Hi, those CVEs are tagged low/moderate by upstream, why did you tag this bug as grave?
Cheers,
Yadd

On Wednesday, June 08, 2022 17:49 CEST, Moritz Mühlenhoff <j...@inutil.org> wrote:
> Source: apache2
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for apache2.
>
> CVE-2022-31813[0]:
> | Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-*
> | headers to the origin server based on client side Connection header
> | hop-by-hop mechanism. This may be used to bypass IP based
> | authentication on the origin server/application.
>
> CVE-2022-26377[1]:
> | Inconsistent Interpretation of HTTP Requests ('HTTP Request
> | Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
> | allows an attacker to smuggle requests to the AJP server it forwards
> | requests to. This issue affects Apache HTTP Server Apache HTTP Server
> | 2.4 version 2.4.53 and prior versions.
>
> CVE-2022-28614[2]:
> | The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may
> | read unintended memory if an attacker can cause the server to reflect
> | very large input using ap_rwrite() or ap_rputs(), such as with
> | mod_lua's r:puts() function.
>
> CVE-2022-28615[3]:
> | Apache HTTP Server 2.4.53 and earlier may crash or disclose
> | information due to a read beyond bounds in ap_strcmp_match() when
> | provided with an extremely large input buffer. While no code
> | distributed with the server can be coerced into such a call,
> | third-party modules or lua scripts that use ap_strcmp_match() may
> | hypothetically be affected.
>
> CVE-2022-29404[4]:
> | In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua
> | script that calls r:parsebody(0) may cause a denial of service due to
> | no default limit on possible input size.
>
> CVE-2022-30522[5]:
> | If Apache HTTP Server 2.4.53 is configured to do transformations with
> | mod_sed in contexts where the input to mod_sed may be very large,
> | mod_sed may make excessively large memory allocations and trigger an
> | abort.
>
> CVE-2022-30556[6]:
> | Apache HTTP Server 2.4.53 and earlier may return lengths to
> | applications calling r:wsread() that point past the end of the storage
> | allocated for the buffer.
>
> As usual Apache fails to directly identify fixing commits at
> https://httpd.apache.org/security/vulnerabilities_24.html
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-31813
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
> [1] https://security-tracker.debian.org/tracker/CVE-2022-26377
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
> [2] https://security-tracker.debian.org/tracker/CVE-2022-28614
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
> [3] https://security-tracker.debian.org/tracker/CVE-2022-28615
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
> [4] https://security-tracker.debian.org/tracker/CVE-2022-29404
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
> [5] https://security-tracker.debian.org/tracker/CVE-2022-30522
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
> [6] https://security-tracker.debian.org/tracker/CVE-2022-30556
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
>
> Please adjust the affected versions in the BTS as needed.
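The first entry quoted above (CVE-2022-31813) matters to the origin application only if that application treats a missing X-Forwarded-For header as "direct, trusted connection" and falls back to the TCP peer address, which behind a reverse proxy is the proxy itself. The following added example, which is not part of the bug report or of Apache httpd, contrasts that fragile fallback with an origin-side check that fails closed when the header is absent. All addresses, the trusted-proxy range and the client allow-list are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not from the report): the reverse
# proxy lives in 10.0.0.0/8, and the application admits clients from an
# external range plus the internal network where the proxy also sits.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
ALLOWED_CLIENTS = [ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")]


def _in_any(addr, nets):
    """True when the textual address addr falls inside one of nets."""
    a = ip_address(addr)
    return any(a in n for n in nets)


def _lower_keys(headers):
    # Header names are case-insensitive; normalise once.
    return {k.lower(): v for k, v in headers.items()}


def naive_client_ip(headers, peer_addr):
    """Fragile pattern: trust X-Forwarded-For when present, otherwise the peer.

    Behind a proxy the peer is the proxy's own (internal) address, so a request
    that arrives without the header is attributed to the proxy.
    """
    h = _lower_keys(headers)
    return h.get("x-forwarded-for", peer_addr).split(",")[0].strip()


def client_ip(headers, peer_addr):
    """Fail-closed variant: return the address to authorise on, or None.

    If the peer is a trusted proxy, the proxy is expected to have appended
    X-Forwarded-For. When the header is missing (for example because it was
    dropped as hop-by-hop, the CVE-2022-31813 case), no client address can be
    established, so the caller must deny rather than fall back to the peer.
    """
    h = _lower_keys(headers)
    xff = h.get("x-forwarded-for")
    if _in_any(peer_addr, TRUSTED_PROXIES):
        if not xff:
            return None
        # The right-most entry is the one our proxy appended; anything to the
        # left was supplied by the client and is not authoritative.
        return xff.split(",")[-1].strip()
    # Not via the proxy: X-Forwarded-For is client-controlled, so ignore it.
    return peer_addr


def naive_is_authorized(headers, peer_addr):
    return _in_any(naive_client_ip(headers, peer_addr), ALLOWED_CLIENTS)


def is_authorized(headers, peer_addr):
    ip = client_ip(headers, peer_addr)
    return ip is not None and _in_any(ip, ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Constructed request as seen by the origin: peer is the proxy, header absent.
    via_proxy_no_header = ({}, "10.0.0.5")
    print("naive:", naive_is_authorized(*via_proxy_no_header))   # True (bypass)
    print("fail-closed:", is_authorized(*via_proxy_no_header))   # False
```

The point of the contrast is the empty-header case: with the naive helper an origin behind a 10.0.0.0/8 proxy grants access to any request that reaches it without X-Forwarded-For, because the proxy's own address is inside the allow-list; the fail-closed helper returns None and the request is denied. The right-most-entry rule is a general hardening for proxy-appended headers and applies independently of this CVE.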