Package "apache2-utils"
Name: |
apache2-utils
|
Description: |
Apache HTTP Server (utility programs for web servers)
|
Latest version: |
2.4.41-4ubuntu3.17 |
Release: |
focal (20.04) |
Level: |
updates |
Repository: |
main |
Head package: |
apache2 |
Homepage: |
https://httpd.apache.org/ |
Links
Download "apache2-utils"
Other versions of "apache2-utils" in Focal
Changelog
apache2 (2.4.41-4ubuntu3.17) focal-security; urgency=medium
* SECURITY UPDATE: HTTP response splitting
- debian/patches/CVE-2023-38709.patch: header validation after
content-* are eval'ed in modules/http/http_filters.c.
- CVE-2023-38709
* SECURITY UPDATE: HTTP Response Splitting in multiple modules
- debian/patches/CVE-2024-24795.patch: let httpd handle CL/TE for
non-http handlers in include/util_script.h,
modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
modules/generators/mod_cgid.c, modules/http/http_filters.c,
modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
- CVE-2024-24795
* SECURITY UPDATE: HTTP/2 DoS by memory exhaustion on endless
continuation frames
- debian/patches/CVE-2024-27316.patch: bail after too many failed reads
in modules/http2/h2_session.c, modules/http2/h2_stream.c,
modules/http2/h2_stream.h.
- CVE-2024-27316
-- Marc Deslauriers <email address hidden> Wed, 10 Apr 2024 13:46:26 -0400
|
Source diff to previous version |
CVE-2023-38709 |
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects |
CVE-2024-24795 |
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applicat |
CVE-2024-27316 |
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client do |
|
apache2 (2.4.41-4ubuntu3.16) focal; urgency=medium
* d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
dolphin and Konqueror/5 careful redirection so that directories can be
deleted via webdav.
(LP: #1927742)
-- Bryce Harrington <email address hidden> Tue, 16 Jan 2024 19:00:27 -0800
|
Source diff to previous version |
1927742 |
dolphin in focal can't delete webdav directories running on focal's apache |
|
apache2 (2.4.41-4ubuntu3.15) focal-security; urgency=medium
* SECURITY UPDATE: mod_macro buffer over-read
- debian/patches/CVE-2023-31122.patch: fix length in
modules/core/mod_macro.c.
- CVE-2023-31122
* SECURITY UPDATE: Multiple issues in HTTP/2
- CVE-2023-43622: DoS in HTTP/2 with initial windows size 0
- CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST
- debian/tests/run-test-suite: run with HARNESS_VERBOSE=1.
- debian/patches/update_tests.patch: backport tests from jammy's
2.4.52 to improve test coverage.
- debian/patches/update_http2.patch: backport version 2.0.22 of
mod_http2 from httpd 2.4.58.
- CVE-2023-43622
- CVE-2023-45802
-- Marc Deslauriers <email address hidden> Thu, 26 Oct 2023 09:54:09 -0400
|
Source diff to previous version |
apache2 (2.4.41-4ubuntu3.14) focal-security; urgency=medium
* SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
- debian/patches/CVE-2023-25690-1.patch: don't forward invalid query
strings in modules/http2/mod_proxy_http2.c,
modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c,
modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c,
modules/proxy/mod_proxy_wstunnel.c.
- debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in
modules/http2/mod_proxy_http2.c.
- CVE-2023-25690
* SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
- debian/patches/CVE-2023-27522.patch: stricter backend HTTP response
parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
- CVE-2023-27522
-- Marc Deslauriers <email address hidden> Wed, 08 Mar 2023 12:32:54 -0500
|
Source diff to previous version |
CVE-2023-25690 |
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected |
CVE-2023-27522 |
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. S |
|
apache2 (2.4.41-4ubuntu3.13) focal-security; urgency=medium
* SECURITY UPDATE: DoS via crafted If header in mod_dav
- debian/patches/CVE-2006-20001.patch: fix error path for "Not" prefix
parsing in modules/dav/main/util.c.
- CVE-2006-20001
* SECURITY UPDATE: request smuggling in mod_proxy_ajp
- debian/patches/CVE-2022-36760.patch: cleanup on error in
modules/proxy/mod_proxy_ajp.c.
- CVE-2022-36760
* SECURITY UPDATE: response header truncation issue
- debian/patches/CVE-2022-37436.patch: fail on bad header in
modules/proxy/mod_proxy_http.c, server/protocol.c.
- CVE-2022-37436
-- Marc Deslauriers <email address hidden> Mon, 23 Jan 2023 13:36:09 -0500
|
CVE-2006-20001 |
A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header va |
CVE-2022-36760 |
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to sm |
CVE-2022-37436 |
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorpo |
|
About
-
Send Feedback to @ubuntu_updates