[ubuntu/questing-security] apache2 2.4.64-1ubuntu3.4 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Wed May 6 19:30:59 UTC 2026 

apache2 (2.4.64-1ubuntu3.4) questing-security; urgency=medium

  * SECURITY UPDATE: http2: double free and possible RCE on early reset
    - debian/patches/CVE-2026-23918.patch: prevent double purge of a stream,
      resulting in a double free in modules/http2/h2_mplx.c.
    - CVE-2026-23918
  * SECURITY UPDATE: mod_rewrite elevation of privileges via ap_expr
    - debian/patches/CVE-2026-24072.patch: use AP_EXPR_FLAG_RESTRICTED in
      htaccess in modules/mappers/mod_rewrite.c,
      modules/metadata/mod_setenvif.c, modules/proxy/mod_proxy_fcgi.c.
    - CVE-2026-24072
  * SECURITY UPDATE: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()
    - debian/patches/CVE-2026-28780.patch: fix ajp_msg_check_header check in
      modules/proxy/ajp_msg.c.
    - CVE-2026-28780
  * SECURITY UPDATE: mod_md unrestricted OCSP response
    - debian/patches/CVE-2026-29168.patch: add ocsp limits in
      modules/md/md_ocsp.c.
    - CVE-2026-29168
  * SECURITY UPDATE: mod_dav_lock indirect lock crash
    - debian/patches/CVE-2026-29169.patch: use the right dav_lock_discovery in
      modules/dav/lock/locks.c.
    - CVE-2026-29169
  * SECURITY UPDATE: mod_auth_digest timing attack
    - debian/patches/CVE-2026-33006-1.patch: use apr_crypto_equals in
      configure.in, modules/aaa/mod_auth_digest.c.
    - debian/patches/CVE-2026-33006-2.patch: add ap_*_timingsafe() constant-
      time comparison functions in configure.in, include/ap_mmn.h,
      include/httpd.h, modules/aaa/mod_auth_digest.c,
      modules/session/mod_session_crypto.c, server/util.c.
    - CVE-2026-33006
  * SECURITY UPDATE: mod_authn_socache crash
    - debian/patches/CVE-2026-33007.patch: validate URL earlier in
      modules/aaa/mod_authn_socache.c.
    - CVE-2026-33007
  * SECURITY UPDATE: HTTP response splitting forwarding malicious status line
    - debian/patches/CVE-2026-33523.patch: scan outgoing status line for
      newlines and controls in modules/http/http_filters.c.
    - CVE-2026-33523
  * SECURITY UPDATE: Off-by-one OOB reads in AJP getter functions
    - debian/patches/CVE-2026-33857.patch: fix length checks in AJP msg_get
      functions in modules/proxy/ajp_msg.c.
    - CVE-2026-33857
  * SECURITY UPDATE: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing
    Null-Termination Check (ajp_msg_get_string)
    - debian/patches/CVE-2026-34032.patch: fix ajp_msg_get_string buffer checks
      in modules/proxy/ajp_msg.c.
    - CVE-2026-34032
  * SECURITY UPDATE: mod_proxy_ajp: Heap Over-Read and memory disclosure in
    ajp_parse_data()
    - debian/patches/CVE-2026-34059.patch: fix ajp_parse_data message len check
      in modules/proxy/ajp_header.c.
    - CVE-2026-34059

Date: 2026-05-05 13:43:10.367262+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.64-1ubuntu3.4
-------------- next part --------------
Sorry, changesfile not available.

More information about the Questing-changes mailing list