Operating System: Debian

Published: 05 October 2021


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3279
                          apache2 security update
                              5 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           apache2
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-40438 CVE-2021-39275 CVE-2021-34798

Reference:         ESB-2021.3239
                   ESB-2021.3234

Original Bulletin: 
   https://www.debian.org/lts/security/2021/dla-2776

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2776-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
October 02, 2021                              https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : apache2
Version        : 2.4.25-3+deb9u11
CVE ID         : CVE-2021-34798 CVE-2021-39275 CVE-2021-40438

Several vulnerabilities were discovered in the Apache HTTP server.
An attacker could send proxied requests to arbitrary servers, corrupt
memory in some setups involving third-party modules, and cause the
server to crash.

CVE-2021-34798

    Malformed requests may cause the server to dereference a NULL
    pointer, causing the server to crash (denial of service).

CVE-2021-39275

    ap_escape_quotes() may write beyond the end of a buffer when given
    malicious input. No module shipped with Apache passes untrusted data
    to this function, but third-party / external modules may, in which
    case the memory corruption becomes reachable from remote input.

CVE-2021-40438

    A crafted request uri-path can cause mod_proxy to forward the
    request to an origin server chosen by the remote user (a server-side
    request forgery). Only configurations that use mod_proxy are
    affected.

For Debian 9 stretch, these problems have been fixed in version
2.4.25-3+deb9u11.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
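Deciding whether a host actually carries the fix above is where fleet checks
most often go wrong: Debian version strings such as 2.4.25-3+deb9u11 do not
sort correctly as plain strings (deb9u9 compares greater than deb9u11, and a
~bpo suffix compares greater than the release it precedes). The script below
is an added example and is not part of the Debian advisory or the AusCERT
bulletin; it reimplements dpkg's version ordering (epoch, upstream version,
Debian revision, with the tilde and digit-run rules) and runs it over a
constructed host inventory to flag hosts still below the version named in
DLA-2776-1. The inventory format, host names and the helper names are
assumptions made for the example; on a real fleet the per-host lines would
come from dpkg-query -W -f='${Package} ${Version}\n' apache2.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Values taken from DLA-2776-1 above.
FIXED_VERSION = "2.4.25-3+deb9u11"
CVES = ("CVE-2021-34798", "CVE-2021-39275", "CVE-2021-40438")

# Constructed sample inventory (host, package, installed version); not real data.
SAMPLE_INVENTORY = """\
web-01 apache2 2.4.25-3+deb9u10
web-02 apache2 2.4.25-3+deb9u11
web-03 apache2 2.4.25-3+deb9u9
web-04 apache2 2.4.25-3+deb9u11~bpo9+1
web-05 nginx 1.10.3-1+deb9u6
"""


def _order(c: str) -> int:
    # dpkg's weight for characters in the non-digit runs: '~' sorts before
    # everything, including the end of the string; letters before non-letters.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    # Port of dpkg's verrevcmp(): alternate non-digit runs (compared by
    # _order) and digit runs (compared numerically, leading zeros ignored).
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1  # a has more digits in this run, so it is larger
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    # [epoch:]upstream_version[-debian_revision]; the revision follows the
    # last hyphen, the epoch precedes the first colon.
    epoch = 0
    rest = version
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions` ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


@dataclass
class Finding:
    host: str
    installed: str
    fixed: bool


def audit(inventory_text: str, fixed_version: str = FIXED_VERSION) -> List[Finding]:
    """Flag every apache2 entry whose version is below the fixed version."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, package, version = line.split()
        if package != "apache2":
            continue  # other packages are out of scope for this advisory
        findings.append(Finding(host, version, compare_versions(version, fixed_version) >= 0))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        status = "OK        " if f.fixed else "VULNERABLE"
        print(f"{status} {f.host}: apache2 {f.installed} (fixed in {FIXED_VERSION}; {', '.join(CVES)})")
```

In the constructed inventory only web-02 is patched: web-01 and web-03 are
older stretch builds (web-03 is the case a string comparison gets wrong), and
web-04 shows that a ~bpo pre-release of the fixed revision still ranks below
the fix itself.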

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----