Bug#1068412: marked as done (apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709)

[Debian Bug Tracking System]

Your message dated Sun, 05 May 2024 19:17:41 +
with message-id 
and subject line Bug#1068412: fixed in apache2 2.4.59-1~deb11u1
has caused the Debian Bug report #1068412,
regarding apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1068412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068412
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2024-27316[0]:
https://www.kb.cert.org/vuls/id/421644
https://www.openwall.com/lists/oss-security/2024/04/04/4

CVE-2024-24795[1]:
https://www.openwall.com/lists/oss-security/2024/04/04/5

CVE-2023-38709[2]:
https://www.openwall.com/lists/oss-security/2024/04/04/3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27316
https://www.cve.org/CVERecord?id=CVE-2024-27316
[1] https://security-tracker.debian.org/tracker/CVE-2024-24795
https://www.cve.org/CVERecord?id=CVE-2024-24795
[2] https://security-tracker.debian.org/tracker/CVE-2023-38709
https://www.cve.org/CVERecord?id=CVE-2023-38709

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.59-1~deb11u1
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 05 Apr 2024 16:08:04 +0400
Source: apache2
Binary: apache2 apache2-bin apache2-bin-dbgsym apache2-data apache2-dev 
apache2-doc apache2-ssl-dev apache2-suexec-custom apache2-suexec-custom-dbgsym 
apache2-suexec-pristine apache2-suexec-pristine-dbgsym apache2-utils 
apache2-utils-dbgsym libapache2-mod-md libapache2-mod-proxy-uwsgi
Architecture: source amd64 all
Version: 2.4.59-1~deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Description:
 apache2- Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for 
mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for 
mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
 libapache2-mod-md - transitional package
 libapache2-mod-proxy-uwsgi - transitional package
Closes: 1068412
Changes:
 apache2 (2.4.59-1~deb11u1) bullseye-security; urgency=medium
 .
   * New upstream version 2.4.58
 (Closes: CVE-2023-31122, CVE-2023-43622, CVE-2023-45802)
   * Drop 2.4.56-regression patches
   * New upstream version 2.4.59
 (Closes: #1068412 CVE-2024-27316 CVE-2024-24795 CVE-2023-38709)
   * Install NOTICE files
   * Update test framework
   * Refresh patches
Checksums-Sha1:
 b0c553ee2f9076ab255d36f6f77a4155e8f5180d 3539 apache2_2.4.59-1~deb11u1.dsc
 7a118baaed0f2131e482f93f5057038ca6c021be 9843252 apache2_2.4.59.orig.tar.gz
 837cdf46898d962c4c05642745566249fc91e52b 833 apache2_2.4.59.orig.tar.gz.asc
 8d3d9c0ec949faa3683bc395b0955584347323a6 895172 
apache2_2.4.59-1~deb11u1.debian.tar.xz
 651b4de4722fb3cf7331e0df7147738b7015bf89 3308712 
apache2-bin-dbgsym_2.4.59-1~deb11u1_amd64.deb
 46176b8ad83ca0e991d575f498d67871b2c2e1d6 1447660 
apache2-bin_2.4.59-1~deb11u1_amd64.deb
 2cd7eef5039ed029710efc9edb1c8b8d3822381b 160212 
apache2-data_2.4.59-1~deb11u1_all.deb
 7ae879f3f9fd07d0b0faff14e40af9d955e11a3d 374820 
apache2-dev_2.4.59-1~deb11u1_amd64

Bug#1068412: marked as done (apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709)

[Debian Bug Tracking System]

Your message dated Sun, 05 May 2024 18:47:10 +
with message-id 
and subject line Bug#1068412: fixed in apache2 2.4.59-1~deb12u1
has caused the Debian Bug report #1068412,
regarding apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1068412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068412
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2024-27316[0]:
https://www.kb.cert.org/vuls/id/421644
https://www.openwall.com/lists/oss-security/2024/04/04/4

CVE-2024-24795[1]:
https://www.openwall.com/lists/oss-security/2024/04/04/5

CVE-2023-38709[2]:
https://www.openwall.com/lists/oss-security/2024/04/04/3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27316
https://www.cve.org/CVERecord?id=CVE-2024-27316
[1] https://security-tracker.debian.org/tracker/CVE-2024-24795
https://www.cve.org/CVERecord?id=CVE-2024-24795
[2] https://security-tracker.debian.org/tracker/CVE-2023-38709
https://www.cve.org/CVERecord?id=CVE-2023-38709

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.59-1~deb12u1
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 05 Apr 2024 16:02:26 +0400
Source: apache2
Binary: apache2 apache2-bin apache2-bin-dbgsym apache2-data apache2-dev 
apache2-doc apache2-ssl-dev apache2-suexec-custom apache2-suexec-custom-dbgsym 
apache2-suexec-pristine apache2-suexec-pristine-dbgsym apache2-utils 
apache2-utils-dbgsym libapache2-mod-md libapache2-mod-proxy-uwsgi
Architecture: source amd64 all
Version: 2.4.59-1~deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Description:
 apache2- Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for 
mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for 
mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
 libapache2-mod-md - transitional package
 libapache2-mod-proxy-uwsgi - transitional package
Closes: 1068412
Changes:
 apache2 (2.4.59-1~deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version 2.4.58
 (Closes: CVE-2023-31122, CVE-2023-43622, CVE-2023-45802)
   * New upstream version 2.4.59
 (Closes: #1068412 CVE-2024-27316 CVE-2024-24795 CVE-2023-38709)
   * Refresh patches
   * Update test framework
Checksums-Sha1:
 0ff1bbe49e7266429e3ea5f8df651776b961902e 3520 apache2_2.4.59-1~deb12u1.dsc
 7a118baaed0f2131e482f93f5057038ca6c021be 9843252 apache2_2.4.59.orig.tar.gz
 837cdf46898d962c4c05642745566249fc91e52b 833 apache2_2.4.59.orig.tar.gz.asc
 59cd2b140a3e313345acb675f4792a63ecad7403 820804 
apache2_2.4.59-1~deb12u1.debian.tar.xz
 d854f4e07f350cf3b067caf1ed78edbde3c76031 3734744 
apache2-bin-dbgsym_2.4.59-1~deb12u1_amd64.deb
 f6a264c3f91353e88233eaec66f997d86be150ad 1379912 
apache2-bin_2.4.59-1~deb12u1_amd64.deb
 16d3d3d8aa25fea0c7755efc8b9685e70cc70b21 160264 
apache2-data_2.4.59-1~deb12u1_all.deb
 5b643339c2a9ec14872873e41772a91f73031c3d 312108 
apache2-dev_2.4.59-1~deb12u1_amd64.deb
 4ec40752b1f22964802957e6a59187ec7dce83ea 4022328 
apache2-doc_2.4.

Processed: affects 1069748

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> affects 1069748 + release.debian.org,security.debian.org
Bug #1069748 [apache2] mod_ssl: warning about compilation against OpenSSL 
3.0.13 instead of 3.0.11 on bookworm
Added indication that 1069748 affects release.debian.org and security.debian.org
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1069748: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069748
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: dh_apache2: please output reproducible module package pre/post scripts.

[Debian Bug Tracking System]

Processing control commands:

> affects -1 mod-mono
Bug #1069907 [apache2-dev] dh_apache2: please output reproducible module 
package pre/post scripts.
Added indication that 1069907 affects mod-mono

-- 
1069907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069907
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1068412: marked as done (apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709)

[Debian Bug Tracking System]

Your message dated Fri, 5 Apr 2024 21:00:46 +0200
with message-id 
and subject line [ftpmas...@ftp-master.debian.org: Accepted apache2 2.4.59-1 
(source) into unstable]
has caused the Debian Bug report #1068412,
regarding apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1068412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068412
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2024-27316[0]:
https://www.kb.cert.org/vuls/id/421644
https://www.openwall.com/lists/oss-security/2024/04/04/4

CVE-2024-24795[1]:
https://www.openwall.com/lists/oss-security/2024/04/04/5

CVE-2023-38709[2]:
https://www.openwall.com/lists/oss-security/2024/04/04/3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27316
https://www.cve.org/CVERecord?id=CVE-2024-27316
[1] https://security-tracker.debian.org/tracker/CVE-2024-24795
https://www.cve.org/CVERecord?id=CVE-2024-24795
[2] https://security-tracker.debian.org/tracker/CVE-2023-38709
https://www.cve.org/CVERecord?id=CVE-2023-38709

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.59-1

- Forwarded message from Debian FTP Masters 
 -

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 05 Apr 2024 08:08:11 +0400
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.59-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1032628 1054564
Changes:
 apache2 (2.4.59-1) unstable; urgency=medium
 .
   [ Stefan Fritsch ]
   * Remove old transitional packages libapache2-mod-md and
 libapache2-mod-proxy-uwsgi. Closes: #1032628
 .
   [ Yadd ]
   * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564)
   * Refresh patches
   * New upstream version 2.4.59
   * Refresh patches
   * Update patches
   * Update test framework
Checksums-Sha1: 
 f1cf18103ca23c57beaa2985bbbe4eee1e8dff87 3334 apache2_2.4.59-1.dsc
 7a118baaed0f2131e482f93f5057038ca6c021be 9843252 apache2_2.4.59.orig.tar.gz
 837cdf46898d962c4c05642745566249fc91e52b 833 apache2_2.4.59.orig.tar.gz.asc
 3e1cad5ee1fc66d350465c1e81d7e0f88221bc01 820300 apache2_2.4.59-1.debian.tar.xz
Checksums-Sha256: 
 25e6990e65cb685f3172143648806ab0fd263a18cd412155f0d14d7ef9987428 3334 
apache2_2.4.59-1.dsc
 e4ec4ce12c6c8f5a794dc2263d126cb1d6ef667f034c4678ec945d61286e8b0f 9843252 
apache2_2.4.59.orig.tar.gz
 0ad3f670b944ebf08c81544bc82fae9496e88d96840cd0612d8cdeaa073eb06d 833 
apache2_2.4.59.orig.tar.gz.asc
 1e869a5024215a2a9b69603daf1395840774640f7b2701ca4b7971452a0641d1 820300 
apache2_2.4.59-1.debian.tar.xz
Files: 
 3f3ee286b583f22ec5cb3efc1f0a5016 3334 httpd optional apache2_2.4.59-1.dsc
 c39d28e0777bc95631cb49958fdb6601 9843252 httpd optional 
apache2_2.4.59.orig.tar.gz
 3c342b3dcc0fe227a1fffdf9997987d0 833 httpd optional 
apache2_2.4.59.orig.tar.gz.asc
 4da024370ede9c5a75a0df725be0cdc5 820300 httpd optional 
apache2_2.4.59-1.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmYPec8ACgkQ9tdMp8mZ
7umCiw//TB1rIA1czwHsUrdeOIT3HG9qERzBJsmsP8nyg+cIrytiGfhlt2eOmLYO
X+Wo19J98VuCmTbJClb6opAfSpvJG2AmNUl/PYAqOBzvDgR+QlEMmVXVgxUp9+Tv
0e0P2H+8U0pO3dE51VIXqYtCLTLQnLaci763ewB0oRlSWuzoVNDDahUS3iJ5e58o
btwUQQwq+2F+RBclRhuXca3dOI93UBZDsv56mxR+p2o0vpo+pQRZjHDv8tzT3bOq
/PyWusXKPDf9MXYZqwY2TgYx8v/YdDVYqzgr6Tj/VXgXEKC22pudzSv9/J5iGfHh
VHmf02Gh+0wNWmxajqK2KlxjMON/Qn6kyoAok9w5vv4HtOXBZimzdq0kDsc8EjJl
QuaBcwIAy+0EATBhjaVY7sHtM9SydJNr1f4DBBD9kEB2DKEE9n7/iFxcFfSMd52Y
xwJ4fPk1fe1ki7k/qn0VULpzf1iM3JDQE19uXyE29cSW4eJhiWvH1v+NZzzxNo+t
NtDhSIEEnUkGZSsYyg2qg5NH3e3PJMadc1nTRY6hVNzGpJlsUrCKnMOZbJsBQM6S
cNCY48ux8ziQmJNowvBVbXf6/+SH9h2+CYFRw9GZagaNe1yfErNglbn78KZqJUHw
YcXIFc96qeznRJ9zRhPdHGGeqa+nETH1lWBp6eitihkKhDjCF48=
=dQDE
-END PGP SIGNATURE-




- End forwarded message  End Message ---

Processed: found 1068412 in 2.4.57-2, found 1068412 in 2.4.56-1~deb11u2

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> found 1068412 2.4.57-2
Bug #1068412 [src:apache2] apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
Marked as found in versions apache2/2.4.57-2.
> found 1068412 2.4.56-1~deb11u2
Bug #1068412 [src:apache2] apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
Marked as found in versions apache2/2.4.56-1~deb11u2.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1068412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068412
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1054564: marked as done (apache2: mod_proxy_connect insecure default server-wide AllowCONNECT value)

[Debian Bug Tracking System]

Your message dated Fri, 05 Apr 2024 04:34:28 +
with message-id 
and subject line Bug#1054564: fixed in apache2 2.4.59-1
has caused the Debian Bug report #1054564,
regarding apache2: mod_proxy_connect insecure default server-wide AllowCONNECT 
value
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054564: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054564
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.56-1~deb11u2
Severity: normal
X-Debbugs-Cc: raphael.d...@gmail.com

Dear Maintainer,

# Context

For years, one of my SSL vhost (on :443) has been relying mod_proxy_http to 
(safely)
 forward some requests to a backend, acting as a reverse-proxy.
```
# Something like
ProxyRequests   On
SSLProxyEngine  On
RewriteRule ^/.well-known/.*$ "https://gitlab-foobar/%{REQUEST_URI}; [P,L]
```


Recently, I experienced the need to (safely) forward some requests (from 
another server I own)
 through this server (because of some network/geoblocking problem).
I enabled `mod_proxy_connect` and (safely) configured a forward-proxy on :80 
(using `Require valid-user / ip`).
```
# Something like
ProxyRequests On
Authtype Basic
AuthUserFile ...

p  Require valid-user
  Require ip ...

```


# Problem

While this :80 forward-proxy vhost was secure, I later discovered, that 
 the original (and almost forgotten) vhost had incidentally become an 
open-proxy (!)

The reasons are:
- mod_proxy_connect is globally enabled (affects all vhosts)
- AllowCONNECT defaults to "443 563" (affects all vhosts)


Said otherwise, *any* secure reverse-proxy vhost configuration become de-facto
 an insecure open forward-proxy vhost as soon as `mod_proxy_connect` is 
globally enabled.

This sounds contrary to best security practices.
(and I bet more than one server out there is silently affected by this 
insecure-by-default
configuration)


# Proposed solution

I suggest to add a server-wide `AllowCONNECT 0` directive inside
`/etc/apache2/mods-available/proxy_connect.load` (virtually disabling CONNECT)
so that individual vhosts relying on it would have to explicitely set the value 
at the vhost-level.

It would be more logical (scope/side-effects) and avoid holes being punched 
into existing
 (and otherwise secure) reverse-proxy vhosts.


# Additional notes
To cap it all my proxy-enabled vhost was the first one (lexicographically
speaking) making it the destination of all the random internet SSL traffic 
scanners.


Google-friendly list of typical log messages that should raise flags:
> AH00898: Connect to remote machine blocked returned by...
> AH00939: CONNECT: attempt to connect to ...:443 (...) failed
> AH10221: proxy: CONNECT: client flushing failed (-102)
> AH10221: proxy: CONNECT: origin flushing failed (-102)


-- Package-specific info:

-- System Information:
Debian Release: bullseye
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.2.0-35-generic (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin  2.4.56-1~deb11u2
ii  apache2-data 2.4.56-1~deb11u2
ii  apache2-utils2.4.56-1~deb11u2

Versions of packages apache2 recommends:
pn  ssl-cert  

Versions of packages apache2 suggests:
pn  apache2-doc   
pn  apache2-suexec-pristine | apache2-suexec  

Versions of packages apache2 is related to:
ii  apache2  2.4.56-1~deb11u2
ii  apache2-bin  2.4.56-1~deb11u2

-- Configuration Files:
/etc/apache2/apache2.conf changed [not included]

-- no debconf information

-- 
GPG id: 0xF41572CEBD4218F4
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.59-1
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archiv

Bug#1032628: marked as done (please drop transitional package libapache2-mod-proxy-uwsgi from src:apache2)

[Debian Bug Tracking System]

Your message dated Fri, 05 Apr 2024 04:34:28 +
with message-id 
and subject line Bug#1032628: fixed in apache2 2.4.59-1
has caused the Debian Bug report #1032628,
regarding please drop transitional package libapache2-mod-proxy-uwsgi from 
src:apache2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1032628: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032628
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapache2-mod-proxy-uwsgi
Version: 2.4.56-1
Severity: normal
user: qa.debian@packages.debian.org
usertags: transitional

Please drop the transitional package libapache2-mod-proxy-uwsgi (from the 
source package apache2) after the release of bookworm, it has been released 
with buster and bullseye already...


Description: transitional package
Package: libapache2-mod-proxy-uwsgi
Version: 2.4.38-3+deb10u8
Version: 2.4.54-1~deb11u1
Version: 2.4.56-1

Thanks for maintaining apache2!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Try to imagine a future where paying for your morning coffee involved smashing
an iPhone and burning enough fossil fuels to run your entire household for 60
days. That's the environmental cost of the "revolutionary" technology behind
Bitcoin in a nutshell. https://twitter.com/smdiehl/status/1350869944888664064


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.59-1
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 05 Apr 2024 08:08:11 +0400
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.59-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1032628 1054564
Changes:
 apache2 (2.4.59-1) unstable; urgency=medium
 .
   [ Stefan Fritsch ]
   * Remove old transitional packages libapache2-mod-md and
 libapache2-mod-proxy-uwsgi. Closes: #1032628
 .
   [ Yadd ]
   * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564)
   * Refresh patches
   * New upstream version 2.4.59
   * Refresh patches
   * Update patches
   * Update test framework
Checksums-Sha1: 
 f1cf18103ca23c57beaa2985bbbe4eee1e8dff87 3334 apache2_2.4.59-1.dsc
 7a118baaed0f2131e482f93f5057038ca6c021be 9843252 apache2_2.4.59.orig.tar.gz
 837cdf46898d962c4c05642745566249fc91e52b 833 apache2_2.4.59.orig.tar.gz.asc
 3e1cad5ee1fc66d350465c1e81d7e0f88221bc01 820300 apache2_2.4.59-1.debian.tar.xz
Checksums-Sha256: 
 25e6990e65cb685f3172143648806ab0fd263a18cd412155f0d14d7ef9987428 3334 
apache2_2.4.59-1.dsc
 e4ec4ce12c6c8f5a794dc2263d126cb1d6ef667f034c4678ec945d61286e8b0f 9843252 
apache2_2.4.59.orig.tar.gz
 0ad3f670b944ebf08c81544bc82fae9496e88d96840cd0612d8cdeaa073eb06d 833 
apache2_2.4.59.orig.tar.gz.asc
 1e869a5024215a2a9b69603daf1395840774640f7b2701ca4b7971452a0641d1 820300 
apache2_2.4.59-1.debian.tar.xz
Files: 
 3f3ee286b583f22ec5cb3efc1f0a5016 3334 httpd optional apache2_2.4.59-1.dsc
 c39d28e0777bc95631cb49958fdb6601 9843252 httpd optional 
apache2_2.4.59.orig.tar.gz
 3c342b3dcc0fe227a1fffdf9997987d0 833 httpd optional 
apache2_2.4.59.orig.tar.gz.asc
 4da024370ede9c5a75a0df725be0cdc5 820300 httpd optional 
apache2_2.4.59-1.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmYPec8ACgkQ9tdMp8mZ
7umCiw//TB1rIA1czwHsUrdeOIT3HG9qERzBJsmsP8nyg+cIrytiGfhlt2eOmLYO
X+Wo19J98VuCmTbJClb6opAfSpvJG2AmNUl/PYAqOBzvDgR+QlEMmVXVgxUp9+Tv
0e0P2H+8U0pO3dE51VIXqYtCLTLQnLaci763ewB0oRlSWuzoVNDDahUS3iJ5e58o
btwUQQwq+2F+RBclRhuXca3dOI93UBZDsv56mxR+p2o0vpo+pQRZjHDv8tzT3bOq
/PyWusXKPDf9MXYZqwY2TgYx8v/YdDVYqzgr6Tj/VXgXEKC22pudzSv9/J5iGfHh
VHmf02Gh+0wNWmxajqK2KlxjMON/Qn6kyoAok9w5vv4HtOXBZimzdq0kDsc8EjJl
QuaBcwIAy+0EATBhjaVY7sHtM9SydJNr1f4DBBD9k

Processed: tagging 1068412

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 1068412 + upstream
Bug #1068412 [src:apache2] apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
Added tag(s) upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1068412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068412
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: found 1068412 in 2.4.58-1

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> found 1068412 2.4.58-1
Bug #1068412 [src:apache2] apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
Marked as found in versions apache2/2.4.58-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1068412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068412
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: tagging 1032628

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 1032628 + pending
Bug #1032628 [libapache2-mod-proxy-uwsgi] please drop transitional package 
libapache2-mod-proxy-uwsgi from src:apache2
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1032628: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032628
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1031034: marked as done (apr: Missing LFS support triggers FTBFS on other packages)

[Debian Bug Tracking System]

Your message dated Tue, 19 Mar 2024 11:28:35 +0100
with message-id 
and subject line Re: Bug#1031034: apr: Missing LFS support triggers FTBFS on 
other packages
has caused the Debian Bug report #1031034,
regarding apr: Missing LFS support triggers FTBFS on other packages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1031034: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031034
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: apr
Tags: ftbfs, hppa, lfs
Version: 1.7.2-2

On 32-bit platforms it's necessary to compile programs and libraries
with Large File Support (LFS) in order to allow them to function correctly on
filesystems with > 2GB or 4GB size.
This can be solved by adding "-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" to
the CFLAGS variable when compiling.

apr is currently missing this LFS support and as such it triggers
build-from-source errors in other packages like "subversion" or "devscripts"
on such 32-bit platforms.

There are various possibilities how to add those two defines,
e.g. adding
DEB_BUILD_MAINT_OPTIONS = future=+lfs

or by manually adding the output of
getconf LFS_CFLAGS
to the CFLAGS variable. Please note, on 64-bit platforms the return value
will be empty which is correct as those flags are not needed on 64-bit arches.

Here is one suggested patch for apr from me:

diff -up ./debian/rules.org ./debian/rules
--- ./debian/rules.org  2023-02-10 16:20:07.911340588 +
+++ ./debian/rules  2023-02-10 15:54:17.992511554 +
@@ -11,6 +11,9 @@ DEB_HOST_ARCH_OS?= $(shell dpkg-arch
 DEB_HOST_ARCH_BITS  ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_BITS)
 DEB_HOST_MULTIARCH  ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)

+# Enable Large File Support (LFS) if necessary:  -D_LARGEFILE_SOURCE 
-D_FILE_OFFSET_BITS=64
+CFLAGS := $(shell dpkg-buildflags --get CFLAGS) $(shell getconf LFS_CFLAGS)
+
 # The 'build' target needs special handling because there there is a directory
 # named 'build'.
 .PHONY: build

Please apply this (or another patch) to allow apr to build with LFS support.

Thanks,
Helge
--- End Message ---
--- Begin Message ---

version: 1.7.2-3.2

Am 20.06.23 um 20:27 schrieb Stefan Fritsch:
It seems a large transition will be needed for 64bit time_t, anyway. And 
glibc enforces _FILE_OFFSET_BITS=64 if _TIME_BITS=64 is set. apr should 
do both transitions at the same time.


It seems there won't be a transition for i386 but the whole point of 
i386 is running old binaries.


https://wiki.debian.org/ReleaseGoals/64bit-time



This is fixed now as apr has been rebuilt with 64bit time_t, which 
implies 64 bit ino_t.--- End Message ---

Bug#1067035: marked as done (apache2-bin: rebuild for the 64-bit time_t migration is uninstallable)

[Debian Bug Tracking System]

Your message dated Mon, 18 Mar 2024 21:01:39 +0100
with message-id 
and subject line Re: Bug#1067035: apache2-bin: rebuild for the 64-bit time_t 
migration is uninstallable
has caused the Debian Bug report #1067035,
regarding apache2-bin: rebuild for the 64-bit time_t migration is uninstallable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1067035: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067035
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2-bin
Version: 2.4.58-1+b2
Severity: serious
Justification: uninstallable

Dear Maintainer,

Attempting to upgrade apache2-bin from rebuild 2.4.58-1+b1 to
the rebuild 2.4.58-1+b2 leads to the following error:

$ sudo apt upgrade apache2-bin
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 apache2-bin : Depends: libaprutil164 (>= 1.2.7+dfsg) but it is not 
installable
E: Broken packages

libaprutil164 (note the missing 't' for "t64") is not available
in unstable.  The dependency looks typoed and duplicated, as
libaprutil1t64 (>= 1.6.0) is also present as needed in the
Depends field,

Otherwise, have a nice Sunday,  :)
Étienne.


-- Package-specific info:

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.7.9-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2-bin depends on:
ii  libapr1t64 [libapr1]  1.7.2-3.2
ii  libaprutil1-dbd-sqlite3   1.6.3-1.1+b1
ii  libaprutil1-ldap  1.6.3-1.1+b1
ii  libaprutil1t64 [libaprutil1]  1.6.3-1.1+b1
ii  libbrotli11.1.0-2+b3
ii  libc6 2.37-15.1
ii  libcrypt1 1:4.4.36-4
ii  libcurl4t64 [libcurl4]8.6.0-4
ii  libjansson4   2.14-2+b2
ii  libldap-2.5-0 2.5.16+dfsg-2
ii  liblua5.3-0   5.3.6-2+b2
ii  libnghttp2-14 1.59.0-1+b1
ii  libpcre2-8-0  10.42-4+b1
ii  libssl3t64 [libssl3]  3.1.5-1.1
ii  libxml2   2.9.14+dfsg-1.3+b2
ii  perl  5.38.2-3.2
ii  zlib1g1:1.3.dfsg-3.1

apache2-bin recommends no packages.

Versions of packages apache2-bin suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  firefox-esr [www-browser]115.8.0esr-1+b1
ii  lynx [www-browser]   2.9.0rel.0-2+b1
ii  surf [www-browser]   2.1+git20221016-6+b1
ii  w3m [www-browser]0.5.3+git20230121-2+b3

Versions of packages apache2 depends on:
ii  apache2-data 2.4.58-1
ii  apache2-utils2.4.58-1+b1
ii  init-system-helpers  1.66
ii  media-types  10.1.0
ii  perl 5.38.2-3.2
ii  procps   2:4.0.4-4

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.2

Versions of packages apache2 suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  firefox-esr [www-browser]115.8.0esr-1+b1
ii  lynx [www-browser]   2.9.0rel.0-2+b1
ii  surf [www-browser]   2.1+git20221016-6+b1
ii  w3m [www-browser]0.5.3+git20230121-2+b3

Versions of packages apache2-bin is related to:
ii  apache2  2.4.58-1+b1
ii  apache2-bin  2.4.58-1+b1

-- no debconf information

-- 
  .''`.  Étienne Mollier 
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/4, please excuse my verbosity
   `-on air: Antony Kalugin - Key


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---

version: 1.6.3-2

Am 17.03.24 

Processed: tagging 1067035, tagging 1066821

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 1067035 + pending
Bug #1067035 [libaprutil1t64] apache2-bin: rebuild for the 64-bit time_t 
migration is uninstallable
Added tag(s) pending.
> tags 1066821 + pending
Bug #1066821 {Done: Stefan Fritsch } [src:apr-util] apr-util: 
FTBFS on arm{el,hf}: /bin/bash: line 3: 3132384 Segmentation fault  
LD_LIBRARY_PATH="`echo 
"../crypto/.libs:../dbm/.libs:../dbd/.libs:../ldap/.libs:$LD_LIBRARY_PATH" | 
sed -e 's/::*$//'`" ./$prog -v
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1066821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066821
1067035: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067035
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1066821: marked as done (apr-util: FTBFS on arm{el,hf}: /bin/bash: line 3: 3132384 Segmentation fault LD_LIBRARY_PATH="`echo "../crypto/.libs:../dbm/.libs:../dbd/.libs:../ldap/.libs:$LD_LIBRA

[Debian Bug Tracking System]

Your message dated Mon, 18 Mar 2024 19:49:13 +
with message-id 
and subject line Bug#1066821: fixed in apr-util 1.6.3-2
has caused the Debian Bug report #1066821,
regarding apr-util: FTBFS on arm{el,hf}: /bin/bash: line 3: 3132384 
Segmentation fault  LD_LIBRARY_PATH="`echo 
"../crypto/.libs:../dbm/.libs:../dbd/.libs:../ldap/.libs:$LD_LIBRARY_PATH" | 
sed -e 's/::*$//'`" ./$prog -v
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1066821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066821
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apr-util
Version: 1.6.3-1.1
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)
X-Debbugs-Cc: sramac...@debian.org

https://buildd.debian.org/status/fetch.php?pkg=apr-util=armhf=1.6.3-1.1=1709086833=0

testldap:  SUCCESS
testdbd :  SUCCESS
testdate:  SUCCESS
testmemcache:  Error 111 occurred attempting to reach memcached on 
localhost:11211.  Skipping apr_memcache tests...
SUCCESS
testredis   :  Error 111 occurred attempting to reach Redis on 
localhost:6379.  Skipping apr_redis tests...
SUCCESS
testxml :  SUCCESS
testxlate   :  SUCCESS
testrmm :  SUCCESS
testdbm :  BDB1565 DB->put: method not permitted before handle's 
open method
/bin/bash: line 3: 3132384 Segmentation fault  LD_LIBRARY_PATH="`echo 
"../crypto/.libs:../dbm/.libs:../dbd/.libs:../ldap/.libs:$LD_LIBRARY_PATH" | 
sed -e 's/::*$//'`" ./$prog -v
Programs failed: testall
make[2]: *** [Makefile:60: check] Error 139

Cheers
-- 
Sebastian Ramacher
--- End Message ---
--- Begin Message ---
Source: apr-util
Source-Version: 1.6.3-2
Done: Stefan Fritsch 

We believe that the bug you reported is fixed in the latest version of
apr-util, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1066...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch  (supplier of updated apr-util package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 18 Mar 2024 20:21:56 +0100
Source: apr-util
Architecture: source
Version: 1.6.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Stefan Fritsch 
Closes: 1066821
Changes:
 apr-util (1.6.3-2) unstable; urgency=medium
 .
   * Incorporate NMU. Thanks to all the 64-bit time_t transition
 people.
   * Bump libapr1-dev Build-Dep to 1.7.2-3.2. Hopefully
 closes: #1066821
   * Add more 64-bit time_t patches from Simon McVittie. Thanks.
 Closes: #1066821
Checksums-Sha1:
 e54da49c48a25eaa47c11c1649122dde4996948d 2790 apr-util_1.6.3-2.dsc
 0a3ba0d15d92ea2a6b4743fa84bcdfcbb9dfb0ac 341028 apr-util_1.6.3-2.debian.tar.xz
 8e751c5f1abc1d5eeb09c253c51e5eca51d74d0d 8920 apr-util_1.6.3-2_source.buildinfo
Checksums-Sha256:
 ec0980c33c48706d28ee3894c543f2f2fe4a6e0f4b7b233f6448205934b2079f 2790 
apr-util_1.6.3-2.dsc
 5dd4abc7e74af270900b953523ee50ebc44bb794fba64a08111f3c1ac9942fb4 341028 
apr-util_1.6.3-2.debian.tar.xz
 0060c54212516ee4f898e3dceff0c339586f6a10f645866b91e28f732a9f1914 8920 
apr-util_1.6.3-2_source.buildinfo
Files:
 2bd4a9312509ac42206b46bbbc4d60ff 2790 libs optional apr-util_1.6.3-2.dsc
 132c383916b36665b64db1820a859540 341028 libs optional 
apr-util_1.6.3-2.debian.tar.xz
 ef4a4a49dd973d32bcce3d1e9f688cbd 8920 libs optional 
apr-util_1.6.3-2_source.buildinfo

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEOpiNza8JqByyYYsxxodfNUHO/eAFAmX4lSIACgkQxodfNUHO
/eBDZA//Qc15ucwrvI0uXk3SqY/sywk0Jac/wGxx5nUrnM1gYoU1jK1JIsJ5ade3
DqwzxVrOZs/Q5/OT/B2thDmW07WFvWyud2LZeGMipc0ztBRzkB6mRPH5uonLR1/y
ACTUuDfPdfiDxdNx5i943FRNe4Yiqk121LMdFzrRfFkbtb9ZlGjZdvBbPjN8U1Bf
9rEfRA8UCnemGMyczI2TJY2lOWix6rbBspHAqCoCxOMazLRRdH8QPYbCCfmBal6K
3yP/ZHA/utVENUOU3QfmmqNHY0/Kkekqr7SIJVjAeFJRQUDoABp0k4FkyxZuHA5H
g9iYM71txAsrZ6Cup+ez6WJlbYRcswOGeB23BhCAjlyGza8deLkd8KeFFa2h1fh0
alYIf4WHOtal5dGNPx6LPvK4uWaTUSqqwG7WeoCZA5U43pDPj9P6G6nzzNaX+NPg
7eF4JzZ0w9/8sD9eB4GxoE22sLvgBFeswc7GRG1iOLmZuRPd6csFjsGRPqVwI+o5
Da6W7uNjlcjDIR4t4BA77j3n4

Processed: Re: Bug#1067035: apache2-bin: rebuild for the 64-bit time_t migration is uninstallable

[Debian Bug Tracking System]

Processing control commands:

> reassign -1 libaprutil1t64
Bug #1067035 [apache2-bin] apache2-bin: rebuild for the 64-bit time_t migration 
is uninstallable
Bug reassigned from package 'apache2-bin' to 'libaprutil1t64'.
No longer marked as found in versions apache2/2.4.58-1.
Ignoring request to alter fixed versions of bug #1067035 to the same values 
previously set
> found -1 1.6.3-1.1
Bug #1067035 [libaprutil1t64] apache2-bin: rebuild for the 64-bit time_t 
migration is uninstallable
Marked as found in versions apr-util/1.6.3-1.1.
> affects -1 + apache2-bin
Bug #1067035 [libaprutil1t64] apache2-bin: rebuild for the 64-bit time_t 
migration is uninstallable
Added indication that 1067035 affects apache2-bin
> tags -1 + patch
Bug #1067035 [libaprutil1t64] apache2-bin: rebuild for the 64-bit time_t 
migration is uninstallable
Added tag(s) patch.

-- 
1067035: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067035
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: reassign 1067031 to src:apache2

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> reassign 1067031 src:apache2
Bug #1067031 [src:apache2-bin] apache2-bin: Probably wrong dependency.
Warning: Unknown package 'src:apache2-bin'
Bug reassigned from package 'src:apache2-bin' to 'src:apache2'.
No longer marked as found in versions apache2-bin/2.4.58-1.
Ignoring request to alter fixed versions of bug #1067031 to the same values 
previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1067031: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067031
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1064950: marked as done (apache2: (Legacy?) "Depends: apache2-data (= ${source:Version})," in debian/control breaks binNMU builds.)

[Debian Bug Tracking System]

Your message dated Wed, 13 Mar 2024 22:29:55 +0100
with message-id 
and subject line Re: AW: AW: Bug#1064950: apache2: (Legacy?) "Depends: 
apache2-data (= ${source:Version})," in debian/control breaks binNMU builds.
has caused the Debian Bug report #1064950,
regarding apache2: (Legacy?) "Depends: apache2-data (= ${source:Version})," in 
debian/control breaks binNMU builds.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1064950: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064950
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Subject: apache2: (Legacy?) "Depends: apache2-data (= ${source:Version})," in 
debian/control breaks binNMU builds.
Source: apache2
X-Debbugs-Cc: christof.warl...@siemens.com
Version: 2.4.57-2
Severity: serious
Justification: fails to build from source (but built successfully in the past)
Tags: patch ftbfs

Dear Maintainer,

(re)building apache2 as binNMU (i.e. with appending "+b to the 
package version")
works, but installation of the resulting apache2 package fails due to the 
following dependency
in debian/control:

Depends: apache2-data (= ${source:Version}),

It causes apt-get to look for the dependency "apache2-data" (= 2.4.57-2) which 
does not exist
in the newly built packages. Instead, the dependency should be satisfied by
"apache2-data (= 2.4.57-2+b)".

The folliwing patch fixes the issue:

diff --git a/debian/control b/debian/control
index 2eddc60..31121fa 100644
--- a/debian/control
+++ b/debian/control
@@ -34,7 +34,7 @@ Rules-Requires-Root: binary-targets
 Package: apache2
 Architecture: any
 Depends: apache2-bin (= ${binary:Version}),
- apache2-data (= ${source:Version}),
+ apache2-data (= ${binary:Version}),
  apache2-utils (= ${binary:Version}),
  lsb-base,
  media-types,

Please consider applying the patch.

Best regards,

Christof Warlich

P.S.: Note that the information below, being produced by "reportbug", is 
irrelevant as I executed "reportbug"
on WSL2 on Windows 10. The actual Debian version is "bookworm".

-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), 
(100, 'jammy-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.102.1-microsoft-standard-WSL2+ (SMP w/16 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
On 2024-03-04 12:33:39 +, Warlich, Christof wrote:
> Sebastian Ramacher wrote:
> > Christof Warlich wrote:
> > > If this assumption is true, then why is the Debian build system (i.e. 
> > > dpkg-buildpackage) not smart enough to simply ignore an existing +bX 
> > > extension for Architecture: all binary packages? IMHO, this would 
> > > simplify matters, as it would have avoided the pitfall that I stumbled 
> > > into altogether.
> > 
> > binNMUs are handled a layer above. sbuild will pass the correct options to 
> > dpkg-buildpackage to build binNMUs. If you are interested in having binNMU 
> > builds for your own infrastructure, you'll probably need to take a look at 
> > the sbuild source to see how it is implemented.
> 
> Ok, so I'd better start using sbuild instead. Again, thanks for the valuable 
> info and your time.

Closing this bug.

Cheers
-- 
Sebastian Ramacher--- End Message ---

Processed: Bug#1064950 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1064950 [src:apache2] apache2: (Legacy?) "Depends: apache2-data (= 
${source:Version})," in debian/control breaks binNMU builds.
Added tag(s) pending.

-- 
1064950: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064950
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1061893: marked as done (apr-util: NMU diff for 64-bit time_t transition)

[Debian Bug Tracking System]

Your message dated Wed, 28 Feb 2024 02:05:20 +
with message-id 
and subject line Bug#1061893: fixed in apr-util 1.6.3-1.1
has caused the Debian Bug report #1061893,
regarding apr-util: NMU diff for 64-bit time_t transition
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1061893: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061893
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apr-util
Version: 1.6.3-1
Severity: serious
Tags: patch pending
Justification: library ABI skew on upgrade
User: debian-...@lists.debian.org
Usertags: time-t

Dear maintainer,

As part of the 64-bit time_t transition required to support 32-bit
architectures in 2038 and beyond
(https://wiki.debian.org/ReleaseGoals/64bit-time), we have identified
apr-util as a source package shipping runtime libraries whose ABI
either is affected by the change in size of time_t, or could not be
analyzed via abi-compliance-checker (and therefore to be on the safe
side we assume is affected).

To ensure that inconsistent combinations of libraries with their
reverse-dependencies are never installed together, it is necessary to
have a library transition, which is most easily done by renaming the
runtime library package.

Since turning on 64-bit time_t is being handled centrally through a change
to the default dpkg-buildflags (https://bugs.debian.org/1037136), it is
important that libraries affected by this ABI change all be uploaded close
together in time.  Therefore I have prepared a 0-day NMU for apr-util
which will initially be uploaded to experimental if possible, then to
unstable after packages have cleared binary NEW.

Please find the patch for this NMU attached.

If you have any concerns about this patch, please reach out ASAP.  Although
this package will be uploaded to experimental immediately, there will be a
period of several days before we begin uploads to unstable; so if information
becomes available that your package should not be included in the transition,
there is time for us to amend the planned uploads.



-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-14-generic (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru apr-util-1.6.3/debian/changelog apr-util-1.6.3/debian/changelog
--- apr-util-1.6.3/debian/changelog 2023-02-03 20:15:18.0 +
+++ apr-util-1.6.3/debian/changelog 2024-01-30 00:55:31.0 +
@@ -1,3 +1,10 @@
+apr-util (1.6.3-1.1) experimental; urgency=medium
+
+  * Non-maintainer upload.
+  * Rename libraries for 64-bit time_t transition.
+
+ -- Steve Langasek   Tue, 30 Jan 2024 00:55:31 +
+
 apr-util (1.6.3-1) unstable; urgency=medium
 
   [ Stefan Fritsch ]
diff -Nru apr-util-1.6.3/debian/control apr-util-1.6.3/debian/control
--- apr-util-1.6.3/debian/control   2023-02-02 22:42:28.0 +
+++ apr-util-1.6.3/debian/control   2024-01-30 00:55:31.0 +
@@ -22,7 +22,10 @@
 Vcs-Git: https://salsa.debian.org/apache-team/apr-util.git
 Homepage: https://apr.apache.org/
 
-Package: libaprutil1
+Package: libaprutil1t64
+Provides: ${t64:Provides}
+Replaces: libaprutil1
+Breaks: libaprutil1 (<< ${source:Version})
 Architecture: any
 Multi-Arch: same
 Depends: ${shlibs:Depends},
diff -Nru apr-util-1.6.3/debian/libaprutil1.docs 
apr-util-1.6.3/debian/libaprutil1.docs
--- apr-util-1.6.3/debian/libaprutil1.docs  2023-02-01 21:35:51.0 
+
+++ apr-util-1.6.3/debian/libaprutil1.docs  1970-01-01 00:00:00.0 
+
@@ -1 +0,0 @@
-NOTICE
diff -Nru apr-util-1.6.3/debian/libaprutil1.install 
apr-util-1.6.3/debian/libaprutil1.install
--- apr-util-1.6.3/debian/libaprutil1.install   2023-02-01 21:35:51.0 
+
+++ apr-util-1.6.3/debian/libaprutil1.install   1970-01-01 00:00:00.0 
+
@@ -1,3 +0,0 @@
-usr/lib/*/libaprutil-1.so.*
-usr/lib/*/apr-util-1/apr_dbm*.so*
-usr/lib/*/apr-util-1/apr_crypt*.so*
diff -Nru apr-util-1.6.3/debian/libaprutil1.lintian-overrides 
apr-util-1.6.3/debian/libaprutil1.lintian-overrides
--- apr-util-1.6.3/debian/libaprutil1.lintian-overrides 2023-02-01 
21:35:51.0 +
+++ apr-util-1.6.3/debian/libaprutil1.lintian-overrides 1970-01-01 
00:00:00.0 +
@@ -1,2 +0,0 @@
-libaprutil1: symbols-declares-dependency-on-other-package
-libaprutil1: packag

Bug#1061894: marked as done (apr: NMU diff for 64-bit time_t transition)

[Debian Bug Tracking System]

Your message dated Wed, 28 Feb 2024 02:05:09 +
with message-id 
and subject line Bug#1061894: fixed in apr 1.7.2-3.1
has caused the Debian Bug report #1061894,
regarding apr: NMU diff for 64-bit time_t transition
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1061894: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061894
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apr
Version: 1.7.2-3
Severity: serious
Tags: patch pending
Justification: library ABI skew on upgrade
User: debian-...@lists.debian.org
Usertags: time-t

Dear maintainer,

As part of the 64-bit time_t transition required to support 32-bit
architectures in 2038 and beyond
(https://wiki.debian.org/ReleaseGoals/64bit-time), we have identified
apr as a source package shipping runtime libraries whose ABI
either is affected by the change in size of time_t, or could not be
analyzed via abi-compliance-checker (and therefore to be on the safe
side we assume is affected).

To ensure that inconsistent combinations of libraries with their
reverse-dependencies are never installed together, it is necessary to
have a library transition, which is most easily done by renaming the
runtime library package.

Since turning on 64-bit time_t is being handled centrally through a change
to the default dpkg-buildflags (https://bugs.debian.org/1037136), it is
important that libraries affected by this ABI change all be uploaded close
together in time.  Therefore I have prepared a 0-day NMU for apr
which will initially be uploaded to experimental if possible, then to
unstable after packages have cleared binary NEW.

Please find the patch for this NMU attached.

If you have any concerns about this patch, please reach out ASAP.  Although
this package will be uploaded to experimental immediately, there will be a
period of several days before we begin uploads to unstable; so if information
becomes available that your package should not be included in the transition,
there is time for us to amend the planned uploads.



