[ubuntu/impish-proposed] apache2 2.4.48-3.1ubuntu2 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Fri Sep 24 16:25:45 UTC 2021
apache2 (2.4.48-3.1ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: request splitting over HTTP/2
    - debian/patches/CVE-2021-33193.patch: refactor request parsing in
      include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
      include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
      server/core_filters.c, server/protocol.c, server/vhost.c.
    - CVE-2021-33193
  * SECURITY UPDATE: NULL deref via malformed requests
    - debian/patches/CVE-2021-34798.patch: add NULL check in
      server/scoreboard.c.
    - CVE-2021-34798
  * SECURITY UPDATE: DoS in mod_proxy_uwsgi
    - debian/patches/CVE-2021-36160.patch: fix PATH_INFO setting for
      generic worker in modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2021-36160
  * SECURITY UPDATE: buffer overflow in ap_escape_quotes
    - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
      substitution logic in server/util.c.
    - CVE-2021-39275
  * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
    - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
      parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - debian/patches/CVE-2021-40438.patch: add sanity checks on the
      configured UDS path in modules/proxy/proxy_util.c.
    - CVE-2021-40438
Date: Thu, 23 Sep 2021 12:51:16 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.48-3.1ubuntu2
-------------- next part --------------
Format: 1.8
Date: Thu, 23 Sep 2021 12:51:16 -0400
Source: apache2
Built-For-Profiles: noudeb
Architecture: source
Version: 2.4.48-3.1ubuntu2
Distribution: impish
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Original-Maintainer: Debian Apache Maintainers <debian-apache at lists.debian.org>