apache2 security fix in 2.4.43

Bug #1870818 reported by Gleb
This bug affects 4 people
Affects           Status         Importance   Assigned to             Milestone
apache2 (Ubuntu)  Fix Released   Undecided    Ubuntu Security Team

Bug Description

Update the Apache version to 2.4.43.

Revision history for this message
Gleb (long76) wrote :

*) SECURITY: CVE-2020-1934 (cve.mitre.org)
     mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
     server. [Eric Covener]

*) SECURITY: CVE-2020-1927 (cve.mitre.org)
     rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
     matches and substitutions with encoded line break characters.
     The fix for CVE-2019-10098 was not effective. [Ruediger Pluem]
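To make the CVE-2020-1927 changelog entry concrete, here is an added example (not from this report, Ubuntu or Apache) that uses Python's `re` module, whose `.` and `$` semantics mirror PCRE's for this case, to show how a rewrite-style pattern behaves on a path containing a decoded line break with and without the DOTALL flag; the rule and sample paths are constructed for the demonstration.

```python
import re
from typing import Dict, Optional, Tuple

# Added example (not the Launchpad report's or Apache's code): illustrates the
# PCRE_DOTALL default change behind CVE-2020-1927. Without DOTALL, '.' does not
# match a newline and '$' also accepts a position just before a trailing newline,
# so a pattern meant to cover the whole path gives inconsistent results once a
# decoded %0A is present. Constructed RewriteRule-style pattern:
RULE = r"^/app/(.*)$"


def capture_path(path: str, dotall: bool) -> Optional[str]:
    """Return what the rule's capture group would substitute for `path`,
    or None when the rule does not match at all."""
    flags = re.DOTALL if dotall else 0
    m = re.match(RULE, path, flags)
    return m.group(1) if m else None


# Constructed sample paths; the second and third contain a decoded line break.
SAMPLES = ["/app/page", "/app/page\n", "/app/page\nextra"]


def compare(paths=SAMPLES) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each path to (capture without DOTALL, capture with DOTALL).

    Expected for SAMPLES:
      "/app/page"        -> ("page", "page")          identical
      "/app/page\\n"      -> ("page", "page\\n")        newline silently dropped
      "/app/page\\nextra" -> (None, "page\\nextra")     no match at all vs. full match
    """
    return {p: (capture_path(p, False), capture_path(p, True)) for p in paths}


if __name__ == "__main__":
    for path, (without, with_dotall) in compare().items():
        print(f"{path!r:24} no DOTALL: {without!r:16} DOTALL: {with_dotall!r}")
```

Running the block prints the three rows side by side; the DOTALL column is the behaviour Apache 2.4.43 makes the default, so rules that relied on the old partial matches should be reviewed after upgrading.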

Gleb (long76)
information type: Private Security → Public
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apache2 (Ubuntu):
status: New → Confirmed
Paride Legovini (paride)
information type: Public → Public Security
Christian Ehrhardt (paelzer) wrote :

Assigning to ubuntu-security for triage from their POV.

But actually I think this is known and in progress:
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1934.html
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html

Changed in apache2 (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
status: Confirmed → In Progress
Chris Samaritoni (9e9o1ko8b2f5xp-fvlbw-0zxvj9hhx1hzo5) wrote :

As this security issue seems, AFAIK, not to have progressed since May, I wanted to make sure that whoever is involved in triaging this knows that this CVE has been considered a high priority for PCI compliance checks, even though it appears to be marked "Low" by Canonical.

Seth Arnold (seth-arnold) wrote :

Hello Chris, thanks for contacting us. If you know why your PCI compliance auditor has flagged these issues as high priorities, it may be helpful to us to better understand the urgency.

We do intend to address these issues but currently we have other issues that we believe are more impactful to work on.

Thanks

Seth Arnold (seth-arnold) wrote :

This was addressed in USN 4458-1: https://usn.ubuntu.com/4458-1

Thanks

Changed in apache2 (Ubuntu):
status: In Progress → Fix Released