-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-14-generic (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru apr-1.7.2/debian/changelog apr-1.7.2/debian/changelog
--- apr-1.7.2/debian/changelog  2023-02-26 20:51:24.0 +
+++ apr-1.7.2/debian/changelog  2024-01-30 00:57:09.0 +
@@ -1,3 +1,10 @@
+apr (1.7.2-3.1) experimental; urgency=medium
+
+  * Non-maintainer upload.
+  * Rename libraries for 64-bit time_t transition.
+
+ -- Steve Langasek   Tue, 30 Jan 2024 00:57:09 +
+
 apr (1.7.2-3) unstable; urgency=medium
 
   * Add more fixes for atomics from upstream, in particular for
diff -Nru apr-1.7.2/debian/control apr-1.7.2/debian/control
--- apr-1.7.2/debian/control2023-02-03 16:18:13.0 +
+++ apr-1.7.2/debian/control2024-01-30 00:57:09.0 +
@@ -19,7 +19,10 @@
 Homepage: https://apr.apache.org/
 Rules-Requires-Root: no
 
-Package: libapr1
+Package: libapr1t64
+Provides: ${t64:Provides}
+Replaces: libapr1
+Breaks: libapr1 (<< ${source:Version})
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Pre-Depends: ${misc:Pre-Depends}
diff -Nru apr-1.7.2/debian/libapr1.docs apr-1.7.2/debian/libapr1.docs
--- apr-1.7.2/debian/libapr1.docs   2023-02-02 21:18:42.0 +
+++ apr-1.7.2/debian/libapr1.docs   1970-01-01 00:00:00.0 +
@@ -1 +0,0 @@
-NOTICE
diff -Nru apr-1.7.2/debian/libapr1.install apr-1.7.2/debian/libapr1.install
--- apr-1.7.2/debian/libapr1.install2023-02-02 21:18:42.0 +
+++ apr-1.7.2/debian/libapr1.install1970-01-01 00:00:00.0 +
@@ -1 +0,0 @@
-usr/lib/*/libapr-1.so.*
diff -Nru apr-1.7.2/debian/libapr1.lintian-overrides 
apr-1.7.2/debian/libapr1.lintian-overrides
--- apr-1.7.2/debian/libapr1.lintian-overrides  2023-02-02 21:18:42.0 
+
+++ apr-1.7.2/debian/libapr1.lintian-overrides  1970-01-01 00:00:00.0 
+
@@ -1 +0,0 @@
-libapr1: package-name-doesnt-match-sonames libapr-1-0
diff -Nru apr-1.7.2/debian/libapr1.symbols apr-1.7.2/debian/libapr1.symbols
--- apr-1.7.2/debian/libapr1.symbols2023-02-02 21:18:42.0 +
+++ apr-1.7.2/debian/libapr1.symbols1970-01-01 00:00:00.0 +
@@ -1,2 +0,0 @@
-here for the purpose of tr

Processed: tagging 1061866, tagging 1061872, tagging 1061873, tagging 1061874, tagging 1061875, tagging 1061878 ...

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 1061866 + sid trixie
Bug #1061866 [src:adns] adns: NMU diff for 64-bit time_t transition
Added tag(s) trixie and sid.
> tags 1061872 + sid trixie
Bug #1061872 [src:adolc] adolc: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061873 + sid trixie
Bug #1061873 [src:afflib] afflib: NMU diff for 64-bit time_t transition
Added tag(s) trixie and sid.
> tags 1061874 + sid trixie
Bug #1061874 [src:colpack] colpack: NMU diff for 64-bit time_t transition
Added tag(s) trixie and sid.
> tags 1061875 + sid trixie
Bug #1061875 [src:afterstep] afterstep: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061878 + sid trixie
Bug #1061878 [src:agg] agg: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061881 + sid trixie
Bug #1061881 [src:akonadi-search] akonadi-search: NMU diff for 64-bit time_t 
transition
Added tag(s) trixie and sid.
> tags 1061883 + sid trixie
Bug #1061883 [src:alberta] alberta: NMU diff for 64-bit time_t transition
Added tag(s) trixie and sid.
> tags 1061889 + sid trixie
Bug #1061889 [src:angelscript] angelscript: NMU diff for 64-bit time_t 
transition
Added tag(s) sid and trixie.
> tags 1061890 + sid trixie
Bug #1061890 [src:anthy] anthy: NMU diff for 64-bit time_t transition
Added tag(s) trixie and sid.
> tags 1061891 + sid trixie
Bug #1061891 [src:apbs] apbs: NMU diff for 64-bit time_t transition
Added tag(s) trixie and sid.
> tags 1061892 + sid trixie
Bug #1061892 [src:apophenia] apophenia: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061893 + sid trixie
Bug #1061893 [src:apr-util] apr-util: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061894 + sid trixie
Bug #1061894 [src:apr] apr: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061897 + sid trixie
Bug #1061897 [src:aribb24] aribb24: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061900 + sid trixie
Bug #1061900 [src:comedilib] comedilib: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061901 + sid trixie
Bug #1061901 [src:compiz] compiz: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061903 + sid trixie
Bug #1061903 [src:coolkey] coolkey: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061905 + sid trixie
Bug #1061905 [src:cpp-hocon] cpp-hocon: NMU diff for 64-bit time_t transition
Added tag(s) trixie and sid.
> tags 1061908 + sid trixie
Bug #1061908 [src:cppdb] cppdb: NMU diff for 64-bit time_t transition
Added tag(s) trixie and sid.
> tags 1061909 + sid trixie
Bug #1061909 [src:croaring] croaring: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061911 + sid trixie
Bug #1061911 [src:csmith] csmith: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061913 + sid trixie
Bug #1061913 [src:ctpl] ctpl: NMU diff for 64-bit time_t transition
Added tag(s) trixie and sid.
> tags 1061914 + sid trixie
Bug #1061914 [src:cuneiform] cuneiform: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061915 + sid trixie
Bug #1061915 [src:cups-filters] cups-filters: NMU diff for 64-bit time_t 
transition
Added tag(s) sid and trixie.
> tags 1061921 + sid trixie
Bug #1061921 [src:asl] asl: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061922 + sid trixie
Bug #1061922 [src:astrometry.net] astrometry.net: NMU diff for 64-bit time_t 
transition
Added tag(s) trixie and sid.
> tags 1061928 + sid trixie
Bug #1061928 [src:avro-c] avro-c: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061929 + sid trixie
Bug #1061929 [src:bamf] bamf: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061932 + sid trixie
Bug #1061932 [src:blitz++] blitz++: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061934 + sid trixie
Bug #1061934 [src:boinc] boinc: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061943 + sid trixie
Bug #1061943 [src:forge] forge: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061945 + sid trixie
Bug #1061945 [src:fpgatools] fpgatools: NMU diff for 64-bit time_t transition
Added tag(s) trixie and sid.
> tags 1061953 + sid trixie
Bug #1061953 [src:freewnn] freewnn: NMU diff for 64-bit time_t transition
Added tag(s) sid and trixie.
> tags 1061954 + sid trixie
Bug #1061954 [src:frog] frog: NMU diff for 64-bit time_t transition
Added tag(s) trixie and sid.
> tags 1061955 + sid trixie
Bug #1061955 [src:fsplib] fsplib: NMU diff for 64-bit time_t transition
Added tag(s) trixie and sid.
> tags 1061957 + sid trixie
Bug #1061957 [src:funtools] funtools: NMU diff for 64-bit time_t transition
Added tag(s) trixie and sid.
> tags 1061961 + sid trixie
Bug #1061961 {Done: Bas Couwenberg } [src:fyba] fyba: NMU 
diff for 64-bit 

Processed: found 1057126 2.4.58-1

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> found 1057126 2.4.58-1
Bug #1057126 [apache2] "AH03490: scoreboard is full" after nightly maintenance
Marked as found in versions apache2/2.4.58-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1057126: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057126
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Bug#1054564 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1054564 [apache2] apache2: mod_proxy_connect insecure default server-wide 
AllowCONNECT value
Added tag(s) pending.

-- 
1054564: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054564
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1050870: marked as done (apache2: Provide dh-sequence-apache2)

[Debian Bug Tracking System]

Your message dated Thu, 19 Oct 2023 11:19:30 +
with message-id 
and subject line Bug#1050870: fixed in apache2 2.4.58-1
has caused the Debian Bug report #1050870,
regarding apache2: Provide dh-sequence-apache2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1050870: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050870
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.57-2
Severity: normal
Tags: patch

Dear Maintainer,

The apache2-dev package should provide dh-sequence-apache2 to automatically 
enable the sequence instead of using dh --with apache2.

The attached patch adds dh-sequence-apache2 to the Provides of apache2-dev.

Kind Regards,

Bas
diff -Nru apache2-2.4.57/debian/changelog apache2-2.4.57/debian/changelog
--- apache2-2.4.57/debian/changelog 2023-04-13 05:26:51.0 +0200
+++ apache2-2.4.57/debian/changelog 2023-08-30 17:37:55.0 +0200
@@ -1,3 +1,10 @@
+apache2 (2.4.57-2.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Provide dh-sequence-apache2.
+
+ -- Bas Couwenberg   Wed, 30 Aug 2023 17:37:55 +0200
+
 apache2 (2.4.57-2) unstable; urgency=medium
 
   * Revert debian/* changes (Bookworm freeze)
diff -Nru apache2-2.4.57/debian/control apache2-2.4.57/debian/control
--- apache2-2.4.57/debian/control   2023-04-13 05:14:09.0 +0200
+++ apache2-2.4.57/debian/control   2023-08-30 17:37:22.0 +0200
@@ -157,7 +157,8 @@
  openssl,
  ${misc:Depends},
  ${perl:Depends}
-Provides: dh-apache2
+Provides: dh-apache2,
+  dh-sequence-apache2
 Description: Apache HTTP Server (development headers)
  The Apache HTTP Server Project's goal is to build a secure, efficient and
  extensible HTTP server as standards-compliant open source software. The
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.58-1
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1050...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 19 Oct 2023 14:56:29 +0400
Source: apache2
Architecture: source
Version: 2.4.58-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1050870
Changes:
 apache2 (2.4.58-1) unstable; urgency=medium
 .
   [ Bas Couwenberg ]
   * Provide dh-sequence-apache2 (Closes: #1050870)
 .
   [ Yadd ]
   * Drop dependency to obsolete lsb-base
   * New upstream version 2.4.58 (Closes: CVE-2023-31122, CVE-2023-43622,
 CVE-2023-45802)
   * Refresh patches
Checksums-Sha1: 
 d4bf1fd9119ed0e22e4ce4c47f09c5834a9ae117 3488 apache2_2.4.58-1.dsc
 cd04721a2d9abfc634c895853cd555ac659b81e8 9825177 apache2_2.4.58.orig.tar.gz
 ca97b8482b73b024c9a245fb41eead6ef76eb4d3 874 apache2_2.4.58.orig.tar.gz.asc
 079551983cbb0dcbab42a059d32d219af50f457b 899684 apache2_2.4.58-1.debian.tar.xz
Checksums-Sha256: 
 8c4fdaef8f9635001ee410654e103b25d659fbd9d8f7d803e36efe73d5262d04 3488 
apache2_2.4.58-1.dsc
 503a7da4a4a27fd496037998b17078dc9fe004db32c657c96cce8356b8aa2eb6 9825177 
apache2_2.4.58.orig.tar.gz
 a6fe3398476f57233f623a083cc6dcc4ee12b1677e18bc592b4450ecb2d450d8 874 
apache2_2.4.58.orig.tar.gz.asc
 66b41a6dbd1fe2e21817b48f54201b2595d0b2142abe43893d624780c44bec1d 899684 
apache2_2.4.58-1.debian.tar.xz
Files: 
 3221aa89040599a3cc8f971415125b01 3488 httpd optional apache2_2.4.58-1.dsc
 2b9283d78fe42070d1385508fb31fbe5 9825177 httpd optional 
apache2_2.4.58.orig.tar.gz
 96fe65789a4b6893dd80005a038816c9 874 httpd optional 
apache2_2.4.58.orig.tar.gz.asc
 25f036eafbfdc0750c4136d89d209479 899684 httpd optional 
apache2_2.4.58-1.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmUxDKcACgkQ9tdMp8mZ
7un1Lg//VrMIlBfOQlRT7FngYvFjIv76RGJbDUyCeW1gGLNUNAjCigAtxvaWMHJE
ufTCVibQuSN0a1gi0AI5/jXJtL3AClY3x/xYKA24xhY3AnxlTKhc+3eZ5T36xZNl
gkwFmHU5Xlh0G6ESKZCf60vuxY+rkqFMRcX9/A4lGaJh1hREWbPvCrMoXpjeMaNe

Processed: Bug#1050870 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1050870 [src:apache2] apache2: Provide dh-sequence-apache2
Added tag(s) pending.

-- 
1050870: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050870
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#837346: marked as done (apache2: FTBFS on kfreebsd-i386: i586-kfreebsd-gnu-ar: command not found)

[Debian Bug Tracking System]

Your message dated Sat, 7 Oct 2023 17:13:41 +0300
with message-id 
and subject line kFreeBSD has been removed from Debian ports
has caused the Debian Bug report #837346,
regarding apache2: FTBFS on kfreebsd-i386: i586-kfreebsd-gnu-ar: command not 
found
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
837346: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837346
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.23-4
Severity: important

Hi,

apache2 FTBFS on on kfreebsd-i386:

https://buildd.debian.org/status/fetch.php?pkg=apache2=kfreebsd-i386=2.4.23-4=1471042791

make[4]: Entering directory '/«PKGBUILDDIR»/os/unix'
/usr/share/apr-1.0/build/libtool --no-silent --mode=compile 
i586-kfreebsd-gnu-gcc  -pthread  -pipe -g -O2 
-fdebug-prefix-map=/«PKGBUILDDIR»=. -fstack-protector-strong -Wformat 
-Werror=format-security-D_REENTRANT -D_GNU_SOURCE  -DPLATFORM='"Debian"' 
-DBUILD_DATETIME='"2016-08-12T19:44:31"' -Wdate-time -D_FORTIFY_SOURCE=2   -I. 
-I/«PKGBUILDDIR»/os/unix -I/«PKGBUILDDIR»/include -I/usr/include/apr-1.0 
-I/usr/include -I/«PKGBUILDDIR»/modules/aaa -I/«PKGBUILDDIR»/modules/cache 
-I/«PKGBUILDDIR»/modules/core -I/«PKGBUILDDIR»/modules/database 
-I/«PKGBUILDDIR»/modules/filters -I/«PKGBUILDDIR»/modules/ldap 
-I/«PKGBUILDDIR»/server -I/«PKGBUILDDIR»/modules/loggers 
-I/«PKGBUILDDIR»/modules/lua -I/«PKGBUILDDIR»/modules/proxy 
-I/«PKGBUILDDIR»/modules/session -I/«PKGBUILDDIR»/modules/ssl 
-I/«PKGBUILDDIR»/modules/test -I/«PKGBUILDDIR»/server 
-I/«PKGBUILDDIR»/modules/arch/unix -I/«PKGBUILDDIR»/modules/dav/main 
-I/«PKGBUILDDIR»/modules/generators -I/«PKGBUILD
 DIR»/modules/mappers -fPIE -prefer-non-pic -static -c unixd.c && touch unixd.lo
libtool: compile:  i586-kfreebsd-gnu-gcc -pthread -pipe -g -O2 
-fdebug-prefix-map=/«PKGBUILDDIR»=. -fstack-protector-strong -Wformat 
-Werror=format-security -D_REENTRANT -D_GNU_SOURCE -DPLATFORM=\"Debian\" 
-DBUILD_DATETIME=\"2016-08-12T19:44:31\" -Wdate-time -D_FORTIFY_SOURCE=2 -I. 
-I/«PKGBUILDDIR»/os/unix -I/«PKGBUILDDIR»/include -I/usr/include/apr-1.0 
-I/usr/include -I/«PKGBUILDDIR»/modules/aaa -I/«PKGBUILDDIR»/modules/cache 
-I/«PKGBUILDDIR»/modules/core -I/«PKGBUILDDIR»/modules/database 
-I/«PKGBUILDDIR»/modules/filters -I/«PKGBUILDDIR»/modules/ldap 
-I/«PKGBUILDDIR»/server -I/«PKGBUILDDIR»/modules/loggers 
-I/«PKGBUILDDIR»/modules/lua -I/«PKGBUILDDIR»/modules/proxy 
-I/«PKGBUILDDIR»/modules/session -I/«PKGBUILDDIR»/modules/ssl 
-I/«PKGBUILDDIR»/modules/test -I/«PKGBUILDDIR»/server 
-I/«PKGBUILDDIR»/modules/arch/unix -I/«PKGBUILDDIR»/modules/dav/main 
-I/«PKGBUILDDIR»/modules/generators -I/«PKGBUILDDIR»/modules/mappers -c unixd.c 
-fPIE -o unixd.o
/usr/share/apr-1.0/build/libtool --no-silent --mode=link i586-kfreebsd-gnu-gcc  
-pthread  -pipe -g -O2 -fdebug-prefix-map=/«PKGBUILDDIR»=. 
-fstack-protector-strong -Wformat -Werror=format-security -pie 
-Wl,--as-needed -Wl,-z,relro -Wl,-z,now -o libos.la -static  unixd.lo  
libtool: link: i586-kfreebsd-gnu-ar cru .libs/libos.a  unixd.o
/usr/share/apr-1.0/build/libtool: line 1088: i586-kfreebsd-gnu-ar: command not 
found
/«PKGBUILDDIR»/build/library.mk:22: recipe for target 'libos.la' failed
make[4]: *** [libos.la] Error 127


Andreas
--- End Message ---
--- Begin Message ---
kFreeBSD has been removed from Debian ports:
https://lists.debian.org/debian-bsd/2023/07/msg3.html

cu
Adrian--- End Message ---

Bug#1050458: marked as done (apache2: given is deprecated at /usr/sbin/a2enmod)

[Debian Bug Tracking System]

Your message dated Tue, 29 Aug 2023 08:49:17 +
with message-id 
and subject line Bug#1050458: fixed in apache2 2.4.57-3
has caused the Debian Bug report #1050458,
regarding apache2: given is deprecated at /usr/sbin/a2enmod
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1050458: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050458
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.57-2
Severity: important
Tags: trixie sid
User: debian-p...@lists.debian.org
Usertags: perl-5.38-transition autopkgtest
Control: affects -1 munin

Installing this package spews warnings with Perl 5.38 (currently in 
experimental)
because a2enmod uses the deprecated 'given' and 'when' Perl keywords.

   Setting up apache2 (2.4.57-2) ...
   given is deprecated at /usr/sbin/a2enmod line 577.
   when is deprecated at /usr/sbin/a2enmod line 578.
   when is deprecated at /usr/sbin/a2enmod line 586.
   Enabling module mpm_event.
   given is deprecated at /usr/sbin/a2enmod line 577.
   when is deprecated at /usr/sbin/a2enmod line 578.
   when is deprecated at /usr/sbin/a2enmod line 586.
   [...]

This breaks at least the munin autopkgtest checks as seen at

  https://ci.debian.net/data/autopkgtest/unstable/amd64/m/munin/37098324/log.gz

 429s master-cgi-systemd   FAIL stderr: given is deprecated at 
/usr/sbin/a2enmod line 577.

so filing at 'important' (but feel free to adjust.)
-- 
Niko Tyni   nt...@debian.org
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.57-3
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1050...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 29 Aug 2023 11:39:32 +0400
Source: apache2
Architecture: source
Version: 2.4.57-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1050458
Changes:
 apache2 (2.4.57-3) unstable; urgency=medium
 .
   * Update a2enmod to drop given/when (Closes: #1050458)
   * Restore changes not included in Bookworm (set -e in apache2ctl)
Checksums-Sha1: 
 4ea609f43f6f10666e86b418b280785e3befb7f3 3488 apache2_2.4.57-3.dsc
 98e5d527ad782c7d85967fd84bfec99315d1eaac 899784 apache2_2.4.57-3.debian.tar.xz
Checksums-Sha256: 
 409ea748712decab935ff9d0d4b86d8d6ca168a127b31ad683c93381012fd990 3488 
apache2_2.4.57-3.dsc
 7018c02fa3c2d7bbc8a095460fd7e0095ce153c73830c9fdabb5ed62fc466bde 899784 
apache2_2.4.57-3.debian.tar.xz
Files: 
 b898e9e1d332776e57497e41c6fe8eec 3488 httpd optional apache2_2.4.57-3.dsc
 cf90fac50bae2ce4f3aef890467f2264 899784 httpd optional 
apache2_2.4.57-3.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmTtoZgACgkQ9tdMp8mZ
7ulfDw//fTQQ25XFv07BVK20X00mhxo+lwyf+QZtrptS0za9/BF+X/l2Tp4KWYS9
MUd7ZZJfZnLV1SldqI6YaZOQCNIR91qm9yDQbzNq06OK0oUhI5gSbwVcoinehC4j
JVeJvwim7FG0Yh9idMFklNERrKn8PyJ5sZ9j5FsobUeMYNJ/HO/9mek2LqluPUxI
LBGg7ltag+D7YV5PbIA24tI6BGryjGyvlD5Ug4jk3KVqmV4dTgZU3qBHfj4kmUts
NumPk6jSVMHvnANL4IbczouUYuqNIUBNUTAvEcORngcqQK0+mjRONzFY7wdvhyCh
oa50KUWAy66RmgwqpgCA6ZrDyw1AclaaY0VRPoMvHdoKGRTVHQMsdngTvz95oF7e
UVtpNTKlPXAarZnoy2LsKE0i3PH4XSLop6FrcQdC7I09ZkpFpYGEovLi08/Ug5RF
8uGbrsYtKiGenXN4sWi6vZZF6588skUZO5JcJwpaJKr4Mc31IY9LQhIXSy/KUf/6
IIgrp5jGlLuObIJBxrIVWrkLUriYLlrTDMrO4JbkFvYSjWZjkstHx9qh4k2LliKI
V++TsKzmJzbe6tcRZtp/rBgO6GXUzU+AVDJpzC/1EzSXO3JvqpoZDhhXDt+0JeG1
hcjLppxIwAminmwSL2LaJX06YtoKadlJGt4UdhOCJ7UV9EJpqtI=
=Onyl
-END PGP SIGNATURE End Message ---

Processed: Bug#1050458 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1050458 [apache2] apache2: given is deprecated at /usr/sbin/a2enmod
Added tag(s) pending.

