Am 18.03.24 um 13:59 schrieb Yaroslav Halchenko:
Package: apache2
Version: 2.4.57-2
Severity: important
Server was working just fine for years and recently started to stall
completely after 3-7 days of functioning normally. error logs get filled up
first with AH03490 and then eventually with
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: apac...@packages.debian.org
Control: affects -1 + src:apache2
User: release.debian@packages.debian.org
Usertags: binnmu
libaprutil1t64 1.6.3-1.1 contains a wrong symbol file, causing a wrong
dependency on libaprutil164 (missing a "t")
Am 18.03.24 um 19:30 schrieb Stefan Fritsch:
Am 13.03.24 um 22:32 schrieb Sebastian Ramacher:
Source: apr-util
Version: 1.6.3-1.1
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in
the past)
X-Debbugs-Cc: sramac...@debian.org
https
Am 13.03.24 um 22:32 schrieb Sebastian Ramacher:
Source: apr-util
Version: 1.6.3-1.1
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)
X-Debbugs-Cc: sramac...@debian.org
Hi,
Am 30.11.23 um 09:05 schrieb Peter Krefting:
we are experiencing that the Apache httpd locks up, filling the
error.log with errors after the nightly maintenance (not every night,
though):
[Wed Nov 29 00:00:01.922731 2023] [mpm_event:notice] [pid 62346:tid
139841215223680] AH00489:
It seems a large transition will be needed for 64bit time_t, anyway. And
glibc enforces _FILE_OFFSET_BITS=64 if _TIME_BITS=64 is set. apr should
do both transitions at the same time.
It seems there won't be a transition for i386 but the whole point of
i386 is running old binaries.
Hi Helge,
Am 10.02.23 um 17:24 schrieb Helge Deller:
On 32-bit platforms it's necessary to compile programs and libraries
with Large File Support (LFS) in order to allow them to function
correctly on
filesystems with > 2GB or 4GB size.
This can be solved by adding "-D_LARGEFILE_SOURCE
Package: apache2
Version: 2.4.55-1
Severity: important
It seems db5.3 will go away sooner or later [1], probably after the
bookworm release. Apache httpd supports using auth/authz data from DBM
files with mod_authn_dbm/mod_authz_dbm [2,3] and in a bunch of other
places, at least mod_authn_socache
Hi,
Am 21.08.22 um 21:59 schrieb наб:
The installed make-ssl-cert depends on bash,
but doesn't really need to.
I am sorry, but I don't see any advantage here in switching away from
bash. The performance advantage of dash over bash is completely
irrelevant in make-ssl-cert, and bash is
I won't be able to deal with this for at least 1-2 weeks. It would be
nice if someone could look at it and downgrade or NMU+unblock.
Am 06.06.21 um 13:14 schrieb Stefan Bühler:
Hi,
On Mon, 10 May 2021 11:09:58 +0200 Parodper wrote:
Package: ssl-cert
Version: 1.1.0
Severity: grave
Tags:
Am 18.04.21 um 17:10 schrieb MichaIng:
Hence I believe that this module dependency might come from some
previous use of setenvif directives in the default mod_ssl config, which
have been removed meanwhile, rendering this dependency as obsolete.
I'm not sure how those dependencies are defined
Am 27.12.20 um 12:24 schrieb David W:
I think a perfectly valid fix would be to document (in the changelog or
elsewhere) that this hard requirement was added, in particular because
(IIUC) using getrandom() instead of one of the other codepaths is the
choice of the package maintainer. (I.e.
reassign 978045 libapr1
found 978045 1.7.0-1
thanks
Am 25.12.20 um 03:18 schrieb David W:
You can see that the associated call/failure is happening inside APR
here, on
line 216:
https://svn.apache.org/viewvc/apr/apr/trunk/misc/unix/rand.c?revision=1832691=markup#l216
notforwarded 489625
thanks
Am 29.08.20 um 11:20 schrieb Stefan Fritsch:
According to the changelog, apr 1.7 adds all the --tag parameters to the
libtool invocations. Maybe this allows this to be fixed.
