Package "apache2-utils"
| Name: |
apache2-utils
|
Description: |
Apache HTTP Server (utility programs for web servers)
|
| Latest version: |
2.4.58-1ubuntu8.10 |
| Release: |
noble (24.04) |
| Level: |
updates |
| Repository: |
main |
| Head package: |
apache2 |
| Homepage: |
https://httpd.apache.org/ |
Links
Download "apache2-utils"
Other versions of "apache2-utils" in Noble
Changelog
|
apache2 (2.4.58-1ubuntu8.10) noble-security; urgency=medium
* SECURITY UPDATE: Integer overflow in the case of failed ACME
certificate renewal
- debian/patches/CVE-2025-55753.patch: update mod_md to version
2.6.6 in modules/md/*
- CVE-2025-55753
* SECURITY UPDATE: Server Side Includes adds query string to #exec cmd=
- debian/patches/CVE-2025-58098.patch: don't pass args for SSI request
in modules/generators/mod_cgid.c.
- CVE-2025-58098
* SECURITY UPDATE: CGI environment variable override
- debian/patches/CVE-2025-65082.patch: envvars from HTTP headers low
precedence in server/util_script.c.
- CVE-2025-65082
* SECURITY UPDATE: mod_userdir+suexec bypass via AllowOverride FileInfo
- debian/patches/CVE-2025-66200.patch: don't use request notes for
suexec in modules/mappers/mod_userdir.c,
modules/metadata/mod_headers.c.
- CVE-2025-66200
* SECURITY REGRESSION: Misdirected Request error (LP: #2117112)
- debian/patches/CVE-2025-23048-regression.patch: add SSLVHostSNIPolicy
directive to set the compatibility level required for VirtualHost
matching in modules/ssl/*.
- debian/patches/CVE-2025-23048-regression-2.patch: fix handling of
STRICT mode in modules/ssl/ssl_engine_kernel.c.
-- Marc Deslauriers <email address hidden> Tue, 09 Dec 2025 10:50:28 -0500
|
| Source diff to previous version |
| 2117112 |
421 Misdirected Request: apache2 regression |
| CVE-2025-55753 |
An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the bac |
| CVE-2025-58098 |
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to |
| CVE-2025-65082 |
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache co |
| CVE-2025-66200 |
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in hta |
| CVE-2025-23048 |
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 |
|
|
apache2 (2.4.58-1ubuntu8.8) noble-security; urgency=medium
* SECURITY REGRESSION: Removing duplicated lines
- debian/patches/CVE-2024-38474-regression.patch: (LP: #2119395)
-- Leonidas Da Silva Barbosa <email address hidden> Mon, 11 Aug 2025 08:10:09 -0300
|
| Source diff to previous version |
| 2119395 |
CVE-2024-38474-regression.patch add an extra call to do_expand() |
| CVE-2024-38474 |
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by th |
|
|
apache2 (2.4.58-1ubuntu8.7) noble-security; urgency=medium
* SECURITY UPDATE: HTTP response splitting
- debian/patches/CVE-2024-42516.patch: fix header merging in
modules/http/http_filters.c.
- CVE-2024-42516
* SECURITY UPDATE: SSRF with mod_headers setting Content-Type header
- debian/patches/CVE-2024-43204-pre1.patch: avoid ap_set_content_type
when processing a _Request_Header set|edit|unset Content-Type in
modules/metadata/mod_headers.c.
- debian/patches/CVE-2024-43204.patch: use header only in
modules/metadata/mod_headers.c.
- CVE-2024-43204
* SECURITY UPDATE: mod_ssl error log variable escaping
- debian/patches/CVE-2024-47252.patch: escape ssl vars in
modules/ssl/ssl_engine_vars.c.
- CVE-2024-47252
* SECURITY UPDATE: mod_ssl access control bypass with session resumption
- debian/patches/CVE-2025-23048.patch: update SNI validation in
modules/ssl/ssl_engine_kernel.c.
- CVE-2025-23048
* SECURITY UPDATE: mod_proxy_http2 denial of service
- debian/patches/CVE-2025-49630.patch: tolerate missing host header in
h2 proxy in modules/http2/h2_proxy_session.c.
- CVE-2025-49630
* SECURITY UPDATE: mod_ssl TLS upgrade attack
- debian/patches/CVE-2025-49812.patch: remove antiquated 'SSLEngine
optional' TLS upgrade in modules/ssl/ssl_engine_config.c,
modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
modules/ssl/ssl_private.h.
- CVE-2025-49812
* SECURITY UPDATE:
- debian/patches/CVE-2025-53020.patch: improve h2 header error handling
in modules/http2/h2_request.c, modules/http2/h2_request.h,
modules/http2/h2_session.c, modules/http2/h2_session.h,
modules/http2/h2_stream.c, modules/http2/h2_util.c,
modules/http2/h2_util.h,
test/modules/http2/test_200_header_invalid.py.
- CVE-2025-53020
-- Marc Deslauriers <email address hidden> Mon, 14 Jul 2025 12:22:22 -0400
|
| Source diff to previous version |
| CVE-2024-42516 |
HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hos |
| CVE-2024-43204 |
SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an |
| CVE-2024-47252 |
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape c |
| CVE-2025-23048 |
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 |
| CVE-2025-49630 |
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untruste |
| CVE-2025-49812 |
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker |
| CVE-2025-53020 |
Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63 |
|
|
apache2 (2.4.58-1ubuntu8.6) noble-security; urgency=medium
* SECURITY REGRESSION: Better question mark tracking
- debian/patches/CVE-2024-38474-regression.patch: improve
previous patch allowing to avoid [UnsafeAllow3F] for most
cases in modules/mappers/mod_rewrite.c (LP: #2103723).
-- Leonidas Da Silva Barbosa <email address hidden> Thu, 03 Apr 2025 11:36:49 -0300
|
| Source diff to previous version |
| 2103723 |
Fix for CVE-2024-38474 also blocks %3f in appended query strings |
| CVE-2024-38474 |
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by th |
|
|
apache2 (2.4.58-1ubuntu8.5) noble; urgency=medium
* SRU: LP: #2083480: No-change rebuild to disable frame pointers on
ppc64el and s390x.
-- Matthias Klose <email address hidden> Wed, 02 Oct 2024 14:40:51 +0200
|
About
-
Send Feedback to @ubuntu_updates
