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add or modify request. https://www.samba.org/samba/security/CVE-2022-32745.html o CVE-2022-32746: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request. https://www.samba.org/samba/security/CVE-2022-32746.html * Closes: #1016449, CVE-2022-2031 CVE-2022-32742, CVE-2022-32744, CVE-2022-32745, CVE-2022-32746 -- Michael Tokarev Wed, 27 Jul 2022 18:35:53 +0300 samba (2:4.16.3+dfsg-1) unstable; urgency=medium [ Michael Tokarev ] * new upstream minor/bugfix releae. See WHATSNEW.txt for details. * d/watch: add the forgotten repacksuffix=+dfsg [ Andreas Hasenack ] * update nfs configuration examples for ctdb -- Michael Tokarev Mon, 18 Jul 2022 17:15:07 +0300 samba (2:4.16.2+dfsg-1) unstable; urgency=medium * new upstream minor/bugfix release. * removed waf-add-support-for-GNU-kFreeBSD.patch (applied upstream) * new minor version of libldb (no code changes, just the build system update to support python 3.11) * move samba-dcerpcd from samba package to samba-common-bin due to winbind New in 4.16 samba-dcerpcd binary is used by smbd and winbind, so putting it to samba package makes winbind unable to run it without samba. For now, in order to fix this issue, move this binary from samba to samba-common-bin package. It might be worth creating its own package for this binary (or maybe some more binaries), once it is clear where upstream is going to. Making this binary a part of samba-common-bin adds some more files to smbclient-only setup. 
(Closes: #1012240) * remove mksmbpasswd script and manpage: we have smbpasswd whcih can add entries to smbpasswd file if needed, and can handle other passwod storage formats too -- Michael Tokarev Mon, 13 Jun 2022 19:08:44 +0300 samba (2:4.16.1+dfsg-8) unstable; urgency=medium * fix the Breaks/Replaces versions in the previous upload for moving libsamba-utils.so, and use the same Breaks/Replaces for the -dev packages too -- Michael Tokarev Tue, 07 Jun 2022 14:11:09 +0300 samba (2:4.16.1+dfsg-7) unstable; urgency=medium * drop libunwind-dev build dependency again: it turned out the ### Old Ubuntu Delta ### samba (2:4.16.4+dfsg-2ubuntu1) kinetic; urgency=medium * Merge with Debian unstable. Remaining changes: - d/p/VERSION.patch: Update vendor string to 'Ubuntu'. - debian/smb.conf; + Add '(Samba, Ubuntu)' to server string. + Comment out the default [homes] share, and add a comment about 'valid users = %s' to show users how to restrict access to /server/username to only username. - debian/control: Ubuntu i386 binary compatibility: + drop ceph support - d/control:
[Enterprise-support] [Bug 1926119] Re: Server Browse List missing
** Also affects: samba via https://bugzilla.samba.org/show_bug.cgi?id=12061 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to samba in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1926119 Title: Server Browse List missing To manage notifications about this bug go to: https://bugs.launchpad.net/samba/+bug/1926119/+subscriptions
[Enterprise-support] [Bug 1993057] [NEW] Merge apache2 from Debian unstable for l-series
Public bug reported: Scheduled-For: ubuntu-23.01 Upstream: 2.4.54 Debian: 2.4.54-3 Ubuntu: 2.4.54-2ubuntu1 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. ### New Debian Changes ### apache2 (2.4.54-3) unstable; urgency=medium [ Hendrik Jäger ] * Do not enable global alias /manual * mention not enabling /manual for the docs in the NEWS -- Yadd Wed, 12 Oct 2022 09:20:52 +0200 apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] * Escape literal '.' for BrowserMatch directives in setenvif.conf * Use non-capturing regex with FilesMatch directive in default-ssl.conf [ Ondřej Surý ] * New upstream version 2.4.54 (Closes: #1012513, CVE-2022-31813, CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-28330) [ Yadd ] * Fix htcacheclean doc (Closes: #1010455) * New upstream version 2.4.54 -- Yadd Thu, 09 Jun 2022 06:33:53 +0200 apache2 (2.4.53-2) unstable; urgency=medium * Clean useless Conflicts/Replace * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254) -- Yadd Tue, 15 Mar 2022 15:27:39 +0100 apache2 (2.4.53-1) unstable; urgency=medium * New upstream version 2.4.53 (Closes: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943) * Update copyright * Patches: + Drop fix-2.4.52-regression.patch, now included in upstream + Refresh fhs_compliance.patch + Update and disable child_processes_fail_to_start.patch * Update test framework * Back to unstable -- Yadd Mon, 14 Mar 2022 17:10:39 +0100 apache2 (2.4.52-3) experimental; urgency=medium * Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL error) * Set hardening=+all 
instead of hardening=+bindnow -- Yadd Tue, 28 Dec 2021 21:20:05 +0100 apache2 (2.4.52-2) experimental; urgency=medium * Build with pcre2 (Closes: #1000114) -- Yadd Tue, 28 Dec 2021 20:01:43 +0100 apache2 (2.4.52-1) unstable; urgency=medium * Refresh suexec-custom.patch * Update lintian overrides * Wrap long lines in changelog entries: 2.4.51-2. * New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790) * Refresh patches -- Yadd Mon, 20 Dec 2021 18:42:09 +0100 apache2 (2.4.51-2) unstable; urgency=medium * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting parameters -- Yadd Mon, 25 Oct 2021 18:37:03 +0200 apache2 (2.4.51-1) unstable; urgency=medium * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013) * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659) -- Yadd Thu, 07 Oct 2021 20:35:33 +0200 apache2 (2.4.50-1) unstable; urgency=high * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524) * Remove patches already merged upstream -- Ondřej Surý Tue, 05 Oct 2021 13:25:23 +0200 ### Old Ubuntu Delta ### apache2 (2.4.54-2ubuntu1) kinetic; urgency=medium * Merge with Debian unstable (LP: #1982048). Remaining changes: - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm, d/source/include-binaries: Replace Debian with Ubuntu on default homepage. (LP #1966004) - d/apache2.py, d/apache2-bin.install: Add apport hook (LP #609177) - d/control, d/apache2.install, d/apache2-utils.ufw.profile, d/apache2.dirs: Add ufw profiles (LP #261198) -- Bryce Harrington Thu, 21 Jul 2022 19:38:00 + ** Affects: apache2 (Ubuntu) Importance: Undecided Status: Invalid ** Tags: needs-merge upgrade-software-version ** Changed in: apache2 (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. 
Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1993057 Title: Merge apache2 from Debian unstable for l-series To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1993057/+subscriptions
[Enterprise-support] [Bug 1979942] Re: mpm_event fails to restart all childs gracefully
