Package "apache2"
Name: |
apache2
|
Description: |
Apache HTTP Server
|
Latest version: |
2.4.18-2ubuntu3.17 |
Release: |
xenial (16.04) |
Level: |
security |
Repository: |
main |
Homepage: |
http://httpd.apache.org/ |
Links
Download "apache2"
Other versions of "apache2" in Xenial
Packages in group
Deleted packages are displayed in grey.
Changelog
apache2 (2.4.18-2ubuntu3.17) xenial-security; urgency=medium
* SECURITY UPDATE: mod_rewrite redirect issue
- debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
in include/ap_regex.h, server/core.c, server/util_pcre.c.
- debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
opt-out of pcre defaults in include/ap_regex.h,
modules/filters/mod_substitute.c, server/util_pcre.c,
server/util_regex.c.
- CVE-2020-1927
* SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
- debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
modules/proxy/mod_proxy_ftp.c.
- CVE-2020-1934
-- Marc Deslauriers <email address hidden> Wed, 12 Aug 2020 17:35:50 -0400
|
Source diff to previous version |
CVE-2020-1927 |
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded new |
CVE-2020-1934 |
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. |
|
apache2 (2.4.18-2ubuntu3.13) xenial-security; urgency=medium
* SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
browsers which change case in headers and breaks balancers
loading in some configurations (LP: #1842701)
- drop d/p/CVE-2019-10092-3.patch
-- Steve Beattie <email address hidden> Mon, 16 Sep 2019 06:13:53 -0700
|
Source diff to previous version |
1842701 |
Apache2 Balancer Manager mod_proxy_balancer not working after Update |
CVE-2019-10092 |
Limited cross-site scripting in mod_proxy |
|
apache2 (2.4.18-2ubuntu3.12) xenial-security; urgency=medium
* SECURITY UPDATE: Limited cross-site scripting in mod_proxy
error page.
- d/p/CVE-2019-10092-1.patch: Remove request details from built-in
error documents.
- d/p/CVE-2019-10092-2.patch: Add missing log numbers.
- d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
protection.
- CVE-2019-10092
* SECURITY UPDATE: mod_rewrite potential open redirect.
- d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
- CVE-2019-10098
-- Steve Beattie <email address hidden> Mon, 26 Aug 2019 06:43:29 -0700
|
Source diff to previous version |
|
apache2 (2.4.18-2ubuntu3.10) xenial-security; urgency=medium
* SECURITY UPDATE: mod_session expiry time issue
- debian/patches/CVE-2018-17199.patch: always decode session attributes
early in modules/session/mod_session.c.
- CVE-2018-17199
* SECURITY UPDATE: privilege escalation from modules' scripts
- debian/patches/CVE-2019-0211.patch: bind the bucket number of each
child to its slot number in include/scoreboard.h,
server/mpm/event/event.c, server/mpm/prefork/prefork.c,
server/mpm/worker/worker.c.
- CVE-2019-0211
* SECURITY UPDATE: mod_auth_digest access control bypass
- debian/patches/CVE-2019-0217.patch: fix a race condition in
modules/aaa/mod_auth_digest.c.
- CVE-2019-0217
* SECURITY UPDATE: URL normalization inconsistincy
- debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
the path in include/http_core.h, include/httpd.h, server/core.c,
server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
in server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
server/util.c.
- CVE-2019-0220
-- Marc Deslauriers <email address hidden> Wed, 03 Apr 2019 09:34:47 -0400
|
Source diff to previous version |
CVE-2018-17199 |
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expir |
CVE-2019-0211 |
Apache HTTP Server privilege escalation from modules' scripts |
CVE-2019-0217 |
mod_auth_digest access control bypass |
CVE-2019-0220 |
Apache httpd URL normalization inconsistincy |
|
apache2 (2.4.18-2ubuntu3.8) xenial-security; urgency=medium
* SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
- debian/patches/CVE-2017-15710.patch: fix language long names
detection as short name in modules/aaa/mod_authnz_ldap.c.
- CVE-2017-15710
* SECURITY UPDATE: incorrect <FilesMatch> matching
- debian/patches/CVE-2017-15715-pre.patch: add ap_cstr_casecmp[n]() to
include/httpd.h, server/util.c.
- debian/patches/CVE-2017-15715.patch: allow to configure
global/default options for regexes, like caseless matching or
extended format in include/ap_regex.h, server/core.c,
server/util_pcre.c.
- CVE-2017-15715
* SECURITY UPDATE: mod_session header manipulation
- debian/patches/CVE-2018-1283.patch: strip Session header when
SessionEnv is on in modules/session/mod_session.c.
- CVE-2018-1283
* SECURITY UPDATE: DoS via specially-crafted request
- debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
terminated on any error, not only on buffer full in
server/protocol.c.
- CVE-2018-1301
* SECURITY UPDATE: mod_cache_socache DoS
- debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
to carriage return in modules/cache/mod_cache_socache.c.
- CVE-2018-1303
* SECURITY UPDATE: insecure nonce generation
- debian/patches/CVE-2018-1312.patch: actually use the secret when
generating nonces in modules/aaa/mod_auth_digest.c.
- CVE-2018-1312
-- Marc Deslauriers <email address hidden> Wed, 18 Apr 2018 10:53:04 -0400
|
CVE-2017-15710 |
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-La |
CVE-2017-15715 |
In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than |
CVE-2018-1283 |
In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a r |
CVE-2018-1301 |
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is re |
CVE-2018-1303 |
A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing |
CVE-2018-1312 |
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly g |
|
About
-
Send Feedback to @ubuntu_updates