apache2_2.2.16-4~bpo50+1_i386.changes is NEW
(new) apache2-dbg_2.2.16-4~bpo50+1_i386.deb extra debug
Apache debugging symbols
This package includes the debugging symbols for Apache 2.
See /usr/share/doc/apache2.2-common/README.backtrace for more information.
(new) apache2-doc_2.2.16-4~bpo50+1_all.deb optional doc
Apache HTTP Server documentation
This package provides the documentation for Apache 2. For more details
see the apache2 package description.
(new) apache2-mpm-event_2.2.16-4~bpo50+1_i386.deb optional httpd
Apache HTTP Server - event driven model
Each Apache Multi-Processing Module provides a different "flavor" of
web server binary, compiled with a different processing model.
.
The event MPM is designed to allow more requests to be served
simultaneously by passing off some processing work to supporting
threads, freeing up the main threads to work on new requests. It is
especially suitable for sites that see extensive KeepAlive traffic.
.
This MPM is experimental and less tested than the worker and prefork MPMs.
(new) apache2-mpm-itk_2.2.16-4~bpo50+1_i386.deb extra httpd
multiuser MPM for Apache 2.2
The ITK Multi-Processing Module (MPM) works in about the same way as the
classical "prefork" module (that is, without threads), except that it allows
you to constrain each individual vhost to a particular system user. This
allows you to run several different web sites on a single server without
worrying that they will be able to read each others' files. This is a
third-party MPM that is not included in the normal Apache httpd.
.
Please note that this MPM is somewhat less tested than the MPMs that come with
Apache itself.
(new) apache2-mpm-prefork_2.2.16-4~bpo50+1_i386.deb optional httpd
Apache HTTP Server - traditional non-threaded model
Each Apache Multi-Processing Module provides a different "flavor" of
web server binary, compiled with a different processing model.
.
The prefork MPM provides a non-threaded, pre-forking implementation
that handles requests in a manner similar to Apache 1.3. It is not as
fast as threaded models, but is considered to be more stable. It is
appropriate for sites that need to maintain compatibility with
non-thread-safe libraries, and is the best MPM for isolating each
request, so that a problem with a single request will not affect any
other.
(new) apache2-mpm-worker_2.2.16-4~bpo50+1_i386.deb optional httpd
Apache HTTP Server - high speed threaded model
Each Apache Multi-Processing Module provides a different "flavor" of
web server binary, compiled with a different processing model.
.
The worker MPM provides the default threaded implementation. It is
recommended especially for high-traffic sites because it is faster
and has a smaller memory footprint than the traditional prefork MPM.
(new) apache2-prefork-dev_2.2.16-4~bpo50+1_i386.deb extra httpd
Apache development headers - non-threaded MPM
This package provides the development headers and apxs2 binary for
apache2-mpm-prefork; see the apache2 package description for more details.
.
This should only be used when you absolutely *must* support a non-threaded
environment (for PHP, for example).
(new) apache2-suexec-custom_2.2.16-4~bpo50+1_i386.deb extra httpd
Configurable suexec program for Apache 2 mod_suexec
Provides a customizable version of the suexec helper program for mod_suexec.
This is not the version from upstream, but can be configured with a
configuration file.
.
If you do not need non-standard document root or userdir settings, it is
recommended that you use the standard suexec helper program from the
apache2-suexec package instead.
(new) apache2-suexec_2.2.16-4~bpo50+1_i386.deb optional httpd
Standard suexec program for Apache 2 mod_suexec
Provides the standard suexec helper program for mod_suexec. This version is
compiled with document root /var/www and userdir suffix public_html. If you
need different settings, use the package apache2-suexec-custom.
(new) apache2-threaded-dev_2.2.16-4~bpo50+1_i386.deb extra httpd
Apache development headers - threaded MPM
This package provides the development headers and apxs2 binary for
threaded versions of apache2; see the apache2 package description
for more details.
(new) apache2-utils_2.2.16-4~bpo50+1_i386.deb optional httpd
utility programs for webservers
Provides some add-on programs useful for any webserver. These include:
- ab (Apache benchmark tool)
- logresolve (Resolve IP addresses to hostname in logfiles)
- htpasswd (Manipulate basic authentication files)
- htdigest (Manipulate digest authentication files)
- dbmmanage (Manipulate basic authentication files in DBM format, using perl)
- htdbm (Manipulate basic authentication files in DBM format, using APR)
- rotatelogs (Periodically stop writing to a logfile and open a new one)
- split-logfile (Split a single log including multiple vhosts)
- checkgid (Checks whether the caller can setgid to the specified group)
- check_forensic (Extract mod_log_forensic output from Apache log files)
(new) apache2.2-bin_2.2.16-4~bpo50+1_i386.deb optional httpd
Apache HTTP Server common binary files
The Apache Software Foundation's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package contains all binaries but no configuration or support scripts.
To get a stand-alone server, you need to install one of the apache2-mpm-*
packages, such as worker or prefork. Other packages like gnome-user-share
may bring their own Apache configuration, though.
(new) apache2.2-common_2.2.16-4~bpo50+1_i386.deb optional httpd
Apache HTTP Server common files
The Apache Software Foundation's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package contains the configuration and support scripts.
However, it does *not* include the server itself; for this you need to
install one of the apache2-mpm-* packages, such as worker or prefork.
(new) apache2_2.2.16-4~bpo50+1.diff.gz optional httpd
(new) apache2_2.2.16-4~bpo50+1.dsc optional httpd
(new) apache2_2.2.16-4~bpo50+1_i386.deb optional httpd
Apache HTTP Server metapackage
The Apache Software Foundation's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
It features support for HTTPS, virtual hosting, CGI, SSI, IPv6, easy
scripting and database integration, request/response filtering, many
flexible authentication schemes, and more.
(new) apache2_2.2.16.orig.tar.gz optional httpd
Changes: apache2 (2.2.16-4~bpo50+1) lenny-backports; urgency=low
.
* Rebuild for lenny-backports.
* Add myself as an uploader.
.
apache2 (2.2.16-4) unstable; urgency=medium
.
* Increase the mod_reqtimeout default timeouts to avoid potential problems
with CRL-requesting browsers. Also extend the comments in reqtimeout.conf.
* Remove bogus comment in conf.d/security about default in the "release
after Lenny".
* Clarify comments in suexec-custom's default config file. LP: #673289
.
apache2 (2.2.16-3) unstable; urgency=high
.
* CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
* Fix "Could not reliably determine the server's ..." error message in
README.Debian, to make it easier to search for it. Closes: #590528
.
apache2 (2.2.16-2) unstable; urgency=low
.
* Force -j1 for 'make install' to fix occasional FTBFS. Closes: #593036
* Add a note about the new behaviour of SSL/TLS renegotiation and the new
directive SSLInsecureRenegotiation to NEWS.Debian. Closes: #593334
* Support 'graceful' as alias for 'reload' in the init script.
* In README.Debian, suggest an Apache configuration change to get rid of the
"Could not reliably determine the server's fully qualified domain name"
warning, as alternative to changing DNS or /etc/hosts. Closes: #590528
* Add notes to README.Debian on how to reduce memory usage.
* Bump Standards-Version (no changes).
.
apache2 (2.2.16-1) unstable; urgency=medium
.
* Urgency medium for security fix.
* New upstream release:
- CVE-2010-1452: mod_dav, mod_cache: Fix denial of service vulnerability
due to incorrect handling of requests without a path segment.
- mod_dir: add FallbackResource directive, to enable admin to specify
an action to happen when a URL maps to no file, without resorting
to ErrorDocument or mod_rewrite
* Fix mod_ssl header line corruption because of using memcpy for overlapping
buffers. PR 45444. LP: #609290, #589611, #595116
.
apache2 (2.2.15-6) unstable; urgency=low
.
* Fix init script not correctly killing htcacheclean. Closes: #580971
* Add a separate entry in README.Debian about the need to use apache2ctl
for starting instead of calling apache2 directly. Closes: #580445
* Fix debug info to allow gdb loading it automatically. Closes: #581514
* Fix install target in Makefile created by apxs2 -n. Closes: #588787
* Fix ab sending more requests than specified by the -n parameter.
