[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-10-10 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.4.48-3.1ubuntu3

---
apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers  Tue, 28 Sep 2021 08:52:26 -0400

** Changed in: apache2 (Ubuntu Impish)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1945311

Title:
  Fix for CVE-2021-40438 breaks existing configs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1945311/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-29 Thread Leonardo H Nigri
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-0604


[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-28 Thread Leonidas S. Barbosa
** Changed in: apache2 (Ubuntu Xenial)
   Status: Confirmed => Fix Released

** Changed in: apache2 (Ubuntu Trusty)
   Status: Confirmed => Invalid

** Changed in: apache2 (Ubuntu Xenial)
 Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab)

** Changed in: apache2 (Ubuntu Xenial)
   Importance: Undecided => High


[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-28 Thread Marc Deslauriers
** Changed in: apache2 (Ubuntu Impish)
   Status: Confirmed => Fix Committed


[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-28 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.4.46-4ubuntu1.3

---
apache2 (2.4.46-4ubuntu1.3) hirsute-security; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers  Tue, 28 Sep 2021 06:57:42 -0400

** Changed in: apache2 (Ubuntu Hirsute)
   Status: Confirmed => Fix Released


[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-28 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.18

---
apache2 (2.4.29-1ubuntu4.18) bionic-security; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers  Tue, 28 Sep 2021 07:01:16 -0400


[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-28 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.4.41-4ubuntu3.6

---
apache2 (2.4.41-4ubuntu3.6) focal-security; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers  Tue, 28 Sep 2021 07:00:45 -0400

** Changed in: apache2 (Ubuntu Focal)
   Status: Confirmed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-40438

** Changed in: apache2 (Ubuntu Bionic)
   Status: Confirmed => Fix Released


[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-28 Thread Ante Karamatić
Packages from PPA fix the problem on 18.04.


[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-28 Thread Aoshi
I've installed the packages
(apache2/apache2-bin/apache2-data/apache2-utils) and can confirm that
this fixes the issue (with Plesk).


[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-28 Thread Marc Deslauriers
The updates are currently building in the security team PPA here, in
case someone wants to try them before they are published:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages


[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-28 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: apache2 (Ubuntu Xenial)
   Status: New => Confirmed


[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-28 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: apache2 (Ubuntu Trusty)
   Status: New => Confirmed


[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-28 Thread Marc Deslauriers
** Changed in: apache2 (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: apache2 (Ubuntu Focal)
   Importance: Undecided => High

** Changed in: apache2 (Ubuntu Hirsute)
   Importance: Undecided => High

** Changed in: apache2 (Ubuntu Impish)
   Importance: Undecided => High


[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-28 Thread Marc Deslauriers
Another follow-up:

https://github.com/apache/httpd/commit/0557043c024429cef7a43862cd6b2724a75b39b9


** Also affects: apache2 (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: apache2 (Ubuntu Impish)
   Importance: Undecided
   Status: Confirmed

** Also affects: apache2 (Ubuntu Hirsute)
   Importance: Undecided
   Status: New

** Also affects: apache2 (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: apache2 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: apache2 (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: apache2 (Ubuntu Bionic)
   Status: New => Confirmed

** Changed in: apache2 (Ubuntu Focal)
   Status: New => Confirmed

** Changed in: apache2 (Ubuntu Hirsute)
   Status: New => Confirmed

** Changed in: apache2 (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: apache2 (Ubuntu Focal)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: apache2 (Ubuntu Hirsute)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: apache2 (Ubuntu Impish)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)


[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-28 Thread Marc Deslauriers
Here are the 2.4.x backports:

https://github.com/apache/httpd/commit/6e768a811c59ca6a0769b72681aaef381823339f
https://github.com/apache/httpd/commit/81a8b0133b46c4cf7dfc4b5476ad46eb34aa0a5c

I will prepare updates that add those commits and will release them
likely today.


[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

2021-09-28 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: apache2 (Ubuntu)
   Status: New => Confirmed
