Several security issues were fixed in Apache HTTP Server.
Software Description:
- apache2: Apache HTTP server
Details:
Marc Stern discovered that the Apache HTTP Server incorrectly handled
serving WebSocket protocol upgrades over HTTP/2 connections. A remote
attacker could possibly use this issue to cause the server to crash,
resulting in a denial of service. (CVE-2024-36387)
Orange Tsai discovered that the Apache HTTP Server mod_proxy module
incorrectly sent certain request URLs with incorrect encodings to backends.
A remote attacker could possibly use this issue to bypass authentication.
(CVE-2024-38473)
Orange Tsai discovered that the Apache HTTP Server mod_rewrite module
incorrectly handled certain substitutions. A remote attacker could possibly
use this issue to execute scripts in directories not directly reachable
by any URL, or cause a denial of service. Some environments may require
using the new UnsafeAllow3F flag to handle unsafe substitutions.
...
The problem can be corrected by updating your system to the following
package versions:
- Ubuntu 24.04 LTS: apache2 2.4.58-1ubuntu8.2
- Ubuntu 23.10: apache2 2.4.57-2ubuntu2.5
- Ubuntu 22.04 LTS: apache2 2.4.52-1ubuntu4.10
- Ubuntu 20.04 LTS: apache2 2.4.41-4ubuntu3.19
In general, a standard system update will make all the necessary changes.
https://ubuntu.com/security/notices/USN-6885-1
CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475,
CVE-2024-38476, CVE-2024-38477, CVE-2024-39573, CVE-2024-39884