Bug#1012513: marked as done (apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556)

Your message dated Sat, 02 Jul 2022 17:17:07 +
with message-id
and subject line Bug#1012513: fixed in apache2 2.4.54-1~deb11u1
has caused the Debian Bug report #1012513,
regarding apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1012513: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012513
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2022-31813[0]:
| Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-*
| headers to the origin server based on client side Connection header
| hop-by-hop mechanism. This may be used to bypass IP based
| authentication on the origin server/application.

CVE-2022-26377[1]:
| Inconsistent Interpretation of HTTP Requests ('HTTP Request
| Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
| allows an attacker to smuggle requests to the AJP server it forwards
| requests to. This issue affects Apache HTTP Server Apache HTTP Server
| 2.4 version 2.4.53 and prior versions.

CVE-2022-28614[2]:
| The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may
| read unintended memory if an attacker can cause the server to reflect
| very large input using ap_rwrite() or ap_rputs(), such as with
| mod_lua's r:puts() function.

CVE-2022-28615[3]:
| Apache HTTP Server 2.4.53 and earlier may crash or disclose
| information due to a read beyond bounds in ap_strcmp_match() when
| provided with an extremely large input buffer. While no code
| distributed with the server can be coerced into such a call,
| third-party modules or lua scripts that use ap_strcmp_match() may
| hypothetically be affected.

CVE-2022-29404[4]:
| In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua
| script that calls r:parsebody(0) may cause a denial of service due to
| no default limit on possible input size.

CVE-2022-30522[5]:
| If Apache HTTP Server 2.4.53 is configured to do transformations with
| mod_sed in contexts where the input to mod_sed may be very large,
| mod_sed may make excessively large memory allocations and trigger an
| abort.

CVE-2022-30556[6]:
| Apache HTTP Server 2.4.53 and earlier may return lengths to
| applications calling r:wsread() that point past the end of the storage
| allocated for the buffer.

As usual Apache fails to directly identify fixing commits at
https://httpd.apache.org/security/vulnerabilities_24.html

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31813
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
[1] https://security-tracker.debian.org/tracker/CVE-2022-26377
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
[2] https://security-tracker.debian.org/tracker/CVE-2022-28614
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
[3] https://security-tracker.debian.org/tracker/CVE-2022-28615
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
[4] https://security-tracker.debian.org/tracker/CVE-2022-29404
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
[5] https://security-tracker.debian.org/tracker/CVE-2022-30522
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
[6] https://security-tracker.debian.org/tracker/CVE-2022-30556
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556

Please adjust the affected versions in the BTS as needed.
--- End Message ---

--- Begin Message ---
Source: apache2
Source-Version: 2.4.54-1~deb11u1
Done: Yadd

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1012...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED
Bug#1012513: marked as done (apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556)

Your message dated Thu, 09 Jun 2022 05:03:55 +
with message-id
and subject line Bug#1012513: fixed in apache2 2.4.54-1
has caused the Debian Bug report #1012513,
regarding apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1012513: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012513
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2022-31813[0]:
| Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-*
| headers to the origin server based on client side Connection header
| hop-by-hop mechanism. This may be used to bypass IP based
| authentication on the origin server/application.

CVE-2022-26377[1]:
| Inconsistent Interpretation of HTTP Requests ('HTTP Request
| Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
| allows an attacker to smuggle requests to the AJP server it forwards
| requests to. This issue affects Apache HTTP Server Apache HTTP Server
| 2.4 version 2.4.53 and prior versions.

CVE-2022-28614[2]:
| The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may
| read unintended memory if an attacker can cause the server to reflect
| very large input using ap_rwrite() or ap_rputs(), such as with
| mod_lua's r:puts() function.

CVE-2022-28615[3]:
| Apache HTTP Server 2.4.53 and earlier may crash or disclose
| information due to a read beyond bounds in ap_strcmp_match() when
| provided with an extremely large input buffer. While no code
| distributed with the server can be coerced into such a call,
| third-party modules or lua scripts that use ap_strcmp_match() may
| hypothetically be affected.

CVE-2022-29404[4]:
| In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua
| script that calls r:parsebody(0) may cause a denial of service due to
| no default limit on possible input size.

CVE-2022-30522[5]:
| If Apache HTTP Server 2.4.53 is configured to do transformations with
| mod_sed in contexts where the input to mod_sed may be very large,
| mod_sed may make excessively large memory allocations and trigger an
| abort.

CVE-2022-30556[6]:
| Apache HTTP Server 2.4.53 and earlier may return lengths to
| applications calling r:wsread() that point past the end of the storage
| allocated for the buffer.

As usual Apache fails to directly identify fixing commits at
https://httpd.apache.org/security/vulnerabilities_24.html

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31813
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
[1] https://security-tracker.debian.org/tracker/CVE-2022-26377
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
[2] https://security-tracker.debian.org/tracker/CVE-2022-28614
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
[3] https://security-tracker.debian.org/tracker/CVE-2022-28615
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
[4] https://security-tracker.debian.org/tracker/CVE-2022-29404
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
[5] https://security-tracker.debian.org/tracker/CVE-2022-30522
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
[6] https://security-tracker.debian.org/tracker/CVE-2022-30556
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556

Please adjust the affected versions in the BTS as needed.
--- End Message ---

--- Begin Message ---
Source: apache2
Source-Version: 2.4.54-1
Done: Yadd

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1012...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: