Bug#1032476: apache2: CVE-2023-25690 CVE-2023-27522
On 3/8/23 22:39, Moritz Muehlenhoff wrote:
> On Wed, Mar 08, 2023 at 07:09:20AM +0400, Yadd wrote:
> > On 3/7/23 23:46, Salvatore Bonaccorso wrote:
> > > Source: apache2
> > > Version: 2.4.55-1
> > > Severity: grave
> > > Tags: security upstream
> > > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > >
> > > Hi,
> > >
> > > The following vulnerabilities were published for apache2.
> > >
> > > CVE-2023-25690[0]:
> > >
> > > CVE-2023-27522[1]:
> >
> > Hi,
> >
> > here is the debdiff for Bullseye
>
> I'm fine with a DSA, but we've seen a fair amount of regressions in 2.4.x
> releases, so let's wait a few days for regressions reported in sid (and
> Ondrej's PHP repo). You can already upload the new version, though (we can
> reject/reupload if needed).
>
> Cheers,
>         Moritz

Hi,

thanks, I just uploaded it.

Regards,
Bug#1032476: apache2: CVE-2023-25690 CVE-2023-27522
On Wed, Mar 08, 2023 at 07:09:20AM +0400, Yadd wrote:
> On 3/7/23 23:46, Salvatore Bonaccorso wrote:
> > Source: apache2
> > Version: 2.4.55-1
> > Severity: grave
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> >
> > Hi,
> >
> > The following vulnerabilities were published for apache2.
> >
> > CVE-2023-25690[0]:
> >
> > CVE-2023-27522[1]:
>
> Hi,
>
> here is the debdiff for Bullseye

I'm fine with a DSA, but we've seen a fair amount of regressions in 2.4.x
releases, so let's wait a few days for regressions reported in sid (and
Ondrej's PHP repo). You can already upload the new version, though (we can
reject/reupload if needed).

Cheers,
        Moritz
Bug#1032476: apache2: CVE-2023-25690 CVE-2023-27522
Source: apache2
Version: 2.4.55-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerabilities were published for apache2.

CVE-2023-25690[0]:
| Some mod_proxy configurations on Apache HTTP Server versions 2.4.0
| through 2.4.55 allow a HTTP Request Smuggling attack. Configurations
| are affected when mod_proxy is enabled along with some form of
| RewriteRule or ProxyPassMatch in which a non-specific pattern matches
| some portion of the user-supplied request-target (URL) data and is
| then re-inserted into the proxied request-target using variable
| substitution. For example, something like:
|
|     RewriteEngine on
|     RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
|     ProxyPassReverse /here/ http://example.com:8080/
|
| Request splitting/smuggling could result in bypass of access controls in
| the proxy server, proxying unintended URLs to existing origin servers,
| and cache poisoning. Users are recommended to update to at least version
| 2.4.56 of Apache HTTP Server.

CVE-2023-27522[1]:
| HTTP Response Smuggling vulnerability in Apache HTTP Server via
| mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30
| through 2.4.55. Special characters in the origin response header can
| truncate/split the response forwarded to the client.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25690
    https://www.cve.org/CVERecord?id=CVE-2023-25690
[1] https://security-tracker.debian.org/tracker/CVE-2023-27522
    https://www.cve.org/CVERecord?id=CVE-2023-27522

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
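The two advisory texts quoted in the bug report describe a configuration shape (a proxied RewriteRule or ProxyPassMatch that re-inserts a catch-all capture of the request-target into the proxied target) and a response-header problem (special characters from the origin splitting the response forwarded to the client). The Python script below is an added example and is not part of this bug report, of the Debian packaging, or of the Apache httpd project: it flags directives of that shape in a config file, checks a Debian-style version string against the 2.4.56 fix release and the 2.4.30 to 2.4.55 range the second advisory gives for mod_proxy_uwsgi, and rejects origin response headers that carry control characters. The config fragment and the header list are constructed samples, and the flagging rules are my own heuristic reading of the advisory wording, not a proof that a flagged rule is exploitable.

```python
"""Audit helpers for the two httpd advisories quoted in this bug report.

Added example, not code from the bug report, Debian or Apache httpd.  The
config text and the header list are constructed samples; the flagging rules
are a heuristic matching the advisory wording, not an exploitability proof.
"""
import re

# Constructed vhost fragment.  Line 2 has the shape the CVE-2023-25690 text
# quotes; the other lines are made up to show what is and is not flagged.
SAMPLE_CONF = """\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
ProxyPassMatch "^/api/(.*)$" "http://backend:9000/v1/$1"
RewriteRule "^/static/(.*)$" "/var/www/static/$1" [L]
RewriteRule "^/legacy$" "http://example.com:8080/new" [P]
"""

BACKREF = re.compile(r"\$[1-9]")             # $1..$9 substitution in the target
CATCH_ALL = re.compile(r"\(\.[*+]\)")        # (.*) or (.+) capture group
FIRST_FIXED = (2, 4, 56)                     # release the advisory points to
UWSGI_AFFECTED = ((2, 4, 30), (2, 4, 55))    # range given for CVE-2023-27522


def parse_version(text):
    """'2.4.55-1' (Debian style) or '2.4.55' -> (2, 4, 55)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("not an httpd version: %r" % text)
    return tuple(int(x) for x in m.groups())


def needs_update(version):
    """True when the installed httpd is older than the first release with both fixes."""
    return parse_version(version) < FIRST_FIXED


def uwsgi_affected(version):
    """True when the version lies in the mod_proxy_uwsgi range from the advisory."""
    lo, hi = UWSGI_AFFECTED
    return lo <= parse_version(version) <= hi


def tokenize(line):
    """Split one httpd directive line, honouring double quotes (no shell expansion)."""
    return [q if q != "" else w for q, w in re.findall(r'"([^"]*)"|(\S+)', line)]


def rewrite_flags(token):
    """'[P,E=var:val]' -> {'P', 'E'}: flag names only, upper-cased."""
    return {f.split("=", 1)[0].strip().upper()
            for f in token.strip("[]").split(",") if f.strip()}


def audit_proxy_rules(conf):
    """Flag proxied RewriteRule / ProxyPassMatch directives that re-insert a
    capture of the request-target into the proxied target (the CVE-2023-25690
    shape).  Returns a list of (line_no, directive, [reasons])."""
    findings = []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = tokenize(line)
        name = tok[0].lower()
        if name == "rewriterule" and len(tok) >= 3:
            pattern, subst = tok[1], tok[2]
            flags = rewrite_flags(tok[3]) if len(tok) > 3 else set()
            proxied = bool(flags & {"P", "PROXY"})
        elif name == "proxypassmatch" and len(tok) >= 3:
            pattern, subst = tok[1], tok[2]
            proxied = True
        else:
            continue
        if not proxied or not BACKREF.search(subst):
            continue                       # nothing user-controlled is re-inserted
        reasons = []
        if CATCH_ALL.search(pattern):
            reasons.append("catch-all capture of the request-target re-inserted into the proxied target")
        if "?" in subst:
            reasons.append("literal '?' in the substitution: captured data lands in the query string")
        if reasons:
            findings.append((no, name, reasons))
    return findings


TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # RFC 9110 field-name token
CTL = re.compile(r"[\x00-\x1f\x7f]")                  # CR, LF, NUL and other controls


def unsafe_origin_headers(headers):
    """Return the (name, value) pairs an origin sent that a proxy must not forward
    verbatim: a non-token name or a control character in the value can terminate
    or split the response on the client side (the CVE-2023-27522 class of bug)."""
    return [(n, v) for n, v in headers if not TOKEN.fullmatch(n) or CTL.search(v)]


# Constructed origin reply: one value smuggles a CRLF and a fake second header.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("X-Debug", "ok\r\nSet-Cookie: session=attacker"),
    ("Bad Name", "x"),
]

if __name__ == "__main__":
    for ver in ("2.4.55-1", "2.4.56-1"):
        print(ver, "update needed" if needs_update(ver) else "has the fixes",
              "(mod_proxy_uwsgi range)" if uwsgi_affected(ver) else "")
    for no, directive, reasons in audit_proxy_rules(SAMPLE_CONF):
        print("line %d %s: %s" % (no, directive, "; ".join(reasons)))
    for name, value in unsafe_origin_headers(SAMPLE_HEADERS):
        print("refuse to forward header %r" % name)
```

Run it against a real vhost by passing the file contents to audit_proxy_rules(); a hit only tells you which rules match the advisory's description so you can review them, and the only remedy the advisory itself gives is updating to 2.4.56 or later (for Debian, the fixed 2.4.55-1 follow-up the thread discusses).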