UbuntuUpdates.org

Package "apache2-bin"

Name: apache2-bin

Description:

Apache HTTP Server (modules and other binary files)

Latest version: 2.4.58-1ubuntu8.7
Release: noble (24.04)
Level: updates
Repository: main
Head package: apache2
Homepage: https://httpd.apache.org/

Links


Download "apache2-bin"


Other versions of "apache2-bin" in Noble

Repository Area Version
base main 2.4.58-1ubuntu8
security main 2.4.58-1ubuntu8.7

Changelog

Version: 2.4.58-1ubuntu8.7 2025-07-16 23:07:23 UTC

  apache2 (2.4.58-1ubuntu8.7) noble-security; urgency=medium

  * SECURITY UPDATE: HTTP response splitting
    - debian/patches/CVE-2024-42516.patch: fix header merging in
      modules/http/http_filters.c.
    - CVE-2024-42516
  * SECURITY UPDATE: SSRF with mod_headers setting Content-Type header
    - debian/patches/CVE-2024-43204-pre1.patch: avoid ap_set_content_type
      when processing a _Request_Header set|edit|unset Content-Type in
      modules/metadata/mod_headers.c.
    - debian/patches/CVE-2024-43204.patch: use header only in
      modules/metadata/mod_headers.c.
    - CVE-2024-43204
  * SECURITY UPDATE: mod_ssl error log variable escaping
    - debian/patches/CVE-2024-47252.patch: escape ssl vars in
      modules/ssl/ssl_engine_vars.c.
    - CVE-2024-47252
  * SECURITY UPDATE: mod_ssl access control bypass with session resumption
    - debian/patches/CVE-2025-23048.patch: update SNI validation in
      modules/ssl/ssl_engine_kernel.c.
    - CVE-2025-23048
  * SECURITY UPDATE: mod_proxy_http2 denial of service
    - debian/patches/CVE-2025-49630.patch: tolerate missing host header in
      h2 proxy in modules/http2/h2_proxy_session.c.
    - CVE-2025-49630
  * SECURITY UPDATE: mod_ssl TLS upgrade attack
    - debian/patches/CVE-2025-49812.patch: remove antiquated 'SSLEngine
      optional' TLS upgrade in modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
      modules/ssl/ssl_private.h.
    - CVE-2025-49812
  * SECURITY UPDATE:
    - debian/patches/CVE-2025-53020.patch: improve h2 header error handling
      in modules/http2/h2_request.c, modules/http2/h2_request.h,
      modules/http2/h2_session.c, modules/http2/h2_session.h,
      modules/http2/h2_stream.c, modules/http2/h2_util.c,
      modules/http2/h2_util.h,
      test/modules/http2/test_200_header_invalid.py.
    - CVE-2025-53020

 -- Marc Deslauriers <email address hidden> Mon, 14 Jul 2025 12:22:22 -0400

Source diff to previous version
CVE-2024-42516 HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hos
CVE-2024-43204 SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.  Requires an
CVE-2024-47252 Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape c
CVE-2025-23048 In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3
CVE-2025-49630 In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untruste
CVE-2025-49812 In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker
CVE-2025-53020 Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63

Version: 2.4.58-1ubuntu8.6 2025-04-07 17:07:14 UTC

  apache2 (2.4.58-1ubuntu8.6) noble-security; urgency=medium

  * SECURITY REGRESSION: Better question mark tracking
    - debian/patches/CVE-2024-38474-regression.patch: improve
      previous patch allowing to avoid [UnsafeAllow3F] for most
      cases in modules/mappers/mod_rewrite.c (LP: #2103723).

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 03 Apr 2025 11:36:49 -0300

Source diff to previous version
2103723 Fix for CVE-2024-38474 also blocks %3f in appended query strings
CVE-2024-38474 Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by th

Version: 2.4.58-1ubuntu8.5 2024-11-14 22:06:48 UTC

  apache2 (2.4.58-1ubuntu8.5) noble; urgency=medium

  * SRU: LP: #2083480: No-change rebuild to disable frame pointers on
    ppc64el and s390x.

 -- Matthias Klose <email address hidden> Wed, 02 Oct 2024 14:40:51 +0200

Source diff to previous version

Version: 2.4.58-1ubuntu8.4 2024-07-18 16:07:12 UTC

  apache2 (2.4.58-1ubuntu8.4) noble-security; urgency=medium

  * SECURITY UPDATE: source code disclosure with handlers configured via
    AddType
    - debian/patches/CVE-2024-40725.patch: copy the trusted flag from the
      subrequest in modules/http/http_request.c.
    - CVE-2024-40725

 -- Marc Deslauriers <email address hidden> Wed, 17 Jul 2024 14:55:23 -0400

Source diff to previous version

Version: 2.4.58-1ubuntu8.3 2024-07-11 23:07:21 UTC

  apache2 (2.4.58-1ubuntu8.3) noble-security; urgency=medium

  * SECURITY REGRESSION: regression when proxying http2 (LP: #2072648)
    - debian/patches/CVE-2024-38477-2.patch: restart from the original URL
      on reconnect in modules/http2/mod_proxy_http2.c.

 -- Marc Deslauriers <email address hidden> Thu, 11 Jul 2024 10:41:54 -0400

2072648 Regression in Apache 2.4.52-1ubuntu4.10 causes intermittent errors in mod_proxy_http2 backend
CVE-2024-38477 null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users



About   -   Send Feedback to @ubuntu_updates