UbuntuUpdates.org

Package "libapache2-mod-md"

Name: libapache2-mod-md

Description:

transitional package
Latest version: 2.4.52-1ubuntu4.15
Release: jammy (22.04)
Level: security
Repository: universe
Head package: apache2
Homepage: https://httpd.apache.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "libapache2-mod-md"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "libapache2-mod-md" in Jammy

Repository Area Version
base universe 2.4.52-1ubuntu4
updates universe 2.4.52-1ubuntu4.15

Changelog

Version: 2.4.52-1ubuntu4.15 2025-07-16 20:07:29 UTC

  apache2 (2.4.52-1ubuntu4.15) jammy-security; urgency=medium

  * SECURITY UPDATE: HTTP response splitting
    - debian/patches/CVE-2024-42516.patch: fix header merging in
      modules/http/http_filters.c.
    - CVE-2024-42516
  * SECURITY UPDATE: SSRF with mod_headers setting Content-Type header
    - debian/patches/CVE-2024-43204-pre1.patch: avoid ap_set_content_type
      when processing a _Request_Header set|edit|unset Content-Type in
      modules/metadata/mod_headers.c.
    - debian/patches/CVE-2024-43204.patch: use header only in
      modules/metadata/mod_headers.c.
    - CVE-2024-43204
  * SECURITY UPDATE: mod_ssl error log variable escaping
    - debian/patches/CVE-2024-47252.patch: escape ssl vars in
      modules/ssl/ssl_engine_vars.c.
    - CVE-2024-47252
  * SECURITY UPDATE: mod_ssl access control bypass with session resumption
    - debian/patches/CVE-2025-23048.patch: update SNI validation in
      modules/ssl/ssl_engine_kernel.c.
    - CVE-2025-23048
  * SECURITY UPDATE: mod_proxy_http2 denial of service
    - debian/patches/CVE-2025-49630.patch: tolerate missing host header in
      h2 proxy in modules/http2/h2_proxy_session.c.
    - CVE-2025-49630
  * SECURITY UPDATE: mod_ssl TLS upgrade attack
    - debian/patches/CVE-2025-49812.patch: remove antiquated 'SSLEngine
      optional' TLS upgrade in modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
      modules/ssl/ssl_private.h.
    - CVE-2025-49812
  * SECURITY UPDATE:
    - debian/patches/CVE-2025-53020.patch: improve h2 header error handling
      in modules/http2/h2_request.c, modules/http2/h2_request.h,
      modules/http2/h2_session.c, modules/http2/h2_session.h,
      modules/http2/h2_stream.c, modules/http2/h2_util.c,
      modules/http2/h2_util.h,
      test/modules/http2/test_200_header_invalid.py.
    - CVE-2025-53020

 -- Marc Deslauriers <email address hidden> Mon, 14 Jul 2025 12:29:02 -0400
Source diff to previous version
CVE-2024-42516 HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hos
CVE-2024-43204 SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.  Requires an
CVE-2024-47252 Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape c
CVE-2025-23048 In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3
CVE-2025-49630 In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untruste
CVE-2025-49812 In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker
CVE-2025-53020 Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63

Version: 2.4.52-1ubuntu4.14 2025-04-07 12:07:11 UTC

  apache2 (2.4.52-1ubuntu4.14) jammy-security; urgency=medium

  * SECURITY REGRESSION: Better question mark tracking
    - debian/patches/CVE-2024-38474-regression.patch: improve
      previous patch allowing to avoid [UnsafeAllow3F] for most
      cases in modules/mappers/mod_rewrite.c (LP: #2103723).

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 03 Apr 2025 06:05:48 -0300
Source diff to previous version
2103723 Fix for CVE-2024-38474 also blocks %3f in appended query strings
CVE-2024-38474 Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by th

Version: 2.4.52-1ubuntu4.12 2024-07-18 15:07:20 UTC

  apache2 (2.4.52-1ubuntu4.12) jammy-security; urgency=medium

  * SECURITY UPDATE: source code disclosure with handlers configured via
    AddType
    - debian/patches/CVE-2024-40725.patch: copy the trusted flag from the
      subrequest in modules/http/http_request.c.
    - CVE-2024-40725

 -- Marc Deslauriers <email address hidden> Wed, 17 Jul 2024 14:57:26 -0400
Source diff to previous version

Version: 2.4.52-1ubuntu4.11 2024-07-11 21:07:24 UTC

  apache2 (2.4.52-1ubuntu4.11) jammy-security; urgency=medium

  * SECURITY REGRESSION: regression when proxying http2 (LP: #2072648)
    - debian/patches/CVE-2024-38477-2.patch: restart from the original URL
      on reconnect in modules/http2/mod_proxy_http2.c.

