diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:01:31 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:01:31 +0000 |
commit | c9cf025fadfe043f0f2f679e10d1207d8a158bb6 (patch) | |
tree | 3a94effe0bdc0a6814d8134f4ed840d7cc6b6f19 /debian/changelog | |
parent | Adding upstream version 2.4.57. (diff) | |
download | apache2-c9cf025fadfe043f0f2f679e10d1207d8a158bb6.tar.xz apache2-c9cf025fadfe043f0f2f679e10d1207d8a158bb6.zip |
Adding debian version 2.4.57-2.debian/2.4.57-2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/changelog')
-rw-r--r-- | debian/changelog | 4664 |
1 files changed, 4664 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..a660286 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,4664 @@ +apache2 (2.4.57-2) unstable; urgency=medium + + * Revert debian/* changes (Bookworm freeze) + + -- Yadd <yadd@debian.org> Thu, 13 Apr 2023 07:26:51 +0400 + +apache2 (2.4.57-1) unstable; urgency=medium + + * New upstream version 2.4.57 + * Drop 2.4.56-regression patches + + -- Yadd <yadd@debian.org> Sat, 08 Apr 2023 06:57:16 +0400 + +apache2 (2.4.56-2) unstable; urgency=medium + + * Fix regression in mod_rewrite introduced in version 2.4.56 + (Closes: #1033284) + * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) + + -- Yadd <yadd@debian.org> Sun, 02 Apr 2023 06:54:25 +0400 + +apache2 (2.4.56-1) unstable; urgency=medium + + * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) + + -- Yadd <yadd@debian.org> Wed, 08 Mar 2023 06:44:05 +0400 + +apache2 (2.4.55-1) unstable; urgency=medium + + [ Hendrik Jäger ] + * disable ssl session tickets + * redundant example as already enabled in the default config + * logrotate indentation + * Update example how to prevent access to VCS directories + + [ lintian-brush ] + * Update lintian override info to new format: + + debian/source/lintian-overrides: line 2, 4-5, 8 + + debian/apache2-data.lintian-overrides: line 2-5 + + debian/apache2-bin.lintian-overrides: line 3 + + debian/apache2-doc.lintian-overrides: line 2 + + debian/apache2.lintian-overrides: line 6 + * Set upstream metadata fields: Repository-Browse. + * Update standards version to 4.6.2, no changes needed. + + [ Yadd ] + * New upstream version (Closes: CVE-2006-20001, CVE-2022-36760, + CVE-2022-37436) + + -- Yadd <yadd@debian.org> Wed, 18 Jan 2023 07:41:55 +0400 + +apache2 (2.4.54-5) unstable; urgency=medium + + [ Hendrik Jäger ] + * fix: one oom-killed thread should not take down the whole service + * fix: remove modelines + * fix: update clickjacking protection example + * fix: use tab for indentation, even in commented examples + + [ Yadd ] + * Revert "Fix: confusing and impractical naming" (unbreak squid and haproxy + tests) + + -- Yadd <yadd@debian.org> Tue, 29 Nov 2022 15:56:10 +0100 + +apache2 (2.4.54-4) unstable; urgency=medium + + [ Charles Plessy ] + * Replace mime-support transition package with media-types (Closes: #980275) + + [ Hendrik Jäger ] + * fix mislead safety precautions: don't hide errors when enabling a module. + MR !20 + * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22 + * Fix confusing and impractical naming: rename default-ssl.conf into + 000-default-ssl.conf. MR !23 + * Fix confusing keyword: replace _default_ by *. MR !24 + + -- Yadd <yadd@debian.org> Thu, 24 Nov 2022 10:45:00 +0100 + +apache2 (2.4.54-3) unstable; urgency=medium + + [ Hendrik Jäger ] + * Do not enable global alias /manual + * mention not enabling /manual for the docs in the NEWS + + -- Yadd <yadd@debian.org> Wed, 12 Oct 2022 09:20:52 +0200 + +apache2 (2.4.54-2) unstable; urgency=medium + + * Move cgid socket into a writeable directory (Closes: #1014056) + * Update lintian overrides + * Declare compliance with policy 4.6.1 + * Install NOTICE in each package + + -- Yadd <yadd@debian.org> Tue, 05 Jul 2022 15:49:58 +0200 + +apache2 (2.4.54-1) unstable; urgency=medium + + [ Simon Deziel ] + * Escape literal "." for BrowserMatch directives in setenvif.conf + * Use non-capturing regex with FilesMatch directive in default-ssl.conf + + [ Ondřej Surý ] + * New upstream version 2.4.54 (Closes: #1012513, CVE-2022-31813, + CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, + CVE-2022-30522, CVE-2022-30556, CVE-2022-28330) + + [ Yadd ] + * Fix htcacheclean doc (Closes: #1010455) + * New upstream version 2.4.54 + + -- Yadd <yadd@debian.org> Thu, 09 Jun 2022 06:33:53 +0200 + +apache2 (2.4.53-2) unstable; urgency=medium + + * Clean useless Conflicts/Replace + * apache2-dev: add missing dependency on libpcre2-dev (Closes: #1007254) + + -- Yadd <yadd@debian.org> Tue, 15 Mar 2022 15:27:39 +0100 + +apache2 (2.4.53-1) unstable; urgency=medium + + * New upstream version 2.4.53 (Closes: CVE-2022-22719, + CVE-2022-22720, CVE-2022-22721, CVE-2022-23943) + * Update copyright + * Patches: + + Drop fix-2.4.52-regression.patch, now included in upstream + + Refresh fhs_compliance.patch + + Update and disable child_processes_fail_to_start.patch + * Update test framework + * Back to unstable + + -- Yadd <yadd@debian.org> Mon, 14 Mar 2022 17:10:39 +0100 + +apache2 (2.4.52-3) experimental; urgency=medium + + * Fix autopkgtest with libpcre2 (autopkgtest still fails due to an SSL + error) + * Set hardening=+all instead of hardening=+bindnow + + -- Yadd <yadd@debian.org> Tue, 28 Dec 2021 21:20:05 +0100 + +apache2 (2.4.52-2) experimental; urgency=medium + + * Build with pcre2 (Closes: #1000114) + + -- Yadd <yadd@debian.org> Tue, 28 Dec 2021 20:01:43 +0100 + +apache2 (2.4.52-1) unstable; urgency=medium + + * Refresh suexec-custom.patch + * Update lintian overrides + * Wrap long lines in changelog entries: 2.4.51-2. + * New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790) + * Refresh patches + + -- Yadd <yadd@debian.org> Mon, 20 Dec 2021 18:42:09 +0100 + +apache2 (2.4.51-2) unstable; urgency=medium + + * Add patch to have new macro_ignore_empty and macro_ignore_bad_nesting + parameters + + -- Yadd <yadd@debian.org> Mon, 25 Oct 2021 18:37:03 +0200 + +apache2 (2.4.51-1) unstable; urgency=medium + + * New upstream version 2.4.51 (Closes: CVE-2021-41773, CVE-2021-42013) + * Fix apache2ctl (see https://github.com/oerdnj/deb.sury.org/issues/1659) + + -- Yadd <yadd@debian.org> Thu, 07 Oct 2021 20:35:33 +0200 + +apache2 (2.4.50-1) unstable; urgency=high + + * New upstream version 2.4.50 (Closes: CVE-2021-41773, CVE-2021-41524) + * Remove patches already merged upstream + + -- Ondřej Surý <ondrej@debian.org> Tue, 05 Oct 2021 13:25:23 +0200 + +apache2 (2.4.49-4) unstable; urgency=medium + + [ Ondřej Surý ] + * Add upstream patch to fix crash in 2.4.49 + + -- Yadd <yadd@debian.org> Fri, 01 Oct 2021 11:34:24 +0200 + +apache2 (2.4.49-3) unstable; urgency=medium + + [ Yadd ] + * Re-export upstream signing key without extra signatures. + * Drop transition for old debug package migration. + + [ Moritz Muehlenhoff ] + * Fix CVE-2021-40438 regression + + -- Yadd <yadd@debian.org> Thu, 30 Sep 2021 06:00:06 +0200 + +apache2 (2.4.49-2) unstable; urgency=medium + + [ Michiel Hazelhof ] + * Fix multi instance issue (Closes: #868861) + + [ Philippe Ombredanne ] + * Fix GPL version typo in copyright file + + -- Yadd <yadd@debian.org> Thu, 23 Sep 2021 13:55:55 +0200 + +apache2 (2.4.49-1) unstable; urgency=medium + + * Update upstream GPG keys + * New upstream version 2.4.51. Closes: CVE-2021-33193, CVE-2021-34798, + CVE-2021-36160, CVE-2021-39275, CVE-2021-40438, CVE-2021-41524, + CVE-2021-41773, CVE-2021-42013) + * Refresh patches + + -- Yadd <yadd@debian.org> Thu, 16 Sep 2021 06:22:23 +0200 + +apache2 (2.4.48-4) unstable; urgency=medium + + * Fix mod_proxy HTTP2 request line injection (Closes: CVE-2021-33193) + + -- Yadd <yadd@debian.org> Thu, 12 Aug 2021 11:37:43 +0200 + +apache2 (2.4.48-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * Direct init script reload output from logrotate to syslog, to + avoid mail-spamming the local admin (Closes: #990580) + + -- Thorsten Glaser <tg@mirbsd.de> Sat, 10 Jul 2021 23:31:28 +0200 + +apache2 (2.4.48-3) unstable; urgency=medium + + * Fix debian/changelog + + -- Yadd <yadd@debian.org> Sun, 20 Jun 2021 16:39:33 +0200 + +apache2 (2.4.48-2) unstable; urgency=medium + + * Back to unstable: Apache2 will follow upstream changes for Bullseye + + [ Christian Ehrhardt ] + * d/t/control, d/t/check-http2: basic test for http2 (Closes: #884068) + + -- Yadd <yadd@debian.org> Sat, 19 Jun 2021 17:50:29 +0200 + +apache2 (2.4.48-1) experimental; urgency=medium + + [ Daniel Lewart ] + * Update apache2.logrotate (Closes: #979813) + + [ Andreas Hasenack ] + * Avoid test suite failure (Closes: #985012) + + [ Yadd ] + * Update lintian overrides + * Re-export upstream signing key without extra signatures. + + [ Ondřej Surý ] + * New upstream version 2.4.48 (Closes: CVE-2019-17567, CVE-2020-13938, + CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691, + CVE-2021-30641, CVE-2021-31618) + + -- Ondřej Surý <ondrej@debian.org> Tue, 08 Jun 2021 08:29:35 +0200 + +apache2 (2.4.47-1) experimental; urgency=medium + + * Update upstream keys file + * New upstream version 2.4.47 + * Refresh patches + + -- Yadd <yadd@debian.org> Thu, 29 Apr 2021 08:03:33 +0200 + +apache2 (2.4.46-6) unstable; urgency=medium + + * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452, + CVE-2021-26690, CVE-2021-26691, CVE-2021-30641) + + -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 13:40:11 +0200 + +apache2 (2.4.46-5) unstable; urgency=medium + + * Fix "NULL pointer dereference on specially crafted HTTP/2 request" + (Closes: #989562, CVE-2021-31618) + + -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200 + +apache2 (2.4.46-4) unstable; urgency=medium + + * Ignore other random another test failures (Closes: #979664) + + -- Xavier Guimard <yadd@debian.org> Mon, 11 Jan 2021 11:58:23 +0100 + +apache2 (2.4.46-3) unstable; urgency=medium + + * Remove postinst/preinst hooks concerning old versions + * Clean include-binaries + * Enable verbose test output during autopkgtest + * Declare compliance with policy 4.5.1 + * Add debian/gbp.conf + * Disable temporary 3 subtests (Closes: #979664) + + -- Xavier Guimard <yadd@debian.org> Sun, 10 Jan 2021 22:43:21 +0100 + +apache2 (2.4.46-2) unstable; urgency=medium + + [ Jean-Michel Vourgère ] + * Man: Add missing options and see also in a2en*(8) + + [ Xavier Guimard ] + * Bump debhelper compatibility level to 13 + + Set debhelper-compat version in Build-Depends. + * Use dh_installsystemd rather than deprecated dh_systemd_enable + * Add extension .da for danish language in mime.conf (Closes: #972398) + * Automatically deflate application/wasm files (Closes: #972400) + * Use "graceful-stop" in systemd ExecStop (Closes: #974665) + * Re-export upstream signing key without extra signatures. + * Ignore lintian's national-encoding tag in test framework + * Add ${misc:Pre-Depends} in apache2 package + * Update lintian overrides + * Refresh patches + * Fix little spelling errors + + -- Xavier Guimard <yadd@debian.org> Fri, 13 Nov 2020 16:59:01 +0100 + +apache2 (2.4.46-1) unstable; urgency=medium + + [ Xavier Guimard ] + * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md + + [ Timo Tijhof ] + * Compress text/javascript with mod_deflate by default (Closes: #959195) + + [ Xavier Guimard ] + * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md + * Update upstream keys + * New upstream version 2.4.46 (Closes: CVE-2020-11984, CVE-2020-11993, + CVE-2020-9490) + + -- Xavier Guimard <yadd@debian.org> Sat, 08 Aug 2020 08:33:36 +0200 + +apache2 (2.4.43-1) unstable; urgency=medium + + [ Timo Aaltonen ] + * mod_ssl: Add patches to fix TLS 1.3 client cert authentication for POST + requests (Closes: #955348) + + [ Moritz Schlarb ] + * Fix logrotate script for multi-instance (Closes: #914606) + + [ Xavier Guimard ] + * New upstream version 2.4.43 (Closes: CVE-2020-1927, CVE-2020-1934) + * Refresh patches + + -- Xavier Guimard <yadd@debian.org> Tue, 31 Mar 2020 08:02:12 +0200 + +apache2 (2.4.41-5) unstable; urgency=medium + + [ Xavier Guimard ] + * Avoid double mod_dav load (Closes: #951753) + + [ Timo Aaltonen ] + * mod_proxy_ajp-add-secret-parameter.diff: Apply a patch from 2.4.x to fix + AJP with current tomcat. + (Closes: #954201) + + -- Xavier Guimard <yadd@debian.org> Wed, 18 Mar 2020 21:06:49 +0100 + +apache2 (2.4.41-4) unstable; urgency=medium + + * Add gcc in chroot autopkgtest (fixes debci) + + -- Xavier Guimard <yadd@debian.org> Fri, 07 Feb 2020 06:14:33 +0100 + +apache2 (2.4.41-3) unstable; urgency=medium + + * Don't use hardcoded libgcc_s.so.1 path in autopkgtest files. Thanks to + Aurelien Jarno (Closes: #950711) + + -- Xavier Guimard <yadd@debian.org> Wed, 05 Feb 2020 13:18:04 +0100 + +apache2 (2.4.41-2) unstable; urgency=medium + + [ Stefan Fritsch ] + * Add *.load file for mod_socache_redis + + [ Vagrant Cascadian ] + * Embeds path to EGREP in config_vars.mk (Closes: #948757) + * Sanitize CXXFLAGS/-ffile-prefix-map in config_vars.mk (Closes: #948759) + + -- Xavier Guimard <yadd@debian.org> Mon, 13 Jan 2020 06:14:45 +0100 + +apache2 (2.4.41-1) unstable; urgency=medium + + * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081, + CVE-2019-10082, CVE-2019-10092, CVE-2019-10098) + * Update lintian overrides + * Remove README in usr/share/apache2 + * Move httxt2dbm manpage in section 8 + * Update test framework + + -- Xavier Guimard <yadd@debian.org> Wed, 14 Aug 2019 06:42:29 +0200 + +apache2 (2.4.39-2) unstable; urgency=medium + + * Fix bad call of dh_link. Thanks to Daniel Baumann (Closes: #934640) + + -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 22:52:47 +0200 + +apache2 (2.4.39-1) unstable; urgency=medium + + [ Helmut Grohne ] + * Do not install /usr/share/apache2/build/config.nice (Closes: #929510) + + [ Xavier Guimard ] + * New upstream version 2.4.39 (Closes: CVE-2019-0196, CVE-2019-0197, + CVE-2019-0211, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220) + * Refresh patches + * Remove patches now included in upstream + * Replace duplicate doc files by links using jdupes + * Add bison in build dependencies + + -- Xavier Guimard <yadd@debian.org> Mon, 12 Aug 2019 21:30:33 +0200 + +apache2 (2.4.38-3) unstable; urgency=high + + [ Marc Deslauriers ] + * SECURITY UPDATE: read-after-free on a string compare in mod_http2 + - debian/patches/CVE-2019-0196.patch: disentangelment of stream and + request method in modules/http2/h2_request.c. + - CVE-2019-0196 + * SECURITY UPDATE: privilege escalation from modules' scripts + - debian/patches/CVE-2019-0211.patch: bind the bucket number of each + child to its slot number in include/scoreboard.h, + server/mpm/event/event.c, server/mpm/prefork/prefork.c, + server/mpm/worker/worker.c. + - CVE-2019-0211 + * SECURITY UPDATE: mod_ssl access control bypass + - debian/patches/CVE-2019-0215.patch: restore SSL verify state after + PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c. + - CVE-2019-0215 + * SECURITY UPDATE: mod_auth_digest access control bypass + - debian/patches/CVE-2019-0217.patch: fix a race condition in + modules/aaa/mod_auth_digest.c. + - CVE-2019-0217 + * SECURITY UPDATE: URL normalization inconsistincy + - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in + the path in include/http_core.h, include/httpd.h, server/core.c, + server/request.c, server/util.c. + - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety + in server/request.c, server/util.c. + - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in + server/util.c. + - CVE-2019-0220 + + [ Stefan Fritsch ] + * Pull security fixes from 2.4.39 via Ubuntu + * CVE-2019-0197: mod_http2: Fix possible crash on late upgrade + + -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200 + +apache2 (2.4.38-2) unstable; urgency=medium + + * Disable "reset" test in allowmethods.t (Closes: #921024) + + -- Xavier Guimard <yadd@debian.org> Thu, 31 Jan 2019 21:54:05 +0100 + +apache2 (2.4.38-1) unstable; urgency=medium + + [ Jelmer Vernooij ] + * Reverted for now: Transition to automatic debug package (from: apache2-dbg) + * Trim trailing whitespace + * Use secure copyright file specification URI + + [ Niels Thykier ] + * Add Rules-Requires-Root: binary-targets + + [ Xavier Guimard ] + * Convert signing-key.pgp into signing-key.asc + * Add http2.conf (Closes: #880993) + * Remove unnecessary greater-than versioned dependency to dpkg-dev, + libbrotli-dev and libapache2-mod-md + * Declare compliance with policy 4.2.1 + * Add spelling errors patch (reported) + * Fix some spelling errors in debian files + * Add myself to uploaders + * Refresh patches + * Bump debhelper compatibility level to 10 + * debian/rules: + - Remove unnecessary dh argument --parallel + - use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog + * Add upstream/metadata + * Replace MIT by Expat in debian/copyright + * debian/watch: use https url + * Add documentation links in systemd service files + * Team upload + + [ Cyrille Bollu ] + * Put HTTP2 configuration within <IfModule !mpm_prefork></IfModule> tags as + it gets automatically de-activated upon apache 'startup when using + mpm_prefork. + * Updated http2.conf to inform user that they may want to change their + LogFormat directives. + + [ Xavier Guimard ] + * New upstream version 2.4.38 (Closes: #920220, #920302, #920303, + CVE-2018-17189, CVE-2018-17199, CVE-2019-0190) + * Refresh patches + * Remove setenvifexpr.diff patch now included in upstream + * Replace libapache2-mod-proxy-uwsgi.{post*,prerm} by a maintscript + * Add a "sleep" in debian/tests/htcacheclean and skip result if "stop" failed + * Declare compliance with policy 4.3.0 + * Fix homepage to https + * Update debian/copyright + + -- Xavier Guimard <yadd@debian.org> Tue, 29 Jan 2019 23:49:49 +0100 + +apache2 (2.4.37-1) unstable; urgency=medium + + * New upstream version + - mod_ssl: Add support for TLSv1.3 + * Add docs symlink for libapache2-mod-proxy-uwsgi. Closes: #910218 + * Update test-framework to r1845652 + * Fix test suite to actually run by creating a test user. It turns out + the test suite refuses to run as root but returns true even in that + case. It seems this has been broken since 2.4.27-4, where the test suite + had been updated and the debci test duration dropped from 15min to + 3min. Also, don't rely on the exit status anymore but parse the test + output. + * Backport a fix from trunk for SetEnvIfExpr. This fixes a test failure. + + -- Stefan Fritsch <sf@debian.org> Sat, 03 Nov 2018 14:26:31 +0100 + +apache2 (2.4.35-1) unstable; urgency=medium + + * New upstream version 2.4.35 + Security fix: + - CVE-2018-11763: DoS for HTTP/2 connections by continuous SETTINGS + Closes: #909591 + * Fix lintian warning: Don't force xz in builddeb override. + + -- Stefan Fritsch <sf@debian.org> Sun, 07 Oct 2018 12:54:58 +0200 + +apache2 (2.4.34-1) unstable; urgency=medium + + [ Ondřej Surý ] + * New upstream version 2.4.34 + Security fixes: + - CVE-2018-1333: Denial of service in mod_http2. Closes: #904106 + - CVE-2018-8011: Denial of service in mod_md. Closes: #904107 + * Refresh patches for Apache2 2.4.34 release + * Update the suexec-custom.patch for 2.4.34 release + + [ Stefan Fritsch ] + * Remove load order dependency introduced in mod_lbmethod_* in 2.4.34 + * Remove debian/gbp.conf. Closes: #904641 + * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper. + Closes: #904150 + + -- Stefan Fritsch <sf@debian.org> Fri, 27 Jul 2018 21:37:37 +0200 + +apache2 (2.4.33-3) unstable; urgency=medium + + * Add Breaks for libapache2-mod-proxy-uwsgi and libapache2-mod-md, too. + Closes: #894785 + * mod_http2: Avoid high memory usage with large files, causing crashes on + 32bit archs. Closes: #897218 + * Migrate from alioth to salsa. + + -- Stefan Fritsch <sf@debian.org> Sat, 05 May 2018 11:34:47 +0200 + +apache2 (2.4.33-2) unstable; urgency=medium + + * Add Replaces: and transitional packages for libapache2-mod-proxy-uwsgi + and libapache2-mod-md. + Closes: #894760, #894761, #894785 + + -- Stefan Fritsch <sf@debian.org> Sun, 22 Apr 2018 11:14:19 +0200 + +apache2 (2.4.33-1) unstable; urgency=medium + + * New upstream version. + Security fixes: + - CVE-2017-15710 + Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled + - CVE-2018-1283 + mod_session: CGI-like applications that intend to read from mod_session's + 'SessionEnv ON' could be fooled into reading user-supplied data instead. + - CVE-2018-1303 + mod_cache_socache: Fix request headers parsing to avoid a possible crash + with specially crafted input data. + - CVE-2018-1301 + core: Possible crash with excessively long HTTP request headers. + Impractical to exploit with a production build and production LogLevel. + - CVE-2017-15715 + core: Configure the regular expression engine to match '$' to the end of + the input string only, excluding matching the end of any embedded + newline characters. Behavior can be changed with new directive + 'RegexDefaultOptions'. + - CVE-2018-1312 + mod_auth_digest: Fix generation of nonce values to prevent replay + attacks across servers using a common Digest domain. This change + may cause problems if used with round robin load balancers. PR 54637 + - CVE-2018-1302 + mod_http2: Potential crash w/ mod_http2. + + - mod_proxy_uwsgi: New UWSGI proxy submodule. + - mod_md: New experimental module for managing domains across virtual + hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and + renew certificates. + - core: silently ignore a not existent file path when IncludeOptional + is used. Closes: #878920 + - mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980 + + * Fix lintian warnings: + - Include SupportApache-small.png in apache2-doc package instead of + linking to apache.org, to avoid privacy issues. + - Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE + - Remove deprecated use of autotools_dev with dh. + - Add some overrides + * Bump standards-version to 4.1.2 (no changes) + + -- Stefan Fritsch <sf@debian.org> Fri, 30 Mar 2018 22:53:13 +0200 + +apache2 (2.4.29-2) unstable; urgency=medium + + * Add myself to Uploaders + * Bump required version of apr/apr-util to 1.6.0 (Closes: #879634) + * Run wrap-and-sort -a to canonicalize the debian/ directory + * Add Build-Depends on libbrotli-dev and enable brotli module + + -- Ondřej Surý <ondrej@debian.org> Sun, 14 Jan 2018 11:01:58 +0000 + +apache2 (2.4.29-1) unstable; urgency=medium + + [ Stefan Fritsch ] + * Replace outdated dependency on dh-systemd + + [ Ondřej Surý ] + * New upstream version 2.4.29 + * Refresh quilt patches + * Add mod_ssl_md patch needed for libapache2-mod-md (Closes: #877343) + * Refresh patches on top of upstream release 2.4.29 + * Fix Apache crash on restarts (ASF Bug 61558) + * Add deconfigure to the list of recognized scripts (Closes: #877524) + + -- Ondřej Surý <ondrej@debian.org> Mon, 23 Oct 2017 14:46:55 +0000 + +apache2 (2.4.27-6) unstable; urgency=high + + * CVE-2017-9798: Don't allow new methods to be registered in .htaccess files + which could result in HTTP OPTIONS method leaking Apache's server memory. + Closes: #876109 + * Fix argument escaping in apachectl. Closes: #876384 + + -- Stefan Fritsch <sf@debian.org> Sun, 24 Sep 2017 00:08:01 +0200 + +apache2 (2.4.27-5) unstable; urgency=medium + + * Upload to unstable. + * Update "Breaks:" for openssl transition. + * Bump Standards-Version to 4.1.0. No changes needed. + + -- Stefan Fritsch <sf@debian.org> Sun, 03 Sep 2017 17:18:57 +0200 + +apache2 (2.4.27-4) experimental; urgency=medium + + * Use 'invoke-rc.d' instead of init script in logrotate script. + Closes: #857607 + * Make the apache-htcacheclean init script actually look into + /etc/default/apache-htcacheclean for its config. LP: #1691495 + * mime.conf: Guard AddOutputFilter INCLUDES with proper <IfModule>. + LP: #1675184 + * Use 'service' instead of init script in monit example config. + * Bump Standards-Version to 4.0.1. Other changes: + - change package priorities from extra to optional + * Use libprotocol-http2-perl in autopkgtest. + * Update test suite to svn r1804214. + * Various tweaks to the test suite autopkgtest to avoid having to skip + any test. + * Also remove -DBUILD_DATETIME and -fdebug-prefix-map from config_vars.mk + to avoid them being used by apxs. + * deflate.conf: Remove mention of MSIE6 + + -- Stefan Fritsch <sf@debian.org> Tue, 08 Aug 2017 21:59:37 +0200 + +apache2 (2.4.27-3) experimental; urgency=medium + + * Switch to openssl 1.1. Again closes: #851094 + * Add versioned breaks for gridsite, libapache2-mod-dacs because of + openssl transition. + * Provide new apache2-api-20120211-openssl1.1 virtual package and make + dh_apache2 generate a dependency on it if there is a build-dep on + apache2-ssl-dev. + + -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:11:07 +0200 + +apache2 (2.4.27-2) unstable; urgency=medium + + * Switch back to openssl 1.0 for now. The transition to 1.1 needs more + work and should go into experimental, first. Reopens: #851094 + + -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 23:01:10 +0200 + +apache2 (2.4.27-1) unstable; urgency=medium + + [ New upstream release ] + * Fix CVE-2017-9788: mod_auth_digest: Uninitialized memory reflection + Closes: #868467 + + [ Stefan Fritsch ] + * Switch to openssl 1.1. Closes: #851094 + + -- Stefan Fritsch <sf@debian.org> Sun, 16 Jul 2017 10:39:15 +0200 + +apache2 (2.4.25-4) unstable; urgency=high + + * Backport security fixes from 2.4.26: + * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw() + * CVE-2017-3169: mod_ssl NULL pointer dereference + * CVE-2017-7668: Buffer overrun in ap_find_token() + * CVE-2017-7679: mod_mime buffer overread + * CVE-2017-7659: mod_http2 NULL pointer dereference + + -- Stefan Fritsch <sf@debian.org> Tue, 20 Jun 2017 21:31:51 +0200 + +apache2 (2.4.25-3) unstable; urgency=medium + + * Fix detection of systemd to fix 'apache2ctl start' on sysv-init. + Closes: #852543 + * Compile mod_bucketeer mod_case_filter mod_case_filter_in for benefit of + the test suite, but don't add *.load files because they don't have any + real-world use. + * Include the upstream test suite and a corresponding autopkgtest. This + is quite a hack but it may help quite a bit with security updates, + especially if stretch gets LTS support, too. + + -- Stefan Fritsch <sf@debian.org> Wed, 25 Jan 2017 23:59:26 +0100 + +apache2 (2.4.25-2) unstable; urgency=medium + + * Activate mod_reqtimeout in new installs and during updates from + before 2.4.25-2. It was wrongly not activated in new installs since + jessie. This made the default installation vulnerable to some DoS + attacks. + * Restart htcacheclean on updates and tighten dependency on apache2-utils + to ensure that apache2-utils cannot be upgraded without apache2. + Closes: #851122 + * When running on systems with systemd, make 'apache2ctl start' invoke + systemctl instead. Otherwise systemd will think apache2 is not running + and ignore further commands like reload. Closes: #839227 + * Avoid segfault in mpm_event if a signal is received too soon after start. + PR 60487 + * Add test for some modules to be enabled. + * Remove mention of CVE-2016-5387 in 2.4.25-1 changelog. It was already + fixed in 2.4.23-2. + + -- Stefan Fritsch <sf@debian.org> Sat, 14 Jan 2017 19:27:34 +0100 + +apache2 (2.4.25-1) unstable; urgency=medium + + [ New upstream release ] + * Security: CVE-2016-0736: + mod_session_crypto: Authenticate the session data/cookie with a MAC to + prevent deciphering or tampering with a padding oracle attack. + * Security: CVE-2016-2161: + mod_auth_digest: Prevent segfaults during client entry allocation when the + shared memory space is exhausted. + * Security: CVE-2016-8740: + mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames. + Closes: #847124 + * Security: CVE-2016-8743: + Enforce HTTP request grammar corresponding to RFC7230 for request lines + and request headers, to prevent response splitting and cache pollution by + malicious clients or downstream proxies. + * The stricter HTTP enforcement may cause compatibility problems with + non-conforming clients. Fine-tuning is possible with the new + HttpProtocolOptions directive. + * mpm_event: Fix "scoreboard full" errors. Closes: #834708 LP: #1466926 + * mod_http2: Many fixes and support for early pushes using the new + H2PushResource directive. + + [ Stefan Fritsch ] + * Switch to debhelper compatibility level 9. + + -- Stefan Fritsch <sf@debian.org> Wed, 21 Dec 2016 23:46:06 +0100 + +apache2 (2.4.23-8) unstable; urgency=medium + + * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a + new package apache2-ssl-dev. Packages that interface with openssl + state from mod_ssl must build-depend on this new package. + This will help to disentangle the build-deps in the openssl transition. + Closes: #845033 + + -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100 + +apache2 (2.4.23-7) unstable; urgency=medium + + * Make apache2-dev depend on openssl 1.0, too. Closes: #844160 + * Move DefaultRuntimeDir and pid file for multi-instances to + /var/run/apache2-xxx. Thanks to Horst Platz for the debugging. + Closes: #838932 LP: #1627339 + * Fix systemd unit naming for multi-instances. + * Tweak embedded .tar.gz some more to build reproducibly. + + -- Stefan Fritsch <sf@debian.org> Sun, 13 Nov 2016 13:08:28 +0100 + +apache2 (2.4.23-6) unstable; urgency=medium + + * One more tweak for reproducible build. Thanks to Daniel Shahaf for the + patch. Closes: #839977 + * Avoid building with openssl 1.1 for now. See #828236 + + -- Stefan Fritsch <sf@debian.org> Wed, 09 Nov 2016 23:51:25 +0100 + +apache2 (2.4.23-5) unstable; urgency=low + + * Team upload. + + [ Stefan Fritsch ] + * Tweak creation of .tar.gz embedded in preinst to get reproducible + build. + + [ Raphaël Hertzog ] + * Add systemd unit files. Closes: #798430 + * Improve a2enmod to enable apache-htcacheclean with systemctl and let + it enable 'apache-htcacheclean@instance.service' for multi-instance + support. + * Improve setup-instance to rely on the systemd apache2@instance.service for + multi-instance support. + * Drop /lib/systemd/system/apache2.service.d/forking.conf now that we have + proper native systemd support. + * Modify handling of /etc/init.d/apache-htcacheclean to have a usual + Default-Start value but instead we disable it manually in the postinst. + That way "systemctl enable apache-htcacheclean" works. + * Add some lintian overrides for non-problems (two update-rc.d calls in + postinst, and a .js file with a very long line). + + -- Raphaël Hertzog <hertzog@debian.org> Thu, 29 Sep 2016 12:03:31 +0200 + +apache2 (2.4.23-4) unstable; urgency=medium + + * Fix pre-inst script for new installations. Closes: #834169 + + -- Stefan Fritsch <sf@debian.org> Fri, 12 Aug 2016 21:44:31 +0200 + +apache2 (2.4.23-3) unstable; urgency=low + + * Fix conffiles that may have got the wrong content during upgrade from + wheezy to early jessie versions. Closes: #794933 + * Also restore re-introduced *.load files for mod_ident, mod_imagemap, and + mod_cern_meta. These may have gone missing due to dpkg thinking they still + belong to apache2.2-common. Reported by Markus Waldeck. + * apache2-maintscript-helper: Make apache2_switch_mpm do nothing if the + local admin has disabled the requested mpm manually. + Closes: #827446, #799630 + * Make mod_proxy_html depend on mod_xml2enc. + * dh_apache2: Make versioned recommends on apache2 less strict. There is + no advantage in recommending the current version. Closes: #784290 + + -- Stefan Fritsch <sf@debian.org> Thu, 11 Aug 2016 21:40:35 +0200 + +apache2 (2.4.23-2) unstable; urgency=high + + * CVE-2016-5387: Sets environmental variable based on user supplied Proxy + request header. + Don't pass through HTTP_PROXY in server/util_script.c + + -- Stefan Fritsch <sf@debian.org> Thu, 21 Jul 2016 23:21:37 +0200 + +apache2 (2.4.23-1) unstable; urgency=high + + * New upstream release + - Security: CVE-2016-4979: Fix bypass of TLS client certificate + verification in mod_http2. + - new modules mod_proxy_http2 (experimental) and mod_proxy_hcheck + * Re-introduce mod_imagemap and mod_cern_meta. Closes: #786657 + * Set SHELL=/bin/bash during configure to get reproducible builds regardless + of where /bin/sh points to. + * Use 'Require method' instead of Limit/LimitExcept in userdir.conf. + + -- Stefan Fritsch <sf@debian.org> Tue, 05 Jul 2016 23:57:25 +0200 + +apache2 (2.4.20-2) unstable; urgency=medium + + * Fix crash in ap_get_useragent_host() triggered by mod_perl test. + Closes: #820824 + * Fix race condition and logical error in init script. Thanks to Thomas + Stangner for the patch. Closes: #822144 + * Remove links to manpages.debian.org in default index.html to avoid + broken robots doing a DoS on the site. Closes: #821313 + * Fix a2enmod to run on perl 5.14 to simplify backports. Closes: #821956 + * Bump Standards-Version (no changes necessary). + * Fix segfault with logresolve -c. Closes: #823259 + + -- Stefan Fritsch <sf@debian.org> Sat, 28 May 2016 16:14:09 +0200 + +apache2 (2.4.20-1) unstable; urgency=medium + + * New upstream release + - mostly bugfixes and HTTP/2 improvements + * Build against lua 5.2 instead of 5.1. Closes: #820243 + * Correct systemd-sysv-generator behavior by customizing some parameters. + This fixes 'systemctl status' returning incorrect results. Thanks to + Pierre-André MOREY for the patch. LP: #1488962 + * On Linux, use pthread mutexes. On kfreebsd/hurd, continue using fctnl + because they lack robust pthred mutexes. LP: #1565744, #1527044 + + -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200 + +apache2 (2.4.18-2) unstable; urgency=low + + * htcacheclean: + - split starting/stopping into separate init script 'apache-htcacheclean' + - move config from /etc/default/apache2 to /etc/default/apache-htcacheclean + - make a2enmod/a2dismod enable/disable htcacheclean with mod_cache_disk + - start htcacheclean as the apache2 run user/group + * Fix a2query -M not returning output if apache2 config is broken. + Fix missing quotes in apache2-maintscript-helper. Closes: #810500 + * README.backtrace: Note that coredump directory needs to be owned by + www-data. Closes: #806697 + * Remove ssl work-arounds for MSIE. Newer versions of IE work without them + and older versions are no longer supported by MS. Closes: #815852 + * Give a hint about systemd in README.multiple-instances. Closes: #818904 + * Don't treat mod_access_compat as essential. It's essentially broken, + anyway. + * Merge cross-compile tweaks for debian/rules from ubuntu. + * Merge autopkgtests from Ubuntu. Many thanks to Robie Basak. + Closes: #719245 + * Fix duplicate-module-load test and make sure it fails if it cannot execute + apache2ctl. + * Bump Standards-Version (no changes necessary). + + -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200 + +apache2 (2.4.18-1) unstable; urgency=medium + + * New upstream release: + - mostly HTTP/2 improvements + + -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100 + +apache2 (2.4.17-3) unstable; urgency=medium + + * mpm_prefork: Fix segfault if started with -X. Closes: #805737 + + -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100 + +apache2 (2.4.17-2) unstable; urgency=medium + + * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke + lots of web-apps. Closes: #803353 + * Fix secondary-init-script to not source the main init script with 'set -e'. + Closes: #803177 + * mod_http2: Write HTTP/2 into THE_REQUEST and the access log. + + -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100 + +apache2 (2.4.17-1) unstable; urgency=medium + + [ Stefan Fritsch ] + * New upstream release: + - New experimental http2 module + * reproducible build: Make symbol sorting consistent over different locales + * Conflict with apache2.2-common and apache2.2-bin to get the transitional + packages removed. Closes: #768815 + * Don't treat mpm_itk as MPM module in a2query. Closes: #791902 + * Don't treat mpm_itk as MPM module in deferred actions in postinst. + Hopefully really closes: #789914 + * Don't treat mpm_itk as MPM module in a2enmod. + + [ Jean-Michel Vourgère ] + * Updated upstream keyring used to check source authenticity. + + -- Stefan Fritsch <sf@debian.org> Sat, 24 Oct 2015 22:14:32 +0200 + +apache2 (2.4.16-3) unstable; urgency=medium + + [ Jean-Michel Vourgère ] + * Have apache2.postrm removes content of /var/lib/apache2, not the + directory itself. Closes: #793862 + * d/p/reproducible_builds.diff: Sort exported symbols list. + + [ Stefan Fritsch ] + * apxs: Don't pass --silent to libtool. Closes: #795820 + * Remove default /var/www/html/index.html on package purge. + + -- Stefan Fritsch <sf@debian.org> Tue, 18 Aug 2015 13:49:09 +0200 + +apache2 (2.4.16-2) unstable; urgency=medium + + * Make dh_apache2 add a versioned dependency on apache2-bin, for the + new symbols required for the CVE-2015-3185 fix. + + -- Stefan Fritsch <sf@debian.org> Fri, 07 Aug 2015 23:43:16 +0200 + +apache2 (2.4.16-1) unstable; urgency=medium + + [ Stefan Fritsch ] + * New upstream version, fixing the following security issues: + + CVE-2015-3183: Fix chunk header parsing defect. + + CVE-2015-3185: ap_some_auth_required() broken in apache 2.4 in an + unfixable way. Add a new replacement API ap_some_authn_required() + and ap_force_authn hook. + + [ Jean-Michel Vourgère ] + * Allow "triggers-awaited" and "triggers-pending" states in addition to + "installed" when determining whether to defer actions or process + deferred actions. Thanks Colin Watson. Closes: #787103 + * Allow a2dismod cgi on threaded mpms. Thanks Raul Dias. Closes: + #733979 + * Remove pre-Jessie transition scripts, and remaining breaks. + * Made builds reproducible: d/rules set the date from the changelog in + CPPFLAGS, new reproducible_builds.diff patch to use it. + * Moved bash_completion from /etc to /usr/share/bash_completion. Added + links there for dynamic loading. + * Upgrade security.conf comments to 2.4 auth format. Thanks Werner + Detter. Closes: #789788 + * apache2.postinst: Fixed tests on deferred mpm switch. Closes: + #789914 + + -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200 + +apache2 (2.4.12-2) unstable; urgency=medium + + [ Jean-Michel Nirgal Vourgère ] + * d/control: + + Update Vcs-Browser. + * d/copyright: + + Change d/debhelper/dh_apache2 to dh_apache2.in. + + Drop paragraph about inexistant itk patches. + + [ Stefan Fritsch ] + * Remove all the transitional packages: + apache2-mpm-worker, apache2-mpm-prefork, apache2-mpm-event, + apache2-mpm-itk, apache2.2-bin, apache2.2-common, + libapache2-mod-proxy-html, libapache2-mod-macro, apache2-suexec + This also fixes the dependency problems caused by a recent version + of debhelper (see #784803). + + -- Stefan Fritsch <sf@debian.org> Mon, 11 May 2015 22:07:26 +0200 + +apache2 (2.4.12-1) unstable; urgency=medium + + * New upstream version + * Add a patch for CVE-2015-0253 which was introduced in 2.4.11 which + was never shipped in Debian. + * Ship mod_proxy_html's default config file. Closes: #782022 + * Fix typo in dh_apache2 man page. Closes: #781032 + + -- Stefan Fritsch <sf@debian.org> Tue, 28 Apr 2015 22:54:41 +0200 + +apache2 (2.4.10-11) unstable; urgency=medium + + * core: Fix -D[efined] or <Define>[d] variables lifetime accross restarts. + This could cause all kinds of strange behavior. PR 56008. PR 57328 + * mpm_event: Fix process deadlock when shutting down a worker. PR 56960 + * mpm_event: Fix crashes due to various race conditions. Closes: #779078 + + -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2015 22:27:16 +0200 + +apache2 (2.4.10-10) unstable; urgency=medium + + * CVE-2015-0228: mod_lua: Fix denial of service vulnerability in + wsupgrade(). + * Fix setup-instance example script to handle a2enconf/a2disconf. + LP: #1430936 + * Tweak mention of mod_access_compat in NEWS.Debian. The module does + not really work in practice. + + -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100 + +apache2 (2.4.10-9) unstable; urgency=medium + + * CVE-2014-8109: mod_lua: Fix handling of the Require line when a + LuaAuthzProvider is used in multiple Require directives with different + arguments. + * Include ask-for-passphrase script from Ubuntu with some tweaks. This + fixes asking for certificate passphrases if started via systemd. + Closes: #773405 + * Fix init script to not wait 20s if passphrase was wrong. + * Also bump debhelper build-depends to get dh_installdeb with support for + symlink_to_dir. Closes: #770421 + + -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100 + +apache2 (2.4.10-8) unstable; urgency=medium + + * Bump dpkg Pre-Depends to version that supports relative symlinks in + dpkg-maintscript-helper's symlink_to_dir. Closes: #769821 + * mod_proxy_fcgi: Fix potential denial of service by malicious fcgi + script. (CVE-2014-3583). Fix similar bug in mod_authnz_fcgi even + though it does not seem to be exploitable. + * mpm_event: Fix use-after-free that may lead to a server crash. + * mod_ssl: Fix memory leak on graceful restart. Closes: #754492 + * mod_ssl: Avoid crashes during startup or graceful restart due to + openssl using a callback to invalid memory. LP: #1366174 + + -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100 + +apache2 (2.4.10-7) unstable; urgency=medium + + * Handle transitions of doc dirs and symlinks correctly during upgrade. + Use dpkg-maintscript-helper for this and remove existing explicit logic. + Closes: #767850 + * Remove obsolete conffiles in apache2.2-common, instead doing this only in + apache2. This partially fixes #768815 + + -- Stefan Fritsch <sf@debian.org> Sun, 09 Nov 2014 19:03:30 +0100 + +apache2 (2.4.10-6) unstable; urgency=medium + + * Disable SSLv3 in default config. Closes: #765347 + * Pull changes from upstream 2.4.x branch up to r1632831 + - Fixes an LDAP regression in 2.4.10 + - mod_cache: Avoid sending 304 responses during failed revalidations. + PR 56881 + - mod_status: Honor client IP address using mod_remoteip. PR 55886 + * Fix typo in package description. Closes: #765500 + + -- Stefan Fritsch <sf@debian.org> Tue, 21 Oct 2014 22:42:06 +0200 + +apache2 (2.4.10-5) unstable; urgency=medium + + * Remove one forgotten instance of ident.load in the preinst. + + -- Stefan Fritsch <sf@debian.org> Fri, 10 Oct 2014 00:20:09 +0200 + +apache2 (2.4.10-4) unstable; urgency=medium + + [ Stefan Fritsch ] + * Make apache2 depend on apache2-utils. This got lost somewhere in the + 2.4 update. + * Fix possible installation failure because of broken preinst script. + Closes: #764498 + * Improve package descriptions. Closes: #763676 + + [ Arno Töll ] + * Add proper return codes to fail() conditions in a2query. Thanks to Ondřej + Surý for providing a patch. + + -- Stefan Fritsch <sf@debian.org> Thu, 09 Oct 2014 22:19:12 +0200 + +apache2 (2.4.10-3) unstable; urgency=medium + + * CVE-2014-3581: Fix a DoS in mod_cache. + * If apache2 is not configured yet, defer actions executed via + apache2-maintscript-helper. This fixes installation failures if a + module package is configured first. Closes: #745834 + * Don't use a2query in preinst, as it may not be available yet. + Closes: #745812 + * Include mod_authnz_fcgi. Closes: #762908 + * Add some comments about SSLHonorCipherOrder in ssl.conf. Closes: #746359 + * Remove misleading sentence in apache2-bin's description. Closes: #762645 + * Remove trailing space in apache2/suexec/www-data. Closes: #719930 + * Add NEWS entry for the logrotate change in 2.4.10-2. + * Bump Standards-version (no changes). + * Fix lintian warning: Tweak licence short names in copyright file. + + -- Stefan Fritsch <sf@debian.org> Sun, 28 Sep 2014 22:37:02 +0200 + +apache2 (2.4.10-2) unstable; urgency=medium + + * Pull changes from upstream 2.4.x branch up to r1626207 + + Security Fix for CVE-2013-5704: HTTP trailers could be used to + replace HTTP headers late during request processing, potentially + undoing or otherwise confusing modules that examined or modified + request headers earlier. + Adds "MergeTrailers" directive to restore legacy behavior. + + * Switch to apache2 providing the httpd and httpd-cgi virtual packages. + The previously providing apache2-bin package lacks the configuration + files. Closes: #756361 + * Keep fewer logs by default. Instead of 52 weekly logs, keep 14 daily + logs. The daily graceful restart also has the advantage of regenerating + things like TLS session ticket keys more often. Closes: #759382 + * Clarify description of apache2 package. Closes: #755976 + * In the maintainer script helper, print out Apache's error message if + the config check fails. + * Re-add mod_ident. It has still at least one user. LP: #1333388 + + -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200 + +apache2 (2.4.10-1) unstable; urgency=medium + + [ Arno Töll ] + * New upstream version + + Refresh debian/patches/fhs_compliance.patch + + Security Fixes: + - CVE-2014-0117 mod_proxy: Fix DoS that could cause a crash + - CVE-2014-0226 Fix a race condition resulting in a heap overflow in + scoreboard handling + - CVE-2014-0118 mod_deflate: The DEFLATE input filter now limits the + length and compression ratio of inflated request to mitigate a + possible DoS + - CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts + + Fixes SNI with certificate defined in global scope. (Closes: #751361) + * Warn users if they try to disable modules that we consider essential for + operation of the Apache web server (Closes: #709461) + * Drop libcap from our build-dependencies. That was needed for itk which we + gave source out to it's own package again. + * Provide apache2.2-common package to avoid upgrading problems for people + using --purge (apt) or --purge-unused (aptitude) even though that's + clearly discouraged. This caused disappearing of conffiles because we move + them from apache2.2-common to apache2 during the upgrade. Ugh. This was + not a bug in our packaging, but an unfortunately people blame us + nonetheless even though it's not all our fault. This alternative helps + those people, but at the same time means that incompatible modules aren't + force-removed by dpkg during the upgrade. Hopefully we catch all of them + with the Breaks relation coming along (Closes: #716880, #752922, #711925) + + -- Stefan Fritsch <sf@debian.org> Tue, 22 Jul 2014 23:16:20 +0200 + +apache2 (2.4.9-2) unstable; urgency=medium + + * Fix logic in postinst to detect existing index.* files in both + DocumentRoots, the old /var/www and the new /var/www/html. Also + change the compiled in default DocumentRoot to /var/www/html. + Closes: #743915 + * Fix buffer overflows in suexec with very long (unix) usernames. Not + exploitable due to FORTIFY_SOURCE. And creating users usually requires + root privileges, anyway. Thanks to Luca Bruno for the report. + * Remove conflicts of mpm modules with mpm_itk, which isn't an mpm + anymore. Fixes a part of: #734865. libapache2-mpm-itk needs a fix, too. + * Remove obsolete warning in a2enmod about mpm-itk. + * Fix lintian warning: Remove image ref to w3.org, which is a privacy + breach. + + -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200 + +apache2 (2.4.9-1) unstable; urgency=medium + + * New upstream version. + Security fixes: + - CVE-2013-6438: mod_dav: Fix DoS from crafted DAV WRITE requests. + - CVE-2014-0098: mod_log_config: Fix segfaults when logging truncated + cookies. + Notable new features: + - Support named groups and backreferences within the LocationMatch, + DirectoryMatch, FilesMatch and ProxyMatch directives. + - mod_proxy: Added support for unix domain sockets as the backend server + endpoint. + - mod_ssl: Add support for OpenSSL configuration commands by introducing + the SSLOpenSSLConfCmd directive. + - mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm, + mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the + require directives. + - mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore, + and IgnoreInherit. + - Bugfix in the build system to avoid problems with patched config.m4 + files as in LP #1251939. + * Make default cipher list in ssl.conf more secure: + - Remove 'MEDIUM'. This disables RC4 and SEED. Also remove '!MD5' because + 'HIGH' does not include MD5. + - Remove the 'Speed-optimized SSL Cipher' configuration example because + it depends on RC4, which is considered insecure. + * Change init script short description to describe the service, not the + script. Closes: #738315 + * Bump Standards-Version (no changes). + + -- Stefan Fritsch <sf@debian.org> Sat, 29 Mar 2014 22:50:32 +0100 + +apache2 (2.4.7-1) unstable; urgency=low + + New upstream version + + [ Stefan Fritsch ] + * In logrotate and init script, don't hardcode path to htcacheclean. + Instead, put sbin directories in PATH. Also fix one missed reference + to disk_cache.load, missed in 2.4.6-3. Really closes: #718909 + * Remove possiblity to override path to apache2 executable via envvars. + This is no longer necessary with MPMs as modules. + * Fix typo in serve-cgi-bin.conf. Closes: #723196 + * Bump Build-Depends. 2.4.7 requires apr 1.5. + + [ Arno Töll ] + * Fix "No default site enabled after fresh install if /etc/apache2 + exists" by using a condition in preinst which actually works as expected. + Thanks to Jean-Michel Vourgère for triaging the issue and providing a + patch (Closes: #711493). + * Leave a2disconf with rc=0 when purging a configuration which does not + exist. (Closes: #718166) + * Explicitly express the dependency for mod_access_compat depending on + authn_core. Thanks Jean-Michel Vourgère for providing a patch (Closes: + #710412) + * Allow "apache2_invoke disconf" in postinst/preinst (Closes: #717693) + * Rework the default index.html file. Instead of a blank, minimalistic page + give a quick start guide, since nobody seems to read our docs. This site + is hopefully explaining the most important questions. + * Add a virtual provides line to the itk/worker/event/prefork transitional + packages so that people with an unusual (unsupported) Apache setup + can upgrade neatless in some corner cases (Closes: #728937) + * Drop the Apache ITK patches. The Apache ITK MPM is a standalone package + now and will be provided by libapache2-mpm-itk in future. The + apache2-mpm-itk package depends on this package from now on. Users of itk + are advised to consult the itk manual. + This also resolves a build-system problem that caused mod_unixd to be + initialized twice. (LP: #1251939) + * Remove Steinar H. Gunderson from uploaders, he will continue to support + itk in his own package in future. The remaining Apache team thanks Steinar + for all the work in the past. + * Change the Default Document root directory where files are served from + (Closes: #730372). + * Add GPG support to our watch file. Thanks to Daniel Kahn Gillmor + for this suggestion and for providing a patch (Closes: #732450) + * Refresh suexec-custom.patch. + + -- Arno Töll <arno@debian.org> Thu, 02 Jan 2014 00:17:56 -1100 + +apache2 (2.4.6-3) unstable; urgency=low + + * Fix 'implicit declaration' compiler warnings. + * Fix module dependencies in lbmethod_*.load files. Closes: #717910 + LP: #1205314 + * Mark apache2-data as Multi-Arch: foreign. Closes: #718387 + * Backport open_htaccess hook from upstream 2.4.x branch to allow + building mpm-itk as separate package. + * Improve comment for LogLevel in apache2.conf. Closes: #718677 + * Fix comment in ports.conf. Closes: #718650 + * Fix htcacheclean path and function name in init script. Closes: #718909 + * Enable bindnow hardening compiler option, patch by Felix Geyer. + Closes: #714872 + + -- Stefan Fritsch <sf@debian.org> Mon, 12 Aug 2013 20:15:38 +0200 + +apache2 (2.4.6-2) unstable; urgency=low + + [ Stefan Fritsch ] + * Fix watch file + * Don't pass --silent to libtool, allowing blhc to check the compiler + options in the build logs. + + [ Arno Töll ] + * Allow third party packages to use triggers if they use them in a + maintainer script invoking apache2-maintscript-helper (Closes: #717610) + + -- Arno Töll <arno@debian.org> Tue, 23 Jul 2013 13:25:30 +0200 + +apache2 (2.4.6-1) unstable; urgency=low + + New upstream release: + * CVE-2013-1896: mod_dav: Fix a denial of service via MERGE request + (Closes: #717272) + * New modules mod_cache_socache, mod_proxy_wstunnel. + * mod_ssl: Add support for subjectAltName-based host name checking in proxy + mode (SSLProxyCheckPeerName). + * mod_lua: Many new functions. + * mod_auth_basic: Add a generic mechanism to fake basic authentication + using the ap_expr parser (AuthBasicFake). + * mod_proxy: New BalancerInherit and ProxyPassInherit options. + * mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind password. + + [ Arno Töll ] + * Document our security model in our NEWS file and highlight we do not allow + access to /srv. Thanks to joeyh for pointing this out. + * Allow the use of apache2-maintscript-helper from a sub-function. We rely + on dpkg's arguments supplied in $1, $2 etc. This clashes with function + arguments supplied to to sh sub-function. Allow manual override in such + cases. + * Mention that the dh_apache2 conditional must be present in postrm too + (Closes: #716694) + * Fix "dh_apache2 ignores alternative httpd on conf files" by correctly + checking the supplied arguments, we were off by one (Closes: #717299). + * Reinstall index.html also on upgrades as it is removed during upgrades. + * Add mod_macro transitional package as it was promoted to core and does not + exist as individual package anymore (Closes: #706962) + + [ Stefan Fritsch ] + * Don't fail package upgrade or removal just because the configuration is in + an inconsistent state (Closes: #716921, #717343, LP: #1202653). + * Improve error output of init script. + * Fix broken dependency information in several *.load files. + * Add mod_authn_core as dependency of the mod_auth_* modules. + (Closes: #717448) + + -- Arno Töll <arno@debian.org> Sun, 21 Jul 2013 18:44:42 +0200 + +apache2 (2.4.4-6) unstable; urgency=low + + * Denote exact versions breaking gnome-user-share now that Gnome maintainers + have a fixed version in the works. That makes Gnome installable again. + * Update our gbp.conf for our big merge next -> master. The eagle has + landed, 2.4 is here. + * Push Standards version to 3.9.4 - no changes needed. + * Fix spelling errors in man pages. + * Update the git VCS pointer to its canonical location for anonymous + checkouts. + * Boost the description for the LSB init script to appease Lintian. + * Fix spurious warnings in the Apache2 bug report script (Closes: #711121, + #711480) + * Strip off file extensions from arguments to a2(en|dis)(site|conf|mod) so + that "a2ensite 000-default.conf" works, as well as "a2ensite 000-default" + (Closes: #711494) + * Fix "apache2-dev: dh-apache2 does not strip .conf extension" for modules + relying on the install heuristic, instead of writing an *.apache2 conf + file (Closes: #711483) + * Apply patch submitted by Robert Luberda and redirect all output of + apache2-maintscript-helper to stderr (Closes: #711478) + * Tell about essential operations in the init script (Closes: #711120) + * Fix indentation mess in the init script, and add modelines + * Make sure /etc/init.d/apache2 reload does not always return. Thanks to + Thorsten Glaser for suggesting a patch (Closes: #711117) + * Make apache2-maintscript-helper usable when sourced from weird + environments (e.g. Perl maintainer scripts). Thanks to Robert Luberda + for doing unexpected things, and providing patches for it, and to Axel + Beckert for demangling shell specifics (Closes: #711479) + * Fix "copyright file missing after upgrade (policy 12.5)" and add these for + MPM transitional packages (Closes: #710914) + * Fix "apache2.2-bin transitional package (binaries only) should not + depend on apache2 package (which runs a system daemon)". This happened by + accident added by debhelper since we are linking docs. We do to + apache2-bin instead (Closes: #711127) + * Refresh "upstream-fixes" patch + * Fix "Disabling strtoul violates C89 and C99 and is unnecessary" by + removing the symbol override in httpd.h(Closes: #711534) + + -- Arno Töll <arno@debian.org> Fri, 07 Jun 2013 19:14:36 +0200 + +apache2 (2.4.4-5) unstable; urgency=low + + [ Arno Töll ] + * Fix compile issue on kfreebsd. + + -- Stefan Fritsch <sf@debian.org> Fri, 31 May 2013 10:19:18 +0200 + +apache2 (2.4.4-4) unstable; urgency=low + + [ Stefan Fritsch ] + * Upload to unstable. + * Fix FTBFS on hurd caused by mpm-itk linking fix. + * Fix some lintian warnings: + - fix pod error + - add overrides for hardening-no-fortify-functions + - don't use /lib/init/vars.sh in init script + * Add note to README.Debian about CVE-2013-0966 if the document root is + on HFS+ or on ZFS with filename normalization. + * Add a note to README.Debian about how to change the max file limit. + Make apache2ctl print a message pointing to README.Debian if setting + the limit fails. (Closes: #706822) + + [ Arno Töll ] + * Correct maintainer scripts by removing forgotten left-overs of our Squeeze + -> Wheezy renaming + + -- Stefan Fritsch <sf@debian.org> Thu, 30 May 2013 17:25:09 +0200 + +apache2 (2.4.4-3) experimental; urgency=low + + [ Arno Töll ] + * libapache2-mod-proxy-html is included in Apache 2.4 and not packaged + separately anymore. Thus, we are using the most recent version available + now (Closes: #695482). + * Fix "typo in mpm_event.load" by applying the patch provided by Bastian + Triller. Thanks (Closes: #704639) + * Replace some occurrences of "Squeeze" in our scripts. It's Wheezy time. + * Changes in dh_apache2: + + Add -e|--noenable option to dh_apache2 (Closes: #681544) + + Disable scripts in prerm, not postrm (Closes: #681546) + + However, still hook into postrm and purge state when required + + Call the postinst code always, not only during configure + (Closes: #681545) + + Fix "dh_apache2 postinst code needs to reload more" and reload the + web-server in postinst when upgrading (Closes: #702929) + * Let a2enmod purge state when calling -p for already disabled + configurations. + * Fix "don't assume apache2 is running 24 hours a day when rotating + logs": Only restart the webserver when it was previously running + (Closes: #707892) + * Properly return the conf/site configuration fragments enabled for Apache + when queried from a2query (Closes: #683212) + * Fix "/etc/init.d/apache2 start and restart need to wait until really + started" (Closes: #645460) + * Fix "apxs2 outputs "uninitialized value" warnings" by removing the double + declaration of variables in apxs. This problem was harmless, but noisy + (Closes: #707109) + * Make the DEBIAN_VERSION parsing in debian/rules more robust. Thanks to + Ondřej Surý for noticing and providing a patch. + * Fix "copyright file missing after upgrade (policy 12.5)" by linking to the + apache2 doc-dir when upgrading (Closes: #707795) + + [ Stefan Fritsch ] + * Backport various fixes from upstream svn branch '2.4.x'. + * Remove paragraph about MaxMemFree in README.Debian. The issue should be + fixed in 2.4. + * Enable mod_authn_core when upgrading from wheezy (Closes: #702866) + * Bump libaprutil1-dev build dependency to get support for bcrypt password + hashes. + * Fix mod_mpm_itk.so not being linked to libcap.so (Closes: #702475) + * Make apache2-dev not depend on apache2. + + -- Stefan Fritsch <sf@debian.org> Tue, 28 May 2013 22:47:26 +0200 + +apache2 (2.4.4-2) experimental; urgency=low + + * The "let's shorten up this discussion" release, and strip changelogs which + are not a direct ancestor of the 2.4 branch. + * Restart the server on upgrades. We need to make sure the new binary is + loading all symbols from the core again to make sure, upgrades don't break + the server. + + -- Arno Töll <arno@debian.org> Sat, 09 Mar 2013 02:02:08 +0100 + +apache2 (2.4.4-1) experimental; urgency=low + + * New upstream release + - Fixes mod_log_forensic logging spurious '-' characters. Closes: #693292 + - Responds with HTTP/1.0 when talking http to https port. Closes: #701117 + - Fix various XSS flaws in modules (CVE-2012-3499, CVE-2012-4558) + + [ Stefan Fritsch ] + * Add examples for X-Content-Type-Options and X-Frame-Options to + security.conf. + * Make dh_apache2 only accept shell function names as conditional, to avoid + problems with shell and sed special characters. + * Add Replaces for the old mpm packages to apache2-bin. Closes: #671683 + * Add transitional package for libapache2-mod-proxy-html. Closes: #666816 + - Override dh_gencontrol so that the package's version sorts later than + the existing version in Wheezy. + * Don't ship changelogs in the apache2.2-bin transitional package. + * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2 + + [ Arno Töll ] + * Rewrite most parts of the init script to make it more readable and improve + visual feedback when fancy output is in use. + * Drop the dbmanage tool from apache2-utils. It is mostly unmaintained and + outdated. Users of mod_authn_dbm should use htdbm instead. + * Fix "Default /etc/apache2/mods-available/disk_cache.conf is incompatible + with ext3" by changing the default to more moderate values. Note, some file + systems have a hard limit of supported subdirectories (Closes: #682840). + Ported from our 2.2 tree targeted for Wheezy. + * Properly check return code of a2query in the apache2_invoke library + function. This caused reverse dependencies to fail for newly installed + modules previously. + * Implement -q (quiet) option for a2query (Closes: #681541). + * Properly honor -p/-N options as understood by debhelper (Closes: 681542). + Thanks Russ Allbery for the hint. + * Be more careful regarding link attacks when for the the cache disk + directory. + * Compress the data.tar in binary packages using xz to save some space on + installation medias (Debian only). + * Fix "invoke-rc.d apache2 status fails" by merging patch of Jean-Michel + Vourgère. Thanks! (Closes: #691365) + * Fix "copyright file missing after upgrade (policy 12.5)" - add link + manually when necessary in postinst (Closes: #691440) + * Document APACHE_ARGUMENTS in envvars (ported from our 2.2 branch, reported as #693299) + * Don't croak about lacking permissions in apache2ctl when the script is + executed as a non-privileged user + + [ Bernhard R. Link ] + + * Rearrane patches: Move all the patches or parts of patches touching non-itk + specific files (i.e. those from the upstream tarball) directly in the + debian/patches/series series. While this seperates the itk patches into two + heaps, it makes both more visible what changes happen to the general code (and + thus are also done to the other servers generated) + + -- Arno Töll <arno@debian.org> Thu, 07 Mar 2013 01:24:51 +0100 + +apache2 (2.4.2-2) experimental; urgency=low + + [ Stefan Fritsch ] + * Explicitly enable mod_authz_core on upgrades. It can happen that it is + not pulled in by any of the enabled modules, but we need it in any case + for apache2.conf. Closes: #669876 + * Don't ship the changelogs in the apache2-mpm-itk transitional package. + + [ Arno Töll ] + * Add mode lines to various configuration files and scripts. Reformat + configuration files for consitency. + * Fix "Fix typographic errors in configuration file comments": Thanks to Oxan + van Leeuwen for providing a patch (Closes: #669269) + * Formulate several clarifications in PACKAGING, start versioning this document + and add normative read hints. Moreover, document the -m switch for a2enmod. + * Merge spelling and grammar fixes provided by Justin B Rye. Much appreciated! + * Change various state and run directories used by Apache from + /var/run/<basename> to /var/run/apache2/<basename>. This might change again + for Wheezy+1 to adopt /run. + * Use more exit status codes for a2query which allows to tell apart why a + module was disabled, also make its output more readable. + * Changes in apache2-maintscript-helper: + + Finally apache2_invoke may behave correctly and catch all cases + including upgrades from Squeeze. + + apache2_invoke: accepts a third argument to override the rc.d-action now + + support APACHE2_MAINTSCRIPT_DEBUG: When defined in the environment or in + /etc/apache2/envvars, debug output is displayed. + * Implement a -r switch for dh_apache2 which allows to force a reload of the + web server if required. + + -- Arno Töll <arno@debian.org> Mon, 28 May 2012 17:36:03 +0200 + +apache2 (2.4.2-1) experimental; urgency=low + + * New upstream release + + [ Arno Töll ] + * Drop update-alternative call in postrm. Our prerm script catches them + already anyway. + * Update my mail address. + * Fix "dh_apache2 does not set "x" bits on /usr/lib/apache2/modules/" + Set directory permissions to 755 by default (Closes: #666875). Thanks Axel + Beckert for the hint. + * Add /usr/share/doc/apache2/migrate-sites.pl, a script to assist users to + give sites a .conf suffix, add a hint to the NEWS file. + * Do stateful configuration handling by remembering who enabled when a + particular piece of configuration. That way in can be told under which + circumstances for example modules should be re-enabled. Thanks to Filip M. + Nowak who was providing a patch where my changes are built upon. + * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible + to override LDFLAGS at compile time by defining LDLAGS in the environment, + just like it is possible for CFLAGS. This also means, config_vars.mk now + exports hardening build flags by default. + * Provide the virtual packages httpd and httpd-cgi again. + + + [ Stefan Fritsch ] + * Change default config to deny access to / in the file system and only + allow access to /var/www, /usr/share, and /usr/lib/cgi-bin. Closes: #341022 + * Disable MultiViews in the default config. + * Update ssl default cipher config, add alternative speed optimized config. + Closes: #649020 + * Move the configuration of /usr/lib/cgi-bin into a separate config file. + Closes: #589638 + * Comment out per-vhost loglevel. + * Add section to security.conf that shows how to forbid access to VCS + directories. Closes: #548213 + * Change the compiled in default of DocumentRoot to /var/www by updating + fhs_compliance.patch + * Re-add mpm_itk (version 2.4.1-pre01). This is still very experimental! + + -- Stefan Fritsch <sf@debian.org> Sun, 15 Apr 2012 20:50:28 +0200 + +apache2 (2.4.1-3) experimental; urgency=low + + [ Arno Töll ] + * apache2-suexec-{custom,pristine}: Fix argument order when removing + alternatives, do not remove alternatives on upgrades. Thanks Andreas + Beckmann for spotting the issue (Closes: #665002) + * Install suexec(8) link to /usr/share/man/man8/... + * Enable mod_version statically, drop associated module load file. + * Update PACKAGING hints and cope several questions raised among the + discussions with packagers. Thus, invocation of apache2-maintscript-helper + in maintainer scripts are covered now. + * Changes in dh_apache2: + + Invoke the maintscript helper postrm action for simple package removals, + too. + + Fix a bug which accidentally called "en{mod,site,conf}" instead of + "di{mod,site,conf}" + + Set the default conditional back to "true", now the maintainer script is + expected to cope itself with upgrades correctly + * Changes in apache2_maintscript_helper + + Provide apache2_action_needed, apache2_msg + + Parse maintainer script arguments to find out which script called us + + Support APACHE2_MAINTSCRIPT_HELPER_QUIET which, when set, omits any + visible output + + Break APIs: apache2_invoke accepts a single configuration file argument + only now. However, other than dh_apache2 no users of this feature were + known. + * Build the apache2.2-bin transitional package again, without it updates from + Squeeze are broken from some use cases + * Remove 2.2's postrm script only if we're actually upgrading. + This previously didn't have bad side-effects, but caused a disturbing + warning. + + [ Stefan Fritsch ] + * Import lots of bug fixes from upstream svn: All code changes from branch + 2.4.x up to r1307835, plus r1294306 and r1307067 from trunk. + * CVE-2012-0216: Remove /usr/share/doc alias from default virtual hosts' + configs. + * Add 'Multi-Arch: foreign' to apache2-utils + * Make a2enconf and a2ensite warn if dependencies are not fullfilled. + + -- Stefan Fritsch <sf@debian.org> Sun, 01 Apr 2012 21:11:51 +0200 + +apache2 (2.4.1-2) experimental; urgency=low + + [ Arno Töll ] + * Shift convert_docs script to a arch-indep target only. Debhelper does not + build apache2-doc on binary only builds causing a FTBS on binary-only (-B) + builds + * Raise debhelper build-dependency to 8.9.7~ due to the use of arch-indep + targets + + [ Stefan Fritsch ] + * dh_apache2: Make autoscripts only run on upgrades by default. Bump + debhelper dependency of apache2-dev. Escape slashes in conditionals. + + -- Stefan Fritsch <sf@debian.org> Tue, 20 Mar 2012 21:32:43 +0100 + +apache2 (2.4.1-1) experimental; urgency=low + + * Package the coming up 2.4 branch of Apache by packaging the current + GA release 2.4.1. + + Fix "IndexIgnore only allowes to add in vhost context, not replace" + (Closes: #296886) + + Fix "mod_status stats are wrong." (Closes: #519322) + + Fix "PNG DirectoryIndex icons transparancy messed up" (Closes: #233047) + + Fix "apache2-common: there should be a possibility to access the + parsed configuration" (Closes: #350285) + + Fix "AddOutputFilterByType is deprecated but used in deflate.conf" + (Closes: #601033) + + Fixes "Renegotiation on POST request fails intermittently" + (Closes: #601606) + + Allows configuring source address for proxy requests. (Closes: #465283) + + Supports CONNECT request through https. (Closes: #307298) + + New Upstream (2.4). (Closes: #662115) + + * Refresh patches but leave all hunks unchanged where possible. Give all + * patches a ".patch" suffix, drop sequence numbers as they are not needed when + * using quilt. Notable changes are. + + [AT] 202_suexec-custom: Keep functionality as is, but rewrite smaller + parts of the patch to build two binaries: suexec-pristine and + suexec-custom (see below) + + [AT] 201_build_suexec-custom: Patch the makefile to build + "suexec-pristine" instead. Aside of that, refresh hunks. + + [AT] 010_fhs_compliance: Drop config.layout patches. These have been + applied upstream + + [JMV] Drop patches: + + 004_usr_bin_perl_0wnz_j00: printenv exemple doesn't refer to + /usr/local/bin/perl anymore + + 008_make_include_safe: Include doesn't support directory anymore. + Include dir/*.conf must be used. + + 009_apache2_has_dso: Upstream is no longer testing DSO is available. So + we don't need to remove that test anymore. + + [AT] customize_apxs.patch: Aggregate changes from various apxs2 patches, + drop obsolete hunks + + [ Arno Töll ] + + * Rewrite most parts of debian/rules / debhelper configuration. + + move cronjob and init script to debhelper configuration files + (apache2.cron.daily and apache2.init respectively) + + move man pages to debian/manpages + + Remove Ubuntu hacks in debian/rules, we expect them to carry Ubuntu + specifics in their own patch set, as it diverges already anyway. + + shake-up files installed in different packages + + Do not copy the source tree anymore, build package in place. + * Push standards version to 3.9.3 - no special changes required + * Refactor binary packages, now as things simplified. MPMs are simple + modules now, they can be bundled into the same binary package which do not + need to conflict with each other. Thus, Apache now primarily consists of the + following packages: + + apache2 - configuration files and init scripts, Debian specific helper + scripts + + apache2-bin - binaries and modules + + apache2-data - error pages and images + * Drop the ITK MPM entirely for now + * Consolidate development packages. As MPM packages are gone, we do not need + specific development packages either. Thus, drop all MPM specific apache2 + development packages and provide a single apache2-dev package instead. + (Closes: #428095) + * Drop debian/source/options again: We do not need to ignore .svn directories + anymore since the new package management system is based on git and includes + the full source + * Rework the suexec mechanism. Now there are two suexec packages providing + alternatives through the update-alternatives mechanism. The untouched + upstream "suexec" binary is provided by the apache2-suexec-pristine package, + whereas the configurable suexec can be found in the apache2-suexec-custom + package. Both are providing the "suexec" binary which are managed by the + update-alternatives(9) mechanism. + This change is transparent to users at runtime and does not need any + configuration changes. + * Remove obsolete README.source file. + * Update doc-base metadata for the apache2-doc package + * Changes in the default configuration (not specific modules): + + On the head of the apache2.conf configuration file, give a short summary + how configuration of the Apache web server works in Debian. + + Drop NameVirtualHost entirely. It is deprecated (Closes: #511594) + + Remove DefaultType. It is deprecated. + + Replace Allow/Deny directives in the default configuration by using the + new Require directive. Load mod_access_compat if you rely on the old + syntax + + Replace LockFile by Mutex which consolidates all lock file + synchronization files among modules + + Update configuration to use the new IncludeOptional syntax + + Enable these modules by default: authz_core authz_host alias cgi dir + + Move MPM specific configuration to their respective configuration files. + Users can just load and unload MPMs like other modules, enable the worker + MPM by default + + Move per-site global configuration from conf.d to conf-available and + manage it similar to modules and sites. To do so, the new tools + "a2enconf" and "a2disconf" are provided. Moreover, such configuration + files need to have a .conf suffix now. The following configuration + files are enabled by default: charset localized-error-pages + other-vhosts-access-log security. These were enabled by default + previously, too (Closes: #620347, Closes: #605227). + This holds for apache2-doc as well, which is still enabled by default but + can be disabled easily anytime by using a2disconf (Closes: #604980). + + Give site configuration a .conf suffix, too. For example the default vhost + is called default.conf. Moreover, files without .conf suffix are ignored + upon startup. Please update your site links and confs. Also rename the + default vhost to 000-default.conf and don't do hacky things in a2enmod + anymore. + * Changes in a2enmod: + + Parse "Conflicts: " header to denote conflicts between modules which + cannot be loaded into the same Apache server. + + Remove dangling "module.conf" files, too. They were forgotten previously + if they existed and only the "module.load" file was removed. + + Extend the tool to support conf-available/conf-enabled directories (see + also configuration changes). + + Expect a .conf suffix for sites-enabled/sites-available configurations. + + Remove the default vhost special handling. Instead, we expect the default + host to be named appropripriately (for example 000-default.conf; + Closes: #605535). + * The following modules and associated configuration files were removed: + + mod_authz_default and mod_authn_default: Please use a proper + authentication module instead + + mod_mem_cache: Use mod_cache_disk instead + * The following modules and associated configuration files are provided (but + not enabled by default): + access_compat, allowmethods, authz_dbd, cache_disk, data, log_debug, lua + proxy_express, proxy_fcgi, proxy_fdpass, proxy_html, ratelimit, reflector + remoteip, request, session, session_cookie, session_crypto, session_dbd + (Closes: #400881) + * Provide a dh_apache2 debhelper which can be used by reverse dependencies to + install modules, module configuration files, site configuration files and + global configuration files which need to be registered to the Apache web + server. + Thus, dh_apache2 can be used for Apache web server modules and web + applications providing configuration files for Apache. + * Write apache2-maintscript-helper which packagers can use to interface in a + reliable way with the Apache 2 web server in maintainer scripts + * Document programming hints how to interface with the Apache 2 web server for + * packagers of web applications and module maintainer in + /usr/share/doc/apache2/PACKAGING.gz. + * Fix the watch file, thanks to Jean-Michel Vourgère for pointing out the + problem. + * Update debian/copyright and switch it to the copyright-format 1.0 (formerly + known as DEP5) + + [ Stefan Fritsch ] + + * Use "dh --with autotools_dev" instead of patching config.sub/config.guess. + * Only include conf.d/*.conf, not conf.d/*. + * Don't create httpd.conf anymore. Also, do a proper transition of existing + httpd.conf files to /etc/apache2/conf-available (Closes: #639383) + * Add "AddCharset" for .brf files in default mod_mime config. + (Closes: #402567) + * Update the README.Debian file + + [ Jean-Michel Vourgère ] + + * Update bash completion functions to reflect the new site setup. (Closes: + #657492) + * Migrate patches to DEP-3 format. For particular changes see the summary + above. + + -- Stefan Fritsch <sf@debian.org> Mon, 19 Mar 2012 10:46:02 +0100 + +apache2 (2.2.22-3) unstable; urgency=low + + * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch': + No such file or directory". Do not use internal rules targets which clash + with build target names ... (Closes: #667069) + * Drop apache2-dev virtual package. This had virtually no users but breaks our + experimental package in some cases (e.g. #666793) + * Push Standards version - no further changes + * Update my maintainer address + + -- Arno Töll <arno@debian.org> Thu, 05 Apr 2012 13:21:42 +0200 + +apache2 (2.2.22-2) unstable; urgency=low + + [ Arno Töll ] + * Fix "Incorrect debhelper build dependency" by raising the build-dependency + of debhelper to 8.9.7 (Closes: #659148) + + -- Stefan Fritsch <sf@debian.org> Thu, 15 Mar 2012 00:02:31 +0100 + +apache2 (2.2.22-1) unstable; urgency=low + + [ Stefan Fritsch ] + * New upstream release, urgency medium due to security fixes: + - Fix CVE-2012-0021: mod_log_config: DoS with '%{cookiename}C' log format + - Fix CVE-2012-0031: Unprivileged child process could cause the parent to + crash at shutdown + - Fix CVE-2012-0053: Exposure of "httpOnly" cookies in code 400 error + message. + * Move httxt2dbm to apache2-utils + * Adjust debian/control to point to new git repository. + + [ Arno Töll ] + * Fix "typo in /etc/apache2/apache2.conf" (Closes: #653801) + + -- Stefan Fritsch <sf@debian.org> Wed, 01 Feb 2012 21:49:04 +0100 + +apache2 (2.2.21-5) unstable; urgency=low + + [ Arno Töll ] + * Fix build failures introduced as regregression by the previous build. Debian + buildds aren't rebuilding arch:all packages which caused problems for our + unconditional copying into binary package. I was warned. + + -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 17:36:41 +0100 + +apache2 (2.2.21-4) unstable; urgency=low + + [ Stefan Fritsch ] + + * Security: Fix broken patch for CVE-2011-3607 (Integer overflow in + ap_pregsub). + * Optimize debian/rules again to improve build time by doing most work in a + single parallelized "build-%" target. + + [ Arno Töll ] + + * Fix "Suggest removing DefaultType from apache2.conf" change the DefaultType + from text/plain to None. This lets the browser guess a proper MIME type + instead of being forced to treat a given file according to our default type + (Closes: #440058) + * Fix "add pre-rotate hook to logrotate script" execute scripts in + /etc/logrotate.d/httpd-prerotate if available (Closes: #590096). + * Fix "Hide /icons index" Disables indexes on the icon directory. By upgrading + to Debian's 3.0/quilt source format also images don't need to be generated + at build time anymore. Hence, the icon date can no longer lead to + information disclosure (Closes: #649888). + * Upgrade package to 3.0/quilt. + + Remove uuencoded images, keep them in their binary format in debian/icons + + Upgrade to quilt from dpatch and refresh all patches by keeping all hunks + unchanged. Remove the `001_branding' patch by supplying -DPLATFORM at + build time where needed Move the 200_cp_suexec.dpatch patch and + 202_suexec-custom.dpatch patch to debian/rules. 200_cp_suexec.dpatch was a + script, not a patch which is not supported by quilt. + * Rewrite debian/rules and base it on dh(1). + + use overrides where possible, replace some debhelper calls by our own + implementation where needed. That's required since the Apache package is + compiled in parts several times for each MPM once. + + move some install operations to the their respective .install files + + Support dpkg-buildflags now, which also enables by default hardening + flags. Thus, remove them from their explicit appearance in debian/rules + + Remove DEB_BUILD_OPTIONS legacy support. It comes for free when using + dh(1)/dpkg-buildflags(1). + * Push debhelper compatibility to 8 + * Remove unused Lintian overrides for the Debian source package remove and + redundant priorities in debian/control. + * Add myself to Uploaders + + -- Stefan Fritsch <sf@debian.org> Thu, 29 Dec 2011 12:09:14 +0100 + +apache2 (2.2.21-3) unstable; urgency=medium + + * Fix CVE-2011-4317: Prevent unintended pattern expansion in some + reverse proxy configurations. (Similar to CVE-2011-3368, but different + attack vector.) + * Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault + via malicious .htaccess. + * Mention dpkg-statoverride for changing permissions of suexec. LP: #897120 + * Fix broken link in docs. Closes: #650528 + * Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders. + Thanks for your work in the past. + + -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:54:03 +0100 + +apache2 (2.2.21-2) unstable; urgency=high + + * Fix CVE-2011-3368: Prevent unintended pattern expansion in some + reverse proxy configurations by strictly validating the request-URI. + * Correctly set permissions of suexec.load even if umask is 0002 during + build. LP: #872000 + + -- Stefan Fritsch <sf@debian.org> Tue, 11 Oct 2011 22:54:47 +0200 + +apache2 (2.2.21-1) unstable; urgency=low + + * New upstream release. + - Fixes CVE-2011-3348: Possible denial of service in mod_proxy_ajp + if combined with mod_proxy_balancer + + -- Stefan Fritsch <sf@debian.org> Mon, 26 Sep 2011 18:16:11 +0200 + +apache2 (2.2.20-1) unstable; urgency=low + + * New upstream release. + * Fix some regressions related to Range requests caused by the CVE-2011-3192 + fix. Closes: #639825 + * Add build-arch and build-indep rules targets to make Lintian happy. + * Bump Standards-Version (no changes). + + -- Stefan Fritsch <sf@debian.org> Sun, 04 Sep 2011 21:50:22 +0200 + +apache2 (2.2.19-2) unstable; urgency=high + + * Fix CVE-2011-3192: DoS by high memory usage for a large number of + overlapping ranges. + * Reduce default KeepAliveTimeout from 15 to 5 seconds. + * Use "linux-any" in build-deps. Closes: #634709 + * Improve reload message of a2enmod. Closes: #639291 + * Improve description of the prefork MPM. Closes: #634242 + * Mention .conf files in a2enmod man page. Closes: #634834 + + -- Stefan Fritsch <sf@debian.org> Mon, 29 Aug 2011 17:08:17 +0200 + +apache2 (2.2.19-1) unstable; urgency=low + + * New upstream release. + - Makes apr-md5 the default algorithm for htpasswd, removing the 8 + character limit of the crypt()-algorithm. Closes: #539246 + - Fixes merging of IndexOptions. Closes: #394688 + - Documents why order of ProxyPass and <Proxy> blocks matters in the + configuration. See "Workers" section in the mod_proxy documentation. + Closes: #560020 + * For multiple instance setups, correctly determine the config dir in the + init script if it is called via a start/stop link. Closes: #627061 + * Make a2enmod's restart hint more cut'n'paste friendly. LP: #770204 + * Make it clear in README.multiple-instances that the MPMs are shipped + in the apache2.2-bin package. + + -- Stefan Fritsch <sf@debian.org> Sun, 22 May 2011 10:21:21 +0200 + +apache2 (2.2.17-3) unstable; urgency=low + + * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049 + * Fix link errors with -no-add-needed/--no-copy-dt-needed-entries in + htpasswd/htdbm. + + -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2011 20:43:55 +0200 + +apache2 (2.2.17-2) unstable; urgency=high + + * New mpm_itk upstream version 2.2.17-01: + - Fix CVE-2011-1176: If NiceValue was set, the default with no + AssignUserID was to run as root:root instead of the default Apache user + and group, due to the configuration merger having an incorrect default + configuration. Closes: #618857 + * Make exit code of '/etc/init.d/apache2 status' more LSB compatible. + Closes: #613969 + * Set the default file descriptor limit to 8192 instead of whatever the + current limit is (usually 1024). Document how to change it in + /etc/apache2/envvars . Closes: #615632 + * Fix typo in init script. Closes: #615866 + * Add hint in README.Debian about 403 error with mod_dav PUT. Closes: #613438 + * Remove some obsolete Depends and Replaces. + + -- Stefan Fritsch <sf@debian.org> Mon, 21 Mar 2011 23:01:17 +0100 + +apache2 (2.2.17-1) unstable; urgency=low + + * New upstream version + * Disable md5 in mod_ssl default cipher suite. Closes: #609126 + * Fix order of comments in "worker" section in apache2.conf. Closes: #608488 + + -- Stefan Fritsch <sf@debian.org> Tue, 15 Feb 2011 23:30:18 +0100 + +apache2 (2.2.16-6) unstable; urgency=low + + * Also add $named to the secondary-init-script example. + + -- Stefan Fritsch <sf@debian.org> Sat, 01 Jan 2011 22:55:15 +0100 + +apache2 (2.2.16-5) unstable; urgency=medium + + * Add $named to the init script dependency header, since apache depends on + DNS in some configurations. Closes: #608437 + * Update outdated description of /etc/apache2/magic in README.Debian. + Closes: #603586 + + -- Stefan Fritsch <sf@debian.org> Fri, 31 Dec 2010 01:22:19 +0100 + +apache2 (2.2.16-4) unstable; urgency=medium + + * Increase the mod_reqtimeout default timeouts to avoid potential problems + with CRL-requesting browsers. Also extend the comments in reqtimeout.conf. + * Remove bogus comment in conf.d/security about default in the "release + after Lenny". + * Clarify comments in suexec-custom's default config file. LP: #673289 + + -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 19:05:55 +0100 + +apache2 (2.2.16-3) unstable; urgency=high + + * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage. + * Fix "Could not reliably determine the server's ..." error message in + README.Debian, to make it easier to search for it. Closes: #590528 + + -- Stefan Fritsch <sf@debian.org> Sat, 09 Oct 2010 20:59:34 +0200 + +apache2 (2.2.16-2) unstable; urgency=low + + * Force -j1 for 'make install' to fix occasional FTBFS. Closes: #593036 + * Add a note about the new behaviour of SSL/TLS renegotiation and the new + directive SSLInsecureRenegotiation to NEWS.Debian. Closes: #593334 + * Support 'graceful' as alias for 'reload' in the init script. + * In README.Debian, suggest an Apache configuration change to get rid of the + "Could not reliably determine the server's fully qualified domain name" + warning, as alternative to changing DNS or /etc/hosts. Closes: #590528 + * Add notes to README.Debian on how to reduce memory usage. + * Bump Standards-Version (no changes). + + -- Stefan Fritsch <sf@debian.org> Sun, 29 Aug 2010 15:29:21 +0200 + +apache2 (2.2.16-1) unstable; urgency=medium + + * Urgency medium for security fix. + * New upstream release: + - CVE-2010-1452: mod_dav, mod_cache: Fix denial of service vulnerability + due to incorrect handling of requests without a path segment. + - mod_dir: add FallbackResource directive, to enable admin to specify + an action to happen when a URL maps to no file, without resorting + to ErrorDocument or mod_rewrite + * Fix mod_ssl header line corruption because of using memcpy for overlapping + buffers. PR 45444. LP: #609290, #589611, #595116 + + -- Stefan Fritsch <sf@debian.org> Sat, 24 Jul 2010 22:18:43 +0200 + +apache2 (2.2.15-6) unstable; urgency=low + + * Fix init script not correctly killing htcacheclean. Closes: #580971 + * Add a separate entry in README.Debian about the need to use apache2ctl + for starting instead of calling apache2 directly. Closes: #580445 + * Fix debug info to allow gdb loading it automatically. Closes: #581514 + * Fix install target in Makefile created by apxs2 -n. Closes: #588787 + * Fix ab sending more requests than specified by the -n parameter. + Closes: #541158 + * Add apache2 monit configuration to apache2.2-commons examples dir. + Closes: #583127 + * Build as PIE, since gdb in squeeze now supports it. + * Update the postrm script to also purge the version of /var/www/index.html + introduced in 2.2.11-7. + * Bump Standards-Version (no changes). + + -- Stefan Fritsch <sf@debian.org> Fri, 16 Jul 2010 23:41:08 +0200 + +apache2 (2.2.15-5) unstable; urgency=low + + * Conflict with apache package as we now include apachectl. Closes: #579065 + * Remove conflicts with old apache 2.0 modules. The conflicts are not + necessary anymore as skipping a stable release is not supported anyway. + * Silence the grep in preinst. + + -- Stefan Fritsch <sf@debian.org> Sun, 25 Apr 2010 10:46:09 +0200 + +apache2 (2.2.15-4) unstable; urgency=low + + * Move definition of other_vhosts_access.log to new config file + /etc/apache2/conf.d/other-vhosts-access-log, but disable it + if it has been disabled by the admin. Closes: #576572. LP: #507616 + * Comment out the contents of mods-available/proxy.conf, as it just + is a nuisance for use of apache2 as a reverse proxy, which is much + more common than the use as forward proxy. Extend the comments + in the file. + * Change defaults or add example configs for some modules: + status.conf: + - enable ExtendedStatus by default + - enable ProxyStatus by default + - document SeeRequestTail directive + proxy_ftp.conf: + - set 'ProxyFtpDirCharset UTF-8' by default + ldap.conf: + - enable /ldap-status page, allow it from localhost by default + proxy_balancer.conf: + - add (disabled) example for /balancer-manager page + ssl.conf: + - document SSLStrictSNIVHostCheck directive + * Add symlink from apachectl to apache2ctl to be more compatible with + upstream. Apache httpd 1.3 hasn't been in Debian for some time. + * Simplify logrotate script. Closes: #576105 + * Remove empty directory /usr/lib/debug/usr/sbin in mpm packages. + Closes: #576089 + * Fix apxs2 to work with perl 5.12rc3. Closes: #577239 + * Add source/format file to make lintian happy. + + -- Stefan Fritsch <sf@debian.org> Tue, 20 Apr 2010 23:11:09 +0200 + +apache2 (2.2.15-3) unstable; urgency=low + + * mod_reqtimeout: backport bugfixes from upstream trunk up to r928881, + including a fix for mod_proxy CONNECT requests. + * mod_dav_fs: Use correct permissions when creating new files. LP: #540747 + + -- Stefan Fritsch <sf@debian.org> Mon, 29 Mar 2010 22:16:24 +0200 + +apache2 (2.2.15-2) unstable; urgency=low + + * Make the Files ~ "^\.ht" block in apache2.conf more secure by adding + Satisfy all. Closes: #572075 + * mod_reqtimeout: Various bug fixes, including: + - Don't mess up timeouts of mod_proxy's backend connections. + Closes: #573163 + + -- Stefan Fritsch <sf@debian.org> Wed, 10 Mar 2010 21:06:06 +0100 + +apache2 (2.2.15-1) unstable; urgency=low + + * New upstream version: + - CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability + - CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol + prefix injection attack. + - CVE-2010-0434: mod_headers: Fix potential information leak with threaded + MPMs. + - mod_reqtimeout: New module limiting the time waiting for receiving + a request from the client. This is a (partial) mitigation against + slowloris-type resource exhaustion attacks. The module is enabled by + default. Closes: #533661 + - mod_ssl: Add SSLInsecureRenegotiation directive to allows insecure + renegotiation with clients which do not yet support the secure + renegotiation protocol. As this requires openssl 0.9.8m, bump + build dependency accordingly. + * Fix bash completion for a2ensite if the site name contains 'conf' or + 'load'. Closes: #572232 + * Do a configcheck in the init script before doing a non-graceful restart. + Closes: #571461 + + -- Stefan Fritsch <sf@debian.org> Sun, 07 Mar 2010 23:22:56 +0100 + +apache2 (2.2.14-7) unstable; urgency=low + + * Fix potential memory leaks related to the usage of apr_brigade_destroy(). + * Add hints about correct mod_dav_fs configuration to README.Debian. + Closes: #257945 + * Fix error in Polish translation of 404 error page. Closes: #570228 + * Document ThreadLimit in apache2.conf's comments. + + -- Stefan Fritsch <sf@debian.org> Sat, 20 Feb 2010 12:38:30 +0100 + +apache2 (2.2.14-6) unstable; urgency=low + + * Use environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR, and + APACHE_LOG_DIR in the default configuration. If you have modified + /etc/apache2/envvars, make sure that these variables are set and exported. + * Add support for multiple apache2 instances to initscript and apache2ctl. + See /usr/share/doc/apache2.2-common/README.multiple-instances for details. + Closes: #353450 + * Set default compiled-in ServerRoot to /etc/apache2 and make paths in + apache2.conf relative to ServerRoot. + * Move ab and logresolve from /usr/sbin to /usr/bin. Closes: #351450, #564061 + * Fix symlinks in apache2-dbg package. Closes: #567076 + * Fix mod_cache CacheIgnoreURLSessionIdentifiers handling. Closes: #556383 + * Add new init script action graceful-stop (LP: #456381) + * Add more languages to mime.conf. To limit this to useful entries, we only + add those for which a translation of the Debian intaller exists. LP: #217964 + * Unset $HOME in /etc/apache2/envvars. + * Change default config of mod_info and mod_status to use IP addresses + instead of hostnames. Otherwise the hostname is sometimes logged even with + 'HostnameLookup Off'. Closes: #568409 + * Add a hook to apache2.2-common's postrm script that may come in handy + when upgrading to 2.4. + * Make bug script also display php extensions. + * Bump Standards-Version (no changes). + * Remove Adam Conrad from Uploaders. Thanks for your work in the past. + + -- Stefan Fritsch <sf@debian.org> Sun, 07 Feb 2010 17:29:45 +0100 + +apache2 (2.2.14-5) unstable; urgency=low + + * Security: Further mitigation for the TLS renegotation attack + (CVE-2009-3555): Disable keep-alive if parts of the next request have + already been received when doing a renegotiation. This defends against + some request splicing attacks. + * Print a useful error message if 'apache2ctl status' fails. Add a comment + to /etc/apache2/envvars on how to change the options for www-browser. + Closes: #561496, #272069 + * Improve function to detect apache2 pid in init-script (closes: #562583). + * Add hint README.Debian on how to pass auth info to CGI scripts. + Closes: #483219 + * Re-introduce objcopy magic to avoid dangling symlinks to the debug info + in the mpm packages. Closes: #563278 + * Make apxs2 use a2enmod and /etc/apache2/mods-available. Closes: #470178, + LP: #500703 + * Point to README.backtrace in apache2-dbg's description. + * Use more debhelper functions to simplify debian/rules. + * Add misc-depends to various packages to make lintian happy. + * Change build-dep from libcap2-dev to libcap-dev because of package rename. + + -- Stefan Fritsch <sf@debian.org> Sat, 02 Jan 2010 22:44:15 +0100 + +apache2 (2.2.14-4) unstable; urgency=low + + * Disable localized error pages again by default because they break + configurations with "<Location /> SetHandler ...". A workaround is + described in the comments in /etc/apache2/conf.d/localized-error-pages + (closes: #543333). + * mod_rewrite: Fix URLs in redirects with literal IPv6 hosts + (closes: #557015). + * Automatically listen on port 443 if mod_gnutls is loaded (closes: #558234). + * Add man page for split-logfile. + * Link with -lcrypt where necessary to fix a FTBFS with binutils-gold + (closes: #553946). + + -- Stefan Fritsch <sf@debian.org> Sun, 13 Dec 2009 20:05:37 +0100 + +apache2 (2.2.14-3) unstable; urgency=low + + * Backport various mod_dav/mod_dav_fs fixes from upstream trunk svn. This + includes: + - Make PUT replace files atomically (closes: #525137). + - Make MOVE not delete the destination if the source file disappeared in + the meantime (closes: #273476). + NOTE: The format of the DavLockDB has changed. The default DavLockDB will + be deleted on upgrade. Non-default DavLockDBs should be deleted manually. + * Fix output of "/etc/init.d/apache2 status" (closes: #555687). + * Update the comment about SNI in ports.conf (closes: #556932). + * Set redirect-carefully for Konqueror/4. + + -- Stefan Fritsch <sf@debian.org> Sat, 21 Nov 2009 10:20:54 +0100 + +apache2 (2.2.14-2) unstable; urgency=medium + + * Security: + Reject any client-initiated SSL/TLS renegotiations. This is a partial fix + for the TLS renegotiation prefix injection attack (CVE-2009-3555). + Any configuration which requires renegotiation for per-directory/location + access control is still vulnerable. + * Allow RemoveType to override the types from /etc/mime.types. This allows + to use .es and .tr for Spanish and Turkish files in mod_negotiation. + Closes: #496080 + * Fix 'CacheEnable disk http://'. Closes: #442266 + * Fix missing dependency by changing killall to pkill in the init script. + LP: #460692 + * Add X-Interactive header to init script as it may ask for the ssl key + passphrase. Closes: #554824 + * Move httxt2dbm man page into apache2.2-bin, which includes httxt2dbm, too. + * Enable keepalive for MSIE 7 and newer in default-ssl site and README.Debian + + -- Stefan Fritsch <sf@debian.org> Sat, 07 Nov 2009 14:37:37 +0100 + +apache2 (2.2.14-1) unstable; urgency=low + + * New upstream version: + - new module mod_proxy_scgi + * Disable hardening option -pie again, as gdb in Debian does not support + it properly and it is broken on mips*. + + -- Stefan Fritsch <sf@debian.org> Tue, 29 Sep 2009 20:55:05 +0200 + +apache2 (2.2.13-2) unstable; urgency=high + + * mod_proxy_ftp security fixes (closes: #545951): + - DoS by malicious ftp server (CVE-2009-3094) + - missing input sanitization: a user could execute arbitrary ftp commands + on the backend ftp server (CVE-2009-3095) + * Add entries to NEWS.Debian and README.Debian about Apache being stricter + about certain misconfigurations involving name based SSL virtual hosts. + Also make Apache print the location of the misconfigured VirtualHost when + it complains about a missing SSLCertificateFile statement. Closes: #541607 + * Add Build-Conflicts: autoconf2.13 (closes: #541536). + * Adjust priority of apache2-mpm-itk to extra. + * Switch apache2.2-common and the four mpm packages from architecture all to + any. This is stupid but makes apache2 binNMUable again (closes: #544509). + * Bump Standards-Version (no changes). + + -- Stefan Fritsch <sf@debian.org> Wed, 16 Sep 2009 20:55:02 +0200 + +apache2 (2.2.13-1) unstable; urgency=low + + * New upstream release: + - Fixes segfault with mod_deflate and mod_php (closes: #542623). + + -- Stefan Fritsch <sf@debian.org> Mon, 31 Aug 2009 20:28:56 +0200 + +apache2 (2.2.12-1) unstable; urgency=low + + * New upstream release: + - Adds support for TLS Server Name Indication (closes: #461917 LP: #184131). + (The Debian default configuration will be changed to use SNI in a later + version.) + - Fixes timefmt config in SSI (closes: #363964). + - mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives + to enable stricter checking of remote server certificates. + * Make mod_deflate not compress the content for HEAD requests. This is a + similar issue as CVE-2009-1891. + * Enable hardening compile options. + * Switch default LogFormat from %b (size of file sent) to %O (bytes actually + sent) (closes: #272476 LP: #255124) + * Add the default LANG=C to /etc/apache2/envvars and document it in + README.Debian (closes: #511878). + * Enable localized error pages by default if the necessary modules are + loaded. Move the config for it from apache2.conf to + /etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the + required order of the aliases in the comment (closes: #196795). + * Change default for ServerTokens to 'OS', to not announce the exact module + versions to the world (LP: #205996) + * Make a2ensite and friends ignore the same filenames as apache does for + included config files, even if LANG is not C. + * Merge source packages apache2 and apache2-mpm-itk (current itk version is + 2.2.11-02). This removes the binNMU mess necessary for every apache2 upload + (closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src + package, which is no longer necessary. + * Ship our own version of the magic config file (taken from file 4.17-5etch3) + which is still compatible with mod_mime_magic (closes: #483111). + * Add ThreadLimit to the default config and put ThreadsPerChild and + MaxClients into the correct order so that Apache does not complain + (closes: #495656). + Also add a configuration block for the event MPM in apache2.conf. + * Fix HTTP PUT with mod_dav failing to detect an aborted connection + (closes: #451563). + * Change references to httpd.conf in apache2-doc to apache2.conf + (closes: #465393). + * Clarify the recommended permissions for SSL certificates in README.Debian + (closes: #512778). + * Document in README.Debian how to name files in conf.d to avoid conflicts + with packages (closes: #493252) + * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts. + * Remove other_vhosts_access.log on package purge. + + -- Stefan Fritsch <sf@debian.org> Tue, 04 Aug 2009 11:02:34 +0200 + +apache2 (2.2.11-7) unstable; urgency=low + + * Security fixes: + - CVE-2009-1890: denial of service in mod_proxy + - CVE-2009-1891: denial of service in mod_deflate (closes: #534712) + * Add symlinks for the debug info to the mpm packages. + * Be slightly more informative in the default