apache2: CVE-2023-25690 CVE-2023-27522


Debian Bug report logs - #1032476


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 7 Mar 2023 19:51:02 UTC

Severity: grave

Tags: security, upstream

Found in version apache2/2.4.55-1

Fixed in version apache2/2.4.56-1

Done: Yadd <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#1032476; Package src:apache2. (Tue, 07 Mar 2023 19:51:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>. (Tue, 07 Mar 2023 19:51:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache2: CVE-2023-25690 CVE-2023-27522
Date: Tue, 07 Mar 2023 20:46:27 +0100
Source: apache2
Version: 2.4.55-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for apache2.

CVE-2023-25690[0]:
| Some mod_proxy configurations on Apache HTTP Server versions 2.4.0
| through 2.4.55 allow a HTTP Request Smuggling attack. Configurations
| are affected when mod_proxy is enabled along with some form of
| RewriteRule or ProxyPassMatch in which a non-specific pattern matches
| some portion of the user-supplied request-target (URL) data and is
| then re-inserted into the proxied request-target using variable
| substitution. For example, something like: RewriteEngine on
| RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
| ProxyPassReverse /here/ http://example.com:8080/ Request
| splitting/smuggling could result in bypass of access controls in the
| proxy server, proxying unintended URLs to existing origin servers, and
| cache poisoning. Users are recommended to update to at least version
| 2.4.56 of Apache HTTP Server.


CVE-2023-27522[1]:
| HTTP Response Smuggling vulnerability in Apache HTTP Server via
| mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30
| through 2.4.55. Special characters in the origin response header can
| truncate/split the response forwarded to the client.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25690
    https://www.cve.org/CVERecord?id=CVE-2023-25690
[1] https://security-tracker.debian.org/tracker/CVE-2023-27522
    https://www.cve.org/CVERecord?id=CVE-2023-27522

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
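Both CVEs above are the same failure in two directions: a string that came from an untrusted peer is copied into an HTTP message the proxy writes, without checking it for CR, LF, SP or other control characters. The following is an added illustration, not code from the bug report, from Debian or from Apache httpd. It models the RewriteRule case from the CVE-2023-25690 text (a %0d%0a in the request-target is decoded before the rule matches, so $1 carries a raw CRLF into the proxied request line) and the mod_proxy_uwsgi case from CVE-2023-27522 (a CRLF inside an origin header value splits the forwarded response). Assumptions, stated here and in the comments: the backreference is taken from the percent-decoded path, httpd's regex `.` matches the decoded newline (its default RegexDefaultOptions include DOTALL), and the 2.4.56 fix is approximated as "reject control characters in what mod_proxy is about to put on the wire"; the real upstream patch is more involved. The attacker path and the origin headers are constructed samples.

```python
"""Added model of CVE-2023-25690 (request side) and CVE-2023-27522 (response
side).  Not httpd code; `reject_ctl=True` approximates the 2.4.56 behaviour."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# A request-target on the wire may contain neither CTLs (0x00-0x1f, 0x7f)
# nor SP, which terminates the target in the request line.
TARGET_CTL = re.compile(r"[\x00-\x1f\x7f ]")
# In a header field value SP and HTAB are legal; CR, LF, NUL and other CTLs are not.
HEADER_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# Counterpart of:  RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
# DOTALL mirrors httpd's default RegexDefaultOptions, so `.` spans a decoded newline.
RULE_PATTERN = re.compile(r"^/here/(.*)", re.DOTALL)
RULE_TARGET = "http://example.com:8080/elsewhere?$1"


def rewrite_target(path: str) -> Optional[str]:
    """Model of the rewrite step: match the decoded path, expand $1 into the target."""
    m = RULE_PATTERN.match(unquote(path))  # assumption: $1 is the %-decoded capture
    return RULE_TARGET.replace("$1", m.group(1)) if m else None


def _request_target(url: str) -> str:
    """Strip scheme and authority: 'http://host:8080/a?b' -> '/a?b'."""
    rest = url.split("://", 1)[1]
    return rest[rest.find("/"):] if "/" in rest else "/"


def proxied_request(path: str, *, reject_ctl: bool, host: str = "example.com:8080") -> bytes:
    """Bytes the proxy sends to the origin for an incoming request path.

    reject_ctl=False reproduces the unpatched behaviour; True applies the check
    that stops the smuggling."""
    url = rewrite_target(path)
    if url is None:
        raise ValueError("rule did not match")
    target = _request_target(url)
    if reject_ctl and TARGET_CTL.search(target):
        raise ValueError("control character or space in proxied request-target")
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def forward_response(origin_headers: List[Tuple[str, str]], body: bytes, *, reject_ctl: bool) -> bytes:
    """Re-serialise the origin's headers for the client (the mod_proxy_uwsgi case)."""
    if reject_ctl:
        for name, value in origin_headers:
            if HEADER_CTL.search(name) or HEADER_CTL.search(value):
                raise ValueError(f"control character in origin header {name!r}")
    head = "\r\n".join(["HTTP/1.1 200 OK"] + [f"{n}: {v}" for n, v in origin_headers])
    return head.encode() + b"\r\n\r\n" + body


REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} ")


def count_messages(raw: bytes, start_line: "re.Pattern[bytes]") -> int:
    """How many HTTP messages a peer that frames on CRLFCRLF would see in `raw`."""
    return sum(1 for part in raw.split(b"\r\n\r\n")
               if start_line.match(part.split(b"\r\n", 1)[0]))


# Constructed attacker request-target: %0d%0a decodes to CRLF and %20 to SP, so $1
# closes the first request line and starts a second, complete request.  The
# trailing "X-Pad:" swallows the " HTTP/1.1" the proxy appends after $1.
SMUGGLED_PATH = ("/here/x%20HTTP/1.1%0d%0aHost:%20example.com:8080%0d%0a%0d%0a"
                 "GET%20/admin%20HTTP/1.1%0d%0aHost:%20example.com:8080%0d%0aX-Pad:")

# Constructed origin headers with a CRLF-bearing value that carries a second response.
SPLIT_HEADERS = [
    ("Content-Type", "text/plain"),
    ("X-Trace", "ok\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\ninjct"),
]


def demo() -> dict:
    """Run both cases with and without the check and report what each side sees."""
    out = {
        "requests_unpatched": count_messages(
            proxied_request(SMUGGLED_PATH, reject_ctl=False), REQUEST_LINE),
        "responses_unpatched": count_messages(
            forward_response(SPLIT_HEADERS, b"hello", reject_ctl=False), STATUS_LINE),
    }
    for key, fn, args in (("request_patched_rejects", proxied_request, (SMUGGLED_PATH,)),
                          ("response_patched_rejects", forward_response, (SPLIT_HEADERS, b"hello"))):
        try:
            fn(*args, reject_ctl=True)
            out[key] = False
        except ValueError:
            out[key] = True
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the check off, the origin receives two request lines from one client request and the client receives two status lines from one origin response; with it on, both are refused before anything reaches the wire. The same check is what makes the generic advice hold: any capture that is re-inserted into a proxied URL or header must be validated for CTL and SP after decoding, not before.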



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1032476. (Wed, 08 Mar 2023 03:09:03 GMT)


Message #8 received at 1032476-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 1032476-submitter@bugs.debian.org
Subject: Bug#1032476 marked as pending in apache2
Date: Wed, 08 Mar 2023 03:04:11 +0000
Control: tag -1 pending

Hello,

Bug #1032476 in apache2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/apache-team/apache2/-/commit/9c806d791108319cc4c8efab55767f3a79e2d0fc

------------------------------------------------------------------------
New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1032476



Added tag(s) pending. Request was from Yadd <noreply@salsa.debian.org> to 1032476-submitter@bugs.debian.org. (Wed, 08 Mar 2023 03:09:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#1032476; Package src:apache2. (Wed, 08 Mar 2023 03:12:03 GMT)


Acknowledgement sent to Yadd <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Wed, 08 Mar 2023 03:12:03 GMT)


Message #15 received at 1032476@bugs.debian.org:

From: Yadd <yadd@debian.org>
To: 1032476@bugs.debian.org, Debian Security Team <team@security.debian.org>
Cc: Raoul Delpech <rdelpech@linagora.com>
Subject: Re: Bug#1032476: apache2: CVE-2023-25690 CVE-2023-27522
Date: Wed, 8 Mar 2023 07:09:20 +0400
On 3/7/23 23:46, Salvatore Bonaccorso wrote:
> Source: apache2
> Version: 2.4.55-1
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> The following vulnerabilities were published for apache2.
> 
> CVE-2023-25690[0]:
> 
> CVE-2023-27522[1]:

Hi,

here is the debdiff for Bullseye

Cheers,
Yadd
[apache2_2.4.56-1~deb11u1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#1032476; Package src:apache2. (Wed, 08 Mar 2023 03:15:03 GMT)


Acknowledgement sent to Yadd <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Wed, 08 Mar 2023 03:15:09 GMT)


Message #20 received at 1032476@bugs.debian.org:

From: Yadd <yadd@debian.org>
To: 1032476@bugs.debian.org, Debian Security Team <team@security.debian.org>
Cc: Raoul Delpech <rdelpech@linagora.com>
Subject: Re: Bug#1032476: apache2: CVE-2023-25690 CVE-2023-27522
Date: Wed, 8 Mar 2023 07:12:22 +0400
On 3/8/23 07:09, Yadd wrote:
> On 3/7/23 23:46, Salvatore Bonaccorso wrote:
>> Source: apache2
>> Version: 2.4.55-1
>> Severity: grave
>> Tags: security upstream
>> X-Debbugs-Cc: carnil@debian.org, Debian Security Team 
>> <team@security.debian.org>
>>
>> Hi,
>>
>> The following vulnerabilities were published for apache2.
>>
>> CVE-2023-25690[0]:
>>
>> CVE-2023-27522[1]:
> 
> Hi,
> 
> here is the debdiff for Bullseye
> 
> Cheers,
> Yadd

Sorry, apache 2.4.55-1~deb11u1 is not yet published via bullseye-pu. Here
is the debdiff including all changes since 2.4.54-1~deb11u1.
[apache2_2.4.56-1~deb11u1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#1032476; Package src:apache2. (Wed, 08 Mar 2023 03:21:03 GMT)


Acknowledgement sent to Yadd <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Wed, 08 Mar 2023 03:21:07 GMT)


Message #25 received at 1032476@bugs.debian.org:

From: Yadd <yadd@debian.org>
To: 1032476@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1032476: apache2: CVE-2023-25690 CVE-2023-27522
Date: Wed, 8 Mar 2023 07:16:02 +0400
On 3/8/23 07:12, Yadd wrote:
> On 3/8/23 07:09, Yadd wrote:
>> On 3/7/23 23:46, Salvatore Bonaccorso wrote:
>>> Source: apache2
>>> Version: 2.4.55-1
>>> Severity: grave
>>> Tags: security upstream
>>> X-Debbugs-Cc: carnil@debian.org, Debian Security Team 
>>> <team@security.debian.org>
>>>
>>> Hi,
>>>
>>> The following vulnerabilities were published for apache2.
>>>
>>> CVE-2023-25690[0]:
>>>
>>> CVE-2023-27522[1]:
>>
>> Hi,
>>
>> here is the debdiff for Bullseye

and the same without docs/* changes
[apache2_2.4.56-1~deb11u1.debdiff (text/plain, attachment)]

Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Wed, 08 Mar 2023 03:21:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 08 Mar 2023 03:21:09 GMT)


Message #30 received at 1032476-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1032476-close@bugs.debian.org
Subject: Bug#1032476: fixed in apache2 2.4.56-1
Date: Wed, 08 Mar 2023 03:19:22 +0000
Source: apache2
Source-Version: 2.4.56-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032476@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 08 Mar 2023 06:44:05 +0400
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.56-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1032476
Changes:
 apache2 (2.4.56-1) unstable; urgency=medium
 .
   * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)
Checksums-Sha1: 
 58eb00c009fd93b0985da5ab956de026dbb466e3 3488 apache2_2.4.56-1.dsc
 9789aaa2eae1bea4a538b960b25f27e6d20398df 9769650 apache2_2.4.56.orig.tar.gz
 45d0c75499398e06ef3be013611c30a7f5e05deb 833 apache2_2.4.56.orig.tar.gz.asc
 d8856bb27ad6485fb9a61f780944d75e683a0cc4 899848 apache2_2.4.56-1.debian.tar.xz
Checksums-Sha256: 
 7d201ab7d4f0047d03bf254c28b5aef12f9b8722bf1741ba9d4ac4ae903dd53a 3488 apache2_2.4.56-1.dsc
 db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698 9769650 apache2_2.4.56.orig.tar.gz
 b53aaa7b05c6888a9cacbbeb100790772f8a8b042f0f308f4aeee60a21e8e44c 833 apache2_2.4.56.orig.tar.gz.asc
 51bd3a570b9cb6df6a78a9c328433847059b0594b32d26e2b708a545ef6088fe 899848 apache2_2.4.56-1.debian.tar.xz
Files: 
 f84901cc8b922cb9a7b2f6b885726001 3488 httpd optional apache2_2.4.56-1.dsc
 f3791f1a6a17291dacfd8c7efea4a79f 9769650 httpd optional apache2_2.4.56.orig.tar.gz
 e4bd6ccc0f685465a02006d8c183e3ed 833 httpd optional apache2_2.4.56.orig.tar.gz.asc
 7c4c4e6cee0a1e0c3267e6415b365038 899848 httpd optional apache2_2.4.56-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmQH+wIACgkQ9tdMp8mZ
7umhVA//WjHqBOnNyYti8o/qxWu/i+sk7m4901yoC/zfpn9taMnbPLM21AzsSRRh
P6Mh0+aGdJTLhL+WFvhlzfZCSEjG/TV18jdciYwD1s1AtHS22qA1n1QSkEQUv1fE
37PKL5pzqB/zIn8jqn3DWzkYCKH0vRwGi+xdffUqF+9w846ynmTZtsKUqvYV9Yl/
aItonoaJNRakcShpkOgcw5r3bJ0IurQrftFex+CLrJouoQYhMFYhXxyNUgcw99G6
tR5c2cy3FkVKEu9VopPbdAnt4RngWSBjCEL8gKcuJMGU6ujUTBV7NBsIoXcguIVO
9ERD4y3PmV8I3HavrRszxJd+Fc7z32Fqa+HBZri7ygB0INSGNcs4rKlKn8RBRBrh
KYQgTo9xZnNdjnfi3Bospk2ZateCjrOYdVYPNnpiD8sb5+38wfXQYXHI5F6kXaMo
gLjKXUEyj3mUvYZUEZxbaPimC7SaNQZi4pKKfYyRiwNrTEP7XkdGC8KNwe1/xEKb
+aeWpnAXImsXTGqufUhJEu7DgLxJ9B+3Zn1gQr4q7+MxEkrIRzAoaVgW2uQwRuYg
u0nZruqzQ7FKG+4jjAcp/ac6T6FBjs+gWVDfVkv8FzbddBRWcZa9VLcWi7TSiz8G
qJ35RkWmuPKAt4m1upxkn/69BJL3PkoJB/SaQLR/+SXq2kbxFE4=
=i2sR
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Mar 8 13:07:39 2023; Machine Name: buxtehude
