*) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds (cve.mitre.org)
   Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an
   attacker to overwrite heap memory with possibly attacker-provided data.
   This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.
   Credits: Ronald Crane (Zippenhop LLC)

*) SECURITY: CVE-2022-22721: core: Possible buffer overflow with very large or
   unlimited LimitXMLRequestBody (cve.mitre.org)
   If LimitXMLRequestBody is set to allow request bodies larger than 350MB
   (defaults to 1M) on 32-bit systems an integer overflow happens which later
   causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52
   and earlier.
   Credits: Anonymous working with Trend Micro Zero Day Initiative

*) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability in Apache
   HTTP Server 2.4.52 and earlier (cve.mitre.org)
   Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when
   errors are encountered discarding the request body, exposing the server to
   HTTP Request Smuggling.
   Credits: James Kettle <james.kettle portswigger.net>

*) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value in r:parsebody
   (cve.mitre.org)
   A carefully crafted request body can cause a read to a random memory area
   which could cause the process to crash. This issue affects Apache HTTP
   Server 2.4.52 and earlier.
   Credits: Chamal De Silva
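Two of the entries above are version-only (update and you are done), but CVE-2022-22721 also depends on configuration: the overflow only arises on a 32-bit build when LimitXMLRequestBody is raised above the advisory's 350MB figure or set to 0 (unlimited). The following audit helper is an added example written for this bug report, not code from the Apache project or the Gentoo maintainers. It assumes an httpd.conf-style text input and treats "350MB" as 350 * 1024 * 1024 bytes (an assumption; the advisory gives no exact byte count). The sample configuration is constructed.

```python
"""Audit helper: is the installed httpd version in the affected range, and does the
config meet the CVE-2022-22721 precondition (LimitXMLRequestBody unlimited or very
large on a 32-bit build)?  Added example, not part of the Gentoo bug or the
Apache CHANGES text."""
import re

FIXED_VERSION = (2, 4, 53)                    # first release carrying the four fixes above
LIMIT_XML_DEFAULT = 1_000_000                 # httpd default for LimitXMLRequestBody ("1M")
LIMIT_XML_32BIT_THRESHOLD = 350 * 1024 * 1024 # assumption: advisory's "350MB" read as MiB

# LimitXMLRequestBody takes a plain byte count; lines starting with '#' are comments
# and must not match, so the anchor is the start of the line, not the directive name.
DIRECTIVE_RE = re.compile(r"^\s*LimitXMLRequestBody\s+(\d+)\s*$",
                          re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """'2.4.52' -> (2, 4, 52); a distro suffix such as '-r1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised httpd version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True for 2.4.52 and earlier, the range named in all four advisory entries."""
    return parse_version(version) < FIXED_VERSION


def xml_body_limits(config_text):
    """Every LimitXMLRequestBody value (bytes) in the config, in file order.
    httpd treats 0 as 'unlimited'; it is returned as 0 here."""
    return [int(m.group(1)) for m in DIRECTIVE_RE.finditer(config_text)]


def risky_xml_limits(config_text, is_32bit):
    """Values meeting the CVE-2022-22721 precondition: unlimited (0) or above the
    ~350MB threshold.  The advisory scopes the overflow to 32-bit systems, so the
    check returns [] for other builds."""
    if not is_32bit:
        return []
    return [v for v in xml_body_limits(config_text)
            if v == 0 or v > LIMIT_XML_32BIT_THRESHOLD]


def audit(version, config_text, is_32bit):
    """Collect the findings a maintainer would want before deciding on the bump."""
    findings = []
    if is_affected_version(version):
        findings.append(f"httpd {version} predates 2.4.53: update "
                        "(CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)")
    for v in risky_xml_limits(config_text, is_32bit):
        findings.append(f"LimitXMLRequestBody {v} on a 32-bit build meets the "
                        "CVE-2022-22721 overflow precondition; lower it until updated")
    return findings


# Constructed sample configuration; not taken from any real deployment.
SAMPLE_CONF = """\
ServerName example.test
# LimitXMLRequestBody 999999999   commented out, must be ignored
LimitXMLRequestBody 1000000
<VirtualHost *:8080>
    LimitXMLRequestBody 0
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in audit("2.4.52", SAMPLE_CONF, is_32bit=True):
        print(finding)
```

Run as a script it reports two findings for the sample (the version and the unlimited vhost setting); the commented-out line is skipped, and a 64-bit build only gets the version finding.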
Please bump to 2.4.53.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6702959733ce8fd21a656f3bd9d1792b4700b19c

commit 6702959733ce8fd21a656f3bd9d1792b4700b19c
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2022-03-14 16:24:01 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2022-03-14 16:24:01 +0000

    www-servers/apache: add 2.4.53

    Bug: https://bugs.gentoo.org/835131
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/apache/Manifest             |   1 +
 www-servers/apache/apache-2.4.53.ebuild | 259 ++++++++++++++++++++++++++++++++
 2 files changed, 260 insertions(+)
Not changed yet:

*) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x)
   for regular expression evaluation. This depends on locating pcre2-config.
   [William Rowe, Petr Pisar <ppisar redhat.com>, Rainer Jung]

This will require changes in the apache-2.eclass and is probably best left for a non-security revision.
(In reply to Hans de Graaff from comment #3)
> Not changed yet:
>
> *) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x)
>    for regular expression evaluation. This depends on locating
>    pcre2-config.
>    [William Rowe, Petr Pisar <ppisar redhat.com>, Rainer Jung]
>
> This will require changes in the apache-2.eclass and is probably best left
> for a non-security revision.

Thanks! Filed that bit as bug 835151 too so we don't forget.
Please clean up, thanks!
commit efdc96d17e9a8468e478d351b8546a2526f24a2c
Author: Conrad Kostecki <conikost@gentoo.org>
Date:   Sat Jul 9 22:44:47 2022 +0200

    www-servers/apache: drop 2.4.53, 2.4.53-r1
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7809350d99ef042a9f97a7a6edcb9ca5c28db476

commit 7809350d99ef042a9f97a7a6edcb9ca5c28db476
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 00:09:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-14 00:11:42 +0000

    [ GLSA 202208-20 ] Apache HTTPD: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/813429
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/816864
    Bug: https://bugs.gentoo.org/829722
    Bug: https://bugs.gentoo.org/835131
    Bug: https://bugs.gentoo.org/850622
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-20.xml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
GLSA released, all done!