apache2 security fix in 2.4.43

Bug #1870818 reported by Gleb on 2020-04-04
This bug affects 4 people
Affects: apache2 (Ubuntu)
Importance: Undecided
Assigned to: Ubuntu Security Team

Bug Description

Update Apache to version 2.4.43

Gleb (long76) wrote :

*) SECURITY: CVE-2020-1934 (cve.mitre.org)
     mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
     server. [Eric Covener]

*) SECURITY: CVE-2020-1927 (cve.mitre.org)
     rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
     matches and substitutions with encoded line break characters.
     The fix for CVE-2019-10098 was not effective. [Ruediger Pluem]
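
An added illustration (not from the bug report or from Apache's code) of the CVE-2020-1927 entry above: with standard regex semantics, `.` does not cross a newline unless DOTALL is set, so a RewriteRule-style pattern applied to a decoded path that carries an encoded line break either fails to match or captures only the part before the break. The sample paths are constructed; Python's `\1` stands in for Apache's `$1`.

```python
import re

# Constructed sample input: the second path is what a request carrying an
# encoded line break (%0A) looks like once decoded; "\n" is the decoded %0A.
SAMPLE_PATHS = ["/docs/index.html", "/docs/index.html\n/other"]

# Hypothetical RewriteRule-style pattern and substitution (not from the page).
PATTERN_ANCHORED = r"^/docs/(.*)$"
PATTERN_OPEN = r"^/docs/(.*)"
SUBSTITUTION = r"/archive/\1"


def rewrite(pattern: str, substitution: str, path: str, dotall: bool):
    """Apply one pattern/substitution pair to a decoded request path.

    Returns the rewritten path, or None when the pattern does not match.
    dotall=False mirrors the pre-2.4.43 default where '.' stops at a newline;
    dotall=True mirrors the fixed default (PCRE_DOTALL on), where the whole
    path is matched as a single unit.
    """
    flags = re.DOTALL if dotall else 0
    match = re.match(pattern, path, flags)
    if match is None:
        return None
    return match.expand(substitution)


def compare(path: str) -> dict:
    """Show how the same path is handled under both defaults."""
    return {
        # Anchored pattern: without DOTALL the rule silently does not fire.
        "anchored_no_dotall": rewrite(PATTERN_ANCHORED, SUBSTITUTION, path, False),
        # Unanchored pattern: without DOTALL the capture is cut at the newline,
        # so the substitution target differs from what the pattern suggests.
        "open_no_dotall": rewrite(PATTERN_OPEN, SUBSTITUTION, path, False),
        # With DOTALL both patterns behave the same and capture the full path.
        "anchored_dotall": rewrite(PATTERN_ANCHORED, SUBSTITUTION, path, True),
        "open_dotall": rewrite(PATTERN_OPEN, SUBSTITUTION, path, True),
    }


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(repr(p), compare(p))
```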

Gleb (long76) on 2020-04-04
information type: Private Security → Public
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apache2 (Ubuntu):
status: New → Confirmed
Paride Legovini (paride) on 2020-05-07
information type: Public → Public Security

Assigning to ubuntu-security for triage from their POV.

But actually I think this is known and in progress:
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1934.html
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html

Changed in apache2 (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
status: Confirmed → In Progress

As this security issue seems to have not progressed, afaik, since May, I wanted to make sure whoever is involved in triaging this knows that this CVE has been considered a high priority for PCI compliance checks even though it appears to be marked "Low" by Canonical.

Seth Arnold (seth-arnold) wrote :

Hello Chris, thanks for contacting us. If you know why your PCI compliance auditor has flagged these issues as high priorities, it may be helpful to us to better understand the urgency.

We do intend to address these issues but currently we have other issues that we believe are more impactful to work on.

Thanks

Seth Arnold (seth-arnold) wrote :

This was addressed in USN 4458-1: https://usn.ubuntu.com/4458-1

Thanks

Changed in apache2 (Ubuntu):
status: In Progress → Fix Released