apache2_2.4.54-1_sourceonly.changes ACCEPTED into unstable
Accepted: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Thu, 09 Jun 2022 06:33:53 +0200 Source: apache2 Built-For-Profiles: nocheck Architecture: source Version: 2.4.54-1 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Yadd Closes: 1010455 1012513 Changes: apache2 (2.4.54-1) unstable; urgency=medium . [ Simon Deziel ] * Escape literal "." for BrowserMatch directives in setenvif.conf * Use non-capturing regex with FilesMatch directive in default-ssl.conf . [ Ondřej Surý ] * New upstream version 2.4.54 (Closes: #1012513, CVE-2022-31813, CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-28330) . [ Yadd ] * Fix htcacheclean doc (Closes: #1010455) * New upstream version 2.4.54 Checksums-Sha1: ab83430595284de35a09b4925ff02d25f0c59836 3488 apache2_2.4.54-1.dsc 5121eed65951d525db5bde8c8997dffa6daa613a 9743277 apache2_2.4.54.orig.tar.gz f8c7a962998549f4816a18889555f8fa8b7f771a 874 apache2_2.4.54.orig.tar.gz.asc c3d54fc0133d051edc03cfd9366022c62e41208e 899680 apache2_2.4.54-1.debian.tar.xz Checksums-Sha256: 6638ab251c44e19013fbeef8616adf60fd82e71fc62b59ed950e4920e4dfcafd 3488 apache2_2.4.54-1.dsc c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb 9743277 apache2_2.4.54.orig.tar.gz d3855dc59d3e6ceaddd6d224aa9a33eef554c2706ccee5894e54f2b229ee800a 874 apache2_2.4.54.orig.tar.gz.asc a9b19fbb49ba9540dc5004a537cad3c70eb05448076f55544592844a7d6e0cfd 899680 apache2_2.4.54-1.debian.tar.xz Files: 71f12c8f92422781eaefc68f56367ea0 3488 httpd optional apache2_2.4.54-1.dsc 5830f69aeed1f4a00a563862aaf2c67d 9743277 httpd optional apache2_2.4.54.orig.tar.gz 35861f1b441ce88c67ee109b63106ef7 874 httpd optional apache2_2.4.54.orig.tar.gz.asc f13ba4968c990a764664cdfd2a69a808 899680 httpd optional apache2_2.4.54-1.debian.tar.xz -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmKheQwACgkQ9tdMp8mZ 7unuEQ//Uc6nlVALQPXVfl4TbGDfnBV6/tphfDz6BVWXwtXgoors/LCEIz0wqJCf nqmFmttTbqWp9zz65SFjN1nYcs2m8AhMDQBjEYkHvfi2hcsGmfBSBjVGCJzPi2Cg qKtx70i8v9Psm5Y6+UV/4LNlnCX+wCHFtLAeTFE8H9/3m8xsPc7kRsbK/pJYcit5 Fo7XZ3djflWTR2cUUAGToHZTb23dVNhEZQFcpBpMdxo3wAgJm+3rMSamb0e070jm vsJiifY0QY/a3uRVeJeiZq5zykfQxr6FBoQ97Q79/FIGV0YI+tg96Fxph/vISJ3B /fS8JgoeIOy5SI5+tOF4/D+/bRhvskwL7swL7Lk8n/Jff6ruFafAL2x+//IMunOq Xdpixj5PdgwXq80fmwH/EWzFl77iSjosGTITgVkp9r1SdtumoxM1pkM3GukaZ/ev 0D8Q7iAXXejYQHD6Q7fv7InYdQLa9IjhUuqzCi7u6sIr+d0kuw6mb+A5CSz4toQd SUkHozlF7gzU7m3u4afbBLDAR1WCqZKjRWmcDIsc+wJVRWDkpIzmEHqPqE05dn4f tSqA5p5WKGdOJd4CXxMrpx654a7itmYllK1AgqSH0fykUciDKYyWP61AAL2oinP2 UDSE8GSjA2MK7z+Zg/WEL7eKJlqBkTltDByFpH6xMluPiZTUQRY= =pJbP -END PGP SIGNATURE- Thank you for your contribution to Debian.
