Univention Bugzilla – Bug 55187
apache2: Multiple issues (5.0)
Last modified: 2022-09-13 17:50:19 CEST
New Debian apache2 2.4.38-3+deb10u8A~5.0.2.202209111835 fixes:

This update addresses the following issues:
* mod_lua: Use of uninitialized value in r:parsebody (CVE-2022-22719)
* Errors encountered during the discarding of request body lead to HTTP request smuggling (CVE-2022-22720)
* core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (CVE-2022-22721)
* mod_sed: Read/write beyond bounds (CVE-2022-23943)
* mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)
* out-of-bounds read via ap_rwrite() (CVE-2022-28614)
* out-of-bounds read in ap_strcmp_match() (CVE-2022-28615)
* mod_lua: DoS in r:parsebody (CVE-2022-29404)
* mod_sed: DoS vulnerability (CVE-2022-30522)
* mod_lua: Information disclosure with websockets (CVE-2022-30556)
* mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813)
--- mirror/ftp/pool/main/a/apache2/apache2_2.4.38-3+deb10u7A~5.0.0.202201051001.dsc +++ apt/ucs_5.0-0-errata5.0-2/source/apache2_2.4.38-3+deb10u8A~5.0.2.202209111835.dsc @@ -1,7 +1,22 @@ -2.4.38-3+deb10u7A~5.0.0.202201051001 [Wed, 05 Jan 2022 10:01:19 +0100] Univention builddaemon <buildd@univention.de>: +2.4.38-3+deb10u8A~5.0.2.202209111835 [Sun, 11 Sep 2022 18:36:26 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 20-no-proxy + +2.4.38-3+deb10u8 [Mon, 20 Jun 2022 15:03:00 -0400] Roberto C. Sánchez <roberto@debian.org>: + + * Non-maintainer upload. + * CVE-2022-22719: denial of service in mod_lua via crafted request body. + * CVE-2022-22720: HTTP request smuggling. + * CVE-2022-22721: integer overflow leading to buffer overflow write. + * CVE-2022-23943: heap memory overwrite via crafted data in mod_sed. + * CVE-2022-26377: mod_proxy_ajp: Possible request smuggling. + * CVE-2022-28614: read beyond bounds via ap_rwrite(). + * CVE-2022-28615: Read beyond bounds in ap_strcmp_match(). + * CVE-2022-29404: Denial of service in mod_lua r:parsebody. + * CVE-2022-30522: mod_sed denial of service. + * CVE-2022-30556: Information Disclosure in mod_lua with websockets. + * CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism. 2.4.38-3+deb10u7 [Tue, 21 Dec 2021 17:50:43 +0100] Yadd <yadd@debian.org>: <http://piuparts.knut.univention.de/5.0-2/#2074946467113710181>
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-2] 9d1622d361 Bug #55187: apache2 2.4.38-3+deb10u8A~5.0.2.202209111835
 doc/errata/staging/apache2.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

[5.0-2] b5563c518a Bug #55187: apache2 2.4.38-3+deb10u8A~5.0.2.202209111835
 doc/errata/staging/apache2.yaml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x412>