This is not enough. There are many projects that use apr that don't pass
the --tag
According to the changelog, apr 1.7 adds all the --tag parameters to the
libtool invocations. Maybe this allows this to be fixed. But I won't
change that in the -1 upload because I want the python builddep fix to
make it to testing without problems.
reassign 936034 libapache2-mod-svn
found 936034 1.9.0-1
fixed 1.10.4-1
affects 936034 apache2
thanks
DSA-4509-1 for apache2 caused a regression with libapache2-mod-svn that
needs a fix in subversion. In agreement with the security team, I will
upload a fix for this to security.debian.org
Sorry for the late response.
This is unfortunately a bug in subversion that is now triggered by the
new http2 module. The fix is here
http://svn.apache.org/viewvc?view=revision=1845204 .
I will have to ask how this can be fixed, by DSA or by stable point release.
Am 29.08.19 um 11:55 schrieb
Thank you very much for the testing.
On Fri, 14 Jun 2019, Jean-Louis Dupond wrote:
> We had the test2 version running for some days on a machine.
> But we noticed a quite important issue with it.
>
> The configuration has a lot of SSL certificates.
> Now when doing a lot of sequential requests,
On Monday, 29 April 2019 13:22:56 CEST Olaf Zaplinski wrote:
> I have set
> SSLCipherSuite "-ALL ECDHE-ECDSA-CHACHA20-POLY1305
> ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384" in
> mods-enabled/ssl.conf
>
> SSLProtocol is not defined anywhere. SSLCipherSuite is only defined here.
>
>
Hi,
On Tue, Mar 19, 2019 at 05:18:49PM +0100, Thomas Knaller wrote:
> Therefore I edited /etc/apache2/mods-enabled/ssl.conf so that it
> states "SSLProtocol TLSv1.2", which should disable all SSLProtocols
> except for TLS1.2, but TLS1.0 und TLS1.1 are still active, as seen
> with nmap:
>
> #
forwarded 489625 https://bz.apache.org/bugzilla/show_bug.cgi?id=62640
thanks
https://bz.apache.org/bugzilla/show_bug.cgi?id=62640 has some infos and
a patch
ath safety
+ in server/request.c, server/util.c.
+- debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
+ server/util.c.
+- CVE-2019-0220
+
+ [ Stefan Fritsch ]
+ * Pull security fixes from 2.4.39 via Ubuntu
+ * CVE-2019-0197: mod_http2: Fix possible crash on late upgr
On Friday, 1 February 2019 03:49:22 CEST Nye Liu wrote:
> Package: apache2
> Version: 2.4.38-1
> Followup-For: Bug #913823
>
> Workaround in /etc/apache2/mods-available/dav.load:
>
>
> LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so
>
>
> Alternately just make dav_fs not depend
serverity 926400 grave
thanks
On Thu, Apr 04, 2019 at 03:00:19PM +0200, csta...@digitus.itk.ppke.hu wrote:
> AH00526: Syntax error on line 19 of /etc/apache2/sites-enabled/mydomain.conf:
> Can't load driver file apr_dbd_mysql.so
> Action 'start' failed.
> In this current form this might be
Hi,
On Tuesday, 2 April 2019 22:21:31 CEST Xavier wrote:
> New Apache 2.4.39 fixes many bugs (including 5 CVEs [1]) with only 2
> minor new features. Do you think it is a good idea to upgrade Apache
> version in Buster or do you prefer a 2.4.38 with 2.4.39 fixes (means
> 2.4.39 without ~2
On Monday, 11 March 2019 09:35:45 CET Sven Hartge wrote:
> This breaks quite fast, resulting in apache2 processes at 100% CPU, doing
> nothing but:
Thanks for the quick feed-back.
Second try with different approach is at
Hi,
I am not comfortable with switching to mpm_worker, either, since this would be
a significant behavior change.
I have however tried a backport of the patch referenced in the upstream bug
report and put a build here:
On Tuesday, 12 February 2019 16:45:34 CET Philip Iezzi wrote:
> Hi Stefan,
>
> Confirming again that your patch from Feb 4th fixed the issue. I've got now
> positive feedback from my customers and have upgraded all HTTPS-sites back
> to HTTP/2. Will this patch make it into Debian Stretch?
>
>
On Tuesday, 12 February 2019 17:44:39 CET Gedalya wrote:
> On 2/13/19 12:38 AM, Jan Wagner wrote:
> > backports is not meant for fixing things. beside that it would require
> > all rebuilding most of the additional apache modules not shiped by the
> > apache2 source package.
