1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
|
apache2 (2.4.10-2) unstable; urgency=low
The default period for which rotated log files are kept has been
reduced from one year to 14 days.
-- Stefan Fritsch <sf@debian.org> Tue, 23 Sep 2014 22:25:06 +0200
apache2 (2.4.1-1) unstable; urgency=low
This package introduces a new major release of the Apache HTTP server. It is
likely the site configuration needs changes to work with this release.
Notable changes which need special care are:
The module interface (ABI) has changed. If you have any locally compiled
modules, you have to re-compile them for apache2 2.4.
The authorization and authentication system has changed. Existing
configurations using deprecated Order/Allow/Deny directives need to be
upgraded to the new system. Please review upstream's "Authentication,
Authorization and Access Control Howto" [1]. There is a new module
"mod_access_compat", which is supposed to provide backward compatibility,
but it does not work well in practice.
Furthermore, MPMs are simple modules now. Thus, the MPM can be changed
at any time by (un-)loading a specific module. Be careful when upgrading. An
example of changing the MPM is given below:
a2dismod mpm_worker
a2enmod mpm_prefork
MPM ITK users should be advised, that ITK is not a MPM anymore. Instead, it
is a simple Apache module, expanding functionality of the prefork MPM. Thus,
users should switch to the prefork MPM and enable ITK as a module. The
upgrade scripts ensure this for the upgrade from Debian Wheezy.
We did change the security model for Apache in our default configuration. We
do not allow access to the file system outside /var/www and /usr/share.
If you are running virtual hosts or scripts outside these directories, you
need to whitelist them in your configuration to grant access through HTTP.
Special care must be taken if you are using a sub-directory in /srv to serve
your content as recommended by the File Hierarchy Standard (FHS). You must
allow access to your served directory explicity in the corresponding virtual
host, or by allowing access in apache2.conf as proposed.
Along the security model, we did also change the default Document Root, files
are served from. Previous releases served /var/www by default when no other
virtual host matched the request. Starting with this release, we changed the
default document root to /var/www/html, so that sensitive files from other
virtual hosts wich are typically put into some directory below /var/www are
not exposed by the default virtual host. This change further improves the out
of box security.
Moreover, the configuration mechanism in Debian has changed. All
configurations in sites-enabled and conf-enabled need a ".conf" suffix now.
The latter replaces the deprecated /etc/apache2/conf.d/ directory (which is
not supported any more) and works just like {sites,mods}-{available,enabled}
via the "a2enconf" tool. The upgrade tries to migrate known configuration
files from /etc/apache2/conf.d/ to /etc/apache2/conf-available/ - please
review these changes.
Note this means all existing sites are ignored until they get a ".conf"
suffix and are re-enabled by the use of a2ensite. The script in [3] can
automate that for simple cases. This change also includes Debian default
sites, so the default site has been renamed to 000-default to avoid naming
confusions. The rename of the config files to *.conf makes the special
handling inside apache2 to ignore *.dpkg-* backup files obsolete. This
special handling has been removed.
Users of mod_authn_dbm should switch to htdbm to manage their DBM user
databases. The pure-perl management utility "dbmmanage" was removed as it was
outdated and orphaned upstream.
Packagers are advised to review whether their packages comply with this
new version. Please see [2] for detailed documentation and instructions.
[1] http://httpd.apache.org/docs/2.4/howto/auth.html
[2] </usr/share/doc/apache2/PACKAGING>
[3] </usr/share/doc/apache2/migrate-sites.pl>
-- Arno Töll <arno@debian.org> Fri, 23 July 2012 23:50:13 +0200
apache2 (2.2.15-4) unstable; urgency=low
* Note to people using mod_proxy as forward proxy, i.e. with
'ProxyRequests on':
This release disables the configuration in mods-available/proxy.conf
by default. You should verify that access control for proxy access
still works as intended. This is especially important if you have
your forward proxy configuration in a different configuration file
than proxy.conf.
-- Stefan Fritsch <sf@debian.org> Mon, 19 Apr 2010 22:36:57 +0200
apache2 (2.2.15-1) unstable; urgency=low
* To fix a security vulnerability in the design of the SSL/TLS protocol
(CVE-2009-3555), the protocol had to be extended (RFC 5746). By default,
session renegotiation is no longer supported with old clients that do not
implement this extension. This breaks certain configurations with client
certificate authentication. If you still need to support old clients, you
may restore the old (insecure) behaviour by uncommenting the
SSLInsecureRenegotiation on
line in /etc/apache2/mods-available/ssl.conf
* This release adds and enables mod_reqtimeout, which limits the time
Apache waits for a client to send a complete request. This helps to
mitigate against certain denial of service attacks. In case of problems
with slow clients, the timeout values can be adjusted in
/etc/apache2/mods-available/reqtimeout.conf , or the module can be
disabled with "a2dismod reqtimeout".
