USN-4994-2: Apache HTTP Server vulnerabilities
21 June 2021
Several security issues were fixed in Apache HTTP Server.
- apache2 - Apache HTTP server
USN-4994-1 fixed several vulnerabilities in Apache. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
Antonio Morales discovered that the Apache mod_auth_digest module
incorrectly handled certain Digest nonces. A remote attacker could possibly
use this issue to cause Apache to crash, resulting in a denial of service.
Antonio Morales discovered that the Apache mod_session module incorrectly
handled certain Cookie headers. A remote attacker could possibly use this
issue to cause Apache to crash, resulting in a denial of service.
Christophe Jaillet discovered that the Apache mod_session module
incorrectly handled certain SessionHeader values. A remote attacker could
use this issue to cause Apache to crash, resulting in a denial of service,
or possibly execute arbitrary code. (CVE-2021-26691)
Christoph Anton Mitterer discovered that the new MergeSlashes configuration
option resulted in unexpected behaviour in certain situations.
The problem can be corrected by updating your system to the following package versions:
In general, a standard system update will make all the necessary changes.
- USN-4994-1: apache2-bin, apache2-utils, apache2-data, apache2-ssl-dev, apache2, libapache2-mod-md, apache2-suexec-pristine, libapache2-mod-proxy-uwsgi, apache2-doc, apache2-dev, apache2-suexec-custom