Bug 31644

Summary: apache new security issues CVE-2023-27522 and CVE-2023-25690
Product: Mageia Reporter: Stig-Ørjan Smelror <smelror>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, brtians1, davidwhodgins, herman.viaene, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: apache-2.4.55-1.mga8.src.rpm CVE: CVE-2023-27522, CVE-2023-25690
Status comment:

Description Stig-Ørjan Smelror 2023-03-07 14:20:40 CET 
The Apache Foundation has released version 2.4.56 which fixes two security issues.

https://downloads.apache.org/httpd/CHANGES_2.4.56
Comment 1 Stig-Ørjan Smelror 2023-03-07 14:24:29 CET 
Cauldron has been updated

CVE: (none) => CVE-2023-27522, CVE-2023-25690

Comment 2 Stig-Ørjan Smelror 2023-03-07 14:36:24 CET 
Advisory
========
Apache has been updated to version 2.4.56 to fix 2 critical security issues.

CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting (cve.mitre.org)
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.
Special characters in the origin response header can truncate/split the response forwarded to the client.

CVE-2023-25690: HTTP request splitting with mod_rewrite and mod_proxy (cve.mitre.org)
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.
For example, something like:
     RewriteEngine on
     RewriteRule "^/here/(.*)" "
     http://example.com:8080/elsewhere?$1"
     http://example.com:8080/elsewhere ; [P]
     ProxyPassReverse /here/  http://example.com:8080/
     http://example.com:8080/
Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.

References
==========
https://downloads.apache.org/httpd/CHANGES_2.4.56


Files
=====

Uploaded to core/updates_testing

apache-mod_proxy-2.4.56-1.mga8 
apache-devel-2.4.56-1.mga8 
apache-mod_http2-2.4.56-1.mga8 
apache-mod_ssl-2.4.56-1.mga8 
apache-mod_dav-2.4.56-1.mga8 
apache-mod_cache-2.4.56-1.mga8 
apache-mod_session-2.4.56-1.mga8 
apache-mod_proxy_html-2.4.56-1.mga8 
apache-mod_dbd-2.4.56-1.mga8 
apache-mod_ldap-2.4.56-1.mga8 
apache-htcacheclean-2.4.56-1.mga8 
apache-mod_userdir-2.4.56-1.mga8 
apache-mod_brotli-2.4.56-1.mga8 
apache-mod_suexec-2.4.56-1.mga8 
apache-2.4.56-1.mga8 
apache-doc-2.4.56-1.mga8

from apache-2.4.56-1.mga8.src.rpm

Assignee: smelror => qa-bugs

Comment 3 David Walser 2023-03-07 17:19:22 CET 
Thanks Stig-Ørjan!

Announcement and vulnerability references:
https://downloads.apache.org/httpd/Announcement2.4.html
https://httpd.apache.org/security/vulnerabilities_24.html

Summary: Apache Security issues - CVE-2023-27522 and CVE-2023-25690 => apache new security issues CVE-2023-27522 and CVE-2023-25690
Severity: normal => major
Source RPM: (none) => apache-2.4.55-1.mga8.src.rpm

PC LX 2023-03-08 22:38:34 CET

CC: (none) => mageia

Comment 4 David Walser 2023-03-09 17:57:18 CET 
Ubuntu has issued an advisory for this today (March 9):
https://ubuntu.com/security/notices/USN-5942-1
Comment 5 Herman Viaene 2023-03-10 10:16:42 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Tested by accessing localhost in browser: It works!
Connected phpmyadmin and created and deleted a new database.
Loaded my genealogic info as webpages made by gramps , /etc/httpd/conf/htppd.conf sill pointed to the correct Document root as from previous updates test, accessed it locally from localhost. Opened port 80 in firewall and accessed the same info on the laptop from my desktop PC. I was able to navigate in the family tree (lots of files in it), all works OK.
For me good enough, awaiting more tests from others.

CC: (none) => herman.viaene

Comment 6 Brian Rockwell 2023-03-10 20:23:41 CET 
This box is running nextcloud 25

The following 2 packages are going to be installed:

- apache-2.4.56-1.mga8.x86_64
- apache-mod_ssl-2.4.56-1.mga8.x86_64

6.9KB of additional disk space will be used.

Stopped httpd service

restarted httpd service

from command line

# httpd -v
Server version: Apache/2.4.56 (Unix)
Server built:   Mar  7 2023 13:24:10

I verified nextcloud is running properly and configuration is intact.

Working for me

CC: (none) => brtians1

Comment 7 PC LX 2023-03-13 18:55:54 CET 
Installed and tested without issues.

Tested for five days with several sites and scripts installed.

Tested:
- systemd socket activation;
- server status;
- server info;
- custom logs;
- IPv4 and IPv6;
- HTTPS with SNI;
- Lets Encrypt SSL signed certificates;
- SSL test using sslscan and https://www.ssllabs.com/ssltest/;
- multiple sites resolution by IP and host name;
- HTTP 1.1 and 2;
- HTTP 1.1 upgrade to HTTP 2;
- PHP through FPM;
- PHP scripts;
- mod_rewrite;
- mod_security;
- mod_proxy;
- mod_alias.



System: Mageia 8, x86_64, AMD CPU.



$ uname -a
Linux jupiter 6.1.15-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Mar  4 11:14:54 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep apache.*2.4.56 | sort
apache-2.4.56-1.mga8
apache-mod_http2-2.4.56-1.mga8
apache-mod_proxy-2.4.56-1.mga8
apache-mod_ssl-2.4.56-1.mga8
$ systemctl status httpd.socket httpd.service
● httpd.socket - httpd server activation socket
     Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-03-13 09:56:16 WET; 7h ago
   Triggers: ● httpd.service
     Listen: [::]:80 (Stream)
             [::]:443 (Stream)
      Tasks: 0 (limit: 37622)
     Memory: 8.0K
        CPU: 521us
     CGroup: /system.slice/httpd.socket

mar 13 09:56:16 jupiter systemd[1]: Listening on httpd server activation socket.

● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-03-13 10:33:04 WET; 7h ago
TriggeredBy: ● httpd.socket
   Main PID: 7129 (httpd)
     Status: "Total requests: 1033; Idle/Busy workers 100/0;Requests/sec: 0.0389; Bytes served/sec: 3.7KB/sec"
      Tasks: 54 (limit: 37622)
     Memory: 133.1M
        CPU: 2.734s
     CGroup: /system.slice/httpd.service
             ├─7129 /usr/sbin/httpd -DFOREGROUND
             ├─7130 /usr/sbin/httpd -DFOREGROUND
             └─7131 /usr/sbin/httpd -DFOREGROUND

mar 13 10:33:04 jupiter systemd[1]: Starting The Apache HTTP Server...
mar 13 10:33:04 jupiter systemd[1]: Started The Apache HTTP Server.
Comment 8 Herman Viaene 2023-03-16 15:45:16 CET 
No further reaction. Since then httpd has been used in other updates without problems, so goeed enough.

Whiteboard: (none) => MGA8-64-OK

Comment 9 Thomas Andrews 2023-03-16 19:45:17 CET 
Thanks, Everybody!

Validating. Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-17 23:26:46 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 10 Mageia Robot 2023-03-18 23:18:30 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0100.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED