Lucene search

DebianDEBIAN:DSA-5035-1:9CF94

HistoryJan 04, 2022 - 4:38 p.m.

[SECURITY] [DSA 5035-1] apache2 security update

2022-01-0416:38:55

lists.debian.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.088 Low

EPSS

Percentile

94.5%

JSON

Debian Security Advisory DSA-5035-1 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
January 04, 2022 https://www.debian.org/security/faq

Package : apache2
CVE ID : CVE-2021-44224 CVE-2021-44790

Two vulnerabilities have been discovered in the Apache HTTP server:

CVE-2021-44224

When operating as a forward proxy, Apache was depending on the setup
suspectible to denial of service or Server Side Request forgery.

CVE-2021-44790

A buffer overflow in mod_lua may result in denial of service or
potentially the execution of arbitrary code.

For the oldstable distribution (buster), these problems have been fixed
in version 2.4.38-3+deb10u7.

For the stable distribution (bullseye), these problems have been fixed in
version 2.4.52-1~deb11u2.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian11i386apache2-suexec-custom< 2.4.52-1~deb11u2apache2-suexec-custom_2.4.52-1~deb11u2_i386.deb
Debian10amd64apache2-ssl-dev< 2.4.38-3+deb10u7apache2-ssl-dev_2.4.38-3+deb10u7_amd64.deb
Debian10s390xapache2-suexec-pristine< 2.4.38-3+deb10u7apache2-suexec-pristine_2.4.38-3+deb10u7_s390x.deb
Debian9armhfapache2-suexec-pristine< 2.4.25-3+deb9u12apache2-suexec-pristine_2.4.25-3+deb9u12_armhf.deb
Debian10arm64libapache2-mod-md< 2.4.38-3+deb10u7libapache2-mod-md_2.4.38-3+deb10u7_arm64.deb
Debian11armelapache2-suexec-pristine< 2.4.52-1~deb11u2apache2-suexec-pristine_2.4.52-1~deb11u2_armel.deb
Debian10ppc64ellibapache2-mod-proxy-uwsgi< 2.4.38-3+deb10u7libapache2-mod-proxy-uwsgi_2.4.38-3+deb10u7_ppc64el.deb
Debian11allapache2< 2.4.52-1~deb11u2apache2_2.4.52-1~deb11u2_all.deb
Debian10ppc64elapache2-bin-dbgsym< 2.4.38-3+deb10u7apache2-bin-dbgsym_2.4.38-3+deb10u7_ppc64el.deb
Debian10ppc64elapache2-suexec-custom< 2.4.38-3+deb10u7apache2-suexec-custom_2.4.38-3+deb10u7_ppc64el.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	i386	apache2-suexec-custom	< 2.4.52-1~deb11u2	apache2-suexec-custom_2.4.52-1~deb11u2_i386.deb
Debian	10	amd64	apache2-ssl-dev	< 2.4.38-3+deb10u7	apache2-ssl-dev_2.4.38-3+deb10u7_amd64.deb
Debian	10	s390x	apache2-suexec-pristine	< 2.4.38-3+deb10u7	apache2-suexec-pristine_2.4.38-3+deb10u7_s390x.deb
Debian	9	armhf	apache2-suexec-pristine	< 2.4.25-3+deb9u12	apache2-suexec-pristine_2.4.25-3+deb9u12_armhf.deb
Debian	10	arm64	libapache2-mod-md	< 2.4.38-3+deb10u7	libapache2-mod-md_2.4.38-3+deb10u7_arm64.deb
Debian	11	armel	apache2-suexec-pristine	< 2.4.52-1~deb11u2	apache2-suexec-pristine_2.4.52-1~deb11u2_armel.deb
Debian	10	ppc64el	libapache2-mod-proxy-uwsgi	< 2.4.38-3+deb10u7	libapache2-mod-proxy-uwsgi_2.4.38-3+deb10u7_ppc64el.deb
Debian	11	all	apache2	< 2.4.52-1~deb11u2	apache2_2.4.52-1~deb11u2_all.deb
Debian	10	ppc64el	apache2-bin-dbgsym	< 2.4.38-3+deb10u7	apache2-bin-dbgsym_2.4.38-3+deb10u7_ppc64el.deb
Debian	10	ppc64el	apache2-suexec-custom	< 2.4.38-3+deb10u7	apache2-suexec-custom_2.4.38-3+deb10u7_ppc64el.deb