-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Fri, 30 Mar 2018 22:53:13 +0200 Source: apache2 Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg Architecture: source amd64 all Version: 2.4.33-1 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> Changed-By: Stefan Fritsch <sf@debian.org> Description: apache2 - Apache HTTP Server apache2-bin - Apache HTTP Server (modules and other binary files) apache2-data - Apache HTTP Server (common files) apache2-dbg - Apache debugging symbols apache2-dev - Apache HTTP Server (development headers) apache2-doc - Apache HTTP Server (on-site documentation) apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers) apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec apache2-utils - Apache HTTP Server (utility programs for web servers) Closes: 814980 878920 Changes: apache2 (2.4.33-1) unstable; urgency=medium . * New upstream version. Security fixes: - CVE-2017-15710 Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled - CVE-2018-1283 mod_session: CGI-like applications that intend to read from mod_session's 'SessionEnv ON' could be fooled into reading user-supplied data instead. - CVE-2018-1303 mod_cache_socache: Fix request headers parsing to avoid a possible crash with specially crafted input data. - CVE-2018-1301 core: Possible crash with excessively long HTTP request headers. Impractical to exploit with a production build and production LogLevel. - CVE-2017-15715 core: Configure the regular expression engine to match '$' to the end of the input string only, excluding matching the end of any embedded newline characters. Behavior can be changed with new directive 'RegexDefaultOptions'. - CVE-2018-1312 mod_auth_digest: Fix generation of nonce values to prevent replay attacks across servers using a common Digest domain. This change may cause problems if used with round robin load balancers. PR 54637 - CVE-2018-1302 mod_http2: Potential crash w/ mod_http2. . - mod_proxy_uwsgi: New UWSGI proxy submodule. - mod_md: New experimental module for managing domains across virtual hosts, implementing the Let's Encrypt ACMEv1 protocol to signup and renew certificates. - core: silently ignore a not existent file path when IncludeOptional is used. Closes: #878920 - mod_ldap: Avoid possible crashes, hangs, and busy loops. Closes: #814980 . * Fix lintian warnings: - Include SupportApache-small.png in apache2-doc package instead of linking to apache.org, to avoid privacy issues. - Use /usr/share/dpkg/architecture.mk instead of setting DEB_*_GNU_TYPE - Remove deprecated use of autotools_dev with dh. - Add some overrides * Bump standards-version to 4.1.2 (no changes) Checksums-Sha1: 57b59318d33630fcbd29e4438c1e7d6b6ffcc55d 3374 apache2_2.4.33-1.dsc 9e56042515793a6992adc4b9f3a0345a0cb98176 6934765 apache2_2.4.33.orig.tar.bz2 690c549eb7c94d7ff34549b73c310900b4b9b6ea 473 apache2_2.4.33.orig.tar.bz2.asc 3d16bffcf594c73c59f86c51315ddf6236e86c5c 785632 apache2_2.4.33-1.debian.tar.xz 65c3c4df59c4a213e3969111e3dd757d937de8c4 1302416 apache2-bin_2.4.33-1_amd64.deb 9d861182f689fafc736307107c62b53c96528805 161260 apache2-data_2.4.33-1_all.deb 9cd4158dcf879d71173c25d31ea7b7d76b614ec8 4241860 apache2-dbg_2.4.33-1_amd64.deb 37041f703e557d5eb7eaa8a31fbe788470e6cb01 323444 apache2-dev_2.4.33-1_amd64.deb d96bf11f3b7fb302a0e12c6cbe0b84652fc0f799 3939036 apache2-doc_2.4.33-1_all.deb f5e4739892ac0d9fe3c3e547f1915ef8e8cfd2d6 2344 apache2-ssl-dev_2.4.33-1_amd64.deb 2b1e0719018ccc91d039cd944974859c1d878de5 164692 apache2-suexec-custom_2.4.33-1_amd64.deb 62f1c8b5fc6dc9c81c7e21760d38afacede18d11 163192 apache2-suexec-pristine_2.4.33-1_amd64.deb 7b65c0c93525d47f087c9e1c956c406b678aae46 228452 apache2-utils_2.4.33-1_amd64.deb 7e47554722a60475d77fed294acec9d6859e79c8 10106 apache2_2.4.33-1_amd64.buildinfo 