Apache2 2.4.57

Asked by harsh chaudhary

On apache2 2.4.57, an audit discovered CVE-2023-31122, CVE-2023-43622 and CVE-2023-45802. I am currently using Ubuntu 18.04. How do I fix it?

Question information

Language: English
Status: Answered
For: Ubuntu apache2
Assignee: No assignee
Manfred Hampl (m-hampl) said :
#1
harsh chaudhary (iamroot0615) said :
#2

Hi,

Thanks for your prompt response and support. I have checked the following:
https://ubuntu.com/security/CVE-2023-45802
https://ubuntu.com/security/CVE-2023-31122
https://ubuntu.com/security/CVE-2023-43622

1. It says the status on bionic is "Needs triage"; I am not sure what this means.

2. One more thing I would like to know: if I use the last default Apache2 release on Ubuntu 18.04, i.e. assuming 2.4.29-1ubuntu4.27, will this be the solution to my problem?

Manfred Hampl (m-hampl) said :
#3

1. "needs triage" means that the investigation whether that release is affected and which action is to be taken has not yet been completed.

2. Support for Ubuntu 18.04 has ended, unless you have registered for Ubuntu Pro.
For dealing with that CVE you need to have version 2.4.29-1ubuntu4.27+esm1 of the apache2 packages, and that is available only for systems with an Ubuntu Pro subscription. (2.4.29-1ubuntu4.27+esm1 is different from 2.4.29-1ubuntu4.27)

Another and maybe better option is upgrading to a newer Ubuntu release that is fully supported (e.g. 22.04 LTS).

harsh chaudhary (iamroot0615) said :
#4

Thanks for your response, hampl.
The audit report recommended Apache2 version 2.4.58, but the latest package for Ubuntu 22.04 is 2.4.52-1ubuntu4.8. When upgrading from Ubuntu 18.04 to 22.04, the question arises: Can version 2.4.52-1ubuntu4.8 effectively address all vulnerabilities?

Manfred Hampl (m-hampl) said :
#5

https://ubuntu.com/security/notices/USN-6506-1 states that CVE-2023-45802, CVE-2023-31122 and CVE-2023-43622 are dealt with by version 2.4.52-1ubuntu4.7 in Ubuntu 22.04.

Remark: Recently new CVEs have been discovered (CVE-2023-38709, CVE-2024-24795, CVE-2024-27316); for Ubuntu 22.04 they will be covered with apache2 version 2.4.52-1ubuntu4.9 (currently work in progress). More updates will be necessary whenever new vulnerabilities are detected.
(For apache2 in Ubuntu 18.04 the status of these vulnerabilities also is "needs triage".)
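
Added example, not part of the thread and not Ubuntu's own tooling: a Python sketch of dpkg's version-ordering rules applied to the version strings quoted in replies #3 and #5. It shows why 2.4.29-1ubuntu4.27 sorts below 2.4.29-1ubuntu4.27+esm1, and why comparing a distro package against the upstream number 2.4.58 reports it as older even when it carries the backported fixes. The function names and the `FIXED` table are assumptions made for this illustration; on a real system `dpkg --compare-versions` performs the same comparison.

```python
import re

# Fixed package versions quoted in the thread, keyed by Ubuntu release.
FIXED = {"18.04": "2.4.29-1ubuntu4.27+esm1", "22.04": "2.4.52-1ubuntu4.7"}

def _order(ch):
    # dpkg ordering: '~' sorts before everything (even end of string),
    # letters sort before other characters such as '+' or '.'.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_string(a, b):
    # Walk both strings as alternating (non-digit run, digit run) pairs.
    pa = re.findall(r"(\D*)(\d*)", a)
    pb = re.findall(r"(\D*)(\d*)", b)
    for i in range(max(len(pa), len(pb))):
        na, da = pa[i] if i < len(pa) else ("", "")
        nb, db = pb[i] if i < len(pb) else ("", "")
        width = max(len(na), len(nb))
        oa = [_order(c) for c in na] + [0] * (width - len(na))
        ob = [_order(c) for c in nb] + [0] * (width - len(nb))
        if oa != ob:
            return -1 if oa < ob else 1
        ia, ib = int(da or 0), int(db or 0)  # digit runs compare numerically
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; the revision follows the last hyphen.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def deb_compare(a, b):
    """Return -1, 0 or 1 as a sorts before, equal to, or after b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_string(ua, ub) or _cmp_string(ra, rb)

def is_patched(release, installed):
    return deb_compare(installed, FIXED[release]) >= 0
```

An audit finding that names only an upstream version should be checked against the distribution's fixed package version for the release in use, as done in `is_patched`, rather than against the upstream number.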