-- 
1050458: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050458
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: apache2: given is deprecated at /usr/sbin/a2enmod

[Debian Bug Tracking System]

Processing control commands:

> affects -1 munin
Bug #1050458 [apache2] apache2: given is deprecated at /usr/sbin/a2enmod
Added indication that 1050458 affects munin

-- 
1050458: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050458
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#967010: marked as done (apache2: last debian 10.4 , last apache avail from repo hangs on install (and start phase))

[Debian Bug Tracking System]

Your message dated Sat, 29 Jul 2023 13:45:57 +0200
with message-id <498b57b77752be9de201b362bb64fdf3f641d296.ca...@debian.org>
and subject line Re: apache2: last debian 10.4 , last apache avail from repo 
hangs on install (and start phase)
has caused the Debian Bug report #967010,
regarding apache2: last debian 10.4 , last apache avail from repo hangs on 
install (and start phase)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
967010: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967010
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.38-3+deb10u3
Severity: grave
Justification: renders package unusable

Dear Maintainer,


   * What led up to the situation?
package installing
   * What exactly did you do (or not do) that was effective (or
 ineffective)?
apt-get install apache2
   * What was the outcome of this action?
packages did not start
   * What outcome did you expect instead?
packages will start ok


I have fresh debian 10 install, OS after full upgrade with:
`apt-get upgrade` and
`apt-get dist-upgrade`

I want to install apache2 packages, it hang on install (on post-install phase 
when apache starts):

(*my findings why is below)

apt-get install apache2  
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following additional packages will be installed:
  apache2-bin apache2-data apache2-utils libapr1 libaprutil1 
libaprutil1-dbd-sqlite3 libaprutil1-ldap libbrotli1 libjansson4 liblua5.2-0
Suggested packages:
  apache2-doc apache2-suexec-pristine | apache2-suexec-custom
The following NEW packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils libapr1 libaprutil1 
libaprutil1-dbd-sqlite3 libaprutil1-ldap libbrotli1 libjansson4 liblua5.2-0
0 upgraded, 11 newly installed, 0 to remove and 1 not upgraded.
Need to get 0 B/2,606 kB of archives.
After this operation, 8,885 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Selecting previously unselected package libapr1:amd64.
(Reading database ... 85650 files and directories currently installed.)
Preparing to unpack .../00-libapr1_1.6.5-1+b1_amd64.deb ...
Unpacking libapr1:amd64 (1.6.5-1+b1) ...
Selecting previously unselected package libaprutil1:amd64.
Preparing to unpack .../01-libaprutil1_1.6.1-4_amd64.deb ...
Unpacking libaprutil1:amd64 (1.6.1-4) ...
Selecting previously unselected package libaprutil1-dbd-sqlite3:amd64.
Preparing to unpack .../02-libaprutil1-dbd-sqlite3_1.6.1-4_amd64.deb ...
Unpacking libaprutil1-dbd-sqlite3:amd64 (1.6.1-4) ...
Selecting previously unselected package libaprutil1-ldap:amd64.
Preparing to unpack .../03-libaprutil1-ldap_1.6.1-4_amd64.deb ...
Unpacking libaprutil1-ldap:amd64 (1.6.1-4) ...
Selecting previously unselected package libbrotli1:amd64.
Preparing to unpack .../04-libbrotli1_1.0.7-2_amd64.deb ...
Unpacking libbrotli1:amd64 (1.0.7-2) ...
Selecting previously unselected package libjansson4:amd64.
Preparing to unpack .../05-libjansson4_2.12-1_amd64.deb ...
Unpacking libjansson4:amd64 (2.12-1) ...
Selecting previously unselected package liblua5.2-0:amd64.
Preparing to unpack .../06-liblua5.2-0_5.2.4-1.1+b2_amd64.deb ...
Unpacking liblua5.2-0:amd64 (5.2.4-1.1+b2) ...
Selecting previously unselected package apache2-bin.
Preparing to unpack .../07-apache2-bin_2.4.38-3+deb10u3_amd64.deb ...
Unpacking apache2-bin (2.4.38-3+deb10u3) ...
Selecting previously unselected package apache2-data.
Preparing to unpack .../08-apache2-data_2.4.38-3+deb10u3_all.deb ...
Unpacking apache2-data (2.4.38-3+deb10u3) ...
Selecting previously unselected package apache2-utils.
Preparing to unpack .../09-apache2-utils_2.4.38-3+deb10u3_amd64.deb ...
Unpacking apache2-utils (2.4.38-3+deb10u3) ...
Selecting previously unselected package apache2.
Preparing to unpack .../10-apache2_2.4.38-3+deb10u3_amd64.deb ...
Unpacking apache2 (2.4.38-3+deb10u3) ...
Setting up libbrotli1:amd64 (1.0.7-2) ...
Setting up libapr1:amd64 (1.6.5-1+b1) ...
Setting up libjansson4:amd64 (2.12-1) ...
Setting up liblua5.2-0:amd64 (5.2.4-1.1+b2) ...
Setting up apache2-data (2.4.38-3+deb10u3) ...
Setting up libaprutil1:amd64 (1.6.1-4) ...
Setting up libaprutil1-ldap:amd64 (1.6.1-4) ...
Setting up libaprutil1-dbd-sqlite3:amd64 (1.6.1-4) ...
Setting up apache2-utils (2.4.38-3+deb10u3) ...
Setting up apache2-bin (2.4.38-3+deb10u3) ...
Setting up apache2 (2.4.38-3+deb10u3) ...
Enabling module mpm_event.
Enabling module authz_core.
Enabling module authz_host.
Enabling module authn_core.
Enabling module auth_basic.
Enabling 

Processed: reassign 650741 to gnome-session-flashback, reassign 714631 to gnome-session-flashback ...

[Debian Bug Tracking System]

0: seg fault or similar nasty error 
detected in the parent process
Warning: Unknown package 'apache2-mpm-event'
Bug reassigned from package 'apache2-mpm-event' to 'src:apache2'.
No longer marked as found in versions apache2/2.4.10-10+deb8u10.
Ignoring request to alter fixed versions of bug #872036 to the same values 
previously set
Bug #872036 [src:apache2] AH00060: seg fault or similar nasty error detected in 
the parent process
Marked as found in versions apache2/2.4.10-10+deb8u10.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
318432: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=318432
455191: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=455191
620276: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620276
622235: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622235
649310: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649310
650741: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650741
654545: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654545
654717: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654717
655583: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655583
714631: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714631
717035: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717035
751847: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751847
751855: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751855
754147: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754147
777595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777595
779986: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779986
782101: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782101
797653: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797653
798940: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798940
805966: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805966
808071: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808071
820550: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820550
823158: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823158
872036: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872036
963586: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963586
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1033408: marked as done (apache2: Segmentation fault + 503 on frontpage on 2.4.56-1)

[Debian Bug Tracking System]

Your message dated Sat, 08 Apr 2023 16:17:08 +
with message-id 
and subject line Bug#1033408: fixed in apache2 2.4.56-1~deb11u2
has caused the Debian Bug report #1033408,
regarding apache2: Segmentation fault + 503 on frontpage on 2.4.56-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033408: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.56-1~deb11u1
Severity: important
X-Debbugs-Cc: t...@security.debian.org

Unattended-upgrades applied this new version on 22 march @ 6AM. Had
Segmentation faults since then, 503 for customers on websites. Since we
reverted back to 2.4.54, we've no more issues. Couldn't make any sense
of coredump but can provide one if necessary.


-- Package-specific info:

-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-18-amd64 (SMP w/32 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin  2.4.56-1~deb11u1
ii  apache2-data 2.4.56-1~deb11u1
ii  apache2-utils2.4.56-1~deb11u1
ii  dpkg 1.20.12
ii  init-system-helpers  1.60
ii  lsb-base 11.1.0
ii  mime-support 3.66
ii  perl 5.32.1-4+deb11u2
ii  procps   2:3.3.17-5

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.0+nmu1

Versions of packages apache2 suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  lynx [www-browser]   2.9.0dev.6-3~deb11u1

Versions of packages apache2-bin depends on:
ii  libapr1  1.7.0-6+deb11u2
ii  libaprutil1  1.6.1-5+deb11u1
ii  libaprutil1-dbd-sqlite3  1.6.1-5+deb11u1
ii  libaprutil1-ldap 1.6.1-5+deb11u1
ii  libbrotli1   1.0.9-2+b2
ii  libc62.31-13+deb11u5
ii  libcrypt11:4.4.18-4
ii  libcurl4 7.74.0-1.3+deb11u7
ii  libjansson4  2.13.1-1.1
ii  libldap-2.4-22.4.57+dfsg-3+deb11u1
ii  liblua5.3-0  5.3.3-1.1+b1
ii  libnghttp2-141.43.0-1
ii  libpcre3 2:8.44-2+0~20210301.9+debian11~1.gbpa278ad
ii  libssl1.11.1.1n-0+deb11u4
ii  libxml2  2.9.14+dfsg-0+0~20220524.12+debian11~1.gbpc5dc45
ii  perl 5.32.1-4+deb11u2
ii  zlib1g   1:1.2.11.dfsg-2+deb11u2

Versions of packages apache2-bin suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  lynx [www-browser]   2.9.0dev.6-3~deb11u1

Versions of packages apache2 is related to:
ii  apache2  2.4.56-1~deb11u1
ii  apache2-bin  2.4.56-1~deb11u1

-- Configuration Files:
/etc/apache2/apache2.conf changed [not included]
/etc/apache2/mods-available/mpm_event.conf changed [not included]
/etc/apache2/ports.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.56-1~deb11u2
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 02 Apr 2023 07:06:01 +0400
Source: apache2
Architecture: source
Version: 2.4.56-1~deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1018718 1033284 1033408
Changes:
 apache2 (2.4.56-1~deb11u2) bullseye; urgency=medium
 .
   [ Hendrik Jäger ]
   * Don't

Bug#1033284: marked as done (apache2 2.4.56-1 redirects not normal working appeared %3f)

[Debian Bug Tracking System]

Your message dated Sat, 08 Apr 2023 16:17:08 +
with message-id 
and subject line Bug#1033284: fixed in apache2 2.4.56-1~deb11u2
has caused the Debian Bug report #1033284,
regarding apache2 2.4.56-1 redirects not normal working appeared %3f
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033284: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: apache2
Version: 2.4.56-1


Hello.
I used to redirect
RewriteRule ^test\.php$https://www.test.com/? [R=301,L]

Result
test.com/test.php 301 >https://www.test.com/


After upgrading to the 2.4.56-1
Result
test.com/test.php 301 >https://www.test.com/%3f

What is the problem can you fix it?
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.56-1~deb11u2
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 02 Apr 2023 07:06:01 +0400
Source: apache2
Architecture: source
Version: 2.4.56-1~deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1018718 1033284 1033408
Changes:
 apache2 (2.4.56-1~deb11u2) bullseye; urgency=medium
 .
   [ Hendrik Jäger ]
   * Don't automatically enable apache2-doc.conf (Closes: #1018718)
 .
   [ Yadd ]
   * Fix regression in mod_rewrite introduced in version 2.4.56
  (Closes: #1033284)
   * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408)
Checksums-Sha1: 
 89d02fe86e3ebc78ff891696d693cf3a14dc33f6 3539 apache2_2.4.56-1~deb11u2.dsc
 29ea0a273a403079320c83888e14b45e5c65c80d 895464 
apache2_2.4.56-1~deb11u2.debian.tar.xz
Checksums-Sha256: 
 b8ac3c048efb9ef96a2a4ab1975b89d202d8d9b0f3683e752df721537dc50cc9 3539 
apache2_2.4.56-1~deb11u2.dsc
 0be84882d86464d4882334f0939411bbec335b64b7062d372e3e898e9033cc0b 895464 
apache2_2.4.56-1~deb11u2.debian.tar.xz
Files: 
 79911bbab259494333aa95609c9eabbd 3539 httpd optional 
apache2_2.4.56-1~deb11u2.dsc
 64fbb75abf882e7de027b5d6abe67c83 895464 httpd optional 
apache2_2.4.56-1~deb11u2.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmQw2sYACgkQ9tdMp8mZ
7umUuA//a+g5qa6XkJPfTu78dUMFKqoDbxx06ap586Ai4Iy3WOs38BeA7vViNYGb
92XmZDAiDj+2f2To3mLH4eqNELGkhHDBhF+ikxwc1CtVlDHdlqGMiEL3/HEl8GyL
bvosCZTk/8Gg/hMIfAIGBN6XGeyqo2OIibTeNKtU4VD3evxSA7O8e7aTHLWgGeU3
cJwcMtuhtI2ju8PzOl94otqjydmkSIbegdce+OUh2Ytp072nSePHppIrDgWCt8Oq
JjcrUl+TYXZMY/leLxF3sk/Lp2kjegQuaoMTTUeTtxPbqlLqhi2dUp0yAobhriHR
Zgdg+iPoDxB3hVh2qD831nQNM2GvDyD2JMoRWd7FV5+48R+e++P+mWLvIwB/OSFj
RMBUx+jY8Zz9VzmPjpDLe4eTh7KXbg8/7e/Z3HqaF2741RpdRnOdQbK3Zb5jsb7c
MNVLz2ke1LTZ3igfJc13/WuRzjd+Wh1rOx63CU/vRdZMzhQhcBu4DdDXHtTTa8cf
UKBeoI3XYrBBu6oC1QUBGTQQTwe0Ki8uZ/ZfEjElJ6fGfNmD69OZ4irjhjfOskBd
MC3oNmqAgdy/jlNnuniAkof8/XlZO6hmcRha6G0MPMOMAKMnRvZxwx6OjBYs6+9a
GZNLAGZ74E3RkzS8kiPmNc1bubDms/Tq3OiNih7yYsBiMuLSEOc=
=NyVi
-END PGP SIGNATURE End Message ---

Bug#1018718: marked as done (apache2-doc: despite having been disabled, apache2-doc.conf gets rather silently re-enabled automatically)

[Debian Bug Tracking System]

Your message dated Sat, 08 Apr 2023 16:17:08 +
with message-id 
and subject line Bug#1018718: fixed in apache2 2.4.56-1~deb11u2
has caused the Debian Bug report #1018718,
regarding apache2-doc: despite having been disabled, apache2-doc.conf gets 
rather silently re-enabled automatically
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1018718: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018718
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2-doc
Version: 2.4.54-1~deb11u1
Severity: important


Hey.

Unfortunately #977014 has been ignored so far, but no I just noted that even
when one explicitly disabled apache2-doc.conf via a2disconf, it still gets
rather silently re-enabled on upgrading the package, which is IMO quite
unfortunate.


Please fix at least that, or even better #977014, in which case this bug here
would become obsolete.

Thanks :-)
Chris.
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.56-1~deb11u2
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1018...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 02 Apr 2023 07:06:01 +0400
Source: apache2
Architecture: source
Version: 2.4.56-1~deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1018718 1033284 1033408
Changes:
 apache2 (2.4.56-1~deb11u2) bullseye; urgency=medium
 .
   [ Hendrik Jäger ]
   * Don't automatically enable apache2-doc.conf (Closes: #1018718)
 .
   [ Yadd ]
   * Fix regression in mod_rewrite introduced in version 2.4.56
  (Closes: #1033284)
   * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408)
Checksums-Sha1: 
 89d02fe86e3ebc78ff891696d693cf3a14dc33f6 3539 apache2_2.4.56-1~deb11u2.dsc
 29ea0a273a403079320c83888e14b45e5c65c80d 895464 
apache2_2.4.56-1~deb11u2.debian.tar.xz
Checksums-Sha256: 
 b8ac3c048efb9ef96a2a4ab1975b89d202d8d9b0f3683e752df721537dc50cc9 3539 
apache2_2.4.56-1~deb11u2.dsc
 0be84882d86464d4882334f0939411bbec335b64b7062d372e3e898e9033cc0b 895464 
apache2_2.4.56-1~deb11u2.debian.tar.xz
Files: 
 79911bbab259494333aa95609c9eabbd 3539 httpd optional 
apache2_2.4.56-1~deb11u2.dsc
 64fbb75abf882e7de027b5d6abe67c83 895464 httpd optional 
apache2_2.4.56-1~deb11u2.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmQw2sYACgkQ9tdMp8mZ
7umUuA//a+g5qa6XkJPfTu78dUMFKqoDbxx06ap586Ai4Iy3WOs38BeA7vViNYGb
92XmZDAiDj+2f2To3mLH4eqNELGkhHDBhF+ikxwc1CtVlDHdlqGMiEL3/HEl8GyL
bvosCZTk/8Gg/hMIfAIGBN6XGeyqo2OIibTeNKtU4VD3evxSA7O8e7aTHLWgGeU3
cJwcMtuhtI2ju8PzOl94otqjydmkSIbegdce+OUh2Ytp072nSePHppIrDgWCt8Oq
JjcrUl+TYXZMY/leLxF3sk/Lp2kjegQuaoMTTUeTtxPbqlLqhi2dUp0yAobhriHR
Zgdg+iPoDxB3hVh2qD831nQNM2GvDyD2JMoRWd7FV5+48R+e++P+mWLvIwB/OSFj
RMBUx+jY8Zz9VzmPjpDLe4eTh7KXbg8/7e/Z3HqaF2741RpdRnOdQbK3Zb5jsb7c
MNVLz2ke1LTZ3igfJc13/WuRzjd+Wh1rOx63CU/vRdZMzhQhcBu4DdDXHtTTa8cf
UKBeoI3XYrBBu6oC1QUBGTQQTwe0Ki8uZ/ZfEjElJ6fGfNmD69OZ4irjhjfOskBd
MC3oNmqAgdy/jlNnuniAkof8/XlZO6hmcRha6G0MPMOMAKMnRvZxwx6OjBYs6+9a
GZNLAGZ74E3RkzS8kiPmNc1bubDms/Tq3OiNih7yYsBiMuLSEOc=
=NyVi
-END PGP SIGNATURE End Message ---

Processed: closing 977014

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> close 977014
Bug #977014 [apache2-doc] apache2-doc: please do not enable apache2-doc site 
(or even better: remove it at all)
Marked Bug as done
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
977014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977014
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: fixed 977014 in 2.4.54-3

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> fixed 977014 2.4.54-3
Bug #977014 [apache2-doc] apache2-doc: please do not enable apache2-doc site 
(or even better: remove it at all)
Marked as fixed in versions apache2/2.4.54-3.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
977014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977014
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1033408: marked as done (apache2: Segmentation fault + 503 on frontpage on 2.4.56-1)

[Debian Bug Tracking System]

Your message dated Sun, 02 Apr 2023 03:19:14 +
with message-id 
and subject line Bug#1033408: fixed in apache2 2.4.56-2
has caused the Debian Bug report #1033408,
regarding apache2: Segmentation fault + 503 on frontpage on 2.4.56-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033408: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.56-1~deb11u1
Severity: important
X-Debbugs-Cc: t...@security.debian.org

Unattended-upgrades applied this new version on 22 march @ 6AM. Had
Segmentation faults since then, 503 for customers on websites. Since we
reverted back to 2.4.54, we've no more issues. Couldn't make any sense
of coredump but can provide one if necessary.


-- Package-specific info:

-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-18-amd64 (SMP w/32 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin  2.4.56-1~deb11u1
ii  apache2-data 2.4.56-1~deb11u1
ii  apache2-utils2.4.56-1~deb11u1
ii  dpkg 1.20.12
ii  init-system-helpers  1.60
ii  lsb-base 11.1.0
ii  mime-support 3.66
ii  perl 5.32.1-4+deb11u2
ii  procps   2:3.3.17-5

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.0+nmu1

Versions of packages apache2 suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  lynx [www-browser]   2.9.0dev.6-3~deb11u1

Versions of packages apache2-bin depends on:
ii  libapr1  1.7.0-6+deb11u2
ii  libaprutil1  1.6.1-5+deb11u1
ii  libaprutil1-dbd-sqlite3  1.6.1-5+deb11u1
ii  libaprutil1-ldap 1.6.1-5+deb11u1
ii  libbrotli1   1.0.9-2+b2
ii  libc62.31-13+deb11u5
ii  libcrypt11:4.4.18-4
ii  libcurl4 7.74.0-1.3+deb11u7
ii  libjansson4  2.13.1-1.1
ii  libldap-2.4-22.4.57+dfsg-3+deb11u1
ii  liblua5.3-0  5.3.3-1.1+b1
ii  libnghttp2-141.43.0-1
ii  libpcre3 2:8.44-2+0~20210301.9+debian11~1.gbpa278ad
ii  libssl1.11.1.1n-0+deb11u4
ii  libxml2  2.9.14+dfsg-0+0~20220524.12+debian11~1.gbpc5dc45
ii  perl 5.32.1-4+deb11u2
ii  zlib1g   1:1.2.11.dfsg-2+deb11u2

Versions of packages apache2-bin suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  lynx [www-browser]   2.9.0dev.6-3~deb11u1

Versions of packages apache2 is related to:
ii  apache2  2.4.56-1~deb11u1
ii  apache2-bin  2.4.56-1~deb11u1

-- Configuration Files:
/etc/apache2/apache2.conf changed [not included]
/etc/apache2/mods-available/mpm_event.conf changed [not included]
/etc/apache2/ports.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.56-2
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 02 Apr 2023 06:54:25 +0400
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.56-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1033284 1033408
Changes:
 apache2 (2.4.56-2) unstable; urgency=medium
 .
   * Fix regression in mod_rewrite introduced in version

Bug#1033284: marked as done (apache2 2.4.56-1 redirects not normal working appeared %3f)

[Debian Bug Tracking System]

Your message dated Sun, 02 Apr 2023 03:19:14 +
with message-id 
and subject line Bug#1033284: fixed in apache2 2.4.56-2
has caused the Debian Bug report #1033284,
regarding apache2 2.4.56-1 redirects not normal working appeared %3f
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033284: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: apache2
Version: 2.4.56-1


Hello.
I used to redirect
RewriteRule ^test\.php$https://www.test.com/? [R=301,L]

Result
test.com/test.php 301 >https://www.test.com/


After upgrading to the 2.4.56-1
Result
test.com/test.php 301 >https://www.test.com/%3f

What is the problem can you fix it?
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.56-2
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 02 Apr 2023 06:54:25 +0400
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.56-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1033284 1033408
Changes:
 apache2 (2.4.56-2) unstable; urgency=medium
 .
   * Fix regression in mod_rewrite introduced in version 2.4.56
 (Closes: #1033284)
   * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408)
Checksums-Sha1: 
 4a286e72a3b69731def0c4af16aec5dd0bb21d7c 3488 apache2_2.4.56-2.dsc
 cb1a7fc896f4622212958781c8d5d7dfb82114be 900304 apache2_2.4.56-2.debian.tar.xz
Checksums-Sha256: 
 a9203bc8c91ff3ae1a1e8e52ce257d53e6f22d2d1a5304681aeaa34a78409229 3488 
apache2_2.4.56-2.dsc
 1d37e426e6158f41b1c6e3bc4d50709dc0d717dc7bf0ee2b0b47cbeac059b295 900304 
apache2_2.4.56-2.debian.tar.xz
Files: 
 3bcd284597557bf631e8e5e7da4d9da1 3488 httpd optional apache2_2.4.56-2.dsc
 009e795899f02e5b5ae40b688c84149f 900304 httpd optional 
apache2_2.4.56-2.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmQo798ACgkQ9tdMp8mZ
7umWgQ/+L7o0kYgLVjsXEhQjF4NfVw5cQ/NLntlBGp6LAAfpZKPrlcFroWwOI+A8
9XugZiONV4Oru50M6YTRd9cUNzhvODh2/+Mddv32vuBaPuBJknQTUUhE16FOwXbJ
gQXY/VLR74O/xQPd5/xFUzRpnVUoW9nyM1PQxK/B7zVbrMpfKItjAEi/IWAoivH0
0kagVp9O18kcki2PxAjQMlE3rwt2hfH6S5doSsqCjc66jId0JD1EpSpgSUXfsrpU
2vGKKJBPGPmWmUZBT41JlIt4H7FS9GEnItM6zv7YhNV8xUi62lAl/uhGg/VgzP1c
L8h9s+KCxp2QW7qKMDG4bf7LqwXp5CeMA8QmkyeV1QWUYbL9iv0w26PticDtlucE
BMqpDSX1yHzSEef2GFdzlbSh580CgPeoqWiuHFhms7Op7wOrHkoghdvI725zsr2b
a9MBh2rd5eZG2TAWodORN2q4RE5xwrGdX9U9VXs24IOwuVsSKSPWdLNPQ636Uqm2
LsKVZyBjgc0FV/0bI/qILCy4/8pee1KvfTJNONe2ZZ9Z2su3cALAjOcG98BJnFsi
ubrPL8XScirmTS3RRNPAraoWLaN9chQ8Z/nrzcHU02w3TkgmiQb/q8xz1fUvdwxV
P6UhL58wO1qW3qwJjF9dZ8WobpY6ib6s7flA17ghBjJdDe76EKw=
=e/Zc
-END PGP SIGNATURE End Message ---

Processed: Bug#1033408 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1033408 [apache2] apache2: Segmentation fault + 503 on frontpage on 
2.4.56-1
Added tag(s) pending.

