Your message dated Thu, 23 Mar 2023 16:02:08 +0000
with message-id <e1pfnoc-009wth...@fasolo.debian.org>
and subject line Bug#1032476: fixed in apache2 2.4.56-1~deb11u1
has caused the Debian Bug report #1032476,
regarding apache2: CVE-2023-25690 CVE-2023-27522
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1032476: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032476
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.55-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for apache2.

CVE-2023-25690[0]:
| Some mod_proxy configurations on Apache HTTP Server versions 2.4.0
| through 2.4.55 allow a HTTP Request Smuggling attack. Configurations
| are affected when mod_proxy is enabled along with some form of
| RewriteRule or ProxyPassMatch in which a non-specific pattern matches
| some portion of the user-supplied request-target (URL) data and is
| then re-inserted into the proxied request-target using variable
| substitution. For example, something like:
|
|   RewriteEngine on
|   RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
|   ProxyPassReverse /here/ http://example.com:8080/
|
| Request splitting/smuggling could result in bypass of access controls in
| the proxy server, proxying unintended URLs to existing origin servers, and
| cache poisoning. Users are recommended to update to at least version
| 2.4.56 of Apache HTTP Server.


CVE-2023-27522[1]:
| HTTP Response Smuggling vulnerability in Apache HTTP Server via
| mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30
| through 2.4.55. Special characters in the origin response header can
| truncate/split the response forwarded to the client.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25690
    https://www.cve.org/CVERecord?id=CVE-2023-25690
[1] https://security-tracker.debian.org/tracker/CVE-2023-27522
    https://www.cve.org/CVERecord?id=CVE-2023-27522

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
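As an added example (not part of the bug report, the CVE record or the Debian package), a small Python audit script that flags the configuration shape the CVE-2023-25690 text describes: a RewriteRule with the [P] flag, or a ProxyPassMatch, whose pattern captures an arbitrary portion of the request target with (.*) or (.+) and re-inserts that capture into the proxied URL via $N. The directive names and flags are real Apache ones; the sample config fragment and the matching heuristic are constructed here, and the fix the page gives (upgrading to 2.4.56) still applies to anything the script does not flag.

```python
import re

# Constructed httpd.conf fragment (not from the Debian bug or the CVE record).
# Line 2 has the shape the CVE text describes; the other lines are controls.
SAMPLE_CONF = """\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
RewriteRule "^/api/([a-z0-9-]+)$" "http://backend:8080/v1/$1" [P]
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
ProxyPassMatch "^/app/(.*)$" "http://app:8080/$1"
ProxyPassMatch "^/static/([^/]+\\.css)$" "http://static:8080/$1"
"""

TOKEN = re.compile(r'"([^"]*)"|(\S+)')              # quoted or bare argument
CAPTURE_OPEN = re.compile(r"(?<!\\)\((?!\?)")         # start of a capturing group
BROAD_GROUP = re.compile(r"\((?:\.\*|\.\+)\??\)")     # (.*) (.+) (.*?) (.+?)

def _tokens(line):
    """Split one directive line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(line)]

def _broad_groups(pattern):
    """1-based numbers of the capture groups that accept arbitrary input."""
    found = []
    for number, m in enumerate(CAPTURE_OPEN.finditer(pattern), 1):
        if BROAD_GROUP.match(pattern, m.start()):
            found.append(number)
    return found

def find_risky_proxy_rules(conf):
    """Return (line_no, directive, substitution) for each proxying rule whose
    target URL re-inserts a catch-all capture of the request target."""
    findings = []
    for line_no, raw in enumerate(conf.splitlines(), 1):
        toks = _tokens(raw.strip())
        if len(toks) < 3 or toks[0] not in ("RewriteRule", "ProxyPassMatch"):
            continue
        directive, pattern, subst = toks[:3]
        if directive == "RewriteRule":
            flags = toks[3].strip("[]").split(",") if len(toks) > 3 else []
            if not any(f.strip() in ("P", "proxy") for f in flags):
                continue                  # not proxied by mod_proxy: out of scope
        refs = {int(d) for d in re.findall(r"\$(\d)", subst)}
        if refs & set(_broad_groups(pattern)):
            findings.append((line_no, directive, subst))
    return findings

if __name__ == "__main__":
    for line_no, directive, subst in find_risky_proxy_rules(SAMPLE_CONF):
        print(f"line {line_no}: {directive} re-inserts a catch-all capture into {subst}")
```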
--- Begin Message ---
Source: apache2
Source-Version: 2.4.56-1~deb11u1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 08 Mar 2023 07:05:04 +0400
Source: apache2
Architecture: source
Version: 2.4.56-1~deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1032476
Changes:
 apache2 (2.4.56-1~deb11u1) bullseye-security; urgency=medium
 .
   * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
