← Back to blog

Apache HTTP Server Regression Fix: mod_http2 Loading Issue Resolved

Ubuntu released USN-8338-2 to address a regression in Apache HTTP Server that prevented mod_http2 from loading on Ubuntu 18.04 LTS. The patch resolves an unintended side effect from the previous security update while maintaining fixes for multiple CVEs.

TL;DR

  • USN-8338-2 fixes a regression introduced by USN-8338-1 that broke mod_http2 module loading on Ubuntu 18.04 LTS
  • Original update patched HTTP response splitting vulnerabilities (CVE-2023-38709, CVE-2024-24795) and HTTP/2 memory exhaustion issues (CVE-2023-45802)
  • Administrators should apply the regression fix to restore HTTP/2 functionality without losing security improvements
  • The issue demonstrates the importance of thorough testing before deploying security patches to production environments

Ubuntu released security update USN-8338-2 to address an unintended regression introduced by the previous Apache HTTP Server security patch. The original update (USN-8338-1) successfully resolved multiple critical vulnerabilities but inadvertently prevented the mod_http2 module from loading on Ubuntu 18.04 LTS systems.

This follow-up patch restores mod_http2 functionality while preserving the security fixes from the initial release. Organizations running Apache on affected Ubuntu versions should prioritize applying this regression fix to maintain both security posture and HTTP/2 support.

Original Vulnerabilities Addressed

  • CVE-2023-38709 and CVE-2024-24795: HTTP response splitting attacks via improper header handling (Ubuntu 14.04 LTS)
  • CVE-2023-45802: HTTP/2 memory exhaustion denial of service caused by improper stream reset handling (Ubuntu 18.04 LTS)
  • mod_proxy URL encoding vulnerability allowing potential remote attacks

Regression Impact and Resolution

  • USN-8338-1 introduced a regression preventing mod_http2 module from loading on Ubuntu 18.04 LTS
  • USN-8338-2 corrects the module loading issue without reverting security improvements
  • Administrators should update systems to restore HTTP/2 functionality and maintain vulnerability patches
  • Demonstrates importance of regression testing in security update pipelines

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

Apache HTTP Server Regression Fix: mod_http2 Loading Issue Resolved — Agent Breach Blog | Agent Breach