UbuntuUpdates.org

Package "apache2"

Name: apache2

Description: Apache HTTP Server

Latest version: 2.4.41-4ubuntu3.7
Release: focal (20.04)
Level: updates
Repository: main
Homepage: https://httpd.apache.org/

Other versions of "apache2" in Focal

Repository   Area       Version
base         main       2.4.41-4ubuntu3
base         universe   2.4.41-4ubuntu3
security     universe   2.4.41-4ubuntu3.6
security     main       2.4.41-4ubuntu3.6
updates      universe   2.4.41-4ubuntu3.7


Changelog

Version: 2.4.41-4ubuntu3.7 2021-10-07 02:06:25 UTC

  apache2 (2.4.41-4ubuntu3.7) focal; urgency=medium

  * d/apache2ctl: Also use systemd for graceful if it is in use.
    (LP: #1832182)
    - This extends an earlier fix for the start command to behave
      similarly for restart / graceful. Fixes service failures on
      unattended upgrade.

 -- Bryce Harrington <email address hidden> Tue, 28 Sep 2021 22:28:10 +0000

1832182 systemd unable to detect running apache if invoked via \

Version: 2.4.41-4ubuntu3.6 2021-09-28 16:07:16 UTC

  apache2 (2.4.41-4ubuntu3.6) focal-security; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <email address hidden> Tue, 28 Sep 2021 07:00:45 -0400

1945311 Fix for CVE-2021-40438 breaks existing configs
CVE-2021-40438 A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP

Version: 2.4.41-4ubuntu3.5 2021-09-27 16:06:28 UTC

  apache2 (2.4.41-4ubuntu3.5) focal-security; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193-pre1.patch: process early errors via a
      dummy HTTP/1.1 request as well in modules/http2/h2.h,
      modules/http2/h2_request.c, modules/http2/h2_session.c,
      modules/http2/h2_stream.c.
    - debian/patches/CVE-2021-33193-pre2.patch: sync with github standalone
      version 1.15.17 in modules/http2/h2_bucket_beam.c,
      modules/http2/h2_config.c, modules/http2/h2_config.h,
      modules/http2/h2_h2.c, modules/http2/h2_headers.c,
      modules/http2/h2_headers.h, modules/http2/h2_mplx.c,
      modules/http2/h2_request.c, modules/http2/h2_stream.h,
      modules/http2/h2_task.c, modules/http2/h2_task.h,
      modules/http2/h2_version.h.
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: DoS in mod_proxy_uwsgi
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
      generic worker in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2021-36160
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438

 -- Marc Deslauriers <email address hidden> Thu, 23 Sep 2021 12:58:57 -0400

CVE-2021-33193 A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. Th
CVE-2021-34798 Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.
CVE-2021-36160 A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Ser
CVE-2021-39275 ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but t
CVE-2021-40438 A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP

Version: 2.4.41-4ubuntu3.4 2021-07-15 18:06:29 UTC

  apache2 (2.4.41-4ubuntu3.4) focal; urgency=medium

  * d/p/lp-1930430-Backport-r1865740.patch: fix OCSP in proxy mode
    (LP: #1930430)

 -- Christian Ehrhardt <email address hidden> Mon, 05 Jul 2021 09:16:56 +0200

1930430 Apache2 Certificate Chain Verification within Proxy not Working after dist-upgrade to focal

Version: 2.4.41-4ubuntu3.3 2021-06-21 15:06:34 UTC

  apache2 (2.4.41-4ubuntu3.3) focal-security; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641
  * This update does _not_ include the changes from 2.4.41-4ubuntu3.2 in
    focal-proposed.

 -- Marc Deslauriers <email address hidden> Thu, 17 Jun 2021 14:27:53 -0400

CVE-2020-13950 Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using bot
CVE-2020-35452 Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of thi
CVE-2021-26690 Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash,
CVE-2021-26691 In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow
CVE-2021-30641 Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'