apache2 - Debian Package Tracker

general

source: apache2 (main)
version: 2.4.52-1
maintainer: Debian Apache Maintainers (archive) (DMD)
uploaders: Stefan Fritsch [DMD] – Arno Töll [DMD] – Yadd [DMD] – Ondřej Surý [DMD]
arch: all any
std-ver: 4.6.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.4.25-3+deb9u9
o-o-sec: 2.4.25-3+deb9u11
o-o-bpo-sl: 2.4.46-1~bpo9+1
oldstable: 2.4.38-3+deb10u5
old-sec: 2.4.38-3+deb10u7
old-bpo: 2.4.51-1~bpo10+2
old-p-u: 2.4.38-3+deb10u7
stable: 2.4.51-1~deb11u1
stable-sec: 2.4.52-1~deb11u2
stable-p-u: 2.4.52-1~deb11u2
testing: 2.4.52-1
unstable: 2.4.52-1
exp: 2.4.52-3

versioned links

2.4.25-3+deb9u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.25-3+deb9u11: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.38-3+deb10u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.38-3+deb10u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.46-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.51-1~bpo10+2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.51-1~deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.52-1~deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.52-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.52-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

apache2 (113 bugs: 1, 73, 39, 0)
apache2-bin (39 bugs: 0, 30, 9, 0)
apache2-data
apache2-dev (4 bugs: 0, 2, 2, 0)
apache2-doc (4 bugs: 0, 2, 2, 0)
apache2-ssl-dev
apache2-suexec-custom (3 bugs: 0, 2, 1, 0)
apache2-suexec-pristine (3 bugs: 0, 1, 2, 0)
apache2-utils (8 bugs: 0, 4, 4, 0)
libapache2-mod-md
libapache2-mod-proxy-uwsgi (1 bugs: 0, 1, 0, 0)

action needed

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0:10:10
Last run: 2022-01-05T01:44:56.000Z
Previous status: pass

testing: fail (log)
The tests ran in 0:13:15
Last run: 2022-01-15T05:23:27.000Z
Previous status: fail

stable: pass (log)
The tests ran in 0:30:30
Last run: 2022-01-02T18:05:18.000Z
Previous status: pass

Created: 2022-01-01 Last update: 2022-01-18 08:11

6 security issues in stretch high

There are 6 open security issues in stretch.

2 important issues:

CVE-2021-44224: A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
CVE-2021-44790: A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

1 issue postponed or untriaged:

CVE-2021-33193: (postponed; to be fixed through a stable update) A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

3 ignored issues:

CVE-2020-9490: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
CVE-2019-17567: Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.
CVE-2020-11993: Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

Created: 2021-12-20 Last update: 2022-01-04 20:03

lintian reports 1 error and 16 warnings high

Lintian reports 1 error and 16 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-10-13 Last update: 2022-01-01 04:31

15 bugs tagged patch in the BTS normal

The BTS contains patches fixing 15 bugs (17 if counting merged bugs), consider including or untagging them.

Created: 2021-08-14 Last update: 2022-01-18 08:02

2 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 92c034dcfb4de6fb1477d52e7fbcbd570b8cab86
Merge: 075d8ef6 b3cd2ac9
Author: Yadd <yadd@debian.org>
Date:   Wed Dec 29 07:35:53 2021 +0100

    Merge remote-tracking branch 'origin/master'

commit b3cd2ac9680bbbac6033639b9d8061a5d18c0e51
Author: Ondřej Surý <ondrej@sury.org>
Date:   Tue Dec 28 21:16:39 2021 +0100

    Add upstream patch to fix active daemon accounting

Created: 2021-12-28 Last update: 2022-01-10 22:42

RFH: The maintainer is looking for help with this package. normal

The current maintainer is looking for someone who can help with the maintenance of this package. If you are interested in this package, please consider helping out. One way you can help is offer to be a co-maintainer or triage bugs in the BTS. Please see bug number #910917 for more information.

Created: 2018-10-13 Last update: 2020-01-27 22:50

2 low-priority security issues in buster low

There are 2 open security issues in buster.

1 issue left for the package maintainer to handle:

CVE-2021-33193: (postponed; to be fixed through a stable update) A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

You can find information about how to handle this issue in the security team's documentation.

1 ignored issue:

CVE-2019-17567: Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.

Created: 2021-06-06 Last update: 2022-01-04 20:03

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2018-07-28 Last update: 2018-07-28 20:07

testing migrations

This package will soon be part of the auto-openldap transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-04] Accepted apache2 2.4.52-1~deb11u2 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-04] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-04] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-04] Accepted apache2 2.4.52-1~deb11u2 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-04] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-04] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-04] Accepted apache2 2.4.52-1~deb11u2 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-04] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-04] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Xavier Guimard)

bugs [bug history graph]

all: 189 194
RC: 1
I&N: 130 132
M&W: 57 60
F&P: 1
patch: 15 17

links

homepage
lintian (1, 16)
buildd: logs, exp, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.4.51-2ubuntu1
58 bugs (5 patches)
patches for 2.4.51-2ubuntu1