>
> So we're back to
Between 2.4.25 and the fix for this issue, there were some intrusive
changes in mpm_evnt. If we did a backport, rhe risk of introducing
regressions would be quite high. Therefore, and because the next Debian
stable release is quite near, I don't think it makes sense to backport the
fix.
On Thursday, 31 January 2019 19:16:06 CET Andreas Hasenack wrote:
> Package: apache2
> Version: 2.4.38-1
> Severity: normal
>
> Dear Maintainer,
>
> The updated 2.4.38-1 package for apache2 triggered a DEP8 test failure:
>
> https://ci.debian.net/packages/a/apache2/unstable/amd64/
>
> >From
Hi Philip,
sorry for the late respone, I have been quite busy with other things.
I could find no indication that any other upstream release has the same bug.
Therefore I hope that adding more fixes from upstream versions up to the
version from where I took the security fixes (2.4.34 and
Hi Philip,
On Friday, 14 December 2018 22:49:13 CET Philip Iezzi wrote:
> But the patch from bee2facd9343beda10677b139cd9b2e49e986f01
> (https://salsa.debian.org/apache-team/apache2/commit/bee2facd9343beda10677b
> 139cd9b2e49e986f01) was already applied to latest apache2 package in Debian
> 9.6
reassign 914297 systemd
affects 914297 apache2
thanks
On Saturday, 15 December 2018 02:24:54 CET Alexander E. Patrakov wrote:
> Stefan Fritsch :
> > The rng should be initialized after the seed is loaded from disk.
>
> This is false according to systemd developers. Its s
On Friday, 14 December 2018 12:43:29 CET Adrian Bunk wrote:
> On Sun, Nov 25, 2018 at 11:35:37PM +0100, Stefan Fritsch wrote:
> >...
> >
> > I don't see why it should take so
> > long for the random number generator to initialize.
> >
> >...
>
>
On Friday, 30 November 2018 15:54:07 CET Andreas Ziegler wrote:
> Package: apache2
> Version: 2.4.25-3+deb9u6
>
> When i load a picture using safari from an apache webserver with HTTP/2
> enabled and repeat that multiple times in a row (F5),
> at least each 3rd request fails with
> "Failed to
How long is the timeout after which it is killed? What is the status of
systemd-random-seed.service in that case? I don't see why it should take so
long for the random number generator to initialize. But maybe apache2 needs to
add a dependency.
Please provide the output of
journalctl -b
On Sunday, 25 November 2018 19:07:56 CET Bernhard Übelacker wrote:
> Dear Maintainer,
> tried to find out the actual location that the backtrace points to.
>
> Unfortunately I could not make any clue out of the line
> containing /usr/sbin/apache2(+0x29e450).
>
> But at least, I think, the line
On Sunday, 4 November 2018 18:36:19 CET Thorsten Glaser wrote:
> This is a real WTF. I found https://serverfault.com/a/892300/189656
> and thought “hey, Apache 2 still documents SSLCertificateChainFile,
> plus it’s the proper way to specify the chain given it’s normally
> separate from the
On Monday, 29 October 2018 20:31:54 CET Thorsten Glaser wrote:
> tglase@tglase:~ $ cat /var/log/apache2/error.log
> [Mon Oct 29 20:18:58.090841 2018] [ssl:emerg] [pid 17306] AH01903: Failed to
> configure CA certificate chain!
> [Mon Oct 29 20:18:58.090919 2018] [ssl:emerg] [pid 17306] AH02311:
Package: wnpp
Severity: normal
I am looking for new maintainers for the Apache httpd server (the
apache2 package).
The apache2 package has a relatively complex packaging and config file
handling. There are also a lot of third-party module packages in Debian.
Therefore, some experience with using
retitle 902657 graceful/restart results in segfault if libcap-ng0 is loaded
severity 902657 important
block 902657 by 904808
thanks
The problem is caused by libcap-ng0 0.7.9 . This is usually pulled in by php
extensions. There is nothing apache can do.
Unfortunately, downgrading to 0.7.7 from
Package: libcap-ng0
Version: 0.7.9-1
Severity: grave
Justification: renders package unusable
Hi,
apache httpd loads and unloads modules during a reload of the server
configuration. This causes the pthread_atfork entry that is installed by
libcap-ng0 to point to code that is no longer in the
Hi Ondřej,
On Wednesday, 25 July 2018 14:50:43 CEST Ondřej Surý wrote:
> while updating apache2 to 2.4.34, I found out (or rather users found out)
> that lbmethod_bybusyness module now require symbols from mod_proxy.
>
> Unfortunately, because the modules are loaded in alphabetical order, this
On Tuesday, 17 July 2018 21:12:48 CEST gregor herrmann wrote:
> On Tue, 17 Jul 2018 20:54:02 +0200, Stefan Fritsch wrote:
> > Can one of you please check how libcap-ng is pulled into the process.
> > Something like this should do the trick (replace XXX with the pid of one
> &g
On Friday, 29 June 2018 10:35:32 CEST mer.at wrote:
> when i do an "apachectl graceful" or "apachectl restart", i get
> segfaults.
I don't think this is a bug in apache, at least not directly.
> if i then do a /etc/init.d/apache2 restart, it works normally
> /etc/init.d/apache2 restart and
On Tuesday, 17 July 2018 09:50:08 CEST Thomas Mühlberg wrote:
> Package: apache2 apache2-bin apache2-data apache2-utils
> Version: 2.4.25-3+deb9u5
>
> After upgrade from version 2.4.25-3+deb9u4 to 2.4.25-3+deb9u5 the Apache
> processes are limited to 1000.
> After rollback to version
On Friday, 13 July 2018 19:33:24 CEST marcelo wrote:
> The mod_md not works in the last version in apache, i understood the mod_md
> now is part of apache, but the mod_md not work, because missing archives,
> for example the archive mod_md.so, i believe the solution is the same apply
> in
On Sunday, 24 June 2018 19:00:22 CEST Adam D. Barratt wrote:
> On Sat, 2018-06-02 at 10:29 +0200, Stefan Fritsch wrote:
> > +apache2 (2.4.25-3+deb9u5) stretch; urgency=medium
> > +
> > + * This package upgrades mod_http2 to the version from apache2
> > 2.4.33. This
&
On Thursday, 10 May 2018 00:21:44 CEST 積丹尼 Dan Jacobson wrote:
> Package: apache2-bin
> Version: 2.4.33-3
>
> Please Depend on libcurl3 | libcurl4,
> else we cannot upgrade our system.
The dependency is generated automatically depending on which version of
libcurl is used during compilation.
Hi,
On Sunday, 13 May 2018 19:15:22 CEST Stefan Fritsch wrote:
> On Tuesday, 3 April 2018 14:07:33 CEST Stefan Fritsch wrote:
> > I would like to do an upgrade of apache2 in stretch that upgrades the
> > complete mod_http2 and mod_proxy_http2 modules from the versions
Hi,
On Tuesday, 3 April 2018 14:07:33 CEST Stefan Fritsch wrote:
> I would like to do an upgrade of apache2 in stretch that upgrades the
> complete mod_http2 and mod_proxy_http2 modules from the versions from
> 2.4.25 to the versions from 2.4.33.
>
> The reason is that the fix fo
Package: apache2
Version: 2.4.25-3+deb9u4
Severity: normal
While /etc/init.d/apache-htcacheclean contains this comment
# Default values. Edit /etc/default/apache-htcacheclean$DIR_SUFFIX to
# change these
it does not actually read that file. This has been fixed in sid in
2.4.27-4 .
The package repositories have been migrated from alioth to salsa:
https://salsa.debian.org/apache-team/
Cheer,
Stefan
On Sunday, 15 April 2018 21:50:57 CEST Jan Heitkötter wrote:
> The hooks in Let’s Encrypt’s conffile say “apachectl -k”; the manpage
> does not explain this option. Omitting -k makes things work:
options unknown to apachectl are passed to apache2 and apache2 -k start tells
apache2 to do a normal
On Monday, 16 April 2018 21:51:36 CEST Stefan Fritsch wrote:
> So tmpreaper should exclude systemd-private-* files by default. Moritz, do
> you also have some cron job cleaning up stale files in /tmp ?
