246 lines
11 KiB
Text
246 lines
11 KiB
Text
apache2 (2.4.10-2) unstable; urgency=low
|
|
|
|
The default period for which rotated log files are kept has been
|
|
reduced from one year to 14 days.
|
|
|
|
-- Stefan Fritsch <sf@debian.org> Tue, 23 Sep 2014 22:25:06 +0200
|
|
|
|
apache2 (2.4.1-1) unstable; urgency=low
|
|
|
|
This package introduces a new major release of the Apache HTTP server. It is
|
|
likely the site configuration needs changes to work with this release.
|
|
Notable changes which need special care are:
|
|
|
|
The module interface (ABI) has changed. If you have any locally compiled
|
|
modules, you have to re-compile them for apache2 2.4.
|
|
|
|
The authorization and authentication system has changed. Existing
|
|
configurations using deprecated Order/Allow/Deny directives need to be
|
|
upgraded to the new system. Please review upstream's "Authentication,
|
|
Authorization and Access Control Howto" [1]. There is a new module
|
|
"mod_access_compat", which is supposed to provide backward compatibility,
|
|
but it does not work well in practice.
|
|
|
|
Furthermore, MPMs are simple modules now. Thus, the MPM can be changed
|
|
at any time by (un-)loading a specific module. Be careful when upgrading. An
|
|
example of changing the MPM is given below:
|
|
|
|
a2dismod mpm_worker
|
|
a2enmod mpm_prefork
|
|
|
|
MPM ITK users should be advised, that ITK is not a MPM anymore. Instead, it
|
|
is a simple Apache module, expanding functionality of the prefork MPM. Thus,
|
|
users should switch to the prefork MPM and enable ITK as a module. The
|
|
upgrade scripts ensure this for the upgrade from Debian Wheezy.
|
|
|
|
We did change the security model for Apache in our default configuration. We
|
|
do not allow access to the file system outside /var/www and /usr/share.
|
|
If you are running virtual hosts or scripts outside these directories, you
|
|
need to whitelist them in your configuration to grant access through HTTP.
|
|
Special care must be taken if you are using a sub-directory in /srv to serve
|
|
your content as recommended by the File Hierarchy Standard (FHS). You must
|
|
allow access to your served directory explicity in the corresponding virtual
|
|
host, or by allowing access in apache2.conf as proposed.
|
|
|
|
Along the security model, we did also change the default Document Root, files
|
|
are served from. Previous releases served /var/www by default when no other
|
|
virtual host matched the request. Starting with this release, we changed the
|
|
default document root to /var/www/html, so that sensitive files from other
|
|
virtual hosts wich are typically put into some directory below /var/www are
|
|
not exposed by the default virtual host. This change further improves the out
|
|
of box security.
|
|
|
|
Moreover, the configuration mechanism in Debian has changed. All
|
|
configurations in sites-enabled and conf-enabled need a ".conf" suffix now.
|
|
The latter replaces the deprecated /etc/apache2/conf.d/ directory (which is
|
|
not supported any more) and works just like {sites,mods}-{available,enabled}
|
|
via the "a2enconf" tool. The upgrade tries to migrate known configuration
|
|
files from /etc/apache2/conf.d/ to /etc/apache2/conf-available/ - please
|
|
review these changes.
|
|
|
|
Note this means all existing sites are ignored until they get a ".conf"
|
|
suffix and are re-enabled by the use of a2ensite. The script in [3] can
|
|
automate that for simple cases. This change also includes Debian default
|
|
sites, so the default site has been renamed to 000-default to avoid naming
|
|
confusions. The rename of the config files to *.conf makes the special
|
|
handling inside apache2 to ignore *.dpkg-* backup files obsolete. This
|
|
special handling has been removed.
|
|
|
|
Users of mod_authn_dbm should switch to htdbm to manage their DBM user
|
|
databases. The pure-perl management utility "dbmmanage" was removed as it was
|
|
outdated and orphaned upstream.
|
|
|
|
Packagers are advised to review whether their packages comply with this
|
|
new version. Please see [2] for detailed documentation and instructions.
