UbuntuUpdates.org

Package "apache2-dev"

Name: apache2-dev

Description:

Apache HTTP Server (development headers)

Latest version: 2.4.66-2ubuntu2.4
Release: resolute (26.04)
Level: updates
Repository: main
Head package: apache2
Homepage: https://httpd.apache.org/

Links


Download "apache2-dev"


Other versions of "apache2-dev" in Resolute

Repository Area Version
base main 2.4.66-2ubuntu2
security main 2.4.66-2ubuntu2.4

Changelog

Version: 2.4.66-2ubuntu2.4 2026-07-08 18:08:20 UTC

  apache2 (2.4.66-2ubuntu2.4) resolute-security; urgency=medium

  * SECURITY UPDATE: mod_ldap per-dir use-after-free
    - debian/patches/CVE-2026-29167.patch: Fix inheritance in per-dir context
      in modules/ldap/util_ldap.c.
    - CVE-2026-29167
  * SECURITY UPDATE: mod_proxy_ftp XSS
    - debian/patches/CVE-2026-29170.patch: Use ap_os_escape_path() with
      ap_escape_html() instead of ap_escape_uri() for href attributes in
      generated directory listing links in modules/proxy/mod_proxy_ftp.c.
    - CVE-2026-29170
  * SECURITY UPDATE: mod_proxy_html buffer overflow
    - debian/patches/CVE-2026-34355.patch: Simplify to use the ap_varbuf API
      in modules/filters/mod_proxy_html.c.
    - CVE-2026-34355
  * SECURITY UPDATE: ProxyPassReverseCookieMap buffer overflow
    - debian/patches/CVE-2026-34356.patch: fix dup path/domain in
      modules/proxy/proxy_util.c.
    - CVE-2026-34356
  * SECURITY UPDATE: mod_dav_fs protected directory access
    - debian/patches/CVE-2026-42535.patch: disallow DAV_FS_STATE_DIR in
      modules/dav/fs/repos.c.
    - CVE-2026-42535
  * SECURITY UPDATE: mod_xml2enc heap overflow
    - debian/patches/CVE-2026-42536.patch: Fix accounting in
      modules/filters/mod_xml2enc.c.
    - CVE-2026-42536
  * SECURITY UPDATE: OOB Read in 'merge_response_headers' can cause crash
    - debian/patches/CVE-2026-43951.patch: fix lang iteration in
      modules/http/http_filters.c, modules/http2/h2_c2_filter.c.
    - CVE-2026-43951
  * SECURITY UPDATE: escalation of privilege through expressions in .htaccess
    in multiple modules
    - debian/patches/CVE-2026-44119.patch: restrict per-dir file funcs
      centrally in include/ap_expr.h, modules/mappers/mod_rewrite.c,
      modules/metadata/mod_setenvif.c, modules/proxy/mod_proxy_fcgi.c,
      server/util_expr_eval.c.
    - CVE-2026-44119
  * SECURITY UPDATE: Stack Buffer Over-Read in mod_ssl OCSP 'send_request'
    - debian/patches/CVE-2026-44185.patch: Increase wbuf with the len read by
      apr_socket_send: in modules/ssl/ssl_util_ocsp.c.
    - CVE-2026-44185
  * SECURITY UPDATE: Loop in 'proxy_ftp_handler' in mod_proxy_ftp
    - debian/patches/CVE-2026-44186.patch: fix iteration in
      modules/proxy/mod_proxy_ftp.c.
    - CVE-2026-44186
  * SECURITY UPDATE: Heap Underflow in 'ap_regname' via Signed Char Overflow
    - debian/patches/CVE-2026-44631.patch: restrict to reasonable captures in
      include/ap_regex.h, modules/proxy/mod_proxy.c, server/core.c,
      server/util_pcre.c.
    - CVE-2026-44631
  * SECURITY UPDATE: mod_http2 memory corruption when file handles exhausted
    - debian/patches/CVE-2026-48913.patch: update to version 2.0.42 in
      changes-entries/h2_v2.0.40.txt, changes-entries/h2_v2.0.41.txt,
      changes-entries/h2_v2.0.42.txt, modules/http2/h2_c1_io.c,
      modules/http2/h2_c1_io.h, modules/http2/h2_config.c,
      modules/http2/h2_mplx.c, modules/http2/h2_util.c,
      modules/http2/h2_version.h.
    - debian/patches/CVE-2026-48913-2.patch: fix buffer overflow in link
      mapping in modules/http2/h2_proxy_util.c.
    - debian/patches/CVE-2026-49975.patch: removed, included in above patch.
    - CVE-2026-48913
  * Updated perl-framework tests for security changes:
    - debian/perl-framework/t/apache/expr.t
    - debian/perl-framework/t/modules/headers.t
    - https://github.com/apache/httpd-tests/commit/c45f32cd44cf15aca0253dc480fe687b2e4d76ff

 -- Marc Deslauriers <email address hidden> Mon, 06 Jul 2026 11:33:20 -0400

Source diff to previous version
CVE-2026-29167 Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration This issue affects Apache HTTP Server: from 2.4.0 th
CVE-2026-29170 A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing F
CVE-2026-34355 A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend. Users are recommended to upgra
CVE-2026-34356 Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie* This issue affects Apache
CVE-2026-42535 A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases
CVE-2026-42536 Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content This issue affects Apache HTT
CVE-2026-43951 Out-of-bounds Read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple response languages. This issue affects Apache HTTP
CVE-2026-44119 Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges
CVE-2026-44185 Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker controlled OCSP server This issue affects Apache HTTP
CVE-2026-44186 Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in Apache HTTP Server with an attacker controlled ba
CVE-2026-44631 Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: fr
CVE-2026-48913 Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted. This issue affects Apache HTTP Server:
CVE-2026-49975 Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. T

Version: 2.4.66-2ubuntu2.2 2026-06-04 21:07:46 UTC

  apache2 (2.4.66-2ubuntu2.2) resolute-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 Bomb denial of service
    - debian/patches/CVE-2026-49975.patch: fix cookie header accounting against
      LimitRequestFields in modules/http2/h2_util.c.
    - CVE-2026-49975

 -- Marc Deslauriers <email address hidden> Wed, 03 Jun 2026 11:25:00 -0400

Source diff to previous version

Version: 2.4.66-2ubuntu2.1 2026-05-06 21:08:07 UTC

  apache2 (2.4.66-2ubuntu2.1) resolute-security; urgency=medium

  * SECURITY UPDATE: http2: double free and possible RCE on early reset
    - debian/patches/CVE-2026-23918.patch: update to version 2.0.37 in
      changes-entries/h2_v2.0.37.txt, modules/http2/h2_mplx.c,
      modules/http2/h2_version.h.
    - debian/patches/CVE-2026-23918-2.patch: source sync to v2.0.38 in changes-
      entries/h2_v2.0.38.txt, modules/http2/h2_c1.c, modules/http2/h2_c2.c,
      modules/http2/h2_c2_filter.c, modules/http2/h2_mplx.c,
      modules/http2/h2_proxy_session.c, modules/http2/h2_proxy_util.c,
      modules/http2/h2_session.c, modules/http2/h2_util.h,
      modules/http2/h2_version.h, modules/http2/h2_workers.c,
      modules/http2/h2_ws.c, modules/http2/h2_ws.h, test/clients/h2ws.c,
      test/modules/http2/test_800_websockets.py.
    - debian/patches/CVE-2026-23918-3.patch: update to v2.0.39 in changes-
      entries/h2_v2.0.39.txt, modules/http2/h2_session.c,
      modules/http2/h2_version.h.
    - CVE-2026-23918
  * SECURITY UPDATE: mod_rewrite elevation of privileges via ap_expr
    - debian/patches/CVE-2026-24072.patch: use AP_EXPR_FLAG_RESTRICTED in
      htaccess in modules/mappers/mod_rewrite.c,
      modules/metadata/mod_setenvif.c, modules/proxy/mod_proxy_fcgi.c.
    - CVE-2026-24072
  * SECURITY UPDATE: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()
    - debian/patches/CVE-2026-28780.patch: fix ajp_msg_check_header check in
      modules/proxy/ajp_msg.c.
    - CVE-2026-28780
  * SECURITY UPDATE: mod_md unrestricted OCSP response
    - debian/patches/CVE-2026-29168.patch: add ocsp limits in
      modules/md/md_ocsp.c.
    - CVE-2026-29168
  * SECURITY UPDATE: mod_dav_lock indirect lock crash
    - debian/patches/CVE-2026-29169.patch: use the right dav_lock_discovery in
      modules/dav/lock/locks.c.
    - CVE-2026-29169
  * SECURITY UPDATE: mod_auth_digest timing attack
    - debian/patches/CVE-2026-33006-1.patch: use apr_crypto_equals in
      configure.in, modules/aaa/mod_auth_digest.c.
    - debian/patches/CVE-2026-33006-2.patch: add ap_*_timingsafe() constant-
      time comparison functions in configure.in, include/ap_mmn.h,
      include/httpd.h, modules/aaa/mod_auth_digest.c,
      modules/session/mod_session_crypto.c, server/util.c.
    - CVE-2026-33006
  * SECURITY UPDATE: mod_authn_socache crash
    - debian/patches/CVE-2026-33007.patch: validate URL earlier in
      modules/aaa/mod_authn_socache.c.
    - CVE-2026-33007
  * SECURITY UPDATE: HTTP response splitting forwarding malicious status line
    - debian/patches/CVE-2026-33523.patch: scan outgoing status line for
      newlines and controls in modules/http/http_filters.c.
    - CVE-2026-33523
  * SECURITY UPDATE: Off-by-one OOB reads in AJP getter functions
    - debian/patches/CVE-2026-33857.patch: fix length checks in AJP msg_get
      functions in modules/proxy/ajp_msg.c.
    - CVE-2026-33857
  * SECURITY UPDATE: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing
    Null-Termination Check (ajp_msg_get_string)
    - debian/patches/CVE-2026-34032.patch: fix ajp_msg_get_string buffer checks
      in modules/proxy/ajp_msg.c.
    - CVE-2026-34032
  * SECURITY UPDATE: mod_proxy_ajp: Heap Over-Read and memory disclosure in
    ajp_parse_data()
    - debian/patches/CVE-2026-34059.patch: fix ajp_parse_data message len check
      in modules/proxy/ajp_header.c.
    - CVE-2026-34059

 -- Marc Deslauriers <email address hidden> Tue, 05 May 2026 09:04:33 -0400

CVE-2026-23918 Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are
CVE-2026-24072 An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges
CVE-2026-28780 Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server
CVE-2026-29168 Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data. This issue affects Apache
CVE-2026-29169 A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious reques
CVE-2026-33006 A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recomm
CVE-2026-33007 A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child p
CVE-2026-33523 HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apach
CVE-2026-33857 Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recomme
CVE-2026-34032 Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are
CVE-2026-34059 Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to ve



About   -   Send Feedback to @ubuntu_updates