[USN-5090-3] Apache HTTP Server regression
marc.deslauriers at canonical.com
Tue Sep 28 14:46:58 UTC 2021
Ubuntu Security Notice USN-5090-3
September 28, 2021
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
USN-5090-1 introduced a regression in Apache HTTP Server.
- apache2: Apache HTTP server
USN-5090-1 fixed vulnerabilities in Apache HTTP Server. One of the upstream
fixes introduced a regression in UDS URIs. This update fixes the problem.
Original advisory details:
James Kettle discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled certain crafted methods. A remote attacker could
possibly use this issue to perform request splitting or cache poisoning

It was discovered that the Apache HTTP Server incorrectly handled certain
malformed requests. A remote attacker could possibly use this issue to
cause the server to crash, resulting in a denial of service.

Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly
handled certain request uri-paths. A remote attacker could possibly use
this issue to cause the server to crash, resulting in a denial of service.
This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04.

It was discovered that the Apache HTTP Server incorrectly handled escaping
quotes. If the server was configured with third-party modules, a remote
attacker could use this issue to cause the server to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2021-39275)

It was discovered that the Apache mod_proxy module incorrectly handled
certain request uri-paths. A remote attacker could possibly use this issue
to cause the server to forward requests to arbitrary origin servers.

The problem can be corrected by updating your system to the following
Ubuntu 20.04 LTS:
Ubuntu 18.04 LTS:
In general, a standard system update will make all the necessary changes.