 -- Marc Deslauriers <email address hidden> Thu, 11 Jul 2024 08:20:46 -0400
Source diff to previous version
2072648 Regression in Apache 2.4.52-1ubuntu4.10 causes intermittent errors in mod_proxy_http2 backend
CVE-2024-38477 null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users

Version: 2.4.52-1ubuntu4.10 2024-07-08 18:07:55 UTC

  apache2 (2.4.52-1ubuntu4.10) jammy-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference when serving WebSocket
    protocol upgrades over a HTTP/2
    - debian/patches/CVE-2024-36387.patch: early exit if bb is null in
      modules/http2/h2_c2.c.
    - CVE-2024-36387
  * SECURITY UPDATE: encoding problem in mod_proxy
    - debian/patches/CVE-2024-38473-1.patch: escape for non-proxypass
      configuration in modules/proxy/mod_proxy.c.
    - debian/patches/CVE-2024-38473-2.patch: fixup UDS filename for
      mod_proxy called through r->handler in modules/proxy/mod_proxy.c,
      modules/proxy/mod_proxy.h, modules/proxy/proxy_util.c.
    - debian/patches/CVE-2024-38473-3.patch: block inadvertent subst of
      special filenames in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2024-38473-4.patch: fix comparison of local path
      on Windows in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2024-38473-5.patch: factor out IS_SLASH, perdir
      fix in include/httpd.h, modules/mappers/mod_rewrite.c, server/util.c.
    - CVE-2024-38473
  * SECURITY UPDATE: Substitution encoding issue in mod_rewrite
    - debian/patches/CVE-2024-38474_5.patch: tighten up prefix_stat and %3f
      handling in modules/mappers/mod_rewrite.c.
    - CVE-2024-38474
  * SECURITY UPDATE: Improper escaping of output in mod_rewrite
    - Included in CVE-2024-38474_5.patch.
    - CVE-2024-38475
  * SECURITY UPDATE: information disclosure, SSRF or local script execution
    - debian/patches/CVE-2024-38476.patch: add ap_set_content_type_ex to
      differentiate trusted sources in include/http_protocol.h,
      include/httpd.h, modules/http/http_protocol.c,
      modules/http/mod_mime.c, modules/mappers/mod_actions.c,
      modules/mappers/mod_negotiation.c, modules/mappers/mod_rewrite.c,
      modules/metadata/mod_headers.c, modules/metadata/mod_mime_magic.c,
      server/config.c, server/core.c.
    - CVE-2024-38476
  * SECURITY UPDATE: null pointer dereference in mod_proxy
    - debian/patches/CVE-2024-38477.patch: validate hostname in
      modules/proxy/proxy_util.c.
    - CVE-2024-38477
  * SECURITY UPDATE: Potential SSRF in mod_rewrite
    - Fixed by patches in previous CVEs.
    - CVE-2024-39573
  * SECURITY UPDATE: source code disclosure with handlers configured via
    AddType
    - debian/patches/CVE-2024-39884.patch: maintain trusted flag in
      modules/cluster/mod_heartmonitor.c, modules/dav/main/mod_dav.c,
      modules/examples/mod_example_hooks.c, modules/filters/mod_data.c,
      modules/filters/mod_include.c, modules/filters/mod_proxy_html.c,
      modules/generators/mod_cgi.c, modules/generators/mod_cgid.c,
      modules/generators/mod_info.c, modules/generators/mod_status.c,
      modules/http/http_filters.c, modules/http/http_protocol.c,
      modules/http/http_request.c, modules/ldap/util_ldap.c,
      modules/mappers/mod_imagemap.c, modules/proxy/mod_proxy_balancer.c.
    - CVE-2024-39884

 -- Marc Deslauriers <email address hidden> Thu, 04 Jul 2024 07:56:21 -0400
CVE-2024-36387 Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, de
CVE-2024-38473 Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, po
CVE-2024-38474 Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by th
CVE-2024-38476 Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend a
CVE-2024-38477 null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users
CVE-2024-39573 Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to
CVE-2024-39884 A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.   "AddType" and si


About   -   Send Feedback to @ubuntu_updates