-- Stefan Fritsch <sf@debian.org> Sat, 28 Aug 2010 20:49:30 +0100
apache2 (2.2.14-6) unstable; urgency=low
* Apache now uses the environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR,
and APACHE_LOG_DIR in the default configuration. If you have modified
/etc/apache2/envvars, make sure that these variables are set and exported.
* There is now some support for running multiple instances of Apache on the
same machine. See the documentation in /usr/share/doc/apache2.2-common for
details.
-- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 13:56:59 +0100
apache2 (2.2.13-2) unstable; urgency=high
* The new support for TLS Server Name Indication added in 2.2.12 causes
Apache to be stricter about certain misconfigurations involving name
based SSL virtual hosts. This may result in Apache refusing to start
with the logged error message:
Server should be SSL-aware but has no certificate configured
[Hint: SSLCertificateFile]
Up to 2.2.11, Apache accepted configurations where the necessary SSL
configuration statements were included in the first (default)
<Virtualhost *:443> block but not in subsequent <Virtualhost *:443>
blocks. Starting with 2.2.12, every VirtualHost block used with SSL must
contain the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile
directives (SSLCertificateKeyFile is optional in some cases).
When you encounter the above problem, the output of the command
egrep -ir '^[^#]*(sslcertificate|sslengine|virtualhost)' \
/etc/apache2/*conf* /etc/apache2/*enabled
may be useful to determine which VirtualHost sections need to be changed.
Also, formerly accidentially working constructs like
<VirtualHost *:80 *:443>
where one virtual host definition is used for both a non-ssl and a ssl
virtual host do not work anymore. You can achieve a similar effect with
<VirtualHost *:80>
Include /.../vhost.include
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile ...
Include /.../vhost.include
</VirtualHost>
-- Stefan Fritsch <sf@debian.org> Wed, 16 Sep 2009 20:14:59 +0200
apache2 (2.2.9-3) unstable; urgency=low
* The directive "NameVirtualHost *" has been changed to "NameVirtualHost
*:80". It has also been moved from sites-available/default to ports.conf.
This allows to ship a proper SSL default virtual host config in
sites-available/default-ssl, but it means that if you use several name
based virtual hosts:
- you will have to change <VirtualHost *> to <VirtualHost *:80> in your
name based virtual hosts
- you need to add more NameVirtualHost directives if you use other ports
than 80 with name based virtual hosts. You may also have to add these
ports to the default virtual host in /etc/apache2/sites-available/default
(like this: "<VirtualHost *:80 *:81>").
If you prefer to revert to the old setup instead (and don't need the
default-ssl host), just change "NameVirtualHost *:80" back to
"NameVirtualHost *" in ports.conf and "<VirtualHost *:80>" to
"<VirtualHost *>" in sites-available/default.
* For mod_disk_cache, caching is again disabled in disk_cache.conf by
default. It usually makes more sense to enable this on a per-virtual host
basis.
-- Stefan Fritsch <sf@debian.org> Mon, 30 Jun 2008 19:47:52 +0200
apache2 (2.2.8-5) unstable; urgency=low
* The suexec helper program needed for mod_suexec is now shipped in a
separate package, apache2-suexec, which is not installed by default.
You need to install this package manually if you are using mod_suexec.
There is now also the apache2-suexec-custom package, which contains a
customizable version of suexec which can be used with different document
roots than /var/www.
-- Stefan Fritsch <sf@debian.org> Sun, 04 May 2008 20:24:00 +0200
apache2 (2.2.8-1) unstable; urgency=low
* The Apache User and Group and the PidFile path are now configured in
/etc/apache2/envvars, to make it easier to use them in scripts
(like the init and logrotate scripts, and apache2ctl).
If you have changed these settings from their default values, you need to
adjust /etc/apache2/envvars.
This also means that starting apache2 with "apache2 -k start" is no longer
possible, you have to use /etc/init.d/apache2 or apache2ctl.
-- Stefan Fritsch <sf@debian.org> Tue, 15 Jan 2008 21:41:23 +0100
apache2 (2.2.4-2) unstable; urgency=low
* This version introduces some changes in the configuration layout and
defaults. You will probably have to adjust your configuration accordingly.
- Module specific configuration has been moved from
/etc/apache2/apache2.conf to /etc/apache2/mods-available/*.conf for the
following modules:
actions alias autoindex
info mime negotiation
setenvif status
- AddDefaultCharset is again disabled by default. See
/etc/apache2/conf.d/charset
- "Listen 443" is automatically enabled in /etc/apache2/ports.conf if
mod_ssl is enabled.
* The NO_START functionality from /etc/default/apache2 has been removed. If
you don't want to start apache2 on boot, rename the S*apache2 start
symlinks as usual.
* To ensure that the disk cache does not grow indefinitely, htcacheclean is
now started when mod_disk_cache is enabled. The details can be configured
in /etc/default/apache2 .
-- Stefan Fritsch <sf@debian.org> Mon, 09 Jul 2007 21:50:58 +0200
|
