Univention Bugzilla – Bug 54298
apache2: Multiple issues (5.0)
Last modified: 2022-01-05 17:44:44 CET
New Debian apache2 2.4.38-3+deb10u7 fixes:

This update addresses the following issues:
* possible NULL dereference or SSRF in forward proxy configurations (CVE-2021-44224)
* mod_lua: possible buffer overflow when parsing multipart content (CVE-2021-44790)
--- mirror/ftp/pool/main/a/apache2/apache2_2.4.38-3+deb10u6A~5.0.0.202110130658.dsc +++ apt/ucs_5.0-0-errata5.0-1/source/apache2_2.4.38-3+deb10u7.dsc @@ -1,7 +1,10 @@ -2.4.38-3+deb10u6A~5.0.0.202110130658 [Wed, 13 Oct 2021 06:58:04 +0200] Univention builddaemon <buildd@univention.de>: +2.4.38-3+deb10u7 [Tue, 21 Dec 2021 17:50:43 +0100] Yadd <yadd@debian.org>: - * UCS auto build. The following patches have been applied to the original source package - 20-no-proxy + * Fix possible NULL dereference or SSRF in forward proxy configurations + (CVE-2021-44224) + * lua: improve error handling (Closes: CVE-2021-44790) + * mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO + (relaxes the behaviour introduced by the CVE-2021-36160 fix) 2.4.38-3+deb10u6 [Thu, 30 Sep 2021 05:50:49 +0200] Yadd <yadd@debian.org>: <http://piuparts.knut.univention.de/5.0-1/#5462403678323811604>
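Review bot: the two removed lines under the old version header ("UCS auto build ..." and "20-no-proxy") have no counterpart on the added side, so the imported 2.4.38-3+deb10u7 is the plain Debian source without the Univention 20-no-proxy patch. The package should be rebuilt with that patch re-applied before the erratum is released, and the new .dsc changelog should again list 20-no-proxy under a "UCS auto build" entry.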
(In reply to Quality Assurance from comment #1)
> - * UCS auto build. The following patches have been applied to the original
> source package
> - 20-no-proxy

patches got dropped - again Bug #49600

Package: apache2
Version: 2.4.38-3+deb10u7A~5.0.0.202201051001
Branch: ucs_5.0-0
Scope: errata5.0-1

[5.0-1] 2c0ad6e5e8 Bug #54298: apache2 2.4.38-3+deb10u7A~5.0.0.202201051001
 doc/errata/staging/apache2.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- mirror/ftp/pool/main/a/apache2/apache2_2.4.38-3+deb10u6A~5.0.0.202110130658.dsc +++ apt/ucs_5.0-0-errata5.0-1/source/apache2_2.4.38-3+deb10u7A~5.0.0.202201051001.dsc @@ -1,7 +1,15 @@ -2.4.38-3+deb10u6A~5.0.0.202110130658 [Wed, 13 Oct 2021 06:58:04 +0200] Univention builddaemon <buildd@univention.de>: +2.4.38-3+deb10u7A~5.0.0.202201051001 [Wed, 05 Jan 2022 10:01:19 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 20-no-proxy + +2.4.38-3+deb10u7 [Tue, 21 Dec 2021 17:50:43 +0100] Yadd <yadd@debian.org>: + + * Fix possible NULL dereference or SSRF in forward proxy configurations + (CVE-2021-44224) + * lua: improve error handling (Closes: CVE-2021-44790) + * mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO + (relaxes the behaviour introduced by the CVE-2021-36160 fix) 2.4.38-3+deb10u6 [Thu, 30 Sep 2021 05:50:49 +0200] Yadd <yadd@debian.org>: <http://piuparts.knut.univention.de/5.0-1/#4467154882078320736>
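Review bot: the mod_proxy_uwsgi entry in the added 2.4.38-3+deb10u7 block "relaxes the behaviour introduced by the CVE-2021-36160 fix" and carries no CVE of its own, so it is easy to overlook next to the two CVE items. Suggest mentioning it in doc/errata/staging/apache2.yaml and checking PATH_INFO handling on a mod_proxy_uwsgi setup as part of QA. The retained "20-no-proxy" line under the new "UCS auto build" header shows the Univention patch is applied again in this build.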
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-1] 2c0ad6e5e8 Bug #54298: apache2 2.4.38-3+deb10u7A~5.0.0.202201051001
 doc/errata/staging/apache2.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[5.0-1] 67fba84691 Bug #54298: apache2 2.4.38-3+deb10u7
 doc/errata/staging/apache2.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x178>