Re: Apache2 Vulnerability

2023-09-15 Thread Matthew Ruffell
Hi Daniel,

The two CVEs you mention, CVE-2023-27522 and CVE-2023-25690, have already
been addressed in Ubuntu, and have been since March.

https://ubuntu.com/security/CVE-2023-27522
https://ubuntu.com/security/CVE-2023-25690

For 22.04, these were both fixed in apache2 2.4.52-1ubuntu4.4:

https://bugs.launchpad.net/ubuntu/+source/apache2/2.4.52-1ubuntu4.4

For 20.04, these were both fixed in apache2 2.4.41-4ubuntu3.14:

https://bugs.launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.14

Packages in the Ubuntu archive don't typically receive wholesale point
releases unless that package has a microrelease exception. This is intended
to keep regressions and changes in functionality to a minimum. Instead, we
simply take the CVE fix itself, and place it on top of the version in the
Ubuntu archive, and make a new build. The CVE is fixed without having to take
sometimes hundreds of additional changes at the same time.

See:

https://wiki.ubuntu.com/SecurityTeam/FAQ
https://wiki.ubuntu.com/StableReleaseUpdates#Why

In the future, see the Ubuntu CVE tracker to see if a particular CVE has
been fixed.

Thanks,
Matthew

On Fri, 15 Sept 2023 at 11:00, Daniel Johnston wrote:

> Hello,
>
> I was wondering on when you plan to upgrade Apache from 2.4.55 to at least
> 2.4.56 to address the vulnerabilities with Apache?
>
> We have been checking weekly for a number of months now.
>
> Changes with Apache 2.4.56
>
>   *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
>      HTTP response splitting (cve.mitre.org)
>      HTTP Response Smuggling vulnerability in Apache HTTP Server via
>      mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
>      2.4.30 through 2.4.55.
>      Special characters in the origin response header can
>      truncate/split the response forwarded to the client.
>      Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)
>
>   *) SECURITY: CVE-2023-25690: HTTP request splitting with
>      mod_rewrite and mod_proxy (cve.mitre.org)
>      Some mod_proxy configurations on Apache HTTP Server versions
>      2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
>      Configurations are affected when mod_proxy is enabled along with
>      some form of RewriteRule or ProxyPassMatch in which a non-specific
>      pattern matches some portion of the user-supplied request-target (URL)
>      data and is then re-inserted into the proxied request-target
>      using variable substitution. For example, something like:
>
>      RewriteEngine on
>      RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
>      ProxyPassReverse /here/  http://example.com:8080/
>
>      Request splitting/smuggling could result in bypass of access
>      controls in the proxy server, proxying unintended URLs to
>      existing origin servers, and cache poisoning.
>      Credits: Lars Krapf of Adobe
>
> Daniel Johnston
> IT Systems Administrator | Premier Credit Union
> 515-245-3541 | dani...@premiercu.org | www.PremierCU.org
> 800 9th St, Des Moines, Iowa 50309
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
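Matthew's point above, that whether a CVE is fixed is read from the Ubuntu package version and the CVE tracker rather than from the upstream version string, can be checked mechanically. The following is an added example, not code from the thread or from Ubuntu's tooling: it reimplements dpkg's version ordering in Python and compares constructed installed versions against the fixed versions Matthew names; on a real host the installed version would come from `dpkg-query -W -f='${Version}' apache2`.

```python
# Added example (not from the thread or Ubuntu's tooling): a dpkg-style version
# comparison that checks whether an installed apache2 package carries the
# backported CVE fix, judged by Ubuntu package version, not upstream version.
import re
from itertools import zip_longest

# Fixed package versions per release, as stated in Matthew's message.
FIXED_APACHE2 = {"22.04": "2.4.52-1ubuntu4.4", "20.04": "2.4.41-4ubuntu3.14"}


def _order(c):
    # dpkg's character order: end-of-run and digits are 0, '~' sorts before
    # everything (even the end), letters sort before other characters.
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _verrevcmp(a, b):
    # dpkg's verrevcmp(): alternate non-digit runs (compared character by
    # character) and digit runs (compared numerically, so 10 > 4).
    pa, pb = re.split(r"(\d+)", a), re.split(r"(\d+)", b)
    for k, (x, y) in enumerate(zip_longest(pa, pb, fillvalue="")):
        if k % 2:                      # odd positions are digit runs
            d = int(x or 0) - int(y or 0)
        else:                          # even positions are non-digit runs
            d = next((_order(p) - _order(q) for p, q in zip_longest(x, y, fillvalue="")
                      if _order(p) != _order(q)), 0)
        if d:
            return d
    return 0


def deb_version_cmp(v1, v2):
    # Negative if v1 < v2, zero if equal, positive if v1 > v2, comparing
    # epoch, then upstream version, then Debian revision, like dpkg.
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def apache2_has_fix(release, installed):
    # True once installed is at or past the fixed Ubuntu version for that release.
    return deb_version_cmp(installed, FIXED_APACHE2[release]) >= 0
```

Comparing `2.4.52-1ubuntu4.4` against upstream `2.4.56` reports "older", which is exactly the false alarm the thread describes; comparing it against the Ubuntu fixed version reports the fix present.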

Re: Apache2 Vulnerability

2023-09-14 Thread Alex Murray
Hi Daniel

In Ubuntu we generally do not upgrade to new package versions to fix
security issues but instead backport the individual fixes. As such you
should not expect to see say apache 2.4.56 in Ubuntu 23.04. Instead we
just add the minimal change needed to fix the vulnerability on top of
the existing 2.4.55 version.

Regarding these two CVEs in question, you can see the status for each of
these vulnerabilities in Ubuntu at

https://ubuntu.com/security/CVE-2023-27522

and

https://ubuntu.com/security/CVE-2023-25690

respectively.

Both have already been patched and updates released back in March of
this year.

For more details on how package updates work in Ubuntu, I recommend
taking a look at
https://ubuntu.com/blog/ubuntu-updates-releases-and-repositories-explained

Thanks,
Alex


On Thu, 2023-09-07 at 17:25:27, Daniel Johnston wrote:

> Hello,
>
> I was wondering on when you plan to upgrade Apache from 2.4.55 to at least 
> 2.4.56 to address the vulnerabilities with Apache?
> We have been checking weekly for a number of months now.
> Changes with Apache 2.4.56
>
>   *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
>  HTTP response splitting (cve.mitre.org)
>  HTTP Response Smuggling vulnerability in Apache HTTP Server via
>  mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
>  2.4.30 through 2.4.55.
>  Special characters in the origin response header can
>  truncate/split the response forwarded to the client.
>  Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)
>
>   *) SECURITY: CVE-2023-25690: HTTP request splitting with
>  mod_rewrite and mod_proxy (cve.mitre.org)
>  Some mod_proxy configurations on Apache HTTP Server versions
>  2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
>  Configurations are affected when mod_proxy is enabled along with
>  some form of RewriteRule or ProxyPassMatch in which a non-specific
>  pattern matches some portion of the user-supplied request-target (URL)
>  data and is then re-inserted into the proxied request-target
>  using variable substitution. For example, something like:
>
>  RewriteEngine on
>  RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
>  ProxyPassReverse /here/  http://example.com:8080/
>
>  Request splitting/smuggling could result in bypass of access
>  controls in the proxy server, proxying unintended URLs to
>  existing origin servers, and cache poisoning.
>  Credits: Lars Krapf of Adobe
>
> Daniel Johnston
> IT Systems Administrator | Premier Credit Union
> 515-245-3541 | dani...@premiercu.org | www.PremierCU.org
> 800 9th St, Des Moines, Iowa 50309
>
>
> -- 
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at: 
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Apache2 Vulnerability

2023-09-14 Thread Daniel Johnston
Hello,

I was wondering on when you plan to upgrade Apache from 2.4.55 to at least 
2.4.56 to address the vulnerabilities with Apache?
We have been checking weekly for a number of months now.
Changes with Apache 2.4.56

  *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
 HTTP response splitting (cve.mitre.org)
 HTTP Response Smuggling vulnerability in Apache HTTP Server via
 mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
 2.4.30 through 2.4.55.
 Special characters in the origin response header can
 truncate/split the response forwarded to the client.
 Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)

  *) SECURITY: CVE-2023-25690: HTTP request splitting with
 mod_rewrite and mod_proxy (cve.mitre.org)
 Some mod_proxy configurations on Apache HTTP Server versions
 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
 Configurations are affected when mod_proxy is enabled along with
 some form of RewriteRule or ProxyPassMatch in which a non-specific
 pattern matches some portion of the user-supplied request-target (URL)
 data and is then re-inserted into the proxied request-target
 using variable substitution. For example, something like:

 RewriteEngine on
 RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
 ProxyPassReverse /here/  http://example.com:8080/

 Request splitting/smuggling could result in bypass of access
 controls in the proxy server, proxying unintended URLs to
 existing origin servers, and cache poisoning.
 Credits: Lars Krapf of Adobe

Daniel Johnston
IT Systems Administrator | Premier Credit Union
515-245-3541 | dani...@premiercu.org | www.PremierCU.org
800 9th St, Des Moines, Iowa 50309
This e-mail, including attachments, is covered by the Electronic Communications 
Privacy Act, 18 U.S.C. 2510-2521, is confidential, and may be legally 
privileged. If you are not the intended recipient, you are hereby notified that 
any retention, dissemination, distribution, or copying of this communication is 
strictly prohibited. Please reply to the sender if you received this message in 
error, and then please delete it. Thank you.


-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss