[ubuntu/kinetic-proposed] apache2 2.4.53-2ubuntu1 (Accepted)

Bryce Harrington bryce at canonical.com
Fri Jun 3 16:10:13 UTC 2022


apache2 (2.4.53-2ubuntu1) kinetic; urgency=medium

  * Merge with Debian unstable (LP: #1971248). Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
      (LP 261198)
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
      (LP 609177)
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/s/include-binaries: replace Debian with Ubuntu on default
      page and add Ubuntu icon file.
      (LP 1288690)
    - d/index.html, d/icons/ubuntu-logo.png: Refresh page design and
      new logo
      (LP 1966004)
    - d/apache2.postrm: Include md5 sum for updated index.html
  * Dropped:
    - OOB read in mod_lua via crafted request body
      + d/p/CVE-2022-22719.patch: error out if lua_read_body() or
        lua_write_body() fail in modules/lua/lua_request.c.
      [Fixed in 2.4.53 upstream]
    - HTTP Request Smuggling via error discarding the
      request body
      + d/p/CVE-2022-22720.patch: simpler connection close logic
        if discarding the request body fails in modules/http/http_filters.c,
        server/protocol.c.
      [Fixed in 2.4.53 upstream]
    - overflow via large LimitXMLRequestBody
      + d/p/CVE-2022-22721.patch: make sure and check that
        LimitXMLRequestBody fits in system memory in server/core.c,
        server/util.c, server/util_xml.c.
      [Fixed in 2.4.53 upstream]
    - out-of-bounds write in mod_sed
      + d/p/CVE-2022-23943-1.patch: use size_t to allow for larger
        buffer sizes and unsigned arithmetic in modules/filters/libsed.h,
        modules/filters/mod_sed.c, modules/filters/sed1.c.
      + d/p/CVE-2022-23943-2.patch: improve the logic flow in
        modules/filters/mod_sed.c.
      [Fixed in 2.4.53 upstream]

Date: Mon, 23 May 2022 19:34:18 -0700
Changed-By: Bryce Harrington <bryce at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.53-2ubuntu1
-------------- next part --------------
Format: 1.8
Date: Mon, 23 May 2022 19:34:18 -0700
Source: apache2
Built-For-Profiles: noudeb
Architecture: source
Version: 2.4.53-2ubuntu1
Distribution: kinetic
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Bryce Harrington <bryce at canonical.com>
Launchpad-Bugs-Fixed: 1971248
Checksums-Sha1:
 46f4c7c809c172ccbf8f51831af072af06cf7b3b 3348 apache2_2.4.53-2ubuntu1.dsc
 e4c6fddc48fd4494fc463d2a00577c7ce719aaab 9726558 apache2_2.4.53.orig.tar.gz
 71efe4b1aa8f5404cd2be9105e6f8cb6c6c012b8 918532 apache2_2.4.53-2ubuntu1.debian.tar.xz
 804cf10c770bcf5e4e12ef88526991bfd315d7fb 8441 apache2_2.4.53-2ubuntu1_source.buildinfo
Checksums-Sha256:
 6a78df7fb49aa47710a539de699cf962c1d2287d0278c520672da55c6f83a480 3348 apache2_2.4.53-2ubuntu1.dsc
 7a045e8e653aaf931f9667f3a7e1943bd81306bf908f316465f737a854d10c16 9726558 apache2_2.4.53.orig.tar.gz
 b31218a997b1ba967a0044e0303feec3e1545ca3b88139088a63aeb53fd6b4b3 918532 apache2_2.4.53-2ubuntu1.debian.tar.xz
 3e004841dc33da643991fad5b6889a8e7f119e86bd65fe7613054d1b6cf769bc 8441 apache2_2.4.53-2ubuntu1_source.buildinfo
Files:
 811fc3dd294bd8539ac27c9f9fc4ebe9 3348 httpd optional apache2_2.4.53-2ubuntu1.dsc
 fbc10dfafdf8da2bdf8fc1c2a2e4e133 9726558 httpd optional apache2_2.4.53.orig.tar.gz
 3c0e8b44ba50a8af86d39878fba20476 918532 httpd optional apache2_2.4.53-2ubuntu1.debian.tar.xz
 69e3d2c2b3ee0c6aea24e62755c12e73 8441 httpd optional apache2_2.4.53-2ubuntu1_source.buildinfo
Original-Maintainer: Debian Apache Maintainers <debian-apache at lists.debian.org>