apache2 - Debian Package Tracker

general

source: apache2 (main)
version: 2.4.46-6
maintainer: Debian Apache Maintainers (archive) (DMD)
uploaders: Stefan Fritsch [DMD] – Arno Töll [DMD] – Ondřej Surý [DMD] – Xavier Guimard [DMD]
arch: all any
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 2.4.25-3+deb9u9
old-sec: 2.4.25-3+deb9u9
old-bpo-sl: 2.4.46-1~bpo9+1
stable: 2.4.38-3+deb10u4
stable-sec: 2.4.38-3+deb10u4
stable-bpo: 2.4.46-4~bpo10+1
testing: 2.4.46-6
unstable: 2.4.46-6
exp: 2.4.48-1

versioned links

2.4.25-3+deb9u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.38-3+deb10u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.46-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.46-4~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.46-6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.48-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

apache2 (111 bugs: 1, 71, 39, 0)
apache2-bin (40 bugs: 0, 30, 10, 0)
apache2-data
apache2-dev (4 bugs: 0, 2, 2, 0)
apache2-doc (3 bugs: 0, 1, 2, 0)
apache2-ssl-dev
apache2-suexec-custom (3 bugs: 0, 2, 1, 0)
apache2-suexec-pristine (3 bugs: 0, 1, 2, 0)
apache2-utils (8 bugs: 0, 4, 4, 0)
libapache2-mod-md
libapache2-mod-proxy-uwsgi (1 bugs: 0, 1, 0, 0)

action needed

Debci reports failed tests high

unstable: pass (log)
The tests ran in 0:42:48
Last run: 2021-06-11 06:26:52 UTC
Previous status: pass

testing: pass (log)
The tests ran in 0:18:12
Last run: 2021-06-14 12:43:48 UTC
Previous status: pass

stable: fail (log)
The tests ran in 0:10:15
Last run: 2021-06-13 05:01:42 UTC
Previous status: pass

Created: 2021-06-13 Last update: 2021-06-18 17:06

A new upstream version is available: 2.4.48 high

A new upstream version 2.4.48 is available, you should consider packaging it.

Created: 2021-05-27 Last update: 2021-06-18 16:31

11 security issues in stretch high

There are 11 open security issues in stretch.

7 important issues:

CVE-2019-17567: Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.
CVE-2020-13950: Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service
CVE-2020-35452: Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow
CVE-2021-26690: Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service
CVE-2021-26691: In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow
CVE-2021-30641: Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'
CVE-2021-31618: Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.

2 issues postponed or untriaged:

CVE-2020-1927: (needs triaging) In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.
CVE-2020-1934: (needs triaging) In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.

2 ignored issues:

CVE-2020-11993: Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
CVE-2020-9490: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

Created: 2021-06-06 Last update: 2021-06-17 04:00

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2019-17567: Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.

Created: 2021-06-06 Last update: 2021-06-17 04:00

7 security issues in buster high

There are 7 open security issues in buster.

7 important issues:

CVE-2019-17567: Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.
CVE-2020-13950: Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service
CVE-2020-35452: Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow
CVE-2021-26690: Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service
CVE-2021-26691: In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow
CVE-2021-30641: Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'
CVE-2021-31618: Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.

Created: 2021-06-06 Last update: 2021-06-17 04:00

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2019-17567: Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.

Created: 2021-06-06 Last update: 2021-06-17 04:00

15 bugs tagged patch in the BTS normal

The BTS contains patches fixing 15 bugs (17 if counting merged bugs), consider including or untagging them.

Created: 2020-10-19 Last update: 2021-06-18 17:00

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2.4.48-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit dd2426de227bf1b62a8adb30d373412105d1dc09
Author: Yadd <yadd@debian.org>
Date:   Thu Jun 10 18:26:42 2021 +0200

    Update CVEs list

commit ff03b76f4d9285003b4f5002afc3f4d0918265f7
Author: Yadd <yadd@debian.org>
Date:   Thu Jun 10 18:20:24 2021 +0200

    Fix changelog: CVEs were fixed in 2.4.48, not 2.4.47

commit 5ec0b2acf94e0e2edda37ec9769b2f68a1f2c0a9
Author: Yadd <yadd@debian.org>
Date:   Thu Jun 10 18:17:01 2021 +0200

    Update d/ch

commit ed1e42132bd9b5a0bfa76928bb32e997d6577924
Author: Yadd <yadd@debian.org>
Date:   Thu Jun 10 18:13:20 2021 +0200

    Merge Bullseye changelog

commit 206167ce27551569422dc2d1fda15586af8b3e31
Author: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Date:   Thu Dec 7 12:09:21 2017 +0100

    d/t/control, d/t/check-http2: basic test for http2 (Closes: #884068)
    
    Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

commit 8a6abf80504499ed1c43d645b33bd68e3afe8b7d
Merge: a0b97448 51f35cf5
Author: Yadd <yadd@debian.org>
Date:   Thu Jun 10 12:10:08 2021 +0200

    Merge branch 'bullseye'

commit 51f35cf5a50cd3a385fde258d42da47af760cc8a
Author: Yadd <yadd@debian.org>
Date:   Thu Jun 10 12:07:11 2021 +0200

    releasing package apache2 version 2.4.46-5

commit 3290146cbe9f2a0b270be79ec7594f249f983f48
Author: Yadd <yadd@debian.org>
Date:   Thu Jun 10 11:57:24 2021 +0200

    Fix "NULL pointer dereference on specially crafted HTTP/2 request" (Closes: #989562, CVE-2021-31618)

commit 6a41612e278bcedd0b1be1bb4bfe5d757b5bc8c3
Author: Yadd <yadd@debian.org>
Date:   Tue Jun 8 12:13:10 2021 +0200

    Revert "Import the whole HTTP2 module from 2.4.48 (Closes: #989562, CVE-2021-31618)"
    
    This reverts commit 77aadf7b7d4f28684d9ddf97f447719245737090.

commit 77aadf7b7d4f28684d9ddf97f447719245737090
Author: Yadd <yadd@debian.org>
Date:   Tue Jun 8 08:08:16 2021 +0200

    Import the whole HTTP2 module from 2.4.48 (Closes: #989562, CVE-2021-31618)
    
    x

Created: 2021-01-11 Last update: 2021-06-11 18:34

lintian reports 4 warnings normal

Lintian reports 4 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-01-27 Last update: 2021-05-27 22:03

RFH: The maintainer is looking for help with this package. normal

The current maintainer is looking for someone who can help with the maintenance of this package. If you are interested in this package, please consider helping out. One way you can help is offer to be a co-maintainer or triage bugs in the BTS. Please see bug number #910917 for more information.

Created: 2018-10-13 Last update: 2020-01-27 22:50

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2018-07-28 Last update: 2018-07-28 20:07

testing migrations

This package will soon be part of the auto-openldap transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2021-06-15] apache2 2.4.46-6 MIGRATED to testing (Debian testing watch)
[2021-06-10] Accepted apache2 2.4.46-6 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-06-10] Accepted apache2 2.4.46-5 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-06-08] Accepted apache2 2.4.48-1 (source) into experimental (Ondřej Surý)
[2021-04-29] Accepted apache2 2.4.47-1 (source) into experimental (Yadd) (signed by: Xavier Guimard)
[2021-01-20] Accepted apache2 2.4.46-4~bpo10+1 (source) into buster-backports (Xavier Guimard)
[2021-01-15] apache2 2.4.46-4 MIGRATED to testing (Debian testing watch)
[2021-01-11] Accepted apache2 2.4.46-4 (source) into unstable (Xavier Guimard)
[2021-01-10] Accepted apache2 2.4.46-3 (source) into unstable (Xavier Guimard)
[2020-11-18] apache2 2.4.46-2 MIGRATED to testing (Debian testing watch)
[2020-11-13] Accepted apache2 2.4.46-2 (source) into unstable (Xavier Guimard)
[2020-09-11] Accepted apache2 2.4.46-1~bpo9+1 (source) into stretch-backports-sloppy->backports-policy, stretch-backports-sloppy (Debian FTP Masters) (signed by: Xavier Guimard)
[2020-09-05] Accepted apache2 2.4.38-3+deb10u4 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2020-08-31] Accepted apache2 2.4.46-1~bpo10+1 (source) into buster-backports (Xavier Guimard)
[2020-08-31] Accepted apache2 2.4.38-3+deb10u4 (source) into stable->embargoed, stable (Debian FTP Masters) (signed by: Xavier Guimard)
[2020-08-10] apache2 2.4.46-1 MIGRATED to testing (Debian testing watch)
[2020-08-08] Accepted apache2 2.4.46-1 (source) into unstable (Xavier Guimard)
[2020-05-12] Accepted apache2 2.4.43-1~bpo9+1 (source amd64 all) into stretch-backports-sloppy->backports-policy, stretch-backports-sloppy (Debian FTP Masters) (signed by: Xavier Guimard)
[2020-05-10] Accepted apache2 2.4.43-1~bpo10+1 (source) into buster-backports (Xavier Guimard)
[2020-04-03] apache2 2.4.43-1 MIGRATED to testing (Debian testing watch)
[2020-03-31] Accepted apache2 2.4.43-1 (source) into unstable (Xavier Guimard)
[2020-03-21] apache2 2.4.41-5 MIGRATED to testing (Debian testing watch)
[2020-03-18] Accepted apache2 2.4.41-5 (source) into unstable (Xavier Guimard)
[2020-02-09] apache2 2.4.41-4 MIGRATED to testing (Debian testing watch)
[2020-02-07] Accepted apache2 2.4.41-4 (source) into unstable (Xavier Guimard)
[2020-02-05] Accepted apache2 2.4.41-3 (source) into unstable (Xavier Guimard)
[2020-01-17] apache2 2.4.41-2 MIGRATED to testing (Debian testing watch)
[2020-01-13] Accepted apache2 2.4.41-2 (source) into unstable (Xavier Guimard)
[2019-10-19] Accepted apache2 2.4.38-3+deb10u3 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2019-10-19] Accepted apache2 2.4.38-3+deb10u2 (source) into proposed-updates->stable-new, proposed-updates (Xavier Guimard)

bugs [bug history graph]

all: 188 193
RC: 1
I&N: 127 129
M&W: 58 61
F&P: 2
patch: 15 17

links

homepage
lintian (0, 4)
buildd: logs, exp, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.4.46-4ubuntu1
63 bugs (4 patches)
patches for 2.4.46-4ubuntu1