Univention Bugzilla – Bug 57341
apache2: Multiple issues (4.4)
Last modified: 2024-05-29 12:32:00 CEST
New Debian apache2 2.4.25-3+deb9u16A~4.4.9.202405270805 fixes:

This update addresses the following issues:

2.4.25-3+deb9u16 (Sun, 26 May 2024 13:47:43 +0000)
* Non-maintainer upload by the ELTS team.
* Fix CVE-2023-31122: Fix an Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.
* Fix CVE-2023-38709: Fix faulty input validation in the core of Apache that allows malicious or exploitable backend/content generators to split HTTP responses.
* Fix CVE-2024-24795: Fix HTTP Response splitting in multiple modules. Apache allowed an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.
* Fix autopkgtest suite.
--- mirror/ftp/4.4/unmaintained/component/4.4-9-errata/source/apache2_2.4.25-3+deb9u14A~4.4.9.202210182015.dsc +++ apt/ucs_4.4-0-errata4.4-9/source/apache2_2.4.25-3+deb9u16A~4.4.9.202405270805.dsc 
@@ -1,9 +1,48 @@ -2.4.25-3+deb9u14A~4.4.9.202210182015 [Tue, 18 Oct 2022 20:43:35 +0200] Univention builddaemon <buildd@univention.de>: +2.4.25-3+deb9u16A~4.4.9.202405270805 [Mon, 27 May 2024 08:06:03 -0000] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package - 05-autostart-setting - 10-apache2-reload - 20-no-proxy + 05-autostart-setting.patch + 10-apache2-reload.patch + 20-no-proxy.patch + +2.4.25-3+deb9u16 [Sun, 26 May 2024 13:47:43 +0000] Bastien Roucariès <rouca@debian.org>: + + * Non-maintainer upload by the ELTS team. + * Fix CVE-2023-31122: Fix and Out-of-bounds Read vulnerability + in mod_macro of Apache HTTP Server + * Fix CVE-2023-38709: Fix a faulty input validation in the + core of Apache allows malicious or exploitable backend/content + generators to split HTTP responses. + * Fix CVE-2024-24795: Fix HTTP Response splitting in multiple + modules. Apache allowed an attacker that can inject malicious + response headers into backend applications to cause an + HTTP desynchronization attack. + * Fix autopkgtest suite. + +2.4.25-3+deb9u15 [Tue, 25 Apr 2023 08:16:21 +0000] Bastien Roucariès <rouca@debian.org>: + + * Non-maintainer upload by the ELTS team. + * CVE-2023-25690: Some mod_proxy configurations allow a HTTP + Request Smuggling attack. Configurations are affected + when mod_proxy is enabled along with some form of RewriteRule + or ProxyPassMatch in which a non-specific pattern matches + some portion of the user-supplied request-target (URL) + data and is then re-inserted into the proxied request-target + using variable substitution. (Closes: #1032476) + * CVE-2022-36760: Inconsistent Interpretation of HTTP Requests + (‘HTTP Request Smuggling’) vulnerability in mod_proxy_ajp + of Apache HTTP Server allows an attacker to smuggle requests + to the AJP server it forwards requests to. 
+ * CVE-2006-20001: A carefully crafted If: request header can cause + a memory read, or write of a single zero byte, in a pool (heap) + memory location beyond the header value sent. + This could cause the process to crash. + * CVE-2022-37436: a malicious backend can cause the response + headers to be truncated early, resulting in some headers + being incorporated into the response body. + If the later headers have any security purpose, they will + not be interpreted by the client. + * Backport regression fix for CVE-2023-25690. 2.4.25-3+deb9u14 [Sat, 18 Jun 2022 20:05:41 -0400] Roberto C. Sánchez <roberto@debian.org>: <http://piuparts.knut.univention.de/4.4-9/#7020263848491978319>
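Review bot: the changelog text added in the deb9u16 stanza has two wording defects that will be carried into the errata announcement as-is: the CVE-2023-31122 entry reads "Fix and Out-of-bounds Read vulnerability" ("and" should be "an"), and the CVE-2023-38709 entry ("Fix a faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses") lacks a relative pronoun ("... in the core of Apache that allows ..."). Since this hunk covers only the .dsc changelog, the upstream commits backported for CVE-2023-31122, CVE-2023-38709 and CVE-2024-24795 are not visible here; referencing the Debian ELTS advisory or the upstream commit ids in the errata entry would let reviewers verify the fix content rather than only the version bump.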
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-9] 984aeccf2d Bug #57341: apache2 2.4.25-3+deb9u16A~4.4.9.202405270805
 doc/errata/staging/apache2.yaml | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

[4.4-9] aa98280037 Bug #57341: apache2 2.4.25-3+deb9u16A~4.4.9.202405270805
 doc/errata/staging/apache2.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x1576>