apache2 2.4.57-2ubuntu2.5 source package in Ubuntu
Changelog
apache2 (2.4.57-2ubuntu2.5) mantic-security; urgency=medium
* SECURITY UPDATE: null pointer dereference when serving WebSocket
protocol upgrades over a HTTP/2
- debian/patches/CVE-2024-36387.patch: early exit if bb is null in
modules/http2/h2_c2.c.
- CVE-2024-36387
* SECURITY UPDATE: encoding problem in mod_proxy
- debian/patches/CVE-2024-38473-1.patch: escape for non-proxypass
configuration in modules/proxy/mod_proxy.c.
- debian/patches/CVE-2024-38473-2.patch: fixup UDS filename for
mod_proxy called through r->handler in modules/proxy/mod_proxy.c,
modules/proxy/mod_proxy.h, modules/proxy/proxy_util.c.
- debian/patches/CVE-2024-38473-3.patch: block inadvertent subst of
special filenames in modules/mappers/mod_rewrite.c.
- debian/patches/CVE-2024-38473-4.patch: fix comparison of local path
on Windows in modules/mappers/mod_rewrite.c.
- debian/patches/CVE-2024-38473-5.patch: factor out IS_SLASH, perdir
fix in include/httpd.h, modules/mappers/mod_rewrite.c, server/util.c.
- CVE-2024-38473
* SECURITY UPDATE: Substitution encoding issue in mod_rewrite
- debian/patches/CVE-2024-38474_5.patch: tighten up prefix_stat and %3f
handling in modules/mappers/mod_rewrite.c.
- CVE-2024-38474
* SECURITY UPDATE: Improper escaping of output in mod_rewrite
- Included in CVE-2024-38474_5.patch.
- CVE-2024-38475
* SECURITY UPDATE: information disclosure, SSRF or local script execution
- debian/patches/CVE-2024-38476.patch: add ap_set_content_type_ex to
differentiate trusted sources in include/http_protocol.h,
include/httpd.h, modules/http/http_protocol.c,
modules/http/mod_mime.c, modules/mappers/mod_actions.c,
modules/mappers/mod_negotiation.c, modules/mappers/mod_rewrite.c,
modules/metadata/mod_headers.c, modules/metadata/mod_mime_magic.c,
server/config.c, server/core.c.
- CVE-2024-38476
* SECURITY UPDATE: null pointer dereference in mod_proxy
- debian/patches/CVE-2024-38477.patch: validate hostname in
modules/proxy/proxy_util.c.
- CVE-2024-38477
* SECURITY UPDATE: Potential SSRF in mod_rewrite
- Fixed by patches in previous CVEs.
- CVE-2024-39573
* SECURITY UPDATE: source code disclosure with handlers configured via
AddType
- debian/patches/CVE-2024-39884.patch: maintain trusted flag in
modules/cluster/mod_heartmonitor.c, modules/dav/main/mod_dav.c,
modules/examples/mod_example_hooks.c, modules/filters/mod_data.c,
modules/filters/mod_include.c, modules/filters/mod_proxy_html.c,
modules/generators/mod_cgi.c, modules/generators/mod_cgid.c,
modules/generators/mod_info.c, modules/generators/mod_status.c,
modules/http/http_filters.c, modules/http/http_protocol.c,
modules/http/http_request.c, modules/ldap/util_ldap.c,
modules/mappers/mod_imagemap.c, modules/proxy/mod_proxy_balancer.c.
- CVE-2024-39884
-- Marc Deslauriers <email address hidden> Thu, 04 Jul 2024 07:51:13 -0400
Upload details
- Uploaded by:
- Marc Deslauriers
- Uploaded to:
- Mantic
- Original maintainer:
- Ubuntu Developers
- Architectures:
- any all
- Section:
- httpd
- Urgency:
- Medium Urgency
See full publishing history Publishing
| Series | Published | Component | Section | |
|---|---|---|---|---|
| Mantic | updates | main | web | |
| Mantic | security | main | web |
Downloads
| File | Size | SHA-256 Checksum |
|---|---|---|
| apache2_2.4.57.orig.tar.gz | 9.3 MiB | bc3e7e540b83ec24f9b847c6b4d7148c55b79b27d102e21227eb65f7183d6b45 |
| apache2_2.4.57-2ubuntu2.5.debian.tar.xz | 951.7 KiB | 4d6a4ec0cd067fc08c9775b5be7b2c070dd131e32f1979766cba5f577763251c |
| apache2_2.4.57-2ubuntu2.5.dsc | 3.3 KiB | e9b87579a38e55d49dd3e4441ebbd147ae32d924e8953906f16106476dc61322 |
Available diffs
Binary packages built by this source
- apache2: Apache HTTP Server
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
Installing this package results in a full installation, including the
configuration files, init scripts and support scripts.
- apache2-bin: Apache HTTP Server (modules and other binary files)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package contains the binaries only and does not set up a working
web-server instance. Install the "apache2" package to get a fully working
instance.
- apache2-bin-dbgsym: debug symbols for apache2-bin
- apache2-data: Apache HTTP Server (common files)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package contains architecture-independent common files such as icons,
error pages and static index files.
- apache2-dev: Apache HTTP Server (development headers)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package provides development headers and the apxs2 binary for the Apache
2 HTTP server, useful to develop and link third party additions to the Debian
Apache HTTP server package.
.
It also provides dh_apache2 and dh sequence addons useful to install various
Debian Apache2 extensions with debhelper. It supports
- Apache 2 module configurations and shared objects
- Site configuration files
- Global configuration files
- apache2-doc: Apache HTTP Server (on-site documentation)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package provides the documentation for the Apache 2 HTTP server. The
documentation is shipped in HTML format and can be accessed from a local
running Apache HTTP server instance or by browsing the file system directly.
- apache2-ssl-dev: Apache HTTP Server (mod_ssl development headers)
The Apache HTTP Server Project's goal is to build a secure, efficient and
extensible HTTP server as standards-compliant open source software. The
result has long been the number one web server on the Internet.
.
This package provides the development header and the dependencies for
modules that interact with mod_ssl's internal openssl state.
- apache2-suexec-custom: Apache HTTP Server configurable suexec program for mod_suexec
Provides a customizable version of the suexec helper program for mod_suexec.
This is not the version from upstream, but can be configured with a
configuration file.
.
If you do not need non-standard document root or userdir settings, it is
recommended that you use the standard suexec helper program from the
apache2-suexec- pristine package instead.
- apache2-suexec-custom-dbgsym: debug symbols for apache2-suexec-custom
- apache2-suexec-pristine: Apache HTTP Server standard suexec program for mod_suexec
Provides the standard suexec helper program for mod_suexec. This version is
compiled with document root /var/www and userdir suffix public_html. If you
need different settings, use the package apache2-suexec- custom.
- apache2-suexec-pristine-dbgsym: debug symbols for apache2-suexec-pristine
- apache2-utils: Apache HTTP Server (utility programs for web servers)
Provides some add-on programs useful for any web server. These include:
- ab (Apache benchmark tool)
- fcgistarter (Start a FastCGI program)
- logresolve (Resolve IP addresses to hostnames in logfiles)
- htpasswd (Manipulate basic authentication files)
- htdigest (Manipulate digest authentication files)
- htdbm (Manipulate basic authentication files in DBM format, using APR)
- htcacheclean (Clean up the disk cache)
- rotatelogs (Periodically stop writing to a logfile and open a new one)
- split-logfile (Split a single log including multiple vhosts)
- checkgid (Checks whether the caller can setgid to the specified group)
- check_forensic (Extract mod_log_forensic output from Apache log files)
- httxt2dbm (Generate dbm files for use with RewriteMap)
- apache2-utils-dbgsym: debug symbols for apache2-utils
- libapache2-mod-md: transitional package
This is a transitional package to apache2 for users of libapache2-mod-md.
It can be safely removed after the installation is complete.
- libapache2-mod-proxy-uwsgi: transitional package
This is a transitional package to apache2 for users of
libapache2-mod-proxy- uwsgi.
It can be safely removed after the installation is complete.
