Hi Daniel,

The two CVEs you mention, CVE-2023-27522 and CVE-2023-25690, have already
been addressed in Ubuntu, and have been since March.

https://ubuntu.com/security/CVE-2023-27522
https://ubuntu.com/security/CVE-2023-25690

For 22.04, these were both fixed in apache2 2.4.52-1ubuntu4.4:

https://bugs.launchpad.net/ubuntu/+source/apache2/2.4.52-1ubuntu4.4

For 20.04, these were both fixed in apache2 2.4.41-4ubuntu3.14:

https://bugs.launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.14

Packages in the Ubuntu archive don't typically receive wholesale point
releases unless that package has a microrelease exception. This is intended
to keep regressions and changes in functionality to a minimum. Instead, we
simply take the CVE fix itself, and place it on top of the version in the
Ubuntu archive, and make a new build. The CVE is fixed without having to take
sometimes hundreds of additional changes at the same time.

See:

https://wiki.ubuntu.com/SecurityTeam/FAQ
https://wiki.ubuntu.com/StableReleaseUpdates#Why

In the future, see the Ubuntu CVE tracker to see if a particular CVE has
been fixed.

Thanks,
Matthew

On Fri, 15 Sept 2023 at 11:00, Daniel Johnston <dani...@premiercu.org> wrote:

> Hello,
>
> I was wondering on when you plan to upgrade Apache from 2.4.55 to at least
> 2.4.56 to address the vulnerabilities with Apache?
>
> We have been checking weekly for a number of months now.
>
> Changes with Apache 2.4.56
>
>   *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
>      HTTP response splitting (cve.mitre.org)
>      HTTP Response Smuggling vulnerability in Apache HTTP Server via
>      mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
>      2.4.30 through 2.4.55.
>      Special characters in the origin response header can
>      truncate/split the response forwarded to the client.
>      Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)
>
>   *) SECURITY: CVE-2023-25690: HTTP request splitting with
>      mod_rewrite and mod_proxy (cve.mitre.org)
>      Some mod_proxy configurations on Apache HTTP Server versions
>      2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
>      Configurations are affected when mod_proxy is enabled along with
>      some form of RewriteRule or ProxyPassMatch in which a non-specific
>      pattern matches some portion of the user-supplied request-target (URL)
>      data and is then re-inserted into the proxied request-target
>      using variable substitution. For example, something like:
>         RewriteEngine on
>         RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
>         ProxyPassReverse /here/  http://example.com:8080/
>      Request splitting/smuggling could result in bypass of access
>      controls in the proxy server, proxying unintended URLs to
>      existing origin servers, and cache poisoning.
>      Credits: Lars Krapf of Adobe
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>
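As an added example (not code from this thread, from Apache or from Ubuntu), a small linter for the CVE-2023-25690 configuration shape quoted above: it reports RewriteRule [P] and ProxyPassMatch directives whose pattern captures a non-specific part of the request-target and re-inserts it into the proxied target via $N, and skips rules carrying mod_rewrite's B or BNP flags, which re-escape backreferences. The sample config and the directive parsing are assumptions of this example; the fixed packages Matthew lists remain the actual remedy, and this only helps locate rules worth reviewing.

```python
import re

# Constructed sample config: the affected shape from the CVE-2023-25690 entry
# next to variants the linter should leave alone.
SAMPLE_CONFIG = """\
RewriteEngine on
# affected shape (non-specific capture re-inserted into a proxied target)
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/  http://example.com:8080/
# same rule with the B flag: backreferences are re-escaped before use
RewriteRule "^/there/(.*)" "http://example.com:8080/elsewhere?$1" [P,B]
# specific pattern: only digits can reach the proxied target
RewriteRule "^/id/([0-9]+)$" "http://example.com:8080/item?$1" [P]
# internal rewrite, no proxying involved
RewriteRule "^/old/(.*)" "/new/$1" [L]
ProxyPassMatch "^/files/(.*)" "http://backend:8080/store/$1"
"""

ARG = r'"[^"]*"|\S+'  # one directive argument, quoted or bare
REWRITE_RE = re.compile(rf'^\s*RewriteRule\s+({ARG})\s+({ARG})(?:\s+\[([^\]]*)\])?', re.I)
PPM_RE = re.compile(rf'^\s*ProxyPassMatch\s+({ARG})\s+({ARG})', re.I)
# a capture group built on ".*", ".+" or a negated class such as "[^/]+"
BROAD_GROUP_RE = re.compile(r'\([^()]*(?:\.|\[\^[^\]]*\])[*+][^()]*\)')
BACKREF_RE = re.compile(r'\$[1-9]')  # $1 .. $9 substitution in the target

def _unquote(arg):
    return arg[1:-1] if len(arg) >= 2 and arg[0] == arg[-1] == '"' else arg

def _flags(text):
    # "E=VAR:val,P,QSA" -> {"E", "P", "QSA"}
    return {f.split('=', 1)[0].strip().upper() for f in text.split(',') if f.strip()}

def find_risky_rules(config_text):
    """Return (line_no, directive, reason) for directives matching the affected shape."""
    reason = 'non-specific capture substituted into proxied target'
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if m:
            pattern, subst, flags = _unquote(m[1]), _unquote(m[2]), _flags(m[3] or '')
            if 'P' not in flags or flags & {'B', 'BNP'}:
                continue  # not proxied, or backreferences are re-escaped
            if BACKREF_RE.search(subst) and BROAD_GROUP_RE.search(pattern):
                findings.append((no, 'RewriteRule', reason))
            continue
        m = PPM_RE.match(line)
        if m and BACKREF_RE.search(_unquote(m[2])) and BROAD_GROUP_RE.search(_unquote(m[1])):
            findings.append((no, 'ProxyPassMatch', reason))
    return findings
```

Running `find_risky_rules(SAMPLE_CONFIG)` reports only line 3 (the RewriteRule from the advisory) and line 11 (the ProxyPassMatch with an open capture).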