Attached is the patch upstream backported to the 2.4.x branch. It applies cleanly to bionic and focal's apache2 (with -p4), but jammy already has this fix. From what I understand, this is an issue that crops up only when apache2 is under intense load, so identifying a reliable test case may be a challenge. However, the fix makes sense and the patch seems reasonable to me. ** Patch added: "mpm-event-fix-overspawned-children-ignored-on-graceful-restart.patch" https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1979942/+attachment/5605446/+files/mpm-event-fix-overspawned-children-ignored-on-graceful-restart.patch ** No longer affects: apache2 (Ubuntu Impish) ** Also affects: apache2 (Ubuntu Bionic) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1979942 Title: mpm_event fails to restart all childs gracefully To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1979942/+subscriptions
[Enterprise-support] [Bug 1982048] [NEW] Re-merge apache2 for kinetic
Public bug reported: We already did the Apache2 merge once for kinetic, as version 2.4.53-2ubuntu1. However there is a new merge available from Debian with a new upstream and some security fixes: apache2 (2.4.54-2) unstable; urgency=medium * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package -- Yadd Tue, 05 Jul 2022 15:49:58 +0200 apache2 (2.4.54-1) unstable; urgency=medium [ Simon Deziel ] * Escape literal "." for BrowserMatch directives in setenvif.conf * Use non-capturing regex with FilesMatch directive in default-ssl.conf [ Ondřej Surý ] * New upstream version 2.4.54 (Closes: #1012513, CVE-2022-31813, CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-28330) [ Yadd ] * Fix htcacheclean doc (Closes: #1010455) * New upstream version 2.4.54 -- Yadd Thu, 09 Jun 2022 06:33:53 +0200 No Ubuntu delta gets dropped this time; everything that remains is ubuntu-specific. Security wants this merge included in kinetic since it carries a number of CVEs. So this saves them some patching work that would otherwise be necessary. ** Affects: apache2 (Ubuntu) Importance: Undecided Status: New ** Tags: needs-merge -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1982048 Title: Re-merge apache2 for kinetic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1982048/+subscriptions
[Enterprise-support] [Bug 1952531] Re: samba: Access Time of File is set to far future: Access: 30828-09-14 04:48:05.477580700 +0200
From the Debian bug report it sounds like this issue was resolved upstream in version 4.14.11 or 4.15.3 or higher. Kinetic includes 4.16, but presumably focal and jammy are affected. I think steps to reproduce would be required to be identified before considering SRU, but I've opened the bug tasks for those releases. ** Tags added: server-triage-discuss ** Also affects: samba (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998355 Importance: Unknown Status: Unknown ** Bug watch added: Samba Bugzilla #14127 https://bugzilla.samba.org/show_bug.cgi?id=14127 ** Changed in: samba Status: Fix Released => Unknown ** Changed in: samba Remote watch: Debian Bug tracker #998355 => Samba Bugzilla #14127 ** Changed in: samba Remote watch: Samba Bugzilla #14127 => Debian Bug tracker #998355 ** Changed in: samba Remote watch: Debian Bug tracker #998355 => Samba Bugzilla #14127 ** Also affects: samba (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: samba (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: samba (Ubuntu Kinetic) Importance: Undecided Status: New ** Changed in: samba (Ubuntu Kinetic) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to samba in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1952531 Title: samba: Access Time of File is set to far future: Access: 30828-09-14 04:48:05.477580700 +0200 To manage notifications about this bug go to: https://bugs.launchpad.net/samba/+bug/1952531/+subscriptions
[Enterprise-support] [Bug 1974251] Re: libapache2-mod-shib module doesn't work with 2.4.52
** Tags added: packaging ** Also affects: apache2 (Ubuntu Kinetic) Importance: Undecided Status: Incomplete ** Also affects: apache2 (Ubuntu Jammy) Importance: Undecided Status: New ** Changed in: apache2 (Ubuntu Jammy) Status: New => Incomplete ** Changed in: apache2 (Ubuntu Kinetic) Status: Incomplete => In Progress ** Changed in: apache2 (Ubuntu Kinetic) Assignee: (unassigned) => Bryce Harrington (bryce) ** Merge proposal linked: https://code.launchpad.net/~bryce/ubuntu/+source/apache2/+git/apache2/+merge/423205 -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1974251 Title: libapache2-mod-shib module doesn't work with 2.4.52 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1974251/+subscriptions
[Enterprise-support] [Bug 1973079] Re: Update apache2 OCI for kinetic
** Package changed: apache2 (Ubuntu) => ubuntu-docker-images ** Changed in: ubuntu-docker-images Milestone: ubuntu-22.09 => None -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1973079 Title: Update apache2 OCI for kinetic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-docker-images/+bug/1973079/+subscriptions
[Enterprise-support] [Bug 1973080] Re: Update squid OCI for kinetic
** Package changed: squid (Ubuntu) => ubuntu-docker-images ** Changed in: ubuntu-docker-images Milestone: ubuntu-22.09 => None -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to squid in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1973080 Title: Update squid OCI for kinetic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-docker-images/+bug/1973080/+subscriptions
[Enterprise-support] [Bug 1973079] [NEW] Update apache2 OCI for kinetic
Public bug reported: Update apache2 OCI for kinetic ** Affects: apache2 (Ubuntu) Importance: Undecided Status: New ** Tags: needs-oci-update ** Changed in: apache2 (Ubuntu) Milestone: None => ubuntu-22.09 -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1973079 Title: Update apache2 OCI for kinetic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1973079/+subscriptions
[Enterprise-support] [Bug 1973078] Re: Update apache2 OCI for kinetic
** Tags removed: needs-oci-update ** Changed in: apache2 (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1973078 Title: Update apache2 OCI for kinetic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1973078/+subscriptions
[Enterprise-support] [Bug 1973080] [NEW] Update squid OCI for kinetic
Public bug reported: Update squid OCI for kinetic ** Affects: squid (Ubuntu) Importance: Undecided Status: New ** Tags: needs-oci-update ** Changed in: squid (Ubuntu) Milestone: None => ubuntu-22.09 -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to squid in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1973080 Title: Update squid OCI for kinetic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1973080/+subscriptions
[Enterprise-support] [Bug 1973078] [NEW] Update apache2 OCI for kinetic
Public bug reported: Scheduled-For: 22.03 Update apache2 OCI for kinetic ** Affects: apache2 (Ubuntu) Importance: Undecided Status: Invalid -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1973078 Title: Update apache2 OCI for kinetic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1973078/+subscriptions
[Enterprise-support] [Bug 1971325] [NEW] Merge squid from Debian unstable for kinetic
