UbuntuUpdates.org

Package "apache2"

Name: apache2

Description:

Apache HTTP Server
Latest version: 2.4.54-2ubuntu1.2
Release: kinetic (22.10)
Level: security
Repository: main
Homepage: https://httpd.apache.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "apache2"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "apache2" in Kinetic

Repository Area Version
base universe 2.4.54-2ubuntu1
base main 2.4.54-2ubuntu1
security universe 2.4.54-2ubuntu1.2
updates main 2.4.54-2ubuntu1.2
updates universe 2.4.54-2ubuntu1.2

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2.4.54-2ubuntu1.2 2023-03-09 17:07:04 UTC

  apache2 (2.4.54-2ubuntu1.2) kinetic-security; urgency=medium

  * SECURITY UPDATE: HTTP request splitting with mod_rewrite and mod_proxy
    - debian/patches/CVE-2023-25690-1.patch: don't forward invalid query
      strings in modules/http2/mod_proxy_http2.c,
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy_ajp.c,
      modules/proxy/mod_proxy_balancer.c, modules/proxy/mod_proxy_http.c,
      modules/proxy/mod_proxy_wstunnel.c.
    - debian/patches/CVE-2023-25690-2.patch: Fix missing APLOGNO in
      modules/http2/mod_proxy_http2.c.
    - CVE-2023-25690
  * SECURITY UPDATE: mod_proxy_uwsgi HTTP response splitting
    - debian/patches/CVE-2023-27522.patch: stricter backend HTTP response
      parsing/validation in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2023-27522

 -- Marc Deslauriers <email address hidden> Wed, 08 Mar 2023 12:31:20 -0500
Source diff to previous version
CVE-2023-25690 Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected
CVE-2023-27522 HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. S

Version: 2.4.54-2ubuntu1.1 2023-02-01 15:07:22 UTC

  apache2 (2.4.54-2ubuntu1.1) kinetic-security; urgency=medium

  * SECURITY UPDATE: DoS via crafted If header in mod_dav
    - debian/patches/CVE-2006-20001.patch: fix error path for "Not" prefix
      parsing in modules/dav/main/util.c.
    - CVE-2006-20001
  * SECURITY UPDATE: request smuggling in mod_proxy_ajp
    - debian/patches/CVE-2022-36760.patch: cleanup on error in
      modules/proxy/mod_proxy_ajp.c.
    - CVE-2022-36760
  * SECURITY UPDATE: response header truncation issue
    - debian/patches/CVE-2022-37436.patch: fail on bad header in
      modules/proxy/mod_proxy_http.c, server/protocol.c.
    - CVE-2022-37436

 -- Marc Deslauriers <email address hidden> Mon, 23 Jan 2023 13:25:54 -0500
CVE-2006-20001 A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header va
CVE-2022-36760 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to sm
CVE-2022-37436 Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorpo


About   -   Send Feedback to @ubuntu_updates