[ubuntu/focal-security] apache2 2.4.41-4ubuntu3.3 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Mon Jun 21 13:53:16 UTC 2021


apache2 (2.4.41-4ubuntu3.3) focal-security; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641
  * This update does _not_ include the changes from 2.4.41-4ubuntu3.2 in
    focal-proposed.

Date: 2021-06-18 12:09:22.003046+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.3
-------------- next part --------------
Sorry, changesfile not available.


More information about the Focal-changes mailing list