Public bug reported: Upstream: tbd Debian: 5.5-1 Ubuntu: 5.2-1ubuntu4 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. ### New Debian Changes ### squid (5.5-1) unstable; urgency=medium [ Amos Jeffries ] * New Upstream Release * debian/patches/ - remove upstreamed 0004-Change-default-Makefiles-for-debian.patch -- Luigi Gangitano Fri, 15 Apr 2022 14:39:54 +0200 squid (5.2-1) unstable; urgency=medium [ Amos Jeffries ] * New Upstream Release (Closes: #986804, #976131) Fixes: CVE-2021-28116. Out-Of-Bounds memory access in WCCPv2 Fixes: CVE-2021-41611. Improper Certificate Validation of TLS server certificates [ L.P.H. van Belle ] * debian/rules - polish override_dh_installsystemd action to match other sequences * debian/NEWS - bump version number to make Lintian happy -- Luigi Gangitano Sat, 9 Oct 2021 17:03:54 +0200 squid (5.1-2) unstable; urgency=medium [ Amos Jeffries ] * New Upstream Release (Closes: #984351, #943692) * debian/control - switch build-dep to libtdb-dev. libdb is deprecated - Bumped Standards-Version to 4.6.0, no change needed * debian/patches/ - refresh patches for new version - fix 0001-Default-configuration-file-for-debian.patch (Closes: #970025) - add 0004-Change-default-Makefiles-for-debian.patch to fix FTBFS 'cp: cannot create regular file tests/stub_*.cc' * debian/rules - remove basic_nis_auth helper * Drop squid3 upgrade compatibility. Debian has not contained a squid3 package for at least two full release cycles. -- Luigi Gangitano Fri, 17 Sep 2021 09:27:54 +0200 squid (4.13-10) unstable; urgency=medium [ Francisco Vilmar Cardoso Ruviaro ] * Add debian/patches/0007-CVE-2021-28651.patch to fix a Denial of Service in URN processing. (Closes: #988893, CVE-2021-28651) [ Santiago Garcia Mantinan ] * Add patch to fix a Denial of Service in HTTP Response Processing. Fixes: CVE-2021-28662. Closes: #988891. 
* Add patch to fix a Denial of Service issue in Cache Manager. Fixes: CVE-2021-28652. Closes: #988892. * Add patch to fix Multiple Issues in HTTP Range header. Fixes: CVE-2021-31806 CVE-2021-31807 CVE-2021-31808. Closes: #989043. * Add patch to fix a Denial of Service in HTTP Response processing. Fixes: GHSA-572g-rvwr-6c7f. -- Santiago Garcia Mantinan Fri, 28 May 2021 12:28:20 +0200 squid (4.13-9) unstable; urgency=medium * Clarify on NEWS and scripts that we no longer remove logs on purge. * Clarify on postrm script that the debhelper code was put manually. * Add README.Debian to squid-openssl. -- Santiago Garcia Mantinan Tue, 23 Mar 2021 00:18:11 +0100 squid (4.13-8) unstable; urgency=medium * Add SQUID-2020_11.patch to fix HTTP Request Smuggling. Fixes: CVE-2020-25097. Closes: #985068. -- Santiago Garcia Mantinan Sun, 21 Mar 2021 00:58:29 +0100 squid (4.13-7) unstable; urgency=medium * Add full postrm scripts while we don't solve #984897 on debhelper. Closes: #984880. -- Santiago Garcia Mantinan Wed, 10 Mar 2021 09:19:32 +0100 squid (4.13-6) unstable; urgency=medium * Stop removing cache and config file on postrm. Closes: #984510. * Increase debhelper build dependency to 12.8 as we need that from -5. * Add NEWS note on the problem with purge on previous versions. -- Santiago Garcia Mantinan Thu, 04 Mar 2021 14:45:00 +0100 squid (4.13-5) unstable; urgency=high ### Old Ubuntu Delta ### squid (5.2-1ubuntu4) jammy; urgency=medium * Do not enable openssl as a default. This hinders packaging since we ship squid in two different flavours (gnutls and openssl). Drop d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. (LP: #1968200) -- Athos Ribeiro Tue, 12 Apr 2022 23:41:41 -0300 squid (5.2-1ubuntu3) jammy; urgency=medium * Fix FTBFS with OpenSSL 3.0 (LP: #1946205). The following new patches have been added: - d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch. - d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. 
- d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch. - d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch. - d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch. - d/p/openssl3-Remove-stale-TODO-and-comment.patch. - d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch. - d/p/openssl3-Switch-to-BN_rand.patch. - d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch. - d/p/openssl3-Tweak-RSA-key-generator.patch. - d/p/openssl3-Update-ECDH-key-settings.patch. - d/p/openssl3-Update-license-disclaimer.patch. -- Sergio Durigan Junior Tue, 08 Feb 2022 17:15:20 -0500 squid (5.2-1ubuntu2) jammy; urgency=medium * No-change rebuild against libssl3 -- Steve Langasek Thu, 09 Dec 2021 00:19:10 + squid (5.2-1ubuntu1) jammy;
[Enterprise-support] [Bug 1971305] [NEW] Merge openldap from Debian unstable for kinetic
Public bug reported: Upstream: tbd Debian: 2.5.11+dfsg-1 Ubuntu: 2.5.11+dfsg-1~exp1ubuntu3 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. ### New Debian Changes ### openldap (2.5.11+dfsg-1) unstable; urgency=medium * Upload to unstable. -- Ryan Tandy Fri, 11 Mar 2022 19:38:02 -0800 openldap (2.5.11+dfsg-1~exp1) experimental; urgency=medium * New upstream release. * Add openssl to Build-Depends to enable more checks in test067-tls. * Update slapd-contrib's custom-library-search-path override to work with current Lintian. -- Ryan Tandy Sun, 23 Jan 2022 17:16:05 -0800 openldap (2.5.8+dfsg-1~exp1) experimental; urgency=medium * New upstream release. * Update slapd-contrib's custom-library-search-path override to work with Lintian 2.108.0. -- Ryan Tandy Wed, 13 Oct 2021 18:42:55 -0700 openldap (2.5.7+dfsg-1~exp1) experimental; urgency=medium * New upstream release. * Don't run autoreconf in contrib/ldapc++. We don't build it, and it is not yet compatible with autoconf 2.71. (Closes: #993032) * Stop disabling automake in debian/rules now that upstream removed the AM_INIT_AUTOMAKE invocation. * Drop custom config.{guess,sub} handling. dh_update_autotools_config does the right thing for us. * Update Standards-Version to 4.6.0; no changes required. * debian/not-installed: Add the ldapvc.1 man page. -- Ryan Tandy Mon, 30 Aug 2021 18:54:25 -0700 openldap (2.5.6+dfsg-1~exp1) experimental; urgency=medium [ Ryan Tandy ] * New upstream release. * Export the cn=config database to LDIF format before upgrading from 2.4. * slapd.README.Debian: - Remove text about the dropped evolution-ntlm patch. - Add guidance for recovering from upgrade failures. * Remove the debconf warning and README text about the unsafe ACL configured by default in versions before jessie. * Remove upgrade code for adding the pwdMaxRecordedFailure attribute to the ppolicy schema. 
