Format: 1.8
Date: Thu, 23 Sep 2021 13:01:10 -0400
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: s390x
Version: 2.4.29-1ubuntu4.17
Distribution: bionic
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Marc Deslauriers
Description:
 apache2 - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Changes:
 apache2 (2.4.29-1ubuntu4.17) bionic-security; urgency=medium
 .
   * SECURITY UPDATE: request splitting over HTTP/2
     - debian/patches/CVE-2021-33193-pre1.patch: process early errors via a
       dummy HTTP/1.1 request as well in modules/http2/h2.h,
       modules/http2/h2_request.c, modules/http2/h2_session.c,
       modules/http2/h2_stream.c.
     - debian/patches/CVE-2021-33193-pre2.patch: sync with github
       standalone version 1.15.17 in modules/http2/h2_bucket_beam.c,
       modules/http2/h2_config.c, modules/http2/h2_config.h,
       modules/http2/h2_h2.c, modules/http2/h2_headers.c,
       modules/http2/h2_headers.h, modules/http2/h2_mplx.c,
       modules/http2/h2_request.c, modules/http2/h2_stream.h,
       modules/http2/h2_task.c, modules/http2/h2_task.h,
       modules/http2/h2_version.h.
     - debian/patches/CVE-2021-33193.patch: refactor request parsing in
       include/ap_mmn.h, include/http_core.h, include/http_protocol.h,
       include/http_vhost.h, modules/http2/h2_request.c, server/core.c,
       server/core_filters.c, server/protocol.c, server/vhost.c.
     - CVE-2021-33193
   * SECURITY UPDATE: NULL deref via malformed requests
     - debian/patches/CVE-2021-34798.patch: add NULL check in
       server/scoreboard.c.
     - CVE-2021-34798
   * SECURITY UPDATE: buffer overflow in ap_escape_quotes
     - debian/patches/CVE-2021-39275.patch: fix ap_escape_quotes
       substitution logic in server/util.c.
     - CVE-2021-39275
   * SECURITY UPDATE: arbitrary origin server via crafted request uri-path
     - debian/patches/CVE-2021-40438-pre1.patch: faster unix socket path
       parsing in the "proxy:" URL in modules/proxy/mod_proxy.c,
       modules/proxy/proxy_util.c.
     - debian/patches/CVE-2021-40438.patch: add sanity checks on the
       configured UDS path in modules/proxy/proxy_util.c.
     - CVE-2021-40438
Original-Maintainer: Debian Apache Maintainers