Apache has announced version 2.4.54 today (June 8):
https://downloads.apache.org/httpd/Announcement2.4.html

It fixes five security issues (that affect Linux):
https://downloads.apache.org/httpd/CHANGES_2.4.54
https://httpd.apache.org/security/vulnerabilities_24.html

Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.4.54
Whiteboard: (none) => MGA8TOO
apache-2.4.54-1.mga9 uploaded for Cauldron by Stig-Ørjan.
CC: (none) => smelror
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Advisory
========

Apache has been updated to fix several critical security issues.

CVE-2022-26377: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.53 and prior versions.

CVE-2022-28615: Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.

CVE-2022-29404: In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.

CVE-2022-30556: Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.

CVE-2022-31813: Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.
References
==========

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
https://downloads.apache.org/httpd/CHANGES_2.4.54
https://httpd.apache.org/security/vulnerabilities_24.html

Files
=====

Uploaded to core/updates_testing

apache-mod_proxy-2.4.54-1.mga8
apache-devel-2.4.54-1.mga8
apache-mod_http2-2.4.54-1.mga8
apache-mod_ssl-2.4.54-1.mga8
apache-mod_dav-2.4.54-1.mga8
apache-mod_cache-2.4.54-1.mga8
apache-mod_ldap-2.4.54-1.mga8
apache-mod_session-2.4.54-1.mga8
apache-mod_dbd-2.4.54-1.mga8
apache-mod_proxy_html-2.4.54-1.mga8
apache-htcacheclean-2.4.54-1.mga8
apache-mod_userdir-2.4.54-1.mga8
apache-mod_brotli-2.4.54-1.mga8
apache-mod_suexec-2.4.54-1.mga8
apache-2.4.54-1.mga8
apache-doc-2.4.54-1.mga8

from apache-2.4.54-1.mga8.src.rpm
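The CVE-2022-31813 entry in the advisory above describes a client naming X-Forwarded-* in its Connection header so that an unpatched mod_proxy strips them as hop-by-hop headers before the request reaches the origin. The following is an added example (not Mageia's, Apache's, or the reporter's code) of the two defender-side checks that follow from that description: a detection that flags requests asking a proxy to drop forwarding headers, and an origin-side client-address decision that fails closed instead of falling back to the trusted proxy's own address. All sample requests, host names and addresses are constructed for the example.

```python
# Added example (not Mageia's or Apache's code): defender-side checks for the
# behaviour described under CVE-2022-31813, where a client-supplied Connection
# header names X-Forwarded-* so that an unpatched reverse proxy drops them as
# hop-by-hop headers. The helpers flag such requests at the proxy/WAF layer and
# make the origin fail closed when a proxied request arrives without
# X-Forwarded-For. All sample requests and addresses below are constructed.
from typing import Dict, List, Optional, Tuple

# Forwarding headers mod_proxy normally adds; a client must never be able to
# control whether they reach the origin.
FORWARDING_HEADERS = ("x-forwarded-for", "x-forwarded-host", "x-forwarded-server")


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP/1.x request (request line + CRLF-terminated headers)
    into a map of lowercased header name -> list of values."""
    headers: Dict[str, List[str]] = {}
    lines = raw.split("\r\n")
    for line in lines[1:]:          # lines[0] is the request line
        if line == "":              # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue                # tolerate malformed lines
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def connection_tokens(headers: Dict[str, List[str]]) -> List[str]:
    """Return every token listed in the Connection header(s), lowercased.
    RFC 7230 lets Connection carry a comma-separated list of header names
    that a proxy must remove before forwarding (hop-by-hop)."""
    tokens: List[str] = []
    for value in headers.get("connection", []):
        tokens.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def flag_forwarding_header_removal(headers: Dict[str, List[str]]) -> List[str]:
    """Detection: return the forwarding headers a client asked the proxy to
    drop. A legitimate client has no reason to list X-Forwarded-* here, so a
    non-empty result is worth logging or blocking in front of the proxy."""
    return [t for t in connection_tokens(headers) if t in FORWARDING_HEADERS]


def origin_client_ip(headers: Dict[str, List[str]], remote_addr: str,
                     trusted_proxies: Tuple[str, ...]) -> Tuple[Optional[str], bool]:
    """Mitigation at the origin: derive the client address without ever
    falling back to the proxy's own (trusted) address.

    Returns (client_ip, ok). ok is False when the request came from a trusted
    proxy but carries no X-Forwarded-For, which is exactly the situation the
    bypass relies on; the caller should deny rather than treat the proxy's
    address as the client."""
    if remote_addr not in trusted_proxies:
        return remote_addr, True            # direct connection: socket address is the client
    xff = headers.get("x-forwarded-for")
    if not xff:
        return None, False                  # proxied but unattributed: fail closed
    # With a single trusted proxy appending the peer it saw as the last
    # element, the rightmost address is the only one the origin should rely on.
    return xff[-1].split(",")[-1].strip(), True


# Constructed sample requests (not captured traffic).
NORMAL_REQUEST = ("GET /admin HTTP/1.1\r\nHost: app.example.test\r\n"
                  "Connection: keep-alive\r\n\r\n")
SUSPECT_REQUEST = ("GET /admin HTTP/1.1\r\nHost: app.example.test\r\n"
                   "Connection: close, X-Forwarded-For\r\n\r\n")
PROXIED_REQUEST = ("GET /admin HTTP/1.1\r\nHost: app.example.test\r\n"
                   "X-Forwarded-For: 203.0.113.7\r\n\r\n")
TRUSTED_PROXIES = ("127.0.0.1",)

if __name__ == "__main__":
    for label, raw in (("normal", NORMAL_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(label, "asks proxy to drop:", flag_forwarding_header_removal(parse_headers(raw)))
    print(origin_client_ip(parse_headers(PROXIED_REQUEST), "127.0.0.1", TRUSTED_PROXIES))
    print(origin_client_ip(parse_headers(NORMAL_REQUEST), "127.0.0.1", TRUSTED_PROXIES))
```

The detection half belongs in front of the proxy (or in its access log review); the origin half is the durable fix regardless of proxy version, since an application that treats a missing X-Forwarded-For from its own proxy as "local, trusted" is what turns the stripped header into an authentication bypass.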
Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 2.4.54 => (none)
MGA8-64 Plasma on Lenovo B50 in Dutch

No installation issues.

# systemctl start httpd
# systemctl -l status httpd
* httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2022-06-12 11:00:06 CEST; 2s ago
   Main PID: 222022 (httpd)
     Status: "Processing requests..."
      Tasks: 12 (limit: 9395)
     Memory: 24.5M
        CPU: 143ms
     CGroup: /system.slice/httpd.service
             |-222022 /usr/sbin/httpd -DFOREGROUND
             |-222024 /usr/sbin/httpd -DFOREGROUND
             |-222025 /usr/sbin/httpd -DFOREGROUND
             |-222027 /usr/sbin/httpd -DFOREGROUND
             |-222029 /usr/sbin/httpd -DFOREGROUND
             |-222031 /usr/sbin/httpd -DFOREGROUND
             `-222033 /usr/sbin/httpd -DFOREGROUND

jun 12 11:00:06 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
jun 12 11:00:06 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.

# systemctl start mysqld
# systemctl -l status mysqld
* mysqld.service - MySQL database server
     Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2022-06-12 11:00:24 CEST; 10s ago
    Process: 222051 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
   Main PID: 222066 (mysqld)
     Status: "Taking your SQL requests now..."
      Tasks: 42 (limit: 9395)
     Memory: 68.2M
        CPU: 206ms
     CGroup: /system.slice/mysqld.service
             `-222066 /usr/sbin/mysqld

Started phpMyAdmin, could connect to database and insert a row in an existing test table.
All works OK.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0228.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2022-28614 and CVE-2022-30522.