| Summary: | apache new security issues CVE-2022-26377, CVE-2022-28615, CVE-2022-29404, CVE-2022-30556, CVE-2022-31813 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, smelror, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | apache-2.4.53-1.mga9.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2022-06-08 18:35:42 CEST
David Walser
2022-06-08 18:36:01 CEST
Status comment:
(none) =>
Fixed upstream in 2.4.54 apache-2.4.54-1.mga9 uploaded for Cauldron by Stig-Ørjan. CC:
(none) =>
smelror Advisory
========
Apache has been updated to fix several critical security issues.
CVE-2022-26377: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.
CVE-2022-28615: Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.
CVE-2022-29404: In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.
CVE-2022-30556: Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
CVE-2022-31813: Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.
References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
https://downloads.apache.org/httpd/CHANGES_2.4.54
https://httpd.apache.org/security/vulnerabilities_24.html
Files
=====
Uploaded to core/updates_testing
apache-mod_proxy-2.4.54-1.mga8
apache-devel-2.4.54-1.mga8
apache-mod_http2-2.4.54-1.mga8
apache-mod_ssl-2.4.54-1.mga8
apache-mod_dav-2.4.54-1.mga8
apache-mod_cache-2.4.54-1.mga8
apache-mod_ldap-2.4.54-1.mga8
apache-mod_session-2.4.54-1.mga8
apache-mod_dbd-2.4.54-1.mga8
apache-mod_proxy_html-2.4.54-1.mga8
apache-htcacheclean-2.4.54-1.mga8
apache-mod_userdir-2.4.54-1.mga8
apache-mod_brotli-2.4.54-1.mga8
apache-mod_suexec-2.4.54-1.mga8
apache-2.4.54-1.mga8
apache-doc-2.4.54-1.mga8
from apache-2.4.54-1.mga8.src.rpmAssignee:
bugsquad =>
qa-bugs
David Walser
2022-06-09 14:33:52 CEST
Status comment:
Fixed upstream in 2.4.54 =>
(none) MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
# systemctl start httpd
# systemctl -l status httpd
* httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2022-06-12 11:00:06 CEST; 2s ago
Main PID: 222022 (httpd)
Status: "Processing requests..."
Tasks: 12 (limit: 9395)
Memory: 24.5M
CPU: 143ms
CGroup: /system.slice/httpd.service
|-222022 /usr/sbin/httpd -DFOREGROUND
|-222024 /usr/sbin/httpd -DFOREGROUND
|-222025 /usr/sbin/httpd -DFOREGROUND
|-222027 /usr/sbin/httpd -DFOREGROUND
|-222029 /usr/sbin/httpd -DFOREGROUND
|-222031 /usr/sbin/httpd -DFOREGROUND
`-222033 /usr/sbin/httpd -DFOREGROUND
jun 12 11:00:06 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
jun 12 11:00:06 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.
# systemctl start mysqld
# systemctl -l status mysqld
* mysqld.service - MySQL database server
Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2022-06-12 11:00:24 CEST; 10s ago
Process: 222051 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
Main PID: 222066 (mysqld)
Status: "Taking your SQL requests now..."
Tasks: 42 (limit: 9395)
Memory: 68.2M
CPU: 206ms
CGroup: /system.slice/mysqld.service
`-222066 /usr/sbin/mysqld
Started PhpMyadmin, could connect to database and insert a row in an existing test table.
All works OK.Whiteboard:
(none) =>
MGA8-64-OK Validating. Advisory in Comment 2. Keywords:
(none) =>
validated_update
Dave Hodgins
2022-06-13 21:33:26 CEST
CC:
(none) =>
davidwhodgins An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0228.html Status:
NEW =>
RESOLVED This update also fixed CVE-2022-28614 and CVE-2022-30522. |