69f1c3844b42b9632bac46aede7d1a77fa07f94d 244292 apache2_2.4.33-1_amd64.deb Checksums-Sha256: 4d07b2a9dd01e9bc855f60e008812e1f6f92a6b6450403e7688479209d8459a2 3374 apache2_2.4.33-1.dsc de02511859b00d17845b9abdd1f975d5ccb5d0b280c567da5bf2ad4b70846f05 6934765 apache2_2.4.33.orig.tar.bz2 992f2929e0e4a4e353601abaa1fec016a75af2ee8e06740e41ae4b7924b70bbd 473 apache2_2.4.33.orig.tar.bz2.asc 2bcd0783ca1853a43b569e96c200c355b7236af8a57fb3fb529b56bd9cf4e199 785632 apache2_2.4.33-1.debian.tar.xz 6feee444ca8cd6af17b5ad848d85b6fdbf8dfc006306adb0904035235472bace 1302416 apache2-bin_2.4.33-1_amd64.deb 5fbbe2420d40dae6089c9e3ee2239764d952100fed9fe0c37695291edec0e3d7 161260 apache2-data_2.4.33-1_all.deb ba3a8491c60762996be21e39c9c320a41353859fe3a986d457b21634f22f0fed 4241860 apache2-dbg_2.4.33-1_amd64.deb e7dde1e36568234e536323ea49895ddef83857f1d9e952c48113eab771829e80 323444 apache2-dev_2.4.33-1_amd64.deb 4ed63d8c15e0404bac5c2f74e83d32523eb99b0f2c38c63e05170a220ac23cf1 3939036 apache2-doc_2.4.33-1_all.deb 42e0993bf43fc97e3c6f3fc3ee6baf6a7d081a6a07366980930325c9dde866ad 2344 apache2-ssl-dev_2.4.33-1_amd64.deb 5799d515af5466db1d18e7264b0d75c4b9e0cce15b8547ad92cd84350f4cc111 164692 apache2-suexec-custom_2.4.33-1_amd64.deb 9063a06eeb1af682aa6402b03f82c6461623e00d72c878fed46f1235e192b624 163192 apache2-suexec-pristine_2.4.33-1_amd64.deb c34d9c8cd77e6a7363268ddef0adb4ade7c87108e54907be892698fa941cfdc3 228452 apache2-utils_2.4.33-1_amd64.deb 99bc9e1747a526f9e86972b7a4fd087123a6c50e487cb94bcf8ef8ec6607ee11 10106 apache2_2.4.33-1_amd64.buildinfo eeb21e5b225fbe698e2eabaf85d8e3f44087df5b09549569085998c0113bcf33 244292 apache2_2.4.33-1_amd64.deb Files: 47f0aaee452d6a4c8b42ff8324072c9e 3374 httpd optional apache2_2.4.33-1.dsc 6ef469d3f16fffeb688bc6e0346823e5 6934765 httpd optional apache2_2.4.33.orig.tar.bz2 d272385c5fc3961f7a01b61894dd9942 473 httpd optional apache2_2.4.33.orig.tar.bz2.asc 0079b04636ffb87a3e0abff665763f48 785632 httpd optional apache2_2.4.33-1.debian.tar.xz 0aa85823acd2e93b7a82feb343d36e3b 1302416 httpd optional apache2-bin_2.4.33-1_amd64.deb f6d6ab2a636e4bb7f510754912ec6bf0 161260 httpd optional apache2-data_2.4.33-1_all.deb 916c6bc1ccd9d4cbbe47a9f224fd2e05 4241860 debug optional apache2-dbg_2.4.33-1_amd64.deb 24e17082ed2444087e9b5de78a3fcfe0 323444 httpd optional apache2-dev_2.4.33-1_amd64.deb 8f4468624754028ea73fdbd088d10287 3939036 doc optional apache2-doc_2.4.33-1_all.deb 774cb1ad0838512bcd2d1f527f06065b 2344 httpd optional apache2-ssl-dev_2.4.33-1_amd64.deb 1a297bd36cb541e0e3bb885f74fcc5d6 164692 httpd optional apache2-suexec-custom_2.4.33-1_amd64.deb 78112460051747d7e3aa8c2e7a6bbaf8 163192 httpd optional apache2-suexec-pristine_2.4.33-1_amd64.deb 9d2d174b29cd87923674e7d107ee2854 228452 httpd optional apache2-utils_2.4.33-1_amd64.deb a743f245852337dfa5c9cef3ff2eb685 10106 httpd optional apache2_2.4.33-1_amd64.buildinfo 69e6dfce4d392c5d99540efff5fe910f 244292 httpd optional apache2_2.4.33-1_amd64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEOpiNza8JqByyYYsxxodfNUHO/eAFAlq+pVsACgkQxodfNUHO /eCqCg/+PWqa4chm3Gm+9zvn8cpeHD3Z+Ou3otPGJZC9knv9PR2rmM/wgiEixgR8 HWgW5ASgoDzRFQtOoa4osG5/DnOpkhoywxpqwyFhtFNDrxaQX3/je6rCYyUIXEjg kjG/KbosAga04xu5OjWpYrGSLezIpM6O+hRwiX0TNCuXAQjFj21IC+53HK1NyatL 6fNQ75go83fB0gJHQMeX6OalryX3DukX6w4jRJtfExaJ1fVxp94M7aZkPoyaPxHG mADRn5J3wCKAKLZEiGJ+pv5LVfnfnjZYr4+UJsKgKRGVefhivmC1igHMwXI+SKcO 139QBsJlPSIXfafQyMZSXUsxLJfVw+2HAQgvxWgcAV83C5gvDM9/4hXVMWw1jYtZ FyN8QFNtgBdYtS+r91jHnXuq5O54ofWEUu7zVyOQ2C6mfTwL98+EhbPVEdmxhvDO cyziIwjY/Q2d5jD78YLtq1QxT4GCjpcf5oS5pQJgNzfOkFzuaFOJayxr/ckGixCd ERXIcHPP/we7nUhVzkJghlfV5LQJszhvmOQqsaRNAuUCoxFFvPXnBgtg/kqlvhZt /ar38333m5+CTxk78k8x15EyDmJEY2imo+MUiBDw7zKPkW//f5Few8CVG15R4WRU uXauppAbtrZ9aWwRspBM1EAS57S5q7mg+v8IpA1MhaotAxyU1/g= =PMYJ -----END PGP SIGNATURE-----
