UbuntuUpdates.org

Package "apache2"

Name: apache2

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • Apache HTTP Server configurable suexec program for mod_suexec
  • Apache HTTP Server standard suexec program for mod_suexec
  • transitional package
  • transitional package
Latest version: 2.4.58-1ubuntu8.12
Release: noble (24.04)
Level: security
Repository: universe

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Other versions of "apache2" in Noble

Repository Area Version
base universe 2.4.58-1ubuntu8
base main 2.4.58-1ubuntu8
security main 2.4.58-1ubuntu8.12
updates universe 2.4.58-1ubuntu8.12
updates main 2.4.58-1ubuntu8.12

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2.4.58-1ubuntu8.12 2026-05-06 21:08:01 UTC

  apache2 (2.4.58-1ubuntu8.12) noble-security; urgency=medium

  * SECURITY UPDATE: http2: double free and possible RCE on early reset
    - debian/patches/CVE-2026-23918.patch: prevent double purge of a stream,
      resulting in a double free in modules/http2/h2_mplx.c.
    - CVE-2026-23918
  * SECURITY UPDATE: mod_rewrite elevation of privileges via ap_expr
    - debian/patches/CVE-2026-24072.patch: use AP_EXPR_FLAG_RESTRICTED in
      htaccess in modules/mappers/mod_rewrite.c,
      modules/metadata/mod_setenvif.c, modules/proxy/mod_proxy_fcgi.c.
    - CVE-2026-24072
  * SECURITY UPDATE: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()
    - debian/patches/CVE-2026-28780.patch: fix ajp_msg_check_header check in
      modules/proxy/ajp_msg.c.
    - CVE-2026-28780
  * SECURITY UPDATE: mod_md unrestricted OCSP response
    - debian/patches/CVE-2026-29168.patch: add ocsp limits in
      modules/md/md_ocsp.c.
    - CVE-2026-29168
  * SECURITY UPDATE: mod_dav_lock indirect lock crash
    - debian/patches/CVE-2026-29169.patch: use the right dav_lock_discovery in
      modules/dav/lock/locks.c.
    - CVE-2026-29169
  * SECURITY UPDATE: mod_auth_digest timing attack
    - debian/patches/CVE-2026-33006-1.patch: use apr_crypto_equals in
      configure.in, modules/aaa/mod_auth_digest.c.
    - debian/patches/CVE-2026-33006-2.patch: add ap_*_timingsafe() constant-
      time comparison functions in configure.in, include/httpd.h,
      modules/aaa/mod_auth_digest.c, modules/session/mod_session_crypto.c,
      server/util.c.
    - CVE-2026-33006
  * SECURITY UPDATE: mod_authn_socache crash
    - debian/patches/CVE-2026-33007.patch: validate URL earlier in
      modules/aaa/mod_authn_socache.c.
    - CVE-2026-33007
  * SECURITY UPDATE: HTTP response splitting forwarding malicious status line
    - debian/patches/CVE-2026-33523.patch: scan outgoing status line for
      newlines and controls in modules/http/http_filters.c.
    - CVE-2026-33523
  * SECURITY UPDATE: Off-by-one OOB reads in AJP getter functions
    - debian/patches/CVE-2026-33857.patch: fix length checks in AJP msg_get
      functions in modules/proxy/ajp_msg.c.
    - CVE-2026-33857
  * SECURITY UPDATE: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing
    Null-Termination Check (ajp_msg_get_string)
    - debian/patches/CVE-2026-34032.patch: fix ajp_msg_get_string buffer checks
      in modules/proxy/ajp_msg.c.
    - CVE-2026-34032
  * SECURITY UPDATE: mod_proxy_ajp: Heap Over-Read and memory disclosure in
    ajp_parse_data()
    - debian/patches/CVE-2026-34059.patch: fix ajp_parse_data message len check
      in modules/proxy/ajp_header.c.
    - CVE-2026-34059

 -- Marc Deslauriers <email address hidden> Tue, 05 May 2026 09:22:45 -0400
Source diff to previous version
CVE-2026-23918 Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are
CVE-2026-24072 An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges
CVE-2026-28780 Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server
CVE-2026-29168 Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data. This issue affects Apache
CVE-2026-29169 A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious reques
CVE-2026-33006 A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recomm
CVE-2026-33007 A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child p
CVE-2026-33523 HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apach
CVE-2026-33857 Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recomme
CVE-2026-34032 Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are
CVE-2026-34059 Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to ve

Version: 2.4.58-1ubuntu8.11 2026-03-09 14:08:11 UTC

  apache2 (2.4.58-1ubuntu8.11) noble-security; urgency=medium

  * SECURITY REGRESSION: mod_md setting MDStapleOthers is ignored breaking
    OCSP for some domains (LP: 2142766)
    - debian/patches/CVE-2025-55753-3.patch: update mod_md to version
      2.6.7 which fixes a regression in MDStapleOthers.