index.html without pointing + to Apache or Debian (LP: #89364) + * Remove dependency on net-tools, which is no longer necessary + (closes: #535849) + * Bump Standards-Version (no changes) + + -- Stefan Fritsch <sf@debian.org> Fri, 10 Jul 2009 22:42:57 +0200 + +apache2 (2.2.11-6) unstable; urgency=high + + * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server + Side Includes (closes: #530834). + * Fix postinst scripts (closes: #532278). + + -- Stefan Fritsch <sf@debian.org> Mon, 08 Jun 2009 19:22:58 +0200 + +apache2 (2.2.11-5) unstable; urgency=low + + * Move all binaries into a new package apache2.2-bin and make + apache2.2-common depend on it. This allows to + - run apache as user process only, e.g. with gnome-user-share. + Closes: #468690 + - run multiple instances of apache with different MPMs. This configuration + is not supported in any way, though. Closes: #517572 + * Switch to debhelper compatibility level 7 and remove some code duplication + in debian/rules. + * Override some Lintian warnings about old autotools helper files and being + not binNMUable (apache2 is not binNMUable anyway, because of the + apache2 <-> apache2-mpm-itk dependency). + + -- Stefan Fritsch <sf@debian.org> Fri, 22 May 2009 19:30:20 +0200 + +apache2 (2.2.11-4) unstable; urgency=low + + [ Stefan Fritsch ] + * Disable TRACE method by default (closes: #492130). + * Compress some more mime types with mod_deflate by default. This may cause + problems with MSIE 6, but that browser should now be considered obsolete. + Closes: #397526, #521209 + * Various backports from upstream svn branches/2.2.x: + - CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous + request which failed to send a request body + - Fix FollowSymlinks / SymlinksIfOwnerMatch ignored with + server-side-includes PR 45959 (closes: #524474) + - Fix mod_rewrite "B" flag breakage PR 45529 (closes: #524268) + - Fix mod_deflate etag handling PR 45023 (LP: #358314) + - Fix mod_ldap segfault if LDAP initialization failed PR 45994 + * Allow apache2-mpm-itk as alternate dependency in apache2 meta package + (closes: #527225). + * Fix some misuse of command substitution in the init script. Thanks to + Jari Aalto for the patch. (Closes: #523398) + * Extend the gnome-vfs DAV workaround to gvfs (closes: #522845). + * Add more info to check_forensic man page (closes: #528424). + * Make "apache2ctl help" point to help on apache2 args (closes: #528425). + * Lintian warnings: + - fix spelling error in apache2-utils description + - tweak debian/copyright to make lintian not complain about pointers to GPL + - bump standards-version (no changes) + + [ Peter Samuelson ] + * Adjust sections to match recent ftpmaster overrides. + + -- Stefan Fritsch <sf@debian.org> Tue, 19 May 2009 22:55:27 +0200 + +apache2 (2.2.11-3) unstable; urgency=low + + * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap + (see #521899). This also creates the dependencies on the new external + libaprutil1-dbd-* and libaprutil1-ldap packages. + + -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2009 21:07:26 +0200 + +apache2 (2.2.11-2) unstable; urgency=low + + * Report an error instead instead of segfaulting when apr_pollset_create + fails (PR 46467). On Linux kernels since 2.6.27.8, the value in + /proc/sys/fs/epoll/max_user_instances needs to be larger than twice the + value of MaxClients in the Apache configuration. Closes: #511103 + + -- Stefan Fritsch <sf@debian.org> Fri, 16 Jan 2009 19:01:59 +0100 + +apache2 (2.2.11-1) unstable; urgency=low + + [Thom May] + * New Upstream Version (Closes: #508186, LP: #307397) + - Contains rewritten shmcb code which should fix alignment problems on + alpha (Closes: #419720). + - Notable new features: chroot support, mod_proxy improvements. + + [Ryan Niebur] + * fix segfault in ab when being verbose on ssl sites (Closes: #495982) + * remove trailing slash for DocumentRoot (Closes: #495110) + + -- Stefan Fritsch <sf@debian.org> Sun, 14 Dec 2008 09:34:24 +0100 + +apache2 (2.2.9-11) unstable; urgency=low + + * Regression fix from upstream svn for mod_proxy: + Prevent segmentation faults by correctly adjusting the lifetime of the + buckets read from the proxy backend. PR 45792 + * Fix from upstream svn for mpm_worker: + Crosscheck that idle workers are still available before using them and + thus preventing an overflow of the worker queue which causes a SegFault. + PR 45605 + * Add a comment to ports.conf to point to NEWS.Debian.gz in case of + upgrading problems. + + -- Stefan Fritsch <sf@debian.org> Wed, 26 Nov 2008 23:10:22 +0100 + +apache2 (2.2.9-10) unstable; urgency=low + + * Regression fix from upstream svn for mod_proxy_http: + Don't trigger a retry by the client if a failure to read the response line + was the result of a timeout. + + -- Stefan Fritsch <sf@debian.org> Wed, 01 Oct 2008 11:50:18 +0200 + +apache2 (2.2.9-9) unstable; urgency=medium + + * Revert the attempted fix for #496080 because it did not work due to + upstream PR 38330. Instead, document the problem and possible workarounds + in README.Debian. + + -- Stefan Fritsch <sf@debian.org> Fri, 12 Sep 2008 11:39:15 +0200 + +apache2 (2.2.9-8) unstable; urgency=low + + * Fix Spanish language support which was broken by .es being added to + /etc/mime.types for application/ecmascript. (Closes: #496080) + * Correct description of ServerTokens in /etc/apache2/conf.d/security. + (Closes: #497362) + * Clarify how to use apache2ctl to pass arbitrary arguments to + apache2. (LP: #259363) + * Add hints to README.Debian about the messages + "NameVirtualHost *:80 has no VirtualHosts" and + "File does not exist: /htdocs". + + -- Stefan Fritsch <sf@debian.org> Thu, 11 Sep 2008 09:17:33 +0200 + +apache2 (2.2.9-7) unstable; urgency=low + + * Fix XSS in mod_proxy_ftp (CVE-2008-2939). + * Fix mod_proxy_http losing the query string with noescape (PR 45247). + * Make the balancer manager work in Opera and MSIE (PR 45578). + * Fix mod_headers "edit" removing multiple headers with the same name (PR + 45333). + * Also describe how to get a backtrace from a running process in + README.backtrace. + + -- Stefan Fritsch <sf@debian.org> Fri, 08 Aug 2008 19:27:40 +0200 + +apache2 (2.2.9-6) unstable; urgency=high + + * Urgency high for RC bug fix. + * Fix SIGBUS on SPARC by preventing gcc from optimizing some memcpy calls + away. (Closes: #485525) + + -- Stefan Fritsch <sf@debian.org> Sun, 20 Jul 2008 10:17:19 +0200 + +apache2 (2.2.9-5) unstable; urgency=medium + + * Urgency medium to get this into testing before the freeze. + * Remove IPv6 patch that was necessary for very old kernels but creates + problems on systems with current kernels and net.ipv6.bindv6only = 1. + Apache will now always create its sockets with IPV6_V6ONLY set to 0. + (Closes: #391280) + + -- Stefan Fritsch <sf@debian.org> Mon, 07 Jul 2008 21:20:48 +0200 + +apache2 (2.2.9-4) unstable; urgency=low + + * Make postinst more quiet. (Closes: #489153) + * Add Turkish language support. (Closes: #489224) + * Remove duplicate comments in sites-available/default-ssl. (Closes: #489383) + * Describe in NEWS.Debian how to revert to the old NameVirtualHost config. + (Closes: #489215) + * Redirect apache2 bug reports to apache2.2-common, to get useful dependency + information. + + -- Stefan Fritsch <sf@debian.org> Sun, 06 Jul 2008 10:38:37 +0200 + +apache2 (2.2.9-3) unstable; urgency=low + + [ Stefan Fritsch ] + * Move NameVirtualHost directive to ports.conf and switch from "*" to + "*:80". (Closes: #314606, #486286) + * Comment out the CacheEnable line in disk_cache.conf. It would have caused + problems with Etch to Lenny upgrades. + * Change the minimum user id for suexec back to 100, the new value of 1000 + was too disruptive for existing configurations. (Closes: #488821) + * Add a default SSL virtual host. (Closes: #267477) + - Use snakeoil certificate by default (if ssl-cert is installed). + (Closes: #293524, #446765) + - Document this in README.Debian. + (Closes: #293469, #293519, #398520, #395823) + - Add MSIE workarounds. (Closes: #421802) + - Add ssl-cert to Recommends. + * Add a new config file /etc/apache2/conf.d/security with some vaguely + security related diectives. (Closes: #260063) + * Adjust mod_userdir accordingly. Also add "AllowOverride Indexes" for the + home directories. + * Disable SSLv2 by default. It is insecure. Also only enable ciphers with + key lengths of at least 128 bit. + * Make the init script complain about a missing $APACHE_PID_FILE during + "start", too, and not only during "stop" or "restart". This makes it more + obvious that /etc/apache2/envvars has to be updated. (Closes: #473982) + * Add hint about the "..., using 127.0.0.1 for ServerName" warning to + README.Debian. (Closes: #457708) + * Add hint about the "could not create rewrite_log_lock" error message to + README.Debian. (Closes: #450831) + * Remove empty dir from apache2-doc to fix Lintian warning. + * Always pass -g to gcc instead of relying on dpkg-buildpackage to set + CFLAGS. We always want the debug info for the apache2-dbg package. + + [ Ryan Niebur ] + * Upgraded to policy 3.8.0 + - added support for noopt in DEB_BUILD_OPTIONS + - added a README.source + - added support for parallel in DEB_BUILD_OPTIONS + * Dropped XS- from the Vcs fields in control + + -- Stefan Fritsch <sf@debian.org> Wed, 02 Jul 2008 10:15:57 +0200 + +apache2 (2.2.9-2) unstable; urgency=low + + * Make the init script use normal 'stop' instead of 'graceful-stop' again: + With graceful-stop, it can take a long time until all child processes have + closed their listening sockets and there is no way for the init script to + know when it is save to start apache again. This could make the restart of + apache fail. (Closes: #486629, #463338) + * Improve package descriptions, thanks to Justin B Rye. (Closes: #486855) + + -- Stefan Fritsch <sf@debian.org> Sat, 21 Jun 2008 12:22:17 +0200 + +apache2 (2.2.9-1) unstable; urgency=low + + * New upstream release. Notable changes: + - mod_proxy_http: Better handling of excessive interim responses from + origin server to prevent potential denial of service and high memory + usage (CVE-2008-2364). + - mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager + (CVE-2007-6420). + - Worker / Event MPM: Fix race condition in pool recycling that leads to + segmentation faults under load. (Closes: #484800) + - mod_proxy: Keep connections to the backend persistent in the HTTPS case. + - mod_proxy: Support environment variable interpolation in reverse + proxying directives. + - mod_headers: Add 'merge' option to avoid duplicate values within the + same header. + - mod_substitute: The default is now flattening the buckets after each + substitution. The newly added 'q' flag allows for the quicker, more + efficient bucket-splitting. + * Shorten the init script's waiting period during 'restart' from 10 to 4 + seconds. This should still be plenty to allow the apache processes to + close their listening sockets. Make the wait even shorter if apache dies + faster. (Closes: #479136) + * Fix some lintian warnings: + - Add some missing patch descriptions. + - Point to /usr/share/common-licenses instead of including the license in + the copyright file. + + -- Stefan Fritsch <sf@debian.org> Sat, 14 Jun 2008 08:29:41 +0200 + +apache2 (2.2.8-5) unstable; urgency=low + + * Replace a2{en,dis}{mod,site} by a rewritten version that + - supports wildcards (Closes: #373969). + - can be influenced with environment variables (Closes: #349716). + - checks existing symlinks for correctness (Closes: #409970). + - allows to remove dead symlinks (Closes: #480893). + * Move suexec suid helper program to a separate package apache2-suexec, + which is not installed by default. Provide an alternative version of + suexec, which can be customized with a config file. This can be found in + the apache2-suexec-custom package. Closes: #312252, #266835 + * Some more suexec fixes: + - Fix race condition when changing directories. + - Accept only /var/www/*, and not /var/www*. The same for public_html/* + instead of public_html* (CVE-2007-1742). + - Raise the minimum userid that suexec may change to from 100 to 1000. + * Enable mod_deflate in new installs. + * Include config.nice in apache2-src. This hopefully allows apache2-mpm-itk + to drop the build-dependency on apache2-prefork-dev. + * Mention environment variables in apache2 and apache2ctl man pages and point + to README.Debian. (Closes: #475150) + * Drop unneeded build-dep on libtool. + * Drop obsolete apache2-mpm-perchild package (closes: #477522). + * Don't fail in postinst if there is a dangling symlink /var/www/index.html. + * Fix typo in bug number in 2.2.8-3 changelog entry. + * Use dh_lintian in debian/rules. + + -- Stefan Fritsch <sf@debian.org> Sat, 31 May 2008 17:02:03 +0200 + +apache2 (2.2.8-4) unstable; urgency=high + + * Urgency high for DoS vulnerability fix. + * Fix memory leak in mod_ssl with zlib compression. + + -- Stefan Fritsch <sf@debian.org> Tue, 13 May 2008 22:31:37 +0200 + +apache2 (2.2.8-3) unstable; urgency=low + + * mod_cache: Handle If-Range correctly if the cached resource was stale + (closes: #470652). + * mod_autodindex: Use UTF-8 as character set for filenames in the default + configuration. Change this in autoindex.conf if you are still using + ISO-8859-1. + * Introduce APACHE_RUN_DIR and APACHE_LOCK_DIR in apache2ctl. Also, make it + use APACHE_RUN_USER instead of APACHE2_RUN_USER, to be consistent with + apache2.conf. + * Add 'status' function to init script (adapted from patch by Dustin + Kirkland). + * Don't build the modules three times. We are only shipping one set of them, + anyway. (Inspired by the Fedora package.) + * Remove Fabio M. Di Nitto from the uploaders field (thanks for your work). + + -- Stefan Fritsch <sf@debian.org> Fri, 14 Mar 2008 10:57:19 +0100 + +apache2 (2.2.8-2) unstable; urgency=low + + * Provide a fallback access log (other_vhosts_access.log) and a suitable + LogFormat (vhost_combined) for VirtualHosts that don't define their own + log file. (Closes: #313430) + * Fix broken symlink to README.Debian.gz and typos in the file + (closes: #461462). + * Improve generation of password salts in htpasswd (closes: #469271). + * Point VCS tags in debian control to trunk, to make them useful with + debcheckout. + * Add missing ${APACHE_ARGUMENTS} to *) case in apache2ctl. + * In upgrades from etch, replace /etc/apache2/default without asking also in + the NO_START=1 case, in order to not break piuparts (closes: #466367). + * Print file name where "Useless use of AllowOverride" occurred. + (Closes: #410334) + * Make bugreport script source /etc/apache2/envvars before calling apache2. + * Add note about MSIE SSL workaround to README.Debian. + * Don't ship empty /var/www/apache2-default in apache2-doc. + (Closes: #469145) + * mod_autoindex: Use the bomb icon only for the name 'core', not for + '*core'. (Closes: #467480) + * Include module name in a2enmod error messages (closes: #461341). + + -- Stefan Fritsch <sf@debian.org> Sat, 08 Mar 2008 12:28:14 +0100 + +apache2 (2.2.8-1) unstable; urgency=low + + * New upstream version: + - Fixes cross-site scripting issues in + o mod_imagemap (CVE-2007-5000) + o mod_status (CVE-2007-6388) + o mod_proxy_balancer's balancer manager (CVE-2007-6421) + - Fixes a denial of service issue in mod_proxy_balancer's balancer manager + (CVE-2007-6422). + - Fixes mod_proxy URL encoding in error messages (closes: #337325). + - Adds explicit charset to the output of various modules to work around + possible cross-site scripting flaws affecting web browsers that do not + derive the response character set as required by RFC2616. For + mod_proxy_ftp there is now the new ProxyFtpDirCharset directive to + specify something else than ISO-8859-1 (CVE-2008-0005). + - Adds mod_substitute which performs inline response content pattern + matching (including regex) and substitution (like mod_line_edit). + - Adds "DefaultType none" option. + - Adds new "B" option to RewriteRule to suppress URL unescaping. + - Adds an "if" directive for mod_include to test whether an URL is + accessible, and if so, conditionally display content. + - Adds support for mod_ssl to the event MPM. + * Move the configuration of User, Group, and PidFile to + /etc/apache2/envvars. This makes it easier to use these settings in + scripts. /etc/apache2/envvars can now also be used to influence apache2ctl + (inspired by Marc Haber's patch). (Closes: #349709, #460105, #458085) + * Make apache2ctl check the configuration syntax before trying to restart + apache, to match the behaviour documented in the man page. + (Closes: #459236) + * Convert docs to be directly viewable with a browser (and not use content + negotiation). + * Add doc-base entry for the documentation. (closes: #311269) + * Don't ship default files in /var/www, but copy a sample file to + /var/www/index.html on new installs. Also remove the now unneeded + RedirectMatch line from sites-available/default. + (Closes: #411774, #458093) + * Add some information to README.Debian (Apache wiki, default virtual host) + * Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary + dependencies, easing library transitions (closes: #458857). + * Add icons for OpenDocuments, add sharutils to Build-Depends for uudecode. + Patch by Nicolas Valcárcel. (Closes: #436441) + * Add reportbug script to list enabled modules. + * Fix some lintian warnings: + - Pass --no-start to dh_installinit instead of omitting the debhelper token + in various maintainer scripts. Also move the update-rc.d call to + apache2.2-common. + - Add Short-Description to init script. + * Remove unused apache2-mpm-prefork.prerm from source package and clean up + debian/rules a bit. + * Don't ship NEWS.Debian with apache2-utils, as the contents are only + relevant for the server. + + -- Stefan Fritsch <sf@debian.org> Thu, 17 Jan 2008 20:27:56 +0100 + +apache2 (2.2.6-3) unstable; urgency=low + + * Allocate fewer bucket brigades in case of a flush bucket. This might help + with the memory leaks reported in #399776 and #421557. + * Escape the HTTP method in error messages to avoid potential cross site + scripting vulnerabilities (CVE-2007-6203). + * Update 053_bad_file_descriptor_PR42829.dpatch to avoid a race condition. + * Redirect /doc/apache2-doc/manual/ to /manual/ in the apache2-doc config + (Closes: #450867). + * Add icons for .ogg and .ogm (Closes: #255443). + * Add comment about how to log X-Forwarded-For (Closes: #425008). + * Make mod_proxy_balancer not depend on mod_cache. + * Add Homepage field to debian/control. + * Add/fix some lintian overrides, fix some warnings. + * Bump Standards-Version (no changes). + + -- Stefan Fritsch <sf@debian.org> Fri, 07 Dec 2007 22:38:59 +0100 + +apache2 (2.2.6-2) unstable; urgency=low + + * Avoid calling apr_pollset_poll() and accept_func() when the listening + sockets have already been closed on graceful stop or reload. This + hopefully fixes processes not being killed (closes: #445263, #447164) + and the "Bad file descriptor: apr_socket_accept: (client socket)" + error message (closes: #400918, #443310) + * Allow logresolve to process long lines (Closes: #331631) + * Remove duplicate config examples (Closes: #294662) + * Include README.backtrace describing how to create a backtrace + * Add CVE reference to 2.2.6-1 changelog entry + + -- Stefan Fritsch <sf@debian.org> Thu, 18 Oct 2007 19:35:40 +0200 + +apache2 (2.2.6-1) unstable; urgency=low + + * New upstream release + - fixes mod_proxy DoS for threaded MPMs (CVE-2007-3847) + - fixes spurious warning for valid wildcard certificates (Closes: #414855) + - adds warning that htpasswd is not setuid safe (Closes: #356285) + - adds Type and Charset options to IndexOptions directive, + allowing a workaround for buggy browsers affected by CVE-2007-4465 + - adds new ProxyPassMatch directive + * Add index.htm to the default DirectoryIndex configuration + (Closes: #439375) + * Use apache2ctl in init script (Closes: #439027) + * make init script less noisy (Closes: #438950) + * improve NEWS entry (Closes: #440084) + + -- Stefan Fritsch <sf@debian.org> Thu, 06 Sep 2007 23:54:42 +0200 + +apache2 (2.2.4-3) unstable; urgency=low + + [ Stefan Fritsch ] + * enable default site on new installs again (Closes: #436341) + * make mod_authn_dbd depend on mod_dbd + * make a2dissite return 0 if a site is already disabled (Closes: #435398) + * make a2 scripts print errors to stderr (Closes: #435400) + * move TypesConfig directive from apache2.conf to mime.conf + (Closes: #434248) + + [ Adam Conrad ] + * Special case apache2-dbg magic in debian/rules, so we don't do + this on Ubuntu, which has an archive of detached debug packages. + + -- Stefan Fritsch <sf@debian.org> Tue, 07 Aug 2007 20:49:28 +0200 + +apache2 (2.2.4-2) unstable; urgency=low + + * Modularize config: Move module specific configuration from apache2.conf + to mods-available/*conf (Closes: #338472) + * Remove the NO_START kludge. Now you have to use rc*.d symlinks to disable + apache2. (Closes: #408462, #275561) + * Create run and lock directores in apache2ctl to make it work on fresh + installations before the first call of the init script. Together with + the previous item, this closes: #418499 + * Disable AddDefaultCharset again (Closes: #397886) + * Make ports.conf, conf.d/charset, and /etc/default/apache2 conffiles + managed by dpkg + * Listen on port 443 by default if mod_ssl is loaded (Closes: #404598) + * Add logic to start htcacheclean as daemon or cronjob. The configuration + is in /etc/default/apache2 + * Fix security issues: + - CVE-2007-3304: prevent parent process to send SIGUSR1 to arbitrary + processes + - CVE-2006-5752: XSS in mod_status + * Add init.d dependency info from insserv overrides to /etc/init.d/apache2 + * Replace apachectl with apache2ctl in docs (Closes: #164493) + * Add usage message to apache2ctl (Closes: #359008) + * Make -dev packages priority extra + * Add secure example cipher/protocol configuration to ssl.conf + * Update watch file (Closes: #433552) + * Bump dh_compat to 5 + * Add new package apache2-dbg with debugging symbols + * Fix mod_cache returning 304 instead of 200 on HEAD requests + + -- Stefan Fritsch <sf@debian.org> Tue, 03 Jul 2007 21:23:40 +0200 + +apache2 (2.2.4-1) unstable; urgency=medium + + [ Stefan Fritsch ] + * Urgency medium for security fix + * Fix CVE-2007-1863: DoS in mod_cache + * New upstream version (Closes: #427050) + - Fixes "proxy: error reading status line from remote server" + (Closes: #410331) + * Fix CVE-2007-1862: mod_mem_cache DoS (introduced in 2.2.4) + * Change logrotate script to use reload instead of restart. + (Closes: #298689) + * chmod o-rx /var/log/apache2 (Closes: #291841) + * chmod o-x suexec (Closes: #431048) + * Update patch for truncated mod_cgi 500 responses from upstream SVN + (Closes: #412580) + * Don't use AddDefaultCharset for our docs (Closes: #414429) + * fix options syntax in sites-available/default (Closes: #419539) + * Move conf.d include to the end of apache2.conf (Closes: #305933) + * Remove log, cache, and lock files on purge (Closes: #428887) + * Ship /usr/lib/cgi-bin (Closes: #415698) + * Add note to README.Debian how to read docs (Closes: #350822) + * Document pid file name (Closes: #350286) + * Update Standards-Version (no changes needed) + * Fix some lintian warnings, add some overrides + * Start apache when doing a "restart" even if it was not running + (Closes: #384682) + * reload config in apache2-doc postinst (Closes: #289289) + * don't fail in prerm if apache is not running (Closes: #418536) + * Suggest apache2-doc and www-browser (Closes: #399056) + * Make init script always display a warning if NO_START=1 since + VERBOSE=yes is not the default anymore (Closes: #430116) + * Replace apache2(8) man page with a more current version + * Add httxt2dbm(8) man page + * Show -X option in help message (Closes: #391817) + * remove sick-hack-to-update-modules + * don't depend on procps on hurd (Closes: #431125) + + [ Peter Samuelson ] + * Add shlibs:Depends to apache2.2-common. + + -- Stefan Fritsch <sf@debian.org> Sun, 01 Jul 2007 19:57:51 +0200 + +apache2 (2.2.3-5) unstable; urgency=low + + [ Tollef Fog Heen ] + * Fix up apache2-src so the .tar.gz contains an apache2 top level + directory. + * Make apache2 MPMs provide and conflict with apache2-mpm so other + packages can provide MPMs too. + * Get rid of 2.1 references from descriptions. (Closes: #400981) + + [ Thom May ] + * Let the init script cope with multiple pid files correctly. Probably we + shouldn't be doing this at all, but we might as well do it properly! + (Closes: #396162) + * Add a sensible autoindex default config + * Add patch from upstream to ensure that mod_cgi 500 responses aren't + truncated (Closes: #412580) + * Use graceful-stop to shutdown apache to ensure we cope nicely with long + running or blocked children + + [ Peter Samuelson ] + * Ship apache2 manpage in apache2.2-common. (Closes: #391813) + * Rearrange init script so that 'force-reload' is the same as 'reload'. + (Closes: #401053) + * Add Build-Depends: mawk. (Closes: #403682) + * Add a needed <IfModule mod_include.c> guard to apache2.conf. + (Closes: #407307) + * Stop shipping /var/run/apache2/ as it is created at runtime anyway. + * Move the /var/lock/apache2 owner fix from the apache2.2-common + postinst to the init script, as /var/lock may not persist across + reboots. (Closes: #420101) + + [ Stefan Fritsch ] + * Add Build-Depends: libssl-dev, zlib1g-dev (Closes: #399043) + * Add XS-Vcs-* to debian/control + * Improve handling of empty $MODNAME in a2enmod (Closes: #422589) + * Treat apache2-mpm-itk as prefork in a2enmod (Closes: #412602) + * Re-add README.Debian and describe + - the config dir layout (closes: #419552) + - which files are ignored by Include + - when and how to change "restart" to "reload" in the logrotate script + * When purging, remove {mods,sites}-enabled symlinks and the config files + created by postinst (Closes: #397789) + * Fix suexec to log after a cgi error (Closes: #312385) + * Add watch file + * Add AddType for .bz2 (Closes: #416322) + * Make init script messages conform better to policy (Closes: #390348) + and exit with failure if called with unknown parameter (Closes: #412407) + * Fix segfault in mod_proxy_ftp when FTP server sends back no spaces + (Closes: #413727) + * Ship /etc/apache2/conf.d/apache2-doc (Closes: #418464) + * Tell the user when selecting cgid instead of cgi (Closes: #428058) + * Add a2ensite/a2dissite man pages (Closes: #322385) + * Comment out CacheEnable by default, to prevent filling up /var. + Document the problem in README.Debian and NEWS.Debian, point to + htcacheclean and give a warning when doing a2enmod disk_cache + (Closes: #423653). + * Add myself to Uploaders. + + -- Stefan Fritsch <sf@debian.org> Sun, 10 Jun 2007 18:54:29 +0200 + +apache2 (2.2.3-4) unstable; urgency=high + + * High-urgency upload for RC bugfixes. + * Ack NMUs - thanks Andi, Steve. + * Add myself to Uploaders. + * Refactor apache2.2-common.postinst slightly, to account for sarge + upgrades (since it's a new package name, rather than an upgrade). + (Closes: #396782, #415775) + * If mod_proxy was configured in sarge, add proxy_http and + disk_cache modules, which used to be included in the mod_proxy config. + (Closes: #407171) + + -- Peter Samuelson <peter@p12n.org> Tue, 27 Mar 2007 07:06:49 -0500 + +apache2 (2.2.3-3.3) unstable; urgency=high + + * Non-maintainer upload. + * High-urgency upload for RC bugfix. + * apache2.2-common should depend on procps, since it will fail to create + httpd.conf if it's not installed. Closes: #398535. + + -- Steve Langasek <vorlon@debian.org> Mon, 5 Feb 2007 01:55:57 -0800 + +apache2 (2.2.3-3.2) unstable; urgency=high + + * Non-maintainer upload. + * 043_ajp_connection_reuse: Patch from upstream Bugzilla, fixing a critical + issue with regard to connection reuse in mod_proxy_ajp. + Closes: #396265 + + -- Andreas Barth <aba@not.so.argh.org> Sat, 9 Dec 2006 21:05:45 +0000 + +apache2 (2.2.3-3.1) unstable; urgency=low + + * Non-maintainer upload. + * Enable authz_user by default, fix silent authentication breakage. + Closes: #397310 + * Add default modules if coming from earlier than this version. + Closes: #392349, #392352, #392701, #393913, #396678, #395976 + * Re-Enable modules cern_meta, dumpio and ext_filter. Closes: #391393 + + -- Andreas Barth <aba@not.so.argh.org> Fri, 10 Nov 2006 15:44:33 +0100 + +apache2 (2.2.3-3) unstable; urgency=medium + + [ Peter Samuelson ] + * a2dismod: exit 0 if a module exists but is already disabled. + * Ship a2enmod.8 and a2dismod.8 again, and expand them a bit. + (Closes: #270551) + + [ Tollef Fog Heen ] + * Build apache2-src package. + * Do not AddDefaultCharset if we are proxying. Closes: #277526 + * Do not forcefully link against libdb4.3 and other libs. + * Enable the same list of modules as we had in 2.0 (by default) and do + that for all older versions than 2.2.3-3 to fix upgrade issues people + have had. Closes: #392349 + * Set default IndexWidth to *. + * Clean up CPPFLAGS and CFLAGS, including making all of CFLAGS a + superset of CPPFLAGS. Also make sure to include -I switches with + absolute paths so the apache headers are useful. + * Warn when not starting HTTPD due to missing apache binary. + Closes: #384128 + * Provide sample disk and memory cache configurations. Closes: #278564 + * Provide dir.conf. Closes: #392356 + * Add alternate dependency from apache to apache2-mpm-event + * On reload, make the init script exit 1 with an error message if the + configuration is broken. Closes: #316858 + * Add default deflate.conf compressing text/html, text/plain and + text/xml. Closes: #349016 + * Add { and } around the usage format in the init script to make the + init script bash completion happier. Closes: #350606 + + [ Adam Conrad ] + * Update our php4 and php5 conflicts, to reflect the reality that each + were uploaded and built again while apache2.2 was in the new queue. + Closes: #392189 + * Migrate kill symlinks from K91 to K09 (closes: #376503) + * Make apache2 depend on the current version of the MPMs, as it used + to in the 2.0.x series (and make it binNMU-safe) (closes: #394658) + * Make sure that the RedirectMatch in sites-available/default continues + to be commented out for Ubuntu, while having it uncommented for Debian. + + [ Thom May ] + * Fix permissions on suexec (Closes: #391918) + * This is Debian, not Ubuntu (Closes: #393277) + + -- Adam Conrad <adconrad@0c3.net> Sat, 7 Oct 2006 17:57:04 +1000 + +apache2 (2.2.3-2) unstable; urgency=low + + * Make sure to ship /var/log/apache2 in the apache2.2-common package. + Closes: #390786 + * Install suexec.8 as suexec2.8. Closes: #390774 + * Make sure that we never ship .svn directories in any binary packages. + Closes: #390785 + * Not only chmod -x /usr/sbin/apache2 in apache2.2-common.preinst, chmod + +x it in same's postinst too. Closes: #390794 + * We now ship htcacheclean in apache2-utils. Closes: #376680 + * Try to stop old apaches in preinst of the mpms. Closes: #390893 + * Make apache2-mpm-{worker,prefork} conflict with apache2-mpm-event and + apache2-common. + * rm -f /var/lib/dpkg/info/apache2-common.postrm. So apache2-common can + be purged. Yes, we're on crack. Closes: #390823 + * Make apache2-utils's Replaces on apache2-common be unversioned. + Closes: #391018 + * Stop shipping cern_meta.load, dumpio.load and ext_filter.load. Thanks + to Stephane Chazelas for noticing. Closes: #391393 + + -- Tollef Fog Heen <tfheen@debian.org> Tue, 3 Oct 2006 10:03:48 +0200 + +apache2 (2.2.3-1) unstable; urgency=low + + * Remove mention of AddDefaultCharset from apache2.conf as this is now + in /etc/apache2/conf.d/charset. + * Rename apache2-common to apache2.2-common. Conflict and replace old + version. This is to force modules to be uninstalled until versions + compiled against 2.2 are provided. + * Remove Daniel Stone from list of uploaders. + * We no longer ship 035_HEAD_Content-Length_Fix_From_CVS. Closes: #298143 + * Don't start the server on reload. Closes: #316321 + * Install S91/K09 links, not S91/K91, also only support not starting + through defaults file to cover upgrades from old + installations. Closes: #359977, #349655 + * Big cleanup by using dh_install properly rather than loads of hacks in + debian/rules. + * No longer ship compat symlinks for ab, etc. Those are installed as + ab, htpasswd and similar. + * Remove apache2-mpm-{event,worker}-{prerm,preinst,postinst} in clean, + as those are copies of other files. + * Add build-depends for libapr1-dev (>= 1.2.7-6) to make sure we get a + version which ships a useful apr-config --apr-libtool. + * chmod -x /usr/sbin/apache2 on upgrades from before 2.2 to avoid + problems stopping apache due to some dpkg bug. + * Add Conflicts for broken modules which didn't depend on + apache2-common. + + -- Tollef Fog Heen <tfheen@debian.org> Thu, 17 Aug 2006 14:02:58 +0200 + +apache2 (2.2.3-1~exp.r170) experimental; urgency=low + + [ Jeroen van Wolffelaar ] + * Staging upload to experimental of subversion revision r170 + + [ Thom May, Tollef Fog Heen, Fabio M. Di Nitto and Adam Conrad ] + * New Upstream Release. Closes: #344072 + http://httpd.apache.org/docs/2.2/new_features_2_2.html has a list of + new features and changes. + - Fixes LFS support. Closes: #341460, #285337, #241223 + - Fixes off-by-one error in mod_rewrite ldap schema handling + (CVE-2006-3747) + - Fixes XSS issue in mod_imap/mod_imagemap (CVE-2005-3352). + Closes: #343467. + - mpm_perchild no longer exists, so closing bugs for perchild. + Closes: #236193, #238586 + - Fixes PHP POST with SSLVerifyClient. Closes: 353443 + * Build-depend on lsb-release and pick up the branding from there. + * Build-depend on apr-util 1.0 which is now in a separate source + package. + * Mangle the Debian layout to be more FHS compatible + * No longer build-conflict with libgdbm-dev + * Use external PCRE + * Make apache2-utils stop providing apache2-utils. Also make it stop + conflicting with itself. + * Rename default site from default-site to just default. + * Try to migrate modules which used to be built-in:, alias, mime, + authz_host, autoindex, dir, env, negotiation, setenvif, status. + * Mod imap has been renamed to imagemap, ditto for auth_ldap => + authnz_ldap. Cope with that in postinst. + * Stop globbing in apache2.conf. + Closes: #337817, #340955, #348189, #379015, #368497 + * Don't install CHANGES into the apache2 package. It's just a + metapackage. + * Add rudimentary rdeps handling to a2dismod. Closes: #273929 + * Stop providing apache-utils. + * Cope with /var/run and /var/lock on tmpfs. + * Remove all subdirs in srclib as we are using external libraries for + those anyway. Also remove test/zb.c. Closes: 340538 + * Make ssl.conf not block on /dev/random, but rather use /dev/urandom. + * Make apache2-common depend on lsb-base, thanks to Gleb Arshinov + + -- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Tue, 15 Aug 2006 16:17:33 +0200 + +apache2 (2.0.55-4.1) unstable; urgency=high + + * Non-maintainer upload. Urgency set to high due to security fixes. + * Added '052_mod_rewrite_CVE-2006-3747' to fix the off-by-one bug in + mod_rewrite. + [CVE-2006-3747]. (Closes: #380182) + * Added '053_restore_prefix_fix' to allow rebuilding from source. + (Closes: #374160) + * Added '054_apr_sendfile' to allow building for Hurd. + (Closes: #349416) + * Added '055_expect_CVE-2006-3918' to fix XSS attack in Expect headers. + [CVE-2006-3918]. (Closes: #381376) + * Added bash-completion script from Guillaume Rousse. + (Closes: #299855) + + -- Steve Kemp <skx@debian.org> Sat, 5 Aug 2006 21:35:53 +0000 + +apache2 (2.2.0-1) UNRELEASED; urgency=low + + * New upstream release. + + -- Fabio M. Di Nitto <fabbione@fabbione.net> Thu, 26 Jan 2006 13:46:08 +0100 + +apache2 (2.0.55-4) unstable; urgency=low + + * Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in + mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352 + * Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in + threaded MPMs when making a non-SSL connection to an SSL-enabled port + on a server with a custom 400 error document defined; see CVE-2005-3357 + * Clean up our use of trailing slashes on directories in debian/rules, so + the newer, pickier, obviously very improved coreutils doesn't bite us. + * Remove some cruft from apache2-common's postinst, dealing with upgrade + scenarios from versions older than those released in Sarge or Warty. + * Use "SHELL := sh -e" in debian/rules, so the build will stop on shell + errors, instead of blundering on to later make targets (closes: #340761) + * Recreate /var/run/apache2 and /var/lock/apache2 in our init script, in + case the user has /var/run and /var/lock on tmpfs, which is fasionable. + * Make our init script a /bin/bash script instead of a /bin/sh script, so + we can abuse it with regex globbing (#348189, #347962, #340955, #342008) + * Take patch from Adrian Bridgett to output errors from our config test + in the init script, but only do so when we're VERBOSE (closes: #339323) + * In the spirit of the LSB, make our init script exit 2 when called with + incorrect arguments, and exit 4 when asked for status (closes: #330275) + * Fix the default site to not mix configuration syntax (closes: #345922) + * Mention apxs2 in the apache2-*-dev long descriptions (closes: #307921) + + -- Adam Conrad <adconrad@0c3.net> Sat, 26 Nov 2005 19:06:32 +1100 + +apache2 (2.0.55-3) unstable; urgency=low + + * Brown paper bag release: Tidy up CFLAGS and APR configure call to make + sure that what we link to agrees with what apu-config tells others to do. + + -- Adam Conrad <adconrad@0c3.net> Mon, 24 Oct 2005 13:02:52 +1000 + +apache2 (2.0.55-2) unstable; urgency=low + + * Mess with 010_more_fhs_compliancy to nail down the compiled default for + cgisock to match with the default shipped in the config file, so people + don't get confused if they miss including cgid.conf (closes: #316477) + * Make the compiled-in PidFile match the config file for similar reasons. + * Add 049_apr_tables_HEAD_cleanup, resolving an issue where merging two + tables from different resource pools would leave you with the contents + of only one, rather than both. This patch also cleans up some broken + pointer arithmetic and type casting along the way (closes: #251800) + * Specify the DocumentRoot without a trailing slash (closes: #311317) + * Fix the manpage to point at proper locations (closes: #307665, #332619) + + -- Adam Conrad <adconrad@0c3.net> Sun, 23 Oct 2005 13:24:39 +1000 + +apache2 (2.0.55-1) unstable; urgency=low + + * New upstream bugfix and security release, superseding these patches: + - Drop 041_util_ldap_fix.patch, util_ldap seems to be unbroken. + - Drop 043_ssl_off_by_one_CAN-2005-1268, fixed upstream. + - Drop 044_content_length_CAN-2005-2088, fixed upstream. + - Drop 045_byterange_CAN-2005-2728, fixed upstream. + - Drop 046_verify_client_CAN-2005-2700, fixed upstream. + - Resolves a serious memory leak in the worker MPM; see CVE-2005-2970 + - Add 048_reverse_proxy_fix, to resolve a regression in 2.0.55 with + mod_proxy, mod_ssl and HTTP POST requests (upstream bug #37145) + * New release builds cleanly with OpenSSL 0.9.8 (closes: #332791, #333363) + * Fix up our built-in version of DBS to use find's -{max,min}depth + arguments in a way that doesn't make find whine like a spoiled child. + * Merge Ubuntu and Debian packaging, bringing in patch 047 (closes: #327269) + - Comment out the / -> /apache2-default/ redirect, as user feedback seems + to indicate that it's just too bloody confusing for most people. + - New installations (only) now get an AddDefaultCharset UTF-8 directive. + * Build-depend on lsb-release, and use it in debian/rules to determine which + distribution we're building on, dropping the 007_debian_advertising patch. + * Drop debconf dependency entirely; we don't even use it (closes: #331741) + * Finally support DEB_BUILD_OPTIONS="noopt debug" properly in debian/rules. + * Adjust mime_magic.conf to point at the new FHS location of magic.mime. + * Drop the apache2-mpm-threadpool transitional package; Sarge is released. + * Try a bit harder to find the *CORRECT* PidFile directive in the init + script, instead of the old "rgrep and pray" method (closes: #303076) + * Make init script to always use apache2ctl consistently (closes: #316303) + * Build (and have -dev packages depend on) libdb4.3 instead of libdb4.2. + + -- Adam Conrad <adconrad@0c3.net> Mon, 17 Oct 2005 13:00:13 +1000 + +apache2 (2.0.54-5ubuntu2) breezy; urgency=low + + * Add 047_ssl_reneg_with_body, which adds a (bounded) buffer of request + body data to provide a limited but safe fix for the mod_ssl renegotiation + vs requests-with-bodies bug, as occurs with POST and SVN (Ubuntu #14991) + + -- Adam Conrad <adconrad@ubuntu.com> Tue, 4 Oct 2005 11:53:01 +1000 + +apache2 (2.0.54-5ubuntu1) breezy; urgency=low + + * Resynchronise with Debian, bringing in several security patches. + + -- Adam Conrad <adconrad@ubuntu.com> Mon, 5 Sep 2005 20:40:31 +1000 + +apache2 (2.0.54-5) stable-security; urgency=high + + * Add 043_ssl_off_by_one_CAN-2005-1268, fixing an off-by-one error in SSL + certificate validation; see CAN-2005-1268 (closes: #320048, #320063) + * Add 044_content_length_CAN-2005-2088, resolving an issue in mod_proxy + where, when a response contains both Transfer-Encoding and Content-Length + headers, the connection can be used for HTTP request smuggling and HTTP + request spoofing attacks; see CAN-2005-2088 (closes: #316173) + * Add 045_byterange_CAN-2005-2728, to resolve a denial of service in apache + when large byte ranges are requested; see CAN-2005-2728 (closes: #326435) + * Add 046_verify_client_CAN-2005-2700, resolving an issue where the context + of the SSLVerifyClient directive is not honoured within a <Location> + nested in a <VirtualHost>, and is left unenforced; see CAN-2005-2700 + + -- Adam Conrad <adconrad@0c3.net> Fri, 2 Sep 2005 22:26:28 +1000 + +apache2 (2.0.54-4) unstable; urgency=low + + * Alter 041_util_ldap_fix.patch to revert util_ldap.c to the known + good version from 2.0.53 (closes: #308648, and re-fixes #307567) + + -- Adam Conrad <adconrad@0c3.net> Wed, 11 May 2005 20:15:38 -0600 + +apache2 (2.0.54-3) unstable; urgency=medium + + * Add 042_htdigest_CAN-2005-1344 to fix a buffer overflow in + htdigest, which is described in CAN-2005-1344 (closes: #307134) + * Add 041_util_ldap_fix.patch from upstream bug #34618 to fix + issues with mod_auth_ldap sometimes segfaulting and sometimes + locking up and spinning the CPU to oblivion (closes: #307567) + * Alter 011_fix_ap-config to make apr-config point us at the system + libtool, and make libapr0-dev depend on libtool (closes: #306481) + * Alter 008_make_include_safe to prevent apache2 from including dpkg + conffile leftovers (.dpkg-old et al) (closes: #304786, #296728) + + -- Adam Conrad <adconrad@0c3.net> Thu, 5 May 2005 03:45:24 -0600 + +apache2 (2.0.54-2) unstable; urgency=low + + * Set suexec2's ownership properly, so it's actually executable by + apache2 with the newly-restrictive permissions (closes: #305242) + + -- Adam Conrad <adconrad@0c3.net> Mon, 18 Apr 2005 22:09:42 -0600 + +apache2 (2.0.54-1) unstable; urgency=low + + * New upstream bugfix-only release (closes: #305121) + * Fix debian/watch file to only look at apache 2.0.x, so we stop being + told about the 2.1 beta releases (and I'll notice new 2.0.x releases) + * Drop o+rx permissions from suexec2; while it has code in place to + make sure the caller is www-data, if that code should be buggy, + filesystem permissions will help mitigate fallout (closes: #301045) + * Update the 003_build_with_autoconf_2.5 patch to make sure both + apr and apr-util have an AC_PREREQ for autoconf 2.50, so we don't get + weird autoconf mix-and-match FTBFS issues (closes: #301819) + + -- Adam Conrad <adconrad@0c3.net> Sun, 17 Apr 2005 23:10:18 -0600 + +apache2 (2.0.53-5ubuntu5) hoary; urgency=low + + * Fix the init script to not exit with an error when asked to + stop a daemon that isn't running (Was the root cause of #8374) + + -- Adam Conrad <adconrad@0c3.net> Fri, 1 Apr 2005 16:30:56 +0000 + +apache2 (2.0.53-5ubuntu4) hoary; urgency=low + + * Make sure package removals don't fail even if the init script + doesn't stop apache2 (Ubuntu #8374) + + -- Adam Conrad <adconrad@0c3.net> Fri, 1 Apr 2005 15:07:20 +0000 + +apache2 (2.0.53-5ubuntu3) hoary; urgency=low + + * Add dependency on lsb-base (>= 1.3-9ubuntu2) to guarantee + availability of lsb init functions (Ubuntu #7765) + + -- Adam Conrad <adconrad@0c3.net> Sun, 27 Mar 2005 21:55:41 -0700 + +apache2 (2.0.53-5ubuntu2) hoary; urgency=low + + * Really remove /etc/apache2/conf.d/charset on purge, rather + than just writing about it in the changelog. + + -- Adam Conrad <adconrad@0c3.net> Sun, 27 Mar 2005 08:32:39 -0700 + +apache2 (2.0.53-5ubuntu1) hoary; urgency=low + + * Resynchronise with Debian, resolving minor conflicts. + * Remove /etc/apache2/conf.d/charset on purge. + + -- Adam Conrad <adconrad@0c3.net> Sun, 27 Mar 2005 15:15:44 +0000 + +apache2 (2.0.53-5) unstable; urgency=high + + * Update 040_link_external_pcre to require autoconf 2.50, so it + doesn't fail when autoconf2.13 is installed (closes: #295428) + * Further mangle the apache_stop function in the init script so it + attempts as hard as possible to make sure apache2 is stopped before + it tries to restart. Thanks to Andre Tomt <andre@tomt.net> for + the bug and patch this fix was based on (closes: #295915, #281557) + + -- Adam Conrad <adconrad@0c3.net> Fri, 25 Feb 2005 00:51:13 -0700 + +apache2 (2.0.53-4) unstable; urgency=low + + * Add 040_link_external_pcre to allow us to link to an external libpcre + rather than statically compiling the bundled version. + * Add --with-external-pcre to the configure flags in debian/rules + (closes: #294673, #294675, #282606, #294740) + * Stop hardcoding the path to netstat in postinst (closes: #294737) + + -- Adam Conrad <adconrad@loki.0c3.net> Mon, 14 Feb 2005 01:45:08 +0000 + +apache2 (2.0.53-3) unstable; urgency=medium + + * Drop Andres Salomon's PCRE manglig patch in favour of hand-merging + Joe Orton's patch against head to completely internalise apache's + copy of PCRE, only exposing a wrapper API. (closes: #294395) + + -- Adam Conrad <adconrad@0c3.net> Wed, 9 Feb 2005 11:30:21 -0700 + +apache2 (2.0.53-2) unstable; urgency=low + + * Make apache2-threaded-dev and apache2-prefork-dev both arch:any + as they contain architecture-dependant defines (closes: #294257) + + -- Adam Conrad <adconrad@0c3.net> Wed, 9 Feb 2005 04:20:07 -0700 + +apache2 (2.0.53-1) unstable; urgency=low + + * New upstream release + - Remove 036_HEAD_CAN-2004-0942, integrated upstream + - Remove 037_HEAD_CAN-2004-0885, integrated upstream + * Drop support for the threadpool MPM, as it's abandoned upstream. + - Make apache2-mpm-threadpool an empty package depending on + apache2-mpm-worker, and make worker replace the old threadpool + * Make SYSCONFDIR configurable at the top of a2{en,dis}{mod,site} + * Drop the build-conflict on gawk, and use ac_cv_prog_AWK=mawk + instead (closes: #283396) + * Make the apache_stop() function stop trying to do the equivalent + of "killall apache2", and instead issue a nasty warning if it can't + stop apache2 on its own + * Make "restart" an alias for "force-reload" in the init script, as + apache2ctl restart doesn't match policy's requirements for restart + * Swapping between threaded and unthreaded MPMs could leave one with + both mod_cgi and mod_cgid enabled. Fixed the postinsts so that + no longer happens + * Update 021-pcre_mangle_symbols.patch from Andres Salomon, now also + mangling typedefs, which should fix PHP (closes: #280823) + * Hardcode a dependency on libgcc1 (>= 1:3.3.5) so pthread_cancel + will work correctly with partial upgrades (closes: #287033) + * When removing ssl_scache, make sure to remove its db transation logs + and other garbage as well (closes: #293831) + * Remove duplicate /icons/ from the default site (closes: #291856) + * Yank 039_fix_forensic_tmpfiles from Ubuntu's apache2 packages + * Split out utils into seperate apache2-utils. This will also + supercede the apache-utils package (closes: #285219) + * Add split-logfile to apache2-utils (closes: #290814) + * Make the MPM postinsts scream loudly, but not fail, if you've + deleted cgi{,d}.load before swapping MPMs (closes: #283141) + + -- Adam Conrad <adconrad@0c3.net> Mon, 7 Feb 2005 07:54:12 -0700 + +apache2 (2.0.52-3) unstable; urgency=high + + * Brown paper bag release to fix apache2-common's postinst, by judiciously + sprinkling ||true in a couple of needed places (closes: #280527) + * While hunting for unclean uses of VAR=`command` in the package, found + the cause of the "can't purge with broken config" bugs and fixed that + too with yet another ||true (closes: #263511, #273759, #279875) + + -- Adam Conrad <adconrad@0c3.net> Wed, 10 Nov 2004 01:32:16 -0700 + +apache2 (2.0.52-2) unstable; urgency=high + + * Include two patches, 036_HEAD_CAN-2004-0942 and 037_HEAD_CAN-2004-0885 + - CAN-2004-0942: Memory leak in header parsing in server/protocol.c + - CAN-2004-0885: Incorrect SSLCipherSuite selection in mod_ssl + * Fix up our use of netstat in apache2-common's postinst to clean up some + unnecessary output to stderr, as well as detect when netstat believes + we don't have AF_INET support. This should allow for installation in + chroots where the /proc filesystem isn't mounted (closes: #245487) + * Add 035_HEAD_Content-Length_Fix_From_CVS, which should solve problems + with Content-Length being set incorrectly on proxied HEAD requests, + breaking Windows Update from proxied machines (closes: #277787) + * Take out the reload/start magic in the postinst, and just call start in + all cases, as we stop the daemon in the prerm (closes: #275175, #222786) + * Copy config.guess/config.sub/ltmain.sh in from /usr/share/libtool at + build time. (closes: #257228, #263101) + * Clean up the clean target in debian/rules to remove some duplicate + maintainer scripts from the debian/ directory that we don't need to be + shipping in the source package. + * Move envvars to /etc/apache2/ and add patch 038_no_LD_LIBRARY_PATH to + remove the extraneous LD_LIBRARY_PATH from envvars (closes: #276670) + + -- Adam Conrad <adconrad@0c3.net> Sun, 7 Nov 2004 04:09:46 -0700 + +apache2 (2.0.52-1) unstable; urgency=high + + * New upstream bugfix/security release: + - Fixes CAN-2004-0811: Satisfy directive bypass (closes: #273412) + * Add '|| true' to a2enmod to stop it from dying when the installed MPM + isn't prefork (closes: #273017, #273019, #272865, #273021, #273258) + * Touch /var/log/apache2/error.log on new installs to ensure that our log + directory isn't removed until the package is purged, so logrotate doesn't + complain about its inability to find it (closes: #239571) + * Add 032_suexec_is_shared, which makes sure suEXEC is only searched for + and enabled when mod_suexec is loaded (closes: #227653) + * Use '$APACHE2CTL startssl' consistently in init script to make sure the + SSL define doesn't disappear on force-reload (closes: #272531) + * Add 033_dbm_read_hash_or_btree to allow apr-util and dbmmanage to open + and manipulate DB_BTREE databases, while still defaulting to creating + DB_HASH databases as before. This should clear up incompatibilities + with other applications (such as PHP) which default to DB_BTREE. + * Moved dbmmanage2 to /usr/bin, instead of /usr/sbin, as it's a user tool. + * Added 034_ab2_has_openssl, thanks to 2.1-cvs, Fedora, thom, and a bit + of munging, to compile a working ab2 with SSL support (closes: #261820) + + -- Adam Conrad <adconrad@0c3.net> Tue, 28 Sep 2004 10:21:20 -0600 + +apache2 (2.0.51-2) unstable; urgency=high + + * Test for the existence of /usr/sbin/apache2 before we go trying to invoke + it to determine what MPM we have installed (closes: #272103, #272207) + * Make the default httpd.conf created in apache2-common's postinst contain + a fake LoadModule line (commented out), and make apxs2 default to + installing modules to /etc/apache2/httpd.conf, so people using apxs2 + rather than the mods-{enabled,available} directories get the expected + behaviour, rather than obscure errors (closes: #167552, #231134) + * apxs2 now writes the correct path to modules in httpd.conf, including + the mysteriously missing slash (closes: #231450, #167557) + * Make apxs2 install modules with mode 644, since 755 makes no sense. + * Added a bit of magic to a2{en,dis}site to treat the default site as a + special case and add a "000-" priority to the beginning of its symlink. + Patches welcome to turn this into something robust, like update-rc.d. + + -- Adam Conrad <adconrad@0c3.net> Sat, 18 Sep 2004 07:12:12 -0600 + +apache2 (2.0.51-1) unstable; urgency=high + + * New upstream release, including the following security fixes: + - CAN-2004-0747: ap_resolve_env buffer overflow + - CAN-2004-0786: apr_uri_parse segfault in memcpy + - CAN-2004-0809: mod_dav crash/DoS via NULL pointer dereference + * Drop the following patches which are now included upstream: + - 025_CAN-2004-0748.patch + - 026_CAN-2004-0751.patch + - 027_autoindex_ignore_bad_files.patch + - 028_apr_sticky_bits.patch + * Install a properly sanitised config_vars.mk so that apxs2 behaves in + a reasonably sane way (closes: #243340, #270768) + * Relax www-browser dependency to a Suggests, as the mod_status dump from + apache2ctl is a pretty minor (and oft unused) feature (closes: #269309) + * init script now allows you to stop (but not start, restart, etc) the web + server, even if NO_START is set to 1 (closes: #269398) + * Make the apache2 -> apache2-mpm-* dependency tighter, so it does what + one expects when installing it (closes: #269580) + * Remove the ^/doc/apache2-doc/manual(.