USN-4994-1: Apache HTTP Server vulnerabilities

21 June 2021

Several security issues were fixed in Apache HTTP Server.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

Details

Marc Stern discovered that the Apache mod_proxy_http module incorrectly
handled certain requests. A remote attacker could possibly use this issue
to cause Apache to crash, resulting in a denial of service. This issue only
affected Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2020-13950)

Antonio Morales discovered that the Apache mod_auth_digest module
incorrectly handled certain Digest nonces. A remote attacker could possibly
use this issue to cause Apache to crash, resulting in a denial of service.
(CVE-2020-35452)

Antonio Morales discovered that the Apache mod_session module incorrectly
handled certain Cookie headers. A remote attacker could possibly use this
issue to cause Apache to crash, resulting in a denial of service.
(CVE-2021-26690)

Christophe Jaillet discovered that the Apache mod_session module
incorrectly handled certain SessionHeader values. A remote attacker could
use this issue to cause Apache to crash, resulting in a denial of service,
or possibly execute arbitrary code. (CVE-2021-26691)

Christoph Anton Mitterer discovered that the new MergeSlashes configuration
option resulted in unexpected behaviour in certain situations.
(CVE-2021-30641)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 21.04
Ubuntu 20.10
Ubuntu 20.04
Ubuntu 18.04

In general, a standard system update will make all the necessary changes.

Related notices