Package "apache2"

Name: apache2


This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • Apache HTTP Server configurable suexec program for mod_suexec
  • Apache HTTP Server standard suexec program for mod_suexec
  • transitional package
  • transitional package

Latest version: 2.4.41-4ubuntu3.3
Release: focal (20.04)
Level: security
Repository: universe


Other versions of "apache2" in Focal

Repository Area Version
base main 2.4.41-4ubuntu3
base universe 2.4.41-4ubuntu3
security main 2.4.41-4ubuntu3.3
updates main 2.4.41-4ubuntu3.4
updates universe 2.4.41-4ubuntu3.4

Packages in group

Deleted packages are displayed in grey.


Version: 2.4.41-4ubuntu3.3 2021-06-21 15:06:37 UTC

  apache2 (2.4.41-4ubuntu3.3) focal-security; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
    - CVE-2021-30641
  * This update does _not_ include the changes from 2.4.41-4ubuntu3.2 in

 -- Marc Deslauriers <email address hidden> Thu, 17 Jun 2021 14:27:53 -0400

Source diff to previous version
CVE-2020-13950 Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using bot
CVE-2020-35452 Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of thi
CVE-2021-26690 Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash,
CVE-2021-26691 In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow
CVE-2021-30641 Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

Version: 2.4.41-4ubuntu3.1 2020-08-13 16:07:31 UTC

  apache2 (2.4.41-4ubuntu3.1) focal-security; urgency=medium

  * SECURITY UPDATE: mod_rewrite redirect issue
    - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
      in include/ap_regex.h, server/core.c, server/util_pcre.c.
    - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
      opt-out of pcre defaults in include/ap_regex.h,
      modules/filters/mod_substitute.c, server/util_pcre.c,
    - CVE-2020-1927
  * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
    - debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
    - CVE-2020-1934
  * SECURITY UPDATE: DoS via invalid Cache-Digest header
    - debian/patches/CVE-2020-9490.patch: remove support for abandoned
      http-wg draft in modules/http2/h2_push.c, modules/http2/h2_push.h.
    - CVE-2020-9490
  * SECURITY UPDATE: mod_proxy_uwsgi info disclosure and possible RCE
    - debian/patches/CVE-2020-11984.patch: error out on HTTP header larger
      than 16K in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2020-11984
  * SECURITY UPDATE: concurrent use of memory pools in HTTP/2 module
    - debian/patches/CVE-2020-11993-pre1.patch: fixed rare cases where a h2
      worker could deadlock the main connection in modules/http2/*.
    - debian/patches/CVE-2020-11993.patch: fix logging and rename
      terminology in modules/http2/*.
    - CVE-2020-11993

 -- Marc Deslauriers <email address hidden> Wed, 12 Aug 2020 15:46:17 -0400

CVE-2020-1927 In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded new
CVE-2020-1934 In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.
CVE-2020-9490 Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash whe
CVE-2020-11984 Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
CVE-2020-11993 Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging stateme

About   -   Send Feedback to @ubuntu_updates