It's obsolete since the schema has been internalized. [ Sergio Durigan Junior ] * Implement the 'escape hatch' mechanism. - d/po/*.po: Update PO files given the new template note. - d/po/templates.pot: Update file. - d/slapd.templates: Add note warning user about a postinst failure, its possible cause and what to do. - d/slapd.postinst: Make certain upgrade functions return failure instead of exiting, which allows the postinst script to gracefully fail when applicable. Also, when the general configuration upgrade fails, display a critical warning to the user. Implement ignore_init_failure function. - d/slapd.prerm: Implement ignore_init_failure function. - d/slapd.scripts-common: Make certain functions return failure instead of exiting. - d/rules: Use dh_installinit's --error-handler to instruct it on how to handle possible errors with the init script. - d/slapd.NEWS: Add excerpt mentioning that the postinst script might error out if it can't migrate the existing (old) database backend. -- Ryan Tandy Mon, 16 Aug 2021 18:32:29 -0700 openldap (2.5.5+dfsg-1~exp1) experimental; urgency=medium * New upstream release. - Drop patches applied upstream: ITS#9544, ITS#9548. * Mark slapd-contrib as breaking the old version of slapd to reduce the chance of upgrade failure due to slapd-contrib being unpacked first. -- Ryan Tandy Fri, 11 Jun 2021 11:43:15 -0700 openldap (2.5.4+dfsg-1~exp1) experimental; urgency=medium * New upstream release. - Changing olcAuthzRegexp dynamically is supported. (Closes: #761407) - Support for LANMAN password hashes has been removed. (Closes: #988033) - Added pkg-config files for liblber and libldap. (Closes: #670824) - libldap_r has been merged into libldap. The Debian package will continue to install a libldap_r.so symlink for backwards compatibility with applications that still link with -lldap_r. - The Berkeley DB backends, slapd-bdb(5) and slapd-hdb(5), have been removed. - The shell backend, slapd-shell(5), has been removed. 
- New backend: slapd-asyncmeta(5). - New core overlays: slapd-homedir(5), slapd-otp(5), and slapd-remoteauth(5). - The ppolicy schema has been merged into the slapo-ppolicy(5) module. - The argon2 password module has been promoted from contrib to core. * Add a superficial autopkgtest for smbk5pwd. * Update Standards-Version to 4.5.1; no changes needed. * Upgrade to debhelper compat level 12. ### Old Ubuntu Delta ### openldap (2.5.11+dfsg-1~exp1ubuntu3) jammy; urgency=medium * No-change rebuild to update maintainer scripts, see LP: 1959054 -- Dave Jones Wed, 16 Feb 2022 17:15:26 + openldap (2.5.11+dfsg-1~exp1ubuntu2) jammy; urgency=medium * No-change rebuild for the perl update. -- Matthias Klose Mon, 07 Feb
[Enterprise-support] [Bug 1971240] Re: Merge apache2 from Debian unstable for kinetic
** Changed in: apache2 (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1971240 Title: Merge apache2 from Debian unstable for kinetic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1971240/+subscriptions
[Enterprise-support] [Bug 1971243] Re: Merge apache2 from Debian unstable for kinetic
** Changed in: apache2 (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1971243 Title: Merge apache2 from Debian unstable for kinetic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1971243/+subscriptions
[Enterprise-support] [Bug 1971248] [NEW] Merge apache2 from Debian unstable for kinetic
Public bug reported: Upstream: 2.4.53 Debian: 2.4.53-2 Ubuntu: 2.4.52-1ubuntu4 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. ### New Debian Changes ### apache2 (2.4.53-2) unstable; urgency=medium * Clean useless Conflicts/Replace * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254) -- Yadd Tue, 15 Mar 2022 15:27:39 +0100 apache2 (2.4.53-1) unstable; urgency=medium * New upstream version 2.4.53 (Closes: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943) * Update copyright * Patches: + Drop fix-2.4.52-regression.patch, now included in upstream + Refresh fhs_compliance.patch + Update and disable child_processes_fail_to_start.patch * Update test framework * Back to unstable -- Yadd Mon, 14 Mar 2022 17:10:39 +0100 apache2 (2.4.52-3) experimental; urgency=medium * Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL error) * Set hardening=+all instead of hardening=+bindnow -- Yadd Tue, 28 Dec 2021 21:20:05 +0100 apache2 (2.4.52-2) experimental; urgency=medium * Build with pcre2 (Closes: #1000114) -- Yadd Tue, 28 Dec 2021 20:01:43 +0100 apache2 (2.4.52-1) unstable; urgency=medium * Refresh suexec-custom.patch * Update lintian overrides * Wrap long lines in changelog entries: 2.4.51-2. 
* New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790) * Refresh patches -- Yadd Mon, 20 Dec 2021 18:42:09 +0100 apache2 (2.4.51-2) unstable; urgency=medium * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting parameters -- Yadd Mon, 25 Oct 2021 18:37:03 +0200 apache2 (2.4.51-1) unstable; urgency=medium * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013) * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659) -- Yadd Thu, 07 Oct 2021 20:35:33 +0200 apache2 (2.4.50-1) unstable; urgency=high * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524) * Remove patches already merged upstream -- Ondřej Surý Tue, 05 Oct 2021 13:25:23 +0200 apache2 (2.4.49-4) unstable; urgency=medium [ Ondřej Surý ] * Add upstream patch to fix crash in 2.4.49 -- Yadd Fri, 01 Oct 2021 11:34:24 +0200 apache2 (2.4.49-3) unstable; urgency=medium [ Yadd ] * Re-export upstream signing key without extra signatures. * Drop transition for old debug package migration. [ Moritz Muehlenhoff ] * Fix CVE-2021-40438 regression -- Yadd Thu, 30 Sep 2021 06:00:06 +0200 apache2 (2.4.49-2) unstable; urgency=medium [ Michiel Hazelhof ] * Fix multi instance issue (Closes: #868861) [ Philippe Ombredanne ] * Fix GPL version typo in copyright file -- Yadd Thu, 23 Sep 2021 13:55:55 +0200 apache2 (2.4.49-1) unstable; urgency=medium * Update upstream GPG keys * New upstream version 2.4.51. 
Closes: CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438, CVE-2021-41524, CVE-2021-41773, CVE-2021-42013) ### Old Ubuntu Delta ### apache2 (2.4.52-1ubuntu4) jammy; urgency=medium * d/apache2.postrm: Include md5 sum for updated index.html -- Bryce Harrington Thu, 24 Mar 2022 17:35:40 -0700 apache2 (2.4.52-1ubuntu3) jammy; urgency=medium * d/index.html: - Redesign page's heading for the new logo - Use the Ubuntu font where available - Update service management directions - Copyedit grammar - Light reformatting and whitespace cleanup * d/icons/ubuntu-logo.png: Refresh ubuntu logo (LP: #1966004) -- Bryce Harrington Wed, 23 Mar 2022 16:18:11 -0700 apache2 (2.4.52-1ubuntu2) jammy; urgency=medium * SECURITY UPDATE: OOB read in mod_lua via crafted request body - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or lua_write_body() fail in modules/lua/lua_request.c. - CVE-2022-22719 * SECURITY UPDATE: HTTP Request Smuggling via error discarding the request body - debian/patches/CVE-2022-22720.patch: simpler connection close logic if discarding the request body fails in modules/http/http_filters.c, server/protocol.c. - CVE-2022-22720 * SECURITY UPDATE: overflow via large LimitXMLRequestBody - debian/patches/CVE-2022-22721.patch: make sure and check that LimitXMLRequestBody fits in system memory in server/core.c, server/util.c, server/util_xml.c. - CVE-2022-22721 * SECURITY UPDATE: out-of-bounds write in mod_sed - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger buffer sizes and unsigned arithmetics in modules/filters/libsed.h, modules/filters/mod_sed.c, modules/filters/sed1.c. - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in modules/filters/mod_sed.c. - CVE-2022-23943 -- Marc Deslauriers Thu, 17 Mar 2022 09:39:54 -0400 apache2 (2.4.52-1ubuntu1) jammy
[Enterprise-support] [Bug 1971256] [NEW] Merge samba from Debian unstable for kinetic
Public bug reported: Upstream: 4.15.7 Debian: 2:4.16.1+dfsg-3 Ubuntu: 2:4.15.5~dfsg-0ubuntu5 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. ### New Debian Changes ### samba (2:4.16.1+dfsg-3) unstable; urgency=medium * fix ldb package version generation in d/make_shlibs which was wrong in 2 previous uploads. Will I *ever* make it actually work someday? -- Michael Tokarev Mon, 02 May 2022 18:32:24 +0300 samba (2:4.16.1+dfsg-2) unstable; urgency=medium * rethink ldb version *again*, to be 2.5.0+smb4.16.1-2 or else 2.5.0+smb-1 from samba-4.16.1-2 sorts before 2.5.0+smb-7 from samba-4.16.0-7. -- Michael Tokarev Mon, 02 May 2022 17:02:16 +0300 samba (2:4.16.1+dfsg-1) unstable; urgency=medium * new upstream minor release 4.16.1 * move-msg.sock-from-var-lib-samba-to-run-samba.patch: move /var/lib/samba/private/msg.sock/ to /run/samba/msg.sock/. This is a (private) socket directory for IPC, it should not be in /var. * Remove /var/lib/samba/private/msg.sock/ in postinst * testparm-do-not-fail-if-pid-dir-does-not-exist.patch: testparm deliberately fails if /run/samba does not exist, while testparam itself does not use it and daemons will create it on demand. Just make it a warning instead of a fatal error, and we'll not need to pre-create this dir in a random place using hackish ways * ctdb-create-piddir.patch: create /run/ctdb/ in ctdb.service and ctdb.init before invoking ctdbd (as the latter does not create its pid directory on demand). * stop (ab)using tmpfiles.d to pre-create /run/samba/ and /run/ctdb/ and stop creating /run/samba/ in samba-common-bin.postinst just to make testparam happy. 
* d/rules: minor tweaks -- Michael Tokarev Mon, 02 May 2022 13:16:12 +0300 samba (2:4.16.0+dfsg-7) unstable; urgency=medium * another bunch of small tweaks to d/rules: - set SHELL to /bin/sh -e - rework the clean target - provide fast replacement of architecture.mk - better expression for DEB_REVISION - rearrange configure options * do not disable glusterfs on ubuntu-i386 (glusterfs is now in main) * mention closing of #1001053 by the 4.16 upload * change the ldb version string again, removing te '+samba*' suffix to allow bin-NMUs +b1 (Closes: #1010100) -- Michael Tokarev Sun, 24 Apr 2022 16:56:34 +0300 samba (2:4.16.0+dfsg-6) unstable; urgency=medium * another attempt to fix/work around #221618. Re-enable libsmbclient-ensure-lfs-221618.patch and change it to just define an extra type array int[sizeof(off_t)-7]. If off_t is small it will become a compile error. It is an ugly way to do it, but it should actually work, unlike various static_assert/_Static_assert which are language (C/C++) and standard-dependent. Closes: #221618. -- Michael Tokarev Sat, 09 Apr 2022 17:27:09 +0300 samba (2:4.16.0+dfsg-5) unstable; urgency=medium * disable libsmbclient-ensure-lfs-221618.patch for now. It throws errors in one or another configuration no matter what. Repoens: #221618 * d/salsa-ci.yml: re-allow blhc salsa-ci test to fail again due to different bug in blhc -- Michael Tokarev Sat, 09 Apr 2022 16:33:57 +0300 samba (2:4.16.0+dfsg-4) unstable; urgency=medium * libsmbclient-ensure-lfs-221618.patch: replace _Static_assert with static_assert (and include to make C++ happy too (Closes: #1009211) * disable-setuid-confchecks.patch: when running configure tests, samba tries to verify setuid/setgid etc calls are actually *working*, not just exists. This is only possible when the configure is running as root. 
But it turns out in some salsa-ci configuration (namely in the reprotest), the second build is actually running as root, and in that environment, actual setegid call is failing somehow. Just disable the config-time check for correctly working setgid and assume it 'just works' if present, exactly like non-root build will do. * d/salsa-ci.yml: do not expect failure in blhc test (the original prob has been fixed long ago), and stop requiring experimental * mention closing of #999876 by 4.16 -- Michael Tokarev Sat, 09 Apr 2022 00:42:38 +0300 samba (2:4.16.0+dfsg-3) unstable; urgency=medium * d/control: comment out the selftest-mode build deps for now * d/control: forgotten python3-samba:Replaces against samba package too, not just samba-libs, when moving dckeytab python lib (Closes: #1009175) ### Old Ubuntu Delta ### samba (2:4.15.5~dfsg-0ubuntu5) jammy; urgency=medium * Enable glusterfs support (LP: #1894618): - d/control: revert disabling of glusterfs, since it's in main now - d/rules: in Ubuntu, glusterfs is not built for i386, so don't enable the samba glusterfs vfs mofule in that case - d/control: build-depend on libglusterfs-dev only on !i386
[Enterprise-support] [Bug 1971246] [NEW] Merge apache2 from Debian unstable for kinetic
Public bug reported: Upstream: 2.4.53 Debian: 2.4.53-2 Ubuntu: 2.4.52-1ubuntu4 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. ### New Debian Changes ### apache2 (2.4.53-2) unstable; urgency=medium * Clean useless Conflicts/Replace * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254) -- Yadd Tue, 15 Mar 2022 15:27:39 +0100 apache2 (2.4.53-1) unstable; urgency=medium * New upstream version 2.4.53 (Closes: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943) * Update copyright * Patches: + Drop fix-2.4.52-regression.patch, now included in upstream + Refresh fhs_compliance.patch + Update and disable child_processes_fail_to_start.patch * Update test framework * Back to unstable -- Yadd Mon, 14 Mar 2022 17:10:39 +0100 apache2 (2.4.52-3) experimental; urgency=medium * Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL error) * Set hardening=+all instead of hardening=+bindnow -- Yadd Tue, 28 Dec 2021 21:20:05 +0100 apache2 (2.4.52-2) experimental; urgency=medium * Build with pcre2 (Closes: #1000114) -- Yadd Tue, 28 Dec 2021 20:01:43 +0100 apache2 (2.4.52-1) unstable; urgency=medium * Refresh suexec-custom.patch * Update lintian overrides * Wrap long lines in changelog entries: 2.4.51-2. 
* New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790) * Refresh patches -- Yadd Mon, 20 Dec 2021 18:42:09 +0100 apache2 (2.4.51-2) unstable; urgency=medium * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting parameters -- Yadd Mon, 25 Oct 2021 18:37:03 +0200 apache2 (2.4.51-1) unstable; urgency=medium * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013) * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659) -- Yadd Thu, 07 Oct 2021 20:35:33 +0200 apache2 (2.4.50-1) unstable; urgency=high * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524) * Remove patches already merged upstream -- Ondřej Surý Tue, 05 Oct 2021 13:25:23 +0200 apache2 (2.4.49-4) unstable; urgency=medium [ Ondřej Surý ] * Add upstream patch to fix crash in 2.4.49 -- Yadd Fri, 01 Oct 2021 11:34:24 +0200 apache2 (2.4.49-3) unstable; urgency=medium [ Yadd ] * Re-export upstream signing key without extra signatures. * Drop transition for old debug package migration. [ Moritz Muehlenhoff ] * Fix CVE-2021-40438 regression -- Yadd Thu, 30 Sep 2021 06:00:06 +0200 apache2 (2.4.49-2) unstable; urgency=medium [ Michiel Hazelhof ] * Fix multi instance issue (Closes: #868861) [ Philippe Ombredanne ] * Fix GPL version typo in copyright file -- Yadd Thu, 23 Sep 2021 13:55:55 +0200 apache2 (2.4.49-1) unstable; urgency=medium * Update upstream GPG keys * New upstream version 2.4.51. 
Closes: CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438, CVE-2021-41524, CVE-2021-41773, CVE-2021-42013) ### Old Ubuntu Delta ### apache2 (2.4.52-1ubuntu4) jammy; urgency=medium * d/apache2.postrm: Include md5 sum for updated index.html -- Bryce Harrington Thu, 24 Mar 2022 17:35:40 -0700 apache2 (2.4.52-1ubuntu3) jammy; urgency=medium * d/index.html: - Redesign page's heading for the new logo - Use the Ubuntu font where available - Update service management directions - Copyedit grammar - Light reformatting and whitespace cleanup * d/icons/ubuntu-logo.png: Refresh ubuntu logo (LP: #1966004) -- Bryce Harrington Wed, 23 Mar 2022 16:18:11 -0700 apache2 (2.4.52-1ubuntu2) jammy; urgency=medium * SECURITY UPDATE: OOB read in mod_lua via crafted request body - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or lua_write_body() fail in modules/lua/lua_request.c. - CVE-2022-22719 * SECURITY UPDATE: HTTP Request Smuggling via error discarding the request body - debian/patches/CVE-2022-22720.patch: simpler connection close logic if discarding the request body fails in modules/http/http_filters.c, server/protocol.c. - CVE-2022-22720 * SECURITY UPDATE: overflow via large LimitXMLRequestBody - debian/patches/CVE-2022-22721.patch: make sure and check that LimitXMLRequestBody fits in system memory in server/core.c, server/util.c, server/util_xml.c. - CVE-2022-22721 * SECURITY UPDATE: out-of-bounds write in mod_sed - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger buffer sizes and unsigned arithmetics in modules/filters/libsed.h, modules/filters/mod_sed.c, modules/filters/sed1.c. - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in modules/filters/mod_sed.c. - CVE-2022-23943 -- Marc Deslauriers Thu, 17 Mar 2022 09:39:54 -0400 apache2 (2.4.52-1ubuntu1) jammy
[Enterprise-support] [Bug 1971247] [NEW] Merge apache2 from Debian unstable for kinetic
Public bug reported: Upstream: 2.4.53 Debian: 2.4.53-2 Ubuntu: 2.4.52-1ubuntu4 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. ### New Debian Changes ### apache2 (2.4.53-2) unstable; urgency=medium * Clean useless Conflicts/Replace * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254) -- Yadd Tue, 15 Mar 2022 15:27:39 +0100 apache2 (2.4.53-1) unstable; urgency=medium * New upstream version 2.4.53 (Closes: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943) * Update copyright * Patches: + Drop fix-2.4.52-regression.patch, now included in upstream + Refresh fhs_compliance.patch + Update and disable child_processes_fail_to_start.patch * Update test framework * Back to unstable -- Yadd Mon, 14 Mar 2022 17:10:39 +0100 apache2 (2.4.52-3) experimental; urgency=medium * Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL error) * Set hardening=+all instead of hardening=+bindnow -- Yadd Tue, 28 Dec 2021 21:20:05 +0100 apache2 (2.4.52-2) experimental; urgency=medium * Build with pcre2 (Closes: #1000114) -- Yadd Tue, 28 Dec 2021 20:01:43 +0100 apache2 (2.4.52-1) unstable; urgency=medium * Refresh suexec-custom.patch * Update lintian overrides * Wrap long lines in changelog entries: 2.4.51-2. 
* New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790) * Refresh patches -- Yadd Mon, 20 Dec 2021 18:42:09 +0100 apache2 (2.4.51-2) unstable; urgency=medium * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting parameters -- Yadd Mon, 25 Oct 2021 18:37:03 +0200 apache2 (2.4.51-1) unstable; urgency=medium * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013) * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659) -- Yadd Thu, 07 Oct 2021 20:35:33 +0200 apache2 (2.4.50-1) unstable; urgency=high * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524) * Remove patches already merged upstream -- Ondřej Surý Tue, 05 Oct 2021 13:25:23 +0200 apache2 (2.4.49-4) unstable; urgency=medium [ Ondřej Surý ] * Add upstream patch to fix crash in 2.4.49 -- Yadd Fri, 01 Oct 2021 11:34:24 +0200 apache2 (2.4.49-3) unstable; urgency=medium [ Yadd ] * Re-export upstream signing key without extra signatures. * Drop transition for old debug package migration. [ Moritz Muehlenhoff ] * Fix CVE-2021-40438 regression -- Yadd Thu, 30 Sep 2021 06:00:06 +0200 apache2 (2.4.49-2) unstable; urgency=medium [ Michiel Hazelhof ] * Fix multi instance issue (Closes: #868861) [ Philippe Ombredanne ] * Fix GPL version typo in copyright file -- Yadd Thu, 23 Sep 2021 13:55:55 +0200 apache2 (2.4.49-1) unstable; urgency=medium * Update upstream GPG keys * New upstream version 2.4.51. 
Closes: CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438, CVE-2021-41524, CVE-2021-41773, CVE-2021-42013) ### Old Ubuntu Delta ### apache2 (2.4.52-1ubuntu4) jammy; urgency=medium * d/apache2.postrm: Include md5 sum for updated index.html -- Bryce Harrington Thu, 24 Mar 2022 17:35:40 -0700 apache2 (2.4.52-1ubuntu3) jammy; urgency=medium * d/index.html: - Redesign page's heading for the new logo - Use the Ubuntu font where available - Update service management directions - Copyedit grammar - Light reformatting and whitespace cleanup * d/icons/ubuntu-logo.png: Refresh ubuntu logo (LP: #1966004) -- Bryce Harrington Wed, 23 Mar 2022 16:18:11 -0700 apache2 (2.4.52-1ubuntu2) jammy; urgency=medium * SECURITY UPDATE: OOB read in mod_lua via crafted request body - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or lua_write_body() fail in modules/lua/lua_request.c. - CVE-2022-22719 * SECURITY UPDATE: HTTP Request Smuggling via error discarding the request body - debian/patches/CVE-2022-22720.patch: simpler connection close logic if discarding the request body fails in modules/http/http_filters.c, server/protocol.c. - CVE-2022-22720 * SECURITY UPDATE: overflow via large LimitXMLRequestBody - debian/patches/CVE-2022-22721.patch: make sure and check that LimitXMLRequestBody fits in system memory in server/core.c, server/util.c, server/util_xml.c. - CVE-2022-22721 * SECURITY UPDATE: out-of-bounds write in mod_sed - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger buffer sizes and unsigned arithmetics in modules/filters/libsed.h, modules/filters/mod_sed.c, modules/filters/sed1.c. - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in modules/filters/mod_sed.c. - CVE-2022-23943 -- Marc Deslauriers Thu, 17 Mar 2022 09:39:54 -0400 apache2 (2.4.52-1ubuntu1) jammy
[Enterprise-support] [Bug 1971245] [NEW] Merge apache2 from Debian unstable for kinetic
Public bug reported:

Upstream: 2.4.53
Debian: 2.4.53-2
Ubuntu: 2.4.52-1ubuntu4

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.

### New Debian Changes ###

apache2 (2.4.53-2) unstable; urgency=medium

  * Clean useless Conflicts/Replace
  * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254)

 -- Yadd Tue, 15 Mar 2022 15:27:39 +0100

apache2 (2.4.53-1) unstable; urgency=medium

  * New upstream version 2.4.53 (Closes: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)
  * Update copyright
  * Patches:
    + Drop fix-2.4.52-regression.patch, now included in upstream
    + Refresh fhs_compliance.patch
    + Update and disable child_processes_fail_to_start.patch
  * Update test framework
  * Back to unstable

 -- Yadd Mon, 14 Mar 2022 17:10:39 +0100

apache2 (2.4.52-3) experimental; urgency=medium

  * Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL error)
  * Set hardening=+all instead of hardening=+bindnow

 -- Yadd Tue, 28 Dec 2021 21:20:05 +0100

apache2 (2.4.52-2) experimental; urgency=medium

  * Build with pcre2 (Closes: #1000114)

 -- Yadd Tue, 28 Dec 2021 20:01:43 +0100

apache2 (2.4.52-1) unstable; urgency=medium

  * Refresh suexec-custom.patch
  * Update lintian overrides
  * Wrap long lines in changelog entries: 2.4.51-2.
  * New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790)
  * Refresh patches

 -- Yadd Mon, 20 Dec 2021 18:42:09 +0100

apache2 (2.4.51-2) unstable; urgency=medium

  * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting parameters

 -- Yadd Mon, 25 Oct 2021 18:37:03 +0200

apache2 (2.4.51-1) unstable; urgency=medium

  * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013)
  * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659)

 -- Yadd Thu, 07 Oct 2021 20:35:33 +0200

apache2 (2.4.50-1) unstable; urgency=high

  * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524)
  * Remove patches already merged upstream

 -- Ondřej Surý Tue, 05 Oct 2021 13:25:23 +0200

apache2 (2.4.49-4) unstable; urgency=medium

  [ Ondřej Surý ]
  * Add upstream patch to fix crash in 2.4.49

 -- Yadd Fri, 01 Oct 2021 11:34:24 +0200

apache2 (2.4.49-3) unstable; urgency=medium

  [ Yadd ]
  * Re-export upstream signing key without extra signatures.
  * Drop transition for old debug package migration.

  [ Moritz Muehlenhoff ]
  * Fix CVE-2021-40438 regression

 -- Yadd Thu, 30 Sep 2021 06:00:06 +0200

apache2 (2.4.49-2) unstable; urgency=medium

  [ Michiel Hazelhof ]
  * Fix multi instance issue (Closes: #868861)

  [ Philippe Ombredanne ]
  * Fix GPL version typo in copyright file

 -- Yadd Thu, 23 Sep 2021 13:55:55 +0200

apache2 (2.4.49-1) unstable; urgency=medium

  * Update upstream GPG keys
  * New upstream version 2.4.51. Closes: CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438, CVE-2021-41524, CVE-2021-41773, CVE-2021-42013)

### Old Ubuntu Delta ###

apache2 (2.4.52-1ubuntu4) jammy; urgency=medium

  * d/apache2.postrm: Include md5 sum for updated index.html

 -- Bryce Harrington Thu, 24 Mar 2022 17:35:40 -0700

apache2 (2.4.52-1ubuntu3) jammy; urgency=medium

  * d/index.html:
    - Redesign page's heading for the new logo
    - Use the Ubuntu font where available
    - Update service management directions
    - Copyedit grammar
    - Light reformatting and whitespace cleanup
  * d/icons/ubuntu-logo.png: Refresh ubuntu logo (LP: #1966004)

 -- Bryce Harrington Wed, 23 Mar 2022 16:18:11 -0700

apache2 (2.4.52-1ubuntu2) jammy; urgency=medium

  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic if discarding the request body fails in modules/http/http_filters.c, server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that LimitXMLRequestBody fits in system memory in server/core.c, server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger buffer sizes and unsigned arithmetics in modules/filters/libsed.h, modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in modules/filters/mod_sed.c.
    - CVE-2022-23943

 -- Marc Deslauriers Thu, 17 Mar 2022 09:39:54 -0400

apache2 (2.4.52-1ubuntu1) jammy
[Enterprise-support] [Bug 1971244] Re: Merge apache2 from Debian unstable for kinetic
(TESTING)

** Changed in: apache2 (Ubuntu)
       Status: New => Invalid

--
You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1971244

Title:
  Merge apache2 from Debian unstable for kinetic

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1971244/+subscriptions

--
Mailing list: https://launchpad.net/~enterprise-support
Post to     : enterprise-support@lists.launchpad.net
Unsubscribe : https://launchpad.net/~enterprise-support
More help   : https://help.launchpad.net/ListHelp
[Enterprise-support] [Bug 1971244] [NEW] Merge apache2 from Debian unstable for kinetic
Public bug reported:

Upstream: 2.4.53
Debian: 2.4.53-2
Ubuntu: 2.4.52-1ubuntu4

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.
[Enterprise-support] [Bug 1971238] Re: Merge apache2 from Debian unstable for kinetic
(TESTING)

** Changed in: apache2 (Ubuntu)
       Status: New => Invalid
[Enterprise-support] [Bug 1971243] [NEW] Merge apache2 from Debian unstable for kinetic
Public bug reported:

Upstream: 2.4.53
Debian: 2.4.53-2
Ubuntu: 2.4.52-1ubuntu4

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.
[Enterprise-support] [Bug 1971234] Re: Merge apache2 from Debian unstable for kinetic
(JUST TESTING)