 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2026 12:31:54 -0500
Source diff to previous version
CVE-2025-55753 An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the bac

Version: 2.4.58-1ubuntu8.10 2026-01-19 19:15:42 UTC

  apache2 (2.4.58-1ubuntu8.10) noble-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in the case of failed ACME
    certificate renewal
    - debian/patches/CVE-2025-55753.patch: update mod_md to version
      2.6.6 in modules/md/*
    - CVE-2025-55753
  * SECURITY UPDATE: Server Side Includes adds query string to #exec cmd=
    - debian/patches/CVE-2025-58098.patch: don't pass args for SSI request
      in modules/generators/mod_cgid.c.
    - CVE-2025-58098
  * SECURITY UPDATE: CGI environment variable override
    - debian/patches/CVE-2025-65082.patch: envvars from HTTP headers low
      precedence in server/util_script.c.
    - CVE-2025-65082
  * SECURITY UPDATE: mod_userdir+suexec bypass via AllowOverride FileInfo
    - debian/patches/CVE-2025-66200.patch: don't use request notes for
      suexec in modules/mappers/mod_userdir.c,
      modules/metadata/mod_headers.c.
    - CVE-2025-66200
  * SECURITY REGRESSION: Misdirected Request error (LP: #2117112)
    - debian/patches/CVE-2025-23048-regression.patch: add SSLVHostSNIPolicy
      directive to set the compatibility level required for VirtualHost
      matching in modules/ssl/*.
    - debian/patches/CVE-2025-23048-regression-2.patch: fix handling of
      STRICT mode in modules/ssl/ssl_engine_kernel.c.

 -- Marc Deslauriers <email address hidden> Tue, 09 Dec 2025 10:50:28 -0500
Source diff to previous version
2117112 421 Misdirected Request: apache2 regression
CVE-2025-55753 An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the bac
CVE-2025-58098 Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to
CVE-2025-65082 Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache co
CVE-2025-66200 mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in hta
CVE-2025-23048 In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3

Version: 2.4.58-1ubuntu8.8 2025-08-13 20:07:10 UTC

  apache2 (2.4.58-1ubuntu8.8) noble-security; urgency=medium

  * SECURITY REGRESSION: Removing duplicated lines
    - debian/patches/CVE-2024-38474-regression.patch: (LP: #2119395)

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 11 Aug 2025 08:10:09 -0300
Source diff to previous version
2119395 CVE-2024-38474-regression.patch add an extra call to do_expand()
CVE-2024-38474 Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by th

Version: 2.4.58-1ubuntu8.7 2025-07-16 20:07:32 UTC

  apache2 (2.4.58-1ubuntu8.7) noble-security; urgency=medium

  * SECURITY UPDATE: HTTP response splitting
    - debian/patches/CVE-2024-42516.patch: fix header merging in
      modules/http/http_filters.c.
    - CVE-2024-42516
  * SECURITY UPDATE: SSRF with mod_headers setting Content-Type header
    - debian/patches/CVE-2024-43204-pre1.patch: avoid ap_set_content_type
      when processing a _Request_Header set|edit|unset Content-Type in
      modules/metadata/mod_headers.c.
    - debian/patches/CVE-2024-43204.patch: use header only in
      modules/metadata/mod_headers.c.
    - CVE-2024-43204
  * SECURITY UPDATE: mod_ssl error log variable escaping
    - debian/patches/CVE-2024-47252.patch: escape ssl vars in
      modules/ssl/ssl_engine_vars.c.
    - CVE-2024-47252
  * SECURITY UPDATE: mod_ssl access control bypass with session resumption
    - debian/patches/CVE-2025-23048.patch: update SNI validation in
      modules/ssl/ssl_engine_kernel.c.
    - CVE-2025-23048
  * SECURITY UPDATE: mod_proxy_http2 denial of service
    - debian/patches/CVE-2025-49630.patch: tolerate missing host header in
      h2 proxy in modules/http2/h2_proxy_session.c.
    - CVE-2025-49630
  * SECURITY UPDATE: mod_ssl TLS upgrade attack
    - debian/patches/CVE-2025-49812.patch: remove antiquated 'SSLEngine
      optional' TLS upgrade in modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
      modules/ssl/ssl_private.h.
    - CVE-2025-49812
  * SECURITY UPDATE:
    - debian/patches/CVE-2025-53020.patch: improve h2 header error handling
      in modules/http2/h2_request.c, modules/http2/h2_request.h,
      modules/http2/h2_session.c, modules/http2/h2_session.h,
      modules/http2/h2_stream.c, modules/http2/h2_util.c,
      modules/http2/h2_util.h,
      test/modules/http2/test_200_header_invalid.py.
    - CVE-2025-53020

 -- Marc Deslauriers <email address hidden> Mon, 14 Jul 2025 12:22:22 -0400
CVE-2024-42516 HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hos
CVE-2024-43204 SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.  Requires an
CVE-2024-47252 Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape c
CVE-2025-23048 In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3
CVE-2025-49630 In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untruste
CVE-2025-49812 In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker
CVE-2025-53020 Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63


About   -   Send Feedback to @ubuntu_updates