Package "apache2-bin"
Name: |
apache2-bin
|
Description: |
Apache HTTP Server (modules and other binary files)
|
Latest version: |
2.4.29-1ubuntu4.27 |
Release: |
bionic (18.04) |
Level: |
updates |
Repository: |
main |
Head package: |
apache2 |
Homepage: |
http://httpd.apache.org/ |
Links
Download "apache2-bin"
Other versions of "apache2-bin" in Bionic
Changelog
apache2 (2.4.29-1ubuntu4.22) bionic-security; urgency=medium
* SECURITY UPDATE: OOB read in mod_lua via crafted request body
- debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
lua_write_body() fail in modules/lua/lua_request.c.
- CVE-2022-22719
* SECURITY UPDATE: HTTP Request Smuggling via error discarding the
request body
- debian/patches/CVE-2022-22720.patch: simpler connection close logic
if discarding the request body fails in modules/http/http_filters.c,
server/protocol.c.
- CVE-2022-22720
* SECURITY UPDATE: overflow via large LimitXMLRequestBody
- debian/patches/CVE-2022-22721.patch: make sure and check that
LimitXMLRequestBody fits in system memory in server/core.c,
server/util.c, server/util_xml.c.
- CVE-2022-22721
* SECURITY UPDATE: out-of-bounds write in mod_sed
- debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
modules/filters/mod_sed.c, modules/filters/sed1.c.
- debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
modules/filters/mod_sed.c.
- CVE-2022-23943
-- Marc Deslauriers <email address hidden> Wed, 16 Mar 2022 12:53:42 -0400
|
Source diff to previous version |
CVE-2022-22719 |
A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Serv |
CVE-2022-22720 |
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server |
CVE-2022-22721 |
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later ca |
CVE-2022-23943 |
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. |
|
apache2 (2.4.29-1ubuntu4.21) bionic-security; urgency=medium
* SECURITY UPDATE: DoS or SSRF via forward proxy
- debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
uri-paths not to be forward-proxied have an http(s) scheme, and that
the ones to be forward proxied have a hostname in
include/http_protocol.h, modules/http/http_request.c,
modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
modules/proxy/proxy_util.c, server/protocol.c.
- debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
w/ no hostname in modules/proxy/mod_proxy.c,
modules/proxy/proxy_util.c.
- CVE-2021-44224
* SECURITY UPDATE: overflow in mod_lua multipart parser
- debian/patches/CVE-2021-44790.patch: improve error handling in
modules/lua/lua_request.c.
- CVE-2021-44790
-- Marc Deslauriers <email address hidden> Wed, 05 Jan 2022 09:50:41 -0500
|
Source diff to previous version |
CVE-2021-44224 |
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixi |
CVE-2021-44790 |
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache http |
|
apache2 (2.4.29-1ubuntu4.20) bionic; urgency=medium
* Revert fix from 2.4.29-1ubuntu4.19, due to performance regression.
(LP 1832182)
-- Bryce Harrington <email address hidden> Sun, 14 Nov 2021 23:52:18 +0000
|
Source diff to previous version |
apache2 (2.4.29-1ubuntu4.19) bionic; urgency=medium
* d/apache2ctl: Also use systemd for graceful if it is in use.
(LP: #1832182)
- This extends an earlier fix for the start command to behave
similarly for restart / graceful. Fixes service failures on
unattended upgrade.
-- Bryce Harrington <email address hidden> Tue, 28 Sep 2021 22:27:27 +0000
|
Source diff to previous version |
1832182 |
systemd unable to detect running apache if invoked via \ |
|
apache2 (2.4.29-1ubuntu4.18) bionic-security; urgency=medium
* SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
- debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
rules in modules/mappers/mod_rewrite.c.
- debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
hostname in modules/mappers/mod_rewrite.c,
modules/proxy/proxy_util.c.
-- Marc Deslauriers <email address hidden> Tue, 28 Sep 2021 07:01:16 -0400
|
1945311 |
Fix for CVE-2021-40438 breaks existing configs |
CVE-2021-40438 |
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP |
|
About
-
Send Feedback to @ubuntu_updates