-
apache2 (2.4.48-3.1ubuntu3.5) impish-security; urgency=medium
* SECURITY UPDATE: HTTP Request Smuggling
- debian/patches/CVE-2022-26377.patch: changing
precedence between T-E and C-L in modules/proxy/mod_proxy_ajp.c.
- CVE-2022-26377
* SECURITY UPDATE: Read beyond bounds
- debian/patches/CVE-2022-28614.patch: handle large
writes in ap_rputs.
in server/util.c.
- CVE-2022-28614
* SECURITY UPDATE: Read beyond bounds
- debian/patches/CVE-2022-28615.patch: fix types
in server/util.c.
- CVE-2022-28615
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2022-29404.patch: cast first
in modules/lua/lua_request.c.
- CVE-2022-29404
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2022-30522.patch: limit mod_sed
memory use in modules/filters/mod_sec.c,
modules/filters/sed1.c.
- CVE-2022-30522
* SECURITY UPDATE: Returning point past of the buffer
- debian/patches/CVE-2022-30556.patch: use filters consitently
in modules/lua/lua_request.c.
- CVE-2022-30556
* SECURITY UPDATE: Bypass IP authentication
- debian/patches/CVE-2022-31813.patch: to clear
hop-by-hop first and fixup last in modules/proxy/proxy_util.c.
- CVE-2022-31813
-- Leonidas Da Silva Barbosa <email address hidden> Tue, 14 Jun 2022 09:33:28 -0300
-
apache2 (2.4.48-3.1ubuntu3.4) impish; urgency=medium
* d/p/mod_http2-Don-t-send-GOAWAY-too-early-when-MaxReques.patch:
Don't send GOAWAY too early on new connections when
MaxRequestsPerChild has been reached. (LP: #1969629)
-- Sergio Durigan Junior <email address hidden> Tue, 26 Apr 2022 15:55:37 -0400
-
apache2 (2.4.48-3.1ubuntu3.3) impish-security; urgency=medium
* SECURITY UPDATE: OOB read in mod_lua via crafted request body
- debian/patches/CVE-2022-22719.patch: error out if lua_read_body() or
lua_write_body() fail in modules/lua/lua_request.c.
- CVE-2022-22719
* SECURITY UPDATE: HTTP Request Smuggling via error discarding the
request body
- debian/patches/CVE-2022-22720.patch: simpler connection close logic
if discarding the request body fails in modules/http/http_filters.c,
server/protocol.c.
- CVE-2022-22720
* SECURITY UPDATE: overflow via large LimitXMLRequestBody
- debian/patches/CVE-2022-22721.patch: make sure and check that
LimitXMLRequestBody fits in system memory in server/core.c,
server/util.c, server/util_xml.c.
- CVE-2022-22721
* SECURITY UPDATE: out-of-bounds write in mod_sed
- debian/patches/CVE-2022-23943-1.patch: use size_t to allow for larger
buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
modules/filters/mod_sed.c, modules/filters/sed1.c.
- debian/patches/CVE-2022-23943-2.patch: improve the logic flow in
modules/filters/mod_sed.c.
- CVE-2022-23943
-- Marc Deslauriers <email address hidden> Wed, 16 Mar 2022 12:46:16 -0400
-
apache2 (2.4.48-3.1ubuntu3.2) impish-security; urgency=medium
* SECURITY UPDATE: DoS or SSRF via forward proxy
- debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
uri-paths not to be forward-proxied have an http(s) scheme, and that
the ones to be forward proxied have a hostname in
include/http_protocol.h, modules/http/http_request.c,
modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
modules/proxy/proxy_util.c, server/protocol.c.
- debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
w/ no hostname in modules/proxy/mod_proxy.c,
modules/proxy/proxy_util.c.
- CVE-2021-44224
* SECURITY UPDATE: overflow in mod_lua multipart parser
- debian/patches/CVE-2021-44790.patch: improve error handling in
modules/lua/lua_request.c.
- CVE-2021-44790
-- Marc Deslauriers <email address hidden> Wed, 05 Jan 2022 09:29:15 -0500
-
apache2 (2.4.48-3.1ubuntu3.1) impish; urgency=medium
* Revert fix from 2.4.46-1ubuntu2, due to performance regression.
(LP 1832182)
-- Bryce Harrington <email address hidden> Sun, 14 Nov 2021 23:49:31 +0000
-
apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
* SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
- debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
rules in modules/mappers/mod_rewrite.c.
- debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
hostname in modules/mappers/mod_rewrite.c,
modules/proxy/proxy_util.c.
-- Marc Deslauriers <email address hidden> Tue, 28 Sep 2021 08:52:26 -0400
-
apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium
* SECURITY UPDATE: request splitting over HTTP/2
- debian/patches/CVE-2021-33193.patch: refactor request parsing in
include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
server/core_filters.c, server/protocol.c, server/vhost.c.
- CVE-2021-33193
* SECURITY UPDATE: NULL deref via malformed requests
- debian/patches/CVE-2021-34798.patch: add NULL check in
server/scoreboard.c.
- CVE-2021-34798
* SECURITY UPDATE: DoS in mod_proxy_uwsgi
- debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
generic worker in modules/proxy/mod_proxy_uwsgi.c.
