enterprise-support team mailing list archive

[Launchpad Bug Tracker <1832182@xxxxxxxxxxxxxxxxxx>]

This bug was fixed in the package apache2 - 2.4.41-4ubuntu3.9

---------------
apache2 (2.4.41-4ubuntu3.9) focal-security; urgency=medium

  * SECURITY UPDATE: DoS or SSRF via forward proxy
    - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
      uri-paths not to be forward-proxied have an http(s) scheme, and that
      the ones to be forward proxied have a hostname in
      include/http_protocol.h, modules/http/http_request.c,
      modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c, server/protocol.c.
    - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
      w/ no hostname in modules/proxy/mod_proxy.c,
      modules/proxy/proxy_util.c.
    - CVE-2021-44224
  * SECURITY UPDATE: overflow in mod_lua multipart parser
    - debian/patches/CVE-2021-44790.patch: improve error handling in
      modules/lua/lua_request.c.
    - CVE-2021-44790

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Wed, 05 Jan 2022
09:49:56 -0500

** Changed in: apache2 (Ubuntu Focal)
       Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44224

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44790

** Changed in: apache2 (Ubuntu Bionic)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1832182

Title:
  systemd unable to detect running apache if invoked via "apache2ctl
  graceful"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1832182/+subscriptions