Monday, April 7, 2025

[USN-6885-4] Apache HTTP Server regression

==========================================================================
Ubuntu Security Notice USN-6885-4
April 07, 2025

apache2 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

USN-6885-1 introduced a regression in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

USN-6885-1 fixed a vulnerability in Apache. The patch
for CVE-2024-38474 was incomplete and caused regressions.
This update provides the fix for that issue.

Original advisory details:

Orange Tsai discovered that the Apache HTTP Server mod_rewrite module
incorrectly handled certain substitutions. A remote attacker could
possibly use this issue to execute scripts in directories not directly
reachable by any URL, or cause a denial of service. Some environments
may require using the new UnsafeAllow3F flag to handle unsafe
substitutions. (CVE-2024-38474)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
apache2 2.4.62-1ubuntu1.1

Ubuntu 24.04 LTS
apache2 2.4.58-1ubuntu8.6

Ubuntu 22.04 LTS
apache2 2.4.52-1ubuntu4.14

Ubuntu 20.04 LTS
apache2 2.4.41-4ubuntu3.23

Ubuntu 18.04 LTS
apache2 2.4.29-1ubuntu4.27+esm4
Available with Ubuntu Pro

Ubuntu 16.04 LTS
apache2 2.4.18-2ubuntu3.17+esm14
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6885-4
https://ubuntu.com/security/notices/USN-6885-3
https://ubuntu.com/security/notices/USN-6885-2
https://ubuntu.com/security/notices/USN-6885-1
https://launchpad.net/bugs/2103723

Package Information:
https://launchpad.net/ubuntu/+source/apache2/2.4.62-1ubuntu1.1
https://launchpad.net/ubuntu/+source/apache2/2.4.58-1ubuntu8.6
https://launchpad.net/ubuntu/+source/apache2/2.4.52-1ubuntu4.14
https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.23

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)