feat: update apache2 to 2.4.66-1~deb13u2

CHANGES

@@ -1,6 +1,68 @@
                                                          -*- coding: utf-8 -*-
+Changes with Apache 2.4.66
+
+  *) mod_http2: Fix handling of 304 responses from mod_cache. PR 69580.
+     [Stefan Eissing]
+
+  *) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
+     integers, used in push diaries and proxy window size calculations.
+     PR69741 [Benjamin P. Kallus]
+
+  *) mod_md: update to version 2.6.5
+     - New directive `MDInitialDelay`, controlling how longer to wait after
+       a server restart before checking certificates for renewal.
+       [Michael Kaufmann]
+     - Hardening: when build with OpenSSL older than 1.0.2 or old libressl
+       versions, the parsing of ASN.1 time strings did not do a length check.
+     - Hardening: when reading back OCSP responses stored in the local JSON
+       store, missing 'valid' key led to uninitialized values, resulting in
+       wrong refresh behaviour.
+
+  *) mod_md: update to version 2.6.6
+     - Fix a small memory leak when using OpenSSL's BIGNUMs. [Theo Buehler]
+     - Fix reuse of curl easy handles by resetting them. [Michael Kaufmann]
+
+  *) mod_http2: update to version 2.0.35
+     New directive `H2MaxStreamErrors` to control how much bad behaviour
+     by clients is tolerated before the connection is closed.
+     [Stefan Eissing]
+
+  * mod_proxy_http2: add support for ProxyErrorOverride directive. PR69771
+
+  *) mpm_common: Add new ListenTCPDeferAccept directive that allows to specify
+     the value set for the TCP_DEFER_ACCEPT socket option on listen sockets.
+     [Ruediger Pluem]
+
+  *) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual
+     host compatibility policy.  PR 69743.  [Joe Orton]
+
+  *) mod_md: update to version 2.6.2
+     - Fix error retry delay calculation to not already doubling the wait
+       on the first error.
+
+  *) mod_md: update to version 2.6.1
+     - Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
+       traffic on errored renewals for the ACME CA. This leads to error retries
+        of 30s, 1 minute, 2, 4, etc. up to daily attempts.
+     - Checking that configuring `MDRetryDelay` will result in a positive
+       duration. A delay of 0 is not accepted.
+     - Fix a bug in checking Content-Type of responses from the ACME server.
+     - Added ACME ARI support (rfc9773) to the module. Enabled by default. New
+       directive "MDRenewViaARI on|off" for controlling this.
+     - Removing tailscale support. It has not been working for a long time
+       as the company decided to change their APIs. Away with the dead code,
+       documentation and tests.
+     - Fixed a compilation issue with pre-industrial versions of libcurl.
+
 Changes with Apache 2.4.65
 
+  *) SECURITY: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr'
+     always evaluates to true in 2.4.64 (cve.mitre.org)
+     A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond
+     expr ..." tests evaluating as "true".
+     Users are recommended to upgrade to version 2.4.65, which fixes
+     the issue.
+
 Changes with Apache 2.4.64
 
   *) SECURITY: CVE-2025-53020: Apache HTTP Server: HTTP/2 DoS by
@@ -541,7 +603,8 @@ Changes with Apache 2.4.59
   *) htpasswd: Add support for passwords using SHA-2.  [Joe Orton,
      Yann Ylavic]
 
-  *) core: Allow mod_env to override system environment vars. [Joe Orton]
+  *) core: Allow mod_env to override system environment vars. PR 63117.
+     [Joe Orton]
 
   *) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an
      operation which removes a directory/file between apr_dir_read() and

CMakeLists.txt

@@ -502,7 +502,7 @@ SET(mod_md_extra_sources
   modules/md/md_ocsp.c               modules/md/md_util.c               
   modules/md/mod_md_config.c         modules/md/mod_md_drive.c
   modules/md/mod_md_os.c             modules/md/mod_md_status.c
-  modules/md/mod_md_ocsp.c           modules/md/md_tailscale.c
+  modules/md/mod_md_ocsp.c
 )
 SET(mod_optional_hook_export_extra_defines AP_DECLARE_EXPORT) # bogus reuse of core API prefix
 SET(mod_proxy_extra_defines          PROXY_DECLARE_EXPORT)

configure

@@ -33942,7 +33942,7 @@ EOF
   > $modpath_current/modules.mk
 
 
-md_objs="md_acme.lo md_acme_acct.lo md_acme_authz.lo md_acme_drive.lo md_acmev2_drive.lo md_acme_order.lo md_core.lo md_curl.lo md_crypt.lo md_event.lo md_http.lo md_json.lo md_jws.lo md_log.lo md_ocsp.lo md_result.lo md_reg.lo md_status.lo md_store.lo md_store_fs.lo md_tailscale.lo md_time.lo md_util.lo mod_md.lo mod_md_config.lo mod_md_drive.lo mod_md_ocsp.lo mod_md_os.lo mod_md_status.lo "
+md_objs="md_acme.lo md_acme_acct.lo md_acme_authz.lo md_acme_drive.lo md_acmev2_drive.lo md_acme_order.lo md_core.lo md_curl.lo md_crypt.lo md_event.lo md_http.lo md_json.lo md_jws.lo md_log.lo md_ocsp.lo md_result.lo md_reg.lo md_status.lo md_store.lo md_store_fs.lo md_time.lo md_util.lo mod_md.lo mod_md_config.lo mod_md_drive.lo mod_md_ocsp.lo mod_md_os.lo mod_md_status.lo "
 
