Source: apache2
Version: 2.4.55-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for apache2.

CVE-2023-25690[0]:
| Some mod_proxy configurations on Apache HTTP Server versions 2.4.0
| through 2.4.55 allow a HTTP Request Smuggling attack. Configurations
| are affected when mod_proxy is enabled along with some form of
| RewriteRule or ProxyPassMatch in which a non-specific pattern matches
| some portion of the user-supplied request-target (URL) data and is
| then re-inserted into the proxied request-target using variable
| substitution. For example, something like:
|
|   RewriteEngine on
|   RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
|   ProxyPassReverse /here/ http://example.com:8080/
|
| Request splitting/smuggling could result in bypass of access controls in the
| proxy server, proxying unintended URLs to existing origin servers, and
| cache poisoning. Users are recommended to update to at least version
| 2.4.56 of Apache HTTP Server.

CVE-2023-27522[1]:
| HTTP Response Smuggling vulnerability in Apache HTTP Server via
| mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30
| through 2.4.55. Special characters in the origin response header can
| truncate/split the response forwarded to the client.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25690
    https://www.cve.org/CVERecord?id=CVE-2023-25690
[1] https://security-tracker.debian.org/tracker/CVE-2023-27522
    https://www.cve.org/CVERecord?id=CVE-2023-27522

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
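As an added example, not part of this bug report and not Apache's own tooling, here is a small Python audit that scans an httpd configuration for the shape described under CVE-2023-25690: a RewriteRule carrying the P (proxy) flag, or a ProxyPassMatch, whose proxied target re-inserts a capture ($1..$9) taken from the request-target. The sample configuration, the directive tokeniser and the "wildcard" heuristic (flagging bare `(.*)`-style groups as non-specific) are my own constructions; the script only lists candidates for review, the remedy the advisory gives is the upgrade to 2.4.56.

```python
import re
from typing import Dict, List

# Constructed sample config (not from any real server). The RewriteRule and
# ProxyPassReverse lines mirror the example quoted in the advisory.
SAMPLE_CONFIG = """
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
ProxyPassMatch "^/api/(.*)" "http://backend.internal:9000/v1/$1"
ProxyPassMatch "^/img/([0-9]+)\\.png$" "http://img.internal/$1.png"
RewriteRule "^/static/(.*)" "/assets/$1" [L]
"""

BACKREF = re.compile(r"\$[1-9]")          # $1..$9 substitution in the target
WILDCARD_GROUP = re.compile(r"\(\.[*+]\??\)")  # (.*), (.+), (.*?) ... groups


def _split_directive(line: str) -> List[str]:
    # Tokenise one directive line, honouring double-quoted arguments.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]


def find_risky_proxy_substitutions(config: str) -> List[Dict[str, object]]:
    """Return directives that copy part of the request-target into a proxied
    target: RewriteRule with the P/proxy flag, or ProxyPassMatch."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = _split_directive(line)
        name = tokens[0]
        if name == "RewriteRule" and len(tokens) >= 3:
            pattern, target = tokens[1], tokens[2]
            flags = tokens[3].strip("[]").split(",") if len(tokens) > 3 else []
            if not {"P", "proxy"} & {f.strip() for f in flags}:
                continue  # rewrite is internal/redirect only, no proxying
        elif name == "ProxyPassMatch" and len(tokens) >= 3:
            pattern, target = tokens[1], tokens[2]
        else:
            continue
        if not BACKREF.search(target):
            continue  # nothing from the request-target is re-inserted
        findings.append({"line": lineno, "directive": name, "pattern": pattern,
                         "target": target,
                         "wildcard": bool(WILDCARD_GROUP.search(pattern))})
    return findings


if __name__ == "__main__":
    for f in find_risky_proxy_substitutions(SAMPLE_CONFIG):
        print(f)
```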