Package "apache2"

Name:	apache2
Description:	This package is just an umbrella for a group of other packages, it has no description. Description samples from packages in group: Apache HTTP Server configurable suexec program for mod_suexec Apache HTTP Server standard suexec program for mod_suexec transitional package transitional package
Latest version:	2.4.52-1ubuntu4.16
Release:	jammy (22.04)
Level:	updates
Repository:	universe

Links

Raw Package Information

All versions of this package

Bug fixes

List of files in package

Repository home page

Other versions of "apache2" in Jammy

Repository	Area	Version
base	main	2.4.52-1ubuntu4
base	universe	2.4.52-1ubuntu4
security	main	2.4.52-1ubuntu4.16
security	universe	2.4.52-1ubuntu4.16
updates	main	2.4.52-1ubuntu4.16

Packages in group

Deleted packages are displayed in grey.

Changelog

Version: 2.4.52-1ubuntu4.11 2024-07-11 23:07:16 UTC

apache2 (2.4.52-1ubuntu4.11) jammy-security; urgency=medium * SECURITY REGRESSION: regression when proxying http2 (LP: #2072648) - debian/patches/CVE-2024-38477-2.patch: restart from the original URL on reconnect in modules/http2/mod_proxy_http2.c. -- Marc Deslauriers <email address hidden> Thu, 11 Jul 2024 08:20:46 -0400

Source diff to previous version

2072648	Regression in Apache 2.4.52-1ubuntu4.10 causes intermittent errors in mod_proxy_http2 backend
CVE-2024-38477	null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users

Version: 2.4.52-1ubuntu4.10 2024-07-08 20:07:21 UTC

apache2 (2.4.52-1ubuntu4.10) jammy-security; urgency=medium * SECURITY UPDATE: null pointer dereference when serving WebSocket protocol upgrades over a HTTP/2 - debian/patches/CVE-2024-36387.patch: early exit if bb is null in modules/http2/h2_c2.c. - CVE-2024-36387 * SECURITY UPDATE: encoding problem in mod_proxy - debian/patches/CVE-2024-38473-1.patch: escape for non-proxypass configuration in modules/proxy/mod_proxy.c. - debian/patches/CVE-2024-38473-2.patch: fixup UDS filename for mod_proxy called through r->handler in modules/proxy/mod_proxy.c, modules/proxy/mod_proxy.h, modules/proxy/proxy_util.c. - debian/patches/CVE-2024-38473-3.patch: block inadvertent subst of special filenames in modules/mappers/mod_rewrite.c. - debian/patches/CVE-2024-38473-4.patch: fix comparison of local path on Windows in modules/mappers/mod_rewrite.c. - debian/patches/CVE-2024-38473-5.patch: factor out IS_SLASH, perdir fix in include/httpd.h, modules/mappers/mod_rewrite.c, server/util.c. - CVE-2024-38473 * SECURITY UPDATE: Substitution encoding issue in mod_rewrite - debian/patches/CVE-2024-38474_5.patch: tighten up prefix_stat and %3f handling in modules/mappers/mod_rewrite.c. - CVE-2024-38474 * SECURITY UPDATE: Improper escaping of output in mod_rewrite - Included in CVE-2024-38474_5.patch. - CVE-2024-38475 * SECURITY UPDATE: information disclosure, SSRF or local script execution - debian/patches/CVE-2024-38476.patch: add ap_set_content_type_ex to differentiate trusted sources in include/http_protocol.h, include/httpd.h, modules/http/http_protocol.c, modules/http/mod_mime.c, modules/mappers/mod_actions.c, modules/mappers/mod_negotiation.c, modules/mappers/mod_rewrite.c, modules/metadata/mod_headers.c, modules/metadata/mod_mime_magic.c, server/config.c, server/core.c. - CVE-2024-38476 * SECURITY UPDATE: null pointer dereference in mod_proxy - debian/patches/CVE-2024-38477.patch: validate hostname in modules/proxy/proxy_util.c. - CVE-2024-38477 * SECURITY UPDATE: Potential SSRF in mod_rewrite - Fixed by patches in previous CVEs. - CVE-2024-39573 * SECURITY UPDATE: source code disclosure with handlers configured via AddType - debian/patches/CVE-2024-39884.patch: maintain trusted flag in modules/cluster/mod_heartmonitor.c, modules/dav/main/mod_dav.c, modules/examples/mod_example_hooks.c, modules/filters/mod_data.c, modules/filters/mod_include.c, modules/filters/mod_proxy_html.c, modules/generators/mod_cgi.c, modules/generators/mod_cgid.c, modules/generators/mod_info.c, modules/generators/mod_status.c, modules/http/http_filters.c, modules/http/http_protocol.c, modules/http/http_request.c, modules/ldap/util_ldap.c, modules/mappers/mod_imagemap.c, modules/proxy/mod_proxy_balancer.c. - CVE-2024-39884 -- Marc Deslauriers <email address hidden> Thu, 04 Jul 2024 07:56:21 -0400

