
Bug 835131 (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)

Summary: <www-servers/apache-2.4.53: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: apache-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 830888, 835150
Bug Blocks:

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-14 10:47:10 UTC
  *) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
     (cve.mitre.org)
     Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
     Server allows an attacker to overwrite heap memory with possibly
     attacker provided data.
     This issue affects Apache HTTP Server 2.4 version 2.4.52 and
     prior versions.
     Credits: Ronald Crane (Zippenhop LLC)

  *) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
     very large or unlimited LimitXMLRequestBody (cve.mitre.org)
     If LimitXMLRequestBody is set to allow request bodies larger
     than 350MB (defaults to 1M) on 32 bit systems an integer
     overflow happens which later causes out of bounds writes.
     This issue affects Apache HTTP Server 2.4.52 and earlier.
     Credits: Anonymous working with Trend Micro Zero Day Initiative

  *) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
     in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
     Apache HTTP Server 2.4.52 and earlier fails to close inbound
     connection when errors are encountered discarding the request
     body, exposing the server to HTTP Request Smuggling
     Credits: James Kettle <james.kettle portswigger.net>

  *) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of
     in r:parsebody (cve.mitre.org)
     A carefully crafted request body can cause a read to a random
     memory area which could cause the process to crash.
     This issue affects Apache HTTP Server 2.4.52 and earlier.
     Credits: Chamal De Silva
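The CVE-2022-22721 entry above gives an admin two concrete things to check: whether the running httpd is older than 2.4.53, and whether any LimitXMLRequestBody directive raises the limit past the 350MB mark (or sets it to 0, which Apache treats as unlimited) on a 32-bit build. The script below is an added triage example written for this bug page; it is not Gentoo's, Apache's, or the reporter's code. It assumes "350MB" means 350 * 1024 * 1024 bytes, that LimitXMLRequestBody takes a plain byte count, and that the config text has already been read from disk (Include files are not followed). The sample configuration inside it is constructed.

```python
"""Triage helpers for the Apache HTTPD fixes tracked in Gentoo bug 835131.

Added example for this page, not code from Gentoo or the Apache project.
Assumptions (see the lead-in): "350MB" is read as 350 MiB, the directive
takes a plain byte count with 0 meaning unlimited, and Include directives
are not followed.
"""
import re
from dataclasses import dataclass

FIXED_VERSION = (2, 4, 53)               # first release carrying all four fixes
DEFAULT_LIMIT = 1_000_000                # "defaults to 1M" in the CHANGES entry
OVERFLOW_THRESHOLD = 350 * 1024 * 1024   # assumption: "350MB" taken as MiB

DIRECTIVE_RE = re.compile(r"^\s*LimitXMLRequestBody\s+(\d+)\s*$", re.IGNORECASE)
SECTION_OPEN_RE = re.compile(r"^\s*<([^/>][^>]*)>\s*$")
SECTION_CLOSE_RE = re.compile(r"^\s*</[^>]+>\s*$")


@dataclass
class Finding:
    line_no: int   # line in the config text
    context: str   # enclosing section header, or "server config"
    value: int     # the configured byte count
    reason: str


def parse_version(text: str) -> tuple:
    """Pull 'Apache/2.4.52' out of a Server header or `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Apache version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def needs_update(version_text: str) -> bool:
    """True when the reported version predates 2.4.53."""
    return parse_version(version_text) < FIXED_VERSION


def audit_limit_xml_request_body(config_text: str, bits: int = 32) -> list:
    """Flag LimitXMLRequestBody values that trigger the 32-bit overflow.

    Returns an empty list on 64-bit builds, where the CHANGES entry says
    the overflow does not occur, and when the directive is absent (the
    1M default is well under the threshold).
    """
    if bits != 32:
        return []
    findings = []
    stack = []  # open <Section ...> headers, innermost last
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue  # Apache comments are whole lines only
        if SECTION_CLOSE_RE.match(raw):
            if stack:
                stack.pop()
            continue
        if m := SECTION_OPEN_RE.match(raw):
            stack.append(m.group(1).strip())
            continue
        if m := DIRECTIVE_RE.match(raw):
            value = int(m.group(1))
            context = " > ".join(stack) or "server config"
            if value == 0:
                findings.append(Finding(line_no, context, value,
                                        "0 means unlimited"))
            elif value > OVERFLOW_THRESHOLD:
                findings.append(Finding(line_no, context, value,
                                        f"{value} bytes exceeds {OVERFLOW_THRESHOLD}"))
    return findings


# Constructed sample config fragment, not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sample httpd.conf fragment
LimitXMLRequestBody 1000000
<VirtualHost *:443>
    # 0 means unlimited
    LimitXMLRequestBody 0
</VirtualHost>
<Directory "/srv/upload">
    LimitXMLRequestBody 524288000
</Directory>
"""

if __name__ == "__main__":
    print("update needed:", needs_update("Server: Apache/2.4.52 (Unix)"))
    for f in audit_limit_xml_request_body(SAMPLE_CONFIG):
        print(f"line {f.line_no} [{f.context}]: LimitXMLRequestBody {f.value} ({f.reason})")
```

On a Gentoo host the version text can come from `/usr/sbin/apache2 -v`; the audit is only meaningful on 32-bit installs, which is why the `bits` argument short-circuits the scan otherwise.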
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-14 10:47:55 UTC
Please bump to 2.4.53.
Comment 2 Larry the Git Cow gentoo-dev 2022-03-14 16:24:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6702959733ce8fd21a656f3bd9d1792b4700b19c

commit 6702959733ce8fd21a656f3bd9d1792b4700b19c
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2022-03-14 16:24:01 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2022-03-14 16:24:01 +0000

    www-servers/apache: add 2.4.53
    
    Bug: https://bugs.gentoo.org/835131
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/apache/Manifest             |   1 +
 www-servers/apache/apache-2.4.53.ebuild | 259 ++++++++++++++++++++++++++++++++
 2 files changed, 260 insertions(+)
Comment 3 Hans de Graaff gentoo-dev 2022-03-14 16:29:56 UTC
Not changed yet:

  *) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x)
     for regular expression evaluation. This depends on locating pcre2-config.
     [William Rowe, Petr Pisar <ppisar redhat.com>, Rainer Jung]

This will require changes in the apache-2.eclass and is probably best left for a non-security revision.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-14 16:36:51 UTC
(In reply to Hans de Graaff from comment #3)
> Not changed yet:
> 
>   *) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x)
>      for regular expression evaluation. This depends on locating pcre2-config.
>      [William Rowe, Petr Pisar <ppisar redhat.com>, Rainer Jung]
> 
> This will require changes in the apache-2.eclass and is probably best left
> for a non-security revision.

Thanks! Filed that bit as bug 835151 too so we don't forget.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-18 07:09:01 UTC
Please clean up, thanks!
Comment 6 Hans de Graaff gentoo-dev 2022-07-23 08:05:24 UTC
commit efdc96d17e9a8468e478d351b8546a2526f24a2c
Author: Conrad Kostecki <conikost@gentoo.org>
Date:   Sat Jul 9 22:44:47 2022 +0200

    www-servers/apache: drop 2.4.53, 2.4.53-r1
Comment 7 Larry the Git Cow gentoo-dev 2022-08-14 00:11:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7809350d99ef042a9f97a7a6edcb9ca5c28db476

commit 7809350d99ef042a9f97a7a6edcb9ca5c28db476
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 00:09:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-14 00:11:42 +0000

    [ GLSA 202208-20 ] Apache HTTPD: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/813429
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/816864
    Bug: https://bugs.gentoo.org/829722
    Bug: https://bugs.gentoo.org/835131
    Bug: https://bugs.gentoo.org/850622
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-20.xml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 00:15:55 UTC
GLSA released, all done!