diff options
Diffstat (limited to 'debian/apache2.NEWS')
-rw-r--r-- | debian/apache2.NEWS | 246 |
1 files changed, 246 insertions, 0 deletions
diff --git a/debian/apache2.NEWS b/debian/apache2.NEWS new file mode 100644 index 0000000..6b28c83 --- /dev/null +++ b/debian/apache2.NEWS @@ -0,0 +1,246 @@ +apache2 (2.4.10-2) unstable; urgency=low + + The default period for which rotated log files are kept has been + reduced from one year to 14 days. + + -- Stefan Fritsch <sf@debian.org> Tue, 23 Sep 2014 22:25:06 +0200 + +apache2 (2.4.1-1) unstable; urgency=low + + This package introduces a new major release of the Apache HTTP server. It is + likely the site configuration needs changes to work with this release. + Notable changes which need special care are: + + The module interface (ABI) has changed. If you have any locally compiled + modules, you have to re-compile them for apache2 2.4. + + The authorization and authentication system has changed. Existing + configurations using deprecated Order/Allow/Deny directives need to be + upgraded to the new system. Please review upstream's "Authentication, + Authorization and Access Control Howto" [1]. There is a new module + "mod_access_compat", which is supposed to provide backward compatibility, + but it does not work well in practice. + + Furthermore, MPMs are simple modules now. Thus, the MPM can be changed + at any time by (un-)loading a specific module. Be careful when upgrading. An + example of changing the MPM is given below: + + a2dismod mpm_worker + a2enmod mpm_prefork + + MPM ITK users should be advised, that ITK is not a MPM anymore. Instead, it + is a simple Apache module, expanding functionality of the prefork MPM. Thus, + users should switch to the prefork MPM and enable ITK as a module. The + upgrade scripts ensure this for the upgrade from Debian Wheezy. + + We did change the security model for Apache in our default configuration. We + do not allow access to the file system outside /var/www and /usr/share. + If you are running virtual hosts or scripts outside these directories, you + need to whitelist them in your configuration to grant access through HTTP. + Special care must be taken if you are using a sub-directory in /srv to serve + your content as recommended by the File Hierarchy Standard (FHS). You must + allow access to your served directory explicity in the corresponding virtual + host, or by allowing access in apache2.conf as proposed. + + Along the security model, we did also change the default Document Root, files + are served from. Previous releases served /var/www by default when no other + virtual host matched the request. Starting with this release, we changed the + default document root to /var/www/html, so that sensitive files from other + virtual hosts wich are typically put into some directory below /var/www are + not exposed by the default virtual host. This change further improves the out + of box security. + + Moreover, the configuration mechanism in Debian has changed. All + configurations in sites-enabled and conf-enabled need a ".conf" suffix now. + The latter replaces the deprecated /etc/apache2/conf.d/ directory (which is + not supported any more) and works just like {sites,mods}-{available,enabled} + via the "a2enconf" tool. The upgrade tries to migrate known configuration + files from /etc/apache2/conf.d/ to /etc/apache2/conf-available/ - please + review these changes. + + Note this means all existing sites are ignored until they get a ".conf" + suffix and are re-enabled by the use of a2ensite. The script in [3] can + automate that for simple cases. This change also includes Debian default + sites, so the default site has been renamed to 000-default to avoid naming + confusions. The rename of the config files to *.conf makes the special + handling inside apache2 to ignore *.dpkg-* backup files obsolete. This + special handling has been removed. + + Users of mod_authn_dbm should switch to htdbm to manage their DBM user + databases. The pure-perl management utility "dbmmanage" was removed as it was + outdated and orphaned upstream. + + Packagers are advised to review whether their packages comply with this + new version. Please see [2] for detailed documentation and instructions. + + [1] http://httpd.apache.org/docs/2.4/howto/auth.html + [2] </usr/share/doc/apache2/PACKAGING> + [3] </usr/share/doc/apache2/migrate-sites.pl> + + -- Arno Töll <arno@debian.org> Fri, 23 July 2012 23:50:13 +0200 + +apache2 (2.2.15-4) unstable; urgency=low + + * Note to people using mod_proxy as forward proxy, i.e. with + 'ProxyRequests on': + This release disables the configuration in mods-available/proxy.conf + by default. You should verify that access control for proxy access + still works as intended. This is especially important if you have + your forward proxy configuration in a different configuration file + than proxy.conf. + + -- Stefan Fritsch <sf@debian.org> Mon, 19 Apr 2010 22:36:57 +0200 + +apache2 (2.2.15-1) unstable; urgency=low + + * To fix a security vulnerability in the design of the SSL/TLS protocol + (CVE-2009-3555), the protocol had to be extended (RFC 5746). By default, + session renegotiation is no longer supported with old clients that do not + implement this extension. This breaks certain configurations with client + certificate authentication. If you still need to support old clients, you + may restore the old (insecure) behaviour by uncommenting the + + SSLInsecureRenegotiation on + + line in /etc/apache2/mods-available/ssl.conf + + * This release adds and enables mod_reqtimeout, which limits the time + Apache waits for a client to send a complete request. This helps to + mitigate against certain denial of service attacks. In case of problems + with slow clients, the timeout values can be adjusted in + /etc/apache2/mods-available/reqtimeout.conf , or the module can be + disabled with "a2dismod reqtimeout". + + -- Stefan Fritsch <sf@debian.org> Sat, 28 Aug 2010 20:49:30 +0100 + +apache2 (2.2.14-6) unstable; urgency=low + + * Apache now uses the environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR, + and APACHE_LOG_DIR in the default configuration. If you have modified + /etc/apache2/envvars, make sure that these variables are set and exported. + * There is now some support for running multiple instances of Apache on the + same machine. See the documentation in /usr/share/doc/apache2.2-common for + details. + + -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 13:56:59 +0100 + +apache2 (2.2.13-2) unstable; urgency=high + + * The new support for TLS Server Name Indication added in 2.2.12 causes + Apache to be stricter about certain misconfigurations involving name + based SSL virtual hosts. This may result in Apache refusing to start + with the logged error message: + + Server should be SSL-aware but has no certificate configured + [Hint: SSLCertificateFile] + + Up to 2.2.11, Apache accepted configurations where the necessary SSL + configuration statements were included in the first (default) + <Virtualhost *:443> block but not in subsequent <Virtualhost *:443> + blocks. Starting with 2.2.12, every VirtualHost block used with SSL must + contain the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile + directives (SSLCertificateKeyFile is optional in some cases). + + When you encounter the above problem, the output of the command + + egrep -ir '^[^#]*(sslcertificate|sslengine|virtualhost)' \ + /etc/apache2/*conf* /etc/apache2/*enabled + + may be useful to determine which VirtualHost sections need to be changed. + + Also, formerly accidentially working constructs like + + <VirtualHost *:80 *:443> + + where one virtual host definition is used for both a non-ssl and a ssl + virtual host do not work anymore. You can achieve a similar effect with + + <VirtualHost *:80> + Include /.../vhost.include + </VirtualHost> + <VirtualHost *:443> + SSLEngine on + SSLCertificateFile ... + Include /.../vhost.include + </VirtualHost> + + -- Stefan Fritsch <sf@debian.org> Wed, 16 Sep 2009 20:14:59 +0200 + +apache2 (2.2.9-3) unstable; urgency=low + + * The directive "NameVirtualHost *" has been changed to "NameVirtualHost + *:80". It has also been moved from sites-available/default to ports.conf. + This allows to ship a proper SSL default virtual host config in + sites-available/default-ssl, but it means that if you use several name + based virtual hosts: + + - you will have to change <VirtualHost *> to <VirtualHost *:80> in your + name based virtual hosts + + - you need to add more NameVirtualHost directives if you use other ports + than 80 with name based virtual hosts. You may also have to add these + ports to the default virtual host in /etc/apache2/sites-available/default + (like this: "<VirtualHost *:80 *:81>"). + + If you prefer to revert to the old setup instead (and don't need the + default-ssl host), just change "NameVirtualHost *:80" back to + "NameVirtualHost *" in ports.conf and "<VirtualHost *:80>" to + "<VirtualHost *>" in sites-available/default. + + * For mod_disk_cache, caching is again disabled in disk_cache.conf by + default. It usually makes more sense to enable this on a per-virtual host + basis. + + -- Stefan Fritsch <sf@debian.org> Mon, 30 Jun 2008 19:47:52 +0200 + +apache2 (2.2.8-5) unstable; urgency=low + + * The suexec helper program needed for mod_suexec is now shipped in a + separate package, apache2-suexec, which is not installed by default. + You need to install this package manually if you are using mod_suexec. + + There is now also the apache2-suexec-custom package, which contains a + customizable version of suexec which can be used with different document + roots than /var/www. + + -- Stefan Fritsch <sf@debian.org> Sun, 04 May 2008 20:24:00 +0200 + +apache2 (2.2.8-1) unstable; urgency=low + + * The Apache User and Group and the PidFile path are now configured in + /etc/apache2/envvars, to make it easier to use them in scripts + (like the init and logrotate scripts, and apache2ctl). + If you have changed these settings from their default values, you need to + adjust /etc/apache2/envvars. + This also means that starting apache2 with "apache2 -k start" is no longer + possible, you have to use /etc/init.d/apache2 or apache2ctl. + + -- Stefan Fritsch <sf@debian.org> Tue, 15 Jan 2008 21:41:23 +0100 + +apache2 (2.2.4-2) unstable; urgency=low + + * This version introduces some changes in the configuration layout and + defaults. You will probably have to adjust your configuration accordingly. + + - Module specific configuration has been moved from + /etc/apache2/apache2.conf to /etc/apache2/mods-available/*.conf for the + following modules: + actions alias autoindex + info mime negotiation + setenvif status + + - AddDefaultCharset is again disabled by default. See + /etc/apache2/conf.d/charset + + - "Listen 443" is automatically enabled in /etc/apache2/ports.conf if + mod_ssl is enabled. + + * The NO_START functionality from /etc/default/apache2 has been removed. If + you don't want to start apache2 on boot, rename the S*apache2 start + symlinks as usual. + + * To ensure that the disk cache does not grow indefinitely, htcacheclean is + now started when mod_disk_cache is enabled. The details can be configured + in /etc/default/apache2 . + + -- Stefan Fritsch <sf@debian.org> Mon, 09 Jul 2007 21:50:58 +0200 |