UbuntuUpdates.org

Package "apache2"

Name: apache2

Description:

Apache HTTP Server

Latest version: 2.4.29-1ubuntu4.8
Release: bionic (18.04)
Level: updates
Repository: main
Homepage: http://httpd.apache.org/

Other versions of "apache2" in Bionic

Repository  Area      Version
base        main      2.4.29-1ubuntu4
base        universe  2.4.29-1ubuntu4
security    universe  2.4.29-1ubuntu4.6
security    main      2.4.29-1ubuntu4.6
updates     universe  2.4.29-1ubuntu4.8

Changelog

Version: 2.4.29-1ubuntu4.8 2019-07-19 00:07:09 UTC

  apache2 (2.4.29-1ubuntu4.8) bionic; urgency=medium

  * d/p/ssl-read-rc-value-openssl-1.1.1.patch: Handle SSL_read() return code 0
    similarly to <0 with openssl 1.1.1
  * d/p/clear-retry-flags-before-abort.patch: clear retry flags before
    aborting on client-initiated reneg (LP: #1836329)

 -- Andreas Hasenack <email address hidden> Tue, 16 Jul 2019 15:14:45 -0300

LP #1836329: Regression running ssllabs.com/ssltest causes 2 apache processes to eat up 100% CPU, easy DoS

Version: 2.4.29-1ubuntu4.7 2019-07-11 11:06:24 UTC

  apache2 (2.4.29-1ubuntu4.7) bionic; urgency=medium

  * d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
    authentication when built with openssl 1.1.1 (LP: #1833039)

 -- Andreas Hasenack <email address hidden> Fri, 28 Jun 2019 13:49:35 -0300

LP #1833039: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

Version: 2.4.29-1ubuntu4.6 2019-04-04 17:07:28 UTC

  apache2 (2.4.29-1ubuntu4.6) bionic-security; urgency=medium

  * SECURITY UPDATE: slowloris DoS in mod_http2
    - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
      slave connections in modules/http2/h2_conn.c.
    - CVE-2018-17189
  * SECURITY UPDATE: mod_session expiry time issue
    - debian/patches/CVE-2018-17199.patch: always decode session attributes
      early in modules/session/mod_session.c.
    - CVE-2018-17199
  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentanglement of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistency
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

 -- Marc Deslauriers <email address hidden> Wed, 03 Apr 2019 09:22:37 -0400

CVE-2018-17189 In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unn
CVE-2018-17199 In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expir
CVE-2019-0196 mod_http2, read-after-free on a string compare
CVE-2019-0211 Apache HTTP Server privilege escalation from modules' scripts
CVE-2019-0217 mod_auth_digest access control bypass
CVE-2019-0220 Apache httpd URL normalization inconsistency

Version: 2.4.29-1ubuntu4.5 2018-11-26 10:06:50 UTC

  apache2 (2.4.29-1ubuntu4.5) bionic; urgency=medium

  * d/debhelper/apache2-maintscript-helper: fix typo in apache2_switch_mpm()'s
    a2query call. (LP: #1782806)

 -- Andreas Hasenack <email address hidden> Wed, 10 Oct 2018 15:59:25 -0300

LP #1782806: Typo in apache2-maintscript-helper causes MPM check to misfire

Version: 2.4.29-1ubuntu4.4 2018-10-03 20:07:10 UTC

  apache2 (2.4.29-1ubuntu4.4) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS in HTTP/2 via NULL pointer
    - debian/patches/CVE-2018-1302.patch: remove obsolete stream detach
      code in modules/http2/h2_bucket_beam.c, modules/http2/h2_stream.c,
      modules/http2/h2_stream.h.
    - CVE-2018-1302
  * SECURITY UPDATE: DoS in HTTP/2 via worker exhaustion
    - debian/patches/CVE-2018-1333.patch: always wake up any conditional
      waits when streams are aborted in modules/http2/h2_bucket_beam.c.
    - CVE-2018-1333
  * SECURITY UPDATE: DoS in HTTP/2 via large SETTINGS frames
    - debian/patches/CVE-2018-11763.patch: rework connection IO event
      handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
      modules/http2/h2_version.h.
    - CVE-2018-11763

 -- Marc Deslauriers <email address hidden> Wed, 03 Oct 2018 10:41:08 -0400

CVE-2018-1302 When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially
CVE-2018-1333 By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of serv
CVE-2018-11763 In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time wit
