Security
Headlines
HeadlinesLatestCVEs

Headline

Debian Security Advisory 5729-2

Debian Linux Security Advisory 5729-2 - The fixes for CVE-2024-38474 and CVE-2024-39884 introduced two regressions in mod_rewrite and mod_proxy.

Packet Storm
#linux#debian#apache

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Debian Security Advisory DSA-5729-2 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
October 08, 2024 https://www.debian.org/security/faq


Package : apache2
Debian Bug : 1079172 1079206

The fixes for CVE-2024-38474 and CVE-2024-39884 introduced two
regressions in mod_rewrite and mod_proxy.

For the stable distribution (bookworm), these problems have been fixed in
version 2.4.62-1~deb12u2.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcFlPAACgkQEMKTtsN8
TjYXsBAAmEc/DBZN7SjocvWn5mSLFhHmn5amtaEYfQrmkvS6bDWIGK91ezydYmGW
CqvkIanyCPmx1d79kSlwGySNRxK1bb0JYhgblN6nwV7DlCqL08xELh1zn94nx8HG
v0YhrHN769P44weq96x/84lc+PImolKv8UB6CkJX5OvcSoDV01XtxvX4ynWsAoUd
9N7yB6MZL+6znCY08TLvuVE/5bDfXuM/u0sabIvuSRbrVVuShmznmeXbuULAc9y7
POfmXCAdMM0znyM+ZxxLO9ou9bUP2kJJvRT+M8mo872s/8bbUmRPPkw+SNWFcJTV
ShcWze2fh27B7Rpd3yCrItqXZwoojQUKX4lsYbk6BVy4RLWEuyeLB9Mhm23tO0uO
8jYGEbgD/6vnhVTsIpVCKMiv3Q0IPvrUQnkF3LKxtoiVolgkcpzAU3q9ZtFfHAjJ
8dhIe2GyUJaJ6Ajnl14n1ffycNdc1giKNlNsoFFphEFyvuQIu3Bf+IajDHIN41JQ
h379u0znHIE53P1O6rhKG1F9j7SYq1FKkKgdqgjXGXnbYV9uBnpg2bWX9ilCDiYm
i+rWI3CRBVDt7tuTt0M1z6PF1GV44thrTDTjT8TTc8VsNDcCdZHWWHw2PVzRpA3R
/9OFQH8icMPs1Z/xPychUn0VSO+Iijp2qFT1/IlqUu7LoFdTz80=
=tQ62
-----END PGP SIGNATURE-----

Related news

Gentoo Linux Security Advisory 202409-31

Gentoo Linux Security Advisory 202409-31 - Multiple vulnerabilities have been found in Apache HTTPD, the worst of which could result in denial of service. Versions greater than or equal to 2.4.62 are affected.

Gentoo Linux Security Advisory 202409-31

Gentoo Linux Security Advisory 202409-31 - Multiple vulnerabilities have been found in Apache HTTPD, the worst of which could result in denial of service. Versions greater than or equal to 2.4.62 are affected.

Ubuntu Security Notice USN-6885-3

Ubuntu Security Notice 6885-3 - USN-6885-1 fixed several vulnerabilities in Apache. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Orange Tsai discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain substitutions. A remote attacker could possibly use this issue to execute scripts in directories not directly reachable by any URL, or cause a denial of service. Some environments may require using the new UnsafeAllow3F flag to handle unsafe substitutions.

Red Hat Security Advisory 2024-4943-03

Red Hat Security Advisory 2024-4943-03 - An update for httpd is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

Red Hat Security Advisory 2024-4938-03

Red Hat Security Advisory 2024-4938-03 - An update for httpd is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support. Issues addressed include a null pointer vulnerability.

Red Hat Security Advisory 2024-4830-03

Red Hat Security Advisory 2024-4830-03 - An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include a null pointer vulnerability.

Red Hat Security Advisory 2024-4827-03

Red Hat Security Advisory 2024-4827-03 - An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a null pointer vulnerability.

Red Hat Security Advisory 2024-4820-03

Red Hat Security Advisory 2024-4820-03 - An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a null pointer vulnerability.

Debian Security Advisory 5729-1

Debian Linux Security Advisory 5729-1 - Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in authentication bypass, execution of scripts in directories not directly reachable by any URL, server-side request forgery or denial of service.

Ubuntu Security Notice USN-6885-2

Ubuntu Security Notice 6885-2 - USN-6885-1 fixed vulnerabilities in Apache HTTP Server. One of the security fixes introduced a regression when proxying requests to a HTTP/2 server. This update fixes the problem. Marc Stern discovered that the Apache HTTP Server incorrectly handled serving WebSocket protocol upgrades over HTTP/2 connections. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. Orange Tsai discovered that the Apache HTTP Server mod_proxy module incorrectly sent certain request URLs with incorrect encodings to backends. A remote attacker could possibly use this issue to bypass authentication. Orange Tsai discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain substitutions. A remote attacker could possibly use this issue to execute scripts in directories not directly reachable by any URL, or cause a denial of service. Some environments may require using the new UnsafeAllow3F flag to h...

Ubuntu Security Notice USN-6885-2

Ubuntu Security Notice 6885-2 - USN-6885-1 fixed vulnerabilities in Apache HTTP Server. One of the security fixes introduced a regression when proxying requests to a HTTP/2 server. This update fixes the problem. Marc Stern discovered that the Apache HTTP Server incorrectly handled serving WebSocket protocol upgrades over HTTP/2 connections. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. Orange Tsai discovered that the Apache HTTP Server mod_proxy module incorrectly sent certain request URLs with incorrect encodings to backends. A remote attacker could possibly use this issue to bypass authentication. Orange Tsai discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain substitutions. A remote attacker could possibly use this issue to execute scripts in directories not directly reachable by any URL, or cause a denial of service. Some environments may require using the new UnsafeAllow3F flag to h...

Ubuntu Security Notice USN-6885-1

Ubuntu Security Notice 6885-1 - Marc Stern discovered that the Apache HTTP Server incorrectly handled serving WebSocket protocol upgrades over HTTP/2 connections. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. Orange Tsai discovered that the Apache HTTP Server mod_proxy module incorrectly sent certain request URLs with incorrect encodings to backends. A remote attacker could possibly use this issue to bypass authentication.

Ubuntu Security Notice USN-6885-1

Ubuntu Security Notice 6885-1 - Marc Stern discovered that the Apache HTTP Server incorrectly handled serving WebSocket protocol upgrades over HTTP/2 connections. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. Orange Tsai discovered that the Apache HTTP Server mod_proxy module incorrectly sent certain request URLs with incorrect encodings to backends. A remote attacker could possibly use this issue to bypass authentication.

Packet Storm: Latest News

Zeek 6.0.9