Hi,

On Sat, Mar 18, 2023 at 05:42:40PM +0000, Adam D. Barratt wrote:
> On Wed, 2023-01-18 at 11:25 +0400, Yadd wrote:
> > Apache2 has 3 new security issues:
> >
> > * CVE-2006-20001: mod_dav out of bounds read, or write of zero byte.
> >   A carefully crafted If: request header can cause a memory read, or write
> >   of a single zero byte, in a pool (heap) memory location beyond the header
> >   value sent. This could cause the process to crash.
> >
> > * CVE-2022-36760: mod_proxy_ajp Possible request smuggling.
> >   Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
> >   vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker
> >   to smuggle requests to the AJP server it forwards requests to.
> >
> > * CVE-2022-37436: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP
> >   response splitting.
> >   A malicious backend can cause the response headers to be truncated early,
> >   resulting in some headers being incorporated into the response body. If
> >   the later headers have any security purpose, they will not be interpreted
> >   by the client.
>
> Apologies for letting this fall through the cracks until now.
>
> From comments in #1032977, it sounds as if this request has been
> effectively superseded by an impending DSA release?

Yes, there will be a DSA release for apache2 based on 2.4.56 upstream
(versioned 2.4.56-1~deb11u1), which will include those changes as well.

Regards,
Salvatore