[Bug 1770242] Re: Please merge from debian 2.4.33
This bug was fixed in the package apache2 - 2.4.33-3ubuntu2

---
apache2 (2.4.33-3ubuntu2) cosmic; urgency=medium

  * d/control, d/rules: Don't build libapache2-mod-proxy-uwsgi and
    libapache2-mod-md until we figure out their transitions.
    libapache2-mod-md in particular is problematic because that makes
    apache2-bin pull in libcurl4 which cannot be coinstalled with libcurl3.
    That situation breaks the installation of libapache2-mod-shib2. See
    https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
    for details.
    - Don't ship md.load and remove build-requires that were added because
      of mod-md (see
      https://salsa.debian.org/apache-team/apache2/commit/b9d37f2a96da2fd69bf)
    - Remove proxy_uwsgi.load as we are not building it for now (see
      https://salsa.debian.org/apache-team/apache2/commit/4e3168562d75ce398b9)

apache2 (2.4.33-3ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable (LP: #1770242). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
  * Drop:
    - SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
      + debian/patches/CVE-2017-15710.patch: fix language long names
        detection as short name in modules/aaa/mod_authnz_ldap.c.
      + CVE-2017-15710
    - SECURITY UPDATE: incorrect matching
      + debian/patches/CVE-2017-15715.patch: allow to configure
        global/default options for regexes, like caseless matching or
        extended format in include/ap_regex.h, server/core.c,
        server/util_pcre.c.
      + CVE-2017-15715
    - SECURITY UPDATE: mod_session header manipulation
      + debian/patches/CVE-2018-1283.patch: strip Session header when
        SessionEnv is on in modules/session/mod_session.c.
      + CVE-2018-1283
    - SECURITY UPDATE: DoS via specially-crafted request
      + debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
        terminated on any error, not only on buffer full in
        server/protocol.c.
      + CVE-2018-1301
    - SECURITY UPDATE: mod_cache_socache DoS
      + debian/patches/CVE-2018-1303.patch: fix caching of empty headers
        up to carriage return in modules/cache/mod_cache_socache.c.
      + CVE-2018-1303
    - SECURITY UPDATE: insecure nonce generation
      + debian/patches/CVE-2018-1312.patch: actually use the secret when
        generating nonces in modules/aaa/mod_auth_digest.c.
      + CVE-2018-1312
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allow a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.
      [type=Forking already in the base systemd service file, and
      RemainsAfterExit=no is the default value, so no need to customize
      these anymore.]
    - Avoid crashes, hangs and loops by fixing mod_ldap locking:
      (LP #1752683)
      + added debian/patches/util_ldap_cache_lock_fix.patch
      [Already applied upstream]

apache2 (2.4.33-3) unstable; urgency=medium

  * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
    Closes: #894785
  * mod_http2: Avoid high memory usage with large files, causing crashes
    on 32bit archs. Closes: #897218
  * Migrate from alioth to salsa.

apache2 (2.4.33-2) unstable; urgency=medium

  * Add Replaces: and transitional packages for
    libapache2-mod-proxy-uwsgi and libapache2-mod-md.
    Closes: #894760, #894761, #894785

apache2 (2.4.33-1) unstable; urgency=medium

  * New upstream version. Security fixes:
    - CVE-2017-15710 Out of bound write in mod_authnz_ldap with
      AuthLDAPCharsetConfig enabled
    - CVE-2018-1283 mod_session: CGI-like applications that intend to read
      from mod_session's 'SessionEnv ON' could be fooled into reading
      user-supplied data instead.
    - CVE-2018-1303 mod_cache_socache: Fix request headers parsing to
      avoid a possible crash with specially crafted input data.
    - CVE-2018-1301 core: Possible crash with excessively long HTTP
      request headers. Impractical to exploit with a production build and
      production LogLevel.
    - CVE-2017-15715 core: Configure the regular expression engine to
      match '$' to the end of the input string only, excluding matching
      the end of
[Bug 1770242] Re: Please merge from debian 2.4.33
Even in current cosmic this doesn't work:

  # apt install apache2 libapache2-mod-shib2 libapache2-mod-md

It's because it tries to pull in libcurl3, and that removes curl libcurl4 pollinate ubuntu-server.

So to install shib2 and mod-md in cosmic, *before* this upload of 2.4.33, one has to:

  root@cosmic-apache-fix-migration:~# apt install apache2 libapache2-mod-shib2 libapache2-mod-md libcurl3
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following package was automatically installed and is no longer required:
    libfreetype6
  Use 'apt autoremove' to remove it.
  The following additional packages will be installed:
    apache2-bin apache2-data apache2-utils libapr1 libaprutil1
    libaprutil1-dbd-sqlite3 libaprutil1-ldap libfcgi-bin libfcgi0ldbl
    libjansson4 liblog4shib1v5 libltdl7 liblua5.2-0 libmemcached11 libodbc1
    libsaml9 libshibsp-plugins libshibsp7 libxerces-c3.2
    libxml-security-c17v5 libxmltooling7 opensaml2-schemas
    shibboleth-sp2-common shibboleth-sp2-utils ssl-cert xmltooling-schemas
  Suggested packages:
    www-browser apache2-doc apache2-suexec-pristine | apache2-suexec-custom
    libmyodbc odbc-postgresql tdsodbc unixodbc-bin openssl-blacklist
  The following packages will be REMOVED:
    curl libcurl4 pollinate ubuntu-server
  The following NEW packages will be installed:
    apache2 apache2-bin apache2-data apache2-utils libapache2-mod-md
    libapache2-mod-shib2 libapr1 libaprutil1 libaprutil1-dbd-sqlite3
    libaprutil1-ldap libcurl3 libfcgi-bin libfcgi0ldbl libjansson4
    liblog4shib1v5 libltdl7 liblua5.2-0 libmemcached11 libodbc1 libsaml9
    libshibsp-plugins libshibsp7 libxerces-c3.2 libxml-security-c17v5
    libxmltooling7 opensaml2-schemas shibboleth-sp2-common
    shibboleth-sp2-utils ssl-cert xmltooling-schemas
  0 upgraded, 30 newly installed, 4 to remove and 0 not upgraded.
  Need to get 6356 kB of archives.
  After this operation, 33.0 MB of additional disk space will be used.
  Do you want to continue? [Y/n]

Emphasis on the REMOVED bits:

  The following packages will be REMOVED:
    curl libcurl4 pollinate ubuntu-server

--
You received this bug notification because you are a member of Ubuntu Server, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1770242

Title:
  Please merge from debian 2.4.33

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1770242] Re: Please merge from debian 2.4.33
I'm dropping this because of a complicated chain of dependencies in the archive. It's even hard to explain, but let's try, so that others who stumble across this will have some context.

From excuses:

  trying: apache2
  skipped: apache2 (0, 56, 7)
      got: 15+0: a-8:a-1:a-1:i-1:p-3:s-1
      * ppc64el: libapache2-mod-proxy-uwsgi-dbg, libapache2-mod-shib2

IRC discussion started here: https://irclogs.ubuntu.com/2018/05/16/%23ubuntu-release.html#t16:45

Highlight:

  ahasenack: in cosmic, libapache2-mod-shib2 is installable (though not coinstallable with other things)
  ahasenack: in cosmic-proposed, it is not installable because apache2-bin now depends on libcurl4 where it did not previously

So apache2-bin now ships a new module called mod-md (https://httpd.apache.org/docs/2.4/mod/mod_md.html). This module we (and Debian) have been carrying in the archive as its own source. In the apache build it links with libcurl4, which is fine and good. But it does add a libcurl4 dependency to apache2-bin which wasn't there before.

Cue in libapache2-mod-shib2, from the shibboleth-sp2 source. It requires libxmltooling7, which in the archive is built with libcurl-openssl1.0-dev that is provided by a special curl3 source linked with openssl 1.0. That brings in libcurl3, which cannot be coinstalled with libcurl4.

The curl package is a bit weird, because even though it's called libcurl3, it does not ship libcurl3:

  $ apt-file search libcurl.so.
  libcurl3: /usr/lib/x86_64-linux-gnu/libcurl.so.4
  libcurl3: /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0
  libcurl4: /usr/lib/x86_64-linux-gnu/libcurl.so.4
  libcurl4: /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0

And we have explicit conflicts between libcurl3 and libcurl4.

I don't know how to solve this, so I'm unassigning myself from the bug.
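The dependency chain described in the message above, as an added example that is not part of the original thread or of any Ubuntu tooling: a simplified Python model that walks each requested package's dependencies and reports the chains that end in mutually conflicting packages. The package relationships are the ones stated in the thread (versions and "a | b" alternatives are ignored); the function names are hypothetical.

```python
from collections import deque

# Simplified model of the relationships described in the thread (constructed
# for illustration; not real Packages-file data).
DEPENDS = {
    "apache2": ["apache2-bin"],
    "apache2-bin": ["libcurl4"],            # new in cosmic-proposed, via mod_md
    "libapache2-mod-shib2": ["libxmltooling7"],
    "libxmltooling7": ["libcurl3"],         # built with libcurl-openssl1.0-dev
}
CONFLICTS = {"libcurl3": ["libcurl4"], "libcurl4": ["libcurl3"]}


def closure(roots, depends):
    """Return {package: dependency chain from a root} for everything pulled in."""
    paths = {root: [root] for root in roots}
    queue = deque(roots)
    while queue:
        pkg = queue.popleft()
        for dep in depends.get(pkg, []):
            if dep not in paths:            # keep the first (shortest) chain
                paths[dep] = paths[pkg] + [dep]
                queue.append(dep)
    return paths


def coinstall_conflicts(roots, depends=DEPENDS, conflicts=CONFLICTS):
    """List (chain_a, chain_b) pairs whose final packages conflict."""
    paths = closure(roots, depends)
    found = []
    for pkg in sorted(paths):
        for other in conflicts.get(pkg, []):
            if other in paths and pkg < other:   # report each pair once
                found.append((paths[pkg], paths[other]))
    return found


if __name__ == "__main__":
    for a, b in coinstall_conflicts(["apache2", "libapache2-mod-shib2"]):
        print(" -> ".join(a), "conflicts with", " -> ".join(b))
```

Removing the `apache2-bin` to `libcurl4` edge from the model, which is what not building mod-md achieves in 2.4.33-3ubuntu2, makes the same request return no conflicts.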
[Bug 1770242] Re: Please merge from debian 2.4.33
** Changed in: apache2 (Ubuntu)
     Assignee: Andreas Hasenack (ahasenack) => (unassigned)

** Changed in: apache2 (Ubuntu)
       Status: In Progress => New
[Bug 1770242] Re: Please merge from debian 2.4.33
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/345312
[Bug 1770242] Re: Please merge from debian 2.4.33
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/345311