UbuntuUpdates.org

Package "apache2"

Name: apache2

Description:

Apache HTTP Server

Latest version: 2.4.38-2ubuntu2.3
Release: disco (19.04)
Level: security
Repository: main
Homepage: https://httpd.apache.org/

Links

Save this URL for the latest version of "apache2": https://www.ubuntuupdates.org/apache2


Download "apache2"


Other versions of "apache2" in Disco

Repository Area Version
base main 2.4.38-2ubuntu2
base universe 2.4.38-2ubuntu2
security universe 2.4.38-2ubuntu2.3
updates main 2.4.38-2ubuntu2.3
updates universe 2.4.38-2ubuntu2.3

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2.4.38-2ubuntu2.3 2019-09-17 13:06:23 UTC

  apache2 (2.4.38-2ubuntu2.3) disco-security; urgency=medium

  * SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

 -- Steve Beattie <email address hidden> Mon, 16 Sep 2019 05:36:25 -0700

Source diff to previous version
1842701 Apache2 Balancer Manager mod_proxy_balancer not working after Update
CVE-2019-10092 Limited cross-site scripting in mod_proxy

Version: 2.4.38-2ubuntu2.2 2019-08-29 22:06:27 UTC

  apache2 (2.4.38-2ubuntu2.2) disco-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0001-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: mod_remoteip: Stack buffer overflow and NULL
    pointer dereference.
    - d/p/CVE-2019-10097.patch: add better sanity checks.
    - CVE-2019-10097
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092-1
  * SECURITY UPDATE: mod_rewrite potential open redirect
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches

 -- Steve Beattie <email address hidden> Mon, 26 Aug 2019 06:31:40 -0700

1840188 Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco
CVE-2019-9517 Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens th
CVE-2019-0197 A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https
CVE-2019-10081 HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing r
CVE-2019-10082 mod_http2, read-after-free in h2 connection shutdown
CVE-2019-10097 mod_remoteip stack buffer overflow and NULL pointer dereference
CVE-2019-10092 Limited cross-site scripting in mod_proxy
CVE-2019-10098 mod_rewrite configurations vulnerable to open redirect



About   -   Send Feedback to @ubuntu_updates