Package "apache2"

Name: apache2


Apache HTTP Server

Latest version: 2.4.46-1ubuntu1.2
Release: groovy (20.10)
Level: updates
Repository: main
Homepage: https://httpd.apache.org/


Download "apache2"

Other versions of "apache2" in Groovy

Repository Area Version
base universe 2.4.46-1ubuntu1
base main 2.4.46-1ubuntu1
security main 2.4.46-1ubuntu1.2
security universe 2.4.46-1ubuntu1.2
updates universe 2.4.46-1ubuntu1.2

Packages in group

Deleted packages are displayed in grey.


Version: 2.4.46-1ubuntu1.2 2021-06-21 15:06:40 UTC

  apache2 (2.4.46-1ubuntu1.2) groovy-security; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
    - CVE-2021-30641
  * This update does _not_ include the changes from 2.4.46-1ubuntu1.1 in

 -- Marc Deslauriers <email address hidden> Thu, 17 Jun 2021 13:45:11 -0400

CVE-2020-13950 Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using bot
CVE-2020-35452 Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of thi
CVE-2021-26690 Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash,
CVE-2021-26691 In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow
CVE-2021-30641 Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

About   -   Send Feedback to @ubuntu_updates