When is Apache 2.4.42 expected for Ubuntu 18.04?

Asked by Kanuj Bhatnagar on 2020-04-21

Apache is vulernable to to CVE-2020-1927 and CVE-2020-1934m which is fixed in version 2.4.42. When is Apache 2.4.42 expected for Ubuntu 18.04?

Reference: https://httpd.apache.org/security/vulnerabilities_24.html

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu apache2 Edit question
Assignee:
No assignee Edit question
Last query:
2020-04-22
Last reply:
2020-04-22

At the very least, please consider integrating https://nvd.nist.gov/vuln/detail/CVE-2020-1927 as it pertains to mod_rewrite, which is a very frequently used apache module.

I suggest you report a bug. Report it as a security bug

Manfred Hampl (m-hampl) said : #3

The problem is already known, see
https://people.canonical.com/~ubuntu-security/cve/pkg/apache2.html
and
https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1927
https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1934

And as a general remark:
For versions of software in older Ubuntu releases the standard procedure is not upgrading to a newer version, but to cherry-pick only the relevant patches. So the answer to you question ("When is Apache 2.4.42 expected for Ubuntu 18.04?") is: Probably never.

@m-hampl: So, what are my options as far as me not being able to switch to a newer Ubuntu version just for this specific package version? I'd like to keep Ubuntu 18.04 on my server and use this Apache version as well.

Possibly a PPA or you can compile the source yourself

Erotavlas (erotavlas) said : #6

Any update on this? I prefer to avoid to install a third party PPA as https://launchpad.net/~ondrej/+archive/ubuntu/apache2 in order to have TLS 1.3.

Can you help with this problem?

Provide an answer of your own, or ask Kanuj Bhatnagar for more information if necessary.

To post a message you must log in.