From their changelog. *) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds (cve.mitre.org) Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions. Credits: Ronald Crane (Zippenhop LLC) *) SECURITY: CVE-2022-22721: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (cve.mitre.org) If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier. Credits: Anonymous working with Trend Micro Zero Day Initiative *) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org) Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling Credits: James Kettle <james.kettle portswigger.net> *) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of in r:parsebody (cve.mitre.org) A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier. Credits: Chamal De Silva Cauldron has been updated to 2.4.53.
CVE: (none) => CVE-2022-23943, CVE-2022-22721, CVE-2022-22720, CVE-2022-22719
References: https://downloads.apache.org/httpd/Announcement2.4.html https://downloads.apache.org/httpd/CHANGES_2.4.53 https://httpd.apache.org/security/vulnerabilities_24.html Updated package uploaded for Mageia 8 by Stig-Ørjan. apache-2.4.53-1.mga8 apache-devel-2.4.53-1.mga8 apache-mod_proxy-2.4.53-1.mga8 apache-mod_http2-2.4.53-1.mga8 apache-mod_ssl-2.4.53-1.mga8 apache-mod_dav-2.4.53-1.mga8 apache-mod_cache-2.4.53-1.mga8 apache-mod_ldap-2.4.53-1.mga8 apache-mod_session-2.4.53-1.mga8 apache-mod_proxy_html-2.4.53-1.mga8 apache-mod_dbd-2.4.53-1.mga8 apache-htcacheclean-2.4.53-1.mga8 apache-mod_suexec-2.4.53-1.mga8 apache-mod_userdir-2.4.53-1.mga8 apache-mod_brotli-2.4.53-1.mga8 apache-doc-2.4.53-1.mga8 from apache-2.4.53-1.mga8.src.rpm
Summary: Apache several security issues => apache new security issues CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943Source RPM: (none) => apache-2.4.52-1.mga8.src.rpmStatus comment: (none) => Fixed upstream in 2.4.53Assignee: smelror => qa-bugs
Installed and tested without issues. Tested for a few days with several sites and scripts installed. Tested: - systemd socket activation; - server status; - custom logs; - HTTP 1.1; - HTTP 2; - HTTP 1.1 upgrade to HTTP 2; - HTTPS with SNI; - Lets Encrypt SSL signed certificates; - SSL test using https://www.ssllabs.com/ssltest/; - multiple sites resolution by IP and host name; - PHP through FPM; - multiple PHP scripts; - mod_rewrite; - mod_security. System: Mageia 8, x86_64, Intel CPU. $ uname -a Linux marte 5.15.28-desktop-1.mga8 #1 SMP Fri Mar 11 15:54:53 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux $ systemctl status httpd.socket httpd.service ● httpd.socket - httpd server activation socket Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled) Active: active (running) since Wed 2022-03-16 11:02:44 WET; 14h ago Triggers: ● httpd.service Listen: [::]:80 (Stream) [::]:443 (Stream) Tasks: 0 (limit: 4690) Memory: 8.0K CPU: 781us CGroup: /system.slice/httpd.socket mar 16 11:02:44 marte systemd[1]: Listening on httpd server activation socket. ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: active (running) since Wed 2022-03-16 11:18:57 WET; 14h ago TriggeredBy: ● httpd.socket Main PID: 3047 (httpd) Status: "Total requests: 3510; Idle/Busy workers 92/8;Requests/sec: 0.06638; Bytes served/sec: 491 B/sec" Tasks: 54 (limit: 4690) Memory: 37.6M CPU: 2min 59.675s CGroup: /system.slice/httpd.service ├─3047 /usr/sbin/httpd -DFOREGROUND ├─3048 /usr/sbin/httpd -DFOREGROUND └─3049 /usr/sbin/httpd -DFOREGROUND mar 16 11:18:57 marte systemd[1]: Starting The Apache HTTP Server... mar 16 11:18:57 marte systemd[1]: Started The Apache HTTP Server.
CC: (none) => mageia
Ubuntu has issued an advisory for this today (March 17): https://ubuntu.com/security/notices/USN-5333-1
CC: (none) => luigiwalser
MGA8-32bit $ uname -a Linux localhost.localdomain 5.15.28-server-1.mga8 #1 SMP Fri Mar 11 17:35:07 UTC 2022 i686 i686 i386 GNU/Linux The following 4 packages are going to be installed: - apache-2.4.53-1.mga8.i586 - apache-htcacheclean-2.4.53-1.mga8.i586 - apache-mod_cache-2.4.53-1.mga8.i586 - apache-mod_ssl-2.4.53-1.mga8.i586 8KB of additional disk space will be used. ---this is an upgrade --- Nextcloud Server - recycled services and system is working as expected. -- rebooted server Nextcloud server working as expected.
CC: (none) => brtians1Whiteboard: (none) => MGA8-32-OK
While a 32-bit OK is probably enough, I'm glad that we have a 64-bit test as well. Giving this a 64-bit OK based on Comment 2, and validating. Advisory information in Comment 0 and Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugsWhiteboard: MGA8-32-OK => MGA8-32-OK MGA8-64-OKKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0105.html
Status: NEW => RESOLVEDResolution: (none) => FIXED