 # Ensure that other modules can pick up mod_md.h
 

debian/apache2.NEWS

@@ -1,3 +1,56 @@
+apache2 (2.4.65-2) unstable; urgency=medium
+
+  Following the resolution of CVE-2025-23048,
+  some SSL-enabled websites may begin encountering
+  the error (AH02032):
+  .
+    Misdirected Request:
+    The client needs a new connection for this request as the
+    requested host name does not match the Server Name Indication
+    (SNI) in use for this connection.
+  .
+  This behavior is particularly noticeable with AWS Application
+  Load Balancers. Although they support intelligent SNI handling,
+  they do not (as of this writing) relay SNI data to the target
+  server, resulting in failed connections when hostnames don’t align.
+  .
+  Without an SNI provided by the client, there is nothing httpd
+  can do to determine which vhost/configuration should be
+  used to provide the correct certificate (and TLS authentication
+  eventually) whenever multiple vhosts listen on the same IP:port.
+  .
+  That's because reading the HTTP Host header necessarily has to
+  happen after the TLS handshake/auth/decryption (and later
+  renegotiation is not an option with TLSv1.3).
+  .
+  So those connections fall back to the first vhost declared on
+  the IP:port for the TLS handshake part, and if the request
+  Host header finally matches a different vhost with a different
+  TLS configuration it's rejected with AH02032.
+  .
+  Before 2.4.64 the check was not accurate and would allow that,
+  with security implications.
+  .
+  As a workaround, you may (after a risk analysis) generate a
+  wildcard certificate. If you’re managing multiple domains,
+  consolidate them into a single certificate by including each
+  wildcard domain as an alias. Then, update the Apache configuration
+  to reference this unified certificate.
+  .
+  Another possible workaround is to configure each virtual host to
+  listen on a separate port. This approach avoids SNI-related issues
+  by ensuring that each vhost is uniquely addressed through its own
+  connection endpoint, thereby allowing distinct TLS configurations
+  without ambiguity.
+  .
+  This error may also stem from a misconfigured HAProxy setup.
+  In such cases, enabling dynamic SNI handling on HAProxy might be
+  necessary to ensure that the correct hostname is passed through
+  during the TLS handshake. After risk analysis, it could be done
+  by using "sni req.hdr(Host)" directive.
+
+ -- Bastien Roucariès <rouca@debian.org>  Fri, 25 Jul 2025 20:33:38 +0200
+
 apache2 (2.4.64-2) unstable; urgency=medium
 
   RFC 8996 published by the IETF in March 2021,
@@ -7,7 +60,7 @@ apache2 (2.4.64-2) unstable; urgency=medium
   These older protocols lack support for modern cryptographic
   algorithms and are prone to exploits that threaten data
   confidentiality and integrity. In alignment with RFC 8996,
-  we disable by default this protocols.
+  we disable by default these protocols.
   .
   This change can cause older applications or systems
   to break if they haven't been updated to support

debian/changelog

@@ -1,11 +1,38 @@
+apache2 (2.4.66-1~deb13u2) trixie; urgency=medium
+
+  * Team upload
+  * Fix a regression on http2
+    (Closes: #1125713, #1125368, #1126177, #1128831)
+  * Split testsuite avoiding timeout (Closes: #1126571)
+
+ -- Bastien Roucariès <rouca@debian.org>  Sun, 01 Mar 2026 14:26:45 +0100
+
+apache2 (2.4.66-1~deb13u1) trixie; urgency=medium
+
+  * Team upload
+  * New upstream version (Closes: #1121926, CVE-2025-55753, CVE-2025-58098,
+    CVE-2025-59775, CVE-2025-65082, CVE-2025-66200)
+  * Update test framework
+
+ -- Yadd <yadd@debian.org>  Fri, 05 Dec 2025 19:52:34 +0100
+
+apache2 (2.4.65-2) unstable; urgency=high
+
+  * Fix SSLProtocol has a duplicate "all"
+    (Closes: #1109839)
+  * Warn about misconfigured load balancer following fix of
+    CVE-2025-23048.
+
+ -- Bastien Roucariès <rouca@debian.org>  Tue, 29 Jul 2025 19:52:31 +0200
+
 apache2 (2.4.65-1) unstable; urgency=medium
 
   * New upstream version 2.4.65 (Closes: CVE-2025-54090)
   * Unfuzz patch
 
  -- Yadd <yadd@debian.org>  Wed, 23 Jul 2025 16:05:45 +0200
 
-apache2 (2.4.64-2) unstable; urgency=medium
+apache2 (2.4.64-2) UNRELEASED; urgency=medium
 
   * Per RFC 8996 disable by default TLS 1.0 and TLS 1.1
     (Closes: #943415)

debian/config-dir/mods-available/ssl.conf

@@ -68,7 +68,7 @@ SSLCipherSuite HIGH:!aNULL
 #   The protocols to enable.
 #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
 #   SSL v2  is no longer supported
-SSLProtocol all all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 
 #   Allow insecure renegotiation with clients which do not yet support the
 #   secure renegotiation protocol. Default: Off