tmpreaper needs to exclude dirs inside the systemd-private-* dir, too (there
is a t
On Monday, 16 April 2018 20:34:00 CEST Matthew Gabeler-Lee wrote:
> On Sat, 14 Apr 2018, Stefan Fritsch wrote:
> > This seems to be a systemd bug. Changing PrivateTmp from true to false in
> > apache2.service fixes the issue. But even with PrivateTmp it works for
> >
Dear libapache2-mod-proxy-uwsgi maintainers,
mod-proxy-uwsgi has been donated to the ASF and since version 2.4.33, it is
included in apache2. Now, as uwsgi builds a bunch of other packages, the
question is from which source package should the libapache2-mod-proxy-uwsgi
transitional package be
On Thursday, 12 April 2018 11:56:04 CEST Axel Beckert wrote:
> Jan Heitkötter wrote:
> > Default behaviour is do stop/start Apache using apachectl which fails in
> > installations running systemd. Apache will stop, but not start again.
Using apachectl stop / start / restart works fine for me with
On Fri, 9 Mar 2018, Moritz Muehlenhoff wrote:
> On Tue, Nov 14, 2017 at 02:46:00PM +, Matthew Gabeler-Lee wrote:
> > Package: apache2
> > Version: 2.4.25-3+deb9u3
> > Severity: normal
> >
> > When running inside a libvirt-managed lxc os container, the reload command
> > on the systemd unit
Hi Dan,
On Wed, 4 Apr 2018, Dan Benton wrote:
> Package: apache2
> Version: 2.4.10-10+deb8u12
> Severity: normal
Is this a new issue with version 2.4.10-10+deb8u12 (from the security
update a few days ago) or have you also observed it with the previous
version 2.4.10-10+deb8u11?
Cheers,
org>
Changed-By: Stefan Fritsch <s...@debian.org>
Description:
apache2- Apache HTTP Server
apache2-bin - Apache HTTP Server (modules and other binary files)
apache2-data - Apache HTTP Server (common files)
apache2-dbg - Apache debugging symbols
apache2-dev - Apache HTTP Server
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Hi,
I would like to do an upgrade of apache2 in stretch that upgrades the
complete mod_http2 and mod_proxy_http2 modules from the versions from
2.4.25 to the versions from 2.4.33.
all
Version: 2.4.33-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <s...@debian.org>
Description:
apache2- Apache HTTP Server
apache2-bin - Apache HTTP Server (modules and other binary fil
On Friday, 2 February 2018 23:32:35 CET Gianfranco Costamagna wrote:
> Hello, before uploading new gdbm in unstable, I tested all the
> reverse-dependencies, except for the packages that were already broken/not
> building.
>
> This sounds to be the case for this one, and now I don't know how to
amd64
Version: 1.6.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <s...@debian.org>
Description:
libaprutil1 - Apache Portable Runtime Utility Library
libaprutil1-dbd-mysql - Apache Port
Hi Ben,
On Wednesday, 27 December 2017 11:26:14 CET Ben RUBSON wrote:
> Could it be possible to backport the following very useful (and therefore
> tiny) patch to Apache in Debian Stretch please ?
> https://svn.apache.org/viewvc?view=revision=1807707
I am sorry, but we don't backport new
Hi Matthew,
I don't know libvirt lxc containers at all, but ...
On Tue, 14 Nov 2017, Matthew Gabeler-Lee wrote:
> Nov 14 14:38:33 hostname systemd[1]: Reloading The Apache HTTP Server.
> Nov 14 14:38:33 hostname systemd[11798]: apache2.service: Failed at step
> NAMESPACE spawning
Hi Markus,
On Friday, 3 November 2017 22:40:02 CET Markus Koschany wrote:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of apr and apr-util:
> https://security-tracker.debian.org/tracker/source-package/apr
>
On Wednesday, 4 October 2017 20:41:38 CEST Tiger!P wrote:
> I tried to add a file /etc/systemd/system/apache2.service.d/after.conf
> with the following content:
> 8<
> [Unit]
> Wants=network-online.target
> After=network.target remote-fs.target nss-lookup.target
> network-online.target
>
Hi Mattias,
I have just uploaded apache2 2.4.27-5 which links to openssl 1.1 to unstable.
You should do the same for your canl-c and gridsite updates.