Closes: #541158
* Add apache2 monit configuration to apache2.2-commons examples dir.
Closes: #583127
* Build as PIE, since gdb in squeeze now supports it.
* Update the postrm script to also purge the version of /var/www/index.html
introduced in 2.2.11-7.
* Bump Standards-Version (no changes).
.
apache2 (2.2.15-5) unstable; urgency=low
.
* Conflict with apache package as we now include apachectl. Closes: #579065
* Remove conflicts with old apache 2.0 modules. The conflicts are not
necessary anymore as skipping a stable release is not supported anyway.
* Silence the grep in preinst.
.
apache2 (2.2.15-4) unstable; urgency=low
.
* Move definition of other_vhosts_access.log to new config file
/etc/apache2/conf.d/other-vhosts-access-log, but disable it
if it has been disabled by the admin. Closes: #576572. LP: #507616
* Comment out the contents of mods-available/proxy.conf, as it just
is a nuisance for use of apache2 as a reverse proxy, which is much
more common than the use as forward proxy. Extend the comments
in the file.
* Change defaults or add example configs for some modules:
status.conf:
- enable ExtendedStatus by default
- enable ProxyStatus by default
- document SeeRequestTail directive
proxy_ftp.conf:
- set 'ProxyFtpDirCharset UTF-8' by default
ldap.conf:
- enable /ldap-status page, allow it from localhost by default
proxy_balancer.conf:
- add (disabled) example for /balancer-manager page
ssl.conf:
- document SSLStrictSNIVHostCheck directive
* Add symlink from apachectl to apache2ctl to be more compatible with
upstream. Apache httpd 1.3 hasn't been in Debian for some time.
* Simplify logrotate script. Closes: #576105
* Remove empty directory /usr/lib/debug/usr/sbin in mpm packages.
Closes: #576089
* Fix apxs2 to work with perl 5.12rc3. Closes: #577239
* Add source/format file to make lintian happy.
.
apache2 (2.2.15-3) unstable; urgency=low
.
* mod_reqtimeout: backport bugfixes from upstream trunk up to r928881,
including a fix for mod_proxy CONNECT requests.
* mod_dav_fs: Use correct permissions when creating new files. LP: #540747
.
apache2 (2.2.15-2) unstable; urgency=low
.
* Make the Files ~ "^\.ht" block in apache2.conf more secure by adding
Satisfy all. Closes: #572075
* mod_reqtimeout: Various bug fixes, including:
- Don't mess up timeouts of mod_proxy's backend connections.
Closes: #573163
.
apache2 (2.2.15-1) unstable; urgency=low
.
* New upstream version:
- CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability
- CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol
prefix injection attack.
- CVE-2010-0434: mod_headers: Fix potential information leak with threaded
MPMs.
- mod_reqtimeout: New module limiting the time waiting for receiving
a request from the client. This is a (partial) mitigation against
slowloris-type resource exhaustion attacks. The module is enabled by
default. Closes: #533661
- mod_ssl: Add SSLInsecureRenegotiation directive to allows insecure
renegotiation with clients which do not yet support the secure
renegotiation protocol. As this requires openssl 0.9.8m, bump
build dependency accordingly.
* Fix bash completion for a2ensite if the site name contains 'conf' or
'load'. Closes: #572232
* Do a configcheck in the init script before doing a non-graceful restart.
Closes: #571461
.
apache2 (2.2.14-7) unstable; urgency=low
.
* Fix potential memory leaks related to the usage of apr_brigade_destroy().
* Add hints about correct mod_dav_fs configuration to README.Debian.
Closes: #257945
* Fix error in Polish translation of 404 error page. Closes: #570228
* Document ThreadLimit in apache2.conf's comments.
.
apache2 (2.2.14-6) unstable; urgency=low
.
* Use environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR, and
APACHE_LOG_DIR in the default configuration. If you have modified
/etc/apache2/envvars, make sure that these variables are set and exported.
