UbuntuUpdates.org

Package "apache2-bin"

Name: apache2-bin

Description:

Apache HTTP Server (modules and other binary files)

Latest version: 2.4.48-3.1ubuntu3.3
Release: impish (21.10)
Level: updates
Repository: main
Head package: apache2
Homepage: https://httpd.apache.org/

Links


Download "apache2-bin"


Other versions of "apache2-bin" in Impish

Repository Area Version
base main 2.4.48-3.1ubuntu3
security main 2.4.48-3.1ubuntu3.3
proposed main 2.4.48-3.1ubuntu3.4

Changelog

Version: 2.4.48-3.1ubuntu3.3 2022-03-17 14:06:53 UTC

  apache2 (2.4.48-3.1ubuntu3.3) impish-security; urgency=medium

  * SECURITY UPDATE: OOB read in mod_lua via crafted request body
    - debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
      lua_write_body() fail in modules/lua/lua_request.c.
    - CVE-2022-22719
  * SECURITY UPDATE: HTTP Request Smuggling via error discarding the
    request body
    - debian/patches/CVE-2022-22720.patch: simpler connection close logic
      if discarding the request body fails in modules/http/http_filters.c,
      server/protocol.c.
    - CVE-2022-22720
  * SECURITY UPDATE: overflow via large LimitXMLRequestBody
    - debian/patches/CVE-2022-22721.patch: make sure and check that
      LimitXMLRequestBody fits in system memory in server/core.c,
      server/util.c, server/util_xml.c.
    - CVE-2022-22721
  * SECURITY UPDATE: out-of-bounds write in mod_sed
    - debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
      buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
      modules/filters/mod_sed.c, modules/filters/sed1.c.
    - debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
      modules/filters/mod_sed.c.
    - CVE-2022-23943

 -- Marc Deslauriers <email address hidden> Wed, 16 Mar 2022 12:46:16 -0400

Source diff to previous version
CVE-2022-22719 A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Serv
CVE-2022-22720 Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server
CVE-2022-22721 If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later ca
CVE-2022-23943 Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.

Version: 2.4.48-3.1ubuntu3.2 2022-01-06 17:06:43 UTC

  apache2 (2.4.48-3.1ubuntu3.2) impish-security; urgency=medium

  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
      uri-paths not to be forward-proxied have an http(s) scheme, and that
      the ones to be forward proxied have a hostname in
      include/http_protocol.h, modules/http/http_request.c,
      modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
      w/ no hostname in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in
      modules/lua/lua_request.c.
    - CVE-2021-44790

 -- Marc Deslauriers <email address hidden> Wed, 05 Jan 2022 09:29:15 -0500

Source diff to previous version
CVE-2021-44224 A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixi
CVE-2021-44790 A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache http

Version: 2.4.48-3.1ubuntu3.1 2021-12-02 17:06:24 UTC

  apache2 (2.4.48-3.1ubuntu3.1) impish; urgency=medium

  * Revert fix from 2.4.46-1ubuntu2, due to performance regression.
    (LP 1832182)

 -- Bryce Harrington <email address hidden> Sun, 14 Nov 2021 23:49:31 +0000




About   -   Send Feedback to @ubuntu_updates