-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3279
                           apache2 security update
                               5 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           apache2
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-40438 CVE-2021-39275 CVE-2021-34798

Reference:         ESB-2021.3239
                   ESB-2021.3234

Original Bulletin:
   https://www.debian.org/lts/security/2021/dla-2776

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2776-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Sylvain Beucler
October 02, 2021                              https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : apache2
Version        : 2.4.25-3+deb9u11
CVE ID         : CVE-2021-34798 CVE-2021-39275 CVE-2021-40438

Several vulnerabilities were discovered in the Apache HTTP server. An attacker
could send proxied requests to arbitrary servers, corrupt memory in some
setups involving third-party modules, and cause the server to crash.

CVE-2021-34798

    Malformed requests may cause the server to dereference a NULL pointer.

CVE-2021-39275

    ap_escape_quotes() may write beyond the end of a buffer when given
    malicious input. No included modules pass untrusted data to these
    functions, but third-party / external modules may.

CVE-2021-40438

    A crafted request uri-path can cause mod_proxy to forward the request to
    an origin server chosen by the remote user.

For Debian 9 stretch, these problems have been fixed in version
2.4.25-3+deb9u11.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmFYfEoACgkQDTl9HeUl
XjBlDhAAjFWc5Lw22sRMNJcs6OpMwYDGrOjykZ6U5QL9MUWJNLQKOz0u1/i+PjiE
AKeJaeBPewfa7dOJ1XUznCiNwIaxQ5OVVM+qsGt7Srtll8yjvSAwQ/NETBDB9sK8
LN74BYuex9iv2ImVtl3Calv5zHVWI1YwExKgrZJw57KHXyeAPheGlJikUrNc8FNk
28a3kYjYLD2cFxVgAFgCVxB7AMLhG44tNVdQL/9glW2sMfvmJ418Zx7ecZYWDnj9
J78QMrSOWk/0hngeTdopQxJ1EHLjf/23jL1bYl0pua8Sncy8diC/W3De+yo3EIVg
d72YsLqVidkuHxmoftjZs3K4evzHRcywYQkI5AWoo9D0DqtI0yqOwg4mzO2jrZjz
9G+VXdYDTdqFM4aDA2Aa7X8fQhgRM3ERYN405WsoGxxig/OCP6ZavRvwfr/V35T2
qeoQzW1XDT2G79qB7KcqvjCiA3RXQyXuz/KXRTpizb91RIlMinCv7jeIpirZAxyj
l4oBBevFBSxBIwxYJ5W42RysKZq0jK34DkH5vYsRcN4dZpk8kBOh1sOsXbqdGGky
rv24qOWBq4WV6WHKx28DdOh56EQPbceZnFZvRThWesEEi34p/sYeHv4OV9fD4Mig
pfjLRTb2slMB/GEYmyHKSY9dgbwDWetvlwfSERVppHQS5Ev5H+I=
=+f/k
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYVvQm+NLKJtyKPYoAQhHyQ//cGB/pD5UE4wTHQjqBQTWAWvDpzdRcVD0
gptyYgBp177nzcqLryTCELL1k2VCdnCUIW/CrfjkqlzdlLyILkzULrdVAa20hsU0
i2OdyUrfux4H2mfOcZRaoRHZg79iuLzU1vys80eAI57Pm2ZB2aubGolccAiv7Sgd
0nuuaxIRHUCzp4ZE8VYU8mgLFXlDatdXf/pA5C/q19TJ6cMidsbQjHHVlFg+8mvM
40TkcydVAKoWBBwRRPxgJwh/hrMqqDEqpOp81mzMd9SqGiZ1zxZc2JG60IjE9Bxq
DJUoIyy+ns3rGWSitXk8ei+16IOmYdaFLxA6k95MM2V25SsxgCgqCEBdjnS6EUVW
t69DLucBbqH3mo1o/M/NJ6NbqHfszca0Syafcw8T7M0iFn/N+lkNjUkW7Ot3oS2p
p42I1xJCi5iLORQSlvC9qwgeyCu6gGMfcvRILVbIRUIVFkSTuGpLvb7IU0iHDk4a
9hSL+5BXMk3dbe2Kroe4yBvTSe5zSCZmJi8+2ZQiHJ/ZljLe62d0hUITBKD4zqhI
rk61WnaE6EGJO9z77CsjExSidaHxGzmWzkv7nZUUV4dS1fsEKzJTMGDAtKPmzY96
V/zjP2Qp6KDux4aUeuMalC5W8aLA/srYcmowcubs2djnLZakzrMzZrmq1NZz76H3
Xs/+l0mAiQs=
=njjA
-----END PGP SIGNATURE-----
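The resolution in the advisory above is a package upgrade: on Debian 9 stretch, apache2 is fixed in 2.4.25-3+deb9u11. The practical question for anyone running a fleet is which hosts still carry an older build. The Python script below is an added example, not part of the AusCERT bulletin or the Debian advisory. It implements the Debian package version ordering (epoch, upstream version, Debian revision, with `~` sorting before everything and letters before other characters, as described in deb-version(7)) and uses it to classify installed apache2 packages against the fixed version. The `SAMPLE_DPKG_OUTPUT` is constructed for illustration; on a real host the same three-column format comes from `dpkg-query -W -f='${Package}\t${Version}\t${Status}\n' 'apache2*'`. The script assumes that the apache2 binary packages carry the version of the apache2 source package, which is how Debian builds them.

```python
"""Classify apache2 packages in dpkg-query output against the DLA-2776-1 fix.

Added example; not part of the Debian advisory or the AusCERT bulletin.
"""
import sys

# Fixed version named in DLA-2776-1 for Debian 9 stretch.
FIXED_VERSION = "2.4.25-3+deb9u11"

# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\t${Status}\n' 'apache2*'`
# on a partially upgraded host. These rows are illustrative, not observed data.
SAMPLE_DPKG_OUTPUT = (
    "apache2\t2.4.25-3+deb9u9\tinstall ok installed\n"
    "apache2-bin\t2.4.25-3+deb9u9\tinstall ok installed\n"
    "apache2-utils\t2.4.25-3+deb9u11\tinstall ok installed\n"
    "apache2-doc\t2.4.25-3+deb9u5\tdeinstall ok config-files\n"
)


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run, per deb-version(7):
    '~' sorts before everything (even end of string), letters sort before
    non-letters, and digits / end of string are neutral."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision fragment.

    Alternates between a non-digit run (weighted by _order) and a digit run
    (numeric, leading zeros ignored) until the strings differ. Returns -1/0/1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run. The loop returns as soon as one side hits a digit or
        # its end while the other still has non-digit characters.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run is the larger number;
        # equal-length runs are decided by the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(version: str):
    """Split [epoch:]upstream_version[-debian_revision]; the revision is the
    part after the LAST hyphen, so hyphens in the upstream version survive."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Debian version ordering: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def assess(dpkg_output: str, fixed_version: str = FIXED_VERSION) -> dict:
    """Map each installed package to 'patched' or 'vulnerable'. Packages not in
    the 'installed' state (removed, config-files only) ship no code and are skipped."""
    findings = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        package, version, status = line.split("\t")
        if not status.endswith(" installed"):
            continue
        findings[package] = "patched" if compare_versions(version, fixed_version) >= 0 else "vulnerable"
    return findings


if __name__ == "__main__":
    # Pipe real dpkg-query output in; without a pipe the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DPKG_OUTPUT
    for pkg, verdict in sorted(assess(data).items()):
        print(f"{pkg:20s} {verdict}")
```

The check is only meaningful on hosts running Debian 9, the release the advisory covers: a package version from another Debian release can sort above 2.4.25-3+deb9u11 without being the build this advisory describes, so key the check on the release of each host (for example by reading /etc/debian_version first) rather than applying the stretch fix version fleet-wide.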