UbuntuUpdates.org

Package "apache2"

Name: apache2

Description:

Apache HTTP Server
Latest version: 2.4.66-2ubuntu2.1
Release: resolute (26.04)
Level: updates
Repository: main
Homepage: https://httpd.apache.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "apache2"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "apache2" in Resolute

Repository Area Version
base universe 2.4.66-2ubuntu2
base main 2.4.66-2ubuntu2
security main 2.4.66-2ubuntu2.1
security universe 2.4.66-2ubuntu2.1
updates universe 2.4.66-2ubuntu2.1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2.4.66-2ubuntu2.1 2026-05-06 21:08:07 UTC

  apache2 (2.4.66-2ubuntu2.1) resolute-security; urgency=medium

  * SECURITY UPDATE: http2: double free and possible RCE on early reset
    - debian/patches/CVE-2026-23918.patch: update to version 2.0.37 in
      changes-entries/h2_v2.0.37.txt, modules/http2/h2_mplx.c,
      modules/http2/h2_version.h.
    - debian/patches/CVE-2026-23918-2.patch: source sync to v2.0.38 in changes-
      entries/h2_v2.0.38.txt, modules/http2/h2_c1.c, modules/http2/h2_c2.c,
      modules/http2/h2_c2_filter.c, modules/http2/h2_mplx.c,
      modules/http2/h2_proxy_session.c, modules/http2/h2_proxy_util.c,
      modules/http2/h2_session.c, modules/http2/h2_util.h,
      modules/http2/h2_version.h, modules/http2/h2_workers.c,
      modules/http2/h2_ws.c, modules/http2/h2_ws.h, test/clients/h2ws.c,
      test/modules/http2/test_800_websockets.py.
    - debian/patches/CVE-2026-23918-3.patch: update to v2.0.39 in changes-
      entries/h2_v2.0.39.txt, modules/http2/h2_session.c,
      modules/http2/h2_version.h.
    - CVE-2026-23918
  * SECURITY UPDATE: mod_rewrite elevation of privileges via ap_expr
    - debian/patches/CVE-2026-24072.patch: use AP_EXPR_FLAG_RESTRICTED in
      htaccess in modules/mappers/mod_rewrite.c,
      modules/metadata/mod_setenvif.c, modules/proxy/mod_proxy_fcgi.c.
    - CVE-2026-24072
  * SECURITY UPDATE: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()
    - debian/patches/CVE-2026-28780.patch: fix ajp_msg_check_header check in
      modules/proxy/ajp_msg.c.
    - CVE-2026-28780
  * SECURITY UPDATE: mod_md unrestricted OCSP response
    - debian/patches/CVE-2026-29168.patch: add ocsp limits in
      modules/md/md_ocsp.c.
    - CVE-2026-29168
  * SECURITY UPDATE: mod_dav_lock indirect lock crash
    - debian/patches/CVE-2026-29169.patch: use the right dav_lock_discovery in
      modules/dav/lock/locks.c.
    - CVE-2026-29169
  * SECURITY UPDATE: mod_auth_digest timing attack
    - debian/patches/CVE-2026-33006-1.patch: use apr_crypto_equals in
      configure.in, modules/aaa/mod_auth_digest.c.
    - debian/patches/CVE-2026-33006-2.patch: add ap_*_timingsafe() constant-
      time comparison functions in configure.in, include/ap_mmn.h,
      include/httpd.h, modules/aaa/mod_auth_digest.c,
      modules/session/mod_session_crypto.c, server/util.c.
    - CVE-2026-33006
  * SECURITY UPDATE: mod_authn_socache crash
    - debian/patches/CVE-2026-33007.patch: validate URL earlier in
      modules/aaa/mod_authn_socache.c.
    - CVE-2026-33007
  * SECURITY UPDATE: HTTP response splitting forwarding malicious status line
    - debian/patches/CVE-2026-33523.patch: scan outgoing status line for
      newlines and controls in modules/http/http_filters.c.
    - CVE-2026-33523
  * SECURITY UPDATE: Off-by-one OOB reads in AJP getter functions
    - debian/patches/CVE-2026-33857.patch: fix length checks in AJP msg_get
      functions in modules/proxy/ajp_msg.c.
    - CVE-2026-33857
  * SECURITY UPDATE: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing
    Null-Termination Check (ajp_msg_get_string)
    - debian/patches/CVE-2026-34032.patch: fix ajp_msg_get_string buffer checks
      in modules/proxy/ajp_msg.c.
    - CVE-2026-34032
  * SECURITY UPDATE: mod_proxy_ajp: Heap Over-Read and memory disclosure in
    ajp_parse_data()
    - debian/patches/CVE-2026-34059.patch: fix ajp_parse_data message len check
      in modules/proxy/ajp_header.c.
    - CVE-2026-34059

 -- Marc Deslauriers <email address hidden> Tue, 05 May 2026 09:04:33 -0400
CVE-2026-23918 Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are
CVE-2026-24072 An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges
CVE-2026-28780 Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server
CVE-2026-29168 Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data. This issue affects Apache
CVE-2026-29169 A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious reques
CVE-2026-33006 A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recomm
CVE-2026-33007 A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child p
CVE-2026-33523 HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apach
CVE-2026-33857 Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recomme
CVE-2026-34032 Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are
CVE-2026-34059 Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to ve


About   -   Send Feedback to @ubuntu_updates