Bug#1010455: marked as done (Should apache2.README.Debian refer to apache-htcacheclean ?)
Your message dated Thu, 09 Jun 2022 05:03:55 + with message-id and subject line Bug#1010455: fixed in apache2 2.4.54-1 has caused the Debian Bug report #1010455, regarding Should apache2.README.Debian refer to apache-htcacheclean ? to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1010455: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010455 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: apache2 Version: 2.4.53-2 Tags: patch Severity: minor Sort of a patch. Refering to https://salsa.debian.org/apache-team/apache2/-/blob/master/debian/apache2.README.Debian Line 193 refers to '/etc/default/apache2'. Shouldn't that be '/etc/default/apache-htcacheclean' ? The context is the configuration file for using mod_cache_disk. -- u34 --- End Message --- --- Begin Message --- Source: apache2 Source-Version: 2.4.54-1 Done: Yadd We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1010...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Yadd (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Thu, 09 Jun 2022 06:33:53 +0200 Source: apache2 Built-For-Profiles: nocheck Architecture: source Version: 2.4.54-1 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers Changed-By: Yadd Closes: 1010455 1012513 Changes: apache2 (2.4.54-1) unstable; urgency=medium . [ Simon Deziel ] * Escape literal "." for BrowserMatch directives in setenvif.conf * Use non-capturing regex with FilesMatch directive in default-ssl.conf . [ Ondřej Surý ] * New upstream version 2.4.54 (Closes: #1012513, CVE-2022-31813, CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-28330) . [ Yadd ] * Fix htcacheclean doc (Closes: #1010455) * New upstream version 2.4.54 Checksums-Sha1: ab83430595284de35a09b4925ff02d25f0c59836 3488 apache2_2.4.54-1.dsc 5121eed65951d525db5bde8c8997dffa6daa613a 9743277 apache2_2.4.54.orig.tar.gz f8c7a962998549f4816a18889555f8fa8b7f771a 874 apache2_2.4.54.orig.tar.gz.asc c3d54fc0133d051edc03cfd9366022c62e41208e 899680 apache2_2.4.54-1.debian.tar.xz Checksums-Sha256: 6638ab251c44e19013fbeef8616adf60fd82e71fc62b59ed950e4920e4dfcafd 3488 apache2_2.4.54-1.dsc c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb 9743277 apache2_2.4.54.orig.tar.gz d3855dc59d3e6ceaddd6d224aa9a33eef554c2706ccee5894e54f2b229ee800a 874 apache2_2.4.54.orig.tar.gz.asc a9b19fbb49ba9540dc5004a537cad3c70eb05448076f55544592844a7d6e0cfd 899680 apache2_2.4.54-1.debian.tar.xz Files: 71f12c8f92422781eaefc68f56367ea0 3488 httpd optional apache2_2.4.54-1.dsc 5830f69aeed1f4a00a563862aaf2c67d 9743277 httpd optional apache2_2.4.54.orig.tar.gz 35861f1b441ce88c67ee109b63106ef7 874 httpd optional apache2_2.4.54.orig.tar.gz.asc f13ba4968c990a764664cdfd2a69a808 899680 httpd optional apache2_2.4.54-1.debian.tar.xz -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmKheQwACgkQ9tdMp8mZ 7unuEQ//Uc6nlVALQPXVfl4TbGDfnBV6/tphfDz6BVWXwtXgoors/LCEIz0wqJCf nqmFmttTbqWp9zz65SFjN1nYcs2m8AhMDQBjEYkHvfi2hcsGmfBSBjVGCJzPi2Cg qKtx70i8v9Psm5Y6+UV/4LNlnCX+wCHFtLAeTFE8H9/3m8xsPc7kRsbK/pJYcit5 Fo7XZ3djflWTR2cUUAGToHZTb23dVNhEZQFcpBpMdxo3wAgJm+3rMSamb0e070jm vsJiifY0QY/a3uRVeJeiZq5zykfQxr6FBoQ97Q79/FIGV0YI+tg96Fxph/vISJ3B /fS8JgoeIOy5SI5+tOF4/D+/bRhvskwL7swL7Lk8n/Jff6ruFafAL2x+//IMunOq Xdpixj5PdgwXq80fmwH/EWzFl77iSjosGTITgVkp9r1SdtumoxM1pkM3GukaZ/ev 0D8Q7iAXXejYQHD6Q7fv7InYdQLa9IjhUuqzCi7u6sIr+d0kuw6mb+A5CSz4toQd SUkHozlF7gzU7m3u4afbBLDAR1WCqZKjRWmcDIsc+wJVRWDkpIzmEHqPqE05dn4f tSqA5p5WKGdOJd4CXxMrpx654a7itmYllK1AgqSH0fykUciDKYyWP61AAL2oinP2 UDSE8GSjA2MK7z+Zg/WEL7eKJlqBkTltDByFpH6xMluPiZTUQRY= =pJbP -END PGP SIGNATURE End Message ---
Bug#1012513: marked as done (apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556)
Your message dated Thu, 09 Jun 2022 05:03:55 +
with message-id
and subject line Bug#1012513: fixed in apache2 2.4.54-1
has caused the Debian Bug report #1012513,
regarding apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615
CVE-2022-29404 CVE-2022-30522 CVE-2022-30556
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1012513: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012513
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for apache2.
CVE-2022-31813[0]:
| Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-*
