USN-6885-1 fixed vulnerabilities in Apache. The patch for CVE-2024-38474 was incomplete and caused a regression. This update provides the fix for this issue.
Original advisory details:
Orange Tsai discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain substitutions. A remote attacker could possibly use this issue to execute scripts in directories not directly reachable by any URL, or cause a denial of service. Some environments may require using the new UnsafeAllow3F flag to handle unsafe substitutions. (CVE-2024-38474)
{ "binaries": [ { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "apache2" }, { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "apache2-bin" }, { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "apache2-bin-dbgsym" }, { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "apache2-data" }, { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "apache2-dev" }, { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "apache2-doc" }, { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "apache2-ssl-dev" }, { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "apache2-suexec-custom" }, { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "apache2-suexec-custom-dbgsym" }, { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "apache2-suexec-pristine" }, { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "apache2-suexec-pristine-dbgsym" }, { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "apache2-utils" }, { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "apache2-utils-dbgsym" }, { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "libapache2-mod-md" }, { "binary_version": "2.4.52-1ubuntu4.16", "binary_name": "libapache2-mod-proxy-uwsgi" } ], "availability": "No subscription required" }
{ "binaries": [ { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "apache2" }, { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "apache2-bin" }, { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "apache2-bin-dbgsym" }, { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "apache2-data" }, { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "apache2-dev" }, { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "apache2-doc" }, { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "apache2-ssl-dev" }, { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "apache2-suexec-custom" }, { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "apache2-suexec-custom-dbgsym" }, { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "apache2-suexec-pristine" }, { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "apache2-suexec-pristine-dbgsym" }, { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "apache2-utils" }, { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "apache2-utils-dbgsym" }, { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "libapache2-mod-md" }, { "binary_version": "2.4.58-1ubuntu8.8", "binary_name": "libapache2-mod-proxy-uwsgi" } ], "availability": "No subscription required" }