UbuntuUpdates.org

Package "apache2"

Name: apache2

Description:

Apache HTTP Server

Latest version: 2.4.7-1ubuntu4.22
Release: trusty (14.04)
Level: security
Repository: main
Homepage: http://httpd.apache.org/

Other versions of "apache2" in Trusty

Repository  Area       Version
base        main       2.4.7-1ubuntu4
base        universe   1:2.4.7-1ubuntu4
security    universe   1:2.4.7-1ubuntu4.22
updates     universe   1:2.4.7-1ubuntu4.22
updates     main       2.4.7-1ubuntu4.22
backports   universe   1:2.4.10-1ubuntu1.1~ubuntu14.04.2
backports   main       2.4.10-1ubuntu1.1~ubuntu14.04.2

Changelog

Version: 2.4.7-1ubuntu4.15 2017-05-09 17:06:29 UTC

  apache2 (2.4.7-1ubuntu4.15) trusty-security; urgency=medium

  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session
      data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in
      modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via
    incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in
      include/http_core.h, include/http_protocol.h, include/httpd.h,
      modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
      server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname
      restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
    may introduce compatibility issues with clients that do not strictly
    follow specifications. A new configuration directive,
    "HttpProtocolOptions Unsafe" can be used to re-enable some of the less
    strict parsing restrictions, at the expense of security.

 -- Marc Deslauriers <email address hidden> Fri, 05 May 2017 12:52:21 -0400

CVE-2016-0736 Padding Oracle in Apache mod_session_crypto
CVE-2016-2161 DoS vulnerability in mod_auth_digest
CVE-2016-8743 Apache HTTP Request Parsing Whitespace Defects

Version: 2.4.7-1ubuntu4.13 2016-07-18 19:06:48 UTC

  apache2 (2.4.7-1ubuntu4.13) trusty-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

 -- Marc Deslauriers <email address hidden> Thu, 14 Jul 2016 08:40:55 -0400


Version: 2.4.7-1ubuntu4.5 2015-07-27 18:07:33 UTC

  apache2 (2.4.7-1ubuntu4.5) trusty-security; urgency=medium

  * SECURITY UPDATE: request smuggling via chunked transfer encoding
    - debian/patches/CVE-2015-3183.patch: refactor chunk parsing in
      modules/http/http_filters.c.
    - CVE-2015-3183
  * SECURITY UPDATE: access restriction bypass via deprecated API
    - debian/patches/CVE-2015-3185.patch: deprecate old API and add new one
      in include/http_request.h, server/request.c.
    - CVE-2015-3185

 -- Marc Deslauriers Fri, 24 Jul 2015 12:44:36 -0400

CVE-2015-3183 The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attacke
CVE-2015-3185 The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may b

Version: 2.4.7-1ubuntu4.4 2015-03-10 16:06:34 UTC

  apache2 (2.4.7-1ubuntu4.4) trusty-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c.
    - CVE-2013-5704
  * SECURITY UPDATE: mod_cache denial of service via empty HTTP
    Content-Type header
    - debian/patches/CVE-2014-3581.patch: check for NULL in
      modules/cache/cache_util.c.
    - CVE-2014-3581

 -- Marc Deslauriers <email address hidden> Tue, 10 Mar 2015 07:42:50 -0400

1425141 mod_headers CVE-2013-5704
CVE-2013-5704 The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the
CVE-2014-3581 The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote atta

Version: 2.4.7-1ubuntu4.1 2014-07-23 21:07:43 UTC

  apache2 (2.4.7-1ubuntu4.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service in mod_proxy
    - debian/patches/CVE-2014-0117.patch: also skip over semicolons in
      modules/proxy/proxy_util.c.
    - CVE-2014-0117
  * SECURITY UPDATE: resource consumption via mod_deflate body
    decompression
    - debian/patches/CVE-2014-0118.patch: added new configuration options
      DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and
      DeflateInflateRatioBurst in modules/filters/mod_deflate.c.
    - CVE-2014-0118
  * SECURITY UPDATE: denial of service via race in mod_status
    - debian/patches/CVE-2014-0226.patch: fix race by adding
      ap_copy_scoreboard_worker() to include/scoreboard.h,
      modules/generators/mod_status.c, modules/lua/lua_request.c,
      server/scoreboard.c.
    - CVE-2014-0226
  * SECURITY UPDATE: denial of service in mod_cgid
    - debian/patches/CVE-2014-0231.patch: added new configuration option
      CGIDScriptTimeout in modules/generators/mod_cgid.c.
    - CVE-2014-0231

 -- Marc Deslauriers <email address hidden> Mon, 21 Jul 2014 15:46:10 -0400

CVE-2014-0117 The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, ...
CVE-2014-0118 The deflate_in_filter function in mod_deflate.c in the mod_deflate ...
CVE-2014-0226 Race condition in the mod_status module in the Apache HTTP Server ...
CVE-2014-0231 The mod_cgid module in the Apache HTTP Server before 2.4.10 does not ...
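The changelog entries above introduce several hardening directives (HttpProtocolOptions for CVE-2016-8743, MergeTrailers for CVE-2013-5704, the DeflateInflate* limits for CVE-2014-0118 and CGIDScriptTimeout for CVE-2014-0231). The following is an added example of how a trusty administrator might set them in a server-wide configuration fragment; it is not part of the Ubuntu package or the page, and the numeric limits are illustrative values chosen for the example, not defaults taken from the page.

```apache
# Added example: explicit hardening settings for the directives introduced by
# the trusty apache2 security updates listed in the changelog above.
# Drop into e.g. /etc/apache2/conf-available/ and enable with a2enconf.

# CVE-2016-8743: keep the strict RFC 7230 request grammar enforced by the
# 2.4.7-1ubuntu4.15 update. The weaker setting the changelog warns about is
#   HttpProtocolOptions Unsafe
# which re-allows the loose parsing behind the response-splitting issue.
HttpProtocolOptions Strict

# CVE-2013-5704: trailers are no longer merged into request headers by
# default; setting this to "on" restores the old behaviour and lets a trailer
# override headers a "RequestHeader unset" rule removed. Keep it off.
MergeTrailers off

# CVE-2014-0118: bound the work mod_deflate does when inflating request
# bodies. Illustrative values: cap inflated bodies at 10 MiB, refuse streams
# whose inflate ratio exceeds 200:1 for more than 3 consecutive reads.
<IfModule mod_deflate.c>
    DeflateInflateLimitRequestBody 10485760
    DeflateInflateRatioLimit 200
    DeflateInflateRatioBurst 3
</IfModule>

# CVE-2014-0231: stop a CGI script that never reads its stdin from tying up
# a mod_cgid daemon slot indefinitely. Illustrative value: 60 seconds.
<IfModule mod_cgid.c>
    CGIDScriptTimeout 60
</IfModule>
```

Run `apache2ctl configtest` after enabling the fragment; on a server still at a version older than the update that introduced a directive, the unknown directive will fail the configuration test rather than be silently ignored.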