Univention Bugzilla – Bug 56013
apache2: Multiple issues (5.0)
Last modified: 2023-05-03 15:40:42 CEST
New Debian apache2 2.4.38-3+deb10u10A~5.0.3.202304251027 fixes:
This update addresses the following issues:
* HTTP request splitting with mod_rewrite and mod_proxy (CVE-2023-25690)
* mod_proxy_uwsgi HTTP response splitting (CVE-2023-27522)
--- mirror/ftp/pool/main/a/apache2/apache2_2.4.38-3+deb10u9A~5.0.3.202303031021.dsc +++ apt/ucs_5.0-0-errata5.0-3/source/apache2_2.4.38-3+deb10u10A~5.0.3.202304251027.dsc @@ -1,7 +1,22 @@ -2.4.38-3+deb10u9A~5.0.3.202303031021 [Fri, 03 Mar 2023 10:22:33 +0100] Univention builddaemon <buildd@univention.de>: +2.4.38-3+deb10u10A~5.0.3.202304251027 [Tue, 25 Apr 2023 10:28:31 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 20-no-proxy + +2.4.38-3+deb10u10 [Fri, 21 Apr 2023 22:01:00 +0000] Bastien Roucariès <rouca@debian.org>: + + * Non-maintainer upload by the LTS Team. + * CVE-2023-27522: HTTP Response Smuggling in mod_proxy_uwsgi + (Closes: #1032476) + * CVE-2023-25690: Some mod_proxy configurations allow a HTTP + Request Smuggling attack. Configurations are affected + when mod_proxy is enabled along with some form of RewriteRule + or ProxyPassMatch in which a non-specific pattern matches + some portion of the user-supplied request-target (URL) + data and is then re-inserted into the proxied request-target + using variable substitution. (Closes: #1032476) + * Backport perl-framework testsuite from sid + * Backport regression fix for CVE-2023-25690 2.4.38-3+deb10u9 [Thu, 02 Mar 2023 15:26:27 +0100] Lee Garrett <debian@rocketjump.eu>: <http://piuparts.knut.univention.de/5.0-3/#2837773942504143828>
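Review bot: both new changelog entries in the deb10u10 stanza close the same bug number, `(Closes: #1032476)` after the CVE-2023-27522 line and again after the CVE-2023-25690 description; since these are two distinct issues, please confirm that #1032476 is a single tracking bug covering both CVEs, otherwise one of the two references is a copy-paste slip and should point at its own bug. Minor wording in the same entry: "allow a HTTP Request Smuggling attack" should read "an HTTP".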
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-3] 882a37d3dd Bug #56013: apache2 2.4.38-3+deb10u10A~5.0.3.202304251027
 doc/errata/staging/apache2.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x649>