-- 
1033408: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Bug#1018718 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1018718 [apache2-doc] apache2-doc: despite having been disabled, 
apache2-doc.conf gets rather silently re-enabled automatically
Added tag(s) pending.

-- 
1018718: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018718
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Bug#1033284 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1033284 [apache2] apache2 2.4.56-1 redirects not normal working appeared 
%3f
Ignoring request to alter tags of bug #1033284 to the same tags previously set

-- 
1033284: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Bug#1033284 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1033284 [apache2] apache2 2.4.56-1 redirects not normal working appeared 
%3f
Ignoring request to alter tags of bug #1033284 to the same tags previously set

-- 
1033284: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Bug#1033284 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1033284 [apache2] apache2 2.4.56-1 redirects not normal working appeared 
%3f
Added tag(s) pending.

-- 
1033284: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: severity of 1033408 is serious

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> severity 1033408 serious
Bug #1033408 [apache2] apache2: Segmentation fault + 503 on frontpage on 
2.4.56-1
Severity set to 'serious' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1033408: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: affects 1033284

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> affects 1033284 + security.debian.org,release.debian.org
Bug #1033284 [apache2] apache2 2.4.56-1 redirects not normal working appeared 
%3f
Added indication that 1033284 affects security.debian.org and release.debian.org
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1033284: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: found 1033408 in 2.4.56-1

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> found 1033408 2.4.56-1
Bug #1033408 [apache2] apache2: Segmentation fault + 503 on frontpage on 
2.4.56-1
Marked as found in versions apache2/2.4.56-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1033408: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: bug 1033408 is forwarded to https://bz.apache.org/bugzilla/show_bug.cgi?id=66539

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> forwarded 1033408 https://bz.apache.org/bugzilla/show_bug.cgi?id=66539
Bug #1033408 [apache2] apache2: Segmentation fault + 503 on frontpage on 
2.4.56-1
Set Bug forwarded-to-address to 
'https://bz.apache.org/bugzilla/show_bug.cgi?id=66539'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1033408: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: affects 1033408

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> affects 1033408 + security.debian.org,release.debian.org
Bug #1033408 [apache2] apache2: Segmentation fault + 503 on frontpage on 
2.4.56-1
Added indication that 1033408 affects security.debian.org and release.debian.org
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1033408: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1032476: marked as done (apache2: CVE-2023-25690 CVE-2023-27522)

[Debian Bug Tracking System]

Your message dated Thu, 23 Mar 2023 16:02:08 +
with message-id 
and subject line Bug#1032476: fixed in apache2 2.4.56-1~deb11u1
has caused the Debian Bug report #1032476,
regarding apache2: CVE-2023-25690 CVE-2023-27522
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1032476: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032476
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.55-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for apache2.

CVE-2023-25690[0]:
| Some mod_proxy configurations on Apache HTTP Server versions 2.4.0
| through 2.4.55 allow a HTTP Request Smuggling attack. Configurations
| are affected when mod_proxy is enabled along with some form of
| RewriteRule or ProxyPassMatch in which a non-specific pattern matches
| some portion of the user-supplied request-target (URL) data and is
| then re-inserted into the proxied request-target using variable
| substitution. For example, something like: RewriteEngine on
| RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1;; [P]
| ProxyPassReverse /here/ http://example.com:8080/ Request
| splitting/smuggling could result in bypass of access controls in the
| proxy server, proxying unintended URLs to existing origin servers, and
| cache poisoning. Users are recommended to update to at least version
| 2.4.56 of Apache HTTP Server.


CVE-2023-27522[1]:
| HTTP Response Smuggling vulnerability in Apache HTTP Server via
| mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30
| through 2.4.55. Special characters in the origin response header can
| truncate/split the response forwarded to the client.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25690
https://www.cve.org/CVERecord?id=CVE-2023-25690
[1] https://security-tracker.debian.org/tracker/CVE-2023-27522
https://www.cve.org/CVERecord?id=CVE-2023-27522

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.56-1~deb11u1
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 08 Mar 2023 07:05:04 +0400
Source: apache2
Architecture: source
Version: 2.4.56-1~deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1032476
Changes:
 apache2 (2.4.56-1~deb11u1) bullseye-security; urgency=medium
 .
   * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)
Checksums-Sha1: 
 fa79c57c23aa3b9e8b4dfa4ba78564f1780fb513 3539 apache2_2.4.56-1~deb11u1.dsc
 9789aaa2eae1bea4a538b960b25f27e6d20398df 9769650 apache2_2.4.56.orig.tar.gz
 45d0c75499398e06ef3be013611c30a7f5e05deb 833 apache2_2.4.56.orig.tar.gz.asc
 0e663e42c1785559e0a0126833f4f194b7213ae7 894512 
apache2_2.4.56-1~deb11u1.debian.tar.xz
Checksums-Sha256: 
 751eea360cd53cc4186c64a621390f9f4fd721d366cc809ff110109bb14a8f1d 3539 
apache2_2.4.56-1~deb11u1.dsc
 db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698 9769650 
apache2_2.4.56.orig.tar.gz
 b53aaa7b05c6888a9cacbbeb100790772f8a8b042f0f308f4aeee60a21e8e44c 833 
apache2_2.4.56.orig.tar.gz.asc
 37fda9dab3acfe683ff88aa472372eafb1c651a31f03dac5882d13c94bb93e32 894512 
apache2_2.4.56-1~deb11u1.debian.tar.xz
Files: 
 bf739573df7d3724a410864fe9223c49 3539 httpd optional 
apache2_2.4.56-1~deb11u1.dsc
 f3791f1a6a17291dacfd8c7efea4a79f 9769650 httpd optional 
apache2_2.4.56.orig.tar.gz
 e4bd6ccc0f685465a02006d8c183e3ed 833 httpd optional 
apache2_2.4.56.orig.tar.gz.asc
 077b17fca0897f07268f9f70b007adae 894512 httpd optiona

Processed: Re: apache2-doc: despite having been disabled, apache2-doc.conf gets rather silently re-enabled automatically

[Debian Bug Tracking System]

Processing control commands:

> severity -1 serious
Bug #1018718 [apache2-doc] apache2-doc: despite having been disabled, 
apache2-doc.conf gets rather silently re-enabled automatically
Severity set to 'serious' from 'important'

-- 
1018718: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018718
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1032476: marked as done (apache2: CVE-2023-25690 CVE-2023-27522)

[Debian Bug Tracking System]

Your message dated Wed, 08 Mar 2023 03:19:22 +
with message-id 
and subject line Bug#1032476: fixed in apache2 2.4.56-1
has caused the Debian Bug report #1032476,
regarding apache2: CVE-2023-25690 CVE-2023-27522
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1032476: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032476
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.55-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for apache2.

CVE-2023-25690[0]:
| Some mod_proxy configurations on Apache HTTP Server versions 2.4.0
| through 2.4.55 allow a HTTP Request Smuggling attack. Configurations
| are affected when mod_proxy is enabled along with some form of
| RewriteRule or ProxyPassMatch in which a non-specific pattern matches
| some portion of the user-supplied request-target (URL) data and is
| then re-inserted into the proxied request-target using variable
| substitution. For example, something like: RewriteEngine on
| RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1;; [P]
| ProxyPassReverse /here/ http://example.com:8080/ Request
| splitting/smuggling could result in bypass of access controls in the
| proxy server, proxying unintended URLs to existing origin servers, and
| cache poisoning. Users are recommended to update to at least version
| 2.4.56 of Apache HTTP Server.


CVE-2023-27522[1]:
| HTTP Response Smuggling vulnerability in Apache HTTP Server via
| mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30
| through 2.4.55. Special characters in the origin response header can
| truncate/split the response forwarded to the client.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25690
https://www.cve.org/CVERecord?id=CVE-2023-25690
[1] https://security-tracker.debian.org/tracker/CVE-2023-27522
https://www.cve.org/CVERecord?id=CVE-2023-27522

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.56-1
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 08 Mar 2023 06:44:05 +0400
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.56-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1032476
Changes:
 apache2 (2.4.56-1) unstable; urgency=medium
 .
   * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)
Checksums-Sha1: 
 58eb00c009fd93b0985da5ab956de026dbb466e3 3488 apache2_2.4.56-1.dsc
 9789aaa2eae1bea4a538b960b25f27e6d20398df 9769650 apache2_2.4.56.orig.tar.gz
 45d0c75499398e06ef3be013611c30a7f5e05deb 833 apache2_2.4.56.orig.tar.gz.asc
 d8856bb27ad6485fb9a61f780944d75e683a0cc4 899848 apache2_2.4.56-1.debian.tar.xz
Checksums-Sha256: 
 7d201ab7d4f0047d03bf254c28b5aef12f9b8722bf1741ba9d4ac4ae903dd53a 3488 
apache2_2.4.56-1.dsc
 db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698 9769650 
apache2_2.4.56.orig.tar.gz
 b53aaa7b05c6888a9cacbbeb100790772f8a8b042f0f308f4aeee60a21e8e44c 833 
apache2_2.4.56.orig.tar.gz.asc
 51bd3a570b9cb6df6a78a9c328433847059b0594b32d26e2b708a545ef6088fe 899848 
apache2_2.4.56-1.debian.tar.xz
Files: 
 f84901cc8b922cb9a7b2f6b885726001 3488 httpd optional apache2_2.4.56-1.dsc
 f3791f1a6a17291dacfd8c7efea4a79f 9769650 httpd optional 
apache2_2.4.56.orig.tar.gz
 e4bd6ccc0f685465a02006d8c183e3ed 833 httpd optional 
apache2_2.4.56.orig.tar.gz.asc
 7c4c4e6cee0a1e0c3267e6415b365038 899848 httpd optional 
apache2_2.4.56-1.debian.tar.xz

-BEGIN PGP SIGNATURE-

Processed: Bug#1032476 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1032476 [src:apache2] apache2: CVE-2023-25690 CVE-2023-27522
Added tag(s) pending.

-- 
1032476: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032476
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: subversion blocked by apr

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> block 990560 by 1031034
Bug #990560 [subversion] Error message "Value too large for defined data type"
990560 was not blocked by any bugs.
990560 was not blocking any bugs.
Added blocking bug(s) of 990560: 1031034
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
990560: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990560
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1028435: marked as done (apr-util: please include changes from 1.6.1-5.2 NMU)

[Debian Bug Tracking System]

Your message dated Fri, 03 Feb 2023 21:04:21 +
with message-id 
and subject line Bug#1028435: fixed in apr-util 1.6.3-1
has caused the Debian Bug report #1028435,
regarding apr-util: please include changes from 1.6.1-5.2 NMU
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1028435: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028435
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apr-util
Version: 1.6.1-5.1
Severity: normal

Dear Maintainer,

please include the attached changes from my 1.6.1-5.1 NMU.

Thank you for maintaining apr-util!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Smart things make us dumb.
diff -Nru apr-util-1.6.1/debian/changelog apr-util-1.6.1/debian/changelog
--- apr-util-1.6.1/debian/changelog 2020-08-29 11:51:07.0 +0200
+++ apr-util-1.6.1/debian/changelog 2022-12-29 19:37:54.0 +0100
@@ -1,3 +1,11 @@
+apr-util (1.6.1-5.1) unstable; urgency=medium
+
+  * Non-maintainer upload by the Reproducible Builds team.
+  * debian/rules: Remove the build path from apt-1-config, based on a patch by
+Vagrant Cascadian. Closes: #1006865.
+
+ -- Holger Levsen   Thu, 29 Dec 2022 19:37:54 +0100
+
 apr-util (1.6.1-5) unstable; urgency=medium
 
   [ Jelmer Vernooij ]
diff -Nru apr-util-1.6.1/debian/rules apr-util-1.6.1/debian/rules
--- apr-util-1.6.1/debian/rules 2020-08-29 11:24:55.0 +0200
+++ apr-util-1.6.1/debian/rules 2022-12-29 19:29:07.0 +0100
@@ -105,6 +105,8 @@
 override_dh_auto_install:
dh_auto_install --destdir=debian/tmp
perl -p -i -e "s,^dependency_libs=.*,dependency_libs=''," 
debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libaprutil-1.la
+   # Remove the buildpath: https://reproducible-builds.org/docs/build-path/
+   perl -p -i -e "s,$(CURDIR),$(shell basename $(CURDIR))," 
debian/tmp/usr/bin/apu-1-config
 
 override_dh_strip:
dh_strip --dbgsym-migration='libaprutil1-dbg (<= 1.6.1-3)'


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: apr-util
Source-Version: 1.6.3-1
Done: Stefan Fritsch 

We believe that the bug you reported is fixed in the latest version of
apr-util, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1028...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch  (supplier of updated apr-util package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 03 Feb 2023 21:15:18 +0100
Source: apr-util
Architecture: source
Version: 1.6.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Stefan Fritsch 
Closes: 1028435
Changes:
 apr-util (1.6.3-1) unstable; urgency=medium
 .
   [ Stefan Fritsch ]
   * Incorporate NMUs. Closes: #1028435
   * New upstream version:
 - CVE-2022-25147: Fix Integer Overflow or Wraparound vulnerability
   in apr_base64
   * Bump libapr1-dev Build-Dep to 1.7.2-1
 .
   [ Debian Janitor ]
   * Use secure URI in Homepage field.
   * Set debhelper-compat version in Build-Depends.
   * Drop unnecessary dh arguments: --parallel
   * Rely on pre-initialized dpkg-architecture variables.
   * Remove constraints unnecessary since buster (oldstable):
 + libaprutil1: Drop conflict with removed package libapr1 (<< 1.4.8-2~) in
   Breaks.
 .
   [ Jelmer Vernooij ]
   * Set Repository and Repository-Browse fields in
 debian/upstream/metadata.
   * Drop transition for old debug package migration.
   * Update standards version to 4.6.1, no changes needed.
Checksums-Sha1:
 b8412fd0b99a174c08c39f801504657f59713136 2760 apr-util_1.6.3-1.dsc
 8c6293a787b69986ce43bc49c7c247d4ff5fc828 432692 apr-util_1.6.3.orig.tar.bz2
 2dc47748963f988922fc96e60612a15d42769c48 833 apr-util_1.6.3.orig.tar.bz2.asc
 98bc651682dc6483b39ec435269160d9852e651d 340808 apr-util_1.6.3-1.debian.tar.xz
 54abdaec0572076db1b132fb08ae2b7f788db617 8197 apr-util_1.6.3-1_source.buildinfo
Checksums-Sha256:
 e43ecafbe39a8d47fbe5faee705295435ac753e6b40c9b4c8d483a769a

Processed: Re: apr-util: please include changes from 1.6.1-5.1 NMU

[Debian Bug Tracking System]

Processing control commands:

> retitle -1 apr-util: please include changes from 1.6.1-5.2 NMU
Bug #1028435 [apr-util] apr-util: please include changes from 1.6.1-5.1 NMU
Changed Bug title to 'apr-util: please include changes from 1.6.1-5.2 NMU' from 
'apr-util: please include changes from 1.6.1-5.1 NMU'.

-- 
1028435: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028435
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: retitle 1023030 to pysha3: CVE-2022-37454, fixed 995961 in 2.4.53-1, notfixed 844351 in 2.4.40 ...

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> retitle 1023030 pysha3: CVE-2022-37454
Bug #1023030 {Done: Ben Finney } [src:pysha3] pysha3: 
Affected by CVE-2022-37454, unmaintained, remove from Debian?
Changed Bug title to 'pysha3: CVE-2022-37454' from 'pysha3: Affected by 
CVE-2022-37454, unmaintained, remove from Debian?'.
> fixed 995961 2.4.53-1
Bug #995961 {Done: Hendrik Jäger } [apache2] 
libapache2-mpm-itk: Error "AH00052: child pid exit signal Segmentation fault" 
after update to apache 2.4.51-1~deb11u1
Marked as fixed in versions apache2/2.4.53-1.
> notfixed 844351 2.4.40
Bug #844351 {Done: Hendrik Jäger } [apache2] 
apache2: as a reverse proxy, a 100 continue response is sent prematurely when 
request contains expects continue
There is no source info for the package 'apache2' at version '2.4.40' with 
architecture ''
Unable to make a source version for version '2.4.40'
No longer marked as fixed in versions 2.4.40.
> fixed 844351 2.4.41-1
Bug #844351 {Done: Hendrik Jäger } [apache2] 
apache2: as a reverse proxy, a 100 continue response is sent prematurely when 
request contains expects continue
Marked as fixed in versions apache2/2.4.41-1.
> tags 1028514 + sid bookworm
Bug #1028514 [apper] apper depends on the removed software-properties-kde
Added tag(s) bookworm and sid.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1023030: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023030
1028514: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028514
844351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844351
995961: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995961
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1006865: marked as done (apr-util: reproducible-builds: build path embedded in /usr/bin/apu-1-config)

[Debian Bug Tracking System]

Your message dated Sun, 08 Jan 2023 19:34:40 +
with message-id 
and subject line Bug#1006865: fixed in apr-util 1.6.1-5.1
has caused the Debian Bug report #1006865,
regarding apr-util: reproducible-builds: build path embedded in 
/usr/bin/apu-1-config
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1006865: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006865
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apr-util
Severity: normal
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: buildpath
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

The build path is embedded in /usr/bin/apu-1-config:

│ │ │ ├── ./usr/bin/apu-1-config
...
│ │ │ │ -APU_SOURCE_DIR="/tmp/reprotest.jdjFQN/const_build_path"
│ │ │ │ -APU_BUILD_DIR="/tmp/reprotest.jdjFQN/const_build_path/debian/build"
│ │ │ │ +APU_SOURCE_DIR="/tmp/reprotest.jdjFQN/build-experiment-1"
│ │ │ │ +APU_BUILD_DIR="/tmp/reprotest.jdjFQN/build-experiment-1/debian/build"

The attached patch fixes this by replacing the build path with
"BUILDPATH" from debian/rules in the dh_auto_install override.


With this patch applied apr-util should build reproducibly on
tests.reproducible-builds.org!


Thanks for maintaining apr-util!


live well,
  vagrant
From b9630fd99bc03933dae86606a5dd94429ebf9aa1 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian 
Date: Mon, 7 Mar 2022 01:23:37 +
Subject: [PATCH] debian/rules: Remove the build path from apt-1-config.

https://reproducible-builds.org/docs/build-path/
---
 debian/rules | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/rules b/debian/rules
index 6b0ed29..510610c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -105,6 +105,8 @@ endif
 override_dh_auto_install:
 	dh_auto_install --destdir=debian/tmp
 	perl -p -i -e "s,^dependency_libs=.*,dependency_libs=''," debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libaprutil-1.la
+	# Remove the buildpath: https://reproducible-builds.org/docs/build-path/
+	perl -p -i -e "s,$(CURDIR),BUILDPATH," debian/tmp/usr/bin/apu-1-config
 
 override_dh_strip:
 	dh_strip --dbgsym-migration='libaprutil1-dbg (<= 1.6.1-3)'
-- 
2.35.1



signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: apr-util
Source-Version: 1.6.1-5.1
Done: Holger Levsen 

We believe that the bug you reported is fixed in the latest version of
apr-util, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1006...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen  (supplier of updated apr-util package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 29 Dec 2022 19:37:54 +0100
Source: apr-util
Architecture: source
Version: 1.6.1-5.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Holger Levsen 
Closes: 1006865
Changes:
 apr-util (1.6.1-5.1) unstable; urgency=medium
 .
   * Non-maintainer upload by the Reproducible Builds team.
   * debian/rules: Remove the build path from apt-1-config, based on a patch by
 Vagrant Cascadian. Closes: #1006865.
Checksums-Sha1:
 e69ffa6d8ade880ceecd23b7abf8b8933eaa7fb2 2762 apr-util_1.6.1-5.1.dsc
 619ac1190b6ae54b5981cfedfeb8f2de98b35d8c 342204 
apr-util_1.6.1-5.1.debian.tar.xz
 e734d6b831ff55dfc784daf80e1a96be4d895adc 7666 
apr-util_1.6.1-5.1_source.buildinfo
Checksums-Sha256:
 5b130871bb06fd84a821a68b1aaf295f257c549c24cf589446b5eb976803c8a6 2762 
apr-util_1.6.1-5.1.dsc
 0a6e2615eabe0b28f90493efe08643cb11a44ac8960559137c8db7a3cb15fa83 342204 
apr-util_1.6.1-5.1.debian.tar.xz
 dbf4fed8e0d5ff688810c9d77c8836cc9a59d51937270ccc0c6ba38244a60a7b 7666 
apr-util_1.6.1-5.1_source.buildinfo
Files:
 c7183242b9a24d627c1d4ad2deab40e7 2762 libs optional apr-util_1.6.1-5.1.dsc
 c04d7a429fd46eadccfef4fa2e524d7f 342204 libs optional 
apr-util_1.6.1-5.1.debian.tar.xz
 a0c47a1ab73bbf7dd70a2f30903139d9 7666 libs optional 
apr-util_1.6.1-5.1_source.buildinfo

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmOt3vIACgkQCRq4Vgaa
qhyEvA//bRl9x+JiqiLQGyoGbzi6eBQMnJuLgWnRlMwkelDz

Bug#853981: marked as done (apache2-bin: mod_http2 together with mod_ruid2 breaks the server)

[Debian Bug Tracking System]

Your message dated Mon, 19 Dec 2022 23:33:20 +
with message-id 
and subject line Bug#1026363: Removed package(s) from unstable
has caused the Debian Bug report #853981,
regarding apache2-bin: mod_http2 together with mod_ruid2 breaks the server
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
853981: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853981
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2-bin, libapache2-mod-ruid2
Version: 2.4.25-3, 0.9.8-3
Severity: normal

I enabled the http2 and ruid2 modules.  I have had the ruid2 module
running fine for ages without a problem, and just tried enabling
http2.  I left http2 switched off by explicitly writing "Protocols
http/1.1" in apache2.conf (the same behaviour happens when I write
"Protocols h2 h2c http/1.1"), and any attempt to connect to my server
yields lots of error messages of the form:

[Thu Feb 02 18:14:44.630796 2017] [core:notice] [pid 3650] AH00052: child pid 
3696 exit signal Aborted (6)

and my site simply fails to load on a browser.

