The Apache Foundation has released version 2.4.56 which fixes two security issues. https://downloads.apache.org/httpd/CHANGES_2.4.56
Cauldron has been updated
CVE: (none) => CVE-2023-27522, CVE-2023-25690
Advisory
========

Apache has been updated to version 2.4.56 to fix 2 critical security issues.

CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting (cve.mitre.org)
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi.
This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.
Special characters in the origin response header can truncate/split the response forwarded to the client.

CVE-2023-25690: HTTP request splitting with mod_rewrite and mod_proxy (cve.mitre.org)
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.
For example, something like:

RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.

References
==========
https://downloads.apache.org/httpd/CHANGES_2.4.56

Files
=====
Uploaded to core/updates_testing

apache-mod_proxy-2.4.56-1.mga8
apache-devel-2.4.56-1.mga8
apache-mod_http2-2.4.56-1.mga8
apache-mod_ssl-2.4.56-1.mga8
apache-mod_dav-2.4.56-1.mga8
apache-mod_cache-2.4.56-1.mga8
apache-mod_session-2.4.56-1.mga8
apache-mod_proxy_html-2.4.56-1.mga8
apache-mod_dbd-2.4.56-1.mga8
apache-mod_ldap-2.4.56-1.mga8
apache-htcacheclean-2.4.56-1.mga8
apache-mod_userdir-2.4.56-1.mga8
apache-mod_brotli-2.4.56-1.mga8
apache-mod_suexec-2.4.56-1.mga8
apache-2.4.56-1.mga8
apache-doc-2.4.56-1.mga8

from apache-2.4.56-1.mga8.src.rpm
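As an added illustration (not part of the advisory, the CVE text or the Mageia package), here is the affected rule shape quoted above next to a tightened variant of the same rule. The hostnames and ports are the advisory's placeholders; the restricted character class is an assumption chosen for the illustration. The actual fix is the 2.4.56 upgrade; narrowing the capture is only defence in depth, and it also stops matching any legitimate target that falls outside the class.

```apache
# Added example, not from the advisory. example.com:8080 is a placeholder.

# Affected shape, as quoted in the advisory: "(.*)" is a non-specific pattern,
# so whatever the client sends after /here/ is substituted into the proxied
# request-target through $1 and forwarded by the [P] (proxy) flag.
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/

# Tightened variant (use instead of, not in addition to, the rule above; an
# assumed hardening on top of upgrading to 2.4.56): the capture admits only an
# explicit character class and must consume the whole path, so a request-target
# carrying anything else (control characters, separators, a second path) does
# not match this rule and is never re-inserted into a proxied request.
RewriteRule "^/here/([A-Za-z0-9_.-]+)$" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
```

After editing, `apachectl -t` checks the configuration syntax before a restart, and `httpd -v` confirms the installed server version, which is the acceptance check the testers in this thread rely on.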
Assignee: smelror => qa-bugs
Thanks Stig-Ørjan! Announcement and vulnerability references: https://downloads.apache.org/httpd/Announcement2.4.html https://httpd.apache.org/security/vulnerabilities_24.html
Summary: Apache Security issues - CVE-2023-27522 and CVE-2023-25690 => apache new security issues CVE-2023-27522 and CVE-2023-25690
Severity: normal => major
Source RPM: (none) => apache-2.4.55-1.mga8.src.rpm
CC: (none) => mageia
Ubuntu has issued an advisory for this today (March 9): https://ubuntu.com/security/notices/USN-5942-1
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Tested by accessing localhost in browser: It works!
Connected phpmyadmin and created and deleted a new database.
Loaded my genealogical info as webpages made by gramps, /etc/httpd/conf/httpd.conf still pointed to the correct Document root as from previous updates test, accessed it locally from localhost.
Opened port 80 in firewall and accessed the same info on the laptop from my desktop PC. I was able to navigate in the family tree (lots of files in it), all works OK.
For me good enough, awaiting more tests from others.
CC: (none) => herman.viaene
This box is running nextcloud 25

The following 2 packages are going to be installed:

- apache-2.4.56-1.mga8.x86_64
- apache-mod_ssl-2.4.56-1.mga8.x86_64

6.9KB of additional disk space will be used.

Stopped httpd service
restarted httpd service from command line

# httpd -v
Server version: Apache/2.4.56 (Unix)
Server built:   Mar  7 2023 13:24:10

I verified nextcloud is running properly and configuration is intact.
Working for me
CC: (none) => brtians1
Installed and tested without issues.
Tested for five days with several sites and scripts installed.

Tested:
- systemd socket activation;
- server status;
- server info;
- custom logs;
- IPv4 and IPv6;
- HTTPS with SNI;
- Lets Encrypt SSL signed certificates;
- SSL test using sslscan and https://www.ssllabs.com/ssltest/;
- multiple sites resolution by IP and host name;
- HTTP 1.1 and 2;
- HTTP 1.1 upgrade to HTTP 2;
- PHP through FPM;
- PHP scripts;
- mod_rewrite;
- mod_security;
- mod_proxy;
- mod_alias.

System: Mageia 8, x86_64, AMD CPU.

$ uname -a
Linux jupiter 6.1.15-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Mar 4 11:14:54 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep apache.*2.4.56 | sort
apache-2.4.56-1.mga8
apache-mod_http2-2.4.56-1.mga8
apache-mod_proxy-2.4.56-1.mga8
apache-mod_ssl-2.4.56-1.mga8

$ systemctl status httpd.socket httpd.service
● httpd.socket - httpd server activation socket
     Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-03-13 09:56:16 WET; 7h ago
   Triggers: ● httpd.service
     Listen: [::]:80 (Stream)
             [::]:443 (Stream)
      Tasks: 0 (limit: 37622)
     Memory: 8.0K
        CPU: 521us
     CGroup: /system.slice/httpd.socket

mar 13 09:56:16 jupiter systemd[1]: Listening on httpd server activation socket.

● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-03-13 10:33:04 WET; 7h ago
TriggeredBy: ● httpd.socket
   Main PID: 7129 (httpd)
     Status: "Total requests: 1033; Idle/Busy workers 100/0;Requests/sec: 0.0389; Bytes served/sec: 3.7KB/sec"
      Tasks: 54 (limit: 37622)
     Memory: 133.1M
        CPU: 2.734s
     CGroup: /system.slice/httpd.service
             ├─7129 /usr/sbin/httpd -DFOREGROUND
             ├─7130 /usr/sbin/httpd -DFOREGROUND
             └─7131 /usr/sbin/httpd -DFOREGROUND

mar 13 10:33:04 jupiter systemd[1]: Starting The Apache HTTP Server...
mar 13 10:33:04 jupiter systemd[1]: Started The Apache HTTP Server.
No further reaction. Since then httpd has been used in other updates without problems, so good enough.
Whiteboard: (none) => MGA8-64-OK
Thanks, Everybody! Validating. Advisory in comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0100.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED