Package: apache2 Version: 2.4.17-1 Severity: normal Dear Maintainer,
There appears to have been a mistake upstream. The following change was proposed on April Fools Day this year: https://bz.apache.org/bugzilla/show_bug.cgi?id=57785 Despite breaking all kinds of things, this patch somehow made it into apache 2.4.17. It changes the REDIRECT_URL variable, which untold numbers of sites (millions?) rely on. That page says that REDIRECT_URL was introduced in 2010, but that is not true. The earliest version of apache source I can find is from 1996, and it includes the REDIRECT_URL variable: http://svn.apache.org/viewvc/httpd/httpd/tags/1.3/apache_1_0_0/src/main/util_script.c?revision=76316&view=markup I understand that sometimes breaking changes need to be made, but not with little fanfare when only the tertiary version number changes. apache 2.5.0 appears to have already fixed this, by making the new behavior opt-in: https://github.com/apache/httpd/blob/42fe5bdacc3395981f717e70c8b03e587bbf865b/CHANGES And it looks like 2.4.18 will have that fix as well: http://mail-archives.apache.org/mod_mbox/httpd-dev/201510.mbox/%3C8E4D5EDE-E9F5-4551-BE25-694E4D9B3C1B%40jaguNET.com%3E I'm not sure what should be done about this, but it breaks almost every site I've ever made (at least 50), so I thought you all should at least know about it. Here are some fun quotes from the upstream bug: "This patch appears to break the prexisting PHP behaviour (all versions, verified as far back as PHP 5.2)." "Here at cPanel we are reverting our 2.4.17 release and are going to re-release 2.4.16. Too many issues with mod_rewrite/REDIRECT_URL causing a *lot* of applications to stop working." -- Package-specific info: -- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 4.2.0-1-686-pae (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages apache2 depends on: ii apache2-bin 2.4.17-1 ii apache2-data 2.4.17-1 ii apache2-utils 2.4.17-1 ii dpkg 1.18.3 ii lsb-base 9.20150917 ii mime-support 3.59 ii perl 5.20.2-6 ii procps 2:3.3.10-4 Versions of packages apache2 recommends: ii ssl-cert 1.0.37 Versions of packages apache2 suggests: pn apache2-doc <none> pn apache2-suexec-pristine | apache2-suexec-custom <none> ii chromium [www-browser] 46.0.2490.71-1 ii elinks [www-browser] 0.12~pre6-10 ii iceweasel [www-browser] 38.3.0esr-1 ii lynx-cur [www-browser] 2.8.9dev6-4 ii w3m [www-browser] 0.5.3-25 Versions of packages apache2-bin depends on: ii libapr1 1.5.2-3 ii libaprutil1 1.5.4-1 ii libaprutil1-dbd-sqlite3 1.5.4-1 ii libaprutil1-ldap 1.5.4-1 ii libc6 2.19-22 ii libldap-2.4-2 2.4.42+dfsg-2 ii liblua5.1-0 5.1.5-8 ii libnghttp2-14 1.3.4-2 ii libpcre3 2:8.35-7.2 ii libssl1.0.0 1.0.2d-1 ii libxml2 2.9.2+zdfsg1-4 ii perl 5.20.2-6 ii zlib1g 1:1.2.8.dfsg-2+b1 Versions of packages apache2-bin suggests: pn apache2-doc <none> pn apache2-suexec-pristine | apache2-suexec-custom <none> ii chromium [www-browser] 46.0.2490.71-1 ii elinks [www-browser] 0.12~pre6-10 ii iceweasel [www-browser] 38.3.0esr-1 ii lynx-cur [www-browser] 2.8.9dev6-4 ii w3m [www-browser] 0.5.3-25 Versions of packages apache2 is related to: ii apache2 2.4.17-1 ii apache2-bin 2.4.17-1 -- Configuration Files: /etc/apache2/mods-available/ident.load [Errno 2] No such file or directory: u'/etc/apache2/mods-available/ident.load' /etc/apache2/ports.conf changed [not included] /etc/apache2/sites-available/000-default.conf changed [not included] -- no debconf information