UBUNTU-CVE-2020-13950

Apache HTTP Server versions 2.4.41 to 2.4.46 modproxyhttp can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service

References

Affected packages

Ubuntu:20.04:LTS / apache2

Package

Name: apache2
Purl: pkg:deb/ubuntu/apache2@2.4.41-4ubuntu3.3?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.41-4ubuntu3.3

Affected versions

2.*

2.4.41-1ubuntu1

2.4.41-4ubuntu1

2.4.41-4ubuntu2

2.4.41-4ubuntu3

2.4.41-4ubuntu3.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "apache2",
            "binary_version": "2.4.41-4ubuntu3.3"
        },
        {
            "binary_name": "apache2-bin",
            "binary_version": "2.4.41-4ubuntu3.3"
        },
        {
            "binary_name": "apache2-data",
            "binary_version": "2.4.41-4ubuntu3.3"
        },
        {
            "binary_name": "apache2-dev",
            "binary_version": "2.4.41-4ubuntu3.3"
        },
        {
            "binary_name": "apache2-ssl-dev",
            "binary_version": "2.4.41-4ubuntu3.3"
        },
        {
            "binary_name": "apache2-suexec-custom",
            "binary_version": "2.4.41-4ubuntu3.3"
        },
        {
            "binary_name": "apache2-suexec-pristine",
            "binary_version": "2.4.41-4ubuntu3.3"
        },
        {
            "binary_name": "apache2-utils",
            "binary_version": "2.4.41-4ubuntu3.3"
        },
        {
            "binary_name": "libapache2-mod-md",
            "binary_version": "2.4.41-4ubuntu3.3"
        },
        {
            "binary_name": "libapache2-mod-proxy-uwsgi",
            "binary_version": "2.4.41-4ubuntu3.3"
        }
    ]
}