Debian Package Tracker
Register | Log in
Subscribe

apache2

Apache HTTP Server

Choose email to subscribe with

general
  • source: apache2 (main)
  • version: 2.4.56-1
  • maintainer: Debian Apache Maintainers (archive) (DMD)
  • uploaders: Ondřej Surý [DMD] – Yadd [DMD] – Arno Töll [DMD] – Stefan Fritsch [DMD]
  • arch: all any
  • std-ver: 4.6.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.4.25-3+deb9u9
  • o-o-sec: 2.4.25-3+deb9u13
  • o-o-bpo-sl: 2.4.46-1~bpo9+1
  • oldstable: 2.4.38-3+deb10u8
  • old-sec: 2.4.38-3+deb10u9
  • old-bpo: 2.4.52-1~bpo10+1
  • stable: 2.4.54-1~deb11u1
  • stable-sec: 2.4.56-1~deb11u1
  • testing: 2.4.56-1
  • unstable: 2.4.56-1
versioned links
  • 2.4.25-3+deb9u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.4.25-3+deb9u13: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.4.38-3+deb10u8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.4.38-3+deb10u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.4.46-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.4.52-1~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.4.54-1~deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.4.56-1~deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.4.56-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • apache2 (114 bugs: 1, 75, 38, 0)
  • apache2-bin (40 bugs: 0, 31, 9, 0)
  • apache2-data
  • apache2-dev (4 bugs: 0, 2, 2, 0)
  • apache2-doc (5 bugs: 1, 2, 2, 0)
  • apache2-ssl-dev
  • apache2-suexec-custom (3 bugs: 0, 2, 1, 0)
  • apache2-suexec-pristine (3 bugs: 0, 1, 2, 0)
  • apache2-utils (8 bugs: 0, 4, 4, 0)
  • libapache2-mod-md (1 bugs: 0, 1, 0, 0)
  • libapache2-mod-proxy-uwsgi (2 bugs: 0, 2, 0, 0)
action needed
3 security issues in buster high

There are 3 open security issues in buster.

2 important issues:
  • CVE-2023-25690: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
  • CVE-2023-27522: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.
1 ignored issue:
  • CVE-2019-17567: Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.
Created: 2023-03-07 Last update: 2023-03-20 20:00
lintian reports 1 error and 10 warnings high
Lintian reports 1 error and 10 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2023-01-18 Last update: 2023-03-08 17:02
1 bug tagged help in the BTS normal
The BTS contains 1 bug tagged help, please consider helping the maintainer in dealing with it.
Created: 2022-12-02 Last update: 2023-03-22 16:30
16 bugs tagged patch in the BTS normal
The BTS contains patches fixing 16 bugs (18 if counting merged bugs), consider including or untagging them.
Created: 2022-07-27 Last update: 2023-03-22 16:30
5 new commits since last upload, is it time to release? normal
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit ceee84ba522c21b2738fd582acb19a645835de5f
Merge: 8cc81186 f18873f3
Author: Yadd <yadd@debian.org>
Date:   Wed Mar 15 08:29:11 2023 +0400

    Merge remote-tracking branch 'origin/master'

commit f18873f35d40c23403b357bcbd73d36e54bb8717
Author: Hendrik Jäger <gitcommit@henk.geekmail.org>
Date:   Sun Jan 29 13:11:17 2023 +0100

    fix: check for existence before trying to remove

commit a79b00bb99bec1c21d20df33640936152b616e41
Author: Hendrik Jäger <gitcommit@henk.geekmail.org>
Date:   Thu Nov 24 11:40:07 2022 +0100

    fix: exit if any command in the script fails

commit 41a2f2fd05619796274f4420917fcda67e981d70
Author: MichaIng <micha@dietpi.com>
Date:   Mon Jan 23 12:48:47 2023 +0000

    Drop dependency of mod_ssl on mod_setenvif
    
    This was only left because of a comment in defaul-ssl.conf containing
    the BrowserMatch directive. However, this comment was
    referring to MSIE 2-6 and is hence removed.
    