Cheers,
Stefan
On Fri, 4 Aug 2017, John Paul Adrian Glaubitz wrote:
> > Not sure if m68k is alive anymore. The build log urls are not reachable
> > anymore this bug report is no longer useful. Closing.
>
> Well, maybe you should just ask people instead of just closing bug
> reports without further notice?
>
>
Hi Andrew,
On Fri, 4 Aug 2017, Andrew Murphy wrote:
>
> Please add mod_brotli
>
> Note: Originally I raised an Ubuntu bug, but they said raise it upstream
> with you. But I couldn't find a 'new bug' button on debian apache2 package.
The debian bts is email based (unless you use the reportbug
Is there anything relevant in the log files?
In the apache error log?
In the output of "journalctl -u apache2.service"?
For the upgrades, if you still know the date, look into /var/log/apt/term.log*
Cheers,
Stefan
Hi Antoine,
On Wednesday, 19 July 2017 15:45:20 CEST Antoine Beaupre wrote:
> As I mentioned in the #858373 bug report, I started looking at fixing
> the regression introduced by the 2.2.22-13+deb7u8 upload, part of
> DLA-841-1. The problem occurs when a CGI(d) ErrorDocument is configured
> to
On Monday, 17 July 2017 16:57:00 CEST Roberto C. Sánchez wrote:
> I did the deb7u9 update of apache2 and I was not aware of the regression
> either. I wonder if it makes sense for bugs above a certain severity
> affecting versions of a package which are security uploads to show up in
> the
Hi Raphael,
On Saturday, 15 July 2017 11:52:49 CEST Raphael Hertzog wrote:
> Hello Stefan,
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of apache2:
> https://security-tracker.debian.org/tracker/CVE-2017-9788
>
> Would you like to
reopen 851094
found 851094 2.4.27-2
thanks
Hi Valentin,
Thanks for the report.
On Friday, 7 July 2017 14:30:59 CEST Valentin Vidic wrote:
> Stopping or restaring apache2 produces an error in kernel log:
>
> # systemctl apache2 stop
>
> Jul 7 14:13:52 stretch kernel: [ 5393.547573] apache2[7588]: segfault at
> 7f7e1113b7a0 ip
Hi Raphael,
On Tuesday, 20 June 2017 16:38:12 CEST Raphael Hertzog wrote:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of apache2:
> https://security-tracker.debian.org/tracker/CVE-2017-3167
>
On Monday, 13 March 2017 08:07:01 CET Sergio Gelato wrote:
> Now that apache2 includes a native systemd unit, it may be prudent to stop
> assuming that /etc/init.d/apache2 exists. (It's still distributed as part
> of the package, but since it's a configuration file system administrators
> are free
On Thursday, 2 March 2017 16:15:45 CET Thorsten Glaser wrote:
> Apache 2 does not send *any* Content-Type header for plaintext files
> any more,
With "any more", do you mean that this is a regression, i.e. did it work in an
earlier version? If yes, which version?
On Friday, 3 March 2017
Hi,
On Thursday, 23 February 2017 19:14:59 CET Jonas Meurer wrote:
> All right, then we should go for the update. Antoine, do you take care
> of it?
Great work and sorry that I did not have time to help you more.
In case it helps: For stable, I have suggested this text for the DSA to the
On Monday, 20 February 2017 15:27:23 CET Antoine Beaupré wrote:
> > Probably a good idea is to put the packages somewhere and ask for testers
> > on secur...@lists.debian.org.
>
> security@lists.d.o is not a list, as far as i know. there's
> debian-security@lists.d.o, but I never posted there...
anuary 2017 17:03:55 CET Antoine Beaupré wrote:
> On 2017-01-23 15:14:30, Antoine Beaupré wrote:
> > On 2017-01-22 11:25:08, Stefan Fritsch wrote:
> >> Test Summary Report
> >> ---
> >> t/apache/chunkinput.t (Wstat: 0 Tes
tags 851357 wontfix
thanks
Upstream does not intend to change this behavior. See the thread starting at
http://mail-archives.apache.org/mod_mbox/httpd-dev/201702.mbox/
%3C20170202125319.GA15948%40redhat.com%3E
I won't deviate from upstream in the Debian 9 squeeze release, but I will
allow
On Thursday, 2 February 2017 18:56:38 CET Julian Gilbey wrote:
> [Thu Feb 02 18:14:44.630796 2017] [core:notice] [pid 3650] AH00052: child
> pid 3696 exit signal Aborted (6)
Please follow the instructions in /usr/share/doc/apache2/README.backtrace and
add a backtrace to this report. Thanks.