Disabling ruid2 and enabling http2 allows the server to run fine.

I'm not sure which module is at fault.

Best wishes,

   Julian

-- Package-specific info:

-- System Information:
Debian Release: 9.0
  APT prefers jessie
  APT policy: (500, 'jessie'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2-bin depends on:
ii  libapr1  1.5.2-5
ii  libaprutil1  1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap 1.5.4-3
ii  libc62.24-8
ii  libldap-2.4-22.4.44+dfsg-3
ii  liblua5.2-0  5.2.4-1.1+b1
ii  libnghttp2-141.18.1-1
ii  libpcre3 2:8.39-2
ii  libssl1.0.2  1.0.2j-5
ii  libxml2  2.9.4+dfsg1-2.2
pn  perl:any 
ii  zlib1g   1:1.2.8.dfsg-4

apache2-bin recommends no packages.

Versions of packages apache2-bin suggests:
ii  apache2-doc  2.4.25-3
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  elinks [www-browser] 0.12~pre6-12
ii  epiphany-browser [www-browser]   3.22.5-1
ii  firefox-esr [www-browser]45.7.0esr-1
ii  google-chrome-stable [www-browser]   56.0.2924.87-1
ii  links [www-browser]  2.14-2
ii  links2 [www-browser] 2.14-2
ii  lynx [www-browser]   2.8.9dev11-1
ii  w3m [www-browser]0.5.3-34

Versions of packages apache2 depends on:
ii  apache2-data 2.4.25-3
ii  apache2-utils2.4.25-3
ii  dpkg 1.18.18
ii  init-system-helpers  1.47
ii  lsb-base 9.20161125
ii  mime-support 3.60
ii  perl 5.24.1-1
pn  perl:any 
ii  procps   2:3.3.12-3

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.38

Versions of packages apache2 suggests:
ii  apache2-doc  2.4.25-3
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  elinks [www-browser] 0.12~pre6-12
ii  epiphany-browser [www-browser]   3.22.5-1
ii  firefox-esr [www-browser]45.7.0esr-1
ii  google-chrome-stable [www-browser]   56.0.2924.87-1
ii  links [www-browser]  2.14-2
ii  links2 [www-browser] 2.14-2
ii  lynx [www-browser]   2.8.9dev11-1
ii  w3m [www-browser]0.5.3-34

Versions of packages apache2-bin is related to:
ii  apache2  2.4.25-3
ii  apache2-bin  2.4.25-3

-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 0.9.8-4+rm

Dear submitter,

as the package libapache2-mod-ruid2 has just been removed from the Debian 
archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1026363

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the ch

Processed: your mail

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 528062 upstream
Bug #528062 [apache2] apache2: mod_userdir is broken with respect to suexec 
support. patch included
Added tag(s) upstream.
> tags 967010 buster
Bug #967010 [apache2] apache2: last debian 10.4 , last apache avail from repo 
hangs on install (and start phase)
Added tag(s) buster.
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
528062: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528062
967010: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967010
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: reassign

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> reassign 1004275 php
Bug #1004275 [php apache2] php upgrade apache2: After upgrade php install 
apache2 and i have intalled lighttpd
Bug reassigned from package 'php apache2' to 'php'.
Ignoring request to alter found versions of bug #1004275 to the same values 
previously set
Ignoring request to alter fixed versions of bug #1004275 to the same values 
previously set
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
1004275: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004275
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#951067: marked as done (apache2: unable to disable TLSv1)

[Debian Bug Tracking System]

Your message dated Fri, 2 Dec 2022 22:46:35 +0100
with message-id <20221202224635.17fcf...@frustcomp.hnjs.home.arpa>
and subject line Closed due to incorrect use of the option
has caused the Debian Bug report #951067,
regarding apache2: unable to disable TLSv1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
951067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.38-3+deb10u3
Severity: important

Dear Maintainer,

it is not possible to get rid of TLS v1. This is no duplicate of #925061, I 
think.

What I tried:

removed /etc/letsencrypt/options-ssl-apache.conf, see #950735
edited /etc/apache2/mods-enabled/ssl.conf: "SSLProtocol -all +TLSv1.3 +TLSv1.2"
edited etc/apache2/conf-enabled/local.conf: "SSLProtocol -all +TLSv1.3 +TLSv1.2"

Result:
# apache2ctl -t -D DUMP_CONFIG|grep SSLProtocol
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLProtocol -all +TLSv1.3 +TLSv1.2
  SSLProtocol all -SSLv2 -SSLv3
Syntax OK

=> something is enabling TLSv1 again after all config files were parsed. So...

# find /etc/apache2/ | xargs grep SSLProtocol
grep: /etc/apache2/: Is a directory
grep: /etc/apache2/mods-enabled: Is a directory
/etc/apache2/mods-enabled/ssl.conf: SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/sites-enabled: Is a directory
grep: /etc/apache2/conf-available: Is a directory
/etc/apache2/conf-available/local.conf:SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/mods-available: Is a directory
/etc/apache2/mods-available/ssl.conf:   SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/sites-available: Is a directory
grep: /etc/apache2/conf-enabled: Is a directory
/etc/apache2/conf-enabled/local.conf:SSLProtocol -all +TLSv1.3 +TLSv1.2

=> TLSv1 is re-enabled no matter what the config files say.



-- Package-specific info:

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin2.4.38-3+deb10u3
ii  apache2-data   2.4.38-3+deb10u3
ii  apache2-utils  2.4.38-3+deb10u3
ii  dpkg   1.19.7
ii  lsb-base   10.2019051400
ii  mime-support   3.62
ii  perl   5.28.1-6
ii  procps 2:3.3.15-2

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
pn  www-browser  

Versions of packages apache2-bin depends on:
ii  libapr1  1.6.5-1+b1
ii  libaprutil1  1.6.1-4
ii  libaprutil1-dbd-sqlite3  1.6.1-4
ii  libaprutil1-ldap 1.6.1-4
ii  libbrotli1   1.0.7-2
ii  libc62.28-10
ii  libcurl4 7.64.0-4
ii  libjansson4  2.12-1
ii  libldap-2.4-22.4.47+dfsg-3+deb10u1
ii  liblua5.2-0  5.2.4-1.1+b2
ii  libnghttp2-141.36.0-2+deb10u1
ii  libpcre3 2:8.39-12
ii  libssl1.11.1.1d-0+deb10u2
ii  libxml2  2.9.4+dfsg1-7+b3
ii  perl 5.28.1-6
ii  zlib1g   1:1.2.11.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
pn  www-browser  

Versions of packages apache2 is related to:
ii  apache2  2.4.38-3+deb10u3
ii  apache2-bin  2.4.38-3+deb10u3

-- Configuration Files:
/etc/apache2/conf-available/security.conf changed:
ServerTokens Prod
ServerSignature Off
TraceEnable Off

/etc/apache2/mods-available/ssl.conf changed:

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device w

Processed: Re: Bug#1000627: apache2: missing dependency setting

[Debian Bug Tracking System]

Processing control commands:

> tags -1 upstream
Bug #1000627 [apache2] apache2: missing dependency setting
Added tag(s) upstream.

-- 
1000627: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000627
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed (with 1 error): Re: php upgrade apache2: After upgrade php install apache2 and i have intalled lighttpd

[Debian Bug Tracking System]

Processing control commands:

> tags -1 moreinfo
Bug #1004275 [php apache2] php upgrade apache2: After upgrade php install 
apache2 and i have intalled lighttpd
Added tag(s) moreinfo.
> reassign php
Unknown command or malformed arguments to command.


-- 
1004275: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004275
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: please retest

[Debian Bug Tracking System]

Processing control commands:

> tags -1 -fixed-upstream
Bug #745605 [apache2] Please enable AddDefaultCharset for javascript
Removed tag(s) fixed-upstream.

-- 
745605: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745605
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: default-ssl.conf should also be prefixed with 000- to be sure to be first ssl virtualhost

[Debian Bug Tracking System]

Processing control commands:

> retitle -1 default-ssl.conf should also be prefixed with 000- to be sure to 
> be first ssl virtualhost
Bug #714083 [apache2] apache2.2-common: a2enmod does not prefix 000- to 
default-ssl site
Changed Bug title to 'default-ssl.conf should also be prefixed with 000- to be 
sure to be first ssl virtualhost' from 'apache2.2-common: a2enmod does not 
prefix 000- to default-ssl site'.
> severity -1 normal
Bug #714083 [apache2] default-ssl.conf should also be prefixed with 000- to be 
sure to be first ssl virtualhost
Severity set to 'normal' from 'minor'
> tags -1 help
Bug #714083 [apache2] default-ssl.conf should also be prefixed with 000- to be 
sure to be first ssl virtualhost
Added tag(s) help.

-- 
714083: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714083
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: please retest

[Debian Bug Tracking System]

Processing control commands:

> tags -1 -fixed-upstream
Bug #393646 [apache2] PATH_TRANSLATED: 'redirect:/~jablko/gallery2/main.php'
Removed tag(s) fixed-upstream.

-- 
393646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=393646
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: your mail

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> notfound 925061 apache2/2.4.38-2
Bug #925061 {Done: Hendrik Jäger } [apache2] 
apache2: Cannot disabled old TLS Versions (prior to TLS1.2)
No longer marked as found in versions apache2/2.4.38-2.
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
925061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925061
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: your mail

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> fixed 844351 2.4.40
Bug #844351 {Done: Hendrik Jäger } [apache2] 
apache2: as a reverse proxy, a 100 continue response is sent prematurely when 
request contains expects continue
There is no source info for the package 'apache2' at version '2.4.40' with 
architecture ''
Unable to make a source version for version '2.4.40'
Marked as fixed in versions 2.4.40.
> fixed 925061 2.4.38-2
Bug #925061 {Done: Hendrik Jäger } [apache2] 
apache2: Cannot disabled old TLS Versions (prior to TLS1.2)
Marked as fixed in versions apache2/2.4.38-2.
> tags 986537 wontfix
Bug #986537 {Done: Hendrik Jäger } [apache2] 
apache2: Reinstall fails due to missing conf files
Added tag(s) wontfix.
> fixed 995961 2.4.52-1~deb11u2
Bug #995961 {Done: Hendrik Jäger } [apache2] 
libapache2-mpm-itk: Error "AH00052: child pid exit signal Segmentation fault" 
after update to apache 2.4.51-1~deb11u1
Marked as fixed in versions apache2/2.4.52-1~deb11u2.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
844351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844351
925061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925061
986537: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986537
995961: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995961
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#995961: marked as done (libapache2-mpm-itk: Error "AH00052: child pid exit signal Segmentation fault" after update to apache 2.4.51-1~deb11u1)

[Debian Bug Tracking System]

Your message dated Fri, 2 Dec 2022 14:56:52 +0100
with message-id <20221202145652.263cb...@frustcomp.hnjs.home.arpa>
and subject line 
has caused the Debian Bug report #995961,
regarding libapache2-mpm-itk: Error "AH00052: child pid exit signal 
Segmentation fault" after update to apache 2.4.51-1~deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
995961: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995961
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapache2-mpm-itk
Version: 2.4.7-04-1+b1
Severity: important

Dear Maintainer,

After installing the 2.4.51-1~deb11u1 security update the error log
starts to get flilled with lines like:
[core:notice] [pid 3115298] AH00052: child pid 3133160 exit signal
Segmentation fault (11)

Downgrading back to 2.4.48-3.1 made the errors disappear again.
Disabling mpm_itk on 2.4.51-1~deb11u1 also stops the errors.

The issue normally does not prevent pages from being loaded and they
are still assigned the correct uid/gid.

The problematic part lies in that it seems to cause issues with properly
closing the connections. This lead to mod_qos limits being hit in my
case, but I suspect it may also lead to hitting worker or thread pool
limits in other cases.


-- System Information:
Debian Release: 11.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/24 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libapache2-mpm-itk depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.48-3.1
ii  libc6   2.31-13
ii  libcap2 1:2.44-1

libapache2-mpm-itk recommends no packages.

libapache2-mpm-itk suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Control: -1 fixed 2.4.52-1~deb11u2--- End Message ---

Bug#986537: marked as done (apache2: Reinstall fails due to missing conf files)

[Debian Bug Tracking System]

Your message dated Fri, 2 Dec 2022 14:53:19 +0100
with message-id <20221202145319.0185b...@frustcomp.hnjs.home.arpa>
and subject line 
has caused the Debian Bug report #986537,
regarding apache2: Reinstall fails due to missing conf files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
986537: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986537
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.46-4
Severity: important
X-Debbugs-Cc: patrickjrdunf...@gmail.com

Description: If apache2 is uninstalled and then reinstalled, the reinstallation 
will fail if the
user has removed conf files in /etc/apache2 directory. The script does not copy 
these files for
reinstallation in the same way as it does for first time installation. 
Therefore it is nearly
impossible for a user to perform a clean reinstallation of apache2 using the 
package installer.

Steps to reproduce:
apt install apache2
apt remove apache2
cd /etc/apache2
rm -rf *
apt install apache2

The installation fails when apache2.service is unable to start due to missing 
apache2.conf file in
/etc/apache2. A check of this directory reveals the reinstallation only copied 
in some of the files
that are present in a full installation.


-- Package-specific info:

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-5-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_NZ:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin  2.4.46-4
ii  apache2-data 2.4.46-4
ii  apache2-utils2.4.46-4
ii  dpkg 1.20.7.1
ii  init-system-helpers  1.60
ii  lsb-base 11.1.0
ii  mime-support 3.66
ii  perl 5.32.1-3
ii  procps   2:3.3.17-4

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.0

Versions of packages apache2 suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  firefox-esr [www-browser]78.9.0esr-1
ii  konqueror [www-browser]  4:20.12.0-4

Versions of packages apache2-bin depends on:
ii  libapr1  1.7.0-6
ii  libaprutil1  1.6.1-5
ii  libaprutil1-dbd-sqlite3  1.6.1-5
ii  libaprutil1-ldap 1.6.1-5
ii  libbrotli1   1.0.9-2+b2
ii  libc62.31-11
ii  libcrypt11:4.4.17-1
ii  libcurl4 7.74.0-1.1
ii  libjansson4  2.13.1-1.1
ii  libldap-2.4-22.4.57+dfsg-2
ii  liblua5.3-0  5.3.3-1.1+b1
ii  libnghttp2-141.43.0-1
ii  libpcre3 2:8.39-13
ii  libssl1.11.1.1k-1
ii  libxml2  2.9.10+dfsg-6.3+b1
ii  perl 5.32.1-3
ii  zlib1g   1:1.2.11.dfsg-2

Versions of packages apache2-bin suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  firefox-esr [www-browser]78.9.0esr-1
ii  konqueror [www-browser]  4:20.12.0-4

Versions of packages apache2 is related to:
ii  apache2  2.4.46-4
ii  apache2-bin  2.4.46-4

-- no debconf information
--- End Message ---
--- Begin Message ---
Control: -1 tags wontfix--- End Message ---

Bug#925061: marked as done (apache2: Cannot disabled old TLS Versions (prior to TLS1.2))

[Debian Bug Tracking System]

Your message dated Fri, 2 Dec 2022 14:48:05 +0100
with message-id <20221202144805.523e3...@frustcomp.hnjs.home.arpa>
and subject line 
has caused the Debian Bug report #925061,
regarding apache2: Cannot disabled old TLS Versions (prior to TLS1.2)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
925061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925061
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.38-2
Severity: important

Dear Maintainer,

I wanted to get an A+ rating on ssllabs.com so I tried to disable all 
SSLProtocols except for TLS1.2

Therefore I edited /etc/apache2/mods-enabled/ssl.conf so that it states 
"SSLProtocol TLSv1.2", which should disable all SSLProtocols except for TLS1.2, 
but TLS1.0 und TLS1.1 are still active, as seen with nmap:

# nmap --script ssl-enum-ciphers -p 443 127.0.0.1 | grep TLSv
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:


On Apache Bugtracker it appears that apache itself does not have that problem 
but it has something to do with the deb-Package for Debian and Ubuntu: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=60739

Tried with stretch-stable first, updated to testing because reportbug told me 
there is a newer version.

I would really appreciate it if someone else is able to reproduce this problem 
and figure out what is going on.

Best,
Thomas

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-8-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin2.4.38-2
ii  apache2-data   2.4.38-2
ii  apache2-utils  2.4.38-2
ii  dpkg   1.18.25
ii  lsb-base   10.2019031300
ii  mime-support   3.62
ii  perl   5.24.1-3+deb9u5
ii  procps 2:3.3.12-3+deb9u1

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  w3m [www-browser]0.5.3-34+deb9u1

Versions of packages apache2-bin depends on:
ii  libapr1  1.6.5-1+b1
ii  libaprutil1  1.6.1-3+b2
ii  libaprutil1-dbd-sqlite3  1.6.1-3+b2
ii  libaprutil1-ldap 1.6.1-3+b2
ii  libbrotli1   1.0.7-2
ii  libc62.28-8
ii  libcurl4 7.64.0-1
ii  libjansson4  2.12-1
ii  libldap-2.4-22.4.47+dfsg-3
ii  liblua5.2-0  5.2.4-1.1+b2
ii  libnghttp2-141.36.0-2
ii  libpcre3 2:8.39-12
ii  libssl1.11.1.1b-1
ii  libxml2  2.9.4+dfsg1-2.2+deb9u2
ii  perl 5.24.1-3+deb9u5
ii  zlib1g   1:1.2.11.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  w3m [www-browser]0.5.3-34+deb9u1

Versions of packages apache2 is related to:
ii  apache2  2.4.38-2
ii  apache2-bin  2.4.38-2

-- Configuration Files:
/etc/apache2/mods-available/ssl.conf changed:

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##
#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x

Bug#844351: marked as done (apache2: as a reverse proxy, a 100 continue response is sent prematurely when request contains expects continue)

[Debian Bug Tracking System]

Your message dated Fri, 2 Dec 2022 14:40:23 +0100
with message-id <20221202144023.4d9b4...@frustcomp.hnjs.home.arpa>
and subject line 
has caused the Debian Bug report #844351,
regarding apache2: as a reverse proxy, a 100 continue response is sent 
prematurely when request contains expects continue
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
844351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844351
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.10-10+deb8u7
Severity: important
Tags: upstream

Dear Maintainer,

  * What led up to the situation?

a backend with correct 100 continue support and a web client which expects 
100-continue

  * What exactly did you do (or not do) that was effective (or
ineffective)?

Reverse Proxy a backend.

  * What was the outcome of this action?

Premature 100-continue response from apache, before backend responds.

  * What outcome did you expect instead?

No 100-continue unless backend responds with 100-continue


https://bz.apache.org/bugzilla/show_bug.cgi?id=60330

As a reverse proxy, a 100 continue response is sent prematurely when a request 
contains expects: 100-continue. This causes the requesting client to send a 
body. The apache httpd proxy will then read the body and attempt to send it to 
the backend, but the backend already sent an error and should be allowed to NOT 
read the remaining request body, which never should have existed. When the 
backend does not read the request body mod_proxy_http errors and returns a 500 
error to the client. The client never receives the correct error message.



-- Package-specific info:

-- System Information:
Debian Release: 8.6
 APT prefers stable
 APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-45-generic (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin2.4.10-10+deb8u7
ii  apache2-data   2.4.10-10+deb8u7
ii  apache2-utils  2.4.10-10+deb8u7
ii  dpkg   1.17.27
ii  lsb-base   4.1+Debian13+nmu1
ii  mime-support   3.58
ii  perl   5.20.2-3+deb8u6
ii  procps 2:3.3.9-9

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.35

Versions of packages apache2 suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
pn  www-browser  

Versions of packages apache2-bin depends on:
ii  libapr1  1.5.1-3
ii  libaprutil1  1.5.4-1
ii  libaprutil1-dbd-sqlite3  1.5.4-1
ii  libaprutil1-ldap 1.5.4-1
ii  libc62.19-18+deb8u6
ii  libldap-2.4-22.4.40+dfsg-1+deb8u2
ii  liblua5.1-0  5.1.5-7.1
ii  libpcre3 2:8.35-3.3+deb8u4
ii  libssl1.0.0  1.0.1t-1+deb8u3
ii  libxml2  2.9.1+dfsg1-5+deb8u3
ii  perl 5.20.2-3+deb8u6
ii  zlib1g   1:1.2.8.dfsg-2+b1

Versions of packages apache2-bin suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
pn  www-browser  

Versions of packages apache2 is related to:
ii  apache2  2.4.10-10+deb8u7
ii  apache2-bin  2.4.10-10+deb8u7

-- no debconf information
--- End Message ---
--- Begin Message ---
Control: -1 fixed 2.4.40--- End Message ---

Bug#807120: marked as done (Deprecate mod_rpaf, transition to mod_remoteip)

[Debian Bug Tracking System]

Your message dated Fri, 2 Dec 2022 14:33:06 +0100
with message-id <20221202143306.10f59...@frustcomp.hnjs.home.arpa>
and subject line 
has caused the Debian Bug report #807120,
regarding Deprecate mod_rpaf, transition to mod_remoteip
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
807120: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807120
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Severity: important

mod_rpaf module has dead upstream (there are alternative
at https://github.com/gnif/mod_rpaf/) and has a good
candidate for replacement in the core modules:
http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

Probably, we must coordinate transition from mod_rpaf
to mod_remoteip and then remove mod_rpaf.

