Bug 31644 - apache new security issues CVE-2023-27522 and CVE-2023-25690
Summary: apache new security issues CVE-2023-27522 and CVE-2023-25690
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2023-03-07 14:20 CET by Stig-Ørjan Smelror
Modified: 2023-03-18 23:18 CET (History)
6 users (show)

See Also:
Source RPM: apache-2.4.55-1.mga8.src.rpm
CVE: CVE-2023-27522, CVE-2023-25690
Status comment:


Description Stig-Ørjan Smelror 2023-03-07 14:20:40 CET
The Apache Foundation has released version 2.4.56 which fixes two security issues.

Comment 1 Stig-Ørjan Smelror 2023-03-07 14:24:29 CET
Cauldron has been updated

CVE: (none) => CVE-2023-27522, CVE-2023-25690

Comment 2 Stig-Ørjan Smelror 2023-03-07 14:36:24 CET
Apache has been updated to version 2.4.56 to fix 2 critical security issues.

CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting (cve.mitre.org)
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.
Special characters in the origin response header can truncate/split the response forwarded to the client.

CVE-2023-25690: HTTP request splitting with mod_rewrite and mod_proxy (cve.mitre.org)
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.
For example, something like:
     RewriteEngine on
     RewriteRule "^/here/(.*)" "
     http://example.com:8080/elsewhere ; [P]
     ProxyPassReverse /here/  http://example.com:8080/
Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.



Uploaded to core/updates_testing


from apache-2.4.56-1.mga8.src.rpm

Assignee: smelror => qa-bugs

Comment 3 David Walser 2023-03-07 17:19:22 CET
Thanks Stig-Ørjan!

Announcement and vulnerability references:

Summary: Apache Security issues - CVE-2023-27522 and CVE-2023-25690 => apache new security issues CVE-2023-27522 and CVE-2023-25690
Severity: normal => major
Source RPM: (none) => apache-2.4.55-1.mga8.src.rpm

PC LX 2023-03-08 22:38:34 CET

CC: (none) => mageia

Comment 4 David Walser 2023-03-09 17:57:18 CET
Ubuntu has issued an advisory for this today (March 9):
Comment 5 Herman Viaene 2023-03-10 10:16:42 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Tested by accessing localhost in browser: It works!
Connected phpmyadmin and created and deleted a new database.
Loaded my genealogic info as webpages made by gramps , /etc/httpd/conf/htppd.conf sill pointed to the correct Document root as from previous updates test, accessed it locally from localhost. Opened port 80 in firewall and accessed the same info on the laptop from my desktop PC. I was able to navigate in the family tree (lots of files in it), all works OK.
For me good enough, awaiting more tests from others.

CC: (none) => herman.viaene

Comment 6 Brian Rockwell 2023-03-10 20:23:41 CET
This box is running nextcloud 25

The following 2 packages are going to be installed:

- apache-2.4.56-1.mga8.x86_64
- apache-mod_ssl-2.4.56-1.mga8.x86_64

6.9KB of additional disk space will be used.

Stopped httpd service

restarted httpd service

from command line

# httpd -v
Server version: Apache/2.4.56 (Unix)
Server built:   Mar  7 2023 13:24:10

I verified nextcloud is running properly and configuration is intact.

Working for me

CC: (none) => brtians1

Comment 7 PC LX 2023-03-13 18:55:54 CET
Installed and tested without issues.

Tested for five days with several sites and scripts installed.

- systemd socket activation;
- server status;
- server info;
- custom logs;
- IPv4 and IPv6;
- HTTPS with SNI;
- Lets Encrypt SSL signed certificates;
- SSL test using sslscan and https://www.ssllabs.com/ssltest/;
- multiple sites resolution by IP and host name;
- HTTP 1.1 and 2;
- HTTP 1.1 upgrade to HTTP 2;
- PHP through FPM;
- PHP scripts;
- mod_rewrite;
- mod_security;
- mod_proxy;
- mod_alias.

System: Mageia 8, x86_64, AMD CPU.

$ uname -a
Linux jupiter 6.1.15-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Mar  4 11:14:54 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep apache.*2.4.56 | sort
$ systemctl status httpd.socket httpd.service
● httpd.socket - httpd server activation socket
     Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-03-13 09:56:16 WET; 7h ago
   Triggers: ● httpd.service
     Listen: [::]:80 (Stream)
             [::]:443 (Stream)
      Tasks: 0 (limit: 37622)
     Memory: 8.0K
        CPU: 521us
     CGroup: /system.slice/httpd.socket

mar 13 09:56:16 jupiter systemd[1]: Listening on httpd server activation socket.

● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-03-13 10:33:04 WET; 7h ago
TriggeredBy: ● httpd.socket
   Main PID: 7129 (httpd)
     Status: "Total requests: 1033; Idle/Busy workers 100/0;Requests/sec: 0.0389; Bytes served/sec: 3.7KB/sec"
      Tasks: 54 (limit: 37622)
     Memory: 133.1M
        CPU: 2.734s
     CGroup: /system.slice/httpd.service
             ├─7129 /usr/sbin/httpd -DFOREGROUND
             ├─7130 /usr/sbin/httpd -DFOREGROUND
             └─7131 /usr/sbin/httpd -DFOREGROUND

mar 13 10:33:04 jupiter systemd[1]: Starting The Apache HTTP Server...
mar 13 10:33:04 jupiter systemd[1]: Started The Apache HTTP Server.
Comment 8 Herman Viaene 2023-03-16 15:45:16 CET
No further reaction. Since then httpd has been used in other updates without problems, so goeed enough.

Whiteboard: (none) => MGA8-64-OK

Comment 9 Thomas Andrews 2023-03-16 19:45:17 CET
Thanks, Everybody!

Validating. Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-17 23:26:46 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 10 Mageia Robot 2023-03-18 23:18:30 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.