Package "apache2-data"

  apache2 (2.4.57-2ubuntu2.5) mantic-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference when serving WebSocket
    protocol upgrades over a HTTP/2
    - debian/patches/CVE-2024-36387.patch: early exit if bb is null in
      modules/http2/h2_c2.c.
    - CVE-2024-36387
  * SECURITY UPDATE: encoding problem in mod_proxy
    - debian/patches/CVE-2024-38473-1.patch: escape for non-proxypass
      configuration in modules/proxy/mod_proxy.c.
    - debian/patches/CVE-2024-38473-2.patch: fixup UDS filename for
      mod_proxy called through r->handler in modules/proxy/mod_proxy.c,
      modules/proxy/mod_proxy.h, modules/proxy/proxy_util.c.
    - debian/patches/CVE-2024-38473-3.patch: block inadvertent subst of
      special filenames in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2024-38473-4.patch: fix comparison of local path
      on Windows in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2024-38473-5.patch: factor out IS_SLASH, perdir
      fix in include/httpd.h, modules/mappers/mod_rewrite.c, server/util.c.
    - CVE-2024-38473
  * SECURITY UPDATE: Substitution encoding issue in mod_rewrite
    - debian/patches/CVE-2024-38474_5.patch: tighten up prefix_stat and %3f
      handling in modules/mappers/mod_rewrite.c.
    - CVE-2024-38474
  * SECURITY UPDATE: Improper escaping of output in mod_rewrite
    - Included in CVE-2024-38474_5.patch.
    - CVE-2024-38475
  * SECURITY UPDATE: information disclosure, SSRF or local script execution
    - debian/patches/CVE-2024-38476.patch: add ap_set_content_type_ex to
      differentiate trusted sources in include/http_protocol.h,
      include/httpd.h, modules/http/http_protocol.c,
      modules/http/mod_mime.c, modules/mappers/mod_actions.c,
      modules/mappers/mod_negotiation.c, modules/mappers/mod_rewrite.c,
      modules/metadata/mod_headers.c, modules/metadata/mod_mime_magic.c,
      server/config.c, server/core.c.
    - CVE-2024-38476
  * SECURITY UPDATE: null pointer dereference in mod_proxy
    - debian/patches/CVE-2024-38477.patch: validate hostname in
      modules/proxy/proxy_util.c.
    - CVE-2024-38477
  * SECURITY UPDATE: Potential SSRF in mod_rewrite
    - Fixed by patches in previous CVEs.
    - CVE-2024-39573
  * SECURITY UPDATE: source code disclosure with handlers configured via
    AddType
    - debian/patches/CVE-2024-39884.patch: maintain trusted flag in
      modules/cluster/mod_heartmonitor.c, modules/dav/main/mod_dav.c,
      modules/examples/mod_example_hooks.c, modules/filters/mod_data.c,
      modules/filters/mod_include.c, modules/filters/mod_proxy_html.c,
      modules/generators/mod_cgi.c, modules/generators/mod_cgid.c,
      modules/generators/mod_info.c, modules/generators/mod_status.c,
      modules/http/http_filters.c, modules/http/http_protocol.c,
      modules/http/http_request.c, modules/ldap/util_ldap.c,
      modules/mappers/mod_imagemap.c, modules/proxy/mod_proxy_balancer.c.
    - CVE-2024-39884

 -- Marc Deslauriers <email address hidden> Thu, 04 Jul 2024 07:51:13 -0400

  apache2 (2.4.57-2ubuntu2.4) mantic-security; urgency=medium

  * SECURITY UPDATE: HTTP response splitting
    - debian/patches/CVE-2023-38709.patch: header validation after
      content-* are eval'ed in modules/http/http_filters.c.
    - CVE-2023-38709
  * SECURITY UPDATE: HTTP Response Splitting in multiple modules
    - debian/patches/CVE-2024-24795.patch: let httpd handle CL/TE for
      non-http handlers in include/util_script.h,
      modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
      modules/generators/mod_cgid.c, modules/http/http_filters.c,
      modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
      modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2024-24795
  * SECURITY UPDATE: HTTP/2 DoS by memory exhaustion on endless
    continuation frames
    - debian/patches/CVE-2024-27316.patch: bail after too many failed reads
      in modules/http2/h2_session.c, modules/http2/h2_stream.c,
      modules/http2/h2_stream.h.
    - CVE-2024-27316

 -- Marc Deslauriers <email address hidden> Wed, 10 Apr 2024 13:41:02 -0400

  apache2 (2.4.57-2ubuntu2.1) mantic-security; urgency=medium

  * SECURITY UPDATE: mod_macro buffer over-read
    - debian/patches/CVE-2023-31122.patch: fix length in
      modules/core/mod_macro.c.
    - CVE-2023-31122
  * SECURITY UPDATE: Multiple issues in HTTP/2
    - CVE-2023-43622: DoS in HTTP/2 with initial windows size 0
    - CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST
    - debian/patches/update_http2.patch: backport version 2.0.22 of
      mod_http2 from httpd 2.4.58.
    - CVE-2023-43622
    - CVE-2023-45802

 -- Marc Deslauriers <email address hidden> Thu, 26 Oct 2023 09:28:30 -0400