Debian Package Tracker

general

source: apache2 (main)
version: 2.4.41-1
maintainer: Debian Apache Maintainers (archive) (DMD)
uploaders: Stefan Fritsch [DMD] – Arno Töll [DMD] – Ondřej Surý [DMD] – Xavier Guimard [DMD]
arch: all any
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.4.10-10+deb8u12
o-o-sec: 2.4.10-10+deb8u14
oldstable: 2.4.25-3+deb9u7
old-sec: 2.4.25-3+deb9u7
stable: 2.4.38-3
stable-bpo: 2.4.41-1~bpo10+1
testing: 2.4.41-1
unstable: 2.4.41-1

versioned links

2.4.10-10+deb8u12: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.10-10+deb8u14: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.25-3+deb9u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.38-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.41-1~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.41-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

apache2 (92 bugs: 0, 55, 37, 0)
apache2-bin (38 bugs: 0, 29, 9, 0)
apache2-data (1 bugs: 0, 1, 0, 0)
apache2-dev (3 bugs: 0, 1, 2, 0)
apache2-doc (2 bugs: 0, 1, 1, 0)
apache2-ssl-dev
apache2-suexec-custom (3 bugs: 0, 2, 1, 0)
apache2-suexec-pristine (3 bugs: 0, 1, 2, 0)
apache2-utils (8 bugs: 0, 4, 4, 0)
libapache2-mod-md
libapache2-mod-proxy-uwsgi (1 bugs: 0, 1, 0, 0)

action needed

5 security issues in stretch high

There are 5 open security issues in stretch.

5 important issues:

CVE-2019-10081: HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.
CVE-2019-10092:
CVE-2019-10082:
CVE-2019-10098:
CVE-2019-9517: Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

Please fix them.

Created: 2019-08-15 Last update: 2019-08-23 08:17

6 security issues in buster high

There are 6 open security issues in buster.

6 important issues:

CVE-2019-10092:
CVE-2019-10098:
CVE-2019-9517: Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
CVE-2019-10082:
CVE-2019-10081: HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.
CVE-2019-10097:

Please fix them.

Created: 2019-08-15 Last update: 2019-08-23 08:17

5 security issues in jessie high

There are 5 open security issues in jessie.

5 important issues:

CVE-2019-10081: HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.
CVE-2019-10092:
CVE-2019-10082:
CVE-2019-10098:
CVE-2019-9517: Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

Please fix them.

Created: 2019-08-15 Last update: 2019-08-23 08:17

13 bugs tagged patch in the BTS normal

The BTS contains patches fixing 13 bugs (15 if counting merged bugs), consider including or untagging them.

Created: 2019-04-01 Last update: 2019-08-24 21:38

Multiarch hinter reports 2 issue(s) normal

There are issues with the multiarch metadata for this package.

apache2-ssl-dev could be marked Multi-Arch: same
libapache2-mod-md could be marked Multi-Arch: same

Created: 2016-11-23 Last update: 2019-08-23 04:08

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2.4.41-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 87db7de4e59683fb03e97900f078d06ef2292748
Author: Stefan Fritsch <sf@sfritsch.de>
Date:   Sun Aug 18 09:49:36 2019 +0200

    add socache_redis.load

Created: 2019-08-18 Last update: 2019-08-19 21:07

RFA: The maintainer wants to pass over package maintainance. normal

The current maintainer is looking for someone who can take over maintenance of this package. If you are interested in this package, please consider taking it over. Alternatively you may want to be co-maintainer in order to help the actual maintainer. Please see bug number #910917 for more information.

Created: 2018-10-13 Last update: 2018-10-13 14:46

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2018-07-28 Last update: 2018-07-28 20:07

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.0 instead of 4.3.0).

Created: 2019-07-08 Last update: 2019-08-14 15:35

news

[rss feed]

[2019-08-23] Accepted apache2 2.4.41-1~bpo10+1 (source amd64 all) into buster-backports, buster-backports (Xavier Guimard)
[2019-08-16] apache2 2.4.41-1 MIGRATED to testing (Debian testing watch)
[2019-08-14] Accepted apache2 2.4.41-1 (source) into unstable (Xavier Guimard)
[2019-08-12] Accepted apache2 2.4.39-2 (source) into unstable (Xavier Guimard)
[2019-08-12] Accepted apache2 2.4.39-1 (source) into unstable (Xavier Guimard)
[2019-04-10] apache2 2.4.38-3 MIGRATED to testing (Debian testing watch)
[2019-04-07] Accepted apache2 2.4.38-3 (source amd64 all) into unstable (Stefan Fritsch)
[2019-04-05] Accepted apache2 2.4.25-3+deb9u7 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Stefan Fritsch)
[2019-04-03] Accepted apache2 2.4.10-10+deb8u14 (source amd64 all) into oldstable (Jonas Meurer)
[2019-04-03] Accepted apache2 2.4.25-3+deb9u7 (source amd64 all) into stable->embargoed, stable (Stefan Fritsch)
[2019-02-03] apache2 2.4.38-2 MIGRATED to testing (Debian testing watch)
[2019-01-31] Accepted apache2 2.4.38-2 (source) into unstable (Xavier Guimard)
[2019-01-29] Accepted apache2 2.4.38-1 (source) into unstable (Xavier Guimard)
[2019-01-29] Accepted apache2 2.4.10-10+deb8u13 (source amd64 all) into oldstable (Thorsten Alteholz)
[2018-11-06] apache2 2.4.37-1 MIGRATED to testing (Debian testing watch)
[2018-11-04] Accepted apache2 2.4.25-3+deb9u6 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Stefan Fritsch)
[2018-11-03] Accepted apache2 2.4.37-1 (source amd64 all) into unstable (Stefan Fritsch)
[2018-10-28] apache2 2.4.35-1 MIGRATED to testing (Debian testing watch)
[2018-10-07] Accepted apache2 2.4.35-1 (source amd64 all) into unstable (Stefan Fritsch)
[2018-07-30] apache2 2.4.34-1 MIGRATED to testing (Debian testing watch)
[2018-07-30] apache2 2.4.34-1 MIGRATED to testing (Debian testing watch)
[2018-07-27] Accepted apache2 2.4.34-1 (source amd64 all) into unstable (Stefan Fritsch)
[2018-07-02] Accepted apache2 2.4.25-3+deb9u5 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Stefan Fritsch)
[2018-05-30] Accepted apache2 2.2.22-13+deb7u13 (source amd64 all) into oldoldstable (Roberto C. Sanchez)
[2018-05-27] apache2 2.4.33-3 MIGRATED to testing (Debian testing watch)
[2018-05-05] Accepted apache2 2.4.33-3 (source amd64 all) into unstable (Stefan Fritsch)
[2018-04-22] Accepted apache2 2.4.33-2 (source amd64 all) into unstable (Stefan Fritsch)
[2018-04-07] Accepted apache2 2.4.10-10+deb8u12 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Stefan Fritsch)
[2018-04-07] Accepted apache2 2.4.25-3+deb9u4 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Stefan Fritsch)
[2018-04-03] Accepted apache2 2.4.10-10+deb8u12 (source amd64 all) into oldstable->embargoed, oldstable (Stefan Fritsch)

bugs [bug history graph]

all: 162 167
RC: 0
I&N: 108 110
M&W: 54 57
F&P: 0
patch: 13 15

links

homepage
lintian
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.4.41-1ubuntu1
79 bugs (5 patches)
patches for 2.4.41-1ubuntu1