UbuntuUpdates.org

Package "apache2"

Name: apache2

Description:

Apache HTTP Server

Latest version: 2.4.41-4ubuntu3.21
Release: focal (20.04)
Level: updates
Repository: main
Homepage: https://httpd.apache.org/

Links


Download "apache2"


Other versions of "apache2" in Focal

Repository Area Version
base main 2.4.41-4ubuntu3
base universe 2.4.41-4ubuntu3
security universe 2.4.41-4ubuntu3.21
security main 2.4.41-4ubuntu3.21
updates universe 2.4.41-4ubuntu3.21
proposed universe 2.4.41-4ubuntu3.22
proposed main 2.4.41-4ubuntu3.22

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2.4.41-4ubuntu3.15 2023-11-22 17:07:00 UTC

  apache2 (2.4.41-4ubuntu3.15) focal-security; urgency=medium

  * SECURITY UPDATE: mod_macro buffer over-read
    - debian/patches/CVE-2023-31122.patch: fix length in
      modules/core/mod_macro.c.
    - CVE-2023-31122
  * SECURITY UPDATE: Multiple issues in HTTP/2
    - CVE-2023-43622: DoS in HTTP/2 with initial windows size 0
    - CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST
    - debian/tests/run-test-suite: run with HARNESS_VERBOSE=1.
    - debian/patches/update_tests.patch: backport tests from jammy's
      2.4.52 to improve test coverage.
    - debian/patches/update_http2.patch: backport version 2.0.22 of
      mod_http2 from httpd 2.4.58.
    - CVE-2023-43622
    - CVE-2023-45802

 -- Marc Deslauriers <email address hidden> Thu, 26 Oct 2023 09:54:09 -0400

Source diff to previous version

Version: 2.4.41-4ubuntu3.14 2023-03-09 17:06:59 UTC

  apache2 (2.4.41-4ubuntu3.14) focal-security; urgency=medium

  * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
    - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query
      strings in modules/http2/mod_proxy_http2.c,
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c,
      modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c,
      modules/proxy/mod_proxy_wstunnel.c.
    - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in
      modules/http2/mod_proxy_http2.c.
    - CVE-2023-25690
  * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
    - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response
      parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2023-27522

 -- Marc Deslauriers <email address hidden> Wed, 08 Mar 2023 12:32:54 -0500

Source diff to previous version
CVE-2023-25690 Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected
CVE-2023-27522 HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. S

Version: 2.4.41-4ubuntu3.13 2023-02-01 16:09:33 UTC

  apache2 (2.4.41-4ubuntu3.13) focal-security; urgency=medium

  * SECURITY UPDATE: DoS via crafted If header in mod_dav
    - debian/patches/CVE-2006-20001.patch: fix error path for "Not" prefix
      parsing in modules/dav/main/util.c.
    - CVE-2006-20001
  * SECURITY UPDATE: request smuggling in mod_proxy_ajp
    - debian/patches/CVE-2022-36760.patch: cleanup on error in
      modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-36760
  * SECURITY UPDATE: response header truncation issue
    - debian/patches/CVE-2022-37436.patch: fail on bad header in
      modules/proxy/mod_proxy_http.c, server/protocol.c.
    - CVE-2022-37436

 -- Marc Deslauriers <email address hidden> Mon, 23 Jan 2023 13:36:09 -0500

Source diff to previous version
CVE-2006-20001 A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header va
CVE-2022-36760 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to sm
CVE-2022-37436 Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorpo

Version: 2.4.41-4ubuntu3.12 2022-06-21 16:06:27 UTC

  apache2 (2.4.41-4ubuntu3.12) focal-security; urgency=medium

  * SECURITY UPDATE: HTTP Request Smuggling
    - debian/patches/CVE-2022-26377.patch: changing
      precedence between T-E and C-L in modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-26377
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28614.patch: handle large
      writes in ap_rputs.
      in server/util.c.
    - CVE-2022-28614
  * SECURITY UPDATE: Read beyond bounds
    - debian/patches/CVE-2022-28615.patch: fix types
      in server/util.c.
    - CVE-2022-28615
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-29404.patch: cast first
      in modules/lua/lua_request.c.
    - CVE-2022-29404
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-30522.patch: limit mod_sed
      memory use in modules/filters/mod_sec.c,
      modules/filters/sed1.c.
    - CVE-2022-30522
  * SECURITY UPDATE: Returning point past of the buffer
    - debian/patches/CVE-2022-30556.patch: use filters consistently
      in modules/lua/lua_request.c.
    - CVE-2022-30556
  * SECURITY UPDATE: Bypass IP authentication
    - debian/patches/CVE-2022-31813.patch: to clear
      hop-by-hop first and fixup last in modules/proxy/proxy_util.c.
    - CVE-2022-31813

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 14 Jun 2022 10:30:55 -0300

Source diff to previous version
CVE-2022-26377 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to sm
CVE-2022-28614 The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very larg
CVE-2022-28615 Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extrem
CVE-2022-29404 In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no defau
CVE-2022-30522 If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may m
CVE-2022-30556 Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the
CVE-2022-31813 Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop m

Version: 2.4.41-4ubuntu3.11 2022-05-30 11:06:21 UTC

  apache2 (2.4.41-4ubuntu3.11) focal; urgency=medium

  * d/p/mod_http2-Don-t-send-GOAWAY-too-early-when-MaxReques.patch:
    Don't send GOAWAY too early on new connections when
    MaxRequestsPerChild has been reached. (LP: #1969629)

 -- Sergio Durigan Junior <email address hidden> Tue, 26 Apr 2022 14:02:11 -0400

1969629 Apache 2.4.x: mod_http2 sends empty response after MaxRequestsPerChild



About   -   Send Feedback to @ubuntu_updates