Bug#1032476: marked as done (apache2: CVE-2023-25690 CVE-2023-27522)

2023-03-23 Thread Debian Bug Tracking System
Your message dated Thu, 23 Mar 2023 16:02:08 +
with message-id 
and subject line Bug#1032476: fixed in apache2 2.4.56-1~deb11u1
has caused the Debian Bug report #1032476,
regarding apache2: CVE-2023-25690 CVE-2023-27522
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1032476: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032476
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.55-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for apache2.

CVE-2023-25690[0]:
| Some mod_proxy configurations on Apache HTTP Server versions 2.4.0
| through 2.4.55 allow a HTTP Request Smuggling attack. Configurations
| are affected when mod_proxy is enabled along with some form of
| RewriteRule or ProxyPassMatch in which a non-specific pattern matches
| some portion of the user-supplied request-target (URL) data and is
| then re-inserted into the proxied request-target using variable
| substitution. For example, something like:
|
|   RewriteEngine on
|   RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
|   ProxyPassReverse /here/ http://example.com:8080/
|
| Request splitting/smuggling could result in bypass of access controls
| in the proxy server, proxying unintended URLs to existing origin
| servers, and cache poisoning. Users are recommended to update to at
| least version 2.4.56 of Apache HTTP Server.


CVE-2023-27522[1]:
| HTTP Response Smuggling vulnerability in Apache HTTP Server via
| mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30
| through 2.4.55. Special characters in the origin response header can
| truncate/split the response forwarded to the client.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25690
https://www.cve.org/CVERecord?id=CVE-2023-25690
[1] https://security-tracker.debian.org/tracker/CVE-2023-27522
https://www.cve.org/CVERecord?id=CVE-2023-27522

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
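As an added defensive illustration, not part of the bug report or of the Debian apache2 package, the following Python script scans httpd configuration text for the shape CVE-2023-25690 describes: a RewriteRule carrying the proxy flag, or a ProxyPassMatch, whose target re-inserts an unbounded capture group (`.*` or `.+`) taken from the request-target. The sample configuration is constructed, and `audit()`, `capture_groups()` and `_tokens()` are names chosen here.

```python
import re

# Constructed sample httpd configuration (not from the Debian package); line 2
# mirrors the RewriteRule shape quoted in the CVE-2023-25690 text.
SAMPLE_CONFIG = """\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
RewriteRule "^/safe/([A-Za-z0-9_-]+)$" "http://example.com:8080/s/$1" [P,L]
ProxyPassMatch "^/api/(.*)$" "http://backend.internal/api/$1"
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
"""

# A group body containing ".*" or ".+" matches any characters: the "non-specific
# pattern" of the CVE text. Narrower classes such as [^/]+ are not flagged here.
UNBOUNDED = re.compile(r"\.[*+]")


def _tokens(line):
    """Split a directive line into arguments, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', line)]


def capture_groups(pattern):
    """Return the bodies of capturing groups in a regex (naive: no nesting)."""
    return re.findall(r"\((?!\?)([^()]*)\)", pattern)


def audit(config_text):
    """Return (line, directive, backref, group_body) per risky substitution."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tok = _tokens(raw.strip())
        if not tok or tok[0].startswith("#"):
            continue
        directive = tok[0].lower()
        if directive == "rewriterule" and len(tok) >= 3:
            flags = tok[3].strip("[]").split(",") if len(tok) > 3 else []
            # Only rules handing the substituted URL to mod_proxy ([P]/[proxy]).
            if not any(f.strip().upper() in ("P", "PROXY") for f in flags):
                continue
        elif directive != "proxypassmatch" or len(tok) < 3:
            continue
        pattern, target = tok[1], tok[2]
        groups = capture_groups(pattern)
        for n in sorted({int(d) for d in re.findall(r"\$(\d)", target)}):
            if 1 <= n <= len(groups) and UNBOUNDED.search(groups[n - 1]):
                findings.append((lineno, directive, f"${n}", groups[n - 1]))
    return findings
```

On the sample, `audit(SAMPLE_CONFIG)` reports lines 2 and 5 and leaves the bounded `[A-Za-z0-9_-]+` capture and the non-proxying redirect alone.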
--- Begin Message ---
Source: apache2
Source-Version: 2.4.56-1~deb11u1
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 08 Mar 2023 07:05:04 +0400
Source: apache2
Architecture: source
Version: 2.4.56-1~deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1032476
Changes:
 apache2 (2.4.56-1~deb11u1) bullseye-security; urgency=medium
 .
   * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)

Bug#1032476: marked as done (apache2: CVE-2023-25690 CVE-2023-27522)

2023-03-07 Thread Debian Bug Tracking System
Your message dated Wed, 08 Mar 2023 03:19:22 +
with message-id 
and subject line Bug#1032476: fixed in apache2 2.4.56-1
has caused the Debian Bug report #1032476,
regarding apache2: CVE-2023-25690 CVE-2023-27522
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1032476: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032476
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Source-Version: 2.4.56-1
Done: Yadd 

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 08 Mar 2023 06:44:05 +0400
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.56-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1032476
Changes:
 apache2 (2.4.56-1) unstable; urgency=medium
 .
   * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)

-----BEGIN PGP SIGNATURE-----