Advisory: CLSA-2022:1656430949
OS: Ubuntu 16.04 ELS
Public date: 2022-06-28 00:00:00
Project: apache2
Version: 1:2.4.18-2ubuntu3.17+tuxcare.els5
Errata link: https://errata.tuxcare.com/els_os/ubuntu16.04els/CLSA-2022-1656430949.html
Changelog:
  * SECURITY UPDATE: mod_sed may make excessively large memory allocations and trigger an abort
    - debian/patches/CVE-2022-30522.patch: limit mod_sed memory usage
    - CVE-2022-30522
  * SECURITY UPDATE: HTTP request smuggling in mod_proxy_ajp
    - debian/patches/CVE-2022-26377.patch: parse request headers in such a way that Transfer-Encoding has precedence over Content-Length
    - CVE-2022-26377
  * SECURITY UPDATE: possible out-of-bounds read in ap_strcmp_match() with an extremely large input buffer
    - debian/patches/CVE-2022-28615.patch: use apr_size_t (e.g. long) for array indexing
    - CVE-2022-28615
  * SECURITY UPDATE: mod_lua r:wsread() may return a length that points past the end of the storage allocated for the buffer
    - debian/patches/CVE-2022-30556.patch: consistently use lua_websocket_readbytes() and check the return value
    - CVE-2022-30556
  * SECURITY UPDATE: mod_proxy may not send the X-Forwarded-* headers to the origin server, based on the client-side Connection header hop-by-hop mechanism
    - debian/patches/CVE-2022-31813.patch: preserve original request headers so an upstream knows what the original request hostname was
    - CVE-2022-31813
Update command:
  apt-get update
  apt-get --only-upgrade install apache*
Packages:
  apache2_2.4.18-2ubuntu3.17+tuxcare.els5_amd64.deb
  apache2-bin_2.4.18-2ubuntu3.17+tuxcare.els5_amd64.deb
  apache2-data_2.4.18-2ubuntu3.17+tuxcare.els5_all.deb
  apache2-dev_2.4.18-2ubuntu3.17+tuxcare.els5_amd64.deb
  apache2-doc_2.4.18-2ubuntu3.17+tuxcare.els5_all.deb
  apache2-suexec-custom_2.4.18-2ubuntu3.17+tuxcare.els5_amd64.deb
  apache2-suexec-pristine_2.4.18-2ubuntu3.17+tuxcare.els5_amd64.deb
  apache2-utils_2.4.18-2ubuntu3.17+tuxcare.els5_amd64.deb