Your message dated Sat, 02 Jul 2022 17:17:07 +0000
with message-id <e1o7gjz-000dxk...@fasolo.debian.org>
and subject line Bug#1012513: fixed in apache2 2.4.54-1~deb11u1
has caused the Debian Bug report #1012513,
regarding apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615
CVE-2022-29404 CVE-2022-30522 CVE-2022-30556
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1012513: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012513
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for apache2.
CVE-2022-31813[0]:
| Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-*
| headers to the origin server based on client side Connection header
| hop-by-hop mechanism. This may be used to bypass IP based
| authentication on the origin server/application.
CVE-2022-26377[1]:
| Inconsistent Interpretation of HTTP Requests ('HTTP Request
| Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
| allows an attacker to smuggle requests to the AJP server it forwards
| requests to. This issue affects Apache HTTP Server 2.4 version 2.4.53
| and prior versions.
CVE-2022-28614[2]:
| The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may
| read unintended memory if an attacker can cause the server to reflect
| very large input using ap_rwrite() or ap_rputs(), such as with
| mod_lua's r:puts() function.
CVE-2022-28615[3]:
| Apache HTTP Server 2.4.53 and earlier may crash or disclose
| information due to a read beyond bounds in ap_strcmp_match() when
| provided with an extremely large input buffer. While no code
| distributed with the server can be coerced into such a call, third-
| party modules or lua scripts that use ap_strcmp_match() may
| hypothetically be affected.
CVE-2022-29404[4]:
| In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua
| script that calls r:parsebody(0) may cause a denial of service due to
| no default limit on possible input size.
CVE-2022-30522[5]:
| If Apache HTTP Server 2.4.53 is configured to do transformations with
| mod_sed in contexts where the input to mod_sed may be very large,
| mod_sed may make excessively large memory allocations and trigger an
| abort.
CVE-2022-30556[6]:
| Apache HTTP Server 2.4.53 and earlier may return lengths to
| applications calling r:wsread() that point past the end of the storage
| allocated for the buffer.
As usual Apache fails to directly identify fixing commits at
https://httpd.apache.org/security/vulnerabilities_24.html
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-31813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
[1] https://security-tracker.debian.org/tracker/CVE-2022-26377
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
[2] https://security-tracker.debian.org/tracker/CVE-2022-28614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
[3] https://security-tracker.debian.org/tracker/CVE-2022-28615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
[4] https://security-tracker.debian.org/tracker/CVE-2022-29404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
[5] https://security-tracker.debian.org/tracker/CVE-2022-30522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
[6] https://security-tracker.debian.org/tracker/CVE-2022-30556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.54-1~deb11u1
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1012...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 09 Jun 2022 06:26:43 +0200
Source: apache2
Architecture: source
Version: 2.4.54-1~deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apa...@lists.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1010455 1012513
Changes:
 apache2 (2.4.54-1~deb11u1) bullseye; urgency=medium
 .
   [ Yadd ]
   * Fix htcacheclean doc (Closes: #1010455)
 .
   [ Yadd ]
   * New upstream version 2.4.54 (closes: #1012513, CVE-2022-31813,
     CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404,
     CVE-2022-30522, CVE-2022-30556, CVE-2022-28330)
Checksums-Sha1:
 a9b12eda05896c39650d6bf2e13a2738c2b118d9 3539 apache2_2.4.54-1~deb11u1.dsc
 5121eed65951d525db5bde8c8997dffa6daa613a 9743277 apache2_2.4.54.orig.tar.gz
 f8c7a962998549f4816a18889555f8fa8b7f771a 874 apache2_2.4.54.orig.tar.gz.asc
 5957f685697fbaebbfa077ad2ae176923240d26b 894208 apache2_2.4.54-1~deb11u1.debian.tar.xz
Checksums-Sha256:
 a019ec1ca8130e8fdbde9ee198ed551a114961a32a37b9775d944659bfeaaae5 3539 apache2_2.4.54-1~deb11u1.dsc
 c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb 9743277 apache2_2.4.54.orig.tar.gz
 d3855dc59d3e6ceaddd6d224aa9a33eef554c2706ccee5894e54f2b229ee800a 874 apache2_2.4.54.orig.tar.gz.asc
 89189e18b964f58a7943024bb40af782fce654149d11c3be872af6ca73388117 894208 apache2_2.4.54-1~deb11u1.debian.tar.xz
Files:
 5648326c781d60301f7c8b6a231538d9 3539 httpd optional apache2_2.4.54-1~deb11u1.dsc
 5830f69aeed1f4a00a563862aaf2c67d 9743277 httpd optional apache2_2.4.54.orig.tar.gz
 35861f1b441ce88c67ee109b63106ef7 874 httpd optional apache2_2.4.54.orig.tar.gz.asc
 7da218147f56f14894ab220f4a8f7f4a 894208 httpd optional apache2_2.4.54-1~deb11u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmK/RAcACgkQ9tdMp8mZ
7ukoBxAAiL67H3JqzhKPohCjNgMKrL2kBmWrOt7kb7H7pxUSbU4IjQqWbMOIRvck
Ec6yPDiZN3dfeI8DpR0Hb2tuuloa5VOfXpm0XSWMXtpyCSF5dw7xgNv28JvOgL6v
wvA8CShBrakOXp8kmnYlBzK1V1VI2Sn7ZsborbQnSEuBEH9jUXm/CoRjhB96/LAw
Dd6QUs26PergZpjgeM6OJwFIsN2PX4/JFP44Apfsv0rBFyuuuK8TrB/rGqvFL/N+
n5cJNWUq56b700OdzGHcR/1pTj2cVEnr6qbAo5gX94f2ttiYnt1MAB0AbKb2H5tm
iBTcvnPVRHhKuUi4etlEMpwOP4sQIIQ8W2fBMnQL0VBqd/0nmPsETQwgFZDRcLfu
UGu8a1uX0TyAm2RgZRgvLYnKcOlY79bLPjg/FWs7A/2zjHmjl9RT3GD6WuoAWGjh
cMZkl3AKW6ejwTeyuZ4/jkH/WWEuZlrk3lgLJrSaHG4AVRO6Ta4vN12oFGLWlmtb
aGjSJ0g+sGes9fEGlIITacZL1h03St5lDikRKxQaPVXVli+tdovzd04QhUtffcWQ
6bLncrfNv4hDUdPD7A2HrvbAGOa/JIXzntpmOocNWViWnNq+t/qYX8fcC4TMm4Z7
93FiwlzXI5cF1fR9HjlBAc5EX7m+lkrdOrIaUM1EHo2KfdJ2a8Y=
=Bmzf
-----END PGP SIGNATURE-----
--- End Message ---
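The practical question a bullseye administrator has after reading this bug log is whether the apache2 version on a given host is at or above the fixing version, 2.4.54-1~deb11u1. Debian version ordering has one rule that is easy to get wrong by eye: a tilde sorts before everything, including the end of the string, so 2.4.54-1~deb11u1 is newer than 2.4.53-4 but older than 2.4.54-1. The following is an added example, not code from the Debian BTS, dpkg or the apache2 package; it reimplements the dpkg version-ordering rules (epoch, upstream version, Debian revision) in pure Python so it runs without dpkg installed. Only the fixed version comes from this bug log; the "installed" versions it is run against are constructed samples.

```python
"""Check an installed apache2 version against the fixing version from
Debian bug #1012513. Added example; reimplements dpkg's version
ordering (epoch:upstream-revision, '~' sorts before everything, letters
sort before non-letters, digit runs compare numerically)."""
from __future__ import annotations

# Version that closed #1012513 on bullseye, as stated in this bug log.
FIXED_BULLSEYE = "2.4.54-1~deb11u1"


def _order(c: str) -> int:
    """Sort weight of one character, as dpkg assigns it: end-of-string and
    digits weigh 0, '~' weighs less than end-of-string, letters weigh
    their code point, other characters sort after all letters."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) the dpkg way:
    alternate between a non-digit run compared with _order() and a digit
    run compared as a number. Returns <0, 0 or >0."""
    while a or b:
        # Non-digit run: compare character by character (end-of-string is "").
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros, then the longer run is the larger
        # number; equal-length runs are decided by the first differing digit.
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a[:1].isdigit() and b[:1].isdigit():
            if first_diff == 0:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen: the whole string is the upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """<0 if v1 sorts before v2, 0 if equal, >0 if after (dpkg semantics)."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def is_fixed(installed: str, fixed: str = FIXED_BULLSEYE) -> bool:
    """True when the installed version is at or above the fixing version."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample versions; only FIXED_BULLSEYE is taken from the bug log.
    for installed in ("2.4.53-4", "2.4.54-1~deb11u1", "2.4.54-1", "1:2.4.53-4"):
        print(f"{installed:>18}  fixed={is_fixed(installed)}")
```

On a real host the same check is `dpkg --compare-versions "$(dpkg-query -W -f '${Version}' apache2)" ge 2.4.54-1~deb11u1`; the Python version is there to make the ordering rules visible, in particular why the tilde in a stable-update revision places it between the previous bullseye build and the unstable 2.4.54-1 build.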