|
|
|
|
[1] http://httpd.apache.org/docs/2.4/howto/auth.html
|
|
[2] </usr/share/doc/apache2/PACKAGING>
|
|
[3] </usr/share/doc/apache2/migrate-sites.pl>
|
|
|
|
-- Arno Töll <arno@debian.org> Fri, 23 July 2012 23:50:13 +0200
|
|
|
|
apache2 (2.2.15-4) unstable; urgency=low
|
|
|
|
* Note to people using mod_proxy as forward proxy, i.e. with
|
|
'ProxyRequests on':
|
|
This release disables the configuration in mods-available/proxy.conf
|
|
by default. You should verify that access control for proxy access
|
|
still works as intended. This is especially important if you have
|
|
your forward proxy configuration in a different configuration file
|
|
than proxy.conf.
|
|
|
|
-- Stefan Fritsch <sf@debian.org> Mon, 19 Apr 2010 22:36:57 +0200
|
|
|
|
apache2 (2.2.15-1) unstable; urgency=low
|
|
|
|
* To fix a security vulnerability in the design of the SSL/TLS protocol
|
|
(CVE-2009-3555), the protocol had to be extended (RFC 5746). By default,
|
|
session renegotiation is no longer supported with old clients that do not
|
|
implement this extension. This breaks certain configurations with client
|
|
certificate authentication. If you still need to support old clients, you
|
|
may restore the old (insecure) behaviour by uncommenting the
|
|
|
|
SSLInsecureRenegotiation on
|
|
|
|
line in /etc/apache2/mods-available/ssl.conf
|
|
|
|
* This release adds and enables mod_reqtimeout, which limits the time
|
|
Apache waits for a client to send a complete request. This helps to
|
|
mitigate against certain denial of service attacks. In case of problems
|
|
with slow clients, the timeout values can be adjusted in
|
|
/etc/apache2/mods-available/reqtimeout.conf , or the module can be
|
|
disabled with "a2dismod reqtimeout".
|
|
|
|
-- Stefan Fritsch <sf@debian.org> Sat, 28 Aug 2010 20:49:30 +0100
|
|
|
|
apache2 (2.2.14-6) unstable; urgency=low
|
|
|
|
* Apache now uses the environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR,
|
|
and APACHE_LOG_DIR in the default configuration. If you have modified
|
|
/etc/apache2/envvars, make sure that these variables are set and exported.
|
|
* There is now some support for running multiple instances of Apache on the
|
|
same machine. See the documentation in /usr/share/doc/apache2.2-common for
|
|
details.
|
|
|
|
-- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 13:56:59 +0100
|
|
|
|
apache2 (2.2.13-2) unstable; urgency=high
|
|
|
|
* The new support for TLS Server Name Indication added in 2.2.12 causes
|
|
Apache to be stricter about certain misconfigurations involving name
|
|
based SSL virtual hosts. This may result in Apache refusing to start
|
|
with the logged error message:
|
|
|
|
Server should be SSL-aware but has no certificate configured
|
|
[Hint: SSLCertificateFile]
|
|
|
|
Up to 2.2.11, Apache accepted configurations where the necessary SSL
|
|
configuration statements were included in the first (default)
|
|
<Virtualhost *:443> block but not in subsequent <Virtualhost *:443>
|
|
blocks. Starting with 2.2.12, every VirtualHost block used with SSL must
|
|
contain the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile
|
|
directives (SSLCertificateKeyFile is optional in some cases).
|
|
|
|
When you encounter the above problem, the output of the command
|
|
|
|
egrep -ir '^[^#]*(sslcertificate|sslengine|virtualhost)' \
|
|
/etc/apache2/*conf* /etc/apache2/*enabled
|
|
|
|
may be useful to determine which VirtualHost sections need to be changed.
|
|
|
|
Also, formerly accidentially working constructs like
|
|
|
|
<VirtualHost *:80 *:443>
|
|
|
|
where one virtual host definition is used for both a non-ssl and a ssl
|
|
virtual host do not work anymore. You can achieve a similar effect with
|
|
|
|
<VirtualHost *:80>
|
|
Include /.../vhost.include
|
|
</VirtualHost>
|
|
<VirtualHost *:443>
|
|
SSLEngine on
|
|
SSLCertificateFile ...
