========================================================================== Ubuntu Security Notice USN-8516-1 July 08, 2026
apache2 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in Apache HTTP Server. Software Description: - apache2: Apache HTTP server Details: It was discovered that Apache HTTP Server's mod_ldap module incorrectly handled memory when processing per-directory configurations. An attacker could use this issue to cause the server to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-29167) It was discovered that Apache HTTP Server's mod_proxy_ftp module incorrectly handled HTML generation for FTP directory listings. A remote attacker could possibly use this issue to inject arbitrary web script or HTML. (CVE-2026-29170) It was discovered that Apache HTTP Server's mod_proxy_html module incorrectly handled certain content from an untrusted backend. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-34355) It was discovered that Apache HTTP Server incorrectly handled ProxyPassReverseCookie directives with a malicious backend server. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-34356) It was discovered that Apache HTTP Server's mod_dav_fs module incorrectly handled certain path operations. An authenticated user could possibly use this issue to manipulate trusted WebDAV property databases or cause a denial of service. (CVE-2026-42535) It was discovered that Apache HTTP Server's mod_xml2enc module incorrectly handled certain content from an untrusted backend. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-42536) It was discovered that Apache HTTP Server incorrectly handled response headers when multiple content languages were configured. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-43951) It was discovered that Apache HTTP Server incorrectly restricted certain file functions in expressions within .htaccess files. A local attacker with .htaccess write access could possibly use this issue to obtain sensitive information. (CVE-2026-44119) It was discovered that Apache HTTP Server's mod_ssl module incorrectly handled OCSP responses from an attacker-controlled server. A remote attacker could possibly use this issue to obtain sensitive information or cause a denial of service. (CVE-2026-44185) It was discovered that Apache HTTP Server's mod_proxy_ftp module incorrectly handled responses from an attacker-controlled backend FTP server. A remote attacker could possibly use this issue to cause Apache HTTP Server to stop responding, resulting in a denial of service. (CVE-2026-44186) It was discovered that Apache HTTP Server incorrectly handled crafted regular expressions in the server configuration. An attacker could possibly use this issue to execute arbitrary code or cause a denial of service. (CVE-2026-44631) It was discovered that Apache HTTP Server's mod_http2 module had a use-after-free vulnerability when file handles were exhausted. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-48913) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS apache2 2.4.66-2ubuntu2.4 Ubuntu 24.04 LTS apache2 2.4.58-1ubuntu8.15 Ubuntu 22.04 LTS apache2 2.4.52-1ubuntu4.23 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8516-1 CVE-2026-29167, CVE-2026-29170, CVE-2026-34355, CVE-2026-34356, CVE-2026-42535, CVE-2026-42536, CVE-2026-43951, CVE-2026-44119, CVE-2026-44185, CVE-2026-44186, CVE-2026-44631, CVE-2026-48913 Package Information: https://launchpad.net/ubuntu/+source/apache2/2.4.66-2ubuntu2.4 https://launchpad.net/ubuntu/+source/apache2/2.4.58-1ubuntu8.15 https://launchpad.net/ubuntu/+source/apache2/2.4.52-1ubuntu4.23
signature.asc
Description: OpenPGP digital signature
