debian/0000755000000000000000000000000013451146200007162 5ustar debian/apache2-mpm.postinst.in0000644000000000000000000000256713376761111013512 0ustar #! /bin/bash # postinst script for apache2-mpm-__TYPE__ # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-deconfigure' `in-favour' # `removing' # # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in configure) if [ -n "$2" ] && dpkg --compare-versions "$2" lt "2.4.4-4" ; then if [ -d /usr/share/doc/apache2-mpm-__TYPE__ ] ; then RET=0 rmdir /usr/share/doc/apache2-mpm-__TYPE__ > /dev/null 2>&1|| RET=$? if [ $RET = 0 ] ; then ln -s /usr/share/doc/apache2 /usr/share/doc/apache2-mpm-__TYPE__ fi fi fi ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/config-dir/0000755000000000000000000000000013376761111011215 5ustar debian/config-dir/sites-available/0000755000000000000000000000000013376761111014262 5ustar debian/config-dir/sites-available/default-ssl.conf0000644000000000000000000001444513376761111017364 0ustar ServerAdmin webmaster@localhost DocumentRoot /var/www/html # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, # error, crit, alert, emerg. # It is also possible to configure the loglevel for particular # modules, e.g. #LogLevel info ssl:warn ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined # For most configuration files from conf-available/, which are # enabled or disabled at a global level, it is possible to # include a line for only one particular virtual host. For example the # following line enables the CGI configuration for this host only # after it has been globally disabled with "a2disconf". 
#Include conf-available/serve-cgi-bin.conf # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on # A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See # /usr/share/doc/apache2/README.Debian.gz for more info. # If both key and certificate are stored in the same file, only the # SSLCertificateFile directive is needed. SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key # Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the # concatenation of PEM encoded CA certificates which form the # certificate chain for the server certificate. Alternatively # the referenced file can be the same as SSLCertificateFile # when the CA certificates are directly appended to the server # certificate for convenience. #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt # Certificate Authority (CA): # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCACertificatePath /etc/ssl/certs/ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt # Certificate Revocation Lists (CRL): # Set the CA revocation path where to find CA CRLs for client # authentication or alternatively one huge file containing all # of them (file must be PEM encoded) # Note: Inside SSLCARevocationPath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCARevocationPath /etc/apache2/ssl.crl/ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl # Client Authentication (Type): # Client certificate verification type and depth. 
Types are # none, optional, require and optional_no_ca. Depth is a # number which specifies how deeply to verify the certificate # issuer chain before deciding the certificate is not valid. #SSLVerifyClient require #SSLVerifyDepth 10 # SSL Engine Options: # Set various options for the SSL engine. # o FakeBasicAuth: # Translate the client X.509 into a Basic Authorisation. This means that # the standard Auth/DBMAuth methods can be used for access control. The # user name is the `one line' version of the client's X.509 certificate. # Note that no password is obtained from the user. Every entry in the user # file needs this password: `xxj31ZMTZzkVA'. # o ExportCertData: # This exports two additional environment variables: SSL_CLIENT_CERT and # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the # server (always existing) and the client (only existing when client # authentication is used). This can be used to import the certificates # into CGI scripts. # o StdEnvVars: # This exports the standard SSL/TLS related `SSL_*' environment variables. # Per default this exportation is switched off for performance reasons, # because the extraction step is an expensive operation and is usually # useless for serving static content. So one usually enables the # exportation for CGI and SSI requests only. # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire SSLOptions +StdEnvVars SSLOptions +StdEnvVars # SSL Protocol Adjustments: # The safe and default but still SSL/TLS standard compliant shutdown # approach is that mod_ssl sends the close notify alert but doesn't wait for # the close notify alert from client. When you need a different shutdown # approach you can use one of the following variables: # o ssl-unclean-shutdown: # This forces an unclean shutdown when the connection is closed, i.e. 
no # SSL close notify alert is sent or allowed to be received. This violates # the SSL/TLS standard but is needed for some brain-dead browsers. Use # this when you receive I/O errors because of the standard approach where # mod_ssl sends the close notify alert. # o ssl-accurate-shutdown: # This forces an accurate shutdown when the connection is closed, i.e. a # SSL close notify alert is sent and mod_ssl waits for the close notify # alert of the client. This is 100% SSL/TLS standard compliant, but in # practice often causes hanging connections with brain-dead browsers. Use # this only for browsers where you know that their SSL implementation # works correctly. # Notice: Most problems of broken clients are also related to the HTTP # keep-alive facility, so you usually additionally want to disable # keep-alive for those clients, too. Use variable "nokeepalive" for this. # Similarly, one has to force some clients to use HTTP/1.0 to work around # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # MSIE 7 and newer should be able to use keepalive BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/sites-available/000-default.conf0000644000000000000000000000246413376761111017060 0ustar # The ServerName directive sets the request scheme, hostname and port that # the server uses to identify itself. This is used when creating # redirection URLs. In the context of virtual hosts, the ServerName # specifies what hostname must appear in the request's Host: header to # match this virtual host. For the default virtual host (this file) this # value is not decisive as it is used as a last resort host regardless. # However, you must set it for any further virtual host explicitly. 
#ServerName www.example.com ServerAdmin webmaster@localhost DocumentRoot /var/www/html # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, # error, crit, alert, emerg. # It is also possible to configure the loglevel for particular # modules, e.g. #LogLevel info ssl:warn ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined # For most configuration files from conf-available/, which are # enabled or disabled at a global level, it is possible to # include a line for only one particular virtual host. For example the # following line enables the CGI configuration for this host only # after it has been globally disabled with "a2disconf". #Include conf-available/serve-cgi-bin.conf # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/0000755000000000000000000000000013376761111014075 5ustar debian/config-dir/mods-available/authn_dbd.load0000644000000000000000000000012513376761111016664 0ustar # Depends: dbd LoadModule authn_dbd_module /usr/lib/apache2/modules/mod_authn_dbd.so debian/config-dir/mods-available/include.load0000644000000000000000000000012213376761111016354 0ustar # Depends: mime LoadModule include_module /usr/lib/apache2/modules/mod_include.so debian/config-dir/mods-available/mpm_prefork.conf0000644000000000000000000000107313376761111017266 0ustar # prefork MPM # StartServers: number of server processes to start # MinSpareServers: minimum number of server processes which are kept spare # MaxSpareServers: maximum number of server processes which are kept spare # MaxRequestWorkers: maximum number of server processes allowed to start # MaxConnectionsPerChild: maximum number of requests a server process serves StartServers 5 MinSpareServers 5 MaxSpareServers 10 MaxRequestWorkers 150 MaxConnectionsPerChild 0 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/lbmethod_heartbeat.load0000644000000000000000000000016213376761111020552 0ustar # Depends: proxy_balancer 
LoadModule lbmethod_heartbeat_module /usr/lib/apache2/modules/mod_lbmethod_heartbeat.so debian/config-dir/mods-available/cgid.conf0000644000000000000000000000016313376761111015652 0ustar # Socket for cgid communication ScriptSock ${APACHE_RUN_DIR}/cgisock # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/status.load0000644000000000000000000000010013376761111016250 0ustar LoadModule status_module /usr/lib/apache2/modules/mod_status.so debian/config-dir/mods-available/deflate.conf0000644000000000000000000000101213376761111016342 0ustar # these are known to be safe with MSIE 6 AddOutputFilterByType DEFLATE text/html text/plain text/xml # everything else may cause problems with MSIE 6 AddOutputFilterByType DEFLATE text/css AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript AddOutputFilterByType DEFLATE application/rss+xml AddOutputFilterByType DEFLATE application/xml # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/dav_fs.load0000644000000000000000000000011713376761111016177 0ustar # Depends: dav LoadModule dav_fs_module /usr/lib/apache2/modules/mod_dav_fs.so debian/config-dir/mods-available/info.load0000644000000000000000000000007413376761111015672 0ustar LoadModule info_module /usr/lib/apache2/modules/mod_info.so debian/config-dir/mods-available/negotiation.conf0000644000000000000000000000132413376761111017264 0ustar # LanguagePriority allows you to give precedence to some languages # in case of a tie during content negotiation. # # Just list the languages in decreasing order of preference. We have # more or less alphabetized them here. You probably want to change this. 
# LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv tr zh-CN zh-TW # # ForceLanguagePriority allows you to serve a result page rather than # MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback) # [in case no accepted languages matched the available variants] # ForceLanguagePriority Prefer Fallback # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/dir.load0000644000000000000000000000007213376761111015513 0ustar LoadModule dir_module /usr/lib/apache2/modules/mod_dir.so debian/config-dir/mods-available/negotiation.load0000644000000000000000000000011213376761111017250 0ustar LoadModule negotiation_module /usr/lib/apache2/modules/mod_negotiation.so debian/config-dir/mods-available/substitute.load0000644000000000000000000000011013376761111017141 0ustar LoadModule substitute_module /usr/lib/apache2/modules/mod_substitute.so debian/config-dir/mods-available/authz_host.load0000644000000000000000000000013613376761111017126 0ustar # Depends: authz_core LoadModule authz_host_module /usr/lib/apache2/modules/mod_authz_host.so debian/config-dir/mods-available/echo.load0000644000000000000000000000007413376761111015655 0ustar LoadModule echo_module /usr/lib/apache2/modules/mod_echo.so debian/config-dir/mods-available/request.load0000644000000000000000000000010213376761111016417 0ustar LoadModule request_module /usr/lib/apache2/modules/mod_request.so debian/config-dir/mods-available/ldap.load0000644000000000000000000000007413376761111015657 0ustar LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so debian/config-dir/mods-available/authn_file.load0000644000000000000000000000011013376761111017044 0ustar LoadModule authn_file_module /usr/lib/apache2/modules/mod_authn_file.so debian/config-dir/mods-available/ssl.load0000644000000000000000000000014113376761111015533 0ustar # Depends: setenvif mime socache_shmcb LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so 
debian/config-dir/mods-available/expires.load0000644000000000000000000000010213376761111016406 0ustar LoadModule expires_module /usr/lib/apache2/modules/mod_expires.so debian/config-dir/mods-available/access_compat.load0000644000000000000000000000014413376761111017541 0ustar # Depends: authn_core LoadModule access_compat_module /usr/lib/apache2/modules/mod_access_compat.so debian/config-dir/mods-available/reqtimeout.load0000644000000000000000000000011013376761111017124 0ustar LoadModule reqtimeout_module /usr/lib/apache2/modules/mod_reqtimeout.so debian/config-dir/mods-available/xml2enc.load0000644000000000000000000000010213376761111016277 0ustar LoadModule xml2enc_module /usr/lib/apache2/modules/mod_xml2enc.so debian/config-dir/mods-available/userdir.load0000644000000000000000000000010213376761111016404 0ustar LoadModule userdir_module /usr/lib/apache2/modules/mod_userdir.so debian/config-dir/mods-available/rewrite.load0000644000000000000000000000010213376761111016410 0ustar LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so debian/config-dir/mods-available/session_cookie.load0000644000000000000000000000014313376761111017750 0ustar # Depends: session LoadModule session_cookie_module /usr/lib/apache2/modules/mod_session_cookie.so debian/config-dir/mods-available/sed.load0000644000000000000000000000007213376761111015510 0ustar LoadModule sed_module /usr/lib/apache2/modules/mod_sed.so debian/config-dir/mods-available/mpm_worker.conf0000644000000000000000000000150413376761111017126 0ustar # worker MPM # StartServers: initial number of server processes to start # MinSpareThreads: minimum number of worker threads which are kept spare # MaxSpareThreads: maximum number of worker threads which are kept spare # ThreadLimit: ThreadsPerChild can be changed to this maximum value during a # graceful restart. ThreadLimit can only be changed by stopping # and starting Apache. 
# ThreadsPerChild: constant number of worker threads in each server process # MaxRequestWorkers: maximum number of threads # MaxConnectionsPerChild: maximum number of requests a server process serves StartServers 2 MinSpareThreads 25 MaxSpareThreads 75 ThreadLimit 64 ThreadsPerChild 25 MaxRequestWorkers 150 MaxConnectionsPerChild 0 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/auth_digest.load0000644000000000000000000000014013376761111017231 0ustar # Depends: authn_core LoadModule auth_digest_module /usr/lib/apache2/modules/mod_auth_digest.so debian/config-dir/mods-available/proxy_ftp.conf0000644000000000000000000000027513376761111017002 0ustar # Define the character set for proxied FTP listings. Default is ISO-8859-1 ProxyFtpDirCharset UTF-8 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/proxy_ajp.load0000644000000000000000000000012713376761111016751 0ustar # Depends: proxy LoadModule proxy_ajp_module /usr/lib/apache2/modules/mod_proxy_ajp.so debian/config-dir/mods-available/mime.conf0000644000000000000000000001672713376761111015710 0ustar # # TypesConfig points to the file containing the list of mappings from # filename extension to MIME-type. # TypesConfig /etc/mime.types # # AddType allows you to add to or override the MIME configuration # file mime.types for specific file types. # #AddType application/x-gzip .tgz # # AddEncoding allows you to have certain browsers uncompress # information on the fly. Note: Not all browsers support this. # Despite the name similarity, the following Add* directives have # nothing to do with the FancyIndexing customization directives above. 
# #AddEncoding x-compress .Z #AddEncoding x-gzip .gz .tgz #AddEncoding x-bzip2 .bz2 # # If the AddEncoding directives above are commented-out, then you # probably should define those extensions to indicate media types: # AddType application/x-compress .Z AddType application/x-gzip .gz .tgz AddType application/x-bzip2 .bz2 # # DefaultLanguage and AddLanguage allows you to specify the language of # a document. You can then use content negotiation to give a browser a # file in a language the user can understand. # # Specify a default language. This means that all data # going out without a specific language tag (see below) will # be marked with this one. You probably do NOT want to set # this unless you are sure it is correct for all cases. # # * It is generally better to not mark a page as # * being a certain language than marking it with the wrong # * language! # # DefaultLanguage nl # # Note 1: The suffix does not have to be the same as the language # keyword --- those with documents in Polish (whose net-standard # language code is pl) may wish to use "AddLanguage pl .po" to # avoid the ambiguity with the common suffix for perl scripts. # # Note 2: The example entries below illustrate that in some cases # the two character 'Language' abbreviation is not identical to # the two character 'Country' code for its country, # E.g. 'Danmark/dk' versus 'Danish/da'. # # Note 3: In the case of 'ltz' we violate the RFC by using a three char # specifier. There is 'work in progress' to fix this and get # the reference data for rfc1766 cleaned up. 
# # Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) # English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de) # Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja) # Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn) # Norwegian (no) - Polish (pl) - Portugese (pt) # Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv) # Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW) # AddLanguage am .amh AddLanguage ar .ara AddLanguage be .be AddLanguage bg .bg AddLanguage bn .bn AddLanguage br .br AddLanguage bs .bs AddLanguage ca .ca AddLanguage cs .cz .cs AddLanguage cy .cy AddLanguage da .dk AddLanguage de .de AddLanguage dz .dz AddLanguage el .el AddLanguage en .en AddLanguage eo .eo # es is ecmascript in /etc/mime.types RemoveType es AddLanguage es .es AddLanguage et .et AddLanguage eu .eu AddLanguage fa .fa AddLanguage fi .fi AddLanguage fr .fr AddLanguage ga .ga AddLanguage gl .glg AddLanguage gu .gu AddLanguage he .he AddLanguage hi .hi AddLanguage hr .hr AddLanguage hu .hu AddLanguage hy .hy AddLanguage id .id AddLanguage is .is AddLanguage it .it AddLanguage ja .ja AddLanguage ka .ka AddLanguage kk .kk AddLanguage km .km AddLanguage kn .kn AddLanguage ko .ko AddLanguage ku .ku AddLanguage lo .lo AddLanguage lt .lt AddLanguage ltz .ltz AddLanguage lv .lv AddLanguage mg .mg AddLanguage mk .mk AddLanguage ml .ml AddLanguage mr .mr AddLanguage ms .msa AddLanguage nb .nob AddLanguage ne .ne AddLanguage nl .nl AddLanguage nn .nn AddLanguage no .no AddLanguage pa .pa AddLanguage pl .po AddLanguage pt-BR .pt-br AddLanguage pt .pt AddLanguage ro .ro AddLanguage ru .ru AddLanguage sa .sa AddLanguage se .se AddLanguage si .si AddLanguage sk .sk AddLanguage sl .sl AddLanguage sq .sq AddLanguage sr .sr AddLanguage sv .sv AddLanguage ta .ta AddLanguage te .te AddLanguage th .th AddLanguage tl .tl RemoveType tr # tr is troff in /etc/mime.types AddLanguage tr .tr AddLanguage uk .uk AddLanguage ur 
.ur AddLanguage vi .vi AddLanguage wo .wo AddLanguage xh .xh AddLanguage zh-CN .zh-cn AddLanguage zh-TW .zh-tw # # Commonly used filename extensions to character sets. You probably # want to avoid clashes with the language extensions, unless you # are good at carefully testing your setup after each change. # See http://www.iana.org/assignments/character-sets for the # official list of charset names and their respective RFCs. # AddCharset us-ascii .ascii .us-ascii AddCharset ISO-8859-1 .iso8859-1 .latin1 AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen AddCharset ISO-8859-3 .iso8859-3 .latin3 AddCharset ISO-8859-4 .iso8859-4 .latin4 AddCharset ISO-8859-5 .iso8859-5 .cyr .iso-ru AddCharset ISO-8859-6 .iso8859-6 .arb .arabic AddCharset ISO-8859-7 .iso8859-7 .grk .greek AddCharset ISO-8859-8 .iso8859-8 .heb .hebrew AddCharset ISO-8859-9 .iso8859-9 .latin5 .trk AddCharset ISO-8859-10 .iso8859-10 .latin6 AddCharset ISO-8859-13 .iso8859-13 AddCharset ISO-8859-14 .iso8859-14 .latin8 AddCharset ISO-8859-15 .iso8859-15 .latin9 AddCharset ISO-8859-16 .iso8859-16 .latin10 AddCharset ISO-2022-JP .iso2022-jp .jis AddCharset ISO-2022-KR .iso2022-kr .kis AddCharset ISO-2022-CN .iso2022-cn .cis AddCharset Big5 .Big5 .big5 .b5 AddCharset cn-Big5 .cn-big5 # For russian, more than one charset is used (depends on client, mostly): AddCharset WINDOWS-1251 .cp-1251 .win-1251 AddCharset CP866 .cp866 AddCharset KOI8 .koi8 AddCharset KOI8-E .koi8-e AddCharset KOI8-r .koi8-r .koi8-ru AddCharset KOI8-U .koi8-u AddCharset KOI8-ru .koi8-uk .ua AddCharset ISO-10646-UCS-2 .ucs2 AddCharset ISO-10646-UCS-4 .ucs4 AddCharset UTF-7 .utf7 AddCharset UTF-8 .utf8 AddCharset UTF-16 .utf16 AddCharset UTF-16BE .utf16be AddCharset UTF-16LE .utf16le AddCharset UTF-32 .utf32 AddCharset UTF-32BE .utf32be AddCharset UTF-32LE .utf32le AddCharset euc-cn .euc-cn AddCharset euc-gb .euc-gb AddCharset euc-jp .euc-jp AddCharset euc-kr .euc-kr #Not sure how euc-tw got in - IANA doesn't list it??? 
AddCharset EUC-TW .euc-tw AddCharset gb2312 .gb2312 .gb AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2 AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4 AddCharset shift_jis .shift_jis .sjis AddCharset BRF .brf # # AddHandler allows you to map certain file extensions to "handlers": # actions unrelated to filetype. These can be either built into the server # or added with the Action directive (see below) # # To use CGI scripts outside of ScriptAliased directories: # (You will also need to add "ExecCGI" to the "Options" directive.) # #AddHandler cgi-script .cgi # # For files that include their own HTTP headers: # #AddHandler send-as-is asis # # For server-parsed imagemap files: # #AddHandler imap-file map # # For type maps (negotiated resources): # (This is enabled by default to allow the Apache "It Worked" page # to be distributed in multiple languages.) # AddHandler type-map var # # Filters allow you to process content before it is sent to the client. # # To parse .shtml files for server-side includes (SSI): # (You will also need to add "Includes" to the "Options" directive.) 
# AddType text/html .shtml AddOutputFilter INCLUDES .shtml # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/actions.load0000644000000000000000000000010213376761111016367 0ustar LoadModule actions_module /usr/lib/apache2/modules/mod_actions.so debian/config-dir/mods-available/filter.load0000644000000000000000000000010013376761111016212 0ustar LoadModule filter_module /usr/lib/apache2/modules/mod_filter.so debian/config-dir/mods-available/allowmethods.load0000644000000000000000000000011413376761111017434 0ustar LoadModule allowmethods_module /usr/lib/apache2/modules/mod_allowmethods.so debian/config-dir/mods-available/session.load0000644000000000000000000000010213376761111016412 0ustar LoadModule session_module /usr/lib/apache2/modules/mod_session.so debian/config-dir/mods-available/heartbeat.load0000644000000000000000000000026013376761111016673 0ustar # This module depends on mod_watchdog to be loaded before. In Debian, this # module is statically linked. LoadModule heartbeat_module /usr/lib/apache2/modules/mod_heartbeat.so debian/config-dir/mods-available/ssl.conf0000644000000000000000000000651413376761111015553 0ustar # Pseudo Random Number Generator (PRNG): # Configure one or more sources to seed the PRNG of the SSL library. # The seed data should be of good random quality. # WARNING! On some platforms /dev/random blocks if not enough entropy # is available. This means you then cannot use the /dev/random device # because it would lead to very long connection times (as long as # it requires to make more entropy available). But usually those # platforms additionally provide a /dev/urandom device which doesn't # block. So, if available, use this one instead. Read the mod_ssl User # Manual for more details. 
# SSLRandomSeed startup builtin SSLRandomSeed startup file:/dev/urandom 512 SSLRandomSeed connect builtin SSLRandomSeed connect file:/dev/urandom 512 ## ## SSL Global Context ## ## All SSL configuration in this context applies both to ## the main server and all SSL-enabled virtual hosts. ## # # Some MIME-types for downloading Certificates and CRLs # AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl # Pass Phrase Dialog: # Configure the pass phrase gathering process. # The filtering dialog program (`builtin' is an internal # terminal dialog) has to provide the pass phrase on stdout. SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase # Inter-Process Session Cache: # Configure the SSL Session Cache: First the mechanism # to use and second the expiring timeout (in seconds). # (The mechanism dbm has known memory leaks and should not be used). #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) SSLSessionCacheTimeout 300 # Semaphore: # Configure the path to the mutual exclusion semaphore the # SSL engine uses internally for inter-process synchronization. # (Disabled by default, the global Mutex directive consolidates by default # this) #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. See the # ciphers(1) man page from the openssl package for list of all available # options. # Enable only secure ciphers: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 # Speed-optimized SSL Cipher configuration: # If speed is your main concern (on busy HTTPS servers e.g.), # you might want to force clients to specific, performance # optimized ciphers. In this case, prepend those ciphers # to the SSLCipherSuite list, and enable SSLHonorCipherOrder. 
# Caveat: by giving precedence to RC4-SHA and AES128-SHA # (as in the example below), most connections will no longer # have perfect forward secrecy - if the server's key is # compromised, captures of past or future traffic must be # considered compromised, too. # Note: RC4 cipher suites are prohibited for TLS by RFC 7465, so # the example below should not be enabled as written. #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 #SSLHonorCipherOrder on # The protocols to enable. # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 # SSL v2 is no longer supported # Note: depending on the mod_ssl and OpenSSL build, "all" can include # SSLv3, which RFC 7568 deprecates; "SSLProtocol all -SSLv3" excludes it. SSLProtocol all # Allow insecure renegotiation with clients which do not yet support the # secure renegotiation protocol. Default: Off #SSLInsecureRenegotiation on # Whether to forbid non-SNI clients to access name based virtual hosts. # Default: Off #SSLStrictSNIVHostCheck On # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/setenvif.load0000644000000000000000000000010413376761111016554 0ustar LoadModule setenvif_module /usr/lib/apache2/modules/mod_setenvif.so debian/config-dir/mods-available/actions.conf0000644000000000000000000000057113376761111016407 0ustar # a2enmod-note: needs-configuration # # Action lets you define media types that will execute a script whenever # a matching file is called. This eliminates the need for repeated URL # pathnames for oft-used CGI file processors. 
# Format: Action media/type /cgi-script/location # Format: Action handler-name /cgi-script/location # # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/authn_dbm.load0000644000000000000000000000010613376761111016674 0ustar LoadModule authn_dbm_module /usr/lib/apache2/modules/mod_authn_dbm.so debian/config-dir/mods-available/session_dbd.load0000644000000000000000000000013513376761111017231 0ustar # Depends: session LoadModule session_dbd_module /usr/lib/apache2/modules/mod_session_dbd.so debian/config-dir/mods-available/cgid.load0000644000000000000000000000007413376761111015645 0ustar LoadModule cgid_module /usr/lib/apache2/modules/mod_cgid.so debian/config-dir/mods-available/proxy_fcgi.load0000644000000000000000000000013113376761111017102 0ustar # Depends: proxy LoadModule proxy_fcgi_module /usr/lib/apache2/modules/mod_proxy_fcgi.so debian/config-dir/mods-available/proxy_balancer.load0000644000000000000000000000016313376761111017746 0ustar # Depends: proxy alias slotmem_shm LoadModule proxy_balancer_module /usr/lib/apache2/modules/mod_proxy_balancer.so debian/config-dir/mods-available/cgi.load0000644000000000000000000000007213376761111015477 0ustar LoadModule cgi_module /usr/lib/apache2/modules/mod_cgi.so debian/config-dir/mods-available/authz_user.load0000644000000000000000000000013613376761111017127 0ustar # Depends: authz_core LoadModule authz_user_module /usr/lib/apache2/modules/mod_authz_user.so debian/config-dir/mods-available/auth_basic.load0000644000000000000000000000013613376761111017040 0ustar # Depends: authn_core LoadModule auth_basic_module /usr/lib/apache2/modules/mod_auth_basic.so debian/config-dir/mods-available/dump_io.load0000644000000000000000000000010013376761111016361 0ustar LoadModule dumpio_module /usr/lib/apache2/modules/mod_dumpio.so debian/config-dir/mods-available/socache_memcache.load0000644000000000000000000000012413376761111020162 0ustar LoadModule socache_memcache_module 
/usr/lib/apache2/modules/mod_socache_memcache.so debian/config-dir/mods-available/info.conf0000644000000000000000000000062213376761111015677 0ustar # Allow remote server configuration reports, with the URL of # http://servername/server-info (requires that mod_info.c be loaded). # Uncomment and change the "192.0.2.0/24" to allow access from other hosts. # SetHandler server-info Require local #Require ip 192.0.2.0/24 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/slotmem_plain.load0000644000000000000000000000011613376761111017577 0ustar LoadModule slotmem_plain_module /usr/lib/apache2/modules/mod_slotmem_plain.so debian/config-dir/mods-available/unique_id.load0000644000000000000000000000010613376761111016715 0ustar LoadModule unique_id_module /usr/lib/apache2/modules/mod_unique_id.so debian/config-dir/mods-available/ext_filter.load0000644000000000000000000000011013376761111017073 0ustar LoadModule ext_filter_module /usr/lib/apache2/modules/mod_ext_filter.so debian/config-dir/mods-available/lua.load0000644000000000000000000000007213376761111015516 0ustar LoadModule lua_module /usr/lib/apache2/modules/mod_lua.so debian/config-dir/mods-available/mime_magic.conf0000644000000000000000000000017013376761111017031 0ustar MIMEMagicFile /etc/apache2/magic # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/dav_lock.load0000644000000000000000000000010413376761111016513 0ustar LoadModule dav_lock_module /usr/lib/apache2/modules/mod_dav_lock.so debian/config-dir/mods-available/proxy_ftp.load0000644000000000000000000000012713376761111016770 0ustar # Depends: proxy LoadModule proxy_ftp_module /usr/lib/apache2/modules/mod_proxy_ftp.so debian/config-dir/mods-available/mpm_worker.load0000644000000000000000000000015313376761111017117 0ustar # Conflicts: mpm_event mpm_prefork LoadModule mpm_worker_module /usr/lib/apache2/modules/mod_mpm_worker.so 
debian/config-dir/mods-available/log_forensic.load0000644000000000000000000000011413376761111017403 0ustar LoadModule log_forensic_module /usr/lib/apache2/modules/mod_log_forensic.so debian/config-dir/mods-available/ldap.conf0000644000000000000000000000017113376761111015663 0ustar SetHandler ldap-status Require local # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/dav_fs.conf0000644000000000000000000000012313376761111016202 0ustar DAVLockDB ${APACHE_LOCK_DIR}/DAVLock # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/socache_dbm.load0000644000000000000000000000011213376761111017157 0ustar LoadModule socache_dbm_module /usr/lib/apache2/modules/mod_socache_dbm.so debian/config-dir/mods-available/alias.conf0000644000000000000000000000151313376761111016035 0ustar # Aliases: Add here as many aliases as you need (with no limit). The format is # Alias fakename realname # # Note that if you include a trailing / on fakename then the server will # require it to be present in the URL. So "/icons" isn't aliased in this # example, only "/icons/". If the fakename is slash-terminated, then the # realname must also be slash terminated, and if the fakename omits the # trailing slash, the realname must also omit it. # # We include the /icons/ alias for FancyIndexed directory listings. If # you do not use FancyIndexing, you may comment this out. Alias /icons/ "/usr/share/apache2/icons/" Options FollowSymlinks AllowOverride None Require all granted # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/autoindex.conf0000644000000000000000000000645613376761111016757 0ustar # Directives controlling the display of server-generated directory listings. # # IndexOptions: Controls the appearance of server-generated directory # listings. # Remove/replace the "Charset=UTF-8" if you don't use UTF-8 for your filenames. 
IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8 # # AddIcon* directives tell the server which icon to show for different # files or filename extensions. These are only displayed for # FancyIndexed directories. AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip x-bzip2 AddIconByType (TXT,/icons/text.gif) text/* AddIconByType (IMG,/icons/image2.gif) image/* AddIconByType (SND,/icons/sound2.gif) audio/* AddIconByType (VID,/icons/movie.gif) video/* AddIcon /icons/binary.gif .bin .exe AddIcon /icons/binhex.gif .hqx AddIcon /icons/tar.gif .tar AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip AddIcon /icons/a.gif .ps .ai .eps AddIcon /icons/layout.gif .html .shtml .htm .pdf AddIcon /icons/text.gif .txt AddIcon /icons/c.gif .c AddIcon /icons/p.gif .pl .py AddIcon /icons/f.gif .for AddIcon /icons/dvi.gif .dvi AddIcon /icons/uuencoded.gif .uu AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl AddIcon /icons/tex.gif .tex # It's a suffix rule, so simply matching "core" matches "score" as well ! AddIcon /icons/bomb.gif /core AddIcon (SND,/icons/sound2.gif) .ogg AddIcon (VID,/icons/movie.gif) .ogm AddIcon /icons/back.gif .. 
AddIcon /icons/hand.right.gif README AddIcon /icons/folder.gif ^^DIRECTORY^^ AddIcon /icons/blank.gif ^^BLANKICON^^ # Default icons for OpenDocument format AddIcon /icons/odf6odt-20x22.png .odt AddIcon /icons/odf6ods-20x22.png .ods AddIcon /icons/odf6odp-20x22.png .odp AddIcon /icons/odf6odg-20x22.png .odg AddIcon /icons/odf6odc-20x22.png .odc AddIcon /icons/odf6odf-20x22.png .odf AddIcon /icons/odf6odb-20x22.png .odb AddIcon /icons/odf6odi-20x22.png .odi AddIcon /icons/odf6odm-20x22.png .odm AddIcon /icons/odf6ott-20x22.png .ott AddIcon /icons/odf6ots-20x22.png .ots AddIcon /icons/odf6otp-20x22.png .otp AddIcon /icons/odf6otg-20x22.png .otg AddIcon /icons/odf6otc-20x22.png .otc AddIcon /icons/odf6otf-20x22.png .otf AddIcon /icons/odf6oti-20x22.png .oti AddIcon /icons/odf6oth-20x22.png .oth # # DefaultIcon is which icon to show for files which do not have an icon # explicitly set. DefaultIcon /icons/unknown.gif # # AddDescription allows you to place a short description after a file in # server-generated indexes. These are only displayed for FancyIndexed # directories. # Format: AddDescription "description" filename #AddDescription "GZIP compressed document" .gz #AddDescription "tar archive" .tar #AddDescription "GZIP compressed tar archive" .tgz # # ReadmeName is the name of the README file the server will look for by # default, and append to directory listings. # # HeaderName is the name of a file which should be prepended to # directory indexes ReadmeName README.html HeaderName HEADER.html # # IndexIgnore is a set of filenames which directory indexing should ignore # and not include in the listing. Shell-style wildcarding is permitted. 
IndexIgnore .??* *~ *# RCS CVS *,v *,t # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/dav.load0000644000000000000000000000007213376761111015507 0ustar LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so debian/config-dir/mods-available/asis.load0000644000000000000000000000011413376761111015671 0ustar # Depends: mime LoadModule asis_module /usr/lib/apache2/modules/mod_asis.so debian/config-dir/mods-available/authz_core.load0000644000000000000000000000011013376761111017071 0ustar LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so debian/config-dir/mods-available/reqtimeout.conf0000644000000000000000000000224613376761111017146 0ustar # mod_reqtimeout limits the time waiting on the client to prevent an # attacker from causing a denial of service by opening many connections # but not sending requests. This file tries to give a sensible default # configuration, but it may be necessary to tune the timeout values to # the actual situation. Note that it is also possible to configure # mod_reqtimeout per virtual host. # Wait max 20 seconds for the first byte of the request line+headers # From then, require a minimum data rate of 500 bytes/s, but don't # wait longer than 40 seconds in total. # Note: Lower timeouts may make sense on non-ssl virtual hosts but can # cause problems with ssl enabled virtual hosts: This timeout includes # the time a browser may need to fetch the CRL for the certificate. If # the CRL server is not reachable, it may take more than 10 seconds # until the browser gives up. 
RequestReadTimeout header=20-40,minrate=500 # Wait max 10 seconds for the first byte of the request body (if any) # From then, require a minimum data rate of 500 bytes/s RequestReadTimeout body=10,minrate=500 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/buffer.load0000644000000000000000000000010013376761111016176 0ustar LoadModule buffer_module /usr/lib/apache2/modules/mod_buffer.so debian/config-dir/mods-available/authz_dbd.load0000644000000000000000000000014013376761111016675 0ustar # Depends: dbd authz_core LoadModule authz_dbd_module /usr/lib/apache2/modules/mod_authz_dbd.so debian/config-dir/mods-available/authnz_ldap.load0000644000000000000000000000013213376761111017243 0ustar # Depends: ldap LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so debian/config-dir/mods-available/lbmethod_byrequests.load0000644000000000000000000000016413376761111021023 0ustar # Depends: proxy_balancer LoadModule lbmethod_byrequests_module /usr/lib/apache2/modules/mod_lbmethod_byrequests.so debian/config-dir/mods-available/mpm_event.load0000644000000000000000000000015213376761111016726 0ustar # Conflicts: mpm_worker mpm_prefork LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so debian/config-dir/mods-available/status.conf0000644000000000000000000000135513376761111016273 0ustar # Allow server status reports generated by mod_status, # with the URL of http://servername/server-status # Uncomment and change the "192.0.2.0/24" to allow access from other hosts. SetHandler server-status Require local #Require ip 192.0.2.0/24 # Keep track of extended status information for each request ExtendedStatus On # Determine if mod_status displays the first 63 characters of a request or # the last 63, assuming the request itself is greater than 63 chars. 
# Default: Off #SeeRequestTail On # Show Proxy LoadBalancer status in mod_status ProxyStatus On # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/lbmethod_bytraffic.load0000644000000000000000000000016213376761111020564 0ustar # Depends: proxy_balancer LoadModule lbmethod_bytraffic_module /usr/lib/apache2/modules/mod_lbmethod_bytraffic.so debian/config-dir/mods-available/slotmem_shm.load0000644000000000000000000000011213376761111017257 0ustar LoadModule slotmem_shm_module /usr/lib/apache2/modules/mod_slotmem_shm.so debian/config-dir/mods-available/cache.load0000644000000000000000000000007613376761111016004 0ustar LoadModule cache_module /usr/lib/apache2/modules/mod_cache.so debian/config-dir/mods-available/proxy_connect.load0000644000000000000000000000013713376761111017631 0ustar # Depends: proxy LoadModule proxy_connect_module /usr/lib/apache2/modules/mod_proxy_connect.so debian/config-dir/mods-available/lbmethod_bybusyness.load0000644000000000000000000000016413376761111021023 0ustar # Depends: proxy_balancer LoadModule lbmethod_bybusyness_module /usr/lib/apache2/modules/mod_lbmethod_bybusyness.so debian/config-dir/mods-available/authz_groupfile.load0000644000000000000000000000015013376761111020141 0ustar # Depends: authz_core LoadModule authz_groupfile_module /usr/lib/apache2/modules/mod_authz_groupfile.so debian/config-dir/mods-available/autoindex.load0000644000000000000000000000010613376761111016733 0ustar LoadModule autoindex_module /usr/lib/apache2/modules/mod_autoindex.so debian/config-dir/mods-available/env.load0000644000000000000000000000007213376761111015525 0ustar LoadModule env_module /usr/lib/apache2/modules/mod_env.so debian/config-dir/mods-available/userdir.conf0000644000000000000000000000064713376761111016430 0ustar UserDir public_html UserDir disabled root AllowOverride FileInfo AuthConfig Limit Indexes Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec Require all granted Require all denied # vim: 
syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/mpm_prefork.load0000644000000000000000000000015413376761111017257 0ustar # Conflicts: mpm_event mpm_worker LoadModule mpm_prefork_module /usr/lib/apache2/modules/mod_mpm_prefork.so debian/config-dir/mods-available/ratelimit.load0000644000000000000000000000012513376761111016726 0ustar # Depends: env LoadModule ratelimit_module /usr/lib/apache2/modules/mod_ratelimit.so debian/config-dir/mods-available/mpm_event.conf0000644000000000000000000000123413376761111016736 0ustar # event MPM # StartServers: initial number of server processes to start # MinSpareThreads: minimum number of worker threads which are kept spare # MaxSpareThreads: maximum number of worker threads which are kept spare # ThreadsPerChild: constant number of worker threads in each server process # MaxRequestWorkers: maximum number of worker threads # MaxConnectionsPerChild: maximum number of requests a server process serves StartServers 2 MinSpareThreads 25 MaxSpareThreads 75 ThreadLimit 64 ThreadsPerChild 25 MaxRequestWorkers 150 MaxConnectionsPerChild 0 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/deflate.load0000644000000000000000000000012413376761111016337 0ustar # Depends: filter LoadModule deflate_module /usr/lib/apache2/modules/mod_deflate.so debian/config-dir/mods-available/dbd.load0000644000000000000000000000007213376761111015466 0ustar LoadModule dbd_module /usr/lib/apache2/modules/mod_dbd.so debian/config-dir/mods-available/mime.load0000644000000000000000000000007413376761111015666 0ustar LoadModule mime_module /usr/lib/apache2/modules/mod_mime.so debian/config-dir/mods-available/proxy_balancer.conf0000644000000000000000000000053313376761111017755 0ustar # Balancer manager enables dynamic update of balancer members # (needs mod_status). Uncomment to enable. 
# # # # SetHandler balancer-manager # Require local # # # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/proxy.load0000644000000000000000000000007613376761111016122 0ustar LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so debian/config-dir/mods-available/log_debug.load0000644000000000000000000000010613376761111016662 0ustar LoadModule log_debug_module /usr/lib/apache2/modules/mod_log_debug.so debian/config-dir/mods-available/proxy_scgi.load0000644000000000000000000000013113376761111017117 0ustar # Depends: proxy LoadModule proxy_scgi_module /usr/lib/apache2/modules/mod_proxy_scgi.so debian/config-dir/mods-available/data.load0000644000000000000000000000007413376761111015650 0ustar LoadModule data_module /usr/lib/apache2/modules/mod_data.so debian/config-dir/mods-available/heartmonitor.load0000644000000000000000000000026613376761111017455 0ustar # This module depends on mod_watchdog to be loaded before. In Debian, this # module is statically linked. LoadModule heartmonitor_module /usr/lib/apache2/modules/mod_heartmonitor.so debian/config-dir/mods-available/usertrack.load0000644000000000000000000000010613376761111016736 0ustar LoadModule usertrack_module /usr/lib/apache2/modules/mod_usertrack.so debian/config-dir/mods-available/remoteip.load0000644000000000000000000000010413376761111016555 0ustar LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so debian/config-dir/mods-available/authn_anon.load0000644000000000000000000000011013376761111017060 0ustar LoadModule authn_anon_module /usr/lib/apache2/modules/mod_authn_anon.so debian/config-dir/mods-available/macro.load0000644000000000000000000000007613376761111016042 0ustar LoadModule macro_module /usr/lib/apache2/modules/mod_macro.so debian/config-dir/mods-available/setenvif.conf0000644000000000000000000000240013376761111016563 0ustar # # The following directives modify normal HTTP response behavior to # handle known problems with browser implementations. 
# BrowserMatch "Mozilla/2" nokeepalive BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 BrowserMatch "RealPlayer 4\.0" force-response-1.0 BrowserMatch "Java/1\.0" force-response-1.0 BrowserMatch "JDK/1\.0" force-response-1.0 # # The following directive disables redirects on non-GET requests for # a directory that does not include the trailing slash. This fixes a # problem with Microsoft WebFolders which does not appropriately handle # redirects for folders with DAV methods. # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV. # BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully BrowserMatch "MS FrontPage" redirect-carefully BrowserMatch "^WebDrive" redirect-carefully BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully BrowserMatch "^gnome-vfs/1.0" redirect-carefully BrowserMatch "^gvfs/1" redirect-carefully BrowserMatch "^XML Spy" redirect-carefully BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully BrowserMatch " Konqueror/4" redirect-carefully # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/proxy_wstunnel.load0000644000000000000000000000014113376761111020052 0ustar # Depends: proxy LoadModule proxy_wstunnel_module /usr/lib/apache2/modules/mod_proxy_wstunnel.so debian/config-dir/mods-available/authz_dbm.load0000644000000000000000000000013413376761111016711 0ustar # Depends: authz_core LoadModule authz_dbm_module /usr/lib/apache2/modules/mod_authz_dbm.so debian/config-dir/mods-available/cache_socache.load0000644000000000000000000000013713376761111017467 0ustar # Depends: cache LoadModule cache_socache_module /usr/lib/apache2/modules/mod_cache_socache.so debian/config-dir/mods-available/proxy_fdpass.load0000644000000000000000000000013513376761111017456 0ustar # Depends: proxy LoadModule proxy_fdpass_module /usr/lib/apache2/modules/mod_proxy_fdpass.so debian/config-dir/mods-available/cache_disk.conf0000644000000000000000000000157113376761111017025 0ustar 
# cache cleaning is done by htcacheclean, which can be configured in # /etc/default/apache2 # # For further information, see the comments in that file, # /usr/share/doc/apache2/README.Debian, and the htcacheclean(8) # man page. # This path must be the same as the one in /etc/default/apache2 CacheRoot /var/cache/apache2/mod_cache_disk # This will also cache local documents. It usually makes more sense to # put this into the configuration for just one virtual host. #CacheEnable disk / # The result of CacheDirLevels * CacheDirLength must not be higher than # 20. Moreover, pay attention to file system limits. Some file systems # do not support more than a certain number of inodes and # subdirectories (e.g. 32000 for ext3) CacheDirLevels 2 CacheDirLength 1 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/reflector.load0000644000000000000000000000010613376761111016720 0ustar LoadModule reflector_module /usr/lib/apache2/modules/mod_reflector.so debian/config-dir/mods-available/vhost_alias.load0000644000000000000000000000011213376761111017244 0ustar LoadModule vhost_alias_module /usr/lib/apache2/modules/mod_vhost_alias.so debian/config-dir/mods-available/cache_disk.load0000644000000000000000000000013113376761111017006 0ustar # Depends: cache LoadModule cache_disk_module /usr/lib/apache2/modules/mod_cache_disk.so debian/config-dir/mods-available/suexec.load0000644000000000000000000000010013376761111016221 0ustar LoadModule suexec_module /usr/lib/apache2/modules/mod_suexec.so debian/config-dir/mods-available/charset_lite.load0000644000000000000000000000011413376761111017400 0ustar LoadModule charset_lite_module /usr/lib/apache2/modules/mod_charset_lite.so debian/config-dir/mods-available/authz_owner.load0000644000000000000000000000011213376761111017275 0ustar LoadModule authz_owner_module /usr/lib/apache2/modules/mod_authz_owner.so debian/config-dir/mods-available/speling.load0000644000000000000000000000010213376761111016370 0ustar LoadModule 
speling_module /usr/lib/apache2/modules/mod_speling.so debian/config-dir/mods-available/headers.load0000644000000000000000000000010213376761111016342 0ustar LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so debian/config-dir/mods-available/session_crypto.load0000644000000000000000000000014313376761111020017 0ustar # Depends: session LoadModule session_crypto_module /usr/lib/apache2/modules/mod_session_crypto.so debian/config-dir/mods-available/proxy_html.load0000644000000000000000000000013113376761111017136 0ustar # Depends: proxy LoadModule proxy_html_module /usr/lib/apache2/modules/mod_proxy_html.so debian/config-dir/mods-available/authn_socache.load0000644000000000000000000000011613376761111017540 0ustar LoadModule authn_socache_module /usr/lib/apache2/modules/mod_authn_socache.so debian/config-dir/mods-available/dir.conf0000644000000000000000000000023513376761111015522 0ustar DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/socache_shmcb.load0000644000000000000000000000011613376761111017515 0ustar LoadModule socache_shmcb_module /usr/lib/apache2/modules/mod_socache_shmcb.so debian/config-dir/mods-available/proxy_http.load0000644000000000000000000000013113376761111017151 0ustar # Depends: proxy LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so debian/config-dir/mods-available/proxy.conf0000644000000000000000000000146613376761111016134 0ustar # If you want to use apache2 as a forward proxy, uncomment the # 'ProxyRequests On' line and the block below. # WARNING: Be careful to restrict access inside the block. # Open proxy servers are dangerous both to your network and to the # Internet at large. # # If you only want to use apache2 as a reverse proxy/gateway in # front of some web application server, you DON'T need # 'ProxyRequests On'. 
#ProxyRequests On # # AddDefaultCharset off # Require all denied # #Require local # # Enable/disable the handling of HTTP/1.1 "Via:" headers. # ("Full" adds the server version; "Block" removes all outgoing Via: headers) # Set to one of: Off | On | Full | Block #ProxyVia Off # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/mods-available/alias.load0000644000000000000000000000007613376761111016032 0ustar LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so debian/config-dir/mods-available/dialup.load0000644000000000000000000000010013376761111016203 0ustar LoadModule dialup_module /usr/lib/apache2/modules/mod_dialup.so debian/config-dir/mods-available/file_cache.load0000644000000000000000000000013113376761111016773 0ustar # Depends: cache LoadModule file_cache_module /usr/lib/apache2/modules/mod_file_cache.so debian/config-dir/mods-available/auth_form.load0000644000000000000000000000014413376761111016721 0ustar # Depends: session authn_core LoadModule auth_form_module /usr/lib/apache2/modules/mod_auth_form.so debian/config-dir/mods-available/authn_core.load0000644000000000000000000000011013376761111017055 0ustar LoadModule authn_core_module /usr/lib/apache2/modules/mod_authn_core.so debian/config-dir/mods-available/proxy_express.load0000644000000000000000000000013713376761111017671 0ustar # Depends: proxy LoadModule proxy_express_module /usr/lib/apache2/modules/mod_proxy_express.so debian/config-dir/mods-available/mime_magic.load0000644000000000000000000000011013376761111017015 0ustar LoadModule mime_magic_module /usr/lib/apache2/modules/mod_mime_magic.so debian/config-dir/ports.conf0000644000000000000000000000050013376761111013226 0ustar # If you just change the port or add more ports here, you will likely also # have to change the VirtualHost statement in # /etc/apache2/sites-enabled/000-default.conf Listen 80 Listen 443 Listen 443 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet 
debian/config-dir/envvars0000644000000000000000000000336613376761111012634 0ustar # envvars - default environment variables for apache2ctl # this won't be correct after changing uid unset HOME # for supporting multiple apache2 instances if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}" else SUFFIX= fi # Since there is no sane way to get the parsed apache2 config in scripts, some # settings are defined via environment variables and then used in apache2ctl, # /etc/init.d/apache2, /etc/logrotate.d/apache2, etc. export APACHE_RUN_USER=www-data export APACHE_RUN_GROUP=www-data # temporary state file location. This might be changed to /run in Wheezy+1 export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid export APACHE_RUN_DIR=/var/run/apache2$SUFFIX export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX # Only /var/log/apache2 is handled by /etc/logrotate.d/apache2. export APACHE_LOG_DIR=/var/log/apache2$SUFFIX ## The locale used by some modules like mod_dav export LANG=C ## Uncomment the following line to use the system default locale instead: #. /etc/default/locale export LANG ## The command to get the status for 'apache2ctl status'. ## Some packages providing 'www-browser' need '--dump' instead of '-dump'. #export APACHE_LYNX='www-browser -dump' ## If you need a higher file descriptor limit, uncomment and adjust the ## following line (default is 8192): #APACHE_ULIMIT_MAX_FILES='ulimit -n 65536' ## If you would like to pass arguments to the web server, add them below ## to the APACHE_ARGUMENTS environment. #export APACHE_ARGUMENTS='' ## Enable the debug mode for maintainer scripts. ## This will produce a verbose output on package installations of web server modules and web application ## installations which interact with Apache #export APACHE2_MAINTSCRIPT_DEBUG=1 debian/config-dir/apache2.conf0000644000000000000000000001571313376761111013376 0ustar # This is the main Apache server configuration file. 
It contains the # configuration directives that give the server its instructions. # See http://httpd.apache.org/docs/2.4/ for detailed information about # the directives and /usr/share/doc/apache2/README.Debian about Debian specific # hints. # # # Summary of how the Apache 2 configuration works in Debian: # The Apache 2 web server configuration in Debian is quite different to # upstream's suggested way to configure the web server. This is because Debian's # default Apache2 installation attempts to make adding and removing modules, # virtual hosts, and extra configuration directives as flexible as possible, in # order to make automating the changes and administering the server as easy as # possible. # It is split into several files forming the configuration hierarchy outlined # below, all located in the /etc/apache2/ directory: # # /etc/apache2/ # |-- apache2.conf # | `-- ports.conf # |-- mods-enabled # | |-- *.load # | `-- *.conf # |-- conf-enabled # | `-- *.conf # `-- sites-enabled # `-- *.conf # # # * apache2.conf is the main configuration file (this file). It puts the pieces # together by including all remaining configuration files when starting up the # web server. # # * ports.conf is always included from the main configuration file. It is # supposed to determine listening ports for incoming connections which can be # customized anytime. # # * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ # directories contain particular configuration snippets which manage modules, # global configuration fragments, or virtual host configurations, # respectively. # # They are activated by symlinking available configuration files from their # respective *-available/ counterparts. These should be managed by using our # helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See # their respective man pages for detailed information. # # * The binary is called apache2. 
Due to the use of environment variables, in # the default configuration, apache2 needs to be started/stopped with # /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not # work with the default configuration. # Global configuration # # # ServerRoot: The top of the directory tree under which the server's # configuration, error, and log files are kept. # # NOTE! If you intend to place this on an NFS (or otherwise network) # mounted filesystem then please read the Mutex documentation (available # at ); # you will save yourself a lot of trouble. # # Do NOT add a slash at the end of the directory path. # #ServerRoot "/etc/apache2" # # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. # Mutex file:${APACHE_LOCK_DIR} default # # PidFile: The file in which the server should record its process # identification number when it starts. # This needs to be set in /etc/apache2/envvars # PidFile ${APACHE_PID_FILE} # # Timeout: The number of seconds before receives and sends time out. # Timeout 300 # # KeepAlive: Whether or not to allow persistent connections (more than # one request per connection). Set to "Off" to deactivate. # KeepAlive On # # MaxKeepAliveRequests: The maximum number of requests to allow # during a persistent connection. Set to 0 to allow an unlimited amount. # We recommend you leave this number high, for maximum performance. # MaxKeepAliveRequests 100 # # KeepAliveTimeout: Number of seconds to wait for the next request from the # same client on the same connection. # KeepAliveTimeout 5 # These need to be set in /etc/apache2/envvars User ${APACHE_RUN_USER} Group ${APACHE_RUN_GROUP} # # HostnameLookups: Log the names of clients or just their IP addresses # e.g., www.apache.org (on) or 204.62.129.132 (off). 
# The default is off because it'd be overall better for the net if people # had to knowingly turn this feature on, since enabling it means that # each client request will result in AT LEAST one lookup request to the # nameserver. # HostnameLookups Off # ErrorLog: The location of the error log file. # If you do not specify an ErrorLog directive within a # container, error messages relating to that virtual host will be # logged here. If you *do* define an error logfile for a # container, that host's errors will be logged there and not here. # ErrorLog ${APACHE_LOG_DIR}/error.log # # LogLevel: Control the severity of messages logged to the error_log. # Available values: trace8, ..., trace1, debug, info, notice, warn, # error, crit, alert, emerg. # It is also possible to configure the log level for particular modules, e.g. # "LogLevel info ssl:warn" # LogLevel warn # Include module configuration: IncludeOptional mods-enabled/*.load IncludeOptional mods-enabled/*.conf # Include list of ports to listen on Include ports.conf # Sets the default security model of the Apache2 HTTPD server. It does # not allow access to the root filesystem outside of /usr/share and /var/www. # The former is used by web applications packaged in Debian, # the latter may be used for local directories served by the web server. If # your system is serving content from a sub-directory in /srv you must allow # access here, or in any related virtual host. Options FollowSymLinks AllowOverride None Require all denied AllowOverride None Require all granted Options Indexes FollowSymLinks AllowOverride None Require all granted # # Options Indexes FollowSymLinks # AllowOverride None # Require all granted # # AccessFileName: The name of the file to look for in each directory # for additional configuration directives. See also the AllowOverride # directive. # AccessFileName .htaccess # # The following lines prevent .htaccess and .htpasswd files from being # viewed by Web clients. 
# Require all denied # # The following directives define some format nicknames for use with # a CustomLog directive. # # These deviate from the Common Log Format definitions in that they use %O # (the actual bytes sent including headers) instead of %b (the size of the # requested file), because the latter makes it impossible to detect partial # requests. # # Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. # Use mod_remoteip instead. # LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %O" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent # Include of directories ignores editors' and dpkg's backup files, # see README.Debian for details. # Include generic snippets of statements IncludeOptional conf-enabled/*.conf # Include the virtual host configurations: IncludeOptional sites-enabled/*.conf # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/conf-available/0000755000000000000000000000000013376761111014060 5ustar debian/config-dir/conf-available/other-vhosts-access-log.conf0000644000000000000000000000027513376761111021416 0ustar # Define an access log for VirtualHosts that don't define their own logfile CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/conf-available/security.conf0000644000000000000000000000421613376761111016601 0ustar # # Disable access to the entire file system except for the directories that # are explicitly allowed later. # # This currently breaks the configurations that come with some web application # Debian packages. # # # AllowOverride None # Order Deny,Allow # Deny from all # # Changing the following options will not really affect the security of the # server, but might make attacks slightly more difficult in some cases. 
# # ServerTokens # This directive configures what you return as the Server HTTP response # Header. The default is 'Full' which sends information about the OS-Type # and compiled in modules. # Set to one of: Full | OS | Minimal | Minor | Major | Prod # where Full conveys the most information, and Prod the least. #ServerTokens Minimal ServerTokens OS #ServerTokens Full # # Optionally add a line containing the server version and virtual host # name to server-generated pages (internal error documents, FTP directory # listings, mod_status and mod_info output etc., but not CGI generated # documents or custom error documents). # Set to "EMail" to also include a mailto: link to the ServerAdmin. # Set to one of: On | Off | EMail #ServerSignature Off ServerSignature On # # Allow TRACE method # # Set to "extended" to also reflect the request body (only for testing and # diagnostic purposes). # # Set to one of: On | Off | extended TraceEnable Off #TraceEnable On # # Forbid access to version control directories # # If you use version control systems in your document root, you should # probably deny access to their directories. For example, for subversion: # # # Require all denied # # # Setting this header will prevent MSIE from interpreting files as something # other than what is declared by the content type in the HTTP headers. # Requires mod_headers to be enabled. # #Header set X-Content-Type-Options: "nosniff" # # Setting this header will prevent other sites from embedding pages from this # site as frames. This defends against clickjacking attacks. # Requires mod_headers to be enabled. # #Header set X-Frame-Options: "sameorigin" # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/conf-available/charset.conf0000644000000000000000000000047313376761111016364 0ustar # Read the documentation before enabling AddDefaultCharset. # In general, it is only a good idea if you know that all your files # have this encoding. 
It will override any encoding given in the files # in meta http-equiv or xml encoding tags. #AddDefaultCharset UTF-8 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/conf-available/localized-error-pages.conf0000644000000000000000000000623013376761111021122 0ustar # Customizable error responses come in three flavors: # 1) plain text # 2) local redirects # 3) external redirects # # Some examples: #ErrorDocument 500 "The server made a boo boo." #ErrorDocument 404 /missing.html #ErrorDocument 404 "/cgi-bin/missing_handler.pl" #ErrorDocument 402 http://www.example.com/subscription_info.html # # # Putting this all together, we can internationalize error responses. # # We use Alias to redirect any /error/HTTP_.html.var response to # our collection of by-error message multi-language collections. We use # includes to substitute the appropriate text. # # You can modify the messages' appearance without changing any of the # default HTTP_.html.var files by adding the line: # #Alias /error/include/ "/your/include/path/" # # which allows you to create your own set of files by starting with the # /usr/share/apache2/error/include/ files and copying them to /your/include/path/, # even on a per-VirtualHost basis. If you include the Alias in the global server # context, is has to come _before_ the 'Alias /error/ ...' line. # # The default include files will display your Apache version number and your # ServerAdmin email address regardless of the setting of ServerSignature. # # WARNING: The configuration below will NOT work out of the box if you have a # SetHandler directive in a context somewhere. Adding # the following three lines AFTER the context should # make it work in most cases: # # SetHandler none # # # The internationalized error documents require mod_alias, mod_include # and mod_negotiation. To activate them, uncomment the following 37 lines. 
# # # # # Alias /error/ "/usr/share/apache2/error/" # # # Options IncludesNoExec # AddOutputFilter Includes html # AddHandler type-map var # Order allow,deny # Allow from all # LanguagePriority en cs de es fr it nl sv pt-br ro # ForceLanguagePriority Prefer Fallback # # # ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var # ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var # ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var # ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var # ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var # ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var # ErrorDocument 410 /error/HTTP_GONE.html.var # ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var # ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var # ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var # ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var # ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var # ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var # ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var # ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var # ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var # ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var # # # # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/conf-available/serve-cgi-bin.conf0000644000000000000000000000070713376761111017365 0ustar Define ENABLE_USR_LIB_CGI_BIN Define ENABLE_USR_LIB_CGI_BIN ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Require all granted # vim: syntax=apache ts=4 sw=4 sts=4 sr noet debian/config-dir/magic0000644000000000000000000007452713376761111012237 0ustar # Magic data for mod_mime_magic (originally for file(1) command) # # The format is 4-5 columns: # Column #1: byte number to begin checking from, ">" indicates continuation # Column #2: type of data to match # Column #3: contents of data to match # Column #4: MIME type of 
result # Column #5: MIME encoding of result (optional) #------------------------------------------------------------------------------ # Localstuff: file(1) magic for locally observed files # Add any locally observed files here. # Real Audio (Magic .ra\0375) 0 belong 0x2e7261fd audio/x-pn-realaudio 0 string .RMF application/vnd.rn-realmedia #video/x-pn-realvideo #video/vnd.rn-realvideo #application/vnd.rn-realmedia # sigh, there are many mimes for that but the above are the most common. # Taken from magic, converted to magic.mime # mime types according to http://www.geocities.com/nevilo/mod.htm: # audio/it .it # audio/x-zipped-it .itz # audio/xm fasttracker modules # audio/x-s3m screamtracker modules # audio/s3m screamtracker modules # audio/x-zipped-mod mdz # audio/mod mod # audio/x-mod All modules (mod, s3m, 669, mtm, med, xm, it, mdz, stm, itz, xmz, s3z) # Taken from loader code from mikmod version 2.14 # by Steve McIntyre (stevem@chiark.greenend.org.uk) # added title printing on 2003-06-24 0 string MAS_UTrack_V00 >14 string >/0 audio/x-mod #audio/x-tracker-module #0 string UN05 MikMod UNI format module sound data 0 string Extended\ Module: audio/x-mod #audio/x-tracker-module ##>17 string >\0 Title: "%s" 21 string/c \!SCREAM! audio/x-mod #audio/x-screamtracker-module 21 string BMOD2STM audio/x-mod #audio/x-screamtracker-module 1080 string M.K. audio/x-mod #audio/x-protracker-module #>0 string >\0 Title: "%s" 1080 string M!K! 
audio/x-mod #audio/x-protracker-module #>0 string >\0 Title: "%s" 1080 string FLT4 audio/x-mod #audio/x-startracker-module #>0 string >\0 Title: "%s" 1080 string FLT8 audio/x-mod #audio/x-startracker-module #>0 string >\0 Title: "%s" 1080 string 4CHN audio/x-mod #audio/x-fasttracker-module #>0 string >\0 Title: "%s" 1080 string 6CHN audio/x-mod #audio/x-fasttracker-module #>0 string >\0 Title: "%s" 1080 string 8CHN audio/x-mod #audio/x-fasttracker-module #>0 string >\0 Title: "%s" 1080 string CD81 audio/x-mod #audio/x-oktalyzer-tracker-module #>0 string >\0 Title: "%s" 1080 string OKTA audio/x-mod #audio/x-oktalyzer-tracker-module #>0 string >\0 Title: "%s" # Not good enough. #1082 string CH #>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data 1080 string 16CN audio/x-mod #audio/x-taketracker-module #>0 string >\0 Title: "%s" 1080 string 32CN audio/x-mod #audio/x-taketracker-module #>0 string >\0 Title: "%s" # Impuse tracker module (it) 0 string IMPM audio/x-mod #>4 string >\0 "%s" #>40 leshort !0 compatible w/ITv%x #>42 leshort !0 created w/ITv%x #------------------------------------------------------------------------------ # end local stuff #------------------------------------------------------------------------------ # xml based formats! # svg 0 string \38 string \<\!DOCTYPE\040svg image/svg+xml # xml 0 string \2 short 0xbabe application/java #------------------------------------------------------------------------------ # audio: file(1) magic for sound formats # # from Jan Nicolai Langfeldt , # # Sun/NeXT audio data 0 string .snd >12 belong 1 audio/basic >12 belong 2 audio/basic >12 belong 3 audio/basic >12 belong 4 audio/basic >12 belong 5 audio/basic >12 belong 6 audio/basic >12 belong 7 audio/basic >12 belong 23 audio/x-adpcm # DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format # that uses little-endian encoding and has a different magic number # (0x0064732E in little-endian encoding). 
0 lelong 0x0064732E >12 lelong 1 audio/x-dec-basic >12 lelong 2 audio/x-dec-basic >12 lelong 3 audio/x-dec-basic >12 lelong 4 audio/x-dec-basic >12 lelong 5 audio/x-dec-basic >12 lelong 6 audio/x-dec-basic >12 lelong 7 audio/x-dec-basic # compressed (G.721 ADPCM) >12 lelong 23 audio/x-dec-adpcm # Bytes 0-3 of AIFF, AIFF-C, & 8SVX audio files are "FORM" # AIFF audio data 8 string AIFF audio/x-aiff # AIFF-C audio data 8 string AIFC audio/x-aiff # IFF/8SVX audio data 8 string 8SVX audio/x-aiff # Creative Labs AUDIO stuff # Standard MIDI data 0 string MThd audio/unknown #>9 byte >0 (format %d) #>11 byte >1 using %d channels # Creative Music (CMF) data 0 string CTMF audio/unknown # SoundBlaster instrument data 0 string SBI audio/unknown # Creative Labs voice data 0 string Creative\ Voice\ File audio/unknown ## is this next line right? it came this way... #>19 byte 0x1A #>23 byte >0 - version %d #>22 byte >0 \b.%d # [GRR 950115: is this also Creative Labs? Guessing that first line # should be string instead of unknown-endian long...] 
#0 long 0x4e54524b MultiTrack sound data #0 string NTRK MultiTrack sound data #>4 long x - version %ld # Microsoft WAVE format (*.wav) # [GRR 950115: probably all of the shorts and longs should be leshort/lelong] # Microsoft RIFF 0 string RIFF # - WAVE format >8 string WAVE audio/x-wav >8 string/B AVI video/x-msvideo # >8 string CDRA image/x-coreldraw # AAC (aka MPEG-2 NBC) 0 beshort&0xfff6 0xfff0 audio/X-HX-AAC-ADTS 0 string ADIF audio/X-HX-AAC-ADIF 0 beshort&0xffe0 0x56e0 audio/MP4A-LATM 0 beshort 0x4De1 audio/MP4A-LATM # MPEG Layer 3 sound files 0 beshort&0xfffe =0xfffa audio/mpeg #MP3 with ID3 tag 0 string ID3 audio/mpeg # Ogg/Vorbis 0 string OggS application/ogg #------------------------------------------------------------------------------ # c-lang: file(1) magic for C programs or various scripts # # XPM icons (Greg Roelofs, newt@uchicago.edu) # ideally should go into "images", but entries below would tag XPM as C source 0 string /*\ XPM image/x-xpmi 7bit # 3DS (3d Studio files) #16 beshort 0x3d3d image/x-3ds # this first will upset you if you're a PL/1 shop... (are there any left?) 
# in which case rm it; ascmagic will catch real C programs # C or REXX program text #0 string /* text/x-c # C++ program text #0 string // text/x-c++ #------------------------------------------------------------------------------ # commands: file(1) magic for various shells and interpreters # #0 string :\ shell archive or commands for antique kernel text 0 string #!/bin/sh application/x-shellscript 0 string #!\ /bin/sh application/x-shellscript 0 string #!/bin/csh application/x-shellscript 0 string #!\ /bin/csh application/x-shellscript # korn shell magic, sent by George Wu, gwu@clyde.att.com 0 string #!/bin/ksh application/x-shellscript 0 string #!\ /bin/ksh application/x-shellscript 0 string #!/bin/tcsh application/x-shellscript 0 string #!\ /bin/tcsh application/x-shellscript 0 string #!/usr/local/tcsh application/x-shellscript 0 string #!\ /usr/local/tcsh application/x-shellscript 0 string #!/usr/local/bin/tcsh application/x-shellscript 0 string #!\ /usr/local/bin/tcsh application/x-shellscript # bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) 0 string #!/bin/bash application/x-shellscript 0 string #!\ /bin/bash application/x-shellscript 0 string #!/usr/local/bin/bash application/x-shellscript 0 string #!\ /usr/local/bin/bash application/x-shellscript # # zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson) 0 string #!/bin/zsh application/x-shellscript 0 string #!/usr/bin/zsh application/x-shellscript 0 string #!/usr/local/bin/zsh application/x-shellscript 0 string #!\ /usr/local/bin/zsh application/x-shellscript 0 string #!/usr/local/bin/ash application/x-shellscript 0 string #!\ /usr/local/bin/ash application/x-shellscript #0 string #!/usr/local/bin/ae Neil Brown's ae #0 string #!\ /usr/local/bin/ae Neil Brown's ae 0 string #!/bin/nawk application/x-nawk 0 string #!\ /bin/nawk application/x-nawk 0 string #!/usr/bin/nawk application/x-nawk 0 string #!\ /usr/bin/nawk application/x-nawk 0 string #!/usr/local/bin/nawk 
application/x-nawk 0 string #!\ /usr/local/bin/nawk application/x-nawk 0 string #!/bin/gawk application/x-gawk 0 string #!\ /bin/gawk application/x-gawk 0 string #!/usr/bin/gawk application/x-gawk 0 string #!\ /usr/bin/gawk application/x-gawk 0 string #!/usr/local/bin/gawk application/x-gawk 0 string #!\ /usr/local/bin/gawk application/x-gawk # 0 string #!/bin/awk application/x-awk 0 string #!\ /bin/awk application/x-awk 0 string #!/usr/bin/awk application/x-awk 0 string #!\ /usr/bin/awk application/x-awk # update to distinguish from *.vcf files by Joerg Jenderek: joerg dot jenderek at web dot de #0 regex BEGIN[[:space:]]*[{] application/x-awk # For Larry Wall's perl language. The ``eval'' line recognizes an # outrageously clever hack for USG systems. # Keith Waclena 0 string #!/bin/perl application/x-perl 0 string #!\ /bin/perl application/x-perl 0 string eval\ "exec\ /bin/perl application/x-perl 0 string #!/usr/bin/perl application/x-perl 0 string #!\ /usr/bin/perl application/x-perl 0 string eval\ "exec\ /usr/bin/perl application/x-perl 0 string #!/usr/local/bin/perl application/x-perl 0 string #!\ /usr/local/bin/perl application/x-perl 0 string eval\ "exec\ /usr/local/bin/perl application/x-perl #------------------------------------------------------------------------------ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, whap, etc. # # Formats for various forms of compressed data # Formats for "compress" proper have been moved into "compress.c", # because it tries to uncompress it to figure out what's inside. # standard unix compress #0 string \037\235 application/x-compress # gzip (GNU zip, not to be confused with [Info-ZIP/PKWARE] zip archiver) #0 string \037\213 application/x-gzip 0 string PK\003\004 application/x-zip # RAR archiver (Greg Roelofs, newt@uchicago.edu) 0 string Rar! application/x-rar # According to gzip.h, this is the correct byte order for packed data. 
0 string \037\036 application/octet-stream # # This magic number is byte-order-independent. # 0 short 017437 application/octet-stream # XXX - why *two* entries for "compacted data", one of which is # byte-order independent, and one of which is byte-order dependent? # # compacted data 0 short 0x1fff application/octet-stream 0 string \377\037 application/octet-stream # huf output 0 short 0145405 application/octet-stream # Squeeze and Crunch... # These numbers were gleaned from the Unix versions of the programs to # handle these formats. Note that I can only uncrunch, not crunch, and # I didn't have a crunched file handy, so the crunch number is untested. # Keith Waclena #0 leshort 0x76FF squeezed data (CP/M, DOS) #0 leshort 0x76FE crunched data (CP/M, DOS) # Freeze #0 string \037\237 Frozen file 2.1 #0 string \037\236 Frozen file 1.0 (or gzip 0.5) # lzh? #0 string \037\240 LZH compressed data 257 string ustar\0 application/x-tar posix 257 string ustar\040\040\0 application/x-tar gnu 0 short 070707 application/x-cpio 0 short 0143561 application/x-cpio swapped 0 string = application/x-archive 0 string \! 
application/x-archive >8 string debian application/x-debian-package #------------------------------------------------------------------------------ # # RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com) # 0 beshort 0xedab >2 beshort 0xeedb application/x-rpm 0 lelong&0x8080ffff 0x0000081a application/x-arc lzw 0 lelong&0x8080ffff 0x0000091a application/x-arc squashed 0 lelong&0x8080ffff 0x0000021a application/x-arc uncompressed 0 lelong&0x8080ffff 0x0000031a application/x-arc packed 0 lelong&0x8080ffff 0x0000041a application/x-arc squeezed 0 lelong&0x8080ffff 0x0000061a application/x-arc crunched 0 leshort 0xea60 application/x-arj # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) 2 string -lh0- application/x-lharc lh0 2 string -lh1- application/x-lharc lh1 2 string -lz4- application/x-lharc lz4 2 string -lz5- application/x-lharc lz5 # [never seen any but the last; -lh4- reported in comp.compression:] 2 string -lzs- application/x-lha lzs 2 string -lh\ - application/x-lha lh 2 string -lhd- application/x-lha lhd 2 string -lh2- application/x-lha lh2 2 string -lh3- application/x-lha lh3 2 string -lh4- application/x-lha lh4 2 string -lh5- application/x-lha lh5 2 string -lh6- application/x-lha lh6 2 string -lh7- application/x-lha lh7 # Shell archives 10 string #\ This\ is\ a\ shell\ archive application/octet-stream x-shell #------------------------------------------------------------------------------ # frame: file(1) magic for FrameMaker files # # This stuff came on a FrameMaker demo tape, most of which is # copyright, but this file is "published" as witness the following: # 0 string \ # 0 string/cB \14 byte 12 (OS/2 1.x format) #>14 byte 64 (OS/2 2.x format) #>14 byte 40 (Windows 3.x format) #0 string IC icon #0 string PI pointer #0 string CI color icon #0 string CP color pointer #0 string BA bitmap array # CDROM Filesystems 32769 string CD001 application/x-iso9660 # Newer StuffIt archives (grant@netbsd.org) 0 string StuffIt application/x-stuffit 
#>162 string >0 : %s # BinHex is the Macintosh ASCII-encoded file format (see also "apple") # Daniel Quinlan, quinlan@yggdrasil.com 11 string must\ be\ converted\ with\ BinHex\ 4 application/mac-binhex40 ##>41 string x \b, version %.3s #------------------------------------------------------------------------------ # lisp: file(1) magic for lisp programs # # various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) 0 string ;; text/plain 8bit # Emacs 18 - this is always correct, but not very magical. 0 string \012( application/x-elc # Emacs 19 0 string ;ELC\023\000\000\000 application/x-elc #------------------------------------------------------------------------------ # mail.news: file(1) magic for mail and news # # There are tests to ascmagic.c to cope with mail and news. 0 string Relay-Version: message/rfc822 7bit 0 string #!\ rnews message/rfc822 7bit 0 string N#!\ rnews message/rfc822 7bit 0 string Forward\ to message/rfc822 7bit 0 string Pipe\ to message/rfc822 7bit 0 string Return-Path: message/rfc822 7bit 0 string Received: message/rfc822 0 string Path: message/news 8bit 0 string Xref: message/news 8bit 0 string From: message/rfc822 7bit 0 string Article message/news 8bit #------------------------------------------------------------------------------ # msword: file(1) magic for MS Word files # # Contributor claims: # Reversed-engineered MS Word magic numbers # 0 string \376\067\0\043 application/msword 0 string \320\317\021\340\241\261 application/msword 0 string \333\245-\0\0\0 application/msword #------------------------------------------------------------------------------ # printer: file(1) magic for printer-formatted files # # PostScript 0 string %! application/postscript 0 string \004%! 
application/postscript # Acrobat # (due to clamen@cs.cmu.edu) 0 string %PDF- application/pdf #------------------------------------------------------------------------------ # sc: file(1) magic for "sc" spreadsheet # 38 string Spreadsheet application/x-sc #------------------------------------------------------------------------------ # tex: file(1) magic for TeX files # # XXX - needs byte-endian stuff (big-endian and little-endian DVI?) # # From # Although we may know the offset of certain text fields in TeX DVI # and font files, we can't use them reliably because they are not # zero terminated. [but we do anyway, christos] 0 string \367\002 application/x-dvi #0 string \367\203 TeX generic font data #0 string \367\131 TeX packed font data #0 string \367\312 TeX virtual font data #0 string This\ is\ TeX, TeX transcript text #0 string This\ is\ METAFONT, METAFONT transcript text # There is no way to detect TeX Font Metric (*.tfm) files without # breaking them apart and reading the data. The following patterns # match most *.tfm files generated by METAFONT or afm2tfm. 
2 string \000\021 application/x-tex-tfm 2 string \000\022 application/x-tex-tfm #>34 string >\0 (%s) # Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com) 0 string \\input\ texinfo text/x-texinfo 0 string This\ is\ Info\ file text/x-info # correct TeX magic for Linux (and maybe more) # from Peter Tobias (tobias@server.et-inf.fho-emden.de) # 0 leshort 0x02f7 application/x-dvi # RTF - Rich Text Format 0 string {\\rtf text/rtf #------------------------------------------------------------------------------ # animation: file(1) magic for animation/movie formats # # animation formats, originally from vax@ccwf.cc.utexas.edu (VaX#n8) # MPEG file # MPEG sequences 0 belong 0x000001BA >4 byte &0x40 video/mp2p >4 byte ^0x40 video/mpeg 0 belong 0x000001BB video/mpeg 0 belong 0x000001B0 video/mp4v-es 0 belong 0x000001B5 video/mp4v-es 0 belong 0x000001B3 video/mpv 0 belong&0xFF5FFF1F 0x47400010 video/mp2t 0 belong 0x00000001 >4 byte&0x1F 0x07 video/h264 # FLI animation format 0 leshort 0xAF11 video/fli # FLC animation format 0 leshort 0xAF12 video/flc # # SGI and Apple formats # Added ISO mimes 0 string MOVI video/sgi 4 string moov video/quicktime 4 string mdat video/quicktime 4 string wide video/quicktime 4 string skip video/quicktime 4 string free video/quicktime 4 string idsc image/x-quicktime 4 string idat image/x-quicktime 4 string pckg application/x-quicktime 4 string/B jP image/jp2 4 string ftyp >8 string isom video/mp4 >8 string mp41 video/mp4 >8 string mp42 video/mp4 >8 string/B jp2 image/jp2 >8 string 3gp video/3gpp >8 string avc1 video/3gpp >8 string mmp4 video/mp4 >8 string/B M4A audio/mp4 >8 string/B qt video/quicktime # The contributor claims: # I couldn't find a real magic number for these, however, this # -appears- to work. Note that it might catch other files, too, # so BE CAREFUL! # # Note that title and author appear in the two 20-byte chunks # at decimal offsets 2 and 22, respectively, but they are XOR'ed with # 255 (hex FF)! 
DL format SUCKS BIG ROCKS. # # DL file version 1 , medium format (160x100, 4 images/screen) 0 byte 1 video/unknown 0 byte 2 video/unknown # # Databases # # GDBM magic numbers # Will be maintained as part of the GDBM distribution in the future. # 0 belong 0x13579ace application/x-gdbm 0 lelong 0x13579ace application/x-gdbm 0 string GDBM application/x-gdbm # 0 belong 0x061561 application/x-dbm # # Executables # 0 string \177ELF >16 leshort 0 application/octet-stream >16 leshort 1 application/x-object >16 leshort 2 application/x-executable >16 leshort 3 application/x-sharedlib >16 leshort 4 application/x-coredump >16 beshort 0 application/octet-stream >16 beshort 1 application/x-object >16 beshort 2 application/x-executable >16 beshort 3 application/x-sharedlib >16 beshort 4 application/x-coredump # # DOS 0 string MZ application/x-dosexec # # KDE 0 string [KDE\ Desktop\ Entry] application/x-kdelnk 0 string \#\ KDE\ Config\ File application/x-kdelnk # xmcd database file for kscd 0 string \#\ xmcd text/xmcd #------------------------------------------------------------------------------ # pkgadd: file(1) magic for SysV R4 PKG Datastreams # 0 string #\ PaCkAgE\ DaTaStReAm application/x-svr4-package #PNG Image Format 0 string \x89PNG image/png # MNG Video Format, 0 string \x8aMNG video/x-mng 0 string \x8aJNG video/x-jng #------------------------------------------------------------------------------ # Hierarchical Data Format, used to facilitate scientific data exchange # specifications at http://hdf.ncsa.uiuc.edu/ #Hierarchical Data Format (version 4) data 0 belong 0x0e031301 application/x-hdf #Hierarchical Data Format (version 5) data 0 string \211HDF\r\n\032 application/x-hdf # Adobe Photoshop 0 string 8BPS image/x-photoshop # Felix von Leitner 0 string d8:announce application/x-bittorrent # lotus 1-2-3 document 0 belong 0x00001a00 application/x-123 0 belong 0x00000200 application/x-123 # MS Access database 4 string Standard\ Jet\ DB application/msaccess ## magic for 
XBase files #0 byte 0x02 #>8 leshort >0 #>>12 leshort 0 application/x-dbf # #0 byte 0x03 #>8 leshort >0 #>>12 leshort 0 application/x-dbf # #0 byte 0x04 #>8 leshort >0 #>>12 leshort 0 application/x-dbf # #0 byte 0x05 #>8 leshort >0 #>>12 leshort 0 application/x-dbf # #0 byte 0x30 #>8 leshort >0 #>>12 leshort 0 application/x-dbf # #0 byte 0x43 #>8 leshort >0 #>>12 leshort 0 application/x-dbf # #0 byte 0x7b #>8 leshort >0 #>>12 leshort 0 application/x-dbf # #0 byte 0x83 #>8 leshort >0 #>>12 leshort 0 application/x-dbf # #0 byte 0x8b #>8 leshort >0 #>>12 leshort 0 application/x-dbf # #0 byte 0x8e #>8 leshort >0 #>>12 leshort 0 application/x-dbf # #0 byte 0xb3 #>8 leshort >0 #>>12 leshort 0 application/x-dbf # #0 byte 0xf5 #>8 leshort >0 #>>12 leshort 0 application/x-dbf # #0 leshort 0x0006 application/x-dbt # Debian has entries for the old PGP formats: # pgp: file(1) magic for Pretty Good Privacy # see http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html #text/PGP key public ring 0 beshort 0x9900 application/pgp #text/PGP key security ring 0 beshort 0x9501 application/pgp #text/PGP key security ring 0 beshort 0x9500 application/pgp #text/PGP encrypted data 0 beshort 0xa600 application/pgp-encrypted #text/PGP armored data ##public key block 2 string ---BEGIN\ PGP\ PUBLIC\ KEY\ BLOCK- application/pgp-keys 0 string -----BEGIN\040PGP\40MESSAGE- application/pgp 0 string -----BEGIN\040PGP\40SIGNATURE- application/pgp-signature # # GnuPG Magic: # # #text/GnuPG key public ring 0 beshort 0x9901 application/pgp #text/OpenPGP data 0 beshort 0x8501 application/pgp-encrypted # flash: file(1) magic for Macromedia Flash file format # # See # # http://www.macromedia.com/software/flash/open/ # 0 string FWS >3 byte x application/x-shockwave-flash # The following paramaters are created for Namazu. # # # 1999/08/13 #0 string \ Apache2 Ubuntu Default Page: It works
It works!

This is the default welcome page used to test the correct operation of the Apache2 server after installation on Ubuntu systems. It is based on the equivalent page on Debian, from which the Ubuntu Apache packaging is derived. If you can read this page, it means that the Apache HTTP server installed at this site is working properly. You should replace this file (located at /var/www/html/index.html) before continuing to operate your HTTP server.

If you are a normal user of this web site and don't know what this page is about, this probably means that the site is currently unavailable due to maintenance. If the problem persists, please contact the site's administrator.

Configuration Overview

Ubuntu's Apache2 default configuration is different from the upstream default configuration, and split into several files optimized for interaction with Ubuntu tools. The configuration system is fully documented in /usr/share/doc/apache2/README.Debian.gz. Refer to this for the full documentation. Documentation for the web server itself can be found by accessing the manual if the apache2-doc package was installed on this server.

The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:

/etc/apache2/
|-- apache2.conf
|       `--  ports.conf
|-- mods-enabled
|       |-- *.load
|       `-- *.conf
|-- conf-enabled
|       `-- *.conf
|-- sites-enabled
|       `-- *.conf
          
  • apache2.conf is the main configuration file. It puts the pieces together by including all remaining configuration files when starting up the web server.
  • ports.conf is always included from the main configuration file. It is used to determine the listening ports for incoming connections, and this file can be customized anytime.
  • Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ directories contain particular configuration snippets which manage modules, global configuration fragments, or virtual host configurations, respectively.
  • They are activated by symlinking available configuration files from their respective *-available/ counterparts. These should be managed by using our helpers a2enmod, a2dismod, a2ensite, a2dissite, a2enconf and a2disconf. See their respective man pages for detailed information.
  • The binary is called apache2. Due to the use of environment variables, in the default configuration, apache2 needs to be started/stopped with /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not work with the default configuration.
Document Roots

By default, Ubuntu does not allow access through the web browser to any file apart from those located in /var/www, public_html directories (when enabled) and /usr/share (for web applications). If your site is using a web document root located elsewhere (such as in /srv) you may need to whitelist your document root directory in /etc/apache2/apache2.conf.

The default Ubuntu document root is /var/www/html. You can make your own virtual hosts under /var/www. This differs from previous releases and provides better security out of the box.

Reporting Problems

Please use the ubuntu-bug tool to report bugs in the Apache2 package with Ubuntu. However, check existing bug reports before reporting a new bug.

Please report bugs specific to modules (such as PHP and others) to respective packages, not to the web server itself.

Valid XHTML 1.0 Transitional

debian/apache2.default0000644000000000000000000000117513376761111012051 0ustar ### htcacheclean settings ### ## run htcacheclean: yes, no, auto ## auto means run if /etc/apache2/mods-enabled/cache_disk.load exists ## default: auto HTCACHECLEAN_RUN=auto ## run mode: cron, daemon ## run in daemon mode or as daily cron job ## default: daemon HTCACHECLEAN_MODE=daemon ## cache size HTCACHECLEAN_SIZE=300M ## interval: if in daemon mode, clean cache every x minutes HTCACHECLEAN_DAEMON_INTERVAL=120 ## path to cache ## must be the same as in CacheRoot directive HTCACHECLEAN_PATH=/var/cache/apache2/mod_cache_disk ## additional options: ## -n : be nice ## -t : remove empty directories HTCACHECLEAN_OPTIONS="-n" debian/apache2.init0000755000000000000000000002336613376761111011401 0ustar #!/bin/sh ### BEGIN INIT INFO # Provides: apache2 # Required-Start: $local_fs $remote_fs $network $syslog $named # Required-Stop: $local_fs $remote_fs $network $syslog $named # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # X-Interactive: true # Short-Description: Start/stop apache2 web server # Description: Start the web server and associated helpers # This script will start apache2, and possibly all associated instances. # Moreover, it will set-up temporary directories and helper tools such as # htcacheclean when required by the configuration. 
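### END INIT INFO

DESC="web server"
NAME=apache2
DAEMON=/usr/sbin/$NAME

# Name this script was invoked as, with any rc-link prefix (S20, K80, ...)
# stripped, so that a link named apache2-<suffix> selects a second instance.
SCRIPTNAME="${0##*/}"
SCRIPTNAME="${SCRIPTNAME##[KS][0-9][0-9]}"

# APACHE_CONFDIR and APACHE_ENVVARS are honoured when the caller already has
# them in its environment. APACHE_ENVVARS is sourced further down, so whoever
# invokes this script decides which file is executed in this shell.
if [ -n "$APACHE_CONFDIR" ] ; then
  if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
    # NOTE(review): unlike the SCRIPTNAME branch below, this value carries no
    # leading '-', so /etc/default/apache2$DIR_SUFFIX and
    # /var/cache/apache2$DIR_SUFFIX are built differently in the two
    # branches; confirm this is intended.
    DIR_SUFFIX="${APACHE_CONFDIR##/etc/apache2-}"
  else
    DIR_SUFFIX=
  fi
elif [ "${SCRIPTNAME##apache2-}" != "$SCRIPTNAME" ] ; then
  DIR_SUFFIX="-${SCRIPTNAME##apache2-}"
  APACHE_CONFDIR=/etc/apache2$DIR_SUFFIX
else
  DIR_SUFFIX=
  APACHE_CONFDIR=/etc/apache2
fi
if [ -z "$APACHE_ENVVARS" ] ; then
  APACHE_ENVVARS=$APACHE_CONFDIR/envvars
fi
export APACHE_CONFDIR APACHE_ENVVARS

# Command prefix for the helper programs: "env -i" starts them with an empty
# environment plus a fixed LANG and PATH, so nothing else leaks in from the
# caller. $ENV is expanded unquoted on purpose (it is a word list); a config
# path containing whitespace would therefore be split.
ENV="env -i LANG=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
if [ "$APACHE_CONFDIR" != /etc/apache2 ] ; then
  ENV="$ENV APACHE_CONFDIR=$APACHE_CONFDIR"
fi
if [ "$APACHE_ENVVARS" != "$APACHE_CONFDIR/envvars" ] ; then
  ENV="$ENV APACHE_ENVVARS=$APACHE_ENVVARS"
fi

# Edit /etc/default/apache2 to change this.
HTCACHECLEAN_RUN=auto
HTCACHECLEAN_MODE=daemon
HTCACHECLEAN_SIZE=300M
HTCACHECLEAN_DAEMON_INTERVAL=120
HTCACHECLEAN_PATH=/var/cache/apache2$DIR_SUFFIX/mod_cache_disk
HTCACHECLEAN_OPTIONS=""

# Read configuration variable file if it is present.
# These files are sourced, i.e. executed in this shell.
if [ -f "/etc/default/apache2$DIR_SUFFIX" ] ; then
  . "/etc/default/apache2$DIR_SUFFIX"
elif [ -f /etc/default/apache2 ] ; then
  . /etc/default/apache2
fi

# Evaluate envvars in a subshell so that only the pid file path is taken over.
PIDFILE=$(. "$APACHE_ENVVARS" && echo "$APACHE_PID_FILE")

VERBOSE=no
if [ -f /etc/default/rcS ]; then
  . /etc/default/rcS
fi
. /lib/lsb/init-functions

# Now, set defaults:
APACHE2CTL="$ENV apache2ctl"
HTCACHECLEAN="$ENV htcacheclean"

PIDFILE=$(. "$APACHE_ENVVARS" && echo "$APACHE_PID_FILE")
APACHE2_INIT_MESSAGE=""

# Temporary file holding the output of the last failed configtest, if any.
CONFTEST_OUTFILE=

# Remove the configtest output file, if one is still around.
# Installed as the exit handler below.
cleanup() {
  if [ -n "$CONFTEST_OUTFILE" ] ; then
    rm -f "$CONFTEST_OUTFILE"
  fi
}
trap cleanup 0  # "0" means "EXIT", but "EXIT" is not portable

# Run "apache2ctl configtest", capturing its output in a mktemp file.
# Globals: CONFTEST_OUTFILE (written), APACHE2CTL (read)
# Returns: 0 if the test passed (output file removed),
#          1 if it failed (output kept in $CONFTEST_OUTFILE for
#          print_error_msg).
apache_conftest() {
  [ -z "$CONFTEST_OUTFILE" ] || rm -f "$CONFTEST_OUTFILE"
  CONFTEST_OUTFILE=$(mktemp)
  if ! $APACHE2CTL configtest > "$CONFTEST_OUTFILE" 2>&1 ; then
    return 1
  else
    rm -f "$CONFTEST_OUTFILE"
    CONFTEST_OUTFILE=
    return 0
  fi
}

# Discard any pending configtest output and pending message.
# Globals: CONFTEST_OUTFILE, APACHE2_INIT_MESSAGE (both cleared)
clear_error_msg() {
  [ -z "$CONFTEST_OUTFILE" ] || rm -f "$CONFTEST_OUTFILE"
  CONFTEST_OUTFILE=
  APACHE2_INIT_MESSAGE=
}

# Print the pending message (as a warning) and the kept configtest output
# (on stderr), then remove the output file.
# Globals: APACHE2_INIT_MESSAGE (read), CONFTEST_OUTFILE (read, cleared)
print_error_msg() {
  [ -z "$APACHE2_INIT_MESSAGE" ] || log_warning_msg "$APACHE2_INIT_MESSAGE"
  if [ -n "$CONFTEST_OUTFILE" ] ; then
    echo "Output of config test was:" >&2
    cat "$CONFTEST_OUTFILE" >&2
    rm -f "$CONFTEST_OUTFILE"
    CONFTEST_OUTFILE=
  fi
}

# Poll once per second until the process from $PIDFILE is alive.
# Arguments: $1 - status to return once the process is up
# Returns:   $1 when the process is running, 2 if it is not up after 20
#            polls (APACHE2_INIT_MESSAGE is set in that case).
apache_wait_start() {
  local STATUS=$1
  local i=0
  while : ; do
    PIDTMP=$(pidofproc -p "$PIDFILE" "$DAEMON")
    if [ -n "${PIDTMP:-}" ] && kill -0 "${PIDTMP:-}" 2> /dev/null; then
      return $STATUS
    fi

    if [ $i = "20" ] ; then
      APACHE2_INIT_MESSAGE="The apache2$DIR_SUFFIX instance did not start within 20 seconds. Please read the log files to discover problems"
      return 2
    fi

    [ "$VERBOSE" != no ] && log_progress_msg "."
    sleep 1
    i=$(($i+1))
  done
}

# Poll once per second until the process from $PIDFILE is gone.
# Arguments: $1 - status to return once the process has exited
# Returns:   $1 when the process is gone (or was not running),
#            2 if it is still alive after 60 polls.
apache_wait_stop() {
  local STATUS=$1

  PIDTMP=$(pidofproc -p "$PIDFILE" "$DAEMON")
  if [ -n "${PIDTMP:-}" ] && kill -0 "${PIDTMP:-}" 2> /dev/null; then
    local i=0
    while kill -0 "${PIDTMP:-}" 2> /dev/null; do
      if [ $i = '60' ]; then
        # Record the failure BEFORE leaving the loop. The assignment used to
        # sit after "break" and was never executed, so a server that ignored
        # the stop request was still reported as stopped.
        STATUS=2
        break
      fi
      [ "$VERBOSE" != no ] && log_progress_msg "."
      sleep 1
      i=$(($i+1))
    done
    return $STATUS
  else
    return $STATUS
  fi
}

#
# Function that starts the daemon/service
#
do_start()
{
  # Return
  #   0 if daemon has been started
  #   1 if daemon was already running
  #   2 if daemon could not be started

  if pidofproc -p "$PIDFILE" "$DAEMON" > /dev/null 2>&1 ; then
    return 1
  fi

  # Only start with a configuration that passes configtest.
  if apache_conftest ; then
    $APACHE2CTL start
    apache_wait_start $?
    return $?
  else
    APACHE2_INIT_MESSAGE="The apache2$DIR_SUFFIX configtest failed."
    return 2
  fi
}

#
# Function that stops the daemon/service
#
do_stop()
{
  # Return
  #   0 if daemon has been stopped
  #   1 if daemon was already stopped
  #   2 if daemon could not be stopped
  #   other if a failure occurred

  # either "stop" or "graceful-stop"
  local STOP=$1
  # can't use pidofproc from LSB here
  local AP_RET=0
  local pid=

  if pidof "$DAEMON" > /dev/null 2>&1 ; then
    [ -e "$PIDFILE" ] && pid=$(cat "$PIDFILE" 2> /dev/null)
    # Compare the recorded pid as a literal whole line (-F -x): the pid file
    # content is data, not a pattern, and an empty pid file never matches.
    if [ -n "$pid" ] && pidof "$DAEMON" | tr ' ' '\n' | grep -Fx -- "$pid" > /dev/null 2>&1 ; then
      AP_RET=2
    else
      AP_RET=1
    fi
  else
    AP_RET=0
  fi

  # AP_RET is:
  # 0 if Apache (whichever) is not running
  # 1 if Apache (whichever) is running
  # 2 if Apache from the PIDFILE is running

  if [ $AP_RET = 0 ] ; then
    return 1
  fi

  if [ $AP_RET = 2 ] && apache_conftest ; then
    $APACHE2CTL $STOP > /dev/null 2>&1
    apache_wait_stop $?
    return $?
  else
    if [ $AP_RET = 2 ]; then
      # The configtest failed, so fall back to signalling the process
      # recorded in the pid file.
      clear_error_msg
      APACHE2_INIT_MESSAGE="The apache2$DIR_SUFFIX configtest failed, so we are trying to kill it manually. This is almost certainly suboptimal, so please make sure your system is working as you'd expect now!"
      killproc -p "$PIDFILE" "$DAEMON"
      apache_wait_stop $?
      return $?
    elif [ $AP_RET = 1 ] ; then
      # Processes that do not match the pid file are never signalled.
      APACHE2_INIT_MESSAGE="There are processes named 'apache2' running which do not match your pid file which are left untouched in the name of safety, Please review the situation by hand."
      return 2
    fi
  fi
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
  # Returns 0 (or the status of "apache2ctl graceful") when a reload was
  # requested, 2 if the configtest failed or the server is not running.
  if apache_conftest; then
    if ! pidofproc -p "$PIDFILE" "$DAEMON" > /dev/null 2>&1 ; then
      APACHE2_INIT_MESSAGE="Apache2 is not running"
      return 2
    fi
    $APACHE2CTL graceful > /dev/null 2>&1
    return $?
  else
    APACHE2_INIT_MESSAGE="The apache2$DIR_SUFFIX configtest failed. Not doing anything."
    return 2
  fi
}

# Decide whether the htcacheclean daemon is to be managed by this script.
# Returns: 0 if HTCACHECLEAN_MODE is "daemon" and HTCACHECLEAN_RUN is "yes",
#          or is "auto" while cache_disk.load exists in the enabled-modules
#          directory; 1 otherwise.
check_htcacheclean() {
  [ "$HTCACHECLEAN_MODE" = "daemon" ] || return 1

  [ "$HTCACHECLEAN_RUN" = "yes" ] && return 0

  MODSDIR=$(. "$APACHE_ENVVARS" && echo "$APACHE_MODS_ENABLED")
  if [ "$HTCACHECLEAN_RUN" = "auto" ] &&
     [ -e "${MODSDIR:-$APACHE_CONFDIR/mods-enabled}/cache_disk.load" ] ; then
    return 0
  fi

  return 1
}

# Start htcacheclean with the configured interval, cache path and size limit.
# $HTCACHECLEAN and $HTCACHECLEAN_OPTIONS are word lists and stay unquoted.
start_htcacheclean() {
  $HTCACHECLEAN $HTCACHECLEAN_OPTIONS -d"$HTCACHECLEAN_DAEMON_INTERVAL" \
    -i -p"$HTCACHECLEAN_PATH" -l"$HTCACHECLEAN_SIZE"
}

# Stop the htcacheclean instance serving $HTCACHECLEAN_PATH.
# The match is on the full command line of processes whose parent is pid 1.
# The path is interpolated into the pkill pattern, so pattern metacharacters
# in it are not matched literally.
# Returns: 1 if pkill matched nothing or failed.
stop_htcacheclean() {
  pkill -P 1 -f "htcacheclean.* -p$HTCACHECLEAN_PATH " 2> /dev/null || return 1
}

# Sanity checks. They need to occur after function declarations

# Exit quietly when the daemon binary is not installed. A second, identical
# test that printed a message used to follow here; it could never be reached
# and has been dropped.
[ -x "$DAEMON" ] || exit 0

if [ -z "$PIDFILE" ] ; then
  echo "ERROR: APACHE_PID_FILE needs to be defined in $APACHE_ENVVARS" >&2
  exit 2
fi

if check_htcacheclean ; then
  if [ ! -d "$HTCACHECLEAN_PATH" ] ; then
    echo "htcacheclean is configured, but directory $HTCACHECLEAN_PATH does not exist!" >&2
    exit 2
  fi
fi

case "$1" in
  start)
    log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    RET_STATUS=$?
    case "$RET_STATUS" in
      0|1)
        log_success_msg
        [ "$VERBOSE" != no ] && [ $RET_STATUS = 1 ] && log_warning_msg "Server was already running"
        if check_htcacheclean ; then
          [ "$VERBOSE" != no ] && log_daemon_msg "Starting HTTP cache cleaning daemon" "htcacheclean"
          start_htcacheclean
          # NOTE(review): $? below is the exit status of the [ test on the
          # same line, not of start_htcacheclean, so a failed start is
          # reported as success.
          [ "$VERBOSE" != no ] && log_end_msg $?
        fi
        ;;
      2)
        log_failure_msg
        print_error_msg
        exit 1
        ;;
    esac
    ;;
  stop|graceful-stop)
    log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop "$1"
    RET_STATUS=$?
    case "$RET_STATUS" in
      0|1)
        log_success_msg
        [ "$VERBOSE" != no ] && [ $RET_STATUS = 1 ] && log_warning_msg "Server was not running"
        ;;
      2)
        log_failure_msg
        print_error_msg
        exit 1
        ;;
    esac
    print_error_msg

    if check_htcacheclean ; then
      [ "$VERBOSE" != no ] && log_daemon_msg "Stopping HTTP cache cleaning daemon" "htcacheclean"
      stop_htcacheclean
      # NOTE(review): as in the start arm, $? here is the status of the
      # [ test, not of stop_htcacheclean.
      [ "$VERBOSE" != no ] && log_end_msg $?
    fi
    ;;
  status)
    status_of_proc -p $PIDFILE "apache2" "$NAME"
    exit $?
    ;;
  reload|force-reload|graceful)
    log_daemon_msg "Reloading $DESC" "$NAME"
    do_reload
    RET_STATUS=$?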
case "$RET_STATUS" in 0|1) log_success_msg [ "$VERBOSE" != no ] && [ $RET_STATUS = 1 ] && log_warning_msg "Server was already running" ;; 2) log_failure_msg print_error_msg exit 1 ;; esac print_error_msg ;; restart) log_daemon_msg "Restarting $DESC" "$NAME" do_stop stop case "$?" in 0|1) do_start case "$?" in 0) log_end_msg 0 ;; 1|*) log_end_msg 1 # Old process is still or failed to running print_error_msg exit 1 ;; esac ;; *) # Failed to stop log_end_msg 1 print_error_msg exit 1 ;; esac ;; start-htcacheclean) log_daemon_msg "Starting htcacheclean" start_htcacheclean log_end_msg $? exit $? ;; stop-htcacheclean) log_daemon_msg "Stopping htcacheclean" stop_htcacheclean log_end_msg $? exit $? ;; *) echo "Usage: $SCRIPTNAME {start|stop|graceful-stop|restart|reload|force-reload|start-htcacheclean|stop-htcacheclean}" >&2 exit 3 ;; esac exit 0 # vim: syntax=sh ts=4 sw=4 sts=4 sr noet debian/apache2-doc.postinst0000644000000000000000000000055013376761111013047 0ustar #! /bin/sh set -e # conffiles must be moved before invoking rc.d #DEBHELPER# # This code should use dh_apache2 once it is available as build dependency if [ "$1" = "configure" ] ; then if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then . /usr/share/apache2/apache2-maintscript-helper apache2_invoke enconf apache2-doc || true fi fi exit debian/apache2.cron.daily0000644000000000000000000000116113376761111012462 0ustar #!/bin/sh # run htcacheclean set -e set -u type htcacheclean > /dev/null 2>&1 || exit 0 [ -e /etc/default/apache2 ] || exit 0 # edit /etc/default/apache2 to change this HTCACHECLEAN_MODE=daemon HTCACHECLEAN_RUN=auto HTCACHECLEAN_SIZE=300M HTCACHECLEAN_PATH=/var/cache/apache2/mod_cache_disk HTCACHECLEAN_OPTIONS="" . 
/etc/default/apache2 [ "$HTCACHECLEAN_MODE" = "cron" ] || exit 0 [ "$HTCACHECLEAN_RUN" = "yes" ] || ( [ "$HTCACHECLEAN_RUN" = "auto" ] && \ [ -e /etc/apache2/mods-enabled/cache_disk.load ] ) || exit 0 htcacheclean ${HTCACHECLEAN_OPTIONS} \ -p${HTCACHECLEAN_PATH} \ -l${HTCACHECLEAN_SIZE} debian/apache2-suexec.postinst.in0000755000000000000000000000103713376761111014207 0ustar #! /bin/sh # postinst script for apache2-suexec-__TYPE__ set -e case "$1" in configure) update-alternatives --install /usr/lib/apache2/suexec suexec /usr/lib/apache2/suexec-__TYPE__ 10 \ --slave /usr/share/man/man8/suexec.8.gz suexec.8.gz /usr/share/man/man8/suexec-__TYPE__.8.gz ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 0 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/apache2-doc.examples0000644000000000000000000000003013376761111012773 0ustar debian/tmp/etc/apache2/ debian/apache2-utils.ufw.profile0000644000000000000000000000062613376761111014023 0ustar [Apache] title=Web Server description=Apache v2 is the next generation of the omnipresent Apache web server. ports=80/tcp [Apache Secure] title=Web Server (HTTPS) description=Apache v2 is the next generation of the omnipresent Apache web server. ports=443/tcp [Apache Full] title=Web Server (HTTP,HTTPS) description=Apache v2 is the next generation of the omnipresent Apache web server. 
ports=80,443/tcp debian/apache2-suexec-custom.install0000644000000000000000000000013313376761111014666 0ustar /usr/sbin/suexec-custom /usr/lib/apache2/ debian/suexec-config-dir/* /etc/apache2/suexec/ debian/gbp.conf0000644000000000000000000000020413376761111010607 0ustar [DEFAULT] pristine-tar = True builder=dpkg-buildpackage -i\.git -I.git #cleaner=true upstream-branch=upstream debian-branch=master debian/apache2-dev.dirs0000644000000000000000000000005413376761111012135 0ustar usr/include/apache2 usr/share/apache2/build debian/patches/0000755000000000000000000000000013451146021010612 5ustar debian/patches/hostnames_with_underscores.diff0000644000000000000000000000073713376761111017134 0ustar Description: relax hostname restrictions Origin: stolen from Debian Jessie update. Thanks! --- apache2.orig/server/vhost.c +++ apache2/server/vhost.c @@ -758,7 +758,7 @@ static apr_status_t strict_hostname_chec if (!apr_isascii(*ch)) { goto bad; } - else if (apr_isalpha(*ch) || *ch == '-') { + else if (apr_isalpha(*ch) || *ch == '-' || *ch == '_') { is_dotted_decimal = 0; } else if (ch[0] == '.') { debian/patches/CVE-2017-9798.patch0000644000000000000000000000222013376761111013262 0ustar Description: fix optionsbleed information leak Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1807754 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876109 Index: apache2-2.4.7/server/core.c =================================================================== --- apache2-2.4.7.orig/server/core.c 2017-09-18 11:09:35.156944672 -0400 +++ apache2-2.4.7/server/core.c 2017-09-18 11:09:35.156944672 -0400 
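Review bot: The widened test `apr_isalpha(*ch) || *ch == '-' || *ch == '_'` in strict_hostname_check accepts an underscore anywhere in a host label, and nothing at that line records that this is a deliberate departure from the letter-digit-hyphen rule the strict check otherwise enforces. The patch header says only "relax hostname restrictions", so a later rebase could drop or widen the exception unnoticed. I would add `/* local deviation: '_' is accepted for compatibility although it is not a valid hostname character (RFC 1123) */` above the branch. An underscore also clears `is_dotted_decimal` the same way a letter does, which looks intended. The function starts and ends outside the hunk.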
@@ -2055,6 +2055,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_ /* method has not been registered yet, but resorce restriction * is always checked before method handling, so register it. */ + if (cmd->pool == cmd->temp_pool) { + /* In .htaccess, we can't globally register new methods. */ + return apr_psprintf(cmd->pool, "Could not register method '%s' " + "for %s from .htaccess configuration", + method, cmd->cmd->name); + } methnum = ap_method_register(cmd->pool, apr_pstrdup(cmd->pool, method)); } debian/patches/fix-proxy-error-overwrite-timeout.patch0000644000000000000000000000453613376761111020460 0ustar Description: Fix Proxy responses with error status and "ProxyErrorOverride On" PR53420: Proxy responses with error status and "ProxyErrorOverride On" hang until proxy timeout. Regression from 2.2. It was introduced by r912063 in order to fix PR41646. Switch preference for headers, Transfer-Encoding first, Content-Length second. Author: Jim Jagielski Reviewed-by: Christian Ehrhardt Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1621601 Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=53420 Bug-Ubuntu: https://launchpad.net/bugs/1495988 Index: apache2-2.4.7/CHANGES =================================================================== --- apache2-2.4.7.orig/CHANGES +++ apache2-2.4.7/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.4.7 + *) mod_proxy_http: Proxy responses with error status and + "ProxyErrorOverride On" hang until proxy timeout. + PR53420 [Rainer Jung] + *) mod_proxy_wstunnel: Don't pool backend websockets connections, because we need to handshake every time. PR 55890. [Eric Covener] Index: apache2-2.4.7/modules/proxy/mod_proxy_http.c =================================================================== --- apache2-2.4.7.orig/modules/proxy/mod_proxy_http.c +++ apache2-2.4.7/modules/proxy/mod_proxy_http.c 
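Review bot: The guard `if (cmd->pool == cmd->temp_pool)` in the server/core.c hunk recognises .htaccess context only indirectly, and the added comment does not say why pool identity implies that context or why registration must be refused there. I would expand it to something like `/* .htaccess is parsed with pool == temp_pool (request lifetime); a method registered from it would presumably leave the global method table referencing memory released after the request */`. The wording should be checked against the .htaccess parser, which is not visible here. The enclosing function starts and ends outside the hunk.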
@@ -1635,6 +1635,18 @@ apr_status_t ap_proxy_http_process_respo if (!r->header_only && /* not HEAD request */ (proxy_status != HTTP_NO_CONTENT) && /* not 204 */ (proxy_status != HTTP_NOT_MODIFIED)) { /* not 304 */ + const char *tmp; + /* Add minimal headers needed to allow http_in filter + * detecting end of body without waiting for a timeout. */ + if ((tmp = apr_table_get(r->headers_out, "Transfer-Encoding"))) { + apr_table_set(backend->r->headers_in, "Transfer-Encoding", tmp); + } + else if ((tmp = apr_table_get(r->headers_out, "Content-Length"))) { + apr_table_set(backend->r->headers_in, "Content-Length", tmp); + } + else if (te) { + apr_table_set(backend->r->headers_in, "Transfer-Encoding", te); + } ap_discard_request_body(backend->r); } return proxy_status; debian/patches/CVE-2018-17199-pre1.patch0000644000000000000000000000641413451141470014205 0ustar From a56a47449fe2edf7f6371cd43e249b8cb77f2ac7 Mon Sep 17 00:00:00 2001 
From: Jim Jagielski Date: Fri, 24 Jan 2014 13:25:27 +0000 Subject: [PATCH] Merge r1560977 from trunk: mod_session: When we have a session we were unable to decode, behave as if there was no session at all. Submitted by: minfrin Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1560991 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ STATUS | 6 ------ modules/session/mod_session.c | 30 ++++++++++++++++++------------ 3 files changed, 22 insertions(+), 18 deletions(-) #diff --git a/CHANGES b/CHANGES #index f86369648cb..cc899c5e2a0 100644 #--- a/CHANGES #+++ b/CHANGES #@@ -2,6 +2,10 @@ # # Changes with Apache 2.4.8 # #+ *) mod_session: When we have a session we were unable to decode, #+ behave as if there was no session at all. [Thomas Eckert #+ ] #+ # *) mod_session: Fix problems interpreting the SessionInclude and # SessionExclude configuration. PR 56038. [Erik Pearson # ] #diff --git a/STATUS b/STATUS #index 693174a6503..bbc6e1168a4 100644 #--- a/STATUS #+++ b/STATUS #@@ -98,12 +98,6 @@ RELEASE SHOWSTOPPERS: # PATCHES ACCEPTED TO BACKPORT FROM TRUNK: # [ start all new proposals below, under PATCHES PROPOSED. ] # #- * mod_session: When we have a session we were unable to decode, behave as if #- there was no session at all. #- trunk patch: http://svn.apache.org/r1560977 #- 2.4.x patch: trunk works (modulo changes) #- +1: minfrin, trawick, jim #- # # # PATCHES PROPOSED TO BACKPORT FROM TRUNK: diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c index 48475c0725c..0b472a240e0 100644 --- a/modules/session/mod_session.c +++ b/modules/session/mod_session.c 
@@ -126,22 +126,28 @@ static apr_status_t ap_session_load(request_rec * r, session_rec ** z) /* found a session that hasn't expired? */ now = apr_time_now(); - if (!zz || (zz->expiry && zz->expiry < now)) { + if (zz) { + if (zz->expiry && zz->expiry < now) { + zz = NULL; + } + else { + /* having a session we cannot decode is just as good as having + none at all */ + rv = ap_run_session_decode(r, zz); + if (OK != rv) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817) + "error while decoding the session, " + "session not loaded: %s", r->uri); + zz = NULL; + } + } + } - /* no luck, create a blank session */ + /* no luck, create a blank session */ + if (!zz) { zz = (session_rec *) apr_pcalloc(r->pool, sizeof(session_rec)); zz->pool = r->pool; zz->entries = apr_table_make(zz->pool, 10); - - } - else { - rv = ap_run_session_decode(r, zz); - if (OK != rv) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817) - "error while decoding the session, " - "session not loaded: %s", r->uri); - return rv; - } } /* make sure the expiry and maxage are set, if present */ debian/patches/CVE-2016-8743.patch0000644000000000000000000023566013376761111013266 0ustar Description: fix response splitting and cache pollution issue via incomplete RFC7230 HTTP request grammar enforcing Origin: backport, https://svn.apache.org/r1668879 Origin: backport, https://svn.apache.org/r1743516 Origin: backport, https://svn.apache.org/r1773801 Origin: backport, https://svn.apache.org/r1772678 Origin: backport, https://svn.apache.org/r1773802 Origin: backport, https://svn.apache.org/r1773803 Origin: backport, https://svn.apache.org/r1773995 Origin: backport, https://svn.apache.org/r1774429 Origin: backport, https://svn.apache.org/r1778052 Index: apache2-2.4.7/include/http_core.h =================================================================== --- apache2-2.4.7.orig/include/http_core.h 2017-05-05 13:47:47.276541299 -0400 +++ apache2-2.4.7/include/http_core.h 2017-05-05 
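Review bot: In the new `if (zz)` block the expiry test `zz->expiry && zz->expiry < now` still runs before `ap_run_session_decode(r, zz)`. If a session's expiry is only filled in by decoding (likely for sessions carried in a cookie, though the load hooks are outside this hunk), `expiry` is still zero when it is tested and the session is never treated as expired. Decoding first and testing afterwards, for example `if (zz && zz->expiry && zz->expiry < now) zz = NULL;` placed after the decode branch, would close that gap. The decode-failure branch also logs the client-supplied `r->uri` at APLOG_ERR on every undecodable session, so a lower log level may be worth considering. ap_session_load starts and ends outside the hunk.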
13:47:47.212540661 -0400 @@ -668,6 +668,21 @@ typedef struct { #define AP_MERGE_TRAILERS_DISABLE 2 int merge_trailers; +#define AP_HTTP09_UNSET 0 +#define AP_HTTP09_ENABLE 1 +#define AP_HTTP09_DISABLE 2 + char http09_enable; + +#define AP_HTTP_CONFORMANCE_UNSET 0 +#define AP_HTTP_CONFORMANCE_UNSAFE 1 +#define AP_HTTP_CONFORMANCE_STRICT 2 + char http_conformance; + +#define AP_HTTP_METHODS_UNSET 0 +#define AP_HTTP_METHODS_LENIENT 1 +#define AP_HTTP_METHODS_REGISTERED 2 + char http_methods; + } core_server_config; /* for AddOutputFiltersByType in core.c */ Index: apache2-2.4.7/include/http_protocol.h =================================================================== --- apache2-2.4.7.orig/include/http_protocol.h 2017-05-05 13:47:47.276541299 -0400 +++ apache2-2.4.7/include/http_protocol.h 2017-05-05 13:47:47.220540741 -0400 @@ -565,17 +565,22 @@ AP_DECLARE(int) ap_get_basic_auth_pw(req */ AP_CORE_DECLARE(void) ap_parse_uri(request_rec *r, const char *uri); +#define AP_GETLINE_FOLD 1 /* Whether to merge continuation lines */ +#define AP_GETLINE_CRLF 2 /*Whether line ends must be in the form CR LF */ + /** * Get the next line of input for the request * @param s The buffer into which to read the line * @param n The size of the buffer * @param r The request - * @param fold Whether to merge continuation lines + * @param flags Bit flag of multiple parsing options + * AP_GETLINE_FOLD Whether to merge continuation lines + * AP_GETLINE_CRLF Whether line ends must be in the form CR LF * @return The length of the line, if successful * n, if the line is too big to fit in the buffer * -1 for miscellaneous errors */ -AP_DECLARE(int) ap_getline(char *s, int n, request_rec *r, int fold); +AP_DECLARE(int) ap_getline(char *s, int n, request_rec *r, int flags); /** * Get the next line of input for the request 
@@ -593,7 +598,9 @@ AP_DECLARE(int) ap_getline(char *s, int * @param n The size of the buffer * @param read The length of the line. * @param r The request - * @param fold Whether to merge continuation lines + * @param flags Bit flag of multiple parsing options + * AP_GETLINE_FOLD Whether to merge continuation lines + * AP_GETLINE_CRLF Whether line ends must be in the form CR LF * @param bb Working brigade to use when reading buckets * @return APR_SUCCESS, if successful * APR_ENOSPC, if the line is too big to fit in the buffer @@ -602,7 +609,7 @@ AP_DECLARE(int) ap_getline(char *s, int #if APR_CHARSET_EBCDIC AP_DECLARE(apr_status_t) ap_rgetline(char **s, apr_size_t n, apr_size_t *read, - request_rec *r, int fold, + request_rec *r, int flags, apr_bucket_brigade *bb); #else /* ASCII box */ #define ap_rgetline(s, n, read, r, fold, bb) \ @@ -612,7 +619,7 @@ AP_DECLARE(apr_status_t) ap_rgetline(cha /** @see ap_rgetline */ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n, apr_size_t *read, - request_rec *r, int fold, + request_rec *r, int flags, apr_bucket_brigade *bb); /** Index: apache2-2.4.7/include/httpd.h =================================================================== --- apache2-2.4.7.orig/include/httpd.h 2017-05-05 13:47:47.276541299 -0400 +++ apache2-2.4.7/include/httpd.h 2017-05-05 13:47:47.224540781 -0400 
@@ -1552,6 +1552,28 @@ AP_DECLARE(int) ap_find_etag_strong(apr_ */ AP_DECLARE(char *) ap_get_token(apr_pool_t *p, const char **accept_line, int accept_white); +/* Scan a string for field content chars, as defined by RFC7230 section 3.2 + * including VCHAR/obs-text, as well as HT and SP + * @param ptr The string to scan + * @return A pointer to the first (non-HT) ASCII ctrl character. + * @note lws and trailing whitespace are scanned, the caller is responsible + * for trimming leading and trailing whitespace + */ +AP_DECLARE(const char *) ap_scan_http_field_content(const char *ptr); + +/* Scan a string for token characters, as defined by RFC7230 section 3.2.6 + * @param ptr The string to scan + * @return A pointer to the first non-token character. + */ +AP_DECLARE(const char *) ap_scan_http_token(const char *ptr); + +/* Scan a string for visible ASCII (0x21-0x7E) or obstext (0x80+) + * and return a pointer to the first SP/CTL/NUL character encountered. + * @param ptr The string to scan + * @return A pointer to the first SP/CTL character. + */ +AP_DECLARE(const char *) ap_scan_vchar_obstext(const char *ptr); + /** * Find http tokens, see the definition of token from RFC2068 * @param p The pool to allocate from Index: apache2-2.4.7/modules/http/http_filters.c =================================================================== --- apache2-2.4.7.orig/modules/http/http_filters.c 2017-05-05 13:47:47.276541299 -0400 +++ apache2-2.4.7/modules/http/http_filters.c 2017-05-05 13:48:14.248809888 -0400 
@@ -109,14 +109,15 @@ static apr_status_t bail_out_on_error(ht /** * Parse a chunk line with optional extension, detect overflow. - * There are two error cases: - * 1) If the conversion would require too many bits, APR_EGENERAL is returned. - * 2) If the conversion used the correct number of bits, but an overflow + * There are several error cases: + * 1) If the chunk link is misformatted, APR_EINVAL is returned. + * 2) If the conversion would require too many bits, APR_EGENERAL is returned. + * 3) If the conversion used the correct number of bits, but an overflow * caused only the sign bit to flip, then APR_ENOSPC is returned. - * In general, any negative number can be considered an overflow error. + * A negative chunk length always indicates an overflow error. */ static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer, - apr_size_t len, int linelimit) + apr_size_t len, int linelimit, int strict) { apr_size_t i = 0; @@ -129,6 +130,12 @@ static apr_status_t parse_chunk_size(htt if (ctx->state == BODY_CHUNK_END || ctx->state == BODY_CHUNK_END_LF) { if (c == LF) { + if (strict && (ctx->state != BODY_CHUNK_END_LF)) { + /* + * CR missing before LF. + */ + return APR_EINVAL; + } ctx->state = BODY_CHUNK; } else if (c == CR && ctx->state == BODY_CHUNK_END) { @@ -136,7 +143,7 @@ static apr_status_t parse_chunk_size(htt } else { /* - * LF expected. + * CRLF expected. */ return APR_EINVAL; } @@ -163,6 +170,12 @@ static apr_status_t parse_chunk_size(htt } if (c == LF) { + if (strict && (ctx->state != BODY_CHUNK_LF)) { + /* + * CR missing before LF. + */ + return APR_EINVAL; + } if (ctx->remaining) { ctx->state = BODY_CHUNK_DATA; } 
@@ -184,14 +197,17 @@ static apr_status_t parse_chunk_size(htt } else if (ctx->state == BODY_CHUNK_EXT) { /* - * Control chars (but tabs) are invalid. + * Control chars (excluding tabs) are invalid. + * TODO: more precisely limit input */ if (c != '\t' && apr_iscntrl(c)) { return APR_EINVAL; } } else if (c == ' ' || c == '\t') { - /* Be lenient up to 10 BWS (term from rfc7230 - 3.2.3). + /* Be lenient up to 10 implied *LWS, a legacy of RFC 2616, + * and noted as errata to RFC7230; + * https://www.rfc-editor.org/errata_search.php?rfc=7230&eid=4667 */ ctx->state = BODY_CHUNK_CR; if (++ctx->chunk_bws > 10) { @@ -307,7 +323,10 @@ apr_status_t ap_http_filter(ap_filter_t ap_input_mode_t mode, apr_read_type_e block, apr_off_t readbytes) { - core_server_config *conf; + core_server_config *conf = + (core_server_config *) ap_get_module_config(f->r->server->module_config, + &core_module); + int strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE); apr_bucket *e; http_ctx_t *ctx = f->ctx; apr_status_t rv; @@ -315,9 +334,6 @@ apr_status_t ap_http_filter(ap_filter_t apr_bucket_brigade *bb; int again; - conf = (core_server_config *) - ap_get_module_config(f->r->server->module_config, &core_module); - /* just get out of the way of things we don't want. */ if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) { return ap_get_brigade(f->next, b, mode, block, readbytes); @@ -498,7 +514,7 @@ apr_status_t ap_http_filter(ap_filter_t if (rv == APR_SUCCESS) { parsing = 1; rv = parse_chunk_size(ctx, buffer, len, - f->r->server->limit_req_fieldsize); + f->r->server->limit_req_fieldsize, strict); } if (rv != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_INFO, rv, f->r, APLOGNO(01590) 
@@ -641,14 +657,121 @@ apr_status_t ap_http_filter(ap_filter_t return APR_SUCCESS; } +struct check_header_ctx { + request_rec *r; + int strict; +}; + +/* check a single header, to be used with apr_table_do() */ +static int check_header(struct check_header_ctx *ctx, + const char *name, const char **val) +{ + const char *pos, *end; + char *dst = NULL; + + if (name[0] == '\0') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02428) + "Empty response header name, aborting request"); + return 0; + } + + if (ctx->strict) { + end = ap_scan_http_token(name); + } + else { + end = ap_scan_vchar_obstext(name); + } + if (*end) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02429) + "Response header name '%s' contains invalid " + "characters, aborting request", + name); + return 0; + } + + for (pos = *val; *pos; pos = end) { + end = ap_scan_http_field_content(pos); + if (*end) { + if (end[0] != CR || end[1] != LF || (end[2] != ' ' && + end[2] != '\t')) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02430) + "Response header '%s' value of '%s' contains " + "invalid characters, aborting request", + name, pos); + return 0; + } + if (!dst) { + *val = dst = apr_palloc(ctx->r->pool, strlen(*val) + 1); + } + } + if (dst) { + memcpy(dst, pos, end - pos); + dst += end - pos; + if (*end) { + /* skip folding and replace with a single space */ + end += 3 + strspn(end + 3, "\t "); + *dst++ = ' '; + } + } + } + if (dst) { + *dst = '\0'; + } + return 1; +} + +static int check_headers_table(apr_table_t *t, struct check_header_ctx *ctx) +{ + const apr_array_header_t *headers = apr_table_elts(t); + apr_table_entry_t *header; + int i; + + for (i = 0; i < headers->nelts; ++i) { + header = &APR_ARRAY_IDX(headers, i, apr_table_entry_t); + if (!header->key) { + continue; + } + if (!check_header(ctx, header->key, (const char **)&header->val)) { + return 0; + } + } + return 1; +} + +/** + * Check headers for HTTP conformance + * @return 1 if ok, 0 if bad + */ 
+static APR_INLINE int check_headers(request_rec *r) +{ + struct check_header_ctx ctx; + core_server_config *conf = + ap_get_core_module_config(r->server->module_config); + + ctx.r = r; + ctx.strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE); + return check_headers_table(r->headers_out, &ctx) && + check_headers_table(r->err_headers_out, &ctx); +} + +static int check_headers_recursion(request_rec *r) +{ + void *check = NULL; + apr_pool_userdata_get(&check, "check_headers_recursion", r->pool); + if (check) { + return 1; + } + apr_pool_userdata_setn("true", "check_headers_recursion", NULL, r->pool); + return 0; +} + typedef struct header_struct { apr_pool_t *pool; apr_bucket_brigade *bb; } header_struct; /* Send a single HTTP header field to the client. Note that this function - * is used in calls to table_do(), so their interfaces are co-dependent. - * In other words, don't change this one without checking table_do in alloc.c. + * is used in calls to apr_table_do(), so don't change its interface. * It returns true unless there was a write error of some kind. */ static int form_header_field(header_struct *h, @@ -1133,6 +1256,7 @@ AP_DECLARE_NONSTD(int) ap_send_http_trac typedef struct header_filter_ctx { int headers_sent; + int headers_error; } header_filter_ctx; AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f, 
@@ -1148,19 +1272,24 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_ header_filter_ctx *ctx = f->ctx; const char *ctype; ap_bucket_error *eb = NULL; + apr_bucket *eos = NULL; AP_DEBUG_ASSERT(!r->main); - if (r->header_only) { - if (!ctx) { - ctx = f->ctx = apr_pcalloc(r->pool, sizeof(header_filter_ctx)); - } - else if (ctx->headers_sent) { + if (!ctx) { + ctx = f->ctx = apr_pcalloc(r->pool, sizeof(header_filter_ctx)); + } + if (ctx->headers_sent) { + /* Eat body if response must not have one. */ + if (r->header_only || r->status == HTTP_NO_CONTENT) { apr_brigade_cleanup(b); - return OK; + return APR_SUCCESS; } } + else if (!ctx->headers_error && !check_headers(r)) { + ctx->headers_error = 1; + } for (e = APR_BRIGADE_FIRST(b); e != APR_BRIGADE_SENTINEL(b); e = APR_BUCKET_NEXT(e)) 
@@ -1177,10 +1306,44 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_ ap_remove_output_filter(f); return ap_pass_brigade(f->next, b); } + if (ctx->headers_error && APR_BUCKET_IS_EOS(e)) { + eos = e; + } } - if (eb) { - int status; + if (ctx->headers_error) { + if (!eos) { + /* Eat body until EOS */ + apr_brigade_cleanup(b); + return APR_SUCCESS; + } + /* We may come back here from ap_die() below, + * so clear anything from this response. + */ + ctx->headers_error = 0; + apr_table_clear(r->headers_out); + apr_table_clear(r->err_headers_out); + + /* Don't recall ap_die() if we come back here (from its own internal + * redirect or error response), otherwise we can end up in infinite + * recursion; better fall through with 500, minimal headers and an + * empty body (EOS only). + */ + if (!check_headers_recursion(r)) { + apr_brigade_cleanup(b); + ap_die(HTTP_INTERNAL_SERVER_ERROR, r); + return AP_FILTER_ERROR; + } + APR_BUCKET_REMOVE(eos); + apr_brigade_cleanup(b); + APR_BRIGADE_INSERT_TAIL(b, eos); + r->status = HTTP_INTERNAL_SERVER_ERROR; + r->content_type = r->content_encoding = NULL; + r->content_languages = NULL; + ap_set_content_length(r, 0); + } + else if (eb) { + int status; status = eb->status; apr_brigade_cleanup(b); ap_die(status, r); @@ -1237,6 +1400,10 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_ apr_table_unset(r->headers_out, "Content-Length"); } + if (r->status == HTTP_NO_CONTENT) { + apr_table_unset(r->headers_out, "Content-Length"); + } + ctype = ap_make_content_type(r, r->content_type); if (ctype) { apr_table_setn(r->headers_out, "Content-Type", ctype); 
@@ -1325,11 +1492,11 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_ terminate_header(b2); ap_pass_brigade(f->next, b2); + ctx->headers_sent = 1; - if (r->header_only) { + if (r->header_only || r->status == HTTP_NO_CONTENT) { apr_brigade_cleanup(b); - ctx->headers_sent = 1; - return OK; + return APR_SUCCESS; } r->sent_bodyct = 1; /* Whatever follows is real body stuff... */ Index: apache2-2.4.7/server/core.c =================================================================== --- apache2-2.4.7.orig/server/core.c 2017-05-05 13:47:47.276541299 -0400 +++ apache2-2.4.7/server/core.c 2017-05-05 13:47:47.244540980 -0400 @@ -502,6 +502,15 @@ static void *merge_core_server_configs(a if (virt->trace_enable != AP_TRACE_UNSET) conf->trace_enable = virt->trace_enable; + if (virt->http09_enable != AP_HTTP09_UNSET) + conf->http09_enable = virt->http09_enable; + + if (virt->http_conformance != AP_HTTP_CONFORMANCE_UNSET) + conf->http_conformance = virt->http_conformance; + + if (virt->http_methods != AP_HTTP_METHODS_UNSET) + conf->http_methods = virt->http_methods; + /* no action for virt->accf_map, not allowed per-vhost */ if (virt->protocol) 
@@ -3619,6 +3628,57 @@ static const char *set_trace_enable(cmd_ return NULL; } +static const char *set_http_protocol_options(cmd_parms *cmd, void *dummy, + const char *arg) +{ + core_server_config *conf = + ap_get_core_module_config(cmd->server->module_config); + + if (strcasecmp(arg, "allow0.9") == 0) + conf->http09_enable |= AP_HTTP09_ENABLE; + else if (strcasecmp(arg, "require1.0") == 0) + conf->http09_enable |= AP_HTTP09_DISABLE; + else if (strcasecmp(arg, "strict") == 0) + conf->http_conformance |= AP_HTTP_CONFORMANCE_STRICT; + else if (strcasecmp(arg, "unsafe") == 0) + conf->http_conformance |= AP_HTTP_CONFORMANCE_UNSAFE; + else if (strcasecmp(arg, "registeredmethods") == 0) + conf->http_methods |= AP_HTTP_METHODS_REGISTERED; + else if (strcasecmp(arg, "lenientmethods") == 0) + conf->http_methods |= AP_HTTP_METHODS_LENIENT; + else + return "HttpProtocolOptions accepts " + "'Unsafe' or 'Strict' (default), " + "'RegisteredMethods' or 'LenientMethods' (default), and " + "'Require1.0' or 'Allow0.9' (default)"; + + if ((conf->http09_enable & AP_HTTP09_ENABLE) + && (conf->http09_enable & AP_HTTP09_DISABLE)) + return "HttpProtocolOptions 'Allow0.9' and 'Require1.0'" + " are mutually exclusive"; + + if ((conf->http_conformance & AP_HTTP_CONFORMANCE_STRICT) + && (conf->http_conformance & AP_HTTP_CONFORMANCE_UNSAFE)) + return "HttpProtocolOptions 'Strict' and 'Unsafe'" + " are mutually exclusive"; + + if ((conf->http_methods & AP_HTTP_METHODS_REGISTERED) + && (conf->http_methods & AP_HTTP_METHODS_LENIENT)) + return "HttpProtocolOptions 'RegisteredMethods' and 'LenientMethods'" + " are mutually exclusive"; + + return NULL; +} + +static const char *set_http_method(cmd_parms *cmd, void *conf, const char *arg) +{ + const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + if (err != NULL) + return err; + ap_method_register(cmd->pool, arg); + return NULL; +} + static apr_hash_t *errorlog_hash; static int log_constant_item(const ap_errorlog_info *info, const char *arg, 
@@ -4130,6 +4190,12 @@ AP_INIT_TAKE1("TraceEnable", set_trace_e "'on' (default), 'off' or 'extended' to trace request body content"), AP_INIT_FLAG("MergeTrailers", set_merge_trailers, NULL, RSRC_CONF, "merge request trailers into request headers or not"), +AP_INIT_ITERATE("HttpProtocolOptions", set_http_protocol_options, NULL, RSRC_CONF, + "'Allow0.9' or 'Require1.0' (default); " + "'RegisteredMethods' or 'LenientMethods' (default); " + "'Unsafe' or 'Strict' (default). Sets HTTP acceptance rules"), +AP_INIT_ITERATE("RegisterHttpMethod", set_http_method, NULL, RSRC_CONF, + "Registers non-standard HTTP methods"), { NULL } }; Index: apache2-2.4.7/server/gen_test_char.c =================================================================== --- apache2-2.4.7.orig/server/gen_test_char.c 2017-05-05 13:47:47.276541299 -0400 +++ apache2-2.4.7/server/gen_test_char.c 2017-05-05 13:47:47.248541020 -0400 @@ -16,11 +16,11 @@ #ifdef CROSS_COMPILE +#include #define apr_isalnum(c) (isalnum(((unsigned char)(c)))) #define apr_isalpha(c) (isalpha(((unsigned char)(c)))) #define apr_iscntrl(c) (iscntrl(((unsigned char)(c)))) #define apr_isprint(c) (isprint(((unsigned char)(c)))) -#include #define APR_HAVE_STDIO_H 1 #define APR_HAVE_STRING_H 1 @@ -52,11 +52,13 @@ #define T_ESCAPE_LOGITEM (0x10) #define T_ESCAPE_FORENSIC (0x20) #define T_ESCAPE_URLENCODED (0x40) +#define T_HTTP_CTRLS (0x80) +#define T_VCHAR_OBSTEXT (0x100) int main(int argc, char *argv[]) { unsigned c; - unsigned char flags; + unsigned short flags; printf("/* this file is automatically generated by gen_test_char, " "do not edit */\n" 
@@ -67,19 +69,23 @@ int main(int argc, char *argv[]) "#define T_ESCAPE_LOGITEM (%u)\n" "#define T_ESCAPE_FORENSIC (%u)\n" "#define T_ESCAPE_URLENCODED (%u)\n" + "#define T_HTTP_CTRLS (%u)\n" + "#define T_VCHAR_OBSTEXT (%u)\n" "\n" - "static const unsigned char test_char_table[256] = {", + "static const unsigned short test_char_table[256] = {", T_ESCAPE_SHELL_CMD, T_ESCAPE_PATH_SEGMENT, T_OS_ESCAPE_PATH, T_HTTP_TOKEN_STOP, T_ESCAPE_LOGITEM, T_ESCAPE_FORENSIC, - T_ESCAPE_URLENCODED); + T_ESCAPE_URLENCODED, + T_HTTP_CTRLS, + T_VCHAR_OBSTEXT); for (c = 0; c < 256; ++c) { flags = 0; - if (c % 20 == 0) + if (c % 8 == 0) printf("\n "); /* escape_shell_cmd */ @@ -107,7 +113,7 @@ int main(int argc, char *argv[]) flags |= T_ESCAPE_PATH_SEGMENT; } - if (!apr_isalnum(c) && !strchr("$-_.+!*'(),:@&=/~", c)) { + if (!apr_isalnum(c) && !strchr("$-_.+!*'(),:;@&=/~", c)) { flags |= T_OS_ESCAPE_PATH; } 
@@ -115,11 +121,32 @@ int main(int argc, char *argv[]) flags |= T_ESCAPE_URLENCODED; } - /* these are the "tspecials" (RFC2068) or "separators" (RFC2616) */ - if (c && (apr_iscntrl(c) || strchr(" \t()<>@,;:\\\"/[]?={}", c))) { + /* Stop for any non-'token' character, including ctrls, obs-text, + * and "tspecials" (RFC2068) a.k.a. "separators" (RFC2616), which + * is easer to express as characters remaining in the ASCII token set + */ + if (!c || !(apr_isalnum(c) || strchr("!#$%&'*+-.^_`|~", c))) { flags |= T_HTTP_TOKEN_STOP; } + /* Catch CTRLs other than VCHAR, HT and SP, and obs-text (RFC7230 3.2) + * This includes only the C0 plane, not C1 (which is obs-text itself.) + * XXX: We should verify that all ASCII C0 ctrls/DEL corresponding to + * the current EBCDIC translation are captured, and ASCII C1 ctrls + * corresponding are all permitted (as they fall under obs-text rule) + */ + if (!c || (apr_iscntrl(c) && c != '\t')) { + flags |= T_HTTP_CTRLS; + } + + /* From RFC3986, the specific sets of gen-delims, sub-delims (2.2), + * and unreserved (2.3) that are possible somewhere within a URI. + * Spec requires all others to be %XX encoded, including obs-text. + */ + if (c && !apr_iscntrl(c) && c != ' ') { + flags |= T_VCHAR_OBSTEXT; + } + /* For logging, escape all control characters, * double quotes (because they delimit the request in the log file) * backslashes (because we use backslash for escaping) @@ -137,7 +164,7 @@ int main(int argc, char *argv[]) flags |= T_ESCAPE_FORENSIC; } - printf("%u%c", flags, (c < 255) ? ',' : ' '); + printf("0x%03x%c", flags, (c < 255) ? ',' : ' '); } printf("\n};\n"); Index: apache2-2.4.7/server/protocol.c =================================================================== --- apache2-2.4.7.orig/server/protocol.c 2017-05-05 13:47:47.276541299 -0400 +++ apache2-2.4.7/server/protocol.c 2017-05-05 13:48:14.248809888 -0400 
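Review bot: The comment above the `T_VCHAR_OBSTEXT` test does not describe the condition it sits on. It describes the RFC3986 gen-delims, sub-delims and unreserved sets, but `c && !apr_iscntrl(c) && c != ' '` flags every byte that is not NUL, a control character or SP. That includes `"`, `<`, `>` and, in the C locale, bytes 0x80-0xFF. A reader could take a scan based on this flag for a URI-character check, which it is not. Suggested wording: `/* VCHAR or obs-text (RFC7230 3.2.6): any byte except NUL, CTLs and SP; this is not an RFC3986 URI-character test */`. main's loop body continues outside this hunk.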
@@ -188,6 +188,10 @@ AP_DECLARE(apr_time_t) ap_rationalize_mt /* Get a line of protocol input, including any continuation lines * caused by MIME folding (or broken clients) if fold != 0, and place it * in the buffer s, of size n bytes, without the ending newline. + * + * Pulls from r->proto_input_filters instead of r->input_filters for + * stricter protocol adherence and better input filter behavior during + * chunked trailer processing (for http). * * If s is NULL, ap_rgetline_core will allocate necessary memory from r->pool. * @@ -197,7 +201,7 @@ AP_DECLARE(apr_time_t) ap_rationalize_mt * APR_ENOSPC is returned if there is not enough buffer space. * Other errors may be returned on other errors. * - * The LF is *not* returned in the buffer. Therefore, a *read of 0 + * The [CR]LF are *not* returned in the buffer. Therefore, a *read of 0 * indicates that an empty line was read. * * Notes: Because the buffer uses 1 char for NUL, the most we can return is @@ -208,13 +212,15 @@ AP_DECLARE(apr_time_t) ap_rationalize_mt */ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n, apr_size_t *read, request_rec *r, - int fold, apr_bucket_brigade *bb) + int flags, apr_bucket_brigade *bb) { apr_status_t rv; apr_bucket *e; apr_size_t bytes_handled = 0, current_alloc = 0; char *pos, *last_char = *s; int do_alloc = (*s == NULL), saw_eos = 0; + int fold = flags & AP_GETLINE_FOLD; + int crlf = flags & AP_GETLINE_CRLF; /* * Initialize last_char as otherwise a random value will be compared 
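Review bot: The header comment of ap_rgetline_core still says folding happens "if fold != 0", but the -208 hunk on this line renames that parameter to `flags` and derives `fold` and `crlf` from `AP_GETLINE_FOLD` and `AP_GETLINE_CRLF`. The comment also names only APR_ENOSPC as a specific error, while the -318 hunk adds an APR_EINVAL return when `crlf` is set and the line does not end in CR LF. Callers need both facts to pass the right flags and to map the new error to a 400. Suggest `if flags & AP_GETLINE_FOLD` in the first sentence and an added line `* APR_EINVAL is returned if AP_GETLINE_CRLF is set and the line is not CRLF-terminated.`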
@@ -226,13 +232,15 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor for (;;) { apr_brigade_cleanup(bb); - rv = ap_get_brigade(r->input_filters, bb, AP_MODE_GETLINE, + rv = ap_get_brigade(r->proto_input_filters, bb, AP_MODE_GETLINE, APR_BLOCK_READ, 0); if (rv != APR_SUCCESS) { return rv; } - /* Something horribly wrong happened. Someone didn't block! */ + /* Something horribly wrong happened. Someone didn't block! + * (this also happens at the end of each keepalive connection) + */ if (APR_BRIGADE_EMPTY(bb)) { return APR_EGENERAL; } @@ -318,6 +326,13 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor } } + if (crlf && (last_char <= *s || last_char[-1] != APR_ASCII_CR)) { + *last_char = '\0'; + bytes_handled = last_char - *s; + *read = bytes_handled; + return APR_EINVAL; + } + /* Now NUL-terminate the string at the end of the line; * if the last-but-one character is a CR, terminate there */ if (last_char > *s && last_char[-1] == APR_ASCII_CR) { @@ -340,7 +355,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor apr_brigade_cleanup(bb); /* We only care about the first byte. */ - rv = ap_get_brigade(r->input_filters, bb, AP_MODE_SPECULATIVE, + rv = ap_get_brigade(r->proto_input_filters, bb, AP_MODE_SPECULATIVE, APR_BLOCK_READ, 1); if (rv != APR_SUCCESS) { return rv; @@ -391,7 +406,8 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor */ if (do_alloc) { tmp = NULL; - } else { + } + else { /* We're null terminated. */ tmp = last_char; } @@ -461,7 +477,7 @@ AP_DECLARE(apr_status_t) ap_rgetline(cha } #endif -AP_DECLARE(int) ap_getline(char *s, int n, request_rec *r, int fold) +AP_DECLARE(int) ap_getline(char *s, int n, request_rec *r, int flags) { char *tmp_s = s; apr_status_t rv; 
@@ -469,7 +485,7 @@ AP_DECLARE(int) ap_getline(char *s, int apr_bucket_brigade *tmp_bb; tmp_bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); - rv = ap_rgetline(&tmp_s, n, &len, r, fold, tmp_bb); + rv = ap_rgetline(&tmp_s, n, &len, r, flags, tmp_bb); apr_brigade_destroy(tmp_bb); /* Map the out-of-space condition to the old API. */ @@ -549,17 +565,30 @@ AP_CORE_DECLARE(void) ap_parse_uri(reque } } -static int read_request_line(request_rec *r, apr_bucket_brigade *bb) +/* get the length of the field name for logging, but no more than 80 bytes */ +#define LOG_NAME_MAX_LEN 80 +static int field_name_len(const char *field) { - const char *ll; - const char *uri; - const char *pro; + const char *end = ap_strchr_c(field, ':'); + if (end == NULL || end - field > LOG_NAME_MAX_LEN) + return LOG_NAME_MAX_LEN; + return end - field; +} - int major = 1, minor = 0; /* Assume HTTP/1.0 if non-"HTTP" protocol */ - char http[5]; +static int read_request_line(request_rec *r, apr_bucket_brigade *bb) +{ + enum { + rrl_none, rrl_badmethod, rrl_badwhitespace, rrl_excesswhitespace, + rrl_missinguri, rrl_baduri, rrl_badprotocol, rrl_trailingtext, + rrl_badmethod09, rrl_reject09 + } deferred_error = rrl_none; + char *ll; + char *uri; apr_size_t len; int num_blank_lines = 0; int max_blank_lines = r->server->limit_req_fields; + core_server_config *conf = ap_get_core_module_config(r->server->module_config); + int strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE); if (max_blank_lines <= 0) { max_blank_lines = DEFAULT_LIMIT_REQUEST_FIELDS; @@ -588,7 +617,7 @@ static int read_request_line(request_rec */ r->the_request = NULL; rv = ap_rgetline(&(r->the_request), (apr_size_t)(r->server->limit_req_line + 2), - &len, r, 0, bb); + &len, r, strict ? AP_GETLINE_CRLF : 0, bb); if (rv != APR_SUCCESS) { r->request_time = apr_time_now(); 
@@ -599,8 +628,6 @@ static int read_request_line(request_rec */ if (APR_STATUS_IS_ENOSPC(rv)) { r->status = HTTP_REQUEST_URI_TOO_LARGE; - r->proto_num = HTTP_VERSION(1,0); - r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); } else if (APR_STATUS_IS_TIMEUP(rv)) { r->status = HTTP_REQUEST_TIME_OUT; @@ -608,6 +635,8 @@ static int read_request_line(request_rec else if (APR_STATUS_IS_EINVAL(rv)) { r->status = HTTP_BAD_REQUEST; } + r->proto_num = HTTP_VERSION(1,0); + r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); return 0; } } while ((len <= 0) && (++num_blank_lines < max_blank_lines)); 
@@ -619,46 +648,263 @@ static int read_request_line(request_rec } r->request_time = apr_time_now(); - ll = r->the_request; - r->method = ap_getword_white(r->pool, &ll); + r->method = r->the_request; - uri = ap_getword_white(r->pool, &ll); + /* If there is whitespace before a method, skip it and mark in error */ + if (apr_isspace(*r->method)) { + deferred_error = rrl_badwhitespace; + for ( ; apr_isspace(*r->method); ++r->method) + ; + } - /* Provide quick information about the request method as soon as known */ + /* Scan the method up to the next whitespace, ensure it contains only + * valid http-token characters, otherwise mark in error + */ + if (strict) { + ll = (char*) ap_scan_http_token(r->method); + } + else { + ll = (char*) ap_scan_vchar_obstext(r->method); + } - r->method_number = ap_method_number_of(r->method); - if (r->method_number == M_GET && r->method[0] == 'H') { - r->header_only = 1; + if (((ll == r->method) || (*ll && !apr_isspace(*ll))) + && deferred_error == rrl_none) { + deferred_error = rrl_badmethod; + ll = strpbrk(ll, "\t\n\v\f\r "); } - ap_parse_uri(r, uri); + /* Verify method terminated with a single SP, or mark as specific error */ + if (!ll) { + if (deferred_error == rrl_none) + deferred_error = rrl_missinguri; + r->protocol = uri = ""; + len = 0; + goto rrl_done; + } + else if (strict && ll[0] && apr_isspace(ll[1]) + && deferred_error == rrl_none) { + deferred_error = rrl_excesswhitespace; + } + /* Advance uri pointer over leading whitespace, NUL terminate the method + * If non-SP whitespace is encountered, mark as specific error + */ + for (uri = ll; apr_isspace(*uri); ++uri) + if (*uri != ' ' && deferred_error == rrl_none) + deferred_error = rrl_badwhitespace; + *ll = '\0'; + + if (!*uri && deferred_error == rrl_none) + deferred_error = rrl_missinguri; - if (ll[0]) { + /* Scan the URI up to the next whitespace, ensure it contains no raw + * control characters, otherwise mark in error + */ + ll = (char*) ap_scan_vchar_obstext(uri); + if 
(ll == uri || (*ll && !apr_isspace(*ll))) { + deferred_error = rrl_baduri; + ll = strpbrk(ll, "\t\n\v\f\r "); + } + + /* Verify URI terminated with a single SP, or mark as specific error */ + if (!ll) { + r->protocol = ""; + len = 0; + goto rrl_done; + } + else if (strict && ll[0] && apr_isspace(ll[1]) + && deferred_error == rrl_none) { + deferred_error = rrl_excesswhitespace; + } + + /* Advance protocol pointer over leading whitespace, NUL terminate the uri + * If non-SP whitespace is encountered, mark as specific error + */ + for (r->protocol = ll; apr_isspace(*r->protocol); ++r->protocol) + if (*r->protocol != ' ' && deferred_error == rrl_none) + deferred_error = rrl_badwhitespace; + *ll = '\0'; + + /* Scan the protocol up to the next whitespace, validation comes later */ + if (!(ll = (char*) ap_scan_vchar_obstext(r->protocol))) { + len = strlen(r->protocol); + goto rrl_done; + } + len = ll - r->protocol; + + /* Advance over trailing whitespace, if found mark in error, + * determine if trailing text is found, unconditionally mark in error, + * finally NUL terminate the protocol string + */ + if (*ll && !apr_isspace(*ll)) { + deferred_error = rrl_badprotocol; + } + else if (strict && *ll) { + deferred_error = rrl_excesswhitespace; + } + else { + for ( ; apr_isspace(*ll); ++ll) + if (*ll != ' ' && deferred_error == rrl_none) + deferred_error = rrl_badwhitespace; + if (*ll && deferred_error == rrl_none) + deferred_error = rrl_trailingtext; + } + *((char *)r->protocol + len) = '\0'; + +rrl_done: + /* For internal integrety and palloc efficiency, reconstruct the_request + * in one palloc, using only single SP characters, per spec. + */ + r->the_request = apr_pstrcat(r->pool, r->method, *uri ? " " : NULL, uri, + *r->protocol ? " " : NULL, r->protocol, NULL); + + if (len == 8 + && r->protocol[0] == 'H' && r->protocol[1] == 'T' + && r->protocol[2] == 'T' && r->protocol[3] == 'P' + && r->protocol[4] == '/' && apr_isdigit(r->protocol[5]) + && r->protocol[6] == '.' 
&& apr_isdigit(r->protocol[7]) + && r->protocol[5] != '0') { r->assbackwards = 0; - pro = ll; - len = strlen(ll); - } else { + r->proto_num = HTTP_VERSION(r->protocol[5] - '0', r->protocol[7] - '0'); + } + else if (len == 8 + && (r->protocol[0] == 'H' || r->protocol[0] == 'h') + && (r->protocol[1] == 'T' || r->protocol[1] == 't') + && (r->protocol[2] == 'T' || r->protocol[2] == 't') + && (r->protocol[3] == 'P' || r->protocol[3] == 'p') + && r->protocol[4] == '/' && apr_isdigit(r->protocol[5]) + && r->protocol[6] == '.' && apr_isdigit(r->protocol[7]) + && r->protocol[5] != '0') { + r->assbackwards = 0; + r->proto_num = HTTP_VERSION(r->protocol[5] - '0', r->protocol[7] - '0'); + if (strict && deferred_error == rrl_none) + deferred_error = rrl_badprotocol; + else + memcpy((char*)r->protocol, "HTTP", 4); + } + else if (r->protocol[0]) { + r->proto_num = HTTP_VERSION(0, 9); + /* Defer setting the r->protocol string till error msg is composed */ + if (deferred_error == rrl_none) + deferred_error = rrl_badprotocol; + } + else { r->assbackwards = 1; - pro = "HTTP/0.9"; - len = 8; + r->protocol = apr_pstrdup(r->pool, "HTTP/0.9"); + r->proto_num = HTTP_VERSION(0, 9); } - r->protocol = apr_pstrmemdup(r->pool, pro, len); - /* Avoid sscanf in the common case */ - if (len == 8 - && pro[0] == 'H' && pro[1] == 'T' && pro[2] == 'T' && pro[3] == 'P' - && pro[4] == '/' && apr_isdigit(pro[5]) && pro[6] == '.' 
- && apr_isdigit(pro[7])) { - r->proto_num = HTTP_VERSION(pro[5] - '0', pro[7] - '0'); - } - else if (3 == sscanf(r->protocol, "%4s/%u.%u", http, &major, &minor) - && (strcasecmp("http", http) == 0) - && (minor < HTTP_VERSION(1, 0)) ) /* don't allow HTTP/0.1000 */ - r->proto_num = HTTP_VERSION(major, minor); - else - r->proto_num = HTTP_VERSION(1, 0); + /* Determine the method_number and parse the uri prior to invoking error + * handling, such that these fields are available for subsitution + */ + r->method_number = ap_method_number_of(r->method); + if (r->method_number == M_GET && r->method[0] == 'H') + r->header_only = 1; + + ap_parse_uri(r, uri); + + /* With the request understood, we can consider HTTP/0.9 specific errors */ + if (r->proto_num == HTTP_VERSION(0, 9) && deferred_error == rrl_none) { + if (conf->http09_enable == AP_HTTP09_DISABLE) + deferred_error = rrl_reject09; + else if (strict && (r->method_number != M_GET || r->header_only)) + deferred_error = rrl_badmethod09; + } + + /* Now that the method, uri and protocol are all processed, + * we can safely resume any deferred error reporting + */ + if (deferred_error != rrl_none) { + if (deferred_error == rrl_badmethod) + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03445) + "HTTP Request Line; Invalid method token: '%.*s'", + field_name_len(r->method), r->method); + else if (deferred_error == rrl_badmethod09) + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03444) + "HTTP Request Line; Invalid method token: '%.*s'" + " (only GET is allowed for HTTP/0.9 requests)", + field_name_len(r->method), r->method); + else if (deferred_error == rrl_missinguri) + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03446) + "HTTP Request Line; Missing URI"); + else if (deferred_error == rrl_baduri) + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03454) + "HTTP Request Line; URI incorrectly encoded: '%.*s'", + field_name_len(r->uri), r->uri); + else if (deferred_error == rrl_badwhitespace) + 
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03447) + "HTTP Request Line; Invalid whitespace"); + else if (deferred_error == rrl_excesswhitespace) + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03448) + "HTTP Request Line; Excess whitespace " + "(disallowed by HttpProtocolOptions Strict"); + else if (deferred_error == rrl_trailingtext) + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03449) + "HTTP Request Line; Extraneous text found '%.*s' " + "(perhaps whitespace was injected?)", + field_name_len(ll), ll); + else if (deferred_error == rrl_reject09) + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02401) + "HTTP Request Line; Rejected HTTP/0.9 request"); + else if (deferred_error == rrl_badprotocol) + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02418) + "HTTP Request Line; Unrecognized protocol '%.*s' " + "(perhaps whitespace was injected?)", + field_name_len(r->protocol), r->protocol); + r->status = HTTP_BAD_REQUEST; + goto rrl_failed; + } + + if (conf->http_methods == AP_HTTP_METHODS_REGISTERED + && r->method_number == M_INVALID) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02423) + "HTTP Request Line; Unrecognized HTTP method: '%.*s' " + "(disallowed by RegisteredMethods)", + field_name_len(r->method), r->method); + r->status = HTTP_NOT_IMPLEMENTED; + /* This can't happen in an HTTP/0.9 request, we verified GET above */ + return 0; + } + + if (r->status != HTTP_OK) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03450) + "HTTP Request Line; Unable to parse URI: '%.*s'", + field_name_len(r->uri), r->uri); + goto rrl_failed; + } + if (strict) { + if (r->parsed_uri.fragment) { + /* RFC3986 3.5: no fragment */ + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02421) + "HTTP Request Line; URI must not contain a fragment"); + r->status = HTTP_BAD_REQUEST; + goto rrl_failed; + } + if (r->parsed_uri.user || r->parsed_uri.password) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02422) + "HTTP 
Request Line; URI must not contain a " + "username/password"); + r->status = HTTP_BAD_REQUEST; + goto rrl_failed; + } + } return 1; + +rrl_failed: + if (r->proto_num == HTTP_VERSION(0, 9)) { + /* Send all parsing and protocol error response with 1.x behavior, + * and reserve 505 errors for actual HTTP protocols presented. + * As called out in RFC7230 3.5, any errors parsing the protocol + * from the request line are nearly always misencoded HTTP/1.x + * requests. Only a valid 0.9 request with no parsing errors + * at all may be treated as a simple request, if allowed. + */ + r->assbackwards = 0; + r->connection->keepalive = AP_CONN_CLOSE; + r->proto_num = HTTP_VERSION(1, 0); + r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); + } + return 0; } static int table_do_fn_check_lengths(void *r_, const char *key, @@ -670,26 +916,13 @@ static int table_do_fn_check_lengths(voi r->status = HTTP_BAD_REQUEST; apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, "Size of a request header field " - "after merging exceeds server limit.
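Review bot: The URI and protocol messages in the deferred-error block pass `field_name_len(...)` as the `%.*s` precision, and that helper stops at the first ':' because it was written for header field names. A rejected request target that contains a colon is therefore logged only up to that colon, which drops the part most useful when triaging a 400. A plain bound is enough at these call sites, e.g. `"HTTP Request Line; URI incorrectly encoded: '%.*s'", LOG_NAME_MAX_LEN, r->uri);`, and the same applies to the "Unable to parse URI" message. read_request_line starts before this hunk.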
" - "\n
\n",
-                               ap_escape_html(r->pool, key),
-                               "
\n", NULL)); - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00560) "Request header " - "exceeds LimitRequestFieldSize after merging: %s", key); + "Size of a request header field exceeds server limit."); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00560) "Request " + "header exceeds LimitRequestFieldSize after merging: %.*s", + field_name_len(key), key); return 0; } -/* get the length of the field name for logging, but no more than 80 bytes */ -#define LOG_NAME_MAX_LEN 80 -static int field_name_len(const char *field) -{ - const char *end = ap_strchr_c(field, ':'); - if (end == NULL || end - field > LOG_NAME_MAX_LEN) - return LOG_NAME_MAX_LEN; - return end - field; -} - AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb) { char *last_field = NULL; @@ -700,6 +933,8 @@ AP_DECLARE(void) ap_get_mime_headers_cor apr_size_t len; int fields_read = 0; char *tmp_field; + core_server_config *conf = ap_get_core_module_config(r->server->module_config); + int strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE); /* * Read header lines until we get the empty separator line, a read error, @@ -707,11 +942,10 @@ AP_DECLARE(void) ap_get_mime_headers_cor */ while(1) { apr_status_t rv; - int folded = 0; field = NULL; rv = ap_rgetline(&field, r->server->limit_req_fieldsize + 2, - &len, r, 0, bb); + &len, r, strict ? AP_GETLINE_CRLF : 0, bb); if (rv != APR_SUCCESS) { if (APR_STATUS_IS_TIMEUP(rv)) { @@ -728,153 +962,217 @@ AP_DECLARE(void) ap_get_mime_headers_cor * exceeds the configured limit for a field size. */ if (rv == APR_ENOSPC) { - const char *field_escaped; - if (field) { - /* ensure ap_escape_html will terminate correctly */ - field[len - 1] = '\0'; - field_escaped = ap_escape_html(r->pool, field); - } - else { - field_escaped = field = ""; - } - apr_table_setn(r->notes, "error-notes", - apr_psprintf(r->pool, - "Size of a request header field " - "exceeds server limit.
\n" - "
\n%.*s\n
\n", - field_name_len(field_escaped), - field_escaped)); + "Size of a request header field " + "exceeds server limit."); ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00561) "Request header exceeds LimitRequestFieldSize%s" "%.*s", - *field ? ": " : "", - field_name_len(field), field); + (field && *field) ? ": " : "", + (field) ? field_name_len(field) : 0, + (field) ? field : ""); } return; } - if (last_field != NULL) { - if ((len > 0) && ((*field == '\t') || *field == ' ')) { - /* This line is a continuation of the preceding line(s), - * so append it to the line that we've set aside. - * Note: this uses a power-of-two allocator to avoid - * doing O(n) allocs and using O(n^2) space for - * continuations that span many many lines. - */ - apr_size_t fold_len = last_len + len + 1; /* trailing null */ + /* For all header values, and all obs-fold lines, the presence of + * additional whitespace is a no-op, so collapse trailing whitespace + * to save buffer allocation and optimize copy operations. + * Do not remove the last single whitespace under any condition. + */ + while (len > 1 && (field[len-1] == '\t' || field[len-1] == ' ')) { + field[--len] = '\0'; + } + + if (*field == '\t' || *field == ' ') { + /* Append any newly-read obs-fold line onto the preceding + * last_field line we are processing + */ + apr_size_t fold_len; - if (fold_len >= (apr_size_t)(r->server->limit_req_fieldsize)) { - r->status = HTTP_BAD_REQUEST; - /* report what we have accumulated so far before the - * overflow (last_field) as the field with the problem - */ - apr_table_setn(r->notes, "error-notes", - apr_psprintf(r->pool, - "Size of a request header field " - "after folding " - "exceeds server limit.
\n" - "
\n%.*s\n
\n", - field_name_len(last_field), - ap_escape_html(r->pool, last_field))); - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00562) - "Request header exceeds LimitRequestFieldSize " - "after folding: %.*s", - field_name_len(last_field), last_field); - return; - } + if (last_field == NULL) { + r->status = HTTP_BAD_REQUEST; + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03442) + "Line folding encountered before first" + " header line"); + return; + } + + if (field[1] == '\0') { + r->status = HTTP_BAD_REQUEST; + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03443) + "Empty folded line encountered"); + return; + } + + /* Leading whitespace on an obs-fold line can be + * similarly discarded */ + while (field[1] == '\t' || field[1] == ' ') { + ++field; --len; + } + + /* This line is a continuation of the preceding line(s), + * so append it to the line that we've set aside. + * Note: this uses a power-of-two allocator to avoid + * doing O(n) allocs and using O(n^2) space for + * continuations that span many many lines. 
+ */ + fold_len = last_len + len + 1; /* trailing null */ + if (fold_len >= (apr_size_t)(r->server->limit_req_fieldsize)) { + r->status = HTTP_BAD_REQUEST; + /* report what we have accumulated so far before the + * overflow (last_field) as the field with the problem + */ + apr_table_setn(r->notes, "error-notes", + "Size of a request header field " + "exceeds server limit."); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00562) + "Request header exceeds LimitRequestFieldSize " + "after folding: %.*s", + field_name_len(last_field), last_field); + return; + } + + if (fold_len > alloc_len) { + char *fold_buf; + alloc_len += alloc_len; if (fold_len > alloc_len) { - char *fold_buf; - alloc_len += alloc_len; - if (fold_len > alloc_len) { - alloc_len = fold_len; - } - fold_buf = (char *)apr_palloc(r->pool, alloc_len); - memcpy(fold_buf, last_field, last_len); - last_field = fold_buf; + alloc_len = fold_len; } - memcpy(last_field + last_len, field, len +1); /* +1 for nul */ - last_len += len; - folded = 1; - } - else /* not a continuation line */ { + fold_buf = (char *)apr_palloc(r->pool, alloc_len); + memcpy(fold_buf, last_field, last_len); + last_field = fold_buf; + } + memcpy(last_field + last_len, field, len +1); /* +1 for nul */ + /* Replace obs-fold w/ SP per RFC 7230 3.2.4 */ + last_field[last_len] = ' '; + last_len += len; + + /* We've appended this obs-fold line to last_len, proceed to + * read the next input line + */ + continue; + } + else if (last_field != NULL) { - if (r->server->limit_req_fields + /* Process the previous last_field header line with all obs-folded + * segments already concatinated (this is not operating on the + * most recently read input line). 
+ */ + + if (r->server->limit_req_fields && (++fields_read > r->server->limit_req_fields)) { - r->status = HTTP_BAD_REQUEST; - apr_table_setn(r->notes, "error-notes", - "The number of request header fields " - "exceeds this server's limit."); - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00563) - "Number of request headers exceeds " - "LimitRequestFields"); - return; - } + r->status = HTTP_BAD_REQUEST; + apr_table_setn(r->notes, "error-notes", + "The number of request header fields " + "exceeds this server's limit."); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00563) + "Number of request headers exceeds " + "LimitRequestFields"); + return; + } - if (!(value = strchr(last_field, ':'))) { /* Find ':' or */ - r->status = HTTP_BAD_REQUEST; /* abort bad request */ - apr_table_setn(r->notes, "error-notes", - apr_psprintf(r->pool, - "Request header field is " - "missing ':' separator.
\n" - "
\n%.*s
\n", - (int)LOG_NAME_MAX_LEN, - ap_escape_html(r->pool, - last_field))); - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00564) + if (!strict) + { + /* Not Strict ('Unsafe' mode), using the legacy parser */ + + if (!(value = strchr(last_field, ':'))) { /* Find ':' or */ + r->status = HTTP_BAD_REQUEST; /* abort bad request */ + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00564) "Request header field is missing ':' " "separator: %.*s", (int)LOG_NAME_MAX_LEN, last_field); return; } - tmp_field = value - 1; /* last character of field-name */ + /* last character of field-name */ + tmp_field = value - (value > last_field ? 1 : 0); *value++ = '\0'; /* NUL-terminate at colon */ + if (strpbrk(last_field, "\t\n\v\f\r ")) { + r->status = HTTP_BAD_REQUEST; + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03452) + "Request header field name presented" + " invalid whitespace"); + return; + } + while (*value == ' ' || *value == '\t') { - ++value; /* Skip to start of value */ + ++value; /* Skip to start of value */ } - /* Strip LWS after field-name: */ - while (tmp_field > last_field - && (*tmp_field == ' ' || *tmp_field == '\t')) { - *tmp_field-- = '\0'; + if (strpbrk(value, "\n\v\f\r")) { + r->status = HTTP_BAD_REQUEST; + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03451) + "Request header field value presented" + " bad whitespace"); + return; } - /* Strip LWS after field-value: */ - tmp_field = last_field + last_len - 1; - while (tmp_field > value - && (*tmp_field == ' ' || *tmp_field == '\t')) { - *tmp_field-- = '\0'; + if (tmp_field == last_field) { + r->status = HTTP_BAD_REQUEST; + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03453) + "Request header field name was empty"); + return; + } + } + else /* Using strict RFC7230 parsing */ + { + /* Ensure valid token chars before ':' per RFC 7230 3.2.4 */ + value = (char *)ap_scan_http_token(last_field); + if ((value == last_field) || *value != ':') { + r->status = HTTP_BAD_REQUEST; + 
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02426) + "Request header field name is malformed: " + "%.*s", (int)LOG_NAME_MAX_LEN, last_field); + return; + } + + *value++ = '\0'; /* NUL-terminate last_field name at ':' */ + + while (*value == ' ' || *value == '\t') { + ++value; /* Skip LWS of value */ } - apr_table_addn(r->headers_in, last_field, value); + /* Find invalid, non-HT ctrl char, or the trailing NULL */ + tmp_field = (char *)ap_scan_http_field_content(value); - /* reset the alloc_len so that we'll allocate a new - * buffer if we have to do any more folding: we can't - * use the previous buffer because its contents are - * now part of r->headers_in + /* Reject value for all garbage input (CTRLs excluding HT) + * e.g. only VCHAR / SP / HT / obs-text are allowed per + * RFC7230 3.2.6 - leave all more explicit rule enforcement + * for specific header handler logic later in the cycle */ - alloc_len = 0; + if (*tmp_field != '\0') { + r->status = HTTP_BAD_REQUEST; + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02427) + "Request header value is malformed: " + "%.*s", (int)LOG_NAME_MAX_LEN, value); + return; + } + } - } /* end if current line is not a continuation starting with tab */ + apr_table_addn(r->headers_in, last_field, value); + + /* This last_field header is now stored in headers_in, + * resume processing of the current input line. + */ } - /* Found a blank line, stop. */ + /* Found the terminating empty end-of-headers line, stop. */ if (len == 0) { break; } - /* Keep track of this line so that we can parse it on - * the next loop iteration. (In the folded case, last_field - * has been updated already.) + /* Keep track of this new header line so that we can extend it across + * any obs-fold or parse it on the next loop iteration. We referenced + * our previously allocated buffer in r->headers_in, + * so allocate a fresh buffer if required. 
*/ - if (!folded) { - last_field = field; - last_len = len; - } + alloc_len = 0; + last_field = field; + last_len = len; } /* Combine multiple message-header fields with the same @@ -899,7 +1197,7 @@ request_rec *ap_read_request(conn_rec *c request_rec *r; apr_pool_t *p; const char *expect; - int access_status = HTTP_OK; + int access_status; apr_bucket_brigade *tmp_bb; apr_socket_t *csd; apr_interval_time_t cur_timeout; @@ -958,35 +1256,36 @@ request_rec *ap_read_request(conn_rec *c /* Get the request... */ if (!read_request_line(r, tmp_bb)) { - if (r->status == HTTP_REQUEST_URI_TOO_LARGE - || r->status == HTTP_BAD_REQUEST) { + switch (r->status) { + case HTTP_REQUEST_URI_TOO_LARGE: + case HTTP_BAD_REQUEST: + case HTTP_VERSION_NOT_SUPPORTED: + case HTTP_NOT_IMPLEMENTED: if (r->status == HTTP_REQUEST_URI_TOO_LARGE) { ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00565) "request failed: client's request-line exceeds LimitRequestLine (longer than %d)", r->server->limit_req_line); } else if (r->method == NULL) { - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00566) - "request failed: invalid characters in URI"); + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00566) + "request failed: malformed request line"); } ap_send_error_response(r, 0); ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r); ap_run_log_transaction(r); apr_brigade_destroy(tmp_bb); goto traceout; - } - else if (r->status == HTTP_REQUEST_TIME_OUT) { - ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r); - if (!r->connection->keepalives) { + case HTTP_REQUEST_TIME_OUT: + ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, NULL); + if (!r->connection->keepalives) ap_run_log_transaction(r); - } apr_brigade_destroy(tmp_bb); goto traceout; + default: + apr_brigade_destroy(tmp_bb); + r = NULL; + goto traceout; } - - apr_brigade_destroy(tmp_bb); - r = NULL; - goto traceout; } /* We may have been in keep_alive_timeout mode, so toggle back 
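Review bot: In the non-strict ('Unsafe') branch a one-character header name is rejected as empty. For a line such as `X: y`, `value` is `last_field + 1`, so `tmp_field = value - 1` equals `last_field` and `if (tmp_field == last_field)` returns 400 with "Request header field name was empty". The test should look at the name itself once it has been NUL-terminated at the colon: `if (*last_field == '\0') {`. `tmp_field` then has no use left in this branch. ap_get_mime_headers_core starts before this hunk.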
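Review bot: The malformed-request-line message AH00566 drops from APLOG_INFO to APLOG_DEBUG here, and the -1003 and -1070 hunks do the same for AH00567 and AH00569, with no comment explaining why. The new request-line and header rejections are also logged at DEBUG, so at the usual log levels these 400 responses are recorded only through `ap_run_log_transaction(r)`. If that is intended (presumably to keep hostile traffic from flooding the error log), say so next to the switch: `/* Protocol violations are logged at DEBUG only; the 4xx entry written by ap_run_log_transaction() is the operational record */`. ap_read_request starts and ends outside this hunk.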
@@ -1003,7 +1302,7 @@ request_rec *ap_read_request(conn_rec *c if (!r->assbackwards) { ap_get_mime_headers_core(r, tmp_bb); if (r->status != HTTP_OK) { - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00567) + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00567) "request failed: error reading the headers"); ap_send_error_response(r, 0); ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r); @@ -1021,25 +1320,6 @@ request_rec *ap_read_request(conn_rec *c apr_table_unset(r->headers_in, "Content-Length"); } } - else { - if (r->header_only) { - /* - * Client asked for headers only with HTTP/0.9, which doesn't send - * headers! Have to dink things just to make sure the error message - * comes through... - */ - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00568) - "client sent invalid HTTP/0.9 request: HEAD %s", - r->uri); - r->header_only = 0; - r->status = HTTP_BAD_REQUEST; - ap_send_error_response(r, 0); - ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r); - ap_run_log_transaction(r); - apr_brigade_destroy(tmp_bb); - goto traceout; - } - } apr_brigade_destroy(tmp_bb); @@ -1047,6 +1327,7 @@ request_rec *ap_read_request(conn_rec *c * now read. may update status. */ ap_update_vhost_from_headers(r); + access_status = r->status; /* Toggle to the Host:-based vhost's timeout mode to fetch the * request body and send the response body, if needed. 
@@ -1070,7 +1351,7 @@ request_rec *ap_read_request(conn_rec *c * a Host: header, and the server MUST respond with 400 if it doesn't. */ access_status = HTTP_BAD_REQUEST; - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00569) + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00569) "client sent HTTP/1.1 request without hostname " "(see RFC2616 section 14.23): %s", r->uri); } Index: apache2-2.4.7/server/util.c =================================================================== --- apache2-2.4.7.orig/server/util.c 2017-05-05 13:47:47.276541299 -0400 +++ apache2-2.4.7/server/util.c 2017-05-05 13:47:47.260541140 -0400 @@ -79,7 +79,7 @@ * char in here and get it to work, because if char is signed then it * will first be sign extended. */ -#define TEST_CHAR(c, f) (test_char_table[(unsigned)(c)] & (f)) +#define TEST_CHAR(c, f) (test_char_table[(unsigned char)(c)] & (f)) /* Win32/NetWare/OS2 need to check for both forward and back slashes * in ap_getparents() and ap_escape_url. 
@@ -1449,6 +1449,37 @@ AP_DECLARE(int) ap_find_etag_weak(apr_po return find_list_item(p, line, tok, AP_ETAG_WEAK); } +/* Scan a string for HTTP VCHAR/obs-text characters including HT and SP + * (as used in header values, for example, in RFC 7230 section 3.2) + * returning the pointer to the first non-HT ASCII ctrl character. + */ +AP_DECLARE(const char *) ap_scan_http_field_content(const char *ptr) +{ + for ( ; !TEST_CHAR(*ptr, T_HTTP_CTRLS); ++ptr) ; + + return ptr; +} + +/* Scan a string for HTTP token characters, returning the pointer to + * the first non-token character. + */ +AP_DECLARE(const char *) ap_scan_http_token(const char *ptr) +{ + for ( ; !TEST_CHAR(*ptr, T_HTTP_TOKEN_STOP); ++ptr) ; + + return ptr; +} + +/* Scan a string for visible ASCII (0x21-0x7E) or obstext (0x80+) + * and return a pointer to the first ctrl/space character encountered. + */ +AP_DECLARE(const char *) ap_scan_vchar_obstext(const char *ptr) +{ + for ( ; TEST_CHAR(*ptr, T_VCHAR_OBSTEXT); ++ptr) ; + + return ptr; +} + /* Retrieve a token, spacing over it and returning a pointer to * the first non-white byte afterwards. Note that these tokens * are delimited by semis and commas; and can also be delimited Index: apache2-2.4.7/server/vhost.c =================================================================== --- apache2-2.4.7.orig/server/vhost.c 2017-05-05 13:47:47.276541299 -0400 +++ apache2-2.4.7/server/vhost.c 2017-05-05 13:47:47.264541179 -0400 
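Review bot: ap_scan_http_field_content and ap_scan_http_token stop only when a byte carries the T_HTTP_CTRLS or T_HTTP_TOKEN_STOP flag, so both loops depend on test_char_table flagging the NUL terminator, and nothing in the hunk states that. The table generator is not part of this hunk, so I would spell the contract out in the header comments, e.g. `* NUL must carry T_HTTP_CTRLS in test_char_table, otherwise the scan runs past the end of the string.` The comments could also say that ptr must be a non-NULL, NUL-terminated string, since none of the three functions checks it.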
@@ -685,6 +685,116 @@ static int vhost_check_config(apr_pool_t * run-time vhost matching functions */ +static apr_status_t fix_hostname_v6_literal(request_rec *r, char *host) +{ + char *dst; + int double_colon = 0; + + for (dst = host; *dst; dst++) { + if (apr_isxdigit(*dst)) { + if (apr_isupper(*dst)) { + *dst = apr_tolower(*dst); + } + } + else if (*dst == ':') { + if (*(dst + 1) == ':') { + if (double_colon) + return APR_EINVAL; + double_colon = 1; + } + else if (*(dst + 1) == '.') { + return APR_EINVAL; + } + } + else if (*dst == '.') { + /* For IPv4-mapped IPv6 addresses like ::FFFF:129.144.52.38 */ + if (*(dst + 1) == ':' || *(dst + 1) == '.') + return APR_EINVAL; + } + else { + return APR_EINVAL; + } + } + return APR_SUCCESS; +} + +static apr_status_t fix_hostname_non_v6(request_rec *r, char *host) +{ + char *dst; + + for (dst = host; *dst; dst++) { + if (apr_islower(*dst)) { + /* leave char unchanged */ + } + else if (*dst == '.') { + if (*(dst + 1) == '.') { + return APR_EINVAL; + } + } + else if (apr_isupper(*dst)) { + *dst = apr_tolower(*dst); + } + else if (*dst == '/' || *dst == '\\') { + return APR_EINVAL; + } + } + /* strip trailing gubbins */ + if (dst > host && dst[-1] == '.') { + dst[-1] = '\0'; + } + return APR_SUCCESS; +} + +/* + * If strict mode ever becomes the default, this should be folded into + * fix_hostname_non_v6() + */ +static apr_status_t strict_hostname_check(request_rec *r, char *host) +{ + char *ch; + int is_dotted_decimal = 1, leading_zeroes = 0, dots = 0; + + for (ch = host; *ch; ch++) { + if (!apr_isascii(*ch)) { + goto bad; + } + else if (apr_isalpha(*ch) || *ch == '-') { + is_dotted_decimal = 0; + } + else if (ch[0] == '.') { + dots++; + if (ch[1] == '0' && apr_isdigit(ch[2])) + leading_zeroes = 1; + } + else if (!apr_isdigit(*ch)) { + /* also takes care of multiple Host headers by denying commas */ + goto bad; + } + } + if (is_dotted_decimal) { + if (host[0] == '.' 
|| (host[0] == '0' && apr_isdigit(host[1]))) + leading_zeroes = 1; + if (leading_zeroes || dots != 3) { + /* RFC 3986 7.4 */ + goto bad; + } + } + else { + /* The top-level domain must start with a letter (RFC 1123 2.1) */ + while (ch > host && *ch != '.') + ch--; + if (ch[0] == '.' && ch[1] != '\0' && !apr_isalpha(ch[1])) + goto bad; + } + return APR_SUCCESS; + +bad: + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02415) + "[strict] Invalid host name '%s'%s%.6s", + host, *ch ? ", problem near: " : "", ch); + return APR_EINVAL; +} + /* Lowercase and remove any trailing dot and/or :port from the hostname, * and check that it is sane. * 
@@ -698,79 +808,90 @@ static int vhost_check_config(apr_pool_t * Instead we just check for filesystem metacharacters: directory * separators / and \ and sequences of more than one dot. */ -static void fix_hostname(request_rec *r) +static int fix_hostname(request_rec *r, const char *host_header, + unsigned http_conformance) { + const char *src; char *host, *scope_id; - char *dst; apr_port_t port; apr_status_t rv; const char *c; + int is_v6literal = 0; + int strict = (http_conformance != AP_HTTP_CONFORMANCE_UNSAFE); - /* According to RFC 2616, Host header field CAN be blank. */ - if (!*r->hostname) { - return; + src = host_header ? host_header : r->hostname; + + /* According to RFC 2616, Host header field CAN be blank */ + if (!*src) { + return is_v6literal; } /* apr_parse_addr_port will interpret a bare integer as a port * which is incorrect in this context. So treat it separately. */ - for (c = r->hostname; apr_isdigit(*c); ++c); - if (!*c) { /* pure integer */ - return; + for (c = src; apr_isdigit(*c); ++c); + if (!*c) { + /* pure integer */ + if (strict) { + /* RFC 3986 7.4 */ + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02416) + "[strict] purely numeric host names not allowed: %s", + src); + goto bad_nolog; + } + r->hostname = src; + return is_v6literal; + } + + if (host_header) { + rv = apr_parse_addr_port(&host, &scope_id, &port, src, r->pool); + if (rv != APR_SUCCESS || scope_id) + goto bad; + if (port) { + /* Don't throw the Host: header's port number away: + save it in parsed_uri -- ap_get_server_port() needs it! */ + /* @@@ XXX there should be a better way to pass the port. + * Like r->hostname, there should be a r->portno + */ + r->parsed_uri.port = port; + r->parsed_uri.port_str = apr_itoa(r->pool, (int)port); + } + if (host_header[0] == '[') + is_v6literal = 1; + } + else { + /* + * Already parsed, surrounding [ ] (if IPv6 literal) and :port have + * already been removed. 
+ */ + host = apr_pstrdup(r->pool, r->hostname); + if (ap_strchr(host, ':') != NULL) + is_v6literal = 1; } - rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool); - if (rv != APR_SUCCESS || scope_id) { - goto bad; + if (is_v6literal) { + rv = fix_hostname_v6_literal(r, host); } - - if (port) { - /* Don't throw the Host: header's port number away: - save it in parsed_uri -- ap_get_server_port() needs it! */ - /* @@@ XXX there should be a better way to pass the port. - * Like r->hostname, there should be a r->portno - */ - r->parsed_uri.port = port; - r->parsed_uri.port_str = apr_itoa(r->pool, (int)port); + else { + rv = fix_hostname_non_v6(r, host); + if (strict && rv == APR_SUCCESS) + rv = strict_hostname_check(r, host); } + if (rv != APR_SUCCESS) + goto bad; - /* if the hostname is an IPv6 numeric address string, it was validated - * already; otherwise, further validation is needed - */ - if (r->hostname[0] != '[') { - for (dst = host; *dst; dst++) { - if (apr_islower(*dst)) { - /* leave char unchanged */ - } - else if (*dst == '.') { - if (*(dst + 1) == '.') { - goto bad; - } - } - else if (apr_isupper(*dst)) { - *dst = apr_tolower(*dst); - } - else if (*dst == '/' || *dst == '\\') { - goto bad; - } - } - /* strip trailing gubbins */ - if (dst > host && dst[-1] == '.') { - dst[-1] = '\0'; - } - } r->hostname = host; - return; + return is_v6literal; bad: - r->status = HTTP_BAD_REQUEST; ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00550) "Client sent malformed Host header: %s", - r->hostname); - return; + src); +bad_nolog: + r->status = HTTP_BAD_REQUEST; + return is_v6literal; } - /* return 1 if host matches ServerName or ServerAliases */ static int matches_aliases(server_rec *s, const char *host) { 
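Review bot: fix_hostname now returns is_v6literal on every path, including `bad` and `bad_nolog`, so the return value never signals failure and callers have to test r->status. The header comment above the function mentions neither fact. I would add `* Returns 1 if the host is an IPv6 literal, 0 otherwise; on a malformed host r->status is set to HTTP_BAD_REQUEST.` to that comment. It is also worth stating there that host_header == NULL means r->hostname came from the request URI and has already had its brackets and port removed, which is currently explained only inside the else branch.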
@@ -980,15 +1101,76 @@ static void check_serverpath(request_rec } } +static APR_INLINE const char *construct_host_header(request_rec *r, + int is_v6literal) +{ + struct iovec iov[5]; + apr_size_t nvec = 0; + /* + * We cannot use ap_get_server_name/port here, because we must + * ignore UseCanonicalName/Port. + */ + if (is_v6literal) { + iov[nvec].iov_base = "["; + iov[nvec].iov_len = 1; + nvec++; + } + iov[nvec].iov_base = (void *)r->hostname; + iov[nvec].iov_len = strlen(r->hostname); + nvec++; + if (is_v6literal) { + iov[nvec].iov_base = "]"; + iov[nvec].iov_len = 1; + nvec++; + } + if (r->parsed_uri.port_str) { + iov[nvec].iov_base = ":"; + iov[nvec].iov_len = 1; + nvec++; + iov[nvec].iov_base = r->parsed_uri.port_str; + iov[nvec].iov_len = strlen(r->parsed_uri.port_str); + nvec++; + } + return apr_pstrcatv(r->pool, iov, nvec, NULL); +} AP_DECLARE(void) ap_update_vhost_from_headers(request_rec *r) { - /* must set this for HTTP/1.1 support */ - if (r->hostname || (r->hostname = apr_table_get(r->headers_in, "Host"))) { - fix_hostname(r); - if (r->status != HTTP_OK) - return; + core_server_config *conf = ap_get_core_module_config(r->server->module_config); + const char *host_header = apr_table_get(r->headers_in, "Host"); + int is_v6literal = 0; + int have_hostname_from_url = 0; + + if (r->hostname) { + /* + * If there was a host part in the Request-URI, ignore the 'Host' + * header. + */ + have_hostname_from_url = 1; + is_v6literal = fix_hostname(r, NULL, conf->http_conformance); + } + else if (host_header != NULL) { + is_v6literal = fix_hostname(r, host_header, conf->http_conformance); + } + if (r->status != HTTP_OK) + return; + + if (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE) { + /* + * If we have both hostname from an absoluteURI and a Host header, + * we must ignore the Host header (RFC 2616 5.2). + * To enforce this, we reset the Host header to the value from the + * request line. 
+ */ + if (have_hostname_from_url && host_header != NULL) { + const char *repl = construct_host_header(r, is_v6literal); + apr_table_set(r->headers_in, "Host", repl); + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02417) + "Replacing host header '%s' with host '%s' given " + "in the request uri", host_header, repl); + } } + /* check if we tucked away a name_chain */ if (r->connection->vhost_lookup_data) { if (r->hostname) debian/patches/fix_rewrite_rule.patch0000644000000000000000000000633713376761111015233 0ustar Description: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping execution when handler is already set. Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=53929#c10 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1394403 Origin: upstream, https://github.com/apache/httpd/commit/f0529e54b8d889322b5113eb623e263556bfa28e Last-Update: 2015-08-18 Index: apache2-2.4.7/modules/mappers/mod_dir.c =================================================================== --- apache2-2.4.7.orig/modules/mappers/mod_dir.c +++ apache2-2.4.7/modules/mappers/mod_dir.c @@ -33,17 +33,18 @@ module AP_MODULE_DECLARE_DATA dir_module; typedef enum { - SLASH_OFF = 0, - SLASH_ON, - SLASH_UNSET -} slash_cfg; + MODDIR_OFF = 0, + MODDIR_ON, + MODDIR_UNSET +} moddir_cfg; #define REDIRECT_OFF 0 #define REDIRECT_UNSET 1 typedef struct dir_config_struct { apr_array_header_t *index_names; - slash_cfg do_slash; + moddir_cfg do_slash; + moddir_cfg checkhandler; int redirect_index; const char *dflt; } dir_config_rec; @@ -83,7 +84,14 @@ static const char *configure_slash(cmd_p { dir_config_rec *d = d_; - d->do_slash = arg ? SLASH_ON : SLASH_OFF; + d->do_slash = arg ? MODDIR_ON : MODDIR_OFF; + return NULL; +} +static const char *configure_checkhandler(cmd_parms *cmd, void *d_, int arg) +{ + dir_config_rec *d = d_; + + d->checkhandler = arg ? MODDIR_ON : MODDIR_OFF; return NULL; } static const char *configure_redirect(cmd_parms *cmd, void *d_, const char *arg1) 
@@ -123,6 +131,8 @@ static const command_rec dir_cmds[] = "a list of file names"), AP_INIT_FLAG("DirectorySlash", configure_slash, NULL, DIR_CMD_PERMS, "On or Off"), + AP_INIT_FLAG("DirectoryCheckHandler", configure_checkhandler, NULL, DIR_CMD_PERMS, + "On or Off"), AP_INIT_TAKE1("DirectoryIndexRedirect", configure_redirect, NULL, DIR_CMD_PERMS, "On, Off, or a 3xx status code."), @@ -134,7 +144,8 @@ static void *create_dir_config(apr_pool_ dir_config_rec *new = apr_pcalloc(p, sizeof(dir_config_rec)); new->index_names = NULL; - new->do_slash = SLASH_UNSET; + new->do_slash = MODDIR_UNSET; + new->checkhandler = MODDIR_UNSET; new->redirect_index = REDIRECT_UNSET; return (void *) new; } @@ -147,7 +158,9 @@ static void *merge_dir_configs(apr_pool_ new->index_names = add->index_names ? add->index_names : base->index_names; new->do_slash = - (add->do_slash == SLASH_UNSET) ? base->do_slash : add->do_slash; + (add->do_slash == MODDIR_UNSET) ? base->do_slash : add->do_slash; + new->checkhandler = + (add->checkhandler == MODDIR_UNSET) ? base->checkhandler : add->checkhandler; new->redirect_index= (add->redirect_index == REDIRECT_UNSET) ? base->redirect_index : add->redirect_index; new->dflt = add->dflt ? add->dflt : base->dflt; 
@@ -260,6 +273,10 @@ static int fixup_dir(request_rec *r) return HTTP_MOVED_PERMANENTLY; } + if (d->checkhandler == MODDIR_ON && strcmp(r->handler, DIR_MAGIC_TYPE)) { + return DECLINED; + } + if (d->index_names) { names_ptr = (char **)d->index_names->elts; num_names = d->index_names->nelts; debian/patches/ignore-quilt-dir0000644000000000000000000000202713376761111013742 0ustar commit 60f2545f1858415d31dcf0bb625262216c7821cd Author: Stefan Fritsch Date: Sat Nov 16 23:49:04 2013 +0000 Explicitly list in which directories to look for config*.m4 files. If some distributor patches a config*.m4 file with quilt, that will place a copy of the original file in .pc/ . Doing a naive "find ." will then cause both the original and the patched m4 file to be included, causing havoc later on. PR: 55787 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1542615 13f79535-47bb-0310-9956-ffa450edef68 Index: apache2/build/config-stubs =================================================================== --- apache2.orig/build/config-stubs +++ apache2/build/config-stubs 
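Review bot: The added test uses `strcmp(r->handler, DIR_MAGIC_TYPE)` as a boolean and has no comment, so it is not obvious that DECLINED is returned when some other handler is already set. I would write it as `strcmp(r->handler, DIR_MAGIC_TYPE) != 0` with `/* DirectoryCheckHandler On: leave requests that already have another handler alone */` above it. strcmp also needs r->handler to be non-NULL at this point. fixup_dir starts outside the hunk, so that guarantee has to come from earlier in the function and should be confirmed.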
@@ -15,7 +15,7 @@ # config files without a number are sorted before those with a number. # -configfiles=`find . -name "config*.m4" | \ +configfiles=`find os server modules support -name "config*.m4" | \ sed 's#\(.*/config\)\(.*\).m4#\20 \1\2.m4#' | \ sort | \ sed 's#.* ##'` debian/patches/series0000644000000000000000000000230013451142473012031 0ustar fhs_compliance.patch no_LD_LIBRARY_PATH.patch suexec-CVE-2007-1742.patch customize_apxs.patch build_suexec-custom.patch # This patch is applied manually #suexec-custom.patch # Patches added by Ubuntu 086_svn_cross_compiles ignore-quilt-dir CVE-2013-6438.patch CVE-2014-0098.patch split-logfile.patch CVE-2014-0117.patch CVE-2014-0118.patch CVE-2014-0226.patch CVE-2014-0231.patch ocsp-stapling-memory-corruption.patch CVE-2013-5704.patch CVE-2014-3581.patch CVE-2015-3183.patch CVE-2015-3185.patch fix_rewrite_rule.patch wstunnel-ssl.patch server_config_defines.patch fix_mod_proxy_wstunnel.patch fix-proxy-error-overwrite-timeout.patch CVE-2016-5387.patch CVE-2016-0736.patch CVE-2016-2161.patch CVE-2016-8743.patch hostnames_with_underscores.diff CVE-2017-3167.patch CVE-2017-3169.patch CVE-2017-7668.patch CVE-2017-7679.patch CVE-2017-9788.patch CVE-2017-9798.patch util_ldap_cache_lock_fix.patch CVE-2017-15710.patch CVE-2017-15715-pre.patch CVE-2017-15715.patch CVE-2018-1283.patch CVE-2018-1301.patch CVE-2018-1303.patch CVE-2018-1312.patch AuthzProviderAlias-visibility.patch CVE-2018-17199-pre1.patch CVE-2018-17199.patch CVE-2019-0217.patch CVE-2019-0220-1.patch CVE-2019-0220-2.patch CVE-2019-0220-3.patch debian/patches/fhs_compliance.patch0000644000000000000000000000374013376761111014622 0ustar Description: Fix up FHS file locations for apache2 droppings. Forwarded: not-needed Author: Adam Conrad Last-Update: 2012-02-25 --- a/configure +++ b/configure 
@@ -32725,17 +32725,17 @@ cat >>confdefs.h <<_ACEOF -#define HTTPD_ROOT "${ap_prefix}" +#define HTTPD_ROOT "/etc/apache2" _ACEOF cat >>confdefs.h <<_ACEOF -#define SERVER_CONFIG_FILE "${rel_sysconfdir}/${progname}.conf" +#define SERVER_CONFIG_FILE "${progname}.conf" _ACEOF cat >>confdefs.h <<_ACEOF -#define AP_TYPES_CONFIG_FILE "${rel_sysconfdir}/mime.types" +#define AP_TYPES_CONFIG_FILE "mime.types" _ACEOF --- a/configure.in +++ b/configure.in @@ -823,11 +823,11 @@ echo $MODLIST | $AWK -f $srcdir/build/build-modules-c.awk > modules.c APR_EXPAND_VAR(ap_prefix, $prefix) -AC_DEFINE_UNQUOTED(HTTPD_ROOT, "${ap_prefix}", +AC_DEFINE_UNQUOTED(HTTPD_ROOT, "/etc/apache2", [Root directory of the Apache install area]) -AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf", +AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${progname}.conf", [Location of the config file, relative to the Apache root directory]) -AC_DEFINE_UNQUOTED(AP_TYPES_CONFIG_FILE, "${rel_sysconfdir}/mime.types", +AC_DEFINE_UNQUOTED(AP_TYPES_CONFIG_FILE, "mime.types", [Location of the MIME types config file, relative to the Apache root directory]) perlbin=`$ac_aux_dir/PrintPath perl` --- a/include/ap_config_layout.h.in +++ b/include/ap_config_layout.h.in @@ -60,5 +60,6 @@ #define DEFAULT_REL_LOGFILEDIR "@rel_logfiledir@" #define DEFAULT_EXP_PROXYCACHEDIR "@exp_proxycachedir@" #define DEFAULT_REL_PROXYCACHEDIR "@rel_proxycachedir@" +#define DEFAULT_PIDLOG "/var/run/apache2.pid" #endif /* AP_CONFIG_LAYOUT_H */ --- a/include/httpd.h +++ b/include/httpd.h 
@@ -109,7 +109,7 @@ #define DOCUMENT_LOCATION HTTPD_ROOT "/docs" #else /* Set default for non OS/2 file system */ -#define DOCUMENT_LOCATION HTTPD_ROOT "/htdocs" +#define DOCUMENT_LOCATION "/var/www" #endif #endif /* DOCUMENT_LOCATION */ debian/patches/suexec-CVE-2007-1742.patch0000644000000000000000000000360513376761111014540 0ustar Description: Fix race condition with chdir Fix /var/www* being accepted as docroot instead of /var/www/* (the same for public_html* instead of public_html/* ) Author: Stefan Fritsch Last-Update: 2012-02-25 Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752 --- a/support/suexec.c +++ b/support/suexec.c @@ -42,6 +42,7 @@ #if APR_HAVE_UNISTD_H #include #endif +#include #include #include @@ -261,6 +262,7 @@ struct group *gr; /* group entry holder */ struct stat dir_info; /* directory info holder */ struct stat prg_info; /* program info holder */ + int cwdh; /* handle to cwd */ /* * Start with a "clean" environment @@ -502,11 +504,16 @@ exit(111); } + if ( (cwdh = open(".", O_RDONLY)) == -1 ) { + log_err("cannot open current working directory\n"); + exit(111); + } + if (userdir) { if (((chdir(target_homedir)) != 0) || ((chdir(AP_USERDIR_SUFFIX)) != 0) || ((getcwd(dwd, AP_MAXPATH)) == NULL) || - ((chdir(cwd)) != 0)) { + ((fchdir(cwdh)) != 0)) { log_err("cannot get docroot information (%s)\n", target_homedir); exit(112); } 
@@ -514,12 +521,18 @@ else { if (((chdir(AP_DOC_ROOT)) != 0) || ((getcwd(dwd, AP_MAXPATH)) == NULL) || - ((chdir(cwd)) != 0)) { + ((fchdir(cwdh)) != 0)) { log_err("cannot get docroot information (%s)\n", AP_DOC_ROOT); exit(113); } } + close(cwdh); + + if (strlen(cwd) > strlen(dwd)) { + strncat(dwd, "/", AP_MAXPATH); + dwd[AP_MAXPATH-1] = '\0'; + } if ((strncmp(cwd, dwd, strlen(dwd))) != 0) { log_err("command not in docroot (%s/%s)\n", cwd, cmd); exit(114); debian/patches/CVE-2014-0117.patch0000644000000000000000000000115713376761111013237 0ustar Description: fix denial of service in mod_proxy Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1610737 Index: apache2-2.4.7/modules/proxy/proxy_util.c =================================================================== --- apache2-2.4.7.orig/modules/proxy/proxy_util.c 2013-09-14 10:12:54.000000000 -0400 +++ apache2-2.4.7/modules/proxy/proxy_util.c 2014-07-21 15:34:22.764089817 -0400 @@ -2869,7 +2869,7 @@ const char *name; do { - while (*val == ',') { + while (*val == ',' || *val == ';') { val++; } name = ap_get_token(x->pool, &val, 0); debian/patches/CVE-2016-2161.patch0000644000000000000000000001126313376761111013241 0ustar Description: fix denial of service via malicious mod_auth_digest input Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1773069 Index: apache2-2.4.18/modules/aaa/mod_auth_digest.c =================================================================== --- apache2-2.4.18.orig/modules/aaa/mod_auth_digest.c 2013-09-17 14:47:19.000000000 -0400 +++ apache2-2.4.18/modules/aaa/mod_auth_digest.c 2017-05-05 11:26:33.462970468 -0400 
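Review bot: `strncat(dwd, "/", AP_MAXPATH)` passes the buffer size as the third argument, but strncat takes the maximum number of bytes to append, so this call does not bound the write into dwd. The `dwd[AP_MAXPATH-1] = '\0'` after it cannot undo a terminator written past the end. It looks safe only because of the `strlen(cwd) > strlen(dwd)` test, assuming cwd and dwd are both AP_MAXPATH bytes; their declarations are outside the hunk. In a setuid helper I would make the bound explicit: `strncat(dwd, "/", AP_MAXPATH - strlen(dwd) - 1);`.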
@@ -261,6 +261,26 @@ static void log_error_and_cleanup(char * cleanup_tables(NULL); } +/* RMM helper functions that behave like single-step malloc/free. */ + +static void *rmm_malloc(apr_rmm_t *rmm, apr_size_t size) +{ + apr_rmm_off_t offset = apr_rmm_malloc(rmm, size); + + if (!offset) { + return NULL; + } + + return apr_rmm_addr_get(rmm, offset); +} + +static apr_status_t rmm_free(apr_rmm_t *rmm, void *alloc) +{ + apr_rmm_off_t offset = apr_rmm_offset_get(rmm, alloc); + + return apr_rmm_free(rmm, offset); +} + #if APR_HAS_SHARED_MEMORY static int initialize_tables(server_rec *s, apr_pool_t *ctx) @@ -299,8 +319,8 @@ static int initialize_tables(server_rec return !OK; } - client_list = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(*client_list) + - sizeof(client_entry*)*num_buckets)); + client_list = rmm_malloc(client_rmm, sizeof(*client_list) + + sizeof(client_entry *) * num_buckets); if (!client_list) { log_error_and_cleanup("failed to allocate shared memory", -1, s); return !OK; @@ -322,7 +342,7 @@ static int initialize_tables(server_rec /* setup opaque */ - opaque_cntr = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(*opaque_cntr))); + opaque_cntr = rmm_malloc(client_rmm, sizeof(*opaque_cntr)); if (opaque_cntr == NULL) { log_error_and_cleanup("failed to allocate shared memory", -1, s); return !OK; @@ -339,7 +359,7 @@ static int initialize_tables(server_rec /* setup one-time-nonce counter */ - otn_counter = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(*otn_counter))); + otn_counter = rmm_malloc(client_rmm, sizeof(*otn_counter)); if (otn_counter == NULL) { log_error_and_cleanup("failed to allocate shared memory", -1, s); return !OK; @@ -779,7 +799,7 @@ static client_entry *get_client(unsigned * last entry in each bucket and updates the counters. Returns the * number of removed entries. */ -static long gc(void) +static long gc(server_rec *s) { client_entry *entry, *prev; unsigned long num_removed = 0, idx; 
@@ -789,6 +809,12 @@ static long gc(void) for (idx = 0; idx < client_list->tbl_len; idx++) { entry = client_list->table[idx]; prev = NULL; + + if (!entry) { + /* This bucket is empty. */ + continue; + } + while (entry->next) { /* find last entry */ prev = entry; entry = entry->next; @@ -800,8 +826,16 @@ static long gc(void) client_list->table[idx] = NULL; } if (entry) { /* remove entry */ - apr_rmm_free(client_rmm, apr_rmm_offset_get(client_rmm, entry)); + apr_status_t err; + + err = rmm_free(client_rmm, entry); num_removed++; + + if (err) { + /* Nothing we can really do but log... */ + ap_log_error(APLOG_MARK, APLOG_ERR, err, s, APLOGNO() + "Failed to free auth_digest client allocation"); + } } } 
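Review bot: The new ap_log_error call in gc() uses `APLOGNO()` with no number, so the message goes out without a usable AH identifier (the macro presumably expands to a bare "AH: " prefix). The other log calls visible in this patch carry one, e.g. APLOGNO(01766) and APLOGNO(01767) in add_client. This one should get an allocated number too: `APLOGNO(<assigned number>)`. Separately, after the added `if (!entry) continue;` the later `if (entry)` test is always true and could be dropped. gc() starts outside the hunk.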
@@ -835,16 +869,16 @@ static client_entry *add_client(unsigned /* try to allocate a new entry */ - entry = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(client_entry))); + entry = rmm_malloc(client_rmm, sizeof(client_entry)); if (!entry) { - long num_removed = gc(); + long num_removed = gc(s); ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01766) "gc'd %ld client entries. Total new clients: " "%ld; Total removed clients: %ld; Total renewed clients: " "%ld", num_removed, client_list->num_created - client_list->num_renewed, client_list->num_removed, client_list->num_renewed); - entry = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(client_entry))); + entry = rmm_malloc(client_rmm, sizeof(client_entry)); if (!entry) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01767) "unable to allocate new auth_digest client"); debian/patches/CVE-2014-0226.patch0000644000000000000000000001145713376761111013244 0ustar Description: fix denial of service via race in mod_status Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1610499 Index: apache2-2.4.7/include/scoreboard.h =================================================================== --- apache2-2.4.7.orig/include/scoreboard.h 2012-08-14 19:59:24.000000000 -0400 +++ apache2-2.4.7/include/scoreboard.h 2014-07-21 15:44:55.752113457 -0400 
@@ -183,8 +183,25 @@ AP_DECLARE(void) ap_time_process_request(ap_sb_handle_t *sbh, int status); AP_DECLARE(worker_score *) ap_get_scoreboard_worker(ap_sb_handle_t *sbh); + +/** Return a pointer to the worker_score for a given child, thread pair. + * @param child_num The child number. + * @param thread_num The thread number. + * @return A pointer to the worker_score structure. + * @deprecated This function is deprecated, use ap_copy_scoreboard_worker instead. */ AP_DECLARE(worker_score *) ap_get_scoreboard_worker_from_indexes(int child_num, int thread_num); + +/** Copy the contents of a worker scoreboard entry. The contents of + * the worker_score structure are copied verbatim into the dest + * structure. + * @param dest Output parameter. + * @param child_num The child number. + * @param thread_num The thread number. + */ +AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest, + int child_num, int thread_num); + AP_DECLARE(process_score *) ap_get_scoreboard_process(int x); AP_DECLARE(global_score *) ap_get_scoreboard_global(void); Index: apache2-2.4.7/modules/generators/mod_status.c =================================================================== --- apache2-2.4.7.orig/modules/generators/mod_status.c 2013-03-11 12:38:39.000000000 -0400 +++ apache2-2.4.7/modules/generators/mod_status.c 2014-07-21 15:44:58.896113574 -0400 @@ -194,7 +194,7 @@ long req_time; int short_report; int no_table_report; - worker_score *ws_record; + worker_score *ws_record = apr_palloc(r->pool, sizeof *ws_record); process_score *ps_record; char *stat_buffer; pid_t *pid_buffer, worker_pid; @@ -306,7 +306,7 @@ for (j = 0; j < thread_limit; ++j) { int indx = (i * thread_limit) + j; - ws_record = ap_get_scoreboard_worker_from_indexes(i, j); + ap_copy_scoreboard_worker(ws_record, i, j); res = ws_record->status; if ((i >= max_servers || j >= threads_per_child) 
@@ -637,7 +637,7 @@ for (i = 0; i < server_limit; ++i) { for (j = 0; j < thread_limit; ++j) { - ws_record = ap_get_scoreboard_worker_from_indexes(i, j); + ap_copy_scoreboard_worker(ws_record, i, j); if (ws_record->access_count == 0 && (ws_record->status == SERVER_READY || Index: apache2-2.4.7/modules/lua/lua_request.c =================================================================== --- apache2-2.4.7.orig/modules/lua/lua_request.c 2013-09-18 04:08:58.000000000 -0400 +++ apache2-2.4.7/modules/lua/lua_request.c 2014-07-21 15:45:01.804113683 -0400 @@ -1145,16 +1145,22 @@ */ static int lua_ap_scoreboard_worker(lua_State *L) { - int i, - j; - worker_score *ws_record; + int i, j; + worker_score *ws_record = NULL; + request_rec *r = NULL; luaL_checktype(L, 1, LUA_TUSERDATA); luaL_checktype(L, 2, LUA_TNUMBER); luaL_checktype(L, 3, LUA_TNUMBER); + + r = ap_lua_check_request_rec(L, 1); + if (!r) return 0; + i = lua_tointeger(L, 2); j = lua_tointeger(L, 3); - ws_record = ap_get_scoreboard_worker_from_indexes(i, j); + ws_record = apr_palloc(r->pool, sizeof *ws_record); + + ap_copy_scoreboard_worker(ws_record, i, j); if (ws_record) { lua_newtable(L); Index: apache2-2.4.7/server/scoreboard.c =================================================================== --- apache2-2.4.7.orig/server/scoreboard.c 2013-08-07 07:44:33.000000000 -0400 +++ apache2-2.4.7/server/scoreboard.c 2014-07-21 15:45:05.100113806 -0400 
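Review bot: In lua_ap_scoreboard_worker the `if (ws_record)` test now checks the buffer returned by apr_palloc rather than the result of the lookup, so it can no longer catch an out-of-range child or thread index taken from the Lua arguments. ap_copy_scoreboard_worker in the server/scoreboard.c hunk passes the result of ap_get_scoreboard_worker_from_indexes straight to memcpy. If that function returns NULL for bad indexes, this dereferences NULL; its body is not shown, but the neighbouring ap_get_scoreboard_process has such a range check. I would guard the copy with `if (!ws) { memset(dest, 0, sizeof *dest); return; }` or have the Lua binding validate i and j before the call. The mod_status callers iterate within server_limit and thread_limit and are not affected.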
@@ -579,6 +579,21 @@ sbh->thread_num); } +AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest, + int child_num, + int thread_num) +{ + worker_score *ws = ap_get_scoreboard_worker_from_indexes(child_num, thread_num); + + memcpy(dest, ws, sizeof *ws); + + /* For extra safety, NUL-terminate the strings returned, though it + * should be true those last bytes are always zero anyway. */ + dest->client[sizeof(dest->client) - 1] = '\0'; + dest->request[sizeof(dest->request) - 1] = '\0'; + dest->vhost[sizeof(dest->vhost) - 1] = '\0'; +} + AP_DECLARE(process_score *) ap_get_scoreboard_process(int x) { if ((x < 0) || (x >= server_limit)) { debian/patches/CVE-2019-0220-2.patch0000644000000000000000000000332513451146021013364 0ustar Backport of: From c4ef468b25718a26f2b92cbea3ca093729b79331 Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Mon, 18 Mar 2019 12:10:15 +0000 Subject: [PATCH] merge 1855743,1855744 ^/httpd/httpd/trunk . r->parsed_uri.path safety in recent backport *) core: fix SEGFAULT in CONNECT with recent change 2.4.x: svn merge -c 1855743,1855744 ^/httpd/httpd/trunk . +1: rpluem, icing, covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855751 13f79535-47bb-0310-9956-ffa450edef68 --- server/request.c | 4 +++- server/util.c | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) Index: apache2-2.4.7/server/request.c =================================================================== --- apache2-2.4.7.orig/server/request.c 2019-04-03 11:06:40.260185865 -0400 +++ apache2-2.4.7/server/request.c 2019-04-03 11:06:40.256186182 -0400 
@@ -195,7 +195,9 @@ AP_DECLARE(int) ap_process_request_inter ap_getparents(r->uri); /* OK --- shrinking transformations... */ if (sconf->merge_slashes != 0) { ap_no2slash(r->uri); - ap_no2slash(r->parsed_uri.path); + if (r->parsed_uri.path) { + ap_no2slash(r->parsed_uri.path); + } } /* All file subrequests are a huge pain... they cannot bubble through the Index: apache2-2.4.7/server/util.c =================================================================== --- apache2-2.4.7.orig/server/util.c 2019-04-03 11:06:40.260185865 -0400 +++ apache2-2.4.7/server/util.c 2019-04-03 11:06:40.256186182 -0400 @@ -566,6 +566,10 @@ AP_DECLARE(void) ap_no2slash_ex(char *na char *d, *s; + if (!name || !*name) { + return; + } + s = d = name; #ifdef HAVE_UNC_PATHS debian/patches/CVE-2013-5704.patch0000644000000000000000000003627113376761111013252 0ustar From 6688f9d102ad29d6bb4167d690ee495d709e47b6 Mon Sep 17 00:00:00 2001 
From: "William A. Rowe Jr" Date: Fri, 22 Aug 2014 18:18:08 +0000 Subject: [PATCH] SECURITY: CVE-2013-5704 (cve.mitre.org) core: HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. Adds "MergeTrailers" directive to restore legacy behavior. Submitted by: Edward Lu, Yann Ylavic, Joe Orton, Eric Covener Backports: r1610814 Reviewed by: covener, wrowe, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1619884 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 8 ++++- docs/manual/mod/core.xml | 19 +++++++++++ docs/manual/mod/mod_log_config.xml | 8 +++++ include/ap_mmn.h | 3 +- include/http_core.h | 4 +++ include/httpd.h | 5 +++ modules/http/http_filters.c | 65 ++++++++++++++++++++++++++++++-------- modules/http/http_request.c | 4 +++ modules/loggers/mod_log_config.c | 29 +++++++++++++++-- modules/proxy/mod_proxy_http.c | 18 +++++++++++ server/core.c | 17 +++++++++- server/protocol.c | 6 ++++ 12 files changed, 166 insertions(+), 20 deletions(-) Index: apache2-2.4.7/include/http_core.h =================================================================== --- apache2-2.4.7.orig/include/http_core.h 2015-03-05 12:29:19.561674411 -0500 +++ apache2-2.4.7/include/http_core.h 2015-03-05 12:29:19.557674382 -0500 @@ -663,6 +663,10 @@ #define AP_TRACE_ENABLE 1 #define AP_TRACE_EXTENDED 2 int trace_enable; +#define AP_MERGE_TRAILERS_UNSET 0 +#define AP_MERGE_TRAILERS_ENABLE 1 +#define AP_MERGE_TRAILERS_DISABLE 2 + int merge_trailers; } core_server_config; Index: apache2-2.4.7/include/httpd.h =================================================================== --- apache2-2.4.7.orig/include/httpd.h 2015-03-05 12:29:19.561674411 -0500 +++ apache2-2.4.7/include/httpd.h 2015-03-05 12:29:19.557674382 -0500 
@@ -1032,6 +1032,11 @@ */ apr_sockaddr_t *useragent_addr; char *useragent_ip; + + /** MIME trailer environment from the request */ + apr_table_t *trailers_in; + /** MIME trailer environment from the response */ + apr_table_t *trailers_out; }; /** Index: apache2-2.4.7/modules/http/http_filters.c =================================================================== --- apache2-2.4.7.orig/modules/http/http_filters.c 2015-03-05 12:29:19.561674411 -0500 +++ apache2-2.4.7/modules/http/http_filters.c 2015-03-05 12:29:19.557674382 -0500 @@ -214,6 +214,49 @@ } +static apr_status_t read_chunked_trailers(http_ctx_t *ctx, ap_filter_t *f, + apr_bucket_brigade *b, int merge) +{ + int rv; + apr_bucket *e; + request_rec *r = f->r; + apr_table_t *saved_headers_in = r->headers_in; + int saved_status = r->status; + + r->status = HTTP_OK; + r->headers_in = r->trailers_in; + apr_table_clear(r->headers_in); + ctx->state = BODY_NONE; + ap_get_mime_headers(r); + + if(r->status == HTTP_OK) { + r->status = saved_status; + e = apr_bucket_eos_create(f->c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(b, e); + ctx->eos_sent = 1; + rv = APR_SUCCESS; + } + else { + const char *error_notes = apr_table_get(r->notes, + "error-notes"); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, + "Error while reading HTTP trailer: %i%s%s", + r->status, error_notes ? ": " : "", + error_notes ? error_notes : ""); + rv = APR_EINVAL; + } + + if(!merge) { + r->headers_in = saved_headers_in; + } + else { + r->headers_in = apr_table_overlay(r->pool, saved_headers_in, + r->trailers_in); + } + + return rv; +} + /* This is the HTTP_INPUT filter for HTTP requests and responses from * proxied servers (mod_proxy). It handles chunked and content-length * bodies. This can only be inserted/used after the headers @@ -223,6 +266,7 @@ ap_input_mode_t mode, apr_read_type_e block, apr_off_t readbytes) { + core_server_config *conf; apr_bucket *e; http_ctx_t *ctx = f->ctx; apr_status_t rv; 
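Review bot: In read_chunked_trailers() the `else` branch that overlays r->trailers_in onto the saved headers also runs when ap_get_mime_headers() failed and rv is APR_EINVAL, so with MergeTrailers on, a partially parsed trailer block still ends up in r->headers_in. Restoring the saved table on any failure looks safer: `if (!merge || rv != APR_SUCCESS) { r->headers_in = saved_headers_in; }`. The function also has no header comment; one sentence saying that r->headers_in is pointed at r->trailers_in only for the duration of the ap_get_mime_headers() call would help the next reader. As a smaller point, `rv` is declared `int` while the function returns apr_status_t.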
@@ -230,6 +274,9 @@ int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE; apr_bucket_brigade *bb; + conf = (core_server_config *) + ap_get_module_config(f->r->server->module_config, &core_module); + /* just get out of the way of things we don't want. */ if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) { return ap_get_brigade(f->next, b, mode, block, readbytes); @@ -403,13 +450,8 @@ } if (!ctx->remaining) { - /* Handle trailers by calling ap_get_mime_headers again! */ - ctx->state = BODY_NONE; - ap_get_mime_headers(f->r); - e = apr_bucket_eos_create(f->c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(b, e); - ctx->eos_sent = 1; - return APR_SUCCESS; + return read_chunked_trailers(ctx, f, b, + conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE); } } } @@ -509,13 +551,8 @@ } if (!ctx->remaining) { - /* Handle trailers by calling ap_get_mime_headers again! */ - ctx->state = BODY_NONE; - ap_get_mime_headers(f->r); - e = apr_bucket_eos_create(f->c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(b, e); - ctx->eos_sent = 1; - return APR_SUCCESS; + return read_chunked_trailers(ctx, f, b, + conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE); } } break; Index: apache2-2.4.7/modules/http/http_request.c =================================================================== --- apache2-2.4.7.orig/modules/http/http_request.c 2015-03-05 12:29:19.561674411 -0500 +++ apache2-2.4.7/modules/http/http_request.c 2015-03-05 12:29:19.561674411 -0500 @@ -463,6 +463,7 @@ new->main = r->main; new->headers_in = r->headers_in; + new->trailers_in = r->trailers_in; new->headers_out = apr_table_make(r->pool, 12); if (ap_is_HTTP_REDIRECT(new->status)) { const char *location = apr_table_get(r->headers_out, "Location"); @@ -470,6 +471,7 @@ apr_table_setn(new->headers_out, "Location", location); } new->err_headers_out = r->err_headers_out; + new->trailers_out = apr_table_make(r->pool, 5); new->subprocess_env = rename_original_env(r->pool, r->subprocess_env); new->notes = apr_table_make(r->pool, 5); 
@@ -583,6 +585,8 @@ r->headers_out); r->err_headers_out = apr_table_overlay(r->pool, rr->err_headers_out, r->err_headers_out); + r->trailers_out = apr_table_overlay(r->pool, rr->trailers_out, + r->trailers_out); r->subprocess_env = apr_table_overlay(r->pool, rr->subprocess_env, r->subprocess_env); Index: apache2-2.4.7/modules/loggers/mod_log_config.c =================================================================== --- apache2-2.4.7.orig/modules/loggers/mod_log_config.c 2015-03-05 12:29:19.561674411 -0500 +++ apache2-2.4.7/modules/loggers/mod_log_config.c 2015-03-05 12:29:19.561674411 -0500 @@ -431,6 +431,12 @@ return ap_escape_logitem(r->pool, apr_table_get(r->headers_in, a)); } +static const char *log_trailer_in(request_rec *r, char *a) +{ + return ap_escape_logitem(r->pool, apr_table_get(r->trailers_in, a)); +} + + static APR_INLINE char *find_multiple_headers(apr_pool_t *pool, const apr_table_t *table, const char *key) @@ -514,6 +520,11 @@ return ap_escape_logitem(r->pool, cp); } +static const char *log_trailer_out(request_rec *r, char *a) +{ + return ap_escape_logitem(r->pool, apr_table_get(r->trailers_out, a)); +} + static const char *log_note(request_rec *r, char *a) { return ap_escape_logitem(r->pool, apr_table_get(r->notes, a)); @@ -916,7 +927,7 @@ static char *parse_log_item(apr_pool_t *p, log_format_item *it, const char **sa) { const char *s = *sa; - ap_log_handler *handler; + ap_log_handler *handler = NULL; if (*s != '%') { return parse_log_misc_string(p, it, sa); @@ -986,7 +997,16 @@ break; default: - handler = (ap_log_handler *)apr_hash_get(log_hash, s++, 1); + /* check for '^' + two character format first */ + if (*s == '^' && *(s+1) && *(s+2)) { + handler = (ap_log_handler *)apr_hash_get(log_hash, s, 3); + if (handler) { + s += 3; + } + } + if (!handler) { + handler = (ap_log_handler *)apr_hash_get(log_hash, s++, 1); + } if (!handler) { char dummy[2]; 
@@ -1516,7 +1536,7 @@ log_struct->func = handler; log_struct->want_orig_default = def; - apr_hash_set(log_hash, tag, 1, (const void *)log_struct); + apr_hash_set(log_hash, tag, strlen(tag), (const void *)log_struct); } static ap_log_writer_init *ap_log_set_writer_init(ap_log_writer_init *handle) { @@ -1694,6 +1714,9 @@ log_pfn_register(p, "U", log_request_uri, 1); log_pfn_register(p, "s", log_status, 1); log_pfn_register(p, "R", log_handler, 1); + + log_pfn_register(p, "^ti", log_trailer_in, 0); + log_pfn_register(p, "^to", log_trailer_out, 0); } /* reset to default conditions */ Index: apache2-2.4.7/modules/proxy/mod_proxy_http.c =================================================================== --- apache2-2.4.7.orig/modules/proxy/mod_proxy_http.c 2015-03-05 12:29:19.561674411 -0500 +++ apache2-2.4.7/modules/proxy/mod_proxy_http.c 2015-03-05 12:29:19.561674411 -0500 @@ -994,8 +994,11 @@ rp->status = HTTP_OK; rp->headers_in = apr_table_make(pool, 50); + rp->trailers_in = apr_table_make(pool, 5); + rp->subprocess_env = apr_table_make(pool, 50); rp->headers_out = apr_table_make(pool, 12); + rp->trailers_out = apr_table_make(pool, 5); rp->err_headers_out = apr_table_make(pool, 5); rp->notes = apr_table_make(pool, 5); @@ -1076,6 +1079,7 @@ psc = (proxy_server_conf *) ap_get_module_config(sconf, &proxy_module); r->headers_out = apr_table_make(r->pool, 20); + r->trailers_out = apr_table_make(r->pool, 5); *pread_len = 0; /* @@ -1206,6 +1210,14 @@ #define AP_MAX_INTERIM_RESPONSES 10 #endif +static int add_trailers(void *data, const char *key, const char *val) +{ + if (val) { + apr_table_add((apr_table_t*)data, key, val); + } + return 1; +} + static apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, proxy_conn_rec **backend_ptr, 
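Review bot: log_pfn_register() now keys the hash on `strlen(tag)`, but parse_log_item() in the earlier hunk of this file only ever looks up one character, or `^` plus two characters. A handler registered under any other tag length becomes silently unreachable, whereas before the change it was matched by its first character. I would document the accepted forms on this function, e.g. `/* tag must be one character, or '^' followed by two characters; other lengths are never matched by parse_log_item() */`, and consider logging or rejecting anything else. The function's signature is outside the hunk.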
@@ -1717,6 +1729,12 @@ /* next time try a non-blocking read */ mode = APR_NONBLOCK_READ; + if (!apr_is_empty_table(backend->r->trailers_in)) { + apr_table_do(add_trailers, r->trailers_out, + backend->r->trailers_in, NULL); + apr_table_clear(backend->r->trailers_in); + } + apr_brigade_length(bb, 0, &readbytes); backend->worker->s->read += readbytes; #if DEBUGGING Index: apache2-2.4.7/server/core.c =================================================================== --- apache2-2.4.7.orig/server/core.c 2015-03-05 12:29:19.561674411 -0500 +++ apache2-2.4.7/server/core.c 2015-03-05 12:29:19.561674411 -0500 @@ -519,6 +519,10 @@ if (virt->error_log_req) conf->error_log_req = virt->error_log_req; + conf->merge_trailers = (virt->merge_trailers != AP_MERGE_TRAILERS_UNSET) + ? virt->merge_trailers + : base->merge_trailers; + return conf; } @@ -3866,6 +3870,16 @@ } +static const char *set_merge_trailers(cmd_parms *cmd, void *dummy, int arg) +{ + core_server_config *conf = ap_get_module_config(cmd->server->module_config, + &core_module); + conf->merge_trailers = (arg ? AP_MERGE_TRAILERS_ENABLE : + AP_MERGE_TRAILERS_DISABLE); + + return NULL; +} + /* Note --- ErrorDocument will now work from .htaccess files. * The AllowOverride of Fileinfo allows webmasters to turn it off */ @@ -4113,6 +4127,8 @@ #endif AP_INIT_TAKE1("TraceEnable", set_trace_enable, NULL, RSRC_CONF, "'on' (default), 'off' or 'extended' to trace request body content"), +AP_INIT_FLAG("MergeTrailers", set_merge_trailers, NULL, RSRC_CONF, + "merge request trailers into request headers or not"), { NULL } }; @@ -4195,7 +4211,6 @@ static int do_nothing(request_rec *r) { return OK; } - static int core_override_type(request_rec *r) { core_dir_config *conf = Index: apache2-2.4.7/server/protocol.c =================================================================== --- apache2-2.4.7.orig/server/protocol.c 2015-03-05 12:29:19.561674411 -0500 +++ apache2-2.4.7/server/protocol.c 2015-03-05 12:29:19.561674411 -0500 
@@ -718,6 +718,8 @@ r->status = HTTP_REQUEST_TIME_OUT; } else { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, + "Failed to read request header line %s", field); r->status = HTTP_BAD_REQUEST; } @@ -917,9 +919,11 @@ r->allowed_methods = ap_make_method_list(p, 2); r->headers_in = apr_table_make(r->pool, 25); + r->trailers_in = apr_table_make(r->pool, 5); r->subprocess_env = apr_table_make(r->pool, 25); r->headers_out = apr_table_make(r->pool, 12); r->err_headers_out = apr_table_make(r->pool, 5); + r->trailers_out = apr_table_make(r->pool, 5); r->notes = apr_table_make(r->pool, 5); r->request_config = ap_create_request_config(r->pool); @@ -1161,6 +1165,7 @@ rnew->status = HTTP_OK; rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in); + rnew->trailers_in = apr_table_copy(rnew->pool, r->trailers_in); /* did the original request have a body? (e.g. POST w/SSI tags) * if so, make sure the subrequest doesn't inherit body headers @@ -1172,6 +1177,7 @@ rnew->subprocess_env = apr_table_copy(rnew->pool, r->subprocess_env); rnew->headers_out = apr_table_make(rnew->pool, 5); rnew->err_headers_out = apr_table_make(rnew->pool, 5); + rnew->trailers_out = apr_table_make(rnew->pool, 5); rnew->notes = apr_table_make(rnew->pool, 5); rnew->expecting_100 = r->expecting_100; debian/patches/CVE-2018-1283.patch0000644000000000000000000000203513376761111013244 0ustar Description: fix mod_session header manipulation Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1824477 Index: apache2-2.4.7/modules/session/mod_session.c =================================================================== --- apache2-2.4.7.orig/modules/session/mod_session.c 2018-04-18 11:13:12.166553828 -0400 +++ apache2-2.4.7/modules/session/mod_session.c 2018-04-18 11:13:12.154553804 -0400 
@@ -505,12 +505,15 @@ static int session_fixups(request_rec * */ ap_session_load(r, &z); - if (z && conf->env) { - session_identity_encode(r, z); - if (z->encoded) { - apr_table_set(r->subprocess_env, HTTP_SESSION, z->encoded); - z->encoded = NULL; + if (conf->env) { + if (z) { + session_identity_encode(r, z); + if (z->encoded) { + apr_table_set(r->subprocess_env, HTTP_SESSION, z->encoded); + z->encoded = NULL; + } } + apr_table_unset(r->headers_in, "Session"); } return OK; debian/patches/086_svn_cross_compiles0000644000000000000000000000760313376761111015063 0ustar Description: Pull upstream fixes for autotools for cross-compiling Author: Adam Conrad Origin: upstream, http://svn.eu.apache.org/viewvc?view=revision&revision=1328445 Origin: upstream, http://svn.eu.apache.org/viewvc?view=revision&revision=1327907 Origin: upstream, http://svn.eu.apache.org/viewvc?view=revision&revision=1328390 Origin: upstream, http://svn.eu.apache.org/viewvc?view=revision&revision=1328714 Forwarded: not-needed diff -Naurp httpd-2.4.4.orig/acinclude.m4 httpd-2.4.4/acinclude.m4 --- httpd-2.4.4.orig/acinclude.m4 2013-01-30 10:25:31.000000000 -0600 +++ httpd-2.4.4/acinclude.m4 2013-07-02 08:28:47.666057692 -0500 @@ -53,6 +53,8 @@ AC_DEFUN(APACHE_GEN_CONFIG_VARS,[ APACHE_SUBST(CPPFLAGS) APACHE_SUBST(CFLAGS) APACHE_SUBST(CXXFLAGS) + APACHE_SUBST(CC_FOR_BUILD) + APACHE_SUBST(CFLAGS_FOR_BUILD) APACHE_SUBST(LTFLAGS) APACHE_SUBST(LDFLAGS) APACHE_SUBST(LT_LDFLAGS) @@ -685,7 +687,7 @@ int main(void) { return sizeof(void *) < sizeof(long); }], [ap_cv_void_ptr_lt_long=no], [ap_cv_void_ptr_lt_long=yes], - [ap_cv_void_ptr_lt_long=yes])]) + [ap_cv_void_ptr_lt_long="cross compile - not checked"])]) if test "$ap_cv_void_ptr_lt_long" = "yes"; then AC_MSG_ERROR([Size of "void *" is less than size of "long"]) diff -Naurp httpd-2.4.4.orig/configure httpd-2.4.4/configure --- httpd-2.4.4.orig/configure 2013-02-18 14:28:23.000000000 -0600 +++ httpd-2.4.4/configure 2013-07-02 08:28:47.682057692 -0500 
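Review bot: The new `apr_table_unset(r->headers_in, "Session");` in session_fixups has no comment saying why a request header is removed, and the reason is not obvious from the code. Suggest `/* drop any client-sent Session header so it cannot be mistaken for the HTTP_SESSION value set above when the CGI environment is built */`; this wording follows the patch description and should be confirmed against the upstream revision. The unset runs only when conf->env is set, and the return value of ap_session_load() on the context line above it is still ignored. The function starts and ends outside the hunk.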
@@ -660,6 +660,8 @@ HTTPD_LDFLAGS SH_LDFLAGS LT_LDFLAGS LTFLAGS +CFLAGS_FOR_BUILD +CC_FOR_BUILD CXXFLAGS CXX other_targets @@ -6029,6 +6031,12 @@ fi +if test "x${build_alias}" != "x${host_alias}"; then + if test "x${CC_FOR_BUILD}" = "x"; then + CC_FOR_BUILD=cc + fi +fi + if test "x${cache_file}" = "x/dev/null"; then # Likewise, ensure that CC and CPP are passed through to the pcre # configure script iff caching is disabled (the autoconf 2.5x default). @@ -7655,7 +7663,7 @@ if ${ap_cv_void_ptr_lt_long+:} false; th $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : - ap_cv_void_ptr_lt_long=yes + ap_cv_void_ptr_lt_long="cross compile - not checked" else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -32060,6 +32068,14 @@ $as_echo "$as_me: " >&6;} + APACHE_VAR_SUBST="$APACHE_VAR_SUBST CC_FOR_BUILD" + + + + APACHE_VAR_SUBST="$APACHE_VAR_SUBST CFLAGS_FOR_BUILD" + + + APACHE_VAR_SUBST="$APACHE_VAR_SUBST LTFLAGS" diff -Naurp httpd-2.4.4.orig/configure.in httpd-2.4.4/configure.in --- httpd-2.4.4.orig/configure.in 2013-01-09 10:39:05.000000000 -0600 +++ httpd-2.4.4/configure.in 2013-07-02 08:28:47.690057692 -0500 @@ -206,6 +206,14 @@ AC_PROG_CPP dnl Try to get c99 support for variadic macros ifdef([AC_PROG_CC_C99], [AC_PROG_CC_C99]) +dnl In case of cross compilation we set CC_FOR_BUILD to cc unless +dnl we got already CC_FOR_BUILD from environment. +if test "x${build_alias}" != "x${host_alias}"; then + if test "x${CC_FOR_BUILD}" = "x"; then + CC_FOR_BUILD=cc + fi +fi + if test "x${cache_file}" = "x/dev/null"; then # Likewise, ensure that CC and CPP are passed through to the pcre # configure script iff caching is disabled (the autoconf 2.5x default). diff -Naurp httpd-2.4.4.orig/server/Makefile.in httpd-2.4.4/server/Makefile.in --- httpd-2.4.4.orig/server/Makefile.in 2013-01-28 07:13:18.000000000 -0600 +++ httpd-2.4.4/server/Makefile.in 2013-07-02 08:28:47.686057692 -0500 
@@ -22,9 +22,14 @@ TARGETS = delete-exports $(LTLIBRARY_NAM include $(top_builddir)/build/rules.mk include $(top_srcdir)/build/library.mk +ifdef CC_FOR_BUILD +gen_test_char: gen_test_char.c + $(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) -DCROSS_COMPILE -o $@ $< +else gen_test_char_OBJECTS = gen_test_char.lo gen_test_char: $(gen_test_char_OBJECTS) $(LINK) $(EXTRA_LDFLAGS) $(gen_test_char_OBJECTS) $(EXTRA_LIBS) +endif test_char.h: gen_test_char ./gen_test_char > test_char.h debian/patches/suexec-custom.patch0000644000000000000000000001275413376761111014461 0ustar Description: the actual patch to make suexec-custom read a config file Forwarded: not-needed Author: Stefan Fritsch Last-Update: 2012-02-25 --- a/support/suexec-custom.c +++ b/support/suexec-custom.c @@ -29,6 +29,7 @@ * * */ +#define SUEXEC_CONFIG_DIR "/etc/apache2/suexec/" #include "apr.h" #include "ap_config.h" @@ -39,6 +40,7 @@ #include #include #include +#include #if APR_HAVE_UNISTD_H #include #endif @@ -197,6 +199,26 @@ return; } +static int read_line(char *buf, FILE *file) { + char *p; + p = fgets(buf, AP_MAXPATH+1, file); + if (!p) return 0; + if (*p == '\0') return 1; + + p = buf; + while (*p) + p++; + p--; + + /* remove trailing space and slash */ + while ( isspace(*p) && p >= buf ) + *p-- = '\0'; + while ( *p == '/' && p >= buf ) + *p-- = '\0'; + + return 1; +} + static void clean_env(void) { char pathbuf[512]; @@ -263,6 +285,11 @@ struct stat dir_info; /* directory info holder */ struct stat prg_info; /* program info holder */ int cwdh; /* handle to cwd */ + char *suexec_docroot = NULL; + char *suexec_userdir_suffix = NULL; + char *filename = NULL; + FILE *configfile; + /* * Start with a "clean" environment 
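Review bot: In read_line() both trimming loops dereference before they bounds-check: `while ( isspace(*p) && p >= buf )` reads `buf[-1]` when the line is all whitespace, for example a bare newline. That is one byte before the malloc'd buffer, in a binary that runs setuid. Swap the operands and cast for isspace(): `while (p >= buf && isspace((unsigned char)*p))` and `while (p >= buf && *p == '/')`. A line longer than AP_MAXPATH is also split silently, so its tail would be read as the next setting; checking for a missing newline and failing closed would avoid that.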
@@ -292,15 +319,10 @@ || (! strcmp(AP_HTTPD_USER, pw->pw_name))) #endif /* _OSD_POSIX */ ) { -#ifdef AP_DOC_ROOT - fprintf(stderr, " -D AP_DOC_ROOT=\"%s\"\n", AP_DOC_ROOT); -#endif + fprintf(stderr, " -D SUEXEC_CONFIG_DIR=%s\n", SUEXEC_CONFIG_DIR); #ifdef AP_GID_MIN fprintf(stderr, " -D AP_GID_MIN=%d\n", AP_GID_MIN); #endif -#ifdef AP_HTTPD_USER - fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER); -#endif #ifdef AP_LOG_EXEC fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC); #endif @@ -313,9 +335,6 @@ #ifdef AP_UID_MIN fprintf(stderr, " -D AP_UID_MIN=%d\n", AP_UID_MIN); #endif -#ifdef AP_USERDIR_SUFFIX - fprintf(stderr, " -D AP_USERDIR_SUFFIX=\"%s\"\n", AP_USERDIR_SUFFIX); -#endif exit(0); } /* @@ -330,23 +349,6 @@ target_gname = argv[2]; cmd = argv[3]; - /* - * Check to see if the user running this program - * is the user allowed to do so as defined in - * suexec.h. If not the allowed user, error out. - */ -#ifdef _OSD_POSIX - /* User name comparisons are case insensitive on BS2000/OSD */ - if (strcasecmp(AP_HTTPD_USER, pw->pw_name)) { - log_err("user mismatch (%s instead of %s)\n", pw->pw_name, AP_HTTPD_USER); - exit(103); - } -#else /*_OSD_POSIX*/ - if (strcmp(AP_HTTPD_USER, pw->pw_name)) { - log_err("user mismatch (%s instead of %s)\n", pw->pw_name, AP_HTTPD_USER); - exit(103); - } -#endif /*_OSD_POSIX*/ /* * Check for a leading '/' (absolute path) in the command to be executed, 
@@ -371,6 +373,63 @@ } /* + * Check to see if the user running this program + * is the user allowed to do so as defined in + * SUEXEC_CONFIG_DIR/username + * If not, error out. + */ + filename = malloc(AP_MAXPATH+1); + suexec_docroot = malloc(AP_MAXPATH+1); + suexec_userdir_suffix = malloc(AP_MAXPATH+1); + if (!filename || !suexec_docroot || !suexec_userdir_suffix) { + log_err("malloc failed\n"); + exit(120); + } + + strncpy(filename, SUEXEC_CONFIG_DIR, AP_MAXPATH); + strncat(filename, pw->pw_name, AP_MAXPATH); + filename[AP_MAXPATH] = '\0'; + + configfile = fopen(filename, "r"); + if (!configfile) { + log_err("User %s not allowed: Could not open config file %s\n", pw->pw_name, filename); + exit(123); + } + + if (!read_line(suexec_docroot, configfile)) { + log_err("Could not read docroot from %s\n", filename); + exit(124); + } + + if (!read_line(suexec_userdir_suffix, configfile)) { + log_err("Could not read userdir suffix from %s\n", filename); + exit(125); + } + + fclose(configfile); + + if (userdir) { + if ( !isalnum(*suexec_userdir_suffix) && suexec_userdir_suffix[0] != '.') { + log_err("userdir suffix disabled in %s\n", filename); + exit(126); + } + } + else { + if (suexec_docroot[0] != '/') { + log_err("docroot disabled in %s\n", filename); + exit(127); + } + + if (suexec_docroot[1] == '/' || + suexec_docroot[1] == '.' || + suexec_docroot[1] == '\0' ) + { + log_err("invalid docroot %s in %s\n", suexec_docroot, filename); + exit(128); + } + } + + /* * Error out if the target username is invalid. */ if (strspn(target_uname, "1234567890") != strlen(target_uname)) { @@ -511,7 +570,7 @@ if (userdir) { if (((chdir(target_homedir)) != 0) || - ((chdir(AP_USERDIR_SUFFIX)) != 0) || + ((chdir(suexec_userdir_suffix)) != 0) || ((getcwd(dwd, AP_MAXPATH)) == NULL) || ((fchdir(cwdh)) != 0)) { log_err("cannot get docroot information (%s)\n", target_homedir); 
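Review bot: `strncat(filename, pw->pw_name, AP_MAXPATH);` bounds the number of bytes appended, not the total length, so the concatenation can write past the AP_MAXPATH+1 bytes malloc'd for `filename` before the terminator on the next line is stored. pw_name comes from the passwd database and is normally short, but in suexec the bound should hold regardless: `strncat(filename, pw->pw_name, AP_MAXPATH - strlen(filename));`, or build the path with snprintf() and refuse on truncation. The hunk also opens the per-user file without checking its owner or mode; whether that matters depends on the permissions of SUEXEC_CONFIG_DIR, which the patch does not show.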
@@ -519,7 +578,7 @@ } } else { - if (((chdir(AP_DOC_ROOT)) != 0) || + if (((chdir(suexec_docroot)) != 0) || ((getcwd(dwd, AP_MAXPATH)) == NULL) || ((fchdir(cwdh)) != 0)) { log_err("cannot get docroot information (%s)\n", AP_DOC_ROOT); debian/patches/CVE-2018-1312.patch0000644000000000000000000003507513376761111013247 0ustar Description: fix insecure nonce generation Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1824481 Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=54637 Index: apache2-2.4.18/modules/aaa/mod_auth_digest.c =================================================================== --- apache2-2.4.18.orig/modules/aaa/mod_auth_digest.c 2018-04-18 10:51:39.939994842 -0400 +++ apache2-2.4.18/modules/aaa/mod_auth_digest.c 2018-04-18 10:52:23.624076606 -0400 @@ -26,20 +26,13 @@ * reports to the Apache bug-database, or send them directly to me * at ronald@innovation.ch. * - * Requires either /dev/random (or equivalent) or the truerand library, - * available for instance from - * ftp://research.att.com/dist/mab/librand.shar - * * Open Issues: * - qop=auth-int (when streams and trailer support available) * - nonce-format configurability * - Proxy-Authorization-Info header is set by this module, but is * currently ignored by mod_proxy (needs patch to mod_proxy) - * - generating the secret takes a while (~ 8 seconds) if using the - * truerand library * - The source of the secret should be run-time directive (with server - * scope: RSRC_CONF). However, that could be tricky when trying to - * choose truerand vs. file... + * scope: RSRC_CONF) * - shared-mem not completely tested yet. Seems to work ok for me, * but... (definitely won't work on Windoze) * - Sharing a realm among multiple servers has following problems: 
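Review bot: The error path after `chdir(suexec_docroot)` still logs `AP_DOC_ROOT`, so a failure reports the compile-time document root instead of the one read from the per-user config file. That makes the suexec log misleading when someone investigates a refused request. Change the unchanged context line to `log_err("cannot get docroot information (%s)\n", suexec_docroot);`. The enclosing block continues outside the hunk.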
@@ -52,6 +45,8 @@ * captures a packet sent to one server and sends it to another * one. Should we add "AuthDigestNcCheck Strict"? * - expired nonces give amaya fits. + * - MD5-sess and auth-int are not yet implemented. An incomplete + * implementation has been removed and can be retrieved from svn history. */ #include "apr_sha1.h" @@ -94,7 +89,6 @@ typedef struct digest_config_struct { apr_array_header_t *qop_list; apr_sha1_ctx_t nonce_ctx; apr_time_t nonce_lifetime; - const char *nonce_format; int check_nc; const char *algorithm; char *uri_list; @@ -112,7 +106,8 @@ typedef struct digest_config_struct { #define NONCE_HASH_LEN (2*APR_SHA1_DIGESTSIZE) #define NONCE_LEN (int )(NONCE_TIME_LEN + NONCE_HASH_LEN) -#define SECRET_LEN 20 +#define SECRET_LEN 20 +#define RETAINED_DATA_ID "mod_auth_digest" /* client list definitions */ @@ -121,7 +116,6 @@ typedef struct hash_entry { unsigned long key; /* the key for this entry */ struct hash_entry *next; /* next entry in the bucket */ unsigned long nonce_count; /* for nonce-count checking */ - char ha1[2*APR_MD5_DIGESTSIZE+1]; /* for algorithm=MD5-sess */ char last_nonce[NONCE_LEN+1]; /* for one-time nonce's */ } client_entry; @@ -170,7 +164,7 @@ typedef union time_union { unsigned char arr[sizeof(apr_time_t)]; } time_rec; -static unsigned char secret[SECRET_LEN]; +static unsigned char *secret; /* client-list, opaque, and one-time-nonce stuff */ 
@@ -228,35 +222,11 @@ static apr_status_t cleanup_tables(void return APR_SUCCESS; } -static apr_status_t initialize_secret(server_rec *s) -{ - apr_status_t status; - - ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01757) - "generating secret for digest authentication ..."); - -#if APR_HAS_RANDOM - status = apr_generate_random_bytes(secret, sizeof(secret)); -#else -#error APR random number support is missing; you probably need to install the truerand library. -#endif - - if (status != APR_SUCCESS) { - ap_log_error(APLOG_MARK, APLOG_CRIT, status, s, APLOGNO(01758) - "error generating secret"); - return status; - } - - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01759) "done"); - - return APR_SUCCESS; -} - static void log_error_and_cleanup(char *msg, apr_status_t sts, server_rec *s) { ap_log_error(APLOG_MARK, APLOG_ERR, sts, s, APLOGNO(01760) - "%s - all nonce-count checking, one-time nonces, and " - "MD5-sess algorithm disabled", msg); + "%s - all nonce-count checking and one-time nonces" + "disabled", msg); cleanup_tables(NULL); } 
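Review bot: The rewritten message in log_error_and_cleanup() concatenates `"... one-time nonces"` and `"disabled"` with no space between them, so the log line reads "noncesdisabled". Add the space to the first literal: `"%s - all nonce-count checking and one-time nonces "`.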
@@ -377,16 +347,32 @@ static int initialize_tables(server_rec static int pre_init(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp) { apr_status_t rv; + void *retained; rv = ap_mutex_register(pconf, client_mutex_type, NULL, APR_LOCK_DEFAULT, 0); - if (rv == APR_SUCCESS) { - rv = ap_mutex_register(pconf, opaque_mutex_type, NULL, APR_LOCK_DEFAULT, - 0); - } - if (rv != APR_SUCCESS) { - return rv; - } + if (rv != APR_SUCCESS) + return !OK; + rv = ap_mutex_register(pconf, opaque_mutex_type, NULL, APR_LOCK_DEFAULT, 0); + if (rv != APR_SUCCESS) + return !OK; + retained = ap_retained_data_get(RETAINED_DATA_ID); + if (retained == NULL) { + retained = ap_retained_data_create(RETAINED_DATA_ID, SECRET_LEN); + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, APLOGNO(01757) + "generating secret for digest authentication"); +#if APR_HAS_RANDOM + rv = apr_generate_random_bytes(retained, SECRET_LEN); +#else +#error APR random number support is missing +#endif + if (rv != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_CRIT, rv, NULL, APLOGNO(01758) + "error generating secret"); + return !OK; + } + } + secret = retained; return OK; } @@ -399,10 +385,6 @@ static int initialize_module(apr_pool_t if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) return OK; - if (initialize_secret(s) != APR_SUCCESS) { - return !OK; - } - #if APR_HAS_SHARED_MEMORY /* Note: this stuff is currently fixed for the lifetime of the server, * i.e. even across restarts. This means that A) any shmem-size 
@@ -483,6 +465,16 @@ static void *create_digest_dir_config(ap static const char *set_realm(cmd_parms *cmd, void *config, const char *realm) { digest_config_rec *conf = (digest_config_rec *) config; +#ifdef AP_DEBUG + int i; + + /* check that we got random numbers */ + for (i = 0; i < SECRET_LEN; i++) { + if (secret[i] != 0) + break; + } + ap_assert(i < SECRET_LEN); +#endif /* The core already handles the realm, but it's just too convenient to * grab it ourselves too and cache some setups. However, we need to @@ -496,7 +488,7 @@ static const char *set_realm(cmd_parms * * and directives outside a virtual host section) */ apr_sha1_init(&conf->nonce_ctx); - apr_sha1_update_binary(&conf->nonce_ctx, secret, sizeof(secret)); + apr_sha1_update_binary(&conf->nonce_ctx, secret, SECRET_LEN); apr_sha1_update_binary(&conf->nonce_ctx, (const unsigned char *) realm, strlen(realm)); @@ -590,8 +582,7 @@ static const char *set_nonce_lifetime(cm static const char *set_nonce_format(cmd_parms *cmd, void *config, const char *fmt) { - ((digest_config_rec *) config)->nonce_format = fmt; - return "AuthDigestNonceFormat is not implemented (yet)"; + return "AuthDigestNonceFormat is not implemented"; } static const char *set_nc_check(cmd_parms *cmd, void *config, int flag) @@ -612,7 +603,7 @@ static const char *set_algorithm(cmd_par { if (!strcasecmp(alg, "MD5-sess")) { return "AuthDigestAlgorithm: ERROR: algorithm `MD5-sess' " - "is not fully implemented"; + "is not implemented"; } else if (strcasecmp(alg, "MD5")) { return apr_pstrcat(cmd->pool, "Invalid algorithm in AuthDigestAlgorithm: ", alg, NULL); @@ -1138,7 +1129,7 @@ static const char *gen_nonce(apr_pool_t static client_entry *gen_client(const request_rec *r) { unsigned long op; - client_entry new_entry = { 0, NULL, 0, "", "" }, *entry; + client_entry new_entry = { 0, NULL, 0, "" }, *entry; if (!opaque_cntr) { return NULL; 
@@ -1159,92 +1150,6 @@ static client_entry *gen_client(const re /* - * MD5-sess code. - * - * If you want to use algorithm=MD5-sess you must write get_userpw_hash() - * yourself (see below). The dummy provided here just uses the hash from - * the auth-file, i.e. it is only useful for testing client implementations - * of MD5-sess . - */ - -/* - * get_userpw_hash() will be called each time a new session needs to be - * generated and is expected to return the equivalent of - * - * h_urp = ap_md5(r->pool, - * apr_pstrcat(r->pool, username, ":", ap_auth_name(r), ":", passwd)) - * ap_md5(r->pool, - * (unsigned char *) apr_pstrcat(r->pool, h_urp, ":", resp->nonce, ":", - * resp->cnonce, NULL)); - * - * or put differently, it must return - * - * MD5(MD5(username ":" realm ":" password) ":" nonce ":" cnonce) - * - * If something goes wrong, the failure must be logged and NULL returned. - * - * You must implement this yourself, which will probably consist of code - * contacting the password server with the necessary information (typically - * the username, realm, nonce, and cnonce) and receiving the hash from it. - * - * TBD: This function should probably be in a separate source file so that - * people need not modify mod_auth_digest.c each time they install a new - * version of apache. - */ -static const char *get_userpw_hash(const request_rec *r, - const digest_header_rec *resp, - const digest_config_rec *conf) -{ - return ap_md5(r->pool, - (unsigned char *) apr_pstrcat(r->pool, conf->ha1, ":", resp->nonce, - ":", resp->cnonce, NULL)); -} - - -/* Retrieve current session H(A1). If there is none and "generate" is - * true then a new session for MD5-sess is generated and stored in the - * client struct; if generate is false, or a new session could not be - * generated then NULL is returned (in case of failure to generate the - * failure reason will have been logged already). 
- */ -static const char *get_session_HA1(const request_rec *r, - digest_header_rec *resp, - const digest_config_rec *conf, - int generate) -{ - const char *ha1 = NULL; - - /* return the current sessions if there is one */ - if (resp->opaque && resp->client && resp->client->ha1[0]) { - return resp->client->ha1; - } - else if (!generate) { - return NULL; - } - - /* generate a new session */ - if (!resp->client) { - resp->client = gen_client(r); - } - if (resp->client) { - ha1 = get_userpw_hash(r, resp, conf); - if (ha1) { - memcpy(resp->client->ha1, ha1, sizeof(resp->client->ha1)); - } - } - - return ha1; -} - - -static void clear_session(const digest_header_rec *resp) -{ - if (resp->client) { - resp->client->ha1[0] = '\0'; - } -} - -/* * Authorization challenge generation code (for WWW-Authenticate) */ @@ -1282,8 +1187,7 @@ static void note_digest_auth_failure(req if (resp->opaque == NULL) { /* new client */ - if ((conf->check_nc || conf->nonce_lifetime == 0 - || !strcasecmp(conf->algorithm, "MD5-sess")) + if ((conf->check_nc || conf->nonce_lifetime == 0) && (resp->client = gen_client(r)) != NULL) { opaque = ltox(r->pool, resp->client->key); } @@ -1323,15 +1227,6 @@ static void note_digest_auth_failure(req memcpy(resp->client->last_nonce, nonce, NONCE_LEN+1); } - /* Setup MD5-sess stuff. Note that we just clear out the session - * info here, since we can't generate a new session until the request - * from the client comes in with the cnonce. - */ - - if (!strcasecmp(conf->algorithm, "MD5-sess")) { - clear_session(resp); - } - /* setup domain attribute. We want to send this attribute wherever * possible so that the client won't send the Authorization header * unnecessarily (it's usually > 200 bytes!). 
@@ -1597,24 +1492,9 @@ static const char *new_digest(const requ { const char *ha1, *ha2, *a2; - if (resp->algorithm && !strcasecmp(resp->algorithm, "MD5-sess")) { - ha1 = get_session_HA1(r, resp, conf, 1); - if (!ha1) { - return NULL; - } - } - else { - ha1 = conf->ha1; - } + ha1 = conf->ha1; - if (resp->message_qop && !strcasecmp(resp->message_qop, "auth-int")) { - a2 = apr_pstrcat(r->pool, resp->method, ":", resp->uri, ":", - ap_md5(r->pool, (const unsigned char*) ""), NULL); - /* TBD */ - } - else { - a2 = apr_pstrcat(r->pool, resp->method, ":", resp->uri, NULL); - } + a2 = apr_pstrcat(r->pool, resp->method, ":", resp->uri, NULL); ha2 = ap_md5(r->pool, (const unsigned char *)a2); return ap_md5(r->pool, @@ -1862,8 +1742,7 @@ static int authenticate_digest_user(requ } if (resp->algorithm != NULL - && strcasecmp(resp->algorithm, "MD5") - && strcasecmp(resp->algorithm, "MD5-sess")) { + && strcasecmp(resp->algorithm, "MD5")) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01789) "unknown algorithm `%s' received: %s", resp->algorithm, r->uri); 
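Review bot: `ha1 = conf->ha1;` in new_digest still takes the user's H(A1) from the per-directory config record, which is shared by every request mapped to that directory, so concurrent requests from different users can overwrite each other's hash between lookup and comparison. The add_auth_info hunk further down reads `conf->ha1` the same way. The CVE-2019-0217 patch shipped in the same patch directory moves the field to the per-request `digest_header_rec` (`ha1 = resp->ha1;`). This patch should either be applied together with that one or carry a comment pointing at the dependency. new_digest's body continues outside the hunk.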
@@ -2015,27 +1894,9 @@ static int add_auth_info(request_rec *r) /* calculate rspauth attribute */ - if (resp->algorithm && !strcasecmp(resp->algorithm, "MD5-sess")) { - ha1 = get_session_HA1(r, resp, conf, 0); - if (!ha1) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01795) - "internal error: couldn't find session " - "info for user %s", resp->username); - return !OK; - } - } - else { - ha1 = conf->ha1; - } + ha1 = conf->ha1; - if (resp->message_qop && !strcasecmp(resp->message_qop, "auth-int")) { - a2 = apr_pstrcat(r->pool, ":", resp->uri, ":", - ap_md5(r->pool,(const unsigned char *) ""), NULL); - /* TBD */ - } - else { - a2 = apr_pstrcat(r->pool, ":", resp->uri, NULL); - } + a2 = apr_pstrcat(r->pool, ":", resp->uri, NULL); ha2 = ap_md5(r->pool, (const unsigned char *)a2); resp_dig = ap_md5(r->pool, debian/patches/add-itk-to-build-system.patch0000644000000000000000000000212713376761111016222 0ustar Add the new MPM to the build system as an alternative to the other MPMs and add itk's dependency to libcap. --- a/server/mpm/config2.m4 +++ b/server/mpm/config2.m4 @@ -1,7 +1,7 @@ AC_MSG_CHECKING(which MPM to use by default) AC_ARG_WITH(mpm, APACHE_HELP_STRING(--with-mpm=MPM,Choose the process model for Apache to use by default. - MPM={event|worker|prefork|winnt} + MPM={event|worker|prefork|winnt|itk} This will be statically linked as the only available MPM unless --enable-mpms-shared is also specified. ),[ @@ -66,6 +66,9 @@ else AC_MSG_ERROR([MPM $i is not supported on this platform.]) fi + if test "$i" = "itk" ; then + AC_CHECK_LIB(cap, cap_init) + fi done if test $mpm_build = "shared"; then --- a/modules/arch/unix/config5.m4 +++ b/modules/arch/unix/config5.m4 @@ -3,6 +3,7 @@ if ap_mpm_is_enabled "worker" \ || ap_mpm_is_enabled "event" \ + || ap_mpm_is_enabled "itk" \ || ap_mpm_is_enabled "prefork"; then unixd_mods_enable=yes else debian/patches/CVE-2017-3169.patch0000644000000000000000000001067213376761111013256 0ustar Backport of: 
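Review bot: `AC_CHECK_LIB(cap, cap_init)` in the server/mpm/config2.m4 hunk has no action-if-not-found, so configure carries on when libcap is absent and the itk MPM is built without it. If itk relies on libcap to limit the capabilities its processes keep (the patch description calls it a dependency), a missing library should stop the build, e.g. `AC_CHECK_LIB(cap, cap_init, [], [AC_MSG_ERROR([libcap is required for the itk MPM])])`. As written, the result depends on what happens to be installed on the build host.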
From 54e0c857b1b019c147b778c09d5e72d99183ff61 Mon Sep 17 00:00:00 2001 
From: Jim Jagielski Date: Tue, 30 May 2017 12:26:05 +0000 Subject: [PATCH] Merge r1796343 from trunk: mod_ssl: fix ctx passed to ssl_io_filter_error() Consistently pass the expected bio_filter_in_ctx_t to ssl_io_filter_error(). Submitted By: Yann Ylavic Submitted by: covener Reviewed by: covener, ylavic, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796854 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 +++ STATUS | 6 ------ modules/ssl/ssl_engine_io.c | 15 ++++++++------- 3 files changed, 11 insertions(+), 13 deletions(-) #diff --git a/CHANGES b/CHANGES #index ddf722da2a2..1b815557a37 100644 #--- a/CHANGES #+++ b/CHANGES #@@ -18,6 +18,9 @@ Changes with Apache 2.4.26 # *) core: EBCDIC fixes for interim responses with additional headers. # [Eric Covener] # #+ *) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t #+ to ssl_io_filter_error(). [Yann Ylavic] #+ # *) mod_env: when processing a 'SetEnv' directive, warn if the environment # variable name includes a '='. It is likely a configuration error. # PR 60249 [Christophe Jaillet] #diff --git a/STATUS b/STATUS #index 28add1d0f42..1ce64c6b43b 100644 #--- a/STATUS #+++ b/STATUS #@@ -120,12 +120,6 @@ RELEASE SHOWSTOPPERS: # PATCHES ACCEPTED TO BACKPORT FROM TRUNK: # [ start all new proposals below, under PATCHES PROPOSED. ] # #- *) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t #- to ssl_io_filter_error(). [Yann Ylavic] #- trunk patch: http://svn.apache.org/r1796343 #- 2.4.x patch: svn merge -c 1796343 ^/httpd/httpd/trunk . (modulo CHANGES) #- +1: covener, ylavic, jim #- # *) core: Deprecate ap_get_basic_auth_pw() and add # ap_get_basic_auth_components(). 
# trunk patch: http://svn.apache.org/r1796348 Index: apache2-2.4.7/modules/ssl/ssl_engine_io.c =================================================================== --- apache2-2.4.7.orig/modules/ssl/ssl_engine_io.c 2017-06-26 07:59:16.614059669 -0400 +++ apache2-2.4.7/modules/ssl/ssl_engine_io.c 2017-06-26 08:03:56.053052369 -0400 @@ -845,19 +845,20 @@ static apr_status_t ssl_filter_write(ap_ * establish an outgoing SSL connection. */ #define MODSSL_ERROR_BAD_GATEWAY (APR_OS_START_USERERR + 1) -static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f) +static void ssl_io_filter_disable(SSLConnRec *sslconn, + bio_filter_in_ctx_t *inctx) { - bio_filter_in_ctx_t *inctx = f->ctx; SSL_free(inctx->ssl); sslconn->ssl = NULL; inctx->ssl = NULL; inctx->filter_ctx->pssl = NULL; } -static apr_status_t ssl_io_filter_error(ap_filter_t *f, +static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx, apr_bucket_brigade *bb, apr_status_t status) { + ap_filter_t *f = inctx->f; SSLConnRec *sslconn = myConnConfig(f->c); apr_bucket *bucket; int send_eos = 1; @@ -871,7 +872,7 @@ static apr_status_t ssl_io_filter_error( ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server); sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP; - ssl_io_filter_disable(sslconn, f); + ssl_io_filter_disable(sslconn, inctx); /* fake the request line */ bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc); @@ -1348,7 +1349,7 @@ static apr_status_t ssl_io_filter_input( * rather than have SSLEngine On configured. */ if ((status = ssl_io_filter_handshake(inctx->filter_ctx)) != APR_SUCCESS) { - return ssl_io_filter_error(f, bb, status); + return ssl_io_filter_error(inctx, bb, status); } if (is_init) { @@ -1402,7 +1403,7 @@ static apr_status_t ssl_io_filter_input( /* Handle custom errors. */ if (status != APR_SUCCESS) { - return ssl_io_filter_error(f, bb, status); + return ssl_io_filter_error(inctx, bb, status); } /* Create a transient bucket out of the decrypted data. */ 
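Review bot: ssl_io_filter_disable() and ssl_io_filter_error() now require the input-side context, but nothing at the new signatures says why. Before this change the helper read `f->ctx` as a `bio_filter_in_ctx_t`, which holds only when `f` is the input filter, yet ssl_io_filter_output passed its own `f` (whose `ctx` is presumably the filter context, not the input context). A comment above the first signature, such as `/* inctx must be the connection's bio_filter_in_ctx_t; do not derive it from an output filter's f->ctx */`, would keep a later caller from reintroducing the mismatch. Both functions continue outside the hunk.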
@@ -1588,7 +1589,7 @@ static apr_status_t ssl_io_filter_output inctx->block = APR_BLOCK_READ; if ((status = ssl_io_filter_handshake(filter_ctx)) != APR_SUCCESS) { - return ssl_io_filter_error(f, bb, status); + return ssl_io_filter_error(inctx, bb, status); } while (!APR_BRIGADE_EMPTY(bb)) { debian/patches/wstunnel-ssl.patch0000644000000000000000000000163013376761111014322 0ustar Description: mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:" scheme. PR55320. Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1594625 Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=55320 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1445914 Last-Update: 2015-11-15 --- ./modules/proxy/mod_proxy_wstunnel.c 2013-06-13 10:09:31.000000000 -0500 +++ ./modules/proxy/mod_proxy_wstunnel.c 2013-11-11 15:58:51.000000000 -0600 @@ -315,9 +315,11 @@ conn_rec *c = r->connection; apr_pool_t *p = r->pool; apr_uri_t *uri; + int is_ssl = 0; if (strncasecmp(url, "wss:", 4) == 0) { scheme = "WSS"; + is_ssl = 1; } else if (strncasecmp(url, "ws:", 3) == 0) { scheme = "WS"; @@ -341,7 +343,7 @@ return status; } - backend->is_ssl = 0; + backend->is_ssl = is_ssl; backend->close = 0; retry = 0; debian/patches/suexec_is_shared.patch0000644000000000000000000000115613376761111015164 0ustar #! /bin/sh /usr/share/dpatch/dpatch-run ## 032_suexec_is_shared by Adam Conrad ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Patch to allow suEXEC as shared. @DPATCH@ --- a/os/unix/unixd.c +++ b/os/unix/unixd.c 
@@ -266,6 +266,10 @@ /* Check for suexec */ unixd_config.suexec_enabled = 0; + /* If mod_suexec isn't linked in, we shouldn't test for the binary */ + if (ap_find_linked_module("mod_suexec.c") == NULL) { + return; + } if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp)) != APR_SUCCESS) { return; debian/patches/CVE-2013-6438.patch0000644000000000000000000000147413376761111013254 0ustar Description: fix denial of service via mod_dav incorrect end of string calculation Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1556816 Index: apache2-2.4.7/modules/dav/main/util.c =================================================================== --- apache2-2.4.7.orig/modules/dav/main/util.c 2013-10-18 09:36:21.000000000 -0400 +++ apache2-2.4.7/modules/dav/main/util.c 2014-03-19 15:25:39.199862874 -0400 @@ -396,8 +396,10 @@ if (strip_white) { /* trim leading whitespace */ - while (apr_isspace(*cdata)) /* assume: return false for '\0' */ + while (apr_isspace(*cdata)) { /* assume: return false for '\0' */ ++cdata; + --len; + } /* trim trailing whitespace */ while (len-- > 0 && apr_isspace(cdata[len])) debian/patches/CVE-2017-15715.patch0000644000000000000000000001351713376761111013337 0ustar Description: fix incorrect matching Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1824472 Index: apache2-2.4.7/include/ap_regex.h =================================================================== --- apache2-2.4.7.orig/include/ap_regex.h 2018-04-18 11:12:18.062443920 -0400 +++ apache2-2.4.7/include/ap_regex.h 2018-04-18 11:12:42.646493851 -0400 @@ -77,6 +77,8 @@ extern "C" { #define AP_REG_NOMEM 0x20 /* nomem in our code */ #define AP_REG_DOTALL 0x40 /* perl's /s flag */ +#define AP_REG_DOLLAR_ENDONLY 0x200 /* '$' matches at end of subject string only */ + /* Error values: */ enum { AP_REG_ASSERT = 1, /** internal error ? */ 
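Review bot: The leading-whitespace loop in the modules/dav/main/util.c hunk still stops only on the character test, `while (apr_isspace(*cdata))`, and relies on the text being NUL-terminated, as its inline comment says. Now that `len` is decremented alongside `cdata`, the loop can be bounded by it as well: `while (len > 0 && apr_isspace(*cdata)) {`. That keeps `len` from wrapping or going negative if the data is ever not terminated where expected. The enclosing function starts and ends outside the hunk, so the type of `len` is not visible here.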
@@ -101,6 +103,26 @@ typedef struct { /* The functions */ /** + * Get default compile flags + * @return Bitwise OR of AP_REG_* flags + */ +AP_DECLARE(int) ap_regcomp_get_default_cflags(void); + +/** + * Set default compile flags + * @param cflags Bitwise OR of AP_REG_* flags + */ +AP_DECLARE(void) ap_regcomp_set_default_cflags(int cflags); + +/** + * Get the AP_REG_* corresponding to the string. + * @param name The name (i.e. AP_REG_) + * @return The AP_REG_*, or zero if the string is unknown + * + */ +AP_DECLARE(int) ap_regcomp_default_cflag_by_name(const char *name); + +/** * Compile a regular expression. * @param preg Returned compiled regex * @param regex The regular expression string Index: apache2-2.4.7/server/core.c =================================================================== --- apache2-2.4.7.orig/server/core.c 2018-04-18 11:12:18.062443920 -0400 +++ apache2-2.4.7/server/core.c 2018-04-18 11:12:18.062443920 -0400 @@ -48,6 +48,7 @@ #include "mod_core.h" #include "mod_proxy.h" #include "ap_listen.h" +#include "ap_regex.h" #include "mod_so.h" /* for ap_find_loaded_module_symbol */ 
@@ -2630,6 +2631,58 @@ static const char *virtualhost_section(c return errmsg; } +static const char *set_regex_default_options(cmd_parms *cmd, + void *dummy, + const char *arg) +{ + const command_rec *thiscmd = cmd->cmd; + int cflags, cflag; + + const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + if (err != NULL) { + return err; + } + + cflags = ap_regcomp_get_default_cflags(); + while (*arg) { + const char *name = ap_getword_conf(cmd->pool, &arg); + int how = 0; + + if (strcasecmp(name, "none") == 0) { + cflags = 0; + continue; + } + + if (*name == '+') { + name++; + how = +1; + } + else if (*name == '-') { + name++; + how = -1; + } + + cflag = ap_regcomp_default_cflag_by_name(name); + if (!cflag) { + return apr_psprintf(cmd->pool, "%s: option '%s' unknown", + thiscmd->name, name); + } + + if (how > 0) { + cflags |= cflag; + } + else if (how < 0) { + cflags &= ~cflag; + } + else { + cflags = cflag; + } + } + ap_regcomp_set_default_cflags(cflags); + + return NULL; +} + static const char *set_server_alias(cmd_parms *cmd, void *dummy, const char *arg) { @@ -4141,6 +4194,9 @@ AP_INIT_TAKE12("RLimitNPROC", no_set_lim OR_ALL, "soft/hard limits for max number of processes per uid"), #endif +AP_INIT_RAW_ARGS("RegexDefaultOptions", set_regex_default_options, NULL, RSRC_CONF, + "default options for regexes (prefixed by '+' to add, '-' to del)"), + /* internal recursion stopper */ AP_INIT_TAKE12("LimitInternalRecursion", set_recursion_limit, NULL, RSRC_CONF, "maximum recursion depth of internal redirects and subrequests"), 
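Review bot: In set_regex_default_options a bare option name takes the `how == 0` branch, `cflags = cflag;`, which discards every flag collected so far, including the `AP_REG_DOLLAR_ENDONLY` default that core_pre_config installs. A line such as `RegexDefaultOptions ICASE` therefore silently turns off the end-of-subject `$` matching that this patch introduces, and the `none` keyword does the same. The help string in the `AP_INIT_RAW_ARGS` entry and a comment on that branch should say so. Alternatively, log a notice when the final set no longer contains `AP_REG_DOLLAR_ENDONLY`. The `cflags |= default_cflags;` line in the ap_regcomp hunk is what makes this setting apply to every regex compiled afterwards.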
@@ -4541,6 +4597,8 @@ static int core_pre_config(apr_pool_t *p apr_pool_cleanup_register(pconf, NULL, reset_config_defines, apr_pool_cleanup_null); + ap_regcomp_set_default_cflags(AP_REG_DOLLAR_ENDONLY); + mpm_common_pre_config(pconf); return OK; Index: apache2-2.4.7/server/util_pcre.c =================================================================== --- apache2-2.4.7.orig/server/util_pcre.c 2018-04-18 11:12:18.062443920 -0400 +++ apache2-2.4.7/server/util_pcre.c 2018-04-18 11:12:18.062443920 -0400 @@ -110,6 +110,38 @@ AP_DECLARE(void) ap_regfree(ap_regex_t * * Compile a regular expression * *************************************************/ +static int default_cflags = AP_REG_DOLLAR_ENDONLY; + +AP_DECLARE(int) ap_regcomp_get_default_cflags(void) +{ + return default_cflags; +} + +AP_DECLARE(void) ap_regcomp_set_default_cflags(int cflags) +{ + default_cflags = cflags; +} + +AP_DECLARE(int) ap_regcomp_default_cflag_by_name(const char *name) +{ + int cflag = 0; + + if (ap_cstr_casecmp(name, "ICASE") == 0) { + cflag = AP_REG_ICASE; + } + else if (ap_cstr_casecmp(name, "DOTALL") == 0) { + cflag = AP_REG_DOTALL; + } + else if (ap_cstr_casecmp(name, "DOLLAR_ENDONLY") == 0) { + cflag = AP_REG_DOLLAR_ENDONLY; + } + else if (ap_cstr_casecmp(name, "EXTENDED") == 0) { + cflag = AP_REG_EXTENDED; + } + + return cflag; +} + /* * Arguments: * preg points to a structure for recording the compiled expression 
@@ -126,12 +158,15 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t * int errcode = 0; int options = 0; + cflags |= default_cflags; if ((cflags & AP_REG_ICASE) != 0) options |= PCRE_CASELESS; if ((cflags & AP_REG_NEWLINE) != 0) options |= PCRE_MULTILINE; if ((cflags & AP_REG_DOTALL) != 0) options |= PCRE_DOTALL; + if ((cflags & AP_REG_DOLLAR_ENDONLY) != 0) + options |= PCRE_DOLLAR_ENDONLY; preg->re_pcre = pcre_compile2(pattern, options, &errcode, &errorptr, &erroffset, NULL); debian/patches/customize_apxs.patch0000644000000000000000000002111213376761111014716 0ustar Description: Adapt apxs to Debian specific changes - Make apxs2 use a2enmod and /etc/apache2/mods-available - Make libtool happier - Use LDFLAGS from config_vars.mk, allow to override them Forwarded: not-needed Author: Stefan Fritsch Last-Update: 2012-03-17 --- a/support/apxs.in +++ b/support/apxs.in @@ -38,7 +38,7 @@ my $CFG_TARGET = get_vars("progname"); my $CFG_SYSCONFDIR = get_vars("sysconfdir"); my $CFG_CFLAGS = join ' ', map { get_vars($_) } - qw(SHLTCFLAGS CFLAGS NOTEST_CPPFLAGS EXTRA_CPPFLAGS EXTRA_CFLAGS); + qw(SHLTCFLAGS CFLAGS CPPFLAGS NOTEST_CPPFLAGS EXTRA_CPPFLAGS EXTRA_CFLAGS); my $CFG_LDFLAGS = join ' ', map { get_vars($_) } qw(LDFLAGS NOTEST_LDFLAGS SH_LDFLAGS); my $includedir = get_vars("includedir"); @@ -276,6 +276,7 @@ $data =~ s|%TARGET%|$CFG_TARGET|sg; $data =~ s|%PREFIX%|$prefix|sg; $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg; + $data =~ s|%DATADIR%|$datadir|sg; my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s); @@ -428,7 +429,7 @@ $la =~ s|\.c$|.la|; my $o = $s; $o =~ s|\.c$|.o|; - push(@cmds, "$libtool $ltflags --mode=compile $CFG_CC $cflags -I$CFG_INCLUDEDIR $apr_includedir $apu_includedir $opt -c -o $lo $s && touch $slo"); + push(@cmds, "$libtool $ltflags --mode=compile --tag=disable-static $CFG_CC $cflags -I$CFG_INCLUDEDIR $apr_includedir $apu_includedir $opt -c -o $lo $s && touch $slo"); unshift(@objs, $lo); } 
@@ -469,7 +470,7 @@ $opt .= " -rpath $CFG_LIBEXECDIR -module -avoid-version $apr_ldflags"; } - push(@cmds, "$libtool $ltflags --mode=link $CFG_CC $ldflags -o $dso_file $opt $lo"); + push(@cmds, "$libtool $ltflags --mode=link --tag=disable-static $CFG_CC $ldflags -o $dso_file $opt $lo"); # execute the commands &execute_cmds(@cmds); @@ -503,7 +504,7 @@ if ($opt_i) { push(@cmds, "$installbuilddir/instdso.sh SH_LIBTOOL='" . "$libtool' $f $CFG_LIBEXECDIR"); - push(@cmds, "chmod 755 $CFG_LIBEXECDIR/$t"); + push(@cmds, "chmod 644 $CFG_LIBEXECDIR/$t"); } # determine module symbolname and filename @@ -539,10 +540,11 @@ $filename = "mod_${name}.c"; } my $dir = $CFG_LIBEXECDIR; - $dir =~ s|^$CFG_PREFIX/?||; + # Debian doesn't have a CFG_PREFIX, so this stuffs up: + # $dir =~ s|^$CFG_PREFIX/?||; $dir =~ s|(.)$|$1/|; $t =~ s|\.la$|.so|; - push(@lmd, sprintf("LoadModule %-18s %s", "${name}_module", "$dir$t")); + push(@lmd, [ $name, sprintf("LoadModule %-18s %s", "${name}_module", "$dir$t") ] ); } # execute the commands 
@@ -550,108 +552,35 @@ # activate module via LoadModule/AddModule directive if ($opt_a or $opt_A) { - if (not -f "$CFG_SYSCONFDIR/$CFG_TARGET.conf") { - error("Config file $CFG_SYSCONFDIR/$CFG_TARGET.conf not found"); + if (not -d "$CFG_SYSCONFDIR/mods-available") { + error("Config file $CFG_SYSCONFDIR/mods-available not found"); exit(1); } - open(FP, "<$CFG_SYSCONFDIR/$CFG_TARGET.conf") || die; - my $content = join('', ); - close(FP); - - if ($content !~ m|\n#?\s*LoadModule\s+|) { - error("Activation failed for custom $CFG_SYSCONFDIR/$CFG_TARGET.conf file."); - error("At least one `LoadModule' directive already has to exist."); - exit(1); - } - - my $lmd; - my $c = ''; - $c = '#' if ($opt_A); - foreach $lmd (@lmd) { - my $what = $opt_A ? "preparing" : "activating"; - my $lmd_re = $lmd; - $lmd_re =~ s/\s+/\\s+/g; - - if ($content !~ m|\n#?\s*$lmd_re|) { - # check for open , so that the new LoadModule - # directive always appears *outside* of an . - - my $before = ($content =~ m|^(.*\n)#?\s*LoadModule\s+[^\n]+\n|s)[0]; - - # the '()=' trick forces list context and the scalar - # assignment counts the number of list members (aka number - # of matches) then - my $cntopen = () = ($before =~ m|^\s*<[^/].*$|mg); - my $cntclose = () = ($before =~ m|^\s*$filename") || die; + print FP "$lmd\n"; + close(FP); + + if ($opt_a) { + my $cmd = "a2enmod $name"; + if (system($cmd) != 0) { + die "'$cmd' failed\n"; } - } else { - # replace already existing LoadModule line - $content =~ s|^(.*\n)#?\s*$lmd_re[^\n]*\n|$1$c$lmd\n|s; - } - $lmd =~ m|LoadModule\s+(.+?)_module.*|; - notice("[$what module `$1' in $CFG_SYSCONFDIR/$CFG_TARGET.conf]"); - } - if (@lmd) { - if (open(FP, ">$CFG_SYSCONFDIR/$CFG_TARGET.conf.new")) { - print FP $content; - close(FP); - system("cp $CFG_SYSCONFDIR/$CFG_TARGET.conf $CFG_SYSCONFDIR/$CFG_TARGET.conf.bak && " . - "cp $CFG_SYSCONFDIR/$CFG_TARGET.conf.new $CFG_SYSCONFDIR/$CFG_TARGET.conf && " . 
- "rm $CFG_SYSCONFDIR/$CFG_TARGET.conf.new"); - } else { - notice("unable to open configuration file"); } - } + + } } } @@ -671,8 +600,8 @@ ## builddir=. -top_srcdir=%PREFIX% -top_builddir=%PREFIX% +top_srcdir=%DATADIR% +top_builddir=%DATADIR% include %INSTALLBUILDDIR%/special.mk # the used tools debian/patches/AuthzProviderAlias-visibility.patch0000644000000000000000000000227613376761111017620 0ustar Description: Fix AuthzProviderAlias's visibility Allow 'es to be seen from auth stanzas under virtual hosts Origin: https://github.com/apache/httpd/commit/4f06dd51b464b66f956ae577f068b16486d3920b Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=56870 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1529355 Last-Update: 2018-11-23 --- a/modules/aaa/mod_authz_core.c +++ b/modules/aaa/mod_authz_core.c @@ -168,6 +168,13 @@ return (void*)conf; } +/* Only per-server directive we have is GLOBAL_ONLY */ +static void *merge_authz_core_svr_config(apr_pool_t *p, + void *basev, void *newv) +{ + return basev; +} + static void *create_authz_core_svr_config(apr_pool_t *p, server_rec *s) { authz_core_srv_conf *authcfg; 
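Review bot: The activation step builds the command as a single string, `my $cmd = "a2enmod $name";`, and passes it to `system($cmd)`, so the module name is parsed by a shell. `$name` is derived from the module file name earlier in apxs, outside this hunk. Passing it as a separate argument, `system("a2enmod", $name) == 0 or die "a2enmod $name failed\n";`, avoids shell interpretation and needs no quoting. Some lines of this hunk appear damaged on the page, so this note covers only the lines that are intact.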
@@ -1140,7 +1147,7 @@ create_authz_core_dir_config, /* dir config creater */ merge_authz_core_dir_config, /* dir merger */ create_authz_core_svr_config, /* server config */ - NULL, /* merge server config */ + merge_authz_core_svr_config , /* merge server config */ authz_cmds, register_hooks /* register hooks */ }; debian/patches/server_config_defines.patch0000644000000000000000000000151413376761111016175 0ustar Description: core: Fix -D[efined] or [d] variables lifetime accross restarts. This could cause all kinds of strange behavior. PR 56008. PR 57328. Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1651083 Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=57328 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1504354 Last-Update: 2015-10-08 Index: apache2-2.4.7/server/core.c =================================================================== --- apache2-2.4.7.orig/server/core.c 2015-10-08 19:14:34.103217971 -0400 +++ apache2-2.4.7/server/core.c 2015-10-08 19:14:34.099217896 -0400 @@ -1270,6 +1270,7 @@ static int reset_config_defines(void *dummy) { ap_server_config_defines = saved_server_config_defines; + saved_server_config_defines = NULL; server_config_defined_vars = NULL; return OK; } debian/patches/build_suexec-custom.patch0000644000000000000000000000367513376761111015642 0ustar Description: add suexec-custom to the build system Forwarded: not-needed Author: Stefan Fritsch Last-Update: 2012-02-25 --- a/Makefile.in +++ b/Makefile.in 
@@ -239,14 +239,16 @@ fi install-suexec: - @if test -f $(builddir)/support/suexec; then \ + @if test -f $(builddir)/support/suexec-pristine && test -f $(builddir)/support/suexec-custom; then \ test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \ - $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \ - chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ + $(INSTALL_PROGRAM) $(top_builddir)/support/suexec-pristine $(DESTDIR)$(sbindir); \ + chmod 4755 $(DESTDIR)$(sbindir)/suexec-pristine; \ + $(INSTALL_PROGRAM) $(top_builddir)/support/suexec-custom $(DESTDIR)$(sbindir); \ + chmod 4755 $(DESTDIR)$(sbindir)/suexec-custom; \ fi suexec: - cd support && $(MAKE) suexec + cd support && $(MAKE) suexec-pristine suexec-custom x-local-distclean: @rm -rf autom4te.cache --- a/support/Makefile.in +++ b/support/Makefile.in @@ -1,7 +1,7 @@ DISTCLEAN_TARGETS = apxs apachectl dbmmanage log_server_status \ logresolve.pl phf_abuse_log.cgi split-logfile envvars-std -CLEAN_TARGETS = suexec +CLEAN_TARGETS = suexec-pristine suexec-custom bin_PROGRAMS = htpasswd htdigest htdbm ab logresolve httxt2dbm sbin_PROGRAMS = htcacheclean rotatelogs $(NONPORTABLE_SUPPORT) @@ -72,9 +72,13 @@ checkgid: $(checkgid_OBJECTS) $(LINK) $(checkgid_LTFLAGS) $(checkgid_OBJECTS) $(PROGRAM_LDADD) -suexec_OBJECTS = suexec.lo -suexec: $(suexec_OBJECTS) - $(LINK) $(suexec_OBJECTS) +suexec-pristine_OBJECTS = suexec.lo +suexec-pristine: $(suexec-pristine_OBJECTS) + $(LINK) $(suexec-pristine_OBJECTS) + +suexec-custom_OBJECTS = suexec-custom.lo +suexec-custom: $(suexec-custom_OBJECTS) + $(LINK) $(suexec-custom_OBJECTS) htcacheclean_OBJECTS = htcacheclean.lo htcacheclean: $(htcacheclean_OBJECTS) debian/patches/CVE-2014-3581.patch0000644000000000000000000000276713376761111013257 0ustar Backport of: From c164ca7383d5f204915d85a5826655d3f1557148 Mon Sep 17 00:00:00 2001 
From: Jim Jagielski Date: Fri, 26 Sep 2014 11:00:14 +0000 Subject: [PATCH] Merge r1624234 from trunk: SECURITY (CVE-2014-3581): Fix a mod_cache NULL pointer deference in Content-Type handling. mod_cache: Avoid a crash when Content-Type has an empty value. PR56924. Submitted By: Mark Montague Reviewed By: Jan Kaluza Submitted by: jkaluza Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1627749 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ STATUS | 5 ----- modules/cache/cache_util.c | 6 ++++-- 3 files changed, 8 insertions(+), 7 deletions(-) Index: apache2-2.4.7/modules/cache/cache_util.c =================================================================== --- apache2-2.4.7.orig/modules/cache/cache_util.c 2015-03-05 12:36:22.668840232 -0500 +++ apache2-2.4.7/modules/cache/cache_util.c 2015-03-05 12:37:06.393173138 -0500 @@ -1251,8 +1251,10 @@ if (!apr_table_get(headers_out, "Content-Type") && r->content_type) { - apr_table_setn(headers_out, "Content-Type", - ap_make_content_type(r, r->content_type)); + const char *ctype = ap_make_content_type(r, r->content_type); + if (ctype) { + apr_table_setn(headers_out, "Content-Type", ctype); + } } if (!apr_table_get(headers_out, "Content-Encoding") debian/patches/no_LD_LIBRARY_PATH.patch0000644000000000000000000000067413376761111014646 0ustar Description: Remove LD_LIBRARY_PATH from envvars-std Forwarded: no Author: Adam Conrad Last-Update: 2012-04-15 --- a/support/envvars-std.in +++ b/support/envvars-std.in 
@@ -18,11 +18,4 @@ # # This file is generated from envvars-std.in # -if test "x$@SHLIBPATH_VAR@" != "x" ; then - @SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@" -else - @SHLIBPATH_VAR@="@exp_libdir@" -fi -export @SHLIBPATH_VAR@ -# @OS_SPECIFIC_VARS@ debian/patches/CVE-2018-1303.patch0000644000000000000000000000163013376761111013235 0ustar Description: fix mod_cache_socache DoS Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1824475 Index: apache2-2.4.7/modules/cache/mod_cache_socache.c =================================================================== --- apache2-2.4.7.orig/modules/cache/mod_cache_socache.c 2018-04-18 11:13:26.222582396 -0400 +++ apache2-2.4.7/modules/cache/mod_cache_socache.c 2018-04-18 11:13:26.214582380 -0400 @@ -212,7 +212,8 @@ static apr_status_t read_table(cache_han "Premature end of cache headers."); return APR_EGENERAL; } - while (apr_isspace(buffer[colon])) { + /* Do not go past the \r from above as apr_isspace('\r') is true */ + while (apr_isspace(buffer[colon]) && (colon < *slider)) { colon++; } apr_table_addn(table, apr_pstrndup(r->pool, (const char *) buffer debian/patches/CVE-2019-0217.patch0000644000000000000000000001260113451141504013231 0ustar From 44b3ddc560c490c60600998fa2bf59b142d08e05 Mon Sep 17 00:00:00 2001 
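Review bot: In the modules/cache/mod_cache_socache.c hunk the new bound is tested after the read: `while (apr_isspace(buffer[colon]) && (colon < *slider))` evaluates `buffer[colon]` first. That is harmless as long as `*slider` always indexes the '\r' found just above, which the added comment implies. Putting the bound first, `while ((colon < *slider) && apr_isspace(buffer[colon])) {`, makes the loop safe without depending on that. read_table continues outside the hunk.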
From: Joe Orton Date: Tue, 12 Mar 2019 09:24:26 +0000 Subject: [PATCH] Merge r1853190 from trunk: Fix a race condition. Authentication with valid credentials could be refused in case of concurrent accesses from different users. PR: 63124 Submitted by: Simon Kappel Reviewed by: jailletc36, icing, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855298 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ modules/aaa/mod_auth_digest.c | 26 ++++++++++++-------------- 2 files changed, 16 insertions(+), 14 deletions(-) #diff --git a/CHANGES b/CHANGES #index 08fc740db30..e79251389d5 100644 #--- a/CHANGES #+++ b/CHANGES #@@ -1,6 +1,10 @@ # -*- coding: utf-8 -*- # Changes with Apache 2.4.39 # #+ *) mod_auth_digest: Fix a race condition. Authentication with valid #+ credentials could be refused in case of concurrent accesses from #+ different users. PR 63124. [Simon Kappel ] #+ # *) mod_proxy_wstunnel: Fix websocket proxy over UDS. # PR 62932 # Index: apache2-2.4.18/modules/aaa/mod_auth_digest.c =================================================================== --- apache2-2.4.18.orig/modules/aaa/mod_auth_digest.c 2019-04-03 09:34:24.262712809 -0400 +++ apache2-2.4.18/modules/aaa/mod_auth_digest.c 2019-04-03 09:34:24.262712809 -0400 @@ -92,7 +92,6 @@ typedef struct digest_config_struct { int check_nc; const char *algorithm; char *uri_list; - const char *ha1; } digest_config_rec; @@ -153,6 +152,7 @@ typedef struct digest_header_struct { apr_time_t nonce_time; enum hdr_sts auth_hdr_sts; int needed_auth; + const char *ha1; client_entry *client; } digest_header_rec; @@ -1295,7 +1295,7 @@ static int hook_note_digest_auth_failure */ static authn_status get_hash(request_rec *r, const char *user, - digest_config_rec *conf) + digest_config_rec *conf, const char **rethash) { authn_status auth_result; char *password; 
@@ -1347,7 +1347,7 @@ static authn_status get_hash(request_rec } while (current_provider); if (auth_result == AUTH_USER_FOUND) { - conf->ha1 = password; + *rethash = password; } return auth_result; @@ -1474,25 +1474,24 @@ static int check_nonce(request_rec *r, d /* RFC-2069 */ static const char *old_digest(const request_rec *r, - const digest_header_rec *resp, const char *ha1) + const digest_header_rec *resp) { const char *ha2; ha2 = ap_md5(r->pool, (unsigned char *)apr_pstrcat(r->pool, resp->method, ":", resp->uri, NULL)); return ap_md5(r->pool, - (unsigned char *)apr_pstrcat(r->pool, ha1, ":", resp->nonce, - ":", ha2, NULL)); + (unsigned char *)apr_pstrcat(r->pool, resp->ha1, ":", + resp->nonce, ":", ha2, NULL)); } /* RFC-2617 */ static const char *new_digest(const request_rec *r, - digest_header_rec *resp, - const digest_config_rec *conf) + digest_header_rec *resp) { const char *ha1, *ha2, *a2; - ha1 = conf->ha1; + ha1 = resp->ha1; a2 = apr_pstrcat(r->pool, resp->method, ":", resp->uri, NULL); ha2 = ap_md5(r->pool, (const unsigned char *)a2); @@ -1505,7 +1504,6 @@ static const char *new_digest(const requ NULL)); } - static void copy_uri_components(apr_uri_t *dst, apr_uri_t *src, request_rec *r) { if (src->scheme && src->scheme[0] != '\0') { @@ -1750,7 +1748,7 @@ static int authenticate_digest_user(requ return HTTP_UNAUTHORIZED; } - return_code = get_hash(r, r->user, conf); + return_code = get_hash(r, r->user, conf, &resp->ha1); if (return_code == AUTH_USER_NOT_FOUND) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01790) @@ -1780,7 +1778,7 @@ static int authenticate_digest_user(requ if (resp->message_qop == NULL) { /* old (rfc-2069) style digest */ - if (strcmp(resp->digest, old_digest(r, resp, conf->ha1))) { + if (strcmp(resp->digest, old_digest(r, resp))) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01792) "user %s: password mismatch: %s", r->user, r->uri); 
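Review bot: `*rethash` in get_hash is written only on the `AUTH_USER_FOUND` path, so on every other return the caller's `resp->ha1` keeps whatever value it had before the call. The later readers changed by this patch (`old_digest`, `new_digest`, `add_auth_info`) use `resp->ha1` without a NULL check, which is safe only if they are reached after a successful lookup; that is presumably the case but is not visible here. I would state the contract in the function's header comment, e.g. `/* On AUTH_USER_FOUND *rethash points at the stored HA1; otherwise it is left untouched. */`. get_hash begins outside this hunk.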
@@ -1810,7 +1808,7 @@ static int authenticate_digest_user(requ return HTTP_UNAUTHORIZED; } - exp_digest = new_digest(r, resp, conf); + exp_digest = new_digest(r, resp); if (!exp_digest) { /* we failed to allocate a client struct */ return HTTP_INTERNAL_SERVER_ERROR; @@ -1894,7 +1892,7 @@ static int add_auth_info(request_rec *r) /* calculate rspauth attribute */ - ha1 = conf->ha1; + ha1 = resp->ha1; a2 = apr_pstrcat(r->pool, ":", resp->uri, NULL); ha2 = ap_md5(r->pool, (const unsigned char *)a2); debian/patches/CVE-2016-0736.patch0000644000000000000000000003023613376761111013250 0ustar Description: fix mod_sessioncrypto padding oracle attack issue Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1772925 Index: apache2-2.4.18/modules/session/mod_session_crypto.c =================================================================== --- apache2-2.4.18.orig/modules/session/mod_session_crypto.c 2013-12-26 13:08:28.000000000 -0500 +++ apache2-2.4.18/modules/session/mod_session_crypto.c 2017-05-05 11:26:17.486810327 -0400 @@ -18,6 +18,7 @@ #include "apu_version.h" #include "apr_base64.h" /* for apr_base64_decode et al */ #include "apr_lib.h" +#include "apr_md5.h" #include "apr_strings.h" #include "http_log.h" #include "http_core.h" 
@@ -57,6 +58,146 @@ typedef struct { int library_set; } session_crypto_conf; +/* Wrappers around apr_siphash24() and apr_crypto_equals(), + * available in APU-1.6/APR-2.0 only. + */ +#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 6) + +#include "apr_siphash.h" + +#define AP_SIPHASH_DSIZE APR_SIPHASH_DSIZE +#define AP_SIPHASH_KSIZE APR_SIPHASH_KSIZE +#define ap_siphash24_auth apr_siphash24_auth + +#define ap_crypto_equals apr_crypto_equals + +#else + +#define AP_SIPHASH_DSIZE 8 +#define AP_SIPHASH_KSIZE 16 + +#define ROTL64(x, n) (((x) << (n)) | ((x) >> (64 - (n)))) + +#define U8TO64_LE(p) \ + (((apr_uint64_t)((p)[0]) ) | \ + ((apr_uint64_t)((p)[1]) << 8) | \ + ((apr_uint64_t)((p)[2]) << 16) | \ + ((apr_uint64_t)((p)[3]) << 24) | \ + ((apr_uint64_t)((p)[4]) << 32) | \ + ((apr_uint64_t)((p)[5]) << 40) | \ + ((apr_uint64_t)((p)[6]) << 48) | \ + ((apr_uint64_t)((p)[7]) << 56)) + +#define U64TO8_LE(p, v) \ +do { \ + (p)[0] = (unsigned char)((v) ); \ + (p)[1] = (unsigned char)((v) >> 8); \ + (p)[2] = (unsigned char)((v) >> 16); \ + (p)[3] = (unsigned char)((v) >> 24); \ + (p)[4] = (unsigned char)((v) >> 32); \ + (p)[5] = (unsigned char)((v) >> 40); \ + (p)[6] = (unsigned char)((v) >> 48); \ + (p)[7] = (unsigned char)((v) >> 56); \ +} while (0) + +#define SIPROUND() \ +do { \ + v0 += v1; v1=ROTL64(v1,13); v1 ^= v0; v0=ROTL64(v0,32); \ + v2 += v3; v3=ROTL64(v3,16); v3 ^= v2; \ + v0 += v3; v3=ROTL64(v3,21); v3 ^= v0; \ + v2 += v1; v1=ROTL64(v1,17); v1 ^= v2; v2=ROTL64(v2,32); \ +} while(0) + +static apr_uint64_t ap_siphash24(const void *src, apr_size_t len, + const unsigned char key[AP_SIPHASH_KSIZE]) +{ + const unsigned char *ptr, *end; + apr_uint64_t v0, v1, v2, v3, m; + apr_uint64_t k0, k1; + unsigned int rem; + + k0 = U8TO64_LE(key + 0); + k1 = U8TO64_LE(key + 8); + v3 = k1 ^ (apr_uint64_t)0x7465646279746573ULL; + v2 = k0 ^ (apr_uint64_t)0x6c7967656e657261ULL; + v1 = k1 ^ (apr_uint64_t)0x646f72616e646f6dULL; + v0 = k0 ^ 
(apr_uint64_t)0x736f6d6570736575ULL; + + rem = (unsigned int)(len & 0x7); + for (ptr = src, end = ptr + len - rem; ptr < end; ptr += 8) { + m = U8TO64_LE(ptr); + v3 ^= m; + SIPROUND(); + SIPROUND(); + v0 ^= m; + } + m = (apr_uint64_t)(len & 0xff) << 56; + switch (rem) { + case 7: m |= (apr_uint64_t)ptr[6] << 48; + case 6: m |= (apr_uint64_t)ptr[5] << 40; + case 5: m |= (apr_uint64_t)ptr[4] << 32; + case 4: m |= (apr_uint64_t)ptr[3] << 24; + case 3: m |= (apr_uint64_t)ptr[2] << 16; + case 2: m |= (apr_uint64_t)ptr[1] << 8; + case 1: m |= (apr_uint64_t)ptr[0]; + case 0: break; + } + v3 ^= m; + SIPROUND(); + SIPROUND(); + v0 ^= m; + + v2 ^= 0xff; + SIPROUND(); + SIPROUND(); + SIPROUND(); + SIPROUND(); + + return v0 ^ v1 ^ v2 ^ v3; +} + +static void ap_siphash24_auth(unsigned char out[AP_SIPHASH_DSIZE], + const void *src, apr_size_t len, + const unsigned char key[AP_SIPHASH_KSIZE]) +{ + apr_uint64_t h; + h = ap_siphash24(src, len, key); + U64TO8_LE(out, h); +} + +static int ap_crypto_equals(const void *buf1, const void *buf2, + apr_size_t size) +{ + const unsigned char *p1 = buf1; + const unsigned char *p2 = buf2; + unsigned char diff = 0; + apr_size_t i; + + for (i = 0; i < size; ++i) { + diff |= p1[i] ^ p2[i]; + } + + return 1 & ((diff - 1) >> 8); +} + +#endif + +static void compute_auth(const void *src, apr_size_t len, + const char *passphrase, apr_size_t passlen, + unsigned char auth[AP_SIPHASH_DSIZE]) +{ + unsigned char key[APR_MD5_DIGESTSIZE]; + + /* XXX: if we had a way to get the raw bytes from an apr_crypto_key_t + * we could use them directly (not available in APR-1.5.x). + * MD5 is 128bit too, so use it to get a suitable siphash key + * from the passphrase. + */ + apr_md5(key, passphrase, passlen); + + ap_siphash24_auth(auth, src, len, key); +} + /** * Initialise the encryption as per the current config. * 
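Review bot: compute_auth derives the SipHash key as a single unsalted `apr_md5()` of the passphrase, so the MAC key is neither stretched nor salted. The cipher key from the same passphrase goes through `apr_crypto_passphrase` with a per-cookie salt and 4096 iterations (see encrypt_string later in this patch), so the `AP_SIPHASH_DSIZE`-byte tag is protected only by the entropy of the passphrase itself. The existing XXX comment explains why MD5 is used but not this consequence. I would extend it with something like `/* NOTE: the MAC key is not stretched or salted; the configured passphrase must be high-entropy. */`.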
@@ -128,21 +269,14 @@ static apr_status_t encrypt_string(reque apr_crypto_block_t *block = NULL; unsigned char *encrypt = NULL; unsigned char *combined = NULL; - apr_size_t encryptlen, tlen; + apr_size_t encryptlen, tlen, combinedlen; char *base64; apr_size_t blockSize = 0; const unsigned char *iv = NULL; apr_uuid_t salt; apr_crypto_block_key_type_e *cipher; const char *passphrase; - - /* by default, return an empty string */ - *out = ""; - - /* don't attempt to encrypt an empty string, trying to do so causes a segfault */ - if (!in || !*in) { - return APR_SUCCESS; - } + apr_size_t passlen; /* use a uuid as a salt value, and prepend it to our result */ apr_uuid_get(&salt); @@ -152,9 +286,9 @@ static apr_status_t encrypt_string(reque } /* encrypt using the first passphrase in the list */ - passphrase = APR_ARRAY_IDX(dconf->passphrases, 0, char *); - res = apr_crypto_passphrase(&key, &ivSize, passphrase, - strlen(passphrase), + passphrase = APR_ARRAY_IDX(dconf->passphrases, 0, const char *); + passlen = strlen(passphrase); + res = apr_crypto_passphrase(&key, &ivSize, passphrase, passlen, (unsigned char *) (&salt), sizeof(apr_uuid_t), *cipher, APR_MODE_CBC, 1, 4096, f, r->pool); if (APR_STATUS_IS_ENOKEY(res)) { @@ -183,8 +317,9 @@ static apr_status_t encrypt_string(reque } /* encrypt the given string */ - res = apr_crypto_block_encrypt(&encrypt, &encryptlen, (unsigned char *)in, - strlen(in), block); + res = apr_crypto_block_encrypt(&encrypt, &encryptlen, + (const unsigned char *)in, strlen(in), + block); if (APR_SUCCESS != res) { ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, APLOGNO(01830) "apr_crypto_block_encrypt failed"); 
@@ -198,18 +333,20 @@ static apr_status_t encrypt_string(reque } encryptlen += tlen; - /* prepend the salt and the iv to the result */ - combined = apr_palloc(r->pool, ivSize + encryptlen + sizeof(apr_uuid_t)); - memcpy(combined, &salt, sizeof(apr_uuid_t)); - memcpy(combined + sizeof(apr_uuid_t), iv, ivSize); - memcpy(combined + sizeof(apr_uuid_t) + ivSize, encrypt, encryptlen); - - /* base64 encode the result */ - base64 = apr_palloc(r->pool, apr_base64_encode_len(ivSize + encryptlen + - sizeof(apr_uuid_t) + 1) - * sizeof(char)); - apr_base64_encode(base64, (const char *) combined, - ivSize + encryptlen + sizeof(apr_uuid_t)); + /* prepend the salt and the iv to the result (keep room for the MAC) */ + combinedlen = AP_SIPHASH_DSIZE + sizeof(apr_uuid_t) + ivSize + encryptlen; + combined = apr_palloc(r->pool, combinedlen); + memcpy(combined + AP_SIPHASH_DSIZE, &salt, sizeof(apr_uuid_t)); + memcpy(combined + AP_SIPHASH_DSIZE + sizeof(apr_uuid_t), iv, ivSize); + memcpy(combined + AP_SIPHASH_DSIZE + sizeof(apr_uuid_t) + ivSize, + encrypt, encryptlen); + /* authenticate the whole salt+IV+ciphertext with a leading MAC */ + compute_auth(combined + AP_SIPHASH_DSIZE, combinedlen - AP_SIPHASH_DSIZE, + passphrase, passlen, combined); + + /* base64 encode the result (APR handles the trailing '\0') */ + base64 = apr_palloc(r->pool, apr_base64_encode_len(combinedlen)); + apr_base64_encode(base64, (const char *) combined, combinedlen); *out = base64; return res; @@ -234,6 +371,7 @@ static apr_status_t decrypt_string(reque char *decoded; apr_size_t blockSize = 0; apr_crypto_block_key_type_e *cipher; + unsigned char auth[AP_SIPHASH_DSIZE]; int i = 0; /* strip base64 from the string */ 
@@ -241,6 +379,13 @@ static apr_status_t decrypt_string(reque decodedlen = apr_base64_decode(decoded, in); decoded[decodedlen] = '\0'; + /* sanity check - decoded too short? */ + if (decodedlen < (AP_SIPHASH_DSIZE + sizeof(apr_uuid_t))) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, APLOGNO() + "too short to decrypt, aborting"); + return APR_ECRYPT; + } + res = crypt_init(r, f, &cipher, dconf); if (res != APR_SUCCESS) { return res; @@ -249,14 +394,25 @@ static apr_status_t decrypt_string(reque /* try each passphrase in turn */ for (; i < dconf->passphrases->nelts; i++) { const char *passphrase = APR_ARRAY_IDX(dconf->passphrases, i, char *); - apr_size_t len = decodedlen; - char *slider = decoded; + apr_size_t passlen = strlen(passphrase); + apr_size_t len = decodedlen - AP_SIPHASH_DSIZE; + unsigned char *slider = (unsigned char *)decoded + AP_SIPHASH_DSIZE; + + /* Verify authentication of the whole salt+IV+ciphertext by computing + * the MAC and comparing it (timing safe) with the one in the payload. + */ + compute_auth(slider, len, passphrase, passlen, auth); + if (!ap_crypto_equals(auth, decoded, AP_SIPHASH_DSIZE)) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, res, r, APLOGNO() + "auth does not match, skipping"); + continue; + } /* encrypt using the first passphrase in the list */ - res = apr_crypto_passphrase(&key, &ivSize, passphrase, - strlen(passphrase), - (unsigned char *)decoded, sizeof(apr_uuid_t), - *cipher, APR_MODE_CBC, 1, 4096, f, r->pool); + res = apr_crypto_passphrase(&key, &ivSize, passphrase, passlen, + slider, sizeof(apr_uuid_t), + *cipher, APR_MODE_CBC, 1, 4096, + f, r->pool); if (APR_STATUS_IS_ENOKEY(res)) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, res, r, APLOGNO(01832) "the passphrase '%s' was empty", passphrase); 
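Review bot: The new `ap_log_rerror` call for "too short to decrypt, aborting" uses an empty `APLOGNO()`, and so does the "auth does not match, skipping" message in the next hunk, so both are logged without a unique message number. That makes the two rejection paths added by this fix harder to match in log searches and alerting than the neighbouring messages, which carry numbers such as `APLOGNO(01832)`. Fill both with numbers from the project's allocation, e.g. `APLOGNO(<assigned-number>)`.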
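Review bot: When the MAC check fails, the loop does `continue` without assigning `res`, so if no passphrase matches, `res` still holds the `APR_SUCCESS` returned by `crypt_init` in the previous hunk. The code after the loop is outside this hunk; unless it resets the status, a cookie with a bad tag would make decrypt_string return success without setting `*out`. Adding `res = APR_ECRYPT;` immediately before `continue;` makes the failure explicit. The same log call also passes the stale `res` as its status argument.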
@@ -279,7 +435,7 @@ static apr_status_t decrypt_string(reque } /* sanity check - decoded too short? */ - if (decodedlen < (sizeof(apr_uuid_t) + ivSize)) { + if (len < (sizeof(apr_uuid_t) + ivSize)) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, APLOGNO(01836) "too short to decrypt, skipping"); res = APR_ECRYPT; @@ -290,8 +446,8 @@ static apr_status_t decrypt_string(reque slider += sizeof(apr_uuid_t); len -= sizeof(apr_uuid_t); - res = apr_crypto_block_decrypt_init(&block, &blockSize, (unsigned char *)slider, key, - r->pool); + res = apr_crypto_block_decrypt_init(&block, &blockSize, slider, key, + r->pool); if (APR_SUCCESS != res) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, res, r, APLOGNO(01837) "apr_crypto_block_decrypt_init failed"); @@ -304,7 +460,7 @@ static apr_status_t decrypt_string(reque /* decrypt the given string */ res = apr_crypto_block_decrypt(&decrypted, &decryptedlen, - (unsigned char *)slider, len, block); + slider, len, block); if (res) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, res, r, APLOGNO(01838) "apr_crypto_block_decrypt failed"); debian/patches/CVE-2015-3185.patch0000644000000000000000000001467513376761111013261 0ustar Description: fix access restriction bypass via deprecated API Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1684525 Index: apache2-2.4.7/include/http_request.h =================================================================== --- apache2-2.4.7.orig/include/http_request.h 2015-07-24 12:44:04.262021348 -0400 +++ apache2-2.4.7/include/http_request.h 2015-07-24 12:44:04.262021348 -0400 @@ -185,6 +185,8 @@ * is required for the current request * @param r The current request * @return 1 if authentication is required, 0 otherwise + * @bug Behavior changed in 2.4.x refactoring, API no longer usable + * @deprecated @see ap_some_authn_required() */ AP_DECLARE(int) ap_some_auth_required(request_rec *r); 
@@ -539,6 +541,16 @@ AP_DECLARE_HOOK(int,post_perdir_config,(request_rec *r)) /** + * This hook allows a module to force authn to be required when + * processing a request. + * This hook should be registered with ap_hook_force_authn(). + * @param r The current request + * @return OK (force authn), DECLINED (let later modules decide) + * @ingroup hooks + */ +AP_DECLARE_HOOK(int,force_authn,(request_rec *r)) + +/** * This hook allows modules to handle/emulate the apr_stat() calls * needed for directory walk. * @param r The current request @@ -582,6 +594,17 @@ AP_DECLARE(apr_bucket *) ap_bucket_eor_create(apr_bucket_alloc_t *list, request_rec *r); +/** + * Can be used within any handler to determine if any authentication + * is required for the current request. Note that if used with an + * access_checker hook, an access_checker_ex hook or an authz provider; the + * caller should take steps to avoid a loop since this function is + * implemented by calling these hooks. + * @param r The current request + * @return TRUE if authentication is required, FALSE otherwise + */ +AP_DECLARE(int) ap_some_authn_required(request_rec *r); + #ifdef __cplusplus } #endif Index: apache2-2.4.7/server/request.c =================================================================== --- apache2-2.4.7.orig/server/request.c 2015-07-24 12:44:04.262021348 -0400 +++ apache2-2.4.7/server/request.c 2015-07-24 12:44:04.262021348 -0400 @@ -71,6 +71,7 @@ APR_HOOK_LINK(create_request) APR_HOOK_LINK(post_perdir_config) APR_HOOK_LINK(dirwalk_stat) + APR_HOOK_LINK(force_authn) ) AP_IMPLEMENT_HOOK_RUN_FIRST(int,translate_name, @@ -97,6 +98,8 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(apr_status_t,dirwalk_stat, (apr_finfo_t *finfo, request_rec *r, apr_int32_t wanted), (finfo, r, wanted), AP_DECLINED) +AP_IMPLEMENT_HOOK_RUN_FIRST(int,force_authn, + (request_rec *r), (r), DECLINED) static int auth_internal_per_conf = 0; static int auth_internal_per_conf_hooks = 0; 
@@ -118,6 +121,39 @@ } } +AP_DECLARE(int) ap_some_authn_required(request_rec *r) +{ + int access_status; + + switch (ap_satisfies(r)) { + case SATISFY_ALL: + case SATISFY_NOSPEC: + if ((access_status = ap_run_access_checker(r)) != OK) { + break; + } + + access_status = ap_run_access_checker_ex(r); + if (access_status == DECLINED) { + return TRUE; + } + + break; + case SATISFY_ANY: + if ((access_status = ap_run_access_checker(r)) == OK) { + break; + } + + access_status = ap_run_access_checker_ex(r); + if (access_status == DECLINED) { + return TRUE; + } + + break; + } + + return FALSE; +} + /* This is the master logic for processing requests. Do NOT duplicate * this logic elsewhere, or the security model will be broken by future * API changes. Each phase must be individually optimized to pick up @@ -232,15 +268,8 @@ } access_status = ap_run_access_checker_ex(r); - if (access_status == OK) { - ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, - "request authorized without authentication by " - "access_checker_ex hook: %s", r->uri); - } - else if (access_status != DECLINED) { - return decl_die(access_status, "check access", r); - } - else { + if (access_status == DECLINED + || (access_status == OK && ap_run_force_authn(r) == OK)) { if ((access_status = ap_run_check_user_id(r)) != OK) { return decl_die(access_status, "check user", r); } @@ -258,6 +287,14 @@ return decl_die(access_status, "check authorization", r); } } + else if (access_status == OK) { + ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, + "request authorized without authentication by " + "access_checker_ex hook: %s", r->uri); + } + else { + return decl_die(access_status, "check access", r); + } break; case SATISFY_ANY: if ((access_status = ap_run_access_checker(r)) == OK) { 
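Review bot: ap_some_authn_required returns TRUE only when `ap_run_access_checker_ex` yields `DECLINED`, whereas the request path changed further down in this file also runs authentication when the result is `OK` and `ap_run_force_authn(r) == OK`. A module that relies on the new force_authn hook would therefore get FALSE from this function for a request that is in fact authenticated; this may be intended, but nothing in the patch says so. Either mirror the condition, `if (access_status == DECLINED || (access_status == OK && ap_run_force_authn(r) == OK)) return TRUE;`, or state the limitation in the doc comment added to http_request.h.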
@@ -269,15 +306,8 @@ } access_status = ap_run_access_checker_ex(r); - if (access_status == OK) { - ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, - "request authorized without authentication by " - "access_checker_ex hook: %s", r->uri); - } - else if (access_status != DECLINED) { - return decl_die(access_status, "check access", r); - } - else { + if (access_status == DECLINED + || (access_status == OK && ap_run_force_authn(r) == OK)) { if ((access_status = ap_run_check_user_id(r)) != OK) { return decl_die(access_status, "check user", r); } @@ -295,6 +325,14 @@ return decl_die(access_status, "check authorization", r); } } + else if (access_status == OK) { + ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, + "request authorized without authentication by " + "access_checker_ex hook: %s", r->uri); + } + else { + return decl_die(access_status, "check access", r); + } break; } } debian/patches/CVE-2017-15710.patch0000644000000000000000000000216113376761111013323 0ustar Description: fix DoS via missing header with AuthLDAPCharsetConfig Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1824456 Index: apache2-2.4.29/modules/aaa/mod_authnz_ldap.c =================================================================== --- apache2-2.4.29.orig/modules/aaa/mod_authnz_ldap.c 2017-06-29 07:31:20.000000000 -0400 +++ apache2-2.4.29/modules/aaa/mod_authnz_ldap.c 2018-04-18 09:14:38.995193064 -0400 
@@ -126,9 +126,13 @@ static char* derive_codepage_from_lang ( charset = (char*) apr_hash_get(charset_conversions, language, APR_HASH_KEY_STRING); - if (!charset) { - language[2] = '\0'; - charset = (char*) apr_hash_get(charset_conversions, language, APR_HASH_KEY_STRING); + /* + * Test if language values like 'en-US' return a match from the charset + * conversion map when shortened to 'en'. + */ + if (!charset && strlen(language) > 3 && language[2] == '-') { + char *language_short = apr_pstrndup(p, language, 2); + charset = (char*) apr_hash_get(charset_conversions, language_short, APR_HASH_KEY_STRING); } if (charset) { debian/patches/CVE-2017-15715-pre.patch0000644000000000000000000001716513376761111014126 0ustar Description: add ap_cstr_casecmp[n]() Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1748334 Index: apache2-2.4.7/include/httpd.h =================================================================== --- apache2-2.4.7.orig/include/httpd.h 2018-04-18 11:10:33.294231366 -0400 +++ apache2-2.4.7/include/httpd.h 2018-04-18 11:10:33.294231366 -0400 
@@ -2279,6 +2279,34 @@ AP_DECLARE(char *) ap_get_exec_line(apr_ #define AP_NORESTART APR_OS_START_USEERR + 1 +/** + * Perform a case-insensitive comparison of two strings @a atr1 and @a atr2, + * treating upper and lower case values of the 26 standard C/POSIX alphabetic + * characters as equivalent. Extended latin characters outside of this set + * are treated as unique octets, irrespective of the current locale. + * + * Returns in integer greater than, equal to, or less than 0, + * according to whether @a str1 is considered greater than, equal to, + * or less than @a str2. + * + * @note Same code as apr_cstr_casecmp, which arrives in APR 1.6 + */ +AP_DECLARE(int) ap_cstr_casecmp(const char *s1, const char *s2); + +/** + * Perform a case-insensitive comparison of two strings @a atr1 and @a atr2, + * treating upper and lower case values of the 26 standard C/POSIX alphabetic + * characters as equivalent. Extended latin characters outside of this set + * are treated as unique octets, irrespective of the current locale. + * + * Returns in integer greater than, equal to, or less than 0, + * according to whether @a str1 is considered greater than, equal to, + * or less than @a str2. + * + * @note Same code as apr_cstr_casecmpn, which arrives in APR 1.6 + */ +AP_DECLARE(int) ap_cstr_casecmpn(const char *s1, const char *s2, apr_size_t n); + #ifdef __cplusplus } #endif Index: apache2-2.4.7/server/util.c =================================================================== --- apache2-2.4.7.orig/server/util.c 2018-04-18 11:10:33.294231366 -0400 +++ apache2-2.4.7/server/util.c 2018-04-18 11:11:46.422379689 -0400 @@ -96,7 +96,6 @@ #undef APLOG_MODULE_INDEX #define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX - /* * Examine a field value (such as a media-/content-type) string and return * it sans any parameters; e.g., strip off any ';charset=foo' and the like. 
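Review bot: The doc comments added for ap_cstr_casecmp and ap_cstr_casecmpn refer to `@a atr1`, `@a atr2`, `str1` and `str2`, but the parameters are named `s1` and `s2`, and the comment for ap_cstr_casecmpn does not mention `n`. I would use the declared names and add a line such as `@param n The maximum number of characters to compare`. "Returns in integer" should read "Returns an integer".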
@@ -3034,3 +3033,129 @@ AP_DECLARE(char *) ap_get_exec_line(apr_ return apr_pstrndup(p, buf, k); } + +#if !APR_CHARSET_EBCDIC +/* + * Our own known-fast translation table for casecmp by character. + * Only ASCII alpha characters 41-5A are folded to 61-7A, other + * octets (such as extended latin alphabetics) are never case-folded. + * NOTE: Other than Alpha A-Z/a-z, each code point is unique! + */ +static const short ucharmap[] = { + 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, + 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, + 0x40, 'a', 'b', 'c', 'd', 'e', 'f', 'g', + 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', + 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', + 'x', 'y', 'z', 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, + 0x60, 'a', 'b', 'c', 'd', 'e', 'f', 'g', + 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', + 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', + 'x', 'y', 'z', 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, + 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, + 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, + 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, + 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, + 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, + 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, + 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, + 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, + 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, + 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, + 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, + 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, + 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, + 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, + 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff +}; +#else /* APR_CHARSET_EBCDIC 
*/ +/* + * Derived from apr-iconv/ccs/cp037.c for EBCDIC case comparison, + * provides unique identity of every char value (strict ISO-646 + * conformance, arbitrary election of an ISO-8859-1 ordering, and + * very arbitrary control code assignments into C1 to achieve + * identity and a reversible mapping of code points), + * then folding the equivalences of ASCII 41-5A into 61-7A, + * presenting comparison results in a somewhat ISO/IEC 10646 + * (ASCII-like) order, depending on the EBCDIC code page in use. + * + * NOTE: Other than Alpha A-Z/a-z, each code point is unique! + */ +static const short ucharmap[] = { + 0x00, 0x01, 0x02, 0x03, 0x9C, 0x09, 0x86, 0x7F, + 0x97, 0x8D, 0x8E, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, + 0x10, 0x11, 0x12, 0x13, 0x9D, 0x85, 0x08, 0x87, + 0x18, 0x19, 0x92, 0x8F, 0x1C, 0x1D, 0x1E, 0x1F, + 0x80, 0x81, 0x82, 0x83, 0x84, 0x0A, 0x17, 0x1B, + 0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x05, 0x06, 0x07, + 0x90, 0x91, 0x16, 0x93, 0x94, 0x95, 0x96, 0x04, + 0x98, 0x99, 0x9A, 0x9B, 0x14, 0x15, 0x9E, 0x1A, + 0x20, 0xA0, 0xE2, 0xE4, 0xE0, 0xE1, 0xE3, 0xE5, + 0xE7, 0xF1, 0xA2, 0x2E, 0x3C, 0x28, 0x2B, 0x7C, + 0x26, 0xE9, 0xEA, 0xEB, 0xE8, 0xED, 0xEE, 0xEF, + 0xEC, 0xDF, 0x21, 0x24, 0x2A, 0x29, 0x3B, 0xAC, + 0x2D, 0x2F, 0xC2, 0xC4, 0xC0, 0xC1, 0xC3, 0xC5, + 0xC7, 0xD1, 0xA6, 0x2C, 0x25, 0x5F, 0x3E, 0x3F, + 0xF8, 0xC9, 0xCA, 0xCB, 0xC8, 0xCD, 0xCE, 0xCF, + 0xCC, 0x60, 0x3A, 0x23, 0x40, 0x27, 0x3D, 0x22, + 0xD8, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, + 0x68, 0x69, 0xAB, 0xBB, 0xF0, 0xFD, 0xFE, 0xB1, + 0xB0, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, + 0x71, 0x72, 0xAA, 0xBA, 0xE6, 0xB8, 0xC6, 0xA4, + 0xB5, 0x7E, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, + 0x79, 0x7A, 0xA1, 0xBF, 0xD0, 0xDD, 0xDE, 0xAE, + 0x5E, 0xA3, 0xA5, 0xB7, 0xA9, 0xA7, 0xB6, 0xBC, + 0xBD, 0xBE, 0x5B, 0x5D, 0xAF, 0xA8, 0xB4, 0xD7, + 0x7B, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, + 0x68, 0x69, 0xAD, 0xF4, 0xF6, 0xF2, 0xF3, 0xF5, + 0x7D, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, + 0x71, 0x72, 0xB9, 0xFB, 
0xFC, 0xF9, 0xFA, 0xFF, + 0x5C, 0xF7, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, + 0x79, 0x7A, 0xB2, 0xD4, 0xD6, 0xD2, 0xD3, 0xD5, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0xB3, 0xDB, 0xDC, 0xD9, 0xDA, 0x9F +}; +#endif + +AP_DECLARE(int) ap_cstr_casecmp(const char *s1, const char *s2) +{ + const unsigned char *str1 = (const unsigned char *)s1; + const unsigned char *str2 = (const unsigned char *)s2; + for (;;) + { + const int c1 = (int)(*str1); + const int c2 = (int)(*str2); + const int cmp = ucharmap[c1] - ucharmap[c2]; + /* Not necessary to test for !c2, this is caught by cmp */ + if (cmp || !c1) + return cmp; + str1++; + str2++; + } +} + +AP_DECLARE(int) ap_cstr_casecmpn(const char *s1, const char *s2, apr_size_t n) +{ + const unsigned char *str1 = (const unsigned char *)s1; + const unsigned char *str2 = (const unsigned char *)s2; + while (n--) + { + const int c1 = (int)(*str1); + const int c2 = (int)(*str2); + const int cmp = ucharmap[c1] - ucharmap[c2]; + /* Not necessary to test for !c2, this is caught by cmp */ + if (cmp || !c1) + return cmp; + str1++; + str2++; + } + return 0; +} + debian/patches/CVE-2016-5387.patch0000644000000000000000000000124213376761111013252 0ustar Description: fix proxy request header vulnerability (httpoxy) Origin: based on patch provided by Kurt Seifried Index: apache2-2.4.12/server/util_script.c =================================================================== --- apache2-2.4.12.orig/server/util_script.c 2016-07-14 08:38:24.893558792 -0400 +++ apache2-2.4.12/server/util_script.c 2016-07-14 08:38:24.893558792 -0400 
@@ -191,6 +191,10 @@ continue; } #endif + else if (!strcasecmp(hdrs[i].key, "Proxy")) { + /* Don't pass through HTTP_PROXY */ + continue; + } else add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val); } debian/patches/CVE-2018-1301.patch0000644000000000000000000001620713376761111013241 0ustar Description: fix DoS via specially-crafted request Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1824469 Index: apache2-2.4.7/server/protocol.c =================================================================== --- apache2-2.4.7.orig/server/protocol.c 2018-04-18 11:13:19.918569583 -0400 +++ apache2-2.4.7/server/protocol.c 2018-04-18 11:13:19.890569526 -0400 @@ -222,6 +222,11 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor int fold = flags & AP_GETLINE_FOLD; int crlf = flags & AP_GETLINE_CRLF; + if (!n) { + /* Needs room for NUL byte at least */ + return APR_BADARG; + } + /* * Initialize last_char as otherwise a random value will be compared * against APR_ASCII_LF at the end of the loop if bb only contains @@ -235,14 +240,15 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor rv = ap_get_brigade(r->proto_input_filters, bb, AP_MODE_GETLINE, APR_BLOCK_READ, 0); if (rv != APR_SUCCESS) { - return rv; + goto cleanup; } /* Something horribly wrong happened. Someone didn't block! * (this also happens at the end of each keepalive connection) */ if (APR_BRIGADE_EMPTY(bb)) { - return APR_EGENERAL; + rv = APR_EGENERAL; + goto cleanup; } for (e = APR_BRIGADE_FIRST(bb); @@ -260,7 +266,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor rv = apr_bucket_read(e, &str, &len, APR_BLOCK_READ); if (rv != APR_SUCCESS) { - return rv; + goto cleanup; } if (len == 0) { 
@@ -273,17 +279,8 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor /* Would this overrun our buffer? If so, we'll die. */ if (n < bytes_handled + len) { - *read = bytes_handled; - if (*s) { - /* ensure this string is NUL terminated */ - if (bytes_handled > 0) { - (*s)[bytes_handled-1] = '\0'; - } - else { - (*s)[0] = '\0'; - } - } - return APR_ENOSPC; + rv = APR_ENOSPC; + goto cleanup; } /* Do we have to handle the allocation ourselves? */ @@ -291,7 +288,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor /* We'll assume the common case where one bucket is enough. */ if (!*s) { current_alloc = len; - *s = apr_palloc(r->pool, current_alloc); + *s = apr_palloc(r->pool, current_alloc + 1); } else if (bytes_handled + len > current_alloc) { /* Increase the buffer size */ @@ -302,7 +299,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor new_size = (bytes_handled + len) * 2; } - new_buffer = apr_palloc(r->pool, new_size); + new_buffer = apr_palloc(r->pool, new_size + 1); /* Copy what we already had. */ memcpy(new_buffer, *s, bytes_handled); @@ -326,19 +323,15 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor } } - if (crlf && (last_char <= *s || last_char[-1] != APR_ASCII_CR)) { - *last_char = '\0'; - bytes_handled = last_char - *s; - *read = bytes_handled; - return APR_EINVAL; - } - - /* Now NUL-terminate the string at the end of the line; + /* Now terminate the string at the end of the line; * if the last-but-one character is a CR, terminate there */ if (last_char > *s && last_char[-1] == APR_ASCII_CR) { last_char--; } - *last_char = '\0'; + else if (crlf) { + rv = APR_EINVAL; + goto cleanup; + } bytes_handled = last_char - *s; /* If we're folding, we have more work to do. @@ -358,7 +351,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor rv = ap_get_brigade(r->proto_input_filters, bb, AP_MODE_SPECULATIVE, APR_BLOCK_READ, 1); if (rv != APR_SUCCESS) { - return rv; + goto cleanup; } if (APR_BRIGADE_EMPTY(bb)) { 
@@ -375,7 +368,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor rv = apr_bucket_read(e, &str, &len, APR_BLOCK_READ); if (rv != APR_SUCCESS) { apr_brigade_cleanup(bb); - return rv; + goto cleanup; } /* Found one, so call ourselves again to get the next line. @@ -392,10 +385,8 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor if (c == APR_ASCII_BLANK || c == APR_ASCII_TAB) { /* Do we have enough space? We may be full now. */ if (bytes_handled >= n) { - *read = n; - /* ensure this string is terminated */ - (*s)[n-1] = '\0'; - return APR_ENOSPC; + rv = APR_ENOSPC; + goto cleanup; } else { apr_size_t next_size, next_len; @@ -408,7 +399,6 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor tmp = NULL; } else { - /* We're null terminated. */ tmp = last_char; } @@ -417,7 +407,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor rv = ap_rgetline_core(&tmp, next_size, &next_len, r, 0, bb); if (rv != APR_SUCCESS) { - return rv; + goto cleanup; } if (do_alloc && next_len > 0) { @@ -431,7 +421,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor memcpy(new_buffer, *s, bytes_handled); /* copy the new line, including the trailing null */ - memcpy(new_buffer + bytes_handled, tmp, next_len + 1); + memcpy(new_buffer + bytes_handled, tmp, next_len); *s = new_buffer; } @@ -444,8 +434,21 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor } } } + +cleanup: + if (bytes_handled >= n) { + bytes_handled = n - 1; + } + if (*s) { + /* ensure the string is NUL terminated */ + (*s)[bytes_handled] = '\0'; + } *read = bytes_handled; + if (rv != APR_SUCCESS) { + return rv; + } + /* PR#43039: We shouldn't accept NULL bytes within the line */ if (strlen(*s) < bytes_handled) { return APR_EINVAL; 
@@ -484,6 +487,11 @@ AP_DECLARE(int) ap_getline(char *s, int apr_size_t len; apr_bucket_brigade *tmp_bb; + if (n < 1) { + /* Can't work since we always NUL terminate */ + return -1; + } + tmp_bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); rv = ap_rgetline(&tmp_s, n, &len, r, flags, tmp_bb); apr_brigade_destroy(tmp_bb); debian/patches/make_include_safe.patch0000644000000000000000000000427513376761111015272 0ustar Description: Avoid including dpkg droppings in globbed includes. Include /dir/* will ignore /dir/*.dpkg* files Forwarded: not-needed Author: Adam Conrad Last-Update: 2012-02-25 Index: apache2/server/config.c =================================================================== --- apache2.orig/server/config.c +++ apache2/server/config.c @@ -34,6 +34,7 @@ #include "apr_portable.h" #include "apr_file_io.h" #include "apr_fnmatch.h" +#include "apr_lib.h" #define APR_WANT_STDIO #define APR_WANT_STRFUNC @@ -1787,6 +1788,29 @@ return NULL; } +static int fname_valid(const char *fname) { + const unsigned char *c = fname; + unsigned char bad_dpkg[] = "*.dpkg*"; + + if (!apr_isalnum(*c)) { + return 0; + } + ++c; + + while (*c) { + if (!apr_isalnum(*c) && *c!='_' && *c!='-' && *c!='.') { + return 0; + } + ++c; + } + + if (!apr_fnmatch(bad_dpkg, fname, 0)) { + return 0; + } + + return 1; +} + static const char *process_resource_config_nofnmatch(server_rec *s, const char *fname, ap_directive_t **conftree, @@ -1829,7 +1853,8 @@ while (apr_dir_read(&dirent, APR_FINFO_DIRENT, dirp) == APR_SUCCESS) { /* strip out '.' and '..' */ if (strcmp(dirent.name, ".") - && strcmp(dirent.name, "..")) { + && strcmp(dirent.name, "..") + && fname_valid(dirent.name)) { fnew = (fnames *) apr_array_push(candidates); fnew->fname = ap_make_full_path(ptemp, path, dirent.name); } 
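Review bot: `fname_valid()` in the `@@ -1787` hunk filters far more than the patch description says: besides `*.dpkg*` it rejects any name whose first character is not alphanumeric or that contains anything outside `[A-Za-z0-9_.-]`, and it does so silently. Because the check is wired into both directory-scan paths (the `@@ -1829` hunk here and the `@@ -1918` hunk that follows), an access-control or TLS snippet placed in an included directory under such a name is never loaded and nothing is logged, which is easy to miss in a configuration audit. I would log each skipped entry at debug level at the two call sites and state the accepted character set in a comment above the function. Minor: `const unsigned char *c = fname;` and passing `unsigned char bad_dpkg[]` to apr_fnmatch() mix pointer signedness without a cast; `const char *c = fname;` and `const char bad_dpkg[] = "*.dpkg*";` avoid that, since apr_isalnum() (as far as I recall) already casts its argument.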
@@ -1918,7 +1943,8 @@ if (strcmp(dirent.name, ".") && strcmp(dirent.name, "..") && (apr_fnmatch(fname, dirent.name, - APR_FNM_PERIOD) == APR_SUCCESS)) { + APR_FNM_PERIOD) == APR_SUCCESS) + && fname_valid(dirent.name)) { const char *full_path = ap_make_full_path(ptemp, path, dirent.name); /* If matching internal to path, and we happen to match something * other than a directory, skip it debian/patches/ocsp-stapling-memory-corruption.patch0000644000000000000000000002724713376761111020153 0ustar From 6e24e496c7aee8aa1ff13a41dae71c91fe8c0bbe Mon Sep 17 00:00:00 2001 
From: Alex Bligh Date: Thu, 6 Nov 2014 20:37:42 +0000 Subject: [PATCH] LP#1366174: Backport PR54357 to 2.4.7 - Crash during restart or at startup in mod_ssl, in certinfo_free() function registered by ssl_stapling_ex_init() Backport SVN: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634529 details of which follow: Merge r1629372, r1629485, r1629519 from trunk: Move OCSP stapling information from a per-certificate store (ex_data attached to an X509 *) to a per-server hash which is allocated from the pconf pool. Fixes PR 54357, PR 56919 and a leak with the certinfo_free cleanup function (missing OCSP_CERTID_free). * modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add ssl_stapling_certid_free (used with apr_pool_cleanup_register). Switch to a stapling_certinfo hash which is keyed by the SHA-1 digest of the certificate's DER encoding, rework ssl_stapling_init_cert to only store info once per certificate (allocated from the pconf to the extent possible) and extend the logging. * modules/ssl/ssl_private.h: adjust prototype for ssl_stapling_init_cert, replace ssl_stapling_ex_init with ssl_stapling_certinfo_hash_init * modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls Based on initial work by Alex Bligh Follow up to r1629372: ensure compatibily with OpenSSL < 1.0 (sk_OPENSSL_STRING_value). Follow up to r1629372 and r1629485: ensure compatibily with OpenSSL < 1.0 (sk_OPENSSL_STRING_[num|value|pop] macros). Submitted by: kbrand, ylavic, ylavic Reviewed/backported by: jim Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=r1634529 Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=54357 Bug-Ubuntu: https://launchpad.net/bugs/1366174 Reviewed-by: Robie Basak Last-Update: 2015-02-26 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -200,7 +200,7 @@ return HTTP_INTERNAL_SERVER_ERROR; } #ifdef HAVE_OCSP_STAPLING - ssl_stapling_ex_init(); + ssl_stapling_certinfo_hash_init(p); #endif /* 
@@ -818,6 +818,8 @@ } static int ssl_server_import_cert(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, modssl_ctx_t *mctx, const char *id, int idx) @@ -852,7 +854,7 @@ #ifdef HAVE_OCSP_STAPLING if ((mctx->pkp == FALSE) && (mctx->stapling_enabled == TRUE)) { - if (!ssl_stapling_init_cert(s, mctx, cert)) { + if (!ssl_stapling_init_cert(s, p, ptemp, mctx, cert)) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02235) "Unable to configure server certificate for stapling"); } @@ -1000,10 +1002,10 @@ ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC); #endif - have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA); - have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA); + have_rsa = ssl_server_import_cert(s, p, ptemp, mctx, rsa_id, SSL_AIDX_RSA); + have_dsa = ssl_server_import_cert(s, p, ptemp, mctx, dsa_id, SSL_AIDX_DSA); #ifdef HAVE_ECC - have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC); + have_ecc = ssl_server_import_cert(s, p, ptemp, mctx, ecc_id, SSL_AIDX_ECC); #endif if (!(have_rsa || have_dsa --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -147,6 +147,13 @@ /* OCSP stapling */ #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) #define HAVE_OCSP_STAPLING +/* backward compatibility with OpenSSL < 1.0 */ +#ifndef sk_OPENSSL_STRING_num +#define sk_OPENSSL_STRING_num sk_num +#endif +#ifndef sk_OPENSSL_STRING_value +#define sk_OPENSSL_STRING_value sk_value +#endif #ifndef sk_OPENSSL_STRING_pop #define sk_OPENSSL_STRING_pop sk_pop #endif 
@@ -826,10 +833,11 @@ const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int); const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int); const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *); -const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *); void modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *); -void ssl_stapling_ex_init(void); -int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x); +void ssl_stapling_certinfo_hash_init(apr_pool_t *); +int ssl_stapling_init_cert(server_rec *s, apr_pool_t *, apr_pool_t *, + modssl_ctx_t *mctx, X509 *x); #endif #ifdef HAVE_SRP int ssl_callback_SRPServerParams(SSL *, int *, void *); --- a/modules/ssl/ssl_util_stapling.c +++ b/modules/ssl/ssl_util_stapling.c 
@@ -43,36 +43,32 @@ #define MAX_STAPLING_DER 10240 -/* Cached info stored in certificate ex_info. */ +/* Cached info stored in the global stapling_certinfo hash. */ typedef struct { - /* Index in session cache SHA1 hash of certificate */ - UCHAR idx[20]; - /* Certificate ID for OCSP requests or NULL if ID cannot be determined */ + /* Index in session cache (SHA-1 digest of DER encoded certificate) */ + UCHAR idx[SHA_DIGEST_LENGTH]; + /* Certificate ID for OCSP request */ OCSP_CERTID *cid; - /* Responder details */ + /* URI of the OCSP responder */ char *uri; } certinfo; -static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, - int idx, long argl, void *argp) +static apr_status_t ssl_stapling_certid_free(void *data) { - certinfo *cinf = ptr; + OCSP_CERTID *cid = data; - if (!cinf) - return; - if (cinf->uri) - OPENSSL_free(cinf->uri); - OPENSSL_free(cinf); + if (cid) { + OCSP_CERTID_free(cid); + } + + return APR_SUCCESS; } -static int stapling_ex_idx = -1; +static apr_hash_t *stapling_certinfo; -void ssl_stapling_ex_init(void) +void ssl_stapling_certinfo_hash_init(apr_pool_t *p) { - if (stapling_ex_idx != -1) - return; - stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0, - certinfo_free); + stapling_certinfo = apr_hash_make(p); } static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) 
@@ -106,69 +102,96 @@ } -int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x) +int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, + modssl_ctx_t *mctx, X509 *x) { - certinfo *cinf; + UCHAR idx[SHA_DIGEST_LENGTH]; + certinfo *cinf = NULL; X509 *issuer = NULL; + OCSP_CERTID *cid = NULL; STACK_OF(OPENSSL_STRING) *aia = NULL; - if (x == NULL) + if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1)) return 0; - cinf = X509_get_ex_data(x, stapling_ex_idx); + + cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx)); if (cinf) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215) - "ssl_stapling_init_cert: certificate already initialized!"); - return 0; - } - cinf = OPENSSL_malloc(sizeof(certinfo)); - if (!cinf) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216) - "ssl_stapling_init_cert: error allocating memory!"); - return 0; + /* + * We already parsed the certificate, and no OCSP URI was found. + * The certificate might be used for multiple vhosts, though, + * so we check for a ForceURL for this vhost. 
+ */ + if (!cinf->uri && !mctx->stapling_force_url) { + ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, + APLOGNO(02814) "ssl_stapling_init_cert: no OCSP URI " + "in certificate and no SSLStaplingForceURL " + "configured for server %s", mctx->sc->vhost_id); + return 0; + } + return 1; } - cinf->cid = NULL; - cinf->uri = NULL; - X509_set_ex_data(x, stapling_ex_idx, cinf); - - issuer = stapling_get_issuer(mctx, x); - - if (issuer == NULL) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02217) - "ssl_stapling_init_cert: Can't retrieve issuer certificate!"); + + if (!(issuer = stapling_get_issuer(mctx, x))) { + ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02217) + "ssl_stapling_init_cert: can't retrieve issuer " + "certificate!"); return 0; } - cinf->cid = OCSP_cert_to_id(NULL, x, issuer); + cid = OCSP_cert_to_id(NULL, x, issuer); X509_free(issuer); - if (!cinf->cid) + if (!cid) { + ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02815) + "ssl_stapling_init_cert: can't create CertID " + "for OCSP request"); return 0; - X509_digest(x, EVP_sha1(), cinf->idx, NULL); + } aia = X509_get1_ocsp(x); - if (aia) - cinf->uri = sk_OPENSSL_STRING_pop(aia); - if (!cinf->uri && !mctx->stapling_force_url) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218) - "ssl_stapling_init_cert: no responder URL"); + if (!aia && !mctx->stapling_force_url) { + OCSP_CERTID_free(cid); + ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, + APLOGNO(02218) "ssl_stapling_init_cert: no OCSP URI " + "in certificate and no SSLStaplingForceURL set"); + return 0; } - if (aia) + + /* At this point, we have determined that there's something to store */ + cinf = apr_pcalloc(p, sizeof(certinfo)); + memcpy (cinf->idx, idx, sizeof(idx)); + cinf->cid = cid; + /* make sure cid is also freed at pool cleanup */ + apr_pool_cleanup_register(p, cid, ssl_stapling_certid_free, + apr_pool_cleanup_null); + if (aia) { + /* allocate uri from the pconf pool */ + 
cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0)); X509_email_free(aia); + } + + ssl_log_xerror(SSLLOG_MARK, APLOG_TRACE1, 0, ptemp, s, x, + "ssl_stapling_init_cert: storing certinfo for server %s", + mctx->sc->vhost_id); + + apr_hash_set(stapling_certinfo, cinf->idx, sizeof(cinf->idx), cinf); + return 1; } -static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx, - SSL *ssl) +static certinfo *stapling_get_certinfo(server_rec *s, modssl_ctx_t *mctx, + SSL *ssl) { certinfo *cinf; X509 *x; + UCHAR idx[SHA_DIGEST_LENGTH]; x = SSL_get_certificate(ssl); - if (x == NULL) + if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1)) return NULL; - cinf = X509_get_ex_data(x, stapling_ex_idx); + cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx)); if (cinf && cinf->cid) return cinf; ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926) - "stapling_get_cert_info: stapling not supported for certificate"); + "stapling_get_certinfo: stapling not supported for certificate"); return NULL; } @@ -577,7 +600,7 @@ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951) "stapling_cb: OCSP Stapling callback called"); - cinf = stapling_get_cert_info(s, mctx, ssl); + cinf = stapling_get_certinfo(s, mctx, ssl); if (cinf == NULL) { return SSL_TLSEXT_ERR_NOACK; } debian/patches/CVE-2019-0220-3.patch0000644000000000000000000000264513451142473013400 0ustar From 3451fc2bf8708b0dc8cd6a7d0ac0fe5b6401befc Mon Sep 17 00:00:00 2001 
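Review bot: The comment opening the `if (cinf)` branch of ssl_stapling_init_cert() says the certificate was already parsed "and no OCSP URI was found", but the branch is entered for every certificate already present in `stapling_certinfo`, with or without a URI; only the inner test concerns the missing-URI case. Suggest rewording it to `/* Already parsed for another vhost: only re-check that this vhost has a responder URI or SSLStaplingForceURL. */`. The hunk also covers stapling_get_certinfo(), which now recomputes the SHA-1 digest on each call from stapling_cb; a short comment that this is a lookup key for the server's own certificate would keep later readers from treating it as a validation step.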
From: Eric Covener Date: Tue, 19 Mar 2019 18:01:21 +0000 Subject: [PATCH] *) maintainer mode fix for util.c no2slash_ex trunk patch: http://svn.apache.org/r1855755 2.4.x patch svn merge -c 1855755 ^/httpd/httpd/trunk . +1: covener, rpluem, jim, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855853 13f79535-47bb-0310-9956-ffa450edef68 --- STATUS | 6 ------ server/util.c | 2 +- 2 files changed, 1 insertion(+), 7 deletions(-) #diff --git a/STATUS b/STATUS #index ffe5d22550c..1f8cb2f7884 100644 #--- a/STATUS #+++ b/STATUS #@@ -126,12 +126,6 @@ RELEASE SHOWSTOPPERS: # PATCHES ACCEPTED TO BACKPORT FROM TRUNK: # [ start all new proposals below, under PATCHES PROPOSED. ] # #- *) maintainer mode fix for util.c no2slash_ex #- trunk patch: http://svn.apache.org/r1855755 #- 2.4.x patch svn merge -c 1855755 ^/httpd/httpd/trunk . #- +1: covener, rpluem, jim, ylavic #- #- # PATCHES PROPOSED TO BACKPORT FROM TRUNK: # [ New proposals should be added at the end of the list ] # diff --git a/server/util.c b/server/util.c index f3b17f1581e..e0c558cee2d 100644 --- a/server/util.c +++ b/server/util.c @@ -566,7 +566,7 @@ AP_DECLARE(void) ap_no2slash_ex(char *name, int is_fs_path) char *d, *s; - if (!name || !*name) { + if (!*name) { return; } debian/patches/CVE-2018-17199.patch0000644000000000000000000000622713451141476013350 0ustar From 34f58ae20d9a85f2a1508a9a732874239491d456 Mon Sep 17 00:00:00 2001 
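Review bot: The new guard `if (!*name)` dereferences `name` unconditionally, so a NULL argument that the old `!name ||` test turned into a no-op now faults inside ap_no2slash_ex(). The commit message calls this a maintainer-mode fix, which suggests the parameter is declared non-NULL somewhere outside this hunk; if so, state the precondition at the definition, e.g. `/* name must be non-NULL; an empty string is returned unchanged */`, and confirm that no caller in this backport can pass an unset path. The function body continues past the hunk.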
From: Hank Ibell Date: Tue, 15 Jan 2019 19:54:41 +0000 Subject: [PATCH] mod_session: Always decode session attributes early. Backport r1850947 from trunk Submitted by: hwibell Reviewed by: hwibell, covener, wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1851409 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 2 ++ STATUS | 5 ----- modules/session/mod_session.c | 25 ++++++++++++++----------- 3 files changed, 16 insertions(+), 16 deletions(-) #diff --git a/CHANGES b/CHANGES #index c4d9f6c2ea8..4b0a07fdcf5 100644 #--- a/CHANGES #+++ b/CHANGES #@@ -9,6 +9,8 @@ Changes with Apache 2.4.38 # and we should just set the value for the environment variable # like in the pattern case. [Ruediger Pluem] # #+ *) mod_session: Always decode session attributes early. [Hank Ibell] #+ # *) core: Incorrect values for environment variables are substituted when # multiple environment variables are specified in a directive. [Hank Ibell] # #diff --git a/STATUS b/STATUS #index 00070f9f247..45a92ba4d81 100644 #--- a/STATUS #+++ b/STATUS #@@ -125,11 +125,6 @@ RELEASE SHOWSTOPPERS: # PATCHES ACCEPTED TO BACKPORT FROM TRUNK: # [ start all new proposals below, under PATCHES PROPOSED. ] # #- *) mod_session: Always decode session attributes early. #- trunk patch: http://svn.apache.org/r1850947 #- 2.4.x patch: svn merge -c 1850947 ^/httpd/httpd/trunk . #- +1: hwibell, covener, wrowe #- # *) mod_ssl (ssl_engine_io.c: bio_filter_out_write, bio_filter_in_read) # Clear retry flags before aborting on client-initiated reneg. [Joe Orton] # PR: 63052 diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c index d517020d995..64e6e4a8132 100644 --- a/modules/session/mod_session.c +++ b/modules/session/mod_session.c 
@@ -126,20 +126,23 @@ static apr_status_t ap_session_load(request_rec * r, session_rec ** z) /* found a session that hasn't expired? */ now = apr_time_now(); + if (zz) { - if (zz->expiry && zz->expiry < now) { + /* load the session attibutes */ + rv = ap_run_session_decode(r, zz); + + /* having a session we cannot decode is just as good as having + none at all */ + if (OK != rv) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817) + "error while decoding the session, " + "session not loaded: %s", r->uri); zz = NULL; } - else { - /* having a session we cannot decode is just as good as having - none at all */ - rv = ap_run_session_decode(r, zz); - if (OK != rv) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817) - "error while decoding the session, " - "session not loaded: %s", r->uri); - zz = NULL; - } + + /* invalidate session if session is expired */ + if (zz && zz->expiry && zz->expiry < now) { + zz = NULL; } } debian/patches/CVE-2017-3167.patch0000644000000000000000000002124613376761111013253 0ustar Backport of: From 78f0f0b6585f13ec1175c7020ee01cd0237fc1ba Mon Sep 17 00:00:00 2001 
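Review bot: The reordering in ap_session_load() makes the expiry test depend on `ap_run_session_decode()` having run first, but the added comments describe the two steps independently and never say so; the first one also has a typo (`attibutes`). Judging by the commit subject, `zz->expiry` is presumably only meaningful after decoding, so I would write that down: `/* decode first: the expiry checked below comes from the decoded session */`. An expired session is then dropped with `zz = NULL` and no log line, unlike the decode failure just above it; a debug-level message there would let operators tell expiry from absence. The function continues outside the hunk.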
From: Jim Jagielski Date: Tue, 30 May 2017 12:27:41 +0000 Subject: [PATCH] Merge r1796348 from trunk: core: deprecate and replace ap_get_basic_auth_pw *) core: Deprecate ap_get_basic_auth_pw() and add ap_get_basic_auth_components(). Submitted By: Emmanuel Dreyfus , Jacob Champion, Eric Covener Submitted by: covener Reviewed by: covener, ylavic, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796855 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ STATUS | 6 ------ include/ap_mmn.h | 4 +++- include/http_protocol.h | 25 ++++++++++++++++++++++++- server/protocol.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ server/request.c | 17 ++++++++++++++--- 6 files changed, 93 insertions(+), 11 deletions(-) #diff --git a/CHANGES b/CHANGES #index 1b815557a37..9d7fe8e379b 100644 #--- a/CHANGES #+++ b/CHANGES #@@ -2,6 +2,10 @@ # # Changes with Apache 2.4.26 # #+ *) core: Deprecate ap_get_basic_auth_pw() and add #+ ap_get_basic_auth_components(). #+ [Emmanuel Dreyfus , Jacob Champion, Eric Covener] #+ # *) mod_rewrite: When a substitution is a fully qualified URL, and the # scheme/host/port matches the current virtual host, stop interpreting the # path component as a local path just because the first component of the #diff --git a/STATUS b/STATUS #index 1ce64c6b43b..456596a6160 100644 #--- a/STATUS #+++ b/STATUS #@@ -120,12 +120,6 @@ RELEASE SHOWSTOPPERS: # PATCHES ACCEPTED TO BACKPORT FROM TRUNK: # [ start all new proposals below, under PATCHES PROPOSED. ] # #- *) core: Deprecate ap_get_basic_auth_pw() and add #- ap_get_basic_auth_components(). #- trunk patch: http://svn.apache.org/r1796348 #- 2.4.x patch: http://people.apache.org/~covener/patches/httpd-2.4.x-ap_get_basic_auth_pw.diff + CHANGES #- +1: covener, ylavic, jim #- # *) core: Terminate token processing on NULL. # trunk patch: http://svn.apache.org/r1796350 # 2.4.x patch: svn merge -c 1796350 ^/httpd/httpd/trunk . 
Index: apache2-2.4.7/include/ap_mmn.h =================================================================== --- apache2-2.4.7.orig/include/ap_mmn.h 2017-06-26 07:58:36.697632178 -0400 +++ apache2-2.4.7/include/ap_mmn.h 2017-06-26 07:58:56.297842089 -0400 @@ -422,6 +422,8 @@ * 20120211.25 (2.4.7-dev) Add conn_sense_e * 20120211.26 (2.4.7-dev) Add util_fcgi.h, FastCGI protocol support * 20120211.27 (2.4.7-dev) Add ap_podx_restart_t and ap_mpm_podx_* + * 20120211.68 (2.4.26-dev) Add ap_get_basic_auth_components() and deprecate + * ap_get_basic_auth_pw() */ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */ Index: apache2-2.4.7/include/http_protocol.h =================================================================== --- apache2-2.4.7.orig/include/http_protocol.h 2017-06-26 07:58:36.697632178 -0400 +++ apache2-2.4.7/include/http_protocol.h 2017-06-26 07:58:36.653631707 -0400 @@ -541,7 +541,11 @@ AP_DECLARE(void) ap_note_digest_auth_fai AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type)) /** - * Get the password from the request headers + * Get the password from the request headers. This function has multiple side + * effects due to its prior use in the old authentication framework. + * ap_get_basic_auth_components() should be preferred. + * + * @deprecated @see ap_get_basic_auth_components * @param r The current request * @param pw The password as set in the headers * @return 0 (OK) if it set the 'pw' argument (and assured 
@@ -554,6 +558,25 @@ AP_DECLARE_HOOK(int, note_auth_failure, */ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw); +#define AP_GET_BASIC_AUTH_PW_NOTE "AP_GET_BASIC_AUTH_PW_NOTE" + +/** + * Get the username and/or password from the request's Basic authentication + * headers. Unlike ap_get_basic_auth_pw(), calling this function has no side + * effects on the passed request_rec. + * + * @param r The current request + * @param username If not NULL, set to the username sent by the client + * @param password If not NULL, set to the password sent by the client + * @return APR_SUCCESS if the credentials were successfully parsed and returned; + * APR_EINVAL if there was no authentication header sent or if the + * client was not using the Basic authentication scheme. username and + * password are unchanged on failure. + */ +AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r, + const char **username, + const char **password); + /** * parse_uri: break apart the uri * @warning Side Effects: Index: apache2-2.4.7/server/protocol.c =================================================================== --- apache2-2.4.7.orig/server/protocol.c 2017-06-26 07:58:36.697632178 -0400 +++ apache2-2.4.7/server/protocol.c 2017-06-26 07:58:36.657631749 -0400 @@ -1564,6 +1564,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(req t = ap_pbase64decode(r->pool, auth_line); r->user = ap_getword_nulls (r->pool, &t, ':'); + apr_table_setn(r->notes, AP_GET_BASIC_AUTH_PW_NOTE, "1"); r->ap_auth_type = "Basic"; *pw = t; 
@@ -1571,6 +1572,53 @@ AP_DECLARE(int) ap_get_basic_auth_pw(req return OK; } +AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r, + const char **username, + const char **password) +{ + const char *auth_header; + const char *credentials; + const char *decoded; + const char *user; + + auth_header = (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization" + : "Authorization"; + credentials = apr_table_get(r->headers_in, auth_header); + + if (!credentials) { + /* No auth header. */ + return APR_EINVAL; + } + + if (strcasecmp(ap_getword(r->pool, &credentials, ' '), "Basic")) { + /* These aren't Basic credentials. */ + return APR_EINVAL; + } + + while (*credentials == ' ' || *credentials == '\t') { + credentials++; + } + + /* XXX Our base64 decoding functions don't actually error out if the string + * we give it isn't base64; they'll just silently stop and hand us whatever + * they've parsed up to that point. + * + * Since this function is supposed to be a drop-in replacement for the + * deprecated ap_get_basic_auth_pw(), don't fix this for 2.4.x. + */ + decoded = ap_pbase64decode(r->pool, credentials); + user = ap_getword_nulls(r->pool, &decoded, ':'); + + if (username) { + *username = user; + } + if (password) { + *password = decoded; + } + + return APR_SUCCESS; +} + struct content_length_ctx { int data_sent; /* true if the C-L filter has already sent at * least one bucket on to the next output filter Index: apache2-2.4.7/server/request.c =================================================================== --- apache2-2.4.7.orig/server/request.c 2017-06-26 07:58:36.697632178 -0400 +++ apache2-2.4.7/server/request.c 2017-06-26 07:58:36.661631792 -0400 @@ -124,6 +124,8 @@ static int decl_die(int status, const ch AP_DECLARE(int) ap_some_authn_required(request_rec *r) { int access_status; + char *olduser = r->user; + int rv = FALSE; switch (ap_satisfies(r)) { case SATISFY_ALL: 
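Review bot: ap_get_basic_auth_components() returns APR_SUCCESS for any decoded payload, including one with no `:` separator: as far as I can tell ap_getword_nulls() then returns the whole string as the user and leaves `decoded` empty, so malformed credentials look the same as a user with an empty password. Together with the base64 leniency already flagged in the XXX comment, the return value says little about whether the header was well formed. Since that comment rules out tightening the behaviour on 2.4.x, the API documentation in http_protocol.h should carry the caveat, e.g. `@note A missing ':' or invalid base64 still yields APR_SUCCESS; callers must validate username and password themselves.`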
@@ -134,7 +136,7 @@ AP_DECLARE(int) ap_some_authn_required(r access_status = ap_run_access_checker_ex(r); if (access_status == DECLINED) { - return TRUE; + rv = TRUE; } break; @@ -145,13 +147,14 @@ AP_DECLARE(int) ap_some_authn_required(r access_status = ap_run_access_checker_ex(r); if (access_status == DECLINED) { - return TRUE; + rv = TRUE; } break; } - return FALSE; + r->user = olduser; + return rv; } /* This is the master logic for processing requests. Do NOT duplicate @@ -259,6 +262,14 @@ AP_DECLARE(int) ap_process_request_inter r->ap_auth_type = r->main->ap_auth_type; } else { + /* A module using a confusing API (ap_get_basic_auth_pw) caused + ** r->user to be filled out prior to check_authn hook. We treat + ** it is inadvertent. + */ + if (r->user && apr_table_get(r->notes, AP_GET_BASIC_AUTH_PW_NOTE)) { + r->user = NULL; + } + switch (ap_satisfies(r)) { case SATISFY_ALL: case SATISFY_NOSPEC: debian/patches/util_ldap_cache_lock_fix.patch0000644000000000000000000000414713376761111016630 0ustar Description: [PATCH] Merge r1824811 from trunk: 00:00:00 2001 From: Yann Ylavic Date: Tue, 20 Feb 2018 13:02:54 +0000 Subject: [PATCH] Merge r1824811 from trunk: 10 years after r567503 , fix this properly. The lock is created in post_config, so we can't copy it around in a merge_server_config() callback. Submitted by: covener Reviewed by: covener, rpluem, jim -- Origin: https://bz.apache.org/bugzilla/show_bug.cgi?id=60296 Origin: upstream, commit: 39ae6cd642689c20b599727ee1fb95233faabb05 Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=58483 Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=60296 Bug-Debian: https://bugs.debian.org/814980 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1752683 Reviewed-by: Rafael David Tinoco Last-Update: 2018-03-01 --- apache2-2.4.7.orig/modules/ldap/util_ldap.c +++ apache2-2.4.7/modules/ldap/util_ldap.c 
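Review bot: The reset added in ap_process_request_internal() (the `@@ -259` hunk) clears only `r->user`, while the context lines of the protocol.c hunk show ap_get_basic_auth_pw() setting `r->ap_auth_type = "Basic"` in the same call that sets the note. If a leftover auth type can influence later hooks the way a leftover user can, it should be cleared alongside; if it is harmless, the comment should say why only the user is reset. The comment text `We treat it is inadvertent` is also garbled; I would reword it to `Treat this as inadvertent and clear it before the check_authn hooks run.` The same asymmetry applies to ap_some_authn_required() in the earlier request.c hunks, which saves and restores `r->user` only.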
@@ -2806,7 +2806,6 @@ static void *util_ldap_merge_config(apr_ st->search_cache_size = base->search_cache_size; st->compare_cache_ttl = base->compare_cache_ttl; st->compare_cache_size = base->compare_cache_size; - st->util_ldap_cache_lock = base->util_ldap_cache_lock; st->connections = NULL; st->ssl_supported = 0; /* not known until post-config and re-merged */ @@ -2927,12 +2926,12 @@ static int util_ldap_post_config(apr_poo st_vhost = (util_ldap_state_t *) ap_get_module_config(s_vhost->module_config, &ldap_module); - + st_vhost->util_ldap_cache = st->util_ldap_cache; + st_vhost->util_ldap_cache_lock = st->util_ldap_cache_lock; #if APR_HAS_SHARED_MEMORY st_vhost->cache_shm = st->cache_shm; st_vhost->cache_rmm = st->cache_rmm; st_vhost->cache_file = st->cache_file; - st_vhost->util_ldap_cache = st->util_ldap_cache; ap_log_error(APLOG_MARK, APLOG_DEBUG, result, s, APLOGNO(01316) "LDAP merging Shared Cache conf: shm=0x%pp rmm=0x%pp " "for VHOST: %s", st->cache_shm, st->cache_rmm, debian/patches/split-logfile.patch0000644000000000000000000000215213376761111014416 0ustar Description: fix completely broken split-logfile command Author: Holger Mauermann Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=56329 Bug-Ubuntu: https://launchpad.net/bugs/1299162 Reviewed-by: Robie Basak Last-Update: 2014-04-03 --- a/support/split-logfile.in 2014-02-13 13:11:33.000000000 +0100 +++ b/support/split-logfile.in 2014-03-28 20:27:59.600942795 +0100 @@ -29,7 +29,7 @@ use strict; use warnings; -my %is_open = (); +my %log_file = (); while (my $log_line = ) { # @@ -54,10 +54,9 @@ # If the log file for this virtual host isn't opened # yet, do it now. # - if (! $is_open{$vhost}) { - open $vhost, ">>${vhost}.log" + if (! $log_file{$vhost}) { + open $log_file{$vhost}, ">>${vhost}.log" or die ("Can't open ${vhost}.log"); - $is_open{$vhost} = 1; } # # Strip off the first token (which may be null in the 
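Review bot: The rewritten `open` in the `@@ -54` hunk of split-logfile still uses the two-argument form, with the file name interpolated from the first token of each input line, and its `die` message omits the OS error. Prefer `open $log_file{$vhost}, '>>', "${vhost}.log" or die "Can't open ${vhost}.log: $!";`, which keeps the mode separate from data read from the log. Whatever normalisation is applied to `$vhost` happens above the hunk and is not visible here, so it is worth confirming that path separators are rejected before this line. Handles stay open per vhost for the whole run, so input with very many distinct first tokens will reach the descriptor limit and stop at the `die`.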
@@ -65,6 +64,6 @@ # record to the current log file. # $log_line =~ s/^\S*\s+//; - printf $vhost "%s", $log_line; + print {$log_file{$vhost}} $log_line; } exit 0; debian/patches/CVE-2015-3183.patch0000644000000000000000000006760013376761111013253 0ustar Description: fix request smuggling via chunked transfer encoding Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1684515 Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1685904 Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1685950 Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1686271 Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1688935 Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1689821 Index: apache2-2.4.7/modules/http/http_filters.c =================================================================== --- apache2-2.4.7.orig/modules/http/http_filters.c 2015-07-24 12:27:04.966661328 -0400 +++ apache2-2.4.7/modules/http/http_filters.c 2015-07-24 12:42:11.864774475 -0400 
@@ -57,24 +57,29 @@ APLOG_USE_MODULE(http); -#define INVALID_CHAR -2 - -static long get_chunk_size(char *); - -typedef struct http_filter_ctx { +typedef struct http_filter_ctx +{ apr_off_t remaining; apr_off_t limit; apr_off_t limit_used; - enum { - BODY_NONE, - BODY_LENGTH, - BODY_CHUNK, - BODY_CHUNK_PART + apr_int32_t chunk_used; + apr_int32_t chunk_bws; + apr_int32_t chunkbits; + enum + { + BODY_NONE, /* streamed data */ + BODY_LENGTH, /* data constrained by content length */ + BODY_CHUNK, /* chunk expected */ + BODY_CHUNK_PART, /* chunk digits */ + BODY_CHUNK_EXT, /* chunk extension */ + BODY_CHUNK_CR, /* got space(s) after digits, expect [CR]LF or ext */ + BODY_CHUNK_LF, /* got CR after digits or ext, expect LF */ + BODY_CHUNK_DATA, /* data constrained by chunked encoding */ + BODY_CHUNK_END, /* chunked data terminating CRLF */ + BODY_CHUNK_END_LF, /* got CR after data, expect LF */ + BODY_CHUNK_TRAILER /* trailers */ } state; - int eos_sent; - char chunk_ln[32]; - char *pos; - apr_off_t linesize; + unsigned int eos_sent :1; apr_bucket_brigade *bb; } http_ctx_t; 
@@ -102,117 +107,154 @@ return ap_pass_brigade(f->r->output_filters, bb); } -static apr_status_t get_remaining_chunk_line(http_ctx_t *ctx, - apr_bucket_brigade *b, - int linelimit) +/** + * Parse a chunk line with optional extension, detect overflow. + * There are two error cases: + * 1) If the conversion would require too many bits, APR_EGENERAL is returned. + * 2) If the conversion used the correct number of bits, but an overflow + * caused only the sign bit to flip, then APR_ENOSPC is returned. + * In general, any negative number can be considered an overflow error. + */ +static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer, + apr_size_t len, int linelimit) { - apr_status_t rv; - apr_off_t brigade_length; - apr_bucket *e; - const char *lineend; - apr_size_t len = 0; + apr_size_t i = 0; - /* - * As the brigade b should have been requested in mode AP_MODE_GETLINE - * all buckets in this brigade are already some type of memory - * buckets (due to the needed scanning for LF in mode AP_MODE_GETLINE) - * or META buckets. - */ - rv = apr_brigade_length(b, 0, &brigade_length); - if (rv != APR_SUCCESS) { - return rv; - } - /* Sanity check. Should never happen. See above. */ - if (brigade_length == -1) { - return APR_EGENERAL; - } - if (!brigade_length) { - return APR_EAGAIN; - } - ctx->linesize += brigade_length; - if (ctx->linesize > linelimit) { - return APR_ENOSPC; - } - /* - * As all buckets are already some type of memory buckets or META buckets - * (see above), we only need to check the last byte in the last data bucket. 
- */ - for (e = APR_BRIGADE_LAST(b); - e != APR_BRIGADE_SENTINEL(b); - e = APR_BUCKET_PREV(e)) { + while (i < len) { + char c = buffer[i]; + + ap_xlate_proto_from_ascii(&c, 1); - if (APR_BUCKET_IS_METADATA(e)) { + /* handle CRLF after the chunk */ + if (ctx->state == BODY_CHUNK_END + || ctx->state == BODY_CHUNK_END_LF) { + if (c == LF) { + ctx->state = BODY_CHUNK; + } + else if (c == CR && ctx->state == BODY_CHUNK_END) { + ctx->state = BODY_CHUNK_END_LF; + } + else { + /* + * LF expected. + */ + return APR_EINVAL; + } + i++; continue; } - rv = apr_bucket_read(e, &lineend, &len, APR_BLOCK_READ); - if (rv != APR_SUCCESS) { - return rv; + + /* handle start of the chunk */ + if (ctx->state == BODY_CHUNK) { + if (!apr_isxdigit(c)) { + /* + * Detect invalid character at beginning. This also works for + * empty chunk size lines. + */ + return APR_EINVAL; + } + else { + ctx->state = BODY_CHUNK_PART; + } + ctx->remaining = 0; + ctx->chunkbits = sizeof(apr_off_t) * 8; + ctx->chunk_used = 0; + ctx->chunk_bws = 0; } - if (len > 0) { - break; /* we got the data we want */ + + if (c == LF) { + if (ctx->remaining) { + ctx->state = BODY_CHUNK_DATA; + } + else { + ctx->state = BODY_CHUNK_TRAILER; + } } - /* If we got a zero-length data bucket, we try the next one */ - } - /* We had no data in this brigade */ - if (!len || e == APR_BRIGADE_SENTINEL(b)) { - return APR_EAGAIN; - } - if (lineend[len - 1] != APR_ASCII_LF) { - return APR_EAGAIN; - } - /* Line is complete. So reset ctx for next round. */ - ctx->linesize = 0; - ctx->pos = ctx->chunk_ln; - return APR_SUCCESS; -} + else if (ctx->state == BODY_CHUNK_LF) { + /* + * LF expected. + */ + return APR_EINVAL; + } + else if (c == CR) { + ctx->state = BODY_CHUNK_LF; + } + else if (c == ';') { + ctx->state = BODY_CHUNK_EXT; + } + else if (ctx->state == BODY_CHUNK_EXT) { + /* + * Control chars (but tabs) are invalid. 
+ */ + if (c != '\t' && apr_iscntrl(c)) { + return APR_EINVAL; + } + } + else if (c == ' ' || c == '\t') { + /* Be lenient up to 10 BWS (term from rfc7230 - 3.2.3). + */ + ctx->state = BODY_CHUNK_CR; + if (++ctx->chunk_bws > 10) { + return APR_EINVAL; + } + } + else if (ctx->state == BODY_CHUNK_CR) { + /* + * ';', CR or LF expected. + */ + return APR_EINVAL; + } + else if (ctx->state == BODY_CHUNK_PART) { + int xvalue; -static apr_status_t get_chunk_line(http_ctx_t *ctx, apr_bucket_brigade *b, - int linelimit) -{ - apr_size_t len; - int tmp_len; - apr_status_t rv; + /* ignore leading zeros */ + if (!ctx->remaining && c == '0') { + i++; + continue; + } - tmp_len = sizeof(ctx->chunk_ln) - (ctx->pos - ctx->chunk_ln) - 1; - /* Saveguard ourselves against underflows */ - if (tmp_len < 0) { - len = 0; - } - else { - len = (apr_size_t) tmp_len; - } - /* - * Check if there is space left in ctx->chunk_ln. If not, then either - * the chunk size is insane or we have chunk-extensions. Ignore both - * by discarding the remaining part of the line via - * get_remaining_chunk_line. Only bail out if the line is too long. - */ - if (len > 0) { - rv = apr_brigade_flatten(b, ctx->pos, &len); - if (rv != APR_SUCCESS) { - return rv; - } - ctx->pos += len; - ctx->linesize += len; - *(ctx->pos) = '\0'; - /* - * Check if we really got a full line. If yes the - * last char in the just read buffer must be LF. - * If not advance the buffer and return APR_EAGAIN. - * We do not start processing until we have the - * full line. 
- */ - if (ctx->pos[-1] != APR_ASCII_LF) { - /* Check if the remaining data in the brigade has the LF */ - return get_remaining_chunk_line(ctx, b, linelimit); + ctx->chunkbits -= 4; + if (ctx->chunkbits < 0) { + /* overflow */ + return APR_ENOSPC; + } + + if (c >= '0' && c <= '9') { + xvalue = c - '0'; + } + else if (c >= 'A' && c <= 'F') { + xvalue = c - 'A' + 0xa; + } + else if (c >= 'a' && c <= 'f') { + xvalue = c - 'a' + 0xa; + } + else { + /* bogus character */ + return APR_EINVAL; + } + + ctx->remaining = (ctx->remaining << 4) | xvalue; + if (ctx->remaining < 0) { + /* overflow */ + return APR_ENOSPC; + } } - /* Line is complete. So reset ctx->pos for next round. */ - ctx->pos = ctx->chunk_ln; - return APR_SUCCESS; + else { + /* Should not happen */ + return APR_EGENERAL; + } + + i++; + } + + /* sanity check */ + ctx->chunk_used += len; + if (ctx->chunk_used < 0 || ctx->chunk_used > linelimit) { + return APR_ENOSPC; } - return get_remaining_chunk_line(ctx, b, linelimit); -} + return APR_SUCCESS; +} static apr_status_t read_chunked_trailers(http_ctx_t *ctx, ap_filter_t *f, apr_bucket_brigade *b, int merge) @@ -226,7 +268,6 @@ r->status = HTTP_OK; r->headers_in = r->trailers_in; apr_table_clear(r->headers_in); - ctx->state = BODY_NONE; ap_get_mime_headers(r); if(r->status == HTTP_OK) { @@ -270,9 +311,9 @@ apr_bucket *e; http_ctx_t *ctx = f->ctx; apr_status_t rv; - apr_off_t totalread; int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE; apr_bucket_brigade *bb; + int again; conf = (core_server_config *) ap_get_module_config(f->r->server->module_config, &core_module); @@ -286,7 +327,6 @@ const char *tenc, *lenp; f->ctx = ctx = apr_pcalloc(f->r->pool, sizeof(*ctx)); ctx->state = BODY_NONE; - ctx->pos = ctx->chunk_ln; ctx->bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc); bb = ctx->bb; 
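Review bot: The doc comment added above parse_chunk_size() does not match the status codes the function returns. Too many hex digits (`chunkbits < 0`) and a flipped sign bit both return APR_ENOSPC, malformed characters return APR_EINVAL, and APR_EGENERAL is reached only in the final "Should not happen" branch. The distinction matters because the caller in the later `@@ -404,276 +445,200 @@` hunk turns APR_ENOSPC into 413 and every other parse error into 400, so I would reword the comment to list APR_EINVAL for a malformed size line, APR_ENOSPC for overflow or an over-long line, and APR_EGENERAL for an unexpected state. Separately, `ctx->chunk_used += len` adds an apr_size_t to an apr_int32_t and relies on the sign test afterwards. Assuming chunk_used never exceeds linelimit on entry, testing before adding with `if (len > (apr_size_t)(linelimit - ctx->chunk_used)) return APR_ENOSPC;` avoids depending on the narrowing conversion.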
@@ -339,7 +379,7 @@ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, APLOGNO(01587) "Invalid Content-Length"); - return bail_out_on_error(ctx, f, HTTP_REQUEST_ENTITY_TOO_LARGE); + return bail_out_on_error(ctx, f, HTTP_BAD_REQUEST); } /* If we have a limit in effect and we know the C-L ahead of @@ -381,7 +421,8 @@ if (!ap_is_HTTP_SUCCESS(f->r->status)) { ctx->state = BODY_NONE; ctx->eos_sent = 1; - } else { + } + else { char *tmp; int len; 
@@ -404,276 +445,200 @@ ap_pass_brigade(f->c->output_filters, bb); } } + } - /* We can't read the chunk until after sending 100 if required. */ - if (ctx->state == BODY_CHUNK) { - apr_brigade_cleanup(bb); + /* sanity check in case we're read twice */ + if (ctx->eos_sent) { + e = apr_bucket_eos_create(f->c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(b, e); + return APR_SUCCESS; + } + + do { + apr_brigade_cleanup(b); + again = 0; /* until further notice */ + + /* read and handle the brigade */ + switch (ctx->state) { + case BODY_CHUNK: + case BODY_CHUNK_PART: + case BODY_CHUNK_EXT: + case BODY_CHUNK_CR: + case BODY_CHUNK_LF: + case BODY_CHUNK_END: + case BODY_CHUNK_END_LF: { - rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, - block, 0); + rv = ap_get_brigade(f->next, b, AP_MODE_GETLINE, block, 0); /* for timeout */ - if (block == APR_NONBLOCK_READ && - ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) || - (APR_STATUS_IS_EAGAIN(rv)) )) { - ctx->state = BODY_CHUNK_PART; + if (block == APR_NONBLOCK_READ + && ((rv == APR_SUCCESS && APR_BRIGADE_EMPTY(b)) + || (APR_STATUS_IS_EAGAIN(rv)))) { return APR_EAGAIN; } - if (rv == APR_SUCCESS) { - rv = get_chunk_line(ctx, bb, f->r->server->limit_req_line); - if (APR_STATUS_IS_EAGAIN(rv)) { - apr_brigade_cleanup(bb); - ctx->state = BODY_CHUNK_PART; - return rv; - } - if (rv == APR_SUCCESS) { - ctx->remaining = get_chunk_size(ctx->chunk_ln); - if (ctx->remaining == INVALID_CHAR) { - rv = APR_EGENERAL; - http_error = HTTP_BAD_REQUEST; - } - } + if (rv == APR_EOF) { + return APR_INCOMPLETE; } - apr_brigade_cleanup(bb); - /* Detect chunksize error (such as overflow) */ - if (rv != APR_SUCCESS || ctx->remaining < 0) { - ap_log_rerror(APLOG_MARK, APLOG_INFO, rv, f->r, APLOGNO(01589) "Error reading first chunk %s ", - (ctx->remaining < 0) ? 
"(overflow)" : ""); - ctx->remaining = 0; /* Reset it in case we have to - * come back here later */ - if (APR_STATUS_IS_TIMEUP(rv)) { - http_error = HTTP_REQUEST_TIME_OUT; - } - return bail_out_on_error(ctx, f, http_error); + if (rv != APR_SUCCESS) { + return rv; } - if (!ctx->remaining) { - return read_chunked_trailers(ctx, f, b, - conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE); - } - } - } - else { - bb = ctx->bb; - } + e = APR_BRIGADE_FIRST(b); + while (e != APR_BRIGADE_SENTINEL(b)) { + const char *buffer; + apr_size_t len; - if (ctx->eos_sent) { - e = apr_bucket_eos_create(f->c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(b, e); - return APR_SUCCESS; - } + if (!APR_BUCKET_IS_METADATA(e)) { + int parsing = 0; - if (!ctx->remaining) { - switch (ctx->state) { - case BODY_NONE: - break; - case BODY_LENGTH: - e = apr_bucket_eos_create(f->c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(b, e); - ctx->eos_sent = 1; - return APR_SUCCESS; - case BODY_CHUNK: - case BODY_CHUNK_PART: - { - apr_brigade_cleanup(bb); + rv = apr_bucket_read(e, &buffer, &len, APR_BLOCK_READ); - /* We need to read the CRLF after the chunk. */ - if (ctx->state == BODY_CHUNK) { - rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, - block, 0); - if (block == APR_NONBLOCK_READ && - ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) || - (APR_STATUS_IS_EAGAIN(rv)) )) { - return APR_EAGAIN; + if (rv == APR_SUCCESS) { + parsing = 1; + rv = parse_chunk_size(ctx, buffer, len, + f->r->server->limit_req_fieldsize); } - /* If we get an error, then leave */ if (rv != APR_SUCCESS) { - return rv; - } - /* - * We really don't care whats on this line. If it is RFC - * compliant it should be only \r\n. If there is more - * before we just ignore it as long as we do not get over - * the limit for request lines. 
- */ - rv = get_remaining_chunk_line(ctx, bb, - f->r->server->limit_req_line); - apr_brigade_cleanup(bb); - if (APR_STATUS_IS_EAGAIN(rv)) { - return rv; - } - } else { - rv = APR_SUCCESS; - } - - if (rv == APR_SUCCESS) { - /* Read the real chunk line. */ - rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, - block, 0); - /* Test timeout */ - if (block == APR_NONBLOCK_READ && - ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) || - (APR_STATUS_IS_EAGAIN(rv)) )) { - ctx->state = BODY_CHUNK_PART; - return APR_EAGAIN; - } - ctx->state = BODY_CHUNK; - if (rv == APR_SUCCESS) { - rv = get_chunk_line(ctx, bb, f->r->server->limit_req_line); - if (APR_STATUS_IS_EAGAIN(rv)) { - ctx->state = BODY_CHUNK_PART; - apr_brigade_cleanup(bb); - return rv; - } - if (rv == APR_SUCCESS) { - ctx->remaining = get_chunk_size(ctx->chunk_ln); - if (ctx->remaining == INVALID_CHAR) { - rv = APR_EGENERAL; + ap_log_rerror(APLOG_MARK, APLOG_INFO, rv, f->r, APLOGNO(01590) + "Error reading/parsing chunk %s ", + (APR_ENOSPC == rv) ? "(overflow)" : ""); + if (parsing) { + if (rv != APR_ENOSPC) { http_error = HTTP_BAD_REQUEST; } + return bail_out_on_error(ctx, f, http_error); } + return rv; } - apr_brigade_cleanup(bb); } - /* Detect chunksize error (such as overflow) */ - if (rv != APR_SUCCESS || ctx->remaining < 0) { - ap_log_rerror(APLOG_MARK, APLOG_INFO, rv, f->r, APLOGNO(01590) "Error reading chunk %s ", - (ctx->remaining < 0) ? 
"(overflow)" : ""); - ctx->remaining = 0; /* Reset it in case we have to - * come back here later */ - if (APR_STATUS_IS_TIMEUP(rv)) { - http_error = HTTP_REQUEST_TIME_OUT; - } - return bail_out_on_error(ctx, f, http_error); - } + apr_bucket_delete(e); + e = APR_BRIGADE_FIRST(b); + } + again = 1; /* come around again */ - if (!ctx->remaining) { - return read_chunked_trailers(ctx, f, b, + if (ctx->state == BODY_CHUNK_TRAILER) { + /* Treat UNSET as DISABLE - trailers aren't merged by default */ + return read_chunked_trailers(ctx, f, b, conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE); - } } + break; } - } - /* Ensure that the caller can not go over our boundary point. */ - if (ctx->state == BODY_LENGTH || ctx->state == BODY_CHUNK) { - if (ctx->remaining < readbytes) { - readbytes = ctx->remaining; - } - AP_DEBUG_ASSERT(readbytes > 0); - } + case BODY_NONE: + case BODY_LENGTH: + case BODY_CHUNK_DATA: { - rv = ap_get_brigade(f->next, b, mode, block, readbytes); + /* Ensure that the caller can not go over our boundary point. */ + if (ctx->state != BODY_NONE && ctx->remaining < readbytes) { + readbytes = ctx->remaining; + } + if (readbytes > 0) { + apr_off_t totalread; + + rv = ap_get_brigade(f->next, b, mode, block, readbytes); + + /* for timeout */ + if (block == APR_NONBLOCK_READ + && ((rv == APR_SUCCESS && APR_BRIGADE_EMPTY(b)) + || (APR_STATUS_IS_EAGAIN(rv)))) { + return APR_EAGAIN; + } - if (rv != APR_SUCCESS) { - return rv; - } + if (rv == APR_EOF && ctx->state != BODY_NONE + && ctx->remaining > 0) { + return APR_INCOMPLETE; + } - /* How many bytes did we just read? */ - apr_brigade_length(b, 0, &totalread); + if (rv != APR_SUCCESS) { + return rv; + } - /* If this happens, we have a bucket of unknown length. Die because - * it means our assumptions have changed. 
*/ - AP_DEBUG_ASSERT(totalread >= 0); - - if (ctx->state != BODY_NONE) { - ctx->remaining -= totalread; - if (ctx->remaining > 0) { - e = APR_BRIGADE_LAST(b); - if (APR_BUCKET_IS_EOS(e)) - return APR_EOF; - } - } + /* How many bytes did we just read? */ + apr_brigade_length(b, 0, &totalread); - /* If we have no more bytes remaining on a C-L request, - * save the callter a roundtrip to discover EOS. - */ - if (ctx->state == BODY_LENGTH && ctx->remaining == 0) { - e = apr_bucket_eos_create(f->c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(b, e); - } + /* If this happens, we have a bucket of unknown length. Die because + * it means our assumptions have changed. */ + AP_DEBUG_ASSERT(totalread >= 0); + + if (ctx->state != BODY_NONE) { + ctx->remaining -= totalread; + if (ctx->remaining > 0) { + e = APR_BRIGADE_LAST(b); + if (APR_BUCKET_IS_EOS(e)) { + apr_bucket_delete(e); + return APR_INCOMPLETE; + } + } + else if (ctx->state == BODY_CHUNK_DATA) { + /* next chunk please */ + ctx->state = BODY_CHUNK_END; + ctx->chunk_used = 0; + } + } - /* We have a limit in effect. */ - if (ctx->limit) { - /* FIXME: Note that we might get slightly confused on chunked inputs - * as we'd need to compensate for the chunk lengths which may not - * really count. This seems to be up for interpretation. */ - ctx->limit_used += totalread; - if (ctx->limit < ctx->limit_used) { - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, APLOGNO(01591) - "Read content-length of %" APR_OFF_T_FMT - " is larger than the configured limit" - " of %" APR_OFF_T_FMT, ctx->limit_used, ctx->limit); - apr_brigade_cleanup(bb); - e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL, - f->r->pool, - f->c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb, e); - e = apr_bucket_eos_create(f->c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb, e); - ctx->eos_sent = 1; - return ap_pass_brigade(f->r->output_filters, bb); - } - } + /* We have a limit in effect. 
*/ + if (ctx->limit) { + /* FIXME: Note that we might get slightly confused on + * chunked inputs as we'd need to compensate for the chunk + * lengths which may not really count. This seems to be up + * for interpretation. + */ + ctx->limit_used += totalread; + if (ctx->limit < ctx->limit_used) { + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, + APLOGNO(01591) "Read content length of " + "%" APR_OFF_T_FMT " is larger than the " + "configured limit of %" APR_OFF_T_FMT, + ctx->limit_used, ctx->limit); + return bail_out_on_error(ctx, f, + HTTP_REQUEST_ENTITY_TOO_LARGE); + } + } + } - return APR_SUCCESS; -} + /* If we have no more bytes remaining on a C-L request, + * save the caller a round trip to discover EOS. + */ + if (ctx->state == BODY_LENGTH && ctx->remaining == 0) { + e = apr_bucket_eos_create(f->c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(b, e); + ctx->eos_sent = 1; + } -/** - * Parse a chunk extension, detect overflow. - * There are two error cases: - * 1) If the conversion would require too many bits, a -1 is returned. - * 2) If the conversion used the correct number of bits, but an overflow - * caused only the sign bit to flip, then that negative number is - * returned. - * In general, any negative number can be considered an overflow error. - */ -static long get_chunk_size(char *b) -{ - long chunksize = 0; - size_t chunkbits = sizeof(long) * 8; + break; + } + case BODY_CHUNK_TRAILER: { - ap_xlate_proto_from_ascii(b, strlen(b)); + rv = ap_get_brigade(f->next, b, mode, block, readbytes); - if (!apr_isxdigit(*b)) { - /* - * Detect invalid character at beginning. This also works for empty - * chunk size lines. 
- */ - return INVALID_CHAR; - } - /* Skip leading zeros */ - while (*b == '0') { - ++b; - } + /* for timeout */ + if (block == APR_NONBLOCK_READ + && ((rv == APR_SUCCESS && APR_BRIGADE_EMPTY(b)) + || (APR_STATUS_IS_EAGAIN(rv)))) { + return APR_EAGAIN; + } - while (apr_isxdigit(*b) && (chunkbits > 0)) { - int xvalue = 0; + if (rv != APR_SUCCESS) { + return rv; + } - if (*b >= '0' && *b <= '9') { - xvalue = *b - '0'; + break; } - else if (*b >= 'A' && *b <= 'F') { - xvalue = *b - 'A' + 0xa; + default: { + /* Should not happen */ + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, APLOGNO(02901) + "Unexpected body state (%i)", (int)ctx->state); + return APR_EGENERAL; } - else if (*b >= 'a' && *b <= 'f') { - xvalue = *b - 'a' + 0xa; } - chunksize = (chunksize << 4) | xvalue; - chunkbits -= 4; - ++b; - } - if (apr_isxdigit(*b)) { - /* overflow */ - return -1; - } + } while (again); - return chunksize; + return APR_SUCCESS; } typedef struct header_struct { debian/patches/CVE-2014-0098.patch0000644000000000000000000000410313376761111013241 0ustar Description: fix denial of service via truncated cookie and mod_log_config Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1575904 Index: apache2-2.4.7/modules/loggers/mod_log_config.c =================================================================== --- apache2-2.4.7.orig/modules/loggers/mod_log_config.c 2013-11-15 12:07:52.000000000 -0500 +++ apache2-2.4.7/modules/loggers/mod_log_config.c 2014-03-19 15:26:13.407863790 -0400 
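Review bot: In the BODY_NONE / BODY_LENGTH / BODY_CHUNK_DATA case the return value of `apr_brigade_length(b, 0, &totalread)` is ignored, and a negative `totalread` is caught only by `AP_DEBUG_ASSERT(totalread >= 0)`, which I believe compiles away in non-debug builds. If a bucket of unknown length ever reached this point, `ctx->remaining -= totalread` would enlarge the remaining byte count instead of reducing it, and that count is the body-framing accounting this patch is meant to tighten. The lines are carried over from the old code, but since the block is rewritten here I would add an explicit check after the call, `if (totalread < 0) return APR_EGENERAL;`. It is also worth a comment next to the AH01590 message that it is logged at APLOG_INFO, so malformed chunk framing is not recorded unless the log level is info or more verbose.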
@@ -543,14 +543,24 @@ while ((cookie = apr_strtok(cookies, ";", &last1))) { char *name = apr_strtok(cookie, "=", &last2); - if (name) { - char *value = name + strlen(name) + 1; - apr_collapse_spaces(name, name); + /* last2 points to the next char following an '=' delim, + or the trailing NUL char of the string */ + char *value = last2; + if (name && *name && value && *value) { + char *last = value - 2; + /* Move past leading WS */ + name += strspn(name, " \t"); + while (last >= name && apr_isspace(*last)) { + *last = '\0'; + --last; + } if (!strcasecmp(name, a)) { - char *last; - value += strspn(value, " \t"); /* Move past leading WS */ - last = value + strlen(value) - 1; + /* last1 points to the next char following the ';' delim, + or the trailing NUL char of the string */ + last = last1 - (*last1 ? 2 : 1); + /* Move past leading WS */ + value += strspn(value, " \t"); while (last >= value && apr_isspace(*last)) { *last = '\0'; --last; @@ -559,6 +569,7 @@ return ap_escape_logitem(r->pool, value); } } + /* Iterate the remaining tokens using apr_strtok(NULL, ...) */ cookies = NULL; } } debian/patches/CVE-2017-7668.patch0000644000000000000000000000331713376761111013264 0ustar From a585e36e06a53170be6d2d462ceb5b30b8382988 Mon Sep 17 00:00:00 2001 
From: Jim Jagielski Date: Tue, 30 May 2017 12:28:20 +0000 Subject: [PATCH] Merge r1796350 from trunk: short-circuit on NULL Submitted By: jchampion Submitted by: covener Reviewed by: covener, ylavic, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796856 13f79535-47bb-0310-9956-ffa450edef68 --- STATUS | 4 ---- server/util.c | 6 ++---- 2 files changed, 2 insertions(+), 8 deletions(-) #diff --git a/STATUS b/STATUS #index 456596a6160..87abfa95d81 100644 #--- a/STATUS #+++ b/STATUS #@@ -120,10 +120,6 @@ RELEASE SHOWSTOPPERS: # PATCHES ACCEPTED TO BACKPORT FROM TRUNK: # [ start all new proposals below, under PATCHES PROPOSED. ] # #- *) core: Terminate token processing on NULL. #- trunk patch: http://svn.apache.org/r1796350 #- 2.4.x patch: svn merge -c 1796350 ^/httpd/httpd/trunk . #- +1: covener, ylavic, jim # # # PATCHES PROPOSED TO BACKPORT FROM TRUNK: Index: apache2-2.4.7/server/util.c =================================================================== --- apache2-2.4.7.orig/server/util.c 2017-06-26 08:04:48.041609150 -0400 +++ apache2-2.4.7/server/util.c 2017-06-26 08:04:48.037609107 -0400 @@ -1537,10 +1537,8 @@ AP_DECLARE(int) ap_find_token(apr_pool_t s = (const unsigned char *)line; for (;;) { - /* find start of token, skip all stop characters, note NUL - * isn't a token stop, so we don't need to test for it - */ - while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) { + /* find start of token, skip all stop characters */ + while (*s && TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) { ++s; } if (!*s) { debian/patches/CVE-2017-9788.patch0000644000000000000000000000431413376761111013267 0ustar From 549ba6a39aa0df78a610025f74f3a06503a70f67 Mon Sep 17 00:00:00 2001 
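Review bot: The replacement comment in ap_find_token() drops the old rationale about NUL and does not say why the new `*s &&` test is needed. The removed comment claimed NUL was not a token stop. The fix implies that assumption no longer holds, presumably because TEST_CHAR() can report NUL as a stop character, in which case the loop would run past the end of `line`. I would record that in the comment, for example `/* find start of token, skip all stop characters; NUL is tested explicitly so the scan stops at the end of the string */`. The function body starts and ends outside the hunk.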
From: "William A. Rowe Jr" Date: Thu, 6 Jul 2017 00:02:54 +0000 Subject: [PATCH] Correct string scope to prevent duplicated values for subsequent tokens. Submitted by: wrowe Backports: r1800919 Reviewed by: wrowe, jim, jchampion git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1800955 13f79535-47bb-0310-9956-ffa450edef68 --- STATUS | 5 ----- modules/aaa/mod_auth_digest.c | 4 ++-- 2 files changed, 2 insertions(+), 7 deletions(-) #diff --git a/STATUS b/STATUS #index cc2f9e5592c..6f4ef92edcf 100644 #--- a/STATUS #+++ b/STATUS #@@ -115,11 +115,6 @@ RELEASE SHOWSTOPPERS: # PATCHES ACCEPTED TO BACKPORT FROM TRUNK: # [ start all new proposals below, under PATCHES PROPOSED. ] # #- *) Correct string scope to prevent duplicated values for subsequent tokens. #- Submitted by: wrowe #- trunk patch: http://svn.apache.org/r1800919 #- +1: wrowe, jim, jchampion #- # *) Fix negotiation type parsing to be strict about "*", "*/*" and "type/*" # comparisons. # Submitted by: wrowe, Robert Święcki Index: apache2-2.4.25/modules/aaa/mod_auth_digest.c =================================================================== --- apache2-2.4.25.orig/modules/aaa/mod_auth_digest.c 2017-07-27 10:32:26.640621384 -0400 +++ apache2-2.4.25/modules/aaa/mod_auth_digest.c 2017-07-27 10:32:26.632621384 -0400 @@ -956,13 +956,13 @@ static int get_digest_rec(request_rec *r /* find value */ + vv = 0; if (auth_line[0] == '=') { auth_line++; while (apr_isspace(auth_line[0])) { auth_line++; } - vv = 0; if (auth_line[0] == '\"') { /* quoted string */ auth_line++; while (auth_line[0] != '\"' && auth_line[0] != '\0') { @@ -981,8 +981,8 @@ static int get_digest_rec(request_rec *r value[vv++] = *auth_line++; } } - value[vv] = '\0'; } + value[vv] = '\0'; while (auth_line[0] != ',' && auth_line[0] != '\0') { auth_line++; debian/patches/CVE-2019-0220-1.patch0000644000000000000000000002310113451145745013371 0ustar Backport of: From 9bc1917a27a2323e535aadb081e38172ae0e3fc2 Mon Sep 17 00:00:00 2001 
From: Stefan Eissing Date: Mon, 18 Mar 2019 08:49:59 +0000 Subject: [PATCH] Merge of r1855705 from trunk: core: merge consecutive slashes in the path git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855737 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ docs/manual/mod/core.xml | 26 ++++++++++++++++++++++++++ include/ap_mmn.h | 4 +++- include/http_core.h | 2 +- include/httpd.h | 14 ++++++++++++-- server/core.c | 13 +++++++++++++ server/request.c | 25 +++++++++---------------- server/util.c | 10 +++++++--- 8 files changed, 75 insertions(+), 23 deletions(-) #diff --git a/CHANGES b/CHANGES #index e3e8a98db24..9dd7045c232 100644 #--- a/CHANGES #+++ b/CHANGES #@@ -1,6 +1,10 @@ # -*- coding: utf-8 -*- # Changes with Apache 2.4.39 # #+ *) core: new configuration option 'MergeSlashes on|off' that controls handling of #+ multiple, consecutive slash ('/') characters in the path component of the request URL. #+ [Eric Covener] #+ # *) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is # in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED. # Fixed. [Michael Kaufmann] #diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml #index fc664116727..460b4367621 100644 #--- a/docs/manual/mod/core.xml #+++ b/docs/manual/mod/core.xml #@@ -5138,4 +5138,30 @@ recognized methods to modules.

# AllowMethods # # #+ #+MergeSlashes #+Controls whether the server merges consecutive slashes in URLs. #+ #+MergeSlashes ON|OFF #+MergeSlashes ON #+server configvirtual host #+ #+Added in 2.5.1 #+ #+ #+

By default, the server merges (or collapses) multiple consecutive slash #+ ('/') characters in the path component of the request URL.

#+ #+

When mapping URL's to the filesystem, these multiple slashes are not #+ significant. However, URL's handled other ways, such as by CGI or proxy, #+ might prefer to retain the significance of multiple consecutive slashes. #+ In these cases MergeSlashes can be set to #+ OFF to retain the multiple consecutive slashes. In these #+ configurations, regular expressions used in the configuration file that match #+ the path component of the URL (LocationMatch, #+ RewriteRule, ...) need to take into account multiple #+ consecutive slashes.

#+
#+
#+ # Index: apache2-2.4.7/include/http_core.h =================================================================== --- apache2-2.4.7.orig/include/http_core.h 2019-04-03 10:50:22.424728467 -0400 +++ apache2-2.4.7/include/http_core.h 2019-04-03 10:50:22.420728394 -0400 @@ -682,7 +682,7 @@ typedef struct { #define AP_HTTP_METHODS_LENIENT 1 #define AP_HTTP_METHODS_REGISTERED 2 char http_methods; - + unsigned int merge_slashes; } core_server_config; /* for AddOutputFiltersByType in core.c */ Index: apache2-2.4.7/include/httpd.h =================================================================== --- apache2-2.4.7.orig/include/httpd.h 2019-04-03 10:50:22.424728467 -0400 +++ apache2-2.4.7/include/httpd.h 2019-04-03 10:50:22.420728394 -0400 @@ -1629,12 +1629,22 @@ AP_DECLARE(int) ap_unescape_url_keep2f(c AP_DECLARE(int) ap_unescape_urlencoded(char *query); /** - * Convert all double slashes to single slashes - * @param name The string to convert + * Convert all double slashes to single slashes, except where significant + * to the filesystem on the current platform. + * @param name The string to convert, assumed to be a filesystem path */ AP_DECLARE(void) ap_no2slash(char *name); /** + * Convert all double slashes to single slashes, except where significant + * to the filesystem on the current platform. + * @param name The string to convert + * @param is_fs_path if set to 0, the significance of any double-slashes is + * ignored. + */ +AP_DECLARE(void) ap_no2slash_ex(char *name, int is_fs_path); + +/** * Remove all ./ and xx/../ substrings from a file name. Also remove * any leading ../ or /../ substrings. * @param name the file name to parse Index: apache2-2.4.7/server/core.c =================================================================== --- apache2-2.4.7.orig/server/core.c 2019-04-03 10:50:22.424728467 -0400 +++ apache2-2.4.7/server/core.c 2019-04-03 10:54:29.241278799 -0400 
@@ -473,6 +473,7 @@ static void *create_core_server_config(a */ conf->trace_enable = AP_TRACE_UNSET; + conf->merge_slashes = 2; return (void *)conf; } @@ -532,6 +533,9 @@ static void *merge_core_server_configs(a conf->merge_trailers = (virt->merge_trailers != AP_MERGE_TRAILERS_UNSET) ? virt->merge_trailers : base->merge_trailers; + conf->merge_slashes = (virt->merge_slashes != 2) + ? virt->merge_slashes + : base->merge_slashes; return conf; } @@ -1668,6 +1672,13 @@ static const char *set_override(cmd_parm return NULL; } +static const char *set_core_server_flag(cmd_parms *cmd, void *s_, int flag) +{ + core_server_config *conf = + ap_get_core_module_config(cmd->server->module_config); + return ap_set_flag_slot(cmd, conf, flag); +} + static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *const argv[]) { core_dir_config *d = d_; @@ -4258,6 +4269,10 @@ AP_INIT_ITERATE("HttpProtocolOptions", s "'Unsafe' or 'Strict' (default). Sets HTTP acceptance rules"), AP_INIT_ITERATE("RegisterHttpMethod", set_http_method, NULL, RSRC_CONF, "Registers non-standard HTTP methods"), +AP_INIT_FLAG("MergeSlashes", set_core_server_flag, + (void *)APR_OFFSETOF(core_server_config, merge_slashes), + RSRC_CONF, + "Controls whether consecutive slashes in the URI path are merged"), { NULL } }; Index: apache2-2.4.7/server/request.c =================================================================== --- apache2-2.4.7.orig/server/request.c 2019-04-03 10:50:22.424728467 -0400 +++ apache2-2.4.7/server/request.c 2019-04-03 10:50:22.424728467 -0400 @@ -167,6 +167,8 @@ AP_DECLARE(int) ap_process_request_inter int file_req = (r->main && r->filename); int access_status; core_dir_config *d; + core_server_config *sconf = + ap_get_core_module_config(r->server->module_config); /* Ignore embedded %2F's in path for proxy requests */ if (!r->proxyreq && r->parsed_uri.path) { 
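Review bot: `conf->merge_slashes = 2` in create_core_server_config() and `virt->merge_slashes != 2` in merge_core_server_configs() use a bare literal as the "not configured" marker, while the neighbouring fields use named constants (`AP_TRACE_UNSET`, `AP_MERGE_TRAILERS_UNSET`). Neither hunk tells a reader that 2 means unset rather than a third mode, and the consumer in server/request.c tests `merge_slashes != 0`, so an unset value silently behaves as "on". I would introduce a named constant for the sentinel (name to be chosen by the project) and use it in both places, with a short comment that unset is treated as enabled.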
@@ -191,6 +193,10 @@ AP_DECLARE(int) ap_process_request_inter } ap_getparents(r->uri); /* OK --- shrinking transformations... */ + if (sconf->merge_slashes != 0) { + ap_no2slash(r->uri); + ap_no2slash(r->parsed_uri.path); + } /* All file subrequests are a huge pain... they cannot bubble through the * next several steps. Only file subrequests are allowed an empty uri, @@ -1383,20 +1389,7 @@ AP_DECLARE(int) ap_location_walk(request cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r); cached = (cache->cached != NULL); - - /* Location and LocationMatch differ on their behaviour w.r.t. multiple - * slashes. Location matches multiple slashes with a single slash, - * LocationMatch doesn't. An exception, for backwards brokenness is - * absoluteURIs... in which case neither match multiple slashes. - */ - if (r->uri[0] != '/') { - entry_uri = r->uri; - } - else { - char *uri = apr_pstrdup(r->pool, r->uri); - ap_no2slash(uri); - entry_uri = uri; - } + entry_uri = r->uri; /* If we have an cache->cached location that matches r->uri, * and the vhost's list of locations hasn't changed, we can skip @@ -1449,7 +1442,7 @@ AP_DECLARE(int) ap_location_walk(request * terminated (or at the end of the string) to match. */ if (entry_core->r - ? ap_regexec(entry_core->r, r->uri, 0, NULL, 0) + ? ap_regexec(entry_core->r, entry_uri, 0, NULL, 0) : (entry_core->d_is_fnmatch ? apr_fnmatch(entry_core->d, cache->cached, APR_FNM_PATHNAME) : (strncmp(entry_core->d, cache->cached, len) Index: apache2-2.4.7/server/util.c =================================================================== --- apache2-2.4.7.orig/server/util.c 2019-04-03 10:50:22.424728467 -0400 +++ apache2-2.4.7/server/util.c 2019-04-03 10:50:22.424728467 -0400 
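Review bot: `ap_no2slash(r->parsed_uri.path)` is called without checking the pointer, although the guard a few lines earlier in the same function (`if (!r->proxyreq && r->parsed_uri.path)`) shows that it can be NULL. As far as the server/util.c hunk of this patch shows, ap_no2slash_ex() dereferences its argument without a NULL test, so a request whose parsed URI has no path component would crash the worker here. I would guard the second call: `if (r->parsed_uri.path) ap_no2slash(r->parsed_uri.path);`. The enclosing function starts and ends outside the hunk.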
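Review bot: ap_location_walk() now matches against `r->uri` unchanged, where the removed code collapsed duplicate slashes on a copy before matching plain Location sections. With `MergeSlashes OFF`, a path containing `//` is therefore no longer normalised before the prefix or fnmatch comparison, so access restrictions attached to a Location block may not apply to such requests. The documentation text in this patch warns only about regular-expression directives (LocationMatch, RewriteRule), and I would extend it to say that Location matching is affected as well. At `entry_uri = r->uri;` I would add a comment such as `/* r->uri is only slash-merged when MergeSlashes is on */`. The function continues outside the hunk.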
@@ -561,16 +561,16 @@ AP_DECLARE(void) ap_getparents(char *nam name[l] = '\0'; } } - -AP_DECLARE(void) ap_no2slash(char *name) +AP_DECLARE(void) ap_no2slash_ex(char *name, int is_fs_path) { + char *d, *s; s = d = name; #ifdef HAVE_UNC_PATHS /* Check for UNC names. Leave leading two slashes. */ - if (s[0] == '/' && s[1] == '/') + if (is_fs_path && s[0] == '/' && s[1] == '/') *d++ = *s++; #endif @@ -587,6 +587,10 @@ AP_DECLARE(void) ap_no2slash(char *name) *d = '\0'; } +AP_DECLARE(void) ap_no2slash(char *name) +{ + ap_no2slash_ex(name, 1); +} /* * copy at most n leading directories of s into d debian/patches/CVE-2014-0118.patch0000644000000000000000000002336713376761111013247 0ustar Description: fix resource consumption via mod_deflate body decompression Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1610503 Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1610522 Index: apache2-2.4.7/modules/filters/mod_deflate.c =================================================================== --- apache2-2.4.7.orig/modules/filters/mod_deflate.c 2014-07-22 09:30:24.512176550 -0400 +++ apache2-2.4.7/modules/filters/mod_deflate.c 2014-07-22 09:30:36.128176492 -0400 @@ -37,6 +37,7 @@ #include "httpd.h" #include "http_config.h" #include "http_log.h" +#include "http_core.h" #include "apr_lib.h" #include "apr_strings.h" #include "apr_general.h" @@ -52,6 +53,9 @@ static const char deflateFilterName[] = "DEFLATE"; module AP_MODULE_DECLARE_DATA deflate_module; +#define AP_INFLATE_RATIO_LIMIT 200 +#define AP_INFLATE_RATIO_BURST 3 + typedef struct deflate_filter_config_t { int windowSize; @@ -63,6 +67,12 @@ char *note_output_name; } deflate_filter_config; +typedef struct deflate_dirconf_t { + apr_off_t inflate_limit; + int ratio_limit, + ratio_burst; +} deflate_dirconf_t; + /* RFC 1952 Section 2.3 defines the gzip header: * * +---+---+---+---+---+---+---+---+---+---+ 
@@ -119,7 +129,7 @@ } } else if (ap_strchr_c(encoding, ',') != NULL) { - /* If the outermost encoding isn't gzip, there's nowt + /* If the outermost encoding isn't gzip, there's nothing * we can do. So only check the last non-identity token */ char *new_encoding = apr_pstrdup(r->pool, encoding); @@ -204,6 +214,14 @@ return c; } +static void *create_deflate_dirconf(apr_pool_t *p, char *dummy) +{ + deflate_dirconf_t *dc = apr_pcalloc(p, sizeof(*dc)); + dc->ratio_limit = AP_INFLATE_RATIO_LIMIT; + dc->ratio_burst = AP_INFLATE_RATIO_BURST; + return dc; +} + static const char *deflate_set_window_size(cmd_parms *cmd, void *dummy, const char *arg) { @@ -295,6 +313,55 @@ return NULL; } + +static const char *deflate_set_inflate_limit(cmd_parms *cmd, void *dirconf, + const char *arg) +{ + deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; + char *errp; + + if (APR_SUCCESS != apr_strtoff(&dc->inflate_limit, arg, &errp, 10)) { + return "DeflateInflateLimitRequestBody is not parsable."; + } + if (*errp || dc->inflate_limit < 0) { + return "DeflateInflateLimitRequestBody requires a non-negative integer."; + } + + return NULL; +} + +static const char *deflate_set_inflate_ratio_limit(cmd_parms *cmd, + void *dirconf, + const char *arg) +{ + deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; + int i; + + i = atoi(arg); + if (i <= 0) + return "DeflateInflateRatioLimit must be positive"; + + dc->ratio_limit = i; + + return NULL; +} + +static const char *deflate_set_inflate_ratio_burst(cmd_parms *cmd, + void *dirconf, + const char *arg) +{ + deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; + int i; + + i = atoi(arg); + if (i <= 0) + return "DeflateInflateRatioBurst must be positive"; + + dc->ratio_burst = i; + + return NULL; +} + typedef struct deflate_ctx_t { z_stream stream; 
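Review bot: `deflate_set_inflate_ratio_limit` and `deflate_set_inflate_ratio_burst` in hunk `@@ -295,6 +313,55 @@` parse their argument with `atoi(arg)`, which accepts trailing garbage such as `200x` and gives no defined result for out-of-range input, whereas `deflate_set_inflate_limit` in the same hunk uses `apr_strtoff` and rejects leftover characters through `*errp`. These values bound request-body decompression, so a mistyped setting should fail at configuration time instead of being silently truncated to some other limit. The fence shows the stricter parse for the ratio limit; the burst setter would follow the same pattern. It assumes `INT_MAX` is reachable through the headers already included, which should be confirmed.

```c
/* in deflate_set_inflate_ratio_limit(); same pattern for deflate_set_inflate_ratio_burst() */
    deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
    char *endp;
    apr_int64_t v;

    v = apr_strtoi64(arg, &endp, 10);
    if (*endp || v <= 0 || v > INT_MAX)
        return "DeflateInflateRatioLimit must be positive";

    dc->ratio_limit = (int) v;
    /* … unchanged: return NULL … */
```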
@@ -305,6 +372,8 @@ unsigned char *validation_buffer; apr_size_t validation_buffer_length; unsigned int inflate_init:1; + int ratio_hits; + apr_off_t inflate_total; unsigned int filter_init:1; unsigned int done:1; } deflate_ctx; @@ -422,6 +491,22 @@ } } +/* Check whether the (inflate) ratio exceeds the configured limit/burst. */ +static int check_ratio(request_rec *r, deflate_ctx *ctx, + const deflate_dirconf_t *dc) +{ + if (ctx->stream.total_in) { + int ratio = ctx->stream.total_out / ctx->stream.total_in; + if (ratio < dc->ratio_limit) { + ctx->ratio_hits = 0; + } + else if (++ctx->ratio_hits > dc->ratio_burst) { + return 0; + } + } + return 1; +} + static int have_ssl_compression(request_rec *r) { const char *comp; @@ -897,6 +982,8 @@ int zRC; apr_status_t rv; deflate_filter_config *c; + deflate_dirconf_t *dc; + apr_off_t inflate_limit; /* just get out of the way of things we don't want. */ if (mode != AP_MODE_READBYTES) { @@ -904,6 +991,7 @@ } c = ap_get_module_config(r->server->module_config, &deflate_module); + dc = ap_get_module_config(r->per_dir_config, &deflate_module); if (!ctx) { char deflate_hdr[10]; @@ -994,6 +1082,12 @@ apr_brigade_cleanup(ctx->bb); } + inflate_limit = dc->inflate_limit; + if (inflate_limit == 0) { + /* The core is checking the deflated body, we'll check the inflated */ + inflate_limit = ap_get_limit_req_body(f->r); + } + if (APR_BRIGADE_EMPTY(ctx->proc_bb)) { rv = ap_get_brigade(f->next, ctx->bb, mode, block, readbytes); 
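Review bot: In `check_ratio` (hunk `@@ -422,6 +491,22 @@`) the quotient of zlib's `total_out` and `total_in` counters, which are `uLong`, is narrowed into `int ratio` and then compared signed against `dc->ratio_limit`. Realistic deflate ratios fit in an int, but the limit check should not rely on that; keeping the type avoids the question: `unsigned long ratio = ctx->stream.total_out / ctx->stream.total_in;` with `if (ratio < (unsigned long) dc->ratio_limit)`. The `r` parameter is never used in the body. The one-line comment above the function also does not say that 0 means "limit exceeded" and 1 means "ok", nor that the ratio is cumulative over the stream while `ratio_hits` counts consecutive over-limit checks; a sentence covering both would prevent an inverted test at a future call site.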
@@ -1038,6 +1132,17 @@ ctx->stream.next_out = ctx->buffer; len = c->bufferSize - ctx->stream.avail_out; + + ctx->inflate_total += len; + if (inflate_limit && ctx->inflate_total > inflate_limit) { + inflateEnd(&ctx->stream); + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02647) + "Inflated content length of %" APR_OFF_T_FMT + " is larger than the configured limit" + " of %" APR_OFF_T_FMT, + ctx->inflate_total, inflate_limit); + return APR_ENOSPC; + } ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len); tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len, @@ -1073,6 +1178,26 @@ ctx->stream.next_out = ctx->buffer; len = c->bufferSize - ctx->stream.avail_out; + ctx->inflate_total += len; + if (inflate_limit && ctx->inflate_total > inflate_limit) { + inflateEnd(&ctx->stream); + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02648) + "Inflated content length of %" APR_OFF_T_FMT + " is larger than the configured limit" + " of %" APR_OFF_T_FMT, + ctx->inflate_total, inflate_limit); + return APR_ENOSPC; + } + + if (!check_ratio(r, ctx, dc)) { + inflateEnd(&ctx->stream); + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02649) + "Inflated content ratio is larger than the " + "configured limit %i by %i time(s)", + dc->ratio_limit, dc->ratio_burst); + return APR_EINVAL; + } + ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len); tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len, NULL, f->c->bucket_alloc); @@ -1203,6 +1328,7 @@ int zRC; apr_status_t rv; deflate_filter_config *c; + deflate_dirconf_t *dc; /* Do nothing if asked to filter nothing. */ if (APR_BRIGADE_EMPTY(bb)) { @@ -1210,6 +1336,7 @@ } c = ap_get_module_config(r->server->module_config, &deflate_module); + dc = ap_get_module_config(r->per_dir_config, &deflate_module); if (!ctx) { 
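Review bot: The block added in `@@ -1038,6 +1132,17 @@` enforces only the absolute `inflate_limit`, while the otherwise identical block in `@@ -1073,6 +1178,26 @@` additionally calls `check_ratio`. Both tests are written `if (inflate_limit && ...)`, so when the limit resolves to 0 the first site has no bound at all. The surrounding code is outside the hunk, so this may be a path that emits at most one buffer, but that is not stated anywhere. I would either add the ratio check there as well or add a comment such as `/* flush path: at most one buffer of output, ratio is checked in the main loop */` once that has been confirmed.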
@@ -1472,6 +1599,14 @@ while (ctx->stream.avail_in != 0) { if (ctx->stream.avail_out == 0) { + if (!check_ratio(r, ctx, dc)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02650) + "Inflated content ratio is larger than the " + "configured limit %i by %i time(s)", + dc->ratio_limit, dc->ratio_burst); + return APR_EINVAL; + } + ctx->stream.next_out = ctx->buffer; len = c->bufferSize - ctx->stream.avail_out; 
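Review bot: The ratio failure path added in this hunk returns `APR_EINVAL` without calling `inflateEnd(&ctx->stream)`, whereas all three failure paths added to the input filter in the earlier hunks call it before returning. Unless a pool cleanup registered outside this hunk releases the zlib state, each aborted stream leaves the inflate state allocated until the pool is destroyed, and the aborted stream is exactly the hostile case this patch targets. I would add `inflateEnd(&ctx->stream);` before the `return APR_EINVAL;`, or a comment naming the cleanup that makes it unnecessary. The enclosing function starts and ends outside the hunk.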
@@ -1558,12 +1693,20 @@ "Set the Deflate Memory Level (1-9)"), AP_INIT_TAKE1("DeflateCompressionLevel", deflate_set_compressionlevel, NULL, RSRC_CONF, "Set the Deflate Compression Level (1-9)"), + AP_INIT_TAKE1("DeflateInflateLimitRequestBody", deflate_set_inflate_limit, NULL, OR_ALL, + "Set a limit on size of inflated input"), + AP_INIT_TAKE1("DeflateInflateRatioLimit", deflate_set_inflate_ratio_limit, NULL, OR_ALL, + "Set the inflate ratio limit above which inflation is " + "aborted (default: " APR_STRINGIFY(AP_INFLATE_RATIO_LIMIT) ")"), + AP_INIT_TAKE1("DeflateInflateRatioBurst", deflate_set_inflate_ratio_burst, NULL, OR_ALL, + "Set the maximum number of following inflate ratios above limit " + "(default: " APR_STRINGIFY(AP_INFLATE_RATIO_BURST) ")"), {NULL} }; AP_DECLARE_MODULE(deflate) = { STANDARD20_MODULE_STUFF, - NULL, /* dir config creater */ + create_deflate_dirconf, /* dir config creater */ NULL, /* dir merger --- default is to override */ create_deflate_server_config, /* server config */ NULL, /* merge server config */ debian/patches/CVE-2014-0231.patch0000644000000000000000000001215113376761111013230 0ustar Description: fix denial of service in mod_cgid Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1610512 Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1610522 Index: apache2-2.4.7/modules/generators/mod_cgid.c =================================================================== --- apache2-2.4.7.orig/modules/generators/mod_cgid.c 2013-01-08 15:49:50.000000000 -0500 +++ apache2-2.4.7/modules/generators/mod_cgid.c 2014-07-21 15:45:43.332115234 -0400 
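Review bot: The module table now registers `create_deflate_dirconf` but leaves the dir merger `NULL` (`/* dir merger --- default is to override */`), so a section that sets only one of the three new directives presumably starts from the creator's defaults instead of inheriting the other two. For example, a server-wide DeflateInflateLimitRequestBody would be replaced by 0 inside a section that only sets DeflateInflateRatioBurst, and the limit would silently fall back to the core request-body limit. A merge function that takes each field from the more specific section only when it was explicitly set there, which needs a "set" marker per field, would avoid loosening a limit by accident. The directives are also registered with `OR_ALL`, so wherever overrides are permitted an .htaccess file may change them; that deserves a sentence in the directive documentation.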
@@ -98,6 +98,10 @@ static pid_t parent_pid; static ap_unix_identity_t empty_ugid = { (uid_t)-1, (gid_t)-1, -1 }; +typedef struct { + apr_interval_time_t timeout; +} cgid_dirconf; + /* The APR other-child API doesn't tell us how the daemon exited * (SIGSEGV vs. exit(1)). The other-child maintenance function * needs to decide whether to restart the daemon after a failure @@ -973,7 +977,14 @@ return overrides->logname ? overrides : base; } +static void *create_cgid_dirconf(apr_pool_t *p, char *dummy) +{ + cgid_dirconf *c = (cgid_dirconf *) apr_pcalloc(p, sizeof(cgid_dirconf)); + return c; +} + static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg) + { server_rec *s = cmd->server; cgid_server_conf *conf = ap_get_module_config(s->module_config, @@ -1026,7 +1037,16 @@ return NULL; } +static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg) +{ + cgid_dirconf *dc = dummy; + if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) { + return "CGIDScriptTimeout has wrong format"; + } + + return NULL; +} static const command_rec cgid_cmds[] = { AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF, @@ -1038,6 +1058,10 @@ AP_INIT_TAKE1("ScriptSock", set_script_socket, NULL, RSRC_CONF, "the name of the socket to use for communication with " "the cgi daemon."), + AP_INIT_TAKE1("CGIDScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF, + "The amount of time to wait between successful reads from " + "the CGI script, in seconds."), + {NULL} }; @@ -1361,12 +1385,16 @@ apr_file_t *tempsock; struct cleanup_script_info *info; apr_status_t rv; + cgid_dirconf *dc; if (strcmp(r->handler, CGI_MAGIC_TYPE) && strcmp(r->handler, "cgi-script")) { return DECLINED; } conf = ap_get_module_config(r->server->module_config, &cgid_module); + dc = ap_get_module_config(r->per_dir_config, &cgid_module); + + is_included = !strcmp(r->protocol, "INCLUDED"); if ((argv0 = strrchr(r->filename, '/')) != NULL) { 
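Review bot: Hunk `@@ -973,7 +977,14 @@` adds an empty `+` line between the `set_scriptlog(...)` signature and its opening brace, which looks like backport noise and should be dropped so the hunk only adds `create_cgid_dirconf`. In `@@ -1026,7 +1037,16 @@` the handler parameter is named `dummy` although it is the per-directory config that gets written; naming it `dirconf` would match what the function does. It would also help to document on `cgid_dirconf` that a zero `timeout` means "use the server Timeout", since the later hunks test `dc->timeout > 0` and the directive help text does not mention the fallback: `apr_interval_time_t timeout; /* 0: fall back to r->server->timeout */`.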
@@ -1446,6 +1474,12 @@ */ apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); + if (dc->timeout > 0) { + apr_file_pipe_timeout_set(tempsock, dc->timeout); + } + else { + apr_file_pipe_timeout_set(tempsock, r->server->timeout); + } apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket); /* Transfer any put/post args, CERN style... @@ -1522,6 +1556,10 @@ if (rv != APR_SUCCESS) { /* silly script stopped reading, soak up remaining message */ child_stopped_reading = 1; + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02651) + "Error writing request body to script %s", + r->filename); + } } apr_brigade_cleanup(bb); @@ -1615,7 +1653,13 @@ return HTTP_MOVED_TEMPORARILY; } - ap_pass_brigade(r->output_filters, bb); + rv = ap_pass_brigade(r->output_filters, bb); + if (rv != APR_SUCCESS) { + /* APLOG_ERR because the core output filter message is at error, + * but doesn't know it's passing CGI output + */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02550) "Failed to flush CGI output to client"); + } } if (nph) { @@ -1746,6 +1790,8 @@ request_rec *r = f->r; cgid_server_conf *conf = ap_get_module_config(r->server->module_config, &cgid_module); + cgid_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgid_module); + struct cleanup_script_info *info; add_ssi_vars(r); @@ -1775,6 +1821,13 @@ * get rid of the cleanup we registered when we created the socket. */ apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); + if (dc->timeout > 0) { + apr_file_pipe_timeout_set(tempsock, dc->timeout); + } + else { + apr_file_pipe_timeout_set(tempsock, r->server->timeout); + } + apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket); APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock, 
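Review bot: The six-line timeout selection added in `@@ -1446,6 +1474,12 @@` is repeated verbatim in `@@ -1775,6 +1821,13 @@`, so a later change to the fallback rule has to be made in two places. It can be written once per site as `apr_file_pipe_timeout_set(tempsock, dc->timeout > 0 ? dc->timeout : r->server->timeout);`. The return value of `apr_file_pipe_timeout_set` is ignored in both places; since this timeout is what stops a stalled script from holding the request open, a failure to set it is worth at least a log line. Both enclosing functions start and end outside their hunks.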
@@ -1880,7 +1933,7 @@ AP_DECLARE_MODULE(cgid) = { STANDARD20_MODULE_STUFF, - NULL, /* dir config creater */ + create_cgid_dirconf, /* dir config creater */ NULL, /* dir merger --- default is to override */ create_cgid_config, /* server config */ merge_cgid_config, /* merge server config */ debian/patches/fix_mod_proxy_wstunnel.patch0000644000000000000000000000356113376761111016476 0ustar Description: Don't reuse socket in proxy_wstunnel Reusing sockets causes issue for ssl connections while proxying. Initial commit 0c3795fee530e0e40243f723d2750cdfed909045 is reverted and reimplemented by 53038bd5b1e9f072460e6aeac2ae433c4854f2ad. This was due to the socket being closed too early in the connection. Author: Eric Covener Reviewed-by: Dave Chiluk Origin: upstream, https://github.com/apache/httpd/commit/0c3795fee530e0e40243f723d2750cdfed909045 Origin: upstream, https://github.com/apache/httpd/commit/53038bd5b1e9f072460e6aeac2ae433c4854f2ad Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=55890 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ Index: apache2-2.4.7/CHANGES =================================================================== --- apache2-2.4.7.orig/CHANGES 2016-01-13 14:05:14.080105323 -0600 +++ apache2-2.4.7/CHANGES 2016-01-13 14:05:14.076105304 -0600 @@ -2,6 +2,10 @@ Changes with Apache 2.4.7 + *) mod_proxy_wstunnel: Don't pool backend websockets connections, + because we need to handshake every time. PR 55890. + [Eric Covener] + *) APR 1.5.0 or later is now required for the event MPM. *) slotmem_shm: Error detection. [Jim Jagielski] Index: apache2-2.4.7/modules/proxy/mod_proxy_wstunnel.c =================================================================== --- apache2-2.4.7.orig/modules/proxy/mod_proxy_wstunnel.c 2016-01-13 14:05:14.080105323 -0600 +++ apache2-2.4.7/modules/proxy/mod_proxy_wstunnel.c 2016-01-13 14:06:19.544395119 -0600 
@@ -373,6 +373,8 @@ break; } + backend->close = 1; /* must be after ap_proxy_determine_connection */ + /* Step Three: Process the Request */ status = ap_proxy_wstunnel_request(p, r, backend, worker, conf, uri, locurl, server_portstr); debian/patches/CVE-2017-7679.patch0000644000000000000000000000360513376761111013266 0ustar From 398f3ddeb1ceb8ba710eadf7036a36a41e0e769a Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Mon, 5 Jun 2017 12:12:31 +0000 Subject: [PATCH] Merge 1797550 from trunk: mod_mime: fix quoted pair scanning Submitted By: ylavic Reviewed By: covener, ylavic, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1797653 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 2 ++ STATUS | 5 ----- modules/http/mod_mime.c | 4 ++-- 3 files changed, 4 insertions(+), 7 deletions(-) #diff --git a/CHANGES b/CHANGES #index 301cb7061c9..9583c92d076 100644 #--- a/CHANGES #+++ b/CHANGES #@@ -2,6 +2,8 @@ # # Changes with Apache 2.4.26 # #+ *) mod_mime: Fix error checking for quoted pairs. [Yann Ylavic] #+ # *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other # protocols. [Jean-Frederic Clere] # #diff --git a/STATUS b/STATUS #index 191de520104..f38da4ca99b 100644 #--- a/STATUS #+++ b/STATUS #@@ -120,11 +120,6 @@ RELEASE SHOWSTOPPERS: # PATCHES ACCEPTED TO BACKPORT FROM TRUNK: # [ start all new proposals below, under PATCHES PROPOSED. ] # #- *) mod_mime: Fix scanning of quoted-pairs. #- trunk patch: http://svn.apache.org/r1797550 #- 2.4.x patch: svn merge -c 1797550 ^/httpd/httpd/trunk . #- +1: covener, ylavic, jim #- # PATCHES PROPOSED TO BACKPORT FROM TRUNK: # [ New proposals should be added at the end of the list ] # diff --git a/modules/http/mod_mime.c b/modules/http/mod_mime.c index f92119b633e..28c53be132b 100644 --- a/modules/http/mod_mime.c +++ b/modules/http/mod_mime.c 
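Review bot: The comment on the added `backend->close = 1;` records only the ordering constraint and not why the connection must be closed. The reason is given in the CHANGES hunk of this patch (backend websocket connections must not be pooled because a handshake is needed every time), and it should sit next to the assignment so that a later cleanup does not remove it as redundant. Suggested wording: `/* never return this backend connection to the pool: a websocket handshake is needed on every request; must be set after ap_proxy_determine_connection */`. The enclosing function starts and ends outside the hunk.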
@@ -528,9 +528,9 @@ static int is_quoted_pair(const char *s) int res = -1; int c; - if (((s + 1) != NULL) && (*s == '\\')) { + if (*s == '\\') { c = (int) *(s + 1); - if (apr_isascii(c)) { + if (c && apr_isascii(c)) { res = 1; } } debian/apache2-data.lintian-overrides0000644000000000000000000000004313376761111014763 0ustar debian-changelog-file-is-a-symlink debian/clean0000644000000000000000000000133713376761111010205 0ustar debian/apache2-suexec-custom.postinst debian/apache2-suexec-custom.preinst debian/apache2-suexec-custom.prerm debian/apache2-suexec-custom.links debian/apache2-suexec-custom.dirs debian/apache2-suexec-custom.lintian-overrides debian/apache2-suexec-pristine.postinst debian/apache2-suexec-pristine.preinst debian/apache2-suexec-pristine.prerm debian/apache2-suexec-pristine.links debian/apache2-suexec-pristine.dirs debian/apache2-suexec-pristine.lintian-overrides debian/apache2-mpm-event.postinst debian/apache2-mpm-itk.postinst debian/apache2-mpm-prefork.postinst debian/apache2-mpm-worker.postinst debian/a2query debian/manpages/a2query.8 debian/manpages/dh_apache2.1 debian/debhelper/dh_apache2 config.nice support/suexec-custom.c debian/apache2-suexec-pristine.install0000644000000000000000000000005413376761111015213 0ustar /usr/sbin/suexec-pristine /usr/lib/apache2/ debian/secondary-init-script0000644000000000000000000000102413376761111013346 0ustar #!/bin/sh ### BEGIN INIT INFO # Provides: apache2-XXX # Required-Start: $local_fs $remote_fs $network $syslog $named # Required-Stop: $local_fs $remote_fs $network $syslog $named # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # X-Interactive: true # Short-Description: Start/stop apache2 web server (config /etc/apache2-XXX) ### END INIT INFO set -e # # this init script can be installed as /etc/init.d/apache2-XXX # # source original init script to keep $0 and other arguments . 
/etc/init.d/apache2 debian/apache2.docs0000644000000000000000000000014213376761111011346 0ustar debian/README.backtrace debian/README.multiple-instances debian/PACKAGING debian/migrate-sites.pl debian/libapache2-mod-macro.postinst0000644000000000000000000000257513376761111014660 0ustar #! /bin/bash # postinst script for libapache2-mod-macro # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-deconfigure' `in-favour' # `removing' # # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in configure) if [ -n "$2" ] && dpkg --compare-versions "$2" lt "1:2.4.6-1" ; then if [ -d /usr/share/doc/libapache2-mod-macro ] ; then RET=0 rmdir /usr/share/doc/libapache2-mod-macro > /dev/null 2>&1|| RET=$? if [ $RET = 0 ] ; then ln -s /usr/share/doc/apache2-bin /usr/share/doc/libapache2-mod-macro fi fi fi ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/setup-instance0000644000000000000000000000215413376761111012063 0ustar #!/bin/sh set -eu if [ $# != 1 ] ; then echo usage: $0 '' exit 1 fi # the SUFFIX must not contain spaces or shell meta characters SUFFIX=$1 if [ -e /etc/apache2-$SUFFIX ] ; then echo ERROR: /etc/apache2-$SUFFIX already exists exit 2 fi echo Setting up /etc/apache2-$SUFFIX ... cp -a /etc/apache2 /etc/apache2-$SUFFIX echo Setting up /etc/init.d/apache2-$SUFFIX ... 
cp /usr/share/doc/apache2/examples/secondary-init-script /etc/init.d/apache2-$SUFFIX # adjust service name (this prevents us from using a simple symlink) perl -p -i -e s,XXX,$SUFFIX, /etc/init.d/apache2-$SUFFIX chmod 755 /etc/init.d/apache2-$SUFFIX echo -n Setting up symlinks: for a in a2enmod a2dismod a2ensite a2dissite apache2ctl ; do echo -n " $a-$SUFFIX" ln -s /usr/sbin/$a /usr/local/sbin/$a-$SUFFIX done echo echo Setting up /etc/logrotate.d/apache2-$SUFFIX and /var/log/apache2-$SUFFIX ... cp -a /etc/logrotate.d/apache2 /etc/logrotate.d/apache2-$SUFFIX perl -p -i -e s,apache2,apache2-$SUFFIX,g /etc/logrotate.d/apache2-$SUFFIX mkdir /var/log/apache2-$SUFFIX chmod 750 /var/log/apache2-$SUFFIX chown root:adm /var/log/apache2-$SUFFIX debian/bash_completion/0000755000000000000000000000000013376761111012342 5ustar debian/bash_completion/apache20000644000000000000000000000267713376761111013604 0ustar # bash completion for Debian apache2 configuration tools _apache2_allcomp() { command ls /etc/apache2/$1 2>/dev/null } _apache2_mods() { COMPREPLY=( $( compgen -W '$( _apache2_allcomp $1 \ | sed -e 's/[.]load$//' -e 's/[.]conf$//' )' -- $cur ) ) } _apache2_sites() { COMPREPLY=( $( compgen -W '$( _apache2_allcomp $1 )' -- $cur ) ) } _apache2_conf() { COMPREPLY=( $( compgen -W '$( _apache2_allcomp $1 \ | sed -e 's/[.]conf$//' )' -- $cur ) ) } _a2enmod() { local cur COMPREPLY=() cur=${COMP_WORDS[COMP_CWORD]} _apache2_mods mods-available } complete -F _a2enmod a2enmod _a2ensite() { local cur COMPREPLY=() cur=${COMP_WORDS[COMP_CWORD]} _apache2_sites sites-available } complete -F _a2ensite a2ensite _a2enconf() { local cur COMPREPLY=() cur=${COMP_WORDS[COMP_CWORD]} _apache2_conf conf-available } complete -F _a2enconf a2enconf _a2dismod() { local cur COMPREPLY=() cur=${COMP_WORDS[COMP_CWORD]} _apache2_mods mods-enabled } complete -F _a2dismod a2dismod _a2dissite() { local cur COMPREPLY=() cur=${COMP_WORDS[COMP_CWORD]} _apache2_sites sites-enabled } complete -F _a2dissite 
a2dissite _a2disconf() { local cur COMPREPLY=() cur=${COMP_WORDS[COMP_CWORD]} _apache2_conf conf-enabled } complete -F _a2disconf a2disconf debian/apache2-suexec.lintian-overrides.in0000644000000000000000000000043313376761111015756 0ustar # The suexec binaries basically do no more than setuid/setgid before executing a # CGI script. As these operations require root privileges but Apache drops its # privileges, the binary needs to have the setuid bit set setuid-binary usr/lib/apache2/suexec-__TYPE__ 4754 root/www-data debian/apache2ctl0000755000000000000000000001440213376761111011131 0ustar #!/bin/sh # # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # # Apache control script designed to allow an easy command line interface # to controlling Apache. 
Written by Marc Slemko, 1997/08/23 # # Heavily modified for Debian by Stefan Fritsch 2007-2010 # # The exit codes returned are: # XXX this doc is no longer correct now that the interesting # XXX functions are handled by httpd # 0 - operation completed successfully # 1 - # 2 - usage error # 3 - httpd could not be started # 4 - httpd could not be stopped # 5 - httpd could not be started during a restart # 6 - httpd could not be restarted during a restart # 7 - httpd could not be restarted during a graceful restart # 8 - configuration syntax error # # When multiple arguments are given, only the error from the _last_ # one is reported. Run "apachectl help" for usage info # ARGV="$@" # # |||||||||||||||||||| START CONFIGURATION SECTION |||||||||||||||||||| # -------------------- -------------------- # # main configuration directory if test -z "$APACHE_CONFDIR" ; then if test "${0##*apache2ctl-}" != "$0" ; then APACHE_CONFDIR="/etc/apache2-${0##*apache2ctl-}" else APACHE_CONFDIR=/etc/apache2 fi fi # the path to the environment variable file test -z "$APACHE_ENVVARS" && APACHE_ENVVARS="$APACHE_CONFDIR/envvars" # pick up any necessary environment variables if test -f $APACHE_ENVVARS; then . $APACHE_ENVVARS fi if test "$APACHE_CONFDIR" != /etc/apache2 ; then APACHE_ARGUMENTS="-d $APACHE_CONFDIR $APACHE_ARGUMENTS" fi # the following APACHE_* variables should be set in /etc/apache2/envvars # # the path to your httpd binary, including options if necessary HTTPD=${APACHE_HTTPD:-/usr/sbin/apache2} # # a command that outputs a formatted text version of the HTML at the # url given on the command line. Designed for lynx, however other # programs may work. LYNX="${APACHE_LYNX:-www-browser -dump}" # # the URL to your server's mod_status status page. If you do not # have one, then status and fullstatus will not work. 
STATUSURL="${APACHE_STATUSURL:-http://localhost:80/server-status}" # # Set this variable to a command that increases the maximum # number of file descriptors allowed per child process. This is # critical for configurations that use many file descriptors, # such as mass vhosting, or a multithreaded server. ULIMIT_MAX_FILES="${APACHE_ULIMIT_MAX_FILES:-ulimit -n 8192}" # -------------------- -------------------- # |||||||||||||||||||| END CONFIGURATION SECTION |||||||||||||||||||| # Set the maximum number of file descriptors allowed per child process. if [ "x$ULIMIT_MAX_FILES" != "x" ] && [ `id -u` -eq 0 ] ; then if ! $ULIMIT_MAX_FILES ; then echo Setting ulimit failed. See README.Debian for more information. >&2 fi fi ERROR=0 if [ "x$ARGV" = "x" ] || [ "x$ARGV" = "xusage" ] || [ "x$ARGV" = "xhelp" ] || [ "x$ARGV" = "x--help" ]; then echo "Usage: $0 start|stop|restart|graceful|graceful-stop|configtest|status|fullstatus|help" >&2 echo " $0 " >&2 echo " $0 -h (for help on )" >&2 exit 1 fi get_status () { if ! $LYNX $STATUSURL ; then echo "'$LYNX $STATUSURL'" failed. >&2 echo Maybe you need to install a package providing www-browser or you >&2 echo need to adjust the APACHE_LYNX variable in /etc/apache2/envvars >&2 exit 1 fi } mkdir_chown () { local OWNER="$1" local DIR="$2" local STAT="$(LC_ALL=C stat -c %F:%U $DIR 2> /dev/null || true)" if [ "$STAT" = "" ] ; then local TMPNAME=$(mktemp -d $DIR.XXXXXXXXXX) || exit 1 chmod 755 $TMPNAME || exit 1 chown $OWNER $TMPNAME || exit 1 if ! mv -T $TMPNAME $DIR 2> /dev/null; then rmdir $TMPNAME # check for race with other apachectl if [ "$(LC_ALL=C stat -c %F:%U $DIR 2>/dev/null)" != "directory:$OWNER" ] then echo Cannot create $DIR with owner $OWNER. echo Please fix manually. Aborting. exit 1 fi fi elif [ "$STAT" != "directory:$OWNER" ] ; then echo $DIR already exists but is not a directory owned by $OWNER. echo Please fix manually. Aborting. exit 1 fi } [ ! 
-d ${APACHE_RUN_DIR:-/var/run/apache2} ] && mkdir -p ${APACHE_RUN_DIR:-/var/run/apache2} [ ! -d ${APACHE_LOCK_DIR:-/var/lock/apache2} ] && mkdir_chown ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2} case $ARGV in start) # ssl_scache shouldn't be here if we're just starting up. # (this is bad if there are several apache2 instances running) rm -f ${APACHE_RUN_DIR:-/var/run/apache2}/*ssl_scache* $HTTPD ${APACHE_ARGUMENTS} -k $ARGV ERROR=$? ;; stop|graceful-stop) $HTTPD ${APACHE_ARGUMENTS} -k $ARGV ERROR=$? ;; restart|graceful) if $HTTPD ${APACHE_ARGUMENTS} -t 2> /dev/null ; then $HTTPD ${APACHE_ARGUMENTS} -k $ARGV else $HTTPD ${APACHE_ARGUMENTS} -t fi ERROR=$? ;; startssl|sslstart|start-SSL) echo The startssl option is no longer supported. echo Please edit httpd.conf to include the SSL configuration settings echo and then use "apachectl start". ERROR=2 ;; configtest) $HTTPD ${APACHE_ARGUMENTS} -t ERROR=$? ;; status) get_status | awk ' /process$/ { print; exit } { print } ' ;; fullstatus) get_status ;; *) $HTTPD ${APACHE_ARGUMENTS} $ARGV ERROR=$? esac if [ "$ERROR" != 0 ] ; then echo Action \'"$@"\' failed. echo The Apache error log may have more information. fi exit $ERROR debian/apache2.examples0000644000000000000000000000011013376761111012227 0ustar debian/setup-instance debian/secondary-init-script debian/apache2.monit debian/apache2-doc.doc-base0000644000000000000000000000057613376761111012651 0ustar Document: apache2-manual Title: Apache HTTP Server Version 2.4 Documentation Abstract: This documentation describes the configuration of the Apache Web server and the included modules. 
Section: Network/Communication Format: HTML Index: /usr/share/doc/apache2-doc/manual/en/index.html Files: /usr/share/doc/apache2-doc/manual/*/*.html /usr/share/doc/apache2-doc/manual/*/*/*.html debian/apache2-bin.lintian-overrides0000644000000000000000000000022713376761111014626 0ustar # Modules tend to not use protectable libc functions, which causes lots of # false positives. hardening-no-fortify-functions usr/lib/apache2/modules/* debian/apache2-bin.install0000644000000000000000000000013513376761111012634 0ustar /usr/lib/apache2/modules/ /usr/sbin/apache2 debian/apache2.py usr/share/apport/package-hooks debian/migrate-sites.pl0000644000000000000000000000275013376761111012312 0ustar #! /usr/bin/perl # # Rename existing sites in $SITES_AVAILABLE to make sure they have a # .conf suffix. update symlinks in $SITES_ENABLED if necessary # # Warning: This script does not work if you didn't use a2ensite/a2dissite to # manage your sites # use strict; use File::Copy; use File::Spec; use File::Basename; my $SITES_AVAILABLE = "/etc/apache2/sites-available"; my $SITES_ENABLED = "/etc/apache2/sites-enabled"; my %SITES = ( "$SITES_AVAILABLE" => [], "$SITES_ENABLED" => [] ); sub error { my $reason = shift; print STDERR "$reason\n"; exit 1; } foreach my $key (keys %SITES) { error("No such directory: $key") unless -d $key; opendir(DIR, $key) || error("$key: $!"); push $SITES{$key}, grep { m#^[^\.]# && $_ !~ m/default|default-ssl/ && $_ !~ m#\.conf$# } readdir(DIR); closedir(DIR); } foreach my $site (@{ $SITES{$SITES_AVAILABLE} }) { print("rename $site -> $site.conf\n"); my $curname = $SITES_AVAILABLE . "/" . $site; my $newname = $curname . ".conf"; my $curlink = $SITES_ENABLED . "/" . $site; my $newlink = $curlink . ".conf"; if (-e $curname) { move($curname, $newname) || error("Could not rename file $curname: $!"); if ( grep { $_ eq $site && -l $SITES_ENABLED . "/" . 
$_ } @{ $SITES{$SITES_ENABLED} } ) { print("re-enable site: $site as $site.conf\n"); symlink( File::Spec->abs2rel( $newname, dirname($newlink)), $newlink ) || error("Could not create link $newlink: $1"); if ( -l $curlink ) { unlink($curlink) } } } } debian/compat0000644000000000000000000000000213376761111010372 0ustar 8 debian/icons/0000755000000000000000000000000013376761111010307 5ustar debian/icons/odf6odm-20x22.png0000644000000000000000000000204413376761111013126 0ustar PNG  IHDRL4[PLTE---..../////33333\\]\]]^^ 3 tRNS@fbKGDH pHYs  UIDATc`E PzC{vlݴuLQe.6NMV.e=rΚeŦy,Ǣ{ uYLUdC6N+JO Ml2$'rXpjiv6v"ಥsLc`NM.^0}N1|!&h;XDr ۚjr!;[j3 muELqaA>vҢt&o^F+`MyQfjB#1D$/=)&p\d%D$W562(͉"XԄ0_g[K3c}  :``n fj,IENDB`debian/icons/odf6ott-20x22.png0000644000000000000000000000177613376761111013170 0ustar PNG  IHDRL4FPLTE!!!33344455533\\]\]]^^tRNS@fbKGDH pHYs  DIDATc`B t݉[7[|y3)rrȭ^xi\` Ed Dp;'ܚsY uKMd櫯`]x[oO;/3O1Dp,qV*n<%llb- UO3h*HNΝ5qBO[C]eanZR\$Dpڄގ?`<2@ r3SbBܜl @27yy `eiAzr\X!DH>U> lBsR"C|]- 5!)~@1S D 0`23S3IENDB`debian/icons/odf6odf-20x22.png0000644000000000000000000000202713376761111013120 0ustar PNG  IHDRL4XPLTE&&&'''(((33333\\]\]]^^tRNS@fbKGDH pHYs  KIDATc`A PrIoٸe9L%NVkW, e9 K̜ e*i 9,;,1 uOQ`CV5+HMWF9VbZ[j,v+xW[SME!Lp9't6Ԕd$B͟6b\r|Dp ]̢̱I}]5"iQ^ EB̂Q֖¼TA&~owg[`cMIanZ %D0#%^"X ThbECܩL wsujPpp10(a &IENDB`debian/icons/ubuntu-logo.png0000644000000000000000000001145113376761111013277 0ustar PNG  IHDRwc~sBIT|d pHYs~vxtEXtSoftwarewww.inkscape.org<IDATxy|Tǿϝd#!a !.TRbE `ZKkTk[mmZK.+P `mq+P $@ȞLf?&N2w;>s=9爪2zAAl0ƋX` B_(jQ1LUPZQ,8h *%ߚV}q43V?;Q A~le?P~B9,tx2 n䇊LB&O育P_\8s @n,@Xd-YrE 5NrA;mHN 4@j /w#m-[9FӶX!C-NJʊ➐Y0 Nx4Fn>ުM-<^E>v '*9EFj+"/^ӏ<[S:uѲyyg?tuÿdꀤw",Hv(~h5>qo-c߽_~s?iKHUQ ؉_x3.S2ۻO߲H)qʋD?t)B")sF(^6B@^X\s2N>p*;:Wtn{ݘDUs ?TQؿEn.`b.2OI\ēa,3ߥsi{u2LL~ﮉ 1ݗ_=]bHJ4˕2@o%2#G3z3 uqXaCɘ2O?N,4<SCv6; %EbhE\YbC.hZ[|ƥLn2;7ֵ;*㼂SLSމ6#iƕQV*anڹ}r (.[Y^af4y'˘adoj`ub6 k)>eh}L?iœMOGc"}TIE͎h GŭS0dC4y#0q+'{6fHF}Mװxʎ%}qGڸ 4y6ʏqo>0`^vKҏ8>lvP=B:nk.Ҋڲh2Ƃ*U(|y_ZX1Ht 
h#ynv~!{]NlO]M|1dĭSx%mD.2N}]7i~~=o'gwyQeUͿv!IhY?1嫫f߽ף.>FvrUjוW@XƵ[B˛l@h]qFgDcN?WD=na3/'@#Ŵ_y{2.K)RL#nBB nϷ o˘b5_z;l)$uS~}[Q-Fx(ŸFZFb4ȋ0W`nEi׊h2Ƃrbih߸2WWMO0 uaj"y=zVt~!u!q+#_']fdik~8-eجދ_v5[~x1[ҹ}|{܏hSI+. {jg;xUwhGkz`⨸%[9 ތg}ZeCtư<2?;+2[־L˛оq.,F]ȭ{"̱rGU#Oޗ͞»c3eQhDXTlK~x=<]zh=B ?2MVըE$BzDdARUxp#H=|mΎ<+dxL@p6\^% o`HC3"K$Y> =#ʀ"P 8ȎTO.6)%v 's`~B֋F{iUG9AiJ"2!NJžQɼC3lU=AUj1PLK"2;gUUPUj.p."2oEX4UsM|$K%:CUVU_pV7Cr%U]|$"Ya8Fm(-(D0EUAAiT{]ɦy BOJ#j޶4%̛!qCUۀU,nhxHޏjd 8?BuwLnG7٫lW~5?[4``o[κ91=|bd)coC>y Ad{_޽>'WyE`{S]vx95=uOH^fH*ІN10I͵FzE=7Bߧw~& 0h|"2N!н:^`qHԍj5S_C.:8kB#!"Ã^/HM[UD7@ϙ*.xv 3y0SD#p7 xGL@3#Tr;[Ume~\ " WD>x; PN`B"xE=|Tޝt _ݫ{)H"~s=q0/#"O^H'äJ&۾c'D2>s";U:Uw3ԍ' EU?&09~}vS;9}~g9 8/n*fc=nT>wB`*XM+0GAW@Zݻdof9=n{=|0", Z$H?OKmNlFU-|"28/{N%H#UGwq|h4W@IENDB`debian/icons/odf6otc-20x22.png0000644000000000000000000000202013376761111013126 0ustar PNG  IHDRL4FPLTE!!!33344455533\\]\]]^^tRNS@fbKGDH pHYs  VIDATc`B t݉[7[|y3)rrȭ^xi\` Ed Dp;'ܚsY uKMd櫯`]x[oO;/3O1Dp,qV*n<%llb- UO3h*HNΝ5qBO[C]eanZR\$Dp|oGk}UY|VBLDO$-" o,IOw6WfȻ@ rZ- a>."Ԅ@/;+c}]`<2ЄF8Xi@PHA 00*c=WgIENDB`debian/icons/odf6otg-20x22.png0000644000000000000000000000212213376761111013135 0ustar PNG  IHDRL4PLTE!!!***+**+++++,,,,,,----33344455533\\]\]]^^YztRNS@fbKGDH pHYs  _IDATcDF ys%'ܷk֍kT/۵m*\` < [} 2D]z|ոU&C@o\¥8"xgMڼ ϒk3]ţ`^F:<&v57A7oZulyΦbKϟ9C0"r3&q4I'BΛ=mR/t8[Nzb Dp)z٪ D!Ӧu6K秋FC'5KxC{:2S…Y<\ bl)Bb6#`d$Fy8YC9Q'H 00atLIENDB`debian/icons/odf6odb-20x22.png0000644000000000000000000000202713376761111013114 0ustar PNG  IHDRL4UPLTE&&&'''('''((((()))33333\\]\]]^^0tRNS@fbKGDH pHYs  NIDATc`G P~mް}LaEn kϟe?2KϘe!q4ׂ: u+pMgCnKpCHp,qj^ Y))X]^\x,~6NVyS' W DBgMlkgdNli/N 7Uʧ'Fɻ@[k rSbBm 9!~n҂8@w{kyC`QNjBT(?.D($r#&D0%6"PO[]"΋A  `{IENDB`debian/icons/odf6odp-20x22.png0000644000000000000000000000172213376761111013133 0ustar PNG  IHDRL4.PLTE33333\\]\]]^^rUtRNS@fbKGDH pHYs  0IDATc`D Ps!kW.[޶`wG`P@J sS⣂|!BH*!yi>6\d$*T2_[kcC]5%`P0J`x8DA 00i0P"7IENDB`debian/icons/odf6otp-20x22.png0000644000000000000000000000177113376761111013157 0ustar PNG  
IHDRL4FPLTE!!!33344455533\\]\]]^^tRNS@fbKGDH pHYs  ?IDATc`B t݉[7[|y3)rrȭ^xi\` Ed Dp;'ܚsY uKMd櫯`]x[oO;/3O1Dp,qV*n<%llb- UO3h*HNΝ5qBO[C]eanZR\$Dpڄގ?`|<xB{k+ sb#] H*m U9 !~nJ$"@/;+c}]`|JM`JlD D 0Ja&!IENDB`debian/icons/odf6oti-20x22.png0000644000000000000000000000212313376761111013140 0ustar PNG  IHDRL4PLTE!!!+++,,,,,----33344455533\\]\]]^^F*6tRNS@fbKGDH pHYs  ZIDATc`C& v e>gW/rسcբ|`K `Cb(D /=9DمB @vn^*.4e"D[t-#.<`ĩQSkьl=;8ΜܺejEsgLn(nZlS'5UAW/]4w֔dsg fOԧάR, 1}B*lIx DpJ+r3*TSۓ舽 Fj2 J, A) 8PxP4o/T. VM#T"<u/11%{7~NKy+T4uJwRC0j7>*(i.G\Q ,oh݃gv5Yo ؅9(*ۖd;TGҬ*ߤ`;dY |+=#Sʔe _ư{!e$fU\ sRN)扰+V.,"Xn0 HkVM*|@9uz, O=r 9v¼գU>L ev[P= rvGG9(eN9t16Gq8?"[AgWFӅn뷒 ۳],߇XA1jȲǸj>  9gh< ڡu4(X5)U|B6鱇H{x/^}nY8(ۃ =UXJ_hS,zo+Rʞ} -:doMWQ|zM5G^=gquhVbzJёǑLP $R#A|Vm Ϊ9#hO2}X|{59̫a(Stbu'k"ӊ1?lg(7|evd@fQkl,vMä9[ |M9.^?xbsMtj~9%'zn(,Q^ ?zeYsBOŕ'OЯZ(`Wd' $-ʻ%m_]0V(@mb ;}W NJ75~i*a>C)N{BEz2)O ԆC.Oy+ Ɓ=Y ܲa=[봀!˗Dqki(rSn;xN ~;ɣ.2l'/ͬLC@6zNCȲ)wd9%_zL\pD8l0v[!I&@hbe!W("@MAP3D,q*)U?`u U4\j!0,xdyg_O3A/hv3OcYot،͍uT,W`򌊦y#ቨHRx/DOJؼIzT]pTG)悢r2St3Cf)@4Pp[| /u%Z]ռ-y:gQ>:_J~hJY/&/k4^ϽI5D_"tpd~oA*pȴpVƞFglMRL-r6z+Y _P)ic&Źdh*zkmjU4d;3ӡۦ܊m^CMV%gQ rcI0 ǒ(: P'dК5R^ed;w}ޓ*v< S4 f@P @O4v| +=z+8e,3@BG.lxl'0Δk"ӊT:i"Kb;U(5D{y1WOɸ@Wi!XuTzJGQ *7q o2o$˾slŝ0P^Rh QV|G)oʷ.܊sKLkxm` YDMzʢ5Pޮ􂕋 t%+U6/ޜŵFIkwwsκ UQ^eB1HK\ج^r[nECND8;Z?`!`_/@j5YNklF `}-O,>&W47SPfe'.LGG^e^?{X쉙(uh Y -~_mŽ` mQ33NyVz(%(@T|JjH,4 *@6W[V/T0][X)8 Øs~;ugEEE>߿ 0.4^Rسzx<8j(DkR.Bi@hYZ9'~IVe0 F) 0"@ xB^L̻xfxKA0?܀I)`08ujj̘1lo߾8f B礵jKY٦iڲ~=q71(3> V WC{GuϘ1c\`Gv}ݦ%Rcl X2Ԛ5kbYL;%Զ۶dlaRISь1;kd2U)pq?q~ꩧRE@+ٵo߾TF rN)6"6d^[V{ÔRǺX#TGC )r'ajW9NvkR"rr!^tٶ7peh/-- !NJ`vuUY0}3;:v%QdPu+M]]];%H$/{qJRwIM5Ms&|jfرcCofmwK.x,֭[#t[[[ .L!жhI&wmmm9I Juj@t] GR2J)wC !M>8c .|4l'-7O'{ktJ7Rn'QPP ZZZ8B4M{ۿaUjJ):[SS*L^1i4heUUU+n˲.X^\uks'֢|o6RɈ -ڑ%~/q^22DRn&Nh,]Wx<cXmUUDvkdX t32{@*bAӨҊ7!wY ]5R]/?b9;v@bŊ1`o榬uJWaECפ 9x~Rƍwr;H$~x Uqƺ[sv 2!n]"ir]%xYc@K}i^rW 0;YA"1pg\z#qR<[#(Z{1I[MӜ8N.(]rE.3|1ri`4CǙzР PB˘OpǎˋrfӅ'I;BNw⫪.WBco 8tb]]nݝ.L&`]2p"B](wٕvEĄi1K0.RSmtCt]>S#b4T?\~hc>xbmc*eiVǼӲ~u܇@lB܂'˵t(7u9 
.c}9\2}گ_N@dC(!mَVuEE=^)Y1KAVto ˕R11Eķ9:#hhh[=!gD]4x\)VO1&u] !vZ뺮? qT"nB$u]aض][9'-a %80>RTeY_yS [j/:)eΉ'RPnfH?4ʲ*PJypIIENDB`debian/icons/odf6oth-20x22.png0000644000000000000000000000204613376761111013143 0ustar PNG  IHDRL4XPLTE!!!33344455533\\]\]]^^wwxxyxyyzz{{l.B9tRNS@fbKGDH pHYs  ZIDATc`B t黷oٸv%%ǎsrl\r9`j Ej8Dp/'ʦ$YęE uLgimn`]rIBʬ dY'wv42@׮gcejk-+..[:wΖҼ4ӧMik//HΙ6/-)*"8eb_'H 0ިr>VxVn_/`gGcMY1P0* "PYVl.L"XQ`ij GE{9ڙCCb@1]- ` 20SiIENDB`debian/icons/odf6ots-20x22.png0000644000000000000000000000176213376761111013162 0ustar PNG  IHDRL4FPLTE!!!33344455533\\]\]]^^tRNS@fbKGDH pHYs  8IDATc`B t݉[7[|y3)rrȭ^xi\` Ed Dp;'ܚsY uKMd櫯`]x[oO;/3O1Dp,qV*n<%llb- UO3h*HNΝ5qBO[C]eanZR\$Dpڄގ?`<27V'Fɻ@QT@ rRC<- (* !E QvV؈@?WkSC=mu  ` 20ȣP]n'IENDB`debian/icons/odf6ods-20x22.png0000644000000000000000000000171313376761111013136 0ustar PNG  IHDRL4.PLTE33333\\]\]]^^rUtRNS@fbKGDH pHYs  )IDATc`D Ps!kW.[޶`wG`26  89 CQTCҒ#m,!(*U B.BƆjB x2oG sc= E9)q #; ``lM^d`wG`PM9H,N(]"$TZ,(d,LNr҇ %    iCs„<̅T B.ƆjJ x!d  vq07PQ2p10R눳eIENDB`debian/icons/odf6odi-20x22.png0000644000000000000000000000205313376761111013122 0ustar PNG  IHDRL4mPLTE+++,,,,,----33333\\]\]]^^z tRNS@fbKGDH pHYs  JIDATc`E PzޱuLiM.6N[ֳ._e=*kV.5"zMmeYgN eM۸n:+pm^Z}4u PeSZ!&;[6*Ml Yx=uΞTY\4{ľ溊0̩{@bŹLa]mMRL"LL>:If &a& u/`G4 X_#DIE<;-.2ǝ"XTdn ,QGԄ0_g[K3c} +7 :``fOIENDB`debian/icons/odf6odt-20x22.png0000644000000000000000000000172713376761111013144 0ustar PNG  IHDRL4.PLTE33333\\]\]]^^rUtRNS@fbKGDH pHYs  5IDATc`D Ps!kW.[޶`wG`26C3bݝm-M!@x`2K!!m`nFrTX D0U(Bl!+@#}]̍Ud .@1 8DA 00MOɟfIENDB`debian/apache2.install0000644000000000000000000000053613376761111012073 0ustar debian/bash_completion/apache2 /etc/bash_completion.d/ debian/config-dir/* /etc/apache2 debian/a2enmod /usr/sbin debian/apache2ctl /usr/sbin debian/a2query /usr/sbin debian/debhelper/apache2-maintscript-helper /usr/share/apache2/ debian/apache2-utils.ufw.profile /etc/ufw/applications.d/ debian/ask-for-passphrase /usr/share/apache2/ 
debian/PACKAGING0000644000000000000000000004701513376761111010412 0ustar Apache 2 Packaging Guidelines ============================= This document describes handling and behavior of reverse dependencies which would like to interact with the Apache 2 HTTP server Contents ======== 1. Overview 2. Packaging Modules 2.1 '.load' and '.conf' files 2.2 Maintainer scripts 3. Packaging Sites and Configurations for Web Applications 3.1 Web application module dependencies 3.2 Package dependencies 4. Maintainer Scripts 4.1 Enabling Configurations 4.2 Switching MPMs 5. Tools 5.1 a2query 5.2 apache2-maintscript-helper 5.3 dh_apache2 6. Version 6.1 Changes 1 Overview ========== The Apache 2 web server package in Debian supports two types of reverse dependencies: modules and web applications. They need to be treated differently as their requirements are different. We have special requirements for how to declare dependencies against Apache 2 web server packages depending on the type of package. Refer to the appropriate parts for extensive information. Furthermore, there are several helper tools available to assist with common tasks. These are outlined in their respective sub sections as well. You should use these tools to get maintainer scripts and dependencies right. This document adopts the normative wording of the Debian Policy Manual §1.1[1]. The words "must", "should", and "may", and the adjectives "required", "recommended", and "optional", are used to distinguish the significance of the various guidelines in this policy document. [1] http://www.debian.org/doc/debian-policy/ch-scope.html#s1.1 2 Packaging Modules =================== Modules are packages which are installing third party extensions to the Apache 2 web server which can be loaded at runtime to extend the functionality of the core server. Please be aware that such compiled modules make use of a stable Application Binary Interface (ABI) and therefore need a recompile if the web server changes. 
Hence be careful how you declare dependencies against the web server. You need to make sure it does not break upon upgrades. A module package providing an Apache module must obey these policies to make sure it can be upgraded without breakage of local sites. To achieve this, a package must build-depend on apache2-dev. That package provides the 'apxs' compile helper which makes sure the module to be compiled is compatible with the Apache 2 web server and the C headers the server is providing as a public interface. If an updated package is not buildable with Apache 2.2 anymore, the apache2-dev build-dependency should be versioned ">> 2.4~", because older versions of apache2-threaded-dev did provide apache2-dev. The resulting binary package should be called libapache2-mod-<modulename> and MUST NOT depend on apache2 or apache2-bin. Instead a module package must depend on our virtual package providing the module magic number which denotes the ABI compatibility version number. The virtual package is called apache2-api-YYYYMMDD and is guaranteed to be stable through all binary updates of 2.4.x. The dh_apache2 helper assists in getting the dependencies right. 2.1 '.load' and '.conf' files ----------------------------- The module must install a 'module.load' file to /etc/apache2/modules-available, where 'module' is the name of the installed module minus the "mod_" prefix. The '.load' file must contain an appropriate "LoadModule" directive only. Additionally maintainers may use a magic line in '.load' files to declare module dependencies and conflicts which need to be resolved to load a module for a local site. This is useful if a module depends on other modules to be loaded, or to conflict with other modules if they can't be loaded at the same time. 
a2enmod and a2dismod will parse any "magic comment lines" with the format "# Depends: module [module [...]]" and "# Conflicts: module [module [...]]"; for example to load mod_foo: In 'foo.load': # Depends: bar # Conflicts: baz LoadModule foo_module /usr/lib/modules/mod_foo.so Additionally, if required, a 'foo.conf' configuration file to configure the module may be installed along with the 'load' file, following the same naming scheme. This is useful if the module in question requires some initial configuration to be useful. No magic comments are recognized in '.conf' files. Otherwise they have the same functionality and requirements as configuration files (see section 3 below). You should use only directives provided by default by our web server configuration or which are provided by your module itself in a supplied '.conf' file. In some rare cases it can't be avoided that a module depends on another module being loaded already before its own loading process can succeed. The module load order is guaranteed to be sorted alphabetically, which could lead to problems if the new module to be loaded sorts later. In most cases such pre-load dependencies can be avoided upstream - consider filing a bug. If there is no way out of this problem, you may want to add a conditional Include in your own module file. Suppose mod_foo relies on mod_bar to be loaded first. You may want to write a module 'load' file like this: # Depends: bar <IfModule !mod_bar.c> Include mods-enabled/bar.load </IfModule> LoadModule foo_module /usr/lib/modules/mod_foo.so Please note that the bar.load file must also contain a matching "<IfModule !mod_bar.c>" guard as it would be loaded twice otherwise. Use this method extremely sparingly and in agreement with related package maintainers only. Note that such a module '.load' file must still contain a "Depends:" magic line to make sure that the a2enmod/a2dismod dependency resolver works correctly. 2.2 Maintainer scripts ---------------------- Maintainer scripts should not invoke a2enmod directly. 
Instead, the apache2-maintscript-helper should be used. Please be aware that the helper is not guaranteed to be installed on the target system. There are certain setups which do not require Debian specific configurations, so modules must not do anything in maintainer scripts which makes use of Debian-specific enhancements like apache2-maintscript-helper, a2enmod, or a2query unconditionally. It is recommended to invoke it like this: if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then . /usr/share/apache2/apache2-maintscript-helper apache2_invoke enmod foo fi The dh_apache2 helper can be used to install module configuration and load files. Additionally it generates appropriate maintainer scripts. The apache2-maintscript-helper provides a few functions for common tasks. See their respective reference documentations below. If maintainer scripts use a2enmod/a2dismod manually, they must invoke them with the "-m" (maintainer mode) switch. 3 Packaging Sites and Configurations for Web Applications ========================================================= Web applications are different from modules in that they do not have a hard dependency on the web server. Typically they require a running web server, but they do not need to worry about binary compatibility of modules. We accept that there are other web servers besides Apache; thus we discourage package maintainers of web applications from depending unconditionally on Apache. That said, we provide several helpers to assist web application packagers to invoke configuration snippets to enable a web application in the Apache 2 web server. We differentiate between two sub-types: sites and general configuration. Sites are installed to /etc/apache2/sites-available and configure a particular virtual host. Special care must be taken when installing a site configuration to make sure it does not interfere with site-local configuration used by the administrator. 
Typically there are only a few use cases where a Debian package should include a virtual host configuration. The general configuration snippets are installed to /etc/apache2/conf-available instead. Package maintainers are advised to avoid "local-" prefixes to installed conffiles, and ideally use "packagename.conf" to avoid name clashes. This type of configuration must be used when installing a global (i.e. virtual host independent) configuration. Usually these configuration snippets will be included in the global server context via the conf-enabled directory. However, it is planned to allow the administrator to only enable the configuration snippets in a selected set of virtual hosts. Typically a "packagename.conf" should enable a global alias pointing to your web application along with a script-dependent per-script configuration; for example: Alias /packagename /usr/share/packagename ... Please be careful about the directives you are using. Some might be provided by modules which are not enabled by default. By default you can unconditionally use directives from these modules: mod_access_compat, mod_alias, mod_auth_basic, mod_authn_file, mod_authz_host, mod_authz_user, mod_autoindex, mod_deflate, mod_dir, mod_env, mod_filter, mod_logio, mod_mime, mod_negotiation, mod_setenvif, mod_unixd, mod_version, mod_watchdog. Check the module documentation for the modules providing directives you are using. Note that not all directives are really required. If your configuration can be enhanced by mod_rewrite rules, but does not necessarily need to use them, you could do something like: ... <IfModule mod_rewrite.c> RewriteEngine on RewriteRule ... </IfModule> (Note that some common uses of mod_rewrite for web applications can be replaced by the relatively new FallbackResource directive.) 3.1 Web application module dependencies --------------------------------------- There are use cases where a configuration really needs a certain module to be enabled. 
This is tricky to achieve for web applications as dependencies could lead to complex dependency chains which could break unrelated web applications installed alongside your package. Thus, we do not resolve module dependencies for web applications automatically, but they may be expressed (see 'load' files in section 2.1), and a2enconf will warn the site administrator about modules which need to be enabled. Moreover, modules can be arbitrarily enabled and disabled by local administrators, so a web application must make sure not to break the web server's start-up if a required module is not available. The syntax for config snippets to express dependencies is identical to the syntax in modules' '.load' files. Within your package.conf file you still need to protect non-default directives with <IfModule> clauses as there is no guarantee that the modules are actually enabled. It is acceptable if your configuration file turns into a no-op as long as it does not break the server start-up. For both types of configuration (configurations and sites), dh_apache2 can be used to assist packagers. 3.2 Package dependencies ------------------------ Web applications must only depend on (or recommend) the apache2 package. Web applications must not depend on or recommend the packages apache2-bin or apache2-data. Generally, web server dependencies should be declared in the form: Depends: apache2 | | httpd-cgi Using dh_apache2 assists you to do so, although dh_apache2 declares a weaker Recommends relation only. While a consolidated and consistent behavior among web applications would be desirable, from Apache's point of view, both alternatives are acceptable. If your web application depends on a particular web server module you need to depend on that, too. 
For example, PHP applications might need to formulate dependency lines in the form: Depends: libapache2-mod-php5 | php5-cgi | php5-fpm Recommends: apache2 | | httpd-cgi As with modules, web applications may enable their configuration files in maintainer scripts. Use of dh_apache2 is recommended to achieve this. Generally, special care should be taken not to use Apache2 Debian helper scripts like a2query and a2enmod unconditionally. You can use the apache2-maintscript-helper tools provided by the apache2 package for common tasks this way: if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then . /usr/share/apache2/apache2-maintscript-helper apache2_invoke enconf foo fi Refer to the reference documentation below to learn how to use apache2-maintscript-helper. Do not enable or disable modules in web application maintainer scripts; instead protect your configuration with <IfModule> clauses if you require non-standard modules. 4 Maintainer Scripts ==================== Though already discussed briefly in previous sections, here follow some clarifications regarding the invocation of wrapper scripts in maintainer scripts of modules and web applications. 4.1 Enabling Configurations --------------------------- Both modules and web applications should use the apache2-maintscript-helper in general. The helper will obey local policies to decide when to enable a piece of configuration, to reload the web server, and so on. Moreover, it will remember whether a module was activated by the site administrator or a maintainer script. Thus, it is particularly important you do not use "a2enmod" and so on directly (though a2query is acceptable). This is a summary of how the apache2-maintscript-helper should be invoked in maintainer scripts: Modules: Unless a maintainer or debconf script verified that no configuration was to be installed at all, e.g. for scripts supporting several web servers, modules should unconditionally call apache2_invoke in their "postinst configure" sections. 
It will obey site-local policies in future and will make sure that disabled modules are not enabled again during upgrades of a module package. Modules need to be disabled on removal (and purge anyway), as otherwise their configuration will be broken (as LoadModule would fail because of the missing shared object file). Thus, modules need to call "apache2_invoke dismod" on both removal and purge. It's apache2_invoke's job to deal with upgrades and it will remember modules it removed during removal and will reenable them during re-install. Web Applications: Web Applications derive the same behavior as modules if the web application can be run with a sensible out-of-box configuration; don't enable it otherwise. Likewise, web application should also be disabled on removal (and on purge anyway), because important files may be missing (and that's the point of package removal, anyway). 4.2 Switching MPMs ------------------ Only modules are allowed to switch the enabled MPM. Web applications must not switch the enabled MPM in their maintainer scripts. To actually switch the MPM, packagers can use a2query to find out whether it is necessary, and if so, can switch it by using the corresponding helper function provided in apache2-maintscript-helper. Do not try to switch the MPM yourself - the helper function takes special care not to leave the site in a state without an enabled MPM, which is a fatal error. The helper call may fail. Your maintainer script must cope with this possibility. It is not recommended to make your maintainer script fail if the MPM could not be changed. Instead emit a warning. You can use the apache2_msg function from apache2-maintscript-helper which will also log to syslog. If you are using debconf anyway you may want to consider using that - but continue operation. However, make sure you only enable the module in question if the MPM was changed successfully. 
See below for an example snippet: if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then . /usr/share/apache2/apache2-maintscript-helper # mod_foo requires the prefork MPM if [ $(a2query -M) != 'prefork' ] ; then if apache2_switch_mpm prefork ; then apache2_invoke enmod foo else apache2_msg err "Could not switch to prefork, not enabling mod_foo" fi else apache2_invoke enmod foo fi fi 5. Tools ======== This is an overview of tools supplied with the Apache2 package which can assist in building web application and module packages. 5.1 apache2-maintscript-helper ------------------------------ The apache2-maintscript-helper is a collection of functions which can be sourced in maintainer scripts to do required tasks in a simple and standardized way. It is NOT a script; it is a library (insofar as shell functions can be libraries). This is to avoid users calling these functions. They are not meant to be used by users. The helper is installed within the apache2 binary package. Thus you MUST NOT use any function of it unconditionally, as for both modules and web applications there are use cases when this package is not added as a dependency. Thus, use it in a protected conditional like this only: if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then . /usr/share/apache2/apache2-maintscript-helper fi The helper provides functions to enable and disable configuration files, restart the web server, switch the MPM in use and similar. Refer to the source code for detailed interface documentation. When available, please use the apache2-maintscript-helper instead of calling helper scripts directly, as these functions are careful to invoke and use the appropriate helper. Later versions may be configurable to allow the administrator to influence which actions are performed. Always check the return code of the called function to find out whether something went wrong: if ! apache2_invoke enmod modulename ; then echo "Whoops! 
Something went wrong" fi 5.2 dh_apache2 -------------- dh_apache2 is a debhelper which can be used to install modules, module configuration, site configuration, and global configuration snippets. It assists you to set appropriate dependencies and maintainer scripts. Refer to dh_apache2(1) for full usage guidelines. 5.2 a2enmod ----------- a2enmod and its special invocations a2enconf, a2ensite, a2dismod, a2dissite and a2disconf can be used to enable all types of Apache 2 configuration files. When invoking these helpers in maintainer scripts, you should carefully check their error return codes. These scripts must always be used with the -q (quiet) and -m (maintainer mode) switches in maintainer scripts. Preferably, you should not interface with these scripts directly; instead it is recommended to use apache2-maintscript-helper. For detailed usage refer to their respective man pages. 5.3 a2query ---------- a2query is a query tool to retrieve runtime status information about the Apache 2 web server instance. You can use this tool to get information about loaded modules, the MPM used on the installation site, the module magic number and other useful information. Use this script instead of accessing configuration files in /etc/apache2 directly as it tries its best to return useful information even on incomplete or broken configurations. For example, you can use a2query to retrieve the MPM enabled on the local site and make actions dependent on the result like this: [ -x /usr/sbin/a2query ] || exit $? CUR_MPM=$(a2query -M) || exit $? case "$CUR_MPM" in worker) ;; ... esac Refer to the a2query(1) man page for the full documentation. Please note that the apache2-maintscript-helper can be used to interface with this task as well. 6 Version ========= Document version: 1.0 Starting with Apache2 2.4.2-2 this document is versioned. 
Any change which affects packaging is denoted by an increased major nummer; clarifications, spelling fixes and minor edits are denoted by minor numbers. In future, a changelog will appear here as well. 6.1 Changes ----------- 1.0: * first version of this document which is versioned. debian/copyright0000644000000000000000000005054213376761111011135 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: Apache HTTPD Server Source: http://httpd.apache.org/ Files: * Copyright: Copyright 2009 The Apache Software Foundation License: Apache 2.0 Files: include/ap_regex.h Copyright: 2009 The Apache Software Foundation Copyright: 1997-2004 University of Cambridge License: Apache 2.0 and BSD-3-clause (Cambridge) Files: server/util_pcre.c Copyright: 1997-2001 University of Cambridge License: PCRE Files: server/util_expr_parse.c Copyright: 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc. License: GPL-3+ or Custom Files: test/test_limits.c Copyright: 1998 Dag-Erling Codan Smrgrav License: BSD-3-clause (Smrgrav) Files: modules/metadata/mod_mime_magic.c Copyright: 2009 The Apache Software Foundation 1996-1997 Cisco Systems, Inc. 1987 Ian F. Darwin. License: Apache 2.0 and Cisco Files: docs/conf/magic debian/config-dir/magic Copyright: Ian F. Darwin 1986, 1987, 1989, 1990, 1991, 1992, 1994, 1995. License: BSD-2-clause (Darwin) Files: modules/mappers/mod_imagemap.c Copyright: 2009 The Apache Software Foundation 1992 by Eric Haines, erich@eye.com License: Apache 2.0 and Haines Files: server/util_md5.c Copyright: 2009 The Apache Software Foundation 1995, Board of Trustees of the University of Illinois 1993,1994 by Carnegie Mellon University 1991 Bell Communications Research, Inc. (Bellcore) License: Apache 2.0 and MD5 Files: support/ab.c Copyright: 2009 The Apache Software Foundation 1996 by Zeus Technology Ltd. 
http://www.zeustech.net/ License: Apache 2.0 and Zeus Files: debian/a2query.in debian/debhelper/dh_apache2 Copyright: 2012 Arno Töll License: Apache 2.0 or GPL-2+ Files: debian/debhelper/apache2-maintscript-helper Copyright: 2012 Arno Töll License: MIT Files: debian/a2enmod Copyright: 2008 Stefan Fritsch License: Apache 2.0 Files: debian/patches/itk/* Copyright: 2005-2012 Steinar H. Gunderson, 2008 Knut Auvor Grythe License: Apache 2.0 License: Apache 2.0 Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at . http://www.apache.org/licenses/LICENSE-2.0 . Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. . On Debian systems, the full text of the Apache Software License version 2 can be found in the file `/usr/share/common-licenses/Apache-2.0'. License: Zeus This program is based on ZeusBench V1.0 written by Adam Twiss which is Copyright (c) 1996 by Zeus Technology Ltd. http://www.zeustech.net/ . This software is provided "as is" and any express or implied waranties, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Zeus Technology Ltd. 
be liable for any direct, indirect, incidental, special, exemplary, or consequential damaged (including, but not limited to, procurement of substitute good or services; loss of use, data, or profits; or business interruption) however caused and on theory of liability. Whether in contract, strict liability or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage License: PCRE This is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. See the file Tech.Notes for some information on the internals. . This module is a wrapper that provides a POSIX API to the underlying PCRE functions. . Written by: Philip Hazel . Copyright (c) 1997-2004 University of Cambridge . ----------------------------------------------------------------------------- Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. . * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. . * Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. . THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. License: MD5 NCSA HTTPd Server Software Development Group National Center for Supercomputing Applications University of Illinois at Urbana-Champaign 605 E. Springfield, Champaign, IL 61820 httpd@ncsa.uiuc.edu . Copyright (C) 1995, Board of Trustees of the University of Illinois . *********************************************************************** . md5.c: NCSA HTTPd code which uses the md5c.c RSA Code . Original Code Copyright (C) 1994, Jeff Hostetler, Spyglass, Inc. Portions of Content-MD5 code Copyright (C) 1993, 1994 by Carnegie Mellon University (see Copyright below). Portions of Content-MD5 code Copyright (C) 1991 Bell Communications Research, Inc. (Bellcore) (see Copyright below). Portions extracted from mpack, John G. Myers - jgm+@cmu.edu Content-MD5 Code contributed by Martin Hamilton (martin@net.lut.ac.uk) . these portions extracted from mpack, John G. Myers - jgm+@cmu.edu */ . (C) Copyright 1993,1994 by Carnegie Mellon University All Rights Reserved. . Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Carnegie Mellon University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. 
Carnegie Mellon University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. . CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. . . . Copyright (c) 1991 Bell Communications Research, Inc. (Bellcore) . Permission to use, copy, modify, and distribute this material for any purpose and without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies, and that the name of Bellcore not be used in advertising or publicity pertaining to this material without the specific, prior written permission of an authorized representative of Bellcore. BELLCORE MAKES NO REPRESENTATIONS ABOUT THE ACCURACY OR SUITABILITY OF THIS MATERIAL FOR ANY PURPOSE. IT IS PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. License: GPL-3+ This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. . This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . On Debian systems, the full text of the GNU General Public License version 2 can be found in the file `/usr/share/common-licenses/GPL-3'. 
License: GPL-2+ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . On Debian systems, the full text of the GNU General Public License version 2 can be found in the file `/usr/share/common-licenses/GPL-2'. License: Haines This imagemap module started as a port of the original imagemap.c written by Rob McCool (11/13/93 robm@ncsa.uiuc.edu). This version includes the mapping algorithms found in version 1.3 of imagemap.c. . Contributors to this code include: . Kevin Hughes, kevinh@pulua.hcc.hawaii.edu . Eric Haines, erich@eye.com "macmartinized" polygon code copyright 1992 by Eric Haines, erich@eye.com . Randy Terbush, randy@zyzzyva.com port to Apache module format, "base_uri" and support for relative URLs . James H. Cloos, Jr., cloos@jhcloos.com Added point datatype, using code in NCSA's version 1.8 imagemap.c program, as distributed with version 1.4.1 of their server. The point code is originally added by Craig Milo Rogers, Rogers@ISI.Edu . Nathan Kurz, nate@tripod.com Rewrite/reorganization. New handling of default, base and relative URLs. New Configuration directives: ImapMenu {none, formatted, semiformatted, unformatted} ImapDefault {error, nocontent, referer, menu, URL} ImapBase {map, referer, URL} Support for creating non-graphical menu added. (backwards compatible): Old: directive URL [x,y ...] New: directive URL "Menu text" [x,y ...] or: directive URL x,y ... "Menu text" Map format and menu concept courtesy Joshua Bell, jsbell@acs.ucalgary.ca. . 
Mark Cox, mark@ukweb.com, Allow relative URLs even when no base specified License: BSD-2-clause (Darwin) Software written by Ian F. Darwin and others; maintained 1994-2004 Christos Zoulas. . This software is not subject to any export provision of the United States Department of Commerce, and may be exported to any country or planet. . Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice immediately at the beginning of the file, without modification, this list of conditions, and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. . THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. License: Cisco This software was submitted by Cisco Systems to the Apache Software Foundation in July 1997. Future revisions and derivatives of this source code must acknowledge Cisco Systems as the original contributor of this module. All other licensing and usage conditions are those of the Apache Software Foundation. . 
Some of this code is derived from the free version of the file command originally posted to comp.sources.unix. Copyright info for that program is included below as required. --------------------------------------------------------------------------- - Copyright (c) Ian F. Darwin, 1987. Written by Ian F. Darwin. . This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California. . Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it freely, subject to the following restrictions: . 1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it. . 2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear in the documentation. . 3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, credits must appear in the documentation. . 4. This notice may not be removed or altered. ------------------------------------------------------------------------- . For compliance with Mr Darwin's terms: this has been very significantly modified from the free "file" command. - all-in-one file for compilation convenience when moving from one version of Apache to the next. - Memory allocation is done through the Apache API's apr_pool_t structure. - All functions have had necessary Apache API request or server structures passed to them where necessary to call other Apache API routines. (i.e. usually for logging, files, or memory allocation in itself or a called function.) - struct magic has been converted from an array to a single-ended linked list because it only grows one record at a time, it's only accessed sequentially, and the Apache API has no equivalent of realloc(). 
- Functions have been changed to get their parameters from the server configuration instead of globals. (It should be reentrant now but has not been tested in a threaded environment.) - Places where it used to print results to stdout now saves them in a list where they're used to set the MIME type in the Apache request record. - Command-line flags have been removed since they will never be used here. . Ian Kluft Engineering Information Framework Central Engineering Cisco Systems, Inc. San Jose, CA, USA . Initial installation July/August 1996 Misc bug fixes May 1997 Submission to Apache Software Foundation July 1997 License: BSD-3-clause (Smrgrav) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer in this position and unchanged. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission . THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. License: BSD-3-clause (Cambridge) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. . * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. . * Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. . THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
License: Custom As a special exception, you may create a larger work that contains part or all of the Bison parser skeleton and distribute that work under terms of your choice, so long as that work isn't itself a parser generator using the skeleton or a modified version thereof as a parser skeleton. Alternatively, if you modify or redistribute the parser skeleton itself, you may (at your option) remove this special exception, which will cause the skeleton and the resulting Bison output files to be licensed under the GNU General Public License without this special exception. . This special exception was added by the Free Software Foundation in version 2.2 of Bison. */ . C LALR(1) parser skeleton written by Richard Stallman, by simplifying the original so-called "semantic" parser. License: MIT Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: . The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. . THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
debian/apache2-data.links0000644000000000000000000000020713376761111012447 0ustar # This link is dangling by design (sometimes) usr/share/doc/apache2/changelog.Debian.gz usr/share/doc/apache2-data/changelog.Debian.gz debian/convert_docs0000755000000000000000000000435713376761111011623 0ustar #!/usr/bin/perl -w use strict; use File::Path; use Fatal qw/mkpath symlink open close/; use File::Copy; use File::Find; scalar @ARGV == 1 or die; my $TGT=$ARGV[0]; my $SRC=$TGT.".orig"; move($TGT, $SRC); # list of languages my @lang = glob("$SRC/index.html.*") or die; map { s{^.*html\.}{} } @lang; # map "ja.euc-jp" to "ja/", ... my %lpath; foreach my $l (@lang) { my $t=$l; $t =~ s{\..*$}{}; $lpath{$l}="$t/"; } my @html; find(sub { $File::Find::name =~ s/^$SRC\///; push(@html, $File::Find::name) if $File::Find::name =~ /\.html$/; }, $SRC); foreach my $h (@html) { my $dir=""; if ($h =~ m{^(.*/)}) { $dir=$1; } for my $l (@lang) { my $tdir="$TGT/$lpath{$l}"; -d "$tdir$dir" || mkpath("$tdir$dir"); my $updir=$dir; $updir =~ s{[^/]+}{..}g; if ($l eq "en") { conv("$SRC/$h.en", "$tdir$h", $h); } elsif ( -f "$SRC/$h.$l" ) { conv("$SRC/$h.$l", "$tdir$h", $h); } else { symlink("${updir}../en/$h", "$tdir$h"); } } } open(my $out, ">", "$TGT/index.html"); print $out '', '', "\n\n"; foreach my $l (sort values %lpath) { print $out qq{\n}; } print $out '
$l
'; move("$SRC/images", "$TGT/images"); move("$SRC/style", "$TGT/style"); rmdir("$TGT/style/lang"); rmdir("$TGT/style/xsl/util"); rmdir("$TGT/style/xsl"); rmtree("$SRC"); ### END sub conv { my ($old, $new, $name) = @_; open(my $in, "<", $old); local $/; my $file = <$in>; close($in); # /mod/ -> /mod/index.html $file =~ s{href="([^:"]*/)"}{href="${1}index.html"}g; # style and images now one level up $file =~ s{(src|href)="\.\./(style|images)}{$1="../../$2}g; $file =~ s{(src|href)="(?:\./)?(style|images)}{$1="../$2}g; foreach my $l (values %lpath) { # language directories one level up $file =~ s{href="\.\./$l}{href="../../$l}g; $file =~ s{href="(?:\./)?$l}{href="../$l}g; $file =~ s{apachectl(?!\.html)}{apache2ctl}g; } # Debian tweaks $file =~ s{/usr/local/apache2/conf/httpd[.]conf}{/etc/apache2/apache2.conf}g; $file =~ s{httpd[.]conf}{apache2.conf}g; $file =~ s{apachectl(?!\.html)}{apache2ctl}g; open(my $out, ">", $new); print $out $file; close($out); } debian/apache2-dev.install0000644000000000000000000000056413376761111012650 0ustar /usr/include/apache2 /usr/share/apache2/build /usr/bin/apxs debian/debhelper/dh_apache2 /usr/bin debian/debhelper/apache2.pm /usr/share/perl5/Debian/Debhelper/Sequence/ debian/debhelper/postinst-apache2 /usr/share/debhelper/autoscripts/ debian/debhelper/prerm-apache2 /usr/share/debhelper/autoscripts/ debian/debhelper/postrm-apache2 /usr/share/debhelper/autoscripts/ debian/upstream-signing-key.pgp0000644000000000000000000122175513376761111014003 0ustar  Lfߔ|;OmM)j'Lq$^$+P*qJq|v<3%6x"e~8zN]=M^PKi5r]EWh5 6A:Eߤ rGr]]ňcG o7!3_V% یa=l. x3lFL 2åQ:WPPd+| 0alHOsKFN#R  nN$Q|L<e#8C*n WS9p ]M^7>6FN-L 2e* ?d_#D2/Q|eTQZy:Rw赈FP .o0K\j)>>stԫƴ9\%E}j.4F L :`ue M!%̠mi$:ŝ~=6oJf-x`uFNN &x7%'薥1Aڨ=Ȅ7a؛^}8wF LM0 L(1=ZMdy 8V0pvB7K`/Q ;rVQ.} #6dFS¬ 1/e2LYl"o`V恷wKv5KP>Ϗ>1gy2맗>٦1YY6e8\-uLJW 4Oe'ܯs;"Sa7-v ub]'!y懣2)t+l0n!) 
Y^P?Z s 2{%|r;\*o'K]P"ojX&L3 c^ e0Mun(~'R 7njlzkWZ  ФlF&-- H0> 0}#+Ӣ`&ȁɩ'پy!= $XoGv2.Y,G٦`r <'7] ]8#jI]I㞂:HW&.&e,0ޭC`-;/8k:NVħZ/|^k^=q z>k%HBTm8{wA1ͽqm+b|I0LxQn =PW1U,Ό]VI&t+ ZI$v+ fKJ5_ھ}WtwfޘB +q, 5u X]\%D.d ΄|0#t*0Z7QwM!fn'.;\ pV&+*N ya}ۭu Ш R&o#!dGneΣ>gW؝FUDZH6 4(_bǑ-Ih&7OR$!y|ߎB R$A!E^PZX$P^Wkca EqDۣzh[1WHqɲtrwl#2eko5u9&7\B$D;66̤7cr $`m`>˃Y1w1jmAyHu:yNu?/p5ˎWoU8tҒ#(o]|-;uReߤ(G bEp3RF9ڏnH-< ^N; MAEff{mavPg :!&LzY[ÇI* EK} ۟] 7㢇TG?'(-(ǬZuS¦yA9gx:<ڈ°!8_9:jMNFStI5w 8ΩWF_]Bv]O:(/8P[c'ZF#BB@Opb ({2O~>ٹE 6k[Vy,ߑ2DXwt(z!Jsҫ H 5rvSOH=qC P]l;kETK™>ƶj.IQ+{UBE뤇`~XP\x@2Rp?l4zvNZ V5*vЯ{-^(]_ņ6n&SmzsdS&W8R(V(/sy^qP^o:B/;M.1ux ~ںx`oFY^rѕUڬ6aJߛ򦁾֖_BcAޥ_'U oX{$/]sG<Ő釗#ǐůFhZZQeU._H Yl 5y/!V#%S WE[6*v>-nqhAo্*V l?j'F OZSd!*FCn ;M-5ˀcۛJޮ.uM}@~H<ԾSmk9-*X dTT\dgpN+ii )=ݖ&g`& CErx5Eՠ,(jV!c)dM:v_ 5R >+{?8Rs=~tfd-r {`Ywx`C"89Qh~P-[CemVF!MT.,q5޸G:w~=+`a0VV^0w~GCZ_ZC Z ~)CĚ Z_ fxV:QpȉNq- F2 7FԾϼ֊F?LI.6ID\.J}Ij 0 TƐ$6i"sގ(4 @z~FH?*ziu(ښ% 1?NJ~ }5Զ T:N'ff dϾhNi,!UIJ11QF&kC蝜Y6aIk[ԉQ[aNqq4Dz>;Yu٠K(uNm˕U5OQqkReM靯JW6*}VSgO6i 8s&'"+}z$،ʓS:d'Ʋӆ$ư~zVCg2V [_d';ɗ\:n zD#X\]+t-S2LNtQח3B+z=Z2sLYZC}#PT7Mŝx*&Txa-?^*Gr gb) /߶щA" u&CFL5A~*38b) * $'~@-'i?M}WpS<95twՇ]!1ik(҈JЊ"硹P$`z?}7O q?޸[׮0ƽEA?zNEaa [*2E@ͣ Z/@'`e:1!Gig΍ %M|]Kq!!޷8u͠nҿ]瘚ɽ;Xvr܄`ct$ֆC.5[R5'fznIQ- 3>8=CZV*nGHtW04[mT6چ(De? H8pkC`ԑnE}Lǁc#EͿ 6s\UKEvl"1$2Ǖch8TWL7ϹGޑI?5_Zu*ŀ?@ݣ Cnjg(arݐ[:2Kԥ7~Ѿ6WMrCw`;8$T+tЈl"zO'!͠>1zpΥ-zݎ*!nC߹Ş9K2/7[11ъتͧ㱩\%YYATYN/#h~?Ǐ";ҜM˭cSf5YWhϼ~ET}5C$619|֧Zӝ^eh$$d"aXƜ47h Ef+jD2ՆFP_1t44˫C^Q.QX ,T`v$_Ħ@o"+?c 8L[NI##|64_3֎?e)kRŢ#E9qń(ŝ/F$Ӧ Q2sa@~{nA~";1Up0U*SW x@,?jE@hD2flJ5OiG[;md!C*+8KoF,֮8? 
oזpݳ=VB8u9[9yܰC~xWd UĩD):f)%Ǽ뚅Nr4Eq̼%=+7!C}%*瞒湪¤@ 02mptbqd}b^<\fQQ69Ԭ6ٟ͡?Avy(Tmsa=X 7B8 86@y7ҝ\z,੖?~H]V&cVZS|h7݌~IB5~zIF%p9NQ>SOlRKn&\`DFQ0Z wMk2$cՙĴ*.nc4dϽӈ:eLX}Aޠ1!hc:\'K6+dc(e#`Ds'U\nDq_d@FnslƒLu<aHD%C&vs|q͚jK`e8bg ww$xq8$ Mɬ&0k@X} f*2~zJ,GP$ rt|#VIHHnֵ0&m`ǧ%N;63JFQrpz3r ."HPb9 bxfltT-ACQ7D&sU؍?%x- ܳ'< *cYz2ô]MA&Qgi%0~%s; 8jsͱ\)ZS&LŗJQ5 \p~T(<ݤ=yц숟aq|w*%&0X(9}`kV$Oxz8`ZH })) u }B>oݐI?Q}MsQR;3췹ḧtSYu&Qv[9*9n`BYFI-sIqK/-K%A.gq eodZ·Fm",- dFT"'av r̖̍8#b"~4lY؃9#S;"9rÀmS&HXLiq&k*Ֆ7{rJ >=V"kB@n Rl(&Bʴ? BQgȅ@O1>&ml\JzꕊR8f M1L_&&3`I.pi p\am;AJR5 <; S}.PvJfyZ- Lށ [Ͼ'zOh7@p뻅" ruc!؍TqRS;5)n&|)XiBxQ{?ÉJ#eU*'RnZaÍgzv 0֦g;ΚP?bN]klqگ՘aDU~y n}]F!19_U^Iw3 O4U"f·IC%L7w"m`3s 7R>Q9u|9Ĝ0-plG? F2$'n ,L]d㰗xLS6jc-S$ MPW ?Rz|dDQ4q p0tmr}J$>.c "`Cj4wߣΧeqž): T"9X3"iYshҜolRjRgy<}*csse~?OzXR'Hfe{//;xyP5RH2=:V&9:Y!.,rTu&\l 5!ؕf1fB?><90LGs~2 Ẍ́~%o6]z%U/:C*2**}6iV+o,lୡ(w[ #9Pʳ-DN޴ڠ?Ղx/6_SRZ66cWFԕ< LLMG+I<}#_BFðsIb^eQei U{?Q|l=9ftLW@UWGE ')W%Ma*rB=4Ė`&/O\"$Q,+h筗ӽmHFI,QL1K?R.ݝ?E %!B!Hl0̀M:Z\5g^'~x6RyUSL ?rL 3(+ lq-HD&* xJ.-.q_nI%k?h;QZ(VJ _bh';?MC71 LCPVI?WgbBdEY=s("o oqQc'0ݍ Ȩre)k9&T%Kx?J@9HӜ#4ER6:X#~ Q3P o `j DՅѬuH4#P1;* ΟbGDAm@.SY>td>p]cR1L12>Vq;Z.S}lNqw4:pË>9j"Zz+<}iT kA9p9M J2}sD_DT,Ѭo!=). 
[2r_nmV,T" /-$ـ8f~=6uݾ:dn\n@%.kBOO , t'>SE[l0}@'q"C}%YR De!"N.gJ< I%.jCw6'O6Ƙq(\fOEG)(Nۅ{{?ad[5|B,rHHawVxjJD /h?Rh+nQ/h,UC)ʔ ;w~F0I9%kōR.Nro~xXْ,?# Q4 bԏ<^C|SW0G0<>i'u^AxS EZe JJ 7^l3o@OXmA~~C-eo6';)srzwDҡ Ʊ_Z8I` І >(x* =uYN( }aH@v1‰N Ƈ_5AK[g1"sY:0x  qw`'\Vq'ńgJ %CĥؐO#R)rXA}y~`I&4/T4J&H)ZZRZOa\ 6ͅh?7Qtzxg o p%0dyOd(:Fnr#dA{ws"7oD2`ZrHtE"|]^KD4+F%?tեkoEix*~; ZlKĵy}>Z1VdLJ{OBb8@ HO$<ߛrH| nyATNzL>;Hڗ,- NF N I #pBq h&^;%;/Qe*v+£~ /6~+k^(WratfMړTЀ#zQaN9Ey΂uHhd B*ثW&mg[ ڢ |C.^CtߙGnDj22n; t-UBI>M f ::Y49Et '"#/pIZ*00I [blU #WΑKWKqo+nG܀J-8 /GIM|`ĭvHO@&Ȍ$Ghw QN*NwuW 74D/fs Ev,XTE(i^«ͨ|<nkXŕnuzZ7/-A}uacz v++u&|&-y*DWz( `rn|Y*{`TN瑻njA\JIZ~|n")ېRgk(;0꜋?BYƉ Q3 򅓮Q&cE DYHE689v'bgy#'r<6j[p|Ԇdb,FȧX_b)vWi=~2bk4"pwy)yX>ֹd%g[ 9p#6 .IΎ&LPv6EOWj)H B^]eaAƭp{E$ =x8=4rhv{6B+߳?=,MrM$,.<MrmpET>TBl+Y!<z|rR)B/(r!?+!z*&W1&w?C'33 7 ţy#! [ q K>q"{@zJ348hd$ `XLH_ǭu`n`LH9iSOy\HmpWF7Za"1_{\Ι^@l'v8jc4v\;[O7 !   No 4vy584yNQ^Z.P VZ$V8 'qDMe)+ #X<*"[缳hwW>#s#7 ,(B7^R?jSv%k& |Q͓d>.ux$h\ <_8)t_LKwJv&Lo,2]?KŠ,?eojqŬ@[r1D4& >!u?^<2<Õ>Y/0.6;(kofVoI4#(3=Ʃ%\Mz1y|e+sb@v~۞{NU!P&[h#vŖڍK1f 330< N8g ɈAͥFǗWٞ#X4l,:tA&F&^9$AuY7Vʼ}}"iN_9{l~A.PjʀKȈ8ĉ7 !L    4vy&Glʃ4ٴ\i}u>w9S4%u'O;R-FNS$ ;Gٓ  usdoͳ;-uiVQPX2ɼMDGfЃҒo(@loS`hdgm*]Sn*xΙO"L<5^%Hr0ϐ)ư$b *ÌGQݞQksM?ۯ5Ccg(Rg"㡽h%){$~)0m6O4:Y!qD!)d=eg=L@M}(%p>XT)9Bs$Ѩ)D^(VW[VU>F#1Njo7ЩׯLqa5cսyPJ;eӤD[tTd{I2<%tKHS4sJIp.$!Dԫ &XsjQHQQwhnLR NAkiUKڱ"ϓ1XԧSpn Gczi3O27}2)9L{p@̨Z<$j,P:>o'hA?d˷3`\uGyGt+3lS}3Xd`Uqx ZX0>l ס̚QaKh.{zHDTg.DsZЧfir2Ѱ!G&},V*Z\,nOv?WO`=e y3Omv"M&8k+q]TxrZ.:Lw!GWpa VFI6 }zQB  +1{Lw Kn 6.ٸi~*Ѫ,t y5옜B"(,ȝJs۪LT`Uy)]/~3vMC:dLӷb>&1Jim Jagielski FL 2åwGF”߹^we# x&Zw6q/4}䄣FN#R  nN$Q|\:jVSXHnpt^Usq0t{4kLFN-L 2e17E9v:Y{ӟ>;>gXA۹zFP .o0K\ %|2 vЁSΔS6cyD-3'F L  :`uҥvRw]1}"igD-ngH3;sFNN &:_(H2~YSV O`` 6f"ͱ4Bx)GF LM0 L(1=)rDf|Ui$ 'Y\]Q.} #6dT F6RV<#-Ġp,G0P+ S2M)a&G)]Y ˯ G<6z'`,#d B_'|4 $}hs~Y0%7EQBU-Pm!7RB7/}$Hu(;#V.L rjKqBa~{4 kg(k˞?SшhWB$]k,y-}G>|L3 c*M-˦¹6hHsptL]b1}Y:(I_#iO2˞w& GCo"CsI~).eT6a [ U8S_Ě?+dZjP$0ͱxD@;P*(y$ $!pk.6Sk}J߼  f@@ `1'Bu/-OF,g)I|`Qz`2k~> A#)+6%^W?/mx6[ 2XA 
ig/:iPNW! o%n r3y}X}'E3Z![,G7ܽr $BpqX{U[95m1w$H aIM։ yOD$mm?)š6f&]|+Wwsuz~$*d,5k|A؍ʌ 0>D,>{GcĐ ԵV0Eu& 7IN3fx/R;N ya}ۭ!@&eg X!5B!xfvgĵ7 GA:ņK},JR$S[bIgଯ_.zPXnڔm͎];&qoz:MH,Adg %-(95*}C̥zH D??ZAkDL(wEgx"D`ܤwʣ5Ӛ!/c^l}=\# w?i |>Gg,owb|D t un\U֊Fg+[GSO:1{SBBā&ʃdh$G7&|`tkO4ޮN>QY2ZmwUΊXY6fljN; MAE%8II?x]&6|cWüH@2rsY(=j@'`òn2!K+3Ў 42 ѤWc!j&KƱqOVLȹsTy{ \ }@n04}&;.CBLPՊǩ>V}<66y"A&p2cxއϯ9Cc8º:C A؍# D{۽9.zf%CIvNZ V5*v1NN{IL t|sd=Kk.7WS'<.(YmvoʗSV6]&s8%őy{[^EH=]|@ .\PtlmdU=]q46<{@YxP +{@*2}<Ì'm>#Yٰ1ɚC!IMQ*A4K݅؃K# 8"3o壚b! ejM=P~\#.S%DEdlSKb)V?n3>0e'ꑺPu?A&2~v離~n"9 `AtNx{^T(ݿ Ie k8Uo@]Fޜ߶9@A߶)A%D7uz58Ao24XUkX74TsP&0JQiNhBz qO:4*4ASB $dׇ")]Nc c=ˮkm)1Cn|'ЇDs4 xwu-Qܺs< o:vog+_7Y4m/ndb3I)gS.pm݊I/)K>PwYX$}e 힜^5 82߭;/-paq Ro fb :DP ( KHo9}gz!MMɛnE*,m#6Vli7[#щ9B5ŴB&yʇy$P m==>$vT e^ҟ0P 0̓C!W֚S;PunW.`%IcT$m ޗNAk {RGau*G4K#% k)Ηy(F3PT w1͢ŧz[qqWfv>8|P*HNq- F28@@?RyӢfDdz)[S3;V -WK.wW=٤UMz!+:տRIrkBl<"oOĔ4ZԄDe,֡%Ye[gKuMlJ1|挭VtVWh2uTU"D4ԇoy{^b6;a {Υj=bS#F_ñݣY>?+<"jۍU-Q'<6e@gxv_{T#Ji L$-EQ-W+ElRn016˻~[ O8ع /. k](*9jw"VTڒsGei` =aAq fm -6W~[t62nԕFzrWNyc Q*#,"]G+~F0'`k*\py8#itBMf`hfx*k=7#W[y ߉ʞ\lQc -9^&DKƻo!ÒrOk^+HLb.v JOw%P{y[bA aQcGV1}̧cA * qՈl W.1> +-u_6mljؼ*c+:z0T7ٹ^$1L]['5\4{(hi`zԫ+ƲJKIzջv8rա3H\Ueʚ?:Nz~ ')1ƵʭF{Ug6@5cd *lEIcWhF p0Iu'?j'!۩D,4Y#J'V^#j z>?e-pVpDH6!0Ty&dҸ" j4wPr֒Xf JO6i 8s&'"@[U2(삈T)b~\DACkywTnmcAW@W _#?muz/ /O''~Vy9"7x n2zNYW1 .}u,j8gbΈs5 sAݟp| )Y3"v-;kHy/ rZ0&C3Njo*|yu:hFVFVånTX`LFK(ⳘҨ}1ǮV(Hk9ј`@"erWL!9G2z9֓G"ɱ\lB}`N%)cۘ)n`{k8]+>VQ5d+݄V+y> eAq2@v@tn \<$Aډ }Tkr2lwS+xՆ]nȽF$p͔a9Oc TJ-="?V0I"|1g 2K~sܠ BQ- 3>8=CGrTdQ<?7 ':͢`?(6jg>ۘ-ѯz閖إ"Rod^"0?w0M6qb-_ T-ׁunM},@Hofq*ī dz8}c7l Z_AO`oUސ*#]c&) r@kॵZdGeA:lZ%LoH)"Y'!'okB, <_0^dښ Ŷ-jKtnD RFK3@M $qڬg~ڑ݅TsN pB 0 Dv@_g&j%pؒ>dԾ FR1W; 7!Xn&kyiۈƮDR }۰Н؝}]$F}U8Kv: <{520"@F<0GKA38͉Q.QX ,T#lEJ&훊6y$d7 z3uBu^Tl+ Ƈ`kN:X $P:FV;᫵X޲P~̟}Mٮf)!S&>74JD79p H|GRZLbg,nA /˸<*UCX/>+?jvYzl#L5=5T i,o1DzY?%|,;YPI%`j3]^?.(|UﮕGV.D]Zm`|OЦKQ.r #Xj:% #L J{&Od/7Cn&d geB5( 7nh;a܊+ Ƈ0_NB]ZjfQ`")U 91VַtR2 B}# ݼVШKe{L;%.83ؓ@0K4Њ 
ƌ$GA64y܊^K3Vꊎf6waLIFOlϤ0E6yoDtt#oRӷuCp\[ܶƧUp"#ϏnwX|i;ۉOju:6 uȟ4ˍ$왦7JHޫ(fWJQ.< C{\fZʳBQin;FG>5 7Eu#|G+ 7 lT nWZ*@`vSNU`ԈK/MVgz/hmWD(ێu52-.e:֒ŷE43_cUu,cN@y,PvZ+ u*ׇ =D/R^>†9m_8P֏p`%^H"k0"u)rh *JE6ڥ]p ͑} uQzQ>͆&~I2`DaC.iv;\)gz-.0 ug"I2Nb.ZNc?tbx>uLUC55<ۂ8? :*Z81 s@ oR!X?pC_;>ْk%;b1 <}5xQւzމQ0Z wMk/{"EПrAtnG۽RTSPKKQkIL6Fet AKʤNu% ƍ؁%l{TrF/w7x=%Z] {<Y-W1a934|CDzSa5V-\KjgSDʊ<2yl'W@ ?>18B! Cs4PA];mIEaG"Nl!@.PQv=?X{雒6E8کJnS7^VH '9WSr◸a]+?}ҩLCSct.h\^c Nì(,'KeX"oc8C`Z c:W$Gv Nadޡ;e*;H"Z=,$SĄX<1PP3`|&scbcz:;IP Z;88aMX~W{ X = Lށ [6V *h6ph0!){&zs}0{)&@uJHNjM3c:p"֘S(hUЖZeƯ|nϳJɝ_.+I&9坱3ጭ.4j^NdBiO'Gnċm)TZ2~kރ]W7a1!y[ ?-Yz9#j{;G4M՚4[d|FP`6w10!sL ~DV$ՠO/Hm3 7[ݟb=knl$ݡ*x уrGK3=lyHoOtD)U'XQ$ t+ı >fJ_H\PsyLWsoYGЇe*|qRiT6}}s羯AW]%0X\OnJL-j L # -HGwC M#W)un wZ/Ұ,W ȁ*uSC|a&=. w>қu0tJ2cR 7>9\S04l%neq:輱B`VP՝fA:bĜ" ܉B#U$'γ\0Zv.9xl@3Y  zJԼ4! nYGz޲ +Ҧ5ݮQ=Z4fmIݽ7I[$3LtW$ڶʿ((kgXv6ϊ-_͛R,$hW+H!VŶ6dmZ$<:I~8 #,l'prBgh ;#D_/c"Q;ٮ MPW ?Rz{/VugAOL!*ǮQ xL?G^*d(?ZPtҒ5FH5}+xd4O&iry0xš} tZX߆hX0e3 ô'S-D @a4$)aiq:t6_n.2]IVvcUq9TT4⭇/R~ ǃ%W@_oiQRw`)ez}{mds^T}ۨw5jG9ݫskK\a)S~nijX&;-Mgoxmxzî Xύ_(E qL˛^%Tg W) rtL\Xם,?_:>Oqu)چl`մ B5V9g&@iwՄE[޷ 1-~ɫ2ص腍lBpѲI49$ΒGԹ`ߗJ Z@qb&7ۺS N; S=]{ZT!Žчv뢩*8g f^O_^Ӆ&tm^&L -h2pŻ恴4s_D:mėvTO%ʍƁ!C99+">7$ sJ}C4_RY, yOt 0xdX8 1akw*z)2m%zBc6ٜ.gQᵞ!1O~HVI5g};?ZHA]7zAWt4Np\hdl 8$aJQ "PސVRKu?˚r N͖ OH5{3됮ŗIUG'5qM>c1exCp=mB>t+^zD:hÑNY8 3Ԣv"r \ںd BT+#ETp2΅<͈7|SpBu"Pbq^ =ƒ ;9T1h &U:TU]~G;ڡգ@al߮Iw4Yvc̔S #$;M% _'5.v-gmEv+Zq3n} ۺj[飂(&3WH KxC^IMs9'۳pCEgL#c/w LU!հ95`%bU2 Q3Q o B|;:ՔA%GC ZY6)3cQP՞90lE$A­C:cp謹œ0'`,~-3 s~W뫏O=rsdՉ(bIum{{ʙ ׳ ܒvwwM^;؄ (4 f`DtE\҃C0%Nx ƌK>/*چnomNJR^*KH_2:@0|?&za~BW޺IgK>rCAk Z4׃ Yvj&f^{3z. iE# ܘ~  vn6|mbЛN Ƈ_5Ac j:ջAU6ǢImøǔIb*}UXl;"*mߵ&BCꜨ" (7V4Z&Zd%7O؆ uy=EWJo2>i~+cBqڜ {-6BևMnl3j5{@,@K^-[l pAB)T&!zTD 6F M3k''b|%g !`J.jNM aGrɠ~ݧqF*iI)5Jo:AdεOuyWewQj)6*Y;pxNáy4ыEU';5ԽKp~0Nk](OA^")*x:e  8)@q(i07$} NF N [f@.5X7 r`|j131 'Q+>&i"uwsY!c- Ui2ɧrjeN ,G_EVyz[+0 BwMRr[L{rC0Dw8?IwhgHUƏydigIE_ǶKwP?) 
)pO4^≲b끘NiE7Sk6VO}:(XX1Z:UC Í(~a:ʥJl㦳c6|Xyr `q/\D!ՆO9"U썿 Q]42 .z7"Y"pz T0  .4sN&Vr4L , lzz_ǤŰP3)"@ 4FUr?̆i{,iދF B\c^F"`Nr 䆖G%0߾jyF15&`H8w1/E&Q$=8٘cZHӕ=uDZbG$Qu Q3 򅓮Q[FڵZ0Lt>BШKE=ry]\Ni/S׃^Ok}Ӡ5ѻ8MhJ!97\Wt6ymx7NƎaJ0H>W:'/)d3ԞQ41$ɻo=WFpo.x& kFMQuK T`,D o6^ b > ;[|\A,1GX[bɤ8s\ĸ7(MR~s r}r؂%ng\Yļ&ux!,Pwrvg=wxL$8zNB+t'_y !?w 2E18z@fvʇ$Qsm&pOQ?o.BoZش]ZMJXƗlu!a6xh9\ `½fa<'P쨰1exS9phUxpn: Tj}p\_c37 !   No 4vyW^΁E?{uO DMkQ\|_r-rƉ ?(A+ sVBZv6'Rj/7 XJav=(:&=4{(7!?ƔS7Aѡ!1מP NrO"J](F y+@[ ,)^77ֿv ?ݎR_}$'4^H5Nwt!1h ѿѸϮ +5bj2b8J1e4e+9?٧.ApS5Ia'$lu n~2FcMC s9.նAhdW/? Kr3R̟->^TȆ2ԾctVX~غmߩO r7 f/S02ԃu٥4~<6d H6`g}Q:Eezc3pnUyl_* M.>$kyX[6I(aJqT* "+Vr [`FZߖk5]ѧ!^s"Pcҍ.$7߼S<"r*kg(t:AͺVB;&vCFQ8N!E[ck|C:u3Q9LR NAĪ?C Ȟ l QE]iώ9$&߻L5[;j@opʙT: [_2 S鰀ԅzX~k[@H+G嘌&̉`5?2Rh%n#8ࡼۺw֟uG/c[߰nAd P .Tr w&#;w8呫L(__O WSW;"Ԭ6%G3?(7M~sLA^8\ѽdd4왜MlF R#hkJ[0t*SnZ 3+'IpUJ#0ɚ`)Xvת5/ΦܦP$AH {BD*ik~_UQ/h>RuW^gHiV4Rhg,BiRR `DPn4;: I,ѲЪ(]< &@Wĩ ~2=T>kAc4VlKڜv<( 94hisKj[)CZ ]<4&=a'Rx{".PA{"M-<`v*۠DyQY>8֓a'i q!JWC*0?N=-BnmAqX0]Su*D}-=J}Qpab&H\W!$T񈽜X I f?hj ܨu<a:Iz#+}^rC4-',ɖyM\E yD#5^Zb ݮ:|ٞ+Z( Dqa/Ű݀R& 䪩cgw4֎yFI Jim Jagielski FP .o0K\E/ ;p*{Ŝ 9 c2hZwO}Q.} #6d+xҹNg{~azzQ}MEVRaϲaz Me%V Q5QvKkW؅4K59̴B<5U|8+lT,d}]4;SBZmf+JfSΛ.,l݊~'>6ɺɔ[և{̇001B%WLd6MÞşa)YjOd>s4Tjx>pLQ- 3>8=CaN8'=@AiG| bGn>U+{6%P@)ԿR3OqY9Q_TN+݇|\\x?KPR]4Cdd3^dE E m4tJ,' H-;s/#Ө2X'yZn<ٻW 4=NᐆُO$e['mı^MSkjG^sЄ~#/#clXx~ac#4G( zqx&՜6 0D"۫dJRF VDܝ ;Qdlu0FL_B^F` Zjր#(och)f $7{*G+w`{156l{OaL_#3Sjoa)qj)uSo,~.&E@/pЯ&H:  RE@2RgT` :TQ.QX ,T_{hʷ١r, 0'B|hMu$џniNIaZ {Am"3vd ^p `lY8i`AIo )iwa-иV6HWu-ea^MQ9=2+ O8U1ˤw⟫_f#]ƕƘ>$\2<Sb:k#ciǜDNoi,ƟiEA/qo2A%!mMNSčyq|c2viSmܦUщO{`H-uڱ~YЮ߯"ժŖ%f!q i*,~qYDc&A \!9yF|9zd& dq˹ɒ0AWclIrUx@)4õ Y,uTL(_Ԑ#ld_<b`<ߦ}kjQ"} XleKl^Q.r #XjJ\uD=K;3rĐby{qE9C=р ȭBiK-Ȩ/6>jvinǵR28R5Ɯ(hɾfhh0 R)2v p$.PC)|W1aMaQn[xƾy/N (P}tަ0QreR`z՜-Fl y; >0GbLebx:';{7M15:H|N *ÓYҎjOQټ"2"hy).&7ADh3'iąxG 7m$5p sTFK"8GkES&'0Aqd>+w*2>O"/3ǵ$p0b6p FCǣXp.<=KZ%K2 D/SGf2^a|>E!]M4E9w)^\3 }dN"ܾOQ.< C{@;DYu9ER賓-̻>tjM-k=Qg}6n\ꚞP^V)7;a[Sn׶5 u/vXy1LG`vƠP},:^ez<;TϪ?&z3O|QP'o{_2>M/E 
4(T2CDa$]41eŗ(S=4(S%#tH*{Dӊ%''fqK3: kSLdd|D9E4YRt== M:zelBk|b֢E6!(-s\ I٫kO*NJmL+!Q,9ySrk1f| S >ٽP,ICv ZTghߺ?dy(\Nm-R9SNj?Z-T3xQ0Z wMk t>:"A't฿N ܲ!Kϸz;\FAٓCY' -߉r}5e3fȩJ9cT%v S(\qw{lN2 Qt0(T8=Wx W bN>14McLH@$v1X lBh!Dp>`s/uUO*h/n'dj\םj}) jS>!`hA9ЊЦ`}f]yrUN5n%SEzIWsMԈf0xI -K9Qul'ϰU 0O ^kzKAWHCӥviŭ3 9`50^5Cb[^SF=L\uox "4!Bk!--ß>^,`'䩘G&){8ʙ/W!b! Q3Q o 3KR^_$L0q=]>g)ƢB;'ZuiFR8B(//A>;g%w՞hP:P'ۡ?mWN6//T?ss:L4=KiTvEL {9$EBI9^8ƥFRdq>iY;S4Ll'Ĝ%r(İRjrt[<3dy/ 1_X L?TE'LŰS4/a+v'UᾺ|xLg}2nzAxK ~ӥ#:dLv5D w_fBЯشT]fT"e3[ G9A7/$YgU mnXXޏU%.}(0/wIei䁪MWJJhp GTĚ)Jk| Q4 bԏgk~SP&;hʞP߯'s'+i F i ^5VVI0z,$EtVƴm^S!.hC7ȉIRq6M9ަq@M-".B7@3OdI~ܟP%FLnj'H&=P\2Jl"wzSkC fFyCDoؕZNzܱ*ɗwY 4i' |S`'؞$)YJ5$"_µsZSVոc,zz0@鰓 f5\ڪF'=yzBse9'ȏgP\;=&?َ!=,P sy4)N*'~'2҅﹢:0oYܟ6J7d~X&_6x- (p4RQ]THfM4@ NGuG\XytA5 Q3 򅓮QѝG7)R EVHݞޓZ<^M}zH Jqʂ&c6d tAFP>4CVz&OZl꼤mڒY](|arӜ}l'Bk&S1m =6,I<s>-g%qQ!;E!VEhiqZ}$;xXk yw|}f& N*"oˋd-cG+GL\~,@(_\J W( sh e"Éuɚ",O@CWV]#k'=OU0]$\EnU}q\<++u4Ӏڞde1!MJb =ܝ"(snhU34nm֔J?{U U˪N3V"}@5مgg*|-uI+6F '1IBO*NFޡ6/%/dj6 o ;38A5[]`:M" &OvxRjZdb2hWɤWA=~m 'ZԣVmK<'rI}gaAvH_&EixWG"!'ʪN?#V*TT{0 "&!(h?KT%+@HVh( ”"fHK:~"QR n6glx#k]ZNNR/VTɑ.F@U= ,y'Qy*Jo.ς-tb$Qׇ?y|h.(IQx) ݐVr}F OĔkwLb+<œƼEr;xSQ. NAG@2iK+b7Xp)[{f92_`]z6:zI{)OJp_ ;ӱW&/ 7L+lƿk|}D_U8EL"Hאi'[mq0Q eAG& r2^Sjlv&X{ mB4Oթ-#BM{S/ $τ`$}21R)곷8d+ -u#݃tT@Ȣ)mWN0VmaH{]͌B*V8,Jnx=Ë ՚YCOax6,eLcmW aXAP4:`g ]$ PW?㆗;U!yqg/fgr|O'Ta5# ܦY3\NOHXOu.Ygf9h{f@!Į? Tuض[I_CI۵PD4S1ŧ} =`4=e6.3r4`E>s(9{A\-6.Ku.ldRhT1/{+Cհæ)f^%s}|q@̂ORVBSs,Y=;pId/6=\(LthnԔeykZEp.آ {S{k2O!&`Iw16Fӧv;wdCȨ=ܯH9}E)<wiSIc[EiǯXaGFOfqoH0`'8qpǃ+€[s:q&T[w"X FC}?E v+C Jw XpQXy]pIZþŗ!ghZEu{kz.ĢjqXj J"W*M}KR(J^UĻEjaJ]'z ZLq4Jim Jagielski (Release Signing Key) EP .o0K\JKFA?s2l e!QȨYLjFL 2åB JX ZJN2VHœ{\gaYG*FN#R  nN$Q|CSR0'Ă1Pؘ3G䞫pV-EYӈFN-L 2evSx]2Au,6`v&+S?3b9F L :`ueJ< Q=?qn; !(H[ycXFNN &DA$O4ze{7x#v vc{v}9Em$CF LM0 L(1=oJ:\<ݐQY`CҫޕAL[3 Q.} #6dFKQ|N%#B:$;33gg0N+b=m r@WSN ya}ۭFu. 
3F" NY:a -ԳXesnV1]7ӳ"e*FFnN; MAE'0L=)!7o`P13Pۣ e>T~k2T4Rk<]f]~n=|8 >S Y!FKy/?Ř)?1dr͑ˀ0I]'w.Md3>0>ƻ=Jպ##?6P;\-}YɈh?z W={zjÜΓE!O[!K } jNZ V5*vw(\C\epKfe37[x̣k/^ln4/8KgLH $tbxp7]')? VNkF5YȞ%Y jBw΀G_McZ{&_e-ۅǧN* mhzqOrlfwdŲQOsi'~$kdanV׏I\0!k * O/ i"A ڋV@ ˭Vz 8FVVq!K{#?,#*Wuot;yeY&CX`OVDM748r@sV eƛTeG_*;.luJ\ۃ~_!$d{y'NBCtXEvji?s88:PID_O eHU&P{,j> 5oNc c=ˮkȵ#ŸyբJ91gЦbNr6joկX$ѫE}_Ei6hFA2T? =Glfhi3YWsԍH )4 cɄ;TRă<xN`6a̱n,Kmb8IkLiD k4)=wCtn'FŘ?Ǿ攷^C?IE18IM⼤(WK 7$ąH:=hVBĉt#Jd0;f9{s Ifhk}>L֨@GրW=(S ;0P5c?99ڲkۻ g:G74Lʝm\NGOPvެvQ2GX:EU?'p04v}߅i琘Ǡ8$W+a?_pg*VC6ˌ- ^b‰Nq, F2ZɃk=认&}Ta!@R˄[8m'S]H7,h7&nQd-Zl ށDEm%-)g#}a0OrNeM춋OOJ kgHVriᙊKI-tqȪ` |E@S~ $gh[Kzt_Н]:y8}Al Kƃ> ':9d:^}2*м ~u埋;r;pG'"y§"ab9KtOA)6ϓΑt d疨sLj*5hqt7qzdž+)m"y2r\1Q d@ 43d3SpTR,D@4_zXGUYifo|'c2VJdA{z*7B,u5}Cny|TcYvHtB^UMȩj.T^o TƋzdE_}>6tn{(Fph7 fnLZ#Ӥ}!^`̳+w|zz{[눊g7cbf}(n3Cmrxc~Oٌ`rCR -en0X06݌PmZo>}KS̔2hcD9+k6)@о<( #:6rLHۅMZhST6sg{m iy̖Mpk}m& ' F|OA9k0O v1-H! c*9 zi]fOR xl!zתS?07NaT/'2kf?݉Q- 3>8=CkYH'D@.)QwSH`VbUw_JCSexOL]MAms!R ;$*Jqf9̖30cR:H! 6ɣ') 'o ^1Q@%TjxϛqB&ny-3_ P.DF&9K 7]UB"hhw o('&GEjqs,g8j<%(փ1hH<Q–8.5x]Xْw^цi1i߇*dQ1]WJ} x-LU_d=>8l$~3/?G9 ijZ r/S@֏1}FʷK-lQ@r`Lq e$?yLuue6@X?,_S+ceQ8/۲Ru\]/=#Fl-c'^TtrRfQ.QX ,TAWQ9J( Le8I;v=)*tKty3h=@go[`i _e(2\{l/ W}]e@܀m>}OkvG(IЍT{h[lÁE[C!g'`G 6Q zZK<8zUL[Ǡķfk?jvG'͈4)L(ӄ> @h>Ms蓋WYcQ yL "cMKE!4TW4*W5iHL!IД ]DŽѥZa%o 3_hҟS[h3gCif{[2'i-~:dxچ}l[Gzj!"сlĜeqypIa~&JW27_$TKps K o/e׻rnt>WqQ.r #Xj3b.2N7lW;b#`:+{7{0I?aJBssǨdi6}qN rm@L%͈XU|oS˸i71}@Rk.DoTݴUXŠTvKWp?=G >~e|$]@G زJ0eG35 7++V5Lp 隵y'+49/ Ԩ:_uY] ivfxB9BjEGce#ϼQ.< C{[dWPӴ,fvotM\p4y?ׂKYL@~ht(;c"| tjRIbն-1K凹ǗЅ S'|>\}e K7webbݾk .{9θxmPt e=/_E_h˃;|qZQbyqٿTխ}t 0[;x\:Ai? XQi 2ASx$9'I[d:,{%@VV9T\haL61I%J\*u?d4lU[ l˵*dkUvT3wQ5 \p~&Z@ /yZ"J'}nʂ/S,)F!Z#q+ bR@!(aYXe,cw}&4 4ϲh]jvtF+]z1Wn  %@mc9gnX8l6$"ia ^nC\Vn$i8 Ș)V;iK#͠|QF }XR,c ] o]Ѹ#PVvftގgv7YryjGcXPؠgFfO6)2=m\g@Ñ>:XvU<wD:mKb8x:rQh0>O%!VdVUΤs-)PF RC" ttp捍.0>6uo "]>,oxV :N܊]$4 0|utrR$x=S:+4{c=miGQ,aW }pko&AJs/ŰK b~+7IƝ]{,R/I3hŒ<-읪wxT4GB rG+<6Ɖbh[Ppaϳ!vy. 
ocs1VS%VtKT֋ah5D|mӖn/7 "m=§TߘU({uJgW1Z>=<[ځʘ{b&2(wne@(Nƺ MPW ?RzBQ 7}1~Zv=O}*foOZ$mU PóF{cm[.eu Qe ##C0[_D2x1Oc_@e>y_ z)bIGe/f:٩ 36k#L<Շ)tl{3#ņ[\%OpmS gc\/A6l1W_"8I6 sf>+r-{˺Rvy)7jc;mSӻ\_e@B핈/wӜjuE4yl MbqnRx~ ax͸MD-6œ| G:T7d c5Dey~nv -bC.Ҽ.\ƍVfWբ#%N=9e5fهWfcyHbb I#xzFQL8U`"^R%vBz,;B^n-_g N͖ OH5bZ#}RP024s)!Kn<lj1;\zp4k5\aHº]"qp~'ƃiZ29Xp4Ѹd).7::b>]NcVo˪xNj<08m&&.7 pRKcߪ3CX26>zhq)?6z6;y (`APc@dzuo~teAN}ۀ Jtg;${G1f #bܳIV+E@D-E/:C jOxYթnpEAÈBq#|7:ut?-:䴤!U4Ƶ0`eC ȆiY_sV,086L'|wRkP`A&/u_M<-uLl7n} W 3:\/E Q3P o P`*r{ZGkQ0G7Bbpﭒ}A\JұBa$LD_~ȉ&רZjT AI5/z8#i<Ȱ_@BFENG|~S帍~|EZ޳,~Q|c%1Ȫ>3[An֓$iCK9Ym@b;qP@PUp%ő)͡ l+)omo,vS$/^٦[̗H^S< Vހ@A-Oʿg)cC췱36 l2˹. E_R!EzmxsRERM1NVӾ:ۿ~1[Y1A٠' yOpYbg&Wqfx3t)x}om]6 }d`9PQ +dȞFK]:l$f:UK,xɥ2RT/en8FsG; 5dӉxn ,8lqEf _ _+d>k{of/j[frq=#1D YM]VƤÉi m<FU(gEN`4A]͜4mu.#`IOn={E^}g#9ƩO oȤ6]|RR+t60`ȾLSخyVs)\Gry9)ދ . Q#'iv-yV[ G4Bt/sd,cbܮhN Ƈ_5AB` Rr&TlgTK[jpON]<= yr Qp z;:+hal, vA KdxL~E:y~+G= #ljST}rXߕZ(UBlа}\3/sk`R;=CԦ\~^H+H4#JxvL9cY2kYLzEotY톌ZT?gQ->jnʙ:d3ӓ5髁Ɛ%Fj擏T"w^0Hq{0^KlT!CeUܪkC ‘ 4!毶O&-8rnj.!z`ub,Ҋ,DKıv+4ޥ =פ+C&Fs4zlp2(sUl  \t$ڪ0:t/,1cjLG(@5q_ ]"(7B͖bHKq)'[0}V"q[Nڎa NF N Q1ϦR K[Zex}9n?SeGjݺ05$Bz.zo?͘%`3n_$b;H;cvFl`ǭWLT:R]U. %(@\ܞK'ߖf<´'7qZc)S`mܻ%Ml_l2/sņi t et4sZBBvIFd Qc!|7֘M"W K uERQ֭J3K+<[rT{##uš{1WX3p4y3 2~Ȅgx/}:|D[xk FXZ|TǢ3"-TM߸s I{`COU,AKEB|ؗJ*ٻ/8/%ҖtTϤ?^(qשOeFݨCf7/*ca|+Ӣւ6Ӊ Q3 򅓮Qp.nXȄKJ [_+\ƪ5?U@av\:u}苢5$2P7"Notoo0tAMu{YT.ԋ4 % gptfa"Ғ !5ab"ˡ;T\y$ |X[\\: $   L b 4vy#PtANA5M![.zkZ(>;*Θ ~P)FK`,gm*:H>_֪©957d ?.ک>u$^Ts,lLF1|gWa&KX`P1] ؼ S_w&tsد n"k }sjK̥B.Q&ڀmGG0uxٙVVaOpȘ y/xi M ҼmF sH{FW0~@M (wC օmn#ꪙ v[i2 o)唼 H-/Claݠb\vB|ŦJ3u5&cwԋ \h5v|wh(к紗QGXx;. cǀI8Y:y&X>X Ba2n#ASRR#-@Μж`,Ԡ?o=Hq3?YOA3 owDyif6h4miKeWI! giOZ::>=e-Z}FqA|q0{7 |EFf(vOGstq`?XuDK6޴Hd=ܤּ)b*gdHl]ύ%aB.`SrYX>ʘ'CQaa+\8Nx(6(k +B'H).@4SvK?u" ]G6d?ɑ(iU #ˊ2s 𤮑Y*Q3Q^ӧOy|KRb Fj>CogarE_ќebwOJ6^3ַf,+)"U L\U ?]M#RNL-n-gLYcD-Τc}1 e`m$4$B( i^q8 q ֖ GekM.n2ڦgGFPbx݇MJonn0a9l[k &augQ]%EʔXl߉E"ᚆΘw? 
5^fݩU)M8-u9Yk2 f #"(ЯQ?89WVZWiR,s{jJ8O&诚ϸ.dcEZ/9 F2 &ʨĿ#!l̒>R J)u2_ėgѕxs`φjIZ"qEU7YZk~FYWz9Մz -9V#d< ;FTjL57B/. 91,q3a L 4vyLZa%8I%>`/Xm!֭lZ,B6G}l*r>JAkdH3xͼ90iFhiTKNZоI;h zrՂ%Rj uMPˍ Q5`\nM%%q*f^M @>AFV-I~^hjIMU&SBU2sb?,|)>5Xq[J7٨e/AU(}9j$Q ݅3js*_XJ꘧`w(Ƴ#'q"OkPƽbGlSR7Wx p6kWcN}l7u#NzElԑĎ%OL/-U P ? A, ;#:R4iC"/EVqnlJ 9K~jUILC60 "ZN4FJ ^EG//_A^6w{H/ (aRu`0!y=[QOJ-sy8i,%-XMUTmB۶g>Jj:CO?`S} E'5Ben Laurie 2o`sp,7H#9YO:$ili>kgSfuCgk(.9`aS6vjȦh m 337Fׄ>)],dck;vmVP 9z U5{{\][߃ӑ'GT"uW!K^ jO:fD{P1} {o~$Ȇwz ;eJ=a u1sLfo.<~pd3w# +4T#`+%לi.nf/vCGޜaVH@ǞṂMiMHgyֿu-B1u E'56D4h\hL$Gs5g,d9EC.^qY*V ΄Jzw 32l6+p Qx |"^൬rR;p1`bSdAHH09Vtl{MYV}50Ne.˘pՉR WLr"/~??X+y*e:cMi0Z0&GhۀKq)i\Xȟ`jt7FL?ioit X6 [蹻?0e#s|((Ben Laurie 1% E'5s ƾrU A wfB;.I% ?1fN搆q9NÜ U9,+ފE* A%xz*rujj4#"uο;WӉwPs~G2#%J M3=cxExwc:98*=Q03χ\"Z>_QRd&(=q(H}hx4rO$%)VrDy1f*.YYs%D8$q휚6(ؚ OVy`61= i.>%.{ 1H-b+tu3c@:3<:]D2\.R3JLBtEؽ0ܕ{>U >W;OK;tKoA2ʬZA.4p:É7;6 cWIp]5&kHRաHyW`M ): )HT8g׍J$}K'Ǎ)qgWT8,N8tpoDT&{irxsF8o YUChh+ A?GLb!.fxpaH0R=(f"LΈ?:&ݺd,1-/VOgTa+RLDp1[Nm2F; );:&\4c8gUlR$> 5I J!*NF;{- KyRu"-BD-xpQ'`Wu#X|ZJjwv(Rodent of Unusual Size 6(tL|C(Zat 9L&+@$gWy6Ó)J]fd4Snƈ?:&ݺd,1-/y+c:.`wrXNUxى%߈>pF; );:Lsha؂.iUnq.̥juM -Rodent of Unusual Size 6(ir=|VeH닜e@mXFUujawK,=,f#צ=K(^eW:N9`\[*J_r0=决⮬zV?D?6o!Ч4rq JZ rZ| 61= _XS\WfʹUڢzğTTN7O[$6.|W҉q'$RzZ1Nsp~ lOfD8U]lÉkc_?:'ݺd,1-/Afkhp9gqT',Ԧ qs(& Q~} ZF; );:SPRY\ztՙp'6u]?:<o!Ч; DU~{7:>5Xl[$㘐[#]P%Rodent of Unusual Size 7ߚ3M|}@ћs`@8oF6i k@zzqPBuڣ#p;.qdFR.cpJZ وF8IȬ Q$ET>k&Ph UޝDa:)1Qt|cׁ" ?6o!ЧɃOT,aJvGsy{T陈Ń;>61= ]ZnZX%nec`HY,%{%Y`!~*(\eg Hw39񖑟 t DgA3-Ae̋$*.֥!p>:'ݺd,1-/뫂@@Yc2s?]ϯeG|Pb]:˒ǍF; );:q0.sSmL3!-pby#<ԍ6ֈvߴ%Rodent of Unusual Size :ZYhyokbbr(T"Sf?:'#ݺd,1-/|Uh0znLJg(9.ɷVF; );:pxj!3` `yqصȤnDL};krk_[B\WO0mX`$P=El6(Kg>uڀjrۣkӾx$4*P "޸)QLl#Rz; ](l턙EB3bu?ք,Q?l0ojR4;0sMKM(RrvHrq9[k<%c0$mnv :{[1Rodent of Unusual Size (DSA) V:K  P0-h(q}3uV̽\ n Lṃ  B 1qsV:K  P0-h(KVJBJQU?x|Hta^tFV;F; );:Gn ~r!K7tlvspjF:5詉;R/V:  P0-h0'.DsX"m1G{ %SLG6F; );:Pa(-bzeΥ=`W}]Mj;R9>H yQ yg9^ C\virMWI\^X?{Kס/HNXO}j!͌~/ l9 
/{9?;Rݺd,1-/ ENefaPnfE1|(9EG7A{a3Rodent of Unusual Size (DSA) V:  P0-hKA"uXՖ&Ky|TFg࠾{{ܲf&F; );:N+aA ?u&<8zzȣM-(3Rodent of Unusual Size (DSA) V:  P0-hjH"~fP&vZYumE{{ԷF; );:J)uJނPЄ:%W~ۻSfd-Ӊ;RJV:  P0-h&ː|9۱rN9Am@H;㴪.I F; );:kAaw&$5T`e(&?+vB;RVV: $  P0-hWur@+a2)\*WI0҃LS)F; );:ࡅ\-q,zBL3SMlNKiyfQb;R`-YސԀ<;3whq%A_ fD)(͂cĮ+ sU0@U398>ɭ2h)H0ohjXMC^Mo=ήi{D>Hq|n9&,abQ3代visکnA )4]sxl<51ilᇾo᱐DB 0@([$VQC߿JcNmi۞yN مtS'iE΀Hf]H؏/.)IhѨoSq1IJxB8U~ĸG >?nCfFQhg' 8BAUe e(UPPL(nT~K \*]-Xgq6Ž آ"kU[_Emƀ1Rodent of Unusual Size (DSS) K 6)   ݺd,1-/y!2n'[r>}AsTm~  9HfT;ZzF>=+YnϣqW+tQrd5갈F8*  &0eV]h GcpE*'E!N;pcF: P0-hL?΢r g*-FS]w~."A*=;QK 6)"(  ݺd,1-/1_i-K9!vPrӳXwD͛?6o!ЧiMf<.Ep-K[ qUqqN|Js~dgKPo5N/@7;5 cWI$oXFK!y-"X{kwT*{T(aǺ:jqxIl IlpXꨔ6+?+@1{TN}U{!6YڡSպtԵF: P0-h;MMRK@%-{+W>in.kq7\8;QK 7  ݺd,1-/Vз zSM\Ki 4iOm))c 4'F: P0-h$w?W,y>vV2-} *]Kn\;QšK 7  ݺd,1-/e|4vz\mVP0A (GAΈF: P0-hTPIE/)*_{˵CϪg g+Rodent of Unusual Size (DSS) K 7  ݺd,1-/"M .!K*4p2-ep(ҲI>7,F: P0-hlkVsJ.KKB LP#\p66">ԋqhXfJvsk\OR~Oܜl czk()ckwub4ie7^(MQB1k-Rodent of Unusual Size (DSS) K 6)!k  ݺd,1-/ lg DB&u^xiP_ror?6xo!Ч97i7W~`6W?4UY6=w61= )I:fm=7GE]|B_ylL0'W<@{ Jޙx]a3R60.wۏ2bB ǔ2 $MRڿ+\AK=..cj2i/#}6bRQ%Rodent of Unusual Size K :  ݺd,1-/ 7 :Y`)DkZ0j Iyڢ¸riBҗJ;Q]uq,d`gA`>cV8zS_K>} ]E} 2XPg~rnM369A?=|y3+@Ϲ 6) BWr֩BS9OnK8 V@UCLdI eԡPY_vRO==ΙWYtOvG0a|f^[r:FX+XNI 6k3l8 E||[-#C[U]84|WCl3!,*<)@| rֆ)zʕ ٖ PF=f]A|K"&^U2 ; 9Z.uKڞ>Ƴ=5kǓ?,4?Pggv7Es}';y4oA&ZüT`J cl M3}|+#*Nš+SSOa+P\u+xZL)С?6) ݺd,1-/ҙfQ}e1e ^׮|JEކA87|e_jp1%Nz.ǓcUߠ%Ad)|\Uf$[ڤ~8.?nDn-gJ}v^- ^z?TujlSv.;Fj+QSjݙob*R;,m v "<(p YwŜc`<| 8TNOb]rVmJ>lG1&qe& T~ Bsyt&fctЕǹI}XoڔD^.heCqU*y\`@<]LK[ ?b !LV0-%7Z)/P%(p[‹P30׎Ozr'N#5SxjpiWJim Jagielski N 7 :`uI%k$Fv&09#O,VKn-&)X-Jim Jagielski K :j  :`uj94K=ZG/*2 >20}Jim Jagielski \=  :`uop@ń0 +n!f6e2d'|ic 7BWr֩BS9OnK8 V@UCLdI eԡPY_vRO==ΙWYtOvG0a|f^[r:FX+XNI 6k3l8 E||[-#C[U]84|WCl3!,*<)@| rֆ)zʕ ٖ PF=f]A|K"&^U2 ;7G7`ֆfiNsq:R$j)/O("`"1恮wk2'k\R [u'?*ͶZ4wn Ƥv.8Br'G)]JRFܲ,0-Z`BԺ/qiD2Sl1A$yq^FhyNmSJp, *q_}ɵ}!bDxvd݊?杘5!u^U%@))=iטAGF7 :`u0N* 1w`_-X<z/İ (A* 
2A;ް|=) [V5ƜNEǰ09LDOJJ=γטCOeӗ'D5ԧk<è!.!dJt,eaCJU0N TK!@COoN ?;oFh6y~W'm^Ox7"kq7(>m)xH Γ[dއ7fԭ (O++ټT"Ym6kݑ1 sameer@c2.net2Am6kݑ1FK0!Z8zM =8ӗ[3#I圫f~9xCqD[Hn}So誈slQr-4 k-kj)S*#I_D(<,A5cz ld w8j@$6+:#=rs7vT[oCd'>9͟Jɫ!qbp8LZgCmOGpr?'vؼ ʷF'Vw1UEeOB`?5 )6g&oIR*xd n&+}8\XXRkMrf\Pj$Y}2 (6LӥDصF)&ec dRobert Hartill 1ec dM~L/$[ro_c`^;Y=;f}:3?v,ܣbKY~w=w, "0P<>!gD B)-Nc Xn\a qJ%~{1/х]h}X.!=7 yS@'ċpz2jjIrJGe+Ѹ=J6 B Uف'O<jdҫ|j6{v"+Й^̨ cWI!Randy Terbush 10 cWI'u}Y;$1 11No)>%@fJ`+4a1ϘLgp'%Z%[ [m[*׫4/a1LIc,z@@s.kנ `œ<,;2(lmSsTA3HUx, >]hnw? j/lxAz7?% ϳ(sc:k{2eA0[4 T[V!F܌4P\~_hi pFq )T)}/'&ەLk9SU_mM?Z[eb2lrڎ_a$_˝E>x,r=`"şF{r|)x%J]oJEJeom|׈|'C!HIx؈F;Г U e='Mv$Qa>]8:v06g0CF; P-/wKMV_Erj1RIۢD':GvnjȈF:7 ݄D7l<Th*^L/o=zݓ5Fݖ04u|?:rWo!Ч7^Nzz`cIC62Үkk z~mŴMark Cox 9LIc'+ofHoرεOu5$7k9LIc'M{{V$c\!"t6ן1/zFϵYľ/\s,* 1O5**ZIE9,"F+w ITC!,2-!y*tOlY>] Jxms^y@>ӌ"E>",eF;Г U e=yh /loe$m^̵Tm~q&QF; P-*Y%ìk2WC*2Q`n7b4F~?:rxo!Ч7p!hq(͇#ô"sf $\؞3]aOq $C|s.~)*s,rtf2co_qc KlZ url8t^;\rl.SiyI96B誗đcPi$K1dJ/Paul Sutton 3dJ/n#+*(P68g~0WzH{-i@&)#Cu>)(NqϥV0Odac{&O81Vz\XE1F3dv3ڳg ?_ я?`ËK $GkfpЊZӊRJ*kϪ "o2zج`-7m ~ht@L^&C})Ralf S. Engelschall 3d^&C})Zb\hdhx0FwOQ.6WkPhI]=0͟ E*_c2'xV!\0Sd p.Ztk7ٽh=] Z*~ p9r~,%ٙ3Y<&?߄I!{}޶d3x׊k×+ RIpY wd_h!gW0,@Yh3 86z7QTOac6GmDֻmT>݁JӬf9C65iԼΛM"AZ+Aoin:n夒[Ŏ Vx?R\1Yl̖IEw :neZR˯aYX܄ և{}eHHoى6/k+ED3QB,;9oJxmJy5c`/>u8 ɱ=xڿPjbI-ql=}E$_$gO3Slt=;d3&\86/kg7_e!p6/wl}Y"@pgm~V&(5gyoDb+Z |C 2r5. fSDyßPx SP)9~i6ݼMUxV/`"v09oFlx 89$>90 a4#B4D($.y)v)-k,_s`F<{)`I'r81f}?e(7ӎ鑓eu*^٘3A\%-a7hRejA|aRk"ԀfPӢ^ [~ gl؟gS)PzZ&==i`-)/4Řԁ̋F>W 1O Us<`ݙ@mai0aH.Ue6lF?k \7xȓs{i%`5eXoXCsN,crzTDx;Vh9?L 10+ʊ6mQ1şnK2F@>\6}-Z젣\m2~XH X^Tv}(H7sE$Rh`c/~sq^Y{ٯRTYF=P ͽ 5 .o0K\ ]W^ӥO gg&x-F? );:^(.ť4>[ʧ˕{c_3c"=Tk,kbF? $RLe9Tur df(AH=bh{@)EJAXc݄&Or/oV"RHGc껩!\M^^lFO.-ܫ ݼ#dԀ8 57'!gVaĻcXs*kw2X=SlOتlsca$! y7Ի`ɉ:_'je{aKOYƿ+>79%ד._ց{Cutܭ e: tߕv#J_5B^xi33XQbǼC[~휮}s`]:IyknH(g怳.CGBND2oz2=1-_,gY05MHG,HF[o_s>d'r' z90%ikzbZY OwQ80m4РIWcp]F)}(Φg 9݄͜TFEȜ$cǰ]RZlzE夻|o?s2o7h~OqqrםyF=DU .o0K\ "`$mYR^U} F+u?A,d<HF? 
LM߱'yIhѪe!{:*g=BaJk#35/F?S !0 ֗YU1u;9exÐ1ReJLXxT0$F? @)$\Vfz U7;Z]Rco+F? {GO1ٟ~vW%ZQJfK[0q/6}Uen[stʃCN99y/_D`Eۃu;vlz6)R͘ب픞6Av3cdž#EZhaΒ'|/QV |D2s]2ޭIm=X\#E]*R]S ZPSiu6R=G7VR@I-d;C xttcF? I4W*#H"qă׸Af./j !*}ZXF?~ +KB(`w2@*3u@q7ld]oĈF?#  у g[$x:/4~m4Jd2{$[>K-mwpu30fȷ^7aoq!ٟiXͦ?l偄(0>g:AsPr4"Martin Kraemer u6/g?Pr4Epͯir7> 5mOX'v;&̮WwUceRSj5:^,'ٔBE?aaRN#u6/f6*X9N=z39@L&9&tkBNrM*P*7 ōQ;-m &M[&JMxZ[M)pq)O\ :Z+EDY PUb. hAҼ{ŵ "W|,>ʿꉽz7)f.G1܅)biRWEȳe;w-|bfG?_ P 3M:k4a4x /JĹ8 Q^Mkt`|1(v2r9MO\q/M\p4fnd8}k{$K2 ?&byuC׿ܮQ1= ,Dirk-Willem van Gulik 4Y1= \gSKąkp:A>njݢ6חz>}G/z061M̲>oB@ <15VsW}%U`%N Gܮvi50*vo]u \.u:'ۜ8\r6G,Dirk-Willem van Gulik 3M:1= o@#3VRRV\j#I oFgb"SF{5'f+f|uo!cXʣ#' <||W^ eKI35KڱQ/:7+Dirk-Willem van Gulik 4Y1= 4h{۞-> zq[րfxP4u2EQ tsPțvӕ'`tmKj\ڻ)W 8zƜxJTw^8#{ʌͱNX|ˣ$Dirk-Willem van Gulik 4Y1= 7T"Wڕ‡S6NE}aUƸr_D QUފ!w5UR˗gߚn}>eZ.1 NKFDy}s[-۴)Dirk-Willem van Gulik 4Y1= R:GCl8}3|Ċ70#P*2?|)soy xlk^k}ŔGҫ^Sp+)$WiVkgiT.Dirk-Willem van Gulik 4Y1= Cdl.ƥbN=@_ȟ^"z;^Y.H>xmR5B ,wH:+Tϰi2I%p[ S1 '{dK/IDn&I:!zq4ɘ5"$1Q`,;ZB5e{l܍b*c}JԮԦkXB8Vds jrDD.?@Օ_L?ERՒ{TAPv3Vy]om0iz"q=O)&s *B'b"c&g=ly8f ( *Z77 #]1)m: }~foݚKlݎUu bw̷Jlаa| qZI='`9bfuϻ.z9%$9;~oR>{z!03~±C$R=[s]J1zh GsTrċw+g/7N'yd>f0Ɣ*eDtwM Dean Gaudet K 4  }m*Q4!y46߆TaAPj\Z=&Dean Gaudet K 4  }m*8oV*] zmeM %;_,QX7ƭ Dean Gaudet K 4  }m*/t„T'}W_-Z9q$0) -@F-d 4BWr֩BS9OnK8 V@UCLdI eԡPY_vRO==ΙWYtOvG0a|f^[r:FX+XNI 6k3l8 E||[-#C[U]84|WCl3!,*<)@| rֆ)zʕ ٖ PF=f]A|K"&^U2 ;dz~>'~yuى=Po}cf + QuɺK4_!mE 45GM%TbUN3>U>B*`29!RhVY?4odgEO'yN~loy_ fIj>^aZ!Y3jD\W'#$bJ2$﫥 ( (ڄ;^QDr%?4}m*mELupj4Nzxd҅F0N5)$},e.sɂKm-7 :hZ.IShUq5|7)58Gi(iҪo&p]lD,H.zN{[G,zOU7>A$Lars Eilebrecht 7FGDk?'~GH;1;ON[*U@jSJ:LM?Df\p[a,0 M*W a+1,G*{yQo&8oTn:eKi\ى6(P.~ȗ dOvc-ŏ4hjx ŎSC֕mC{CK'*V^kC'#T+FQPZ(MZnpV=dݚ;y#Ue9*\,ϒl>Px|݉0cB'i񍨉ŲB[ˆ9E'_9z77$IUViv6lnAͬ4v֭m~')oxb.+qhܡt#yAm1oO˔m#|4@Qܛ|׬v6 M*=a¸,\ΐ7 Qmz?ӱgM.{lw.&>/;QO(EڻQWۗYe¦}"|K౱!(ƐВ=Nu=P{j+[!vA8{ҟ]VVL(Mœ۳J2= XQ]3WhB?3gp$M*ω&w}tof;d-=p5ǧ#5# =˰G0`v\ \:ǒݣ͹ATM=L N\,Ѣ X h7 F9!MFFL$.(VJD 11BWA ŌM]+9Z^߈otD* 
"fA~IGC`5)7@%N֒q_(@0i[s§B~^$RgFщ7Ks MXQ 7-v\VtbEx}^JbRE@ 1#>ũM6F3|Ufӆ\iƾh@3`nKhR/xtW QbmZTAx#1'!{]|5&.ҁV ZZؚ!.pT^SI^V+TgOX_$`ó6K9†7k}, ݡWM%' / סMK mD[\9n$h wOcT!)٥ DW)I߉V#^"p4'_=7FL*P_$*$, ?Gf;Y(zàB *֟s& ߫\suKA*r "I*ǴI;yOiwmpLPӛ?*Eܓ20幺PWGt5rLҾ7Ɇz:j܅n[c8hQpH9&jV0a@SZ t2ilExB3FZ J]]2ȂPPG8aLDsՕ|-ك ;9uM k>KU\9lsYO7j^)(HE֥*xqQ.q :edyAj<%_8Ɂ@WiAKOWnhdiQYC1< q^eZݕg@̽h/-1/N*9z-E»X reyqFWj)k}z> f{{Grgb,0\3 .O)XB˾&z&JRa]n0ӡÿ!P**U4Bf^&7.t>Ab^8Qsb6 j.N(lj$a5{ߴYSuP˧͡}S@&`qɟIf`c5vy<(/ 6£v; 11^t1_y?fŵLgrQY$%+v}?:(ݺd,1-//|v'ԢÆߪ@Ey 5Fd~d<G/[4Mdy_x-,TP\O¤Bǔ7J{Pc+4sMլFt a@j r^,P{TpjuBǥ\BhE:AxaFĸ6=F=?9 );:b5|&)iQ&#Yp!tONA3S?=kE,4cKI(qo8,! 7=aЮ0( ȈF=g ,pD1s0xjU:٦4 g&,P`ZRm𒽦O)F=D .o0K\j5x5놜̩4c/I #3şt?+Y= Wo}'^ͧScnq*O4 ,zi6_dZx7U=oCn(F7p~HH"}'Q6(&=Q_cPJN_]a-ns?&z&WW +F=! ]AJˆ{BcH[DG3;l\?TbjUj5$K)+KF=P jl1K'Q'?*F9m$Y:y #:#]3ʲF= |P\:x7m3*4 ȎT#t~l(ϛliiAF= z fTyMWvOORT1^~8KRGmF=& 6"ׂ{њͶȩ<)BfjHی$Uhhy`!|NF=# f5ވ]*XW%G(ܴĹ|FMX῕[ @!+=#$fŜ2p19"YWY z9wtMMiur9n .*w3Iw+@oՅa~?x$/uل'"LawgU?r=!3qDFY%Dco`pA|A5$Sfe0,Л 0qGX Bo-ա0\l~ '.VӌT0'i^_cԞ.& \q'"dr[RxF?<2'74ܡ_e۟T=Lв3M "MY\vB?͛HHE%o叟(Y˓XuYMA*3Khw<}9TdX.rxq~iXd|l.,2S `\ uA*=n~2E%F<0}YɕT' j\0XfjVG=DIkꔹS4=$N1= iJw^1W.Kcq:Ǒvw~oBHj^SָkY ;T#U`Rul$a0Y+aIf̃[=0PߪJF=/ @)$.YD;t\Z P'XZ;KVF=܎ Ufdxٖ.[e6}W9JYnU,%3 F== 4JMu'1Hx].Y/mOp_Y %JMU Oq)݈F=k6 LM߇ Zuda ĬaqAEvoAnKBJ4BؾRUӈI0 > 5 .o0K\:KtQ%npE&y \.!Lars Eilebrecht 73-{%O ]hzn&3r{AYVhڵ:ߗk55i͓ܢ_,PaOwg@Do} aNCxM١[㙔AZ=ac)ô?7_V{ 4tu>ntVmXzڡr~ #q#87ȋ<9m 9ū|< 䭀+Pi0Q$S=,Ru|'Pc!;*'S1mᩓ]ț2T YʗmC15z>D4OO*h*G/VELCv4;C6;+zMѳںv564vMw>3E(" h/K %8j \(%JaQ"a @?z.ڽM6|; >!fV׭Y|rcSs7jQmz?ӱUڱTX֎hs @L?EEm Ur',dZ> D]:8 Yg6 ħadl<0[=I$ia-j'ۂ`büL5Y)Dĸ>{YNaK ?MÇׅ?W6r?ۨ4E= /thٍY)kdWE(BXD :iFf˝7F9Ihn 11zpRJ2 0b7GS}ylW)Iഓ5:w4U\/?E2KYO!jD80斝M<{esxG>n1((6)AƗnɍ1 I`E Q=/,bՒGddžY^k&Ņ庼n:.զqd,Gz̅/H1H̿'1ylk2?٪ ABI|6Y1= k5-g:Y ػ$@;B =tj_{6њS rq3:cCߞ$47T2@}&` 0O@E&od?:(Sݺd,1-/$+÷/B j6;,=iͧ!<G/[4MgƢeW4E|H1`ܙH&-M9@m,8s2O#la^5X@M2gFGeG{OG0[|/HNo};5#EF=?@ );:U!'C+p׭Nk"N Why gP|F=D .o0K\\Z?AڒZ(ud0&:AYX*9x_=5YrT`&5֢S!IS֨0Yȭ"vg.Ϧ g>R$?2D&IX=fVǺ'0慲]?+(҈5&8 
X%*F=! ]AJ>xZ̀ şRu"lUxL$0Y҆؃xQMF=j jl1oVµF= ݼ(zo ]a()9ֹ=#F=& 6"ׂ{<s_OIO'po @qI+@OEF=# f5ވ]~r@J0~3fqRN{h">e&zEd@=$fŜ2p.yJZ9Rq=]F+x{$}&t{tι>j Nc,[ִ̉v#2CdFJ+!k$}+\vΫX.Hh'h$S-Sھawq*F"?%OfHЍE,׻{tev54\ Y&{LE gU%Lm#Ez]rdn_~X%n%zz!ҕ]vGoߟjDL ${ ]}qE"nCNB+Q A\L# eN=u4 d/, .`1MʗiQx9 pڒkw1n#ѳB L9q`x':hY'.H+YL!XK{FK։WxqĐ3$g6ƻ(䬹(5oUjx LsH]tIxxF== 4JMu';/w֨/޳7l-AXq3\EiZfE=k0 LM߇D='oEj*ŏ>w?MxQt{];'M e =!d{֍PH۾o\#\[TjZpnq'OǶL2L-;)I^mAnyd6gUrB~p/vVɶ&rqYߋ{joݔA,*HNr=ߌLIcD1m;&%`z#XESҀa[9h?naɬPV['mP^ M:w\6hܛ{VMFū,$a!sF=` 164仒Tc*;*M>cNmrX$_m?iF= e4XxlH]F \3TTv* ӻ:SшF> ZudaG%|GiqʬgwCV}s 0溕L7I0 > 5 .o0K\> *%lv܊Q+֤`7`|̢Ӵ!Lars Eilebrecht 74-{%&:7FFx?5퍉 ^IݾK 1BHpJ(){⎐QTvP! ȀAV=9pYsrJacrqx%á_$)ʔ`y|#CψhKtwgs)(H?ÀeҀ,~}g6N0gïDb}"fFLz3y0Mُo4dGv)?:(ݺd,1-/6fj ]Ae#3È~PH&%f<G/[4MVP9j\ F(dm[sb{k! zIZwл<2:sj٨(k] y;Kߎt޴ ԫ`"%?3+,hNF=?@ );:zTPXVhZ(mB{?L.}N ?=}E,<c.)8dUa`C pJDb >F=g ,pD1sQO;H s*itiT5!OeMs 2TȓPF=D .o0K\gZMAZ/Ti K͋0t} >= }OˣeOZ3[va:0,{t>w'JSCսb,4vә4TEFWڣhvB\ yeGd=UpYY'@==< E'5[ zz=96ljȂ[wj=Bc؜vr%y޻rrj|q躦kp@YZʲ n 6ݝh I9= W+YFCzrF=! ]AJS(bWY!xeдFQc*zb= '_|<ΈF=j jl1*}fw=[  $d3kyiwF= |P\:dSux($.L p^\]F= L_ Hn[R}[f>lQ ;uF=& 6"ׂ{kR4 mܵ.J0G/8+ʏF=# f5ވ] *cIᘑi4 CkH%s7z,=#$fŜ2pEYH= )/Vxcz ԺXSCRAY; #M]fuX&Γ:D35' WL>[ &-ل^ yQWi>[RX^r KAm|Cs(g\*#/s-! ?c3WYq)PJ%Z9SRKl:$dlZ);QZzg"پ1UV?= d xXV*S*n h:ƖFk&\a$;}AұJd[4fuP/c<Z)_*DPxs;rD8ei'-Mx }l;z#2jRuH[QdU/KMWظMqWXItfnjz(JIʷ{ҝ\\‚n-vOUi<f1+5 T[p$WM+<#TR?х*O-C5 BEdH/g=$M1= >up{Czw\hd9TъJnzߩ҆ @W#9bVh@^oV _N/%Q@z+86q%w\(قEAxւ&qq*4s-bݾ)7/UF=/ @)$6 S;p^o 6JY% ÒZ)Tv F=܎ Ufdx' "y|TajggR `\F== 4JMu'kh"˯ ʫfdԷr7KmF8]{p6F=k6 LM߇ga+@; @"HK(@j&fݭ<7kF=" \7xȓnFx6S,P.[8g(1rkA=! d{֍hV6& 8824ꤓH0e = j ߦ. 
3V5Xt:um/Cйc:JcfPħ:A 25N^gN]i0Z3JDn=ߌLIcuL%1KGԼ Zs9&ۥw٧q:E]w:W^ި(: ֹD^|PBex=V6*TgBYIл/M tPF;Ag+E2DF=m 164仒TNy,J]M!v sfӊֵ+}l&bF= e4Xx>@#GtOW+-w@I<;BGk5F> ZudatQ>tc)/f.IsS!7۰nI0 > 5 .o0K\2F5/v$O ^ū:_-Lars Eilebrecht 74-{%Ya@*N 0%; V(3|'n?5kE6"u34k`iQClΡ{{S!{ ?7_V{ pWoW2)@\ EvUiNg>7ȋ<9mm|_ڣcXͫt-~ ](Fu$vEa1NP.cxp/W&(:X"n2Rv:tv Pto\?b"gtxT8Wx+JT[L}ߧl{?Eqr %MQ*|N,\ lU?r)",uY]#-U' %Tďl_Wj#7u;u7{Qmz?ӱI- Vr> 56{Z}^/w ;=M() Jb[sCuuZ3$c >S)銠$ͧɉ] YG見\XTvpyzAhۤs`ˉa[ƃEn;`n `Uz| ӯi CӠ3dQ,hIM C+4~T,^N}( |HP(~!} mվ,z.B;É7F9( hgS~QR_tel7p\_̍o:,˚i]R{IzגpꞀvqhk{;EJ<љ؅,aa20]!#Qn`/ :Sr){O&>˥s|̉3 >AOp5٤0"-YyVLZ;~ۊqѢu Z⾺Au%/okL–[ю$vs}\𹸑Uն GVP@wM}#0q3v:k#1 b{a)pVT1a n.x* z~RSk?=E,?j,#=[m{^hf/4]:8E&FlF=g ,pD1sPHv͏MhYQy҅["liϨF=D .o0K\OCBU@oh*JOnaKGS"r$*q= @~`?x byMŲB" ~dv| 콾;8ג ƷR}eut̬/0WA*VFH#yI=M*R4 e9W) :C^F=! ]AJiLt0f4om2  !Kº$. kF=k jl1%*^L]bvil_ja  :ASzk߿F= |P\:קnXQ3=jbNge`k7F= dUP緐3xTb2/\_m KjF=& 6"ׂ{ѥ2YPZb2kcQGv?ʄcg8n tAN@F=# f5ވ]y\@6d wd#'l@3*!Po F#=#$fŜ2p-#6r% 9)/m.hs|, Cv g?H'%q{*<r0fWwGTrT 0" Aq4 fic /ӵ2J9b  }Woyg9Ckx/ w#l zo`JR'V,mS+U-wQ!fzTS,FI(Γ "ӿ[\&]vS fƉ=$O1= w٨4fCmϘ$"QZæhyvpaƌ嶜 @ >U86p;3çbv6,U~;;:7&\Mx/9 |m)bTcK:9a]c'?vY1/F=- @)$A$e5\u2'CjEJs9dF=܍ Ufdx^dAx>>q7jXfF== 4JMu'g% iFL=Hb×m.;Z|kU?F=k6 LM߇1 h63\Lbsb,tr+@ q4nA{s=! 
d{֍?;D-y>>փ Zuda3 zJ8LXZhc f & ~I0 > 5 .o0K\YO@I o\U D\=HJ +X1Lars `SFX' Eilebrecht U0}J 4b칂9=*aH+u%-<>hՅ gA}f]RX&xg%٣9g0ЀF6 h]X5Ne!XhRd49YJLAfYviIqShf|K/V -'"mCgh:  olQtMLu3uK\%4h~ ~3sŞSé:C,"<2xՈG`dW*Aoobf3CX-R<[}; ZOj1L0B|ji֜#zYZb[ˀ‡K\i= \[om?[\bh>s7%@5 KI{́:0Qdu)Ny $!u$9JVOV,H֣]񇲟63ݠ!pP+n]]J@ lįe"LR4(n/hй?JEeo@;Q;:* "&a?q n&J>ӶݍM,/yu3j| ry0c )zU0ڛQg%!tf26ȫO ,M(mD-J{ƫ%x0EflɭYV&sJP5fZ{PV)UjTlqk&lˑr7Ӯ-f*kulRNe)hLXr6H2?3T!_j" _741,UtcWZ|9bf`x 1:{#/x7za̼tdl9Q,Ɣ޲/0gI)csp%R>< ƛJZ;_$$F9^2ΉݓlIuyJiDemFH`>{0g)nR6597.-}P<օ\-շy<@eX @ 4к\b'XVׅ,X]R@ۊ259S{r@FH$~$晉74'-{%*OҲy l@‰ Y쮩|}ŐՏ9<\ݑB;c0W7t~}_0L?X"ԾuPzJ{ ٢RVf뿇*OWX^>i[g{lFޖ'7r<">Aq[h3Q7: ȧ7^yjقO|YC16 eyPٺYNOn2Xu }''+t=0!n,4ҕS|ҿ[[F=?@ );:K[ OB{URGyɔb'!_,s6[sH>]wv!,=$P1= 8-IBg苤R mzʿݹt-8,0:YLdP$ To X!mL5 twOQ8ȔȆY|դ7i.+[8?B/o&xȧF=. @)$Cg }8) Avd1K {ގqu?4F=܍ Ufdxpêl,hn'6nUI{auWFfF== 4JMu' +URYD_WkSHe;XEF=k6 LM߇ #u'75/WUAst:SN e"``=! d{֍^n` mQ0עGo.;w~:;{]y"tǛph*,!1@ 3v*ݥ̂{ jʞ tX:TN[7zK 󒝲 P;=ߌLIcL/|A Fq~7d\1}]ָ/Җg|&"C?ZI{h%&'6!@Q!kQ+}GW'9?מ$9{ޙe &=5Ksx Zuda,O폝f݋%l" "ԁ)գ0E+N )q[I0 > 5 .o0K\gIPeM^G2D1Yy'O33Lars `SFX' Eilebrecht 0<#M>A;@ĸ K?R2p >}9OeJO<3L)T^tSqAdvf WCw MD49Y{Y6ߕFùhp*N%O^l{b]*p.s$p(? 
Nt+U/;CwG;[4upHކO!IOR1uHMsgc7QnFZø0; |V} mjᦉ/>GFުm{2x0 p~#Jypt8>[X7; g΃룞;sl J@"ezg6 q{|̚8'~e|ԖV) F՟d|~`}oF X qHB̉/H_/#+TxU pb7"qD׻駼MԮ&CU RavV(<_fOO p~~J"?[d>nq3P)KV٠ֲ(wsGD(ZUp/ѷII,F'su61g4<7!.QMZmONZ\wy8'ULf:㧅E9|9arnyS fv/@%w`QH<P<20{d*FU/>y {] fuB%=u.5܁]ѧmvksj &=f}ji?=^lZ#j0B؅ji֜0@RPuȹFN$G)vjV{f!Ɲzsb8B.,UzaK^]i&W7 $#cHTpu|WNS˷ߚ(v}LLH8oK77_+E.ŭӋQfqUN-X+}sXA1 m ;)?aq>^ 溷ȴڏnp~R/U/휙5NhMۛ w^B6)wf%aB<÷6pf bIX`){Ӗ>wJU0,Qg~{JD;ʣϔ T zYIQ{sS͉0ھEflɭSpW#)Kpr^7XIiHZKiMD lB)&Uހa BDRDE&֭:($=ݼ#SނcDȮӸBû]/8Jˆ Dc7C0p^H;P |us24xω n8cGUo픀iOQ_0KŃOO M2CC_wǚP|$UqqjJ#*y1,UcWT*cz|@J^J+z|8'xz_MRm7 dQ6SM ;h9/L5VpyVE2 n kl|ivʓ>o d"wіQᴔ;k xG]؃J@ *99Uw?/(66}4oͮ/߀@}nC[9i*VtĒ2ؗw}JOT$G&ǵِ^774R-{%8h{[l Ij@9bFuHǓ+&%քīď6$μK9ş>Yb5tZPr^+"/A%H#wj!Qw>t(HUCTl];ѸYnU#8h0fAa;0:"Uv6-m ޣ)MQ*L>4nK,DE ĹuTH-x3Lars `SFX' Eilebrecht 0<">Aha&&rg]urzK˺Y!0Nza0C?LQ7[_o[?{kIz!.X3lS1n:ՙޱƢg/ͳni0Bji֜{(=t'NSJ vC@'JVXP٧(`Px[ 0/(^*Zr!ö預Mz%8!#:MHC5;C ?4kN jYNxy0R3du)5;֔|G~ OU ml4dWPafu,hOH4m;ի"0w:s`MgwKv]ns=Xpגx8#zkyWomy#/q\74,Rq6iV&5Ӣ.U0 QTx/'C,xs[RJuW4蜷bnn3El0Eflɭ"*ȤAZ1$>1 aXIs!$lOwiR{rY|goѰw&x~b@,aIeb= ~]GIu*581,UcWVqn9x|R:Zbv4"0X4H{ZR$y<1擫Armud⼥;>|Zpv(j+KVn0TGnhS9Gd/l+.u"7 U+WC̃׷#D&5량c58KS:n Dy#`5a$IiK~]A9f&'hA0Z%r )073ߕ{b$a6[UOˁ!"mDґKH{gQvZ~Sꞓ`擭> OX}ñITI[zD}1$%Lars Eilebrecht <$>A#TGϳdYK{Ne JYYFPޗ4Dzu|վ ukke#"`az4.|vGY%Ci˶׀}Z :gdkP'b>!zl01xF=?@ );:YyYھAfgهAPm7"QOt QʈY:?=E,wN1X +^,"{|gj׈E=g ,pD1sȁEŮW j7)~NvwyxM̊`шF=D .o0K\ϦC~N S Ip`j{ ii=ZhTGiߚSS=  ۭȦSx%$}ANJ=&I-tfT# *^ICih1rEWBE<cv HTx!+[6T﹈F=! ]AJ.LgLmvNw@OR6HU>孴‰aF=k jl1${VM.˶%9F E )҈F= |P\:׭䑣z{x ՇZYQ0=pBeqɷ++׋ΈF= 6(E%'24 hw#JΚ"F=& 6"ׂ{Ѩ=8*eF]ԍɫ#2ؐ> F=# f5ވ]bqY7?1PZ4QOA1m]=xBχ=#$fŜ2pRN5 )Up_(]"󋳞U=#}Xp fOCK9AlDI<<Reȳ`FXcA Š+k8ٝrϦu0Ŗ34-/Bk?\,KE1u<ኩ\0Ua@넯,vBq1+Ba R)"y”e ~>F:6+ U/ﯕ.`'ꔶMZ qq Zuda hە|޼ M΄i3X'|LI0 > 5 .o0K\v)S:F<Z^8Αr2*hvJ%Lars Eilebrecht <$>Ac1N%K(%rFÔ`Mn^^-)_q.?s9NN7g)YӞ7ӘRf+|1;}uaS&0INMxC0F=?@ );:! el*@(2=5zKqQ M?=E,YJ'0lu*&aZk^_a4*4>LF=g ,pD1soro =+N]p]t~SF=D .o0K\%­u5^7J=IZ\C!&ɆT_gH= m`(s0P=RgH{Y/=PLv[n -8( _Paunr-!G`˭U#hƻ[0K rkr˸nF=! 
]AJec"%cڦWF%c@$Ji]F=k jl1bOcb-k88H"hRo0_[(ZB嶈F= |P\:׈آSZ7Ad^cq&+N\ ln7U F= -aD \d 8%k>wE@ĬdAЗF=& 6"ׂ{&`̋]_}2%+CZ#1Dպ_X7 vF=# f5ވ]uڎcZΣN!π{*kd<. g<=#$fŜ2pOb}K:=o._f-r?  i z#C{݌V@ XHCn9Aw@scv Cdp 9E*RόLjdB*4}љB^bZ[|/sHQ*1Xx^>ϜBFjnbמ6U?*O6SJޓ]>(% " U|"AF7ߌƝϞR$^ @NKxS~Ju`l(> 4U9Qc0sG^afb'cԔ(Y4S94C#6yѣOߺDFw/aM[b$ 0Z|>jE]A?ˏ|Fy?I7 ;ʣfȸ]1N=5?gWḎ3 T=5> o0]{B}d]EHMSOĄq,ZkH{H}>Ή=$O1= I1#7;>e`5>מ :߽ Ro^ւ+0][<25< ʚ]ӎLL&/>7}͖O3>Z33%qeBN!F=܍ Ufdx t82v^ۮw۫#7 Z*%F== 4JMu'_T< z|"蜺V;..$F=k6 LM߇$fO' N-l]vq ^c\qBpF=" \7xȓ(AWI}0adz$_rBx z3 35fIv 7F=m 164仒TJSE؆0?0fMR9oVN'݈F= e4Xx?g66&EC9 MޙM}XRF> ZudaޤBzLLd9j NF50>I0 > 5 .o0K\d*F]2ir%s{q=,Xqj 8iY8֙8hr}n[Ivӑu0 T^~ 5IT~V3K6<)pyZS-}Ńn |QUreS'5cyW:oXI0E}&*(U+Daniel Lopez Ridruejo 8#&*(U}Zzlҭ?fJz^9#77i^_^/t2fҀhً00m_il-I)ML>$NmorݶU2L Nu?W0P<f*G Bm첛y6 xPBrbb@apache.org86#xPB8jSgxpE a˔*R-T>sL0ssKwg,k1U'=K: | c @" 8KFD;q9n8lYmqhxw~&At,Pc0{ʄ]!~毌6$łʕ*Wm~'ބCh n>$/!r@-RL)f'kDgl>ÌAs'%Q"mIs9_IeЍJ?89o!Чv_ 6jcK/`}R4H"fX-6)8-m&B[ u&&ô.AU*wPkP_/4-^klܙn}҄a;3@֍ː 8k>63R>Ӵ3T/Marc Slemko 8T/SfCp«yx{Lh8><%+97O(tCTC@L-|MLF[@h3! #41{vCos7jtg)꺝,^ Ӌ1wk[e)}&`%F<_()R?_Y]X `9#,k'qРjK^{՛-''#q/jO /^iyB7rhf((bċ)$Ask Bjoern Hansen 5y((bċ)#>"b`q摔qǠ EtG"Td,ޡ}XVRQZR1Fَ7ޫiPLWAEԘXz|<1)qf=~dȳnU?5{ =8r+2J !-Xg]qtq-s#y,巟EZ BF6v hj.M&<*iKS Eϗ^3#Zc79#u0{ R`1!AJFZl'$G)F՞+2ӣ7*0C[[)kb 7{-iօqw'm@ڈJFr^je~&:@H Ask Bjoern Hansen 3((bċ)_Xt MszW8NW@.ZIyʍfZ TrW9 ?ެ'#5u %P{:-:9/#{(\]bY׷ XF$$Θ5y((bċ)nM&6 W8?%N_f,Crm0\\~-]/驈 |CwwMa:rtrht؉.pF͌a' Qrx"{g Ask Bjoern Hansen 9#((bċ)Xgݺ}Fߓ)ep"w/*GW-@(#B. e tG3 ՋFۀ^09#((bċ) UdݹIh0 /It9YBz)!/YO:%,Q/VZ"x>G9})(R'ƲЫG~*ZtRj'X/૊ 99[H+E X{#Իz!p'Dxu524B% |:aDOǑ&{o3Dz!ɒE:wHUXSba7tSrT:`VUOWY~ \1yM2 2G%Ί>deml_++$p*;[ZE[a g F3M.?70ј[|߆Ubx-e}n^Oyu*William A. Rowe, Jr. 
:ѫPSG#^șQ_a9 Ծ?n,e%oiȲ٩­Ę.qI =ç][^Ῥ:^Âѽ :DRg̖ZbkC>!3nF;R( UfdxVQ0ݬW'M| .;:F:{W );:;o3;~$9&%temت@'F{/1QܶB?T6e$to]|6?:tGo!Чsk.(1Gόx|ƐO60A'rz.eV wrowe@lnd.comF:{Z );:b_:ߟf t¦t%F;w @WSk ^sX9$/kS Sox~93Jv  IlF:{Y );:.+K7#bZF?{$П0VF;w @WG_ M}_%tir zӚv 4]X2$Ż?sTz9gM~̍a4# 謄 5?%Ny*HL'UkFfKm >릙o2DGIY&DUO'xY`SBZx 'mH6 W@F;R Ufdxh=Xt~o`ӯhZbJ#ψF:{Z );:FR~dps:Z@:az7$pO FTaf7F;w @W?!Ǔm/C3 Qɒ$9>yui~OmAm(vOyl M2'uxr-{t[6у~㮚W }D6f y1yh]\S0H,#ƚ_vٱ3'3_4o-Py?G[ŸlY I'܀PMLbm] ŋ$ 9P0# 7!xU@,% At~3\x 0 9flDw0d3E?:tgo!Ч[eo"n.)(Jݿl)U+F.L`) GHjvgi5^h+3; u1g&BT@gX߾{\Yz1M -1`=~qq)4|+JbTg)yZ`@԰-MY:?dFϔ?pyш5쭠AOM0xIQfIrJhic7c K}W P| 3zfjd?&E:VO̔Aǜ<6Rg{HU,q%ڄ=s8Ϭ> עZ]r+F0 SՇ]YaHg (R HhƎ"vR^oݘ3\춈J@J<+&tdV0-φCw Ƒ_X4-zuZl07=~ /HA߃rb1 Hvq\B=(`dSG yu/Su@}8|B3b?:>"mIi?.p.? 8?I2ZܽbwZ{/'3H{ 3-kGfY%h0|c/]g-=`lwD͋ԟ)p SOjr(.|Kj.KQ{ ~\nў ri/HurUf%1|z4?X|h5 ?^2$|7Tkg"Y7E5Rb;Z׷g(M Ѻ\>]FHl `L_"|_秫NYs)2=>¾}FH?5 hLvWya#DmVB@fWY޻Ahg9}^ňFHND a"`&AVHz~dmٗ;yzzWuDAFH" E &b 엊X/ teR'9^r6f^1FG L(1=*++SKmE> 9gccFH < ހV)no1 v2&{F`nHY$3 <ڑ!hPk+G+G$https://www.cacert.org/cps.php#p5.2 XOMĮSd[?xk%lE} 6%)5׬',SQ!$1GM 1= OKK U{kf:ӉN>V?@hܡ_1M eJjw 407q[ S@<*sMSa} %k3v1;Z[j܈YH`f9LԣFHB @)$)9A*047ۣqjM?)G;°99!'VFHYDW 3Nu1=!5 P<[^])J ^gcYy}zFI4N [O4*&_|[ -WoL0rT>  C7LΝhttp://pgp.mit.edu/ ? ]w|2/JW6 #W E1/dua=NsҐenL?pnԶЀJ}IҒA )U9h4H ɰr@'`E\uZsnӰ ۏOl6u utS$XWծEִN o R#R5&tGL'Z%A./+[bj̆h@Jih [:j ea{:lLf[taA}~$) ~Q< xm z}>uꊶV.X}rʇ"i ޔINi4dˊ:}&t8Yk9!N]3IĜko ޢUgDird[iǧ8 VAso⟼S)t4m[G yu^CZjpppcϵw B2;Qu,($ա[A G~ W`Yn}$T]uѧ7^dlS(;A4R6Gg_plr~ ɫ"6ys,hE;X?*V@Z@=MNBTPTyfgGcAr4dHYބ{3<G|ڰH˩:r)wle'' ʪ1sfēt-sTTnFGFQ 8M5BFcfɆ:3z*ۣ?zAd^j1FGƧ 8K-QExDHϞ((l+]=^-fXW[iFGB s݌S5xO$OpU%04/ ^ ґ1d]FGO o!Ч-b[JsVz;_Jij`A-9~7eCFGS !(FH?5 hLvWsD۴gN j6`VǵDcwFHNL a"`(T[VXW)- ׷ $A ш?SF**WUFH" E &b#$*ם} X{6m6Ѫ^]G+FG L(1=y?zM2. xc[&r"ߠCkFH > ހV)lWSϪ6BDU0[Qy"o &%g|V!k+G+J$https://www.cacert.org/cps.php#p5.2 XOMĩZ0u\g4 @!4i׾ZGM 1= ;,~)6mkwCT|{4GqKTɡV|9wGb M2@f@jKFfϙ ǘj}j|P7' ZHzTr{~z&funӟ1:&"M_拜͜M 6/}/経rGynO@vcu|Qt=qe [>-Qr瑦-G$x-r\ I# ;L xelkVLs>ᗉ䠆)fDo<&L^ C7  ? 
]w֩WBi70ÌI3΅ ;G`,ʋoyaaӗ5{ydIޯLj LڜU1[2O ϿaskٍGv``6p\1/Xn!Kg&UrfLVo؟++}R0ũսuEl̷[3Ahg,/YD5tt|vĦ#i\Hu-m1%{,ٛ?M~C6lXX<E L &pUYe1 C1 ɠ^Y턬he34*}2lZsoȨ SQ>KA(zx O; yH 1E#cY4+Nnh=Sp&Q0.1\{H_ < Eb-j R&j Qtua+HE.L3;p$d`l`,{ދ-zMtV\ tбE (y脹aT[DG  QC) ? ]w] G Tg˛l?8p( ׹#}CJD8Ct6zShTsJ ^GJ)٩yF-q%MN.`"msu!B~2N<`f2VC:]Wu=rq}"H1t7\s*ӂ0OJ;\ SR )g U!!wXz3 8W_  Pzl`c7,*ݕ@'i QDuu^m[n c/[ }ج.pƏ*ltTSЈÀl]H.ͭ@7TAPϔj鬘4ِ"WzE\u P>^XQ-KQ\z8Y1poú2cPu8oy*)ҼD;&)ADnVʲX߆{CԤ%V&>yZU, ;k~{UߖvK*gp_T- R(atDfU[U[Yc3F]ICn ]S!9 K`Cp%˚DgŶ',mLo5bDa4?(.R"xG]0DzLaHf:KieΟ qqP\Vyus[j8ʥ,A_k@+NR q؏69Su4!\?J[w0C`z!8r+t @+M/ܴ֦a$,b2SUV=T-av.2l&zX dA\"2,Z Yú݅3+23khZCL@23CGan cA~^eA&i;nDe{+ZfCw߇MI b +vmG4a N GI^\/Mwj $vF=ԐwVH5,&f3ǗȸW]!d]+dԌs(uSbɄ \ p/1~1"L@ O8ZH'U%'B|[%&:-1n1DLG7lQЦ:Nݱ4a$JeKiXP'a/Xh5"jW]e523-=!KtƺɲjWJь0e!>9p-eǹzK=_$ݥH羴-ix aD(hg#Xh֒LaO"r%tYطCC tTI~M i魥*<ٙ2tSY΅,T !8"\CKsBNY:mRfɆU xf[U֊9 _1KU.q.uEigJ9ҙ9PBv/ظ.Gs5$8]Q2^,sN)q>F?#޺jĸ ᓢ7ˋ!So'tw@6W>jd0~I!(p5oOQ~2;l'FVd\'d_9Y[J˸*bV & #W"ƹbᦷ3^^RP^0)'Mq?v~YG`_12o;F of.~&E'ĖߔtEjd$!0`24tk9;iB߆U%sS20mJVC,hV8SFD43 j$TuϺQq? gBݥ ;;g_41i$~Str6pI֣ MYs 6RVŲ octpAixM/ %Gq  QC ? ]w^"b;{pO P9*bvék+YͻFtnml,kC7Kֽ(D|O~zŊhl<]D3)ρ72#ۗxePnxsz6!bd@[0QIƹE.^Ks망Qũ>zyg`9֚)h: Ri#W &C_pt Ϻ5X|b;@6.?ZvZS|"Tv}(γ'>%$;iYn8TQ=;d1x6,@<˲0<8?jD6ZY*rd!yRlYjןֵj5]TCNܹ JU?wFa*p \g0녊|w]ϟ}ֱ25(l ڥǕvz-"QJi!?H(E" Š҇.>0LZpsTxX 8o|Yf࣏~s=1 55gJG:jhEj%s0 li N)dRt8z`MM#q SNyDGA6]1*Kt{M@Iھ &D_SQH\1Ő^ŷI[c_$BԢY?=53BFXx@ąλb\-Z2@oC fbitS@娭lBlDj/ tw:p2oǖ! vuI#fC:|wu ws}5WLOQڦuec?#Mûw!DJU? g) ? ]w] JU? Hrk<Å&_avm9թ?卥P~זaҜL'"f&uJdO$a%8p>9/3JS~w+jw6z3CVbt*S/8]zTOetx~/J:}oA3Mt%u K\ )g >o4l]Uv{ +R>QoK~7)։Yn0n`8ê3۾LPWr$TU[m#$KxVӜn a!1``i·1vn_n[x;Ip /?z&ζ(>۫I{{S@.'.sn2:R%-/!#hʷc[50 LHPgyfPwMæ=K n,ObItѤf25ڬ >câR m:)Z9nILcv e;l-cޗ8u' |KPG c*ًBhm Dn# ?{wѻz;F(/5R0J .hCV}tdZU[^TJ#_$T) Ild+iȮeZi R`ް深 X T\O3"Rҿ$FSS$ "q:0ni:R&I0it0L]ZrP9T,7 2OSw5UYvm]裘cؚH!б]X](9 JU@T7؊rdV TQE.܃B୴ \$Eݴ\ׁcMKQ690AV\٠5T/F]Xr. 
y;vԕ{lR$6!QC8A4jxŘ&b*yx wLMqwjE!eAcBwc4oHYu8SvxIYiu[M"*f}b!EV}f!m&Od|aHb,z}I*.z-SWPQJ>4℧Ƞ-)ua#2E'q&[g8!)H>g.a+hZ֝TR.wm6|'ﶎli C}jeI~€6<9c#:ʽ-X?AG7τJ 5kaRcs@Mo_[K:6O:~eң:[UcZ,vIQLWI4|]ew1mE%JU@  g ? ]wO҇#{-aVo{@sNea܌gSva%ȶ;vf-1SJR7lVxbT]Oݣi6-?dLPJɹL{q$f@CЃ+V9 ߈^?d֛B4H,hxE7sQ!5(踔iY v+s.Xf5x+QN.6c`-F)`\V] U7fR픾7~N+>ɓAS0JY)-}7nfU$;{Y&yEO7y [(3@khc:1~|!,)90q N}lܘFJL;gp0*y8Kfõ#"KQb"c ;b9cE5t",CՑx\6v0}bS m["E?&pZcA4lj JU@?Ϗ!n#?mJCVS>;({<n |3oNXg fio/mooI!.S~F́UuL(s'D?'"H~f`5qKmAlޚˎ76F1;2~)<ƶK`ѷ#}I8zdg>iv%[)",W6Jg@k0]l qUe<77$T'evgcfi aax}<e9Χ<طW$ǘa`UcNz7 $g,҂3'Kև1"ٿ.矋⨡p;:E4nVqcmf*g&gZlf\鳠}6{BdX5(hrA}.q0jIϜur`|1zȰy $Jp,,SG4TqͪCc6I@(ݑih0C X3zڂ4&vvJy3'!I9fK;;,A!Z?[ UeE"-3.kƃm3bTu!ۋ`*&.RO W ފ K7?=CDq_ -"/mLN8KA O~݀usqrUuL1<`7ܶ?yM&]W9贚MToWF`7aqG<#]6'!AklXH@'h^XqǼ OAע=޼4lY(eiJ ~rcI{R3Nb%;64>-򪓌.ez4I_[.R"zz"')Id7X\;ւ Z7wwO F+y%m#"f9J~Z,$.+7[s{*O];rO&IؘZEBrb. i%%JU@?  g ? ]w(*hps؜TLV=杛z_њW3~Y3QӪ$i>^9;U8ߔ v7~rz'+sC>[[IfA@?k<)=`v9 Dc\["N/ôW+**`䞟䆷Z7"ZHDMmz.֊|90yq4Bomo$%v ϲ OP`D+xUvu$և)]=|nA;?=t\Z|lG =p=3mU/WPL[T.E.k2i`BWk|7KU!>9`"IH:~fh\qJRç>љ>r)bv!-w Wq]Օkp A8,y3T!!oj9#OEi_N#9\ `vnPYu&iW,bX 8, N]-)[]'џ7fӎK22_ܽ K=GZ7<_ ӯ7zD%:^CR?C5O_K&'A!Gnz9|%nKlIO^v ׈N$1Za+$Ü jQ/&WƊ6;\G=FU{.ܔ JTbp &R]"kl!~@~nGH}1LPP]HC]X~'ƸL{r?Az8 o@6s`(򚎘4E͙(o,vo\[٪*lECq5B,fctȈeq BS={šzThmPTV: lÐx!d%+J9[9LZu^ `ZtZ+L\$|LYX5-T?+W+F aږ# Q)5w GdeGHT hf` jU~ &`ҭ4O@̇C Vś%\j KȲ};Ջ֤S/IQc6|ø$up*4d;$: ߱NYb57W/ .L} e$~Pw!hG!H@I8-4a /,Z)~, W>,*[:BT7-T\p05j1u%"o#%wϿJVu@l*4 Ϥcl1Etg H mxv90Iaɴ+f11[aT~7%N]   g ? ]wk/vKɵV-MGLJpy8/D~ۓ—D.ZW#Y|YvwXnU̞n)̑Rtm_؍ʼ`x. 
sAs1t1&*cX*Ƞ@Ar +$͉d3l#\g&Mu"isrTg^rpDv:[oKϔpzi$U8r*)o"/XcQ?:[ۨEM)^u5Q-ZWn ֟iORP汙D Nr[*w9nUS¿`f _ Zִi'I0kַ>9HNzcq9ID tn\,+GHNN:܇ш޹ N]/ k,SbkF7 #$}Im]V%,x&dѡE>NbqEZୀNoJ(mSkuKP`Y[] 5h豰ujrtM^,H#T[]ZY*XW"mY^~-4<$w9!н N]f=fCm)p}N}ZJ|K/ 1qĐ<7} խ0=p;E^gz$ = @2Ho[ yZz?oHhBۦ!.i?o )@ǃ#g ?)oz"4J żز4>b)AItghdЫ BO]JxkF$k82)_lE"h"=(^S4LmUT\%%^vV}on&6LH@|/dIc| ^ KbSQ]WOiĻ@ֶHSR8SSg[_>֏K)͝Y~d ۑۉr,>1Ҵ]M"#By8&!w+w}a*sFE GEe)?uM++cٍ.Y=Bx3l- MosOt0ZSK%l Ұmٛ  .'dSÐp(1U2EÜM$vTIxkjfCTe|"/i$2[Pcue̋:X c/5a/F v`hx@&% 9Rlķhm#H{^Fİ5߬B!ϓҹv:9ag16@V"0'|*2]_Z[+~]]b9X'qCmdBDD~d>wZ+.&ތ tA*g͚P7IoMܒM^Zr@nK؀Nt.`uBS@c%N]/  g ? ]wH0z2`@vMfW6t:_s{0I.QfTiVmN\(vI[.!&ZUwLMf<>$4Sks7i9l Z fQ eGxًy([Wvki9e˨jbaryMDF=y{q;!x|& 9*3Z|PVn(̊DkWp~oydN5IgOAQՉO}`7&y{m[.BS20t=¿=t3 S6ٌbX4г S|cto'(ȳxs"XVB0{G;MDŚ 5I=!o7m-"Jsp@BpsN^G|J70U&ЩRեYZp\l+V%9s?%X0gVUތ.QZkܺGF$hT!qwW 箢5wːhG~A¯H]pw Q@"${Uu̢(vT4'/#& 7JL5H^52Mteo )VQ5}sS'!K/tEc]p^9W:IK @ ո\UquC.K.`22*x\14v8[~Kt CnfU/ JiQj` PͼM;St H. )c^s;OOc!ash1ЮOc0ZN򲗕wEA^˗o?Ʌ㮰5sL`8Qq^.O}$RQYXL~U=  x vhm ] Iڃ?|-iP cZ|5Uվj{Dilh'G ؠeMրhe$q`YSnP dKX /uGhM59iHn >%΀/@afZ-ǗZ﷛rK-4C*S"ռL+XTr;(.)S&AhV Yy՝*R5KWLJ([fEa9ߥ2EI@6}iUfD hQp/bM,P.cnUFg29@@r! v~z l:o,_M'|kBq+i䴮ckH)$m<>2Fæ>5&CucKmOWsP&/ڃY'{@1Ądz'UVC?^E&RW Sbd_ }nSw=4O~Ooa8a8r$Sƚliv &+!m K)O :b@7|5Ihu5K)5 %VU#?#Syoz9 77MOC-_XyP~.LHI<\zm%7D!m0ڏ *|p)o:yym(d]_ui $w`%l)Y݀I[}p1{>XM|ֵ'eaۅV"F\޹+k1h‘ L׾#+鱕pGa vta[$sC Q_ S/1;QHQDc!$(0I[Wj a-V%zM+P1YuB2:]c$pmrur6NܿPm)la6& e.F_mDJFd=hݗYpPdʽ854DuW[-ZkfF]r:(33kh*ϭFYŁ_9V5SGG1 ƍ--3/MxiIMw*xlv;7 s8b3S("yt]m.3r-Y'Rn@5a.0*t9MtH>mt20Mxo*8ܱҮEDi_kՄbS&?J2v!yy]H6=9];p)-J=BJEr]u+GR9*6udkmrt׶-*,<bZc]0NIrg $Us0+4C5Jo]y@5CAHր 򖴸EڬGAq :7rg%1%c[[^f3 ÐF? 1džb]'}Bib7L&=%K,3NFPӨ kF;w 0`䇛9ɵ s> =̨;-J,>I>t; kZ:(s|obm*?Bцɷg,K/o-*_ QǣGX'qsycC,PBq ciA,o}؏p$.<\n CB^Z?N2?2O62,_I٢'\S-?]9O◧[rQ>B[ׯbUuЏ~OcLũ\rKS_S R٩t1 XxjU[ŚbVݽ{zmY grwr~g&v| "k}X֮+V2ɿ°oH¡^060>- EʒȪaWҪ[jgnۥF3Vf+/e|}HQ;3!(U-:dMi9Cm:ǩ}~$_DBKdCxPP |gE5u2LCgPB b\r%Qǣ  f ? 
]w~&@=щ>y538 !E~g%GɫEXO Dϫ'&!7wPok382f++PsD <7X+mwg .u֑p!=4 06=B69% ܑv:TީHBqY(AƈZCKM{mBOH*=u{ϗ巼J#U Pm#QzfbĸOh:3YUZ¿ IΓh>m#a''; A:q وthYB~LssƢϔf9/ RfwG#OaNE`.s:H{+Q剗 :SNIj/4ZLgT€knDEce|RRc< nڱ%;T2TK#K5h%6A'"4.ƾ=7Q>'>Z(8 m +Ï=!"Vyl\M2@oxV:Qc5m׆5eKtʃ 7MA3n"xk=F + rIdV?l"Bill Stoddard :S㷝l,0U#dlH![UD$/>t&oGLC`C+cS742'=%jŁa"y+_|B+VaCTP|IrQiԖ,K߬b  e.8C#4Z3cXӐj6SBK'fM ~hMSՔRWlI`4MYv4=PW@\Χk(;;wͥJjk,k7PwW^I2?J>9v=&} oZ :zޢK#86IsI셴Ky G b^L:q~80)uPuT<I"㩐wrQmh`mk6oT7BvD{l ~> p۽EK;^ogXSr*DznKw! s^!d *Y8E9Ł *r= efB iaGqê掏ĠscKE 2{Tl)wi2q._UB?'Paul J. Reder :z_UB?_!M?cg; E~CUg P[?41RM;a*츣7uôߙZ`vǔ.* ߼l!JBR韈ᙑcZ3JXJG#YO2z5\$ `ʮ0쓼C5QUCV}& ͶnDxB9tfu@nTK PAzGh48u`0>R>Ja u<  F'*.ĴMqgܴ 2ֺ r qhkW!7EOLv}ߦk,]%[񃂀c쳤Hw6 G qo4E/9emP.#0@;f,,([ĻOݘSOAVz_RiT2I(l|Ev}x=K|S0':7 FBd='C$/<<L*P,Vgzlvic :bwM; sۻnc#vBF38D܂0 If&:$A`Dd\a%j5JqsR% OrBKMK7q.#Ɨ9sS*6(b;Y hb]Vym^%i{]WQ?#Cliff Woolley N<   6"ׂ{<wV5Mn^Ewن`volŨ{ₙ6< P :k]FfYijrsR90)1ցʛWi [1LX>yZF]ɴkc`;٦@yruЯ2/R.Hp!j&#ExΎ5h6U;{%HAe6(_雉T[<,0nwb~n^'%~ؖN}>`;{ߚ2> g+U6XQ_N^pm|Jr[4n+ҌS6π'ЀӞ ]V  < 5BWr֩BS9OnK8 V@UCLdI eԡPY_vRO==ΙWYtOvG0a|f^[r:FX+XNI 6k3l8 E||[-#C[U]84|WCl3!,*<)@| rֆ)zʕ ٖ PF=f]A|K"&^U2 ;nxix$)x,5'n($ؗ.q9NaBv0e» Ǻn"Ҏ.JBtBm} $pڻ'^us~P`RG^"0+ aKp)̤8=B >VߑA:adƇGDit3#؇n*rBh"kb[c륟[PL(=TɶF< 5 6"ׂ{ 糍:$ts=vPlav&al:'< < (̺M 6IkcqM(Ys۶A!o1ՈMlʇ##47XAX*C3¤QjN/-8[@m *-uM(,5rae@"Cn|iI乞^`Ƚ3Y$YEu+qu-K^DSZUVJ"|eyU)\s&KEZ4Z6v %rGD@S1n#zK٭3'(Dg/^em:k]#Cliff Woolley < (:k]KmGVXskAFX%*X*JG< Vi6;GDh>9.nء+AϽ(y6Lj(OyL<පp}rk.K}q:\\8{Ǹh$-@17dWPՌd[3Mr2Fj;ns?n1lRʚ[Nӳg6t/_Ke&yYɱX+ȶUtNȓրNjF< !EJ̋~wd!]`z B8e0]8>kg];^,rM{ļ.!=,K .i[00Re5D>Eʸ ܟ *{$ädF- Чxܕݞv&3lA{4N?uMKY_MY($ў3녣N듎+gav! 
Aׁ״%oDv#O%,P-yg*:+Y˿Ėn?6=eb<#=s4nZtʾPY KD/Olp6C.贂`*=0 Mٴ%Cliff Woolley N;^,  q5/ fS.(kaJУF܉< :k][*L/h.5o29 G --V)'59;jXM| 8b*)1 '| B/:OE!jݾNny#X(V;dZNj7K9P+H,a:/ү C[=ƎIͅee)Y( q6*Se ^𗕪II=Y!BБNA ΜNdi0-O0(Nz6KzlR'XD0\] (u?JRFOI#FC rTь^S&;88&6"͋u&G€l$pY]wHk愼P#< :k]_ܼy('\$(vRA"  Ob!3a 0FLݟw}~:o*z-pDŨ=zf]],.Ac/ -EUԼE\X۞'Up7NRqpC+N66 H͇Sǎ*ؒ"*l.4=Jv M_Mdƍkd7NLijj3[;esOXC/S7vXt!嚝{VP㠽aXBOmVcW=Q`PeLsŠCwKMF Z5 "mnpҔ/\$kgQqrƾ6 o C0 #F+9m2$+~PYRUL&YVf'f\5U0 YP52+LvHЅNT8{sHت\oOW. w ;yYqx4@y\(Zz܍rǧ91̽N`VzmhtR}ڞgN$3^|k/#l'|PĨyx>C*!Graham Leggett K 7v  4JMu'ff[?sY<>p˛fe}F=< jl1yeRA[&)r ^#e$Vdh:^p*CLH53m̐јDu-[ xӉ=GUyy]́a=  yucNl4W*ä]kߍD%*+l>oCXN[Ea9*L"c7O& h(4n꾀)ҲXNm"&. Y*YϹ̗rAdmR"wAѷ5qh~5L G[҆ZEGo92cZԀ=hoژSV=!R rj*Щj9%[ہ ?!l1R| =RU)6o$塬ЂYF=F +KB/1|8uxGTpv(c#Graham Leggett W<   4JMu'ei)r\o M,5I{\}T%[F=< jl1 DND@ 5)q K^B=EKQMunJF=F .o0K\1($}.n46¨F[rrO=G]*eT5b= ! yurU,?qgQ!Md S142j\P/2X-n5u'鯖vS Z '1Yg瘦xwRo(l ܯi,7Yl.5}8ǔ0#6 :vM[AZ*׈En ڼԯЃkxTdi3LWO|>#-3 hMQG*a<DFi7,;j.1L&F=#4 :`u!gf ȇR~ߩhfG6nI_5׃순=0 1= tQ ЅVkĐFӴ3a\0̰$kfV@:PVWMiEZF!<ʽ: RTw [\;'&`蚝f]5C/Vc*9y(kr=< >Ap]/Wյ DXӜ+T4$AoP٥Mg+\B c@kٕUw^ZcY"lƥ7a5jü+Ȉ(i=T<@yA69G" 7vBWr֩BS9OnK8 V@UCLdI eԡPY_vRO==ΙWYtOvG0a|f^[r:FX+XNI 6k3l8 E||[-#C[U]84|WCl3!,*<)@| rֆ)zʕ ٖ PF=f]A|K"&^U2 ;Tp.B7/#6 hD_9O1. Φ=B-vW%7sw[ :AEG>=0kucxPzL:! tq"h1 GVʁ-U0R7 j`{BȦchӈʢt{B ?kAe\4=m~OFS7EQ>*GYf_uY6Am(jz˗՞JP?7v4JMu'}U EA>#64tPF<=;zH:^7ڶ;٧w!"//p"u*go]^vؑoXP=z ,YYIQ)dRf Cx%wlUq-,$%#na\<98 ѢY?$Mц1o籋42La+C Hwz5vʹ=֞GF- {hۇF`v`m<Bcyz i U1^}Pʘ}|L%ی.CA'Ԏ%lF%WBT7z;![4$[f_-KD*$ ~%*\nKu6P];٧w    `^ZmyAildD EX{rGN i9Vv3CІ ;pL ;٧  `^ZmyA!6 47|WШETA4qKG*>ZF:vA8VKzZ U,#M S߈'+)UL=ߏ+F(fHdəP[>oZ"0Vb݂Τ.nL߄b0yc^?!߁Շ{7z6ʂ3̍jSz;}wREI=ro$|ޱ$ i@EF.R: !;L_`A4&Ns.13b2J1 /9_iOxs!4|&/'T"-7!sNu 3倐)fK9WGSR.‚UgêIi(-A_R1I$%F ~@*&uXQ}Fa@H%e툯B]koIʿ>EN*ݴ&Roy T. 
Fielding _An  [O* B]6p˔[sg]<== #F"^ W@KFAYi Ցr=.-^#x#(w Kzo{eɠFA) 0yr)Рtcj,"s@` ~XCPb$m"<FA ~wuy&"˿IJg:o 1feO1߿ *FA asR?d|'>\,%@8ϼD©((YFAr \7xȓ N,^$Qϫ߸C99mf ¾FA jѪbD}plx=%:+c(rkBY6AG_GFAΓ ]AJzEY$xeZ|_&lBa9`Xʵ8(1a/A 1= _9+mI=C 'C+y6.(jݜ0Ft1>Z]"h*P)ãm!5<~Kz\XcMy]B`/\zo* &(lg(!?.OEAK zf-޷̺""Zr#y8^ H:FA ޢ82GY#C'L1,sg !EFAy ~CPi! GETZ3.~*X$aB=#kPFA< fc-KIʐ8) YjJB`VRnaJU/t^UFAK @)$T "(7?_۔3/0MI1Ahʺ FA LM߇3pQ,Ŝc.ԞMsHdrԛv5tFAH 9S#z*DGhq}'E{SIV]tYANBǞ>FB." Q倳c[,O1gb׫*nh®ݼaRtFBu { --{H0Ef/8tEY?08^No ^栈FB vԆKx*-v,d:9%-a[ MFBްP o!Ч3@ udHl4컳U-͹OQdFB޺ 26BK&ȿ{ &ZUcrŎRqQSN鲈FBl P0-h#rw>}WXZnLb 1<(-FBl ݺd,1-/D|A~U[Q1A'O%S_yXBǢ 7_e!Ȧ E5অ'O߈BRf$ 1?ViI 0|9 rcNgK լ'ɳmLhB.Qgs^7++ƤaMhs/:m~r{1m ƈBl pl!a%ir|\E#g )S?y9]2FB ɵty|{pE|6,t< xwSl%Roy T. Fielding W  AE [O+"^&FDxeܕHOycBNoycYrlTA?:vi yuNyj&$/_zfUi"e z6/wz{ g"@C 4(w ;fյ lWuZhRmٛY8{:K6;jP> KҩmT3N)lo(޴ B|l&0Zdj .eWk„'KknYH2bO-_0Y{af_W0O:cY!L{3G\݆ ph%&R@o]0 Gg/&z-'=w9bc!vW⪓n ',屢hj|n%m]  dP׬!S9!q4b1;D%&T8Ď9`2}t#9IꠅyBjo-"9Ugk-Hiww-7 %"SnzP!4؏=rw\h\?PPl<(xgI80D1?Npcc-PHČvN჆D7 ]B0CTmo=]q~ɀD..LɀȎsm䕎0oP<#]2+xilƔ>ܜL$ t'|5NIL8[U,I8%=hH)fE=>Xr c݄&O66P.:߽]!DY[>\3vQd:/#G}~)ut[I~ӧvQkYqV^-0τP_)߆M('Nmm[,,9pVA~Ű"2IIcӻXױ-F]Mk">\-poYm Phv 8H pmcp-'$NͩZ gof:q)`ϙ,ґX2Q "~C }JC.e1[Iš*#! 1;ڮfv0Dw,eDF%ק4&(Vt<Qb$V[{N,4D,c3 WN@}Be`2/>e,Xq| Fyy-I]x'QKZOy$fHdQCGr [!V+=BqZ;>0xG fF={t  "%|3"`v޸;u oвt]F>W 1O UZC*uU;8/D]w"  L6eZF?h LFbO n'sI۴jo)}kL,ֿ6SփF@# ]'Չ=^dJWl63V1oYW1V5.޼l(?o >ABH,֍/,7adxƈs8B[g5LlLLUfP^{4x9qV]hopqM-y2+UeTHĨwt[Sg3_ЎFF=Q ͽA FAenv 6:0~?D%A԰ iC,y86}!ܝmFAp: nRž4g u4~n_ 1V?լėI%b@`ɘl݈I0 > 7 .o0K\"3į$߳6 -t=Bf<\v9X??FA& :`uov~BÍ|7+qҔ2%A/qv׈FAYi Ց皐M~hDss`yФ*J0@-} FA) 0yr)м;uxMt@d1er)A ")!5fՈFAUq |P\:./3HJตqkOm6(j>-@[?k Ϫv<'2 kc6W# tI΄p OYѭ6: hQ!>0heGh Ŵx{q\Ё6,ҁ͚Kꉟ:[o,CFO(xPPЩx..lFLB;DZC+Z݁G..,O hl?j yg/S4c܊9<0B+rC+BFA ~wuy1Fb} SWA*X֪*|].@t=uFA asRuTߐ-\!ُѯ< ՗}F!o/G?F@0c .Ѐi.j#vy7HA5e2peˈFA jѪbJu,DGejYǤS+x꬛|BK[ÈFAΊ ]AJ%0kڲ@.K yK88Ye~DW:v   [O4IrDd`OjINY-?]WLXћ∜A 1= s5wjWbnrk@W{GA-_ؼDSpfmA0o@Z=$UȆ{IH37,+33(X7ȍLFOgUk3hԗL>F? 
+KBihxQ-W `[ջ .a32DdWkFAK kM`ׁ@a>|d:vX-kc]R FA}T ˹Pcwmb7d d{e[faa) (ؤ쟰6  FAX gr--R&d큳=؋4^``Usq҈FA ޢ82j {f!eTT@/*x@3<ҧGFAy ~CPhem/c^W2q'uPcQLqT9d)nR`1aⱶݳFA< fc;)JsKGjYI)Û[Q<|F? @)$۩MJO1EE yO]`2 !2(q|F? {GO1ىFw|jngsuTUD5m T FA LM߇iU \ы,F_{pE/c9cN;]t;FAH 9S#z*4ŝWx9N?tcw=ޣTY%[KMFB." Q倳c~̾gvSP=t83zEUBX;FBu { b)]ŝ3)4M YR BEFB vԆO8w글1{»' Kϯ'u.qFBްO o!Чv[g0:7%>$ IWyc#a]FB޺ 26BK{M}ʔ5zKhFu+@z ,c:L2FBl P0-h^ڃ>19%cPby%ҰS&WD FBl ݺd,1-/^vr.|Gi~Y9CYl_Jp1PzPvBl a)RZp̟&qY6^d n޵HVo0疆=!Ẍ́" BѺu W|EN,9&d*h6_-.#ٖ\X_;J*-Pos5} M{~6iTTqi OUn-n~9w!FICb+fc#ol4G=TΪS׷^qwaPF6u66(pi~E6 I !H\&b cQ1,˔]6g;6d/`zلlHW)O Y*FB ɵto+4bMAN2BCwѦ';G4FB- 7ZJVQfEv<8+|" vLj"Roy T. Fielding _A  [OGai؀{aCzƯb0]2UvˈFA& :`uDU{N+U@&uş a߀˲W$FAYi Ց֖`h( 6z}oSM Nwv5ldFA) 0yr)2. }F2!3_(? E3iN5FAUq |P\:W.XlʪB?A>mKVDcjAI Ϫv< Pcb)a_LxǍK۠}Mt-+nU!/%BYFsQξZT-9"AU }B @FqUIvvg>h2VJ$- u}Ӂ̳4%=z 4 ^GN콲ǰ;j3+1`.hw Jr1zEB}&"r/P"/| en\qjm mbFA ~wuyD'#_grE72NvD3(M/c-@UшFA asR0 kb45 (rm, Ra%¥N&<9)lFAr \7xȓ 2.L G-ՂZEߒ<ѾB0 [C׈FA jѪb zqԦj*VF|Pg_,xg r>1tc2`BFAΓ ]AJhk݈Թ U͈\?1NS-;UوA 1= b ۍɵI*0uj03cPGqc!O~Ie Gi5/'sYˀiJ]{Mf?*4O" {&Er} tj}Ts@5ʡ?Hb)?;?ě2+x[2FAK ѷOhWPvmdKx.6gI &wcˈFAX gr--RC&c]T_3JNH Ҧ<5$!OQUFA@ +KB pI9nDwB9[N8x@ #%[+1m:6=aD?qFA ޢ82lϴb:._u0!-ȳpPo[lFAy ~CP.t3*PҌG%7EE#g? 
CSo(8FA< fc!C{GW=A&rF%ۑaڼ:5FAT @)$ B%_)oL^ miP(?I5k]iOǍx+FA LM߇7& b7ձk T.2m-IYvj7FAH 9S#z*{3v(Œֈ+\,2y1!If#䯗]lڈFBu { fT]8cSTPVhB*{$5sޅoFB vԆg]\{,*|GJ*`W)LDa~FBްP o!ЧO6>eTd7n2UEfU?z%-EN'@FB޺ 26BKd(GbA@Xo1FBl P0-h;rbXȉGd4|dI2?s/nƠ1]ZYjFBl ݺd,1-/hke~5{#]l%zawc_mBǢ 7_e!fUmY>gKlǬcƑ{Ϳ(.|R1r'fy_AW^g'0 {.x'TIiڳN"$EU'/B_.WZUvjg˯[Bl b" A [O34 TyI K]9-pOj塼SfFA& :`u@`zN}vڸ+Q2ٶc3,RFBRTշf5 FAYf Ցa:s0="OEm$X1AUa3BoDFA( 0yr)k{HEXҠ Jp>}?-FAUk |P\:טĴeaz:'˟ZfjS9YcAI Ϫv<ƆFSpʼm.qCI>= yB ` u~/ 584:a<:&SɫƥHў2"LZy:sMwm/ndzGe Y''(jͥ6%g79@߼; EwӮFc)&v-fQ֞9 sN:%6$p[SPӣxZ+m he8|OۜSdFA ~wuyiِxߛʀz֡V1iX<9FAz 'F$<&dh5tHy?kW<+g+FA asRU!3V{3/4 ;Y'x !$zxFAo \7xȓrc:sRu_Oڵ3~ԶwY%7FA jѪb`}Ӥ_<(, N̜8xg!Dx?` 7FAΓ ]AJnDOMBÔٴMӅrAwy<wAQA 1= G-}& B͑r|Jef *@]|#*_lm0B)"Q3cz<2,Vl)MdXC$uMq7 } plgFA= ȭV0Ud\DFNS'2<-0FAX gr--RZLu`mɟ;ƟB^n'{މ{`FA= +KBQӤZC17z1O=^VNoJN[aG|+LˆFA ޢ82<U7Ŏ)iGiK~ AxTJDM܈FAyy ~CPlš|~e ʂ&MbsrުEDFA< fcX[d҂Ql)[/T|SWn8 !+s<獬FA^ @)$%I އ8N+GR5@NIW=g-5{HvFA4 0Hӫ+ z:e/j.+Md&n( Ay c'iFA LM߇TCq%.&IY>@Sk3Df?4K|6FAH 9S#z*$-o8Ar `;D4>i4?޳ri'AA $l|O]Y 2bNyv7!|7wwd|#W~nJ;/) -aPVd弔ɫS$? !vFQA:Ved=SAl—}=)U#H*{lM HRQ yTo 6>Μ5~Q)UI؝N_'Լ+@wSL3@ ?ɘ8)l B/&>>}0@r#&(^47*aø 3JjP.$Y]neae!L:xtH*P EFHhe=1_N6ɤCv8)77ndUQԏ!r(.d,;ca;NMy!ľ^5\s# Y{4@J)ϫjIi:!Uu85k~J(LO{:Bqq(W~ @_Vt KSZnFBq { adߚ/MIlԔ5.c,1ؿn k)zFB vԆz'?yASyr,L4Q3Cg3m<τ i'); FBްL o!ЧI/yt)Ql~uVG<٬!@xT)FB޺ 26BK/di\f_Vڨj{~?:MehYFBl P0-h6N lh<I^MrR _E4FBl ݺd,1-/#q̅R`{tous'Y}mVd|:LjBǚ 7_e!º?YhJxj?m6tٲ86)S/Rn7υRIeƠ K5.HkQuC\i`[5y`4p$ˆBl ] *_ ?Ծi֖^F]Ԑن- ]n\YeKb# {h0MP8~R";:> û.)$~S\1ẏ4EПev])G7*F: [Oa(U8zYc:.e;"@<%>]kFmƙ7 5PZ6K$s!qj9 ē\w2ѴzM~3!X:j.Sd14V!ˎ~VH3:HOYϸق<}7`fpm %Yoay*&E .9ǵrL|pg OKz~_!9$#<%Tu:a=:Dj,SwFB)1-#PQr479l!Ґ}9}f}ZlqܷO:+R.h]cYGY7&80x_ejH) _P#z]kD[rZr*wwcWZ:Z*ZY`e5۟i؇.G-Justin R. Erenkrantz W;   d"gq?y̞RcVQmӤ B fXF;b !EJ̋~9E lw][4Z*8!Zk/-Justin R. 
Erenkrantz V9(  d"g$kR SZ| M̩i8 )䃌KF;b !EJ̋~MlA"R lYߚ6(uq#\nV;ݛ 7BWr֩BS9OnK8 V@UCLdI eԡPY_vRO==ΙWYtOvG0a|f^[r:FX+XNI 6k3l8 E||[-#C[U]84|WCl3!,*<)@| rֆ)zʕ ٖ PF=f]A|K"&^U2 ;.1ö}TГV@o 珵#4%@}yޯNmqRSodHͥqn] ibBA7}z-L.R'Y#974oӼ)>?Ђ{Ǹ^o͞a}; +o["͈F7 d"gH@nbI e>Pj`_! S0jD^aϞ&Ǐg#uQ^-<Oz>x߫E6Z㭅)&,/L+}[ u ۆFcB@౰jZRa#PPyy4蹇 )Ꮍn:LqPq({ί`CX.cgW?I!(S򭖏MWc,tܫ(t©~E}R^*T {ɜ͉"8C Ian Holsman ]9d,K(&(ޤ; 񓖨1-I#)lbc! TZɌΝ5a* U7i@Wƒɡq9jm,zM?%,7Q3–+Lu1@@A>)3@==r6pF佶=$ǩIA'5 o+TT?#BtjOuwR\I,YG`n("7toELhO~S:l Cmyc(N7yG`I*B|̒S@ְ M澒f4&mI~iw[۳D͂st[^,S uw{KH&xקL/Aaron Bannert W;   !EJ̋~^F vg.x&*s [q e&T)X>8C҈F; d"gԞa xnMPT}T8T6d B^D7tKo U_/1 #Bm"_}7I<%0'͊.%#4VW;   !EJ̋~35=l̷%LFW;*   !EJ̋~tJ&?|cP儛۟W&v_C},m _Ү8v"Sn0F; d"gwFM=li l9`T$?`Mͬ?HUrAsnH1Hs9Xt> F< f5ވ]Ӕ[~{`׺=cgQZj 2$JY, !Aaron Bannert W;I   !EJ̋~|kI/|5NŤ- "ټ|!}F; d"g,j|bg4D^B_iIʑe*gM0XJqR+"~N I{>H9*iX͓mY_,7RQݾnYۏW*.jš?i63yqKZ%4qwHy.MA[ u)꺨 /("#UfU6g6圠2XH\APݗairIRCr.^^JD? w QԔ+($T{}ғ^@+],6tl4waVJ2a j7伺q8lJN#o+z+9o"E礮nCIqX{--zĶ~{`3 L"bݳSyl%Wfm=hױ8?yɇc91Iz|g"sw\KgK#wPTP__]Ҵ)yι]Z_z`]<2j/ӅYl,π$Brad Nicholes N9ȭ  ]):NzC>Q+}b+@i@),e,If )粹 9ȳًg$ܦU8ZF h6sP>wP)P$ŪЪihE՜؂"};SZc e6ޙV }e>,Tֿ51]EmdVuѴ<#M=2;$e3a':G[!Ց+jR!?l=. 
z7ʮ 8,o K@{< \(V=QXGr :5R_73e~82Z3WُȈF9ȳ ]):Nz,&<muDr<:oCXzpd.?td4dqעN֙7 =J*D(aI!6s ÖŢX\GH$ -Fo@i*o8">5*oGTP!3g۴E R!VW{f#Sander Striker Wv\3?9K5F<Ϛ2 d"g,\d w=Wz/ &Lei Z*j#Sander Striker W<   f5ވ]@Gp+'b| 'gb_ۿ$$G w/@F<Ϛ5 d"g]Z_'DF;ʚy$NhMXbK|1[eMK6 <_/ܿ$݂W9)ss߿eT42#cL .K˱tyթzx̡Qͩ8 -rg 7Ya\)[Ӹ%#uCGTd l 87'Ȥ_ os\۷`%8vZBibok%b91@K<[Wd^kYgP y8.cBi^)o%u ;\$Ey-!`P&=( `+v w/Zn# _bx'+ V7υ}٪kAꖰ#z?*EQ5˸^ӕ\)}p\<j;qFMך VR91Q T)lm 4<ک̾-{VT(P+$!~ \G (J6 LdoUi[HD}=Z^(z?)!,iF< f5ވ]=?@.K/久HRXzE+UQ9h+u'{=[D$kԒRR(m(lw6&;E8ejŠ _~Tb'{ZCѬk1=#p)>/Lǫ"ز*فP6H^{LҐd#(Yb3j$a@qc=/(:;N^qeM bdz(o oQ+R f8śCFsٞ-N=$a>]}fW=[\   ]AJ1P{ޅf}\ĥ,p>xTyKui߄^tg״Greg Stein W=[l   ]AJ){ hOH́Bnמ?03#Eb糓1Greg Stein W=[ԑ   ]AJeP)N=Gـ19x)L#t:VvԿtius,ZS_pMi,7!SvzM\m9tطJןpm1)j_>x   i9t~eGPG\CL^-5Xkޢg,z/YYJkjNz,>u5 >ADzb~BUrtv (_{RR̡xx\(0Nl@cx׿gr q- j" D&p.=U#(lLfɥF>u] Z_krcK  pM}ňF> 9"as -+e׹6V%FB)l?n#È?>uo!Ч(+؄D)Q8_çZ/w ?uv=<(,GI~]sI-ai?>kE,2*}Y#Z4nښ@Z)zZ_t\ˆF?}> ͽ_=6O   i9t~eGPGŝۡm[{hۓccj.LѬ| ]̡>u/ >A$J]wU4Oщb. s3 58m y ERaDXǟU?1*yފ/_vLXsч[Brwm^kr F>uT Z_kruQ'B6ԥ`wpeS:#,$#`~F> 9"asG&J*n~VR_W,3^zs1J2?>uo!ЧAN "m[e:oW+1~!v`fB.F>w ?uv(ǡ,5OYB~9cxŻmH?>bE,~d6PkJUA>(=/0BڋF& F?}? ͽu] )t5.HϴAndre Malo _=6!   i9t~eGPG,CE#*m(>Z<ϡ&|fr[zK=U>u5 >A(~rC-De42Eg"eꁵ@$eZwqVS׋5|dK3=ZVEP[4KXYN1FY&4C{iIsտzw}eWI^1[F>u] Z_krtN*~ᚁ1\ [MӚʩX 9"asXjiFcݠãc8=m,Q sP?>uo!Чd4$4 va^f$6HObHVr-tLʈF>w ?uv24#.U̡s }'JtE,)0ط.EG0hܱfd}iِpH.F?}? 
ͽegb5ؿA7_ u&:x2LX\D:Vf4ݓQUhUM9N=6\ i9t~eGPGJJ!K S KߎwQ 5Ϲ =6}g9V0 7J*2DK7.ڐ.htQ"!w6]jwu丬YkؔXKf54nd3t |HBC@ V_<2_ {B[Q맮su`u3ڜVéHg͘'Ud0>m'z_>][RYNz8{G<+给nob$V +5Byk}Ցs믋61E}Q }q;ۭ%x۳+AzjD+tU7#Z^ІK_.n?-kw(jƌrM~G% ͑cuu͸V}unx2Fؠ[@-V .OY\kuBP|'Gنp1a'Q)pm׵.22hx@ uL }S挊ҧ@݌3uo Uy9 Å(#<\PdN`( ?Ʀgnupg vulnerability :-( i9t~xX]aoJc)xwP X'pR,6S&N=6 i9t~eGPG*בQг" 'xu6=/ 4'Ky"@ 1R,6Đ/+$ɣ[+tjj1um&asOA#4ndAPei&xE6_hNzcm8L|($}~%_OI{ "= =F"g_PW0M,ҹ`'i@?DOw` N@|՞Ywm1Φ9Ld'HP=ضtwd )UL5j)tN1`^_i).?D+kF= ?uv*(=$jL!ô݆QFZ"s A_ QЈ?>u^o!Ч,wUpYgƃ |N3rm}g1VlH>u߲ >AM ݚTf>> TdXvjn:fQIRr;?J{ )Wyzr֐m"N ~*kyۓ&wv㉏9iQӰ)3w+OOW1%Nb TZ8"3ՈF>u[ 9"asXoy ]~Er23Hrn>F>u Z_krp>\̞I}-g\B,MS%F] ?>UE,Kvq1Csh||3z#6X}^F> i9t~=Rr~b}}AxApcȉ^!Erik Abele W=W   ?uv[*%8@ YgN{K4>X.?>ufo!Ч4qaawb?PNmd嵛|gΚ8xO>u߼ >A' /#DVSPyfcmn@aȯ+J|7xX'hb`1bpiWs&BlmkHQ C`*eDz8orkv9KBEmpd|. aE>u` 9"as buܵ~˭hr7[v$xeE{wu`NU"F>u Z_krSKn̉݅ 5Kfίs|k7ܟ?>`E,,%B i zX%$_d3o>Ppb]1teS F> i9t~ڡ5ࢇ% 쟼;K:t0J 8k|D/ =/Wu4P (kG$K~(gxaiCc=x@#UL.AvJ )qFͭ~bcKT&:-!u `Bfدv=eNn2:J]\VDuCon9Bk]%==_|MI.ƌv08" u›1ݱ^ƟqGsTo Qz8HL;nW7FM nRP}T !+;W>{"z>[h'Ƈ9K YoR}%n>m_zUgVLQs[_1?&@ih=`ȵnd«6 Mk #-Ծi^m/uƉ[ͯZKC>jUOw(>pS>NACa8rп`L I#jLP=IɾI:+톄Hg70/UG8w'36#%zxPH/h=_/k_ͫq=& p:*oUO1S?uNNW3#dyI`~9)& %Pv"_"t U7t%2ANſY1-0@T eXI:/1;:P1B ߹1_T^V ´(Astrid Keáler (Kess) Y >p 9"as]:,@VTDȽ 3/+˲oIv0/4pF>zR i9t~J3h 8n'p1%dZg*f(6 |e9>u >A.Uȥtk 3%4cj`)NDT/G_Z+KD28JMB 8r3*jp,^JQZOa2&}?NZm==U?>uo!Ч*}QP+Y(OuZf35II`AhF>w ?uv6A~"42'R_)Jj ; X'14)-F>u Z_krbnjMPռ3zt~$'dd[5jd`݃F>#S E,ziF?ɻx_5g*;"A]1)Astrid Keáler (Kess) \>x|  9"as)0bRyfV15 T(\&>y(F>zR i9t~=uFzyJ[զlCByx1ddrC{>u >AL^# iHEl`#zxnGYnOpdjU~:D S4OL3 L">]$VO}}vU|dHM)UƷ^ &1+L3h?>uo!Ч0i#yrG(! 
Fi׆tTB,ë~5׽܈F>w ?uv˂L% ?*?U43|EF>u Z_kr$hqKDTq^!JE9Ar3p쀕/ F># E,B>LP~)q>)=Yo/~д'Astrid Keáler (Kess) \>x  9"asj6 ΙEv릷vLd4bv"ֱ34eCF>zR i9t~hzLy"Okuk_P%\ך>u >Ac:Ӡse" ټ5)0>kĕib[S$]/Sy7NOwP2:RcTY*M_eRE|3“Ss,Fܜ%a'+?>u o!ЧqDV}3wж#'?*BCͯޑmH _Q-E>w ?uvx-\>/S']L x.G}R;B&xu']F>u Z_krNi#o E,uȜ3^ 1+%4ZLFbYMF;Astrid Keáler (Kess) \>y  9"asVЅ[R6/G VИI_ lFekmF>zR i9t~YhZ$dy>t;ڬ$.>u >A̡>!8vq}Ny~)h$'?'sǚ ۾Grx 4{HejB)2m*\4HK7 Y E"]@ϭfXy&8jSY?>u"o!Ч = 1|ALlz ͬ>+SZD@F>w ?uvm,7AN{ R.};m:h.Yb [F>u Z_krhᎧ~8D$CL2!6*iTըtkyF># E,d6e!h4PLop(9&&}!(Astrid Kessler (Kess) _ > ? 9"asFEYKAgAf ځQkص%e['q`-nIV >ps)^H%_G#a }Y~?I40<I3؉ճlhgouSմfYS1Wr#nw*.nI[}'3\ xUlmt5:6a ?' @Hmeʣ lmW{^p ]E6ڕBު_Nŧc'n1J7k'7N߮=2VyTa8cZ7$qb!Rs{| Җw7^JwUhj{fìkoõPF RI\(˱#GONNG*{R|32=t1*t ]PBY|eiUk\KmEN{ /#u!$ee5v֨ߎ8T:&rFոT}H]͡01Ocd[ӓ"DF#MXv=n0ӽv4VSb"݌%FG@8:!&To[ ;|7vKe`L F>ps 9"as!27H-NK+:F"_#wq!>_fs7 @[n;Rl4g6vT'AkOzYps] C5ȧ|6Ue4@cD;& \RF 9w7 0G׎x3upד-+>yf"bl57r[YGl:D=(q[VJ ٜ]ٳ5P3ʙc; O Hь|ҥ jY"R{ե-A@;^"\xHtQ51/*љ\ >_ != PdQ,t5mG$nNAuB>EJwDJoe Schaefer \>`3  != PdIHmb⤽$Σ=8c4ٍNNx+yb >_t5W~jǜ<ƞAz4Sˀ|]ҷ` Q'MeK^ٱ#45[e+ߖ|:r2l֧G]R|yixhapb +#?Jo밃 Ӌ9}\d-g6i)K qYE,g+m2wg_EeYڒ)\pe~<<̶zIr>k/W.T~x GuF>_ != PdZR^V<89u7D(58e}>aÂ+=؏оUwi}V4}w9l T\ 2 z@]4k-ˉ SI] p4cBf!Tk W ^=玲ϔ'V7mY>t` J]qפ=S9? 
:Rg4s~pR6FB87# M`k ESf1w 'h+C_t8 l)-)99o9hQf䧙wRolrW5,F?SL B  != Pd7Fۨ0g d~1 issrA];;PId@Cޕ7ugaO4RVR@{Sl` i"P t2ρUh!koy?4W6Jm1IHKIVb+[\Hq[ tE ?*N'>T Lf̑ 3wLA< ˬ f_1?Fu,*4BU|U 4y`ت*s %oɇds{JBd nކqi>.|ON88ހ^L`^X%ESRr qy\LE愱Ao $78S2)"g{|fUfQ7 }\yt+[B_vbOkSO:EϮ.Gregory Trubetskoy (Grisha) ];PI f   yF#\taʗ!N=H4o&9O{uP4rrw.Ɋ ;PnbN%abY&L{G؏ kUNyb(W{3 U%թ>wHoώ9^QFT+ӕ'>4DŽD,@_JBZä|wL÷9`an #'U;3.1=cn~*(x.yCDRCzrȳMܛ>nn܂k|dkw&>4L2A=qZ ]Bcv=.{U,?~΋z$XdrmkY3KM8U/bk)]RtR;wͳ#څ'+h$5p+S”QFENX 5s{;2R 6r\'T5͵\ǽ9rNj\s%[: T-GsI)O7 $ l7(Qٺ?BTIp24fsV%ρ )[;] =k8NO7+qγU7vǑ.g݇b L ;Pn f yl !TpS5 OҬ<5ڳo#ds*:)!ՙLt H{?.td|5K ުE{{}Wۙ"M5wZݻ |5Q#ߝX>`N#|0ۮpp‘:M<lJ9^靉fl6eQT;ܟ#ո̓7LDȀܲ;+m2}tBQG՟`U2 ˟Y[9bϓ;/+U%ӱ?m@RO9NStas Bekman K :)  ̲FlНt?ʇ\3y / 'RA}:џL SG#x)@:ƥBDY$,'O[KtMd3ad9=6f8Ε􀭠u${4: EYA W&. B3oppJ}$MЏ؊nF;R Ufdx\6nΧ=Pz on^#6eEb; -&WF;W7 2åI@0Ged0a̷V:l*is!=iaw :)BWr֩BS9OnK8 V@UCLdI eԡPY_vRO==ΙWYtOvG0a|f^[r:FX+XNI 6k3l8 E||[-#C[U]84|WCl3!,*<)@| rֆ)zʕ ٖ PF=f]A|K"&^U2 ;;M;L0ᢁXZ_Ԧp?)@Ed}})Rw/l6wTe~36Q*k{"CnT!iY~CK9Ny¿xG/g7>jXJQ)]S1ӭK1y~\DNU"O}v5mPEJ vf>ZjKdo9Bĥ 5*#nܪG!r >wz凄_Vu?:)̲FlYX X w+Y/rUti|ˬF+R*+KXbygEdI)Fb3]!P4ڢTsb۫5'AM E ?m?L^APaul Querna ^@b  uBr5a8U?"TPjPRT8[`VFA asR oz( tDVCe I=`QPj }4u0S>VhWexq Ea6TFAX Ց皘<I=_xcOd?E{aZAkPF^FAK ݺd,1-/{8\V+b[-f1>@PkAӈFAK P0-h>nt3F5IEj_0O'0`&Dsf/FA/ jѪb:˃ 'V=]ipE+UY3NFAx ~CPj>xIqh@6 ,lqW >%q`XKD]EAM= t\W |VW*ZEv/0$D'77: >3(U/;Y+(|1vI@G*'R!GcKB~F{L2&S׈An 1= -'NK tG"U.:݅:x, :,Qӷs@V*h. 2rOl5sG~](ϙʀ6ʤ\n+v{u TeFAȞ LM߇r=X!gMh3QZnrYÜ+m_VZgx0FAΩF 9S#z*RbuFdТ_s+j)=)71QVK"Paul Querna `! @g uBrXƤK_㏒7Kg6_pk8ߓFAz 'F$Z;Iz^@   uBr;]^10n^f׏r Sf{NLAMB FWXHZT aDvh]KJ6Q`az{Y` -Qe6Թ* My *Al 1= .C{).@Ƞ. 
5.ea1,A[XcN:y7qk?6nzt jZ=J XؒD*؞BLX{4D5 _ZRP}򱜲v`MFAȡ LM߇!D(ӿW2 [FKp2;*Ѷ"FAΩJ 9S#z* @ Դwb# ['O云$!֟ޫ Paul Querna ^@bt  uBrXل{5+Q8:gb:*-BMX2<^)xFA asR+zlVAŰ^sX{6n ZShj(&Z(EFA; fc&P9b踁#!#rŰhzzsՂǃ P{FA 0yr)xP>mdTn pwE7x:hn@Jo}xFA [OShۑ>ÓĎ Ň-1tҧ%~- Fdf\j"7͞@ĸ圷G-z<*ce } |AWw1Cr3#ޓɹj,JwЈFAȢ LM߇:M&MZ}v{؈pxIij+{N暑FAΩJ 9S#z*aD~B uӽM.D._ݷ$Ĵ Paul Querna ^@b  uBrE:eQ83 3x!Ρz O6eN1MN5QW[ FA asR]+ڶ1j&j6B4dp&#v9f~ї]FA; fcuuIҶKH9+q,]rl5F!Y|AFA 0yr)Зrn8 $ Om JJ($2 sFA [O _L^]zV<^(`+p le)YvKFAX Ց皲.7ei #[j"^!`+&H[mY(ZzFAK ݺd,1-/&7G8ϓCP>]E xxygtngFAK P0-h.g^ OJML\HqOט5ۓ.;BMFA/ jѪbR@+tk\j}lr ɌFAx ~CPD݂)l\S‰؃"|~ƒ%∜AMB i\ypau1-zk$xz+̄tx46ꄇM _S`%0:S(OsxG!An 1= ͹q%9:Kz(rZ< SSyB<⮣Fݓ!C/E eVNëQHRѪ@a*zkFAȢ LM߇锻xdq&&KQx-[?{H{Sqԭ4:FAΩJ 9S#z*UC1Ǿpk>u >B#6C7%\( @ C,&ՐĽ>!6"i `\XOڸ7J9 `EO UHh&4ScȆ@Jr{,2@boMv210z${?#ʼ:f?hU=27m9rA)=P&S,j;-KEڠE੥Q2~sBjOL2'mOdpa 8fR/m$jB*JZ6T jB:eW»ȅb9T^L:K>ZJ8frVom]O=6ЀeBȆ&f <[UNCN^KWb`C.0 0 8yꖺT~ _ظH#Z:'"Gzg^M!AnWM`,]>ZQ̢xJJ[+]2BMh-H2 FAI @  uBrKڟ+7@ m+Ge=T_ޙB_g F!uL-Ԑ.=włvO$i]IG a Y=:vaYy(4b%n E={eQTح>?Gf&f7.bq=Owь쉩$90jiA4SZDLe.k*" z@B]+#U|";NЙkP3]E| 1·8c X H Z<c3 w==X+MϞ؉ %]NQnKJU )#@9*]1ئl;l/d +~jJʺz"$h߽5*:h*u2 yI qj1O1Ŗϥ1G N'C#Colm MacCarthaigh ^C   uʢ7PӲGfj@U{"\@߁Prі< zYFC Q ȃC0Ȣ@|F['Sʊ[$c}VJTFC \7xȓ~ @@#g@Q^ǒLx~?FC$ ML?~h6Ud XyZO^B_  uʢ7PCapIJf@q dm 'mz<FB i9t~!\̢;p}zU{k(kQxS #FBL A WIkfG7M>B1ۡP;6awFBߒ fc6MME6Tbxիa ;$1(D;(v辈FBw vԆ/'?1pVKbE9EYyyP*R?NUFB 4BF8:!;.|>Cp?D04v%$FB aj.3>Nl:7 @,<8Kۏ]5:z,$YވFBe @)$a6(ۣ&"R>{'Q㾫u0˸^وFC S ȃC0Ȣ\$s|liiܶб ߙĘGѥuՈFB޵) )C$?<6iI \)G-m LԈ2JʈFB6 Z_kr} ]b<]HXUczr 뗽B|"ψBެ 1= *1!TBx"IH~7#GEQKMْ8Ph`]]HiXj#}3j"0#V>,0=n.rmf?]r}N:9q饴YYSz v 3CS&By 7_e!ʪެ >Gu~3w>t!-DZ=e$߱a+AVo^6AGrd.Y>pQl+QwvcMFZFBm2 ݺd,1-/zg+8/[$kr=ɑ-[:+% /VшFB ɵt߄tL(#NSwS38ټT҈FB 7ZLտV}RӠ-Jb$ m -GƙK.tFB [OSYhHQ } h[U> (׊"ӈFBb m1\1 !X(8`(PД4/Lp=FBZ .I~ҁF ݊6r)=IB_Ky$-iաh-IeFBN m :@X7q}lw6̆kohu&YˠiMQ ޙhpFB 2NA"+oG#eNΒrZޕjbu LR!eFB Ry/x ٔĂal~Zs/%pn |ƊTFB ks*b?r<4+|}d׺:isJLճ1 grFB晨 hv)g!>= kYG @2J$QIN"õFBa nuRCpK_Fd˥ *gr/,8;;ZIĦQ|FC \7xȓ 0`-̑>uBd};QN۬*"BVu?ۍkFC$ 
ML?~Iƈo)FzcR$H;%>fX׈FC$$ kdj>EVl,Cl$]ǎ0DkzFC%W =rEžʺHb=O$]*TAbbSE5h/Colm MacCarthaigh ^C U  uʢ7PvMYMKSk%ϜEHş|mn7uFC \7xȓ0r4QՃ1)C*mF\esFC$ ML?~J4 v5c@OpQrp>շ'xFC$! kdjXke x`V'UGwQԈFC%V =rEžX/ iu$zҐ$pt~S21ׂ}2 qPkhI B}=%!x`p`ïCi 'nrC B;JǝWTHMOd"A 6K4aa3 몏\hI>#5d)'aߙJϹ η6V9/4WeyoF^>ZmUXNmMCֱ/O^Ȉ ( %K:B_f$gp7G@sF&98KO:0fFCHԨ2i2Yvj^@3J .g nn^6@|b4Dޢ}W~-[j]qL[vq8;{IU=%ElXsgKԥTs=nH3_Y>~=Hv] t)/sipR!Q3hCŊ |J[=\ N '^%S`!aD.<}K-1'9DF޻!DqY)ڥ1dDx_(juňI B} uʢ7PM; 羟b> E*2LD۹3 dZ| "C? e[z_Aϟ-4hy4429gyc%2X`WY(HqE:f+r{YnY tfW}tA}JC9 -2Itv߿=l𐯲aA=P3kp *m:-_Gv*];c n+-̝׈>?5lsdgޏٙ>2AgizmUn $,P.e )+eqT T)@7C' ޞ!rajYr֬'MA_cU_ 9ŴW0W5.mu(KUȹsV2jRF1X):+Ik;LФ FʒV"Ruediger Pluem ^J    L(1=:Xy1xhy5KOƖIUve+z-[TFFD6 8M5B:Jjm\ )/}E?my?9ދD8` 7_e!7}՜$Y+3T@.?ޔ3$AVۣsq7/S\3sfp~B8gU9uj3 5xz+(xM$-+1Ks*p* ۽FD8R 26BK O Lwy rB!XWYߵ4R$jir>FDq 53Pa'uvl !*Gu( ];hXj[ƹE>mFD 3Nu1=Ij5rjرEKRLiG). uFD 7@3.cӢ^(*䭇Œ͛Q~uݷ{uR(r v '+J6(*{eњ RTXFF=V .FtJ#]B Y8F {"V PH2FF> T" ,t\ݶrQm_9s~VCdKK4eefDi@=FFF> >*o_)$*pMpw-JST v+lFO#4ʉٖFF=W `L_[4 *Cuι2>eC o'va UFF= rCXń$IgD]7TWpӘ5ed$s Tn?XFF>  ~lvڱ,B^' Ex,|72:}" $cFF= Ԫbr0ޫI -]V >K*7}ߪIˆFF8b s݌S55K&2Q|jjKD}^ 3?n8rFFFF Z_kr rY2xHj xNO^t6~ \ &_p~Јq1FHa*Henning Schmiedehausen 2NA"+{lƷD*MAѾrc8o3ЈFF@ m :@X7aMr:99 feV 7 îOCFUhMUiECFFLD= !#kr!g<I'BiQչ<'v-FFL| E &b5aBTQ8FT!to=Q ݊X򢩇FFR1 ވjZ-e1q'5ghv+a|"i:_FFRn 2;_l3(\ڰɆQql""KLFFRn ˮ9lL{YڞnI\VXAPGn8+0oIIϔ;iFSʤ Sander Temme "Sander Temme Sander Temme @)$z Uf%Dܜ@bX5W]os 06FF^c Ѫ`<r'\$W;X|Ggѵނ)+Uoa^5FFJ\ 9QL#@F~(t_ uZXF%[\`geFF 3g3^RGl;NM6Y)9 rHù1#ДYFG, )C$?<1+UqN%ؐ\7%U^n:p7\#yN&Oޑk+G&$https://www.cacert.org/cps.php#p5.2 XOMī9;xSktuTRzw*4 [aQ"IFG 8Kn,[g*6 MeYX|p[>0BK FG ࡛`|oTow0u 4uB0C‚z(`w!GMi 1= Wa4`U [x?VZy"]LgkP* 2b6JliD0ـ!:YgEOޱ4Q +STJvi8(=fjTgc q;+TC#`FGi uBr g؁"QÏUvDqEk|A.wӡ1FGN o!ЧFçXsskzk)լ8FG / 1QIm[`Ⅲ  g*BEQq0aHyJim Jagielski Jim Jagielski Jim Jagielski "Jim Jagielski :`uIz6w ?&(u@]Nf]fFH> hLvWs2ވFTn:U爸`_pP/q+zGeFH ހV)@rE W'RYdDot B!@.܋.ބH eP\ftd˄NƑSFgJgH74o2;YRܓic;p-DazZMQ m^f hJӒˎed/^ݼIML0m7FQpm'I5Tk*{|n%Oi~<ʼhz~Pys:sPJJJCFHM 
a"`{ uG.0I"Pj@[ATm|2<-(h4r2H d+Bernd Fondermann (ASF) Sm KTdIu+~FQ yc=;yX}LxByy`?nmrCPv)xJt4em z4Kw3D'zh78<>wkC SLc ":%~k2mO;4V`BNLD%34V\mZPpR ⡃tE^q-/,ة&IR:=TܖH3 xK7:D;-f8B-v wKyZ_BNSǯaG(#h1\Փ2|٫v .Vx;LN mG_n_H$1B ӚLxF]:: bf/ Ɍ@ZIQ# GqFC? L(1=3!%FK_1dGB`^ݢ jAc64B`ڹ J v3zK2[($F}Q3q &s}lW. lFhVLIqPAjE֓Lf.C;7} (ήu{s [޻-%خpTQC}X7ǸdE } }NVڿ5XI$ƽ}G?f"_' ,>+)K &$ 9{G]d20&hUs$qϱCB .[_ ?GJI_>(第cf0Nj hUk+x]c!ʲg]72n^Ɠ@QG|p|pyF?n>f97 nEƒJQL@|:F19do2xaI!Kw@v?=[;:gD^S ۃ17=S3d N>6_4wRErˁP'\~φY/ԉOXrr?>Zk;qm/<9))_yL2oG[O+ySv_Eٱ>]CS]B@EV}!3tw+Ka+ 䚳3J|@ girn~e90I&0<9&p$}綄Y.iqк!;5?SI J!= L(1=1Yo3ql4dV+AAtO#u(v NO]>`·74,pH2ɧ.,qtMA4*T>;*::7ImC{ _K>ȺVAO.'YѽF%IEW I eIM\+CpąCxh̓o9¤5T{25e{6˦3+"^F_ht3+qo~듴& > C .wmEȍ{u 5VX42l #ܷ #0+Q+l.3FA7coU)Q:. 5PtraщL*Ul9iHỴR(ׄrq ?Nx7h=Lg>;&Xo;R:9Maxime Petazzoni (Bulix.org) g' AS B { 7\=j*[; ǡ # jr%Eif嶀K5L Bcv uBrH `"|Jf%6z.]*ܲFB \7xȓ>M 2](cɿyIx@V\YѧL BĊ ItHS x$+e+":)Ije!, D;rcL BVD m :@X7e36mSwٱճUF? <(~oL CH =OSdv|=}6z*}_1te oȓL CG KsVA9\=da(Ϳ n &>|yWuÏdB= V7nFCL [A1HmHSISpjRt>ΥxqX,Maxime Petazzoni (Bulix.org) d$ AW B { $r"2wKZ嗃P*guvZx%Ԅj˅۫SFAn  5PdaV1Zև:P' 8gm:^K-HL A$E/ 05OR3orYXIRO=w;zK62\ߧa4vF^A  { <p' 4++x {S'3T" L A _Mն4a=~[q-GT֜(l,D|XRJiNFBB) N U/ndKJڿ4ϸ~r-D#gL B$wj S0KEW%-c,A `IRİPB EUFB [Odr"04н%>5Q >!p*>[NƞL Bcv uBrUmYrFc} @qy֯օ'o"m~Qk_FB \7xȓT U#[pmjh^)]t<;ވL BĊ ItHp_R4j.CrcATw$ϱe40]u L BVD m :@X7> }X%^Mm:~`74<[)bl몰RL CH =OSdK}"& 5ŚRŠRAˤ([NNEr8=pL CG KsVAPUį72?;I#r lP;ɌJttFCL [cHޢ&u NXn|TjëV0l?Maxime Petazzoni (Nova-mag.org) d0$A`0 This email no longer exists { 5g-^Q[׺a {7<8m}Q gp  L A _Mն4P)~/ nAۅS#i= g0m]큲7^?w  { 3HV2L{;@8(\(惷Ɗ4ĦpFAn  5Pda!u#?TbvFTGgj98xWL A$E/ 05ORnX]vUGǾBc#ܱ0Q:}0ˆd$ AW B { EŤ&}GN/m\è@gz9=G2Maxime Petazzoni (Nova-mag.org) d0$A`? This email no longer exists { $ M'uìl;%{\ua(B2jF? u9iDZ^DO_`习!22tCn CT͈Y>`  { \U>nR詹Tfj'..gЍy]܂F@Pi 0"fgSfo ˢ Zx=GH+{p?F? [T{<~pt"k C]i*qog>F?}a _Hi `֓HG4Mse\AQWi~0\r0ԕÈF? 
p=v-cM0sz d$B B  { ՔrY`Kz v(W<6+D5*9eD],7eL CH =OSdS|>(;pkk$؆Lma]lK\HFI L CG KsVAi Ƹ럺,Z/boK.M:"+[3k1+b/++ >a:h]{yr-yM~'1]KgC \\gE=TK+\ yԿDFoL=&]k@@Zl}`"QsxzZK.dz^]O6anl/~6gbkPw { DCNzB&)k9i~\2#QxG%jʵp̃[ 꾪˻F\գIF>a { O) K >lo'ue␴!9 8OJi#ݤl:юhTe@\)4go+t*2r3^چD!~p瀆bB ͋pJ6Q/b DBdkn)D%)_{zeD\S@g.R Xa-ټ8k'gp7vRh'oR+6VtiK+sm\g=mWړ %Ne~Iw>tUR@,#qSĐ#q 7zw=eIׯAֹzi O@J8;D[{Nick Kew W9   m :@X7irYj :Nf͖^D>AMv|/mxoS?€ 7_e!>ޛˀd(_fȗꌼ|+xP2qt";9@pxmJ*],IX2fA(ȴ&wkÑG78N=_y #4F?iu 2å>Wܞ/p񉭚1:Ks5OP*J*Vrmhώ6#F?a \7xȓ_%Os9oz~2;e*C&"798U[,L{NF?DZ' t9Gv0w֗`'(EuW퉜'M(*8!3F?Ç <&+P2; HpC(5%3/&%`{/]F?h =ceIf-?%O7sܜЈj*qwξ*F?d  у OO&oNxpSq;{udnr/'w&9`EGgFd޶Bx;s 93G/Ÿ w[0&ͧҬ .Z٪O﬏rZ{F?H LM+GK}n)(s+,=[i^$DPqE`2F? IƝx% ƴ3̴sk9VP̘qE]D ԈF?ϰ +KB۔`ύuH7˂07U~4AD(WdVF?M $RLeLexXEܐ2 n')ȷwpF?P !0 ֗Y1i$DZ KAϡͥ5rk)y\Gف7EYײF? hZwVU!#24_7L/Q;£F? .I~d*r n -74Vh*S0{'$Yݓv"W3F?ˋ  ZEܡVڮQWpW׻@s$j0um\תF?_ d٭=\]{ UHtlN1;}Z< =\?ot >ApAq 14r/d-6 9fۓ!N`}u(N =*֗& \_6-!B7Pchl j,(@%{kZɷ} !~f`siF@U UEV|γ T}rw91CζW f&F@0G .ЀiFc">p]Oo' ,p--q`,Ԅ'0aF@ ?uvncc%F=4CFSez6, 5Q|S.?@_SZ̲Fl}3z!px! 
]'H\FA [O:R3Rf&ޤk2]F?Y LFbn_PE:f0}1p`/J)g1;f`FBӠ i9t~ /ʸ]ӎal L߽aK8u(\5UFBE A WI||cZګtu:)F8*j<K 3ǻMLq.mFB߆ c:W| AB{ż3f9xR\덯gW3oxKJFzFBߒW fcfjJȍQh8M[nV¨:0*3CFB vԆD|V9qۄCuIIRqbCm*֕,(f80FB㥆 4BhL2-vw؂6BD0 RhBN>ˆFBb aj.3>N'Ә-6oѯ0un?`:ZQZYFBަW )C$?||"3pFBm 66j7[NIZ;߷"6ၦwwCMS?RBkN}yD 6FBԎ 9"asv9dۖ#_[C!3x%`ZQ) FBl^ P0-h"jc0z~C#fy}O{/r KAFBl` ݺd,1-/W^ b _mDp ipFB ɵt uIͯ: |0}!*70QTFB 7ZTK=XcǩxRDXfud΅sPnoƬā܈FBa m1\1 'h5v߄:/"|eU9yw"FBU3 .I~XYM1a2@,UyQqV{y0ǙʝAb$MFBd uʢ7P݊2~) Y:~LtMg^X-d0kFBe ˂`ߓWM홧xJ\>΃94" +1f00FB 2NA"+Qq86eR+=FlcbcÂ+}z_uDٞFBx Ry/x§Z|g&VNFȆz &<ݒ-N,+ySvIFBr ks*b?rY`K;u%Bi駚R_c lt3FB` nuRCwwlZ{sSd}jKJ]"LjBެ5 1= F`^P ^4(o0k nƯ}Z4ߖ4Av={-Wo/B# @.P\ ;节ews_OoS_&Gjx6^92r/qq.VABl\ BH8ߔv}ew;FEL~>{G(%* vKGU^O]ȉB: \23e8I܈-㜒MYc [a.w c\ &>pb]>;xxplOaRfo !'-p['-~ o#KǚlI`sa;?(ֈІ҈FB8 ~6LI0ZQu;ܖݿ] uQ~*Bɲvq]R!EB5 Z_krJ ڝVΥ Th!k3$e xdu^?+ʬJ%QA09-1{OtꋗR0v Z}5)S<1n&p jDE/ȭzUhdT\y|rul+"`46uśs,zT)R>^~N {F#Sg<*쀣%Q4SN|xve oq,8{3nx%ޚ F Qž(T;φ3g([QmsZ{bN'sNpfdWHr VքS+ۀ9JhyJmdϙ6kζЂ:}04{#K4aԓm^<םz/NEb ?# [Y 5'N8H;:Sander Temme FJ @)$%) >.?L/vO?:j֨"K= 8s&'"tzhz =סp] {y )'=J,EwTRP j!]8AcRO)9ҽp|l.ԯ4,]r Itqah8'AG_`-_> hznBae&y ::?)8 '3C)M 3$*(]4`Ru8AqTgjgάP71@8y9$]uA<[T[eTRke 0?s q  K%F/ 1|mל֬4/IN+biA`F?eDB@strIs< ِ12O \H< ~FAeXCB呒Ϊ+#>gC>v ޮё7#a7'XWz7w ֎m^w-2ΣO<vT>ǹ,2p"h:Y)f5b%g3y,J؎,*K5 NAK}'$NTFGƙgӏmYI#MY=$nFhޟ9mHs-g5=f1$]@ܵ[XZq)r,|@KēY2c'0*L.? P] CVPk]:27 d6<VT&p>9&n ɵ\M}mR.<%'KyNF%Ku0 K(uBQ7oPlɻ.`"fGjn {[!ƅwMr_Ht%ov79:6f&Lt͏_=?Z{tߑV-j4|Y!'GYFszw4㺾ვQ*||95YQ3\-}HmO~B(p\B[RX )B#!5,%\gGcZۼwB (薔sƳ;"g&كt81_yځJS tQy4}uiO1IQܲ,: ˜` =ְ̛~1Q4Al) QHd"f/ҀT[dl z^?RHLk`"jĖߙ-c;5]=.Y7W#/ی?Ha"6K[}JY `׈C("FÌXGA7NLJ1s-A_25lk&SGm#sy,? 
QyEfXե}߶97mpmYj oRoΩXdvqe;[%5Q(?ȗ=Z lKS?N%w`ŕ>c V[)sL}jɽΐp>.UI'Dm"-!yv- W|- @22JPge:%5>lx/} KJ.u`Oeήo6KiYZ.c `oVJp9w$)לqpS-n"+ z̲NBcP'b)a@t[Uqzj@$)7_kikq=f@Tc3=_r0ĵ=r^i w\s#3qg]K;mQom OW8~[r*֑Aέ4ٔm#v u0]=i&P"A= "aAwtM}ȴӷEE9zÕQ Mlτ/@ K_eL S=]{ZC?pCf볽J{(/2{yJdk>_ }?~hzM})S]H`b#>OumոSmUw1%6tHҗDAaHqe`UӤ,NV w$<}XZ)7G%p`iq-:KoQm t sm)T6P1 2μ-!T,|=N1SN];aej\RA,ZӔ U./#hQ/_Z{|nѨC BďF5S=/d2e0FG~ f  z2 wdMke2"˱Os[I+G{TLY ov.ζ|\\ O 5t9ߗ M=841"<؄ɵv]q󶒵b>Z`yx>I]TbUߔSkJ}mE ˉ Lv 6$C_4XmR_SmûA)9VshCgJNj3jb@S(-=C8fXU$A'4_mǪЁp-6ͺ"%Oq/ȯlK耿hйj7m_](|6uTLeH_Pl,d.^s Q2 2Xs 9cMrb}wC0+0g gpuF+},PJ>vK*v#3:vx1n0̺s~4 O1G+󗓬#mwŸXsIF-d/6: }g[+8CZ3VѠ,< D\[;5{NC$%A8ݑ&_JX8&mlHryD^2t,Ѯ7Ji0$%slQrd` ,%FeHϸvRsJ.KO}}~FL. Hwf"u}o |Qc mR$Bn4t.bU\TM*u5LR.Jean-Sebastien Delfino }->y_֔y[|ʐ ԑGRA@_P/w  LҴCJim Jagielski Jim Jagielski Jim Jagielski "Jim Jagielski :`uY[bB383&@={tԓ9fTYW] LҴ xmYTT>EG{Չ1HB&RuXO JJϖ}"pp#Q,<+ rQ1#M!`93;g\g$a<%,>/̢g#!f &;>dܝT-qS[(HzdZGouJtR0hvTTxp iOt.-!Oʊ O-e'/8"/d<-PJ'4mDi6iՓrcI% 5P,AvGE)4$5Μ6tAlC}gd9nmၬI,Ao3 @J?NRELpK+hU;]Nz8tC**}:ݤL>06o <ܝrR k%Ӫg5\{!OsΎxWIN'>swj @= 2 }o ML ?Rz3y:djImKЭd׭\dFZX0KSc\ie-~mmۿgEkzr~a|JE74XBuDKr G(GS~|owUc'䓚Ej5?%t,\IR&൜s&ۂu25x)L/ףQ)z^K}p,'_.ja)|H#i\֥s\l *ݪfo?2Zg[?/s b#9*oE!]j fC6JӡnEU)B^M P(#AG訕W o0"O'.R<Lͩ5Thomas Dudziak (CODE SIGNING KEY) MMʨ,{Y!(FH b/=ɴ{O o ip@e,9ɁHukp US:"6MZ[v6x~#ۅ] O^{R62V-U15z}Y.hyTdD(.J$l|&X 4Z3-0"Bڃhg:Yky歬Rî*@䧽1z+xF6e~a&э2$KmPBB6GE_ny_X,C'*MD/Y,`.[{clu! Y[Fui+Ik/6yH? b ZS>]uϜ|p7Pw5Q qbPS]? 
N7R> ݚat1dzpGc H_mh:v2xdSŢ_Ri8BY(ZDLҸ=Antoine Levy-Lambert (CODE SIGNING KEY) ^5~ܡ+D&:oߐw yV{YU&Xh2wbщ~bVl.U'exp~{\,B1J[cDX:2Up)K` h5Sd^frfEVY^%fm$%y }2,h{5 am=ք|u)3p`ǿqRjK ^qkt%^=*UBxàc~o̐gwܳS0 S|_d(Xoǀ6huI ݆0Sؠ~ y3 #* cGW1hηvtY>#O|%A{aWO2OE7 ?O~9.W(qb7$և0%ћv-%.kH/,;avK9vB@Sw]GLѫ@Joseph Edward Bergmark (CODE SIGNING KEY) ّ|@7i_AQBNMIy?_P;Pc~x;6Ͻ,ߏЯ"G@s+t΋_~I>f%93"]JCd4RDXJw_du2t 8k6^FEwtH'-5o|/ΒL{;H+1@ Pf~D-(}LҴ)5Jim Jagielski (Release Signing Key) Jim Jagielski Jim Jagielski 4vyc$KM?h.,ƽh 8Xx8ѕBAiq];O]Ki%4>E\ Oa/u1u noCYHu'Md2Ҫoo I`UKOHS5/%符iGfbSff-" WUF&y%_`#Ͼpv54,JDc.kh^/e2XlX޿ExZe*jUAG HFQ3]1I쥭q=1k|ɯ4,!|~$hTOˉNh c=ˮk C[f}nfUJũz 6)<*ND SNn'QEU-&H&^+@`9k43 >0s8ǯo}Ev!Y߂,==;6Af 3YD GI7pmrLV8@Gs|P*_ ]k-90XN_Z V5*vgem [2-{L]+1N'Vf~|CTLA*:ٙ*IqV':lφn6>Cԛ44dj;*zZ6 /+ZF&Y"Y!Z!PPS]J+_KESl4pZ^`OΪxBu<_=V4v6io%T¤y3yySo=s^{ IJd] ĴZ-G`=HWDg6;x%'{Y yeޯ(T=N| %fg|[&|x\?  v4h./\^-׳3p~MF͛` s0=xCM~ϭU_tjp2T#4;_9,D<׽o~ o֢}t3TpQp6FtLGD(ln Jh_INR MAEYrޔrIo $Rt+{ 3 fG7s3S ,\ٲZU**x.ڔXBѠ*8:YFx}TߗRKBV[/XDzӔ"՞MoxQLwŽ"g'ʡ1SRY'E%DhoWnvsew_Ҥ52Մ dPxN\\͏c3v҉C-vⵑ{M0 @:`v)$h4b[D=ˆ4@Y3|i&O-T5w(YIUW]!nzJW)W@R{=[…L&=P7\h.D pjRhK3Uc!3]3^_1S7GPh)"c/ MW&.'xCf% !! V&2ly$ .:4B 0 X}Vqcksx=ړ'py TN~ Q*#,hS}('pd<61n+j IF's~8ZdYb5 dM/1c̻AT1b9~b8'Aɴ0XÒuJݾZ-W[ƴFp+Jwb}A3b(dB~_=ъtEx46B`?Gڃ疫Sg3N?_x3$,ߠ7MH8ՌQxS?Q2W[TH09@p w5+b/v kAK _ɋ0Ȏ" cVnj*`&6A S!gb\Β1ީ&M`@2L^gH`*#{ՖI"sYQѤևqt꽨qTLFU ߓ`e%HO |7X[;n WTzS8Ӳ57j&eDmLYcT>flj Nd N #F XE |CH 3Y%t\&U csq5i&Kvy[.?}n }mm+ua>Hci/oDإ"vk`6ht [W+PʬoQ[0 >@&T3-+n%O)Sʿ`M* Lo8k OC%ps.2/4qM=1 ;9],/PG@ZR>IuWD̼,v:* !&HrTP,n"-3-ijj{Ds_1LΟ:=>V9]G2pz0֡cs^񘩱Ъʛ'&btR5QVGv 7xQaPUtyLJ KWeb΁?4ªZ[ghnRD7cM|ojDEx/^%mܾ C&[d~7ޚswKR Nŗ@ T=w9I(t<f~@>9¡_V4 FSaɠH!Y}Wdɑ#R wf\j88Y2^9iFUi()^%gPyROjɊu+-W'l-`</ R?{,$ޥ[7lE'rP[oQ}u3:`y{)Y{!xNd8}? 4Fuf]?pl8K҂di_V POLV)1ve$xgAiUeScJ ""mϓWl t,en*Ǎ]BQǡ eāUq~FR5[G?|5j.?xq4TD_c١f 8˫e 'ǝ"8w`=L1fRb> VeZFDwtT?@OR N͗ OH5R~DOJ& 7WIRC! 
!o_psV[GyoNjZo[**H6G.ѶI{՚+-Ro7n ߓXRf~ڑ<`NDȲέUo*'`_nфwiT`؇dUg Yt; V͜ }NЮZS\A^ ~|\w,/K/5nТ&WYߪݴy z`vψ " j90ѦѸaAz;OF9 +Q;6n$Gk jB$^\YX*/4L%@:j5 Ï]S&;EuTgpK 7Y#'u@{N;Q\0e^c/!K#[͏'Hb_HGI$g hya9c/CCwzPƕU5hVUɈwFۈx!=P.Og;/kq"Sꈱ*{W@E?CN^ Ƈ_5AF'BPvbvBma%"}/y^sKҊRśE&g0~k:ZJ0%;D(a_b\rp'8rg"ԭ]0sB20`7#09~ PzW"O,|{8 y#!q:6*Ce؛`"@`dȒuk*S3Dx1}*PFv>.ƺ 3,׫S\moܼP 8#UﭭM @^*R .{ɞCz'6ziZ'aj/^V*9BzJQ"8v+VkF؞2oHhLaCk^Fm G?ٌ^*DIV0rv =ZCr6 }bB|U};Z߆t}Wv.** „n%T/t[0%%q3<@*   Q G 0 c6*- u|;Wz)rV(z#R$S 'ܡ#i%2p(Hn걶\-4` ɨfM9̟,o&Tmroī>@0zİXFP ihrEk6L!ܯ7ʾ&cȮp pVsd==F՚V.G#3K3kfvQwF<R92kOU0Q_Sc$AU`>*கE*"K%GﶤEZ$D Zn}[*NZg n(e(̵hqoy&-%뛮ϿCF\2 F7gCDo_9[2Trbe ݧ)Mɽ ]G΋ 2eBSmn$ω@*    J&n c,wl'CPdt8$ D#}ɑ ȁBaCj,AXniŸnR͊3TԡUaG bt~O"2sL̄ڿ,pCq?|&1g#04?}EAT 2%Q߭A1B"*-gzDj]4U;Cd8eb `!N]/Irlk2cک@L!{SwVagq340J)قHfcVq T7PBڮS%mﲧ/TXg0 ݷtSander Temme FJ @)$$Rj5ͦ˨Kv_p"Qղ)O3PqgQͨÉK= 8s&'" lmً1? ɫ‷ X@ߢx˜5=jV-6&E2aL,7`Gzh2y2t[^Df:NaV\+E1Um+9Y[;0tftE2;PxS ;X̨]$VNaƑp)}(+S >LP~GV m"SR&q0V?A{/GF 9GeO>(%l4]zQgyaX d0wؕ܉j%@5BA90+Fj3>ê2,Jk\>ץr`Qₑ'ZT~ ַMbzUswA۬b\xF yKR{5B"fx7fem٩Wim5 P\U;%^ ie0-vj&ԬoM2\! ȉ K%F0 1|m,GkNa}nVTRҴ#(rSVeq,nQiTEM0u^^o.hw5)M!5 ۰щƾc'נ5 㼹S<4b磓雼 ƶ#-m9ŗ;0OwHj>{yuGJ#ڃ'=U軬) > [߈.!eՐ@bp{< "%CI1 `LVY5Mdj]*#l?Pu6:?E6wv@DwXj6g딖A'Bgժ!>baaպ 9-e~'KM.y/.6jP^ +j8zQ!tp0ÉK5 NAGHQX`l`T 8U c_d-?yϖcFzk̎V!WR}Bie?QʎSozHDwZE o-f?!:R_qŰ@+ -ѻǾĵ`"m\h%p& HZWf8gJ7A\ODd L*M#hq5|gx[}qܦMiH S Mt ֲ%㬚skcp=zC#mvCFh:, g FM5=-1l+Q Dz"9  ֚ =11p$E[b u vf|ȢvF 4-4p>n'c|?gd|2ʽOĆَ,0Rtߟ裐e ET>|/|J^0i _N}_XDu%1.j lG GC2.`3I$-|x\dcQDA#$uRy7bK:(lf9 <4(><_%T`N_0GmwV87BŖFxXu/9'ʺ.m9gcd/ ]Nֺ]bbDDϹ]č:jLP,CLT*%[.j\bH 5Üp6Q #,D|8mILi˷V >?/@p=4gnJ;(O O8գ\+RUbSR,E)x|>+ xU7)Kt/ՒtFxxxBEAA}T=. fW>?sh5f|4ĕ.*hPT/Ty4)K_4D$%^xaF4h%U i $-S *su,NebfFK{g  NH=L՝܀D&KD) b%bK_e ? ]w9 Q-Q3տ_+, {-/N*,H6+bHm5 [&XPl(C.XT# S)#8bkuKBƦR%dh@Zq&N"5<#dz_~y32 6K'qyRhgjLkbI-CI8 1$ɖ,XlxNdkfP0Y.(nx37_E_i;8Om]tҵ\3>ˇCKZdO61E/7j4'\8twI1>>͒܁V \vr 0U: o#󛒫M. R'8OS6>Y#ʩcx}[qoMZ"1EGAM&622Wd6;t\-+ΰB_Wr5R?vw nR.L\ +T` 4оZ'7'K_u4 Uk? 
tRL VsZ/E"[{KK-Puz_SY)+ŸgI,`rIب\pglعGd$|@wml/'*/״LEQ~oBf{&WQ%vB41Fsv\|J|SxH`Zth8.z^gCd K"ݔbNi1GqIZB\u=`Ddw {Iz@ՌMkg:|WvqFX IQqv2=E4Y:%5+\̳г Xh\]rfmDerK@)&%f<>cMx3w} NJi 3خI}Ugo߼Sc |a@sg溭<;ǨYBN6yx1QݵӐfuhbweT0@.l%XV#VkuPZD| vU]{ zbq9usTWY%+ K_eL S=]{ZbӫKdV'yBB8#V!zS^k`Rj6$^|c}p&O XPkQS&|ң-c$k&]6gD`w2΁G<0wvk4~){PR,`+ K{!3 :6*m+ZtfRd&;{.^=E 3E- AK 5 V[L%꫆Bp;cΔzufe[GB$\W}y#W,P ,v0AY?S䶊d5t3maVl>4|9N,:Go|l(nR(&aT uk=?©vPin%bp1abYwsb@z,[)(ZFJ-=,V ]Y GfC*څ8*K mKI#~MR̟TeﬖAoً޹ֈ^"lT!+À@!}H̷H'DtMC.w̸]c|#frrQMR`WHU=aԴʝOu#bQ'I,McLF3#fA>);4]a ~^w?sou6n/曶`./]IIoI<3{~_N+SpkVB ƚm)/F )^:5呶؈FL. Hwf_ ya_{$GO3yXW)qLVgז|i5u5LR.Jean-Sebastien Delfino }->y_֔y[|ʐ ԑGRA@_P/w  LҴCJim Jagielski Jim Jagielski Jim Jagielski "Jim Jagielski :`uY[bB383&@={tԓ9fTYW] LҴ xmYT]A3âZz YLC@V'awD:hBRn6Sc~6"}^y(9r+#LhWsD" ΁t~xfZL"i{-pᰌ8/--/Z(Ex𥋂w&Q7 Q0yëXϔ˺H`jhmeߙl ښ䘡DB0(űiP=23Z5P}_ f6 Jc'$l|c<)DLJev&< ?c]RȚ*>%i1^U;˭q}jߴ T"T:_G3yc>b@c*49Z%(9l ^)O5iu6f3, چh"BJS#CwlS<x~a,]ig yf7hUٜoFsrU7)!m J͠*TU^\w,E1pT@El^ưP[+ir@ dVѪJ99P޴O|-+DFܘޕOw㡵9\ԇ]񚓑;-)UKW swZNwF8+BcEWVjPfǺ0U~D.G-.@)^0ϗ' :u-{N6%1Ғ&|>z1q(;w jA2gso].)a͔-Nf)By)mU`i"Y[$f:R<Lͩ5Thomas Dudziak (CODE SIGNING KEY) MMʨ,{Y!(FH b/=ɴ{O o ip@e,9ɁHukp US:"6MZ[v6x~#ۅ] O^{R62V-U15z}Y.hyTdD(.J$l|&X 4Z3-0"Bڃhg:Yky歬Rî*@䧽1z+xF6e~a&э2$KmPBB6GE_ny_X,C'*MD/Y,`.[{clu! Y[Fui+Ik/6yH? b ZS>]uϜ|p7Pw5Q qbPS]? 
N7R> ݚat1dzpGc H_mh:v2xdSŢ_Ri8BY(ZDLҸ=Antoine Levy-Lambert (CODE SIGNING KEY) ^5~ܡ+D&:oߐw yV{YU&Xh2wbщ~bVl.U'exp~{\,B1J[cDX:2Up)K` h5Sd^frfEVY^%fm$%y }2,h{5 am=ք|u)3p`ǿqRjK ^qkt%^=*UBxàc~o̐gwܳS0 S|_d(Xoǀ6huI ݆0Sؠ~ y3 #* cGW1hηvtY>#O|%A{aWO2OE7 ?O~9.W(qb7$և0%ћv-%.kH/,;avK9vB@Sw]GLѫ@Joseph Edward Bergmark (CODE SIGNING KEY) ّ|@7i_AQBNMIy?_P;Pc~x;6Ͻ,ߏЯ"G@s+t΋_~I>f%93"]JCd4RDXJw_du2t 8k6^FEwtH'-5o|/ΒL{;H+1@ Pf~D-(}LҴ)5Jim Jagielski (Release Signing Key) Jim Jagielski Jim Jagielski 4vyc$KM?h.,ƽh 8Xx8ѕBAiq];O]Ki%4>E\ Oa/u1u noCYHu'Md2Ҫoo I`UKOHS5/%符iGfbSff-" WUF&y%_`#Ͼpv54,JDc.kh^/e2XlX޿ExZe*jUAG HFQ3u c8Uwmu t=mcߥsk l[^'11z0ڽi~,4ށ6htYzOTO{Հ ὣa_hq™q?D#Zz8 ybE$l?BO WWpqkQ{|خ3]a;0+8 +T.ByJ>pYR) $N>4<ܓ JV""֝N樖^=b`;S[*G^TL|L^z8/}/52d}D]ЊO.. Q.\7@GBV83V;MPPTc#ⲅ\͒lMzhYUo0t^19My tFɞڷK fcY .gnG-74ퟐ.Pb&yHv3%@$IEWYB o`?.[a*|7XD)? `wc_7g[-slFN$R  nN$Q|9]/|!]98fe/b MD<?WFN) 2eUѥ^Z˰JNɜ" ֒h#Dew9FNN />]1IpLyinFc4l:-UV?v;]^L.{Xe ;Lq$8>È]qV+ў8ުiqvn݃7ufiZjgr#*Ii+Z[M\v {5ٷz6s;}jr~|`*1EȔ]1 :ґ:U9X2ve: ;,|\."z vG5d!솣٧w㒀f_?,F[Ί5 c2{\J-u3^>Ɨ EƔtY~OU)CX ey= 0YT1 |kaCc-9fd)?AiT>C:^iWZ!ޔn?oh+.~iNR MAEJw5B3`ziLfIE_|S$(_Jv~/qY2$W-ฎaa9;HbU9t({[Rz~/R<}neÄ\`f˲$\hs}QEDUwCiv盦k}NkPGo;)oՈ[ Q 1//pa3_:4x Jf9ȓ(#P5is3L0+Z"%I &`EAGY ͉Nh c=ˮk*",8%NLm w?ͫu#-U :*aSqP<<~SDGQ{TQtM=#ɽo}o#a+jюw& Equl..>iD-ĄnR(me!Qx%̎wZ OBpk5-EX*-F'K;V33u1(J!L<_ "%j9R1^YC,$T]_tfyCz5nLnZ(:%d zb  ^x,\s?>TeB{3';>@nԔ@ Y2+њVXP92s<̿oG5r(}-&ؑ PVTKѺ"#i -Fe+bӊ=]-uQ4 <qT/L=Y-c;p&rB(^aI鍨M[QD5* `UD1Q6zv̫lK<`< Qaӑ?W,٩fj{2h/#[64YMD4[l15CG*\mAELaH~a6]hR]RGZη(Df`Lق݈3d*qrT7 *ЛvKEvI5 #ZZ2XcE͈\\t" IF%U݈ՃaO%g:vUWzY, _ KR~\hm4)d2Q"|ۡoZBJ* ˀ(`(CBN< Nd N $ yӤ[õa *n)oprTp?8J3h[ t&S}?4Y/WBIZ)>wUps|P]d7M=0k?"ߡgh1ϻL3aaIgYmG,~d7S ֝ >Y0(_og d~7ZŸOg∠mnB$d/' NW^w3t!&dp (:c0wA#<~|OU)BRPMwO|ڠ锪YG@UHPov$ɲ<1**ai뗗h=a&xΥR NbS1GUɏ >#o=@rRdH VlHdQU#%؏>B~F:Ɉ&n+JQNyv'M,&GXLʝ(5N5,bwxX N^ Ƈ_5A4w JcӡO\`SL܋),Fg7AWց/x}Zj>ns ([;V!K8gS,b֔`,"nRrwbqR1J"-D|Yɏaln}}CEr/lAjSfNCP';dzMi$&ى<ŋL$1s_U-ezO.f+ϧ*>7zd7//[]D͝Ad@nWY {TVPLOw&+ ?BM5)ؖZqaGg1fYBJ4 x+7T;+D~v"C#O=%8AZ zc kڹG75b? 
=+c26l?)D/)yi} `|Հ^vDɂft4P h"Rx :8ݻj='   Q N 0 c0qWA)F7Hz_Dх==i=w2^4-uytvY1-O\LX9zm@Syȗg#`#xx4 \n.OAjDzEĻ6HA`@J(wr79ͦ4+(CY*dywW7m |3='J     c*!+ qmg4geL|؞FlIۯ1XWd]kw4! .ԴÎ#{GQqZ9a+SzvW]+%q,U<^[1_eNXc\X3hFQԩ(8"jEVlgc#'ndF* ait*JlQ)]8־S#P,y~05qOSh3x7x?ҳ%pt8Ė8a"hIxkqV˯Ѥ,AI 6Kc|W4ckgKAOY`Xa&$~:X h}+3x\kgǦ/0T3R%%T_3~=wR6!S9|Qc͹2Z0ÍVM"2R=ff( ŌĠv4 6UdVb0!DYYJFIFHH ExifMM*bj(1r2iHHAdobe Photoshop 7.02004:09:28 16:59:59He(& HHJFIFHH Adobe_CMAdobed            eH"?   3!1AQa"q2B#$Rb34rC%Scs5&DTdE£t6UeuF'Vfv7GWgw5!1AQaq"2B#R3$brCScs4%&5DTdEU6teuFVfv'7GWgw ?KsZ@;?n_} XKHw{I蟳C{[|ڊΝk Ox?-n0$cV/>f0.uu=1۷1ze toI].} pp%̨N[U/-44msF;ܨYsɫmo,i:sq]2 I&$2 z]Sn0ev`K1:5uwXp_sZGF˒}VKnI:OiJ^+و7]{CPk=70Ƴ3$VG Hƻ^I˾Z=?[C@m˘nCGVF^;1-D\KSjݝ >9Vs:9߼huonc0HPpu'V:81wUsQ~&^v?~݇YP,zh[y+Pڮl8qy2ׇ4?>}5c4/k1%x_m?vrƩ# @䡖bT5c(xn;9xe%mW@4_$qjCnĵ]] D8~w`ufMtkUzXsCʬ09OmG+5K%.ME؁M] CZ>! !RO |Ak\ck'Dѧ ]]'UA0~5 ?XoƱ~j7}h;v>+ T>ur[Pp.y -<;:# {@!c}U˲m> 0]L"%nU7Kk8t$[c0@ C-eLKSSf;׹@- i+6X ml֍I%:[ 4yV.`vm#B$\NN~--,{u[m§c4[KmwgΟվe~ KvDJnV)FV:y,/WWַp+kCpw]3.k\+K@5Fy8?!)g^*ԩa [Ѓ+d>lvU歴6ډ'hsf<;M΢ֺy%9QTP'!CеdƇ ;k&HyVvI6a=-5R-±.ŸnwTgE/ҋҲ+#и'k]9wjK kvu$lq+kqoೆ,xx'lzz/F 5s)!ѳ||_} A8~no8?hߣ[Sy Jm2W}zS i;6sþԓ/l~a^9d"{uߛ*ћ2MU͟O"Dz-TSsg?/:ID?h?Nʹo{k#1*JPhotoshop 3.08BIM%8BIMHH8BIM&?8BIM 8BIM8BIM 8BIM 8BIM' 8BIMH/fflff/ff2Z5-8BIMp8BIM@@8BIM8BIMUeHNewOrleansSquareHenullboundsObjcRct1Top longLeftlongBtomlongeRghtlongHslicesVlLsObjcslicesliceIDlonggroupIDlongoriginenum ESliceOrigin autoGeneratedTypeenum ESliceTypeImg boundsObjcRct1Top longLeftlongBtomlongeRghtlongHurlTEXTnullTEXTMsgeTEXTaltTagTEXTcellTextIsHTMLboolcellTextTEXT horzAlignenumESliceHorzAligndefault vertAlignenumESliceVertAligndefault bgColorTypeenumESliceBGColorTypeNone topOutsetlong leftOutsetlong bottomOutsetlong rightOutsetlong8BIM8BIM8BIM HeU8 JFIFHH Adobe_CMAdobed            eH"?   
3!1AQa"q2B#$Rb34rC%Scs5&DTdE£t6UeuF'Vfv7GWgw5!1AQaq"2B#R3$brCScs4%&5DTdEU6teuFVfv'7GWgw ?KsZ@;?n_} XKHw{I蟳C{[|ڊΝk Ox?-n0$cV/>f0.uu=1۷1ze toI].} pp%̨N[U/-44msF;ܨYsɫmo,i:sq]2 I&$2 z]Sn0ev`K1:5uwXp_sZGF˒}VKnI:OiJ^+و7]{CPk=70Ƴ3$VG Hƻ^I˾Z=?[C@m˘nCGVF^;1-D\KSjݝ >9Vs:9߼huonc0HPpu'V:81wUsQ~&^v?~݇YP,zh[y+Pڮl8qy2ׇ4?>}5c4/k1%x_m?vrƩ# @䡖bT5c(xn;9xe%mW@4_$qjCnĵ]] D8~w`ufMtkUzXsCʬ09OmG+5K%.ME؁M] CZ>! !RO |Ak\ck'Dѧ ]]'UA0~5 ?XoƱ~j7}h;v>+ T>ur[Pp.y -<;:# {@!c}U˲m> 0]L"%nU7Kk8t$[c0@ C-eLKSSf;׹@- i+6X ml֍I%:[ 4yV.`vm#B$\NN~--,{u[m§c4[KmwgΟվe~ KvDJnV)FV:y,/WWַp+kCpw]3.k\+K@5Fy8?!)g^*ԩa [Ѓ+d>lvU歴6ډ'hsf<;M΢ֺy%9QTP'!CеdƇ ;k&HyVvI6a=-5R-±.ŸnwTgE/ҋҲ+#и'k]9wjK kvu$lq+kqoೆ,xx'lzz/F 5s)!ѳ||_} A8~no8?hߣ[Sy Jm2W}zS i;6sþԓ/l~a^9d"{uߛ*ћ2MU͟O"Dz-TSsg?/:ID?h?Nʹo{k#1*J8BIM!UAdobe PhotoshopAdobe Photoshop 7.08BIMHhttp://ns.adobe.com/xap/1.0/ adobe:docid:photoshop:dabeb716-11a8-11d9-aef9-803fb9f49b6e Adobed@eH      u!"1A2# QBa$3Rqb%C&4r 5'S6DTsEF7Gc(UVWdte)8fu*9:HIJXYZghijvwxyzm!1"AQ2aqB#Rb3 $Cr4%ScD&5T6Ed' sFtUeuV7)(GWf8vgwHXhx9IYiy*:JZjz ?,bq;W3KǓ楦ɻ_3C*dxiiNBP|t1WZ 9<z.$ee,T-R SMF8 G>jL [sp}RSu"z\nٹH1P&O=*ܸh#*-z4DCT_ZץOk#oI5i,>1w:~Uͳ!Xc͈AR$TUrR5""9G:uX6lxL\1pϠϵxĀVO:'hwEsSfb6;riZQCE_ߞj8*ehZx˦+Z:"32D&XH‚QCZf?oDqg?MSd{sWLV- o[I%8q"tKyeF Ҝ @ tF04=妿,Akc!4_׵HW&F,iAU *ȱo+ %ċv ͨPJS=:LBdQk‡G/Y" ;`Yximaj^|A]MϦ}U/DW}A%xfοϥ/f\n#CQQa!hj0 Jp߶0YKoF *ZU3B Zhq2G:_YObⲲCssoڋyT٫jEYg OLf$qwחv67kC]!5+Ӭ~U"8<0 ]M 6cd`Tي\ٸ"g5yyYi ]t?˩\M_ۻVKԊ,ˤ,XWa{ M #$r@9!qgۥ ,m$|gT~g6>tJkjCNmɲ]x*Ed2ͷ䠟0٬\^?IVL0=lvjNx|=NZꮭ(1&N=kñ_h%})d E 7)EGQHeHydyemn}2^Ǐ`8h< [W  5*qZp$}5dUcfZ8}i\B hf-O#>F]cO cV2PQ\y$/ θN_o_ѦCPSͳqCMM^CqS,ҽMXd66HE$1%B]=XʛP,+FƔ#'Ua`̀SAK¼qֻFMcQ(o;‡!&GEmZx 7V(4q!\ACݽZl%%%EqSšxӡ'(l7ݼv*F,ȠjN:ˋ9۶fk&6Rx4kYJҩ<0:[jmd@TdA#FjFO+L|C_/z(9]YIR_fR$H?fmyn AGm'_.M9Տ\p{1|ԌOl K=w蒞OEMeZERg!HņBO,cc^=$WYA(kNWglꓝ+]a-n E*Z,0Ur F`c7Eo~!Vm=(pϑ|?;>?vFW'k)𻎋9r)o5%n'+KJ XC 8׸}tIKyԯ=:۸:55+:[ :>Bn䒟'һ? 
`y{ARZTO$)rP >t=Q1@ruA@*uaGՆ+r2@ OkԉRZ(HYrCs͌ Yʊg#>_gD}rfʆݵ0=mMԛJ<%5 Wagi.O?AHTK y$Ϯ0 HQZ4|I#]-Fie͍]2{Xih:hĂ;ݏϲ$;*שSau?j]}x`y.[Hۖ N?ο]gk_.UwOEO (#UFf:6c r¨ U1ӽƈYFݑdTAgC9hsچZhI)*|3%H1"H$0ONNkqѐ[z|ka|V:AGUʸUy Z@75bi@!uPwkV0c;֜Gۊztl,bV`ё-jz=[\mZߑ_{h47&4^7עǴʓM]Ld,mq&,gẂPF+Éݑà9nPv[+MRSN#n>c֛{wnWM6Bm⭆)񢪷 )9-2 n-u*yޏsu WI89ɧPrXl29B_Im(qX&5Ic䕸%5?rDRIԗb? F_ Y27F ">RI?n}[DAFD+t1GJb6o m_@'-Rt:%Ytp?Kvv}52WBjC \iG*Y jGVHS7K67Ln?6.,U~NJxX5-uC'*Z ׅn h-ӹ?M.ת{+ i2t )C14j%Ft2$ڿeՋDM{o:nRO:h^U^_Uoknm={갻?b~Ee0 janw|e1ty(T$IRPXYFDO$";&?[i=E{[AXQWYр\.xS+i\Rsb6kO;g]ɱtxy&j-֑ L[G3`n@2ya5bMsNA@?.E=ꝯ?'Յ VBmg2gpi+ |PrYzZ*: $; nx +Wu^߾bOb;'OeWQˆS3Y*L-}"T|$b`Oz&ehe A|*kX$g?ѭtwÏGa຃6{gMۛz{m^?;x: *y0$@RhWԡXwJgϬ+ohZ"«Kz>Kn`w-Ԑ$qc7D)ԃ*Aޡ)C=oe +s%G 4%&>*ȮdMHĮy^NsanoXQ@-:\k3W-?/phG鬣yܔ˩⥙+ $y&s@PYZdO g_A^k#5a5dp-d5B-_>6.Hde9OB-PV+٘kĤPQT4ХTULu/s& 0%2.w;  7l,xڙ.fVc؛jO5xeaJE4)U bH#QZѷkņ-/gS 恅GͯRUfiPScfOMT2h9@}y'kwymwiXP%"j>Π٢)e*3Tq!ߒ_>Z&cey?[*|ң꧓`wYoSI4XmkSPgGo,{ \^y6$ܒTI  0MAE*c d`]ޯ4 89J~)kxJjpU4qxUc [H G*)ǙClw'n;KȥԇɕԧЭ88;[pVᙣ".X8P^JrMlo.RC.k)TSE3sY K[sjk*8kqi2"(*sfu=m3$\|GPJ m'gO]_C7 ]F:z TIH:ԪB;}ohmiZVXqS7u4p6a±GяUKCcYY ZZd-4}#R=پylwW&6?3e}oujmJ:?/ua=-t̪0o!1Vҫ RB|Sg/nl=CEZз_5 =PTҟkO嵸wn{jRl|-E}3CIqYܱbz䫧 3FAF[vy)<Z>}9t۷]m},ZMs220 8?nxo{fmM_~d7g=}p9xF 444k'َչMG,iQO3_/JEz-K d#20 2~`ӯ)?!vvY}v$U.R $$ }-#G8dWP1Ni.s@`kB0x`rm" #|?>*}{"Kz SO`VZ\f'WO*mmMUBKH*>!VFoSE[.4χ nڢyv5 m%VqR4jk(&`RH\6UjiY9F5 Q'>1F){vnTzW?!AV4S3rQ;7 c"!I@GÍ?Np]ia_@m]nǘS X*A0SE3 GQ]Q@;^hF4f1X@Zc$Lתݍ8"("JI8W{2gn.V%&?1԰ޚ4I&oTM#ō$ŦMx_$rDX ҿʂ/.= :,\dc."kUVPUOYM5>;%扑,7"FQn">TqGqw/M'R2SHְ])ԛ; 3#>SUV:(*i}mR[6RDiZK\c}}Kw" Ek)]DvدO[fhI&59_=՘j.Wm+Oy25X%f i.UQ!4 ㎫_ڼlcSEe Fd$sYWh+VނzI5}HiQLԲ@ϰnG: }.JC[sdo:ʀ֮!!>C,sDI:FG{YtU@$Zg&aquAyejJ(`-Uu#*A#‡sC=elc]kMj:j ipG1> ŨL(N #:{۹.w2&QSA i:<~?lu٪)&#q2̓SWC&wQ,8E(`?Wx-[ qK3q HԔ,SU2zoz>Ϻ|serY8g0I47zzNF:7G{on^uoJ)Lj(kRZ\ +4rFcb@5hs3@ QHUj^=[mppe"IJ\RXRtQ"әbF)blS?2+B=zA~q~Ο }V*6e:*8b6؀Ƕ,u8b*Ƥg/y _?d%VRժʼ do&#pZm 팲Gn zf:ggua.c]k6K^3BCZyҝG[oL*IR$c Ei|O>/awgt>ϛ]k{ cIPѬ205&mb[ʹ&Q)/#XrզߵkRsk•$}u̞۬W7F`BGPT`Z T 
K{o=VW{15"b_{TOݵ4RS=Iޠk;+P?t yt;[Ms7h YHaJr$cqul}K]3mzQ=4c.X.f]Q: CÆpԗeIpzԗ"䫁z{TZwbX)ќWz<~BXw.-b-&;|twU-%YrDahHGC4:*M׵⎊*34t*ܬQ.N8kjY]6>s=d0ZbM8YJ(HFJTPք|qKFTf&+8169,E([V۲l~:6ң^o.ˏcq& N48C̙oQ54i_'ONw#/[x<(LJ i֠di;xm_WO]e.9zm{?Ri_AOU_ϡl(~OM$/nn@_~OztܟQV?Ν/볏4es.ͥLo1dq>rc~o'i?zyxxzxOO/_|Yڅ[CkI_ A$4z}t?C'ij*2Z^SPm*YCE$FK}UV_M-`ɦYry=}:rسm$*>Cjj!kUl\ú}Eٛwfߋh&z,P ^Yӽ[pVU&3XyYv.SG:`CҸuZMuܹl~ڱJ=xӢE+%mH=TTO4QV)̐=D+TFe:Wm(IդkL*+îW\ux,Qd WWn=)P sوFJ @)$plgήÖ?~m(Iz i&= NItK= 8s&'" wTɦ}אҽ%LUÆ0hڸz{D#kE;Vܕ 2-&)P Z{[#Q# cZ$j#2Fah\|fd6:,ehbi}n{jЇ!9Ig<<N0vC X~%d ,Ł(\U؋j^-*z͙^sl b&[0; ) }jpL gvj  "xZi|;=l|)%fhMbgöF8i:O޳> %{ץn0g ᘸo]a.=oǬN+>PI5@o{(Ib\^" FbaF0!e/fn{>NxuЉ#sh!R 2m:|6V+5(m^rfh/: Lsh4 v_QqT0sһf3L}dIq.!Ѭy b6Y%Ml^rʆFNn:սHQB%,d|_1= vÓ4#ZH;~.#,} NƬ/-^iR~ډK5 NA y8C\I˭NSrL+xd @IE9NBA``ǫß RQq3ә,Dd,B#P>#%Tǻj#Z:Bdw^@|<ɴyN3A d~*ny$6:Jo2x|mdNͬx\Ғ΢gl_o `л+СE )ӡPku.v$K_e ? ]wl.b߹Ѷңڟv`Q;+c@X3|Uy)ςו Ŭ8JrGVv"uPI1HlCJ·H9If)(# WX4"~KS}r:ٌZe{o{L oXH|hK\UoYSl$DϔO"xQcM˃4MȐrܭ9gڌH7SQG١8ambmi"dD 7nK6 "vzYC WW&{9CWJo(!jEAA'|2Ujf eaC{E&+7auydvJ)'C|Ç~+?;:xU|XX(S*M>}1Ί,C(^3y&/f;p>ÓO!M}hv;V[hS], ]`F3=JvnK_u5 Uk? ۄ_%A bzgT;(,A׫D(I@ 8C9ӸeNl5v8<˓ChT<ȷC&=@7xD1$&wA)b[X 'S"mbuhHƊx`3X*=?ɊffRFg$5e#7R2+0sV֭qaWQlhGCi eltmUl@2wuT,#,UUh-֩` jaۼ-[R-*Q9ͭKnY 4+`F乆^t "ɕ٥ A6HxlHtIXW3s2HZb%ntkI|COu6ZY K_eL S=]{ZYӢ)355B-&5ӯ+QV(Moh~0*Lb@V7-\,{[wG,' {XNUDVק G4K96('yظs>($(7 %_#!ć@˫uC}XN6DTm!V&yE#evϺ +Cجyd6xa|!MIoĬ.&츎]UpQ]"VpAn)ṛ`存 Y5GJ~^c$Ԏ5*^Rvc\#csٗu4Oma W4Bd;)ޓ˶ޡD ^p`9]LM#78KD[4x1"H[IY 5Ex`f?h| d T[Y읊ML%zeVGC&nvtzݗtIz Lv 6$Ģq~=R+Ꭻ͐=#*h->%0bP'Y;caCnTIk#cB_F]ECZ(܇ǿN_|4enAk.2xaDxX=wia J&A,8s^5 cH)y  7 `JG_QH•yx8%h;KV('S7 ÔO#+`aq֔WHdq5jsZKAV5|J#m\sxo]ď0 ,Z/!A5"6P#ѫ#`uBIs@ `ceZ?,~T[ܫ9EO߮مi9(:fGf]7A24]Ra.ԩ*sϓ-&+0>OhYyW!=ꕰq4/6v ^1z1&irŠM5F=%\8?P0oqFL. 
Hwf6~KB/NIz\> =׃PPFCSW LҴ xmYT}|4[rq5 +uX(-&pnDorp8٧{m:Or5X]stlXrR뽮Shfc 8_Ɏ*xk.|$q#X؏Sg{ K7E4i&[W¯–3B:n",@3i޾(ֈAGG럣/eB% E#]>f& Y'uu#3| BPߢǙZf8tIg #=Kj2!:Kg/Y<&)K,1=0hQw98I1;!Z/o*0c\9:p*$vCU߅a%x Q| ML ?RzHqb\VebW_!=k M̝?`+!uR0J3ޏbXuWh^%KɆpb}'ɟ{ 5[NoSq(:&-9ylSn(=#$ P{?0jxe?l-$?QؽJc(纛/Ğt0T8.BqاWv0wVW гؙevOO7XnR x _UOU:9k&y/LI/Ekyl >DŽ jV:'ήh,aۦ5ܠ\\/pXlUzt9D65Nam): mcLۅa# _NH|"ڲ >V3l{Ҕ^݂jEL"cFM$ ~*7 K:6k!eEWb !Jk{*>]cAFL# &E Vj{M={Wk1Qa#M)'GƉ" N C6He-r%˒{HZa8] 9IUPs^<qsn;hfaD>vr'6݌&2Δo4pzbj䃆?q؋7*4:_<YGNXpͰ .?ex`9+ӽ ,4vۂ/Õl7wPâZEVŊF &$c\{fzeEI)9'bå4:<ގrAkrJs%;9rJ$r7ѧ1(NS6 U ʋ sv4/'6G,|2d誄Yҋ$O'}k !wlN3A4Y|~N O-|+F׶簎$L&sVV0ŐmDƍZS!.1 a$k#fE@IUNm8qƈ\=nP#32TxDoFN$R  nN$Q|hynYs#`Io#̨ĿU]/-FN) 2es^gR̉1 bBx4bV2f[FNN />]1I3BqN~i5ߍ!\(ne[}$Ƕ'\~2yX݉N_Z V5*vv3VaaIc1ٍ4\L?{v2HxvJO9sVV5IC+3 M}rRH~Z Ս|lutr9CY}  ;lpE*y>&ܶ^Lt=pDT:2%4 uANR MAEy * ҩ<+i/MNkt\ 򤒋>MS5 B<qj6ݱ!aXkN(BxK D1~Ds84ƩA0`c XO_7#_1LyslVe^^rGIIO4Ԗ &~zB1Ewc{_VUmN9pӯՙ@+3sZ/рٵBc{l|G= ry0YqR I-+R]~,tAZ$`D<;Q0s[t,VCBU^Ng+:z ;P3Y}ED3d'gBk Fnʸ0> \J{m˄1Ry^:tnf2EѤ-YmA؆рB6i@hL>*y[Mo (ȟj%*t=-vpN4*Cl-qtb/lU؅3Nh c=ˮk`]]P8s!4\ >QTD= XaMs_ZjnB8pxb_)ر[w]x&-MNc 묞Y Y]mOLgn2S<0>\ Ozbw+jZKyW4W\:=rs] 8~).% -0–d,-MtC5$'ŵxbnfOw5ؓVXkeG2k$v 9D 8R瑦*(((8xmc|N0`[?_R<=7+!G>zI!T!" 
+b jQDǞCYBa}8 NPflB X@׀ y#N4EG㯈#ÁƷrGvOx(ēXs-AG(JAI:CL%o-)/ԌQwvI~{(9d&GbֶˈFN {N4N Qu,pi18H_9N!$ӰE RJ#Nˀ Q*#,5ۣ!jAI Shٗdz!f],8 8mZ˩~47K#ΜA8i]fS #G=6HJJs.h T̩ =HL\;$DQD,3M}0]М觑sR(UUߺ7;\mqbF@$LnWu֬i/:') WWicKK~gÕc _(@Fz{yC vӝ/<9+K:h\]59B< +]d:)vvOC]L?WDzm(!ɹBPYߜj(!Z%]l#tD` Nd N @Nۉ DMp@$'V7 nIrMɫ/]sXC::`&FC.Z`ُ.bOĄGRWS, (,idmrbaY4sKQ=B9 m; DF}Z3ft-tfB/< Q 9?HvN\]4JH V-@E㝬ɁX3v hU7LoY,:#=mu },Oy|p Ӂ WD `~q^Hw}45u5|+4W3lMiE]]ΆJZeSeFi%ZONoSrǥsbw#Er9+_13%M2֚aNYRion.Q D 52 N͗ OH5\mfU`!e8ܐሁrXⰅ19gC,.S )=3hh9=6qL/Ɔ)t)*;"U.w^H^S<x>3Ⲝ3IIzn` 0xxg)#cE%%:> 9xOk֔q&xK1"l8-Q:<ϵ+5S.Y]N]8ZS Jrl;F+ۿ(gVpaST9\5[ [ReVy9J4uV?;:t7E.~5}@DP—⛙S_"E98r[jxyml=`NUßgQw??hC/4< QBN/>d @Z,@qC޼Htd5T^GU҅0 oW[iF怺)6:ذܜ'#S sS/0 N^ Ƈ_5Ati}$GJ:%F0]B+T3n;HV~vp}s^ 3htec s\`#C p{UOKXz tNu:b|)Q}4}EE-^~)կV3^ XD?.^EśpkN"EE 6c qsg -?~.e72(Zmx]W-15^OF<(ʼnbbv. D =+g.v8+UDgzs{xëeC1,mNg8lNNe9Z/kzaXL  Y0=ոֆfb,DH',tg 5$?:b{%.96ҙi='   Q N 0 c?q2.mq8|imcf<=\,՚iG7Jgohf@EB%ƋL{(!` fǙ_!kz9*rYCYs tU"Gs'd0v][DS.R3=sDP[dNj&H ~ X' ͚SRZx,SŕoZOLu#e@HW!aeܟ!g+W܄;.t$:㬑هӠLU+y,v,9sZᄍђ-޻`PӦK["P& 0#͹ ΋a-CC@>+xlb MdY,P ,v;r0vagάH[{at@jR)vY6|8:máHDRY ǨLOeY^%䕯[&PLtazb%ſMPeM} A:='J     c [gMxĐzE5EnGJ%55Nhn#%KC\V 8FHJ=WG|Ȅ2E*YrVJKXJ}jx.!Y.I=) 5>NJ&}yaSjˤKFlQ? 
Nlk$c*);>A ߊr> rluT=((DV:0U'< ]K a;d'`nyq#g.y :dlZZ\_猷M:ph*נJAngb6 qGle6J/0ɢa(==|8TXhR?F0k/Cm0fKU\hڟ# 1㱓ω( q,s@qj/VPt?JUZ4"@rwJ^F?M+ .aOړuL1p]t-0E HP369寣;knrƺoe/vL}7O{!Sander Temme FJ @)$"-0ԏoXӃLev+ )dzFeXK= 8s&'"YC&8BN\.1PRG4T$:Mܩ&B1.]9W/Kĺy6YL1n-e =Lch =vm,8F}E?"S rzwZ'ߖm=q[bTqfP='v"Dt .ܱ+aaIoG_2\PFq $@W"?Y:H]I EP"y_=S\@ka_Cd;h3 IEffTuc,[EwCo.Oh$$e8Tƞtr68K@a]{"7F&폍`_ݣuS*A'08K4#†.Z3gɌhpYcgI-3Չ K%F2 1|mgvA.Jε?qAhq?V.3o_v{n'/޵K|k,FY7 R<ªt,ܫ ]@k/>}_T9/ v dI\&حpV{~Ev2~c.]_~=cB7k7mM%ɒ(DŚ8\HzF2N ,h>t 2=toJ?]E2PtMa04${_HR".J1){TB3 "l5c`Clklk@ÿ:Wio&SW f^}uE:'[閯܈v@8BL#O{$h^K5 NA)\t+q%tBZMJZkv^ntI|wF#6Rk3Tq&q=cE«~d#G0=JP+W՗1IRs_VCN\|9Q&DPNxv 'XA8"Ly\[0#*|m+5ˢcTC7>ލ)bu@c6@q췉^Ksnj z(="d3q;78!hɖ@ &#yM k)'1D9A I ӿ}?@,:/!lCy?Ersr!`ֲq~|/Ympl:m+$Gj`'"2g1!f,8(JonDmLzOCʼnCDCD:LVt؃+ISM3O_/k/BcФpa*>Kr=kؼcAۙctӌUm\#n M0}"KeZ#` DM=chj[\mq]oHeנE*55T>6ׇZc@P}* X>,&7}*ђ;e-T0g`uO)r+frc6lf<6;~ue0| Bqb<.< @-Dq r@(.xW_3K_e ? ]w% vͽd3ݹ%}q l}[:T1}h= _xfjo_%ZۋktߩC.T9C_ }^OڝP% p:}0<9¢8eG i\R4 X!i yp^6P8ϲ]=yhs:qơ3sӗ1g2UfA/Al}Z$2ZSfkcl+~? 4Bm & NFK+Z>CrI7|yQj}Y |D"W9'}_H5L5 lMˉ K_eL S=]{Z m6cG$7^)13ۍ:;Ͼ|5OTU2't,㖻L@ZM ?D IRit|2oښ7̦7*cy8{r OG\t#)`kN| ]$} Xm-i X? )MB9>.լb=hrWS\Rr2=c ݑv>1TS|λs${HB""<8YD+ԥ`pK/4#VV`TEQT!y!a#‰0FL. Hwf>Hơf񟖑T>GB2Ń=;}zbwmӞu5LR.Jean-Sebastien Delfino }->y_֔y[|ʐ ԑGRA@_P/w  LҴCJim Jagielski Jim Jagielski Jim Jagielski "Jim Jagielski :`uY[bB383&@={tԓ9fTYW] LҴ xmYT)8KgyFTǴ0'fl[X<0i}|0"0_[N=`B>eefvDz$4`h<烍+pyAm1m<^kjJ;Y-"J/XcDʡh?Iu}YfNvpF ML ?Rzk=l68xGIM48A` n# $9GKre-+GhuI CS5[2kR3-4,npͶ[u H5[#cH>0Uz)Z_P?*秎;K'4SMR(_1|^ЖV~13Ҏpb[d2魂4VY3OYoƚFzrdA'x/RC]eU,@ YieRaY~F#Ҁ# -xL"ߴuPzhRuaKF>9k"… A9CɼaLݯJ4@ϯ\Pq;B,gs?JCp8 JQh9F6+E诎Ð0rB`8vWcITǺw6fh1*P|+'DM]rR<Lͩ5Thomas Dudziak (CODE SIGNING KEY) MMʨ,{Y!(FH b/=ɴ{O o ip@e,9ɁHukp US:"6MZ[v6x~#ۅ] O^{R62V-U15z}Y.hyTdD(.J$l|&X 4Z3-0"Bڃhg:Yky歬Rî*@䧽1z+xF6e~a&э2$KmPBB6GE_ny_X,C'*MD/Y,`.[{clu! Y[Fui+Ik/6yH? b ZS>]uϜ|p7Pw5Q qbPS]? 
N7R> ݚat1dzpGc H_mh:v2xdSŢ_Ri8BY(ZDLҸ=Antoine Levy-Lambert (CODE SIGNING KEY) ^5~ܡ+D&:oߐw yV{YU&Xh2wbщ~bVl.U'exp~{\,B1J[cDX:2Up)K` h5Sd^frfEVY^%fm$%y }2,h{5 am=ք|u)3p`ǿqRjK ^qkt%^=*UBxàc~o̐gwܳS0 S|_d(Xoǀ6huI ݆0Sؠ~ y3 #* cGW1hηvtY>#O|%A{aWO2OE7 ?O~9.W(qb7$և0%ћv-%.kH/,;avK9vB@Sw]GLѫ@Joseph Edward Bergmark (CODE SIGNING KEY) ّ|@7i_AQBNMIy?_P;Pc~x;6Ͻ,ߏЯ"G@s+t΋_~I>f%93"]JCd4RDXJw_du2t 8k6^FEwtH'-5o|/ΒL{;H+1@ Pf~D-(}LҴ)5Jim Jagielski (Release Signing Key) Jim Jagielski Jim Jagielski 4vyc$KM?h.,ƽh 8Xx8ѕBAiq];O]Ki%4>E\ Oa/u1u noCYHu'Md2Ҫoo I`UKOHS5/%符iGfbSff-" WUF&y%_`#Ͼpv54,JDc.kh^/e2XlX޿ExZe*jUAG HFQ3ZC JnWFNN />]1I{u]0E6jgm) b<فjEaࡉN_Z V5*vou;࠲FGL!3:}u7;'7acЇ-jV ڀT?:f_ZXU)kT 3i`z?=$Y{^lڄ'a/5 V"9eQ?uc*5S1}XcA|ɁQG{G(ꔢ_9tB*uUC*pihbj]vHk (1(9F-ycdUT?`5|c >(- . nB@?w=mOhؾHӔo7=C\nm]KwvcȒ+):ԉNR MAE;jɢC R"F?hJ}"Α^3g+4(F j׵& PȖ:IecRbKųӨ!?+4\",M/ Uu9sn;W|"Y$Imac%`w `B'xb,+8v!凉7US? K}.(^Vj !+IҠJm` Xfҕ"R ӆ"'N- ?Z,QSϐEty|KLz*ZXvϩW%[{'be%"["ݦ9@bR9}eq{c{2Z4T$f([Nһ7 2!&5[]`ݳ6 s@FT#k50AVtUow撗l׵DiE {Gue%N*Daob &P"_vXKCFZhEI# d{5NzAZA"F.".e_.l:WAA]꫽|Ahٱ#r;Ue|ʯ[{XުaI *l$^W,tñжQGAx`0/|,,jtw)pf:2] eaN Q*#,L5詩$\b\~+^Wlpx/ycXT=PTnl(.{ :-V4HMwӳwb֋)8@UU5N ?0G d&98HF_-Bβ˕ ;qԳðM]TUԔ2BVq}oeY(S?|6.T.}4)bUނ@tN"cQU~$YS}"L<2TF1čKXXy*y?67N?ؿ9Q#3ӉY{Tj3>o-0ʝ=ןF6C?s iu.ew&K`ha ÍeR#>8SE6nBvqoNs$wGu^8Gs:m)#Q"nɀ/o8{!rkR\g;!h* %O}՚\璺1ot]$ *k]m8 S'o96TNK)(pT7pyrgOzX65f$nM "֠d]A}UW +#䄎`M'jTAs`5﹵yUeZZ ʤą)_N  YН(ך}[]nFoWb<áY[iHrv;7 c"tͻ-&gpKX(Ih' )@\g֬G N͗ OH5Hal%n3Ma!=yRr!^CȼXF2͓Umu2b]DO'5X4^Esm mA%`@JT! 
+l:cKKLOg碝Щ_ȷ@ƜjgY1O\ZYmy  kvںy(uWWJu6?G>$mJ"/ɤ\bJNK쑵x?qrQ 6vTIs}AC1h6Zhpp\vr-@9#yTp]֦˔u"?r/RuXB %#"Ã|{η]nxOLL0$U2D"|؅VP ~1TD˒)"XugFM0MmL -R/-(.9|w NT\|j#*-Bai:p="*xLmv[:j YŒAU췸 N* s%0:Em3.sBDƺeEX3-A%LIc_mTboAIe0'قu.4NQɑ@RǘVM\MoM^| j1?,)x<>hL-g"뛾N)c˪$5:ZTm׮ZzV (wϳ3/m1`%zZ8{-* s Jw!wn1|#9 = '[S؞nm?Qj%s}YAO =k[}M5̰p6i5;ρ{%coi` f_},{G23{frq@yJ4eī?U T(;Skc&0NQ2;!s=8'zT{(f y6%~B⪍}k)QjTsP\,@^KzN^ Ƈ_5A'{-;dGO.sBe"4yM:D)twQ A}+Y<.*a'2Ƅ0.TW҇ځIj\lVYϊ$cBĞVpr\6 צ±ZI1W5aoΑ='   Q O 0 c@>Xu@⧣gx_4d|wA0:V}HEeި)\nHB玔;n*fĢ2Nҡ@շEЛ'IK=r%R>Fekrĕ{Li̚7εjccIw Hb\, lJ _jI?h&DW&A  cV+N: fo$O lg TV8ׁnWu=gHM64||W;b >!qo:oLLDjLJEӋ `='Ji     c?-5ٯf5XݡZ”La+vHbLQZ+SRAP1!E IJOL'43–Εf@'`ZbZeN`DKrY.@4)PNK.'*^E HzNhqG&f_L]|PbX,{> o.4Eg^lDBf%>LCLԷCݿ6a|_8U53au >\ }'5<0cFI ?I#TR<1)A aOTŏO ä6rKЬ[&1eh7}:f6bFGdun J;wKA[򓲅_MQ3!rV0>@Fg[  Eڊe5ԉ(/5MK"N^E"Uﺴ)Sander Temme  LҴ xmYT'$bgQa0N="ZJ1Z\_3^lȎƒh{(Yɂ~c@ LOd%VXwWF'˹cmK!=)]52U+iY4âQWpSAD}1%-*"2] <:xDסZ KoCj:4]T]^ w筶Ö4LxIulC9$@t9ӽ`1:7}@CITbb5$NࢄR>'PxS?Z;\Q̇s |eH*Cp8?U7K?d/J#ఋHx{ܾ`t0b0dmCZ,WK\;>Y&PSV<`}/%hue@QHvɶwheسhV&z-+mxGՋ1~=̮kEºSI_wkPͣפ@Ch .omtpdj|n ML ?Rz}a }TQ"{WHTLw$+n<c&);5j:[.6:8;DH d$b fN0OW`&硯{ ]dh%9hLۗ}$3Ġ@8:DzWq\zc{נ 3"ف%~1pú9:e>Ն 6YFgei Q~1@ǓWp%Ǔ3hV:D4>)5uvߜ B2~ ʠlOu܅FᴬRվcX3j=j{ڢ3>C\(khXGͻn QJ=?ф8wtVT4 ߥV-8+i1~nJ4E8=ۊJu "KH04ܧJE ;s MMʨ,{Y!(FH b/=ɴ{O o ip@e,9ɁHukp US:"6MZ[v6x~#ۅ] O^{R62V-U15z}Y.hyTdD(.J$l|&X 4Z3-0"Bڃhg:Yky歬Rî*@䧽1z+xF6e~a&э2$KmPBB6GE_ny_X,C'*MD/Y,`.[{clu! Y[Fui+Ik/6yH? b ZS>]uϜ|p7Pw5Q qbPS]? 
N7R> ݚat1dzpGc H_mh:v2xdSŢ_Ri8BY(ZDLҸ=Antoine Levy-Lambert (CODE SIGNING KEY) ^5~ܡ+D&:oߐw yV{YU&Xh2wbщ~bVl.U'exp~{\,B1J[cDX:2Up)K` h5Sd^frfEVY^%fm$%y }2,h{5 am=ք|u)3p`ǿqRjK ^qkt%^=*UBxàc~o̐gwܳS0 S|_d(Xoǀ6huI ݆0Sؠ~ y3 #* cGW1hηvtY>#O|%A{aWO2OE7 ?O~9.W(qb7$և0%ћv-%.kH/,;avK9vB@Sw]GLѫ@Joseph Edward Bergmark (CODE SIGNING KEY) ّ|@7i_AQBNMIy?_P;Pc~x;6Ͻ,ߏЯ"G@s+t΋_~I>f%93"]JCd4RDXJw_du2t 8k6^FEwtH'-5o|/ΒL{;H+1@ Pf~D-(}LҴ)5Jim Jagielski (Release Signing Key) Jim Jagielski Jim Jagielski 4vyc$KM?h.,ƽh 8Xx8ѕBAiq];O]Ki%4>E\ Oa/u1u noCYHu'Md2Ҫoo I`UKOHS5/%符iGfbSff-" WUF&y%_`#Ͼpv54,JDc.kh^/e2XlX޿ExZe*jUAG HFQ3ٿw?Ru+Ee|i$]_#NKlt5 -#9T禽W 3Q($/5{KW+.ׁ]:t$R…B*ͫ^\4p(柇Dm`!~ӍšSN$^?emZd'܂W荾XGE'a9' HYw7XjС"eW6X~ԨSqd,;R2dϠ:q{FB'ovS=lPۃ)k!D~²q'J~uV"5'E8QQ џA.&D^p=&e^p7QsO ujA% tPKƆ 6U8_^&= 56>n.qo#6FEQgxG5ͱy"YUTs$1\T=sWD6 j,P"Mgg*Mp$~éO4KdVAI.r(O5Uo89  RL̏N y)>&&nHU_$-sn9||G|L!EDe7}^4gIv ً#\)'Gؠaٸuž S ߇mP%USDE/,jdԂuI UXV̍9glPN|.7Z1 Fj>u) <cGIW6@Gkg"FM$ ~*7 4|D[ټ9>Sn cCz%_H M\WsFL# &df9-t~h>]'zf&@{׉E" N C6H^) Gsp> >TrD}}ĪX F1m]L~^L`y[. 
Ji<-ͨ*dR٨?# rTڗ0 K&Q<OiVN}"$F,3o^ɞQ}vȻ1w$ 6d-]\Y+ [L=#[z҇=(m;%/7d{ ֩zS:PF$T fZP#WRBwvU@WNݼEJkF+~Lv9{a vBUӤ\ r $%FZhs4Qg YE 6w܌fPOdCȿ{u'mkyA:FEM{8yh=ЋtۦO {UEΝFN$R  nN$Q|^` !@8)7nüN 4nFN) 2ep`W+Bkl27b%%+aY{?͕=FNN />]1I0Z?,4z6k==qbhN_Z V5*v'Knx1)q̴HLłc9/+k;F %\^6$vAw(#z ռ/Y'͚r1p=f,f@'\@)^ M#\ F-XB"}gs#w}1%ffJ'q=c#󆃻Sz+ۛ̅P\J v*7 Ni S=]{Zs=#h.D;kľ-Ollo\dxY]w֡6Ӆm s"S=#5NR" ?Z".P^V5~r>(WhJGB@&=3iȅ[P >X>俇/ffܔf gk!:RbʦִvTVLQd 2mSq5ٝTmY3xXFٶAwx2yLp3`&{cv\hL:Goߍ;eJSLLiHa -0|Vp5zMP7 r=GFRTEJ.^ɚx kp@;=ӹLxV O>[b[Csd*;t>9a6" BNɘ1b8̪nޢI #uTbqWѓFo՚lwUN Q*#,mI cf?tG|ND Y.NVR 8QK,u8jMϝA} VNR6 T7ob׽3.==!>C˘ȏ۸O`s(LFrWCM=,xLfQս\ H|+TڸHad F`ꞙjD3t[h|P0ѕ;tO 6-gˮT:В 0y2FZfPU8À^z᪞>BcG:*Za~4K" 6y&ܕuns _,j'ܨr(\gP0o(2[3٦[ afT(.71nZ&ݻUV ĞtD3h#-(jyyloT|KZӆIM9vV%_Zxi4nГ[7x =͉O6oi 8s&'"'H.59 ޤQ ?=.\#h_!CIԨn Esx<=pȥ& U]8S9 gH1m*bbl4p)8,,!r;e;]uBnD{\\fO) 5Bΐ).)"h;X 1۲md)5cx:H>{Y.hkB]|NPi#,ջ5̫z :B~wI}mc }?d Z&ϚyP;YRqD4cX 'ܞtUh*-WoDG7*k` 'A؝ ceFƪ;yΒy[@ -La/I׋65`!a2U]gTp\5qVE/^k'<Ԝi1ձwֳWN2DzǚȮ .#"][ zRnN Nd N nCWfS*5a~`^Fq Ͻw3DWwu+yyݾe+Nv\? TRPL yZn׭b4bӿDwL2T^#¾@^há:&{RDj̻T@IgQ75jukN&x/ɑǙ$ҧ6Xkrlk^5d\dڳ;:`Y|ԍ"U;Wf?$gl1O /ُ߀3idUsu|d+{|lI,kJvr񘢵R mzW=D,p }%1)mѦG~6R jĽZ9 8FpbKǮ!MKL!4kD4k}>Y:x拢 h5?epǒFa)[ ̠g1I.T,L(ߵ2WIHgjՈҡ|*=-{N^ Ƈ_5A"]#Ei#e`}~.W k4HWf :uOm;Rbg9nnX;q|`;1g?-9<}5[ӼTtaD1Z޺A"'!J3w ]l2PEcŴv4b|qmW&Ob` ,0붗д\VV) ̵5o †ؚZr8M cǐ/HIORQ2Ǽd@K)372.(S/晓Ahn wz(86ђ"C@:Ϊ:ef? 
Cq$l)yӵK8ҥy5#xc`ޠӑgxj^][CF_5Ӈs{F#ZH\VxgT/"㒯<>(  Q O 0 c${S* ak [S/)ur z#cZ3At ?Bf%'N h&"_h dQ;d/2$7O[$̟ٷ`:B^ڟD8*oFz-7BϏ$\:Á:$F+APiKl~UɯP; - [>M~#d!L8 6)12d )I|ƹ WzB֘\۩ȖD(:p+^X<dob ဠ"ǞG_%5Hv); #2)Y_u*n2lK Tj,>ޝͦ$t#z)7C5Cr*5u5LR.Jean-Sebastien Delfino }->y_֔y[|ʐ ԑGRA@_P/w  LҴCJim Jagielski Jim Jagielski Jim Jagielski "Jim Jagielski :`uY[bB383&@={tԓ9fTYW]8"Q   c%Jj^lI+ŗq=y-Йbtm}db 3 Lkr CnA|~Ak)4KyC,\\=[!qz|ZoM hŸF݂&{5$;%w2m֚ײQ5rLFTa0H\C=(Lw|    cv:2>cwz@bV]MG q۔j-3c Q-:ϥ͔BkNAnrT2vao8& QL٪G$z".""-_y ʾ]ާ>{OrleVٻO'QI`Py=6Yd(P#СW!.wLyj$,%DN.T`.ltĤg^܁4ԅ[nFŢ6b66mBȔ"F\+R>/jc?c@eܡԤalkM4A?uF_3=.g,?x$sǺؤq3!!]Wlw5XY{U5Կl1,tW) 9t&;(>7fr:w0,m:% Q  0z cB;sOaqXR0]MgXl8]4n5@SK9ߏ.`4j i|yVs,Jq Odc ~ '=qްEYe'\Q?Uˣ= zv:B$ym/ ? uYNEDQ  em)] O ]c/Z{ 2`R8~4ŋ~: l f.щ#\*e n'6@ґ䗽lʏ("`ZGG&C!Bl ^h?j;7%=(g^_;$v<@4j^q/oD\;̳daK(r Ux!Ӗ/BxyePI<@m) R>eRkƐcfu~xH5)՞VEU7#sMv,oOJ9'gH$$2WsIצrg>.hy};EL<dLa9.[EQ70rPl+9dcmY}jy8 Ǵ{eA\"!603!Б*PnH?7R߰ YUNr}L$#Hi$>vF #O]] cf gJ2V`eĉE򇾆coERˀ8xّa0ǜ5Q?pp=X6^Df{ oLwX,=;b.yFhYPI$WMJDԍmwl)Yb~!B@N G\3w5714^( ~it߿q3v.t̄`;1U% ˕vRXV.a\N{z*`LU cw->IHp` ERˀ  $O술_ֶ7I`QmpFBV+5\NXO ERˌGu׈}y~v ]( pB:KJܰxFӉ Z1hdĜFjI::?0,A(busz-Rx1cٓq&āMt]邒\AYnh|+⿗7޹3l)>a @m1pCjj}+439 tg'C\Q;ʹxn]>73>5*| uI ERˌ $O술'g# xVW)ܔB;u$Y d;ә;/.3&p,.' 
ՖU-rH0lnYJCLj嫨 N#z"v]\9t3@<]tf_ 4ߛM&qۻf ,MQ,X}{ i+գZNF`- .;]@>V{zPھ%Qr{To`EĪ%Mn#45;TԠ6P%50$BEaL.Љu w-n@qA4H"r>7g,p {d^JY&l` hҩh|zΤs|zX:9.- y^y,`fJ4%8͗U4 0e OwrU@}{`.GJoe Orton W;/   GD PE-&D S%qv볥FzF@lt 7Wxh}~k/Ry]VqR# xP+@FAf' K*Hӝ]씛nTUoR\QZ"PH2X V;G!FAȜ :Aȩ~Jv'Y k)u4֨X~0FBo OIoFpmsqF;/ GD DtF K|Z'Z9RkM+NrQ7݉ HEB)oM5x"d2֑U]w/ז!{w&} hVo}@=3FTc ܯ8Evwă{5+r/frgS`ΎFdFƴ舲4"+gEIAE/BkWк: `Ã*_G N_jgff?#Bojan Smojver 6 HE   MA3Ŕ'r-5kݬg8T>|~Yh[T9FDR*$D!7+G8a7y_GU`η=4DsE$$'erd2DŖ7w-҄p lSD`p!e?H=x0q qdN2x$*{I+ zU8>+>˷$LR$Η!ôA'le$%MO* Htȗ̻DdGG63rJ989{dl=G`ǟ-'hBbZ,kfmc[x;z70';Ie]b]D`fttCt8l7"7ԓ`+AI!+JM],3~h,JzggFn.K89]_J=#%_N$[0-[I_7DH fCf0Pb1 j\Y*St>`yO%ѬcÎC+u9l~DEW Jn_f/h{\s3)v8 {zjL#2!2WqS (}<6uYĬmJ XF@'HRG CW%H$    M43|Kr:E3+A4_B»1Rb#icTZ福H莖4md94#L/P:?43NUGj/s0#,.-FWT^,OZH 5bX(ϳ}g` src2}^ztxI<<e K]㦳J N$?z,$8 ۸w\X ͳaMۼ-j͎9I@8g%Jl=ɀD9 Vhc]M:|('iLi`g4 n`o}ăiIgIo8%iŔp-,\P͹R: "\'{"v88sԈ/b^PD%;Z G^O3w6нDSafl-`5 S;fާ/Whv0PƵp,آR;+Crk_/. fBZpkSp\t+ "ۿ ˑIݙxZ?-<{L\L% J D 7~/VcEB#W9,j?GjXG)ӈrk&ݴ&Issac Goldstand Y@8g  o"Gv. #WtJ79xL;}(GaOF@>` 7kcv>XАe-\OphUw,F@>? i`T1|K{\(^ +,F@>g6 T,t6rFdfxaPu5iQEj6 s^tF@? umKȁ8q1+AJЫʊM1JP6b/<%0w$|FG@f 7ZMuEo}[DaX$ai4n~눩iGC' Sander Temme "Sander Temme Sander Temme @)$\8 e=pL )C+adLgOEBFGg3 @«~@fxt!uDwcu]Z,\צIg:PjFG=G ,֨ F3pr! k7OF8$oʪxwXˆFG=) :Ys\+] >{a߱cNVb$B/{9sx_[+ Ԟ;FH E &b bt+HIlܷB+IΆ;[0I FG<+ ՜e45axN!g}%ߴMO/ [QW-CFGC!1 NiN/'g?4WU8E+mS[J)[eN`|Y@8g  o"cLs1cX,"Meқ*Uk{ FG?el 95.o^I0 䵧p}C ?vFG= f"nޱl grѝRNCVLJDhdFG<. 2å\xy <2F<)>.QWY q1G<Х*Henning Schmiedehausen 2NA"+  Z$ڋ8؇\ 2-&l.;N,ɝ=pƈFGCRu `(:O yۆJhhd%+XtR^ ;%σ FG= =0اn+QFBW / V4m5. JnMXl FGC ًh=dFO:30Q~*i]į%P{FH > `c0n MwІ[V%Êh(خUp&J' vad26DG<2 ePl]󌆔Ƀ\9Qk:GJd. 
>y D_K ߳Yfj=sW9^\!fAL IhC@]ڐ*-kNQt4IT8"pKC>x*Qw6.|o-\=<4;\7)4NL!$:0qjֲ`Q)-<t8$TyYp>dB=GPRj溇:F BF1/A-6 YFG;ʘ [OP8rtl!`WG.g}#XQ# VXBp`FGV .I~EQ/R<'$aF}-1\FG@ 1QyqϪG3.z8RS:2xS?TcFG@ i4 RͶ..G:9*xr>&q!%/.Oio/GB(Felix Meschberger ^'nwwH?X5܇jyJ)cbK}-^lEa-vȻ%S916Q77*Lu Ku"}w{4kDwO^1WZKyXʮncu!#=MWT3VBT̸`\抷 Y7xFe67߼98mK({IxYTumÿ&:]r<(0`1VjR #Vc9"}{h!)6ΚoԎ5\(mX_#*~1VTvV;,m`+C*"gRń`+nuw8"Guenter Knauf" ("CODE SIGNING KEY") `  P3| /h[ K8U%D[Xx)@ i16-5.l}*k}/!n3 &[0n1"ḦМy2p!y8?&qwDE7-N8Rx%{V~iT [iwø=[ 2 |KDwOj{p-W]5 bJ;Ll[_N9m Qq̟Aw-hu P2e[i=cp!>sJLdTQN: *#݀ ];Utټe*BZ#Y2N=1z;?).ēW t')/&[HKX4svz*!1E[XQ-_2$N&-QGv`^P[8J+1Q )v12W<bS?JIwڑKm2l9j8C:c6Vr}R* mcf P8\2izE䇦OpPoX*!_/j21擦"2^DTp:zҷ2sZ`SY`XzˎfNA|m'uW$LpE_d\0 OO@OEN  f /h[ ta搬dv(f7]WvLu? P3hJK t }© $1-srbl^~s*4TdhyX(a I4t`b|C꾊\̑\/sroFlˊUh P3) /h[ ] P3 U1f_7KrwӏEt@ձr.=KX gAVN{MaLL}V¢rK ^_B瀷0,>lUD5hܢ-O0o~h dcJVs0ŭW68h@b<[x]<"xiQۅ坈ap/2w=n#kMލi<]̴Hj_XDž]En!=  KUͶ@HFaaNY`> 9neQԐ2kH( ;nqߋ-kK@QǬq2_ "٦r nb0(xb]m$vHmf/yrHvQelATd`Q\,V ޶VKaf'KS1ޫ}̱e14bzl)!o݀1 5]5\295DQc1+\X;ZdQ1DH\A ʯ>yV>WM$[!F J^Ϝ>ܲyvUȓT% mH;Ks8e\nh8&P xMRpIݍkմW#kcS98oiESdVyScs٣T_ҌLX"}1NèKpPXA?`壝>4ԙ6+Q^B15<Ɩ9D"$/,4Jeff Trawick (CODE SIGNING KEY) 7 !KU    X.9 ,9"89)TUY7<c:3`h>1}лֱ7^g" FAV/3J4\{L?Ɉv(T @jcClJ3'/&K@~|4{Q !_ o0 t4J@N|rE˳!)SJ۵ӽ!#h]` [#yؐ@:`5< }Tꈼon 8 2Jm R np7O w-6)") sԭ E7Z0]- G[;o'vKm\`pY#GMq};E1ni8*l<~jvZŅoJ -f|2:۪ɾ|<ˠU\RupB&r=N>oY>kqA2T@Z)>M*jna>u `G 9_۵&\5hTJS}q^ sV*{:ufyT\g\v*{ KN@SI#.GM j\`|FWyo uQ3gϼl@z= j/w7QƭIxC7w KU X.9 ,HEoCa ^2m;;Edᕀ9n*~2^T_ txA†A^n6u 3ڟl GLf?dg&+p፜`g)\8dx QSE@jOc|'͗͟{E $Py#P JG;}C]6H &;,(6[tƲ:ΕT0#dǖ1 \ Ԓ^iub ֞.#:}%5nNߨ k|_7=WQyȺa <'E%SX!"VB$}eE,;+lT[ƨbTkM 7JĖN% /90[;%oZ[R73ȿipJN_WfHb0D1({K60?.L;(-ę K*vWeEO>YkB$@5ӓzC:v9x+MTxSwK7'O#7lL,1KȲ:+Iho-v k-E8q^lR=8pJO; d^+ Ud&ns \W7qѧ{(h 5<$Bg>t )3Cýjq۱[̴US-% Hj.KL/05*^jYsM0P:+$4ȡ\ΖnKR7h"$ΜZ rQS,›ސAP#-b= [(ѸEe5;8O_B3/(jy w+!Eric Covener : $   Oo,  xmYTo S=S@u4uOǗ#"iNT{;jk&A?HEҦlȌ5У;^#X 5Jp65xT4{ڟ,^«e>ah44I #\dŸ(8--1`[c?_uƋO#\`n 5ݴR=;1z;~J@wrdp @\u nw:6.Oo'1s ǝ]dQW:YޙbM6rD 57ƾJK>}  
N>Er%j0ޭl8γ@iXI$JsC+?Ͳ\<^ct[}M>&CByٰ3F|YJ݁7,mQkZAK7~瓸@M Dan Poirier Dan Poirier +b?5,-gؓ~UYk~`QNi+_ t\ߩ% ݴ9QAN ޓ7Q%fѐp#(`ӢID2q;zgKLFeyedwS<w8-ܚ#i}sW |'yK_i!Ƌng'-`=dŵdy_i,m/ kPMT%N>K{2GN#{B-⃷iYxZ`9\#GpBB́*vN{;Zտ3.'Ύ%Cg~C4vge?CJ޹;^!sL9 ;NU1-Vqg_V8ϱ(#9W@Ͻ),Am{E.*Æj[~9%N? (ƙEJ;*ÑN2D三]GL׫@Joseph Edward Bergmark (CODE SIGNING KEY) ّ|@7,x> Ϳy/:K?B_&wl`7⏥Y!g~O 7fGc%ϗ7q :2e\ҜrԦ|5w2/Anknh\36SFzpԵSk'~``_\,U f11(Y4(Uq#:MGr !gDc&p6)l_h%JSB%' :͍[bu!餋-wl(f  ֙L%~V웠WJ+a$] Y3lKT t Oue~2y9RӾd4NJKHN-:M6oRfJ<}78w5JO.ߪeZLYܛh]:U~R&{fyW\2Zm^PwJ6EVXFډ/]s[^3f LҞ [{r^\Jŀo ԅn?o_OÈI{l++!@pN< |\ejS.e°#wRK":14SAݨRCV%p8A~#(␱濱3EeXJT  ˉCۍOz$Dޕ4 )kt%Ic#Sؔb;wژZ+:EBsNqRv's|׾h-/~ -ge@,#{gt tTvA Cѭ<;qxZue\S,Օi!~%&KS V!gBCyru4rK'T~\eO$eO8fѡb#cW'\"KK:no>{>sP<-~W`TwoR u5LR.Jean-Sebastien Delfino }-pRzt>Y;шK(ż̈LҴCJim Jagielski Jim Jagielski Jim Jagielski "Jim Jagielski :`u7%}LJ++Gg2u!}BwS MM ?Rzuzp5#nhXin墰QUI4?MKP9A2'<ۧռ{A rz-@.u"KmRZHۨ&5^ l0; Y(~{IgwhZ+ja2x Q#I #:8^g늋aAZ8DȪeCV?sىL'vR_:d>TTn,I×A\-K4?{(/uo ;5I(H6b?f wz@u-5ʻTgETyܲY PTFME* aըt2megFצo`T-MN(4ya؁]8a{iec.Ѡ'vŢ;cʳ~f,c~M8% 3Vu="(`Lԍ9jBN8WѸqPDBf_:䶌Lj]R<Lͨ5Thomas Dudziak (CODE SIGNING KEY) MMʨJr}#9ta´rD;ѝ20]6wX؆m!" VDw[ nD>V1D(>JJ\v$/t@jfZ]4. JP[-#fMr ƐDKWݚvAcNHwzʑP]R9: fIǤߏ rr]M3黍G֠gУ2~2azeWn F61x&N/w2F"QPo$4`NG>?$L ʇ 6$> !oX}5*( Ru|Я, jB7x#u)2.N7(od"K@Om$9 AgQG&}+q@Y P!J;\B6JOXЇDkd0{:Gh0|*ϔ-Z: 7IeBIcVjbdE' Li}S{Šg&\%,w/$K1,%Ԑfm{6")_J6).pK K{оI'k+Eu5IUUooM7:hGP̠<9D  |8 8i{w^q0TƓ뒗s )k㍇ U@.BlJ4_Y=4=ᝎTj)S뭨`%Jn$+%" WqIʤHY^얤 ąY',/ZTཙAK\2[pRDZDLҸ=Antoine Levy-Lambert (CODE SIGNING KEY) ^͉{Sj3t*fU%9u1h_ĀdϟFOK9P@aPLiKZ^+N#oL':'@V|D6{SŢEF̔ O T積]šlI*\ =E).jch~DfP]TK]nw_b*&Ujøe"N"I}*VAϝ{w( T.n1w\"o>=}+⹣ VR rRgAgL$nJ"(?*MLʷWJUsoω(3HMI9__YFҞ(Yqŀo5H)CX7<=9(j$uVTF6pe4\\ $= P_قFY(]"..FbB(#+!8g*]b]GLѭ@Joseph Edward Bergmark (CODE SIGNING KEY) ّ|@76y|G6?Ⱥ;|?? 
F;P2qGJ%HLʰ?(˟o}#>P `j}c>}\(f#SBL : 3$@ē"_[Ydc{|}CZGE'[,"/};~XB\6íq7Q(NPmՑ^ zBSfiOngrR_ᣨo[;Y*nP[ֺ!R3E'P,m*[\h٪BBVi4F"O_^?쀕)lXDL^Mqօfb Q$;M,v,H_p2ub;*̆[t]L3Ĭ4M~A:դS:sC3>Q D r]Ur Mm !WHf&O.Z}LҴ(5Jim Jagielski (Release Signing Key) Jim Jagielski Jim Jagielski 4vy6m)Gk]7G ֫OpW } qQsNx@{$  xyEm63<&jZ';FZSZc1`Wk,+H<~Er:!E F@t+Ц o+d7K4FWO;)\Ej1ߔPm֖ɻ NЍ&)fI_zN6bPjSL6/ CnmmSl"t<3Theojy"ޗ28")RQ0Ws`5&@uSI=![ YA\V DZk(jDiu^9QnWR+JИ)e?;r곟ìe^.?w'V).Ѱ8u aT,e mIy ;VSO6t1p@!7:h}fOvjZ#5Šr#EL Sander Temme "Sander Temme Sander Temme *Sander Temme cdsEVS7{ivBDX=y\ٛ҇wᑿlw(`SA["= J qt>3r /4HEP%2L=r,}jPa Cԣ[G'}݃b;X(v#pº' ނ-Mej<-Ժ$n|SR0cjDqԘ܋]F3LG=wx(TJ8"oQ5y^Zh{ yp1<~yen۩,LO:'XmS>jFn}ƠRSIz?(])?s+Bq#G[y c߁țJs:Yl;Ho.IFcD(ZP5m_`?Bȇys ~:4ENdqC:?Gm`{Jnh*-Z:J,D$P98*ꯠ (i`۹Mb q0[saIn]K6=k)V|˛OPI v͉B?`Hn >עJ4%?x4fثOwhYYA8D'3R,鄝I6)+(V VIRug-)I =@_qD4"T/9<e34ͧ%*^rskҤɜ ц|R~ωRYy#9v*b.t̀lv 4 ?y;wZ_W΍ đ߮`hJ \XM^8(dC&][Ů 2Efw MٗsT:dYoȏS|UO)վ!%a?\d3:dYhٮ~t<{0h q1 '2HC?piwnv s&ˍYܓ;d튶k |iy]p?. -:]oB҅5Dv#Y>$s/- T/=(ІW߄0/1iH"Eric Covener 7 !Oo+    xmYT+ CDY@X㙄>CǾ~ dhF-䮳ĴgǬ1d}:#)Iu,N ocyÇJ/<5oV PX3|IWtt Ƈ8|/* ~%*6cKJt@ ܥ QM*TVC lp0/90DC4aSh|uDTz o#ՓΏ!=.PblNA}h W6Iޱ~AHr$0DvF@2!=r]d37N17>[lvY>H7G;Udo d;@G<#v2QGw "(覎qL ܅ ش [sE\v39sCFMEB:ވ صDc֜jzfJG=~!\t83yjfߓ*bύ-*t K*vn(aD%"1y0JRKu#m;HTif (r>`fv5KQJZ؈Ⳉ67d{EÂoBPTʵzB Vr˭] y˰8D41=L56 *H^ 80;JXrHa2Pw?M0\vzShcf޲b/U5"dGdD0WÂo}G_- `$8ΣW 1p4f4>4~44,y9)J'T!L陗,w=:(K*lCn2!GRkӇW Hds6AgZKU`  ƷuLACRP5bE)o 3 Jt'0I7Bn/MG&=& j1$g^6$c]V|oA.= O&UlGxF&_+0ߞw qky<7/# K*v xmYTK*1>|w#ZdfOy_=?c{]a`y(omc15P60YzWU֕dBSoDOqmt3ES h0P |/ݹ ?+"%K312搩17Ɲa v7Ҟxu~yrbқ)F ӳFh_,ˮuv=ǻ%%9x=:̌) ]^c&U*K8P2ȸ:ڠ..L!aBi?o۝H!*E$b6˅󯱄~Y8QDw[Navwk6;7=.ߏ.zj׎G^6I'f\얽sLTYK, A ״6 iwɀf@XEfF"=tP2X.LiBKcMdYu>Hi3Lm{đ)debian/apache2.preinst0000644000000000000000000001100513376761111012102 0ustar #! 
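/bin/bash
# ^ interpreter path of the script's "#! /bin/bash" line; on this page the
#   "#! " itself sits at the end of the preceding line.
#
# preinst script for apache2
#
# see: dh_installdeb(1)

# Abort on the first unhandled command failure. pipefail is deliberately NOT
# enabled: the dpkg-query | grep | cut pipeline below relies on only the last
# stage deciding the exit status (grep finds nothing on most systems).
set -e

# summary of how this script can be called:
#        * new-preinst `install'
#        * new-preinst `install' old-version
#        * new-preinst `upgrade' old-version
#        * old-preinst `abort-upgrade' new-version
# ($1 is the action, $2 the version argument when one is given)
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

# XXX remove
# echo apache2.preinst $@ running

# XXX: Whichever file you add in one of the sections below, make sure you copy
# the same file arrays to apache2.postinst and apache2.postrm, too!

# Conffiles that are no longer shipped. The list is split on whitespace by
# the unquoted "for" loops below, so entries must not contain blanks.
OBSOLETE_CONFFILES="/etc/apache2/mods-available/authz_default.load
/etc/apache2/mods-available/authn_default.load
/etc/apache2/mods-available/mem_cache.load
/etc/apache2/mods-available/mem_cache.conf
/etc/apache2/mods-available/authn_alias.load
/etc/apache2/mods-available/cern_meta.load
/etc/apache2/mods-available/disk_cache.load
/etc/apache2/mods-available/disk_cache.conf
/etc/apache2/mods-available/ident.load
/etc/apache2/mods-available/imagemap.load
/etc/apache2/mods-available/version.load"

# conffiles which moved from one random location to another, separate source and
# destination by a colon
MOVED_CONFFILES="/etc/bash_completion.d/apache2.2-common:/etc/bash_completion.d/apache2
/etc/apache2/sites-available/default:/etc/apache2/sites-available/000-default.conf
/etc/apache2/sites-available/default-ssl:/etc/apache2/sites-available/default-ssl.conf
/etc/apache2/conf.d/charset:/etc/apache2/conf-available/charset.conf
/etc/apache2/conf.d/localized-error-pages:/etc/apache2/conf-available/localized-error-pages.conf
/etc/apache2/conf.d/other-vhosts-access-log:/etc/apache2/conf-available/other-vhosts-access-log.conf
/etc/apache2/conf.d/security:/etc/apache2/conf-available/security.conf"

#######################################
# Report whether any obsolete conffile is still present on disk.
# Globals:   OBSOLETE_CONFFILES (read), MOVED_CONFFILES_IN (read),
#            CONFFILE (written; loop variable, not local)
# Returns:   0 if at least one listed file exists, 1 otherwise
#######################################
obsolete_conffile_exists()
{
	for CONFFILE in $OBSOLETE_CONFFILES ; do
		if [ -e "$CONFFILE" ] ; then
			return 0
		fi
	done
	# NOTE(review): MOVED_CONFFILES_IN is never assigned anywhere in this
	# script (the list defined above is MOVED_CONFFILES, whose entries are
	# full "source:destination" paths), so this loop currently never runs.
	# Left unchanged because the intended list cannot be told from here;
	# confirm with the maintainers before pointing it at MOVED_CONFFILES.
	for CONFFILE in $MOVED_CONFFILES_IN ; do
		if [ -e "/etc/apache2/conf.d/$CONFFILE" ] ; then
			return 0
		fi
	done
	return 1
}

# The two functions below are licensed GPL-2+ and were written by dpkg maintainers
# See the dpkg-maintscript-helper script for details

#######################################
# Move every existing obsolete conffile out of the way before unpacking.
# A file whose md5sum differs from the one dpkg recorded is kept as
# FILE.dpkg-backup; an unmodified one is renamed to FILE.dpkg-remove.
# Globals:   OBSOLETE_CONFFILES (read), CONFFILE (written)
# Outputs:   progress messages on stdout
#######################################
prepare_rm_conffile()
{
	for CONFFILE in $OBSOLETE_CONFFILES ; do
		[ -e "$CONFFILE" ] || continue

		# Path is quoted so md5sum always receives exactly one argument.
		local md5sum="$(md5sum "$CONFFILE" | sed -e 's/ .*//')"
		# $CONFFILE is used as a sed address pattern here; it comes from
		# the fixed list above, never from external input.
		local old_md5sum="$(dpkg-query -W -f='${Conffiles}' apache2.2-common apache2 | \
			sed -n -e "\' $CONFFILE ' { s/ obsolete$//; s/.* //; p }")"
		if [ "$md5sum" != "$old_md5sum" ]; then
			echo "Obsolete conffile $CONFFILE has been modified by you."
			# NOTE(review): the message names .dpkg-bak while the file is
			# parked as .dpkg-backup here; presumably a later maintainer
			# script finishes the rename - confirm against apache2.postinst.
			echo "Saving as $CONFFILE.dpkg-bak ..."
			mv -f "$CONFFILE" "$CONFFILE.dpkg-backup"
		else
			echo "Moving obsolete conffile $CONFFILE out of the way..."
			mv -f "$CONFFILE" "$CONFFILE.dpkg-remove"
		fi
	done
}

#######################################
# For every moved conffile whose old copy is still unmodified (md5sum equals
# the one recorded by dpkg), rename the old copy to FILE.dpkg-remove.
# Modified copies are left in place.
# Globals:   MOVED_CONFFILES (read), CONFFILE (written)
#######################################
prepare_mv_conffile()
{
	for CONFFILE in $MOVED_CONFFILES ; do
		# keep only the source half of "source:destination"
		CONFFILE=${CONFFILE%%:*}
		[ -e "$CONFFILE" ] || continue

		local md5sum="$(md5sum "$CONFFILE" | sed -e 's/ .*//')"
		local old_md5sum="$(dpkg-query -W -f='${Conffiles}' apache2.2-common apache2 | \
			sed -n -e "\' $CONFFILE ' { s/ obsolete$//; s/.* //; p }")"
		if [ "$md5sum" = "$old_md5sum" ]; then
			mv -f "$CONFFILE" "$CONFFILE.dpkg-remove"
		fi
	done
}

case "$1" in
	install|upgrade)
		# black magic follows below. we're upgrading from Squeeze if
		# 1) an apache2-mpm package exists
		if [ -d "/etc/apache2/" ] ; then
			# names of apache2-mpm-* packages in state "install ok ..."
			mpm=$(dpkg-query -f '${Package}\t${Status}\n' -W 'apache2-mpm-*' 2>/dev/null | grep "install ok" | cut -f1)
			if [ -n "$mpm" ] ; then
				# only create the marker once; an existing file is kept as is
				if [ ! -f /etc/apache2/.apache2_mpm_selected ] ; then
					{
						echo "# automatically created during upgrade"
						echo "# it can be safely removed anytime"
						echo "$mpm"
					} >> /etc/apache2/.apache2_mpm_selected
				fi
			fi
			# old version in [2.4.1-1, 2.4.7-1~): itk was not a separate
			# apache2-mpm-* package, so ask the running configuration
			if [ -n "$2" ] && dpkg --compare-versions "$2" 'lt' '2.4.7-1~' && dpkg --compare-versions "$2" 'ge' '2.4.1-1' ; then
				CUR_MPM=$(a2query -M) || exit 1
				if [ "$CUR_MPM" == "itk" ] ; then
					echo "apache2-mpm-itk" >> /etc/apache2/.apache2_mpm_selected
				fi
			fi
		fi

		# 2) an apache2.2-common conffiles exists or the 2.2 apache2 package is
		# installed
		if [ -n "$2" ] || obsolete_conffile_exists ; then
			prepare_rm_conffile
			prepare_mv_conffile
		fi
	;;

	abort-upgrade)
	;;

	*)
		echo "preinst called with unknown argument \`$1'" >&2
		exit 1
	;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

exit 0

# vim: syntax=sh ts=4 sw=4 sts=4 sr noet debian/a2enmod0000755000000000000000000003202513376761111010451 0ustar #!/usr/bin/perl -w # # a2enmod by Stefan Fritsch # Licensed under Apache License 2.0 # # The coding style is "perltidy -pbp" use strict; use Cwd 'realpath'; use File::Spec; use File::Basename; use File::Path; use Getopt::Long; my $quiet; my $force; my $maintmode; my $purge; Getopt::Long::Configure('bundling'); GetOptions( 'quiet|q' => \$quiet, 'force|f' => \$force, 'maintmode|m' => \$maintmode, 'purge|p' => \$purge ) or exit 2; my $basename = basename($0); $basename =~ /^a2(en|dis)(mod|site|conf)((?:-.+)?)$/ or die "$basename call name unknown\n"; my $act = $1; my $obj = $2; my $dir_suffix = $3; my $env_file = $ENV{APACHE_ENVVARS} || ( $ENV{APACHE_CONFDIR} ? 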
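"$ENV{APACHE_CONFDIR}/envvars" : "/etc/apache2$dir_suffix/envvars" );
# (the line above completes the `my $env_file = ...` expression that starts
# on the preceding line of the page)

$ENV{LANG} = 'C';
read_env_file($env_file);

# $act becomes 'enable' or 'disable'
$act .= 'able';
my ( $name, $dir, $sffx, $reload );
if ( $obj eq 'mod' ) {
    $obj    = 'module';
    $dir    = 'mods';
    $sffx   = '.load';
    $reload = 'restart';
}
elsif ( $obj eq 'conf' ) {
    $obj    = 'conf';
    $dir    = 'conf';
    $sffx   = '.conf';
    $reload = 'reload';
}
else {
    $dir    = 'sites';
    $sffx   = '.conf';
    $reload = 'reload';
}
$name = ucfirst($obj);

# Directory layout; each location can be overridden through the environment
# (which read_env_file() has just extended from the envvars file).
my $confdir = $ENV{APACHE_CONFDIR} || "/etc/apache2$dir_suffix";
my $availdir = $ENV{ uc("APACHE_${dir}_AVAILABLE") }
    || "$confdir/$dir-available";
my $enabldir = $ENV{ uc("APACHE_${dir}_ENABLED") } || "$confdir/$dir-enabled";
my $statedir = $ENV{ uc("APACHE_STATE_DIRECTORY") } || "/var/lib/apache2";

# state markers are kept per object type
$statedir .= "/$obj";

# enabling picks from the available set, disabling from the enabled set
my $choicedir = $act eq 'enable' ? $availdir : $enabldir;
my $linkdir = File::Spec->abs2rel( $availdir, $enabldir );

my $request_reload = 0;

my $rc = 0;

# no names on the command line: list the candidates and ask on stdin
if ( !scalar @ARGV ) {
    my @choices = myglob('*');
    print "Your choices are: @choices\n";
    print "Which ${obj}(s) do you want to $act (wildcards ok)?\n";
    my $input = <>;
    @ARGV = split /\s+/, $input;
}

# expand every argument (suffix stripped, wildcards allowed) into names
my @objs;
foreach my $arg (@ARGV) {
    $arg =~ s/${sffx}$//;
    my @glob = myglob($arg);
    if ( !@glob ) {
        error("No $obj found matching $arg!\n");
        $rc = 1;
    }
    else {
        push @objs, @glob;
    }
}

foreach my $acton (@objs) {
    doit($acton) or $rc = 1;
}

info(
    "To activate the new configuration, you need to run:\n service apache2 $reload\n"
) if $request_reload;

exit($rc);

##############################################################################

# Expand a (possibly wildcard) name inside $choicedir and return the matching
# names with the directory prefix and the $sffx suffix removed.
sub myglob {
    my $arg = shift;

    my @glob = map {
        s{^$choicedir/}{};
        s{$sffx$}{};
        $_
    } glob("$choicedir/$arg$sffx");

    return @glob;
}

# Enable or disable (according to $act) the single object $acton.
# Returns 1 on success or when nothing had to be done, 0 on error.
sub doit {
    my $acton = shift;

    my ( $conftgt, $conflink );
    if ( $obj eq 'module' ) {
        if ( $acton eq 'cgi' && threaded() ) {
            print
                "Your MPM seems to be threaded. Selecting cgid instead of cgi.\n";
            $acton = 'cgid';
        }

        # a module may ship a .conf file next to its .load file
        $conftgt = "$availdir/$acton.conf";
        if ( -e $conftgt ) {
            $conflink = "$enabldir/$acton.conf";
        }
    }

    my $tgt  = "$availdir/$acton$sffx";
    my $link = "$enabldir/$acton$sffx";

    if ( !-e $tgt ) {
        if ( -l $link && !-e $link ) {
            if ( $act eq 'disable' ) {
                info("removing dangling symlink $link\n");
                unlink($link);

                # force a .conf path. It may exist as dangling link, too
                $conflink = "$enabldir/$acton.conf";

                if ( -l $conflink && !-e $conflink ) {
                    info("removing dangling symlink $conflink\n");
                    unlink($conflink);
                }

                return 1;
            }
            else {
                error("$link is a dangling symlink!\n");
            }
        }

        if ($purge) {
            switch_marker( $obj, $act, $acton );

            # exit silently, we are purging anyway
            return 1;
        }

        error("$name $acton does not exist!\n");
        return 0;
    }

    # handle module dependencies
    if ( $obj eq 'module' ) {
        if ( $act eq 'enable' ) {
            my @depends = get_deps("$availdir/$acton.load");
            do_deps( $acton, @depends ) or return 0;

            my @conflicts = get_deps( "$availdir/$acton.load", "Conflicts" );
            check_conflicts( $acton, @conflicts ) or return 0;
        }
        else {
            # collect enabled modules that declare a dependency on $acton
            my @depending;
            foreach my $d ( glob("$enabldir/*.load") ) {
                my @deps = get_deps($d);
                if ( is_in( $acton, @deps ) ) {
                    $d =~ m,/([^/]+).load$,;
                    push @depending, $1;
                }
            }
            if ( scalar @depending ) {
                if ($force) {
                    do_deps( $acton, @depending ) or return 0;
                }
                else {
                    error(
                        "The following modules depend on $acton ",
                        "and need to be disabled first: @depending\n"
                    );
                    return 0;
                }
            }
        }
    }
    elsif ( $act eq 'enable' ) {
        my @depends = get_deps("$availdir/$acton$sffx");
        warn_deps( $acton, @depends ) or return 0;
    }

    if ( $act eq 'enable' ) {
        my $check = check_link( $tgt, $link );
        if ( $check eq 'ok' ) {
            if ($conflink) {

                # handle .conf file
                my $confcheck = check_link( $conftgt, $conflink );
                if ( $confcheck eq 'ok' ) {
                    info("$name $acton already enabled\n");
                    return 1;
                }
                elsif ( $confcheck eq 'missing' ) {
                    print "Enabling config file $acton.conf.\n";
                    add_link( $conftgt, $conflink ) or return 0;
                }
                else {
                    error(
                        "Config file $acton.conf not properly enabled: $confcheck\n"
                    );
                    return 0;
                }
            }
            else {
                info("$name $acton already enabled\n");
                return 1;
            }
        }
        elsif ( $check eq 'missing' ) {
            if ($conflink) {

                # handle .conf file
                my $confcheck = check_link( $conftgt, $conflink );
                if ( $confcheck eq 'missing' ) {
                    add_link( $conftgt, $conflink ) or return 0;
                }
                elsif ( $confcheck ne 'ok' ) {
                    error(
                        "Config file $acton.conf not properly enabled: $confcheck\n"
                    );
                    return 0;
                }
            }

            print "Enabling $obj $acton.\n";
            if ( $acton eq 'ssl' ) {
                info( "See /usr/share/doc/apache2/README.Debian.gz on "
                        . "how to configure SSL and create self-signed certificates.\n"
                );
            }
            return add_link( $tgt, $link )
                && switch_marker( $obj, $act, $acton );
        }
        else {
            error("$name $acton not properly enabled: $check\n");
            return 0;
        }
    }
    else {
        if ( -e $link || -l $link ) {
            remove_link($link);
            if ( $conflink && -e $conflink ) {
                remove_link($conflink);
            }
            switch_marker( $obj, $act, $acton );
            print "$name $acton disabled.\n";
        }
        elsif ( $conflink && -e $conflink ) {
            print "Disabling stale config file $acton.conf.\n";
            remove_link($conflink);
        }
        else {
            info("$name $acton already disabled\n");
            if ($purge) {
                switch_marker( $obj, $act, $acton );
            }
            return 1;
        }
    }

    return 1;
}

# Read the "# Depends: a b c" header line (or "# <type>: ..." when a second
# argument is given) from $file and return the listed names. Returns an empty
# list when the file cannot be opened or carries no such header.
sub get_deps {
    my $file = shift;
    my $type = shift || "Depends";

    my $fd;
    if ( !open( $fd, '<', $file ) ) {
        error("Can't open $file: $!");
        return;
    }
    my $line;
    while ( defined( $line = <$fd> ) ) {
        chomp $line;
        if ( $line =~ /^# $type:\s+(.*?)\s*$/ ) {
            my $deps = $1;
            return split( /[\n\s]+/, $deps );
        }

        # only check until the first non-empty non-comment line
        last if ( $line !~ /^\s*(?:#.*)?$/ );
    }
    return;
}

# Apply the current action to every listed dependency of $acton through
# doit(); stops and returns 0 at the first failure.
sub do_deps {
    my $acton = shift;
    foreach my $d (@_) {
        info("Considering dependency $d for $acton:\n");
        if ( !doit($d) ) {
            error("Could not $act dependency $d for $acton, aborting\n");
            return 0;
        }
    }
    return 1;
}

# For sites and confs: only verify that each module dependency is enabled,
# never enable it. Returns 0 at the first missing module.
sub warn_deps {
    my $acton = shift;
    my $modsenabldir = $ENV{APACHE_MODS_ENABLED} || "$confdir/mods-enabled";
    foreach my $d (@_) {
        info("Checking dependency $d for $acton:\n");
        if ( !-e "$modsenabldir/$d.load" ) {
            warning(
                "Module $d is not enabled, but $acton depends on it, aborting\n"
            );
            return 0;
        }
    }
    return 1;
}

# Return 0 if any of the listed conflicting modules is currently enabled
# (every conflict is reported first), 1 otherwise.
sub check_conflicts {
    my $acton    = shift;
    my $haderror = 0;
    foreach my $d (@_) {
        info("Considering conflict $d for $acton:\n");

        my $tgt       = "$availdir/$d$sffx";
        my $link      = "$enabldir/$d$sffx";
        my $confcheck = check_link( $tgt, $link );

        if ( $confcheck eq 'ok' ) {
            error(
                "Module $d is enabled - cannot proceed due to conflicts. It needs to be disabled first!\n"
            );

            # Don't return immediately, there could be several conflicts
            $haderror++;
        }
    }

    if ($haderror) {
        return 0;
    }

    return 1;
}

# Create $link as a relative symlink to $tgt and request a reload.
# Dies when the symlink cannot be created.
sub add_link {
    my ( $tgt, $link ) = @_;

    # create relative link
    if ( !symlink( File::Spec->abs2rel( $tgt, dirname($link) ), $link ) ) {
        die("Could not create $link: $!\n");
    }
    $request_reload = 1;
    return 1;
}

# Classify $link: 'ok' when it resolves to $tgt, 'missing' when it does not
# exist (a dangling symlink is removed on the way), otherwise a message
# explaining why the existing entry is left alone.
sub check_link {
    my ( $tgt, $link ) = @_;

    if ( !-e $link ) {
        if ( -l $link ) {

            # points to nowhere
            info("Removing dangling link $link");
            unlink($link) or die "Could not remove $link\n";
        }
        return 'missing';
    }

    if ( -e $link && !-l $link ) {
        return "$link is a real file, not touching it";
    }
    if ( realpath($link) ne realpath($tgt) ) {
        return "$link exists but does not point to $tgt, not touching it";
    }
    return 'ok';
}

# Remove $link if it is a symlink; a regular file is reported and kept.
sub remove_link {
    my ($link) = @_;

    if ( -l $link ) {
        unlink($link) or die "Could not remove $link: $!\n";
    }
    elsif ( -e $link ) {
        error("$link is not a symbolic link, not deleting\n");
        return 0;
    }
    $request_reload = 1;
    return 1;
}

# Return 1 if the active MPM is threaded, 0 if not. Asks `apache2ctl -V`
# first and falls back to the enabled mpm_*.load files when that pipeline
# exits non-zero.
sub threaded {
    my $result = "";

    # Keep the pipeline's own exit status instead of testing $? later: when
    # apache2ctl is not executable nothing is run, and $? would still hold
    # the status of some earlier child process.
    my $status = 0;
    if ( -x '/usr/sbin/apache2ctl' ) {
        $result = qx{/usr/sbin/apache2ctl -V | grep 'threaded'};
        $status = $?;
    }
    if ( $status != 0 ) {

        # config doesn't work
        if (   -e "$enabldir/mpm_prefork.load"
            || -e "$enabldir/mpm_itk.load" )
        {
            return 0;
        }
        elsif (-e "$enabldir/mpm_worker.load"
            || -e "$enabldir/mpm_event.load" )
        {
            return 1;
        }
        else {
            error("Can't determine enabled MPM");

            # do what user requested
            return 0;
        }
    }
    if ( $result =~ / no/ ) {
        return 0;
    }
    elsif ( $result =~ / yes/ ) {
        return 1;
    }
    else {
        die("Can't parse output from apache2ctl -V:\n$result\n");
    }
}

# Informational output on stdout, suppressed by --quiet.
sub info {
    print @_ if !$quiet;
}

# Error output on stderr.
sub error {
    print STDERR 'ERROR: ', @_;
}

# Warning output on stderr.
sub warning {
    print STDERR 'WARNING: ', @_;
}

# True if the first argument equals (string comparison) any later one.
sub is_in {
    my $needle = shift;
    foreach my $e (@_) {
        return 1 if $needle eq $e;
    }
    return 0;
}

# Source $file in a clean-environment `sh` and copy every variable it
# exports into %ENV. Silently does nothing when the file is not readable;
# dies when the shell fails or a line of its output cannot be parsed.
sub read_env_file {
    my $file = shift;

    -r $file or return;

    # List-form pipe open: the path reaches sh as positional parameter $1
    # and is never spliced into the command text, so blanks or quote
    # characters in it cannot change the command. The file itself is still
    # executed as shell code and therefore has to be trusted.
    open( my $env_fh, '-|', 'env', '-', 'sh', '-c', '. "$1" && env', 'sh',
        $file )
        or die "Could not read $file\n";
    my @lines = <$env_fh>;
    close($env_fh);    # sets $? to the child's exit status
    if ($?) {
        die "Could not read $file\n";
    }

    foreach my $l (@lines) {
        chomp $l;

        # split at the FIRST '=': a value may itself contain '='
        $l =~ /^([^=]*)=(.*)$/ or die "Could not parse $file\n";
        $ENV{$1} = $2;
    }
}

# Record how $name got into its current state: remove every marker file
# called $name below $statedir and, unless --purge was given, create a fresh
# one in "<statedir>/<what>d_by_<admin|maint>/". Returns 1 on success and 0
# when a marker could not be removed or created.
sub switch_marker {
    die('usage: switch_marker([module|site|conf], [enable|disable], $name)')
        if @_ != 3;
    my $which = shift;
    my $what  = shift;
    my $name  = shift;

    my $mode = "admin";
    $mode = "maint" if $maintmode;

    #print("switch_marker $which $what $name\n");
    # TODO: get rid of the magic string(s)
    my $state_marker_dir = "$statedir/$what" . "d" . "_by_$mode";
    my $state_marker     = "$state_marker_dir/$name";
    if ( !-d $state_marker_dir ) {
        File::Path::mkpath("$state_marker_dir")
            || error(
            "Failed to create marker directory: '$state_marker_dir'\n");
    }

    # Walk the state directory in-process instead of running find(1) through
    # a shell, so $name is compared as a literal file name and is neither
    # interpreted by a shell nor used as a find pattern.
    my @markers;
    if ( -d $statedir ) {
        require File::Find;
        File::Find::find(
            {   no_chdir => 1,
                wanted   => sub {

                    # regular files only; symlinks are skipped
                    push @markers, $File::Find::name
                        if basename($_) eq $name && -f $_ && !-l $_;
                },
            },
            $statedir
        );
    }
    foreach my $marker (@markers) {
        unless ( unlink $marker ) {
            error("Failed to remove old marker '$marker'!\n");
            return 0;
        }
    }

    # purging only removes markers
    return 1 if $purge;

    # create the (empty) marker file without spawning touch(1)
    my $marker_fh;
    if ( !open( $marker_fh, '>>', $state_marker ) ) {
        error("Failed to create marker '$state_marker'!\n");
        return 0;
    }
    close($marker_fh);
    return 1;
}

# vim: syntax=perl sw=4 sts=4 sr et debian/manpages/0000755000000000000000000000000013376761111010767 5ustar debian/manpages/a2dissite.80000644000000000000000000000002413376761111012743 0ustar .so man8/a2ensite.8 debian/manpages/split-logfile.80000644000000000000000000000127013376761111013632 0ustar .TH "SPLIT-LOGFILE" 8 "2009-12-06" "Apache HTTP Server" "split-logfile" .SH NAME split-logfile - Split combined virtual hosts access log into one file per virtual host .SH "SYNOPSIS" .PP \fBsplit-logfile\fR < \fIlogfile\fR .SH "SUMMARY" .PP This script will take a combined Web server access log file and break its contents into separate files. It assumes that the first field of each line is the virtual host identity (put there by "%v"), and that the logfiles should be named that+".log" in the current directory. The combined log file is read from stdin. Records read will be appended to any existing log files. .SH "EXAMPLES" split-logfile < /var/log/apache2/other_vhosts_access.log debian/manpages/suexec-custom.80000644000000000000000000000536213376761111013672 0ustar .TH suexec-custom 8 "April 2008" .\" Copyright 1999-2004 The Apache Software Foundation .\" Copyright 2008 Stefan Fritsch .\" .\" Licensed under the Apache License, Version 2.0 (the "License"); .\" you may not use this file except in compliance with the License. .\" You may obtain a copy of the License at .\" .\" http://www.apache.org/licenses/LICENSE-2.0 .\" .\" Unless required by applicable law or agreed to in writing, software .\" distributed under the License is distributed on an "AS IS" BASIS, .\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. .\" See the License for the specific language governing permissions and .\" limitations under the License. 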
.\"
.SH NAME
suexec \- Switch User For Exec
.SH SYNOPSIS
.B suexec -V
.PP
This is a customized version that can be configured with config files in
/etc/apache2/suexec.
.PP
No other synopsis for usage, because this program is otherwise only used
internally by the Apache HTTP server.
.PP
.SH DESCRIPTION
.B suexec
is the "wrapper" support program for the suexec behaviour for the Apache
HTTP server.
It is run from within the server automatically to switch the user when an
external program has to be run under a different user.
For more information about suexec in general, see the online document
`Apache suexec Support' on the HTTP server project's Web site at
http://httpd.apache.org/docs/suexec.html .
.PP
This version of suexec reads a config file on every execution.
Therefore it is a bit slower than the standard suexec version from the
apache2-suexec package.
.SH CONFIGURATION
If suexec is called by a user with name 'username', it will look into
/etc/apache2/suexec/username for configuration.
If the file does not exist, suexec will abort.
By creating several config files, you can allow several different apache
run users to use suexec.
.PP
The first line in the file is used as the document root (/var/www in the
standard suexec) and the second line in the file is used as the suffix that
is appended to users' home directories (public_html in standard suexec).
.PP
If any of the lines is commented out (with #), suexec will refuse the
corresponding type of request.
It is recommended to comment out the userdir suffix if you don't need it.
.SH SECURITY
Do not set the document root to a path that includes users' home directories
(like /home or /var) or directories where users can mount removable media.
Doing so would create local security issues.
Suexec does not allow the document root to be set to the root directory / .
.SH OPTIONS
.IP -V
Display the list of compile-time settings used when \fBsuexec\fP was built.
No other action is taken.
.PD .SH FILES .BR /etc/apache2/suexec/www-data .SH SEE ALSO .BR apache2(8) , .BR /usr/share/doc/apache2/README.Debian.gz , .BR dpkg-statoverride(8) debian/manpages/a2enmod.80000644000000000000000000000513313376761111012407 0ustar .\" Hey, EMACS: -*- nroff -*- .\" First parameter, NAME, should be all caps .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" other parameters are allowed: see man(7), man(1) .TH A2ENMOD 8 "12 October 2006" .\" Please adjust this date whenever revising the manpage. .\" .\" Some roff macros, for reference: .\" .nh disable hyphenation .\" .hy enable hyphenation .\" .ad l left justify .\" .ad b justify to both left and right margins .\" .nf disable filling .\" .fi enable filling .\" .br insert line break .\" .sp insert n+1 empty lines .\" for manpage-specific macros, see man(7) .SH NAME a2enmod, a2dismod \- enable or disable an apache2 module .SH SYNOPSIS .B a2enmod [ [\-q|\-\-quiet] .IR module ] .PP .B a2dismod [ [\-q|\-\-quiet] .IR module ] .SH DESCRIPTION This manual page documents briefly the .B a2enmod and .B a2dismod commands. .PP .B a2enmod is a script that enables the specified module within the .B apache2 configuration. It does this by creating symlinks within .BR /etc/apache2/mods-enabled . Likewise, .B a2dismod disables a module by removing those symlinks. It is not an error to enable a module which is already enabled, or to disable one which is already disabled. .PP Note that many modules have, in addition to a .load file, an associated .conf file. Enabling the module puts the configuration directives in the .conf file as directives into the main server context of .B apache2. .SH OPTIONS .TP .B \-q, \-\-quiet Don't show informative messages. .TP .B \-m, \-\-maintmode Enables the maintainer mode, that is the program invocation is effectuated automatically by a maintainer script. This switch should not be used by end users. 
.B \-p, \-\-purge When disabling a module, purge all traces of the module in the internal state data base. .SH "EXIT STATUS" .B a2enmod and .B a2dismod exit with status 0 if all .IR module s are processed successfully, 1 if errors occur, 2 if an invalid option was used. .SH EXAMPLES .RS .B "a2enmod imagemap" .br .B "a2dismod mime_magic" .RE .PP Enables the .B mod_imagemap module, and disables the .B mod_mime_magic module. .SH FILES .TP .B /etc/apache2/mods-available Directory with files giving information on available modules. .TP .B /etc/apache2/mods-enabled Directory with links to the files in .B mods-available for enabled modules. .SH "SEE ALSO" .BR apache2ctl (8), .BR a2enconf (8), .BR a2disconf (8). .SH AUTHOR This manual page was written by Daniel Stone for the Debian GNU/Linux distribution, as it is a Debian-specific script with the package. debian/manpages/apxs2.10000644000000000000000000000002013376761111012076 0ustar .so man1/apxs.1 debian/manpages/checkgid.80000644000000000000000000000260213376761111012621 0ustar .\" Hey, EMACS: -*- nroff -*- .\" First parameter, NAME, should be all caps .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" other parameters are allowed: see man(7), man(1) .TH CHECKGID 8 "November 3rd, 2001" .\" Please adjust this date whenever revising the manpage. .\" .\" Some roff macros, for reference: .\" .nh disable hyphenation .\" .hy enable hyphenation .\" .ad l left justify .\" .ad b justify to both left and right margins .\" .nf disable filling .\" .fi enable filling .\" .br insert line break .\" .sp insert n+1 empty lines .\" for manpage-specific macros, see man(7) .SH NAME checkgid \- checks the gid .SH SYNOPSIS .B checkgid group .SH DESCRIPTION This manual page documents briefly the .B checkgid command. .PP .\" TeX users may be more comfortable with the \fB\fP and .\" \fI\fP escape sequences to invode bold face and italics, .\" respectively. 
\fBcheckgid\fP is a program that checks whether it can setgid to the group specified. This is to see if it is a valid group for apache2 to use at runtime. If the user (should be run as superuser) is in that group, or can setgid to it, it will return 0. .SH AUTHOR This manual page was written by Daniel Stone for the Debian GNU/Linux distribution, as the original did not have a manpage. debian/manpages/a2ensite.80000644000000000000000000000511013376761111012567 0ustar .\" Hey, EMACS: -*- nroff -*- .\" First parameter, NAME, should be all caps .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" other parameters are allowed: see man(7), man(1) .TH A2ENSITE 8 "8 June 2007" .\" Please adjust this date whenever revising the manpage. .\" .\" Some roff macros, for reference: .\" .nh disable hyphenation .\" .hy enable hyphenation .\" .ad l left justify .\" .ad b justify to both left and right margins .\" .nf disable filling .\" .fi enable filling .\" .br insert line break .\" .sp insert n+1 empty lines .\" for manpage-specific macros, see man(7) .SH NAME a2ensite, a2dissite \- enable or disable an apache2 site / virtual host .SH SYNOPSIS .B a2ensite [ [\-q|\-\-quiet] .IR site ] .PP .B a2dissite [ [\-q|\-\-quiet] .IR site ] .SH DESCRIPTION This manual page documents briefly the .B a2ensite and .B a2dissite commands. .PP .B a2ensite is a script that enables the specified site (which contains a block) within the .B apache2 configuration. It does this by creating symlinks within .BR /etc/apache2/sites-enabled . Likewise, .B a2dissite disables a site by removing those symlinks. It is not an error to enable a site which is already enabled, or to disable one which is already disabled. .PP Apache treats the very first virtual host enabled specially as every request not matching any actual directive is being redirected there. Thus it should be called .B 000-default in order to sort before the remaining hosts to be loaded first. 
.SH OPTIONS .TP .B \-q, \-\-quiet Don't show informative messages. .TP .B \-m, \-\-maintmode Enables the maintainer mode, that is the program invocation is effectuated automatically by a maintainer script. This switch should not be used by end users. .B \-p, \-\-purge When disabling a module, purge all traces of the module in the internal state data base. .SH "EXIT STATUS" .B a2ensite and .B a2dissite exit with status 0 if all .IR site s are processed successfully, 1 if errors occur, 2 if an invalid option was used. .SH EXAMPLES .RS .B "a2dissite 000-default" .RE .PP Disables the .B default site. .SH FILES .TP .B /etc/apache2/sites-available Directory with files giving information on available sites. .TP .B /etc/apache2/sites-enabled Directory with links to the files in .B sites-available for enabled sites. .SH "SEE ALSO" .BR apache2ctl (8). .SH AUTHOR This manual page was written by Stefan Fritsch (based on the a2enmod manual page by Daniel Stone ) for the Debian GNU/Linux distribution. debian/manpages/apachectl.80000644000000000000000000000002613376761111013002 0ustar .so man8/apache2ctl.8 debian/manpages/apache2ctl.80000644000000000000000000001453513376761111013076 0ustar .TH apache2ctl 8 "April 2008" .\" The Apache Software License, Version 1.1 .\" .\" Copyright (c) 2000-2002 The Apache Software Foundation. All rights .\" reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in .\" the documentation and/or other materials provided with the .\" distribution. .\" .\" 3. 
The end-user documentation included with the redistribution, .\" if any, must include the following acknowledgment: .\" "This product includes software developed by the .\" Apache Software Foundation (http://www.apache.org/)." .\" Alternately, this acknowledgment may appear in the software itself, .\" if and wherever such third-party acknowledgments normally appear. .\" .\" 4. The names "Apache" and "Apache Software Foundation" must .\" not be used to endorse or promote products derived from this .\" software without prior written permission. For written .\" permission, please contact apache@apache.org. .\" .\" 5. Products derived from this software may not be called "Apache", .\" nor may "Apache" appear in their name, without prior written .\" permission of the Apache Software Foundation. .\" .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED .\" WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE .\" DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR .\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, .\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT .\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF .\" USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND .\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, .\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT .\" OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" This software consists of voluntary contributions made by many .\" individuals on behalf of the Apache Software Foundation. For more .\" information on the Apache Software Foundation, please see .\" . .\" .SH NAME apache2ctl \- Apache HTTP server control interface .SH SYNOPSIS When acting in SysV init mode, apache2ctl takes simple, one-word commands, defined below. 
.PP .B apachectl .I command .PP .B apache2ctl .I command .PP When acting in pass-through mode, apache2ctl can take all the arguments available for the httpd binary. .PP .B apachectl .RI [ httpd-argument ] .PP .B apache2ctl .RI [ httpd-argument ] .PP .SH DESCRIPTION .B apache2ctl is a front end to the Apache HyperText Transfer Protocol (HTTP) server. It is designed to help the administrator control the functioning of the Apache .B apache2 daemon. .PP .B NOTE: The default Debian configuration requires the environment variables .BR APACHE_RUN_USER , .BR APACHE_RUN_GROUP , and .B APACHE_PID_FILE to be set in .BR /etc/apache2/envvars . .PP The .B apache2ctl script returns a 0 exit value on success, and >0 if an error occurs. For more details, view the comments in the script. .PP .SH OPTIONS The \fIcommand\fP can be any one or more of the following options: .TP 14 .BI start Start the Apache daemon. Gives an error if it is already running. .TP .BI stop Stops the Apache daemon. .TP .BI restart Restarts the Apache daemon by sending it a SIGHUP. If the daemon is not running, it is started. This command automatically checks the configuration files via .BI configtest before initiating the restart to catch the most obvious errors. However, it is still possible for the daemon to die because of problems with the configuration. .TP .BI fullstatus Displays a full status report from .B mod_status. For this to work, you need to have mod_status enabled on your server and a text-based browser such as \fIlynx\fP available on your system. The URL used to access the status report can be set by setting the .B APACHE_STATUSURL variable in .BR /etc/apache2/envvars . .TP .BI status Displays a brief status report. Similar to the fullstatus option, except that the list of requests currently being served is omitted. .TP .BI graceful Gracefully restarts the Apache daemon by sending it a SIGUSR1. If the daemon is not running, it is started.
This differs from a normal restart in that currently open connections are not aborted. A side effect is that old log files will not be closed immediately. This means that if used in a log rotation script, a substantial delay may be necessary to ensure that the old log files are closed before processing them. This command automatically checks the configuration files via apache2ctl configtest before initiating the restart to catch the most obvious errors. However, it is still possible for the daemon to die because of problems with the configuration. .TP .BI graceful-stop Gracefully stops the Apache httpd daemon. This differs from a normal stop in that currently open connections are not aborted. A side effect is that old log files will not be closed immediately. .TP .BI configtest Run a configuration file syntax test. It parses the configuration files and either reports .B "Syntax Ok" or information about the particular syntax error. This test does not catch all errors. .TP .BI help Displays a short help message. .TP The following option was available in earlier versions but has been removed. .TP .BI startssl To start httpd with SSL support, you should edit your configuration file to include the relevant directives and then use the normal apache2ctl start. .SH ENVIRONMENT The behaviour of .B apache2ctl can be influenced with these environment variables: .BR APACHE_HTTPD , .BR APACHE_LYNX , .BR APACHE_STATUSURL , .BR APACHE_ULIMIT_MAX_FILES , .BR APACHE_RUN_DIR , .BR APACHE_LOCK_DIR , .BR APACHE_RUN_USER , .BR APACHE_ARGUMENTS , .BR APACHE_ENVVARS . See the comments in the script for details. These variables (except .BR APACHE_ENVVARS ) can be set in .BR /etc/apache2/envvars . .SH SEE ALSO .BR apache2(8) , .BR /usr/share/doc/apache2/README.Debian.gz .
debian/manpages/a2dismod.80000644000000000000000000000002313376761111012555 0ustar .so man8/a2enmod.8 debian/manpages/a2disconf.80000644000000000000000000000002413376761111012724 0ustar .so man8/a2enconf.8 debian/manpages/check_forensic.80000644000000000000000000000106313376761111014025 0ustar .TH check_forensic 8 .SH NAME check_forensic \- tool to extract mod_log_forensic output from apache log files .SH SYNOPSIS .B check_forensic .SH "DESCRIPTION" check_forensic is a simple shell script designed to help apache administrators to extract mod_log_forensic output from apache2 log files. It checks the forensic log for requests that did not complete and outputs the request log for each one. .PP .SH AUTHOR This manual page was written by Fabio M. Di Nitto , for the Debian GNU/Linux system (but may be used by others). debian/manpages/apache2.80000644000000000000000000000765613376761111012401 0ustar .TH "APACHE2" 8 "2008-04-05" "Apache HTTP Server" "apache2" .SH NAME apache2 \- Apache Hypertext Transfer Protocol Server .SH "SYNOPSIS" .PP \fBapache2\fR [ -\fBd\fR \fIserverroot\fR ] [ -\fBf\fR \fIconfig\fR ] [ -\fBC\fR \fIdirective\fR ] [ -\fBc\fR \fIdirective\fR ] [ -\fBD\fR \fIparameter\fR ] [ -\fBe\fR \fIlevel\fR ] [ -\fBE\fR \fIfile\fR ] [ \fB-k\fR start|restart|graceful|stop|graceful-stop ] [ -\fBR\fR \fIdirectory\fR ] [ -\fBh\fR ] [ -\fBl\fR ] [ -\fBL\fR ] [ -\fBS\fR ] [ -\fBt\fR ] [ -\fBv\fR ] [ -\fBV\fR ] [ -\fBX\fR ] [ -\fBM\fR ] .SH "SUMMARY" .PP apache2 is the Apache HyperText Transfer Protocol (HTTP) server program\&. It is designed to be run as a standalone daemon process\&. When used like this it will create a pool of child processes or threads to handle requests\&. .PP In general, apache2 should not be invoked directly, but rather should be invoked via /etc/init.d/apache2 or apache2ctl\&. The default Debian configuration requires environment variables that are defined in /etc/apache2/envvars and are not available if apache2 is started directly.
However, apache2ctl can be used to pass arbitrary arguments to apache2. .SH "DOCUMENTATION" .PP The full documentation is available in the apache2-doc package or at http://httpd.apache.org/docs/2.2/ . Information about Debian specific changes and configuration can be found in /usr/share/doc/apache2/README.Debian.gz . .SH "OPTIONS" .TP -d \fIserverroot\fR Set the initial value for the ServerRoot directive to \fIserverroot\fR\&. This can be overridden by the ServerRoot directive in the configuration file\&. .TP -f \fIconfig\fR Uses the directives in the file \fIconfig\fR on startup\&. If \fIconfig\fR does not begin with a /, then it is taken to be a path relative to the ServerRoot\&. The default is /etc/apache2/apache2\&.conf\&. .TP -k start|restart|graceful|stop|graceful-stop Signals apache2 to start, restart, or stop\&. See Stopping Apache for more information\&. .TP -C \fIdirective\fR Process the configuration \fIdirective\fR before reading config files\&. .TP -c \fIdirective\fR Process the configuration \fIdirective\fR after reading config files\&. .TP -D \fIparameter\fR Sets a configuration \fIparameter \fRwhich can be used with sections in the configuration files to conditionally skip or process commands at server startup and restart\&. .TP -e \fIlevel\fR Sets the LogLevel to \fIlevel\fR during server startup\&. This is useful for temporarily increasing the verbosity of the error messages to find problems during startup\&. .TP -E \fIfile\fR Send error messages during server startup to \fIfile\fR\&. .TP -R \fIdirectory\fR When the server is compiled using the SHARED_CORE rule, this specifies the \fIdirectory\fR for the shared object files\&. .TP -h Output a short summary of available command line options\&. .TP -l Output a list of modules compiled into the server\&. This will \fBnot\fR list dynamically loaded modules included using the LoadModule directive\&. 
.TP -L Output a list of directives together with expected arguments and places where the directive is valid\&. .TP -M Dump a list of loaded Static and Shared Modules\&. .TP -S Show the settings as parsed from the config file (currently only shows the virtualhost settings)\&. .TP -t Run syntax tests for configuration files only\&. The program immediately exits after these syntax parsing tests with either a return code of 0 (Syntax OK) or return code not equal to 0 (Syntax Error)\&. If -D \fIDUMP\fR_\fIVHOSTS \fRis also set, details of the virtual host configuration will be printed\&. If -D \fIDUMP\fR_\fIMODULES \fR is set, all loaded modules will be printed\&. .TP -v Print the version of apache2, and then exit\&. .TP -V Print the version and build parameters of apache2, and then exit\&. .TP -X Run apache2 in debug mode\&. Only one worker will be started and the server will not detach from the console\&. .SH SEE ALSO .BR apache2ctl (8), .BR /usr/share/doc/apache2/README.Debian.gz debian/manpages/a2enconf.80000644000000000000000000000551713376761111012563 0ustar .\" Hey, EMACS: -*- nroff -*- .\" First parameter, NAME, should be all caps .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" other parameters are allowed: see man(7), man(1) .TH A2ENCONF 8 "14 February 2012" .\" Please adjust this date whenever revising the manpage. .\" .\" Some roff macros, for reference: .\" .nh disable hyphenation .\" .hy enable hyphenation .\" .ad l left justify .\" .ad b justify to both left and right margins .\" .nf disable filling .\" .fi enable filling .\" .br insert line break .\" .sp insert n+1 empty lines .\" for manpage-specific macros, see man(7) .SH NAME a2enconf, a2disconf \- enable or disable an apache2 configuration file .SH SYNOPSIS .B a2enconf [ [\-q|\-\-quiet] .IR configuration ] .PP .B a2disconf [ [\-q|\-\-quiet] .IR configuration ] .SH DESCRIPTION This manual page documents briefly the .B a2enconf and .B a2disconf commands. 
.PP .B a2enconf is a script that enables the specified configuration file within the .B apache2 configuration. It does this by creating symlinks within .BR /etc/apache2/conf-enabled . Likewise, .B a2disconf disables a specific configuration part by removing those symlinks. It is not an error to enable a configuration which is already enabled, or to disable one which is already disabled. .PP Note that many configuration files may depend on specific modules. Unlike module dependencies, these are not resolved automatically. Configuration fragments stored in the conf-available directory are considered non-essential or being installed and managed by reverse dependencies (e.g. web scripts). .SH OPTIONS .TP .B \-q, \-\-quiet Don't show informative messages. .TP .B \-m, \-\-maintmode Enables the maintainer mode, that is the program invocation is effectuated automatically by a maintainer script. This switch should not be used by end users. .TP .B \-p, \-\-purge When disabling a module, purge all traces of the module in the internal state data base. .SH "EXIT STATUS" .B a2enconf and .B a2disconf exit with status 0 if all .IR configuration s are processed successfully, 1 if errors occur, 2 if an invalid option was used. .SH EXAMPLES .RS .B "a2enconf security" .br .B "a2disconf charset" .RE .PP Enables Apache security directives stored in the .B security configuration files, and disables the .B charset configuration. .SH FILES .TP .B /etc/apache2/conf-available Directory with files giving information on available configuration files. .TP .B /etc/apache2/conf-enabled Directory with links to the files in .B conf-available for enabled configuration files. .SH "SEE ALSO" .BR apache2ctl (8), .BR a2enmod (8), .BR a2dismod (8). .SH AUTHOR This manual page was written by Arno Toell for the Debian GNU/Linux distribution, as it is a Debian-specific script with the package.
debian/apache2-dev.manpages0000644000000000000000000000013213376761111012764 0ustar debian/tmp/usr/share/man/man1/apxs.1 debian/manpages/apxs2.1 debian/manpages/dh_apache2.1 debian/source/0000755000000000000000000000000013376761111010474 5ustar debian/source/include-binaries0000644000000000000000000000115113376761111013632 0ustar debian/icons/odf6ott-20x22.png debian/icons/odf6otf-20x22.png debian/icons/odf6odc-20x22.png debian/icons/odf6odb-20x22.png debian/icons/odf6odg-20x22.png debian/icons/odf6odt-20x22.png debian/icons/odf6otc-20x22.png debian/icons/odf6odm-20x22.png debian/icons/odf6odf-20x22.png debian/icons/odf6odi-20x22.png debian/icons/odf6ots-20x22.png debian/icons/odf6otg-20x22.png debian/icons/odf6oti-20x22.png debian/icons/odf6ods-20x22.png debian/icons/odf6odp-20x22.png debian/icons/odf6otp-20x22.png debian/icons/odf6oth-20x22.png debian/icons/openlogo-75.png debian/icons/ubuntu-logo.png debian/upstream-signing-key.pgp debian/source/format0000644000000000000000000000001413376761111011702 0ustar 3.0 (quilt) debian/suexec-config-dir/0000755000000000000000000000000013376761111012507 5ustar debian/suexec-config-dir/www-data0000644000000000000000000000056013376761111014166 0ustar /var/www public_html/cgi-bin # The first two lines contain the suexec document root and the suexec userdir # suffix. If one of them is disabled by prepending a # character, suexec will # refuse the corresponding type of request. # This config file is only used by the apache2-suexec-custom package. See the # suexec man page included in the package for more details. 
debian/apache2.logrotate0000644000000000000000000000066213376761111012425 0ustar /var/log/apache2/*.log { weekly missingok rotate 52 compress delaycompress notifempty create 640 root adm sharedscripts postrotate if /etc/init.d/apache2 status > /dev/null ; then \ /etc/init.d/apache2 reload > /dev/null; \ fi; endscript prerotate if [ -d /etc/logrotate.d/httpd-prerotate ]; then \ run-parts /etc/logrotate.d/httpd-prerotate; \ fi; \ endscript } debian/libapache2-mod-proxy-html.postinst0000644000000000000000000000262113376761111015672 0ustar #! /bin/bash # postinst script for libapache2-mod-proxy-html # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-deconfigure' `in-favour' # `removing' # # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in configure) if [ -n "$2" ] && dpkg --compare-versions "$2" lt "1:2.4.4-2" ; then if [ -d /usr/share/doc/libapache2-mod-proxy-html ] ; then RET=0 rmdir /usr/share/doc/libapache2-mod-proxy-html > /dev/null 2>&1|| RET=$? if [ $RET = 0 ] ; then ln -s /usr/share/doc/apache2-bin /usr/share/doc/libapache2-mod-proxy-html fi fi fi ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. 
#DEBHELPER# exit 0 debian/apache2.README.Debian0000644000000000000000000003556413376761111012554 0ustar Contents ======== Apache2 Configuration under Debian GNU/Linux Files and Directories in '/etc/apache2' Tools Using mod_cache_disk SSL Enabling SSL Creating self-signed certificates SSL workaround for MSIE Suexec Documentation Upgrades Common Problems For Developers Apache2 Configuration under Debian GNU/Linux ============================================ Debian's default Apache2 installation attempts to make adding and removing modules, virtual hosts, and extra configuration directives as flexible as possible, in order to make automating the changes and administering the server as easy as possible. Please be aware that this layout is quite different from the standard Apache configuration. Due to the use of environment variables, apache2 needs to be started/stopped with '/etc/init.d/apache2', apachectl, or apache2ctl. Calling '/usr/bin/apache2' directly will not work with the default configuration. To call apache2 with specific command line arguments, just call apache2ctl with the same arguments. Files and Directories in '/etc/apache2': --------------------------------------- apache2.conf This is the main configuration file. It does not include any actual configuration we expect to be adapted on your site, so where possible please do not touch it. This file is the foundation stone of the Apache configuration in Debian and should be up to date after upgrades to make sure all configuration pieces are properly included. If you want to extend the global configuration, you can customize the Apache web server by including configuration files through the conf-available mechanism. To change listening ports and socket configuration use ports.conf (see below). ports.conf Configuration directives for which ports and IP addresses to listen to. magic Patterns for mod_mime_magic. This is not compatible with the format used by current versions of the file/libmagic packages. 
envvars This contains environment variables that may be used in the configuration. Some settings, like user and pid file, need to go in here so that other scripts can use them. It can also be used to change some default settings used by apache2ctl, including the ulimit value for the maximum number of open files. The default LANG=C setting is also here, and can be changed to a different language. conf-available/ Files in this directory are included in the global server scope by this line in apache2.conf: # Include generic snippets of statements IncludeOptional conf-enabled/*.conf This is a good place to add additional configuration directives. All configuration snippets need a '.conf' suffix to be included as actual configuration. The local administrator should use file names starting with 'local-' to avoid name clashes with files installed by packages. Configuration snippets can be enabled and disabled by using the a2enconf and a2disconf executables. This works similarly to the approach used for modules and sites below. Configuration snippets can of course also be included in individual virtual hosts. conf-enabled/ Like mods-enabled/ and sites-enabled/, a piece of configuration is enabled by symlinking a file from conf-available/ into this directory. The a2enconf helper is provided to assist this task. mods-available/ This directory contains a series of .load and .conf files. The .load files contain the Apache configuration directive necessary to load the module in question. The corresponding .conf files contain configuration directives necessary to utilize the module in question. mods-enabled/ To actually enable a module for Apache2, it is necessary to create a symlink in this directory to the .load (and .conf, if it exists) files associated with the module in mods-available/. For example: cgi.load -> /etc/apache2/mods-available/cgi.load The a2enmod helper can be used to enable a module. 
sites-available/ Like mods-available/, except that it contains configuration directives for different virtual hosts that might be used with apache2. Note that the hostname doesn't have to correspond exactly with the filename. '000-default.conf' is the default host which is provided by Debian. sites-enabled/ Similar in functionality to mods-enabled/, sites-enabled contains symlinks to sites in sites-available/ that the administrator wishes to enable. Apache uses the first VirtualHost that matches the IP/Port as default for named virtual hosts. Therefore the 'default' site should be called '000-default' to make sure it sorts before other sites. Example: dedasys.conf -> /etc/apache2/sites-available/dedasys.conf The a2ensite helper can be used to enable a site. The Include directives ignore files with names that do not end with a .conf suffix. This behavior has changed from previous releases! In some cases you may want to enable a specific piece of configuration (think of files shipped in conf-available/) for a particular virtual host only and not globally as is our default. In such cases you can disable the configuration at a global scope for example by doing a2disconf some-configuration Then it can be included in a particular virtual host within a file in sites-enabled/. You may want to add Include conf-available/some-configuration.conf in that site configuration. However, be careful, as this may not work for some configurations, depending on the context and implications of some directives. Tools ----- a2enmod and a2dismod are available for enabling and disabling modules utilizing the above configuration system. a2ensite and a2dissite do essentially the same thing as the above tools, but for sites rather than modules. Finally a2enconf and a2disconf are the corresponding tools for configuration snippets. a2query is a helper script providing runtime information about the running server instance. 
For example it can be used to query enabled modules, the selected MPM, and other information. This tool is primarily meant for package maintainers who need to interact with the Apache packages to activate their configurations upon package installation, but it can be used by users as well. apxs2 -a/-A is modified to use a2enmod to activate newly installed modules. Using mod_cache_disk ==================== To ensure that the disk cache does not grow indefinitely, htcacheclean is started when mod_cache_disk is enabled. Both daemon and cron (daily) mode are supported. The configuration (run mode, cache size, etc.) is in '/etc/default/apache2'. Normally, htcacheclean is automatically started and stopped by '/etc/init.d/apache2'. However, if you change the state of mod_cache_disk or the configuration of htcacheclean while apache2 is running, you may need to manually start/stop htcacheclean with "/etc/init.d/apache2 start-htcacheclean" or "/etc/init.d/apache2 stop-htcacheclean". Note that mod_cache_disk was named mod_disk_cache in versions 2.2 and earlier. SSL === Enabling SSL ------------ To enable SSL, type (as user root): a2ensite default-ssl a2enmod ssl If you want to use self-signed certificates, you should install the ssl-cert package (see below). Otherwise, just adjust the SSLCertificateKeyFile and SSLCertificateFile directives in '/etc/apache2/sites-available/default-ssl.conf' to point to your SSL certificate. Then restart apache: service apache2 restart The SSL key file should only be readable by root; the certificate file may be globally readable. These files are read by the Apache parent process which runs as root, and it is therefore not necessary to make the files readable by the www-data user. Creating self-signed certificates --------------------------------- If you install the ssl-cert package, a self-signed certificate will be automatically created using the hostname currently configured on your computer. You can recreate that certificate (e.g. 
after you have changed '/etc/hosts' or DNS to give the correct hostname) as user root with: make-ssl-cert generate-default-snakeoil --force-overwrite To create more certificates with different host names, you can use make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt This will ask you for the hostname and place both SSL key and certificate in the file '/path/to/cert-file.crt'. Use this file with the SSLCertificateFile directive in the Apache config (you don't need the SSLCertificateKeyFile in this case as it also contains the key). The file '/path/to/cert-file.crt' should only be readable by root. A good directory to use for the additional certificates/keys is '/etc/ssl/private'. SSL workaround for MSIE ----------------------- The SSL workaround for MS Internet Explorer needs to be added to your SSL VirtualHost section (it was previously in ssl.conf but caused keepalive to be disabled even for non-SSL connections): BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown The default SSL virtual host in '/etc/apache2/sites-available/default-ssl.conf' already contains this workaround. Suexec ====== Debian ships two versions of the suexec helper program required by mod_suexec. It is not installed by default, to avoid possible security issues. The package apache2-suexec-pristine contains the standard version that works only with document root /var/www, userdir suffix public_html, and Apache run user www-data. The package apache2-suexec-custom contains a customizable version that can be configured with a config file to use different settings (like /srv/www as document root). For more information see the suexec(8) man page in the apache2-suexec-custom package. Since apache2-suexec-custom has received less testing and might be slightly slower, apache2-suexec is the recommended version unless you need the features from apache2-suexec-custom.
Starting with Apache 2.4 both alternatives can be installed at the same time and the default suexec mechanism can be picked by using the update-alternatives(8) system. Unicode File Name Normalization =============================== Using Apache with the document root on a file system that does unicode normalization on the filenames can cause security issues. In Debian, this affects ZFS with the non-default option to enable filename normalization, and HFS+. It is strongly recommended not to use Apache with such file systems. More information about this issue can be found by searching the web for CVE-2013-0966. Documentation ============= The full Apache 2 documentation can be found on the web at http://httpd.apache.org/docs/2.4/ or, if you have installed the apache2-doc package, in /usr/share/doc/apache2-doc/manual/ or at http://localhost/manual/ There is also a wiki that contains useful information: http://wiki.apache.org/httpd/ Some hints about securing Apache 2 on Debian are available at http://wiki.debian.org/Apache/Hardening Upgrades ======== Changes in the Apache packages that require manual configuration adjustments are announced in NEWS.Debian. Installing the apt-listchanges package is recommended. It will display the relevant NEWS.Debian sections before upgrades. Multiple instances ================== There is some support for running multiple instances of Apache2 on the same machine. See '/usr/share/doc/apache2/README.multiple-instances' for more information. Common Problems =============== 1) Error message "Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName" during start This can usually be ignored but it means that Apache httpd was unable to obtain a fully-qualified hostname by doing a reverse lookup on your server's IP address. You may want to add the fully-qualified hostname to '/etc/hosts'. An alternative is to specify "ServerName 127.0.0.1" in the global server context of the configuration, e.g. 
in '/etc/apache2/conf-enabled/local-servername.conf'. 2) Error message "mod_rewrite: could not create rewrite_log_lock" This probably means that there are some stale SYSV semaphores around. This usually happens after apache2 has been killed with kill -9 (SIGKILL). You can clean up the semaphores with: ipcs -s | grep www-data | awk ' { print $2 } ' | xargs ipcrm sem 3) Message "File does not exist: /etc/apache2/htdocs" in error log In most cases this means that no matching VirtualHost definition could be found for an incoming request. Check that the target IP address/port and the name in the Host: header of the request actually match one of the virtual hosts. 4) Message "Couldn't create pollset in child; check user or system limits" in error log On Linux kernels since 2.6.27.8, the value in /proc/sys/fs/epoll/max_user_instances needs to be larger than for prefork/itk MPM: 2 * MaxClients for worker/event MPM: MaxClients + MaxClients/ThreadsPerChild It can be set on boot by adding a line like fs.epoll.max_user_instances=1024 to '/etc/sysctl.conf'. There are several other error messages related to creating a pollset that can appear for the same reason. On the other hand, errors about adding to a pollset are related to the setting fs.epoll.max_user_watches. On most systems, max_user_watches should be high enough by default. 5) Message "Server should be SSL-aware but has no certificate configured" in error log Since 2.2.12, Apache is stricter about certain misconfigurations concerning name based SSL virtual hosts. See NEWS.Debian.gz for more details. 6) Apache does not pass Authorization header to CGI scripts This is intentional to avoid security holes. If you really want to change it, you can use mod_rewrite: RewriteCond %{HTTP:Authorization} (.*) RewriteRule . - [env=HTTP_AUTHORIZATION:%1] 7) mod_dav is behaving strangely In general, if you use mod_dav_fs, you need to disable multiviews and script execution for that directory. 
For example: Dav on Options -MultiViews -ExecCGI SetHandler none php_admin_value engine Off 8) Message "apache2: bad user name ${APACHE_RUN_USER}" when starting apache2 directly Use apache2ctl (it accepts all the same options as apache2). 9) A PUT with mod_dav_fs fails with "Unable to PUT new contents for /... [403, #0]" even if Apache has permission to write the file. Apache also needs write permission to the directory containing the file, in order to replace it atomically. 10) When starting/reloading Apache, there is the error message "ulimit: open files: cannot modify limit: Operation not permitted" If you are running Apache in a vserver environment, the start script may not be allowed to set the maximum number of open files. You should adjust APACHE_ULIMIT_MAX_FILES in /etc/apache2/envvars to your setup. You can disable changing the limits by setting APACHE_ULIMIT_MAX_FILES=true . For Developers ============== The Apache 2 web server package provides several helpers that assist packagers in interacting with the web server at both build and installation time. Please refer to the PACKAGING file in the apache2 package for detailed information. debian/README.backtrace0000644000000000000000000000227213376761111011775 0ustar If apache crashes or freezes, it is helpful if you include a backtrace in the bug report. In case of a crash, do the following: 1) Install the packages apache2-dbg libapr1-dbg libaprutil1-dbg gdb. 2) Add "CoreDumpDirectory /var/cache/apache2" to your apache configuration. 3) Execute as root: /etc/init.d/apache2 stop ulimit -c unlimited /etc/init.d/apache2 start 4) Do whatever it takes to reproduce the crash. There should now be the file /var/cache/apache2/core . The core file is a copy of the server process memory and can contain TLS private keys and request data, so treat it as sensitive and post only the backtrace, after checking it for such data. 5) If you use a forking MPM (e.g. mod_prefork), execute: gdb /usr/sbin/apache2 /var/cache/apache2/core (gdb) bt full ... (gdb) quit If you use a threaded MPM (mod_worker, mod_event), execute: gdb /usr/sbin/apache2 /var/cache/apache2/core (gdb) thread apply all bt full ...
(gdb) quit Include the backtrace in the bug report. 6) Undo the change to your configuration, uninstall the debug packages, remove /var/cache/apache2/core In case of a hanging process, you don't need a core dump and you can skip steps 2 and 3. 4) Reproduce the problem. Get the pid of a hanging process. 5) Start gdb with gdb -p pid and continue as described above. It may also be helpful to include the output of strace -p pid debian/apache2.monit0000644000000000000000000000044413376761111011551 0ustar check process apache2 with pidfile /var/run/apache2.pid group www start program = "/etc/init.d/apache2 start" stop program = "/etc/init.d/apache2 stop" if failed host localhost port 80 protocol HTTP request "/" then restart if 5 restarts within 5 cycles then timeout debian/apache2-doc.postrm0000644000000000000000000000047213376761111012513 0ustar #! /bin/sh set -e # This code should use dh_apache2 once it is available as build dependency if [ "$1" = "purge" ] ; then if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then . /usr/share/apache2/apache2-maintscript-helper apache2_invoke disconf apache2-doc || true fi fi #DEBHELPER# exit 0 debian/apache2-suexec.prerm.in0000755000000000000000000000064313376761111013453 0ustar #!/bin/sh # prerm script for apache2-suexec-__TYPE__ set -e case "$1" in remove) update-alternatives --remove suexec /usr/lib/apache2/suexec-__TYPE__ ;; upgrade|deconfigure|failed-upgrade) ;; *) echo "prerm called with unknown argument \`$1'" >&2 exit 1 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/apache2.py0000644000000000000000000000343013376761111011051 0ustar #!/usr/bin/python '''apport hook for apache2 (c) 2010 Adam Sommer. 
Author: Adam Sommer This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. See http://www.gnu.org/copyleft/gpl.html for the full text of the license. ''' from apport.hookutils import * import os SITES_ENABLED_DIR = '/etc/apache2/sites-enabled/' def add_info(report, ui): if os.path.isdir(SITES_ENABLED_DIR): response = ui.yesno("The contents of your " + SITES_ENABLED_DIR + " directory " "may help developers diagnose your bug more " "quickly. However, it may contain sensitive " "information. Do you want to include it in your " "bug report?") if response == None: # user cancelled raise StopIteration elif response == True: # Attache config files in /etc/apache2/sites-enabled and listing of files in /etc/apache2/conf.d for conf_file in os.listdir(SITES_ENABLED_DIR): attach_file_if_exists(report, SITES_ENABLED_DIR + conf_file, conf_file) try: report['Apache2ConfdDirListing'] = str(os.listdir('/etc/apache2/conf.d')) except OSError: report['Apache2ConfdDirListing'] = str(False) # Attach default config files if changed. attach_conffiles(report, 'apache2', conffiles=None) # Attach the error.log file. attach_file(report, '/var/log/apache2/error.log', key='error.log') # Get loaded modules. report['Apache2Modules'] = root_command_output(['/usr/sbin/apachectl', '-D DUMP_MODULES']) debian/apache2-bin.manpages0000644000000000000000000000003213376761111012755 0ustar debian/manpages/apache2.8 debian/clean_config_vars0000755000000000000000000000237413376761111012572 0ustar #! /usr/bin/perl use strict; my %FLAGS = { 'CFLAGS' => $ARGV[0], 'CPPFLAGS' => $ARGV[1], 'LDDFLAGS' => $ARGV[2], }; sub clean_and_deduplicate { my $arg = shift; my $return_flags = ""; my @flags = split(/\s+/, $arg); my %seen = (); my @flags = grep { ! 
$seen{ $_ }++ } @flags; foreach my $flag (@flags) { #print("FLAG: $flag\n"); $return_flags .= "$flag " unless $flag =~ m/PLATFORM/; } return $return_flags; } chdir("debian/tmp/usr/share/apache2/build/") || die("$1"); open(CONFIG_VARS, "<", "config_vars.mk") || die("config_vars.mk: $!"); open(TMP_CONFIG_VARS, ">", "tmp_config_vars.mk") || die("tmp_config_vars.mk: $1"); while(my $line = ) { chomp $line; unless ($line =~ m/(^|_)(LD|CPP|C)FLAGS/) { print TMP_CONFIG_VARS "$line\n"; } else { my ($flag, $value) = split(/\s*=\s*/, $line, 2); if (exists $FLAGS{$flag}) { $value .= ' ' . $FLAGS{$flag}; } my $mangled = clean_and_deduplicate($value); print "mangle: $flag: '$value' => '$mangled'\n"; printf TMP_CONFIG_VARS "%s = %s\n", $flag, $mangled; } } close(CONFIG_VARS); close(TMP_CONFIG_VARS); unlink("config_vars.mk") || die("unlink: config_vars.mk: $1"); rename("tmp_config_vars.mk", "config_vars.mk") || die("rename: tmp_config_vars.mk: $1"); debian/apache2-bin.bug-control0000644000000000000000000000012213376761111013415 0ustar report-with: apache2 apache2-bin apache2-data package-status: apache2 apache2-bin debian/apache2-doc.maintscript0000644000000000000000000000013113376761111013514 0ustar mv_conffile /etc/apache2/conf.d/apache2-doc /etc/apache2/conf-available/apache2-doc.conf debian/apache2-doc.conf0000644000000000000000000000033513376761111012112 0ustar Alias /manual /usr/share/doc/apache2-doc/manual/ Options Indexes FollowSymlinks AllowOverride None Require all granted AddDefaultCharset off debian/apache2.postrm0000644000000000000000000000676613376761111011764 0ustar #!/bin/sh # postrm script for apache2 # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `purge' # * `upgrade' # * `failed-upgrade' # * `abort-install' # * `abort-install' # * `abort-upgrade' # * `disappear' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package 
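# Conffiles that no longer ship with the package. Their '.dpkg-*' copies are
# deleted on purge and moved back when an install or upgrade is aborted.
# The list is whitespace-separated and is expanded unquoted on purpose.
OBSOLETE_CONFFILES="/etc/apache2/mods-available/authz_default.load
    /etc/apache2/mods-available/authn_default.load
    /etc/apache2/mods-available/mem_cache.load
    /etc/apache2/mods-available/mem_cache.conf
    /etc/apache2/mods-available/authn_alias.load
    /etc/apache2/mods-available/cern_meta.load
    /etc/apache2/mods-available/disk_cache.load
    /etc/apache2/mods-available/disk_cache.conf
    /etc/apache2/mods-available/ident.load
    /etc/apache2/mods-available/imagemap.load
    /etc/apache2/mods-available/version.load"

# Renamed conffiles as 'old-path:new-path' pairs; only the old path is used
# in this script.
MOVED_CONFFILES="/etc/bash_completion.d/apache2.2-common:/etc/bash_completion.d/apache2
    /etc/apache2/sites-available/default:/etc/apache2/sites-available/000-default.conf
    /etc/apache2/sites-available/default-ssl:/etc/apache2/sites-available/default-ssl.conf
    /etc/apache2/conf.d/charset:/etc/apache2/conf-available/charset.conf
    /etc/apache2/conf.d/localized-error-pages:/etc/apache2/conf-available/localized-error-pages.conf
    /etc/apache2/conf.d/other-vhosts-access-log:/etc/apache2/conf-available/other-vhosts-access-log.conf
    /etc/apache2/conf.d/security:/etc/apache2/conf-available/security.conf"

# Move the '.dpkg-remove' and '.dpkg-backup' copies of conffile $1, if they
# exist, back to the original path.
restore_conffile_copies() {
    if [ -e "$1.dpkg-remove" ]; then
        echo "Reinstalling $1 that was moved away"
        mv "$1.dpkg-remove" "$1"
    fi
    if [ -e "$1.dpkg-backup" ]; then
        echo "Reinstalling $1 that was backupped"
        mv "$1.dpkg-backup" "$1"
    fi
}

case "$1" in
    purge)
        for CONFFILE in $OBSOLETE_CONFFILES ; do
            rm -f "$CONFFILE.dpkg-bak" "$CONFFILE.dpkg-remove" "$CONFFILE.dpkg-backup"
        done

        # Absolute paths: the list used to omit the leading '/', so this
        # recursive delete acted on whatever directory the script was
        # started from instead of on the system directories.
        for d in /var/cache/apache2 \
            /var/cache/apache2/mod_cache_disk \
            /var/log/apache2 \
            /var/lib/apache2 ; do
            if [ -d "$d" ]; then
                rm -rf -- "$d"
            fi
        done

        # Only symlinks are removed here; regular files placed in the
        # *-enabled directories are kept.
        for f in /etc/apache2/sites-enabled/* \
            /etc/apache2/conf-enabled/* \
            /etc/apache2/mods-enabled/* ; do
            if [ -L "$f" ]; then
                rm -f "$f"
            fi
        done

        # rmdir only succeeds on empty directories; a directory that still
        # holds files is left in place and the error is ignored.
        for d in /etc/apache2/sites-enabled/ \
            /etc/apache2/mods-enabled/ \
            /etc/apache2/conf-enabled/ \
            /etc/apache2 \
            /var/cache/apache2 \
            /var/run/apache2 \
            /var/lock/apache2 ; do
            rmdir "$d" 2> /dev/null || true
        done
        # XXX: index.html is intentionally(?) left behind
    ;;

    abort-install|abort-upgrade)
        for CONFFILE in $OBSOLETE_CONFFILES ; do
            restore_conffile_copies "$CONFFILE"
        done
        for CONFFILE in $MOVED_CONFFILES ; do
            # Keep the part before the first ':' (the old path).
            restore_conffile_copies "${CONFFILE%%:*}"
        done

        # post installation cleanup
        if [ -e /etc/apache2/.apache2_mpm_selected ] ; then
            rm -f /etc/apache2/.apache2_mpm_selected
        fi
    ;;

    remove|upgrade|failed-upgrade|disappear)
    ;;

    *)
        echo "postrm called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.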
#DEBHELPER# exit 0 debian/apache2.manpages0000644000000000000000000000036613376761111012221 0ustar debian/manpages/apache2ctl.8 debian/manpages/apachectl.8 debian/manpages/a2enmod.8 debian/manpages/a2dissite.8 debian/manpages/a2dismod.8 debian/manpages/a2ensite.8 debian/manpages/a2enconf.8 debian/manpages/a2disconf.8 debian/manpages/a2query.8 debian/apache2-utils.install0000644000000000000000000000053213376761111013225 0ustar /usr/bin/ab /usr/bin /usr/sbin/fcgistarter /usr/bin /usr/bin/logresolve /usr/bin /usr/bin/htdbm /usr/bin /usr/bin/htpasswd /usr/bin /usr/bin/htdigest /usr/bin /usr/sbin/rotatelogs /usr/bin /usr/sbin/htcacheclean /usr/bin /usr/sbin/checkgid /usr/bin /usr/bin/httxt2dbm /usr/sbin support/check_forensic /usr/sbin support/split-logfile /usr/sbin debian/apache2-doc.dirs0000644000000000000000000000003213376761111012120 0ustar usr/share/doc/apache2-doc debian/apache2-data.install0000644000000000000000000000031613376761111012776 0ustar /usr/share/apache2/icons/ /usr/share/apache2/error/ debian/icons/*.png /usr/share/apache2/icons /usr/sbin/envvars-std /usr/share/apache2/build debian/index.html /usr/share/apache2/default-site/ debian/a2query.in0000755000000000000000000002317713376761111011131 0ustar #! /usr/bin/perl # a2query - Apache2 helper to retrieve configuration informations # Copyright (C) 2012 Arno Töll # # This program is licensed at your choice under the terms of the GNU General # Public License vserion 2+ or under the terms of the Apache Software License # 2.0. # # For GPL-2+: # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, # USA. # # For ASF 2.0: # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. use feature "switch"; use strict; use Getopt::Std; =head1 NAME a2query - retrieve runtime configuration from a local Apache 2 HTTP server =cut our $APACHE2 = "apache2ctl"; our $API = "__API__"; our $MODULE_DIR = "__MODULE_DIR__"; our $SERVER_VERSION = "__SERVER_VERSION__"; our $MODULE_DIR = "/usr/lib/apache2/modules/"; our $STATE_DIR = "/var/lib/apache2"; our @STATES = ("maint", "admin"); our $MPM = "invalid"; our $CONFIG_DIR = "/etc/apache2"; our $QUIET = 0; # time to introduce more _exit_ values our $E_OK = '0'; our $E_FOUND = '0'; our $E_NOTFOUND = '1'; our $E_OFFBYADMIN = '32'; our $E_OFFBYMAINT = '33'; our @RETVALS = ( $E_OK, $E_FOUND, $E_OFFBYADMIN, $E_NOTFOUND, $E_OFFBYMAINT ); our @MODULES = (); our @CONFS = (); our @SITES =(); our @HELP = (); our %verbose_state = ( 'admin' => 'site administrator', 'maint' => 'maintainer script', 'unknown' => 'unknown' ); =head1 SYNOPSIS B [S<-m> [I]] [S<-s> [I]] [S<-c> [I]] [S<-a>] [S<-v>] [S<-M>] [S<-d>] [S<-h>] =head1 DESCRIPTION B is a program designed to retrieve configuration values from a locally available Apache 2 HTTP web server. 
It was designed to be as robust as possible by returning feasible values even if the Apache 2 syntax validator fails. This program is primarily meant to be used from maintainer scripts. =head1 OPTIONS =over 4 =item S<-a> Returns the Apache 2 "Module Magic Version" (API version) number, the server was compiled with. The returned version does not contain any minor versions which are known to be compatible with the major version returned. =item S<-c> [I] Checks whether the configuration I is enabled. If no argument was given, all enabled configuration files are being returned. I is compared by string comparison by ignoring a leading "mod_" prefix and possibly a '.conf' or '.load' suffix. =item S<-h> Displays a brief summary how the program can be called and exits. =item S<-m> [I] Checks whether the module I is enabled, The argument is interpreted in the same way, as for configuration files queried by the S<-c> switch. =item S<-M> Returns the currently enabled Apache 2 MPM (Multi Processing Module). =item S<-s> [I] Checks whether the module I is enabled, The argument is interpreted in the same way, as for configuration files queried by the S<-c> switch. =item S<-v> returns the currently installed Apache 2 HTTP server version =item S<-q> suppress any output. This is useful to invoke a2query from another script. This is useful if only the return code is of interest. =back =head1 EXIT CODES B returns with a zero (S<0>) exit status if the requested operation was effectuated successfully and with a non-zero status otherwise. In case of an error it leaves with error code S<32> if a requested module, site or configuration was not found and S<33> if a module, site or configuration was disabled by a maintainer script. However, exit status S<1> is returned if the module was not found at all =head1 SEE ALSO L(8), L(8), L(1) =head1 AUTHOR This manual and L was written by Arno Toell . 
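=cut

# Print the arguments to STDOUT unless quiet mode ($QUIET) is set.
sub output
{
	print @_ unless $QUIET;
}

# Print the arguments to STDERR unless quiet mode ($QUIET) is set.
sub warning
{
	print STDERR @_ unless $QUIET;
}

# Report $reason through warning() and terminate with exit status $retval.
#
# Arguments: $reason - message text (a newline is appended)
#            $retval - exit status; optional, defaults to 1
#
# Several callers in this file pass only the reason. The former strict
# two-argument check made those calls die with the usage text instead of
# the intended message, so the status is now optional.
# NOTE(review): the $E_* constants are defined outside this excerpt; confirm
# that a generic status of 1 does not collide with one callers act on.
sub fail
{
	die('usage: fail($reason [, $retval])') if @_ < 1 || @_ > 2;
	my ($reason, $retval) = @_;
	$retval = 1 unless defined $retval;

	warning "$reason\n";
	exit $retval;
}

# Run "$APACHE2 -V" and fill $SERVER_VERSION, $MPM and $API from its output.
# Returns without touching the globals when the command exits non-zero.
sub load_defaults
{
	# NOTE(review): backticks hand this string to the shell. $APACHE2 is
	# set outside this excerpt; confirm it is a fixed path and never taken
	# from the environment or from user input.
	my @out = `$APACHE2 -V 2>/dev/null`;
	return if $?;

	foreach my $line (@out) {
		next unless $line =~ m/(Server version|Server MPM|Magic Number):\s+(.*?)$/;
		my ($pattern, $value) = ($1, $2);

		if ($pattern =~ /version/) {
			# keep only digits and dots of the version string
			$SERVER_VERSION = $value;
			$SERVER_VERSION =~ s/[^\d\.]//g;
		}
		elsif ($pattern =~ /MPM/) {
			$MPM = $value;
		}
		elsif ($pattern =~ /Magic/) {
			# drop the ":<digits>" part of the magic number
			$API = $value;
			$API =~ s/\:\d+//;
		}
	}
}

# Collect the names of all *.load files in $CONFIG_DIR/mods-enabled into
# @MODULES (suffix removed). Fails when a second MPM module is found;
# mpm_itk is not counted as an MPM of its own.
sub load_modules
{
	my $conf_dir = $CONFIG_DIR . "/mods-enabled";

	opendir(my $dh, $conf_dir) || fail("$conf_dir: $!");
	while (defined(my $file = readdir($dh))) {
		next if $file !~ m/\.load$/;
		# anchored, so that only the trailing suffix is removed
		$file =~ s/\.load$//;

		if ($file =~ /mpm_(\w+)/ && $file ne 'mpm_itk') {
			$MPM = $1 if $MPM eq 'invalid';
			# readdir() order is arbitrary: mpm_itk may already be in
			# the list and must not be mistaken for a second MPM.
			if (grep { m/^mpm_/ && $_ ne 'mpm_itk' } @MODULES) {
				fail("There is more than one MPM loaded. Do not proceed due to undefined results");
			}
		}
		push @MODULES, $file;
	}
	closedir($dh);
}

# Collect the names of all *.conf files in $CONFIG_DIR/conf-enabled into
# @CONFS (suffix removed). Does nothing if @CONFS is already populated.
sub load_conf
{
	return if @CONFS;

	my $conf_dir = $CONFIG_DIR . "/conf-enabled";

	opendir(my $dh, $conf_dir) || fail("$conf_dir: $!");
	while (defined(my $file = readdir($dh))) {
		next if $file !~ m/\.conf$/;
		$file =~ s/\.conf$//;
		push @CONFS, $file;
	}
	closedir($dh);
}

# Collect the names of all *.conf files in $CONFIG_DIR/sites-enabled into
# @SITES (suffix removed). Does nothing if @SITES is already populated.
sub load_sites
{
	return if @SITES;

	my $conf_dir = $CONFIG_DIR . "/sites-enabled";

	opendir(my $dh, $conf_dir) || fail("$conf_dir: $!");
	while (defined(my $file = readdir($dh))) {
		next if $file !~ m/\.conf$/;
		$file =~ s/\.conf$//;
		push @SITES, $file;
	}
	closedir($dh);
}

# Look for a state marker "$STATE_DIR/$which/${what}_by_<state>/$name" for
# each entry of @STATES, in order.
#
# Arguments: $which - module, site or conf
#            $what  - enabled or disabled
#            $name  - item name; a trailing ".conf" is removed
# Returns:   the first state whose marker exists, 0 if there is none
#
# $name can originate from the command line; it is used for an existence
# test only.
sub switch_history
{
	die('usage: switch_history([module|site|conf], [enabled|disabled], $name)') if @_ != 3;
	my ($which, $what, $name) = @_;

	$name =~ s/\.conf$//;

	foreach my $state (@STATES) {
		my $state_token = "$STATE_DIR/$which/${what}_by_$state/$name";
		return $state if -e $state_token;
	}

	return 0;
}

# Print every entry of @$listref that equals $pattern (every entry if
# $pattern is empty), together with who enabled it. If nothing matches,
# exit through fail() with $E_NOTFOUND, or with $E_OFFBYMAINT /
# $E_OFFBYADMIN when a "disabled" marker of state 'maint' / 'admin' exists.
#
# Arguments: $type    - module, site or conf (passed on to switch_history)
#            $pattern - name to look for
#            $listref - reference to the list of enabled names
sub query_state
{
	my ($type, $pattern, $listref) = @_;

	# NOTE(review): this strips a leading "mod", not "mod_" - confirm
	# that this is the intended prefix.
	$pattern =~ s/^mod//;
	# anchored, so that only a trailing file extension is removed
	$pattern =~ s/\.(conf|load)$//;

	my @candidates = $pattern
		? grep { $_ eq $pattern } @{ $listref }
		: @{ $listref };

	my $matches = 0;
	foreach my $module (@candidates) {
		my $state = switch_history($type, "enabled", $module) || "unknown";
		output("$module (enabled by $verbose_state{$state})\n");
		$matches++;
	}

	return if $matches;

	my $reason = "No $type matches $pattern";
	my $retval = $E_NOTFOUND;
	my $state = switch_history($type, "disabled", $pattern);
	if ($state) {
		$reason .= " (disabled by $verbose_state{$state})";
		$retval = $E_OFFBYMAINT if $state eq 'maint';
		$retval = $E_OFFBYADMIN if $state eq 'admin';
	}
	fail($reason, $retval);
}

# Main program. The defaults and the module list are loaded before the
# options are parsed, so -q does not silence failures of these two calls.
load_defaults();
load_modules();

my %opts;
# $help stays 1 (print usage) unless at least one option is handled below
my $help = 1;
getopts('m:s:c:havMdq', \%opts);
#foreach my $key (keys %opts) { print("$key=$opts{$key}\n");}

# -q is handled first so that it applies to all options that follow
push @HELP, ["q", "suppress any output. Useful for invocation from scripts"];
if (exists $opts{'q'}) {
	--$help;
	$QUIET=1;
}

push @HELP, ["m [MODULE]", "checks whether the module MODULE is enabled, lists all enabled modules if no argument was given"];
if (exists $opts{'m'}) {
	--$help;
	query_state('module', $opts{'m'}, \@MODULES);
}

push @HELP, ["s [SITE]", "checks whether the site SITE is enabled, lists all sites if no argument was given"];
if (exists $opts{'s'}) {
	--$help;
	load_sites();
	query_state('site', $opts{'s'}, \@SITES);
}

push @HELP, ["c [CONF]", "checks whether the configuration CONF is enabled, lists all configurations if no argument was given"];
if (exists $opts{'c'}) {
	--$help;
	load_conf();
	query_state('conf', $opts{'c'}, \@CONFS);
}

push @HELP, ["a", "returns the current Apache 2 module magic version"];
if (exists $opts{'a'}) {
	--$help;
	output("$API\n");
}

push @HELP, ["v", "returns the current Apache 2 version"];
if (exists $opts{'v'}) {
	--$help;
	output("$SERVER_VERSION\n");
}

push @HELP, ["M", "returns the enabled Apache 2 MPM"];
if (exists $opts{'M'}) {
	--$help;
	output("$MPM\n");
}

push @HELP, ["d", "returns the Apache 2 module directory"];
if (exists $opts{'d'}) {
	--$help;
	output("$MODULE_DIR\n");
}

push @HELP, ["h", "display this help"];
if (exists $opts{'h'} or $help == 1) {
	my $usage = "$0 " . join('', map { "-$_->[0] " } @HELP);
	print("Usage: $usage\n");

	my $switch_name;
	my $description;

	# Picture lines must start in column 0. "~~" repeats the second line
	# until $description has been printed completely.
	format STDOUT =
@<<<<<<<<<<<< ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
"-$switch_name", $description,
~~            ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$description,
.

	foreach my $switch (@HELP) {
		($switch_name, $description) = ($switch->[0], $switch->[1]);
		write STDOUT;
	}

	exit $E_OK;
}

# vim: syntax=perl sw=8 sts=8 sr noet debian/changelog0000644000000000000000000061004713451142635011054 0ustar apache2 (2.4.7-1ubuntu4.22) trusty-security; urgency=medium * SECURITY UPDATE: mod_session expiry time issue - debian/patches/CVE-2018-17199-pre1.patch: properly handle sessions that could not be decoded in modules/session/mod_session.c. - debian/patches/CVE-2018-17199.patch: always decode session attributes early in modules/session/mod_session.c. - CVE-2018-17199 * SECURITY UPDATE: mod_auth_digest access control bypass - debian/patches/CVE-2019-0217.patch: fix a race condition in modules/aaa/mod_auth_digest.c. - CVE-2019-0217 * SECURITY UPDATE: URL normalization inconsistincy - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in the path in include/http_core.h, include/httpd.h, server/core.c, server/request.c, server/util.c. - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety in server/request.c, server/util.c. - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in server/util.c. - CVE-2019-0220 -- Marc Deslauriers Wed, 03 Apr 2019 10:37:52 -0400 apache2 (2.4.7-1ubuntu4.21) trusty; urgency=medium * d/p/AuthzProviderAlias-visibility.patch: Allow 'es to be seen from auth stanzas under virtual hosts (LP: #1529355) -- Andreas Hasenack Fri, 23 Nov 2018 17:45:20 -0200 apache2 (2.4.7-1ubuntu4.20) trusty-security; urgency=medium * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig - debian/patches/CVE-2017-15710.patch: fix language long names detection as short name in modules/aaa/mod_authnz_ldap.c. - CVE-2017-15710 * SECURITY UPDATE: incorrect matching - debian/patches/CVE-2017-15715-pre.patch: add ap_cstr_casecmp[n]() to include/httpd.h, server/util.c.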
- debian/patches/CVE-2017-15715.patch: allow to configure global/default options for regexes, like caseless matching or extended format in include/ap_regex.h, server/core.c, server/util_pcre.c. - CVE-2017-15715 * SECURITY UPDATE: mod_session header manipulation - debian/patches/CVE-2018-1283.patch: strip Session header when SessionEnv is on in modules/session/mod_session.c. - CVE-2018-1283 * SECURITY UPDATE: DoS via specially-crafted request - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL terminated on any error, not only on buffer full in server/protocol.c. - CVE-2018-1301 * SECURITY UPDATE: mod_cache_socache DoS - debian/patches/CVE-2018-1303.patch: fix caching of empty headers up to carriage return in modules/cache/mod_cache_socache.c. - CVE-2018-1303 * SECURITY UPDATE: insecure nonce generation - debian/patches/CVE-2018-1312.patch: actually use the secret when generating nonces in modules/aaa/mod_auth_digest.c. - CVE-2018-1312 -- Marc Deslauriers Wed, 18 Apr 2018 11:13:36 -0400 apache2 (2.4.7-1ubuntu4.19) trusty; urgency=medium * Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683) - added debian/patches/util_ldap_cache_lock_fix.patch -- Rafael David Tinoco Fri, 02 Mar 2018 01:48:33 +0000 apache2 (2.4.7-1ubuntu4.18) trusty-security; urgency=medium * SECURITY UPDATE: optionsbleed information leak - debian/patches/CVE-2017-9798.patch: disallow method registration at run time in server/core.c. - CVE-2017-9798 -- Marc Deslauriers Mon, 18 Sep 2017 11:10:30 -0400 apache2 (2.4.7-1ubuntu4.17) trusty-security; urgency=medium * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest - debian/patches/CVE-2017-9788.patch: correct string scope in modules/aaa/mod_auth_digest.c. 
- CVE-2017-9788 -- Marc Deslauriers Thu, 27 Jul 2017 10:34:31 -0400 apache2 (2.4.7-1ubuntu4.16) trusty-security; urgency=medium * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw() - debian/patches/CVE-2017-3167.patch: deprecate and replace ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h, server/protocol.c, server/request.c. - CVE-2017-3167 * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection() - debian/patches/CVE-2017-3169.patch: fix ctx passed to ssl_io_filter_error() in modules/ssl/ssl_engine_io.c. - CVE-2017-3169 * SECURITY UPDATE: denial of service and possible incorrect value return in HTTP strict parsing changes - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in server/util.c. - CVE-2017-7668 * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in modules/http/mod_mime.c. - CVE-2017-7679 -- Marc Deslauriers Mon, 26 Jun 2017 08:04:58 -0400 apache2 (2.4.7-1ubuntu4.15) trusty-security; urgency=medium * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue - debian/patches/CVE-2016-0736.patch: authenticate the session data/cookie with a MAC in modules/session/mod_session_crypto.c. - CVE-2016-0736 * SECURITY UPDATE: denial of service via malicious mod_auth_digest input - debian/patches/CVE-2016-2161.patch: improve memory handling in modules/aaa/mod_auth_digest.c. - CVE-2016-2161 * SECURITY UPDATE: response splitting and cache pollution issue via incomplete RFC7230 HTTP request grammar enforcing - debian/patches/CVE-2016-8743.patch: enfore stricter parsing in include/http_core.h, include/http_protocol.h, include/httpd.h, modules/http/http_filters.c, server/core.c, server/gen_test_char.c, server/protocol.c, server/util.c, server/vhost.c. - debian/patches/hostnames_with_underscores.diff: relax hostname restrictions in server/vhost.c. 
- CVE-2016-8743 * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and may introduce compatibility issues with clients that do not strictly follow specifications. A new configuration directive, "HttpProtocolOptions Unsafe" can be used to re-enable some of the less strict parsing restrictions, at the expense of security. -- Marc Deslauriers Fri, 05 May 2017 12:52:21 -0400 apache2 (2.4.7-1ubuntu4.13) trusty-security; urgency=medium * SECURITY UPDATE: proxy request header vulnerability (httpoxy) - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in server/util_script.c. - CVE-2016-5387 * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in trusty-proposed. -- Marc Deslauriers Thu, 14 Jul 2016 08:40:55 -0400 apache2 (2.4.7-1ubuntu4.11) trusty; urgency=medium * Fix hang until proxy timeout for Proxy responses with error status and "ProxyErrorOverride On" being set (LP: #1495988). -- Christian Ehrhardt Tue, 07 Jun 2016 16:28:05 +0200 apache2 (2.4.7-1ubuntu4.10) trusty; urgency=medium * Add apache2 specific modification needed along with fix to libapache2-mpm-itk so it becomes installable again (LP: #1286882): - Removes warning on mpm_itk use - Removes conflicts on mpm_itk -- Louis Bouchard Wed, 20 Apr 2016 16:21:03 +0200 apache2 (2.4.7-1ubuntu4.9) trusty; urgency=medium * Force disablereuse on for mod_proxy_wstunnel. Fixes "Unable to connect to: ws://:/MAAS/ws" errors with maas, and other proxy applications. https://bz.apache.org/bugzilla/show_bug.cgi?id=55890 (LP: #1484696). -- Dave Chiluk Wed, 13 Jan 2016 15:34:51 -0600 apache2 (2.4.7-1ubuntu4.8) trusty; urgency=medium * Fix -D[efined] or [d] variables lifetime across restarts. This fixes incorrect processing of configuration files on reload (LP: #1504354). -- Jeffrey Hutzelman Thu, 08 Oct 2015 19:30:10 -0400 apache2 (2.4.7-1ubuntu4.7) trusty; urgency=medium * d/p/wstunnel-ssl.patch: mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:" scheme. PR55320. 
LP: #1445914 Submitted by: Alex Liu -- Jeffrey Hutzelman Thu, 10 Sep 2015 12:50:00 -0400 apache2 (2.4.7-1ubuntu4.6) trusty; urgency=medium * d/p/fix_rewrite_rule.patch: Add a configurable option to keep mod_dir from running when another handler is set. This makes default behavior consistant with 2.2, and fixes (LP: #1394403) - This adds the configuration option "DirectoryCheckHandler" which is present in apache 2.4.8 and later versions. The default value is "DirectoryCheckHandler Off". - This will change default behavior. Instead of mod_dir running even if other rules are being run, mod_dir will only run when no other rules have been processed by default. This is the expected behavior of mod_dir, and is consistant with the behavior of mod_dir in apache versions < 2.4 and > 2.4.8, and so the default value of this configuration option will correct the bug. - The current default behavior, which is considered to be a bug, can be kept by setting "DirectoryCheckHandler On". -- Wesley Wiedenmeier Tue, 18 Aug 2015 09:36:21 -0500 apache2 (2.4.7-1ubuntu4.5) trusty-security; urgency=medium * SECURITY UPDATE: request smuggling via chunked transfer encoding - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in modules/http/http_filters.c. - CVE-2015-3183 * SECURITY UPDATE: access restriction bypass via deprecated API - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one in include/http_request.h, server/request.c. - CVE-2015-3185 -- Marc Deslauriers Fri, 24 Jul 2015 12:44:36 -0400 apache2 (2.4.7-1ubuntu4.4) trusty-security; urgency=medium * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141) - debian/patches/CVE-2013-5704.patch: don't merge trailers by default and add a "MergeTrailers" directive to revert to previous behaviour to include/http_core.h, include/httpd.h, modules/http/http_filters.c, modules/http/http_request.c, modules/loggers/mod_log_config.c, modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c. 
- CVE-2013-5704 * SECURITY UPDATE: mod_cache denial of service via empty HTTP Content-Type header - debian/patches/CVE-2014-3581.patch: check for NULL in modules/cache/cache_util.c. - CVE-2014-3581 -- Marc Deslauriers Tue, 10 Mar 2015 07:42:50 -0400 apache2 (2.4.7-1ubuntu4.2) trusty; urgency=medium * d/p/ocsp-stapling-memory-corruption.patch: fix crash on startup due to memory corruption while modules are reloaded (LP: #1366174). Thanks to Alex Bligh for reporting, debugging, fixing upstream, backporting and driving this fix through to Trusty. -- Robie Basak Thu, 26 Feb 2015 18:11:56 +0000 apache2 (2.4.7-1ubuntu4.1) trusty-security; urgency=medium * SECURITY UPDATE: denial of service in mod_proxy - debian/patches/CVE-2014-0117.patch: also skip over semicolons in modules/proxy/proxy_util.c. - CVE-2014-0117 * SECURITY UPDATE: resource consumption via mod_deflate body decompression - debian/patches/CVE-2014-0118.patch: added new configuration options DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst in modules/filters/mod_deflate.c. - CVE-2014-0118 * SECURITY UPDATE: denial of service via race in mod_status - debian/patches/CVE-2014-0226.patch: fix race by adding ap_copy_scoreboard_worker() to include/scoreboard.h, modules/generators/mod_status.c, modules/lua/lua_request.c, server/scoreboard.c. - CVE-2014-0226 * SECURITY UPDATE: denial of service in mod_cgid - debian/patches/CVE-2014-0231.patch: added new configuration option CGIDScriptTimeout in modules/generators/mod_cgid.c. - CVE-2014-0231 -- Marc Deslauriers Mon, 21 Jul 2014 15:46:10 -0400 apache2 (2.4.7-1ubuntu4) trusty; urgency=medium * d/p/split-logfile.patch: fix completely broken split-logfile command (LP: #1299162). Thanks to Holger Mauermann. 
-- Robie Basak Thu, 03 Apr 2014 11:21:22 +0000 apache2 (2.4.7-1ubuntu3) trusty; urgency=medium * SECURITY UPDATE: denial of service via mod_dav incorrect end of string calculation - debian/patches/CVE-2013-6438.patch: properly calculate correct length in modules/dav/main/util.c. - CVE-2013-6438 * SECURITY UPDATE: denial of service via truncated cookie and mod_log_config - debian/patches/CVE-2014-0098.patch: properly parse tokens in modules/loggers/mod_log_config.c. - CVE-2014-0098 -- Marc Deslauriers Thu, 20 Mar 2014 08:34:10 -0400 apache2 (2.4.7-1ubuntu2) trusty; urgency=medium * d/index.html: replace Debian with Ubuntu on default page (LP: #1288690). -- Robie Basak Wed, 19 Mar 2014 11:04:21 +0000 apache2 (2.4.7-1ubuntu1) trusty; urgency=medium * Merge from Debian unstable. Remaining changes: - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - d/control, d/config-dir/mods-available/ssl.conf, d/ask-for-passphrase, d/apache2.install, d/tests/ssl-passphrase: Plymouth aware passphrase dialog program ask-for-passphrase. - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure. - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream - Build using lua5.2. - d/tests/chroot: dep8 test for ChrootDir case. - d/p/ignore-quilt-dir: adjust build system so that it does not use files find inside the .pc directory. This stops a double module load causing later havoc, including "ChrootDir" directive failure. * Drop changes: - debian/{control, rules}: Enable PIE hardening: no longer required; 2.4.7-1 is already hardened. - d/p/itk-rerun-configure.patch: no longer needed, as ITK support has moved out of this package. * d/tests/ssl-passphrase: update for new default path /var/www/html. * d/tests/duplicate-module-load: check for duplicate module loads. 
-- Robie Basak Tue, 14 Jan 2014 17:23:47 +0000 apache2 (2.4.7-1) unstable; urgency=low New upstream version [ Stefan Fritsch ] * In logrotate and init script, don't hardcode path to htcacheclean. Instead, put sbin directories in PATH. Also fix one missed reference to disk_cache.load, missed in 2.4.6-3. Really closes: #718909 * Remove possiblity to override path to apache2 executable via envvars. This is no longer necessary with MPMs as modules. * Fix typo in serve-cgi-bin.conf. Closes: #723196 * Bump Build-Depends. 2.4.7 requires apr 1.5. [ Arno Töll ] * Fix "No default site enabled after fresh install if /etc/apache2 exists" by using a condition in preinst which actually works as expected. Thanks to Jean-Michel Vourgère for triaging the issue and providing a patch (Closes: #711493). * Leave a2disconf with rc=0 when purging a configuration which does not exist. (Closes: #718166) * Explicitly express the dependency for mod_access_compat depending on authn_core. Thanks Jean-Michel Vourgère for providing a patch (Closes: #710412) * Allow "apache2_invoke disconf" in postinst/preinst (Closes: #717693) * Rework the default index.html file. Instead of a blank, minimalistic page give a quick start guide, since nobody seems to read our docs. This site is hopefully explaining the most important questions. * Add a virtual provides line to the itk/worker/event/prefork transitional packages so that people with an unusual (unsupported) Apache setup can upgrade neatless in some corner cases (Closes: #728937) * Drop the Apache ITK patches. The Apache ITK MPM is a standalone package now and will be provided by libapache2-mpm-itk in future. The apache2-mpm-itk package depends on this package from now on. Users of itk are advised to consult the itk manual. This also resolves a build-system problem that caused mod_unixd to be initialized twice. (LP: #1251939) * Remove Steinar H. Gunderson from uploaders, he will continue to support itk in his own package in future. 
The remaining Apache team thanks Steinar for all the work in the past. * Change the Default Document root directory where files are served from (Closes: #730372). * Add GPG support to our watch file. Thanks to Daniel Kahn Gillmor for this suggestion and for providing a patch (Closes: #732450) * Refresh suexec-custom.patch. -- Arno Töll Thu, 02 Jan 2014 00:17:56 -1100 apache2 (2.4.6-3) unstable; urgency=low * Fix 'implicit declaration' compiler warnings. * Fix module dependencies in lbmethod_*.load files. Closes: #717910 LP: #1205314 * Mark apache2-data as Multi-Arch: foreign. Closes: #718387 * Backport open_htaccess hook from upstream 2.4.x branch to allow building mpm-itk as separate package. * Improve comment for LogLevel in apache2.conf. Closes: #718677 * Fix comment in ports.conf. Closes: #718650 * Fix htcacheclean path and function name in init script. Closes: #718909 * Enable bindnow hardening compiler option, patch by Felix Geyer. Closes: #714872 -- Stefan Fritsch Mon, 12 Aug 2013 20:15:38 +0200 apache2 (2.4.6-2ubuntu4) trusty; urgency=low * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so that it does not use files find inside the .pc directory. This stops a double module load causing later havoc, including "ChrootDir" directive failure (LP: #1251939). Thanks to Stefan Fritsch. * d/tests/chroot: dep8 test for ChrootDir case. -- Robie Basak Thu, 28 Nov 2013 16:21:51 +0000 apache2 (2.4.6-2ubuntu3) trusty; urgency=low * debian/apache2.install: Correct path for ufw. (LP: #1252722) -- Chuck Short Tue, 19 Nov 2013 08:59:54 -0500 apache2 (2.4.6-2ubuntu2) saucy; urgency=low * d/ask-for-passphrase: mark executable so that apache2 can run it. Fixes passphrase prompting for SSL certificates that are passphrase protected. * Add dep8 test for SSL passphrase prompting. -- Robie Basak Fri, 09 Aug 2013 13:08:52 +0000 apache2 (2.4.6-2ubuntu1) saucy; urgency=low * Merge from Debian unstable. 
Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, apache2.install, apache2-utils.ufw.profile, apache2.dirs}: Add ufw profiles. - debian/apache2.py, debian/apache2-bin.install: Add apport hook. - debian/control, debian/config-dir/mods-available/ssl.conf, debian/ask-for-passphrase, debian/apache2.install: Plymouth aware passphrase dialog program ask-for-passphrase. - debian/rules: Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure. - debian/patches/086_svn_cross_compiles: Backport several cross fixes from upstream * Dropped changes: - debian/patches/CVE-2013-1896.patch: upstream * Fixed module dependencies (LP: #1205314) - debian/config-dir/mods-available/lbmethod_*: properly specify proxy_balancer, not mod_proxy_balancer. -- Marc Deslauriers Fri, 26 Jul 2013 08:31:33 -0400 apache2 (2.4.6-2) unstable; urgency=low [ Stefan Fritsch ] * Fix watch file * Don't pass --silent to libtool, allowing blhc to check the compiler options in the build logs. [ Arno Töll ] * Allow third party packages to use triggers if they use them in a maintainer script invoking apache2-maintscript-helper (Closes: #717610) -- Arno Töll Tue, 23 Jul 2013 13:25:30 +0200 apache2 (2.4.6-1) unstable; urgency=low New upstream release: * CVE-2013-1896: mod_dav: Fix a denial of service via MERGE request (Closes: #717272) * New modules mod_cache_socache, mod_proxy_wstunnel. * mod_ssl: Add support for subjectAltName-based host name checking in proxy mode (SSLProxyCheckPeerName). * mod_lua: Many new functions. * mod_auth_basic: Add a generic mechanism to fake basic authentication using the ap_expr parser (AuthBasicFake). * mod_proxy: New BalancerInherit and ProxyPassInherit options. * mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind password. [ Arno Töll ] * Document our security model in our NEWS file and highlight we do not allow access to /srv. Thanks to joeyh for pointing this out. 
* Allow the use of apache2-maintscript-helper from a sub-function. We rely on dpkg's arguments supplied in $1, $2 etc. This clashes with function arguments supplied to to sh sub-function. Allow manual override in such cases. * Mention that the dh_apache2 conditional must be present in postrm too (Closes: #716694) * Fix "dh_apache2 ignores alternative httpd on conf files" by correctly checking the supplied arguments, we were off by one (Closes: #717299). * Reinstall index.html also on upgrades as it is removed during upgrades. * Add mod_macro transitional package as it was promoted to core and does not exist as individual package anymore (Closes: #706962) [ Stefan Fritsch ] * Don't fail package upgrade or removal just because the configuration is in an inconsistent state (Closes: #716921, #717343, LP: #1202653). * Improve error output of init script. * Fix broken dependency information in several *.load files. * Add mod_authn_core as dependency of the mod_auth_* modules. (Closes: #717448) -- Arno Töll Sun, 21 Jul 2013 18:44:42 +0200 apache2 (2.4.4-6ubuntu5) saucy; urgency=low * SECURITY UPDATE: denial of service via MERGE request - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI in modules/dav/main/mod_dav.c. - CVE-2013-1896 -- Marc Deslauriers Thu, 18 Jul 2013 11:20:47 -0400 apache2 (2.4.4-6ubuntu4) saucy; urgency=low * d/apache2-{utils,bin}.install: move apport hook from apache2-utils to apache2-bin. apache2-utils is only suggested by apache2, so may not always be installed by bug reporters. However, apache2-bin will always need to be installed for Apache to be functional, so this is a better place for the apport hook. apache2-bin already Conflicts/Replaces apache2.2-common, so this also fixes (LP: #1199318). * d/apache2.py: adjust apport hook for new location of configuration files in apache2 >= 2.4: they have moved from apache2.2-common to apache2. 
-- Robie Basak Wed, 17 Jul 2013 17:54:22 +0000 apache2 (2.4.4-6ubuntu3) saucy; urgency=low * Build using lua5.2. -- Matthias Klose Wed, 17 Jul 2013 14:24:42 +0200 apache2 (2.4.4-6ubuntu2) saucy; urgency=low * debian/rules: Fix FTBFS while installing ufw. -- Chuck Short Tue, 02 Jul 2013 10:10:14 -0500 apache2 (2.4.4-6ubuntu1) saucy; urgency=low * Merge from Debian unstable. Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: Plymouth aware passphrase dialog program ask-for-passphrase. * Dropped changes: - debian/patches/CVE-2012-2687.patch: Dropped no longer needed. - debian/patches/CVE-2012-3499_4558.patch: Dropped no longer needed. - debian/patches/CVE-2012-4929.patch: Dropped no longer needed. -- Chuck Short Tue, 02 Jul 2013 08:34:01 -0500 apache2 (2.4.4-6) unstable; urgency=low * Denote exact versions breaking gnome-user-share now that Gnome maintainers have a fixed version in the works. That makes Gnome installable again. * Update our gbp.conf for our big merge next -> master. The eagle has landed, 2.4 is here. * Push Standards version to 3.9.4 - no changes needed. * Fix spelling errors in man pages. * Update the git VCS pointer to its canonical location for anonymous checkouts. * Boost the description for the LSB init script to appease Lintian. 
* Fix spurious warnings in the Apache2 bug report script (Closes: #711121, #711480) * Strip off file extensions from arguments to a2(en|dis)(site|conf|mod) so that "a2ensite 000-default.conf" works, as well as "a2ensite 000-default" (Closes: #711494) * Fix "apache2-dev: dh-apache2 does not strip .conf extension" for modules relying on the install heuristic, instead of writing an *.apache2 conf file (Closes: #711483) * Apply patch submitted by Robert Luberda and redirect all output of apache2-maintscript-helper to stderr (Closes: #711478) * Tell about essential operations in the init script (Closes: #711120) * Fix indentation mess in the init script, and add modelines * Make sure /etc/init.d/apache2 reload does not always return. Thanks to Thorsten Glaser for suggesting a patch (Closes: #711117) * Make apache2-maintscript-helper usable when sourced from weird environments (e.g. Perl maintainer scripts). Thanks to Robert Luberda for doing unexpected things, and providing patches for it, and to Axel Beckert for demangling shell specifics (Closes: #711479) * Fix "copyright file missing after upgrade (policy 12.5)" and add these for MPM transitional packages (Closes: #710914) * Fix "apache2.2-bin transitional package (binaries only) should not depend on apache2 package (which runs a system daemon)". This happened by accident added by debhelper since we are linking docs. We do to apache2-bin instead (Closes: #711127) * Refresh "upstream-fixes" patch * Fix "Disabling strtoul violates C89 and C99 and is unnecessary" by removing the symbol override in httpd.h(Closes: #711534) -- Arno Töll Fri, 07 Jun 2013 19:14:36 +0200 apache2 (2.4.4-5) unstable; urgency=low [ Arno Töll ] * Fix compile issue on kfreebsd. -- Stefan Fritsch Fri, 31 May 2013 10:19:18 +0200 apache2 (2.4.4-4) unstable; urgency=low [ Stefan Fritsch ] * Upload to unstable. * Fix FTBFS on hurd caused by mpm-itk linking fix. 
* Fix some lintian warnings: - fix pod error - add overrides for hardening-no-fortify-functions - don't use /lib/init/vars.sh in init script * Add note to README.Debian about CVE-2013-0966 if the document root is on HFS+ or on ZFS with filename normalization. * Add a note to README.Debian about how to change the max file limit. Make apache2ctl print a message pointing to README.Debian if setting the limit fails. (Closes: #706822) [ Arno Töll ] * Correct maintainer scripts by removing forgotten left-overs of our Squeeze -> Wheezy renaming -- Stefan Fritsch Thu, 30 May 2013 17:25:09 +0200 apache2 (2.4.4-3) experimental; urgency=low [ Arno Töll ] * libapache2-mod-proxy-html is included in Apache 2.4 and not packaged separately anymore. Thus, we are using the most recent version available now (Closes: #695482). * Fix "typo in mpm_event.load" by applying the patch provided by Bastian Triller. Thanks (Closes: #704639) * Replace some occurrences of "Squeeze" in our scripts. It's Wheezy time. * Changes in dh_apache2: + Add -e|--noenable option to dh_apache2 (Closes: #681544) + Disable scripts in prerm, not postrm (Closes: #681546) + However, still hook into postrm and purge state when required + Call the postinst code always, not only during configure (Closes: #681545) + Fix "dh_apache2 postinst code needs to reload more" and reload the web-server in postinst when upgrading (Closes: #702929) * Let a2enmod purge state when calling -p for already disabled configurations. * Fix "don't assume apache2 is running 24 hours a day when rotating logs": Only restart the webserver when it was previously running (Closes: #707892) * Properly return the conf/site configuration fragments enabled for Apache when queried from a2query (Closes: #683212) * Fix "/etc/init.d/apache2 start and restart need to wait until really started" (Closes: #645460) * Fix "apxs2 outputs "uninitialized value" warnings" by removing the double declaration of variables in apxs. 
This problem was harmless, but noisy (Closes: #707109) * Make the DEBIAN_VERSION parsing in debian/rules more robust. Thanks to Ondřej Surý for noticing and providing a patch. * Fix "copyright file missing after upgrade (policy 12.5)" by linking to the apache2 doc-dir when upgrading (Closes: #707795) [ Stefan Fritsch ] * Backport various fixes from upstream svn branch '2.4.x'. * Remove paragraph about MaxMemFree in README.Debian. The issue should be fixed in 2.4. * Enable mod_authn_core when upgrading from wheezy (Closes: #702866) * Bump libaprutil1-dev build dependency to get support for bcrypt password hashes. * Fix mod_mpm_itk.so not being linked to libcap.so (Closes: #702475) * Make apache2-dev not depend on apache2. -- Stefan Fritsch Tue, 28 May 2013 22:47:26 +0200 apache2 (2.4.4-2) experimental; urgency=low * The "let's shorten up this discussion" release, and strip changelogs which are not a direct ancestor of the 2.4 branch. * Restart the server on upgrades. We need to make sure the new binary is loading all symbols from the core again to make sure, upgrades don't break the server. -- Arno Töll Sat, 09 Mar 2013 02:02:08 +0100 apache2 (2.4.4-1) experimental; urgency=low * New upstream release - Fixes mod_log_forensic logging spurious '-' characters. Closes: #693292 - Responds with HTTP/1.0 when talking http to https port. Closes: #701117 - Fix various XSS flaws in modules (CVE-2012-3499, CVE-2012-4558) [ Stefan Fritsch ] * Add examples for X-Content-Type-Options and X-Frame-Options to security.conf. * Make dh_apache2 only accept shell function names as conditional, to avoid problems with shell and sed special characters. * Add Replaces for the old mpm packages to apache2-bin. Closes: #671683 * Add transitional package for libapache2-mod-proxy-html. Closes: #666816 - Override dh_gencontrol so that the package's version sorts later than the existing version in Wheezy. * Don't ship changelogs in the apache2.2-bin transitional package. 
* CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2 [ Arno Töll ] * Rewrite most parts of the init script to make it more readable and improve visual feedback when fancy output is in use. * Drop the dbmanage tool from apache2-utils. It is mostly unmaintained and outdated. Users of mod_authn_dbm should use htdbm instead. * Fix "Default /etc/apache2/mods-available/disk_cache.conf is incompatible with ext3" by changing the default to more moderate values. Note, some file systems have a hard limit of supported subdirectories (Closes: #682840). Ported from our 2.2 tree targeted for Wheezy. * Properly check return code of a2query in the apache2_invoke library function. This caused reverse dependencies to fail for newly installed modules previously. * Implement -q (quiet) option for a2query (Closes: #681541). * Properly honor -p/-N options as understood by debhelper (Closes: 681542). Thanks Russ Allbery for the hint. * Be more careful regarding link attacks when for the the cache disk directory. * Compress the data.tar in binary packages using xz to save some space on installation medias (Debian only). * Fix "invoke-rc.d apache2 status fails" by merging patch of Jean-Michel Vourgère. Thanks! (Closes: #691365) * Fix "copyright file missing after upgrade (policy 12.5)" - add link manually when necessary in postinst (Closes: #691440) * Document APACHE_ARGUMENTS in envvars (ported from our 2.2 branch, reported as #693299) * Don't croak about lacking permissions in apache2ctl when the script is executed as a non-privileged user [ Bernhard R. Link ] * Rearrane patches: Move all the patches or parts of patches touching non-itk specific files (i.e. those from the upstream tarball) directly in the debian/patches/series series. 
While this seperates the itk patches into two heaps, it makes both more visible what changes happen to the general code (and thus are also done to the other servers generated) -- Arno Töll Thu, 07 Mar 2013 01:24:51 +0100 apache2 (2.4.2-2) experimental; urgency=low [ Stefan Fritsch ] * Explicitly enable mod_authz_core on upgrades. It can happen that it is not pulled in by any of the enabled modules, but we need it in any case for apache2.conf. Closes: #669876 * Don't ship the changelogs in the apache2-mpm-itk transitional package. [ Arno Töll ] * Add mode lines to various configuration files and scripts. Reformat configuration files for consitency. * Fix "Fix typographic errors in configuration file comments": Thanks to Oxan van Leeuwen for providing a patch (Closes: #669269) * Formulate several clarifications in PACKAGING, start versioning this document and add normative read hints. Moreover, document the -m switch for a2enmod. * Merge spelling and grammar fixes provided by Justin B Rye. Much appreciated! * Change various state and run directories used by Apache from /var/run/ to /var/run/apache2/. This might change again for Wheezy+1 to adopt /run. * Use more exit status codes for a2query which allows to tell apart why a module was disabled, also make its output more readable. * Changes in apache2-maintscript-helper: + Finally apache2_invoke may behave correctly and catch all cases including upgrades from Squeeze. + apache2_invoke: accepts a third argument to override the rc.d-action now + support APACHE2_MAINTSCRIPT_DEBUG: When defined in the environment or in /etc/apache2/envvars, debug output is displayed. * Implement a -r switch for dh_apache2 which allows to force a reload of the web server if required. -- Arno Töll Mon, 28 May 2012 17:36:03 +0200 apache2 (2.4.2-1) experimental; urgency=low * New upstream release [ Arno Töll ] * Drop update-alternative call in postrm. Our prerm script catches them already anyway. * Update my mail address. 
* Fix "dh_apache2 does not set "x" bits on /usr/lib/apache2/modules/" Set directory permissions to 755 by default (Closes: #666875). Thanks Axel Beckert for the hint. * Add /usr/share/doc/apache2/migrate-sites.pl, a script to assist users to give sites a .conf suffix, add a hint to the NEWS file. * Do stateful configuration handling by remembering who enabled a particular piece of configuration and when. That way it can be told under which circumstances for example modules should be re-enabled. Thanks to Filip M. Nowak who was providing a patch where my changes are built upon. * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible to override LDFLAGS at compile time by defining LDFLAGS in the environment, just like it is possible for CFLAGS. This also means, config_vars.mk now exports hardening build flags by default. * Provide the virtual packages httpd and httpd-cgi again. [ Stefan Fritsch ] * Change default config to deny access to / in the file system and only allow access to /var/www, /usr/share, and /usr/lib/cgi-bin. Closes: #341022 * Disable MultiViews in the default config. * Update ssl default cipher config, add alternative speed optimized config. Closes: #649020 * Move the configuration of /usr/lib/cgi-bin into a separate config file. Closes: #589638 * Comment out per-vhost loglevel. * Add section to security.conf that shows how to forbid access to VCS directories. Closes: #548213 * Change the compiled in default of DocumentRoot to /var/www by updating fhs_compliance.patch * Re-add mpm_itk (version 2.4.1-pre01). This is still very experimental! -- Stefan Fritsch Sun, 15 Apr 2012 20:50:28 +0200 apache2 (2.4.1-3) experimental; urgency=low [ Arno Töll ] * apache2-suexec-{custom,pristine}: Fix argument order when removing alternatives, do not remove alternatives on upgrades. Thanks Andreas Beckmann for spotting the issue (Closes: #665002) * Install suexec(8) link to /usr/share/man/man8/...
* Enable mod_version statically, drop associated module load file. * Update PACKAGING hints and cope several questions raised among the discussions with packagers. Thus, invocation of apache2-maintscript-helper in maintainer scripts are covered now. * Changes in dh_apache2: + Invoke the maintscript helper postrm action for simple package removals, too. + Fix a bug which accidentally called "en{mod,site,conf}" instead of "di{mod,site,conf}" + Set the default conditional back to "true", now the maintainer script is expected to cope itself with upgrades correctly * Changes in apache2_maintscript_helper + Provide apache2_action_needed, apache2_msg + Parse maintainer script arguments to find out which script called us + Support APACHE2_MAINTSCRIPT_HELPER_QUIET which, when set, omits any visible output + Break APIs: apache2_invoke accepts a single configuration file argument only now. However, other than dh_apache2 no users of this feature were known. * Build the apache2.2-bin transitional package again, without it updates from Squeeze are broken from some use cases * Remove 2.2's postrm script only if we're actually upgrading. This previously didn't have bad side-effects, but caused a disturbing warning. [ Stefan Fritsch ] * Import lots of bug fixes from upstream svn: All code changes from branch 2.4.x up to r1307835, plus r1294306 and r1307067 from trunk. * CVE-2012-0216: Remove /usr/share/doc alias from default virtual hosts' configs. * Add 'Multi-Arch: foreign' to apache2-utils * Make a2enconf and a2ensite warn if dependencies are not fullfilled. -- Stefan Fritsch Sun, 01 Apr 2012 21:11:51 +0200 apache2 (2.4.1-2) experimental; urgency=low [ Arno Töll ] * Shift convert_docs script to a arch-indep target only. 
Debhelper does not build apache2-doc on binary only builds causing a FTBS on binary-only (-B) builds * Raise debhelper build-dependency to 8.9.7~ due to the use of arch-indep targets [ Stefan Fritsch ] * dh_apache2: Make autoscripts only run on upgrades by default. Bump debhelper dependency of apache2-dev. Escape slashes in conditionals. -- Stefan Fritsch Tue, 20 Mar 2012 21:32:43 +0100 apache2 (2.4.1-1) experimental; urgency=low * Package the coming up 2.4 branch of Apache by packaging the current GA release 2.4.1. + Fix "IndexIgnore only allowes to add in vhost context, not replace" (Closes: #296886) + Fix "mod_status stats are wrong." (Closes: #519322) + Fix "PNG DirectoryIndex icons transparancy messed up" (Closes: #233047) + Fix "apache2-common: there should be a possibility to access the parsed configuration" (Closes: #350285) + Fix "AddOutputFilterByType is deprecated but used in deflate.conf" (Closes: #601033) + Fixes "Renegotiation on POST request fails intermittently" (Closes: #601606) + Allows configuring source address for proxy requests. (Closes: #465283) + Supports CONNECT request through https. (Closes: #307298) + New Upstream (2.4). (Closes: #662115) * Refresh patches but leave all hunks unchanged where possible. Give all * patches a ".patch" suffix, drop sequence numbers as they are not needed when * using quilt. Notable changes are. + [AT] 202_suexec-custom: Keep functionality as is, but rewrite smaller parts of the patch to build two binaries: suexec-pristine and suexec-custom (see below) + [AT] 201_build_suexec-custom: Patch the makefile to build "suexec-pristine" instead. Aside of that, refresh hunks. + [AT] 010_fhs_compliance: Drop config.layout patches. These have been applied upstream + [JMV] Drop patches: + 004_usr_bin_perl_0wnz_j00: printenv exemple doesn't refer to /usr/local/bin/perl anymore + 008_make_include_safe: Include doesn't support directory anymore. Include dir/*.conf must be used. 
+ 009_apache2_has_dso: Upstream is no longer testing DSO is available. So we don't need to remove that test anymore. + [AT] customize_apxs.patch: Aggregate changes from various apxs2 patches, drop obsolete hunks [ Arno Töll ] * Rewrite most parts of debian/rules / debhelper configuration. + move cronjob and init script to debhelper configuration files (apache2.cron.daily and apache2.init respectively) + move man pages to debian/manpages + Remove Ubuntu hacks in debian/rules, we expect them to carry Ubuntu specifics in their own patch set, as it diverges already anyway. + shake-up files installed in different packages + Do not copy the source tree anymore, build package in place. * Push standards version to 3.9.3 - no special changes required * Refactor binary packages, now as things simplified. MPMs are simple modules now, they can be bundled into the same binary package which do not need to conflict with each other. Thus, Apache now primarily consists of the following packages: + apache2 - configuration files and init scripts, Debian specific helper scripts + apache2-bin - binaries and modules + apache2-data - error pages and images * Drop the ITK MPM entirely for now * Consolidate development packages. As MPM packages are gone, we do not need specific development packages either. Thus, drop all MPM specific apache2 development packages and provide a single apache2-dev package instead. (Closes: #428095) * Drop debian/source/options again: We do not need to ignore .svn directories anymore since the new package management system is based on git and includes the full source * Rework the suexec mechanism. Now there are two suexec packages providing alternatives through the update-alternatives mechanism. The untouched upstream "suexec" binary is provided by the apache2-suexec-pristine package, whereas the configurable suexec can be found in the apache2-suexec-custom package. 
Both are providing the "suexec" binary which are managed by the update-alternatives(9) mechanism. This change is transparent to users at runtime and does not need any configuration changes. * Remove obsolete README.source file. * Update doc-base metadata for the apache2-doc package * Changes in the default configuration (not specific modules): + On the head of the apache2.conf configuration file, give a short summary how configuration of the Apache web server works in Debian. + Drop NameVirtualHost entirely. It is deprecated (Closes: #511594) + Remove DefaultType. It is deprecated. + Replace Allow/Deny directives in the default configuration by using the new Require directive. Load mod_access_compat if you rely on the old syntax + Replace LockFile by Mutex which consolidates all lock file synchronization files among modules + Update configuration to use the new IncludeOptional syntax + Enable these modules by default: authz_core authz_host alias cgi dir + Move MPM specific configuration to their respective configuration files. Users can just load and unload MPMs like other modules, enable the worker MPM by default + Move per-site global configuration from conf.d to conf-available and manage it similar to modules and sites. To do so, the new tools "a2enconf" and "a2disconf" are provided. Moreover, such configuration files need to have a .conf suffix now. The following configuration files are enabled by default: charset localized-error-pages other-vhosts-access-log security. These were enabled by default previously, too (Closes: #620347, Closes: #605227). This holds for apache2-doc as well, which is still enabled by default but can be disabled easily anytime by using a2disconf (Closes: #604980). + Give site configuration a .conf suffix, too. For example the default vhost is called default.conf. Moreover, files without .conf suffix are ignored upon startup. Please update your site links and confs. 
Also rename the default vhost to 000-default.conf and don't do hacky things in a2enmod anymore. * Changes in a2enmod: + Parse "Conflicts: " header to denote conflicts between modules which cannot be loaded into the same Apache server. + Remove dangling "module.conf" files, too. They were forgotten previously if they existed and only the "module.load" file was removed. + Extend the tool to support conf-available/conf-enabled directories (see also configuration changes). + Expect a .conf suffix for sites-enabled/sites-available configurations. + Remove the default vhost special handling. Instead, we expect the default host to be named appropripriately (for example 000-default.conf; Closes: #605535). * The following modules and associated configuration files were removed: + mod_authz_default and mod_authn_default: Please use a proper authentication module instead + mod_mem_cache: Use mod_cache_disk instead * The following modules and associated configuration files are provided (but not enabled by default): access_compat, allowmethods, authz_dbd, cache_disk, data, log_debug, lua proxy_express, proxy_fcgi, proxy_fdpass, proxy_html, ratelimit, reflector remoteip, request, session, session_cookie, session_crypto, session_dbd (Closes: #400881) * Provide a dh_apache2 debhelper which can be used by reverse dependencies to install modules, module configuration files, site configuration files and global configuration files which need to be registered to the Apache web server. Thus, dh_apache2 can be used for Apache web server modules and web applications providing configuration files for Apache. * Write apache2-maintscript-helper which packagers can use to interface in a reliable way with the Apache 2 web server in maintainer scripts * Document programming hints how to interface with the Apache 2 web server for * packagers of web applications and module maintainer in /usr/share/doc/apache2/PACKAGING.gz. 
* Fix the watch file, thanks to Jean-Michel Vourgère for pointing out the problem. * Update debian/copyright and switch it to the copyright-format 1.0 (formerly known as DEP5) [ Stefan Fritsch ] * Use "dh --with autotools_dev" instead of patching config.sub/config.guess. * Only include conf.d/*.conf, not conf.d/*. * Don't create httpd.conf anymore. Also, do a proper transition of existing httpd.conf files to /etc/apache2/conf-available (Closes: #639383) * Add "AddCharset" for .brf files in default mod_mime config. (Closes: #402567) * Update the README.Debian file [ Jean-Michel Vourgère ] * Update bash completion functions to reflect the new site setup. (Closes: #657492) * Migrate patches to DEP-3 format. For particular changes see the summary above. -- Stefan Fritsch Mon, 19 Mar 2012 10:46:02 +0100 apache2 (2.2.22-6ubuntu5) raring; urgency=low * SECURITY UPDATE: multiple cross-site scripting issues - debian/patches/CVE-2012-3499_4558.patch: properly escape html in modules/generators/{mod_info.c,mod_status.c}, modules/ldap/util_ldap_cache_mgr.c, modules/mappers/mod_imagemap.c, modules/proxy/{mod_proxy_balancer.c,mod_proxy_ftp.c}. - CVE-2012-3499 - CVE-2012-4558 * SECURITY UPDATE: symlink attack in apache2ctl script - debian/apache2ctl: introduce and use a safer mkdir_chown() function. - Thanks to Stefan Fritsch for the fix. - CVE-2013-1048 -- Marc Deslauriers Fri, 15 Mar 2013 07:59:58 -0400 apache2 (2.2.22-6ubuntu4) raring; urgency=low * Fix cross-building by passing DEB_{HOST,BUILD}_GNU_TYPE to configure. * Skip module sanity check between MPMs if cross-building without the kernel/binfmt support to run our target binaries on the build system. * Backport several cross fixes from upstream as 086_svn_cross_compiles. -- Adam Conrad Wed, 05 Dec 2012 02:21:46 -0700 apache2 (2.2.22-6ubuntu3) raring; urgency=low * SECURITY UPDATE: XSS vulnerability in mod_negotiation - debian/patches/CVE-2012-2687.patch: escape filenames in modules/mappers/mod_negotiation.c. 
- CVE-2012-2687 * SECURITY UPDATE: CRIME attack on SSL (LP: #1068854) - debian/patches/CVE-2012-4929.patch: backport SSLCompression on|off directive. Defaults to off, because enabling compression exposes the server to the CRIME attack. - CVE-2012-4929 -- Marc Deslauriers Thu, 08 Nov 2012 17:56:24 -0500 apache2 (2.2.22-6ubuntu2) quantal; urgency=low * debian/apache2.py - Update apport hook for python3 ; thanks to Edward Donovan (LP: #1013171) - Check if this directory exists: /etc/apache2/sites-enabled/ -- Matthieu Baerts (matttbe) Mon, 16 Jul 2012 10:02:18 +0200 apache2 (2.2.22-6ubuntu1) quantal; urgency=low * Merge from Debian unstable. Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: Plymouth aware passphrase dialog program ask-for-passphrase. * Dropped changes: - debian/control: Add bzr tag and point it to our tree; this is not really required and just increases the delta. -- Robie Basak Fri, 08 Jun 2012 11:37:31 +0100 apache2 (2.2.22-6) unstable; urgency=low [ Stefan Fritsch ] * Fix regression causing apache2 to cache "206 partial content" responses, and then serving these partial responses when replying to normal requests. Closes: #671204 * Add section to security.conf that shows how to forbid access to VCS directories. Closes: #548213 * Update ssl default cipher config, add alternative speed optimized config. Closes: #649020 * Add "AddCharset" for .brf files in default mod_mime config. Closes: #402567 * Don't create httpd.conf anymore and don't include it in apache2.conf. If it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf * Port some of the comments in apache2.conf from the 2.4 package. * Compile mod_version statically, drop associated module load file.
* If apache2 is not running, make "/etc/init.d/apache2 reload" skip the configtest. * Note in README.Debian that future versions of the package will have the include statements changed to include only *.conf. * Change compiled-in document root to /var/www, to avoid strange error messages. * Use "dh --with autotools_dev" instead of patching config.sub/config.guess. [ Arno Töll ] * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible to override LDFLAGS at compile time by defining LDLAGS in the environment, just like it is possible for CFLAGS. This also means, config_vars.mk now exports hardening build flags by default. * Update doc-base metadata for the apache2-doc package. -- Stefan Fritsch Tue, 29 May 2012 22:05:48 +0200 apache2 (2.2.22-5) unstable; urgency=low * Make LoadFile and LoadModule look in the standard search paths if the dso file name is given as a pure filename. This helps with the multi-arch transition. -- Stefan Fritsch Mon, 30 Apr 2012 23:38:33 +0200 apache2 (2.2.22-4) unstable; urgency=high * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual hosts' config files. If scripting modules like mod_php or mod_rivet are enabled on systems where either 1) some frontend server forwards connections to an apache2 backend server on the localhost address, or 2) the machine running apache2 is also used for web browsing, this could allow a remote attacker to execute example scripts stored under /usr/share/doc. Depending on the installed packages, this could lead to issues like cross site scripting, code execution, or leakage of sensitive data. -- Stefan Fritsch Sun, 15 Apr 2012 23:41:43 +0200 apache2 (2.2.22-3) unstable; urgency=low * Fix "FTBFS: mkdir: cannot create directory `debian/build-tree/arch': No such file or directory". Do not use internal rules targets which clash with build target names ... (Closes: #667069) * Drop apache2-dev virtual package. 
This had virtually no users but breaks our experimental package in some cases (e.g. #666793) * Push Standards version - no further changes * Update my maintainer address -- Arno Töll Thu, 05 Apr 2012 13:21:42 +0200 apache2 (2.2.22-2) unstable; urgency=low [ Arno Töll ] * Fix "Incorrect debhelper build dependency" by raising the build-dependency of debhelper to 8.9.7 (Closes: #659148) -- Stefan Fritsch Thu, 15 Mar 2012 00:02:31 +0100 apache2 (2.2.22-1ubuntu1) precise; urgency=low * Merge from Debian testing. Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/control: Add bzr tag and point it to our tree - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: Plymouth aware passphrase dialog program ask-for-passphrase. -- Chuck Short Sun, 12 Feb 2012 20:06:35 -0500 apache2 (2.2.22-1) unstable; urgency=low [ Stefan Fritsch ] * New upstream release, urgency medium due to security fixes: - Fix CVE-2012-0021: mod_log_config: DoS with '%{cookiename}C' log format - Fix CVE-2012-0031: Unprivileged child process could cause the parent to crash at shutdown - Fix CVE-2012-0053: Exposure of "httpOnly" cookies in code 400 error message. * Move httxt2dbm to apache2-utils * Adjust debian/control to point to new git repository. [ Arno Töll ] * Fix "typo in /etc/apache2/apache2.conf" (Closes: #653801) -- Stefan Fritsch Wed, 01 Feb 2012 21:49:04 +0100 apache2 (2.2.21-5ubuntu1) precise; urgency=low * Merge from Debian testing. Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/control: Add bzr tag and point it to our tree - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. 
- debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: Plymouth aware passphrase dialog program ask-for-passphrase. -- Chuck Short Mon, 09 Jan 2012 06:26:31 +0000 apache2 (2.2.21-5) unstable; urgency=low [ Arno Töll ] * Fix build failures introduced as a regression by the previous build. Debian buildds aren't rebuilding arch:all packages which caused problems for our unconditional copying into binary package. I was warned. -- Stefan Fritsch Thu, 29 Dec 2011 17:36:41 +0100 apache2 (2.2.21-4) unstable; urgency=low [ Stefan Fritsch ] * Security: Fix broken patch for CVE-2011-3607 (Integer overflow in ap_pregsub). * Optimize debian/rules again to improve build time by doing most work in a single parallelized "build-%" target. [ Arno Töll ] * Fix "Suggest removing DefaultType from apache2.conf" change the DefaultType from text/plain to None. This lets the browser guess a proper MIME type instead of being forced to treat a given file according to our default type (Closes: #440058) * Fix "add pre-rotate hook to logrotate script" execute scripts in /etc/logrotate.d/httpd-prerotate if available (Closes: #590096). * Fix "Hide /icons index" Disables indexes on the icon directory. By upgrading to Debian's 3.0/quilt source format also images don't need to be generated at build time anymore. Hence, the icon date can no longer lead to information disclosure (Closes: #649888). * Upgrade package to 3.0/quilt. + Remove uuencoded images, keep them in their binary format in debian/icons + Upgrade to quilt from dpatch and refresh all patches by keeping all hunks unchanged. Remove the `001_branding' patch by supplying -DPLATFORM at build time where needed Move the 200_cp_suexec.dpatch patch and 202_suexec-custom.dpatch patch to debian/rules. 200_cp_suexec.dpatch was a script, not a patch which is not supported by quilt. * Rewrite debian/rules and base it on dh(1).
+ use overrides where possible, replace some debhelper calls by our own implementation where needed. That's required since the Apache package is compiled in parts several times for each MPM once. + move some install operations to the their respective .install files + Support dpkg-buildflags now, which also enables by default hardening flags. Thus, remove them from their explicit appearance in debian/rules + Remove DEB_BUILD_OPTIONS legacy support. It comes for free when using dh(1)/dpkg-buildflags(1). * Push debhelper compatibility to 8 * Remove unused Lintian overrides for the Debian source package remove and redundant priorities in debian/control. * Add myself to Uploaders -- Stefan Fritsch Thu, 29 Dec 2011 12:09:14 +0100 apache2 (2.2.21-3ubuntu2) precise; urgency=low * d/ask-for-passphrase: Flip the logic of this script so that it checks first to see if apache is being started from a TTY, and then if not, tries plymouth. (LP: #887410) -- Clint Byrum Tue, 06 Dec 2011 16:49:33 -0800 apache2 (2.2.21-3ubuntu1) precise; urgency=low * Merge from Debian testing. Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/control: Add bzr tag and point it to our tree - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: Plymouth aware passphrase dialog program ask-for-passphrase. -- Chuck Short Fri, 09 Dec 2011 05:20:43 +0000 apache2 (2.2.21-3) unstable; urgency=medium * Fix CVE-2011-4317: Prevent unintended pattern expansion in some reverse proxy configurations. (Similar to CVE-2011-3368, but different attack vector.) * Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault via malicious .htaccess. * Mention dpkg-statoverride for changing permissions of suexec. LP: #897120 * Fix broken link in docs. 
Closes: #650528 * Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders. Thanks for your work in the past. -- Stefan Fritsch Sat, 03 Dec 2011 18:54:03 +0100 apache2 (2.2.21-2ubuntu2) precise; urgency=low * No-change rebuild to drop spurious libsfgcc1 dependency on armhf. -- Adam Conrad Fri, 02 Dec 2011 17:36:28 -0700 apache2 (2.2.21-2ubuntu1) precise; urgency=low * Merge from debian unstable. Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/control: Add bzr tag and point it to our tree - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: Plymouth aware passphrase dialog program ask-for-passphrase. -- Chuck Short Fri, 14 Oct 2011 16:01:29 +0000 apache2 (2.2.21-2) unstable; urgency=high * Fix CVE-2011-3368: Prevent unintended pattern expansion in some reverse proxy configurations by strictly validating the request-URI. * Correctly set permissions of suexec.load even if umask is 0002 during build. LP: #872000 -- Stefan Fritsch Tue, 11 Oct 2011 22:54:47 +0200 apache2 (2.2.21-1) unstable; urgency=low * New upstream release. - Fixes CVE-2011-3348: Possible denial of service in mod_proxy_ajp if combined with mod_proxy_balancer -- Stefan Fritsch Mon, 26 Sep 2011 18:16:11 +0200 apache2 (2.2.20-1ubuntu1) oneiric; urgency=low * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991). Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/control: Add bzr tag and point it to our tree - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: Plymouth aware passphrase dialog program ask-for-passphrase. 
-- Steve Beattie Tue, 06 Sep 2011 01:17:15 -0700 apache2 (2.2.20-1) unstable; urgency=low * New upstream release. * Fix some regressions related to Range requests caused by the CVE-2011-3192 fix. Closes: #639825 * Add build-arch and build-indep rules targets to make Lintian happy. * Bump Standards-Version (no changes). -- Stefan Fritsch Sun, 04 Sep 2011 21:50:22 +0200 apache2 (2.2.19-2) unstable; urgency=high * Fix CVE-2011-3192: DoS by high memory usage for a large number of overlapping ranges. * Reduce default KeepAliveTimeout from 15 to 5 seconds. * Use "linux-any" in build-deps. Closes: #634709 * Improve reload message of a2enmod. Closes: #639291 * Improve description of the prefork MPM. Closes: #634242 * Mention .conf files in a2enmod man page. Closes: #634834 -- Stefan Fritsch Mon, 29 Aug 2011 17:08:17 +0200 apache2 (2.2.19-1ubuntu1) oneiric; urgency=low * Merge from debian unstable (LP: #787013). Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/control: Add bzr tag and point it to our tree - debian/apache2.py, debian/apache2.2-common.install: Add apport hook. - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: Plymouth aware passphrase dialog program ask-for-passphrase. -- Andres Rodriguez Mon, 23 May 2011 10:16:09 -0400 apache2 (2.2.19-1) unstable; urgency=low * New upstream release. - Makes apr-md5 the default algorithm for htpasswd, removing the 8 character limit of the crypt()-algorithm. Closes: #539246 - Fixes merging of IndexOptions. Closes: #394688 - Documents why order of ProxyPass and blocks matters in the configuration. See "Workers" section in the mod_proxy documentation. Closes: #560020 * For multiple instance setups, correctly determine the config dir in the init script if it is called via a start/stop link. Closes: #627061 * Make a2enmod's restart hint more cut'n'paste friendly. 
LP: #770204 * Make it clear in README.multiple-instances that the MPMs are shipped in the apache2.2-bin package. -- Stefan Fritsch Sun, 22 May 2011 10:21:21 +0200 apache2 (2.2.17-3ubuntu1) oneiric; urgency=low * Merge from debian unstable. Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/control: Add bzr tag and point it to our tree - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook. - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: Plymouth aware passphrase dialog program ask-for-passphrase. -- Chuck Short Mon, 11 Apr 2011 02:13:30 +0100 apache2 (2.2.17-3) unstable; urgency=low * Fix compilation with OpenSSL without SSLv2 support. Closes: #622049 * Fix link errors with -no-add-needed/--no-copy-dt-needed-entries in htpasswd/htdbm. -- Stefan Fritsch Sun, 10 Apr 2011 20:43:55 +0200 apache2 (2.2.17-2) unstable; urgency=high * New mpm_itk upstream version 2.2.17-01: - Fix CVE-2011-1176: If NiceValue was set, the default with no AssignUserID was to run as root:root instead of the default Apache user and group, due to the configuration merger having an incorrect default configuration. Closes: #618857 * Make exit code of '/etc/init.d/apache2 status' more LSB compatible. Closes: #613969 * Set the default file descriptor limit to 8192 instead of whatever the current limit is (usually 1024). Document how to change it in /etc/apache2/envvars . Closes: #615632 * Fix typo in init script. Closes: #615866 * Add hint in README.Debian about 403 error with mod_dav PUT. Closes: #613438 * Remove some obsolete Depends and Replaces. -- Stefan Fritsch Mon, 21 Mar 2011 23:01:17 +0100 apache2 (2.2.17-1ubuntu1) natty; urgency=low * Merge from debian unstable, remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. 
- debian/control: Add bzr tag and point it to our tree - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook. - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: Plymouth aware passphrase dialog program ask-for-passphrase. -- Chuck Short Tue, 22 Feb 2011 13:02:08 -0500 apache2 (2.2.17-1) unstable; urgency=low * New upstream version * Disable md5 in mod_ssl default cipher suite. Closes: #609126 * Fix order of comments in "worker" section in apache2.conf. Closes: #608488 -- Stefan Fritsch Tue, 15 Feb 2011 23:30:18 +0100 apache2 (2.2.16-6ubuntu3) natty; urgency=low * debian/rules: Don't use "-fno-strict-aliasing" since it causes apache FTBFS on amd64. (LP: #711293) -- Chuck Short Tue, 01 Feb 2011 10:19:55 -0500 apache2 (2.2.16-6ubuntu2) natty; urgency=low * debian/rules: Use "-fno-strict-aliasing" to work around a gcc bug. (LP: #697105) -- Chuck Short Tue, 25 Jan 2011 11:14:58 -0500 apache2 (2.2.16-6ubuntu1) natty; urgency=low * Merge from debian unstable. Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/control: Add bzr tag and point it to our tree - debain/apache2.py, debian/apache2.2-common.isntall: Add apport hook. - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf: Plymouth aware passphrase dialog program ask-for-passphrase. -- Chuck Short Sun, 02 Jan 2011 06:05:51 +0000 apache2 (2.2.16-6) unstable; urgency=low * Also add $named to the secondary-init-script example. -- Stefan Fritsch Sat, 01 Jan 2011 22:55:15 +0100 apache2 (2.2.16-5) unstable; urgency=medium * Add $named to the init script dependency header, since apache depends on DNS in some configurations. Closes: #608437 * Update outdated description of /etc/apache2/magic in README.Debian. 
Closes: #603586 -- Stefan Fritsch Fri, 31 Dec 2010 01:22:19 +0100 apache2 (2.2.16-4ubuntu2) natty; urgency=low [Clint Byrum] * Adding plymouth aware passphrase dialog program ask-for-passphrase. (LP: #582963) + debian/control: apache2.2-common depends on bash for ask-for-passphrase + debian/config-dir/mods-available/ssl.conf: - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase [Chuck Short] * Add apport hook. (LP: #609177) + debian/apache2.py, debian/apache2.2-common.install -- Chuck Short Mon, 22 Nov 2010 09:43:43 -0500 apache2 (2.2.16-4ubuntu1) natty; urgency=low * Merge from debian unstable. Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/control: Add bzr tag and point it to our tree -- Chuck Short Mon, 22 Nov 2010 09:43:41 -0500 apache2 (2.2.16-4) unstable; urgency=medium * Increase the mod_reqtimeout default timeouts to avoid potential problems with CRL-requesting browsers. Also extend the comments in reqtimeout.conf. * Remove bogus comment in conf.d/security about default in the "release after Lenny". * Clarify comments in suexec-custom's default config file. LP: #673289 -- Stefan Fritsch Sun, 14 Nov 2010 19:05:55 +0100 apache2 (2.2.16-3ubuntu1) natty; urgency=low * Merge from debian unstable. Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/control: Add bzr tag and point it to our tree. -- Chuck Short Tue, 12 Oct 2010 11:54:48 +0100 apache2 (2.2.16-3) unstable; urgency=high * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage. * Fix "Could not reliably determine the server's ..." error message in README.Debian, to make it easier to search for it. Closes: #590528 -- Stefan Fritsch Sat, 09 Oct 2010 20:59:34 +0200 apache2 (2.2.16-2) unstable; urgency=low * Force -j1 for 'make install' to fix occasional FTBFS. 
Closes: #593036 * Add a note about the new behaviour of SSL/TLS renegotiation and the new directive SSLInsecureRenegotiation to NEWS.Debian. Closes: #593334 * Support 'graceful' as alias for 'reload' in the init script. * In README.Debian, suggest an Apache configuration change to get rid of the "Could not reliably determine the server's fully qualified domain name" warning, as alternative to changing DNS or /etc/hosts. Closes: #590528 * Add notes to README.Debian on how to reduce memory usage. * Bump Standards-Version (no changes). -- Stefan Fritsch Sun, 29 Aug 2010 15:29:21 +0200 apache2 (2.2.16-1ubuntu3) maverick; urgency=low * Revert "stty sane" to unbreak apache starting, this will have to be fixed a different way. (LP: #626723) -- Chuck Short Wed, 08 Sep 2010 08:33:17 -0400 apache2 (2.2.16-1ubuntu2) maverick; urgency=low * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a password prompt when using apache-ssl. (LP: #582963) -- Chuck Short Wed, 25 Aug 2010 09:25:05 -0400 apache2 (2.2.16-1ubuntu1) maverick; urgency=low * Merge from debian unstable. Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/control: Add bzr tag and point it to our tree. - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381) -- Chuck Short Mon, 26 Jul 2010 20:21:37 +0100 apache2 (2.2.16-1) unstable; urgency=medium * Urgency medium for security fix. * New upstream release: - CVE-2010-1452: mod_dav, mod_cache: Fix denial of service vulnerability due to incorrect handling of requests without a path segment. - mod_dir: add FallbackResource directive, to enable admin to specify an action to happen when a URL maps to no file, without resorting to ErrorDocument or mod_rewrite * Fix mod_ssl header line corruption because of using memcpy for overlapping buffers. PR 45444. 
LP: #609290, #589611, #595116 -- Stefan Fritsch Sat, 24 Jul 2010 22:18:43 +0200 apache2 (2.2.15-6) unstable; urgency=low * Fix init script not correctly killing htcacheclean. Closes: #580971 * Add a separate entry in README.Debian about the need to use apache2ctl for starting instead of calling apache2 directly. Closes: #580445 * Fix debug info to allow gdb loading it automatically. Closes: #581514 * Fix install target in Makefile created by apxs2 -n. Closes: #588787 * Fix ab sending more requests than specified by the -n parameter. Closes: #541158 * Add apache2 monit configuration to apache2.2-commons examples dir. Closes: #583127 * Build as PIE, since gdb in squeeze now supports it. * Update the postrm script to also purge the version of /var/www/index.html introduced in 2.2.11-7. * Bump Standards-Version (no changes). -- Stefan Fritsch Fri, 16 Jul 2010 23:41:08 +0200 apache2 (2.2.15-5ubuntu1) maverick; urgency=low * Merge from debian unstable. Remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/control: Add bzr tag and point it to our tree. - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381) + Dropped: - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed. - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed. - debian/config-dir/apache2.conf: Merged back from debian. - mod-reqtimeout functionality: Merge back from debian. - debian/patches/204_CVE-2010-0408.dpatch: No longer needed. - debian/patches/205_CVE-2010-0434.dpatch: No longer needed. - debian/patches/203_fix-ab-segfault.dpatch: No longer needed. -- Chuck Short Wed, 05 May 2010 01:28:04 +0100 apache2 (2.2.15-5) unstable; urgency=low * Conflict with apache package as we now include apachectl. Closes: #579065 * Remove conflicts with old apache 2.0 modules. 
The conflicts are not necessary anymore as skipping a stable release is not supported anyway. * Silence the grep in preinst. -- Stefan Fritsch Sun, 25 Apr 2010 10:46:09 +0200 apache2 (2.2.15-4) unstable; urgency=low * Move definition of other_vhosts_access.log to new config file /etc/apache2/conf.d/other-vhosts-access-log, but disable it if it has been disabled by the admin. Closes: #576572. LP: #507616 * Comment out the contents of mods-available/proxy.conf, as it just is a nuisance for use of apache2 as a reverse proxy, which is much more common than the use as forward proxy. Extend the comments in the file. * Change defaults or add example configs for some modules: status.conf: - enable ExtendedStatus by default - enable ProxyStatus by default - document SeeRequestTail directive proxy_ftp.conf: - set 'ProxyFtpDirCharset UTF-8' by default ldap.conf: - enable /ldap-status page, allow it from localhost by default proxy_balancer.conf: - add (disabled) example for /balancer-manager page ssl.conf: - document SSLStrictSNIVHostCheck directive * Add symlink from apachectl to apache2ctl to be more compatible with upstream. Apache httpd 1.3 hasn't been in Debian for some time. * Simplify logrotate script. Closes: #576105 * Remove empty directory /usr/lib/debug/usr/sbin in mpm packages. Closes: #576089 * Fix apxs2 to work with perl 5.12rc3. Closes: #577239 * Add source/format file to make lintian happy. -- Stefan Fritsch Tue, 20 Apr 2010 23:11:09 +0200 apache2 (2.2.15-3) unstable; urgency=low * mod_reqtimeout: backport bugfixes from upstream trunk up to r928881, including a fix for mod_proxy CONNECT requests. * mod_dav_fs: Use correct permissions when creating new files. LP: #540747 -- Stefan Fritsch Mon, 29 Mar 2010 22:16:24 +0200 apache2 (2.2.15-2) unstable; urgency=low * Make the Files ~ "^\.ht" block in apache2.conf more secure by adding Satisfy all. 
Closes: #572075 * mod_reqtimeout: Various bug fixes, including: - Don't mess up timeouts of mod_proxy's backend connections. Closes: #573163 -- Stefan Fritsch Wed, 10 Mar 2010 21:06:06 +0100 apache2 (2.2.15-1) unstable; urgency=low * New upstream version: - CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability - CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol prefix injection attack. - CVE-2010-0434: mod_headers: Fix potential information leak with threaded MPMs. - mod_reqtimeout: New module limiting the time waiting for receiving a request from the client. This is a (partial) mitigation against slowloris-type resource exhaustion attacks. The module is enabled by default. Closes: #533661 - mod_ssl: Add SSLInsecureRenegotiation directive to allow insecure renegotiation with clients which do not yet support the secure renegotiation protocol. As this requires openssl 0.9.8m, bump build dependency accordingly. * Fix bash completion for a2ensite if the site name contains 'conf' or 'load'. Closes: #572232 * Do a configcheck in the init script before doing a non-graceful restart. Closes: #571461 -- Stefan Fritsch Sun, 07 Mar 2010 23:22:56 +0100 apache2 (2.2.14-7) unstable; urgency=low * Fix potential memory leaks related to the usage of apr_brigade_destroy(). * Add hints about correct mod_dav_fs configuration to README.Debian. Closes: #257945 * Fix error in Polish translation of 404 error page. Closes: #570228 * Document ThreadLimit in apache2.conf's comments. -- Stefan Fritsch Sat, 20 Feb 2010 12:38:30 +0100 apache2 (2.2.14-6) unstable; urgency=low * Use environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR, and APACHE_LOG_DIR in the default configuration. If you have modified /etc/apache2/envvars, make sure that these variables are set and exported. * Add support for multiple apache2 instances to initscript and apache2ctl. See /usr/share/doc/apache2.2-common/README.multiple-instances for details.
Closes: #353450 * Set default compiled-in ServerRoot to /etc/apache2 and make paths in apache2.conf relative to ServerRoot. * Move ab and logresolve from /usr/sbin to /usr/bin. Closes: #351450, #564061 * Fix symlinks in apache2-dbg package. Closes: #567076 * Fix mod_cache CacheIgnoreURLSessionIdentifiers handling. Closes: #556383 * Add new init script action graceful-stop (LP: #456381) * Add more languages to mime.conf. To limit this to useful entries, we only add those for which a translation of the Debian intaller exists. LP: #217964 * Unset $HOME in /etc/apache2/envvars. * Change default config of mod_info and mod_status to use IP addresses instead of hostnames. Otherwise the hostname is sometimes logged even with 'HostnameLookup Off'. Closes: #568409 * Add a hook to apache2.2-common's postrm script that may come in handy when upgrading to 2.4. * Make bug script also display php extensions. * Bump Standards-Version (no changes). * Remove Adam Conrad from Uploaders. Thanks for your work in the past. -- Stefan Fritsch Sun, 07 Feb 2010 17:29:45 +0100 apache2 (2.2.14-5ubuntu8) lucid; urgency=low * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so (LP: #562370) -- Chuck Short Tue, 13 Apr 2010 15:09:57 -0400 apache2 (2.2.14-5ubuntu7) lucid; urgency=low * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory leaks by making sure to not destroy bucket brigades that have been created by earlier filters. Backported from 2.2.15. * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server has reached MaxClients until it has. Backported from 2.2.15 * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf more secure by adding Satisfy all. 
(Debian bug: #572075) * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch, debian/config2-dir/mods-available/reqtimeout.load, debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris bug in apache. Enable it by default. (LP: #392759) -- Chuck Short Mon, 05 Apr 2010 09:53:35 -0400 apache2 (2.2.14-5ubuntu6) lucid; urgency=low * debian/apache2.2-common.apache2.init: Fix thinko. (LP: #551681) -- Chuck Short Tue, 30 Mar 2010 09:41:11 -0400 apache2 (2.2.14-5ubuntu5) lucid; urgency=low * Revert 99-fix-mod-dav-permissions.dpatch -- Chuck Short Tue, 30 Mar 2010 07:55:46 -0400 apache2 (2.2.14-5ubuntu4) lucid; urgency=low * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when downloading files from webdav (LP: #540747) * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381) -- Chuck Short Mon, 29 Mar 2010 13:37:39 -0400 apache2 (2.2.14-5ubuntu3) lucid; urgency=low * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp - debian/patches/204_CVE-2010-0408.dpatch: return the right error code in modules/proxy/mod_proxy_ajp.c. - CVE-2010-0408 * SECURITY UPDATE: information disclosure via improper handling of headers in subrequests - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in in server/protocol.c. - CVE-2010-0434 -- Marc Deslauriers Wed, 10 Mar 2010 14:48:48 -0500 apache2 (2.2.14-5ubuntu2) lucid; urgency=low * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really wacky options. (LP: #450501) -- Chuck Short Mon, 08 Mar 2010 14:53:17 -0500 apache2 (2.2.14-5ubuntu1) lucid; urgency=low * Merge from debian testing. Remaining changes: LP: #506862 - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/control: Add bzr tag and point it to our tree. 
-- Bhavani Shankar Wed, 13 Jan 2010 14:28:41 +0530 apache2 (2.2.14-5) unstable; urgency=low * Security: Further mitigation for the TLS renegotiation attack (CVE-2009-3555): Disable keep-alive if parts of the next request have already been received when doing a renegotiation. This defends against some request splicing attacks. * Print a useful error message if 'apache2ctl status' fails. Add a comment to /etc/apache2/envvars on how to change the options for www-browser. Closes: #561496, #272069 * Improve function to detect apache2 pid in init-script (closes: #562583). * Add hint to README.Debian on how to pass auth info to CGI scripts. Closes: #483219 * Re-introduce objcopy magic to avoid dangling symlinks to the debug info in the mpm packages. Closes: #563278 * Make apxs2 use a2enmod and /etc/apache2/mods-available. Closes: #470178, LP: #500703 * Point to README.backtrace in apache2-dbg's description. * Use more debhelper functions to simplify debian/rules. * Add misc-depends to various packages to make lintian happy. * Change build-dep from libcap2-dev to libcap-dev because of package rename. -- Stefan Fritsch Sat, 02 Jan 2010 22:44:15 +0100 apache2 (2.2.14-4ubuntu1) lucid; urgency=low * Resynchronize with Debian, remaining changes are: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. - debian/control: Add bzr tag and point it to our tree. -- Chuck Short Wed, 23 Dec 2009 14:44:51 -0500 apache2 (2.2.14-4) unstable; urgency=low * Disable localized error pages again by default because they break configurations with " SetHandler ...". A workaround is described in the comments in /etc/apache2/conf.d/localized-error-pages (closes: #543333). * mod_rewrite: Fix URLs in redirects with literal IPv6 hosts (closes: #557015). * Automatically listen on port 443 if mod_gnutls is loaded (closes: #558234). * Add man page for split-logfile.
* Link with -lcrypt where necessary to fix a FTBFS with binutils-gold (closes: #553946). -- Stefan Fritsch Sun, 13 Dec 2009 20:05:37 +0100 apache2 (2.2.14-3) unstable; urgency=low * Backport various mod_dav/mod_dav_fs fixes from upstream trunk svn. This includes: - Make PUT replace files atomically (closes: #525137). - Make MOVE not delete the destination if the source file disappeared in the meantime (closes: #273476). NOTE: The format of the DavLockDB has changed. The default DavLockDB will be deleted on upgrade. Non-default DavLockDBs should be deleted manually. * Fix output of "/etc/init.d/apache2 status" (closes: #555687). * Update the comment about SNI in ports.conf (closes: #556932). * Set redirect-carefully for Konqueror/4. -- Stefan Fritsch Sat, 21 Nov 2009 10:20:54 +0100 apache2 (2.2.14-2) unstable; urgency=medium * Security: Reject any client-initiated SSL/TLS renegotiations. This is a partial fix for the TLS renegotiation prefix injection attack (CVE-2009-3555). Any configuration which requires renegotiation for per-directory/location access control is still vulnerable. * Allow RemoveType to override the types from /etc/mime.types. This allows to use .es and .tr for Spanish and Turkish files in mod_negotiation. Closes: #496080 * Fix 'CacheEnable disk http://'. Closes: #442266 * Fix missing dependency by changing killall to pkill in the init script. LP: #460692 * Add X-Interactive header to init script as it may ask for the ssl key passphrase. Closes: #554824 * Move httxt2dbm man page into apache2.2-bin, which includes httxt2dbm, too. * Enable keepalive for MSIE 7 and newer in default-ssl site and README.Debian -- Stefan Fritsch Sat, 07 Nov 2009 14:37:37 +0100 apache2 (2.2.14-1ubuntu1) lucid; urgency=low * Merge from debian testing, remaining changes: - debian/{control, rules}: Enable PIE hardening. - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles. - debian/conrol: Add bzr tag and point it to our tree. 
- Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch: Already applied upstream. -- Chuck Short Fri, 06 Nov 2009 00:29:03 +0000 apache2 (2.2.14-1) unstable; urgency=low * New upstream version: - new module mod_proxy_scgi * Disable hardening option -pie again, as gdb in Debian does not support it properly and it is broken on mips*. -- Stefan Fritsch Tue, 29 Sep 2009 20:55:05 +0200 apache2 (2.2.13-2) unstable; urgency=high * mod_proxy_ftp security fixes (closes: #545951): - DoS by malicious ftp server (CVE-2009-3094) - missing input sanitization: a user could execute arbitrary ftp commands on the backend ftp server (CVE-2009-3095) * Add entries to NEWS.Debian and README.Debian about Apache being stricter about certain misconfigurations involving name based SSL virtual hosts. Also make Apache print the location of the misconfigured VirtualHost when it complains about a missing SSLCertificateFile statement. Closes: #541607 * Add Build-Conflicts: autoconf2.13 (closes: #541536). * Adjust priority of apache2-mpm-itk to extra. * Switch apache2.2-common and the four mpm packages from architecture all to any. This is stupid but makes apache2 binNMUable again (closes: #544509). * Bump Standards-Version (no changes). -- Stefan Fritsch Wed, 16 Sep 2009 20:55:02 +0200 apache2 (2.2.13-1) unstable; urgency=low * New upstream release: - Fixes segfault with mod_deflate and mod_php (closes: #542623). -- Stefan Fritsch Mon, 31 Aug 2009 20:28:56 +0200 apache2 (2.2.12-1ubuntu2) karmic; urgency=low * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch: - Fix potential segfaults with the use of the legacy ap_rputs() etc interfaces, in cases where an output filter fails. This happens frequently after CVE-2009-1891 got fixed. (LP: #409987) -- Marc Deslauriers Mon, 17 Aug 2009 15:38:47 -0400 apache2 (2.2.12-1ubuntu1) karmic; urgency=low * Merge from debian unstable, remaining changes: - debian/{control,rules}: enable PIE hardening. 
- debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch. -- Chuck Short Tue, 04 Aug 2009 20:04:24 +0100 apache2 (2.2.12-1) unstable; urgency=low * New upstream release: - Adds support for TLS Server Name Indication (closes: #461917 LP: #184131). (The Debian default configuration will be changed to use SNI in a later version.) - Fixes timefmt config in SSI (closes: #363964). - mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable stricter checking of remote server certificates. * Make mod_deflate not compress the content for HEAD requests. This is a similar issue as CVE-2009-1891. * Enable hardening compile options. * Switch default LogFormat from %b (size of file sent) to %O (bytes actually sent) (closes: #272476 LP: #255124) * Add the default LANG=C to /etc/apache2/envvars and document it in README.Debian (closes: #511878). * Enable localized error pages by default if the necessary modules are loaded. Move the config for it from apache2.conf to /etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the required order of the aliases in the comment (closes: #196795). * Change default for ServerTokens to 'OS', to not announce the exact module versions to the world (LP: #205996) * Make a2ensite and friends ignore the same filenames as apache does for included config files, even if LANG is not C. * Merge source packages apache2 and apache2-mpm-itk (current itk version is 2.2.11-02). This removes the binNMU mess necessary for every apache2 upload (closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src package, which is no longer necessary. * Ship our own version of the magic config file (taken from file 4.17-5etch3) which is still compatible with mod_mime_magic (closes: #483111). * Add ThreadLimit to the default config and put ThreadsPerChild and MaxClients into the correct order so that Apache does not complain (closes: #495656). 
Also add a configuration block for the event MPM in apache2.conf. * Fix HTTP PUT with mod_dav failing to detect an aborted connection (closes: #451563). * Change references to httpd.conf in apache2-doc to apache2.conf (closes: #465393). * Clarify the recommended permissions for SSL certificates in README.Debian (closes: #512778). * Document in README.Debian how to name files in conf.d to avoid conflicts with packages (closes: #493252) * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts. * Remove other_vhosts_access.log on package purge. -- Stefan Fritsch Tue, 04 Aug 2009 11:02:34 +0200 apache2 (2.2.11-7ubuntu1) karmic; urgency=low * Merge from debian unstable, remaining changes: LP: #398130 - debian/patches/203_fix-ssl-timeftm-ignored.dpatch: Fix timefmt is ignored when XBitHack is on. (LP: #258914) - debian/{control,rules}: enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. -- Bhavani Shankar Sat, 11 Jul 2009 16:34:32 +0530 apache2 (2.2.11-7) unstable; urgency=low * Security fixes: - CVE-2009-1890: denial of service in mod_proxy - CVE-2009-1891: denial of service in mod_deflate (closes: #534712) * Add symlinks for the debug info to the mpm packages. * Be slightly more informative in the default index.html without pointing to Apache or Debian (LP: #89364) * Remove dependency on net-tools, which is no longer necessary (closes: #535849) * Bump Standards-Version (no changes) -- Stefan Fritsch Fri, 10 Jul 2009 22:42:57 +0200 apache2 (2.2.11-6ubuntu1) karmic; urgency=low * Merge from debian unstable, remaining changes: - debian/patches/203_fix-ssl-timeftm-ignored.dpatch: Fix timefmt is ignored when XBitHack is on. (LP: #258914) - debian/{control,rules}: enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. 
-- Chuck Short Tue, 09 Jun 2009 01:01:23 +0100 apache2 (2.2.11-6) unstable; urgency=high * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server Side Includes (closes: #530834). * Fix postinst scripts (closes: #532278). -- Stefan Fritsch Mon, 08 Jun 2009 19:22:58 +0200 apache2 (2.2.11-5ubuntu1) karmic; urgency=low * Merge from debian unstable, remaining changes: - debian/patches/203_fix-ssi-timeftm-ignored.dpatch: Fix timefmt is ignored when XBitHack is on. (LP: #258914) - debian/{control,rules}: enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. -- Andrew Mitchell Wed, 03 Jun 2009 14:10:54 +1200 apache2 (2.2.11-5) unstable; urgency=low * Move all binaries into a new package apache2.2-bin and make apache2.2-common depend on it. This allows to - run apache as user process only, e.g. with gnome-user-share. Closes: #468690 - run multiple instances of apache with different MPMs. This configuration is not supported in any way, though. Closes: #517572 * Switch to debhelper compatibility level 7 and remove some code duplication in debian/rules. * Override some Lintian warnings about old autotools helper files and being not binNMUable (apache2 is not binNMUable anyway, because of the apache2 <-> apache2-mpm-itk dependency). -- Stefan Fritsch Fri, 22 May 2009 19:30:20 +0200 apache2 (2.2.11-4) unstable; urgency=low [ Stefan Fritsch ] * Disable TRACE method by default (closes: #492130). * Compress some more mime types with mod_deflate by default. This may cause problems with MSIE 6, but that browser should now be considered obsolete. 
Closes: #397526, #521209 * Various backports from upstream svn branches/2.2.x: - CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body - Fix FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes PR 45959 (closes: #524474) - Fix mod_rewrite "B" flag breakage PR 45529 (closes: #524268) - Fix mod_deflate etag handling PR 45023 (LP: #358314) - Fix mod_ldap segfault if LDAP initialization failed PR 45994 * Allow apache2-mpm-itk as alternate dependency in apache2 meta package (closes: #527225). * Fix some misuse of command substitution in the init script. Thanks to Jari Aalto for the patch. (Closes: #523398) * Extend the gnome-vfs DAV workaround to gvfs (closes: #522845). * Add more info to check_forensic man page (closes: #528424). * Make "apache2ctl help" point to help on apache2 args (closes: #528425). * Lintian warnings: - fix spelling error in apache2-utils description - tweak debian/copyright to make lintian not complain about pointers to GPL - bump standards-version (no changes) [ Peter Samuelson ] * Adjust sections to match recent ftpmaster overrides. -- Stefan Fritsch Tue, 19 May 2009 22:55:27 +0200 apache2 (2.2.11-3ubuntu1) karmic; urgency=low * Merge from debian unstable, remaining changes: - debian/patches/203_fix-ssi-timeftm-ignored.dpatch: Fix timefmt is ignored when XBitHack is on. (LP: #258914) - debian/{control,rules}: enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. -- Andrew Mitchell Tue, 12 May 2009 16:15:34 +1200 apache2 (2.2.11-3) unstable; urgency=low * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap (see #521899). This also creates the dependencies on the new external libaprutil1-dbd-* and libaprutil1-ldap packages. 
-- Stefan Fritsch Tue, 31 Mar 2009 21:07:26 +0200 apache2 (2.2.11-2ubuntu2) jaunty; urgency=low * debian/patches/203_fix-ssi-timeftm-ignored.dpatch: Fix timefmt is ignored when XBitHack is on. (LP: #258914) -- Chuck Short Wed, 01 Apr 2009 11:39:17 -0400 apache2 (2.2.11-2ubuntu1) jaunty; urgency=low * Merge from debian unstable, remaining changes: - debian/{control,rules}: enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. -- Chuck Short Sat, 17 Jan 2009 00:02:55 +0000 apache2 (2.2.11-2) unstable; urgency=low * Report an error instead of segfaulting when apr_pollset_create fails (PR 46467). On Linux kernels since 2.6.27.8, the value in /proc/sys/fs/epoll/max_user_instances needs to be larger than twice the value of MaxClients in the Apache configuration. Closes: #511103 -- Stefan Fritsch Fri, 16 Jan 2009 19:01:59 +0100 apache2 (2.2.11-1ubuntu1) jaunty; urgency=low * Merge from debian unstable, remaining changes: - debian/{control, rules}: enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. -- Chuck Short Mon, 15 Dec 2008 00:06:50 +0000 apache2 (2.2.11-1) unstable; urgency=low [Thom May] * New Upstream Version (Closes: #508186, LP: #307397) - Contains rewritten shmcb code which should fix alignment problems on alpha (Closes: #419720). - Notable new features: chroot support, mod_proxy improvements. [Ryan Niebur] * fix segfault in ab when being verbose on ssl sites (Closes: #495982) * remove trailing slash for DocumentRoot (Closes: #495110) -- Stefan Fritsch Sun, 14 Dec 2008 09:34:24 +0100 apache2 (2.2.9-11ubuntu1) jaunty; urgency=low * Merge from debian unstable, remaining changes: (LP: #303375) - debian/{control, rules}: enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
-- Bhavani Shankar Sat, 29 Nov 2008 14:02:31 +0530 apache2 (2.2.9-11) unstable; urgency=low * Regression fix from upstream svn for mod_proxy: Prevent segmentation faults by correctly adjusting the lifetime of the buckets read from the proxy backend. PR 45792 * Fix from upstream svn for mpm_worker: Crosscheck that idle workers are still available before using them and thus preventing an overflow of the worker queue which causes a SegFault. PR 45605 * Add a comment to ports.conf to point to NEWS.Debian.gz in case of upgrading problems. -- Stefan Fritsch Wed, 26 Nov 2008 23:10:22 +0100 apache2 (2.2.9-10ubuntu1) jaunty; urgency=low * Merge from debian unstable, remaining changes: - debian/{control, rules}: enable PIE hardening. - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. -- Chuck Short Wed, 05 Nov 2008 02:23:18 -0400 apache2 (2.2.9-10) unstable; urgency=low * Regression fix from upstream svn for mod_proxy_http: Don't trigger a retry by the client if a failure to read the response line was the result of a timeout. -- Stefan Fritsch Wed, 01 Oct 2008 11:50:18 +0200 apache2 (2.2.9-9) unstable; urgency=medium * Revert the attempted fix for #496080 because it did not work due to upstream PR 38330. Instead, document the problem and possible workarounds in README.Debian. -- Stefan Fritsch Fri, 12 Sep 2008 11:39:15 +0200 apache2 (2.2.9-8) unstable; urgency=low * Fix Spanish language support which was broken by .es being added to /etc/mime.types for application/ecmascript. (Closes: #496080) * Correct description of ServerTokens in /etc/apache2/conf.d/security. (Closes: #497362) * Clarify how to use apache2ctl to pass arbitrary arguments to apache2. (LP: #259363) * Add hints to README.Debian about the messages "NameVirtualHost *:80 has no VirtualHosts" and "File does not exist: /htdocs". -- Stefan Fritsch Thu, 11 Sep 2008 09:17:33 +0200 apache2 (2.2.9-7ubuntu3) intrepid; urgency=low * Revert logrotate change since it will break it for everyone. 
-- Chuck Short Fri, 19 Sep 2008 09:32:01 -0400 apache2 (2.2.9-7ubuntu2) intrepid; urgency=low * debian/logrotate: Restart rather than reload for busy websites. (LP: #270899) -- Chuck Short Thu, 18 Sep 2008 08:42:22 -0400 apache2 (2.2.9-7ubuntu1) intrepid; urgency=low * Merge from debian unstable, remaining changes: - debian/{control,rules}: enable PIE hardening. - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles. -- Kees Cook Thu, 28 Aug 2008 08:10:59 -0700 apache2 (2.2.9-7) unstable; urgency=low * Fix XSS in mod_proxy_ftp (CVE-2008-2939). * Fix mod_proxy_http losing the query string with noescape (PR 45247). * Make the balancer manager work in Opera and MSIE (PR 45578). * Fix mod_headers "edit" removing multiple headers with the same name (PR 45333). * Also describe how to get a backtrace from a running process in README.backtrace. -- Stefan Fritsch Fri, 08 Aug 2008 19:27:40 +0200 apache2 (2.2.9-6) unstable; urgency=high * Urgency high for RC bug fix. * Fix SIGBUS on SPARC by preventing gcc from optimizing some memcpy calls away. (Closes: #485525) -- Stefan Fritsch Sun, 20 Jul 2008 10:17:19 +0200 apache2 (2.2.9-5) unstable; urgency=medium * Urgency medium to get this into testing before the freeze. * Remove IPv6 patch that was necessary for very old kernels but creates problems on systems with current kernels and net.ipv6.bindv6only = 1. Apache will now always create its sockets with IPV6_V6ONLY set to 0. (Closes: #391280) -- Stefan Fritsch Mon, 07 Jul 2008 21:20:48 +0200 apache2 (2.2.9-4) unstable; urgency=low * Make postinst more quiet. (Closes: #489153) * Add Turkish language support. (Closes: #489224) * Remove duplicate comments in sites-available/default-ssl. (Closes: #489383) * Describe in NEWS.Debian how to revert to the old NameVirtualHost config. (Closes: #489215) * Redirect apache2 bug reports to apache2.2-common, to get useful dependency information. 
-- Stefan Fritsch Sun, 06 Jul 2008 10:38:37 +0200 apache2 (2.2.9-3ubuntu2) intrepid; urgency=low * add ufw integration (see https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages) (LP: #261198) - debian/control: suggest ufw for apache2.2-common - add apache2.2-common.ufw.profile with 3 profiles and install it to /etc/ufw/applications.d/apache2.2-common -- Didier Roche Tue, 26 Aug 2008 19:03:42 +0200 apache2 (2.2.9-3ubuntu1) intrepid; urgency=low * debian/{control,rules}: enable PIE hardening -- Kees Cook Wed, 20 Aug 2008 15:45:00 -0700 apache2 (2.2.9-3) unstable; urgency=low [ Stefan Fritsch ] * Move NameVirtualHost directive to ports.conf and switch from "*" to "*:80". (Closes: #314606, #486286) * Comment out the CacheEnable line in disk_cache.conf. It would have caused problems with Etch to Lenny upgrades. * Change the minimum user id for suexec back to 100, the new value of 1000 was too disruptive for existing configurations. (Closes: #488821) * Add a default SSL virtual host. (Closes: #267477) - Use snakeoil certificate by default (if ssl-cert is installed). (Closes: #293524, #446765) - Document this in README.Debian. (Closes: #293469, #293519, #398520, #395823) - Add MSIE workarounds. (Closes: #421802) - Add ssl-cert to Recommends. * Add a new config file /etc/apache2/conf.d/security with some vaguely security-related directives. (Closes: #260063) * Adjust mod_userdir accordingly. Also add "AllowOverride Indexes" for the home directories. * Disable SSLv2 by default. It is insecure. Also only enable ciphers with key lengths of at least 128 bit. * Make the init script complain about a missing $APACHE_PID_FILE during "start", too, and not only during "stop" or "restart". This makes it more obvious that /etc/apache2/envvars has to be updated. (Closes: #473982) * Add hint about the "..., using 127.0.0.1 for ServerName" warning to README.Debian.
(Closes: #457708) * Add hint about the "could not create rewrite_log_lock" error message to README.Debian. (Closes: #450831) * Remove empty dir from apache2-doc to fix Lintian warning. * Always pass -g to gcc instead of relying on dpkg-buildpackage to set CFLAGS. We always want the debug info for the apache2-dbg package. [ Ryan Niebur ] * Upgraded to policy 3.8.0 - added support for noopt in DEB_BUILD_OPTIONS - added a README.source - added support for parallel in DEB_BUILD_OPTIONS * Dropped XS- from the Vcs fields in control -- Stefan Fritsch Wed, 02 Jul 2008 10:15:57 +0200 apache2 (2.2.9-2) unstable; urgency=low * Make the init script use normal 'stop' instead of 'graceful-stop' again: With graceful-stop, it can take a long time until all child processes have closed their listening sockets and there is no way for the init script to know when it is safe to start apache again. This could make the restart of apache fail. (Closes: #486629, #463338) * Improve package descriptions, thanks to Justin B Rye. (Closes: #486855) -- Stefan Fritsch Sat, 21 Jun 2008 12:22:17 +0200 apache2 (2.2.9-1) unstable; urgency=low * New upstream release. Notable changes: - mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage (CVE-2008-2364). - mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager (CVE-2007-6420). - Worker / Event MPM: Fix race condition in pool recycling that leads to segmentation faults under load. (Closes: #484800) - mod_proxy: Keep connections to the backend persistent in the HTTPS case. - mod_proxy: Support environment variable interpolation in reverse proxying directives. - mod_headers: Add 'merge' option to avoid duplicate values within the same header. - mod_substitute: The default is now flattening the buckets after each substitution. The newly added 'q' flag allows for the quicker, more efficient bucket-splitting. 
* Shorten the init script's waiting period during 'restart' from 10 to 4 seconds. This should still be plenty to allow the apache processes to close their listening sockets. Make the wait even shorter if apache dies faster. (Closes: #479136) * Fix some lintian warnings: - Add some missing patch descriptions. - Point to /usr/share/common-licenses instead of including the license in the copyright file. -- Stefan Fritsch Sat, 14 Jun 2008 08:29:41 +0200 apache2 (2.2.8-5) unstable; urgency=low * Replace a2{en,dis}{mod,site} by a rewritten version that - supports wildcards (Closes: #373969). - can be influenced with environment variables (Closes: #349716). - checks existing symlinks for correctness (Closes: #409970). - allows to remove dead symlinks (Closes: #480893). * Move suexec suid helper program to a separate package apache2-suexec, which is not installed by default. Provide an alternative version of suexec, which can be customized with a config file. This can be found in the apache2-suexec-custom package. Closes: #312252, #266835 * Some more suexec fixes: - Fix race condition when changing directories. - Accept only /var/www/*, and not /var/www*. The same for public_html/* instead of public_html* (CVE-2007-1742). - Raise the minimum userid that suexec may change to from 100 to 1000. * Enable mod_deflate in new installs. * Include config.nice in apache2-src. This hopefully allows apache2-mpm-itk to drop the build-dependency on apache2-prefork-dev. * Mention environment variables in apache2 and apache2ctl man pages and point to README.Debian. (Closes: #475150) * Drop unneeded build-dep on libtool. * Drop obsolete apache2-mpm-perchild package (closes: #477522). * Don't fail in postinst if there is a dangling symlink /var/www/index.html. * Fix typo in bug number in 2.2.8-3 changelog entry. * Use dh_lintian in debian/rules. -- Stefan Fritsch Sat, 31 May 2008 17:02:03 +0200 apache2 (2.2.8-4) unstable; urgency=high * Urgency high for DoS vulnerability fix. 
* Fix memory leak in mod_ssl with zlib compression. -- Stefan Fritsch Tue, 13 May 2008 22:31:37 +0200 apache2 (2.2.8-3) unstable; urgency=low * mod_cache: Handle If-Range correctly if the cached resource was stale (closes: #470652). * mod_autoindex: Use UTF-8 as character set for filenames in the default configuration. Change this in autoindex.conf if you are still using ISO-8859-1. * Introduce APACHE_RUN_DIR and APACHE_LOCK_DIR in apache2ctl. Also, make it use APACHE_RUN_USER instead of APACHE2_RUN_USER, to be consistent with apache2.conf. * Add 'status' function to init script (adapted from patch by Dustin Kirkland). * Don't build the modules three times. We are only shipping one set of them, anyway. (Inspired by the Fedora package.) * Remove Fabio M. Di Nitto from the uploaders field (thanks for your work). -- Stefan Fritsch Fri, 14 Mar 2008 10:57:19 +0100 apache2 (2.2.8-2) unstable; urgency=low * Provide a fallback access log (other_vhosts_access.log) and a suitable LogFormat (vhost_combined) for VirtualHosts that don't define their own log file. (Closes: #313430) * Fix broken symlink to README.Debian.gz and typos in the file (closes: #461462). * Improve generation of password salts in htpasswd (closes: #469271). * Point VCS tags in debian control to trunk, to make them useful with debcheckout. * Add missing ${APACHE_ARGUMENTS} to *) case in apache2ctl. * In upgrades from etch, replace /etc/apache2/default without asking also in the NO_START=1 case, in order to not break piuparts (closes: #466367). * Print file name where "Useless use of AllowOverride" occurred. (Closes: #410334) * Make bugreport script source /etc/apache2/envvars before calling apache2. * Add note about MSIE SSL workaround to README.Debian. * Don't ship empty /var/www/apache2-default in apache2-doc. (Closes: #469145) * mod_autoindex: Use the bomb icon only for the name 'core', not for '*core'. (Closes: #467480) * Include module name in a2enmod error messages (closes: #461341). 
-- Stefan Fritsch Sat, 08 Mar 2008 12:28:14 +0100 apache2 (2.2.8-1) unstable; urgency=low * New upstream version: - Fixes cross-site scripting issues in o mod_imagemap (CVE-2007-5000) o mod_status (CVE-2007-6388) o mod_proxy_balancer's balancer manager (CVE-2007-6421) - Fixes a denial of service issue in mod_proxy_balancer's balancer manager (CVE-2007-6422). - Fixes mod_proxy URL encoding in error messages (closes: #337325). - Adds explicit charset to the output of various modules to work around possible cross-site scripting flaws affecting web browsers that do not derive the response character set as required by RFC2616. For mod_proxy_ftp there is now the new ProxyFtpDirCharset directive to specify something else than ISO-8859-1 (CVE-2008-0005). - Adds mod_substitute which performs inline response content pattern matching (including regex) and substitution (like mod_line_edit). - Adds "DefaultType none" option. - Adds new "B" option to RewriteRule to suppress URL unescaping. - Adds an "if" directive for mod_include to test whether an URL is accessible, and if so, conditionally display content. - Adds support for mod_ssl to the event MPM. * Move the configuration of User, Group, and PidFile to /etc/apache2/envvars. This makes it easier to use these settings in scripts. /etc/apache2/envvars can now also be used to influence apache2ctl (inspired by Marc Haber's patch). (Closes: #349709, #460105, #458085) * Make apache2ctl check the configuration syntax before trying to restart apache, to match the behaviour documented in the man page. (Closes: #459236) * Convert docs to be directly viewable with a browser (and not use content negotiation). * Add doc-base entry for the documentation. (closes: #311269) * Don't ship default files in /var/www, but copy a sample file to /var/www/index.html on new installs. Also remove the now unneeded RedirectMatch line from sites-available/default. 
(Closes: #411774, #458093) * Add some information to README.Debian (Apache wiki, default virtual host) * Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary dependencies, easing library transitions (closes: #458857). * Add icons for OpenDocuments, add sharutils to Build-Depends for uudecode. Patch by Nicolas Valcárcel. (Closes: #436441) * Add reportbug script to list enabled modules. * Fix some lintian warnings: - Pass --no-start to dh_installinit instead of omitting the debhelper token in various maintainer scripts. Also move the update-rc.d call to apache2.2-common. - Add Short-Description to init script. * Remove unused apache2-mpm-prefork.prerm from source package and clean up debian/rules a bit. * Don't ship NEWS.Debian with apache2-utils, as the contents are only relevant for the server. -- Stefan Fritsch Thu, 17 Jan 2008 20:27:56 +0100 apache2 (2.2.6-3) unstable; urgency=low * Allocate fewer bucket brigades in case of a flush bucket. This might help with the memory leaks reported in #399776 and #421557. * Escape the HTTP method in error messages to avoid potential cross site scripting vulnerabilities (CVE-2007-6203). * Update 053_bad_file_descriptor_PR42829.dpatch to avoid a race condition. * Redirect /doc/apache2-doc/manual/ to /manual/ in the apache2-doc config (Closes: #450867). * Add icons for .ogg and .ogm (Closes: #255443). * Add comment about how to log X-Forwarded-For (Closes: #425008). * Make mod_proxy_balancer not depend on mod_cache. * Add Homepage field to debian/control. * Add/fix some lintian overrides, fix some warnings. * Bump Standards-Version (no changes). -- Stefan Fritsch Fri, 07 Dec 2007 22:38:59 +0100 apache2 (2.2.6-2) unstable; urgency=low * Avoid calling apr_pollset_poll() and accept_func() when the listening sockets have already been closed on graceful stop or reload. 
This hopefully fixes processes not being killed (closes: #445263, #447164) and the "Bad file descriptor: apr_socket_accept: (client socket)" error message (closes: #400918, #443310) * Allow logresolve to process long lines (Closes: #331631) * Remove duplicate config examples (Closes: #294662) * Include README.backtrace describing how to create a backtrace * Add CVE reference to 2.2.6-1 changelog entry -- Stefan Fritsch Thu, 18 Oct 2007 19:35:40 +0200 apache2 (2.2.6-1) unstable; urgency=low * New upstream release - fixes mod_proxy DoS for threaded MPMs (CVE-2007-3847) - fixes spurious warning for valid wildcard certificates (Closes: #414855) - adds warning that htpasswd is not setuid safe (Closes: #356285) - adds Type and Charset options to IndexOptions directive, allowing a workaround for buggy browsers affected by CVE-2007-4465 - adds new ProxyPassMatch directive * Add index.htm to the default DirectoryIndex configuration (Closes: #439375) * Use apache2ctl in init script (Closes: #439027) * make init script less noisy (Closes: #438950) * improve NEWS entry (Closes: #440084) -- Stefan Fritsch Thu, 06 Sep 2007 23:54:42 +0200 apache2 (2.2.4-3) unstable; urgency=low [ Stefan Fritsch ] * enable default site on new installs again (Closes: #436341) * make mod_authn_dbd depend on mod_dbd * make a2dissite return 0 if a site is already disabled (Closes: #435398) * make a2 scripts print errors to stderr (Closes: #435400) * move TypesConfig directive from apache2.conf to mime.conf (Closes: #434248) [ Adam Conrad ] * Special case apache2-dbg magic in debian/rules, so we don't do this on Ubuntu, which has an archive of detached debug packages. -- Stefan Fritsch Tue, 07 Aug 2007 20:49:28 +0200 apache2 (2.2.4-2) unstable; urgency=low * Modularize config: Move module specific configuration from apache2.conf to mods-available/*conf (Closes: #338472) * Remove the NO_START kludge. Now you have to use rc*.d symlinks to disable apache2. 
(Closes: #408462, #275561) * Create run and lock directories in apache2ctl to make it work on fresh installations before the first call of the init script. Together with the previous item, this closes: #418499 * Disable AddDefaultCharset again (Closes: #397886) * Make ports.conf, conf.d/charset, and /etc/default/apache2 conffiles managed by dpkg * Listen on port 443 by default if mod_ssl is loaded (Closes: #404598) * Add logic to start htcacheclean as daemon or cronjob. The configuration is in /etc/default/apache2 * Fix security issues: - CVE-2007-3304: prevent parent process to send SIGUSR1 to arbitrary processes - CVE-2006-5752: XSS in mod_status * Add init.d dependency info from insserv overrides to /etc/init.d/apache2 * Replace apachectl with apache2ctl in docs (Closes: #164493) * Add usage message to apache2ctl (Closes: #359008) * Make -dev packages priority extra * Add secure example cipher/protocol configuration to ssl.conf * Update watch file (Closes: #433552) * Bump dh_compat to 5 * Add new package apache2-dbg with debugging symbols * Fix mod_cache returning 304 instead of 200 on HEAD requests -- Stefan Fritsch Tue, 03 Jul 2007 21:23:40 +0200 apache2 (2.2.4-1) unstable; urgency=medium [ Stefan Fritsch ] * Urgency medium for security fix * Fix CVE-2007-1863: DoS in mod_cache * New upstream version (Closes: #427050) - Fixes "proxy: error reading status line from remote server" (Closes: #410331) * Fix CVE-2007-1862: mod_mem_cache DoS (introduced in 2.2.4) * Change logrotate script to use reload instead of restart. 
(Closes: #298689) * chmod o-rx /var/log/apache2 (Closes: #291841) * chmod o-x suexec (Closes: #431048) * Update patch for truncated mod_cgi 500 responses from upstream SVN (Closes: #412580) * Don't use AddDefaultCharset for our docs (Closes: #414429) * fix options syntax in sites-available/default (Closes: #419539) * Move conf.d include to the end of apache2.conf (Closes: #305933) * Remove log, cache, and lock files on purge (Closes: #428887) * Ship /usr/lib/cgi-bin (Closes: #415698) * Add note to README.Debian how to read docs (Closes: #350822) * Document pid file name (Closes: #350286) * Update Standards-Version (no changes needed) * Fix some lintian warnings, add some overrides * Start apache when doing a "restart" even if it was not running (Closes: #384682) * reload config in apache2-doc postinst (Closes: #289289) * don't fail in prerm if apache is not running (Closes: #418536) * Suggest apache2-doc and www-browser (Closes: #399056) * Make init script always display a warning if NO_START=1 since VERBOSE=yes is not the default anymore (Closes: #430116) * Replace apache2(8) man page with a more current version * Add httxt2dbm(8) man page * Show -X option in help message (Closes: #391817) * remove sick-hack-to-update-modules * don't depend on procps on hurd (Closes: #431125) [ Peter Samuelson ] * Add shlibs:Depends to apache2.2-common. -- Stefan Fritsch Sun, 01 Jul 2007 19:57:51 +0200 apache2 (2.2.3-5) unstable; urgency=low [ Tollef Fog Heen ] * Fix up apache2-src so the .tar.gz contains an apache2 top level directory. * Make apache2 MPMs provide and conflict with apache2-mpm so other packages can provide MPMs too. * Get rid of 2.1 references from descriptions. (Closes: #400981) [ Thom May ] * Let the init script cope with multiple pid files correctly. Probably we shouldn't be doing this at all, but we might as well do it properly! 
(Closes: #396162) * Add a sensible autoindex default config * Add patch from upstream to ensure that mod_cgi 500 responses aren't truncated (Closes: #412580) * Use graceful-stop to shutdown apache to ensure we cope nicely with long running or blocked children [ Peter Samuelson ] * Ship apache2 manpage in apache2.2-common. (Closes: #391813) * Rearrange init script so that 'force-reload' is the same as 'reload'. (Closes: #401053) * Add Build-Depends: mawk. (Closes: #403682) * Add a needed guard to apache2.conf. (Closes: #407307) * Stop shipping /var/run/apache2/ as it is created at runtime anyway. * Move the /var/lock/apache2 owner fix from the apache2.2-common postinst to the init script, as /var/lock may not persist across reboots. (Closes: #420101) [ Stefan Fritsch ] * Add Build-Depends: libssl-dev, zlib1g-dev (Closes: #399043) * Add XS-Vcs-* to debian/control * Improve handling of empty $MODNAME in a2enmod (Closes: #422589) * Treat apache2-mpm-itk as prefork in a2enmod (Closes: #412602) * Re-add README.Debian and describe - the config dir layout (closes: #419552) - which files are ignored by Include - when and how to change "restart" to "reload" in the logrotate script * When purging, remove {mods,sites}-enabled symlinks and the config files created by postinst (Closes: #397789) * Fix suexec to log after a cgi error (Closes: #312385) * Add watch file * Add AddType for .bz2 (Closes: #416322) * Make init script messages conform better to policy (Closes: #390348) and exit with failure if called with unknown parameter (Closes: #412407) * Fix segfault in mod_proxy_ftp when FTP server sends back no spaces (Closes: #413727) * Ship /etc/apache2/conf.d/apache2-doc (Closes: #418464) * Tell the user when selecting cgid instead of cgi (Closes: #428058) * Add a2ensite/a2dissite man pages (Closes: #322385) * Comment out CacheEnable by default, to prevent filling up /var. 
Document the problem in README.Debian and NEWS.Debian, point to htcacheclean and give a warning when doing a2enmod disk_cache (Closes: #423653). * Add myself to Uploaders. -- Stefan Fritsch Sun, 10 Jun 2007 18:54:29 +0200 apache2 (2.2.3-4) unstable; urgency=high * High-urgency upload for RC bugfixes. * Ack NMUs - thanks Andi, Steve. * Add myself to Uploaders. * Refactor apache2.2-common.postinst slightly, to account for sarge upgrades (since it's a new package name, rather than an upgrade). (Closes: #396782, #415775) * If mod_proxy was configured in sarge, add proxy_http and disk_cache modules, which used to be included in the mod_proxy config. (Closes: #407171) -- Peter Samuelson Tue, 27 Mar 2007 07:06:49 -0500 apache2 (2.2.3-3.3) unstable; urgency=high * Non-maintainer upload. * High-urgency upload for RC bugfix. * apache2.2-common should depend on procps, since it will fail to create httpd.conf if it's not installed. Closes: #398535. -- Steve Langasek Mon, 5 Feb 2007 01:55:57 -0800 apache2 (2.2.3-3.2) unstable; urgency=high * Non-maintainer upload. * 043_ajp_connection_reuse: Patch from upstream Bugzilla, fixing a critical issue with regard to connection reuse in mod_proxy_ajp. Closes: #396265 -- Andreas Barth Sat, 9 Dec 2006 21:05:45 +0000 apache2 (2.2.3-3.1) unstable; urgency=low * Non-maintainer upload. * Enable authz_user by default, fix silent authentication breakage. Closes: #397310 * Add default modules if coming from earlier than this version. Closes: #392349, #392352, #392701, #393913, #396678, #395976 * Re-Enable modules cern_meta, dumpio and ext_filter. Closes: #391393 -- Andreas Barth Fri, 10 Nov 2006 15:44:33 +0100 apache2 (2.2.3-3) unstable; urgency=medium [ Peter Samuelson ] * a2dismod: exit 0 if a module exists but is already disabled. * Ship a2enmod.8 and a2dismod.8 again, and expand them a bit. (Closes: #270551) [ Tollef Fog Heen ] * Build apache2-src package. * Do not AddDefaultCharset if we are proxying. 
Closes: #277526 * Do not forcefully link against libdb4.3 and other libs. * Enable the same list of modules as we had in 2.0 (by default) and do that for all older versions than 2.2.3-3 to fix upgrade issues people have had. Closes: #392349 * Set default IndexWidth to *. * Clean up CPPFLAGS and CFLAGS, including making all of CFLAGS a superset of CPPFLAGS. Also make sure to include -I switches with absolute paths so the apache headers are useful. * Warn when not starting HTTPD due to missing apache binary. Closes: #384128 * Provide sample disk and memory cache configurations. Closes: #278564 * Provide dir.conf. Closes: #392356 * Add alternate dependency from apache to apache2-mpm-event * On reload, make the init script exit 1 with an error message if the configuration is broken. Closes: #316858 * Add default deflate.conf compressing text/html, text/plain and text/xml. Closes: #349016 * Add { and } around the usage format in the init script to make the init script bash completion happier. Closes: #350606 [ Adam Conrad ] * Update our php4 and php5 conflicts, to reflect the reality that each were uploaded and built again while apache2.2 was in the new queue. Closes: #392189 * Migrate kill symlinks from K91 to K09 (closes: #376503) * Make apache2 depend on the current version of the MPMs, as it used to in the 2.0.x series (and make it binNMU-safe) (closes: #394658) * Make sure that the RedirectMatch in sites-available/default continues to be commented out for Ubuntu, while having it uncommented for Debian. [ Thom May ] * Fix permissions on suexec (Closes: #391918) * This is Debian, not Ubuntu (Closes: #393277) -- Adam Conrad Sat, 7 Oct 2006 17:57:04 +1000 apache2 (2.2.3-2) unstable; urgency=low * Make sure to ship /var/log/apache2 in the apache2.2-common package. Closes: #390786 * Install suexec.8 as suexec2.8. Closes: #390774 * Make sure that we never ship .svn directories in any binary packages. 
Closes: #390785 * Not only chmod -x /usr/sbin/apache2 in apache2.2-common.preinst, chmod +x it in same's postinst too. Closes: #390794 * We now ship htcacheclean in apache2-utils. Closes: #376680 * Try to stop old apaches in preinst of the mpms. Closes: #390893 * Make apache2-mpm-{worker,prefork} conflict with apache2-mpm-event and apache2-common. * rm -f /var/lib/dpkg/info/apache2-common.postrm. So apache2-common can be purged. Yes, we're on crack. Closes: #390823 * Make apache2-utils's Replaces on apache2-common be unversioned. Closes: #391018 * Stop shipping cern_meta.load, dumpio.load and ext_filter.load. Thanks to Stephane Chazelas for noticing. Closes: #391393 -- Tollef Fog Heen Tue, 3 Oct 2006 10:03:48 +0200 apache2 (2.2.3-1) unstable; urgency=low * Remove mention of AddDefaultCharset from apache2.conf as this is now in /etc/apache2/conf.d/charset. * Rename apache2-common to apache2.2-common. Conflict and replace old version. This is to force modules to be uninstalled until versions compiled against 2.2 are provided. * Remove Daniel Stone from list of uploaders. * We no longer ship 035_HEAD_Content-Length_Fix_From_CVS. Closes: #298143 * Don't start the server on reload. Closes: #316321 * Install S91/K09 links, not S91/K91, also only support not starting through defaults file to cover upgrades from old installations. Closes: #359977, #349655 * Big cleanup by using dh_install properly rather than loads of hacks in debian/rules. * No longer ship compat symlinks for ab, etc. Those are installed as ab, htpasswd and similar. * Remove apache2-mpm-{event,worker}-{prerm,preinst,postinst} in clean, as those are copies of other files. * Add build-depends for libapr1-dev (>= 1.2.7-6) to make sure we get a version which ships a useful apr-config --apr-libtool. * chmod -x /usr/sbin/apache2 on upgrades from before 2.2 to avoid problems stopping apache due to some dpkg bug. * Add Conflicts for broken modules which didn't depend on apache2-common. 
-- Tollef Fog Heen Thu, 17 Aug 2006 14:02:58 +0200 apache2 (2.2.3-1~exp.r170) experimental; urgency=low [ Jeroen van Wolffelaar ] * Staging upload to experimental of subversion revision r170 [ Thom May, Tollef Fog Heen, Fabio M. Di Nitto and Adam Conrad ] * New Upstream Release. Closes: #344072 http://httpd.apache.org/docs/2.2/new_features_2_2.html has a list of new features and changes. - Fixes LFS support. Closes: #341460, #285337, #241223 - Fixes off-by-one error in mod_rewrite ldap schema handling (CVE-2006-3747) - Fixes XSS issue in mod_imap/mod_imagemap (CVE-2005-3352). Closes: #343467. - mpm_perchild no longer exists, so closing bugs for perchild. Closes: #236193, #238586 - Fixes PHP POST with SSLVerifyClient. Closes: 353443 * Build-depend on lsb-release and pick up the branding from there. * Build-depend on apr-util 1.0 which is now in a separate source package. * Mangle the Debian layout to be more FHS compatible * No longer build-conflict with libgdbm-dev * Use external PCRE * Make apache2-utils stop providing apache2-utils. Also make it stop conflicting with itself. * Rename default site from default-site to just default. * Try to migrate modules which used to be built-in:, alias, mime, authz_host, autoindex, dir, env, negotiation, setenvif, status. * Mod imap has been renamed to imagemap, ditto for auth_ldap => authnz_ldap. Cope with that in postinst. * Stop globbing in apache2.conf. Closes: #337817, #340955, #348189, #379015, #368497 * Don't install CHANGES into the apache2 package. It's just a metapackage. * Add rudimentary rdeps handling to a2dismod. Closes: #273929 * Stop providing apache-utils. * Cope with /var/run and /var/lock on tmpfs. * Remove all subdirs in srclib as we are using external libraries for those anyway. Also remove test/zb.c. Closes: 340538 * Make ssl.conf not block on /dev/random, but rather use /dev/urandom. 
* Make apache2-common depend on lsb-base, thanks to Gleb Arshinov -- Jeroen van Wolffelaar Tue, 15 Aug 2006 16:17:33 +0200 apache2 (2.0.55-4.1) unstable; urgency=high * Non-maintainer upload. Urgency set to high due to security fixes. * Added '052_mod_rewrite_CVE-2006-3747' to fix the off-by-one bug in mod_rewrite. [CVE-2006-3747]. (Closes: #380182) * Added '053_restore_prefix_fix' to allow rebuilding from source. (Closes: #374160) * Added '054_apr_sendfile' to allow building for Hurd. (Closes: #349416) * Added '055_expect_CVE-2006-3918' to fix XSS attack in Expect headers. [CVE-2006-3918]. (Closes: #381376) * Added bash-completion script from Guillaume Rousse. (Closes: #299855) -- Steve Kemp Sat, 5 Aug 2006 21:35:53 +0000 apache2 (2.2.0-1) UNRELEASED; urgency=low * New upstream release. -- Fabio M. Di Nitto Thu, 26 Jan 2006 13:46:08 +0100 apache2 (2.0.55-4) unstable; urgency=low * Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352 * Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in threaded MPMs when making a non-SSL connection to an SSL-enabled port on a server with a custom 400 error document defined; see CVE-2005-3357 * Clean up our use of trailing slashes on directories in debian/rules, so the newer, pickier, obviously very improved coreutils doesn't bite us. * Remove some cruft from apache2-common's postinst, dealing with upgrade scenarios from versions older than those released in Sarge or Warty. * Use "SHELL := sh -e" in debian/rules, so the build will stop on shell errors, instead of blundering on to later make targets (closes: #340761) * Recreate /var/run/apache2 and /var/lock/apache2 in our init script, in case the user has /var/run and /var/lock on tmpfs, which is fashionable. 
* Make our init script a /bin/bash script instead of a /bin/sh script, so we can abuse it with regex globbing (#348189, #347962, #340955, #342008) * Take patch from Adrian Bridgett to output errors from our config test in the init script, but only do so when we're VERBOSE (closes: #339323) * In the spirit of the LSB, make our init script exit 2 when called with incorrect arguments, and exit 4 when asked for status (closes: #330275) * Fix the default site to not mix configuration syntax (closes: #345922) * Mention apxs2 in the apache2-*-dev long descriptions (closes: #307921) -- Adam Conrad Sat, 26 Nov 2005 19:06:32 +1100 apache2 (2.0.55-3) unstable; urgency=low * Brown paper bag release: Tidy up CFLAGS and APR configure call to make sure that what we link to agrees with what apu-config tells others to do. -- Adam Conrad Mon, 24 Oct 2005 13:02:52 +1000 apache2 (2.0.55-2) unstable; urgency=low * Mess with 010_more_fhs_compliancy to nail down the compiled default for cgisock to match with the default shipped in the config file, so people don't get confused if they miss including cgid.conf (closes: #316477) * Make the compiled-in PidFile match the config file for similar reasons. * Add 049_apr_tables_HEAD_cleanup, resolving an issue where merging two tables from different resource pools would leave you with the contents of only one, rather than both. This patch also cleans up some broken pointer arithmetic and type casting along the way (closes: #251800) * Specify the DocumentRoot without a trailing slash (closes: #311317) * Fix the manpage to point at proper locations (closes: #307665, #332619) -- Adam Conrad Sun, 23 Oct 2005 13:24:39 +1000 apache2 (2.0.55-1) unstable; urgency=low * New upstream bugfix and security release, superseding these patches: - Drop 041_util_ldap_fix.patch, util_ldap seems to be unbroken. - Drop 043_ssl_off_by_one_CAN-2005-1268, fixed upstream. - Drop 044_content_length_CAN-2005-2088, fixed upstream. 
- Drop 045_byterange_CAN-2005-2728, fixed upstream. - Drop 046_verify_client_CAN-2005-2700, fixed upstream. - Resolves a serious memory leak in the worker MPM; see CVE-2005-2970 - Add 048_reverse_proxy_fix, to resolve a regression in 2.0.55 with mod_proxy, mod_ssl and HTTP POST requests (upstream bug #37145) * New release builds cleanly with OpenSSL 0.9.8 (closes: #332791, #333363) * Fix up our built-in version of DBS to use find's -{max,min}depth arguments in a way that doesn't make find whine like a spoiled child. * Merge Ubuntu and Debian packaging, bringing in patch 047 (closes: #327269) - Comment out the / -> /apache2-default/ redirect, as user feedback seems to indicate that it's just too bloody confusing for most people. - New installations (only) now get an AddDefaultCharset UTF-8 directive. * Build-depend on lsb-release, and use it in debian/rules to determine which distribution we're building on, dropping the 007_debian_advertising patch. * Drop debconf dependency entirely; we don't even use it (closes: #331741) * Finally support DEB_BUILD_OPTIONS="noopt debug" properly in debian/rules. * Adjust mime_magic.conf to point at the new FHS location of magic.mime. * Drop the apache2-mpm-threadpool transitional package; Sarge is released. * Try a bit harder to find the *CORRECT* PidFile directive in the init script, instead of the old "rgrep and pray" method (closes: #303076) * Make init script to always use apache2ctl consistently (closes: #316303) * Build (and have -dev packages depend on) libdb4.3 instead of libdb4.2. 
-- Adam Conrad Mon, 17 Oct 2005 13:00:13 +1000 apache2 (2.0.54-5ubuntu2) breezy; urgency=low * Add 047_ssl_reneg_with_body, which adds a (bounded) buffer of request body data to provide a limited but safe fix for the mod_ssl renegotiation vs requests-with-bodies bug, as occurs with POST and SVN (Ubuntu #14991) -- Adam Conrad Tue, 4 Oct 2005 11:53:01 +1000 apache2 (2.0.54-5ubuntu1) breezy; urgency=low * Resynchronise with Debian, bringing in several security patches. -- Adam Conrad Mon, 5 Sep 2005 20:40:31 +1000 apache2 (2.0.54-5) stable-security; urgency=high * Add 043_ssl_off_by_one_CAN-2005-1268, fixing an off-by-one error in SSL certificate validation; see CAN-2005-1268 (closes: #320048, #320063) * Add 044_content_length_CAN-2005-2088, resolving an issue in mod_proxy where, when a response contains both Transfer-Encoding and Content-Length headers, the connection can be used for HTTP request smuggling and HTTP request spoofing attacks; see CAN-2005-2088 (closes: #316173) * Add 045_byterange_CAN-2005-2728, to resolve a denial of service in apache when large byte ranges are requested; see CAN-2005-2728 (closes: #326435) * Add 046_verify_client_CAN-2005-2700, resolving an issue where the context of the SSLVerifyClient directive is not honoured within a <Location> nested in a <VirtualHost>, and is left unenforced; see CAN-2005-2700 -- Adam Conrad Fri, 2 Sep 2005 22:26:28 +1000 apache2 (2.0.54-4) unstable; urgency=low * Alter 041_util_ldap_fix.patch to revert util_ldap.c to the known good version from 2.0.53 (closes: #308648, and re-fixes #307567) -- Adam Conrad Wed, 11 May 2005 20:15:38 -0600 apache2 (2.0.54-3) unstable; urgency=medium * Add 042_htdigest_CAN-2005-1344 to fix a buffer overflow in htdigest, which is described in CAN-2005-1344 (closes: #307134) * Add 041_util_ldap_fix.patch from upstream bug #34618 to fix issues with mod_auth_ldap sometimes segfaulting and sometimes locking up and spinning the CPU to oblivion (closes: #307567) * Alter 011_fix_ap-config to make apr-config 
point us at the system libtool, and make libapr0-dev depend on libtool (closes: #306481) * Alter 008_make_include_safe to prevent apache2 from including dpkg conffile leftovers (.dpkg-old et al) (closes: #304786, #296728) -- Adam Conrad Thu, 5 May 2005 03:45:24 -0600 apache2 (2.0.54-2) unstable; urgency=low * Set suexec2's ownership properly, so it's actually executable by apache2 with the newly-restrictive permissions (closes: #305242) -- Adam Conrad Mon, 18 Apr 2005 22:09:42 -0600 apache2 (2.0.54-1) unstable; urgency=low * New upstream bugfix-only release (closes: #305121) * Fix debian/watch file to only look at apache 2.0.x, so we stop being told about the 2.1 beta releases (and I'll notice new 2.0.x releases) * Drop o+rx permissions from suexec2; while it has code in place to make sure the caller is www-data, if that code should be buggy, filesystem permissions will help mitigate fallout (closes: #301045) * Update the 003_build_with_autoconf_2.5 patch to make sure both apr and apr-util have an AC_PREREQ for autoconf 2.50, so we don't get weird autoconf mix-and-match FTBFS issues (closes: #301819) -- Adam Conrad Sun, 17 Apr 2005 23:10:18 -0600 apache2 (2.0.53-5ubuntu5) hoary; urgency=low * Fix the init script to not exit with an error when asked to stop a daemon that isn't running (Was the root cause of #8374) -- Adam Conrad Fri, 1 Apr 2005 16:30:56 +0000 apache2 (2.0.53-5ubuntu4) hoary; urgency=low * Make sure package removals don't fail even if the init script doesn't stop apache2 (Ubuntu #8374) -- Adam Conrad Fri, 1 Apr 2005 15:07:20 +0000 apache2 (2.0.53-5ubuntu3) hoary; urgency=low * Add dependency on lsb-base (>= 1.3-9ubuntu2) to guarantee availability of lsb init functions (Ubuntu #7765) -- Adam Conrad Sun, 27 Mar 2005 21:55:41 -0700 apache2 (2.0.53-5ubuntu2) hoary; urgency=low * Really remove /etc/apache2/conf.d/charset on purge, rather than just writing about it in the changelog. 
-- Adam Conrad Sun, 27 Mar 2005 08:32:39 -0700 apache2 (2.0.53-5ubuntu1) hoary; urgency=low * Resynchronise with Debian, resolving minor conflicts. * Remove /etc/apache2/conf.d/charset on purge. -- Adam Conrad Sun, 27 Mar 2005 15:15:44 +0000 apache2 (2.0.53-5) unstable; urgency=high * Update 040_link_external_pcre to require autoconf 2.50, so it doesn't fail when autoconf2.13 is installed (closes: #295428) * Further mangle the apache_stop function in the init script so it attempts as hard as possible to make sure apache2 is stopped before it tries to restart. Thanks to Andre Tomt for the bug and patch this fix was based on (closes: #295915, #281557) -- Adam Conrad Fri, 25 Feb 2005 00:51:13 -0700 apache2 (2.0.53-4) unstable; urgency=low * Add 040_link_external_pcre to allow us to link to an external libpcre rather than statically compiling the bundled version. * Add --with-external-pcre to the configure flags in debian/rules (closes: #294673, #294675, #282606, #294740) * Stop hardcoding the path to netstat in postinst (closes: #294737) -- Adam Conrad Mon, 14 Feb 2005 01:45:08 +0000 apache2 (2.0.53-3) unstable; urgency=medium * Drop Andres Salomon's PCRE manglig patch in favour of hand-merging Joe Orton's patch against head to completely internalise apache's copy of PCRE, only exposing a wrapper API. (closes: #294395) -- Adam Conrad Wed, 9 Feb 2005 11:30:21 -0700 apache2 (2.0.53-2) unstable; urgency=low * Make apache2-threaded-dev and apache2-prefork-dev both arch:any as they contain architecture-dependant defines (closes: #294257) -- Adam Conrad Wed, 9 Feb 2005 04:20:07 -0700 apache2 (2.0.53-1) unstable; urgency=low * New upstream release - Remove 036_HEAD_CAN-2004-0942, integrated upstream - Remove 037_HEAD_CAN-2004-0885, integrated upstream * Drop support for the threadpool MPM, as it's abandoned upstream. 
- Make apache2-mpm-threadpool an empty package depending on apache2-mpm-worker, and make worker replace the old threadpool * Make SYSCONFDIR configurable at the top of a2{en,dis}{mod,site} * Drop the build-conflict on gawk, and use ac_cv_prog_AWK=mawk instead (closes: #283396) * Make the apache_stop() function stop trying to do the equivalent of "killall apache2", and instead issue a nasty warning if it can't stop apache2 on its own * Make "restart" an alias for "force-reload" in the init script, as apache2ctl restart doesn't match policy's requirements for restart * Swapping between threaded and unthreaded MPMs could leave one with both mod_cgi and mod_cgid enabled. Fixed the postinsts so that no longer happens * Update 021-pcre_mangle_symbols.patch from Andres Salomon, now also mangling typedefs, which should fix PHP (closes: #280823) * Hardcode a dependency on libgcc1 (>= 1:3.3.5) so pthread_cancel will work correctly with partial upgrades (closes: #287033) * When removing ssl_scache, make sure to remove its db transation logs and other garbage as well (closes: #293831) * Remove duplicate /icons/ from the default site (closes: #291856) * Yank 039_fix_forensic_tmpfiles from Ubuntu's apache2 packages * Split out utils into seperate apache2-utils. 
This will also supercede the apache-utils package (closes: #285219) * Add split-logfile to apache2-utils (closes: #290814) * Make the MPM postinsts scream loudly, but not fail, if you've deleted cgi{,d}.load before swapping MPMs (closes: #283141) -- Adam Conrad Mon, 7 Feb 2005 07:54:12 -0700 apache2 (2.0.52-3) unstable; urgency=high * Brown paper bag release to fix apache2-common's postinst, by judiciously sprinkling ||true in a couple of needed places (closes: #280527) * While hunting for unclean uses of VAR=`command` in the package, found the cause of the "can't purge with broken config" bugs and fixed that too with yet another ||true (closes: #263511, #273759, #279875) -- Adam Conrad Wed, 10 Nov 2004 01:32:16 -0700 apache2 (2.0.52-2) unstable; urgency=high * Include two patches, 036_HEAD_CAN-2004-0942 and 037_HEAD_CAN-2004-0885 - CAN-2004-0942: Memory leak in header parsing in server/protocol.c - CAN-2004-0885: Incorrect SSLCipherSuite selection in mod_ssl * Fix up our use of netstat in apache2-common's postinst to clean up some unnecessary output to stderr, as well as detect when netstat believes we don't have AF_INET support. This should allow for installation in chroots where the /proc filesystem isn't mounted (closes: #245487) * Add 035_HEAD_Content-Length_Fix_From_CVS, which should solve problems with Content-Length being set incorrectly on proxied HEAD requests, breaking Windows Update from proxied machines (closes: #277787) * Take out the reload/start magic in the postinst, and just call start in all cases, as we stop the daemon in the prerm (closes: #275175, #222786) * Copy config.guess/config.sub/ltmain.sh in from /usr/share/libtool at build time. (closes: #257228, #263101) * Clean up the clean target in debian/rules to remove some duplicate maintainer scripts from the debian/ directory that we don't need to be shipping in the source package. 
* Move envvars to /etc/apache2/ and add patch 038_no_LD_LIBRARY_PATH to remove the extraneous LD_LIBRARY_PATH from envvars (closes: #276670) -- Adam Conrad Sun, 7 Nov 2004 04:09:46 -0700 apache2 (2.0.52-1) unstable; urgency=high * New upstream bugfix/security release: - Fixes CAN-2004-0811: Satisfy directive bypass (closes: #273412) * Add '|| true' to a2enmod to stop it from dying when the installed MPM isn't prefork (closes: #273017, #273019, #272865, #273021, #273258) * Touch /var/log/apache2/error.log on new installs to ensure that our log directory isn't removed until the package is purged, so logrotate doesn't complain about its inability to find it (closes: #239571) * Add 032_suexec_is_shared, which makes sure suEXEC is only searched for and enabled when mod_suexec is loaded (closes: #227653) * Use '$APACHE2CTL startssl' consistently in init script to make sure the SSL define doesn't disappear on force-reload (closes: #272531) * Add 033_dbm_read_hash_or_btree to allow apr-util and dbmmanage to open and manipulate DB_BTREE databases, while still defaulting to creating DB_HASH databases as before. This should clear up incompatibilities with other applications (such as PHP) which default to DB_BTREE. * Moved dbmmanage2 to /usr/bin, instead of /usr/sbin, as it's a user tool. 
* Added 034_ab2_has_openssl, thanks to 2.1-cvs, Fedora, thom, and a bit of munging, to compile a working ab2 with SSL support (closes: #261820) -- Adam Conrad Tue, 28 Sep 2004 10:21:20 -0600 apache2 (2.0.51-2) unstable; urgency=high * Test for the existence of /usr/sbin/apache2 before we go trying to invoke it to determine what MPM we have installed (closes: #272103, #272207) * Make the default httpd.conf created in apache2-common's postinst contain a fake LoadModule line (commented out), and make apxs2 default to installing modules to /etc/apache2/httpd.conf, so people using apxs2 rather than the mods-{enabled,available} directories get the expected behaviour, rather than obscure errors (closes: #167552, #231134) * apxs2 now writes the correct path to modules in httpd.conf, including the mysteriously missing slash (closes: #231450, #167557) * Make apxs2 install modules with mode 644, since 755 makes no sense. * Added a bit of magic to a2{en,dis}site to treat the default site as a special case and add a "000-" priority to the beginning of its symlink. Patches welcome to turn this into something robust, like update-rc.d. 
-- Adam Conrad Sat, 18 Sep 2004 07:12:12 -0600 apache2 (2.0.51-1) unstable; urgency=high * New upstream release, including the following security fixes: - CAN-2004-0747: ap_resolve_env buffer overflow - CAN-2004-0786: apr_uri_parse segfault in memcpy - CAN-2004-0809: mod_dav crash/DoS via NULL pointer dereference * Drop the following patches which are now included upstream: - 025_CAN-2004-0748.patch - 026_CAN-2004-0751.patch - 027_autoindex_ignore_bad_files.patch - 028_apr_sticky_bits.patch * Install a properly sanitised config_vars.mk so that apxs2 behaves in a reasonably sane way (closes: #243340, #270768) * Relax www-browser dependency to a Suggests, as the mod_status dump from apache2ctl is a pretty minor (and oft unused) feature (closes: #269309) * init script now allows you to stop (but not start, restart, etc) the web server, even if NO_START is set to 1 (closes: #269398) * Make the apache2 -> apache2-mpm-* dependency tighter, so it does what one expects when installing it (closes: #269580) * Remove the ^/doc/apache2-doc/manual(.*)$ /manual$1 RedirectMatch from the default site which was confusing and useless (closes: #270216) * Add debian/watch file to track upstream versions. * Add some magic to a2enmod to map cgi to cgid if using a threaded MPM. * Add a2ensite and a2dissite which do the same thing as a2{en,dis}mod, but for sites rather than modules (closes: #269251) -- Adam Conrad Wed, 15 Sep 2004 00:09:39 -0600 apache2 (2.0.50-12) unstable; urgency=high * Build-depend on mawk, and build-conflict with gawk, as we're only guaranteed of having one or the other installed at any given time and GNU awk seems to royally mess up the build with regards to which external symbols get exported by httpd (closes: #268155) * Add myself to the Uploaders field as it seems that, for better or worse, I have become a co-maintainer of apache2. 
* Drop the :80 from the default site config, so changing ports in ports.conf now Just Works (closes: #253271) * Added 029_docroot_manual.patch, which corrects the links in the start page to point to /manual/ instead of manual/, so the link actually works when apache2-doc is installed (closes: #232954) * Add a postrm to apache2-common, implementing a policy-compliant purge process (closes: #237030, #252254, #197986) * Add a simple RedirectMatch to the "default" site, so that fresh installations see the default start page, rather than a directory listing (closes: #240772, #255974, #264070) * Add 030_www-browser_apachectl.patch, and make apache2-common depend on www-browser, so 'apache2ctl status' works (closes: #266724) * Move apache2's (re)start from the apache2-common postinst to the MPM postinsts, so we're not trying to start the old binary if apache2-common is configured before apache2-mpm-* is unpacked (closes: #268936) * Enable CGI on initial installation, as packages depending on httpd-cgi require it to be running to work (closes: #267547, #263038) * Only enable userdir on upgrades from older versions where it was built-in, or on fresh installs. -- Adam Conrad Mon, 30 Aug 2004 17:40:47 -0600 apache2 (2.0.50-11) unstable; urgency=high * Add two patches from upstream to address two vulnerabilities in mod_ssl: - CAN-2004-0748 is a potential infinite loop in the SSL input filter which can be triggered by an aborted connection. - CAN-2004-0751 is a potential segfault in the SSL input filter which can be triggered by the response to request which is proxied to a remote SSL server. 
* Changed the ownership of /var/cache/apache2 to allow mod_proxy to actually cache files (closes: #264622) * Added a patch from upstream to make mod_autoindex skip over files that it can't stat() (closes: #264645) * New installations now get an /etc/default/apache2 file with a moderately informative comment, and the default set sanely (closes: #263515) * Added a patch from upstream to make APR stop creating directories with the sticky bit set (closes: #266198) * Remove the bogus "-e" from the echo that creates httpd.conf, so people installing with ash/dash don't get a broken file (closes: #267693) -- Adam Conrad Mon, 23 Aug 2004 19:25:50 -0600 apache2 (2.0.50-10) unstable; urgency=high * Roll back the libapr0 ABI changes introduced in 2.0.50-9. We were hopeful that we could hunt down and fix any fallout from this change before release, and we were, apparently, wrong. (closes: #266211, #266145, #266165, #266330, #266230, #266279, #266736) -- Adam Conrad Thu, 19 Aug 2004 03:46:11 -0600 apache2 (2.0.50-9) unstable; urgency=medium * Enable LFS properly. (Closes: #264645, #244897) - Added 023_largefiles_upstream_fixes which makes the upstream configure script a bit smarter and fixes some misuses of size_t/off_t. - Added 024_largefiles_debian_hacks which adds some hideous hackery to work around a bug in glibc where sendfile64 is used in place of sendfile with no fallback even if the current kernel doesn't support it. - Add note to README.Debian noting that while we can now read, write, and list large files, SERVING large files is kernel-dependant. * Bump libapr0 shlibs to (>= 2.0.50-9), since we're introducing some serious ABI breakage with the above changes. * Fix up the PATH in apache2's init script to list /usr/local, /usr, / in the standard order. * Change misleading return messages for a2{en,dis}mod, to reflect the reality that some modules just won't load/unload properly without a full stop/start server cycle. 
-- Adam Conrad Sun, 15 Aug 2004 07:41:19 -0600 apache2 (2.0.50-8) unstable; urgency=high * Ensure we link against the correct version of DB42 -- Thom May Mon, 9 Aug 2004 14:37:38 +0100 apache2 (2.0.50-7) unstable; urgency=high * Fix up linking of apr-util (Closes: #262009) -- Thom May Tue, 3 Aug 2004 12:42:53 +0100 apache2 (2.0.50-6) unstable; urgency=high * use 'env -i' rather than trying to parse env (Closes: #261558, #258713) * revert to old build process (Closes: #260756, #259693) * Reflect changes in ssl setup - Thanks, Björn Wiberg (Closes: #259414) * Remove userdir config from main config file (Closes: #260058) -- Thom May Tue, 27 Jul 2004 10:31:46 +0100 apache2 (2.0.50-5) unstable; urgency=high * Add necessary suexec information to central build (Closes: #258453, #258772) * Exclude lines starting with a space from removal from the env (Closes: #258713) -- Thom May Mon, 12 Jul 2004 17:30:59 +0100 apache2 (2.0.50-4) unstable; urgency=high * Fix dependencies so the MPMs don't conflict with the metapackages *g* Thanks to Adam Conrad for this catch -- Thom May Fri, 9 Jul 2004 00:55:19 +0100 apache2 (2.0.50-3) unstable; urgency=high * Brown paper bag of epic proportion. Build all mpms with the proper collection of libraries. 
(Closes: #258217, #258202) * Clean up environment (Closes: #241579) * Clarify prefork description (Closes: #252918) * Make apache2-default/manual DTRT (Closes: #244847) * Note that we don't ship INSTALL or README.platforms (Closes: #232956) -- Thom May Thu, 8 Jul 2004 16:04:31 +0100 apache2 (2.0.50-2) unstable; urgency=high * Make a2enmod a bit more robust (Closes: #258149, #258145) * Should really be urgency=high to get into testing quick -- Thom May Wed, 7 Jul 2004 23:03:36 +0100 apache2 (2.0.50-1) unstable; urgency=medium * New upstream release, fixes [CAN-2004-0493] and [CAN-2004-0488] * The "I can't believe you're late to your own raid" release * Check whether verbose is on or off in rcS's config (Closes: #242351) * Add an apache2 metapackage (Closes: #234955) * Specifically disable /~root (Closes: #246139) * Stop the daemon in prerm (Closes: #245488) * Redirect /doc/apache2-doc/manual to /manual so the correct magic happens (Closes: #248038) * Update SSL config to current upstream (Closes: #234591,#231147) * No longer install default cgis - they're already shipped in -doc as examples. (Closes: #231665) * Tighten regex for Include (Closes: #234489) * Remove ext-filter.load since we ship ext_filter.load too (Closes: #249268) * Enable userdir as a shared module (Closes: #251102, #246134) * OSKURO SUCKS (otherwise known as: not a bug) (Closes: #208569) * Create /var/lib/apache2 (Closes: #242169) * Remove 'AddDefaultCharset' line from apache2.conf (Suggestion from Marco D'Itri) -- Thom May Tue, 6 Jul 2004 18:45:35 +0100 apache2 (2.0.49-1) unstable; urgency=high * New Upstream release. 
(Closes: #240100) * Add missing $ to init-script (closes: #240301) * Provides: httpd-cgi in reference to #117916 -- Thom May Sun, 4 Apr 2004 11:32:20 +0100 apache2 (2.0.48-8) unstable; urgency=low * Fix typo in debian/rules (closes: #230760) * Added patch 021-pcre_mangle_symbols.patch (closes: #235810) * Fixed typo in the init scripts (closes: #230263) * Changed a bunch of mv's to cp's in rules (closes: #228840) * Change mime_magic to use magic from libmagic1 (closes: #236509) * Disable ssl-cert until it sucks less. related to 230791 (closes: #231726) * update descriptions (closes: #234543, #234538, #234542) * Nuke /etc/vhosts and all associated cruft (closes: #235029) -- Thom May Mon, 2 Feb 2004 12:47:10 +0000 apache2 (2.0.48-7) unstable; urgency=low * Brown paper bag release. Refix the nonfixed libapr0 which built without linking information. -- Tollef Fog Heen Fri, 30 Jan 2004 18:25:12 +0100 apache2 (2.0.48-6) unstable; urgency=low * Build-Conflict with gdbm (closes: #230226, #230175, #204672) -- Tollef Fog Heen Fri, 30 Jan 2004 12:24:09 +0100 apache2 (2.0.48-5) unstable; urgency=low * (Daniel Stone) - Bump Standards-Version to 3.6.1.0. - init-script: Print a small warning when NO_START=1. (closes: #178431) - default site: Enable FollowSymLinks. (closes: #200829) * (Thom May) - Permanently kill the ErrorLog directive from ssl.conf - Call ssl-cert to generate an SSL cert using debconf (closes: #178322) - Allow /usr/share/doc/ to be viewable from localhost (closes: #222551) - Set the default DocumentRoot to be /var/www (closes: #222552) - Change where the init script is installed to (Closes: #223417) - Upgrade to DB4.2 * (Tollef Fog Heen) - handle building out of the SVN checkout. -- Tollef Fog Heen Wed, 28 Jan 2004 00:13:13 +0100 apache2 (2.0.48-4) unstable; urgency=medium * (Daniel Stone) - Change apache2-threaded-dev's Conflicts from apache2-perfork-dev to apache2-prefork-dev. Learn how to type, dude (thanks to Grzegorz Prokopski for spotting this one). 
-- Daniel Stone Mon, 17 Nov 2003 12:00:11 +1100 apache2 (2.0.48-3) unstable; urgency=medium * Grmmp. stuffed the upload -- Thom May Wed, 12 Nov 2003 18:18:54 +0000 apache2 (2.0.48-2) unstable; urgency=high * (Thom May) - Fix locking busted by NPTL (Closes: #220299) - Fix IPv6 weirdness (thanks to Jordi/Fabio) (Closes: #220334) -- Thom May Wed, 12 Nov 2003 13:04:04 +0000 apache2 (2.0.48-1) unstable; urgency=low * (Thom May) - New Upstream Release (Closes: #202094) - Fix i18n autonegotiation for the manual (Closes: #201648) - Add deb.{gif,png} (Closes: #199454) - Explicitly link against libdl (Closes: #195968) - Add dependency on ssl-cert (Closes: #177837) - Take preventative action against SCTP - Add apache2-prefork-dev to work around PHP. - Shut Oskuro up - startup time changed to 91 (Closes: #208569) - Install README.etc into apache2-common's doc dir (Closes: #208751,#177941) - Auth_LDAP loads mod_ldap as well. (Closes: #217795) - Make sure /var/lock/apache2 has correct ownership (Closes: #206375) - Fix for SSL enabled virtual hosts (Closes: #202925) - Steal new apr_threads.m4 from upstream to deal with -lpthread better (Closes: #197685) * (Fabio M. Di Nitto) - Fixed init script (Closes: #203093) -- Thom May Sat, 16 Aug 2003 00:13:20 +0100 apache2 (2.0.47-2) unstable; urgency=low * Move dav.conf to dav_fs.conf (Closes: #201530) * Fix the manual, and only ship it once. (Closes: #201648) * Enable SymLinksIfOwnerMatch for cgi-bin (Closes: #200829) -- Thom May Wed, 16 Jul 2003 10:24:28 +0100 apache2 (2.0.47-1) unstable; urgency=high * New Upstream Release. Bunch of security fixes (Closes: #200593) * Add asis.load, auth_ldap.load, cache.load, dav_fs.load, disk_cache.load, ext_filter.load, file_cache.load, imap.load, ldap.load, mem_cache.load, include.load (Closes: #197152, #198389, #196115) Note that dav_fs was previously loaded by dav.load, and is now broken out into a seperate file. * Patch apxs2 to use datadir rather than prefix for top_builddir. 
(Closes: #198607) * Kill a couple of pointless conflicts. (Closes: #197242) * Change suexec docroot from /var/www/apache2-default to /var/www (Closes: #198981) * Make sure we use Expat rather than xmltok (Closes: #197020) * Ship find_ap{r,u}.m4 (per Nuutti Kotivuori) -- Thom May Fri, 4 Jul 2003 13:40:37 +0100 apache2 (2.0.46-3) unstable; urgency=low * Clean up the proxy config although it's not enabled by default. (Closes: #195187) * Remove all traces of gdbm. (Closes: #196231) * Re-enable ldap support (Closes: #190092) * This changelog should be policy compliant. Any whingers can take a long hike off a short pier. * use printf rather than echo to work round weird shells. (Closes: #196230) -- Thom May Thu, 5 Jun 2003 19:26:21 +0100 apache2 (2.0.46-2) unstable; urgency=critical * Fix config_vars.mk creation and installation (Closes: #195141, #195190) -- Thom May Thu, 29 May 2003 11:47:13 +0100 apache2 (2.0.46-1) unstable; urgency=critical * The "David Welton is my hero" release * New upstream release, numerous security vulns fixed. * Oh the pain. * Move ScriptSocket to /var/run/apache2 (Closes: #188655) * Restore mod_include (Closes: #188483) * Move the virtual hosts config to the end of the config file (Closes: #188584) * Add Mod-Ext-Filter (Closes: #182770) * Add actions.load (Closes: #178087, #179571, #181527) * Add a dependency on net-tool (Closes: #190663) * Clean up FHS compliancy and fix up a typo in apachectl (Closes: #187723) * Fix for the apxs -q APR_BINDIR doesn't work problem (Closes: #188278) * Special case the install of special.mk (Closes: #179776) * Make apache2-dev and apache-dev not conflict. (This renames apxs back to apxs2) * Add README for /etc/apache2 written by David. * Add auth_digest.load courtesy of Amelia A Lewis (Closes: #194111) -- Thom May Wed, 28 May 2003 14:17:21 +0100 apache2 (2.0.45-3) unstable; urgency=critical * another "stupid freaking sasl" release. the series is on! 
-- Thom May Tue, 8 Apr 2003 17:13:09 +0100 apache2 (2.0.45-2) unstable; urgency=critical * the "stupid freaking sasl" release. * fix override disparities too. * fix dulpicate dependency on libssl0.9.7 (Closes: #179598) -- Thom May Tue, 8 Apr 2003 13:34:44 +0100 apache2 (2.0.45-1) unstable; urgency=critical * New upstream release (Closes: #187502) * Fix korean language type, thanks to Donggyoo Lee (Closes: #179542) * Add explicit dependency to libsasl-dev (Closes: #179674) * Remove ErrorLog from ssl.conf * forward ported patches courtesy of Roberto Moreda ; big thanks! -- Thom May Sat, 5 Apr 2003 14:35:58 +0100 apache2 (2.0.44-6) unstable; urgency=low * Make APR's postinst idempotent (Closes: #178105, #178141) * Make Apache2-common's postinst non interactive (Closes: #178551) * People filing bugs after they're fixed should be shot (Closes: #178244) * Build Logio into the core, apparently. -- Thom May Mon, 27 Jan 2003 20:47:28 +0000 apache2 (2.0.44-5) unstable; urgency=low * The "someone should take my compiler away from me" release * Depend on openssl as well. Grrr. (Closes: #177985) * Clean up the last of the section mismatches -- Thom May Thu, 23 Jan 2003 15:04:20 +0000 apache2 (2.0.44-4) unstable; urgency=low * The "going for broke" release. * Enable Logio, suggested by Roberto Moreda * Stop force loading of cgi modules. (until we can do it cleanly) (Closes: #177876, #177795) * Restore symlink for libapr.so.0 (Closes: #177792) * Apache2-common must depend on libssl0.9.7 (Closes: #177845) * Rename ssl-certificate so we don't conflict with apache-ssl (Closes: #177881) * Only create the certificate if it's not there already (Duh!) 
-- Thom May Wed, 22 Jan 2003 09:59:11 +0000 apache2 (2.0.44-3) unstable; urgency=low * The "This one goes out wearing a brown paper bag" release * Fix apxs to correctly return the header locations (Closes: #177729) -- Thom May Tue, 21 Jan 2003 16:35:14 +0000 apache2 (2.0.44-2) unstable; urgency=low * The "Ooops, I did it again" release * Fixup of sections and priorities. * Add dependency of libldap2-dev to libapr0-dev * Correct dependencies to be db4.1 not db4.0 -- Thom May Tue, 21 Jan 2003 13:26:57 +0000 apache2 (2.0.44-1) unstable; urgency=low * Conform to 10.4 of policy re init scripts, (Closes: #165693) * Be more selective about filenames when doing Include Patch - 008_make_include_safe (Closes: #161512) * Make HTMLTable validate, and add a note recommending its use. (Patch submitted upstream and will be in 2.0.44) Patch - 010_fix_html_table (Closes: #153593) * Make apr have correct library versioning Patch committed upstream Patch - 011_make_apr_versioned (Closes: #162775) * Placed packaging code under subversion change management http://svn.positive-internet.com/svn/apache2/trunk * Changed some bash scripts to use #!/bin/bash rather than #!/bin/sh (Closes: #168338) * Changed apache2-common to merely suggest apache2-doc (Closes: #167595) * Patch from David Kimdon to clean up debian/scripts/* * Rename apxs2 to apxs; conflict with apache-dev (Closes: #167550) * Upstream fix for AllowOverride documentation (Closes: #169431) * Tighter build dependency on debhelper (Closes: #170803) * Only reload in logrotate if apache2 is actually running (Closes: #171095) * Upstream Fix for AddOutputFilterByType documentation (Closes: #172294) * Add robots.txt to apache2-common (Closes: #172592) * Enable cgi in postinst (Closes: #168709) * Create an SSL Certificate on install (Closes: #168109) * Fix a couple of typos in debian/ssl-certificate, with thanks to Nuutti Kotivuori * Change to restart rather than reload in logrotate, to work round a nasty PHP bug (PHP has bugs? 
*gasp* I thought it was perfect!) with thanks to Adam Conrad for the suggestion * Clarify what needs to be installed for a working system (Thanks to Sean Abrahams) * Support debug DEB_BUILD_OPTIONS setting, thanks to Karl Hegbloom (Closes: #174221) * Add -pipe to the CFLAGS, thanks to Karl Hegbloom * Force apr-util to build against db4 * add OSX finder to the list of things that needs to be redirect-carefully'd * s/enabled/disabled in debian/a2-scripts/a2dismod (Closes: #173956) * enable auth-ldap, auth-anon, auth-dbm, auth-digest, and action as shared modules (Closes: #172044, #174583, #172093) * Upgrade to Berkely DB 4.1 * Upgrade to OpenSSL 0.9.7 * Add patch to ensure DB4.1 --with-unique-names is picked up. (Committed upstream) * Add local apache2 and apache2ctl manpages, since upstream have removed them. -- Thom May Mon, 20 Jan 2003 11:14:43 +0000 apache2 (2.0.43-1) unstable; urgency=medium * New Upstream Release; Fixes: CVE: CAN-2002-0840 CERT: VU#240329 * Add extra config to unfuck perchild. hopefully. * Rejig Proxy Config some. With thanks to: Emmanuel Chantreau (Closes: #163124) * Fix cgi install. Thanks to: Bastian Kleineidam (Closes: #162791) * Fix postinst to check installation type and behave accordingly (Closes: #162627) * Bring product version into line with RFC2616 (Closes: #151384) * Add allow line for ipv6 localhost (Closes: #163533) * Make more of the modules modular. * Set UseCanonicalName off * Added index.xhtml to DirectoryIndex settings * Enabled MultiViews in the default site, and for the manual (Closes: #160367) * Removed Unnecessary cgi.conf (Closes: #163842) -- Thom May Fri, 4 Oct 2002 21:47:18 +0100 apache2 (2.0.42-2) unstable; urgency=low * Tighten dependencies yet more * Restart in postinst. don't stop in prerm and start in postinst (Closes: #162344, #162350, #162537) * Fix dh_shlibdeps up * PERCHILD IS NOT WORKING IN THIS RELEASE. DON'T EXPECT IT TO. BUGS ABOUT THIS WILL BE CLOSED WITH EXTREME PREJUDICE. 
-- Thom May Fri, 27 Sep 2002 13:06:59 +0100 apache2 (2.0.42-1) unstable; urgency=low * "Pretty. What shall we blow up?" * New Upstream Version (Closes: #160364) * Fix man names and sections (Closes: #157113) * Correct the regex for netstat checking of ports, thanks to Matthew Hambley for this. * Correct dependencies for apache2-common. (Closes: #161793) * Applied patch from Stefan Gybas to fix a2enmod (Closes: #159459) * Added BrowserMatch directives for microsoft's bodgy DAV implementations and also for gnome-vfs (Closes: #155097) * Loosened the config for home directories (Closes: #153599) * Updated to latest standards version * Drop priority to extra to bring it in line with libdb4.0 * Added logrotate script - Thanks to Phil Edwards for the basic version, and the apache package that I ripped the rest off from (Closes: #155488) * Tighten up what the Include lines load some. This is related to #161512 but doesn't completely close it. -- Thom May Sat, 21 Sep 2002 22:14:22 +0100 apache2 (2.0.40-1) unstable; urgency=low * New Upstream Version * Correct dependencies. (Closes: #156959) * Code to check for something else listening on 80 (Closes: #156129) * correct permissions on suexec2 man page (Closes: #157005) * Make the start and stop targets use apache2 directly rather than apache2ctl. * Check for the existence of apache2 and exit if it's not there (Closes: #156640) * Nuke ssl_scache on startup (Closes: #157445) * patch apxs to not need an mpm installed. Correct dependencies for -dev. Stop messing around with ap_config_auto.h. This hopefully resolves James Troup's objections to apache2. (Closes: #157895) * Add code to check for a 2.2 based kernel and set up the Scoreboard accordingly. (Closes: #156899) * make sure i only have to update one init.d script, rather than 4. * make apxs return a correctly formatted response on queries. -- Thom May Wed, 21 Aug 2002 14:21:14 +0100 apache2 (2.0.39+cvs.1028741220-2) unstable; urgency=low * Rebuild against new libc6. Grr. 
(Closes: #155865) * Actually create /etc/apache2/httpd.conf * Propagate init.d changes through the other MPMs. -- Thom May Thu, 8 Aug 2002 09:19:49 +0100 apache2 (2.0.39+cvs.1028741220-1) unstable; urgency=low * New Upstream Version * Make a versioned depends on libapr0 (Closes: #154879, #155400) * Ensure that /etc/init.d/apache2 is registered properly. * Added a conf.d directory for random conf snippets * Ensure that the /manual/ alias is setup by the correct package (Closes: #155179) * Ensure that DAVLockDB is created in the right directory (Closes: #155096) * Now Building in a pbuilder chroot environment. * Perchild is now pseudo working (Closes: #154148) * Cumulatively (note to Lazarus Long: this means all the things in this changelog added together) (Closes: #155297, #155307, #155317, #155717, #155363, #155719, #155801) * Note that preceding changelog entry may not be parseable by strict grammar checks. Thanks to Jamie Wilkinson for pointing this out. 
* Turn MultiViews back on for the default site (Closes: #155450) * Removed all CVS directories (Closes: #155602, #155393, #155402) * SSI has been fixed upstream (Closes: #151744) * Removed SSLLog directives (Closes: #152940) * Put icons in the right place (Closes: #155178) * Fixed build-dep on libgdbmg1-dev (Closes: #155412) * Get correct information into config_vars.mk (Closes: #151712) * Removed 'ServerName localhost' line (Closes: #155359) * Placed apr-util headers in correct package * Ensured that the init.d script restarts apache properly -- Thom May Tue, 30 Jul 2002 22:37:52 +0100 apache2 (2.0.39+cvs.1027964860-1) unstable; urgency=low * New Upstream Source * Correct Icons path (Closes: #151314) * Add missing dep on mime-support (Closes: #151848, #152220, #152221, #151772) * Fixup suexec2, thanks to Masahito Omote (Closes: #151422) * Mark Brown - Remove spurious claim that apache2 hasn't been uploaded (Closes: #151433) - Bring apache2 in line with policy on /usr/share/doc/ (Closes: #151459) - Make reload behave the same as force-reload (Closes: #151432) * place the manual in the right place, thanks to Md (Closes: #151766) * David Kimdon - add build depends on zlib1g-dev (Closes: #151286) -- Thom May Fri, 29 Jul 2002 19:12:56 +0100 apache2 (2.0.39-1) unstable; urgency=low * New Upstream Version, fixing a denial of service vulnerability. * Fix installation of icons and manual. * David Kimdon - fix path for envvars in apxs2 - use generalized directives in ssl.conf ( SSLLog -> ErrorLog, SSLLogLevel -> LogLevel ), this allows server to load ssl module -- Thom May Fri, 14 Jun 2002 17:29:59 -0700 apache2 (2.0.37-2) unstable; urgency=low * Updated Copyright file to actually contain a copy of the various licenses.
-- Thom May Fri, 14 Jun 2002 15:41:41 +0100 apache2 (2.0.37-1) unstable; urgency=low * New upstream version -- Thom May Thu, 13 Jun 2002 17:47:12 +0100 apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low * New upstream release -- Thom May Wed, 5 Jun 2002 12:42:34 +0100 apache2 (2.0.36-2) unstable; urgency=low * debian/control - Correct provides, conflicts and depends, especially for the mpms. * build-dep doesn't work with provides, which makes sense. Need to make a note of this in the policy. * debian/rules - ensure that the mpm specific header file is installed into the right place -- Thom May Fri, 31 May 2002 14:54:39 +0100 apache2 (2.0.36-1) unstable; urgency=low * The "The obviously begging in a changelog works" release. * New Upstream release * Vpath Builds now work, giving the ability to select which MPM you require * Changed vhost base to only be a Recommends: as I'm not happy that it's currently in a properly releasable state. * New enhost script courtesy of DannyS. * David Kimdon - make apxs2 find envvars properly - use libtool to install apache2 binaries for different mpm's - fix dependencies for apache2-dev (we can't do a versioned 'Provides' so we need to list all the packages that provide apache2 along with their version) * Implemented a long overdue suggestion to only create ports.conf if it's not in existence already, rather than to add a command to listen on 80 iff that didn't exist. The person who suggested it is lost in the mists of my mailbox. If it was you, please email me! * debian/vhost-base/add.d/apache2 - apply patch from "Omniflux" to fix some brainos -- Thom May Mon, 6 May 2002 16:39:18 +0100 apache2 (2.0.35+cvs.20020420-1) unstable; urgency=low * The "finding myself standing on the corner staring into a different world" release. Will someone please give me a job? * Resync with upstream CVS. lots and lots of bug fixes since the last release. * Attempting to build with multiple MPMs, so speedfreaks can have a threaded MPM.
(Available MPMs are: prefork, worker, threadpool, and leader/follower). * Now sedding ap{r,u}-config in the install target. * vpath build evilness suggested by Andrew Suffield and others. I hate them all. :) -- Thom May Sat, 20 Apr 2002 17:04:46 +0100 apache2 (2.0.35-2) unstable; urgency=low * The "Apache2 isn't released, therefore the Bug Tracking System doesn't bloody well work" release * Fixes a bug in add host, due to the change from Port to Listen. (Reported by numerous people, patch more or less from Esteve Fernandez . * Attempt to fix apu-config, suggestion and patch from David Kimdon, if it's wrong, I broke it. (Changed it to apply pre-build, rather than post build. Yes, it's the lazy approach. It's also the right one :) ) * THE BUG TRACKING SYSTEM IS NOT THE RIGHT PLACE TO SEND BUG REPORTS FOR APACHE2. * REALLY. -- Thom May Sat, 6 Apr 2002 21:04:16 +0100 apache2 (2.0.35-1) unstable; urgency=low * WOOOOOOOOOOOHOOOOOOOOO! Apache2's first General Availability release! * Various bug fixes, suggestions and so on. * Built with db3 for the time being. -- Thom May Sat, 6 Apr 2002 03:01:24 +0100 apache2 (2.0.34+retag-1) unstable; urgency=low * Resync with upstream release. * Fix packaging-fus (Hi Marcello!) * Upstream have fixed cgi probs. -- Thom May Mon, 1 Apr 2002 14:50:12 +0100 apache2 (2.0.34-1) unstable; urgency=low * New upstream release * added mod_deflate as a shared library * bashed on apache2.conf some. -- Thom May Tue, 26 Mar 2002 23:23:09 +0000 apache2 (2.0.33-1) unstable; urgency=low * New upstream. * Unfucked all code, include init.d and /etc/vhosts. * FHS'ified, more or less * Some debconf, but not much. * Merged more patches upstream -- Thom May Sat, 9 Mar 2002 23:33:09 +0000 apache2 (2.0.32+cvs.20020228-1) unstable; urgency=low * The "bathwater, no baby" release. * Submitted patches upstream like crazy. * Tossed the insanely bogus apachectl patch * Debconf not included here. Want to get everything else right, and a release out. * Boom! 
-- Thom May Thu, 28 Feb 2002 21:07:24 +0000 apache2 (2.0.32-1) unstable; urgency=low * The "Throwing stuff away like mad and seeing if it still builds" release. * Ditched apache2-modules* on the principle of least surprise - the deb layouts now pretty closely follow apache. * Trying to triage away patches that have been fixed upstream. * Major attack on debconfiscation starts here -> . -- Thom May Tue, 19 Feb 2002 20:37:58 +0000 apache2 (2.0.31+cvs.20020217-1) unstable; urgency=low * New CVS snapshot from HEAD to benefit Subversion for the impending 0.9 release. Enjoy! 81 lines in the last couple of days ... :) * debian/patches/005_more_hardcoded_paths: - Regenerated diff against newer version of mpm_default.h. * debian/patches/008_apr-config_sucks - Regenerated apr-util part of diff against newer version of apu-config.in. * debian/apache2.{config,templates,postinst}, debian/vhost-base/add.d/apache2, debian/vhost-base/templates.d/apache2{,.in}, debian/rules: - Debconfage asking which port to run on, and make the vhost-base script only list the current ports; ports stuff moved to /etc/apache2/ports.conf - re-enable dh_installdebconf in debian/rules. - Moved templates.d/apache2 to templates.d/apache2.in so we can do some nifty inplace regexps. * debian/apache2.init.d: - Bail out of the init script if there aren't any sites enabled. * debian/{rules,control}: - Get rid of apache2-modules; move its contents to apache2. * debian/config-mods/cgid.conf: - Get rid of redundant wrapper around ScriptSock, so it actually loads. Thanks to Pieter "Pitr" Jansen for this one. -- Daniel Stone Sun, 17 Feb 2002 01:23:43 +1100 apache2 (2.0.31+cvs.20020207-1) unstable; urgency=low * The one-big-happy-apache2-bug-squashing-family release. * Update to latest CVS; hopefully this won't mean that piro deadlocks every time dpkg goes to read its database. Hopefully this gets rid of the bugs. Yes, all of them. 
* debian/patches/004a_srclib_layout_support: - Updated a touch to fit in with .32-dev. * debian/patches/008_stuff_in_sbin_not_bin: - Removed; obsoleted by upstream discovering sanity. * debian/patches/008_apr-config_sucks: - Fix problem whereby @prefix@ would sub to $(prefix), but $(prefix) wouldn't sub to the prefix, or ${prefix}, thus screwing up the running of apr-config ... ditto for apu-config (from apr-util). * debian/patches/009_apxs: - Reworked to make it actually work, and apply cleanly. - Fix libtool breakage once again, thanks David Kimdon. * debian/patches/010_shmget: - Hack to srclib/apr/apr.h.in to make it prefer shmget over everything else, to make it 2.2/non-tmpfs safe. (Thanks Ben Collins). * debian/patches/012_debian_version: - Minor update (include a space in front of "Debian", change it to "Debian GNU/Linux" to clarify things, and before the the Hurd [happy now, you crack junkies?] people complain, it's not released as a Debian port yet, so feh). * debian/vhost-base/add.d/apache2: - Change sites to sites-available, in line with the previous change. * debian/config/mods-available: - Move to debian/config-mods to make life easier with the move to apache2-modules (see below). * debian/config-mods/auth_dbm.load: - New file, in line with introducing mod_auth_dbm; thanks again to David Kimdon. * debian/a2-scripts/a2{en,dis}mod: - Rewritten to be much cleaner and cool. (Thanks to Ben Collins for pointing out that the permissions were screwed). * debian/apache2.postinst: - New file, no #DEBHELPER# token so that we don't care if postinst fails; this way it won't bail if you're already running another web server. Thanks to David Kimdon for pointing out an error. * debian/vhost-base/{enable,disable}.d/apache2: - Fixed! Woot! The code isn't the best you'll see, but now *WORKS*. Whoo! * debian/control: - Extend libapr-dev's Depends to include libapr0 (duh). 
- Remove apache2-modules-dev as modules are no longer built both shared and static, IMHO this was quite braindead behavior. Upstream's change, not mine. - Remove apache2-support as apxs2 requred apache2 anyway. Chalk one (more) down for "failed experiments". - Removed redundant libssl0.9.6 and libxmltok1 build-deps; we already build-depped on the relevant -dev packages; thanks Ben Collins. * debian/rules: - Modules are no longer built statically as well as dynamically (upstream change), so stop trying to move the files around. - Sort out the libapr0/libapr-dev mess once and for all; thanks to Matt Wilcox and Ben Collins for patiently talking me through it. - Move *contents* of mods-available to apache2-modules, but keep the directory itself as part of apache2, to keep the addons happy; thanks David Kimdon. - s/apache2-support/apache2/, see debian/control entry. - Remove extraneous LICENSE file from the vhost manual. - Remove *.exp files, because they're unneeded. * debian/apache2.docs: - Remove KEYS from the list of docs because this is crap and no longer distributed. w00t! -- Daniel Stone Thu, 7 Feb 2002 20:39:44 +1100 apache2 (2.0.28-3) unstable; urgency=low * Enabled mod_auth_dbm for Subversion. (thanks David Kimdon). -- Daniel Stone Thu, 29 Nov 2001 23:25:53 +1100 apache2 (2.0.28-2) unstable; urgency=low * Fixed up a couple of things, /etc/apache2/modules->/etc/apache2/mods-available, etc. * Included mod_dav, so Subversion can be built. * New package: apache2-modules-dev, containing all /usr/lib/apache2/modules/*a. (Thanks Adam Heath). * Moved libapr.so.* symlinks to libapr-dev (Thanks again to doogie). -- Daniel Stone Sun, 25 Nov 2001 19:00:19 +1100 apache2 (2.0.28-1) unstable; urgency=low * Updated to 2.0.28, which they actually managed to agree on calling a beta. * debian/apache2.init.d: - Stripped of almost all its functionality. 
Now just touches httpd.conf if we're starting and it doesn't exist, and then calls apache2ctl with all our options, whatever they may be - it can error out if it wants. * Removed patches: - 010_index.html.it_typo - merged upstream. * Updated patches: - 009_apxs: make it actually find libtool. Thanks to David Kimdon. - 002_apache2ctl: really fix apache2ctl graceful. -- Daniel Stone Sun, 18 Nov 2001 15:29:43 +1100 apache2 (2.0.26+cvs.20011028-2) unstable; urgency=low * Added vhost-base support. - Removed Debconfage and moved all the templates to debian/vhost-base/templates.d (/etc/vhosts/templates.d). Removed apache2.postinst and apache2.config. - Removed a2{dis,en}host. * /usr/lib/cgi-bin will now be /cgi-bin, /var/vhosts/hostname/cgi-bin will be /cgi-local. -- Daniel Stone Fri, 9 Nov 2001 21:53:27 +1100 apache2 (2.0.26+cvs.20011028-1) unstable; urgency=low * Resync with HEAD (another coming to fix segfaults, but no net connectivity at the moment - 4-11-2001, 2:12pm. Grrr). * New patches: - 011_mod_autoindex-symlink: make icons for symlinks to files and dirs special cases. + Touches modules/generators/mod_autoindex.c + Special cases: ^^SYMDIR^^ and ^^SYMLINK^^. - 012_debian_version: adds "Debian" to the Apache version string. + Touches include/ap_release.h - this patch has *no* context. Please don't give it any, I don't want to have to rediff every version. * debian/config/httpd.conf, debian/config/apache2.conf: - Move main config file to apache2.conf, made it much more bare-bones. + User (or package) config should be done in httpd.conf. * apache2.conf: - s/Port/Listen/ - booya! Finally they cleaned it up. - Add (commented-out) icon entries for ^^SYMDIR^^ and ^^SYMLINK^^. Anyone volunteer to create icons? * debian/apache2.postinst: - Minor cleanups. - And later: Made it just call ap2addhost --default. (and a2enhost). 
* debian/config/modules/ssl.conf, debian/config/sites/default-443: - Put only generic SSL stuff in ssl.conf, split SSL support out into a new virtual host thingy in accordance with dealing with ports. * debian/config/sites/default, debian/config/sites/default-443, debian/patches/004b_debian_layout: - Add a new alias /cgi-pub/ to /usr/lib/cgi-bin. Packages should put scripts here. * debian/control: - changed the Suggests: on apache2-doc to a Recommends: + otherwise /manual/ will be a broken alias, as it points to /usr/share/doc/apache2-doc/manual. - changed libapr-dev to Architecture: all (from Arch: any) - whoops. * Added support for multiple ports on the one virtual host. At the moment it's one gigantic, ugly, kludge. *sigh*. Format: - /var/vhosts/site.name/htdocs-PORT - /var/vhosts/site.name/logs/(access|error).log-PORT - /var/vhosts/site.name/cgi-bin-PORT * debian/apache2.postinst, debian/config/sites/default, etc: - s#/var/www#/var/vhosts#; - s#htdocs#htdocs-$PORT#; * More Debconfage - it now asks if you want SSL support in the default virtual host, and which port number you want (default 81 so it sits side-by-side with apache). * Major change to postinst, a2addhost, et al: - It's all now done in Perl, and postinst is no longer a special case. The standalones call Debconf for what they need to do, calling it as a standalone. This way, postinst just calls a2addhost, etc, and it also smooths the path for me to do the vhost-base stuff. * No, this migration path probably won't be smooth (between apache2 versions). Sorry. * Last release before I make it vhost-base compliant. -- Daniel Stone Sun, 28 Oct 2001 20:33:18 +1100 apache2 (2.0.26+cvs.20011023-1) unstable; urgency=low * Damnit, resync with HEAD (2_0_26 was unstable). -- Daniel Stone Tue, 23 Oct 2001 18:36:42 +1000 apache2 (2.0.26-1) unstable; urgency=low * Resync with upstream CVS (but only as far as the APACHE_2_0_26 tag). 
Essentially, this gives all the coolness of a CVS tree, but all the stability of a release. I may start tracking HEAD later, we'll just have to see. * Changed libapr->libapr0. * Fixed a couple of typo's in index.html.it (thanks Md, via Joey). * 22nd October, 7:51pm: Resync again as they added a couple of files and bumped the tag to fix segfaults. -- Daniel Stone Wed, 17 Oct 2001 23:50:39 +1000 apache2 (2.0.25+cvs.20011001-1) unstable; urgency=low * More CVS resyncing joy. * Silly stupid evil poo bum hack to apachectl. I don't like this. Please, help. * Got rid of a few lintian warnings. * Install build stuff to /etc/apache2/build, adjust apxs accordingly. * Agreed on policy with madduck. This is a MAJOR CHANGE, people. A lot of stuff has changed around, so you'll need to change your packages. apache2 now treats everything as a virtual host (even when you only have one host). This allows us to skirt around FHS and do our own thing. ("Thpthpthpthpthpthpt, we're using vhosts. FHS doesn't say anything about that.") Please see README.Debian for more details. * More fun with virtual hosts. Migrated their configuration files to /etc/apache2/virtuals/. This will allow for easy adding and removal, via the new tools /usr/sbin/ap2(add|del)vh. apache2's postinst touches /etc/apache2/POSTINST_CONFED, and will refuse to re-run the postinst config stuff if it's there already. * Module fun - /usr/sbin/ap2mod(en|dis). Modules put their loading line in /etc/apache2/modules/foo.load, config in /etc/apache2/modules/foo.conf. Enabled module stuff gets symlinked into /etc/apache2/mods-enabled. * Move APR stuff to /usr/lib, not /usr/lib/libapr. Whoops, should've done this a *long* *time* *ago*. * More silly APR hacks: Move /usr/include/libapr to /usr/include/apache2, as silly things like php4 don't get the fact that APR and apache2 can indeed have different include directories. Grrr. * Juggled script names - it's now a2(en|dis)(host|mod). * I don't care, I'm uploading. 
No, really (closes: #103471). It's been 93 days since I first did dh_make and ITPed it. :) -- Daniel Stone Thu, 4 Oct 2001 20:15:31 +1000 apache2 (2.0.25+cvs.20010923-1) unstable; urgency=low * Another resync with upstream CVS; most of the changes below were made between then and now. * Also added apache2-support - everything from support/*, so php4, et al don't need to Build-Depend on apache2 itself. -- Daniel Stone Sun, 23 Sep 2001 13:21:16 +1000 apache2 (2.0.25+cvs.20010908-1) unstable; urgency=low * Synched everything with CVS; it works now. * We now build with ./buildconf due to the above; redo all the patches against configure.in. I swear this will be the last change, and that I'll test it. * Removed php4 and modperl-2.0 from the tree. I should keep the changelogs internal, as this is now getting not only very silly, but very embarassing. * I corrected myself in the ITP that it was licensed under the Apache Software License, not GPLed, but forgot to do that in debian/copyright. Whoops. Feel free to LART. * Lintian cleanups: - Remove extra LICENSE files. - Stop stuff calling -rpath. - Change printenv to call /usr/bin/perl, not /usr/local/bin/perl - wtf? - Move manpages to the right directory. * Minor merge from Thom courtesy of some stuff being stored on pandora:~thom. - Use buildprogs.pl to parse stuff like apache2ctl, apxs2, etc. * Hopefully I'm only one CVS sync away from an upload. * Moved some stuff over to /usr/sbin, fixed apache2ctl once and for all. Hopefully. -- Daniel Stone Sun, 9 Sep 2001 00:05:03 +1000 apache2 (2.0.24-2) unstable; urgency=low * The "Farewell Buddha" Release. * Or, alternatively: The "Darren Milburn is an Idiot for Inciting Crowds" Release. * Yes, it's the height of evil, I know: modperl-2.0 goes into the source tree. (from CVS). Separate tarballs, thanks to DBS, but still, yeah. * Ditto php4. * Still no Thom's laptop; hence no merges, and I'm not going to duplicate work. 
-- Daniel Stone Sun, 2 Sep 2001 21:50:59 +1000 apache2 (2.0.24-1) unstable; urgency=low * New upstream version. * Use prefork, not threaded, MPM. (threaded is currently broken). * Update example httpd.conf for mod_ssl and have lines for all the modules. * Build-Depends, all the Build-Depends! * Update maintainer email address (thanks Joey). * Turns out using buildconf was what broke modules. I swear I won't do anything like that again. Promise! (thanks Thom for pointing this out) * Implied by the above, rediff all patches against configure, not configure.in. * Also, don't copy configure.{guess,sub} over anymore, because we don't need them. * More Thom merges: - debian/patches/003_apache2ctl - rewritten apache2ctl to actually work. * Return of debian/patches/006_dont_install_build_crap. GAH! -- Daniel Stone Sat, 18 Aug 2001 17:01:19 +1000 apache2 (2.0.23-2) unstable; urgency=low * SSL finally works, and beat instructions on how to get it going out of someone on new-httpd. Moved SSL stuff to apache2-modules. * Disabled TLS, because it's unstable and unnecessary. * Merge from Thom May's tree: 005b_debian_layout - The Debian layout for stuff - Move APR stuff to /usr/lib/libapr and /usr/include/libapr. - Clean up debian/rules, largely thanks to the two new patches. * General cleanups, resulting from running lintian: - Chuck #DEBHELPER# in postinst, which also fixes the /usr/doc and init.d problems (due to debhelper now doing its postinst thing). - Remove LICENSE files from apache2-doc and the default document root. - Remove man/ and build/ top-level dirs, install manpages correctly. - Updated 004_perl_in_usr_bin to include the manual search CGI. * Remove all evil, ugly, patches to configure in debian/patches/*, instead, diff against configure.in, because autoconf gets run in the configure stage every time. * Copy config.{guess,sub} from /usr/share/misc (provided by autotools-dev) at runtime, thus eliminating debian/patches/002_config_guess_and_sub. 
* Reshuffled patch numbers to cope with the above. * I give up on this DBM crap. Disable mod_auth_dbm for now. -- Daniel Stone Wed, 15 Aug 2001 18:27:23 +1000 apache2 (2.0.23-1) unstable; urgency=low * New upstream - 2.0.23. * New patches: 004_conffile_in_etc_apache2 - Make an ugly init.d hack unnecessary. 005_perl_in_usr_bin - Make example CGI scripts use /usr/bin/perl. * Fix mime_magic stuff by copying magic to /etc/apache2. * Remove debian/patches/003_cgisock_in_var_log_apache2, instead found a new conffile directive, put this into the default distributed conffile. -- Daniel Stone Sun, 12 Aug 2001 18:05:32 +1000 apache2 (2.0.22-2) unstable; urgency=low * Aargh, I'm an idiot. Fix a bug in mod_cgid.c that had a hardcoded path. That's now debian/patches/003*. -- Daniel Stone Sat, 11 Aug 2001 08:04:13 +1000 apache2 (2.0.22-1) unstable; urgency=low * Updated to 2.0.22, started using a form of DBS. * Merge from Thom May's 2.0.20 tree - new libapr-dev package. * Backed out the old mod_(tls|ssl) hacks, see if 2.0.23 is any better (apparently it is, thank god). -- Daniel Stone Wed, 8 Aug 2001 15:13:09 +1000 apache2 (2.0.20-2) unstable; urgency=low * New SSL fixes from new-httpd. Apparently, this (generally) works. -- Daniel Stone Fri, 13 Jul 2001 07:57:18 -0500 apache2 (2.0.20-1) unstable; urgency=low * New upstream release -- Daniel Stone Mon, 9 Jul 2001 18:41:04 +1000 apache2 (2.0.18-1) unstable; urgency=low * Initial Release. -- Daniel Stone Wed, 4 Jul 2001 21:29:29 +1000