|
|
Include /.../vhost.include
|
|
</VirtualHost>
|
|
|
|
-- Stefan Fritsch <sf@debian.org> Wed, 16 Sep 2009 20:14:59 +0200
|
|
|
|
apache2 (2.2.9-3) unstable; urgency=low
|
|
|
|
* The directive "NameVirtualHost *" has been changed to "NameVirtualHost
|
|
*:80". It has also been moved from sites-available/default to ports.conf.
|
|
This allows to ship a proper SSL default virtual host config in
|
|
sites-available/default-ssl, but it means that if you use several name
|
|
based virtual hosts:
|
|
|
|
- you will have to change <VirtualHost *> to <VirtualHost *:80> in your
|
|
name based virtual hosts
|
|
|
|
- you need to add more NameVirtualHost directives if you use other ports
|
|
than 80 with name based virtual hosts. You may also have to add these
|
|
ports to the default virtual host in /etc/apache2/sites-available/default
|
|
(like this: "<VirtualHost *:80 *:81>").
|
|
|
|
If you prefer to revert to the old setup instead (and don't need the
|
|
default-ssl host), just change "NameVirtualHost *:80" back to
|
|
"NameVirtualHost *" in ports.conf and "<VirtualHost *:80>" to
|
|
"<VirtualHost *>" in sites-available/default.
|
|
|
|
* For mod_disk_cache, caching is again disabled in disk_cache.conf by
|
|
default. It usually makes more sense to enable this on a per-virtual host
|
|
basis.
|
|
|
|
-- Stefan Fritsch <sf@debian.org> Mon, 30 Jun 2008 19:47:52 +0200
|
|
|
|
apache2 (2.2.8-5) unstable; urgency=low
|
|
|
|
* The suexec helper program needed for mod_suexec is now shipped in a
|
|
separate package, apache2-suexec, which is not installed by default.
|
|
You need to install this package manually if you are using mod_suexec.
|
|
|
|
There is now also the apache2-suexec-custom package, which contains a
|
|
customizable version of suexec which can be used with different document
|
|
roots than /var/www.
|
|
|
|
-- Stefan Fritsch <sf@debian.org> Sun, 04 May 2008 20:24:00 +0200
|
|
|
|
apache2 (2.2.8-1) unstable; urgency=low
|
|
|
|
* The Apache User and Group and the PidFile path are now configured in
|
|
/etc/apache2/envvars, to make it easier to use them in scripts
|
|
(like the init and logrotate scripts, and apache2ctl).
|
|
If you have changed these settings from their default values, you need to
|
|
adjust /etc/apache2/envvars.
|
|
This also means that starting apache2 with "apache2 -k start" is no longer
|
|
possible, you have to use /etc/init.d/apache2 or apache2ctl.
|
|
|
|
-- Stefan Fritsch <sf@debian.org> Tue, 15 Jan 2008 21:41:23 +0100
|
|
|
|
apache2 (2.2.4-2) unstable; urgency=low
|
|
|
|
* This version introduces some changes in the configuration layout and
|
|
defaults. You will probably have to adjust your configuration accordingly.
|
|
|
|
- Module specific configuration has been moved from
|
|
/etc/apache2/apache2.conf to /etc/apache2/mods-available/*.conf for the
|
|
following modules:
|
|
actions alias autoindex
|
|
info mime negotiation
|
|
setenvif status
|
|
|
|
- AddDefaultCharset is again disabled by default. See
|
|
/etc/apache2/conf.d/charset
|
|
|
|
- "Listen 443" is automatically enabled in /etc/apache2/ports.conf if
|
|
mod_ssl is enabled.
|
|
|
|
* The NO_START functionality from /etc/default/apache2 has been removed. If
|
|
you don't want to start apache2 on boot, rename the S*apache2 start
|
|
symlinks as usual.
|
|
|
|
* To ensure that the disk cache does not grow indefinitely, htcacheclean is
|
|
now started when mod_disk_cache is enabled. The details can be configured
|
|
in /etc/default/apache2 .
|
|
|
|
-- Stefan Fritsch <sf@debian.org> Mon, 09 Jul 2007 21:50:58 +0200
|