* Add support for multiple apache2 instances to initscript and apache2ctl.
See /usr/share/doc/apache2.2-common/README.multiple-instances for details.
Closes: #353450
* Set default compiled-in ServerRoot to /etc/apache2 and make paths in
apache2.conf relative to ServerRoot.
* Move ab and logresolve from /usr/sbin to /usr/bin. Closes: #351450, #564061
* Fix symlinks in apache2-dbg package. Closes: #567076
* Fix mod_cache CacheIgnoreURLSessionIdentifiers handling. Closes: #556383
* Add new init script action graceful-stop (LP: #456381)
* Add more languages to mime.conf. To limit this to useful entries, we only
add those for which a translation of the Debian intaller exists. LP: #217964
* Unset $HOME in /etc/apache2/envvars.
* Change default config of mod_info and mod_status to use IP addresses
instead of hostnames. Otherwise the hostname is sometimes logged even with
'HostnameLookup Off'. Closes: #568409
* Add a hook to apache2.2-common's postrm script that may come in handy
when upgrading to 2.4.
* Make bug script also display php extensions.
* Bump Standards-Version (no changes).
* Remove Adam Conrad from Uploaders. Thanks for your work in the past.
.
apache2 (2.2.14-5) unstable; urgency=low
.
* Security: Further mitigation for the TLS renegotation attack
(CVE-2009-3555): Disable keep-alive if parts of the next request have
already been received when doing a renegotiation. This defends against
some request splicing attacks.
* Print a useful error message if 'apache2ctl status' fails. Add a comment
to /etc/apache2/envvars on how to change the options for www-browser.
Closes: #561496, #272069
* Improve function to detect apache2 pid in init-script (closes: #562583).
* Add hint README.Debian on how to pass auth info to CGI scripts.
Closes: #483219
* Re-introduce objcopy magic to avoid dangling symlinks to the debug info
in the mpm packages. Closes: #563278
* Make apxs2 use a2enmod and /etc/apache2/mods-available. Closes: #470178,
LP: #500703
* Point to README.backtrace in apache2-dbg's description.
* Use more debhelper functions to simplify debian/rules.
* Add misc-depends to various packages to make lintian happy.
* Change build-dep from libcap2-dev to libcap-dev because of package rename.
.
apache2 (2.2.14-4) unstable; urgency=low
.
* Disable localized error pages again by default because they break
configurations with "<Location /> SetHandler ...". A workaround is
described in the comments in /etc/apache2/conf.d/localized-error-pages
(closes: #543333).
* mod_rewrite: Fix URLs in redirects with literal IPv6 hosts
(closes: #557015).
* Automatically listen on port 443 if mod_gnutls is loaded (closes: #558234).
* Add man page for split-logfile.
* Link with -lcrypt where necessary to fix a FTBFS with binutils-gold
(closes: #553946).
.
apache2 (2.2.14-3) unstable; urgency=low
.
* Backport various mod_dav/mod_dav_fs fixes from upstream trunk svn. This
includes:
- Make PUT replace files atomically (closes: #525137).
- Make MOVE not delete the destination if the source file disappeared in
the meantime (closes: #273476).
NOTE: The format of the DavLockDB has changed. The default DavLockDB will
be deleted on upgrade. Non-default DavLockDBs should be deleted manually.
* Fix output of "/etc/init.d/apache2 status" (closes: #555687).
* Update the comment about SNI in ports.conf (closes: #556932).
* Set redirect-carefully for Konqueror/4.
.
apache2 (2.2.14-2) unstable; urgency=medium
.
* Security:
Reject any client-initiated SSL/TLS renegotiations. This is a partial fix
for the TLS renegotiation prefix injection attack (CVE-2009-3555).
Any configuration which requires renegotiation for per-directory/location
access control is still vulnerable.
* Allow RemoveType to override the types from /etc/mime.types. This allows
to use .es and .tr for Spanish and Turkish files in mod_negotiation.
Closes: #496080
* Fix 'CacheEnable disk http://'. Closes: #442266
* Fix missing dependency by changing killall to pkill in the init script.
