Package "apache2-bin"
Name: |
apache2-bin
|
Description: |
Apache HTTP Server (modules and other binary files)
|
Latest version: |
2.4.29-1ubuntu4.27 |
Release: |
bionic (18.04) |
Level: |
security |
Repository: |
main |
Head package: |
apache2 |
Homepage: |
http://httpd.apache.org/ |
Links
Download "apache2-bin"
Other versions of "apache2-bin" in Bionic
Changelog
apache2 (2.4.29-1ubuntu4.27) bionic-security; urgency=medium
* SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
- debian/patches/CVE-2023-25690-1.patch: don't forward invalid query
strings in modules/http2/mod_proxy_http2.c,
modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c,
modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c,
modules/proxy/mod_proxy_wstunnel.c.
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in
modules/http2/mod_proxy_http2.c.
- CVE-2023-25690
-- Marc Deslauriers <email address hidden> Wed, 08 Mar 2023 12:34:33 -0500
|
Source diff to previous version |
CVE-2023-25690 |
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected |
|
apache2 (2.4.29-1ubuntu4.26) bionic-security; urgency=medium
* SECURITY UPDATE: DoS via crafted If header in mod_dav
- debian/patches/CVE-2006-20001.patch: fix error path for "Not" prefix
parsing in modules/dav/main/util.c.
- CVE-2006-20001
* SECURITY UPDATE: request smuggling in mod_proxy_ajp
- debian/patches/CVE-2022-36760.patch: cleanup on error in
modules/proxy/mod_proxy_ajp.c.
- CVE-2022-36760
* SECURITY UPDATE: response header truncation issue
- debian/patches/CVE-2022-37436.patch: fail on bad header in
modules/proxy/mod_proxy_http.c.
- CVE-2022-37436
-- Marc Deslauriers <email address hidden> Tue, 31 Jan 2023 09:01:53 -0500
|
Source diff to previous version |
CVE-2006-20001 |
A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header va |
CVE-2022-36760 |
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to sm |
CVE-2022-37436 |
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorpo |
|
apache2 (2.4.29-1ubuntu4.25) bionic-security; urgency=medium
* SECURITY REGRESSION: Previous fix for CVE-2022-30522 caused
a regression
- debian/patches/CVE-2022-30522.patch: removing line should be removed
at the backport but was missing in modules/filters/sed1.c (LP: #1979641)
-- Leonidas Da Silva Barbosa <email address hidden> Thu, 23 Jun 2022 09:51:37 -0300
|
Source diff to previous version |
1979641 |
mod_sed duplicates lines (in 2.4.29-1ubuntu4.24) |
CVE-2022-30522 |
If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may m |
|
apache2 (2.4.29-1ubuntu4.24) bionic-security; urgency=medium
* SECURITY UPDATE: HTTP Request Smuggling
- debian/patches/CVE-2022-26377.patch: changing
precedence between T-E and C-L in modules/proxy/mod_proxy_ajp.c.
- CVE-2022-26377
* SECURITY UPDATE: Read beyond bounds
- debian/patches/CVE-2022-28614.patch: handle large
writes in ap_rputs.
in server/util.c.
- CVE-2022-28614
* SECURITY UPDATE: Read beyond bounds
- debian/patches/CVE-2022-28615.patch: fix types
in server/util.c.
- CVE-2022-28615
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2022-29404.patch: cast first
in modules/lua/lua_request.c.
- CVE-2022-29404
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2022-30522.patch: limit mod_sed
memory use in modules/filters/mod_sec.c,
modules/filters/sed1.c.
- CVE-2022-30522
* SECURITY UPDATE: Returning point past of the buffer
- debian/patches/CVE-2022-30556.patch: use filters consistently
in modules/lua/lua_request.c.
- CVE-2022-30556
* SECURITY UPDATE: Bypass IP authentication
- debian/patches/CVE-2022-31813.patch: to clear
hop-by-hop first and fixup last in modules/proxy/proxy_util.c.
- CVE-2022-31813
-- Leonidas Da Silva Barbosa <email address hidden> Tue, 14 Jun 2022 14:52:48 -0300
|
Source diff to previous version |
CVE-2022-26377 |
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to sm |
CVE-2022-28614 |
The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very larg |
CVE-2022-28615 |
Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extrem |
CVE-2022-29404 |
In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no defau |
CVE-2022-30522 |
If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may m |
CVE-2022-30556 |
Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the |
CVE-2022-31813 |
Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop m |
|
apache2 (2.4.29-1ubuntu4.22) bionic-security; urgency=medium
* SECURITY UPDATE: OOB read in mod_lua via crafted request body
- debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
lua_write_body() fail in modules/lua/lua_request.c.
- CVE-2022-22719
* SECURITY UPDATE: HTTP Request Smuggling via error discarding the
request body
- debian/patches/CVE-2022-22720.patch: simpler connection close logic
if discarding the request body fails in modules/http/http_filters.c,
server/protocol.c.
- CVE-2022-22720
* SECURITY UPDATE: overflow via large LimitXMLRequestBody
- debian/patches/CVE-2022-22721.patch: make sure and check that
LimitXMLRequestBody fits in system memory in server/core.c,
server/util.c, server/util_xml.c.
- CVE-2022-22721
* SECURITY UPDATE: out-of-bounds write in mod_sed
- debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
modules/filters/mod_sed.c, modules/filters/sed1.c.
- debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
modules/filters/mod_sed.c.
- CVE-2022-23943
-- Marc Deslauriers <email address hidden> Wed, 16 Mar 2022 12:53:42 -0400
|
CVE-2022-22719 |
A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Serv |
CVE-2022-22720 |
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server |
CVE-2022-22721 |
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later ca |
CVE-2022-23943 |
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. |
|
About
-
Send Feedback to @ubuntu_updates