Bug 31644 - apache new security issues CVE-2023-27522 and CVE-2023-25690
Summary: apache new security issues CVE-2023-27522 and CVE-2023-25690
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-03-07 14:20 CET by Stig-Ørjan Smelror
Modified: 2023-03-18 23:18 CET

See Also:
Source RPM: apache-2.4.55-1.mga8.src.rpm
CVE: CVE-2023-27522, CVE-2023-25690
Status comment:


Description Stig-Ørjan Smelror 2023-03-07 14:20:40 CET
The Apache Foundation has released version 2.4.56 which fixes two security issues.

https://downloads.apache.org/httpd/CHANGES_2.4.56
Comment 1 Stig-Ørjan Smelror 2023-03-07 14:24:29 CET
Cauldron has been updated

CVE: (none) => CVE-2023-27522, CVE-2023-25690

Comment 2 Stig-Ørjan Smelror 2023-03-07 14:36:24 CET
Advisory
========
Apache has been updated to version 2.4.56 to fix 2 critical security issues.

CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting (cve.mitre.org)
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.
Special characters in the origin response header can truncate/split the response forwarded to the client.

CVE-2023-25690: HTTP request splitting with mod_rewrite and mod_proxy (cve.mitre.org)
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.
For example, something like:
     RewriteEngine on
     RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
     ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.

References
==========
https://downloads.apache.org/httpd/CHANGES_2.4.56


Files
=====

Uploaded to core/updates_testing

apache-mod_proxy-2.4.56-1.mga8 
apache-devel-2.4.56-1.mga8 
apache-mod_http2-2.4.56-1.mga8 
apache-mod_ssl-2.4.56-1.mga8 
apache-mod_dav-2.4.56-1.mga8 
apache-mod_cache-2.4.56-1.mga8 
apache-mod_session-2.4.56-1.mga8 
apache-mod_proxy_html-2.4.56-1.mga8 
apache-mod_dbd-2.4.56-1.mga8 
apache-mod_ldap-2.4.56-1.mga8 
apache-htcacheclean-2.4.56-1.mga8 
apache-mod_userdir-2.4.56-1.mga8 
apache-mod_brotli-2.4.56-1.mga8 
apache-mod_suexec-2.4.56-1.mga8 
apache-2.4.56-1.mga8 
apache-doc-2.4.56-1.mga8

from apache-2.4.56-1.mga8.src.rpm

Assignee: smelror => qa-bugs
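
The affected configuration shape described in the CVE-2023-25690 text of comment 2 can be searched for on hosts that have not yet received 2.4.56. The following is an added example, not part of the bug report or of Apache's own tooling: a heuristic scanner that flags RewriteRule directives with the [P] flag and ProxyPassMatch directives whose broad capture group is re-inserted into the proxied target through $N. The sample configuration, the function names and the regular expression used to decide what counts as a "non-specific" pattern are assumptions.

```python
import re
import shlex

# Heuristic for a "non-specific" capture: an unescaped "(" group containing .* or .+
BROAD_CAPTURE = re.compile(r"(?<!\\)\((?!\?)[^()]*?(?<!\\)\.[*+]")
BACKREF = re.compile(r"\$\d")  # $1..$9 re-inserted into the target

def is_proxy_flag(flags):
    """True if a RewriteRule flag list such as "[P,L]" contains P or proxy."""
    names = {f.strip().split("=")[0].lower() for f in flags.strip("[]").split(",")}
    return bool(names & {"p", "proxy"})

def audit(config_text):
    """Return (line_no, directive, pattern) for directives of the affected shape."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # posix=False keeps regex backslashes intact; quotes are stripped below
            tok = [t.strip("\"'") for t in shlex.split(line, posix=False)]
        except ValueError:  # unbalanced quotes: not parseable here
            continue
        name = tok[0].lower()
        if name == "rewriterule" and len(tok) >= 4:
            pattern, target, proxied = tok[1], tok[2], is_proxy_flag(tok[3])
        elif name == "proxypassmatch" and len(tok) >= 3:
            pattern, target, proxied = tok[1], tok[2], True
        else:
            continue
        if proxied and BROAD_CAPTURE.search(pattern) and BACKREF.search(target):
            findings.append((no, tok[0], pattern))
    return findings

# Constructed sample configuration (not taken from any real host)
SAMPLE = """\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
RewriteRule "^/docs/(.*)" "/manual/$1" [L]
RewriteRule "^/api/([A-Za-z0-9/_-]+)$" "http://example.com:8080/api/$1" [P,L]
ProxyPassMatch "^/img/(.*)$" "http://example.com:8080/static/$1"
"""

if __name__ == "__main__":
    for no, directive, pattern in audit(SAMPLE):
        print(f"line {no}: {directive} re-inserts broad capture {pattern!r}")
```

A finding means the directive matches the shape the advisory describes and deserves review; a directive that is not flagged is not thereby shown to be safe, and the fix remains the update to 2.4.56.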

Comment 3 David Walser 2023-03-07 17:19:22 CET
Thanks Stig-Ørjan!

Announcement and vulnerability references:
https://downloads.apache.org/httpd/Announcement2.4.html
https://httpd.apache.org/security/vulnerabilities_24.html

Summary: Apache Security issues - CVE-2023-27522 and CVE-2023-25690 => apache new security issues CVE-2023-27522 and CVE-2023-25690
Severity: normal => major
Source RPM: (none) => apache-2.4.55-1.mga8.src.rpm

PC LX 2023-03-08 22:38:34 CET

CC: (none) => mageia

Comment 4 David Walser 2023-03-09 17:57:18 CET
Ubuntu has issued an advisory for this today (March 9):
https://ubuntu.com/security/notices/USN-5942-1
Comment 5 Herman Viaene 2023-03-10 10:16:42 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Tested by accessing localhost in browser: It works!
Connected phpmyadmin and created and deleted a new database.
Loaded my genealogic info as webpages made by gramps, /etc/httpd/conf/httpd.conf still pointed to the correct Document root as from previous updates test, accessed it locally from localhost. Opened port 80 in firewall and accessed the same info on the laptop from my desktop PC. I was able to navigate in the family tree (lots of files in it), all works OK.
For me good enough, awaiting more tests from others.

CC: (none) => herman.viaene

Comment 6 Brian Rockwell 2023-03-10 20:23:41 CET
This box is running nextcloud 25

The following 2 packages are going to be installed:

- apache-2.4.56-1.mga8.x86_64
- apache-mod_ssl-2.4.56-1.mga8.x86_64

6.9KB of additional disk space will be used.

Stopped httpd service

restarted httpd service

from command line

# httpd -v
Server version: Apache/2.4.56 (Unix)
Server built:   Mar  7 2023 13:24:10

I verified nextcloud is running properly and configuration is intact.

Working for me

CC: (none) => brtians1

Comment 7 PC LX 2023-03-13 18:55:54 CET
Installed and tested without issues.

Tested for five days with several sites and scripts installed.

Tested:
- systemd socket activation;
- server status;
- server info;
- custom logs;
- IPv4 and IPv6;
- HTTPS with SNI;
- Let's Encrypt SSL signed certificates;
- SSL test using sslscan and https://www.ssllabs.com/ssltest/;
- multiple sites resolution by IP and host name;
- HTTP 1.1 and 2;
- HTTP 1.1 upgrade to HTTP 2;
- PHP through FPM;
- PHP scripts;
- mod_rewrite;
- mod_security;
- mod_proxy;
- mod_alias.



System: Mageia 8, x86_64, AMD CPU.



$ uname -a
Linux jupiter 6.1.15-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Mar  4 11:14:54 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep apache.*2.4.56 | sort
apache-2.4.56-1.mga8
apache-mod_http2-2.4.56-1.mga8
apache-mod_proxy-2.4.56-1.mga8
apache-mod_ssl-2.4.56-1.mga8
$ systemctl status httpd.socket httpd.service
● httpd.socket - httpd server activation socket
     Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-03-13 09:56:16 WET; 7h ago
   Triggers: ● httpd.service
     Listen: [::]:80 (Stream)
             [::]:443 (Stream)
      Tasks: 0 (limit: 37622)
     Memory: 8.0K
        CPU: 521us
     CGroup: /system.slice/httpd.socket

mar 13 09:56:16 jupiter systemd[1]: Listening on httpd server activation socket.

● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-03-13 10:33:04 WET; 7h ago
TriggeredBy: ● httpd.socket
   Main PID: 7129 (httpd)
     Status: "Total requests: 1033; Idle/Busy workers 100/0;Requests/sec: 0.0389; Bytes served/sec: 3.7KB/sec"
      Tasks: 54 (limit: 37622)
     Memory: 133.1M
        CPU: 2.734s
     CGroup: /system.slice/httpd.service
             ├─7129 /usr/sbin/httpd -DFOREGROUND
             ├─7130 /usr/sbin/httpd -DFOREGROUND
             └─7131 /usr/sbin/httpd -DFOREGROUND

mar 13 10:33:04 jupiter systemd[1]: Starting The Apache HTTP Server...
mar 13 10:33:04 jupiter systemd[1]: Started The Apache HTTP Server.
Comment 8 Herman Viaene 2023-03-16 15:45:16 CET
No further reaction. Since then httpd has been used in other updates without problems, so good enough.

Whiteboard: (none) => MGA8-64-OK

Comment 9 Thomas Andrews 2023-03-16 19:45:17 CET
Thanks, Everybody!

Validating. Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-17 23:26:46 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 10 Mageia Robot 2023-03-18 23:18:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0100.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

