UbuntuUpdates.org

Package "apache2"

Name: apache2

Description:

Apache HTTP Server metapackage

Latest version: 2.2.22-1ubuntu1.15
Release: precise (12.04)
Level: security
Repository: main
Homepage: http://httpd.apache.org/

Other versions of "apache2" in Precise

Repository Area Version
base main 2.2.22-1ubuntu1
base universe 2.2.22-1ubuntu1
security universe 2.2.22-1ubuntu1.15
updates main 2.2.22-1ubuntu1.15
updates universe 2.2.22-1ubuntu1.15

Changelog

Version: 2.2.22-1ubuntu1.15 2021-05-03 14:07:13 UTC

  apache2 (2.2.22-1ubuntu1.15) precise-security; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
    - debian/patches/CVE-2017-15710.patch: fix language long names
      detection as short name in modules/aaa/mod_authnz_ldap.c.
    - CVE-2017-15710
  * SECURITY UPDATE: DoS via specially-crafted request
    - debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
      terminated on any error, not only on buffer full in
      server/protocol.c.
    - CVE-2018-1301
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312-*.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 09 Apr 2019 12:48:30 -0300

CVE-2017-15710 In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-La
CVE-2018-1301 A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is re
CVE-2018-1312 In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly g
CVE-2019-0217 mod_auth_digest access control bypass

Version: 2.2.22-1ubuntu1.11 2016-07-18 19:06:44 UTC

  apache2 (2.2.22-1ubuntu1.11) precise-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

 -- Marc Deslauriers <email address hidden> Thu, 14 Jul 2016 08:50:27 -0400

Version: 2.2.22-1ubuntu1.10 2015-07-27 18:07:30 UTC

  apache2 (2.2.22-1ubuntu1.10) precise-security; urgency=medium

  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183

 -- Marc Deslauriers Fri, 24 Jul 2015 13:06:25 -0400

CVE-2015-3183 The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attacke

Version: 2.2.22-1ubuntu1.9 2015-06-02 13:07:09 UTC

  apache2 (2.2.22-1ubuntu1.9) precise-security; urgency=medium

  * SECURITY IMPROVEMENT: add support for ECC keys and ECDH ciphers
    (LP: #1197884)
    - debian/patches/ecc_support.patch: add support to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_toolkit_compat.h, modules/ssl/ssl_util.c.
  * SECURITY IMPROVEMENT: add TLSv1.x options to SSLProtocol (LP: #1400473)
    - debian/patches/tls_options.patch: allow specifying later TLSv1.x
      options in modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
      modules/ssl/ssl_private.h.
  * SECURITY IMPROVEMENT: improve ephemeral key handling, including
    allowing DH parameters to be loaded from SSLCertificateFile and
    disabling EXPORT ciphers.
    - debian/patches/ephemeral_key_handling.patch: numerous improvements to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_dh.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h.

 -- Marc Deslauriers <email address hidden> Thu, 28 May 2015 12:26:50 -0400

1197884 apache2.2 SSL has no forward-secrecy: need ECDHE keys
1400473 Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0

Version: 2.2.22-1ubuntu1.8 2015-03-10 16:06:33 UTC

  apache2 (2.2.22-1ubuntu1.8) precise-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c,
      server/core.c, server/protocol.c.
    - CVE-2013-5704

 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2015 12:40:00 -0500

1425141 mod_headers CVE-2013-5704
CVE-2013-5704 The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the