** Changed in: apache2 (Ubuntu)
       Status: New => Invalid
[Enterprise-support] [Bug 1971236] Re: Merge apache2 from Debian unstable for kinetic
(JUST TESTING)

** Changed in: apache2 (Ubuntu)
       Status: New => Invalid
[Enterprise-support] [Bug 1971236] [NEW] Merge apache2 from Debian unstable for kinetic
Public bug reported:

Upstream: 2.4.53
Debian: 2.4.53-2
Ubuntu: 2.4.52-1ubuntu4

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.
[Enterprise-support] [Bug 1971237] Re: Merge apache2 from Debian unstable for kinetic
(STILL TESTING)

** Changed in: apache2 (Ubuntu)
       Status: New => Invalid
[Enterprise-support] [Bug 1971237] [NEW] Merge apache2 from Debian unstable for kinetic
Public bug reported:

Upstream: 2.4.53
Debian: 2.4.53-2
Ubuntu: 2.4.52-1ubuntu4

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.
[Enterprise-support] [Bug 1971238] [NEW] Merge apache2 from Debian unstable for kinetic
Public bug reported:

Upstream: 2.4.53
Debian: 2.4.53-2
Ubuntu: 2.4.52-1ubuntu4

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.
[Enterprise-support] [Bug 1971229] Re: Merge apache2 from Debian unstable for k-series
(JUST TESTING) ** Changed in: apache2 (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/1971229 Title: Merge apache2 from Debian unstable for k-series To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1971229/+subscriptions -- Mailing list: https://launchpad.net/~enterprise-support Post to : enterprise-support@lists.launchpad.net Unsubscribe : https://launchpad.net/~enterprise-support More help : https://help.launchpad.net/ListHelp
[Enterprise-support] [Bug 1971234] [NEW] Merge apache2 from Debian unstable for kinetic
Public bug reported: Scheduled-For: 22.07 Upstream: 2.4.53 Debian: 2.4.53-2 Ubuntu: 2.4.52-1ubuntu4 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. ### New Debian Changes ### apache2 (2.4.53-2) unstable; urgency=medium * Clean useless Conflicts/Replace * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254) -- Yadd Tue, 15 Mar 2022 15:27:39 +0100 apache2 (2.4.53-1) unstable; urgency=medium * New upstream version 2.4.53 (Closes: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943) * Update copyright * Patches: + Drop fix-2.4.52-regression.patch, now included in upstream + Refresh fhs_compliance.patch + Update and disable child_processes_fail_to_start.patch * Update test framework * Back to unstable -- Yadd Mon, 14 Mar 2022 17:10:39 +0100 apache2 (2.4.52-3) experimental; urgency=medium * Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL error) * Set hardening=+all instead of hardening=+bindnow -- Yadd Tue, 28 Dec 2021 21:20:05 +0100 apache2 (2.4.52-2) experimental; urgency=medium * Build with pcre2 (Closes: #1000114) -- Yadd Tue, 28 Dec 2021 20:01:43 +0100 apache2 (2.4.52-1) unstable; urgency=medium * Refresh suexec-custom.patch * Update lintian overrides * Wrap long lines in changelog entries: 2.4.51-2. 
* New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790) * Refresh patches -- Yadd Mon, 20 Dec 2021 18:42:09 +0100 apache2 (2.4.51-2) unstable; urgency=medium * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting parameters -- Yadd Mon, 25 Oct 2021 18:37:03 +0200 apache2 (2.4.51-1) unstable; urgency=medium * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013) * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659) -- Yadd Thu, 07 Oct 2021 20:35:33 +0200 apache2 (2.4.50-1) unstable; urgency=high * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524) * Remove patches already merged upstream -- Ondřej Surý Tue, 05 Oct 2021 13:25:23 +0200 apache2 (2.4.49-4) unstable; urgency=medium [ Ondřej Surý ] * Add upstream patch to fix crash in 2.4.49 -- Yadd Fri, 01 Oct 2021 11:34:24 +0200 apache2 (2.4.49-3) unstable; urgency=medium [ Yadd ] * Re-export upstream signing key without extra signatures. * Drop transition for old debug package migration. [ Moritz Muehlenhoff ] * Fix CVE-2021-40438 regression -- Yadd Thu, 30 Sep 2021 06:00:06 +0200 apache2 (2.4.49-2) unstable; urgency=medium [ Michiel Hazelhof ] * Fix multi instance issue (Closes: #868861) [ Philippe Ombredanne ] * Fix GPL version typo in copyright file -- Yadd Thu, 23 Sep 2021 13:55:55 +0200 apache2 (2.4.49-1) unstable; urgency=medium * Update upstream GPG keys * New upstream version 2.4.51. 
Closes: CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438, CVE-2021-41524, CVE-2021-41773, CVE-2021-42013) ### Old Ubuntu Delta ### apache2 (2.4.52-1ubuntu4) jammy; urgency=medium * d/apache2.postrm: Include md5 sum for updated index.html -- Bryce Harrington Thu, 24 Mar 2022 17:35:40 -0700 apache2 (2.4.52-1ubuntu3) jammy; urgency=medium * d/index.html: - Redesign page's heading for the new logo - Use the Ubuntu font where available - Update service management directions - Copyedit grammar - Light reformatting and whitespace cleanup * d/icons/ubuntu-logo.png: Refresh ubuntu logo (LP: #1966004) -- Bryce Harrington Wed, 23 Mar 2022 16:18:11 -0700 apache2 (2.4.52-1ubuntu2) jammy; urgency=medium * SECURITY UPDATE: OOB read in mod_lua via crafted request body - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or lua_write_body() fail in modules/lua/lua_request.c. - CVE-2022-22719 * SECURITY UPDATE: HTTP Request Smuggling via error discarding the request body - debian/patches/CVE-2022-22720.patch: simpler connection close logic if discarding the request body fails in modules/http/http_filters.c, server/protocol.c. - CVE-2022-22720 * SECURITY UPDATE: overflow via large LimitXMLRequestBody - debian/patches/CVE-2022-22721.patch: make sure and check that LimitXMLRequestBody fits in system memory in server/core.c, server/util.c, server/util_xml.c. - CVE-2022-22721 * SECURITY UPDATE: out-of-bounds write in mod_sed - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger buffer sizes and unsigned arithmetics in modules/filters/libsed.h, modules/filters/mod_sed.c, modules/filters/sed1.c. - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in modules/filters/mod_sed.c. - CVE-2022-23943 -- Marc Deslauriers Thu, 17 Mar 2022 09:39:54 -0400 apache2 (2.4.52
[Enterprise-support] [Bug 1966004] [NEW] Logo refresh
Public bug reported: LP: #1288690 added a ubuntu logo for the Apache front page 8 years ago. This needs replaced with a logo that matches current Ubuntu visual identity. ** Affects: apache2 (Ubuntu) Importance: Undecided Status: New -- https://bugs.launchpad.net/bugs/1966004