Processed: Bug#955348 marked as pending in apache2
Processing control commands: > tag -1 pending Bug #955348 [apache2-bin] mod_ssl: Backport fix for TLS 1.3 client cert authentication for POST requests Added tag(s) pending. -- 955348: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955348 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Fixed ?
Processing control commands: > tags -1 + moreinfo Bug #910368 [apache2] apache2: Apache does not start reliably after reboot Added tag(s) moreinfo. -- 910368: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910368 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#951753: marked as done (AH01574: module dav_module is already loaded, skipping)
Your message dated Wed, 18 Mar 2020 21:04:40 + with message-id and subject line Bug#951753: fixed in apache2 2.4.41-5 has caused the Debian Bug report #951753, regarding AH01574: module dav_module is already loaded, skipping to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 951753: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951753 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: apache2 Version: 2.4.41-4 Severity: minor File: /etc/apache2/mods-available/dav.load Every time Apache is restarted, I see one or more of these in the logs: AH01574: module dav_module is already loaded, skipping The problem is that both dav.load and dav_svn.load load mod_dav.so, and the second one is not protected against reloading. The cure is to protect it like this: ===File /etc/apache2/mods-available/dav.load LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so as suggested in https://stackoverflow.com/questions/50231086/apache-on-ubuntu-module-dav-module-is-already-loaded -- Francesco Potortì (ricercatore)Voice: +39.050.621.3058 ISTI - Area della ricerca CNR Mobile: +39.348.8283.107 via G. Moruzzi 1, I-56124 Pisa Skype: wnlabisti (gate 20, 1st floor, room C71) Web:http://fly.isti.cnr.it -- Package-specific info: *** Reporter, please consider answering these questions, where appropriate *** * What led up to the situation? * What exactly did you do (or not do) that was effective (or ineffective)? * What was the outcome of this action? * What outcome did you expect instead? 
*** End of the template - remove these template lines *** -- System Information: Debian Release: bullseye/sid APT prefers testing APT policy: (990, 'testing'), (101, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.3.0-2-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE=C:en_GB:en:en_US:it:fr:es (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages apache2 depends on: ii apache2-bin2.4.41-4 ii apache2-data 2.4.41-4 ii apache2-utils 2.4.41-4 ii dpkg 1.19.7 ii lsb-base 11.1.0 ii mime-support 3.64 ii perl 5.30.0-9 ii procps 2:3.3.15-2+b1 Versions of packages apache2 recommends: ii ssl-cert 1.0.39 Versions of packages apache2 suggests: ii apache2-doc 2.4.41-4 ii apache2-suexec-custom 2.4.41-4 ii chromium [www-browser] 79.0.3945.130-2 ii elinks [www-browser]0.13.1-1 ii epiphany-browser [www-browser] 3.34.1-1+b1 ii firefox [www-browser] 73.0.1-1 ii lynx [www-browser] 2.9.0dev.4-1 ii w3m [www-browser] 0.5.3-37+b1 Versions of packages apache2-bin depends on: ii libapr11.6.5-1+b1 ii libaprutil11.6.1-4+b1 ii libaprutil1-dbd-mysql 1.6.1-4+b1 ii libaprutil1-ldap 1.6.1-4+b1 ii libbrotli1 1.0.7-6 ii libc6 2.29-10 ii libcrypt1 1:4.4.10-10 ii libcurl4 7.67.0-2 ii libjansson42.12-1 ii libldap-2.4-2 2.4.49+dfsg-1 ii liblua5.2-05.2.4-1.1+b3 ii libnghttp2-14 1.40.0-1 ii libpcre3 2:8.39-12+b1 ii libssl1.1 1.1.1d-2 ii libxml22.9.4+dfsg1-8 ii perl 5.30.0-9 ii zlib1g 1:1.2.11.dfsg-1.2 Versions of packages apache2-bin suggests: ii apache2-doc 2.4.41-4 ii apache2-suexec-custom 2.4.41-4 ii chromium [www-browser] 79.0.3945.130-2 ii elinks [www-browser]0.13.1-1 ii epiphany-browser [www-browser] 3.34.1-1+b1 ii firefox [www-browser] 73.0.1-1 ii lynx [www-browser] 2.9.0dev.4-1 ii w3m [www-browser] 0.5.3-37+b1 Versions of packages apache2 is related 
to: ii apache2 2.4.41-4 ii apache2-bin 2.4.41-4 -- Configuration Files: /etc/apache2/apache2.conf changed: DefaultRuntimeDir ${APACHE_RUN_DIR} PidFile ${APACHE_PID_FILE} Timeout 300 KeepAlive On MaxKeepAliveRequests 100 KeepAliveTimeout 5 User ${APACHE_RUN_USER} Group ${APACHE_RUN_GROUP} HostnameLookups On ErrorLog ${APACHE_LOG_DIR}/error.log LogLevel warn IncludeOptional mods-enabled/*.load IncludeOptional mods
Bug#954201: marked as done (mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy AJP13 authentication)
Your message dated Wed, 18 Mar 2020 21:04:40 + with message-id and subject line Bug#954201: fixed in apache2 2.4.41-5 has caused the Debian Bug report #954201, regarding mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy AJP13 authentication to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 954201: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954201 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: apache2 Severity: normal Tags: patch Hi, FreeIPA needs this patch for 2.4 applied, so that AJP works with tomcat 9.0.31: https://svn.apache.org/viewvc?view=revision=1874456 thanks --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.41-5 Done: Xavier Guimard We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 954...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. 
Xavier Guimard (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 18 Mar 2020 21:06:49 +0100 Source: apache2 Architecture: source Version: 2.4.41-5 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Xavier Guimard Closes: 951753 954201 Changes: apache2 (2.4.41-5) unstable; urgency=medium . [ Xavier Guimard ] * Avoid double mod_dav load (Closes: #951753) . [ Timo Aaltonen ] * mod_proxy_ajp-add-secret-parameter.diff: Apply a patch from 2.4.x to fix AJP with current tomcat. (Closes: #954201) --- End Message ---
Processed: Bug#954201 marked as pending in apache2
Processing control commands: > tag -1 pending Bug #954201 [src:apache2] mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy AJP13 authentication Added tag(s) pending. -- 954201: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954201 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Bug#951753 marked as pending in apache2
Processing control commands: > tag -1 pending Bug #951753 [apache2] AH01574: module dav_module is already loaded, skipping Added tag(s) pending. -- 951753: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951753 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#950711: marked as done (apache2: autopkgtest use hardcoded libgcc_s.so.1 path)
Your message dated Wed, 05 Feb 2020 12:49:29 + with message-id and subject line Bug#950711: fixed in apache2 2.4.41-3 has caused the Debian Bug report #950711, regarding apache2: autopkgtest use hardcoded libgcc_s.so.1 path to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 950711: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950711 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: apache2 Version: 2.4.41-2 Severity: serious apache2 autopkgtest hard codes the path to libgcc_s.so.1 in debian/tests/chroot: | LIBGCC_S_PATH=/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/libgcc_s.so.1 Starting with libgcc1 >= 10, aka libgcc-s1, the file has been moved to /usr/lib/$(DEB_HOST_MULTIARCH)/libgcc_s.so.1, causing the autopkgtest to fail. 
Here is the full log to the failure: https://ci.debian.net/data/autopkgtest/testing/amd64/a/apache2/4201876/log.gz If you really need to know the path of this library, I suggest to use the following code, with a dependency on gcc: | gcc --print-file-name=libgcc_s.so.1 -- System Information: Debian Release: bullseye/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.3.0-3-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.41-3 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 950...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Xavier Guimard (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 05 Feb 2020 13:18:04 +0100 Source: apache2 Architecture: source Version: 2.4.41-3 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Xavier Guimard Closes: 950711 Changes: apache2 (2.4.41-3) unstable; urgency=medium . * Don't use hardcoded libgcc_s.so.1 path in autopkgtest files. 
Thanks to Aurelien Jarno (Closes: #950711) --- End Message ---
Processed: Bug#950711 marked as pending in apache2
Processing control commands: > tag -1 pending Bug #950711 [src:apache2] apache2: autopkgtest use hardcoded libgcc_s.so.1 path Added tag(s) pending. -- 950711: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950711 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: found 933129 in 2.4.38-3+deb10u3
Processing commands for cont...@bugs.debian.org: > found 933129 2.4.38-3+deb10u3 Bug #933129 [apache2] apache2: OCSP stapling poorly handled, yielding trylater errors in the client Marked as found in versions apache2/2.4.38-3+deb10u3. > thanks Stopping processing here. Please contact me if you need assistance. -- 933129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933129 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: your mail
Processing commands for cont...@bugs.debian.org: > block 936129 by 936128 Bug #936129 [src:apr-util] apr-util: Python2 removal in sid/bullseye 936129 was not blocked by any bugs. 936129 was blocking: 936128 Added blocking bug(s) of 936129: 936128 > thanks Stopping processing here. Please contact me if you need assistance. -- 936129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936129 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed (with 1 error): Re: Bug #936128: apr: Python2 removal in sid/bullseye
Processing control commands: > tags -1 + patches Unknown tag/s: patches. Recognized are: patch wontfix moreinfo unreproducible help security upstream pending confirmed ipv6 lfs d-i l10n newcomer a11y ftbfs fixed-upstream fixed fixed-in-experimental sid experimental potato woody sarge sarge-ignore etch etch-ignore lenny lenny-ignore squeeze squeeze-ignore wheezy wheezy-ignore jessie jessie-ignore stretch stretch-ignore buster buster-ignore bullseye bullseye-ignore bookworm bookworm-ignore. Bug #936128 [src:apr] apr: Python2 removal in sid/bullseye Requested to add no tags; doing nothing. -- 936128: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936128 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#948757: marked as done (apache2: embeds path to EGREP in config_vars.mk)
Your message dated Mon, 13 Jan 2020 06:34:22 + with message-id and subject line Bug#948757: fixed in apache2 2.4.41-2 has caused the Debian Bug report #948757, regarding apache2: embeds path to EGREP in config_vars.mk to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 948757: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948757 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: apache2 Version: 2.4.41-1 Severity: wishlist Tags: patch User: reproducible-bui...@lists.alioth.debian.org Usertags: usrmerge X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org The EGREP variable is stored in config_vars.mk and is derived from the GREP variable, which may get set to /bin/grep or /usr/bin/grep on usrmerge where /bin is a symlink to /usr/bin. The attached patch sets GREP=/bin/grep in the configure phase to work around this issue, since /bin/grep will work correctly on both usrmerge and non-usrmerge systems. Thanks for maintaining apache2! live well, vagrant From 15184b6753b84174535d29360672f9362e288d76 Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian Date: Sun, 12 Jan 2020 17:44:23 -0800 Subject: [PATCH] Set GREP=/bin/grep during configure for reproducible builds. The EGREP variable is stored in config_vars.mk and is derived from the GREP variable, which may get set to /bin/grep or /usr/bin/grep on usrmerge where /bin is a symlink to /usr/bin. --- debian/rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/rules b/debian/rules index 44cfa8a0..508dde96 100755 --- a/debian/rules +++ b/debian/rules 
@@ -117,7 +117,7 @@ configure-stamp: prebuild-checks-stamp support/suexec-custom.c --enable-mods-shared="all brotli cgi ident authnz_fcgi imagemap cern_meta proxy_fdpass proxy_http2 bucketeer case_filter case_filter_in" \ --enable-mods-static="unixd logio watchdog version" \ CFLAGS="$(AP2_CFLAGS)" CPPFLAGS="$(AP2_CPPFLAGS)" LDFLAGS="$(AP2_LDFLAGS)" \ - LTFLAGS="$(AP2_LTFLAGS)" SHELL=/bin/bash + LTFLAGS="$(AP2_LTFLAGS)" SHELL=/bin/bash GREP=/bin/grep touch $@ debian/config-dir/apache2.conf: debian/config-dir/apache2.conf.in -- 2.20.1 signature.asc Description: PGP signature --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.41-2 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 948...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Xavier Guimard (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 13 Jan 2020 06:14:45 +0100 Source: apache2 Architecture: source Version: 2.4.41-2 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Xavier Guimard Closes: 948757 948759 Changes: apache2 (2.4.41-2) unstable; urgency=medium . [ Stefan Fritsch ] * Add *.load file for mod_socache_redis . 
[ Vagrant Cascadian ] * Embeds path to EGREP in config_vars.mk (Closes: #948757) * Sanitize CXXFLAGS/-ffile-prefix-map in config_vars.mk (Closes: #948759)
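Review bot: The `GREP=/bin/grep` override appended to the configure invocation in the `configure-stamp` hunk of debian/rules carries no comment, so a later cleanup could drop it as redundant. Add a short comment above the configure call saying that GREP is pinned because EGREP is derived from it and stored in config_vars.mk, where /bin/grep versus /usr/bin/grep differs between usrmerge and non-usrmerge build hosts.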
Bug#948759: marked as done (apache2: config_vars.mk contains unsanitized CXXFLAGS/-ffile-prefix-map)
Your message dated Mon, 13 Jan 2020 06:34:22 + with message-id and subject line Bug#948759: fixed in apache2 2.4.41-2 has caused the Debian Bug report #948759, regarding apache2: config_vars.mk contains unsanitized CXXFLAGS/-ffile-prefix-map to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 948759: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948759 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: apache2 Version: 2.4.41-1 Severity: wishlist Tags: patch User: reproducible-bui...@lists.alioth.debian.org Usertags: buildpath environment X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org The CXXFLAGS variable was not getting cleaned in debian/clean_config_vars, which meant that while -fdebug-prefix-map was cleaned from CFLAGS, it was still present in CXXFLAGS. Additionally, support for -ffile-prefix-map was added to GCC and dpkg and is used in the tests.reproducible-builds.org infrastructure when testing unstable and experimental. The attached patch fixes both issues, and I believe should result in apache2 being reproducible again in Debian. Thanks for maintaining apache2! live well, vagrant From 6ef03f7cce3b45999a81485e9bfa178971115d60 Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian Date: Sun, 12 Jan 2020 18:04:01 -0800 Subject: [PATCH 2/2] Also clean CXXFLAGS and -ffile-prefix-map. --- debian/clean_config_vars | 6 -- debian/rules | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/debian/clean_config_vars b/debian/clean_config_vars index f88ab3ca..90867080 100755 --- a/debian/clean_config_vars 
+++ b/debian/clean_config_vars @@ -6,6 +6,7 @@ my %FLAGS = { 'CFLAGS' => $ARGV[0], 'CPPFLAGS' => $ARGV[1], 'LDDFLAGS' => $ARGV[2], + 'CXXFLAGS' => $ARGV[3], }; @@ -22,7 +23,8 @@ sub clean_and_deduplicate $return_flags .= "$flag " unless $flag =~ m/PLATFORM/ || $flag =~ m/-DBUILD_DATETIME/ || - $flag =~ m/-fdebug-prefix-map/; + $flag =~ m/-fdebug-prefix-map/ || + $flag =~ m/-ffile-prefix-map/; } return $return_flags; } @@ -36,7 +38,7 @@ open(TMP_CONFIG_VARS, ">", "tmp_config_vars.mk") || die("tmp_config_vars.mk: $1" while(my $line = ) { chomp $line; - unless ($line =~ m/(^|_)(LD|CPP|C)FLAGS/) + unless ($line =~ m/(^|_)(LD|CPP|C|CXX)FLAGS/) { print TMP_CONFIG_VARS "$line\n"; } diff --git a/debian/rules b/debian/rules index 508dde96..954da288 100755 --- a/debian/rules +++ b/debian/rules 
@@ -74,7 +74,7 @@ clean-config-vars-stamp: debian/tmp/usr/share/apache2/build/config_vars.mk debia # Clean up config_vars.mk so that flags that are only intended for the # compilation of apache2 itself are not used by apxs for compiling # modules. - perl ./debian/clean_config_vars '$(AP2_CFLAGS)' '$(AP2_CPPFLAGS)' '$(AP2_LDFLAGS)' + perl ./debian/clean_config_vars '$(AP2_CFLAGS)' '$(AP2_CPPFLAGS)' '$(AP2_LDFLAGS)' '$(CXXFLAGS)' touch $@ %: %.in -- 2.20.1 signature.asc Description: PGP signature --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.41-2 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 948...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Xavier Guimard (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 13 Jan 2020 06:14:45 +0100 Source: apache2 Architecture: source Version: 2.4.41-2 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Xavier Guimard Closes: 948757 948759 Changes: apache2 (2.4.41-2) unstable; urgency=medium . [ Stefan Fritsch ] * Add *.load file for mod_socache_redis . 
[ Vagrant Cascadian ] * Embeds path to EGREP in config_vars.mk (Closes: #948757) * Sanitize CXXFLAGS/-ffile-prefix-map in config_vars.mk (Closes: #948759)
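Review bot: In the first debian/clean_config_vars hunk, `'CXXFLAGS' => $ARGV[3]` is read with no check that a fourth argument was supplied, so any caller still passing three arguments leaves it undefined. Default it, for example `$ARGV[3] // ''`, or die with a usage message when fewer than four arguments are given. The neighbouring context key `'LDDFLAGS'` also looks like a misspelling of LDFLAGS and is worth confirming while this hash is being touched.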
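Review bot: In the `clean_and_deduplicate` hunk of debian/clean_config_vars, the filter now has two separate unanchored matches, `m/-fdebug-prefix-map/` and `m/-ffile-prefix-map/`, and the next build-path option would need yet another line. If each `$flag` is a single token, consider one anchored pattern such as `m/^-f(?:debug|file|macro)-prefix-map=/`, which also covers `-fmacro-prefix-map` and cannot match a flag that merely contains the string.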
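Review bot: In the `clean-config-vars-stamp` hunk of debian/rules, the new fourth argument is `'$(CXXFLAGS)'` while the first three are the `AP2_`-prefixed variables, so the script may be given a different flag set from the one the build actually used. Confirm which variable holds the C++ flags passed to configure and pass that one; if plain `$(CXXFLAGS)` is intended, say so in the comment above the call.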
Processed: Bug#948759 marked as pending in apache2
Processing control commands: > tag -1 pending Bug #948759 [src:apache2] apache2: config_vars.mk contains unsanitized CXXFLAGS/-ffile-prefix-map Added tag(s) pending. -- 948759: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948759 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Bug#948757 marked as pending in apache2
Processing control commands: > tag -1 pending Bug #948757 [src:apache2] apache2: embeds path to EGREP in config_vars.mk Added tag(s) pending. -- 948757: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948757 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: cloning 946938, reassign -1 to postgresql-common ...
Processing commands for cont...@bugs.debian.org: > clone 946938 -1 Bug #946938 [ssl-cert] postgresql-common: pg_upgradecluster woes: fails to upgrade to v12 because ee key too small; postgres also fails to restart after upgrade Bug 946938 cloned as bug 946957 > reassign -1 postgresql-common Bug #946957 [ssl-cert] postgresql-common: pg_upgradecluster woes: fails to upgrade to v12 because ee key too small; postgres also fails to restart after upgrade Bug reassigned from package 'ssl-cert' to 'postgresql-common'. Ignoring request to alter found versions of bug #946957 to the same values previously set Ignoring request to alter fixed versions of bug #946957 to the same values previously set > retitle -1 postgresql-common: pg_upgradecluster woe: postgres fails to > restart after upgrade Bug #946957 [postgresql-common] postgresql-common: pg_upgradecluster woes: fails to upgrade to v12 because ee key too small; postgres also fails to restart after upgrade Changed Bug title to 'postgresql-common: pg_upgradecluster woe: postgres fails to restart after upgrade' from 'postgresql-common: pg_upgradecluster woes: fails to upgrade to v12 because ee key too small; postgres also fails to restart after upgrade'. > thanks Stopping processing here. Please contact me if you need assistance. -- 946938: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946938 946957: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946957 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#946938: postgresql-common: pg_upgradecluster woes: fails to upgrade to v12 because ee key too small; postgres also fails to restart after upgrade
Processing control commands: > reassign -1 ssl-cert Bug #946938 [ssl-cert] postgresql-common: pg_upgradecluster woes: fails to upgrade to v12 because ee key too small; postgres also fails to restart after upgrade Ignoring request to reassign bug #946938 to the same package > affects -1 postgresql-common Bug #946938 [ssl-cert] postgresql-common: pg_upgradecluster woes: fails to upgrade to v12 because ee key too small; postgres also fails to restart after upgrade Ignoring request to set affects of bug 946938 to the same value previously set -- 946938: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946938 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#946938: postgresql-common: pg_upgradecluster woes: fails to upgrade to v12 because ee key too small; postgres also fails to restart after upgrade
Processing control commands: > reassign -1 ssl-cert Bug #946938 [postgresql-common] postgresql-common: pg_upgradecluster woes: fails to upgrade to v12 because ee key too small; postgres also fails to restart after upgrade Bug reassigned from package 'postgresql-common' to 'ssl-cert'. No longer marked as found in versions postgresql-common/210. Ignoring request to alter fixed versions of bug #946938 to the same values previously set > affects -1 postgresql-common Bug #946938 [ssl-cert] postgresql-common: pg_upgradecluster woes: fails to upgrade to v12 because ee key too small; postgres also fails to restart after upgrade Added indication that 946938 affects postgresql-common -- 946938: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946938 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: apache2.2-common: Spurious warning "NameVirtualHost *:80 has no VirtualHosts" in cron/logrotate output
Processing control commands: > reopen -1 Bug #663530 {Done: "Nael M. Al Homoud" } [apache2-bin] apache2.2-common: Spurious warning "NameVirtualHost *:80 has no VirtualHosts" in cron/logrotate output Bug reopened Ignoring request to alter fixed versions of bug #663530 to the same values previously set -- 663530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663530 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#663530: marked as done (apache2.2-common: Spurious warning "NameVirtualHost *:80 has no VirtualHosts" in cron/logrotate output)
Your message dated Sun, 10 Nov 2019 00:22:16 + with message-id and subject line Investment Proposal has caused the Debian Bug report #663530, regarding apache2.2-common: Spurious warning "NameVirtualHost *:80 has no VirtualHosts" in cron/logrotate output to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 663530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663530 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: apache2.2-common Version: 2.2.22-1 Severity: minor In the last cron output, I got: /etc/cron.daily/logrotate: [Sun Mar 11 05:00:44 2012] [warn] NameVirtualHost *:80 has no VirtualHosts I suppose that it comes from /etc/logrotate.d/apache2, which contains in my case: /var/log/apache2/*.log { weekly missingok rotate 52 compress delaycompress notifempty create 640 root adm sharedscripts postrotate /etc/init.d/apache2 reload > /dev/null endscript prerotate if [ -d /etc/logrotate.d/httpd-prerotate ]; then \ run-parts /etc/logrotate.d/httpd-prerotate; \ fi; \ endscript } If I run "/etc/init.d/apache2 reload" manually as root: xvii:/home/vinc17# /etc/init.d/apache2 reload Reloading web server config: apache2. and nothing particular in the logs. So, everything seems fine. /etc/apache2/sites-enabled/000-default contains: [...] I don't see why I got the above message in cron/logrotate output, except in case of bug in the reload logic. 
-- Package-specific info: List of /etc/apache2/mods-enabled/*.load: alias auth_basic authn_file authz_default authz_groupfile authz_host authz_user autoindex cgi cgid dav dav_svn deflate dir env mime negotiation perl reqtimeout rewrite setenvif ssl status userdir -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores) Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages apache2.2-common depends on: ii apache2-utils 2.2.22-1 ii apache2.2-bin 2.2.22-1 ii lsb-base 3.2+Debian31 ii mime-support 3.52-1 ii perl 5.14.2-9 ii procps 1:3.3.2-3 Versions of packages apache2.2-common recommends: ii ssl-cert 1.0.28 Versions of packages apache2.2-common suggests: ii apache2-doc 2.2.22-1 ii apache2-suexec | apache2-suexec-custom ii chromium [www-browser] 17.0.963.78~r125577-1 ii elinks [www-browser]0.12~pre5-7 ii epiphany-browser [www-browser] 3.2.1-2 ii iceweasel [www-browser] 10.0.2-1 ii links [www-browser] 2.5-1 ii links2 [www-browser]2.5-1 ii lynx-cur [www-browser] 2.8.8dev.12-1 ii midori [www-browser]0.4.3-1 ii uzbl [www-browser] 0.0.0~git.2028-2 ii w3m [www-browser] 0.5.3-5 Versions of packages apache2.2-common is related to: ii apache2-mpm-event ii apache2-mpm-itk ii apache2-mpm-prefork ii apache2-mpm-worker 2.2.22-1 -- Configuration Files: /etc/apache2/mods-available/userdir.conf changed: UserDir public_html UserDir disabled root AllowOverride All Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec Order allow,deny Allow from all Order deny,allow Deny from all -- no debconf information --- End Message --- --- Begin Message --- Good day, My associate from China wants to discuss a business investment deal with you. I awaiting your response to enable us discuss about this business investment Nael M. 
Al Homoud Executive Director & High Investment Committee Member@ The Arab Investment Co www.taic.com [1] Links: -- [1] http://www.taic.com--- End Message ---
Bug#941202: marked as done (apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager)
Your message dated Sat, 19 Oct 2019 12:32:08 + with message-id and subject line Bug#941202: fixed in apache2 2.4.38-3+deb10u2 has caused the Debian Bug report #941202, regarding apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 941202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941202 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: apache2 Version: 2.4.25-3+deb9u8 Severity: normal Dear Maintainer, The fix for CVE-2019-10092 results in the following error when attempting to access details of a member in a mod_proxy_balancer http balancer via the balancer-manager web page: "[Thu Sep 26 09:51:08.228312 2019] [proxy_balancer:error] [pid 13106:tid 139942457935616] [client 127.0.0.1:54712] AH10187: ignoring params in balancer-manager cross-site access, referer: http://httpbalancer01/httpbalancer/__balancer-manager?b=http-balancer=http://192.168.13.71=193a3e00-9795-f9bb-6cc2-d7f3ac222b68 " The net effect of this is an inability to dynamically change the status of members in the balancer via the balancer-manager. 
Raised in Apache httpd-2 bug report 63688: https://bz.apache.org/bugzilla/show_bug.cgi?id=63688 Committed upstream in r1865749: https://svn.apache.org/viewvc?view=revision=1865749 -- Package-specific info: -- System Information: Debian Release: 9.11 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-11-amd64 (SMP w/1 CPU core) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages apache2 depends on: ii apache2-bin 2.4.25-3+deb9u8 ii apache2-data 2.4.25-3+deb9u8 ii apache2-utils2.4.25-3+deb9u8 ii dpkg 1.18.25 ii init-system-helpers 1.48 ii lsb-base 9.20161125 ii mime-support 3.60 ii perl 5.24.1-3+deb9u5 ii procps 2:3.3.12-3+deb9u1 Versions of packages apache2 recommends: pn ssl-cert Versions of packages apache2 suggests: pn apache2-doc pn apache2-suexec-pristine | apache2-suexec-custom pn www-browser Versions of packages apache2-bin depends on: ii libapr1 1.5.2-5 ii libaprutil1 1.5.4-3 ii libaprutil1-dbd-sqlite3 1.5.4-3 ii libaprutil1-ldap 1.5.4-3 ii libc62.24-11+deb9u4 ii libldap-2.4-22.4.44+dfsg-5+deb9u3 ii liblua5.2-0 5.2.4-1.1+b2 ii libnghttp2-141.18.1-1+deb9u1 ii libpcre3 2:8.39-3 ii libssl1.0.2 1.0.2s-1~deb9u1 ii libxml2 2.9.4+dfsg1-2.2+deb9u2 ii perl 5.24.1-3+deb9u5 ii zlib1g 1:1.2.8.dfsg-5 Versions of packages apache2-bin suggests: pn apache2-doc pn apache2-suexec-pristine | apache2-suexec-custom pn www-browser Versions of packages apache2 is related to: ii apache2 2.4.25-3+deb9u8 ii apache2-bin 2.4.25-3+deb9u8 -- no debconf information -- --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.38-3+deb10u2 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. 
A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 941...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Xavier Guimard (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sun, 13 Oct 2019 22:23:11 +0200 Source: apache2 Architecture: source Version: 2.4.38-3+deb10u2 Distribution: buster-security Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Xavier Guimard Closes: 941202 Changes: apache2 (2.4.38-3+deb10u2) buster-security; urgency=medium . * Fix CVE-2019-10092 patch (Closes: #941202) Chec
Bug#941202: marked as done (apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager)
Your message dated Sat, 19 Oct 2019 12:17:35 + with message-id and subject line Bug#941202: fixed in apache2 2.4.25-3+deb9u9 has caused the Debian Bug report #941202, regarding apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 941202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941202 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: apache2 Version: 2.4.25-3+deb9u8 Severity: normal Dear Maintainer, The fix for CVE-2019-10092 results in the following error when attempting to access details of a member in a mod_proxy_balancer http balancer via the balancer-manager web page: "[Thu Sep 26 09:51:08.228312 2019] [proxy_balancer:error] [pid 13106:tid 139942457935616] [client 127.0.0.1:54712] AH10187: ignoring params in balancer-manager cross-site access, referer: http://httpbalancer01/httpbalancer/__balancer-manager?b=http-balancer=http://192.168.13.71=193a3e00-9795-f9bb-6cc2-d7f3ac222b68 " The net effect of this is an inability to dynamically change the status of members in the balancer via the balancer-manager. 
Raised in Apache httpd-2 bug report 63688: https://bz.apache.org/bugzilla/show_bug.cgi?id=63688 Committed upstream in r1865749: https://svn.apache.org/viewvc?view=revision=1865749 -- Package-specific info: -- System Information: Debian Release: 9.11 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-11-amd64 (SMP w/1 CPU core) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages apache2 depends on: ii apache2-bin 2.4.25-3+deb9u8 ii apache2-data 2.4.25-3+deb9u8 ii apache2-utils2.4.25-3+deb9u8 ii dpkg 1.18.25 ii init-system-helpers 1.48 ii lsb-base 9.20161125 ii mime-support 3.60 ii perl 5.24.1-3+deb9u5 ii procps 2:3.3.12-3+deb9u1 Versions of packages apache2 recommends: pn ssl-cert Versions of packages apache2 suggests: pn apache2-doc pn apache2-suexec-pristine | apache2-suexec-custom pn www-browser Versions of packages apache2-bin depends on: ii libapr1 1.5.2-5 ii libaprutil1 1.5.4-3 ii libaprutil1-dbd-sqlite3 1.5.4-3 ii libaprutil1-ldap 1.5.4-3 ii libc62.24-11+deb9u4 ii libldap-2.4-22.4.44+dfsg-5+deb9u3 ii liblua5.2-0 5.2.4-1.1+b2 ii libnghttp2-141.18.1-1+deb9u1 ii libpcre3 2:8.39-3 ii libssl1.0.2 1.0.2s-1~deb9u1 ii libxml2 2.9.4+dfsg1-2.2+deb9u2 ii perl 5.24.1-3+deb9u5 ii zlib1g 1:1.2.8.dfsg-5 Versions of packages apache2-bin suggests: pn apache2-doc pn apache2-suexec-pristine | apache2-suexec-custom pn www-browser Versions of packages apache2 is related to: ii apache2 2.4.25-3+deb9u8 ii apache2-bin 2.4.25-3+deb9u8 -- no debconf information -- --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.25-3+deb9u9 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. 
A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 941...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Stefan Fritsch (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sun, 13 Oct 2019 17:43:54 +0200 Source: apache2 Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg Architecture: source amd64 all Version: 2.4.25-3+deb9u9 Distribution: stretch-security Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Stefan Fritsch D
Processed: Bug#941202 marked as pending in apache2
Processing control commands: > tag -1 pending Bug #941202 [apache2] apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager Added tag(s) pending. -- 941202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941202 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: found 941202 in 2.4.38-3+deb10u1
Processing commands for cont...@bugs.debian.org: > found 941202 2.4.38-3+deb10u1 Bug #941202 [apache2] apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager Marked as found in versions apache2/2.4.38-3+deb10u1. > thanks Stopping processing here. Please contact me if you need assistance. -- 941202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941202 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#876636: marked as done (apache2: insserv noise)
Your message dated Tue, 1 Oct 2019 22:19:28 +0200 with message-id and subject line Re: apache2: insserv noise has caused the Debian Bug report #876636, regarding apache2: insserv noise to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 876636: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876636 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: apache2 Version: 2.4.27-6 During the package upgrade insserv creates two warnings: insserv: warning: current start runlevel(s) (empty) of script `apache-htcacheclean' overrides LSB defaults (2 3 4 5). insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `apache-htcacheclean' overrides LSB defaults (0 1 6). --- End Message --- --- Begin Message --- Version: 2.4.23-5 Fixed by https://salsa.debian.org/apache-team/apache2/commit/c5b62eaddedcb3d46d28cddb76c10e8c24612704--- End Message ---
Processed (with 1 error): DSA-4509-1 regression needs to be fixed in subversion
Processing commands for cont...@bugs.debian.org: > reassign 936034 libapache2-mod-svn Bug #936034 [apache2] broken http2 in apache2 2.4.25-3+deb9u8 for mod_dav_svn on stretch? Bug reassigned from package 'apache2' to 'libapache2-mod-svn'. No longer marked as found in versions apache2/2.4.25-3+deb9u8. Ignoring request to alter fixed versions of bug #936034 to the same values previously set > found 936034 1.9.0-1 Bug #936034 [libapache2-mod-svn] broken http2 in apache2 2.4.25-3+deb9u8 for mod_dav_svn on stretch? Marked as found in versions subversion/1.9.0-1. > fixed 1.10.4-1 Unknown command or malformed arguments to command. > affects 936034 apache2 Bug #936034 [libapache2-mod-svn] broken http2 in apache2 2.4.25-3+deb9u8 for mod_dav_svn on stretch? Added indication that 936034 affects apache2 > thanks Stopping processing here. Please contact me if you need assistance. -- 936034: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936034 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: apache2: OCSP stapling poorly handled, yielding trylater errors in the client
Processing control commands: > found -1 2.4.38-3+deb10u1 Bug #933129 [apache2] apache2: OCSP stapling poorly handled, yielding trylater errors in the client Marked as found in versions apache2/2.4.38-3+deb10u1. -- 933129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933129 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: affects 936034
Processing commands for cont...@bugs.debian.org: > affects 936034 + release.debian.org,security.debian.org Bug #936034 [apache2] broken http2 in apache2 2.4.25-3+deb9u8 for mod_dav_svn on stretch? Added indication that 936034 affects release.debian.org and security.debian.org > thanks Stopping processing here. Please contact me if you need assistance. -- 936034: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936034 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: [bts-link] source package apr
Processing commands for cont...@bugs.debian.org: > # > # bts-link upstream status pull for source package apr > # see http://lists.debian.org/debian-devel-announce/2006/05/msg1.html > # https://bts-link-team.pages.debian.net/bts-link/ > # > user debian-bts-l...@lists.debian.org Setting user to debian-bts-l...@lists.debian.org (was debian-bts-l...@lists.debian.org). > # remote status report for #489625 (http://bugs.debian.org/489625) > # Bug title: libapr1-dev: please don't ship your own copy of libtool > # * http://issues.apache.org/bugzilla/show_bug.cgi?id=62640 > # * remote status changed: NEEDINFO -> RESOLVED > # * remote resolution changed: (?) -> FIXED > # * closed upstream > tags 489625 + fixed-upstream Bug #489625 [libapr1-dev] libapr1-dev: please don't ship your own copy of libtool Added tag(s) fixed-upstream. > usertags 489625 - status-NEEDINFO Usertags were: status-NEEDINFO. Usertags are now: . > usertags 489625 + status-RESOLVED resolution-FIXED There were no usertags set. Usertags are now: status-RESOLVED resolution-FIXED. > thanks Stopping processing here. Please contact me if you need assistance. -- 489625: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489625 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#934640: marked as done (apache2: fails to install, a2enconf missing)
Your message dated Mon, 12 Aug 2019 21:35:01 + with message-id and subject line Bug#934640: fixed in apache2 2.4.39-2 has caused the Debian Bug report #934640, regarding apache2: fails to install, a2enconf missing to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 934640: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934640 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: apache2 Version: 2.4.39-1 Severity: serious Hi, thank you for uploading the new apache version, however, the package fails to install: ---snip--- [...] Enabling module env. Enabling module mime. Enabling module negotiation. Enabling module setenvif. Enabling module filter. Enabling module deflate. Enabling module status. Enabling module reqtimeout. /var/lib/dpkg/info/apache2.postinst: line 66: a2enconf: command not found dpkg: error processing package apache2 (--configure): installed apache2 package post-installation script subprocess returned error exit status 127 Processing triggers for systemd (241-7) ... Errors were encountered while processing: apache2 E: Sub-process /usr/bin/dpkg returned an error code (1) ---snap--- Regards, Daniel --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.39-2 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. 
If you have further comments please address them to 934...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Xavier Guimard (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 12 Aug 2019 22:52:47 +0200 Source: apache2 Architecture: source Version: 2.4.39-2 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Xavier Guimard Closes: 934640 Changes: apache2 (2.4.39-2) unstable; urgency=medium . * Fix bad call of dh_link. Thanks to Daniel Baumann (Closes: #934640) --- End Message ---
Processed: Re: apache2: fails to install, a2enconf missing
Processing commands for cont...@bugs.debian.org: > tag 934640 + patch Bug #934640 [apache2] apache2: fails to install, a2enconf missing Added tag(s) patch. > thanks Stopping processing here. Please contact me if you need assistance. -- 934640: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934640 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#929510: marked as done (apache2-dev: make the build more reproducible)
Your message dated Mon, 12 Aug 2019 19:49:44 + with message-id and subject line Bug#929510: fixed in apache2 2.4.39-1 has caused the Debian Bug report #929510, regarding apache2-dev: make the build more reproducible to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 929510: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929510 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: apache2-dev Version: 2.4.38-3 Tags: patch I was looking into apache2-dev, because it cannot satisfy foreign architecture dependencies. While doing so, I noticed that it is not reproducible. I'm submitting a partial fix here. It is to be understood as an incremental improvement. A major reason for not being reproducible is /usr/share/apache2/build/config.nice. It's a convenience script to later configure apache in the same way. Fortunately, nothing uses this file. To verify that, I rebuilt all build-rdeps of apache2-dev and I only encountered one failure: #929506. We can simply drop the file. I also noticed that config_vars.mk embeds AWK=mawk or AWK=gawk. That can be easily canonicalized to AWK=awk. After this patch, I see two issues: * config_vars.mk embeds -fdebug-prefix-map. (reproducible) * config_vars.mk is architecture-dependent and installed to /usr/share (fhs violation). Please just close this bug after applying the patch despite those other issues. 
Helmut diff --minimal -Nru apache2-2.4.38/debian/apache2-dev.install apache2-2.4.38/debian/apache2-dev.install --- apache2-2.4.38/debian/apache2-dev.install 2019-04-02 21:55:20.0 +0200 +++ apache2-2.4.38/debian/apache2-dev.install 2019-05-25 08:43:23.0 +0200 @@ -1,6 +1,7 @@ /usr/bin/apxs /usr/include/apache2 -/usr/share/apache2/build +/usr/share/apache2/build/*.sh +/usr/share/apache2/build/*.mk debian/debhelper/apache2.pm /usr/share/perl5/Debian/Debhelper/Sequence/ debian/debhelper/dh_apache2/usr/bin debian/debhelper/postinst-apache2 /usr/share/debhelper/autoscripts/ diff --minimal -Nru apache2-2.4.38/debian/changelog apache2-2.4.38/debian/changelog --- apache2-2.4.38/debian/changelog 2019-04-07 20:15:40.0 +0200 +++ apache2-2.4.38/debian/changelog 2019-05-25 08:43:27.0 +0200 @@ -1,3 +1,11 @@ +apache2 (2.4.38-3.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Do not install /usr/share/apache2/build/config.nice. (Closes: #-1) + * Make config_vars.mk reproducible wrt. AWK. + + -- Helmut Grohne Sat, 25 May 2019 08:43:27 +0200 + apache2 (2.4.38-3) unstable; urgency=high [ Marc Deslauriers ] diff --minimal -Nru apache2-2.4.38/debian/rules apache2-2.4.38/debian/rules --- apache2-2.4.38/debian/rules 2019-04-02 21:55:20.0 +0200 +++ apache2-2.4.38/debian/rules 2019-05-25 08:43:27.0 +0200 
@@ -103,6 +103,7 @@ override_dh_auto_configure: configure-stamp configure-stamp: prebuild-checks-stamp support/suexec-custom.c + AWK=awk \ ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \ --enable-layout=Debian --enable-so --with-program-name=apache2 \ --enable-suexec --with-suexec-caller=www-data \ --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.39-1 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 929...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Xavier Guimard (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 12 Aug 2019 21:30:33 +0200 Source: apache2 Architecture: source Version: 2.4.39-1 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Xavier Guimard Closes: 929510 Changes: apache2 (2.4.39-1) unstable; urgency=medium . [ Helmut Grohne ] * Do not install /usr/share/apache2/build/config.nice (Closes: #929510) . [ Xavier Guimard ] * New upstream version 2.4.39 * Refresh patches * Remove patches now included in upstream * Replace duplicate doc files by links using
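Review bot: In the debian/apache2-dev.install hunk of the patch above, replacing the directory entry /usr/share/apache2/build with the two globs build/*.sh and build/*.mk is an allow-list, so it drops every file in that directory that does not end in .sh or .mk, not only config.nice. The report says the intent is to stop shipping config.nice alone. Either list the directory contents in the report to show that nothing else is lost, or keep the directory entry and delete config.nice explicitly after installation, so that a file added by a later upstream release is not silently left out of apache2-dev.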
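Review bot: In the debian/changelog hunk of the patch above, the entry "Do not install /usr/share/apache2/build/config.nice. (Closes: #-1)" still carries the placeholder bug number used when the report was filed. It needs to be replaced with the assigned number (this report is #929510) before the entry is merged, otherwise the upload closes nothing. The second entry, "Make config_vars.mk reproducible wrt. AWK.", would also be easier to trace if it named the debian/rules change it refers to.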
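Review bot: In the debian/rules hunk of the patch above, the added line "AWK=awk \" in front of ./configure has no comment saying why it is there. Without one, a later cleanup can remove it as a no-op and reintroduce the mawk/gawk difference in config_vars.mk that the report describes. A one-line comment above the configure-stamp recipe stating that AWK is pinned for reproducible builds would do. The report also notes that config_vars.mk still embeds -fdebug-prefix-map, so this hunk alone does not make the file reproducible; the changelog wording should not suggest that it does.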
Processed: Re: Bug#913342: libapache2-mod-svn: Lower the severity of the problem from ERROR to WARN in case if config file does not point to one provided by the package
Processing control commands: > reassign -1 apache2 2.4.25-3 Bug #913342 [libapache2-mod-svn] libapache2-mod-svn: Lower the severity of the problem from ERROR to WARN in case if config file does not point to one provided by the package Bug reassigned from package 'libapache2-mod-svn' to 'apache2'. No longer marked as found in versions subversion/1.9.5-1+deb9u2. Ignoring request to alter fixed versions of bug #913342 to the same values previously set Bug #913342 [apache2] libapache2-mod-svn: Lower the severity of the problem from ERROR to WARN in case if config file does not point to one provided by the package Marked as found in versions apache2/2.4.25-3. -- 913342: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913342 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: apache2: OCSP stapling poorly handled, yielding trylater errors in the client
Processing commands for cont...@bugs.debian.org: > tags 933129 upstream Bug #933129 [apache2] apache2: OCSP stapling poorly handled, yielding trylater errors in the client Added tag(s) upstream. > End of message, stopping processing here. Please contact me if you need assistance. -- 933129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933129 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#664761: marked as done (apache2/conf.d migration: what should webapp packagers do?)
Your message dated 17 Jun 2019 00:37:55 -0700 with message-id <20190617003755.cdfc6956bd4e8...@hidrocomta.com> and subject line Quotation Inquiry #RFQ170619E - New Supplier has caused the Debian Bug report #664761, regarding apache2/conf.d migration: what should webapp packagers do? to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 664761: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664761 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: apache2 Version: 2.4.1-1 Justification: missing documentation X-Debbugs-Cc: debian-weba...@lists.debian.org Hi, Upgrading apache2 to the version in experimental breaks my local gitweb installation. Gitweb ships the following snippet in /etc/apache2/conf.d/gitweb: Alias /gitweb /usr/share/gitweb Options FollowSymLinks +ExecCGI AddHandler cgi-script .cgi DirectoryIndex gitweb.cgi RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^.* /gitweb/gitweb.cgi/$0 [L,PT] which of course is not supposed to work any more, as described in NEWS.Debian.gz. Goals from the gitweb side: - installing gitweb provides a working gitweb installation out of the box. The user should not be required to run an a2enconf command separately. - customizable by the user, user configuration carried over from version to version - upgrades don't silently break it :) In the new world order, as a packager of a webapp, what should I do to bring those goals about? 
From the PACKAGING file I get the impression that I should rename the gitweb configuration (with the usual conffile renaming dance) to /etc/apache2/conf-available/gitweb.conf, depend on an updated apache2, run [ -e /usr/share/apache2/apache2-maintscript-helper ] || exit 0 . /usr/share/apache2/apache2-maintscript-helper apache2_invoke enconf gitweb in postinst configure, and ask for a Breaks from the apache2 maintainers. Is that right? This bug report is a request for advice in NEWS.Debian.gz about this, for example by including a pointer to PACKAGERS in the text and mentioning whether packages supporting old and new apache at the same time are possible. Thanks, Jonathan --- End Message --- --- Begin Message --- Hello, Our partners referred your company to us. Regarding your great products. Please see required products, quantity and specifications as attached. Kindly give us your lowest possible prices for FCL shipment. Best Regards, Wanda Rodriguez Purchase Assistant Hidroconta Trading Ltd. Av. de Sta. Catalina, 60, 30012 Murcia, Spain Phone: +34 968 26 77 66 Fax: +34 968 26 77 06--- End Message ---
Processed: apache2.2-common: Spurious warning "NameVirtualHost *:80 has no VirtualHosts" in cron/logrotate output
Processing control commands: > reopen -1 Bug #663530 {Done: Hidroconta Trading Ltd. } [apache2-bin] apache2.2-common: Spurious warning "NameVirtualHost *:80 has no VirtualHosts" in cron/logrotate output Bug reopened Ignoring request to alter fixed versions of bug #663530 to the same values previously set -- 663530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663530 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#758513: marked as done (fails to authenticate if multiple LDAP results match, misleading error message)
Your message dated 17 Jun 2019 00:38:04 -0700 with message-id <20190617003804.c142dfe016d81...@hidrocomta.com> and subject line Quotation Inquiry #RFQ170619E - New Supplier has caused the Debian Bug report #758513, regarding fails to authenticate if multiple LDAP results match, misleading error message to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 758513: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758513 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: nagios3 Not sure if this log message comes from Apache or from Nagios, if it is an Apache error then please re-assign to the Apache package. Basically, my Nagios was working fine with Apache LDAP In httpd.conf: AuthType basic AuthBasicProvider ldap AuthName "test server" AuthLDAPURL "ldap://some-server/dc=example,dc=org; One day, I found I could not log in to the web interface, the password popup would keep appearing Looking at the Apache error log file, I could see lines like this: user daniel not found: /nagios3/cgi-bin/status.cgi Looking in Google, "not found" brings up all kinds of unrelated pages, but I found a few other people with similar messages such as: user nagiosadmin not found: /nagios3/cgi-bin/status.cgi user root not found: /nagios/cgi-bin/status.cgi In my case it turns out that somebody had changed the LDAP configuration and created two users called "daniel", each in different sub-trees, e.g.
uid=daniel,dc=test,dc=example,dc=org uid=daniel,dc=production,dc=example,dc=org So the "not found" message is actually quite confusing, in my case, it seems to indicate that two users were found and it didn't know which is correct. By refining my AuthLDAPURL to use dc=production,dc=example,dc=org I got it working again. Other people commented that disabling SELinux or fixing permissions on the htpasswd file made this error go away in other situations. In my case, none of that feedback was relevant. --- End Message --- --- Begin Message --- Hello, Our partners referred your company to us. Regarding your great products. Please see required products, quantity and specifications as attached. Kindly give us your lowest possible prices for FCL shipment. Best Regards, Wanda Rodriguez Purchase Assistant Hidroconta Trading Ltd. Av. de Sta. Catalina, 60, 30012 Murcia, Spain Phone: +34 968 26 77 66 Fax: +34 968 26 77 06--- End Message ---
Bug#663530: marked as done (apache2.2-common: Spurious warning "NameVirtualHost *:80 has no VirtualHosts" in cron/logrotate output)
Your message dated 17 Jun 2019 00:38:16 -0700 with message-id <20190617003816.a58a934570546...@hidrocomta.com> and subject line Quotation Inquiry #RFQ170619E - New Supplier has caused the Debian Bug report #663530, regarding apache2.2-common: Spurious warning "NameVirtualHost *:80 has no VirtualHosts" in cron/logrotate output to be marked as done.

--
663530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663530
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: apache2.2-common
Version: 2.2.22-1
Severity: minor

In the last cron output, I got:

    /etc/cron.daily/logrotate:
    [Sun Mar 11 05:00:44 2012] [warn] NameVirtualHost *:80 has no VirtualHosts

I suppose that it comes from /etc/logrotate.d/apache2, which contains in my case:

    /var/log/apache2/*.log {
        weekly
        missingok
        rotate 52
        compress
        delaycompress
        notifempty
        create 640 root adm
        sharedscripts
        postrotate
            /etc/init.d/apache2 reload > /dev/null
        endscript
        prerotate
            if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
                run-parts /etc/logrotate.d/httpd-prerotate; \
            fi; \
        endscript
    }

If I run "/etc/init.d/apache2 reload" manually as root:

    xvii:/home/vinc17# /etc/init.d/apache2 reload
    Reloading web server config: apache2.

and nothing particular in the logs. So, everything seems fine.

/etc/apache2/sites-enabled/000-default contains:

[...]

I don't see why I got the above message in cron/logrotate output, except in case of bug in the reload logic.

-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
  alias auth_basic authn_file authz_default authz_groupfile authz_host authz_user autoindex cgi cgid dav dav_svn deflate dir env mime negotiation perl reqtimeout rewrite setenvif ssl status userdir

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.22-1
ii apache2.2-bin 2.2.22-1
ii lsb-base 3.2+Debian31
ii mime-support 3.52-1
ii perl 5.14.2-9
ii procps 1:3.3.2-3

Versions of packages apache2.2-common recommends:
ii ssl-cert 1.0.28

Versions of packages apache2.2-common suggests:
ii apache2-doc 2.2.22-1
ii apache2-suexec | apache2-suexec-custom
ii chromium [www-browser] 17.0.963.78~r125577-1
ii elinks [www-browser] 0.12~pre5-7
ii epiphany-browser [www-browser] 3.2.1-2
ii iceweasel [www-browser] 10.0.2-1
ii links [www-browser] 2.5-1
ii links2 [www-browser] 2.5-1
ii lynx-cur [www-browser] 2.8.8dev.12-1
ii midori [www-browser] 0.4.3-1
ii uzbl [www-browser] 0.0.0~git.2028-2
ii w3m [www-browser] 0.5.3-5

Versions of packages apache2.2-common is related to:
ii apache2-mpm-event
ii apache2-mpm-itk
ii apache2-mpm-prefork
ii apache2-mpm-worker 2.2.22-1

-- Configuration Files:
/etc/apache2/mods-available/userdir.conf changed:
    UserDir public_html
    UserDir disabled root
    AllowOverride All
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Order allow,deny
    Allow from all
    Order deny,allow
    Deny from all

-- no debconf information
--- End Message ---
Processed: Bug#929510 marked as pending in apache2
Processing control commands: > tag -1 pending Bug #929510 [apache2-dev] apache2-dev: make the build more reproducible Added tag(s) pending. -- 929510: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929510 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#924881: postgresql: buster upgrade breaks older postgresql (9.6) and newer postgresql (11) is also inoperative
Processing control commands: > tag -1 - moreinfo Bug #924881 [ssl-cert] postgresql: buster upgrade breaks older postgresql (9.6) and newer postgresql (11) is also inoperative Removed tag(s) moreinfo. -- 924881: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924881 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#902657: marked as done (graceful/restart results in segfault if libcap-ng0 is loaded)
Your message dated Mon, 22 Apr 2019 17:01:53 +0200 with message-id <20190422150153.v4e56hjh5m3di...@manul.sfritsch.de> and subject line Bug#902658: graceful/restart results in segfault if libcap-ng0 is loaded has caused the Debian Bug report #902658, regarding graceful/restart results in segfault if libcap-ng0 is loaded to be marked as done.

--
902658: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902658
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: apache2
Version: 2.4.33-3+b1
Severity: grave
Tags: a11y
Justification: renders package unusable

Dear Maintainer,

when i do an "apachectl graceful" or "apachectl restart", i get segfaults.

[Fri Jun 29 10:22:38.726688 2018] [mpm_prefork:notice] [pid 31097] AH00163: Apache/2.4.33 (Debian) mpm-itk/2.4.7-04 OpenSSL/1.1.0h mod_perl/2.0.10 Perl/v5.26.2 configured -- resuming normal operations
[Fri Jun 29 10:22:38.726720 2018] [core:notice] [pid 31097] AH00094: Command line: '/usr/sbin/apache2'
[Fri Jun 29 10:22:49.076807 2018] [mpm_prefork:notice] [pid 31097] AH00171: Graceful restart requested, doing restart
[Fri Jun 29 10:22:49.168509 2018] [mpm_prefork:notice] [pid 31097] AH00163: Apache/2.4.33 (Debian) mpm-itk/2.4.7-04 OpenSSL/1.1.0h mod_perl/2.0.10 Perl/v5.26.2 configured -- resuming normal operations
[Fri Jun 29 10:22:49.168527 2018] [core:notice] [pid 31097] AH00094: Command line: '/usr/sbin/apache2'
[Fri Jun 29 10:22:50.172451 2018] [core:notice] [pid 31097] AH00051: child pid 32163 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Fri Jun 29 10:22:50.176057 2018] [mpm_prefork:warn] [pid 31097] AH00167: long lost child came home! (pid 32163)
[Fri Jun 29 10:22:50.176139 2018] [core:notice] [pid 31097] AH00051: child pid 32165 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Fri Jun 29 10:22:50.176158 2018] [core:error] [pid 31097] AH00546: no record of generation 0 of exiting child 32165
[Fri Jun 29 10:22:50.176214 2018] [core:notice] [pid 31097] AH00051: child pid 32167 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Fri Jun 29 10:22:50.176225 2018] [core:error] [pid 31097] AH00546: no record of generation 0 of exiting child 32167
[Fri Jun 29 10:22:50.176272 2018] [core:notice] [pid 31097] AH00051: child pid 32169 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Fri Jun 29 10:22:50.176304 2018] [core:error] [pid 31097] AH00546: no record of generation 0 of exiting child 32169
[Fri Jun 29 10:22:50.176362 2018] [core:notice] [pid 31097] AH00051: child pid 32171 exit signal Segmentation fault (11), possible coredump in /etc/apache2

if i then do a /etc/init.d/apache2 restart, it works normally

/etc/init.d/apache2 restart and systemctl restart apache2 do NOT result in a segfault.

here's a backtrace of a coredump:

coredumpctl gdb 20261
PID: 20261 (/usr/sbin/apach)
UID: 0 (root)
GID: 0 (root)
Signal: 11 (SEGV)
Timestamp: Thu 2018-06-28 19:47:53 CEST (4min 18s ago)
Command Line: /usr/sbin/apache2 -k start
Executable: /usr/sbin/apache2
Control Group: /system.slice/apache2.service
Unit: apache2.service
Slice: system.slice
Boot ID: fb5bb58db2c4417db6cce49bb7b04435
Machine ID: 6eb9f0854f630f342494ccf2000a
Hostname: sunnyserver
Storage: /var/lib/systemd/coredump/core.\x2fusr\x2fsbin\x2fapach.0.fb5bb58db2c4417db6cce49bb7b04435.20261.153020807300.lz4
Message: Process 20261 (/usr/sbin/apach) of user 0 dumped core.

Stack trace of thread 20261:
#0 0x7fa235131677 n/a (libcap-ng.so.0)
#1 0x7fa2429e2a25 n/a (mod_mpm_prefork.so)
#2 0x7fa2429e3a0e n/a (mod_mpm_prefork.so)
#3 0x561918c4cb7e ap_run_mpm (apache2)
#4 0x561918c4546b main (apache2)
#5 0x7fa247386a87 __libc_start_main (libc.so.6)
#6 0x561918c4556a _start (apache2)

GNU gdb (Debian 7.12-6+b2) 7.12.0.20161007-git
Copyright © 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type “show copying” and “show warranty” for details.
This GDB was configured as “x86_64-linux-gnu”.
Type “show configuration” for configuration details.
For bug reporting instructions, please see: http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at: http:
Processed: libapr1-dev: please don't ship your own copy of libtool
Processing commands for cont...@bugs.debian.org: > forwarded 489625 https://bz.apache.org/bugzilla/show_bug.cgi?id=62640 Bug #489625 [libapr1-dev] libapr1-dev: please don't ship your own copy of libtool Set Bug forwarded-to-address to 'https://bz.apache.org/bugzilla/show_bug.cgi?id=62640'. > thanks Stopping processing here. Please contact me if you need assistance. -- 489625: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489625 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: severity of 926400 is grave
Processing commands for cont...@bugs.debian.org: > severity 926400 grave Bug #926400 [libaprutil1-dbd-mysql] libapr1-dbd-mysql: apache fails to start if dbd with mysql is used Severity set to 'grave' from 'important' > thanks Stopping processing here. Please contact me if you need assistance. -- 926400: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926400 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#920302: marked as done (apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies)
Your message dated Fri, 05 Apr 2019 05:32:08 + with message-id and subject line Bug#920302: fixed in apache2 2.4.25-3+deb9u7 has caused the Debian Bug report #920302, regarding apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies to be marked as done.

--
920302: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920302
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: apache2
Version: 2.4.37-1
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 2.4.25-3+deb9u6
Control: found -1 2.4.25-3

Hi,

The following vulnerability was published for apache2.

CVE-2018-17189[0]:
mod_http2, DoS via slow, unneeded request bodies

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17189
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17189
[1] https://www.openwall.com/lists/oss-security/2019/01/22/2

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: apache2
Source-Version: 2.4.25-3+deb9u7

We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 920...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch (supplier of updated apache2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 02 Apr 2019 21:05:13 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: source amd64 all
Version: 2.4.25-3+deb9u7
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Apache Maintainers
Changed-By: Stefan Fritsch
Description:
 apache2 - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Closes: 904150 915103 920302 920303
Changes:
 apache2 (2.4.25-3+deb9u7) stretch-security; urgency=medium
 .
 [ Xavier Guimard ]
 * CVE-2018-17199: mod_session: Fix missing check for session expiry time.
   Closes: #920303
 .
 [ Stefan Fritsch ]
 * mod_http2: Fix keepalive timeout behavior. This fixes a regression with
   Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103
 * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
   Closes: #904150
 * CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies.
   Closes: #920302
 * CVE-2019-0196: mod_http2: Fix read after free
 * CVE-2019-0211: All MPMs: privilege escalation from www-data user to root.
 * CVE-2019-0217: mod_auth_digest: Access control bypass
 * CVE-2019-0220: URL normalization inconsistency. Consecutive slashes in
   URL's are now merged before use in LocationMatch and RewriteRule.
   The old behavior can be restored with the new directive
   "MergeSlashes off".
Bug#920303: marked as done (apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time)
Your message dated Fri, 05 Apr 2019 05:32:09 + with message-id and subject line Bug#920303: fixed in apache2 2.4.25-3+deb9u7 has caused the Debian Bug report #920303, regarding apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time to be marked as done.

--
920303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920303
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: apache2
Version: 2.4.37-1
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 2.4.25-3+deb9u6
Control: found -1 2.4.25-3

Hi,

The following vulnerability was published for apache2.

CVE-2018-17199[0]:
mod_session_cookie does not respect expiry time

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199
[1] https://www.openwall.com/lists/oss-security/2019/01/22/3

Regards,
Salvatore
--- End Message ---
Bug#915103: marked as done (Apache2 HTTP/2 connection problems with Safari clients)
Your message dated Fri, 05 Apr 2019 05:32:08 + with message-id and subject line Bug#915103: fixed in apache2 2.4.25-3+deb9u7 has caused the Debian Bug report #915103, regarding Apache2 HTTP/2 connection problems with Safari clients to be marked as done.

--
915103: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915103
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: apache2
Version: 2.4.25-3+deb9u6

When i load a picture using safari from an apache webserver with HTTP/2 enabled and repeat that multiple times in a row (F5), at least each 3rd request fails with "Failed to load resource: The network connection was lost."

This happens regardless of the device (Mac, iPad) and regardless of the ISP or the provider or hardware of the webserver in the datacenter. The user experience when surfing on an affected webserver is really bad with Safari.

This does not happen after downgrading to version 2.4.25-3+deb9u5

The new HTTP/2 Anti-DoS patches should be optimized to work with Safari clients.

We are using Debian GNU/Linux 9, Kernel 4.9.0-8-amd64.
--- End Message ---
Bug#904150: marked as done (apache2: typo in maintainer script)
Your message dated Fri, 05 Apr 2019 05:32:08 + with message-id and subject line Bug#904150: fixed in apache2 2.4.25-3+deb9u7 has caused the Debian Bug report #904150, regarding apache2: typo in maintainer script to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 904150: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904150 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: apache2 Version: 2.4.33-3 Severity: normal Dear Maintainer, Tim Bishop filed this bug in Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1782806 showing what appears to be a typo in a maintainer script: https://salsa.debian.org/apache-team/apache2/blob/master/debian/debhelper/apache2-maintscript-helper#L290 a2query -m "$mpm_$MPM" > /dev/null 2>&1 || a2query_ret=$? The argument to -m was probably meant to be "mpm_$MPM", as the shell function where this statement lives explicitly requests that the mpm module name should not have a "mpm_" prefix. The fix should be as simple as this: --- a/debian/debhelper/apache2-maintscript-helper +++ b/debian/debhelper/apache2-maintscript-helper 
@@ -287,7 +287,7 @@ apache2_switch_mpm() fi local a2query_ret=0 - a2query -m "$mpm_$MPM" > /dev/null 2>&1 || a2query_ret=$? + a2query -m "mpm_$MPM" > /dev/null 2>&1 || a2query_ret=$? case $a2query_ret in 0) Thanks! --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.25-3+deb9u7 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 904...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Stefan Fritsch (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 02 Apr 2019 21:05:13 +0200 Source: apache2 Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg Architecture: source amd64 all Version: 2.4.25-3+deb9u7 Distribution: stretch-security Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Stefan Fritsch Description: apache2- Apache HTTP Server apache2-bin - Apache HTTP Server (modules and other binary files) apache2-data - Apache HTTP Server (common files) apache2-dbg - Apache debugging symbols apache2-dev - Apache HTTP Server (development headers) apache2-doc - Apache HTTP Server (on-site documentation) apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers) apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec apache2-utils - 
Apache HTTP Server (utility programs for web servers) Closes: 904150 915103 920302 920303 Changes: apache2 (2.4.25-3+deb9u7) stretch-security; urgency=medium . [ Xavier Guimard ] * CVE-2018-17199: mode_session: Fix missing check for session expiry time. Closes: #920303 . [ Stefan Fritsch ] * mod_http2: Fix keepalive timeout behavior. This fixes a regression with Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103 * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper. Closes: #904150 * CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies. Closes: #920302 * CVE-2019-0196: mod_http2: Fix read after free * CVE-2019-0211: All MPMs: privilege escalation from www-data user to root. * CVE-2019-0217: mod_auth_digest: Access control bypass * CVE-2019-0220: URL normalization inconsistincy. Consecutive slashes in URL's are now merged before use in LocationMatch and RewriteRule. The old behavior can be restored with the new directive "MergeSlashes off".
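Review bot: In the changed a2query line of apache2_switch_mpm() in the Bug#904150 patch, write the argument as "mpm_${MPM}" so the variable boundary is explicit. The removed form "$mpm_$MPM" parses as a variable named mpm_ followed by $MPM, which collapses to the bare MPM name when mpm_ is unset, and because the call sends both stdout and stderr to /dev/null only the exit status stored in a2query_ret could ever reveal the slip. Running the helper through a check for references to unset variables would catch this class of typo before it ships in a maintainer script.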
Processed: apache2: AuthLDAPBindPassword with exec: variant: child processes not properly destroyed
Processing control commands: > found -1 2.4.25-3 Bug #925472 [src:apache2] apache2: AuthLDAPBindPassword with exec: variant: child processes not properly destroyed Marked as found in versions apache2/2.4.25-3. -- 925472: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925472 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#924881: postgresql: buster upgrade breaks older postgresql (9.6) and newer postgresql (11) is also inoperative
Processing control commands: > reassign -1 ssl-cert Bug #924881 [postgresql] postgresql: buster upgrade breaks older postgresql (9.6) and newer postgresql (11) is also inoperative Bug reassigned from package 'postgresql' to 'ssl-cert'. No longer marked as found in versions postgresql-common/200. Ignoring request to alter fixed versions of bug #924881 to the same values previously set -- 924881: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924881 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: unarchiving 920303, unarchiving 920302
Processing commands for cont...@bugs.debian.org: > unarchive 920303 Bug #920303 {Done: Xavier Guimard } [src:apache2] apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time Unarchived Bug 920303 > unarchive 920302 Bug #920302 {Done: Xavier Guimard } [src:apache2] apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies Unarchived Bug 920302 > thanks Stopping processing here. Please contact me if you need assistance. -- 920302: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920302 920303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920303 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: apache2 setup-instance (apache-multi) logrotation (#914606)
Processing control commands: > tags -1 + patch Bug #914606 [apache2] apache2 setup-instance (apache-multi) logrotation Added tag(s) patch. -- 914606: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914606 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: tagging 915103
Processing commands for cont...@bugs.debian.org: > tags 915103 + pending Bug #915103 [apache2] Apache2 HTTP/2 connection problems with Safari clients Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 915103: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915103 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: tagging 918014, severity of 918014 is important
Processing commands for cont...@bugs.debian.org: > tags 918014 + moreinfo Bug #918014 [apache2] apache2: Segfault in mod_filter only wehen started by systemd Added tag(s) moreinfo. > severity 918014 important Bug #918014 [apache2] apache2: Segfault in mod_filter only wehen started by systemd Severity set to 'important' from 'grave' > thanks Stopping processing here. Please contact me if you need assistance. -- 918014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918014 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#920303: marked as done (apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time)
Your message dated Tue, 29 Jan 2019 23:19:31 + with message-id and subject line Bug#920303: fixed in apache2 2.4.38-1 has caused the Debian Bug report #920303, regarding apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 920303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920303 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: apache2 Version: 2.4.37-1 Severity: important Tags: security upstream fixed-upstream Control: found -1 2.4.25-3+deb9u6 Control: found -1 2.4.25-3 Hi, The following vulnerability was published for apache2. CVE-2018-17199[0]: mod_session_cookie does not respect expiry time If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-17199 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199 [1] https://www.openwall.com/lists/oss-security/2019/01/22/3 Regards, Salvatore --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.38-1 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 920...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. 
Debian distribution maintenance software pp. Xavier Guimard (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 29 Jan 2019 23:49:49 +0100 Source: apache2 Binary: apache2 apache2-bin apache2-bin-dbgsym apache2-data apache2-dev apache2-doc apache2-ssl-dev apache2-suexec-custom apache2-suexec-custom-dbgsym apache2-suexec-pristine apache2-suexec-pristine-dbgsym apache2-utils apache2-utils-dbgsym libapache2-mod-md libapache2-mod-proxy-uwsgi Architecture: source Version: 2.4.38-1 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Xavier Guimard Closes: 880993 920220 920302 920303 Description: apache2- Apache HTTP Server apache2-bin - Apache HTTP Server (modules and other binary files) apache2-data - Apache HTTP Server (common files) apache2-dev - Apache HTTP Server (development headers) apache2-doc - Apache HTTP Server (on-site documentation) apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers) apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec apache2-utils - Apache HTTP Server (utility programs for web servers) libapache2-mod-md - transitional package libapache2-mod-proxy-uwsgi - transitional package Changes: apache2 (2.4.38-1) unstable; urgency=medium . [ Jelmer Vernooij ] * Reverted for now: Transition to automatic debug package (from: apache2-dbg) * Trim trailing whitespace * Use secure copyright file specification URI . [ Niels Thykier ] * Add Rules-Requires-Root: binary-targets . 
[ Xavier Guimard ] * Convert signing-key.pgp into signing-key.asc * Add http2.conf (Closes: #880993) * Remove unnecessary greater-than versioned dependency to dpkg-dev, libbrotli-dev and libapache2-mod-md * Declare compliance with policy 4.2.1 * Add spelling errors patch (reported) * Fix some spelling errors in debian files * Add myself to uploaders * Refresh patches * Bump debhelper compatibility level to 10 * debian/rules: - Remove unnecessary dh argument --parallel - use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog * Add upstream/metadata * Replace MIT by Expat in debian/copyright * debian/watch: use https url * Add documentation links in systemd service files * Team upload . [ Cyrille Bollu ] * Put HTTP2 configuration within tags as it gets automatically de-activated upon apache 'startup when using mpm_prefork. * Updated http2.conf to inform user that they may want to change their LogFormat directives. . [ Xavier Guimard ] * New upstream version 2.4.38 (Closes: #920220, #920302, #92
Bug#920220: marked as done (apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1)
Your message dated Tue, 29 Jan 2019 23:19:31 + with message-id and subject line Bug#920220: fixed in apache2 2.4.38-1 has caused the Debian Bug report #920220, regarding apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 920220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920220 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: apache2 Version: 2.4.37-1 Severity: grave Tags: patch security upstream Hi (Stefan), I agree the severity is not the best chosen one for this issue, it is more to ensure we could release buster with an appropriate fix already before the release. If you disagree, please do downgrade. The following vulnerability was published for apache2. CVE-2019-0190[0]: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-0190 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190 [1] https://marc.info/?l=oss-security=154817901921421=2 Please adjust the affected versions in the BTS as needed. Regards, Salvatore --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.38-1 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. 
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 920...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Xavier Guimard (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 29 Jan 2019 23:49:49 +0100 Source: apache2 Binary: apache2 apache2-bin apache2-bin-dbgsym apache2-data apache2-dev apache2-doc apache2-ssl-dev apache2-suexec-custom apache2-suexec-custom-dbgsym apache2-suexec-pristine apache2-suexec-pristine-dbgsym apache2-utils apache2-utils-dbgsym libapache2-mod-md libapache2-mod-proxy-uwsgi Architecture: source Version: 2.4.38-1 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Xavier Guimard Closes: 880993 920220 920302 920303 Description: apache2- Apache HTTP Server apache2-bin - Apache HTTP Server (modules and other binary files) apache2-data - Apache HTTP Server (common files) apache2-dev - Apache HTTP Server (development headers) apache2-doc - Apache HTTP Server (on-site documentation) apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers) apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec apache2-utils - Apache HTTP Server (utility programs for web servers) libapache2-mod-md - transitional package libapache2-mod-proxy-uwsgi - transitional package Changes: apache2 (2.4.38-1) unstable; urgency=medium . [ Jelmer Vernooij ] * Reverted for now: Transition to automatic debug package (from: apache2-dbg) * Trim trailing whitespace * Use secure copyright file specification URI . 
Bug#920302: marked as done (apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies)
Your message dated Tue, 29 Jan 2019 23:19:31 + with message-id and subject line Bug#920302: fixed in apache2 2.4.38-1 has caused the Debian Bug report #920302, regarding apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 920302: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920302 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: apache2 Version: 2.4.37-1 Severity: important Tags: security upstream fixed-upstream Control: found -1 2.4.25-3+deb9u6 Control: found -1 2.4.25-3 Hi, The following vulnerability was published for apache2. CVE-2018-17189[0]: mod_http2, DoS via slow, unneeded request bodies If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-17189 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17189 [1] https://www.openwall.com/lists/oss-security/2019/01/22/2 Regards, Salvatore --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.38-1 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 920...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. 
Debian distribution maintenance software pp. Xavier Guimard (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 29 Jan 2019 23:49:49 +0100 Source: apache2 Binary: apache2 apache2-bin apache2-bin-dbgsym apache2-data apache2-dev apache2-doc apache2-ssl-dev apache2-suexec-custom apache2-suexec-custom-dbgsym apache2-suexec-pristine apache2-suexec-pristine-dbgsym apache2-utils apache2-utils-dbgsym libapache2-mod-md libapache2-mod-proxy-uwsgi Architecture: source Version: 2.4.38-1 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Xavier Guimard Closes: 880993 920220 920302 920303 Description: apache2- Apache HTTP Server apache2-bin - Apache HTTP Server (modules and other binary files) apache2-data - Apache HTTP Server (common files) apache2-dev - Apache HTTP Server (development headers) apache2-doc - Apache HTTP Server (on-site documentation) apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers) apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec apache2-utils - Apache HTTP Server (utility programs for web servers) libapache2-mod-md - transitional package libapache2-mod-proxy-uwsgi - transitional package Changes: apache2 (2.4.38-1) unstable; urgency=medium . [ Jelmer Vernooij ] * Reverted for now: Transition to automatic debug package (from: apache2-dbg) * Trim trailing whitespace * Use secure copyright file specification URI . [ Niels Thykier ] * Add Rules-Requires-Root: binary-targets . 
Bug#880993: marked as done (enable http2 protocol when http2 module is enabled)
Your message dated Tue, 29 Jan 2019 23:19:31 + with message-id and subject line Bug#880993: fixed in apache2 2.4.38-1 has caused the Debian Bug report #880993, regarding enable http2 protocol when http2 module is enabled to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 880993: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880993 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: apache2 Version: 2.4.25-3+deb9u3 Severity: wishlist It's unclear to me why the http2 module in the Apache2 debian package doesn't *actually* enable the http2 *protocol*. Maybe I don't understand this right, but it seems to me that to enable http2 in apache/Debian, you need to do the following: a2enmod http2 But then also add some configuration blurb like this somewhere: Protocols h2 h2c http/1.1 The above configuration will enable HTTP/2 over TLS (h2) and HTTP/2 over TCP (h2c, cleartext) then keep the http/1.1 as a backwards-compatibility option. Why isn't this part of /etc/apache2/mods-available/http2.conf? It seems to me if you want to enable HTTP2 on the server, you'd expect this to just turn on as well. I can imagine that people may want to enable only on *some* virtual hosts, but then that config can be commented out or disabled and added to virtual host as needed. Or it can be disabled in the relevant vhosts as well. It could also be a good place to have, commented out, sample H2Push configurations as well... e.g. 
# # HTTP/2 push configuration # # H2Push on # # # Default Priority Rule # # H2PushPriority * After 16 # # # More complex ruleset: # # H2PushPriority * after # H2PushPriority text/cssbefore # H2PushPriority image/jpeg after 32 # H2PushPriority image/png after 32 # H2PushPriority application/javascript interleaved # # # Configure some stylesheet and script to be pushed by the webserver # # # Header add Link "; rel=preload; as=style" # Header add Link "; rel=preload; as=script" # More sample configs are here: https://httpd.apache.org/docs/2.4/mod/mod_http2.html#h2pushpriority What do you think? -- System Information: Debian Release: 9.1 APT prefers stable APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.38-1 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 880...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. 
Xavier Guimard (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 29 Jan 2019 23:49:49 +0100 Source: apache2 Binary: apache2 apache2-bin apache2-bin-dbgsym apache2-data apache2-dev apache2-doc apache2-ssl-dev apache2-suexec-custom apache2-suexec-custom-dbgsym apache2-suexec-pristine apache2-suexec-pristine-dbgsym apache2-utils apache2-utils-dbgsym libapache2-mod-md libapache2-mod-proxy-uwsgi Architecture: source Version: 2.4.38-1 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Xavier Guimard Closes: 880993 920220 920302 920303 Description: apache2- Apache HTTP Server apache2-bin - Apache HTTP Server (modules and other binary files) apache2-data - Apache HTTP Server (common files) apache2-dev - Apache HTTP Server (development headers) apache2-doc - Apache HTTP Server (on-site documentation) apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers) apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec apache2-utils - Apache HTTP Server (utility programs for web servers) libapache2-mod-md - transitional pac
Processed: Re: Bug#920235: Reading from /dev/urandom hangs from an Apache2 cgi-bin, but not from the shell
Processing control commands: > fixed 920235 apache2/2.4.23-4 Bug #920235 [apache2] Reading from /dev/urandom hangs from an Apache2 cgi-bin, but not from the shell Marked as fixed in versions apache2/2.4.23-4. > found 920235 apache2/2.4.23-5 Bug #920235 [apache2] Reading from /dev/urandom hangs from an Apache2 cgi-bin, but not from the shell Marked as found in versions apache2/2.4.23-5. > found 920235 apache2/2.4.37-1 Bug #920235 [apache2] Reading from /dev/urandom hangs from an Apache2 cgi-bin, but not from the shell Marked as found in versions apache2/2.4.37-1. -- 920235: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920235 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#920235: Reading from /dev/urandom hangs from an Apache2 cgi-bin, but not from the shell
Processing control commands: > fixed 920235 apache2/2.4.23-4 Bug #920235 [apache2] Reading from /dev/urandom hangs from an Apache2 cgi-bin, but not from the shell Marked as fixed in versions apache2/2.4.23-4; no longer marked as fixed in versions apache2/2.4.23-4. > found 920235 apache2/2.4.23-5 Bug #920235 [apache2] Reading from /dev/urandom hangs from an Apache2 cgi-bin, but not from the shell Ignoring request to alter found versions of bug #920235 to the same values previously set > found 920235 apache2/2.4.37-1 Bug #920235 [apache2] Reading from /dev/urandom hangs from an Apache2 cgi-bin, but not from the shell Ignoring request to alter found versions of bug #920235 to the same values previously set -- 920235: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920235 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: 882395
Processing commands for cont...@bugs.debian.org: > reassign 882395 certbot 0.28.0-1 Bug #882395 [apache2] Apache2 doesn't update SSLCipherSuites and SSLProtocol Bug reassigned from package 'apache2' to 'certbot'. No longer marked as found in versions 2.4.17. Ignoring request to alter fixed versions of bug #882395 to the same values previously set Bug #882395 [certbot] Apache2 doesn't update SSLCipherSuites and SSLProtocol Marked as found in versions python-certbot/0.28.0-1. > retitle 882395 certbot silently overrides apache's SSL configs Bug #882395 [certbot] Apache2 doesn't update SSLCipherSuites and SSLProtocol Changed Bug title to 'certbot silently overrides apache's SSL configs' from 'Apache2 doesn't update SSLCipherSuites and SSLProtocol'. > End of message, stopping processing here. Please contact me if you need assistance. -- 882395: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882395 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time
Processing control commands: > found -1 2.4.25-3+deb9u6 Bug #920303 [src:apache2] apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time Marked as found in versions apache2/2.4.25-3+deb9u6. > found -1 2.4.25-3 Bug #920303 [src:apache2] apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time Marked as found in versions apache2/2.4.25-3. -- 920303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920303 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies
Processing control commands: > found -1 2.4.25-3+deb9u6 Bug #920302 [src:apache2] apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies Marked as found in versions apache2/2.4.25-3+deb9u6. > found -1 2.4.25-3 Bug #920302 [src:apache2] apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies Marked as found in versions apache2/2.4.25-3. -- 920302: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920302 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#916375: apache2: Segmentation fault when mod_perl.so is loaded
Processing control commands: > reassign -1 libmariadbclient18 10.1.37-0+deb9u1 Bug #916375 [apache2] apache2: Segmentation fault when mod_perl.so is enabled Bug reassigned from package 'apache2' to 'libmariadbclient18'. No longer marked as found in versions apache2/2.4.25-3+deb9u6. Ignoring request to alter fixed versions of bug #916375 to the same values previously set Bug #916375 [libmariadbclient18] apache2: Segmentation fault when mod_perl.so is enabled Marked as found in versions mariadb-10.1/10.1.37-0+deb9u1. -- 916375: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916375 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: forcibly merging 904808 915642
Processing commands for cont...@bugs.debian.org: > forcemerge 904808 915642 Bug #904808 [libcap-ng0] libcap-ng0: libcap-ng's use of pthread_atfork causes segfaults Bug #914565 [libcap-ng0] php7.3-intl: Segfaults after apache2 graceful restart Bug #915642 [libcap-ng0] AuthBasicProvider PAM crashes apache Set Bug forwarded-to-address to 'https://github.com/stevegrubb/libcap-ng/issues/5'. 902658 was blocked by: 904808 914565 902658 was not blocking any bugs. Added blocking bug(s) of 902658: 915642 902657 was blocked by: 904808 914565 902657 was not blocking any bugs. Added blocking bug(s) of 902657: 915642 902657 was blocked by: 904808 915642 914565 902657 was not blocking any bugs. Ignoring request to alter blocking bugs of bug #902657 to the same blocks previously set 902658 was blocked by: 904808 915642 914565 902658 was not blocking any bugs. Ignoring request to alter blocking bugs of bug #902658 to the same blocks previously set Removed indication that 915642 affects libapache2-mod-authnz-pam Added indication that 915642 affects libapache2-mod-authnz-pam,php7.3-intl Added tag(s) patch. Bug #914565 [libcap-ng0] php7.3-intl: Segfaults after apache2 graceful restart Merged 904808 914565 915642 > thanks Stopping processing here. Please contact me if you need assistance. -- 902657: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902657 902658: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902658 904808: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904808 914565: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914565 915642: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915642 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: reassign 916829 to src:apr, found 916829 in 1.6.5-1
Processing commands for cont...@bugs.debian.org: > reassign 916829 src:apr Bug #916829 [release.debian.org] libapr1-dev is broken on unmerged /usr Bug reassigned from package 'release.debian.org' to 'src:apr'. Ignoring request to alter found versions of bug #916829 to the same values previously set Ignoring request to alter fixed versions of bug #916829 to the same values previously set > found 916829 1.6.5-1 Bug #916829 [src:apr] libapr1-dev is broken on unmerged /usr Marked as found in versions apr/1.6.5-1. > thanks Stopping processing here. Please contact me if you need assistance. -- 916829: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916829 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: libapr1-dev is broken on unmerged /usr
Processing control commands: > affects -1 + src:apr-util Bug #916829 [libapr1-dev] libapr1-dev is broken on unmerged /usr Added indication that 916829 affects src:apr-util -- 916829: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916829 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: reassign 914297 to systemd, affects 914297
Processing commands for cont...@bugs.debian.org: > reassign 914297 systemd Bug #914297 [apache2] apache2: getrandom call blocks on first startup, systemd kills with timeout Bug reassigned from package 'apache2' to 'systemd'. No longer marked as found in versions apache2/2.4.37-1. Ignoring request to alter fixed versions of bug #914297 to the same values previously set > affects 914297 apache2 Bug #914297 [systemd] apache2: getrandom call blocks on first startup, systemd kills with timeout Added indication that 914297 affects apache2 > thanks Stopping processing here. Please contact me if you need assistance. -- 914297: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914297 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Merge duplicates
Processing commands for cont...@bugs.debian.org: > reassign 914565 libcap-ng0 Bug #914565 [libcap-ng] php7.3-intl: Segfaults after apache2 graceful restart Bug reassigned from package 'libcap-ng' to 'libcap-ng0'. No longer marked as found in versions 0.7.9-1. Ignoring request to alter fixed versions of bug #914565 to the same values previously set > forcemerge 904808 914565 Bug #904808 [libcap-ng0] libcap-ng0: libcap-ng's use of pthread_atfork causes segfaults Bug #914565 [libcap-ng0] php7.3-intl: Segfaults after apache2 graceful restart Set Bug forwarded-to-address to 'https://github.com/stevegrubb/libcap-ng/issues/5'. Severity set to 'grave' from 'serious' 902657 was blocked by: 904808 902657 was not blocking any bugs. Added blocking bug(s) of 902657: 914565 902658 was blocked by: 904808 902658 was not blocking any bugs. Added blocking bug(s) of 902658: 914565 902658 was blocked by: 904808 914565 902658 was not blocking any bugs. Ignoring request to alter blocking bugs of bug #902658 to the same blocks previously set 902657 was blocked by: 904808 914565 902657 was not blocking any bugs. Ignoring request to alter blocking bugs of bug #902657 to the same blocks previously set Marked as found in versions libcap-ng/0.7.9-1. Merged 904808 914565 > affects 904808 php7.3-intl Bug #904808 [libcap-ng0] libcap-ng0: libcap-ng's use of pthread_atfork causes segfaults Bug #914565 [libcap-ng0] php7.3-intl: Segfaults after apache2 graceful restart Added indication that 904808 affects php7.3-intl Added indication that 914565 affects php7.3-intl > thanks Stopping processing here. Please contact me if you need assistance. -- 902657: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902657 902658: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902658 904808: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904808 914565: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914565 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: retitle 916375 apache2: Segmentation fault when mod_perl.so is enabled
Processing commands for cont...@bugs.debian.org: > retitle 916375 apache2: Segmentation fault when mod_perl.so is enabled Bug #916375 [apache2] apache2: Segmentation fault when mod_perl.so is loaded Changed Bug title to 'apache2: Segmentation fault when mod_perl.so is enabled' from 'apache2: Segmentation fault when mod_perl.so is loaded'. > End of message, stopping processing here. Please contact me if you need assistance. -- 916375: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916375 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: severity of 914297 is serious
Processing commands for cont...@bugs.debian.org: > severity 914297 serious Bug #914297 [apache2] apache2: getrandom call blocks on first startup, systemd kills with timeout Severity set to 'serious' from 'important' > thanks Stopping processing here. Please contact me if you need assistance. -- 914297: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914297 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: unarchiving 904150, found 904150 in 2.4.25-3
Processing commands for cont...@bugs.debian.org: > unarchive 904150 Bug #904150 {Done: Stefan Fritsch } [apache2] apache2: typo in maintainer script Unarchived Bug 904150 > found 904150 2.4.25-3 Bug #904150 {Done: Stefan Fritsch } [apache2] apache2: typo in maintainer script Marked as found in versions apache2/2.4.25-3. > thanks Stopping processing here. Please contact me if you need assistance. -- 904150: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904150 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: affects 902658
Processing commands for cont...@bugs.debian.org: > affects 902658 src:debian-edu Bug #902658 [apache2] graceful/restart results in segfault if libcap-ng0 is loaded Bug #902657 [apache2] graceful/restart results in segfault if libcap-ng0 is loaded Added indication that 902658 affects src:debian-edu Added indication that 902657 affects src:debian-edu > thanks Stopping processing here. Please contact me if you need assistance. -- 902657: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902657 902658: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902658 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: [bts-link] source package apache2
Processing commands for cont...@bugs.debian.org: > # > # bts-link upstream status pull for source package apache2 > # see http://lists.debian.org/debian-devel-announce/2006/05/msg1.html > # https://bts-link-team.pages.debian.net/bts-link/ > # > user debian-bts-l...@lists.debian.org Setting user to debian-bts-l...@lists.debian.org (was debian-bts-l...@lists.debian.org). > # remote status report for #268569 (http://bugs.debian.org/268569) > # Bug title: suexec to use PAM > # * http://issues.apache.org/bugzilla/show_bug.cgi?id=18325 > # * remote status changed: NEW -> RESOLVED > # * remote resolution changed: (?) -> LATER > # * closed upstream > tags 268569 + fixed-upstream Bug #268569 [apache2] suexec to use PAM Added tag(s) fixed-upstream. > usertags 268569 - status-NEW Usertags were: status-NEW. Usertags are now: . > usertags 268569 + status-RESOLVED resolution-LATER There were no usertags set. Usertags are now: resolution-LATER status-RESOLVED. > # remote status report for #393646 (http://bugs.debian.org/393646) > # Bug title: PATH_TRANSLATED: 'redirect:/~jablko/gallery2/main.php' > # * http://issues.apache.org/bugzilla/show_bug.cgi?id=40781 > # * remote status changed: NEW -> RESOLVED > # * remote resolution changed: (?) -> LATER > # * closed upstream > tags 393646 + fixed-upstream Bug #393646 [apache2] PATH_TRANSLATED: 'redirect:/~jablko/gallery2/main.php' Added tag(s) fixed-upstream. > usertags 393646 - status-NEW Usertags were: status-NEW. Usertags are now: . > usertags 393646 + status-RESOLVED resolution-LATER There were no usertags set. Usertags are now: status-RESOLVED resolution-LATER. > # remote status report for #528062 (http://bugs.debian.org/528062) > # Bug title: apache2: mod_userdir is broken with respect to suexec support. > patch included > # * http://issues.apache.org/bugzilla/show_bug.cgi?id=49439 > # * remote status changed: NEW -> RESOLVED > # * remote resolution changed: (?) 
-> LATER > # * closed upstream > tags 528062 + fixed-upstream Bug #528062 [apache2] apache2: mod_userdir is broken with respect to suexec support. patch included Added tag(s) fixed-upstream. > usertags 528062 - status-NEW Usertags were: status-NEW. Usertags are now: . > usertags 528062 + status-RESOLVED resolution-LATER There were no usertags set. Usertags are now: status-RESOLVED resolution-LATER. > # remote status report for #745605 (http://bugs.debian.org/745605) > # Bug title: Please enable AddDefaultCharset for javascript > # * http://issues.apache.org/bugzilla/show_bug.cgi?id=35049 > # * remote status changed: NEW -> RESOLVED > # * remote resolution changed: (?) -> LATER > # * closed upstream > tags 745605 + fixed-upstream Bug #745605 [apache2] Please enable AddDefaultCharset for javascript Added tag(s) fixed-upstream. > usertags 745605 - status-NEW Usertags were: status-NEW. Usertags are now: . > usertags 745605 + status-RESOLVED resolution-LATER There were no usertags set. Usertags are now: status-RESOLVED resolution-LATER. > thanks Stopping processing here. Please contact me if you need assistance. -- 268569: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=268569 393646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=393646 528062: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528062 745605: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745605 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#902906: marked as done (apache2-bin: mod_proxy_fcgi segfault on ap_fcgi_encoded_env_len if an environment variable value is null)
Your message dated Sun, 04 Nov 2018 11:47:09 + with message-id and subject line Bug#902906: fixed in apache2 2.4.25-3+deb9u6 has caused the Debian Bug report #902906, regarding apache2-bin: mod_proxy_fcgi segfault on ap_fcgi_encoded_env_len if an environment variable value is null to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
902906: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902906
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: apache2-bin
Version: 2.4.25-3+deb9u4
Severity: important
Tags: patch upstream

Dear Maintainer,

We got a lot of such segfaults in error.log, provoked by mod_proxy_fcgi:

[core:notice] [pid 43086:tid 139897736885440] AH00051: child pid 43114 exit signal Segmentation fault (11)

As recommended on https://wiki.apache.org/httpd/PHP-FPM, we use the following PHP-FPM invocation with SetHandler (running mpm_event):

```
SetHandler "proxy:unix:/run/fpm-pool-web999-php72.socket|fcgi://localhost"
```

Analyzing coredump:

```
$ gdb /usr/sbin/apache2 /tmp/coredump-apache2-11-33-33-43114-1530368206
(...)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
[Current thread is 1 (Thread 0x7f3c54ff9700 (LWP 43741))]
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x55b25cef8e57 in ap_fcgi_encoded_env_len (env=, maxlen=maxlen@entry=16384, starting_elem=starting_elem@entry=0x7f3c54ff8ae0) at util_fcgi.c:156
#2 0x7f3c74f4871d in send_environment (request_id=1, temp_pool=0x7f3c49e1c028, r=0x7f3c49e196c0, conn=0x7f3c72bbb0a0) at mod_proxy_fcgi.c:321
#3 fcgi_do_request (p=, origin=0x0, uri=, url=, server_portstr=0x7f3c54ff8b40 "", conf=0x7f3c7ae24490, conn=0x7f3c72bbb0a0, r=0x7f3c49e196c0) at mod_proxy_fcgi.c:848
#4 proxy_fcgi_handler (r=0x7f3c49e196c0, worker=, conf=, url=, proxyname=, proxyport=) at mod_proxy_fcgi.c:968
#5 0x7f3c751562bc in proxy_run_scheme_handler (r=r@entry=0x7f3c49e196c0, worker=0x7f3c7ad7abf0, conf=conf@entry=0x7f3c7ae2bdd0, url=0x7f3c49e13b08 "fcgi://localhost/var/www/shared/error_docs/400.php", proxyhost=proxyhost@entry=0x0, proxyport=proxyport@entry=0) at mod_proxy.c:2880
#6 0x7f3c75157231 in proxy_handler (r=0x7f3c49e196c0) at mod_proxy.c:1230
#7 0x55b25cef1c40 in ap_run_handler (r=r@entry=0x7f3c49e196c0) at config.c:170
#8 0x55b25cef21d6 in ap_invoke_handler (r=r@entry=0x7f3c49e196c0) at config.c:434
#9 0x55b25cf090bc in ap_internal_redirect (new_uri=, r=) at http_request.c:765
#10 0x55b25cedc5b5 in ap_read_request (conn=conn@entry=0x7f3c49e28348) at protocol.c:1285
#11 0x55b25cf0604d in ap_process_http_async_connection (c=0x7f3c49e28348) at http_core.c:146
#12 ap_process_http_connection (c=0x7f3c49e28348) at http_core.c:248
#13 0x55b25cefba70 in ap_run_process_connection (c=c@entry=0x7f3c49e28348) at connection.c:42
#14 0x7f3c755786e8 in process_socket (my_thread_num=, my_child_num=, cs=0x7f3c49e282b8, sock=, p=0x7f3c49e28028, thd=) at event.c:1099
#15 worker_thread (thd=, dummy=) at event.c:2003
#16 0x7f3c7a3a4494 in start_thread (arg=0x7f3c54ff9700) at pthread_create.c:333
#17 0x7f3c7a0e6acf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
```

The issue was reported
upstream, Apache Bug 60275, including a patch: https://bz.apache.org/bugzilla/show_bug.cgi?id=60275 The patch made it into upstream Apache 2.4.26 (see https://www.apache.org/dist/httpd/CHANGES_2.4): *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when modules add empty environment variables to the request. PR 60275. [] I have applied the provided patch on apache2_2.4.25-3+deb9u4_amd64 and installed apache2-bin. This resolved the issue 100% (Apache was previously crashing on avg 15 times/h over months, since installing patched apache2-bin no more single segfault!). apache2-2.4.25-pr60275.patch: ```diff diff -ur apache2-2.4.25/server/util_fcgi.c apache2-2.4.25-patched/server/util_fcgi.c --- apache2-2.4.25/server/util_fcgi.c 2015-07-20 12:28:13.0 +0200 +++ apache2-2.4.25-patched/server/util_fcgi.c 2018-07-01 09:16:08.122664970 +0200 @@ -153,7 +153,11 @@ envlen += keylen; -vallen = strlen(elts[i].val); + if (!elts[i].val)
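Review bot: the new `if (!elts[i].val)` guard in ap_fcgi_encoded_env_len() (the @@ -153 hunk of server/util_fcgi.c) only protects the length pass, so any code that later reads the same table entries to encode them needs the same NULL handling, or a NULL value may reach strlen() there as it did at util_fcgi.c:156 in the backtrace. The body of the branch is not visible here; confirm that the NULL case sets vallen to 0 rather than skipping the entry, so the computed length stays in step with what is written, and add a short comment noting that modules can leave val NULL.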
Bug#909591: marked as done (apache2: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames)
Your message dated Sun, 04 Nov 2018 11:47:09 + with message-id and subject line Bug#909591: fixed in apache2 2.4.25-3+deb9u6 has caused the Debian Bug report #909591, regarding apache2: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 909591: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909591 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: apache2 Version: 2.4.25-1 Severity: important Tags: security upstream Hi, The following vulnerability was published for apache2. CVE-2018-11763[0]: mod_http2, DoS via continuous SETTINGS frames If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-11763 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11763 [1] https://lists.apache.org/thread.html/d435b0267a76501b9e06c552b20c887171064cde38e46d678da4d3dd@%3Cannounce.httpd.apache.org%3E Regards, Salvatore --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.25-3+deb9u6 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 909...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. 
Debian distribution maintenance software pp. Stefan Fritsch (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 03 Nov 2018 19:46:19 +0100 Source: apache2 Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg Architecture: source amd64 all Version: 2.4.25-3+deb9u6 Distribution: stretch Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Stefan Fritsch Description: apache2- Apache HTTP Server apache2-bin - Apache HTTP Server (modules and other binary files) apache2-data - Apache HTTP Server (common files) apache2-dbg - Apache debugging symbols apache2-dev - Apache HTTP Server (development headers) apache2-doc - Apache HTTP Server (on-site documentation) apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers) apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec apache2-utils - Apache HTTP Server (utility programs for web servers) Closes: 902906 904106 909591 Changes: apache2 (2.4.25-3+deb9u6) stretch; urgency=medium . * CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106 * CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS. Closes: #909591 * mod_proxy_fcgi: Fix segfault. 
Closes: #902906
Bug#910218: marked as done (libapache2-mod-proxy-uwsgi: copyright file missing after upgrade (policy 12.5))
Your message dated Sat, 03 Nov 2018 14:53:37 + with message-id and subject line Bug#910218: fixed in apache2 2.4.37-1 has caused the Debian Bug report #910218, regarding libapache2-mod-proxy-uwsgi: copyright file missing after upgrade (policy 12.5) to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 910218: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910218 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: libapache2-mod-proxy-uwsgi Version: 2.4.34-1 Severity: serious User: debian...@lists.debian.org Usertags: piuparts Hi, a test with piuparts revealed that your package misses the copyright file after an upgrade, which is a violation of Policy 12.5: https://www.debian.org/doc/debian-policy/ch-docs.html#copyright-information After the upgrade /usr/share/doc/$PACKAGE/ is just an empty directory. This was observed on the following upgrade paths: stretch -> buster >From the attached log (scroll to the bottom...): 0m43.3s ERROR: WARN: Inadequate results from running adequate! libapache2-mod-proxy-uwsgi: missing-copyright-file /usr/share/doc/libapache2-mod-proxy-uwsgi/copyright MISSING COPYRIGHT FILE: /usr/share/doc/libapache2-mod-proxy-uwsgi/copyright # ls -lad /usr/share/doc/libapache2-mod-proxy-uwsgi drwxr-xr-x 2 root root 40 Aug 2 15:26 /usr/share/doc/libapache2-mod-proxy-uwsgi # ls -la /usr/share/doc/libapache2-mod-proxy-uwsgi/ total 0 drwxr-xr-x 2 root root 40 Aug 2 15:26 . drwxr-xr-x 140 root root 2940 Aug 2 15:26 .. 
Additional info may be available here: https://wiki.debian.org/MissingCopyrightFile Note that dpkg intentionally does not replace directories with symlinks and vice versa, you need the maintainer scripts to do this. See in particular the end of point 4 in https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#details-of-unpack-phase-of-installation-or-upgrade It is recommended to use the dpkg-maintscript-helper commands 'dir_to_symlink' and 'symlink_to_dir' (available since dpkg 1.17.14) to perform the conversion, ideally using d/$PACKAGE.maintscript. Do not forget to add 'Pre-Depends: ${misc:Pre-Depends}' in d/control. See dpkg-maintscript-helper(1) and dh_installdeb(1) for details. cheers, Andreas libapache2-mod-proxy-uwsgi_2.4.34-1.log.gz Description: application/gzip --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.37-1 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 910...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. 
Stefan Fritsch (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 03 Nov 2018 14:26:31 +0100 Source: apache2 Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg libapache2-mod-md libapache2-mod-proxy-uwsgi Architecture: source amd64 all Version: 2.4.37-1 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Stefan Fritsch Description: apache2- Apache HTTP Server apache2-bin - Apache HTTP Server (modules and other binary files) apache2-data - Apache HTTP Server (common files) apache2-dbg - Apache debugging symbols apache2-dev - Apache HTTP Server (development headers) apache2-doc - Apache HTTP Server (on-site documentation) apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers) apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec apache2-utils - Apache HTTP Server (utility programs for web servers) libapache2-mod-md - transitional package libapache2-mod-proxy-uwsgi - transitional package Closes: 910218 Changes: apache2 (2.4.37-1) unstable; urgency=medium . * New upstream version - mod_ssl: Add support for TLSv1.3 * Add docs symlink for libapache2-mod-proxy-uwsgi. Closes: #910218 * Update test-framework to r1845652 * Fix test suite to actual
Bug#910979: marked as done (libapache2-mod-proxy-uwsgi: copyright file missing after upgrade (policy 12.5))
Processed: tagging 910218
Processing commands for cont...@bugs.debian.org: > tags 910218 + pending Bug #910218 [libapache2-mod-proxy-uwsgi] libapache2-mod-proxy-uwsgi: copyright file missing after upgrade (policy 12.5) Bug #910979 [libapache2-mod-proxy-uwsgi] libapache2-mod-proxy-uwsgi: copyright file missing after upgrade (policy 12.5) Added tag(s) pending. Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 910218: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910218 910979: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910979 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: tagging 902906
Processing commands for cont...@bugs.debian.org: > tags 902906 + pending Bug #902906 [apache2-bin] apache2-bin: mod_proxy_fcgi segfault on ap_fcgi_encoded_env_len if an environment variable value is null Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 902906: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902906 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: notfound 811308 in 8:6.8.9.9-7, found 811308 in 8:6.8.9.9-7, tagging 842316 ..., fixed 849748 in 234
bin/bugreport.cgi?bug=904663 904950: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904950 904991: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904991 905016: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905016 905199: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905199 905253: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905253 905664: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905664 907784: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907784 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#911144: marked as done (apache2: Apache2 not working with CGI enabled)
Your message dated Tue, 16 Oct 2018 14:13:11 +0200 with message-id <150e70a5-d57f-4958-a946-e0e7457f0...@sury.org> and subject line Re: Bug#911144: apache2: Apache2 not working with CGI enabled has caused the Debian Bug report #911144, regarding apache2: Apache2 not working with CGI enabled to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
911144: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911144
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: apache2
Version: 2.4.25-3+deb9u5
Severity: important

Dear Maintainer,

This is a fresh Raspbian install with a brand new install of apache 2.4.25. Everything was working fine until I enabled CGI by entering `a2enmod cgi`. Now I cannot even run a raw html page, because apache is expecting it to be a script:

[Mon Oct 15 09:02:02.196180 2018] [cgid:error] [pid 17010:tid 1995407360] (8)Exec format error: AH01241: exec of '/usr/lib/cgi-bin/Thermostat/index.html' failed
[Mon Oct 15 09:02:02.198189 2018] [cgid:error] [pid 16450:tid 1945105456] [client 192.168.1.21:59329] End of script output before headers: index.html

What is far worse, I can't get any script to run if it generates any html code. The system complains of a bad header, or in some cases invalid characters in the header.
I have tried every header of which I can think: http://www.w3.org/TR/html4/loose.dtd;> http://www.w3.org/TR/html4/strict.dtd;> -- Package-specific info: -- System Information: Distributor ID: Raspbian Description: Raspbian GNU/Linux 9.4 (stretch) Release: 9.4 Codename: stretch Architecture: armv7l Kernel: Linux 4.14.50-v7+ (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages apache2 depends on: ii apache2-bin 2.4.25-3+deb9u5 ii apache2-data 2.4.25-3+deb9u5 ii apache2-utils 2.4.25-3+deb9u5 ii dpkg 1.18.24 ii init-system-helpers 1.48 ii lsb-base 9.20161125+rpi1 ii mime-support 3.60 ii perl 5.24.1-3+deb9u4 ii procps 2:3.3.12-3+deb9u1 Versions of packages apache2 recommends: ii ssl-cert 1.0.39 Versions of packages apache2 suggests: pn apache2-doc pn apache2-suexec-pristine | apache2-suexec-custom pn www-browser Versions of packages apache2-bin depends on: ii libapr1 1.5.2-5 ii libaprutil1 1.5.4-3 ii libaprutil1-dbd-sqlite3 1.5.4-3 ii libaprutil1-ldap 1.5.4-3 ii libc6 2.24-11+deb9u3 ii libldap-2.4-2 2.4.44+dfsg-5+deb9u1 ii liblua5.2-0 5.2.4-1.1 ii libnghttp2-14 1.18.1-1 ii libpcre3 2:8.39-3 ii libssl1.0.2 1.0.2l-2+deb9u3 ii libxml2 2.9.4+dfsg1-2.2+deb9u2 ii perl 5.24.1-3+deb9u4 ii zlib1g 1:1.2.8.dfsg-5 Versions of packages apache2-bin suggests: pn apache2-doc pn apache2-suexec-pristine | apache2-suexec-custom pn www-browser Versions of packages apache2 is related to: ii apache2 2.4.25-3+deb9u5 ii apache2-bin 2.4.25-3+deb9u5 -- no debconf information --- End Message --- --- Begin Message --- CGI Scripts are executable scripts that generate HTTP Headers and a web page content. You cannot simply dump a HTML file in /usr/lib/cgi-bin/ and expect it to work. I don’t think this is a bug in the apache2 package. 
Ondrej -- Ondřej Surý ond...@sury.org > On 16 Oct 2018, at 13:00, Leslie Rhorer wrote: > > Package: apache2 > Version: 2.4.25-3+deb9u5 > Severity: important > > Dear Maintainer, > > This is a fresh Raspbian install with a brand new install of apache > 2.4.25. Everything was working fine until I enabled CGI by entering > `a2enmod cgi`. Now I cannot even run a raw html page, because apache is > expecting it to be a script: > > [Mon Oct 15 09:02:02.196180 2018] [cgid:error] [pid 17010:tid > 1995407360] (8)Exec format error: AH01241: exec of > '/usr/lib/cgi-bin/Thermostat/index.html' failed > [Mon Oct 15 09:02:02.198189 2018] [cgid:error] [pid 16450:tid > 1945105456] [client 192.168.1.21:59329] End of script output before > headers: index.html > > What is far worse, I can't get any script to run if it generates any ht
Bug#909591: marked as done (apache2: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames)
Your message dated Sun, 07 Oct 2018 11:34:26 + with message-id and subject line Bug#909591: fixed in apache2 2.4.35-1 has caused the Debian Bug report #909591, regarding apache2: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 909591: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909591 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: apache2 Version: 2.4.25-1 Severity: important Tags: security upstream Hi, The following vulnerability was published for apache2. CVE-2018-11763[0]: mod_http2, DoS via continuous SETTINGS frames If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-11763 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11763 [1] https://lists.apache.org/thread.html/d435b0267a76501b9e06c552b20c887171064cde38e46d678da4d3dd@%3Cannounce.httpd.apache.org%3E Regards, Salvatore --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.35-1 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 909...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. 
Debian distribution maintenance software pp. Stefan Fritsch (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sun, 07 Oct 2018 12:54:58 +0200 Source: apache2 Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg libapache2-mod-md libapache2-mod-proxy-uwsgi Architecture: source amd64 all Version: 2.4.35-1 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Stefan Fritsch Description: apache2- Apache HTTP Server apache2-bin - Apache HTTP Server (modules and other binary files) apache2-data - Apache HTTP Server (common files) apache2-dbg - Apache debugging symbols apache2-dev - Apache HTTP Server (development headers) apache2-doc - Apache HTTP Server (on-site documentation) apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers) apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec apache2-utils - Apache HTTP Server (utility programs for web servers) libapache2-mod-md - transitional package libapache2-mod-proxy-uwsgi - transitional package Closes: 909591 Changes: apache2 (2.4.35-1) unstable; urgency=medium . * New upstream version 2.4.35 Security fix: - CVE-2018-11763: DoS for HTTP/2 connections by continuous SETTINGS Closes: #909591 * Fix lintian warning: Don't force xz in builddeb override. 
Bug#889750: marked as done (apr-util: Runs testuite during building even when "nocheck" is set)
Your message dated Tue, 18 Sep 2018 21:13:09 +0200 with message-id <3628648.s5Na89E8FR@k> and subject line Re: Bug#889750: apr-util: Runs testuite during building even when "nocheck" is set has caused the Debian Bug report #889750, regarding apr-util: Runs testuite during building even when "nocheck" is set to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 889750: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889750 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: apr-util Version: 1.6.1-1 Severity: normal Hi! I just tried building src:apr-util manually with "nocheck" added to DEB_BUILD_OPTIONS. However, the testsuite is still run anyway meaning that the check for "nocheck" in DEB_BUILD_OPTIONS in debian/rules does not work. Thanks, Adrian -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `-GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913 --- End Message --- --- Begin Message --- On Tuesday, 6 February 2018 20:37:08 CEST John Paul Adrian Glaubitz wrote: > I just tried building src:apr-util manually with "nocheck" added > to DEB_BUILD_OPTIONS. However, the testsuite is still run anyway > meaning that the check for "nocheck" in DEB_BUILD_OPTIONS in > debian/rules does not work. This works for me with 1.6.1-2. Maybe you forgot to export the variable? Or it was fixed by some of the debhelper changes in 1.6.1-2. Closing the bug--- End Message ---
Processed: tagging 902906
Processing commands for cont...@bugs.debian.org: > tags 902906 + stretch Bug #902906 [apache2-bin] apache2-bin: mod_proxy_fcgi segfault on ap_fcgi_encoded_env_len if an environment variable value is null Added tag(s) stretch. > thanks Stopping processing here. Please contact me if you need assistance. -- 902906: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902906 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: tagging 904150
Processing commands for cont...@bugs.debian.org: > tags 904150 + stretch Bug #904150 {Done: Stefan Fritsch } [apache2] apache2: typo in maintainer script Added tag(s) stretch. > thanks Stopping processing here. Please contact me if you need assistance. -- 904150: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904150 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: tagging 902657
Processing commands for cont...@bugs.debian.org: > tags 902657 - a11y Bug #902657 [apache2] graceful/restart results in segfault if libcap-ng0 is loaded Bug #902658 [apache2] graceful/restart results in segfault if libcap-ng0 is loaded Removed tag(s) a11y. Removed tag(s) a11y. > thanks Stopping processing here. Please contact me if you need assistance. -- 902657: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902657 902658: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902658 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Segfault is caused by libcap-ng0 0.7.9
Processing commands for cont...@bugs.debian.org: > retitle 902657 graceful/restart results in segfault if libcap-ng0 is loaded Bug #902657 [apache2] apache2: apachectl graceful/restart results in segfault Bug #902658 [apache2] apache2: apachectl graceful/restart results in segfault Changed Bug title to 'graceful/restart results in segfault if libcap-ng0 is loaded' from 'apache2: apachectl graceful/restart results in segfault'. Changed Bug title to 'graceful/restart results in segfault if libcap-ng0 is loaded' from 'apache2: apachectl graceful/restart results in segfault'. > severity 902657 important Bug #902657 [apache2] graceful/restart results in segfault if libcap-ng0 is loaded Bug #902658 [apache2] graceful/restart results in segfault if libcap-ng0 is loaded Severity set to 'important' from 'grave' Severity set to 'important' from 'grave' > block 902657 by 904808 Bug #902657 [apache2] graceful/restart results in segfault if libcap-ng0 is loaded Bug #902658 [apache2] graceful/restart results in segfault if libcap-ng0 is loaded 902657 was not blocked by any bugs. 902657 was not blocking any bugs. Added blocking bug(s) of 902657: 904808 902658 was not blocked by any bugs. 902658 was not blocking any bugs. Added blocking bug(s) of 902658: 904808 > thanks Stopping processing here. Please contact me if you need assistance. -- 902657: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902657 902658: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902658 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#904106: marked as done (apache2: CVE-2018-1333: DoS for HTTP/2 connections by crafted requests)
Your message dated Fri, 27 Jul 2018 20:38:08 + with message-id and subject line Bug#904106: fixed in apache2 2.4.34-1 has caused the Debian Bug report #904106, regarding apache2: CVE-2018-1333: DoS for HTTP/2 connections by crafted requests to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 904106: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904106 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: apache2 Version: 2.4.18-1 Severity: important Tags: security upstream Hi, The following vulnerability was published for apache2. CVE-2018-1333[0]: | By specially crafting HTTP/2 requests, workers would be allocated 60 | seconds longer than necessary, leading to worker exhaustion and a | denial of service. Fixed in Apache HTTP Server 2.4.34 (Affected | 2.4.18-2.4.30,2.4.33). If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-1333 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1333 [1] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-1333 Regards, Salvatore --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.34-1 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. 
If you have further comments please address them to 904...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Stefan Fritsch (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Fri, 27 Jul 2018 21:37:37 +0200 Source: apache2 Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg libapache2-mod-md libapache2-mod-proxy-uwsgi Architecture: source amd64 all Version: 2.4.34-1 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Stefan Fritsch Description: apache2- Apache HTTP Server apache2-bin - Apache HTTP Server (modules and other binary files) apache2-data - Apache HTTP Server (common files) apache2-dbg - Apache debugging symbols apache2-dev - Apache HTTP Server (development headers) apache2-doc - Apache HTTP Server (on-site documentation) apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers) apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec apache2-utils - Apache HTTP Server (utility programs for web servers) libapache2-mod-md - transitional package libapache2-mod-proxy-uwsgi - transitional package Closes: 904106 904107 904150 904641 Changes: apache2 (2.4.34-1) unstable; urgency=medium . [ Ondřej Surý ] * New upstream version 2.4.34 Security fixes: - CVE-2018-1333: Denial of service in mod_http2. Closes: #904106 - CVE-2018-8011: Denial of service in mod_md. Closes: #904107 * Refresh patches for Apache2 2.4.34 release * Update the suexec-custom.patch for 2.4.34 release . 
[ Stefan Fritsch ] * Remove load order dependency introduced in mod_lbmethod_* in 2.4.34 * Remove debian/gbp.conf. Closes: #904641 * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper. Closes: #904150
Bug#904107: marked as done (apache2: CVE-2018-8011: mod_md, DoS via Coredumps on specially crafted requests)
Your message dated Fri, 27 Jul 2018 20:38:08 + with message-id and subject line Bug#904107: fixed in apache2 2.4.34-1 has caused the Debian Bug report #904107, regarding apache2: CVE-2018-8011: mod_md, DoS via Coredumps on specially crafted requests to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 904107: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904107 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: apache2 Version: 2.4.33-1 Severity: important Tags: security upstream Hi, The following vulnerability was published for apache2. CVE-2018-8011[0]: | By specially crafting HTTP requests, the mod_md challenge handler | would dereference a NULL pointer and cause the child process to | segfault. This could be used to DoS the server. Fixed in Apache HTTP | Server 2.4.34 (Affected 2.4.33). If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-8011 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8011 [1] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011 Please adjust the affected versions in the BTS as needed. Regards, Salvatore --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.34-1 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. 
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 904...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Stefan Fritsch (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Fri, 27 Jul 2018 21:37:37 +0200 Source: apache2 Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg libapache2-mod-md libapache2-mod-proxy-uwsgi Architecture: source amd64 all Version: 2.4.34-1 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Stefan Fritsch Description: apache2- Apache HTTP Server apache2-bin - Apache HTTP Server (modules and other binary files) apache2-data - Apache HTTP Server (common files) apache2-dbg - Apache debugging symbols apache2-dev - Apache HTTP Server (development headers) apache2-doc - Apache HTTP Server (on-site documentation) apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers) apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec apache2-utils - Apache HTTP Server (utility programs for web servers) libapache2-mod-md - transitional package libapache2-mod-proxy-uwsgi - transitional package Closes: 904106 904107 904150 904641 Changes: apache2 (2.4.34-1) unstable; urgency=medium . [ Ondřej Surý ] * New upstream version 2.4.34 Security fixes: - CVE-2018-1333: Denial of service in mod_http2. Closes: #904106 - CVE-2018-8011: Denial of service in mod_md. 
Closes: #904107 * Refresh patches for Apache2 2.4.34 release * Update the suexec-custom.patch for 2.4.34 release . [ Stefan Fritsch ] * Remove load order dependency introduced in mod_lbmethod_* in 2.4.34 * Remove debian/gbp.conf. Closes: #904641 * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper. Closes: #904150
Bug#904150: marked as done (apache2: typo in maintainer script)
Your message dated Fri, 27 Jul 2018 20:38:08 + with message-id and subject line Bug#904150: fixed in apache2 2.4.34-1 has caused the Debian Bug report #904150, regarding apache2: typo in maintainer script to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 904150: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904150 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: apache2 Version: 2.4.33-3 Severity: normal Dear Maintainer, Tim Bishop filed this bug in Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1782806 showing what appears to be a typo in a maintainer script: https://salsa.debian.org/apache-team/apache2/blob/master/debian/debhelper/apache2-maintscript-helper#L290 a2query -m "$mpm_$MPM" > /dev/null 2>&1 || a2query_ret=$? The argument to -m was probably meant to be "mpm_$MPM", as the shell function where this statement lives explicitly requests that the mpm module name should not have a "mpm_" prefix. The fix should be as simple as this: --- a/debian/debhelper/apache2-maintscript-helper +++ b/debian/debhelper/apache2-maintscript-helper 
@@ -287,7 +287,7 @@ apache2_switch_mpm() fi local a2query_ret=0 - a2query -m "$mpm_$MPM" > /dev/null 2>&1 || a2query_ret=$? + a2query -m "mpm_$MPM" > /dev/null 2>&1 || a2query_ret=$? case $a2query_ret in 0) Thanks! --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.34-1 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 904...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Stefan Fritsch (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Fri, 27 Jul 2018 21:37:37 +0200 Source: apache2 Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg libapache2-mod-md libapache2-mod-proxy-uwsgi Architecture: source amd64 all Version: 2.4.34-1 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Stefan Fritsch Description: apache2- Apache HTTP Server apache2-bin - Apache HTTP Server (modules and other binary files) apache2-data - Apache HTTP Server (common files) apache2-dbg - Apache debugging symbols apache2-dev - Apache HTTP Server (development headers) apache2-doc - Apache HTTP Server (on-site documentation) apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers) apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec apache2-suexec-pristine - Apache HTTP Server standard suexec program for 
mod_suexec apache2-utils - Apache HTTP Server (utility programs for web servers) libapache2-mod-md - transitional package libapache2-mod-proxy-uwsgi - transitional package Closes: 904106 904107 904150 904641 Changes: apache2 (2.4.34-1) unstable; urgency=medium . [ Ondřej Surý ] * New upstream version 2.4.34 Security fixes: - CVE-2018-1333: Denial of service in mod_http2. Closes: #904106 - CVE-2018-8011: Denial of service in mod_md. Closes: #904107 * Refresh patches for Apache2 2.4.34 release * Update the suexec-custom.patch for 2.4.34 release . [ Stefan Fritsch ] * Remove load order dependency introduced in mod_lbmethod_* in 2.4.34 * Remove debian/gbp.conf. Closes: #904641 * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper. Closes: #904150
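Review bot: in the Bug#904150 patch, on the changed `a2query -m` line in apache2_switch_mpm(), write the argument as "mpm_${MPM}" rather than "mpm_$MPM", so the end of the variable name is explicit. The removed line shows why that matters: in "$mpm_$MPM" the shell reads `$mpm_` as a variable of its own, because an underscore is a valid name character, so the intended literal prefix was replaced by whatever `mpm_` held (nothing, if unset) and the query ran against the bare MPM name. The same line sends both stdout and stderr to /dev/null and keeps only the exit status in a2query_ret, so nothing surfaced the mistake; a short comment above the call stating that $MPM is passed without the mpm_ prefix would help the next reader.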
Bug#897705: marked as done (apr: ftbfs with GCC-8)
Your message dated Tue, 17 Jul 2018 19:49:14 + with message-id and subject line Bug#897705: fixed in apr 1.6.3-3 has caused the Debian Bug report #897705, regarding apr: ftbfs with GCC-8 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 897705: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897705 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: src:apr Version: 1.6.3-2 Severity: normal Tags: sid buster User: debian-...@lists.debian.org Usertags: ftbfs-gcc-8 Please keep this issue open in the bug tracker for the package it was filed for. If a fix in another package is required, please file a bug for the other package (or clone), and add a block in this package. Please keep the issue open until the package can be built in a follow-up test rebuild. The package fails to build in a test rebuild on at least amd64 with gcc-8/g++-8, but succeeds to build with gcc-7/g++-7. The severity of this report will be raised before the buster release. The full build log can be found at: http://aws-logs.debian.net/2018/05/01/gcc8/apr_1.6.3-2_unstable_gcc8.log.gz The last lines of the build log are at the end of this report. To build with GCC 8, either set CC=gcc-8 CXX=g++-8 explicitly, or install the gcc, g++, gfortran, ... packages from experimental. apt-get -t=experimental install g++ Common build failures are new warnings resulting in build failures with -Werror turned on, or new/dropped symbols in Debian symbols files. For other C/C++ related build failures see the porting guide at http://gcc.gnu.org/gcc-8/porting_to.html [...] 
testpools : SUCCESS testproc: SUCCESS testprocmutex : SUCCESS testrand: SUCCESS testsleep : SUCCESS testshm : SUCCESS testsockopt : SUCCESS teststr : E: Build killed with signal TERM after 150 minutes of inactivity Build finished at 2018-05-02T12:34:43Z Finished +--+ | Cleanup | +--+ Purging /<> Not cleaning session: cloned chroot in use E: Build failure (dpkg-buildpackage died) +--+ | Summary | +--+ Build Architecture: amd64 Build Type: any Build-Space: 36324 Build-Time: 9100 Distribution: unstable Fail-Stage: build Host Architecture: amd64 Install-Time: 13 Job: apr_1.6.3-2 Machine Architecture: amd64 Package: apr Package-Time: 9142 Source-Version: 1.6.3-2 Space: 36324 Status: attempted Version: 1.6.3-2 Finished at 2018-05-02T12:34:43Z Build needed 02:32:22, 36324k disk space E: Build failure (dpkg-buildpackage died) DC-Status: Failed 9142.619472132s DC-Time-Estimation: 9142.619472132 versus expected 128 (r/m: 70.42671462603126 ; m: 128.0) --- End Message --- --- Begin Message --- Source: apr Source-Version: 1.6.3-3 We believe that the bug you reported is fixed in the latest version of apr, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 897...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. 
Stefan Fritsch (supplier of updated apr package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 17 Jul 2018 21:17:00 +0200 Source: apr Binary: libapr1 libapr1-dev libapr1-dbg Architecture: source amd64 Version: 1.6.3-3 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Stefan Fritsch Description: libapr1- Apache Portable Runtime Library libapr1-dbg - Apache Portable Runtime Library - Debugging Symbols libapr1-dev - Apache Portable Runtime Library - Development Headers Closes: 897705 Changes: apr (1.6.3-3) unstable; u
Bug#887889: marked as done (Can't open debian/tmp/usr/lib/x86_64-linux-gnu/libapr-1.la: No such file or directory.)
Your message dated Tue, 17 Jul 2018 21:16:15 +0200 with message-id <1689521.dmhZi94sub@k> and subject line Can't open debian/tmp/usr/lib/x86_64-linux-gnu/libapr-1.la: No such file or directory. has caused the Debian Bug report #887889, regarding Can't open debian/tmp/usr/lib/x86_64-linux-gnu/libapr-1.la: No such file or directory. to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 887889: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887889 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: apr Version: 1.6.3-1 Building apr in a sid chroot as non-root with: dpkg-buildpackage --no-sign --build=binary leads to: dpkg-buildpackage: info: source package apr dpkg-buildpackage: info: source version 1.6.3-1+9.3 dpkg-buildpackage: info: source distribution stable dpkg-buildpackage: info: host architecture amd64 dpkg-source --before-build apr-1.6.3-1 fakeroot debian/rules clean dh clean -Bdebian/build --parallel --with autotools_dev dh: The autotools-dev sequence is deprecated and replaced by dh in debhelper (>= 9.20160115) dh: This feature will be removed in compat 12. dh_testdir -O-Bdebian/build -O--parallel debian/rules override_dh_auto_clean make[1]: Entering directory '/home/actionmystique/src/Apr/apr-1.6.3-1' dh_auto_clean rm -rf debian/build for f in configure build/libtool.m4 build/ltmain.sh ; do [ ! 
-e $f.dr-orig ] || mv $f.dr-orig $f ; done make[1]: Leaving directory '/home/actionmystique/src/Apr/apr-1.6.3-1' dh_autotools-dev_restoreconfig -O-Bdebian/build -O--parallel dh_autotools-dev_restoreconfig: dh_autotools-dev_restoreconfig is deprecated; please see dh_autotools-dev_restoreconfig(1) for a replacement dh_autotools-dev_restoreconfig: This feature will be removed in compat 12. dh_clean -O-Bdebian/build -O--parallel debian/rules build make: Nothing to be done for 'build'. fakeroot debian/rules binary dh binary -Bdebian/build --parallel --with autotools_dev dh: The autotools-dev sequence is deprecated and replaced by dh in debhelper (>= 9.20160115) dh: This feature will be removed in compat 12. debian/rules build make[1]: Entering directory '/home/actionmystique/src/Apr/apr-1.6.3-1' make[1]: Nothing to be done for 'build'. make[1]: Leaving directory '/home/actionmystique/src/Apr/apr-1.6.3-1' dh_testroot -O-Bdebian/build -O--parallel dh_prep -O-Bdebian/build -O--parallel dh_installdirs -O-Bdebian/build -O--parallel debian/rules override_dh_auto_install make[1]: Entering directory '/home/actionmystique/src/Apr/apr-1.6.3-1' dh_auto_install --destdir=debian/tmp perl -p -i -e "s,^dependency_libs=.*,dependency_libs=''," debian/tmp/usr/lib/x86_64-linux-gnu/libapr-1.la Can't open debian/tmp/usr/lib/x86_64-linux-gnu/libapr-1.la: No such file or directory. # Remove hostname to make build reproducible perl -p -i -e 's/Libtool was configured on host.*//' debian/tmp/usr/share/apr-1.0/build/libtool Can't open debian/tmp/usr/share/apr-1.0/build/libtool: No such file or directory. if ! 
head -n 1 debian/tmp/usr/share/apr-1.0/build/libtool | grep -q /bin/bash ; then \ echo ERROR: The built libtool uses /bin/sh instead of /bin/bash ; \ exit 1 ; \ fi head: cannot open 'debian/tmp/usr/share/apr-1.0/build/libtool' for reading: No such file or directory ERROR: The built libtool uses /bin/sh instead of /bin/bash debian/rules:139: recipe for target 'override_dh_auto_install' failed make[1]: *** [override_dh_auto_install] Error 1 make[1]: Leaving directory '/home/actionmystique/src/Apr/apr-1.6.3-1' debian/rules:18: recipe for target 'binary' failed make: *** [binary] Error 2 dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned exit status 2 -- Jean-Christophe Manciot --- End Message --- --- Begin Message --- version: 1.6.3-2 It seems this was the same bug as [1] and has been fixed in 1.6.3-2 [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888593--- End Message ---
Processed: raising severity of GCC 8 issues (https://lists.debian.org/debian-devel/2018/07/msg00252.html)
Bug#898563: marked as done (apache2: htcacheclean init script does not read /etc/default/apache-htcacheclean)
Your message dated Mon, 02 Jul 2018 16:47:10 + with message-id and subject line Bug#898563: fixed in apache2 2.4.25-3+deb9u5 has caused the Debian Bug report #898563, regarding apache2: htcacheclean init script does not read /etc/default/apache-htcacheclean to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 898563: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898563 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: apache2 Version: 2.4.25-3+deb9u4 Severity: normal While /etc/init.d/apache-htcacheclean contains this comment # Default values. Edit /etc/default/apache-htcacheclean$DIR_SUFFIX to # change these it does not actually read that file. This has been fixed in sid in 2.4.27-4 . --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.25-3+deb9u5 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 898...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. 
Stefan Fritsch (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 02 Jun 2018 10:01:13 +0200 Source: apache2 Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg Architecture: source amd64 all Version: 2.4.25-3+deb9u5 Distribution: stretch Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Stefan Fritsch Description: apache2- Apache HTTP Server apache2-bin - Apache HTTP Server (modules and other binary files) apache2-data - Apache HTTP Server (common files) apache2-dbg - Apache debugging symbols apache2-dev - Apache HTTP Server (development headers) apache2-doc - Apache HTTP Server (on-site documentation) apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers) apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec apache2-utils - Apache HTTP Server (utility programs for web servers) Closes: 850947 873945 897218 898563 Changes: apache2 (2.4.25-3+deb9u5) stretch; urgency=medium . * Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This fixes - CVE-2018-1302: mod_http2: Potential crash w/ mod_http2 - Segfaults in mod_http2 (Closes: #873945) - mod_http2 issue with option "Indexes" and directive "HeaderName" (Closes: #850947) Unfortunately, this also removes support for http2 when running on mpm_prefork. * mod_http2: Avoid high memory usage with large files, causing crashes on 32bit archs. Closes: #897218 * Make the apache-htcacheclean init script actually look into /etc/default/apache-htcacheclean for its config. 
Closes: #898563
Bug#897218: marked as done (apache2: mod_http2 (32-bit, i386) segmentation fault while delivering large (2+ GiB) file)
Your message dated Mon, 02 Jul 2018 16:47:10 + with message-id and subject line Bug#897218: fixed in apache2 2.4.25-3+deb9u5 has caused the Debian Bug report #897218, regarding apache2: mod_http2 (32-bit, i386) segmentation fault while delivering large (2+ GiB) file to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
897218: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897218
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: apache2
Version: 2.4.25-3+deb9u4
Severity: normal
Tags: patch upstream

While downloading a large (2200 MiB) file via HTTP/2.0, apache2 2.4.33 (Debian unstable) reproducibly segfaults after delivering ~89% (1975 MiB) on 32-bit i386. apache2 2.4.25-3+deb9u4 (Debian stable) exhibits a slightly different failure mode, which is however assumed to originate in the same upstream bug.

Steps to reproduce:

- Install Debian unstable i386 in the "webserver" configuration, which installs apache2 2.4.33. Install curl. (Firefox or Chrome works as well.)
- Enable SSL:
  * a2enmod ssl
  * a2ensite default-ssl
- Enable HTTP/2.0:
  * echo 'Protocols h2 h2c http/1.1' > /etc/apache2/mods-available/http2.conf
  * a2enmod http2
- Restart Apache: systemctl restart apache2
- Create test file in /var/www/html:
  * dd if=/dev/zero of=/var/www/html/2200Mfile bs=1M count=2200
- Download the test file via curl (--http2 is redundant because curl uses HTTP/2.0 anyways if it's available; --insecure is necessary because the above steps do not install a proper SSL cert):
  * curl --http2 --insecure -o /dev/null https://localhost/2200Mfile
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
     89 2200M   89 1975M    0     0  22.2M      0  0:01:38  0:01:28  0:00:10 25.8M
    curl: (56) Unexpected EOF
- Apache's error.log:
    [Wed Apr 25 11:17:05.749002 2018] [core:notice] [pid 398:tid 3082986688] AH00052: child pid 646 exit signal Segmentation fault (11)

Side note: On 64-bit, everything works as expected. This seems to be a 32-bit related bug.

This bug has been reported upstream, where Stefan Eissing already landed a fix in apache2 trunk and suggested a backport to apache2 2.4.x: https://bz.apache.org/bugzilla/show_bug.cgi?id=62325

-- Package-specific info:

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-6-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.25-3+deb9u4
ii  apache2-data         2.4.25-3+deb9u4
ii  apache2-utils        2.4.25-3+deb9u4
ii  dpkg                 1.18.24
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
ii  mime-support         3.60
ii  perl                 5.24.1-3+deb9u3
ii  procps               2:3.3.12-3

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
ii  apache2-doc                                      2.4.25-3+deb9u4
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  lynx [www-browser]                               2.8.9dev11-1
ii  w3m [www-browser]                                0.5.3-34+deb9u1

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-5
ii  libaprutil1              1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap         1.5.4-3
ii  libc6                    2.24-11+deb9u3
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u1
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.18.1-1
ii  libpcre3                 2:8.39-3
ii  libssl1.0.2              1.0.2l-2+deb9u3
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u3
ii  zlib1g                   1:1.2.8.dfsg-5

Versions of packages apache2-bin suggests:
ii  apache2-doc                                      2.4.25-3+deb9u4
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  lynx [www-browser]                               2.8.9dev11-1
ii  w3m [www-browser]                                0.5.3-34+deb9u1

Versions of packages apache2 is related to:
ii  apache2      2.4.25-3+deb9u4
ii  apache2-bin  2.4.25-3+deb9u4

-- Configuration Files:
/etc/apache2/apache2.conf changed [not included]
/etc/apache2/conf-available/security
Bug#850947: marked as done (apache2: mod_http2 issue with option "Indexes" and directive "HeaderName")
Your message dated Mon, 02 Jul 2018 16:47:10 + with message-id and subject line Bug#850947: fixed in apache2 2.4.25-3+deb9u5 has caused the Debian Bug report #850947, regarding apache2: mod_http2 issue with option "Indexes" and directive "HeaderName" to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 850947: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850947 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: apache2 Version: 2.4.25-1 Severity: normal Dear Maintainer, please read the issue from https://github.com/icing/mod_h2/issues/126 which also affects the version below. Thanks. 
-- Package-specific info: -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-042stab120.5 (SMP w/4 CPU cores) Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to de_DE@euro) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages apache2 depends on: ii apache2-bin 2.4.25-1 ii apache2-data 2.4.25-1 ii apache2-utils2.4.25-1 ii dpkg 1.18.18 ii init-system-helpers 1.46 ii lsb-base 9.20161125 ii mime-support 3.60 ii perl 5.24.1~rc4-1 pn perl:any ii procps 2:3.3.12-3 Versions of packages apache2 recommends: ii ssl-cert 1.0.38 Versions of packages apache2 suggests: ii apache2-doc 2.4.25-1 pn apache2-suexec-pristine | apache2-suexec-custom ii lynx [www-browser] 2.8.9dev11-1 Versions of packages apache2-bin depends on: ii libapr1 1.5.2-5 ii libaprutil1 1.5.4-3 ii libaprutil1-dbd-sqlite3 1.5.4-3 ii libaprutil1-ldap 1.5.4-3 ii libc62.24-8 ii libldap-2.4-22.4.44+dfsg-2 ii liblua5.2-0 5.2.4-1.1+b1 ii libnghttp2-141.17.0-1 ii libpcre3 2:8.39-2 ii libssl1.0.2 1.0.2j-4 ii libxml2 2.9.4+dfsg1-2.1 pn perl:any ii zlib1g 1:1.2.8.dfsg-4 Versions of packages apache2-bin suggests: ii apache2-doc 2.4.25-1 pn apache2-suexec-pristine | apache2-suexec-custom ii lynx [www-browser] 2.8.9dev11-1 Versions of packages apache2 is related to: ii apache2 2.4.25-1 ii apache2-bin 2.4.25-1 -- Configuration Files: /etc/apache2/apache2.conf changed [not included] /etc/apache2/conf-available/other-vhosts-access-log.conf changed [not included] /etc/apache2/conf-available/security.conf changed [not included] /etc/apache2/magic changed [not included] /etc/apache2/mods-available/alias.conf changed [not included] /etc/apache2/mods-available/autoindex.conf changed [not included] /etc/apache2/mods-available/deflate.conf changed [not included] /etc/apache2/mods-available/dir.conf changed [not included] 
/etc/apache2/mods-available/info.conf changed [not included] /etc/apache2/mods-available/ldap.conf changed [not included] /etc/apache2/mods-available/mime.conf changed [not included] /etc/apache2/mods-available/negotiation.conf changed [not included] /etc/apache2/mods-available/proxy.conf changed [not included] /etc/apache2/mods-available/setenvif.conf changed [not included] /etc/apache2/mods-available/ssl.conf changed [not included] /etc/apache2/mods-available/status.conf changed [not included] /etc/apache2/mods-available/userdir.conf changed [not included] /etc/apache2/ports.conf changed [not included] /etc/apache2/sites-available/000-default.conf changed [not included] /etc/apache2/sites-available/default-ssl.conf changed [not included] /etc/cron.daily/apache2 changed [not included] /etc/logrotate.d/apache2 changed [not included] -- no debconf information --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.25-3+deb9u5 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 850...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Stefan Fritsch (supplier of updated apache2 package) (This message was gen
Bug#894785: marked as done (apache2: File conflict with libapache2-mod-proxy-uwsgi)
Your message dated Tue, 15 May 2018 10:00:17 + with message-id <e1fiwkj-0009ki...@fasolo.debian.org> and subject line Bug#894785: fixed in uwsgi 2.0.15-11 has caused the Debian Bug report #894785, regarding apache2: File conflict with libapache2-mod-proxy-uwsgi to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 894785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894785 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: apache2 Version: 2.4.33-1 Severity: important Dear Maintainer, 2.4.30 introduced the mod_proxy_uwsgi, which is currently also available from the uwsgi source package (libapache2-mod-proxy-uwsgi). Packaging should probably reflect that mod_proxy_uwsgi is now provided directly through apache2 packages. Preparing to unpack .../apache2_2.4.33-1_amd64.deb ... Unpacking apache2 (2.4.33-1) over (2.4.29-2) ... dpkg: error processing archive /var/cache/apt/archives/apache2_2.4.33-1_amd64.deb (--unpack): trying to overwrite '/etc/apache2/mods-available/proxy_uwsgi.load', which is also in package libapache2-mod-proxy-uwsgi 2.0.15-10.4 dpkg-deb: error: paste subprocess was killed by signal (Broken pipe) Preparing to unpack .../apache2-bin_2.4.33-1_amd64.deb ... Unpacking apache2-bin (2.4.33-1) over (2.4.29-2) ... 
dpkg: error processing archive /var/cache/apt/archives/apache2-bin_2.4.33-1_amd64.deb (--unpack): trying to overwrite '/usr/lib/apache2/modules/mod_proxy_uwsgi.so', which is also in package libapache2-mod-proxy-uwsgi 2.0.15-10.4 dpkg-deb: error: paste subprocess was killed by signal (Broken pipe) Errors were encountered while processing: /var/cache/apt/archives/apache2_2.4.33-1_amd64.deb /var/cache/apt/archives/apache2-bin_2.4.33-1_amd64.deb -- Package-specific info: -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_DK.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages apache2 depends on: ii apache2-bin2.4.29-2 iu apache2-data 2.4.33-1 iu apache2-utils 2.4.33-1 ii dpkg 1.19.0.5 ii lsb-base 9.20170808 it mime-support 3.60 ii perl 5.26.1-5 ii procps 2:3.3.12-4 Versions of packages apache2 recommends: ii ssl-cert 1.0.39 Versions of packages apache2 suggests: pn apache2-doc pn apache2-suexec-pristine | apache2-suexec-custom ii w3m [www-browser]0.5.3-36 Versions of packages apache2-bin depends on: ii libapr1 1.6.3-2 ii libaprutil1 1.6.1-2 ii libaprutil1-dbd-sqlite3 1.6.1-2 ii libaprutil1-ldap 1.6.1-2 ii libbrotli1 1.0.3-1 ii libc62.27-3 ii libldap-2.4-22.4.45+dfsg-1 ii liblua5.2-0 5.2.4-1.1+b2 ii libnghttp2-141.31.0-1 ii libpcre3 2:8.39-9 ii libssl1.11.1.0h-2 ii libxml2 2.9.4+dfsg1-6.1 ii perl 5.26.1-5 ii zlib1g 1:1.2.8.dfsg-5 Versions of packages apache2-bin suggests: pn apache2-doc pn apache2-suexec-pristine | apache2-suexec-custom ii w3m [www-browser]0.5.3-36 Versions of packages apache2 is related to: ii apache2 2.4.29-2 ii apache2-bin 2.4.29-2 -- Configuration Files: /etc/apache2/mods-available/mpm_prefork.conf changed [not included] 
/etc/apache2/mods-available/ssl.conf changed [not included] /etc/apache2/mods-available/status.conf changed [not included] /etc/apache2/ports.conf changed [not included] /etc/apache2/sites-available/000-default.conf changed [not included] -- no debconf information --- End Message --- --- Begin Message --- Source: uwsgi Source-Version: 2.0.15-11 We believe that the bug you reported is fixed in the latest version of uwsgi, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 894...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thomas Goirand <z...@debian.org> (supplier of updated uwsgi package) (
Bug#897218: marked as done (apache2: mod_http2 (32-bit, i386) segmentation fault while delivering large (2+ GiB) file)
Your message dated Sat, 05 May 2018 10:04:56 + with message-id <e1feu3k-000e1r...@fasolo.debian.org> and subject line Bug#897218: fixed in apache2 2.4.33-3 has caused the Debian Bug report #897218, regarding apache2: mod_http2 (32-bit, i386) segmentation fault while delivering large (2+ GiB) file to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
897218: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897218
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: apache2
Version: 2.4.25-3+deb9u4
Severity: normal
Tags: patch upstream

While downloading a large (2200 MiB) file via HTTP/2.0, apache2 2.4.33 (Debian unstable) reproducibly segfaults after delivering ~89% (1975 MiB) on 32-bit i386. apache2 2.4.25-3+deb9u4 (Debian stable) exhibits a slightly different failure mode, which is however assumed to originate in the same upstream bug.

Steps to reproduce:

- Install Debian unstable i386 in the "webserver" configuration, which installs apache2 2.4.33. Install curl. (Firefox or Chrome works as well.)
- Enable SSL:
  * a2enmod ssl
  * a2ensite default-ssl
- Enable HTTP/2.0:
  * echo 'Protocols h2 h2c http/1.1' > /etc/apache2/mods-available/http2.conf
  * a2enmod http2
- Restart Apache: systemctl restart apache2
- Create test file in /var/www/html:
  * dd if=/dev/zero of=/var/www/html/2200Mfile bs=1M count=2200
- Download the test file via curl (--http2 is redundant because curl uses HTTP/2.0 anyways if it's available; --insecure is necessary because the above steps do not install a proper SSL cert):
  * curl --http2 --insecure -o /dev/null https://localhost/2200Mfile
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
     89 2200M   89 1975M    0     0  22.2M      0  0:01:38  0:01:28  0:00:10 25.8M
    curl: (56) Unexpected EOF
- Apache's error.log:
    [Wed Apr 25 11:17:05.749002 2018] [core:notice] [pid 398:tid 3082986688] AH00052: child pid 646 exit signal Segmentation fault (11)

Side note: On 64-bit, everything works as expected. This seems to be a 32-bit related bug.

This bug has been reported upstream, where Stefan Eissing already landed a fix in apache2 trunk and suggested a backport to apache2 2.4.x: https://bz.apache.org/bugzilla/show_bug.cgi?id=62325

-- Package-specific info:

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-6-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.25-3+deb9u4
ii  apache2-data         2.4.25-3+deb9u4
ii  apache2-utils        2.4.25-3+deb9u4
ii  dpkg                 1.18.24
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
ii  mime-support         3.60
ii  perl                 5.24.1-3+deb9u3
ii  procps               2:3.3.12-3

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
ii  apache2-doc                                      2.4.25-3+deb9u4
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  lynx [www-browser]                               2.8.9dev11-1
ii  w3m [www-browser]                                0.5.3-34+deb9u1

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-5
ii  libaprutil1              1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap         1.5.4-3
ii  libc6                    2.24-11+deb9u3
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u1
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.18.1-1
ii  libpcre3                 2:8.39-3
ii  libssl1.0.2              1.0.2l-2+deb9u3
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u3
ii  zlib1g                   1:1.2.8.dfsg-5

Versions of packages apache2-bin suggests:
ii  apache2-doc                                      2.4.25-3+deb9u4
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  lynx [www-browser]                               2.8.9dev11-1
ii  w3m [www-browser]                                0.5.3-34+deb9u1

Versions of packages apache2 is related to:
ii  apache2      2.4.25-3+deb9u4
ii  apache2-bin  2.4.25-3+deb9u4

-- Configuration Files:
/etc/apache2/apache2.conf changed [not included
Bug#894785: marked as done (apache2: File conflict with libapache2-mod-proxy-uwsgi)
Your message dated Sat, 05 May 2018 10:04:56 + with message-id <e1feu3k-000e1l...@fasolo.debian.org> and subject line Bug#894785: fixed in apache2 2.4.33-3 has caused the Debian Bug report #894785, regarding apache2: File conflict with libapache2-mod-proxy-uwsgi to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
894785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894785
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: apache2
Version: 2.4.33-1
Severity: important

Dear Maintainer,

2.4.30 introduced the mod_proxy_uwsgi, which is currently also available from the uwsgi source package (libapache2-mod-proxy-uwsgi). Packaging should probably reflect that mod_proxy_uwsgi is now provided directly through apache2 packages.

Preparing to unpack .../apache2_2.4.33-1_amd64.deb ...
Unpacking apache2 (2.4.33-1) over (2.4.29-2) ...
dpkg: error processing archive /var/cache/apt/archives/apache2_2.4.33-1_amd64.deb (--unpack):
 trying to overwrite '/etc/apache2/mods-available/proxy_uwsgi.load', which is also in package libapache2-mod-proxy-uwsgi 2.0.15-10.4
dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
Preparing to unpack .../apache2-bin_2.4.33-1_amd64.deb ...
Unpacking apache2-bin (2.4.33-1) over (2.4.29-2) ...
dpkg: error processing archive /var/cache/apt/archives/apache2-bin_2.4.33-1_amd64.deb (--unpack):
 trying to overwrite '/usr/lib/apache2/modules/mod_proxy_uwsgi.so', which is also in package libapache2-mod-proxy-uwsgi 2.0.15-10.4
dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
Errors were encountered while processing:
 /var/cache/apt/archives/apache2_2.4.33-1_amd64.deb
 /var/cache/apt/archives/apache2-bin_2.4.33-1_amd64.deb

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.29-2
iu  apache2-data   2.4.33-1
iu  apache2-utils  2.4.33-1
ii  dpkg           1.19.0.5
ii  lsb-base       9.20170808
it  mime-support   3.60
ii  perl           5.26.1-5
ii  procps         2:3.3.12-4

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  w3m [www-browser]  0.5.3-36

Versions of packages apache2-bin depends on:
ii  libapr1                  1.6.3-2
ii  libaprutil1              1.6.1-2
ii  libaprutil1-dbd-sqlite3  1.6.1-2
ii  libaprutil1-ldap         1.6.1-2
ii  libbrotli1               1.0.3-1
ii  libc6                    2.27-3
ii  libldap-2.4-2            2.4.45+dfsg-1
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.31.0-1
ii  libpcre3                 2:8.39-9
ii  libssl1.1                1.1.0h-2
ii  libxml2                  2.9.4+dfsg1-6.1
ii  perl                     5.26.1-5
ii  zlib1g                   1:1.2.8.dfsg-5

Versions of packages apache2-bin suggests:
pn  apache2-doc
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  w3m [www-browser]  0.5.3-36

Versions of packages apache2 is related to:
ii  apache2      2.4.29-2
ii  apache2-bin  2.4.29-2

-- Configuration Files:
/etc/apache2/mods-available/mpm_prefork.conf changed [not included]
/etc/apache2/mods-available/ssl.conf changed [not included]
/etc/apache2/mods-available/status.conf changed [not included]
/etc/apache2/ports.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]

-- no debconf information
--- End Message ---

--- Begin Message ---
Source: apache2
Source-Version: 2.4.33-3

We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 894...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <s...@debian.org> (supplier of updated apa