LP: #460692
* Add X-Interactive header to init script as it may ask for the ssl key
passphrase. Closes: #554824
* Move httxt2dbm man page into apache2.2-bin, which includes httxt2dbm, too.
* Enable keepalive for MSIE 7 and newer in default-ssl site and README.Debian
.
apache2 (2.2.14-1) unstable; urgency=low
.
* New upstream version:
- new module mod_proxy_scgi
* Disable hardening option -pie again, as gdb in Debian does not support
it properly and it is broken on mips*.
.
apache2 (2.2.13-2) unstable; urgency=high
.
* mod_proxy_ftp security fixes (closes: #545951):
- DoS by malicious ftp server (CVE-2009-3094)
- missing input sanitization: a user could execute arbitrary ftp commands
on the backend ftp server (CVE-2009-3095)
* Add entries to NEWS.Debian and README.Debian about Apache being stricter
about certain misconfigurations involving name based SSL virtual hosts.
Also make Apache print the location of the misconfigured VirtualHost when
it complains about a missing SSLCertificateFile statement. Closes: #541607
* Add Build-Conflicts: autoconf2.13 (closes: #541536).
* Adjust priority of apache2-mpm-itk to extra.
* Switch apache2.2-common and the four mpm packages from architecture all to
any. This is stupid but makes apache2 binNMUable again (closes: #544509).
* Bump Standards-Version (no changes).
.
apache2 (2.2.13-1) unstable; urgency=low
.
* New upstream release:
- Fixes segfault with mod_deflate and mod_php (closes: #542623).
.
apache2 (2.2.12-1) unstable; urgency=low
.
* New upstream release:
- Adds support for TLS Server Name Indication (closes: #461917 LP: #184131).
(The Debian default configuration will be changed to use SNI in a later
version.)
- Fixes timefmt config in SSI (closes: #363964).
- mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
to enable stricter checking of remote server certificates.
* Make mod_deflate not compress the content for HEAD requests. This is a
similar issue as CVE-2009-1891.
* Enable hardening compile options.
* Switch default LogFormat from %b (size of file sent) to %O (bytes actually
sent) (closes: #272476 LP: #255124)
* Add the default LANG=C to /etc/apache2/envvars and document it in
README.Debian (closes: #511878).
* Enable localized error pages by default if the necessary modules are
loaded. Move the config for it from apache2.conf to
/etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the
required order of the aliases in the comment (closes: #196795).
* Change default for ServerTokens to 'OS', to not announce the exact module
versions to the world (LP: #205996)
* Make a2ensite and friends ignore the same filenames as apache does for
included config files, even if LANG is not C.
* Merge source packages apache2 and apache2-mpm-itk (current itk version is
2.2.11-02). This removes the binNMU mess necessary for every apache2 upload
(closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src
package, which is no longer necessary.
* Ship our own version of the magic config file (taken from file 4.17-5etch3)
which is still compatible with mod_mime_magic (closes: #483111).
* Add ThreadLimit to the default config and put ThreadsPerChild and
MaxClients into the correct order so that Apache does not complain
(closes: #495656).
Also add a configuration block for the event MPM in apache2.conf.
* Fix HTTP PUT with mod_dav failing to detect an aborted connection
(closes: #451563).
* Change references to httpd.conf in apache2-doc to apache2.conf
(closes: #465393).
* Clarify the recommended permissions for SSL certificates in README.Debian
(closes: #512778).
* Document in README.Debian how to name files in conf.d to avoid conflicts
with packages (closes: #493252)
* Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
* Remove other_vhosts_access.log on package purge.
.
apache2 (2.2.11-7) unstable; urgency=low
.
* Security fixes:
- CVE-2009-1890: denial of service in mod_proxy
- CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
* Add symlinks for the debug info to the mpm packages.
* Be slightly more informative in the default index.html without pointing
to Apache or Debian (LP: #89364)
* Remove dependency on net-tools, which is no longer necessary
(closes: #535849)
* Bump Standards-Version (no changes)
.
apache2 (2.2.11-6) unstable; urgency=high
.
* CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
Side Includes (closes: #530834).
* Fix postinst scripts (closes: #532278).
.
apache2 (2.2.11-5) unstable; urgency=low
.
* Move all binaries into a new package apache2.2-bin and make
apache2.2-common depend on it. This allows to
- run apache as user process only, e.g. with gnome-user-share.
Closes: #468690
- run multiple instances of apache with different MPMs. This configuration
is not supported in any way, though. Closes: #517572
* Switch to debhelper compatibility level 7 and remove some code duplication
in debian/rules.
* Override some Lintian warnings about old autotools helper files and being
not binNMUable (apache2 is not binNMUable anyway, because of the
apache2 <-> apache2-mpm-itk dependency).
.
apache2 (2.2.11-4) unstable; urgency=low
.
[ Stefan Fritsch ]
* Disable TRACE method by default (closes: #492130).
* Compress some more mime types with mod_deflate by default. This may cause
problems with MSIE 6, but that browser should now be considered obsolete.
Closes: #397526, #521209
* Various backports from upstream svn branches/2.2.x:
- CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous
request which failed to send a request body
- Fix FollowSymlinks / SymlinksIfOwnerMatch ignored with
server-side-includes PR 45959 (closes: #524474)
- Fix mod_rewrite "B" flag breakage PR 45529 (closes: #524268)
- Fix mod_deflate etag handling PR 45023 (LP: #358314)
- Fix mod_ldap segfault if LDAP initialization failed PR 45994
* Allow apache2-mpm-itk as alternate dependency in apache2 meta package
(closes: #527225).
* Fix some misuse of command substitution in the init script. Thanks to
Jari Aalto for the patch. (Closes: #523398)
* Extend the gnome-vfs DAV workaround to gvfs (closes: #522845).
* Add more info to check_forensic man page (closes: #528424).
* Make "apache2ctl help" point to help on apache2 args (closes: #528425).
* Lintian warnings:
- fix spelling error in apache2-utils description
- tweak debian/copyright to make lintian not complain about pointers to GPL
- bump standards-version (no changes)
.
[ Peter Samuelson ]
* Adjust sections to match recent ftpmaster overrides.
.
apache2 (2.2.11-3) unstable; urgency=low
.
* Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap
(see #521899). This also creates the dependencies on the new external
libaprutil1-dbd-* and libaprutil1-ldap packages.
.
apache2 (2.2.11-2) unstable; urgency=low
.
* Report an error instead instead of segfaulting when apr_pollset_create
fails (PR 46467). On Linux kernels since 2.6.27.8, the value in
/proc/sys/fs/epoll/max_user_instances needs to be larger than twice the
value of MaxClients in the Apache configuration. Closes: #511103
.
apache2 (2.2.11-1) unstable; urgency=low
.
[Thom May]
* New Upstream Version (Closes: #508186, LP: #307397)
- Contains rewritten shmcb code which should fix alignment problems on
alpha (Closes: #419720).
- Notable new features: chroot support, mod_proxy improvements.
.
[Ryan Niebur]
* fix segfault in ab when being verbose on ssl sites (Closes: #495982)
* remove trailing slash for DocumentRoot (Closes: #495110)
.
apache2 (2.2.9-11) unstable; urgency=low
.
* Regression fix from upstream svn for mod_proxy:
Prevent segmentation faults by correctly adjusting the lifetime of the
buckets read from the proxy backend. PR 45792
* Fix from upstream svn for mpm_worker:
Crosscheck that idle workers are still available before using them and
thus preventing an overflow of the worker queue which causes a SegFault.
PR 45605
* Add a comment to ports.conf to point to NEWS.Debian.gz in case of
upgrading problems.
Override entries for your package:
Announcing to debian-backports-changes@lists.debian.org
Your package contains new components which requires manual editing of
the override file. It is ok otherwise, so please be patient. New
packages are usually added to the override file about once a week.
You may have gotten the distribution wrong. You'll get warnings above
if files already exist in other distributions.
n other distributions.
Reply to: