Source: apache2 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerabilities were published for apache2. CVE-2022-31813[0]: | Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* | headers to the origin server based on client side Connection header | hop-by-hop mechanism. This may be used to bypass IP based | authentication on the origin server/application. CVE-2022-26377[1]: | Inconsistent Interpretation of HTTP Requests ('HTTP Request | Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server | allows an attacker to smuggle requests to the AJP server it forwards | requests to. This issue affects Apache HTTP Server Apache HTTP Server | 2.4 version 2.4.53 and prior versions. CVE-2022-28614[2]: | The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may | read unintended memory if an attacker can cause the server to reflect | very large input using ap_rwrite() or ap_rputs(), such as with | mod_luas r:puts() function. CVE-2022-28615[3]: | Apache HTTP Server 2.4.53 and earlier may crash or disclose | information due to a read beyond bounds in ap_strcmp_match() when | provided with an extremely large input buffer. While no code | distributed with the server can be coerced into such a call, third- | party modules or lua scripts that use ap_strcmp_match() may | hypothetically be affected. CVE-2022-29404[4]: | In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua | script that calls r:parsebody(0) may cause a denial of service due to | no default limit on possible input size. CVE-2022-30522[5]: | If Apache HTTP Server 2.4.53 is configured to do transformations with | mod_sed in contexts where the input to mod_sed may be very large, | mod_sed may make excessively large memory allocations and trigger an | abort. CVE-2022-30556[6]: | Apache HTTP Server 2.4.53 and earlier may return lengths to | applications calling r:wsread() that point past the end of the storage | allocated for the buffer. As usual Apache fails to directly identify fixing commits at https://httpd.apache.org/security/vulnerabilities_24.html If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-31813 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813 [1] https://security-tracker.debian.org/tracker/CVE-2022-26377 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377 [2] https://security-tracker.debian.org/tracker/CVE-2022-28614 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614 [3] https://security-tracker.debian.org/tracker/CVE-2022-28615 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615 [4] https://security-tracker.debian.org/tracker/CVE-2022-29404 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404 [5] https://security-tracker.debian.org/tracker/CVE-2022-30522 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522 [6] https://security-tracker.debian.org/tracker/CVE-2022-30556 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556 Please adjust the affected versions in the BTS as needed.