| headers to the origin server based on client side Connection header
| hop-by-hop mechanism. This may be used to bypass IP based
| authentication on the origin server/application.
CVE-2022-26377[1]:
| Inconsistent Interpretation of HTTP Requests ('HTTP Request
| Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
| allows an attacker to smuggle requests to the AJP server it forwards
| requests to. This issue affects Apache HTTP Server Apache HTTP Server
| 2.4 version 2.4.53 and prior versions.
CVE-2022-28614[2]:
| The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may
| read unintended memory if an attacker can cause the server to reflect
| very large input using ap_rwrite() or ap_rputs(), such as with
| mod_luas r:puts() function.
CVE-2022-28615[3]:
| Apache HTTP Server 2.4.53 and earlier may crash or disclose
| information due to a read beyond bounds in ap_strcmp_match() when
| provided with an extremely large input buffer. While no code
| distributed with the server can be coerced into such a call, third-
| party modules or lua scripts that use ap_strcmp_match() may
| hypothetically be affected.
CVE-2022-29404[4]:
| In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua
| script that calls r:parsebody(0) may cause a denial of service due to
| no default limit on possible input size.
CVE-2022-30522[5]:
| If Apache HTTP Server 2.4.53 is configured to do transformations with
| mod_sed in contexts where the input to mod_sed may be very large,
| mod_sed may make excessively large memory allocations and trigger an
| abort.
CVE-2022-30556[6]:
| Apache HTTP Server 2.4.53 and earlier may return lengths to
| applications calling r:wsread() that point past the end of the storage
| allocated for the buffer.
As usual Apache fails to directly identify fixing commits at
https://httpd.apache.org/security/vulnerabilities_24.html
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-31813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
[1] https://security-tracker.debian.org/tracker/CVE-2022-26377
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
[2] https://security-tracker.debian.org/tracker/CVE-2022-28614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
[3] https://security-tracker.debian.org/tracker/CVE-2022-28615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
[4] https://security-tracker.debian.org/tracker/CVE-2022-29404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
[5] https://security-tracker.debian.org/tracker/CVE-2022-30522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
[6] https://security-tracker.debian.org/tracker/CVE-2022-30556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.54-1
Done: Yadd
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1012...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-BEGIN PGP SIGNED MESSAGE-
Hash:
Processing of apache2_2.4.54-1_sourceonly.changes
apache2_2.4.54-1_sourceonly.changes uploaded successfully to localhost along with the files: apache2_2.4.54-1.dsc apache2_2.4.54.orig.tar.gz apache2_2.4.54.orig.tar.gz.asc apache2_2.4.54-1.debian.tar.xz Greetings, Your Debian queue daemon (running on host usper.debian.org)
Processed: tagging 1012513, found 1012513 in 2.4.53-2
Processing commands for cont...@bugs.debian.org: > tags 1012513 + upstream Bug #1012513 [src:apache2] apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556 Added tag(s) upstream. > found 1012513 2.4.53-2 Bug #1012513 [src:apache2] apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556 Marked as found in versions apache2/2.4.53-2. > thanks Stopping processing here. Please contact me if you need assistance. -- 1012513: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012513 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1012513: apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556
On Wed, Jun 08, 2022 at 07:51:28PM +0200, Yadd wrote: > Hi, > > those CVEs are tagged low/moderate by upstream, why did you tag this bug as > grave ? Anything moderate or above should get fixed by the next Debian release IOW RC severity. Cheers, Moritz
Bug#1012513: apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556
Hi,
those CVEs are tagged low/moderate by upstream, why did you tag this bug as
grave ?
Cheers,
Yadd
Le Mercredi, Juin 08, 2022 17:49 CEST, Moritz Mühlenhoff a
écrit:
> Source: apache2
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for apache2.
>
> CVE-2022-31813[0]:
> | Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-*
> | headers to the origin server based on client side Connection header
> | hop-by-hop mechanism. This may be used to bypass IP based
> | authentication on the origin server/application.
>
> CVE-2022-26377[1]:
> | Inconsistent Interpretation of HTTP Requests ('HTTP Request
> | Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
> | allows an attacker to smuggle requests to the AJP server it forwards
> | requests to. This issue affects Apache HTTP Server Apache HTTP Server
> | 2.4 version 2.4.53 and prior versions.
>
> CVE-2022-28614[2]:
> | The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may
> | read unintended memory if an attacker can cause the server to reflect
> | very large input using ap_rwrite() or ap_rputs(), such as with
> | mod_luas r:puts() function.
>
> CVE-2022-28615[3]:
> | Apache HTTP Server 2.4.53 and earlier may crash or disclose
> | information due to a read beyond bounds in ap_strcmp_match() when
> | provided with an extremely large input buffer. While no code
> | distributed with the server can be coerced into such a call, third-
> | party modules or lua scripts that use ap_strcmp_match() may
> | hypothetically be affected.
>
> CVE-2022-29404[4]:
> | In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua
> | script that calls r:parsebody(0) may cause a denial of service due to
> | no default limit on possible input size.
>
> CVE-2022-30522[5]:
> | If Apache HTTP Server 2.4.53 is configured to do transformations with
> | mod_sed in contexts where the input to mod_sed may be very large,
> | mod_sed may make excessively large memory allocations and trigger an
> | abort.
>
> CVE-2022-30556[6]:
> | Apache HTTP Server 2.4.53 and earlier may return lengths to
> | applications calling r:wsread() that point past the end of the storage
> | allocated for the buffer.
>
> As usual Apache fails to directly identify fixing commits at
> https://httpd.apache.org/security/vulnerabilities_24.html
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-31813
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
> [1] https://security-tracker.debian.org/tracker/CVE-2022-26377
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
> [2] https://security-tracker.debian.org/tracker/CVE-2022-28614
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
> [3] https://security-tracker.debian.org/tracker/CVE-2022-28615
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
> [4] https://security-tracker.debian.org/tracker/CVE-2022-29404
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
> [5] https://security-tracker.debian.org/tracker/CVE-2022-30522
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
> [6] https://security-tracker.debian.org/tracker/CVE-2022-30556
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
>
> Please adjust the affected versions in the BTS as needed.
>
Bug#790943: Root and local certificate location clash
You made a very good investigation on the topic. I agree that a public cert shouldn't be placed into the same folder as CA certs. There is some mention of a weird bug https://serverfault.com/a/840191/442430 Instead I think that both private key and cert should be merged into a one file and placed into /etc/ssl/private/. It looks like there were a lot of discussions but we didn't come to a single agreement about the place to store certs and how to manage them. Please read my proposition here https://github.com/certbot/certbot/issues/1425#issuecomment-1150116062 I'll appreciate any feedback. Regards, Sergey Ponomarev, stokito.com
Bug#1012513: apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556
Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for apache2.
