New Debian apache2 2.4.59-1~deb10u3A~5.0.9.202409251402 fixes:

This update addresses the following issues:

2.4.59-1~deb10u3 (Mon, 16 Sep 2024 20:34:52 +0000)
 * Team upload by ELTS team
 * Fix CVE-2024-38474: Substitution encoding issue in mod_rewrite in Apache HTTP Server allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or source disclosure of scripts meant only to be executed as CGI. Some RewriteRules that capture and substitute unsafely will now fail unless the rewrite flag "UnsafeAllow3F" is specified.
 * Fix CVE-2024-38475: Improper escaping of output in mod_rewrite in Apache HTTP allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreference or variable as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change; the rewrite flag "UnsafePrefixStat" can be used to opt back in once the substitution is appropriately constrained.
 * Fix CVE-2024-38474 regression
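To make the changelog concrete, the following is an added illustration (not from the Debian changelog or the UCS package) of the rule shapes the two CVE entries describe, written as an Apache server-context configuration; the paths and URL patterns are hypothetical:

```apache
RewriteEngine On

# Affected class (CVE-2024-38475): a RewriteRule in server context whose
# substitution begins with a backreference. After this update such a rule
# may stop working unless the UnsafePrefixStat flag is added.
RewriteRule "^/serve/(.*)$" "$1" [L]

# Preferred repair: give the substitution a literal first segment and a
# restrictive capture, so the request cannot influence the prefix.
# /var/www/static is a hypothetical document path.
RewriteRule "^/serve/([A-Za-z0-9_-]+\.html)$" "/var/www/static/$1" [L]

# Opt back in only once the substitution has been constrained; here the
# capture is limited to a safe character class before the flag is used.
RewriteRule "^/legacy/([A-Za-z0-9_-]+)$" "$1" [L,UnsafePrefixStat]

# CVE-2024-38474: rules that capture and substitute unsafely now fail unless
# UnsafeAllow3F is set. Restricting what the capture may contain is the
# better fix than adding the flag.
RewriteRule "^/go/([A-Za-z0-9_-]+)$" "/dispatch.php?page=$1" [L]
```

After upgrading, rules of the first and last shapes are the ones to re-test, since the update changes their behaviour rather than only fixing a library internal.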
--- mirror/ftp/pool/main/a/apache2/apache2_2.4.59-1~deb10u2A~5.0.8.202409020923.dsc +++ apt/ucs_5.0-0-errata5.0-9/source/apache2_2.4.59-1~deb10u3A~5.0.9.202409251402.dsc @@ -1,7 +1,29 @@ -2.4.59-1~deb10u2A~5.0.8.202409020923 [Mon, 02 Sep 2024 09:24:15 -0000] Univention builddaemon <buildd@univention.de>: +2.4.59-1~deb10u3A~5.0.9.202409251402 [Wed, 25 Sep 2024 14:03:40 -0000] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 20-no-proxy.patch + +2.4.59-1~deb10u3 [Mon, 16 Sep 2024 20:34:52 +0000] Bastien Roucariès <rouca@debian.org>: + + * Team upload by ELTS team + * Fix CVE-2024-38474: + Substitution encoding issue in mod_rewrite in Apache HTTP Server + allows attacker to execute scripts in directories + permitted by the configuration but not directly reachable by any URL + or source disclosure of scripts meant to only to be executed as + CGI. Some RewriteRules that capture and substitute unsafely + will now fail unless rewrite flag "UnsafeAllow3F" is specified. + * Fix CVE-2024-38475: + Improper escaping of output in mod_rewrite in Apache HTTP + allows an attacker to map URLs to filesystem locations + that are permitted to be served by the server but are not + intentionally/directly reachable by any URL, resulting in code + execution or source code disclosure. Substitutions in server context + that use a backreferences or variables as the first segment of the + substitution are affected. Some unsafe RewiteRules will be broken by + this change and the rewrite flag "UnsafePrefixStat" can be used to opt + back in once ensuring the substitution is appropriately constrained. + * Fix CVE-2024-38474 regression (Closes: #1079172) 2.4.59-1~deb10u2 [Tue, 20 Aug 2024 23:40:12 +0000] Bastien Roucariès <rouca@debian.org>: <http://piuparts.knut.univention.de/5.0-9/#4663857230101725153>
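Review bot: the changelog entry added in this hunk (from `+ * Fix CVE-2024-38474:` through `+ * Fix CVE-2024-38474 regression (Closes: #1079172)`) states that some existing RewriteRules "will now fail" or "will be broken" unless the UnsafeAllow3F or UnsafePrefixStat flag is added; that is an operational change for anyone running custom mod_rewrite rules in server context and belongs in the advisory wording (the doc/errata/staging/apache2.yaml change) rather than only in the package changelog, so administrators know to re-test their rewrite rules after the update. The typos carried over from the Debian entry ("RewiteRules", "meant to only to be executed", "use a backreferences") are upstream text and can stay verbatim in the .dsc, but should not be copied into the advisory text.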
[5.0-9] 6a0307de5a Bug #57618: Advisory wording
 doc/errata/staging/apache2.yaml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
[5.0-9] 31818caf34 Bug #57618: apache2 2.4.59-1~deb10u3A~5.0.9.202409251402
 doc/errata/staging/apache2.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
OK: bug OK: yaml OK: announce_errata OK: patch OK: piuparts
<https://errata.software-univention.de/#/?erratum=5.0x1126>