0

There is a critical CVE for Apache HTTP server versions 2.4.32 to 2.4.44 that allows info disclosure and possible remote code execution, so you can imagine how bad this could be on a web server if someone were to productize it into an exploit. However, the most current version available for Ubuntu is 2.4.41. Does anyone know if there is a patch available or has anyone successfully built from source? The latest version from Apache for 20.04 is 2.4.46, but I've typically run into issues whenever building from source whenever there isn't an official Ubuntu package available yet.

zogden
  • 1
  • 1

2 Answers

4

In most cases, new versions of software don't get packaged for already released versions of Ubuntu. For example, Ubuntu 20.04 comes with a package containing Apache HTTP server 2.4.41. Newer releases upstream (2.4.42 and so forth) would be integrated in newer Ubuntu versions, like Apache 2.4.46 that comes with Ubuntu 20.10.

But of course you can't just keep security problems unfixed. Because of that, security fixes are often backported to older versions. In this case, the fix for CVE-2020-11984 has been backported to Apache 2.4.41 for Ubuntu 20.04, and to Apache 2.4.29 for Ubuntu 18.04 and so forth.

More information about this specific backport (which also took care of several other CVEs) can be found in the Ubuntu Security Notices.

3

You already have it installed if you installed all security updates.

See:

Ubuntu 20.10 (Groovy Gorilla)      Released (2.4.46-1ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa)     Released (2.4.41-4ubuntu3.1)
Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (code not present)
Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable (code not present)
Ubuntu 14.04 ESM (Trusty Tahr)     Not vulnerable (code not present)

What you are asking is not how Ubuntu works. Ubuntu patches current versions with a security fix (for the main repositories).

Rinzwind
  • 299,756