
Here's the partial answer to my question: How to patch Apache 2.4.18 on Ubuntu 16.04 LTS? and here: Will Ubuntu 16.04.6 updates ever include a version of Apache newer than 2.4.18?

My Apache version info:

apache2 -v
Server version: Apache/2.4.18 (Ubuntu)
Server built:   2023-03-20T21:41:20

Here is the latest update for Apache 2.4:

2.4.18-2ubuntu3.17+esm10

I checked the Ubuntu website at https://changelogs.ubuntu.com/changelogs/pool/main/a/apache2/apache2_2.4.18-2ubuntu3.17/changelog and compared it with https://httpd.apache.org/security/vulnerabilities_24.html

Fixed in Apache HTTP Server 2.4.42
low: mod_rewrite CWE-601 open redirect (CVE-2020-1927)
https://httpd.apache.org/security/vulnerabilities_24.html

and

apache2 (2.4.18-2ubuntu3.17) xenial-security; urgency=medium

  * SECURITY UPDATE: mod_rewrite redirect issue
    - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
      in include/ap_regex.h, server/core.c, server/util_pcre.c.
    - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
      opt-out of pcre defaults in include/ap_regex.h,
      modules/filters/mod_substitute.c, server/util_pcre.c,
      server/util_regex.c.
    - CVE-2020-1927
  * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
    - debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
      modules/proxy/mod_proxy_ftp.c.
    - CVE-2020-1934
https://changelogs.ubuntu.com/changelogs/pool/main/a/apache2/apache2_2.4.18-2ubuntu3.17/changelog

It is not clear if other security issues up to CVE-2023-25690 are fixed. Can I trust Ubuntu that all security issues up to Apache version 2.4.56 are fixed in the latest 2.4.18-2ubuntu3.17+esm10? How do I check what is included in the esm10 updates?

  • Found this link about ESM change logs: https://ubuntu.com/security/notices?order=newest&release=xenial&details=apache
    – yW0K5o
    Oct 16 at 10:32
  • 3
    Ubuntu 16.04 is EOL. Questions should demonstrate reasonable information technology management practices. Questions that relate to unsupported hardware or software platforms or unmaintained environments may not be suitable for Server Fault.
    – djdomi
    Oct 16 at 10:54
  • @djdomi The free version Ubuntu 16.04 is EOL, but the question is about the paid version 16.04 ESM which has an EOL date of 2026. ubuntu.com/security/esm
    – Robert
    Oct 16 at 11:21
  • Well, if you pay for an EOL system then I suggest you contact the vendor support about your inquiry.
    – djdomi
    Oct 16 at 11:57
  • 1
    So well, it's the paid version which has an EOL date of 2026. Yours already expired. Time to update. Oct 17 at 8:32

2 Answers

apt policy apache2

gives:

apache2:  
  Installed: 2.4.18-2ubuntu3.17+esm10  
  Candidate: 2.4.18-2ubuntu3.17+esm10
  • Yes. Your answer is included in my question 2.4.18-2ubuntu3.17+esm10. How can we explain esm10?
    – yW0K5o
    Oct 25 at 17:03

You could check each CVE individually, for example: https://ubuntu.com/security/CVE-2023-25690

  • Beware, though. CVEs might not be accurate for a vendor-supported distribution where the vendor backports fixes into versions of software specific to that distribution. Or, in this case, where the vendor used to do that backporting but stopped as the specific free distribution is EOL. Oct 25 at 18:02
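The question asks how to see what an ESM build actually contains. Since Ubuntu backports fixes without bumping the upstream version, the `+esmN` suffix only tells you that N security uploads happened; the package changelog is what lists the CVE IDs each upload addressed. The script below is an added example (not from either answer or from Ubuntu's tooling): it pulls every CVE identifier out of a Debian/Ubuntu changelog, reports the newest entry's version, and checks a list of CVEs you care about against it. The embedded sample changelog is constructed from the `2.4.18-2ubuntu3.17` excerpt quoted in the question, so it deliberately does not contain the later `+esm` entries; on a real Xenial ESM host you would feed it the installed changelog instead.

```shell
#!/bin/sh
# Added example (not from the original post): extract the CVE IDs a
# Debian/Ubuntu changelog says it fixes and compare them with CVEs of interest.
# On a real Xenial ESM box, replace the sample below with the real changelog:
#   zcat /usr/share/doc/apache2/changelog.Debian.gz | check_cves CVE-2023-25690
#   apt changelog apache2 | check_cves CVE-2023-25690   # needs network access

# Print the unique CVE identifiers mentioned in a changelog read from stdin.
# "CVE-2020-1927-1.patch" still yields CVE-2020-1927 because the pattern
# stops at the second hyphen.
cves_in_changelog() {
    grep -o 'CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9]*' | sort -u
}

# Print the version of the first (newest) changelog entry read from stdin,
# e.g. "2.4.18-2ubuntu3.17".
latest_changelog_version() {
    sed -n 's/^apache2 (\([^)]*\)).*/\1/p' | head -n 1
}

# For each CVE given as an argument, report whether the changelog on stdin
# lists it. Returns 1 if any requested CVE is missing, so it can gate a script.
check_cves() {
    found=$(cves_in_changelog)
    missing=0
    for cve in "$@"; do
        if printf '%s\n' "$found" | grep -qx "$cve"; then
            echo "$cve: listed in changelog"
        else
            echo "$cve: NOT listed in changelog"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: the 2.4.18-2ubuntu3.17 entry quoted in the question.
# The later +esm uploads are intentionally absent, so CVE-2023-25690 is not
# expected to be found here.
SAMPLE_CHANGELOG=$(cat <<'EOF'
apache2 (2.4.18-2ubuntu3.17) xenial-security; urgency=medium

  * SECURITY UPDATE: mod_rewrite redirect issue
    - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
      in include/ap_regex.h, server/core.c, server/util_pcre.c.
    - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
      opt-out of pcre defaults in include/ap_regex.h,
      modules/filters/mod_substitute.c, server/util_pcre.c,
      server/util_regex.c.
    - CVE-2020-1927
  * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
    - debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
      modules/proxy/mod_proxy_ftp.c.
    - CVE-2020-1934
EOF
)

echo "Newest changelog entry: $(printf '%s\n' "$SAMPLE_CHANGELOG" | latest_changelog_version)"
echo "CVEs mentioned:"
printf '%s\n' "$SAMPLE_CHANGELOG" | cves_in_changelog
printf '%s\n' "$SAMPLE_CHANGELOG" | check_cves CVE-2020-1927 CVE-2020-1934 CVE-2023-25690 \
    || echo "At least one CVE is not covered by this changelog; check https://ubuntu.com/security/<CVE-ID> before concluding it is unfixed."
```

A CVE missing from the changelog is not proof that it is unfixed (Ubuntu may have judged the code path not present in 2.4.18, or fixed it under a different entry), which is why the per-CVE pages at ubuntu.com/security and the xenial notices list linked in the comments remain the authoritative cross-check; the grep simply tells you which IDs the package's own record claims.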
