apache2 - Debian Package Tracker

general

source: apache2 (main)
version: 2.4.56-1
maintainer: Debian Apache Maintainers (archive) (DMD)
uploaders: Ondřej Surý [DMD] – Yadd [DMD] – Arno Töll [DMD] – Stefan Fritsch [DMD]
arch: all any
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.4.25-3+deb9u9
o-o-sec: 2.4.25-3+deb9u13
o-o-bpo-sl: 2.4.46-1~bpo9+1
oldstable: 2.4.38-3+deb10u8
old-sec: 2.4.38-3+deb10u9
old-bpo: 2.4.52-1~bpo10+1
stable: 2.4.54-1~deb11u1
stable-sec: 2.4.56-1~deb11u1
testing: 2.4.56-1
unstable: 2.4.56-1

versioned links

2.4.25-3+deb9u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.25-3+deb9u13: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.38-3+deb10u8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.38-3+deb10u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.46-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.52-1~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.54-1~deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.56-1~deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.56-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

apache2 (114 bugs: 1, 75, 38, 0)
apache2-bin (40 bugs: 0, 31, 9, 0)
apache2-data
apache2-dev (4 bugs: 0, 2, 2, 0)
apache2-doc (5 bugs: 1, 2, 2, 0)
apache2-ssl-dev
apache2-suexec-custom (3 bugs: 0, 2, 1, 0)
apache2-suexec-pristine (3 bugs: 0, 1, 2, 0)
apache2-utils (8 bugs: 0, 4, 4, 0)
libapache2-mod-md (1 bugs: 0, 1, 0, 0)
libapache2-mod-proxy-uwsgi (2 bugs: 0, 2, 0, 0)

action needed

3 security issues in buster high

There are 3 open security issues in buster.

2 important issues:

CVE-2023-25690: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
CVE-2023-27522: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.

1 ignored issue:

CVE-2019-17567: Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.

Created: 2023-03-07 Last update: 2023-03-20 20:00

lintian reports 1 error and 10 warnings high

Lintian reports 1 error and 10 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2023-01-18 Last update: 2023-03-08 17:02

1 bug tagged help in the BTS normal

The BTS contains 1 bug tagged help, please consider helping the maintainer in dealing with it.

Created: 2022-12-02 Last update: 2023-03-22 16:30

16 bugs tagged patch in the BTS normal

The BTS contains patches fixing 16 bugs (18 if counting merged bugs), consider including or untagging them.

Created: 2022-07-27 Last update: 2023-03-22 16:30

5 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit ceee84ba522c21b2738fd582acb19a645835de5f
Merge: 8cc81186 f18873f3
Author: Yadd <yadd@debian.org>
Date:   Wed Mar 15 08:29:11 2023 +0400

    Merge remote-tracking branch 'origin/master'

commit f18873f35d40c23403b357bcbd73d36e54bb8717
Author: Hendrik Jäger <gitcommit@henk.geekmail.org>
Date:   Sun Jan 29 13:11:17 2023 +0100

    fix: check for existence before trying to remove

commit a79b00bb99bec1c21d20df33640936152b616e41
Author: Hendrik Jäger <gitcommit@henk.geekmail.org>
Date:   Thu Nov 24 11:40:07 2022 +0100

    fix: exit if any command in the script fails

commit 41a2f2fd05619796274f4420917fcda67e981d70
Author: MichaIng <micha@dietpi.com>
Date:   Mon Jan 23 12:48:47 2023 +0000

    Drop dependency of mod_ssl on mod_setenvif
    
    This was only left because of a comment in defaul-ssl.conf containing
    the BrowserMatch directive. However, this comment was
    referring to MSIE 2-6 and is hence removed.
    
    Solves: #987156
    
    Signed-off-by: MichaIng <micha@dietpi.com>

commit 6e250831bcf4fdf099c4367cae272782bc82c321
Author: MichaIng <micha@dietpi.com>
Date:   Mon Jan 23 12:45:15 2023 +0000

    Remove obsolete MSIE 2-6 comment
    
    Signed-off-by: MichaIng <micha@dietpi.com>

Created: 2023-01-23 Last update: 2023-03-15 06:06

RFH: The maintainer is looking for help with this package. normal

The current maintainer is looking for someone who can help with the maintenance of this package. If you are interested in this package, please consider helping out. One way you can help is offer to be a co-maintainer or triage bugs in the BTS. Please see bug number #910917 for more information.

Created: 2018-10-13 Last update: 2020-01-27 22:50

debian/patches: 2 patches to forward upstream low

Among the 7 debian patches available in version 2.4.56-1 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-03-08 12:42

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2018-07-28 Last update: 2018-07-28 20:07

testing migrations

This package will soon be part of the auto-openldap transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2023-03-20] Accepted apache2 2.4.56-1~deb11u1 (source) into stable-security (Debian FTP Masters) (signed by: Xavier Guimard)
[2023-03-19] apache2 2.4.56-1 MIGRATED to testing (Debian testing watch)
[2023-03-08] Accepted apache2 2.4.56-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-03-02] Accepted apache2 2.4.38-3+deb10u9 (source) into oldstable (Lee Garrett) (signed by: Mark Lee Garrett)
[2023-01-23] apache2 2.4.55-1 MIGRATED to testing (Debian testing watch)
[2023-01-18] Accepted apache2 2.4.55-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-12-05] apache2 2.4.54-5 MIGRATED to testing (Debian testing watch)
[2022-11-29] Accepted apache2 2.4.54-5 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-11-24] Accepted apache2 2.4.54-4 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-10-18] apache2 2.4.54-3 MIGRATED to testing (Debian testing watch)
[2022-10-12] Accepted apache2 2.4.54-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-08-02] Accepted apache2 2.4.38-3+deb10u8 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Roberto C. Sanchez)
[2022-07-10] apache2 2.4.54-2 MIGRATED to testing (Debian testing watch)
[2022-07-08] Accepted apache2 2.4.54-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-07-02] Accepted apache2 2.4.54-1~deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-06-11] apache2 2.4.54-1 MIGRATED to testing (Debian testing watch)
[2022-06-09] Accepted apache2 2.4.54-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-05-07] Accepted apache2 2.4.53-2~bpo10+1 (source amd64 all) into oldstable-backports-sloppy->backports-policy, oldstable-backports-sloppy (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-03-22] Accepted apache2 2.4.25-3+deb9u13 (source) into oldoldstable (Emilio Pozuelo Monfort)
[2022-03-19] Accepted apache2 2.4.53-1~deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-03-18] apache2 2.4.53-2 MIGRATED to testing (Debian testing watch)
[2022-03-15] Accepted apache2 2.4.53-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-03-14] Accepted apache2 2.4.53-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-02-08] Accepted apache2 2.4.52-1~bpo10+1 (source) into buster-backports->backports-policy, buster-backports (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-02-01] Accepted apache2 2.4.25-3+deb9u12 (source) into oldoldstable (Anton Gladky)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)

bugs [bug history graph]

all: 194 199
RC: 2
I&N: 135 137
M&W: 56 59
F&P: 1
patch: 16 18
help: 1

links

homepage
lintian (1, 10)
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.4.55-1ubuntu2
62 bugs (4 patches)
patches for 2.4.55-1ubuntu2