* SECURITY UPDATE: DoS or SSRF via forward proxy
- debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
uri-paths not to be forward-proxied have an http(s) scheme, and that
the ones to be forward proxied have a hostname in
include/http_protocol.h, modules/http/http_request.c,
modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
modules/proxy/proxy_util.c, server/protocol.c.
- debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
w/ no hostname in modules/proxy/mod_proxy.c,
modules/proxy/proxy_util.c.
- CVE-2021-44224
* SECURITY UPDATE: overflow in mod_lua multipart parser
- debian/patches/CVE-2021-44790.patch: improve error handling in
modules/lua/lua_request.c.
- CVE-2021-44790
-- Marc Deslauriers <email address hidden> Wed, 05 Jan 2022 09:50:41 -0500
This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.21
--------------- 1ubuntu4. 21) bionic-security; urgency=medium
apache2 (2.4.29-
* SECURITY UPDATE: DoS or SSRF via forward proxy patches/ CVE-2021- 44224-1. patch: enforce that fully qualified http_protocol. h, modules/ http/http_ request. c, http2/h2_ request. c, modules/ proxy/mod_ proxy.c, proxy/proxy_ util.c, server/protocol.c. patches/ CVE-2021- 44224-2. patch: don't prevent forwarding URIs proxy/mod_ proxy.c, proxy/proxy_ util.c. patches/ CVE-2021- 44790.patch: improve error handling in lua/lua_ request. c.
- debian/
uri-paths not to be forward-proxied have an http(s) scheme, and that
the ones to be forward proxied have a hostname in
include/
modules/
modules/
- debian/
w/ no hostname in modules/
modules/
- CVE-2021-44224
* SECURITY UPDATE: overflow in mod_lua multipart parser
- debian/
modules/
- CVE-2021-44790
-- Marc Deslauriers <email address hidden> Wed, 05 Jan 2022 09:50:41 -0500