-rw-r--r--debian/apache2-utils.ufw.profile14
-rw-r--r--debian/apache2.dirs1
-rw-r--r--debian/apache2.install1
-rw-r--r--debian/apache2.postrm1
-rw-r--r--debian/changelog25
-rw-r--r--debian/control5
-rw-r--r--debian/index.html4
-rw-r--r--debian/patches/fhs_compliance.patch4
-rw-r--r--debian/tests/CVE-2023-25690110
-rw-r--r--debian/tests/control8
-rw-r--r--debian/tests/uwsgi145
11 files changed, 312 insertions, 6 deletions
diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile
new file mode 100644
index 0000000..974a655
--- /dev/null
+++ b/debian/apache2-utils.ufw.profile
@@ -0,0 +1,14 @@
+[Apache]
+title=Web Server
+description=Apache v2 is the next generation of the omnipresent Apache web server.
+ports=80/tcp
+
+[Apache Secure]
+title=Web Server (HTTPS)
+description=Apache v2 is the next generation of the omnipresent Apache web server.
+ports=443/tcp
+
+[Apache Full]
+title=Web Server (HTTP,HTTPS)
+description=Apache v2 is the next generation of the omnipresent Apache web server.
+ports=80,443/tcp
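Review bot: The install target for this profile looks inconsistent across the three hunks that add it: debian/apache2.install copies it into /etc/ufw/applications.d/ under its source name `apache2-utils.ufw.profile`, while debian/apache2.dirs creates an empty directory `/etc/ufw/applications.d/apache2` beside it. As far as I know ufw reads the regular files in that directory, so the directory entry serves no purpose and the `.ufw.profile` suffix is probably not the intended installed name; either install the file as `/etc/ufw/applications.d/apache2` (an explicit install rule, since a plain `.install` line cannot rename) or, if the build may depend on ufw, use its `dh_ufw` helper which handles the `debian/<pkg>.ufw.profile` convention, and drop the dirs entry. The dirs line also starts with `/`, unlike every other entry in that file. The three identical `description=` lines could be replaced by the package's short description.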
diff --git a/debian/apache2.dirs b/debian/apache2.dirs
index 6089013..1aa6d3c 100644
--- a/debian/apache2.dirs
+++ b/debian/apache2.dirs
@@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk
var/lib/apache2
var/log/apache2
var/www/html
+/etc/ufw/applications.d/apache2
diff --git a/debian/apache2.install b/debian/apache2.install
index b6ad789..92865fc 100644
--- a/debian/apache2.install
+++ b/debian/apache2.install
@@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2
debian/config-dir/envvars /etc/apache2
debian/config-dir/magic /etc/apache2
debian/debhelper/apache2-maintscript-helper /usr/share/apache2/
+debian/apache2-utils.ufw.profile /etc/ufw/applications.d/
diff --git a/debian/apache2.postrm b/debian/apache2.postrm
index a68583c..21d748e 100644
--- a/debian/apache2.postrm
+++ b/debian/apache2.postrm
@@ -33,6 +33,7 @@ is_default_index_html () {
776221a94e5a174dc2396c0f3f6b6a74
c481228d439cbb54bdcedbaec5bbb11a
e2620d4a5a0f8d80dd4b16de59af981f
+ 58d03fa9125ca62b1019ce77c8accaa6
EOF
}
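Review bot: The added checksum line carries a leading space (`+ 58d0…`) while the three existing checksums in the same here-document start at column 0; if is_default_index_html matches the here-document lines exactly (for example with `grep -x` or a string comparison), the new entry will never match and the 2.4.60 default index.html would be treated as user-modified on purge. Drop the leading space so the line reads `58d03fa9125ca62b1019ce77c8accaa6`, aligned with the others. The function starts before this hunk, so I cannot see how the list is consumed.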
diff --git a/debian/changelog b/debian/changelog
index 8ab6c02..55afdf0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+apache2 (2.4.60-1) unstable; urgency=medium
+
+ [ Bastien Roucariès ]
+ * Forward port CVE-2023-25690 uwsgi tests
+ * Fix depends of uwsgi test
+ * Use python3 uwsgi plugin
+ * Encode bytes for uwsgi test
+
+ [ Bryce Harrington ]
+ * Add UFW profile integration (Closes: #1071705)
+
+ [Chris Murray]
+ * Use https instead of http in doc (LP: #2045055)
+
+ [ Yadd ]
+ * Bump liblua from liblua5.3-dev to liblua5.4-dev (Closes: #1071701)
+ * Update test framework
+ * releasing package apache2 version 2.4.59-1~deb12u1
+ * New upstream version (CLoses: CVE-2024-36387, CVE-2024-38472,
+ CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476,
+ CVE-2024-38477, CVE-2024-39573)
+ * Unfuzz patches
+
+ -- Yadd <yadd@debian.org> Mon, 01 Jul 2024 18:04:08 +0400
+
apache2 (2.4.59-2) unstable; urgency=medium
* Breaks against fossil due to CVE-2024-24795 follows up
diff --git a/debian/control b/debian/control
index a5d33f2..021653c 100644
--- a/debian/control
+++ b/debian/control
@@ -14,7 +14,7 @@ Build-Depends: debhelper-compat (= 13),
libapr1-dev,
libaprutil1-dev,
libbrotli-dev,
- liblua5.3-dev,
+ liblua5.4-dev,
libnghttp2-dev,
libpcre2-dev,
libssl-dev,
@@ -43,7 +43,8 @@ Depends: apache2-bin (= ${binary:Version}),
Recommends: ssl-cert
Suggests: apache2-doc,
apache2-suexec-pristine | apache2-suexec-custom,
- www-browser
+ www-browser,
+ ufw
Pre-Depends: ${misc:Pre-Depends}
Provides: httpd,
httpd-cgi
diff --git a/debian/index.html b/debian/index.html
index 766401d..d1415e2 100644
--- a/debian/index.html
+++ b/debian/index.html
@@ -326,7 +326,7 @@
<p>
By default, Debian does not allow access through the web browser to
<em>any</em> file apart of those located in <tt>/var/www</tt>,
- <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
+ <a href="https://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
directories (when enabled) and <tt>/usr/share</tt> (for web
applications). If your site is using a web document root
located elsewhere (such as in <tt>/srv</tt>) you may need to whitelist your
@@ -347,7 +347,7 @@
<p>
Please use the <tt>reportbug</tt> tool to report bugs in the
Apache2 package with Debian. However, check <a
- href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"
+ href="https://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"
rel="nofollow">existing bug reports</a> before reporting a new bug.
</p>
<p>
diff --git a/debian/patches/fhs_compliance.patch b/debian/patches/fhs_compliance.patch
index 986d8bc..50755a8 100644
--- a/debian/patches/fhs_compliance.patch
+++ b/debian/patches/fhs_compliance.patch
@@ -6,7 +6,7 @@ Last-Update: 2023-10-19
--- a/configure
+++ b/configure
-@@ -42812,13 +42812,13 @@
+@@ -42844,13 +42844,13 @@
ap_prefix="${ap_cur}"
@@ -25,7 +25,7 @@ Last-Update: 2023-10-19
perlbin=`$ac_aux_dir/PrintPath perl`
--- a/configure.in
+++ b/configure.in
-@@ -928,11 +928,11 @@
+@@ -934,11 +934,11 @@
echo $MODLIST | $AWK -f $srcdir/build/build-modules-c.awk > modules.c
APR_EXPAND_VAR(ap_prefix, $prefix)
diff --git a/debian/tests/CVE-2023-25690 b/debian/tests/CVE-2023-25690
new file mode 100644
index 0000000..2aa916f
--- /dev/null
+++ b/debian/tests/CVE-2023-25690
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+# test CVE-2023-25690
+set -eux
+
+RC=0
+fail () {
+ echo "FAIL: $@" >&2
+ RC=1
+}
+
+
+function exit_handler()
+{
+ # fix cp: cannot access '/tmp/autopkgtest-lxc.x06nhp9r/downtmp/CVE-2023-25690-artifacts/apache2': Permission denied
+ chmod -R a+rwX "$AUTOPKGTEST_ARTIFACTS/apache2" || true
+ systemctl status apache2.service || true
+ systemctl stop apache2 || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/error.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/access.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/error.8080.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log || true
+}
+trap exit_handler EXIT
+
+
+a2enmod proxy
+a2enmod proxy_http
+a2enmod rewrite
+
+rsync -a /var/log/apache2 "$AUTOPKGTEST_ARTIFACTS"
+rm /var/log/apache2/*
+mount -o bind "$AUTOPKGTEST_ARTIFACTS/apache2" /var/log/apache2
+
+tee /etc/apache2/ports.conf <<'EOF'
+Listen 80
+Listen 8080
+EOF
+
+
+tee /etc/apache2/sites-available/000-default.conf <<'EOF'
+<VirtualHost *:8080>
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.8080.log
+ CustomLog ${APACHE_LOG_DIR}/access.8080.log combined
+
+ # For most configuration files from conf-available/, which are
+ # enabled or disabled at a global level, it is possible to
+ # include a line for only one particular virtual host. For example the
+ # following line enables the CGI configuration for this host only
+ # after it has been globally disabled with "a2disconf".
+ #Include conf-available/serve-cgi-bin.conf
+</VirtualHost>
+<VirtualHost *:80>
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+ LogLevel alert rewrite:trace6
+ LogLevel error proxy:trace6
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ RewriteEngine on
+ RewriteRule "^/here/(.*)" "http://localhost:8080/index.html?$1" [P]
+ ProxyPassReverse "/here/" "http://localhost:8080/"
+</VirtualHost>
+EOF
+
+systemctl restart apache2
+
+CHOKEURL="http://localhost/here/index.html%20HTTP/1.1%0d%0aHost:%20localhost%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/BAD.html%20HTTP/1.1%0d%0aFoo:%20bar HTTP/1.1"
+wget -S -q --output-document - "$CHOKEURL" || true
+(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true)
+(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true) | grep -e '^[[:space:]]*HTTP/1.1 4[[:digit:]][[:digit:]] '
+
+cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log | grep '] "GET /BAD.html HTTP/1.1"' && exit 1
+
+exit 0
+
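Review bot: `fail` and `RC` (L173-L177) are defined but never used, and the script ends with an unconditional `exit 0`, so the only checks are the ones `set -e` enforces on the `grep` at L272 and the `&& exit 1` at L274; the sibling debian/tests/uwsgi added in this commit ends with `exit $RC`, and this script should match it or drop the dead helper. L274 reads the log through an unquoted `cat … |` pipe; `grep -q -- '] "GET /BAD.html HTTP/1.1"' "$AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log" && fail "smuggled request reached the backend"` keeps the same check, quotes the path and reports through the helper (with `exit $RC` at the end). The bind mount created at L200 is never undone in exit_handler; a `umount /var/log/apache2 || true` after the `systemctl stop` line would leave the testbed closer to its original state, since the handler already reads the logs from the artifacts directory rather than the mount point.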
diff --git a/debian/tests/control b/debian/tests/control
index 2453137..1298110 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -27,3 +27,11 @@ Tests: chroot
Features: no-build-needed
Restrictions: needs-root allow-stderr breaks-testbed
Depends: apache2, wget, dpkg-dev, gcc
+
+Tests: uwsgi
+Restrictions: allow-stderr, needs-root
+Depends: apache2, uwsgi, wget, uwsgi-plugin-python3, rsync, netcat-openbsd | netcat-traditional
+
+Tests: CVE-2023-25690
+Restrictions: allow-stderr, needs-root, isolation-container
+Depends: apache2, rsync, curl, wget
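Review bot: `curl` in the CVE-2023-25690 Depends line is not used by the test script added in this commit (it only calls wget, rsync and systemctl), and the uwsgi Depends lists netcat alternatives that the uwsgi script never invokes; dropping unused Depends keeps the testbed minimal. The uwsgi test adds users with `useradd`, installs systemd units and rewrites the apache2 site configuration, and the CVE test bind-mounts /var/log/apache2 and rewrites ports.conf, yet neither stanza declares `breaks-testbed` as the existing chroot test above does; unless the testbed is expected to be reset anyway, `Restrictions: allow-stderr, needs-root, breaks-testbed` seems warranted. The new stanzas separate restrictions with commas whereas the existing one uses spaces; both forms are accepted as far as I know, but matching the existing style would be tidier.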
diff --git a/debian/tests/uwsgi b/debian/tests/uwsgi
new file mode 100644
index 0000000..3350144
--- /dev/null
+++ b/debian/tests/uwsgi
@@ -0,0 +1,145 @@
+#!/bin/bash
+set -eux
+
+RC=0
+fail () {
+ echo "FAIL: $@" >&2
+ RC=1
+}
+
+
+function exit_handler()
+{
+ systemctl stop apache2 || true
+ if test -f /run/uwsgi/uwsgi.pid; then
+ kill -TERM $(cat /run/uwsgi/uwsgi.pid)
+ fi
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/error.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/access.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/uwsgi.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/uwsgi.error.log || true
+}
+trap exit_handler EXIT
+
+
+a2enmod proxy
+a2enmod proxy_uwsgi
+
+rsync -a /var/log/apache2 "$AUTOPKGTEST_ARTIFACTS"
+rm /var/log/apache2/*
+mount -o bind "$AUTOPKGTEST_ARTIFACTS/apache2" /var/log/apache2
+
+tee /etc/apache2/sites-available/000-default.conf <<'EOF'
+<VirtualHost *:80>
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ # For most configuration files from conf-available/, which are
+ # enabled or disabled at a global level, it is possible to
+ # include a line for only one particular virtual host. For example the
+ # following line enables the CGI configuration for this host only
+ # after it has been globally disabled with "a2disconf".
+ #Include conf-available/serve-cgi-bin.conf
+ ProxyPass "/uwsgi" "unix:/run/uwsgi/test.socket|uwsgi://localhost"
+</VirtualHost>
+EOF
+
+systemctl restart apache2
+
+test -d /etc/uwsgi/ || mkdir /etc/uwsgi
+
+
+
+tee /etc/systemd/system/uwsgi-app@.socket <<EOF
+[Unit]
+Description=Socket for uWSGI app %i
+
+[Socket]
+ListenStream=/run/uwsgi/%i.socket
+SocketUser=www-%i
+SocketGroup=www-data
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target
+EOF
+
+tee /etc/systemd/system/uwsgi-app@.service <<EOF
+[Unit]
+Description=%i uWSGI app
+After=syslog.target
+
+[Service]
+ExecStart=/usr/bin/uwsgi \
+ --ini /etc/uwsgi/apps-available/%i.ini \
+ --socket /run/uwsgi/%i.socket
+User=www-%i
+Group=www-data
+Restart=on-failure
+KillSignal=SIGQUIT
+Type=notify
+StandardError=file:/var/log/apache2/uwsgi.error.log
+StandardOutput=file:/var/log/apache2/uwsgi.log
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+
+useradd uwsgi_test
+useradd www-test
+
+tee /etc/uwsgi/apps-available/test.ini <<EOF
+[uwsgi]
+chdir=/tmp
+master=True
+cheap=True
+die-on-idle=True
+manage-script-name=True
+plugin=python3
+wsgi-file=/tmp/uwsgi.py
+EOF
+
+
+tee /tmp/uwsgi.py <<'EOF'
+import wsgiref.headers as h
+def application(env, start_response):
+ buggy_header=('buggy','buggy#\r\nbuggy2:buggy2')
+ start_response('200 OK', [('Content-Type','text/html'),buggy_header])
+ ret = "Hello World Headers {}".format(env).encode()
+ return [ret]
+EOF
+chown 'www-test:www-test' /tmp/uwsgi.py
+chmod +x /tmp/uwsgi.py
+
+systemctl enable uwsgi-app@test.socket
+systemctl enable uwsgi-app@test.service
+systemctl start uwsgi-app@test.socket
+systemctl restart apache2
+
+
+wget -S -q --output-document - http://localhost/uwsgi
+wget -q --output-document - http://localhost/uwsgi | grep "^Hello World"
+
+exit $RC
+-