Your message dated Wed, 08 Mar 2023 03:19:22 +0000
with message-id <e1pzkko-00hq0i...@fasolo.debian.org>
and subject line Bug#1032476: fixed in apache2 2.4.56-1
has caused the Debian Bug report #1032476,
regarding apache2: CVE-2023-25690 CVE-2023-27522
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1032476: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032476
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.55-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for apache2.

CVE-2023-25690[0]:
| Some mod_proxy configurations on Apache HTTP Server versions 2.4.0
| through 2.4.55 allow a HTTP Request Smuggling attack. Configurations
| are affected when mod_proxy is enabled along with some form of
| RewriteRule or ProxyPassMatch in which a non-specific pattern matches
| some portion of the user-supplied request-target (URL) data and is
| then re-inserted into the proxied request-target using variable
| substitution. For example, something like: RewriteEngine on
| RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
| ProxyPassReverse /here/ http://example.com:8080/ Request
| splitting/smuggling could result in bypass of access controls in the
| proxy server, proxying unintended URLs to existing origin servers, and
| cache poisoning. Users are recommended to update to at least version
| 2.4.56 of Apache HTTP Server.


CVE-2023-27522[1]:
| HTTP Response Smuggling vulnerability in Apache HTTP Server via
| mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30
| through 2.4.55. Special characters in the origin response header can
| truncate/split the response forwarded to the client.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25690
    https://www.cve.org/CVERecord?id=CVE-2023-25690
[1] https://security-tracker.debian.org/tracker/CVE-2023-27522
    https://www.cve.org/CVERecord?id=CVE-2023-27522

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
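The CVE-2023-25690 text above describes an affected configuration shape: a proxying RewriteRule or ProxyPassMatch whose non-specific capture is re-inserted into the proxied request-target through $N substitution. The following audit script is an added example (it is not part of the bug report, the Apache project, or the Debian package); it runs over a constructed httpd config fragment and lists rules of that shape so they can be prioritised for the 2.4.56 update or tightened. The capture patterns it treats as "broad" (`.*`, `.+`, `[^/]*`, `[^/]+`) are an assumed heuristic, since all of them still admit whitespace and control characters after URL decoding.

```python
import re
import shlex

# Constructed sample httpd configuration (not from the original report).
# Line 3 is the exact shape quoted in the CVE text; line 5 is the
# ProxyPassMatch variant; lines 6 and 7 are a tight capture and a
# plain redirect, neither of which builds a proxied request-target.
SAMPLE_CONFIG = r"""
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
ProxyPassMatch "^/api/(.*)$" "http://backend:9000/v1/$1"
RewriteRule "^/img/([A-Za-z0-9_-]+)\.png$" "http://img:8080/$1.png" [P,L]
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
"""

# Assumed heuristic: captures that accept any character, including CR/LF
# and spaces once the request-target has been decoded.
BROAD_CAPTURE = re.compile(r"\((?:\.\*|\.\+|\[\^/\]\*|\[\^/\]\+)\??\)")
BACKREF = re.compile(r"\$[1-9]")


def _rewrite_flags(tokens):
    """Return the lower-cased flag list of a RewriteRule, e.g. ['p', 'l']."""
    if len(tokens) >= 4 and tokens[3].startswith("[") and tokens[3].endswith("]"):
        return [f.strip().lower() for f in tokens[3][1:-1].split(",")]
    return []


def find_risky_rules(config_text):
    """Return (line_no, directive, reason) for each rule where a broad capture
    is re-inserted via $N into a request-target that mod_proxy will forward."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # honours the quoting httpd.conf uses
        except ValueError:
            continue  # unbalanced quotes: not a rule we can reason about
        if len(tokens) < 3:
            continue
        directive, pattern, target = tokens[0].lower(), tokens[1], tokens[2]
        if directive == "rewriterule":
            flags = _rewrite_flags(tokens)
            if not any(f == "p" or f.startswith("proxy") for f in flags):
                continue  # redirect or internal rewrite: nothing is proxied
        elif directive != "proxypassmatch":
            continue
        if BROAD_CAPTURE.search(pattern) and BACKREF.search(target):
            findings.append((line_no, tokens[0],
                             "broad capture re-inserted into proxied target"))
    return findings


if __name__ == "__main__":
    for line_no, directive, reason in find_risky_rules(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive}: {reason}")
```

A hit only means the rule has the shape the advisory describes; the fix is the 2.4.56 update, with a narrower capture as defence in depth.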
--- Begin Message ---
Source: apache2
Source-Version: 2.4.56-1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 08 Mar 2023 06:44:05 +0400
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.56-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1032476
Changes:
 apache2 (2.4.56-1) unstable; urgency=medium
 .
   * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)

--- End Message ---