    Solves: #987156
    
    Signed-off-by: MichaIng <micha@dietpi.com>

commit 6e250831bcf4fdf099c4367cae272782bc82c321
Author: MichaIng <micha@dietpi.com>
Date:   Mon Jan 23 12:45:15 2023 +0000

    Remove obsolete MSIE 2-6 comment
    
    Signed-off-by: MichaIng <micha@dietpi.com>
Created: 2023-01-23 Last update: 2023-03-15 06:06
RFH: The maintainer is looking for help with this package. normal
The current maintainer is looking for someone who can help with the maintenance of this package. If you are interested in this package, please consider helping out. One way you can help is offer to be a co-maintainer or triage bugs in the BTS. Please see bug number #910917 for more information.
Created: 2018-10-13 Last update: 2020-01-27 22:50
debian/patches: 2 patches to forward upstream low

Among the 7 debian patches available in version 2.4.56-1 of the package, we noticed the following issues:

  • 2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2023-03-08 12:42
Build log checks report 1 warning low
Build log checks report 1 warning
Created: 2018-07-28 Last update: 2018-07-28 20:07
testing migrations
  • This package will soon be part of the auto-openldap transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
[rss feed]
  • [2023-03-20] Accepted apache2 2.4.56-1~deb11u1 (source) into stable-security (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2023-03-19] apache2 2.4.56-1 MIGRATED to testing (Debian testing watch)
  • [2023-03-08] Accepted apache2 2.4.56-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2023-03-02] Accepted apache2 2.4.38-3+deb10u9 (source) into oldstable (Lee Garrett) (signed by: Mark Lee Garrett)
  • [2023-01-23] apache2 2.4.55-1 MIGRATED to testing (Debian testing watch)
  • [2023-01-18] Accepted apache2 2.4.55-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-12-05] apache2 2.4.54-5 MIGRATED to testing (Debian testing watch)
  • [2022-11-29] Accepted apache2 2.4.54-5 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-11-24] Accepted apache2 2.4.54-4 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-10-18] apache2 2.4.54-3 MIGRATED to testing (Debian testing watch)
  • [2022-10-12] Accepted apache2 2.4.54-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-08-02] Accepted apache2 2.4.38-3+deb10u8 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Roberto C. Sanchez)
  • [2022-07-10] apache2 2.4.54-2 MIGRATED to testing (Debian testing watch)
  • [2022-07-08] Accepted apache2 2.4.54-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-07-02] Accepted apache2 2.4.54-1~deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2022-06-11] apache2 2.4.54-1 MIGRATED to testing (Debian testing watch)
  • [2022-06-09] Accepted apache2 2.4.54-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-05-07] Accepted apache2 2.4.53-2~bpo10+1 (source amd64 all) into oldstable-backports-sloppy->backports-policy, oldstable-backports-sloppy (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2022-03-22] Accepted apache2 2.4.25-3+deb9u13 (source) into oldoldstable (Emilio Pozuelo Monfort)
  • [2022-03-19] Accepted apache2 2.4.53-1~deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2022-03-18] apache2 2.4.53-2 MIGRATED to testing (Debian testing watch)
  • [2022-03-15] Accepted apache2 2.4.53-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-03-14] Accepted apache2 2.4.53-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-02-08] Accepted apache2 2.4.52-1~bpo10+1 (source) into buster-backports->backports-policy, buster-backports (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2022-02-01] Accepted apache2 2.4.25-3+deb9u12 (source) into oldoldstable (Anton Gladky)
  • [2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • 1
  • 2
bugs [bug history graph]
  • all: 194 199
  • RC: 2
  • I&N: 135 137
  • M&W: 56 59
  • F&P: 1
  • patch: 16 18
  • help: 1
links
  • homepage
  • lintian (1, 10)
  • buildd: logs, checks, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 2.4.55-1ubuntu2
  • 62 bugs (4 patches)
  • patches for 2.4.55-1ubuntu2

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing