Diffstat
-rw-r--r-- debian/changelog 4321
1 files changed, 4321 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..64570c6
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,4321 @@
+apache2 (2.4.38-3+deb10u8) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2022-22719: denial of service in mod_lua via crafted request body.
+ * CVE-2022-22720: HTTP request smuggling.
+ * CVE-2022-22721: integer overflow leading to buffer overflow write.
+ * CVE-2022-23943: heap memory overwrite via crafted data in mod_sed.
+ * CVE-2022-26377: mod_proxy_ajp: Possible request smuggling.
+ * CVE-2022-28614: read beyond bounds via ap_rwrite().
+ * CVE-2022-28615: Read beyond bounds in ap_strcmp_match().
+ * CVE-2022-29404: Denial of service in mod_lua r:parsebody.
+ * CVE-2022-30522: mod_sed denial of service.
+ * CVE-2022-30556: Information Disclosure in mod_lua with websockets.
+ * CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism.
+
+ -- Roberto C. Sánchez <roberto@debian.org> Mon, 20 Jun 2022 15:03:00 -0400
+
+apache2 (2.4.38-3+deb10u7) buster-security; urgency=medium
+
+ * Fix possible NULL dereference or SSRF in forward proxy configurations
+ (CVE-2021-44224)
+ * lua: improve error handling (Closes: CVE-2021-44790)
+ * mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO
+ (relaxes the behaviour introduced by the CVE-2021-36160 fix)
+
+ -- Yadd <yadd@debian.org> Tue, 21 Dec 2021 17:50:43 +0100
+
+apache2 (2.4.38-3+deb10u6) buster-security; urgency=high
+
+ [ Yadd, Moritz Muehlenhoff ]
+ * Initialize the request fields on read failure to avoid NULLs
+ (Closes: CVE-2021-34798)
+ * mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker
+ (Closes: CVE-2021-36160)
+ * Fix ap_escape_quotes with pre-escaped quotes (Closes: CVE-2021-39275)
+ * Sanity checks on the configured UDS path (Closes: CVE-2021-40438)
+
+ -- Yadd <yadd@debian.org> Thu, 30 Sep 2021 05:50:49 +0200
+
+apache2 (2.4.38-3+deb10u5) buster-security; urgency=medium
+
+ * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
+ (Closes: #989562, CVE-2021-31618)
+ * Fix various low security issues (Closes: CVE-2020-35452, CVE-2021-26690,
+ CVE-2021-26691, CVE-2021-30641) and fix related test
+
+ -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 12:13:06 +0200
+
+apache2 (2.4.38-3+deb10u4) buster-security; urgency=high
+
+ * Import http2 modules from 2.4.46 (Closes: CVE-2020-9490, CVE-2020-11993)
+ * Fix error out on HTTP header larger than 16K (Closes: CVE-2020-11984)
+ * Fix bad regexp in mod_rewrite (Closes: CVE-2020-1927)
+ * Fix uninitialized memory when proxying to a malicious FTP server
+ (Closes: CVE-2020-1934)
+
+ -- Xavier Guimard <yadd@debian.org> Tue, 25 Aug 2020 22:08:29 +0200
+
+apache2 (2.4.38-3+deb10u3) buster-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Annoatate patch for CVE-2019-10092: Add missing APLOGNO's in
+ modules/proxy/mod_proxy.c and modules/proxy/mod_proxy_ftp.c
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Tue, 15 Oct 2019 21:53:42 +0200
+
+apache2 (2.4.38-3+deb10u2) buster-security; urgency=medium
+
+ * Fix CVE-2019-10092 patch (Closes: #941202)
+
+ -- Xavier Guimard <yadd@debian.org> Sun, 13 Oct 2019 22:23:11 +0200
+
+apache2 (2.4.38-3+deb10u1) buster-security; urgency=high
+
+ * Add patch to limit cross-site scripting in mod_proxy (Closes: CVE-2019-10092)
+ * Add patch to fix stack buffer overflow and NULL pointer dereference in
+ mod_remoteip (Closes: CVE-2019-10097)
+ * Import http2 modules from 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10082 and
+ CVE-2019-10081
+ * Add patch to set PCRE_DOTALL by default (Closes: CVE-2019-10098)
+
+ -- Xavier Guimard <yadd@debian.org> Sun, 18 Aug 2019 15:34:20 +0200
+
+apache2 (2.4.38-3) unstable; urgency=high
+
+ [ Marc Deslauriers ]
+ * SECURITY UPDATE: read-after-free on a string compare in mod_http2
+ - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
+ request method in modules/http2/h2_request.c.
+ - CVE-2019-0196
+ * SECURITY UPDATE: privilege escalation from modules' scripts
+ - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
+ child to its slot number in include/scoreboard.h,
+ server/mpm/event/event.c, server/mpm/prefork/prefork.c,
+ server/mpm/worker/worker.c.
+ - CVE-2019-0211
+ * SECURITY UPDATE: mod_ssl access control bypass
+ - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
+ PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
+ - CVE-2019-0215
+ * SECURITY UPDATE: mod_auth_digest access control bypass
+ - debian/patches/CVE-2019-0217.patch: fix a race condition in
+ modules/aaa/mod_auth_digest.c.
+ - CVE-2019-0217
+ * SECURITY UPDATE: URL normalization inconsistincy
+ - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
+ the path in include/http_core.h, include/httpd.h, server/core.c,
+ server/request.c, server/util.c.
+ - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
+ in server/request.c, server/util.c.
+ - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
+ server/util.c.
+ - CVE-2019-0220
+
+ [ Stefan Fritsch ]
+ * Pull security fixes from 2.4.39 via Ubuntu
+ * CVE-2019-0197: mod_http2: Fix possible crash on late upgrade
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200
+
+apache2 (2.4.38-2) unstable; urgency=medium
+
+ * Disable "reset" test in allowmethods.t (Closes: #921024)
+
+ -- Xavier Guimard <yadd@debian.org> Thu, 31 Jan 2019 21:54:05 +0100
+
+apache2 (2.4.38-1) unstable; urgency=medium
+
+ [ Jelmer Vernooij ]
+ * Reverted for now: Transition to automatic debug package (from: apache2-dbg)
+ * Trim trailing whitespace
+ * Use secure copyright file specification URI
+
+ [ Niels Thykier ]
+ * Add Rules-Requires-Root: binary-targets
+
+ [ Xavier Guimard ]
+ * Convert signing-key.pgp into signing-key.asc
+ * Add http2.conf (Closes: #880993)
+ * Remove unnecessary greater-than versioned dependency to dpkg-dev,
+ libbrotli-dev and libapache2-mod-md
+ * Declare compliance with policy 4.2.1
+ * Add spelling errors patch (reported)
+ * Fix some spelling errors in debian files
+ * Add myself to uploaders
+ * Refresh patches
+ * Bump debhelper compatibility level to 10
+ * debian/rules:
+ - Remove unnecessary dh argument --parallel
+ - use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog
+ * Add upstream/metadata
+ * Replace MIT by Expat in debian/copyright
+ * debian/watch: use https url
+ * Add documentation links in systemd service files
+ * Team upload
+
+ [ Cyrille Bollu ]
+ * Put HTTP2 configuration within <IfModule !mpm_prefork></IfModule> tags as
+ it gets automatically de-activated upon apache 'startup when using
+ mpm_prefork.
+ * Updated http2.conf to inform user that they may want to change their
+ LogFormat directives.
+
+ [ Xavier Guimard ]
+ * New upstream version 2.4.38 (Closes: #920220, #920302, #920303)
+ * Refresh patches
+ * Remove setenvifexpr.diff patch now included in upstream
+ * Replace libapache2-mod-proxy-uwsgi.{post*,prerm} by a maintscript
+ * Add a "sleep" in debian/tests/htcacheclean and skip result if "stop" failed
+ * Declare compliance with policy 4.3.0
+ * Fix homepage to https
+ * Update debian/copyright
+
+ -- Xavier Guimard <yadd@debian.org> Tue, 29 Jan 2019 23:49:49 +0100
+
+apache2 (2.4.37-1) unstable; urgency=medium
+
+ * New upstream version
+ - mod_ssl: Add support for TLSv1.3
+ * Add docs symlink for libapache2-mod-proxy-uwsgi. Closes: #910218
+ * Update test-framework to r1845652
+ * Fix test suite to actually run by creating a test user. It turns out
+ the test suite refuses to run as root but returns true even in that
+ case. It seems this has been broken since 2.4.27-4, where the test suite
+ had been updated and the debci test duration dropped from 15min to
+ 3min. Also, don't rely on the exit status anymore but parse the test
+ output.
+ * Backport a fix from trunk for SetEnvIfExpr. This fixes a test failure.
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 03 Nov 2018 14:26:31 +0100
+
+apache2 (2.4.35-1) unstable; urgency=medium
+
+ * New upstream version 2.4.35
+ Security fix:
+ - CVE-2018-11763: DoS for HTTP/2 connections by continuous SETTINGS
+ Closes: #909591
+ * Fix lintian warning: Don't force xz in builddeb override.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200
+
+apache2 (2.4.34-1) unstable; urgency=medium
+
+ [ Ondřej Surý ]
+ * New upstream version 2.4.34
+ Security fixes:
+ - CVE-2018-1333: Denial of service in mod_http2. Closes: #904106
+ - CVE-2018-8011: Denial of service in mod_md. Closes: #904107
+ * Refresh patches for Apache2 2.4.34 release
+ * Update the suexec-custom.patch for 2.4.34 release
+
+ [ Stefan Fritsch ]
+ * Remove load order dependency introduced in mod_lbmethod_* in 2.4.34
+ * Remove debian/gbp.conf. Closes: #904641
+ * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
+ Closes: #904150
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200
+
+apache2 (2.4.33-3) unstable; urgency=medium
+
+ * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too.
+ Closes: #894785
+ * mod_http2: Avoid high memory usage with large files, causing crashes on
+ 32bit archs. Closes: #897218
+ * Migrate from alioth to salsa.
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 05 May 2018 11:34:47 +0200
+
+apache2 (2.4.33-2) unstable; urgency=medium
+
+ * Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi
+ and libapache2-mod-md.
+ Closes: #894760, #894761, #894785
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 22 Apr 2018 11:14:19 +0200
+
+apache2 (2.4.33-1) unstable; urgency=medium
+
+ * New upstream version.
+ Security fixes:
+ - CVE-2017-15710
+ Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
+ - CVE-2018-1283
+ mod_session: CGI-like applications that intend to read from mod_session's
+ 'SessionEnv ON' could be fooled into reading user-supplied data instead.
+ - CVE-2018-1303
+ mod_cache_socache: Fix request headers parsing to avoid a possible crash
+ with specially crafted input data.
+ - CVE-2018-1301
+ core: Possible crash with excessively long HTTP request headers.
+ Impractical to exploit with a production build and production LogLevel.
+ - CVE-2017-15715
+ core: Configure the regular expression engine to match '$' to the end of
+ the input string only, excluding matching the end of any embedded
+ newline characters. Behavior can be changed with new directive
+ 'RegexDefaultOptions'.
+ - CVE-2018-1312
+ mod_auth_digest: Fix generation of nonce values to prevent replay
+ attacks across servers using a common Digest domain. This change
+ may cause problems if used with round robin load balancers. PR 54637
+ - CVE-2018-1302
+ mod_http2: Potential crash w/ mod_http2.
+
+ - mod_proxy_uwsgi: New UWSGI proxy submodule.
+ - mod_md: New experimental module for managing domains across virtual
+ hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and
+ renew certificates.
+ - core: silently ignore a not existent file path when IncludeOptional
+ is used. Closes: #878920
+ - mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980
+
+ * Fix lintian warnings:
+ - Include SupportApache-small.png in apache2-doc package instead of
+ linking to apache.org, to avoid privacy issues.
+ - Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE
+ - Remove deprecated use of autotools_dev with dh.
+ - Add some overrides
+ * Bump standards-version to 4.1.2 (no changes)
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 30 Mar 2018 22:53:13 +0200
+
+apache2 (2.4.29-2) unstable; urgency=medium
+
+ * Add myself to Uploaders
+ * Bump required version of apr/apr-util to 1.6.0 (Closes: #879634)
+ * Run wrap-and-sort -a to canonicalize the debian/ directory
+ * Add Build-Depends on libbrotli-dev and enable brotli module
+
+ -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +0000
+
+apache2 (2.4.29-1) unstable; urgency=medium
+
+ [ Stefan Fritsch ]
+ * Replace outdated dependency on dh-systemd
+
+ [ Ondřej Surý ]
+ * New upstream version 2.4.29
+ * Refresh quilt patches
+ * Add mod_ssl_md patch needed for libapache2-mod-md (Closes: #877343)
+ * Refresh patches on top of upstream release 2.4.29
+ * Fix Apache crash on restarts (ASF Bug 61558)
+ * Add deconfigure to the list of recognized scripts (Closes: #877524)
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 23 Oct 2017 14:46:55 +0000
+
+apache2 (2.4.27-6) unstable; urgency=high
+
+ * CVE-2017-9798: Don't allow new methods to be registered in .htaccess files
+ which could result in HTTP OPTIONS method leaking Apache's server memory.
+ Closes: #876109
+ * Fix argument escaping in apachectl. Closes: #876384
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 24 Sep 2017 00:08:01 +0200
+
+apache2 (2.4.27-5) unstable; urgency=medium
+
+ * Upload to unstable.
+ * Update "Breaks:" for openssl transition.
+ * Bump Standards-Version to 4.1.0. No changes needed.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 03 Sep 2017 17:18:57 +0200
+
+apache2 (2.4.27-4) experimental; urgency=medium
+
+ * Use 'invoke-rc.d' instead of init script in logrotate script.
+ Closes: #857607
+ * Make the apache-htcacheclean init script actually look into
+ /etc/default/apache-htcacheclean for its config. LP: #1691495
+ * mime.conf: Guard AddOutputFilter INCLUDES with proper <IfModule>.
+ LP: #1675184
+ * Use 'service' instead of init script in monit example config.
+ * Bump Standards-Version to 4.0.1. Other changes:
+ - change package priorities from extra to optional
+ * Use libprotocol-http2-perl in autopkgtest.
+ * Update test suite to svn r1804214.
+ * Various tweaks to the test suite autopkgtest to avoid having to skip
+ any test.
+ * Also remove -DBUILD_DATETIME and -fdebug-prefix-map from config_vars.mk
+ to avoid them being used by apxs.
+ * deflate.conf: Remove mention of MSIE6
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 08 Aug 2017 21:59:37 +0200
+
+apache2 (2.4.27-3) experimental; urgency=medium
+
+ * Switch to openssl 1.1. Again closes: #851094
+ * Add versioned breaks for gridsite, libapache2-mod-dacs because of
+ openssl transition.
+ * Provide new apache2-api-20120211-openssl1.1 virtual package and make
+ dh_apache2 generate a dependency on it if there is a build-dep on
+ apache2-ssl-dev.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +0200
+
+apache2 (2.4.27-2) unstable; urgency=medium
+
+ * Switch back to openssl 1.0 for now. The transition to 1.1 needs more
+ work and should go into experimental, first. Reopens: #851094
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:01:10 +0200
+
+apache2 (2.4.27-1) unstable; urgency=medium
+
+ [ New upstream release ]
+ * Fix CVE-2017-9788: mod_auth_digest: Uninitialized memory reflection
+ Closes: #868467
+
+ [ Stefan Fritsch ]
+ * Switch to openssl 1.1. Closes: #851094
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 10:39:15 +0200
+
+apache2 (2.4.25-4) unstable; urgency=high
+
+ * Backport security fixes from 2.4.26:
+ * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
+ * CVE-2017-3169: mod_ssl NULL pointer dereference
+ * CVE-2017-7668: Buffer overrun in ap_find_token()
+ * CVE-2017-7679: mod_mime buffer overread
+ * CVE-2017-7659: mod_http2 NULL pointer dereference
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +0200
+
+apache2 (2.4.25-3) unstable; urgency=medium
+
+ * Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
+ Closes: #852543
+ * Compile mod_bucketeer mod_case_filter mod_case_filter_in for benefit of
+ the test suite, but don't add *.load files because they don't have any
+ real-world use.
+ * Include the upstream test suite and a corresponding autopkgtest. This
+ is quite a hack but it may help quite a bit with security updates,
+ especially if stretch gets LTS support, too.
+
+ -- Stefan Fritsch <sf@debian.org> Wed, 25 Jan 2017 23:59:26 +0100
+
+apache2 (2.4.25-2) unstable; urgency=medium
+
+ * Activate mod_reqtimeout in new installs and during updates from
+ before 2.4.25-2. It was wrongly not activated in new installs since
+ jessie. This made the default installation vulnerable to some DoS
+ attacks.
+ * Restart htcacheclean on updates and tighten dependency on apache2-utils
+ to ensure that apache2-utils cannot be upgraded without apache2.
+ Closes: #851122
+ * When running on systems with systemd, make 'apache2ctl start' invoke
+ systemctl instead. Otherwise systemd will think apache2 is not running
+ and ignore further commands like reload. Closes: #839227
+ * Avoid segfault in mpm_event if a signal is received too soon after start.
+ PR 60487
+ * Add test for some modules to be enabled.
+ * Remove mention of CVE-2016-5387 in 2.4.25-1 changelog. It was already
+ fixed in 2.4.23-2.
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 14 Jan 2017 19:27:34 +0100
+
+apache2 (2.4.25-1) unstable; urgency=medium
+
+ [ New upstream release ]
+ * Security: CVE-2016-0736:
+ mod_session_crypto: Authenticate the session data/cookie with a MAC to
+ prevent deciphering or tampering with a padding oracle attack.
+ * Security: CVE-2016-2161:
+ mod_auth_digest: Prevent segfaults during client entry allocation when the
+ shared memory space is exhausted.
+ * Security: CVE-2016-8740:
+ mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
+ Closes: #847124
+ * Security: CVE-2016-8743:
+ Enforce HTTP request grammar corresponding to RFC7230 for request lines
+ and request headers, to prevent response splitting and cache pollution by
+ malicious clients or downstream proxies.
+ * The stricter HTTP enforcement may cause compatibility problems with
+ non-conforming clients. Fine-tuning is possible with the new
+ HttpProtocolOptions directive.
+ * mpm_event: Fix "scoreboard full" errors. Closes: #834708 LP: #1466926
+ * mod_http2: Many fixes and support for early pushes using the new
+ H2PushResource directive.
+
+ [ Stefan Fritsch ]
+ * Switch to debhelper compatibility level 9.
+
+ -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +0100
+
+apache2 (2.4.23-8) unstable; urgency=medium
+
+ * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
+ new package apache2-ssl-dev. Packages that interface with openssl
+ state from mod_ssl must build-depend on this new package.
+ This will help to disentangle the build-deps in the openssl transition.
+ Closes: #845033
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100
+
+apache2 (2.4.23-7) unstable; urgency=medium
+
+ * Make apache2-dev depend on openssl 1.0, too. Closes: #844160
+ * Move DefaultRuntimeDir and pid file for multi-instances to
+ /var/run/apache2-xxx. Thanks to Horst Platz for the debugging.
+ Closes: #838932 LP: #1627339
+ * Fix systemd unit naming for multi-instances.
+ * Tweak embedded .tar.gz some more to build reproducibly.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 13 Nov 2016 13:08:28 +0100
+
+apache2 (2.4.23-6) unstable; urgency=medium
+
+ * One more tweak for reproducible build. Thanks to Daniel Shahaf for the
+ patch. Closes: #839977
+ * Avoid building with openssl 1.1 for now. See #828236
+
+ -- Stefan Fritsch <sf@debian.org> Wed, 09 Nov 2016 23:51:25 +0100
+
+apache2 (2.4.23-5) unstable; urgency=low
+
+ * Team upload.
+
+ [ Stefan Fritsch ]
+ * Tweak creation of .tar.gz embedded in preinst to get reproducible
+ build.
+
+ [ Raphaël Hertzog ]
+ * Add systemd unit files. Closes: #798430
+ * Improve a2enmod to enable apache-htcacheclean with systemctl and let
+ it enable 'apache-htcacheclean@instance.service' for multi-instance
+ support.
+ * Improve setup-instance to rely on the systemd apache2@instance.service for
+ multi-instance support.
+ * Drop /lib/systemd/system/apache2.service.d/forking.conf now that we have
+ proper native systemd support.
+ * Modify handling of /etc/init.d/apache-htcacheclean to have a usual
+ Default-Start value but instead we disable it manually in the postinst.
+ That way "systemctl enable apache-htcacheclean" works.
+ * Add some lintian overrides for non-problems (two update-rc.d calls in
+ postinst, and a .js file with a very long line).
+
+ -- Raphaël Hertzog <hertzog@debian.org> Thu, 29 Sep 2016 12:03:31 +0200
+
+apache2 (2.4.23-4) unstable; urgency=medium
+
+ * Fix pre-inst script for new installations. Closes: #834169
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 12 Aug 2016 21:44:31 +0200
+
+apache2 (2.4.23-3) unstable; urgency=low
+
+ * Fix conffiles that may have got the wrong content during upgrade from
+ wheezy to early jessie versions. Closes: #794933
+ * Also restore re-introduced *.load files for mod_ident, mod_imagemap, and
+ mod_cern_meta. These may have gone missing due to dpkg thinking they still
+ belong to apache2.2-common. Reported by Markus Waldeck.
+ * apache2-maintscript-helper: Make apache2_switch_mpm do nothing if the
+ local admin has disabled the requested mpm manually.
+ Closes: #827446, #799630
+ * Make mod_proxy_html depend on mod_xml2enc.
+ * dh_apache2: Make versioned recommends on apache2 less strict. There is
+ no advantage in recommending the current version. Closes: #784290
+
+ -- Stefan Fritsch <sf@debian.org> Thu, 11 Aug 2016 21:40:35 +0200
+
+apache2 (2.4.23-2) unstable; urgency=high
+
+ * CVE-2016-5387: Sets environmental variable based on user supplied Proxy
+ request header.
+ Don't pass through HTTP_PROXY in server/util_script.c
+
+ -- Stefan Fritsch <sf@debian.org> Thu, 21 Jul 2016 23:21:37 +0200
+
+apache2 (2.4.23-1) unstable; urgency=high
+
+ * New upstream release
+ - Security: CVE-2016-4979: Fix bypass of TLS client certificate
+ verification in mod_http2.
+ - new modules mod_proxy_http2 (experimental) and mod_proxy_hcheck
+ * Re-introduce mod_imagemap and mod_cern_meta. Closes: #786657
+ * Set SHELL=/bin/bash during configure to get reproducible builds regardless
+ of where /bin/sh points to.
+ * Use 'Require method' instead of Limit/LimitExcept in userdir.conf.
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 05 Jul 2016 23:57:25 +0200
+
+apache2 (2.4.20-2) unstable; urgency=medium
+
+ * Fix crash in ap_get_useragent_host() triggered by mod_perl test.
+ Closes: #820824
+ * Fix race condition and logical error in init script. Thanks to Thomas
+ Stangner for the patch. Closes: #822144
+ * Remove links to manpages.debian.org in default index.html to avoid
+ broken robots doing a DoS on the site. Closes: #821313
+ * Fix a2enmod to run on perl 5.14 to simplify backports. Closes: #821956
+ * Bump Standards-Version (no changes necessary).
+ * Fix segfault with logresolve -c. Closes: #823259
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 28 May 2016 16:14:09 +0200
+
+apache2 (2.4.20-1) unstable; urgency=medium
+
+ * New upstream release
+ - mostly bugfixes and HTTP/2 improvements
+ * Build against lua 5.2 instead of 5.1. Closes: #820243
+ * Correct systemd-sysv-generator behavior by customizing some parameters.
+ This fixes 'systemctl status' returning incorrect results. Thanks to
+ Pierre-André MOREY for the patch. LP: #1488962
+ * On Linux, use pthread mutexes. On kfreebsd/hurd, continue using fctnl
+ because they lack robust pthred mutexes. LP: #1565744, #1527044
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200
+
+apache2 (2.4.18-2) unstable; urgency=low
+
+ * htcacheclean:
+ - split starting/stopping into separate init script 'apache-htcacheclean'
+ - move config from /etc/default/apache2 to /etc/default/apache-htcacheclean
+ - make a2enmod/a2dismod enable/disable htcacheclean with mod_cache_disk
+ - start htcacheclean as the apache2 run user/group
+ * Fix a2query -M not returning output if apache2 config is broken.
+ Fix missing quotes in apache2-maintscript-helper. Closes: #810500
+ * README.backtrace: Note that coredump directory needs to be owned by
+ www-data. Closes: #806697
+ * Remove ssl work-arounds for MSIE. Newer versions of IE work without them
+ and older versions are no longer supported by MS. Closes: #815852
+ * Give a hint about systemd in README.multiple-instances. Closes: #818904
+ * Don't treat mod_access_compat as essential. It's essentially broken,
+ anyway.
+ * Merge cross-compile tweaks for debian/rules from ubuntu.
+ * Merge autopkgtests from Ubuntu. Many thanks to Robie Basak.
+ Closes: #719245
+ * Fix duplicate-module-load test and make sure it fails if it cannot execute
+ apache2ctl.
+ * Bump Standards-Version (no changes necessary).
+
+ -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200
+
+apache2 (2.4.18-1) unstable; urgency=medium
+
+ * New upstream release:
+ - mostly HTTP/2 improvements
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100
+
+apache2 (2.4.17-3) unstable; urgency=medium
+
+ * mpm_prefork: Fix segfault if started with -X. Closes: #805737
+
+ -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100
+
+apache2 (2.4.17-2) unstable; urgency=medium
+
+ * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
+ lots of web-apps. Closes: #803353
+ * Fix secondary-init-script to not source the main init script with 'set -e'.
+ Closes: #803177
+ * mod_http2: Write HTTP/2 into THE_REQUEST and the access log.
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100
+
+apache2 (2.4.17-1) unstable; urgency=medium
+
+ [ Stefan Fritsch ]
+ * New upstream release:
+ - New experimental http2 module
+ * reproducible build: Make symbol sorting consistent over different locales
+ * Conflict with apache2.2-common and apache2.2-bin to get the transitional
+ packages removed. Closes: #768815
+ * Don't treat mpm_itk as MPM module in a2query. Closes: #791902
+ * Don't treat mpm_itk as MPM module in deferred actions in postinst.
+ Hopefully really closes: #789914
+ * Don't treat mpm_itk as MPM module in a2enmod.
+
+ [ Jean-Michel Vourgère ]
+ * Updated upstream keyring used to check source authenticity.
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 24 Oct 2015 22:14:32 +0200
+
+apache2 (2.4.16-3) unstable; urgency=medium
+
+ [ Jean-Michel Vourgère ]
+ * Have apache2.postrm removes content of /var/lib/apache2, not the
+ directory itself. Closes: #793862
+ * d/p/reproducible_builds.diff: Sort exported symbols list.
+
+ [ Stefan Fritsch ]
+ * apxs: Don't pass --silent to libtool. Closes: #795820
+ * Remove default /var/www/html/index.html on package purge.
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 18 Aug 2015 13:49:09 +0200
+
+apache2 (2.4.16-2) unstable; urgency=medium
+
+ * Make dh_apache2 add a versioned dependency on apache2-bin, for the
+ new symbols required for the CVE-2015-3185 fix.
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 07 Aug 2015 23:43:16 +0200
+
+apache2 (2.4.16-1) unstable; urgency=medium
+
+ [ Stefan Fritsch ]
+ * New upstream version, fixing the following security issues:
+ + CVE-2015-3183: Fix chunk header parsing defect.
+ + CVE-2015-3185: ap_some_auth_required() broken in apache 2.4 in an
+ unfixable way. Add a new replacement API ap_some_authn_required()
+ and ap_force_authn hook.
+
+ [ Jean-Michel Vourgère ]
+ * Allow "triggers-awaited" and "triggers-pending" states in addition to
+ "installed" when determining whether to defer actions or process
+ deferred actions. Thanks Colin Watson. Closes: #787103
+ * Allow a2dismod cgi on threaded mpms. Thanks Raul Dias. Closes:
+ #733979
+ * Remove pre-Jessie transition scripts, and remaining breaks.
+ * Made builds reproducible: d/rules set the date from the changelog in
+ CPPFLAGS, new reproducible_builds.diff patch to use it.
+ * Moved bash_completion from /etc to /usr/share/bash_completion. Added
+ links there for dynamic loading.
+ * Upgrade security.conf comments to 2.4 auth format. Thanks Werner
+ Detter. Closes: #789788
+ * apache2.postinst: Fixed tests on deferred mpm switch. Closes:
+ #789914
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200
+
+apache2 (2.4.12-2) unstable; urgency=medium
+
+ [ Jean-Michel Nirgal Vourgère ]
+ * d/control:
+ + Update Vcs-Browser.
+ * d/copyright:
+ + Change d/debhelper/dh_apache2 to dh_apache2.in.
+ + Drop paragraph about inexistant itk patches.
+
+ [ Stefan Fritsch ]
+ * Remove all the transitional packages:
+ apache2-mpm-worker, apache2-mpm-prefork, apache2-mpm-event,
+ apache2-mpm-itk, apache2.2-bin, apache2.2-common,
+ libapache2-mod-proxy-html, libapache2-mod-macro, apache2-suexec
+ This also fixes the dependency problems caused by a recent version
+ of debhelper (see #784803).
+
+ -- Stefan Fritsch <sf@debian.org> Mon, 11 May 2015 22:07:26 +0200
+
+apache2 (2.4.12-1) unstable; urgency=medium
+
+ * New upstream version
+ * Add a patch for CVE-2015-0253 which was introduced in 2.4.11 which
+ was never shipped in Debian.
+ * Ship mod_proxy_html's default config file. Closes: #782022
+ * Fix typo in dh_apache2 man page. Closes: #781032
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 28 Apr 2015 22:54:41 +0200
+
+apache2 (2.4.10-11) unstable; urgency=medium
+
+ * core: Fix -D[efined] or <Define>[d] variables lifetime accross restarts.
+ This could cause all kinds of strange behavior. PR 56008. PR 57328
+ * mpm_event: Fix process deadlock when shutting down a worker. PR 56960
+ * mpm_event: Fix crashes due to various race conditions. Closes: #779078
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2015 22:27:16 +0200
+
+apache2 (2.4.10-10) unstable; urgency=medium
+
+ * CVE-2015-0228: mod_lua: Fix denial of service vulnerability in
+ wsupgrade().
+ * Fix setup-instance example script to handle a2enconf/a2disconf.
+ LP: #1430936
+ * Tweak mention of mod_access_compat in NEWS.Debian. The module does
+ not really work in practice.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100
+
+apache2 (2.4.10-9) unstable; urgency=medium
+
+ * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
+ LuaAuthzProvider is used in multiple Require directives with different
+ arguments.
+ * Include ask-for-passphrase script from Ubuntu with some tweaks. This
+ fixes asking for certificate passphrases if started via systemd.
+ Closes: #773405
+ * Fix init script to not wait 20s if passphrase was wrong.
+ * Also bump debhelper build-depends to get dh_installdeb with support for
+ symlink_to_dir. Closes: #770421
+
+ -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100
+
+apache2 (2.4.10-8) unstable; urgency=medium
+
+ * Bump dpkg Pre-Depends to version that supports relative symlinks in
+ dpkg-maintscript-helper's symlink_to_dir. Closes: #769821
+ * mod_proxy_fcgi: Fix potential denial of service by malicious fcgi
+ script. (CVE-2014-3583). Fix similar bug in mod_authnz_fcgi even
+ though it does not seem to be exploitable.
+ * mpm_event: Fix use-after-free that may lead to a server crash.
+ * mod_ssl: Fix memory leak on graceful restart. Closes: #754492
+ * mod_ssl: Avoid crashes during startup or graceful restart due to
+ openssl using a callback to invalid memory. LP: #1366174
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100
+
+apache2 (2.4.10-7) unstable; urgency=medium
+
+ * Handle transitions of doc dirs and symlinks correctly during upgrade.
+ Use dpkg-maintscript-helper for this and remove existing explicit logic.
+ Closes: #767850
+ * Remove obsolete conffiles in apache2.2-common, instead doing this only in
+ apache2. This partially fixes #768815
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 09 Nov 2014 19:03:30 +0100
+
+apache2 (2.4.10-6) unstable; urgency=medium
+
+ * Disable SSLv3 in default config. Closes: #765347
+ * Pull changes from upstream 2.4.x branch up to r1632831
+ - Fixes an LDAP regression in 2.4.10
+ - mod_cache: Avoid sending 304 responses during failed revalidations.
+ PR 56881
+ - mod_status: Honor client IP address using mod_remoteip. PR 55886
+ * Fix typo in package description. Closes: #765500
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 21 Oct 2014 22:42:06 +0200
+
+apache2 (2.4.10-5) unstable; urgency=medium
+
+ * Remove one forgotten instance of ident.load in the preinst.
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 10 Oct 2014 00:20:09 +0200
+
+apache2 (2.4.10-4) unstable; urgency=medium
+
+ [ Stefan Fritsch ]
+ * Make apache2 depend on apache2-utils. This got lost somewhere in the
+ 2.4 update.
+ * Fix possible installation failure because of broken preinst script.
+ Closes: #764498
+ * Improve package descriptions. Closes: #763676
+
+ [ Arno Töll ]
+ * Add proper return codes to fail() conditions in a2query. Thanks to Ondřej
+ Surý for providing a patch.
+
+ -- Stefan Fritsch <sf@debian.org> Thu, 09 Oct 2014 22:19:12 +0200
+
+apache2 (2.4.10-3) unstable; urgency=medium
+
+ * CVE-2014-3581: Fix a DoS in mod_cache.
+ * If apache2 is not configured yet, defer actions executed via
+ apache2-maintscript-helper. This fixes installation failures if a
+ module package is configured first. Closes: #745834
+ * Don't use a2query in preinst, as it may not be available yet.
+ Closes: #745812
+ * Include mod_authnz_fcgi. Closes: #762908
+ * Add some comments about SSLHonorCipherOrder in ssl.conf. Closes: #746359
+ * Remove misleading sentence in apache2-bin's description. Closes: #762645
+ * Remove trailing space in apache2/suexec/www-data. Closes: #719930
+ * Add NEWS entry for the logrotate change in 2.4.10-2.
+ * Bump Standards-version (no changes).
+ * Fix lintian warning: Tweak licence short names in copyright file.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 28 Sep 2014 22:37:02 +0200
+
+apache2 (2.4.10-2) unstable; urgency=medium
+
+ * Pull changes from upstream 2.4.x branch up to r1626207
+ + Security Fix for CVE-2013-5704: HTTP trailers could be used to
+ replace HTTP headers late during request processing, potentially
+ undoing or otherwise confusing modules that examined or modified
+ request headers earlier.
+ Adds "MergeTrailers" directive to restore legacy behavior.
+
+ * Switch to apache2 providing the httpd and httpd-cgi virtual packages.
+ The previously providing apache2-bin package lacks the configuration
+ files. Closes: #756361
+ * Keep fewer logs by default. Instead of 52 weekly logs, keep 14 daily
+ logs. The daily graceful restart also has the advantage of regenerating
+ things like TLS session ticket keys more often. Closes: #759382
+ * Clarify description of apache2 package. Closes: #755976
+ * In the maintainer script helper, print out Apache's error message if
+ the config check fails.
+ * Re-add mod_ident. It has still at least one user. LP: #1333388
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200
+
+apache2 (2.4.10-1) unstable; urgency=medium
+
+ [ Arno Töll ]
+ * New upstream version
+ + Refresh debian/patches/fhs_compliance.patch
+ + Security Fixes:
+ - CVE-2014-0117 mod_proxy: Fix DoS that could cause a crash
+ - CVE-2014-0226 Fix a race condition resulting in a heap overflow in
+ scoreboard handling
+ - CVE-2014-0118 mod_deflate: The DEFLATE input filter now limits the
+ length and compression ratio of inflated request to mitigate a
+ possible DoS
+ - CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts
+ + Fixes SNI with certificate defined in global scope. (Closes: #751361)
+ * Warn users if they try to disable modules that we consider essential for
+ operation of the Apache web server (Closes: #709461)
+ * Drop libcap from our build-dependencies. That was needed for itk which we
+ gave source out to it's own package again.
+ * Provide apache2.2-common package to avoid upgrading problems for people
+ using --purge (apt) or --purge-unused (aptitude) even though that's
+ clearly discouraged. This caused disappearing of conffiles because we move
+ them from apache2.2-common to apache2 during the upgrade. Ugh. This was
+ not a bug in our packaging, but an unfortunately people blame us
+ nonetheless even though it's not all our fault. This alternative helps
+ those people, but at the same time means that incompatible modules aren't
+ force-removed by dpkg during the upgrade. Hopefully we catch all of them
+ with the Breaks relation coming along (Closes: #716880, #752922, #711925)
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 22 Jul 2014 23:16:20 +0200
+
+apache2 (2.4.9-2) unstable; urgency=medium
+
+ * Fix logic in postinst to detect existing index.* files in both
+ DocumentRoots, the old /var/www and the new /var/www/html. Also
+ change the compiled in default DocumentRoot to /var/www/html.
+ Closes: #743915
+ * Fix buffer overflows in suexec with very long (unix) usernames. Not
+ exploitable due to FORTIFY_SOURCE. And creating users usually requires
+ root privileges, anyway. Thanks to Luca Bruno for the report.
+ * Remove conflicts of mpm modules with mpm_itk, which isn't an mpm
+ anymore. Fixes a part of: #734865. libapache2-mpm-itk needs a fix, too.
+ * Remove obsolete warning in a2enmod about mpm-itk.
+ * Fix lintian warning: Remove image ref to w3.org, which is a privacy
+ breach.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200
+
+apache2 (2.4.9-1) unstable; urgency=medium
+
+ * New upstream version.
+ Security fixes:
+ - CVE-2013-6438: mod_dav: Fix DoS from crafted DAV WRITE requests.
+ - CVE-2014-0098: mod_log_config: Fix segfaults when logging truncated
+ cookies.
+ Notable new features:
+ - Support named groups and backreferences within the LocationMatch,
+ DirectoryMatch, FilesMatch and ProxyMatch directives.
+ - mod_proxy: Added support for unix domain sockets as the backend server
+ endpoint.
+ - mod_ssl: Add support for OpenSSL configuration commands by introducing
+ the SSLOpenSSLConfCmd directive.
+ - mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
+ mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
+ require directives.
+ - mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
+ and IgnoreInherit.
+ - Bugfix in the build system to avoid problems with patched config.m4
+ files as in LP #1251939.
+ * Make default cipher list in ssl.conf more secure:
+ - Remove 'MEDIUM'. This disables RC4 and SEED. Also remove '!MD5' because
+ 'HIGH' does not include MD5.
+ - Remove the 'Speed-optimized SSL Cipher' configuration example because
+ it depends on RC4, which is considered insecure.
+ * Change init script short description to describe the service, not the
+ script. Closes: #738315
+ * Bump Standards-Version (no changes).
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +0100
+
+apache2 (2.4.7-1) unstable; urgency=low
+
+ New upstream version
+
+ [ Stefan Fritsch ]
+ * In logrotate and init script, don't hardcode path to htcacheclean.
+ Instead, put sbin directories in PATH. Also fix one missed reference
+ to disk_cache.load, missed in 2.4.6-3. Really closes: #718909
+ * Remove possiblity to override path to apache2 executable via envvars.
+ This is no longer necessary with MPMs as modules.
+ * Fix typo in serve-cgi-bin.conf. Closes: #723196
+ * Bump Build-Depends. 2.4.7 requires apr 1.5.
+
+ [ Arno Töll ]
+ * Fix "No default site enabled after fresh install if /etc/apache2
+ exists" by using a condition in preinst which actually works as expected.
+ Thanks to Jean-Michel Vourgère for triaging the issue and providing a
+ patch (Closes: #711493).
+ * Leave a2disconf with rc=0 when purging a configuration which does not
+ exist. (Closes: #718166)
+ * Explicitly express the dependency for mod_access_compat depending on
+ authn_core. Thanks Jean-Michel Vourgère for providing a patch (Closes:
+ #710412)
+ * Allow "apache2_invoke disconf" in postinst/preinst (Closes: #717693)
+ * Rework the default index.html file. Instead of a blank, minimalistic page
+ give a quick start guide, since nobody seems to read our docs. This site
+ is hopefully explaining the most important questions.
+ * Add a virtual provides line to the itk/worker/event/prefork transitional
+ packages so that people with an unusual (unsupported) Apache setup
+ can upgrade neatless in some corner cases (Closes: #728937)
+ * Drop the Apache ITK patches. The Apache ITK MPM is a standalone package
+ now and will be provided by libapache2-mpm-itk in future. The
+ apache2-mpm-itk package depends on this package from now on. Users of itk
+ are advised to consult the itk manual.
+ This also resolves a build-system problem that caused mod_unixd to be
+ initialized twice. (LP: #1251939)
+ * Remove Steinar H. Gunderson from uploaders, he will continue to support
+ itk in his own package in future. The remaining Apache team thanks Steinar
+ for all the work in the past.
+ * Change the Default Document root directory where files are served from
+ (Closes: #730372).
+ * Add GPG support to our watch file. Thanks to Daniel Kahn Gillmor
+ for this suggestion and for providing a patch (Closes: #732450)
+ * Refresh suexec-custom.patch.
+
+ -- Arno Töll <arno@debian.org> Thu, 02 Jan 2014 00:17:56 -1100
+
+apache2 (2.4.6-3) unstable; urgency=low
+
+ * Fix 'implicit declaration' compiler warnings.
+ * Fix module dependencies in lbmethod_*.load files. Closes: #717910
+ LP: #1205314
+ * Mark apache2-data as Multi-Arch: foreign. Closes: #718387
+ * Backport open_htaccess hook from upstream 2.4.x branch to allow
+ building mpm-itk as separate package.
+ * Improve comment for LogLevel in apache2.conf. Closes: #718677
+ * Fix comment in ports.conf. Closes: #718650
+ * Fix htcacheclean path and function name in init script. Closes: #718909
+ * Enable bindnow hardening compiler option, patch by Felix Geyer.
+ Closes: #714872
+
+ -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +0200
+
+apache2 (2.4.6-2) unstable; urgency=low
+
+ [ Stefan Fritsch ]
+ * Fix watch file
+ * Don't pass --silent to libtool, allowing blhc to check the compiler
+ options in the build logs.
+
+ [ Arno Töll ]
+ * Allow third party packages to use triggers if they use them in a
+ maintainer script invoking apache2-maintscript-helper (Closes: #717610)
+
+ -- Arno Töll <arno@debian.org> Tue, 23 Jul 2013 13:25:30 +0200
+
+apache2 (2.4.6-1) unstable; urgency=low
+
+ New upstream release:
+ * CVE-2013-1896: mod_dav: Fix a denial of service via MERGE request
+ (Closes: #717272)
+ * New modules mod_cache_socache, mod_proxy_wstunnel.
+ * mod_ssl: Add support for subjectAltName-based host name checking in proxy
+ mode (SSLProxyCheckPeerName).
+ * mod_lua: Many new functions.
+ * mod_auth_basic: Add a generic mechanism to fake basic authentication
+ using the ap_expr parser (AuthBasicFake).
+ * mod_proxy: New BalancerInherit and ProxyPassInherit options.
+ * mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind password.
+
+ [ Arno Töll ]
+ * Document our security model in our NEWS file and highlight we do not allow
+ access to /srv. Thanks to joeyh for pointing this out.
+ * Allow the use of apache2-maintscript-helper from a sub-function. We rely
+ on dpkg's arguments supplied in $1, $2 etc. This clashes with function
+ arguments supplied to to sh sub-function. Allow manual override in such
+ cases.
+ * Mention that the dh_apache2 conditional must be present in postrm too
+ (Closes: #716694)
+ * Fix "dh_apache2 ignores alternative httpd on conf files" by correctly
+ checking the supplied arguments, we were off by one (Closes: #717299).
+ * Reinstall index.html also on upgrades as it is removed during upgrades.
+ * Add mod_macro transitional package as it was promoted to core and does not
+ exist as individual package anymore (Closes: #706962)
+
+ [ Stefan Fritsch ]
+ * Don't fail package upgrade or removal just because the configuration is in
+ an inconsistent state (Closes: #716921, #717343, LP: #1202653).
+ * Improve error output of init script.
+ * Fix broken dependency information in several *.load files.
+ * Add mod_authn_core as dependency of the mod_auth_* modules.
+ (Closes: #717448)
+
+ -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +0200
+
+apache2 (2.4.4-6) unstable; urgency=low
+
+ * Denote exact versions breaking gnome-user-share now that Gnome maintainers
+ have a fixed version in the works. That makes Gnome installable again.
+ * Update our gbp.conf for our big merge next -> master. The eagle has
+ landed, 2.4 is here.
+ * Push Standards version to 3.9.4 - no changes needed.
+ * Fix spelling errors in man pages.
+ * Update the git VCS pointer to its canonical location for anonymous
+ checkouts.
+ * Boost the description for the LSB init script to appease Lintian.
+ * Fix spurious warnings in the Apache2 bug report script (Closes: #711121,
+ #711480)
+ * Strip off file extensions from arguments to a2(en|dis)(site|conf|mod) so
+ that "a2ensite 000-default.conf" works, as well as "a2ensite 000-default"
+ (Closes: #711494)
+ * Fix "apache2-dev: dh-apache2 does not strip .conf extension" for modules
+ relying on the install heuristic, instead of writing an *.apache2 conf
+ file (Closes: #711483)
+ * Apply patch submitted by Robert Luberda and redirect all output of
+ apache2-maintscript-helper to stderr (Closes: #711478)
+ * Tell about essential operations in the init script (Closes: #711120)
+ * Fix indentation mess in the init script, and add modelines
+ * Make sure /etc/init.d/apache2 reload does not always return. Thanks to
+ Thorsten Glaser for suggesting a patch (Closes: #711117)
+ * Make apache2-maintscript-helper usable when sourced from weird
+ environments (e.g. Perl maintainer scripts). Thanks to Robert Luberda
+ for doing unexpected things, and providing patches for it, and to Axel
+ Beckert for demangling shell specifics (Closes: #711479)
+ * Fix "copyright file missing after upgrade (policy 12.5)" and add these for
+ MPM transitional packages (Closes: #710914)
+ * Fix "apache2.2-bin transitional package (binaries only) should not
+ depend on apache2 package (which runs a system daemon)". This happened by
+ accident added by debhelper since we are linking docs. We do to
+ apache2-bin instead (Closes: #711127)
+ * Refresh "upstream-fixes" patch
+ * Fix "Disabling strtoul violates C89 and C99 and is unnecessary" by
+ removing the symbol override in httpd.h(Closes: #711534)
+
+ -- Arno Töll <arno@debian.org> Fri, 07 Jun 2013 19:14:36 +0200
+
+apache2 (2.4.4-5) unstable; urgency=low
+
+ [ Arno Töll ]
+ * Fix compile issue on kfreebsd.
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 31 May 2013 10:19:18 +0200
+
+apache2 (2.4.4-4) unstable; urgency=low
+
+ [ Stefan Fritsch ]
+ * Upload to unstable.
+ * Fix FTBFS on hurd caused by mpm-itk linking fix.
+ * Fix some lintian warnings:
+ - fix pod error
+ - add overrides for hardening-no-fortify-functions
+ - don't use /lib/init/vars.sh in init script
+ * Add note to README.Debian about CVE-2013-0966 if the document root is
+ on HFS+ or on ZFS with filename normalization.
+ * Add a note to README.Debian about how to change the max file limit.
+ Make apache2ctl print a message pointing to README.Debian if setting
+ the limit fails. (Closes: #706822)
+
+ [ Arno Töll ]
+ * Correct maintainer scripts by removing forgotten left-overs of our Squeeze
+ -> Wheezy renaming
+
+ -- Stefan Fritsch <sf@debian.org> Thu, 30 May 2013 17:25:09 +0200
+
+apache2 (2.4.4-3) experimental; urgency=low
+
+ [ Arno Töll ]
+ * libapache2-mod-proxy-html is included in Apache 2.4 and not packaged
+ separately anymore. Thus, we are using the most recent version available
+ now (Closes: #695482).
+ * Fix "typo in mpm_event.load" by applying the patch provided by Bastian
+ Triller. Thanks (Closes: #704639)
+ * Replace some occurrences of "Squeeze" in our scripts. It's Wheezy time.
+ * Changes in dh_apache2:
+ + Add -e|--noenable option to dh_apache2 (Closes: #681544)
+ + Disable scripts in prerm, not postrm (Closes: #681546)
+ + However, still hook into postrm and purge state when required
+ + Call the postinst code always, not only during configure
+ (Closes: #681545)
+ + Fix "dh_apache2 postinst code needs to reload more" and reload the
+ web-server in postinst when upgrading (Closes: #702929)
+ * Let a2enmod purge state when calling -p for already disabled
+ configurations.
+ * Fix "don't assume apache2 is running 24 hours a day when rotating
+ logs": Only restart the webserver when it was previously running
+ (Closes: #707892)
+ * Properly return the conf/site configuration fragments enabled for Apache
+ when queried from a2query (Closes: #683212)
+ * Fix "/etc/init.d/apache2 start and restart need to wait until really
+ started" (Closes: #645460)
+ * Fix "apxs2 outputs "uninitialized value" warnings" by removing the double
+ declaration of variables in apxs. This problem was harmless, but noisy
+ (Closes: #707109)
+ * Make the DEBIAN_VERSION parsing in debian/rules more robust. Thanks to
+ Ondřej Surý for noticing and providing a patch.
+ * Fix "copyright file missing after upgrade (policy 12.5)" by linking to the
+ apache2 doc-dir when upgrading (Closes: #707795)
+
+ [ Stefan Fritsch ]
+ * Backport various fixes from upstream svn branch '2.4.x'.
+ * Remove paragraph about MaxMemFree in README.Debian. The issue should be
+ fixed in 2.4.
+ * Enable mod_authn_core when upgrading from wheezy (Closes: #702866)
+ * Bump libaprutil1-dev build dependency to get support for bcrypt password
+ hashes.
+ * Fix mod_mpm_itk.so not being linked to libcap.so (Closes: #702475)
+ * Make apache2-dev not depend on apache2.
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 28 May 2013 22:47:26 +0200
+
+apache2 (2.4.4-2) experimental; urgency=low
+
+ * The "let's shorten up this discussion" release, and strip changelogs which
+ are not a direct ancestor of the 2.4 branch.
+ * Restart the server on upgrades. We need to make sure the new binary is
+ loading all symbols from the core again to make sure, upgrades don't break
+ the server.
+
+ -- Arno Töll <arno@debian.org> Sat, 09 Mar 2013 02:02:08 +0100
+
+apache2 (2.4.4-1) experimental; urgency=low
+
+ * New upstream release
+ - Fixes mod_log_forensic logging spurious '-' characters. Closes: #693292
+ - Responds with HTTP/1.0 when talking http to https port. Closes: #701117
+ - Fix various XSS flaws in modules (CVE-2012-3499, CVE-2012-4558)
+
+ [ Stefan Fritsch ]
+ * Add examples for X-Content-Type-Options and X-Frame-Options to
+ security.conf.
+ * Make dh_apache2 only accept shell function names as conditional, to avoid
+ problems with shell and sed special characters.
+ * Add Replaces for the old mpm packages to apache2-bin. Closes: #671683
+ * Add transitional package for libapache2-mod-proxy-html. Closes: #666816
+ - Override dh_gencontrol so that the package's version sorts later than
+ the existing version in Wheezy.
+ * Don't ship changelogs in the apache2.2-bin transitional package.
+ * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
+
+ [ Arno Töll ]
+ * Rewrite most parts of the init script to make it more readable and improve
+ visual feedback when fancy output is in use.
+ * Drop the dbmanage tool from apache2-utils. It is mostly unmaintained and
+ outdated. Users of mod_authn_dbm should use htdbm instead.
+ * Fix "Default /etc/apache2/mods-available/disk_cache.conf is incompatible
+ with ext3" by changing the default to more moderate values. Note, some file
+ systems have a hard limit of supported subdirectories (Closes: #682840).
+ Ported from our 2.2 tree targeted for Wheezy.
+ * Properly check return code of a2query in the apache2_invoke library
+ function. This caused reverse dependencies to fail for newly installed
+ modules previously.
+ * Implement -q (quiet) option for a2query (Closes: #681541).
+ * Properly honor -p/-N options as understood by debhelper (Closes: 681542).
+ Thanks Russ Allbery for the hint.
+ * Be more careful regarding link attacks when for the the cache disk
+ directory.
+ * Compress the data.tar in binary packages using xz to save some space on
+ installation medias (Debian only).
+ * Fix "invoke-rc.d apache2 status fails" by merging patch of Jean-Michel
+ Vourgère. Thanks! (Closes: #691365)
+ * Fix "copyright file missing after upgrade (policy 12.5)" - add link
+ manually when necessary in postinst (Closes: #691440)
+ * Document APACHE_ARGUMENTS in envvars (ported from our 2.2 branch, reported as #693299)
+ * Don't croak about lacking permissions in apache2ctl when the script is
+ executed as a non-privileged user
+
+ [ Bernhard R. Link ]
+
+ * Rearrane patches: Move all the patches or parts of patches touching non-itk
+ specific files (i.e. those from the upstream tarball) directly in the
+ debian/patches/series series. While this seperates the itk patches into two
+ heaps, it makes both more visible what changes happen to the general code (and
+ thus are also done to the other servers generated)
+
+ -- Arno Töll <arno@debian.org> Thu, 07 Mar 2013 01:24:51 +0100
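Review bot: in the 2.4.4-1 block, the line "Be more careful regarding link attacks when for the the cache disk directory." is missing its verb and carries no bug or CVE reference, so a reader auditing symlink handling cannot tell which operation on the disk cache directory was hardened, or whether it relates to the CVE-2013-1048 fix for /var/lock/apache2 listed earlier in the same block. Suggest completing the sentence with the operation that changed and adding a reference if one exists. In the same block, "Closes: 681542" is written without the "#" that the other bug references in this block use; "Closes: #681542" would keep it consistent and easier to grep.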
+
+apache2 (2.4.2-2) experimental; urgency=low
+
+ [ Stefan Fritsch ]
+ * Explicitly enable mod_authz_core on upgrades. It can happen that it is
+ not pulled in by any of the enabled modules, but we need it in any case
+ for apache2.conf. Closes: #669876
+ * Don't ship the changelogs in the apache2-mpm-itk transitional package.
+
+ [ Arno Töll ]
+ * Add mode lines to various configuration files and scripts. Reformat
+ configuration files for consitency.
+ * Fix "Fix typographic errors in configuration file comments": Thanks to Oxan
+ van Leeuwen for providing a patch (Closes: #669269)
+ * Formulate several clarifications in PACKAGING, start versioning this document
+ and add normative read hints. Moreover, document the -m switch for a2enmod.
+ * Merge spelling and grammar fixes provided by Justin B Rye. Much appreciated!
+ * Change various state and run directories used by Apache from
+ /var/run/<basename> to /var/run/apache2/<basename>. This might change again
+ for Wheezy+1 to adopt /run.
+ * Use more exit status codes for a2query which allows to tell apart why a
+ module was disabled, also make its output more readable.
+ * Changes in apache2-maintscript-helper:
+ + Finally apache2_invoke may behave correctly and catch all cases
+ including upgrades from Squeeze.
+ + apache2_invoke: accepts a third argument to override the rc.d-action now
+ + support APACHE2_MAINTSCRIPT_DEBUG: When defined in the environment or in
+ /etc/apache2/envvars, debug output is displayed.
+ * Implement a -r switch for dh_apache2 which allows to force a reload of the
+ web server if required.
+
+ -- Arno Töll <arno@debian.org> Mon, 28 May 2012 17:36:03 +0200
+
+apache2 (2.4.2-1) experimental; urgency=low
+
+ * New upstream release
+
+ [ Arno Töll ]
+ * Drop update-alternative call in postrm. Our prerm script catches them
+ already anyway.
+ * Update my mail address.
+ * Fix "dh_apache2 does not set "x" bits on /usr/lib/apache2/modules/"
+ Set directory permissions to 755 by default (Closes: #666875). Thanks Axel
+ Beckert for the hint.
+ * Add /usr/share/doc/apache2/migrate-sites.pl, a script to assist users to
+ give sites a .conf suffix, add a hint to the NEWS file.
+ * Do stateful configuration handling by remembering who enabled when a
+ particular piece of configuration. That way in can be told under which
+ circumstances for example modules should be re-enabled. Thanks to Filip M.
+ Nowak who was providing a patch where my changes are built upon.
+ * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
+ to override LDFLAGS at compile time by defining LDLAGS in the environment,
+ just like it is possible for CFLAGS. This also means, config_vars.mk now
+ exports hardening build flags by default.
+ * Provide the virtual packages httpd and httpd-cgi again.
+
+
+ [ Stefan Fritsch ]
+ * Change default config to deny access to / in the file system and only
+ allow access to /var/www, /usr/share, and /usr/lib/cgi-bin. Closes: #341022
+ * Disable MultiViews in the default config.
+ * Update ssl default cipher config, add alternative speed optimized config.
+ Closes: #649020
+ * Move the configuration of /usr/lib/cgi-bin into a separate config file.
+ Closes: #589638
+ * Comment out per-vhost loglevel.
+ * Add section to security.conf that shows how to forbid access to VCS
+ directories. Closes: #548213
+ * Change the compiled in default of DocumentRoot to /var/www by updating
+ fhs_compliance.patch
+ * Re-add mpm_itk (version 2.4.1-pre01). This is still very experimental!
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 15 Apr 2012 20:50:28 +0200
+
+apache2 (2.4.1-3) experimental; urgency=low
+
+ [ Arno Töll ]
+ * apache2-suexec-{custom,pristine}: Fix argument order when removing
+ alternatives, do not remove alternatives on upgrades. Thanks Andreas
+ Beckmann for spotting the issue (Closes: #665002)
+ * Install suexec(8) link to /usr/share/man/man8/...
+ * Enable mod_version statically, drop associated module load file.
+ * Update PACKAGING hints and cope several questions raised among the
+ discussions with packagers. Thus, invocation of apache2-maintscript-helper
+ in maintainer scripts are covered now.
+ * Changes in dh_apache2:
+ + Invoke the maintscript helper postrm action for simple package removals,
+ too.
+ + Fix a bug which accidentally called "en{mod,site,conf}" instead of
+ "di{mod,site,conf}"
+ + Set the default conditional back to "true", now the maintainer script is
+ expected to cope itself with upgrades correctly
+ * Changes in apache2_maintscript_helper
+ + Provide apache2_action_needed, apache2_msg
+ + Parse maintainer script arguments to find out which script called us
+ + Support APACHE2_MAINTSCRIPT_HELPER_QUIET which, when set, omits any
+ visible output
+ + Break APIs: apache2_invoke accepts a single configuration file argument
+ only now. However, other than dh_apache2 no users of this feature were
+ known.
+ * Build the apache2.2-bin transitional package again, without it updates from
+ Squeeze are broken from some use cases
+ * Remove 2.2's postrm script only if we're actually upgrading.
+ This previously didn't have bad side-effects, but caused a disturbing
+ warning.
+
+ [ Stefan Fritsch ]
+ * Import lots of bug fixes from upstream svn: All code changes from branch
+ 2.4.x up to r1307835, plus r1294306 and r1307067 from trunk.
+ * CVE-2012-0216: Remove /usr/share/doc alias from default virtual hosts'
+ configs.
+ * Add 'Multi-Arch: foreign' to apache2-utils
+ * Make a2enconf and a2ensite warn if dependencies are not fullfilled.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 01 Apr 2012 21:11:51 +0200
+
+apache2 (2.4.1-2) experimental; urgency=low
+
+ [ Arno Töll ]
+ * Shift convert_docs script to a arch-indep target only. Debhelper does not
+ build apache2-doc on binary only builds causing a FTBS on binary-only (-B)
+ builds
+ * Raise debhelper build-dependency to 8.9.7~ due to the use of arch-indep
+ targets
+
+ [ Stefan Fritsch ]
+ * dh_apache2: Make autoscripts only run on upgrades by default. Bump
+ debhelper dependency of apache2-dev. Escape slashes in conditionals.
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 20 Mar 2012 21:32:43 +0100
+
+apache2 (2.4.1-1) experimental; urgency=low
+
+ * Package the coming up 2.4 branch of Apache by packaging the current
+ GA release 2.4.1.
+ + Fix "IndexIgnore only allowes to add in vhost context, not replace"
+ (Closes: #296886)
+ + Fix "mod_status stats are wrong." (Closes: #519322)
+ + Fix "PNG DirectoryIndex icons transparancy messed up" (Closes: #233047)
+ + Fix "apache2-common: there should be a possibility to access the
+ parsed configuration" (Closes: #350285)
+ + Fix "AddOutputFilterByType is deprecated but used in deflate.conf"
+ (Closes: #601033)
+ + Fixes "Renegotiation on POST request fails intermittently"
+ (Closes: #601606)
+ + Allows configuring source address for proxy requests. (Closes: #465283)
+ + Supports CONNECT request through https. (Closes: #307298)
+ + New Upstream (2.4). (Closes: #662115)
+
+ * Refresh patches but leave all hunks unchanged where possible. Give all
+ * patches a ".patch" suffix, drop sequence numbers as they are not needed when
+ * using quilt. Notable changes are.
+ + [AT] 202_suexec-custom: Keep functionality as is, but rewrite smaller
+ parts of the patch to build two binaries: suexec-pristine and
+ suexec-custom (see below)
+ + [AT] 201_build_suexec-custom: Patch the makefile to build
+ "suexec-pristine" instead. Aside of that, refresh hunks.
+ + [AT] 010_fhs_compliance: Drop config.layout patches. These have been
+ applied upstream
+ + [JMV] Drop patches:
+ + 004_usr_bin_perl_0wnz_j00: printenv exemple doesn't refer to
+ /usr/local/bin/perl anymore
+ + 008_make_include_safe: Include doesn't support directory anymore.
+ Include dir/*.conf must be used.
+ + 009_apache2_has_dso: Upstream is no longer testing DSO is available. So
+ we don't need to remove that test anymore.
+ + [AT] customize_apxs.patch: Aggregate changes from various apxs2 patches,
+ drop obsolete hunks
+
+ [ Arno Töll ]
+
+ * Rewrite most parts of debian/rules / debhelper configuration.
+ + move cronjob and init script to debhelper configuration files
+ (apache2.cron.daily and apache2.init respectively)
+ + move man pages to debian/manpages
+ + Remove Ubuntu hacks in debian/rules, we expect them to carry Ubuntu
+ specifics in their own patch set, as it diverges already anyway.
+ + shake-up files installed in different packages
+ + Do not copy the source tree anymore, build package in place.
+ * Push standards version to 3.9.3 - no special changes required
+ * Refactor binary packages, now as things simplified. MPMs are simple
+ modules now, they can be bundled into the same binary package which do not
+ need to conflict with each other. Thus, Apache now primarily consists of the
+ following packages:
+ + apache2 - configuration files and init scripts, Debian specific helper
+ scripts
+ + apache2-bin - binaries and modules
+ + apache2-data - error pages and images
+ * Drop the ITK MPM entirely for now
+ * Consolidate development packages. As MPM packages are gone, we do not need
+ specific development packages either. Thus, drop all MPM specific apache2
+ development packages and provide a single apache2-dev package instead.
+ (Closes: #428095)
+ * Drop debian/source/options again: We do not need to ignore .svn directories
+ anymore since the new package management system is based on git and includes
+ the full source
+ * Rework the suexec mechanism. Now there are two suexec packages providing
+ alternatives through the update-alternatives mechanism. The untouched
+ upstream "suexec" binary is provided by the apache2-suexec-pristine package,
+ whereas the configurable suexec can be found in the apache2-suexec-custom
+ package. Both are providing the "suexec" binary which are managed by the
+ update-alternatives(9) mechanism.
+ This change is transparent to users at runtime and does not need any
+ configuration changes.
+ * Remove obsolete README.source file.
+ * Update doc-base metadata for the apache2-doc package
+ * Changes in the default configuration (not specific modules):
+ + On the head of the apache2.conf configuration file, give a short summary
+ how configuration of the Apache web server works in Debian.
+ + Drop NameVirtualHost entirely. It is deprecated (Closes: #511594)
+ + Remove DefaultType. It is deprecated.
+ + Replace Allow/Deny directives in the default configuration by using the
+ new Require directive. Load mod_access_compat if you rely on the old
+ syntax
+ + Replace LockFile by Mutex which consolidates all lock file
+ synchronization files among modules
+ + Update configuration to use the new IncludeOptional syntax
+ + Enable these modules by default: authz_core authz_host alias cgi dir
+ + Move MPM specific configuration to their respective configuration files.
+ Users can just load and unload MPMs like other modules, enable the worker
+ MPM by default
+ + Move per-site global configuration from conf.d to conf-available and
+ manage it similar to modules and sites. To do so, the new tools
+ "a2enconf" and "a2disconf" are provided. Moreover, such configuration
+ files need to have a .conf suffix now. The following configuration
+ files are enabled by default: charset localized-error-pages
+ other-vhosts-access-log security. These were enabled by default
+ previously, too (Closes: #620347, Closes: #605227).
+ This holds for apache2-doc as well, which is still enabled by default but
+ can be disabled easily anytime by using a2disconf (Closes: #604980).
+ + Give site configuration a .conf suffix, too. For example the default vhost
+ is called default.conf. Moreover, files without .conf suffix are ignored
+ upon startup. Please update your site links and confs. Also rename the
+ default vhost to 000-default.conf and don't do hacky things in a2enmod
+ anymore.
+ * Changes in a2enmod:
+ + Parse "Conflicts: " header to denote conflicts between modules which
+ cannot be loaded into the same Apache server.
+ + Remove dangling "module.conf" files, too. They were forgotten previously
+ if they existed and only the "module.load" file was removed.
+ + Extend the tool to support conf-available/conf-enabled directories (see
+ also configuration changes).
+ + Expect a .conf suffix for sites-enabled/sites-available configurations.
+ + Remove the default vhost special handling. Instead, we expect the default
+ host to be named appropripriately (for example 000-default.conf;
+ Closes: #605535).
+ * The following modules and associated configuration files were removed:
+ + mod_authz_default and mod_authn_default: Please use a proper
+ authentication module instead
+ + mod_mem_cache: Use mod_cache_disk instead
+ * The following modules and associated configuration files are provided (but
+ not enabled by default):
+ access_compat, allowmethods, authz_dbd, cache_disk, data, log_debug, lua
+ proxy_express, proxy_fcgi, proxy_fdpass, proxy_html, ratelimit, reflector
+ remoteip, request, session, session_cookie, session_crypto, session_dbd
+ (Closes: #400881)
+ * Provide a dh_apache2 debhelper which can be used by reverse dependencies to
+ install modules, module configuration files, site configuration files and
+ global configuration files which need to be registered to the Apache web
+ server.
+ Thus, dh_apache2 can be used for Apache web server modules and web
+ applications providing configuration files for Apache.
+ * Write apache2-maintscript-helper which packagers can use to interface in a
+ reliable way with the Apache 2 web server in maintainer scripts
+ * Document programming hints how to interface with the Apache 2 web server for
+ * packagers of web applications and module maintainer in
+ /usr/share/doc/apache2/PACKAGING.gz.
+ * Fix the watch file, thanks to Jean-Michel Vourgère for pointing out the
+ problem.
+ * Update debian/copyright and switch it to the copyright-format 1.0 (formerly
+ known as DEP5)
+
+ [ Stefan Fritsch ]
+
+ * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
+ * Only include conf.d/*.conf, not conf.d/*.
+ * Don't create httpd.conf anymore. Also, do a proper transition of existing
+ httpd.conf files to /etc/apache2/conf-available (Closes: #639383)
+ * Add "AddCharset" for .brf files in default mod_mime config.
+ (Closes: #402567)
+ * Update the README.Debian file
+
+ [ Jean-Michel Vourgère ]
+
+ * Update bash completion functions to reflect the new site setup. (Closes:
+ #657492)
+ * Migrate patches to DEP-3 format. For particular changes see the summary
+ above.
+
+ -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +0100
+
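Review bot: In the entry signed Mon, 19 Mar 2012, the line "* packagers of web applications and module maintainer in" carries a bullet although it continues the preceding "Document programming hints ..." item, so one change reads as two entries; drop the leading "*" and indent it as a continuation line. In the same entry the suexec item cites update-alternatives(9); that tool's manual page is not in section 9 (it was update-alternatives(8) in releases of that period), so the reference should be corrected. The a2enmod list also has "appropripriately", which is worth fixing in the same pass.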
+apache2 (2.2.22-3) unstable; urgency=low
+
+ * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch':
+ No such file or directory". Do not use internal rules targets which clash
+ with build target names ... (Closes: #667069)
+ * Drop apache2-dev virtual package. This had virtually no users but breaks our
+ experimental package in some cases (e.g. #666793)
+ * Push Standards version - no further changes
+ * Update my maintainer address
+
+ -- Arno Töll <arno@debian.org> Thu, 05 Apr 2012 13:21:42 +0200
+
+apache2 (2.2.22-2) unstable; urgency=low
+
+ [ Arno Töll ]
+ * Fix "Incorrect debhelper build dependency" by raising the build-dependency
+ of debhelper to 8.9.7 (Closes: #659148)
+
+ -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +0100
+
+apache2 (2.2.22-1) unstable; urgency=low
+
+ [ Stefan Fritsch ]
+ * New upstream release, urgency medium due to security fixes:
+ - Fix CVE-2012-0021: mod_log_config: DoS with '%{cookiename}C' log format
+ - Fix CVE-2012-0031: Unprivileged child process could cause the parent to
+ crash at shutdown
+ - Fix CVE-2012-0053: Exposure of "httpOnly" cookies in code 400 error
+ message.
+ * Move httxt2dbm to apache2-utils
+ * Adjust debian/control to point to new git repository.
+
+ [ Arno Töll ]
+ * Fix "typo in /etc/apache2/apache2.conf" (Closes: #653801)
+
+ -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +0100
+
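Review bot: The header of the 2.2.22-1 entry says urgency=low, but its first item reads "New upstream release, urgency medium due to security fixes" and lists CVE-2012-0021, CVE-2012-0031 and CVE-2012-0053. The urgency that tools act on is the header field, not the item text, so the header should carry urgency=medium to match the stated intent; otherwise the claim should be dropped from the item.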
+apache2 (2.2.21-5) unstable; urgency=low
+
+ [ Arno Töll ]
+ * Fix build failures introduced as regregression by the previous build. Debian
+ buildds aren't rebuilding arch:all packages which caused problems for our
+ unconditional copying into binary package. I was warned.
+
+ -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 17:36:41 +0100
+
+apache2 (2.2.21-4) unstable; urgency=low
+
+ [ Stefan Fritsch ]
+
+ * Security: Fix broken patch for CVE-2011-3607 (Integer overflow in
+ ap_pregsub).
+ * Optimize debian/rules again to improve build time by doing most work in a
+ single parallelized "build-%" target.
+
+ [ Arno Töll ]
+
+ * Fix "Suggest removing DefaultType from apache2.conf" change the DefaultType
+ from text/plain to None. This lets the browser guess a proper MIME type
+ instead of being forced to treat a given file according to our default type
+ (Closes: #440058)
+ * Fix "add pre-rotate hook to logrotate script" execute scripts in
+ /etc/logrotate.d/httpd-prerotate if available (Closes: #590096).
+ * Fix "Hide /icons index" Disables indexes on the icon directory. By upgrading
+ to Debian's 3.0/quilt source format also images don't need to be generated
+ at build time anymore. Hence, the icon date can no longer lead to
+ information disclosure (Closes: #649888).
+ * Upgrade package to 3.0/quilt.
+ + Remove uuencoded images, keep them in their binary format in debian/icons
+ + Upgrade to quilt from dpatch and refresh all patches by keeping all hunks
+ unchanged. Remove the `001_branding' patch by supplying -DPLATFORM at
+ build time where needed Move the 200_cp_suexec.dpatch patch and
+ 202_suexec-custom.dpatch patch to debian/rules. 200_cp_suexec.dpatch was a
+ script, not a patch which is not supported by quilt.
+ * Rewrite debian/rules and base it on dh(1).
+ + use overrides where possible, replace some debhelper calls by our own
+ implementation where needed. That's required since the Apache package is
+ compiled in parts several times for each MPM once.
+ + move some install operations to the their respective .install files
+ + Support dpkg-buildflags now, which also enables by default hardening
+ flags. Thus, remove them from their explicit appearance in debian/rules
+ + Remove DEB_BUILD_OPTIONS legacy support. It comes for free when using
+ dh(1)/dpkg-buildflags(1).
+ * Push debhelper compatibility to 8
+ * Remove unused Lintian overrides for the Debian source package remove and
+ redundant priorities in debian/control.
+ * Add myself to Uploaders
+
+ -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +0100
+
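Review bot: The 2.2.21-4 item "Security: Fix broken patch for CVE-2011-3607 (Integer overflow in ap_pregsub)" does not say what was wrong with the patch shipped in 2.2.21-3, so a reader cannot tell whether 2.2.21-3 was still exposed to the overflow or only misbehaved in some other way. Add a clause stating the effect of the broken patch, and reconsider urgency=low on this entry's header if the earlier fix was ineffective.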
+apache2 (2.2.21-3) unstable; urgency=medium
+
+ * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
+ reverse proxy configurations. (Similar to CVE-2011-3368, but different
+ attack vector.)
+ * Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
+ via malicious .htaccess.
+ * Mention dpkg-statoverride for changing permissions of suexec. LP: #897120
+ * Fix broken link in docs. Closes: #650528
+ * Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders.
+ Thanks for your work in the past.
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +0100
+
+apache2 (2.2.21-2) unstable; urgency=high
+
+ * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
+ reverse proxy configurations by strictly validating the request-URI.
+ * Correctly set permissions of suexec.load even if umask is 0002 during
+ build. LP: #872000
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 11 Oct 2011 22:54:47 +0200
+
+apache2 (2.2.21-1) unstable; urgency=low
+
+ * New upstream release.
+ - Fixes CVE-2011-3348: Possible denial of service in mod_proxy_ajp
+ if combined with mod_proxy_balancer
+
+ -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +0200
+
+apache2 (2.2.20-1) unstable; urgency=low
+
+ * New upstream release.
+ * Fix some regressions related to Range requests caused by the CVE-2011-3192
+ fix. Closes: #639825
+ * Add build-arch and build-indep rules targets to make Lintian happy.
+ * Bump Standards-Version (no changes).
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 04 Sep 2011 21:50:22 +0200
+
+apache2 (2.2.19-2) unstable; urgency=high
+
+ * Fix CVE-2011-3192: DoS by high memory usage for a large number of
+ overlapping ranges.
+ * Reduce default KeepAliveTimeout from 15 to 5 seconds.
+ * Use "linux-any" in build-deps. Closes: #634709
+ * Improve reload message of a2enmod. Closes: #639291
+ * Improve description of the prefork MPM. Closes: #634242
+ * Mention .conf files in a2enmod man page. Closes: #634834
+
+ -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +0200
+
+apache2 (2.2.19-1) unstable; urgency=low
+
+ * New upstream release.
+ - Makes apr-md5 the default algorithm for htpasswd, removing the 8
+ character limit of the crypt()-algorithm. Closes: #539246
+ - Fixes merging of IndexOptions. Closes: #394688
+ - Documents why order of ProxyPass and <Proxy> blocks matters in the
+ configuration. See "Workers" section in the mod_proxy documentation.
+ Closes: #560020
+ * For multiple instance setups, correctly determine the config dir in the
+ init script if it is called via a start/stop link. Closes: #627061
+ * Make a2enmod's restart hint more cut'n'paste friendly. LP: #770204
+ * Make it clear in README.multiple-instances that the MPMs are shipped
+ in the apache2.2-bin package.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +0200
+
+apache2 (2.2.17-3) unstable; urgency=low
+
+ * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049
+ * Fix link errors with -no-add-needed/--no-copy-dt-needed-entries in
+ htpasswd/htdbm.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2011 20:43:55 +0200
+
+apache2 (2.2.17-2) unstable; urgency=high
+
+ * New mpm_itk upstream version 2.2.17-01:
+ - Fix CVE-2011-1176: If NiceValue was set, the default with no
+ AssignUserID was to run as root:root instead of the default Apache user
+ and group, due to the configuration merger having an incorrect default
+ configuration. Closes: #618857
+ * Make exit code of '/etc/init.d/apache2 status' more LSB compatible.
+ Closes: #613969
+ * Set the default file descriptor limit to 8192 instead of whatever the
+ current limit is (usually 1024). Document how to change it in
+ /etc/apache2/envvars . Closes: #615632
+ * Fix typo in init script. Closes: #615866
+ * Add hint in README.Debian about 403 error with mod_dav PUT. Closes: #613438
+ * Remove some obsolete Depends and Replaces.
+
+ -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +0100
+
+apache2 (2.2.17-1) unstable; urgency=low
+
+ * New upstream version
+ * Disable md5 in mod_ssl default cipher suite. Closes: #609126
+ * Fix order of comments in "worker" section in apache2.conf. Closes: #608488
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +0100
+
+apache2 (2.2.16-6) unstable; urgency=low
+
+ * Also add $named to the secondary-init-script example.
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 01 Jan 2011 22:55:15 +0100
+
+apache2 (2.2.16-5) unstable; urgency=medium
+
+ * Add $named to the init script dependency header, since apache depends on
+ DNS in some configurations. Closes: #608437
+ * Update outdated description of /etc/apache2/magic in README.Debian.
+ Closes: #603586
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +0100
+
+apache2 (2.2.16-4) unstable; urgency=medium
+
+ * Increase the mod_reqtimeout default timeouts to avoid potential problems
+ with CRL-requesting browsers. Also extend the comments in reqtimeout.conf.
+ * Remove bogus comment in conf.d/security about default in the "release
+ after Lenny".
+ * Clarify comments in suexec-custom's default config file. LP: #673289
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +0100
+
+apache2 (2.2.16-3) unstable; urgency=high
+
+ * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
+ * Fix "Could not reliably determine the server's ..." error message in
+ README.Debian, to make it easier to search for it. Closes: #590528
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 09 Oct 2010 20:59:34 +0200
+
+apache2 (2.2.16-2) unstable; urgency=low
+
+ * Force -j1 for 'make install' to fix occasional FTBFS. Closes: #593036
+ * Add a note about the new behaviour of SSL/TLS renegotiation and the new
+ directive SSLInsecureRenegotiation to NEWS.Debian. Closes: #593334
+ * Support 'graceful' as alias for 'reload' in the init script.
+ * In README.Debian, suggest an Apache configuration change to get rid of the
+ "Could not reliably determine the server's fully qualified domain name"
+ warning, as alternative to changing DNS or /etc/hosts. Closes: #590528
+ * Add notes to README.Debian on how to reduce memory usage.
+ * Bump Standards-Version (no changes).
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +0200
+
+apache2 (2.2.16-1) unstable; urgency=medium
+
+ * Urgency medium for security fix.
+ * New upstream release:
+ - CVE-2010-1452: mod_dav, mod_cache: Fix denial of service vulnerability
+ due to incorrect handling of requests without a path segment.
+ - mod_dir: add FallbackResource directive, to enable admin to specify
+ an action to happen when a URL maps to no file, without resorting
+ to ErrorDocument or mod_rewrite
+ * Fix mod_ssl header line corruption because of using memcpy for overlapping
+ buffers. PR 45444. LP: #609290, #589611, #595116
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 24 Jul 2010 22:18:43 +0200
+
+apache2 (2.2.15-6) unstable; urgency=low
+
+ * Fix init script not correctly killing htcacheclean. Closes: #580971
+ * Add a separate entry in README.Debian about the need to use apache2ctl
+ for starting instead of calling apache2 directly. Closes: #580445
+ * Fix debug info to allow gdb loading it automatically. Closes: #581514
+ * Fix install target in Makefile created by apxs2 -n. Closes: #588787
+ * Fix ab sending more requests than specified by the -n parameter.
+ Closes: #541158
+ * Add apache2 monit configuration to apache2.2-commons examples dir.
+ Closes: #583127
+ * Build as PIE, since gdb in squeeze now supports it.
+ * Update the postrm script to also purge the version of /var/www/index.html
+ introduced in 2.2.11-7.
+ * Bump Standards-Version (no changes).
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +0200
+
+apache2 (2.2.15-5) unstable; urgency=low
+
+ * Conflict with apache package as we now include apachectl. Closes: #579065
+ * Remove conflicts with old apache 2.0 modules. The conflicts are not
+ necessary anymore as skipping a stable release is not supported anyway.
+ * Silence the grep in preinst.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 25 Apr 2010 10:46:09 +0200
+
+apache2 (2.2.15-4) unstable; urgency=low
+
+ * Move definition of other_vhosts_access.log to new config file
+ /etc/apache2/conf.d/other-vhosts-access-log, but disable it
+ if it has been disabled by the admin. Closes: #576572. LP: #507616
+ * Comment out the contents of mods-available/proxy.conf, as it just
+ is a nuisance for use of apache2 as a reverse proxy, which is much
+ more common than the use as forward proxy. Extend the comments
+ in the file.
+ * Change defaults or add example configs for some modules:
+ status.conf:
+ - enable ExtendedStatus by default
+ - enable ProxyStatus by default
+ - document SeeRequestTail directive
+ proxy_ftp.conf:
+ - set 'ProxyFtpDirCharset UTF-8' by default
+ ldap.conf:
+ - enable /ldap-status page, allow it from localhost by default
+ proxy_balancer.conf:
+ - add (disabled) example for /balancer-manager page
+ ssl.conf:
+ - document SSLStrictSNIVHostCheck directive
+ * Add symlink from apachectl to apache2ctl to be more compatible with
+ upstream. Apache httpd 1.3 hasn't been in Debian for some time.
+ * Simplify logrotate script. Closes: #576105
+ * Remove empty directory /usr/lib/debug/usr/sbin in mpm packages.
+ Closes: #576089
+ * Fix apxs2 to work with perl 5.12rc3. Closes: #577239
+ * Add source/format file to make lintian happy.
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 20 Apr 2010 23:11:09 +0200
+
+apache2 (2.2.15-3) unstable; urgency=low
+
+ * mod_reqtimeout: backport bugfixes from upstream trunk up to r928881,
+ including a fix for mod_proxy CONNECT requests.
+ * mod_dav_fs: Use correct permissions when creating new files. LP: #540747
+
+ -- Stefan Fritsch <sf@debian.org> Mon, 29 Mar 2010 22:16:24 +0200
+
+apache2 (2.2.15-2) unstable; urgency=low
+
+ * Make the Files ~ "^\.ht" block in apache2.conf more secure by adding
+ Satisfy all. Closes: #572075
+ * mod_reqtimeout: Various bug fixes, including:
+ - Don't mess up timeouts of mod_proxy's backend connections.
+ Closes: #573163
+
+ -- Stefan Fritsch <sf@debian.org> Wed, 10 Mar 2010 21:06:06 +0100
+
+apache2 (2.2.15-1) unstable; urgency=low
+
+ * New upstream version:
+ - CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability
+ - CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol
+ prefix injection attack.
+ - CVE-2010-0434: mod_headers: Fix potential information leak with threaded
+ MPMs.
+ - mod_reqtimeout: New module limiting the time waiting for receiving
+ a request from the client. This is a (partial) mitigation against
+ slowloris-type resource exhaustion attacks. The module is enabled by
+ default. Closes: #533661
+ - mod_ssl: Add SSLInsecureRenegotiation directive to allows insecure
+ renegotiation with clients which do not yet support the secure
+ renegotiation protocol. As this requires openssl 0.9.8m, bump
+ build dependency accordingly.
+ * Fix bash completion for a2ensite if the site name contains 'conf' or
+ 'load'. Closes: #572232
+ * Do a configcheck in the init script before doing a non-graceful restart.
+ Closes: #571461
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 07 Mar 2010 23:22:56 +0100
+
+apache2 (2.2.14-7) unstable; urgency=low
+
+ * Fix potential memory leaks related to the usage of apr_brigade_destroy().
+ * Add hints about correct mod_dav_fs configuration to README.Debian.
+ Closes: #257945
+ * Fix error in Polish translation of 404 error page. Closes: #570228
+ * Document ThreadLimit in apache2.conf's comments.
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 20 Feb 2010 12:38:30 +0100
+
+apache2 (2.2.14-6) unstable; urgency=low
+
+ * Use environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR, and
+ APACHE_LOG_DIR in the default configuration. If you have modified
+ /etc/apache2/envvars, make sure that these variables are set and exported.
+ * Add support for multiple apache2 instances to initscript and apache2ctl.
+ See /usr/share/doc/apache2.2-common/README.multiple-instances for details.
+ Closes: #353450
+ * Set default compiled-in ServerRoot to /etc/apache2 and make paths in
+ apache2.conf relative to ServerRoot.
+ * Move ab and logresolve from /usr/sbin to /usr/bin. Closes: #351450, #564061
+ * Fix symlinks in apache2-dbg package. Closes: #567076
+ * Fix mod_cache CacheIgnoreURLSessionIdentifiers handling. Closes: #556383
+ * Add new init script action graceful-stop (LP: #456381)
+ * Add more languages to mime.conf. To limit this to useful entries, we only
+ add those for which a translation of the Debian intaller exists. LP: #217964
+ * Unset $HOME in /etc/apache2/envvars.
+ * Change default config of mod_info and mod_status to use IP addresses
+ instead of hostnames. Otherwise the hostname is sometimes logged even with
+ 'HostnameLookup Off'. Closes: #568409
+ * Add a hook to apache2.2-common's postrm script that may come in handy
+ when upgrading to 2.4.
+ * Make bug script also display php extensions.
+ * Bump Standards-Version (no changes).
+ * Remove Adam Conrad from Uploaders. Thanks for your work in the past.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +0100
+
+apache2 (2.2.14-5) unstable; urgency=low
+
+ * Security: Further mitigation for the TLS renegotation attack
+ (CVE-2009-3555): Disable keep-alive if parts of the next request have
+ already been received when doing a renegotiation. This defends against
+ some request splicing attacks.
+ * Print a useful error message if 'apache2ctl status' fails. Add a comment
+ to /etc/apache2/envvars on how to change the options for www-browser.
+ Closes: #561496, #272069
+ * Improve function to detect apache2 pid in init-script (closes: #562583).
+ * Add hint README.Debian on how to pass auth info to CGI scripts.
+ Closes: #483219
+ * Re-introduce objcopy magic to avoid dangling symlinks to the debug info
+ in the mpm packages. Closes: #563278
+ * Make apxs2 use a2enmod and /etc/apache2/mods-available. Closes: #470178,
+ LP: #500703
+ * Point to README.backtrace in apache2-dbg's description.
+ * Use more debhelper functions to simplify debian/rules.
+ * Add misc-depends to various packages to make lintian happy.
+ * Change build-dep from libcap2-dev to libcap-dev because of package rename.
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +0100
+
+apache2 (2.2.14-4) unstable; urgency=low
+
+ * Disable localized error pages again by default because they break
+ configurations with "<Location /> SetHandler ...". A workaround is
+ described in the comments in /etc/apache2/conf.d/localized-error-pages
+ (closes: #543333).
+ * mod_rewrite: Fix URLs in redirects with literal IPv6 hosts
+ (closes: #557015).
+ * Automatically listen on port 443 if mod_gnutls is loaded (closes: #558234).
+ * Add man page for split-logfile.
+ * Link with -lcrypt where necessary to fix a FTBFS with binutils-gold
+ (closes: #553946).
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 13 Dec 2009 20:05:37 +0100
+
+apache2 (2.2.14-3) unstable; urgency=low
+
+ * Backport various mod_dav/mod_dav_fs fixes from upstream trunk svn. This
+ includes:
+ - Make PUT replace files atomically (closes: #525137).
+ - Make MOVE not delete the destination if the source file disappeared in
+ the meantime (closes: #273476).
+ NOTE: The format of the DavLockDB has changed. The default DavLockDB will
+ be deleted on upgrade. Non-default DavLockDBs should be deleted manually.
+ * Fix output of "/etc/init.d/apache2 status" (closes: #555687).
+ * Update the comment about SNI in ports.conf (closes: #556932).
+ * Set redirect-carefully for Konqueror/4.
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 21 Nov 2009 10:20:54 +0100
+
+apache2 (2.2.14-2) unstable; urgency=medium
+
+ * Security:
+ Reject any client-initiated SSL/TLS renegotiations. This is a partial fix
+ for the TLS renegotiation prefix injection attack (CVE-2009-3555).
+ Any configuration which requires renegotiation for per-directory/location
+ access control is still vulnerable.
+ * Allow RemoveType to override the types from /etc/mime.types. This allows
+ to use .es and .tr for Spanish and Turkish files in mod_negotiation.
+ Closes: #496080
+ * Fix 'CacheEnable disk http://'. Closes: #442266
+ * Fix missing dependency by changing killall to pkill in the init script.
+ LP: #460692
+ * Add X-Interactive header to init script as it may ask for the ssl key
+ passphrase. Closes: #554824
+ * Move httxt2dbm man page into apache2.2-bin, which includes httxt2dbm, too.
+ * Enable keepalive for MSIE 7 and newer in default-ssl site and README.Debian
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +0100
+
+apache2 (2.2.14-1) unstable; urgency=low
+
+ * New upstream version:
+ - new module mod_proxy_scgi
+ * Disable hardening option -pie again, as gdb in Debian does not support
+ it properly and it is broken on mips*.
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 29 Sep 2009 20:55:05 +0200
+
+apache2 (2.2.13-2) unstable; urgency=high
+
+ * mod_proxy_ftp security fixes (closes: #545951):
+ - DoS by malicious ftp server (CVE-2009-3094)
+ - missing input sanitization: a user could execute arbitrary ftp commands
+ on the backend ftp server (CVE-2009-3095)
+ * Add entries to NEWS.Debian and README.Debian about Apache being stricter
+ about certain misconfigurations involving name based SSL virtual hosts.
+ Also make Apache print the location of the misconfigured VirtualHost when
+ it complains about a missing SSLCertificateFile statement. Closes: #541607
+ * Add Build-Conflicts: autoconf2.13 (closes: #541536).
+ * Adjust priority of apache2-mpm-itk to extra.
+ * Switch apache2.2-common and the four mpm packages from architecture all to
+ any. This is stupid but makes apache2 binNMUable again (closes: #544509).
+ * Bump Standards-Version (no changes).
+
+ -- Stefan Fritsch <sf@debian.org> Wed, 16 Sep 2009 20:55:02 +0200
+
+apache2 (2.2.13-1) unstable; urgency=low
+
+ * New upstream release:
+ - Fixes segfault with mod_deflate and mod_php (closes: #542623).
+
+ -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +0200
+
+apache2 (2.2.12-1) unstable; urgency=low
+
+ * New upstream release:
+ - Adds support for TLS Server Name Indication (closes: #461917 LP: #184131).
+ (The Debian default configuration will be changed to use SNI in a later
+ version.)
+ - Fixes timefmt config in SSI (closes: #363964).
+ - mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
+ to enable stricter checking of remote server certificates.
+ * Make mod_deflate not compress the content for HEAD requests. This is a
+ similar issue as CVE-2009-1891.
+ * Enable hardening compile options.
+ * Switch default LogFormat from %b (size of file sent) to %O (bytes actually
+ sent) (closes: #272476 LP: #255124)
+ * Add the default LANG=C to /etc/apache2/envvars and document it in
+ README.Debian (closes: #511878).
+ * Enable localized error pages by default if the necessary modules are
+ loaded. Move the config for it from apache2.conf to
+ /etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the
+ required order of the aliases in the comment (closes: #196795).
+ * Change default for ServerTokens to 'OS', to not announce the exact module
+ versions to the world (LP: #205996)
+ * Make a2ensite and friends ignore the same filenames as apache does for
+ included config files, even if LANG is not C.
+ * Merge source packages apache2 and apache2-mpm-itk (current itk version is
+ 2.2.11-02). This removes the binNMU mess necessary for every apache2 upload
+ (closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src
+ package, which is no longer necessary.
+ * Ship our own version of the magic config file (taken from file 4.17-5etch3)
+ which is still compatible with mod_mime_magic (closes: #483111).
+ * Add ThreadLimit to the default config and put ThreadsPerChild and
+ MaxClients into the correct order so that Apache does not complain
+ (closes: #495656).
+ Also add a configuration block for the event MPM in apache2.conf.
+ * Fix HTTP PUT with mod_dav failing to detect an aborted connection
+ (closes: #451563).
+ * Change references to httpd.conf in apache2-doc to apache2.conf
+ (closes: #465393).
+ * Clarify the recommended permissions for SSL certificates in README.Debian
+ (closes: #512778).
+ * Document in README.Debian how to name files in conf.d to avoid conflicts
+ with packages (closes: #493252)
+ * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
+ * Remove other_vhosts_access.log on package purge.
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +0200
+
+apache2 (2.2.11-7) unstable; urgency=low
+
+ * Security fixes:
+ - CVE-2009-1890: denial of service in mod_proxy
+ - CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
+ * Add symlinks for the debug info to the mpm packages.
+ * Be slightly more informative in the default index.html without pointing
+ to Apache or Debian (LP: #89364)
+ * Remove dependency on net-tools, which is no longer necessary
+ (closes: #535849)
+ * Bump Standards-Version (no changes)
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +0200
+
+apache2 (2.2.11-6) unstable; urgency=high
+
+ * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
+ Side Includes (closes: #530834).
+ * Fix postinst scripts (closes: #532278).
+
+ -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +0200
+
+apache2 (2.2.11-5) unstable; urgency=low
+
+ * Move all binaries into a new package apache2.2-bin and make
+ apache2.2-common depend on it. This allows to
+ - run apache as user process only, e.g. with gnome-user-share.
+ Closes: #468690
+ - run multiple instances of apache with different MPMs. This configuration
+ is not supported in any way, though. Closes: #517572
+ * Switch to debhelper compatibility level 7 and remove some code duplication
+ in debian/rules.
+ * Override some Lintian warnings about old autotools helper files and being
+ not binNMUable (apache2 is not binNMUable anyway, because of the
+ apache2 <-> apache2-mpm-itk dependency).
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 22 May 2009 19:30:20 +0200
+
+apache2 (2.2.11-4) unstable; urgency=low
+
+ [ Stefan Fritsch ]
+ * Disable TRACE method by default (closes: #492130).
+ * Compress some more mime types with mod_deflate by default. This may cause
+ problems with MSIE 6, but that browser should now be considered obsolete.
+ Closes: #397526, #521209
+ * Various backports from upstream svn branches/2.2.x:
+ - CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous
+ request which failed to send a request body
+ - Fix FollowSymlinks / SymlinksIfOwnerMatch ignored with
+ server-side-includes PR 45959 (closes: #524474)
+ - Fix mod_rewrite "B" flag breakage PR 45529 (closes: #524268)
+ - Fix mod_deflate etag handling PR 45023 (LP: #358314)
+ - Fix mod_ldap segfault if LDAP initialization failed PR 45994
+ * Allow apache2-mpm-itk as alternate dependency in apache2 meta package
+ (closes: #527225).
+ * Fix some misuse of command substitution in the init script. Thanks to
+ Jari Aalto for the patch. (Closes: #523398)
+ * Extend the gnome-vfs DAV workaround to gvfs (closes: #522845).
+ * Add more info to check_forensic man page (closes: #528424).
+ * Make "apache2ctl help" point to help on apache2 args (closes: #528425).
+ * Lintian warnings:
+ - fix spelling error in apache2-utils description
+ - tweak debian/copyright to make lintian not complain about pointers to GPL
+ - bump standards-version (no changes)
+
+ [ Peter Samuelson ]
+ * Adjust sections to match recent ftpmaster overrides.
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +0200
+
+apache2 (2.2.11-3) unstable; urgency=low
+
+ * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
+ (see #521899). This also creates the dependencies on the new external
+ libaprutil1-dbd-* and libaprutil1-ldap packages.
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +0200
+
+apache2 (2.2.11-2) unstable; urgency=low
+
+ * Report an error instead instead of segfaulting when apr_pollset_create
+ fails (PR 46467). On Linux kernels since 2.6.27.8, the value in
+ /proc/sys/fs/epoll/max_user_instances needs to be larger than twice the
+ value of MaxClients in the Apache configuration. Closes: #511103
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +0100
+
+apache2 (2.2.11-1) unstable; urgency=low
+
+ [Thom May]
+ * New Upstream Version (Closes: #508186, LP: #307397)
+ - Contains rewritten shmcb code which should fix alignment problems on
+ alpha (Closes: #419720).
+ - Notable new features: chroot support, mod_proxy improvements.
+
+ [Ryan Niebur]
+ * fix segfault in ab when being verbose on ssl sites (Closes: #495982)
+ * remove trailing slash for DocumentRoot (Closes: #495110)
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +0100
+
+apache2 (2.2.9-11) unstable; urgency=low
+
+ * Regression fix from upstream svn for mod_proxy:
+ Prevent segmentation faults by correctly adjusting the lifetime of the
+ buckets read from the proxy backend. PR 45792
+ * Fix from upstream svn for mpm_worker:
+ Crosscheck that idle workers are still available before using them and
+ thus preventing an overflow of the worker queue which causes a SegFault.
+ PR 45605
+ * Add a comment to ports.conf to point to NEWS.Debian.gz in case of
+ upgrading problems.
+
+ -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +0100
+
+apache2 (2.2.9-10) unstable; urgency=low
+
+ * Regression fix from upstream svn for mod_proxy_http:
+ Don't trigger a retry by the client if a failure to read the response line
+ was the result of a timeout.
+
+ -- Stefan Fritsch <sf@debian.org> Wed, 01 Oct 2008 11:50:18 +0200
+
+apache2 (2.2.9-9) unstable; urgency=medium
+
+ * Revert the attempted fix for #496080 because it did not work due to
+ upstream PR 38330. Instead, document the problem and possible workarounds
+ in README.Debian.
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 12 Sep 2008 11:39:15 +0200
+
+apache2 (2.2.9-8) unstable; urgency=low
+
+ * Fix Spanish language support which was broken by .es being added to
+ /etc/mime.types for application/ecmascript. (Closes: #496080)
+ * Correct description of ServerTokens in /etc/apache2/conf.d/security.
+ (Closes: #497362)
+ * Clarify how to use apache2ctl to pass arbitrary arguments to
+ apache2. (LP: #259363)
+ * Add hints to README.Debian about the messages
+ "NameVirtualHost *:80 has no VirtualHosts" and
+ "File does not exist: /htdocs".
+
+ -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +0200
+
+apache2 (2.2.9-7) unstable; urgency=low
+
+ * Fix XSS in mod_proxy_ftp (CVE-2008-2939).
+ * Fix mod_proxy_http losing the query string with noescape (PR 45247).
+ * Make the balancer manager work in Opera and MSIE (PR 45578).
+ * Fix mod_headers "edit" removing multiple headers with the same name (PR
+ 45333).
+ * Also describe how to get a backtrace from a running process in
+ README.backtrace.
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 08 Aug 2008 19:27:40 +0200
+
+apache2 (2.2.9-6) unstable; urgency=high
+
+ * Urgency high for RC bug fix.
+ * Fix SIGBUS on SPARC by preventing gcc from optimizing some memcpy calls
+ away. (Closes: #485525)
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 20 Jul 2008 10:17:19 +0200
+
+apache2 (2.2.9-5) unstable; urgency=medium
+
+ * Urgency medium to get this into testing before the freeze.
+ * Remove IPv6 patch that was necessary for very old kernels but creates
+ problems on systems with current kernels and net.ipv6.bindv6only = 1.
+ Apache will now always create its sockets with IPV6_V6ONLY set to 0.
+ (Closes: #391280)
+
+ -- Stefan Fritsch <sf@debian.org> Mon, 07 Jul 2008 21:20:48 +0200
+
+apache2 (2.2.9-4) unstable; urgency=low
+
+ * Make postinst more quiet. (Closes: #489153)
+ * Add Turkish language support. (Closes: #489224)
+ * Remove duplicate comments in sites-available/default-ssl. (Closes: #489383)
+ * Describe in NEWS.Debian how to revert to the old NameVirtualHost config.
+ (Closes: #489215)
+ * Redirect apache2 bug reports to apache2.2-common, to get useful dependency
+ information.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +0200
+
+apache2 (2.2.9-3) unstable; urgency=low
+
+ [ Stefan Fritsch ]
+ * Move NameVirtualHost directive to ports.conf and switch from "*" to
+ "*:80". (Closes: #314606, #486286)
+ * Comment out the CacheEnable line in disk_cache.conf. It would have caused
+ problems with Etch to Lenny upgrades.
+ * Change the minimum user id for suexec back to 100, the new value of 1000
+ was too disruptive for existing configurations. (Closes: #488821)
+ * Add a default SSL virtual host. (Closes: #267477)
+ - Use snakeoil certificate by default (if ssl-cert is installed).
+ (Closes: #293524, #446765)
+ - Document this in README.Debian.
+ (Closes: #293469, #293519, #398520, #395823)
+ - Add MSIE workarounds. (Closes: #421802)
+ - Add ssl-cert to Recommends.
+ * Add a new config file /etc/apache2/conf.d/security with some vaguely
+ security related diectives. (Closes: #260063)
+ * Adjust mod_userdir accordingly. Also add "AllowOverride Indexes" for the
+ home directories.
+ * Disable SSLv2 by default. It is insecure. Also only enable ciphers with
+ key lengths of at least 128 bit.
+ * Make the init script complain about a missing $APACHE_PID_FILE during
+ "start", too, and not only during "stop" or "restart". This makes it more
+ obvious that /etc/apache2/envvars has to be updated. (Closes: #473982)
+ * Add hint about the "..., using 127.0.0.1 for ServerName" warning to
+ README.Debian. (Closes: #457708)
+ * Add hint about the "could not create rewrite_log_lock" error message to
+ README.Debian. (Closes: #450831)
+ * Remove empty dir from apache2-doc to fix Lintian warning.
+ * Always pass -g to gcc instead of relying on dpkg-buildpackage to set
+ CFLAGS. We always want the debug info for the apache2-dbg package.
+
+ [ Ryan Niebur ]
+ * Upgraded to policy 3.8.0
+ - added support for noopt in DEB_BUILD_OPTIONS
+ - added a README.source
+ - added support for parallel in DEB_BUILD_OPTIONS
+ * Dropped XS- from the Vcs fields in control
+
+ -- Stefan Fritsch <sf@debian.org> Wed, 02 Jul 2008 10:15:57 +0200
+
+apache2 (2.2.9-2) unstable; urgency=low
+
+ * Make the init script use normal 'stop' instead of 'graceful-stop' again:
+ With graceful-stop, it can take a long time until all child processes have
+ closed their listening sockets and there is no way for the init script to
+ know when it is save to start apache again. This could make the restart of
+ apache fail. (Closes: #486629, #463338)
+ * Improve package descriptions, thanks to Justin B Rye. (Closes: #486855)
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 21 Jun 2008 12:22:17 +0200
+
+apache2 (2.2.9-1) unstable; urgency=low
+
+ * New upstream release. Notable changes:
+ - mod_proxy_http: Better handling of excessive interim responses from
+ origin server to prevent potential denial of service and high memory
+ usage (CVE-2008-2364).
+ - mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager
+ (CVE-2007-6420).
+ - Worker / Event MPM: Fix race condition in pool recycling that leads to
+ segmentation faults under load. (Closes: #484800)
+ - mod_proxy: Keep connections to the backend persistent in the HTTPS case.
+ - mod_proxy: Support environment variable interpolation in reverse
+ proxying directives.
+ - mod_headers: Add 'merge' option to avoid duplicate values within the
+ same header.
+ - mod_substitute: The default is now flattening the buckets after each
+ substitution. The newly added 'q' flag allows for the quicker, more
+ efficient bucket-splitting.
+ * Shorten the init script's waiting period during 'restart' from 10 to 4
+ seconds. This should still be plenty to allow the apache processes to
+ close their listening sockets. Make the wait even shorter if apache dies
+ faster. (Closes: #479136)
+ * Fix some lintian warnings:
+ - Add some missing patch descriptions.
+ - Point to /usr/share/common-licenses instead of including the license in
+ the copyright file.
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 14 Jun 2008 08:29:41 +0200
+
+apache2 (2.2.8-5) unstable; urgency=low
+
+ * Replace a2{en,dis}{mod,site} by a rewritten version that
+ - supports wildcards (Closes: #373969).
+ - can be influenced with environment variables (Closes: #349716).
+ - checks existing symlinks for correctness (Closes: #409970).
+ - allows to remove dead symlinks (Closes: #480893).
+ * Move suexec suid helper program to a separate package apache2-suexec,
+ which is not installed by default. Provide an alternative version of
+ suexec, which can be customized with a config file. This can be found in
+ the apache2-suexec-custom package. Closes: #312252, #266835
+ * Some more suexec fixes:
+ - Fix race condition when changing directories.
+ - Accept only /var/www/*, and not /var/www*. The same for public_html/*
+ instead of public_html* (CVE-2007-1742).
+ - Raise the minimum userid that suexec may change to from 100 to 1000.
+ * Enable mod_deflate in new installs.
+ * Include config.nice in apache2-src. This hopefully allows apache2-mpm-itk
+ to drop the build-dependency on apache2-prefork-dev.
+ * Mention environment variables in apache2 and apache2ctl man pages and point
+ to README.Debian. (Closes: #475150)
+ * Drop unneeded build-dep on libtool.
+ * Drop obsolete apache2-mpm-perchild package (closes: #477522).
+ * Don't fail in postinst if there is a dangling symlink /var/www/index.html.
+ * Fix typo in bug number in 2.2.8-3 changelog entry.
+ * Use dh_lintian in debian/rules.
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 31 May 2008 17:02:03 +0200
+
+apache2 (2.2.8-4) unstable; urgency=high
+
+ * Urgency high for DoS vulnerability fix.
+ * Fix memory leak in mod_ssl with zlib compression.
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 13 May 2008 22:31:37 +0200
+
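Review bot: the 2.2.8-4 entry sets urgency=high "for DoS vulnerability fix", but its only change line, "Fix memory leak in mod_ssl with zlib compression", carries no CVE identifier and no "Closes:" bug number, so the upload cannot be matched to an advisory from the changelog alone. The neighbouring security entries do cite their identifiers (CVE-2008-2364 and CVE-2007-6420 in 2.2.9-1, CVE-2007-1742 in 2.2.8-5), and 2.2.6-2 already set the precedent with "Add CVE reference to 2.2.6-1 changelog entry". Suggest adding the identifier or bug reference to this line in the same way, if one was assigned.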
+apache2 (2.2.8-3) unstable; urgency=low
+
+ * mod_cache: Handle If-Range correctly if the cached resource was stale
+ (closes: #470652).
+ * mod_autodindex: Use UTF-8 as character set for filenames in the default
+ configuration. Change this in autoindex.conf if you are still using
+ ISO-8859-1.
+ * Introduce APACHE_RUN_DIR and APACHE_LOCK_DIR in apache2ctl. Also, make it
+ use APACHE_RUN_USER instead of APACHE2_RUN_USER, to be consistent with
+ apache2.conf.
+ * Add 'status' function to init script (adapted from patch by Dustin
+ Kirkland).
+ * Don't build the modules three times. We are only shipping one set of them,
+ anyway. (Inspired by the Fedora package.)
+ * Remove Fabio M. Di Nitto from the uploaders field (thanks for your work).
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 14 Mar 2008 10:57:19 +0100
+
+apache2 (2.2.8-2) unstable; urgency=low
+
+ * Provide a fallback access log (other_vhosts_access.log) and a suitable
+ LogFormat (vhost_combined) for VirtualHosts that don't define their own
+ log file. (Closes: #313430)
+ * Fix broken symlink to README.Debian.gz and typos in the file
+ (closes: #461462).
+ * Improve generation of password salts in htpasswd (closes: #469271).
+ * Point VCS tags in debian control to trunk, to make them useful with
+ debcheckout.
+ * Add missing ${APACHE_ARGUMENTS} to *) case in apache2ctl.
+ * In upgrades from etch, replace /etc/apache2/default without asking also in
+ the NO_START=1 case, in order to not break piuparts (closes: #466367).
+ * Print file name where "Useless use of AllowOverride" occurred.
+ (Closes: #410334)
+ * Make bugreport script source /etc/apache2/envvars before calling apache2.
+ * Add note about MSIE SSL workaround to README.Debian.
+ * Don't ship empty /var/www/apache2-default in apache2-doc.
+ (Closes: #469145)
+ * mod_autoindex: Use the bomb icon only for the name 'core', not for
+ '*core'. (Closes: #467480)
+ * Include module name in a2enmod error messages (closes: #461341).
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 08 Mar 2008 12:28:14 +0100
+
+apache2 (2.2.8-1) unstable; urgency=low
+
+ * New upstream version:
+ - Fixes cross-site scripting issues in
+ o mod_imagemap (CVE-2007-5000)
+ o mod_status (CVE-2007-6388)
+ o mod_proxy_balancer's balancer manager (CVE-2007-6421)
+ - Fixes a denial of service issue in mod_proxy_balancer's balancer manager
+ (CVE-2007-6422).
+ - Fixes mod_proxy URL encoding in error messages (closes: #337325).
+ - Adds explicit charset to the output of various modules to work around
+ possible cross-site scripting flaws affecting web browsers that do not
+ derive the response character set as required by RFC2616. For
+ mod_proxy_ftp there is now the new ProxyFtpDirCharset directive to
+ specify something else than ISO-8859-1 (CVE-2008-0005).
+ - Adds mod_substitute which performs inline response content pattern
+ matching (including regex) and substitution (like mod_line_edit).
+ - Adds "DefaultType none" option.
+ - Adds new "B" option to RewriteRule to suppress URL unescaping.
+ - Adds an "if" directive for mod_include to test whether an URL is
+ accessible, and if so, conditionally display content.
+ - Adds support for mod_ssl to the event MPM.
+ * Move the configuration of User, Group, and PidFile to
+ /etc/apache2/envvars. This makes it easier to use these settings in
+ scripts. /etc/apache2/envvars can now also be used to influence apache2ctl
+ (inspired by Marc Haber's patch). (Closes: #349709, #460105, #458085)
+ * Make apache2ctl check the configuration syntax before trying to restart
+ apache, to match the behaviour documented in the man page.
+ (Closes: #459236)
+ * Convert docs to be directly viewable with a browser (and not use content
+ negotiation).
+ * Add doc-base entry for the documentation. (closes: #311269)
+ * Don't ship default files in /var/www, but copy a sample file to
+ /var/www/index.html on new installs. Also remove the now unneeded
+ RedirectMatch line from sites-available/default.
+ (Closes: #411774, #458093)
+ * Add some information to README.Debian (Apache wiki, default virtual host)
+ * Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary
+ dependencies, easing library transitions (closes: #458857).
+ * Add icons for OpenDocuments, add sharutils to Build-Depends for uudecode.
+ Patch by Nicolas Valcárcel. (Closes: #436441)
+ * Add reportbug script to list enabled modules.
+ * Fix some lintian warnings:
+ - Pass --no-start to dh_installinit instead of omitting the debhelper token
+ in various maintainer scripts. Also move the update-rc.d call to
+ apache2.2-common.
+ - Add Short-Description to init script.
+ * Remove unused apache2-mpm-prefork.prerm from source package and clean up
+ debian/rules a bit.
+ * Don't ship NEWS.Debian with apache2-utils, as the contents are only
+ relevant for the server.
+
+ -- Stefan Fritsch <sf@debian.org> Thu, 17 Jan 2008 20:27:56 +0100
+
+apache2 (2.2.6-3) unstable; urgency=low
+
+ * Allocate fewer bucket brigades in case of a flush bucket. This might help
+ with the memory leaks reported in #399776 and #421557.
+ * Escape the HTTP method in error messages to avoid potential cross site
+ scripting vulnerabilities (CVE-2007-6203).
+ * Update 053_bad_file_descriptor_PR42829.dpatch to avoid a race condition.
+ * Redirect /doc/apache2-doc/manual/ to /manual/ in the apache2-doc config
+ (Closes: #450867).
+ * Add icons for .ogg and .ogm (Closes: #255443).
+ * Add comment about how to log X-Forwarded-For (Closes: #425008).
+ * Make mod_proxy_balancer not depend on mod_cache.
+ * Add Homepage field to debian/control.
+ * Add/fix some lintian overrides, fix some warnings.
+ * Bump Standards-Version (no changes).
+
+ -- Stefan Fritsch <sf@debian.org> Fri, 07 Dec 2007 22:38:59 +0100
+
+apache2 (2.2.6-2) unstable; urgency=low
+
+ * Avoid calling apr_pollset_poll() and accept_func() when the listening
+ sockets have already been closed on graceful stop or reload. This
+ hopefully fixes processes not being killed (closes: #445263, #447164)
+ and the "Bad file descriptor: apr_socket_accept: (client socket)"
+ error message (closes: #400918, #443310)
+ * Allow logresolve to process long lines (Closes: #331631)
+ * Remove duplicate config examples (Closes: #294662)
+ * Include README.backtrace describing how to create a backtrace
+ * Add CVE reference to 2.2.6-1 changelog entry
+
+ -- Stefan Fritsch <sf@debian.org> Thu, 18 Oct 2007 19:35:40 +0200
+
+apache2 (2.2.6-1) unstable; urgency=low
+
+ * New upstream release
+ - fixes mod_proxy DoS for threaded MPMs (CVE-2007-3847)
+ - fixes spurious warning for valid wildcard certificates (Closes: #414855)
+ - adds warning that htpasswd is not setuid safe (Closes: #356285)
+ - adds Type and Charset options to IndexOptions directive,
+ allowing a workaround for buggy browsers affected by CVE-2007-4465
+ - adds new ProxyPassMatch directive
+ * Add index.htm to the default DirectoryIndex configuration
+ (Closes: #439375)
+ * Use apache2ctl in init script (Closes: #439027)
+ * make init script less noisy (Closes: #438950)
+ * improve NEWS entry (Closes: #440084)
+
+ -- Stefan Fritsch <sf@debian.org> Thu, 06 Sep 2007 23:54:42 +0200
+
+apache2 (2.2.4-3) unstable; urgency=low
+
+ [ Stefan Fritsch ]
+ * enable default site on new installs again (Closes: #436341)
+ * make mod_authn_dbd depend on mod_dbd
+ * make a2dissite return 0 if a site is already disabled (Closes: #435398)
+ * make a2 scripts print errors to stderr (Closes: #435400)
+ * move TypesConfig directive from apache2.conf to mime.conf
+ (Closes: #434248)
+
+ [ Adam Conrad ]
+ * Special case apache2-dbg magic in debian/rules, so we don't do
+ this on Ubuntu, which has an archive of detached debug packages.
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 07 Aug 2007 20:49:28 +0200
+
+apache2 (2.2.4-2) unstable; urgency=low
+
+ * Modularize config: Move module specific configuration from apache2.conf
+ to mods-available/*conf (Closes: #338472)
+ * Remove the NO_START kludge. Now you have to use rc*.d symlinks to disable
+ apache2. (Closes: #408462, #275561)
+ * Create run and lock directores in apache2ctl to make it work on fresh
+ installations before the first call of the init script. Together with
+ the previous item, this closes: #418499
+ * Disable AddDefaultCharset again (Closes: #397886)
+ * Make ports.conf, conf.d/charset, and /etc/default/apache2 conffiles
+ managed by dpkg
+ * Listen on port 443 by default if mod_ssl is loaded (Closes: #404598)
+ * Add logic to start htcacheclean as daemon or cronjob. The configuration
+ is in /etc/default/apache2
+ * Fix security issues:
+ - CVE-2007-3304: prevent parent process to send SIGUSR1 to arbitrary
+ processes
+ - CVE-2006-5752: XSS in mod_status
+ * Add init.d dependency info from insserv overrides to /etc/init.d/apache2
+ * Replace apachectl with apache2ctl in docs (Closes: #164493)
+ * Add usage message to apache2ctl (Closes: #359008)
+ * Make -dev packages priority extra
+ * Add secure example cipher/protocol configuration to ssl.conf
+ * Update watch file (Closes: #433552)
+ * Bump dh_compat to 5
+ * Add new package apache2-dbg with debugging symbols
+ * Fix mod_cache returning 304 instead of 200 on HEAD requests
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 03 Jul 2007 21:23:40 +0200
+
+apache2 (2.2.4-1) unstable; urgency=medium
+
+ [ Stefan Fritsch ]
+ * Urgency medium for security fix
+ * Fix CVE-2007-1863: DoS in mod_cache
+ * New upstream version (Closes: #427050)
+ - Fixes "proxy: error reading status line from remote server"
+ (Closes: #410331)
+ * Fix CVE-2007-1862: mod_mem_cache DoS (introduced in 2.2.4)
+ * Change logrotate script to use reload instead of restart.
+ (Closes: #298689)
+ * chmod o-rx /var/log/apache2 (Closes: #291841)
+ * chmod o-x suexec (Closes: #431048)
+ * Update patch for truncated mod_cgi 500 responses from upstream SVN
+ (Closes: #412580)
+ * Don't use AddDefaultCharset for our docs (Closes: #414429)
+ * fix options syntax in sites-available/default (Closes: #419539)
+ * Move conf.d include to the end of apache2.conf (Closes: #305933)
+ * Remove log, cache, and lock files on purge (Closes: #428887)
+ * Ship /usr/lib/cgi-bin (Closes: #415698)
+ * Add note to README.Debian how to read docs (Closes: #350822)
+ * Document pid file name (Closes: #350286)
+ * Update Standards-Version (no changes needed)
+ * Fix some lintian warnings, add some overrides
+ * Start apache when doing a "restart" even if it was not running
+ (Closes: #384682)
+ * reload config in apache2-doc postinst (Closes: #289289)
+ * don't fail in prerm if apache is not running (Closes: #418536)
+ * Suggest apache2-doc and www-browser (Closes: #399056)
+ * Make init script always display a warning if NO_START=1 since
+ VERBOSE=yes is not the default anymore (Closes: #430116)
+ * Replace apache2(8) man page with a more current version
+ * Add httxt2dbm(8) man page
+ * Show -X option in help message (Closes: #391817)
+ * remove sick-hack-to-update-modules
+ * don't depend on procps on hurd (Closes: #431125)
+
+ [ Peter Samuelson ]
+ * Add shlibs:Depends to apache2.2-common.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 01 Jul 2007 19:57:51 +0200
+
+apache2 (2.2.3-5) unstable; urgency=low
+
+ [ Tollef Fog Heen ]
+ * Fix up apache2-src so the .tar.gz contains an apache2 top level
+ directory.
+ * Make apache2 MPMs provide and conflict with apache2-mpm so other
+ packages can provide MPMs too.
+ * Get rid of 2.1 references from descriptions. (Closes: #400981)
+
+ [ Thom May ]
+ * Let the init script cope with multiple pid files correctly. Probably we
+ shouldn't be doing this at all, but we might as well do it properly!
+ (Closes: #396162)
+ * Add a sensible autoindex default config
+ * Add patch from upstream to ensure that mod_cgi 500 responses aren't
+ truncated (Closes: #412580)
+ * Use graceful-stop to shutdown apache to ensure we cope nicely with long
+ running or blocked children
+
+ [ Peter Samuelson ]
+ * Ship apache2 manpage in apache2.2-common. (Closes: #391813)
+ * Rearrange init script so that 'force-reload' is the same as 'reload'.
+ (Closes: #401053)
+ * Add Build-Depends: mawk. (Closes: #403682)
+ * Add a needed <IfModule mod_include.c> guard to apache2.conf.
+ (Closes: #407307)
+ * Stop shipping /var/run/apache2/ as it is created at runtime anyway.
+ * Move the /var/lock/apache2 owner fix from the apache2.2-common
+ postinst to the init script, as /var/lock may not persist across
+ reboots. (Closes: #420101)
+
+ [ Stefan Fritsch ]
+ * Add Build-Depends: libssl-dev, zlib1g-dev (Closes: #399043)
+ * Add XS-Vcs-* to debian/control
+ * Improve handling of empty $MODNAME in a2enmod (Closes: #422589)
+ * Treat apache2-mpm-itk as prefork in a2enmod (Closes: #412602)
+ * Re-add README.Debian and describe
+ - the config dir layout (closes: #419552)
+ - which files are ignored by Include
+ - when and how to change "restart" to "reload" in the logrotate script
+ * When purging, remove {mods,sites}-enabled symlinks and the config files
+ created by postinst (Closes: #397789)
+ * Fix suexec to log after a cgi error (Closes: #312385)
+ * Add watch file
+ * Add AddType for .bz2 (Closes: #416322)
+ * Make init script messages conform better to policy (Closes: #390348)
+ and exit with failure if called with unknown parameter (Closes: #412407)
+ * Fix segfault in mod_proxy_ftp when FTP server sends back no spaces
+ (Closes: #413727)
+ * Ship /etc/apache2/conf.d/apache2-doc (Closes: #418464)
+ * Tell the user when selecting cgid instead of cgi (Closes: #428058)
+ * Add a2ensite/a2dissite man pages (Closes: #322385)
+ * Comment out CacheEnable by default, to prevent filling up /var.
+ Document the problem in README.Debian and NEWS.Debian, point to
+ htcacheclean and give a warning when doing a2enmod disk_cache
+ (Closes: #423653).
+ * Add myself to Uploaders.
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 10 Jun 2007 18:54:29 +0200
+
+apache2 (2.2.3-4) unstable; urgency=high
+
+ * High-urgency upload for RC bugfixes.
+ * Ack NMUs - thanks Andi, Steve.
+ * Add myself to Uploaders.
+ * Refactor apache2.2-common.postinst slightly, to account for sarge
+ upgrades (since it's a new package name, rather than an upgrade).
+ (Closes: #396782, #415775)
+ * If mod_proxy was configured in sarge, add proxy_http and
+ disk_cache modules, which used to be included in the mod_proxy config.
+ (Closes: #407171)
+
+ -- Peter Samuelson <peter@p12n.org> Tue, 27 Mar 2007 07:06:49 -0500
+
+apache2 (2.2.3-3.3) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * High-urgency upload for RC bugfix.
+ * apache2.2-common should depend on procps, since it will fail to create
+ httpd.conf if it's not installed. Closes: #398535.
+
+ -- Steve Langasek <vorlon@debian.org> Mon, 5 Feb 2007 01:55:57 -0800
+
+apache2 (2.2.3-3.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * 043_ajp_connection_reuse: Patch from upstream Bugzilla, fixing a critical
+ issue with regard to connection reuse in mod_proxy_ajp.
+ Closes: #396265
+
+ -- Andreas Barth <aba@not.so.argh.org> Sat, 9 Dec 2006 21:05:45 +0000
+
+apache2 (2.2.3-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Enable authz_user by default, fix silent authentication breakage.
+ Closes: #397310
+ * Add default modules if coming from earlier than this version.
+ Closes: #392349, #392352, #392701, #393913, #396678, #395976
+ * Re-Enable modules cern_meta, dumpio and ext_filter. Closes: #391393
+
+ -- Andreas Barth <aba@not.so.argh.org> Fri, 10 Nov 2006 15:44:33 +0100
+
+apache2 (2.2.3-3) unstable; urgency=medium
+
+ [ Peter Samuelson ]
+ * a2dismod: exit 0 if a module exists but is already disabled.
+ * Ship a2enmod.8 and a2dismod.8 again, and expand them a bit.
+ (Closes: #270551)
+
+ [ Tollef Fog Heen ]
+ * Build apache2-src package.
+ * Do not AddDefaultCharset if we are proxying. Closes: #277526
+ * Do not forcefully link against libdb4.3 and other libs.
+ * Enable the same list of modules as we had in 2.0 (by default) and do
+ that for all older versions than 2.2.3-3 to fix upgrade issues people
+ have had. Closes: #392349
+ * Set default IndexWidth to *.
+ * Clean up CPPFLAGS and CFLAGS, including making all of CFLAGS a
+ superset of CPPFLAGS. Also make sure to include -I switches with
+ absolute paths so the apache headers are useful.
+ * Warn when not starting HTTPD due to missing apache binary.
+ Closes: #384128
+ * Provide sample disk and memory cache configurations. Closes: #278564
+ * Provide dir.conf. Closes: #392356
+ * Add alternate dependency from apache to apache2-mpm-event
+ * On reload, make the init script exit 1 with an error message if the
+ configuration is broken. Closes: #316858
+ * Add default deflate.conf compressing text/html, text/plain and
+ text/xml. Closes: #349016
+ * Add { and } around the usage format in the init script to make the
+ init script bash completion happier. Closes: #350606
+
+ [ Adam Conrad ]
+ * Update our php4 and php5 conflicts, to reflect the reality that each
+ were uploaded and built again while apache2.2 was in the new queue.
+ Closes: #392189
+ * Migrate kill symlinks from K91 to K09 (closes: #376503)
+ * Make apache2 depend on the current version of the MPMs, as it used
+ to in the 2.0.x series (and make it binNMU-safe) (closes: #394658)
+ * Make sure that the RedirectMatch in sites-available/default continues
+ to be commented out for Ubuntu, while having it uncommented for Debian.
+
+ [ Thom May ]
+ * Fix permissions on suexec (Closes: #391918)
+ * This is Debian, not Ubuntu (Closes: #393277)
+
+ -- Adam Conrad <adconrad@0c3.net> Sat, 7 Oct 2006 17:57:04 +1000
+
+apache2 (2.2.3-2) unstable; urgency=low
+
+ * Make sure to ship /var/log/apache2 in the apache2.2-common package.
+ Closes: #390786
+ * Install suexec.8 as suexec2.8. Closes: #390774
+ * Make sure that we never ship .svn directories in any binary packages.
+ Closes: #390785
+ * Not only chmod -x /usr/sbin/apache2 in apache2.2-common.preinst, chmod
+ +x it in same's postinst too. Closes: #390794
+ * We now ship htcacheclean in apache2-utils. Closes: #376680
+ * Try to stop old apaches in preinst of the mpms. Closes: #390893
+ * Make apache2-mpm-{worker,prefork} conflict with apache2-mpm-event and
+ apache2-common.
+ * rm -f /var/lib/dpkg/info/apache2-common.postrm. So apache2-common can
+ be purged. Yes, we're on crack. Closes: #390823
+ * Make apache2-utils's Replaces on apache2-common be unversioned.
+ Closes: #391018
+ * Stop shipping cern_meta.load, dumpio.load and ext_filter.load. Thanks
+ to Stephane Chazelas for noticing. Closes: #391393
+
+ -- Tollef Fog Heen <tfheen@debian.org> Tue, 3 Oct 2006 10:03:48 +0200
+
+apache2 (2.2.3-1) unstable; urgency=low
+
+ * Remove mention of AddDefaultCharset from apache2.conf as this is now
+ in /etc/apache2/conf.d/charset.
+ * Rename apache2-common to apache2.2-common. Conflict and replace old
+ version. This is to force modules to be uninstalled until versions
+ compiled against 2.2 are provided.
+ * Remove Daniel Stone from list of uploaders.
+ * We no longer ship 035_HEAD_Content-Length_Fix_From_CVS. Closes: #298143
+ * Don't start the server on reload. Closes: #316321
+ * Install S91/K09 links, not S91/K91, also only support not starting
+ through defaults file to cover upgrades from old
+ installations. Closes: #359977, #349655
+ * Big cleanup by using dh_install properly rather than loads of hacks in
+ debian/rules.
+ * No longer ship compat symlinks for ab, etc. Those are installed as
+ ab, htpasswd and similar.
+ * Remove apache2-mpm-{event,worker}-{prerm,preinst,postinst} in clean,
+ as those are copies of other files.
+ * Add build-depends for libapr1-dev (>= 1.2.7-6) to make sure we get a
+ version which ships a useful apr-config --apr-libtool.
+ * chmod -x /usr/sbin/apache2 on upgrades from before 2.2 to avoid
+ problems stopping apache due to some dpkg bug.
+ * Add Conflicts for broken modules which didn't depend on
+ apache2-common.
+
+ -- Tollef Fog Heen <tfheen@debian.org> Thu, 17 Aug 2006 14:02:58 +0200
+
+apache2 (2.2.3-1~exp.r170) experimental; urgency=low
+
+ [ Jeroen van Wolffelaar ]
+ * Staging upload to experimental of subversion revision r170
+
+ [ Thom May, Tollef Fog Heen, Fabio M. Di Nitto and Adam Conrad ]
+ * New Upstream Release. Closes: #344072
+ http://httpd.apache.org/docs/2.2/new_features_2_2.html has a list of
+ new features and changes.
+ - Fixes LFS support. Closes: #341460, #285337, #241223
+ - Fixes off-by-one error in mod_rewrite ldap schema handling
+ (CVE-2006-3747)
+ - Fixes XSS issue in mod_imap/mod_imagemap (CVE-2005-3352).
+ Closes: #343467.
+ - mpm_perchild no longer exists, so closing bugs for perchild.
+ Closes: #236193, #238586
+ - Fixes PHP POST with SSLVerifyClient. Closes: 353443
+ * Build-depend on lsb-release and pick up the branding from there.
+ * Build-depend on apr-util 1.0 which is now in a separate source
+ package.
+ * Mangle the Debian layout to be more FHS compatible
+ * No longer build-conflict with libgdbm-dev
+ * Use external PCRE
+ * Make apache2-utils stop providing apache2-utils. Also make it stop
+ conflicting with itself.
+ * Rename default site from default-site to just default.
+ * Try to migrate modules which used to be built-in:, alias, mime,
+ authz_host, autoindex, dir, env, negotiation, setenvif, status.
+ * Mod imap has been renamed to imagemap, ditto for auth_ldap =>
+ authnz_ldap. Cope with that in postinst.
+ * Stop globbing in apache2.conf.
+ Closes: #337817, #340955, #348189, #379015, #368497
+ * Don't install CHANGES into the apache2 package. It's just a
+ metapackage.
+ * Add rudimentary rdeps handling to a2dismod. Closes: #273929
+ * Stop providing apache-utils.
+ * Cope with /var/run and /var/lock on tmpfs.
+ * Remove all subdirs in srclib as we are using external libraries for
+ those anyway. Also remove test/zb.c. Closes: 340538
+ * Make ssl.conf not block on /dev/random, but rather use /dev/urandom.
+ * Make apache2-common depend on lsb-base, thanks to Gleb Arshinov
+
+ -- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Tue, 15 Aug 2006 16:17:33 +0200
+
+apache2 (2.0.55-4.1) unstable; urgency=high
+
+ * Non-maintainer upload. Urgency set to high due to security fixes.
+ * Added '052_mod_rewrite_CVE-2006-3747' to fix the off-by-one bug in
+ mod_rewrite.
+ [CVE-2006-3747]. (Closes: #380182)
+ * Added '053_restore_prefix_fix' to allow rebuilding from source.
+ (Closes: #374160)
+ * Added '054_apr_sendfile' to allow building for Hurd.
+ (Closes: #349416)
+ * Added '055_expect_CVE-2006-3918' to fix XSS attack in Expect headers.
+ [CVE-2006-3918]. (Closes: #381376)
+ * Added bash-completion script from Guillaume Rousse.
+ (Closes: #299855)
+
+ -- Steve Kemp <skx@debian.org> Sat, 5 Aug 2006 21:35:53 +0000
+
+apache2 (2.2.0-1) UNRELEASED; urgency=low
+
+ * New upstream release.
+
+ -- Fabio M. Di Nitto <fabbione@fabbione.net> Thu, 26 Jan 2006 13:46:08 +0100
+
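Review bot: the `apache2 (2.2.0-1) UNRELEASED` stanza sits between 2.0.55-4.1 and 2.0.55-4, so versions in this part of the changelog are not in descending order, and its distribution field says it was never uploaded. The three stanzas are in date order (26 Nov 2005, 26 Jan 2006, 5 Aug 2006), which suggests two packaging branches were merged by date. Keeping it is fine if the history is imported verbatim, but please confirm that anything selecting entries by version range tolerates the interleaving. A range ending at 2.0.55-4.1 includes or skips this stanza depending on whether the consumer goes by position in the file or by version comparison.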
+apache2 (2.0.55-4) unstable; urgency=low
+
+ * Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
+ mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
+ * Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in
+ threaded MPMs when making a non-SSL connection to an SSL-enabled port
+ on a server with a custom 400 error document defined; see CVE-2005-3357
+ * Clean up our use of trailing slashes on directories in debian/rules, so
+ the newer, pickier, obviously very improved coreutils doesn't bite us.
+ * Remove some cruft from apache2-common's postinst, dealing with upgrade
+ scenarios from versions older than those released in Sarge or Warty.
+ * Use "SHELL := sh -e" in debian/rules, so the build will stop on shell
+ errors, instead of blundering on to later make targets (closes: #340761)
+ * Recreate /var/run/apache2 and /var/lock/apache2 in our init script, in
+ case the user has /var/run and /var/lock on tmpfs, which is fasionable.
+ * Make our init script a /bin/bash script instead of a /bin/sh script, so
+ we can abuse it with regex globbing (#348189, #347962, #340955, #342008)
+ * Take patch from Adrian Bridgett to output errors from our config test
+ in the init script, but only do so when we're VERBOSE (closes: #339323)
+ * In the spirit of the LSB, make our init script exit 2 when called with
+ incorrect arguments, and exit 4 when asked for status (closes: #330275)
+ * Fix the default site to not mix configuration syntax (closes: #345922)
+ * Mention apxs2 in the apache2-*-dev long descriptions (closes: #307921)
+
+ -- Adam Conrad <adconrad@0c3.net> Sat, 26 Nov 2005 19:06:32 +1100
+
+apache2 (2.0.55-3) unstable; urgency=low
+
+ * Brown paper bag release: Tidy up CFLAGS and APR configure call to make
+ sure that what we link to agrees with what apu-config tells others to do.
+
+ -- Adam Conrad <adconrad@0c3.net> Mon, 24 Oct 2005 13:02:52 +1000
+
+apache2 (2.0.55-2) unstable; urgency=low
+
+ * Mess with 010_more_fhs_compliancy to nail down the compiled default for
+ cgisock to match with the default shipped in the config file, so people
+ don't get confused if they miss including cgid.conf (closes: #316477)
+ * Make the compiled-in PidFile match the config file for similar reasons.
+ * Add 049_apr_tables_HEAD_cleanup, resolving an issue where merging two
+ tables from different resource pools would leave you with the contents
+ of only one, rather than both. This patch also cleans up some broken
+ pointer arithmetic and type casting along the way (closes: #251800)
+ * Specify the DocumentRoot without a trailing slash (closes: #311317)
+ * Fix the manpage to point at proper locations (closes: #307665, #332619)
+
+ -- Adam Conrad <adconrad@0c3.net> Sun, 23 Oct 2005 13:24:39 +1000
+
+apache2 (2.0.55-1) unstable; urgency=low
+
+ * New upstream bugfix and security release, superseding these patches:
+ - Drop 041_util_ldap_fix.patch, util_ldap seems to be unbroken.
+ - Drop 043_ssl_off_by_one_CAN-2005-1268, fixed upstream.
+ - Drop 044_content_length_CAN-2005-2088, fixed upstream.
+ - Drop 045_byterange_CAN-2005-2728, fixed upstream.
+ - Drop 046_verify_client_CAN-2005-2700, fixed upstream.
+ - Resolves a serious memory leak in the worker MPM; see CVE-2005-2970
+ - Add 048_reverse_proxy_fix, to resolve a regression in 2.0.55 with
+ mod_proxy, mod_ssl and HTTP POST requests (upstream bug #37145)
+ * New release builds cleanly with OpenSSL 0.9.8 (closes: #332791, #333363)
+ * Fix up our built-in version of DBS to use find's -{max,min}depth
+ arguments in a way that doesn't make find whine like a spoiled child.
+ * Merge Ubuntu and Debian packaging, bringing in patch 047 (closes: #327269)
+ - Comment out the / -> /apache2-default/ redirect, as user feedback seems
+ to indicate that it's just too bloody confusing for most people.
+ - New installations (only) now get an AddDefaultCharset UTF-8 directive.
+ * Build-depend on lsb-release, and use it in debian/rules to determine which
+ distribution we're building on, dropping the 007_debian_advertising patch.
+ * Drop debconf dependency entirely; we don't even use it (closes: #331741)
+ * Finally support DEB_BUILD_OPTIONS="noopt debug" properly in debian/rules.
+ * Adjust mime_magic.conf to point at the new FHS location of magic.mime.
+ * Drop the apache2-mpm-threadpool transitional package; Sarge is released.
+ * Try a bit harder to find the *CORRECT* PidFile directive in the init
+ script, instead of the old "rgrep and pray" method (closes: #303076)
+ * Make init script to always use apache2ctl consistently (closes: #316303)
+ * Build (and have -dev packages depend on) libdb4.3 instead of libdb4.2.
+
+ -- Adam Conrad <adconrad@0c3.net> Mon, 17 Oct 2005 13:00:13 +1000
+
+apache2 (2.0.54-5ubuntu2) breezy; urgency=low
+
+ * Add 047_ssl_reneg_with_body, which adds a (bounded) buffer of request
+ body data to provide a limited but safe fix for the mod_ssl renegotiation
+ vs requests-with-bodies bug, as occurs with POST and SVN (Ubuntu #14991)
+
+ -- Adam Conrad <adconrad@ubuntu.com> Tue, 4 Oct 2005 11:53:01 +1000
+
+apache2 (2.0.54-5ubuntu1) breezy; urgency=low
+
+ * Resynchronise with Debian, bringing in several security patches.
+
+ -- Adam Conrad <adconrad@ubuntu.com> Mon, 5 Sep 2005 20:40:31 +1000
+
+apache2 (2.0.54-5) stable-security; urgency=high
+
+ * Add 043_ssl_off_by_one_CAN-2005-1268, fixing an off-by-one error in SSL
+ certificate validation; see CAN-2005-1268 (closes: #320048, #320063)
+ * Add 044_content_length_CAN-2005-2088, resolving an issue in mod_proxy
+ where, when a response contains both Transfer-Encoding and Content-Length
+ headers, the connection can be used for HTTP request smuggling and HTTP
+ request spoofing attacks; see CAN-2005-2088 (closes: #316173)
+ * Add 045_byterange_CAN-2005-2728, to resolve a denial of service in apache
+ when large byte ranges are requested; see CAN-2005-2728 (closes: #326435)
+ * Add 046_verify_client_CAN-2005-2700, resolving an issue where the context
+ of the SSLVerifyClient directive is not honoured within a <Location>
+ nested in a <VirtualHost>, and is left unenforced; see CAN-2005-2700
+
+ -- Adam Conrad <adconrad@0c3.net> Fri, 2 Sep 2005 22:26:28 +1000
+
+apache2 (2.0.54-4) unstable; urgency=low
+
+ * Alter 041_util_ldap_fix.patch to revert util_ldap.c to the known
+ good version from 2.0.53 (closes: #308648, and re-fixes #307567)
+
+ -- Adam Conrad <adconrad@0c3.net> Wed, 11 May 2005 20:15:38 -0600
+
+apache2 (2.0.54-3) unstable; urgency=medium
+
+ * Add 042_htdigest_CAN-2005-1344 to fix a buffer overflow in
+ htdigest, which is described in CAN-2005-1344 (closes: #307134)
+ * Add 041_util_ldap_fix.patch from upstream bug #34618 to fix
+ issues with mod_auth_ldap sometimes segfaulting and sometimes
+ locking up and spinning the CPU to oblivion (closes: #307567)
+ * Alter 011_fix_ap-config to make apr-config point us at the system
+ libtool, and make libapr0-dev depend on libtool (closes: #306481)
+ * Alter 008_make_include_safe to prevent apache2 from including dpkg
+ conffile leftovers (.dpkg-old et al) (closes: #304786, #296728)
+
+ -- Adam Conrad <adconrad@0c3.net> Thu, 5 May 2005 03:45:24 -0600
+
+apache2 (2.0.54-2) unstable; urgency=low
+
+ * Set suexec2's ownership properly, so it's actually executable by
+ apache2 with the newly-restrictive permissions (closes: #305242)
+
+ -- Adam Conrad <adconrad@0c3.net> Mon, 18 Apr 2005 22:09:42 -0600
+
+apache2 (2.0.54-1) unstable; urgency=low
+
+ * New upstream bugfix-only release (closes: #305121)
+ * Fix debian/watch file to only look at apache 2.0.x, so we stop being
+ told about the 2.1 beta releases (and I'll notice new 2.0.x releases)
+ * Drop o+rx permissions from suexec2; while it has code in place to
+ make sure the caller is www-data, if that code should be buggy,
+ filesystem permissions will help mitigate fallout (closes: #301045)
+ * Update the 003_build_with_autoconf_2.5 patch to make sure both
+ apr and apr-util have an AC_PREREQ for autoconf 2.50, so we don't get
+ weird autoconf mix-and-match FTBFS issues (closes: #301819)
+
+ -- Adam Conrad <adconrad@0c3.net> Sun, 17 Apr 2005 23:10:18 -0600
+
+apache2 (2.0.53-5ubuntu5) hoary; urgency=low
+
+ * Fix the init script to not exit with an error when asked to
+ stop a daemon that isn't running (Was the root cause of #8374)
+
+ -- Adam Conrad <adconrad@0c3.net> Fri, 1 Apr 2005 16:30:56 +0000
+
+apache2 (2.0.53-5ubuntu4) hoary; urgency=low
+
+ * Make sure package removals don't fail even if the init script
+ doesn't stop apache2 (Ubuntu #8374)
+
+ -- Adam Conrad <adconrad@0c3.net> Fri, 1 Apr 2005 15:07:20 +0000
+
+apache2 (2.0.53-5ubuntu3) hoary; urgency=low
+
+ * Add dependency on lsb-base (>= 1.3-9ubuntu2) to guarantee
+ availability of lsb init functions (Ubuntu #7765)
+
+ -- Adam Conrad <adconrad@0c3.net> Sun, 27 Mar 2005 21:55:41 -0700
+
+apache2 (2.0.53-5ubuntu2) hoary; urgency=low
+
+ * Really remove /etc/apache2/conf.d/charset on purge, rather
+ than just writing about it in the changelog.
+
+ -- Adam Conrad <adconrad@0c3.net> Sun, 27 Mar 2005 08:32:39 -0700
+
+apache2 (2.0.53-5ubuntu1) hoary; urgency=low
+
+ * Resynchronise with Debian, resolving minor conflicts.
+ * Remove /etc/apache2/conf.d/charset on purge.
+
+ -- Adam Conrad <adconrad@0c3.net> Sun, 27 Mar 2005 15:15:44 +0000
+
+apache2 (2.0.53-5) unstable; urgency=high
+
+ * Update 040_link_external_pcre to require autoconf 2.50, so it
+ doesn't fail when autoconf2.13 is installed (closes: #295428)
+ * Further mangle the apache_stop function in the init script so it
+ attempts as hard as possible to make sure apache2 is stopped before
+ it tries to restart. Thanks to Andre Tomt <andre@tomt.net> for
+ the bug and patch this fix was based on (closes: #295915, #281557)
+
+ -- Adam Conrad <adconrad@0c3.net> Fri, 25 Feb 2005 00:51:13 -0700
+
+apache2 (2.0.53-4) unstable; urgency=low
+
+ * Add 040_link_external_pcre to allow us to link to an external libpcre
+ rather than statically compiling the bundled version.
+ * Add --with-external-pcre to the configure flags in debian/rules
+ (closes: #294673, #294675, #282606, #294740)
+ * Stop hardcoding the path to netstat in postinst (closes: #294737)
+
+ -- Adam Conrad <adconrad@loki.0c3.net> Mon, 14 Feb 2005 01:45:08 +0000
+
+apache2 (2.0.53-3) unstable; urgency=medium
+
+ * Drop Andres Salomon's PCRE manglig patch in favour of hand-merging
+ Joe Orton's patch against head to completely internalise apache's
+ copy of PCRE, only exposing a wrapper API. (closes: #294395)
+
+ -- Adam Conrad <adconrad@0c3.net> Wed, 9 Feb 2005 11:30:21 -0700
+
+apache2 (2.0.53-2) unstable; urgency=low
+
+ * Make apache2-threaded-dev and apache2-prefork-dev both arch:any
+ as they contain architecture-dependant defines (closes: #294257)
+
+ -- Adam Conrad <adconrad@0c3.net> Wed, 9 Feb 2005 04:20:07 -0700
+
+apache2 (2.0.53-1) unstable; urgency=low
+
+ * New upstream release
+ - Remove 036_HEAD_CAN-2004-0942, integrated upstream
+ - Remove 037_HEAD_CAN-2004-0885, integrated upstream
+ * Drop support for the threadpool MPM, as it's abandoned upstream.
+ - Make apache2-mpm-threadpool an empty package depending on
+ apache2-mpm-worker, and make worker replace the old threadpool
+ * Make SYSCONFDIR configurable at the top of a2{en,dis}{mod,site}
+ * Drop the build-conflict on gawk, and use ac_cv_prog_AWK=mawk
+ instead (closes: #283396)
+ * Make the apache_stop() function stop trying to do the equivalent
+ of "killall apache2", and instead issue a nasty warning if it can't
+ stop apache2 on its own
+ * Make "restart" an alias for "force-reload" in the init script, as
+ apache2ctl restart doesn't match policy's requirements for restart
+ * Swapping between threaded and unthreaded MPMs could leave one with
+ both mod_cgi and mod_cgid enabled. Fixed the postinsts so that
+ no longer happens
+ * Update 021-pcre_mangle_symbols.patch from Andres Salomon, now also
+ mangling typedefs, which should fix PHP (closes: #280823)
+ * Hardcode a dependency on libgcc1 (>= 1:3.3.5) so pthread_cancel
+ will work correctly with partial upgrades (closes: #287033)
+ * When removing ssl_scache, make sure to remove its db transation logs
+ and other garbage as well (closes: #293831)
+ * Remove duplicate /icons/ from the default site (closes: #291856)
+ * Yank 039_fix_forensic_tmpfiles from Ubuntu's apache2 packages
+ * Split out utils into seperate apache2-utils. This will also
+ supercede the apache-utils package (closes: #285219)
+ * Add split-logfile to apache2-utils (closes: #290814)
+ * Make the MPM postinsts scream loudly, but not fail, if you've
+ deleted cgi{,d}.load before swapping MPMs (closes: #283141)
+
+ -- Adam Conrad <adconrad@0c3.net> Mon, 7 Feb 2005 07:54:12 -0700
+
+apache2 (2.0.52-3) unstable; urgency=high
+
+ * Brown paper bag release to fix apache2-common's postinst, by judiciously
+ sprinkling ||true in a couple of needed places (closes: #280527)
+ * While hunting for unclean uses of VAR=`command` in the package, found
+ the cause of the "can't purge with broken config" bugs and fixed that
+ too with yet another ||true (closes: #263511, #273759, #279875)
+
+ -- Adam Conrad <adconrad@0c3.net> Wed, 10 Nov 2004 01:32:16 -0700
+
+apache2 (2.0.52-2) unstable; urgency=high
+
+ * Include two patches, 036_HEAD_CAN-2004-0942 and 037_HEAD_CAN-2004-0885
+ - CAN-2004-0942: Memory leak in header parsing in server/protocol.c
+ - CAN-2004-0885: Incorrect SSLCipherSuite selection in mod_ssl
+ * Fix up our use of netstat in apache2-common's postinst to clean up some
+ unnecessary output to stderr, as well as detect when netstat believes
+ we don't have AF_INET support. This should allow for installation in
+ chroots where the /proc filesystem isn't mounted (closes: #245487)
+ * Add 035_HEAD_Content-Length_Fix_From_CVS, which should solve problems
+ with Content-Length being set incorrectly on proxied HEAD requests,
+ breaking Windows Update from proxied machines (closes: #277787)
+ * Take out the reload/start magic in the postinst, and just call start in
+ all cases, as we stop the daemon in the prerm (closes: #275175, #222786)
+ * Copy config.guess/config.sub/ltmain.sh in from /usr/share/libtool at
+ build time. (closes: #257228, #263101)
+ * Clean up the clean target in debian/rules to remove some duplicate
+ maintainer scripts from the debian/ directory that we don't need to be
+ shipping in the source package.
+ * Move envvars to /etc/apache2/ and add patch 038_no_LD_LIBRARY_PATH to
+ remove the extraneous LD_LIBRARY_PATH from envvars (closes: #276670)
+
+ -- Adam Conrad <adconrad@0c3.net> Sun, 7 Nov 2004 04:09:46 -0700
+
+apache2 (2.0.52-1) unstable; urgency=high
+
+ * New upstream bugfix/security release:
+ - Fixes CAN-2004-0811: Satisfy directive bypass (closes: #273412)
+ * Add '|| true' to a2enmod to stop it from dying when the installed MPM
+ isn't prefork (closes: #273017, #273019, #272865, #273021, #273258)
+ * Touch /var/log/apache2/error.log on new installs to ensure that our log
+ directory isn't removed until the package is purged, so logrotate doesn't
+ complain about its inability to find it (closes: #239571)
+ * Add 032_suexec_is_shared, which makes sure suEXEC is only searched for
+ and enabled when mod_suexec is loaded (closes: #227653)
+ * Use '$APACHE2CTL startssl' consistently in init script to make sure the
+ SSL define doesn't disappear on force-reload (closes: #272531)
+ * Add 033_dbm_read_hash_or_btree to allow apr-util and dbmmanage to open
+ and manipulate DB_BTREE databases, while still defaulting to creating
+ DB_HASH databases as before. This should clear up incompatibilities
+ with other applications (such as PHP) which default to DB_BTREE.
+ * Moved dbmmanage2 to /usr/bin, instead of /usr/sbin, as it's a user tool.
+ * Added 034_ab2_has_openssl, thanks to 2.1-cvs, Fedora, thom, and a bit
+ of munging, to compile a working ab2 with SSL support (closes: #261820)
+
+ -- Adam Conrad <adconrad@0c3.net> Tue, 28 Sep 2004 10:21:20 -0600
+
+apache2 (2.0.51-2) unstable; urgency=high
+
+ * Test for the existence of /usr/sbin/apache2 before we go trying to invoke
+ it to determine what MPM we have installed (closes: #272103, #272207)
+ * Make the default httpd.conf created in apache2-common's postinst contain
+ a fake LoadModule line (commented out), and make apxs2 default to
+ installing modules to /etc/apache2/httpd.conf, so people using apxs2
+ rather than the mods-{enabled,available} directories get the expected
+ behaviour, rather than obscure errors (closes: #167552, #231134)
+ * apxs2 now writes the correct path to modules in httpd.conf, including
+ the mysteriously missing slash (closes: #231450, #167557)
+ * Make apxs2 install modules with mode 644, since 755 makes no sense.
+ * Added a bit of magic to a2{en,dis}site to treat the default site as a
+ special case and add a "000-" priority to the beginning of its symlink.
+ Patches welcome to turn this into something robust, like update-rc.d.
+
+ -- Adam Conrad <adconrad@0c3.net> Sat, 18 Sep 2004 07:12:12 -0600
+
+apache2 (2.0.51-1) unstable; urgency=high
+
+ * New upstream release, including the following security fixes:
+ - CAN-2004-0747: ap_resolve_env buffer overflow
+ - CAN-2004-0786: apr_uri_parse segfault in memcpy
+ - CAN-2004-0809: mod_dav crash/DoS via NULL pointer dereference
+ * Drop the following patches which are now included upstream:
+ - 025_CAN-2004-0748.patch
+ - 026_CAN-2004-0751.patch
+ - 027_autoindex_ignore_bad_files.patch
+ - 028_apr_sticky_bits.patch
+ * Install a properly sanitised config_vars.mk so that apxs2 behaves in
+ a reasonably sane way (closes: #243340, #270768)
+ * Relax www-browser dependency to a Suggests, as the mod_status dump from
+ apache2ctl is a pretty minor (and oft unused) feature (closes: #269309)
+ * init script now allows you to stop (but not start, restart, etc) the web
+ server, even if NO_START is set to 1 (closes: #269398)
+ * Make the apache2 -> apache2-mpm-* dependency tighter, so it does what
+ one expects when installing it (closes: #269580)
+ * Remove the ^/doc/apache2-doc/manual(.*)$ /manual$1 RedirectMatch from
+ the default site which was confusing and useless (closes: #270216)
+ * Add debian/watch file to track upstream versions.
+ * Add some magic to a2enmod to map cgi to cgid if using a threaded MPM.
+ * Add a2ensite and a2dissite which do the same thing as a2{en,dis}mod,
+ but for sites rather than modules (closes: #269251)
+
+ -- Adam Conrad <adconrad@0c3.net> Wed, 15 Sep 2004 00:09:39 -0600
+
+apache2 (2.0.50-12) unstable; urgency=high
+
+ * Build-depend on mawk, and build-conflict with gawk, as we're only
+ guaranteed of having one or the other installed at any given time
+ and GNU awk seems to royally mess up the build with regards to which
+ external symbols get exported by httpd (closes: #268155)
+ * Add myself to the Uploaders field as it seems that, for better or
+ worse, I have become a co-maintainer of apache2.
+ * Drop the :80 from the default site config, so changing ports in
+ ports.conf now Just Works (closes: #253271)
+ * Added 029_docroot_manual.patch, which corrects the links in the start
+ page to point to /manual/ instead of manual/, so the link actually
+ works when apache2-doc is installed (closes: #232954)
+ * Add a postrm to apache2-common, implementing a policy-compliant purge
+ process (closes: #237030, #252254, #197986)
+ * Add a simple RedirectMatch to the "default" site, so that fresh
+ installations see the default start page, rather than a directory
+ listing (closes: #240772, #255974, #264070)
+ * Add 030_www-browser_apachectl.patch, and make apache2-common depend
+ on www-browser, so 'apache2ctl status' works (closes: #266724)
+ * Move apache2's (re)start from the apache2-common postinst to the MPM
+ postinsts, so we're not trying to start the old binary if apache2-common
+ is configured before apache2-mpm-* is unpacked (closes: #268936)
+ * Enable CGI on initial installation, as packages depending on httpd-cgi
+ require it to be running to work (closes: #267547, #263038)
+ * Only enable userdir on upgrades from older versions where it was
+ built-in, or on fresh installs.
+
+ -- Adam Conrad <adconrad@0c3.net> Mon, 30 Aug 2004 17:40:47 -0600
+
+apache2 (2.0.50-11) unstable; urgency=high
+
+ * Add two patches from upstream to address two vulnerabilities in mod_ssl:
+ - CAN-2004-0748 is a potential infinite loop in the SSL input filter
+ which can be triggered by an aborted connection.
+ - CAN-2004-0751 is a potential segfault in the SSL input filter which
+ can be triggered by the response to request which is proxied to a
+ remote SSL server.
+ * Changed the ownership of /var/cache/apache2 to allow mod_proxy to
+ actually cache files (closes: #264622)
+ * Added a patch from upstream to make mod_autoindex skip over files that
+ it can't stat() (closes: #264645)
+ * New installations now get an /etc/default/apache2 file with a moderately
+ informative comment, and the default set sanely (closes: #263515)
+ * Added a patch from upstream to make APR stop creating directories with
+ the sticky bit set (closes: #266198)
+ * Remove the bogus "-e" from the echo that creates httpd.conf, so people
+ installing with ash/dash don't get a broken file (closes: #267693)
+
+ -- Adam Conrad <adconrad@0c3.net> Mon, 23 Aug 2004 19:25:50 -0600
+
+apache2 (2.0.50-10) unstable; urgency=high
+
+ * Roll back the libapr0 ABI changes introduced in 2.0.50-9. We were
+ hopeful that we could hunt down and fix any fallout from this change
+ before release, and we were, apparently, wrong.
+ (closes: #266211, #266145, #266165, #266330, #266230, #266279, #266736)
+
+ -- Adam Conrad <adconrad@0c3.net> Thu, 19 Aug 2004 03:46:11 -0600
+
+apache2 (2.0.50-9) unstable; urgency=medium
+
+ * Enable LFS properly. (Closes: #264645, #244897)
+ - Added 023_largefiles_upstream_fixes which makes the upstream configure
+ script a bit smarter and fixes some misuses of size_t/off_t.
+ - Added 024_largefiles_debian_hacks which adds some hideous hackery to
+ work around a bug in glibc where sendfile64 is used in place of sendfile
+ with no fallback even if the current kernel doesn't support it.
+ - Add note to README.Debian noting that while we can now read, write, and
+ list large files, SERVING large files is kernel-dependant.
+ * Bump libapr0 shlibs to (>= 2.0.50-9), since we're introducing
+ some serious ABI breakage with the above changes.
+ * Fix up the PATH in apache2's init script to list /usr/local, /usr, /
+ in the standard order.
+ * Change misleading return messages for a2{en,dis}mod, to reflect
+ the reality that some modules just won't load/unload properly
+ without a full stop/start server cycle.
+
+ -- Adam Conrad <adconrad@0c3.net> Sun, 15 Aug 2004 07:41:19 -0600
+
+apache2 (2.0.50-8) unstable; urgency=high
+
+ * Ensure we link against the correct version of DB42
+
+ -- Thom May <thom@debian.org> Mon, 9 Aug 2004 14:37:38 +0100
+
+apache2 (2.0.50-7) unstable; urgency=high
+
+ * Fix up linking of apr-util (Closes: #262009)
+
+ -- Thom May <thom@debian.org> Tue, 3 Aug 2004 12:42:53 +0100
+
+apache2 (2.0.50-6) unstable; urgency=high
+
+ * use 'env -i' rather than trying to parse env (Closes: #261558, #258713)
+ * revert to old build process (Closes: #260756, #259693)
+ * Reflect changes in ssl setup - Thanks, Björn Wiberg (Closes: #259414)
+ * Remove userdir config from main config file (Closes: #260058)
+
+ -- Thom May <thom@debian.org> Tue, 27 Jul 2004 10:31:46 +0100
+
+apache2 (2.0.50-5) unstable; urgency=high
+
+ * Add necessary suexec information to central build
+ (Closes: #258453, #258772)
+ * Exclude lines starting with a space from removal from the env
+ (Closes: #258713)
+
+ -- Thom May <thom@debian.org> Mon, 12 Jul 2004 17:30:59 +0100
+
+apache2 (2.0.50-4) unstable; urgency=high
+
+ * Fix dependencies so the MPMs don't conflict with the metapackages *g*
+ Thanks to Adam Conrad for this catch
+
+ -- Thom May <thom@debian.org> Fri, 9 Jul 2004 00:55:19 +0100
+
+apache2 (2.0.50-3) unstable; urgency=high
+
+ * Brown paper bag of epic proportion. Build all mpms with the proper
+ collection of libraries. (Closes: #258217, #258202)
+ * Clean up environment (Closes: #241579)
+ * Clarify prefork description (Closes: #252918)
+ * Make apache2-default/manual DTRT (Closes: #244847)
+ * Note that we don't ship INSTALL or README.platforms (Closes: #232956)
+
+ -- Thom May <thom@debian.org> Thu, 8 Jul 2004 16:04:31 +0100
+
+apache2 (2.0.50-2) unstable; urgency=high
+
+ * Make a2enmod a bit more robust (Closes: #258149, #258145)
+ * Should really be urgency=high to get into testing quick
+
+ -- Thom May <thom@debian.org> Wed, 7 Jul 2004 23:03:36 +0100
+
+apache2 (2.0.50-1) unstable; urgency=medium
+
+ * New upstream release, fixes [CAN-2004-0493] and [CAN-2004-0488]
+ * The "I can't believe you're late to your own raid" release
+ * Check whether verbose is on or off in rcS's config (Closes: #242351)
+ * Add an apache2 metapackage (Closes: #234955)
+ * Specifically disable /~root (Closes: #246139)
+ * Stop the daemon in prerm (Closes: #245488)
+ * Redirect /doc/apache2-doc/manual to /manual so the correct magic happens
+ (Closes: #248038)
+ * Update SSL config to current upstream (Closes: #234591,#231147)
+ * No longer install default cgis - they're already shipped in -doc as
+ examples. (Closes: #231665)
+ * Tighten regex for Include (Closes: #234489)
+ * Remove ext-filter.load since we ship ext_filter.load too (Closes: #249268)
+ * Enable userdir as a shared module (Closes: #251102, #246134)
+ * OSKURO SUCKS (otherwise known as: not a bug) (Closes: #208569)
+ * Create /var/lib/apache2 (Closes: #242169)
+ * Remove 'AddDefaultCharset' line from apache2.conf (Suggestion from Marco
+ D'Itri)
+
+ -- Thom May <thom@debian.org> Tue, 6 Jul 2004 18:45:35 +0100
+
+apache2 (2.0.49-1) unstable; urgency=high
+
+ * New Upstream release. (Closes: #240100)
+ * Add missing $ to init-script (closes: #240301)
+ * Provides: httpd-cgi in reference to #117916
+
+ -- Thom May <thom@debian.org> Sun, 4 Apr 2004 11:32:20 +0100
+
+apache2 (2.0.48-8) unstable; urgency=low
+
+ * Fix typo in debian/rules (closes: #230760)
+ * Added patch 021-pcre_mangle_symbols.patch (closes: #235810)
+ * Fixed typo in the init scripts (closes: #230263)
+ * Changed a bunch of mv's to cp's in rules (closes: #228840)
+ * Change mime_magic to use magic from libmagic1 (closes: #236509)
+ * Disable ssl-cert until it sucks less. related to 230791 (closes: #231726)
+ * update descriptions (closes: #234543, #234538, #234542)
+ * Nuke /etc/vhosts and all associated cruft (closes: #235029)
+
+ -- Thom May <thom@debian.org> Mon, 2 Feb 2004 12:47:10 +0000
+
+apache2 (2.0.48-7) unstable; urgency=low
+
+ * Brown paper bag release. Refix the nonfixed libapr0 which built
+ without linking information.
+
+ -- Tollef Fog Heen <tfheen@debian.org> Fri, 30 Jan 2004 18:25:12 +0100
+
+apache2 (2.0.48-6) unstable; urgency=low
+
+ * Build-Conflict with gdbm (closes: #230226, #230175, #204672)
+
+ -- Tollef Fog Heen <tfheen@debian.org> Fri, 30 Jan 2004 12:24:09 +0100
+
+apache2 (2.0.48-5) unstable; urgency=low
+
+ * (Daniel Stone)
+ - Bump Standards-Version to 3.6.1.0.
+ - init-script: Print a small warning when NO_START=1. (closes: #178431)
+ - default site: Enable FollowSymLinks. (closes: #200829)
+ * (Thom May)
+ - Permanently kill the ErrorLog directive from ssl.conf
+ - Call ssl-cert to generate an SSL cert using debconf (closes: #178322)
+ - Allow /usr/share/doc/ to be viewable from localhost (closes: #222551)
+ - Set the default DocumentRoot to be /var/www (closes: #222552)
+ - Change where the init script is installed to (Closes: #223417)
+ - Upgrade to DB4.2
+ * (Tollef Fog Heen)
+ - handle building out of the SVN checkout.
+
+ -- Tollef Fog Heen <tfheen@debian.org> Wed, 28 Jan 2004 00:13:13 +0100
+
+apache2 (2.0.48-4) unstable; urgency=medium
+
+ * (Daniel Stone)
+ - Change apache2-threaded-dev's Conflicts from apache2-perfork-dev to
+ apache2-prefork-dev. Learn how to type, dude (thanks to Grzegorz
+ Prokopski for spotting this one).
+
+ -- Daniel Stone <daniels@debian.org> Mon, 17 Nov 2003 12:00:11 +1100
+
+apache2 (2.0.48-3) unstable; urgency=medium
+
+ * Grmmp. stuffed the upload
+
+ -- Thom May <thom@debian.org> Wed, 12 Nov 2003 18:18:54 +0000
+
+apache2 (2.0.48-2) unstable; urgency=high
+
+ * (Thom May)
+ - Fix locking busted by NPTL (Closes: #220299)
+ - Fix IPv6 weirdness (thanks to Jordi/Fabio) (Closes: #220334)
+
+ -- Thom May <thom@debian.org> Wed, 12 Nov 2003 13:04:04 +0000
+
+apache2 (2.0.48-1) unstable; urgency=low
+
+ * (Thom May)
+ - New Upstream Release (Closes: #202094)
+ - Fix i18n autonegotiation for the manual (Closes: #201648)
+ - Add deb.{gif,png} (Closes: #199454)
+ - Explicitly link against libdl (Closes: #195968)
+ - Add dependency on ssl-cert (Closes: #177837)
+ - Take preventative action against SCTP
+ - Add apache2-prefork-dev to work around PHP.
+ - Shut Oskuro up - startup time changed to 91 (Closes: #208569)
+ - Install README.etc into apache2-common's doc dir
+ (Closes: #208751,#177941)
+ - Auth_LDAP loads mod_ldap as well. (Closes: #217795)
+ - Make sure /var/lock/apache2 has correct ownership (Closes: #206375)
+ - Fix for SSL enabled virtual hosts (Closes: #202925)
+ - Steal new apr_threads.m4 from upstream to deal with -lpthread better
+ (Closes: #197685)
+ * (Fabio M. Di Nitto)
+ - Fixed init script (Closes: #203093)
+
+ -- Thom May <thom@debian.org> Sat, 16 Aug 2003 00:13:20 +0100
+
+apache2 (2.0.47-2) unstable; urgency=low
+
+ * Move dav.conf to dav_fs.conf (Closes: #201530)
+ * Fix the manual, and only ship it once. (Closes: #201648)
+ * Enable SymLinksIfOwnerMatch for cgi-bin (Closes: #200829)
+
+ -- Thom May <thom@debian.org> Wed, 16 Jul 2003 10:24:28 +0100
+
+apache2 (2.0.47-1) unstable; urgency=high
+
+ * New Upstream Release. Bunch of security fixes (Closes: #200593)
+ * Add asis.load, auth_ldap.load, cache.load, dav_fs.load, disk_cache.load,
+ ext_filter.load, file_cache.load, imap.load, ldap.load, mem_cache.load,
+ include.load (Closes: #197152, #198389, #196115)
+ Note that dav_fs was previously loaded by dav.load, and is now broken out
+ into a seperate file.
+ * Patch apxs2 to use datadir rather than prefix for top_builddir.
+ (Closes: #198607)
+ * Kill a couple of pointless conflicts. (Closes: #197242)
+ * Change suexec docroot from /var/www/apache2-default to /var/www
+ (Closes: #198981)
+ * Make sure we use Expat rather than xmltok (Closes: #197020)
+ * Ship find_ap{r,u}.m4 (per Nuutti Kotivuori)
+
+ -- Thom May <thom@debian.org> Fri, 4 Jul 2003 13:40:37 +0100
+
+apache2 (2.0.46-3) unstable; urgency=low
+
+ * Clean up the proxy config although it's not enabled by default.
+ (Closes: #195187)
+ * Remove all traces of gdbm. (Closes: #196231)
+ * Re-enable ldap support (Closes: #190092)
+ * This changelog should be policy compliant. Any whingers can take a long
+ hike off a short pier.
+ * use printf rather than echo to work round weird shells. (Closes: #196230)
+
+ -- Thom May <thom@debian.org> Thu, 5 Jun 2003 19:26:21 +0100
+
+apache2 (2.0.46-2) unstable; urgency=critical
+
+ * Fix config_vars.mk creation and installation (Closes: #195141, #195190)
+
+ -- Thom May <thom@debian.org> Thu, 29 May 2003 11:47:13 +0100
+
+apache2 (2.0.46-1) unstable; urgency=critical
+
+ * The "David Welton is my hero" release
+ * New upstream release, numerous security vulns fixed.
+ * Oh the pain.
+ * Move ScriptSocket to /var/run/apache2 (Closes: #188655)
+ * Restore mod_include (Closes: #188483)
+ * Move the virtual hosts config to the end of the config file
+ (Closes: #188584)
+ * Add Mod-Ext-Filter (Closes: #182770)
+ * Add actions.load (Closes: #178087, #179571, #181527)
+ * Add a dependency on net-tool (Closes: #190663)
+ * Clean up FHS compliancy and fix up a typo in apachectl (Closes: #187723)
+ * Fix for the apxs -q APR_BINDIR doesn't work problem (Closes: #188278)
+ * Special case the install of special.mk (Closes: #179776)
+ * Make apache2-dev and apache-dev not conflict. (This renames apxs back to
+ apxs2)
+ * Add README for /etc/apache2 written by David.
+ * Add auth_digest.load courtesy of Amelia A Lewis <amyzing@talsever.com>
+ (Closes: #194111)
+
+ -- Thom May <thom@debian.org> Wed, 28 May 2003 14:17:21 +0100
+
+apache2 (2.0.45-3) unstable; urgency=critical
+
+ * another "stupid freaking sasl" release. the series is on!
+
+ -- Thom May <thom@debian.org> Tue, 8 Apr 2003 17:13:09 +0100
+
+apache2 (2.0.45-2) unstable; urgency=critical
+
+ * the "stupid freaking sasl" release.
+ * fix override disparities too.
+ * fix dulpicate dependency on libssl0.9.7 (Closes: #179598)
+
+ -- Thom May <thom@debian.org> Tue, 8 Apr 2003 13:34:44 +0100
+
+apache2 (2.0.45-1) unstable; urgency=critical
+
+ * New upstream release (Closes: #187502)
+ * Fix korean language type, thanks to Donggyoo Lee
+ <donggyoo@kmaritime.ac.kr> (Closes: #179542)
+ * Add explicit dependency to libsasl-dev (Closes: #179674)
+ * Remove ErrorLog from ssl.conf
+ * forward ported patches courtesy of Roberto Moreda <moreda@debian.org>; big
+ thanks!
+
+ -- Thom May <thom@debian.org> Sat, 5 Apr 2003 14:35:58 +0100
+
+apache2 (2.0.44-6) unstable; urgency=low
+
+ * Make APR's postinst idempotent (Closes: #178105, #178141)
+ * Make Apache2-common's postinst non interactive (Closes: #178551)
+ * People filing bugs after they're fixed should be shot (Closes: #178244)
+ * Build Logio into the core, apparently.
+
+ -- Thom May <thom@debian.org> Mon, 27 Jan 2003 20:47:28 +0000
+
+apache2 (2.0.44-5) unstable; urgency=low
+
+ * The "someone should take my compiler away from me" release
+ * Depend on openssl as well. Grrr. (Closes: #177985)
+ * Clean up the last of the section mismatches
+
+ -- Thom May <thom@debian.org> Thu, 23 Jan 2003 15:04:20 +0000
+
+apache2 (2.0.44-4) unstable; urgency=low
+
+ * The "going for broke" release.
+ * Enable Logio, suggested by Roberto Moreda
+ * Stop force loading of cgi modules. (until we can do it cleanly)
+ (Closes: #177876, #177795)
+ * Restore symlink for libapr.so.0 (Closes: #177792)
+ * Apache2-common must depend on libssl0.9.7 (Closes: #177845)
+ * Rename ssl-certificate so we don't conflict with apache-ssl
+ (Closes: #177881)
+ * Only create the certificate if it's not there already (Duh!)
+
+ -- Thom May <thom@debian.org> Wed, 22 Jan 2003 09:59:11 +0000
+
+apache2 (2.0.44-3) unstable; urgency=low
+
+ * The "This one goes out wearing a brown paper bag" release
+ * Fix apxs to correctly return the header locations (Closes: #177729)
+
+ -- Thom May <thom@debian.org> Tue, 21 Jan 2003 16:35:14 +0000
+
+apache2 (2.0.44-2) unstable; urgency=low
+
+ * The "Ooops, I did it again" release
+ * Fixup of sections and priorities.
+ * Add dependency of libldap2-dev to libapr0-dev
+ * Correct dependencies to be db4.1 not db4.0
+
+ -- Thom May <thom@debian.org> Tue, 21 Jan 2003 13:26:57 +0000
+
+apache2 (2.0.44-1) unstable; urgency=low
+
+ * Conform to 10.4 of policy re init scripts, (Closes: #165693)
+ * Be more selective about filenames when doing Include
+ Patch - 008_make_include_safe (Closes: #161512)
+ * Make HTMLTable validate, and add a note recommending its use.
+ (Patch submitted upstream and will be in 2.0.44)
+ Patch - 010_fix_html_table (Closes: #153593)
+ * Make apr have correct library versioning
+ Patch committed upstream
+ Patch - 011_make_apr_versioned (Closes: #162775)
+ * Placed packaging code under subversion change management
+ http://svn.positive-internet.com/svn/apache2/trunk
+ * Changed some bash scripts to use #!/bin/bash rather than #!/bin/sh
+ (Closes: #168338)
+ * Changed apache2-common to merely suggest apache2-doc (Closes: #167595)
+ * Patch from David Kimdon to clean up debian/scripts/*
+ * Rename apxs2 to apxs; conflict with apache-dev (Closes: #167550)
+ * Upstream fix for AllowOverride documentation (Closes: #169431)
+ * Tighter build dependency on debhelper (Closes: #170803)
+ * Only reload in logrotate if apache2 is actually running (Closes: #171095)
+ * Upstream Fix for AddOutputFilterByType documentation (Closes: #172294)
+ * Add robots.txt to apache2-common (Closes: #172592)
+ * Enable cgi in postinst (Closes: #168709)
+ * Create an SSL Certificate on install (Closes: #168109)
+ * Fix a couple of typos in debian/ssl-certificate, with thanks to Nuutti
+ Kotivuori
+ * Change to restart rather than reload in logrotate, to work round a nasty
+ PHP bug (PHP has bugs? *gasp* I thought it was perfect!) with thanks to
+ Adam Conrad for the suggestion
+ * Clarify what needs to be installed for a working system (Thanks to Sean
+ Abrahams)
+ * Support debug DEB_BUILD_OPTIONS setting, thanks to Karl Hegbloom
+ (Closes: #174221)
+ * Add -pipe to the CFLAGS, thanks to Karl Hegbloom
+ * Force apr-util to build against db4
+ * add OSX finder to the list of things that needs to be redirect-carefully'd
+ * s/enabled/disabled in debian/a2-scripts/a2dismod (Closes: #173956)
+ * enable auth-ldap, auth-anon, auth-dbm, auth-digest, and action as shared
+ modules (Closes: #172044, #174583, #172093)
+ * Upgrade to Berkely DB 4.1
+ * Upgrade to OpenSSL 0.9.7
+ * Add patch to ensure DB4.1 --with-unique-names is picked up. (Committed
+ upstream)
+ * Add local apache2 and apache2ctl manpages, since upstream have removed
+ them.
+
+ -- Thom May <thom@debian.org> Mon, 20 Jan 2003 11:14:43 +0000
+
+apache2 (2.0.43-1) unstable; urgency=medium
+
+ * New Upstream Release; Fixes: CVE: CAN-2002-0840 CERT: VU#240329
+ * Add extra config to unfuck perchild. hopefully.
+ * Rejig Proxy Config some. With thanks to: Emmanuel Chantreau (Closes: #163124)
+ * Fix cgi install. Thanks to: Bastian Kleineidam (Closes: #162791)
+ * Fix postinst to check installation type and behave accordingly (Closes: #162627)
+ * Bring product version into line with RFC2616 (Closes: #151384)
+ * Add allow line for ipv6 localhost (Closes: #163533)
+ * Make more of the modules modular.
+ * Set UseCanonicalName off
+ * Added index.xhtml to DirectoryIndex settings
+ * Enabled MultiViews in the default site, and for the manual (Closes: #160367)
+ * Removed Unnecessary cgi.conf (Closes: #163842)
+
+ -- Thom May <thom@debian.org> Fri, 4 Oct 2002 21:47:18 +0100
+
+apache2 (2.0.42-2) unstable; urgency=low
+
+ * Tighten dependencies yet more
+ * Restart in postinst. don't stop in prerm and start in postinst (Closes: #162344, #162350, #162537)
+ * Fix dh_shlibdeps up
+ * PERCHILD IS NOT WORKING IN THIS RELEASE. DON'T EXPECT IT TO. BUGS ABOUT
+ THIS WILL BE CLOSED WITH EXTREME PREJUDICE.
+
+ -- Thom May <thom@debian.org> Fri, 27 Sep 2002 13:06:59 +0100
+
+apache2 (2.0.42-1) unstable; urgency=low
+
+ * "Pretty. What shall we blow up?"
+ * New Upstream Version (Closes: #160364)
+ * Fix man names and sections (Closes: #157113)
+ * Correct the regex for netstat checking of ports, thanks to Matthew Hambley
+ for this.
+ * Correct dependencies for apache2-common. (Closes: #161793)
+ * Applied patch from Stefan Gybas to fix a2enmod (Closes: #159459)
+ * Added BrowserMatch directives for microsoft's bodgy DAV implementations
+ and also for gnome-vfs (Closes: #155097)
+ * Loosened the config for home directories (Closes: #153599)
+ * Updated to latest standards version
+ * Drop priority to extra to bring it in line with libdb4.0
+ * Added logrotate script - Thanks to Phil Edwards for the basic version, and
+ the apache package that I ripped the rest off from (Closes: #155488)
+ * Tighten up what the Include lines load some. This is related to #161512
+ but doesn't completely close it.
+
+ -- Thom May <thom@debian.org> Sat, 21 Sep 2002 22:14:22 +0100
+
+apache2 (2.0.40-1) unstable; urgency=low
+
+ * New Upstream Version
+ * Correct dependencies. (Closes: #156959)
+ * Code to check for something else listening on 80 (Closes: #156129)
+ * correct permissions on suexec2 man page (Closes: #157005)
+ * Make the start and stop targets use apache2 directly rather than
+ apache2ctl.
+ * Check for the existence of apache2 and exit if it's not there (Closes: #156640)
+ * Nuke ssl_scache on startup (Closes: #157445)
+ * patch apxs to not need an mpm installed. Correct dependencies for -dev.
+ Stop messing around with ap_config_auto.h.
+ This hopefully resolves James Troup's objections to apache2. (Closes: #157895)
+ * Add code to check for a 2.2 based kernel and set up the Scoreboard
+ accordingly. (Closes: #156899)
+ * make sure i only have to update one init.d script, rather than 4.
+ * make apxs return a correctly formatted response on queries.
+
+ -- Thom May <thom@debian.org> Wed, 21 Aug 2002 14:21:14 +0100
+
+apache2 (2.0.39+cvs.1028741220-2) unstable; urgency=low
+
+ * Rebuild against new libc6. Grr. (Closes: #155865)
+ * Actually create /etc/apache2/httpd.conf
+ * Propagate init.d changes through the other MPMs.
+
+ -- Thom May <thom@debian.org> Thu, 8 Aug 2002 09:19:49 +0100
+
+apache2 (2.0.39+cvs.1028741220-1) unstable; urgency=low
+
+ * New Upstream Version
+ * Make a versioned depends on libapr0 (Closes: #154879, #155400)
+ * Ensure that /etc/init.d/apache2 is registered properly.
+ * Added a conf.d directory for random conf snippets
+ * Ensure that the /manual/ alias is setup by the correct package (Closes: #155179)
+ * Ensure that DAVLockDB is created in the right directory (Closes: #155096)
+ * Now Building in a pbuilder chroot environment.
+ * Perchild is now pseudo working (Closes: #154148)
+ * Cumulatively (note to Lazarus Long: this means all the things in this
+ changelog added together) (Closes: #155297, #155307, #155317, #155717, #155363, #155719, #155801)
+ * Note that preceeding changelog entry may not be parseable by strict grammar
+ checks. Thanks to Jamie Wilkinson for pointing this out.
+ * Turn MultiViews back on for the default site (Closes: #155450)
+ checks. Thanks to Jamie Wilkinson for pointing this out.
+ * Turn MultiViews back on for the default site (Closes: #155450)
+ * Removed all CVS directories (Closes: #155602, #155393, #155402)
+ * SSI has been fixed upstream (Closes: #151744)
+ * Removed SSLLog directives (Closes: #152940)
+ * Put icons in the right place (Closes: #155178)
+ * Fixed build-dep on libgdbmg1-dev (Closes: #155412)
+ * Get correct information into config_vars.mk (Closes: #151712)
+ * Removed 'ServerName localhost' line (Closes: #155359)
+ * Placed apr-util headers in correct package
+ * Ensured that the init.d script restarts apache properly
+
+ -- Thom May <thom@debian.org> Tue, 30 Jul 2002 22:37:52 +0100
+
+apache2 (2.0.39+cvs.1027964860-1) unstable; urgency=low
+
+ * New Upstream Source
+ * Correct Icons path (Closes: #151314)
+ * Add missing dep on mime-support (Closes: #151848, #152220, #152221, #151772)
+ * Fixup suexec2, thanks to Masahito Omote (Closes: #151422)
+ * Mark Brown
+ - Remove spurious claim that apache2 hasn't been uploaded (Closes: #151433)
+ - Bring apache2 in line with policy on /usr/share/doc/ (Closes: #151459)
+ - Make reload behave the same as force-reload (Closes: #151432)
+ * place the manual in the right place, thanks to Md (Closes: #151766)
+ * David Kimdon
+ - add build depends on zlib1g-dev (Closes: #151286)
+
+ -- Thom May <thom@debian.org> Fri, 29 Jul 2002 19:12:56 +0100
+
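Review bot: In the 2.0.39+cvs.1028741220-1 entry, the continuation line "checks. Thanks to Jamie Wilkinson for pointing this out." and the bullet "* Turn MultiViews back on for the default site (Closes: #155450)" each appear twice in a row; drop the second pair so the entry does not record the same change and bug closure twice. In the 2.0.39+cvs.1027964860-1 entry directly above this note, the trailer reads "Fri, 29 Jul 2002" while the next-newer entry is dated "Tue, 30 Jul 2002", so the weekday and the date cannot both be right; check it against the original upload before importing. Further down, the 2.0.23-2 entry has no blank line between its header and its first bullet, unlike the other entries in this file, and should be normalised to match.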
+apache2 (2.0.39-1) unstable; urgency=low
+
+ * New Upstream Version, fixing a denial of service attack.
+ * Fix installation of icons and manual.
+ * David Kimdon
+ - fix path for envvars in apxs2
+ - use generalized directives in ssl.conf ( SSLLog -> ErrorLog,
+ SSLLogLevel -> LogLevel ), this allows server to load ssl
+ module
+
+ -- Thom May <thom@debian.org> Fri, 14 Jun 2002 17:29:59 -0700
+
+apache2 (2.0.37-2) unstable; urgency=low
+
+ * Updated Copyright file to actually contain a copy of the various licenses.
+
+ -- Thom May <thom@debian.org> Fri, 14 Jun 2002 15:41:41 +0100
+
+apache2 (2.0.37-1) unstable; urgency=low
+
+ * New upstream version
+
+ -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +0100
+
+apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +0100
+
+apache2 (2.0.36-2) unstable; urgency=low
+
+ * debian/control - Correct provides, conflicts and depends, especially for
+ the mpms.
+ * build-dep doesn't work with provides, which makes sense. Need to make a
+ note of this in the policy.
+ * debian/rules - ensure that the mpm specific header file is installed into
+ the right place
+
+ -- Thom May <thom@debian.org> Fri, 31 May 2002 14:54:39 +0100
+
+apache2 (2.0.36-1) unstable; urgency=low
+
+ * The "The obviously begging in a changelog works" release.
+ * New Upstream release
+ * Vpath Builds now work, giving the ability to select which MPM you require
+ * Changed vhost base to only be a Recommends: as I'm not happy that it's
+ currently in a properly releasable state.
+ * New enhost script courtesy of DannyS.
+ * David Kimdon
+ - make apxs2 find envvars properly
+ - use libtool to install apache2 binaries for different mpm's
+ - fix dependancies for apache2-dev (we can't do a versioned 'Provides'
+ so we need to list all the packages that provide apache2 along
+ with their version)
+ * Implemented a long overdue suggestion to only create ports.conf if it's
+ not in existance already, rather than to add a command to listen on 80 iff
+ that didn't exist. The person who suggested it is lost in the mists of my
+ mailbox. If it was you, please email me!
+ * debian/vhost-base/add.d/apache2 - apply patch from "Omniflux"
+ <josh@nebonet.com> to fix some brainos
+
+ -- Thom May <thom@debian.org> Mon, 6 May 2002 16:39:18 +0100
+
+apache2 (2.0.35+cvs.20020420-1) unstable; urgency=low
+
+ * The "finding myself standing on the corner staring into a different world"
+ release. Will someone please give me a job?
+ * Resync with upstream CVS. lots and lots of bug fixes since the last
+ release.
+ * Attempting to build with multiple MPMs, so speedfreaks can have a threaded
+ MPM. (Available MPMs are: prefork, worker, threadpool, and
+ leader/follower).
+ * Now sedding ap{r,u}-config in the install target.
+ * vpath build evilness suggested by Andrew Suffield and others. I hate them
+ all. :)
+
+ -- Thom May <thom@debian.org> Sat, 20 Apr 2002 17:04:46 +0100
+
+apache2 (2.0.35-2) unstable; urgency=low
+
+ * The "Apache2 isn't released, therefore the Bug Tracking System doesn't
+ bloody well work" release
+ * Fixes a bug in add host, due to the change from Port to Listen.
+ (Reported by numerous people, patch more or less from Esteve Fernandez
+ <esteve@sindominio.net>.
+ * Attempt to fix apu-config, suggestion and patch from David Kimdon, if it's
+ wrong, I broke it. (Changed it to apply pre-build, rather than post build.
+ Yes, it's the lazy approach. It's also the right one :) )
+ * THE BUG TRACKING SYSTEM IS NOT THE RIGHT PLACE TO SEND BUG REPORTS FOR
+ APACHE2.
+ * REALLY.
+
+ -- Thom May <thom@debian.org> Sat, 6 Apr 2002 21:04:16 +0100
+
+apache2 (2.0.35-1) unstable; urgency=low
+
+ * WOOOOOOOOOOOHOOOOOOOOO! Apache2's first General Availability release!
+ * Various bug fixes, suggestions and so on.
+ * Built with db3 for the time being.
+
+ -- Thom May <thom@debian.org> Sat, 6 Apr 2002 03:01:24 +0100
+
+apache2 (2.0.34+retag-1) unstable; urgency=low
+
+ * Resync with upstream release.
+ * Fix packaging-fus (Hi Marcello!)
+ * Upstream have fixed cgi probs.
+
+ -- Thom May <thom@debian.org> Mon, 1 Apr 2002 14:50:12 +0100
+
+apache2 (2.0.34-1) unstable; urgency=low
+
+ * New upstream release
+ * added mod_deflate as a shared library
+ * bashed on apache2.conf some.
+
+ -- Thom May <thom@debian.org> Tue, 26 Mar 2002 23:23:09 +0000
+
+apache2 (2.0.33-1) unstable; urgency=low
+
+ * New upstream.
+ * Unfucked all code, include init.d and /etc/vhosts.
+ * FHS'ified, more or less
+ * Some debconf, but not much.
+ * Merged more patches upstream
+
+ -- Thom May <thom@debian.org> Sat, 9 Mar 2002 23:33:09 +0000
+
+apache2 (2.0.32+cvs.20020228-1) unstable; urgency=low
+
+ * The "bathwater, no baby" release.
+ * Submitted patches upstream like crazy.
+ * Tossed the insanely bogus apachectl patch
+ * Debconf not included here. Want to get everything else right, and a
+ release out.
+ * Boom!
+
+ -- Thom May <thom@debian.org> Thu, 28 Feb 2002 21:07:24 +0000
+
+apache2 (2.0.32-1) unstable; urgency=low
+
+ * The "Throwing stuff away like mad and seeing if it still builds" release.
+ * Ditched apache2-modules* on the principle of least surprise - the deb
+ layouts now pretty closely follow apache.
+ * Trying to triage away patches that have been fixed upstream.
+ * Major attack on debconfiscation starts here -> .
+
+ -- Thom May <thom@debian.org> Tue, 19 Feb 2002 20:37:58 +0000
+
+apache2 (2.0.31+cvs.20020217-1) unstable; urgency=low
+
+ * New CVS snapshot from HEAD to benefit Subversion for the impending 0.9
+ release. Enjoy! 81 lines in the last couple of days ... :)
+ * debian/patches/005_more_hardcoded_paths:
+ - Regenerated diff against newer version of mpm_default.h.
+ * debian/patches/008_apr-config_sucks
+ - Regenerated apr-util part of diff against newer version of
+ apu-config.in.
+ * debian/apache2.{config,templates,postinst},
+ debian/vhost-base/add.d/apache2,
+ debian/vhost-base/templates.d/apache2{,.in}, debian/rules:
+ - Debconfage asking which port to run on, and make the vhost-base script
+ only list the current ports; ports stuff moved to
+ /etc/apache2/ports.conf - re-enable dh_installdebconf in debian/rules.
+ - Moved templates.d/apache2 to templates.d/apache2.in so we can do some
+ nifty inplace regexps.
+ * debian/apache2.init.d:
+ - Bail out of the init script if there aren't any sites enabled.
+ * debian/{rules,control}:
+ - Get rid of apache2-modules; move its contents to apache2.
+ * debian/config-mods/cgid.conf:
+ - Get rid of redundant <IfModule> wrapper around ScriptSock, so it
+ actually loads. Thanks to Pieter "Pitr" Jansen for this one.
+
+ -- Daniel Stone <daniel@sfarc.net> Sun, 17 Feb 2002 01:23:43 +1100
+
+apache2 (2.0.31+cvs.20020207-1) unstable; urgency=low
+
+ * The one-big-happy-apache2-bug-squashing-family release.
+ * Update to latest CVS; hopefully this won't mean that piro deadlocks every
+ time dpkg goes to read its database. Hopefully this gets rid of the bugs.
+ Yes, all of them.
+ * debian/patches/004a_srclib_layout_support:
+ - Updated a touch to fit in with .32-dev.
+ * debian/patches/008_stuff_in_sbin_not_bin:
+ - Removed; obsoleted by upstream discovering sanity.
+ * debian/patches/008_apr-config_sucks:
+ - Fix problem whereby @prefix@ would sub to $(prefix), but $(prefix)
+ wouldn't sub to the prefix, or ${prefix}, thus screwing up the running
+ of apr-config ... ditto for apu-config (from apr-util).
+ * debian/patches/009_apxs:
+ - Reworked to make it actually work, and apply cleanly.
+ - Fix libtool breakage once again, thanks David Kimdon.
+ * debian/patches/010_shmget:
+ - Hack to srclib/apr/apr.h.in to make it prefer shmget over everything
+ else, to make it 2.2/non-tmpfs safe. (Thanks Ben Collins).
+ * debian/patches/012_debian_version:
+ - Minor update (include a space in front of "Debian", change it to
+ "Debian GNU/Linux" to clarify things, and before the the Hurd [happy
+ now, you crack junkies?] people complain, it's not released as a Debian
+ port yet, so feh).
+ * debian/vhost-base/add.d/apache2:
+ - Change sites to sites-available, in line with the previous change.
+ * debian/config/mods-available:
+ - Move to debian/config-mods to make life easier with the move to
+ apache2-modules (see below).
+ * debian/config-mods/auth_dbm.load:
+ - New file, in line with introducing mod_auth_dbm; thanks again to David
+ Kimdon.
+ * debian/a2-scripts/a2{en,dis}mod:
+ - Rewritten to be much cleaner and cool. (Thanks to Ben Collins for
+ pointing out that the permissions were screwed).
+ * debian/apache2.postinst:
+ - New file, no #DEBHELPER# token so that we don't care if postinst fails;
+ this way it won't bail if you're already running another web server.
+ Thanks to David Kimdon for pointing out an error.
+ * debian/vhost-base/{enable,disable}.d/apache2:
+ - Fixed! Woot! The code isn't the best you'll see, but now *WORKS*. Whoo!
+ * debian/control:
+ - Extend libapr-dev's Depends to include libapr0 (duh).
+ - Remove apache2-modules-dev as modules are no longer built both shared
+ and static, IMHO this was quite braindead behavior. Upstream's change,
+ not mine.
+ - Remove apache2-support as apxs2 requred apache2 anyway. Chalk one (more)
+ down for "failed experiments".
+ - Removed redundant libssl0.9.6 and libxmltok1 build-deps; we already
+ build-depped on the relevant -dev packages; thanks Ben Collins.
+ * debian/rules:
+ - Modules are no longer built statically as well as dynamically (upstream
+ change), so stop trying to move the files around.
+ - Sort out the libapr0/libapr-dev mess once and for all; thanks to Matt
+ Wilcox and Ben Collins for patiently talking me through it.
+ - Move *contents* of mods-available to apache2-modules, but keep the
+ directory itself as part of apache2, to keep the addons happy; thanks
+ David Kimdon.
+ - s/apache2-support/apache2/, see debian/control entry.
+ - Remove extraneous LICENSE file from the vhost manual.
+ - Remove *.exp files, because they're unneeded.
+ * debian/apache2.docs:
+ - Remove KEYS from the list of docs because this is crap and no longer
+ distributed. w00t!
+
+ -- Daniel Stone <daniel@sfarc.net> Thu, 7 Feb 2002 20:39:44 +1100
+
+apache2 (2.0.28-3) unstable; urgency=low
+
+ * Enabled mod_auth_dbm for Subversion. (thanks David Kimdon).
+
+ -- Daniel Stone <daniel@sfarc.net> Thu, 29 Nov 2001 23:25:53 +1100
+
+apache2 (2.0.28-2) unstable; urgency=low
+
+ * Fixed up a couple of things,
+ /etc/apache2/modules->/etc/apache2/mods-available, etc.
+ * Included mod_dav, so Subversion can be built.
+ * New package: apache2-modules-dev, containing all
+ /usr/lib/apache2/modules/*a. (Thanks Adam Heath).
+ * Moved libapr.so.* symlinks to libapr-dev (Thanks again to doogie).
+
+ -- Daniel Stone <daniel@sfarc.net> Sun, 25 Nov 2001 19:00:19 +1100
+
+apache2 (2.0.28-1) unstable; urgency=low
+
+ * Updated to 2.0.28, which they actually managed to agree on calling a beta.
+ * debian/apache2.init.d:
+ - Stripped of almost all its functionality. Now just touches httpd.conf if
+ we're starting and it doesn't exist, and then calls apache2ctl with all
+ our options, whatever they may be - it can error out if it wants.
+ * Removed patches:
+ - 010_index.html.it_typo - merged upstream.
+ * Updated patches:
+ - 009_apxs: make it actually find libtool. Thanks to David Kimdon.
+ - 002_apache2ctl: really fix apache2ctl graceful.
+
+ -- Daniel Stone <daniel@sfarc.net> Sun, 18 Nov 2001 15:29:43 +1100
+
+apache2 (2.0.26+cvs.20011028-2) unstable; urgency=low
+
+ * Added vhost-base support.
+ - Removed Debconfage and moved all the templates to
+ debian/vhost-base/templates.d (/etc/vhosts/templates.d).
+ Removed apache2.postinst and apache2.config.
+ - Removed a2{dis,en}host.
+ * /usr/lib/cgi-bin will now be /cgi-bin, /var/vhosts/hostname/cgi-bin will be
+ /cgi-local.
+
+ -- Daniel Stone <daniel@sfarc.net> Fri, 9 Nov 2001 21:53:27 +1100
+
+apache2 (2.0.26+cvs.20011028-1) unstable; urgency=low
+
+ * Resync with HEAD (another coming to fix segfaults, but no net connectivity
+ at the moment - 4-11-2001, 2:12pm. Grrr).
+ * New patches:
+ - 011_mod_autoindex-symlink: make icons for symlinks to files and dirs
+ special cases.
+ + Touches modules/generators/mod_autoindex.c
+ + Special cases: ^^SYMDIR^^ and ^^SYMLINK^^.
+ - 012_debian_version: adds "Debian" to the Apache version string.
+ + Touches include/ap_release.h - this patch has *no* context. Please
+ don't give it any, I don't want to have to rediff every version.
+ * debian/config/httpd.conf, debian/config/apache2.conf:
+ - Move main config file to apache2.conf, made it much more bare-bones.
+ + User (or package) config should be done in httpd.conf.
+ * apache2.conf:
+ - s/Port/Listen/ - booya! Finally they cleaned it up.
+ - Add (commented-out) icon entries for ^^SYMDIR^^ and ^^SYMLINK^^.
+ Anyone volunteer to create icons?
+ * debian/apache2.postinst:
+ - Minor cleanups.
+ - And later: Made it just call ap2addhost --default. (and a2enhost).
+ * debian/config/modules/ssl.conf, debian/config/sites/default-443:
+ - Put only generic SSL stuff in ssl.conf, split SSL support out into
+ a new virtual host thingy in accordance with dealing with ports.
+ * debian/config/sites/default, debian/config/sites/default-443,
+ debian/patches/004b_debian_layout:
+ - Add a new alias /cgi-pub/ to /usr/lib/cgi-bin. Packages should put
+ scripts here.
+ * debian/control:
+ - changed the Suggests: on apache2-doc to a Recommends:
+ + otherwise /manual/ will be a broken alias, as it points to
+ /usr/share/doc/apache2-doc/manual.
+ - changed libapr-dev to Architecture: all (from Arch: any) - whoops.
+ * Added support for multiple ports on the one virtual host. At the moment
+ it's one gigantic, ugly, kludge. *sigh*. Format:
+ - /var/vhosts/site.name/htdocs-PORT
+ - /var/vhosts/site.name/logs/(access|error).log-PORT
+ - /var/vhosts/site.name/cgi-bin-PORT
+ * debian/apache2.postinst, debian/config/sites/default, etc:
+ - s#/var/www#/var/vhosts#;
+ - s#htdocs#htdocs-$PORT#;
+ * More Debconfage - it now asks if you want SSL support in the default
+ virtual host, and which port number you want (default 81 so it sits
+ side-by-side with apache).
+ * Major change to postinst, a2addhost, et al:
+ - It's all now done in Perl, and postinst is no longer a special case.
+ The standalones call Debconf for what they need to do, calling it as a
+ standalone. This way, postinst just calls a2addhost, etc, and it also
+ smooths the path for me to do the vhost-base stuff.
+ * No, this migration path probably won't be smooth (between apache2
+ versions). Sorry.
+ * Last release before I make it vhost-base compliant.
+
+ -- Daniel Stone <daniel@sfarc.net> Sun, 28 Oct 2001 20:33:18 +1100
+
+apache2 (2.0.26+cvs.20011023-1) unstable; urgency=low
+
+ * Damnit, resync with HEAD (2_0_26 was unstable).
+
+ -- Daniel Stone <daniel@sfarc.net> Tue, 23 Oct 2001 18:36:42 +1000
+
+apache2 (2.0.26-1) unstable; urgency=low
+
+ * Resync with upstream CVS (but only as far as the APACHE_2_0_26 tag).
+ Essentially, this gives all the coolness of a CVS tree, but all the
+ stability of a release. I may start tracking HEAD later, we'll just
+ have to see.
+ * Changed libapr->libapr0.
+ * Fixed a couple of typo's in index.html.it (thanks Md, via Joey).
+ * 22nd October, 7:51pm: Resync again as they added a couple of files
+ and bumped the tag to fix segfaults.
+
+ -- Daniel Stone <daniel@sfarc.net> Wed, 17 Oct 2001 23:50:39 +1000
+
+apache2 (2.0.25+cvs.20011001-1) unstable; urgency=low
+
+ * More CVS resyncing joy.
+ * Silly stupid evil poo bum hack to apachectl. I don't like this.
+ Please, help.
+ * Got rid of a few lintian warnings.
+ * Install build stuff to /etc/apache2/build, adjust apxs accordingly.
+ * Agreed on policy with madduck. This is a MAJOR CHANGE, people.
+ A lot of stuff has changed around, so you'll need to change your
+ packages.
+ apache2 now treats everything as a virtual host (even when you only
+ have one host). This allows us to skirt around FHS and do our own
+ thing. ("Thpthpthpthpthpthpt, we're using vhosts. FHS doesn't say
+ anything about that.")
+ Please see README.Debian for more details.
+ * More fun with virtual hosts. Migrated their configuration files to
+ /etc/apache2/virtuals/<name>. This will allow for easy adding and
+ removal, via the new tools /usr/sbin/ap2(add|del)vh.
+ apache2's postinst touches /etc/apache2/POSTINST_CONFED, and will refuse
+ to re-run the postinst config stuff if it's there already.
+ * Module fun - /usr/sbin/ap2mod(en|dis). Modules put their loading line in
+ /etc/apache2/modules/foo.load, config in /etc/apache2/modules/foo.conf.
+ Enabled module stuff gets symlinked into /etc/apache2/mods-enabled.
+ * Move APR stuff to /usr/lib, not /usr/lib/libapr. Whoops, should've done
+ this a *long* *time* *ago*.
+ * More silly APR hacks: Move /usr/include/libapr to /usr/include/apache2, as
+ silly things like php4 don't get the fact that APR and apache2 can indeed
+ have different include directories. Grrr.
+ * Juggled script names - it's now a2(en|dis)(host|mod).
+ * I don't care, I'm uploading. No, really (closes: #103471).
+ It's been 93 days since I first did dh_make and ITPed it. :)
+
+ -- Daniel Stone <daniel@sfarc.net> Thu, 4 Oct 2001 20:15:31 +1000
+
+apache2 (2.0.25+cvs.20010923-1) unstable; urgency=low
+
+ * Another resync with upstream CVS; most of the changes below were made
+ between then and now.
+ * Also added apache2-support - everything from support/*, so php4, et al
+ don't need to Build-Depend on apache2 itself.
+
+ -- Daniel Stone <DanielS@esd.nec.com.au> Sun, 23 Sep 2001 13:21:16 +1000
+
+apache2 (2.0.25+cvs.20010908-1) unstable; urgency=low
+
+ * Synched everything with CVS; it works now.
+ * We now build with ./buildconf due to the above; redo all the patches
+ against configure.in. I swear this will be the last change, and that I'll
+ test it.
+ * Removed php4 and modperl-2.0 from the tree. I should keep the changelogs
+ internal, as this is now getting not only very silly, but very embarassing.
+ * I corrected myself in the ITP that it was licensed under the Apache
+ Software License, not GPLed, but forgot to do that in debian/copyright.
+ Whoops. Feel free to LART.
+ * Lintian cleanups:
+ - Remove extra LICENSE files.
+ - Stop stuff calling -rpath.
+ - Change printenv to call /usr/bin/perl, not /usr/local/bin/perl - wtf?
+ - Move manpages to the right directory.
+ * Minor merge from Thom courtesy of some stuff being stored on pandora:~thom.
+ - Use buildprogs.pl to parse stuff like apache2ctl, apxs2, etc.
+ * Hopefully I'm only one CVS sync away from an upload.
+ * Moved some stuff over to /usr/sbin, fixed apache2ctl once and for all.
+ Hopefully.
+
+ -- Daniel Stone <daniel@sfarc.net> Sun, 9 Sep 2001 00:05:03 +1000
+
+apache2 (2.0.24-2) unstable; urgency=low
+
+ * The "Farewell Buddha" Release.
+ * Or, alternatively: The "Darren Milburn is an Idiot for Inciting Crowds"
+ Release.
+ * Yes, it's the height of evil, I know: modperl-2.0 goes into the source
+ tree. (from CVS).
+ Separate tarballs, thanks to DBS, but still, yeah.
+ * Ditto php4.
+ * Still no Thom's laptop; hence no merges, and I'm not going to duplicate
+ work.
+
+ -- Daniel Stone <daniel@sfarc.net> Sun, 2 Sep 2001 21:50:59 +1000
+
+apache2 (2.0.24-1) unstable; urgency=low
+
+ * New upstream version.
+ * Use prefork, not threaded, MPM. (threaded is currently broken).
+ * Update example httpd.conf for mod_ssl and have lines for all the modules.
+ * Build-Depends, all the Build-Depends!
+ * Update maintainer email address (thanks Joey).
+ * Turns out using buildconf was what broke modules. I swear I won't do
+ anything like that again. Promise! (thanks Thom for pointing this out)
+ * Implied by the above, rediff all patches against configure, not
+ configure.in.
+ * Also, don't copy configure.{guess,sub} over anymore, because we don't need
+ them.
+ * More Thom merges:
+ - debian/patches/003_apache2ctl - rewritten apache2ctl to actually work.
+ * Return of debian/patches/006_dont_install_build_crap. GAH!
+
+ -- Daniel Stone <daniel@sfarc.net> Sat, 18 Aug 2001 17:01:19 +1000
+
+apache2 (2.0.23-2) unstable; urgency=low
+ * SSL finally works, and beat instructions on how to get it going out
+ of someone on new-httpd. Moved SSL stuff to apache2-modules.
+ * Disabled TLS, because it's unstable and unnecessary.
+ * Merge from Thom May's tree:
+ 005b_debian_layout - The Debian layout for stuff
+ - Move APR stuff to /usr/lib/libapr and /usr/include/libapr.
+ - Clean up debian/rules, largely thanks to the two new patches.
+ * General cleanups, resulting from running lintian:
+ - Chuck #DEBHELPER# in postinst, which also fixes the /usr/doc
+ and init.d problems (due to debhelper now doing its postinst
+ thing).
+ - Remove LICENSE files from apache2-doc and the default document
+ root.
+ - Remove man/ and build/ top-level dirs, install manpages correctly.
+ - Updated 004_perl_in_usr_bin to include the manual search CGI.
+ * Remove all evil, ugly, patches to configure in debian/patches/*, instead,
+ diff against configure.in, because autoconf gets run in the configure
+ stage every time.
+ * Copy config.{guess,sub} from /usr/share/misc (provided by autotools-dev) at
+ runtime, thus eliminating debian/patches/002_config_guess_and_sub.
+ * Reshuffled patch numbers to cope with the above.
+ * I give up on this DBM crap. Disable mod_auth_dbm for now.
+
+ -- Daniel Stone <daniel@sfarc.net> Wed, 15 Aug 2001 18:27:23 +1000
+
+apache2 (2.0.23-1) unstable; urgency=low
+
+ * New upstream - 2.0.23.
+ * New patches:
+ 004_conffile_in_etc_apache2 - Make an ugly init.d hack unnecessary.
+ 005_perl_in_usr_bin - Make example CGI scripts use /usr/bin/perl.
+ * Fix mime_magic stuff by copying magic to /etc/apache2.
+ * Remove debian/patches/003_cgisock_in_var_log_apache2, instead found a new
+ conffile directive, put this into the default distributed conffile.
+
+ -- Daniel Stone <daniel@sfarc.net> Sun, 12 Aug 2001 18:05:32 +1000
+
+apache2 (2.0.22-2) unstable; urgency=low
+
+ * Aargh, I'm an idiot. Fix a bug in mod_cgid.c that had a hardcoded path.
+ That's now debian/pactches/003*.
+
+ -- Daniel Stone <daniel@sfarc.net> Sat, 11 Aug 2001 08:04:13 +1000
+
+apache2 (2.0.22-1) unstable; urgency=low
+
+ * Updated to 2.0.22, started using a form of DBS.
+ * Merge from Thom May's 2.0.20 tree - new libapr-dev package.
+ * Backed out the old mod_(tls|ssl) hacks, see if 2.0.23 is any better
+ (apparently it is, thank god).
+
+ -- Daniel Stone <daniel@sfarc.net> Wed, 8 Aug 2001 15:13:09 +1000
+
+apache2 (2.0.20-2) unstable; urgency=low
+
+ * New SSL fixes from new-httpd. Apparently, this (generally) works.
+
+ -- Daniel Stone <daniels@yakko.doogie.org> Fri, 13 Jul 2001 07:57:18 -0500
+
+apache2 (2.0.20-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Daniel Stone <daniel@kabuki.sfarc.net> Mon, 9 Jul 2001 18:41:04 +1000
+
+apache2 (2.0.18-1) unstable; urgency=low
+
+ * Initial Release.
+
+ -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +1000
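Review bot: the `apache2 (2.0.23-2)` stanza near the end of this hunk has no blank line between its header and the first `*` item, unlike every other stanza visible here. If the file is meant to follow the usual debian/changelog layout rather than be a byte-for-byte import of the historical text, add the blank line. In the 2.0.22-2 stanza, `debian/pactches/003*` is a misspelling of `debian/patches/003*`, so a search for the patch path will miss that entry. The 2.0.23-2 item "Disabled TLS, because it's unstable and unnecessary" sits right after "SSL finally works" and reads as if the protocol were turned off. The 2.0.22-1 stanza refers to `mod_(tls|ssl)`, so the item presumably means the mod_tls module, and naming the module would remove the ambiguity for anyone auditing the package's TLS history.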