subject:"Bug#1012513\: apache2\: CVE\-2022\-31813 CVE\-2022\-26377 CVE\-2022\-28614 CVE\-2022\-28615 CVE\-2022\-29404 CVE\-2022\-30522 CVE\-2022\-30556"

Bug#1012513: apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556

2022-06-08 Thread Moritz Muehlenhoff

On Wed, Jun 08, 2022 at 07:51:28PM +0200, Yadd wrote:
> Hi,
> 
> those CVEs are tagged low/moderate by upstream, why did you tag this bug as 
> grave ?

Anything moderate or above should get fixed by the next Debian release IOW RC 
severity.

Cheers,
Moritz

Bug#1012513: apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556

2022-06-08 Thread Yadd

Hi,

those CVEs are tagged low/moderate by upstream, why did you tag this bug as 
grave ?

Cheers,
Yadd

Le Mercredi, Juin 08, 2022 17:49 CEST, Moritz Mühlenhoff  a 
écrit:

> Source: apache2
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for apache2.
>
> CVE-2022-31813[0]:
> | Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-*
> | headers to the origin server based on client side Connection header
> | hop-by-hop mechanism. This may be used to bypass IP based
> | authentication on the origin server/application.
>
> CVE-2022-26377[1]:
> | Inconsistent Interpretation of HTTP Requests ('HTTP Request
> | Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
> | allows an attacker to smuggle requests to the AJP server it forwards
> | requests to. This issue affects Apache HTTP Server Apache HTTP Server
> | 2.4 version 2.4.53 and prior versions.
>
> CVE-2022-28614[2]:
> | The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may
> | read unintended memory if an attacker can cause the server to reflect
> | very large input using ap_rwrite() or ap_rputs(), such as with
> | mod_luas r:puts() function.
>
> CVE-2022-28615[3]:
> | Apache HTTP Server 2.4.53 and earlier may crash or disclose
> | information due to a read beyond bounds in ap_strcmp_match() when
> | provided with an extremely large input buffer. While no code
> | distributed with the server can be coerced into such a call, third-
> | party modules or lua scripts that use ap_strcmp_match() may
> | hypothetically be affected.
>
> CVE-2022-29404[4]:
> | In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua
> | script that calls r:parsebody(0) may cause a denial of service due to
> | no default limit on possible input size.
>
> CVE-2022-30522[5]:
> | If Apache HTTP Server 2.4.53 is configured to do transformations with
> | mod_sed in contexts where the input to mod_sed may be very large,
> | mod_sed may make excessively large memory allocations and trigger an
> | abort.
>
> CVE-2022-30556[6]:
> | Apache HTTP Server 2.4.53 and earlier may return lengths to
> | applications calling r:wsread() that point past the end of the storage
> | allocated for the buffer.
>
> As usual Apache fails to directly identify fixing commits at
> https://httpd.apache.org/security/vulnerabilities_24.html
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-31813
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
> [1] https://security-tracker.debian.org/tracker/CVE-2022-26377
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
> [2] https://security-tracker.debian.org/tracker/CVE-2022-28614
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
> [3] https://security-tracker.debian.org/tracker/CVE-2022-28615
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
> [4] https://security-tracker.debian.org/tracker/CVE-2022-29404
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
> [5] https://security-tracker.debian.org/tracker/CVE-2022-30522
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
> [6] https://security-tracker.debian.org/tracker/CVE-2022-30556
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
>
> Please adjust the affected versions in the BTS as needed.
>

Bug#1012513: apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556

2022-06-08 Thread Moritz Mühlenhoff

Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2022-31813[0]:
| Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-*
| headers to the origin server based on client side Connection header
| hop-by-hop mechanism. This may be used to bypass IP based
| authentication on the origin server/application.

CVE-2022-26377[1]:
| Inconsistent Interpretation of HTTP Requests ('HTTP Request
| Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
| allows an attacker to smuggle requests to the AJP server it forwards
| requests to. This issue affects Apache HTTP Server Apache HTTP Server
| 2.4 version 2.4.53 and prior versions.

CVE-2022-28614[2]:
| The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may
| read unintended memory if an attacker can cause the server to reflect
| very large input using ap_rwrite() or ap_rputs(), such as with
| mod_luas r:puts() function.

CVE-2022-28615[3]:
| Apache HTTP Server 2.4.53 and earlier may crash or disclose
| information due to a read beyond bounds in ap_strcmp_match() when
| provided with an extremely large input buffer. While no code
| distributed with the server can be coerced into such a call, third-
| party modules or lua scripts that use ap_strcmp_match() may
| hypothetically be affected.

CVE-2022-29404[4]:
| In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua
| script that calls r:parsebody(0) may cause a denial of service due to
| no default limit on possible input size.

CVE-2022-30522[5]:
| If Apache HTTP Server 2.4.53 is configured to do transformations with
| mod_sed in contexts where the input to mod_sed may be very large,
| mod_sed may make excessively large memory allocations and trigger an
| abort.

CVE-2022-30556[6]:
| Apache HTTP Server 2.4.53 and earlier may return lengths to
| applications calling r:wsread() that point past the end of the storage
| allocated for the buffer.

As usual Apache fails to directly identify fixing commits at
https://httpd.apache.org/security/vulnerabilities_24.html

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
[1] https://security-tracker.debian.org/tracker/CVE-2022-26377
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
[2] https://security-tracker.debian.org/tracker/CVE-2022-28614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
[3] https://security-tracker.debian.org/tracker/CVE-2022-28615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
[4] https://security-tracker.debian.org/tracker/CVE-2022-29404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
[5] https://security-tracker.debian.org/tracker/CVE-2022-30522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
[6] https://security-tracker.debian.org/tracker/CVE-2022-30556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556

Please adjust the affected versions in the BTS as needed.

Bug#1012513: apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556

Bug#1012513: apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556

Bug#1012513: apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556

3 matches

Site Navigation

Mail list logo

Footer information