Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 900416 (CVE-2023-25690, CVE-2023-27522)

Summary: <www-servers/apache-2.4.56: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: apache-bugs, hydrapolic
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://httpd.apache.org/security/vulnerabilities_24.html
See Also: https://github.com/gentoo/gentoo/pull/30021
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 903493    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-03-08 15:55:16 UTC 
CVE-2023-25690:

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.

CVE-2023-27522:

HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.

Please bump to 2.4.56.
Comment 1 Larry the Git Cow gentoo-dev 2023-03-11 11:17:52 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=491e42d2897839a8f980080579044f9dd97d818d

commit 491e42d2897839a8f980080579044f9dd97d818d
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-03-11 08:56:36 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-03-11 11:17:46 +0000

    www-servers/apache: add 2.4.56
    
    Bug: https://bugs.gentoo.org/900416
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/apache/Manifest             |   1 +
 www-servers/apache/apache-2.4.56.ebuild | 259 ++++++++++++++++++++++++++++++++
 2 files changed, 260 insertions(+)
Comment 2 Hans de Graaff gentoo-dev Security 2023-06-16 06:18:54 UTC 
Cleanup done.
Comment 3 Tim Hammer 2023-06-16 13:28:39 UTC 
Curious as to why no GLSA has been created for CVE-2023-25690 or CVE- 2023-27522?
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-19 02:52:29 UTC 
GLSA request filed.
Comment 5 Larry the Git Cow gentoo-dev 2023-09-08 19:24:53 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c436d88493a5c8eec9b1f8a63799d35dd75d3372

commit c436d88493a5c8eec9b1f8a63799d35dd75d3372
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-08 19:12:28 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-09-08 19:18:31 +0000

    [ GLSA 202309-01 ] Apache HTTPD: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/891211
    Bug: https://bugs.gentoo.org/900416
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202309-01.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)