apache2_2.4.56-1_sourceonly.changes ACCEPTED into unstable

2023-03-07 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:


Format: 1.8
Date: Wed, 08 Mar 2023 06:44:05 +0400
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.56-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1032476
Changes:
 apache2 (2.4.56-1) unstable; urgency=medium
 .
   * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)




Processing of apache2_2.4.56-1_sourceonly.changes

2023-03-07 Thread Debian FTP Masters
apache2_2.4.56-1_sourceonly.changes uploaded successfully to localhost
along with the files:
  apache2_2.4.56-1.dsc
  apache2_2.4.56.orig.tar.gz
  apache2_2.4.56.orig.tar.gz.asc
  apache2_2.4.56-1.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



Bug#1032476: marked as done (apache2: CVE-2023-25690 CVE-2023-27522)

2023-03-07 Thread Debian Bug Tracking System
Your message dated Wed, 08 Mar 2023 03:19:22 +
with message-id 
and subject line Bug#1032476: fixed in apache2 2.4.56-1
has caused the Debian Bug report #1032476,
regarding apache2: CVE-2023-25690 CVE-2023-27522
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1032476: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032476
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.55-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for apache2.

CVE-2023-25690[0]:
| Some mod_proxy configurations on Apache HTTP Server versions 2.4.0
| through 2.4.55 allow a HTTP Request Smuggling attack. Configurations
| are affected when mod_proxy is enabled along with some form of
| RewriteRule or ProxyPassMatch in which a non-specific pattern matches
| some portion of the user-supplied request-target (URL) data and is
| then re-inserted into the proxied request-target using variable
| substitution. For example, something like: RewriteEngine on
| RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
| ProxyPassReverse /here/ http://example.com:8080/ Request
| splitting/smuggling could result in bypass of access controls in the
| proxy server, proxying unintended URLs to existing origin servers, and
| cache poisoning. Users are recommended to update to at least version
| 2.4.56 of Apache HTTP Server.


CVE-2023-27522[1]:
| HTTP Response Smuggling vulnerability in Apache HTTP Server via
| mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30
| through 2.4.55. Special characters in the origin response header can
| truncate/split the response forwarded to the client.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25690
https://www.cve.org/CVERecord?id=CVE-2023-25690
[1] https://security-tracker.debian.org/tracker/CVE-2023-27522
https://www.cve.org/CVERecord?id=CVE-2023-27522

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.56-1
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Wed, 08 Mar 2023 06:44:05 +0400
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.56-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1032476
Changes:
 apache2 (2.4.56-1) unstable; urgency=medium
 .
   * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)



Processed: Bug#1032476 marked as pending in apache2

2023-03-07 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #1032476 [src:apache2] apache2: CVE-2023-25690 CVE-2023-27522
Added tag(s) pending.

-- 
1032476: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032476
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



apr_1.7.0-6+deb11u2_source.changes ACCEPTED into proposed-updates->stable-new

2023-03-07 Thread Debian FTP Masters
Thank you for your contribution to Debian.

Mapping stable-security to proposed-updates.

Accepted:


Format: 1.8
Date: Wed, 01 Mar 2023 15:22:18 +0100
Source: apr
Architecture: source
Version: 1.7.0-6+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Apache Maintainers 
Changed-By: Salvatore Bonaccorso 
Changes:
 apr (1.7.0-6+deb11u2) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address some warnings raised by MSVC-32/64
   * apr_encode_base32: fix advertised output *len when called with dst == NULL
   * apr_decode_base{64,32,16}: stop reading before (not including) NUL byte.
   * encoding: Better check inputs of apr_{encode,decode}_* functions
 (CVE-2022-24963)




Bug#1032476: apache2: CVE-2023-25690 CVE-2023-27522

2023-03-07 Thread Salvatore Bonaccorso
Source: apache2
Version: 2.4.55-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for apache2.

CVE-2023-25690[0]:
| Some mod_proxy configurations on Apache HTTP Server versions 2.4.0
| through 2.4.55 allow a HTTP Request Smuggling attack. Configurations
| are affected when mod_proxy is enabled along with some form of
| RewriteRule or ProxyPassMatch in which a non-specific pattern matches
| some portion of the user-supplied request-target (URL) data and is
| then re-inserted into the proxied request-target using variable
| substitution. For example, something like: RewriteEngine on
| RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
| ProxyPassReverse /here/ http://example.com:8080/ Request
| splitting/smuggling could result in bypass of access controls in the
| proxy server, proxying unintended URLs to existing origin servers, and
| cache poisoning. Users are recommended to update to at least version
| 2.4.56 of Apache HTTP Server.


CVE-2023-27522[1]:
| HTTP Response Smuggling vulnerability in Apache HTTP Server via
| mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30
| through 2.4.55. Special characters in the origin response header can
| truncate/split the response forwarded to the client.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25690
https://www.cve.org/CVERecord?id=CVE-2023-25690
[1] https://security-tracker.debian.org/tracker/CVE-2023-27522
https://www.cve.org/CVERecord?id=CVE-2023-27522

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
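The configuration shape that the CVE-2023-25690 text above describes (a proxied RewriteRule or ProxyPassMatch whose substitution re-inserts a user-supplied capture into the query part of the target URL) can be hunted for during a configuration audit. The following is an added example, not code from Debian, the Apache project or the reporter: a heuristic scanner run over a constructed httpd configuration fragment; the directive names are real, the hostnames and paths are made up.

```python
import re

# Constructed sample httpd configuration fragment (not taken from any real server).
SAMPLE_CONFIG = """\
RewriteEngine on
# Shape named in the advisory: captured request data re-inserted after '?'
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
ProxyPassMatch "^/api/(.*)" "http://backend.internal/api?path=$1"
# Capture re-inserted into the path only, nothing re-inserted into a query string
RewriteRule ^/app/(.*)$ http://backend.internal/app/$1 [P,L]
# A redirect, not a proxy rule, so outside the scope of this check
RewriteRule ^/old/(.*)$ /new/$1?$1 [R=301,L]
"""

# directive, pattern, substitution, optional [flags]; arguments may be double-quoted
DIRECTIVE_RE = re.compile(
    r'^\s*(RewriteRule|ProxyPassMatch)\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)(?:\s+\[([^\]]*)\])?',
    re.IGNORECASE,
)

def parse_directive(line):
    """Return (directive, pattern, substitution, flag set) or None for other lines."""
    m = DIRECTIVE_RE.match(line)
    if not m:
        return None
    directive = m.group(1).lower()
    pattern, subst = m.group(2).strip('"'), m.group(3).strip('"')
    flags = {f.strip().split("=")[0].upper() for f in (m.group(4) or "").split(",") if f.strip()}
    return directive, pattern, subst, flags

def is_risky_proxy_rule(directive, pattern, subst, flags):
    """Heuristic for the advisory's shape: the rule proxies the request and the
    substitution places a backreference ($1..$9) at or after the '?' of the target."""
    proxied = directive == "proxypassmatch" or flags & {"P", "PROXY"}
    if not proxied or "?" not in subst:
        return False
    query = subst.split("?", 1)[1]
    return re.search(r"\$[0-9]", query) is not None

def audit_config(text):
    """Return (line number, stripped line) for every rule matching the risky shape."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_directive(line)
        if parsed and is_risky_proxy_rule(*parsed):
            findings.append((n, line.strip()))
    return findings

if __name__ == "__main__":
    for n, line in audit_config(SAMPLE_CONFIG):
        print(f"line {n}: {line}")
```

A hit means the server should be at least 2.4.56 as the advisory recommends, or the rule rewritten so that request data is not re-inserted into the proxied query string; the check is a heuristic and ignores rules spread over continuation lines or Include files.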