=======================================================================
===
Ubuntu Security Notice USN-6885-6
August 13, 2025

apache2 regression
=======================================================================
===

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

USN-6885-1 introduced a regression in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

USN-6885-1 fixed vulnerabilities in Apache. The patch for
CVE-2024-38474 was incomplete and caused a regression.
This update provides the fix for this issue.

Original advisory details:

 Orange Tsai discovered that the Apache HTTP Server mod_rewrite
 module incorrectly handled certain substitutions. A remote attacker
 could possibly use this issue to execute scripts in directories
 not directly reachable by any URL, or cause a denial of service.
 Some environments may require using the new UnsafeAllow3F flag
 to handle unsafe substitutions. (CVE-2024-38474)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  apache2                         2.4.58-1ubuntu8.8

Ubuntu 22.04 LTS
  apache2                         2.4.52-1ubuntu4.16

In general, a standard system update will make all the necessary
changes.

References:
  https://ubuntu.com/security/notices/USN-6885-6
  https://ubuntu.com/security/notices/USN-6885-5
  https://ubuntu.com/security/notices/USN-6885-4
  https://ubuntu.com/security/notices/USN-6885-3
  https://ubuntu.com/security/notices/USN-6885-2
  https://ubuntu.com/security/notices/USN-6885-1
  https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2119395

Package Information:
  https://launchpad.net/ubuntu/+source/apache2/2.4.58-1ubuntu8.8
  https://launchpad.net/ubuntu/+source/apache2/2.4.52-1ubuntu4.16