[USN-6885-4] Apache HTTP Server regression

[Leonidas S. Barbosa]

==========================================================================
Ubuntu Security Notice USN-6885-4
April 07, 2025

apache2 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

USN-6885-1 introduced a regression in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

USN-6885-1 fixed a vulnerability in Apache. The patch
for CVE-2024-38474 was incomplete and caused regressions.
This update provides the fix for that issue.

Original advisory details:

 Orange Tsai discovered that the Apache HTTP Server mod_rewrite module
 incorrectly handled certain substitutions. A remote attacker could
 possibly use this issue to execute scripts in directories not directly
 reachable by any URL, or cause a denial of service. Some environments
 may require using the new UnsafeAllow3F flag to handle unsafe
 substitutions. (CVE-2024-38474)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  apache2                         2.4.62-1ubuntu1.1

Ubuntu 24.04 LTS
  apache2                         2.4.58-1ubuntu8.6

Ubuntu 22.04 LTS
  apache2                         2.4.52-1ubuntu4.14

Ubuntu 20.04 LTS
  apache2                         2.4.41-4ubuntu3.23

Ubuntu 18.04 LTS
  apache2                         2.4.29-1ubuntu4.27+esm4
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  apache2                         2.4.18-2ubuntu3.17+esm14
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6885-4
  https://ubuntu.com/security/notices/USN-6885-3
  https://ubuntu.com/security/notices/USN-6885-2
  https://ubuntu.com/security/notices/USN-6885-1
  https://launchpad.net/bugs/2103723

Package Information:
  https://launchpad.net/ubuntu/+source/apache2/2.4.62-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/apache2/2.4.58-1ubuntu8.6
  https://launchpad.net/ubuntu/+source/apache2/2.4.52-1ubuntu4.14
  https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.23

signature.asc
Description: PGP signature