USN-4994-2: Apache HTTP Server vulnerabilities

21 June 2021

Several security issues were fixed in Apache HTTP Server.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

Details

USN-4994-1 fixed several vulnerabilities in Apache. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

Antonio Morales discovered that the Apache mod_auth_digest module
incorrectly handled certain Digest nonces. A remote attacker could possibly
use this issue to cause Apache to crash, resulting in a denial of service.
(CVE-2020-35452)

Antonio Morales discovered that the Apache mod_session module incorrectly
handled certain Cookie headers. A remote attacker could possibly use this
issue to cause Apache to crash, resulting in a denial of service.
(CVE-2021-26690)

Christophe Jaillet discovered that the Apache mod_session module
incorrectly handled certain SessionHeader values. A remote attacker could
use this issue to cause Apache to crash, resulting in a denial of service,
or possibly execute arbitrary code. (CVE-2021-26691)

Christoph Anton Mitterer discovered that the new MergeSlashes configuration
option resulted in unexpected behaviour in certain situations.
(CVE-2021-30641)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04
Ubuntu 14.04

In general, a standard system update will make all the necessary changes.

Related notices