Default rpaf.conf could be replaced with:

  RemoteIPHeader X-Forwarded-For
  RemoteIPTrustedProxy 127.0.0.1

In general, this mapping should work:
  RPAFheader <-> RemoteIPHeader
  RPAFproxy_ips <-> RemoteIPTrustedProxy

To get CLF-type logs with proper client addresses we should use %a
instead of %h.  Could we alter the default common log format entry?
--- End Message ---
--- Begin Message ---
Control: tag -1 fixed-upstream

mod_rpaf is in a separate package and current apache2 packages contain 
mod_remoteip.
The bug in the logformat hostname has been fixed upstream.
Therefore this bug is considered fixed.--- End Message ---

Processed: Re: apache2: improve apache2 OOM handling w/systemd

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> close 1022822 2.4.54-5
Bug #1022822 [apache2] apache2: improve apache2 OOM handling w/systemd
Marked as fixed in versions apache2/2.4.54-5.
Bug #1022822 [apache2] apache2: improve apache2 OOM handling w/systemd
Marked Bug as done
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1022822: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022822
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#980275: marked as done (Please depend on media-types instead of mime-support)

[Debian Bug Tracking System]

Your message dated Thu, 24 Nov 2022 10:04:29 +
with message-id 
and subject line Bug#980275: fixed in apache2 2.4.54-4
has caused the Debian Bug report #980275,
regarding Please depend on media-types instead of mime-support
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
980275: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980275
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2

Dear apache2 maintainers,

I have recently split the `mime-support` package into two: `mailcap` for
the mailcap system, and `media-types` for providing `/etc/mime.types`.
The goal is to allow minimal systems without `mailcap`.

`mime-support` is now a transitional package, and it would be great if
users could be able to remove it after the _Bookworm_ release.

Please Depend on `media-types` instead of `mime-support` if you only
need the `/etc/mime.types` file.

Have a nice week-end,

Charles

-- 
Charles Plessy Nagahama, Yomitan, Okinawa, Japan
Tooting from work,   https://mastodon.technology/@charles_plessy
Tooting from home, https://framapiaf.org/@charles_plessy
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.54-4
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 980...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 24 Nov 2022 10:45:00 +0100
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.54-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 980275
Changes:
 apache2 (2.4.54-4) unstable; urgency=medium
 .
   [ Charles Plessy ]
   * Replace mime-support transition package with media-types (Closes: #980275)
 .
   [ Hendrik Jäger ]
   * fix mislead safety precautions: don't hide errors when enabling a module.
 MR !20
   * fix trailing spaces and indentation inconsistencies. MR !19 !21 !22
   * Fix confusing and impractical naming: rename default-ssl.conf into
 000-default-ssl.conf. MR !23
   * Fix confusing keyword: replace _default_ by *. MR !24
Checksums-Sha1: 
 1cc112119c9e7b70b4405310b7ff241be9352bfe 3488 apache2_2.4.54-4.dsc
 ef078164fa31bbab23d077b60ed80872ffe93f1e 899572 apache2_2.4.54-4.debian.tar.xz
Checksums-Sha256: 
 2ef2ed0c4996b0e70c85c379755a62a62f40840f9e8dd0a1c4c6d2c2b0ec535c 3488 
apache2_2.4.54-4.dsc
 496535ffef8af4776b2dba0c09d1c5472efbbb45f0f8d5a93bce655293b5e865 899572 
apache2_2.4.54-4.debian.tar.xz
Files: 
 f371660a0e5542a176d3e3c2bf7cd4fd 3488 httpd optional apache2_2.4.54-4.dsc
 9b769ac142ee552b09fe83cc48cbcfdc 899572 httpd optional 
apache2_2.4.54-4.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmN/PhYACgkQ9tdMp8mZ
7umqFRAAjAvYVcR996xz1Oj4v3UK5Ml55eoE17dXIYr9ZhqR1kCUcHtXymUV6mKO
jeLZMssHQBhsdzkigoKtTA5NuYtJEt1cmLU0c/xwx5nybWpiCHaTJuHdgROS9Q9u
Di7iEP4r9iyF5h6nVOVDktblfxcQP4TlTOW2HkhbArEXRCNKMtVq7jRpUVkWRGcL
Y3tac9y9sKjyI6YqlcMxznnhBWPoGgNyC7n0jYMkgtW426vED2RF3oeGVkK/hC/I
6U3nZyTi034BEsAsfjrbA+sealGXOKStxOiMupw5LZPyT5ukg7jFa2cK8Hmkxv2T
RKSc+4unHtOX4NDfJzFf3QXrfj7iNpq5G9sUxcSdU2KwPznWxtTlx0EFnZuVw0e9
7My6z8bDxoCqSyvNVX10MrQYfaGrm1r1yHVfdKKZ7E9hko5SxoE23z8B3dPNFdAq
9szEvzsOOaH60Y56yy/prcJWphjSzTcA9IswuupdW4/nv4GTRgqyRWkpSmXd/DyL
f9pDpuOa2NTIC5xePxhcgOhmszuYqhxCImFt7nzuIbCl1iybA6grXyvCiJWmkeFr
0gaI3vvVoxLrx90BGmeCIDXkJqrA0TQihy4quq9qA/XNialzKgBW29FYvmopNOq6
hu/esYTJCd77QGVnzhvftSH317s3RgsS3oKEzOsTIkhCsD9stIA=
=Q1jv
-END PGP SIGNATURE End Message ---

Processed: Bug#980275 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #980275 [apache2] Please depend on media-types instead of mime-support
Added tag(s) pending.

-- 
980275: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980275
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1014056: marked as done (apache2: /var/run/apache2 permissions too narrow for cgid)

[Debian Bug Tracking System]

Your message dated Fri, 08 Jul 2022 07:04:02 +
with message-id 
and subject line Bug#1014056: fixed in apache2 2.4.54-2
has caused the Debian Bug report #1014056,
regarding apache2: /var/run/apache2 permissions too narrow for cgid
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1014056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014056
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.53-1~deb11u1
Severity: minor


Dear Maintainer,


*** Reporter, please consider answering these questions, where appropriate ***


Enabling cgid in apache2 (with a2enmod cgid) results in an error when using 
mpm_event:
    [cgid:error] [pid 8943:tid 140189712234240] (22)Invalid argument: [client 
x.x.x.x:49364] AH01257: unable to connect to cgi daemon after multiple tries: 
/usr/lib/cgi-bin/xx
Meanwhile, the user receives a 503 HTTP error, rather than the CGI content.

Upon launch, Apache creates /var/run/apache2/cgisock.PID (where PID is the PID 
in question), however it does that as the www-data user and root group, who 
does not have write access to /var/run/apache2 (where only the root user has 
write permission).

To fix this, chmod g+rwx /var/run/apache2 fixes the issue.  Since we're only 
adding the root group, this likely has a minimal security effect.

Alternately, the default directive of
    /etc/apache2/mods-available/cgid.conf:    ScriptSock 
${APACHE_RUN_DIR}/cgisock
Should not point to a folder that does not have write access by www-data user 
and a subfolder with more open permission should be created.

-- Package-specific info:


-- System Information:
Debian Release: 11.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)


Kernel: Linux 5.10.0-15-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Versions of packages apache2 depends on:
ii  apache2-bin          2.4.53-1~deb11u1
ii  apache2-data         2.4.53-1~deb11u1
ii  apache2-utils        2.4.53-1~deb11u1
ii  dpkg                 1.20.10
ii  init-system-helpers  1.60
ii  lsb-base             11.1.0
ii  mime-support         3.66
ii  perl                 5.32.1-4+deb11u2
ii  procps               2:3.3.17-5


Versions of packages apache2 recommends:
ii  ssl-cert  1.1.0+nmu1


Versions of packages apache2 suggests:
pn  apache2-doc                                      
pn  apache2-suexec-pristine | apache2-suexec-custom  
pn  www-browser                                      


Versions of packages apache2-bin depends on:
ii  libapr1                  1.7.0-6+deb11u1
ii  libaprutil1              1.6.1-5
ii  libaprutil1-dbd-sqlite3  1.6.1-5
ii  libaprutil1-ldap         1.6.1-5
ii  libbrotli1               1.0.9-2+b2
ii  libc6                    2.31-13+deb11u3
ii  libcrypt1                1:4.4.18-4
ii  libcurl4                 7.74.0-1.3+deb11u1
ii  libjansson4              2.13.1-1.1
ii  libldap-2.4-2            2.4.57+dfsg-3+deb11u1
ii  liblua5.3-0              5.3.3-1.1+b1
ii  libnghttp2-14            1.43.0-1
ii  libpcre3                 2:8.39-13
ii  libssl1.1                1.1.1n-0+deb11u3
ii  libxml2                  2.9.10+dfsg-6.7+deb11u2
ii  perl                     5.32.1-4+deb11u2
ii  zlib1g                   1:1.2.11.dfsg-2+deb11u1


Versions of packages apache2-bin suggests:
pn  apache2-doc                                      
pn  apache2-suexec-pristine | apache2-suexec-custom  
pn  www-browser                                      


Versions of packages apache2 is related to:
ii  apache2      2.4.53-1~deb11u1
ii  apache2-bin  2.4.53-1~deb11u1


-- no debconf information
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.54-2
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1014...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas

Processed: found 1014056 in 2.4.54-1, fixed 1014056 in 2.4.54-3

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> found 1014056 2.4.54-1
Bug #1014056 [apache2] apache2: /var/run/apache2 permissions too narrow for cgid
Marked as found in versions apache2/2.4.54-1.
> fixed 1014056 2.4.54-3
Bug #1014056 [apache2] apache2: /var/run/apache2 permissions too narrow for cgid
There is no source info for the package 'apache2' at version '2.4.54-3' with 
architecture ''
Unable to make a source version for version '2.4.54-3'
Marked as fixed in versions 2.4.54-3.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1014056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014056
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1012513: marked as done (apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556)

[Debian Bug Tracking System]

Your message dated Sat, 02 Jul 2022 17:17:07 +
with message-id 
and subject line Bug#1012513: fixed in apache2 2.4.54-1~deb11u1
has caused the Debian Bug report #1012513,
regarding apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 
CVE-2022-29404 CVE-2022-30522 CVE-2022-30556
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1012513: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012513
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2022-31813[0]:
| Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-*
| headers to the origin server based on client side Connection header
| hop-by-hop mechanism. This may be used to bypass IP based
| authentication on the origin server/application.

CVE-2022-26377[1]:
| Inconsistent Interpretation of HTTP Requests ('HTTP Request
| Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
| allows an attacker to smuggle requests to the AJP server it forwards
| requests to. This issue affects Apache HTTP Server Apache HTTP Server
| 2.4 version 2.4.53 and prior versions.

CVE-2022-28614[2]:
| The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may
| read unintended memory if an attacker can cause the server to reflect
| very large input using ap_rwrite() or ap_rputs(), such as with
| mod_luas r:puts() function.

CVE-2022-28615[3]:
| Apache HTTP Server 2.4.53 and earlier may crash or disclose
| information due to a read beyond bounds in ap_strcmp_match() when
| provided with an extremely large input buffer. While no code
| distributed with the server can be coerced into such a call, third-
| party modules or lua scripts that use ap_strcmp_match() may
| hypothetically be affected.

CVE-2022-29404[4]:
| In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua
| script that calls r:parsebody(0) may cause a denial of service due to
| no default limit on possible input size.

CVE-2022-30522[5]:
| If Apache HTTP Server 2.4.53 is configured to do transformations with
| mod_sed in contexts where the input to mod_sed may be very large,
| mod_sed may make excessively large memory allocations and trigger an
| abort.

CVE-2022-30556[6]:
| Apache HTTP Server 2.4.53 and earlier may return lengths to
| applications calling r:wsread() that point past the end of the storage
| allocated for the buffer.

As usual Apache fails to directly identify fixing commits at
https://httpd.apache.org/security/vulnerabilities_24.html

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
[1] https://security-tracker.debian.org/tracker/CVE-2022-26377
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
[2] https://security-tracker.debian.org/tracker/CVE-2022-28614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
[3] https://security-tracker.debian.org/tracker/CVE-2022-28615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
[4] https://security-tracker.debian.org/tracker/CVE-2022-29404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
[5] https://security-tracker.debian.org/tracker/CVE-2022-30522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
[6] https://security-tracker.debian.org/tracker/CVE-2022-30556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.54-1~deb11u1
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SI

Bug#1010455: marked as done (Should apache2.README.Debian refer to apache-htcacheclean ?)

[Debian Bug Tracking System]

Your message dated Sat, 02 Jul 2022 17:17:07 +
with message-id 
and subject line Bug#1010455: fixed in apache2 2.4.54-1~deb11u1
has caused the Debian Bug report #1010455,
regarding Should apache2.README.Debian refer to apache-htcacheclean ?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1010455: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010455
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.53-2
Tags: patch
Severity: minor

Sort of a patch. Refering to 
https://salsa.debian.org/apache-team/apache2/-/blob/master/debian/apache2.README.Debian

Line 193 refers to '/etc/default/apache2'.
Shouldn't that be '/etc/default/apache-htcacheclean' ?

The context is the configuration file for using mod_cache_disk.

--
u34
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.54-1~deb11u1
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1010...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 09 Jun 2022 06:26:43 +0200
Source: apache2
Architecture: source
Version: 2.4.54-1~deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1010455 1012513
Changes:
 apache2 (2.4.54-1~deb11u1) bullseye; urgency=medium
 .
   [ Yadd ]
   * Fix htcacheclean doc (Closes: #1010455)
 .
   [ Yadd ]
   * New upstream version 2.4.54 (closes: #1012513, CVE-2022-31813,
 CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404,
 CVE-2022-30522, CVE-2022-30556, CVE-2022-28330)
Checksums-Sha1: 
 a9b12eda05896c39650d6bf2e13a2738c2b118d9 3539 apache2_2.4.54-1~deb11u1.dsc
 5121eed65951d525db5bde8c8997dffa6daa613a 9743277 apache2_2.4.54.orig.tar.gz
 f8c7a962998549f4816a18889555f8fa8b7f771a 874 apache2_2.4.54.orig.tar.gz.asc
 5957f685697fbaebbfa077ad2ae176923240d26b 894208 
apache2_2.4.54-1~deb11u1.debian.tar.xz
Checksums-Sha256: 
 a019ec1ca8130e8fdbde9ee198ed551a114961a32a37b9775d944659bfeaaae5 3539 
apache2_2.4.54-1~deb11u1.dsc
 c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb 9743277 
apache2_2.4.54.orig.tar.gz
 d3855dc59d3e6ceaddd6d224aa9a33eef554c2706ccee5894e54f2b229ee800a 874 
apache2_2.4.54.orig.tar.gz.asc
 89189e18b964f58a7943024bb40af782fce654149d11c3be872af6ca73388117 894208 
apache2_2.4.54-1~deb11u1.debian.tar.xz
Files: 
 5648326c781d60301f7c8b6a231538d9 3539 httpd optional 
apache2_2.4.54-1~deb11u1.dsc
 5830f69aeed1f4a00a563862aaf2c67d 9743277 httpd optional 
apache2_2.4.54.orig.tar.gz
 35861f1b441ce88c67ee109b63106ef7 874 httpd optional 
apache2_2.4.54.orig.tar.gz.asc
 7da218147f56f14894ab220f4a8f7f4a 894208 httpd optional 
apache2_2.4.54-1~deb11u1.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmK/RAcACgkQ9tdMp8mZ
7ukoBxAAiL67H3JqzhKPohCjNgMKrL2kBmWrOt7kb7H7pxUSbU4IjQqWbMOIRvck
Ec6yPDiZN3dfeI8DpR0Hb2tuuloa5VOfXpm0XSWMXtpyCSF5dw7xgNv28JvOgL6v
wvA8CShBrakOXp8kmnYlBzK1V1VI2Sn7ZsborbQnSEuBEH9jUXm/CoRjhB96/LAw
Dd6QUs26PergZpjgeM6OJwFIsN2PX4/JFP44Apfsv0rBFyuuuK8TrB/rGqvFL/N+
n5cJNWUq56b700OdzGHcR/1pTj2cVEnr6qbAo5gX94f2ttiYnt1MAB0AbKb2H5tm
iBTcvnPVRHhKuUi4etlEMpwOP4sQIIQ8W2fBMnQL0VBqd/0nmPsETQwgFZDRcLfu
UGu8a1uX0TyAm2RgZRgvLYnKcOlY79bLPjg/FWs7A/2zjHmjl9RT3GD6WuoAWGjh
cMZkl3AKW6ejwTeyuZ4/jkH/WWEuZlrk3lgLJrSaHG4AVRO6Ta4vN12oFGLWlmtb
aGjSJ0g+sGes9fEGlIITacZL1h03St5lDikRKxQaPVXVli+tdovzd04QhUtffcWQ
6bLncrfNv4hDUdPD7A2HrvbAGOa/JIXzntpmOocNWViWnNq+t/qYX8fcC4TMm4Z7
93FiwlzXI5cF1fR9HjlBAc5EX7m+lkrdOrIaUM1EHo2KfdJ2a8Y=
=Bmzf
-END PGP SIGNATURE End Message ---

Bug#1010455: marked as done (Should apache2.README.Debian refer to apache-htcacheclean ?)

[Debian Bug Tracking System]

Your message dated Thu, 09 Jun 2022 05:03:55 +
with message-id 
and subject line Bug#1010455: fixed in apache2 2.4.54-1
has caused the Debian Bug report #1010455,
regarding Should apache2.README.Debian refer to apache-htcacheclean ?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1010455: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010455
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.53-2
Tags: patch
Severity: minor

Sort of a patch. Refering to 
https://salsa.debian.org/apache-team/apache2/-/blob/master/debian/apache2.README.Debian

Line 193 refers to '/etc/default/apache2'.
Shouldn't that be '/etc/default/apache-htcacheclean' ?

The context is the configuration file for using mod_cache_disk.

--
u34
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.54-1
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1010...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 09 Jun 2022 06:33:53 +0200
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.54-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1010455 1012513
Changes:
 apache2 (2.4.54-1) unstable; urgency=medium
 .
   [ Simon Deziel ]
   * Escape literal "." for BrowserMatch directives in setenvif.conf
   * Use non-capturing regex with FilesMatch directive in default-ssl.conf
 .
   [ Ondřej Surý ]
   * New upstream version 2.4.54 (Closes: #1012513, CVE-2022-31813,
 CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404,
 CVE-2022-30522, CVE-2022-30556, CVE-2022-28330)
 .
   [ Yadd ]
   * Fix htcacheclean doc (Closes: #1010455)
   * New upstream version 2.4.54
Checksums-Sha1: 
 ab83430595284de35a09b4925ff02d25f0c59836 3488 apache2_2.4.54-1.dsc
 5121eed65951d525db5bde8c8997dffa6daa613a 9743277 apache2_2.4.54.orig.tar.gz
 f8c7a962998549f4816a18889555f8fa8b7f771a 874 apache2_2.4.54.orig.tar.gz.asc
 c3d54fc0133d051edc03cfd9366022c62e41208e 899680 apache2_2.4.54-1.debian.tar.xz
Checksums-Sha256: 
 6638ab251c44e19013fbeef8616adf60fd82e71fc62b59ed950e4920e4dfcafd 3488 
apache2_2.4.54-1.dsc
 c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb 9743277 
apache2_2.4.54.orig.tar.gz
 d3855dc59d3e6ceaddd6d224aa9a33eef554c2706ccee5894e54f2b229ee800a 874 
apache2_2.4.54.orig.tar.gz.asc
 a9b19fbb49ba9540dc5004a537cad3c70eb05448076f55544592844a7d6e0cfd 899680 
apache2_2.4.54-1.debian.tar.xz
Files: 
 71f12c8f92422781eaefc68f56367ea0 3488 httpd optional apache2_2.4.54-1.dsc
 5830f69aeed1f4a00a563862aaf2c67d 9743277 httpd optional 
apache2_2.4.54.orig.tar.gz
 35861f1b441ce88c67ee109b63106ef7 874 httpd optional 
apache2_2.4.54.orig.tar.gz.asc
 f13ba4968c990a764664cdfd2a69a808 899680 httpd optional 
apache2_2.4.54-1.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmKheQwACgkQ9tdMp8mZ
7unuEQ//Uc6nlVALQPXVfl4TbGDfnBV6/tphfDz6BVWXwtXgoors/LCEIz0wqJCf
nqmFmttTbqWp9zz65SFjN1nYcs2m8AhMDQBjEYkHvfi2hcsGmfBSBjVGCJzPi2Cg
qKtx70i8v9Psm5Y6+UV/4LNlnCX+wCHFtLAeTFE8H9/3m8xsPc7kRsbK/pJYcit5
Fo7XZ3djflWTR2cUUAGToHZTb23dVNhEZQFcpBpMdxo3wAgJm+3rMSamb0e070jm
vsJiifY0QY/a3uRVeJeiZq5zykfQxr6FBoQ97Q79/FIGV0YI+tg96Fxph/vISJ3B
/fS8JgoeIOy5SI5+tOF4/D+/bRhvskwL7swL7Lk8n/Jff6ruFafAL2x+//IMunOq
Xdpixj5PdgwXq80fmwH/EWzFl77iSjosGTITgVkp9r1SdtumoxM1pkM3GukaZ/ev
0D8Q7iAXXejYQHD6Q7fv7InYdQLa9IjhUuqzCi7u6sIr+d0kuw6mb+A5CSz4toQd
SUkHozlF7gzU7m3u4afbBLDAR1WCqZKjRWmcDIsc+wJVRWDkpIzmEHqPqE05dn4f
tSqA5p5WKGdOJd4CXxMrpx654a7itmYllK1AgqSH0fykUciDKYyWP61AAL2oinP2
UDSE8GSjA2MK7z+Zg/WEL7eKJlqBkTltDByFpH6xMluPiZTUQRY=
=pJbP
-END PGP SIGNATURE End Message ---

Bug#1012513: marked as done (apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556)

[Debian Bug Tracking System]

Your message dated Thu, 09 Jun 2022 05:03:55 +
with message-id 
and subject line Bug#1012513: fixed in apache2 2.4.54-1
has caused the Debian Bug report #1012513,
regarding apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 
CVE-2022-29404 CVE-2022-30522 CVE-2022-30556
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1012513: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012513
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2022-31813[0]:
| Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-*
| headers to the origin server based on client side Connection header
| hop-by-hop mechanism. This may be used to bypass IP based
| authentication on the origin server/application.

CVE-2022-26377[1]:
| Inconsistent Interpretation of HTTP Requests ('HTTP Request
| Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
| allows an attacker to smuggle requests to the AJP server it forwards
| requests to. This issue affects Apache HTTP Server Apache HTTP Server
| 2.4 version 2.4.53 and prior versions.

