Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 900416 (CVE-2023-25690, CVE-2023-27522) - <www-servers/apache-2.4.56: multiple vulnerabilities
Summary: <www-servers/apache-2.4.56: multiple vulnerabilities
Alias: CVE-2023-25690, CVE-2023-27522
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa+]
Keywords: PullRequest
Depends on: 903493
  Show dependency tree
Reported: 2023-03-08 15:55 UTC by John Helmert III
Modified: 2023-09-17 06:32 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-03-08 15:55:16 UTC

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "$1"; [P] ProxyPassReverse /here/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.


HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.

Please bump to 2.4.56.
Comment 1 Larry the Git Cow gentoo-dev 2023-03-11 11:17:52 UTC
The bug has been referenced in the following commit(s):

commit 491e42d2897839a8f980080579044f9dd97d818d
Author:     Hans de Graaff <>
AuthorDate: 2023-03-11 08:56:36 +0000
Commit:     Hans de Graaff <>
CommitDate: 2023-03-11 11:17:46 +0000

    www-servers/apache: add 2.4.56
    Signed-off-by: Hans de Graaff <>

 www-servers/apache/Manifest             |   1 +
 www-servers/apache/apache-2.4.56.ebuild | 259 ++++++++++++++++++++++++++++++++
 2 files changed, 260 insertions(+)
Comment 2 Hans de Graaff gentoo-dev Security 2023-06-16 06:18:54 UTC
Cleanup done.
Comment 3 Tim Hammer 2023-06-16 13:28:39 UTC
Curious as to why no GLSA has been created for CVE-2023-25690 or CVE- 2023-27522?
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-19 02:52:29 UTC
GLSA request filed.
Comment 5 Larry the Git Cow gentoo-dev 2023-09-08 19:24:53 UTC
The bug has been referenced in the following commit(s):

commit c436d88493a5c8eec9b1f8a63799d35dd75d3372
Author:     GLSAMaker <>
AuthorDate: 2023-09-08 19:12:28 +0000
Commit:     Hans de Graaff <>
CommitDate: 2023-09-08 19:18:31 +0000

    [ GLSA 202309-01 ] Apache HTTPD: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Hans de Graaff <>

 glsa-202309-01.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)