Univention Bugzilla – Bug 53562
apache2: Multiple issues (5.0)
Last modified: 2021-07-14 18:01:27 CEST
New Debian apache2 2.4.38-3+deb10u5A~5.0.0.202107120954 fixes:

This update addresses the following issues:
* Single zero byte stack overflow in mod_auth_digest (CVE-2020-35452)
* mod_session NULL pointer dereference in parser (CVE-2021-26690)
* Heap overflow in mod_session (CVE-2021-26691)
* MergeSlashes regression (CVE-2021-30641)
* NULL pointer dereference on specially crafted HTTP/2 request (CVE-2021-31618)
--- mirror/ftp/pool/main/a/apache2/apache2_2.4.38-3+deb10u4A~5.0.0.202009030844.dsc +++ apt/ucs_5.0-0-errata5.0-0/source/apache2_2.4.38-3+deb10u5A~5.0.0.202107120954.dsc @@ -1,7 +1,14 @@ -2.4.38-3+deb10u4A~5.0.0.202009030844 [Thu, 03 Sep 2020 09:12:26 +0200] Univention builddaemon <buildd@univention.de>: +2.4.38-3+deb10u5A~5.0.0.202107120954 [Mon, 12 Jul 2021 09:54:54 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 20-no-proxy + +2.4.38-3+deb10u5 [Thu, 10 Jun 2021 12:13:06 +0200] Yadd <yadd@debian.org>: + + * Fix "NULL pointer dereference on specially crafted HTTP/2 request" + (Closes: #989562, CVE-2021-31618) + * Fix various low security issues (Closes: CVE-2020-35452, CVE-2021-26690, + CVE-2021-26691, CVE-2021-30641) and fix related test 2.4.38-3+deb10u4 [Tue, 25 Aug 2020 22:08:29 +0200] Xavier Guimard <yadd@debian.org>: <http://piuparts.knut.univention.de/5.0-0/#767108358698564609>
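Review bot: In the added 2.4.38-3+deb10u5 changelog entry, the second bullet groups CVE-2020-35452, CVE-2021-26690, CVE-2021-26691 and CVE-2021-30641 under "Fix various low security issues" with no per-issue description, so someone reading only the changelog cannot tell which module each fix touches. Suggest one bullet per CVE that names the affected component, matching the erratum text on this bug (mod_auth_digest, mod_session parser, mod_session heap overflow, MergeSlashes), in the same style as the first bullet for CVE-2021-31618.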
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-0] 025808d821 Bug #53562: apache2 2.4.38-3+deb10u5A~5.0.0.202107120954
 doc/errata/staging/apache2.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x45>