[ubuntu/groovy-security] apache2 2.4.46-1ubuntu1.2 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Mon Jun 21 13:53:17 UTC 2021


apache2 (2.4.46-1ubuntu1.2) groovy-security; urgency=medium

  * SECURITY UPDATE: mod_proxy_http denial of service.
    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
      connection in modules/proxy/mod_proxy_http.c.
    - CVE-2020-13950
  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
      base64 to fail early if the format can't match anyway in
      modules/aaa/mod_auth_digest.c.
    - CVE-2020-35452
  * SECURITY UPDATE: DoS via cookie header in mod_session
    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
      session_identity_decode() in modules/session/mod_session.c.
    - CVE-2021-26690
  * SECURITY UPDATE: heap overflow via SessionHeader
    - debian/patches/CVE-2021-26691.patch: account for the '&' in
      identity_concat() in modules/session/mod_session.c.
    - CVE-2021-26691
  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
    - debian/patches/CVE-2021-30641.patch: change default behavior in
      server/request.c.
    - CVE-2021-30641
  * This update does _not_ include the changes from 2.4.46-1ubuntu1.1 in
    groovy-proposed.

Date: 2021-06-18 12:09:11.356971+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.46-1ubuntu1.2
-------------- next part --------------
Sorry, changesfile not available.


More information about the Groovy-changes mailing list