On Thursday, 19 January 2017 20:47:15 CET Stefan Fritsch wrote:
> On Tuesday, 17 January 2017 11:59:17 CET Antoine Beaupré wrote:
> > I would need people to start testing the package at this point, not
> > necessarily in production considering how big the change is, but your
&g
On Tuesday, 17 January 2017 11:59:17 CET Antoine Beaupré wrote:
> I would need people to start testing the package at this point, not
> necessarily in production considering how big the change is, but your
> comfort level will vary with the severity and complexity of services. :)
There is a
reassign 850885 dwww
severity 850885 grave
tags 850885 patch
thanks
On Thursday, 12 January 2017 06:50:16 CET Arjan Opmeer wrote:
> > is correct however, here's the HTTP header part:
> > Content-type: text/html
> > Last modified: Tue Dec 13 14:16:35 2016
> > Content-Disposition:
On Saturday, 14 January 2017 19:36:34 CET Ondřej Surý wrote:
> Stefan,
>
> JFTR underscores in domain names are allowed, just not for hostnames. SRV,
> TLSA and other RRs make use of them.
But the character restriction for hostnames is valid for all parts of the FQDN
of a host. From RFC1035
On Saturday, 14 January 2017 12:19:17 CET Jonathan Vollebregt wrote:
> Does this mean it's now impossible to create virtual hosts in apache for
> domain names with underscores?
>
> Unless they've silently added a DomainName directive somewhere this
> change breaks virtual hosts with
On Saturday, 14 January 2017 12:33:55 CET Jonathan Vollebregt wrote:
> Actually that makes another point: according to RFC952 hostnames are
> allowed only a single period:
>
> http://www.ietf.org/rfc/rfc952.txt
>
> > ::= *["."]
> >::= [*[]]
>
> Unless this was updated in another
Hi Ola,
On Friday, 23 December 2016 23:56:45 CET Ola Lundqvist wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of apache2:
> https://security-tracker.debian.org/tracker/CVE-2016-8743
>
> Would you like to take care of this
On Friday, 23 December 2016 18:56:54 CET Niko Tyni wrote:
> This passage in RFC 7230, section 9.4., seems relevant:
>
>A more effective mitigation is to prevent anything other than the
>server's core protocol libraries from sending a CR or LF within the
>header section, which means
On Monday, 5 December 2016 21:13:04 CET Salvatore Bonaccorso wrote:
> CVE-2016-8740 was announced for apache, CVE-2016-8740, Server memory
> can be exhausted and service denied when HTTP/2 is used.
There are a few more security issues fixed in the pending 2.4.24 release. I
will wait a bit more
On Friday, 2 December 2016 00:16:24 CET Sebastian Andrzej Siewior wrote:
> is there a reason for gridsite not to go for 3.0 (or backport the
> change) and libssl-dev? Apache stays 1.0 but does not expose anything
> SSL related (unless I read #828236 too quick).
(assuming you meant 1.1 instead of
On Monday, 14 November 2016 05:03:45 CET Ondřej Surý wrote:
> > Looking at mod_ssl_openssl.h and the comment in #828330,
> > I'd suggest the change below to add a dependency on libssl1.0-dev
> > to apache2-dev.
>
> And that exactly happens meaning that PHP 7.0 can no longer be built
> unless all
On Saturday, 19 November 2016 18:06:44 CET Peter Colberg wrote:
> On Sat, Nov 19, 2016 at 11:58:41PM +0100, Stefan Fritsch wrote:
> > I will move the libssl-dev dependency to a new mod_ssl dev package. That
> > should avoid this issue without having to modify loads of other packag
On Saturday, 19 November 2016 12:39:18 CET Peter Colberg wrote:
> apache2-dev was changed to depend on libssl1.0-dev | libssl-dev (<< 1.1)
> recently (#844160), which has caused a FTBFS in cgit that depends on
> libssl-dev without a version constraint.
>
> I would rather not constrain cgit’s
1 - 100 of 748 matches
Mail list logo