Source diff to previous version

CVE-2024-36387	Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, de
CVE-2024-38473	Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, po
CVE-2024-38474	Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by th
CVE-2024-38475	Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are p
CVE-2024-38476	Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend a
CVE-2024-38477	null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users
CVE-2024-39573	Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to
CVE-2024-39884	A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and si

Version: 2.4.52-1ubuntu4.9 2024-04-11 19:06:56 UTC

apache2 (2.4.52-1ubuntu4.9) jammy-security; urgency=medium * SECURITY UPDATE: HTTP response splitting - debian/patches/CVE-2023-38709.patch: header validation after content-* are eval'ed in modules/http/http_filters.c. - CVE-2023-38709 * SECURITY UPDATE: HTTP Response Splitting in multiple modules - debian/patches/CVE-2024-24795.patch: let httpd handle CL/TE for non-http handlers in include/util_script.h, modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c, modules/generators/mod_cgid.c, modules/http/http_filters.c, modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c, modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c. - CVE-2024-24795 * SECURITY UPDATE: HTTP/2 DoS by memory exhaustion on endless continuation frames - debian/patches/CVE-2024-27316.patch: bail after too many failed reads in modules/http2/h2_session.c, modules/http2/h2_stream.c, modules/http2/h2_stream.h. - CVE-2024-27316 -- Marc Deslauriers <email address hidden> Wed, 10 Apr 2024 13:45:18 -0400

Source diff to previous version

CVE-2023-38709	Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects
CVE-2024-24795	HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applicat
CVE-2024-27316	HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client do

Version: 2.4.52-1ubuntu4.8 2024-03-13 09:06:55 UTC

apache2 (2.4.52-1ubuntu4.8) jammy; urgency=medium * d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add dolphin and Konqueror/5 careful redirection so that directories can be deleted via webdav. (LP: #1927742) -- Bryce Harrington <email address hidden> Tue, 16 Jan 2024 19:00:18 -0800

Source diff to previous version

1927742

dolphin in focal can't delete webdav directories running on focal's apache

Version: 2.4.52-1ubuntu4.7 2023-11-22 17:07:06 UTC

Version: 2.4.52-1ubuntu4.7	2023-11-22 17:07:06 UTC
apache2 (2.4.52-1ubuntu4.7) jammy-security; urgency=medium * SECURITY UPDATE: mod_macro buffer over-read - debian/patches/CVE-2023-31122.patch: fix length in modules/core/mod_macro.c. - CVE-2023-31122 * SECURITY UPDATE: Multiple issues in HTTP/2 - CVE-2023-43622: DoS in HTTP/2 with initial windows size 0 - CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST - debian/patches/update_http2.patch: backport version 2.0.22 of mod_http2 from httpd 2.4.58. - CVE-2023-43622 - CVE-2023-45802 -- Marc Deslauriers <email address hidden> Thu, 26 Oct 2023 09:44:44 -0400

apache2 (2.4.52-1ubuntu4.7) jammy-security; urgency=medium * SECURITY UPDATE: mod_macro buffer over-read - debian/patches/CVE-2023-31122.patch: fix length in modules/core/mod_macro.c. - CVE-2023-31122 * SECURITY UPDATE: Multiple issues in HTTP/2 - CVE-2023-43622: DoS in HTTP/2 with initial windows size 0 - CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST - debian/patches/update_http2.patch: backport version 2.0.22 of mod_http2 from httpd 2.4.58. - CVE-2023-43622 - CVE-2023-45802 -- Marc Deslauriers <email address hidden> Thu, 26 Oct 2023 09:44:44 -0400

About - Send Feedback to @ubuntu_updates

Package "apache2"

Links

Other versions of "apache2" in Jammy

Packages in group

Changelog

Share this page

Bookmarks

Latest updates

updates

proposed

PPA updates