Bug 31427 - apache new security issues CVE-2022-37436, CVE-2022-36760, CVE-2006-20001
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-01-18 15:23 CET by Stig-Ørjan Smelror
Modified: 2023-02-07 01:08 CET

See Also:
Source RPM: apache-2.4.54-1.1.mga8.src.rpm
CVE:
Status comment:

Description Stig-Ørjan Smelror 2023-01-18 15:23:37 CET
Apache has been updated to fix several CVEs.

See
https://downloads.apache.org/httpd/CHANGES_2.4.55

CVE-2022-37436, CVE-2022-36760, CVE-2006-20001
Comment 1 Stig-Ørjan Smelror 2023-01-18 17:17:37 CET
Advisory
========

Apache has been updated to fix several security issues.

CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (cve.mitre.org)
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)

CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp Possible request smuggling (cve.mitre.org)
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group

CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org)
A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.
This issue affects Apache HTTP Server 2.4.54 and earlier.

References
==========

https://downloads.apache.org/httpd/CHANGES_2.4.55
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37436
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36760
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-20001

Files
=====

Uploaded to core/updates_testing

apache-mod_proxy-2.4.55-1.mga8
apache-devel-2.4.55-1.mga8
apache-mod_http2-2.4.55-1.mga8
apache-mod_ssl-2.4.55-1.mga8
apache-mod_dav-2.4.55-1.mga8
apache-mod_cache-2.4.55-1.mga8
apache-mod_session-2.4.55-1.mga8
apache-mod_ldap-2.4.55-1.mga8
apache-mod_proxy_html-2.4.55-1.mga8
apache-mod_dbd-2.4.55-1.mga8
apache-mod_suexec-2.4.55-1.mga8
apache-htcacheclean-2.4.55-1.mga8
apache-mod_userdir-2.4.55-1.mga8
apache-mod_brotli-2.4.55-1.mga8
apache-2.4.55-1.mga8
apache-doc-2.4.55-1.mga8

from apache-2.4.55-1.mga8.src.rpm

Assignee: smelror => qa-bugs
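
Added example, not part of the bug report or of Mageia's tooling: a shell check that reads `rpm -qa` style package names and lists the httpd packages from the file list above that are still older than the fixed 2.4.55. The function names and the sample package list are constructed for illustration; GNU `sort -V` is assumed.

```shell
#!/bin/sh
# Fixed upstream version, taken from the advisory in comment 1.
FIXED_VERSION="2.4.55"

# version_lt A B: succeed when version A sorts strictly before version B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# outdated_apache_packages: read name-version-release strings on stdin
# (one per line) and print the httpd packages older than FIXED_VERSION.
outdated_apache_packages() {
    while IFS= read -r nvr; do
        case "$nvr" in
            # Only the httpd package names from the file list above; a
            # plain "apache-*" would also match unrelated Java libraries.
            apache-[0-9]*|apache-mod_*|apache-devel-*|apache-doc-*|apache-htcacheclean-*) ;;
            *) continue ;;
        esac
        rest=${nvr%-*}        # strip "-release" (may carry an arch suffix)
        version=${rest##*-}   # the field after the last remaining hyphen
        if version_lt "$version" "$FIXED_VERSION"; then
            printf '%s\n' "$nvr"
        fi
    done
}

# Constructed sample: a partially updated system plus one unrelated package.
SAMPLE_PACKAGES='apache-2.4.54-1.1.mga8
apache-mod_ssl-2.4.55-1.mga8
apache-mod_proxy-2.4.54-1.1.mga8
apache-commons-logging-1.2-1.mga8'

# Prints the two 2.4.54 packages; on a live system: rpm -qa | outdated_apache_packages
printf '%s\n' "$SAMPLE_PACKAGES" | outdated_apache_packages
```

An empty result from `rpm -qa | outdated_apache_packages` means every installed httpd subpackage is at or above the fixed version; the httpd service still has to be restarted for the new binaries to be in use.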

Comment 2 David Walser 2023-01-18 19:28:41 CET
Thanks Stig-Ørjan!

Announcement and vulnerability references:
https://downloads.apache.org/httpd/Announcement2.4.html
https://httpd.apache.org/security/vulnerabilities_24.html

Summary: Apache Security issues - CVE-2022-37436, CVE-2022-36760, CVE-2006-20001 => apache new security issues CVE-2022-37436, CVE-2022-36760, CVE-2006-20001
Source RPM: (none) => apache-2.4.54-1.1.mga8.src.rpm

Comment 3 Herman Viaene 2023-01-19 14:37:48 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Tested by accessing localhost in browser: It works!
Connected phpmyadmin and created and deleted a new database.
Loaded my genealogic info as webpages made by gramps, made sure /etc/httpd/conf/httpd.conf pointed to the correct Document root, accessed it locally from localhost. Opened port 80 in firewall and accessed the same info on the laptop from my desktop PC. I was able to navigate in the family tree (lots of files in it), all works OK.
Waiting for others to confirm.

CC: (none) => herman.viaene

Comment 4 PC LX 2023-01-23 01:53:41 CET
Installed and tested without issues.

Tested for four days with several sites and scripts installed.

Tested:
- systemd socket activation;
- server status, info;
- custom logs;
- HTTP 1.1 and 2;
- HTTP 1.1 upgrade to HTTP 2;
- HTTPS with SNI;
- Let's Encrypt SSL signed certificates;
- SSL test using sslscan and https://www.ssllabs.com/ssltest/;
- multiple sites resolution by IP and host name;
- PHP through FPM;
- PHP scripts;
- mod_rewrite;
- mod_security;
- mod_proxy;
- mod_alias.



System: Mageia 8, x86_64, AMD CPU.



$ uname -a
Linux jupiter 6.1.6-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Jan 14 13:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep apache.*2.4.55 | sort
apache-2.4.55-1.mga8
apache-mod_http2-2.4.55-1.mga8
apache-mod_proxy-2.4.55-1.mga8
apache-mod_ssl-2.4.55-1.mga8
$ systemctl status httpd.socket httpd.service
● httpd.socket - httpd server activation socket
     Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
     Active: active (running) since Sun 2023-01-22 10:13:17 WET; 14h ago
   Triggers: ● httpd.service
     Listen: [::]:80 (Stream)
             [::]:443 (Stream)
      Tasks: 0 (limit: 37625)
     Memory: 8.0K
        CPU: 380us
     CGroup: /system.slice/httpd.socket

jan 22 10:13:17 jupiter systemd[1]: Listening on httpd server activation socket.

● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-01-23 00:40:41 WET; 12min ago
TriggeredBy: ● httpd.socket
   Main PID: 43759 (httpd)
     Status: "Total requests: 1933; Idle/Busy workers 100/0;Requests/sec: 2.62; Bytes served/sec: 211KB/sec"
      Tasks: 54 (limit: 37625)
     Memory: 79.3M
        CPU: 1.236s
     CGroup: /system.slice/httpd.service
             ├─43759 /usr/sbin/httpd -DFOREGROUND
             ├─43770 /usr/sbin/httpd -DFOREGROUND
             └─43772 /usr/sbin/httpd -DFOREGROUND

jan 23 00:40:41 jupiter systemd[1]: Starting The Apache HTTP Server...
jan 23 00:40:41 jupiter systemd[1]: Started The Apache HTTP Server.

CC: (none) => mageia

Comment 5 Brian Rockwell 2023-01-26 04:40:08 CET
This box is running nextcloud 25

# uname -a
Linux localhost 5.15.88-desktop-1.mga8 #1 SMP Sat Jan 14 15:00:41 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux



The following 2 packages are going to be installed:

- apache-2.4.55-1.mga8.x86_64
- apache-mod_ssl-2.4.55-1.mga8.x86_64

8.8KB of additional disk space will be used.


restarted httpd service

from command line

# httpd -v
Server version: Apache/2.4.55 (Unix)
Server built:   Jan 18 2023 14:31:04


installed nextcloud on 2.4.54 then upgraded to 2.4.55.  Things are working as expected.

CC: (none) => brtians1

Comment 6 PC LX 2023-01-26 13:35:59 CET
This update has been working without issues for a week so I'm giving it the OK to push it forward. Please undo if appropriate.

Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2023-01-26 14:32:26 CET
Validating. Advisory in comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 David Walser 2023-02-01 17:09:02 CET
Ubuntu has issued an advisory for this today (January 1):
https://ubuntu.com/security/notices/USN-5839-1
Dave Hodgins 2023-02-06 22:21:08 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2023-02-07 01:08:39 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0032.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
