On Wed, 2023-01-18 at 11:25 +0400, Yadd wrote:
> Apache2 has 3 new security issues:
> * CVE-2006-20001: mod_dav out of bounds read, or write of zero byte.
> A carefully crafted If: request header can cause a memory read, or write
> of a single zero byte, in a pool (heap) memory location beyond the header
> value sent. This could cause the process to crash.
> * CVE-2022-36760: mod_proxy_ajp Possible request smuggling.
> Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
> vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker
> to smuggle requests to the AJP server it forwards requests to.
> * CVE-2022-37436: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP
> response splitting.
> A malicious backend can cause the response headers to be truncated early,
> resulting in some headers being incorporated into the response body. If
> the later headers have any security purpose, they will not be interpreted
> by the client.
Apologies for letting this fall through the cracks until now.

From comments in #1032977, it sounds as if this request has been effectively superseded by an impending DSA release?

Regards,

Adam
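The quoted advisory for CVE-2022-37436 describes the symptom (the header block ends early and later headers land in the body, where a client never honours them) but not how a backend triggers it. The following is an added example, not code from Apache httpd, Debian or anyone in this thread: a small client-side check that parses a raw HTTP/1.1 response the way a browser does and reports which security-relevant headers ended up as body text. The list of header names and the two sample responses are assumptions constructed for the example; the trigger itself is not reproduced here.

```python
"""Detect the symptom described for CVE-2022-37436: security headers
that sit in the response body instead of the header block.

Added example, not Apache httpd or Debian code. The header list and
the sample responses below are constructed for illustration."""
import re

# Header names whose loss matters to a client (assumed list; extend to taste).
SECURITY_HEADERS = frozenset({
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "set-cookie",
})

# An RFC 9110 field-name token followed by a colon.
_FIELD_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):")


def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response the way a client does: status line,
    then header fields up to the first empty line, then the body.
    Raises ValueError if the header block never terminates."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is not terminated by an empty line")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return status, headers, body


def headers_leaked_into_body(raw: bytes):
    """Return the security-relevant header names a client would ignore
    because they appear in the leading run of header-shaped lines that
    follows the first empty line, i.e. in the body."""
    _, _, body = split_response(raw)
    leaked = []
    for line in body.split(b"\r\n"):
        m = _FIELD_LINE.match(line)
        if not m:
            break  # the real body starts here; stop scanning
        name = m.group(1).decode("latin-1").lower()
        if name in SECURITY_HEADERS:
            leaked.append(name)
    return leaked


# Constructed sample: the header block was cut short after Content-Type,
# so the two security headers are now the first lines of the body.
TRUNCATED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Set-Cookie: session=abc; HttpOnly; Secure\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Constructed sample: the same response with an intact header block.
INTACT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Set-Cookie: session=abc; HttpOnly; Secure\r\n"
    b"\r\n"
    b"<html>...</html>"
)

if __name__ == "__main__":
    for label, sample in (("truncated", TRUNCATED), ("intact", INTACT)):
        print(label, "leaked:", headers_leaked_into_body(sample))
```

Feed it the bytes captured from the proxy (for example from a socket or a pcap), not a parsed response object, since a client library would already have discarded the body lines this check is looking for. Only the leading run of header-shaped lines is inspected, so an ordinary text body that happens to contain a "Set-Cookie:" string further down does not trip it.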