apache2 in trusty-backports is vulnerable to CVE-2016-5387

Bug #1604209 reported by Mike Gerow on 2016-07-19
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)

Bug Description

The patch is small and easy, will attach a debdiff once I get it together.

Not checking that this is a security vuln because trusty-backports technically doesn't get security attention.

Mathew Hodson (mhodson) on 2016-07-19
information type: Public → Public Security
Mike Gerow (gerow) wrote :

The attached patch addresses the issue for apache2 in trusty-backports.

Mike Gerow (gerow) wrote :

Whoops, didn't look at that closely enough :\

Mike Gerow (gerow) wrote :

Cleaned up the patch.

The attachment "CVE-2016-5387.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Mathew Hodson (mhodson) on 2016-07-22
Changed in apache2 (Ubuntu):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

Unsubscribing ubuntu-security-sponsors since this needs to be handled by the backports team.

Scott Kitterman (kitterman) wrote :

Ack. Approved by ubuntu-backporters.

Philipp Kern (pkern) wrote :

Ok, as it turns out component ownership is also enforced on backports. Unfortunately that means that my MOTU permissions are not sufficient here and this will require a sponsor to upload.

Philipp Kern (pkern) wrote :

New debdiff attached that can be uploaded as-is.

Robie Basak (racb) wrote :

No action for the main apache2 package. This affects the Trusty backports project only.

Changed in apache2 (Ubuntu):
status: New → Invalid
Philipp Kern (pkern) wrote :

Anyone to upload an approved backport to trusty-backports?

Mike Gerow (gerow) wrote :

*ping* still looking for someone to upload to trusty-backports.

Iain Lane (laney) wrote :

I'll upload this for you if it builds.

Normally we would expect this kind of thing to be fixed by re-backporting from a later release though. If xenial's apache2 works on trusty, it'd be cool to backport that.

Changed in trusty-backports:
status: New → Fix Released