- CVE-2021-36160
* SECURITY UPDATE: buffer overflow in ap_escape_quotes
- debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
substitution logic in server/util.c.
- CVE-2021-39275
* SECURITY UPDATE: arbitrary origin server via crafted request uri-path
- debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
modules/proxy/proxy_util.c.
- debian/patches/CVE-2021-40438.patch: add sanity checks on the
configured UDS path in modules/proxy/proxy_util.c.
- CVE-2021-40438
-- Marc Deslauriers <email address hidden> Thu, 23 Sep 2021 12:51:16 -0400
-
apache2 (2.4.48-3.1ubuntu1) impish; urgency=medium
* Merge with Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles. (LP 261198)
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
(LP 609177)
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/s/include-binaries: replace Debian with Ubuntu on default
page and add Ubuntu icon file. (LP 1288690)
- d/apache2ctl: Also use systemd for graceful if it is in use.
This extends an earlier fix for the start command to behave
similarly for restart / graceful. Fixes service failures on
unattended upgrade. (LP 1832182)
- d/apache2ctl: Also use /run/systemd to check for systemd usage
(LP 1918209)
-- Bryce Harrington <email address hidden> Wed, 11 Aug 2021 20:03:24 -0700
-
apache2 (2.4.48-3ubuntu1) impish; urgency=medium
* Merge with Debian unstable. Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles. (LP: 261198)
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
(LP: 609177)
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
d/s/include-binaries: replace Debian with Ubuntu on default
page and add Ubuntu icon file. (LP: 1288690)
- d/apache2ctl: Also use systemd for graceful if it is in use.
This extends an earlier fix for the start command to behave
similarly for restart / graceful. Fixes service failures on
unattended upgrade. (LP: 1832182)
- d/apache2ctl: Also use /run/systemd to check for systemd usage
(LP: 1918209)
* Dropped:
- d/t/control, d/t/check-http2: add basic test for http2 support
[Fixed in 2.4.48-2]
- d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
[Fixed in 2.4.48-1]
- d/p/CVE-2020-13950.patch: don't dereference NULL proxy
connection in modules/proxy/mod_proxy_http.c.
[Fixed in 2.4.48 upstream]
- d/p/CVE-2020-35452.patch: fast validation of the nonce's
base64 to fail early if the format can't match anyway in
modules/aaa/mod_auth_digest.c.
[Fixed in 2.4.48 upstream]
- d/p/CVE-2021-26690.patch: save one apr_strtok() in
session_identity_decode() in modules/session/mod_session.c.
[Fixed in 2.4.48 upstream]
- d/p/CVE-2021-26691.patch: account for the '&' in
identity_concat() in modules/session/mod_session.c.
[Fixed in 2.4.48 upstream]
- d/p/CVE-2021-30641.patch: change default behavior in
server/request.c.
[Fixed in 2.4.48 upstream]
-- Bryce Harrington <email address hidden> Thu, 08 Jul 2021 03:20:46 +0000
-
apache2 (2.4.46-4ubuntu3) impish; urgency=medium
* No-change rebuild due to OpenLDAP soname bump.
-- Sergio Durigan Junior <email address hidden> Mon, 21 Jun 2021 17:43:48 -0400
-
apache2 (2.4.46-4ubuntu2) impish; urgency=medium
* SECURITY UPDATE: mod_proxy_http denial of service.
- debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
connection in modules/proxy/mod_proxy_http.c.
- CVE-2020-13950
* SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
- debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
base64 to fail early if the format can't match anyway in
modules/aaa/mod_auth_digest.c.
- CVE-2020-35452
* SECURITY UPDATE: DoS via cookie header in mod_session
- debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
session_identity_decode() in modules/session/mod_session.c.
- CVE-2021-26690
* SECURITY UPDATE: heap overflow via SessionHeader
- debian/patches/CVE-2021-26691.patch: account for the '&' in
identity_concat() in modules/session/mod_session.c.
- CVE-2021-26691
* SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
- debian/patches/CVE-2021-30641.patch: change default behavior in
server/request.c.
- CVE-2021-30641
-- Marc Deslauriers <email address hidden> Thu, 17 Jun 2021 13:09:41 -0400
-
apache2 (2.4.46-4ubuntu1) hirsute; urgency=medium
* Merge with Debian unstable, to allow moving from lua5.2 to
lua5.3 (LP: #1910372). Remaining changes:
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- d/t/control, d/t/check-http2: add basic test for http2 support
- d/p/t/apache/expr_string.t: Avoid test suite failure due to timing
issue reading error log too quickly after request, by adding a sleep.
(LP #1890302)
- d/apache2ctl: Also use systemd for graceful if it is in use.
This extends an earlier fix for the start command to behave
similarly for restart / graceful. Fixes service failures on
unattended upgrade.
* Drop:
- d/perl-framework/t/modules/allowmethods.t: disable reset test. This
was re-added by mistake in 2.4.41-1 (Closes #921024)
[Included in Debian 2.4.46-3]
* d/apache2ctl: Also use /run/systemd to check for systemd usage
(LP: #1918209)
-- Bryce Harrington <email address hidden> Tue, 09 Mar 2021 00:45:35 +0000
