Package "apache2"
Name: apache2
Description: Apache HTTP Server
Latest version: 2.4.29-1ubuntu4.14
Release: bionic (18.04)
Level: security
Repository: main
Homepage: http://httpd.apache.org/
Changelog
apache2 (2.4.29-1ubuntu4.14) bionic-security; urgency=medium

  * SECURITY UPDATE: mod_rewrite redirect issue
    - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
      in include/ap_regex.h, server/core.c, server/util_pcre.c.
    - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
      opt-out of pcre defaults in include/ap_regex.h,
      modules/filters/mod_substitute.c, server/util_pcre.c,
      server/util_regex.c.
    - CVE-2020-1927
  * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
    - debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
      modules/proxy/mod_proxy_ftp.c.
    - CVE-2020-1934
  * SECURITY UPDATE: DoS via invalid Cache-Digest header
    - debian/patches/CVE-2020-9490.patch: remove support for abandoned
      http-wg draft in modules/http2/h2_push.c, modules/http2/h2_push.h.
    - CVE-2020-9490
  * SECURITY UPDATE: concurrent use of memory pools in HTTP/2 module
    - debian/patches/CVE-2020-11993-pre1.patch: fixed rare cases where a h2
      worker could deadlock the main connection in modules/http2/*.
    - debian/patches/CVE-2020-11993.patch: fix logging and rename
      terminology in modules/http2/*.
    - CVE-2020-11993

 -- Marc Deslauriers <email address hidden>  Wed, 12 Aug 2020 17:33:25 -0400
CVE-2020-1927: In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded new
CVE-2020-1934: In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.
CVE-2020-9490: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash whe
CVE-2020-11993: Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging stateme

apache2 (2.4.29-1ubuntu4.13) bionic-security; urgency=medium

  * Add additional missing commits to TLSv1.3 support. (LP: #1867223)
    - debian/patches/tlsv1.3-support-2.patch: fix whitespace and copy/paste
      typos in modules/ssl/ssl_engine_kernel.c.
    - debian/patches/tlsv1.3-support-3.patch: fail with 403 if
      SSL_verify_client_post_handshake fails in
      modules/ssl/ssl_engine_kernel.c.
    - debian/patches/tlsv1.3-support-4.patch: disable AUTO_RETRY mode for
      OpenSSL 1.1.1, which fixes post-handshake authentication in
      modules/ssl/ssl_engine_init.c.
    - debian/patches/tlsv1.3-support-5.patch: retrieve and set
      sslconn->client_cert here for both "modern" and classic access
      control in modules/ssl/ssl_engine_kernel.c.

 -- Marc Deslauriers <email address hidden>  Fri, 13 Mar 2020 08:26:16 -0400
LP #1867223: REMOTE_USER environmental variable not set for TLSv1.3 connections

apache2 (2.4.29-1ubuntu4.11) bionic-security; urgency=medium

  * SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

 -- Steve Beattie <email address hidden>  Mon, 16 Sep 2019 05:58:48 -0700
LP #1842701: Apache2 Balancer Manager mod_proxy_balancer not working after Update
CVE-2019-10092: Limited cross-site scripting in mod_proxy

apache2 (2.4.29-1ubuntu4.10) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092
  * SECURITY UPDATE: mod_rewrite potential open redirect.
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches
    - dropped the following patches included above:
      + d/p/CVE-2018-1302.patch
      + d/p/CVE-2018-1333.patch
      + d/p/CVE-2018-11763.patch
      + d/p/CVE-2018-17189.patch
      + d/p/CVE-2019-0196.patch

 -- Steve Beattie <email address hidden>  Mon, 26 Aug 2019 06:41:23 -0700
LP #1840188: Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco
CVE-2019-9517: Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens th
CVE-2019-0197: A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https
CVE-2019-10081: HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing r
CVE-2019-10082: mod_http2, read-after-free in h2 connection shutdown
CVE-2019-10092: Limited cross-site scripting in mod_proxy
CVE-2019-10098: mod_rewrite configurations vulnerable to open redirect
CVE-2018-1302: When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially
CVE-2018-1333: By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of serv
CVE-2018-11763: In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time wit
CVE-2018-17189: In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unn
CVE-2019-0196: mod_http2, read-after-free on a string compare

apache2 (2.4.29-1ubuntu4.6) bionic-security; urgency=medium

  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentanglement of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistency
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

 -- Marc Deslauriers <email address hidden>  Wed, 03 Apr 2019 09:22:37 -0400
CVE-2018-17189: In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unn
CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expir
CVE-2019-0196: mod_http2, read-after-free on a string compare
CVE-2019-0211: Apache HTTP Server privilege escalation from modules' scripts
CVE-2019-0217: mod_auth_digest access control bypass
CVE-2019-0220: Apache httpd URL normalization inconsistency