UbuntuUpdates.org

Package "apache2"

Name: apache2

Description:

Apache HTTP Server
Latest version: 2.4.29-1ubuntu4.14
Release: bionic (18.04)
Level: security
Repository: main
Homepage: http://httpd.apache.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "apache2"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "apache2" in Bionic

Repository Area Version
base main 2.4.29-1ubuntu4
base universe 2.4.29-1ubuntu4
security universe 2.4.29-1ubuntu4.14
updates universe 2.4.29-1ubuntu4.14
updates main 2.4.29-1ubuntu4.14
proposed universe 2.4.29-1ubuntu4.15
proposed main 2.4.29-1ubuntu4.15

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2.4.29-1ubuntu4.14 2020-08-13 16:07:25 UTC

  apache2 (2.4.29-1ubuntu4.14) bionic-security; urgency=medium

  * SECURITY UPDATE: mod_rewrite redirect issue
    - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
      in include/ap_regex.h, server/core.c, server/util_pcre.c.
    - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
      opt-out of pcre defaults in include/ap_regex.h,
      modules/filters/mod_substitute.c, server/util_pcre.c,
      server/util_regex.c.
    - CVE-2020-1927
  * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
    - debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
      modules/proxy/mod_proxy_ftp.c.
    - CVE-2020-1934
  * SECURITY UPDATE: DoS via invalid Cache-Digest header
    - debian/patches/CVE-2020-9490.patch: remove support for abandoned
      http-wg draft in modules/http2/h2_push.c, modules/http2/h2_push.h.
    - CVE-2020-9490
  * SECURITY UPDATE: concurrent use of memory pools in HTTP/2 module
    - debian/patches/CVE-2020-11993-pre1.patch: fixed rare cases where a h2
      worker could deadlock the main connection in modules/http2/*.
    - debian/patches/CVE-2020-11993.patch: fix logging and rename
      terminology in modules/http2/*.
    - CVE-2020-11993

 -- Marc Deslauriers <email address hidden> Wed, 12 Aug 2020 17:33:25 -0400
Source diff to previous version
CVE-2020-1927 In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded new
CVE-2020-1934 In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.
CVE-2020-9490 Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash whe
CVE-2020-11993 Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging stateme

Version: 2.4.29-1ubuntu4.13 2020-03-18 15:06:37 UTC

  apache2 (2.4.29-1ubuntu4.13) bionic-security; urgency=medium

  * Add additional missing commits to TLSv1.3 support. (LP: #1867223)
    - debian/patches/tlsv1.3-support-2.patch: fix whitespace and copy/paste
      typos in modules/ssl/ssl_engine_kernel.c.
    - debian/patches/tlsv1.3-support-3.patch: fail with 403 if
      SSL_verify_client_post_handshake fails in
      modules/ssl/ssl_engine_kernel.c.
    - debian/patches/tlsv1.3-support-4.patch: disable AUTO_RETRY mode for
      OpenSSL 1.1.1, which fixes post-handshake authentication in
      modules/ssl/ssl_engine_init.c.
    - debian/patches/tlsv1.3-support-5.patch: retrieve and set
      sslconn->client_cert here for both "modern" and classic access
      control in modules/ssl/ssl_engine_kernel.c.

 -- Marc Deslauriers <email address hidden> Fri, 13 Mar 2020 08:26:16 -0400
Source diff to previous version
1867223 REMOTE_USER environmental variable not set for TLSv1.3 connections

Version: 2.4.29-1ubuntu4.11 2019-09-17 13:06:21 UTC

  apache2 (2.4.29-1ubuntu4.11) bionic-security; urgency=medium

  * SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

 -- Steve Beattie <email address hidden> Mon, 16 Sep 2019 05:58:48 -0700
Source diff to previous version
1842701 Apache2 Balancer Manager mod_proxy_balancer not working after Update
CVE-2019-10092 Limited cross-site scripting in mod_proxy

Version: 2.4.29-1ubuntu4.10 2019-08-29 22:06:24 UTC

  apache2 (2.4.29-1ubuntu4.10) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092-1
  * SECURITY UPDATE: mod_rewrite potential open redirect.
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches
    - dropped the following patches included above:
      + d/p/CVE-2018-1302.patch
      + d/p/CVE-2018-1333.patch
      + d/p/CVE-2018-11763.patch
      + d/p/CVE-2018-17189.patch
      + d/p/CVE-2019-0196.patch

 -- Steve Beattie <email address hidden> Mon, 26 Aug 2019 06:41:23 -0700
Source diff to previous version
1840188 Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco
CVE-2019-9517 Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens th
CVE-2019-0197 A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https
CVE-2019-10081 HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing r
CVE-2019-10082 mod_http2, read-after-free in h2 connection shutdown
CVE-2019-10092 Limited cross-site scripting in mod_proxy
CVE-2019-10098 mod_rewrite configurations vulnerable to open redirect
CVE-2018-1302 When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially
CVE-2018-1333 By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of serv
CVE-2018-11763 In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time wit
CVE-2018-17189 In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unn
CVE-2019-0196 mod_http2, read-after-free on a string compare

Version: 2.4.29-1ubuntu4.6 2019-04-04 16:06:56 UTC

  apache2 (2.4.29-1ubuntu4.6) bionic-security; urgency=medium

  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

 -- Marc Deslauriers <email address hidden> Wed, 03 Apr 2019 09:22:37 -0400
CVE-2018-17189 In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unn
CVE-2018-17199 In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expir
CVE-2019-0196 mod_http2, read-after-free on a string compare
CVE-2019-0211 Apache HTTP Server privilege escalation from modules' scripts
CVE-2019-0217 mod_auth_digest access control bypass
CVE-2019-0220 Apache httpd URL normalization inconsistincy


About   -   Send Feedback to @ubuntu_updates