apache2 - Debian Package Tracker

general

source: apache2 (main)
version: 2.4.54-1
maintainer: Debian Apache Maintainers (archive) (DMD)
uploaders: Stefan Fritsch [DMD] – Arno Töll [DMD] – Yadd [DMD] – Ondřej Surý [DMD]
arch: all any
std-ver: 4.6.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.4.25-3+deb9u9
o-o-sec: 2.4.25-3+deb9u13
o-o-bpo-sl: 2.4.46-1~bpo9+1
oldstable: 2.4.38-3+deb10u5
old-sec: 2.4.38-3+deb10u7
old-bpo: 2.4.52-1~bpo10+1
stable: 2.4.51-1~deb11u1
stable-sec: 2.4.52-1~deb11u2
testing: 2.4.54-1
unstable: 2.4.54-1

versioned links

2.4.25-3+deb9u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.25-3+deb9u13: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.38-3+deb10u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.38-3+deb10u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.46-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.51-1~deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.52-1~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.52-1~deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.54-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

apache2 (116 bugs: 1, 76, 39, 0)
apache2-bin (40 bugs: 0, 31, 9, 0)
apache2-data
apache2-dev (4 bugs: 0, 2, 2, 0)
apache2-doc (4 bugs: 0, 2, 2, 0)
apache2-ssl-dev
apache2-suexec-custom (3 bugs: 0, 2, 1, 0)
apache2-suexec-pristine (3 bugs: 0, 1, 2, 0)
apache2-utils (8 bugs: 0, 4, 4, 0)
libapache2-mod-md
libapache2-mod-proxy-uwsgi (1 bugs: 0, 1, 0, 0)

action needed

11 security issues in stretch high

There are 11 open security issues in stretch.

7 important issues:

CVE-2022-26377: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.
CVE-2022-28614: The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue.
CVE-2022-28615: Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.
CVE-2022-29404: In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.
CVE-2022-30522: If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
CVE-2022-30556: Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
CVE-2022-31813: Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.

1 issue postponed or untriaged:

CVE-2021-33193: (postponed; to be fixed through a stable update) A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

3 ignored issues:

CVE-2020-9490: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
CVE-2019-17567: Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.
CVE-2020-11993: Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

Created: 2022-06-08 Last update: 2022-06-22 19:37

lintian reports 1 error and 16 warnings high

Lintian reports 1 error and 16 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-10-13 Last update: 2022-01-01 04:31

16 bugs tagged patch in the BTS normal

The BTS contains patches fixing 16 bugs (18 if counting merged bugs), consider including or untagging them.

Created: 2021-08-14 Last update: 2022-06-29 04:00

RFH: The maintainer is looking for help with this package. normal

The current maintainer is looking for someone who can help with the maintenance of this package. If you are interested in this package, please consider helping out. One way you can help is offer to be a co-maintainer or triage bugs in the BTS. Please see bug number #910917 for more information.

Created: 2018-10-13 Last update: 2020-01-27 22:50

9 low-priority security issues in buster low

There are 9 open security issues in buster.

8 issues left for the package maintainer to handle:

CVE-2021-33193: (postponed; to be fixed through a stable update) A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
CVE-2022-26377: (needs triaging) Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.
CVE-2022-28614: (needs triaging) The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue.
CVE-2022-28615: (needs triaging) Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.
CVE-2022-29404: (needs triaging) In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.
CVE-2022-30522: (needs triaging) If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
CVE-2022-30556: (needs triaging) Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
CVE-2022-31813: (needs triaging) Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:

CVE-2019-17567: Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.

4 issues that should be fixed with the next stable update:

CVE-2022-22719: A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.
CVE-2022-22720: Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling
CVE-2022-22721: If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
CVE-2022-23943: Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.

Created: 2021-06-06 Last update: 2022-06-22 19:37

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2018-07-28 Last update: 2018-07-28 20:07

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.6.0).

Created: 2022-05-11 Last update: 2022-06-09 11:38

news

[rss feed]

[2022-06-11] apache2 2.4.54-1 MIGRATED to testing (Debian testing watch)
[2022-06-09] Accepted apache2 2.4.54-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-05-07] Accepted apache2 2.4.53-2~bpo10+1 (source amd64 all) into oldstable-backports-sloppy->backports-policy, oldstable-backports-sloppy (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-03-22] Accepted apache2 2.4.25-3+deb9u13 (source) into oldoldstable (Emilio Pozuelo Monfort)
[2022-03-19] Accepted apache2 2.4.53-1~deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-03-18] apache2 2.4.53-2 MIGRATED to testing (Debian testing watch)
[2022-03-15] Accepted apache2 2.4.53-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-03-14] Accepted apache2 2.4.53-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-02-08] Accepted apache2 2.4.52-1~bpo10+1 (source) into buster-backports->backports-policy, buster-backports (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-02-01] Accepted apache2 2.4.25-3+deb9u12 (source) into oldoldstable (Anton Gladky)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.38-3+deb10u7 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-08] Accepted apache2 2.4.52-1~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)

bugs [bug history graph]

all: 193 198
RC: 1
I&N: 134 136
M&W: 57 60
F&P: 1
patch: 16 18

links

homepage
lintian (1, 16)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.4.53-2ubuntu1
59 bugs (4 patches)
patches for 2.4.53-2ubuntu1