Format: 1.8
Date: Thu, 17 Jun 2021 13:45:11 -0400
Source: apache2
Binary: apache2 apache2-bin apache2-data apache2-dev apache2-doc apache2-ssl-dev apache2-suexec-custom apache2-suexec-pristine apache2-utils libapache2-mod-md libapache2-mod-proxy-uwsgi
Architecture: amd64 all
Version: 2.4.46-1ubuntu1.2
Distribution: groovy
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Marc Deslauriers
Description:
 apache2 - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
 libapache2-mod-md - transitional package
 libapache2-mod-proxy-uwsgi - transitional package
Changes:
 apache2 (2.4.46-1ubuntu1.2) groovy-security; urgency=medium
 .
   * SECURITY UPDATE: mod_proxy_http denial of service.
     - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
       connection in modules/proxy/mod_proxy_http.c.
     - CVE-2020-13950
   * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
     - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
       base64 to fail early if the format can't match anyway in
       modules/aaa/mod_auth_digest.c.
     - CVE-2020-35452
   * SECURITY UPDATE: DoS via cookie header in mod_session
     - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
       session_identity_decode() in modules/session/mod_session.c.
     - CVE-2021-26690
   * SECURITY UPDATE: heap overflow via SessionHeader
     - debian/patches/CVE-2021-26691.patch: account for the '&' in
       identity_concat() in modules/session/mod_session.c.
     - CVE-2021-26691
   * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
     - debian/patches/CVE-2021-30641.patch: change default behavior in
       server/request.c.
     - CVE-2021-30641
   * This update does _not_ include the changes from 2.4.46-1ubuntu1.1 in
     groovy-proposed.
Original-Maintainer: Debian Apache Maintainers