Debian

Available patches from Ubuntu

To see how Ubuntu differs from Debian, write a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: apache2

apache2 (2.4.34-1ubuntu2) cosmic; urgency=medium

  * SECURITY UPDATE: denial of service in HTTP/2 via large SETTINGS frames
    - debian/patches/CVE-2018-11763.patch: rework connection IO event
      handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
      modules/http2/h2_version.h.
    - CVE-2018-11763

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 03 Oct 2018 09:57:22 -0400

apache2 (2.4.34-1ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross fixes
      from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - d/t/control, d/t/check-http2: add basic test for http2 support
    - d/control, d/rules, d/config-dir/mods-available/md.load: don't build
      libapache2-mod-md, as that makes apache2-bin pull in libcurl4 which
      cannot be coinstalled with libcurl3. That situation breaks the
      installation of libapache2-mod-shib2. See
      https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1770242/comments/1
      for details.

 -- Andreas Hasenack <andreas@canonical.com>  Fri, 03 Aug 2018 17:09:27 -0300

Modifications :
  1. Download patch debian/config-dir/mods-available/md.load

    --- 2.4.34-1/debian/config-dir/mods-available/md.load 2018-07-17 18:39:14.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/config-dir/mods-available/md.load 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -LoadModule md_module /usr/lib/apache2/modules/mod_md.so
  2. Download patch debian/tests/control

    --- 2.4.34-1/debian/tests/control 2018-07-17 18:39:14.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/tests/control 2018-08-03 20:09:27.000000000 +0000 @@ -23,6 +23,10 @@ Tests: ssl-passphrase Restrictions: needs-root allow-stderr breaks-testbed Depends: apache2, curl, expect, ssl-cert +Tests: check-http2 +Restrictions: needs-root allow-stderr breaks-testbed +Depends: apache2, curl, ssl-cert, nghttp2-client + Tests: chroot Features: no-build-needed Restrictions: needs-root allow-stderr breaks-testbed
  3. Download patch debian/rules

    --- 2.4.34-1/debian/rules 2018-07-27 19:37:37.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/rules 2018-08-03 20:09:27.000000000 +0000 @@ -113,6 +113,7 @@ configure-stamp: prebuild-checks-stamp s --with-apr=/usr/bin/apr-1-config --with-apr-util=/usr/bin/apu-1-config \ --with-pcre=yes \ --enable-pie \ + --disable-md \ --enable-mpms-shared=all \ --enable-mods-shared="all brotli cgi ident authnz_fcgi imagemap cern_meta proxy_fdpass proxy_http2 bucketeer case_filter case_filter_in" \ --enable-mods-static="unixd logio watchdog version" \ @@ -177,7 +178,7 @@ override_dh_installdocs-indep: dh_installdocs -i override_dh_installdocs-arch: - dh_installdocs --link-doc=apache2 -papache2 -papache2-dbg -plibapache2-mod-md -plibapache2-mod-proxy-uwsgi + dh_installdocs --link-doc=apache2 -papache2 -papache2-dbg -plibapache2-mod-proxy-uwsgi dh_installdocs --link-doc=apache2-dev -papache2-ssl-dev dh_installdocs -a
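
Review bot: the `--disable-md` flag added to the configure arguments in the first hunk has no accompanying comment, so the reason for it (libcurl4 versus libcurl3 co-installability, recorded only in the changelog with the Launchpad bug link) is invisible to anyone reading debian/rules. A short comment next to the configure invocation naming that bug would make it clear when the workaround can be dropped, and that the `-plibapache2-mod-md` removal in the second hunk has to be reverted with it.
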
  4. Download patch debian/control

    --- 2.4.34-1/debian/control 2018-07-17 18:39:14.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/control 2018-08-03 20:09:27.000000000 +0000 @@ -1,7 +1,8 @@ Source: apache2 Section: httpd Priority: optional -Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> Uploaders: Stefan Fritsch <sf@debian.org>, Arno Töll <arno@debian.org>, Ondřej Surý <ondrej@debian.org> @@ -18,9 +19,7 @@ Build-Depends: debhelper (>= 9.20160709~ libxml2-dev, lsb-release, perl, - zlib1g-dev, - libcurl4-openssl-dev | libcurl4-dev, - libjansson-dev + zlib1g-dev Build-Conflicts: autoconf2.13 Standards-Version: 4.1.2 Vcs-Browser: https://salsa.debian.org/apache-team/apache2 @@ -44,15 +43,14 @@ Provides: httpd, Recommends: ssl-cert Conflicts: apache2.2-bin, apache2.2-common -Breaks: libapache2-mod-md (<< 2.4.33), - libapache2-mod-proxy-uwsgi (<< 2.4.33) +Breaks: libapache2-mod-proxy-uwsgi (<< 2.4.33) Replaces: apache2.2-bin, apache2.2-common, - libapache2-mod-md (<< 2.4.33), libapache2-mod-proxy-uwsgi (<< 2.4.33) Suggests: apache2-doc, apache2-suexec-pristine | apache2-suexec-custom, - www-browser + www-browser, + ufw Description: Apache HTTP Server The Apache HTTP Server Project's goal is to build a secure, efficient and extensible HTTP server as standards-compliant open source software. The @@ -81,10 +79,8 @@ Depends: ${misc:Depends}, Provides: ${apache2:API} Breaks: gridsite (<< 3.0.0~20170225gitd51b2fd-1~), libapache2-mod-dacs (<= 1.4.38a-2), - libapache2-mod-md (<< 2.4.33), libapache2-mod-proxy-uwsgi (<< 2.4.33) -Replaces: libapache2-mod-md (<< 2.4.33), - libapache2-mod-proxy-uwsgi (<< 2.4.33) +Replaces: libapache2-mod-proxy-uwsgi (<< 2.4.33) Suggests: apache2-doc, apache2-suexec-pristine | apache2-suexec-custom, www-browser 
@@ -210,14 +206,6 @@ Description: Apache debugging symbols crashing server instances and modules. See /usr/share/doc/apache2/README.backtrace for more information. -Package: libapache2-mod-md -Architecture: any -Section: oldlibs -Depends: ${misc:Depends}, apache2 (= ${binary:Version}) -Description: transitional package - This is a transitional package to apache2 for users of libapache2-mod-md. - It can be safely removed after the installation is complete. - Package: libapache2-mod-proxy-uwsgi Architecture: any Section: oldlibs Binary files 2.4.34-1/debian/icons/ubuntu-logo.png and 2.4.34-1ubuntu2/debian/icons/ubuntu-logo.png differ
  5. Download patch debian/apache2-bin.install

    --- 2.4.34-1/debian/apache2-bin.install 2017-09-19 18:56:09.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/apache2-bin.install 2018-08-03 20:09:27.000000000 +0000 @@ -1,2 +1,3 @@ /usr/lib/apache2/modules/ /usr/sbin/apache2 +debian/apache2.py usr/share/apport/package-hooks
  6. Download patch debian/apache2.py

    --- 2.4.34-1/debian/apache2.py 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/apache2.py 2018-08-03 20:09:27.000000000 +0000 @@ -0,0 +1,48 @@ +#!/usr/bin/python + +'''apport hook for apache2 + +(c) 2010 Adam Sommer. +Author: Adam Sommer <asommer@ubuntu.com> + +This program is free software; you can redistribute it and/or modify it +under the terms of the GNU General Public License as published by the +Free Software Foundation; either version 2 of the License, or (at your +option) any later version. See http://www.gnu.org/copyleft/gpl.html for +the full text of the license. +''' + +from apport.hookutils import * +import os + +SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/' + +def add_info(report, ui): + if os.path.isdir(SITES_ENABLED_DIR): + response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory " + "may help developers diagnose your bug more " + "quickly. However, it may contain sensitive " + "information. Do you want to include it in your " + "bug report?") + + if response == None: # user cancelled + raise StopIteration + + elif response == True: + # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d + for conf_file in os.listdir(SITES_ENABLED_DIR): + attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file) + + try: + report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d')) + except OSError: + report['Apache2ConfdDirListing'] = str(False) + + # Attach default config files if changed. + attach_conffiles(report, 'apache2', conffiles=None) + + # Attach the error.log file. + attach_file(report, '/var/log/apache2/error.log', key='error.log') + + # Get loaded modules. + report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES'])
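
Review bot: the consent prompt in add_info() names only the sites-enabled directory, yet the hook also attaches changed conffiles through attach_conffiles() and the whole of /var/log/apache2/error.log, which can carry client addresses, request paths and filesystem paths. Either widen the prompt wording to cover those attachments or make them depend on the same answer. Smaller points in the same hunk: `response == None` and `response == True` read better as `is None` and `is True`, and `'-D DUMP_MODULES'` is passed as a single argv element; splitting it into `'-D', 'DUMP_MODULES'` avoids depending on how apachectl and httpd parse an option glued to its value with a space.
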
  7. Download patch debian/apache2.dirs

    --- 2.4.34-1/debian/apache2.dirs 2018-07-17 18:39:14.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/apache2.dirs 2018-08-03 20:09:27.000000000 +0000 @@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk var/lib/apache2 var/log/apache2 var/www/html +/etc/ufw/applications.d/apache2
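
Review bot: the added entry `/etc/ufw/applications.d/apache2` has a leading slash while every other path in this file is relative (`var/www/html`), and because a .dirs file creates directories it produces a directory named apache2 under applications.d rather than a profile. The profile itself is installed by debian/apache2.install into /etc/ufw/applications.d/, so listing `etc/ufw/applications.d` looks like what was meant, or the entry can go entirely since dh_install creates the target directory.
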
  8. Download patch debian/index.html

    --- 2.4.34-1/debian/index.html 2017-09-19 18:56:09.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/index.html 2018-08-03 20:09:27.000000000 +0000 @@ -1,9 +1,14 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> + <!-- + Modified from the Debian original for Ubuntu + Last updated: 2016-11-16 + See: https://launchpad.net/bugs/1288690 + --> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> - <title>Apache2 Debian Default Page: It works</title> + <title>Apache2 Ubuntu Default Page: It works</title> <style type="text/css" media="screen"> * { margin: 0px 0px 0px 0px; @@ -188,9 +193,9 @@ <body> <div class="main_page"> <div class="page_header floating_element"> - <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/> + <img src="/icons/ubuntu-logo.png" alt="Ubuntu Logo" class="floating_element"/> <span class="floating_element"> - Apache2 Debian Default Page + Apache2 Ubuntu Default Page </span> </div> <!-- <div class="table_of_contents floating_element"> @@ -221,7 +226,9 @@ <div class="content_section_text"> <p> This is the default welcome page used to test the correct - operation of the Apache2 server after installation on Debian systems. + operation of the Apache2 server after installation on Ubuntu systems. + It is based on the equivalent page on Debian, from which the Ubuntu Apache + packaging is derived. If you can read this page, it means that the Apache HTTP server installed at this site is working properly. You should <b>replace this file</b> (located at <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server. 
@@ -242,9 +249,9 @@ </div> <div class="content_section_text"> <p> - Debian's Apache2 default configuration is different from the + Ubuntu's Apache2 default configuration is different from the upstream default configuration, and split into several files optimized for - interaction with Debian tools. The configuration system is + interaction with Ubuntu tools. The configuration system is <b>fully documented in /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full documentation. Documentation for the web server itself can be @@ -253,7 +260,7 @@ </p> <p> - The configuration layout for an Apache2 web server installation on Debian systems is as follows: + The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows: </p> <pre> /etc/apache2/ @@ -324,7 +331,7 @@ <div class="content_section_text"> <p> - By default, Debian does not allow access through the web browser to + By default, Ubuntu does not allow access through the web browser to <em>any</em> file apart of those located in <tt>/var/www</tt>, <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a> directories (when enabled) and <tt>/usr/share</tt> (for web @@ -333,7 +340,7 @@ document root directory in <tt>/etc/apache2/apache2.conf</tt>. </p> <p> - The default Debian document root is <tt>/var/www/html</tt>. You + The default Ubuntu document root is <tt>/var/www/html</tt>. You can make your own virtual hosts under /var/www. This is different to previous releases which provides better security out of the box. </p> 
@@ -345,9 +352,9 @@ </div> <div class="content_section_text"> <p> - Please use the <tt>reportbug</tt> tool to report bugs in the - Apache2 package with Debian. However, check <a - href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0" + Please use the <tt>ubuntu-bug</tt> tool to report bugs in the + Apache2 package with Ubuntu. However, check <a + href="https://bugs.launchpad.net/ubuntu/+source/apache2" rel="nofollow">existing bug reports</a> before reporting a new bug. </p> <p>
  9. Download patch debian/patches/series

    --- 2.4.34-1/debian/patches/series 2018-07-27 19:37:37.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/patches/series 2018-10-03 13:55:37.000000000 +0000 @@ -9,3 +9,7 @@ reproducible_builds.diff #suexec-custom.patch remove_mod_lbmethod_load_order_dependency.diff + +# Patches added by Ubuntu +086_svn_cross_compiles +CVE-2018-11763.patch
  10. Download patch debian/apache2.install

    --- 2.4.34-1/debian/apache2.install 2018-07-17 18:39:14.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/apache2.install 2018-08-03 20:09:27.000000000 +0000 @@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2 debian/config-dir/envvars /etc/apache2 debian/config-dir/magic /etc/apache2 debian/debhelper/apache2-maintscript-helper /usr/share/apache2/ +debian/apache2-utils.ufw.profile /etc/ufw/applications.d/
  11. Download patch debian/apache2.postrm

    --- 2.4.34-1/debian/apache2.postrm 2018-04-05 18:32:55.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/apache2.postrm 2018-08-03 20:09:27.000000000 +0000 @@ -33,6 +33,7 @@ is_default_index_html () { 776221a94e5a174dc2396c0f3f6b6a74 c481228d439cbb54bdcedbaec5bbb11a e2620d4a5a0f8d80dd4b16de59af981f + 3526531ccd6c6a1d2340574a305a18f8 EOF }
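
Review bot: the checksum added to the list in is_default_index_html() is a bare value with nothing saying which index.html revision it matches. A comment above the here-document, or a changelog line tying it to the Ubuntu-branded default page, would tell the next person who edits debian/index.html that the list needs another entry.
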
  12. Download patch debian/patches/CVE-2018-11763.patch
  13. Download patch debian/tests/check-http2

    --- 2.4.34-1/debian/tests/check-http2 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/tests/check-http2 2018-08-03 20:09:27.000000000 +0000 @@ -0,0 +1,41 @@ +#!/bin/sh +set -uxe + +# http2 is rather new, check that it at least generally works +# Author: Christian Ehrhardt <christian.ehrhardt@canonical.com> + +a2enmod http2 +a2enmod ssl +a2ensite default-ssl +# Enable globally +echo "Protocols h2c h2 http/1.1" >> /etc/apache2/apache2.conf +service apache2 restart + +# Use curl here. wget doesn't work on Debian, even with --no-check-certificate +# wget on Debian gives me: +# GnuTLS: A TLS warning alert has been received. +# Unable to establish SSL connection. +# Presumably this is due to the self-signed certificate, but I'm not sure how +# to skip the warning with wget. curl will do for now. +echo "Hello, world!" > /var/www/html/hello.txt + +testapache () { + cmd="${1}" + result=$(${cmd}) + + if [ "$result" != "Hello, world!" ]; then + echo "Unexpected result: ${result}" >&2 + exit 1 + else + echo OK + fi +} + +# https shall not affect http +testapache "curl -s -k http://localhost/hello.txt" +# https shall not affect https +testapache "curl -s -k https://localhost/hello.txt" +#plain http2 +testapache "nghttp --no-verify-peer https://localhost/hello.txt" +#http2 upgrade +testapache "nghttp -u --no-verify-peer http://localhost/hello.txt"
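
Review bot: in testapache(), `result=$(${cmd})` runs under `set -uxe`, so a non-zero exit from curl or nghttp aborts the script on that line and the "Unexpected result" message is never printed; only a wrong response body reaches the comparison. Capture the failure explicitly, for example `result=$(${cmd}) || { echo "command failed: ${cmd}" >&2; exit 1; }`. The `Protocols` line is also appended to /etc/apache2/apache2.conf on every run, which is acceptable only because debian/tests/control marks the test breaks-testbed; a comment saying so would help.
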
  14. Download patch debian/apache2-utils.ufw.profile

    --- 2.4.34-1/debian/apache2-utils.ufw.profile 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/apache2-utils.ufw.profile 2018-08-03 20:09:27.000000000 +0000 @@ -0,0 +1,14 @@ +[Apache] +title=Web Server +description=Apache v2 is the next generation of the omnipresent Apache web server. +ports=80/tcp + +[Apache Secure] +title=Web Server (HTTPS) +description=Apache v2 is the next generation of the omnipresent Apache web server. +ports=443/tcp + +[Apache Full] +title=Web Server (HTTP,HTTPS) +description=Apache v2 is the next generation of the omnipresent Apache web server. +ports=80,443/tcp
  15. Download patch debian/source/include-binaries

    --- 2.4.34-1/debian/source/include-binaries 2018-07-17 18:39:14.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/source/include-binaries 2018-08-03 20:09:27.000000000 +0000 @@ -16,6 +16,7 @@ debian/icons/odf6odp-20x22.png debian/icons/odf6otp-20x22.png debian/icons/odf6oth-20x22.png debian/icons/openlogo-75.png +debian/icons/ubuntu-logo.png debian/upstream/signing-key.pgp debian/perl-framework/t/htdocs/apache/acceptpathinfo/index.shtml debian/perl-framework/t/htdocs/apache/acceptpathinfo/info.php
  16. Download patch debian/patches/086_svn_cross_compiles

    --- 2.4.34-1/debian/patches/086_svn_cross_compiles 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.34-1ubuntu2/debian/patches/086_svn_cross_compiles 2018-08-03 20:09:27.000000000 +0000 
@@ -0,0 +1,118 @@ +Description: Pull upstream fixes for autotools for cross-compiling +Author: Adam Conrad <adconrad@ubuntu.com> +Origin: upstream, http://svn.eu.apache.org/viewvc?view=revision&revision=1328445 +Origin: upstream, http://svn.eu.apache.org/viewvc?view=revision&revision=1327907 +Origin: upstream, http://svn.eu.apache.org/viewvc?view=revision&revision=1328390 +Origin: upstream, http://svn.eu.apache.org/viewvc?view=revision&revision=1328714 +Forwarded: not-needed + +Index: apache2-2.4.29/acinclude.m4 +=================================================================== +--- apache2-2.4.29.orig/acinclude.m4 2017-11-10 10:56:51.488205250 -0500 ++++ apache2-2.4.29/acinclude.m4 2017-11-10 10:56:51.484205199 -0500 +@@ -55,6 +55,8 @@ AC_DEFUN([APACHE_GEN_CONFIG_VARS],[ + APACHE_SUBST(CPPFLAGS) + APACHE_SUBST(CFLAGS) + APACHE_SUBST(CXXFLAGS) ++ APACHE_SUBST(CC_FOR_BUILD) ++ APACHE_SUBST(CFLAGS_FOR_BUILD) + APACHE_SUBST(LTFLAGS) + APACHE_SUBST(LDFLAGS) + APACHE_SUBST(LT_LDFLAGS) +@@ -697,7 +699,7 @@ int main(void) + { + return sizeof(void *) < sizeof(long); + }], [ap_cv_void_ptr_lt_long=no], [ap_cv_void_ptr_lt_long=yes], +- [ap_cv_void_ptr_lt_long=yes])]) ++ [ap_cv_void_ptr_lt_long="cross compile - not checked"])]) + + if test "$ap_cv_void_ptr_lt_long" = "yes"; then + AC_MSG_ERROR([Size of "void *" is less than size of "long"]) +Index: apache2-2.4.29/configure +=================================================================== +--- apache2-2.4.29.orig/configure 2017-11-10 10:56:51.488205250 -0500 ++++ apache2-2.4.29/configure 2017-11-10 10:56:51.488205250 -0500 +@@ -662,6 +662,8 @@ HTTPD_LDFLAGS + SH_LDFLAGS + LT_LDFLAGS + LTFLAGS ++CFLAGS_FOR_BUILD ++CC_FOR_BUILD + CXXFLAGS + CXX + other_targets +@@ -6071,6 +6073,12 @@ fi + + + ++if test "x${build_alias}" != "x${host_alias}"; then ++ if test "x${CC_FOR_BUILD}" = "x"; then ++ CC_FOR_BUILD=cc ++ fi ++fi ++ + if test "x${cache_file}" = "x/dev/null"; then + # Likewise, ensure that CC and CPP are passed through to 
the pcre + # configure script iff caching is disabled (the autoconf 2.5x default). +@@ -7698,7 +7706,7 @@ if ${ap_cv_void_ptr_lt_long+:} false; th + $as_echo_n "(cached) " >&6 + else + if test "$cross_compiling" = yes; then : +- ap_cv_void_ptr_lt_long=yes ++ ap_cv_void_ptr_lt_long="cross compile - not checked" + else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ +@@ -37522,6 +37530,14 @@ $as_echo "$as_me: " >&6;} + + + ++ APACHE_VAR_SUBST="$APACHE_VAR_SUBST CC_FOR_BUILD" ++ ++ ++ ++ APACHE_VAR_SUBST="$APACHE_VAR_SUBST CFLAGS_FOR_BUILD" ++ ++ ++ + APACHE_VAR_SUBST="$APACHE_VAR_SUBST LTFLAGS" + + +Index: apache2-2.4.29/configure.in +=================================================================== +--- apache2-2.4.29.orig/configure.in 2017-11-10 10:56:51.488205250 -0500 ++++ apache2-2.4.29/configure.in 2017-11-10 10:56:51.488205250 -0500 +@@ -206,6 +206,14 @@ AC_PROG_CPP + dnl Try to get c99 support for variadic macros + ifdef([AC_PROG_CC_C99], [AC_PROG_CC_C99]) + ++dnl In case of cross compilation we set CC_FOR_BUILD to cc unless ++dnl we got already CC_FOR_BUILD from environment. ++if test "x${build_alias}" != "x${host_alias}"; then ++ if test "x${CC_FOR_BUILD}" = "x"; then ++ CC_FOR_BUILD=cc ++ fi ++fi ++ + if test "x${cache_file}" = "x/dev/null"; then + # Likewise, ensure that CC and CPP are passed through to the pcre + # configure script iff caching is disabled (the autoconf 2.5x default). 
+Index: apache2-2.4.29/server/Makefile.in +=================================================================== +--- apache2-2.4.29.orig/server/Makefile.in 2017-11-10 10:56:51.488205250 -0500 ++++ apache2-2.4.29/server/Makefile.in 2017-11-10 10:56:51.488205250 -0500 +@@ -24,9 +24,14 @@ TARGETS = delete-exports $(LTLIBRARY_NAM + include $(top_builddir)/build/rules.mk + include $(top_srcdir)/build/library.mk + ++ifdef CC_FOR_BUILD ++gen_test_char: gen_test_char.c ++ $(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) -DCROSS_COMPILE -o $@ $< ++else + gen_test_char_OBJECTS = gen_test_char.lo + gen_test_char: $(gen_test_char_OBJECTS) + $(LINK) $(EXTRA_LDFLAGS) $(gen_test_char_OBJECTS) $(EXTRA_LIBS) ++endif + + test_char.h: gen_test_char + ./gen_test_char > test_char.h
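
Review bot: the patch edits the generated configure script by hand as well as acinclude.m4 and configure.in, so the CC_FOR_BUILD default and the ap_cv_void_ptr_lt_long cross-compile value now live in two places that have to be kept in sync. If the package regenerates configure at build time the configure hunks can be dropped; if it does not, the Description should say so. The Index lines also still name apache2-2.4.29 although the series is applied to 2.4.34, so refreshing the patch would keep the offsets accurate.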


Source: libapache2-mod-auth-pgsql

libapache2-mod-auth-pgsql (2.0.3-6.1ubuntu1) artful; urgency=medium

  * d/p/crypt-check-null-1698758.patch: check for a NULL return from
    crypt(3) (LP: #1698758)

 -- Andreas Hasenack <andreas@canonical.com>  Thu, 22 Jun 2017 14:34:03 -0300

Modifications :
  1. Download patch debian/patches/crypt-check-null-1698758.patch

    --- 2.0.3-6.1/debian/patches/crypt-check-null-1698758.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.3-6.1ubuntu1/debian/patches/crypt-check-null-1698758.patch 2017-06-22 17:34:03.000000000 +0000 @@ -0,0 +1,25 @@ +Description: check for a NULL return from crypt(3) + crypt(3) will return NULL in the case of errors, like if an + unsupported hash algorithm is used, or incorrect salt options + are passed. +Author: Andreas Hasenack <andreas@canonical.com> +Bug-Debian: https://bugs.debian.org/865553 +Bug-Ubuntu: https://launchpad.net/bugs/1698758 +Forwarded: yes (emailed Giuseppe Tanzilli <info@giuseppetanzilli.it>) +Last-Update: 2017-07-13 + +--- libapache2-mod-auth-pgsql-2.0.3.orig/mod_auth_pgsql.c ++++ libapache2-mod-auth-pgsql-2.0.3/mod_auth_pgsql.c +@@ -868,6 +868,12 @@ static authn_status check_password(reque + break; + case AUTH_PG_HASH_TYPE_CRYPT: + sent_pw = (char *) crypt(sent_pw, real_pw); ++ if (!sent_pw) { ++ apr_snprintf(pg_errstr, MAX_STRING_LEN, ++ "PG user %s: unsupported CRYPT format", user); ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); ++ return AUTH_DENIED; ++ } + break; + case AUTH_PG_HASH_TYPE_BASE64: + sent_pw = auth_pg_base64(sent_pw);
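
Review bot: the log text in the new NULL branch reports "unsupported CRYPT format" for every failure, while the patch description itself lists incorrect salt options as another cause; logging errno or a more general "crypt() failed" would keep the message accurate. On the unchanged line above it, crypt(3) returns a pointer to static storage, so under a threaded MPM the result can be overwritten by a concurrent request before it is compared; crypt_r(3) or apr_password_validate() would avoid that and could be handled in a follow-up.
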
  2. Download patch debian/control

    --- 2.0.3-6.1/debian/control 2013-08-10 17:22:37.000000000 +0000 +++ 2.0.3-6.1ubuntu1/debian/control 2017-06-22 17:34:03.000000000 +0000 @@ -1,5 +1,6 @@ Source: libapache2-mod-auth-pgsql -Maintainer: Marco Nenciarini <mnencia@debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Marco Nenciarini <mnencia@debian.org> Section: httpd Priority: extra Standards-Version: 3.9.4
  3. Download patch .pc/applied-patches

    --- 2.0.3-6.1/.pc/applied-patches 2017-07-13 16:20:47.047285863 +0000 +++ 2.0.3-6.1ubuntu1/.pc/applied-patches 2017-07-13 16:20:47.275292089 +0000 @@ -3,3 +3,4 @@ documentation.patch encoding.patch apache-2.4.patch fixdoublefree.patch +crypt-check-null-1698758.patch
  4. Download patch debian/patches/series

    --- 2.0.3-6.1/debian/patches/series 2015-01-17 13:04:26.000000000 +0000 +++ 2.0.3-6.1ubuntu1/debian/patches/series 2017-06-22 17:34:03.000000000 +0000 @@ -3,3 +3,4 @@ documentation.patch encoding.patch apache-2.4.patch fixdoublefree.patch +crypt-check-null-1698758.patch
  5. Download patch mod_auth_pgsql.c

    --- 2.0.3-6.1/mod_auth_pgsql.c 2017-07-13 16:20:47.000000000 +0000 +++ 2.0.3-6.1ubuntu1/mod_auth_pgsql.c 2017-07-13 16:20:47.000000000 +0000 @@ -868,6 +868,12 @@ static authn_status check_password(reque break; case AUTH_PG_HASH_TYPE_CRYPT: sent_pw = (char *) crypt(sent_pw, real_pw); + if (!sent_pw) { + apr_snprintf(pg_errstr, MAX_STRING_LEN, + "PG user %s: unsupported CRYPT format", user); + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); + return AUTH_DENIED; + } break; case AUTH_PG_HASH_TYPE_BASE64: sent_pw = auth_pg_base64(sent_pw);
  6. Download patch .pc/crypt-check-null-1698758.patch/mod_auth_pgsql.c


Source: libapache2-mod-defensible

libapache2-mod-defensible (1.4-3.1ubuntu2) trusty; urgency=medium

  * Use dh-autoreconf instead of autotools-dev to also fix FTBFS on ppc64el
    by getting new libtool macros (still updates config.{sub,guess}).
  * Use automake's "foreign" option to fix FTBFS while autoreconfing.

 -- Logan Rosen <logan@ubuntu.com>  Wed, 01 Jan 2014 00:39:44 -0500

libapache2-mod-defensible (1.4-3.1ubuntu1) saucy; urgency=low

  * Use dh_autotools-dev to update config.{sub,guess} for new ports.

 -- Adam Conrad <adconrad@ubuntu.com>  Tue, 15 Oct 2013 21:25:12 +0100

Modifications :
  1. Download patch .pc/automake-foreign.patch/configure.in

    --- 1.4-3.1/.pc/automake-foreign.patch/configure.in 1970-01-01 00:00:00.000000000 +0000 +++ 1.4-3.1ubuntu2/.pc/automake-foreign.patch/configure.in 2007-01-19 17:19:55.000000000 +0000 @@ -0,0 +1,25 @@ +# configure.in for mod_defensible +# © 2007 Julien Danjou <julien@danjou.info> + +AC_INIT(mod_defensible) +AM_INIT_AUTOMAKE(mod_defensible, 1.2) + +AC_CONFIG_SRCDIR(mod_defensible.c) + +AC_PROG_CC +AM_PROG_LIBTOOL + +# check for apxs tool +AC_PATH_PROG(APXS2, [apxs2]) + +AC_ARG_WITH(udns, + [ --with-udns use udns library to resolve (better performance)], + [AC_CHECK_LIB([udns], [dns_init], + , + AC_MSG_ERROR([udns not found])) + ], +) +AC_SUBST(UDNS_LIBS) + +AC_CONFIG_HEADER(config.h) +AC_OUTPUT(Makefile)
  2. Download patch debian/rules

    --- 1.4-3.1/debian/rules 2013-07-08 15:30:33.000000000 +0000 +++ 1.4-3.1ubuntu2/debian/rules 2014-01-01 05:38:52.000000000 +0000 @@ -5,6 +5,7 @@ config.status: dh_testdir + dh_autoreconf ./configure build: build-stamp @@ -20,6 +21,7 @@ clean: dh_testroot rm -f build-stamp config.log [ ! -f Makefile ] || $(MAKE) distclean + dh_autoreconf_clean dh_clean install: build
  3. Download patch debian/patches/automake-foreign.patch

    --- 1.4-3.1/debian/patches/automake-foreign.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.4-3.1ubuntu2/debian/patches/automake-foreign.patch 2014-01-01 05:45:51.000000000 +0000 @@ -0,0 +1,13 @@ +--- a/configure.in ++++ b/configure.in +@@ -1,8 +1,8 @@ + # configure.in for mod_defensible + # © 2007 Julien Danjou <julien@danjou.info> + +-AC_INIT(mod_defensible) +-AM_INIT_AUTOMAKE(mod_defensible, 1.2) ++AC_INIT([mod_defensible], [1.2]) ++AM_INIT_AUTOMAKE([foreign]) + + AC_CONFIG_SRCDIR(mod_defensible.c) +
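
Review bot: this patch file starts directly at `--- a/configure.in` with no DEP-3 header, unlike the other Ubuntu-added patches on this page; add Description, Author and Forwarded fields. In the hunk itself, `AC_INIT([mod_defensible], [1.2])` carries over the 1.2 from the old AM_INIT_AUTOMAKE call although the package version is 1.4, which is worth confirming with upstream.
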
  4. Download patch debian/control

    --- 1.4-3.1/debian/control 2013-07-08 15:30:27.000000000 +0000 +++ 1.4-3.1ubuntu2/debian/control 2014-01-01 05:39:02.000000000 +0000 @@ -1,9 +1,10 @@ Source: libapache2-mod-defensible -Maintainer: Julien Danjou <acid@debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Julien Danjou <acid@debian.org> Section: web Priority: extra Standards-Version: 3.8.0 -Build-Depends: debhelper (>= 5.0.0), dh-apache2, apache2-dev (>= 2.2.3-2) +Build-Depends: debhelper (>= 5.0.0), dh-apache2, apache2-dev (>= 2.2.3-2), dh-autoreconf Package: libapache2-mod-defensible Architecture: any
  5. Download patch .pc/applied-patches

    --- 1.4-3.1/.pc/applied-patches 2014-01-01 07:06:55.190698180 +0000 +++ 1.4-3.1ubuntu2/.pc/applied-patches 2014-01-01 07:06:55.406703890 +0000 @@ -2,3 +2,4 @@ apxs-cppflags.patch aplog-use-module.patch server-banner.patch conn-rec-remote-ip.patch +automake-foreign.patch
  6. Download patch debian/patches/series

    --- 1.4-3.1/debian/patches/series 2013-07-08 15:41:46.000000000 +0000 +++ 1.4-3.1ubuntu2/debian/patches/series 2014-01-01 05:39:21.000000000 +0000 @@ -2,3 +2,4 @@ apxs-cppflags.patch aplog-use-module.patch server-banner.patch conn-rec-remote-ip.patch +automake-foreign.patch
  7. Download patch configure.in

    --- 1.4-3.1/configure.in 2007-01-19 17:19:55.000000000 +0000 +++ 1.4-3.1ubuntu2/configure.in 2014-01-01 07:06:55.000000000 +0000 @@ -1,8 +1,8 @@ # configure.in for mod_defensible # © 2007 Julien Danjou <julien@danjou.info> -AC_INIT(mod_defensible) -AM_INIT_AUTOMAKE(mod_defensible, 1.2) +AC_INIT([mod_defensible], [1.2]) +AM_INIT_AUTOMAKE([foreign]) AC_CONFIG_SRCDIR(mod_defensible.c)


Source: libapache2-mod-perl2

libapache2-mod-perl2 (2.0.10-2ubuntu5) disco; urgency=medium

  * SECURITY UPDATE: arbitrary perl code execution via .htaccess file
    - debian/patches/CVE-2011-2767.patch: only allow perl and pod sections
      in server configuration and not per directory in
      src/modules/perl/mod_perl.c.
    - CVE-2011-2767

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 15 Nov 2018 08:55:38 -0500

libapache2-mod-perl2 (2.0.10-2ubuntu4) disco; urgency=medium

  * No-change rebuild for the perl 5.28 transition.

 -- Adam Conrad <adconrad@ubuntu.com>  Fri, 02 Nov 2018 19:45:30 -0600

libapache2-mod-perl2 (2.0.10-2ubuntu3) bionic; urgency=medium

  * No-change rebuild against perlapi-5.26.1

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 02 Nov 2017 05:39:04 +0000

libapache2-mod-perl2 (2.0.10-2ubuntu2) artful; urgency=medium

  * No-change rebuild for perl 5.26.0

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 26 Jul 2017 17:07:10 -0700

libapache2-mod-perl2 (2.0.10-2ubuntu1) zesty; urgency=medium

  * Merge from Debian unstable (LP: #1663425). Remaining changes:
    - Change locales-all to locales.
    - Drop dwww from a recommends to a suggests to avoid pulling this into
      main.

 -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Fri, 10 Feb 2017 13:42:32 -0800

Modifications :
  1. Download patch debian/control

    --- 2.0.10-2/debian/control 2016-10-06 21:12:13.000000000 +0000 +++ 2.0.10-2ubuntu5/debian/control 2017-02-10 21:42:32.000000000 +0000 @@ -1,7 +1,8 @@ Source: libapache2-mod-perl2 Section: httpd Priority: optional -Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org> Uploaders: Damyan Ivanov <dmn@debian.org>, Niko Tyni <ntyni@debian.org>, gregor herrmann <gregoa@debian.org>, Dominic Hargreaves <dom@earth.li>, @@ -23,7 +24,7 @@ Build-Depends: perl, libperl-dev, libreadonly-perl, libwww-perl, - locales-all, + locales, netbase, rename, Build-Conflicts: apache2-mpm-event @@ -66,7 +67,7 @@ Package: libapache2-mod-perl2-doc Architecture: all Section: doc Depends: ${misc:Depends} -Recommends: dwww +Suggests: dwww Description: Integration of perl with the Apache2 web server - documentation mod_perl allows the use of Perl for just about anything Apache-related, including <Perl> sections in the config
  2. Download patch debian/patches/CVE-2011-2767.patch

    --- 2.0.10-2/debian/patches/CVE-2011-2767.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.10-2ubuntu5/debian/patches/CVE-2011-2767.patch 2018-11-15 13:55:35.000000000 +0000 
@@ -0,0 +1,41 @@ +From: Markus Koschany <apo@debian.org> +Date: Tue, 18 Sep 2018 19:03:15 +0200 +Subject: CVE-2011-2767 + +Original patch by Jan Ingvoldstad. + +Bug-Debian: https://bugs.debian.org/644169 +Origin: https://bugs.debian.org/644169#19 +--- + src/modules/perl/mod_perl.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +Index: libapache2-mod-perl2-2.0.10/src/modules/perl/mod_perl.c +=================================================================== +--- libapache2-mod-perl2-2.0.10.orig/src/modules/perl/mod_perl.c 2018-11-15 08:50:35.115829827 -0500 ++++ libapache2-mod-perl2-2.0.10/src/modules/perl/mod_perl.c 2018-11-15 08:50:35.111829817 -0500 +@@ -939,18 +939,18 @@ static const command_rec modperl_cmds[] + MP_CMD_DIR_ITERATE2("PerlAddVar", add_var, "PerlAddVar"), + MP_CMD_DIR_TAKE2("PerlSetEnv", set_env, "PerlSetEnv"), + MP_CMD_SRV_TAKE1("PerlPassEnv", pass_env, "PerlPassEnv"), +- MP_CMD_DIR_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"), +- MP_CMD_DIR_RAW_ARGS("Perl", perldo, "Perl Code"), ++ MP_CMD_SRV_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"), ++ MP_CMD_SRV_RAW_ARGS("Perl", perldo, "Perl Code"), + + MP_CMD_DIR_TAKE1("PerlSetInputFilter", set_input_filter, + "filter[;filter]"), + MP_CMD_DIR_TAKE1("PerlSetOutputFilter", set_output_filter, + "filter[;filter]"), + +- MP_CMD_DIR_RAW_ARGS_ON_READ("=pod", pod, "Start of POD"), +- MP_CMD_DIR_RAW_ARGS_ON_READ("=back", pod, "End of =over"), +- MP_CMD_DIR_RAW_ARGS_ON_READ("=cut", pod_cut, "End of POD"), +- MP_CMD_DIR_RAW_ARGS_ON_READ("__END__", END, "Stop reading config"), ++ MP_CMD_SRV_RAW_ARGS_ON_READ("=pod", pod, "Start of POD"), ++ MP_CMD_SRV_RAW_ARGS_ON_READ("=back", pod, "End of =over"), ++ MP_CMD_SRV_RAW_ARGS_ON_READ("=cut", pod_cut, "End of POD"), ++ MP_CMD_SRV_RAW_ARGS_ON_READ("__END__", END, "Stop reading config"), + + MP_CMD_SRV_RAW_ARGS("PerlLoadModule", load_module, "A Perl module"), + #ifdef MP_TRACE
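
Review bot: the patch header gives only "Subject: CVE-2011-2767" and a credit line, with no Description of the behaviour change. Moving the `<Perl`, `Perl`, `=pod`, `=back`, `=cut` and `__END__` entries from MP_CMD_DIR_* to MP_CMD_SRV_* means, per the changelog, that these sections are accepted in server configuration only, so existing per-directory uses stop loading after the upgrade; the header, and ideally a NEWS entry, should say so. It would also help to record why the neighbouring PerlSetEnv, PerlAddVar and PerlSet*Filter entries stay MP_CMD_DIR_*, so a later reader can see they were reviewed rather than missed.
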
  3. Download patch debian/patches/series

    --- 2.0.10-2/debian/patches/series 2016-12-24 21:45:42.000000000 +0000 +++ 2.0.10-2ubuntu5/debian/patches/series 2018-11-15 13:55:35.000000000 +0000 @@ -15,3 +15,4 @@ avoid-db-linkage.patch honour-env-LDFLAGS.patch 370_http_syntax.patch 380_inject_header_line_terminators.patch +CVE-2011-2767.patch

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: libapache2-mod-python

libapache2-mod-python (3.3.1-11ubuntu2) trusty; urgency=medium

  * d/tests/smoke: use new default Apache DocumentRoot /var/www/html.

 -- Robie Basak <robie.basak@ubuntu.com> Wed, 15 Jan 2014 00:30:23 +0000

libapache2-mod-python (3.3.1-11ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining changes: none.
  * Drop all previous changes; adopted in Debian:
    - Switch to dh_python2. (LP: #788514)
    - FTBFS: switch configure.in to pkg-config to configure Python. This
      fixes discovery with multiarch Python (LP: #1098597).
  * d/tests/smoke: add dep8 test.

 -- Robie Basak <robie.basak@ubuntu.com> Mon, 08 Jul 2013 18:56:19 +0000

Modifications :
  1. Download patch debian/tests/control

    --- 3.3.1-11/debian/tests/control 1970-01-01 00:00:00.000000000 +0000 +++ 3.3.1-11ubuntu2/debian/tests/control 2014-01-15 00:30:19.000000000 +0000 @@ -0,0 +1,3 @@ +Tests: smoke +Restrictions: needs-root +Depends: libapache2-mod-python, wget, apache2
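Review bot: The Restrictions line lists only needs-root, but the smoke script this stanza runs appends a <Directory> block to /etc/apache2/apache2.conf, creates /var/www/html/python and enables the python module, and restores none of it. Add breaks-testbed to Restrictions so the runner knows the testbed is left modified and does not reuse it for later tests.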
  2. Download patch debian/control

    --- 3.3.1-11/debian/control 2013-05-26 21:09:52.000000000 +0000 +++ 3.3.1-11ubuntu2/debian/control 2013-07-08 13:30:22.000000000 +0000 @@ -1,7 +1,8 @@ Source: libapache2-mod-python Section: httpd Priority: optional -Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org> Uploaders: Robert S. Edmonds <edmonds@debian.org> Build-Depends: debhelper (>= 9), dh-autoreconf, python-dev (>= 2.6.6-3~), dh-apache2, apache2-dev (>> 2.4~) @@ -10,6 +11,7 @@ Vcs-Svn: svn://anonscm.debian.org/python Vcs-Browser: http://anonscm.debian.org/viewvc/python-modules/packages/libapache2-mod-python/trunk/ Homepage: http://www.modpython.org/ Standards-Version: 3.9.4 +XS-Testsuite: autopkgtest Package: libapache2-mod-python Architecture: any
  3. Download patch debian/tests/smoke

    --- 3.3.1-11/debian/tests/smoke 1970-01-01 00:00:00.000000000 +0000 +++ 3.3.1-11ubuntu2/debian/tests/smoke 2014-01-15 00:29:49.000000000 +0000 @@ -0,0 +1,23 @@ +#!/bin/sh +set -e + +cat >> /etc/apache2/apache2.conf <<EOT +<Directory /var/www/html/python/> + SetHandler mod_python + PythonHandler mod_python.publisher +</Directory> +EOT + +mkdir /var/www/html/python +cat > /var/www/html/python/hello.py <<EOT +#!/usr/bin/python + +def index(): + return "Hello, world!\n" +EOT + +a2enmod python +service apache2 reload + +output=`wget -O- http://localhost/python/hello.py 2>/dev/null` +test "$output" = "Hello, world!"
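Review bot: The wget call on the second-to-last line sends stderr to /dev/null and the closing `test` prints nothing, so a failed run leaves no trace of whether the fetch itself failed, Apache returned an error page, or the body simply differed. Echo "$output" to stdout when the comparison fails, and report the wget exit status there too, so the test log is usable for triage. Two smaller points in the same script: under `set -e`, `mkdir /var/www/html/python` aborts the test if the directory already exists (`mkdir -p` avoids that), and the `>>` append to apache2.conf adds a duplicate <Directory> block on every rerun.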
  1. apache2
  2. libapache2-mod-auth-pgsql
  3. libapache2-mod-defensible
  4. libapache2-mod-perl2
  5. libapache2-mod-python