enterprise-support team mailing list archive

Thread
Date

[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1945311@xxxxxxxxxxxxxxxxxx>
Date: Tue, 28 Sep 2021 13:24:29 -0000
Reply-to: Bug 1945311 <1945311@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

This bug was fixed in the package apache2 - 2.4.41-4ubuntu3.6

---------------
apache2 (2.4.41-4ubuntu3.6) focal-security; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Tue, 28 Sep 2021
07:00:45 -0400

** Changed in: apache2 (Ubuntu Focal)
       Status: Confirmed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-40438

** Changed in: apache2 (Ubuntu Bionic)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1945311

Title:
  Fix for CVE-2021-40438 breaks existing configs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1945311/+subscriptions

References

[Bug 1945311] [NEW] Fix for CVE-2021-40438 breaks existing configs
From: Jean-Louis Dupond, 2021-09-28