apache2 (2.4.52-1ubuntu4.16) jammy-security; urgency=medium
* SECURITY REGRESSION: Removing duplicated lines
- debian/patches/CVE-2024-38474-regression.patch: (LP: #2119395)
-- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Mon, 11 Aug 2025 09:10:10 -0300
apache2 (2.4.52-1ubuntu4.15) jammy-security; urgency=medium
* SECURITY UPDATE: HTTP response splitting
- debian/patches/CVE-2024-42516.patch: fix header merging in
modules/http/http_filters.c.
- CVE-2024-42516
* SECURITY UPDATE: SSRF with mod_headers setting Content-Type header
- debian/patches/CVE-2024-43204-pre1.patch: avoid ap_set_content_type
when processing a _Request_Header set|edit|unset Content-Type in
modules/metadata/mod_headers.c.
- debian/patches/CVE-2024-43204.patch: use header only in
modules/metadata/mod_headers.c.
- CVE-2024-43204
* SECURITY UPDATE: mod_ssl error log variable escaping
- debian/patches/CVE-2024-47252.patch: escape ssl vars in
modules/ssl/ssl_engine_vars.c.
- CVE-2024-47252
* SECURITY UPDATE: mod_ssl access control bypass with session resumption
- debian/patches/CVE-2025-23048.patch: update SNI validation in
modules/ssl/ssl_engine_kernel.c.
- CVE-2025-23048
* SECURITY UPDATE: mod_proxy_http2 denial of service
- debian/patches/CVE-2025-49630.patch: tolerate missing host header in
h2 proxy in modules/http2/h2_proxy_session.c.
- CVE-2025-49630
* SECURITY UPDATE: mod_ssl TLS upgrade attack
- debian/patches/CVE-2025-49812.patch: remove antiquated 'SSLEngine
optional' TLS upgrade in modules/ssl/ssl_engine_config.c,
modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
modules/ssl/ssl_private.h.
- CVE-2025-49812
* SECURITY UPDATE:
- debian/patches/CVE-2025-53020.patch: improve h2 header error handling
in modules/http2/h2_request.c, modules/http2/h2_request.h,
modules/http2/h2_session.c, modules/http2/h2_session.h,
modules/http2/h2_stream.c, modules/http2/h2_util.c,
modules/http2/h2_util.h,
test/modules/http2/test_200_header_invalid.py.
- CVE-2025-53020
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Jul 2025 12:29:02 -0400
apache2 (2.4.52-1ubuntu4.14) jammy-security; urgency=medium
* SECURITY REGRESSION: Better question mark tracking
- debian/patches/CVE-2024-38474-regression.patch: improve
previous patch allowing to avoid [UnsafeAllow3F] for most
cases in modules/mappers/mod_rewrite.c (LP: #2103723).
-- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Thu, 03 Apr 2025 06:05:48 -0300
apache2 (2.4.52-1ubuntu4.13) jammy; urgency=medium
* d/debhelper/apache2-maintscript-helper: Allow execution when called from a
postinst script through a trigger (i.e., postinst triggered).
Thanks to Roel van Meer. (LP: #2038912) (Closes: #1060450)
-- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 18 Mar 2024 10:41:27 -0300
apache2 (2.4.52-1ubuntu4.12) jammy-security; urgency=medium
* SECURITY UPDATE: source code disclosure with handlers configured via
AddType
- debian/patches/CVE-2024-40725.patch: copy the trusted flag from the
subrequest in modules/http/http_request.c.
- CVE-2024-40725
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 17 Jul 2024 14:57:26 -0400
apache2 (2.4.52-1ubuntu4.11) jammy-security; urgency=medium
* SECURITY REGRESSION: regression when proxying http2 (LP: #2072648)
- debian/patches/CVE-2024-38477-2.patch: restart from the original URL
on reconnect in modules/http2/mod_proxy_http2.c.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 11 Jul 2024 08:20:46 -0400
apache2 (2.4.52-1ubuntu4.10) jammy-security; urgency=medium
* SECURITY UPDATE: null pointer dereference when serving WebSocket
protocol upgrades over a HTTP/2
- debian/patches/CVE-2024-36387.patch: early exit if bb is null in
modules/http2/h2_c2.c.
- CVE-2024-36387
* SECURITY UPDATE: encoding problem in mod_proxy
- debian/patches/CVE-2024-38473-1.patch: escape for non-proxypass
configuration in modules/proxy/mod_proxy.c.
- debian/patches/CVE-2024-38473-2.patch: fixup UDS filename for
mod_proxy called through r->handler in modules/proxy/mod_proxy.c,
modules/proxy/mod_proxy.h, modules/proxy/proxy_util.c.
- debian/patches/CVE-2024-38473-3.patch: block inadvertent subst of
special filenames in modules/mappers/mod_rewrite.c.
- debian/patches/CVE-2024-38473-4.patch: fix comparison of local path
on Windows in modules/mappers/mod_rewrite.c.
- debian/patches/CVE-2024-38473-5.patch: factor out IS_SLASH, perdir
fix in include/httpd.h, modules/mappers/mod_rewrite.c, server/util.c.
- CVE-2024-38473
* SECURITY UPDATE: Substitution encoding issue in mod_rewrite
- debian/patches/CVE-2024-38474_5.patch: tighten up prefix_stat and %3f
handling in modules/mappers/mod_rewrite.c.
- CVE-2024-38474
* SECURITY UPDATE: Improper escaping of output in mod_rewrite
- Included in CVE-2024-38474_5.patch.
- CVE-2024-38475
* SECURITY UPDATE: information disclosure, SSRF or local script execution
- debian/patches/CVE-2024-38476.patch: add ap_set_content_type_ex to
differentiate trusted sources in include/http_protocol.h,
include/httpd.h, modules/http/http_protocol.c,
modules/http/mod_mime.c, modules/mappers/mod_actions.c,
modules/mappers/mod_negotiation.c, modules/mappers/mod_rewrite.c,
modules/metadata/mod_headers.c, modules/metadata/mod_mime_magic.c,
server/config.c, server/core.c.
- CVE-2024-38476
* SECURITY UPDATE: null pointer dereference in mod_proxy
- debian/patches/CVE-2024-38477.patch: validate hostname in
modules/proxy/proxy_util.c.
- CVE-2024-38477
* SECURITY UPDATE: Potential SSRF in mod_rewrite
- Fixed by patches in previous CVEs.
- CVE-2024-39573
* SECURITY UPDATE: source code disclosure with handlers configured via
AddType
- debian/patches/CVE-2024-39884.patch: maintain trusted flag in
modules/cluster/mod_heartmonitor.c, modules/dav/main/mod_dav.c,
modules/examples/mod_example_hooks.c, modules/filters/mod_data.c,
modules/filters/mod_include.c, modules/filters/mod_proxy_html.c,
modules/generators/mod_cgi.c, modules/generators/mod_cgid.c,
modules/generators/mod_info.c, modules/generators/mod_status.c,
modules/http/http_filters.c, modules/http/http_protocol.c,
modules/http/http_request.c, modules/ldap/util_ldap.c,
modules/mappers/mod_imagemap.c, modules/proxy/mod_proxy_balancer.c.
- CVE-2024-39884
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 04 Jul 2024 07:56:21 -0400
apache2 (2.4.52-1ubuntu4.9) jammy-security; urgency=medium
* SECURITY UPDATE: HTTP response splitting
- debian/patches/CVE-2023-38709.patch: header validation after
content-* are eval'ed in modules/http/http_filters.c.
- CVE-2023-38709
* SECURITY UPDATE: HTTP Response Splitting in multiple modules
- debian/patches/CVE-2024-24795.patch: let httpd handle CL/TE for
non-http handlers in include/util_script.h,
modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
modules/generators/mod_cgid.c, modules/http/http_filters.c,
modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
- CVE-2024-24795
* SECURITY UPDATE: HTTP/2 DoS by memory exhaustion on endless
continuation frames
- debian/patches/CVE-2024-27316.patch: bail after too many failed reads
in modules/http2/h2_session.c, modules/http2/h2_stream.c,
modules/http2/h2_stream.h.
- CVE-2024-27316
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Apr 2024 13:45:18 -0400
apache2 (2.4.52-1ubuntu4.8) jammy; urgency=medium
* d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
dolphin and Konqueror/5 careful redirection so that directories can be
deleted via webdav.
(LP: #1927742)
-- Bryce Harrington <bryce@canonical.com> Tue, 16 Jan 2024 19:00:18 -0800
apache2 (2.4.52-1ubuntu4.7) jammy-security; urgency=medium
* SECURITY UPDATE: mod_macro buffer over-read
- debian/patches/CVE-2023-31122.patch: fix length in
modules/core/mod_macro.c.
- CVE-2023-31122
* SECURITY UPDATE: Multiple issues in HTTP/2
- CVE-2023-43622: DoS in HTTP/2 with initial windows size 0
- CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST
- debian/patches/update_http2.patch: backport version 2.0.22 of
mod_http2 from httpd 2.4.58.
- CVE-2023-43622
- CVE-2023-45802
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 26 Oct 2023 09:44:44 -0400
# For older changelog entries, run 'apt-get changelog apache2-doc'
Generated by dwww version 1.14 on Tue Aug 19 11:53:24 CEST 2025.