enterprise-support team mailing list archive

Thread
Date

[Bug 1971248] Re: Merge apache2 from Debian unstable for kinetic

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1971248@xxxxxxxxxxxxxxxxxx>
Date: Wed, 08 Jun 2022 00:43:40 -0000
Reply-to: Bug 1971248 <1971248@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

This bug was fixed in the package apache2 - 2.4.53-2ubuntu1

---------------
apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium

  * Merge with Debian unstable (LP: #1971248). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
      (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.
      (LP 1288690)
    - d/index.html, d/icons/ubuntu-logo.png:  Refresh page design and
      new logo
      (LP 1966004)
    - d/apache2.postrm: Include md5 sum for updated index.html
  * Dropped:
    - OOB read in mod_lua via crafted request body
      + d/p/CVE-2022-22719.patch: error out if lua_read_body() or
        lua_write_body() fail in modules/lua/lua_request.c.
      [Fixed in 2.4.53 upstream]
    - HTTP Request Smuggling via error discarding the
      request body
      + d/p/CVE-2022-22720.patch: simpler connection close logic
        if discarding the request body fails in modules/http/http_filters.c,
        server/protocol.c.
      [Fixed in 2.4.53 upstream]
    - overflow via large LimitXMLRequestBody
      + d/p/CVE-2022-22721.patch: make sure and check that
        LimitXMLRequestBody fits in system memory in server/core.c,
        server/util.c, server/util_xml.c.
      [Fixed in 2.4.53 upstream]
    - out-of-bounds write in mod_sed
      + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger
        buffer sizes and unsigned arithmetics in modules/filters/libsed.h,
        modules/filters/mod_sed.c, modules/filters/sed1.c.
      + d/p/CVE-2022-23943-2.patch: improve the logic flow in
        modules/filters/mod_sed.c.
      [Fixed in 2.4.53 upstream]

 -- Bryce Harrington <bryce@xxxxxxxxxxxxx>  Mon, 23 May 2022 19:34:18
-0700

** Changed in: apache2 (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22719

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22720

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22721

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-23943

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1971248

Title:
  Merge apache2 from Debian unstable for kinetic

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1971248/+subscriptions

References

[Bug 1971248] [NEW] Merge apache2 from Debian unstable for kinetic
From: Bryce Harrington, 2022-05-03