UbuntuUpdates.org

Package "apache2"

Name: apache2

Description:

This package is just an umbrella for a group of other packages; it has no description.
Description samples from packages in group:

  • transitional itk MPM package for apache2
  • transitional package for apache2-suexec-pristine
  • Apache HTTP Server configurable suexec program for mod_suexec
  • Apache HTTP Server standard suexec program for mod_suexec

Latest version: 1:2.4.7-1ubuntu4.22
Release: trusty (14.04)
Level: updates
Repository: universe

Other versions of "apache2" in Trusty

Repository  Area      Version
base        main      2.4.7-1ubuntu4
base        universe  1:2.4.7-1ubuntu4
security    main      2.4.7-1ubuntu4.22
security    universe  1:2.4.7-1ubuntu4.22
updates     main      2.4.7-1ubuntu4.22
backports   universe  1:2.4.10-1ubuntu1.1~ubuntu14.04.2
backports   main      2.4.10-1ubuntu1.1~ubuntu14.04.2

Changelog

Version: 1:2.4.7-1ubuntu4.17 2017-07-27 19:06:47 UTC

  apache2 (2.4.7-1ubuntu4.17) trusty-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in
      modules/aaa/mod_auth_digest.c.
    - CVE-2017-9788

 -- Marc Deslauriers <email address hidden> Thu, 27 Jul 2017 10:34:31 -0400

CVE-2017-9788 In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or

Version: 1:2.4.7-1ubuntu4.16 2017-06-26 18:06:46 UTC

  apache2 (2.4.7-1ubuntu4.16) trusty-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

 -- Marc Deslauriers <email address hidden> Mon, 26 Jun 2017 08:04:58 -0400

CVE-2017-3167 In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication p
CVE-2017-3169 In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_con
CVE-2017-7668 The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to searc
CVE-2017-7679 In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Typ

Version: 1:2.4.7-1ubuntu4.15 2017-05-09 18:06:38 UTC

  apache2 (2.4.7-1ubuntu4.15) trusty-security; urgency=medium

  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session
      data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in
      modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via
    incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in
      include/http_core.h, include/http_protocol.h, include/httpd.h,
      modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
      server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname
      restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
    may introduce compatibility issues with clients that do not strictly
    follow specifications. A new configuration directive,
    "HttpProtocolOptions Unsafe" can be used to re-enable some of the less
    strict parsing restrictions, at the expense of security.

 -- Marc Deslauriers <email address hidden> Fri, 05 May 2017 12:52:21 -0400

CVE-2016-0736 Padding Oracle in Apache mod_session_crypto
CVE-2016-2161 DoS vulnerability in mod_auth_digest
CVE-2016-8743 Apache HTTP Request Parsing Whitespace Defects

Version: 1:2.4.7-1ubuntu4.13 2016-07-18 21:07:54 UTC

  apache2 (2.4.7-1ubuntu4.13) trusty-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387
  * This update does _not_ contain the changes from (2.4.7-1ubuntu4.12) in
    trusty-proposed.

 -- Marc Deslauriers <email address hidden> Thu, 14 Jul 2016 08:40:55 -0400


Version: 1:2.4.7-1ubuntu4.11 2016-07-12 09:07:08 UTC

  apache2 (2.4.7-1ubuntu4.11) trusty; urgency=medium

  * Fix hang until proxy timeout for Proxy responses with error status and
    "ProxyErrorOverride On" being set (LP: #1495988).

 -- Christian Ehrhardt <email address hidden> Tue, 07 Jun 2016 16:28:05 +0200

1495988 ProxyErrorOverride leads to slow 404 responses