CVE-2022-28614[2]:
| The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may
| read unintended memory if an attacker can cause the server to reflect
| very large input using ap_rwrite() or ap_rputs(), such as with
| mod_luas r:puts() function.

CVE-2022-28615[3]:
| Apache HTTP Server 2.4.53 and earlier may crash or disclose
| information due to a read beyond bounds in ap_strcmp_match() when
| provided with an extremely large input buffer. While no code
| distributed with the server can be coerced into such a call, third-
| party modules or lua scripts that use ap_strcmp_match() may
| hypothetically be affected.

CVE-2022-29404[4]:
| In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua
| script that calls r:parsebody(0) may cause a denial of service due to
| no default limit on possible input size.

CVE-2022-30522[5]:
| If Apache HTTP Server 2.4.53 is configured to do transformations with
| mod_sed in contexts where the input to mod_sed may be very large,
| mod_sed may make excessively large memory allocations and trigger an
| abort.

CVE-2022-30556[6]:
| Apache HTTP Server 2.4.53 and earlier may return lengths to
| applications calling r:wsread() that point past the end of the storage
| allocated for the buffer.

As usual Apache fails to directly identify fixing commits at
https://httpd.apache.org/security/vulnerabilities_24.html

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
[1] https://security-tracker.debian.org/tracker/CVE-2022-26377
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
[2] https://security-tracker.debian.org/tracker/CVE-2022-28614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
[3] https://security-tracker.debian.org/tracker/CVE-2022-28615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
[4] https://security-tracker.debian.org/tracker/CVE-2022-29404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
[5] https://security-tracker.debian.org/tracker/CVE-2022-30522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
[6] https://security-tracker.debian.org/tracker/CVE-2022-30556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.54-1
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-

Processed: tagging 1012513, found 1012513 in 2.4.53-2

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 1012513 + upstream
Bug #1012513 [src:apache2] apache2: CVE-2022-31813 CVE-2022-26377 
CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556
Added tag(s) upstream.
> found 1012513 2.4.53-2
Bug #1012513 [src:apache2] apache2: CVE-2022-31813 CVE-2022-26377 
CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556
Marked as found in versions apache2/2.4.53-2.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1012513: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012513
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1007254: marked as done (apache2-dev: Missing dependency on libpcre2-dev for apxs2)

[Debian Bug Tracking System]

Your message dated Tue, 15 Mar 2022 14:45:14 +
with message-id 
and subject line Bug#1007254: fixed in apache2 2.4.53-2
has caused the Debian Bug report #1007254,
regarding apache2-dev: Missing dependency on libpcre2-dev for apxs2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1007254: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007254
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2-dev
Version: 2.4.53-1
Severity: serious
Tags: ftbfs
Control: affects -1 src:mod-vhost-ldap

https://buildd.debian.org/status/logs.php?pkg=mod-vhost-ldap=2.4.0-1%2Bb3

...
make[1]: Entering directory '/<>'
# Try building with per request document root and if it fails, do the normal 
build (kinda ugly, but should work)
apxs2 -Wc,-Wall -Wc,-Werror -Wc,-g -Wc,-DDEBUG 
-Wc,-DMOD_VHOST_LDAP_VERSION=\\\"mod_vhost_ldap/2.4.0\\\" 
-Wc,-DHAS_PER_REQUEST_DOCUMENT_ROOT -c -lldap_r mod_vhost_ldap.c || \
apxs2 -Wc,-Wall -Wc,-Werror -Wc,-g -Wc,-DDEBUG 
-Wc,-DMOD_VHOST_LDAP_VERSION=\\\"mod_vhost_ldap/2.4.0\\\" -c -lldap_r 
mod_vhost_ldap.c
/usr/share/apr-1.0/build/libtool  --mode=compile --tag=disable-static 
x86_64-linux-gnu-gcc -prefer-pic -pipe -g -O2 -fstack-protector-strong -Wformat 
-Werror=format-security  -Wdate-time -D_FORTIFY_SOURCE=2   -DLINUX -D_REENTRANT 
-D_GNU_SOURCE  -pthread  -I/usr/include/apache2  -I/usr/include/apr-1.0   
-I/usr/include/apr-1.0 -I/usr/include -Wall -Werror -g -DDEBUG 
-DMOD_VHOST_LDAP_VERSION=\"mod_vhost_ldap/2.4.0\" 
-DHAS_PER_REQUEST_DOCUMENT_ROOT  -c -o mod_vhost_ldap.lo mod_vhost_ldap.c && 
touch mod_vhost_ldap.slo
libtool: compile:  x86_64-linux-gnu-gcc -pipe -g -O2 -fstack-protector-strong 
-Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -DLINUX 
-D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/apache2 
-I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -I/usr/include -Wall -Werror -g 
-DDEBUG -DMOD_VHOST_LDAP_VERSION=\"mod_vhost_ldap/2.4.0\" 
-DHAS_PER_REQUEST_DOCUMENT_ROOT -c mod_vhost_ldap.c  -fPIC -DPIC -o 
.libs/mod_vhost_ldap.o
/usr/share/apr-1.0/build/libtool  --mode=link --tag=disable-static 
x86_64-linux-gnu-gcc -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -lpcre2-8 
-L/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0-o mod_vhost_ldap.la  -lldap_r 
-rpath /usr/lib/apache2/modules -module -avoid-versionmod_vhost_ldap.lo
libtool: link: x86_64-linux-gnu-gcc -shared  -fPIC -DPIC  
.libs/mod_vhost_ldap.o   -lpcre2-8 -L/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0 
-lldap_r  -Wl,--as-needed -Wl,-z -Wl,relro -Wl,-z -Wl,now   -Wl,-soname 
-Wl,mod_vhost_ldap.so -o .libs/mod_vhost_ldap.so
/usr/bin/ld: cannot find -lpcre2-8: No such file or directory
collect2: error: ld returned 1 exit status
apxs:Error: Command failed with rc=65536
.
/usr/share/apr-1.0/build/libtool  --mode=compile --tag=disable-static 
x86_64-linux-gnu-gcc -prefer-pic -pipe -g -O2 -fstack-protector-strong -Wformat 
-Werror=format-security  -Wdate-time -D_FORTIFY_SOURCE=2   -DLINUX -D_REENTRANT 
-D_GNU_SOURCE  -pthread  -I/usr/include/apache2  -I/usr/include/apr-1.0   
-I/usr/include/apr-1.0 -I/usr/include -Wall -Werror -g -DDEBUG 
-DMOD_VHOST_LDAP_VERSION=\"mod_vhost_ldap/2.4.0\"  -c -o mod_vhost_ldap.lo 
mod_vhost_ldap.c && touch mod_vhost_ldap.slo
libtool: compile:  x86_64-linux-gnu-gcc -pipe -g -O2 -fstack-protector-strong 
-Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -DLINUX 
-D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/apache2 
-I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -I/usr/include -Wall -Werror -g 
-DDEBUG -DMOD_VHOST_LDAP_VERSION=\"mod_vhost_ldap/2.4.0\" -c mod_vhost_ldap.c  
-fPIC -DPIC -o .libs/mod_vhost_ldap.o
/usr/share/apr-1.0/build/libtool  --mode=link --tag=disable-static 
x86_64-linux-gnu-gcc -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -lpcre2-8 
-L/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0-o mod_vhost_ldap.la  -lldap_r 
-rpath /usr/lib/apache2/modules -module -avoid-versionmod_vhost_ldap.lo
libtool: link: x86_64-linux-gnu-gcc -shared  -fPIC -DPIC  
.libs/mod_vhost_ldap.o   -lpcre2-8 -L/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0 
-lldap_r  -Wl,--as-needed -Wl,-z -Wl,relro -Wl,-z -Wl,now   -Wl,-soname 
-Wl,mod_vhost_ldap.so -o .libs/mod_vhost_ldap.so
/usr/bin/ld: cannot find -lpcre2-8: No such file or directory
collect2: error: ld returned 1 exit status
apxs:Error: Command failed with rc=65536
.
make[1]: *** [Makefile:22: mod_vhost_ldap.o] Error 1
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.53-2
Done: Yadd 

We believe

Processed: Bug#1007254 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1007254 [apache2-dev] apache2-dev: Missing dependency on libpcre2-dev for 
apxs2
Ignoring request to alter tags of bug #1007254 to the same tags previously set

-- 
1007254: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007254
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Bug#1007254 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1007254 [apache2-dev] apache2-dev: Missing dependency on libpcre2-dev for 
apxs2
Added tag(s) pending.

-- 
1007254: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007254
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: apache2-dev: Missing dependency on libpcre2-dev for apxs2

[Debian Bug Tracking System]

Processing control commands:

> affects -1 src:mod-vhost-ldap
Bug #1007254 [apache2-dev] apache2-dev: Missing dependency on libpcre2-dev for 
apxs2
Added indication that 1007254 affects src:mod-vhost-ldap

-- 
1007254: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007254
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: fixed 663530 in 2.4.2-2, found 663530 in 2.2.22-4, notfound 876636 in 2.4.27-6

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> fixed 663530 2.4.2-2
Bug #663530 {Done: Vincent Lefevre } [apache2-bin] 
apache2.2-common: Spurious warning "NameVirtualHost *:80 has no VirtualHosts" 
in cron/logrotate output
Marked as fixed in versions apache2/2.4.2-2.
> found 663530 2.2.22-4
Bug #663530 {Done: Vincent Lefevre } [apache2-bin] 
apache2.2-common: Spurious warning "NameVirtualHost *:80 has no VirtualHosts" 
in cron/logrotate output
There is no source info for the package 'apache2-bin' at version '2.2.22-4' 
with architecture ''
Unable to make a source version for version '2.2.22-4'
Marked as found in versions 2.2.22-4.
> notfound 876636 2.4.27-6
Bug #876636 {Done: Christian Göttsche } [apache2] 
apache2: insserv noise
No longer marked as found in versions apache2/2.4.27-6.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
663530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663530
876636: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876636
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1000114: marked as done (apache2: depends on obsolete pcre3 library)

[Debian Bug Tracking System]

Your message dated Tue, 28 Dec 2021 19:33:34 +
with message-id 
and subject line Bug#1000114: fixed in apache2 2.4.52-2
has caused the Debian Bug report #1000114,
regarding apache2: depends on obsolete pcre3 library
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1000114: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000114
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Severity: important
User: matthew-pcre...@debian.org
Usertags: obsolete-pcre3

Dear maintainer,

Your package still depends on the old, obsolete PCRE3[0] libraries
(i.e. libpcre3-dev). This has been end of life for a while now, and
upstream do not intend to fix any further bugs in it. Accordingly, I
would like to remove the pcre3 libraries from Debian, preferably in
time for the release of Bookworm.

The newer PCRE2 library was first released in 2015, and has been in
Debian since stretch. Upstream's documentation for PCRE2 is available
here: https://pcre.org/current/doc/html/

Many large projects that use PCRE have made the switch now (e.g. git,
php); it does involve some work, but we are now at the stage where
PCRE3 should not be used, particularly if it might ever be exposed to
untrusted input.

This mass bug filing was discussed on debian-devel@ in
https://lists.debian.org/debian-devel/2021/11/msg00176.html

Regards,

Matthew [0] Historical reasons mean that old PCRE is packaged as
pcre3 in Debian 
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.52-2
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1000...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 28 Dec 2021 20:01:43 +0100
Source: apache2
Architecture: source
Version: 2.4.52-2
Distribution: experimental
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1000114
Changes:
 apache2 (2.4.52-2) experimental; urgency=medium
 .
   * Build with pcre2 (Closes: #1000114)
Checksums-Sha1: 
 24df80aeb69c3b262702491e5cdadadf6ce8fada 3474 apache2_2.4.52-2.dsc
 86a53e3b3c7cd215261ac14bca7558c2e173a46f 890768 apache2_2.4.52-2.debian.tar.xz
Checksums-Sha256: 
 8caf78d4eb34ea4bde694e48fc470ca2ab9f96768cf02d46ef221c9b05c0028c 3474 
apache2_2.4.52-2.dsc
 d00120b36fd572212e2ed886137d32904cae9308a7d624f1033bf31cc411dc92 890768 
apache2_2.4.52-2.debian.tar.xz
Files: 
 81b813a6c33850dc6dc8c96a70a51bbe 3474 httpd optional apache2_2.4.52-2.dsc
 41180a6b3549d15dd7d275e3ee8b1f83 890768 httpd optional 
apache2_2.4.52-2.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmHLYSwACgkQ9tdMp8mZ
7ungwRAAkqqXAiFfj2jeNkvPJKil0to/qbklSOggYQBkGcWoBbLGyoW6rRHcssDY
t1iMcVaLyODfy4gwKyqST4NCVblnzogbzv8DMuRnL9z2C5YCvQ+WrC0zGo8HqBEU
aGtBGHxk86JL/WgqVZLTUlHySo2466B93RlklOiTrgFn+KGvtvNAYDEwjl85O877
p37cDwNr1mbd0804Rsd0mA6fNXpIig9TCLOn4asi2CiBN0fQTn6rybfyXQlouqlc
X9Ycb0EZEgUKm4zMCZUr2bantN1kUszgZhXwqYIQRTx8tpH5aY5cSgxGte1aFB8A
uJyRIoLwoKIuH9jF+Yvz/iUAf3gJq5AR6gY0lXkc6gt5R+TioI9zn4n+C1zD1cpR
dDRADZJCuUE8qYiuORMuqwiMnAHiSOqzv0pYLo3B34CW7mH1A9P62kU6QRZaEkdv
n19GL7HwbMP29PsX6/JMNPzijyfDx7YYlkckoVUTRpCpwiAlUIfeZUIg2cEYyLF+
cCLllzdhsq9cDBq9X351Qfjx/NmggVWFT1jC6T7uzfbxbZUbmZ4wt7VQSTMK7FLC
CubijlqwhZOY9L3NpeqOxiGmuZRlJYKpPnMqPtuiwe9BSmSvQ7ovnlgAoVY0BY97
VuYnP+KXk0o2mPcUBZkWcDwJpXHn0iCl7nJgfR3BcPU+lv64/BA=
=Ew5p
-END PGP SIGNATURE End Message ---

Processed: Bug#1000114 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1000114 [src:apache2] apache2: depends on obsolete pcre3 library
Ignoring request to alter tags of bug #1000114 to the same tags previously set

-- 
1000114: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000114
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: tagging 489625

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 489625 - fixed-upstream
Bug #489625 [libapr1-dev] libapr1-dev: please don't ship your own copy of 
libtool
Removed tag(s) fixed-upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
489625: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489625
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#1000114: apache2: depends on obsolete pcre3 library

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + moreinfo
Bug #1000114 [src:apache2] apache2: depends on obsolete pcre3 library
Added tag(s) moreinfo.

-- 
1000114: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000114
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Bug#1000114 marked as pending in apache2

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1000114 [src:apache2] apache2: depends on obsolete pcre3 library
Added tag(s) pending.

-- 
1000114: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000114
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#996570: marked as done (libapache2-mod-proxy-uwsgi: ProxyPass sends wrong PATH_INFO to uwsgi)

[Debian Bug Tracking System]

Your message dated Mon, 15 Nov 2021 11:02:54 +0100
with message-id 
and subject line Re: Bug#996570: Acknowledgement (libapache2-mod-proxy-uwsgi: 
ProxyPass sends wrong PATH_INFO to uwsgi)
has caused the Debian Bug report #996570,
regarding libapache2-mod-proxy-uwsgi: ProxyPass sends wrong PATH_INFO to uwsgi
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
996570: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996570
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapache2-mod-proxy-uwsgi
Version: 2.4.38-3+deb10u6
Severity: important

Dear Maintainer,

after installing version 2.4.38-3+deb10u6 our uwsgi webservice did not
work anymore. The apache2 config contains the line

 ProxyPass /networks/v1/ 
unix:/var/run/uwsgi/networks-api.socket|uwsgi://networks/v1/ retry=0

A request to

 https://server.uni-paderborn.de/networks/v1/name/imt_infra_ntp

used to result in PATH_INFO set to "/name/imt_infra_ntp", so stripping
off the first two directories "/networks/v1/" as set in the config.

Version 2.4.38-3+deb10u6 contains a security fix for setting PATH_INFO,
but it seems to get confused with directories: In our case PATH_INFO
is set to "/v1/name/imt_infra_ntp" which renders our uwsgi webservice
useless.

Thanks for fixing,

Christopher

-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libapache2-mod-proxy-uwsgi depends on:
ii  apache2  2.4.38-3+deb10u5

libapache2-mod-proxy-uwsgi recommends no packages.

libapache2-mod-proxy-uwsgi suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---


Hi,

this was not a bug but only a configuration problem or a 
misunderstanding of how to configure the module.


For clearance:

Actually the proxy worker/backend is solely identified by the uwsgi URL, 
the unix socket part is completely ignored at init time (when the 
backend URL is registered) and thus when the request URL is mapped to a 
registered backend URL (to determine which backend backend parameters 
apply, like timeout or ... connections reuse).


The hostname part of the uwsgi URL is not used for DNS resolution since 
the endpoint is the unix socket path.


So if you want to run two or more different services on the same host 
which would result in identical uwsgi URLs, just use different (virtual) 
hostnames to make them distinguishable.


Thanks,

Christopher

--
==
Dipl.-Ing. Christopher Odenbach
Zentrum fuer Informations- und Medientechnologien
Universitaet Paderborn
Raum N5.314
odenb...@uni-paderborn.de
Tel.: +49 5251 60 5315
==



OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---

Bug#990228: marked as done (openssl: breaks ssl-cert installation: 8022CB35777F0000:error:1200007A:random number generator:RAND_write_file:Not a regular file:../crypto/rand/randfile.c:190:Filename=/de

[Debian Bug Tracking System]

Your message dated Sun, 07 Nov 2021 17:05:52 +
with message-id 
and subject line Bug#990228: fixed in ssl-cert 1.1.1
has caused the Debian Bug report #990228,
regarding openssl: breaks ssl-cert installation: 
8022CB35777F:error:127A:random number generator:RAND_write_file:Not a 
regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990228
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openssl
Version: 3.0.0~~alpha16-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package causes other package
to fail installation/upgrading.

>From the attached log (scroll to the bottom...):

...
  Setting up openssl (3.0.0~~alpha16-1) ...
  Setting up libbsd0:amd64 (0.11.3-1) ...
  Setting up readline-common (8.1-2) ...
  Setting up libxml2:amd64 (2.9.10+dfsg-6.7) ...
  Setting up libgdbm6:amd64 (1.19-2) ...
  Setting up postgresql-client-common (226) ...
  Setting up libedit2:amd64 (3.1-20210522-1~exp1) ...
  Setting up libreadline8:amd64 (8.1-2) ...
  Setting up libldap-2.4-2:amd64 (2.4.57+dfsg-3) ...
  Setting up libllvm11:amd64 (1:11.0.1-2) ...
  Setting up ssl-cert (1.1.0+nmu1) ...
  Could not create certificate. Openssl output was:
  Generating a RSA private key
  
..+..+..+...+.+...+.+...+...+..+...+.+..+...+.+...+...+..+.+.+...+...+.+..++..+..+*.+*..+..++...+.+..+...++..+.++..++...++..+.+...+..+...+...+.+..+...+.++.+++.+..+.+.+..+..+.+...+.+.+.++.+.+.++++...+
  
..+.++...+...+...+..+..+.+...+.++...+.+..+..+..+*+...++..+...+..+...+..+.+..+*+..+...++..++..++.+..+...++.+.+..+.+.+..+.+..+..+..+.+++.++..+...+.+...+...+...+...+..++...+..+.+
  Writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
  -
  Warning: No -copy_extensions given; ignoring any extensions in the request
  Cannot write random bytes:
  8022CB35777F:error:127A:random number generator:RAND_write_file:Not a 
regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom
  dpkg: error processing package ssl-cert (--configure):
   installed ssl-cert package post-installation script subprocess returned 
error exit status 1
  dpkg: dependency problems prevent configuration of postgresql-common:
   postgresql-common depends on ssl-cert (>= 1.0.11); however:
Package ssl-cert is not configured yet.
...

Hmm, well, yes, /dev/urandom is not a regular file. It's a character device 
node.


cheers,

Andreas


postgresql-14_14~beta1-1.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: ssl-cert
Source-Version: 1.1.1
Done: Stefan Fritsch 

We believe that the bug you reported is fixed in the latest version of
ssl-cert, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch  (supplier of updated ssl-cert package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 07 Nov 2021 17:33:48 +0100
Source: ssl-cert
Architecture: source
Version: 1.1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian 

Processed: tagging 990228

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 990228 + pending
Bug #990228 [ssl-cert] openssl: breaks ssl-cert installation: 
8022CB35777F:error:127A:random number generator:RAND_write_file:Not a 
regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
990228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990228
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: affects 996570

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> affects 996570 + security.debian.org,release.debian.org
Bug #996570 [libapache2-mod-proxy-uwsgi] libapache2-mod-proxy-uwsgi: ProxyPass 
sends wrong PATH_INFO to uwsgi
Added indication that 996570 affects security.debian.org and release.debian.org
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
996570: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996570
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#995961: libapache2-mpm-itk: Error "AH00052: child pid exit signal Segmentation fault" after update to apache 2.4.51-1~deb11u1

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> reassign 995961 apache2
Bug #995961 [libapache2-mpm-itk] libapache2-mpm-itk: Error "AH00052: child pid 
exit signal Segmentation fault" after update to apache 2.4.51-1~deb11u1
Bug reassigned from package 'libapache2-mpm-itk' to 'apache2'.
No longer marked as found in versions mpm-itk/2.4.7-04-1.
Ignoring request to alter fixed versions of bug #995961 to the same values 
previously set
> found 995961 2.4.51-1~deb11u1
Bug #995961 [apache2] libapache2-mpm-itk: Error "AH00052: child pid exit signal 
Segmentation fault" after update to apache 2.4.51-1~deb11u1
Marked as found in versions apache2/2.4.51-1~deb11u1.
> found 995961 2.4.51-1
Bug #995961 [apache2] libapache2-mpm-itk: Error "AH00052: child pid exit signal 
Segmentation fault" after update to apache 2.4.51-1~deb11u1
Marked as found in versions apache2/2.4.51-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
995961: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995961
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: libapache2-mod-proxy-uwsgi 2.0.14+20161117-3+deb9u4 - duplicated request path

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> reassign 995368 uwsgi
Bug #995368 [libapache2-mod-proxy-uwsgi] Bug in Package: 
libapache2-mod-proxy-uwsgi
Bug reassigned from package 'libapache2-mod-proxy-uwsgi' to 'uwsgi'.
Ignoring request to alter found versions of bug #995368 to the same values 
previously set
Ignoring request to alter fixed versions of bug #995368 to the same values 
previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
995368: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995368
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems