[ubuntu/focal-security] apache2 2.4.41-4ubuntu3.9 (Accepted)

[Marc Deslauriers]

apache2 (2.4.41-4ubuntu3.9) focal-security; urgency=medium

  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
      uri-paths not to be forward-proxied have an http(s) scheme, and that
      the ones to be forward proxied have a hostname in
      include/http_protocol.h, modules/http/http_request.c,
      modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
      w/ no hostname in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in
      modules/lua/lua_request.c.
    - CVE-2021-44790

apache2 (2.4.41-4ubuntu3.8) focal; urgency=medium

  * Revert fix from 2.4.41-4ubuntu3.7, due to performance regression.
    (LP 1832182)

apache2 (2.4.41-4ubuntu3.7) focal; urgency=medium

  * d/apache2ctl: Also use systemd for graceful if it is in use.
    (LP: #1832182)
    - This extends an earlier fix for the start command to behave
      similarly for restart / graceful.  Fixes service failures on
      unattended upgrade.

Date: 2022-01-05 16:02:09.859774+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.9
-------------- next part --------------
Sorry, changesfile not available.