*)$ /manual$1 RedirectMatch from + the default site which was confusing and useless (closes: #270216) + * Add debian/watch file to track upstream versions. + * Add some magic to a2enmod to map cgi to cgid if using a threaded MPM. + * Add a2ensite and a2dissite which do the same thing as a2{en,dis}mod, + but for sites rather than modules (closes: #269251) + + -- Adam Conrad <adconrad@0c3.net> Wed, 15 Sep 2004 00:09:39 -0600 + +apache2 (2.0.50-12) unstable; urgency=high + + * Build-depend on mawk, and build-conflict with gawk, as we're only + guaranteed of having one or the other installed at any given time + and GNU awk seems to royally mess up the build with regards to which + external symbols get exported by httpd (closes: #268155) + * Add myself to the Uploaders field as it seems that, for better or + worse, I have become a co-maintainer of apache2. + * Drop the :80 from the default site config, so changing ports in + ports.conf now Just Works (closes: #253271) + * Added 029_docroot_manual.patch, which corrects the links in the start + page to point to /manual/ instead of manual/, so the link actually + works when apache2-doc is installed (closes: #232954) + * Add a postrm to apache2-common, implementing a policy-compliant purge + process (closes: #237030, #252254, #197986) + * Add a simple RedirectMatch to the "default" site, so that fresh + installations see the default start page, rather than a directory + listing (closes: #240772, #255974, #264070) + * Add 030_www-browser_apachectl.patch, and make apache2-common depend + on www-browser, so 'apache2ctl status' works (closes: #266724) + * Move apache2's (re)start from the apache2-common postinst to the MPM + postinsts, so we're not trying to start the old binary if apache2-common + is configured before apache2-mpm-* is unpacked (closes: #268936) + * Enable CGI on initial installation, as packages depending on httpd-cgi + require it to be running to work (closes: #267547, #263038) + * Only enable userdir on upgrades from older versions where it was + built-in, or on fresh installs. + + -- Adam Conrad <adconrad@0c3.net> Mon, 30 Aug 2004 17:40:47 -0600 + +apache2 (2.0.50-11) unstable; urgency=high + + * Add two patches from upstream to address two vulnerabilities in mod_ssl: + - CAN-2004-0748 is a potential infinite loop in the SSL input filter + which can be triggered by an aborted connection. + - CAN-2004-0751 is a potential segfault in the SSL input filter which + can be triggered by the response to request which is proxied to a + remote SSL server. + * Changed the ownership of /var/cache/apache2 to allow mod_proxy to + actually cache files (closes: #264622) + * Added a patch from upstream to make mod_autoindex skip over files that + it can't stat() (closes: #264645) + * New installations now get an /etc/default/apache2 file with a moderately + informative comment, and the default set sanely (closes: #263515) + * Added a patch from upstream to make APR stop creating directories with + the sticky bit set (closes: #266198) + * Remove the bogus "-e" from the echo that creates httpd.conf, so people + installing with ash/dash don't get a broken file (closes: #267693) + + -- Adam Conrad <adconrad@0c3.net> Mon, 23 Aug 2004 19:25:50 -0600 + +apache2 (2.0.50-10) unstable; urgency=high + + * Roll back the libapr0 ABI changes introduced in 2.0.50-9. We were + hopeful that we could hunt down and fix any fallout from this change + before release, and we were, apparently, wrong. + (closes: #266211, #266145, #266165, #266330, #266230, #266279, #266736) + + -- Adam Conrad <adconrad@0c3.net> Thu, 19 Aug 2004 03:46:11 -0600 + +apache2 (2.0.50-9) unstable; urgency=medium + + * Enable LFS properly. (Closes: #264645, #244897) + - Added 023_largefiles_upstream_fixes which makes the upstream configure + script a bit smarter and fixes some misuses of size_t/off_t. + - Added 024_largefiles_debian_hacks which adds some hideous hackery to + work around a bug in glibc where sendfile64 is used in place of sendfile + with no fallback even if the current kernel doesn't support it. + - Add note to README.Debian noting that while we can now read, write, and + list large files, SERVING large files is kernel-dependant. + * Bump libapr0 shlibs to (>= 2.0.50-9), since we're introducing + some serious ABI breakage with the above changes. + * Fix up the PATH in apache2's init script to list /usr/local, /usr, / + in the standard order. + * Change misleading return messages for a2{en,dis}mod, to reflect + the reality that some modules just won't load/unload properly + without a full stop/start server cycle. + + -- Adam Conrad <adconrad@0c3.net> Sun, 15 Aug 2004 07:41:19 -0600 + +apache2 (2.0.50-8) unstable; urgency=high + + * Ensure we link against the correct version of DB42 + + -- Thom May <thom@debian.org> Mon, 9 Aug 2004 14:37:38 +0100 + +apache2 (2.0.50-7) unstable; urgency=high + + * Fix up linking of apr-util (Closes: #262009) + + -- Thom May <thom@debian.org> Tue, 3 Aug 2004 12:42:53 +0100 + +apache2 (2.0.50-6) unstable; urgency=high + + * use 'env -i' rather than trying to parse env (Closes: #261558, #258713) + * revert to old build process (Closes: #260756, #259693) + * Reflect changes in ssl setup - Thanks, Björn Wiberg (Closes: #259414) + * Remove userdir config from main config file (Closes: #260058) + + -- Thom May <thom@debian.org> Tue, 27 Jul 2004 10:31:46 +0100 + +apache2 (2.0.50-5) unstable; urgency=high + + * Add necessary suexec information to central build + (Closes: #258453, #258772) + * Exclude lines starting with a space from removal from the env + (Closes: #258713) + + -- Thom May <thom@debian.org> Mon, 12 Jul 2004 17:30:59 +0100 + +apache2 (2.0.50-4) unstable; urgency=high + + * Fix dependencies so the MPMs don't conflict with the metapackages *g* + Thanks to Adam Conrad for this catch + + -- Thom May <thom@debian.org> Fri, 9 Jul 2004 00:55:19 +0100 + +apache2 (2.0.50-3) unstable; urgency=high + + * Brown paper bag of epic proportion. Build all mpms with the proper + collection of libraries. (Closes: #258217, #258202) + * Clean up environment (Closes: #241579) + * Clarify prefork description (Closes: #252918) + * Make apache2-default/manual DTRT (Closes: #244847) + * Note that we don't ship INSTALL or README.platforms (Closes: #232956) + + -- Thom May <thom@debian.org> Thu, 8 Jul 2004 16:04:31 +0100 + +apache2 (2.0.50-2) unstable; urgency=high + + * Make a2enmod a bit more robust (Closes: #258149, #258145) + * Should really be urgency=high to get into testing quick + + -- Thom May <thom@debian.org> Wed, 7 Jul 2004 23:03:36 +0100 + +apache2 (2.0.50-1) unstable; urgency=medium + + * New upstream release, fixes [CAN-2004-0493] and [CAN-2004-0488] + * The "I can't believe you're late to your own raid" release + * Check whether verbose is on or off in rcS's config (Closes: #242351) + * Add an apache2 metapackage (Closes: #234955) + * Specifically disable /~root (Closes: #246139) + * Stop the daemon in prerm (Closes: #245488) + * Redirect /doc/apache2-doc/manual to /manual so the correct magic happens + (Closes: #248038) + * Update SSL config to current upstream (Closes: #234591,#231147) + * No longer install default cgis - they're already shipped in -doc as + examples. (Closes: #231665) + * Tighten regex for Include (Closes: #234489) + * Remove ext-filter.load since we ship ext_filter.load too (Closes: #249268) + * Enable userdir as a shared module (Closes: #251102, #246134) + * OSKURO SUCKS (otherwise known as: not a bug) (Closes: #208569) + * Create /var/lib/apache2 (Closes: #242169) + * Remove 'AddDefaultCharset' line from apache2.conf (Suggestion from Marco + D'Itri) + + -- Thom May <thom@debian.org> Tue, 6 Jul 2004 18:45:35 +0100 + +apache2 (2.0.49-1) unstable; urgency=high + + * New Upstream release. (Closes: #240100) + * Add missing $ to init-script (closes: #240301) + * Provides: httpd-cgi in reference to #117916 + + -- Thom May <thom@debian.org> Sun, 4 Apr 2004 11:32:20 +0100 + +apache2 (2.0.48-8) unstable; urgency=low + + * Fix typo in debian/rules (closes: #230760) + * Added patch 021-pcre_mangle_symbols.patch (closes: #235810) + * Fixed typo in the init scripts (closes: #230263) + * Changed a bunch of mv's to cp's in rules (closes: #228840) + * Change mime_magic to use magic from libmagic1 (closes: #236509) + * Disable ssl-cert until it sucks less. related to 230791 (closes: #231726) + * update descriptions (closes: #234543, #234538, #234542) + * Nuke /etc/vhosts and all associated cruft (closes: #235029) + + -- Thom May <thom@debian.org> Mon, 2 Feb 2004 12:47:10 +0000 + +apache2 (2.0.48-7) unstable; urgency=low + + * Brown paper bag release. Refix the nonfixed libapr0 which built + without linking information. + + -- Tollef Fog Heen <tfheen@debian.org> Fri, 30 Jan 2004 18:25:12 +0100 + +apache2 (2.0.48-6) unstable; urgency=low + + * Build-Conflict with gdbm (closes: #230226, #230175, #204672) + + -- Tollef Fog Heen <tfheen@debian.org> Fri, 30 Jan 2004 12:24:09 +0100 + +apache2 (2.0.48-5) unstable; urgency=low + + * (Daniel Stone) + - Bump Standards-Version to 3.6.1.0. + - init-script: Print a small warning when NO_START=1. (closes: #178431) + - default site: Enable FollowSymLinks. (closes: #200829) + * (Thom May) + - Permanently kill the ErrorLog directive from ssl.conf + - Call ssl-cert to generate an SSL cert using debconf (closes: #178322) + - Allow /usr/share/doc/ to be viewable from localhost (closes: #222551) + - Set the default DocumentRoot to be /var/www (closes: #222552) + - Change where the init script is installed to (Closes: #223417) + - Upgrade to DB4.2 + * (Tollef Fog Heen) + - handle building out of the SVN checkout. + + -- Tollef Fog Heen <tfheen@debian.org> Wed, 28 Jan 2004 00:13:13 +0100 + +apache2 (2.0.48-4) unstable; urgency=medium + + * (Daniel Stone) + - Change apache2-threaded-dev's Conflicts from apache2-perfork-dev to + apache2-prefork-dev. Learn how to type, dude (thanks to Grzegorz + Prokopski for spotting this one). + + -- Daniel Stone <daniels@debian.org> Mon, 17 Nov 2003 12:00:11 +1100 + +apache2 (2.0.48-3) unstable; urgency=medium + + * Grmmp. stuffed the upload + + -- Thom May <thom@debian.org> Wed, 12 Nov 2003 18:18:54 +0000 + +apache2 (2.0.48-2) unstable; urgency=high + + * (Thom May) + - Fix locking busted by NPTL (Closes: #220299) + - Fix IPv6 weirdness (thanks to Jordi/Fabio) (Closes: #220334) + + -- Thom May <thom@debian.org> Wed, 12 Nov 2003 13:04:04 +0000 + +apache2 (2.0.48-1) unstable; urgency=low + + * (Thom May) + - New Upstream Release (Closes: #202094) + - Fix i18n autonegotiation for the manual (Closes: #201648) + - Add deb.{gif,png} (Closes: #199454) + - Explicitly link against libdl (Closes: #195968) + - Add dependency on ssl-cert (Closes: #177837) + - Take preventative action against SCTP + - Add apache2-prefork-dev to work around PHP. + - Shut Oskuro up - startup time changed to 91 (Closes: #208569) + - Install README.etc into apache2-common's doc dir + (Closes: #208751,#177941) + - Auth_LDAP loads mod_ldap as well. (Closes: #217795) + - Make sure /var/lock/apache2 has correct ownership (Closes: #206375) + - Fix for SSL enabled virtual hosts (Closes: #202925) + - Steal new apr_threads.m4 from upstream to deal with -lpthread better + (Closes: #197685) + * (Fabio M. Di Nitto) + - Fixed init script (Closes: #203093) + + -- Thom May <thom@debian.org> Sat, 16 Aug 2003 00:13:20 +0100 + +apache2 (2.0.47-2) unstable; urgency=low + + * Move dav.conf to dav_fs.conf (Closes: #201530) + * Fix the manual, and only ship it once. (Closes: #201648) + * Enable SymLinksIfOwnerMatch for cgi-bin (Closes: #200829) + + -- Thom May <thom@debian.org> Wed, 16 Jul 2003 10:24:28 +0100 + +apache2 (2.0.47-1) unstable; urgency=high + + * New Upstream Release. Bunch of security fixes (Closes: #200593) + * Add asis.load, auth_ldap.load, cache.load, dav_fs.load, disk_cache.load, + ext_filter.load, file_cache.load, imap.load, ldap.load, mem_cache.load, + include.load (Closes: #197152, #198389, #196115) + Note that dav_fs was previously loaded by dav.load, and is now broken out + into a seperate file. + * Patch apxs2 to use datadir rather than prefix for top_builddir. + (Closes: #198607) + * Kill a couple of pointless conflicts. (Closes: #197242) + * Change suexec docroot from /var/www/apache2-default to /var/www + (Closes: #198981) + * Make sure we use Expat rather than xmltok (Closes: #197020) + * Ship find_ap{r,u}.m4 (per Nuutti Kotivuori) + + -- Thom May <thom@debian.org> Fri, 4 Jul 2003 13:40:37 +0100 + +apache2 (2.0.46-3) unstable; urgency=low + + * Clean up the proxy config although it's not enabled by default. + (Closes: #195187) + * Remove all traces of gdbm. (Closes: #196231) + * Re-enable ldap support (Closes: #190092) + * This changelog should be policy compliant. Any whingers can take a long + hike off a short pier. + * use printf rather than echo to work round weird shells. (Closes: #196230) + + -- Thom May <thom@debian.org> Thu, 5 Jun 2003 19:26:21 +0100 + +apache2 (2.0.46-2) unstable; urgency=critical + + * Fix config_vars.mk creation and installation (Closes: #195141, #195190) + + -- Thom May <thom@debian.org> Thu, 29 May 2003 11:47:13 +0100 + +apache2 (2.0.46-1) unstable; urgency=critical + + * The "David Welton is my hero" release + * New upstream release, numerous security vulns fixed. + * Oh the pain. + * Move ScriptSocket to /var/run/apache2 (Closes: #188655) + * Restore mod_include (Closes: #188483) + * Move the virtual hosts config to the end of the config file + (Closes: #188584) + * Add Mod-Ext-Filter (Closes: #182770) + * Add actions.load (Closes: #178087, #179571, #181527) + * Add a dependency on net-tool (Closes: #190663) + * Clean up FHS compliancy and fix up a typo in apachectl (Closes: #187723) + * Fix for the apxs -q APR_BINDIR doesn't work problem (Closes: #188278) + * Special case the install of special.mk (Closes: #179776) + * Make apache2-dev and apache-dev not conflict. (This renames apxs back to + apxs2) + * Add README for /etc/apache2 written by David. + * Add auth_digest.load courtesy of Amelia A Lewis <amyzing@talsever.com> + (Closes: #194111) + + -- Thom May <thom@debian.org> Wed, 28 May 2003 14:17:21 +0100 + +apache2 (2.0.45-3) unstable; urgency=critical + + * another "stupid freaking sasl" release. the series is on! + + -- Thom May <thom@debian.org> Tue, 8 Apr 2003 17:13:09 +0100 + +apache2 (2.0.45-2) unstable; urgency=critical + + * the "stupid freaking sasl" release. + * fix override disparities too. + * fix dulpicate dependency on libssl0.9.7 (Closes: #179598) + + -- Thom May <thom@debian.org> Tue, 8 Apr 2003 13:34:44 +0100 + +apache2 (2.0.45-1) unstable; urgency=critical + + * New upstream release (Closes: #187502) + * Fix korean language type, thanks to Donggyoo Lee + <donggyoo@kmaritime.ac.kr> (Closes: #179542) + * Add explicit dependency to libsasl-dev (Closes: #179674) + * Remove ErrorLog from ssl.conf + * forward ported patches courtesy of Roberto Moreda <moreda@debian.org>; big + thanks! + + -- Thom May <thom@debian.org> Sat, 5 Apr 2003 14:35:58 +0100 + +apache2 (2.0.44-6) unstable; urgency=low + + * Make APR's postinst idempotent (Closes: #178105, #178141) + * Make Apache2-common's postinst non interactive (Closes: #178551) + * People filing bugs after they're fixed should be shot (Closes: #178244) + * Build Logio into the core, apparently. + + -- Thom May <thom@debian.org> Mon, 27 Jan 2003 20:47:28 +0000 + +apache2 (2.0.44-5) unstable; urgency=low + + * The "someone should take my compiler away from me" release + * Depend on openssl as well. Grrr. (Closes: #177985) + * Clean up the last of the section mismatches + + -- Thom May <thom@debian.org> Thu, 23 Jan 2003 15:04:20 +0000 + +apache2 (2.0.44-4) unstable; urgency=low + + * The "going for broke" release. + * Enable Logio, suggested by Roberto Moreda + * Stop force loading of cgi modules. (until we can do it cleanly) + (Closes: #177876, #177795) + * Restore symlink for libapr.so.0 (Closes: #177792) + * Apache2-common must depend on libssl0.9.7 (Closes: #177845) + * Rename ssl-certificate so we don't conflict with apache-ssl + (Closes: #177881) + * Only create the certificate if it's not there already (Duh!) + + -- Thom May <thom@debian.org> Wed, 22 Jan 2003 09:59:11 +0000 + +apache2 (2.0.44-3) unstable; urgency=low + + * The "This one goes out wearing a brown paper bag" release + * Fix apxs to correctly return the header locations (Closes: #177729) + + -- Thom May <thom@debian.org> Tue, 21 Jan 2003 16:35:14 +0000 + +apache2 (2.0.44-2) unstable; urgency=low + + * The "Ooops, I did it again" release + * Fixup of sections and priorities. + * Add dependency of libldap2-dev to libapr0-dev + * Correct dependencies to be db4.1 not db4.0 + + -- Thom May <thom@debian.org> Tue, 21 Jan 2003 13:26:57 +0000 + +apache2 (2.0.44-1) unstable; urgency=low + + * Conform to 10.4 of policy re init scripts, (Closes: #165693) + * Be more selective about filenames when doing Include + Patch - 008_make_include_safe (Closes: #161512) + * Make HTMLTable validate, and add a note recommending its use. + (Patch submitted upstream and will be in 2.0.44) + Patch - 010_fix_html_table (Closes: #153593) + * Make apr have correct library versioning + Patch committed upstream + Patch - 011_make_apr_versioned (Closes: #162775) + * Placed packaging code under subversion change management + http://svn.positive-internet.com/svn/apache2/trunk + * Changed some bash scripts to use #!/bin/bash rather than #!/bin/sh + (Closes: #168338) + * Changed apache2-common to merely suggest apache2-doc (Closes: #167595) + * Patch from David Kimdon to clean up debian/scripts/* + * Rename apxs2 to apxs; conflict with apache-dev (Closes: #167550) + * Upstream fix for AllowOverride documentation (Closes: #169431) + * Tighter build dependency on debhelper (Closes: #170803) + * Only reload in logrotate if apache2 is actually running (Closes: #171095) + * Upstream Fix for AddOutputFilterByType documentation (Closes: #172294) + * Add robots.txt to apache2-common (Closes: #172592) + * Enable cgi in postinst (Closes: #168709) + * Create an SSL Certificate on install (Closes: #168109) + * Fix a couple of typos in debian/ssl-certificate, with thanks to Nuutti + Kotivuori + * Change to restart rather than reload in logrotate, to work round a nasty + PHP bug (PHP has bugs? *gasp* I thought it was perfect!) with thanks to + Adam Conrad for the suggestion + * Clarify what needs to be installed for a working system (Thanks to Sean + Abrahams) + * Support debug DEB_BUILD_OPTIONS setting, thanks to Karl Hegbloom + (Closes: #174221) + * Add -pipe to the CFLAGS, thanks to Karl Hegbloom + * Force apr-util to build against db4 + * add OSX finder to the list of things that needs to be redirect-carefully'd + * s/enabled/disabled in debian/a2-scripts/a2dismod (Closes: #173956) + * enable auth-ldap, auth-anon, auth-dbm, auth-digest, and action as shared + modules (Closes: #172044, #174583, #172093) + * Upgrade to Berkely DB 4.1 + * Upgrade to OpenSSL 0.9.7 + * Add patch to ensure DB4.1 --with-unique-names is picked up. (Committed + upstream) + * Add local apache2 and apache2ctl manpages, since upstream have removed + them. + + -- Thom May <thom@debian.org> Mon, 20 Jan 2003 11:14:43 +0000 + +apache2 (2.0.43-1) unstable; urgency=medium + + * New Upstream Release; Fixes: CVE: CAN-2002-0840 CERT: VU#240329 + * Add extra config to unfuck perchild. hopefully. + * Rejig Proxy Config some. With thanks to: Emmanuel Chantreau (Closes: #163124) + * Fix cgi install. Thanks to: Bastian Kleineidam (Closes: #162791) + * Fix postinst to check installation type and behave accordingly (Closes: #162627) + * Bring product version into line with RFC2616 (Closes: #151384) + * Add allow line for ipv6 localhost (Closes: #163533) + * Make more of the modules modular. + * Set UseCanonicalName off + * Added index.xhtml to DirectoryIndex settings + * Enabled MultiViews in the default site, and for the manual (Closes: #160367) + * Removed Unnecessary cgi.conf (Closes: #163842) + + -- Thom May <thom@debian.org> Fri, 4 Oct 2002 21:47:18 +0100 + +apache2 (2.0.42-2) unstable; urgency=low + + * Tighten dependencies yet more + * Restart in postinst. don't stop in prerm and start in postinst (Closes: #162344, #162350, #162537) + * Fix dh_shlibdeps up + * PERCHILD IS NOT WORKING IN THIS RELEASE. DON'T EXPECT IT TO. BUGS ABOUT + THIS WILL BE CLOSED WITH EXTREME PREJUDICE. + + -- Thom May <thom@debian.org> Fri, 27 Sep 2002 13:06:59 +0100 + +apache2 (2.0.42-1) unstable; urgency=low + + * "Pretty. What shall we blow up?" + * New Upstream Version (Closes: #160364) + * Fix man names and sections (Closes: #157113) + * Correct the regex for netstat checking of ports, thanks to Matthew Hambley + for this. + * Correct dependencies for apache2-common. (Closes: #161793) + * Applied patch from Stefan Gybas to fix a2enmod (Closes: #159459) + * Added BrowserMatch directives for microsoft's bodgy DAV implementations + and also for gnome-vfs (Closes: #155097) + * Loosened the config for home directories (Closes: #153599) + * Updated to latest standards version + * Drop priority to extra to bring it in line with libdb4.0 + * Added logrotate script - Thanks to Phil Edwards for the basic version, and + the apache package that I ripped the rest off from (Closes: #155488) + * Tighten up what the Include lines load some. This is related to #161512 + but doesn't completely close it. + + -- Thom May <thom@debian.org> Sat, 21 Sep 2002 22:14:22 +0100 + +apache2 (2.0.40-1) unstable; urgency=low + + * New Upstream Version + * Correct dependencies. (Closes: #156959) + * Code to check for something else listening on 80 (Closes: #156129) + * correct permissions on suexec2 man page (Closes: #157005) + * Make the start and stop targets use apache2 directly rather than + apache2ctl. + * Check for the existence of apache2 and exit if it's not there (Closes: #156640) + * Nuke ssl_scache on startup (Closes: #157445) + * patch apxs to not need an mpm installed. Correct dependencies for -dev. + Stop messing around with ap_config_auto.h. + This hopefully resolves James Troup's objections to apache2. (Closes: #157895) + * Add code to check for a 2.2 based kernel and set up the Scoreboard + accordingly. (Closes: #156899) + * make sure i only have to update one init.d script, rather than 4. + * make apxs return a correctly formatted response on queries. + + -- Thom May <thom@debian.org> Wed, 21 Aug 2002 14:21:14 +0100 + +apache2 (2.0.39+cvs.1028741220-2) unstable; urgency=low + + * Rebuild against new libc6. Grr. (Closes: #155865) + * Actually create /etc/apache2/httpd.conf + * Propagate init.d changes through the other MPMs. + + -- Thom May <thom@debian.org> Thu, 8 Aug 2002 09:19:49 +0100 + +apache2 (2.0.39+cvs.1028741220-1) unstable; urgency=low + + * New Upstream Version + * Make a versioned depends on libapr0 (Closes: #154879, #155400) + * Ensure that /etc/init.d/apache2 is registered properly. + * Added a conf.d directory for random conf snippets + * Ensure that the /manual/ alias is setup by the correct package (Closes: #155179) + * Ensure that DAVLockDB is created in the right directory (Closes: #155096) + * Now Building in a pbuilder chroot environment. + * Perchild is now pseudo working (Closes: #154148) + * Cumulatively (note to Lazarus Long: this means all the things in this + changelog added together) (Closes: #155297, #155307, #155317, #155717, #155363, #155719, #155801) + * Note that preceeding changelog entry may not be parseable by strict grammar + checks. Thanks to Jamie Wilkinson for pointing this out. + * Turn MultiViews back on for the default site (Closes: #155450) + checks. Thanks to Jamie Wilkinson for pointing this out. + * Turn MultiViews back on for the default site (Closes: #155450) + * Removed all CVS directories (Closes: #155602, #155393, #155402) + * SSI has been fixed upstream (Closes: #151744) + * Removed SSLLog directives (Closes: #152940) + * Put icons in the right place (Closes: #155178) + * Fixed build-dep on libgdbmg1-dev (Closes: #155412) + * Get correct information into config_vars.mk (Closes: #151712) + * Removed 'ServerName localhost' line (Closes: #155359) + * Placed apr-util headers in correct package + * Ensured that the init.d script restarts apache properly + + -- Thom May <thom@debian.org> Tue, 30 Jul 2002 22:37:52 +0100 + +apache2 (2.0.39+cvs.1027964860-1) unstable; urgency=low + + * New Upstream Source + * Correct Icons path (Closes: #151314) + * Add missing dep on mime-support (Closes: #151848, #152220, #152221, #151772) + * Fixup suexec2, thanks to Masahito Omote (Closes: #151422) + * Mark Brown + - Remove spurious claim that apache2 hasn't been uploaded (Closes: #151433) + - Bring apache2 in line with policy on /usr/share/doc/ (Closes: #151459) + - Make reload behave the same as force-reload (Closes: #151432) + * place the manual in the right place, thanks to Md (Closes: #151766) + * David Kimdon + - add build depends on zlib1g-dev (Closes: #151286) + + -- Thom May <thom@debian.org> Mon, 29 Jul 2002 19:12:56 +0100 + +apache2 (2.0.39-1) unstable; urgency=low + + * New Upstream Version, fixing a denial of service attack. + * Fix installation of icons and manual. + * David Kimdon + - fix path for envvars in apxs2 + - use generalized directives in ssl.conf ( SSLLog -> ErrorLog, + SSLLogLevel -> LogLevel ), this allows server to load ssl + module + + -- Thom May <thom@debian.org> Fri, 14 Jun 2002 17:29:59 -0700 + +apache2 (2.0.37-2) unstable; urgency=low + + * Updated Copyright file to actually contain a copy of the various licenses. + + -- Thom May <thom@debian.org> Fri, 14 Jun 2002 15:41:41 +0100 + +apache2 (2.0.37-1) unstable; urgency=low + + * New upstream version + + -- Thom May <thom@debian.org> Thu, 13 Jun 2002 17:47:12 +0100 + +apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low + + * New upstream release + + -- Thom May <thom@debian.org> Wed, 5 Jun 2002 12:42:34 +0100 + +apache2 (2.0.36-2) unstable; urgency=low + + * debian/control - Correct provides, conflicts and depends, especially for + the mpms. + * build-dep doesn't work with provides, which makes sense. Need to make a + note of this in the policy. + * debian/rules - ensure that the mpm specific header file is installed into + the right place + + -- Thom May <thom@debian.org> Fri, 31 May 2002 14:54:39 +0100 + +apache2 (2.0.36-1) unstable; urgency=low + + * The "The obviously begging in a changelog works" release. + * New Upstream release + * Vpath Builds now work, giving the ability to select which MPM you require + * Changed vhost base to only be a Recommends: as I'm not happy that it's + currently in a properly releasable state. + * New enhost script courtesy of DannyS. + * David Kimdon + - make apxs2 find envvars properly + - use libtool to install apache2 binaries for different mpm's + - fix dependancies for apache2-dev (we can't do a versioned 'Provides' + so we need to list all the packages that provide apache2 along + with their version) + * Implemented a long overdue suggestion to only create ports.conf if it's + not in existance already, rather than to add a command to listen on 80 iff + that didn't exist. The person who suggested it is lost in the mists of my + mailbox. If it was you, please email me! + * debian/vhost-base/add.d/apache2 - apply patch from "Omniflux" + <josh@nebonet.com> to fix some brainos + + -- Thom May <thom@debian.org> Mon, 6 May 2002 16:39:18 +0100 + +apache2 (2.0.35+cvs.20020420-1) unstable; urgency=low + + * The "finding myself standing on the corner staring into a different world" + release. Will someone please give me a job? + * Resync with upstream CVS. lots and lots of bug fixes since the last + release. + * Attempting to build with multiple MPMs, so speedfreaks can have a threaded + MPM. (Available MPMs are: prefork, worker, threadpool, and + leader/follower). + * Now sedding ap{r,u}-config in the install target. + * vpath build evilness suggested by Andrew Suffield and others. I hate them + all. :) + + -- Thom May <thom@debian.org> Sat, 20 Apr 2002 17:04:46 +0100 + +apache2 (2.0.35-2) unstable; urgency=low + + * The "Apache2 isn't released, therefore the Bug Tracking System doesn't + bloody well work" release + * Fixes a bug in add host, due to the change from Port to Listen. + (Reported by numerous people, patch more or less from Esteve Fernandez + <esteve@sindominio.net>. + * Attempt to fix apu-config, suggestion and patch from David Kimdon, if it's + wrong, I broke it. (Changed it to apply pre-build, rather than post build. + Yes, it's the lazy approach. It's also the right one :) ) + * THE BUG TRACKING SYSTEM IS NOT THE RIGHT PLACE TO SEND BUG REPORTS FOR + APACHE2. + * REALLY. + + -- Thom May <thom@debian.org> Sat, 6 Apr 2002 21:04:16 +0100 + +apache2 (2.0.35-1) unstable; urgency=low + + * WOOOOOOOOOOOHOOOOOOOOO! Apache2's first General Availability release! + * Various bug fixes, suggestions and so on. + * Built with db3 for the time being. + + -- Thom May <thom@debian.org> Sat, 6 Apr 2002 03:01:24 +0100 + +apache2 (2.0.34+retag-1) unstable; urgency=low + + * Resync with upstream release. + * Fix packaging-fus (Hi Marcello!) + * Upstream have fixed cgi probs. + + -- Thom May <thom@debian.org> Mon, 1 Apr 2002 14:50:12 +0100 + +apache2 (2.0.34-1) unstable; urgency=low + + * New upstream release + * added mod_deflate as a shared library + * bashed on apache2.conf some. + + -- Thom May <thom@debian.org> Tue, 26 Mar 2002 23:23:09 +0000 + +apache2 (2.0.33-1) unstable; urgency=low + + * New upstream. + * Unfucked all code, include init.d and /etc/vhosts. + * FHS'ified, more or less + * Some debconf, but not much. + * Merged more patches upstream + + -- Thom May <thom@debian.org> Sat, 9 Mar 2002 23:33:09 +0000 + +apache2 (2.0.32+cvs.20020228-1) unstable; urgency=low + + * The "bathwater, no baby" release. + * Submitted patches upstream like crazy. + * Tossed the insanely bogus apachectl patch + * Debconf not included here. Want to get everything else right, and a + release out. + * Boom! + + -- Thom May <thom@debian.org> Thu, 28 Feb 2002 21:07:24 +0000 + +apache2 (2.0.32-1) unstable; urgency=low + + * The "Throwing stuff away like mad and seeing if it still builds" release. + * Ditched apache2-modules* on the principle of least surprise - the deb + layouts now pretty closely follow apache. + * Trying to triage away patches that have been fixed upstream. + * Major attack on debconfiscation starts here -> . + + -- Thom May <thom@debian.org> Tue, 19 Feb 2002 20:37:58 +0000 + +apache2 (2.0.31+cvs.20020217-1) unstable; urgency=low + + * New CVS snapshot from HEAD to benefit Subversion for the impending 0.9 + release. Enjoy! 81 lines in the last couple of days ... :) + * debian/patches/005_more_hardcoded_paths: + - Regenerated diff against newer version of mpm_default.h. + * debian/patches/008_apr-config_sucks + - Regenerated apr-util part of diff against newer version of + apu-config.in. + * debian/apache2.{config,templates,postinst}, + debian/vhost-base/add.d/apache2, + debian/vhost-base/templates.d/apache2{,.in}, debian/rules: + - Debconfage asking which port to run on, and make the vhost-base script + only list the current ports; ports stuff moved to + /etc/apache2/ports.conf - re-enable dh_installdebconf in debian/rules. + - Moved templates.d/apache2 to templates.d/apache2.in so we can do some + nifty inplace regexps. + * debian/apache2.init.d: + - Bail out of the init script if there aren't any sites enabled. + * debian/{rules,control}: + - Get rid of apache2-modules; move its contents to apache2. + * debian/config-mods/cgid.conf: + - Get rid of redundant <IfModule> wrapper around ScriptSock, so it + actually loads. Thanks to Pieter "Pitr" Jansen for this one. + + -- Daniel Stone <daniel@sfarc.net> Sun, 17 Feb 2002 01:23:43 +1100 + +apache2 (2.0.31+cvs.20020207-1) unstable; urgency=low + + * The one-big-happy-apache2-bug-squashing-family release. + * Update to latest CVS; hopefully this won't mean that piro deadlocks every + time dpkg goes to read its database. Hopefully this gets rid of the bugs. + Yes, all of them. + * debian/patches/004a_srclib_layout_support: + - Updated a touch to fit in with .32-dev. + * debian/patches/008_stuff_in_sbin_not_bin: + - Removed; obsoleted by upstream discovering sanity. + * debian/patches/008_apr-config_sucks: + - Fix problem whereby @prefix@ would sub to $(prefix), but $(prefix) + wouldn't sub to the prefix, or ${prefix}, thus screwing up the running + of apr-config ... ditto for apu-config (from apr-util). + * debian/patches/009_apxs: + - Reworked to make it actually work, and apply cleanly. + - Fix libtool breakage once again, thanks David Kimdon. + * debian/patches/010_shmget: + - Hack to srclib/apr/apr.h.in to make it prefer shmget over everything + else, to make it 2.2/non-tmpfs safe. (Thanks Ben Collins). + * debian/patches/012_debian_version: + - Minor update (include a space in front of "Debian", change it to + "Debian GNU/Linux" to clarify things, and before the the Hurd [happy + now, you crack junkies?] people complain, it's not released as a Debian + port yet, so feh). + * debian/vhost-base/add.d/apache2: + - Change sites to sites-available, in line with the previous change. + * debian/config/mods-available: + - Move to debian/config-mods to make life easier with the move to + apache2-modules (see below). + * debian/config-mods/auth_dbm.load: + - New file, in line with introducing mod_auth_dbm; thanks again to David + Kimdon. + * debian/a2-scripts/a2{en,dis}mod: + - Rewritten to be much cleaner and cool. (Thanks to Ben Collins for + pointing out that the permissions were screwed). + * debian/apache2.postinst: + - New file, no #DEBHELPER# token so that we don't care if postinst fails; + this way it won't bail if you're already running another web server. + Thanks to David Kimdon for pointing out an error. + * debian/vhost-base/{enable,disable}.d/apache2: + - Fixed! Woot! The code isn't the best you'll see, but now *WORKS*. Whoo! + * debian/control: + - Extend libapr-dev's Depends to include libapr0 (duh). + - Remove apache2-modules-dev as modules are no longer built both shared + and static, IMHO this was quite braindead behavior. Upstream's change, + not mine. + - Remove apache2-support as apxs2 requred apache2 anyway. Chalk one (more) + down for "failed experiments". + - Removed redundant libssl0.9.6 and libxmltok1 build-deps; we already + build-depped on the relevant -dev packages; thanks Ben Collins. + * debian/rules: + - Modules are no longer built statically as well as dynamically (upstream + change), so stop trying to move the files around. + - Sort out the libapr0/libapr-dev mess once and for all; thanks to Matt + Wilcox and Ben Collins for patiently talking me through it. + - Move *contents* of mods-available to apache2-modules, but keep the + directory itself as part of apache2, to keep the addons happy; thanks + David Kimdon. + - s/apache2-support/apache2/, see debian/control entry. + - Remove extraneous LICENSE file from the vhost manual. + - Remove *.exp files, because they're unneeded. + * debian/apache2.docs: + - Remove KEYS from the list of docs because this is crap and no longer + distributed. w00t! + + -- Daniel Stone <daniel@sfarc.net> Thu, 7 Feb 2002 20:39:44 +1100 + +apache2 (2.0.28-3) unstable; urgency=low + + * Enabled mod_auth_dbm for Subversion. (thanks David Kimdon). + + -- Daniel Stone <daniel@sfarc.net> Thu, 29 Nov 2001 23:25:53 +1100 + +apache2 (2.0.28-2) unstable; urgency=low + + * Fixed up a couple of things, + /etc/apache2/modules->/etc/apache2/mods-available, etc. + * Included mod_dav, so Subversion can be built. + * New package: apache2-modules-dev, containing all + /usr/lib/apache2/modules/*a. (Thanks Adam Heath). + * Moved libapr.so.* symlinks to libapr-dev (Thanks again to doogie). + + -- Daniel Stone <daniel@sfarc.net> Sun, 25 Nov 2001 19:00:19 +1100 + +apache2 (2.0.28-1) unstable; urgency=low + + * Updated to 2.0.28, which they actually managed to agree on calling a beta. + * debian/apache2.init.d: + - Stripped of almost all its functionality. Now just touches httpd.conf if + we're starting and it doesn't exist, and then calls apache2ctl with all + our options, whatever they may be - it can error out if it wants. + * Removed patches: + - 010_index.html.it_typo - merged upstream. + * Updated patches: + - 009_apxs: make it actually find libtool. Thanks to David Kimdon. + - 002_apache2ctl: really fix apache2ctl graceful. + + -- Daniel Stone <daniel@sfarc.net> Sun, 18 Nov 2001 15:29:43 +1100 + +apache2 (2.0.26+cvs.20011028-2) unstable; urgency=low + + * Added vhost-base support. + - Removed Debconfage and moved all the templates to + debian/vhost-base/templates.d (/etc/vhosts/templates.d). + Removed apache2.postinst and apache2.config. + - Removed a2{dis,en}host. + * /usr/lib/cgi-bin will now be /cgi-bin, /var/vhosts/hostname/cgi-bin will be + /cgi-local. + + -- Daniel Stone <daniel@sfarc.net> Fri, 9 Nov 2001 21:53:27 +1100 + +apache2 (2.0.26+cvs.20011028-1) unstable; urgency=low + + * Resync with HEAD (another coming to fix segfaults, but no net connectivity + at the moment - 4-11-2001, 2:12pm. Grrr). + * New patches: + - 011_mod_autoindex-symlink: make icons for symlinks to files and dirs + special cases. + + Touches modules/generators/mod_autoindex.c + + Special cases: ^^SYMDIR^^ and ^^SYMLINK^^. + - 012_debian_version: adds "Debian" to the Apache version string. + + Touches include/ap_release.h - this patch has *no* context. Please + don't give it any, I don't want to have to rediff every version. + * debian/config/httpd.conf, debian/config/apache2.conf: + - Move main config file to apache2.conf, made it much more bare-bones. + + User (or package) config should be done in httpd.conf. + * apache2.conf: + - s/Port/Listen/ - booya! Finally they cleaned it up. + - Add (commented-out) icon entries for ^^SYMDIR^^ and ^^SYMLINK^^. + Anyone volunteer to create icons? + * debian/apache2.postinst: + - Minor cleanups. + - And later: Made it just call ap2addhost --default. (and a2enhost). + * debian/config/modules/ssl.conf, debian/config/sites/default-443: + - Put only generic SSL stuff in ssl.conf, split SSL support out into + a new virtual host thingy in accordance with dealing with ports. + * debian/config/sites/default, debian/config/sites/default-443, + debian/patches/004b_debian_layout: + - Add a new alias /cgi-pub/ to /usr/lib/cgi-bin. Packages should put + scripts here. + * debian/control: + - changed the Suggests: on apache2-doc to a Recommends: + + otherwise /manual/ will be a broken alias, as it points to + /usr/share/doc/apache2-doc/manual. + - changed libapr-dev to Architecture: all (from Arch: any) - whoops. + * Added support for multiple ports on the one virtual host. At the moment + it's one gigantic, ugly, kludge. *sigh*. Format: + - /var/vhosts/site.name/htdocs-PORT + - /var/vhosts/site.name/logs/(access|error).log-PORT + - /var/vhosts/site.name/cgi-bin-PORT + * debian/apache2.postinst, debian/config/sites/default, etc: + - s#/var/www#/var/vhosts#; + - s#htdocs#htdocs-$PORT#; + * More Debconfage - it now asks if you want SSL support in the default + virtual host, and which port number you want (default 81 so it sits + side-by-side with apache). + * Major change to postinst, a2addhost, et al: + - It's all now done in Perl, and postinst is no longer a special case. + The standalones call Debconf for what they need to do, calling it as a + standalone. This way, postinst just calls a2addhost, etc, and it also + smooths the path for me to do the vhost-base stuff. + * No, this migration path probably won't be smooth (between apache2 + versions). Sorry. + * Last release before I make it vhost-base compliant. + + -- Daniel Stone <daniel@sfarc.net> Sun, 28 Oct 2001 20:33:18 +1100 + +apache2 (2.0.26+cvs.20011023-1) unstable; urgency=low + + * Damnit, resync with HEAD (2_0_26 was unstable). + + -- Daniel Stone <daniel@sfarc.net> Tue, 23 Oct 2001 18:36:42 +1000 + +apache2 (2.0.26-1) unstable; urgency=low + + * Resync with upstream CVS (but only as far as the APACHE_2_0_26 tag). + Essentially, this gives all the coolness of a CVS tree, but all the + stability of a release. I may start tracking HEAD later, we'll just + have to see. + * Changed libapr->libapr0. + * Fixed a couple of typo's in index.html.it (thanks Md, via Joey). + * 22nd October, 7:51pm: Resync again as they added a couple of files + and bumped the tag to fix segfaults. + + -- Daniel Stone <daniel@sfarc.net> Wed, 17 Oct 2001 23:50:39 +1000 + +apache2 (2.0.25+cvs.20011001-1) unstable; urgency=low + + * More CVS resyncing joy. + * Silly stupid evil poo bum hack to apachectl. I don't like this. + Please, help. + * Got rid of a few lintian warnings. + * Install build stuff to /etc/apache2/build, adjust apxs accordingly. + * Agreed on policy with madduck. This is a MAJOR CHANGE, people. + A lot of stuff has changed around, so you'll need to change your + packages. + apache2 now treats everything as a virtual host (even when you only + have one host). This allows us to skirt around FHS and do our own + thing. ("Thpthpthpthpthpthpt, we're using vhosts. FHS doesn't say + anything about that.") + Please see README.Debian for more details. + * More fun with virtual hosts. Migrated their configuration files to + /etc/apache2/virtuals/<name>. This will allow for easy adding and + removal, via the new tools /usr/sbin/ap2(add|del)vh. + apache2's postinst touches /etc/apache2/POSTINST_CONFED, and will refuse + to re-run the postinst config stuff if it's there already. + * Module fun - /usr/sbin/ap2mod(en|dis). Modules put their loading line in + /etc/apache2/modules/foo.load, config in /etc/apache2/modules/foo.conf. + Enabled module stuff gets symlinked into /etc/apache2/mods-enabled. + * Move APR stuff to /usr/lib, not /usr/lib/libapr. Whoops, should've done + this a *long* *time* *ago*. + * More silly APR hacks: Move /usr/include/libapr to /usr/include/apache2, as + silly things like php4 don't get the fact that APR and apache2 can indeed + have different include directories. Grrr. + * Juggled script names - it's now a2(en|dis)(host|mod). + * I don't care, I'm uploading. No, really (closes: #103471). + It's been 93 days since I first did dh_make and ITPed it. :) + + -- Daniel Stone <daniel@sfarc.net> Thu, 4 Oct 2001 20:15:31 +1000 + +apache2 (2.0.25+cvs.20010923-1) unstable; urgency=low + + * Another resync with upstream CVS; most of the changes below were made + between then and now. + * Also added apache2-support - everything from support/*, so php4, et al + don't need to Build-Depend on apache2 itself. + + -- Daniel Stone <DanielS@esd.nec.com.au> Sun, 23 Sep 2001 13:21:16 +1000 + +apache2 (2.0.25+cvs.20010908-1) unstable; urgency=low + + * Synched everything with CVS; it works now. + * We now build with ./buildconf due to the above; redo all the patches + against configure.in. I swear this will be the last change, and that I'll + test it. + * Removed php4 and modperl-2.0 from the tree. I should keep the changelogs + internal, as this is now getting not only very silly, but very embarassing. + * I corrected myself in the ITP that it was licensed under the Apache + Software License, not GPLed, but forgot to do that in debian/copyright. + Whoops. Feel free to LART. + * Lintian cleanups: + - Remove extra LICENSE files. + - Stop stuff calling -rpath. + - Change printenv to call /usr/bin/perl, not /usr/local/bin/perl - wtf? + - Move manpages to the right directory. + * Minor merge from Thom courtesy of some stuff being stored on pandora:~thom. + - Use buildprogs.pl to parse stuff like apache2ctl, apxs2, etc. + * Hopefully I'm only one CVS sync away from an upload. + * Moved some stuff over to /usr/sbin, fixed apache2ctl once and for all. + Hopefully. + + -- Daniel Stone <daniel@sfarc.net> Sun, 9 Sep 2001 00:05:03 +1000 + +apache2 (2.0.24-2) unstable; urgency=low + + * The "Farewell Buddha" Release. + * Or, alternatively: The "Darren Milburn is an Idiot for Inciting Crowds" + Release. + * Yes, it's the height of evil, I know: modperl-2.0 goes into the source + tree. (from CVS). + Separate tarballs, thanks to DBS, but still, yeah. + * Ditto php4. + * Still no Thom's laptop; hence no merges, and I'm not going to duplicate + work. + + -- Daniel Stone <daniel@sfarc.net> Sun, 2 Sep 2001 21:50:59 +1000 + +apache2 (2.0.24-1) unstable; urgency=low + + * New upstream version. + * Use prefork, not threaded, MPM. (threaded is currently broken). + * Update example httpd.conf for mod_ssl and have lines for all the modules. + * Build-Depends, all the Build-Depends! + * Update maintainer email address (thanks Joey). + * Turns out using buildconf was what broke modules. I swear I won't do + anything like that again. Promise! (thanks Thom for pointing this out) + * Implied by the above, rediff all patches against configure, not + configure.in. + * Also, don't copy configure.{guess,sub} over anymore, because we don't need + them. + * More Thom merges: + - debian/patches/003_apache2ctl - rewritten apache2ctl to actually work. + * Return of debian/patches/006_dont_install_build_crap. GAH! + + -- Daniel Stone <daniel@sfarc.net> Sat, 18 Aug 2001 17:01:19 +1000 + +apache2 (2.0.23-2) unstable; urgency=low + * SSL finally works, and beat instructions on how to get it going out + of someone on new-httpd. Moved SSL stuff to apache2-modules. + * Disabled TLS, because it's unstable and unnecessary. + * Merge from Thom May's tree: + 005b_debian_layout - The Debian layout for stuff + - Move APR stuff to /usr/lib/libapr and /usr/include/libapr. + - Clean up debian/rules, largely thanks to the two new patches. + * General cleanups, resulting from running lintian: + - Chuck #DEBHELPER# in postinst, which also fixes the /usr/doc + and init.d problems (due to debhelper now doing its postinst + thing). + - Remove LICENSE files from apache2-doc and the default document + root. + - Remove man/ and build/ top-level dirs, install manpages correctly. + - Updated 004_perl_in_usr_bin to include the manual search CGI. + * Remove all evil, ugly, patches to configure in debian/patches/*, instead, + diff against configure.in, because autoconf gets run in the configure + stage every time. + * Copy config.{guess,sub} from /usr/share/misc (provided by autotools-dev) at + runtime, thus eliminating debian/patches/002_config_guess_and_sub. + * Reshuffled patch numbers to cope with the above. + * I give up on this DBM crap. Disable mod_auth_dbm for now. + + -- Daniel Stone <daniel@sfarc.net> Wed, 15 Aug 2001 18:27:23 +1000 + +apache2 (2.0.23-1) unstable; urgency=low + + * New upstream - 2.0.23. + * New patches: + 004_conffile_in_etc_apache2 - Make an ugly init.d hack unnecessary. + 005_perl_in_usr_bin - Make example CGI scripts use /usr/bin/perl. + * Fix mime_magic stuff by copying magic to /etc/apache2. + * Remove debian/patches/003_cgisock_in_var_log_apache2, instead found a new + conffile directive, put this into the default distributed conffile. + + -- Daniel Stone <daniel@sfarc.net> Sun, 12 Aug 2001 18:05:32 +1000 + +apache2 (2.0.22-2) unstable; urgency=low + + * Aargh, I'm an idiot. Fix a bug in mod_cgid.c that had a hardcoded path. + That's now debian/pactches/003*. + + -- Daniel Stone <daniel@sfarc.net> Sat, 11 Aug 2001 08:04:13 +1000 + +apache2 (2.0.22-1) unstable; urgency=low + + * Updated to 2.0.22, started using a form of DBS. + * Merge from Thom May's 2.0.20 tree - new libapr-dev package. + * Backed out the old mod_(tls|ssl) hacks, see if 2.0.23 is any better + (apparently it is, thank god). + + -- Daniel Stone <daniel@sfarc.net> Wed, 8 Aug 2001 15:13:09 +1000 + +apache2 (2.0.20-2) unstable; urgency=low + + * New SSL fixes from new-httpd. Apparently, this (generally) works. + + -- Daniel Stone <daniels@yakko.doogie.org> Fri, 13 Jul 2001 07:57:18 -0500 + +apache2 (2.0.20-1) unstable; urgency=low + + * New upstream release + + -- Daniel Stone <daniel@kabuki.sfarc.net> Mon, 9 Jul 2001 18:41:04 +1000 + +apache2 (2.0.18-1) unstable; urgency=low + + * Initial Release. + + -- Daniel Stone <daniel@sfarc.net> Wed, 4 Jul 2001 21:29:29 +1000 |