Release Info

Advisory: CLSA-2021:1635459129

OS: Ubuntu 16.04 ELS

Public date: 2021-10-28 00:00:00

Project: apache2

Version: 2.4.18-2ubuntu3.18

Errata link: https://errata.cloudlinux.com/ubuntu16-els/CLSA-2021-1635459129.html

Changelog

* SECURITY UPDATE: Unexpected URL matching with 'MergeSlashes OFF'
  - debian/patches/CVE-2021-30641.patch: legacy default slash-matching behavior with 'MergeSlashes OFF'.
  - CVE-2021-30641
* SECURITY UPDATE: heap overflow in mod_session
  - debian/patches/CVE-2021-26691.patch: A specially crafted SessionHeader sent by an origin server could cause a heap overflow.
  - CVE-2021-26691
* SECURITY UPDATE: NULL pointer dereference in mod_session
  - debian/patches/CVE-2021-26690.patch: A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service.
  - CVE-2021-26690
* SECURITY UPDATE: mod_auth_digest possible stack overflow by one nul byte
  - debian/patches/CVE-2020-35452.patch: A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest.
  - CVE-2020-35452

Update

Packages list

apache2_2.4.18-2ubuntu3.18_amd64.deb
apache2-bin_2.4.18-2ubuntu3.18_amd64.deb
apache2-data_2.4.18-2ubuntu3.18_all.deb
apache2-dev_2.4.18-2ubuntu3.18_amd64.deb
apache2-doc_2.4.18-2ubuntu3.18_all.deb
apache2-suexec-custom_2.4.18-2ubuntu3.18_amd64.deb
apache2-suexec-pristine_2.4.18-2ubuntu3.18_amd64.deb
apache2-utils_2.4.18-2ubuntu3.18_amd64.deb

CVEs

CVE-2021-26690
CVE-2020-35452
CVE-2021-30641
CVE-2021-26691