CVE-2022-31813[0]:
| Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-*
| headers to the origin server based on client side Connection header
| hop-by-hop mechanism. This may be used to bypass IP based
| authentication on the origin server/application.
CVE-2022-26377[1]:
| Inconsistent Interpretation of HTTP Requests ('HTTP Request
| Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
| allows an attacker to smuggle requests to the AJP server it forwards
| requests to. This issue affects Apache HTTP Server Apache HTTP Server
| 2.4 version 2.4.53 and prior versions.
CVE-2022-28614[2]:
| The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may
| read unintended memory if an attacker can cause the server to reflect
| very large input using ap_rwrite() or ap_rputs(), such as with
| mod_luas r:puts() function.
CVE-2022-28615[3]:
| Apache HTTP Server 2.4.53 and earlier may crash or disclose
| information due to a read beyond bounds in ap_strcmp_match() when
| provided with an extremely large input buffer. While no code
| distributed with the server can be coerced into such a call, third-
| party modules or lua scripts that use ap_strcmp_match() may
| hypothetically be affected.
CVE-2022-29404[4]:
| In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua
| script that calls r:parsebody(0) may cause a denial of service due to
| no default limit on possible input size.
CVE-2022-30522[5]:
| If Apache HTTP Server 2.4.53 is configured to do transformations with
| mod_sed in contexts where the input to mod_sed may be very large,
| mod_sed may make excessively large memory allocations and trigger an
| abort.
CVE-2022-30556[6]:
| Apache HTTP Server 2.4.53 and earlier may return lengths to
| applications calling r:wsread() that point past the end of the storage
| allocated for the buffer.
As usual Apache fails to directly identify fixing commits at
https://httpd.apache.org/security/vulnerabilities_24.html
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-31813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
[1] https://security-tracker.debian.org/tracker/CVE-2022-26377
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
[2] https://security-tracker.debian.org/tracker/CVE-2022-28614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
[3] https://security-tracker.debian.org/tracker/CVE-2022-28615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
[4] https://security-tracker.debian.org/tracker/CVE-2022-29404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
[5] https://security-tracker.debian.org/tracker/CVE-2022-30522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
[6] https://security-tracker.debian.org/tracker/CVE-2022-30556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
Please adjust the affected versions in the BTS as needed.
Project of System
Hello, Are you affected by limited local resources or service capability disrupted by war? You want to work with an experienced company from the European Union? Dynamic software company, since 2011 on the market, with over 100 software engineers opens for new work. We usually work with EMEA banking, fin-tech, media and insurance. We are open to working as white label. Our area of expertise covers: - Custom web and mobile applications - Business toolkit: BPM, Document Managements Systems ,Workflow, Business Intelligence, Enterprise Content Management, Document Portals and Document Generation, etc. - Digital transformation & application enhancement - Digital native projects / green field - System integrations including open integration platform - DevOps Support - Manual and Automated Testing What works very well for our customers in Germany and the UK is offering the service capability. Looking from the customer perspective he/she receives at least one dedicated person but the work itself can be delivered by many people to ensure that the job would be accomplished as fast as possible. So even if the contract is let's say for only up to 168 hours per month (the equivalent of one person) this can be delivered by more than one person. You can easily scale up or down where necessary. Our most used stack for digital transformation is as below: Backend: Apache Tomcat 9, Elasticsearch 7, Gradle 7, Kibana 7, Logstash 7, Apache Commons Lang 3, Apache Commons IO 2, Apache Commons Text 1, Apache PdfBox 2, Bouncy Castle OpenPGP API 1, Exchange Web Services Java API 2, Flyway 8, Hibernate 5, IText Core 5, JAX WS API 2, Log4j2 2, Opencsv 5, Spring Boot 2, Thymeleaf 3 Frontend : Angular 13, Angular Material 13, File-saver 2, Hammerjs 2, Lodash 4, NgxSpinner 12, RxJS 7, Tailwindcss 2, Tslib 2, Zone.js 0.11 I hope to hear from you soon!. Best regards Viljar Bodvar
