CVE-2024-24795
Published: 4 April 2024
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
Notes
| Author | Note |
|---|---|
| leosilva | after this update reports were made that fossil package stopped to work properly (LP: #2064509). |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
apache2 Launchpad, Ubuntu, Debian |
bionic |
Released
(2.4.29-1ubuntu4.27+esm2)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
| focal |
Released
(2.4.41-4ubuntu3.17)
|
|
| jammy |
Released
(2.4.52-1ubuntu4.9)
|
|
| mantic |
Released
(2.4.57-2ubuntu2.4)
|
|
| noble |
Released
(2.4.58-1ubuntu8.1)
|
|
| trusty |
Needs triage
|
|
| upstream |
Released
(2.4.59-1)
|
|
| xenial |
Released
(2.4.18-2ubuntu3.17+esm12)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
Patches: upstream: https://svn.apache.org/viewvc?view=revision&revision=1916769 upstream: https://github.com/apache/httpd/commit/a29723ce1af75eed0813c3717d3f6dee9b405ca8 |
||
References
- https://www.openwall.com/lists/oss-security/2024/04/04/5
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-24795
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://ubuntu.com/security/notices/USN-6729-1
- https://www.cve.org/CVERecord?id=CVE-2024-24795
- https://ubuntu.com/security/notices/USN-6729-2
- https://ubuntu.com/security/notices/USN-6729-3
- NVD
- Launchpad
- Debian