Apache has been updated to fix several CVEs. See https://downloads.apache.org/httpd/CHANGES_2.4.55

CVE-2022-37436, CVE-2022-36760, CVE-2006-20001
Advisory
========

Apache has been updated to fix several security issues.

CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (cve.mitre.org)
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)

CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp Possible request smuggling (cve.mitre.org)
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group

CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org)
A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.

References
==========

https://downloads.apache.org/httpd/CHANGES_2.4.55
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37436
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36760
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-20001

Files
=====

Uploaded to core/updates_testing

apache-mod_proxy-2.4.55-1.mga8
apache-devel-2.4.55-1.mga8
apache-mod_http2-2.4.55-1.mga8
apache-mod_ssl-2.4.55-1.mga8
apache-mod_dav-2.4.55-1.mga8
apache-mod_cache-2.4.55-1.mga8
apache-mod_session-2.4.55-1.mga8
apache-mod_ldap-2.4.55-1.mga8
apache-mod_proxy_html-2.4.55-1.mga8
apache-mod_dbd-2.4.55-1.mga8
apache-mod_suexec-2.4.55-1.mga8
apache-htcacheclean-2.4.55-1.mga8
apache-mod_userdir-2.4.55-1.mga8
apache-mod_brotli-2.4.55-1.mga8
apache-2.4.55-1.mga8
apache-doc-2.4.55-1.mga8

from apache-2.4.55-1.mga8.src.rpm
Assignee: smelror => qa-bugs
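A check a system administrator could run against the advisory above, added here as an example and not part of the original bug report or of Mageia's tooling: it reads `rpm -qa`-style package names and reports which of the three CVEs still apply because the module package is older than 2.4.55. The function names are hypothetical, and it assumes mod_proxy_ajp ships inside the apache-mod_proxy package.

```shell
#!/usr/bin/env bash
# Fixed upstream version, taken from the advisory.
FIXED="2.4.55"

# Return 0 when version $1 sorts strictly before version $2 (uses sort -V).
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Read name-version-release strings on stdin (as printed by `rpm -qa`) and
# print "CVE package" for every advisory CVE that applies to a listed
# Apache module package older than $FIXED.
affected_cves() {
    local pkg name ver
    while read -r pkg; do
        case "$pkg" in apache-*) ;; *) continue ;; esac
        ver="${pkg%-*}"      # drop the trailing "-release[.arch]"
        name="${ver%-*}"     # what is left before the version
        ver="${ver##*-}"     # the upstream version itself
        ver_lt "$ver" "$FIXED" || continue
        case "$name" in
            # Assumption: mod_proxy_ajp is packaged in apache-mod_proxy.
            apache-mod_proxy) echo "CVE-2022-37436 $pkg"
                              echo "CVE-2022-36760 $pkg" ;;
            apache-mod_dav)   echo "CVE-2006-20001 $pkg" ;;
        esac
    done
}

# Usage on a live system:  rpm -qa | affected_cves
```

Empty output means no listed mod_proxy or mod_dav package predates the fix; packages that are not installed are never reported.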
Thanks Stig-Ørjan!

Announcement and vulnerability references:
https://downloads.apache.org/httpd/Announcement2.4.html
https://httpd.apache.org/security/vulnerabilities_24.html
Summary: Apache Security issues - CVE-2022-37436, CVE-2022-36760, CVE-2006-20001 => apache new security issues CVE-2022-37436, CVE-2022-36760, CVE-2006-20001
Source RPM: (none) => apache-2.4.54-1.1.mga8.src.rpm
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Tested by accessing localhost in browser: It works!
Connected phpmyadmin and created and deleted a new database.
Loaded my genealogic info as webpages made by gramps, made sure /etc/httpd/conf/httpd.conf pointed to the correct Document root, accessed it locally from localhost.
Opened port 80 in firewall and accessed the same info on the laptop from my desktop PC. I was able to navigate in the family tree (lots of files in it), all works OK.
Waiting for others to confirm.
CC: (none) => herman.viaene
Installed and tested without issues.

Tested for four days with several sites and scripts installed.

Tested:
- systemd socket activation;
- server status, info;
- custom logs;
- HTTP 1.1 and 2;
- HTTP 1.1 upgrade to HTTP 2;
- HTTPS with SNI;
- Let's Encrypt SSL signed certificates;
- SSL test using sslscan and https://www.ssllabs.com/ssltest/;
- multiple sites resolution by IP and host name;
- PHP through FPM;
- PHP scripts;
- mod_rewrite;
- mod_security;
- mod_proxy;
- mod_alias.

System: Mageia 8, x86_64, AMD CPU.

$ uname -a
Linux jupiter 6.1.6-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Jan 14 13:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep apache.*2.4.55 | sort
apache-2.4.55-1.mga8
apache-mod_http2-2.4.55-1.mga8
apache-mod_proxy-2.4.55-1.mga8
apache-mod_ssl-2.4.55-1.mga8

$ systemctl status httpd.socket httpd.service
● httpd.socket - httpd server activation socket
     Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
     Active: active (running) since Sun 2023-01-22 10:13:17 WET; 14h ago
   Triggers: ● httpd.service
     Listen: [::]:80 (Stream)
             [::]:443 (Stream)
      Tasks: 0 (limit: 37625)
     Memory: 8.0K
        CPU: 380us
     CGroup: /system.slice/httpd.socket

jan 22 10:13:17 jupiter systemd[1]: Listening on httpd server activation socket.

● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-01-23 00:40:41 WET; 12min ago
TriggeredBy: ● httpd.socket
   Main PID: 43759 (httpd)
     Status: "Total requests: 1933; Idle/Busy workers 100/0;Requests/sec: 2.62; Bytes served/sec: 211KB/sec"
      Tasks: 54 (limit: 37625)
     Memory: 79.3M
        CPU: 1.236s
     CGroup: /system.slice/httpd.service
             ├─43759 /usr/sbin/httpd -DFOREGROUND
             ├─43770 /usr/sbin/httpd -DFOREGROUND
             └─43772 /usr/sbin/httpd -DFOREGROUND

jan 23 00:40:41 jupiter systemd[1]: Starting The Apache HTTP Server...
jan 23 00:40:41 jupiter systemd[1]: Started The Apache HTTP Server.
CC: (none) => mageia
This box is running nextcloud 25

# uname -a
Linux localhost 5.15.88-desktop-1.mga8 #1 SMP Sat Jan 14 15:00:41 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

The following 2 packages are going to be installed:

- apache-2.4.55-1.mga8.x86_64
- apache-mod_ssl-2.4.55-1.mga8.x86_64

8.8KB of additional disk space will be used.

restarted httpd service from command line

# httpd -v
Server version: Apache/2.4.55 (Unix)
Server built: Jan 18 2023 14:31:04

installed nextcloud on 2.4.54 then upgraded to 2.4.55. Things are working as expected.
CC: (none) => brtians1
This update has been working without issues for a week so I'm giving it the OK to push it forward. Please undo if appropriate.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Ubuntu has issued an advisory for this today (January 1): https://ubuntu.com/security/notices/USN-5839-1
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0032.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED