This bug was fixed in the package apache2 - 2.4.41-4ubuntu2
---
apache2 (2.4.41-4ubuntu2) focal; urgency=medium
* d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
parameter to mod_proxy_ajp (LP: #1865340)
-- Andreas Hasenack Thu, 05 Mar 2020 15:51:00
-0300
** Cha
** Description changed:
AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely
this change was triggered by CVE-2020-1938 (Ghostcat).
Unfortunately, in Apache 2.4 this parameter is not available yet in the
stable version 2.4.41 (currently only in the development branch 2
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/380324
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865340
Title:
"secret" parameter
** Changed in: apache2 (Ubuntu)
Status: Triaged => In Progress
** Changed in: apache2 (Ubuntu)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.n
https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html seems to
indicate "secret" will be available in 2.4.42:
?secret 0x0CString Supported since 2.4.42
>From https://bugzilla.redhat.com/show_bug.cgi?id=1397241, looks like
redhat has had "secret" support for quite a while. That bug report
** Description changed:
AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely
- CVE-2020-1938 (Ghostcat) is the reason for this.
+ this change was triggered by CVE-2020-1938 (Ghostcat).
Unfortunately, in Apache 2.4 this parameter is not available yet in the
stable version
